diff --git a/monitor.c b/monitor.c
index 0878c36429..bad79fec6b 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1579,60 +1579,79 @@ static void do_info_balloon(Monitor *mon) monitor_printf(mon, "balloon: actual=%d\n", (int)(actual >> 20)); } -static void do_acl(Monitor *mon, - const char *command, - const char *aclname, - const char *match, - int has_index, - int index) +static qemu_acl *find_acl(Monitor *mon, const char *name) { - qemu_acl *acl; + qemu_acl *acl = qemu_acl_find(name); - acl = qemu_acl_find(aclname); if (!acl) { - monitor_printf(mon, "acl: unknown list '%s'\n", aclname); - return; + monitor_printf(mon, "acl: unknown list '%s'\n", name); } + return acl; +} - if (strcmp(command, "show") == 0) { - int i = 0; - qemu_acl_entry *entry; +static void do_acl_show(Monitor *mon, const char *aclname) +{ + qemu_acl *acl = find_acl(mon, aclname); + qemu_acl_entry *entry; + int i = 0; + + if (acl) { monitor_printf(mon, "policy: %s\n", acl->defaultDeny ? "deny" : "allow"); TAILQ_FOREACH(entry, &acl->entries, next) { i++; monitor_printf(mon, "%d: %s %s\n", i, - entry->deny ? "deny" : "allow", - entry->match); + entry->deny ? 
"deny" : "allow", entry->match); } - } else if (strcmp(command, "reset") == 0) { + } +} + +static void do_acl_reset(Monitor *mon, const char *aclname) +{ + qemu_acl *acl = find_acl(mon, aclname); + + if (acl) { qemu_acl_reset(acl); monitor_printf(mon, "acl: removed all rules\n"); - } else if (strcmp(command, "policy") == 0) { - if (!match) { - monitor_printf(mon, "acl: missing policy parameter\n"); - return; - } + } +} - if (strcmp(match, "allow") == 0) { +static void do_acl_policy(Monitor *mon, const char *aclname, + const char *policy) +{ + qemu_acl *acl = find_acl(mon, aclname); + + if (acl) { + if (strcmp(policy, "allow") == 0) { acl->defaultDeny = 0; monitor_printf(mon, "acl: policy set to 'allow'\n"); - } else if (strcmp(match, "deny") == 0) { + } else if (strcmp(policy, "deny") == 0) { acl->defaultDeny = 1; monitor_printf(mon, "acl: policy set to 'deny'\n"); } else { - monitor_printf(mon, "acl: unknown policy '%s', expected 'deny' or 'allow'\n", match); + monitor_printf(mon, "acl: unknown policy '%s', " + "expected 'deny' or 'allow'\n", policy); } - } else if ((strcmp(command, "allow") == 0) || - (strcmp(command, "deny") == 0)) { - int deny = strcmp(command, "deny") == 0 ? 1 : 0; - int ret; + } +} - if (!match) { - monitor_printf(mon, "acl: missing match parameter\n"); +static void do_acl_add(Monitor *mon, const char *aclname, + const char *match, const char *policy, + int has_index, int index) +{ + qemu_acl *acl = find_acl(mon, aclname); + int deny, ret; + + if (acl) { + if (strcmp(policy, "allow") == 0) { + deny = 0; + } else if (strcmp(policy, "deny") == 0) { + deny = 1; + } else { + monitor_printf(mon, "acl: unknown policy '%s', " + "expected 'deny' or 'allow'\n", policy); return; } - if (has_index) ret = qemu_acl_insert(acl, deny, match, index); else 
@@ -1641,21 +1660,20 @@ static void do_acl(Monitor *mon, monitor_printf(mon, "acl: unable to add acl entry\n"); else monitor_printf(mon, "acl: added rule at position %d\n", ret); - } else if (strcmp(command, "remove") == 0) { - int ret; + } +} - if (!match) { - monitor_printf(mon, "acl: missing match parameter\n"); - return; - } +static void do_acl_remove(Monitor *mon, const char *aclname, const char *match) +{ + qemu_acl *acl = find_acl(mon, aclname); + int ret; + if (acl) { ret = qemu_acl_remove(acl, match); if (ret < 0) monitor_printf(mon, "acl: no matching acl entry\n"); else monitor_printf(mon, "acl: removed rule at position %d\n", ret); - } else { - monitor_printf(mon, "acl: unknown command '%s'\n", command); } } diff --git a/qemu-monitor.hx b/qemu-monitor.hx index a87530ca7c..aa29a91738 100644 --- a/qemu-monitor.hx +++ b/qemu-monitor.hx 
@@ -569,48 +569,50 @@ STEXI Change watchdog action. ETEXI - { "acl", "sss?i?", do_acl, " [ []]\n", - "acl show vnc.username\n" - "acl policy vnc.username deny\n" - "acl allow vnc.username fred\n" - "acl deny vnc.username bob\n" - "acl reset vnc.username\n" }, + { "acl_show", "s", do_acl_show, "aclname", + "list rules in the access control list" }, STEXI -@item acl @var{subcommand} @var{aclname} @var{match} @var{index} +@item acl_show @var{aclname} +List all the matching rules in the access control list, and the default +policy. There are currently two named access control lists, +@var{vnc.x509dname} and @var{vnc.username} matching on the x509 client +certificate distinguished name, and SASL username respectively. +ETEXI -Manage access control lists for network services. There are currently -two named access control lists, @var{vnc.x509dname} and @var{vnc.username} -matching on the x509 client certificate distinguished name, and SASL -username respectively. - -@table @option -@item acl show -list all the match rules in the access control list, and the default -policy -@item acl policy @code{allow|deny} -set the default access control list policy, used in the event that + { "acl_policy", "ss", do_acl_policy, "aclname allow|deny", + "set default access control list policy" }, +STEXI +@item acl_policy @var{aclname] @code{allow|deny} +Set the default access control list policy, used in the event that none of the explicit rules match. The default policy at startup is -always @code{deny} -@item acl allow [] -add a match to the access control list, allowing access. The match will -normally be an exact username or x509 distinguished name, but can -optionally include wildcard globs. eg @code{*@@EXAMPLE.COM} to allow -all users in the @code{EXAMPLE.COM} kerberos realm. The match will +always @code{deny}. 
+ETEXI + + { "acl_add", "sssi?", do_acl_add, "aclname match allow|deny [index]", + "add a match rule to the access control list" }, +STEXI +@item acl_allow @var{aclname} @var{match} @code{allow|deny} [@var{index}] +Add a match rule to the access control list, allowing or denying access. +The match will normally be an exact username or x509 distinguished name, +but can optionally include wildcard globs. eg @code{*@@EXAMPLE.COM} to +allow all users in the @code{EXAMPLE.COM} kerberos realm. The match will normally be appended to the end of the ACL, but can be inserted -earlier in the list if the optional @code{index} parameter is supplied. -@item acl deny [] -add a match to the access control list, denying access. The match will -normally be an exact username or x509 distinguished name, but can -optionally include wildcard globs. eg @code{*@@EXAMPLE.COM} to allow -all users in the @code{EXAMPLE.COM} kerberos realm. The match will -normally be appended to the end of the ACL, but can be inserted -earlier in the list if the optional @code{index} parameter is supplied. -@item acl remove -remove the specified match rule from the access control list. -@item acl reset -remove all matches from the access control list, and set the default +earlier in the list if the optional @var{index} parameter is supplied. +ETEXI + + { "acl_remove", "ss", do_acl_remove, "aclname match", + "remove a match rule from the access control list" }, +STEXI +@item acl_remove @var{aclname} @var{match} +Remove the specified match rule from the access control list. +ETEXI + + { "acl_reset", "s", do_acl_reset, "aclname", + "reset the access control list" }, +STEXI +@item acl_remove @var{aclname} @var{match} +Remove all matches from the access control list, and set the default policy back to @code{deny}. -@end table ETEXI STEXI
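Review bot: Three of the new STEXI entries do not match the command-table lines they document: the entry for `acl_add` is headed `@item acl_allow ...` although the command registered just above is `acl_add`, the `acl_policy` heading has a mismatched brace in `@var{aclname]`, and the entry under the `acl_reset` table line repeats the `acl_remove` heading `@item acl_remove @var{aclname} @var{match}`. The headings should read `@item acl_add @var{aclname} @var{match} @code{allow|deny} [@var{index}]`, `@item acl_policy @var{aclname} @code{allow|deny}` and `@item acl_reset @var{aclname}`. Since these STEXI blocks presumably feed the generated manual, the unbalanced brace may also break that build, not just the rendered text.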