qga: centralize logic for disabling/enabling commands
It is confusing having many different pieces of code enabling and disabling commands, and it is not clear that they all have the same semantics, especially wrt prioritization of the block/allow lists. The code attempted to prevent the user from setting both the block and allow lists concurrently, however, the logic was flawed as it checked settings in the configuration file separately from the command line arguments. Thus it was possible to set a block list in the config file and an allow list via a command line argument. The --dump-conf option also creates a configuration file with both keys present, even if unset, which means it is creating a config that cannot actually be loaded again. Centralizing the code in a single method "ga_apply_command_filters" will provide a strong guarantee of consistency and clarify the intended behaviour. With this there is no compelling technical reason to prevent concurrent setting of both the allow and block lists, so this flawed restriction is removed. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Konstantin Kostiuk <kkostiuk@redhat.com> Message-ID: <20240712132459.3974109-23-berrange@redhat.com> Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
This commit is contained in:
parent
f8bf2347ed
commit
2e3b166c41
@ -28,6 +28,20 @@ configuration options on the command line. For the same key, the last
|
|||||||
option wins, but the lists accumulate (see below for configuration
|
option wins, but the lists accumulate (see below for configuration
|
||||||
file format).
|
file format).
|
||||||
|
|
||||||
|
If an allowed RPCs list is defined in the configuration, then all
|
||||||
|
RPCs will be blocked by default, except for the allowed list.
|
||||||
|
|
||||||
|
If a blocked RPCs list is defined in the configuration, then all
|
||||||
|
RPCs will be allowed by default, except for the blocked list.
|
||||||
|
|
||||||
|
If both allowed and blocked RPCs lists are defined in the configuration,
|
||||||
|
then all RPCs will be blocked by default, then the allowed list will
|
||||||
|
be applied, followed by the blocked list.
|
||||||
|
|
||||||
|
While filesystems are frozen, all except for a designated safe set
|
||||||
|
of RPCs will blocked, regardless of what the general configuration
|
||||||
|
declares.
|
||||||
|
|
||||||
Options
|
Options
|
||||||
-------
|
-------
|
||||||
|
|
||||||
|
@ -1136,12 +1136,6 @@ error:
|
|||||||
|
|
||||||
#endif /* HAVE_GETIFADDRS */
|
#endif /* HAVE_GETIFADDRS */
|
||||||
|
|
||||||
/* add unsupported commands to the list of blocked RPCs */
|
|
||||||
GList *ga_command_init_blockedrpcs(GList *blockedrpcs)
|
|
||||||
{
|
|
||||||
return blockedrpcs;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* register init/cleanup routines for stateful command groups */
|
/* register init/cleanup routines for stateful command groups */
|
||||||
void ga_command_state_init(GAState *s, GACommandState *cs)
|
void ga_command_state_init(GAState *s, GACommandState *cs)
|
||||||
{
|
{
|
||||||
|
@ -1958,12 +1958,6 @@ done:
|
|||||||
g_free(rawpasswddata);
|
g_free(rawpasswddata);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* add unsupported commands to the list of blocked RPCs */
|
|
||||||
GList *ga_command_init_blockedrpcs(GList *blockedrpcs)
|
|
||||||
{
|
|
||||||
return blockedrpcs;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* register init/cleanup routines for stateful command groups */
|
/* register init/cleanup routines for stateful command groups */
|
||||||
void ga_command_state_init(GAState *s, GACommandState *cs)
|
void ga_command_state_init(GAState *s, GACommandState *cs)
|
||||||
{
|
{
|
||||||
|
128
qga/main.c
128
qga/main.c
@ -423,58 +423,77 @@ static gint ga_strcmp(gconstpointer str1, gconstpointer str2)
|
|||||||
return strcmp(str1, str2);
|
return strcmp(str1, str2);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* disable commands that aren't safe for fsfreeze */
|
static bool ga_command_is_allowed(const QmpCommand *cmd, GAState *state)
|
||||||
static void ga_disable_not_allowed_freeze(const QmpCommand *cmd, void *opaque)
|
|
||||||
{
|
{
|
||||||
bool allowed = false;
|
|
||||||
int i = 0;
|
int i = 0;
|
||||||
|
GAConfig *config = state->config;
|
||||||
const char *name = qmp_command_name(cmd);
|
const char *name = qmp_command_name(cmd);
|
||||||
|
/* Fallback policy is allow everything */
|
||||||
|
bool allowed = true;
|
||||||
|
|
||||||
while (ga_freeze_allowlist[i] != NULL) {
|
if (config->allowedrpcs) {
|
||||||
if (strcmp(name, ga_freeze_allowlist[i]) == 0) {
|
/*
|
||||||
|
* If an allow-list is given, this changes the fallback
|
||||||
|
* policy to deny everything
|
||||||
|
*/
|
||||||
|
allowed = false;
|
||||||
|
|
||||||
|
if (g_list_find_custom(config->allowedrpcs, name, ga_strcmp) != NULL) {
|
||||||
allowed = true;
|
allowed = true;
|
||||||
}
|
}
|
||||||
i++;
|
|
||||||
}
|
}
|
||||||
if (!allowed) {
|
|
||||||
g_debug("disabling command: %s", name);
|
/*
|
||||||
qmp_disable_command(&ga_commands, name, "the agent is in frozen state");
|
* If both allowedrpcs and blockedrpcs are set, the blocked
|
||||||
|
* list will take priority
|
||||||
|
*/
|
||||||
|
if (config->blockedrpcs) {
|
||||||
|
if (g_list_find_custom(config->blockedrpcs, name, ga_strcmp) != NULL) {
|
||||||
|
allowed = false;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If frozen, this filtering must take priority over
|
||||||
|
* absolutely everything
|
||||||
|
*/
|
||||||
|
if (state->frozen) {
|
||||||
|
allowed = false;
|
||||||
|
|
||||||
|
while (ga_freeze_allowlist[i] != NULL) {
|
||||||
|
if (strcmp(name, ga_freeze_allowlist[i]) == 0) {
|
||||||
|
allowed = true;
|
||||||
|
}
|
||||||
|
i++;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return allowed;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* [re-]enable all commands, except those explicitly blocked by user */
|
static void ga_apply_command_filters_iter(const QmpCommand *cmd, void *opaque)
|
||||||
static void ga_enable_non_blocked(const QmpCommand *cmd, void *opaque)
|
|
||||||
{
|
{
|
||||||
GAState *s = opaque;
|
GAState *state = opaque;
|
||||||
GList *blockedrpcs = s->blockedrpcs;
|
bool want = ga_command_is_allowed(cmd, state);
|
||||||
GList *allowedrpcs = s->allowedrpcs;
|
bool have = qmp_command_is_enabled(cmd);
|
||||||
const char *name = qmp_command_name(cmd);
|
const char *name = qmp_command_name(cmd);
|
||||||
|
|
||||||
if (g_list_find_custom(blockedrpcs, name, ga_strcmp) == NULL) {
|
if (want == have) {
|
||||||
if (qmp_command_is_enabled(cmd)) {
|
return;
|
||||||
return;
|
}
|
||||||
}
|
|
||||||
|
|
||||||
if (allowedrpcs &&
|
|
||||||
g_list_find_custom(allowedrpcs, name, ga_strcmp) == NULL) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
if (have) {
|
||||||
|
g_debug("disabling command: %s", name);
|
||||||
|
qmp_disable_command(&ga_commands, name, "the command is not allowed");
|
||||||
|
} else {
|
||||||
g_debug("enabling command: %s", name);
|
g_debug("enabling command: %s", name);
|
||||||
qmp_enable_command(&ga_commands, name);
|
qmp_enable_command(&ga_commands, name);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* disable commands that aren't allowed */
|
static void ga_apply_command_filters(GAState *state)
|
||||||
static void ga_disable_not_allowed(const QmpCommand *cmd, void *opaque)
|
|
||||||
{
|
{
|
||||||
GList *allowedrpcs = opaque;
|
qmp_for_each_command(&ga_commands, ga_apply_command_filters_iter, state);
|
||||||
const char *name = qmp_command_name(cmd);
|
|
||||||
|
|
||||||
if (g_list_find_custom(allowedrpcs, name, ga_strcmp) == NULL) {
|
|
||||||
g_debug("disabling command: %s", name);
|
|
||||||
qmp_disable_command(&ga_commands, name, "the command is not allowed");
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool ga_create_file(const char *path)
|
static bool ga_create_file(const char *path)
|
||||||
@ -509,15 +528,14 @@ void ga_set_frozen(GAState *s)
|
|||||||
if (ga_is_frozen(s)) {
|
if (ga_is_frozen(s)) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
/* disable all forbidden (for frozen state) commands */
|
|
||||||
qmp_for_each_command(&ga_commands, ga_disable_not_allowed_freeze, NULL);
|
|
||||||
g_warning("disabling logging due to filesystem freeze");
|
g_warning("disabling logging due to filesystem freeze");
|
||||||
ga_disable_logging(s);
|
|
||||||
s->frozen = true;
|
s->frozen = true;
|
||||||
if (!ga_create_file(s->state_filepath_isfrozen)) {
|
if (!ga_create_file(s->state_filepath_isfrozen)) {
|
||||||
g_warning("unable to create %s, fsfreeze may not function properly",
|
g_warning("unable to create %s, fsfreeze may not function properly",
|
||||||
s->state_filepath_isfrozen);
|
s->state_filepath_isfrozen);
|
||||||
}
|
}
|
||||||
|
ga_apply_command_filters(s);
|
||||||
|
ga_disable_logging(s);
|
||||||
}
|
}
|
||||||
|
|
||||||
void ga_unset_frozen(GAState *s)
|
void ga_unset_frozen(GAState *s)
|
||||||
@ -549,12 +567,12 @@ void ga_unset_frozen(GAState *s)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* enable all disabled, non-blocked and allowed commands */
|
/* enable all disabled, non-blocked and allowed commands */
|
||||||
qmp_for_each_command(&ga_commands, ga_enable_non_blocked, s);
|
|
||||||
s->frozen = false;
|
s->frozen = false;
|
||||||
if (!ga_delete_file(s->state_filepath_isfrozen)) {
|
if (!ga_delete_file(s->state_filepath_isfrozen)) {
|
||||||
g_warning("unable to delete %s, fsfreeze may not function properly",
|
g_warning("unable to delete %s, fsfreeze may not function properly",
|
||||||
s->state_filepath_isfrozen);
|
s->state_filepath_isfrozen);
|
||||||
}
|
}
|
||||||
|
ga_apply_command_filters(s);
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef CONFIG_FSFREEZE
|
#ifdef CONFIG_FSFREEZE
|
||||||
@ -1086,13 +1104,6 @@ static void config_load(GAConfig *config, const char *confpath, bool required)
|
|||||||
split_list(config->aliststr, ","));
|
split_list(config->aliststr, ","));
|
||||||
}
|
}
|
||||||
|
|
||||||
if (g_key_file_has_key(keyfile, "general", "block-rpcs", NULL) &&
|
|
||||||
g_key_file_has_key(keyfile, "general", "allow-rpcs", NULL)) {
|
|
||||||
g_critical("wrong config, using 'block-rpcs' and 'allow-rpcs' keys at"
|
|
||||||
" the same time is not allowed");
|
|
||||||
exit(EXIT_FAILURE);
|
|
||||||
}
|
|
||||||
|
|
||||||
end:
|
end:
|
||||||
g_key_file_free(keyfile);
|
g_key_file_free(keyfile);
|
||||||
if (gerr && (required ||
|
if (gerr && (required ||
|
||||||
@ -1172,7 +1183,6 @@ static void config_parse(GAConfig *config, int argc, char **argv)
|
|||||||
{
|
{
|
||||||
const char *sopt = "hVvdc:m:p:l:f:F::b:a:s:t:Dr";
|
const char *sopt = "hVvdc:m:p:l:f:F::b:a:s:t:Dr";
|
||||||
int opt_ind = 0, ch;
|
int opt_ind = 0, ch;
|
||||||
bool block_rpcs = false, allow_rpcs = false;
|
|
||||||
const struct option lopt[] = {
|
const struct option lopt[] = {
|
||||||
{ "help", 0, NULL, 'h' },
|
{ "help", 0, NULL, 'h' },
|
||||||
{ "version", 0, NULL, 'V' },
|
{ "version", 0, NULL, 'V' },
|
||||||
@ -1268,7 +1278,6 @@ static void config_parse(GAConfig *config, int argc, char **argv)
|
|||||||
}
|
}
|
||||||
config->blockedrpcs = g_list_concat(config->blockedrpcs,
|
config->blockedrpcs = g_list_concat(config->blockedrpcs,
|
||||||
split_list(optarg, ","));
|
split_list(optarg, ","));
|
||||||
block_rpcs = true;
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
case 'a': {
|
case 'a': {
|
||||||
@ -1278,7 +1287,6 @@ static void config_parse(GAConfig *config, int argc, char **argv)
|
|||||||
}
|
}
|
||||||
config->allowedrpcs = g_list_concat(config->allowedrpcs,
|
config->allowedrpcs = g_list_concat(config->allowedrpcs,
|
||||||
split_list(optarg, ","));
|
split_list(optarg, ","));
|
||||||
allow_rpcs = true;
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
#ifdef _WIN32
|
#ifdef _WIN32
|
||||||
@ -1319,12 +1327,6 @@ static void config_parse(GAConfig *config, int argc, char **argv)
|
|||||||
exit(EXIT_FAILURE);
|
exit(EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (block_rpcs && allow_rpcs) {
|
|
||||||
g_critical("wrong commandline, using --block-rpcs and --allow-rpcs at the"
|
|
||||||
" same time is not allowed");
|
|
||||||
exit(EXIT_FAILURE);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static void config_free(GAConfig *config)
|
static void config_free(GAConfig *config)
|
||||||
@ -1435,7 +1437,6 @@ static GAState *initialize_agent(GAConfig *config, int socket_activation)
|
|||||||
s->deferred_options.log_filepath = config->log_filepath;
|
s->deferred_options.log_filepath = config->log_filepath;
|
||||||
}
|
}
|
||||||
ga_disable_logging(s);
|
ga_disable_logging(s);
|
||||||
qmp_for_each_command(&ga_commands, ga_disable_not_allowed_freeze, NULL);
|
|
||||||
} else {
|
} else {
|
||||||
if (config->daemonize) {
|
if (config->daemonize) {
|
||||||
become_daemon(config->pid_filepath);
|
become_daemon(config->pid_filepath);
|
||||||
@ -1459,25 +1460,6 @@ static GAState *initialize_agent(GAConfig *config, int socket_activation)
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (config->allowedrpcs) {
|
|
||||||
qmp_for_each_command(&ga_commands, ga_disable_not_allowed, config->allowedrpcs);
|
|
||||||
s->allowedrpcs = config->allowedrpcs;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Some commands can be blocked due to system limitation.
|
|
||||||
* Initialize blockedrpcs list even if allowedrpcs specified.
|
|
||||||
*/
|
|
||||||
config->blockedrpcs = ga_command_init_blockedrpcs(config->blockedrpcs);
|
|
||||||
if (config->blockedrpcs) {
|
|
||||||
GList *l = config->blockedrpcs;
|
|
||||||
s->blockedrpcs = config->blockedrpcs;
|
|
||||||
do {
|
|
||||||
g_debug("disabling command: %s", (char *)l->data);
|
|
||||||
qmp_disable_command(&ga_commands, l->data, NULL);
|
|
||||||
l = g_list_next(l);
|
|
||||||
} while (l);
|
|
||||||
}
|
|
||||||
s->command_state = ga_command_state_new();
|
s->command_state = ga_command_state_new();
|
||||||
ga_command_state_init(s, s->command_state);
|
ga_command_state_init(s, s->command_state);
|
||||||
ga_command_state_init_all(s->command_state);
|
ga_command_state_init_all(s->command_state);
|
||||||
@ -1503,6 +1485,8 @@ static GAState *initialize_agent(GAConfig *config, int socket_activation)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
ga_apply_command_filters(s);
|
||||||
|
|
||||||
ga_state = s;
|
ga_state = s;
|
||||||
return s;
|
return s;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user