qga: centralize logic for disabling/enabling commands

It is confusing having many different pieces of code enabling and
disabling commands, and it is not clear that they all have the same
semantics, especially wrt prioritization of the block/allow lists.
The code attempted to prevent the user from setting both the block
and allow lists concurrently, however, the logic was flawed as it
checked settings in the configuration file  separately from the
command line arguments. Thus it was possible to set a block list
in the config file and an allow list via a command line argument.
The --dump-conf option also creates a configuration file with both
keys present, even if unset, which means it is creating a config
that cannot actually be loaded again.

Centralizing the code in a single method "ga_apply_command_filters"
will provide a strong guarantee of consistency and clarify the
intended behaviour. With this there is no compelling technical
reason to prevent concurrent setting of both the allow and block
lists, so this flawed restriction is removed.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Message-ID: <20240712132459.3974109-23-berrange@redhat.com>
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2024-07-12 14:24:59 +01:00 committed by Konstantin Kostiuk
parent f8bf2347ed
commit 2e3b166c41
4 changed files with 70 additions and 84 deletions

View File

@ -28,6 +28,20 @@ configuration options on the command line. For the same key, the last
option wins, but the lists accumulate (see below for configuration option wins, but the lists accumulate (see below for configuration
file format). file format).
If an allowed RPCs list is defined in the configuration, then all
RPCs will be blocked by default, except for the allowed list.
If a blocked RPCs list is defined in the configuration, then all
RPCs will be allowed by default, except for the blocked list.
If both allowed and blocked RPCs lists are defined in the configuration,
then all RPCs will be blocked by default, then the allowed list will
be applied, followed by the blocked list.
While filesystems are frozen, all except for a designated safe set
of RPCs will blocked, regardless of what the general configuration
declares.
Options Options
------- -------

View File

@ -1136,12 +1136,6 @@ error:
#endif /* HAVE_GETIFADDRS */ #endif /* HAVE_GETIFADDRS */
/* add unsupported commands to the list of blocked RPCs */
GList *ga_command_init_blockedrpcs(GList *blockedrpcs)
{
return blockedrpcs;
}
/* register init/cleanup routines for stateful command groups */ /* register init/cleanup routines for stateful command groups */
void ga_command_state_init(GAState *s, GACommandState *cs) void ga_command_state_init(GAState *s, GACommandState *cs)
{ {

View File

@ -1958,12 +1958,6 @@ done:
g_free(rawpasswddata); g_free(rawpasswddata);
} }
/* add unsupported commands to the list of blocked RPCs */
GList *ga_command_init_blockedrpcs(GList *blockedrpcs)
{
return blockedrpcs;
}
/* register init/cleanup routines for stateful command groups */ /* register init/cleanup routines for stateful command groups */
void ga_command_state_init(GAState *s, GACommandState *cs) void ga_command_state_init(GAState *s, GACommandState *cs)
{ {

View File

@ -423,58 +423,77 @@ static gint ga_strcmp(gconstpointer str1, gconstpointer str2)
return strcmp(str1, str2); return strcmp(str1, str2);
} }
/* disable commands that aren't safe for fsfreeze */ static bool ga_command_is_allowed(const QmpCommand *cmd, GAState *state)
static void ga_disable_not_allowed_freeze(const QmpCommand *cmd, void *opaque)
{ {
bool allowed = false;
int i = 0; int i = 0;
GAConfig *config = state->config;
const char *name = qmp_command_name(cmd); const char *name = qmp_command_name(cmd);
/* Fallback policy is allow everything */
bool allowed = true;
while (ga_freeze_allowlist[i] != NULL) { if (config->allowedrpcs) {
if (strcmp(name, ga_freeze_allowlist[i]) == 0) { /*
* If an allow-list is given, this changes the fallback
* policy to deny everything
*/
allowed = false;
if (g_list_find_custom(config->allowedrpcs, name, ga_strcmp) != NULL) {
allowed = true; allowed = true;
} }
i++;
} }
if (!allowed) {
g_debug("disabling command: %s", name); /*
qmp_disable_command(&ga_commands, name, "the agent is in frozen state"); * If both allowedrpcs and blockedrpcs are set, the blocked
* list will take priority
*/
if (config->blockedrpcs) {
if (g_list_find_custom(config->blockedrpcs, name, ga_strcmp) != NULL) {
allowed = false;
}
} }
/*
* If frozen, this filtering must take priority over
* absolutely everything
*/
if (state->frozen) {
allowed = false;
while (ga_freeze_allowlist[i] != NULL) {
if (strcmp(name, ga_freeze_allowlist[i]) == 0) {
allowed = true;
}
i++;
}
}
return allowed;
} }
/* [re-]enable all commands, except those explicitly blocked by user */ static void ga_apply_command_filters_iter(const QmpCommand *cmd, void *opaque)
static void ga_enable_non_blocked(const QmpCommand *cmd, void *opaque)
{ {
GAState *s = opaque; GAState *state = opaque;
GList *blockedrpcs = s->blockedrpcs; bool want = ga_command_is_allowed(cmd, state);
GList *allowedrpcs = s->allowedrpcs; bool have = qmp_command_is_enabled(cmd);
const char *name = qmp_command_name(cmd); const char *name = qmp_command_name(cmd);
if (g_list_find_custom(blockedrpcs, name, ga_strcmp) == NULL) { if (want == have) {
if (qmp_command_is_enabled(cmd)) { return;
return; }
}
if (allowedrpcs &&
g_list_find_custom(allowedrpcs, name, ga_strcmp) == NULL) {
return;
}
if (have) {
g_debug("disabling command: %s", name);
qmp_disable_command(&ga_commands, name, "the command is not allowed");
} else {
g_debug("enabling command: %s", name); g_debug("enabling command: %s", name);
qmp_enable_command(&ga_commands, name); qmp_enable_command(&ga_commands, name);
} }
} }
/* disable commands that aren't allowed */ static void ga_apply_command_filters(GAState *state)
static void ga_disable_not_allowed(const QmpCommand *cmd, void *opaque)
{ {
GList *allowedrpcs = opaque; qmp_for_each_command(&ga_commands, ga_apply_command_filters_iter, state);
const char *name = qmp_command_name(cmd);
if (g_list_find_custom(allowedrpcs, name, ga_strcmp) == NULL) {
g_debug("disabling command: %s", name);
qmp_disable_command(&ga_commands, name, "the command is not allowed");
}
} }
static bool ga_create_file(const char *path) static bool ga_create_file(const char *path)
@ -509,15 +528,14 @@ void ga_set_frozen(GAState *s)
if (ga_is_frozen(s)) { if (ga_is_frozen(s)) {
return; return;
} }
/* disable all forbidden (for frozen state) commands */
qmp_for_each_command(&ga_commands, ga_disable_not_allowed_freeze, NULL);
g_warning("disabling logging due to filesystem freeze"); g_warning("disabling logging due to filesystem freeze");
ga_disable_logging(s);
s->frozen = true; s->frozen = true;
if (!ga_create_file(s->state_filepath_isfrozen)) { if (!ga_create_file(s->state_filepath_isfrozen)) {
g_warning("unable to create %s, fsfreeze may not function properly", g_warning("unable to create %s, fsfreeze may not function properly",
s->state_filepath_isfrozen); s->state_filepath_isfrozen);
} }
ga_apply_command_filters(s);
ga_disable_logging(s);
} }
void ga_unset_frozen(GAState *s) void ga_unset_frozen(GAState *s)
@ -549,12 +567,12 @@ void ga_unset_frozen(GAState *s)
} }
/* enable all disabled, non-blocked and allowed commands */ /* enable all disabled, non-blocked and allowed commands */
qmp_for_each_command(&ga_commands, ga_enable_non_blocked, s);
s->frozen = false; s->frozen = false;
if (!ga_delete_file(s->state_filepath_isfrozen)) { if (!ga_delete_file(s->state_filepath_isfrozen)) {
g_warning("unable to delete %s, fsfreeze may not function properly", g_warning("unable to delete %s, fsfreeze may not function properly",
s->state_filepath_isfrozen); s->state_filepath_isfrozen);
} }
ga_apply_command_filters(s);
} }
#ifdef CONFIG_FSFREEZE #ifdef CONFIG_FSFREEZE
@ -1086,13 +1104,6 @@ static void config_load(GAConfig *config, const char *confpath, bool required)
split_list(config->aliststr, ",")); split_list(config->aliststr, ","));
} }
if (g_key_file_has_key(keyfile, "general", "block-rpcs", NULL) &&
g_key_file_has_key(keyfile, "general", "allow-rpcs", NULL)) {
g_critical("wrong config, using 'block-rpcs' and 'allow-rpcs' keys at"
" the same time is not allowed");
exit(EXIT_FAILURE);
}
end: end:
g_key_file_free(keyfile); g_key_file_free(keyfile);
if (gerr && (required || if (gerr && (required ||
@ -1172,7 +1183,6 @@ static void config_parse(GAConfig *config, int argc, char **argv)
{ {
const char *sopt = "hVvdc:m:p:l:f:F::b:a:s:t:Dr"; const char *sopt = "hVvdc:m:p:l:f:F::b:a:s:t:Dr";
int opt_ind = 0, ch; int opt_ind = 0, ch;
bool block_rpcs = false, allow_rpcs = false;
const struct option lopt[] = { const struct option lopt[] = {
{ "help", 0, NULL, 'h' }, { "help", 0, NULL, 'h' },
{ "version", 0, NULL, 'V' }, { "version", 0, NULL, 'V' },
@ -1268,7 +1278,6 @@ static void config_parse(GAConfig *config, int argc, char **argv)
} }
config->blockedrpcs = g_list_concat(config->blockedrpcs, config->blockedrpcs = g_list_concat(config->blockedrpcs,
split_list(optarg, ",")); split_list(optarg, ","));
block_rpcs = true;
break; break;
} }
case 'a': { case 'a': {
@ -1278,7 +1287,6 @@ static void config_parse(GAConfig *config, int argc, char **argv)
} }
config->allowedrpcs = g_list_concat(config->allowedrpcs, config->allowedrpcs = g_list_concat(config->allowedrpcs,
split_list(optarg, ",")); split_list(optarg, ","));
allow_rpcs = true;
break; break;
} }
#ifdef _WIN32 #ifdef _WIN32
@ -1319,12 +1327,6 @@ static void config_parse(GAConfig *config, int argc, char **argv)
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
} }
if (block_rpcs && allow_rpcs) {
g_critical("wrong commandline, using --block-rpcs and --allow-rpcs at the"
" same time is not allowed");
exit(EXIT_FAILURE);
}
} }
static void config_free(GAConfig *config) static void config_free(GAConfig *config)
@ -1435,7 +1437,6 @@ static GAState *initialize_agent(GAConfig *config, int socket_activation)
s->deferred_options.log_filepath = config->log_filepath; s->deferred_options.log_filepath = config->log_filepath;
} }
ga_disable_logging(s); ga_disable_logging(s);
qmp_for_each_command(&ga_commands, ga_disable_not_allowed_freeze, NULL);
} else { } else {
if (config->daemonize) { if (config->daemonize) {
become_daemon(config->pid_filepath); become_daemon(config->pid_filepath);
@ -1459,25 +1460,6 @@ static GAState *initialize_agent(GAConfig *config, int socket_activation)
return NULL; return NULL;
} }
if (config->allowedrpcs) {
qmp_for_each_command(&ga_commands, ga_disable_not_allowed, config->allowedrpcs);
s->allowedrpcs = config->allowedrpcs;
}
/*
* Some commands can be blocked due to system limitation.
* Initialize blockedrpcs list even if allowedrpcs specified.
*/
config->blockedrpcs = ga_command_init_blockedrpcs(config->blockedrpcs);
if (config->blockedrpcs) {
GList *l = config->blockedrpcs;
s->blockedrpcs = config->blockedrpcs;
do {
g_debug("disabling command: %s", (char *)l->data);
qmp_disable_command(&ga_commands, l->data, NULL);
l = g_list_next(l);
} while (l);
}
s->command_state = ga_command_state_new(); s->command_state = ga_command_state_new();
ga_command_state_init(s, s->command_state); ga_command_state_init(s, s->command_state);
ga_command_state_init_all(s->command_state); ga_command_state_init_all(s->command_state);
@ -1503,6 +1485,8 @@ static GAState *initialize_agent(GAConfig *config, int socket_activation)
} }
#endif #endif
ga_apply_command_filters(s);
ga_state = s; ga_state = s;
return s; return s;
} }