Bug 1161358

Description of problem:
[ACL]When give non-root user right permission using interface mac as filter condition, access always denied for all interface API.


Version-Release number of selected component (if applicable):
libvirt-1.2.8-5.el7.x86_64
qemu-kvm-rhev-2.1.2-3.el7.x86_64
kernel-3.10.0-190.el7.x86_64


How reproducible:
100%

Steps to Reproduce:

1. Enable 'polkit' as the Access control driver.
#vim /etc/libvirt/libvirtd.conf
access_drivers = [ "polkit" ]
 
2. Granted local user permission to connect to libvirt in full read-write mode
 #vi /etc/libvirt/libvirtd.conf
unix_sock_rw_perms = "0777"
auth_unix_rw = "none"

3. Add a normal user
#useradd test1
#passwd test1

4. I use virsh iface-undefine command as example to show the access denied error, other iface command show access denied error too.

Give user test1 the permission to undefine the interface, here we use interface_mac as filter condition in action.lookup
add rule in below file.
# cat  /etc/polkit-1/rules.d/100-libvirt-acl.rules  
polkit.addRule(function(action, subject) {
if (action.id == "org.libvirt.api.interface.delete" &&
        subject.user == "test1") {
          if (action.lookup("connect_driver") == 'QEMU' &&
              action.lookup("interface_mac") == '24:be:05:02:a0:e9') {
            return polkit.Result.YES;
          } else {
            return polkit.Result.NO;
          }
    }
});

5. login with user test1, connect the libvirtd server,
then excute the following command
#su test1
$ virsh -c qemu:///system
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit
virsh# iface-list
 Name                 State      MAC Address
---------------------------------------------------
 eno1                 active     24:be:05:02:a0:e9
 lo                   active     00:00:00:00:00:00

virsh # iface-undefine --interface 24:be:05:02:a0:e9
error: Failed to undefine interface 24:be:05:02:a0:e9
error: access denied

6. check libvirt log find following error.
2014-10-23 08:40:47.151+0000: 2041: debug : virAccessDriverPolkitCheck:152 : Check action 'org.libvirt.api.interface.delete' for process '12428,1650015,1002'
2014-10-23 08:40:47.151+0000: 2041: debug : virCommandRunAsync:2398 : About to run /usr/bin/pkcheck --action-id org.libvirt.api.interface.delete --process 12428,1650015,1002 --detail connect_driver QEMU --detail interface_name eno1 --detail interface_macaddr 24:be:05:02:a0:e9
....
2014-10-23 08:40:47.152+0000: 2041: debug : virCommandRunAsync:2401 : Command result 0, with PID 14643
2014-10-23 08:40:47.157+0000: 2041: debug : virCommandRun:2249 : Result fatal signal 1, stdout: 'connect_driver=QEMU
interface_macaddr=24\72be\7205\7202\72a0\72e9
interface_name=eno1
....
2014-10-23 08:40:47.158+0000: 2041: error : virInterfaceUndefineEnsureACL:5363 : access denied


7. the same result also access denied when setting right action.id using interface_mac as filter condition
#virsh iface-start eno1
#virsh iface-destroy eno1
#virsh iface-define eno1


Actual results:
when I use interface_mac as action.lookup condition to give non-root user the right permission manage interface API, but access denied for all interface API command as above


Expected results:
1.When using interface_mac as action.lookup condition for non-root user, run interface API command return success, no access denied. Libvirt can match the right interface_mac value and authorize non-root user the right permission to manage interface.

2.When access denied happened, libvirt log can print out the exactly action id which is needed. It is useful for tester.
log should be print as below:
2014-10-23 06:29:36.962+0000: 11805: error : virAccessDriverPolkitCheck:177 : access denied: Policy kit denied action org.libvirt.api.interface.delete from 10824,18689289,1000: exit status 1.
It has already been provided in rhel7 libvirt-1.1.1-29.el7.x86_64 build, but discard now.

Additional info:

vivian zhang