-rw-r--r--monitor.c96
-rw-r--r--qemu-monitor.hx76
2 files changed, 96 insertions, 76 deletions
diff --git a/monitor.c b/monitor.c
index 0878c36429..bad79fec6b 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1579,60 +1579,79 @@ static void do_info_balloon(Monitor *mon)
monitor_printf(mon, "balloon: actual=%d\n", (int)(actual >> 20));
}
-static void do_acl(Monitor *mon,
- const char *command,
- const char *aclname,
- const char *match,
- int has_index,
- int index)
+static qemu_acl *find_acl(Monitor *mon, const char *name)
{
- qemu_acl *acl;
+ qemu_acl *acl = qemu_acl_find(name);
- acl = qemu_acl_find(aclname);
if (!acl) {
- monitor_printf(mon, "acl: unknown list '%s'\n", aclname);
- return;
+ monitor_printf(mon, "acl: unknown list '%s'\n", name);
}
+ return acl;
+}
+
+static void do_acl_show(Monitor *mon, const char *aclname)
+{
+ qemu_acl *acl = find_acl(mon, aclname);
+ qemu_acl_entry *entry;
+ int i = 0;
- if (strcmp(command, "show") == 0) {
- int i = 0;
- qemu_acl_entry *entry;
+ if (acl) {
monitor_printf(mon, "policy: %s\n",
acl->defaultDeny ? "deny" : "allow");
TAILQ_FOREACH(entry, &acl->entries, next) {
i++;
monitor_printf(mon, "%d: %s %s\n", i,
- entry->deny ? "deny" : "allow",
- entry->match);
+ entry->deny ? "deny" : "allow", entry->match);
}
- } else if (strcmp(command, "reset") == 0) {
+ }
+}
+
+static void do_acl_reset(Monitor *mon, const char *aclname)
+{
+ qemu_acl *acl = find_acl(mon, aclname);
+
+ if (acl) {
qemu_acl_reset(acl);
monitor_printf(mon, "acl: removed all rules\n");
- } else if (strcmp(command, "policy") == 0) {
- if (!match) {
- monitor_printf(mon, "acl: missing policy parameter\n");
- return;
- }
+ }
+}
+
+static void do_acl_policy(Monitor *mon, const char *aclname,
+ const char *policy)
+{
+ qemu_acl *acl = find_acl(mon, aclname);
- if (strcmp(match, "allow") == 0) {
+ if (acl) {
+ if (strcmp(policy, "allow") == 0) {
acl->defaultDeny = 0;
monitor_printf(mon, "acl: policy set to 'allow'\n");
- } else if (strcmp(match, "deny") == 0) {
+ } else if (strcmp(policy, "deny") == 0) {
acl->defaultDeny = 1;
monitor_printf(mon, "acl: policy set to 'deny'\n");
} else {
- monitor_printf(mon, "acl: unknown policy '%s', expected 'deny' or 'allow'\n", match);
+ monitor_printf(mon, "acl: unknown policy '%s', "
+ "expected 'deny' or 'allow'\n", policy);
}
- } else if ((strcmp(command, "allow") == 0) ||
- (strcmp(command, "deny") == 0)) {
- int deny = strcmp(command, "deny") == 0 ? 1 : 0;
- int ret;
+ }
+}
- if (!match) {
- monitor_printf(mon, "acl: missing match parameter\n");
+static void do_acl_add(Monitor *mon, const char *aclname,
+ const char *match, const char *policy,
+ int has_index, int index)
+{
+ qemu_acl *acl = find_acl(mon, aclname);
+ int deny, ret;
+
+ if (acl) {
+ if (strcmp(policy, "allow") == 0) {
+ deny = 0;
+ } else if (strcmp(policy, "deny") == 0) {
+ deny = 1;
+ } else {
+ monitor_printf(mon, "acl: unknown policy '%s', "
+ "expected 'deny' or 'allow'\n", policy);
return;
}
-
if (has_index)
ret = qemu_acl_insert(acl, deny, match, index);
else
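Review bot: The allow/deny keyword parsing in `do_acl_policy` and `do_acl_add` is duplicated, down to the identical "unknown policy" error text, so any future change to the accepted keywords has to be made in two places and the error messages can drift apart. A small helper that maps the keyword to the deny flag and reports the error once would let both callers reduce to `int deny = acl_parse_policy(mon, policy); if (deny < 0) return;`, with `do_acl_policy` then assigning `acl->defaultDeny = deny;` and printing `deny ? "deny" : "allow"`. `do_acl_add` also hands the user-supplied `index` straight to `qemu_acl_insert`; if that function does not itself reject negative or out-of-range values, a check here would be worth adding, but that cannot be confirmed from this hunk. The body of `do_acl_add` continues past the end of this hunk.
```c
/* Map a monitor policy keyword to the ACL deny flag: 0 for "allow",
 * 1 for "deny"; reports the error on the monitor and returns -1 otherwise. */
static int acl_parse_policy(Monitor *mon, const char *policy)
{
    if (strcmp(policy, "allow") == 0)
        return 0;
    if (strcmp(policy, "deny") == 0)
        return 1;
    monitor_printf(mon, "acl: unknown policy '%s', "
                   "expected 'deny' or 'allow'\n", policy);
    return -1;
}

static void do_acl_policy(Monitor *mon, const char *aclname,
                          const char *policy)
{
    qemu_acl *acl = find_acl(mon, aclname);
    int deny;

    if (!acl)
        return;
    deny = acl_parse_policy(mon, policy);
    if (deny < 0)
        return;
    acl->defaultDeny = deny;
    monitor_printf(mon, "acl: policy set to '%s'\n", deny ? "deny" : "allow");
}

/* … unchanged: do_acl_add, with its allow/deny strcmp chain replaced by
 * deny = acl_parse_policy(mon, policy); if (deny < 0) return; … */
```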
@@ -1641,21 +1660,20 @@ static void do_acl(Monitor *mon,
monitor_printf(mon, "acl: unable to add acl entry\n");
else
monitor_printf(mon, "acl: added rule at position %d\n", ret);
- } else if (strcmp(command, "remove") == 0) {
- int ret;
+ }
+}
- if (!match) {
- monitor_printf(mon, "acl: missing match parameter\n");
- return;
- }
+static void do_acl_remove(Monitor *mon, const char *aclname, const char *match)
+{
+ qemu_acl *acl = find_acl(mon, aclname);
+ int ret;
+ if (acl) {
ret = qemu_acl_remove(acl, match);
if (ret < 0)
monitor_printf(mon, "acl: no matching acl entry\n");
else
monitor_printf(mon, "acl: removed rule at position %d\n", ret);
- } else {
- monitor_printf(mon, "acl: unknown command '%s'\n", command);
}
}
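Review bot: `do_acl_remove` hoists `ret` above the `if (acl)` guard and, unlike `do_acl_reset` a few lines earlier, has no blank line separating the declarations from the first statement, so the new helpers do not read uniformly. Inverting the guard to `if (!acl) return;` and declaring `ret` at first use, `int ret = qemu_acl_remove(acl, match);`, would flatten the body and match the early-return style the old `do_acl` used for its error paths. The `if (ret < 0)` / `else` tail at the top of this hunk belongs to `do_acl_add`, whose body starts in the previous hunk.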
diff --git a/qemu-monitor.hx b/qemu-monitor.hx
index a87530ca7c..aa29a91738 100644
--- a/qemu-monitor.hx
+++ b/qemu-monitor.hx
@@ -569,48 +569,50 @@ STEXI
Change watchdog action.
ETEXI
- { "acl", "sss?i?", do_acl, "<command> <aclname> [<match> [<index>]]\n",
- "acl show vnc.username\n"
- "acl policy vnc.username deny\n"
- "acl allow vnc.username fred\n"
- "acl deny vnc.username bob\n"
- "acl reset vnc.username\n" },
+ { "acl_show", "s", do_acl_show, "aclname",
+ "list rules in the access control list" },
STEXI
-@item acl @var{subcommand} @var{aclname} @var{match} @var{index}
-
-Manage access control lists for network services. There are currently
-two named access control lists, @var{vnc.x509dname} and @var{vnc.username}
-matching on the x509 client certificate distinguished name, and SASL
-username respectively.
+@item acl_show @var{aclname}
+List all the matching rules in the access control list, and the default
+policy. There are currently two named access control lists,
+@var{vnc.x509dname} and @var{vnc.username} matching on the x509 client
+certificate distinguished name, and SASL username respectively.
+ETEXI
-@table @option
-@item acl show <aclname>
-list all the match rules in the access control list, and the default
-policy
-@item acl policy <aclname> @code{allow|deny}
-set the default access control list policy, used in the event that
+ { "acl_policy", "ss", do_acl_policy, "aclname allow|deny",
+ "set default access control list policy" },
+STEXI
+@item acl_policy @var{aclname] @code{allow|deny}
+Set the default access control list policy, used in the event that
none of the explicit rules match. The default policy at startup is
-always @code{deny}
-@item acl allow <aclname> <match> [<index>]
-add a match to the access control list, allowing access. The match will
-normally be an exact username or x509 distinguished name, but can
-optionally include wildcard globs. eg @code{*@@EXAMPLE.COM} to allow
-all users in the @code{EXAMPLE.COM} kerberos realm. The match will
-normally be appended to the end of the ACL, but can be inserted
-earlier in the list if the optional @code{index} parameter is supplied.
-@item acl deny <aclname> <match> [<index>]
-add a match to the access control list, denying access. The match will
-normally be an exact username or x509 distinguished name, but can
-optionally include wildcard globs. eg @code{*@@EXAMPLE.COM} to allow
-all users in the @code{EXAMPLE.COM} kerberos realm. The match will
+always @code{deny}.
+ETEXI
+
+ { "acl_add", "sssi?", do_acl_add, "aclname match allow|deny [index]",
+ "add a match rule to the access control list" },
+STEXI
+@item acl_allow @var{aclname} @var{match} @code{allow|deny} [@var{index}]
+Add a match rule to the access control list, allowing or denying access.
+The match will normally be an exact username or x509 distinguished name,
+but can optionally include wildcard globs. eg @code{*@@EXAMPLE.COM} to
+allow all users in the @code{EXAMPLE.COM} kerberos realm. The match will
normally be appended to the end of the ACL, but can be inserted
-earlier in the list if the optional @code{index} parameter is supplied.
-@item acl remove <aclname> <match>
-remove the specified match rule from the access control list.
-@item acl reset <aclname>
-remove all matches from the access control list, and set the default
+earlier in the list if the optional @var{index} parameter is supplied.
+ETEXI
+
+ { "acl_remove", "ss", do_acl_remove, "aclname match",
+ "remove a match rule from the access control list" },
+STEXI
+@item acl_remove @var{aclname} @var{match}
+Remove the specified match rule from the access control list.
+ETEXI
+
+ { "acl_reset", "s", do_acl_reset, "aclname",
+ "reset the access control list" },
+STEXI
+@item acl_remove @var{aclname} @var{match}
+Remove all matches from the access control list, and set the default
policy back to @code{deny}.
-@end table
ETEXI
STEXI