qemu/include/authz/pamacct.h
   1/*
   2 * QEMU PAM authorization driver
   3 *
   4 * Copyright (c) 2018 Red Hat, Inc.
   5 *
   6 * This library is free software; you can redistribute it and/or
   7 * modify it under the terms of the GNU Lesser General Public
   8 * License as published by the Free Software Foundation; either
   9 * version 2.1 of the License, or (at your option) any later version.
  10 *
  11 * This library is distributed in the hope that it will be useful,
  12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14 * Lesser General Public License for more details.
  15 *
  16 * You should have received a copy of the GNU Lesser General Public
  17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
  18 *
  19 */
  20
  21#ifndef QAUTHZ_PAMACCT_H
  22#define QAUTHZ_PAMACCT_H
  23
  24#include "authz/base.h"
  25#include "qom/object.h"
  26
  27
/* QOM type name. This is the value passed as "qom-type" to object-add
 * and as the object type on the -object command line (see the
 * QAuthZPAM documentation below). */
#define TYPE_QAUTHZ_PAM "authz-pam"

/* Declares the QAuthZPAM typedef and the QAUTHZ_PAM() type-checking cast
 * macro; see qom/object.h for what OBJECT_DECLARE_SIMPLE_TYPE expands to. */
OBJECT_DECLARE_SIMPLE_TYPE(QAuthZPAM,
                           QAUTHZ_PAM)
  32
  33
  34
  35/**
  36 * QAuthZPAM:
  37 *
  38 * This authorization driver provides a PAM mechanism
  39 * for granting access by matching user names against a
  40 * list of globs. Each match rule has an associated policy
  41 * and a catch-all policy applies if no rule matches.
  42 *
  43 * To create an instance of this class via QMP:
  44 *
  45 *  {
  46 *    "execute": "object-add",
  47 *    "arguments": {
  48 *      "qom-type": "authz-pam",
  49 *      "id": "authz0",
  50 *      "parameters": {
  51 *        "service": "qemu-vnc-tls"
  52 *      }
  53 *    }
  54 *  }
  55 *
  56 * The driver only uses the PAM "account" verification
  57 * subsystem. The above config would require a config
  58 * file /etc/pam.d/qemu-vnc-tls. For a simple file
  59 * lookup it would contain
  60 *
  61 *   account requisite  pam_listfile.so item=user sense=allow \
  62 *           file=/etc/qemu/vnc.allow
  63 *
  64 * The external file would then contain a list of usernames.
  65 * If an x509 certificate were being used as the username, a
  66 * suitable entry would match its distinguished name:
  67 *
  68 *  CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB
  69 *
  70 * On the command line it can be created using
  71 *
  72 *   -object authz-pam,id=authz0,service=qemu-vnc-tls
  73 *
  74 */
struct QAuthZPAM {
    /* QOM base object; conventionally the first member of a QOM struct */
    QAuthZ parent_obj;

    /* PAM service name, e.g. "qemu-vnc-tls". It selects the
     * /etc/pam.d/<service> stack whose "account" phase is consulted
     * when a user name is checked. */
    char *service;
};
  80
  81
  82
  83
/**
 * qauthz_pam_new:
 * @id: QOM object id for the new instance (e.g. "authz0")
 * @service: PAM service name; names the /etc/pam.d/<service> config
 *           file whose "account" phase decides whether a user is allowed
 * @errp: pointer to a NULL-initialized error object
 *
 * Create a new PAM authorization driver instance. The driver only
 * uses the PAM "account" verification subsystem.
 *
 * Returns: the new instance; on failure presumably NULL with @errp
 * set — confirm against the implementation in authz/pamacct.c
 */
QAuthZPAM *qauthz_pam_new(const char *id,
                          const char *service,
                          Error **errp);
  87
  88#endif /* QAUTHZ_PAMACCT_H */