api: introduce virConnectSetIdentity for passing uid, gid, selinux info

When using the fine grained access control mechanism for APIs, when a
client connects to libvirtd, the latter will fetch the uid, gid, selinux
info of the remote client on the UNIX domain socket. This is then used
as the identity when checking ACLs.

With the new split daemons things are a bit more complicated. The user
can connect to virtproxyd, which in turn connects to virtqemud. When
virtqemud requests the identity over the UNIX domain socket, it will
get the identity that virtproxyd is running as, not the identity of
the real end user/application.

virproxyd knows what the real identity is, and needs to be able to
forward this information to virtqemud. The virConnectSetIdentity API
provides a mechanism for doing this. Obviously virtqemud should not
accept such identity overrides from any client, it must only honour it
from a trusted client, aka one running as the same uid/gid as itself.

The typed parameters exposed in the API are the same as those currently
supported by the internal virIdentity class, with a few small name
changes.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

include/libvirt/libvirt-host.h

@@ -579,6 +579,80 @@ virConnectPtr           virConnectOpenAuth      (const char *name,
                                                  unsigned int flags);
 int                     virConnectRef           (virConnectPtr conn);
 int                     virConnectClose         (virConnectPtr conn);
+
+/**
+ * VIR_CONNECT_IDENTITY_USER_NAME:
+ *
+ * The operating system user name as VIR_TYPED_PARAM_STRING.
+ */
+# define VIR_CONNECT_IDENTITY_USER_NAME "user-name"
+
+/**
+ * VIR_CONNECT_IDENTITY_UNIX_USER_ID:
+ *
+ * The UNIX user ID as VIR_TYPED_PARAM_ULLONG.
+ */
+# define VIR_CONNECT_IDENTITY_UNIX_USER_ID "unix-user-id"
+
+/**
+ * VIR_CONNECT_IDENTITY_GROUP_NAME:
+ *
+ * The operating system group name as VIR_TYPED_PARAM_STRING.
+ */
+# define VIR_CONNECT_IDENTITY_GROUP_NAME "group-name"
+
+/**
+ * VIR_CONNECT_IDENTITY_UNIX_GROUP_ID:
+ *
+ * The UNIX group ID as VIR_TYPED_PARAM_ULLONG.
+ */
+# define VIR_CONNECT_IDENTITY_UNIX_GROUP_ID "unix-group-id"
+
+/**
+ * VIR_CONNECT_IDENTITY_PROCESS_ID:
+ *
+ * The operating system process ID as VIR_TYPED_PARAM_LLONG.
+ */
+# define VIR_CONNECT_IDENTITY_PROCESS_ID "process-id"
+
+/**
+ * VIR_CONNECT_IDENTITY_PROCESS_TIME:
+ *
+ * The operating system process start time as VIR_TYPED_PARAM_ULLONG.
+ *
+ * The units the time is measured in vary according to the
+ * host operating system. On Linux this is usually clock
+ * ticks (as reported in /proc/$PID/stat field 22).
+ */
+# define VIR_CONNECT_IDENTITY_PROCESS_TIME "process-time"
+
+/**
+ * VIR_CONNECT_IDENTITY_SASL_USER_NAME:
+ *
+ * The SASL authenticated username as VIR_TYPED_PARAM_STRING
+ */
+# define VIR_CONNECT_IDENTITY_SASL_USER_NAME "sasl-user-name"
+
+/**
+ * VIR_CONNECT_IDENTITY_X509_DISTINGUISHED_NAME:
+ *
+ * The TLS x509 certificate distinguished named as VIR_TYPED_PARAM_STRING
+ */
+# define VIR_CONNECT_IDENTITY_X509_DISTINGUISHED_NAME "x509-distinguished-name"
+
+/**
+ * VIR_CONNECT_IDENTITY_SELINUX_CONTEXT:
+ *
+ * The application's SELinux context as VIR_TYPED_PARAM_STRING.
+ */
+# define VIR_CONNECT_IDENTITY_SELINUX_CONTEXT "selinux-context"
+
+
+int                     virConnectSetIdentity   (virConnectPtr conn,
+                                                 virTypedParameterPtr params,
+                                                 int nparams,
+                                                 unsigned int flags);
+
 const char *            virConnectGetType       (virConnectPtr conn);
 int                     virConnectGetVersion    (virConnectPtr conn,
                                                  unsigned long *hvVer);