From 57e332491e11e6f5044f7af496e12e98ff4ddfe3 Mon Sep 17 00:00:00 2001
From: Zeeshan Ali
Date: Fri, 11 Oct 2019 17:36:46 +0200
Subject: [PATCH] preflight: Ensure `crc` network is accessible from session libvirt

This is needed to be able to switch to session libvirt, which will be through machine-driver-libvirt (See https://github.com/code-ready/machine-driver-libvirt/issues/20)
---
 cmd/crc/cmd/config/config_linux.go | 2 +
 pkg/crc/preflight/preflight_checks_linux.go | 50 +++++++++++++++++++++
 pkg/crc/preflight/preflight_linux.go | 6 +++
 3 files changed, 58 insertions(+)

diff --git a/cmd/crc/cmd/config/config_linux.go b/cmd/crc/cmd/config/config_linux.go
index 60f1f80a29..b022063ae0 100644
--- a/cmd/crc/cmd/config/config_linux.go
+++ b/cmd/crc/cmd/config/config_linux.go
@@ -26,6 +26,8 @@ var (
 WarnCheckCrcNetwork = cfg.AddSetting("warn-check-crc-network", nil, []cfg.ValidationFnType{cfg.ValidateBool}, []cfg.SetFn{cfg.SuccessfullyApplied})
 SkipCheckCrcNetworkActive = cfg.AddSetting("skip-check-crc-network-active", nil, []cfg.ValidationFnType{cfg.ValidateBool}, []cfg.SetFn{cfg.SuccessfullyApplied})
 WarnCheckCrcNetworkActive = cfg.AddSetting("warn-check-crc-network-active", nil, []cfg.ValidationFnType{cfg.ValidateBool}, []cfg.SetFn{cfg.SuccessfullyApplied})
+ SkipCheckCrcBridgePermissions = cfg.AddSetting("skip-check-crc-network-permissions", nil, []cfg.ValidationFnType{cfg.ValidateBool}, []cfg.SetFn{cfg.SuccessfullyApplied})
+ WarnCheckCrcBridgePermissions = cfg.AddSetting("warn-check-crc-network-permissions", nil, []cfg.ValidationFnType{cfg.ValidateBool}, []cfg.SetFn{cfg.SuccessfullyApplied})
 SkipCheckCrcDnsmasqFile = cfg.AddSetting("skip-check-crc-dnsmasq-file", nil, []cfg.ValidationFnType{cfg.ValidateBool}, []cfg.SetFn{cfg.SuccessfullyApplied})
 WarnCheckCrcDnsmasqFile = cfg.AddSetting("warn-check-crc-dnsmasq-file", nil, []cfg.ValidationFnType{cfg.ValidateBool}, []cfg.SetFn{cfg.SuccessfullyApplied})
 SkipCheckCrcNetworkManagerConfig = cfg.AddSetting("skip-check-network-manager-config", nil, []cfg.ValidationFnType{cfg.ValidateBool}, []cfg.SetFn{cfg.SuccessfullyApplied})
diff --git a/pkg/crc/preflight/preflight_checks_linux.go b/pkg/crc/preflight/preflight_checks_linux.go
index 19320da5c8..906de39ee9 100644
--- a/pkg/crc/preflight/preflight_checks_linux.go
+++ b/pkg/crc/preflight/preflight_checks_linux.go
@@ -32,6 +32,8 @@ const (
 crcNetworkManagerConfigFile = "crc-nm-dnsmasq.conf"
 // This is defined in https://github.com/code-ready/machine-driver-libvirt/blob/master/go.mod#L5
 minSupportedLibvirtVersion = "3.4.0"
+ qemuBridgeConfigPath = "/etc/qemu/bridge.conf"
+ qemuBridgeConfigPathRHEL = "/etc/qemu-kvm/bridge.conf"
 )
 
 var (
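Review bot: The two new settings are registered under the keys `skip-check-crc-network-permissions` and `warn-check-crc-network-permissions`, but their Go identifiers say `CrcBridgePermissions`, so the user-visible name and the code name describe different things. The entries just above keep the two aligned (`SkipCheckCrcNetworkActive` with `skip-check-crc-network-active`). Because the key becomes part of the CLI surface and is what an operator sets to bypass this check, settle on one term now, e.g. `SkipCheckCrcNetworkPermissions` / `WarnCheckCrcNetworkPermissions`, and update the references in the preflight_linux.go hunk to match. The `var (` block starts and ends outside this hunk.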
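Review bot: The new path constants `qemuBridgeConfigPath` and `qemuBridgeConfigPathRHEL` carry no comment, unlike `minSupportedLibvirtVersion` directly above them. A maintainer cannot tell from the names that these appear to be the QEMU bridge ACL files that decide which bridges unprivileged users may attach to, or why two locations are probed. A two-line comment would cover it, for example `// QEMU bridge ACL file; the fix step appends to it as root.` and `// RHEL-family location of the same file, tried when the first is absent.` The `const (` block begins before this hunk.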
@@ -44,6 +46,7 @@ server=/crc.testing/192.168.130.11
 dns=dnsmasq
 `
 libvirtDriverDownloadURL = fmt.Sprintf("https://github.com/code-ready/machine-driver-libvirt/releases/download/%s/crc-driver-libvirt", libvirtDriverVersion)
+ qemuBridgeConfig = "allow crc"
 )
 
 func checkVirtualizationEnabled() (bool, error) {
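Review bot: `qemuBridgeConfig` is added to the `var (` block although it is a fixed string and nothing in this patch reassigns it. The same value is both the line appended to a root-owned file and the pattern handed to `regexp.MatchString` in the checks hunk, so it should not be mutable package state. Declaring it beside the new path constants, `qemuBridgeConfig = "allow crc"` inside `const (`, makes that explicit. The `var (` block starts outside this hunk.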
@@ -392,6 +395,53 @@ func fixLibvirtCrcNetworkActive() (bool, error) {
 return true, nil
 }
 
+func checkLibvirtCrcBridgePermissions() (bool, error) {
+ logging.Debug("Checking if 'crc' bridge has appropriate permissions setup")
+ path := qemuBridgeConfigPath
+ _, err := os.Stat(path)
+ if err != nil {
+ logging.Debug(fmt.Sprintf("Failed to open %s: %s, trying %s..", qemuBridgeConfigPath, err, qemuBridgeConfigPathRHEL))
+ path = qemuBridgeConfigPathRHEL
+ _, err := os.Stat(path)
+ if err != nil {
+ return false, fmt.Errorf("Error opening file: %s: %s", qemuBridgeConfigPathRHEL, err.Error())
+ }
+ }
+ config, err := ioutil.ReadFile(filepath.Clean(path))
+ if err != nil {
+ return false, fmt.Errorf("Error opening file: %s: %s", path, err.Error())
+ }
+ if match, _ := regexp.MatchString(qemuBridgeConfig, string(config)); !match {
+ return false, fmt.Errorf("`crc` network not allowed unprivileged access")
+ }
+ logging.Debug("'crc' bridge has appropriate permissions")
+ return true, nil
+}
+
+func fixLibvirtCrcBridgePermissions() (bool, error) {
+ logging.Debug("Fixing permissions for 'crc'")
+ path := qemuBridgeConfigPath
+ _, err := os.Stat(path)
+ if err != nil {
+ logging.Debug(fmt.Sprintf("Failed to open %s: %s, trying %s..", qemuBridgeConfigPath, err, qemuBridgeConfigPathRHEL))
+ path = qemuBridgeConfigPathRHEL
+ _, err := os.Stat(path)
+ if err != nil {
+ return false, fmt.Errorf("Error opening file: %s: %s", qemuBridgeConfigPathRHEL, err.Error())
+ }
+ }
+ err = crcos.AppendToFileAsRoot(
+ "Allow 'crc' network to be used from session libvirt",
+ fmt.Sprintf("%s\n", qemuBridgeConfig),
+ path,
+ )
+ if err != nil {
+ return false, fmt.Errorf("Failed to write to %s: %v", path, err)
+ }
+ logging.Debug("'crc' bridge now has appropriate permissions")
+ return true, nil
+}
+
 func checkCrcDnsmasqConfigFile() (bool, error) {
 logging.Debug("Checking dnsmasq configuration")
 c := []byte(crcDnsmasqConfig)
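Review bot: `regexp.MatchString(qemuBridgeConfig, string(config))` in checkLibvirtCrcBridgePermissions is an unanchored substring match, so a commented-out `# allow crc` or a rule for a different bridge such as `allow crc0` makes the check pass while `crc` itself is still not permitted. The match error is also discarded with `_`. Match a whole rule line instead, e.g. `regexp.MatchString("(?m)^[ \\t]*allow[ \\t]+crc[ \\t]*$", string(config))`, and return the error rather than ignoring it. Separately, both new functions treat any `os.Stat` failure on the first path as "file missing"; testing `os.IsNotExist(err)` would keep a permission or I/O error from silently redirecting the root-privileged append to the RHEL path. That duplicated path probe could live in one small helper shared by the check and the fix.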
diff --git a/pkg/crc/preflight/preflight_linux.go b/pkg/crc/preflight/preflight_linux.go
index 506039e989..d5c80304f1 100644
--- a/pkg/crc/preflight/preflight_linux.go
+++ b/pkg/crc/preflight/preflight_linux.go
@@ -169,6 +169,12 @@ func SetupHost(vmDriver string) {
 "Starting libvirt 'crc' network",
 config.GetBool(cmdConfig.WarnCheckCrcNetworkActive.Name),
 )
+ preflightCheckAndFix(config.GetBool(cmdConfig.SkipCheckCrcBridgePermissions.Name),
+ checkLibvirtCrcBridgePermissions,
+ fixLibvirtCrcBridgePermissions,
+ "Checking for appropriate permissions on 'crc' network",
+ config.GetBool(cmdConfig.WarnCheckCrcBridgePermissions.Name),
+ )
 preflightCheckAndFix(config.GetBool(cmdConfig.SkipCheckNetworkManagerInstalled.Name),
 checkNetworkManagerInstalled,
 fixNetworkManagerInstalled,
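Review bot: The message passed for the new entry, `"Checking for appropriate permissions on 'crc' network"`, reads like a check, whereas the preceding call passes an action (`"Starting libvirt 'crc' network"`) in the same argument position. If that argument is the text shown while the fix runs, the user is not told that setup is about to change a root-owned QEMU bridge ACL file. Something like `"Allowing 'crc' bridge in the QEMU bridge ACL file"` would describe the privileged change. SetupHost starts and ends outside the hunk, so it cannot be seen here whether a start-time check list elsewhere in the file should also include checkLibvirtCrcBridgePermissions.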