X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fbus-proxyd%2Fbus-policy.c;h=15acae2a38f51db271f20c345ffb3c92947b4c2c;hb=da927ba997d68401563b927f92e6e40e021a8e5c;hp=151d679f6b85bee97833b4148bf71e1180d33485;hpb=38349552d8d6418229fee9ee68b1f470b4ad7a52;p=elogind.git diff --git a/src/bus-proxyd/bus-policy.c b/src/bus-proxyd/bus-policy.c index 151d679f6..15acae2a3 100644 --- a/src/bus-proxyd/bus-policy.c +++ b/src/bus-proxyd/bus-policy.c @@ -95,7 +95,7 @@ static int file_load(Policy *p, const char *path) { if (r == -EISDIR) return r; - log_error("Failed to load %s: %s", path, strerror(-r)); + log_error_errno(r, "Failed to load %s: %m", path); return r; } @@ -106,7 +106,7 @@ static int file_load(Policy *p, const char *path) { t = xml_tokenize(&q, &name, &xml_state, &line); if (t < 0) { - log_error("XML parse failure in %s: %s", path, strerror(-t)); + log_error_errno(t, "XML parse failure in %s: %m", path); return t; } @@ -358,7 +358,7 @@ static int file_load(Policy *p, const char *path) { r = get_user_creds(&u, &i->uid, NULL, NULL, NULL); if (r < 0) { - log_error("Failed to resolve user %s, ignoring policy: %s", u, strerror(-r)); + log_error_errno(r, "Failed to resolve user %s, ignoring policy: %m", u); free(i); } else { PolicyItem *first; @@ -390,7 +390,7 @@ static int file_load(Policy *p, const char *path) { r = get_group_creds(&g, &i->gid); if (r < 0) { - log_error("Failed to resolve group %s, ignoring policy: %s", g, strerror(-r)); + log_error_errno(r, "Failed to resolve group %s, ignoring policy: %m", g); free(i); } else { PolicyItem *first; @@ -533,7 +533,7 @@ static int file_load(Policy *p, const char *path) { r = get_user_creds(&u, &i->uid, NULL, NULL, NULL); if (r < 0) - log_error("Failed to resolve user %s: %s", name, strerror(-r)); + log_error_errno(r, "Failed to resolve user %s: %m", name); else i->uid_valid = true; } @@ -544,7 +544,7 @@ static int file_load(Policy *p, const char *path) { r = get_group_creds(&g, &i->gid); if (r < 0) - log_error("Failed to resolve group %s: %s", name, strerror(-r)); + log_error_errno(r, "Failed to resolve group %s: %m", name); else i->gid_valid = true; } @@ -592,94 +592,94 @@ static int file_load(Policy *p, const char *path) { } } -static bool is_matching_name_request(sd_bus_message *m, const char *name, bool prefix) { - - char *n = NULL; - int r; - - if (!sd_bus_message_is_method_call(m, "org.freedesktop.DBus", "RequestName")) - return false; +enum { + DENY, + ALLOW, + DUNNO, +}; - r = sd_bus_message_read(m, "s", &n); - if (r < 0) - return false; +static const char *verdict_to_string(int v) { + switch (v) { - r = sd_bus_message_rewind(m, true); - if (r < 0) - return false; + case DENY: + return "DENY"; + case ALLOW: + return "ALLOW"; + case DUNNO: + return "DUNNO"; + } - if (prefix) - return startswith(name, n); - else - return streq_ptr(name, n); + return NULL; } -static bool is_matching_call(PolicyItem *i, sd_bus_message *m, const char *name) { +struct policy_check_filter { + PolicyItemClass class; + uid_t uid; + gid_t gid; + int message_type; + const char *name; + const char *interface; + const char *path; + const char *member; +}; - if (i->message_type && (i->message_type != m->header->type)) - return false; +static int is_permissive(PolicyItem *i) { - if (i->path && (!m->path || !streq(i->path, m->path))) - return false; + assert(i); - if (i->member && (!m->member || !streq(i->member, m->member))) - return false; + return (i->type == POLICY_ITEM_ALLOW) ? ALLOW : DENY; +} - if (i->interface && (!m->interface || !streq(i->interface, m->interface))) - return false; +static int check_policy_item(PolicyItem *i, const struct policy_check_filter *filter) { - if (i->name && (!name || !streq(i->name, name))) - return false; + assert(i); + assert(filter); - return true; -} + switch (i->class) { + case POLICY_ITEM_SEND: + case POLICY_ITEM_RECV: -enum { - ALLOW, - DUNNO, - DENY, -}; + if (i->name && !streq_ptr(i->name, filter->name)) + break; -static int is_permissive(PolicyItem *i) { + if ((i->message_type != 0) && (i->message_type != filter->message_type)) + break; - return (i->type == POLICY_ITEM_ALLOW) ? ALLOW : DENY; -} + if (i->path && !streq_ptr(i->path, filter->path)) + break; -static int check_policy_item(PolicyItem *i, sd_bus_message *m, const struct ucred *ucred) { + if (i->member && !streq_ptr(i->member, filter->member)) + break; - switch (i->class) { - case POLICY_ITEM_SEND: - if ((m->bus->is_kernel && is_matching_call(i, m, m->destination)) || - (!m->bus->is_kernel && is_matching_call(i, m, m->sender))) - return is_permissive(i); - break; + if (i->interface && !streq_ptr(i->interface, filter->interface)) + break; - case POLICY_ITEM_RECV: - if ((m->bus->is_kernel && is_matching_call(i, m, m->sender)) || - (!m->bus->is_kernel && is_matching_call(i, m, m->destination))) - return is_permissive(i); - break; + return is_permissive(i); case POLICY_ITEM_OWN: - if (is_matching_name_request(m, i->name, false)) + assert(filter->name); + + if (streq(i->name, "*") || streq(i->name, filter->name)) return is_permissive(i); break; case POLICY_ITEM_OWN_PREFIX: - if (is_matching_name_request(m, i->name, true)) + assert(filter->name); + + if (streq(i->name, "*") || service_name_startswith(filter->name, i->name)) return is_permissive(i); break; case POLICY_ITEM_USER: - if (sd_bus_message_is_method_call(m, "org.freedesktop.DBus", "Hello") && - (streq_ptr(i->name, "*") || (i->uid_valid && i->uid == ucred->uid))) - return is_permissive(i); + if (filter->uid != (uid_t) -1) + if ((streq_ptr(i->name, "*") || (i->uid_valid && i->uid == filter->uid))) + return is_permissive(i); break; case POLICY_ITEM_GROUP: - if (sd_bus_message_is_method_call(m, "org.freedesktop.DBus", "Hello") && - (streq_ptr(i->name, "*") || (i->gid_valid && i->gid == ucred->gid))) - return is_permissive(i); + if (filter->gid != (gid_t) -1) + if ((streq_ptr(i->name, "*") || (i->gid_valid && i->gid == filter->gid))) + return is_permissive(i); break; case POLICY_ITEM_IGNORE: @@ -690,61 +690,194 @@ static int check_policy_item(PolicyItem *i, sd_bus_message *m, const struct ucre return DUNNO; } -static int check_policy_items(PolicyItem *items, sd_bus_message *m, const struct ucred *ucred) { +static int check_policy_items(PolicyItem *items, const struct policy_check_filter *filter) { PolicyItem *i; - int r, ret = DUNNO; + int verdict = DUNNO; + + assert(filter); /* Check all policies in a set - a broader one might be followed by a more specific one, * and the order of rules in policy definitions matters */ LIST_FOREACH(items, i, items) { - r = check_policy_item(i, m, ucred); - if (r != DUNNO) - ret = r; + int v; + + if (i->class != filter->class && + !(i->class == POLICY_ITEM_OWN_PREFIX && filter->class == POLICY_ITEM_OWN)) + continue; + + v = check_policy_item(i, filter); + if (v != DUNNO) + verdict = v; } - return ret; + return verdict; } -bool policy_check(Policy *p, sd_bus_message *m, const struct ucred *ucred) { +static int policy_check(Policy *p, const struct policy_check_filter *filter) { PolicyItem *items; - int r; + int verdict, v; + + assert(p); + assert(filter); + + assert(IN_SET(filter->class, POLICY_ITEM_SEND, POLICY_ITEM_RECV, POLICY_ITEM_OWN, POLICY_ITEM_USER, POLICY_ITEM_GROUP)); /* * The policy check is implemented by the following logic: * - * 1. Check mandatory items. If the message matches any of these, it is decisive. - * 2. See if the passed ucred match against the user/group hashmaps. A matching entry is also decisive. - * 3. Consult the defaults if non of the above matched with a more specific rule. - * 4. If the message isn't caught be the defaults either, reject it. + * 1. Check default items + * 2. Check group items + * 3. Check user items + * 4. Check mandatory items + * + * Later rules override earlier rules. */ - r = check_policy_items(p->mandatory_items, m, ucred); - if (r != DUNNO) - return r == ALLOW; + verdict = check_policy_items(p->default_items, filter); - if (ucred->pid > 0) { - items = hashmap_get(p->user_items, UINT32_TO_PTR(ucred->uid)); + if (filter->gid != (gid_t) -1) { + items = hashmap_get(p->group_items, UINT32_TO_PTR(filter->gid)); if (items) { - r = check_policy_items(items, m, ucred); - if (r != DUNNO) - return r == ALLOW; + v = check_policy_items(items, filter); + if (v != DUNNO) + verdict = v; } + } - items = hashmap_get(p->group_items, UINT32_TO_PTR(ucred->gid)); + if (filter->uid != (uid_t) -1) { + items = hashmap_get(p->user_items, UINT32_TO_PTR(filter->uid)); if (items) { - r = check_policy_items(items, m, ucred); - if (r != DUNNO) - return r == ALLOW; + v = check_policy_items(items, filter); + if (v != DUNNO) + verdict = v; } } - r = check_policy_items(p->default_items, m, ucred); - if (r != DUNNO) - return r == ALLOW; + v = check_policy_items(p->mandatory_items, filter); + if (v != DUNNO) + verdict = v; + + return verdict; +} + +bool policy_check_own(Policy *p, uid_t uid, gid_t gid, const char *name) { + + struct policy_check_filter filter = { + .class = POLICY_ITEM_OWN, + .uid = uid, + .gid = gid, + .name = name, + }; + + int verdict; + + assert(p); + assert(name); + + verdict = policy_check(p, &filter); + + log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG), + "Ownership permission check for uid=" UID_FMT " gid=" GID_FMT" name=%s: %s", + uid, gid, strna(name), strna(verdict_to_string(verdict))); + + return verdict == ALLOW; +} + +bool policy_check_hello(Policy *p, uid_t uid, gid_t gid) { + + struct policy_check_filter filter = { + .uid = uid, + .gid = gid, + }; + int verdict; + + assert(p); + + filter.class = POLICY_ITEM_USER; + verdict = policy_check(p, &filter); + + if (verdict != DENY) { + int v; + + filter.class = POLICY_ITEM_GROUP; + v = policy_check(p, &filter); + if (v != DUNNO) + verdict = v; + } + + log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG), + "Hello permission check for uid=" UID_FMT " gid=" GID_FMT": %s", + uid, gid, strna(verdict_to_string(verdict))); + + return verdict == ALLOW; +} + +bool policy_check_recv(Policy *p, + uid_t uid, + gid_t gid, + int message_type, + const char *name, + const char *path, + const char *interface, + const char *member) { + + struct policy_check_filter filter = { + .class = POLICY_ITEM_RECV, + .uid = uid, + .gid = gid, + .message_type = message_type, + .name = name, + .interface = interface, + .path = path, + .member = member, + }; + + int verdict; + + assert(p); + + verdict = policy_check(p, &filter); + + log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG), + "Recieve permission check for uid=" UID_FMT " gid=" GID_FMT" message=%s name=%s interface=%s path=%s member=%s: %s", + uid, gid, bus_message_type_to_string(message_type), strna(name), strna(path), strna(interface), strna(member), strna(verdict_to_string(verdict))); + + return verdict == ALLOW; +} + +bool policy_check_send(Policy *p, + uid_t uid, + gid_t gid, + int message_type, + const char *name, + const char *path, + const char *interface, + const char *member) { + + struct policy_check_filter filter = { + .class = POLICY_ITEM_SEND, + .uid = uid, + .gid = gid, + .message_type = message_type, + .name = name, + .interface = interface, + .path = path, + .member = member, + }; + + int verdict; + + assert(p); + + verdict = policy_check(p, &filter); + + log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG), + "Send permission check for uid=" UID_FMT " gid=" GID_FMT" message=%s name=%s interface=%s path=%s member=%s: %s", + uid, gid, bus_message_type_to_string(message_type), strna(name), strna(path), strna(interface), strna(member), strna(verdict_to_string(verdict))); - return false; + return verdict == ALLOW; } int policy_load(Policy *p, char **files) { @@ -762,7 +895,7 @@ int policy_load(Policy *p, char **files) { r = conf_files_list(&l, ".conf", NULL, *i, NULL); if (r < 0) { - log_error("Failed to get configuration file list: %s", strerror(-r)); + log_error_errno(r, "Failed to get configuration file list: %m"); return r; } @@ -872,6 +1005,7 @@ static void dump_items(PolicyItem *items, const char *prefix) { printf("%sGroup: %s (%d)\n", prefix, strna(group), i->gid); } + printf("%s-\n", prefix); } }