X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=src%2Fbus-proxyd%2Fbus-policy.c;h=3cfe9befb2ffc70876264bcafec8403591b762d2;hp=2ff5d646f15a38c66bfb905a0525ade770eb75f0;hb=78f9b196ab9671ceb625cd2abf90629ed201c24f;hpb=4a3bb599609d687e0a501a748bfac491f5fb9f6c diff --git a/src/bus-proxyd/bus-policy.c b/src/bus-proxyd/bus-policy.c index 2ff5d646f..3cfe9befb 100644 --- a/src/bus-proxyd/bus-policy.c +++ b/src/bus-proxyd/bus-policy.c @@ -593,20 +593,34 @@ static int file_load(Policy *p, const char *path) { } enum { + DENY, ALLOW, DUNNO, - DENY, }; +static const char *verdict_to_string(int v) { + switch (v) { + + case DENY: + return "DENY"; + case ALLOW: + return "ALLOW"; + case DUNNO: + return "DUNNO"; + } + + return NULL; +} + struct policy_check_filter { - int class; - const struct ucred *ucred; + PolicyItemClass class; + uid_t uid; + gid_t gid; int message_type; + const char *name; const char *interface; const char *path; const char *member; - char **names_strv; - Hashmap *names_hash; }; static int is_permissive(PolicyItem *i) { @@ -625,15 +639,10 @@ static int check_policy_item(PolicyItem *i, const struct policy_check_filter *fi case POLICY_ITEM_SEND: case POLICY_ITEM_RECV: - if (i->name) { - if (filter->names_hash && !hashmap_contains(filter->names_hash, i->name)) - break; - - if (filter->names_strv && !strv_contains(filter->names_strv, i->name)) - break; - } + if (i->name && !streq_ptr(i->name, filter->name)) + break; - if (i->message_type && (i->message_type != filter->message_type)) + if ((i->message_type != 0) && (i->message_type != filter->message_type)) break; if (i->path && !streq_ptr(i->path, filter->path)) @@ -648,31 +657,29 @@ static int check_policy_item(PolicyItem *i, const struct policy_check_filter *fi return is_permissive(i); case POLICY_ITEM_OWN: - assert(filter->member); + assert(filter->name); - if (streq(i->name, filter->member)) + if (streq(i->name, "*") || streq(i->name, filter->name)) return is_permissive(i); break; case POLICY_ITEM_OWN_PREFIX: - assert(filter->member); + assert(filter->name); - if (startswith(i->name, filter->member)) + if (streq(i->name, "*") || service_name_startswith(filter->name, i->name)) return is_permissive(i); break; case POLICY_ITEM_USER: - assert(filter->ucred); - - if ((streq_ptr(i->name, "*") || (i->uid_valid && i->uid == filter->ucred->uid))) - return is_permissive(i); + if (filter->uid != (uid_t) -1) + if ((streq_ptr(i->name, "*") || (i->uid_valid && i->uid == filter->uid))) + return is_permissive(i); break; case POLICY_ITEM_GROUP: - assert(filter->ucred); - - if ((streq_ptr(i->name, "*") || (i->gid_valid && i->gid == filter->ucred->gid))) - return is_permissive(i); + if (filter->gid != (gid_t) -1) + if ((streq_ptr(i->name, "*") || (i->gid_valid && i->gid == filter->gid))) + return is_permissive(i); break; case POLICY_ITEM_IGNORE: @@ -686,135 +693,191 @@ static int check_policy_item(PolicyItem *i, const struct policy_check_filter *fi static int check_policy_items(PolicyItem *items, const struct policy_check_filter *filter) { PolicyItem *i; - int r, ret = DUNNO; + int verdict = DUNNO; assert(filter); /* Check all policies in a set - a broader one might be followed by a more specific one, * and the order of rules in policy definitions matters */ LIST_FOREACH(items, i, items) { - if (i->class != filter->class) + int v; + + if (i->class != filter->class && + !(i->class == POLICY_ITEM_OWN_PREFIX && filter->class == POLICY_ITEM_OWN)) continue; - r = check_policy_item(i, filter); - if (r != DUNNO) - ret = r; + v = check_policy_item(i, filter); + if (v != DUNNO) + verdict = v; } - return ret; + return verdict; } static int policy_check(Policy *p, const struct policy_check_filter *filter) { PolicyItem *items; - int r; + int verdict, v; assert(p); assert(filter); + assert(IN_SET(filter->class, POLICY_ITEM_SEND, POLICY_ITEM_RECV, POLICY_ITEM_OWN, POLICY_ITEM_USER, POLICY_ITEM_GROUP)); + /* * The policy check is implemented by the following logic: * - * 1. Check mandatory items. If the message matches any of these, it is decisive. - * 2. See if the passed ucred match against the user/group hashmaps. A matching entry is also decisive. - * 3. Consult the defaults if non of the above matched with a more specific rule. - * 4. If the message isn't caught be the defaults either, reject it. + * 1. Check default items + * 2. Check group items + * 3. Check user items + * 4. Check mandatory items + * + * Later rules override earlier rules. */ - r = check_policy_items(p->mandatory_items, filter); - if (r != DUNNO) - return r; + verdict = check_policy_items(p->default_items, filter); - if (filter->ucred) { - items = hashmap_get(p->user_items, UINT32_TO_PTR(filter->ucred->uid)); + if (filter->gid != (gid_t) -1) { + items = hashmap_get(p->group_items, UINT32_TO_PTR(filter->gid)); if (items) { - r = check_policy_items(items, filter); - if (r != DUNNO) - return r; + v = check_policy_items(items, filter); + if (v != DUNNO) + verdict = v; } + } - items = hashmap_get(p->group_items, UINT32_TO_PTR(filter->ucred->gid)); + if (filter->uid != (uid_t) -1) { + items = hashmap_get(p->user_items, UINT32_TO_PTR(filter->uid)); if (items) { - r = check_policy_items(items, filter); - if (r != DUNNO) - return r; + v = check_policy_items(items, filter); + if (v != DUNNO) + verdict = v; } } - return check_policy_items(p->default_items, filter); + v = check_policy_items(p->mandatory_items, filter); + if (v != DUNNO) + verdict = v; + + return verdict; } -bool policy_check_own(Policy *p, const struct ucred *ucred, const char *name) { +bool policy_check_own(Policy *p, uid_t uid, gid_t gid, const char *name) { struct policy_check_filter filter = { - .class = POLICY_ITEM_OWN, - .ucred = ucred, - .member = name, + .class = POLICY_ITEM_OWN, + .uid = uid, + .gid = gid, + .name = name, }; - return policy_check(p, &filter) == ALLOW; + int verdict; + + assert(p); + assert(name); + + verdict = policy_check(p, &filter); + + log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG), + "Ownership permission check for uid=" UID_FMT " gid=" GID_FMT" name=%s: %s", + uid, gid, strna(name), strna(verdict_to_string(verdict))); + + return verdict == ALLOW; } -bool policy_check_hello(Policy *p, const struct ucred *ucred) { +bool policy_check_hello(Policy *p, uid_t uid, gid_t gid) { struct policy_check_filter filter = { - .class = POLICY_ITEM_USER, - .ucred = ucred, + .uid = uid, + .gid = gid, }; - int user, group; + int verdict; - user = policy_check(p, &filter); - if (user == DENY) - return false; + assert(p); + + filter.class = POLICY_ITEM_USER; + verdict = policy_check(p, &filter); + + if (verdict != DENY) { + int v; + + filter.class = POLICY_ITEM_GROUP; + v = policy_check(p, &filter); + if (v != DUNNO) + verdict = v; + } - filter.class = POLICY_ITEM_GROUP; - group = policy_check(p, &filter); - if (user == DUNNO && group == DUNNO) - return false; + log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG), + "Hello permission check for uid=" UID_FMT " gid=" GID_FMT": %s", + uid, gid, strna(verdict_to_string(verdict))); - return !(user == DENY || group == DENY); + return verdict == ALLOW; } bool policy_check_recv(Policy *p, - const struct ucred *ucred, - Hashmap *names, + uid_t uid, + gid_t gid, int message_type, + const char *name, const char *path, const char *interface, const char *member) { struct policy_check_filter filter = { .class = POLICY_ITEM_RECV, - .ucred = ucred, - .names_hash = names, + .uid = uid, + .gid = gid, .message_type = message_type, + .name = name, .interface = interface, .path = path, .member = member, }; - return policy_check(p, &filter) == ALLOW; + int verdict; + + assert(p); + + verdict = policy_check(p, &filter); + + log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG), + "Recieve permission check for uid=" UID_FMT " gid=" GID_FMT" message=%s name=%s interface=%s path=%s member=%s: %s", + uid, gid, bus_message_type_to_string(message_type), strna(name), strna(path), strna(interface), strna(member), strna(verdict_to_string(verdict))); + + return verdict == ALLOW; } bool policy_check_send(Policy *p, - const struct ucred *ucred, - char **names, + uid_t uid, + gid_t gid, int message_type, + const char *name, const char *path, const char *interface, const char *member) { struct policy_check_filter filter = { .class = POLICY_ITEM_SEND, - .ucred = ucred, - .names_strv = names, + .uid = uid, + .gid = gid, .message_type = message_type, + .name = name, .interface = interface, .path = path, .member = member, }; - return policy_check(p, &filter) == ALLOW; + int verdict; + + assert(p); + + verdict = policy_check(p, &filter); + + log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG), + "Send permission check for uid=" UID_FMT " gid=" GID_FMT" message=%s name=%s interface=%s path=%s member=%s: %s", + uid, gid, bus_message_type_to_string(message_type), strna(name), strna(path), strna(interface), strna(member), strna(verdict_to_string(verdict))); + + return verdict == ALLOW; } int policy_load(Policy *p, char **files) { @@ -942,6 +1005,7 @@ static void dump_items(PolicyItem *items, const char *prefix) { printf("%sGroup: %s (%d)\n", prefix, strna(group), i->gid); } + printf("%s-\n", prefix); } }