Commit | Line | Data |
---|---|---|
9da480be MW |
1 | /* -*-c-*- |
2 | * | |
3 | * Policy parsing and implementation | |
4 | * | |
5 | * (c) 2012 Straylight/Edgeware | |
6 | */ | |
7 | ||
8 | /*----- Licensing notice --------------------------------------------------* | |
9 | * | |
10 | * This file is part of Yet Another Ident Daemon (YAID). | |
11 | * | |
12 | * YAID is free software; you can redistribute it and/or modify | |
13 | * it under the terms of the GNU General Public License as published by | |
14 | * the Free Software Foundation; either version 2 of the License, or | |
15 | * (at your option) any later version. | |
16 | * | |
17 | * YAID is distributed in the hope that it will be useful, | |
18 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
19 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
20 | * GNU General Public License for more details. | |
21 | * | |
22 | * You should have received a copy of the GNU General Public License | |
23 | * along with YAID; if not, write to the Free Software Foundation, | |
24 | * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | |
25 | */ | |
26 | ||
27 | /*----- Header files ------------------------------------------------------*/ | |
28 | ||
29 | #include "yaid.h" | |
30 | ||
c3794524 | 31 | /*----- Memory management -------------------------------------------------*/ |
9da480be | 32 | |
c3794524 MW |
33 | /* Initialize a policy structure. In this state, it doesn't actually have |
34 | * any resources allocated (so can be simply discarded) but it's safe to free | |
35 | * (using `free_policy'). | |
9da480be | 36 | */ |
9da480be MW |
37 | void init_policy(struct policy *p) { p->act.act = A_LIMIT; } |
38 | ||
c3794524 MW |
39 | /* Free an action structure, resetting it to a safe state. This function is |
40 | * idempotent. | |
41 | */ | |
9da480be MW |
42 | static void free_action(struct action *a) |
43 | { | |
44 | switch (a->act) { | |
45 | case A_LIE: | |
46 | xfree(a->u.lie); | |
47 | break; | |
48 | } | |
49 | a->act = A_LIMIT; | |
50 | } | |
51 | ||
c3794524 MW |
52 | /* Free a policy structure, resetting it to its freshly-initialized state. |
53 | * This function is idempotent. | |
54 | */ | |
9da480be MW |
55 | void free_policy(struct policy *p) |
56 | { free_action(&p->act); } | |
57 | ||
c3794524 MW |
58 | /*----- Diagnostics -------------------------------------------------------*/ |
59 | ||
bf4d9761 | 60 | static void print_addrpat(const struct addrops *ao, const struct addrpat *ap) |
9da480be MW |
61 | { |
62 | char buf[ADDRLEN]; | |
63 | ||
bf4d9761 MW |
64 | if (ap->len == 0) |
65 | putchar('*'); | |
66 | else { | |
67 | printf("%s/%u", | |
68 | inet_ntop(ao->af, &ap->addr, buf, sizeof(buf)), | |
69 | ap->len); | |
70 | } | |
9da480be MW |
71 | } |
72 | ||
73 | static void print_portpat(const struct portpat *pp) | |
74 | { | |
75 | if (pp->lo == 0 && pp->hi == 65535) putchar('*'); | |
76 | else if (pp->lo == pp->hi) printf("%u", pp->lo); | |
77 | else printf("%u-%u", pp->lo, pp->hi); | |
78 | } | |
79 | ||
bf4d9761 MW |
80 | static void print_sockpat(const struct addrops *ao, const struct sockpat *sp) |
81 | { print_addrpat(ao, &sp->addr); putchar(' '); print_portpat(&sp->port); } | |
9da480be | 82 | |
c039c936 MW |
83 | static void print_userpat(const struct userpat *up) |
84 | { | |
85 | if (up->lo == up->hi) printf("%d", up->lo); | |
86 | else printf("%u-%u", up->lo, up->hi); | |
87 | } | |
88 | ||
9da480be MW |
89 | static const char *const acttab[] = { |
90 | #define DEFACT(tag, name) name, | |
91 | ACTIONS(DEFACT) | |
92 | #undef DEFACT | |
93 | 0 | |
94 | }; | |
95 | ||
96 | static void print_action(const struct action *act) | |
97 | { | |
98 | assert(act->act < A_LIMIT); | |
99 | printf("%s", acttab[act->act]); | |
100 | switch (act->act) { | |
101 | case A_USER: { | |
102 | int i; | |
103 | unsigned m; | |
104 | for (i = 0, m = 1; i < A_LIMIT; i++, m <<= 1) | |
105 | if (act->u.user & m) printf(" %s", acttab[i]); | |
106 | } break; | |
107 | case A_LIE: | |
108 | printf(" %s", act->u.lie); | |
109 | break; | |
110 | } | |
111 | } | |
112 | ||
c3794524 | 113 | /* Print a policy rule to standard output. */ |
9da480be MW |
114 | void print_policy(const struct policy *p) |
115 | { | |
bf4d9761 MW |
116 | print_sockpat(p->ao, &p->sp[L]); putchar(' '); |
117 | print_sockpat(p->ao, &p->sp[R]); putchar(' '); | |
c039c936 | 118 | print_userpat(&p->up); putchar(' '); |
9da480be MW |
119 | print_action(&p->act); putchar('\n'); |
120 | } | |
121 | ||
c3794524 MW |
122 | /*----- Matching ----------------------------------------------------------*/ |
123 | ||
124 | /* Return true if the port matches the pattern. */ | |
9da480be MW |
125 | static int match_portpat(const struct portpat *pp, unsigned port) |
126 | { return (pp->lo <= port && port <= pp->hi); } | |
127 | ||
c3794524 | 128 | /* Return true if the socket matches the pattern. */ |
bf4d9761 MW |
129 | static int match_sockpat(const struct addrops *ao, |
130 | const struct sockpat *sp, const struct socket *s) | |
9da480be | 131 | { |
bf4d9761 | 132 | return (ao->match_addrpat(&sp->addr, &s->addr) && |
9da480be MW |
133 | match_portpat(&sp->port, s->port)); |
134 | } | |
135 | ||
c039c936 MW |
136 | /* Return true if the uid matches the pattern. */ |
137 | static int match_userpat(const struct userpat *up, uid_t u) | |
138 | { unsigned uu = u; return (up->lo <= uu && uu <= up->hi); } | |
139 | ||
c3794524 | 140 | /* Return true if the query matches the patterns in the policy rule. */ |
9da480be MW |
141 | int match_policy(const struct policy *p, const struct query *q) |
142 | { | |
bf4d9761 MW |
143 | return ((!p->ao || p->ao == q->ao) && |
144 | match_sockpat(q->ao, &p->sp[L], &q->s[L]) && | |
c039c936 MW |
145 | match_sockpat(q->ao, &p->sp[R], &q->s[R]) && |
146 | match_userpat(&p->up, q->u.uid)); | |
9da480be MW |
147 | } |
148 | ||
c3794524 MW |
149 | /*----- Parsing -----------------------------------------------------------*/ |
150 | ||
151 | /* Advance FP to the next line. */ | |
9da480be MW |
152 | static void nextline(FILE *fp) |
153 | { | |
154 | for (;;) { | |
155 | int ch = getc(fp); | |
156 | if (ch == '\n' || ch == EOF) break; | |
157 | } | |
158 | } | |
159 | ||
c3794524 MW |
160 | /* Scan a whitespace-separated token from FP, writing it to BUF. The token |
161 | * must fit in a buffer of size SZ, including a terminating null. Return | |
162 | * an appropriate T_* error code. | |
163 | */ | |
9da480be MW |
164 | static int scan(FILE *fp, char *buf, size_t sz) |
165 | { | |
166 | int ch; | |
167 | ||
168 | skip_ws: | |
c3794524 | 169 | /* Before we start grabbing a token proper, find out what's in store. */ |
9da480be MW |
170 | ch = getc(fp); |
171 | switch (ch) { | |
c3794524 | 172 | |
9da480be MW |
173 | case '\n': |
174 | newline: | |
c3794524 | 175 | /* Found a newline. Leave it where it is and report it. */ |
9da480be MW |
176 | ungetc(ch, fp); |
177 | return (T_EOL); | |
c3794524 | 178 | |
9da480be MW |
179 | case EOF: |
180 | eof: | |
c3794524 | 181 | /* Found end-of-file, or an I/O error. Return an appropriate code. */ |
9da480be | 182 | return (ferror(fp) ? T_ERROR : T_EOF); |
c3794524 | 183 | |
9da480be | 184 | case '#': |
c3794524 MW |
185 | /* Found a comment. Consume it, and continue appropriately: it must |
186 | * be terminated either by a newline or end-of-file. | |
187 | */ | |
9da480be MW |
188 | for (;;) { |
189 | ch = getc(fp); | |
190 | if (ch == '\n') goto newline; | |
191 | else if (ch == EOF) goto eof; | |
192 | } | |
c3794524 | 193 | |
9da480be | 194 | default: |
c3794524 MW |
195 | /* Whitespace means we just continue around. Anything else and we |
196 | * start snarfing. | |
197 | */ | |
9da480be MW |
198 | if (isspace(ch)) goto skip_ws; |
199 | break; | |
200 | } | |
201 | ||
202 | for (;;) { | |
c3794524 MW |
203 | |
204 | /* If there's buffer space left, store the character. */ | |
9da480be | 205 | if (sz) { *buf++ = ch; sz--; } |
c3794524 MW |
206 | |
207 | /* Get a new one, and find out what to do about it. */ | |
9da480be MW |
208 | ch = getc(fp); |
209 | switch (ch) { | |
210 | case '\n': | |
211 | ungetc(ch, fp); | |
212 | goto done; | |
213 | case EOF: | |
214 | goto done; | |
215 | default: | |
216 | if (isspace(ch)) goto done; | |
217 | break; | |
218 | } | |
219 | } | |
220 | ||
221 | done: | |
c3794524 MW |
222 | /* If there's no space for a terminating null then report an error. */ |
223 | if (!sz) return (T_ERROR); | |
224 | ||
225 | /* All done. */ | |
226 | *buf++ = 0; sz--; | |
227 | return (T_OK); | |
9da480be MW |
228 | } |
229 | ||
c3794524 MW |
230 | /* Parse an action name, storing the code in *ACT. Return an appropriate T_* |
231 | * code. | |
232 | */ | |
9da480be MW |
233 | static int parse_actname(FILE *fp, unsigned *act) |
234 | { | |
235 | char buf[32]; | |
236 | int t; | |
237 | const char *const *p; | |
238 | ||
239 | if ((t = scan(fp, buf, sizeof(buf))) != 0) return (t); | |
240 | for (p = acttab; *p; p++) | |
241 | if (strcmp(buf, *p) == 0) { *act = p - acttab; return (0); } | |
242 | return (T_ERROR); | |
243 | } | |
244 | ||
c3794524 | 245 | /* Parse an action, returning a T_* code. */ |
9da480be MW |
246 | static int parse_action(FILE *fp, struct action *act) |
247 | { | |
248 | char buf[32]; | |
249 | int t; | |
250 | unsigned a; | |
251 | unsigned long m; | |
252 | ||
c3794524 | 253 | /* Collect the action name. */ |
9da480be | 254 | if ((t = parse_actname(fp, &a)) != 0) return (t); |
c3794524 MW |
255 | |
256 | /* Parse parameters, if there are any. */ | |
9da480be | 257 | switch (a) { |
c3794524 | 258 | |
9da480be | 259 | case A_USER: |
c3794524 | 260 | /* `user ACTION ACTION ...': store permitted actions in a bitmask. */ |
9da480be MW |
261 | m = 0; |
262 | for (;;) { | |
263 | if ((t = parse_actname(fp, &a)) != 0) break; | |
02591975 | 264 | if (a == A_USER) return (T_ERROR); |
9da480be MW |
265 | m |= (1 << a); |
266 | } | |
267 | if (t != T_EOL && t != T_EOF) return (t); | |
268 | act->act = A_USER; | |
269 | act->u.user = m; | |
270 | break; | |
c3794524 | 271 | |
9da480be MW |
272 | case A_TOKEN: |
273 | case A_NAME: | |
274 | case A_DENY: | |
275 | case A_HIDE: | |
c3794524 | 276 | /* Dull actions which don't accept parameters. */ |
9da480be MW |
277 | act->act = a; |
278 | break; | |
c3794524 | 279 | |
9da480be | 280 | case A_LIE: |
c3794524 | 281 | /* `lie NAME': store the string we're to report. */ |
9da480be MW |
282 | if ((t = scan(fp, buf, sizeof(buf))) != 0) return (t); |
283 | act->act = a; | |
284 | act->u.lie = xstrdup(buf); | |
285 | break; | |
286 | } | |
c3794524 MW |
287 | |
288 | /* Make sure we've reached the end of the line. */ | |
9da480be MW |
289 | t = scan(fp, buf, sizeof(buf)); |
290 | if (t != T_EOF && t != T_EOL) { | |
291 | free_action(act); | |
292 | return (T_ERROR); | |
293 | } | |
c3794524 MW |
294 | |
295 | /* Done. */ | |
9da480be MW |
296 | return (0); |
297 | } | |
298 | ||
c3794524 MW |
299 | /* Parse an address pattern, writing it to AP. If the pattern has an |
300 | * identifiable address family, update *AOP to point to its operations table; | |
301 | * if *AOP is already set to something different then report an error. | |
302 | */ | |
303 | static int parse_addrpat(FILE *fp, const struct addrops **aop, | |
304 | struct addrpat *ap) | |
9da480be MW |
305 | { |
306 | char buf[64]; | |
307 | int t; | |
bf4d9761 | 308 | const struct addrops *ao; |
9da480be MW |
309 | long n; |
310 | char *delim; | |
311 | ||
c3794524 | 312 | /* Scan a token for the address pattern. */ |
9da480be | 313 | if ((t = scan(fp, buf, sizeof(buf))) != 0) return (t); |
c3794524 MW |
314 | |
315 | /* If this is a wildcard, then leave everything as it is. */ | |
316 | if (strcmp(buf, "*") == 0) { | |
317 | ap->len = 0; | |
318 | return (T_OK); | |
9da480be MW |
319 | } |
320 | ||
c3794524 MW |
321 | /* Decide what kind of address this must be. A bit grim, sorry. */ |
322 | if (strchr(buf, ':')) | |
323 | ao = &addroptab[ADDR_IPV6]; | |
324 | else | |
325 | ao = &addroptab[ADDR_IPV4]; | |
326 | ||
327 | /* Update the caller's idea of the address family in use. */ | |
328 | if (!*aop) *aop = ao; | |
329 | else if (*aop != ao) return (T_ERROR); | |
330 | ||
331 | /* See whether there's a prefix length. If so, clobber it. */ | |
332 | delim = strchr(buf, '/'); | |
333 | if (delim) *delim++ = 0; | |
334 | ||
335 | /* Parse the address. */ | |
336 | if (!inet_pton(ao->af, buf, &ap->addr)) return (T_ERROR); | |
337 | ||
338 | /* Parse the prefix length, or use the maximum one. */ | |
339 | if (!delim) n = ao->len; | |
340 | else n = strtol(delim, 0, 10); | |
341 | if (n < 0 || n > ao->len) return (T_ERROR); | |
342 | ap->len = n; | |
343 | ||
344 | /* Done. */ | |
345 | return (T_OK); | |
346 | } | |
347 | ||
348 | static int parse_portpat(FILE *fp, struct portpat *pp) | |
349 | { | |
350 | char buf[64]; | |
351 | int t; | |
352 | long n; | |
353 | char *delim; | |
354 | ||
355 | /* Parse a token for the pattern. */ | |
9da480be | 356 | if ((t = scan(fp, buf, sizeof(buf))) != 0) return (T_ERROR); |
c3794524 MW |
357 | |
358 | /* If this is a wildcard, then we're done. */ | |
9da480be | 359 | if (strcmp(buf, "*") == 0) { |
c3794524 MW |
360 | pp->lo = 0; |
361 | pp->hi = 65535; | |
362 | return (T_OK); | |
9da480be | 363 | } |
c3794524 MW |
364 | |
365 | /* Find a range delimiter. */ | |
366 | delim = strchr(buf, '-'); | |
367 | if (delim) *delim++ = 0; | |
368 | ||
369 | /* Parse the only or low end of the range. */ | |
370 | n = strtol(buf, 0, 0); | |
371 | if (n < 0 || n > 65535) return (T_ERROR); | |
372 | pp->lo = n; | |
373 | ||
374 | /* If there's no delimiter, then the high end is equal to the low end; | |
375 | * otherwise, parse the high end. | |
376 | */ | |
377 | if (!delim) | |
378 | pp->hi = n; | |
379 | else { | |
380 | n = strtol(delim, 0, 0); | |
381 | if (n < pp->lo || n > 65535) return (T_ERROR); | |
382 | pp->hi = n; | |
383 | } | |
384 | ||
385 | /* Done. */ | |
386 | return (T_OK); | |
9da480be MW |
387 | } |
388 | ||
c3794524 MW |
389 | /* Parse a socket pattern, writing it to SP. */ |
390 | static int parse_sockpat(FILE *fp, const struct addrops **aop, | |
391 | struct sockpat *sp) | |
392 | { | |
393 | int t; | |
394 | ||
395 | if ((t = parse_addrpat(fp, aop, &sp->addr)) != 0) return (t); | |
396 | if ((t = parse_portpat(fp, &sp->port)) != 0) return (T_ERROR); | |
397 | return (T_OK); | |
398 | } | |
399 | ||
c039c936 MW |
400 | /* Parse a user pattern, writing it to UP. */ |
401 | static int parse_userpat(FILE *fp, struct userpat *up) | |
402 | { | |
403 | struct passwd *pw; | |
404 | char buf[32]; | |
405 | int t; | |
406 | char *delim; | |
407 | ||
408 | if ((t = scan(fp, buf, sizeof(buf))) != 0) return (t); | |
409 | if (!strcmp(buf, "*")) { up->lo = 0; up->hi = UINT_MAX; } | |
410 | else if ((pw = getpwnam(buf)) != 0) up->lo = up->hi = pw->pw_uid; | |
411 | else { | |
412 | if ((delim = strchr(buf, '-')) != 0) *delim++ = 0; | |
413 | up->lo = strtoul(buf, 0, 0); | |
414 | if (!delim) up->hi = up->lo; | |
415 | else if (!*delim) up->hi = UINT_MAX; | |
416 | else up->hi = strtoul(delim, 0, 0); | |
417 | } | |
418 | return (0); | |
419 | } | |
420 | ||
c3794524 MW |
421 | /* Parse a policy rule line, writing it to P. */ |
422 | static int parse_policy(FILE *fp, struct policy *p) | |
9da480be MW |
423 | { |
424 | int t; | |
425 | ||
bf4d9761 | 426 | p->ao = 0; |
9da480be MW |
427 | free_policy(p); |
428 | ||
bf4d9761 MW |
429 | if ((t = parse_sockpat(fp, &p->ao, &p->sp[L])) != 0) goto fail; |
430 | if ((t = parse_sockpat(fp, &p->ao, &p->sp[R])) != 0) goto err; | |
c039c936 | 431 | if ((t = parse_userpat(fp, &p->up)) != 0) goto err; |
9da480be MW |
432 | if ((t = parse_action(fp, &p->act)) != 0) goto err; |
433 | return (0); | |
434 | ||
435 | err: | |
436 | t = T_ERROR; | |
437 | fail: | |
438 | free_policy(p); | |
439 | return (t); | |
440 | } | |
441 | ||
c3794524 MW |
442 | /* Open a policy file by NAME. The description WHAT and query Q are used for |
443 | * formatting error messages for the log. | |
7164a50b MW |
444 | * |
445 | * This function is somewhat careful only to read from actual regular files, | |
446 | * though (if the filesystem object identified by NAME is a symlink, say) it | |
447 | * might open a device node or other exotic thing without reading it. This | |
448 | * is likely harmless, since we're running as an unprivileged user anyway. | |
c3794524 | 449 | */ |
9da480be | 450 | int open_policy_file(struct policy_file *pf, const char *name, |
17272ab8 | 451 | const char *what, const struct query *q, unsigned f) |
9da480be | 452 | { |
c74afd8a MW |
453 | struct stat st; |
454 | ||
9da480be | 455 | if ((pf->fp = fopen(name, "r")) == 0) { |
17272ab8 MW |
456 | if (errno != ENOENT || !(f & OPF_NOENTOK)) { |
457 | logmsg(q, LOG_ERR, "failed to open %s `%s': %s", | |
458 | what, name, strerror(errno)); | |
459 | } | |
c74afd8a MW |
460 | goto err_0; |
461 | } | |
462 | ||
463 | if (fstat(fileno(pf->fp), &st)) { | |
464 | logmsg(q, LOG_ERR, "failed to read information about %s `%s': %s", | |
465 | what, name, strerror(errno)); | |
466 | goto err_1; | |
467 | } | |
468 | if (!S_ISREG(st.st_mode)) { | |
469 | logmsg(q, LOG_ERR, "object `%s', used as %s, is not a regular file", | |
470 | name, what); | |
471 | goto err_1; | |
9da480be MW |
472 | } |
473 | ||
474 | pf->name = name; | |
475 | pf->what = what; | |
476 | pf->q = q; | |
477 | pf->err = 0; | |
478 | pf->lno = 0; | |
479 | init_policy(&pf->p); | |
480 | return (0); | |
c74afd8a MW |
481 | |
482 | err_1: | |
483 | fclose(pf->fp); | |
484 | err_0: | |
485 | return (-1); | |
9da480be MW |
486 | } |
487 | ||
c3794524 MW |
488 | /* Read a policy rule from the file, storing it in PF->p. Return one of the |
489 | * T_* codes. | |
490 | */ | |
9da480be MW |
491 | int read_policy_file(struct policy_file *pf) |
492 | { | |
493 | int t; | |
494 | ||
495 | for (;;) { | |
496 | pf->lno++; | |
497 | t = parse_policy(pf->fp, &pf->p); | |
498 | switch (t) { | |
499 | case T_OK: | |
b9eb1a36 | 500 | case T_EOL: |
9da480be | 501 | nextline(pf->fp); |
b9eb1a36 | 502 | return (t); |
9da480be MW |
503 | case T_ERROR: |
504 | logmsg(pf->q, LOG_ERR, "%s:%d: parse error in %s", | |
505 | pf->name, pf->lno, pf->what); | |
506 | pf->err = 1; | |
b9eb1a36 | 507 | return (t); |
9da480be MW |
508 | case T_EOF: |
509 | if (ferror(pf->fp)) { | |
510 | logmsg(pf->q, LOG_ERR, "failed to read %s `%s': %s", | |
511 | pf->what, pf->name, strerror(errno)); | |
512 | } | |
b9eb1a36 | 513 | return (t); |
9da480be MW |
514 | default: |
515 | abort(); | |
516 | } | |
517 | } | |
518 | } | |
519 | ||
c3794524 MW |
520 | /* Close a policy file. It doesn't matter whether the file was completely |
521 | * read. | |
522 | */ | |
9da480be MW |
523 | void close_policy_file(struct policy_file *pf) |
524 | { | |
525 | fclose(pf->fp); | |
526 | free_policy(&pf->p); | |
527 | } | |
528 | ||
c3794524 MW |
529 | /* Load a policy file, writing a vector of records into PV. If the policy |
530 | * file has errors, then leave PV unchanged and return nonzero. | |
531 | */ | |
9da480be MW |
532 | int load_policy_file(const char *file, policy_v *pv) |
533 | { | |
534 | struct policy_file pf; | |
535 | policy_v v = DA_INIT; | |
b9eb1a36 | 536 | int t = 0; |
9da480be | 537 | |
17272ab8 | 538 | if (open_policy_file(&pf, file, "policy file", 0, 0)) |
9da480be | 539 | return (-1); |
b9eb1a36 MW |
540 | while ((t = read_policy_file(&pf)) < T_EOF) { |
541 | if (t == T_OK) { | |
542 | DA_PUSH(&v, pf.p); | |
543 | init_policy(&pf.p); | |
544 | } | |
9da480be MW |
545 | } |
546 | close_policy_file(&pf); | |
547 | if (!pf.err) { | |
548 | DA_DESTROY(pv); | |
549 | *pv = v; | |
550 | return (0); | |
551 | } else { | |
552 | DA_DESTROY(&v); | |
553 | return (-1); | |
554 | } | |
555 | } | |
556 | ||
557 | /*----- That's all, folks -------------------------------------------------*/ |