chiark / gitweb /
~ianmdlvl / elogind.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
bus: introduce concept of "const" properties
[elogind.git] / src / libsystemd-bus / bus-objects.c
diff --git a/src/libsystemd-bus/bus-objects.c b/src/libsystemd-bus/bus-objects.c
index 05a62f4a3ec6eb61883332af53b5aa25a636230e..e468025a8189f293e6db77896968096d161edbc5 100644 (file)
--- a/src/libsystemd-bus/bus-objects.c
+++ b/src/libsystemd-bus/bus-objects.c
@@ -19,6 +19,8 @@
   along with systemd; If not, see <http://www.gnu.org/licenses/>.
 ***/
 
+#include <sys/capability.h>
+
 #include "strv.h"
 #include "set.h"
 #include "bus-internal.h"
@@ -49,7 +51,7 @@ static int node_vtable_get_userdata(
                 if (r < 0)
                         return r;
                 if (sd_bus_error_is_set(error))
-                        return sd_bus_error_get_errno(error);
+                        return -sd_bus_error_get_errno(error);
                 if (r == 0)
                         return r;
         }
@@ -115,7 +117,7 @@ static int add_enumerated_to_set(
                 if (r < 0)
                         return r;
                 if (sd_bus_error_is_set(error))
-                        return sd_bus_error_get_errno(error);
+                        return -sd_bus_error_get_errno(error);
 
                 STRV_FOREACH(k, children) {
                         if (r < 0) {
@@ -264,6 +266,64 @@ static int node_callbacks_run(
         return 0;
 }
 
+#define CAPABILITY_SHIFT(x) (((x) >> __builtin_ctzll(_SD_BUS_VTABLE_CAPABILITY_MASK)) & 0xFFFF)
+
+static int check_access(sd_bus *bus, sd_bus_message *m, struct vtable_member *c, sd_bus_error *error) {
+        _cleanup_bus_creds_unref_ sd_bus_creds *creds = NULL;
+        uint64_t cap;
+        uid_t uid;
+        int r;
+
+        assert(bus);
+        assert(m);
+        assert(c);
+
+        /* If the entire bus is trusted let's grant access */
+        if (bus->trusted)
+                return 0;
+
+        /* If the member is marked UNPRIVILEGED let's grant access */
+        if (c->vtable->flags & SD_BUS_VTABLE_UNPRIVILEGED)
+                return 0;
+
+        /* If we are not connected to kdbus we cannot retrieve the
+         * effective capability set without race. Since we need this
+         * for a security decision we cannot use racy data, hence
+         * don't request it. */
+        if (bus->is_kernel)
+                r = sd_bus_query_sender_creds(m, SD_BUS_CREDS_UID|SD_BUS_CREDS_EFFECTIVE_CAPS, &creds);
+        else
+                r = sd_bus_query_sender_creds(m, SD_BUS_CREDS_UID, &creds);
+        if (r < 0)
+                return r;
+
+        /* Check have the caller has the requested capability
+         * set. Note that the flags value contains the capability
+         * number plus one, which we need to subtract here. We do this
+         * so that we have 0 as special value for "default
+         * capability". */
+        cap = CAPABILITY_SHIFT(c->vtable->flags);
+        if (cap == 0)
+                cap = CAPABILITY_SHIFT(c->parent->vtable[0].flags);
+        if (cap == 0)
+                cap = CAP_SYS_ADMIN;
+        else
+                cap --;
+
+        r = sd_bus_creds_has_effective_cap(creds, cap);
+        if (r > 0)
+                return 1;
+
+        /* Caller has same UID as us, then let's grant access */
+        r = sd_bus_creds_get_uid(creds, &uid);
+        if (r >= 0) {
+                if (uid == getuid())
+                        return 1;
+        }
+
+        return sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Access to %s.%s() not permitted.", c->interface, c->member);
+}
+
 static int method_callbacks_run(
                 sd_bus *bus,
                 sd_bus_message *m,
@@ -284,6 +344,10 @@ static int method_callbacks_run(
         if (require_fallback && !c->parent->is_fallback)
                 return 0;
 
+        r = check_access(bus, m, c, &error);
+        if (r < 0)
+                return bus_maybe_reply_error(m, r, &error);
+
         r = node_vtable_get_userdata(bus, m->path, c->parent, &u, &error);
         if (r <= 0)
                 return bus_maybe_reply_error(m, r, &error);
@@ -312,6 +376,11 @@ static int method_callbacks_run(
                                 "Invalid arguments '%s' to call %s.%s(), expecting '%s'.",
                                 signature, c->interface, c->member, strempty(c->vtable->x.method.signature));
 
+        /* Keep track what the signature of the reply to this message
+         * should be, so that this can be enforced when sealing the
+         * reply. */
+        m->enforced_reply_signature = strempty(c->vtable->x.method.result);
+
         if (c->vtable->x.method.handler) {
                 r = c->vtable->x.method.handler(bus, m, u, &error);
                 return bus_maybe_reply_error(m, r, &error);
@@ -350,7 +419,7 @@ static int invoke_property_get(
                 if (r < 0)
                         return r;
                 if (sd_bus_error_is_set(error))
-                        return sd_bus_error_get_errno(error);
+                        return -sd_bus_error_get_errno(error);
                 return r;
         }
 
@@ -406,7 +475,7 @@ static int invoke_property_set(
                 if (r < 0)
                         return r;
                 if (sd_bus_error_is_set(error))
-                        return sd_bus_error_get_errno(error);
+                        return -sd_bus_error_get_errno(error);
                 return r;
         }
 
@@ -493,6 +562,11 @@ static int property_get_set_callbacks_run(
                 if (r < 0)
                         return r;
 
+                /* Note that we do not do an access check here. Read
+                 * access to properties is always unrestricted, since
+                 * PropertiesChanged signals broadcast contents
+                 * anyway. */
+
                 r = invoke_property_get(bus, c->vtable, m->path, c->interface, c->member, reply, u, &error);
                 if (r < 0)
                         return bus_maybe_reply_error(m, r, &error);
@@ -520,6 +594,10 @@ static int property_get_set_callbacks_run(
                 if (r < 0)
                         return r;
 
+                r = check_access(bus, m, c, &error);
+                if (r < 0)
+                        return bus_maybe_reply_error(m, r, &error);
+
                 r = invoke_property_set(bus, c->vtable, m->path, c->interface, c->member, m, u, &error);
                 if (r < 0)
                         return bus_maybe_reply_error(m, r, &error);
@@ -555,10 +633,16 @@ static int vtable_append_all_properties(
         assert(path);
         assert(c);
 
+        if (c->vtable[0].flags & SD_BUS_VTABLE_HIDDEN)
+                return 1;
+
         for (v = c->vtable+1; v->type != _SD_BUS_VTABLE_END; v++) {
                 if (v->type != _SD_BUS_VTABLE_PROPERTY && v->type != _SD_BUS_VTABLE_WRITABLE_PROPERTY)
                         continue;
 
+                if (v->flags & SD_BUS_VTABLE_HIDDEN)
+                        continue;
+
                 r = sd_bus_message_open_container(reply, 'e', "sv");
                 if (r < 0)
                         return r;
@@ -747,7 +831,7 @@ static int process_introspect(
         if (bus->nodes_modified)
                 return 0;
 
-        r = introspect_begin(&intro);
+        r = introspect_begin(&intro, bus->trusted);
         if (r < 0)
                 return r;
 
@@ -775,6 +859,9 @@ static int process_introspect(
 
                 empty = false;
 
+                if (c->vtable[0].flags & SD_BUS_VTABLE_HIDDEN)
+                        continue;
+
                 if (!streq_ptr(previous_interface, c->interface)) {
 
                         if (previous_interface)
@@ -1194,12 +1281,16 @@ int bus_process_object(sd_bus *bus, sd_bus_message *m) {
         if (m->header->type != SD_BUS_MESSAGE_METHOD_CALL)
                 return 0;
 
-        if (!m->path)
+        if (hashmap_isempty(bus->nodes))
                 return 0;
 
-        if (hashmap_isempty(bus->nodes))
+        /* Never respond to broadcast messages */
+        if (bus->bus_client && !m->destination)
                 return 0;
 
+        assert(m->path);
+        assert(m->member);
+
         pl = strlen(m->path);
         do {
                 char prefix[pl+1];
@@ -1247,7 +1338,8 @@ int bus_process_object(sd_bus *bus, sd_bus_message *m) {
 static struct node *bus_node_allocate(sd_bus *bus, const char *path) {
         struct node *n, *parent;
         const char *e;
-        char *s, *p;
+        _cleanup_free_ char *s = NULL;
+        char *p;
         int r;
 
         assert(bus);
@@ -1275,10 +1367,8 @@ static struct node *bus_node_allocate(sd_bus *bus, const char *path) {
                 p = strndupa(path, MAX(1, path - e));
 
                 parent = bus_node_allocate(bus, p);
-                if (!parent) {
-                        free(s);
+                if (!parent)
                         return NULL;
-                }
         }
 
         n = new0(struct node, 1);
@@ -1287,10 +1377,11 @@ static struct node *bus_node_allocate(sd_bus *bus, const char *path) {
 
         n->parent = parent;
         n->path = s;
+        s = NULL; /* do not free */
 
-        r = hashmap_put(bus->nodes, s, n);
+        r = hashmap_put(bus->nodes, n->path, n);
         if (r < 0) {
-                free(s);
+                free(n->path);
                 free(n);
                 return NULL;
         }
@@ -1589,7 +1680,7 @@ static int add_object_vtable_internal(
                             !signature_is_valid(strempty(v->x.method.signature), false) ||
                             !signature_is_valid(strempty(v->x.method.result), false) ||
                             !(v->x.method.handler || (isempty(v->x.method.signature) && isempty(v->x.method.result))) ||
-                            v->flags & (SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE|SD_BUS_VTABLE_PROPERTY_INVALIDATE_ONLY)) {
+                            v->flags & (SD_BUS_VTABLE_PROPERTY_CONST|SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE|SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION)) {
                                 r = -EINVAL;
                                 goto fail;
                         }
@@ -1631,12 +1722,12 @@ static int add_object_vtable_internal(
                             !signature_is_single(v->x.property.signature, false) ||
                             !(v->x.property.get || bus_type_is_basic(v->x.property.signature[0]) || streq(v->x.property.signature, "as")) ||
                             v->flags & SD_BUS_VTABLE_METHOD_NO_REPLY ||
-                            (v->flags & SD_BUS_VTABLE_PROPERTY_INVALIDATE_ONLY && !(v->flags & SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE))) {
+                            (!!(v->flags & SD_BUS_VTABLE_PROPERTY_CONST) + !!(v->flags & SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE) + !!(v->flags & SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION)) > 1 ||
+                            (v->flags & SD_BUS_VTABLE_UNPRIVILEGED && v->type == _SD_BUS_VTABLE_PROPERTY)) {
                                 r = -EINVAL;
                                 goto fail;
                         }
 
-
                         m = new0(struct vtable_member, 1);
                         if (!m) {
                                 r = -ENOMEM;
@@ -1661,7 +1752,8 @@ static int add_object_vtable_internal(
                 case _SD_BUS_VTABLE_SIGNAL:
 
                         if (!member_name_is_valid(v->x.signal.member) ||
-                            !signature_is_valid(strempty(v->x.signal.signature), false)) {
+                            !signature_is_valid(strempty(v->x.signal.signature), false) ||
+                            v->flags & SD_BUS_VTABLE_UNPRIVILEGED) {
                                 r = -EINVAL;
                                 goto fail;
                         }
@@ -1920,9 +2012,10 @@ static int emit_properties_changed_on_interface(
                         if (c != v->parent)
                                 continue;
 
-                        assert_return(v->vtable->flags & SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE, -EDOM);
+                        assert_return(v->vtable->flags & SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE ||
+                                      v->vtable->flags & SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION, -EDOM);
 
-                        if (v->vtable->flags & SD_BUS_VTABLE_PROPERTY_INVALIDATE_ONLY) {
+                        if (v->vtable->flags & SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION) {
                                 has_invalidating = true;
                                 continue;
                         }
@@ -1991,7 +2084,7 @@ static int emit_properties_changed_on_interface(
                                 assert_se(v = hashmap_get(bus->vtable_properties, &key));
                                 assert(c == v->parent);
 
-                                if (!(v->vtable->flags & SD_BUS_VTABLE_PROPERTY_INVALIDATE_ONLY))
+                                if (!(v->vtable->flags & SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION))
                                         continue;
 
                                 r = sd_bus_message_append(m, "s", *property);
Unnamed repository; edit this file 'description' to name the repository.