diff options
author | Daniel Mack <zonque@gmail.com> | 2014-03-06 22:42:42 +0100 |
---|---|---|
committer | Daniel Mack <zonque@gmail.com> | 2014-03-07 19:14:05 +0100 |
commit | 54d76c92868838e17d6aad0a3bb0cc7a5b11e35f (patch) | |
tree | c094188e6eb2ac57b19bc64acc295654c160185d | |
parent | fb255b31c5f4eca821d60a2c9b1235a513f15732 (diff) |
busname: add parser for bus name policies
There are three directives to specify bus name polices in .busname
files:
* AllowUser [username] [access]
* AllowGroup [groupname] [access]
* AllowWorld [access]
Where [access] is one of
* 'see': The user/group/world is allowed to see a name on the bus
* 'talk': The user/group/world is allowed to talk to a name
* 'own': The user/group/world is allowed to own a name
There is no user added yet in this commit.
-rw-r--r-- | src/core/busname.c | 8 | ||||
-rw-r--r-- | src/core/busname.h | 34 | ||||
-rw-r--r-- | src/core/load-fragment-gperf.gperf.m4 | 4 | ||||
-rw-r--r-- | src/core/load-fragment.c | 85 | ||||
-rw-r--r-- | src/core/load-fragment.h | 1 |
5 files changed, 132 insertions, 0 deletions
diff --git a/src/core/busname.c b/src/core/busname.c index bca2145021..4806e741ca 100644 --- a/src/core/busname.c +++ b/src/core/busname.c @@ -553,6 +553,14 @@ static const char* const busname_result_table[_BUSNAME_RESULT_MAX] = { DEFINE_STRING_TABLE_LOOKUP(busname_result, BusNameResult); +static const char* const busname_policy_access_table[_BUSNAME_POLICY_ACCESS_MAX] = { + [BUSNAME_POLICY_ACCESS_SEE] = "see", + [BUSNAME_POLICY_ACCESS_TALK] = "talk", + [BUSNAME_POLICY_ACCESS_OWN] = "own", +}; + +DEFINE_STRING_TABLE_LOOKUP(busname_policy_access, BusNamePolicyAccess); + const UnitVTable busname_vtable = { .object_size = sizeof(BusName), diff --git a/src/core/busname.h b/src/core/busname.h index 6debd48551..f79f510ea2 100644 --- a/src/core/busname.h +++ b/src/core/busname.h @@ -22,6 +22,7 @@ ***/ typedef struct BusName BusName; +typedef struct BusNamePolicy BusNamePolicy; #include "unit.h" @@ -54,6 +55,36 @@ struct BusName { BusNameResult result; sd_event_source *event_source; + + LIST_HEAD(BusNamePolicy, policy); +}; + +typedef enum BusNamePolicyType { + BUSNAME_POLICY_TYPE_USER, + BUSNAME_POLICY_TYPE_GROUP, + BUSNAME_POLICY_TYPE_WORLD, + _BUSNAME_POLICY_TYPE_MAX, + _BUSNAME_POLICY_TYPE_INVALID = -1 +} BusNamePolicyType; + +typedef enum BusNamePolicyAccess { + BUSNAME_POLICY_ACCESS_SEE, + BUSNAME_POLICY_ACCESS_TALK, + BUSNAME_POLICY_ACCESS_OWN, + _BUSNAME_POLICY_ACCESS_MAX, + _BUSNAME_POLICY_ACCESS_INVALID = -1 +} BusNamePolicyAccess; + +struct BusNamePolicy { + BusNamePolicyType type; + BusNamePolicyAccess access; + + union { + uid_t uid; + gid_t gid; + }; + + LIST_FIELDS(BusNamePolicy, policy); }; extern const UnitVTable busname_vtable; @@ -63,3 +94,6 @@ BusNameState busname_state_from_string(const char *s) _pure_; const char* busname_result_to_string(BusNameResult i) _const_; BusNameResult busname_result_from_string(const char *s) _pure_; + +const char* busname_policy_access_to_string(BusNamePolicyAccess i) _const_; +BusNamePolicyAccess busname_policy_access_from_string(const char *s) _pure_; diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4 index 5604ee975d..f85d868043 100644 --- a/src/core/load-fragment-gperf.gperf.m4 +++ b/src/core/load-fragment-gperf.gperf.m4 @@ -252,6 +252,10 @@ KILL_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl m4_dnl BusName.Name, config_parse_string, 0, offsetof(BusName, name) BusName.Service, config_parse_busname_service, 0, 0 +BusName.AllowUser, config_parse_bus_policy, 0, 0 +BusName.AllowGroup, config_parse_bus_policy, 0, 0 +BusName.AllowWorld, config_parse_bus_policy, 0, 0 +BusName.SELinuxContext, config_parse_exec_selinux_context, 0, 0 m4_dnl Mount.What, config_parse_string, 0, offsetof(Mount, parameters_fragment.what) Mount.Where, config_parse_path, 0, offsetof(Mount, where) diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c index 18dab02cd7..06e3031d65 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c @@ -33,6 +33,8 @@ #include <sys/stat.h> #include <sys/time.h> #include <sys/resource.h> +#include <sys/types.h> +#include <grp.h> #ifdef HAVE_SECCOMP #include <seccomp.h> @@ -1606,6 +1608,89 @@ int config_parse_busname_service( return 0; } +int config_parse_bus_policy( + const char *unit, + const char *filename, + unsigned line, + const char *section, + unsigned section_line, + const char *lvalue, + int ltype, + const char *rvalue, + void *data, + void *userdata) { + + _cleanup_free_ BusNamePolicy *p = NULL; + _cleanup_free_ char *id_str = NULL; + BusName *busname = data; + char *access_str; + int r; + + assert(filename); + assert(lvalue); + assert(rvalue); + assert(data); + + p = new0(BusNamePolicy, 1); + if (!p) + return log_oom(); + + if (streq(lvalue, "AllowUser")) + p->type = BUSNAME_POLICY_TYPE_USER; + else if (streq(lvalue, "AllowGroup")) + p->type = BUSNAME_POLICY_TYPE_GROUP; + else if (streq(lvalue, "AllowWorld")) + p->type = BUSNAME_POLICY_TYPE_WORLD; + else + assert_not_reached("Unknown lvalue"); + + id_str = strdup(rvalue); + if (!id_str) + return log_oom(); + + if (p->type != BUSNAME_POLICY_TYPE_WORLD) { + access_str = strchr(id_str, ' '); + if (!access_str) { + log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Invalid busname policy value '%s'", rvalue); + return 0; + } + + *access_str = '\0'; + access_str++; + + if (p->type == BUSNAME_POLICY_TYPE_USER) { + const char *user = id_str; + + r = get_user_creds(&user, &p->uid, NULL, NULL, NULL); + if (r < 0) { + log_syntax(unit, LOG_ERR, filename, line, r, "Unable to parse uid from '%s'", id_str); + return 0; + } + } else { + const char *group = id_str; + + r = get_group_creds(&group, &p->gid); + if (r < 0) { + log_syntax(unit, LOG_ERR, filename, line, -errno, "Unable to parse gid from '%s'", id_str); + return 0; + } + } + } else { + access_str = id_str; + } + + p->access = busname_policy_access_from_string(access_str); + if (p->access < 0) { + log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Invalid busname policy access type '%s'", access_str); + return 0; + } + + LIST_PREPEND(policy, busname->policy, p); + p = NULL; + + return 0; +} + int config_parse_unit_env_file(const char *unit, const char *filename, unsigned line, diff --git a/src/core/load-fragment.h b/src/core/load-fragment.h index fabbda212d..35138514f3 100644 --- a/src/core/load-fragment.h +++ b/src/core/load-fragment.h @@ -64,6 +64,7 @@ int config_parse_path_spec(const char *unit, const char *filename, unsigned line int config_parse_socket_service(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); int config_parse_service_sockets(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); int config_parse_busname_service(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); +int config_parse_bus_policy(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); int config_parse_unit_env_file(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); int config_parse_ip_tos(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); int config_parse_unit_condition_path(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); |