diff options
| author | Lennart Poettering <lennart@poettering.net> | 2013-11-28 17:50:02 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2013-11-28 18:42:18 +0100 |
| commit | 5b12334d35eadf1f45cc3d631fd1a2e72ffaea0a (patch) | |
| tree | 55682fbecfeb705adfaf0f78fd76f5c8dc219b1b /src/libsystemd-bus/sd-bus.c | |
| parent | 70f75a523b16ad495a7791d595ee3eececf75953 (diff) | |
bus: add new sd_bus_creds object to encapsulate process credentials
This way we can unify handling of credentials that are attached to
messages, or can be queried for bus name owners or connection peers.
This also adds the ability to extend incomplete credential information
with data from /proc,
Also, provide a convenience call that will automatically determine the
most appropriate credential object for an incoming message, by using the
the attached information if possible, the sending name information if
available and otherwise the peer's credentials.
Diffstat (limited to 'src/libsystemd-bus/sd-bus.c')
| -rw-r--r-- | src/libsystemd-bus/sd-bus.c | 120 |
1 files changed, 64 insertions, 56 deletions
diff --git a/src/libsystemd-bus/sd-bus.c b/src/libsystemd-bus/sd-bus.c index 49a2abc73b..97a8c683bb 100644 --- a/src/libsystemd-bus/sd-bus.c +++ b/src/libsystemd-bus/sd-bus.c @@ -283,75 +283,38 @@ _public_ int sd_bus_negotiate_attach_timestamp(sd_bus *bus, int b) { return 0; } -_public_ int sd_bus_negotiate_attach_creds(sd_bus *bus, int b) { +_public_ int sd_bus_negotiate_attach_creds(sd_bus *bus, uint64_t mask) { assert_return(bus, -EINVAL); + assert_return(mask <= _SD_BUS_CREDS_MAX, -EINVAL); assert_return(bus->state == BUS_UNSET, -EPERM); assert_return(!bus_pid_changed(bus), -ECHILD); - SET_FLAG(bus->hello_flags, KDBUS_HELLO_ATTACH_CREDS, b); - return 0; -} + SET_FLAG(bus->hello_flags, KDBUS_HELLO_ATTACH_CREDS, + !!(mask & (SD_BUS_CREDS_UID|SD_BUS_CREDS_GID|SD_BUS_CREDS_PID|SD_BUS_CREDS_PID_STARTTIME|SD_BUS_CREDS_TID))); -_public_ int sd_bus_negotiate_attach_comm(sd_bus *bus, int b) { - assert_return(bus, -EINVAL); - assert_return(bus->state == BUS_UNSET, -EPERM); - assert_return(!bus_pid_changed(bus), -ECHILD); + SET_FLAG(bus->hello_flags, KDBUS_HELLO_ATTACH_COMM, + !!(mask & (SD_BUS_CREDS_COMM|SD_BUS_CREDS_TID_COMM))); - SET_FLAG(bus->hello_flags, KDBUS_HELLO_ATTACH_COMM, b); - return 0; -} + SET_FLAG(bus->hello_flags, KDBUS_HELLO_ATTACH_EXE, + !!(mask & SD_BUS_CREDS_EXE)); -_public_ int sd_bus_negotiate_attach_exe(sd_bus *bus, int b) { - assert_return(bus, -EINVAL); - assert_return(bus->state == BUS_UNSET, -EPERM); - assert_return(!bus_pid_changed(bus), -ECHILD); + SET_FLAG(bus->hello_flags, KDBUS_HELLO_ATTACH_CMDLINE, + !!(mask & SD_BUS_CREDS_CMDLINE)); - SET_FLAG(bus->hello_flags, KDBUS_HELLO_ATTACH_EXE, b); - return 0; -} + SET_FLAG(bus->hello_flags, KDBUS_HELLO_ATTACH_CGROUP, + !!(mask & (SD_BUS_CREDS_CGROUP|SD_BUS_CREDS_UNIT|SD_BUS_CREDS_USER_UNIT|SD_BUS_CREDS_SLICE|SD_BUS_CREDS_SESSION|SD_BUS_CREDS_OWNER_UID))); -_public_ int sd_bus_negotiate_attach_cmdline(sd_bus *bus, int b) { - assert_return(bus, -EINVAL); - assert_return(bus->state == BUS_UNSET, -EPERM); - assert_return(!bus_pid_changed(bus), -ECHILD); + SET_FLAG(bus->hello_flags, KDBUS_HELLO_ATTACH_CAPS, + !!(mask & (SD_BUS_CREDS_EFFECTIVE_CAPS|SD_BUS_CREDS_PERMITTED_CAPS|SD_BUS_CREDS_INHERITABLE_CAPS|SD_BUS_CREDS_BOUNDING_CAPS))); - SET_FLAG(bus->hello_flags, KDBUS_HELLO_ATTACH_CMDLINE, b); - return 0; -} + SET_FLAG(bus->hello_flags, KDBUS_HELLO_ATTACH_SECLABEL, + !!(mask & SD_BUS_CREDS_SELINUX_CONTEXT)); -_public_ int sd_bus_negotiate_attach_cgroup(sd_bus *bus, int b) { - assert_return(bus, -EINVAL); - assert_return(bus->state == BUS_UNSET, -EPERM); - assert_return(!bus_pid_changed(bus), -ECHILD); - - SET_FLAG(bus->hello_flags, KDBUS_HELLO_ATTACH_CGROUP, b); - return 0; -} - -_public_ int sd_bus_negotiate_attach_caps(sd_bus *bus, int b) { - assert_return(bus, -EINVAL); - assert_return(bus->state == BUS_UNSET, -EPERM); - assert_return(!bus_pid_changed(bus), -ECHILD); - - SET_FLAG(bus->hello_flags, KDBUS_HELLO_ATTACH_CAPS, b); - return 0; -} + SET_FLAG(bus->hello_flags, KDBUS_HELLO_ATTACH_AUDIT, + !!(mask & (SD_BUS_CREDS_AUDIT_SESSION_ID|SD_BUS_CREDS_AUDIT_LOGIN_UID))); -_public_ int sd_bus_negotiate_attach_selinux_context(sd_bus *bus, int b) { - assert_return(bus, -EINVAL); - assert_return(bus->state == BUS_UNSET, -EPERM); - assert_return(!bus_pid_changed(bus), -ECHILD); + bus->creds_mask = mask; - SET_FLAG(bus->hello_flags, KDBUS_HELLO_ATTACH_SECLABEL, b); - return 0; -} - -_public_ int sd_bus_negotiate_attach_audit(sd_bus *bus, int b) { - assert_return(bus, -EINVAL); - assert_return(bus->state == BUS_UNSET, -EPERM); - assert_return(!bus_pid_changed(bus), -ECHILD); - - SET_FLAG(bus->hello_flags, KDBUS_HELLO_ATTACH_AUDIT, b); return 0; } @@ -2812,3 +2775,48 @@ _public_ char *sd_bus_label_unescape(const char *f) { return r; } + +_public_ int sd_bus_get_peer_creds(sd_bus *bus, uint64_t mask, sd_bus_creds **ret) { + sd_bus_creds *c; + pid_t pid = 0; + int r; + + assert_return(bus, -EINVAL); + assert_return(mask <= _SD_BUS_CREDS_MAX, -ENOTSUP); + assert_return(ret, -EINVAL); + assert_return(BUS_IS_OPEN(bus->state), -ENOTCONN); + assert_return(!bus_pid_changed(bus), -ECHILD); + assert_return(!bus->is_kernel, -ENOTSUP); + + if (!bus->ucred_valid && !isempty(bus->label)) + return -ENODATA; + + c = bus_creds_new(); + if (!c) + return -ENOMEM; + + if (bus->ucred_valid) { + pid = c->pid = bus->ucred.pid; + c->uid = bus->ucred.uid; + c->gid = bus->ucred.gid; + + c->mask |= ((SD_BUS_CREDS_UID | SD_BUS_CREDS_PID | SD_BUS_CREDS_GID) & mask) & bus->creds_mask; + } + + if (!isempty(bus->label) && (mask & SD_BUS_CREDS_SELINUX_CONTEXT)) { + c->label = strdup(bus->label); + if (!c->label) { + sd_bus_creds_unref(c); + return -ENOMEM; + } + + c->mask |= SD_BUS_CREDS_SELINUX_CONTEXT | bus->creds_mask; + } + + r = bus_creds_add_more(c, mask, pid, 0); + if (r < 0) + return r; + + *ret = c; + return 0; +} |