/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ /*** This file is part of systemd. Copyright 2013 Lennart Poettering systemd is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. systemd is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with systemd; If not, see <http://www.gnu.org/licenses/>. ***/ #include "xml.h" #include "fileio.h" #include "strv.h" #include "conf-files.h" #include "bus-internal.h" #include "bus-message.h" #include "bus-policy.h" static void policy_item_free(PolicyItem *i) { assert(i); free(i->interface); free(i->member); free(i->error); free(i->name); free(i->path); free(i); } DEFINE_TRIVIAL_CLEANUP_FUNC(PolicyItem*, policy_item_free); static void item_append(PolicyItem *i, PolicyItem **list) { PolicyItem *tail; LIST_FIND_TAIL(items, *list, tail); LIST_INSERT_AFTER(items, *list, tail, i); } static int file_load(Policy *p, const char *path) { _cleanup_free_ char *c = NULL, *policy_user = NULL, *policy_group = NULL; _cleanup_(policy_item_freep) PolicyItem *i = NULL; void *xml_state = NULL; unsigned n_other = 0; const char *q; int r; enum { STATE_OUTSIDE, STATE_BUSCONFIG, STATE_POLICY, STATE_POLICY_CONTEXT, STATE_POLICY_USER, STATE_POLICY_GROUP, STATE_POLICY_OTHER_ATTRIBUTE, STATE_ALLOW_DENY, STATE_ALLOW_DENY_INTERFACE, STATE_ALLOW_DENY_MEMBER, STATE_ALLOW_DENY_ERROR, STATE_ALLOW_DENY_PATH, STATE_ALLOW_DENY_MESSAGE_TYPE, STATE_ALLOW_DENY_NAME, STATE_ALLOW_DENY_OTHER_ATTRIBUTE, STATE_OTHER, } state = STATE_OUTSIDE; enum { POLICY_CATEGORY_NONE, POLICY_CATEGORY_DEFAULT, POLICY_CATEGORY_MANDATORY, POLICY_CATEGORY_USER, POLICY_CATEGORY_GROUP } policy_category = POLICY_CATEGORY_NONE; unsigned line = 0; assert(p); r = read_full_file(path, &c, NULL); if (r < 0) { if (r == -ENOENT) return 0; if (r == -EISDIR) return r; log_error("Failed to load %s: %s", path, strerror(-r)); return r; } q = c; for (;;) { _cleanup_free_ char *name = NULL; int t; t = xml_tokenize(&q, &name, &xml_state, &line); if (t < 0) { log_error("XML parse failure in %s: %s", path, strerror(-t)); return t; } switch (state) { case STATE_OUTSIDE: if (t == XML_TAG_OPEN) { if (streq(name, "busconfig")) state = STATE_BUSCONFIG; else { log_error("Unexpected tag %s at %s:%u.", name, path, line); return -EINVAL; } } else if (t == XML_END) return 0; else if (t != XML_TEXT || !in_charset(name, WHITESPACE)) { log_error("Unexpected token (1) at %s:%u.", path, line); return -EINVAL; } break; case STATE_BUSCONFIG: if (t == XML_TAG_OPEN) { if (streq(name, "policy")) { state = STATE_POLICY; policy_category = POLICY_CATEGORY_NONE; free(policy_user); free(policy_group); policy_user = policy_group = NULL; } else { state = STATE_OTHER; n_other = 0; } } else if (t == XML_TAG_CLOSE_EMPTY || (t == XML_TAG_CLOSE && streq(name, "busconfig"))) state = STATE_OUTSIDE; else if (t != XML_TEXT || !in_charset(name, WHITESPACE)) { log_error("Unexpected token (2) at %s:%u.", path, line); return -EINVAL; } break; case STATE_POLICY: if (t == XML_ATTRIBUTE_NAME) { if (streq(name, "context")) state = STATE_POLICY_CONTEXT; else if (streq(name, "user")) state = STATE_POLICY_USER; else if (streq(name, "group")) state = STATE_POLICY_GROUP; else { if (streq(name, "at_console")) log_debug("Attribute %s of <policy> tag unsupported at %s:%u, ignoring.", name, path, line); else log_warning("Attribute %s of <policy> tag unknown at %s:%u, ignoring.", name, path, line); state = STATE_POLICY_OTHER_ATTRIBUTE; } } else if (t == XML_TAG_CLOSE_EMPTY || (t == XML_TAG_CLOSE && streq(name, "policy"))) state = STATE_BUSCONFIG; else if (t == XML_TAG_OPEN) { PolicyItemType it; if (streq(name, "allow")) it = POLICY_ITEM_ALLOW; else if (streq(name, "deny")) it = POLICY_ITEM_DENY; else { log_warning("Unknown tag %s in <policy> %s:%u.", name, path, line); return -EINVAL; } assert(!i); i = new0(PolicyItem, 1); if (!i) return log_oom(); i->type = it; state = STATE_ALLOW_DENY; } else if (t != XML_TEXT || !in_charset(name, WHITESPACE)) { log_error("Unexpected token (3) at %s:%u.", path, line); return -EINVAL; } break; case STATE_POLICY_CONTEXT: if (t == XML_ATTRIBUTE_VALUE) { if (streq(name, "default")) { policy_category = POLICY_CATEGORY_DEFAULT; state = STATE_POLICY; } else if (streq(name, "mandatory")) { policy_category = POLICY_CATEGORY_MANDATORY; state = STATE_POLICY; } else { log_error("context= parameter %s unknown for <policy> at %s:%u.", name, path, line); return -EINVAL; } } else { log_error("Unexpected token (4) at %s:%u.", path, line); return -EINVAL; } break; case STATE_POLICY_USER: if (t == XML_ATTRIBUTE_VALUE) { free(policy_user); policy_user = name; name = NULL; policy_category = POLICY_CATEGORY_USER; state = STATE_POLICY; } else { log_error("Unexpected token (5) in %s:%u.", path, line); return -EINVAL; } break; case STATE_POLICY_GROUP: if (t == XML_ATTRIBUTE_VALUE) { free(policy_group); policy_group = name; name = NULL; policy_category = POLICY_CATEGORY_GROUP; state = STATE_POLICY; } else { log_error("Unexpected token (6) at %s:%u.", path, line); return -EINVAL; } break; case STATE_POLICY_OTHER_ATTRIBUTE: if (t == XML_ATTRIBUTE_VALUE) state = STATE_POLICY; else { log_error("Unexpected token (7) in %s:%u.", path, line); return -EINVAL; } break; case STATE_ALLOW_DENY: assert(i); if (t == XML_ATTRIBUTE_NAME) { PolicyItemClass ic; if (startswith(name, "send_")) ic = POLICY_ITEM_SEND; else if (startswith(name, "receive_")) ic = POLICY_ITEM_RECV; else if (streq(name, "own")) ic = POLICY_ITEM_OWN; else if (streq(name, "own_prefix")) ic = POLICY_ITEM_OWN_PREFIX; else if (streq(name, "user")) ic = POLICY_ITEM_USER; else if (streq(name, "group")) ic = POLICY_ITEM_GROUP; else if (streq(name, "eavesdrop")) { log_debug("Unsupported attribute %s= at %s:%u, ignoring.", name, path, line); i->class = POLICY_ITEM_IGNORE; state = STATE_ALLOW_DENY_OTHER_ATTRIBUTE; break; } else { log_error("Unknown attribute %s= at %s:%u, ignoring.", name, path, line); state = STATE_ALLOW_DENY_OTHER_ATTRIBUTE; break; } if (i->class != _POLICY_ITEM_CLASS_UNSET && ic != i->class) { log_error("send_ and receive_ fields mixed on same tag at %s:%u.", path, line); return -EINVAL; } i->class = ic; if (ic == POLICY_ITEM_SEND || ic == POLICY_ITEM_RECV) { const char *u; u = strchr(name, '_'); assert(u); u++; if (streq(u, "interface")) state = STATE_ALLOW_DENY_INTERFACE; else if (streq(u, "member")) state = STATE_ALLOW_DENY_MEMBER; else if (streq(u, "error")) state = STATE_ALLOW_DENY_ERROR; else if (streq(u, "path")) state = STATE_ALLOW_DENY_PATH; else if (streq(u, "type")) state = STATE_ALLOW_DENY_MESSAGE_TYPE; else if ((streq(u, "destination") && ic == POLICY_ITEM_SEND) || (streq(u, "sender") && ic == POLICY_ITEM_RECV)) state = STATE_ALLOW_DENY_NAME; else { if (streq(u, "requested_reply")) log_debug("Unsupported attribute %s= at %s:%u, ignoring.", name, path, line); else log_error("Unknown attribute %s= at %s:%u, ignoring.", name, path, line); state = STATE_ALLOW_DENY_OTHER_ATTRIBUTE; break; } } else state = STATE_ALLOW_DENY_NAME; } else if (t == XML_TAG_CLOSE_EMPTY || (t == XML_TAG_CLOSE && streq(name, i->type == POLICY_ITEM_ALLOW ? "allow" : "deny"))) { if (i->class == _POLICY_ITEM_CLASS_UNSET) { log_error("Policy not set at %s:%u.", path, line); return -EINVAL; } if (policy_category == POLICY_CATEGORY_DEFAULT) item_append(i, &p->default_items); else if (policy_category == POLICY_CATEGORY_MANDATORY) item_append(i, &p->mandatory_items); else if (policy_category == POLICY_CATEGORY_USER) { const char *u = policy_user; assert_cc(sizeof(uid_t) == sizeof(uint32_t)); r = hashmap_ensure_allocated(&p->user_items, NULL); if (r < 0) return log_oom(); if (!u) { log_error("User policy without name"); return -EINVAL; } r = get_user_creds(&u, &i->uid, NULL, NULL, NULL); if (r < 0) { log_error("Failed to resolve user %s, ignoring policy: %s", u, strerror(-r)); free(i); } else { PolicyItem *first; first = hashmap_get(p->user_items, UINT32_TO_PTR(i->uid)); item_append(i, &first); i->uid_valid = true; r = hashmap_replace(p->user_items, UINT32_TO_PTR(i->uid), first); if (r < 0) { LIST_REMOVE(items, first, i); return log_oom(); } } } else if (policy_category == POLICY_CATEGORY_GROUP) { const char *g = policy_group; assert_cc(sizeof(gid_t) == sizeof(uint32_t)); r = hashmap_ensure_allocated(&p->group_items, NULL); if (r < 0) return log_oom(); if (!g) { log_error("Group policy without name"); return -EINVAL; } r = get_group_creds(&g, &i->gid); if (r < 0) { log_error("Failed to resolve group %s, ignoring policy: %s", g, strerror(-r)); free(i); } else { PolicyItem *first; first = hashmap_get(p->group_items, UINT32_TO_PTR(i->gid)); item_append(i, &first); i->gid_valid = true; r = hashmap_replace(p->group_items, UINT32_TO_PTR(i->gid), first); if (r < 0) { LIST_REMOVE(items, first, i); return log_oom(); } } } state = STATE_POLICY; i = NULL; } else if (t != XML_TEXT || !in_charset(name, WHITESPACE)) { log_error("Unexpected token (8) at %s:%u.", path, line); return -EINVAL; } break; case STATE_ALLOW_DENY_INTERFACE: if (t == XML_ATTRIBUTE_VALUE) { assert(i); if (i->interface) { log_error("Duplicate interface at %s:%u.", path, line); return -EINVAL; } i->interface = name; name = NULL; state = STATE_ALLOW_DENY; } else { log_error("Unexpected token (9) at %s:%u.", path, line); return -EINVAL; } break; case STATE_ALLOW_DENY_MEMBER: if (t == XML_ATTRIBUTE_VALUE) { assert(i); if (i->member) { log_error("Duplicate member in %s:%u.", path, line); return -EINVAL; } i->member = name; name = NULL; state = STATE_ALLOW_DENY; } else { log_error("Unexpected token (10) in %s:%u.", path, line); return -EINVAL; } break; case STATE_ALLOW_DENY_ERROR: if (t == XML_ATTRIBUTE_VALUE) { assert(i); if (i->error) { log_error("Duplicate error in %s:%u.", path, line); return -EINVAL; } i->error = name; name = NULL; state = STATE_ALLOW_DENY; } else { log_error("Unexpected token (11) in %s:%u.", path, line); return -EINVAL; } break; case STATE_ALLOW_DENY_PATH: if (t == XML_ATTRIBUTE_VALUE) { assert(i); if (i->path) { log_error("Duplicate path in %s:%u.", path, line); return -EINVAL; } i->path = name; name = NULL; state = STATE_ALLOW_DENY; } else { log_error("Unexpected token (12) in %s:%u.", path, line); return -EINVAL; } break; case STATE_ALLOW_DENY_MESSAGE_TYPE: if (t == XML_ATTRIBUTE_VALUE) { assert(i); if (i->message_type != 0) { log_error("Duplicate message type in %s:%u.", path, line); return -EINVAL; } r = bus_message_type_from_string(name, &i->message_type); if (r < 0) { log_error("Invalid message type in %s:%u.", path, line); return -EINVAL; } state = STATE_ALLOW_DENY; } else { log_error("Unexpected token (13) in %s:%u.", path, line); return -EINVAL; } break; case STATE_ALLOW_DENY_NAME: if (t == XML_ATTRIBUTE_VALUE) { assert(i); if (i->name) { log_error("Duplicate name in %s:%u.", path, line); return -EINVAL; } switch (i->class) { case POLICY_ITEM_USER: if (!streq(name, "*")) { const char *u = name; r = get_user_creds(&u, &i->uid, NULL, NULL, NULL); if (r < 0) log_error("Failed to resolve user %s: %s", name, strerror(-r)); else i->uid_valid = true; } break; case POLICY_ITEM_GROUP: if (!streq(name, "*")) { const char *g = name; r = get_group_creds(&g, &i->gid); if (r < 0) log_error("Failed to resolve group %s: %s", name, strerror(-r)); else i->gid_valid = true; } break; default: break; } i->name = name; name = NULL; state = STATE_ALLOW_DENY; } else { log_error("Unexpected token (14) in %s:%u.", path, line); return -EINVAL; } break; case STATE_ALLOW_DENY_OTHER_ATTRIBUTE: if (t == XML_ATTRIBUTE_VALUE) state = STATE_ALLOW_DENY; else { log_error("Unexpected token (15) in %s:%u.", path, line); return -EINVAL; } break; case STATE_OTHER: if (t == XML_TAG_OPEN) n_other++; else if (t == XML_TAG_CLOSE || t == XML_TAG_CLOSE_EMPTY) { if (n_other == 0) state = STATE_BUSCONFIG; else n_other--; } break; } } } enum { ALLOW, DUNNO, DENY, }; struct policy_check_filter { int class; const struct ucred *ucred; int message_type; const char *name; const char *interface; const char *path; const char *member; }; static int is_permissive(PolicyItem *i) { assert(i); return (i->type == POLICY_ITEM_ALLOW) ? ALLOW : DENY; } static int check_policy_item(PolicyItem *i, const struct policy_check_filter *filter) { assert(i); assert(filter); switch (i->class) { case POLICY_ITEM_SEND: case POLICY_ITEM_RECV: if (i->name && !streq_ptr(i->name, filter->name)) break; if ((i->message_type != _POLICY_ITEM_CLASS_UNSET) && (i->message_type != filter->message_type)) break; if (i->path && !streq_ptr(i->path, filter->path)) break; if (i->member && !streq_ptr(i->member, filter->member)) break; if (i->interface && !streq_ptr(i->interface, filter->interface)) break; return is_permissive(i); case POLICY_ITEM_OWN: assert(filter->name); if (streq(i->name, "*") || streq(i->name, filter->name)) return is_permissive(i); break; case POLICY_ITEM_OWN_PREFIX: assert(filter->name); if (streq(i->name, "*") || service_name_startswith(i->name, filter->name)) return is_permissive(i); break; case POLICY_ITEM_USER: assert(filter->ucred); if ((streq_ptr(i->name, "*") || (i->uid_valid && i->uid == filter->ucred->uid))) return is_permissive(i); break; case POLICY_ITEM_GROUP: assert(filter->ucred); if ((streq_ptr(i->name, "*") || (i->gid_valid && i->gid == filter->ucred->gid))) return is_permissive(i); break; case POLICY_ITEM_IGNORE: default: break; } return DUNNO; } static int check_policy_items(PolicyItem *items, const struct policy_check_filter *filter) { PolicyItem *i; int r, ret = DUNNO; assert(filter); /* Check all policies in a set - a broader one might be followed by a more specific one, * and the order of rules in policy definitions matters */ LIST_FOREACH(items, i, items) { if (i->class != filter->class) continue; r = check_policy_item(i, filter); if (r != DUNNO) ret = r; } return ret; } static int policy_check(Policy *p, const struct policy_check_filter *filter) { PolicyItem *items; int r; assert(p); assert(filter); /* * The policy check is implemented by the following logic: * * 1. Check mandatory items. If the message matches any of these, it is decisive. * 2. See if the passed ucred match against the user/group hashmaps. A matching entry is also decisive. * 3. Consult the defaults if non of the above matched with a more specific rule. * 4. If the message isn't caught be the defaults either, reject it. */ r = check_policy_items(p->mandatory_items, filter); if (r != DUNNO) return r; if (filter->ucred) { items = hashmap_get(p->user_items, UINT32_TO_PTR(filter->ucred->uid)); if (items) { r = check_policy_items(items, filter); if (r != DUNNO) return r; } items = hashmap_get(p->group_items, UINT32_TO_PTR(filter->ucred->gid)); if (items) { r = check_policy_items(items, filter); if (r != DUNNO) return r; } } return check_policy_items(p->default_items, filter); } bool policy_check_own(Policy *p, const struct ucred *ucred, const char *name) { struct policy_check_filter filter = { .class = POLICY_ITEM_OWN, .ucred = ucred, .name = name, }; return policy_check(p, &filter) == ALLOW; } bool policy_check_hello(Policy *p, const struct ucred *ucred) { struct policy_check_filter filter = { .ucred = ucred, }; int user, group; filter.class = POLICY_ITEM_USER; user = policy_check(p, &filter); if (user == DENY) return false; filter.class = POLICY_ITEM_GROUP; group = policy_check(p, &filter); if (group == DENY) return false; return !(user == DUNNO && group == DUNNO); } bool policy_check_recv(Policy *p, const struct ucred *ucred, int message_type, const char *name, const char *path, const char *interface, const char *member) { struct policy_check_filter filter = { .class = POLICY_ITEM_RECV, .ucred = ucred, .message_type = message_type, .name = name, .interface = interface, .path = path, .member = member, }; return policy_check(p, &filter) == ALLOW; } bool policy_check_send(Policy *p, const struct ucred *ucred, int message_type, const char *name, const char *path, const char *interface, const char *member) { struct policy_check_filter filter = { .class = POLICY_ITEM_SEND, .ucred = ucred, .message_type = message_type, .name = name, .interface = interface, .path = path, .member = member, }; return policy_check(p, &filter) == ALLOW; } int policy_load(Policy *p, char **files) { char **i; int r; assert(p); STRV_FOREACH(i, files) { r = file_load(p, *i); if (r == -EISDIR) { _cleanup_strv_free_ char **l = NULL; char **j; r = conf_files_list(&l, ".conf", NULL, *i, NULL); if (r < 0) { log_error("Failed to get configuration file list: %s", strerror(-r)); return r; } STRV_FOREACH(j, l) file_load(p, *j); } /* We ignore all errors but EISDIR, and just proceed. */ } return 0; } void policy_free(Policy *p) { PolicyItem *i, *first; if (!p) return; while ((i = p->default_items)) { LIST_REMOVE(items, p->default_items, i); policy_item_free(i); } while ((i = p->mandatory_items)) { LIST_REMOVE(items, p->mandatory_items, i); policy_item_free(i); } while ((first = hashmap_steal_first(p->user_items))) { while ((i = first)) { LIST_REMOVE(items, first, i); policy_item_free(i); } } while ((first = hashmap_steal_first(p->group_items))) { while ((i = first)) { LIST_REMOVE(items, first, i); policy_item_free(i); } } hashmap_free(p->user_items); hashmap_free(p->group_items); p->user_items = p->group_items = NULL; } static void dump_items(PolicyItem *items, const char *prefix) { PolicyItem *i; if (!items) return; if (!prefix) prefix = ""; LIST_FOREACH(items, i, items) { printf("%sType: %s\n" "%sClass: %s\n", prefix, policy_item_type_to_string(i->type), prefix, policy_item_class_to_string(i->class)); if (i->interface) printf("%sInterface: %s\n", prefix, i->interface); if (i->member) printf("%sMember: %s\n", prefix, i->member); if (i->error) printf("%sError: %s\n", prefix, i->error); if (i->path) printf("%sPath: %s\n", prefix, i->path); if (i->name) printf("%sName: %s\n", prefix, i->name); if (i->message_type != 0) printf("%sMessage Type: %s\n", prefix, bus_message_type_to_string(i->message_type)); if (i->uid_valid) { _cleanup_free_ char *user; user = uid_to_name(i->uid); printf("%sUser: %s (%d)\n", prefix, strna(user), i->uid); } if (i->gid_valid) { _cleanup_free_ char *group; group = gid_to_name(i->gid); printf("%sGroup: %s (%d)\n", prefix, strna(group), i->gid); } } } static void dump_hashmap_items(Hashmap *h) { PolicyItem *i; Iterator j; void *k; HASHMAP_FOREACH_KEY(i, k, h, j) { printf("\t%s Item for %u:\n", draw_special_char(DRAW_ARROW), PTR_TO_UINT(k)); dump_items(i, "\t\t"); } } void policy_dump(Policy *p) { printf("%s Default Items:\n", draw_special_char(DRAW_ARROW)); dump_items(p->default_items, "\t"); printf("%s Group Items:\n", draw_special_char(DRAW_ARROW)); dump_hashmap_items(p->group_items); printf("%s User Items:\n", draw_special_char(DRAW_ARROW)); dump_hashmap_items(p->user_items); printf("%s Mandatory Items:\n", draw_special_char(DRAW_ARROW)); dump_items(p->mandatory_items, "\t"); } static const char* const policy_item_type_table[_POLICY_ITEM_TYPE_MAX] = { [_POLICY_ITEM_TYPE_UNSET] = "unset", [POLICY_ITEM_ALLOW] = "allow", [POLICY_ITEM_DENY] = "deny", }; DEFINE_STRING_TABLE_LOOKUP(policy_item_type, PolicyItemType); static const char* const policy_item_class_table[_POLICY_ITEM_CLASS_MAX] = { [_POLICY_ITEM_CLASS_UNSET] = "unset", [POLICY_ITEM_SEND] = "send", [POLICY_ITEM_RECV] = "recv", [POLICY_ITEM_OWN] = "own", [POLICY_ITEM_OWN_PREFIX] = "own-prefix", [POLICY_ITEM_USER] = "user", [POLICY_ITEM_GROUP] = "group", [POLICY_ITEM_IGNORE] = "ignore", }; DEFINE_STRING_TABLE_LOOKUP(policy_item_class, PolicyItemClass);