diff options
| author | Marcel Holtmann <marcel@holtmann.org> | 2009-01-06 21:20:50 +0100 |
|---|---|---|
| committer | Marcel Holtmann <marcel@holtmann.org> | 2009-01-06 21:20:50 +0100 |
| commit | 77b134b5f3f2856cd6a915904b9ff3b207654c71 (patch) | |
| tree | 1873ac1fafd916d792ae0d5c89e775fafd924334 | |
| parent | 0dd6156eaf461a25781a9f0b7dd727e03c6172b0 (diff) | |
| download | connman-77b134b5f3f2856cd6a915904b9ff3b207654c71.tar.gz connman-77b134b5f3f2856cd6a915904b9ff3b207654c71.tar.bz2 connman-77b134b5f3f2856cd6a915904b9ff3b207654c71.zip | |
Add support for different security privileges
| -rw-r--r-- | include/security.h | 9 | ||||
| -rw-r--r-- | plugins/connman.policy | 10 | ||||
| -rw-r--r-- | plugins/polkit.c | 20 | ||||
| -rw-r--r-- | src/connection.c | 7 | ||||
| -rw-r--r-- | src/connman.h | 3 | ||||
| -rw-r--r-- | src/device.c | 13 | ||||
| -rw-r--r-- | src/manager.c | 7 | ||||
| -rw-r--r-- | src/network.c | 13 | ||||
| -rw-r--r-- | src/security.c | 5 |
9 files changed, 67 insertions, 20 deletions
diff --git a/include/security.h b/include/security.h index 123e6fb3..9e27a5f2 100644 --- a/include/security.h +++ b/include/security.h @@ -32,6 +32,12 @@ extern "C" { * @short_description: Functions for registering security modules */ +enum connman_security_privilege { + CONNMAN_SECURITY_PRIVILEGE_PUBLIC = 0, + CONNMAN_SECURITY_PRIVILEGE_MODIFY = 1, + CONNMAN_SECURITY_PRIVILEGE_SECRET = 2, +}; + #define CONNMAN_SECURITY_PRIORITY_LOW -100 #define CONNMAN_SECURITY_PRIORITY_DEFAULT 0 #define CONNMAN_SECURITY_PRIORITY_HIGH 100 @@ -39,7 +45,8 @@ extern "C" { struct connman_security { const char *name; int priority; - int (*authorize_sender) (const char *sender); + int (*authorize_sender) (const char *sender, + enum connman_security_privilege privilege); }; extern int connman_security_register(struct connman_security *security); diff --git a/plugins/connman.policy b/plugins/connman.policy index 1b34381b..bc36a6dd 100644 --- a/plugins/connman.policy +++ b/plugins/connman.policy @@ -6,10 +6,10 @@ <policyconfig> <vendor>Connection Manager</vendor> - <icon_name>stock_internet</icon_name> + <icon_name>network-wireless</icon_name> <action id="org.moblin.connman.modify"> - <description>Modify configuration</description> + <description>Settings configuration</description> <message>Policy prevents modification of settings</message> <defaults> <allow_inactive>no</allow_inactive> @@ -17,9 +17,9 @@ </defaults> </action> - <action id="org.moblin.connman.passphrase"> - <description>Passphrase configuration</description> - <message>Policy prevents modification of passphrases</message> + <action id="org.moblin.connman.secret"> + <description>Secrets configuration</description> + <message>Policy prevents modification of secrets</message> <defaults> <allow_inactive>no</allow_inactive> <allow_active>auth_admin_keep_always</allow_active> diff --git a/plugins/polkit.c b/plugins/polkit.c index d3ca6924..de183a27 100644 --- a/plugins/polkit.c +++ b/plugins/polkit.c @@ -34,20 +34,34 @@ #include <connman/dbus.h> #include <connman/log.h> -#define ACTION "org.moblin.connman.modify" +#define ACTION_MODIFY "org.moblin.connman.modify" +#define ACTION_SECRET "org.moblin.connman.secret" static DBusConnection *connection; static PolKitContext *polkit_context; -static int polkit_authorize(const char *sender) +static int polkit_authorize(const char *sender, + enum connman_security_privilege privilege) { DBusError error; PolKitCaller *caller; PolKitAction *action; PolKitResult result; + const char *id; DBG("sender %s", sender); + switch (privilege) { + case CONNMAN_SECURITY_PRIVILEGE_PUBLIC: + return 0; + case CONNMAN_SECURITY_PRIVILEGE_MODIFY: + id = ACTION_MODIFY; + break; + case CONNMAN_SECURITY_PRIVILEGE_SECRET: + id = ACTION_SECRET; + break; + } + dbus_error_init(&error); caller = polkit_caller_new_from_dbus_name(connection, sender, &error); @@ -61,7 +75,7 @@ static int polkit_authorize(const char *sender) } action = polkit_action_new(); - polkit_action_set_action_id(action, ACTION); + polkit_action_set_action_id(action, id); result = polkit_context_is_caller_authorized(polkit_context, action, caller, TRUE, NULL); diff --git a/src/connection.c b/src/connection.c index 0b3e59c4..ad381470 100644 --- a/src/connection.c +++ b/src/connection.c @@ -211,6 +211,10 @@ static DBusMessage *get_properties(DBusConnection *conn, DBG("conn %p", conn); + if (__connman_security_check_privilege(msg, + CONNMAN_SECURITY_PRIVILEGE_PUBLIC) < 0) + return __connman_error_permission_denied(msg); + reply = dbus_message_new_method_return(msg); if (reply == NULL) return NULL; @@ -286,7 +290,8 @@ static DBusMessage *set_property(DBusConnection *conn, dbus_message_iter_next(&iter); dbus_message_iter_recurse(&iter, &value); - if (__connman_security_check_privileges(msg) < 0) + if (__connman_security_check_privilege(msg, + CONNMAN_SECURITY_PRIVILEGE_MODIFY) < 0) return __connman_error_permission_denied(msg); return g_dbus_create_reply(msg, DBUS_TYPE_INVALID); diff --git a/src/connman.h b/src/connman.h index b160719b..f98fc790 100644 --- a/src/connman.h +++ b/src/connman.h @@ -67,7 +67,8 @@ void __connman_plugin_cleanup(void); #include <connman/security.h> -int __connman_security_check_privileges(DBusMessage *message); +int __connman_security_check_privilege(DBusMessage *message, + enum connman_security_privilege privilege); #include <connman/ipv4.h> diff --git a/src/device.c b/src/device.c index f07128f7..d865ad47 100644 --- a/src/device.c +++ b/src/device.c @@ -244,6 +244,10 @@ static DBusMessage *get_properties(DBusConnection *conn, DBG("conn %p", conn); + if (__connman_security_check_privilege(msg, + CONNMAN_SECURITY_PRIVILEGE_PUBLIC) < 0) + return __connman_error_permission_denied(msg); + reply = dbus_message_new_method_return(msg); if (reply == NULL) return NULL; @@ -323,7 +327,8 @@ static DBusMessage *set_property(DBusConnection *conn, dbus_message_iter_next(&iter); dbus_message_iter_recurse(&iter, &value); - if (__connman_security_check_privileges(msg) < 0) + if (__connman_security_check_privilege(msg, + CONNMAN_SECURITY_PRIVILEGE_MODIFY) < 0) return __connman_error_permission_denied(msg); if (g_str_equal(name, "Powered") == TRUE) { @@ -369,7 +374,8 @@ static DBusMessage *create_network(DBusConnection *conn, { DBG("conn %p", conn); - if (__connman_security_check_privileges(msg) < 0) + if (__connman_security_check_privilege(msg, + CONNMAN_SECURITY_PRIVILEGE_MODIFY) < 0) return __connman_error_permission_denied(msg); return __connman_error_invalid_arguments(msg); @@ -380,7 +386,8 @@ static DBusMessage *remove_network(DBusConnection *conn, { DBG("conn %p", conn); - if (__connman_security_check_privileges(msg) < 0) + if (__connman_security_check_privilege(msg, + CONNMAN_SECURITY_PRIVILEGE_MODIFY) < 0) return __connman_error_permission_denied(msg); return __connman_error_invalid_arguments(msg); diff --git a/src/manager.c b/src/manager.c index 71439742..f943720e 100644 --- a/src/manager.c +++ b/src/manager.c @@ -152,6 +152,10 @@ static DBusMessage *get_properties(DBusConnection *conn, DBG("conn %p", conn); + if (__connman_security_check_privilege(msg, + CONNMAN_SECURITY_PRIVILEGE_PUBLIC) < 0) + return __connman_error_permission_denied(msg); + reply = dbus_message_new_method_return(msg); if (reply == NULL) return NULL; @@ -204,7 +208,8 @@ static DBusMessage *set_property(DBusConnection *conn, dbus_message_iter_next(&iter); dbus_message_iter_recurse(&iter, &value); - if (__connman_security_check_privileges(msg) < 0) + if (__connman_security_check_privilege(msg, + CONNMAN_SECURITY_PRIVILEGE_MODIFY) < 0) return __connman_error_permission_denied(msg); if (g_str_equal(name, "Policy") == TRUE) { diff --git a/src/network.c b/src/network.c index 4af71c37..7b0ed7a4 100644 --- a/src/network.c +++ b/src/network.c @@ -83,6 +83,10 @@ static DBusMessage *get_properties(DBusConnection *conn, DBG("conn %p", conn); + if (__connman_security_check_privilege(msg, + CONNMAN_SECURITY_PRIVILEGE_PUBLIC) < 0) + return __connman_error_permission_denied(msg); + reply = dbus_message_new_method_return(msg); if (reply == NULL) return NULL; @@ -153,7 +157,8 @@ static DBusMessage *set_property(DBusConnection *conn, dbus_message_iter_next(&iter); dbus_message_iter_recurse(&iter, &value); - if (__connman_security_check_privileges(msg) < 0) + if (__connman_security_check_privilege(msg, + CONNMAN_SECURITY_PRIVILEGE_MODIFY) < 0) return __connman_error_permission_denied(msg); if (g_str_equal(name, "Remember") == TRUE) { @@ -185,7 +190,8 @@ static DBusMessage *do_connect(DBusConnection *conn, DBG("conn %p", conn); - if (__connman_security_check_privileges(msg) < 0) + if (__connman_security_check_privilege(msg, + CONNMAN_SECURITY_PRIVILEGE_MODIFY) < 0) return __connman_error_permission_denied(msg); if (network->connected == TRUE) @@ -209,7 +215,8 @@ static DBusMessage *do_disconnect(DBusConnection *conn, DBG("conn %p", conn); - if (__connman_security_check_privileges(msg) < 0) + if (__connman_security_check_privilege(msg, + CONNMAN_SECURITY_PRIVILEGE_MODIFY) < 0) return __connman_error_permission_denied(msg); if (network->connected == FALSE) diff --git a/src/security.c b/src/security.c index 31c7734b..9b274239 100644 --- a/src/security.c +++ b/src/security.c @@ -66,7 +66,8 @@ void connman_security_unregister(struct connman_security *security) security_list = g_slist_remove(security_list, security); } -int __connman_security_check_privileges(DBusMessage *message) +int __connman_security_check_privilege(DBusMessage *message, + enum connman_security_privilege privilege) { GSList *list; const char *sender; @@ -82,7 +83,7 @@ int __connman_security_check_privileges(DBusMessage *message) DBG("%s", security->name); if (security->authorize_sender) { - err = security->authorize_sender(sender); + err = security->authorize_sender(sender, privilege); break; } } |