Age | Commit message | Author | Files | Lines |
|
|
|
|
|
For SELinux we need to store the complete context for iptables
to work.
|
|
When the session core asks to create a configuration, we
first ask the D-Bus server which UID/GID the session belongs to.
If possible we also ask for the SELinux context. Then we try
to figure out which file contains the configuration for
SELinux, UID or GID identification.
The order of matching preference is SELinux, UID and finally GID.
|
|
Use struct policy_data instead of struct create_data.
|
|
The old assumption was that a config file is associated
with one session only. With the introduction of UID/GID support a policy
might be used for several sessions. Furthermore, it was assumed
that the file name is the key/ident to identify a session and
a file contains exactly one policy.
Here are the new rules for writing a policy file.
- A valid file name contains letters or numbers and must have a '.policy'
suffix.
- The file name has no semantic meaning
- A policy file may contain more than 1 policy
- Each policy entry starts with 'policy_'
- Each policy entry shall have one and exactly one valid key (e.g.
selinux)
The implementation has two main hash tables, file_hash and session_hash,
which own the file and the session config respectively. Additionally there
is a hash table which connects a policy with a session (selinux_hash).
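The two commit messages above (the SELinux/UID/GID preference order, and the rules for a policy file) can be checked against a small stand-alone parser. The following is an added example written for this page; it is not ConnMan's plugin code (which uses GLib and GKeyFile) and it assumes a keyfile layout: a `[policy_xxx]` group header starts an entry, and `key=value` lines inside it carry the data. The sample policy text, the `policy`, `parse_policy_file()` and `select_policy()` names, and the `ident_keys` rule enforcement are all constructed for illustration. The last entry in the sample carries two identification keys and must be dropped, which exercises the "one and exactly one valid key" rule.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_POLICIES 16
#define NAME_LEN 64
#define VALUE_LEN 128

/* Which identification key a policy entry carries (assumed key names). */
enum ident_type { IDENT_NONE = 0, IDENT_SELINUX, IDENT_UID, IDENT_GID };

struct policy {
    char name[NAME_LEN];     /* group name, e.g. "policy_user" */
    enum ident_type ident;   /* the single identification key found */
    char value[VALUE_LEN];   /* its value as text (context, uid or gid) */
    int ident_keys;          /* how many identification keys were seen */
};

/* Rule: only letters or numbers before a mandatory '.policy' suffix. */
int valid_policy_filename(const char *name)
{
    const char *suffix = ".policy";
    size_t n = strlen(name), s = strlen(suffix), i;

    if (n <= s || strcmp(name + (n - s), suffix) != 0)
        return 0;
    for (i = 0; i < n - s; i++)
        if (!isalnum((unsigned char)name[i]))
            return 0;
    return 1;
}

static enum ident_type ident_from_key(const char *key)
{
    if (strcmp(key, "selinux") == 0) return IDENT_SELINUX;
    if (strcmp(key, "uid") == 0) return IDENT_UID;
    if (strcmp(key, "gid") == 0) return IDENT_GID;
    return IDENT_NONE;   /* other keys (Priority, ...) are not identifiers */
}

/* Keep the entry only if it is a policy_ group with exactly one ident key. */
static int commit_policy(struct policy *p, int count)
{
    int ok = p->name[0] != '\0' && p->ident_keys == 1;
    if (!ok)
        memset(p, 0, sizeof(*p));   /* drop it and reuse the slot */
    return ok ? count + 1 : count;
}

/* Parse keyfile text into out[]; returns the number of valid policies. */
int parse_policy_file(const char *text, struct policy *out, int max)
{
    char buf[4096];
    char *line, *eq;
    int count = 0;

    strncpy(buf, text, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    memset(out, 0, sizeof(*out) * (size_t)max);

    for (line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        struct policy *cur = &out[count];
        size_t len = strlen(line);
        enum ident_type t;

        while (len && isspace((unsigned char)line[len - 1]))
            line[--len] = '\0';
        while (isspace((unsigned char)*line))
            line++;
        if (*line == '\0' || *line == '#')
            continue;

        if (*line == '[') {   /* group header: finish previous, start new */
            char *end = strchr(line, ']');
            count = commit_policy(cur, count);
            if (count >= max)
                return count;
            cur = &out[count];
            if (!end || strncmp(line + 1, "policy_", 7) != 0) {
                cur->name[0] = '\0';   /* not a policy group; skip its keys */
                continue;
            }
            *end = '\0';
            snprintf(cur->name, NAME_LEN, "%s", line + 1);
            continue;
        }

        eq = strchr(line, '=');
        if (!eq || cur->name[0] == '\0')
            continue;   /* not key=value, or outside a policy_ group */
        *eq = '\0';
        t = ident_from_key(line);
        if (t == IDENT_NONE)
            continue;
        cur->ident_keys++;
        cur->ident = t;
        snprintf(cur->value, VALUE_LEN, "%s", eq + 1);
    }
    return commit_policy(&out[count], count);
}

/* Matching preference: SELinux context, then UID, then GID. ctx may be NULL. */
const struct policy *select_policy(const struct policy *pols, int n,
                                   const char *ctx, unsigned uid, unsigned gid)
{
    char num[32];
    int i;

    if (ctx)
        for (i = 0; i < n; i++)
            if (pols[i].ident == IDENT_SELINUX && strcmp(pols[i].value, ctx) == 0)
                return &pols[i];
    snprintf(num, sizeof(num), "%u", uid);
    for (i = 0; i < n; i++)
        if (pols[i].ident == IDENT_UID && strcmp(pols[i].value, num) == 0)
            return &pols[i];
    snprintf(num, sizeof(num), "%u", gid);
    for (i = 0; i < n; i++)
        if (pols[i].ident == IDENT_GID && strcmp(pols[i].value, num) == 0)
            return &pols[i];
    return NULL;
}

/* Constructed sample, not a real ConnMan config. policy_bad has two
 * identification keys and is rejected by parse_policy_file(). */
const char *SAMPLE_POLICY =
    "[policy_ivi]\n"
    "selinux=unconfined_u:unconfined_r:unconfined_t:s0\n"
    "Priority=true\n"
    "\n"
    "[policy_user]\n"
    "uid=1000\n"
    "\n"
    "[policy_group]\n"
    "gid=100\n"
    "\n"
    "[policy_bad]\n"
    "uid=1001\n"
    "gid=100\n";

int main(void)
{
    struct policy pols[MAX_POLICIES];
    int n = parse_policy_file(SAMPLE_POLICY, pols, MAX_POLICIES);
    const struct policy *p = select_policy(pols, n, NULL, 1000, 100);

    printf("%d valid policies; uid 1000 / gid 100 matches %s\n",
           n, p ? p->name : "(none)");
    return 0;
}
```

A session that carries a matching SELinux context is served by the SELinux entry even when its UID and GID would also match other entries; without a context (the case the SELinux-disabled backtrace further down the page hits), the lookup falls through to UID and then GID, and a session that matches nothing gets no policy at all rather than a partial one.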
|
|
|
|
The update flag can be removed as it is no longer needed.
|
|
g_strsplit() will eventually strdup the tokens so no need to
strdup() 'context'. But an ugly cast (from 'const unsigned char *'
to 'const char *') is needed for g_strsplit() to make the compiler happy.
|
|
Let's remove the small allocations error path because glib will
abort on memory exhaustion anyway. Basically we remove dead code.
|
|
Do not handle the small alloc failures because glib will abort
when memory is tight anyway.
|
|
Streamline the callback typedefs with the rest of the code.
|
|
Use the generic callback helpers to encapsulate struct create_data.
In a later patch we will add some more data elements to struct
create_data. That is the reason why it is not removed here.
|
|
When a file is added (not modified) we need to parse it as well
|
|
We should not unref the policy on parsing errors because the policy
lifetime is attached to the lifetime of the file. When the file
is removed we remove it from the hash table.
|
|
Match all is expressed via CONNMAN_SERVICE_TYPE_UNKNOWN. An empty
list means no match.
|
|
Use connman_session_set_default_config() instead of the open coded
version.
This prepares the next fix.
|
|
When running unit/test-session the following happens if SELinux is disabled but
--enable-session-policy-local is specified for ./configure:
connmand[6468]: src/session.c:__connman_session_create() owner :1.269
connmand[6468]: src/dbus.c:selinux_get_context_reply() Failed to retrieve SELinux context
connmand[6468]: src/session.c:session_create_cb() session 0x2388dc0 config (nil)
connmand[6468]: Aborting (signal 11) [src/connmand]
connmand[6468]: ++++++++ backtrace ++++++++
connmand[6468]: #0 0x7f5b2b8184f0 in /lib/x86_64-linux-gnu/libc.so.6
connmand[6468]: #1 0x4379b4 in policy_local_destroy() at plugins/session_policy_local.c:245
connmand[6468]: #2 0x46703f in free_session() at src/session.c:258
connmand[6468]: #3 0x468603 in session_create_cb() at src/session.c:1710
connmand[6468]: #4 0x4377e7 in selinux_context_reply() at plugins/session_policy_local.c:201
connmand[6468]: #5 0x461366 in selinux_get_context_reply() at src/dbus.c:475
connmand[6468]: #6 0x7f5b2c66b1ca in /lib/x86_64-linux-gnu/libdbus-1.so.3
connmand[6468]: #7 0x7f5b2c66e293 in /lib/x86_64-linux-gnu/libdbus-1.so.3
connmand[6468]: #8 0x410aa8 in message_dispatch() at gdbus/mainloop.c:76
connmand[6468]: #9 0x7f5b2c8eeeeb in /lib/x86_64-linux-gnu/libglib-2.0.so.0
connmand[6468]: #10 0x7f5b2c8ee355 in /lib/x86_64-linux-gnu/libglib-2.0.so.0
connmand[6468]: #11 0x7f5b2c8ee688 in /lib/x86_64-linux-gnu/libglib-2.0.so.0
connmand[6468]: #12 0x7f5b2c8eea82 in /lib/x86_64-linux-gnu/libglib-2.0.so.0
connmand[6468]: #13 0x410592 in main() at src/main.c:672
connmand[6468]: #14 0x7f5b2b804ead in /lib/x86_64-linux-gnu/libc.so.6
connmand[6468]: +++++++++++++++++++++++++++
|
|
Create the policy directory as the first thing. If we don't do this
adding a watch on the non existing directory will fail and the
whole plugin is not loaded.
We need to figure out later how permissive the MODE of the directory
should be. Currently, we play safe and have it tied down.
|
|
On popular request the plugin is renamed. The plugin is reading
local files and has nothing to do with IVI.
|