/* * * Connection Manager * * Copyright (C) 2012 BMW Car IT GbmH. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA * */ #ifdef HAVE_CONFIG_H #include #endif #include #include #include #include #include #include #define CONNMAN_API_SUBJECT_TO_CHANGE #include #include #include #include #include #define POLICYDIR STORAGEDIR "/session_policy_local" #define MODE (S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | \ S_IXGRP | S_IROTH | S_IXOTH) static DBusConnection *connection; static GHashTable *policy_hash; static GHashTable *session_hash; struct create_data { struct connman_session *session; connman_session_config_cb callback; void *user_data; }; struct policy_data { int refcount; char *ident; struct connman_session *session; struct connman_session_config *config; }; static void cleanup_policy(gpointer user_data) { struct policy_data *policy = user_data; if (policy->config != NULL) g_slist_free(policy->config->allowed_bearers); g_free(policy->ident); g_free(policy->config); g_free(policy); } static char *parse_ident(const unsigned char *context) { char *str, *ident, **tokens; /* * SELinux combines Role-Based Access Control (RBAC), Type * Enforcment (TE) and optionally Multi-Level Security (MLS). * * When SELinux is enabled all processes and files are labeled * with a contex that contains information such as user, role * type (and optionally a level). E.g. * * $ ls -Z * -rwxrwxr-x. wagi wagi unconfined_u:object_r:haifux_exec_t:s0 session_ui.py * * For identifyng application we (ab)using the type * information. In the above example the haifux_exec_t type * will be transfered to haifux_t as defined in the domain * transition and thus we are able to identify the application * as haifux_t. */ str = g_strdup((const gchar*)context); if (str == NULL) return NULL; DBG("SELinux context %s", str); tokens = g_strsplit(str, ":", 0); if (tokens == NULL) { g_free(str); return NULL; } /* Use the SELinux type as identification token. */ ident = g_strdup(tokens[2]); g_strfreev(tokens); g_free(str); return ident; } static struct policy_data *create_policy(const char *ident) { struct policy_data *policy; DBG("ident %s", ident); policy = g_try_new0(struct policy_data, 1); if (policy == NULL) return NULL; policy->config = connman_session_create_default_config(); if (policy->config == NULL) { g_free(policy); return NULL; } policy->refcount = 1; policy->ident = g_strdup(ident); g_hash_table_replace(policy_hash, policy->ident, policy); return policy; } static struct policy_data *policy_ref(struct policy_data *policy) { DBG("%p %s ref %d", policy, policy->ident, policy->refcount + 1); __sync_fetch_and_add(&policy->refcount, 1); return policy; } static void policy_unref(struct policy_data *policy) { DBG(" %p %s ref %d", policy, policy->ident, policy->refcount - 1); if (__sync_fetch_and_sub(&policy->refcount, 1) != 1) return; g_hash_table_remove(policy_hash, policy->ident); }; static void selinux_context_reply(const unsigned char *context, void *user_data, int err) { struct create_data *data = user_data; struct policy_data *policy; struct connman_session_config *config = NULL; char *ident = NULL; DBG("session %p", data->session); if (err < 0) goto done; ident = parse_ident(context); if (ident == NULL) { err = -EINVAL; goto done; } policy = g_hash_table_lookup(policy_hash, ident); if (policy != NULL) { policy_ref(policy); policy->session = data->session; } else { policy = create_policy(ident); if (policy == NULL) { err = -ENOMEM; goto done; } } g_hash_table_replace(session_hash, data->session, policy); config = policy->config; done: (*data->callback)(data->session, config, data->user_data, err); g_free(data); g_free(ident); } static int policy_local_create(struct connman_session *session, connman_session_config_cb callback, void *user_data) { struct create_data *data; const char *owner; int err; DBG("session %p", session); data = g_try_new0(struct create_data, 1); if (data == NULL) return -ENOMEM; data->session = session; data->callback = callback; data->user_data = user_data; owner = connman_session_get_owner(session); err = connman_dbus_get_selinux_context(connection, owner, selinux_context_reply, data); if (err < 0) { connman_error("Could not get SELinux context"); g_free(data); return err; } return 0; } static void policy_local_destroy(struct connman_session *session) { struct policy_data *policy; DBG("session %p", session); policy = g_hash_table_lookup(session_hash, session); if (policy == NULL) return; g_hash_table_remove(session_hash, session); policy->session = NULL; policy_unref(policy); } static struct connman_session_policy session_policy_local = { .name = "session local policy configuration", .priority = CONNMAN_SESSION_POLICY_PRIORITY_DEFAULT, .create = policy_local_create, .destroy = policy_local_destroy, }; static int load_keyfile(const char *pathname, GKeyFile **keyfile) { GError *error = NULL; int err; DBG("Loading %s", pathname); *keyfile = g_key_file_new(); if (g_key_file_load_from_file(*keyfile, pathname, 0, &error) == FALSE) goto err; return 0; err: /* * The fancy G_FILE_ERROR_* codes are identical to the native * error codes. */ err = -error->code; DBG("Unable to load %s: %s", pathname, error->message); g_clear_error(&error); g_key_file_free(*keyfile); *keyfile = NULL; return err; } static int load_policy(struct policy_data *policy) { struct connman_session_config *config = policy->config; GKeyFile *keyfile; char *pathname; char *str, **tokens; int i, err = 0; pathname = g_strdup_printf("%s/%s", POLICYDIR, policy->ident); if(pathname == NULL) return -ENOMEM; err = load_keyfile(pathname, &keyfile); if (err < 0) { g_free(pathname); if (err == -ENOENT) { /* Ignore empty files */ return 0; } return err; } config->priority = g_key_file_get_boolean(keyfile, "Default", "Priority", NULL); str = g_key_file_get_string(keyfile, "Default", "RoamingPolicy", NULL); if (str != NULL) { config->roaming_policy = connman_session_parse_roaming_policy(str); g_free(str); } else { config->roaming_policy = CONNMAN_SESSION_ROAMING_POLICY_DEFAULT; } str = g_key_file_get_string(keyfile, "Default", "ConnectionType", NULL); if (str != NULL) { config->type = connman_session_parse_connection_type(str); g_free(str); } else { config->type = CONNMAN_SESSION_TYPE_ANY; } config->ecall = g_key_file_get_boolean(keyfile, "Default", "EmergencyCall", NULL); g_slist_free(config->allowed_bearers); config->allowed_bearers = NULL; str = g_key_file_get_string(keyfile, "Default", "AllowedBearers", NULL); if (str != NULL) { tokens = g_strsplit(str, " ", 0); for (i = 0; tokens[i] != NULL; i++) { err = connman_session_parse_bearers(tokens[i], &config->allowed_bearers); if (err < 0) break; } g_free(str); g_strfreev(tokens); } else { config->allowed_bearers = g_slist_append(NULL, GINT_TO_POINTER(CONNMAN_SERVICE_TYPE_UNKNOWN)); if (config->allowed_bearers == NULL) err = -ENOMEM; } g_key_file_free(keyfile); g_free(pathname); return err; } static void update_session(struct connman_session *session) { if (connman_session_config_update(session) < 0) connman_session_destroy(session); } static void remove_policy(struct policy_data *policy) { connman_bool_t update = FALSE; int err; if (policy->session != NULL) update = TRUE; policy_unref(policy); if (update == FALSE) return; err = connman_session_set_default_config(policy->config); if (err < 0) { connman_session_destroy(policy->session); return; } update_session(policy->session); } static void notify_handler(struct inotify_event *event, const char *ident) { struct policy_data *policy; if (ident == NULL) return; policy = g_hash_table_lookup(policy_hash, ident); if (event->mask & (IN_CREATE | IN_MOVED_TO)) { connman_info("Policy added for '%s'", ident); if (policy != NULL) policy_ref(policy); else policy = create_policy(ident); } if (policy == NULL) return; if (event->mask & IN_MODIFY) { connman_info("Policy modifed for '%s'", ident); if (load_policy(policy) < 0) { remove_policy(policy); return; } } if (event->mask & (IN_DELETE | IN_MOVED_FROM)) { connman_info("Policy deleted for '%s'", ident); remove_policy(policy); return; } if (policy->session != NULL) update_session(policy->session); } static int read_policies(void) { GDir *dir; int err = 0; DBG(""); dir = g_dir_open(POLICYDIR, 0, NULL); if (dir != NULL) { const gchar *file; while ((file = g_dir_read_name(dir)) != NULL) { struct policy_data *policy; policy = create_policy(file); if (policy == NULL) { err = -ENOMEM; break; } err = load_policy(policy); if (err < 0) break; } g_dir_close(dir); } return err; } static int session_policy_local_init(void) { int err; /* If the dir doesn't exist, create it */ if (g_file_test(POLICYDIR, G_FILE_TEST_IS_DIR) == FALSE) { if (mkdir(POLICYDIR, MODE) < 0) { if (errno != EEXIST) return -errno; } } connection = connman_dbus_get_connection(); if (connection == NULL) return -EIO; session_hash = g_hash_table_new_full(g_direct_hash, g_direct_equal, NULL, NULL); if (session_hash == NULL) { err = -ENOMEM; goto err; } policy_hash = g_hash_table_new_full(g_str_hash, g_str_equal, NULL, cleanup_policy); if (policy_hash == NULL) { err = -ENOMEM; goto err; } err = connman_inotify_register(POLICYDIR, notify_handler); if (err < 0) goto err; err = read_policies(); if (err < 0) goto err_notify; err = connman_session_policy_register(&session_policy_local); if (err < 0) goto err_notify; return 0; err_notify: connman_inotify_unregister(POLICYDIR, notify_handler); err: if (session_hash != NULL) g_hash_table_destroy(session_hash); if (policy_hash != NULL) g_hash_table_destroy(policy_hash); connman_session_policy_unregister(&session_policy_local); dbus_connection_unref(connection); return err; } static void session_policy_local_exit(void) { g_hash_table_destroy(session_hash); g_hash_table_destroy(policy_hash); connman_session_policy_unregister(&session_policy_local); dbus_connection_unref(connection); connman_inotify_unregister(POLICYDIR, notify_handler); } CONNMAN_PLUGIN_DEFINE(session_policy_local, "Session local file policy configuration plugin", VERSION, CONNMAN_PLUGIN_PRIORITY_DEFAULT, session_policy_local_init, session_policy_local_exit)