[yast-commit] r55193 - in /branches/tmp/lslezak/core: dbus/namespace_service/ liby2dbus/src/
Author: lslezak Date: Mon Feb 2 16:30:23 2009 New Revision: 55193 URL: http://svn.opensuse.org/viewcvs/yast?rev=55193&view=rev Log: - DBus service - added PolicyKit checks Modified: branches/tmp/lslezak/core/dbus/namespace_service/DBusModulesServer.cc branches/tmp/lslezak/core/dbus/namespace_service/DBusModulesServer.h branches/tmp/lslezak/core/liby2dbus/src/DBusServerBase.cc branches/tmp/lslezak/core/liby2dbus/src/DBusServerBase.h branches/tmp/lslezak/core/liby2dbus/src/PolKit.cc branches/tmp/lslezak/core/liby2dbus/src/PolKit.h Modified: branches/tmp/lslezak/core/dbus/namespace_service/DBusModulesServer.cc URL: http://svn.opensuse.org/viewcvs/yast/branches/tmp/lslezak/core/dbus/namespac... ============================================================================== --- branches/tmp/lslezak/core/dbus/namespace_service/DBusModulesServer.cc (original) +++ branches/tmp/lslezak/core/dbus/namespace_service/DBusModulesServer.cc Mon Feb 2 16:30:23 2009 @@ -308,3 +308,26 @@ return reply; } + +std::string DBusModulesServer::createActionId(const DBusMsg &msg) +{ + // actionId: <prefix>.<namespace>.<method> + std::string ret("org.opensuse.yast.modules"); + + std::string obj(msg.path()); + + if (!obj.empty() && obj[0] == '/') + { + obj.erase(obj.begin()); + } + + ret += '.' + obj + '.' + msg.method(); + + if (!PolKit::isValidActionID(ret)) + { + ret = PolKit::makeValidActionID(ret); + } + + return ret; +} + Modified: branches/tmp/lslezak/core/dbus/namespace_service/DBusModulesServer.h URL: http://svn.opensuse.org/viewcvs/yast/branches/tmp/lslezak/core/dbus/namespac... ============================================================================== --- branches/tmp/lslezak/core/dbus/namespace_service/DBusModulesServer.h (original) +++ branches/tmp/lslezak/core/dbus/namespace_service/DBusModulesServer.h Mon Feb 2 16:30:23 2009 @@ -31,6 +31,11 @@ virtual bool connect(); + protected: + + virtual std::string createActionId(const DBusMsg &msg); + + private: // the wrapped Yast namespaces Modified: branches/tmp/lslezak/core/liby2dbus/src/DBusServerBase.cc URL: http://svn.opensuse.org/viewcvs/yast/branches/tmp/lslezak/core/liby2dbus/src... ============================================================================== --- branches/tmp/lslezak/core/liby2dbus/src/DBusServerBase.cc (original) +++ branches/tmp/lslezak/core/liby2dbus/src/DBusServerBase.cc Mon Feb 2 16:30:23 2009 @@ -28,7 +28,8 @@ // std::pair #include <utility> -static bool finish = false; +// use atomic type in signal handler +static sig_atomic_t finish = 0; DBusServerBase::DBusServerBase() { @@ -63,7 +64,7 @@ if (signal == SIGALRM) { // set the finish flag for the main loop - finish = true; + finish = 1; } } @@ -143,7 +144,7 @@ else { // reset the flag - finish = false; + finish = 0; // set a new timer resetTimer(); @@ -273,63 +274,70 @@ } else if (request.type() == DBUS_MESSAGE_TYPE_METHOD_CALL) { - // TODO check the policy - - // find the registered object - std::string objname = request.path(); - - // remove the slash at the beginning - if (objname.size() > 0 && objname[0] == '/') + // check the policy using PolicyKit + if (isActionAllowed(request)) { - objname.erase(objname.begin()); - } + // find the registered object + std::string objname = request.path(); - // search the object - Objects::const_iterator i = registered_objects.find(objname); + // remove the slash at the beginning + if (objname.size() > 0 && objname[0] == '/') + { + objname.erase(objname.begin()); + } - bool found = false; + // search the object + Objects::const_iterator i = registered_objects.find(objname); - if (i != registered_objects.end()) - { - ObjectData::const_iterator ii = i->second.find(request.interface()); + bool found = false; - if (ii != i->second.end()) + if (i != registered_objects.end()) { - InterfaceData::const_iterator iii = ii->second.find(request.method()); + ObjectData::const_iterator ii = i->second.find(request.interface()); - if (iii != ii->second.end()) + if (ii != i->second.end()) { - MethodData md = iii->second; - methodHandler mh = md.first; + InterfaceData::const_iterator iii = ii->second.find(request.method()); + + if (iii != ii->second.end()) + { + MethodData md = iii->second; + methodHandler mh = md.first; - y2milestone("Evaluating method: object %s interface: %s, method: %s", - request.path().c_str(), request.interface().c_str(), request.method().c_str()); + y2milestone("Evaluating method: object %s interface: %s, method: %s", + request.path().c_str(), request.interface().c_str(), request.method().c_str()); - // call the registered callback - found = true; - reply = mh(request); + // call the registered callback + found = true; + reply = mh(request); + } + else + { + y2warning("Object %s does not provide method %s in interface %s", + objname.c_str(), request.path().c_str(), request.interface().c_str()); + } } else { - y2warning("Object %s does not provide method %s in interface %s", - objname.c_str(), request.path().c_str(), request.interface().c_str()); + y2warning("Object %s does not provide interface %s", + objname.c_str(), request.interface().c_str()); } } else { - y2warning("Object %s does not provide interface %s", - objname.c_str(), request.interface().c_str()); + y2warning("Object %s is not registered", objname.c_str()); + } + + if (!found) + { + // report error + reply.createError(request, "Unknown object, interface or method", DBUS_ERROR_UNKNOWN_METHOD); } } else { - y2warning("Object %s is not registered", objname.c_str()); - } - - if (!found) - { // report error - reply.createError(request, "Unknown object, interface or method", DBUS_ERROR_UNKNOWN_METHOD); + reply.createError(request, "Access denied, check PolicyKit priviledges", DBUS_ERROR_ACCESS_DENIED); } } else if (request.type() == DBUS_MESSAGE_TYPE_ERROR) @@ -349,7 +357,7 @@ else if (request.type() == DBUS_MESSAGE_TYPE_SIGNAL) { // singals are not supported - y2error("Received a signal: interface: %s method: %s", request.interface().c_str(), request.method().c_str()); + y2warning("Ignoring a received signal: interface: %s method: %s", request.interface().c_str(), request.method().c_str()); } // was a reply set? @@ -362,9 +370,9 @@ } else { - y2milestone("Flushing connection..."); + y2debug("Flushing connection..."); connection.flush(); - y2milestone("...done"); + y2debug("...done"); } } @@ -442,21 +450,31 @@ } } } - -/* -#ifdef HAVE_POLKIT -bool DBusServerBase::isActionAllowed(const std::string &caller, const std::string &path, const std::string &method, - const std::string &arg, const std::string &opt) + +bool DBusServerBase::isActionAllowed(const DBusMsg &msg) { +#ifdef HAVE_POLKIT // create actionId - static const char *polkit_prefix = "org.opensuse.yast.scr"; - std::string action_id(PolKit::createActionId(polkit_prefix, path, method, arg, opt)); + std::string action_id(createActionId(msg)); + y2debug("PolicyKit check: action %s from %s", action_id.c_str(), msg.sender().c_str()); bool ret = false; + if (action_id.empty()) + { + // no actionId -> return the default (forbidden) + return ret; + } + + if (!PolKit::isValidActionID(action_id)) + { + y2error("Invalid action ID: %s", action_id.c_str()); + return ret; + } + // check the policy here - if (policykit.isDBusUserAuthorized(action_id, caller, connection.getConnection())) + if (policykit.isDBusUserAuthorized(action_id, msg.sender(), connection.getConnection())) { y2security("User is authorized to do action %s", action_id.c_str()); ret = true; @@ -467,13 +485,15 @@ } return ret; -} +#else + // no PolicyKit -> enable action + return true; #endif -*/ - +} std::string DBusServerBase::createActionId(const DBusMsg &msg) { - //TODO FIXME + // default implementation is empty string + // the inherited classes should redefine it return std::string(); } Modified: branches/tmp/lslezak/core/liby2dbus/src/DBusServerBase.h URL: http://svn.opensuse.org/viewcvs/yast/branches/tmp/lslezak/core/liby2dbus/src... ============================================================================== --- branches/tmp/lslezak/core/liby2dbus/src/DBusServerBase.h (original) +++ branches/tmp/lslezak/core/liby2dbus/src/DBusServerBase.h Mon Feb 2 16:30:23 2009 @@ -70,6 +70,7 @@ void resetTimer(); void registerSignalHandler(); bool canFinish(); + bool isActionAllowed(const DBusMsg &msg); typedef std::pair<methodHandler, DBusSignature> MethodData; typedef std::map<Method, MethodData> InterfaceData; Modified: branches/tmp/lslezak/core/liby2dbus/src/PolKit.cc URL: http://svn.opensuse.org/viewcvs/yast/branches/tmp/lslezak/core/liby2dbus/src... ============================================================================== --- branches/tmp/lslezak/core/liby2dbus/src/PolKit.cc (original) +++ branches/tmp/lslezak/core/liby2dbus/src/PolKit.cc Mon Feb 2 16:30:23 2009 @@ -65,7 +65,7 @@ return pk_result == POLKIT_RESULT_YES; } -std::string makeValidActionID(const std::string &s) +std::string PolKit::makeValidActionID(const std::string &s) { if (s.empty()) return s; @@ -128,3 +128,9 @@ return action_id; } + +bool PolKit::isValidActionID(const std::string &action) +{ + return polkit_action_validate_id(action.c_str()); +} + Modified: branches/tmp/lslezak/core/liby2dbus/src/PolKit.h URL: http://svn.opensuse.org/viewcvs/yast/branches/tmp/lslezak/core/liby2dbus/src... ============================================================================== --- branches/tmp/lslezak/core/liby2dbus/src/PolKit.h (original) +++ branches/tmp/lslezak/core/liby2dbus/src/PolKit.h Mon Feb 2 16:30:23 2009 @@ -25,6 +25,10 @@ const std::string &method, const std::string &arg = std::string(), const std::string &opt = std::string()); + static std::string makeValidActionID(const std::string &s); + + static bool isValidActionID(const std::string &action); + private: DBusError dbus_error; -- To unsubscribe, e-mail: yast-commit+unsubscribe@opensuse.org For additional commands, e-mail: yast-commit+help@opensuse.org
participants (1)
-
lslezak@svn.opensuse.org