Author: lslezak
Date: Mon Feb 2 16:30:23 2009
New Revision: 55193
URL: http://svn.opensuse.org/viewcvs/yast?rev=55193&view=rev
Log:
- DBus service - added PolicyKit checks
Modified:
branches/tmp/lslezak/core/dbus/namespace_service/DBusModulesServer.cc
branches/tmp/lslezak/core/dbus/namespace_service/DBusModulesServer.h
branches/tmp/lslezak/core/liby2dbus/src/DBusServerBase.cc
branches/tmp/lslezak/core/liby2dbus/src/DBusServerBase.h
branches/tmp/lslezak/core/liby2dbus/src/PolKit.cc
branches/tmp/lslezak/core/liby2dbus/src/PolKit.h
Modified: branches/tmp/lslezak/core/dbus/namespace_service/DBusModulesServer.cc
URL: http://svn.opensuse.org/viewcvs/yast/branches/tmp/lslezak/core/dbus/namespace_service/DBusModulesServer.cc?rev=55193&r1=55192&r2=55193&view=diff
==============================================================================
--- branches/tmp/lslezak/core/dbus/namespace_service/DBusModulesServer.cc (original)
+++ branches/tmp/lslezak/core/dbus/namespace_service/DBusModulesServer.cc Mon Feb 2 16:30:23 2009
@@ -308,3 +308,26 @@
return reply;
}
+
+std::string DBusModulesServer::createActionId(const DBusMsg &msg)
+{
+ // actionId: <prefix>.<namespace>.<method>
+ std::string ret("org.opensuse.yast.modules");
+
+ std::string obj(msg.path());
+
+ if (!obj.empty() && obj[0] == '/')
+ {
+ obj.erase(obj.begin());
+ }
+
+ ret += '.' + obj + '.' + msg.method();
+
+ if (!PolKit::isValidActionID(ret))
+ {
+ ret = PolKit::makeValidActionID(ret);
+ }
+
+ return ret;
+}
+
Modified: branches/tmp/lslezak/core/dbus/namespace_service/DBusModulesServer.h
URL: http://svn.opensuse.org/viewcvs/yast/branches/tmp/lslezak/core/dbus/namespace_service/DBusModulesServer.h?rev=55193&r1=55192&r2=55193&view=diff
==============================================================================
--- branches/tmp/lslezak/core/dbus/namespace_service/DBusModulesServer.h (original)
+++ branches/tmp/lslezak/core/dbus/namespace_service/DBusModulesServer.h Mon Feb 2 16:30:23 2009
@@ -31,6 +31,11 @@
virtual bool connect();
+ protected:
+
+ virtual std::string createActionId(const DBusMsg &msg);
+
+
private:
// the wrapped Yast namespaces
Modified: branches/tmp/lslezak/core/liby2dbus/src/DBusServerBase.cc
URL: http://svn.opensuse.org/viewcvs/yast/branches/tmp/lslezak/core/liby2dbus/src/DBusServerBase.cc?rev=55193&r1=55192&r2=55193&view=diff
==============================================================================
--- branches/tmp/lslezak/core/liby2dbus/src/DBusServerBase.cc (original)
+++ branches/tmp/lslezak/core/liby2dbus/src/DBusServerBase.cc Mon Feb 2 16:30:23 2009
@@ -28,7 +28,8 @@
// std::pair
#include <utility>
-static bool finish = false;
+// use atomic type in signal handler
+static sig_atomic_t finish = 0;
DBusServerBase::DBusServerBase()
{
@@ -63,7 +64,7 @@
if (signal == SIGALRM)
{
// set the finish flag for the main loop
- finish = true;
+ finish = 1;
}
}
@@ -143,7 +144,7 @@
else
{
// reset the flag
- finish = false;
+ finish = 0;
// set a new timer
resetTimer();
@@ -273,63 +274,70 @@
}
else if (request.type() == DBUS_MESSAGE_TYPE_METHOD_CALL)
{
- // TODO check the policy
-
- // find the registered object
- std::string objname = request.path();
-
- // remove the slash at the beginning
- if (objname.size() > 0 && objname[0] == '/')
+ // check the policy using PolicyKit
+ if (isActionAllowed(request))
{
- objname.erase(objname.begin());
- }
+ // find the registered object
+ std::string objname = request.path();
- // search the object
- Objects::const_iterator i = registered_objects.find(objname);
+ // remove the slash at the beginning
+ if (objname.size() > 0 && objname[0] == '/')
+ {
+ objname.erase(objname.begin());
+ }
- bool found = false;
+ // search the object
+ Objects::const_iterator i = registered_objects.find(objname);
- if (i != registered_objects.end())
- {
- ObjectData::const_iterator ii = i->second.find(request.interface());
+ bool found = false;
- if (ii != i->second.end())
+ if (i != registered_objects.end())
{
- InterfaceData::const_iterator iii = ii->second.find(request.method());
+ ObjectData::const_iterator ii = i->second.find(request.interface());
- if (iii != ii->second.end())
+ if (ii != i->second.end())
{
- MethodData md = iii->second;
- methodHandler mh = md.first;
+ InterfaceData::const_iterator iii = ii->second.find(request.method());
+
+ if (iii != ii->second.end())
+ {
+ MethodData md = iii->second;
+ methodHandler mh = md.first;
- y2milestone("Evaluating method: object %s interface: %s, method: %s",
- request.path().c_str(), request.interface().c_str(), request.method().c_str());
+ y2milestone("Evaluating method: object %s interface: %s, method: %s",
+ request.path().c_str(), request.interface().c_str(), request.method().c_str());
- // call the registered callback
- found = true;
- reply = mh(request);
+ // call the registered callback
+ found = true;
+ reply = mh(request);
+ }
+ else
+ {
+ y2warning("Object %s does not provide method %s in interface %s",
+ objname.c_str(), request.path().c_str(), request.interface().c_str());
+ }
}
else
{
- y2warning("Object %s does not provide method %s in interface %s",
- objname.c_str(), request.path().c_str(), request.interface().c_str());
+ y2warning("Object %s does not provide interface %s",
+ objname.c_str(), request.interface().c_str());
}
}
else
{
- y2warning("Object %s does not provide interface %s",
- objname.c_str(), request.interface().c_str());
+ y2warning("Object %s is not registered", objname.c_str());
+ }
+
+ if (!found)
+ {
+ // report error
+ reply.createError(request, "Unknown object, interface or method", DBUS_ERROR_UNKNOWN_METHOD);
}
}
else
{
- y2warning("Object %s is not registered", objname.c_str());
- }
-
- if (!found)
- {
// report error
- reply.createError(request, "Unknown object, interface or method", DBUS_ERROR_UNKNOWN_METHOD);
+ reply.createError(request, "Access denied, check PolicyKit priviledges", DBUS_ERROR_ACCESS_DENIED);
}
}
else if (request.type() == DBUS_MESSAGE_TYPE_ERROR)
@@ -349,7 +357,7 @@
else if (request.type() == DBUS_MESSAGE_TYPE_SIGNAL)
{
// singals are not supported
- y2error("Received a signal: interface: %s method: %s", request.interface().c_str(), request.method().c_str());
+ y2warning("Ignoring a received signal: interface: %s method: %s", request.interface().c_str(), request.method().c_str());
}
// was a reply set?
@@ -362,9 +370,9 @@
}
else
{
- y2milestone("Flushing connection...");
+ y2debug("Flushing connection...");
connection.flush();
- y2milestone("...done");
+ y2debug("...done");
}
}
@@ -442,21 +450,31 @@
}
}
}
-
-/*
-#ifdef HAVE_POLKIT
-bool DBusServerBase::isActionAllowed(const std::string &caller, const std::string &path, const std::string &method,
- const std::string &arg, const std::string &opt)
+
+bool DBusServerBase::isActionAllowed(const DBusMsg &msg)
{
+#ifdef HAVE_POLKIT
// create actionId
- static const char *polkit_prefix = "org.opensuse.yast.scr";
- std::string action_id(PolKit::createActionId(polkit_prefix, path, method, arg, opt));
+ std::string action_id(createActionId(msg));
+ y2debug("PolicyKit check: action %s from %s", action_id.c_str(), msg.sender().c_str());
bool ret = false;
+ if (action_id.empty())
+ {
+ // no actionId -> return the default (forbidden)
+ return ret;
+ }
+
+ if (!PolKit::isValidActionID(action_id))
+ {
+ y2error("Invalid action ID: %s", action_id.c_str());
+ return ret;
+ }
+
// check the policy here
- if (policykit.isDBusUserAuthorized(action_id, caller, connection.getConnection()))
+ if (policykit.isDBusUserAuthorized(action_id, msg.sender(), connection.getConnection()))
{
y2security("User is authorized to do action %s", action_id.c_str());
ret = true;
@@ -467,13 +485,15 @@
}
return ret;
-}
+#else
+ // no PolicyKit -> enable action
+ return true;
#endif
-*/
-
+}
std::string DBusServerBase::createActionId(const DBusMsg &msg)
{
- //TODO FIXME
+ // default implementation is empty string
+ // the inherited classes should redefine it
return std::string();
}
Modified: branches/tmp/lslezak/core/liby2dbus/src/DBusServerBase.h
URL: http://svn.opensuse.org/viewcvs/yast/branches/tmp/lslezak/core/liby2dbus/src/DBusServerBase.h?rev=55193&r1=55192&r2=55193&view=diff
==============================================================================
--- branches/tmp/lslezak/core/liby2dbus/src/DBusServerBase.h (original)
+++ branches/tmp/lslezak/core/liby2dbus/src/DBusServerBase.h Mon Feb 2 16:30:23 2009
@@ -70,6 +70,7 @@
void resetTimer();
void registerSignalHandler();
bool canFinish();
+ bool isActionAllowed(const DBusMsg &msg);
typedef std::pair