Commit b18bb2d8 authored by David Zeuthen's avatar David Zeuthen

read privilege files and actually use the policy described in those

parent 5a74d9b7
## Process this file with automake to produce Makefile.in
SUBDIRS = libpolkit doc tools
SUBDIRS = libpolkit doc tools privileges
pkgconfigdir = $(libdir)/pkgconfig
pkgconfig_DATA = libpolkit.pc
......
......@@ -173,6 +173,7 @@ doc/api/libpolkit/version.xml
doc/spec/Makefile
doc/spec/polkit-spec.xml.in
doc/man/Makefile
privileges/Makefile
])
dnl ==========================================================================
......
......@@ -70,6 +70,9 @@
<xi:include href="xml/libpolkit-context.xml"/>
<xi:include href="xml/libpolkit-privilege.xml"/>
<xi:include href="xml/libpolkit-privilege-file.xml"/>
<xi:include href="xml/libpolkit-privilege-file-entry.xml"/>
<xi:include href="xml/libpolkit-privilege-cache.xml"/>
<xi:include href="xml/libpolkit-privilege-default.xml"/>
<xi:include href="xml/libpolkit-resource.xml"/>
<xi:include href="xml/libpolkit-seat.xml"/>
<xi:include href="xml/libpolkit-session.xml"/>
......
if MAN_PAGES_ENABLED
MAN_IN_FILES = polkit-check-caller.1.in polkit-check-session.1.in
MAN_IN_FILES = polkit-check-caller.1.in polkit-check-session.1.in polkit-privilege-file-validate.1.in
man_MANS = $(MAN_IN_FILES:.in=)
......
.\"
.\" polkit-privilege-file-validate manual page.
.\" Copyright (C) 2007 David Zeuthen <david@fubar.dk>
.\"
.TH POLKIT-PRIVILEGE-FILE-VALIDATE 1
.SH NAME
polkit-privilege-file-validate \- check access
.SH SYNOPSIS
.PP
.B polkit-privilege-file-validate
[options]
.SH DESCRIPTION
\fIpolkit-privilege-file-validate\fP is used to validate PolicyKit
privilege definition files. These are normally stored in the
.I "@sysconfdir@/PolicyKit/privileges"
directory. For more information about the big picture
refer to the \fIPolicyKit spec\fP which can be found in
.I "@docdir@/spec/polkit-spec.html"
depending on the distribution.
.SH OPTIONS
The following options are supported:
.TP
.I "--file"
File to validate.
.TP
.I "--help"
Print out usage.
.TP
.I "--version"
Print the version.
.SH RETURN VALUE
.PP
If the file validates, this program exits with exit code 0. Otherwise
the program exits with a non-zero exit code.
.SH BUGS
.PP
Please send bug reports to either the distribution or the HAL
mailing list, see
.I "http://lists.freedesktop.org/mailman/listinfo/hal"
on how to subscribe.
.SH SEE ALSO
.PP
\&\fIpolkit-check-caller\fR\|(1),
\&\fIpolkit-check-session\fR\|(1)
.SH AUTHOR
Written by David Zeuthen <david@fubar.dk> with a lot of help from many
others.
......@@ -6,7 +6,7 @@ SPEC_XML_EXTRA_FILES = \
if DOCBOOK_DOCS_ENABLED
htmldocdir = $(DOCDIR)/spec
htmldocdir = $(docdir)/spec
htmldoc_DATA = polkit-spec.html $(FIGURE_FILES) docbook.css
polkit-spec.html : polkit-spec.xml.in $(FIGURE_FILES) $(SPEC_XML_EXTRA_FILES)
......
......@@ -25,19 +25,25 @@ libpolkitinclude_HEADERS = \
libpolkit-seat.h \
libpolkit-session.h \
libpolkit-caller.h \
libpolkit-privilege-file.h
libpolkit_la_SOURCES = \
libpolkit.h libpolkit.c \
libpolkit-error.h libpolkit-error.c \
libpolkit-result.h libpolkit-result.c \
libpolkit-context.h libpolkit-context.c \
libpolkit-privilege.h libpolkit-privilege.c \
libpolkit-resource.h libpolkit-resource.c \
libpolkit-seat.h libpolkit-seat.c \
libpolkit-session.h libpolkit-session.c \
libpolkit-caller.h libpolkit-caller.c \
libpolkit-privilege-file.h libpolkit-privilege-file.c
libpolkit-privilege-file-entry.h \
libpolkit-privilege-file.h \
libpolkit-privilege-cache.h \
libpolkit-privilege-default.h
libpolkit_la_SOURCES = \
libpolkit.h libpolkit.c \
libpolkit-error.h libpolkit-error.c \
libpolkit-result.h libpolkit-result.c \
libpolkit-context.h libpolkit-context.c \
libpolkit-privilege.h libpolkit-privilege.c \
libpolkit-resource.h libpolkit-resource.c \
libpolkit-seat.h libpolkit-seat.c \
libpolkit-session.h libpolkit-session.c \
libpolkit-caller.h libpolkit-caller.c \
libpolkit-privilege-file-entry.h libpolkit-privilege-file-entry.c \
libpolkit-privilege-file.h libpolkit-privilege-file.c \
libpolkit-privilege-cache.h libpolkit-privilege-cache.c \
libpolkit-privilege-default.h libpolkit-privilege-default.c
libpolkit_la_LIBADD = @GLIB_LIBS@ @DBUS_LIBS@
......
......@@ -435,3 +435,18 @@ out:
return caller;
}
/**
* libpolkit_caller_debug:
* @caller: the object
*
* Print debug details
**/
void
libpolkit_caller_debug (PolKitCaller *caller)
{
g_return_if_fail (caller != NULL);
g_debug ("PolKitCaller: refcount=%d dbus_name=%s uid=%d pid=%d selinux_context=%s",
caller->refcount, caller->dbus_name, caller->uid, caller->pid, caller->selinux_context);
if (caller->session != NULL)
libpolkit_session_debug (caller->session);
}
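Review bot: In `libpolkit_caller_debug`, `caller->dbus_name` and `caller->selinux_context` go straight into `%s`, and the gboolean-returning getters declared for them suggest either field may be unset. Passing NULL to `%s` is undefined behaviour in C and only happens to print `(null)` with some libc implementations, so guard each one, e.g. `caller->selinux_context != NULL ? caller->selinux_context : "(none)"`. The struct definition is outside this hunk; if `uid` and `pid` are `uid_t`/`pid_t`, cast them to `int` so they match the `%d` specifiers.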
......@@ -52,6 +52,8 @@ gboolean libpolkit_caller_get_pid (PolKitCaller *caller,
gboolean libpolkit_caller_get_selinux_context (PolKitCaller *caller, char **out_selinux_context);
gboolean libpolkit_caller_get_ck_session (PolKitCaller *caller, PolKitSession **out_session);
void libpolkit_caller_debug (PolKitCaller *caller);
#endif /* LIBPOLKIT_H */
......@@ -38,6 +38,7 @@
#include <glib.h>
#include "libpolkit-context.h"
#include "libpolkit-privilege-cache.h"
/**
* SECTION:libpolkit-context
......@@ -56,22 +57,42 @@ struct PolKitContext
int refcount;
PolKitContextConfigChangedCB config_changed_cb;
gpointer config_changed_user_data;
PolKitPrivilegeCache *priv_cache;
};
/**
* libpolkit_context_new:
* @error: return location for error
*
* Create a new context.
*
* Returns: the new context object
* Returns: #NULL if @error was set, otherwise the #PolKitPrivilegeCache object
**/
PolKitContext *
libpolkit_context_new (void)
libpolkit_context_new (GError **error)
{
const char *dirname;
PolKitContext *pk_context;
pk_context = g_new0 (PolKitContext, 1);
pk_context->refcount = 1;
dirname = getenv ("POLKIT_PRIV_DIR");
if (dirname != NULL) {
g_debug ("Using directory %s", dirname);
} else {
dirname = PACKAGE_SYSCONF_DIR "/PolicyKit/privileges";
}
pk_context->priv_cache = libpolkit_privilege_cache_new (dirname, error);
if (pk_context->priv_cache == NULL)
goto error;
libpolkit_privilege_cache_debug (pk_context->priv_cache);
return pk_context;
error:
libpolkit_context_unref (pk_context);
return NULL;
}
/**
......@@ -128,3 +149,18 @@ libpolkit_context_set_config_changed (PolKitContext *pk_context,
pk_context->config_changed_cb = cb;
pk_context->config_changed_user_data = user_data;
}
/**
* libpolkit_context_get_privilege_cache:
* @pk_context: the context
*
* Get the #PolKitPrivilegeCache object that holds all the defined privileges as well as their defaults.
*
* Returns: the #PolKitPrivilegeCache object. Caller shall not unref it.
**/
PolKitPrivilegeCache *
libpolkit_context_get_privilege_cache (PolKitContext *pk_context)
{
g_return_val_if_fail (pk_context != NULL, NULL);
return pk_context->priv_cache;
}
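Review bot: `libpolkit_context_new` takes the policy directory from the `POLKIT_PRIV_DIR` environment variable, so whoever controls the process environment chooses which privilege files define the authorization policy. That is convenient for a test harness, but if the library is ever loaded into a setuid or otherwise privileged process started by a less-privileged user, the policy is effectively supplied by that user. Consider ignoring the override when credentials are elevated, e.g. `if (dirname != NULL && (getuid () != geteuid () || getgid () != getegid ())) dirname = NULL;`, or passing the directory as an explicit parameter for tests. Separately, the new `Returns:` line in the doc comment names #PolKitPrivilegeCache where it should name #PolKitContext. `libpolkit_context_unref` is outside these hunks, so it is worth confirming that it releases `priv_cache`.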
......@@ -31,6 +31,8 @@
#include <sys/types.h>
#include <glib.h>
#include <libpolkit/libpolkit-privilege-cache.h>
struct PolKitContext;
typedef struct PolKitContext PolKitContext;
......@@ -44,13 +46,14 @@ typedef struct PolKitContext PolKitContext;
typedef void (*PolKitContextConfigChangedCB) (PolKitContext *pk_context,
gpointer user_data);
PolKitContext *libpolkit_context_new (void);
PolKitContext *libpolkit_context_new (GError **error);
PolKitContext *libpolkit_context_ref (PolKitContext *pk_context);
void libpolkit_context_set_config_changed (PolKitContext *pk_context,
PolKitContextConfigChangedCB cb,
gpointer user_data);
void libpolkit_context_unref (PolKitContext *pk_context);
PolKitPrivilegeCache *libpolkit_context_get_privilege_cache (PolKitContext *pk_context);
#endif /* LIBPOLKIT_CONTEXT_H */
......
......@@ -30,13 +30,13 @@
/**
* PolKitError:
* @POLKIT_ERROR_PRIVILEGE_FILE_INVALID_VALUE: There was an error parsing the given privilege file
* @POLKIT_ERROR_PRIVILEGE_FILE_INVALID: There was an error parsing the given privilege file
*
* Error codes returned by PolicyKit
*/
typedef enum
{
POLKIT_ERROR_PRIVILEGE_FILE_INVALID_VALUE
POLKIT_ERROR_PRIVILEGE_FILE_INVALID
} PolKitError;
/**
......
/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
/***************************************************************************
*
* libpolkit-privilege-cache.c : privilege cache
*
* Copyright (C) 2007 David Zeuthen, <david@fubar.dk>
*
* Licensed under the Academic Free License version 2.1
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
**************************************************************************/
#ifdef HAVE_CONFIG_H
# include <config.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <pwd.h>
#include <grp.h>
#include <unistd.h>
#include <errno.h>
#include <glib.h>
#include "libpolkit-privilege-file.h"
#include "libpolkit-privilege-cache.h"
/**
* SECTION:libpolkit-privilege-cache
* @short_description: System privilege queries.
*
* This class is used to query all system-defined privileges,
* e.g. privilege files installed in /etc/PolicyKit/privileges.
**/
/**
* PolKitPrivilegeCache:
*
* Instances of this class is used to query all system-defined
* privileges, e.g. privilege files installed in
* /etc/PolicyKit/privileges.
**/
struct PolKitPrivilegeCache
{
int refcount;
GSList *priv_entries;
};
static void
add_entries_from_file (PolKitPrivilegeCache *privilege_cache,
PolKitPrivilegeFile *privilege_file)
{
GSList *i;
g_return_if_fail (privilege_cache != NULL);
g_return_if_fail (privilege_file != NULL);
for (i = libpolkit_privilege_file_get_entries (privilege_file); i != NULL; i = g_slist_next (i)) {
PolKitPrivilegeFileEntry *privilege_file_entry = i->data;
libpolkit_privilege_file_entry_ref (privilege_file_entry);
privilege_cache->priv_entries = g_slist_append (privilege_cache->priv_entries,
privilege_file_entry);
}
}
/**
* libpolkit_privilege_cache_new:
* @dirname: directory containing privilege files
* @error: location to return error
*
* Create a new #PolKitPrivilegeCache object and load information from privilege files.
*
* Returns: #NULL if @error was set, otherwise the #PolKitPrivilegeCache object
**/
PolKitPrivilegeCache *
libpolkit_privilege_cache_new (const char *dirname, GError **error)
{
const char *file;
GDir *dir;
PolKitPrivilegeCache *pc;
pc = g_new0 (PolKitPrivilegeCache, 1);
pc->refcount = 1;
dir = g_dir_open (dirname, 0, error);
if (dir == NULL) {
goto out;
}
while ((file = g_dir_read_name (dir)) != NULL) {
char *path;
PolKitPrivilegeFile *pf;
if (!g_str_has_suffix (file, ".priv"))
continue;
path = g_strdup_printf ("%s/%s", dirname, file);
g_debug ("Loading %s", path);
pf = libpolkit_privilege_file_new (path, error);
g_free (path);
if (pf == NULL) {
goto out;
}
add_entries_from_file (pc, pf);
libpolkit_privilege_file_unref (pf);
}
g_dir_close (dir);
return pc;
out:
if (pc != NULL)
libpolkit_privilege_cache_ref (pc);
return NULL;
}
/**
* libpolkit_privilege_cache_ref:
* @privilege_cache: the privilege cache object
*
* Increase reference count.
*
* Returns: the object
**/
PolKitPrivilegeCache *
libpolkit_privilege_cache_ref (PolKitPrivilegeCache *privilege_cache)
{
g_return_val_if_fail (privilege_cache != NULL, privilege_cache);
privilege_cache->refcount++;
return privilege_cache;
}
/**
* libpolkit_privilege_cache_unref:
* @privilege_cache: the privilege cache object
*
* Decreases the reference count of the object. If it becomes zero,
* the object is freed. Before freeing, reference counts on embedded
* objects are decresed by one.
**/
void
libpolkit_privilege_cache_unref (PolKitPrivilegeCache *privilege_cache)
{
GSList *i;
g_return_if_fail (privilege_cache != NULL);
privilege_cache->refcount--;
if (privilege_cache->refcount > 0)
return;
for (i = privilege_cache->priv_entries; i != NULL; i = g_slist_next (i)) {
PolKitPrivilegeFileEntry *pfe = i->data;
libpolkit_privilege_file_entry_unref (pfe);
}
if (privilege_cache->priv_entries != NULL)
g_slist_free (privilege_cache->priv_entries);
g_free (privilege_cache);
}
/**
* libpolkit_privilege_cache_debug:
* @privilege_cache: the cache
*
* Print debug information about object
**/
void
libpolkit_privilege_cache_debug (PolKitPrivilegeCache *privilege_cache)
{
GSList *i;
g_return_if_fail (privilege_cache != NULL);
g_debug ("PolKitPrivilegeCache: refcount=%d num_entries=%d ...",
privilege_cache->refcount,
privilege_cache->priv_entries == NULL ? 0 : g_slist_length (privilege_cache->priv_entries));
for (i = privilege_cache->priv_entries; i != NULL; i = g_slist_next (i)) {
PolKitPrivilegeFileEntry *pfe = i->data;
libpolkit_privilege_file_entry_debug (pfe);
}
}
/**
* libpolkit_privilege_cache_get_entry:
* @privilege_cache: the cache
* @privilege: the privilege
*
* Given a privilege, find the object describing the definition of the
* privilege; e.g. data stemming from files in
* /etc/PolicyKit/privileges.
*
* Returns: A #PolKitPrivilegeFileEntry entry on sucess; otherwise
* #NULL if the privilege wasn't identified. Caller shall not unref
* this object.
**/
PolKitPrivilegeFileEntry*
libpolkit_privilege_cache_get_entry (PolKitPrivilegeCache *privilege_cache,
PolKitPrivilege *privilege)
{
char *priv_id;
GSList *i;
PolKitPrivilegeFileEntry *pfe;
pfe = NULL;
g_return_val_if_fail (privilege_cache != NULL, NULL);
g_return_val_if_fail (privilege != NULL, NULL);
if (!libpolkit_privilege_get_privilege_id (privilege, &priv_id))
goto out;
for (i = privilege_cache->priv_entries; i != NULL; i = g_slist_next (i)) {
pfe = i->data;
if (strcmp (libpolkit_privilege_file_entry_get_id (pfe), priv_id) == 0) {
goto out;
}
}
pfe = NULL;
out:
return pfe;
}
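Review bot: The failure path of `libpolkit_privilege_cache_new` calls `libpolkit_privilege_cache_ref (pc)` at `out:` where an unref is needed, so a directory that cannot be opened, or a privilege file that fails to parse, leaks the cache and every entry already appended to it. The same path skips `g_dir_close (dir)` when `libpolkit_privilege_file_new` fails mid-loop, leaking the directory handle. `dir` is assigned before the first `goto`, so the label body can become `if (dir != NULL) g_dir_close (dir);` followed by `libpolkit_privilege_cache_unref (pc);`. Because these files define authorization policy, the doc comment should also state that a single malformed `.priv` file fails the whole load (and with it `libpolkit_context_new`), and whether the directory is expected to be writable only by root, since nothing here checks ownership or mode.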
/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
/***************************************************************************
*
* libpolkit-privilege-cache.h : privilege cache
*
* Copyright (C) 2007 David Zeuthen, <david@fubar.dk>
*
* Licensed under the Academic Free License version 2.1
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*
**************************************************************************/
#ifndef LIBPOLKIT_PRIVILEGE_CACHE_H
#define LIBPOLKIT_PRIVILEGE_CACHE_H
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <glib.h>
#include <libpolkit/libpolkit-privilege.h>
#include <libpolkit/libpolkit-privilege-file-entry.h>
struct PolKitPrivilegeCache;
typedef struct PolKitPrivilegeCache PolKitPrivilegeCache;
PolKitPrivilegeCache *libpolkit_privilege_cache_new (const char *dirname, GError **error);
PolKitPrivilegeCache *libpolkit_privilege_cache_ref (PolKitPrivilegeCache *privilege_cache);
void libpolkit_privilege_cache_unref (PolKitPrivilegeCache *privilege_cache);
void libpolkit_privilege_cache_debug (PolKitPrivilegeCache *privilege_cache);
PolKitPrivilegeFileEntry* libpolkit_privilege_cache_get_entry (PolKitPrivilegeCache *privilege_cache,
PolKitPrivilege *privilege);
#endif /* LIBPOLKIT_PRIVILEGE_CACHE_H */
/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
/***************************************************************************
*
* libpolkit-privilege-default.h : privilege definition for the defaults
*
* Copyright (C) 2007 David Zeuthen, <david@fubar.dk>
*
* Licensed under the Academic Free License version 2.1
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*
**************************************************************************/
#ifndef LIBPOLKIT_PRIVILEGE_DEFAULT_H
#define LIBPOLKIT_PRIVILEGE_DEFAULT_H
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <glib.h>
#include <libpolkit/libpolkit-result.h>
#include <libpolkit/libpolkit-privilege.h>
#include <libpolkit/libpolkit-resource.h>
#include <libpolkit/libpolkit-session.h>
#include <libpolkit/libpolkit-caller.h>
struct PolKitPrivilegeDefault;
typedef struct PolKitPrivilegeDefault PolKitPrivilegeDefault;
PolKitPrivilegeDefault *libpolkit_privilege_default_new (GKeyFile *key_file, const char *privilege, GError **error);
PolKitPrivilegeDefault *libpolkit_privilege_default_ref (PolKitPrivilegeDefault *privilege_default);
void libpolkit_privilege_default_unref (PolKitPrivilegeDefault *privilege_default);
void libpolkit_privilege_default_debug (PolKitPrivilegeDefault *privilege_default);
PolKitResult libpolkit_privilege_default_can_session_access_resource (PolKitPrivilegeDefault *privilege_default,
PolKitPrivilege *privilege,
PolKitResource *resource,
PolKitSession *session);
PolKitResult libpolkit_privilege_default_can_caller_access_resource (PolKitPrivilegeDefault *privilege_default,
PolKitPrivilege *privilege,
PolKitResource *resource,
PolKitCaller *caller);
/* TODO: export knobs for "default policy" */
#endif /* LIBPOLKIT_PRIVILEGE_DEFAULT_H */
/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
/***************************************************************************
*
* libpolkit-privilege-file-entry.c : entries in privilege files
*
* Copyright (C) 2007 David Zeuthen, <david@fubar.dk>
*
* Licensed under the Academic Free License version 2.1
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
**************************************************************************/
#ifdef HAVE_CONFIG_H
# include <config.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <pwd.h>
#include <grp.h>
#include <unistd.h>
#include <errno.h>
#include <glib.h>
#include "libpolkit-error.h"
#include "libpolkit-result.h"
#include "libpolkit-privilege-file-entry.h"
/**
* SECTION:libpolkit-privilege-file-entry