plugins/session_policy_local.c

   1 /*
   2  *
   3  *  Connection Manager
   4  *
   5  *  Copyright (C) 2012  BMW Car IT GbmH. All rights reserved.
   6  *
   7  *  This program is free software; you can redistribute it and/or modify
   8  *  it under the terms of the GNU General Public License version 2 as
   9  *  published by the Free Software Foundation.
  10  *
  11  *  This program is distributed in the hope that it will be useful,
  12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  *  GNU General Public License for more details.
  15  *
  16  *  You should have received a copy of the GNU General Public License
  17  *  along with this program; if not, write to the Free Software
  18  *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
  19  *
  20  */
  21
  22 #ifdef HAVE_CONFIG_H
  23 #include <config.h>
  24 #endif
  25
  26 #include <errno.h>
  27 #include <string.h>
  28 #include <sys/inotify.h>
  29 #include <sys/stat.h>
  30
  31 #include <glib.h>
  32
  33 #include <gdbus.h>
  34
  35 #define CONNMAN_API_SUBJECT_TO_CHANGE
  36 #include <connman/plugin.h>
  37 #include <connman/log.h>
  38 #include <connman/session.h>
  39 #include <connman/dbus.h>
  40 #include <connman/inotify.h>
  41
  42 #define POLICYDIR STORAGEDIR "/session_policy_local"
  43
  44 #define MODE            (S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | \
  45                         S_IXGRP | S_IROTH | S_IXOTH)
  46
  47 static DBusConnection *connection;
  48
  49 static GHashTable *policy_hash;
  50 static GHashTable *session_hash;
  51
  52 struct create_data {
  53         struct connman_session *session;
  54 };
  55
  56 struct policy_data {
  57         int refcount;
  58         char *ident;
  59
  60         struct connman_session *session;
  61         struct connman_session_config *config;
  62 };
  63
  64 static void cleanup_policy(gpointer user_data)
  65 {
  66         struct policy_data *policy = user_data;
  67
  68         if (policy->config != NULL)
  69                 g_slist_free(policy->config->allowed_bearers);
  70
  71         g_free(policy->ident);
  72         g_free(policy->config);
  73         g_free(policy);
  74 }
  75
  76 static char *parse_selinux_type(const char *context)
  77 {
  78         char *ident, **tokens;
  79
  80         /*
  81          * SELinux combines Role-Based Access Control (RBAC), Type
  82          * Enforcment (TE) and optionally Multi-Level Security (MLS).
  83          *
  84          * When SELinux is enabled all processes and files are labeled
  85          * with a contex that contains information such as user, role
  86          * type (and optionally a level). E.g.
  87          *
  88          * $ ls -Z
  89          * -rwxrwxr-x. wagi wagi unconfined_u:object_r:haifux_exec_t:s0 session_ui.py
  90          *
  91          * For identifyng application we (ab)using the type
  92          * information. In the above example the haifux_exec_t type
  93          * will be transfered to haifux_t as defined in the domain
  94          * transition and thus we are able to identify the application
  95          * as haifux_t.
  96          */
  97
  98         tokens = g_strsplit(context, ":", 0);
  99         if (g_strv_length(tokens) < 2) {
 100                 g_strfreev(tokens);
 101                 return NULL;
 102         }
 103
 104         /* Use the SELinux type as identification token. */
 105         ident = g_strdup(tokens[2]);
 106
 107         g_strfreev(tokens);
 108
 109         return ident;
 110 }
 111
 112 static struct policy_data *create_policy(const char *ident)
 113 {
 114         struct policy_data *policy;
 115
 116         DBG("ident %s", ident);
 117
 118         policy = g_new0(struct policy_data, 1);
 119         policy->refcount = 1;
 120
 121         policy->config = connman_session_create_default_config();
 122         policy->ident = g_strdup(ident);
 123
 124         g_hash_table_replace(policy_hash, policy->ident, policy);
 125
 126         return policy;
 127 }
 128
 129 static struct policy_data *policy_ref(struct policy_data *policy)
 130 {
 131         DBG("%p %s ref %d", policy, policy->ident, policy->refcount + 1);
 132
 133         __sync_fetch_and_add(&policy->refcount, 1);
 134
 135         return policy;
 136 }
 137
 138 static void policy_unref(struct policy_data *policy)
 139 {
 140         DBG(" %p %s ref %d", policy, policy->ident, policy->refcount - 1);
 141
 142         if (__sync_fetch_and_sub(&policy->refcount, 1) != 1)
 143                 return;
 144
 145         g_hash_table_remove(policy_hash, policy->ident);
 146 };
 147
 148 static void selinux_context_reply(const unsigned char *context, void *user_data,
 149                                         int err)
 150 {
 151         struct cb_data *cbd = user_data;
 152         connman_session_config_func_t cb = cbd->cb;
 153         struct create_data *data = cbd->data;
 154         struct policy_data *policy;
 155         struct connman_session_config *config = NULL;
 156         char *ident = NULL;
 157
 158         DBG("session %p", data->session);
 159
 160         if (err < 0)
 161                 goto done;
 162
 163         DBG("SELinux context %s", context);
 164
 165         ident = parse_selinux_type((const char*)context);
 166         if (ident == NULL) {
 167                 err = -EINVAL;
 168                 goto done;
 169         }
 170
 171         policy = g_hash_table_lookup(policy_hash, ident);
 172         if (policy != NULL) {
 173                 policy_ref(policy);
 174                 policy->session = data->session;
 175         } else
 176                 policy = create_policy(ident);
 177
 178         g_hash_table_replace(session_hash, data->session, policy);
 179         config = policy->config;
 180
 181 done:
 182         (*cb)(data->session, config, cbd->user_data, err);
 183
 184         g_free(cbd);
 185         g_free(data);
 186         g_free(ident);
 187 }
 188
 189 static int policy_local_create(struct connman_session *session,
 190                                 connman_session_config_func_t cb,
 191                                 void *user_data)
 192 {
 193         struct cb_data *cbd = cb_data_new(cb, user_data);
 194         struct create_data *data;
 195         const char *owner;
 196         int err;
 197
 198         DBG("session %p", session);
 199
 200         data = g_new0(struct create_data, 1);
 201         cbd->data = data;
 202
 203         data->session = session;
 204
 205         owner = connman_session_get_owner(session);
 206
 207         err = connman_dbus_get_selinux_context(connection, owner,
 208                                         selinux_context_reply,
 209                                         cbd);
 210         if (err < 0) {
 211                 connman_error("Could not get SELinux context");
 212                 g_free(data);
 213                 g_free(cbd);
 214                 return err;
 215         }
 216
 217         return 0;
 218 }
 219
 220 static void policy_local_destroy(struct connman_session *session)
 221 {
 222         struct policy_data *policy;
 223
 224         DBG("session %p", session);
 225
 226         policy = g_hash_table_lookup(session_hash, session);
 227         if (policy == NULL)
 228                 return;
 229
 230         g_hash_table_remove(session_hash, session);
 231         policy->session = NULL;
 232         policy_unref(policy);
 233 }
 234
 235 static struct connman_session_policy session_policy_local = {
 236         .name = "session local policy configuration",
 237         .priority = CONNMAN_SESSION_POLICY_PRIORITY_DEFAULT,
 238         .create = policy_local_create,
 239         .destroy = policy_local_destroy,
 240 };
 241
 242 static int load_keyfile(const char *pathname, GKeyFile **keyfile)
 243 {
 244         GError *error = NULL;
 245         int err;
 246
 247         DBG("Loading %s", pathname);
 248
 249         *keyfile = g_key_file_new();
 250
 251         if (g_key_file_load_from_file(*keyfile, pathname, 0, &error) == FALSE)
 252                 goto err;
 253
 254         return 0;
 255
 256 err:
 257         /*
 258          * The fancy G_FILE_ERROR_* codes are identical to the native
 259          * error codes.
 260          */
 261         err = -error->code;
 262
 263         DBG("Unable to load %s: %s", pathname, error->message);
 264         g_clear_error(&error);
 265
 266         g_key_file_free(*keyfile);
 267         *keyfile = NULL;
 268
 269         return err;
 270 }
 271
 272 static int load_policy(struct policy_data *policy)
 273 {
 274         struct connman_session_config *config = policy->config;
 275         GKeyFile *keyfile;
 276         char *pathname;
 277         char *str, **tokens;
 278         int i, err = 0;
 279
 280         connman_session_set_default_config(config);
 281
 282         pathname = g_strdup_printf("%s/%s", POLICYDIR, policy->ident);
 283
 284         err = load_keyfile(pathname, &keyfile);
 285         if (err < 0) {
 286                 g_free(pathname);
 287
 288                 if (err == -ENOENT) {
 289                         /* Ignore empty files */
 290                         return 0;
 291                 }
 292
 293                 return err;
 294         }
 295
 296         config->priority = g_key_file_get_boolean(keyfile, "Default",
 297                                                 "Priority", NULL);
 298
 299         str = g_key_file_get_string(keyfile, "Default", "RoamingPolicy",
 300                                 NULL);
 301         if (str != NULL) {
 302                 config->roaming_policy = connman_session_parse_roaming_policy(str);
 303                 g_free(str);
 304         }
 305
 306         str = g_key_file_get_string(keyfile, "Default", "ConnectionType",
 307                                 NULL);
 308         if (str != NULL) {
 309                 config->type = connman_session_parse_connection_type(str);
 310                 g_free(str);
 311         }
 312
 313         config->ecall = g_key_file_get_boolean(keyfile, "Default",
 314                                                 "EmergencyCall", NULL);
 315
 316         str = g_key_file_get_string(keyfile, "Default", "AllowedBearers",
 317                                 NULL);
 318
 319         if (str != NULL) {
 320                 g_slist_free(config->allowed_bearers);
 321                 config->allowed_bearers = NULL;
 322
 323                 tokens = g_strsplit(str, " ", 0);
 324
 325                 for (i = 0; tokens[i] != NULL; i++) {
 326                         err = connman_session_parse_bearers(tokens[i],
 327                                         &config->allowed_bearers);
 328                         if (err < 0)
 329                                 break;
 330                 }
 331
 332                 g_free(str);
 333                 g_strfreev(tokens);
 334         }
 335
 336         g_key_file_free(keyfile);
 337         g_free(pathname);
 338
 339         return err;
 340 }
 341
 342 static void update_session(struct connman_session *session)
 343 {
 344         if (connman_session_config_update(session) < 0)
 345                 connman_session_destroy(session);
 346 }
 347
 348 static void remove_policy(struct policy_data *policy)
 349 {
 350         connman_bool_t update = FALSE;
 351
 352         if (policy->session != NULL)
 353                 update = TRUE;
 354
 355         policy_unref(policy);
 356
 357         if (update == FALSE)
 358                 return;
 359
 360         connman_session_set_default_config(policy->config);
 361         update_session(policy->session);
 362 }
 363
 364 static void notify_handler(struct inotify_event *event,
 365                                         const char *ident)
 366 {
 367         struct policy_data *policy;
 368         int err;
 369
 370         if (ident == NULL)
 371                 return;
 372
 373         policy = g_hash_table_lookup(policy_hash, ident);
 374
 375         if (event->mask & (IN_CREATE | IN_MOVED_TO)) {
 376                 connman_info("Policy added for '%s'", ident);
 377
 378                 if (policy != NULL)
 379                         policy_ref(policy);
 380                 else
 381                         policy = create_policy(ident);
 382
 383                 err = load_policy(policy);
 384                 if (err < 0) {
 385                         connman_warn("Loading policy file '%s' failed with %s",
 386                                         ident, strerror(-err));
 387                         return;
 388                 }
 389         }
 390
 391         if (policy == NULL)
 392                 return;
 393
 394         if (event->mask & IN_MODIFY) {
 395                 connman_info("Policy modifed for '%s'", ident);
 396
 397                 err = load_policy(policy);
 398                 if (err < 0) {
 399                         connman_warn("Loading policy file '%s' failed with %s",
 400                                         ident, strerror(-err));
 401                         return;
 402                 }
 403         }
 404
 405         if (event->mask & (IN_DELETE | IN_MOVED_FROM)) {
 406                 connman_info("Policy deleted for '%s'", ident);
 407
 408                 remove_policy(policy);
 409                 return;
 410         }
 411
 412         if (policy->session != NULL)
 413                 update_session(policy->session);
 414 }
 415
 416 static int read_policies(void)
 417 {
 418         GDir *dir;
 419         int err = 0;
 420
 421         DBG("");
 422
 423         dir = g_dir_open(POLICYDIR, 0, NULL);
 424         if (dir != NULL) {
 425                 const gchar *file;
 426
 427                 while ((file = g_dir_read_name(dir)) != NULL) {
 428                         struct policy_data *policy;
 429
 430                         policy = create_policy(file);
 431                         err = load_policy(policy);
 432                         if (err < 0)
 433                                 break;
 434                 }
 435
 436                 g_dir_close(dir);
 437         }
 438
 439         return err;
 440 }
 441
 442 static int session_policy_local_init(void)
 443 {
 444         int err;
 445
 446         /* If the dir doesn't exist, create it */
 447         if (g_file_test(POLICYDIR, G_FILE_TEST_IS_DIR) == FALSE) {
 448                 if (mkdir(POLICYDIR, MODE) < 0) {
 449                         if (errno != EEXIST)
 450                                 return -errno;
 451                 }
 452         }
 453
 454         connection = connman_dbus_get_connection();
 455         if (connection == NULL)
 456                 return -EIO;
 457
 458         session_hash = g_hash_table_new_full(g_direct_hash, g_direct_equal,
 459                                                 NULL, NULL);
 460         policy_hash = g_hash_table_new_full(g_str_hash, g_str_equal,
 461                                         NULL, cleanup_policy);
 462
 463         err = connman_inotify_register(POLICYDIR, notify_handler);
 464         if (err < 0)
 465                 goto err;
 466
 467         err = read_policies();
 468         if (err < 0)
 469                 goto err_notify;
 470
 471         err = connman_session_policy_register(&session_policy_local);
 472         if (err < 0)
 473                 goto err_notify;
 474
 475         return 0;
 476
 477 err_notify:
 478
 479         connman_inotify_unregister(POLICYDIR, notify_handler);
 480
 481 err:
 482         if (session_hash != NULL)
 483                 g_hash_table_destroy(session_hash);
 484         if (policy_hash != NULL)
 485                 g_hash_table_destroy(policy_hash);
 486
 487         connman_session_policy_unregister(&session_policy_local);
 488
 489         dbus_connection_unref(connection);
 490
 491         return err;
 492 }
 493
 494 static void session_policy_local_exit(void)
 495 {
 496         g_hash_table_destroy(session_hash);
 497         g_hash_table_destroy(policy_hash);
 498
 499         connman_session_policy_unregister(&session_policy_local);
 500
 501         dbus_connection_unref(connection);
 502
 503         connman_inotify_unregister(POLICYDIR, notify_handler);
 504 }
 505
 506 CONNMAN_PLUGIN_DEFINE(session_policy_local,
 507                 "Session local file policy configuration plugin",
 508                 VERSION, CONNMAN_PLUGIN_PRIORITY_DEFAULT,
 509                 session_policy_local_init, session_policy_local_exit)