From 49d098f29d7a0bf98e7fbecc4febf48d912e095b Mon Sep 17 00:00:00 2001 From: Dan Williams Date: Thu, 25 Jul 2013 22:53:43 -0500 Subject: [PATCH] core: add NMAuthSubject object to encapsulate authentication info This object encapsulates all authentication information we need about some entity that requests that NetworkManager perform an action on its behalf. --- src/Makefile.am | 2 + src/devices/wimax/Makefile.am | 1 + src/nm-auth-subject.c | 210 ++++++++++++++++++++++++++++++++++ src/nm-auth-subject.h | 68 +++++++++++ 4 files changed, 281 insertions(+) create mode 100644 src/nm-auth-subject.c create mode 100644 src/nm-auth-subject.h diff --git a/src/Makefile.am b/src/Makefile.am index 3a64a8f7d9..bcac9ac300 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -248,6 +248,8 @@ nm_sources = \ nm-ip6-config.h \ nm-manager-auth.c \ nm-manager-auth.h \ + nm-auth-subject.c \ + nm-auth-subject.h \ nm-manager.c \ nm-manager.h \ nm-netlink-monitor.c \ diff --git a/src/devices/wimax/Makefile.am b/src/devices/wimax/Makefile.am index 80a93b5be7..f6bd1e9e71 100644 --- a/src/devices/wimax/Makefile.am +++ b/src/devices/wimax/Makefile.am @@ -9,6 +9,7 @@ AM_CPPFLAGS = \ -I${top_builddir}/libnm-util \ -I${top_srcdir}/libnm-util \ $(DBUS_CFLAGS) \ + $(POLKIT_CFLAGS) \ $(IWMX_SDK_CFLAGS) \ $(LIBNL_CFLAGS) \ $(GUDEV_CFLAGS) diff --git a/src/nm-auth-subject.c b/src/nm-auth-subject.c new file mode 100644 index 0000000000..66c0d4e63e --- /dev/null +++ b/src/nm-auth-subject.c @@ -0,0 +1,210 @@ +/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */ +/* NetworkManager -- Network link manager + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2013 Red Hat, Inc. + */ + +/** + * SECTION:nm-auth-subject + * @short_description: Encapsulates authentication information about a requestor + * + * #NMAuthSubject encpasulates identifying information about an entity that + * makes requests, like process identifier and user UID. + */ + +#include +#include +#include +#include +#include + +#if WITH_POLKIT +#include +#endif + +#include "nm-auth-subject.h" +#include "nm-dbus-manager.h" + +G_DEFINE_TYPE (NMAuthSubject, nm_auth_subject, G_TYPE_OBJECT) + +#define NM_AUTH_SUBJECT_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), NM_TYPE_AUTH_SUBJECT, NMAuthSubjectPrivate)) + +typedef struct { + gulong pid; + gulong uid; + char *dbus_sender; + +#if WITH_POLKIT + PolkitSubject *pk_subject; +#endif +} NMAuthSubjectPrivate; + +static NMAuthSubject * +_new_common (DBusGMethodInvocation *context, + DBusConnection *connection, + DBusMessage *message, + gboolean internal) +{ + NMAuthSubject *subject; + NMAuthSubjectPrivate *priv; + NMDBusManager *dbus_mgr; + gboolean success = FALSE; + + g_return_val_if_fail (context || (connection && message) || internal, NULL); + if (internal) + g_return_val_if_fail (context == NULL && connection == NULL && message == NULL, NULL); + + subject = NM_AUTH_SUBJECT (g_object_new (NM_TYPE_AUTH_SUBJECT, NULL)); + priv = NM_AUTH_SUBJECT_GET_PRIVATE (subject); + + dbus_mgr = nm_dbus_manager_get (); + + if (internal) { + priv->uid = 0; + priv->pid = 0; + return subject; + } + + if (context) { + success = nm_dbus_manager_get_caller_info (dbus_mgr, + context, + &priv->dbus_sender, + &priv->uid, + &priv->pid); + } else if (message) { + success = nm_dbus_manager_get_caller_info_from_message (dbus_mgr, + connection, + message, + &priv->dbus_sender, + &priv->uid, + &priv->pid); + } else + g_assert_not_reached (); + + if (!success) { + g_object_unref (subject); + return NULL; + } + + g_assert (priv->dbus_sender); + g_assert_cmpuint (priv->pid, !=, 0); + +#if WITH_POLKIT + /* FIXME: should we use polkit_unix_session_new() to store the session ID + * of a short-lived process, so that the process can exit but we can still + * ask that user for authorization? + */ + priv->pk_subject = polkit_unix_process_new_for_owner (priv->pid, 0, priv->uid); + if (!priv->pk_subject) + return NULL; +#endif + + return subject; +} + + +NMAuthSubject * +nm_auth_subject_new_from_context (DBusGMethodInvocation *context) +{ + return _new_common (context, NULL, NULL, FALSE); +} + +NMAuthSubject * +nm_auth_subject_new_from_message (DBusConnection *connection, + DBusMessage *message) +{ + return _new_common (NULL, connection, message, FALSE); +} + +/** + * nm_auth_subject_new_internal(): + * + * Creates a new auth subject representing the NetworkManager process itself. + * + * Returns: the new #NMAuthSubject + */ +NMAuthSubject * +nm_auth_subject_new_internal (void) +{ + return _new_common (NULL, NULL, NULL, TRUE); +} + +/**************************************************************/ + +gulong +nm_auth_subject_get_uid (NMAuthSubject *subject) +{ + return NM_AUTH_SUBJECT_GET_PRIVATE (subject)->uid; +} + +const char * +nm_auth_subject_get_dbus_sender (NMAuthSubject *subject) +{ + return NM_AUTH_SUBJECT_GET_PRIVATE (subject)->dbus_sender; +} + +gboolean +nm_auth_subject_get_internal (NMAuthSubject *subject) +{ + /* internal requests will have no dbus sender */ + return NM_AUTH_SUBJECT_GET_PRIVATE (subject)->dbus_sender ? FALSE : TRUE; +} + +#if WITH_POLKIT +PolkitSubject * +nm_auth_subject_get_polkit_subject (NMAuthSubject *subject) +{ + return NM_AUTH_SUBJECT_GET_PRIVATE (subject)->pk_subject; +} +#endif + +/******************************************************************/ + +static void +nm_auth_subject_init (NMAuthSubject *self) +{ + NMAuthSubjectPrivate *priv = NM_AUTH_SUBJECT_GET_PRIVATE (self); + + priv->pid = G_MAXULONG; + priv->uid = G_MAXULONG; +} + +static void +finalize (GObject *object) +{ + NMAuthSubjectPrivate *priv = NM_AUTH_SUBJECT_GET_PRIVATE (object); + + g_free (priv->dbus_sender); + +#if WITH_POLKIT + if (priv->pk_subject) + g_object_unref (priv->pk_subject); +#endif + + G_OBJECT_CLASS (nm_auth_subject_parent_class)->finalize (object); +} + +static void +nm_auth_subject_class_init (NMAuthSubjectClass *config_class) +{ + GObjectClass *object_class = G_OBJECT_CLASS (config_class); + + g_type_class_add_private (config_class, sizeof (NMAuthSubjectPrivate)); + + /* virtual methods */ + object_class->finalize = finalize; +} diff --git a/src/nm-auth-subject.h b/src/nm-auth-subject.h new file mode 100644 index 0000000000..8f049a8405 --- /dev/null +++ b/src/nm-auth-subject.h @@ -0,0 +1,68 @@ +/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */ +/* NetworkManager -- Network link manager + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2013 Red Hat, Inc. + */ + +#ifndef NM_AUTH_SUBJECT_H +#define NM_AUTH_SUBJECT_H + +#include +#include +#include +#include +#include + +#if WITH_POLKIT +#include +#endif + +#define NM_TYPE_AUTH_SUBJECT (nm_auth_subject_get_type ()) +#define NM_AUTH_SUBJECT(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_AUTH_SUBJECT, NMAuthSubject)) +#define NM_AUTH_SUBJECT_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), NM_TYPE_AUTH_SUBJECT, NMAuthSubjectClass)) +#define NM_IS_AUTH_SUBJECT(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), NM_TYPE_AUTH_SUBJECT)) +#define NM_IS_AUTH_SUBJECT_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((klass), NM_TYPE_AUTH_SUBJECT)) +#define NM_AUTH_SUBJECT_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS ((obj), NM_TYPE_AUTH_SUBJECT, NMAuthSubjectClass)) + +typedef struct { + GObject parent; +} NMAuthSubject; + +typedef struct { + GObjectClass parent; + +} NMAuthSubjectClass; + +GType nm_auth_subject_get_type (void); + +NMAuthSubject *nm_auth_subject_new_from_context (DBusGMethodInvocation *context); + +NMAuthSubject *nm_auth_subject_new_from_message (DBusConnection *connection, DBusMessage *message); + +NMAuthSubject *nm_auth_subject_new_internal (void); + +gulong nm_auth_subject_get_uid (NMAuthSubject *subject); + +const char *nm_auth_subject_get_dbus_sender (NMAuthSubject *subject); + +gboolean nm_auth_subject_get_internal (NMAuthSubject *subject); + +#if WITH_POLKIT +PolkitSubject *nm_auth_subject_get_polkit_subject (NMAuthSubject *subject); +#endif + +#endif /* NM_AUTH_SUBJECT_H */