From a82e5148229d1475bccf8cd329e5a8314d163c4f Mon Sep 17 00:00:00 2001
From: Beniamino Galvani
Date: Mon, 1 Aug 2016 17:19:14 +0200
Subject: [PATCH] checkpoint: add audit support

---
 src/nm-audit-manager.c | 2 +-
 src/nm-audit-manager.h | 19 +++++++++++++++++--
 src/nm-manager.c | 33 +++++++++++++++++++-------------
 3 files changed, 37 insertions(+), 17 deletions(-)

diff --git a/src/nm-audit-manager.c b/src/nm-audit-manager.c
index 7096e81934..9e88409624 100644
--- a/src/nm-audit-manager.c
+++ b/src/nm-audit-manager.c
@@ -261,7 +261,7 @@ _nm_audit_manager_log_connection_op (NMAuditManager *self, const char *file, gui
 }
 
 void
-_nm_audit_manager_log_control_op (NMAuditManager *self, const char *file, guint line,
+_nm_audit_manager_log_generic_op (NMAuditManager *self, const char *file, guint line,
 const char *func, const char *op, const char *arg,
 gboolean result, gpointer subject_context,
 const char *reason)
diff --git a/src/nm-audit-manager.h b/src/nm-audit-manager.h
index d304ad2984..a14da5bbb9 100644
--- a/src/nm-audit-manager.h
+++ b/src/nm-audit-manager.h
@@ -64,6 +64,10 @@ typedef struct {
 #define NM_AUDIT_OP_DEVICE_MANAGED "device-managed"
 #define NM_AUDIT_OP_DEVICE_REAPPLY "device-reapply"
 
+#define NM_AUDIT_OP_CHECKPOINT_CREATE "checkpoint-create"
+#define NM_AUDIT_OP_CHECKPOINT_ROLLBACK "checkpoint-rollback"
+#define NM_AUDIT_OP_CHECKPOINT_DESTROY "checkpoint-destroy"
+
 GType nm_audit_manager_get_type (void);
 NMAuditManager *nm_audit_manager_get (void);
 gboolean nm_audit_manager_audit_enabled (NMAuditManager *self);
@@ -84,7 +88,7 @@ gboolean nm_audit_manager_audit_enabled (NMAuditManager *self);
 NMAuditManager *_audit = nm_audit_manager_get (); \
 \
 if (nm_audit_manager_audit_enabled (_audit)) { \
- _nm_audit_manager_log_control_op (_audit, __FILE__, __LINE__, G_STRFUNC, \
+ _nm_audit_manager_log_generic_op (_audit, __FILE__, __LINE__, G_STRFUNC, \
 (op), (arg), (result), (subject_context), (reason)); \
 } \
 } G_STMT_END
@@ -99,18 +103,29 @@ gboolean nm_audit_manager_audit_enabled (NMAuditManager *self);
 } \
 } G_STMT_END
 
+#define nm_audit_log_checkpoint_op(op, arg, result, subject_context, reason) \
+ G_STMT_START { \
+ NMAuditManager *_audit = nm_audit_manager_get (); \
+ \
+ if (nm_audit_manager_audit_enabled (_audit)) { \
+ _nm_audit_manager_log_generic_op (_audit, __FILE__, __LINE__, G_STRFUNC, \
+ (op), (arg), (result), (subject_context), (reason)); \
+ } \
+ } G_STMT_END
+
 void _nm_audit_manager_log_connection_op (NMAuditManager *self, const char *file, guint line,
 const char *func, const char *op, NMSettingsConnection *connection,
 gboolean result, const char *args, gpointer subject_context,
 const char *reason);
-void _nm_audit_manager_log_control_op (NMAuditManager *self, const char *file, guint line,
+void _nm_audit_manager_log_generic_op (NMAuditManager *self, const char *file, guint line,
 const char *func, const char *op, const char *arg,
 gboolean result, gpointer subject_context,
 const char *reason);
 void _nm_audit_manager_log_device_op (NMAuditManager *self, const char *file, guint line,
 const char *func, const char *op, NMDevice *device,
 gboolean result, gpointer subject_context,
 const char *reason);
+
 G_END_DECLS
 
 #endif /* __NM_AUDIT_MANAGER_H__ */
diff --git a/src/nm-manager.c b/src/nm-manager.c
index 9d0a897c09..e94659b029 100644
--- a/src/nm-manager.c
+++ b/src/nm-manager.c
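Review bot: The new `nm_audit_log_checkpoint_op` macro body is, line for line, the same as the body of the existing macro that the hunk at `@@ -84,7 +88,7 @@` patches (presumably `nm_audit_log_control_op`; its `#define` line is outside that hunk), so the header now carries two copies of the same `nm_audit_manager_get ()` / `nm_audit_manager_audit_enabled ()` / `_nm_audit_manager_log_generic_op ()` sequence. Keeping one body and letting the checkpoint name forward to it, e.g. `#define nm_audit_log_checkpoint_op(op, arg, result, subject_context, reason) nm_audit_log_control_op ((op), (arg), (result), (subject_context), (reason))`, avoids the two drifting apart when the generic logger's signature changes again. The added blank line before `G_END_DECLS` looks unintentional.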
@@ -5144,17 +5144,22 @@ checkpoint_auth_done_cb (NMAuthChain *chain,
 {
 NMManager *self = NM_MANAGER (user_data);
 NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (self);
- char *op, *checkpoint_path, **devices;
+ char *op, *checkpoint_path = NULL, **devices;
 NMCheckpoint *checkpoint;
 NMAuthCallResult result;
 guint32 timeout, flags;
 GVariant *variant = NULL;
 GError *error = NULL;
+ const char *arg = NULL;
 
- op = nm_auth_chain_get_data (chain, "op");
+ op = nm_auth_chain_get_data (chain, "audit-op");
 priv->auth_chains = g_slist_remove (priv->auth_chains, chain);
 result = nm_auth_chain_get_result (chain, NM_AUTH_PERMISSION_CHECKPOINT_ROLLBACK);
 
+ if ( nm_streq0 (op, NM_AUDIT_OP_CHECKPOINT_DESTROY)
+ || nm_streq0 (op, NM_AUDIT_OP_CHECKPOINT_ROLLBACK))
+ arg = checkpoint_path = nm_auth_chain_get_data (chain, "checkpoint_path");
+
 if (auth_error) {
 error = g_error_new (NM_MANAGER_ERROR,
 NM_MANAGER_ERROR_PERMISSION_DENIED,
@@ -5165,7 +5170,7 @@ checkpoint_auth_done_cb (NMAuthChain *chain,
 NM_MANAGER_ERROR_PERMISSION_DENIED,
 "Not authorized to checkpoint/rollback");
 } else {
- if (nm_streq0 (op, "create")) {
+ if (nm_streq0 (op, NM_AUDIT_OP_CHECKPOINT_CREATE)) {
 timeout = GPOINTER_TO_UINT (nm_auth_chain_get_data (chain, "timeout"));
 flags = GPOINTER_TO_UINT (nm_auth_chain_get_data (chain, "flags"));
 devices = nm_auth_chain_get_data (chain, "devices");
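Review bot: After the new `if ( nm_streq0 (op, NM_AUDIT_OP_CHECKPOINT_DESTROY) || ...)` block, `arg` is only ever set for destroy and rollback, so a checkpoint-create request that is refused by `auth_error` / `result` or that fails inside `nm_checkpoint_manager_create` reaches the audit call added in the `@@ -5176,28` hunk with `arg ?: ""` empty, and the device list the caller asked to checkpoint never appears in the audit record. Fetching `devices` here as well and setting `arg` for the create op to a joined copy of that list (`g_strjoinv (",", devices)`, freed after the audit call; guard the NULL case, I cannot see from here whether the stored array can be NULL) would let a refused create be attributed to its target, while the success path may keep overwriting `arg` with the checkpoint path as it already does. Separately, the string stored under `"audit-op"` is now both the audit label and the dispatch key; a comment on the `op = nm_auth_chain_get_data (chain, "audit-op");` line such as `/* "audit-op" holds the NM_AUDIT_OP_CHECKPOINT_* name: it labels the audit record and selects the branch below */` makes that coupling explicit. checkpoint_auth_done_cb continues beyond this hunk.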
@@ -5176,28 +5181,28 @@ checkpoint_auth_done_cb (NMAuthChain *chain,
 (NMCheckpointCreateFlags) flags,
 &error);
 if (checkpoint) {
- NMExportedObject *exported;
-
- exported = NM_EXPORTED_OBJECT (checkpoint);
- variant = g_variant_new ("(o)", nm_exported_object_get_path (exported));
+ arg = nm_exported_object_get_path (NM_EXPORTED_OBJECT (checkpoint));
+ variant = g_variant_new ("(o)", arg);
 }
- } else if (nm_streq0 (op, "destroy")) {
- checkpoint_path = nm_auth_chain_get_data (chain, "checkpoint_path");
+ } else if (nm_streq0 (op, NM_AUDIT_OP_CHECKPOINT_DESTROY)) {
 nm_checkpoint_manager_destroy (_checkpoint_mgr_get (self, TRUE),
 checkpoint_path, &error);
- } else if (nm_streq0 (op, "rollback")) {
- checkpoint_path = nm_auth_chain_get_data (chain, "checkpoint_path");
+ } else if (nm_streq0 (op, NM_AUDIT_OP_CHECKPOINT_ROLLBACK)) {
 nm_checkpoint_manager_rollback (_checkpoint_mgr_get (self, TRUE),
 checkpoint_path, &variant, &error);
 } else
 g_return_if_reached ();
 }
 
+ nm_audit_log_checkpoint_op (op, arg ?: "", !error, nm_auth_chain_get_subject (chain),
+ error ? error->message : NULL);
+
 if (error)
 g_dbus_method_invocation_take_error (context, error);
 else
 g_dbus_method_invocation_return_value (context, variant);
+
 nm_auth_chain_unref (chain);
 }
 
@@ -5226,7 +5231,7 @@ impl_manager_checkpoint_create (NMManager *self,
 }
 
 priv->auth_chains = g_slist_append (priv->auth_chains, chain);
- nm_auth_chain_set_data (chain, "op", "create", NULL);
+ nm_auth_chain_set_data (chain, "audit-op", NM_AUDIT_OP_CHECKPOINT_CREATE, NULL);
 nm_auth_chain_set_data (chain, "devices", g_strdupv ((char **) devices), (GDestroyNotify) g_strfreev);
 nm_auth_chain_set_data (chain, "flags", GUINT_TO_POINTER (flags), NULL);
 nm_auth_chain_set_data (chain, "timeout", GUINT_TO_POINTER (rollback_timeout), NULL);
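Review bot: The new `nm_audit_log_checkpoint_op (...)` call sits below the `g_return_if_reached ()` branch, so an unrecognised `op` returns early with no audit record, no reply on `context` and no `nm_auth_chain_unref (chain)`; the first two consequences of that guard are pre-existing, but the missing audit record is new. Since `op` is only ever set by the three impl_manager_checkpoint_* functions in this patch the branch should be unreachable, so this is a robustness remark rather than a live defect; if the guard is kept, turning it into `g_warn_if_reached ()` plus setting `error` and falling through to the common tail would keep the audit trail and the D-Bus reply complete. The ordering of the audit call before `g_dbus_method_invocation_take_error (context, error)` is correct because `error->message` is read before ownership of `error` moves; a one-line comment saying so would stop a later reorder, e.g. `/* audit before take_error: it consumes error */`. The start of checkpoint_auth_done_cb is outside this hunk.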
@@ -5255,7 +5260,7 @@ impl_manager_checkpoint_destroy (NMManager *self,
 }
 
 priv->auth_chains = g_slist_append (priv->auth_chains, chain);
- nm_auth_chain_set_data (chain, "op", "destroy", NULL);
+ nm_auth_chain_set_data (chain, "audit-op", NM_AUDIT_OP_CHECKPOINT_DESTROY, NULL);
 nm_auth_chain_set_data (chain, "checkpoint_path", g_strdup (checkpoint_path), g_free);
 nm_auth_chain_add_call (chain, NM_AUTH_PERMISSION_CHECKPOINT_ROLLBACK, TRUE);
 }
@@ -5282,7 +5287,7 @@ impl_manager_checkpoint_rollback (NMManager *self,
 }
 
 priv->auth_chains = g_slist_append (priv->auth_chains, chain);
- nm_auth_chain_set_data (chain, "op", "rollback", NULL);
+ nm_auth_chain_set_data (chain, "audit-op", NM_AUDIT_OP_CHECKPOINT_ROLLBACK, NULL);
 nm_auth_chain_set_data (chain, "checkpoint_path", g_strdup (checkpoint_path), g_free);
 nm_auth_chain_add_call (chain, NM_AUTH_PERMISSION_CHECKPOINT_ROLLBACK, TRUE);
 }