diff options
Diffstat (limited to 'meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0007-Switch-from-cynara-to-cynagora.patch')
-rw-r--r-- | meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0007-Switch-from-cynara-to-cynagora.patch | 1048 |
1 files changed, 0 insertions, 1048 deletions
diff --git a/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0007-Switch-from-cynara-to-cynagora.patch b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0007-Switch-from-cynara-to-cynagora.patch deleted file mode 100644 index 7a69efcd2..000000000 --- a/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0007-Switch-from-cynara-to-cynagora.patch +++ /dev/null @@ -1,1048 +0,0 @@ -From 43cc361a5c32c81c0f93451bdb0ef781cd19a1cb Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> -Date: Tue, 4 Feb 2020 12:23:36 +0100 -Subject: [PATCH 7/8] Switch from cynara to cynagora -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: José Bollo <jose.bollo@iot.bzh> ---- - bus/Makefile.am | 8 +- - bus/bus.h | 2 +- - bus/check.c | 26 +- - bus/check.h | 2 +- - bus/connection.c | 27 --- - bus/connection.h | 3 - - bus/cynagora-check.c | 330 +++++++++++++++++++++++++ - bus/{cynara.h => cynagora-check.h} | 10 +- - bus/cynara.c | 373 ----------------------------- - bus/system.conf.in | 6 +- - configure.ac | 18 +- - 11 files changed, 366 insertions(+), 439 deletions(-) - create mode 100644 bus/cynagora-check.c - rename bus/{cynara.h => cynagora-check.h} (81%) - delete mode 100644 bus/cynara.c - -diff --git a/bus/Makefile.am b/bus/Makefile.am -index 2a8a72c..1720048 100644 ---- a/bus/Makefile.am -+++ b/bus/Makefile.am -@@ -13,7 +13,7 @@ DBUS_BUS_LIBS = \ - $(THREAD_LIBS) \ - $(ADT_LIBS) \ - $(NETWORK_libs) \ -- $(CYNARA_LIBS) \ -+ $(CYNAGORA_LIBS) \ - $(NULL) - - DBUS_LAUNCHER_LIBS = \ -@@ -31,7 +31,7 @@ AM_CPPFLAGS = \ - $(APPARMOR_CFLAGS) \ - -DDBUS_SYSTEM_CONFIG_FILE=\""$(dbusdatadir)/system.conf"\" \ - -DDBUS_COMPILATION \ -- $(CYNARA_CFLAGS) \ -+ $(CYNAGORA_CFLAGS) \ - $(NULL) - - # if assertions are enabled, improve backtraces -@@ -101,8 +101,8 @@ BUS_SOURCES= \ - config-parser-common.h \ - connection.c \ - connection.h \ -- cynara.c \ -- cynara.h \ -+ cynagora-check.c \ -+ cynagora-check.h \ - desktop-file.c \ - desktop-file.h \ - $(DIR_WATCH_SOURCE) \ -diff --git a/bus/bus.h b/bus/bus.h -index 1b08f7c..e167d9e 100644 ---- a/bus/bus.h -+++ b/bus/bus.h -@@ -47,7 +47,7 @@ typedef struct BusMatchRule BusMatchRule; - typedef struct BusActivationEntry BusActivationEntry; - typedef struct BusCheck BusCheck; - typedef struct BusDeferredMessage BusDeferredMessage; --typedef struct BusCynara BusCynara; -+typedef struct BusCynagora BusCynagora; - - /** - * BusResult is defined as a pointer to a dummy structure to allow detection of type mismatches. -diff --git a/bus/check.c b/bus/check.c -index b73d08b..ec30770 100644 ---- a/bus/check.c -+++ b/bus/check.c -@@ -26,7 +26,7 @@ - #include "check.h" - #include "connection.h" - #include "dispatch.h" --#include "cynara.h" -+#include "cynagora-check.h" - #include "utils.h" - #include <dbus/dbus-connection-internal.h> - #include <dbus/dbus-message-internal.h> -@@ -38,7 +38,7 @@ typedef struct BusCheck - int refcount; - - BusContext *context; -- BusCynara *cynara; -+ BusCynagora *cynagora; - } BusCheck; - - typedef struct BusDeferredMessage -@@ -81,7 +81,7 @@ bus_check_new (BusContext *context, DBusError *error) - - check->refcount = 1; - check->context = context; -- check->cynara = bus_cynara_new(check, error); -+ check->cynagora = bus_cynagora_new(check, error); - if (dbus_error_is_set(error)) - { - dbus_message_free_data_slot(&deferred_message_data_slot); -@@ -110,7 +110,7 @@ bus_check_unref (BusCheck *check) - - if (check->refcount == 0) - { -- bus_cynara_unref(check->cynara); -+ bus_cynagora_unref(check->cynagora); - dbus_message_free_data_slot(&deferred_message_data_slot); - dbus_free(check); - } -@@ -122,10 +122,10 @@ bus_check_get_context (BusCheck *check) - return check->context; - } - --BusCynara * --bus_check_get_cynara (BusCheck *check) -+BusCynagora * -+bus_check_get_cynagora (BusCheck *check) - { -- return check->cynara; -+ return check->cynagora; - } - - static void -@@ -276,8 +276,8 @@ bus_check_privilege (BusCheck *check, - { - BusDeferredMessage *previous_deferred_message; - BusResult result = BUS_RESULT_FALSE; --#ifdef DBUS_ENABLE_CYNARA -- BusCynara *cynara; -+#ifdef DBUS_ENABLE_CYNAGORA -+ BusCynagora *cynagora; - #endif - DBusConnection *connection; - -@@ -304,7 +304,7 @@ bus_check_privilege (BusCheck *check, - * Message has been deferred due to receive or own rule which means that sending this message - * is allowed - it must have been checked previously. - * This might happen when client calls RequestName method which depending on security -- * policy might result in both "can_send" and "can_own" Cynara checks. -+ * policy might result in both "can_send" and "can_own" Cynagora checks. - */ - result = BUS_RESULT_TRUE; - } -@@ -327,9 +327,9 @@ bus_check_privilege (BusCheck *check, - else - { - /* ask policy checkers */ --#ifdef DBUS_ENABLE_CYNARA -- cynara = bus_check_get_cynara(check); -- result = bus_cynara_check_privilege(cynara, message, sender, addressed_recipient, -+#ifdef DBUS_ENABLE_CYNAGORA -+ cynagora = bus_check_get_cynagora(check); -+ result = bus_cynagora_check_privilege(cynagora, message, sender, addressed_recipient, - proposed_recipient, privilege, check_type, deferred_message); - #endif - if (result == BUS_RESULT_LATER && deferred_message != NULL) -diff --git a/bus/check.h b/bus/check.h -index d718a69..ab63c18 100644 ---- a/bus/check.h -+++ b/bus/check.h -@@ -45,7 +45,7 @@ BusCheck *bus_check_ref (BusCheck *check); - void bus_check_unref (BusCheck *check); - - BusContext *bus_check_get_context (BusCheck *check); --BusCynara *bus_check_get_cynara (BusCheck *check); -+BusCynagora *bus_check_get_cynagora (BusCheck *check); - BusResult bus_check_privilege (BusCheck *check, - DBusMessage *message, - DBusConnection *sender, -diff --git a/bus/connection.c b/bus/connection.c -index b520d57..48910e0 100644 ---- a/bus/connection.c -+++ b/bus/connection.c -@@ -38,10 +38,6 @@ - #include <dbus/dbus-connection-internal.h> - #include <dbus/dbus-internals.h> - #include <dbus/dbus-message-internal.h> --#ifdef DBUS_ENABLE_CYNARA --#include <stdlib.h> --#include <cynara-session.h> --#endif - - /* Trim executed commands to this length; we want to keep logs readable */ - #define MAX_LOG_COMMAND_LEN 50 -@@ -124,9 +120,6 @@ typedef struct - - /** non-NULL if and only if this is a monitor */ - DBusList *link_in_monitors; --#ifdef DBUS_ENABLE_CYNARA -- char *cynara_session_id; --#endif - } BusConnectionData; - - static dbus_bool_t bus_pending_reply_expired (BusExpireList *list, -@@ -461,10 +454,6 @@ free_connection_data (void *data) - - dbus_free (d->name); - --#ifdef DBUS_ENABLE_CYNARA -- free (d->cynara_session_id); --#endif -- - dbus_free (d); - } - -@@ -1095,22 +1084,6 @@ bus_connection_get_policy (DBusConnection *connection) - return d->policy; - } - --#ifdef DBUS_ENABLE_CYNARA --const char *bus_connection_get_cynara_session_id (DBusConnection *connection) --{ -- BusConnectionData *d = BUS_CONNECTION_DATA (connection); -- _dbus_assert (d != NULL); -- -- if (d->cynara_session_id == NULL) -- { -- unsigned long pid; -- if (dbus_connection_get_unix_process_id(connection, &pid)) -- d->cynara_session_id = cynara_session_from_pid(pid); -- } -- return d->cynara_session_id; --} --#endif -- - static dbus_bool_t - foreach_active (BusConnections *connections, - BusConnectionForeachFunction function, -diff --git a/bus/connection.h b/bus/connection.h -index 6af7bf1..3116bcf 100644 ---- a/bus/connection.h -+++ b/bus/connection.h -@@ -138,9 +138,6 @@ dbus_bool_t bus_connection_be_monitor (DBusConnection *connection, - BusTransaction *transaction, - DBusList **rules, - DBusError *error); --#ifdef DBUS_ENABLE_CYNARA --const char *bus_connection_get_cynara_session_id (DBusConnection *connection); --#endif - - /* transaction API so we can send or not send a block of messages as a whole */ - -diff --git a/bus/cynagora-check.c b/bus/cynagora-check.c -new file mode 100644 -index 0000000..6c0c635 ---- /dev/null -+++ b/bus/cynagora-check.c -@@ -0,0 +1,330 @@ -+/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */ -+/* cynagora.c Cynagora runtime privilege checking -+ * -+ * Copyright (c) 2014 Samsung Electronics, Ltd. -+ * -+ * Licensed under the Academic Free License version 2.1 -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 2 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -+ * -+ */ -+ -+#include <config.h> -+#include "cynagora-check.h" -+#include "check.h" -+#include "utils.h" -+ -+#include <stdlib.h> -+#include <stdio.h> -+#include <errno.h> -+ -+#include <dbus/dbus.h> -+#include <dbus/dbus-watch.h> -+#include <dbus/dbus-connection-internal.h> -+#include <bus/connection.h> -+ -+#ifndef DBUS_ENABLE_CYNAGORA -+ -+BusCynagora * -+bus_cynagora_new(BusCheck *check, DBusError *error) -+{ -+ return NULL; -+} -+ -+BusCynagora * -+bus_cynagora_ref (BusCynagora *cynagora) -+{ -+ return NULL; -+} -+ -+void -+bus_cynagora_unref (BusCynagora *cynagora) -+{ -+} -+ -+BusResult -+bus_cynagora_check_privilege (BusCynagora *cynagora, -+ DBusMessage *message, -+ DBusConnection *sender, -+ DBusConnection *addressed_recipient, -+ DBusConnection *proposed_recipient, -+ const char *privilege, -+ BusDeferredMessageStatus check_type, -+ BusDeferredMessage **deferred_message_param) -+{ -+ return BUS_RESULT_FALSE; -+} -+ -+#endif -+ -+#ifdef DBUS_ENABLE_CYNAGORA -+ -+#include <time.h> -+#include <sys/epoll.h> -+ -+#include <cynagora.h> -+ -+#ifndef CYNAGORA_CACHE_SIZE -+#define CYNAGORA_CACHE_SIZE 8000 -+#endif -+ -+typedef struct BusCynagora -+{ -+ int refcount; -+ -+ BusContext *context; -+ BusCheck *check; -+ cynagora_t *cynagora; -+ DBusWatch *cynagora_watch; -+} BusCynagora; -+ -+static int async_callback(void *closure, -+ int op, -+ int fd, -+ uint32_t events); -+ -+BusCynagora * -+bus_cynagora_new(BusCheck *check, DBusError *error) -+{ -+ BusContext *context; -+ BusCynagora *cynagora; -+ int ret; -+ -+ cynagora = dbus_new(BusCynagora, 1); -+ if (cynagora == NULL) -+ { -+ BUS_SET_OOM(error); -+ return NULL; -+ } -+ -+ context = bus_check_get_context(check); -+ -+ cynagora->refcount = 1; -+ cynagora->check = check; -+ cynagora->context = context; -+ cynagora->cynagora_watch = NULL; -+ -+ ret = cynagora_create(&cynagora->cynagora, cynagora_Check, CYNAGORA_CACHE_SIZE, NULL); -+ if (ret < 0) -+ { -+ dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to create Cynagora configuration"); -+ } -+ else -+ { -+ ret = cynagora_async_setup(cynagora->cynagora, async_callback, cynagora); -+ if (ret < 0) -+ { -+ dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to initialize Cynagora client"); -+ } -+ else -+ { -+ return cynagora; -+ } -+ cynagora_destroy(cynagora->cynagora); -+ } -+ -+ dbus_free(cynagora); -+ return NULL; -+} -+ -+BusCynagora * -+bus_cynagora_ref (BusCynagora *cynagora) -+{ -+ _dbus_assert (cynagora->refcount > 0); -+ cynagora->refcount += 1; -+ -+ return cynagora; -+} -+ -+void -+bus_cynagora_unref (BusCynagora *cynagora) -+{ -+ _dbus_assert (cynagora->refcount > 0); -+ -+ cynagora->refcount -= 1; -+ -+ if (cynagora->refcount == 0) -+ { -+ cynagora_destroy(cynagora->cynagora); -+ dbus_free(cynagora); -+ } -+} -+ -+static void -+async_check_callback (void *closure, int status) -+{ -+ BusDeferredMessage *deferred_message = closure; -+ BusResult result; -+ -+ if (deferred_message == NULL) -+ return; -+ -+ if (status == 1) -+ result = BUS_RESULT_TRUE; -+ else -+ result = BUS_RESULT_FALSE; -+ -+ bus_deferred_message_response_received(deferred_message, result); -+ bus_deferred_message_unref(deferred_message); -+} -+ -+BusResult -+bus_cynagora_check_privilege (BusCynagora *cynagora, -+ DBusMessage *message, -+ DBusConnection *sender, -+ DBusConnection *addressed_recipient, -+ DBusConnection *proposed_recipient, -+ const char *permission, -+ BusDeferredMessageStatus check_type, -+ BusDeferredMessage **deferred_message_param) -+{ -+ int result; -+ unsigned long uid; -+ unsigned long pid; -+ char *label; -+ char user[32]; -+ char session[32]; -+ DBusConnection *connection = check_type == BUS_DEFERRED_MESSAGE_CHECK_RECEIVE ? proposed_recipient : sender; -+ BusDeferredMessage *deferred_message; -+ BusResult ret; -+ cynagora_key_t key; -+ -+ _dbus_assert(connection != NULL); -+ -+ if (dbus_connection_get_unix_user(connection, &uid) == FALSE) -+ return BUS_RESULT_FALSE; -+ -+ if (dbus_connection_get_unix_process_id(connection, &pid) == FALSE) -+ return BUS_RESULT_FALSE; -+ -+ if (_dbus_connection_get_linux_security_label(connection, &label) == FALSE || label == NULL) -+ { -+ _dbus_warn("Failed to obtain security label for connection\n"); -+ return BUS_RESULT_FALSE; -+ } -+ -+ snprintf(user, sizeof(user), "%lu", uid); -+ snprintf(session, sizeof(session), "%lu", pid); -+ -+ key.client = label; -+ key.session = session; -+ key.user = user; -+ key.permission = permission; -+ -+ result = cynagora_cache_check(cynagora->cynagora, &key); -+ switch (result) -+ { -+ case 1: -+ _dbus_verbose("Cynagora: got ALLOWED answer from cache (client=%s session_id=%s user=%s permission=%s)\n", -+ label, session_id, user, permission); -+ ret = BUS_RESULT_TRUE; -+ break; -+ -+ case 0: -+ _dbus_verbose("Cynagora: got DENIED answer from cache (client=%s session_id=%s user=%s permission=%s)\n", -+ label, session_id, user, permission); -+ ret = BUS_RESULT_FALSE; -+ break; -+ -+ default: -+ deferred_message = bus_deferred_message_new(message, sender, addressed_recipient, -+ proposed_recipient, BUS_RESULT_LATER); -+ if (deferred_message == NULL) -+ { -+ _dbus_verbose("Failed to allocate memory for deferred message\n"); -+ ret = BUS_RESULT_FALSE; -+ goto out; -+ } -+ -+ /* callback is supposed to unref deferred_message*/ -+ result = cynagora_async_check(cynagora->cynagora, &key, 1, 0, async_check_callback, deferred_message); -+ if (result == 0) -+ { -+ _dbus_verbose("Created Cynagora request: client=%s session_id=%s user=%s permission=%s " -+ "deferred_message=%p\n", label, session_id, user, permission, deferred_message); -+ if (deferred_message_param != NULL) -+ *deferred_message_param = deferred_message; -+ ret = BUS_RESULT_LATER; -+ } -+ else -+ { -+ _dbus_verbose("Error on cynagora request create: %i\n", result); -+ bus_deferred_message_unref(deferred_message); -+ ret = BUS_RESULT_FALSE; -+ } -+ break; -+ } -+out: -+ dbus_free(label); -+ return ret; -+} -+ -+static dbus_bool_t -+watch_handler_callback(DBusWatch *watch, -+ unsigned int flags, -+ void *data) -+{ -+ BusCynagora *cynagora = (BusCynagora *)data; -+ int result = cynagora_async_process(cynagora->cynagora); -+ if (result < 0) -+ _dbus_verbose("cynagora_async_process returned %d\n", result); -+ -+ return result != -ENOMEM ? TRUE : FALSE; -+} -+ -+static int -+async_callback(void *closure, int op, int fd, uint32_t events) -+{ -+ BusCynagora *cynagora = (BusCynagora *)closure; -+ DBusLoop *loop = bus_context_get_loop(cynagora->context); -+ unsigned int flags; -+ DBusWatch *watch; -+ -+ /* compute flags */ -+ flags = 0; -+ if (events & EPOLLIN) -+ flags |= DBUS_WATCH_READABLE; -+ if (events & EPOLLOUT) -+ flags |= DBUS_WATCH_WRITABLE; -+ -+ /* remove the watch if needed */ -+ watch = cynagora->cynagora_watch; -+ if (watch != NULL) -+ { -+ cynagora->cynagora_watch = NULL; -+ _dbus_loop_remove_watch(loop, watch); -+ _dbus_watch_invalidate(watch); -+ _dbus_watch_unref(watch); -+ } -+ -+ /* create the watch if needed */ -+ watch = cynagora->cynagora_watch; -+ if (op != EPOLL_CTL_DEL) -+ { -+ watch = _dbus_watch_new(fd, flags, TRUE, watch_handler_callback, cynagora, NULL); -+ if (watch == NULL) -+ return -ENOMEM; -+ if (_dbus_loop_add_watch(loop, watch) != TRUE) -+ { -+ _dbus_watch_invalidate(watch); -+ _dbus_watch_unref(watch); -+ return -ENOMEM; -+ } -+ cynagora->cynagora_watch = watch; -+ } -+ return 0; -+} -+ -+#endif /* DBUS_ENABLE_CYNAGORA */ -diff --git a/bus/cynara.h b/bus/cynagora-check.h -similarity index 81% -rename from bus/cynara.h -rename to bus/cynagora-check.h -index c4728bb..c0892c3 100644 ---- a/bus/cynara.h -+++ b/bus/cynagora-check.h -@@ -1,5 +1,5 @@ - /* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */ --/* cynara.h Cynara runtime privilege checking -+/* cynagora.h Cynagora runtime privilege checking - * - * Copyright (c) 2014 Samsung Electronics, Ltd. - * -@@ -24,10 +24,10 @@ - #include "bus.h" - #include "check.h" - --BusCynara *bus_cynara_new (BusCheck *check, DBusError *error); --BusCynara *bus_cynara_ref (BusCynara *cynara); --void bus_cynara_unref (BusCynara *cynara); --BusResult bus_cynara_check_privilege (BusCynara *cynara, -+BusCynagora *bus_cynagora_new (BusCheck *check, DBusError *error); -+BusCynagora *bus_cynagora_ref (BusCynagora *cynagora); -+void bus_cynagora_unref (BusCynagora *cynagora); -+BusResult bus_cynagora_check_privilege (BusCynagora *cynagora, - DBusMessage *message, - DBusConnection *sender, - DBusConnection *addressed_recipient, -diff --git a/bus/cynara.c b/bus/cynara.c -deleted file mode 100644 -index 77aed62..0000000 ---- a/bus/cynara.c -+++ /dev/null -@@ -1,373 +0,0 @@ --/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */ --/* cynara.c Cynara runtime privilege checking -- * -- * Copyright (c) 2014 Samsung Electronics, Ltd. -- * -- * Licensed under the Academic Free License version 2.1 -- * -- * This program is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License as published by -- * the Free Software Foundation; either version 2 of the License, or -- * (at your option) any later version. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- * -- * You should have received a copy of the GNU General Public License -- * along with this program; if not, write to the Free Software -- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -- * -- */ -- --#include <config.h> --#include "cynara.h" --#include "check.h" --#include "utils.h" -- --#include <stdio.h> -- --#include <dbus/dbus.h> --#include <dbus/dbus-watch.h> --#include <dbus/dbus-connection-internal.h> --#include <bus/connection.h> --#ifdef DBUS_ENABLE_CYNARA --#include <cynara-client-async.h> --#endif -- --#ifdef DBUS_ENABLE_CYNARA --typedef struct BusCynara --{ -- int refcount; -- -- BusContext *context; -- BusCheck *check; -- cynara_async *cynara; -- DBusWatch *cynara_watch; --} BusCynara; -- --#define USE_CYNARA_CACHE 1 --#ifdef USE_CYNARA_CACHE --#define CYNARA_CACHE_SIZE 1000 --#endif -- --static dbus_bool_t bus_cynara_watch_callback(DBusWatch *watch, -- unsigned int flags, -- void *data); -- --static void status_callback(int old_fd, -- int new_fd, -- cynara_async_status status, -- void *user_status_data); --static void bus_cynara_check_response_callback (cynara_check_id check_id, -- cynara_async_call_cause cause, -- int response, -- void *user_response_data); --#endif -- -- --BusCynara * --bus_cynara_new(BusCheck *check, DBusError *error) --{ --#ifdef DBUS_ENABLE_CYNARA -- BusContext *context; -- BusCynara *cynara; -- cynara_async_configuration *conf = NULL; -- int ret; -- -- cynara = dbus_new(BusCynara, 1); -- if (cynara == NULL) -- { -- BUS_SET_OOM(error); -- return NULL; -- } -- -- context = bus_check_get_context(check); -- -- cynara->refcount = 1; -- cynara->check = check; -- cynara->context = context; -- cynara->cynara_watch = NULL; -- -- ret = cynara_async_configuration_create(&conf); -- if (ret != CYNARA_API_SUCCESS) -- { -- dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to create Cynara configuration"); -- goto out; -- } -- --#ifdef CYNARA_CACHE_SIZE -- ret = cynara_async_configuration_set_cache_size(conf, CYNARA_CACHE_SIZE); -- if (ret != CYNARA_API_SUCCESS) -- { -- dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to Cynara cache size"); -- goto out; -- } --#endif -- -- ret = cynara_async_initialize(&cynara->cynara, conf, &status_callback, cynara); -- if (ret != CYNARA_API_SUCCESS) -- { -- dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to initialize Cynara client"); -- goto out; -- } -- --out: -- cynara_async_configuration_destroy(conf); -- if (ret != CYNARA_API_SUCCESS) -- { -- dbus_free(cynara); -- return NULL; -- } -- -- return cynara; --#else -- return NULL; --#endif --} -- --BusCynara * --bus_cynara_ref (BusCynara *cynara) --{ --#ifdef DBUS_ENABLE_CYNARA -- _dbus_assert (cynara->refcount > 0); -- cynara->refcount += 1; -- -- return cynara; --#else -- return NULL; --#endif --} -- --void --bus_cynara_unref (BusCynara *cynara) --{ --#ifdef DBUS_ENABLE_CYNARA -- _dbus_assert (cynara->refcount > 0); -- -- cynara->refcount -= 1; -- -- if (cynara->refcount == 0) -- { -- cynara_async_finish(cynara->cynara); -- dbus_free(cynara); -- } --#endif --} -- --BusResult --bus_cynara_check_privilege (BusCynara *cynara, -- DBusMessage *message, -- DBusConnection *sender, -- DBusConnection *addressed_recipient, -- DBusConnection *proposed_recipient, -- const char *privilege, -- BusDeferredMessageStatus check_type, -- BusDeferredMessage **deferred_message_param) --{ --#ifdef DBUS_ENABLE_CYNARA -- int result; -- unsigned long uid; -- char *label; -- const char *session_id; -- char user[32]; -- cynara_check_id check_id; -- DBusConnection *connection = check_type == BUS_DEFERRED_MESSAGE_CHECK_RECEIVE ? proposed_recipient : sender; -- BusDeferredMessage *deferred_message; -- BusResult ret; -- -- _dbus_assert(connection != NULL); -- -- if (dbus_connection_get_unix_user(connection, &uid) == FALSE) -- return BUS_RESULT_FALSE; -- -- if (_dbus_connection_get_linux_security_label(connection, &label) == FALSE || label == NULL) -- { -- _dbus_warn("Failed to obtain security label for connection\n"); -- return BUS_RESULT_FALSE; -- } -- -- session_id = bus_connection_get_cynara_session_id (connection); -- if (session_id == NULL) -- { -- ret = BUS_RESULT_FALSE; -- goto out; -- } -- -- snprintf(user, sizeof(user), "%lu", uid); -- --#if USE_CYNARA_CACHE -- result = cynara_async_check_cache(cynara->cynara, label, session_id, user, privilege); --#else -- result = CYNARA_API_CACHE_MISS; --#endif -- -- switch (result) -- { -- case CYNARA_API_ACCESS_ALLOWED: -- _dbus_verbose("Cynara: got ALLOWED answer from cache (client=%s session_id=%s user=%s privilege=%s)\n", -- label, session_id, user, privilege); -- ret = BUS_RESULT_TRUE; -- break; -- -- case CYNARA_API_ACCESS_DENIED: -- _dbus_verbose("Cynara: got DENIED answer from cache (client=%s session_id=%s user=%s privilege=%s)\n", -- label, session_id, user, privilege); -- ret = BUS_RESULT_FALSE; -- break; -- -- case CYNARA_API_CACHE_MISS: -- deferred_message = bus_deferred_message_new(message, sender, addressed_recipient, -- proposed_recipient, BUS_RESULT_LATER); -- if (deferred_message == NULL) -- { -- _dbus_verbose("Failed to allocate memory for deferred message\n"); -- ret = BUS_RESULT_FALSE; -- goto out; -- } -- -- /* callback is supposed to unref deferred_message*/ -- result = cynara_async_create_request(cynara->cynara, label, session_id, user, privilege, &check_id, -- &bus_cynara_check_response_callback, deferred_message); -- if (result == CYNARA_API_SUCCESS) -- { -- _dbus_verbose("Created Cynara request: client=%s session_id=%s user=%s privilege=%s check_id=%u " -- "deferred_message=%p\n", label, session_id, user, privilege, (unsigned int)check_id, deferred_message); -- if (deferred_message_param != NULL) -- *deferred_message_param = deferred_message; -- ret = BUS_RESULT_LATER; -- } -- else -- { -- _dbus_verbose("Error on cynara request create: %i\n", result); -- bus_deferred_message_unref(deferred_message); -- ret = BUS_RESULT_FALSE; -- } -- break; -- default: -- _dbus_verbose("Error when accessing Cynara cache: %i\n", result); -- ret = BUS_RESULT_FALSE; -- } --out: -- dbus_free(label); -- return ret; -- --#else -- return BUS_RESULT_FALSE; --#endif --} -- -- -- --#ifdef DBUS_ENABLE_CYNARA --static void --status_callback(int old_fd, int new_fd, cynara_async_status status, -- void *user_status_data) --{ -- BusCynara *cynara = (BusCynara *)user_status_data; -- DBusLoop *loop = bus_context_get_loop(cynara->context); -- -- if (cynara->cynara_watch != NULL) -- { -- _dbus_loop_remove_watch(loop, cynara->cynara_watch); -- _dbus_watch_invalidate(cynara->cynara_watch); -- _dbus_watch_unref(cynara->cynara_watch); -- cynara->cynara_watch = NULL; -- } -- -- if (new_fd != -1) -- { -- unsigned int flags; -- DBusWatch *watch; -- -- switch (status) -- { -- case CYNARA_STATUS_FOR_READ: -- flags = DBUS_WATCH_READABLE; -- break; -- case CYNARA_STATUS_FOR_RW: -- flags = DBUS_WATCH_READABLE | DBUS_WATCH_WRITABLE; -- break; -- default: -- /* Cynara passed unknown status - warn and add RW watch */ -- _dbus_verbose("Cynara passed unknown status value: 0x%08X\n", (unsigned int)status); -- flags = DBUS_WATCH_READABLE | DBUS_WATCH_WRITABLE; -- break; -- } -- -- watch = _dbus_watch_new(new_fd, flags, TRUE, &bus_cynara_watch_callback, cynara, NULL); -- if (watch != NULL) -- { -- if (_dbus_loop_add_watch(loop, watch) == TRUE) -- { -- cynara->cynara_watch = watch; -- return; -- } -- -- _dbus_watch_invalidate(watch); -- _dbus_watch_unref(watch); -- } -- -- /* It seems like not much can be done at this point. Cynara events won't be processed -- * until next Cynara function call triggering status callback */ -- _dbus_verbose("Failed to add dbus watch\n"); -- } --} -- --static dbus_bool_t --bus_cynara_watch_callback(DBusWatch *watch, -- unsigned int flags, -- void *data) --{ -- BusCynara *cynara = (BusCynara *)data; -- int result = cynara_async_process(cynara->cynara); -- if (result != CYNARA_API_SUCCESS) -- _dbus_verbose("cynara_async_process returned %d\n", result); -- -- return result != CYNARA_API_OUT_OF_MEMORY ? TRUE : FALSE; --} -- --static inline const char * --call_cause_to_string(cynara_async_call_cause cause) --{ -- switch (cause) -- { -- case CYNARA_CALL_CAUSE_ANSWER: -- return "ANSWER"; -- case CYNARA_CALL_CAUSE_CANCEL: -- return "CANCEL"; -- case CYNARA_CALL_CAUSE_FINISH: -- return "FINSIH"; -- case CYNARA_CALL_CAUSE_SERVICE_NOT_AVAILABLE: -- return "SERVICE NOT AVAILABLE"; -- default: -- return "INVALID"; -- } --} -- --static void --bus_cynara_check_response_callback (cynara_check_id check_id, -- cynara_async_call_cause cause, -- int response, -- void *user_response_data) --{ -- BusDeferredMessage *deferred_message = user_response_data; -- BusResult result; -- -- _dbus_verbose("Cynara callback: check_id=%u, cause=%s response=%i response_data=%p\n", -- (unsigned int)check_id, call_cause_to_string(cause), response, user_response_data); -- -- if (deferred_message == NULL) -- return; -- -- if (cause == CYNARA_CALL_CAUSE_ANSWER && response == CYNARA_API_ACCESS_ALLOWED) -- result = BUS_RESULT_TRUE; -- else -- result = BUS_RESULT_FALSE; -- -- bus_deferred_message_response_received(deferred_message, result); -- bus_deferred_message_unref(deferred_message); --} -- --#endif /* DBUS_ENABLE_CYNARA */ -diff --git a/bus/system.conf.in b/bus/system.conf.in -index 19d0c04..81c39c8 100644 ---- a/bus/system.conf.in -+++ b/bus/system.conf.in -@@ -72,10 +72,10 @@ - send_interface="org.freedesktop.DBus.Introspectable"/> - <allow send_destination="org.freedesktop.DBus" - send_interface="org.freedesktop.DBus.Properties"/> -- <!-- If there is a need specific bus services could be protected by Cynara as well. -+ <!-- If there is a need specific bus services could be protected by Cynagora as well. - However, this can lead to deadlock during the boot process when such check is made and -- Cynara is not yet activated (systemd calls protected method synchronously, -- dbus daemon tries to consult Cynara, Cynara waits for systemd activation). -+ Cynagora is not yet activated (systemd calls protected method synchronously, -+ dbus daemon tries to consult Cynagora, Cynagora waits for systemd activation). - Therefore it is advised to allow root processes to use bus services. - Currently anyone is allowed to talk to the message bus --> - <allow receive_sender="org.freedesktop.DBus"/> -diff --git a/configure.ac b/configure.ac -index 11b5ffd..df9341c 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1742,16 +1742,16 @@ AC_ARG_ENABLE([user-session], - AM_CONDITIONAL([DBUS_ENABLE_USER_SESSION], - [test "x$enable_user_session" = xyes]) - --#enable cynara integration --AC_ARG_ENABLE([cynara], [AS_HELP_STRING([--enable-cynara], [enable Cynara integration])], [], [enable_cynara=no]) --if test "x$enable_cynara" = xyes; then -- PKG_CHECK_MODULES([CYNARA], [cynara-client-async >= 0.6.0 cynara-session >= 0.6.0], -- [AC_DEFINE([DBUS_ENABLE_CYNARA], [1], [Define to enable Cynara privilege checks in dbus-daemon])], -- [AC_MSG_ERROR([libcynara-client-async and cynara-session are required to enable Cynara integration])]) -+#enable cynagora integration -+AC_ARG_ENABLE([cynagora], [AS_HELP_STRING([--enable-cynagora], [enable Cynagora integration])], [], [enable_cynagora=no]) -+if test "x$enable_cynagora" = xyes; then -+ PKG_CHECK_MODULES([CYNAGORA], [cynagora], -+ [AC_DEFINE([DBUS_ENABLE_CYNAGORA], [1], [Define to enable Cynagora privilege checks in dbus-daemon])], -+ [AC_MSG_ERROR([libcynagora is required to enable Cynagora integration])]) - fi - --AC_SUBST([CYNARA_CFLAGS]) --AC_SUBST([CYNARA_LIBS]) -+AC_SUBST([CYNAGORA_CFLAGS]) -+AC_SUBST([CYNAGORA_LIBS]) - - AC_CONFIG_FILES([ - Doxyfile -@@ -1835,7 +1835,7 @@ echo " - Building bus stats API: ${enable_stats} - Building SELinux support: ${have_selinux} - Building AppArmor support: ${have_apparmor} -- Building Cynara support: ${enable_cynara} -+ Building Cynagora support: ${enable_cynagora} - Building inotify support: ${have_inotify} - Building kqueue support: ${have_kqueue} - Building systemd support: ${have_systemd} --- -2.21.1 - |