e system - allow the per system permit/deny rules to work

3 years ago · 91c003100e
parent 3d490704ca
commit 91c003100e
3 changed files with 67 additions and 34 deletions
--- a/data/etc/system.conf
+++ b/data/etc/system.conf
@ -24,16 +24,27 @@

 # FORMAT:
 # 
-# user:  username  allow: halt reboot suspend hibernate
+# user:  username  allow: rfkill
 # group: groupname deny:  *
 # group: *         deny:  *
-# user:  *         allow: suspend
-# user:  billy     allow: halt reboot
-# group: staff     deny:  halt suspend hibernate
+# user:  *         allow: power
+# user:  billy     allow: l2ping
+# group: staff     deny:  backlight
 # ... etc. ...
 #
 # user and group name can use glob matches (* == all for example) like the
 # shell. as can action names allowed or denied.
+#
+# the system to allow at the end is a system name or * for "everything". this
+# is a glob like filenames. systems supported:
+#
+# backlight - core backlight device that maps to a laptop screen or keyboard
+# ddc       - external monitor controls like backlight, color correction etc
+# storage   - handling of removable media devices
+# power     - direct shutdown/reboot/suspend/resume/halt commands
+# rfkill    - rf controls for wireless adaptors
+# l2ping    - bluetooth pings for paired devices (no payload control)
+# cpufreq   - change cpu frequency, governor and similar power controls

 # root is allowed to do anything - but it needs to be here explicitly anyway
 user:     root      allow: *
--- a/src/bin/system/e_system.h
+++ b/src/bin/system/e_system.h
@ -95,6 +95,7 @@ void *alloca (size_t);
 # endif

 #define ERR(args...) do { fprintf(stderr, "E_SYSTEM_ERR: "); fprintf(stderr, ##args); } while (0)
+#define INF(args...) do { fprintf(stderr, "E_SYSTEM_INF: "); fprintf(stderr, ##args); } while (0)

 extern Eina_Bool alert_backlight_reset;

--- a/src/bin/system/e_system_main.c
+++ b/src/bin/system/e_system_main.c
@ -8,21 +8,23 @@ char *user_name = NULL;
 char *group_name = NULL;

 static int
-_conf_allow_deny(const char *cmd, const char *glob)
+_conf_allow_deny(const char *cmd, const char *glob, const char *sys)
 {
   if (!strcmp(cmd, "allow:"))
     {
        if (!strcmp(glob, "*")) return 1; // allow
+        if (!fnmatch(glob, sys, 0)) return 1; // allow this sys
     }
   else if (!strcmp(cmd, "deny:"))
     {
        if (!strcmp(glob, "*")) return -1; // deny
+        if (!fnmatch(glob, sys, 0)) return -1; // deny this sys
     }
   return 0; // unknown
 }

-static void
-_etc_enlightenment_system_conf(void)
+static int
+_etc_enlightenment_system_conf_check(const char *sys)
 {
 #define MAXGROUPS 1024
   int gn, i;
@ -30,13 +32,13 @@ _etc_enlightenment_system_conf(void)
   char type[32], usergroup[256], cmd[32], glob[256], buf[1024];
   Eina_Bool in_usergroup;
   FILE *f = fopen("/etc/enlightenment/system.conf", "r");
-   if (!f) return;
+   if (!f) return 1; // if the config doesnt exist - allow by policy

   gn = getgroups(MAXGROUPS, gl);
   if (gn < 0)
     {
        ERR("User %i member of too many groups\n", uid);
-        exit(9);
+        return 0;
     }
   while (fgets(buf, sizeof(buf), f))
     {
@ -55,15 +57,17 @@ _etc_enlightenment_system_conf(void)
                  if (pw)
                    {
                       if (!fnmatch(usergroup, pw->pw_name, 0))
-                       in_usergroup = EINA_TRUE;
+                         {
+                            in_usergroup = EINA_TRUE;
+                         }
                    }
                  if (in_usergroup)
                    {
-                       int ok = _conf_allow_deny(cmd, glob);
+                       int ok = _conf_allow_deny(cmd, glob, sys);
                       if (ok == 1) goto allow;
                       else if (ok == -1)
                         {
-                            ERR("Denied by rule:\n%s\n", buf);
+                            INF("Deny rule: %s\n", buf);
                            goto deny;
                         }
                    }
@ -91,11 +95,11 @@ _etc_enlightenment_system_conf(void)
                    }
                  if (in_usergroup)
                    {
-                       int ok = _conf_allow_deny(cmd, glob);
+                       int ok = _conf_allow_deny(cmd, glob, sys);
                       if (ok == 1) goto allow;
                       else if (ok == -1)
                         {
-                            ERR("Denied by rule:\n%s\n", buf);
+                            INF("Deny rule: %s\n", buf);
                            goto deny;
                         }
                    }
@ -104,11 +108,10 @@ _etc_enlightenment_system_conf(void)
     }
 allow:
   fclose(f);
-   return;
+   return 1;
 deny:
   fclose(f);
-   ERR("Permission denied to use this tool\n");
-   exit(11);
+   return 0;
 }

 static void
@ -321,7 +324,6 @@ setuid_setup(void)
   // pass 3 - set path and ifs to minimal defaults
   putenv("PATH=/bin:/usr/bin:/sbin:/usr/sbin");
   putenv("IFS= \t\n");
-   _etc_enlightenment_system_conf();
 }

 // no singleton mode - this is not really a bonus, just painful, so disable
@ -378,6 +380,7 @@ int
 main(int argc EINA_UNUSED, const char **argv EINA_UNUSED)
 {
   const char *s;
+   int systems = 0;

   // special mode to reset all newly found bl devices to max on
   // discovery because we were run by the e alert crash handler and
@ -397,28 +400,46 @@ main(int argc EINA_UNUSED, const char **argv EINA_UNUSED)
 #endif
   eet_init();

-//   singleton_setup();
-
   e_system_inout_init();
-   e_system_backlight_init();
-   e_system_ddc_init();
-   e_system_storage_init();
-   e_system_power_init();
-   e_system_rfkill_init();
-   e_system_l2ping_init();
-   e_system_cpufreq_init();
+
+#define CONF_INIT_CHECK(sys, fn, flag) \
+   Eina_Bool flag = EINA_FALSE; \
+   do { \
+      if (_etc_enlightenment_system_conf_check(sys)) { \
+         fn(); \
+         flag = EINA_TRUE; \
+         systems++; \
+      } \
+   } while (0)
+#define CONF_SHUTDOWN(fn, flag) \
+   if (flag) fn()
+
+   CONF_INIT_CHECK("backlight", e_system_backlight_init, init_backlight);
+   CONF_INIT_CHECK("ddc",       e_system_ddc_init,       init_ddc);
+   CONF_INIT_CHECK("storage",   e_system_storage_init,   init_storage);
+   CONF_INIT_CHECK("power",     e_system_power_init,     init_power);
+   CONF_INIT_CHECK("rfkill",    e_system_rfkill_init,    init_rfkill);
+   CONF_INIT_CHECK("l2ping",    e_system_l2ping_init,    init_l2ping);
+   CONF_INIT_CHECK("cpufreq",   e_system_cpufreq_init,   init_cpufreq);
+
+   if (systems == 0)
+     {
+        ERR("Permission denied to use this tool\n");
+        exit(11);
+     }

   ecore_idle_enterer_add(_cb_idle_enterer, NULL);

   ecore_main_loop_begin();

-   e_system_cpufreq_shutdown();
-   e_system_l2ping_shutdown();
-   e_system_rfkill_shutdown();
-   e_system_power_shutdown();
-   e_system_storage_shutdown();
-   e_system_ddc_shutdown();
-   e_system_backlight_shutdown();
+   CONF_SHUTDOWN(e_system_cpufreq_shutdown,   init_cpufreq);
+   CONF_SHUTDOWN(e_system_l2ping_shutdown,    init_l2ping);
+   CONF_SHUTDOWN(e_system_rfkill_shutdown,    init_rfkill);
+   CONF_SHUTDOWN(e_system_power_shutdown,     init_power);
+   CONF_SHUTDOWN(e_system_storage_shutdown,   init_storage);
+   CONF_SHUTDOWN(e_system_ddc_shutdown,       init_ddc);
+   CONF_SHUTDOWN(e_system_backlight_shutdown, init_backlight);
+
   e_system_inout_shutdown();

   eet_shutdown();