styx
/
enlightenment
forked from enlightenment/enlightenment
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

e system - allow the per system permit/deny rules to work

This commit is contained in:
Carsten Haitzler 2020-04-23 13:43:45 +01:00
parent 3d490704ca
commit 91c003100e
3 changed files with 67 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
data/etc/system.conf
View File

@ -24,16 +24,27 @@
# FORMAT: # FORMAT:
# #
# user: username allow: halt reboot suspend hibernate # user: username allow: rfkill
# group: groupname deny: * # group: groupname deny: *
# group: * deny: * # group: * deny: *
# user: * allow: suspend # user: * allow: power
# user: billy allow: halt reboot # user: billy allow: l2ping
# group: staff deny: halt suspend hibernate # group: staff deny: backlight
# ... etc. ... # ... etc. ...
# #
# user and group name can use glob matches (* == all for example) like the # user and group name can use glob matches (* == all for example) like the
# shell. as can action names allowed or denied. # shell. as can action names allowed or denied.
#
# the system to allow at the end is a system name or * for "everything". this
# is a glob like filenames. systems supported:
#
# backlight - core backlight device that maps to a laptop screen or keyboard
# ddc - external monitor controls like backlight, color correction etc
# storage - handling of removable media devices
# power - direct shutdown/reboot/suspend/resume/halt commands
# rfkill - rf controls for wireless adaptors
# l2ping - bluetooth pings for paired devices (no payload control)
# cpufreq - change cpu frequency, governor and similar power controls
# root is allowed to do anything - but it needs to be here explicitly anyway # root is allowed to do anything - but it needs to be here explicitly anyway
user: root allow: * user: root allow: *

1
src/bin/system/e_system.h
View File

@ -95,6 +95,7 @@ void *alloca (size_t);
# endif # endif
#define ERR(args...) do { fprintf(stderr, "E_SYSTEM_ERR: "); fprintf(stderr, ##args); } while (0) #define ERR(args...) do { fprintf(stderr, "E_SYSTEM_ERR: "); fprintf(stderr, ##args); } while (0)
#define INF(args...) do { fprintf(stderr, "E_SYSTEM_INF: "); fprintf(stderr, ##args); } while (0)
extern Eina_Bool alert_backlight_reset; extern Eina_Bool alert_backlight_reset;

81
src/bin/system/e_system_main.c
View File

@ -8,21 +8,23 @@ char *user_name = NULL;
char *group_name = NULL; char *group_name = NULL;
static int static int
_conf_allow_deny(const char *cmd, const char *glob) _conf_allow_deny(const char *cmd, const char *glob, const char *sys)
{ {
if (!strcmp(cmd, "allow:")) if (!strcmp(cmd, "allow:"))
{ {
if (!strcmp(glob, "*")) return 1; // allow if (!strcmp(glob, "*")) return 1; // allow
if (!fnmatch(glob, sys, 0)) return 1; // allow this sys
} }
else if (!strcmp(cmd, "deny:")) else if (!strcmp(cmd, "deny:"))
{ {
if (!strcmp(glob, "*")) return -1; // deny if (!strcmp(glob, "*")) return -1; // deny
if (!fnmatch(glob, sys, 0)) return -1; // deny this sys
} }
return 0; // unknown return 0; // unknown
} }
static void static int
_etc_enlightenment_system_conf(void) _etc_enlightenment_system_conf_check(const char *sys)
{ {
#define MAXGROUPS 1024 #define MAXGROUPS 1024
int gn, i; int gn, i;
@ -30,13 +32,13 @@ _etc_enlightenment_system_conf(void)
char type[32], usergroup[256], cmd[32], glob[256], buf[1024]; char type[32], usergroup[256], cmd[32], glob[256], buf[1024];
Eina_Bool in_usergroup; Eina_Bool in_usergroup;
FILE *f = fopen("/etc/enlightenment/system.conf", "r"); FILE *f = fopen("/etc/enlightenment/system.conf", "r");
if (!f) return; if (!f) return 1; // if the config doesnt exist - allow by policy
gn = getgroups(MAXGROUPS, gl); gn = getgroups(MAXGROUPS, gl);
if (gn < 0) if (gn < 0)
{ {
ERR("User %i member of too many groups\n", uid); ERR("User %i member of too many groups\n", uid);
exit(9); return 0;
} }
while (fgets(buf, sizeof(buf), f)) while (fgets(buf, sizeof(buf), f))
{ {
@ -55,15 +57,17 @@ _etc_enlightenment_system_conf(void)
if (pw) if (pw)
{ {
if (!fnmatch(usergroup, pw->pw_name, 0)) if (!fnmatch(usergroup, pw->pw_name, 0))
in_usergroup = EINA_TRUE; {
in_usergroup = EINA_TRUE;
}
} }
if (in_usergroup) if (in_usergroup)
{ {
int ok = _conf_allow_deny(cmd, glob); int ok = _conf_allow_deny(cmd, glob, sys);
if (ok == 1) goto allow; if (ok == 1) goto allow;
else if (ok == -1) else if (ok == -1)
{ {
ERR("Denied by rule:\n%s\n", buf); INF("Deny rule: %s\n", buf);
goto deny; goto deny;
} }
} }
@ -91,11 +95,11 @@ _etc_enlightenment_system_conf(void)
} }
if (in_usergroup) if (in_usergroup)
{ {
int ok = _conf_allow_deny(cmd, glob); int ok = _conf_allow_deny(cmd, glob, sys);
if (ok == 1) goto allow; if (ok == 1) goto allow;
else if (ok == -1) else if (ok == -1)
{ {
ERR("Denied by rule:\n%s\n", buf); INF("Deny rule: %s\n", buf);
goto deny; goto deny;
} }
} }
@ -104,11 +108,10 @@ _etc_enlightenment_system_conf(void)
} }
allow: allow:
fclose(f); fclose(f);
return; return 1;
deny: deny:
fclose(f); fclose(f);
ERR("Permission denied to use this tool\n"); return 0;
exit(11);
} }
static void static void
@ -321,7 +324,6 @@ setuid_setup(void)
// pass 3 - set path and ifs to minimal defaults // pass 3 - set path and ifs to minimal defaults
putenv("PATH=/bin:/usr/bin:/sbin:/usr/sbin"); putenv("PATH=/bin:/usr/bin:/sbin:/usr/sbin");
putenv("IFS= \t\n"); putenv("IFS= \t\n");
_etc_enlightenment_system_conf();
} }
// no singleton mode - this is not really a bonus, just painful, so disable // no singleton mode - this is not really a bonus, just painful, so disable
@ -378,6 +380,7 @@ int
main(int argc EINA_UNUSED, const char **argv EINA_UNUSED) main(int argc EINA_UNUSED, const char **argv EINA_UNUSED)
{ {
const char *s; const char *s;
int systems = 0;
// special mode to reset all newly found bl devices to max on // special mode to reset all newly found bl devices to max on
// discovery because we were run by the e alert crash handler and // discovery because we were run by the e alert crash handler and
@ -397,28 +400,46 @@ main(int argc EINA_UNUSED, const char **argv EINA_UNUSED)
#endif #endif
eet_init(); eet_init();
// singleton_setup();
e_system_inout_init(); e_system_inout_init();
e_system_backlight_init();
e_system_ddc_init(); #define CONF_INIT_CHECK(sys, fn, flag) \
e_system_storage_init(); Eina_Bool flag = EINA_FALSE; \
e_system_power_init(); do { \
e_system_rfkill_init(); if (_etc_enlightenment_system_conf_check(sys)) { \
e_system_l2ping_init(); fn(); \
e_system_cpufreq_init(); flag = EINA_TRUE; \
systems++; \
} \
} while (0)
#define CONF_SHUTDOWN(fn, flag) \
if (flag) fn()
CONF_INIT_CHECK("backlight", e_system_backlight_init, init_backlight);
CONF_INIT_CHECK("ddc", e_system_ddc_init, init_ddc);
CONF_INIT_CHECK("storage", e_system_storage_init, init_storage);
CONF_INIT_CHECK("power", e_system_power_init, init_power);
CONF_INIT_CHECK("rfkill", e_system_rfkill_init, init_rfkill);
CONF_INIT_CHECK("l2ping", e_system_l2ping_init, init_l2ping);
CONF_INIT_CHECK("cpufreq", e_system_cpufreq_init, init_cpufreq);
if (systems == 0)
{
ERR("Permission denied to use this tool\n");
exit(11);
}
ecore_idle_enterer_add(_cb_idle_enterer, NULL); ecore_idle_enterer_add(_cb_idle_enterer, NULL);
ecore_main_loop_begin(); ecore_main_loop_begin();
e_system_cpufreq_shutdown(); CONF_SHUTDOWN(e_system_cpufreq_shutdown, init_cpufreq);
e_system_l2ping_shutdown(); CONF_SHUTDOWN(e_system_l2ping_shutdown, init_l2ping);
e_system_rfkill_shutdown(); CONF_SHUTDOWN(e_system_rfkill_shutdown, init_rfkill);
e_system_power_shutdown(); CONF_SHUTDOWN(e_system_power_shutdown, init_power);
e_system_storage_shutdown(); CONF_SHUTDOWN(e_system_storage_shutdown, init_storage);
e_system_ddc_shutdown(); CONF_SHUTDOWN(e_system_ddc_shutdown, init_ddc);
e_system_backlight_shutdown(); CONF_SHUTDOWN(e_system_backlight_shutdown, init_backlight);
e_system_inout_shutdown(); e_system_inout_shutdown();
eet_shutdown(); eet_shutdown();