e system - allow the per system permit/deny rules to work
parent
3d490704ca
commit
91c003100e
|
@ -24,16 +24,27 @@
|
||||||
|
|
||||||
# FORMAT:
|
# FORMAT:
|
||||||
#
|
#
|
||||||
# user: username allow: halt reboot suspend hibernate
|
# user: username allow: rfkill
|
||||||
# group: groupname deny: *
|
# group: groupname deny: *
|
||||||
# group: * deny: *
|
# group: * deny: *
|
||||||
# user: * allow: suspend
|
# user: * allow: power
|
||||||
# user: billy allow: halt reboot
|
# user: billy allow: l2ping
|
||||||
# group: staff deny: halt suspend hibernate
|
# group: staff deny: backlight
|
||||||
# ... etc. ...
|
# ... etc. ...
|
||||||
#
|
#
|
||||||
# user and group name can use glob matches (* == all for example) like the
|
# user and group name can use glob matches (* == all for example) like the
|
||||||
# shell. as can action names allowed or denied.
|
# shell. as can action names allowed or denied.
|
||||||
|
#
|
||||||
|
# the system to allow at the end is a system name or * for "everything". this
|
||||||
|
# is a glob like filenames. systems supported:
|
||||||
|
#
|
||||||
|
# backlight - core backlight device that maps to a laptop screen or keyboard
|
||||||
|
# ddc - external monitor controls like backlight, color correction etc
|
||||||
|
# storage - handling of removable media devices
|
||||||
|
# power - direct shutdown/reboot/suspend/resume/halt commands
|
||||||
|
# rfkill - rf controls for wireless adaptors
|
||||||
|
# l2ping - bluetooth pings for paired devices (no payload control)
|
||||||
|
# cpufreq - change cpu frequency, governor and similar power controls
|
||||||
|
|
||||||
# root is allowed to do anything - but it needs to be here explicitly anyway
|
# root is allowed to do anything - but it needs to be here explicitly anyway
|
||||||
user: root allow: *
|
user: root allow: *
|
||||||
|
|
|
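Review bot: The format commentary never states how conflicting rules are resolved, yet the parser in e_system_main.c takes the first rule that matches both the caller and the system (`goto allow` / `goto deny` on the first hit), so line order is load-bearing: `user: root allow: *` must come before any `group: * deny: *` or root is locked out. I would add after `# shell. as can action names allowed or denied.` a line such as `# rules are checked top to bottom; the first user/group rule that matches both the caller and the system decides, so put specific allow rules before broad deny rules.` It is also worth saying explicitly that each rule names a single system (or glob), since the examples were changed from action lists to single names and the parser appears to read one token into `glob[256]` and match it whole with fnmatch(), so `allow: rfkill power` would match nothing.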
@ -95,6 +95,7 @@ void *alloca (size_t);
|
||||||
# endif
|
# endif
|
||||||
|
|
||||||
#define ERR(args...) do { fprintf(stderr, "E_SYSTEM_ERR: "); fprintf(stderr, ##args); } while (0)
|
#define ERR(args...) do { fprintf(stderr, "E_SYSTEM_ERR: "); fprintf(stderr, ##args); } while (0)
|
||||||
|
#define INF(args...) do { fprintf(stderr, "E_SYSTEM_INF: "); fprintf(stderr, ##args); } while (0)
|
||||||
|
|
||||||
extern Eina_Bool alert_backlight_reset;
|
extern Eina_Bool alert_backlight_reset;
|
||||||
|
|
||||||
|
|
|
@ -8,21 +8,23 @@ char *user_name = NULL;
|
||||||
char *group_name = NULL;
|
char *group_name = NULL;
|
||||||
|
|
||||||
static int
|
static int
|
||||||
_conf_allow_deny(const char *cmd, const char *glob)
|
_conf_allow_deny(const char *cmd, const char *glob, const char *sys)
|
||||||
{
|
{
|
||||||
if (!strcmp(cmd, "allow:"))
|
if (!strcmp(cmd, "allow:"))
|
||||||
{
|
{
|
||||||
if (!strcmp(glob, "*")) return 1; // allow
|
if (!strcmp(glob, "*")) return 1; // allow
|
||||||
|
if (!fnmatch(glob, sys, 0)) return 1; // allow this sys
|
||||||
}
|
}
|
||||||
else if (!strcmp(cmd, "deny:"))
|
else if (!strcmp(cmd, "deny:"))
|
||||||
{
|
{
|
||||||
if (!strcmp(glob, "*")) return -1; // deny
|
if (!strcmp(glob, "*")) return -1; // deny
|
||||||
|
if (!fnmatch(glob, sys, 0)) return -1; // deny this sys
|
||||||
}
|
}
|
||||||
return 0; // unknown
|
return 0; // unknown
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static int
|
||||||
_etc_enlightenment_system_conf(void)
|
_etc_enlightenment_system_conf_check(const char *sys)
|
||||||
{
|
{
|
||||||
#define MAXGROUPS 1024
|
#define MAXGROUPS 1024
|
||||||
int gn, i;
|
int gn, i;
|
||||||
|
@ -30,13 +32,13 @@ _etc_enlightenment_system_conf(void)
|
||||||
char type[32], usergroup[256], cmd[32], glob[256], buf[1024];
|
char type[32], usergroup[256], cmd[32], glob[256], buf[1024];
|
||||||
Eina_Bool in_usergroup;
|
Eina_Bool in_usergroup;
|
||||||
FILE *f = fopen("/etc/enlightenment/system.conf", "r");
|
FILE *f = fopen("/etc/enlightenment/system.conf", "r");
|
||||||
if (!f) return;
|
if (!f) return 1; // if the config doesnt exist - allow by policy
|
||||||
|
|
||||||
gn = getgroups(MAXGROUPS, gl);
|
gn = getgroups(MAXGROUPS, gl);
|
||||||
if (gn < 0)
|
if (gn < 0)
|
||||||
{
|
{
|
||||||
ERR("User %i member of too many groups\n", uid);
|
ERR("User %i member of too many groups\n", uid);
|
||||||
exit(9);
|
return 0;
|
||||||
}
|
}
|
||||||
while (fgets(buf, sizeof(buf), f))
|
while (fgets(buf, sizeof(buf), f))
|
||||||
{
|
{
|
||||||
|
@ -55,15 +57,17 @@ _etc_enlightenment_system_conf(void)
|
||||||
if (pw)
|
if (pw)
|
||||||
{
|
{
|
||||||
if (!fnmatch(usergroup, pw->pw_name, 0))
|
if (!fnmatch(usergroup, pw->pw_name, 0))
|
||||||
|
{
|
||||||
in_usergroup = EINA_TRUE;
|
in_usergroup = EINA_TRUE;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
if (in_usergroup)
|
if (in_usergroup)
|
||||||
{
|
{
|
||||||
int ok = _conf_allow_deny(cmd, glob);
|
int ok = _conf_allow_deny(cmd, glob, sys);
|
||||||
if (ok == 1) goto allow;
|
if (ok == 1) goto allow;
|
||||||
else if (ok == -1)
|
else if (ok == -1)
|
||||||
{
|
{
|
||||||
ERR("Denied by rule:\n%s\n", buf);
|
INF("Deny rule: %s\n", buf);
|
||||||
goto deny;
|
goto deny;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -91,11 +95,11 @@ _etc_enlightenment_system_conf(void)
|
||||||
}
|
}
|
||||||
if (in_usergroup)
|
if (in_usergroup)
|
||||||
{
|
{
|
||||||
int ok = _conf_allow_deny(cmd, glob);
|
int ok = _conf_allow_deny(cmd, glob, sys);
|
||||||
if (ok == 1) goto allow;
|
if (ok == 1) goto allow;
|
||||||
else if (ok == -1)
|
else if (ok == -1)
|
||||||
{
|
{
|
||||||
ERR("Denied by rule:\n%s\n", buf);
|
INF("Deny rule: %s\n", buf);
|
||||||
goto deny;
|
goto deny;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -104,11 +108,10 @@ _etc_enlightenment_system_conf(void)
|
||||||
}
|
}
|
||||||
allow:
|
allow:
|
||||||
fclose(f);
|
fclose(f);
|
||||||
return;
|
return 1;
|
||||||
deny:
|
deny:
|
||||||
fclose(f);
|
fclose(f);
|
||||||
ERR("Permission denied to use this tool\n");
|
return 0;
|
||||||
exit(11);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
|
@ -321,7 +324,6 @@ setuid_setup(void)
|
||||||
// pass 3 - set path and ifs to minimal defaults
|
// pass 3 - set path and ifs to minimal defaults
|
||||||
putenv("PATH=/bin:/usr/bin:/sbin:/usr/sbin");
|
putenv("PATH=/bin:/usr/bin:/sbin:/usr/sbin");
|
||||||
putenv("IFS= \t\n");
|
putenv("IFS= \t\n");
|
||||||
_etc_enlightenment_system_conf();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// no singleton mode - this is not really a bonus, just painful, so disable
|
// no singleton mode - this is not really a bonus, just painful, so disable
|
||||||
|
@ -378,6 +380,7 @@ int
|
||||||
main(int argc EINA_UNUSED, const char **argv EINA_UNUSED)
|
main(int argc EINA_UNUSED, const char **argv EINA_UNUSED)
|
||||||
{
|
{
|
||||||
const char *s;
|
const char *s;
|
||||||
|
int systems = 0;
|
||||||
|
|
||||||
// special mode to reset all newly found bl devices to max on
|
// special mode to reset all newly found bl devices to max on
|
||||||
// discovery because we were run by the e alert crash handler and
|
// discovery because we were run by the e alert crash handler and
|
||||||
|
@ -397,28 +400,46 @@ main(int argc EINA_UNUSED, const char **argv EINA_UNUSED)
|
||||||
#endif
|
#endif
|
||||||
eet_init();
|
eet_init();
|
||||||
|
|
||||||
// singleton_setup();
|
|
||||||
|
|
||||||
e_system_inout_init();
|
e_system_inout_init();
|
||||||
e_system_backlight_init();
|
|
||||||
e_system_ddc_init();
|
#define CONF_INIT_CHECK(sys, fn, flag) \
|
||||||
e_system_storage_init();
|
Eina_Bool flag = EINA_FALSE; \
|
||||||
e_system_power_init();
|
do { \
|
||||||
e_system_rfkill_init();
|
if (_etc_enlightenment_system_conf_check(sys)) { \
|
||||||
e_system_l2ping_init();
|
fn(); \
|
||||||
e_system_cpufreq_init();
|
flag = EINA_TRUE; \
|
||||||
|
systems++; \
|
||||||
|
} \
|
||||||
|
} while (0)
|
||||||
|
#define CONF_SHUTDOWN(fn, flag) \
|
||||||
|
if (flag) fn()
|
||||||
|
|
||||||
|
CONF_INIT_CHECK("backlight", e_system_backlight_init, init_backlight);
|
||||||
|
CONF_INIT_CHECK("ddc", e_system_ddc_init, init_ddc);
|
||||||
|
CONF_INIT_CHECK("storage", e_system_storage_init, init_storage);
|
||||||
|
CONF_INIT_CHECK("power", e_system_power_init, init_power);
|
||||||
|
CONF_INIT_CHECK("rfkill", e_system_rfkill_init, init_rfkill);
|
||||||
|
CONF_INIT_CHECK("l2ping", e_system_l2ping_init, init_l2ping);
|
||||||
|
CONF_INIT_CHECK("cpufreq", e_system_cpufreq_init, init_cpufreq);
|
||||||
|
|
||||||
|
if (systems == 0)
|
||||||
|
{
|
||||||
|
ERR("Permission denied to use this tool\n");
|
||||||
|
exit(11);
|
||||||
|
}
|
||||||
|
|
||||||
ecore_idle_enterer_add(_cb_idle_enterer, NULL);
|
ecore_idle_enterer_add(_cb_idle_enterer, NULL);
|
||||||
|
|
||||||
ecore_main_loop_begin();
|
ecore_main_loop_begin();
|
||||||
|
|
||||||
e_system_cpufreq_shutdown();
|
CONF_SHUTDOWN(e_system_cpufreq_shutdown, init_cpufreq);
|
||||||
e_system_l2ping_shutdown();
|
CONF_SHUTDOWN(e_system_l2ping_shutdown, init_l2ping);
|
||||||
e_system_rfkill_shutdown();
|
CONF_SHUTDOWN(e_system_rfkill_shutdown, init_rfkill);
|
||||||
e_system_power_shutdown();
|
CONF_SHUTDOWN(e_system_power_shutdown, init_power);
|
||||||
e_system_storage_shutdown();
|
CONF_SHUTDOWN(e_system_storage_shutdown, init_storage);
|
||||||
e_system_ddc_shutdown();
|
CONF_SHUTDOWN(e_system_ddc_shutdown, init_ddc);
|
||||||
e_system_backlight_shutdown();
|
CONF_SHUTDOWN(e_system_backlight_shutdown, init_backlight);
|
||||||
|
|
||||||
e_system_inout_shutdown();
|
e_system_inout_shutdown();
|
||||||
|
|
||||||
eet_shutdown();
|
eet_shutdown();
|
||||||
|
|
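Review bot: In `_etc_enlightenment_system_conf_check`, `if (!f) return 1;` grants every system on any fopen() failure, not only a missing config, because errno is never inspected; for a setuid-root helper a permission, symlink-loop or fd-exhaustion error on `/etc/enlightenment/system.conf` should deny rather than fall open. I would narrow it to `if (!f) { if (errno == ENOENT) return 1; ERR("Cannot open system.conf: %s\n", strerror(errno)); return 0; }` (needs `<errno.h>`/`<string.h>` if not already included), reading errno before anything else can clobber it. Separately, falling off the end of the rule loop lands on the `allow:` label, so a caller that matches no rule at all is allowed; that appears pre-existing and the shipped `group: * deny: *` covers it, but a one-line comment at `allow:` saying so would keep the next editor from trimming that rule. The body of the check function and its parsing loop extend outside these hunks, so the rest of the parser is not reviewed here.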