1
0

Security_admin.c 6.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172
  1. /* vim: set expandtab ts=4 sw=4: */
  2. /*
  3. * You may redistribute this program and/or modify it under the terms of
  4. * the GNU General Public License as published by the Free Software Foundation,
  5. * either version 3 of the License, or (at your option) any later version.
  6. *
  7. * This program is distributed in the hope that it will be useful,
  8. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  9. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  10. * GNU General Public License for more details.
  11. *
  12. * You should have received a copy of the GNU General Public License
  13. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  14. */
  15. #include "admin/Admin.h"
  16. #include "benc/String.h"
  17. #include "benc/Dict.h"
  18. #include "exception/Except.h"
  19. #include "exception/Jmp.h"
  20. #include "util/log/Log.h"
  21. #include "util/Security.h"
  22. struct Context
  23. {
  24. struct Log* logger;
  25. struct Admin* admin;
  26. struct Security* sec;
  27. Identity
  28. };
  29. static void sendError(char* errorMessage, String* txid, struct Admin* admin)
  30. {
  31. Dict error = Dict_CONST(String_CONST("error"), String_OBJ(String_CONST(errorMessage)), NULL);
  32. Admin_sendMessage(&error, txid, admin);
  33. }
  34. static void setUser(Dict* args, void* vctx, String* txid, struct Allocator* requestAlloc)
  35. {
  36. struct Context* const ctx = Identity_check((struct Context*) vctx);
  37. struct Jmp jmp;
  38. Jmp_try(jmp) {
  39. int64_t* user = Dict_getInt(args, String_CONST("uid"));
  40. int64_t* keepNetAdmin = Dict_getInt(args, String_CONST("keepNetAdmin"));
  41. Security_setUser(*user, *keepNetAdmin, ctx->logger, &jmp.handler, requestAlloc);
  42. } Jmp_catch {
  43. sendError(jmp.message, txid, ctx->admin);
  44. return;
  45. }
  46. sendError("none", txid, ctx->admin);
  47. }
  48. static void checkPermissionsB(struct Except* eh,
  49. String* txid,
  50. struct Admin* admin,
  51. struct Allocator* requestAlloc)
  52. {
  53. struct Security_Permissions* sp = Security_checkPermissions(requestAlloc, eh);
  54. Dict* out = Dict_new(requestAlloc);
  55. Dict_putInt(out, String_CONST("noOpenFiles"), sp->noOpenFiles, requestAlloc);
  56. Dict_putInt(out, String_CONST("seccompExists"), sp->seccompExists, requestAlloc);
  57. Dict_putInt(out, String_CONST("seccompEnforcing"), sp->seccompEnforcing, requestAlloc);
  58. Dict_putInt(out, String_CONST("userId"), sp->uid, requestAlloc);
  59. Dict_putString(out, String_CONST("error"), String_CONST("none"), requestAlloc);
  60. Admin_sendMessage(out, txid, admin);
  61. }
  62. static void checkPermissions(Dict* args, void* vctx, String* txid, struct Allocator* requestAlloc)
  63. {
  64. struct Context* const ctx = Identity_check((struct Context*) vctx);
  65. struct Jmp jmp;
  66. Jmp_try(jmp) {
  67. checkPermissionsB(&jmp.handler, txid, ctx->admin, requestAlloc);
  68. } Jmp_catch {
  69. sendError(jmp.message, txid, ctx->admin);
  70. return;
  71. }
  72. }
  73. #define NOARG_CALL(vctx, txid, func) \
  74. do { \
  75. struct Context* const ctx = Identity_check((struct Context*) vctx); \
  76. struct Jmp jmp; \
  77. Jmp_try(jmp) { \
  78. func(&jmp.handler); \
  79. } Jmp_catch { \
  80. sendError(jmp.message, txid, ctx->admin); \
  81. return; \
  82. } \
  83. sendError("none", txid, ctx->admin); \
  84. } while (0)
  85. // CHECKFILES_IGNORE expecting { bracket
  86. static void nofiles(Dict* args, void* vctx, String* txid, struct Allocator* requestAlloc)
  87. {
  88. NOARG_CALL(vctx, txid, Security_nofiles);
  89. }
  90. static void noforks(Dict* args, void* vctx, String* txid, struct Allocator* requestAlloc)
  91. {
  92. NOARG_CALL(vctx, txid, Security_noforks);
  93. }
  94. static void chroot(Dict* args, void* vctx, String* txid, struct Allocator* requestAlloc)
  95. {
  96. struct Context* const ctx = Identity_check((struct Context*) vctx);
  97. struct Jmp jmp;
  98. Jmp_try(jmp) {
  99. String* root = Dict_getString(args, String_CONST("root"));
  100. Security_chroot(root->bytes, &jmp.handler);
  101. } Jmp_catch {
  102. sendError(jmp.message, txid, ctx->admin);
  103. return;
  104. }
  105. sendError("none", txid, ctx->admin);
  106. }
  107. static void seccomp(Dict* args, void* vctx, String* txid, struct Allocator* requestAlloc)
  108. {
  109. struct Context* const ctx = Identity_check((struct Context*) vctx);
  110. struct Jmp jmp;
  111. Jmp_try(jmp) {
  112. Security_seccomp(requestAlloc, ctx->logger, &jmp.handler);
  113. } Jmp_catch {
  114. sendError(jmp.message, txid, ctx->admin);
  115. return;
  116. }
  117. sendError("none", txid, ctx->admin);
  118. }
  119. static void setupComplete(Dict* args, void* vctx, String* txid, struct Allocator* requestAlloc)
  120. {
  121. struct Context* const ctx = Identity_check((struct Context*) vctx);
  122. Security_setupComplete(ctx->sec);
  123. sendError("none", txid, ctx->admin);
  124. }
  125. static void getUser(Dict* args, void* vctx, String* txid, struct Allocator* requestAlloc)
  126. {
  127. struct Context* const ctx = Identity_check((struct Context*) vctx);
  128. String* user = Dict_getString(args, String_CONST("user"));
  129. Dict* ret = Security_getUser((user) ? user->bytes : NULL, requestAlloc);
  130. Admin_sendMessage(ret, txid, ctx->admin);
  131. }
  132. void Security_admin_register(struct Allocator* alloc,
  133. struct Log* logger,
  134. struct Security* sec,
  135. struct Admin* admin)
  136. {
  137. struct Context* ctx = Allocator_clone(alloc, (&(struct Context) {
  138. .logger = logger,
  139. .admin = admin
  140. }));
  141. Identity_set(ctx);
  142. ctx->sec = sec;
  143. Admin_registerFunction("Security_nofiles", nofiles, ctx, true, NULL, admin);
  144. Admin_registerFunction("Security_noforks", noforks, ctx, true, NULL, admin);
  145. Admin_registerFunction("Security_chroot", chroot, ctx, true, ((struct Admin_FunctionArg[]) {
  146. { .name = "root", .required = 1, .type = "String" }
  147. }), admin);
  148. Admin_registerFunction("Security_setUser", setUser, ctx, true, ((struct Admin_FunctionArg[]) {
  149. { .name = "uid", .required = 1, .type = "Int" },
  150. { .name = "keepNetAdmin", .required = 1, .type = "Int" },
  151. }), admin);
  152. Admin_registerFunction("Security_getUser", getUser, ctx, true, ((struct Admin_FunctionArg[]) {
  153. { .name = "user", .required = 0, .type = "String" }
  154. }), admin);
  155. Admin_registerFunction("Security_seccomp", seccomp, ctx, true, NULL, admin);
  156. Admin_registerFunction("Security_setupComplete", setupComplete, ctx, true, NULL, admin);
  157. Admin_registerFunction("Security_checkPermissions", checkPermissions, ctx, true, NULL, admin);
  158. }