123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182 |
- /* vim: set expandtab ts=4 sw=4: */
- /*
- * You may redistribute this program and/or modify it under the terms of
- * the GNU General Public License as published by the Free Software Foundation,
- * either version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <https://www.gnu.org/licenses/>.
- */
- #include "admin/Admin.h"
- #include "benc/String.h"
- #include "benc/Dict.h"
- #include "exception/Except.h"
- #include "exception/Jmp.h"
- #include "util/log/Log.h"
- #include "util/Security.h"
- #include "util/Security_admin.h"
- struct Context
- {
- struct Log* logger;
- struct Admin* admin;
- struct Security* sec;
- Identity
- };
- static void sendError(char* errorMessage, String* txid, struct Admin* admin)
- {
- Dict error = Dict_CONST(String_CONST("error"), String_OBJ(String_CONST(errorMessage)), NULL);
- Admin_sendMessage(&error, txid, admin);
- }
- static void setUser(Dict* args, void* vctx, String* txid, struct Allocator* requestAlloc)
- {
- struct Context* const ctx = Identity_check((struct Context*) vctx);
- struct Jmp jmp;
- Jmp_try(jmp) {
- int64_t* user = Dict_getIntC(args, "uid");
- int64_t* group = Dict_getIntC(args, "gid");
- int gid = group ? (int)*group : 0;
- int64_t* keepNetAdmin = Dict_getIntC(args, "keepNetAdmin");
- Security_setUser(*user, gid, *keepNetAdmin, ctx->logger, &jmp.handler, requestAlloc);
- } Jmp_catch {
- sendError(jmp.message, txid, ctx->admin);
- return;
- }
- sendError("none", txid, ctx->admin);
- }
- static void checkPermissionsB(struct Except* eh,
- String* txid,
- struct Admin* admin,
- struct Allocator* requestAlloc)
- {
- struct Security_Permissions* sp = Security_checkPermissions(requestAlloc, eh);
- Dict* out = Dict_new(requestAlloc);
- Dict_putIntC(out, "noOpenFiles", sp->noOpenFiles, requestAlloc);
- Dict_putIntC(out, "seccompExists", sp->seccompExists, requestAlloc);
- Dict_putIntC(out, "seccompEnforcing", sp->seccompEnforcing, requestAlloc);
- Dict_putIntC(out, "userId", sp->uid, requestAlloc);
- Dict_putStringCC(out, "error", "none", requestAlloc);
- Admin_sendMessage(out, txid, admin);
- }
- static void checkPermissions(Dict* args, void* vctx, String* txid, struct Allocator* requestAlloc)
- {
- struct Context* const ctx = Identity_check((struct Context*) vctx);
- struct Jmp jmp;
- Jmp_try(jmp) {
- checkPermissionsB(&jmp.handler, txid, ctx->admin, requestAlloc);
- } Jmp_catch {
- sendError(jmp.message, txid, ctx->admin);
- return;
- }
- }
- #define NOARG_CALL(vctx, txid, func) \
- do { \
- struct Context* const ctx = Identity_check((struct Context*) vctx); \
- struct Jmp jmp; \
- Jmp_try(jmp) { \
- func(&jmp.handler); \
- } Jmp_catch { \
- sendError(jmp.message, txid, ctx->admin); \
- return; \
- } \
- sendError("none", txid, ctx->admin); \
- } while (0)
- // CHECKFILES_IGNORE expecting { bracket
- static void nofiles(Dict* args, void* vctx, String* txid, struct Allocator* requestAlloc)
- {
- NOARG_CALL(vctx, txid, Security_nofiles);
- }
- static void noforks(Dict* args, void* vctx, String* txid, struct Allocator* requestAlloc)
- {
- NOARG_CALL(vctx, txid, Security_noforks);
- }
- static void chroot(Dict* args, void* vctx, String* txid, struct Allocator* requestAlloc)
- {
- struct Context* const ctx = Identity_check((struct Context*) vctx);
- struct Jmp jmp;
- Jmp_try(jmp) {
- String* root = Dict_getStringC(args, "root");
- Security_chroot(root->bytes, &jmp.handler);
- } Jmp_catch {
- sendError(jmp.message, txid, ctx->admin);
- return;
- }
- sendError("none", txid, ctx->admin);
- }
- static void seccomp(Dict* args, void* vctx, String* txid, struct Allocator* requestAlloc)
- {
- struct Context* const ctx = Identity_check((struct Context*) vctx);
- struct Jmp jmp;
- struct Except* eh = &jmp.handler;
- Jmp_try(jmp) {
- struct Security_Permissions* sp = Security_checkPermissions(requestAlloc, eh);
- if (!sp->seccompEnforcing) {
- Security_seccomp(requestAlloc, ctx->logger, eh);
- } else {
- sendError("seccomp is already enabled", txid, ctx->admin);
- }
- } Jmp_catch {
- sendError(jmp.message, txid, ctx->admin);
- return;
- }
- sendError("none", txid, ctx->admin);
- }
- static void setupComplete(Dict* args, void* vctx, String* txid, struct Allocator* requestAlloc)
- {
- struct Context* const ctx = Identity_check((struct Context*) vctx);
- Security_setupComplete(ctx->sec);
- sendError("none", txid, ctx->admin);
- }
- static void getUser(Dict* args, void* vctx, String* txid, struct Allocator* requestAlloc)
- {
- struct Context* const ctx = Identity_check((struct Context*) vctx);
- String* user = Dict_getStringC(args, "user");
- Dict* ret = Security_getUser((user) ? user->bytes : NULL, requestAlloc);
- Admin_sendMessage(ret, txid, ctx->admin);
- }
- void Security_admin_register(struct Allocator* alloc,
- struct Log* logger,
- struct Security* sec,
- struct Admin* admin)
- {
- struct Context* ctx = Allocator_clone(alloc, (&(struct Context) {
- .logger = logger,
- .admin = admin
- }));
- Identity_set(ctx);
- ctx->sec = sec;
- Admin_registerFunction("Security_nofiles", nofiles, ctx, true, NULL, admin);
- Admin_registerFunction("Security_noforks", noforks, ctx, true, NULL, admin);
- Admin_registerFunction("Security_chroot", chroot, ctx, true, ((struct Admin_FunctionArg[]) {
- { .name = "root", .required = 1, .type = "String" }
- }), admin);
- Admin_registerFunction("Security_setUser", setUser, ctx, true, ((struct Admin_FunctionArg[]) {
- { .name = "uid", .required = 1, .type = "Int" },
- { .name = "gid", .required = 0, .type = "Int" },
- { .name = "keepNetAdmin", .required = 1, .type = "Int" },
- }), admin);
- Admin_registerFunction("Security_getUser", getUser, ctx, true, ((struct Admin_FunctionArg[]) {
- { .name = "user", .required = 0, .type = "String" }
- }), admin);
- Admin_registerFunction("Security_seccomp", seccomp, ctx, true, NULL, admin);
- Admin_registerFunction("Security_setupComplete", setupComplete, ctx, true, NULL, admin);
- Admin_registerFunction("Security_checkPermissions", checkPermissions, ctx, true, NULL, admin);
- }
|