D-Bus  1.12.20
dbus-credentials.c
1 /* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
2 /* dbus-credentials.c Credentials provable through authentication
3  *
4  * Copyright (C) 2007 Red Hat Inc.
5  *
6  * Licensed under the Academic Free License version 2.1
7  *
8  * This program is free software; you can redistribute it and/or modify
9  * it under the terms of the GNU General Public License as published by
10  * the Free Software Foundation; either version 2 of the License, or
11  * (at your option) any later version.
12  *
13  * This program is distributed in the hope that it will be useful,
14  * but WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16  * GNU General Public License for more details.
17  *
18  * You should have received a copy of the GNU General Public License
19  * along with this program; if not, write to the Free Software
20  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
21  *
22  */
23 #include <config.h>
24 #include <string.h>
25 #include "dbus-credentials.h"
26 #include "dbus-internals.h"
27 
49  int refcount;
50  dbus_uid_t unix_uid;
51  dbus_pid_t pid;
52 #ifdef HAVE_PDPLINUX
53  //parsec_caps_t unix_parsec_caps;
54  BusPDPLinuxID* credential_parsecid;
55 #endif
56  char *windows_sid;
57  char *linux_security_label;
58  void *adt_audit_data;
59  dbus_int32_t adt_audit_data_size;
60 };
61 
76 {
77  DBusCredentials *creds;
78 
79  creds = dbus_new (DBusCredentials, 1);
80  if (creds == NULL)
81  return NULL;
82 
83  creds->refcount = 1;
84  creds->unix_uid = DBUS_UID_UNSET;
85  creds->pid = DBUS_PID_UNSET;
86 #ifdef HAVE_PDPLINUX
87  creds->credential_parsecid = NULL;
88 #endif
89  creds->windows_sid = NULL;
90  creds->linux_security_label = NULL;
91  creds->adt_audit_data = NULL;
92  creds->adt_audit_data_size = 0;
93 
94  return creds;
95 }
96 
103 {
104  DBusCredentials *creds;
105 
106  creds = _dbus_credentials_new ();
107  if (creds == NULL)
108  return NULL;
109 
111  {
112  _dbus_credentials_unref (creds);
113  return NULL;
114  }
115 
116  return creds;
117 }
118 
124 void
126 {
127  _dbus_assert (credentials->refcount > 0);
128  credentials->refcount += 1;
129 }
130 
136 void
138 {
139  _dbus_assert (credentials->refcount > 0);
140 
141  credentials->refcount -= 1;
142  if (credentials->refcount == 0)
143  {
144  dbus_free (credentials->windows_sid);
145  dbus_free (credentials->linux_security_label);
146  dbus_free (credentials->adt_audit_data);
147 #ifdef HAVE_PDPLINUX
148  if (credentials->credential_parsecid) dbus_free(credentials->credential_parsecid);
149  credentials->credential_parsecid=NULL;
150 #endif
151  dbus_free (credentials);
152  }
153 }
154 
164  dbus_pid_t pid)
165 {
166 
167 #ifdef HAVE_PDPLINUX
168  _dbus_verbose("***** Add PID to credentials (%p)! %ld\n",credentials,pid);
169 #endif
170  credentials->pid = pid;
171  return TRUE;
172 }
173 
183  dbus_uid_t uid)
184 {
185  credentials->unix_uid = uid;
186  return TRUE;
187 
188 }
189 
199  const char *windows_sid)
200 {
201  char *copy;
202 
203  copy = _dbus_strdup (windows_sid);
204  if (copy == NULL)
205  return FALSE;
206 
207  dbus_free (credentials->windows_sid);
208  credentials->windows_sid = copy;
209 
210  return TRUE;
211 }
212 
223  const char *label)
224 {
225  char *copy;
226 
227  copy = _dbus_strdup (label);
228  if (copy == NULL)
229  return FALSE;
230 
231  dbus_free (credentials->linux_security_label);
232  credentials->linux_security_label = copy;
233 
234  return TRUE;
235 }
236 
247  void *audit_data,
248  dbus_int32_t size)
249 {
250  void *copy;
251  copy = _dbus_memdup (audit_data, size);
252  if (copy == NULL)
253  return FALSE;
254 
255  dbus_free (credentials->adt_audit_data);
256  credentials->adt_audit_data = copy;
257  credentials->adt_audit_data_size = size;
258 
259  return TRUE;
260 }
261 
271  DBusCredentialType type)
272 {
273  switch (type)
274  {
275  case DBUS_CREDENTIAL_UNIX_PROCESS_ID:
276  return credentials->pid != DBUS_PID_UNSET;
277  case DBUS_CREDENTIAL_UNIX_USER_ID:
278  return credentials->unix_uid != DBUS_UID_UNSET;
279  case DBUS_CREDENTIAL_WINDOWS_SID:
280  return credentials->windows_sid != NULL;
281  case DBUS_CREDENTIAL_LINUX_SECURITY_LABEL:
282  return credentials->linux_security_label != NULL;
283  case DBUS_CREDENTIAL_ADT_AUDIT_DATA_ID:
284  return credentials->adt_audit_data != NULL;
285 #ifdef HAVE_PDPLINUX
286  case DBUS_CREDENTIAL_UNIX_PARSEC:
287  return credentials->credential_parsecid != NULL;
288 #endif
289  default:
290  _dbus_assert_not_reached ("Unknown credential enum value");
291  return FALSE;
292  }
293 }
294 
304 {
305  return credentials->pid;
306 }
307 
317 {
318  return credentials->unix_uid;
319 }
320 
328 const char*
330 {
331  return credentials->windows_sid;
332 }
333 
341 const char *
343 {
344  return credentials->linux_security_label;
345 }
346 
354 void *
356 {
357  return credentials->adt_audit_data;
358 }
359 
367 dbus_int32_t
369 {
370  return credentials->adt_audit_data_size;
371 }
372 
383  DBusCredentials *possible_subset)
384 {
385  return
386  (possible_subset->pid == DBUS_PID_UNSET ||
387  possible_subset->pid == credentials->pid) &&
388 #ifdef HAVE_PDPLINUX
389  (possible_subset->credential_parsecid == NULL ||
390  (credentials->credential_parsecid && possible_subset->credential_parsecid &&
391  credentials->credential_parsecid->sz_pdplinux_context==possible_subset->credential_parsecid->sz_pdplinux_context &&
392  (0==memcmp(possible_subset->credential_parsecid,credentials->credential_parsecid,
393  sizeof(*(credentials->credential_parsecid))+credentials->credential_parsecid->sz_pdplinux_context))) ) &&
394 #endif
395  (possible_subset->unix_uid == DBUS_UID_UNSET ||
396  possible_subset->unix_uid == credentials->unix_uid) &&
397  (possible_subset->windows_sid == NULL ||
398  (credentials->windows_sid && strcmp (possible_subset->windows_sid,
399  credentials->windows_sid) == 0)) &&
400  (possible_subset->linux_security_label == NULL ||
401  (credentials->linux_security_label != NULL &&
402  strcmp (possible_subset->linux_security_label,
403  credentials->linux_security_label) == 0)) &&
404  (possible_subset->adt_audit_data == NULL ||
405  (credentials->adt_audit_data && memcmp (possible_subset->adt_audit_data,
406  credentials->adt_audit_data,
407  credentials->adt_audit_data_size) == 0));
408 }
409 
418 {
419  return
420  credentials->pid == DBUS_PID_UNSET &&
421 #ifdef HAVE_PDPLINUX
422  (credentials->credential_parsecid== NULL) &&
423 #endif
424  credentials->unix_uid == DBUS_UID_UNSET &&
425  credentials->windows_sid == NULL &&
426  credentials->linux_security_label == NULL &&
427  credentials->adt_audit_data == NULL;
428 }
429 
438 {
439  return
440  credentials->unix_uid == DBUS_UID_UNSET &&
441  credentials->windows_sid == NULL;
442 }
443 
454  DBusCredentials *other_credentials)
455 {
456  return
458  DBUS_CREDENTIAL_UNIX_PROCESS_ID,
459  other_credentials) &&
461  DBUS_CREDENTIAL_UNIX_USER_ID,
462  other_credentials) &&
464  DBUS_CREDENTIAL_ADT_AUDIT_DATA_ID,
465  other_credentials) &&
467  DBUS_CREDENTIAL_LINUX_SECURITY_LABEL,
468  other_credentials) &&
470  DBUS_CREDENTIAL_WINDOWS_SID,
471  other_credentials)
472 #ifdef HAVE_PDPLINUX
473  && _dbus_credentials_add_credential (credentials,
474  DBUS_CREDENTIAL_UNIX_PARSEC,
475  other_credentials);
476 #else
477  ;
478 #endif
479 
480 }
481 
496  DBusCredentialType which,
497  DBusCredentials *other_credentials)
498 {
499  if (which == DBUS_CREDENTIAL_UNIX_PROCESS_ID &&
500  other_credentials->pid != DBUS_PID_UNSET)
501  {
502  if (!_dbus_credentials_add_pid (credentials, other_credentials->pid))
503  return FALSE;
504  }
505  else if (which == DBUS_CREDENTIAL_UNIX_USER_ID &&
506  other_credentials->unix_uid != DBUS_UID_UNSET)
507  {
508  if (!_dbus_credentials_add_unix_uid (credentials, other_credentials->unix_uid))
509  return FALSE;
510  }
511  else if (which == DBUS_CREDENTIAL_WINDOWS_SID &&
512  other_credentials->windows_sid != NULL)
513  {
514  if (!_dbus_credentials_add_windows_sid (credentials, other_credentials->windows_sid))
515  return FALSE;
516  }
517  else if (which == DBUS_CREDENTIAL_LINUX_SECURITY_LABEL &&
518  other_credentials->linux_security_label != NULL)
519  {
521  other_credentials->linux_security_label))
522  return FALSE;
523  }
524  else if (which == DBUS_CREDENTIAL_ADT_AUDIT_DATA_ID &&
525  other_credentials->adt_audit_data != NULL)
526  {
527  if (!_dbus_credentials_add_adt_audit_data (credentials, other_credentials->adt_audit_data, other_credentials->adt_audit_data_size))
528  return FALSE;
529  }
530 #ifdef HAVE_PDPLINUX
531  else if (which == DBUS_CREDENTIAL_UNIX_PARSEC){
532 
533  _dbus_verbose("***** Asked to add credential DBUS_CREDENTIAL_UNIX_PARSEC (%d))\n", which);
534 
535  if (other_credentials->credential_parsecid != NULL) {
536  if (!_dbus_credentials_pdplinux_add_unix_parsec (credentials, other_credentials->credential_parsecid)){
537  _dbus_verbose("Return FAILED (can't set credentials to this one from other_credentials)\n");
538  return FALSE;
539  }
540  else{
541  _dbus_verbose("Return OK (credentials successful copied to this one from other_credentials)\n");
542  }
543  }
544  else{
545  _dbus_verbose("Return OK (but other_cred not set pid=%ld, uid=%lu). So do not add, pdp_credential=%p\n",
546  other_credentials->pid,
547  other_credentials->unix_uid,
548  credentials->credential_parsecid);
549  }
550  }
551 
552 #endif
553 
554  return TRUE;
555 }
556 
562 void
564 {
565 #ifdef HAVE_PDPLINUX
566  if (credentials->credential_parsecid) dbus_free(credentials->credential_parsecid);
567  credentials->credential_parsecid=NULL;
568 #endif
569  credentials->pid = DBUS_PID_UNSET;
570  credentials->unix_uid = DBUS_UID_UNSET;
571  dbus_free (credentials->windows_sid);
572  credentials->windows_sid = NULL;
573  dbus_free (credentials->linux_security_label);
574  credentials->linux_security_label = NULL;
575  dbus_free (credentials->adt_audit_data);
576  credentials->adt_audit_data = NULL;
577  credentials->adt_audit_data_size = 0;
578 }
579 
588 {
589  DBusCredentials *copy;
590 
591  copy = _dbus_credentials_new ();
592  if (copy == NULL)
593  return NULL;
594 
595  if (!_dbus_credentials_add_credentials (copy, credentials))
596  {
598  return NULL;
599  }
600 
601  return copy;
602 }
603 
617  DBusCredentials *other_credentials)
618 {
619  /* both windows and unix user must be the same (though pretty much
620  * in all conceivable cases, one will be unset)
621  */
622  return credentials->unix_uid == other_credentials->unix_uid &&
623  ((!(credentials->windows_sid || other_credentials->windows_sid)) ||
624  (credentials->windows_sid && other_credentials->windows_sid &&
625  strcmp (credentials->windows_sid, other_credentials->windows_sid) == 0));
626 }
627 
638  DBusString *string)
639 {
640  dbus_bool_t join;
641 
642  join = FALSE;
643  if (credentials->unix_uid != DBUS_UID_UNSET)
644  {
645  if (!_dbus_string_append_printf (string, "uid=" DBUS_UID_FORMAT, credentials->unix_uid))
646  goto oom;
647  join = TRUE;
648  }
649  if (credentials->pid != DBUS_PID_UNSET)
650  {
651  if (!_dbus_string_append_printf (string, "%spid=" DBUS_PID_FORMAT, join ? " " : "", credentials->pid))
652  goto oom;
653  join = TRUE;
654  }
655  else
656  join = FALSE;
657  if (credentials->windows_sid != NULL)
658  {
659  if (!_dbus_string_append_printf (string, "%ssid=%s", join ? " " : "", credentials->windows_sid))
660  goto oom;
661  join = TRUE;
662  }
663  else
664  join = FALSE;
665 
666  if (credentials->linux_security_label != NULL)
667  {
668  if (!_dbus_string_append_printf (string, "%slsm='%s'",
669  join ? " " : "",
670  credentials->linux_security_label))
671  goto oom;
672  join = TRUE;
673  }
674 #ifdef HAVE_PDPLINUX
675  if (credentials->credential_parsecid != NULL)
676  {
677  char* pdplinux_context_string=NULL;
678 
679  if (_dbus_pdplinux_context_to_name(credentials->credential_parsecid,&pdplinux_context_string)){
680  if (!_dbus_string_append_printf (string,
681  "%sparsec= %s",
682  join ? " " : "",
683  pdplinux_context_string)){
684  //goto oom;
685  }
686 
687  }
688 
689  if (pdplinux_context_string) dbus_free(pdplinux_context_string);
690 
691  join = TRUE;
692  }
693 #endif
694 
695  return TRUE;
696 oom:
697  return FALSE;
698 }
699 
700 // ********************************PDP********************************
701 #ifdef HAVE_PDPLINUX
702 
703 //-----------------------------------------------------------------------------------------------
704 void
705 _dbus_credentials_pdplinux_get_unix_parsec (DBusCredentials *credentials, BusPDPLinuxID** pparsecid)
706 {
707  *pparsecid=credentials->credential_parsecid;
708 }
709 
710 //-----------------------------------------------------------------------------------------------
712 _dbus_credentials_pdplinux_add_unix_parsec (DBusCredentials *credentials,
713  BusPDPLinuxID* parsecid)
714 {
715  if (!parsecid) return FALSE;
716  if (!credentials) return FALSE;
717 
718  if (credentials->credential_parsecid) dbus_free(credentials->credential_parsecid);
719  credentials->credential_parsecid=NULL;
720 
721  credentials->credential_parsecid=dbus_malloc0(
722  sizeof(*(parsecid))+parsecid->sz_pdplinux_context);
723 
724  if (credentials->credential_parsecid){
725  memcpy(credentials->credential_parsecid,parsecid,
726  sizeof(*(parsecid))+parsecid->sz_pdplinux_context);
727  }
728  else{
729  _dbus_verbose("No memory!\n");
730  return FALSE;
731  }
732  return TRUE;
733 }
734 
735 #endif
736 
738 /* tests in dbus-credentials-util.c */
_dbus_credentials_add_windows_sid
dbus_bool_t _dbus_credentials_add_windows_sid(DBusCredentials *credentials, const char *windows_sid)
Add a Windows user SID to the credentials.
Definition: dbus-credentials.c:198
_dbus_credentials_add_from_current_process
dbus_bool_t _dbus_credentials_add_from_current_process(DBusCredentials *credentials)
Adds the credentials of the current process to the passed-in credentials object.
Definition: dbus-sysdeps-unix.c:2819
_dbus_credentials_get_windows_sid
const char * _dbus_credentials_get_windows_sid(DBusCredentials *credentials)
Gets the Windows user SID in the credentials, or NULL if the credentials object doesn't contain a Win...
Definition: dbus-credentials.c:329
DBUS_UID_FORMAT
#define DBUS_UID_FORMAT
an appropriate printf format for dbus_uid_t
Definition: dbus-sysdeps.h:154
_dbus_credentials_are_empty
dbus_bool_t _dbus_credentials_are_empty(DBusCredentials *credentials)
Checks whether a credentials object contains anything.
Definition: dbus-credentials.c:417
_dbus_credentials_same_user
dbus_bool_t _dbus_credentials_same_user(DBusCredentials *credentials, DBusCredentials *other_credentials)
Check whether the user-identifying credentials in two credentials objects are identical.
Definition: dbus-credentials.c:616
_dbus_credentials_get_adt_audit_data
void * _dbus_credentials_get_adt_audit_data(DBusCredentials *credentials)
Gets the ADT audit data in the credentials, or NULL if the credentials object doesn't contain ADT aud...
Definition: dbus-credentials.c:355
_dbus_credentials_to_string_append
dbus_bool_t _dbus_credentials_to_string_append(DBusCredentials *credentials, DBusString *string)
Convert the credentials in this object to a human-readable string format, and append to the given str...
Definition: dbus-credentials.c:637
_dbus_credentials_copy
DBusCredentials * _dbus_credentials_copy(DBusCredentials *credentials)
Copy a credentials object.
Definition: dbus-credentials.c:587
TRUE
#define TRUE
Expands to "1".
dbus_malloc0
void * dbus_malloc0(size_t bytes)
Allocates the given number of bytes, as with standard malloc(), but all bytes are initialized to zero...
Definition: dbus-memory.c:532
_dbus_credentials_ref
void _dbus_credentials_ref(DBusCredentials *credentials)
Increment refcount on credentials.
Definition: dbus-credentials.c:125
_dbus_credentials_get_unix_uid
dbus_uid_t _dbus_credentials_get_unix_uid(DBusCredentials *credentials)
Gets the UNIX user ID in the credentials, or DBUS_UID_UNSET if the credentials object doesn't contain...
Definition: dbus-credentials.c:316
dbus_free
void dbus_free(void *memory)
Frees a block of memory previously allocated by dbus_malloc() or dbus_malloc0().
Definition: dbus-memory.c:702
_dbus_credentials_get_adt_audit_data_size
dbus_int32_t _dbus_credentials_get_adt_audit_data_size(DBusCredentials *credentials)
Gets the ADT audit data size in the credentials, or 0 if the credentials object doesn't contain ADT a...
Definition: dbus-credentials.c:368
_dbus_credentials_add_credential
dbus_bool_t _dbus_credentials_add_credential(DBusCredentials *credentials, DBusCredentialType which, DBusCredentials *other_credentials)
Merge the given credential found in the second object into the first object, overwriting the first ob...
Definition: dbus-credentials.c:495
_dbus_credentials_add_credentials
dbus_bool_t _dbus_credentials_add_credentials(DBusCredentials *credentials, DBusCredentials *other_credentials)
Merge all credentials found in the second object into the first object, overwriting the first object ...
Definition: dbus-credentials.c:453
DBusString
Definition: dbus-string.h:43
_dbus_string_append_printf
dbus_bool_t _dbus_string_append_printf(DBusString *str, const char *format,...)
Appends a printf-style formatted string to the DBusString.
Definition: dbus-string.c:1114
_dbus_credentials_add_pid
dbus_bool_t _dbus_credentials_add_pid(DBusCredentials *credentials, dbus_pid_t pid)
Add a UNIX process ID to the credentials.
Definition: dbus-credentials.c:163
_dbus_credentials_clear
void _dbus_credentials_clear(DBusCredentials *credentials)
Clear all credentials in the object.
Definition: dbus-credentials.c:563
_dbus_credentials_new_from_current_process
DBusCredentials * _dbus_credentials_new_from_current_process(void)
Creates a new object with credentials (user ID and process ID) from the current process.
Definition: dbus-credentials.c:102
DBusCredentials
Definition: dbus-credentials.c:48
_dbus_credentials_get_pid
dbus_pid_t _dbus_credentials_get_pid(DBusCredentials *credentials)
Gets the UNIX process ID in the credentials, or DBUS_PID_UNSET if the credentials object doesn't cont...
Definition: dbus-credentials.c:303
dbus_pid_t
unsigned long dbus_pid_t
A process ID.
Definition: dbus-sysdeps.h:132
dbus_uid_t
unsigned long dbus_uid_t
A user ID.
Definition: dbus-sysdeps.h:134
FALSE
#define FALSE
Expands to "0".
DBUS_UID_UNSET
#define DBUS_UID_UNSET
an invalid UID used to represent an uninitialized dbus_uid_t field
Definition: dbus-sysdeps.h:141
DBUS_PID_UNSET
#define DBUS_PID_UNSET
an invalid PID used to represent an uninitialized dbus_pid_t field
Definition: dbus-sysdeps.h:139
_dbus_assert_not_reached
#define _dbus_assert_not_reached(explanation)
Aborts with an error message if called.
Definition: dbus-internals.h:163
dbus_new
#define dbus_new(type, count)
Safe macro for using dbus_malloc().
Definition: dbus-memory.h:57
_dbus_credentials_include
dbus_bool_t _dbus_credentials_include(DBusCredentials *credentials, DBusCredentialType type)
Checks whether the given credential is present.
Definition: dbus-credentials.c:270
_dbus_assert
#define _dbus_assert(condition)
Aborts with an error message if the condition is false.
Definition: dbus-internals.h:152
_dbus_strdup
char * _dbus_strdup(const char *str)
Duplicates a string.
Definition: dbus-internals.c:644
_dbus_credentials_are_anonymous
dbus_bool_t _dbus_credentials_are_anonymous(DBusCredentials *credentials)
Checks whether a credentials object contains a user identity.
Definition: dbus-credentials.c:437
_dbus_credentials_add_adt_audit_data
dbus_bool_t _dbus_credentials_add_adt_audit_data(DBusCredentials *credentials, void *audit_data, dbus_int32_t size)
Add ADT audit data to the credentials.
Definition: dbus-credentials.c:246
_dbus_credentials_get_linux_security_label
const char * _dbus_credentials_get_linux_security_label(DBusCredentials *credentials)
Gets the Linux security label (as used by LSMs) from the credentials, or NULL if the credentials obje...
Definition: dbus-credentials.c:342
DBUS_PID_FORMAT
#define DBUS_PID_FORMAT
an appropriate printf format for dbus_pid_t
Definition: dbus-sysdeps.h:152
_dbus_credentials_unref
void _dbus_credentials_unref(DBusCredentials *credentials)
Decrement refcount on credentials.
Definition: dbus-credentials.c:137
_dbus_credentials_add_linux_security_label
dbus_bool_t _dbus_credentials_add_linux_security_label(DBusCredentials *credentials, const char *label)
Add a Linux security label, as used by LSMs such as SELinux, Smack and AppArmor, to the credentials.
Definition: dbus-credentials.c:222
_dbus_memdup
void * _dbus_memdup(const void *mem, size_t n_bytes)
Duplicates a block of memory.
Definition: dbus-internals.c:672
dbus_bool_t
dbus_uint32_t dbus_bool_t
A boolean, valid values are TRUE and FALSE.
Definition: dbus-types.h:35
_dbus_credentials_new
DBusCredentials * _dbus_credentials_new(void)
Creates a new credentials object.
Definition: dbus-credentials.c:75
NULL
#define NULL
A null pointer, defined appropriately for C or C++.
_dbus_credentials_are_superset
dbus_bool_t _dbus_credentials_are_superset(DBusCredentials *credentials, DBusCredentials *possible_subset)
Checks whether the first credentials object contains all the credentials found in the second credenti...
Definition: dbus-credentials.c:382
_dbus_credentials_add_unix_uid
dbus_bool_t _dbus_credentials_add_unix_uid(DBusCredentials *credentials, dbus_uid_t uid)
Add a UNIX user ID to the credentials.
Definition: dbus-credentials.c:182