xref: /titanic_41/usr/src/lib/policykit/libpolkit/common/libpolkit-rbac.c (revision a9da3307db733eb1739ba859952610bba3d894ab)
118c2aff7Sartem /***************************************************************************
218c2aff7Sartem  *
318c2aff7Sartem  * libpolkit-rbac.c : RBAC implementation of the libpolkit API
418c2aff7Sartem  *
5d2ec54f7Sphitran  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
618c2aff7Sartem  * Use is subject to license terms.
718c2aff7Sartem  *
818c2aff7Sartem  * Licensed under the Academic Free License version 2.1
918c2aff7Sartem  *
1018c2aff7Sartem  **************************************************************************/
1118c2aff7Sartem 
1218c2aff7Sartem #pragma ident	"%Z%%M%	%I%	%E% SMI"
1318c2aff7Sartem 
1418c2aff7Sartem #ifdef HAVE_CONFIG_H
1518c2aff7Sartem #  include <config.h>
1618c2aff7Sartem #endif
1718c2aff7Sartem 
1818c2aff7Sartem #include <stdio.h>
1918c2aff7Sartem #include <stdlib.h>
2018c2aff7Sartem #include <string.h>
2118c2aff7Sartem #include <sys/types.h>
2218c2aff7Sartem #include <pwd.h>
2318c2aff7Sartem #include <grp.h>
2418c2aff7Sartem #include <unistd.h>
2518c2aff7Sartem #include <errno.h>
2618c2aff7Sartem #include <auth_attr.h>
2718c2aff7Sartem #include <secdb.h>
2818c2aff7Sartem 
2918c2aff7Sartem #include <glib.h>
3018c2aff7Sartem #include <dbus/dbus-glib.h>
3118c2aff7Sartem 
3218c2aff7Sartem #include "libpolkit.h"
3318c2aff7Sartem 
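/* Tag stored in every live LibPolKitContext; see LIBPOLKIT_CHECK_CONTEXT. */
#define LIBPOLKIT_MAGIC 0x3117beef

/* Sun Studio spells the current-function identifier the C99 way only. */
#ifdef __SUNPRO_C
#define __FUNCTION__ __func__
#endif

/*
 * Sanity-check a LibPolKitContext pointer at the top of an API function.
 *
 * Logs a warning and makes the *enclosing function* return _ret_ when the
 * pointer is NULL or does not carry LIBPOLKIT_MAGIC.  The tag catches stale,
 * uninitialised or wrong-typed pointers; it is a debugging aid and not an
 * access-control mechanism, since the value is a public constant.
 *
 * _ctx_ is expanded several times, so pass an expression without side
 * effects.  Every use is parenthesised so that arguments such as `&local`
 * or `base + i` bind correctly in front of `->`.
 */
#define LIBPOLKIT_CHECK_CONTEXT(_ctx_, _ret_)				\
	do {								\
		if ((_ctx_) == NULL) {					\
			g_warning ("%s: given LibPolKitContext is NULL", \
				   __FUNCTION__);			\
			return _ret_;					\
		}							\
		if ((_ctx_)->magic != LIBPOLKIT_MAGIC) {		\
			g_warning ("%s: given LibPolKitContext is invalid (read magic 0x%08x, should be 0x%08x)", \
				   __FUNCTION__, (_ctx_)->magic, LIBPOLKIT_MAGIC); \
			return _ret_;					\
		}							\
	} while(0)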
5318c2aff7Sartem 
5418c2aff7Sartem 
/*
 * Context handed out by libpolkit_new_context().  The RBAC backend keeps no
 * state of its own; the only member is the validity tag that
 * LIBPOLKIT_CHECK_CONTEXT compares against LIBPOLKIT_MAGIC.
 */
struct LibPolKitContext_s {
	guint32 magic;	/* LIBPOLKIT_MAGIC while live, 0 once freed */
};
5918c2aff7Sartem 
/** Get a new context.
 *
 *  @param  connection          D-Bus connection; not used by this RBAC
 *                              implementation
 *  @return                     Pointer to a new zero-filled context tagged
 *                              with LIBPOLKIT_MAGIC.  g_new0() aborts the
 *                              process on allocation failure rather than
 *                              returning NULL.
 */
LibPolKitContext *
libpolkit_new_context (DBusConnection *connection)
{
	LibPolKitContext *new_ctx = g_new0 (LibPolKitContext, 1);

	/* Tag the context so later API calls can recognise it. */
	new_ctx->magic = LIBPOLKIT_MAGIC;
	return new_ctx;
}
7418c2aff7Sartem 
/** Free a context
 *
 *  @param  ctx                 The context obtained from libpolkit_new_context
 *  @return                     TRUE if the context was valid and has been
 *                              freed; FALSE if ctx was NULL or did not carry
 *                              LIBPOLKIT_MAGIC (nothing is freed then)
 */
gboolean
libpolkit_free_context (LibPolKitContext *ctx)
{
	LIBPOLKIT_CHECK_CONTEXT (ctx, FALSE);

	/*
	 * Clear the tag before releasing the memory so that a later call on
	 * the stale pointer has a chance of failing the magic check.  This is
	 * best effort only: reading freed memory is still undefined.
	 */
	ctx->magic = 0;
	g_free (ctx);

	return TRUE;
}
8918c2aff7Sartem 
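/** Get the resources a user may access under a privilege.
 *
 *  The RBAC backend has no per-resource grants: it always reports two empty
 *  lists and a count of zero.  user and privilege are not consulted.
 *
 *  @param  ctx                 The context obtained from libpolkit_new_context
 *  @param  user                Ignored
 *  @param  privilege           Ignored
 *  @param  resources           Out: set to NULL (empty list)
 *  @param  restrictions        Out: set to NULL (empty list)
 *  @param  num_non_temporary   Out, may be NULL: set to 0 so callers never
 *                              read an uninitialised count
 *  @return                     LIBPOLKIT_RESULT_OK on success,
 *                              LIBPOLKIT_RESULT_INVALID_CONTEXT for a bad
 *                              ctx, LIBPOLKIT_RESULT_ERROR if a list pointer
 *                              is NULL
 */
LibPolKitResult
libpolkit_get_allowed_resources_for_privilege_for_uid (LibPolKitContext    *ctx,
						       const char          *user,
						       const char          *privilege,
						       GList              **resources,
						       GList              **restrictions,
						       int                 *num_non_temporary)
{
	LIBPOLKIT_CHECK_CONTEXT (ctx, LIBPOLKIT_RESULT_INVALID_CONTEXT);

	if (resources == NULL || restrictions == NULL) {
		return LIBPOLKIT_RESULT_ERROR;
	}

	*resources = NULL;
	*restrictions = NULL;
	if (num_non_temporary != NULL) {
		*num_non_temporary = 0;
	}

	return LIBPOLKIT_RESULT_OK;
}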
11418c2aff7Sartem 
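/** Check whether a user holds the RBAC authorization that corresponds to a
 *  PolicyKit privilege.
 *
 *  The privilege name is mapped to a Solaris authorization name and the
 *  decision is delegated to chkauthattr().  system_bus_unique_name and
 *  resource are not consulted by this backend.
 *
 *  @param  ctx                 The context obtained from libpolkit_new_context
 *  @param  system_bus_unique_name  Ignored
 *  @param  user                Numeric uid as a decimal string
 *  @param  privilege           PolicyKit privilege name
 *  @param  resource            Ignored
 *  @param  out_is_allowed      Out: TRUE only if chkauthattr() grants the
 *                              authorization; FALSE on every error path
 *  @param  out_is_temporary    Out: always FALSE
 *  @param  out_is_privileged_but_restricted_to_system_bus_unique_name
 *                              Out, may be NULL: always set to NULL
 *  @return                     LIBPOLKIT_RESULT_OK when a decision was made,
 *                              LIBPOLKIT_RESULT_NO_SUCH_USER if user is not a
 *                              valid uid string or has no passwd entry,
 *                              LIBPOLKIT_RESULT_INVALID_CONTEXT for a bad
 *                              ctx, LIBPOLKIT_RESULT_ERROR for NULL arguments
 */
LibPolKitResult
libpolkit_is_uid_allowed_for_privilege (LibPolKitContext   *ctx,
					const char         *system_bus_unique_name,
					const char         *user,
					const char         *privilege,
					const char         *resource,
					gboolean           *out_is_allowed,
					gboolean           *out_is_temporary,
					char              **out_is_privileged_but_restricted_to_system_bus_unique_name)
{
	/* PolicyKit privilege -> RBAC authorization */
	static const struct {
		const char *privilege;
		const char *authname;
	} auth_map[] = {
		{ "hal-storage-removable-mount",
		    "solaris.device.mount.removable" },
		{ "hal-storage-removable-mount-all-options",
		    "solaris.device.mount.alloptions.removable" },
		{ "hal-storage-fixed-mount",
		    "solaris.device.mount.fixed" },
		{ "hal-storage-fixed-mount-all-options",
		    "solaris.device.mount.alloptions.fixed" },
		{ "hal-power-suspend",
		    "solaris.system.power.suspend.ram" },
		{ "hal-power-hibernate",
		    "solaris.system.power.suspend.disk" },
		{ "hal-power-shutdown",
		    "solaris.system.shutdown" },
		{ "hal-power-reboot",
		    "solaris.system.shutdown" },
		{ "hal-power-cpu",
		    "solaris.system.power.cpu" },
		{ "hal-power-brightness",
		    "solaris.system.power.brightness" }
	};
	const char *authname = NULL;
	char *derived_authname = NULL;
	char *end = NULL;
	char *p;
	long uid_value;
	struct passwd *pw;
	size_t i;

	LIBPOLKIT_CHECK_CONTEXT (ctx, LIBPOLKIT_RESULT_INVALID_CONTEXT);

	if (out_is_allowed == NULL || out_is_temporary == NULL) {
		return LIBPOLKIT_RESULT_ERROR;
	}

	/* Fail closed: every early return below leaves the answer at "no". */
	*out_is_allowed = FALSE;
	*out_is_temporary = FALSE;
	if (out_is_privileged_but_restricted_to_system_bus_unique_name != NULL) {
		*out_is_privileged_but_restricted_to_system_bus_unique_name = NULL;
	}

	if (user == NULL || privilege == NULL) {
		return LIBPOLKIT_RESULT_ERROR;
	}

	/*
	 * Parse the uid strictly.  atol() turns an empty or non-numeric
	 * string into 0, which would make the check run against uid 0
	 * instead of the requesting user.  Reject anything that is not a
	 * complete, non-negative decimal number that fits in uid_t.
	 */
	errno = 0;
	uid_value = strtol (user, &end, 10);
	if (end == user || *end != '\0' || errno == ERANGE ||
	    uid_value < 0 || (long)(uid_t)uid_value != uid_value) {
		return LIBPOLKIT_RESULT_NO_SUCH_USER;
	}

	/*
	 * getpwuid() returns static storage; pw->pw_name is only used for
	 * the chkauthattr() call below.
	 */
	if ((pw = getpwuid ((uid_t)uid_value)) == NULL) {
		return LIBPOLKIT_RESULT_NO_SUCH_USER;
	}

	for (i = 0; i < sizeof (auth_map) / sizeof (auth_map[0]); i++) {
		if (strcmp (privilege, auth_map[i].privilege) == 0) {
			authname = auth_map[i].authname;
			break;
		}
	}

	if (authname == NULL) {
		/*
		 * Unmapped privilege: replace '-' with '.' and pass the
		 * result to chkauthattr() as the authorization name.
		 * NOTE(review): the caller-supplied string selects the
		 * authorization here; consider restricting this to a known
		 * set if privilege names can come from untrusted callers.
		 */
		derived_authname = g_strdup (privilege);
		for (p = derived_authname; *p != '\0'; p++) {
			if (*p == '-') {
				*p = '.';
			}
		}
		authname = derived_authname;
	}

	*out_is_allowed = (chkauthattr (authname, pw->pw_name) != 0);

	g_free (derived_authname);

	return LIBPOLKIT_RESULT_OK;
}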
18618c2aff7Sartem 
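/** Get the list of known privileges.
 *
 *  The RBAC backend does not enumerate privileges and always reports an
 *  empty list.
 *
 *  @param  ctx                 The context obtained from libpolkit_new_context
 *  @param  result              Out: set to NULL (empty list)
 *  @return                     LIBPOLKIT_RESULT_OK on success,
 *                              LIBPOLKIT_RESULT_INVALID_CONTEXT for a bad
 *                              ctx, LIBPOLKIT_RESULT_ERROR if result is NULL
 */
LibPolKitResult
libpolkit_get_privilege_list (LibPolKitContext      *ctx,
			      GList                **result)
{
	LIBPOLKIT_CHECK_CONTEXT (ctx, LIBPOLKIT_RESULT_INVALID_CONTEXT);

	if (result == NULL) {
		return LIBPOLKIT_RESULT_ERROR;
	}

	/*
	 * The earlier copy loop ran zero times over a pointer that was never
	 * initialised; it is removed so the pointer cannot be dereferenced
	 * if a count is ever filled in.
	 */
	*result = NULL;

	return LIBPOLKIT_RESULT_OK;
}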
20818c2aff7Sartem 
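/** Revoke a temporary privilege.
 *
 *  No-op in the RBAC backend: libpolkit_is_uid_allowed_for_privilege never
 *  reports a privilege as temporary, so there is nothing to revoke.  ctx,
 *  user, privilege and resource are not consulted.
 *
 *  @param  ctx                 Ignored
 *  @param  user                Ignored
 *  @param  privilege           Ignored
 *  @param  resource            Ignored
 *  @param  result              Out, may be NULL: set to FALSE so callers do
 *                              not read an uninitialised value.
 *                              NOTE(review): confirm callers treat FALSE as
 *                              "nothing was revoked".
 *  @return                     LIBPOLKIT_RESULT_OK always
 */
LibPolKitResult
libpolkit_revoke_temporary_privilege (LibPolKitContext      *ctx,
                                      const char            *user,
                                      const char            *privilege,
                                      const char            *resource,
                                      gboolean              *result)
{
	if (result != NULL) {
		*result = FALSE;
	}

	return LIBPOLKIT_RESULT_OK;
}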