1 kumpf 1.2 /*
2 //%2006////////////////////////////////////////////////////////////////////////
3 //
4 // Copyright (c) 2000, 2001, 2002 BMC Software; Hewlett-Packard Development
5 // Company, L.P.; IBM Corp.; The Open Group; Tivoli Systems.
6 // Copyright (c) 2003 BMC Software; Hewlett-Packard Development Company, L.P.;
7 // IBM Corp.; EMC Corporation, The Open Group.
8 // Copyright (c) 2004 BMC Software; Hewlett-Packard Development Company, L.P.;
9 // IBM Corp.; EMC Corporation; VERITAS Software Corporation; The Open Group.
10 // Copyright (c) 2005 Hewlett-Packard Development Company, L.P.; IBM Corp.;
11 // EMC Corporation; VERITAS Software Corporation; The Open Group.
12 // Copyright (c) 2006 Hewlett-Packard Development Company, L.P.; IBM Corp.;
13 // EMC Corporation; Symantec Corporation; The Open Group.
14 //
15 // Permission is hereby granted, free of charge, to any person obtaining a copy
16 // of this software and associated documentation files (the "Software"), to
17 // deal in the Software without restriction, including without limitation the
18 // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
19 // sell copies of the Software, and to permit persons to whom the Software is
20 // furnished to do so, subject to the following conditions:
21 //
22 kumpf 1.2 // THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED IN
23 // ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS PROVIDED
24 // "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
25 // LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
26 // PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
27 // HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
28 // ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
29 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
30 //
31 //%/////////////////////////////////////////////////////////////////////////////
32 */
33
34 #include <string.h>
35 #include <unistd.h>
36 #include <ctype.h>
37 #include <fcntl.h>
38 #include "Policy.h"
39 #include "Defines.h"
40 #include "Macro.h"
41 #include "Path.h"
42 #include "Fatal.h"
43 kumpf 1.2 #include "Log.h"
44 #include "Match.h"
45 #include "Messages.h"
46 #include "Globals.h"
47 #include "Strlcat.h"
48 #include "Strlcpy.h"
49
50 /*
51 **==============================================================================
52 **
53 ** ARG()
54 **
55 ** Expands function arguments to "name, value" for use in formatted
56 ** output statements.
57 **
58 ** For example, this,
59 **
60 ** printf("%s=\"%s\"", ARG(count));
61 **
62 ** is expanded to this:
63 **
64 kumpf 1.2 ** printf("%s=\"%s\"", "count", count);
65 **
66 **==============================================================================
67 */
68
69 #define ARG(X) #X, X
70
71 /*
72 **==============================================================================
73 **
74 ** Policy
75 **
76 ** This structure defines a policy rule.
77 **
78 **==============================================================================
79 */
80
struct Policy
{
    /* The executor request this rule applies to (open/remove/rename). */
    enum ExecutorMessageCode messageCode;

    /* Glob-style patterns that are run through ExpandMacros() and then
       Match() against the request's first and second argument. A NULL
       pattern is treated by CheckPolicy() as "no constraint" on that
       argument, so a NULL here silently widens the rule. */
    const char* arg1;
    const char* arg2;
};
87
88 /*
89 **==============================================================================
90 **
91 ** _staticPolicyTable[]
92 **
93 ** This array defines the static policy table for the executor.
94 **
95 **==============================================================================
96 */
97
/*
 * Allowlist consulted by the Check*Policy() functions below: every entry
 * permits an operation, there are no deny entries, and anything not
 * matched here is refused. Patterns are macro-expanded on every check.
 *
 * NOTE(review): the "${...}/*" entries rely on Match() (not in this file)
 * for how far '*' reaches; whether it can span '/' or match ".." components
 * is not visible here -- confirm before treating these as confined to the
 * store directory.
 */
static struct Policy _staticPolicyTable[] =
{
    /* cimserver_current.conf policies */
    {
        EXECUTOR_OPEN_FILE_MESSAGE,
        "${currentConfigFilePath}",
        "w",
    },
    {
        EXECUTOR_RENAME_FILE_MESSAGE,
        "${currentConfigFilePath}",
        "${currentConfigFilePath}.bak",
    },
    {
        EXECUTOR_REMOVE_FILE_MESSAGE,
        "${currentConfigFilePath}",
        NULL,
    },
    {
        EXECUTOR_REMOVE_FILE_MESSAGE,
        "${currentConfigFilePath}.bak",
        NULL,
    },
    /* cimserver_planned.conf policies */
    {
        EXECUTOR_OPEN_FILE_MESSAGE,
        "${plannedConfigFilePath}",
        "w",
    },
    {
        EXECUTOR_RENAME_FILE_MESSAGE,
        "${plannedConfigFilePath}",
        "${plannedConfigFilePath}.bak",
    },
    {
        EXECUTOR_REMOVE_FILE_MESSAGE,
        "${plannedConfigFilePath}",
        NULL,
    },
    {
        EXECUTOR_REMOVE_FILE_MESSAGE,
        "${plannedConfigFilePath}.bak",
        NULL,
    },
    /* cimserver.passwd policies: rename is allowed in both directions
       (live <-> .bak), so the backup can be rolled back as well as made. */
    {
        EXECUTOR_OPEN_FILE_MESSAGE,
        "${passwordFilePath}",
        "w",
    },
    {
        EXECUTOR_RENAME_FILE_MESSAGE,
        "${passwordFilePath}.bak",
        "${passwordFilePath}",
    },
    {
        EXECUTOR_RENAME_FILE_MESSAGE,
        "${passwordFilePath}",
        "${passwordFilePath}.bak",
    },
    {
        EXECUTOR_REMOVE_FILE_MESSAGE,
        "${passwordFilePath}.bak",
        NULL,
    },
    {
        EXECUTOR_REMOVE_FILE_MESSAGE,
        "${passwordFilePath}",
        NULL,
    },
    /* SSL key file policies: read-only; no "w", rename or remove entry
       exists for the key, so those requests are refused. */
    {
        EXECUTOR_OPEN_FILE_MESSAGE,
        "${sslKeyFilePath}",
        "r",
    },
    /* SSL trust store policies. */
    {
        EXECUTOR_OPEN_FILE_MESSAGE,
        "${sslTrustStore}/*",
        "w",
    },
    {
        EXECUTOR_REMOVE_FILE_MESSAGE,
        "${sslTrustStore}/*",
        NULL,
    },
    /* CRL store policies. */
    {
        EXECUTOR_OPEN_FILE_MESSAGE,
        "${crlStore}/*",
        "w",
    },
    {
        EXECUTOR_REMOVE_FILE_MESSAGE,
        "${crlStore}/*",
        NULL,
    },
};

/* Element count of _staticPolicyTable (valid only on the array itself). */
static const size_t _staticPolicyTableSize =
    sizeof(_staticPolicyTable) / sizeof(_staticPolicyTable[0]);
200
201 /*
202 **==============================================================================
203 **
204 ** CheckPolicy()
205 **
206 **==============================================================================
207 */
208
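/*
 * Look for an entry in policyTable that permits the request.
 *
 * An entry matches when its messageCode equals the request's and each
 * non-NULL pattern (after ExpandMacros()) is accepted by Match() for the
 * corresponding argument. A NULL pattern imposes no constraint on that
 * argument. The first matching entry wins; since every entry is an allow
 * rule, table order does not affect the result.
 *
 * Returns 0 when some entry permits the request, -1 otherwise (including
 * when a pattern fails to expand, which is treated as "no match").
 *
 * NOTE(review): ExpandMacros() takes no output length; pat is sized
 * EXECUTOR_BUFFER_SIZE on the assumption that it bounds its writes to that
 * size -- confirm in Macro.c.
 */
static int CheckPolicy(
    const struct Policy* policyTable,
    size_t policyTableSize,
    enum ExecutorMessageCode messageCode,
    const char* arg1,
    const char* arg2)
{
    size_t i;

    for (i = 0; i < policyTableSize; i++)
    {
        const struct Policy* p = &policyTable[i];
        char pat[EXECUTOR_BUFFER_SIZE];

        if (p->messageCode != messageCode)
            continue;

        if (p->arg1)
        {
            /* An entry that constrains arg1 cannot be satisfied by a
               missing argument; skip it rather than hand NULL to Match(). */
            if (!arg1)
                continue;

            if (ExpandMacros(p->arg1, pat) != 0 || Match(pat, arg1) != 0)
                continue;
        }

        if (p->arg2)
        {
            /* Same guard for arg2 (e.g. a remove request carries none). */
            if (!arg2)
                continue;

            if (ExpandMacros(p->arg2, pat) != 0 || Match(pat, arg2) != 0)
                continue;
        }

        /* Found a matching policy. */
        return 0;
    }

    /* No entry permits this request. */
    return -1;
}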
257
258 /*
259 **==============================================================================
260 **
261 ** CheckOpenFilePolicy()
262 **
263 **==============================================================================
264 */
265
/*
 * Decide whether the executor may open path with the given mode.
 *
 * mode is a single character ('r', 'w', ...) and is matched against the
 * policy table as a one-character string; the static table only lists
 * "r" and "w", so any other mode is refused. Returns 0 when permitted.
 * On refusal the failure is logged at LL_SEVERE and -1 is returned --
 * unless EXIT_ON_POLICY_FAILURE is defined, in which case the process
 * exits via Fatal(). The caller is responsible for honouring -1.
 */
int CheckOpenFilePolicy(const char* path, int mode)
{
    const char modeStr[2] = { (char)mode, '\0' };
    int permitted = CheckPolicy(_staticPolicyTable, _staticPolicyTableSize,
        EXECUTOR_OPEN_FILE_MESSAGE, path, modeStr);

    if (permitted != 0)
    {
        Log(LL_SEVERE, "CheckOpenFilePolicy(%s=\"%s\", %s='%c') failed",
            ARG(path), ARG(mode));

#if defined(EXIT_ON_POLICY_FAILURE)
        Fatal(FL, "exited due to policy failure");
#endif

        return -1;
    }

    Log(LL_TRACE, "CheckOpenFilePolicy(%s=\"%s\", %s='%c') passed",
        ARG(path), ARG(mode));
    return 0;
}
290
291 /*
292 **==============================================================================
293 **
294 ** CheckRemoveFilePolicy()
295 kumpf 1.2 **
296 **==============================================================================
297 */
298
/*
 * Decide whether the executor may remove path.
 *
 * Remove entries carry no second argument, so NULL is passed for arg2.
 * Returns 0 when permitted; otherwise logs at LL_SEVERE and returns -1
 * (or exits via Fatal() when EXIT_ON_POLICY_FAILURE is defined).
 */
int CheckRemoveFilePolicy(const char* path)
{
    int permitted = CheckPolicy(_staticPolicyTable, _staticPolicyTableSize,
        EXECUTOR_REMOVE_FILE_MESSAGE, path, NULL);

    if (permitted != 0)
    {
        Log(LL_SEVERE, "CheckRemoveFilePolicy(%s=\"%s\") failed", ARG(path));

#if defined(EXIT_ON_POLICY_FAILURE)
        Fatal(FL, "exited due to policy failure");
#endif

        return -1;
    }

    Log(LL_TRACE, "CheckRemoveFilePolicy(%s=\"%s\") passed", ARG(path));
    return 0;
}
316 kumpf 1.2
317 /*
318 **==============================================================================
319 **
320 ** CheckRenameFilePolicy()
321 **
322 **==============================================================================
323 */
324
/*
 * Decide whether the executor may rename oldPath to newPath.
 *
 * Both paths must match the corresponding patterns of one rename entry.
 * Returns 0 when permitted; otherwise logs at LL_SEVERE and returns -1
 * (or exits via Fatal() when EXIT_ON_POLICY_FAILURE is defined).
 */
int CheckRenameFilePolicy(const char* oldPath, const char* newPath)
{
    int permitted = CheckPolicy(_staticPolicyTable, _staticPolicyTableSize,
        EXECUTOR_RENAME_FILE_MESSAGE, oldPath, newPath);

    if (permitted != 0)
    {
        Log(LL_SEVERE, "CheckRenameFilePolicy(%s=\"%s\", %s=\"%s\") failed",
            ARG(oldPath), ARG(newPath));

#if defined(EXIT_ON_POLICY_FAILURE)
        Fatal(FL, "exited due to policy failure");
#endif

        return -1;
    }

    Log(LL_TRACE, "CheckRenameFilePolicy(%s=\"%s\", %s=\"%s\") passed",
        ARG(oldPath), ARG(newPath));
    return 0;
}
344
345 /*
346 **==============================================================================
347 **
348 ** _DumpPolicyHelper()
349 **
350 ** Dump the policy table given by *policyTable* and *policyTableSize*.
351 ** Expand any macros in the entries.
352 **
353 **==============================================================================
354 */
355
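/*
 * Render one policy pattern into buf for display.
 *
 * With expandMacros set, the pattern is passed through ExpandMacros();
 * if that fails the raw pattern is copied instead, so buf is never left
 * uninitialized (the original dump ignored the return value). A NULL
 * pattern -- which CheckPolicy() treats as "no constraint" -- is shown as
 * "*". buf must be EXECUTOR_BUFFER_SIZE bytes because ExpandMacros()
 * takes no output length; bufSize only bounds the Strlcpy() fallbacks.
 */
static void _FormatPolicyArg(
    const char* pattern,
    char* buf,
    size_t bufSize,
    int expandMacros)
{
    if (!pattern)
    {
        Strlcpy(buf, "*", bufSize);
        return;
    }

    if (expandMacros && ExpandMacros(pattern, buf) == 0)
        return;

    Strlcpy(buf, pattern, bufSize);
}

/*
 * Print every entry of policyTable, one per line, as
 * CODE("arg1", "arg2") or CODE("arg1") when the entry has no arg2.
 * Macros in the patterns are expanded when expandMacros is non-zero.
 */
static void _DumpPolicyHelper(
    const struct Policy* policyTable,
    size_t policyTableSize,
    int expandMacros)
{
    size_t i;

    for (i = 0; i < policyTableSize; i++)
    {
        const struct Policy* p = &policyTable[i];
        const char* codeStr = MessageCodeToString(p->messageCode);
        char arg1[EXECUTOR_BUFFER_SIZE];
        char arg2[EXECUTOR_BUFFER_SIZE];

        _FormatPolicyArg(p->arg1, arg1, sizeof(arg1), expandMacros);

        if (p->arg2)
        {
            _FormatPolicyArg(p->arg2, arg2, sizeof(arg2), expandMacros);
            printf("%s(\"%s\", \"%s\")\n", codeStr, arg1, arg2);
        }
        else
        {
            printf("%s(\"%s\")\n", codeStr, arg1);
        }
    }
}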
391
392 /*
393 **==============================================================================
394 **
395 ** DumpPolicy()
396 **
** Dump the static policy table (no dynamic table is defined in this file).
398 **
399 **==============================================================================
400 kumpf 1.2 */
401
/*
 * Write the policy table to stdout under a "===== Policy:" heading,
 * followed by a blank line. expandMacros is forwarded to the helper and
 * controls whether "${...}" macros are expanded before printing.
 */
void DumpPolicy(int expandMacros)
{
    puts("===== Policy:");
    _DumpPolicyHelper(_staticPolicyTable, _staticPolicyTableSize,
        expandMacros);
    putchar('\n');
}
|