1 kumpf 1.2 /*
2 //%2006////////////////////////////////////////////////////////////////////////
3 //
4 // Copyright (c) 2000, 2001, 2002 BMC Software; Hewlett-Packard Development
5 // Company, L.P.; IBM Corp.; The Open Group; Tivoli Systems.
6 // Copyright (c) 2003 BMC Software; Hewlett-Packard Development Company, L.P.;
7 // IBM Corp.; EMC Corporation, The Open Group.
8 // Copyright (c) 2004 BMC Software; Hewlett-Packard Development Company, L.P.;
9 // IBM Corp.; EMC Corporation; VERITAS Software Corporation; The Open Group.
10 // Copyright (c) 2005 Hewlett-Packard Development Company, L.P.; IBM Corp.;
11 // EMC Corporation; VERITAS Software Corporation; The Open Group.
12 // Copyright (c) 2006 Hewlett-Packard Development Company, L.P.; IBM Corp.;
13 // EMC Corporation; Symantec Corporation; The Open Group.
14 //
15 // Permission is hereby granted, free of charge, to any person obtaining a copy
16 // of this software and associated documentation files (the "Software"), to
17 // deal in the Software without restriction, including without limitation the
18 // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
19 // sell copies of the Software, and to permit persons to whom the Software is
20 // furnished to do so, subject to the following conditions:
21 //
22 kumpf 1.2 // THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED IN
23 // ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS PROVIDED
24 // "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
25 // LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
26 // PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
27 // HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
28 // ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
29 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
30 //
31 //%/////////////////////////////////////////////////////////////////////////////
32 */
33
34 #include <string.h>
35 #include <unistd.h>
36 #include <ctype.h>
37 #include <fcntl.h>
38 #include "Policy.h"
39 #include "Defines.h"
40 #include "Macro.h"
41 #include "Path.h"
42 #include "Fatal.h"
43 kumpf 1.2 #include "Log.h"
44 #include "Match.h"
45 #include "Messages.h"
46 #include "Globals.h"
47 #include "Strlcat.h"
48 #include "Strlcpy.h"
49
50 /*
51 **==============================================================================
52 **
53 ** ARG()
54 **
55 ** Expands function arguments to "name, value" for use in formatted
56 ** output statements.
57 **
58 ** For example, this,
59 **
60 ** printf("%s=\"%s\"", ARG(count));
61 **
62 ** is expanded to this:
63 **
64 kumpf 1.2 ** printf("%s=\"%s\"", "count", count);
65 **
66 **==============================================================================
67 */
68
69 #define ARG(X) #X, X
70
71 /*
72 **==============================================================================
73 **
74 ** _staticPolicyTable[]
75 **
76 ** This array defines the static policy table for the executor.
77 **
78 **==============================================================================
79 */
80
81 static struct Policy _staticPolicyTable[] =
82 {
83 /* cimserver_current.conf policies */
84 {
85 kumpf 1.2 EXECUTOR_OPEN_FILE_MESSAGE,
86 "${currentConfigFilePath}",
87 "w",
|
88 kumpf 1.6 (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) /* 0644 */
|
89 kumpf 1.2 },
90 {
91 EXECUTOR_RENAME_FILE_MESSAGE,
92 "${currentConfigFilePath}",
93 "${currentConfigFilePath}.bak",
|
94 kumpf 1.6 0, /* flags */
|
95 kumpf 1.2 },
96 {
97 EXECUTOR_REMOVE_FILE_MESSAGE,
98 "${currentConfigFilePath}",
99 NULL,
|
100 kumpf 1.6 0, /* flags */
|
101 kumpf 1.2 },
102 {
103 EXECUTOR_REMOVE_FILE_MESSAGE,
104 "${currentConfigFilePath}.bak",
105 NULL,
|
106 kumpf 1.6 0, /* flags */
|
107 kumpf 1.2 },
108 /* cimserver_planned.conf policies */
109 {
110 EXECUTOR_OPEN_FILE_MESSAGE,
111 "${plannedConfigFilePath}",
112 "w",
|
113 kumpf 1.6 (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) /* 0644 */
|
114 kumpf 1.2 },
115 {
116 EXECUTOR_RENAME_FILE_MESSAGE,
117 "${plannedConfigFilePath}",
118 "${plannedConfigFilePath}.bak",
|
119 kumpf 1.6 0, /* flags */
|
120 kumpf 1.2 },
121 {
122 EXECUTOR_REMOVE_FILE_MESSAGE,
123 "${plannedConfigFilePath}",
124 NULL,
|
125 kumpf 1.6 0, /* flags */
|
126 kumpf 1.2 },
127 {
128 EXECUTOR_REMOVE_FILE_MESSAGE,
129 "${plannedConfigFilePath}.bak",
130 NULL,
|
131 kumpf 1.6 0, /* flags */
|
132 kumpf 1.2 },
133 /* cimserver.passwd policies */
134 {
135 EXECUTOR_OPEN_FILE_MESSAGE,
136 "${passwordFilePath}",
137 "w",
|
138 kumpf 1.6 (S_IRUSR | S_IWUSR) /* 0600 */
|
139 kumpf 1.2 },
140 {
141 EXECUTOR_RENAME_FILE_MESSAGE,
142 "${passwordFilePath}.bak",
143 "${passwordFilePath}",
|
144 kumpf 1.6 0, /* flags */
|
145 kumpf 1.2 },
146 {
147 EXECUTOR_RENAME_FILE_MESSAGE,
148 "${passwordFilePath}",
149 "${passwordFilePath}.bak",
|
150 kumpf 1.6 0, /* flags */
|
151 kumpf 1.2 },
152 {
153 EXECUTOR_REMOVE_FILE_MESSAGE,
154 "${passwordFilePath}.bak",
155 NULL,
|
156 kumpf 1.6 0, /* flags */
|
157 kumpf 1.2 },
158 {
159 EXECUTOR_REMOVE_FILE_MESSAGE,
160 "${passwordFilePath}",
161 NULL,
|
162 kumpf 1.6 0, /* flags */
|
163 kumpf 1.2 },
164 /* SSL key file policies. */
165 {
166 EXECUTOR_OPEN_FILE_MESSAGE,
167 "${sslKeyFilePath}",
168 "r",
|
169 kumpf 1.6 0, /* flags not used when opening a file for read access */
|
170 kumpf 1.2 },
171 /* SSL trust store policies. */
172 {
173 EXECUTOR_OPEN_FILE_MESSAGE,
174 "${sslTrustStore}/*",
175 "w",
|
176 kumpf 1.6 (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) /* 0644 */
|
177 kumpf 1.2 },
178 {
179 EXECUTOR_REMOVE_FILE_MESSAGE,
180 "${sslTrustStore}/*",
181 NULL,
|
182 kumpf 1.6 0, /* flags */
|
183 kumpf 1.2 },
184 /* CRL store policies. */
185 {
186 EXECUTOR_OPEN_FILE_MESSAGE,
187 "${crlStore}/*",
188 "w",
|
189 kumpf 1.6 (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) /* 0644 */
|
190 kumpf 1.2 },
191 {
192 EXECUTOR_REMOVE_FILE_MESSAGE,
193 "${crlStore}/*",
194 NULL,
|
195 kumpf 1.6 0, /* flags */
|
196 kumpf 1.2 },
197 };
198
199 static const size_t _staticPolicyTableSize =
200 sizeof(_staticPolicyTable) / sizeof(_staticPolicyTable[0]);
201
202 /*
203 **==============================================================================
204 **
205 ** CheckPolicy()
206 **
207 **==============================================================================
208 */
209
|
210 kumpf 1.4 int CheckPolicy(
|
211 kumpf 1.2 const struct Policy* policyTable,
212 size_t policyTableSize,
213 enum ExecutorMessageCode messageCode,
214 const char* arg1,
|
215 kumpf 1.6 const char* arg2,
216 unsigned long* flags)
|
217 kumpf 1.2 {
218 size_t i;
219
|
220 kumpf 1.6 /* Clear the flags. */
221
222 if (flags)
223 *flags = 0;
224
|
225 kumpf 1.2 for (i = 0; i < policyTableSize; i++)
226 {
227 const struct Policy* p;
228
229 p = &policyTable[i];
230
231 /* Check message code */
232
233 if (p->messageCode != messageCode)
234 continue;
235
236 /* Check arg1. */
237
238 if (p->arg1)
239 {
240 char pat[EXECUTOR_BUFFER_SIZE];
241
242 if (ExpandMacros(p->arg1, pat) != 0 || Match(pat, arg1) != 0)
243 continue;
244 }
245
246 kumpf 1.2 /* Check arg2. */
247
248 if (p->arg2)
249 {
250 char pat[EXECUTOR_BUFFER_SIZE];
251
252 if (ExpandMacros(p->arg2, pat) != 0 || Match(pat, arg2) != 0)
253 continue;
254 }
255
|
256 kumpf 1.6 /* Set the output flags argument. */
257
258 if (flags)
259 *flags = p->flags;
260
|
261 kumpf 1.2 /* Found a matching policy! */
|
262 kumpf 1.6
|
263 kumpf 1.2 return 0;
264 }
265
266 /* Failed to find any matching policy. */
267
268 return -1;
269 }
270
271 /*
272 **==============================================================================
273 **
274 ** CheckOpenFilePolicy()
275 **
276 **==============================================================================
277 */
278
|
279 kumpf 1.6 int CheckOpenFilePolicy(const char* path, int mode, unsigned long* flags)
|
280 kumpf 1.2 {
281 char arg2[2];
282
283 arg2[0] = mode;
284 arg2[1] = '\0';
285
286 if (CheckPolicy(_staticPolicyTable, _staticPolicyTableSize,
|
287 kumpf 1.6 EXECUTOR_OPEN_FILE_MESSAGE, path, arg2, flags) == 0)
|
288 kumpf 1.2 {
289 Log(LL_TRACE, "CheckOpenFilePolicy(%s=\"%s\", %s='%c') passed",
290 ARG(path), ARG(mode));
291 return 0;
292 }
293
294 Log(LL_SEVERE, "CheckOpenFilePolicy(%s=\"%s\", %s='%c') failed",
295 ARG(path), ARG(mode));
296
297 #if defined(EXIT_ON_POLICY_FAILURE)
298 Fatal(FL, "exited due to policy failure");
299 #endif
300
301 return -1;
302 }
303
304 /*
305 **==============================================================================
306 **
307 ** CheckRemoveFilePolicy()
308 **
309 kumpf 1.2 **==============================================================================
310 */
311
312 int CheckRemoveFilePolicy(const char* path)
313 {
314 if (CheckPolicy(_staticPolicyTable, _staticPolicyTableSize,
|
315 kumpf 1.6 EXECUTOR_REMOVE_FILE_MESSAGE, path, NULL, NULL) == 0)
|
316 kumpf 1.2 {
317 Log(LL_TRACE, "CheckRemoveFilePolicy(%s=\"%s\") passed", ARG(path));
318 return 0;
319 }
320
321 Log(LL_SEVERE, "CheckRemoveFilePolicy(%s=\"%s\") failed", ARG(path));
322
323 #if defined(EXIT_ON_POLICY_FAILURE)
324 Fatal(FL, "exited due to policy failure");
325 #endif
326
327 return -1;
328 }
329
330 /*
331 **==============================================================================
332 **
333 ** CheckRenameFilePolicy()
334 **
335 **==============================================================================
336 */
337 kumpf 1.2
338 int CheckRenameFilePolicy(const char* oldPath, const char* newPath)
339 {
340 if (CheckPolicy(_staticPolicyTable, _staticPolicyTableSize,
|
341 kumpf 1.6 EXECUTOR_RENAME_FILE_MESSAGE, oldPath, newPath, NULL) == 0)
|
342 kumpf 1.2 {
343 Log(LL_TRACE, "CheckRenameFilePolicy(%s=\"%s\", %s=\"%s\") passed",
344 ARG(oldPath), ARG(newPath));
345 return 0;
346 }
347
348 Log(LL_SEVERE, "CheckRenameFilePolicy(%s=\"%s\", %s=\"%s\") failed",
349 ARG(oldPath), ARG(newPath));
350
351 #if defined(EXIT_ON_POLICY_FAILURE)
352 Fatal(FL, "exited due to policy failure");
353 #endif
354
355 return -1;
356 }
357
358 /*
359 **==============================================================================
360 **
|
361 kumpf 1.5 ** DumpPolicyHelper()
|
362 kumpf 1.2 **
363 ** Dump the policy table given by *policyTable* and *policyTableSize*.
|
364 kumpf 1.5 ** Expand any macros in the entries, if requested.
|
365 kumpf 1.2 **
366 **==============================================================================
367 */
368
|
369 kumpf 1.5 void DumpPolicyHelper(
370 FILE* outputStream,
|
371 kumpf 1.2 const struct Policy* policyTable,
372 size_t policyTableSize,
373 int expandMacros)
374 {
375 size_t i;
376
377 for (i = 0; i < policyTableSize; i++)
378 {
379 const struct Policy* p = &policyTable[i];
380 const char* codeStr = MessageCodeToString(p->messageCode);
381 char arg1[EXECUTOR_BUFFER_SIZE];
382 char arg2[EXECUTOR_BUFFER_SIZE];
383
384 if (expandMacros)
385 {
|
386 kumpf 1.5 if (p->arg1)
387 ExpandMacros(p->arg1, arg1);
|
388 kumpf 1.2
389 if (p->arg2)
390 ExpandMacros(p->arg2, arg2);
391 }
392 else
393 {
|
394 kumpf 1.5 if (p->arg1)
395 Strlcpy(arg1, p->arg1, sizeof(arg1));
|
396 kumpf 1.2
397 if (p->arg2)
398 Strlcpy(arg2, p->arg2, sizeof(arg2));
399 }
400
|
401 kumpf 1.5 fprintf(outputStream, "%s(", codeStr);
402 if (p->arg1)
403 fprintf(outputStream, "\"%s\"", arg1);
|
404 kumpf 1.2 if (p->arg2)
|
405 kumpf 1.5 fprintf(outputStream, ", \"%s\"", arg2);
406 fprintf(outputStream, ")\n");
|
407 kumpf 1.2 }
408 }
409
410 /*
411 **==============================================================================
412 **
413 ** DumpPolicy()
414 **
|
415 kumpf 1.5 ** Dump the static policy table.
|
416 kumpf 1.2 **
417 **==============================================================================
418 */
419
|
420 kumpf 1.5 void DumpPolicy(FILE* outputStream, int expandMacros)
|
421 kumpf 1.2 {
|
422 kumpf 1.5 fprintf(outputStream, "===== Policy:\n");
|
423 kumpf 1.2
|
424 kumpf 1.5 DumpPolicyHelper(
425 outputStream, _staticPolicyTable, _staticPolicyTableSize, expandMacros);
|
426 kumpf 1.2
|
427 kumpf 1.5 putc('\n', outputStream);
|
428 kumpf 1.2 }
|