1 kumpf 1.2 /*
|
2 martin 1.7 //%LICENSE////////////////////////////////////////////////////////////////
|
3 martin 1.8 //
|
4 martin 1.7 // Licensed to The Open Group (TOG) under one or more contributor license
5 // agreements. Refer to the OpenPegasusNOTICE.txt file distributed with
6 // this work for additional information regarding copyright ownership.
7 // Each contributor licenses this file to you under the OpenPegasus Open
8 // Source License; you may not use this file except in compliance with the
9 // License.
|
10 martin 1.8 //
|
11 martin 1.7 // Permission is hereby granted, free of charge, to any person obtaining a
12 // copy of this software and associated documentation files (the "Software"),
13 // to deal in the Software without restriction, including without limitation
14 // the rights to use, copy, modify, merge, publish, distribute, sublicense,
15 // and/or sell copies of the Software, and to permit persons to whom the
16 // Software is furnished to do so, subject to the following conditions:
|
17 martin 1.8 //
|
18 martin 1.7 // The above copyright notice and this permission notice shall be included
19 // in all copies or substantial portions of the Software.
|
20 martin 1.8 //
|
21 martin 1.7 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
|
22 martin 1.8 // OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
23 martin 1.7 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
24 // IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
25 // CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
26 // TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
27 // SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
28 martin 1.8 //
|
29 martin 1.7 //////////////////////////////////////////////////////////////////////////
|
30 kumpf 1.2 */
31
32 #include <string.h>
33 #include <unistd.h>
34 #include <ctype.h>
35 #include <fcntl.h>
36 #include "Policy.h"
37 #include "Defines.h"
38 #include "Macro.h"
39 #include "Path.h"
40 #include "Fatal.h"
41 #include "Log.h"
42 #include "Match.h"
43 #include "Messages.h"
44 #include "Globals.h"
45 #include "Strlcat.h"
46 #include "Strlcpy.h"
47
48 /*
49 **==============================================================================
50 **
51 kumpf 1.2 ** ARG()
52 **
53 ** Expands function arguments to "name, value" for use in formatted
54 ** output statements.
55 **
56 ** For example, this,
57 **
58 ** printf("%s=\"%s\"", ARG(count));
59 **
60 ** is expanded to this:
61 **
62 ** printf("%s=\"%s\"", "count", count);
63 **
64 **==============================================================================
65 */
66
67 #define ARG(X) #X, X
68
69 /*
70 **==============================================================================
71 **
72 kumpf 1.2 ** _staticPolicyTable[]
73 **
74 ** This array defines the static policy table for the executor.
75 **
76 **==============================================================================
77 */
78
79 static struct Policy _staticPolicyTable[] =
80 {
81 /* cimserver_current.conf policies */
82 {
83 EXECUTOR_OPEN_FILE_MESSAGE,
84 "${currentConfigFilePath}",
85 "w",
|
86 kumpf 1.6 (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) /* 0644 */
|
87 kumpf 1.2 },
88 {
89 EXECUTOR_RENAME_FILE_MESSAGE,
90 "${currentConfigFilePath}",
91 "${currentConfigFilePath}.bak",
|
92 kumpf 1.6 0, /* flags */
|
93 kumpf 1.2 },
94 {
95 EXECUTOR_REMOVE_FILE_MESSAGE,
96 "${currentConfigFilePath}",
97 NULL,
|
98 kumpf 1.6 0, /* flags */
|
99 kumpf 1.2 },
100 {
101 EXECUTOR_REMOVE_FILE_MESSAGE,
102 "${currentConfigFilePath}.bak",
103 NULL,
|
104 kumpf 1.6 0, /* flags */
|
105 kumpf 1.2 },
106 /* cimserver_planned.conf policies */
107 {
108 EXECUTOR_OPEN_FILE_MESSAGE,
109 "${plannedConfigFilePath}",
110 "w",
|
111 kumpf 1.6 (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) /* 0644 */
|
112 kumpf 1.2 },
113 {
114 EXECUTOR_RENAME_FILE_MESSAGE,
115 "${plannedConfigFilePath}",
116 "${plannedConfigFilePath}.bak",
|
117 kumpf 1.6 0, /* flags */
|
118 kumpf 1.2 },
119 {
120 EXECUTOR_REMOVE_FILE_MESSAGE,
121 "${plannedConfigFilePath}",
122 NULL,
|
123 kumpf 1.6 0, /* flags */
|
124 kumpf 1.2 },
125 {
126 EXECUTOR_REMOVE_FILE_MESSAGE,
127 "${plannedConfigFilePath}.bak",
128 NULL,
|
129 kumpf 1.6 0, /* flags */
|
130 kumpf 1.2 },
131 /* cimserver.passwd policies */
132 {
133 EXECUTOR_OPEN_FILE_MESSAGE,
134 "${passwordFilePath}",
135 "w",
|
136 kumpf 1.6 (S_IRUSR | S_IWUSR) /* 0600 */
|
137 kumpf 1.2 },
138 {
139 EXECUTOR_RENAME_FILE_MESSAGE,
140 "${passwordFilePath}.bak",
141 "${passwordFilePath}",
|
142 kumpf 1.6 0, /* flags */
|
143 kumpf 1.2 },
144 {
145 EXECUTOR_RENAME_FILE_MESSAGE,
146 "${passwordFilePath}",
147 "${passwordFilePath}.bak",
|
148 kumpf 1.6 0, /* flags */
|
149 kumpf 1.2 },
150 {
151 EXECUTOR_REMOVE_FILE_MESSAGE,
152 "${passwordFilePath}.bak",
153 NULL,
|
154 kumpf 1.6 0, /* flags */
|
155 kumpf 1.2 },
156 {
157 EXECUTOR_REMOVE_FILE_MESSAGE,
158 "${passwordFilePath}",
159 NULL,
|
160 kumpf 1.6 0, /* flags */
|
161 kumpf 1.2 },
162 /* SSL key file policies. */
163 {
164 EXECUTOR_OPEN_FILE_MESSAGE,
165 "${sslKeyFilePath}",
166 "r",
|
167 kumpf 1.6 0, /* flags not used when opening a file for read access */
|
168 kumpf 1.2 },
169 /* SSL trust store policies. */
170 {
171 EXECUTOR_OPEN_FILE_MESSAGE,
172 "${sslTrustStore}/*",
173 "w",
|
174 kumpf 1.6 (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) /* 0644 */
|
175 kumpf 1.2 },
176 {
177 EXECUTOR_REMOVE_FILE_MESSAGE,
178 "${sslTrustStore}/*",
179 NULL,
|
180 kumpf 1.6 0, /* flags */
|
181 kumpf 1.2 },
182 /* CRL store policies. */
183 {
184 EXECUTOR_OPEN_FILE_MESSAGE,
185 "${crlStore}/*",
186 "w",
|
187 kumpf 1.6 (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) /* 0644 */
|
188 kumpf 1.2 },
189 {
190 EXECUTOR_REMOVE_FILE_MESSAGE,
191 "${crlStore}/*",
192 NULL,
|
193 kumpf 1.6 0, /* flags */
|
194 kumpf 1.2 },
195 };
196
197 static const size_t _staticPolicyTableSize =
198 sizeof(_staticPolicyTable) / sizeof(_staticPolicyTable[0]);
199
200 /*
201 **==============================================================================
202 **
203 ** CheckPolicy()
204 **
205 **==============================================================================
206 */
207
|
208 kumpf 1.4 int CheckPolicy(
|
209 kumpf 1.2 const struct Policy* policyTable,
210 size_t policyTableSize,
211 enum ExecutorMessageCode messageCode,
212 const char* arg1,
|
213 kumpf 1.6 const char* arg2,
214 unsigned long* flags)
|
215 kumpf 1.2 {
216 size_t i;
217
|
218 kumpf 1.6 /* Clear the flags. */
219
220 if (flags)
221 *flags = 0;
222
|
223 kumpf 1.2 for (i = 0; i < policyTableSize; i++)
224 {
225 const struct Policy* p;
226
227 p = &policyTable[i];
228
229 /* Check message code */
230
231 if (p->messageCode != messageCode)
232 continue;
233
234 /* Check arg1. */
235
236 if (p->arg1)
237 {
238 char pat[EXECUTOR_BUFFER_SIZE];
239
240 if (ExpandMacros(p->arg1, pat) != 0 || Match(pat, arg1) != 0)
241 continue;
242 }
243
244 kumpf 1.2 /* Check arg2. */
245
246 if (p->arg2)
247 {
248 char pat[EXECUTOR_BUFFER_SIZE];
249
250 if (ExpandMacros(p->arg2, pat) != 0 || Match(pat, arg2) != 0)
251 continue;
252 }
253
|
254 kumpf 1.6 /* Set the output flags argument. */
255
256 if (flags)
257 *flags = p->flags;
258
|
259 kumpf 1.2 /* Found a matching policy! */
|
260 kumpf 1.6
|
261 kumpf 1.2 return 0;
262 }
263
264 /* Failed to find any matching policy. */
265
266 return -1;
267 }
268
269 /*
270 **==============================================================================
271 **
272 ** CheckOpenFilePolicy()
273 **
274 **==============================================================================
275 */
276
|
277 kumpf 1.6 int CheckOpenFilePolicy(const char* path, int mode, unsigned long* flags)
|
278 kumpf 1.2 {
279 char arg2[2];
280
281 arg2[0] = mode;
282 arg2[1] = '\0';
283
284 if (CheckPolicy(_staticPolicyTable, _staticPolicyTableSize,
|
285 kumpf 1.6 EXECUTOR_OPEN_FILE_MESSAGE, path, arg2, flags) == 0)
|
286 kumpf 1.2 {
287 Log(LL_TRACE, "CheckOpenFilePolicy(%s=\"%s\", %s='%c') passed",
288 ARG(path), ARG(mode));
289 return 0;
290 }
291
292 Log(LL_SEVERE, "CheckOpenFilePolicy(%s=\"%s\", %s='%c') failed",
293 ARG(path), ARG(mode));
294
295 #if defined(EXIT_ON_POLICY_FAILURE)
296 Fatal(FL, "exited due to policy failure");
297 #endif
298
299 return -1;
300 }
301
302 /*
303 **==============================================================================
304 **
305 ** CheckRemoveFilePolicy()
306 **
307 kumpf 1.2 **==============================================================================
308 */
309
310 int CheckRemoveFilePolicy(const char* path)
311 {
312 if (CheckPolicy(_staticPolicyTable, _staticPolicyTableSize,
|
313 kumpf 1.6 EXECUTOR_REMOVE_FILE_MESSAGE, path, NULL, NULL) == 0)
|
314 kumpf 1.2 {
315 Log(LL_TRACE, "CheckRemoveFilePolicy(%s=\"%s\") passed", ARG(path));
316 return 0;
317 }
318
319 Log(LL_SEVERE, "CheckRemoveFilePolicy(%s=\"%s\") failed", ARG(path));
320
321 #if defined(EXIT_ON_POLICY_FAILURE)
322 Fatal(FL, "exited due to policy failure");
323 #endif
324
325 return -1;
326 }
327
328 /*
329 **==============================================================================
330 **
331 ** CheckRenameFilePolicy()
332 **
333 **==============================================================================
334 */
335 kumpf 1.2
336 int CheckRenameFilePolicy(const char* oldPath, const char* newPath)
337 {
338 if (CheckPolicy(_staticPolicyTable, _staticPolicyTableSize,
|
339 kumpf 1.6 EXECUTOR_RENAME_FILE_MESSAGE, oldPath, newPath, NULL) == 0)
|
340 kumpf 1.2 {
341 Log(LL_TRACE, "CheckRenameFilePolicy(%s=\"%s\", %s=\"%s\") passed",
342 ARG(oldPath), ARG(newPath));
343 return 0;
344 }
345
346 Log(LL_SEVERE, "CheckRenameFilePolicy(%s=\"%s\", %s=\"%s\") failed",
347 ARG(oldPath), ARG(newPath));
348
349 #if defined(EXIT_ON_POLICY_FAILURE)
350 Fatal(FL, "exited due to policy failure");
351 #endif
352
353 return -1;
354 }
355
356 /*
357 **==============================================================================
358 **
|
359 kumpf 1.5 ** DumpPolicyHelper()
|
360 kumpf 1.2 **
361 ** Dump the policy table given by *policyTable* and *policyTableSize*.
|
362 kumpf 1.5 ** Expand any macros in the entries, if requested.
|
363 kumpf 1.2 **
364 **==============================================================================
365 */
366
|
367 kumpf 1.5 void DumpPolicyHelper(
368 FILE* outputStream,
|
369 kumpf 1.2 const struct Policy* policyTable,
370 size_t policyTableSize,
371 int expandMacros)
372 {
373 size_t i;
374
375 for (i = 0; i < policyTableSize; i++)
376 {
377 const struct Policy* p = &policyTable[i];
378 const char* codeStr = MessageCodeToString(p->messageCode);
379 char arg1[EXECUTOR_BUFFER_SIZE];
380 char arg2[EXECUTOR_BUFFER_SIZE];
381
382 if (expandMacros)
383 {
|
384 kumpf 1.5 if (p->arg1)
385 ExpandMacros(p->arg1, arg1);
|
386 kumpf 1.2
387 if (p->arg2)
388 ExpandMacros(p->arg2, arg2);
389 }
390 else
391 {
|
392 kumpf 1.5 if (p->arg1)
393 Strlcpy(arg1, p->arg1, sizeof(arg1));
|
394 kumpf 1.2
395 if (p->arg2)
396 Strlcpy(arg2, p->arg2, sizeof(arg2));
397 }
398
|
399 kumpf 1.5 fprintf(outputStream, "%s(", codeStr);
400 if (p->arg1)
401 fprintf(outputStream, "\"%s\"", arg1);
|
402 kumpf 1.2 if (p->arg2)
|
403 kumpf 1.5 fprintf(outputStream, ", \"%s\"", arg2);
404 fprintf(outputStream, ")\n");
|
405 kumpf 1.2 }
406 }
407
408 /*
409 **==============================================================================
410 **
411 ** DumpPolicy()
412 **
|
413 kumpf 1.5 ** Dump the static policy table.
|
414 kumpf 1.2 **
415 **==============================================================================
416 */
417
|
418 kumpf 1.5 void DumpPolicy(FILE* outputStream, int expandMacros)
|
419 kumpf 1.2 {
|
420 kumpf 1.5 fprintf(outputStream, "===== Policy:\n");
|
421 kumpf 1.2
|
422 kumpf 1.5 DumpPolicyHelper(
423 outputStream, _staticPolicyTable, _staticPolicyTableSize, expandMacros);
|
424 kumpf 1.2
|
425 kumpf 1.5 putc('\n', outputStream);
|
426 kumpf 1.2 }
|