1 kumpf 1.2 /*
|
2 martin 1.7 //%LICENSE////////////////////////////////////////////////////////////////
|
3 martin 1.8 //
|
4 martin 1.7 // Licensed to The Open Group (TOG) under one or more contributor license
5 // agreements. Refer to the OpenPegasusNOTICE.txt file distributed with
6 // this work for additional information regarding copyright ownership.
7 // Each contributor licenses this file to you under the OpenPegasus Open
8 // Source License; you may not use this file except in compliance with the
9 // License.
|
10 martin 1.8 //
|
11 martin 1.7 // Permission is hereby granted, free of charge, to any person obtaining a
12 // copy of this software and associated documentation files (the "Software"),
13 // to deal in the Software without restriction, including without limitation
14 // the rights to use, copy, modify, merge, publish, distribute, sublicense,
15 // and/or sell copies of the Software, and to permit persons to whom the
16 // Software is furnished to do so, subject to the following conditions:
|
17 martin 1.8 //
|
18 martin 1.7 // The above copyright notice and this permission notice shall be included
19 // in all copies or substantial portions of the Software.
|
20 martin 1.8 //
|
21 martin 1.7 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
|
22 martin 1.8 // OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
23 martin 1.7 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
24 // IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
25 // CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
26 // TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
27 // SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
28 martin 1.8 //
|
29 martin 1.7 //////////////////////////////////////////////////////////////////////////
|
30 kumpf 1.2 */
31
32 #include <string.h>
33 #include <unistd.h>
34 #include <ctype.h>
35 #include <fcntl.h>
36 #include "Policy.h"
37 #include "Defines.h"
38 #include "Macro.h"
39 #include "Path.h"
40 #include "Fatal.h"
41 #include "Log.h"
42 #include "Match.h"
43 #include "Messages.h"
44 #include "Globals.h"
45 #include "Strlcat.h"
46 #include "Strlcpy.h"
47
48 /*
49 **==============================================================================
50 **
51 kumpf 1.2 ** ARG()
52 **
53 ** Expands function arguments to "name, value" for use in formatted
54 ** output statements.
55 **
56 ** For example, this,
57 **
58 ** printf("%s=\"%s\"", ARG(count));
59 **
60 ** is expanded to this:
61 **
62 ** printf("%s=\"%s\"", "count", count);
63 **
64 **==============================================================================
65 */
66
67 #define ARG(X) #X, X
68
69 /*
70 **==============================================================================
71 **
72 kumpf 1.2 ** _staticPolicyTable[]
73 **
74 ** This array defines the static policy table for the executor.
75 **
76 **==============================================================================
77 */
78
79 static struct Policy _staticPolicyTable[] =
80 {
81 /* cimserver_current.conf policies */
82 {
83 EXECUTOR_OPEN_FILE_MESSAGE,
84 "${currentConfigFilePath}",
85 "w",
|
86 kumpf 1.6 (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) /* 0644 */
|
87 kumpf 1.2 },
88 {
89 EXECUTOR_RENAME_FILE_MESSAGE,
90 "${currentConfigFilePath}",
91 "${currentConfigFilePath}.bak",
|
92 kumpf 1.6 0, /* flags */
|
93 kumpf 1.2 },
94 {
95 EXECUTOR_REMOVE_FILE_MESSAGE,
96 "${currentConfigFilePath}",
97 NULL,
|
98 kumpf 1.6 0, /* flags */
|
99 kumpf 1.2 },
100 {
101 EXECUTOR_REMOVE_FILE_MESSAGE,
102 "${currentConfigFilePath}.bak",
103 NULL,
|
104 kumpf 1.6 0, /* flags */
|
105 kumpf 1.2 },
106 /* cimserver_planned.conf policies */
107 {
108 EXECUTOR_OPEN_FILE_MESSAGE,
109 "${plannedConfigFilePath}",
110 "w",
|
111 kumpf 1.6 (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) /* 0644 */
|
112 kumpf 1.2 },
113 {
114 EXECUTOR_RENAME_FILE_MESSAGE,
115 "${plannedConfigFilePath}",
116 "${plannedConfigFilePath}.bak",
|
117 kumpf 1.6 0, /* flags */
|
118 kumpf 1.2 },
119 {
120 EXECUTOR_REMOVE_FILE_MESSAGE,
121 "${plannedConfigFilePath}",
122 NULL,
|
123 kumpf 1.6 0, /* flags */
|
124 kumpf 1.2 },
125 {
126 EXECUTOR_REMOVE_FILE_MESSAGE,
127 "${plannedConfigFilePath}.bak",
128 NULL,
|
129 kumpf 1.6 0, /* flags */
|
130 kumpf 1.2 },
131 /* cimserver.passwd policies */
132 {
133 EXECUTOR_OPEN_FILE_MESSAGE,
134 "${passwordFilePath}",
135 "w",
|
136 kumpf 1.6 (S_IRUSR | S_IWUSR) /* 0600 */
|
137 kumpf 1.2 },
138 {
139 EXECUTOR_RENAME_FILE_MESSAGE,
140 "${passwordFilePath}.bak",
141 "${passwordFilePath}",
|
142 kumpf 1.6 0, /* flags */
|
143 kumpf 1.2 },
144 {
145 EXECUTOR_RENAME_FILE_MESSAGE,
146 "${passwordFilePath}",
147 "${passwordFilePath}.bak",
|
148 kumpf 1.6 0, /* flags */
|
149 kumpf 1.2 },
150 {
151 EXECUTOR_REMOVE_FILE_MESSAGE,
152 "${passwordFilePath}.bak",
153 NULL,
|
154 kumpf 1.6 0, /* flags */
|
155 kumpf 1.2 },
156 {
157 EXECUTOR_REMOVE_FILE_MESSAGE,
158 "${passwordFilePath}",
159 NULL,
|
160 kumpf 1.6 0, /* flags */
|
161 kumpf 1.2 },
162 /* SSL key file policies. */
163 {
164 EXECUTOR_OPEN_FILE_MESSAGE,
165 "${sslKeyFilePath}",
166 "r",
|
167 kumpf 1.6 0, /* flags not used when opening a file for read access */
|
168 kumpf 1.2 },
169 /* SSL trust store policies. */
170 {
171 EXECUTOR_OPEN_FILE_MESSAGE,
172 "${sslTrustStore}/*",
173 "w",
|
174 kumpf 1.6 (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) /* 0644 */
|
175 kumpf 1.2 },
176 {
177 EXECUTOR_REMOVE_FILE_MESSAGE,
178 "${sslTrustStore}/*",
179 NULL,
|
180 kumpf 1.6 0, /* flags */
|
181 kumpf 1.2 },
182 /* CRL store policies. */
183 {
184 EXECUTOR_OPEN_FILE_MESSAGE,
185 "${crlStore}/*",
186 "w",
|
187 kumpf 1.6 (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) /* 0644 */
|
188 kumpf 1.2 },
189 {
190 EXECUTOR_REMOVE_FILE_MESSAGE,
191 "${crlStore}/*",
192 NULL,
|
193 kumpf 1.6 0, /* flags */
|
194 kumpf 1.2 },
|
195 sahana.prabhakar 1.9 {
196 EXECUTOR_REMOVE_FILE_MESSAGE,
197 "${localAuthDir}/*",
198 NULL,
199 0, /* flags */
200 },
201
|
202 kumpf 1.2 };
203
204 static const size_t _staticPolicyTableSize =
205 sizeof(_staticPolicyTable) / sizeof(_staticPolicyTable[0]);
206
207 /*
208 **==============================================================================
209 **
210 ** CheckPolicy()
211 **
212 **==============================================================================
213 */
214
|
215 kumpf 1.4 int CheckPolicy(
|
216 kumpf 1.2 const struct Policy* policyTable,
217 size_t policyTableSize,
218 enum ExecutorMessageCode messageCode,
219 const char* arg1,
|
220 kumpf 1.6 const char* arg2,
221 unsigned long* flags)
|
222 kumpf 1.2 {
223 size_t i;
224
|
225 kumpf 1.6 /* Clear the flags. */
226
227 if (flags)
228 *flags = 0;
229
|
230 kumpf 1.2 for (i = 0; i < policyTableSize; i++)
231 {
232 const struct Policy* p;
233
234 p = &policyTable[i];
235
236 /* Check message code */
237
238 if (p->messageCode != messageCode)
239 continue;
240
241 /* Check arg1. */
242
243 if (p->arg1)
244 {
245 char pat[EXECUTOR_BUFFER_SIZE];
246
247 if (ExpandMacros(p->arg1, pat) != 0 || Match(pat, arg1) != 0)
248 continue;
249 }
250
251 kumpf 1.2 /* Check arg2. */
252
253 if (p->arg2)
254 {
255 char pat[EXECUTOR_BUFFER_SIZE];
256
257 if (ExpandMacros(p->arg2, pat) != 0 || Match(pat, arg2) != 0)
258 continue;
259 }
260
|
261 kumpf 1.6 /* Set the output flags argument. */
262
263 if (flags)
264 *flags = p->flags;
265
|
266 kumpf 1.2 /* Found a matching policy! */
|
267 kumpf 1.6
|
268 kumpf 1.2 return 0;
269 }
270
271 /* Failed to find any matching policy. */
272
273 return -1;
274 }
275
276 /*
277 **==============================================================================
278 **
279 ** CheckOpenFilePolicy()
280 **
281 **==============================================================================
282 */
283
|
284 kumpf 1.6 int CheckOpenFilePolicy(const char* path, int mode, unsigned long* flags)
|
285 kumpf 1.2 {
286 char arg2[2];
287
288 arg2[0] = mode;
289 arg2[1] = '\0';
290
291 if (CheckPolicy(_staticPolicyTable, _staticPolicyTableSize,
|
292 kumpf 1.6 EXECUTOR_OPEN_FILE_MESSAGE, path, arg2, flags) == 0)
|
293 kumpf 1.2 {
294 Log(LL_TRACE, "CheckOpenFilePolicy(%s=\"%s\", %s='%c') passed",
295 ARG(path), ARG(mode));
296 return 0;
297 }
298
299 Log(LL_SEVERE, "CheckOpenFilePolicy(%s=\"%s\", %s='%c') failed",
300 ARG(path), ARG(mode));
301
302 #if defined(EXIT_ON_POLICY_FAILURE)
303 Fatal(FL, "exited due to policy failure");
304 #endif
305
306 return -1;
307 }
308
309 /*
310 **==============================================================================
311 **
312 ** CheckRemoveFilePolicy()
313 **
314 kumpf 1.2 **==============================================================================
315 */
316
317 int CheckRemoveFilePolicy(const char* path)
318 {
319 if (CheckPolicy(_staticPolicyTable, _staticPolicyTableSize,
|
320 kumpf 1.6 EXECUTOR_REMOVE_FILE_MESSAGE, path, NULL, NULL) == 0)
|
321 kumpf 1.2 {
322 Log(LL_TRACE, "CheckRemoveFilePolicy(%s=\"%s\") passed", ARG(path));
323 return 0;
324 }
325
326 Log(LL_SEVERE, "CheckRemoveFilePolicy(%s=\"%s\") failed", ARG(path));
327
328 #if defined(EXIT_ON_POLICY_FAILURE)
329 Fatal(FL, "exited due to policy failure");
330 #endif
331
332 return -1;
333 }
334
335 /*
336 **==============================================================================
337 **
338 ** CheckRenameFilePolicy()
339 **
340 **==============================================================================
341 */
342 kumpf 1.2
343 int CheckRenameFilePolicy(const char* oldPath, const char* newPath)
344 {
345 if (CheckPolicy(_staticPolicyTable, _staticPolicyTableSize,
|
346 kumpf 1.6 EXECUTOR_RENAME_FILE_MESSAGE, oldPath, newPath, NULL) == 0)
|
347 kumpf 1.2 {
348 Log(LL_TRACE, "CheckRenameFilePolicy(%s=\"%s\", %s=\"%s\") passed",
349 ARG(oldPath), ARG(newPath));
350 return 0;
351 }
352
353 Log(LL_SEVERE, "CheckRenameFilePolicy(%s=\"%s\", %s=\"%s\") failed",
354 ARG(oldPath), ARG(newPath));
355
356 #if defined(EXIT_ON_POLICY_FAILURE)
357 Fatal(FL, "exited due to policy failure");
358 #endif
359
360 return -1;
361 }
362
363 /*
364 **==============================================================================
365 **
|
366 kumpf 1.5 ** DumpPolicyHelper()
|
367 kumpf 1.2 **
368 ** Dump the policy table given by *policyTable* and *policyTableSize*.
|
369 kumpf 1.5 ** Expand any macros in the entries, if requested.
|
370 kumpf 1.2 **
371 **==============================================================================
372 */
373
|
374 kumpf 1.5 void DumpPolicyHelper(
375 FILE* outputStream,
|
376 kumpf 1.2 const struct Policy* policyTable,
377 size_t policyTableSize,
378 int expandMacros)
379 {
380 size_t i;
381
382 for (i = 0; i < policyTableSize; i++)
383 {
384 const struct Policy* p = &policyTable[i];
385 const char* codeStr = MessageCodeToString(p->messageCode);
386 char arg1[EXECUTOR_BUFFER_SIZE];
387 char arg2[EXECUTOR_BUFFER_SIZE];
388
389 if (expandMacros)
390 {
|
391 kumpf 1.5 if (p->arg1)
392 ExpandMacros(p->arg1, arg1);
|
393 kumpf 1.2
394 if (p->arg2)
395 ExpandMacros(p->arg2, arg2);
396 }
397 else
398 {
|
399 kumpf 1.5 if (p->arg1)
400 Strlcpy(arg1, p->arg1, sizeof(arg1));
|
401 kumpf 1.2
402 if (p->arg2)
403 Strlcpy(arg2, p->arg2, sizeof(arg2));
404 }
405
|
406 kumpf 1.5 fprintf(outputStream, "%s(", codeStr);
407 if (p->arg1)
408 fprintf(outputStream, "\"%s\"", arg1);
|
409 kumpf 1.2 if (p->arg2)
|
410 kumpf 1.5 fprintf(outputStream, ", \"%s\"", arg2);
411 fprintf(outputStream, ")\n");
|
412 kumpf 1.2 }
413 }
414
415 /*
416 **==============================================================================
417 **
418 ** DumpPolicy()
419 **
|
420 kumpf 1.5 ** Dump the static policy table.
|
421 kumpf 1.2 **
422 **==============================================================================
423 */
424
|
425 kumpf 1.5 void DumpPolicy(FILE* outputStream, int expandMacros)
|
426 kumpf 1.2 {
|
427 kumpf 1.5 fprintf(outputStream, "===== Policy:\n");
|
428 kumpf 1.2
|
429 kumpf 1.5 DumpPolicyHelper(
430 outputStream, _staticPolicyTable, _staticPolicyTableSize, expandMacros);
|
431 kumpf 1.2
|
432 kumpf 1.5 putc('\n', outputStream);
|
433 kumpf 1.2 }
|