From d433c5b5c4835fe80ba836b22fc4fb08c0e94110 Mon Sep 17 00:00:00 2001
From: Jerzi Kaminsky
Date: Fri, 21 Apr 2017 02:09:01 +0300
Subject: [PATCH] Refactor IPC target validation
---
 include/sway/config.h | 2 ++
 sway/commands/permit.c | 14 ++++++++++----
 sway/security.c | 8 ++------
 3 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/include/sway/config.h b/include/sway/config.h
index 2de90434..1ee84930 100644
--- a/include/sway/config.h
+++ b/include/sway/config.h
@@ -208,6 +208,7 @@ enum secure_feature {
 struct feature_policy {
 char *program;
 uint32_t features;
+ bool validated;
 };
 enum ipc_feature {
@@ -235,6 +236,7 @@ enum ipc_feature {
 struct ipc_policy {
 char *program;
 uint32_t features;
+ bool validated;
 };
 /**
diff --git a/sway/commands/permit.c b/sway/commands/permit.c
index 66fa4e2a..11918efd 100644
--- a/sway/commands/permit.c
+++ b/sway/commands/permit.c
@@ -49,7 +49,6 @@ struct cmd_results *cmd_permit(int argc, char **argv) {
 return error;
 }
- bool assign_perms = true;
 char *program = NULL;
 if (!strcmp(argv[0], "*")) {
@@ -65,11 +64,14 @@ struct cmd_results *cmd_permit(int argc, char **argv) {
 }
 struct feature_policy *policy = get_feature_policy(program);
- if (assign_perms) {
+ if (policy->validated) {
 policy->features |= get_features(argc, argv, &error);
+ sway_log(L_DEBUG, "Permissions granted to %s for features %d",
+ policy->program, policy->features);
+ } else {
+ sway_log(L_ERROR, "Unable to validate IPC permit target '%s'."
+ " will issue empty policy", argv[0]);
 }
- sway_log(L_DEBUG, "Permissions granted to %s for features %d",
- policy->program, policy->features);
 free(program);
 return cmd_results_new(CMD_SUCCESS, NULL, NULL);
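Review bot: The new `validated` member of `struct feature_policy` (and the identical member added to `struct ipc_policy` in the next hunk) records a security decision but has no comment saying what it means or when it is set. I would write it as `bool validated; /* validate_ipc_target() accepted program when this policy was allocated */`. It is also worth stating next to the field that grants must not be applied while it is false, since cmd_permit in sway/commands/permit.c depends on exactly that.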
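Review bot: `policy->validated` is read in cmd_permit directly after `get_feature_policy(program)` with no NULL check, and the cmd_reject hunk does the same. get_feature_policy is not shown here, but alloc_feature_policy in sway/security.c still returns NULL when allocation fails, so if that result can reach this call site a low-memory condition while security directives are loaded would crash the compositor; a guard such as `if (!policy) { free(program); return cmd_results_new(CMD_FAILURE, "permit", "Unable to allocate security policy"); }` would close that. Separately, the unvalidated branch only logs and then still returns `CMD_SUCCESS`, so a permit line whose target failed validation is indistinguishable from a working one to whoever loaded the config; returning a failure result would make the fail-closed outcome visible. The message also promises an "empty policy", while the visible start of alloc_feature_policy scans for a `*` entry into `default_policy`, so the new entry may carry the wildcard defaults rather than nothing; that is worth confirming and rewording. cmd_permit begins before this hunk and its closing brace lies after it.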
@@ -98,6 +100,10 @@ struct cmd_results *cmd_reject(int argc, char **argv) {
 }
 struct feature_policy *policy = get_feature_policy(program);
+ if (!policy->validated) {
+ sway_log(L_ERROR, "Unable to validate IPC reject target '%s'."
+ " Allowing `reject` directive anyway", argv[0]);
+ }
 policy->features &= ~get_features(argc, argv, &error);
 sway_log(L_DEBUG, "Permissions granted to %s for features %d",
diff --git a/sway/security.c b/sway/security.c
index 8eab6126..0c12bc32 100644
--- a/sway/security.c
+++ b/sway/security.c
@@ -45,9 +45,6 @@ static bool validate_ipc_target(const char *program) {
 struct feature_policy *alloc_feature_policy(const char *program) {
 uint32_t default_policy = 0;
- if (!validate_ipc_target(program)) {
- return NULL;
- }
 for (int i = 0; i < config->feature_policies->length; ++i) {
 struct feature_policy *policy = config->feature_policies->items[i];
 if (strcmp(policy->program, "*") == 0) {
@@ -60,6 +57,7 @@ struct feature_policy *alloc_feature_policy(const char *program) {
 if (!policy) {
 return NULL;
 }
+ policy->validated = validate_ipc_target (program);
 policy->program = strdup(program);
 if (!policy->program) {
 free(policy);
@@ -73,9 +71,6 @@ struct feature_policy *alloc_feature_policy(const char *program) {
 struct ipc_policy *alloc_ipc_policy(const char *program) {
 uint32_t default_policy = 0;
- if (!validate_ipc_target(program)) {
- return NULL;
- }
 for (int i = 0; i < config->ipc_policies->length; ++i) {
 struct ipc_policy *policy = config->ipc_policies->items[i];
 if (strcmp(policy->program, "*") == 0) {
@@ -88,6 +83,7 @@ struct ipc_policy *alloc_ipc_policy(const char *program) {
 if (!policy) {
 return NULL;
 }
+ policy->validated = validate_ipc_target (program);
 policy->program = strdup(program);
 if (!policy->program) {
 free(policy);
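Review bot: `validate_ipc_target (program)` in alloc_feature_policy puts a space before the call parenthesis, unlike `strdup(program)` on the very next line; the same spelling is added in the alloc_ipc_policy hunk further down, and both should read `policy->validated = validate_ipc_target(program);`. As far as this diff shows, the flag is assigned only here at allocation, so a later lookup of an existing entry would reuse the earlier result. If validate_ipc_target inspects on-disk state (its body is not visible here), a short comment such as `/* snapshot taken at allocation; not re-checked on later lookups */` would tell readers not to treat the flag as current. alloc_feature_policy starts and ends outside this hunk.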
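Review bot: Nothing in this patch reads `ipc_policy.validated`: alloc_ipc_policy sets it, but the only checks added are the `feature_policy` ones in sway/commands/permit.c. With the early `return NULL` removed in the preceding alloc_ipc_policy hunk, an IPC policy is now allocated for a target that fails validate_ipc_target, where previously none was. Unless the code that ORs IPC features into the policy (not part of this diff) tests the flag, this moves IPC policies for such targets from fail-closed to fail-open. I would either add the same `if (!policy->validated)` gate at that caller in this commit, or keep the NULL return in alloc_ipc_policy until that caller is updated. The function body continues past the end of this hunk.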