mirror of
https://github.com/swaywm/sway.git
synced 2024-12-02 03:16:47 +00:00
Refactor IPC target validation
This commit is contained in:
Jerzi Kaminsky
parent
d2de52209e
commit
d433c5b5c4
|
|
@ -208,6 +208,7 @@ enum secure_feature {
|
||||||
struct feature_policy {
|
struct feature_policy {
|
||||||
char *program;
|
char *program;
|
||||||
uint32_t features;
|
uint32_t features;
|
||||||
|
bool validated;
|
||||||
};
|
};
|
||||||
|
|
||||||
enum ipc_feature {
|
enum ipc_feature {
|
||||||
|
|
@ -235,6 +236,7 @@ enum ipc_feature {
|
||||||
struct ipc_policy {
|
struct ipc_policy {
|
||||||
char *program;
|
char *program;
|
||||||
uint32_t features;
|
uint32_t features;
|
||||||
|
bool validated;
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
||||||
|
|
@ -49,7 +49,6 @@ struct cmd_results *cmd_permit(int argc, char **argv) {
|
||||||
return error;
|
return error;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool assign_perms = true;
|
|
||||||
char *program = NULL;
|
char *program = NULL;
|
||||||
|
|
||||||
if (!strcmp(argv[0], "*")) {
|
if (!strcmp(argv[0], "*")) {
|
||||||
|
|
@ -65,11 +64,14 @@ struct cmd_results *cmd_permit(int argc, char **argv) {
|
||||||
}
|
}
|
||||||
|
|
||||||
struct feature_policy *policy = get_feature_policy(program);
|
struct feature_policy *policy = get_feature_policy(program);
|
||||||
if (assign_perms) {
|
if (policy->validated) {
|
||||||
policy->features |= get_features(argc, argv, &error);
|
policy->features |= get_features(argc, argv, &error);
|
||||||
}
|
|
||||||
sway_log(L_DEBUG, "Permissions granted to %s for features %d",
|
sway_log(L_DEBUG, "Permissions granted to %s for features %d",
|
||||||
policy->program, policy->features);
|
policy->program, policy->features);
|
||||||
|
} else {
|
||||||
|
sway_log(L_ERROR, "Unable to validate IPC permit target '%s'."
|
||||||
|
" will issue empty policy", argv[0]);
|
||||||
|
}
|
||||||
|
|
||||||
free(program);
|
free(program);
|
||||||
return cmd_results_new(CMD_SUCCESS, NULL, NULL);
|
return cmd_results_new(CMD_SUCCESS, NULL, NULL);
|
||||||
|
|
@ -98,6 +100,10 @@ struct cmd_results *cmd_reject(int argc, char **argv) {
|
||||||
}
|
}
|
||||||
|
|
||||||
struct feature_policy *policy = get_feature_policy(program);
|
struct feature_policy *policy = get_feature_policy(program);
|
||||||
|
if (!policy->validated) {
|
||||||
|
sway_log(L_ERROR, "Unable to validate IPC reject target '%s'."
|
||||||
|
" Allowing `reject` directive anyway", argv[0]);
|
||||||
|
}
|
||||||
policy->features &= ~get_features(argc, argv, &error);
|
policy->features &= ~get_features(argc, argv, &error);
|
||||||
|
|
||||||
sway_log(L_DEBUG, "Permissions granted to %s for features %d",
|
sway_log(L_DEBUG, "Permissions granted to %s for features %d",
|
||||||
|
|
|
||||||
|
|
@ -45,9 +45,6 @@ static bool validate_ipc_target(const char *program) {
|
||||||
struct feature_policy *alloc_feature_policy(const char *program) {
|
struct feature_policy *alloc_feature_policy(const char *program) {
|
||||||
uint32_t default_policy = 0;
|
uint32_t default_policy = 0;
|
||||||
|
|
||||||
if (!validate_ipc_target(program)) {
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
for (int i = 0; i < config->feature_policies->length; ++i) {
|
for (int i = 0; i < config->feature_policies->length; ++i) {
|
||||||
struct feature_policy *policy = config->feature_policies->items[i];
|
struct feature_policy *policy = config->feature_policies->items[i];
|
||||||
if (strcmp(policy->program, "*") == 0) {
|
if (strcmp(policy->program, "*") == 0) {
|
||||||
|
|
@ -60,6 +57,7 @@ struct feature_policy *alloc_feature_policy(const char *program) {
|
||||||
if (!policy) {
|
if (!policy) {
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
policy->validated = validate_ipc_target (program);
|
||||||
policy->program = strdup(program);
|
policy->program = strdup(program);
|
||||||
if (!policy->program) {
|
if (!policy->program) {
|
||||||
free(policy);
|
free(policy);
|
||||||
|
|
@ -73,9 +71,6 @@ struct feature_policy *alloc_feature_policy(const char *program) {
|
||||||
struct ipc_policy *alloc_ipc_policy(const char *program) {
|
struct ipc_policy *alloc_ipc_policy(const char *program) {
|
||||||
uint32_t default_policy = 0;
|
uint32_t default_policy = 0;
|
||||||
|
|
||||||
if (!validate_ipc_target(program)) {
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
for (int i = 0; i < config->ipc_policies->length; ++i) {
|
for (int i = 0; i < config->ipc_policies->length; ++i) {
|
||||||
struct ipc_policy *policy = config->ipc_policies->items[i];
|
struct ipc_policy *policy = config->ipc_policies->items[i];
|
||||||
if (strcmp(policy->program, "*") == 0) {
|
if (strcmp(policy->program, "*") == 0) {
|
||||||
|
|
@ -88,6 +83,7 @@ struct ipc_policy *alloc_ipc_policy(const char *program) {
|
||||||
if (!policy) {
|
if (!policy) {
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
policy->validated = validate_ipc_target (program);
|
||||||
policy->program = strdup(program);
|
policy->program = strdup(program);
|
||||||
if (!policy->program) {
|
if (!policy->program) {
|
||||||
free(policy);
|
free(policy);
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue