author | Wim Taymans <wtaymans@redhat.com> | 2017-02-13 10:42:36 +0100 |
---|---|---|
committer | Wim Taymans <wtaymans@redhat.com> | 2017-02-13 12:18:59 +0100 |
commit | e323416499a5c6c5b5261eabb59c5e6a7ffdc300 (patch) | |
tree | d1b5f6cdefff49628fed5dd11ebd1d20669c67c4 | |
parent | 6fc7131ec231865d2c1ce8267013d9cf78f36e68 (diff) |
Use permissive policy by defaultf26-flatpack
Make a default permissive policy that allows everything when not
sandboxed.
Improve debug log
-rw-r--r-- | src/modules/module-flatpak.c | 69 |
1 files changed, 35 insertions, 34 deletions
diff --git a/src/modules/module-flatpak.c b/src/modules/module-flatpak.c
index 9375a9b93..b22327963 100644
--- a/src/modules/module-flatpak.c
+++ b/src/modules/module-flatpak.c
@@ -87,8 +87,10 @@ struct userdata {
 pa_hook_slot *hook[PA_ACCESS_HOOK_MAX];
 pa_idxset *policies;
- uint32_t default_policy;
+ uint32_t permissive_policy;
+ uint32_t restricted_policy;
 uint32_t portal_policy;
+ uint32_t default_policy;
 pa_dbus_connection *connection;
 pa_hashmap *clients;
@@ -152,7 +154,7 @@ static client_data * client_data_new(struct userdata *u, uint32_t index, uint32_
 cd->policy = policy;
 cd->pid = pid;
 pa_hashmap_put(u->clients, PA_UINT32_TO_PTR(index), cd);
- pa_log("new client %d with pid %d, policy %d", index, pid, policy);
+ pa_log_debug("new client %d with pid %d, policy %d", index, pid, policy);
 return cd;
 }
@@ -164,7 +166,7 @@ static void client_data_free(client_data *cd) {
 PA_LLIST_REMOVE(event_item, cd->events, e);
 pa_xfree(e);
 }
- pa_log("removed client %d", cd->index);
+ pa_log_debug("removed client %d", cd->index);
 pa_xfree(cd);
 }
@@ -207,23 +209,23 @@ static pa_hook_result_t rule_check_owner (pa_core *c, pa_access_data *d, struct
 break;
 }
 if (idx == d->client_index) {
- pa_log("allow operation %d/%d of same client %d", d->hook, d->object_index, idx);
+ pa_log_debug("allow operation %d/%d of same client %d", d->hook, d->object_index, idx);
 result = PA_HOOK_OK;
 } else
- pa_log("blocked operation %d/%d of client %d to client %d", d->hook, d->object_index, idx, d->client_index);
+ pa_log_debug("blocked operation %d/%d of client %d to client %d", d->hook, d->object_index, idx, d->client_index);
 return result;
 }
 /* rule allows the operation */
 static pa_hook_result_t rule_allow (pa_core *c, pa_access_data *d, struct userdata *u) {
- pa_log("allow operation %d/%d for client %d", d->hook, d->object_index, d->client_index);
+ pa_log_debug("allow operation %d/%d for client %d", d->hook, d->object_index, d->client_index);
 return PA_HOOK_OK;
 }
 /* rule blocks the operation */
 static pa_hook_result_t rule_block (pa_core *c, pa_access_data *d, struct userdata *u) {
- pa_log("blocked operation %d/%d for client %d", d->hook, d->object_index, d->client_index);
+ pa_log_debug("blocked operation %d/%d for client %d", d->hook, d->object_index, d->client_index);
 return PA_HOOK_STOP;
 }
@@ -241,14 +243,14 @@ static DBusHandlerResult portal_response(DBusConnection *connection, DBusMessage
 dbus_connection_remove_filter (connection, portal_response, cd);
 if (!dbus_message_get_args(msg, &error, DBUS_TYPE_UINT32, &response, DBUS_TYPE_INVALID)) {
- pa_log("failed to parse Response: %s\n", error.message);
+ pa_log_error("failed to parse Response: %s\n", error.message);
 dbus_error_free(&error);
 }
 cd->cached[d->hook].checked = true;
 cd->cached[d->hook].granted = response == 0 ? true : false;
- pa_log("portal check result: %d\n", cd->cached[d->hook].granted);
+ pa_log_debug("portal check result: %d\n", cd->cached[d->hook].granted);
 d->complete_cb (d, cd->cached[d->hook].granted);
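Review bot: In portal_response, a failed `dbus_message_get_args` only logs and frees the error, then falls through to `cd->cached[d->hook].granted = response == 0 ? true : false;`, so the decision is taken from a `response` that was never filled in. Its declaration is outside the hunk; if it is uninitialised or zero-initialised, an unparsable reply can end up cached as a grant for that hook. I would add `response = 1;` inside the failure branch (any non-zero value denies) so that a malformed Response is cached and completed as a denial. The function body starts and ends outside the hunk.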
@@ -269,11 +271,11 @@ static pa_hook_result_t rule_check_portal (pa_core *c, pa_access_data *d, struct
 const char *device;
 if (cd->cached[d->hook].checked) {
- pa_log("returned cached answer for portal check: %d\n", cd->cached[d->hook].granted);
+ pa_log_debug("returned cached answer for portal check: %d\n", cd->cached[d->hook].granted);
 return cd->cached[d->hook].granted ? PA_HOOK_OK : PA_HOOK_STOP;
 }
- pa_log("ask portal for operation %d/%d for client %d", d->hook, d->object_index, d->client_index);
+ pa_log_info("ask portal for operation %d/%d for client %d", d->hook, d->object_index, d->client_index);
 cd->access_data = d;
@@ -311,7 +313,7 @@ static pa_hook_result_t rule_check_portal (pa_core *c, pa_access_data *d, struct
 dbus_message_iter_close_container (&msg_iter, &dict_iter);
 if (!(r = dbus_connection_send_with_reply_and_block(pa_dbus_connection_get(u->connection), m, -1, &error))) {
- pa_log("Failed to call portal: %s\n", error.message);
+ pa_log_error("Failed to call portal: %s\n", error.message);
 dbus_error_free(&error);
 dbus_message_unref(m);
 return PA_HOOK_STOP;
@@ -320,7 +322,7 @@ static pa_hook_result_t rule_check_portal (pa_core *c, pa_access_data *d, struct
 dbus_message_unref(m);
 if (!dbus_message_get_args(r, &error, DBUS_TYPE_OBJECT_PATH, &handle, DBUS_TYPE_INVALID)) {
- pa_log("Failed to parse AccessDevice result: %s\n", error.message);
+ pa_log_error("Failed to parse AccessDevice result: %s\n", error.message);
 dbus_error_free(&error);
 dbus_message_unref(r);
 return PA_HOOK_STOP;
@@ -333,7 +335,7 @@ static pa_hook_result_t rule_check_portal (pa_core *c, pa_access_data *d, struct
 &error);
 dbus_connection_flush(pa_dbus_connection_get(u->connection));
 if (dbus_error_is_set(&error)) {
- pa_log("Failed to subscribe to Request signal: %s\n", error.message);
+ pa_log_error("Failed to subscribe to Request signal: %s\n", error.message);
 dbus_error_free(&error);
 return PA_HOOK_STOP;
 }
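Review bot: The portal call in rule_check_portal is made with `dbus_connection_send_with_reply_and_block(..., m, -1, &error)`, and `-1` selects libdbus's default timeout, so a slow or unresponsive portal stalls whichever thread runs this access hook for that whole period. If that is the daemon's main loop (not visible here), one sandboxed client's request can delay service for every other client. Consider passing an explicit short timeout in place of `-1`, or sending the call asynchronously in the same way the Response signal is already handled through a filter callback. The function body extends beyond these hunks.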
@@ -407,7 +409,7 @@ static pa_hook_result_t filter_event (pa_core *c, pa_access_data *d, struct user
 case PA_SUBSCRIPTION_EVENT_REMOVE:
 /* if the client saw this object before, let the event go through */
 if (remove_event(cd, facility, d->object_index)) {
- pa_log("pass event %02x/%d to client %d", d->event, d->object_index, d->client_index);
+ pa_log_debug("pass event %02x/%d to client %d", d->event, d->object_index, d->client_index);
 return PA_HOOK_OK;
 }
 break;
@@ -415,7 +417,7 @@ static pa_hook_result_t filter_event (pa_core *c, pa_access_data *d, struct user
 case PA_SUBSCRIPTION_EVENT_CHANGE:
 /* if the client saw this object before, let it go through */
 if (find_event(cd, facility, d->object_index)) {
- pa_log("pass event %02x/%d to client %d", d->event, d->object_index, d->client_index);
+ pa_log_debug("pass event %02x/%d to client %d", d->event, d->object_index, d->client_index);
 return PA_HOOK_OK;
 }
@@ -428,7 +430,7 @@ static pa_hook_result_t filter_event (pa_core *c, pa_access_data *d, struct user
 if (data.hook && pa_hook_fire(&c->access[data.hook], &data) == PA_HOOK_OK) {
 /* client can inspect the object, remember for later */
 add_event(cd, facility, d->object_index);
- pa_log("pass event %02x/%d to client %d", d->event, d->object_index, d->client_index);
+ pa_log_debug("pass event %02x/%d to client %d", d->event, d->object_index, d->client_index);
 return PA_HOOK_OK;
 }
 break;
@@ -438,7 +440,7 @@ static pa_hook_result_t filter_event (pa_core *c, pa_access_data *d, struct user
 }
 block:
- pa_log("blocked event %02x/%d for client %d", d->event, d->object_index, d->client_index);
+ pa_log_debug("blocked event %02x/%d for client %d", d->event, d->object_index, d->client_index);
 return PA_HOOK_STOP;
 }
@@ -455,10 +457,10 @@ client_is_sandboxed (pa_client *cl)
 pid_t pid;
 if (cl->creds_valid) {
- pa_log ("client has trusted pid %d", cl->creds.pid);
+ pa_log_info ("client has trusted pid %d", cl->creds.pid);
 } else {
- pa_log ("no trusted pid found, assuming not sandboxed\n");
+ pa_log_info ("no trusted pid found, assuming not sandboxed\n");
 return false;
 }
@@ -479,7 +481,7 @@ client_is_sandboxed (pa_client *cl)
 if (strncmp(current, "1:name=systemd:", strlen("1:name=systemd:")) == 0) {
 const char *p = strstr(current, "flatpak-");
 if (p && p - current < n) {
- pa_log("found a flatpak cgroup, assuming sandboxed\n");
+ pa_log_info("found a flatpak cgroup, assuming sandboxed\n");
 result = true;
 break;
 }
@@ -490,18 +492,12 @@ client_is_sandboxed (pa_client *cl)
 }
 static uint32_t find_policy_for_client (struct userdata *u, pa_client *cl) {
- char *s;
-
- s = pa_proplist_to_string(cl->proplist);
- pa_log ("client proplist %s", s);
- pa_xfree(s);
-
 if (client_is_sandboxed (cl)) {
- pa_log("client is sandboxed, choosing portal policy\n");
+ pa_log_info("client is sandboxed, choosing portal policy\n");
 return u->portal_policy;
 } else {
- pa_log("client not sandboxed, choosing default policy\n");
+ pa_log_info("client not sandboxed, choosing default policy\n");
 return u->default_policy;
 }
 }
@@ -522,7 +518,7 @@ static pa_hook_result_t client_put_cb(pa_core *c, pa_object *o, struct userdata
 client_data_new(u, cl->index, policy, cl->creds.pid);
- pa_log("client put: policy %d, pid %u\n", policy, cl->creds.pid);
+ pa_log_debug("client put: policy %d, pid %u\n", policy, cl->creds.pid);
 return PA_HOOK_OK;
 }
@@ -546,7 +542,7 @@ static pa_hook_result_t client_auth_cb(pa_core *c, pa_object *o, struct userdata
 cd->policy = policy;
 cd->pid = cl->creds.pid;
- pa_log("auth cb: policy %d, pid %u\n", cd->policy, cd->pid);
+ pa_log_debug("auth cb: policy %d, pid %u\n", cd->policy, cd->pid);
 return PA_HOOK_OK;
 }
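Review bot: In client_is_sandboxed the `else` branch for an invalid `cl->creds_valid` returns false, and find_policy_for_client maps false to `u->default_policy`, which this commit points at the permissive policy in pa__init. A client whose peer credentials could not be verified therefore receives the allow-everything policy, and so does any client for which the cgroup scan (partly outside the hunk) finds no `flatpak-` entry. "Not sandboxed" and "could not tell" should not share a policy: add `if (!cl->creds_valid) return u->restricted_policy;` at the top of find_policy_for_client, so only clients with verified credentials reach the permissive default. client_is_sandboxed's body starts and ends outside these hunks.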
@@ -598,7 +594,7 @@ int pa__init(pa_module*m) {
 pa_assert(m);
 if (!(ma = pa_modargs_new(m->argument, valid_modargs))) {
- pa_log("Failed to parse module arguments");
+ pa_log_error("Failed to parse module arguments");
 goto fail;
 }
@@ -609,7 +605,7 @@ int pa__init(pa_module*m) {
 dbus_error_init(&error);
 if (!(u->connection = pa_dbus_bus_get (u->core, DBUS_BUS_SESSION, &error))) {
- pa_log("Failed to connect to session bus: %s\n", error.message);
+ pa_log_error("Failed to connect to session bus: %s\n", error.message);
 dbus_error_free(&error);
 }
@@ -633,6 +629,9 @@ int pa__init(pa_module*m) {
 u->hook[i] = pa_hook_connect(&u->core->access[i], PA_HOOK_EARLY - 1, cb, u);
 }
+ ap = access_policy_new(u, true);
+ u->permissive_policy = ap->index;
+
 ap = access_policy_new(u, false);
 ap->rule[PA_ACCESS_HOOK_VIEW_SINK] = rule_allow;
@@ -662,7 +661,7 @@ int pa__init(pa_module*m) {
 ap->rule[PA_ACCESS_HOOK_SET_SOURCE_OUTPUT_VOLUME] = rule_check_owner;
 ap->rule[PA_ACCESS_HOOK_KILL_SOURCE_OUTPUT] = rule_check_owner;
- u->default_policy = ap->index;
+ u->restricted_policy = ap->index;
 ap = access_policy_new(u, false);
@@ -695,6 +694,8 @@ int pa__init(pa_module*m) {
 u->portal_policy = ap->index;
+ u->default_policy = u->permissive_policy;
+
 pa_modargs_free(ma);
 return 0;
|
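Review bot: When `pa_dbus_bus_get` fails in pa__init, the branch now logs with `pa_log_error` and frees the error, but initialisation carries on with `u->connection` set to NULL. rule_check_portal later passes `pa_dbus_connection_get(u->connection)` to libdbus, so the first sandboxed client that triggers a portal check would reach that NULL; whether this asserts or crashes depends on pa_dbus_connection_get, which is not shown. Either add `goto fail;` after `dbus_error_free(&error);`, or have rule_check_portal return `PA_HOOK_STOP` early when `u->connection` is NULL, so that a missing session bus denies portal-gated operations. pa__init continues outside the hunk, so a later check may exist that is not visible here.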