summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/modules/module-flatpak.c69
1 files changed, 35 insertions, 34 deletions
diff --git a/src/modules/module-flatpak.c b/src/modules/module-flatpak.c
index 9375a9b93..b22327963 100644
--- a/src/modules/module-flatpak.c
+++ b/src/modules/module-flatpak.c
@@ -87,8 +87,10 @@ struct userdata {
pa_hook_slot *hook[PA_ACCESS_HOOK_MAX];
pa_idxset *policies;
- uint32_t default_policy;
+ uint32_t permissive_policy;
+ uint32_t restricted_policy;
uint32_t portal_policy;
+ uint32_t default_policy;
pa_dbus_connection *connection;
pa_hashmap *clients;
@@ -152,7 +154,7 @@ static client_data * client_data_new(struct userdata *u, uint32_t index, uint32_
cd->policy = policy;
cd->pid = pid;
pa_hashmap_put(u->clients, PA_UINT32_TO_PTR(index), cd);
- pa_log("new client %d with pid %d, policy %d", index, pid, policy);
+ pa_log_debug("new client %d with pid %d, policy %d", index, pid, policy);
return cd;
}
@@ -164,7 +166,7 @@ static void client_data_free(client_data *cd) {
PA_LLIST_REMOVE(event_item, cd->events, e);
pa_xfree(e);
}
- pa_log("removed client %d", cd->index);
+ pa_log_debug("removed client %d", cd->index);
pa_xfree(cd);
}
@@ -207,23 +209,23 @@ static pa_hook_result_t rule_check_owner (pa_core *c, pa_access_data *d, struct
break;
}
if (idx == d->client_index) {
- pa_log("allow operation %d/%d of same client %d", d->hook, d->object_index, idx);
+ pa_log_debug("allow operation %d/%d of same client %d", d->hook, d->object_index, idx);
result = PA_HOOK_OK;
} else
- pa_log("blocked operation %d/%d of client %d to client %d", d->hook, d->object_index, idx, d->client_index);
+ pa_log_debug("blocked operation %d/%d of client %d to client %d", d->hook, d->object_index, idx, d->client_index);
return result;
}
/* rule allows the operation */
static pa_hook_result_t rule_allow (pa_core *c, pa_access_data *d, struct userdata *u) {
- pa_log("allow operation %d/%d for client %d", d->hook, d->object_index, d->client_index);
+ pa_log_debug("allow operation %d/%d for client %d", d->hook, d->object_index, d->client_index);
return PA_HOOK_OK;
}
/* rule blocks the operation */
static pa_hook_result_t rule_block (pa_core *c, pa_access_data *d, struct userdata *u) {
- pa_log("blocked operation %d/%d for client %d", d->hook, d->object_index, d->client_index);
+ pa_log_debug("blocked operation %d/%d for client %d", d->hook, d->object_index, d->client_index);
return PA_HOOK_STOP;
}
@@ -241,14 +243,14 @@ static DBusHandlerResult portal_response(DBusConnection *connection, DBusMessage
dbus_connection_remove_filter (connection, portal_response, cd);
if (!dbus_message_get_args(msg, &error, DBUS_TYPE_UINT32, &response, DBUS_TYPE_INVALID)) {
- pa_log("failed to parse Response: %s\n", error.message);
+ pa_log_error("failed to parse Response: %s\n", error.message);
dbus_error_free(&error);
}
cd->cached[d->hook].checked = true;
cd->cached[d->hook].granted = response == 0 ? true : false;
- pa_log("portal check result: %d\n", cd->cached[d->hook].granted);
+ pa_log_debug("portal check result: %d\n", cd->cached[d->hook].granted);
d->complete_cb (d, cd->cached[d->hook].granted);
@@ -269,11 +271,11 @@ static pa_hook_result_t rule_check_portal (pa_core *c, pa_access_data *d, struct
const char *device;
if (cd->cached[d->hook].checked) {
- pa_log("returned cached answer for portal check: %d\n", cd->cached[d->hook].granted);
+ pa_log_debug("returned cached answer for portal check: %d\n", cd->cached[d->hook].granted);
return cd->cached[d->hook].granted ? PA_HOOK_OK : PA_HOOK_STOP;
}
- pa_log("ask portal for operation %d/%d for client %d", d->hook, d->object_index, d->client_index);
+ pa_log_info("ask portal for operation %d/%d for client %d", d->hook, d->object_index, d->client_index);
cd->access_data = d;
@@ -311,7 +313,7 @@ static pa_hook_result_t rule_check_portal (pa_core *c, pa_access_data *d, struct
dbus_message_iter_close_container (&msg_iter, &dict_iter);
if (!(r = dbus_connection_send_with_reply_and_block(pa_dbus_connection_get(u->connection), m, -1, &error))) {
- pa_log("Failed to call portal: %s\n", error.message);
+ pa_log_error("Failed to call portal: %s\n", error.message);
dbus_error_free(&error);
dbus_message_unref(m);
return PA_HOOK_STOP;
@@ -320,7 +322,7 @@ static pa_hook_result_t rule_check_portal (pa_core *c, pa_access_data *d, struct
dbus_message_unref(m);
if (!dbus_message_get_args(r, &error, DBUS_TYPE_OBJECT_PATH, &handle, DBUS_TYPE_INVALID)) {
- pa_log("Failed to parse AccessDevice result: %s\n", error.message);
+ pa_log_error("Failed to parse AccessDevice result: %s\n", error.message);
dbus_error_free(&error);
dbus_message_unref(r);
return PA_HOOK_STOP;
@@ -333,7 +335,7 @@ static pa_hook_result_t rule_check_portal (pa_core *c, pa_access_data *d, struct
&error);
dbus_connection_flush(pa_dbus_connection_get(u->connection));
if (dbus_error_is_set(&error)) {
- pa_log("Failed to subscribe to Request signal: %s\n", error.message);
+ pa_log_error("Failed to subscribe to Request signal: %s\n", error.message);
dbus_error_free(&error);
return PA_HOOK_STOP;
}
@@ -407,7 +409,7 @@ static pa_hook_result_t filter_event (pa_core *c, pa_access_data *d, struct user
case PA_SUBSCRIPTION_EVENT_REMOVE:
/* if the client saw this object before, let the event go through */
if (remove_event(cd, facility, d->object_index)) {
- pa_log("pass event %02x/%d to client %d", d->event, d->object_index, d->client_index);
+ pa_log_debug("pass event %02x/%d to client %d", d->event, d->object_index, d->client_index);
return PA_HOOK_OK;
}
break;
@@ -415,7 +417,7 @@ static pa_hook_result_t filter_event (pa_core *c, pa_access_data *d, struct user
case PA_SUBSCRIPTION_EVENT_CHANGE:
/* if the client saw this object before, let it go through */
if (find_event(cd, facility, d->object_index)) {
- pa_log("pass event %02x/%d to client %d", d->event, d->object_index, d->client_index);
+ pa_log_debug("pass event %02x/%d to client %d", d->event, d->object_index, d->client_index);
return PA_HOOK_OK;
}
@@ -428,7 +430,7 @@ static pa_hook_result_t filter_event (pa_core *c, pa_access_data *d, struct user
if (data.hook && pa_hook_fire(&c->access[data.hook], &data) == PA_HOOK_OK) {
/* client can inspect the object, remember for later */
add_event(cd, facility, d->object_index);
- pa_log("pass event %02x/%d to client %d", d->event, d->object_index, d->client_index);
+ pa_log_debug("pass event %02x/%d to client %d", d->event, d->object_index, d->client_index);
return PA_HOOK_OK;
}
break;
@@ -438,7 +440,7 @@ static pa_hook_result_t filter_event (pa_core *c, pa_access_data *d, struct user
}
block:
- pa_log("blocked event %02x/%d for client %d", d->event, d->object_index, d->client_index);
+ pa_log_debug("blocked event %02x/%d for client %d", d->event, d->object_index, d->client_index);
return PA_HOOK_STOP;
}
@@ -455,10 +457,10 @@ client_is_sandboxed (pa_client *cl)
pid_t pid;
if (cl->creds_valid) {
- pa_log ("client has trusted pid %d", cl->creds.pid);
+ pa_log_info ("client has trusted pid %d", cl->creds.pid);
}
else {
- pa_log ("no trusted pid found, assuming not sandboxed\n");
+ pa_log_info ("no trusted pid found, assuming not sandboxed\n");
return false;
}
@@ -479,7 +481,7 @@ client_is_sandboxed (pa_client *cl)
if (strncmp(current, "1:name=systemd:", strlen("1:name=systemd:")) == 0) {
const char *p = strstr(current, "flatpak-");
if (p && p - current < n) {
- pa_log("found a flatpak cgroup, assuming sandboxed\n");
+ pa_log_info("found a flatpak cgroup, assuming sandboxed\n");
result = true;
break;
}
@@ -490,18 +492,12 @@ client_is_sandboxed (pa_client *cl)
}
static uint32_t find_policy_for_client (struct userdata *u, pa_client *cl) {
- char *s;
-
- s = pa_proplist_to_string(cl->proplist);
- pa_log ("client proplist %s", s);
- pa_xfree(s);
-
if (client_is_sandboxed (cl)) {
- pa_log("client is sandboxed, choosing portal policy\n");
+ pa_log_info("client is sandboxed, choosing portal policy\n");
return u->portal_policy;
}
else {
- pa_log("client not sandboxed, choosing default policy\n");
+ pa_log_info("client not sandboxed, choosing default policy\n");
return u->default_policy;
}
}
@@ -522,7 +518,7 @@ static pa_hook_result_t client_put_cb(pa_core *c, pa_object *o, struct userdata
client_data_new(u, cl->index, policy, cl->creds.pid);
- pa_log("client put: policy %d, pid %u\n", policy, cl->creds.pid);
+ pa_log_debug("client put: policy %d, pid %u\n", policy, cl->creds.pid);
return PA_HOOK_OK;
}
@@ -546,7 +542,7 @@ static pa_hook_result_t client_auth_cb(pa_core *c, pa_object *o, struct userdata
cd->policy = policy;
cd->pid = cl->creds.pid;
- pa_log("auth cb: policy %d, pid %u\n", cd->policy, cd->pid);
+ pa_log_debug("auth cb: policy %d, pid %u\n", cd->policy, cd->pid);
return PA_HOOK_OK;
}
@@ -598,7 +594,7 @@ int pa__init(pa_module*m) {
pa_assert(m);
if (!(ma = pa_modargs_new(m->argument, valid_modargs))) {
- pa_log("Failed to parse module arguments");
+ pa_log_error("Failed to parse module arguments");
goto fail;
}
@@ -609,7 +605,7 @@ int pa__init(pa_module*m) {
dbus_error_init(&error);
if (!(u->connection = pa_dbus_bus_get (u->core, DBUS_BUS_SESSION, &error))) {
- pa_log("Failed to connect to session bus: %s\n", error.message);
+ pa_log_error("Failed to connect to session bus: %s\n", error.message);
dbus_error_free(&error);
}
@@ -633,6 +629,9 @@ int pa__init(pa_module*m) {
u->hook[i] = pa_hook_connect(&u->core->access[i], PA_HOOK_EARLY - 1, cb, u);
}
+ ap = access_policy_new(u, true);
+ u->permissive_policy = ap->index;
+
ap = access_policy_new(u, false);
ap->rule[PA_ACCESS_HOOK_VIEW_SINK] = rule_allow;
@@ -662,7 +661,7 @@ int pa__init(pa_module*m) {
ap->rule[PA_ACCESS_HOOK_SET_SOURCE_OUTPUT_VOLUME] = rule_check_owner;
ap->rule[PA_ACCESS_HOOK_KILL_SOURCE_OUTPUT] = rule_check_owner;
- u->default_policy = ap->index;
+ u->restricted_policy = ap->index;
ap = access_policy_new(u, false);
@@ -695,6 +694,8 @@ int pa__init(pa_module*m) {
u->portal_policy = ap->index;
+ u->default_policy = u->permissive_policy;
+
pa_modargs_free(ma);
return 0;