mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2025-11-15 07:00:05 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Implement access control

Browse source 
Move send and dispatch functions to the implementation. This makes it
possible to place an access check before sending and dispatching.
Add module-access that allows to bind and notify on globals owned by
the client.
This commit is contained in:
Wim Taymans 2017-01-10 17:12:53 +01:00
parent a8964ca657
commit ee0aa6a2ac
27 changed files with 819 additions and 220 deletions
Download patch file Download diff file Expand all files Collapse all files

9
pinos/modules/meson.build
View file

@ -6,6 +6,15 @@ pinos_module_c_args = [
'-D_GNU_SOURCE',
]
pinos_module_access = shared_library('pinos-module-access', [ 'module-access.c' ],
c_args : pinos_module_c_args,
include_directories : [configinc, spa_inc],
link_with : spalib,
install : true,
install_dir : '@0@/pinos-0.1'.format(get_option('libdir')),
dependencies : [mathlib, dl_lib, pinos_dep, pinoscore_dep],
)
pinos_module_autolink = shared_library('pinos-module-autolink', [ 'module-autolink.c' ],
c_args : pinos_module_c_args,
include_directories : [configinc, spa_inc],

160
pinos/modules/module-access.c Normal file
View file

@ -0,0 +1,160 @@
/* Pinos
* Copyright (C) 2016 Wim Taymans <wim.taymans@gmail.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
* License as published by the Free Software Foundation; either
* version 2 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Library General Public License for more details.
*
* You should have received a copy of the GNU Library General Public
* License along with this library; if not, write to the
* Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
* Boston, MA 02110-1301, USA.
*/
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include "config.h"
#include "pinos/server/core.h"
#include "pinos/server/module.h"
typedef struct {
PinosCore *core;
PinosProperties *properties;
PinosListener check_send;
PinosListener check_dispatch;
} ModuleImpl;
static bool
check_global_owner (PinosCore *core,
PinosClient *client,
uint32_t id)
{
PinosGlobal *global;
global = pinos_map_lookup (&core->objects, id);
return (global && global->owner == client);
}
static void
do_check_send (PinosListener *listener,
PinosAccessFunc func,
PinosAccessData *data)
{
PinosClient *client = data->client;
PinosCore *core = client->core;
if (data->resource->type == core->uri.registry) {
switch (data->opcode) {
case PINOS_MESSAGE_NOTIFY_GLOBAL:
{
PinosMessageNotifyGlobal *m = data->message;
if (check_global_owner (core, client, m->id))
data->res = SPA_RESULT_OK;
else
data->res = SPA_RESULT_SKIPPED;
break;
}
case PINOS_MESSAGE_NOTIFY_GLOBAL_REMOVE:
{
PinosMessageNotifyGlobalRemove *m = data->message;
if (check_global_owner (core, client, m->id))
data->res = SPA_RESULT_OK;
else
data->res = SPA_RESULT_SKIPPED;
break;
}
default:
data->res = SPA_RESULT_NO_PERMISSION;
break;
}
}
else {
data->res = SPA_RESULT_OK;
}
}
static void
do_check_dispatch (PinosListener *listener,
PinosAccessFunc func,
PinosAccessData *data)
{
PinosClient *client = data->client;
PinosCore *core = client->core;
if (data->resource->type == core->uri.registry) {
if (data->opcode == PINOS_MESSAGE_BIND) {
PinosMessageBind *m = data->message;
if (check_global_owner (core, client, m->id))
data->res = SPA_RESULT_OK;
else
data->res = SPA_RESULT_NO_PERMISSION;
} else {
data->res = SPA_RESULT_NO_PERMISSION;
}
}
else {
data->res = SPA_RESULT_OK;
}
}
static ModuleImpl *
module_new (PinosCore *core,
PinosProperties *properties)
{
ModuleImpl *impl;
impl = calloc (1, sizeof (ModuleImpl));
pinos_log_debug ("module %p: new", impl);
impl->core = core;
impl->properties = properties;
pinos_signal_add (&core->access.check_send,
&impl->check_send,
do_check_send);
pinos_signal_add (&core->access.check_dispatch,
&impl->check_dispatch,
do_check_dispatch);
return impl;
}
#if 0
static void
module_destroy (ModuleImpl *impl)
{
pinos_log_debug ("module %p: destroy", impl);
pinos_global_destroy (impl->global);
pinos_signal_remove (&impl->global_added);
pinos_signal_remove (&impl->global_removed);
pinos_signal_remove (&impl->port_added);
pinos_signal_remove (&impl->port_removed);
pinos_signal_remove (&impl->port_unlinked);
pinos_signal_remove (&impl->link_state_changed);
free (impl);
}
#endif
bool
pinos__module_init (PinosModule * module, const char * args)
{
module_new (module->core, NULL);
return true;
}

65
pinos/modules/module-protocol-native.c
View file

@ -76,7 +76,6 @@ typedef struct {
SpaList link;
PinosClient *client;
int fd;
struct ucred ucred;
SpaSource *source;
PinosConnection *connection;
} PinosProtocolNativeClient;
@ -168,10 +167,9 @@ connection_data (SpaSource *source,
continue;
}
resource->dispatch_func (resource,
pinos_resource_dispatch (resource,
type,
message,
resource->dispatch_data);
message);
}
}
@ -180,14 +178,14 @@ client_new (PinosProtocolNative *impl,
int fd)
{
PinosProtocolNativeClient *this;
PinosClient *client;
socklen_t len;
this = calloc (1, sizeof (PinosProtocolNativeClient));
if (this == NULL)
goto no_native_client;
this->impl = impl;
len = sizeof (this->ucred);
if (getsockopt (fd, SOL_SOCKET, SO_PEERCRED, &this->ucred, &len) < 0) {
pinos_log_error ("no peercred: %m");
}
this->fd = fd;
this->source = pinos_loop_add_io (impl->core->main_loop->loop,
this->fd,
@ -195,21 +193,48 @@ client_new (PinosProtocolNative *impl,
false,
connection_data,
this);
if (this->source == NULL)
goto no_source;
this->connection = pinos_connection_new (fd);
if (this->connection == NULL)
goto no_connection;
client = pinos_client_new (impl->core, NULL);
if (client == NULL)
goto no_client;
this->client = client;
pinos_client_set_send (client,
client_send_func,
this);
len = sizeof (client->ucred);
if (getsockopt (fd, SOL_SOCKET, SO_PEERCRED, &client->ucred, &len) < 0) {
client->ucred_valid = false;
pinos_log_error ("no peercred: %m");
} else {
client->ucred_valid = true;
}
spa_list_insert (impl->client_list.prev, &this->link);
this->client = pinos_client_new (impl->core, NULL);
this->client->send_func = client_send_func;
this->client->send_data = this;
impl->core->global->bind (impl->core->global,
this->client,
0,
0);
pinos_global_bind (impl->core->global,
client,
0,
0);
return this;
no_client:
pinos_connection_destroy (this->connection);
no_connection:
pinos_loop_destroy_source (impl->core->main_loop->loop,
this->source);
no_source:
free (this);
no_native_client:
return NULL;
}
static Socket *
@ -326,7 +351,11 @@ socket_data (SpaSource *source,
return;
}
client_new (impl, client_fd);
if (client_new (impl, client_fd) == NULL) {
pinos_log_error ("failed to create client");
close (client_fd);
return;
}
}
static bool