mirrors/pulseaudio
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pulseaudio/pulseaudio.git synced 2025-10-31 22:25:33 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

implement "auth-ip-acl=" in the native and esound protocols

Browse source 
git-svn-id: file:///home/lennart/svn/public/pulseaudio/trunk@1125 fefdeb5f-60dc-0310-8127-8f9354f1896f
This commit is contained in:
Lennart Poettering 2006-07-20 18:43:20 +00:00
parent db75f68854
commit 44beeaa648
6 changed files with 96 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/Makefile.am
View file

@ -513,7 +513,7 @@ pulsecoreinclude_HEADERS = \
lib_LTLIBRARIES += libpulsecore.la lib_LTLIBRARIES += libpulsecore.la
# Some public stuff is used even in the core. # Some public stuff is used even in the core
libpulsecore_la_SOURCES = \ libpulsecore_la_SOURCES = \
pulse/channelmap.c pulse/channelmap.h \ pulse/channelmap.c pulse/channelmap.h \
pulse/error.c pulse/error.h \ pulse/error.c pulse/error.h \
@ -733,7 +733,7 @@ libprotocol_http_la_LIBADD = $(AM_LIBADD) libsocket-server.la libioline.la libpu
libprotocol_native_la_SOURCES = pulsecore/protocol-native.c pulsecore/protocol-native.h pulsecore/native-common.h libprotocol_native_la_SOURCES = pulsecore/protocol-native.c pulsecore/protocol-native.h pulsecore/native-common.h
libprotocol_native_la_LDFLAGS = -avoid-version libprotocol_native_la_LDFLAGS = -avoid-version
libprotocol_native_la_LIBADD = $(AM_LIBADD) libsocket-server.la libpstream.la libpstream-util.la libpdispatch.la libtagstruct.la libauthkey.la libauthkey-prop.la libstrlist.la libpulsecore.la libiochannel.la libprotocol_native_la_LIBADD = $(AM_LIBADD) libsocket-server.la libpstream.la libpstream-util.la libpdispatch.la libtagstruct.la libauthkey.la libauthkey-prop.la libstrlist.la libpulsecore.la libiochannel.la libipacl.la
libtagstruct_la_SOURCES = pulsecore/tagstruct.c pulsecore/tagstruct.h libtagstruct_la_SOURCES = pulsecore/tagstruct.c pulsecore/tagstruct.h
libtagstruct_la_LDFLAGS = -avoid-version libtagstruct_la_LDFLAGS = -avoid-version
@ -741,7 +741,7 @@ libtagstruct_la_LIBADD = $(AM_LIBADD) libpulsecore.la $(WINSOCK_LIBS)
libprotocol_esound_la_SOURCES = pulsecore/protocol-esound.c pulsecore/protocol-esound.h pulsecore/esound.h libprotocol_esound_la_SOURCES = pulsecore/protocol-esound.c pulsecore/protocol-esound.h pulsecore/esound.h
libprotocol_esound_la_LDFLAGS = -avoid-version libprotocol_esound_la_LDFLAGS = -avoid-version
libprotocol_esound_la_LIBADD = $(AM_LIBADD) libsocket-server.la libiochannel.la libauthkey.la libpulsecore.la libprotocol_esound_la_LIBADD = $(AM_LIBADD) libsocket-server.la libiochannel.la libauthkey.la libpulsecore.la libipacl.la
libauthkey_la_SOURCES = pulsecore/authkey.c pulsecore/authkey.h libauthkey_la_SOURCES = pulsecore/authkey.c pulsecore/authkey.h
libauthkey_la_LDFLAGS = -avoid-version libauthkey_la_LDFLAGS = -avoid-version

17
src/modules/module-protocol-stub.c
View file

@ -129,8 +129,11 @@
#endif #endif
#if defined(HAVE_CREDS) && !defined(USE_TCP_SOCKETS) #if defined(HAVE_CREDS) && !defined(USE_TCP_SOCKETS)
#define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON "auth-group", "auth-group-enable=" #define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON "auth-group", "auth-group-enable",
#define AUTH_USAGE "auth-group=<system group to allow access> auth-group-enable=<enable auth by UNIX group?> " #define AUTH_USAGE "auth-group=<system group to allow access> auth-group-enable=<enable auth by UNIX group?> "
#elif defined(USE_TCP_SOCKETS)
#define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON "auth-ip-acl",
#define AUTH_USAGE "auth-ip-acl=<IP address ACL to allow access> "
#else #else
#define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON #define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON
#define AUTH_USAGE #define AUTH_USAGE
@ -149,17 +152,27 @@
#define TCPWRAP_SERVICE "esound" #define TCPWRAP_SERVICE "esound"
#define IPV4_PORT ESD_DEFAULT_PORT #define IPV4_PORT ESD_DEFAULT_PORT
#define UNIX_SOCKET ESD_UNIX_SOCKET_NAME #define UNIX_SOCKET ESD_UNIX_SOCKET_NAME
#define MODULE_ARGUMENTS "sink", "source", "auth-anonymous", "cookie", #define MODULE_ARGUMENTS_COMMON "sink", "source", "auth-anonymous", "cookie",
#ifdef USE_TCP_SOCKETS #ifdef USE_TCP_SOCKETS
#include "module-esound-protocol-tcp-symdef.h" #include "module-esound-protocol-tcp-symdef.h"
#else #else
#include "module-esound-protocol-unix-symdef.h" #include "module-esound-protocol-unix-symdef.h"
#endif #endif
#if defined(USE_TCP_SOCKETS)
#define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON "auth-ip-acl",
#define AUTH_USAGE "auth-ip-acl=<IP address ACL to allow access> "
#else
#define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON
#define AUTH_USAGE
#endif
PA_MODULE_DESCRIPTION("ESOUND protocol "SOCKET_DESCRIPTION) PA_MODULE_DESCRIPTION("ESOUND protocol "SOCKET_DESCRIPTION)
PA_MODULE_USAGE("sink=<sink to connect to> " PA_MODULE_USAGE("sink=<sink to connect to> "
"source=<source to connect to> " "source=<source to connect to> "
"auth-anonymous=<don't verify cookies?> " "auth-anonymous=<don't verify cookies?> "
"cookie=<path to cookie file> " "cookie=<path to cookie file> "
AUTH_USAGE
SOCKET_USAGE) SOCKET_USAGE)
#else #else
#error "Broken build system" #error "Broken build system"

6
src/pulsecore/iochannel.c
View file

@ -408,3 +408,9 @@ pa_mainloop_api* pa_iochannel_get_mainloop_api(pa_iochannel *io) {
return io->mainloop; return io->mainloop;
} }
int pa_iochannel_get_recv_fd(pa_iochannel *io) {
assert(io);
return io->ifd;
}

2
src/pulsecore/iochannel.h
View file

@ -79,4 +79,6 @@ int pa_iochannel_socket_set_sndbuf(pa_iochannel*io, size_t l);
pa_mainloop_api* pa_iochannel_get_mainloop_api(pa_iochannel *io); pa_mainloop_api* pa_iochannel_get_mainloop_api(pa_iochannel *io);
int pa_iochannel_get_recv_fd(pa_iochannel *io);
#endif #endif

41
src/pulsecore/protocol-esound.c
View file

@ -49,6 +49,7 @@
#include <pulsecore/log.h> #include <pulsecore/log.h>
#include <pulsecore/core-util.h> #include <pulsecore/core-util.h>
#include <pulsecore/core-error.h> #include <pulsecore/core-error.h>
#include <pulsecore/ipacl.h>
#include "endianmacros.h" #include "endianmacros.h"
@ -116,6 +117,7 @@ struct pa_protocol_esound {
char *sink_name, *source_name; char *sink_name, *source_name;
unsigned n_player; unsigned n_player;
uint8_t esd_key[ESD_KEY_LEN]; uint8_t esd_key[ESD_KEY_LEN];
pa_ip_acl *auth_ip_acl;
}; };
typedef struct proto_handler { typedef struct proto_handler {
@ -1162,7 +1164,7 @@ static void on_connection(pa_socket_server*s, pa_iochannel *io, void *userdata)
c->client->kill = client_kill_cb; c->client->kill = client_kill_cb;
c->client->userdata = c; c->client->userdata = c;
c->authorized = p->public; c->authorized = !!p->public;
c->swap_byte_order = 0; c->swap_byte_order = 0;
c->dead = 0; c->dead = 0;
@ -1191,6 +1193,11 @@ static void on_connection(pa_socket_server*s, pa_iochannel *io, void *userdata)
c->original_name = NULL; c->original_name = NULL;
if (!c->authorized && p->auth_ip_acl && pa_ip_acl_check(p->auth_ip_acl, pa_iochannel_get_recv_fd(io)) > 0) {
pa_log_info(__FILE__": Client authenticated by IP ACL.");
c->authorized = 1;
}
if (!c->authorized) { if (!c->authorized) {
struct timeval tv; struct timeval tv;
pa_gettimeofday(&tv); pa_gettimeofday(&tv);
@ -1211,20 +1218,32 @@ static void on_connection(pa_socket_server*s, pa_iochannel *io, void *userdata)
pa_protocol_esound* pa_protocol_esound_new(pa_core*core, pa_socket_server *server, pa_module *m, pa_modargs *ma) { pa_protocol_esound* pa_protocol_esound_new(pa_core*core, pa_socket_server *server, pa_module *m, pa_modargs *ma) {
pa_protocol_esound *p; pa_protocol_esound *p;
int public = 0; int public = 0;
assert(core && server && ma); const char *acl;
assert(core);
assert(server);
assert(m);
assert(ma);
p = pa_xnew(pa_protocol_esound, 1); p = pa_xnew(pa_protocol_esound, 1);
if (pa_modargs_get_value_boolean(ma, "auth-anonymous", &public) < 0) { if (pa_modargs_get_value_boolean(ma, "auth-anonymous", &public) < 0) {
pa_log(__FILE__": auth-anonymous= expects a boolean argument."); pa_log(__FILE__": auth-anonymous= expects a boolean argument.");
return NULL; goto fail;
} }
if (pa_authkey_load_auto(pa_modargs_get_value(ma, "cookie", DEFAULT_COOKIE_FILE), p->esd_key, sizeof(p->esd_key)) < 0) { if (pa_authkey_load_auto(pa_modargs_get_value(ma, "cookie", DEFAULT_COOKIE_FILE), p->esd_key, sizeof(p->esd_key)) < 0)
pa_xfree(p); goto fail;
return NULL;
}
if ((acl = pa_modargs_get_value(ma, "auth-ip-acl", NULL))) {
if (!(p->auth_ip_acl = pa_ip_acl_new(acl))) {
pa_log(__FILE__": Failed to parse IP ACL '%s'", acl);
goto fail;
}
} else
p->auth_ip_acl = NULL;
p->module = m; p->module = m;
p->public = public; p->public = public;
p->server = server; p->server = server;
@ -1238,6 +1257,10 @@ pa_protocol_esound* pa_protocol_esound_new(pa_core*core, pa_socket_server *serve
p->n_player = 0; p->n_player = 0;
return p; return p;
fail:
pa_xfree(p);
return NULL;
} }
void pa_protocol_esound_free(pa_protocol_esound *p) { void pa_protocol_esound_free(pa_protocol_esound *p) {
@ -1249,5 +1272,9 @@ void pa_protocol_esound_free(pa_protocol_esound *p) {
pa_idxset_free(p->connections, NULL, NULL); pa_idxset_free(p->connections, NULL, NULL);
pa_socket_server_unref(p->server); pa_socket_server_unref(p->server);
if (p->auth_ip_acl)
pa_ip_acl_free(p->auth_ip_acl);
pa_xfree(p); pa_xfree(p);
} }

44
src/pulsecore/protocol-native.c
View file

@ -57,6 +57,7 @@
#include <pulsecore/llist.h> #include <pulsecore/llist.h>
#include <pulsecore/creds.h> #include <pulsecore/creds.h>
#include <pulsecore/core-util.h> #include <pulsecore/core-util.h>
#include <pulsecore/ipacl.h>
#include "protocol-native.h" #include "protocol-native.h"
@ -139,6 +140,7 @@ struct pa_protocol_native {
#ifdef HAVE_CREDS #ifdef HAVE_CREDS
char *auth_group; char *auth_group;
#endif #endif
pa_ip_acl *auth_ip_acl;
}; };
static int sink_input_peek_cb(pa_sink_input *i, pa_memchunk *chunk); static int sink_input_peek_cb(pa_sink_input *i, pa_memchunk *chunk);
@ -942,7 +944,7 @@ static void command_auth(PA_GCC_UNUSED pa_pdispatch *pd, PA_GCC_UNUSED uint32_t
} }
#endif #endif
if (memcmp(c->protocol->auth_cookie, cookie, PA_NATIVE_COOKIE_LENGTH) == 0) if (!success && memcmp(c->protocol->auth_cookie, cookie, PA_NATIVE_COOKIE_LENGTH) == 0)
success = 1; success = 1;
if (!success) { if (!success) {
@ -2239,8 +2241,13 @@ static void on_connection(PA_GCC_UNUSED pa_socket_server*s, pa_iochannel *io, vo
c = pa_xmalloc(sizeof(struct connection)); c = pa_xmalloc(sizeof(struct connection));
c->authorized =!! p->public; c->authorized = !!p->public;
if (!c->authorized && p->auth_ip_acl && pa_ip_acl_check(p->auth_ip_acl, pa_iochannel_get_recv_fd(io)) > 0) {
pa_log_info(__FILE__": Client authenticated by IP ACL.");
c->authorized = 1;
}
if (!c->authorized) { if (!c->authorized) {
struct timeval tv; struct timeval tv;
pa_gettimeofday(&tv); pa_gettimeofday(&tv);
@ -2319,7 +2326,10 @@ static int load_key(pa_protocol_native*p, const char*fn) {
static pa_protocol_native* protocol_new_internal(pa_core *c, pa_module *m, pa_modargs *ma) { static pa_protocol_native* protocol_new_internal(pa_core *c, pa_module *m, pa_modargs *ma) {
pa_protocol_native *p; pa_protocol_native *p;
int public = 0; int public = 0;
assert(c && ma); const char *acl;
assert(c);
assert(ma);
if (pa_modargs_get_value_boolean(ma, "auth-anonymous", &public) < 0) { if (pa_modargs_get_value_boolean(ma, "auth-anonymous", &public) < 0) {
pa_log(__FILE__": auth-anonymous= expects a boolean argument."); pa_log(__FILE__": auth-anonymous= expects a boolean argument.");
@ -2331,7 +2341,8 @@ static pa_protocol_native* protocol_new_internal(pa_core *c, pa_module *m, pa_mo
p->module = m; p->module = m;
p->public = public; p->public = public;
p->server = NULL; p->server = NULL;
p->auth_ip_acl = NULL;
#ifdef HAVE_CREDS #ifdef HAVE_CREDS
{ {
int a = 1; int a = 1;
@ -2345,16 +2356,30 @@ static pa_protocol_native* protocol_new_internal(pa_core *c, pa_module *m, pa_mo
pa_log_info(__FILE__": Allowing access to group '%s'.", p->auth_group); pa_log_info(__FILE__": Allowing access to group '%s'.", p->auth_group);
} }
#endif #endif
if (load_key(p, pa_modargs_get_value(ma, "cookie", NULL)) < 0) {
pa_xfree(p); if ((acl = pa_modargs_get_value(ma, "auth-ip-acl", NULL))) {
return NULL;
if (!(p->auth_ip_acl = pa_ip_acl_new(acl))) {
pa_log(__FILE__": Failed to parse IP ACL '%s'", acl);
goto fail;
}
} }
if (load_key(p, pa_modargs_get_value(ma, "cookie", NULL)) < 0)
goto fail;
p->connections = pa_idxset_new(NULL, NULL); p->connections = pa_idxset_new(NULL, NULL);
assert(p->connections); assert(p->connections);
return p; return p;
fail:
pa_xfree(p->auth_group);
if (p->auth_ip_acl)
pa_ip_acl_free(p->auth_ip_acl);
pa_xfree(p);
return NULL;
} }
pa_protocol_native* pa_protocol_native_new(pa_core *core, pa_socket_server *server, pa_module *m, pa_modargs *ma) { pa_protocol_native* pa_protocol_native_new(pa_core *core, pa_socket_server *server, pa_module *m, pa_modargs *ma) {
@ -2405,6 +2430,9 @@ void pa_protocol_native_free(pa_protocol_native *p) {
if (p->auth_cookie_in_property) if (p->auth_cookie_in_property)
pa_authkey_prop_unref(p->core, PA_NATIVE_COOKIE_PROPERTY_NAME); pa_authkey_prop_unref(p->core, PA_NATIVE_COOKIE_PROPERTY_NAME);
if (p->auth_ip_acl)
pa_ip_acl_free(p->auth_ip_acl);
#ifdef HAVE_CREDS #ifdef HAVE_CREDS
pa_xfree(p->auth_group); pa_xfree(p->auth_group);
#endif #endif