pcsc-lite  1.8.20
auth.c
Go to the documentation of this file.
1 /*
2  * MUSCLE SmartCard Development ( http://pcsclite.alioth.debian.org/pcsclite.html )
3  *
4  * Copyright (C) 2013 Red Hat
5  *
6  * All rights reserved.
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  * 1. Redistributions of source code must retain the above copyright
12  * notice, this list of conditions and the following disclaimer.
13  *
14  * 2. Redistributions in binary form must reproduce the above copyright
15  * notice, this list of conditions and the following disclaimer in the
16  * documentation and/or other materials provided with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22  * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
25  * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
26  * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
28  * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
29  * DAMAGE.
30  *
31  * Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
32  */
33 
42 #include "config.h"
43 #define _GNU_SOURCE
44 #include <sys/types.h>
45 #include <sys/socket.h>
46 #include <sys/ioctl.h>
47 #include <sys/un.h>
48 #include <stdio.h>
49 #include "debuglog.h"
50 #include "auth.h"
51 
52 #include <errno.h>
53 
54 #if defined(HAVE_POLKIT) && defined(SO_PEERCRED)
55 
56 #include <polkit/polkit.h>
57 
58 /* Returns non zero when the client is authorized */
59 unsigned IsClientAuthorized(int socket, const char* action, const char* reader)
60 {
61  struct ucred cr;
62  socklen_t cr_len;
63  int ret;
64  PolkitSubject *subject;
65  PolkitAuthority *authority;
66  PolkitAuthorizationResult *result;
67  PolkitDetails *details;
68  GError *error = NULL;
69  char action_name[128];
70 
71  snprintf(action_name, sizeof(action_name), "org.debian.pcsc-lite.%s", action);
72 
73  cr_len = sizeof(cr);
74  ret = getsockopt(socket, SOL_SOCKET, SO_PEERCRED, &cr, &cr_len);
75  if (ret == -1)
76  {
77  int e = errno;
78  Log2(PCSC_LOG_CRITICAL,
79  "Error obtaining client process credentials: %s", strerror(e));
80  return 0;
81  }
82 
83  authority = polkit_authority_get_sync(NULL, NULL);
84  if (authority == NULL)
85  {
86  Log1(PCSC_LOG_CRITICAL, "polkit_authority_get_sync failed");
87  return 0;
88  }
89 
90  subject = polkit_unix_process_new_for_owner(cr.pid, 0, cr.uid);
91  if (subject == NULL)
92  {
93  Log1(PCSC_LOG_CRITICAL, "polkit_unix_process_new_for_owner failed");
94  ret = 0;
95  goto cleanup1;
96  }
97 
98  details = polkit_details_new();
99  if (details == NULL)
100  {
101  Log1(PCSC_LOG_CRITICAL, "polkit_details_new failed");
102  ret = 0;
103  goto cleanup0;
104  }
105 
106  if (reader != NULL)
107  polkit_details_insert(details, "reader", reader);
108 
109  result = polkit_authority_check_authorization_sync(authority, subject,
110  action_name, details,
111  POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
112  NULL,
113  &error);
114 
115  if (result == NULL)
116  {
117  Log2(PCSC_LOG_CRITICAL, "Error in authorization: %s", error->message);
118  g_error_free(error);
119  ret = 0;
120  }
121  else
122  {
123  if (polkit_authorization_result_get_is_authorized(result))
124  {
125  ret = 1;
126  }
127  else
128  {
129  ret = 0;
130  }
131  }
132 
133  if (ret == 0)
134  {
135  Log4(PCSC_LOG_CRITICAL,
136  "Process %u (user: %u) is NOT authorized for action: %s",
137  (unsigned)cr.pid, (unsigned)cr.uid, action);
138  }
139 
140  g_object_unref(subject);
141 cleanup0:
142  g_object_unref(details);
143 cleanup1:
144  g_object_unref(authority);
145 
146  return ret;
147 }
148 
149 #else
150 
151 unsigned IsClientAuthorized(int socket, const char* action, const char* reader)
152 {
153  (void)socket;
154  (void)action;
155  (void)reader;
156 
157  return 1;
158 }
159 
160 #endif
This handles debugging.