pcsc-lite 2.3.3
auth.c
Go to the documentation of this file.
1/*
2 * MUSCLE SmartCard Development ( https://pcsclite.apdu.fr/ )
3 *
4 * Copyright (C) 2013 Red Hat
5 *
6 * All rights reserved.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
25 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
26 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
28 * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
29 * DAMAGE.
30 *
31 * Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
32 */
33
42#include "config.h"
43#define _GNU_SOURCE
44#include <sys/types.h>
45#include <sys/socket.h>
46#include <sys/ioctl.h>
47#include <sys/un.h>
48#include <stdio.h>
49#include "debuglog.h"
50#include "auth.h"
51
52#include <errno.h>
53
54#ifdef HAVE_POLKIT
55
56#if defined(SO_PEERCRED) || defined(LOCAL_PEERCRED)
57
58#include <polkit/polkit.h>
59#include <stdbool.h>
60
61#ifdef __FreeBSD__
62
63#include <sys/ucred.h>
64typedef struct xucred platform_cred;
65#define CRED_PID(uc) (uc).cr_pid
66#define CRED_UID(uc) (uc).cr_uid
67
68#else
69
70typedef struct ucred platform_cred;
71#define CRED_PID(uc) (uc).pid
72#define CRED_UID(uc) (uc).uid
73
74#endif
75
76extern bool disable_polkit;
77
78/* Returns non zero when the client is authorized */
79unsigned IsClientAuthorized(int socket, const char* action, const char* reader)
80{
81 platform_cred cr;
82 socklen_t cr_len;
83 int ret;
84 PolkitSubject *subject;
85 PolkitAuthority *authority;
86 PolkitAuthorizationResult *result;
87 PolkitDetails *details;
88 GError *error = NULL;
89 char action_name[128];
90
91 if (disable_polkit)
92 return 1;
93
94 snprintf(action_name, sizeof(action_name), "org.debian.pcsc-lite.%s", action);
95
96 cr_len = sizeof(cr);
97#ifdef LOCAL_PEERCRED
98 ret = getsockopt(socket, SOL_LOCAL, LOCAL_PEERCRED, &cr, &cr_len);
99#else
100 ret = getsockopt(socket, SOL_SOCKET, SO_PEERCRED, &cr, &cr_len);
101#endif
102 if (ret == -1)
103 {
104#ifndef NO_LOG
105 int e = errno;
106 Log2(PCSC_LOG_CRITICAL,
107 "Error obtaining client process credentials: %s", strerror(e));
108#endif
109 return 0;
110 }
111
112 authority = polkit_authority_get_sync(NULL, &error);
113 if (authority == NULL)
114 {
115 Log2(PCSC_LOG_CRITICAL, "polkit_authority_get_sync failed: %s",
116 error->message);
117 g_error_free(error);
118 return 0;
119 }
120
121 subject = polkit_unix_process_new_for_owner(CRED_PID(cr), 0, CRED_UID(cr));
122 if (subject == NULL)
123 {
124 Log1(PCSC_LOG_CRITICAL, "polkit_unix_process_new_for_owner failed");
125 ret = 0;
126 goto cleanup1;
127 }
128
129 details = polkit_details_new();
130 if (details == NULL)
131 {
132 Log1(PCSC_LOG_CRITICAL, "polkit_details_new failed");
133 ret = 0;
134 goto cleanup0;
135 }
136
137 if (reader != NULL)
138 polkit_details_insert(details, "reader", reader);
139
140 result = polkit_authority_check_authorization_sync(authority, subject,
141 action_name, details,
142 POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
143 NULL,
144 &error);
145
146 if (result == NULL)
147 {
148 Log2(PCSC_LOG_CRITICAL, "Error in authorization: %s", error->message);
149 g_error_free(error);
150 ret = 0;
151 }
152 else
153 {
154 if (polkit_authorization_result_get_is_authorized(result))
155 {
156 ret = 1;
157 }
158 else
159 {
160 ret = 0;
161 }
162 }
163
164 if (ret == 0)
165 {
166 Log4(PCSC_LOG_CRITICAL,
167 "Process %u (user: %u) is NOT authorized for action: %s",
168 (unsigned)CRED_PID(cr), (unsigned)CRED_UID(cr), action);
169 }
170
171 if (result)
172 g_object_unref(result);
173
174 g_object_unref(subject);
175cleanup0:
176 g_object_unref(details);
177cleanup1:
178 g_object_unref(authority);
179
180 return ret;
181}
182
183#else
184
185/* Do not enable polkit if it not yet supported on your system.
186 * Patches are welcome. */
187#error polkit is enabled, but no socket cred implementation for this platform
188
189#endif
190
191#else
192
193unsigned IsClientAuthorized(int socket, const char* action, const char* reader)
194{
195 (void)socket;
196 (void)action;
197 (void)reader;
198
199 return 1;
200}
201
202#endif
This handles debugging.