Merge pull request #1173 from JerziKaminsky/security_resolve_symlink

FOR_REVIEW: IPC security - Allow policy targets to be symlinks
This commit is contained in:
Drew DeVault 2017-04-16 10:17:43 -04:00 committed by GitHub
commit 7494a48378
10 changed files with 179 additions and 40 deletions

View file

@ -1,3 +1,7 @@
#define _XOPEN_SOURCE 500
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <math.h> #include <math.h>
#include <stdint.h> #include <stdint.h>
#include <stdio.h> #include <stdio.h>
@ -118,3 +122,40 @@ uint32_t parse_color(const char *color) {
} }
return res; return res;
} }
char* resolve_path(const char* path) {
struct stat sb;
ssize_t r;
int i;
char *current = NULL;
char *resolved = NULL;
if(!(current = strdup(path))) {
return NULL;
}
for (i = 0; i < 16; ++i) {
if (lstat(current, &sb) == -1) {
goto failed;
}
if((sb.st_mode & S_IFMT) != S_IFLNK) {
return current;
}
if (!(resolved = malloc(sb.st_size + 1))) {
goto failed;
}
r = readlink(current, resolved, sb.st_size);
if (r == -1 || r > sb.st_size) {
goto failed;
}
resolved[r] = '\0';
free(current);
current = strdup(resolved);
free(resolved);
resolved = NULL;
}
failed:
free(resolved);
free(current);
return NULL;
}

View file

@ -3,9 +3,11 @@
#include <unistd.h> #include <unistd.h>
#include "sway/config.h" #include "sway/config.h"
uint32_t get_feature_policy(pid_t pid); uint32_t get_feature_policy_mask(pid_t pid);
uint32_t get_ipc_policy(pid_t pid); uint32_t get_ipc_policy_mask(pid_t pid);
uint32_t get_command_policy(const char *cmd); uint32_t get_command_policy_mask(const char *cmd);
struct feature_policy *get_feature_policy(const char *name);
const char *command_policy_str(enum command_context context); const char *command_policy_str(enum command_context context);

View file

@ -49,4 +49,12 @@ pid_t get_parent_pid(pid_t pid);
*/ */
uint32_t parse_color(const char *color); uint32_t parse_color(const char *color);
/**
* Given a path string, recurseively resolves any symlinks to their targets
* (which may be a file, directory) and returns the result.
* argument is returned. Caller must free the returned buffer.
* If an error occures, if the path does not exist or if the path corresponds
* to a dangling symlink, NULL is returned.
*/
char* resolve_path(const char* path);
#endif #endif

View file

@ -437,7 +437,7 @@ struct cmd_results *handle_command(char *_exec, enum command_context context) {
free_argv(argc, argv); free_argv(argc, argv);
goto cleanup; goto cleanup;
} }
if (!(get_command_policy(argv[0]) & context)) { if (!(get_command_policy_mask(argv[0]) & context)) {
if (results) { if (results) {
free_cmd_results(results); free_cmd_results(results);
} }

View file

@ -1,3 +1,4 @@
#define _XOPEN_SOURCE 500
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
#include "sway/security.h" #include "sway/security.h"
@ -18,8 +19,14 @@ struct cmd_results *cmd_ipc(int argc, char **argv) {
return error; return error;
} }
const char *program = argv[0]; char *program = NULL;
if (!strcmp(argv[0], "*")) {
program = strdup(argv[0]);
} else if (!(program = resolve_path(argv[0]))) {
return cmd_results_new(
CMD_INVALID, "ipc", "Unable to resolve IPC Policy target.");
}
if (config->reading && strcmp("{", argv[1]) != 0) { if (config->reading && strcmp("{", argv[1]) != 0) {
return cmd_results_new(CMD_INVALID, "ipc", return cmd_results_new(CMD_INVALID, "ipc",
"Expected '{' at start of IPC config definition."); "Expected '{' at start of IPC config definition.");
@ -32,6 +39,7 @@ struct cmd_results *cmd_ipc(int argc, char **argv) {
current_policy = alloc_ipc_policy(program); current_policy = alloc_ipc_policy(program);
list_add(config->ipc_policies, current_policy); list_add(config->ipc_policies, current_policy);
free(program);
return cmd_results_new(CMD_BLOCK_IPC, NULL, NULL); return cmd_results_new(CMD_BLOCK_IPC, NULL, NULL);
} }

View file

@ -1,7 +1,9 @@
#define _XOPEN_SOURCE 500
#include <string.h> #include <string.h>
#include "sway/commands.h" #include "sway/commands.h"
#include "sway/config.h" #include "sway/config.h"
#include "sway/security.h" #include "sway/security.h"
#include "util.h"
#include "log.h" #include "log.h"
static enum secure_feature get_features(int argc, char **argv, static enum secure_feature get_features(int argc, char **argv,
@ -38,25 +40,6 @@ static enum secure_feature get_features(int argc, char **argv,
return features; return features;
} }
static struct feature_policy *get_policy(const char *name) {
struct feature_policy *policy = NULL;
for (int i = 0; i < config->feature_policies->length; ++i) {
struct feature_policy *p = config->feature_policies->items[i];
if (strcmp(p->program, name) == 0) {
policy = p;
break;
}
}
if (!policy) {
policy = alloc_feature_policy(name);
if (!policy) {
sway_abort("Unable to allocate security policy");
}
list_add(config->feature_policies, policy);
}
return policy;
}
struct cmd_results *cmd_permit(int argc, char **argv) { struct cmd_results *cmd_permit(int argc, char **argv) {
struct cmd_results *error = NULL; struct cmd_results *error = NULL;
if ((error = checkarg(argc, "permit", EXPECTED_MORE_THAN, 1))) { if ((error = checkarg(argc, "permit", EXPECTED_MORE_THAN, 1))) {
@ -66,12 +49,29 @@ struct cmd_results *cmd_permit(int argc, char **argv) {
return error; return error;
} }
struct feature_policy *policy = get_policy(argv[0]); bool assign_perms = true;
policy->features |= get_features(argc, argv, &error); char *program = NULL;
if (!strcmp(argv[0], "*")) {
program = strdup(argv[0]);
} else {
program = resolve_path(argv[0]);
}
if (!program) {
sway_assert(program, "Unable to resolve IPC permit target '%s'."
" will issue empty policy", argv[0]);
assign_perms = false;
program = strdup(argv[0]);
}
struct feature_policy *policy = get_feature_policy(program);
if (assign_perms) {
policy->features |= get_features(argc, argv, &error);
}
sway_log(L_DEBUG, "Permissions granted to %s for features %d", sway_log(L_DEBUG, "Permissions granted to %s for features %d",
policy->program, policy->features); policy->program, policy->features);
free(program);
return cmd_results_new(CMD_SUCCESS, NULL, NULL); return cmd_results_new(CMD_SUCCESS, NULL, NULL);
} }
@ -84,11 +84,25 @@ struct cmd_results *cmd_reject(int argc, char **argv) {
return error; return error;
} }
struct feature_policy *policy = get_policy(argv[0]); char *program = NULL;
if (!strcmp(argv[0], "*")) {
program = strdup(argv[0]);
} else {
program = resolve_path(argv[0]);
}
if (!program) {
// Punt
sway_log(L_INFO, "Unable to resolve IPC reject target '%s'."
" Will use provided path", argv[0]);
program = strdup(argv[0]);
}
struct feature_policy *policy = get_feature_policy(program);
policy->features &= ~get_features(argc, argv, &error); policy->features &= ~get_features(argc, argv, &error);
sway_log(L_DEBUG, "Permissions granted to %s for features %d", sway_log(L_DEBUG, "Permissions granted to %s for features %d",
policy->program, policy->features); policy->program, policy->features);
free(program);
return cmd_results_new(CMD_SUCCESS, NULL, NULL); return cmd_results_new(CMD_SUCCESS, NULL, NULL);
} }

View file

@ -86,7 +86,7 @@ static void set_background(struct wl_client *client, struct wl_resource *resourc
struct wl_resource *_output, struct wl_resource *surface) { struct wl_resource *_output, struct wl_resource *surface) {
pid_t pid; pid_t pid;
wl_client_get_credentials(client, &pid, NULL, NULL); wl_client_get_credentials(client, &pid, NULL, NULL);
if (!(get_feature_policy(pid) & FEATURE_BACKGROUND)) { if (!(get_feature_policy_mask(pid) & FEATURE_BACKGROUND)) {
sway_log(L_INFO, "Denying background feature to %d", pid); sway_log(L_INFO, "Denying background feature to %d", pid);
return; return;
} }
@ -114,7 +114,7 @@ static void set_panel(struct wl_client *client, struct wl_resource *resource,
struct wl_resource *_output, struct wl_resource *surface) { struct wl_resource *_output, struct wl_resource *surface) {
pid_t pid; pid_t pid;
wl_client_get_credentials(client, &pid, NULL, NULL); wl_client_get_credentials(client, &pid, NULL, NULL);
if (!(get_feature_policy(pid) & FEATURE_PANEL)) { if (!(get_feature_policy_mask(pid) & FEATURE_PANEL)) {
sway_log(L_INFO, "Denying panel feature to %d", pid); sway_log(L_INFO, "Denying panel feature to %d", pid);
return; return;
} }
@ -152,7 +152,7 @@ static void desktop_ready(struct wl_client *client, struct wl_resource *resource
static void set_panel_position(struct wl_client *client, struct wl_resource *resource, uint32_t position) { static void set_panel_position(struct wl_client *client, struct wl_resource *resource, uint32_t position) {
pid_t pid; pid_t pid;
wl_client_get_credentials(client, &pid, NULL, NULL); wl_client_get_credentials(client, &pid, NULL, NULL);
if (!(get_feature_policy(pid) & FEATURE_PANEL)) { if (!(get_feature_policy_mask(pid) & FEATURE_PANEL)) {
sway_log(L_INFO, "Denying panel feature to %d", pid); sway_log(L_INFO, "Denying panel feature to %d", pid);
return; return;
} }
@ -191,7 +191,7 @@ static void set_lock_surface(struct wl_client *client, struct wl_resource *resou
struct wl_resource *_output, struct wl_resource *surface) { struct wl_resource *_output, struct wl_resource *surface) {
pid_t pid; pid_t pid;
wl_client_get_credentials(client, &pid, NULL, NULL); wl_client_get_credentials(client, &pid, NULL, NULL);
if (!(get_feature_policy(pid) & FEATURE_LOCK)) { if (!(get_feature_policy_mask(pid) & FEATURE_LOCK)) {
sway_log(L_INFO, "Denying lock feature to %d", pid); sway_log(L_INFO, "Denying lock feature to %d", pid);
return; return;
} }

View file

@ -595,7 +595,7 @@ static void handle_view_state_request(wlc_handle view, enum wlc_view_state_bit s
pid_t pid = wlc_view_get_pid(view); pid_t pid = wlc_view_get_pid(view);
switch (state) { switch (state) {
case WLC_BIT_FULLSCREEN: case WLC_BIT_FULLSCREEN:
if (!(get_feature_policy(pid) & FEATURE_FULLSCREEN)) { if (!(get_feature_policy_mask(pid) & FEATURE_FULLSCREEN)) {
sway_log(L_INFO, "Denying fullscreen to %d (%s)", pid, c->name); sway_log(L_INFO, "Denying fullscreen to %d (%s)", pid, c->name);
break; break;
} }
@ -811,7 +811,7 @@ static bool handle_key(wlc_handle view, uint32_t time, const struct wlc_modifier
swayc_t *focused = get_focused_container(&root_container); swayc_t *focused = get_focused_container(&root_container);
if (focused->type == C_VIEW) { if (focused->type == C_VIEW) {
pid_t pid = wlc_view_get_pid(focused->handle); pid_t pid = wlc_view_get_pid(focused->handle);
if (!(get_feature_policy(pid) & FEATURE_KEYBOARD)) { if (!(get_feature_policy_mask(pid) & FEATURE_KEYBOARD)) {
return EVENT_HANDLED; return EVENT_HANDLED;
} }
} }
@ -875,7 +875,7 @@ static bool handle_pointer_motion(wlc_handle handle, uint32_t time, const struct
swayc_t *focused = get_focused_container(&root_container); swayc_t *focused = get_focused_container(&root_container);
if (focused->type == C_VIEW) { if (focused->type == C_VIEW) {
pid_t pid = wlc_view_get_pid(focused->handle); pid_t pid = wlc_view_get_pid(focused->handle);
if (!(get_feature_policy(pid) & FEATURE_MOUSE)) { if (!(get_feature_policy_mask(pid) & FEATURE_MOUSE)) {
return EVENT_HANDLED; return EVENT_HANDLED;
} }
} }
@ -953,7 +953,7 @@ static bool handle_pointer_button(wlc_handle view, uint32_t time, const struct w
if (swayc_is_fullscreen(focused)) { if (swayc_is_fullscreen(focused)) {
if (focused->type == C_VIEW) { if (focused->type == C_VIEW) {
pid_t pid = wlc_view_get_pid(focused->handle); pid_t pid = wlc_view_get_pid(focused->handle);
if (!(get_feature_policy(pid) & FEATURE_MOUSE)) { if (!(get_feature_policy_mask(pid) & FEATURE_MOUSE)) {
return EVENT_HANDLED; return EVENT_HANDLED;
} }
} }
@ -1001,7 +1001,7 @@ static bool handle_pointer_button(wlc_handle view, uint32_t time, const struct w
if (focused->type == C_VIEW) { if (focused->type == C_VIEW) {
pid_t pid = wlc_view_get_pid(focused->handle); pid_t pid = wlc_view_get_pid(focused->handle);
if (!(get_feature_policy(pid) & FEATURE_MOUSE)) { if (!(get_feature_policy_mask(pid) & FEATURE_MOUSE)) {
return EVENT_HANDLED; return EVENT_HANDLED;
} }
} }

View file

@ -181,7 +181,7 @@ int ipc_handle_connection(int fd, uint32_t mask, void *data) {
client->event_source = wlc_event_loop_add_fd(client_fd, WLC_EVENT_READABLE, ipc_client_handle_readable, client); client->event_source = wlc_event_loop_add_fd(client_fd, WLC_EVENT_READABLE, ipc_client_handle_readable, client);
pid_t pid = get_client_pid(client->fd); pid_t pid = get_client_pid(client->fd);
client->security_policy = get_ipc_policy(pid); client->security_policy = get_ipc_policy_mask(pid);
list_add(ipc_client_list, client); list_add(ipc_client_list, client);

View file

@ -1,4 +1,6 @@
#define _XOPEN_SOURCE 500 #define _XOPEN_SOURCE 500
#include <sys/types.h>
#include <sys/stat.h>
#include <string.h> #include <string.h>
#include <unistd.h> #include <unistd.h>
#include <stdio.h> #include <stdio.h>
@ -6,8 +8,46 @@
#include "sway/security.h" #include "sway/security.h"
#include "log.h" #include "log.h"
static bool validate_ipc_target(const char *program) {
struct stat sb;
sway_log(L_DEBUG, "Validating IPC target '%s'", program);
if (!strcmp(program, "*")) {
return true;
}
if (lstat(program, &sb) == -1) {
return false;
}
if (!S_ISREG(sb.st_mode)) {
sway_log(L_ERROR,
"IPC target '%s' MUST be/point at an existing regular file",
program);
return false;
}
if (sb.st_uid != 0) {
#ifdef NDEBUG
sway_log(L_ERROR, "IPC target '%s' MUST be owned by root", program);
return false;
#else
sway_log(L_INFO, "IPC target '%s' MUST be owned by root (waived for debug build)", program);
return true;
#endif
}
if (sb.st_mode & S_IWOTH) {
sway_log(L_ERROR, "IPC target '%s' MUST NOT be world writable", program);
return false;
}
return true;
}
struct feature_policy *alloc_feature_policy(const char *program) { struct feature_policy *alloc_feature_policy(const char *program) {
uint32_t default_policy = 0; uint32_t default_policy = 0;
if (!validate_ipc_target(program)) {
return NULL;
}
for (int i = 0; i < config->feature_policies->length; ++i) { for (int i = 0; i < config->feature_policies->length; ++i) {
struct feature_policy *policy = config->feature_policies->items[i]; struct feature_policy *policy = config->feature_policies->items[i];
if (strcmp(policy->program, "*") == 0) { if (strcmp(policy->program, "*") == 0) {
@ -26,11 +66,16 @@ struct feature_policy *alloc_feature_policy(const char *program) {
return NULL; return NULL;
} }
policy->features = default_policy; policy->features = default_policy;
return policy; return policy;
} }
struct ipc_policy *alloc_ipc_policy(const char *program) { struct ipc_policy *alloc_ipc_policy(const char *program) {
uint32_t default_policy = 0; uint32_t default_policy = 0;
if (!validate_ipc_target(program)) {
return NULL;
}
for (int i = 0; i < config->ipc_policies->length; ++i) { for (int i = 0; i < config->ipc_policies->length; ++i) {
struct ipc_policy *policy = config->ipc_policies->items[i]; struct ipc_policy *policy = config->ipc_policies->items[i];
if (strcmp(policy->program, "*") == 0) { if (strcmp(policy->program, "*") == 0) {
@ -49,6 +94,7 @@ struct ipc_policy *alloc_ipc_policy(const char *program) {
return NULL; return NULL;
} }
policy->features = default_policy; policy->features = default_policy;
return policy; return policy;
} }
@ -94,7 +140,27 @@ static const char *get_pid_exe(pid_t pid) {
return link; return link;
} }
uint32_t get_feature_policy(pid_t pid) { struct feature_policy *get_feature_policy(const char *name) {
struct feature_policy *policy = NULL;
for (int i = 0; i < config->feature_policies->length; ++i) {
struct feature_policy *p = config->feature_policies->items[i];
if (strcmp(p->program, name) == 0) {
policy = p;
break;
}
}
if (!policy) {
policy = alloc_feature_policy(name);
if (!policy) {
sway_abort("Unable to allocate security policy");
}
list_add(config->feature_policies, policy);
}
return policy;
}
uint32_t get_feature_policy_mask(pid_t pid) {
uint32_t default_policy = 0; uint32_t default_policy = 0;
const char *link = get_pid_exe(pid); const char *link = get_pid_exe(pid);
@ -111,7 +177,7 @@ uint32_t get_feature_policy(pid_t pid) {
return default_policy; return default_policy;
} }
uint32_t get_ipc_policy(pid_t pid) { uint32_t get_ipc_policy_mask(pid_t pid) {
uint32_t default_policy = 0; uint32_t default_policy = 0;
const char *link = get_pid_exe(pid); const char *link = get_pid_exe(pid);
@ -128,7 +194,7 @@ uint32_t get_ipc_policy(pid_t pid) {
return default_policy; return default_policy;
} }
uint32_t get_command_policy(const char *cmd) { uint32_t get_command_policy_mask(const char *cmd) {
uint32_t default_policy = 0; uint32_t default_policy = 0;
for (int i = 0; i < config->command_policies->length; ++i) { for (int i = 0; i < config->command_policies->length; ++i) {