1*2912Sartem /***************************************************************************
2*2912Sartem  *
3*2912Sartem  * libpolkit-rbac.c : RBAC implementation of the libpolkit API
4*2912Sartem  *
5*2912Sartem  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
6*2912Sartem  * Use is subject to license terms.
7*2912Sartem  *
8*2912Sartem  * Licensed under the Academic Free License version 2.1
9*2912Sartem  *
10*2912Sartem  **************************************************************************/
11*2912Sartem 
12*2912Sartem #pragma	ident	"%Z%%M%	%I%	%E% SMI"
13*2912Sartem 
14*2912Sartem #ifdef HAVE_CONFIG_H
15*2912Sartem #  include <config.h>
16*2912Sartem #endif
17*2912Sartem 
18*2912Sartem #include <stdio.h>
19*2912Sartem #include <stdlib.h>
20*2912Sartem #include <string.h>
21*2912Sartem #include <sys/types.h>
22*2912Sartem #include <pwd.h>
23*2912Sartem #include <grp.h>
24*2912Sartem #include <unistd.h>
25*2912Sartem #include <errno.h>
26*2912Sartem #include <auth_attr.h>
27*2912Sartem #include <secdb.h>
28*2912Sartem 
29*2912Sartem #include <glib.h>
30*2912Sartem #include <dbus/dbus-glib.h>
31*2912Sartem 
32*2912Sartem #include "libpolkit.h"
33*2912Sartem 
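/*
 * Sentinel stored in every live LibPolKitContext. LIBPOLKIT_CHECK_CONTEXT
 * compares against it to reject NULL, uninitialised or already-released
 * handles. This catches programming errors; it is not a security boundary.
 */
#define LIBPOLKIT_MAGIC 0x3117beef

/* The Sun compiler path maps the GNU-style __FUNCTION__ onto C99 __func__. */
#ifdef __SUNPRO_C
#define __FUNCTION__ __func__
#endif

/*
 * Validate a context pointer at the top of an API function.
 *
 * Logs a warning and returns _ret_ from the *enclosing* function when _ctx_
 * is NULL or does not carry LIBPOLKIT_MAGIC. _ctx_ is parenthesised so that
 * any pointer expression can be passed, but it is evaluated more than once:
 * pass an expression without side effects.
 */
#define LIBPOLKIT_CHECK_CONTEXT(_ctx_, _ret_)				\
	do {								\
		if ((_ctx_) == NULL) {					\
			g_warning ("%s: given LibPolKitContext is NULL",	\
				   __FUNCTION__);			\
			return _ret_;					\
		}							\
		if ((_ctx_)->magic != LIBPOLKIT_MAGIC) {		\
			g_warning ("%s: given LibPolKitContext is invalid (read magic 0x%08x, should be 0x%08x)",	\
				   __FUNCTION__, (_ctx_)->magic, LIBPOLKIT_MAGIC);	\
			return _ret_;					\
		}							\
	} while(0)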
53*2912Sartem 
54*2912Sartem 
/*
 * Backing structure for a libpolkit context in the RBAC implementation.
 * The only state kept here is the validity marker.
 */
struct LibPolKitContext_s {
	guint32 magic;	/* LIBPOLKIT_MAGIC while the context is live */
};
59*2912Sartem 
/** Allocate a new context.
 *
 *  @param  connection          D-Bus connection; not read by this RBAC
 *                              implementation
 *  @return                     Pointer to a zero-filled context stamped with
 *                              LIBPOLKIT_MAGIC. g_new0 terminates the program
 *                              if the allocation fails, so callers do not see
 *                              NULL from this implementation. Release with
 *                              libpolkit_free_context.
 */
LibPolKitContext *
libpolkit_new_context (DBusConnection *connection)
{
	LibPolKitContext *new_ctx = g_new0 (LibPolKitContext, 1);

	new_ctx->magic = LIBPOLKIT_MAGIC;
	return new_ctx;
}
74*2912Sartem 
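/** Free a context.
 *
 *  @param  ctx                 The context obtained from libpolkit_new_context
 *  @return                     TRUE if the context passed validation and was
 *                              freed; FALSE if ctx was NULL or failed the
 *                              magic check, in which case nothing is freed
 */
gboolean
libpolkit_free_context (LibPolKitContext *ctx)
{
	LIBPOLKIT_CHECK_CONTEXT (ctx, FALSE);

	/*
	 * Poison the magic so that a later call on this stale pointer is more
	 * likely to be rejected by LIBPOLKIT_CHECK_CONTEXT. The store goes
	 * through a volatile lvalue because a plain store immediately before
	 * a free is one an optimiser may treat as dead. This is a debugging
	 * aid only: touching freed memory remains undefined behaviour, so
	 * callers must not reuse ctx after this returns TRUE.
	 */
	*(volatile guint32 *) &ctx->magic = 0;
	g_free (ctx);
	return TRUE;
}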
89*2912Sartem 
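/** List the resources and restrictions granted to a user for a privilege.
 *
 *  This RBAC implementation does not enumerate anything: user and privilege
 *  are not consulted and both output lists are always empty.
 *
 *  @param  ctx                 The context obtained from libpolkit_new_context
 *  @param  user                Not read by this implementation
 *  @param  privilege           Not read by this implementation
 *  @param  resources           Out: set to NULL (empty list); must not be NULL
 *  @param  restrictions        Out: set to NULL (empty list); must not be NULL
 *  @param  num_non_temporary   Out: set to 0 when non-NULL, so callers never
 *                              read an indeterminate count
 *  @return                     LIBPOLKIT_RESULT_INVALID_CONTEXT for a bad ctx,
 *                              LIBPOLKIT_RESULT_ERROR if a required output
 *                              pointer is NULL, else LIBPOLKIT_RESULT_OK
 */
LibPolKitResult
libpolkit_get_allowed_resources_for_privilege_for_uid (LibPolKitContext    *ctx,
						       const char          *user,
						       const char          *privilege,
						       GList              **resources,
						       GList              **restrictions,
						       int                 *num_non_temporary)
{
	LIBPOLKIT_CHECK_CONTEXT (ctx, LIBPOLKIT_RESULT_INVALID_CONTEXT);

	if (resources == NULL || restrictions == NULL) {
		g_warning ("%s: NULL output list pointer", __FUNCTION__);
		return LIBPOLKIT_RESULT_ERROR;
	}

	*resources = NULL;
	*restrictions = NULL;
	if (num_non_temporary != NULL) {
		*num_non_temporary = 0;
	}

	return LIBPOLKIT_RESULT_OK;
}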
114*2912Sartem 
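/** Decide whether a user holds the RBAC authorization behind a privilege.
 *
 *  The user string is parsed as a decimal UID and resolved with getpwuid();
 *  the privilege is mapped to an RBAC authorization name and checked with
 *  chkauthattr() against the resolved user name.
 *
 *  system_bus_unique_name and resource are not consulted: the answer is
 *  per user and per privilege only, never per resource or per connection.
 *
 *  @param  ctx                     The context obtained from libpolkit_new_context
 *  @param  system_bus_unique_name  Not read by this implementation
 *  @param  user                    Decimal UID as a string; anything else is
 *                                  rejected rather than being read as UID 0
 *  @param  privilege               PolicyKit privilege name; must not be NULL
 *  @param  resource                Not read by this implementation
 *  @param  out_is_allowed          Out: TRUE only if chkauthattr() grants the
 *                                  authorization; FALSE on every error path
 *  @param  out_is_temporary        Out: always FALSE
 *  @param  out_is_privileged_but_restricted_to_system_bus_unique_name
 *                                  Out: set to NULL when non-NULL
 *  @return                         LIBPOLKIT_RESULT_INVALID_CONTEXT for a bad
 *                                  ctx, LIBPOLKIT_RESULT_ERROR for a NULL
 *                                  privilege or required output pointer,
 *                                  LIBPOLKIT_RESULT_NO_SUCH_USER if user is not
 *                                  a valid UID of a known account, else
 *                                  LIBPOLKIT_RESULT_OK
 */
LibPolKitResult
libpolkit_is_uid_allowed_for_privilege (LibPolKitContext   *ctx,
					const char         *system_bus_unique_name,
					const char         *user,
					const char         *privilege,
					const char         *resource,
					gboolean           *out_is_allowed,
					gboolean           *out_is_temporary,
					char              **out_is_privileged_but_restricted_to_system_bus_unique_name)
{
	/* PolicyKit privilege names with a fixed RBAC authorization. */
	static const struct {
		const char *privilege;
		const char *authname;
	} auth_map[] = {
		{ "hal-storage-removable-mount",
		  "solaris.device.mount.removable" },
		{ "hal-storage-removable-mount-all-options",
		  "solaris.device.mount.alloptions.removable" },
		{ "hal-storage-fixed-mount",
		  "solaris.device.mount.fixed" },
		{ "hal-storage-fixed-mount-all-options",
		  "solaris.device.mount.alloptions.fixed" },
	};
	const char *authname = NULL;
	char *derived = NULL;
	struct passwd *pw;
	char *end = NULL;
	long parsed;
	uid_t uid;
	size_t k;
	char *p;

	LIBPOLKIT_CHECK_CONTEXT (ctx, LIBPOLKIT_RESULT_INVALID_CONTEXT);

	if (out_is_allowed == NULL || out_is_temporary == NULL) {
		g_warning ("%s: NULL output pointer", __FUNCTION__);
		return LIBPOLKIT_RESULT_ERROR;
	}

	/* Fail closed: every early return below leaves "not allowed". */
	*out_is_allowed = FALSE;
	*out_is_temporary = FALSE;
	if (out_is_privileged_but_restricted_to_system_bus_unique_name != NULL) {
		*out_is_privileged_but_restricted_to_system_bus_unique_name = NULL;
	}

	if (privilege == NULL) {
		g_warning ("%s: NULL privilege", __FUNCTION__);
		return LIBPOLKIT_RESULT_ERROR;
	}

	/*
	 * Parse the UID strictly. atol() yields 0 for an empty or non-numeric
	 * string, which would silently turn malformed input into a check
	 * against UID 0. Require a leading digit (no sign, no whitespace),
	 * full consumption of the string, and a value that survives the
	 * conversion to uid_t.
	 */
	if (user == NULL || user[0] < '0' || user[0] > '9') {
		return LIBPOLKIT_RESULT_NO_SUCH_USER;
	}
	errno = 0;
	parsed = strtol (user, &end, 10);
	if (errno != 0 || *end != '\0') {
		return LIBPOLKIT_RESULT_NO_SUCH_USER;
	}
	uid = (uid_t) parsed;
	if ((long) uid != parsed) {
		return LIBPOLKIT_RESULT_NO_SUCH_USER;
	}

	/*
	 * getpwuid() returns a pointer to storage it may reuse on the next
	 * call; pw->pw_name is only used in the chkauthattr() call below.
	 */
	if ((pw = getpwuid (uid)) == NULL) {
		return LIBPOLKIT_RESULT_NO_SUCH_USER;
	}

	/* map PolicyKit privilege to RBAC authorization */
	for (k = 0; k < G_N_ELEMENTS (auth_map); k++) {
		if (strcmp (privilege, auth_map[k].privilege) == 0) {
			authname = auth_map[k].authname;
			break;
		}
	}
	if (authname == NULL) {
		/*
		 * Unknown privilege: derive the authorization name by
		 * replacing '-' with '.'.
		 * NOTE(review): the derived name comes straight from the
		 * caller-supplied string and is not checked against a list of
		 * known authorizations -- confirm that callers only pass
		 * privilege names they define themselves.
		 */
		derived = g_strdup (privilege);
		for (p = derived; *p != '\0'; p++) {
			if (*p == '-') {
				*p = '.';
			}
		}
		authname = derived;
	}

	*out_is_allowed = (chkauthattr (authname, pw->pw_name) != 0);

	g_free (derived);	/* NULL when a fixed mapping was used */

	return LIBPOLKIT_RESULT_OK;
}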
173*2912Sartem 
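/** Return the list of known privileges.
 *
 *  This RBAC implementation has no source of privilege names, so the list
 *  is always empty. The previous body carried a copy loop over a
 *  never-initialised array guarded by a count fixed at 0; the loop is
 *  dropped so that it cannot start reading an indeterminate pointer if the
 *  count is ever changed.
 *
 *  @param  ctx                 The context obtained from libpolkit_new_context
 *  @param  result              Out: set to NULL (empty list); must not be NULL
 *  @return                     LIBPOLKIT_RESULT_INVALID_CONTEXT for a bad ctx,
 *                              LIBPOLKIT_RESULT_ERROR if result is NULL, else
 *                              LIBPOLKIT_RESULT_OK
 */
LibPolKitResult
libpolkit_get_privilege_list (LibPolKitContext      *ctx,
			      GList                **result)
{
	LIBPOLKIT_CHECK_CONTEXT (ctx, LIBPOLKIT_RESULT_INVALID_CONTEXT);

	if (result == NULL) {
		g_warning ("%s: NULL output list pointer", __FUNCTION__);
		return LIBPOLKIT_RESULT_ERROR;
	}

	*result = NULL;

	return LIBPOLKIT_RESULT_OK;
}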
195*2912Sartem 
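/** Revoke a temporary privilege.
 *
 *  This RBAC implementation performs no revocation; user, privilege and
 *  resource are not consulted. The context is validated like in the other
 *  entry points, and *result is given a defined value so callers do not
 *  read an indeterminate gboolean after a successful return.
 *
 *  @param  ctx                 The context obtained from libpolkit_new_context
 *  @param  user                Not read by this implementation
 *  @param  privilege           Not read by this implementation
 *  @param  resource            Not read by this implementation
 *  @param  result              Out: set to FALSE when non-NULL, since nothing
 *                              is revoked here. NOTE(review): confirm against
 *                              libpolkit.h that FALSE is the right "nothing
 *                              revoked" value for this flag.
 *  @return                     LIBPOLKIT_RESULT_INVALID_CONTEXT for a bad ctx,
 *                              else LIBPOLKIT_RESULT_OK
 */
LibPolKitResult
libpolkit_revoke_temporary_privilege (LibPolKitContext      *ctx,
                                      const char            *user,
                                      const char            *privilege,
                                      const char            *resource,
                                      gboolean              *result)
{
	LIBPOLKIT_CHECK_CONTEXT (ctx, LIBPOLKIT_RESULT_INVALID_CONTEXT);

	if (result != NULL) {
		*result = FALSE;
	}

	return LIBPOLKIT_RESULT_OK;
}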