From: Daniel Wagner <[email protected]>

Hi,

This series is based on the "[PATCH v1 00/10] Add 'firewall' support"
series.

It is a rather large one, which is divided into 3 parts.

Part 1: Bug fixes and generic refactoring patches

  session: Empty policy list indicated no match all
  session: Reorder shutdown sequence

Both patches are bug fixes. The first one fixes a corner case when a
setting exists in the provision file but contains no value,
e.g. 'AllowedBearers='. This will be treated as no-match.

The second one is needed when ConnMan is shut down and a session is
still running. In this case ConnMan crashes because some invalid
pointers are used after free.

  session_policy_local: Load policy when a new file is added

This patch fixes a behaviour thing. We need to look at the provision
file contents when it is just moved into the directory (no modification
happens).

  session: Add "_t" postfix to callback typedef
  session_policy_local: Use callback helpers
  dbus: Use callback helpers
  dbus: Add connman_dbus_get_connnection_unix_user()

Because we got generic callback helpers in the last series ("connman:
Add callback helpers"), we should just use them everywhere. (Note the
next series will also depend on these helpers.)

  session: Do not fail when creating default policy configuration
  session_policy_local: Do not handle small allocation

These belong to the category 'we don't handle small alloc
failures'. The upside is that the whole error handling gets really
simple. This was really complex.


Part 2: Refactoring "Prepare the stage"

This part is changing session_policy_local so that we can then finally
add a new feature. So what has to change? Basically, the code assumes
that there is only one policy file per session. That is not true when
introducing UID/GID matching support to the session. First we try to
match against the LSM context; if that fails, we try to match against
the user and then the gid.

Simply speaking, an n:1 file-session mapping is needed.

  session_policy_local: Refactor SELinux context parser

It is better to keep the D-Bus related code together (we will do the
same for uid/gid later on).

  session_policy_local: Add some more debug infos

Not strictly necessary, but it helped debugging what is going
on.

  session_policy_local: Print warning if loading of policy fails

We need ConnMan to complain loudly if a policy file is invalid.
Otherwise ConnMan won't do anything and doesn't let the user know it.

  session_policy_local: Track policy data structure in a separate list
  session_policy_local: Use policy_hash only to track the policy files
  session_policy_local: Rename policy_hash to file_hash
  session_policy_local: Rename ident to filename

These patches implement the n:1 mapping. All files are kept in the
file_hash and whenever a new session is created we need to match them
up.

  session_policy_local: Do not free policy on load error

Hmm, that is a bug fix (will it further down in the next series).

  session_policy_local: Split LSM context ident from filename

This one introduces find_policy_by_session() and find_policy_by_file(),
which are used to match newly created policy files against existing
sessions, and respectively, when a session is created, to look for a
matching policy. This is where the prioritizing of which policy file
will be used happens.
 
Part 3: The new features

  session_policy_local: Retrieve UID/GID from session user

This patch asks the D-Bus server which UID/GID the session
has.

  session-test: Add tests for session_policy_local

And finally a test case for testing :)

cheers,
daniel

Daniel Wagner (20):
  session: Empty policy list indicated no match all
  session: Reorder shutdown sequence
  session_policy_local: Load policy when a new file is added
  session: Add "_t" postfix to callback typedef
  session_policy_local: Use callback helpers
  dbus: Use callback helpers
  dbus: Add connman_dbus_get_connnection_unix_user()
  session: Do not fail when creating default policy configuration
  session_policy_local: Do not handle small allocation
  session_policy_local: Refactor SELinux context parser
  session_policy_local: Add some more debug infos
  session_policy_local: Print warning if loading of policy fails
  session_policy_local: Track policy data structure in a separate list
  session_policy_local: Use policy_hash only to track the policy files
  session_policy_local: Rename policy_hash to file_hash
  session_policy_local: Rename ident to filename
  session_policy_local: Do not free policy on load error
  session_policy_local: Split LSM context ident from filename
  session_policy_local: Retrieve UID/GID from session user
  session-test: Add tests for session_policy_local

 include/dbus.h                 |  16 +-
 include/session.h              |  10 +-
 plugins/session_policy_local.c | 397 +++++++++++++++++++++++++++--------------
 src/dbus.c                     | 111 +++++++++---
 src/main.c                     |   2 +-
 src/session.c                  |  31 ++--
 tools/session-test.c           | 156 ++++++++++++++++
 7 files changed, 542 insertions(+), 181 deletions(-)

-- 
1.8.2.rc3.16.gce432ca
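As an added illustration of the matching order described in Part 2 (LSM context first, then UID, then GID) and of the n:1 file-to-session lookup done by find_policy_by_session(), here is a small stand-alone C model. It is not ConnMan's own code: the struct layouts, the NO_ID sentinel, the pick_policy() wrapper and the sample policy files are constructed assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

#define NO_ID ((uid_t)-1)  /* sentinel: file does not match on that id (assumption) */

struct policy_file {      /* hypothetical model of one loaded policy file */
	const char *filename;
	const char *lsm_ctx;  /* SELinux/LSM context to match, or NULL */
	uid_t uid;            /* user id to match, or NO_ID */
	gid_t gid;            /* group id to match, or NO_ID */
};

struct session_ident {    /* what the D-Bus daemon reports about the session owner */
	const char *lsm_ctx;  /* NULL when no LSM context is available */
	uid_t uid;
	gid_t gid;
};

/* Constructed sample "file_hash" contents; gid file listed first to show list order is irrelevant. */
static const struct policy_file sample_files[] = {
	{ "gid_1000.policy",  NULL,      NO_ID, 1000  },
	{ "uid_1000.policy",  NULL,      1000,  NO_ID },
	{ "ctx_admin.policy", "admin_t", NO_ID, NO_ID },
};

/* n:1 lookup: walk every loaded file, pick the best by priority: LSM context, then UID, then GID. */
static const struct policy_file *
find_policy_by_session(const struct policy_file *files, size_t n,
		       const struct session_ident *s)
{
	const struct policy_file *by_uid = NULL, *by_gid = NULL;
	for (size_t i = 0; i < n; i++) {
		const struct policy_file *f = &files[i];
		if (f->lsm_ctx && s->lsm_ctx && strcmp(f->lsm_ctx, s->lsm_ctx) == 0)
			return f;  /* best possible match, stop here */
		if (!by_uid && f->uid != NO_ID && f->uid == s->uid)
			by_uid = f;
		if (!by_gid && f->gid != NO_ID && f->gid == s->gid)
			by_gid = f;
	}
	return by_uid ? by_uid : by_gid;  /* NULL: no policy applies to this session */
}

/* Wrapper over the sample files; returns the chosen filename or NULL. */
const char *pick_policy(const char *lsm_ctx, uid_t uid, gid_t gid)
{
	struct session_ident s = { lsm_ctx, uid, gid };
	const struct policy_file *f = find_policy_by_session(sample_files,
			sizeof sample_files / sizeof sample_files[0], &s);
	return f ? f->filename : NULL;
}
```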

_______________________________________________
connman mailing list
[email protected]
http://lists.connman.net/listinfo/connman