AllowedGroupConnectors::AllowedGroupConnectors(GroupConnector::Type c1, GroupConnector::Type c2) : flags_(0) { allow(c1); allow(c2); }
AllowedGroupTokens::AllowedGroupTokens(GroupToken::Type t1, GroupToken::Type t2, GroupToken::Type t3, GroupToken::Type t4) : flags_(0) { allow(t1); allow(t2); allow(t3); allow(t4); }
CookieExceptionsDialog::CookieExceptionsDialog(QWidget *parent) : QDialog(parent), ui(new Ui::CookieExceptionsDialog), m_cookieJar(0) { ui->setupUi(this); setWindowFlags(Qt::Sheet); connect(ui->removeButton, SIGNAL(clicked()), this, SLOT(remove())); connect(ui->removeAllButton, SIGNAL(clicked()), this, SLOT(removeAll())); m_exceptionsModel = new CookieExceptionsModel(this); m_proxyModel = new QSortFilterProxyModel(this); m_proxyModel->setSourceModel(m_exceptionsModel); connect(ui->search, SIGNAL(textChanged(QString)), m_proxyModel, SLOT(setFilterFixedString(QString))); ui->exceptionTable->setModel(m_proxyModel); CookieModel *cookieModel = new CookieModel(this); ui->domainLineEdit->setCompleter(new QCompleter(cookieModel, ui->domainLineEdit)); connect(ui->domainLineEdit, SIGNAL(textChanged(QString)), this, SLOT(textChanged(QString))); connect(ui->blockButton, SIGNAL(clicked()), this, SLOT(block())); connect(ui->allowButton, SIGNAL(clicked()), this, SLOT(allow())); connect(ui->allowForSessionButton, SIGNAL(clicked()), this, SLOT(allowForSession())); adjustColumns(); }
std::auto_ptr<IOChannel> StreamProvider::getStream(const URL& url, bool namedCacheFile) const { std::auto_ptr<IOChannel> stream; if (url.protocol() == "file") { std::string path = url.path(); if (path == "-") { // TODO: only allow this as the *very first* call ? // Rationale is a movie might request load of // standard input, being a security issue. // Note also that the FB gui will use stdin // for key events. // FILE *newin = fdopen(dup(0), "rb"); // Close on destruction. stream = makeFileChannel(newin, true); return stream; } else { // check security here !! if (!allow(url)) return stream; FILE *newin = std::fopen(path.c_str(), "rb"); if (!newin) { log_error(_("Could not open file %1%: %2%"), path, std::strerror(errno)); return stream; } // Close on destruction stream = makeFileChannel(newin, true); return stream; } } else { if (allow(url)) { stream = NetworkAdapter::makeStream(url.str(), namedCacheFile ? namingPolicy()(url) : ""); } // Will return 0 auto_ptr if not allowed. return stream; } }
int spi_read_buf(const char* str, size_t len) { #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Wcast-qual" // in lieu of RO allow void* buf = (void*) str; #pragma GCC diagnostic pop return allow(DRIVER_NUM_SPI, 0, buf, len); }
std::auto_ptr<IOChannel> StreamProvider::getStream(const URL& url, const std::string& postdata, bool namedCacheFile) const { std::auto_ptr<IOChannel> stream; if (url.protocol() == "file") { if (!postdata.empty()) { log_error(_("POST data discarded while getting a stream " "from file: uri")); } std::string path = url.path(); if (path == "-") { FILE *newin = fdopen(dup(0), "rb"); stream = makeFileChannel(newin, false); return stream; } else { if (!allow(url)) return stream; FILE *newin = std::fopen(path.c_str(), "rb"); if (!newin) { log_error(_("Could not open file %1%: %2%"), path, std::strerror(errno)); return stream; } stream = makeFileChannel(newin, false); return stream; } } else { if (allow(url)) { stream = NetworkAdapter::makeStream(url.str(), postdata, namedCacheFile ? namingPolicy()(url) : ""); } // Will return 0 auto_ptr if not allowed. return stream; } }
AllowedParams::AllowedParams(Param::Type p1, Param::Type p2, Param::Type p3, Param::Type p4, Param::Type p5, Param::Type p6, Param::Type p7, Param::Type p8, Param::Type p9, Param::Type p10) { init(); allow(p1); allow(p2); allow(p3); allow(p4); allow(p5); allow(p6); allow(p7); allow(p8); allow(p9); allow(p10); }
// ----------------------------------------------------------------------------- // CAknPhysicsRestrictor::AllowedViewPosition() // ----------------------------------------------------------------------------- // TBool CAknPhysicsRestrictor::AllowedViewPosition( TPoint& aPosition ) { // No restrictions to empty space, view position always allowed if ( !iEmptySpaceRestricted ) { return ETrue; } TBool allow( EFalse ); TInt *coord; if ( iLandscape ) { coord = &aPosition.iX; } else { coord = &aPosition.iY; } // View position is allowed if ( *coord >= iPositionTopLimit && *coord <= iPositionBottomLimit ) { allow = ETrue; iViewReachedLimit = EFalse; } // View has reached the limit for the first time - adjust the position // exactly to limit position else if ( !iViewReachedLimit ) { allow = ETrue; iViewReachedLimit = ETrue; if ( *coord < iPositionTopLimit ) { *coord = iPositionTopLimit; } else { *coord = iPositionBottomLimit; } } // Else view has already reached the limit, view position is not allowed // and no need to notify physics observer return allow; }
int main() { session_t sess; datum id; time_t create_time, last_seen; bool do_allow; char *reason; openlog("dorian/query", LOG_PID, LOG_MAIL); for (;;) { do_allow = false; if ((sess = sess_req(stdin)) == NULL) break; /* white listing */ for_each(i, whitelist_prefix) if (!strncasecmp(whitelist_prefix[i], sess->attr[Krecipient], strlen(whitelist_prefix[i]))) { do_allow = true; reason = "whitelist address"; break; } if (!do_allow) { sess_derive_key(sess, &id); { if (seen(id, &create_time, &last_seen)) { if (create_time < expired()) { bump(id, create_time); do_allow = true; reason = "in database"; } } else add(id); } free(id.dptr); } sess_free(&sess); if (do_allow) allow(reason); else defer(); } closelog(); return 0; }
std::auto_ptr<IOChannel> StreamProvider::getStream(const URL& url, const std::string& postdata, const NetworkAdapter::RequestHeaders& headers, bool namedCacheFile) const { if (url.protocol() == "file") { if (!headers.empty()) { log_error(_("Request Headers discarded while getting stream from file: uri")); } return getStream(url, postdata); } if (allow(url) ) { return NetworkAdapter::makeStream(url.str(), postdata, headers, namedCacheFile ? namingPolicy()(url) : ""); } return std::auto_ptr<IOChannel>(); }
void CCC_LoadCFG::Execute(LPCSTR args) { Msg("Executing config-script \"%s\"...", args); string_path cfg_name; xr_strcpy(cfg_name, args); if (strext(cfg_name)) *strext(cfg_name) = 0; xr_strcat(cfg_name, ".ltx"); string_path cfg_full_name; FS.update_path(cfg_full_name, "$app_data_root$", cfg_name); if (NULL == FS.exist(cfg_full_name)) FS.update_path(cfg_full_name, "$fs_root$", cfg_name); if (NULL == FS.exist(cfg_full_name)) xr_strcpy(cfg_full_name, cfg_name); IReader* F = FS.r_open(cfg_full_name); string1024 str; if (F != NULL) { while (!F->eof()) { F->r_string(str, sizeof(str)); if (allow(str)) Console->Execute(str); } FS.r_close(F); Msg("[%s] successfully loaded.", cfg_full_name); } else { Msg("! Cannot open script file [%s]", cfg_full_name); } }
int put_note (struct io_f *io, struct daddr_f *where, struct newt *newt, int flags) { static uid_t anon; static short anon_is_set = FALSE; struct note_f note; struct flock dlock, nlock; int notenum; if (!anon_is_set) { struct passwd *pw = getpwnam (ANON); anon = pw->pw_uid; anon_is_set = TRUE; endpwent (); } if (io == NULL || where == NULL || newt == NULL) return -1; /* Save the provided disk address information. */ note.n_addr.addr = where->addr; note.n_addr.textlen = where->textlen; /* Save the author information. */ strncpy (note.n_auth.aname, newt->auth.name, NAMESZ); strncpy (note.n_auth.asystem, newt->auth.system, HOMESYSSZ); note.n_auth.aid = (int) newt->auth.uid; strncpy (note.n_from, newt->auth.system, SYSSZ); note.n_from[SYSSZ - 1] = '\0'; /* Save the title. */ strncpy (note.ntitle, newt->title, TITLEN); note.ntitle[TITLEN - 1] = '\0'; /* Initialize response storage. */ note.n_nresp = 0; note.n_rindx = -1; /* Save note options - director message, write-only. */ note.n_stat = 0; if (newt->director_message && allow (io, DRCTOK)) note.n_stat |= DIRMES; if (newt->options & NOTE_WRITE_ONLY) note.n_stat |= WRITONLY; /* Adjust moderation flag appropriately. */ if (flags & SKIP_MODERATION) { if (newt->options & NOTE_UNAPPROVED) note.n_stat |= ISUNAPPROVED; } else if (io->descr.d_stat & ISMODERATED && !allow (io, DRCTOK)) note.n_stat |= ISUNAPPROVED; if (newt->options & NOTE_ANONYMOUS) { strncpy (note.n_auth.aname, "anonymous", NAMESZ); note.n_auth.aid = (int) anon; } /* Prepare to alter the descriptor. */ dlock.l_type = F_RDLCK; dlock.l_whence = SEEK_SET; dlock.l_start = 0; dlock.l_len = (off_t) sizeof (struct descr_f); TEMP_FAILURE_RETRY (fcntl (io->fidndx, F_SETLKW, &dlock)); getdescr (io, &io->descr); /* If specified, generate a new ID for the note. Otherwise, use the already * existing ID. */ if (flags & ADD_ID) { strncpy (note.n_id.sys, newt->auth.system, SYSSZ); note.n_id.sys[SYSSZ - 1] = '\0'; note.n_id.uniqid = ++io->descr.d_id.uniqid; note.n_id.uniqid += UNIQPLEX * io->descr.d_nfnum; } else { strncpy (note.n_id.sys, newt->id.system, SYSSZ); note.n_id.sys[SYSSZ - 1] = '\0'; note.n_id.uniqid = newt->id.number; } /* Set up flags for a policy note or a regular note, depending. */ if (flags & ADD_POLICY) { if (!allow (io, DRCTOK)) { closenf (io); return -2; } io->descr.d_plcy = 1; notenum = 0; } else { notenum = ++io->descr.d_nnote; } /* Save the current time into the note. */ if (flags & UPDATE_TIMES) get_uiuc_time (&io->descr.d_lastm, newt->created); get_uiuc_time (¬e.n_date, newt->created); get_uiuc_time (¬e.n_rcvd, newt->created); get_uiuc_time (¬e.n_lmod, newt->modified); /* Save to disk. */ nlock.l_type = F_WRLCK; nlock.l_whence = SEEK_SET; nlock.l_start = (off_t) (sizeof (struct descr_f) + (notenum * sizeof (struct note_f))); nlock.l_len = (off_t) sizeof (struct note_f); TEMP_FAILURE_RETRY (fcntl (io->fidndx, F_SETLKW, &nlock)); dlock.l_type = F_WRLCK; TEMP_FAILURE_RETRY (fcntl (io->fidndx, F_SETLKW, &dlock)); putnoterec (io, notenum, ¬e); nlock.l_type = F_UNLCK; fcntl (io->fidndx, F_SETLK, &nlock); io->descr.d_notwrit++; putdescr (io, &io->descr); fdatasync (io->fidndx); dlock.l_type = F_UNLCK; fcntl (io->fidndx, F_SETLK, &dlock); return notenum; }
AllowedParams::AllowedParams(const Param::Type *v, int n) { init(); for (int i = 0; i < n; i++) allow(v[i]); }
int uiuc_modify_note_text (struct newt *newt) { static uid_t anon; static short anon_is_set = FALSE; struct io_f io; struct daddr_f daddr; struct note_f note; struct stat statbuf; struct flock dlock, nlock; time_t timet; if (!anon_is_set) { struct passwd *pw = getpwnam (ANON); anon = pw->pw_uid; anon_is_set = TRUE; endpwent (); } init (&io, &newt->nr.nfr); if (io.descr.d_stat & NFINVALID) { closenf (&io); return -1; } if (newt->nr.notenum < -1 || newt->nr.notenum > io.descr.d_nnote) { closenf (&io); return -1; } nlock.l_type = F_RDLCK; nlock.l_whence = SEEK_SET; nlock.l_start = (off_t) (sizeof (struct descr_f) + (newt->nr.notenum * sizeof (struct note_f))); nlock.l_len = (off_t) sizeof (struct note_f); if (newt->nr.respnum == 0) { TEMP_FAILURE_RETRY (fcntl (io.fidndx, F_SETLKW, &nlock)); getnoterec (&io, newt->nr.notenum, ¬e); fstat (io.fidtxt, &statbuf); time (&timet); if (note.n_addr.textlen > HARDMAX || note.n_nresp < 0 || convert_time (¬e.n_lmod) > timet || convert_time (¬e.n_date) > timet || (off_t) (note.n_addr.textlen + note.n_addr.addr) > statbuf.st_size) { closenf (&io); return -1; } /* We're allowed to change the director message here; saves time. */ if (newt->director_message) note.n_stat |= DIRMES; else note.n_stat &= ~DIRMES; if (!allow (&io, DRCTOK)) { if (io.descr.d_stat & ISMODERATED) note.n_stat |= ISUNAPPROVED; else note.n_stat &= ~ISUNAPPROVED; } else note.n_stat &= ~ISUNAPPROVED; /* Update the note's text record */ puttextrec (&io, newt->text, &daddr, -1); note.n_addr.addr = daddr.addr; note.n_addr.textlen = daddr.textlen; /* We could be dealing with a newly anonymous note. Stupid, huh? */ if (newt->options & NOTE_ANONYMOUS) { strncpy (note.n_auth.aname, "anonymous", NAMESZ); note.n_auth.aid = (int) anon; } /* Set the descriptor lock; we'll be updating modification time. */ dlock.l_type = F_RDLCK; dlock.l_whence = SEEK_SET; dlock.l_start = 0; dlock.l_len = (off_t) sizeof (struct descr_f); TEMP_FAILURE_RETRY (fcntl (io.fidndx, F_SETLKW, &dlock)); getdescr (&io, &io.descr); get_uiuc_time (&io.descr.d_lastm, newt->modified); get_uiuc_time (¬e.n_lmod, newt->modified); io.descr.d_delnote++; nlock.l_type = F_WRLCK; TEMP_FAILURE_RETRY (fcntl (io.fidndx, F_SETLKW, &nlock)); dlock.l_type = F_WRLCK; TEMP_FAILURE_RETRY (fcntl (io.fidndx, F_SETLKW, &dlock)); putnoterec (&io, newt->nr.notenum, ¬e); nlock.l_type = F_UNLCK; fcntl (io.fidndx, F_SETLK, &nlock); putdescr (&io, &io.descr); fdatasync (io.fidndx); dlock.l_type = F_UNLCK; fcntl (io.fidndx, F_SETLK, &dlock); closenf (&io); return 0; } else { struct resp_f resp, oldresp; struct flock rlock; int offset, record; TEMP_FAILURE_RETRY (fcntl (io.fidndx, F_SETLKW, &nlock)); getnoterec (&io, newt->nr.notenum, ¬e); fstat (io.fidtxt, &statbuf); time (&timet); if (note.n_addr.textlen > HARDMAX || note.n_nresp < 0 || convert_time (¬e.n_lmod) > timet || convert_time (¬e.n_date) > timet || (off_t) (note.n_addr.textlen + note.n_addr.addr) > statbuf.st_size) { closenf (&io); return -1; } if (logical_resp (&io, newt->nr.notenum, newt->nr.respnum, &oldresp, &offset, &record) == -1) return -1; rlock.l_type = F_RDLCK; rlock.l_whence = SEEK_SET; rlock.l_start = (off_t) (sizeof (int) + (record * sizeof (struct resp_f))); rlock.l_len = (off_t) sizeof (struct resp_f); TEMP_FAILURE_RETRY (fcntl (io.fidrdx, F_SETLKW, &rlock)); memcpy (&resp, &oldresp, sizeof (struct resp_f)); /* We're allowed to change the director message here; it'll save time. */ if (newt->director_message) resp.r_stat[offset] |= DIRMES; else resp.r_stat[offset] &= ~DIRMES; if (!allow (&io, DRCTOK)) { if (io.descr.d_stat & ISMODERATED) note.n_stat |= ISUNAPPROVED; else note.n_stat &= ~ISUNAPPROVED; } else note.n_stat &= ~ISUNAPPROVED; /* Update the response's text record */ puttextrec (&io, newt->text, &daddr, -1); resp.r_addr[offset].addr = daddr.addr; resp.r_addr[offset].textlen = daddr.textlen; /* We could be dealing with a newly anonymous note. Stupid, huh? */ if (newt->options & NOTE_ANONYMOUS) { strncpy (resp.r_auth[offset].aname, "anonymous", NAMESZ); note.n_auth.aid = (int) anon; } /* Set up the descriptor lock (we update the "updated time") */ dlock.l_type = F_RDLCK; dlock.l_whence = SEEK_SET; dlock.l_start = 0; dlock.l_len = (off_t) sizeof (struct descr_f); TEMP_FAILURE_RETRY (fcntl (io.fidndx, F_SETLKW, &dlock)); getdescr (&io, &io.descr); get_uiuc_time (&io.descr.d_lastm, newt->modified); get_uiuc_time (¬e.n_lmod, newt->modified); io.descr.d_delresp++; rlock.l_type = F_WRLCK; TEMP_FAILURE_RETRY (fcntl (io.fidrdx, F_SETLKW, &rlock)); nlock.l_type = F_WRLCK; TEMP_FAILURE_RETRY (fcntl (io.fidndx, F_SETLKW, &nlock)); dlock.l_type = F_WRLCK; TEMP_FAILURE_RETRY (fcntl (io.fidndx, F_SETLKW, &dlock)); putresprec (&io, record, &resp); putnoterec (&io, newt->nr.notenum, ¬e); nlock.l_type = F_UNLCK; fcntl (io.fidndx, F_SETLK, &nlock); putdescr (&io, &io.descr); fdatasync (io.fidrdx); fdatasync (io.fidndx); dlock.l_type = F_UNLCK; fcntl (io.fidndx, F_SETLK, &dlock); rlock.l_type = F_UNLCK; fcntl (io.fidrdx, F_SETLK, &rlock); closenf (&io); return 0; } }
int main(int argc, char *argv[]) { struct stat st; static int socket_serv_fd = -1; char buf[64], shell[PATH_MAX], *result, debuggable[PROPERTY_VALUE_MAX]; char enabled[PROPERTY_VALUE_MAX], build_type[PROPERTY_VALUE_MAX]; char root_settings[PROPERTY_VALUE_MAX]; int i, dballow; mode_t orig_umask; for (i = 1; i < argc; i++) { if (!strcmp(argv[i], "-c") || !strcmp(argv[i], "--command")) { if (++i < argc) { su_to.command = argv[i]; } else { usage(); } } else if (!strcmp(argv[i], "-s") || !strcmp(argv[i], "--shell")) { if (++i < argc) { strncpy(shell, argv[i], sizeof(shell)); shell[sizeof(shell) - 1] = 0; } else { usage(); } } else if (!strcmp(argv[i], "-v") || !strcmp(argv[i], "--version")) { printf("%s\n", VERSION); exit(EXIT_SUCCESS); } else if (!strcmp(argv[i], "-V")) { printf("%d\n", VERSION_CODE); exit(EXIT_SUCCESS); } else if (!strcmp(argv[i], "-h") || !strcmp(argv[i], "--help")) { usage(); } else if (!strcmp(argv[i], "-") || !strcmp(argv[i], "-l") || !strcmp(argv[i], "--login")) { ++i; break; } else { break; } } if (i < argc-1) { usage(); } if (i == argc-1) { struct passwd *pw; pw = getpwnam(argv[i]); if (!pw) { su_to.uid = atoi(argv[i]); } else { su_to.uid = pw->pw_uid; } } if (from_init(&su_from) < 0) { deny(); } property_get("ro.debuggable", debuggable, "0"); property_get(ROOT_ACCESS_PROPERTY, enabled, ROOT_ACCESS_DEFAULT); property_get("ro.build.type", build_type, ""); property_get(ROOT_SETTINGS_PROPERTY, root_settings, ""); orig_umask = umask(027); // Root Settings-specific behavior if (strcmp("1", root_settings) == 0) { // only allow su on debuggable builds if (strcmp("1", debuggable) != 0) { LOGE("Root access is disabled on non-debug builds"); deny(); } // enforce persist.sys.root_access on non-eng builds if (strcmp("eng", build_type) != 0 && (atoi(enabled) & 1) != 1 ) { LOGE("Root access is disabled by system setting - enable it under settings -> developer options"); deny(); } // disallow su in a shell if appropriate if (su_from.uid == AID_SHELL && (atoi(enabled) == 1)) { LOGE("Root access is disabled by a system setting - enable it under settings -> developer options"); deny(); } } if (su_from.uid == AID_ROOT || su_from.uid == AID_SHELL) allow(shell, orig_umask); if (stat(REQUESTOR_DATA_PATH, &st) < 0) { PLOGE("stat"); deny(); } if (st.st_gid != st.st_uid) { LOGE("Bad uid/gid %d/%d for Superuser Requestor application", (int)st.st_uid, (int)st.st_gid); deny(); } if (mkdir(REQUESTOR_CACHE_PATH, 0770) >= 0) { chown(REQUESTOR_CACHE_PATH, st.st_uid, st.st_gid); } setgroups(0, NULL); setegid(st.st_gid); seteuid(st.st_uid); LOGE("sudb - Opening database"); db = database_init(); if (!db) { LOGE("sudb - Could not open database, prompt user"); // if the database could not be opened, we can assume we need to // prompt the user dballow = DB_INTERACTIVE; } else { LOGE("sudb - Database opened"); dballow = database_check(db, &su_from, &su_to); // Close the database, we're done with it. If it stays open, // it will cause problems sqlite3_close(db); db = NULL; LOGE("sudb - Database closed"); } switch (dballow) { case DB_DENY: deny(); case DB_ALLOW: allow(shell, orig_umask); case DB_INTERACTIVE: break; default: deny(); } socket_serv_fd = socket_create_temp(); if (socket_serv_fd < 0) { deny(); } signal(SIGHUP, cleanup_signal); signal(SIGPIPE, cleanup_signal); signal(SIGTERM, cleanup_signal); signal(SIGABRT, cleanup_signal); atexit(cleanup); if (send_intent(&su_from, &su_to, socket_path, -1, 0) < 0) { deny(); } if (socket_receive_result(socket_serv_fd, buf, sizeof(buf)) < 0) { deny(); } close(socket_serv_fd); socket_cleanup(); result = buf; if (!strcmp(result, "DENY")) { deny(); } else if (!strcmp(result, "ALLOW")) { allow(shell, orig_umask); } else { LOGE("unknown response from Superuser Requestor: %s", result); deny(); } deny(); return -1; }
void portthread (void * port_ptr) { SOCKET s; BT_PORT port_info ; port_info = *(BT_PORT*) port_ptr ; s = bt_listen (port_info.port); if (!s) _endthread(); while (1) { socklen_t addrlen = sizeof(SOCKADDR_IN); SOCKADDR_IN addr ; SOCKET client_sock; BT_CLIENT * client ; char reason, *ip; client_sock = accept (s, (SOCKADDR*) &addr, &addrlen); if (client_sock == -1) continue; ip = inet_ntoa (addr.sin_addr); if ((reason = allow(ip)) <= 0) { switch (reason) { case 0: logevent("Refused %s:%i (filter)", ip,port_info.port); break; case -1: logevent("Refused %s:%i (connection limit)", ip,port_info.port); break; case -2: logevent("Refused %s:%i (clone limit)", ip,port_info.port); break; } bt_close(client_sock); continue; } client = addconn(ip,port_info.port); client->sock = client_sock; client->use_pass = port_info.use_pass ; if (client->use_pass) bt_cpy (client->password, port_info.password); if (_beginthread (proxythread,0,client) == -1) { logevent ("Could not create proxy thread for %s:%i", client->ip,client->port); bt_close(client->sock); delconn(client); _endthread(); } } _endthread(); }
void ToolBar::allowTop(bool a) { allow(Qt::TopToolBarArea, a); }
void ToolBar::allowLeft(bool a) { allow(Qt::LeftToolBarArea, a); }
int sdcard_set_write_buffer (uint8_t* buffer, uint32_t len) { return allow(DRIVER_NUM_SDCARD, 1, (void*) buffer, len); }
int filter_frame(u_char *buffer, session_t *sp) { struct ethhdr *eth; struct iphdr *iph; struct ip6_hdr *ipv6h; struct udphdr *udph; struct tcphdr *tcph; struct icmp *icmph; char meth[3]; struct in_addr insaddr,indaddr; struct in6_addr in6src,in6dst; int cnt, i; char dest[20]; enum layer3 {ipv4, ipv6} NET_PROTO; enum layer4 {tcp, udp} TRANS_PROTO; static u_int32_t last_tcpseq, tcpseq; static u_int16_t last_icmpseq, icmpseq; char src_addr6[40], dst_addr6[40]; eth = (struct ethhdr *)buffer; // printf("%x %d %x %x\n",sp->destnet, sp->destmask, sp->network, (inet_addr(DEST_NET))); /* IP layer process */ if(ntohs(eth->h_proto) == ETH_P_IP){ NET_PROTO = ipv4; iph = (struct iphdr *)(buffer+sizeof(struct ethhdr)); } else if(ntohs(eth->h_proto) == ETH_P_IPV6){ // return deny(500); NET_PROTO = ipv6; ipv6h = (struct ip6_hdr *)(buffer+sizeof(struct ethhdr)); } else { /* Receive unsupporting protocol */ return deny(400); } #if 0 /* Transport layer process */ if(NET_PROTO == ipv4){ if(iph->protocol == IPPROTO_TCP){ } else if(iph->protocol == IPPROTO_UDP){ udph = (struct udphdr *)(buffer + sizeof(struct ethhdr) + iph->ihl*UNIT); printf("%d\n", ntohs(udph->len)); } } #endif #if 1 /* Transport layer process */ if(NET_PROTO == ipv4){ if(iph->protocol == IPPROTO_TCP){ /* フラグメントしていない時 */ if((htons(iph->frag_off) & IP_OFFMASK) == 0){ tcph = (struct tcphdr *)(buffer + sizeof(struct ethhdr) + iph->ihl*UNIT); // last_tcpseq = tcpseq; // tcpseq = tcph->seq; TRANS_PROTO = tcp; } } else if(iph->protocol == IPPROTO_UDP){ /* フラグメントしていない時 */ if((htons(iph->frag_off) & IP_OFFMASK) == 0){ udph = (struct udphdr *)(buffer + sizeof(struct ethhdr) + iph->ihl*UNIT); TRANS_PROTO = udp; } } else if(iph->protocol == IPPROTO_ICMP){ icmph = (struct icmp *)(buffer+sizeof(struct ethhdr)+iph->ihl*UNIT); // last_icmpseq = icmpseq; // icmpseq = icmph->icmp_seq; // if(last_icmpseq == icmpseq){ // return deny(2); // } TRANS_PROTO = 98; } else { TRANS_PROTO = 99; /* Do Nothing */ // return deny(); } } else if(NET_PROTO == ipv6){ in6src = ipv6h->ip6_src; in6dst = ipv6h->ip6_dst; if(ipv6h->ip6_nxt == IPPROTO_TCP){ tcph = (struct tcphdr *)(buffer + sizeof(struct ethhdr) + sizeof(struct ip6_hdr)); TRANS_PROTO = tcp; } else if(ipv6h->ip6_nxt == IPPROTO_UDP){ udph = (struct udphdr *)(buffer + sizeof(struct ethhdr) + sizeof(struct ip6_hdr)); TRANS_PROTO = udp; } else { TRANS_PROTO = 99; } } else { NET_PROTO = 99; } /* Filtering Rule */ /* avoid well-known port */ // printf("%d %x\n", iph->id, htons(iph->frag_off)&(IP_OFFMASK) ); if((TRANS_PROTO == udp) && (udph != NULL)){ assert(udph != NULL); for(i = 0;i < sp->d_port_cnt;i++){ if(ntohs(udph->dest) == sp->d_port[i]){ return deny(412); } } /* if(ntohs(udph->dest) < 1024){ return deny(410); } if(ntohs(udph->source) < 1024){ return deny(411); } if(ntohs(udph->dest) == 9004){ return deny(412); } if(ntohs(udph->source) == 9004){ return deny(413); } */ } if((TRANS_PROTO == tcp) && (tcph != NULL)){ /* if(last_tcpseq == tcpseq){ // return deny(4); } if(ntohs(tcph->dest) == 22){ return deny(422); } if(ntohs(tcph->source) == 22){ return deny(422); } if(ntohs(tcph->dest) == 20){ return allow(220); } if(ntohs(tcph->dest) == 21){ return allow(220); } if(ntohs(tcph->dest) == 80){ return allow(220); } if(ntohs(tcph->dest) < 1024){ return deny(420); } if(ntohs(tcph->source) < 1024){ return deny(421); } */ } // packet_dump(buffer); #endif if(NET_PROTO == ipv4){ /* for(cnt = 0; cnt < sp->session_num; cnt++){ sprintf(dest,"%s",sp->ESendAddr[cnt]); // avoid correspond node if(iph->saddr == inet_addr(dest)){ return deny(431); } } */ /* basic ipv4 filter rule */ /* avoid broadcast packet */ // printf("%x\n",sp->netmask^v4MASK); // if(((ntohl(iph->daddr)&0xff)) == 0xff){ if(((ntohl(iph->daddr)&(sp->netmask^v4MASK))) == (sp->netmask^v4MASK)){ return deny(430); } /* avoid sending packet */ //printf("%x %x\n", ntohl(sp->hostip), (iph->saddr)); if(ntohl(sp->hostip) == (iph->saddr)){ return deny(432); } /* avoid incoming packet */ if((sp->hostip) == (iph->daddr)){ return deny(433); } /* if((inet_addr(sp->localnet)&(NETMASK[24].mask)) == (iph->daddr&(NETMASK[24].mask))){ return deny(7); } */ /* For Multicast */ /* Multicastパケットの場合 */ if(IN_MULTICAST(ntohl(iph->daddr))){ /* 他ネットワークからのマルチキャストパケットの場合 */ if(sp->m_taddr){ /* if(iph->saddr == sp->m_taddr){ return m_allow(200); } */ } /* 送信パケットが自ネットワークのもの以外は拒否 */ if(sp->network != (iph->saddr&ntohl(sp->netmask))){ // if((inet_addr(sp->localnet)&(NETMASK[24].mask)) != (iph->saddr&(NETMASK[24].mask))){ return deny(440); } /* Avoid local multicast loop */ // if(inet_addr(sp->localnet) == inet_addr(DEST_NET)){ // if(sp->network == inet_addr(DEST_NET)){ /* 自ネットワークと宛先が同じマルチキャストパケットを拒否 */ /* これはパケットを見ていないんで意味がないかも */ #if 0 if(sp->network == sp->destnet){ return deny(441); } #endif return m_allow(200); } if((sp->destnet&(NETMASK[sp->destmask].mask)) == (iph->daddr&(NETMASK[sp->destmask].mask))){ if(sp->network == (iph->saddr&ntohl(sp->netmask))){ // if((inet_addr(sp->localnet)&(NETMASK[24].mask)) == (iph->saddr&(NETMASK[24].mask))){ // if((inet_addr(LOCAL_NET)&(NETMASK[24].mask)) == (iph->saddr&(NETMASK[24].mask))){ return allow(230); } } } else if(NET_PROTO == ipv6){ /* For Multicast */ // IN6_IS_ADDR_MULTICAST /* if(ntohs(in6dst.s6_addr16[0]) == 0xff02){ return m_allow(300); } */ sprintf(dst_addr6, "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x\n", ntohs(in6dst.s6_addr16[0]), ntohs(in6dst.s6_addr16[1]), ntohs(in6dst.s6_addr16[2]), ntohs(in6dst.s6_addr16[3]), ntohs(in6dst.s6_addr16[4]), ntohs(in6dst.s6_addr16[5]), ntohs(in6dst.s6_addr16[6]), ntohs(in6dst.s6_addr16[7]) ); sprintf(src_addr6, "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x\n", ntohs(in6src.s6_addr16[0]), ntohs(in6src.s6_addr16[1]), ntohs(in6src.s6_addr16[2]), ntohs(in6src.s6_addr16[3]), ntohs(in6src.s6_addr16[4]), ntohs(in6src.s6_addr16[5]), ntohs(in6src.s6_addr16[6]), ntohs(in6src.s6_addr16[7]) ); // printf("%s -> %s\n",src_addr6, dst_addr6); if((ntohs(in6dst.s6_addr16[0])&0xfff0) == 0xff10){ // if(ntohs(in6dst.s6_addr16[0]) == 0xff1e){ //printf("host %s src %s\n", sp->hostip6, src_addr6); /* 送信先が自ネットワークのもののみ送出 */ if(strncmp(sp->hostip6, src_addr6, sp->prefix/OCTET_BITS*OCTET_UNIT) == 0) { return m_allow(301); } /* マルチキャスト転送オプションがセットされている場合 */ if(sp->m_taddr6){ if(strncmp(sp->m_taddr6, src_addr6, sp->prefix/OCTET_BITS*OCTET_UNIT) == 0) { return m_allow(301); } } /* 送信元がリンクローカルアドレスでも送出 */ if(ntohs(in6src.s6_addr16[0]) == 0xfe80){ return m_allow(302); } return deny(533); /* if(ntohs(in6src.s6_addr16[2]) != 0x5102){ return deny(530); } return m_allow(300); */ } } return deny(499); }
bool isNumber(const char *s) { if(s == NULL) return false; while(*s == ' ') s++; string str(s); while(str.back() == ' ') str.pop_back(); if(str.length() == 0) return false; bool firstDigit = false; for(unsigned int i = 0; i < str.length(); ++i){ char c = str[i]; if(!allow(c)) return false; if(!firstDigit && '0' <= c && c <= '9') firstDigit = true; } if(!firstDigit) return false; // str.length > 0, all characters are allowed, at least one digit State state; firstDigit = false; // initialize state switch(str[0]){ case '+': case '-': state = PI; break; case '.': state = PD; break; case 'e': case 'E': state = F; break; default: // [0-9] state = I; firstDigit = true; } for(unsigned int i = 1; i < str.length() && state != F; ++i){ char c = str[i]; if(c == '+' || c == '-'){ switch(state){ case PE: { char prevChar = str[i-1]; if(prevChar != '+' || prevChar != '-') state = PE; else state = F; break; } default: state = F; } }else if(c == 'e' || c == 'E'){ switch(state){ case I: case D: state = PE; break; case PD: if(firstDigit) state = PE; else state = F; break; default: state = F; } }else if(c == '.'){ switch(state){ case I: case PI: state = PD; break; default: state = F; } }else{ // c = [0-9] firstDigit = true; switch(state){ case I: case PI: state = I; break; case D: case PD: state = D; break; case E: case PE: state = E; } } } return state == I || state == D || state == PD || state == E; }
static void setup_call(SIG_ENTITY *sig,unsigned long call_ref) { SOCKET *sock,*this,**walk; struct sockaddr_atmsvc in_addr; struct atm_sap in_sap; struct atm_qos in_qos; unsigned int problem; int i; problem = sap_decode(&in_dsc,&in_addr,&in_sap,&in_qos,sig->uni); if (problem) { send_release_complete(sig,call_ref,IE_PB_CAUSE(problem), IE_PB_IE(problem)); return; } if (!atmsvc_addr_in_use(in_addr)) { send_release_complete(sig,call_ref,ATM_CV_UNALLOC); return; } if (!allow(&in_addr,ACL_IN)) { send_release_complete(sig,call_ref,ATM_CV_REJ_CLIR); return; } this = new_sock(kptr_null); this->sig = sig; sock = lookup_sap(&in_addr,&in_sap,&in_qos,&this->local,&this->sap, &this->qos,0); if (!sock) { free_sock(this); send_release_complete(sig,call_ref,ATM_CV_INCOMP_DEST); return; } this->state = sig->mode == sm_net ? ss_proceeding : ss_indicated; this->call_state = cs_in_proc; this->call_ref = call_ref; if (q_present(&in_dsc,QF_ep_ref)) this->ep_ref = cvt_ep_ref(sig,q_fetch(&in_dsc,QF_ep_ref)); #ifdef CISCO else #endif if (sig->mode == sm_net) { int error; error = send_call_proceeding(this); if (error) { free_sock(this); send_release_complete(sig,call_ref,ATM_CV_NO_CI); return; } } /* if (sock->local) *this->local->sas_addr = sock->local->sas_addr; ??? */ diag(COMPONENT,DIAG_DEBUG,"AAL type %ld",q_fetch(&in_dsc,QF_aal_type)); if (sig->mode == sm_user) { /* already set by send_call_proceeding */ int vpci; vpci = q_fetch(&in_dsc,QF_vpi); this->pvc.sap_family = AF_ATMPVC; this->pvc.sap_addr.itf = get_itf(sig,&vpci); this->pvc.sap_addr.vpi = vpci; this->pvc.sap_addr.vci = q_fetch(&in_dsc,QF_vci); } diag(COMPONENT,DIAG_DEBUG,"ITF.VPI.VCI: %d.%d.%d",this->pvc.sap_addr.itf, this->pvc.sap_addr.vpi,this->pvc.sap_addr.vci); if (q_present(&in_dsc,QF_cgpn)) { /* should handle E.164 too */ char buffer[MAX_ATM_ADDR_LEN+1]; int plan; plan = q_fetch(&in_dsc,QF_cgpn_plan); switch (plan) { case ATM_NP_AEA: i = q_read(&in_dsc,QF_cgpn,(void *) this->remote.sas_addr.prv, ATM_ESA_LEN); break; case ATM_NP_E164: i = q_read(&in_dsc,QF_cgpn,(void *) this->remote.sas_addr.pub, ATM_E164_LEN); break; default: diag(COMPONENT,DIAG_WARN,"Ignoring cgpn with unrecognized " "numbering plan 0x%x\n",plan); i = 0; } if (i) { this->remote.sas_family = AF_ATMSVC; if (atm2text(buffer,MAX_ATM_ADDR_LEN+1, (struct sockaddr *) &this->remote,pretty) < 0) strcpy(buffer,"<invalid address>"); diag(COMPONENT,DIAG_DEBUG,"Incoming call from %s",buffer); } } send_kernel(kptr_null,sock->id,as_indicate,0,&this->pvc,&this->remote, &in_addr,&this->sap,&this->qos); for (walk = &sock->listen; *walk; walk = &(*walk)->listen); *walk = this; diag(COMPONENT,DIAG_DEBUG,"SE vpi.vci=%d.%d",this->pvc.sap_addr.vpi, this->pvc.sap_addr.vci); }
int put_resp (struct io_f *io, struct daddr_f *where, struct newt *newt, int flags) { struct note_f note; struct resp_f resp; struct flock dlock, nlock, rlock; int lastin, phys, i; rlock.l_whence = SEEK_SET; nlock.l_type = F_RDLCK; nlock.l_whence = SEEK_SET; nlock.l_start = (off_t) (sizeof (struct descr_f) + (newt->nr.notenum * sizeof (struct note_f))); nlock.l_len = (off_t) sizeof (struct note_f); TEMP_FAILURE_RETRY (fcntl (io->fidndx, F_SETLKW, &nlock)); getnoterec (io, newt->nr.notenum, ¬e); if (note.n_rindx < 0) { lastin = note.n_rindx = get_new_resp_block (io); resp.r_first = 1; resp.r_last = 0; resp.r_previous = -1; resp.r_next = -1; for (i=0; i<RESPSZ; i++) resp.r_stat[i] = 0; } else { rlock.l_type = F_RDLCK; rlock.l_start = (off_t) (sizeof (int) + (note.n_rindx * sizeof (struct resp_f))); rlock.l_len = (off_t) sizeof (struct resp_f); TEMP_FAILURE_RETRY (fcntl (io->fidrdx, F_SETLKW, &rlock)); getresprec (io, lastin = note.n_rindx, &resp); rlock.l_type = F_UNLCK; fcntl (io->fidrdx, F_SETLK, &rlock); } i = phys = 0; while (i < note.n_nresp) { if (phys >= RESPSZ) { rlock.l_type = F_RDLCK; rlock.l_start = (off_t) (sizeof (int) + (resp.r_next * sizeof (struct resp_f))); rlock.l_len = (off_t) sizeof (struct resp_f); TEMP_FAILURE_RETRY (fcntl (io->fidrdx, F_SETLKW, &rlock)); phys = 0; getresprec (io, lastin = resp.r_next, &resp); rlock.l_type = F_UNLCK; fcntl (io->fidrdx, F_SETLK, &rlock); } if ((resp.r_stat[phys] & NOTE_DELETED) == 0) i++; phys++; } if (phys >= RESPSZ) /* We are in a new block of responses. */ { phys = 0; resp.r_next = get_new_resp_block (io); rlock.l_type = F_WRLCK; rlock.l_start = (off_t) (sizeof (int) + (lastin * sizeof (struct resp_f))); rlock.l_len = (off_t) sizeof (struct resp_f); TEMP_FAILURE_RETRY (fcntl (io->fidrdx, F_SETLKW, &rlock)); putresprec (io, lastin, &resp); resp.r_previous = lastin; lastin = resp.r_next; resp.r_next = -1; resp.r_first = note.n_nresp + 1; resp.r_last = resp.r_first - 1; for (i=0; i<RESPSZ; i++) resp.r_stat[i] = 0; } fdatasync (io->fidrdx); rlock.l_type = F_RDLCK; rlock.l_start = (off_t) (sizeof (int) + (lastin * sizeof (struct resp_f))); rlock.l_len = (off_t) sizeof (struct resp_f); TEMP_FAILURE_RETRY (fcntl (io->fidrdx, F_SETLKW, &rlock)); note.n_nresp++; resp.r_addr[phys].addr = where->addr; resp.r_addr[phys].textlen = where->textlen; strncpy (resp.r_auth[phys].aname, newt->auth.name, NAMESZ); strncpy (resp.r_auth[phys].asystem, newt->auth.system, HOMESYSSZ); resp.r_auth[phys].aid = (int) newt->auth.uid; strncpy (resp.r_from[phys], newt->auth.system, SYSSZ); resp.r_stat[phys] = 0; if (newt->director_message && allow (io, DRCTOK)) resp.r_stat[phys] |= DIRMES; /* Adjust moderation flag appropriately. */ if (flags & SKIP_MODERATION) { if (newt->options & NOTE_UNAPPROVED) resp.r_stat[phys] |= ISUNAPPROVED; } else if (io->descr.d_stat & ISMODERATED && !allow (io, DRCTOK)) resp.r_stat[phys] |= ISUNAPPROVED; if (newt->options & NOTE_ANONYMOUS) strncpy (resp.r_auth[phys].aname, "anonymous", NAMESZ); /* Prepare to alter the descriptor. */ dlock.l_type = F_RDLCK; dlock.l_whence = SEEK_SET; dlock.l_start = 0; dlock.l_len = (off_t) sizeof (struct descr_f); TEMP_FAILURE_RETRY (fcntl (io->fidndx, F_SETLKW, &dlock)); getdescr (io, &io->descr); if (flags & ADD_ID) { strncpy (resp.r_id[phys].sys, newt->auth.system, SYSSZ); resp.r_id[phys].uniqid = ++io->descr.d_id.uniqid; resp.r_id[phys].uniqid += UNIQPLEX * io->descr.d_nfnum; } else { strncpy (resp.r_id[phys].sys, newt->id.system, SYSSZ); resp.r_id[phys].sys[SYSSZ - 1] = '\0'; resp.r_id[phys].uniqid = newt->id.number; } if (flags & UPDATE_TIMES) { get_uiuc_time (&io->descr.d_lastm, newt->created); get_uiuc_time (¬e.n_lmod, newt->modified); } get_uiuc_time (&resp.r_when[phys], newt->created); get_uiuc_time (&resp.r_rcvd[phys], newt->created); resp.r_last++; rlock.l_type = F_WRLCK; TEMP_FAILURE_RETRY (fcntl (io->fidrdx, F_SETLKW, &rlock)); nlock.l_type = F_WRLCK; TEMP_FAILURE_RETRY (fcntl (io->fidndx, F_SETLKW, &nlock)); dlock.l_type = F_WRLCK; TEMP_FAILURE_RETRY (fcntl (io->fidndx, F_SETLKW, &dlock)); putresprec (io, lastin, &resp); putnoterec (io, newt->nr.notenum, ¬e); io->descr.d_rspwrit++; nlock.l_type = F_UNLCK; fcntl (io->fidndx, F_SETLK, &nlock); putdescr (io, &io->descr); fdatasync (io->fidrdx); fdatasync (io->fidndx); dlock.l_type = F_UNLCK; fcntl (io->fidndx, F_SETLK, &dlock); rlock.l_type = F_UNLCK; fcntl (io->fidrdx, F_SETLK, &rlock); return note.n_nresp; }
void ToolBar::allowRight(bool a) { allow(Qt::RightToolBarArea, a); }
int uiuc_write_note (struct notesfile *nf, struct newt *newt, int flags) { struct io_f io; struct daddr_f daddr; int result; int error; if (newt->nr.notenum < -1 || newt->nr.notenum > nf->total_notes) return -1; flags &= ~SKIP_MODERATION; /* Not allowed via the public interface. */ error = init (&io, nf->ref); if (error != NEWTS_NO_ERROR) return error; if (io.descr.d_stat & NFINVALID) { closenf (&io); return -1; } if (io.descr.d_stat & ISARCHIVE && !allow (&io, DRCTOK)) { closenf (&io); return -2; } if (newt->nr.notenum == -1) { /* We have a new basenote here. */ if (!allow (&io, WRITOK)) { closenf (&io); return -2; } puttextrec (&io, newt->text, &daddr, -1); result = put_note (&io, &daddr, newt, flags); if (result < 0) { closenf (&io); return result; } if (!(flags & ADD_POLICY)) nf->total_notes++; closenf (&io); return result; } else { /* Reject responses to the policy note ... for now. */ if (newt->nr.notenum == 0) return -1; if (!allow (&io, RESPOK)) { closenf (&io); return -2; } puttextrec (&io, newt->text, &daddr, -1); result = put_resp (&io, &daddr, newt, flags); closenf (&io); return result; } }
void ToolBar::allowBottom(bool a) { allow(Qt::BottomToolBarArea, a); }
bool operator()(const std::wstring& name) { return allow(name); }