Exemplo n.º 1
/**
 * Create the InfoPipe request context for an incoming sbus request and
 * authorize the caller against the responder's allowed-UID list.
 *
 * The new struct ifp_req is allocated with dbus_req as its talloc parent.
 * It is handed to the caller through _ifp_req only when every check passes;
 * on any failure after allocation it is freed and *_ifp_req is not written.
 *
 * @param dbus_req  Incoming request; dbus_req->client identifies the caller.
 * @param ifp_ctx   InfoPipe responder context (sysbus connection and ACL).
 * @param _ifp_req  Output: the newly created request on success.
 *
 * @return EOK on success,
 *         EINVAL if the responder has no sysbus connection,
 *         ENOMEM if the allocation fails,
 *         EACCES if the caller is unidentified or not in the ACL,
 *         or any other error reported by check_allowed_uids().
 */
errno_t ifp_req_create(struct sbus_request *dbus_req,
                       struct ifp_ctx *ifp_ctx,
                       struct ifp_req **_ifp_req)
{
    struct ifp_req *new_req;
    errno_t acl_ret;

    if (ifp_ctx->sysbus == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Responder not connected to sysbus!\n");
        return EINVAL;
    }

    new_req = talloc_zero(dbus_req, struct ifp_req);
    if (new_req == NULL) {
        return ENOMEM;
    }

    new_req->ifp_ctx = ifp_ctx;
    new_req->dbus_req = dbus_req;

    /* Fail closed: a sysbus message whose caller could not be identified
     * must never reach the ACL lookup.
     * NOTE(review): only the exact sentinel -1 is rejected here; confirm
     * that no other negative client value can be produced upstream. */
    if (dbus_req->client == -1) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "BUG: Received a message without a known caller!\n");
        talloc_free(new_req);
        return EACCES;
    }

    acl_ret = check_allowed_uids(dbus_req->client,
                                 ifp_ctx->rctx->allowed_uids_count,
                                 ifp_ctx->rctx->allowed_uids);
    if (acl_ret != EOK) {
        /* Distinguish a plain denial from a failure of the lookup itself so
         * the two cases can be told apart in the logs. */
        if (acl_ret == EACCES) {
            DEBUG(SSSDBG_MINOR_FAILURE,
                  "User %"PRIi64" not in ACL\n", dbus_req->client);
        } else {
            DEBUG(SSSDBG_OP_FAILURE,
                  "Cannot check if user %"PRIi64" is present in ACL\n",
                  dbus_req->client);
        }
        talloc_free(new_req);
        return acl_ret;
    }

    *_ifp_req = new_req;
    return EOK;
}
Exemplo n.º 2
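/**
 * Decide whether the sender of an sbus request may use the InfoPipe.
 *
 * Two checks are applied in order:
 *   1. the sender's UID must be in the responder's allowed-UID list;
 *   2. for a property GET on the Users.User interface, the requested
 *      property must pass ifp_is_user_attr_allowed().
 *
 * @param sbus_req  Request being authorized (sender, type, interface,
 *                  property).
 * @param ifp_ctx   InfoPipe responder context holding the ACL.
 *
 * @return EOK if access is granted,
 *         EACCES if the UID or the requested attribute is not allowed,
 *         or any other error reported by check_allowed_uids().
 */
errno_t
ifp_access_check(struct sbus_request *sbus_req,
                 struct ifp_ctx *ifp_ctx)
{
    uid_t uid;
    errno_t ret;

    /* We allow those special cases to access infopipe.
     * NOTE(review): a negative sender UID returns EOK before BOTH the UID
     * ACL and the per-attribute check below, so this branch is a complete
     * bypass. Which senders are given a negative UID is decided outside
     * this function; confirm that an unprivileged peer can never be
     * assigned one. */
    if (sbus_req->sender->uid < 0) {
        return EOK;
    }

    uid = (uid_t)sbus_req->sender->uid;

    ret = check_allowed_uids(uid,
                             ifp_ctx->rctx->allowed_uids_count,
                             ifp_ctx->rctx->allowed_uids);
    if (ret == EACCES) {
        DEBUG(SSSDBG_MINOR_FAILURE, "User %"PRIi64" not in ACL\n",
              sbus_req->sender->uid);
        return ret;
    } else if (ret != EOK) {
        /* The original literal lacked the space before "is", so the UID and
         * the following word ran together in the log line. */
        DEBUG(SSSDBG_OP_FAILURE, "Cannot check if user %"PRIi64
              " is present in ACL\n", sbus_req->sender->uid);
        return ret;
    }

    switch (sbus_req->type) {
    case SBUS_REQUEST_PROPERTY_GET:
        /* Only user-object properties are filtered by the attribute
         * allow-list; reads on other interfaces pass through. */
        if (strcmp(sbus_req->interface, "org.freedesktop.sssd.infopipe.Users.User") == 0) {
            if (!ifp_is_user_attr_allowed(ifp_ctx, sbus_req->property)) {
                DEBUG(SSSDBG_TRACE_ALL, "Attribute %s is not allowed\n",
                      sbus_req->property);
                return EACCES;
            }
        }
        break;
    default:
        /* Every other request type is allowed once the UID ACL passed. */
        break;
    }

    return EOK;
}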