manager: also audit-log early failure to setting property
This commit is contained in:
Thomas Haller
@@ -4378,6 +4378,7 @@ typedef struct {
|
|||||||
NMAuthSubject *subject;
|
NMAuthSubject *subject;
|
||||||
const char *permission;
|
const char *permission;
|
||||||
const char *audit_op;
|
const char *audit_op;
|
||||||
|
char *audit_prop_value;
|
||||||
GObject *object;
|
GObject *object;
|
||||||
const char *property;
|
const char *property;
|
||||||
gboolean set_enable;
|
gboolean set_enable;
|
||||||
@@ -4391,6 +4392,7 @@ free_property_filter_data (PropertyFilterData *pfd)
|
|||||||
g_object_unref (pfd->message);
|
g_object_unref (pfd->message);
|
||||||
g_object_unref (pfd->subject);
|
g_object_unref (pfd->subject);
|
||||||
g_object_unref (pfd->object);
|
g_object_unref (pfd->object);
|
||||||
|
g_free (pfd->audit_prop_value);
|
||||||
g_slice_free (PropertyFilterData, pfd);
|
g_slice_free (PropertyFilterData, pfd);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -4403,23 +4405,20 @@ prop_set_auth_done_cb (NMAuthChain *chain,
|
|||||||
PropertyFilterData *pfd = user_data;
|
PropertyFilterData *pfd = user_data;
|
||||||
NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (pfd->self);
|
NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (pfd->self);
|
||||||
NMAuthCallResult result;
|
NMAuthCallResult result;
|
||||||
gs_free char *prop_value = NULL;
|
|
||||||
GDBusMessage *reply;
|
GDBusMessage *reply;
|
||||||
|
|
||||||
prop_value = g_strdup_printf ("%s:%d", pfd->property, pfd->set_enable);
|
|
||||||
|
|
||||||
priv->auth_chains = g_slist_remove (priv->auth_chains, chain);
|
priv->auth_chains = g_slist_remove (priv->auth_chains, chain);
|
||||||
result = nm_auth_chain_get_result (chain, pfd->permission);
|
result = nm_auth_chain_get_result (chain, pfd->permission);
|
||||||
if (error || (result != NM_AUTH_CALL_RESULT_YES)) {
|
if (error || (result != NM_AUTH_CALL_RESULT_YES)) {
|
||||||
reply = g_dbus_message_new_method_error (pfd->message,
|
reply = g_dbus_message_new_method_error (pfd->message,
|
||||||
NM_PERM_DENIED_ERROR,
|
NM_PERM_DENIED_ERROR,
|
||||||
"Not authorized to perform this operation");
|
"Not authorized to perform this operation");
|
||||||
nm_audit_log_control_op (pfd->audit_op, prop_value, FALSE, pfd->subject, error ? error->message : NULL);
|
nm_audit_log_control_op (pfd->audit_op, pfd->audit_prop_value, FALSE, pfd->subject, error ? error->message : NULL);
|
||||||
} else {
|
} else {
|
||||||
g_object_set (pfd->object, pfd->property, pfd->set_enable, NULL);
|
g_object_set (pfd->object, pfd->property, pfd->set_enable, NULL);
|
||||||
reply = g_dbus_message_new_method_reply (pfd->message);
|
reply = g_dbus_message_new_method_reply (pfd->message);
|
||||||
g_dbus_message_set_body (reply, g_variant_new_tuple (NULL, 0));
|
g_dbus_message_set_body (reply, g_variant_new_tuple (NULL, 0));
|
||||||
nm_audit_log_control_op (pfd->audit_op, prop_value, TRUE, pfd->subject, NULL);
|
nm_audit_log_control_op (pfd->audit_op, pfd->audit_prop_value, TRUE, pfd->subject, NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
g_dbus_connection_send_message (pfd->connection, reply,
|
g_dbus_connection_send_message (pfd->connection, reply,
|
||||||
@@ -4438,12 +4437,13 @@ do_set_property_check (gpointer user_data)
|
|||||||
NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (pfd->self);
|
NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (pfd->self);
|
||||||
GDBusMessage *reply = NULL;
|
GDBusMessage *reply = NULL;
|
||||||
NMAuthChain *chain;
|
NMAuthChain *chain;
|
||||||
|
const char *error_message = NULL;
|
||||||
|
|
||||||
pfd->subject = nm_auth_subject_new_unix_process_from_message (pfd->connection, pfd->message);
|
pfd->subject = nm_auth_subject_new_unix_process_from_message (pfd->connection, pfd->message);
|
||||||
if (!pfd->subject) {
|
if (!pfd->subject) {
|
||||||
reply = g_dbus_message_new_method_error (pfd->message,
|
reply = g_dbus_message_new_method_error (pfd->message,
|
||||||
NM_PERM_DENIED_ERROR,
|
NM_PERM_DENIED_ERROR,
|
||||||
"Could not determine request UID.");
|
(error_message = "Could not determine request UID."));
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -4452,7 +4452,7 @@ do_set_property_check (gpointer user_data)
|
|||||||
if (!chain) {
|
if (!chain) {
|
||||||
reply = g_dbus_message_new_method_error (pfd->message,
|
reply = g_dbus_message_new_method_error (pfd->message,
|
||||||
NM_PERM_DENIED_ERROR,
|
NM_PERM_DENIED_ERROR,
|
||||||
"Could not authenticate request.");
|
(error_message = "Could not authenticate request."));
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -4461,6 +4461,7 @@ do_set_property_check (gpointer user_data)
|
|||||||
|
|
||||||
out:
|
out:
|
||||||
if (reply) {
|
if (reply) {
|
||||||
|
nm_audit_log_control_op (pfd->audit_op, pfd->audit_prop_value, FALSE, pfd->subject, error_message);
|
||||||
g_dbus_connection_send_message (pfd->connection, reply,
|
g_dbus_connection_send_message (pfd->connection, reply,
|
||||||
G_DBUS_SEND_MESSAGE_FLAGS_NONE,
|
G_DBUS_SEND_MESSAGE_FLAGS_NONE,
|
||||||
NULL, NULL);
|
NULL, NULL);
|
||||||
@@ -4556,6 +4557,7 @@ prop_filter (GDBusConnection *connection,
|
|||||||
pfd->property = glib_propname;
|
pfd->property = glib_propname;
|
||||||
pfd->set_enable = set_enable;
|
pfd->set_enable = set_enable;
|
||||||
pfd->audit_op = audit_op;
|
pfd->audit_op = audit_op;
|
||||||
|
pfd->audit_prop_value = g_strdup_printf ("%s:%d", pfd->property, pfd->set_enable);
|
||||||
g_idle_add (do_set_property_check, pfd);
|
g_idle_add (do_set_property_check, pfd);
|
||||||
|
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|||||||
Reference in New Issue
Block a user