colin/NetworkManager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

manager: add audit support

Browse Source
This commit is contained in:
Beniamino Galvani
2015-07-14 10:26:54 +02:00
parent 0d4dfe5007
commit f834a08d0b
1 changed files with 79 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

85
src/nm-manager.c
View File

@@ -57,6 +57,7 @@
#include "nm-activation-request.h" #include "nm-activation-request.h"
#include "nm-core-internal.h" #include "nm-core-internal.h"
#include "nm-config.h" #include "nm-config.h"
#include "nm-audit-manager.h"
static gboolean impl_manager_get_devices (NMManager *manager, static gboolean impl_manager_get_devices (NMManager *manager,
GPtrArray **devices, GPtrArray **devices,
@@ -3093,10 +3094,17 @@ _activation_auth_done (NMActiveConnection *active,
NMManager *self = user_data1; NMManager *self = user_data1;
DBusGMethodInvocation *context = user_data2; DBusGMethodInvocation *context = user_data2;
GError *error = NULL; GError *error = NULL;
NMAuthSubject *subject;
NMConnection *connection;
subject = nm_active_connection_get_subject (active);
connection = nm_active_connection_get_connection (active);
if (success) { if (success) {
if (_internal_activate_generic (self, active, &error)) { if (_internal_activate_generic (self, active, &error)) {
dbus_g_method_return (context, nm_exported_object_get_path (NM_EXPORTED_OBJECT (active))); dbus_g_method_return (context, nm_exported_object_get_path (NM_EXPORTED_OBJECT (active)));
nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ACTIVATE, connection, TRUE,
subject, NULL);
g_object_unref (active); g_object_unref (active);
return; return;
} }
@@ -3108,7 +3116,10 @@ _activation_auth_done (NMActiveConnection *active,
g_assert (error); g_assert (error);
dbus_g_method_return_error (context, error); dbus_g_method_return_error (context, error);
nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ACTIVATE, connection, FALSE,
subject, error->message);
_internal_activation_failed (self, active, error->message); _internal_activation_failed (self, active, error->message);
g_object_unref (active); g_object_unref (active);
g_error_free (error); g_error_free (error);
} }
@@ -3123,7 +3134,7 @@ impl_manager_activate_connection (NMManager *self,
NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (self); NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (self);
NMActiveConnection *active = NULL; NMActiveConnection *active = NULL;
NMAuthSubject *subject = NULL; NMAuthSubject *subject = NULL;
NMConnection *connection; NMConnection *connection = NULL;
NMDevice *device = NULL; NMDevice *device = NULL;
gboolean is_vpn = FALSE; gboolean is_vpn = FALSE;
GError *error = NULL; GError *error = NULL;
@@ -3215,6 +3226,10 @@ impl_manager_activate_connection (NMManager *self,
return; return;
error: error:
if (connection) {
nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ACTIVATE, connection, FALSE,
subject, error->message);
}
g_clear_object (&active); g_clear_object (&active);
g_clear_object (&subject); g_clear_object (&subject);
@@ -3250,6 +3265,11 @@ activation_add_done (NMSettings *self,
dbus_g_method_return (context, dbus_g_method_return (context,
nm_connection_get_path (NM_CONNECTION (new_connection)), nm_connection_get_path (NM_CONNECTION (new_connection)),
nm_exported_object_get_path (NM_EXPORTED_OBJECT (info->active))); nm_exported_object_get_path (NM_EXPORTED_OBJECT (info->active)));
nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD_ACTIVATE,
nm_active_connection_get_connection (info->active),
TRUE,
nm_active_connection_get_subject (info->active),
NULL);
goto done; goto done;
} }
error = local; error = local;
@@ -3259,6 +3279,11 @@ activation_add_done (NMSettings *self,
_internal_activation_failed (info->manager, info->active, error->message); _internal_activation_failed (info->manager, info->active, error->message);
nm_settings_connection_delete (new_connection, NULL, NULL); nm_settings_connection_delete (new_connection, NULL, NULL);
dbus_g_method_return_error (context, error); dbus_g_method_return_error (context, error);
nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD_ACTIVATE,
nm_active_connection_get_connection (info->active),
FALSE,
nm_active_connection_get_subject (info->active),
error->message);
g_clear_error (&local); g_clear_error (&local);
done: done:
@@ -3297,6 +3322,11 @@ _add_and_activate_auth_done (NMActiveConnection *active,
NM_MANAGER_ERROR_PERMISSION_DENIED, NM_MANAGER_ERROR_PERMISSION_DENIED,
error_desc); error_desc);
dbus_g_method_return_error (context, error); dbus_g_method_return_error (context, error);
nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD_ACTIVATE,
nm_active_connection_get_connection (active),
FALSE,
nm_active_connection_get_subject (active),
error->message);
g_error_free (error); g_error_free (error);
} }
@@ -3403,6 +3433,7 @@ impl_manager_add_and_activate_connection (NMManager *self,
return; return;
error: error:
nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD_ACTIVATE, connection, FALSE, subject, error->message);
g_clear_object (&connection); g_clear_object (&connection);
g_slist_free (all_connections); g_slist_free (all_connections);
g_clear_object (&subject); g_clear_object (&subject);
@@ -3466,12 +3497,16 @@ deactivate_net_auth_done_cb (NMAuthChain *chain,
NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (self); NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (self);
GError *error = NULL; GError *error = NULL;
NMAuthCallResult result; NMAuthCallResult result;
NMActiveConnection *active;
char *path;
g_assert (context); g_assert (context);
priv->auth_chains = g_slist_remove (priv->auth_chains, chain); priv->auth_chains = g_slist_remove (priv->auth_chains, chain);
path = nm_auth_chain_get_data (chain, "path");
result = nm_auth_chain_get_result (chain, NM_AUTH_PERMISSION_NETWORK_CONTROL); result = nm_auth_chain_get_result (chain, NM_AUTH_PERMISSION_NETWORK_CONTROL);
active = active_connection_get_by_path (self, path);
if (auth_error) { if (auth_error) {
nm_log_dbg (LOGD_CORE, "Disconnect request failed: %s", auth_error->message); nm_log_dbg (LOGD_CORE, "Disconnect request failed: %s", auth_error->message);
@@ -3486,7 +3521,7 @@ deactivate_net_auth_done_cb (NMAuthChain *chain,
} else { } else {
/* success; deactivation allowed */ /* success; deactivation allowed */
if (!nm_manager_deactivate_connection (self, if (!nm_manager_deactivate_connection (self,
nm_auth_chain_get_data (chain, "path"), path,
NM_DEVICE_STATE_REASON_USER_REQUESTED, NM_DEVICE_STATE_REASON_USER_REQUESTED,
&error)) &error))
g_assert (error); g_assert (error);
@@ -3497,6 +3532,14 @@ deactivate_net_auth_done_cb (NMAuthChain *chain,
else else
dbus_g_method_return (context); dbus_g_method_return (context);
if (active) {
nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DEACTIVATE,
nm_active_connection_get_connection (active),
!error,
nm_auth_chain_get_subject (chain),
error ? error->message : NULL);
}
g_clear_error (&error); g_clear_error (&error);
nm_auth_chain_unref (chain); nm_auth_chain_unref (chain);
} }
@@ -3565,9 +3608,14 @@ impl_manager_deactivate_connection (NMManager *self,
nm_auth_chain_add_call (chain, NM_AUTH_PERMISSION_NETWORK_CONTROL, TRUE); nm_auth_chain_add_call (chain, NM_AUTH_PERMISSION_NETWORK_CONTROL, TRUE);
done: done:
g_clear_object (&subject); if (error) {
if (error)
dbus_g_method_return_error (context, error); dbus_g_method_return_error (context, error);
if (connection) {
nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DEACTIVATE, connection, FALSE,
subject, error->message);
}
}
g_clear_object (&subject);
g_clear_error (&error); g_clear_error (&error);
} }
@@ -3729,6 +3777,7 @@ impl_manager_sleep (NMManager *self,
{ {
NMManagerPrivate *priv; NMManagerPrivate *priv;
GError *error = NULL; GError *error = NULL;
gs_unref_object NMAuthSubject *subject = NULL;
#if 0 #if 0
NMAuthChain *chain; NMAuthChain *chain;
const char *error_desc = NULL; const char *error_desc = NULL;
@@ -3737,12 +3786,15 @@ impl_manager_sleep (NMManager *self,
g_return_if_fail (NM_IS_MANAGER (self)); g_return_if_fail (NM_IS_MANAGER (self));
priv = NM_MANAGER_GET_PRIVATE (self); priv = NM_MANAGER_GET_PRIVATE (self);
subject = nm_auth_subject_new_unix_process_from_context (context);
if (priv->sleeping == do_sleep) { if (priv->sleeping == do_sleep) {
error = g_error_new (NM_MANAGER_ERROR, error = g_error_new (NM_MANAGER_ERROR,
NM_MANAGER_ERROR_ALREADY_ASLEEP_OR_AWAKE, NM_MANAGER_ERROR_ALREADY_ASLEEP_OR_AWAKE,
"Already %s", do_sleep ? "asleep" : "awake"); "Already %s", do_sleep ? "asleep" : "awake");
dbus_g_method_return_error (context, error); dbus_g_method_return_error (context, error);
nm_audit_log_control_op (NM_AUDIT_OP_SLEEP_CONTROL, do_sleep ? "on" : "off", FALSE, subject,
error->message);
g_error_free (error); g_error_free (error);
return; return;
} }
@@ -3756,6 +3808,7 @@ impl_manager_sleep (NMManager *self,
* D-Bus permissions to restrict the call to root. * D-Bus permissions to restrict the call to root.
*/ */
_internal_sleep (self, do_sleep); _internal_sleep (self, do_sleep);
nm_audit_log_control_op (NM_AUDIT_OP_SLEEP_CONTROL, do_sleep ? "on" : "off", TRUE, subject, NULL);
dbus_g_method_return (context); dbus_g_method_return (context);
return; return;
@@ -3832,10 +3885,13 @@ enable_net_done_cb (NMAuthChain *chain,
GError *ret_error = NULL; GError *ret_error = NULL;
NMAuthCallResult result; NMAuthCallResult result;
gboolean enable; gboolean enable;
NMAuthSubject *subject;
g_assert (context); g_assert (context);
priv->auth_chains = g_slist_remove (priv->auth_chains, chain); priv->auth_chains = g_slist_remove (priv->auth_chains, chain);
enable = GPOINTER_TO_UINT (nm_auth_chain_get_data (chain, "enable"));
subject = nm_auth_chain_get_subject (chain);
result = nm_auth_chain_get_result (chain, NM_AUTH_PERMISSION_ENABLE_DISABLE_NETWORK); result = nm_auth_chain_get_result (chain, NM_AUTH_PERMISSION_ENABLE_DISABLE_NETWORK);
if (error) { if (error) {
@@ -3850,13 +3906,16 @@ enable_net_done_cb (NMAuthChain *chain,
"Not authorized to enable/disable networking"); "Not authorized to enable/disable networking");
} else { } else {
/* Auth success */ /* Auth success */
enable = GPOINTER_TO_UINT (nm_auth_chain_get_data (chain, "enable"));
_internal_enable (self, enable); _internal_enable (self, enable);
dbus_g_method_return (context); dbus_g_method_return (context);
nm_audit_log_control_op (NM_AUDIT_OP_NET_CONTROL, enable ? "on" : "off", TRUE,
subject, NULL);
} }
if (ret_error) { if (ret_error) {
dbus_g_method_return_error (context, ret_error); dbus_g_method_return_error (context, ret_error);
nm_audit_log_control_op (NM_AUDIT_OP_NET_CONTROL, enable ? "on" : "off", FALSE,
subject, ret_error->message);
g_error_free (ret_error); g_error_free (ret_error);
} }
@@ -4364,9 +4423,11 @@ prop_set_auth_done_cb (NMAuthChain *chain,
DBusConnection *connection; DBusConnection *connection;
NMAuthCallResult result; NMAuthCallResult result;
DBusMessage *reply = NULL, *message; DBusMessage *reply = NULL, *message;
const char *permission, *prop; const char *permission, *prop, *audit_op;
GObject *obj; GObject *obj;
gboolean set_enabled = TRUE; gboolean set_enabled = TRUE;
NMAuthSubject *subject;
gs_free char *prop_value = NULL;
priv->auth_chains = g_slist_remove (priv->auth_chains, chain); priv->auth_chains = g_slist_remove (priv->auth_chains, chain);
@@ -4375,15 +4436,21 @@ prop_set_auth_done_cb (NMAuthChain *chain,
prop = nm_auth_chain_get_data (chain, "prop"); prop = nm_auth_chain_get_data (chain, "prop");
set_enabled = GPOINTER_TO_UINT (nm_auth_chain_get_data (chain, "enabled")); set_enabled = GPOINTER_TO_UINT (nm_auth_chain_get_data (chain, "enabled"));
obj = nm_auth_chain_get_data (chain, "object"); obj = nm_auth_chain_get_data (chain, "object");
audit_op = nm_auth_chain_get_data (chain, "audit-op");
prop_value = g_strdup_printf ("%s:%d", prop, set_enabled);
result = nm_auth_chain_get_result (chain, permission); result = nm_auth_chain_get_result (chain, permission);
subject = nm_auth_chain_get_subject (chain);
if (error || (result != NM_AUTH_CALL_RESULT_YES)) { if (error || (result != NM_AUTH_CALL_RESULT_YES)) {
reply = dbus_message_new_error (message, reply = dbus_message_new_error (message,
NM_IS_DEVICE (obj) ? DEV_PERM_DENIED_ERROR : NM_PERM_DENIED_ERROR, NM_IS_DEVICE (obj) ? DEV_PERM_DENIED_ERROR : NM_PERM_DENIED_ERROR,
"Not authorized to perform this operation"); "Not authorized to perform this operation");
nm_audit_log_control_op (audit_op, prop_value, FALSE, subject, error ? error->message : NULL);
} else { } else {
g_object_set (obj, prop, set_enabled, NULL); g_object_set (obj, prop, set_enabled, NULL);
reply = dbus_message_new_method_return (message); reply = dbus_message_new_method_return (message);
nm_audit_log_control_op (audit_op, prop_value, TRUE, subject, NULL);
} }
g_assert (reply); g_assert (reply);
@@ -4412,6 +4479,7 @@ prop_filter (DBusConnection *connection,
NMAuthSubject *subject = NULL; NMAuthSubject *subject = NULL;
NMAuthChain *chain; NMAuthChain *chain;
GObject *obj; GObject *obj;
const char *audit_op = NULL;
/* The sole purpose of this function is to validate property accesses /* The sole purpose of this function is to validate property accesses
* on the NMManager object since dbus-glib doesn't yet give us this * on the NMManager object since dbus-glib doesn't yet give us this
@@ -4440,15 +4508,19 @@ prop_filter (DBusConnection *connection,
if (!strcmp (propname, "WirelessEnabled")) { if (!strcmp (propname, "WirelessEnabled")) {
glib_propname = NM_MANAGER_WIRELESS_ENABLED; glib_propname = NM_MANAGER_WIRELESS_ENABLED;
permission = NM_AUTH_PERMISSION_ENABLE_DISABLE_WIFI; permission = NM_AUTH_PERMISSION_ENABLE_DISABLE_WIFI;
audit_op = NM_AUDIT_OP_RADIO_CONTROL;
} else if (!strcmp (propname, "WwanEnabled")) { } else if (!strcmp (propname, "WwanEnabled")) {
glib_propname = NM_MANAGER_WWAN_ENABLED; glib_propname = NM_MANAGER_WWAN_ENABLED;
permission = NM_AUTH_PERMISSION_ENABLE_DISABLE_WWAN; permission = NM_AUTH_PERMISSION_ENABLE_DISABLE_WWAN;
audit_op = NM_AUDIT_OP_RADIO_CONTROL;
} else if (!strcmp (propname, "WimaxEnabled")) { } else if (!strcmp (propname, "WimaxEnabled")) {
glib_propname = NM_MANAGER_WIMAX_ENABLED; glib_propname = NM_MANAGER_WIMAX_ENABLED;
permission = NM_AUTH_PERMISSION_ENABLE_DISABLE_WIMAX; permission = NM_AUTH_PERMISSION_ENABLE_DISABLE_WIMAX;
audit_op = NM_AUDIT_OP_RADIO_CONTROL;
} else if (!strcmp (propname, "Autoconnect")) { } else if (!strcmp (propname, "Autoconnect")) {
glib_propname = NM_DEVICE_AUTOCONNECT; glib_propname = NM_DEVICE_AUTOCONNECT;
permission = NM_AUTH_PERMISSION_NETWORK_CONTROL; permission = NM_AUTH_PERMISSION_NETWORK_CONTROL;
audit_op = NM_AUDIT_OP_DEVICE_AUTOCONNECT;
} else } else
return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
@@ -4491,6 +4563,7 @@ prop_filter (DBusConnection *connection,
nm_auth_chain_set_data (chain, "message", dbus_message_ref (message), (GDestroyNotify) dbus_message_unref); nm_auth_chain_set_data (chain, "message", dbus_message_ref (message), (GDestroyNotify) dbus_message_unref);
nm_auth_chain_set_data (chain, "connection", dbus_connection_ref (connection), (GDestroyNotify) dbus_connection_unref); nm_auth_chain_set_data (chain, "connection", dbus_connection_ref (connection), (GDestroyNotify) dbus_connection_unref);
nm_auth_chain_set_data (chain, "object", g_object_ref (obj), (GDestroyNotify) g_object_unref); nm_auth_chain_set_data (chain, "object", g_object_ref (obj), (GDestroyNotify) g_object_unref);
nm_auth_chain_set_data (chain, "audit-op", (char *) audit_op, NULL);
nm_auth_chain_add_call (chain, permission, TRUE); nm_auth_chain_add_call (chain, permission, TRUE);
out: out: