1 From a949b090e9d4d11c300fb23b416a2cc69483962b Mon Sep 17 00:00:00 2001
2 From: George Kiagiadakis <george.kiagiadakis@collabora.com>
3 Date: Tue, 16 Feb 2021 17:26:20 +0200
4 Subject: [PATCH] modules: add new access-seclabel module
6 This module allows access control based on the security label
7 of the client. It is tailored for use with the semantics of SMACK
9 Upstream-Status: Inappropriate [smack specific]
11 src/modules/meson.build | 10 ++
12 src/modules/module-access-seclabel.c | 220 +++++++++++++++++++++++++++
13 2 files changed, 230 insertions(+)
14 create mode 100644 src/modules/module-access-seclabel.c
16 diff --git a/src/modules/meson.build b/src/modules/meson.build
17 index 8c9ccc85..234cff6b 100644
18 --- a/src/modules/meson.build
19 +++ b/src/modules/meson.build
20 @@ -14,6 +14,16 @@ pipewire_module_access = shared_library('pipewire-module-access', [ 'module-acce
21 dependencies : [mathlib, dl_lib, pipewire_dep],
24 +pipewire_module_access_seclabel = shared_library('pipewire-module-access-seclabel',
25 + [ 'module-access-seclabel.c' ],
26 + c_args : pipewire_module_c_args,
27 + include_directories : [configinc, spa_inc],
29 + install_dir : modules_install_dir,
30 + install_rpath: modules_install_dir,
31 + dependencies : [mathlib, dl_lib, pipewire_dep],
34 pipewire_module_profiler = shared_library('pipewire-module-profiler',
35 [ 'module-profiler.c',
36 'module-profiler/protocol-native.c', ],
37 diff --git a/src/modules/module-access-seclabel.c b/src/modules/module-access-seclabel.c
39 index 00000000..3739f2e4
41 +++ b/src/modules/module-access-seclabel.c
45 + * Copyright © 2018 Wim Taymans
46 + * Copyright © 2021 Collabora Ltd.
47 + * @author George Kiagiadakis <george.kiagiadakis@collabora.com>
49 + * Permission is hereby granted, free of charge, to any person obtaining a
50 + * copy of this software and associated documentation files (the "Software"),
51 + * to deal in the Software without restriction, including without limitation
52 + * the rights to use, copy, modify, merge, publish, distribute, sublicense,
53 + * and/or sell copies of the Software, and to permit persons to whom the
54 + * Software is furnished to do so, subject to the following conditions:
56 + * The above copyright notice and this permission notice (including the next
57 + * paragraph) shall be included in all copies or substantial portions of the
60 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
61 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
62 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
63 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
64 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
65 + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
66 + * DEALINGS IN THE SOFTWARE.
72 +#include <sys/types.h>
73 +#include <sys/stat.h>
80 +#include <spa/utils/result.h>
81 +#include <spa/utils/json.h>
83 +#include <pipewire/impl.h>
84 +#include <pipewire/private.h>
86 +#define NAME "access-seclabel"
88 +#define MODULE_USAGE "[ seclabel.allowed=<cmd-line> ] " \
89 + "[ seclabel.rejected=<cmd-line> ] " \
90 + "[ seclabel.restricted=<cmd-line> ] " \
92 +static const struct spa_dict_item module_props[] = {
93 + { PW_KEY_MODULE_AUTHOR, "George Kiagiadakis <george.kiagiadakis@collabora.com>" },
94 + { PW_KEY_MODULE_DESCRIPTION, "Perform access check based on the security label" },
95 + { PW_KEY_MODULE_USAGE, MODULE_USAGE },
96 + { PW_KEY_MODULE_VERSION, PACKAGE_VERSION },
100 + struct pw_context *context;
101 + struct pw_properties *properties;
103 + struct spa_hook context_listener;
104 + struct spa_hook module_listener;
107 +static int check_label(const char *label, const char *str)
111 + struct spa_json it[2];
113 + spa_json_init(&it[0], str, strlen(str));
114 + if ((res = spa_json_enter_array(&it[0], &it[1])) <= 0)
118 + while (spa_json_get_string(&it[1], key, sizeof(key)) > 0) {
119 + if (strcmp(label, key) == 0) {
129 +context_check_access(void *data, struct pw_impl_client *client)
131 + struct impl *impl = data;
132 + struct pw_permission permissions[1];
133 + struct spa_dict_item items[2];
134 + const struct pw_properties *props;
135 + const char *str, *access, *label = NULL;
138 + if ((props = pw_impl_client_get_properties(client)) != NULL) {
139 + if ((str = pw_properties_get(props, PW_KEY_ACCESS)) != NULL) {
140 + pw_log_info(NAME " client %p: has already access: '%s'", client, str);
143 + label = pw_properties_get(props, PW_KEY_SEC_LABEL);
147 + pw_log_info(NAME " client %p: has no security label", client);
151 + if (impl->properties && (str = pw_properties_get(impl->properties, "seclabel.allowed")) != NULL) {
152 + res = check_label(label, str);
154 + pw_log_warn(NAME" %p: client %p allowed check failed: %s",
155 + impl, client, spa_strerror(res));
156 + } else if (res > 0) {
157 + access = "allowed";
162 + if (impl->properties && (str = pw_properties_get(impl->properties, "seclabel.rejected")) != NULL) {
163 + res = check_label(label, str);
165 + pw_log_warn(NAME" %p: client %p rejected check failed: %s",
166 + impl, client, spa_strerror(res));
167 + } else if (res > 0) {
169 + access = "rejected";
174 + if (impl->properties && (str = pw_properties_get(impl->properties, "seclabel.restricted")) != NULL) {
175 + res = check_label(label, str);
177 + pw_log_warn(NAME" %p: client %p restricted check failed: %s",
178 + impl, client, spa_strerror(res));
180 + else if (res > 0) {
181 + pw_log_debug(NAME" %p: restricted client %p added", impl, client);
182 + access = "restricted";
183 + goto wait_permissions;
190 + pw_log_info(NAME" %p: client %p '%s' access granted", impl, client, access);
191 + items[0] = SPA_DICT_ITEM_INIT(PW_KEY_ACCESS, access);
192 + pw_impl_client_update_properties(client, &SPA_DICT_INIT(items, 1));
194 + permissions[0] = PW_PERMISSION_INIT(PW_ID_ANY, PW_PERM_ALL);
195 + pw_impl_client_update_permissions(client, 1, permissions);
199 + pw_log_info(NAME " %p: client %p wait for '%s' permissions",
200 + impl, client, access);
201 + items[0] = SPA_DICT_ITEM_INIT(PW_KEY_ACCESS, access);
202 + pw_impl_client_update_properties(client, &SPA_DICT_INIT(items, 1));
206 + pw_resource_error(pw_impl_client_get_core_resource(client), res, access);
207 + items[0] = SPA_DICT_ITEM_INIT(PW_KEY_ACCESS, access);
208 + pw_impl_client_update_properties(client, &SPA_DICT_INIT(items, 1));
212 +static const struct pw_context_events context_events = {
213 + PW_VERSION_CONTEXT_EVENTS,
214 + .check_access = context_check_access,
217 +static void module_destroy(void *data)
219 + struct impl *impl = data;
221 + spa_hook_remove(&impl->context_listener);
222 + spa_hook_remove(&impl->module_listener);
224 + if (impl->properties)
225 + pw_properties_free(impl->properties);
230 +static const struct pw_impl_module_events module_events = {
231 + PW_VERSION_IMPL_MODULE_EVENTS,
232 + .destroy = module_destroy,
236 +int pipewire__module_init(struct pw_impl_module *module, const char *args)
238 + struct pw_context *context = pw_impl_module_get_context(module);
239 + struct pw_properties *props;
242 + impl = calloc(1, sizeof(struct impl));
246 + pw_log_debug(NAME" module %p: new %s", impl, args);
249 + props = pw_properties_new_string(args);
253 + impl->context = context;
254 + impl->properties = props;
256 + pw_context_add_listener(context, &impl->context_listener, &context_events, impl);
257 + pw_impl_module_add_listener(module, &impl->module_listener, &module_events, impl);
259 + pw_impl_module_update_properties(module, &SPA_DICT_INIT_ARRAY(module_props));