author | Beniamino Galvani <bgalvani@redhat.com> | 2015-07-14 10:26:54 +0200 |
committer | Beniamino Galvani <bgalvani@redhat.com> | 2015-08-04 09:32:12 +0200 |
commit | f834a08d0b70b5258866ece0c780db88697440cc (patch) | |
tree | 0efbd0e5178c2a556eaea90851ed8ce653120ba4 | |
parent | 0d4dfe5007135effef36d8491c8ad110cbd3d239 (diff) | |
manager: add audit support
-rw-r--r-- | src/nm-manager.c | 85 |
1 files changed, 79 insertions, 6 deletions
diff --git a/src/nm-manager.c b/src/nm-manager.c
index c31418aa02..698cfcde17 100644
--- a/src/nm-manager.c
+++ b/src/nm-manager.c
@@ -57,6 +57,7 @@
 #include "nm-activation-request.h"
 #include "nm-core-internal.h"
 #include "nm-config.h"
+#include "nm-audit-manager.h"
 static gboolean impl_manager_get_devices (NMManager *manager, GPtrArray **devices,
@@ -3093,10 +3094,17 @@ _activation_auth_done (NMActiveConnection *active,
 NMManager *self = user_data1;
 DBusGMethodInvocation *context = user_data2;
 GError *error = NULL;
+ NMAuthSubject *subject;
+ NMConnection *connection;
+
+ subject = nm_active_connection_get_subject (active);
+ connection = nm_active_connection_get_connection (active);
 if (success) {
 if (_internal_activate_generic (self, active, &error)) {
 dbus_g_method_return (context, nm_exported_object_get_path (NM_EXPORTED_OBJECT (active)));
+ nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ACTIVATE, connection, TRUE,
+ subject, NULL);
 g_object_unref (active);
 return;
 }
@@ -3108,7 +3116,10 @@ _activation_auth_done (NMActiveConnection *active,
 g_assert (error);
 dbus_g_method_return_error (context, error);
+ nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ACTIVATE, connection, FALSE,
+ subject, error->message);
 _internal_activation_failed (self, active, error->message);
+ g_object_unref (active);
 g_error_free (error);
 }
@@ -3123,7 +3134,7 @@ impl_manager_activate_connection (NMManager *self,
 NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (self);
 NMActiveConnection *active = NULL;
 NMAuthSubject *subject = NULL;
- NMConnection *connection;
+ NMConnection *connection = NULL;
 NMDevice *device = NULL;
 gboolean is_vpn = FALSE;
 GError *error = NULL;
@@ -3215,6 +3226,10 @@ impl_manager_activate_connection (NMManager *self,
 return;
 error:
+ if (connection) {
+ nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ACTIVATE, connection, FALSE,
+ subject, error->message);
+ }
 g_clear_object (&active);
 g_clear_object (&subject);
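Review bot: The failure path of _activation_auth_done now also gains `g_object_unref (active);` after the _internal_activation_failed call, which is an ownership change rather than audit logging and is not mentioned in the commit message "manager: add audit support". If the failure path previously leaked the reference that the success path drops with its own g_object_unref, this is a real fix and deserves a sentence in the message or its own commit; if _internal_activation_failed already releases that reference, it is a double unref — the diff alone does not show which. A one-line comment such as `/* drop the reference held across the auth round-trip, as the success path does */` would make the intent reviewable. The opening of the function and the denied branch between the two hunks are outside this view.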
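Review bot: The audit record at the `error:` label of impl_manager_activate_connection is skipped whenever `connection` is NULL, so a request that fails before the connection is resolved (an unknown or malformed connection path, for instance) leaves no audit trail even though the caller and the failure reason are known at that point. Rejected requests are the ones an auditor most wants to see; if nm_audit_log_connection_op tolerates a NULL connection, drop the `if (connection)` guard, otherwise add a variant that records only the subject and `error->message`. Note that `subject` can also still be NULL at this label when the failure happens before it is created, so the audit function must accept that too, which this diff does not show. The body of the function between the declarations and the label is outside the hunk.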
@@ -3250,6 +3265,11 @@ activation_add_done (NMSettings *self,
 dbus_g_method_return (context, nm_connection_get_path (NM_CONNECTION (new_connection)), nm_exported_object_get_path (NM_EXPORTED_OBJECT (info->active)));
+ nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD_ACTIVATE,
+ nm_active_connection_get_connection (info->active),
+ TRUE,
+ nm_active_connection_get_subject (info->active),
+ NULL);
 goto done;
 }
 error = local;
@@ -3259,6 +3279,11 @@ activation_add_done (NMSettings *self,
 _internal_activation_failed (info->manager, info->active, error->message);
 nm_settings_connection_delete (new_connection, NULL, NULL);
 dbus_g_method_return_error (context, error);
+ nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD_ACTIVATE,
+ nm_active_connection_get_connection (info->active),
+ FALSE,
+ nm_active_connection_get_subject (info->active),
+ error->message);
 g_clear_error (&local);
 done:
@@ -3297,6 +3322,11 @@ _add_and_activate_auth_done (NMActiveConnection *active,
 NM_MANAGER_ERROR_PERMISSION_DENIED, error_desc);
 dbus_g_method_return_error (context, error);
+ nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD_ACTIVATE,
+ nm_active_connection_get_connection (active),
+ FALSE,
+ nm_active_connection_get_subject (active),
+ error->message);
 g_error_free (error);
 }
@@ -3403,6 +3433,7 @@ impl_manager_add_and_activate_connection (NMManager *self,
 return;
 error:
+ nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD_ACTIVATE, connection, FALSE, subject, error->message);
 g_clear_object (&connection);
 g_slist_free (all_connections);
 g_clear_object (&subject);
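Review bot: At the `error:` label of impl_manager_add_and_activate_connection the audit call passes `connection` and `subject` unconditionally, whereas the corresponding label in impl_manager_activate_connection earlier in this diff guards with `if (connection)`. Both cannot be right: either nm_audit_log_connection_op accepts NULL for both arguments, in which case the guard elsewhere needlessly drops audit records, or it does not and this line dereferences NULL on the early failure paths (the `g_clear_object (&connection)` that follows shows NULL is a reachable state here). Pick one contract and apply it in both places, e.g. `if (connection) nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD_ACTIVATE, connection, FALSE, subject, error->message);` here, or document in nm-audit-manager.h that NULL arguments are recorded as unknown. The paths that jump to this label are outside the hunk.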
@@ -3466,12 +3497,16 @@ deactivate_net_auth_done_cb (NMAuthChain *chain,
 NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (self);
 GError *error = NULL;
 NMAuthCallResult result;
+ NMActiveConnection *active;
+ char *path;
 g_assert (context);
 priv->auth_chains = g_slist_remove (priv->auth_chains, chain);
+ path = nm_auth_chain_get_data (chain, "path");
 result = nm_auth_chain_get_result (chain, NM_AUTH_PERMISSION_NETWORK_CONTROL);
+ active = active_connection_get_by_path (self, path);
 if (auth_error) {
 nm_log_dbg (LOGD_CORE, "Disconnect request failed: %s", auth_error->message);
@@ -3486,7 +3521,7 @@ deactivate_net_auth_done_cb (NMAuthChain *chain,
 } else {
 /* success; deactivation allowed */
 if (!nm_manager_deactivate_connection (self,
- nm_auth_chain_get_data (chain, "path"),
+ path,
 NM_DEVICE_STATE_REASON_USER_REQUESTED, &error))
 g_assert (error);
@@ -3497,6 +3532,14 @@ deactivate_net_auth_done_cb (NMAuthChain *chain,
 else
 dbus_g_method_return (context);
+ if (active) {
+ nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DEACTIVATE,
+ nm_active_connection_get_connection (active),
+ !error,
+ nm_auth_chain_get_subject (chain),
+ error ? error->message : NULL);
+ }
+
 g_clear_error (&error);
 nm_auth_chain_unref (chain);
 }
@@ -3565,9 +3608,14 @@ impl_manager_deactivate_connection (NMManager *self,
 nm_auth_chain_add_call (chain, NM_AUTH_PERMISSION_NETWORK_CONTROL, TRUE);
 done:
- g_clear_object (&subject);
- if (error)
+ if (error) {
 dbus_g_method_return_error (context, error);
+ if (connection) {
+ nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DEACTIVATE, connection, FALSE,
+ subject, error->message);
+ }
+ }
+ g_clear_object (&subject);
 g_clear_error (&error);
 }
@@ -3729,6 +3777,7 @@ impl_manager_sleep (NMManager *self,
 {
 NMManagerPrivate *priv;
 GError *error = NULL;
+ gs_unref_object NMAuthSubject *subject = NULL;
 #if 0
 NMAuthChain *chain;
 const char *error_desc = NULL;
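Review bot: In deactivate_net_auth_done_cb, `active` is a borrowed pointer obtained from active_connection_get_by_path before authorization and is dereferenced for the audit record only after nm_manager_deactivate_connection has run, with no reference of its own. If deactivation drops the manager's reference to that NMActiveConnection (the diff does not show whether it does, but deactivating is exactly when that would happen), `nm_active_connection_get_connection (active)` in the new `if (active)` block is a use-after-free. Hold a reference across the operation: `if (active) g_object_ref (active);` right after the lookup, and `g_object_unref (active);` as the last statement inside the `if (active)` audit block. Separately, when no active connection matches `path` the request is not audited at all, which loses the trail for exactly the malformed or stale requests an auditor wants to see. The auth_error and not-authorized branches of this callback lie between the hunks and are outside this view.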
@@ -3737,12 +3786,15 @@ impl_manager_sleep (NMManager *self,
 g_return_if_fail (NM_IS_MANAGER (self));
 priv = NM_MANAGER_GET_PRIVATE (self);
+ subject = nm_auth_subject_new_unix_process_from_context (context);
 if (priv->sleeping == do_sleep) {
 error = g_error_new (NM_MANAGER_ERROR, NM_MANAGER_ERROR_ALREADY_ASLEEP_OR_AWAKE, "Already %s", do_sleep ? "asleep" : "awake");
 dbus_g_method_return_error (context, error);
+ nm_audit_log_control_op (NM_AUDIT_OP_SLEEP_CONTROL, do_sleep ? "on" : "off", FALSE, subject,
+ error->message);
 g_error_free (error);
 return;
 }
@@ -3756,6 +3808,7 @@ impl_manager_sleep (NMManager *self,
 * D-Bus permissions to restrict the call to root. */
 _internal_sleep (self, do_sleep);
+ nm_audit_log_control_op (NM_AUDIT_OP_SLEEP_CONTROL, do_sleep ? "on" : "off", TRUE, subject, NULL);
 dbus_g_method_return (context);
 return;
@@ -3832,10 +3885,13 @@ enable_net_done_cb (NMAuthChain *chain,
 GError *ret_error = NULL;
 NMAuthCallResult result;
 gboolean enable;
+ NMAuthSubject *subject;
 g_assert (context);
 priv->auth_chains = g_slist_remove (priv->auth_chains, chain);
+ enable = GPOINTER_TO_UINT (nm_auth_chain_get_data (chain, "enable"));
+ subject = nm_auth_chain_get_subject (chain);
 result = nm_auth_chain_get_result (chain, NM_AUTH_PERMISSION_ENABLE_DISABLE_NETWORK);
 if (error) {
@@ -3850,13 +3906,16 @@ enable_net_done_cb (NMAuthChain *chain,
 "Not authorized to enable/disable networking");
 } else {
 /* Auth success */
- enable = GPOINTER_TO_UINT (nm_auth_chain_get_data (chain, "enable"));
 _internal_enable (self, enable);
 dbus_g_method_return (context);
+ nm_audit_log_control_op (NM_AUDIT_OP_NET_CONTROL, enable ? "on" : "off", TRUE,
+ subject, NULL);
 }
 if (ret_error) {
 dbus_g_method_return_error (context, ret_error);
+ nm_audit_log_control_op (NM_AUDIT_OP_NET_CONTROL, enable ? "on" : "off", FALSE,
+ subject, ret_error->message);
 g_error_free (ret_error);
 }
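Review bot: In impl_manager_sleep the result of `nm_auth_subject_new_unix_process_from_context (context)` is passed straight to nm_audit_log_control_op without a NULL check. A unix-process subject cannot be built when the caller's D-Bus credentials cannot be resolved, and since the PolicyKit chain for this method is compiled out (the `#if 0` block, with the comment saying D-Bus policy restricts the call to root), this subject is the only record of who asked for the sleep; whether the audit function tolerates a NULL subject is not visible in this diff. Either confirm and comment that a NULL subject is logged as unknown, or reject the call up front so that an unidentifiable caller cannot toggle sleep unrecorded, e.g. `if (!subject) { error = g_error_new_literal (NM_MANAGER_ERROR, NM_MANAGER_ERROR_PERMISSION_DENIED, "Unable to determine request subject"); dbus_g_method_return_error (context, error); g_error_free (error); return; }`, using the permission-denied code this diff already uses in _add_and_activate_auth_done. The declaration of `subject` and the rest of the function body are outside this hunk.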
@@ -4364,9 +4423,11 @@ prop_set_auth_done_cb (NMAuthChain *chain,
 DBusConnection *connection;
 NMAuthCallResult result;
 DBusMessage *reply = NULL, *message;
- const char *permission, *prop;
+ const char *permission, *prop, *audit_op;
 GObject *obj;
 gboolean set_enabled = TRUE;
+ NMAuthSubject *subject;
+ gs_free char *prop_value = NULL;
 priv->auth_chains = g_slist_remove (priv->auth_chains, chain);
@@ -4375,15 +4436,21 @@ prop_set_auth_done_cb (NMAuthChain *chain,
 prop = nm_auth_chain_get_data (chain, "prop");
 set_enabled = GPOINTER_TO_UINT (nm_auth_chain_get_data (chain, "enabled"));
 obj = nm_auth_chain_get_data (chain, "object");
+ audit_op = nm_auth_chain_get_data (chain, "audit-op");
+
+ prop_value = g_strdup_printf ("%s:%d", prop, set_enabled);
 result = nm_auth_chain_get_result (chain, permission);
+ subject = nm_auth_chain_get_subject (chain);
 if (error || (result != NM_AUTH_CALL_RESULT_YES)) {
 reply = dbus_message_new_error (message, NM_IS_DEVICE (obj) ? DEV_PERM_DENIED_ERROR : NM_PERM_DENIED_ERROR, "Not authorized to perform this operation");
+ nm_audit_log_control_op (audit_op, prop_value, FALSE, subject, error ? error->message : NULL);
 } else {
 g_object_set (obj, prop, set_enabled, NULL);
 reply = dbus_message_new_method_return (message);
+ nm_audit_log_control_op (audit_op, prop_value, TRUE, subject, NULL);
 }
 g_assert (reply);
@@ -4412,6 +4479,7 @@ prop_filter (DBusConnection *connection,
 NMAuthSubject *subject = NULL;
 NMAuthChain *chain;
 GObject *obj;
+ const char *audit_op = NULL;
 /* The sole purpose of this function is to validate property accesses
 * on the NMManager object since dbus-glib doesn't yet give us this
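Review bot: On the denial branch of prop_set_auth_done_cb the audit reason is `error ? error->message : NULL`, so when PolicyKit simply answers no (error == NULL, result != NM_AUTH_CALL_RESULT_YES) the record carries no reason at all, even though the D-Bus reply built on the line above says "Not authorized to perform this operation". The other control-op audit sites in this diff (enable_net_done_cb, impl_manager_sleep) always supply a message on failure; make this one consistent and keep the two failure causes distinguishable, e.g. `error ? error->message : "Not authorized to perform this operation"`. Since `audit_op` comes from chain data set by prop_filter, it is also worth a `g_assert (audit_op);` next to the other chain lookups so a future property added without an audit op fails loudly rather than logging with a NULL operation name. The sending of `reply` and the cleanup at the end of this callback are outside the hunk.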
@@ -4440,15 +4508,19 @@ prop_filter (DBusConnection *connection,
 if (!strcmp (propname, "WirelessEnabled")) {
 glib_propname = NM_MANAGER_WIRELESS_ENABLED;
 permission = NM_AUTH_PERMISSION_ENABLE_DISABLE_WIFI;
+ audit_op = NM_AUDIT_OP_RADIO_CONTROL;
 } else if (!strcmp (propname, "WwanEnabled")) {
 glib_propname = NM_MANAGER_WWAN_ENABLED;
 permission = NM_AUTH_PERMISSION_ENABLE_DISABLE_WWAN;
+ audit_op = NM_AUDIT_OP_RADIO_CONTROL;
 } else if (!strcmp (propname, "WimaxEnabled")) {
 glib_propname = NM_MANAGER_WIMAX_ENABLED;
 permission = NM_AUTH_PERMISSION_ENABLE_DISABLE_WIMAX;
+ audit_op = NM_AUDIT_OP_RADIO_CONTROL;
 } else if (!strcmp (propname, "Autoconnect")) {
 glib_propname = NM_DEVICE_AUTOCONNECT;
 permission = NM_AUTH_PERMISSION_NETWORK_CONTROL;
+ audit_op = NM_AUDIT_OP_DEVICE_AUTOCONNECT;
 } else
 return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
@@ -4491,6 +4563,7 @@ prop_filter (DBusConnection *connection,
 nm_auth_chain_set_data (chain, "message", dbus_message_ref (message), (GDestroyNotify) dbus_message_unref);
 nm_auth_chain_set_data (chain, "connection", dbus_connection_ref (connection), (GDestroyNotify) dbus_connection_unref);
 nm_auth_chain_set_data (chain, "object", g_object_ref (obj), (GDestroyNotify) g_object_unref);
+ nm_auth_chain_set_data (chain, "audit-op", (char *) audit_op, NULL);
 nm_auth_chain_add_call (chain, permission, TRUE);
 out: |