From da503db6603732ddee39b4b252d21463bfcefbbc Mon Sep 17 00:00:00 2001
From: Hans Dedecker
Date: Wed, 3 Oct 2018 15:36:17 +0200
Subject: ubusd_acl: event listen access list support

Adds event listen access list support in ubus via the "listen" keyword Example of a json file: { "user": "superuser", "listen": [ "network.*" ], }
Signed-off-by: Koen Dergent
Signed-off-by: Hans Dedecker
---
 ubusd_acl.c | 20 ++++++++++++++++++++
 ubusd_acl.h | 1 +
 ubusd_event.c | 3 +++
 3 files changed, 24 insertions(+)

diff --git a/ubusd_acl.c b/ubusd_acl.c
index fc11993..992d0ea 100644
--- a/ubusd_acl.c
+++ b/ubusd_acl.c
@@ -51,6 +51,7 @@ struct ubusd_acl_obj {
 struct blob_attr *priv;
 bool subscribe;
 bool publish;
+ bool listen;
 };
 
 struct ubusd_acl_file {
@@ -132,6 +133,11 @@ ubusd_acl_check(struct ubus_client *cl, const char *obj,
 return 0;
 break;
 
+ case UBUS_ACL_LISTEN:
+ if (acl->listen)
+ return 0;
+ break;
+
 case UBUS_ACL_ACCESS:
 if (acl->methods) {
 struct blob_attr *cur;
@@ -279,6 +285,13 @@ ubusd_acl_add_publish(struct ubusd_acl_file *file, const char *obj)
 o->publish = true;
 }
 
+static void ubusd_acl_add_listen(struct ubusd_acl_file *file, const char *obj)
+{
+ struct ubusd_acl_obj *o = ubusd_acl_alloc_obj(file, obj);
+
+ o->listen = true;
+}
+
 enum {
 ACL_USER,
 ACL_GROUP,
@@ -286,6 +299,7 @@ enum {
 ACL_PUBLISH,
 ACL_SUBSCRIBE,
 ACL_INHERIT,
+ ACL_LISTEN,
 __ACL_MAX
 };
 
@@ -296,6 +310,7 @@ static const struct blobmsg_policy acl_policy[__ACL_MAX] = {
 [ACL_PUBLISH] = { .name = "publish", .type = BLOBMSG_TYPE_ARRAY },
 [ACL_SUBSCRIBE] = { .name = "subscribe", .type = BLOBMSG_TYPE_ARRAY },
 [ACL_INHERIT] = { .name = "inherit", .type = BLOBMSG_TYPE_ARRAY },
+ [ACL_LISTEN] = { .name= "listen", .type = BLOBMSG_TYPE_ARRAY },
 };
 
 static void
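Review bot: ubusd_acl_add_listen in the third hunk writes `o->listen = true` without checking the pointer returned by ubusd_acl_alloc_obj, exactly like the existing ubusd_acl_add_publish shown in the hunk's context; whether that helper can return NULL is not visible here, so if it can, both callers need the same guard. The new function also has no header comment explaining where its flag is consumed; suggest `/* Record obj as an event pattern the ACL file's user/group may listen on; consulted via UBUS_ACL_LISTEN in ubusd_acl_check(). */` above it. The enum that follows the function continues outside the hunk.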
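Review bot: The new `[ACL_LISTEN]` initializer in the acl_policy hunk reads `.name= "listen"`, missing the space before `=` that every neighbouring entry in the same array has; change it to `[ACL_LISTEN] = { .name = "listen", .type = BLOBMSG_TYPE_ARRAY },`. The start of the acl_policy array is outside the hunk.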
@@ -327,6 +342,11 @@ ubusd_acl_file_add(struct ubusd_acl_file *file)
 blobmsg_for_each_attr(cur, tb[ACL_PUBLISH], rem)
 if (blobmsg_type(cur) == BLOBMSG_TYPE_STRING)
 ubusd_acl_add_publish(file, blobmsg_get_string(cur));
+
+ if (tb[ACL_LISTEN])
+ blobmsg_for_each_attr(cur, tb[ACL_LISTEN], rem)
+ if (blobmsg_type(cur) == BLOBMSG_TYPE_STRING)
+ ubusd_acl_add_listen(file, blobmsg_get_string(cur));
 }
 
 static void
diff --git a/ubusd_acl.h b/ubusd_acl.h
index c5dfd8a..a6a6a30 100644
--- a/ubusd_acl.h
+++ b/ubusd_acl.h
@@ -18,6 +18,7 @@ enum ubusd_acl_type {
 UBUS_ACL_PUBLISH,
 UBUS_ACL_SUBSCRIBE,
 UBUS_ACL_ACCESS,
+ UBUS_ACL_LISTEN,
 };
 
 int ubusd_acl_check(struct ubus_client *cl, const char *obj, const char *method, enum ubusd_acl_type type);
diff --git a/ubusd_event.c b/ubusd_event.c
index f07f826..6e612a1 100644
--- a/ubusd_event.c
+++ b/ubusd_event.c
@@ -88,6 +88,9 @@ static int ubusd_alloc_event_pattern(struct ubus_client *cl, struct blob_attr *m
 len--;
 }
 
+ if (pattern[0] && ubusd_acl_check(cl, pattern, NULL, UBUS_ACL_LISTEN))
+ return UBUS_STATUS_PERMISSION_DENIED;
+
 ev = calloc(1, sizeof(*ev) + len + 1);
 if (!ev)
 return UBUS_STATUS_NO_DATA;
-- 
cgit v1.2.1
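Review bot: The `pattern[0] &&` guard in the ubusd_event.c hunk exempts an empty pattern from the ACL check, and the `len--; }` context directly above suggests a trailing `*` has already been stripped by this point — if so, a client registering the bare pattern `"*"` reaches this line with an empty string, is never checked against its "listen" entries, and keeps receiving every event. The check is also evaluated against the truncated pattern (e.g. `network.` rather than `network.*`), so whether it matches an ACL entry such as the commit message's `"network.*"` depends on the matcher inside ubusd_acl_check, which is outside this hunk. Safer is to run the ACL check before the wildcard handling, on the pattern exactly as the client supplied it and without the empty-pattern exemption: `if (ubusd_acl_check(cl, pattern, NULL, UBUS_ACL_LISTEN)) return UBUS_STATUS_PERMISSION_DENIED;` placed ahead of the strip block. ubusd_alloc_event_pattern begins and ends outside the hunk.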