From 5cc0a71cbacedfb1c8ba6c3ba4642b9bc2679f02 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Wed, 30 Jul 2014 11:38:27 +0200
Subject: remote: Allow restricting the connecting user and group
---
 p11-kit/p11-kit.c | 33 ++++++++++++++++++++++++++++++---
 p11-kit/remote.c | 46 ++++++++++++++++++++++++++++++++++++++--------
 p11-kit/remote.h | 3 ++-
 3 files changed, 70 insertions(+), 12 deletions(-)
diff --git a/p11-kit/p11-kit.c b/p11-kit/p11-kit.c
index effcebb..345b1e8 100644
--- a/p11-kit/p11-kit.c
+++ b/p11-kit/p11-kit.c
@@ -49,6 +49,9 @@
 #include
 #include
 #include
+#include
+#include
+#include
 #include "tool.h"
@@ -130,8 +133,10 @@ int
 p11_kit_remote (int argc,
 char *argv[])
 {
- CK_FUNCTION_LIST *module;
 char *socket_file = NULL;
+ CK_FUNCTION_LIST *module;
+ uid_t uid = -1;
+ gid_t gid = -1;
 int opt;
 int ret;
@@ -139,17 +144,21 @@ p11_kit_remote (int argc,
 opt_verbose = 'v',
 opt_help = 'h',
 opt_socket = 's',
+ opt_user = 'u',
+ opt_group = 'g',
 };
 struct option options[] = {
 { "verbose", no_argument, NULL, opt_verbose },
 { "help", no_argument, NULL, opt_help },
 { "socket", required_argument, NULL, opt_socket },
+ { "user", required_argument, NULL, opt_user },
+ { "group", required_argument, NULL, opt_group },
 { 0 },
 };
 p11_tool_desc usages[] = {
- { 0, "usage: p11-kit remote -s " },
+ { 0, "usage: p11-kit remote -s -u -g " },
 { 0 },
 };
@@ -161,6 +170,24 @@ p11_kit_remote (int argc,
 case opt_socket:
 socket_file = strdup(optarg);
 break;
+ case opt_group: {
+ const struct group* grp = getgrnam(optarg);
+ if (grp == NULL) {
+ p11_message ("unknown group: %s", optarg);
+ return 2;
+ }
+ gid = grp->gr_gid;
+ break;
+ }
+ case opt_user: {
+ const struct passwd* pwd = getpwnam(optarg);
+ if (pwd == NULL) {
+ p11_message ("unknown user: %s", optarg);
+ return 2;
+ }
+ uid = pwd->pw_uid;
+ break;
+ }
 case opt_help:
 case '?':
 p11_tool_usage (usages, options);
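Review bot: In `case opt_user` and `case opt_group`, a NULL result from `getpwnam`/`getgrnam` is always reported as "unknown user"/"unknown group", but these calls also return NULL when the lookup itself fails, setting errno in that case. The tool still exits without serving, which is the safe outcome, yet the operator is told the name is wrong when the name service may be at fault. Setting `errno = 0;` before each call and logging `strerror(errno)` when it is non-zero afterwards would separate the two cases, assuming `<errno.h>` is already in scope in this file. Both options only accept names, not numeric ids, which is worth saying in the usage text.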
@@ -188,7 +215,7 @@ p11_kit_remote (int argc,
 if (module == NULL)
 return 1;
- ret = p11_kit_remote_serve_module (module, socket_file);
+ ret = p11_kit_remote_serve_module (module, socket_file, uid, gid);
 p11_kit_module_release (module);
 return ret;
diff --git a/p11-kit/remote.c b/p11-kit/remote.c
index b6f7681..a9f03c6 100644
--- a/p11-kit/remote.c
+++ b/p11-kit/remote.c
@@ -55,6 +55,8 @@
 #include
 #include
+#include "unix-peer.h"
+
 #ifdef HAVE_SIGHANDLER_T
 # define SIGHANDLER_T sighandler_t
 #elif HAVE_SIG_T
@@ -204,7 +206,9 @@ static void handle_children(int signo)
 int
 p11_kit_remote_serve_module (CK_FUNCTION_LIST *module,
- const char *socket_file)
+ const char *socket_file,
+ uid_t uid,
+ gid_t gid)
 {
 p11_virtual virt;
 p11_buffer options;
@@ -216,6 +220,8 @@ p11_kit_remote_serve_module (CK_FUNCTION_LIST *module,
 struct sockaddr_un sa;
 fd_set rd_set;
 sigset_t emptyset, blockset;
+ uid_t tuid;
+ gid_t tgid;
 sigemptyset(&blockset);
 sigemptyset(&emptyset);
@@ -246,13 +252,14 @@ p11_kit_remote_serve_module (CK_FUNCTION_LIST *module,
 return 1;
 }
-#if 0
- rc = chown(SOCKET_FILE, config->uid, config->gid);
- if (rc == -1) {
- e = errno;
- p11_message ("could not chown socket %s: %s", socket_file, strerror(e));
+ if (uid != -1 && gid != -1) {
+ rc = chown(socket_file, uid, gid);
+ if (rc == -1) {
+ e = errno;
+ p11_message ("could not chown socket %s: %s", socket_file, strerror(e));
+ return 1;
+ }
 }
-#endif
 /* run as daemon */
 if (daemon(0,0) == -1) {
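Review bot: The socket is only chowned when both a user and a group were supplied, because the guard is `if (uid != -1 && gid != -1)`. With only `-u` or only `-g` the socket file keeps the server's ownership, so its filesystem permissions do not reflect the restriction and the per-connection peer check is the only enforcement. chown(2) leaves an id untouched when it is passed -1, so `if (uid != (uid_t)-1 || gid != (gid_t)-1) {` covers the single-option case. The casts also avoid comparing a possibly narrower unsigned `uid_t`/`gid_t` with the int literal -1, and the same comparison appears in the peer-check hunk (`if (uid != -1)`, `if (gid != -1)`). The function body starts and continues outside this hunk, so whether the new `return 1` leaves the bound socket behind cannot be judged from here.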
@@ -300,7 +307,29 @@ p11_kit_remote_serve_module (CK_FUNCTION_LIST *module,
 continue;
 }
- /* XXX: check the uid of the peer */
+ /* check the uid of the peer */
+ rc = p11_get_upeer_id(cfd, &tuid, &tgid, NULL);
+ if (rc == -1) {
+ e = errno;
+ p11_message ("could not check uid from socket %s: %s", socket_file, strerror(e));
+ goto cont;
+ }
+
+ if (uid != -1) {
+ if (uid != tuid) {
+ p11_message ("connecting uid (%u) doesn't match expected (%u)",
+ (unsigned)tuid, (unsigned)uid);
+ goto cont;
+ }
+ }
+
+ if (gid != -1) {
+ if (gid != tgid) {
+ p11_message ("connecting gid (%u) doesn't match expected (%u)",
+ (unsigned)tgid, (unsigned)gid);
+ goto cont;
+ }
+ }
 pid = fork();
 switch(pid) {
@@ -316,6 +345,7 @@ p11_kit_remote_serve_module (CK_FUNCTION_LIST *module,
 children_avail++;
 break;
 }
+ cont:
 close(cfd);
 }
diff --git a/p11-kit/remote.h b/p11-kit/remote.h
index b72750a..e1bfde3 100644
--- a/p11-kit/remote.h
+++ b/p11-kit/remote.h
@@ -44,7 +44,8 @@ extern "C" {
 #ifdef P11_KIT_FUTURE_UNSTABLE_API
 int p11_kit_remote_serve_module (CK_FUNCTION_LIST *module,
- const char *socket);
+ const char *socket,
+ uid_t, gid_t);
 #endif
-- 
cgit v1.2.1
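Review bot: The group test `if (gid != tgid)` in the peer-check hunk compares against the single gid that `p11_get_upeer_id` returns, so a client that belongs to the expected group only through a supplementary group is refused. That gid is presumably the peer's effective gid, since the helper is not part of this diff. Refusing is the safe direction, but the behaviour should be stated where `--group` is documented and in a comment here, for example `/* matches the peer's effective gid only; supplementary groups are not consulted */`. Separately, a failure of `p11_get_upeer_id` drops the connection even when neither `uid` nor `gid` is set, so an unrestricted server now depends on peer credentials being available; if that is intended, a comment saying the check is mandatory would make it explicit. The `cont:` label these paths jump to is added in the following hunk.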
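Review bot: The new prototype in remote.h leaves the added parameters unnamed (`uid_t, gid_t`) and says nothing about the sentinel, although callers of this access-control entry point need to know that -1 means "no restriction". Suggest `uid_t uid, gid_t gid);` with a short comment above the declaration stating that `(uid_t)-1` and `(gid_t)-1` disable the respective check. The hunk does not show the header's includes, so confirm that `<sys/types.h>` is pulled in before this declaration.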