[thirdparty/systemd.git] / src / condition.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/capability.h>

#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#endif

#include "util.h"
#include "condition.h"
#include "virt.h"

Condition* condition_new(ConditionType type, const char *parameter, bool trigger, bool negate) {
        Condition *c;

        assert(type < _CONDITION_TYPE_MAX);

        c = new0(Condition, 1);
        if (!c)
                return NULL;

        c->type = type;
        c->trigger = trigger;
        c->negate = negate;

        if (parameter) {
                c->parameter = strdup(parameter);
                if (!c->parameter) {
                        free(c);
                        return NULL;
                }
        }

        return c;
}

void condition_free(Condition *c) {
        assert(c);

        free(c->parameter);
        free(c);
}

void condition_free_list(Condition *first) {
        Condition *c, *n;

        LIST_FOREACH_SAFE(conditions, c, n, first)
                condition_free(c);
}

static bool test_kernel_command_line(const char *parameter) {
        char *line, *w, *state, *word = NULL;
        bool equal;
        int r;
        size_t l, pl;
        bool found = false;

        assert(parameter);

        if (detect_container(NULL) > 0)
                return false;

        r = read_one_line_file("/proc/cmdline", &line);
        if (r < 0) {
                log_warning("Failed to read /proc/cmdline, ignoring: %s", strerror(-r));
                return false;
        }

        equal = !!strchr(parameter, '=');
        pl = strlen(parameter);

        FOREACH_WORD_QUOTED(w, l, line, state) {

                free(word);
                word = strndup(w, l);
                if (!word)
                        break;

                if (equal) {
                        if (streq(word, parameter)) {
                                found = true;
                                break;
                        }
                } else {
                        if (startswith(word, parameter) && (word[pl] == '=' || word[pl] == 0)) {
                                found = true;
                                break;
                        }
                }

        }

        free(word);
        free(line);

        return found;
}

static bool test_virtualization(const char *parameter) {
        int b;
        Virtualization v;
        const char *id;

        assert(parameter);

        v = detect_virtualization(&id);
        if (v < 0) {
                log_warning("Failed to detect virtualization, ignoring: %s", strerror(-v));
                return false;
        }

        /* First, compare with yes/no */
        b = parse_boolean(parameter);

        if (v > 0 && b > 0)
                return true;

        if (v == 0 && b == 0)
                return true;

        /* Then, compare categorization */
        if (v == VIRTUALIZATION_VM && streq(parameter, "vm"))
                return true;

        if (v == VIRTUALIZATION_CONTAINER && streq(parameter, "container"))
                return true;

        /* Finally compare id */
        return v > 0 && streq(parameter, id);
}

static bool test_security(const char *parameter) {
#ifdef HAVE_SELINUX
        if (streq(parameter, "selinux"))
                return is_selinux_enabled() > 0;
#endif
        return false;
}

static bool test_capability(const char *parameter) {
        cap_value_t value;
        FILE *f;
        char line[LINE_MAX];
        unsigned long long capabilities = (unsigned long long) -1;

        /* If it's an invalid capability, we don't have it */

        if (cap_from_name(parameter, &value) < 0)
                return false;

        /* If it's a valid capability we default to assume
         * that we have it */

        f = fopen("/proc/self/status", "re");
        if (!f)
                return true;

        while (fgets(line, sizeof(line), f)) {
                truncate_nl(line);

                if (startswith(line, "CapBnd:")) {
                        (void) sscanf(line+7, "%llx", &capabilities);
                        break;
                }
        }

        fclose(f);

        return !!(capabilities & (1ULL << value));
}

bool condition_test(Condition *c) {
        assert(c);

        switch(c->type) {

        case CONDITION_PATH_EXISTS:
                return (access(c->parameter, F_OK) >= 0) == !c->negate;

        case CONDITION_PATH_EXISTS_GLOB:
                return (glob_exists(c->parameter) > 0) == !c->negate;

        case CONDITION_PATH_IS_DIRECTORY: {
                struct stat st;

                if (stat(c->parameter, &st) < 0)
                        return c->negate;
                return S_ISDIR(st.st_mode) == !c->negate;
        }

        case CONDITION_PATH_IS_SYMBOLIC_LINK: {
                struct stat st;

                if (lstat(c->parameter, &st) < 0)
                        return c->negate;
                return S_ISLNK(st.st_mode) == !c->negate;
        }

        case CONDITION_PATH_IS_MOUNT_POINT:
                return (path_is_mount_point(c->parameter, true) > 0) == !c->negate;

        case CONDITION_DIRECTORY_NOT_EMPTY: {
                int k;

                k = dir_is_empty(c->parameter);
                return !(k == -ENOENT || k > 0) == !c->negate;
        }

        case CONDITION_FILE_IS_EXECUTABLE: {
                struct stat st;

                if (stat(c->parameter, &st) < 0)
                        return c->negate;

                return (S_ISREG(st.st_mode) && (st.st_mode & 0111)) == !c->negate;
        }

        case CONDITION_KERNEL_COMMAND_LINE:
                return test_kernel_command_line(c->parameter) == !c->negate;

        case CONDITION_VIRTUALIZATION:
                return test_virtualization(c->parameter) == !c->negate;

        case CONDITION_SECURITY:
                return test_security(c->parameter) == !c->negate;

        case CONDITION_CAPABILITY:
                return test_capability(c->parameter) == !c->negate;

        case CONDITION_NULL:
                return !c->negate;

        default:
                assert_not_reached("Invalid condition type.");
        }
}

bool condition_test_list(Condition *first) {
        Condition *c;
        int triggered = -1;

        /* If the condition list is empty, then it is true */
        if (!first)
                return true;

        /* Otherwise, if all of the non-trigger conditions apply and
         * if any of the trigger conditions apply (unless there are
         * none) we return true */
        LIST_FOREACH(conditions, c, first) {
                bool b;

                b = condition_test(c);

                if (!c->trigger && !b)
                        return false;

                if (c->trigger && triggered <= 0)
                        triggered = b;
        }

        return triggered != 0;
}

void condition_dump(Condition *c, FILE *f, const char *prefix) {
        assert(c);
        assert(f);

        if (!prefix)
                prefix = "";

        fprintf(f,
                "%s\t%s: %s%s%s\n",
                prefix,
                condition_type_to_string(c->type),
                c->trigger ? "|" : "",
                c->negate ? "!" : "",
                c->parameter);
}

void condition_dump_list(Condition *first, FILE *f, const char *prefix) {
        Condition *c;

        LIST_FOREACH(conditions, c, first)
                condition_dump(c, f, prefix);
}

static const char* const condition_type_table[_CONDITION_TYPE_MAX] = {
        [CONDITION_PATH_EXISTS] = "ConditionPathExists",
        [CONDITION_PATH_EXISTS_GLOB] = "ConditionPathExistsGlob",
        [CONDITION_PATH_IS_DIRECTORY] = "ConditionPathIsDirectory",
        [CONDITION_PATH_IS_SYMBOLIC_LINK] = "ConditionPathIsSymbolicLink",
        [CONDITION_PATH_IS_MOUNT_POINT] = "ConditionPathIsMountPoint",
        [CONDITION_DIRECTORY_NOT_EMPTY] = "ConditionDirectoryNotEmpty",
        [CONDITION_KERNEL_COMMAND_LINE] = "ConditionKernelCommandLine",
        [CONDITION_VIRTUALIZATION] = "ConditionVirtualization",
        [CONDITION_SECURITY] = "ConditionSecurity",
        [CONDITION_NULL] = "ConditionNull"
};

DEFINE_STRING_TABLE_LOOKUP(condition_type, ConditionType);
Commit	Line	Data
52661efd LP	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
	2
	3	/***
	4	This file is part of systemd.
	5
f23c09b0	6	Copyright 2010 Lennart Poettering
52661efd LP	7
	8	systemd is free software; you can redistribute it and/or modify it
	9	under the terms of the GNU General Public License as published by
	10	the Free Software Foundation; either version 2 of the License, or
	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	16	General Public License for more details.
	17
	18	You should have received a copy of the GNU General Public License
	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
	22	#include <stdlib.h>
	23	#include <errno.h>
	24	#include <string.h>
	25	#include <unistd.h>
62590f23	26	#include <sys/capability.h>
52661efd	27
07e833bc MS	28	#ifdef HAVE_SELINUX
	29	#include <selinux/selinux.h>
	30	#endif
	31
52661efd LP	32	#include "util.h"
52661efd LP	33	#include "condition.h"
8095200d	34	#include "virt.h"
52661efd	35
267632f0	36	Condition* condition_new(ConditionType type, const char *parameter, bool trigger, bool negate) {
52661efd LP	37	Condition *c;
52661efd LP	38
8092a428 LP	39	assert(type < _CONDITION_TYPE_MAX);
8092a428 LP	40
ab7f148f LP	41	c = new0(Condition, 1);
ab7f148f LP	42	if (!c)
da19d5c1 LP	43	return NULL;
da19d5c1 LP	44
52661efd	45	c->type = type;
267632f0	46	c->trigger = trigger;
52661efd LP	47	c->negate = negate;
52661efd LP	48
ab7f148f LP	49	if (parameter) {
	50	c->parameter = strdup(parameter);
	51	if (!c->parameter) {
d257ddef LP	52	free(c);
	53	return NULL;
	54	}
ab7f148f	55	}
52661efd LP	56
	57	return c;
	58	}
	59
	60	void condition_free(Condition *c) {
	61	assert(c);
	62
	63	free(c->parameter);
	64	free(c);
	65	}
	66
	67	void condition_free_list(Condition *first) {
	68	Condition c, n;
	69
	70	LIST_FOREACH_SAFE(conditions, c, n, first)
	71	condition_free(c);
	72	}
	73
	74	static bool test_kernel_command_line(const char *parameter) {
	75	char line, w, state, word = NULL;
	76	bool equal;
	77	int r;
	78	size_t l, pl;
	79	bool found = false;
	80
039655a4 LP	81	assert(parameter);
039655a4 LP	82
a373b0e7	83	if (detect_container(NULL) > 0)
2fc97846 LP	84	return false;
2fc97846 LP	85
ab7f148f LP	86	r = read_one_line_file("/proc/cmdline", &line);
ab7f148f LP	87	if (r < 0) {
52661efd LP	88	log_warning("Failed to read /proc/cmdline, ignoring: %s", strerror(-r));
	89	return false;
	90	}
	91
	92	equal = !!strchr(parameter, '=');
	93	pl = strlen(parameter);
	94
	95	FOREACH_WORD_QUOTED(w, l, line, state) {
	96
	97	free(word);
ab7f148f LP	98	word = strndup(w, l);
ab7f148f LP	99	if (!word)
52661efd LP	100	break;
	101
	102	if (equal) {
	103	if (streq(word, parameter)) {
	104	found = true;
	105	break;
	106	}
	107	} else {
	108	if (startswith(word, parameter) && (word[pl] == '=' \|\| word[pl] == 0)) {
	109	found = true;
	110	break;
	111	}
	112	}
	113
	114	}
	115
	116	free(word);
	117	free(line);
	118
	119	return found;
	120	}
	121
039655a4	122	static bool test_virtualization(const char *parameter) {
8095200d LP	123	int b;
8095200d LP	124	Virtualization v;
039655a4 LP	125	const char *id;
	126
	127	assert(parameter);
	128
8095200d LP	129	v = detect_virtualization(&id);
	130	if (v < 0) {
	131	log_warning("Failed to detect virtualization, ignoring: %s", strerror(-v));
039655a4 LP	132	return false;
	133	}
	134
8095200d	135	/* First, compare with yes/no */
039655a4 LP	136	b = parse_boolean(parameter);
039655a4 LP	137
8095200d LP	138	if (v > 0 && b > 0)
	139	return true;
	140
	141	if (v == 0 && b == 0)
	142	return true;
	143
	144	/* Then, compare categorization */
	145	if (v == VIRTUALIZATION_VM && streq(parameter, "vm"))
039655a4 LP	146	return true;
039655a4 LP	147
8095200d	148	if (v == VIRTUALIZATION_CONTAINER && streq(parameter, "container"))
039655a4 LP	149	return true;
039655a4 LP	150
8095200d	151	/* Finally compare id */
e5396fed	152	return v > 0 && streq(parameter, id);
039655a4 LP	153	}
039655a4 LP	154
07e833bc MS	155	static bool test_security(const char *parameter) {
07e833bc MS	156	#ifdef HAVE_SELINUX
d24e1b48	157	if (streq(parameter, "selinux"))
07e833bc MS	158	return is_selinux_enabled() > 0;
	159	#endif
	160	return false;
	161	}
	162
62590f23 LP	163	static bool test_capability(const char *parameter) {
	164	cap_value_t value;
	165	FILE *f;
	166	char line[LINE_MAX];
	167	unsigned long long capabilities = (unsigned long long) -1;
	168
	169	/* If it's an invalid capability, we don't have it */
	170
	171	if (cap_from_name(parameter, &value) < 0)
	172	return false;
	173
	174	/* If it's a valid capability we default to assume
	175	* that we have it */
	176
	177	f = fopen("/proc/self/status", "re");
	178	if (!f)
	179	return true;
	180
	181	while (fgets(line, sizeof(line), f)) {
	182	truncate_nl(line);
	183
	184	if (startswith(line, "CapBnd:")) {
	185	(void) sscanf(line+7, "%llx", &capabilities);
	186	break;
	187	}
	188	}
	189
7670e5a2 TJ	190	fclose(f);
7670e5a2 TJ	191
62590f23 LP	192	return !!(capabilities & (1ULL << value));
	193	}
	194
52661efd LP	195	bool condition_test(Condition *c) {
	196	assert(c);
	197
	198	switch(c->type) {
	199
	200	case CONDITION_PATH_EXISTS:
	201	return (access(c->parameter, F_OK) >= 0) == !c->negate;
	202
8092a428 LP	203	case CONDITION_PATH_EXISTS_GLOB:
	204	return (glob_exists(c->parameter) > 0) == !c->negate;
	205
2b583ce6 KS	206	case CONDITION_PATH_IS_DIRECTORY: {
	207	struct stat st;
	208
8571962c	209	if (stat(c->parameter, &st) < 0)
1f8fef5a	210	return c->negate;
2b583ce6 KS	211	return S_ISDIR(st.st_mode) == !c->negate;
	212	}
	213
0d60602c MS	214	case CONDITION_PATH_IS_SYMBOLIC_LINK: {
	215	struct stat st;
	216
	217	if (lstat(c->parameter, &st) < 0)
1f8fef5a	218	return c->negate;
0d60602c MS	219	return S_ISLNK(st.st_mode) == !c->negate;
	220	}
	221
ab7f148f LP	222	case CONDITION_PATH_IS_MOUNT_POINT:
	223	return (path_is_mount_point(c->parameter, true) > 0) == !c->negate;
	224
36af55d9 LP	225	case CONDITION_DIRECTORY_NOT_EMPTY: {
	226	int k;
	227
	228	k = dir_is_empty(c->parameter);
	229	return !(k == -ENOENT \|\| k > 0) == !c->negate;
	230	}
	231
82e487c5 LP	232	case CONDITION_FILE_IS_EXECUTABLE: {
	233	struct stat st;
	234
34a2dc4b	235	if (stat(c->parameter, &st) < 0)
1f8fef5a	236	return c->negate;
82e487c5 LP	237
	238	return (S_ISREG(st.st_mode) && (st.st_mode & 0111)) == !c->negate;
	239	}
	240
52661efd	241	case CONDITION_KERNEL_COMMAND_LINE:
cb40c15e	242	return test_kernel_command_line(c->parameter) == !c->negate;
52661efd	243
039655a4	244	case CONDITION_VIRTUALIZATION:
cb40c15e	245	return test_virtualization(c->parameter) == !c->negate;
039655a4	246
07e833bc MS	247	case CONDITION_SECURITY:
	248	return test_security(c->parameter) == !c->negate;
	249
62590f23 LP	250	case CONDITION_CAPABILITY:
	251	return test_capability(c->parameter) == !c->negate;
	252
d257ddef LP	253	case CONDITION_NULL:
	254	return !c->negate;
	255
52661efd LP	256	default:
	257	assert_not_reached("Invalid condition type.");
	258	}
	259	}
	260
	261	bool condition_test_list(Condition *first) {
	262	Condition *c;
267632f0	263	int triggered = -1;
52661efd LP	264
	265	/* If the condition list is empty, then it is true */
	266	if (!first)
	267	return true;
	268
267632f0 LP	269	/* Otherwise, if all of the non-trigger conditions apply and
	270	* if any of the trigger conditions apply (unless there are
	271	* none) we return true */
	272	LIST_FOREACH(conditions, c, first) {
	273	bool b;
	274
	275	b = condition_test(c);
	276
	277	if (!c->trigger && !b)
	278	return false;
	279
	280	if (c->trigger && triggered <= 0)
	281	triggered = b;
	282	}
52661efd	283
267632f0	284	return triggered != 0;
52661efd LP	285	}
	286
	287	void condition_dump(Condition c, FILE f, const char *prefix) {
	288	assert(c);
	289	assert(f);
	290
	291	if (!prefix)
	292	prefix = "";
	293
	294	fprintf(f,
8fb81fa7	295	"%s\t%s: %s%s%s\n",
52661efd LP	296	prefix,
52661efd LP	297	condition_type_to_string(c->type),
267632f0	298	c->trigger ? "\|" : "",
52661efd LP	299	c->negate ? "!" : "",
	300	c->parameter);
	301	}
	302
	303	void condition_dump_list(Condition first, FILE f, const char *prefix) {
	304	Condition *c;
	305
	306	LIST_FOREACH(conditions, c, first)
	307	condition_dump(c, f, prefix);
	308	}
	309
	310	static const char* const condition_type_table[_CONDITION_TYPE_MAX] = {
d257ddef	311	[CONDITION_PATH_EXISTS] = "ConditionPathExists",
8092a428	312	[CONDITION_PATH_EXISTS_GLOB] = "ConditionPathExistsGlob",
8fb81fa7	313	[CONDITION_PATH_IS_DIRECTORY] = "ConditionPathIsDirectory",
0d60602c	314	[CONDITION_PATH_IS_SYMBOLIC_LINK] = "ConditionPathIsSymbolicLink",
ab7f148f	315	[CONDITION_PATH_IS_MOUNT_POINT] = "ConditionPathIsMountPoint",
8fb81fa7 MS	316	[CONDITION_DIRECTORY_NOT_EMPTY] = "ConditionDirectoryNotEmpty",
	317	[CONDITION_KERNEL_COMMAND_LINE] = "ConditionKernelCommandLine",
	318	[CONDITION_VIRTUALIZATION] = "ConditionVirtualization",
07e833bc	319	[CONDITION_SECURITY] = "ConditionSecurity",
d257ddef	320	[CONDITION_NULL] = "ConditionNull"
52661efd LP	321	};
	322
	323	DEFINE_STRING_TABLE_LOOKUP(condition_type, ConditionType);