Include process start time when doing polkit checks

author Daniel P. Berrange <berrange@redhat.com>

Thu, 25 Apr 2013 16:05:00 +0000 (17:05 +0100)

committer Eric Blake <eblake@redhat.com>

Wed, 18 Sep 2013 18:22:25 +0000 (12:22 -0600)
author Daniel P. Berrange <berrange@redhat.com>
Thu, 25 Apr 2013 16:05:00 +0000 (17:05 +0100)
committer Eric Blake <eblake@redhat.com>
Wed, 18 Sep 2013 18:22:25 +0000 (12:22 -0600)
diff --git a/daemon/remote.c b/daemon/remote.c

index dd72f9fff6b28b4a730f9d1693c19545a2d207e5..cf43f04640c3f228e84e726ce0eef1f3036930a0 100644 (file)
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -2370,6 +2370,7 @@ remoteDispatchAuthList(virNetServerPtr server ATTRIBUTE_UNUSED,
      uid_t callerUid;
      gid_t callerGid;
      pid_t callerPid;
+    unsigned long long timestamp;
  
      /* If the client is root then we want to bypass the
       * policykit auth to avoid root being denied if
@@ -2377,7 +2378,7 @@ remoteDispatchAuthList(virNetServerPtr server ATTRIBUTE_UNUSED,
       */
      if (auth == VIR_NET_SERVER_SERVICE_AUTH_POLKIT) {
          if (virNetServerClientGetUNIXIdentity(client, &callerUid, &callerGid,
-                                              &callerPid) < 0) {
+                                              &callerPid, &timestamp) < 0) {
              /* Don't do anything on error - it'll be validated at next
               * phase of auth anyway */
              virResetLastError();
@@ -2803,6 +2804,7 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
      pid_t callerPid = -1;
      gid_t callerGid = -1;
      uid_t callerUid = -1;
+    unsigned long long timestamp;
      const char *action;
      int status = -1;
      char *ident = NULL;
@@ -2828,7 +2830,7 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
      }
  
      if (virNetServerClientGetUNIXIdentity(client, &callerUid, &callerGid,
-                                          &callerPid) < 0) {
+                                          &callerPid, &timestamp) < 0) {
          goto authfail;
      }
  
@@ -2836,7 +2838,11 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
               (long long) callerPid, callerUid);
  
      virCommandAddArg(cmd, "--process");
-    virCommandAddArgFormat(cmd, "%lld", (long long) callerPid);
+    if (timestamp != 0) {
+        virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp);
+    } else {
+        virCommandAddArgFormat(cmd, "%lld", (long long) callerPid);
+    }
      virCommandAddArg(cmd, "--allow-user-interaction");
  
      if (virAsprintf(&ident, "pid:%lld,uid:%d",
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms

index bf3b426c78e266bd615bbeb239516a172ceb2142..67db6a178c37fd10ee77bc7ad29f877d231765f4 100644 (file)
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1750,6 +1750,7 @@ virStorageFileResize;
  virStringArrayHasString;
  virStringFreeList;
  virStringJoin;
+virStringListLength;
  virStringSplit;
  
  
diff --git a/src/locking/lock_daemon.c b/src/locking/lock_daemon.c

index 97e5d749c2b1c0a9198c2a1d05803a46558c8dcd..bf0ee8124e705bf5d551ef46e29b77e0a3013505 100644 (file)
--- a/src/locking/lock_daemon.c
+++ b/src/locking/lock_daemon.c
@@ -782,6 +782,7 @@ virLockDaemonClientNew(virNetServerClientPtr client,
      virLockDaemonClientPtr priv;
      uid_t clientuid;
      gid_t clientgid;
+    unsigned long long timestamp;
      bool privileged = opaque != NULL;
  
      if (VIR_ALLOC(priv) < 0) {
@@ -798,7 +799,8 @@ virLockDaemonClientNew(virNetServerClientPtr client,
      if (virNetServerClientGetUNIXIdentity(client,
                                            &clientuid,
                                            &clientgid,
-                                          &priv->clientPid) < 0)
+                                          &priv->clientPid,
+                                          &timestamp) < 0)
          goto error;
  
      VIR_DEBUG("New client pid %llu uid %llu",
diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c

index 58fb0b4918f58c45d1b69afb13a0f5400fcc9706..b63ae300b6bb6b7cc0c897efc341a75d7e30e322 100644 (file)
--- a/src/rpc/virnetserverclient.c
+++ b/src/rpc/virnetserverclient.c
@@ -634,12 +634,15 @@ bool virNetServerClientIsLocal(virNetServerClientPtr client)
  
  
  int virNetServerClientGetUNIXIdentity(virNetServerClientPtr client,
-                                      uid_t *uid, gid_t *gid, pid_t *pid)
+                                      uid_t *uid, gid_t *gid, pid_t *pid,
+                                      unsigned long long *timestamp)
  {
      int ret = -1;
      virObjectLock(client);
      if (client->sock)
-        ret = virNetSocketGetUNIXIdentity(client->sock, uid, gid, pid);
+        ret = virNetSocketGetUNIXIdentity(client->sock,
+                                          uid, gid, pid,
+                                          timestamp);
      virObjectUnlock(client);
      return ret;
  }
@@ -649,6 +652,7 @@ static virIdentityPtr
  virNetServerClientCreateIdentity(virNetServerClientPtr client)
  {
      char *processid = NULL;
+    char *processtime = NULL;
      char *username = NULL;
      char *groupname = NULL;
  #if WITH_SASL
@@ -662,15 +666,23 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client)
          gid_t gid;
          uid_t uid;
          pid_t pid;
-        if (virNetSocketGetUNIXIdentity(client->sock, &uid, &gid, &pid) < 0)
+        unsigned long long timestamp;
+        if (virNetSocketGetUNIXIdentity(client->sock,
+                                        &uid, &gid, &pid,
+                                        &timestamp) < 0)
              goto cleanup;
  
          if (!(username = virGetUserName(uid)))
              goto cleanup;
          if (!(groupname = virGetGroupName(gid)))
              goto cleanup;
-        if (virAsprintf(&processid, "%lld",
-                        (long long)pid) < 0) {
+        if (virAsprintf(&processid, "%llu",
+                        (unsigned long long)pid) < 0) {
+            virReportOOMError();
+            goto cleanup;
+        }
+        if (virAsprintf(&processtime, "%llu",
+                        timestamp) < 0) {
              virReportOOMError();
              goto cleanup;
          }
@@ -720,6 +732,11 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client)
                             VIR_IDENTITY_ATTR_UNIX_PROCESS_ID,
                             processid) < 0)
          goto error;
+    if (processtime &&
+        virIdentitySetAttr(ret,
+                           VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME,
+                           processtime) < 0)
+        goto error;
  #if HAVE_SASL
      if (saslname &&
          virIdentitySetAttr(ret,
@@ -742,6 +759,7 @@ cleanup:
      VIR_FREE(username);
      VIR_FREE(groupname);
      VIR_FREE(processid);
+    VIR_FREE(processtime);
      VIR_FREE(seccontext);
  #if HAVE_SASL
      VIR_FREE(saslname);
diff --git a/src/rpc/virnetserverclient.h b/src/rpc/virnetserverclient.h

index b3b8df0bf963b7febd277649b35820c9417b4e74..2a64d45ef8b74b64d44b0905f264b73e707a9918 100644 (file)
--- a/src/rpc/virnetserverclient.h
+++ b/src/rpc/virnetserverclient.h
@@ -99,7 +99,8 @@ bool virNetServerClientIsSecure(virNetServerClientPtr client);
  bool virNetServerClientIsLocal(virNetServerClientPtr client);
  
  int virNetServerClientGetUNIXIdentity(virNetServerClientPtr client,
-                                      uid_t *uid, gid_t *gid, pid_t *pid);
+                                      uid_t *uid, gid_t *gid, pid_t *pid,
+                                      unsigned long long *timestamp);
  
  int virNetServerClientGetSecurityContext(virNetServerClientPtr client,
                                           char **context);
diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c

index 14c4a4f907de1c5282a333f9afa1c502cb2a2c72..d754b3e0673b3858458a246a5fdae89339aa7977 100644 (file)
--- a/src/rpc/virnetsocket.c
+++ b/src/rpc/virnetsocket.c
@@ -1103,31 +1103,41 @@ int virNetSocketGetPort(virNetSocketPtr sock)
  int virNetSocketGetUNIXIdentity(virNetSocketPtr sock,
                                  uid_t *uid,
                                  gid_t *gid,
-                                pid_t *pid)
+                                pid_t *pid,
+                                unsigned long long *timestamp)
  {
      struct ucred cr;
      socklen_t cr_len = sizeof(cr);
+    int ret = -1;
+
      virObjectLock(sock);
  
      if (getsockopt(sock->fd, SOL_SOCKET, SO_PEERCRED, &cr, &cr_len) < 0) {
          virReportSystemError(errno, "%s",
                               _("Failed to get client socket identity"));
-        virObjectUnlock(sock);
-        return -1;
+        goto cleanup;
      }
  
+    if (virProcessGetStartTime(cr.pid, timestamp) < 0)
+        goto cleanup;
+
      *pid = cr.pid;
      *uid = cr.uid;
      *gid = cr.gid;
  
+    ret = 0;
+
+cleanup:
      virObjectUnlock(sock);
-    return 0;
+    return ret;
  }
  #elif defined(LOCAL_PEERCRED)
+
  int virNetSocketGetUNIXIdentity(virNetSocketPtr sock,
                                  uid_t *uid,
                                  gid_t *gid,
-                                pid_t *pid)
+                                pid_t *pid,
+                                unsigned long long *timestamp ATTRIBUTE_UNUSED)
  {
      struct xucred cr;
      socklen_t cr_len = sizeof(cr);
@@ -1151,7 +1161,8 @@ int virNetSocketGetUNIXIdentity(virNetSocketPtr sock,
  int virNetSocketGetUNIXIdentity(virNetSocketPtr sock ATTRIBUTE_UNUSED,
                                  uid_t *uid ATTRIBUTE_UNUSED,
                                  gid_t *gid ATTRIBUTE_UNUSED,
-                                pid_t *pid ATTRIBUTE_UNUSED)
+                                pid_t *pid ATTRIBUTE_UNUSED,
+                                unsigned long long *timestamp ATTRIBUTE_UNUSED)
  {
      /* XXX Many more OS support UNIX socket credentials we could port to. See dbus ....*/
      virReportSystemError(ENOSYS, "%s",
diff --git a/src/rpc/virnetsocket.h b/src/rpc/virnetsocket.h

index 7392c722bf33e9336d81e2acca7988fc9b2290fc..a0536f262ddaee7a31e4778e146e49d8c23b1c60 100644 (file)
--- a/src/rpc/virnetsocket.h
+++ b/src/rpc/virnetsocket.h
@@ -113,7 +113,8 @@ int virNetSocketGetPort(virNetSocketPtr sock);
  int virNetSocketGetUNIXIdentity(virNetSocketPtr sock,
                                  uid_t *uid,
                                  gid_t *gid,
-                                pid_t *pid);
+                                pid_t *pid,
+                                unsigned long long *timestamp);
  int virNetSocketGetSecurityContext(virNetSocketPtr sock,
                                     char **context);
  
diff --git a/src/util/viridentity.h b/src/util/viridentity.h

index 39ab20ef9ee62eadd0a6f993c00671cc77052255..78680b51d3de58a4f1ffb3a7dc26c879a14d3f79 100644 (file)
--- a/src/util/viridentity.h
+++ b/src/util/viridentity.h
@@ -31,6 +31,7 @@ typedef enum {
        VIR_IDENTITY_ATTR_UNIX_USER_NAME,
        VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
        VIR_IDENTITY_ATTR_UNIX_PROCESS_ID,
+      VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME,
        VIR_IDENTITY_ATTR_SASL_USER_NAME,
        VIR_IDENTITY_ATTR_X509_DISTINGUISHED_NAME,
        VIR_IDENTITY_ATTR_SECURITY_CONTEXT,
diff --git a/src/util/virprocess.c b/src/util/virprocess.c

index 86d872e563f2b0217d6f35bce637c7757e88c222..99db00335228a0ff6f5772b63d34222dda0a3ec8 100644 (file)
--- a/src/util/virprocess.c
+++ b/src/util/virprocess.c
@@ -33,12 +33,20 @@
  #endif
  #include <sched.h>
  
+#ifdef __FreeBSD__
+# include <sys/param.h>
+# include <sys/sysctl.h>
+# include <sys/user.h>
+#endif
+
+#include "viratomic.h"
  #include "virprocess.h"
  #include "virerror.h"
  #include "viralloc.h"
  #include "virfile.h"
  #include "virlog.h"
  #include "virutil.h"
+#include "virstring.h"
  
  #define VIR_FROM_THIS VIR_FROM_NONE
  
@@ -755,3 +763,112 @@ virProcessSetMaxFiles(pid_t pid ATTRIBUTE_UNUSED, unsigned int files)
      return -1;
  }
  #endif /* ! (HAVE_SETRLIMIT && defined(RLIMIT_NOFILE)) */
+
+#ifdef __linux__
+/*
+ * Port of code from polkitunixprocess.c under terms
+ * of the LGPLv2+
+ */
+int virProcessGetStartTime(pid_t pid,
+                           unsigned long long *timestamp)
+{
+    char *filename = NULL;
+    char *buf = NULL;
+    char *tmp;
+    int ret = -1;
+    int len;
+    char **tokens = NULL;
+
+    if (virAsprintf(&filename, "/proc/%llu/stat",
+                    (unsigned long long)pid) < 0) {
+        virReportOOMError();
+        return -1;
+    }
+
+    if ((len = virFileReadAll(filename, 1024, &buf)) < 0)
+        goto cleanup;
+
+    /* start time is the token at index 19 after the '(process name)' entry - since only this
+     * field can contain the ')' character, search backwards for this to avoid malicious
+     * processes trying to fool us
+     */
+
+    if (!(tmp = strrchr(buf, ')'))) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("Cannot find start time in %s"),
+                       filename);
+        goto cleanup;
+    }
+    tmp += 2; /* skip ') ' */
+    if ((tmp - buf) >= len) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("Cannot find start time in %s"),
+                       filename);
+        goto cleanup;
+    }
+
+    tokens = virStringSplit(tmp, " ", 0);
+
+    if (virStringListLength(tokens) < 20) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("Cannot find start time in %s"),
+                       filename);
+        goto cleanup;
+    }
+
+    if (virStrToLong_ull(tokens[19],
+                         NULL,
+                         10,
+                         timestamp) < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("Cannot parse start time %s in %s"),
+                       tokens[19], filename);
+        goto cleanup;
+    }
+
+    ret = 0;
+
+cleanup:
+    virStringFreeList(tokens);
+    VIR_FREE(filename);
+    VIR_FREE(buf);
+    return ret;
+}
+#elif defined(__FreeBSD__)
+int virProcessGetStartTime(pid_t pid,
+                           unsigned long long *timestamp)
+{
+    struct kinfo_proc p;
+    int mib[4];
+    size_t len = 4;
+
+    sysctlnametomib("kern.proc.pid", mib, &len);
+
+    len = sizeof(struct kinfo_proc);
+    mib[3] = pid;
+
+    if (sysctl(mib, 4, &p, &len, NULL, 0) < 0) {
+        virReportSystemError(errno, "%s",
+                             _("Unable to query process ID start time"));
+        return -1;
+    }
+
+    *timestamp = (unsigned long long)p.ki_start.tv_sec;
+
+    return 0;
+
+}
+#else
+int virProcessGetStartTime(pid_t pid,
+                           unsigned long long *timestamp)
+{
+    static int warned = 0;
+    if (virAtomicIntInc(&warned) == 1) {
+        VIR_WARN("Process start time of pid %llu not available on this platform",
+                 (unsigned long long)pid);
+        warned = true;
+    }
+    *timestamp = 0;
+    return 0;
+}
+#endif
diff --git a/src/util/virprocess.h b/src/util/virprocess.h

index 5dea3349028d4c21ef9ca1b15e6a74e011ce0527..9f77bc54916912676388e4d0919360f9d2110643 100644 (file)
--- a/src/util/virprocess.h
+++ b/src/util/virprocess.h
@@ -47,6 +47,9 @@ int virProcessGetAffinity(pid_t pid,
                            virBitmapPtr *map,
                            int maxcpu);
  
+int virProcessGetStartTime(pid_t pid,
+                           unsigned long long *timestamp);
+
  int virProcessGetNamespaces(pid_t pid,
                              size_t *nfdlist,
                              int **fdlist);
diff --git a/src/util/virstring.c b/src/util/virstring.c

index 122ebb8f0f284627fa19d2f3fe46c2b34205a85e..67c1dbbfef7180f14ef287e2cd40b4edae0a8980 100644 (file)
--- a/src/util/virstring.c
+++ b/src/util/virstring.c
@@ -180,3 +180,14 @@ virStringArrayHasString(char **strings, const char *needle)
  
      return false;
  }
+
+
+size_t virStringListLength(char **strings)
+{
+    size_t i = 0;
+
+    while (strings && strings[i])
+        i++;
+
+    return i;
+}
diff --git a/src/util/virstring.h b/src/util/virstring.h

index 2ceadc6b84482913498cde72f659c8bbea6ea318..8d1995a48b88586deeb3b3e8c029a22544784b84 100644 (file)
--- a/src/util/virstring.h
+++ b/src/util/virstring.h
@@ -37,4 +37,6 @@ void virStringFreeList(char **strings);
  
  bool virStringArrayHasString(char **strings, const char *needle);
  
+size_t virStringListLength(char **strings);
+
  #endif /* __VIR_STRING_H__ */
author	Daniel P. Berrange <berrange@redhat.com>
	Thu, 25 Apr 2013 16:05:00 +0000 (17:05 +0100)
committer	Eric Blake <eblake@redhat.com>
	Wed, 18 Sep 2013 18:22:25 +0000 (12:22 -0600)
daemon/remote.c		patch \| blob \| blame \| history
src/libvirt_private.syms		patch \| blob \| blame \| history
src/locking/lock_daemon.c		patch \| blob \| blame \| history
src/rpc/virnetserverclient.c		patch \| blob \| blame \| history
src/rpc/virnetserverclient.h		patch \| blob \| blame \| history
src/rpc/virnetsocket.c		patch \| blob \| blame \| history
src/rpc/virnetsocket.h		patch \| blob \| blame \| history
src/util/viridentity.h		patch \| blob \| blame \| history
src/util/virprocess.c		patch \| blob \| blame \| history
src/util/virprocess.h		patch \| blob \| blame \| history
src/util/virstring.c		patch \| blob \| blame \| history
src/util/virstring.h		patch \| blob \| blame \| history