From 8fcf8065b8329ab9abe14ecddc1040e14adc6461 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Fri, 15 Jul 2016 12:36:45 +0200
Subject: [PATCH 08/18] module-access: use the auth hook and pid
Connect to the client_auth hook and also check the pid from the
credentials to find the right policy for a client.
---
src/modules/module-access.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/src/modules/module-access.c b/src/modules/module-access.c
index 290d052..c00612a 100644
--- a/src/modules/module-access.c
+++ b/src/modules/module-access.c
@@ -89,6 +89,7 @@ struct userdata {
pa_hashmap *clients;
pa_hook_slot *client_put_slot;
+ pa_hook_slot *client_auth_slot;
pa_hook_slot *client_proplist_changed_slot;
pa_hook_slot *client_unlink_slot;
};
@@ -368,6 +369,9 @@ static uint32_t find_policy_for_client (struct userdata *u, pa_client *cl) {
pa_log ("client proplist %s", s);
pa_xfree(s);
+ if (cl->creds_valid) {
+ pa_log ("client has trusted pid %d", cl->creds.pid);
+ }
return u->default_policy;
}
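Review bot: The added block in find_policy_for_client only logs the pid and then still returns `u->default_policy`, so the pid check announced in the commit description is not implemented by these lines. `pa_log` writes at error level for every client with valid credentials; `pa_log_debug ("client has pid %d", (int) cl->creds.pid);` fits a diagnostic better, and the cast keeps the format correct wherever pid_t is not int. Calling the pid "trusted" overstates it, because a pid can be reused once the peer exits, so any later policy lookup keyed on it should be done while the connection is known to be alive. The function starts outside this hunk.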
@@ -381,6 +385,8 @@ static pa_hook_result_t client_put_cb(pa_core *c, pa_object *o, struct userdata
cl = (pa_client *) o;
pa_assert(cl);
+ /* when we get here, the client just connected and is not yet authenticated
+ * we should probably install a policy that denies all access */
policy = find_policy_for_client(u, cl);
client_data_new(u, cl->index, policy);
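Review bot: The new comment in client_put_cb says the client is not yet authenticated and should get a deny-all policy, but the next line still stores the result of `find_policy_for_client(u, cl)`, which in the lines visible in the previous hunk ends in `return u->default_policy`. Until client_auth_cb runs, an unauthenticated connection therefore holds whatever the default policy permits. If the module has a deny-all policy index (none is visible in this patch), pass it here, e.g. `client_data_new(u, cl->index, <DENY_ALL_POLICY_INDEX>);`, and leave the real assignment to client_auth_cb. client_put_cb begins and ends outside this hunk.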
@@ -388,6 +394,27 @@ static pa_hook_result_t client_put_cb(pa_core *c, pa_object *o, struct userdata
return PA_HOOK_OK;
}
+static pa_hook_result_t client_auth_cb(pa_core *c, pa_object *o, struct userdata *u) {
+ pa_client *cl;
+ client_data *cd;
+ uint32_t policy;
+
+ pa_assert(c);
+ pa_object_assert_ref(o);
+
+ cl = (pa_client *) o;
+ pa_assert(cl);
+
+ cd = client_data_get (u, cl->index);
+ if (cd == NULL)
+ return PA_HOOK_OK;
+
+ policy = find_policy_for_client(u, cl);
+ cd->policy = policy;
+
+ return PA_HOOK_OK;
+}
+
static pa_hook_result_t client_proplist_changed_cb(pa_core *c, pa_object *o, struct userdata *u) {
pa_client *cl;
client_data *cd;
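Review bot: When `client_data_get` returns NULL, client_auth_cb returns `PA_HOOK_OK` without logging, so a client can complete authentication with no policy record; whether later access checks then deny or allow is decided by code outside this hunk. A `pa_log_warn ("no client data for client %u", cl->index);` on that path, or creating the record there with `client_data_new(u, cl->index, policy)`, would make the outcome explicit. `u` is passed on without a `pa_assert(u)` although `c` and `o` are asserted. The callback also lacks a comment stating that it replaces the provisional policy set in client_put_cb once authentication has finished.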
@@ -446,6 +473,7 @@ int pa__init(pa_module*m) {
(pa_free_cb_t) client_data_free);
u->client_put_slot = pa_hook_connect(&u->core->hooks[PA_CORE_HOOK_CLIENT_PUT], PA_HOOK_EARLY, (pa_hook_cb_t) client_put_cb, u);
+ u->client_auth_slot = pa_hook_connect(&u->core->hooks[PA_CORE_HOOK_CLIENT_AUTH], PA_HOOK_EARLY, (pa_hook_cb_t) client_auth_cb, u);
u->client_proplist_changed_slot = pa_hook_connect(&u->core->hooks[PA_CORE_HOOK_CLIENT_PROPLIST_CHANGED], PA_HOOK_EARLY, (pa_hook_cb_t) client_proplist_changed_cb, u);
u->client_unlink_slot = pa_hook_connect(&u->core->hooks[PA_CORE_HOOK_CLIENT_UNLINK], PA_HOOK_EARLY, (pa_hook_cb_t) client_unlink_cb, u);
@@ -519,6 +547,8 @@ void pa__done(pa_module*m) {
if (u->client_put_slot)
pa_hook_slot_free(u->client_put_slot);
+ if (u->client_auth_slot)
+ pa_hook_slot_free(u->client_auth_slot);
if (u->client_proplist_changed_slot)
pa_hook_slot_free(u->client_proplist_changed_slot);
if (u->client_unlink_slot)
--
2.9.3