Commit 6b4c2727 authored by Lukas Braun's avatar Lukas Braun Committed by Simon Ruderich

slsm: implement exact flag

An exact rule only matches when the path being accessed ends at the
rule's path; it does not apply to entries below that path.
parent 7b769e45
......@@ -353,15 +353,15 @@ test_expect_success 'example SSH private key setup' "
echo cfg >/tmp/slsm/home/user/.ssh/config &&
\
rules p=/tmp/slsm/home/user/.ssh/private m=0 '' \
p=/tmp/slsm/home/user/.ssh/private a=$HEAD m=4 '' \
p=/tmp/slsm/home/user/.ssh/id_rsa.pub m=4 &&
p=/tmp/slsm/home/user/.ssh/private f=4 m=4 '' \
p=/tmp/slsm/home/user/.ssh/private a=$HEAD m=4 &&
echo cfg >expected &&
test_cmp expected /tmp/slsm/home/user/.ssh/config &&
rm /tmp/slsm/home/user/.ssh/config &&
echo cfg >/tmp/slsm/home/user/.ssh/config &&
test_cmp expected /tmp/slsm/home/user/.ssh/config &&
test_must_fail cat /tmp/slsm/home/user/.ssh/id_rsa &&
test_must_fail ls /tmp/slsm/home/user/.ssh/private &&
ls /tmp/slsm/home/user/.ssh/private &&
echo key >expected &&
$HEAD /tmp/slsm/home/user/.ssh/id_rsa >actual &&
test_cmp expected actual
......
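Review bot: The updated assertions only exercise the positive side of the exact flag — `ls` of `private` itself now succeeds because of the `f=4 m=4` rule — but nothing checks that the exact rule stops there, so a regression that let the exact rule leak into the subtree would still pass. Add a negative case for an entry below the directory, e.g. `test_must_fail cat /tmp/slsm/home/user/.ssh/private/<file created in the setup> &&`, and pin whether a trailing slash (`ls /tmp/slsm/home/user/.ssh/private/`) still counts as "at the end of the path"; that depends on how the path is split by slsm_query_perms, which is not visible here, and it is exactly the variant someone would use to probe an exact-only rule. The `test_expect_success` body starts before this hunk.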
......@@ -86,7 +86,8 @@ static struct tree_node *slsm_find_matching_child(const struct tree_node *t,
* @app: application we are looking for
* @perms: where to write the new perms if one is found;
*/
static void slsm_last_match(const struct tree_node *t, const char *app, struct slsm_perms *perms) {
static void slsm_last_match(const struct tree_node *t, const char *app,
struct slsm_perms *perms, unsigned at_path_end) {
size_t i;
if (!t->rules || t->rules_used == 0)
......@@ -95,8 +96,11 @@ static void slsm_last_match(const struct tree_node *t, const char *app, struct s
i = t->rules_used - 1;
do {
if (!t->rules[i].app || !strcmp(t->rules[i].app, app)) {
*perms = t->rules[i].perms;
return;
struct slsm_perms tmp = t->rules[i].perms;
if (!(tmp.flags & SLSM_FLAG_EXACT) || at_path_end) {
*perms = tmp;
return;
}
}
} while (i-- > 0);
}
......@@ -128,7 +132,7 @@ struct slsm_perms slsm_query_perms(const char *path, const char *app) {
do {
size_t length;
slsm_last_match(t, app, &ret);
slsm_last_match(t, app, &ret, path == NULL);
if (!path)
break;
......
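Review bot: The new `at_path_end` parameter of slsm_last_match is not described in the kerneldoc block above it (only `@app` and `@perms` are; the comment opens before this hunk), and the fall-through it introduces deserves to be spelled out: when an exact rule is skipped the `do`/`while` keeps walking to older rules, so an exact rule never shadows an older, possibly more permissive, non-exact rule for the same app. Suggested line after `@perms`: ` * @at_path_end: non-zero when @t is the node for the last component of the queried path; rules with SLSM_FLAG_EXACT are skipped (and older rules consulted) otherwise`. A smaller point of style: `tmp` copies the whole perms struct only to read `flags`; `const struct slsm_perms *p = &t->rules[i].perms;` followed by `*perms = *p;` avoids the copy and makes the read-only intent obvious. The loop body of slsm_query_perms continues past the hunk, so whether `path == NULL` also holds for a path with a trailing `/` cannot be confirmed from here.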
......@@ -36,6 +36,7 @@ struct tree_node {
#define SLSM_FLAG_INHERIT (1 << 0)
#define SLSM_FLAG_CONFINE (1 << 1)
#define SLSM_FLAG_EXACT (1 << 2)
/* NOTE: when adding new flags adapt slsm_perms_would_elevate() */
struct slsm_perms {
......
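Review bot: The NOTE directly below the new `SLSM_FLAG_EXACT` define says every new flag must be reflected in slsm_perms_would_elevate(), yet no change to such a function appears anywhere in this commit. If that helper is what decides whether a rule change grants more than the caller already has (I cannot see it here), an unhandled exact bit could make two rules that differ only in that flag compare as equal, or the reverse; either adapt it in the same commit or, if the exact flag genuinely needs no treatment there, record that next to the define, e.g. `#define SLSM_FLAG_EXACT (1 << 2) /* match-only flag, deliberately ignored by slsm_perms_would_elevate() */`. The `struct slsm_perms` definition continues past this hunk.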