hal/tools hal-system-storage-mount,1.13,1.14
David Zeuthen
david at freedesktop.org
Sat Jan 21 08:54:06 PST 2006
Update of /cvs/hal/hal/tools
In directory gabe:/tmp/cvs-serv14173/tools
Modified Files:
hal-system-storage-mount
Log Message:
2006-01-21 David Zeuthen <davidz at redhat.com>
* hald-runner/runner.c (find_program): Simply use glib convience
g_find_program_in_path() on the basename of the desired helper since
our allowed paths are now in $PATH
* hald-runner/main.c (main): Print out allowed paths
* hald/linux2/blockdev.c (add_blockdev_probing_helper_done): Fix up
indenting
* hald/hald_runner.h: Modify prototype of hald_runner_start_runner to
not take the path to the runner
* hald/hald_runner.c (hald_runner_start_runner): Use the flag
G_SPAWN_SEARCH_PATH to search for hald-runner. Export HALD_RUNNER_PATH
as PATH for the runner. Always include standard locations, e.g.
$(libexecdir) and $(datadir)/hal/scripts.
* hald/hald_dbus.c (hald_exec_method_cb): Check if there really
was an error
* hald/hald.c (usage): Remove usage for --with-runner
(main): Remove --with-runner option; just search $PATH for it
* hald/run-hald.sh, hald/debug-hald.sh, hald/valgrind-hald.sh:
Set $HALD_RUNNER_PATH and modify $PATH to include local hald-runner
* tools/hal-system-storage-mount: Read and enforce security policy
as specified in fdi/policy/10osvendor/10-security-policy.fdi
* fdi/policy/10osvendor/Makefile.am (dist_fdi_DATA):
Add 10-security-policy.fdi
* fdi/policy/10osvendor/10-security-policy.fdi: New file
Index: hal-system-storage-mount
===================================================================
RCS file: /cvs/hal/hal/tools/hal-system-storage-mount,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -d -r1.13 -r1.14
--- hal-system-storage-mount 20 Jan 2006 16:34:07 -0000 1.13
+++ hal-system-storage-mount 21 Jan 2006 16:54:04 -0000 1.14
@@ -15,12 +15,6 @@
exit 1
fi
-if [ "$HAL_METHOD_INVOKED_BY_UID" == "" ]; then
- echo "org.freedesktop.Hal.Device.Volume.PermissionDenied" >&2
- echo "" >&2
- exit 1
-fi
-
# check if device is already mounted
if [ "$HAL_PROP_VOLUME_IS_MOUNTED" = "true" ]; then
echo "org.freedesktop.Hal.Device.Volume.AlreadyMounted" >&2
@@ -35,6 +29,46 @@
exit 1
fi
+# read our security policy (see policy/10osvendor/10-security-policy.fdi)
+SECPOL_ALLOW_UID_MOUNT_FIXED=`hal-get-property --udi /org/freedesktop/Hal/devices/computer --key security_policy.system.storage.allow_uid_mount_fixed`
+SECPOL_ALLOW_UID_MOUNT_NONFIXED=`hal-get-property --udi /org/freedesktop/Hal/devices/computer --key security_policy.system.storage.allow_uid_mount_nonfixed`
+
+# determine what kind of drive we stem from
+IS_HOTPLUGGABLE=`hal-get-property --udi $HAL_PROP_BLOCK_STORAGE_DEVICE --key storage.hotpluggable`
+IS_REMOVABLE=`hal-get-property --udi $HAL_PROP_BLOCK_STORAGE_DEVICE --key storage.removable`
+
+# enforce security policy
+ALLOW="false"
+if [ "$IS_HOTPLUGGABLE" == "true" ] || [ "$IS_REMOVABLE" == "true" ]; then
+ # nonfixed media, e.g. removable and/or hotpluggable
+ if [ "$SECPOL_ALLOW_UID_MOUNT_NONFIXED" == "" ]; then
+ ALLOW="true"
+ else
+ for i in $SECPOL_ALLOW_UID_MOUNT_NONFIXED; do
+ if [ "$i" == "$HAL_METHOD_INVOKED_BY_UID" ]; then
+ ALLOW="true"
+ fi
+ done
+ fi
+else
+ # fixed media
+ if [ "$SECPOL_ALLOW_UID_MOUNT_FIXED" == "" ]; then
+ ALLOW="true"
+ else
+ for i in $SECPOL_ALLOW_UID_MOUNT_FIXED; do
+ if [ "$i" == "$HAL_METHOD_INVOKED_BY_UID" ]; then
+ ALLOW="true"
+ fi
+ done
+ fi
+fi
+
+if [ "$ALLOW" != "true" ]; then
+ echo "org.freedesktop.Hal.Device.Volume.PermissionDenied" >&2
+ echo "uid $HAL_METHOD_INVOKED_BY_UID is not authorized according to security policy" >&2
+ exit 1
+fi
+
# read parameters
# "MyDisk\n"
# "fuse\n"
More information about the hal-commit
mailing list