[PATCH] libqmi-glib,utils: avoid getpwnam() call if --enable-qmi-username not used
Aleksander Morgado
aleksander at aleksander.es
Fri Jan 9 04:16:44 PST 2015
On Wed, Jan 7, 2015 at 6:38 PM, Roshan Pius <rpius at chromium.org> wrote:
> If --enable-qmi-username isn't explicitly used, we should just check
> for the root user UID, without using getpwnam(). See e.g. these SELinux warnings:
>
> SELinux is preventing /usr/bin/bash from read access on the file /etc/passwd.
>
> ***** Plugin catchall (100. confidence) suggests **************************
>
> If you believe that bash should be allowed read access on the passwd file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do allow this access for now by executing:
> # grep qmi-proxy /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
Pushed, thanks.
> ---
> configure.ac | 20 ++++++++++++++------
> src/libqmi-glib/qmi-utils.c | 9 +++++++++
> src/qmi-proxy/Makefile.am | 2 +-
> 3 files changed, 24 insertions(+), 7 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index c1ca6ef..0c87850 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -80,17 +80,20 @@ dnl Documentation
> GTK_DOC_CHECK(1.0)
>
> # QMI username
> +QMI_USERNAME="root"
> AC_ARG_ENABLE(qmi-username,
> AS_HELP_STRING([--enable-qmi-username=<username>], [user allowed to access QMI devices]))
> if test -n "$enable_qmi_username" ; then
> + QMI_USERNAME_ENABLED=yes
> + AC_DEFINE(QMI_USERNAME_ENABLED, 1, [Define if we enable QMI username])
> QMI_USERNAME="$enable_qmi_username"
> + AC_SUBST(QMI_USERNAME)
> + AC_DEFINE_UNQUOTED(QMI_USERNAME, "$QMI_USERNAME", [Define the QMI username])
> else
> - QMI_USERNAME="root"
> + QMI_USERNAME_ENABLED=no
> fi
> -AM_CONDITIONAL([INSTALL_QMI_UDEV_RULES], [test "x$enable_qmi_username" = "x$QMI_USERNAME"])
> -AC_SUBST(QMI_USERNAME)
> -AC_DEFINE_UNQUOTED(QMI_USERNAME, "$QMI_USERNAME", [Define the QMI username])
> -AM_COND_IF([INSTALL_QMI_UDEV_RULES], [AC_CONFIG_FILES([src/qmi-proxy/76-qmi-proxy-device-ownership.rules])])
> +
> +AM_CONDITIONAL([QMI_USERNAME_ENABLED], [test "x$QMI_USERNAME_ENABLED" = "xyes"])
>
> # udev base directory
> AC_ARG_WITH(udev-base-dir, AS_HELP_STRING([--with-udev-base-dir=DIR], [where udev base directory is]))
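Review bot: The `test -n "$enable_qmi_username"` condition is also true for `--disable-qmi-username` (value `no`) and for a bare `--enable-qmi-username` (value `yes`), so either form defines QMI_USERNAME_ENABLED with QMI_USERNAME set to "no" or "yes". The access check in qmi-utils.c would then look up an account by that name instead of falling back to the root-only test, and the device-ownership rules file would be generated for the same name. Consider `if test -n "$enable_qmi_username" && test "x$enable_qmi_username" != "xno" ; then`, and rejecting the bare `yes` value with `AC_MSG_ERROR` so that a missing username fails at configure time rather than at run time.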
> @@ -126,6 +129,11 @@ AC_CONFIG_FILES([Makefile
> docs/reference/libqmi-glib/Makefile
> docs/reference/libqmi-glib/version.xml
> docs/man/Makefile])
> +
> +if test "x$QMI_USERNAME_ENABLED" = "xyes"; then
> + AC_CONFIG_FILES([src/qmi-proxy/76-qmi-proxy-device-ownership.rules])
> +fi
> +
> AC_OUTPUT
>
> echo "
> @@ -137,5 +145,5 @@ echo "
> Maintainer mode: ${USE_MAINTAINER_MODE}
> udev base directory: ${UDEV_BASE_DIR}
> Documentation: ${enable_gtk_doc}
> - QMI username: ${QMI_USERNAME}
> + QMI username: ${QMI_USERNAME_ENABLED} (${QMI_USERNAME})
> "
> diff --git a/src/libqmi-glib/qmi-utils.c b/src/libqmi-glib/qmi-utils.c
> index 11f1d90..60100b6 100644
> --- a/src/libqmi-glib/qmi-utils.c
> +++ b/src/libqmi-glib/qmi-utils.c
> @@ -81,6 +81,14 @@ gboolean
> __qmi_user_allowed (uid_t uid,
> GError **error)
> {
> +#ifndef QMI_USERNAME_ENABLED
> + if (uid == 0)
> + return TRUE;
> +#else
> +# ifndef QMI_USERNAME
> +# error QMI username not defined
> +# endif
> +
> struct passwd *expected_usr = NULL;
>
> expected_usr = getpwnam (QMI_USERNAME);
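Review bot: The new `#ifndef QMI_USERNAME_ENABLED` branch decides at build time which identity is authorised, but nothing in the function records that or why. A comment above the branch would help the next reader, e.g. `/* Built without --enable-qmi-username: only UID 0 is allowed, and getpwnam() is skipped so no /etc/passwd read is needed. */`. The function body continues outside this hunk, and the matching `#endif` is added in the following hunk.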
> @@ -99,6 +107,7 @@ __qmi_user_allowed (uid_t uid,
>
> if (uid == expected_usr->pw_uid)
> return TRUE;
> +#endif
>
> g_set_error (error,
> QMI_CORE_ERROR,
> diff --git a/src/qmi-proxy/Makefile.am b/src/qmi-proxy/Makefile.am
> index 3eb532e..e03bfaa 100644
> --- a/src/qmi-proxy/Makefile.am
> +++ b/src/qmi-proxy/Makefile.am
> @@ -16,7 +16,7 @@ qmi_proxy_LDADD = \
> $(top_builddir)/src/libqmi-glib/libqmi-glib.la
>
> #Install udev rules only if configured with --enable-qmi-username
> -if INSTALL_QMI_UDEV_RULES
> +if QMI_USERNAME_ENABLED
> udevrulesdir = $(UDEV_BASE_DIR)/rules.d
> udevrules_DATA = 76-qmi-proxy-device-ownership.rules
>
> --
> 2.2.0.rc0.207.ga3a616c
>
--
Aleksander
https://aleksander.es