fedir/ICFS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added mutex to permissions checks to avoid inconsistent permission checking

Browse Source
This commit is contained in:
fedir
2025-05-20 09:59:18 +02:00
parent 754a26884c
commit 8e1c325f98
1 changed files with 21 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
src/ui-socket.c
View File

@@ -30,6 +30,8 @@
#define DIALOGUE_NO 1 #define DIALOGUE_NO 1
#define DIALOGUE_PERM 2 #define DIALOGUE_PERM 2
pthread_mutex_t access_check_mutex = PTHREAD_MUTEX_INITIALIZER;
struct dialogue_response { struct dialogue_response {
access_t decision; access_t decision;
char *filename; char *filename;
@@ -127,6 +129,7 @@ struct dialogue_response ask_access(const char *filename,
} }
int dialogue_exit_code = WEXITSTATUS(pclose(fp)); int dialogue_exit_code = WEXITSTATUS(pclose(fp));
fprintf(stderr, "dialogue wrote out %s\n", first(&dialogue_output)); fprintf(stderr, "dialogue wrote out %s\n", first(&dialogue_output));
fprintf(stderr, "dialogue returned %d\n", dialogue_exit_code); fprintf(stderr, "dialogue returned %d\n", dialogue_exit_code);
@@ -172,6 +175,7 @@ struct dialogue_response ask_access(const char *filename,
int interactive_access(const char *filename, struct process_info proc_info, int interactive_access(const char *filename, struct process_info proc_info,
int opts) { int opts) {
char *real_path = real_filename(filename); char *real_path = real_filename(filename);
pthread_mutex_lock(&access_check_mutex);
access_t access = check_temp_access(real_path, proc_info); access_t access = check_temp_access(real_path, proc_info);
if (access == ALLOW) { if (access == ALLOW) {
@@ -180,6 +184,7 @@ int interactive_access(const char *filename, struct process_info proc_info,
"permission table.\n", "permission table.\n",
proc_info.name); proc_info.name);
free(real_path); free(real_path);
pthread_mutex_unlock(&access_check_mutex);
return 1; return 1;
} }
if (access == DENY) { if (access == DENY) {
@@ -188,6 +193,7 @@ int interactive_access(const char *filename, struct process_info proc_info,
"permission table.\n", "permission table.\n",
proc_info.name); proc_info.name);
free(real_path); free(real_path);
pthread_mutex_unlock(&access_check_mutex);
return 0; return 0;
} }
@@ -198,6 +204,7 @@ int interactive_access(const char *filename, struct process_info proc_info,
"permission table.\n", "permission table.\n",
proc_info.name); proc_info.name);
free(real_path); free(real_path);
pthread_mutex_unlock(&access_check_mutex);
return 1; return 1;
} }
if (access == DENY) { if (access == DENY) {
@@ -206,6 +213,7 @@ int interactive_access(const char *filename, struct process_info proc_info,
"permission table.\n", "permission table.\n",
proc_info.name); proc_info.name);
free(real_path); free(real_path);
pthread_mutex_unlock(&access_check_mutex);
return 0; return 0;
} }
@@ -216,12 +224,14 @@ int interactive_access(const char *filename, struct process_info proc_info,
fprintf(stderr, "Permission granted permanently to %s.\n", proc_info.name); fprintf(stderr, "Permission granted permanently to %s.\n", proc_info.name);
set_perm_access(real_path, proc_info, SET_ALLOW); set_perm_access(real_path, proc_info, SET_ALLOW);
free(real_path); free(real_path);
pthread_mutex_unlock(&access_check_mutex);
return 1; return 1;
} }
if (opts & GRANT_TEMP) { if (opts & GRANT_TEMP) {
fprintf(stderr, "Permission granted temporarily to %s.\n", proc_info.name); fprintf(stderr, "Permission granted temporarily to %s.\n", proc_info.name);
set_temp_access(real_path, proc_info, SET_ALLOW); set_temp_access(real_path, proc_info, SET_ALLOW);
free(real_path); free(real_path);
pthread_mutex_unlock(&access_check_mutex);
return 1; return 1;
} }
@@ -245,43 +255,36 @@ int interactive_access(const char *filename, struct process_info proc_info,
real_path = real_filename(response.filename); real_path = real_filename(response.filename);
free(response.filename); free(response.filename);
int ret = 0;
if (response.decision == ALLOW) { if (response.decision == ALLOW) {
fprintf(stderr, fprintf(stderr,
"Permission granted permanently to %s based on zenty response.\n", "Permission granted permanently to %s based on zenty response.\n",
proc_info.name); proc_info.name);
set_perm_access(real_path, proc_info, SET_ALLOW); set_perm_access(real_path, proc_info, SET_ALLOW);
free(real_path); ret = 1;
return 1; } else if (response.decision == ALLOW_TEMP) {
}
if (response.decision == ALLOW_TEMP) {
fprintf(stderr, fprintf(stderr,
"Permission granted temporarily to %s based on zenty response.\n", "Permission granted temporarily to %s based on zenty response.\n",
proc_info.name); proc_info.name);
set_temp_access(real_path, proc_info, SET_ALLOW); set_temp_access(real_path, proc_info, SET_ALLOW);
free(real_path); ret = 1;
return 1; } else if (response.decision == DENY_TEMP) {
}
if (response.decision == DENY_TEMP) {
fprintf(stderr, fprintf(stderr,
"Permission denied temporarily to %s based on zenty response.\n", "Permission denied temporarily to %s based on zenty response.\n",
proc_info.name); proc_info.name);
set_temp_access(real_path, proc_info, SET_DENY); set_temp_access(real_path, proc_info, SET_DENY);
free(real_path); ret = 0;
return 0; } else if (response.decision == DENY) {
}
if (response.decision == DENY) {
fprintf(stderr, fprintf(stderr,
"Permission denied permanently to %s based on zenty response.\n", "Permission denied permanently to %s based on zenty response.\n",
proc_info.name); proc_info.name);
set_perm_access(real_path, proc_info, SET_DENY); set_perm_access(real_path, proc_info, SET_DENY);
free(real_path); ret = 0;
return 0;
} }
pthread_mutex_unlock(&access_check_mutex);
free(real_path); free(real_path);
// deny on unknown options. // deny on unknown options.
return 0; return ret;
} }