diff --git a/src/perm_permissions_table.c b/src/perm_permissions_table.c
index d6b4b5c..95d57c7 100644
--- a/src/perm_permissions_table.c
+++ b/src/perm_permissions_table.c
@@ -29,12 +29,12 @@ const char *const table_name = "permissions";
 const int column_count = 3;
 const char *const schema[] = {"executable", "filename", "mode"};
 const char *const types[] = {"TEXT", "TEXT", "INTEGER"};
-uid_t ruid, euid, current_pid;
+uid_t ruid, euid, current_uid;
 pthread_mutex_t uid_switch = PTHREAD_MUTEX_INITIALIZER;
 void set_db_fsuid() {
 pthread_mutex_lock(&uid_switch);
- if (current_pid == ruid)
+ if (current_uid == ruid)
 return;
 int status = -1;
@@ -49,7 +49,7 @@ void set_db_fsuid() {
 void set_real_fsuid() {
 pthread_mutex_lock(&uid_switch);
- if (current_pid == ruid)
+ if (current_uid == ruid)
 return;
 int status = -1;
@@ -201,7 +201,7 @@ void destroy_perm_permissions_table(void) { sqlite3_close(perm_database); }
 * Checks if the process has a permanent access to the file.
 *
 * @param filename: The file that the process is trying to access
- * @pram pi: The process information
+ * @param pi: The process information
 * @return: access status - ALLOW, DENY or NDEF in case if no information was
 * found
 */
@@ -250,7 +250,7 @@ access_t check_perm_access_noparent(const char *filename,
 * file.
 *
 * @param filename: The file that the process is trying to access
- * @pram pi: The process information
+ * @param pi: The process information
 * @return: access status - ALLOW, DENY or NDEF in case if no information was
 * found. Does not return ALLOW_TEMP or DENY_TEMP.
 * @note: In case one of the parent processes is killed while this function
@@ -321,7 +321,6 @@ int set_perm_access(const char *filename, struct process_info pi,
 if (ret != SQLITE_OK) {
 fprintf(stderr, "SQLite returned an error: %s\n", sqlite_error);
 sqlite3_free(sqlite_error);
- free(query);
 return 1;
 }
diff --git a/src/perm_permissions_table.h b/src/perm_permissions_table.h
index 1dee36d..dc4336b 100644
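Review bot: In `set_db_fsuid()` the early `return` directly after `pthread_mutex_lock(&uid_switch)` leaves `uid_switch` held, and `set_real_fsuid()` in the next hunk has the same shape; unless the lock is released somewhere outside these hunks, the next caller of either function blocks and the credential switch around database access stops working. The guard should drop the lock before leaving, e.g. `if (current_uid == ruid) { pthread_mutex_unlock(&uid_switch); return; }`. Both functions also compare against `ruid`, which looks copy-pasted for `set_db_fsuid()`, where one would expect the skip to apply only when the database identity is already active; a one-line comment on each guard stating which uid it is testing for would settle that. Both bodies continue past the end of their hunks.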
--- a/src/perm_permissions_table.h
+++ b/src/perm_permissions_table.h
@@ -30,7 +30,7 @@ void destroy_perm_permissions_table();
 * Checks if the process has a permanent access to the file.
 *
 * @param filename: The file that the process is trying to access
- * @pram pi: The process information
+ * @param pi: The process information
 * @return: access status - ALLOW, DENY or NDEF in case if no information was
 * found
 */
@@ -43,7 +43,7 @@ access_t check_perm_access(const char *filename, struct process_info pi);
 * @param pi: The process information
 * @param mode: Kind of access rule to be set - SET_DENY to deny access, and
 * SET_ALLOW to allow access.
- * @return: 0 on success, -1 on failure
+ * @return: 0 on success, 1 on failure
 */
 int set_perm_access(const char *filename, struct process_info pi, set_mode_t mode);
diff --git a/src/temp_permissions_table.c b/src/temp_permissions_table.c
index 8e04170..cbfdad5 100644
--- a/src/temp_permissions_table.c
+++ b/src/temp_permissions_table.c
@@ -28,7 +28,7 @@ struct temp_process_permissions {
 };
 map(pid_t, struct temp_process_permissions) temp_permissions_table;
-pthread_mutex_t temp_permissions_table_lock;
+pthread_rwlock_t temp_permissions_table_lock = PTHREAD_RWLOCK_INITIALIZER;
 pthread_t gc_thread;
 int is_gc_active = 0;
@@ -94,7 +94,7 @@ void *garbage_collector(void *arg) {
 while (is_gc_active) {
 sleep(1);
- pthread_mutex_lock(&temp_permissions_table_lock);
+ pthread_rwlock_wrlock(&temp_permissions_table_lock);
 vec(pid_t) blacklist;
 init(&blacklist);
@@ -113,7 +113,7 @@ void *garbage_collector(void *arg) {
 cleanup(&blacklist);
- pthread_mutex_unlock(&temp_permissions_table_lock);
+ pthread_rwlock_unlock(&temp_permissions_table_lock);
 }
 return NULL;
@@ -125,7 +125,6 @@ void *garbage_collector(void *arg) {
 * @return: 0 on success, -1 on failure (e.g. ENOMEM)
 */
 int init_temp_permissions_table(void) {
- pthread_mutex_init(&temp_permissions_table_lock, PTHREAD_MUTEX_DEFAULT);
 init(&temp_permissions_table);
 return 0;
 }
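Review bot: With `PTHREAD_RWLOCK_INITIALIZER` the lock gets the platform's default kind, which on glibc prefers readers, so the `pthread_rwlock_wrlock` calls in `garbage_collector()` and `set_temp_access()` can wait indefinitely while access checks keep taking read locks. For an access-control table that means a newly recorded DENY, or the removal of a stale entry, may be applied late under load. If the target is glibc, `pthread_rwlock_t temp_permissions_table_lock = PTHREAD_RWLOCK_WRITER_NONRECURSIVE_INITIALIZER_NP;` avoids this, provided no thread takes the read lock recursively. Otherwise a comment on the declaration should record that reader preference is accepted.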
@@ -166,27 +165,26 @@ void destroy_temp_permissions_table(void) {
 }
 cleanup(&temp_permissions_table);
- pthread_mutex_destroy(&temp_permissions_table_lock);
 }
 /**
 * Checks if the process has a temporary access to the file.
 *
 * @param filename: The file that the process is trying to access
- * @pram pid: PID of the process
+ * @param pid: PID of the process
 * @return: access status - ALLOW, DENY or NDEF in case if no information was
 * found is avaliable
 */
 access_t check_temp_access_noparent(const char *filename, pid_t pid) {
 // TODO: more efficient locking
- pthread_mutex_lock(&temp_permissions_table_lock);
+ pthread_rwlock_rdlock(&temp_permissions_table_lock);
 struct temp_process_permissions *permission_entry = get(&temp_permissions_table, pid);
 if (permission_entry != NULL) {
 unsigned long long process_creation_time = get_process_creation_time(pid);
 if (process_creation_time == 0) {
 perror("Could not retrieve process creation time");
- pthread_mutex_unlock(&temp_permissions_table_lock);
+ pthread_rwlock_unlock(&temp_permissions_table_lock);
 return NDEF;
 }
@@ -200,7 +198,7 @@ access_t check_temp_access_noparent(const char *filename, pid_t pid) {
 ((denied_file_len < filename_len && (*denied_file)[denied_file_len - 1] == '/') || (denied_file_len == filename_len))) {
- pthread_mutex_unlock(&temp_permissions_table_lock);
+ pthread_rwlock_unlock(&temp_permissions_table_lock);
 return DENY;
 }
 }
@@ -210,13 +208,13 @@ access_t check_temp_access_noparent(const char *filename, pid_t pid) {
 ((allowed_file_len < filename_len && (*allowed_file)[allowed_file_len - 1] == '/') || (allowed_file_len == filename_len))) {
- pthread_mutex_unlock(&temp_permissions_table_lock);
+ pthread_rwlock_unlock(&temp_permissions_table_lock);
 return ALLOW;
 }
 }
 }
 }
- pthread_mutex_unlock(&temp_permissions_table_lock);
+ pthread_rwlock_unlock(&temp_permissions_table_lock);
 return NDEF;
 }
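Review bot: The result of `pthread_rwlock_rdlock(&temp_permissions_table_lock)` in `check_temp_access_noparent()` is ignored, and a read lock can fail (POSIX allows EAGAIN when the read-lock count is exhausted); the function would then walk the table unlocked and later unlock a lock it does not hold. This is the access decision path, so it should fail closed: `if (pthread_rwlock_rdlock(&temp_permissions_table_lock) != 0) return NDEF;`, assuming callers treat NDEF as "no grant found". The `// TODO: more efficient locking` comment just above is also worth rewording now that readers no longer serialise against each other.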
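Review bot: `(*denied_file)[denied_file_len - 1]` is evaluated whenever `denied_file_len < filename_len`, so a stored entry of length zero would be indexed one element before its start; the same expression appears for `allowed_file` in the following hunk. The beginning of the condition lies outside the hunk, so an earlier clause may already exclude this case, but nothing visible in `set_temp_access()` rejects an empty `filename` before it is copied into the list. Putting `denied_file_len > 0 &&` (and `allowed_file_len > 0 &&`) in front of the index keeps the directory-prefix test in bounds whatever was stored.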
@@ -225,7 +223,7 @@ access_t check_temp_access_noparent(const char *filename, pid_t pid) {
 * file.
 *
 * @param filename: The file that the process is trying to access
- * @pram pi: The process information
+ * @param pi: The process information
 * @return: access status - ALLOW, DENY or NDEF in case if no information was
 * found. Does not return ALLOW_TEMP.
 * @note: In case one of the parent processes is killed while this function
@@ -256,7 +254,7 @@ access_t check_temp_access(const char *filename, struct process_info pi) {
 */
 int set_temp_access(const char *filename, struct process_info pi,
 set_mode_t mode) {
- pthread_mutex_lock(&temp_permissions_table_lock);
+ pthread_rwlock_wrlock(&temp_permissions_table_lock);
 struct temp_process_permissions *permission_entry = get(&temp_permissions_table, pi.PID);
@@ -266,7 +264,7 @@ int set_temp_access(const char *filename, struct process_info pi,
 get_process_creation_time(pi.PID);
 if (process_creation_time == 0) {
 perror("Could not retrieve process creation time");
- pthread_mutex_unlock(&temp_permissions_table_lock);
+ pthread_rwlock_unlock(&temp_permissions_table_lock);
 return -1;
 }
@@ -280,7 +278,7 @@ int set_temp_access(const char *filename, struct process_info pi,
 push(&permission_entry->denied_files, strdup(filename));
 }
- pthread_mutex_unlock(&temp_permissions_table_lock);
+ pthread_rwlock_unlock(&temp_permissions_table_lock);
 return 0;
 }
 // we have an entry for the process, but the process is different
@@ -305,6 +303,6 @@ int set_temp_access(const char *filename, struct process_info pi,
 insert(&temp_permissions_table, pi.PID, new_permission_entry);
- pthread_mutex_unlock(&temp_permissions_table_lock);
+ pthread_rwlock_unlock(&temp_permissions_table_lock);
 return 0;
 }
diff --git a/src/temp_permissions_table.h b/src/temp_permissions_table.h
index b460871..98fd078 100644
--- a/src/temp_permissions_table.h
+++ b/src/temp_permissions_table.h
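Review bot: `push(&permission_entry->denied_files, strdup(filename));` stores the `strdup` result unchecked, so on allocation failure a NULL entry goes into the list that `check_temp_access_noparent()` later dereferences as a string (how `push` treats NULL is not visible here). Check the copy before pushing and fail the call while releasing the lock, e.g. `char *copy = strdup(filename); if (copy == NULL) { pthread_rwlock_unlock(&temp_permissions_table_lock); return -1; }`. The branch this line sits in starts before the hunk; if the matching push into `allowed_files` has the same shape, it needs the same check.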
@@ -41,7 +41,7 @@ void destroy_temp_permissions_table(void);
 * file.
 *
 * @param filename: The file that the process is trying to access
- * @pram pi: The process information
+ * @param pi: The process information
 * @return: access status - ALLOW, DENY or NDEF in case if no information was
 * found. Does not return ALLOW_TEMP.
 * @note: In case one of the parent processes is killed while this function
diff --git a/src/ui-socket.c b/src/ui-socket.c
index fbc4066..fa64374 100644
--- a/src/ui-socket.c
+++ b/src/ui-socket.c
@@ -158,7 +158,7 @@ struct dialogue_response ask_access(const char *filename,
 * 3. user descision
 *
 * @param filename: The file that the process is trying to access
- * @pram pi: The process information
+ * @param pi: The process information
 * @param opts: options (GRANT_TEMP, GRANT_PERM)
 * @return: 0 if access is denied, 1 if access is allowed
 */
diff --git a/src/ui-socket.h b/src/ui-socket.h
index 5aa7a4f..8537440 100644
--- a/src/ui-socket.h
+++ b/src/ui-socket.h
@@ -35,7 +35,7 @@ void destroy_ui_socket(void);
 * 3. user descision
 *
 * @param filename: The file that the process is trying to access
- * @pram pi: The process information
+ * @param pi: The process information
 * @param opts: options (GRANT_TEMP, GRANT_PERM)
 * @return: 0 if access is denied, 1 if access is allowed
 */