177 lines
4.5 KiB
C
177 lines
4.5 KiB
C
/*
|
|
ICFS: Interactively Controlled File System
|
|
Copyright (C) 2024-2025 Fedir Kovalov
|
|
|
|
This program can be distributed under the terms of the GNU GPLv2.
|
|
See the file LICENSE.
|
|
*/
|
|
|
|
#include "access_t.h"
|
|
#include <stddef.h>
|
|
#include <sys/types.h>
|
|
#include <time.h>
|
|
#define _GNU_SOURCE
|
|
#include "perm_permissions_table.h"
|
|
#include "temp_permissions_table.h"
|
|
#include "ui-socket.h"
|
|
#include <pthread.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/un.h>
|
|
#include <unistd.h>
|
|
|
|
#define ZENITY_TEMP_ALLOW_MESSAGE "Allow this time\n"
|
|
|
|
int init_ui_socket(const char *perm_permissions_db_filename) {
|
|
FILE *fp = NULL;
|
|
|
|
if (init_temp_permissions_table()) {
|
|
fprintf(stderr, "Could not initialize temporary permissions table.\n");
|
|
return 1;
|
|
}
|
|
|
|
if (init_perm_permissions_table(perm_permissions_db_filename)) {
|
|
fprintf(stderr, "Could not initialize permanent permissions table.\n");
|
|
return 1;
|
|
}
|
|
|
|
// Test if Zenity is installed (get version)
|
|
fp = popen("zenity --version", "r");
|
|
if (fp == NULL) {
|
|
perror("Pipe returned an error");
|
|
return 1;
|
|
}
|
|
|
|
pclose(fp);
|
|
return 0;
|
|
}
|
|
|
|
void destroy_ui_socket(void) {
|
|
destroy_temp_permissions_table();
|
|
destroy_perm_permissions_table();
|
|
}
|
|
|
|
/**
|
|
* Asks the user if the process should be allowed to access the file using the
|
|
* GUI
|
|
*
|
|
* @param filename: The file that the process is trying to access
|
|
* @param pi: The process information
|
|
* @return: access status - ALLOW, DENY or ALLOW_TEMP
|
|
* allowed for the runtime of the process
|
|
*/
|
|
access_t ask_access(const char *filename, struct process_info proc_info) {
|
|
FILE *fp = NULL;
|
|
char *command = NULL;
|
|
int ret =
|
|
asprintf(&command,
|
|
"zenity --question --extra-button \"Allow this time\" --title "
|
|
"\"Allow Access?\" --text \"Allow process "
|
|
"<tt>%s</tt> with PID <tt>%d</tt> to access <tt>%s</tt>\"",
|
|
proc_info.name, proc_info.PID, filename);
|
|
|
|
if (ret < 0) {
|
|
// If asprintf fails, the contents of command are undefined (see man
|
|
// asprintf). That does not explicitly rule out that command will be a valid
|
|
// pointer. But the risk of freeing a non-allocated pointer is too much to
|
|
// justify preparing for this.
|
|
fprintf(stderr, "Could not create query on rule insertion");
|
|
perror("");
|
|
return 1;
|
|
}
|
|
|
|
// Zenity Question Message Popup
|
|
fp = popen(command, "r");
|
|
free(command);
|
|
|
|
if (fp == NULL) {
|
|
perror("Pipe returned a error");
|
|
return DENY;
|
|
}
|
|
|
|
// if the user clicks the "Allow this time" button, `zenity` will only
|
|
// write it to `stdout`, but the exit code will still be `1`. So, we need
|
|
// to manually check the output.
|
|
char buffer[sizeof(ZENITY_TEMP_ALLOW_MESSAGE) + 1];
|
|
while (fgets(buffer, sizeof(buffer), fp)) {
|
|
printf("%s", buffer);
|
|
if (strcmp(buffer, ZENITY_TEMP_ALLOW_MESSAGE) == 0) {
|
|
pclose(fp);
|
|
return ALLOW_TEMP;
|
|
}
|
|
}
|
|
|
|
int zenity_exit_code = WEXITSTATUS(pclose(fp));
|
|
fprintf(stderr, "zenity returned %d\n", zenity_exit_code);
|
|
// zenity returns 1 on "No" >:(
|
|
if (zenity_exit_code == 0) {
|
|
return ALLOW;
|
|
}
|
|
|
|
return DENY;
|
|
}
|
|
|
|
/**
|
|
* Check access according to:
|
|
* 1. temp permission table
|
|
* 2. permanent permission table
|
|
* 3. user descision
|
|
*
|
|
* @param filename: The file that the process is trying to access
|
|
* @pram pi: The process information
|
|
* @param opts: options (GRANT_TEMP, GRANT_PERM)
|
|
* @return: 0 if access is denied, 1 if access is allowed
|
|
*/
|
|
int interactive_access(const char *filename, struct process_info proc_info,
|
|
int opts) {
|
|
|
|
access_t access = check_temp_access(filename, proc_info);
|
|
if (access == ALLOW) {
|
|
return 1;
|
|
}
|
|
if (access == DENY) {
|
|
return 0;
|
|
}
|
|
|
|
access = check_perm_access(filename, proc_info);
|
|
if (access == ALLOW) {
|
|
return 1;
|
|
}
|
|
if (access == DENY) {
|
|
return 0;
|
|
}
|
|
|
|
// if noth GRANT_TEMP and GRANT_PERM are selected, then only permanent
|
|
// permissions are granted
|
|
|
|
if (opts & GRANT_PERM) {
|
|
give_perm_access(filename, proc_info);
|
|
return 1;
|
|
}
|
|
if (opts & GRANT_TEMP) {
|
|
set_temp_access(filename, proc_info, SET_ALLOW);
|
|
return 1;
|
|
}
|
|
|
|
access_t user_response = ask_access(filename, proc_info);
|
|
if (user_response == ALLOW) {
|
|
give_perm_access(filename, proc_info);
|
|
return 1;
|
|
}
|
|
|
|
if (user_response == ALLOW_TEMP) {
|
|
set_temp_access(filename, proc_info, SET_ALLOW);
|
|
return 1;
|
|
}
|
|
|
|
if (user_response == DENY) {
|
|
set_temp_access(filename, proc_info, SET_DENY);
|
|
return 0;
|
|
}
|
|
|
|
// deny on unknown options.
|
|
return 0;
|
|
}
|