Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
sudo-project
GitHub Repository: sudo-project/sudo
 Path: blob/main/plugins/python/python_plugin_policy.c
1532 views
1
/*

2
 * SPDX-License-Identifier: ISC

3
 *

4
 * Copyright (c) 2019-2020 Robert Manner <[email protected]>

5
 *

6
 * Permission to use, copy, modify, and distribute this software for any

7
 * purpose with or without fee is hereby granted, provided that the above

8
 * copyright notice and this permission notice appear in all copies.

9
 *

10
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

11
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

12
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

13
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

14
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

15
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

16
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

17
 */

18


19
#include "python_plugin_common.h"

20


21


22
static struct PluginContext plugin_ctx;

23


24
extern struct policy_plugin python_policy;

25


26
#define PY_POLICY_PLUGIN_VERSION SUDO_API_MKVERSION(1, 0)

27


28
#define CALLBACK_PLUGINFUNC(func_name) python_policy.func_name

29
#define CALLBACK_CFUNC(func_name) python_plugin_policy_ ## func_name

30


31
// This also verifies compile time that the name matches the sudo plugin API.

32
#define CALLBACK_PYNAME(func_name) ((void)CALLBACK_PLUGINFUNC(func_name), #func_name)

33


34
#define MARK_CALLBACK_OPTIONAL(function_name) \

35
    do { \

36
        python_plugin_mark_callback_optional(&plugin_ctx, CALLBACK_PYNAME(function_name), \

37
            (void **)&CALLBACK_PLUGINFUNC(function_name)); \

38
    } while(0)

39


40


41
static int

42
python_plugin_policy_open(unsigned int version, sudo_conv_t conversation,

43
    sudo_printf_t sudo_printf, char * const settings[],

44
    char * const user_info[], char * const user_env[],

45
    char * const plugin_options[], const char **errstr)

46
{

47
    debug_decl(python_plugin_policy_open, PYTHON_DEBUG_CALLBACKS);

48


49
    if (version < SUDO_API_MKVERSION(1, 2)) {

50
        sudo_printf(SUDO_CONV_ERROR_MSG,

51
                    "Error: Python policy plugin requires at least plugin API version 1.2\n");

52
        debug_return_int(SUDO_RC_ERROR);

53
    }

54


55
    int rc = python_plugin_register_logging(conversation, sudo_printf, settings);

56
    if (rc != SUDO_RC_OK)

57
        debug_return_int(rc);

58


59
    rc = python_plugin_init(&plugin_ctx, plugin_options, version);

60
    if (rc != SUDO_RC_OK)

61
        debug_return_int(rc);

62


63
    rc = python_plugin_construct(&plugin_ctx, PY_POLICY_PLUGIN_VERSION, settings,

64
                                 user_info, user_env, plugin_options);

65
    CALLBACK_SET_ERROR(&plugin_ctx, errstr);

66
    if (rc != SUDO_RC_OK) {

67
        debug_return_int(rc);

68
    }

69


70
    // skip plugin callbacks which are not mandatory

71
    MARK_CALLBACK_OPTIONAL(list);

72
    MARK_CALLBACK_OPTIONAL(validate);

73
    MARK_CALLBACK_OPTIONAL(invalidate);

74
    MARK_CALLBACK_OPTIONAL(init_session);

75
    // check_policy, open and close are mandatory

76


77
    debug_return_int(rc);

78
}

79


80
static void

81
python_plugin_policy_close(int exit_status, int error)

82
{

83
    debug_decl(python_plugin_policy_close, PYTHON_DEBUG_CALLBACKS);

84
    python_plugin_close(&plugin_ctx, CALLBACK_PYNAME(close),

85
                        Py_BuildValue("(ii)", error == 0 ? exit_status : -1, error));

86
    debug_return;

87
}

88


89
static int 

90
python_plugin_policy_check(int argc, char * const argv[],

91
    char *env_add[], char **command_info_out[],

92
    char **argv_out[], char **user_env_out[], const char **errstr)

93
{

94
    debug_decl(python_plugin_policy_check, PYTHON_DEBUG_CALLBACKS);

95
    int rc = SUDO_RC_ERROR;

96


97
    PyThreadState_Swap(plugin_ctx.py_interpreter);

98


99
    *command_info_out = *argv_out = *user_env_out = NULL;

100


101
    PyObject *py_argv = py_str_array_to_tuple_with_count(argc, argv);

102


103
    PyObject *py_env_add = py_str_array_to_tuple(env_add);

104
    PyObject *py_result = NULL;

105


106
    if (py_argv == NULL || py_env_add == NULL) {

107
        sudo_debug_printf(SUDO_DEBUG_ERROR, "Failed to create some of the arguments for the python call "

108
                                           "(py_argv=%p py_env_add=%p)\n", (void *)py_argv, (void *)py_env_add);

109
        goto cleanup;

110
    }

111


112
    py_result = python_plugin_api_call(&plugin_ctx, CALLBACK_PYNAME(check_policy),

113
                                      Py_BuildValue("(OO)", py_argv, py_env_add));

114
    CALLBACK_SET_ERROR(&plugin_ctx, errstr);

115
    if (py_result == NULL)

116
        goto cleanup;

117


118
    PyObject *py_rc = NULL,

119
             *py_command_info_out = NULL,

120
             *py_argv_out = NULL,

121
             *py_user_env_out = NULL;

122
    if (PyTuple_Check(py_result))

123
    {

124
        if (!PyArg_ParseTuple(py_result, "O!|O!O!O!:python_plugin.check_policy",

125
                              &PyLong_Type, &py_rc,

126
                              &PyTuple_Type, &py_command_info_out,

127
                              &PyTuple_Type, &py_argv_out,

128
                              &PyTuple_Type, &py_user_env_out))

129
        {

130
            goto cleanup;

131
        }

132
    } else {

133
        py_rc = py_result;

134
    }

135


136
    if (py_command_info_out != NULL)

137
        *command_info_out = py_str_array_from_tuple(py_command_info_out);

138


139
    if (py_argv_out != NULL)

140
        *argv_out = py_str_array_from_tuple(py_argv_out);

141


142
    if (py_user_env_out != NULL)

143
        *user_env_out = py_str_array_from_tuple(py_user_env_out);

144


145
    rc = python_plugin_rc_to_int(py_rc);

146


147
cleanup:

148
    if (PyErr_Occurred()) {

149
        py_log_last_error(NULL);

150
        rc = SUDO_RC_ERROR;

151
        free(*command_info_out);

152
        free(*argv_out);

153
        free(*user_env_out);

154
        *command_info_out = *argv_out = *user_env_out = NULL;

155
    }

156


157
    Py_XDECREF(py_argv);

158
    Py_XDECREF(py_env_add);

159
    Py_XDECREF(py_result);

160


161
    if (rc == SUDO_RC_ACCEPT)

162
        plugin_ctx.call_close = 1;

163


164
    debug_return_int(rc);

165
}

166


167
static int

168
python_plugin_policy_list(int argc, char * const argv[], int verbose, const char *list_user, const char **errstr)

169
{

170
    debug_decl(python_plugin_policy_list, PYTHON_DEBUG_CALLBACKS);

171


172
    PyThreadState_Swap(plugin_ctx.py_interpreter);

173


174
    PyObject *py_argv = py_str_array_to_tuple_with_count(argc, argv);

175
    if (py_argv == NULL) {

176
        sudo_debug_printf(SUDO_DEBUG_ERROR, "%s: Failed to create argv argument for the python call\n", __func__);

177
        debug_return_int(SUDO_RC_ERROR);

178
    }

179


180
    int rc = python_plugin_api_rc_call(&plugin_ctx, CALLBACK_PYNAME(list),

181
        Py_BuildValue("(Oiz)", py_argv, verbose, list_user));

182


183
    Py_XDECREF(py_argv);

184


185
    CALLBACK_SET_ERROR(&plugin_ctx, errstr);

186
    debug_return_int(rc);

187
}

188


189
static int

190
python_plugin_policy_version(int verbose)

191
{

192
    debug_decl(python_plugin_policy_version, PYTHON_DEBUG_CALLBACKS);

193


194
    PyThreadState_Swap(plugin_ctx.py_interpreter);

195


196
    debug_return_int(python_plugin_show_version(&plugin_ctx, CALLBACK_PYNAME(show_version),

197
                                                verbose, PY_POLICY_PLUGIN_VERSION, "policy"));

198
}

199


200
static int

201
python_plugin_policy_validate(const char **errstr)

202
{

203
    debug_decl(python_plugin_policy_validate, PYTHON_DEBUG_CALLBACKS);

204
    PyThreadState_Swap(plugin_ctx.py_interpreter);

205
    int rc = python_plugin_api_rc_call(&plugin_ctx, CALLBACK_PYNAME(validate), NULL);

206
    CALLBACK_SET_ERROR(&plugin_ctx, errstr);

207
    debug_return_int(rc);

208
}

209


210
static void

211
python_plugin_policy_invalidate(int unlinkit)

212
{

213
    debug_decl(python_plugin_policy_invalidate, PYTHON_DEBUG_CALLBACKS);

214
    PyThreadState_Swap(plugin_ctx.py_interpreter);

215
    python_plugin_api_rc_call(&plugin_ctx, CALLBACK_PYNAME(invalidate),

216
                              Py_BuildValue("(i)", unlinkit));

217
    debug_return;

218
}

219


220
static int

221
python_plugin_policy_init_session(struct passwd *pwd, char **user_env[], const char **errstr)

222
{

223
    debug_decl(python_plugin_policy_init_session, PYTHON_DEBUG_CALLBACKS);

224
    int rc = SUDO_RC_ERROR;

225
    PyThreadState_Swap(plugin_ctx.py_interpreter);

226
    PyObject *py_pwd = NULL, *py_user_env = NULL, *py_result = NULL;

227


228
    py_pwd = py_from_passwd(pwd);

229
    if (py_pwd == NULL)

230
        goto cleanup;

231


232
    py_user_env = py_str_array_to_tuple(*user_env);

233
    if (py_user_env == NULL)

234
        goto cleanup;

235


236
    py_result = python_plugin_api_call(&plugin_ctx, CALLBACK_PYNAME(init_session),

237
        Py_BuildValue("(OO)", py_pwd, py_user_env));

238
    CALLBACK_SET_ERROR(&plugin_ctx, errstr);

239
    if (py_result == NULL)

240
        goto cleanup;

241


242
    PyObject *py_user_env_out = NULL, *py_rc = NULL;

243
    if (PyTuple_Check(py_result)) {

244
        if (!PyArg_ParseTuple(py_result, "O!|O!:python_plugin.init_session",

245
                         &PyLong_Type, &py_rc,

246
                         &PyTuple_Type, &py_user_env_out)) {

247
            goto cleanup;

248
        }

249
    } else {

250
        py_rc = py_result;

251
    }

252


253
    if (py_user_env_out != NULL) {

254
        str_array_free(user_env);

255
        *user_env = py_str_array_from_tuple(py_user_env_out);

256
        if (*user_env == NULL)

257
            goto cleanup;

258
    }

259


260
    rc = python_plugin_rc_to_int(py_rc);

261


262
cleanup:

263
    Py_XDECREF(py_pwd);

264
    Py_XDECREF(py_user_env);

265
    Py_XDECREF(py_result);

266


267
    debug_return_int(rc);

268
}

269


270
sudo_dso_public struct policy_plugin python_policy = {

271
    SUDO_POLICY_PLUGIN,

272
    SUDO_API_VERSION,

273
    CALLBACK_CFUNC(open),

274
    CALLBACK_CFUNC(close),

275
    CALLBACK_CFUNC(version),

276
    CALLBACK_CFUNC(check),

277
    CALLBACK_CFUNC(list),

278
    CALLBACK_CFUNC(validate),

279
    CALLBACK_CFUNC(invalidate),

280
    CALLBACK_CFUNC(init_session),

281
    NULL, /* register_hooks */

282
    NULL, /* deregister_hooks */

283
    NULL  /* event_alloc */

284
};

285


286