#ifndef SECURITYMANAGER_H
#define SECURITYMANAGER_H
#include "RemoteRunner.h"
#include "DBusConnection.h"
#include <QObject>
#include <QSettings>
#include <QDir>
#include <QFileSystemWatcher>
class QWidget;
/**
 * The isolation-manager is the biggest part of the
 * server. It is the listener and it drops root privileges
 * before even loading Qt.
 *
 * This class uses DBus to listen to any requests and after
 * processing them sends data via the pipes to the second
 * part of the server (largely in main.cpp and Runner).
 *
 * NOTE(review): the privilege drop described above is not declared in
 * this header. Verify where it happens, that its result is checked, and
 * that it completes before the DBus listener starts accepting requests.
 */
class IsolationManager : public QObject
{
    Q_OBJECT
public:
    // NOTE(review): inputId/outputId are presumably the pipe descriptors
    // shared with the runner process (the class comment mentions pipes) -
    // confirm against main.cpp.
    explicit IsolationManager(int inputId, int outputId);

    // Per-application record: identity, executable path, permission lists
    // and jail options for one hosted application.
    struct AppEntry {
        // presumably -1 marks an entry that has no id assigned yet - confirm
        int appId = -1;
        QString profileName;
        QString pathToExe;
        QStringList denied;
        QStringList allowed;
        // NOTE(review): the name suggests a script executed when the jail
        // starts; confirm who may write this value and with which
        // privileges the script runs.
        QString initScript;
        // NOTE(review): the secret is held as a plain QString and travels
        // with every AppEntry copy (AutoDeleter and DelayedApp in this
        // header each store an AppEntry by value). QString does not wipe
        // its buffer when released, so the value can linger in memory.
        QString jailPassword;
        QString vpnConf; // the ovpn file-path
        // NOTE(review): the referenced file holds credentials; checking its
        // owner and mode before use is not visible from this header.
        QString vpnAc; // the access credentials file-path
        bool autoDelete = false;

        // defaults as read from the rules file
        QMap<QString, bool> defaults;

        // Answers whether the permission named by tag is granted.
        // NOTE(review): precedence between denied, allowed and defaults is
        // decided in the implementation. For a sandbox, deny should win and
        // an unknown tag should resolve to "not allowed" - confirm.
        bool isAllowed(const QString &tag) const;
        // set the list of denied permissions, filtering out only the known types
        // NOTE(review): the wording is ambiguous; presumably entries that
        // fail isKnownPermission() are dropped rather than stored - confirm.
        void setDenied(const QStringList &entries);
        // set the list of allowed permissions, filtering out only the known types
        // NOTE(review): same ambiguity as setDenied(); confirm that unknown
        // entries can never end up in the allowed list.
        void setAllowed(const QStringList &entries);

        // Tells whether perm names a permission type this code recognises;
        // the set of recognised names lives in the implementation.
        bool isKnownPermission(const QString &perm) const;
    };

    // Requests the start of the application described by dbEntry with the
    // given arguments. dbEntry is taken by non-const reference, so the call
    // may modify it. The meaning of the returned QString is not visible
    // here - presumably an error or status text; confirm.
    QString startApplicationRequest(AppEntry &dbEntry, const QStringList &arguments);

    // Selects whether a lookup may create a missing record (MaybeCreate) or
    // must only return records that already exist (OnlyExisting), going by
    // the enumerator names.
    enum LookupBehavior {
        OnlyExisting,
        MaybeCreate
    };
    // Finds the AppEntry for the executable at path.
    // NOTE(review): if path originates from a DBus request it is
    // caller-controlled; confirm it is canonicalised before it is matched
    // against stored profiles or used to create one.
    AppEntry lookupApp(const QString &path, LookupBehavior behavior);
    // Opens the settings for profileName for editing; the caller owns the
    // returned QSettings.
    // NOTE(review): std::unique_ptr is declared in <memory>, which this
    // header does not include directly - presumably it arrives
    // transitively; consider including it explicitly.
    std::unique_ptr<QSettings> startEditApp(const QString &profileName, LookupBehavior behavior);

    // Summary of one stored profile as returned by listProfiles().
    struct ProfileInfo {
        int jailId = 0;
        QString name;
        QString exe;
        QDateTime lastRun;
        bool active = false;
    };

    // list profiles and known apps we have hosted in the past.
    QList<ProfileInfo> listProfiles() const;

    // Path helpers. stateFile(), pipeFilePath() and jailDir() are keyed by
    // jail id; the directory layout itself is defined in the implementation.
    QDir dbDir() const;
    QString stateFile(int jailId) const;
    QString pipeFilePath(int jailId) const;
    QString jailDir(int jailId) const;

    // Accessors for the directory that rule files are read from.
    // NOTE(review): rule files feed applyRules() and so decide what a jail
    // may do; confirm the directory is not writable by jailed applications.
    QString rulesDir() const;
    void setRulesDir(const QString &dir);

private slots:
    // Receives raw bytes sent by the runner side.
    // NOTE(review): decoding and length checks are not visible here;
    // confirm malformed input is rejected rather than partially applied.
    void receivedMessageFromRunner(const QByteArray &data);

private:
    // Applies the rules found in ruleFile. Both context and message are
    // non-const references, so either may be modified by the call.
    void applyRules(AppEntry &context, Message &message, const QString &ruleFile) const;
    // Returns path with variables expanded using values from context; the
    // supported variable names are defined in the implementation.
    QString expandVars(const AppEntry &context, const QString &path) const;

    RemoteRunner m_runner;
    DBusConnection m_listener;

    QString m_rulesDir;
    QString m_basedir;
    QString m_dbdir;
    // presumably the id handed to the next jail that gets created - confirm
    int m_nextJailId = 0;
};
/**
 * Helper object bound to one AppEntry and its IsolationManager.
 *
 * Going by the names, it watches for the jail to close (via a
 * QFileSystemWatcher) and then removes it; the actual behaviour lives in
 * the implementation - confirm there.
 *
 * NOTE(review): if the cleanup removes the jail directory recursively,
 * confirm it stays inside that directory and does not follow symlinks.
 */
class AutoDeleter : public QObject
{
    Q_OBJECT
public:
    // Takes its own copy of appEntry. parent is stored as a raw, non-owning
    // pointer; presumably it is also the QObject parent - confirm.
    explicit AutoDeleter(IsolationManager::AppEntry appEntry, IsolationManager *parent);

private slots:
    void startMonitor();
    // presumably connected to a change signal of m_watcher, which delivers
    // the watched path as a QString - confirm
    void jailClosed(const QString &pipeFile);

private:
    // Non-owning; assumes the manager outlives this object.
    const IsolationManager *m_parent;
    // Immutable copy of the entry. It includes the jailPassword field, which
    // the cleanup presumably does not need.
    const IsolationManager::AppEntry m_jail;
    // presumably counts attempts so far - confirm
    int m_try = 0;
    QFileSystemWatcher m_watcher;
};
/**
 * Holds an application start request (entry plus arguments) together with
 * a window pointer and password-related slots.
 *
 * Going by the names, the start is deferred until the user has entered the
 * jail password or cancelled; the flow itself lives in the implementation.
 *
 * NOTE(review): how the entered text is checked against
 * AppEntry::jailPassword is not visible here. Confirm that the check does
 * not depend on a stored plaintext value and that repeated wrong entries
 * are limited.
 */
class DelayedApp : public QObject
{
    Q_OBJECT
public:
    // Takes its own copy of appEntry and of arguments. parent is stored as
    // a raw, non-owning pointer.
    explicit DelayedApp(IsolationManager::AppEntry appEntry, const QStringList &arguments, IsolationManager *parent);

    // presumably shows the password prompt (see m_win) - confirm
    void askPassword();

private slots:
    void cancelPressed();
    // Receives the text the user typed.
    // NOTE(review): text is the candidate secret; confirm it is neither
    // logged nor kept longer than the check needs.
    void passwordEntered(const QString &text);

private:
    // Non-owning; assumes the manager outlives this object.
    IsolationManager *m_parent;
    // Mutable copy of the entry, including its jailPassword field.
    IsolationManager::AppEntry m_jail;
    const QStringList m_arguments;

    // Prompt window; null until one exists. Ownership and deletion are not
    // visible from this header.
    QWidget *m_win = nullptr;
};
#endif