From c5a99933202c91630edc2ddd97e0e964b27540d6 Mon Sep 17 00:00:00 2001 From: Sebastien Braun Date: Wed, 6 Oct 2010 17:56:59 +0200 Subject: Sanitize security model yet again The flags model was not satisfactory since it made it unnecessarily difficult to express the standard policy of "allow all to users that are physically sitting in front of the machine and to privileged users". The new model expressly knows different policies (two at the moment) and refrains from decomposing them. Additional policies are not difficult to add. --- src/input/CMakeLists.txt | 2 +- src/input/inputEventHandler.h | 58 +++++++++++++++++++++++++++++++------------ src/input/inputHandlerChain.h | 10 ++++---- 3 files changed, 48 insertions(+), 22 deletions(-) (limited to 'src/input') diff --git a/src/input/CMakeLists.txt b/src/input/CMakeLists.txt index 398ca55..0e72c4c 100644 --- a/src/input/CMakeLists.txt +++ b/src/input/CMakeLists.txt @@ -2,7 +2,6 @@ include(${QT_USE_FILE}) set(pvsinput_SRCS inputEvent.cpp - inputEventHandler.cpp ) if(UNIX) @@ -23,6 +22,7 @@ if(UNIX) rebootSystemHandler.cpp killX11Handler.cpp sayHelloHandler.cpp + inputEventHandler.cpp ) set(pvsprivinputd_MOC_HDRS diff --git a/src/input/inputEventHandler.h b/src/input/inputEventHandler.h index 44713c2..52e3338 100644 --- a/src/input/inputEventHandler.h +++ b/src/input/inputEventHandler.h @@ -18,6 +18,7 @@ #define INPUTEVENTHANDLER_H_ #include +#include #include #include #include 
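Review bot: `inputEventHandler.cpp` leaves `pvsinput_SRCS` and is added only to the UNIX-only pvsprivinputd source list, so if it holds the definitions of `allowPhysicalSeat` and `allowPrivilegedUser` declared in inputEventHandler.h (likely from the file name, not visible here), only the privileged daemon links them while the unprivileged build still compiles the header that declares them. That is acceptable as long as no pvsinput handler instantiates `SecurityAllowPhysicalOrPrivileged`, and a link error rather than a silent allow is the right failure mode, but the dependency is invisible from the CMake file. A one-line comment next to the added entry would keep it from being moved back: `# inputEventHandler.cpp defines the seat/privilege checks; privileged daemon only`.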
@@ -97,26 +98,33 @@ public: namespace policy { enum SecurityFlags { - SEC_PHYSICAL_SEAT = 1, - SEC_PRIVILEGED_USER = 2 + SEC_FREE_FOR_ALL, + SEC_PHYSICAL_OR_PRIVILEGED }; bool allowPhysicalSeat(InputEvent const& evt, InputEventContext const* ctx); bool allowPrivilegedUser(InputEvent const& evt, InputEventContext const* ctx); -template -struct Security +struct SecurityAllowAny { bool allow(InputEvent const& evt, InputEventContext const* ctx) { - if((flags & SEC_PHYSICAL_SEAT) && !allowPhysicalSeat(evt, ctx)) - return false; - if((flags & SEC_PRIVILEGED_USER) && !allowPrivilegedUser(evt, ctx)) - return false; return true; } }; +struct SecurityAllowPhysicalOrPrivileged +{ + bool allow(InputEvent const& evt, InputEventContext const* ctx) + { + if(allowPhysicalSeat(evt, ctx)) + return true; + else if(allowPrivilegedUser(evt, ctx)) + return true; + return false; + } +}; + struct UnixLike; struct Linux; struct Windows; @@ -154,6 +162,8 @@ public: bool handle(InputEvent const& evt, InputEventContext const* context = 0) { if(!securityPolicy.allow(evt, context)) { + std::string evtStr = evt.toString(); + qWarning("Input Event %s has been denied by security policy", evtStr.c_str()); return true; } if(delegate.matches(evt, context)) { @@ -196,19 +206,32 @@ public: } }; -template > +template struct Handler : public HandlerHelper { }; -template +template +struct ApplyDefaultSecurityPolicy +{ + typedef HandlerType type; +}; + +template +struct ApplyDefaultSecurityPolicy > +{ + typedef Handler type; +}; + +template struct InputEventHandlerChainHelper { private: typedef typename boost::mpl::next::type next_iterator_type; - typedef InputEventHandlerChainHelper next_in_chain; + typedef InputEventHandlerChainHelper next_in_chain; - typedef typename boost::mpl::deref::type handler_type; + typedef typename boost::mpl::deref::type handler_entry_type; + typedef typename ApplyDefaultSecurityPolicy::type handler_type; handler_type _handler; next_in_chain _next; 
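Review bot: `SecurityAllowPhysicalOrPrivileged::allow` forwards `ctx` unchecked to `allowPhysicalSeat` and `allowPrivilegedUser`, yet `handle()` in the following hunk still defaults `context` to `0`, so a caller that omits the context hands both helpers a null pointer and whether they tolerate that is not visible here. A policy that gates privileged actions should fail closed on its own: `if(ctx == 0) return false;` as the first line of `allow`, before either helper runs. The if/else-if ladder can then collapse to `return allowPhysicalSeat(evt, ctx) || allowPrivilegedUser(evt, ctx);`, which reads exactly like the policy's name. The `SecurityFlags` enum keeps its name although its two members are no longer combinable flags and neither policy struct refers to it; rename it (e.g. `SecurityPolicyId`) with a comment on what it selects, or drop it if nothing outside this file uses the values. The template parameter lists in this hunk were lost in rendering, so which policy `ApplyDefaultSecurityPolicy` substitutes for a bare `Handler` cannot be checked here.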
@@ -239,8 +262,8 @@ public: } }; -template -struct InputEventHandlerChainHelper +template +struct InputEventHandlerChainHelper { void handle(InputEvent const&, InputEventContext const* context = 0) { // do nothing @@ -261,8 +284,11 @@ struct InputEventHandlerChainHelper } }; -template -struct InputEventHandlerChain : public InputEventHandlerChainHelper::type, typename boost::mpl::end::type> +template +struct InputEventHandlerChain : + public InputEventHandlerChainHelper::type, + typename boost::mpl::end::type> { }; diff --git a/src/input/inputHandlerChain.h b/src/input/inputHandlerChain.h index 8bcb1d8..b012aa6 100644 --- a/src/input/inputHandlerChain.h +++ b/src/input/inputHandlerChain.h @@ -34,14 +34,14 @@ typedef boost::mpl::list< Handler >::type unprivileged_handler_list; -typedef InputEventHandlerChain unprivileged_handler_chain; +typedef InputEventHandlerChain unprivileged_handler_chain; typedef boost::mpl::list< - Handler, - Handler, policy::Security >, - Handler, policy::Security > + Handler, + Handler >, + Handler > >::type privileged_handler_list; -typedef InputEventHandlerChain privileged_handler_chain; +typedef InputEventHandlerChain privileged_handler_chain; #endif /* INPUTHANDLERCHAIN_H_ */ -- cgit v1.2.3-55-g7522
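Review bot: The first entry of `privileged_handler_list` is a bare `Handler` with no policy argument, so it receives whatever default `privileged_handler_chain` passes to `InputEventHandlerChain`; that argument was lost in this rendering, so I cannot confirm it is `SecurityAllowPhysicalOrPrivileged`. For the privileged daemon the chain default should be the restrictive policy so that a handler added later without naming one fails closed, and that intent deserves a comment above the typedef: `// Chain default applies to every Handler that names no policy: deny unless physical seat or privileged user.` Likewise `unprivileged_handler_chain` should state why its default may be permissive, e.g. `// pvsinput runs unprivileged; its handlers perform no privileged action`, if that is indeed the reason.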