[2/3,V5] Disable shell access when lockdown is active

Message ID 468004846.64556.1471055771292.JavaMail.zimbra@raptorengineeringinc.com
State Superseded

Commit Message

Timothy Pearson Aug. 13, 2016, 2:36 a.m. UTC
This patch disables direct command line access when the /etc/pb-lockdown
file is present.

Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
---
 ui/ncurses/nc-cui.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

Comments

Murilo Opsfelder Araujo Aug. 16, 2016, 8:33 p.m. UTC | #1
On 08/12/2016 11:36 PM, Timothy Pearson wrote:
[...]
> diff --git a/ui/ncurses/nc-cui.c b/ui/ncurses/nc-cui.c
> index 09b63b0..96ebd1e 100644
> --- a/ui/ncurses/nc-cui.c
> +++ b/ui/ncurses/nc-cui.c
> @@ -25,6 +25,7 @@
>  #include <stdlib.h>
>  #include <string.h>
>  #include <sys/ioctl.h>
> +#include <sys/reboot.h>
>  
>  #include "log/log.h"
>  #include "pb-protocol/pb-protocol.h"
> @@ -94,6 +95,15 @@ static void cui_atexit(void)
>  	clear();
>  	refresh();
>  	endwin();
> +
> +	bool lockdown = false;
> +	if (access(LOCKDOWN_FILE, F_OK) != -1)
> +		lockdown = true;

I see this "if" block more than once.  Wouldn't it make sense to
encapsulate this in a function that returns true if lockdown is present?

> +
> +	while (lockdown) {
> +		sync();
> +		reboot(RB_AUTOBOOT);
> +	}
>  }
>  
>  /**
> @@ -826,6 +836,9 @@ static struct pmenu *main_menu_init(struct cui *cui)
>  	struct pmenu_item *i;
>  	struct pmenu *m;
>  	int result;
> +	bool lockdown = false;
> +	if (access(LOCKDOWN_FILE, F_OK) != -1)
> +		lockdown = true;

Same here.
Timothy Pearson Aug. 16, 2016, 10:29 p.m. UTC | #2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/16/2016 03:33 PM, Murilo Opsfelder Araújo wrote:
> I see this "if" block more than once.  Wouldn't it make sense to
> encapsulate this in a function that returns true if lockdown is present?

Fixed in patch V6.

- -- 
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJXs5OxAAoJEK+E3vEXDOFbUZ8IAIAi82KgjyhGh01QktKBvj51
4nX/QBNwNBr3QoskS5ke3HdMdftGjNP5MHLSxv5U2hAiZZyaWEl0p+1GeMTp3eK8
3ya7pIy5eGpwFssCoq6y6dVgTSlHkdo680kFPgo2yyTI2JK8tLOwgSKK8Bg11Ilj
tx7CtDJba1o+av/7fRKgldVJ9o8r24glNcMMxWEzJP9ulmVYYyDO6xa0ULJDbmtH
6r1ej5SIQVfAhU/VS4es1pXSCQ5aTLhBZoluOf25nO7emAtWOkPdm8tDK51CtuKi
Kqx+WYd3Hl5b9eMFlwmOscObktnfA9waPhxeJIoLqJUNkkql+LlqQ4U2eIPse3o=
=5XkE
-----END PGP SIGNATURE-----

Patch

diff --git a/ui/ncurses/nc-cui.c b/ui/ncurses/nc-cui.c
index 09b63b0..96ebd1e 100644
--- a/ui/ncurses/nc-cui.c
+++ b/ui/ncurses/nc-cui.c
@@ -25,6 +25,7 @@ 
 #include <stdlib.h>
 #include <string.h>
 #include <sys/ioctl.h>
+#include <sys/reboot.h>
 
 #include "log/log.h"
 #include "pb-protocol/pb-protocol.h"
@@ -94,6 +95,15 @@  static void cui_atexit(void)
 	clear();
 	refresh();
 	endwin();
+
+	bool lockdown = false;
+	if (access(LOCKDOWN_FILE, F_OK) != -1)
+		lockdown = true;
+
+	while (lockdown) {
+		sync();
+		reboot(RB_AUTOBOOT);
+	}
 }
 
 /**
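Review bot: The lockdown test added to cui_atexit() fails open: `access(LOCKDOWN_FILE, F_OK) != -1` treats every error as "not locked down", so a failure other than a missing file (an I/O error, ENOMEM) skips the reboot loop and lets the exit proceed; the same test is repeated in the main_menu_init hunk. Treating only ENOENT as unlocked is safer, e.g. `if (access(LOCKDOWN_FILE, F_OK) == 0 || errno != ENOENT) lockdown = true;` (this needs `<errno.h>` if the file does not already include it). Enforcement also sits in an atexit handler, which runs only on exit() or a return from main, so a process ended by a signal or abort() never reaches it; whatever launches the UI should presumably check the lockdown file itself before offering a shell. The return value of `reboot()` is ignored, so a failing call leaves the loop spinning on `sync()` with nothing logged. cui_atexit starts above the hunk.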
@@ -826,6 +836,9 @@  static struct pmenu *main_menu_init(struct cui *cui)
 	struct pmenu_item *i;
 	struct pmenu *m;
 	int result;
+	bool lockdown = false;
+	if (access(LOCKDOWN_FILE, F_OK) != -1)
+		lockdown = true;
 
 	m = pmenu_init(cui, 7, cui_on_exit);
 	if (!m) {
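Review bot: The `lockdown` flag sampled at the top of main_menu_init() only selects the label of the last menu entry in the following hunk; the entry keeps `pmenu_exit_cb`, so the reboot presumably happens only because cui_atexit() re-reads the file when the process exits. A short comment at the label switch would make that dependency visible, for example `/* Lockdown: exiting reboots via cui_atexit(); only the label changes here. */`. Because the file is checked separately at menu build time and at exit, the label and the actual behaviour can disagree if the file appears or disappears in between. main_menu_init's body starts above and continues past this hunk.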
@@ -869,7 +882,10 @@  static struct pmenu *main_menu_init(struct cui *cui)
 	i->on_execute = menu_add_url_execute;
 	pmenu_item_insert(m, i, 5);
 
-	i = pmenu_item_create(m, _("Exit to shell"));
+	if (lockdown)
+		i = pmenu_item_create(m, _("Reboot"));
+	else
+		i = pmenu_item_create(m, _("Exit to shell"));
 	i->on_execute = pmenu_exit_cb;
 	pmenu_item_insert(m, i, 6);