-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathentry_manager.h
110 lines (84 loc) · 3.7 KB
/
entry_manager.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
// Copyright 2018 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef USB_BOUNCER_ENTRY_MANAGER_H_
#define USB_BOUNCER_ENTRY_MANAGER_H_
#include <functional>
#include <map>
#include <memory>
#include <string>
#include <base/files/file_path.h>
#include <base/files/file_util.h>
#include <base/files/scoped_file.h>
#include <base/macros.h>
#include <base/memory/ref_counted.h>
#include <metrics/metrics_library.h>
#include "usb_bouncer/rule_db_storage.h"
#include "usb_bouncer/usb_bouncer.pb.h"
namespace usb_bouncer {
using DevpathToRuleCallback =
std::function<std::string(const std::string& devpath)>;
constexpr char kDefaultGlobalDir[] = "run/usb_bouncer/";
constexpr char kUsbguardPolicyDir[] = "etc/usbguard/rules.d";
// Keep track of allow-list rules needed for trusted USB devices for
// usbguard-daemon. Specifically maintains lists of:
// 1) Rules representing the currently connected devices
// 2) Optionally, Rules for USB devices that were present while the primary
// user was signed into a session.
//
// In general only one instance of EntryManager should exist at a time. For
// example the default instance can be used to invoke a member function:
// EntryManager::GetInstance()->GenerateRules();
class EntryManager {
public:
enum class UdevAction { kAdd = 0, kRemove = 1 };
static EntryManager* GetInstance();
static bool CreateDefaultGlobalDB();
~EntryManager();
// Removes expired entries from the trash of the global DB.
bool GarbageCollect();
// Returns a string representation of the contents of a rules.conf file that
// can be used by usbguard-daemon.
std::string GenerateRules() const;
// Updates the internal databases based on the particular |action| for the
// given |devpath|. Note that |devpath| isn't a valid path unitl "/sys" is
// prepended to be consistent with udev.
// For |action|:
// kAdd: allow-list entries are added to the global DB and to
// the user DB if it is available.
// kRemove: allow-list entries in the global DB are moved to the trash map
// incase a device uses mode switching, so each mode can be added to a
// single entry in the database.
bool HandleUdev(UdevAction action, const std::string& devpath);
// Updates entries in the user DB with all entries in the global DB. This
// allows Entries for currently connected devices that mode switch to be
// propagated to the primary user on sign-in or unlock.
bool HandleUserLogin();
private:
friend class EntryManagerTestUtil;
EntryManager();
EntryManager(const std::string& root_dir,
const base::FilePath& user_db_dir,
bool user_db_read_only,
DevpathToRuleCallback rule_from_devpath);
// Removes expired entries from the trash of the global DB. If |global_only|
// is false expired entries are removed from the user DB as well. This does
// not write to disk so PersistChanges() needs to be called afterward. Returns
// the number of removed entries.
size_t GarbageCollectInternal(bool global_only);
// Returns true if "/sys" + devpath expands to a child path of /sys/devices/.
bool ValidateDevPath(const std::string& devpath);
bool PersistChanges();
// Represents whether the lock screen is being shown.
bool user_db_read_only_;
// Prepended to all the paths to enable testing.
base::FilePath root_dir_;
// Allows mocking this functionality for tests.
DevpathToRuleCallback rule_from_devpath_;
RuleDBStorage global_db_;
RuleDBStorage user_db_;
MetricsLibrary metrics_;
DISALLOW_COPY_AND_ASSIGN(EntryManager);
};
} // namespace usb_bouncer
#endif // USB_BOUNCER_ENTRY_MANAGER_H_