file: add path based read/write/exec ACL checks
authorJo-Philipp Wich <jo@mein.io>
Sun, 1 Sep 2019 16:05:19 +0000 (18:05 +0200)
committerJo-Philipp Wich <jo@mein.io>
Sun, 1 Sep 2019 16:29:03 +0000 (18:29 +0200)
commit821045f6ce341fdc39fc8dafc765411b0f4954d1
treedee5099495e45849aafa26deccba5cd4452593d0
parentfb337e5a082b7f31664ebec092c3a3f96f4f7d76
file: add path based read/write/exec ACL checks

Introduce ACL checks to verify that the requested path may be read, written
or executed. This allows to restrict ubus file commands to specific paths.

To setup the required ACLs, the following ubus command may be used
on the command line:

ubus call session grant '{
  "ubus_rpc_session": "d41d8cd98f00b204e9800998ecf8427e",
  "scope": "file",
  "objects": [
    [ "/etc", "read" ],
    [ "/etc/*", "write" ],
    [ "/sbin/sysupgrade", "exec" ]
  ]
}'

The "read", "list", "stat" and "md5" procedures require "read" permissions,
the "write" procedure requires "write" permission and the "exec" procedure
requires "exec" permissions.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
file.c