whitelist-filter: Fix for non-whitelist commands
Issue: Non-whitelist commands return an improper completion code,
CommandNotAvailable.
Fix: Change the completion code to Insufficient privilege level as
expected.
Tested:
Verified using ipmitool raw command from Linux OS
1. Set restriction mode as ProvisionedHostWhitelist
Command: busctl set-property xyz.openbmc_project.RestrictionMode.Manager
/xyz/openbmc_project/control/security/restriction_mode
xyz.openbmc_project.Control.Security.RestrictionMode
RestrictionMode s "xyz.openbmc_project.Control.Security.
RestrictionMode.Modes.ProvisionedHostWhitelist"
Response: //Success
2. Check the restriction mode
Command: ipmitool raw 0x30 0xb3
Response: 04 00
3. Execute cold reset command from Linux OS terminal
Command : ipmitool raw 0x06 0x02
Response: Unable to send RAW command (channel=0x0 netfn=0x6 lun=0x0
cmd=0x2 rsp=0xd4): Insufficient privilege level
Signed-off-by: Snehalatha V <snehalathaX.v@intel.com>
Change-Id: I75180ed4a72e180ef968868a8011f70513558abd
diff --git a/src/whitelist-filter.cpp b/src/whitelist-filter.cpp
index 18ff4d5..c7e4086 100644
--- a/src/whitelist-filter.cpp
+++ b/src/whitelist-filter.cpp
@@ -451,7 +451,7 @@
entry("CHANNEL=0x%X", request->ctx->channel),
entry("NETFN=0x%X", int(request->ctx->netFn)),
entry("CMD=0x%X", int(request->ctx->cmd)));
- return ipmi::ccCommandNotAvailable;
+ return ipmi::ccInsufficientPrivilege;
}
return ipmi::ccSuccess;
}
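Review bot: The denial code `ipmi::ccInsufficientPrivilege` is written out literally at this return and again at the returns in the hunks at -489 and -498, so the three sites and the policy comment have to be edited by hand each time the answer changes. A single file-local constant, e.g. `static constexpr ipmi::Cc ccFilterDenied = ipmi::ccInsufficientPrivilege;`, returned from every deny path would keep the filter's response consistent. The enclosing function starts outside the hunk.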
@@ -459,8 +459,8 @@
// for system interface, filtering is done as follows:
// Allow All: preboot ? ccSuccess : ccSuccess
// Restricted: preboot ? ccSuccess :
- // ( whitelist ? ccSuccess : // ccCommandNotAvailable )
- // Deny All: preboot ? ccSuccess : ccCommandNotAvailable
+ // ( whitelist ? ccSuccess : ccInsufficientPrivilege )
+ // Deny All: preboot ? ccSuccess : ccInsufficientPrivilege
if (!(postCompleted || coreBIOSDone))
{
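Review bot: The policy table says every mode, including Deny All, answers ccSuccess while the host is pre-boot, but it does not say what ends that window; the condition below it treats the host as pre-boot until either `postCompleted` or `coreBIOSDone` is set. A line such as `// pre-boot = neither POST-complete nor core-BIOS-done seen yet; filter is open until then` would make the unfiltered window explicit for anyone auditing the restriction modes. The `if` body continues outside the hunk.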
@@ -489,7 +489,7 @@
break;
}
default: // for whitelist and blacklist
- return ipmi::ccCommandNotAvailable;
+ return ipmi::ccInsufficientPrivilege;
}
if (!whitelisted)
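Review bot: The `default:` branch denies the request with no log entry visible in this hunk, while the other two deny paths record `CHANNEL`, `NETFN` and `CMD` before returning. If nothing earlier in the switch logs, a request rejected here leaves no trace for later review. Consider logging the same fields before the return and rewording the trailing comment to say which restriction-mode values reach this branch, e.g. `// any other mode: fail closed`. The switch begins outside the hunk, so this is inferred from the visible lines only.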
@@ -498,7 +498,7 @@
entry("CHANNEL=0x%X", request->ctx->channel),
entry("NETFN=0x%X", int(request->ctx->netFn)),
entry("CMD=0x%X", int(request->ctx->cmd)));
- return ipmi::ccCommandNotAvailable;
+ return ipmi::ccInsufficientPrivilege;
}
return ipmi::ccSuccess;
} // namespace