commit 9a61b4f4e9213608653852ba2388fa89663029c3
author Tom Joseph <tomjoseph@in.ibm.com> Mon Jul 11 06:56:11 2016 -0500
committer Patrick Williams <patrick@stwcx.xyz> Mon Aug 08 20:05:34 2016 +0000
tree b52f1f75a4feeda1c3fbc9284fd17ec910f639ab
parent 3551868f8b46bec8711887c72b26f4c628d1600f

Whitelist IPMI commands based on Restricted mode

Whitelisting of IPMI commands is done to ensure that in restricted
mode only whitelisted commands are executed. Commands that are not
whitelisted is restricted and insufficient privilege is returned as the
completion code.

When the server is deployed it would be set to restricted mode. In this
scenario certain IPMI commands need to be restricted which would not be
added to the whitelist.

Change-Id: I90b8124e34263c4ffc5bcf06a28a7e88231aaf40
Signed-off-by: Tom Joseph <tomjoseph@in.ibm.com>

Makefile

diff --git a/Makefile b/Makefile
index 08900ca..447b129 100644
--- a/Makefile
+++ b/Makefile
@@ -5,7 +5,8 @@
 TESTADDSEL = testaddsel
 
 DAEMON = ipmid
-DAEMON_OBJ  = ipmid.o
+DAEMON_OBJ  =  ipmid.o \
+               ipmiwhitelist.o
 
 LIB_APP_OBJ = apphandler.o     \
               sensorhandler.o  \
@@ -44,8 +45,14 @@
 INCLUDEDIR ?= /usr/include
 LIBDIR ?= /usr/lib
 
+WHITELIST_SRC = ipmiwhitelist.C
+WHITELIST_CONF ?= host-ipmid-whitelist.conf
+
 all: $(DAEMON) $(LIB_APP) $(LIB_HOST_SRV) $(TESTER)
 
+$(WHITELIST_SRC) : generate_whitelist.sh $(WHITELIST_CONF)
+	./$^ > $@
+
 %.o: %.C
 	$(CXX) -std=c++14 -fpic -c $< $(CXXFLAGS) $(INC_FLAG) $(IPMID_PATH) -o $@
 
@@ -62,11 +69,11 @@
 	$(CXX) $^ $(LDFLAGS) $(LIB_FLAG) -o $@ -ldl
 
 clean:
-	rm -f $(DAEMON) $(TESTER) *.o *.so
+	rm -f $(DAEMON) $(TESTER) *.o *.so $(WHITELIST_SRC)
 
 $(TESTADDSEL): $(TESTADDSEL_OBJ)
 	$(CXX) $^ $(LDFLAGS) $(LIB_FLAG) -o $@ -ldl
-		
+
 install:
 		install -m 0755 -d $(DESTDIR)$(SBINDIR)
 		install -m 0755 ipmid $(DESTDIR)$(SBINDIR)
@@ -75,3 +82,4 @@
 		install -m 0755 -d $(DESTDIR)$(INCLUDEDIR)/host-ipmid
 		install -m 0644 $(INSTALLED_HEADERS) $(DESTDIR)$(INCLUDEDIR)/host-ipmid
 
+