Command execution restriction based on privilege
Restrict IPMI command execution based on privilege of
the user session.
Unit test:
1. Verified the command execution as per the privilege
2. Executing higher privilege IPMI command fails
Change-Id: I5901f2b18f4f7ecb6311882de558f75b61836109
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
diff --git a/command_table.cpp b/command_table.cpp
index 90ff145..26859a5 100644
--- a/command_table.cpp
+++ b/command_table.cpp
@@ -1,5 +1,6 @@
#include "command_table.hpp"
+#include "main.hpp"
#include "message_handler.hpp"
#include "message_parsers.hpp"
#include "sessions_manager.hpp"
@@ -95,20 +96,32 @@
std::vector<uint8_t> response(message::parser::MAX_PAYLOAD_SIZE - 1);
size_t respSize = commandData.size();
ipmi_ret_t ipmiRC = IPMI_CC_UNSPECIFIED_ERROR;
- try
+ std::shared_ptr<session::Session> session =
+ std::get<session::Manager&>(singletonPool)
+ .getSession(handler.sessionID);
+
+ if (session->curPrivLevel >= Entry::getPrivilege())
{
- ipmiRC = functor(0, 0, reinterpret_cast<void*>(commandData.data()),
- reinterpret_cast<void*>(response.data() + 1),
- &respSize, NULL);
+ try
+ {
+ ipmiRC = functor(0, 0, reinterpret_cast<void*>(commandData.data()),
+ reinterpret_cast<void*>(response.data() + 1),
+ &respSize, NULL);
+ }
+ // IPMI command handlers can throw unhandled exceptions, catch those
+ // and return sane error code.
+ catch (const std::exception& e)
+ {
+ std::cerr << "E> Unspecified error for command 0x" << std::hex
+ << command.command << " - " << e.what() << "\n";
+ respSize = 0;
+ // fall through
+ }
}
- // IPMI command handlers can throw unhandled exceptions, catch those
- // and return sane error code.
- catch (const std::exception& e)
+ else
{
- std::cerr << "E> Unspecified error for command 0x" << std::hex
- << command.command << " - " << e.what() << "\n";
respSize = 0;
- // fall through
+ ipmiRC = IPMI_CC_INSUFFICIENT_PRIVILEGE;
}
/*
* respSize gets you the size of the response data for the IPMI command. The