libfwupdplugin: add a helper to set a config file to secure

2025-06-05 10:40:20 +00:00 · 2021-12-17 08:48:10 -06:00 · 2021-12-17 08:48:10 -06:00 · 17db067d13
commit 17db067d13
parent 1b9bdb1659
3 changed files with 50 additions and 0 deletions
--- a/libfwupdplugin/fu-plugin.c
+++ b/libfwupdplugin/fu-plugin.c
@ -10,6 +10,7 @@

 #include <errno.h>
 #include <fwupd.h>
+#include <glib/gstdio.h>
 #include <gmodule.h>
 #include <string.h>
 #include <unistd.h>
@ -2260,6 +2261,49 @@ fu_plugin_set_config_value(FuPlugin *self, const gchar *key, const gchar *value,
 	return g_key_file_save_to_file(keyfile, conf_path, error);
 }

+/**
+ * fu_plugin_set_secure_config_value:
+ * @self: a #FuPlugin
+ * @key: a settings key
+ * @value: (nullable): a settings value
+ * @error: (nullable): optional return location for an error
+ *
+ * Sets a plugin config file value and updates file so that non-privileged users
+ * cannot read it.
+ *
+ * Returns: %TRUE for success
+ *
+ * Since: 1.7.4
+ **/
+gboolean
+fu_plugin_set_secure_config_value(FuPlugin *self,
+				  const gchar *key,
+				  const gchar *value,
+				  GError **error)
+{
+	g_autofree gchar *conf_path = fu_plugin_get_config_filename(self);
+	gint ret;
+
+	g_return_val_if_fail(FU_IS_PLUGIN(self), FALSE);
+	g_return_val_if_fail(error == NULL || *error == NULL, FALSE);
+
+	if (!g_file_test(conf_path, G_FILE_TEST_EXISTS)) {
+		g_set_error(error, FWUPD_ERROR, FWUPD_ERROR_NOT_FOUND, "%s is missing", conf_path);
+		return FALSE;
+	}
+	ret = g_chmod(conf_path, 0660);
+	if (ret == -1) {
+		g_set_error(error,
+			    FWUPD_ERROR,
+			    FWUPD_ERROR_INTERNAL,
+			    "failed to set permissions on %s",
+			    conf_path);
+		return FALSE;
+	}
+
+	return fu_plugin_set_config_value(self, key, value, error);
+}
+
 /**
 * fu_plugin_get_config_value_boolean:
 * @self: a #FuPlugin
--- a/libfwupdplugin/fu-plugin.h
+++ b/libfwupdplugin/fu-plugin.h
@ -434,6 +434,11 @@ fu_plugin_add_report_metadata(FuPlugin *self, const gchar *key, const gchar *val
 gchar *
 fu_plugin_get_config_value(FuPlugin *self, const gchar *key);
 gboolean
+fu_plugin_set_secure_config_value(FuPlugin *self,
+				  const gchar *key,
+				  const gchar *value,
+				  GError **error);
+gboolean
 fu_plugin_get_config_value_boolean(FuPlugin *self, const gchar *key);
 gboolean
 fu_plugin_set_config_value(FuPlugin *self, const gchar *key, const gchar *value, GError **error);
--- a/libfwupdplugin/fwupdplugin.map
+++ b/libfwupdplugin/fwupdplugin.map
@ -984,5 +984,6 @@ LIBFWUPDPLUGIN_1.7.4 {
    fu_cfi_device_set_block_size;
    fu_common_get_contents_stream;
    fu_memmem_safe;
+    fu_plugin_set_secure_config_value;
  local: *;
 } LIBFWUPDPLUGIN_1.7.3;