+enum {
+ DENY,
+ ALLOW,
+ DUNNO,
+};
+
+static const char *verdict_to_string(int v) {
+ switch (v) {
+
+ case DENY:
+ return "DENY";
+ case ALLOW:
+ return "ALLOW";
+ case DUNNO:
+ return "DUNNO";
+ }
+
+ return NULL;
+}
+
+struct policy_check_filter {
+ PolicyItemClass class;
+ uid_t uid;
+ gid_t gid;
+ int message_type;
+ const char *name;
+ const char *interface;
+ const char *path;
+ const char *member;
+};
+
+static int is_permissive(PolicyItem *i) {
+
+ assert(i);
+
+ return (i->type == POLICY_ITEM_ALLOW) ? ALLOW : DENY;
+}
+
+static int check_policy_item(PolicyItem *i, const struct policy_check_filter *filter) {
+
+ assert(i);
+ assert(filter);
+
+ switch (i->class) {
+ case POLICY_ITEM_SEND:
+ case POLICY_ITEM_RECV:
+
+ if (i->name && !streq_ptr(i->name, filter->name))
+ break;
+
+ if ((i->message_type != 0) && (i->message_type != filter->message_type))
+ break;
+
+ if (i->path && !streq_ptr(i->path, filter->path))
+ break;
+
+ if (i->member && !streq_ptr(i->member, filter->member))
+ break;
+
+ if (i->interface && !streq_ptr(i->interface, filter->interface))
+ break;
+
+ return is_permissive(i);
+
+ case POLICY_ITEM_OWN:
+ assert(filter->name);
+
+ if (streq(i->name, "*") || streq(i->name, filter->name))
+ return is_permissive(i);
+ break;
+
+ case POLICY_ITEM_OWN_PREFIX:
+ assert(filter->name);
+
+ if (streq(i->name, "*") || service_name_startswith(filter->name, i->name))
+ return is_permissive(i);
+ break;
+
+ case POLICY_ITEM_USER:
+ if (filter->uid != UID_INVALID)
+ if ((streq_ptr(i->name, "*") || (i->uid_valid && i->uid == filter->uid)))
+ return is_permissive(i);
+ break;
+
+ case POLICY_ITEM_GROUP:
+ if (filter->gid != GID_INVALID)
+ if ((streq_ptr(i->name, "*") || (i->gid_valid && i->gid == filter->gid)))
+ return is_permissive(i);
+ break;
+
+ case POLICY_ITEM_IGNORE:
+ default:
+ break;
+ }
+
+ return DUNNO;
+}
+
+static int check_policy_items(PolicyItem *items, const struct policy_check_filter *filter) {
+
+ PolicyItem *i;
+ int verdict = DUNNO;
+
+ assert(filter);
+
+ /* Check all policies in a set - a broader one might be followed by a more specific one,
+ * and the order of rules in policy definitions matters */
+ LIST_FOREACH(items, i, items) {
+ int v;
+
+ if (i->class != filter->class &&
+ !(i->class == POLICY_ITEM_OWN_PREFIX && filter->class == POLICY_ITEM_OWN))
+ continue;
+
+ v = check_policy_item(i, filter);
+ if (v != DUNNO)
+ verdict = v;
+ }
+
+ return verdict;
+}
+
+static int policy_check(Policy *p, const struct policy_check_filter *filter) {
+
+ PolicyItem *items;
+ int verdict, v;
+
+ assert(p);
+ assert(filter);
+
+ assert(IN_SET(filter->class, POLICY_ITEM_SEND, POLICY_ITEM_RECV, POLICY_ITEM_OWN, POLICY_ITEM_USER, POLICY_ITEM_GROUP));
+
+ /*
+ * The policy check is implemented by the following logic:
+ *
+ * 1. Check default items
+ * 2. Check group items
+ * 3. Check user items
+ * 4. Check mandatory items
+ *
+ * Later rules override earlier rules.
+ */
+
+ verdict = check_policy_items(p->default_items, filter);
+
+ if (filter->gid != GID_INVALID) {
+ items = hashmap_get(p->group_items, UINT32_TO_PTR(filter->gid));
+ if (items) {
+ v = check_policy_items(items, filter);
+ if (v != DUNNO)
+ verdict = v;
+ }
+ }
+
+ if (filter->uid != UID_INVALID) {
+ items = hashmap_get(p->user_items, UINT32_TO_PTR(filter->uid));
+ if (items) {
+ v = check_policy_items(items, filter);
+ if (v != DUNNO)
+ verdict = v;
+ }
+ }
+
+ v = check_policy_items(p->mandatory_items, filter);
+ if (v != DUNNO)
+ verdict = v;
+
+ return verdict;
+}
+
+bool policy_check_own(Policy *p, uid_t uid, gid_t gid, const char *name) {
+
+ struct policy_check_filter filter = {
+ .class = POLICY_ITEM_OWN,
+ .uid = uid,
+ .gid = gid,
+ .name = name,
+ };
+
+ int verdict;
+
+ assert(p);
+ assert(name);
+
+ verdict = policy_check(p, &filter);
+
+ log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG),
+ "Ownership permission check for uid=" UID_FMT " gid=" GID_FMT" name=%s: %s",
+ uid, gid, strna(name), strna(verdict_to_string(verdict)));
+
+ return verdict == ALLOW;
+}
+
+bool policy_check_hello(Policy *p, uid_t uid, gid_t gid) {
+
+ struct policy_check_filter filter = {
+ .uid = uid,
+ .gid = gid,
+ };
+ int verdict;
+
+ assert(p);
+
+ filter.class = POLICY_ITEM_USER;
+ verdict = policy_check(p, &filter);
+
+ if (verdict != DENY) {
+ int v;
+
+ filter.class = POLICY_ITEM_GROUP;
+ v = policy_check(p, &filter);
+ if (v != DUNNO)
+ verdict = v;
+ }
+
+ log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG),
+ "Hello permission check for uid=" UID_FMT " gid=" GID_FMT": %s",
+ uid, gid, strna(verdict_to_string(verdict)));
+
+ return verdict == ALLOW;
+}
+
+bool policy_check_recv(Policy *p,
+ uid_t uid,
+ gid_t gid,
+ int message_type,
+ const char *name,
+ const char *path,
+ const char *interface,
+ const char *member) {
+
+ struct policy_check_filter filter = {
+ .class = POLICY_ITEM_RECV,
+ .uid = uid,
+ .gid = gid,
+ .message_type = message_type,
+ .name = name,
+ .interface = interface,
+ .path = path,
+ .member = member,
+ };
+
+ int verdict;
+
+ assert(p);
+
+ verdict = policy_check(p, &filter);
+
+ log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG),
+ "Recieve permission check for uid=" UID_FMT " gid=" GID_FMT" message=%s name=%s interface=%s path=%s member=%s: %s",
+ uid, gid, bus_message_type_to_string(message_type), strna(name), strna(path), strna(interface), strna(member), strna(verdict_to_string(verdict)));
+
+ return verdict == ALLOW;
+}
+
+bool policy_check_send(Policy *p,
+ uid_t uid,
+ gid_t gid,
+ int message_type,
+ const char *name,
+ const char *path,
+ const char *interface,
+ const char *member) {
+
+ struct policy_check_filter filter = {
+ .class = POLICY_ITEM_SEND,
+ .uid = uid,
+ .gid = gid,
+ .message_type = message_type,
+ .name = name,
+ .interface = interface,
+ .path = path,
+ .member = member,
+ };
+
+ int verdict;
+
+ assert(p);
+
+ verdict = policy_check(p, &filter);
+
+ log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG),
+ "Send permission check for uid=" UID_FMT " gid=" GID_FMT" message=%s name=%s interface=%s path=%s member=%s: %s",
+ uid, gid, bus_message_type_to_string(message_type), strna(name), strna(path), strna(interface), strna(member), strna(verdict_to_string(verdict)));
+
+ return verdict == ALLOW;
+}
+