static int is_permissive(PolicyItem *i) {
+ assert(i);
+
return (i->type == POLICY_ITEM_ALLOW) ? ALLOW : DENY;
}
static int check_policy_item(PolicyItem *i, const struct policy_check_filter *filter) {
+ assert(i);
+ assert(filter);
+
switch (i->class) {
case POLICY_ITEM_SEND:
case POLICY_ITEM_RECV:
return is_permissive(i);
case POLICY_ITEM_OWN:
+ assert(filter->member);
+
if (streq(i->name, filter->member))
return is_permissive(i);
break;
case POLICY_ITEM_OWN_PREFIX:
+ assert(filter->member);
+
if (startswith(i->name, filter->member))
return is_permissive(i);
break;
case POLICY_ITEM_USER:
+ assert(filter->ucred);
+
if ((streq_ptr(i->name, "*") || (i->uid_valid && i->uid == filter->ucred->uid)))
return is_permissive(i);
break;
case POLICY_ITEM_GROUP:
+ assert(filter->ucred);
+
if ((streq_ptr(i->name, "*") || (i->gid_valid && i->gid == filter->ucred->gid)))
return is_permissive(i);
break;
PolicyItem *i;
int r, ret = DUNNO;
+ assert(items);
+ assert(filter);
+
/* Check all policies in a set - a broader one might be followed by a more specific one,
* and the order of rules in policy definitions matters */
LIST_FOREACH(items, i, items) {
PolicyItem *items;
int r;
+ assert(p);
+ assert(filter);
+
/*
* The policy check is implemented by the following logic:
*
~ianmdlvl / elogind.git / blobdiff