};
struct policy_check_filter {
- int class;
+ PolicyItemClass class;
const struct ucred *ucred;
int message_type;
+ const char *name;
const char *interface;
const char *path;
const char *member;
- char **names_strv;
- Hashmap *names_hash;
};
static int is_permissive(PolicyItem *i) {
case POLICY_ITEM_SEND:
case POLICY_ITEM_RECV:
- if (i->name) {
- if (filter->names_hash && !hashmap_contains(filter->names_hash, i->name))
- break;
-
- if (filter->names_strv && !strv_contains(filter->names_strv, i->name))
- break;
- }
+ if (i->name && !streq_ptr(i->name, filter->name))
+ break;
- if (i->message_type && (i->message_type != filter->message_type))
+ if ((i->message_type != 0) && (i->message_type != filter->message_type))
break;
if (i->path && !streq_ptr(i->path, filter->path))
return is_permissive(i);
case POLICY_ITEM_OWN:
- assert(filter->member);
+ assert(filter->name);
- if (streq(i->name, filter->member))
+ if (streq(i->name, "*") || streq(i->name, filter->name))
return is_permissive(i);
break;
case POLICY_ITEM_OWN_PREFIX:
- assert(filter->member);
+ assert(filter->name);
- if (startswith(i->name, filter->member))
+ if (streq(i->name, "*") || service_name_startswith(filter->name, i->name))
return is_permissive(i);
break;
/* Check all policies in a set - a broader one might be followed by a more specific one,
* and the order of rules in policy definitions matters */
LIST_FOREACH(items, i, items) {
- if (i->class != filter->class)
+ if (i->class != filter->class &&
+ !(i->class == POLICY_ITEM_OWN_PREFIX && filter->class == POLICY_ITEM_OWN))
continue;
r = check_policy_item(i, filter);
assert(p);
assert(filter);
+ assert(IN_SET(filter->class, POLICY_ITEM_SEND, POLICY_ITEM_RECV, POLICY_ITEM_OWN, POLICY_ITEM_USER, POLICY_ITEM_GROUP));
+
/*
* The policy check is implemented by the following logic:
*
bool policy_check_own(Policy *p, const struct ucred *ucred, const char *name) {
struct policy_check_filter filter = {
- .class = POLICY_ITEM_OWN,
- .ucred = ucred,
- .member = name,
+ .class = POLICY_ITEM_OWN,
+ .ucred = ucred,
+ .name = name,
};
return policy_check(p, &filter) == ALLOW;
bool policy_check_hello(Policy *p, const struct ucred *ucred) {
struct policy_check_filter filter = {
- .class = POLICY_ITEM_USER,
.ucred = ucred,
};
int user, group;
+ filter.class = POLICY_ITEM_USER;
user = policy_check(p, &filter);
if (user == DENY)
return false;
filter.class = POLICY_ITEM_GROUP;
group = policy_check(p, &filter);
- if (user == DUNNO && group == DUNNO)
+ if (group == DENY)
return false;
- return !(user == DENY || group == DENY);
+ return !(user == DUNNO && group == DUNNO);
}
bool policy_check_recv(Policy *p,
const struct ucred *ucred,
- Hashmap *names,
int message_type,
+ const char *name,
const char *path,
const char *interface,
const char *member) {
struct policy_check_filter filter = {
.class = POLICY_ITEM_RECV,
.ucred = ucred,
- .names_hash = names,
.message_type = message_type,
+ .name = name,
.interface = interface,
.path = path,
.member = member,
bool policy_check_send(Policy *p,
const struct ucred *ucred,
- char **names,
int message_type,
+ const char *name,
const char *path,
const char *interface,
const char *member) {
struct policy_check_filter filter = {
.class = POLICY_ITEM_SEND,
.ucred = ucred,
- .names_strv = names,
.message_type = message_type,
+ .name = name,
.interface = interface,
.path = path,
.member = member,