bus-policy: actually test messages against the newly added test.conf

[elogind.git] / src / bus-proxyd / bus-policy.c

diff --git a/src/bus-proxyd/bus-policy.c b/src/bus-proxyd/bus-policy.c
index 2ff5d646f15a38c66bfb905a0525ade770eb75f0..d543bf9af42700998f9e9006b2444a55ea10edc3 100644 (file)
--- a/src/bus-proxyd/bus-policy.c
+++ b/src/bus-proxyd/bus-policy.c
@@ -599,14 +599,13 @@ enum {
 };
 
 struct policy_check_filter {
-        int class;
+        PolicyItemClass class;
         const struct ucred *ucred;
         int message_type;
+        const char *name;
         const char *interface;
         const char *path;
         const char *member;
-        char **names_strv;
-        Hashmap *names_hash;
 };
 
 static int is_permissive(PolicyItem *i) {
@@ -625,15 +624,10 @@ static int check_policy_item(PolicyItem *i, const struct policy_check_filter *fi
         case POLICY_ITEM_SEND:
         case POLICY_ITEM_RECV:
 
-                if (i->name) {
-                        if (filter->names_hash && !hashmap_contains(filter->names_hash, i->name))
-                                break;
-
-                        if (filter->names_strv && !strv_contains(filter->names_strv, i->name))
-                                break;
-                }
+                if (i->name && !streq_ptr(i->name, filter->name))
+                        break;
 
-                if (i->message_type && (i->message_type != filter->message_type))
+                if ((i->message_type != 0) && (i->message_type != filter->message_type))
                         break;
 
                 if (i->path && !streq_ptr(i->path, filter->path))
@@ -648,16 +642,16 @@ static int check_policy_item(PolicyItem *i, const struct policy_check_filter *fi
                 return is_permissive(i);
 
         case POLICY_ITEM_OWN:
-                assert(filter->member);
+                assert(filter->name);
 
-                if (streq(i->name, filter->member))
+                if (streq(i->name, "*") || streq(i->name, filter->name))
                         return is_permissive(i);
                 break;
 
         case POLICY_ITEM_OWN_PREFIX:
-                assert(filter->member);
+                assert(filter->name);
 
-                if (startswith(i->name, filter->member))
+                if (streq(i->name, "*") || service_name_startswith(filter->name, i->name))
                         return is_permissive(i);
                 break;
 
@@ -693,7 +687,8 @@ static int check_policy_items(PolicyItem *items, const struct policy_check_filte
         /* Check all policies in a set - a broader one might be followed by a more specific one,
          * and the order of rules in policy definitions matters */
         LIST_FOREACH(items, i, items) {
-                if (i->class != filter->class)
+                if (i->class != filter->class &&
+                    !(i->class == POLICY_ITEM_OWN_PREFIX && filter->class == POLICY_ITEM_OWN))
                         continue;
 
                 r = check_policy_item(i, filter);
@@ -712,6 +707,8 @@ static int policy_check(Policy *p, const struct policy_check_filter *filter) {
         assert(p);
         assert(filter);
 
+        assert(IN_SET(filter->class, POLICY_ITEM_SEND, POLICY_ITEM_RECV, POLICY_ITEM_OWN, POLICY_ITEM_USER, POLICY_ITEM_GROUP));
+
         /*
          * The policy check is implemented by the following logic:
          *
@@ -747,9 +744,9 @@ static int policy_check(Policy *p, const struct policy_check_filter *filter) {
 bool policy_check_own(Policy *p, const struct ucred *ucred, const char *name) {
 
         struct policy_check_filter filter = {
-                .class  = POLICY_ITEM_OWN,
-                .ucred  = ucred,
-                .member = name,
+                .class = POLICY_ITEM_OWN,
+                .ucred = ucred,
+                .name  = name,
         };
 
         return policy_check(p, &filter) == ALLOW;
@@ -758,27 +755,27 @@ bool policy_check_own(Policy *p, const struct ucred *ucred, const char *name) {
 bool policy_check_hello(Policy *p, const struct ucred *ucred) {
 
         struct policy_check_filter filter = {
-                .class  = POLICY_ITEM_USER,
                 .ucred  = ucred,
         };
         int user, group;
 
+        filter.class = POLICY_ITEM_USER;
         user = policy_check(p, &filter);
         if (user == DENY)
                 return false;
 
         filter.class = POLICY_ITEM_GROUP;
         group = policy_check(p, &filter);
-        if (user == DUNNO && group == DUNNO)
+        if (group == DENY)
                 return false;
 
-        return !(user == DENY || group == DENY);
+        return !(user == DUNNO && group == DUNNO);
 }
 
 bool policy_check_recv(Policy *p,
                        const struct ucred *ucred,
-                       Hashmap *names,
                        int message_type,
+                       const char *name,
                        const char *path,
                        const char *interface,
                        const char *member) {
@@ -786,8 +783,8 @@ bool policy_check_recv(Policy *p,
         struct policy_check_filter filter = {
                 .class        = POLICY_ITEM_RECV,
                 .ucred        = ucred,
-                .names_hash   = names,
                 .message_type = message_type,
+                .name         = name,
                 .interface    = interface,
                 .path         = path,
                 .member       = member,
@@ -798,8 +795,8 @@ bool policy_check_recv(Policy *p,
 
 bool policy_check_send(Policy *p,
                        const struct ucred *ucred,
-                       char **names,
                        int message_type,
+                       const char *name,
                        const char *path,
                        const char *interface,
                        const char *member) {
@@ -807,8 +804,8 @@ bool policy_check_send(Policy *p,
         struct policy_check_filter filter = {
                 .class        = POLICY_ITEM_SEND,
                 .ucred        = ucred,
-                .names_strv   = names,
                 .message_type = message_type,
+                .name         = name,
                 .interface    = interface,
                 .path         = path,
                 .member       = member,