};
struct policy_check_filter {
- int class;
+ PolicyItemClass class;
const struct ucred *ucred;
int message_type;
const char *name;
if (i->name && !streq_ptr(i->name, filter->name))
break;
- if ((i->message_type != _POLICY_ITEM_CLASS_UNSET) && (i->message_type != filter->message_type))
+ if ((i->message_type != 0) && (i->message_type != filter->message_type))
break;
if (i->path && !streq_ptr(i->path, filter->path))
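Review bot: The new condition compares `i->message_type` against a bare `0` where the removed line used a named constant, so a reader now has to guess that 0 means "no message type configured". Keep the sentinel readable with a comment on that line, e.g. `/* message_type 0 == unset: the rule applies to every message type */`, or compare against whatever named unset value the message-type enumeration already provides, if one exists (none is visible in this chunk). The enclosing function begins and ends outside the hunk.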
case POLICY_ITEM_OWN_PREFIX:
assert(filter->name);
- if (streq(i->name, "*") || startswith(i->name, filter->name))
+ if (streq(i->name, "*") || service_name_startswith(filter->name, i->name))
return is_permissive(i);
break;
/* Check all policies in a set - a broader one might be followed by a more specific one,
* and the order of rules in policy definitions matters */
LIST_FOREACH(items, i, items) {
- if (i->class != filter->class)
+ if (i->class != filter->class &&
+ !(i->class == POLICY_ITEM_OWN_PREFIX && filter->class == POLICY_ITEM_OWN))
continue;
r = check_policy_item(i, filter);
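Review bot: The added exception lets a POLICY_ITEM_OWN_PREFIX item fall through to check_policy_item() for a POLICY_ITEM_OWN filter, and the OWN_PREFIX case there does `assert(filter->name)` (visible in an earlier hunk), so an OWN filter built without a name would now trip that assertion instead of being skipped by the class mismatch. If OWN filters are always constructed with a name this is fine, but the intent should be stated on the condition, e.g. `/* prefix rules also cover plain OWN requests; check_policy_item() then matches on filter->name */`. The LIST_FOREACH body continues past the end of the hunk.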
assert(p);
assert(filter);
+ assert(IN_SET(filter->class, POLICY_ITEM_SEND, POLICY_ITEM_RECV, POLICY_ITEM_OWN, POLICY_ITEM_USER, POLICY_ITEM_GROUP));
+
/*
* The policy check is implemented by the following logic:
*