ic = POLICY_ITEM_GROUP;
else if (streq(name, "eavesdrop")) {
log_debug("Unsupported attribute %s= at %s:%u, ignoring.", name, path, line);
- i->class = POLICY_ITEM_IGNORE;
state = STATE_ALLOW_DENY_OTHER_ATTRIBUTE;
break;
} else {
}
if (i->class != _POLICY_ITEM_CLASS_UNSET && ic != i->class) {
- log_error("send_ and receive_ fields mixed on same tag at %s:%u.", path, line);
+ log_error("send_, receive_/eavesdrop fields mixed on same tag at %s:%u.", path, line);
return -EINVAL;
}
} else if (t == XML_TAG_CLOSE_EMPTY ||
(t == XML_TAG_CLOSE && streq(name, i->type == POLICY_ITEM_ALLOW ? "allow" : "deny"))) {
- if (i->class == _POLICY_ITEM_CLASS_UNSET) {
- log_error("Policy not set at %s:%u.", path, line);
- return -EINVAL;
- }
+ /* If the tag is fully empty so far, we consider it a recv */
+ if (i->class == _POLICY_ITEM_CLASS_UNSET)
+ i->class = POLICY_ITEM_RECV;
if (policy_category == POLICY_CATEGORY_DEFAULT)
item_append(i, &p->default_items);
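Review bot: Defaulting an attribute-less tag to `POLICY_ITEM_RECV` at L21-22 also catches tags whose only attribute was discarded: the `eavesdrop` branch at L2-6 logs "ignoring" and no longer marks the item (the `POLICY_ITEM_IGNORE` assignment is gone), so a bare `<allow eavesdrop="true"/>` now appears to reach the close-tag branch with the class still unset and is appended as a receive rule with no name, interface, path or member restriction, which is broader than what the attribute asked for. Whether `ic` is assigned for eavesdrop before L1 is not visible here, but the new error text at L11 suggests it is grouped with receive fields, which does not change the outcome for an otherwise empty tag. Consider keeping eavesdrop-only items out of the item lists, e.g. by checking for that case before L21, or at least stating the intended semantics in the comment at L20, say `/* A tag with no send_/receive_ attribute (including one whose only attribute was ignored) becomes an unrestricted receive rule */`. The enclosing parser function starts and ends outside the hunk.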
return -EINVAL;
}
- i->interface = name;
- name = NULL;
+ if (!streq(name, "*")) {
+ i->interface = name;
+ name = NULL;
+ }
state = STATE_ALLOW_DENY;
} else {
log_error("Unexpected token (9) at %s:%u.", path, line);
return -EINVAL;
}
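Review bot: The "*" branches are handled two different ways in this commit: here at L29-32 (and at L40-43, L51-54, L62-65, L75-81) a wildcard leaves `name` untouched and the field unset, while the SEND/RECV case at L90-93 frees `name` explicitly. If `name` is cleanup-managed by the loop, the explicit `free(name); name = NULL;` at L91-92 is redundant; if it is not, the five branches here leak the wildcard string, so one of the two forms should be made consistent. A one-line comment on each branch, e.g. `/* "*" matches anything: leave the field unset so policy_check() does not filter on it */`, would make the intent explicit, and for the message-type case at L75 it should also say that the wildcard relies on the item's default `message_type` meaning "any", which is not visible here. The enclosing parser function starts and ends outside the hunk.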
- i->member = name;
- name = NULL;
+ if (!streq(name, "*")) {
+ i->member = name;
+ name = NULL;
+ }
state = STATE_ALLOW_DENY;
} else {
log_error("Unexpected token (10) in %s:%u.", path, line);
return -EINVAL;
}
- i->error = name;
- name = NULL;
+ if (!streq(name, "*")) {
+ i->error = name;
+ name = NULL;
+ }
state = STATE_ALLOW_DENY;
} else {
log_error("Unexpected token (11) in %s:%u.", path, line);
return -EINVAL;
}
- i->path = name;
- name = NULL;
+ if (!streq(name, "*")) {
+ i->path = name;
+ name = NULL;
+ }
state = STATE_ALLOW_DENY;
} else {
log_error("Unexpected token (12) in %s:%u.", path, line);
return -EINVAL;
}
- r = bus_message_type_from_string(name, &i->message_type);
- if (r < 0) {
- log_error("Invalid message type in %s:%u.", path, line);
- return -EINVAL;
+ if (!streq(name, "*")) {
+ r = bus_message_type_from_string(name, &i->message_type);
+ if (r < 0) {
+ log_error("Invalid message type in %s:%u.", path, line);
+ return -EINVAL;
+ }
}
state = STATE_ALLOW_DENY;
i->gid_valid = true;
}
break;
+
+ case POLICY_ITEM_SEND:
+ case POLICY_ITEM_RECV:
+
+ if (streq(name, "*")) {
+ free(name);
+ name = NULL;
+ }
+ break;
+
+
default:
break;
}
const char *name,
const char *path,
const char *interface,
- const char *member) {
+ const char *member,
+ bool dbus_to_kernel) {
struct policy_check_filter filter = {
.class = POLICY_ITEM_RECV,
verdict = policy_check(p, &filter);
log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG),
- "Receive permission check for uid=" UID_FMT " gid=" GID_FMT" message=%s name=%s interface=%s path=%s member=%s: %s",
- uid, gid, bus_message_type_to_string(message_type), strna(name), strna(path), strna(interface), strna(member), strna(verdict_to_string(verdict)));
+ "Receive permission check %s for uid=" UID_FMT " gid=" GID_FMT" message=%s name=%s path=%s interface=%s member=%s: %s",
+ dbus_to_kernel ? "dbus-1 to kernel" : "kernel to dbus-1", uid, gid, bus_message_type_to_string(message_type), strna(name),
+ strna(path), strna(interface), strna(member), strna(verdict_to_string(verdict)));
return verdict == ALLOW;
}
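Review bot: The new `dbus_to_kernel` parameter is consumed only by the log message at L113; in the visible lines the filter initialised at L106-107 and the `policy_check()` call at L108 do not read it, so the verdict is direction-independent. If that is intended, a comment on the parameter, e.g. `/* dbus_to_kernel: logged only, the verdict does not depend on message direction */`, would stop the next reader from assuming the check is directional; if a directional check was intended, the filter needs to carry it. The same applies to the send check in the hunk ending at L133, which duplicates this log statement verbatim apart from the word "Send" and could share a helper. Both function signatures begin outside their hunks.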
const char *name,
const char *path,
const char *interface,
- const char *member) {
+ const char *member,
+ bool dbus_to_kernel) {
struct policy_check_filter filter = {
.class = POLICY_ITEM_SEND,
verdict = policy_check(p, &filter);
log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG),
- "Send permission check for uid=" UID_FMT " gid=" GID_FMT" message=%s name=%s interface=%s path=%s member=%s: %s",
- uid, gid, bus_message_type_to_string(message_type), strna(name), strna(path), strna(interface), strna(member), strna(verdict_to_string(verdict)));
+ "Send permission check %s for uid=" UID_FMT " gid=" GID_FMT" message=%s name=%s path=%s interface=%s member=%s: %s",
+ dbus_to_kernel ? "dbus-1 to kernel" : "kernel to dbus-1", uid, gid, bus_message_type_to_string(message_type), strna(name),
+ strna(path), strna(interface), strna(member), strna(verdict_to_string(verdict)));
return verdict == ALLOW;
}
printf("%s Mandatory Items:\n", draw_special_char(DRAW_ARROW));
dump_items(p->mandatory_items, "\t");
+
+ fflush(stdout);
}
static const char* const policy_item_type_table[_POLICY_ITEM_TYPE_MAX] = {