chiark / gitweb /
~ianmdlvl / elogind.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
bus-proxy: print message direction in policy logs
[elogind.git] / src / bus-proxyd / bus-xml-policy.c
diff --git a/src/bus-proxyd/bus-xml-policy.c b/src/bus-proxyd/bus-xml-policy.c
index cf39c52546d68c9c2fbb026f31f83301cffd5d06..a5c4313327c467ebf6ab1b8d8155a1a6a306c321 100644 (file)
--- a/src/bus-proxyd/bus-xml-policy.c
+++ b/src/bus-proxyd/bus-xml-policy.c
@@ -279,7 +279,6 @@ static int file_load(Policy *p, const char *path) {
                                         ic = POLICY_ITEM_GROUP;
                                 else if (streq(name, "eavesdrop")) {
                                         log_debug("Unsupported attribute %s= at %s:%u, ignoring.", name, path, line);
-                                        i->class = POLICY_ITEM_IGNORE;
                                         state = STATE_ALLOW_DENY_OTHER_ATTRIBUTE;
                                         break;
                                 } else {
@@ -289,7 +288,7 @@ static int file_load(Policy *p, const char *path) {
                                 }
 
                                 if (i->class != _POLICY_ITEM_CLASS_UNSET && ic != i->class) {
-                                        log_error("send_ and receive_ fields mixed on same tag at %s:%u.", path, line);
+                                        log_error("send_, receive_/eavesdrop fields mixed on same tag at %s:%u.", path, line);
                                         return -EINVAL;
                                 }
 
@@ -330,10 +329,9 @@ static int file_load(Policy *p, const char *path) {
                         } else if (t == XML_TAG_CLOSE_EMPTY ||
                                    (t == XML_TAG_CLOSE && streq(name, i->type == POLICY_ITEM_ALLOW ? "allow" : "deny"))) {
 
-                                if (i->class == _POLICY_ITEM_CLASS_UNSET) {
-                                        log_error("Policy not set at %s:%u.", path, line);
-                                        return -EINVAL;
-                                }
+                                /* If the tag is fully empty so far, we consider it a recv */
+                                if (i->class == _POLICY_ITEM_CLASS_UNSET)
+                                        i->class = POLICY_ITEM_RECV;
 
                                 if (policy_category == POLICY_CATEGORY_DEFAULT)
                                         item_append(i, &p->default_items);
@@ -423,8 +421,10 @@ static int file_load(Policy *p, const char *path) {
                                         return -EINVAL;
                                 }
 
-                                i->interface = name;
-                                name = NULL;
+                                if (!streq(name, "*")) {
+                                        i->interface = name;
+                                        name = NULL;
+                                }
                                 state = STATE_ALLOW_DENY;
                         } else {
                                 log_error("Unexpected token (9) at %s:%u.", path, line);
@@ -442,8 +442,10 @@ static int file_load(Policy *p, const char *path) {
                                         return -EINVAL;
                                 }
 
-                                i->member = name;
-                                name = NULL;
+                                if (!streq(name, "*")) {
+                                        i->member = name;
+                                        name = NULL;
+                                }
                                 state = STATE_ALLOW_DENY;
                         } else {
                                 log_error("Unexpected token (10) in %s:%u.", path, line);
@@ -461,8 +463,10 @@ static int file_load(Policy *p, const char *path) {
                                         return -EINVAL;
                                 }
 
-                                i->error = name;
-                                name = NULL;
+                                if (!streq(name, "*")) {
+                                        i->error = name;
+                                        name = NULL;
+                                }
                                 state = STATE_ALLOW_DENY;
                         } else {
                                 log_error("Unexpected token (11) in %s:%u.", path, line);
@@ -480,8 +484,10 @@ static int file_load(Policy *p, const char *path) {
                                         return -EINVAL;
                                 }
 
-                                i->path = name;
-                                name = NULL;
+                                if (!streq(name, "*")) {
+                                        i->path = name;
+                                        name = NULL;
+                                }
                                 state = STATE_ALLOW_DENY;
                         } else {
                                 log_error("Unexpected token (12) in %s:%u.", path, line);
@@ -500,10 +506,12 @@ static int file_load(Policy *p, const char *path) {
                                         return -EINVAL;
                                 }
 
-                                r = bus_message_type_from_string(name, &i->message_type);
-                                if (r < 0) {
-                                        log_error("Invalid message type in %s:%u.", path, line);
-                                        return -EINVAL;
+                                if (!streq(name, "*")) {
+                                        r = bus_message_type_from_string(name, &i->message_type);
+                                        if (r < 0) {
+                                                log_error("Invalid message type in %s:%u.", path, line);
+                                                return -EINVAL;
+                                        }
                                 }
 
                                 state = STATE_ALLOW_DENY;
@@ -546,6 +554,17 @@ static int file_load(Policy *p, const char *path) {
                                                         i->gid_valid = true;
                                         }
                                         break;
+
+                                case POLICY_ITEM_SEND:
+                                case POLICY_ITEM_RECV:
+
+                                        if (streq(name, "*")) {
+                                                free(name);
+                                                name = NULL;
+                                        }
+                                        break;
+
+
                                 default:
                                         break;
                                 }
@@ -818,7 +837,8 @@ bool policy_check_recv(Policy *p,
                        const char *name,
                        const char *path,
                        const char *interface,
-                       const char *member) {
+                       const char *member,
+                       bool dbus_to_kernel) {
 
         struct policy_check_filter filter = {
                 .class        = POLICY_ITEM_RECV,
@@ -838,8 +858,9 @@ bool policy_check_recv(Policy *p,
         verdict = policy_check(p, &filter);
 
         log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG),
-                 "Receive permission check for uid=" UID_FMT " gid=" GID_FMT" message=%s name=%s interface=%s path=%s member=%s: %s",
-                 uid, gid, bus_message_type_to_string(message_type), strna(name), strna(path), strna(interface), strna(member), strna(verdict_to_string(verdict)));
+                 "Receive permission check %s for uid=" UID_FMT " gid=" GID_FMT" message=%s name=%s path=%s interface=%s member=%s: %s",
+                 dbus_to_kernel ? "dbus-1 to kernel" : "kernel to dbus-1", uid, gid, bus_message_type_to_string(message_type), strna(name),
+                 strna(path), strna(interface), strna(member), strna(verdict_to_string(verdict)));
 
         return verdict == ALLOW;
 }
@@ -851,7 +872,8 @@ bool policy_check_send(Policy *p,
                        const char *name,
                        const char *path,
                        const char *interface,
-                       const char *member) {
+                       const char *member,
+                       bool dbus_to_kernel) {
 
         struct policy_check_filter filter = {
                 .class        = POLICY_ITEM_SEND,
@@ -871,8 +893,9 @@ bool policy_check_send(Policy *p,
         verdict = policy_check(p, &filter);
 
         log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG),
-                 "Send permission check for uid=" UID_FMT " gid=" GID_FMT" message=%s name=%s interface=%s path=%s member=%s: %s",
-                 uid, gid, bus_message_type_to_string(message_type), strna(name), strna(path), strna(interface), strna(member), strna(verdict_to_string(verdict)));
+                 "Send permission check %s for uid=" UID_FMT " gid=" GID_FMT" message=%s name=%s path=%s interface=%s member=%s: %s",
+                 dbus_to_kernel ? "dbus-1 to kernel" : "kernel to dbus-1", uid, gid, bus_message_type_to_string(message_type), strna(name),
+                 strna(path), strna(interface), strna(member), strna(verdict_to_string(verdict)));
 
         return verdict == ALLOW;
 }
@@ -1028,6 +1051,8 @@ void policy_dump(Policy *p) {
 
         printf("%s Mandatory Items:\n", draw_special_char(DRAW_ARROW));
         dump_items(p->mandatory_items, "\t");
+
+        fflush(stdout);
 }
 
 static const char* const policy_item_type_table[_POLICY_ITEM_TYPE_MAX] = {
Unnamed repository; edit this file 'description' to name the repository.