X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=src%2Fbus-proxyd%2Fbus-xml-policy.c;h=a5c4313327c467ebf6ab1b8d8155a1a6a306c321;hp=9e4cc454cf36af9f8813151cc1ca45b4a025f093;hb=b49c7806a395fd655edd19785f56874b28f5a24c;hpb=fe21f16764147d51819a904d57ac36967f9913e3
diff --git a/src/bus-proxyd/bus-xml-policy.c b/src/bus-proxyd/bus-xml-policy.c
index 9e4cc454c..a5c431332 100644
--- a/src/bus-proxyd/bus-xml-policy.c
+++ b/src/bus-proxyd/bus-xml-policy.c
@@ -280,7 +280,7 @@ static int file_load(Policy *p, const char *path) {
 else if (streq(name, "eavesdrop")) {
 log_debug("Unsupported attribute %s= at %s:%u, ignoring.", name, path, line);
 state = STATE_ALLOW_DENY_OTHER_ATTRIBUTE;
- ic = POLICY_ITEM_RECV; /* eavesdrop is a type of receive attribute match! */
+ break;
 } else {
 log_error("Unknown attribute %s= at %s:%u, ignoring.", name, path, line);
 state = STATE_ALLOW_DENY_OTHER_ATTRIBUTE;
@@ -329,10 +329,9 @@ static int file_load(Policy *p, const char *path) {
 } else if (t == XML_TAG_CLOSE_EMPTY || (t == XML_TAG_CLOSE && streq(name, i->type == POLICY_ITEM_ALLOW ? "allow" : "deny"))) {
- if (i->class == _POLICY_ITEM_CLASS_UNSET) {
- log_error("Policy not set at %s:%u.", path, line);
- return -EINVAL;
- }
+ /* If the tag is fully empty so far, we consider it a recv */
+ if (i->class == _POLICY_ITEM_CLASS_UNSET)
+ i->class = POLICY_ITEM_RECV;
 if (policy_category == POLICY_CATEGORY_DEFAULT)
 item_append(i, &p->default_items);
@@ -422,8 +421,10 @@ static int file_load(Policy *p, const char *path) {
 return -EINVAL;
 }
- i->interface = name;
- name = NULL;
+ if (!streq(name, "*")) {
+ i->interface = name;
+ name = NULL;
+ }
 state = STATE_ALLOW_DENY;
 } else {
 log_error("Unexpected token (9) at %s:%u.", path, line);
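Review bot: The close-tag branch in the @@ -329 hunk now fails open: an `<allow>` or `<deny>` element that gets there with `i->class` still unset becomes a receive rule with no match fields, where the old code returned -EINVAL. Going by the @@ -280 hunk, that appears to cover an element whose only attribute is `eavesdrop=` (which no longer sets the class) or an unknown, possibly misspelled one (logged and ignored), so a typo in an `<allow>` line could widen into allow-all-receive; the code between the two hunks is not shown, so this needs confirming. I would keep rejecting the element when an attribute was skipped, and otherwise brace the `if` and log the default, e.g. `log_warning("Empty <%s/> at %s:%u, treating as match-all receive rule.", i->type == POLICY_ITEM_ALLOW ? "allow" : "deny", path, line);` ahead of `i->class = POLICY_ITEM_RECV;`. file_load() starts and ends outside both hunks.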
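Review bot: The `"*"` branch in the @@ -422 hunk leaves `i->interface` NULL and `name` untouched without saying that NULL is the match-any encoding or who releases `name`; the @@ -441 (member), @@ -460 (error) and @@ -479 (path) hunks repeat it, while the @@ -545 hunk handles the same wildcard with an explicit `free(name); name = NULL;`. If `name` is freed automatically elsewhere in file_load() (not visible here) the explicit free is redundant, and if it is not, these four branches leak, so the two forms should be made to agree. A comment such as `/* "*" matches anything, which is encoded as a NULL field */` above each `if (!streq(name, "*"))` would record the intent. Since the field stays NULL after a wildcard, whatever duplicate-attribute check precedes the `return -EINVAL;` context line presumably no longer catches a second attribute of the same kind; the @@ -499 hunk likewise relies on the initial `i->message_type` meaning any type.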
@@ -441,8 +442,10 @@ static int file_load(Policy *p, const char *path) { return -EINVAL; } - i->member = name; - name = NULL; + if (!streq(name, "*")) { + i->member = name; + name = NULL; + } state = STATE_ALLOW_DENY; } else { log_error("Unexpected token (10) in %s:%u.", path, line); @@ -460,8 +463,10 @@ static int file_load(Policy *p, const char *path) { return -EINVAL; } - i->error = name; - name = NULL; + if (!streq(name, "*")) { + i->error = name; + name = NULL; + } state = STATE_ALLOW_DENY; } else { log_error("Unexpected token (11) in %s:%u.", path, line); @@ -479,8 +484,10 @@ static int file_load(Policy *p, const char *path) { return -EINVAL; } - i->path = name; - name = NULL; + if (!streq(name, "*")) { + i->path = name; + name = NULL; + } state = STATE_ALLOW_DENY; } else { log_error("Unexpected token (12) in %s:%u.", path, line); @@ -499,10 +506,12 @@ static int file_load(Policy *p, const char *path) { return -EINVAL; } - r = bus_message_type_from_string(name, &i->message_type); - if (r < 0) { - log_error("Invalid message type in %s:%u.", path, line); - return -EINVAL; + if (!streq(name, "*")) { + r = bus_message_type_from_string(name, &i->message_type); + if (r < 0) { + log_error("Invalid message type in %s:%u.", path, line); + return -EINVAL; + } } state = STATE_ALLOW_DENY; @@ -545,6 +554,17 @@ static int file_load(Policy *p, const char *path) { i->gid_valid = true; } break; + + case POLICY_ITEM_SEND: + case POLICY_ITEM_RECV: + + if (streq(name, "*")) { + free(name); + name = NULL; + } + break; + + default: break; } @@ -817,7 +837,8 @@ bool policy_check_recv(Policy *p, const char *name, const char *path, const char *interface, - const char *member) { + const char *member, + bool dbus_to_kernel) { struct policy_check_filter filter = { .class = POLICY_ITEM_RECV, 
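Review bot: `dbus_to_kernel` is added to policy_check_recv() in the @@ -817 hunk, and to policy_check_send() in the @@ -850 hunk, as an undocumented bare bool. In the hunks shown it is only used to choose the direction text in the log line, but a call site reading `policy_check_recv(..., true)` suggests it could influence the verdict. I would put `/* dbus_to_kernel: direction of the message being checked; used for the log line only */` above both functions, adjusted if the flag is also read in the part of the body outside these hunks. Every caller has to pass the new argument, and the header prototype is not part of this diff as shown.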
@@ -837,8 +858,9 @@ bool policy_check_recv(Policy *p,
 verdict = policy_check(p, &filter);
 log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG),
- "Receive permission check for uid=" UID_FMT " gid=" GID_FMT" message=%s name=%s interface=%s path=%s member=%s: %s",
- uid, gid, bus_message_type_to_string(message_type), strna(name), strna(path), strna(interface), strna(member), strna(verdict_to_string(verdict)));
+ "Receive permission check %s for uid=" UID_FMT " gid=" GID_FMT" message=%s name=%s path=%s interface=%s member=%s: %s",
+ dbus_to_kernel ? "dbus-1 to kernel" : "kernel to dbus-1", uid, gid, bus_message_type_to_string(message_type), strna(name),
+ strna(path), strna(interface), strna(member), strna(verdict_to_string(verdict)));
 return verdict == ALLOW;
 }
@@ -850,7 +872,8 @@ bool policy_check_send(Policy *p,
 const char *name,
 const char *path,
 const char *interface,
- const char *member) {
+ const char *member,
+ bool dbus_to_kernel) {
 struct policy_check_filter filter = {
 .class = POLICY_ITEM_SEND,
@@ -870,8 +893,9 @@ bool policy_check_send(Policy *p,
 verdict = policy_check(p, &filter);
 log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG),
- "Send permission check for uid=" UID_FMT " gid=" GID_FMT" message=%s name=%s interface=%s path=%s member=%s: %s",
- uid, gid, bus_message_type_to_string(message_type), strna(name), strna(path), strna(interface), strna(member), strna(verdict_to_string(verdict)));
+ "Send permission check %s for uid=" UID_FMT " gid=" GID_FMT" message=%s name=%s path=%s interface=%s member=%s: %s",
+ dbus_to_kernel ? "dbus-1 to kernel" : "kernel to dbus-1", uid, gid, bus_message_type_to_string(message_type), strna(name),
+ strna(path), strna(interface), strna(member), strna(verdict_to_string(verdict)));
 return verdict == ALLOW;
 }
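Review bot: The direction is spliced into the middle of the LOG_AUTH message as free text (`Receive permission check %s for uid=` in the @@ -837 hunk, `Send permission check %s for uid=` in the @@ -870 hunk), which changes the line's prefix and makes it the one field without a `key=` label. Alerting or log searches that key on the previous wording would silently stop matching denied checks. Emitting it as a labelled field after the fixed prefix keeps the line stable and parseable: `"Receive permission check for direction=%s uid=" UID_FMT " gid=" GID_FMT ...`. Lines written before this change carry the path and interface values under each other's labels (the old format string had `interface=%s path=%s` against `strna(path), strna(interface)`), which matters when reading older logs.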
@@ -1027,6 +1051,8 @@ void policy_dump(Policy *p) {
 printf("%s Mandatory Items:\n", draw_special_char(DRAW_ARROW));
 dump_items(p->mandatory_items, "\t");
+
+ fflush(stdout);
 }
 static const char* const policy_item_type_table[_POLICY_ITEM_TYPE_MAX] = {