From 3a9cca11042331fc053ac1aa6363603622f1188c Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 26 Nov 2014 20:22:22 +0100
Subject: [PATCH] bus-policy: steal a test case for prefix ownership from dbus1, and make sure it passes with the bus proxy enforcement
---
 Makefile.am | 3 ++-
 src/bus-proxyd/bus-policy.c | 7 ++++---
 src/bus-proxyd/test-bus-policy.c | 16 ++++++++++++++++
 test/bus-policy/check-own-rules.conf | 14 ++++++++++++++
 4 files changed, 36 insertions(+), 4 deletions(-)
 create mode 100644 test/bus-policy/check-own-rules.conf
diff --git a/Makefile.am b/Makefile.am
index b52ff8e77..5545aa187 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1383,7 +1383,8 @@ EXTRA_DIST += \
 test/bus-policy/hello.conf \
 test/bus-policy/methods.conf \
 test/bus-policy/ownerships.conf \
- test/bus-policy/signals.conf
+ test/bus-policy/signals.conf \
+ test/bus-policy/check-own-rules.conf
 EXTRA_DIST += \
diff --git a/src/bus-proxyd/bus-policy.c b/src/bus-proxyd/bus-policy.c
index cb0726aa3..ff6a3e4e1 100644
--- a/src/bus-proxyd/bus-policy.c
+++ b/src/bus-proxyd/bus-policy.c
@@ -599,7 +599,7 @@ enum {
 };
 struct policy_check_filter {
- int class;
+ PolicyItemClass class;
 const struct ucred *ucred;
 int message_type;
 const char *name;
@@ -651,7 +651,7 @@ static int check_policy_item(PolicyItem *i, const struct policy_check_filter *fi
 case POLICY_ITEM_OWN_PREFIX:
 assert(filter->name);
- if (streq(i->name, "*") || service_name_startswith(i->name, filter->name))
+ if (streq(i->name, "*") || service_name_startswith(filter->name, i->name))
 return is_permissive(i);
 break;
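Review bot: The swapped call `service_name_startswith(filter->name, i->name)` now asks whether the requested name starts with the rule's prefix, which is the right direction, but nothing at the call site records that the match must stop at a dotted name-element boundary; the new test expects `org.freedesktop.ManySystems2` to be rejected while `org.freedesktop.ManySystems.foo` is accepted, so service_name_startswith is presumably element-aware rather than a plain string prefix test. A one-line comment here, `/* own_prefix matches whole name elements: "a.b" covers "a.b" and "a.b.c", never "a.bc" */`, pins that contract at the enforcement point so a later rewrite to a bare strncmp() cannot silently widen what a prefix rule grants. The `*` wildcard branch grants ownership of any name and is worth a matching half-sentence in the same comment. check_policy_item begins and ends outside the hunk.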
@@ -687,7 +687,8 @@ static int check_policy_items(PolicyItem *items, const struct policy_check_filte
 /* Check all policies in a set - a broader one might be followed by a more specific one,
 * and the order of rules in policy definitions matters */
 LIST_FOREACH(items, i, items) {
- if (i->class != filter->class)
+ if (i->class != filter->class &&
+ IN_SET(i->class, POLICY_ITEM_OWN, POLICY_ITEM_OWN_PREFIX) != IN_SET(filter->class, POLICY_ITEM_OWN, POLICY_ITEM_OWN_PREFIX))
 continue;
 r = check_policy_item(i, filter);
diff --git a/src/bus-proxyd/test-bus-policy.c b/src/bus-proxyd/test-bus-policy.c
index c9a027e87..a4b7b6af0 100644
--- a/src/bus-proxyd/test-bus-policy.c
+++ b/src/bus-proxyd/test-bus-policy.c
@@ -131,5 +131,21 @@ int main(int argc, char *argv[]) {
 policy_free(&p);
+ /* dbus1 test file: ownership */
+
+ assert_se(test_policy_load(&p, "check-own-rules.conf") >= 0);
+ policy_dump(&p);
+
+ assert_se(policy_check_own(&p, &ucred, "org.freedesktop") == false);
+ assert_se(policy_check_own(&p, &ucred, "org.freedesktop.ManySystem") == false);
+ assert_se(policy_check_own(&p, &ucred, "org.freedesktop.ManySystems") == true);
+ assert_se(policy_check_own(&p, &ucred, "org.freedesktop.ManySystems.foo") == true);
+ assert_se(policy_check_own(&p, &ucred, "org.freedesktop.ManySystems.foo.bar") == true);
+ assert_se(policy_check_own(&p, &ucred, "org.freedesktop.ManySystems2") == false);
+ assert_se(policy_check_own(&p, &ucred, "org.freedesktop.ManySystems2.foo") == false);
+ assert_se(policy_check_own(&p, &ucred, "org.freedesktop.ManySystems2.foo.bar") == false);
+
+ policy_free(&p);
+
 return EXIT_SUCCESS;
 }
diff --git a/test/bus-policy/check-own-rules.conf b/test/bus-policy/check-own-rules.conf
new file mode 100644
index 000000000..bc2f415fc
--- /dev/null
+++ b/test/bus-policy/check-own-rules.conf
@@ -0,0 +1,14 @@
+ + + mybususer + unix:path=/foo/bar + tcp:port=1234 + /usr/share/foo + + + + + +
-- 
2.30.2
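Review bot: The new skip condition in check_policy_items is correct but dense: `IN_SET(i->class, POLICY_ITEM_OWN, POLICY_ITEM_OWN_PREFIX) != IN_SET(filter->class, POLICY_ITEM_OWN, POLICY_ITEM_OWN_PREFIX)` is a boolean inequality, and the reason both rule kinds must be walked together is not stated anywhere in the loop. A comment above the `if` would carry it: `/* "own" and "own_prefix" rules compete for the same names, so an ownership query has to see both kinds, in rule order */`. A small `static bool policy_item_is_own_class(PolicyItemClass c)` used on both sides would make the same intent read directly and keep the two IN_SET lists from drifting apart. The loop body and the function's result handling continue outside the hunk, so which matching rule wins (first or last) cannot be confirmed from here.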
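Review bot: The added assertions exercise the prefix boundary well (`ManySystem`, `ManySystems2`), but none of them checks ordering between the two rule kinds, which is exactly what the IN_SET change in check_policy_items exists to enable; an `own_prefix` allow followed by a more specific `own` deny on one name under it would go untested. Whether check-own-rules.conf already holds such a pair cannot be told from this page, since its markup was stripped in extraction. A second assertion group, loading a config with that allow/deny pair and expecting `false` for the denied name while a sibling under the same prefix still yields `true`, would cover the ordering rule the loop's own comment calls out. `ucred` and `p` are set up before this hunk, and main starts outside it.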