1 /* -*- mode: C; c-file-style: "gnu" -*- */
2 /* policy.c Bus security policy
4 * Copyright (C) 2003 Red Hat, Inc.
6 * Licensed under the Academic Free License version 1.2
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
28 #include <dbus/dbus-list.h>
29 #include <dbus/dbus-hash.h>
30 #include <dbus/dbus-internals.h>
33 bus_policy_rule_new (BusPolicyRuleType type,
38 rule = dbus_new0 (BusPolicyRule, 1);
48 case BUS_POLICY_RULE_USER:
49 rule->d.user.uid = DBUS_UID_UNSET;
51 case BUS_POLICY_RULE_GROUP:
52 rule->d.group.gid = DBUS_GID_UNSET;
54 case BUS_POLICY_RULE_SEND:
55 case BUS_POLICY_RULE_RECEIVE:
56 case BUS_POLICY_RULE_OWN:
64 bus_policy_rule_ref (BusPolicyRule *rule)
66 _dbus_assert (rule->refcount > 0);
72 bus_policy_rule_unref (BusPolicyRule *rule)
74 _dbus_assert (rule->refcount > 0);
78 if (rule->refcount == 0)
82 case BUS_POLICY_RULE_SEND:
83 dbus_free (rule->d.send.message_name);
84 dbus_free (rule->d.send.destination);
86 case BUS_POLICY_RULE_RECEIVE:
87 dbus_free (rule->d.receive.message_name);
88 dbus_free (rule->d.receive.origin);
90 case BUS_POLICY_RULE_OWN:
91 dbus_free (rule->d.own.service_name);
93 case BUS_POLICY_RULE_USER:
95 case BUS_POLICY_RULE_GROUP:
107 DBusList *default_rules; /**< Default policy rules */
108 DBusList *mandatory_rules; /**< Mandatory policy rules */
109 DBusHashTable *rules_by_uid; /**< per-UID policy rules */
110 DBusHashTable *rules_by_gid; /**< per-GID policy rules */
114 free_rule_func (void *data,
117 BusPolicyRule *rule = data;
119 bus_policy_rule_unref (rule);
123 free_rule_list_func (void *data)
125 DBusList **list = data;
127 if (list == NULL) /* DBusHashTable is on crack */
130 _dbus_list_foreach (list, free_rule_func, NULL);
132 _dbus_list_clear (list);
138 bus_policy_new (void)
142 policy = dbus_new0 (BusPolicy, 1);
146 policy->refcount = 1;
148 policy->rules_by_uid = _dbus_hash_table_new (DBUS_HASH_ULONG,
150 free_rule_list_func);
151 if (policy->rules_by_uid == NULL)
154 policy->rules_by_gid = _dbus_hash_table_new (DBUS_HASH_ULONG,
156 free_rule_list_func);
157 if (policy->rules_by_gid == NULL)
163 bus_policy_unref (policy);
168 bus_policy_ref (BusPolicy *policy)
170 _dbus_assert (policy->refcount > 0);
172 policy->refcount += 1;
176 bus_policy_unref (BusPolicy *policy)
178 _dbus_assert (policy->refcount > 0);
180 policy->refcount -= 1;
182 if (policy->refcount == 0)
184 _dbus_list_foreach (&policy->default_rules, free_rule_func, NULL);
185 _dbus_list_clear (&policy->default_rules);
187 _dbus_list_foreach (&policy->mandatory_rules, free_rule_func, NULL);
188 _dbus_list_clear (&policy->mandatory_rules);
190 if (policy->rules_by_uid)
192 _dbus_hash_table_unref (policy->rules_by_uid);
193 policy->rules_by_uid = NULL;
196 if (policy->rules_by_gid)
198 _dbus_hash_table_unref (policy->rules_by_gid);
199 policy->rules_by_gid = NULL;
207 add_list_to_client (DBusList **list,
208 BusClientPolicy *client)
212 link = _dbus_list_get_first_link (list);
215 BusPolicyRule *rule = link->data;
216 link = _dbus_list_get_next_link (list, link);
220 case BUS_POLICY_RULE_USER:
221 case BUS_POLICY_RULE_GROUP:
222 /* These aren't per-connection policies */
225 case BUS_POLICY_RULE_OWN:
226 case BUS_POLICY_RULE_SEND:
227 case BUS_POLICY_RULE_RECEIVE:
228 /* These are per-connection */
229 if (!bus_client_policy_append_rule (client, rule))
239 bus_policy_create_client_policy (BusPolicy *policy,
240 DBusConnection *connection,
243 BusClientPolicy *client;
246 _dbus_assert (dbus_connection_get_is_authenticated (connection));
247 _DBUS_ASSERT_ERROR_IS_CLEAR (error);
249 client = bus_client_policy_new ();
253 if (!add_list_to_client (&policy->default_rules,
257 /* we avoid the overhead of looking up user's groups
258 * if we don't have any group rules anyway
260 if (_dbus_hash_table_get_n_entries (policy->rules_by_gid) > 0)
262 unsigned long *groups;
266 if (!bus_connection_get_groups (connection, &groups, &n_groups, error))
274 list = _dbus_hash_table_lookup_ulong (policy->rules_by_gid,
279 if (!add_list_to_client (list, client))
292 if (!dbus_connection_get_unix_user (connection, &uid))
294 dbus_set_error (error, DBUS_ERROR_FAILED,
295 "No user ID known for connection, cannot determine security policy\n");
299 if (_dbus_hash_table_get_n_entries (policy->rules_by_uid) > 0)
303 list = _dbus_hash_table_lookup_ulong (policy->rules_by_uid,
308 if (!add_list_to_client (list, client))
313 if (!add_list_to_client (&policy->mandatory_rules,
317 bus_client_policy_optimize (client);
324 _DBUS_ASSERT_ERROR_IS_SET (error);
326 bus_client_policy_unref (client);
331 list_allows_user (dbus_bool_t def,
334 const unsigned long *group_ids,
342 link = _dbus_list_get_first_link (list);
345 BusPolicyRule *rule = link->data;
346 link = _dbus_list_get_next_link (list, link);
348 if (rule->type == BUS_POLICY_RULE_USER)
350 _dbus_verbose ("List %p user rule uid="DBUS_UID_FORMAT"\n",
351 list, rule->d.user.uid);
353 if (rule->d.user.uid == DBUS_UID_UNSET)
355 else if (rule->d.user.uid != uid)
358 else if (rule->type == BUS_POLICY_RULE_GROUP)
360 _dbus_verbose ("List %p group rule uid="DBUS_UID_FORMAT"\n",
361 list, rule->d.user.uid);
363 if (rule->d.group.gid == DBUS_GID_UNSET)
370 while (i < n_group_ids)
372 if (rule->d.group.gid == group_ids[i])
377 if (i == n_group_ids)
384 allowed = rule->allow;
391 bus_policy_allow_user (BusPolicy *policy,
392 DBusUserDatabase *user_database,
396 unsigned long *group_ids;
399 /* On OOM or error we always reject the user */
400 if (!_dbus_user_database_get_groups (user_database,
401 uid, &group_ids, &n_group_ids, NULL))
403 _dbus_verbose ("Did not get any groups for UID %lu\n",
410 allowed = list_allows_user (allowed,
411 &policy->default_rules,
413 group_ids, n_group_ids);
415 allowed = list_allows_user (allowed,
416 &policy->mandatory_rules,
418 group_ids, n_group_ids);
420 dbus_free (group_ids);
422 _dbus_verbose ("UID %lu allowed = %d\n", uid, allowed);
428 bus_policy_append_default_rule (BusPolicy *policy,
431 if (!_dbus_list_append (&policy->default_rules, rule))
434 bus_policy_rule_ref (rule);
440 bus_policy_append_mandatory_rule (BusPolicy *policy,
443 if (!_dbus_list_append (&policy->mandatory_rules, rule))
446 bus_policy_rule_ref (rule);
452 get_list (DBusHashTable *hash,
457 list = _dbus_hash_table_lookup_ulong (hash, key);
461 list = dbus_new0 (DBusList*, 1);
465 if (!_dbus_hash_table_insert_ulong (hash, key, list))
476 bus_policy_append_user_rule (BusPolicy *policy,
482 list = get_list (policy->rules_by_uid, uid);
487 if (!_dbus_list_append (list, rule))
490 bus_policy_rule_ref (rule);
496 bus_policy_append_group_rule (BusPolicy *policy,
502 list = get_list (policy->rules_by_gid, gid);
507 if (!_dbus_list_append (list, rule))
510 bus_policy_rule_ref (rule);
516 append_copy_of_policy_list (DBusList **list,
517 DBusList **to_append)
524 /* Preallocate all our links */
525 link = _dbus_list_get_first_link (to_append);
528 if (!_dbus_list_append (&tmp_list, link->data))
530 _dbus_list_clear (&tmp_list);
534 link = _dbus_list_get_next_link (to_append, link);
537 /* Now append them */
538 while ((link = _dbus_list_pop_first_link (&tmp_list)))
540 bus_policy_rule_ref (link->data);
541 _dbus_list_append_link (list, link);
548 merge_id_hash (DBusHashTable *dest,
549 DBusHashTable *to_absorb)
553 _dbus_hash_iter_init (to_absorb, &iter);
554 while (_dbus_hash_iter_next (&iter))
556 unsigned long id = _dbus_hash_iter_get_ulong_key (&iter);
557 DBusList **list = _dbus_hash_iter_get_value (&iter);
558 DBusList **target = get_list (dest, id);
563 if (!append_copy_of_policy_list (target, list))
571 bus_policy_merge (BusPolicy *policy,
572 BusPolicy *to_absorb)
574 /* Not properly atomic, but as used for configuration files
575 * we don't rely on it.
577 if (!append_copy_of_policy_list (&policy->default_rules,
578 &to_absorb->default_rules))
581 if (!append_copy_of_policy_list (&policy->mandatory_rules,
582 &to_absorb->mandatory_rules))
585 if (!merge_id_hash (policy->rules_by_uid,
586 to_absorb->rules_by_uid))
589 if (!merge_id_hash (policy->rules_by_gid,
590 to_absorb->rules_by_gid))
596 struct BusClientPolicy
604 bus_client_policy_new (void)
606 BusClientPolicy *policy;
608 policy = dbus_new0 (BusClientPolicy, 1);
612 policy->refcount = 1;
618 bus_client_policy_ref (BusClientPolicy *policy)
620 _dbus_assert (policy->refcount > 0);
622 policy->refcount += 1;
626 rule_unref_foreach (void *data,
629 BusPolicyRule *rule = data;
631 bus_policy_rule_unref (rule);
635 bus_client_policy_unref (BusClientPolicy *policy)
637 _dbus_assert (policy->refcount > 0);
639 policy->refcount -= 1;
641 if (policy->refcount == 0)
643 _dbus_list_foreach (&policy->rules,
647 _dbus_list_clear (&policy->rules);
654 remove_rules_by_type_up_to (BusClientPolicy *policy,
655 BusPolicyRuleType type,
660 link = _dbus_list_get_first_link (&policy->rules);
661 while (link != up_to)
663 BusPolicyRule *rule = link->data;
664 DBusList *next = _dbus_list_get_next_link (&policy->rules, link);
666 if (rule->type == type)
668 _dbus_list_remove_link (&policy->rules, link);
669 bus_policy_rule_unref (rule);
677 bus_client_policy_optimize (BusClientPolicy *policy)
681 /* The idea here is that if we have:
683 * <allow send="foo"/>
686 * (for example) the deny will always override the allow. So we
687 * delete the allow. Ditto for deny followed by allow, etc. This is
688 * a dumb thing to put in a config file, but the <include> feature
689 * of files allows for an "inheritance and override" pattern where
690 * it could make sense. If an included file wants to "start over"
691 * with a blanket deny, no point keeping the rules from the parent
695 _dbus_verbose ("Optimizing policy with %d rules\n",
696 _dbus_list_get_length (&policy->rules));
698 link = _dbus_list_get_first_link (&policy->rules);
703 dbus_bool_t remove_preceding;
705 next = _dbus_list_get_next_link (&policy->rules, link);
708 remove_preceding = FALSE;
710 _dbus_assert (rule != NULL);
714 case BUS_POLICY_RULE_SEND:
716 rule->d.send.message_name == NULL &&
717 rule->d.send.destination == NULL;
719 case BUS_POLICY_RULE_RECEIVE:
721 rule->d.receive.message_name == NULL &&
722 rule->d.receive.origin == NULL;
724 case BUS_POLICY_RULE_OWN:
726 rule->d.own.service_name == NULL;
728 case BUS_POLICY_RULE_USER:
729 case BUS_POLICY_RULE_GROUP:
730 _dbus_assert_not_reached ("invalid rule");
734 if (remove_preceding)
735 remove_rules_by_type_up_to (policy, rule->type,
741 _dbus_verbose ("After optimization, policy has %d rules\n",
742 _dbus_list_get_length (&policy->rules));
746 bus_client_policy_append_rule (BusClientPolicy *policy,
749 _dbus_verbose ("Appending rule %p with type %d to policy %p\n",
750 rule, rule->type, policy);
752 if (!_dbus_list_append (&policy->rules, rule))
755 bus_policy_rule_ref (rule);
761 bus_client_policy_check_can_send (BusClientPolicy *policy,
762 BusRegistry *registry,
763 DBusConnection *receiver,
764 DBusMessage *message)
769 /* policy->rules is in the order the rules appeared
770 * in the config file, i.e. last rule that applies wins
773 _dbus_verbose (" (policy) checking send rules\n");
776 link = _dbus_list_get_first_link (&policy->rules);
779 BusPolicyRule *rule = link->data;
781 link = _dbus_list_get_next_link (&policy->rules, link);
783 /* Rule is skipped if it specifies a different
784 * message name from the message, or a different
785 * destination from the message
788 if (rule->type != BUS_POLICY_RULE_SEND)
790 _dbus_verbose (" (policy) skipping non-send rule\n");
794 if (rule->d.send.message_name != NULL)
796 if (!dbus_message_has_name (message,
797 rule->d.send.message_name))
799 _dbus_verbose (" (policy) skipping rule for different message name\n");
804 if (rule->d.send.destination != NULL)
806 /* receiver can be NULL for messages that are sent to the
807 * message bus itself, we check the strings in that case as
808 * built-in services don't have a DBusConnection but messages
809 * to them have a destination service name.
811 if (receiver == NULL)
813 if (!dbus_message_has_destination (message,
814 rule->d.send.destination))
816 _dbus_verbose (" (policy) skipping rule because message dest is not %s\n",
817 rule->d.send.destination);
826 _dbus_string_init_const (&str, rule->d.send.destination);
828 service = bus_registry_lookup (registry, &str);
831 _dbus_verbose (" (policy) skipping rule because dest %s doesn't exist\n",
832 rule->d.send.destination);
836 if (!bus_service_has_owner (service, receiver))
838 _dbus_verbose (" (policy) skipping rule because dest %s isn't owned by receiver\n",
839 rule->d.send.destination);
846 allowed = rule->allow;
848 _dbus_verbose (" (policy) used rule, allow now = %d\n",
856 bus_client_policy_check_can_receive (BusClientPolicy *policy,
857 BusRegistry *registry,
858 DBusConnection *sender,
859 DBusMessage *message)
864 /* policy->rules is in the order the rules appeared
865 * in the config file, i.e. last rule that applies wins
868 _dbus_verbose (" (policy) checking receive rules\n");
871 link = _dbus_list_get_first_link (&policy->rules);
874 BusPolicyRule *rule = link->data;
876 link = _dbus_list_get_next_link (&policy->rules, link);
878 /* Rule is skipped if it specifies a different
879 * message name from the message, or a different
880 * origin from the message
883 if (rule->type != BUS_POLICY_RULE_RECEIVE)
885 _dbus_verbose (" (policy) skipping non-receive rule\n");
889 if (rule->d.receive.message_name != NULL)
891 if (!dbus_message_has_name (message,
892 rule->d.receive.message_name))
894 _dbus_verbose (" (policy) skipping rule for different message name\n");
899 if (rule->d.receive.origin != NULL)
901 /* sender can be NULL for messages that originate from the
902 * message bus itself, we check the strings in that case as
903 * built-in services don't have a DBusConnection but will
904 * still set the sender on their messages.
908 if (!dbus_message_has_sender (message,
909 rule->d.receive.origin))
911 _dbus_verbose (" (policy) skipping rule because message sender is not %s\n",
912 rule->d.receive.origin);
921 _dbus_string_init_const (&str, rule->d.receive.origin);
923 service = bus_registry_lookup (registry, &str);
927 _dbus_verbose (" (policy) skipping rule because origin %s doesn't exist\n",
928 rule->d.receive.origin);
932 if (!bus_service_has_owner (service, sender))
934 _dbus_verbose (" (policy) skipping rule because origin %s isn't owned by sender\n",
935 rule->d.receive.origin);
942 allowed = rule->allow;
944 _dbus_verbose (" (policy) used rule, allow now = %d\n",
952 bus_client_policy_check_can_own (BusClientPolicy *policy,
953 DBusConnection *connection,
954 const DBusString *service_name)
959 /* policy->rules is in the order the rules appeared
960 * in the config file, i.e. last rule that applies wins
964 link = _dbus_list_get_first_link (&policy->rules);
967 BusPolicyRule *rule = link->data;
969 link = _dbus_list_get_next_link (&policy->rules, link);
971 /* Rule is skipped if it specifies a different service name from
975 if (rule->type != BUS_POLICY_RULE_OWN)
978 if (rule->d.own.service_name != NULL)
980 if (!_dbus_string_equal_c_str (service_name,
981 rule->d.own.service_name))
986 allowed = rule->allow;
992 #ifdef DBUS_BUILD_TESTS
995 bus_policy_test (const DBusString *test_data_dir)
997 /* This doesn't do anything for now because I decided to do it in
998 * dispatch.c instead by having some of the clients in dispatch.c
999 * have particular policies applied to them.
1005 #endif /* DBUS_BUILD_TESTS */