1 /* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
2 /* policy.c Bus security policy
4 * Copyright (C) 2003, 2004 Red Hat, Inc.
6 * Licensed under the Academic Free License version 2.1
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
30 #include <dbus/dbus-list.h>
31 #include <dbus/dbus-hash.h>
32 #include <dbus/dbus-internals.h>
35 bus_policy_rule_new (BusPolicyRuleType type,
36 BusPolicyRuleAccess access)
40 rule = dbus_new0 (BusPolicyRule, 1);
46 rule->access = access;
50 case BUS_POLICY_RULE_USER:
51 rule->d.user.uid = DBUS_UID_UNSET;
53 case BUS_POLICY_RULE_GROUP:
54 rule->d.group.gid = DBUS_GID_UNSET;
56 case BUS_POLICY_RULE_SEND:
57 rule->d.send.message_type = DBUS_MESSAGE_TYPE_INVALID;
58 /* allow rules default to TRUE (only requested replies allowed)
59 * check rules default to TRUE (only requested replies are checked)
60 * deny rules default to FALSE (only unrequested replies denied)
62 rule->d.send.requested_reply = rule->access != BUS_POLICY_RULE_ACCESS_DENY;
64 case BUS_POLICY_RULE_RECEIVE:
65 rule->d.receive.message_type = DBUS_MESSAGE_TYPE_INVALID;
66 /* allow rules default to TRUE (only requested replies allowed)
67 * check rules default to TRUE (only requested replies are checked)
68 * deny rules default to FALSE (only unrequested replies denied)
70 rule->d.receive.requested_reply = rule->access != BUS_POLICY_RULE_ACCESS_DENY;
72 case BUS_POLICY_RULE_OWN:
80 bus_policy_rule_ref (BusPolicyRule *rule)
82 _dbus_assert (rule->refcount > 0);
90 bus_policy_rule_unref (BusPolicyRule *rule)
92 _dbus_assert (rule->refcount > 0);
96 if (rule->refcount == 0)
100 case BUS_POLICY_RULE_SEND:
101 dbus_free (rule->d.send.path);
102 dbus_free (rule->d.send.interface);
103 dbus_free (rule->d.send.member);
104 dbus_free (rule->d.send.error);
105 dbus_free (rule->d.send.destination);
107 case BUS_POLICY_RULE_RECEIVE:
108 dbus_free (rule->d.receive.path);
109 dbus_free (rule->d.receive.interface);
110 dbus_free (rule->d.receive.member);
111 dbus_free (rule->d.receive.error);
112 dbus_free (rule->d.receive.origin);
114 case BUS_POLICY_RULE_OWN:
115 dbus_free (rule->d.own.service_name);
117 case BUS_POLICY_RULE_USER:
119 case BUS_POLICY_RULE_GROUP:
123 dbus_free (rule->privilege);
132 DBusList *default_rules; /**< Default policy rules */
133 DBusList *mandatory_rules; /**< Mandatory policy rules */
134 DBusHashTable *rules_by_uid; /**< per-UID policy rules */
135 DBusHashTable *rules_by_gid; /**< per-GID policy rules */
136 DBusList *at_console_true_rules; /**< console user policy rules where at_console="true"*/
137 DBusList *at_console_false_rules; /**< console user policy rules where at_console="false"*/
141 free_rule_func (void *data,
144 BusPolicyRule *rule = data;
146 bus_policy_rule_unref (rule);
150 free_rule_list_func (void *data)
152 DBusList **list = data;
154 if (list == NULL) /* DBusHashTable is on crack */
157 _dbus_list_foreach (list, free_rule_func, NULL);
159 _dbus_list_clear (list);
165 bus_policy_new (void)
169 policy = dbus_new0 (BusPolicy, 1);
173 policy->refcount = 1;
175 policy->rules_by_uid = _dbus_hash_table_new (DBUS_HASH_UINTPTR,
177 free_rule_list_func);
178 if (policy->rules_by_uid == NULL)
181 policy->rules_by_gid = _dbus_hash_table_new (DBUS_HASH_UINTPTR,
183 free_rule_list_func);
184 if (policy->rules_by_gid == NULL)
190 bus_policy_unref (policy);
195 bus_policy_ref (BusPolicy *policy)
197 _dbus_assert (policy->refcount > 0);
199 policy->refcount += 1;
205 bus_policy_unref (BusPolicy *policy)
207 _dbus_assert (policy->refcount > 0);
209 policy->refcount -= 1;
211 if (policy->refcount == 0)
213 _dbus_list_foreach (&policy->default_rules, free_rule_func, NULL);
214 _dbus_list_clear (&policy->default_rules);
216 _dbus_list_foreach (&policy->mandatory_rules, free_rule_func, NULL);
217 _dbus_list_clear (&policy->mandatory_rules);
219 _dbus_list_foreach (&policy->at_console_true_rules, free_rule_func, NULL);
220 _dbus_list_clear (&policy->at_console_true_rules);
222 _dbus_list_foreach (&policy->at_console_false_rules, free_rule_func, NULL);
223 _dbus_list_clear (&policy->at_console_false_rules);
225 if (policy->rules_by_uid)
227 _dbus_hash_table_unref (policy->rules_by_uid);
228 policy->rules_by_uid = NULL;
231 if (policy->rules_by_gid)
233 _dbus_hash_table_unref (policy->rules_by_gid);
234 policy->rules_by_gid = NULL;
242 add_list_to_client (DBusList **list,
243 BusClientPolicy *client)
247 link = _dbus_list_get_first_link (list);
250 BusPolicyRule *rule = link->data;
251 link = _dbus_list_get_next_link (list, link);
255 case BUS_POLICY_RULE_USER:
256 case BUS_POLICY_RULE_GROUP:
257 /* These aren't per-connection policies */
260 case BUS_POLICY_RULE_OWN:
261 case BUS_POLICY_RULE_SEND:
262 case BUS_POLICY_RULE_RECEIVE:
263 /* These are per-connection */
264 if (!bus_client_policy_append_rule (client, rule))
274 bus_policy_create_client_policy (BusPolicy *policy,
275 DBusConnection *connection,
278 BusClientPolicy *client;
280 dbus_bool_t at_console;
282 _dbus_assert (dbus_connection_get_is_authenticated (connection));
283 _DBUS_ASSERT_ERROR_IS_CLEAR (error);
285 client = bus_client_policy_new ();
289 if (!add_list_to_client (&policy->default_rules,
293 /* we avoid the overhead of looking up user's groups
294 * if we don't have any group rules anyway
296 if (_dbus_hash_table_get_n_entries (policy->rules_by_gid) > 0)
298 unsigned long *groups;
302 if (!bus_connection_get_unix_groups (connection, &groups, &n_groups, error))
310 list = _dbus_hash_table_lookup_uintptr (policy->rules_by_gid,
315 if (!add_list_to_client (list, client))
328 if (dbus_connection_get_unix_user (connection, &uid))
330 if (_dbus_hash_table_get_n_entries (policy->rules_by_uid) > 0)
334 list = _dbus_hash_table_lookup_uintptr (policy->rules_by_uid,
339 if (!add_list_to_client (list, client))
344 /* Add console rules */
345 at_console = _dbus_unix_user_is_at_console (uid, error);
349 if (!add_list_to_client (&policy->at_console_true_rules, client))
352 else if (dbus_error_is_set (error) == TRUE)
356 else if (!add_list_to_client (&policy->at_console_false_rules, client))
362 if (!add_list_to_client (&policy->mandatory_rules,
366 bus_client_policy_optimize (client);
373 _DBUS_ASSERT_ERROR_IS_SET (error);
375 bus_client_policy_unref (client);
380 list_allows_user (dbus_bool_t def,
383 const unsigned long *group_ids,
391 link = _dbus_list_get_first_link (list);
394 BusPolicyRule *rule = link->data;
395 link = _dbus_list_get_next_link (list, link);
397 if (rule->type == BUS_POLICY_RULE_USER)
399 _dbus_verbose ("List %p user rule uid="DBUS_UID_FORMAT"\n",
400 list, rule->d.user.uid);
402 if (rule->d.user.uid == DBUS_UID_UNSET)
404 else if (rule->d.user.uid != uid)
407 else if (rule->type == BUS_POLICY_RULE_GROUP)
409 _dbus_verbose ("List %p group rule gid="DBUS_GID_FORMAT"\n",
410 list, rule->d.group.gid);
412 if (rule->d.group.gid == DBUS_GID_UNSET)
419 while (i < n_group_ids)
421 if (rule->d.group.gid == group_ids[i])
426 if (i == n_group_ids)
433 /* We don't intend to support <check user="..." /> and <check group="..." />
434 rules. They are treated like deny.
436 allowed = rule->access == BUS_POLICY_RULE_ACCESS_ALLOW;
443 bus_policy_allow_unix_user (BusPolicy *policy,
447 unsigned long *group_ids;
450 /* On OOM or error we always reject the user */
451 if (!_dbus_unix_groups_from_uid (uid, &group_ids, &n_group_ids))
453 _dbus_verbose ("Did not get any groups for UID %lu\n",
458 /* Default to "user owning bus" can connect */
459 allowed = _dbus_unix_user_is_process_owner (uid);
461 allowed = list_allows_user (allowed,
462 &policy->default_rules,
464 group_ids, n_group_ids);
466 allowed = list_allows_user (allowed,
467 &policy->mandatory_rules,
469 group_ids, n_group_ids);
471 dbus_free (group_ids);
473 _dbus_verbose ("UID %lu allowed = %d\n", uid, allowed);
478 /* For now this is never actually called because the default
479 * DBusConnection behavior of 'same user that owns the bus can
480 * connect' is all it would do. Set the windows user function in
481 * connection.c if the config file ever supports doing something
485 bus_policy_allow_windows_user (BusPolicy *policy,
486 const char *windows_sid)
488 /* Windows has no policies here since only the session bus
489 * is really used for now, so just checking that the
490 * connecting person is the same as the bus owner is fine.
492 return _dbus_windows_user_is_process_owner (windows_sid);
496 bus_policy_append_default_rule (BusPolicy *policy,
499 if (!_dbus_list_append (&policy->default_rules, rule))
502 bus_policy_rule_ref (rule);
508 bus_policy_append_mandatory_rule (BusPolicy *policy,
511 if (!_dbus_list_append (&policy->mandatory_rules, rule))
514 bus_policy_rule_ref (rule);
522 get_list (DBusHashTable *hash,
527 list = _dbus_hash_table_lookup_uintptr (hash, key);
531 list = dbus_new0 (DBusList*, 1);
535 if (!_dbus_hash_table_insert_uintptr (hash, key, list))
546 bus_policy_append_user_rule (BusPolicy *policy,
552 list = get_list (policy->rules_by_uid, uid);
557 if (!_dbus_list_append (list, rule))
560 bus_policy_rule_ref (rule);
566 bus_policy_append_group_rule (BusPolicy *policy,
572 list = get_list (policy->rules_by_gid, gid);
577 if (!_dbus_list_append (list, rule))
580 bus_policy_rule_ref (rule);
586 bus_policy_append_console_rule (BusPolicy *policy,
587 dbus_bool_t at_console,
592 if (!_dbus_list_append (&policy->at_console_true_rules, rule))
597 if (!_dbus_list_append (&policy->at_console_false_rules, rule))
601 bus_policy_rule_ref (rule);
608 append_copy_of_policy_list (DBusList **list,
609 DBusList **to_append)
616 /* Preallocate all our links */
617 link = _dbus_list_get_first_link (to_append);
620 if (!_dbus_list_append (&tmp_list, link->data))
622 _dbus_list_clear (&tmp_list);
626 link = _dbus_list_get_next_link (to_append, link);
629 /* Now append them */
630 while ((link = _dbus_list_pop_first_link (&tmp_list)))
632 bus_policy_rule_ref (link->data);
633 _dbus_list_append_link (list, link);
640 merge_id_hash (DBusHashTable *dest,
641 DBusHashTable *to_absorb)
645 _dbus_hash_iter_init (to_absorb, &iter);
646 while (_dbus_hash_iter_next (&iter))
648 unsigned long id = _dbus_hash_iter_get_uintptr_key (&iter);
649 DBusList **list = _dbus_hash_iter_get_value (&iter);
650 DBusList **target = get_list (dest, id);
655 if (!append_copy_of_policy_list (target, list))
663 bus_policy_merge (BusPolicy *policy,
664 BusPolicy *to_absorb)
666 /* FIXME Not properly atomic, but as used for configuration files we
667 * don't rely on it quite so much.
670 if (!append_copy_of_policy_list (&policy->default_rules,
671 &to_absorb->default_rules))
674 if (!append_copy_of_policy_list (&policy->mandatory_rules,
675 &to_absorb->mandatory_rules))
678 if (!append_copy_of_policy_list (&policy->at_console_true_rules,
679 &to_absorb->at_console_true_rules))
682 if (!append_copy_of_policy_list (&policy->at_console_false_rules,
683 &to_absorb->at_console_false_rules))
686 if (!merge_id_hash (policy->rules_by_uid,
687 to_absorb->rules_by_uid))
690 if (!merge_id_hash (policy->rules_by_gid,
691 to_absorb->rules_by_gid))
697 struct BusClientPolicy
705 bus_client_policy_new (void)
707 BusClientPolicy *policy;
709 policy = dbus_new0 (BusClientPolicy, 1);
713 policy->refcount = 1;
719 bus_client_policy_ref (BusClientPolicy *policy)
721 _dbus_assert (policy->refcount > 0);
723 policy->refcount += 1;
729 rule_unref_foreach (void *data,
732 BusPolicyRule *rule = data;
734 bus_policy_rule_unref (rule);
738 bus_client_policy_unref (BusClientPolicy *policy)
740 _dbus_assert (policy->refcount > 0);
742 policy->refcount -= 1;
744 if (policy->refcount == 0)
746 _dbus_list_foreach (&policy->rules,
750 _dbus_list_clear (&policy->rules);
757 remove_rules_by_type_up_to (BusClientPolicy *policy,
758 BusPolicyRuleType type,
763 link = _dbus_list_get_first_link (&policy->rules);
764 while (link != up_to)
766 BusPolicyRule *rule = link->data;
767 DBusList *next = _dbus_list_get_next_link (&policy->rules, link);
769 if (rule->type == type)
771 _dbus_list_remove_link (&policy->rules, link);
772 bus_policy_rule_unref (rule);
780 bus_client_policy_optimize (BusClientPolicy *policy)
784 /* The idea here is that if we have:
786 * <allow send_interface="foo.bar"/>
787 * <deny send_interface="*"/>
789 * (for example) the deny will always override the allow. So we
790 * delete the allow. Ditto for deny followed by allow, etc. This is
791 * a dumb thing to put in a config file, but the <include> feature
792 * of files allows for an "inheritance and override" pattern where
793 * it could make sense. If an included file wants to "start over"
794 * with a blanket deny, no point keeping the rules from the parent
798 _dbus_verbose ("Optimizing policy with %d rules\n",
799 _dbus_list_get_length (&policy->rules));
801 link = _dbus_list_get_first_link (&policy->rules);
806 dbus_bool_t remove_preceding;
808 next = _dbus_list_get_next_link (&policy->rules, link);
811 remove_preceding = FALSE;
813 _dbus_assert (rule != NULL);
817 case BUS_POLICY_RULE_SEND:
819 rule->d.send.message_type == DBUS_MESSAGE_TYPE_INVALID &&
820 rule->d.send.path == NULL &&
821 rule->d.send.interface == NULL &&
822 rule->d.send.member == NULL &&
823 rule->d.send.error == NULL &&
824 rule->d.send.destination == NULL;
826 case BUS_POLICY_RULE_RECEIVE:
828 rule->d.receive.message_type == DBUS_MESSAGE_TYPE_INVALID &&
829 rule->d.receive.path == NULL &&
830 rule->d.receive.interface == NULL &&
831 rule->d.receive.member == NULL &&
832 rule->d.receive.error == NULL &&
833 rule->d.receive.origin == NULL;
835 case BUS_POLICY_RULE_OWN:
837 rule->d.own.service_name == NULL;
839 case BUS_POLICY_RULE_USER:
840 case BUS_POLICY_RULE_GROUP:
841 _dbus_assert_not_reached ("invalid rule");
845 if (remove_preceding)
846 remove_rules_by_type_up_to (policy, rule->type,
852 _dbus_verbose ("After optimization, policy has %d rules\n",
853 _dbus_list_get_length (&policy->rules));
857 bus_client_policy_append_rule (BusClientPolicy *policy,
860 _dbus_verbose ("Appending rule %p with type %d to policy %p\n",
861 rule, rule->type, policy);
863 if (!_dbus_list_append (&policy->rules, rule))
866 bus_policy_rule_ref (rule);
872 bus_client_policy_check_can_send (DBusConnection *sender,
873 BusClientPolicy *policy,
874 BusRegistry *registry,
875 dbus_bool_t requested_reply,
876 DBusConnection *addressed_recipient,
877 DBusConnection *receiver,
878 DBusMessage *message,
879 dbus_int32_t *toggles,
881 const char **privilege_param,
882 BusDeferredMessage **deferred_message)
886 const char *privilege;
888 /* policy->rules is in the order the rules appeared
889 * in the config file, i.e. last rule that applies wins
892 _dbus_verbose (" (policy) checking send rules\n");
895 result = BUS_RESULT_FALSE;
896 link = _dbus_list_get_first_link (&policy->rules);
899 BusPolicyRule *rule = link->data;
901 link = _dbus_list_get_next_link (&policy->rules, link);
903 /* Rule is skipped if it specifies a different
904 * message name from the message, or a different
905 * destination from the message
908 if (rule->type != BUS_POLICY_RULE_SEND)
910 _dbus_verbose (" (policy) skipping non-send rule\n");
914 if (rule->d.send.message_type != DBUS_MESSAGE_TYPE_INVALID)
916 if (dbus_message_get_type (message) != rule->d.send.message_type)
918 _dbus_verbose (" (policy) skipping rule for different message type\n");
923 /* If it's a reply, the requested_reply flag kicks in */
924 if (dbus_message_get_reply_serial (message) != 0)
926 /* for allow or check requested_reply=true means the rule applies
927 * only when reply was requested. requested_reply=false means the
928 * rule always applies
930 if (!requested_reply && rule->access != BUS_POLICY_RULE_ACCESS_DENY && rule->d.send.requested_reply && !rule->d.send.eavesdrop)
932 _dbus_verbose (" (policy) skipping %s rule since it only applies to requested replies and does not allow eavesdropping\n",
933 rule->access == BUS_POLICY_RULE_ACCESS_ALLOW ? "allow" : "check");
937 /* for deny, requested_reply=false means the rule applies only
938 * when the reply was not requested. requested_reply=true means the
939 * rule always applies.
941 if (requested_reply && rule->access == BUS_POLICY_RULE_ACCESS_DENY && !rule->d.send.requested_reply)
943 _dbus_verbose (" (policy) skipping deny rule since it only applies to unrequested replies\n");
948 if (rule->d.send.path != NULL)
950 if (dbus_message_get_path (message) != NULL &&
951 strcmp (dbus_message_get_path (message),
952 rule->d.send.path) != 0)
954 _dbus_verbose (" (policy) skipping rule for different path\n");
959 if (rule->d.send.interface != NULL)
961 /* The interface is optional in messages. For allow rules, if the message
962 * has no interface we want to skip the rule (and thus not allow);
963 * for deny rules, if the message has no interface we want to use the
964 * rule (and thus deny). Check rules are meant to be used like allow
965 * rules (they can grant access, but not remove it), so we treat it like
968 dbus_bool_t no_interface;
970 no_interface = dbus_message_get_interface (message) == NULL;
972 if ((no_interface && rule->access != BUS_POLICY_RULE_ACCESS_DENY) ||
974 strcmp (dbus_message_get_interface (message),
975 rule->d.send.interface) != 0))
977 _dbus_verbose (" (policy) skipping rule for different interface\n");
982 if (rule->d.send.member != NULL)
984 if (dbus_message_get_member (message) != NULL &&
985 strcmp (dbus_message_get_member (message),
986 rule->d.send.member) != 0)
988 _dbus_verbose (" (policy) skipping rule for different member\n");
993 if (rule->d.send.error != NULL)
995 if (dbus_message_get_error_name (message) != NULL &&
996 strcmp (dbus_message_get_error_name (message),
997 rule->d.send.error) != 0)
999 _dbus_verbose (" (policy) skipping rule for different error name\n");
1004 if (rule->d.send.destination != NULL)
1006 /* receiver can be NULL for messages that are sent to the
1007 * message bus itself, we check the strings in that case as
1008 * built-in services don't have a DBusConnection but messages
1009 * to them have a destination service name.
1011 if (receiver == NULL)
1013 if (!dbus_message_has_destination (message,
1014 rule->d.send.destination))
1016 _dbus_verbose (" (policy) skipping rule because message dest is not %s\n",
1017 rule->d.send.destination);
1024 BusService *service;
1026 _dbus_string_init_const (&str, rule->d.send.destination);
1028 service = bus_registry_lookup (registry, &str);
1029 if (service == NULL)
1031 _dbus_verbose (" (policy) skipping rule because dest %s doesn't exist\n",
1032 rule->d.send.destination);
1036 if (!bus_service_has_owner (service, receiver))
1038 _dbus_verbose (" (policy) skipping rule because dest %s isn't owned by receiver\n",
1039 rule->d.send.destination);
1046 switch (rule->access)
1048 case BUS_POLICY_RULE_ACCESS_ALLOW:
1049 result = BUS_RESULT_TRUE;
1051 case BUS_POLICY_RULE_ACCESS_DENY:
1052 result = BUS_RESULT_FALSE;
1054 case BUS_POLICY_RULE_ACCESS_CHECK:
1055 result = BUS_RESULT_LATER;
1056 privilege = rule->privilege;
1060 *log = rule->d.send.log;
1063 _dbus_verbose (" (policy) used rule, result now = %d\n",
1067 if (result == BUS_RESULT_LATER)
1069 BusContext *context = bus_connection_get_context(sender);
1070 BusCheck *check = bus_context_get_check(context);
1072 result = bus_check_privilege(check, message, sender, addressed_recipient, receiver,
1073 privilege, BUS_DEFERRED_MESSAGE_CHECK_SEND, deferred_message);
1074 if (result == BUS_RESULT_LATER && deferred_message != NULL)
1075 bus_deferred_message_set_policy_check_info(*deferred_message, requested_reply,
1076 *toggles, privilege);
1081 if (privilege_param != NULL)
1082 *privilege_param = privilege;
1087 /* See docs on what the args mean on bus_context_check_security_policy()
1091 bus_client_policy_check_can_receive (BusClientPolicy *policy,
1092 BusRegistry *registry,
1093 dbus_bool_t requested_reply,
1094 DBusConnection *sender,
1095 DBusConnection *addressed_recipient,
1096 DBusConnection *proposed_recipient,
1097 DBusMessage *message,
1098 dbus_int32_t *toggles,
1099 const char **privilege_param,
1100 BusDeferredMessage **deferred_message)
1103 dbus_bool_t eavesdropping;
1105 const char *privilege;
1108 addressed_recipient != proposed_recipient &&
1109 dbus_message_get_destination (message) != NULL;
1111 /* policy->rules is in the order the rules appeared
1112 * in the config file, i.e. last rule that applies wins
1115 _dbus_verbose (" (policy) checking receive rules, eavesdropping = %d\n", eavesdropping);
1118 result = BUS_RESULT_FALSE;
1119 link = _dbus_list_get_first_link (&policy->rules);
1120 while (link != NULL)
1122 BusPolicyRule *rule = link->data;
1124 link = _dbus_list_get_next_link (&policy->rules, link);
1126 if (rule->type != BUS_POLICY_RULE_RECEIVE)
1128 _dbus_verbose (" (policy) skipping non-receive rule\n");
1132 if (rule->d.receive.message_type != DBUS_MESSAGE_TYPE_INVALID)
1134 if (dbus_message_get_type (message) != rule->d.receive.message_type)
1136 _dbus_verbose (" (policy) skipping rule for different message type\n");
1142 /* for allow or check, eavesdrop=false means the rule doesn't apply when
1143 * eavesdropping. eavesdrop=true means the rule always applies
1145 if (eavesdropping && rule->access != BUS_POLICY_RULE_ACCESS_DENY && !rule->d.receive.eavesdrop)
1147 _dbus_verbose (" (policy) skipping %s rule since it doesn't apply to eavesdropping\n",
1148 rule->access == BUS_POLICY_RULE_ACCESS_ALLOW ? "allow" : "check");
1152 /* for deny, eavesdrop=true means the rule applies only when
1153 * eavesdropping; eavesdrop=false means always deny.
1155 if (!eavesdropping && rule->access == BUS_POLICY_RULE_ACCESS_DENY && rule->d.receive.eavesdrop)
1157 _dbus_verbose (" (policy) skipping deny rule since it only applies to eavesdropping\n");
1161 /* If it's a reply, the requested_reply flag kicks in */
1162 if (dbus_message_get_reply_serial (message) != 0)
1164 /* for allow or check requested_reply=true means the rule applies
1165 * only when reply was requested. requested_reply=false means the
1166 * rule always applies
1168 if (!requested_reply && rule->access != BUS_POLICY_RULE_ACCESS_DENY && rule->d.send.requested_reply && !rule->d.send.eavesdrop)
1170 _dbus_verbose (" (policy) skipping %s rule since it only applies to requested replies and does not allow eavesdropping\n",
1171 rule->access == BUS_POLICY_RULE_ACCESS_DENY ? "allow" : "deny");
1175 /* for deny, requested_reply=false means the rule applies only
1176 * when the reply was not requested. requested_reply=true means the
1177 * rule always applies.
1179 if (requested_reply && rule->access == BUS_POLICY_RULE_ACCESS_DENY && !rule->d.receive.requested_reply)
1181 _dbus_verbose (" (policy) skipping deny rule since it only applies to unrequested replies\n");
1186 if (rule->d.receive.path != NULL)
1188 if (dbus_message_get_path (message) != NULL &&
1189 strcmp (dbus_message_get_path (message),
1190 rule->d.receive.path) != 0)
1192 _dbus_verbose (" (policy) skipping rule for different path\n");
1197 if (rule->d.receive.interface != NULL)
1199 /* The interface is optional in messages. For allow rules, if the message
1200 * has no interface we want to skip the rule (and thus not allow);
1201 * for deny rules, if the message has no interface we want to use the
1202 * rule (and thus deny). Check rules are treated like allow rules.
1204 dbus_bool_t no_interface;
1206 no_interface = dbus_message_get_interface (message) == NULL;
1208 if ((no_interface && rule->access != BUS_POLICY_RULE_ACCESS_DENY) ||
1210 strcmp (dbus_message_get_interface (message),
1211 rule->d.receive.interface) != 0))
1213 _dbus_verbose (" (policy) skipping rule for different interface\n");
1218 if (rule->d.receive.member != NULL)
1220 if (dbus_message_get_member (message) != NULL &&
1221 strcmp (dbus_message_get_member (message),
1222 rule->d.receive.member) != 0)
1224 _dbus_verbose (" (policy) skipping rule for different member\n");
1229 if (rule->d.receive.error != NULL)
1231 if (dbus_message_get_error_name (message) != NULL &&
1232 strcmp (dbus_message_get_error_name (message),
1233 rule->d.receive.error) != 0)
1235 _dbus_verbose (" (policy) skipping rule for different error name\n");
1240 if (rule->d.receive.origin != NULL)
1242 /* sender can be NULL for messages that originate from the
1243 * message bus itself, we check the strings in that case as
1244 * built-in services don't have a DBusConnection but will
1245 * still set the sender on their messages.
1249 if (!dbus_message_has_sender (message,
1250 rule->d.receive.origin))
1252 _dbus_verbose (" (policy) skipping rule because message sender is not %s\n",
1253 rule->d.receive.origin);
1259 BusService *service;
1262 _dbus_string_init_const (&str, rule->d.receive.origin);
1264 service = bus_registry_lookup (registry, &str);
1266 if (service == NULL)
1268 _dbus_verbose (" (policy) skipping rule because origin %s doesn't exist\n",
1269 rule->d.receive.origin);
1273 if (!bus_service_has_owner (service, sender))
1275 _dbus_verbose (" (policy) skipping rule because origin %s isn't owned by sender\n",
1276 rule->d.receive.origin);
1283 switch (rule->access)
1285 case BUS_POLICY_RULE_ACCESS_ALLOW:
1286 result = BUS_RESULT_TRUE;
1288 case BUS_POLICY_RULE_ACCESS_DENY:
1289 result = BUS_RESULT_FALSE;
1291 case BUS_POLICY_RULE_ACCESS_CHECK:
1292 result = BUS_RESULT_LATER;
1293 privilege = rule->privilege;
1299 _dbus_verbose (" (policy) used rule, result now = %d\n",
1304 if (result == BUS_RESULT_LATER)
1306 BusContext *context = bus_connection_get_context(proposed_recipient);
1307 BusCheck *check = bus_context_get_check(context);
1309 result = bus_check_privilege(check, message, sender, addressed_recipient, proposed_recipient,
1310 privilege, BUS_DEFERRED_MESSAGE_CHECK_RECEIVE, deferred_message);
1311 if (result == BUS_RESULT_LATER && deferred_message != NULL)
1312 bus_deferred_message_set_policy_check_info(*deferred_message, requested_reply,
1313 *toggles, privilege);
1318 if (privilege_param != NULL)
1319 *privilege_param = privilege;
1327 bus_rules_check_can_own (DBusList *rules,
1328 const DBusString *service_name,
1329 DBusConnection *connection,
1330 DBusMessage *message)
1334 const char *privilege;
1336 /* rules is in the order the rules appeared
1337 * in the config file, i.e. last rule that applies wins
1340 result = BUS_RESULT_FALSE;
1341 link = _dbus_list_get_first_link (&rules);
1342 while (link != NULL)
1344 BusPolicyRule *rule = link->data;
1346 link = _dbus_list_get_next_link (&rules, link);
1348 /* Rule is skipped if it specifies a different service name from
1352 if (rule->type != BUS_POLICY_RULE_OWN)
1355 if (!rule->d.own.prefix && rule->d.own.service_name != NULL)
1357 if (!_dbus_string_equal_c_str (service_name,
1358 rule->d.own.service_name))
1361 else if (rule->d.own.prefix)
1365 if (!_dbus_string_starts_with_c_str (service_name,
1366 rule->d.own.service_name))
1369 data = _dbus_string_get_const_data (service_name);
1370 next_char = data[strlen (rule->d.own.service_name)];
1371 if (next_char != '\0' && next_char != '.')
1376 switch (rule->access)
1378 case BUS_POLICY_RULE_ACCESS_ALLOW:
1379 result = BUS_RESULT_TRUE;
1381 case BUS_POLICY_RULE_ACCESS_DENY:
1382 result = BUS_RESULT_FALSE;
1384 case BUS_POLICY_RULE_ACCESS_CHECK:
1385 result = BUS_RESULT_LATER;
1386 privilege = rule->privilege;
1391 if (result == BUS_RESULT_LATER)
1393 BusContext *context = bus_connection_get_context(connection);
1394 BusCheck *check = bus_context_get_check(context);
1395 BusDeferredMessage *deferred_message;
1397 result = bus_check_privilege(check, message, connection, NULL, NULL,
1398 privilege, BUS_DEFERRED_MESSAGE_CHECK_OWN, &deferred_message);
1399 if (result == BUS_RESULT_LATER)
1401 bus_deferred_message_disable_sender(deferred_message);
1409 bus_client_policy_check_can_own (BusClientPolicy *policy,
1410 const DBusString *service_name,
1411 DBusConnection *connection,
1412 DBusMessage *message)
1414 return bus_rules_check_can_own (policy->rules, service_name, connection, message);
1417 #ifdef DBUS_ENABLE_EMBEDDED_TESTS
1419 bus_policy_check_can_own (BusPolicy *policy,
1420 const DBusString *service_name)
1422 return bus_rules_check_can_own (policy->default_rules, service_name, NULL, NULL);
1424 #endif /* DBUS_ENABLE_EMBEDDED_TESTS */