1 /* -*- mode: C; c-file-style: "gnu" -*- */
2 /* policy.c Bus security policy
4 * Copyright (C) 2003, 2004 Red Hat, Inc.
6 * Licensed under the Academic Free License version 2.0
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
28 #include <dbus/dbus-list.h>
29 #include <dbus/dbus-hash.h>
30 #include <dbus/dbus-internals.h>
33 bus_policy_rule_new (BusPolicyRuleType type,
38 rule = dbus_new0 (BusPolicyRule, 1);
48 case BUS_POLICY_RULE_USER:
49 rule->d.user.uid = DBUS_UID_UNSET;
51 case BUS_POLICY_RULE_GROUP:
52 rule->d.group.gid = DBUS_GID_UNSET;
54 case BUS_POLICY_RULE_SEND:
55 rule->d.send.message_type = DBUS_MESSAGE_TYPE_INVALID;
57 /* allow rules default to TRUE (only requested replies allowed)
58 * deny rules default to FALSE (only unrequested replies denied)
60 rule->d.send.requested_reply = rule->allow;
62 case BUS_POLICY_RULE_RECEIVE:
63 rule->d.receive.message_type = DBUS_MESSAGE_TYPE_INVALID;
64 /* allow rules default to TRUE (only requested replies allowed)
65 * deny rules default to FALSE (only unrequested replies denied)
67 rule->d.receive.requested_reply = rule->allow;
69 case BUS_POLICY_RULE_OWN:
77 bus_policy_rule_ref (BusPolicyRule *rule)
79 _dbus_assert (rule->refcount > 0);
87 bus_policy_rule_unref (BusPolicyRule *rule)
89 _dbus_assert (rule->refcount > 0);
93 if (rule->refcount == 0)
97 case BUS_POLICY_RULE_SEND:
98 dbus_free (rule->d.send.path);
99 dbus_free (rule->d.send.interface);
100 dbus_free (rule->d.send.member);
101 dbus_free (rule->d.send.error);
102 dbus_free (rule->d.send.destination);
104 case BUS_POLICY_RULE_RECEIVE:
105 dbus_free (rule->d.receive.path);
106 dbus_free (rule->d.receive.interface);
107 dbus_free (rule->d.receive.member);
108 dbus_free (rule->d.receive.error);
109 dbus_free (rule->d.receive.origin);
111 case BUS_POLICY_RULE_OWN:
112 dbus_free (rule->d.own.service_name);
114 case BUS_POLICY_RULE_USER:
116 case BUS_POLICY_RULE_GROUP:
128 DBusList *default_rules; /**< Default policy rules */
129 DBusList *mandatory_rules; /**< Mandatory policy rules */
130 DBusHashTable *rules_by_uid; /**< per-UID policy rules */
131 DBusHashTable *rules_by_gid; /**< per-GID policy rules */
135 free_rule_func (void *data,
138 BusPolicyRule *rule = data;
140 bus_policy_rule_unref (rule);
144 free_rule_list_func (void *data)
146 DBusList **list = data;
148 if (list == NULL) /* DBusHashTable is on crack */
151 _dbus_list_foreach (list, free_rule_func, NULL);
153 _dbus_list_clear (list);
159 bus_policy_new (void)
163 policy = dbus_new0 (BusPolicy, 1);
167 policy->refcount = 1;
169 policy->rules_by_uid = _dbus_hash_table_new (DBUS_HASH_ULONG,
171 free_rule_list_func);
172 if (policy->rules_by_uid == NULL)
175 policy->rules_by_gid = _dbus_hash_table_new (DBUS_HASH_ULONG,
177 free_rule_list_func);
178 if (policy->rules_by_gid == NULL)
184 bus_policy_unref (policy);
189 bus_policy_ref (BusPolicy *policy)
191 _dbus_assert (policy->refcount > 0);
193 policy->refcount += 1;
199 bus_policy_unref (BusPolicy *policy)
201 _dbus_assert (policy->refcount > 0);
203 policy->refcount -= 1;
205 if (policy->refcount == 0)
207 _dbus_list_foreach (&policy->default_rules, free_rule_func, NULL);
208 _dbus_list_clear (&policy->default_rules);
210 _dbus_list_foreach (&policy->mandatory_rules, free_rule_func, NULL);
211 _dbus_list_clear (&policy->mandatory_rules);
213 if (policy->rules_by_uid)
215 _dbus_hash_table_unref (policy->rules_by_uid);
216 policy->rules_by_uid = NULL;
219 if (policy->rules_by_gid)
221 _dbus_hash_table_unref (policy->rules_by_gid);
222 policy->rules_by_gid = NULL;
230 add_list_to_client (DBusList **list,
231 BusClientPolicy *client)
235 link = _dbus_list_get_first_link (list);
238 BusPolicyRule *rule = link->data;
239 link = _dbus_list_get_next_link (list, link);
243 case BUS_POLICY_RULE_USER:
244 case BUS_POLICY_RULE_GROUP:
245 /* These aren't per-connection policies */
248 case BUS_POLICY_RULE_OWN:
249 case BUS_POLICY_RULE_SEND:
250 case BUS_POLICY_RULE_RECEIVE:
251 /* These are per-connection */
252 if (!bus_client_policy_append_rule (client, rule))
262 bus_policy_create_client_policy (BusPolicy *policy,
263 DBusConnection *connection,
266 BusClientPolicy *client;
269 _dbus_assert (dbus_connection_get_is_authenticated (connection));
270 _DBUS_ASSERT_ERROR_IS_CLEAR (error);
272 client = bus_client_policy_new ();
276 if (!add_list_to_client (&policy->default_rules,
280 /* we avoid the overhead of looking up user's groups
281 * if we don't have any group rules anyway
283 if (_dbus_hash_table_get_n_entries (policy->rules_by_gid) > 0)
285 unsigned long *groups;
289 if (!bus_connection_get_groups (connection, &groups, &n_groups, error))
297 list = _dbus_hash_table_lookup_ulong (policy->rules_by_gid,
302 if (!add_list_to_client (list, client))
315 if (!dbus_connection_get_unix_user (connection, &uid))
317 dbus_set_error (error, DBUS_ERROR_FAILED,
318 "No user ID known for connection, cannot determine security policy\n");
322 if (_dbus_hash_table_get_n_entries (policy->rules_by_uid) > 0)
326 list = _dbus_hash_table_lookup_ulong (policy->rules_by_uid,
331 if (!add_list_to_client (list, client))
336 if (!add_list_to_client (&policy->mandatory_rules,
340 bus_client_policy_optimize (client);
347 _DBUS_ASSERT_ERROR_IS_SET (error);
349 bus_client_policy_unref (client);
354 list_allows_user (dbus_bool_t def,
357 const unsigned long *group_ids,
365 link = _dbus_list_get_first_link (list);
368 BusPolicyRule *rule = link->data;
369 link = _dbus_list_get_next_link (list, link);
371 if (rule->type == BUS_POLICY_RULE_USER)
373 _dbus_verbose ("List %p user rule uid="DBUS_UID_FORMAT"\n",
374 list, rule->d.user.uid);
376 if (rule->d.user.uid == DBUS_UID_UNSET)
378 else if (rule->d.user.uid != uid)
381 else if (rule->type == BUS_POLICY_RULE_GROUP)
383 _dbus_verbose ("List %p group rule uid="DBUS_UID_FORMAT"\n",
384 list, rule->d.user.uid);
386 if (rule->d.group.gid == DBUS_GID_UNSET)
393 while (i < n_group_ids)
395 if (rule->d.group.gid == group_ids[i])
400 if (i == n_group_ids)
407 allowed = rule->allow;
414 bus_policy_allow_user (BusPolicy *policy,
415 DBusUserDatabase *user_database,
419 unsigned long *group_ids;
422 /* On OOM or error we always reject the user */
423 if (!_dbus_user_database_get_groups (user_database,
424 uid, &group_ids, &n_group_ids, NULL))
426 _dbus_verbose ("Did not get any groups for UID %lu\n",
433 allowed = list_allows_user (allowed,
434 &policy->default_rules,
436 group_ids, n_group_ids);
438 allowed = list_allows_user (allowed,
439 &policy->mandatory_rules,
441 group_ids, n_group_ids);
443 dbus_free (group_ids);
445 _dbus_verbose ("UID %lu allowed = %d\n", uid, allowed);
451 bus_policy_append_default_rule (BusPolicy *policy,
454 if (!_dbus_list_append (&policy->default_rules, rule))
457 bus_policy_rule_ref (rule);
463 bus_policy_append_mandatory_rule (BusPolicy *policy,
466 if (!_dbus_list_append (&policy->mandatory_rules, rule))
469 bus_policy_rule_ref (rule);
475 get_list (DBusHashTable *hash,
480 list = _dbus_hash_table_lookup_ulong (hash, key);
484 list = dbus_new0 (DBusList*, 1);
488 if (!_dbus_hash_table_insert_ulong (hash, key, list))
499 bus_policy_append_user_rule (BusPolicy *policy,
505 list = get_list (policy->rules_by_uid, uid);
510 if (!_dbus_list_append (list, rule))
513 bus_policy_rule_ref (rule);
519 bus_policy_append_group_rule (BusPolicy *policy,
525 list = get_list (policy->rules_by_gid, gid);
530 if (!_dbus_list_append (list, rule))
533 bus_policy_rule_ref (rule);
539 append_copy_of_policy_list (DBusList **list,
540 DBusList **to_append)
547 /* Preallocate all our links */
548 link = _dbus_list_get_first_link (to_append);
551 if (!_dbus_list_append (&tmp_list, link->data))
553 _dbus_list_clear (&tmp_list);
557 link = _dbus_list_get_next_link (to_append, link);
560 /* Now append them */
561 while ((link = _dbus_list_pop_first_link (&tmp_list)))
563 bus_policy_rule_ref (link->data);
564 _dbus_list_append_link (list, link);
571 merge_id_hash (DBusHashTable *dest,
572 DBusHashTable *to_absorb)
576 _dbus_hash_iter_init (to_absorb, &iter);
577 while (_dbus_hash_iter_next (&iter))
579 unsigned long id = _dbus_hash_iter_get_ulong_key (&iter);
580 DBusList **list = _dbus_hash_iter_get_value (&iter);
581 DBusList **target = get_list (dest, id);
586 if (!append_copy_of_policy_list (target, list))
594 bus_policy_merge (BusPolicy *policy,
595 BusPolicy *to_absorb)
597 /* FIXME Not properly atomic, but as used for configuration files we
598 * don't rely on it quite so much.
601 if (!append_copy_of_policy_list (&policy->default_rules,
602 &to_absorb->default_rules))
605 if (!append_copy_of_policy_list (&policy->mandatory_rules,
606 &to_absorb->mandatory_rules))
609 if (!merge_id_hash (policy->rules_by_uid,
610 to_absorb->rules_by_uid))
613 if (!merge_id_hash (policy->rules_by_gid,
614 to_absorb->rules_by_gid))
620 struct BusClientPolicy
628 bus_client_policy_new (void)
630 BusClientPolicy *policy;
632 policy = dbus_new0 (BusClientPolicy, 1);
636 policy->refcount = 1;
642 bus_client_policy_ref (BusClientPolicy *policy)
644 _dbus_assert (policy->refcount > 0);
646 policy->refcount += 1;
652 rule_unref_foreach (void *data,
655 BusPolicyRule *rule = data;
657 bus_policy_rule_unref (rule);
661 bus_client_policy_unref (BusClientPolicy *policy)
663 _dbus_assert (policy->refcount > 0);
665 policy->refcount -= 1;
667 if (policy->refcount == 0)
669 _dbus_list_foreach (&policy->rules,
673 _dbus_list_clear (&policy->rules);
680 remove_rules_by_type_up_to (BusClientPolicy *policy,
681 BusPolicyRuleType type,
686 link = _dbus_list_get_first_link (&policy->rules);
687 while (link != up_to)
689 BusPolicyRule *rule = link->data;
690 DBusList *next = _dbus_list_get_next_link (&policy->rules, link);
692 if (rule->type == type)
694 _dbus_list_remove_link (&policy->rules, link);
695 bus_policy_rule_unref (rule);
703 bus_client_policy_optimize (BusClientPolicy *policy)
707 /* The idea here is that if we have:
709 * <allow send_interface="foo.bar"/>
710 * <deny send_interface="*"/>
712 * (for example) the deny will always override the allow. So we
713 * delete the allow. Ditto for deny followed by allow, etc. This is
714 * a dumb thing to put in a config file, but the <include> feature
715 * of files allows for an "inheritance and override" pattern where
716 * it could make sense. If an included file wants to "start over"
717 * with a blanket deny, no point keeping the rules from the parent
721 _dbus_verbose ("Optimizing policy with %d rules\n",
722 _dbus_list_get_length (&policy->rules));
724 link = _dbus_list_get_first_link (&policy->rules);
729 dbus_bool_t remove_preceding;
731 next = _dbus_list_get_next_link (&policy->rules, link);
734 remove_preceding = FALSE;
736 _dbus_assert (rule != NULL);
740 case BUS_POLICY_RULE_SEND:
742 rule->d.send.message_type == DBUS_MESSAGE_TYPE_INVALID &&
743 rule->d.send.path == NULL &&
744 rule->d.send.interface == NULL &&
745 rule->d.send.member == NULL &&
746 rule->d.send.error == NULL &&
747 rule->d.send.destination == NULL;
749 case BUS_POLICY_RULE_RECEIVE:
751 rule->d.receive.message_type == DBUS_MESSAGE_TYPE_INVALID &&
752 rule->d.receive.path == NULL &&
753 rule->d.receive.interface == NULL &&
754 rule->d.receive.member == NULL &&
755 rule->d.receive.error == NULL &&
756 rule->d.receive.origin == NULL;
758 case BUS_POLICY_RULE_OWN:
760 rule->d.own.service_name == NULL;
762 case BUS_POLICY_RULE_USER:
763 case BUS_POLICY_RULE_GROUP:
764 _dbus_assert_not_reached ("invalid rule");
768 if (remove_preceding)
769 remove_rules_by_type_up_to (policy, rule->type,
775 _dbus_verbose ("After optimization, policy has %d rules\n",
776 _dbus_list_get_length (&policy->rules));
780 bus_client_policy_append_rule (BusClientPolicy *policy,
783 _dbus_verbose ("Appending rule %p with type %d to policy %p\n",
784 rule, rule->type, policy);
786 if (!_dbus_list_append (&policy->rules, rule))
789 bus_policy_rule_ref (rule);
795 bus_client_policy_check_can_send (BusClientPolicy *policy,
796 BusRegistry *registry,
797 dbus_bool_t requested_reply,
798 DBusConnection *receiver,
799 DBusMessage *message)
804 /* policy->rules is in the order the rules appeared
805 * in the config file, i.e. last rule that applies wins
808 _dbus_verbose (" (policy) checking send rules\n");
811 link = _dbus_list_get_first_link (&policy->rules);
814 BusPolicyRule *rule = link->data;
816 link = _dbus_list_get_next_link (&policy->rules, link);
818 /* Rule is skipped if it specifies a different
819 * message name from the message, or a different
820 * destination from the message
823 if (rule->type != BUS_POLICY_RULE_SEND)
825 _dbus_verbose (" (policy) skipping non-send rule\n");
829 if (rule->d.send.message_type != DBUS_MESSAGE_TYPE_INVALID)
831 if (dbus_message_get_type (message) != rule->d.send.message_type)
833 _dbus_verbose (" (policy) skipping rule for different message type\n");
838 /* If it's a reply, the requested_reply flag kicks in */
839 if (dbus_message_get_reply_serial (message) != 0)
841 /* for allow, requested_reply=true means the rule applies
842 * only when reply was requested. requested_reply=false means
845 if (!requested_reply && rule->allow && rule->d.send.requested_reply)
847 _dbus_verbose (" (policy) skipping allow rule since it only applies to requested replies\n");
851 /* for deny, requested_reply=false means the rule applies only
852 * when the reply was not requested. requested_reply=true means the
853 * rule always applies.
855 if (requested_reply && !rule->allow && !rule->d.send.requested_reply)
857 _dbus_verbose (" (policy) skipping deny rule since it only applies to unrequested replies\n");
862 if (rule->d.send.path != NULL)
864 if (dbus_message_get_path (message) != NULL &&
865 strcmp (dbus_message_get_path (message),
866 rule->d.send.path) != 0)
868 _dbus_verbose (" (policy) skipping rule for different path\n");
873 if (rule->d.send.interface != NULL)
875 if (dbus_message_get_interface (message) != NULL &&
876 strcmp (dbus_message_get_interface (message),
877 rule->d.send.interface) != 0)
879 _dbus_verbose (" (policy) skipping rule for different interface\n");
884 if (rule->d.send.member != NULL)
886 if (dbus_message_get_member (message) != NULL &&
887 strcmp (dbus_message_get_member (message),
888 rule->d.send.member) != 0)
890 _dbus_verbose (" (policy) skipping rule for different member\n");
895 if (rule->d.send.error != NULL)
897 if (dbus_message_get_error_name (message) != NULL &&
898 strcmp (dbus_message_get_error_name (message),
899 rule->d.send.error) != 0)
901 _dbus_verbose (" (policy) skipping rule for different error name\n");
906 if (rule->d.send.destination != NULL)
908 /* receiver can be NULL for messages that are sent to the
909 * message bus itself, we check the strings in that case as
910 * built-in services don't have a DBusConnection but messages
911 * to them have a destination service name.
913 if (receiver == NULL)
915 if (!dbus_message_has_destination (message,
916 rule->d.send.destination))
918 _dbus_verbose (" (policy) skipping rule because message dest is not %s\n",
919 rule->d.send.destination);
928 _dbus_string_init_const (&str, rule->d.send.destination);
930 service = bus_registry_lookup (registry, &str);
933 _dbus_verbose (" (policy) skipping rule because dest %s doesn't exist\n",
934 rule->d.send.destination);
938 if (!bus_service_has_owner (service, receiver))
940 _dbus_verbose (" (policy) skipping rule because dest %s isn't owned by receiver\n",
941 rule->d.send.destination);
948 allowed = rule->allow;
950 _dbus_verbose (" (policy) used rule, allow now = %d\n",
957 /* See docs on what the args mean on bus_context_check_security_policy()
961 bus_client_policy_check_can_receive (BusClientPolicy *policy,
962 BusRegistry *registry,
963 dbus_bool_t requested_reply,
964 DBusConnection *sender,
965 DBusConnection *addressed_recipient,
966 DBusConnection *proposed_recipient,
967 DBusMessage *message)
971 dbus_bool_t eavesdropping;
974 addressed_recipient != proposed_recipient &&
975 dbus_message_get_destination (message) != NULL;
977 /* policy->rules is in the order the rules appeared
978 * in the config file, i.e. last rule that applies wins
981 _dbus_verbose (" (policy) checking receive rules, eavesdropping = %d\n", eavesdropping);
984 link = _dbus_list_get_first_link (&policy->rules);
987 BusPolicyRule *rule = link->data;
989 link = _dbus_list_get_next_link (&policy->rules, link);
991 if (rule->type != BUS_POLICY_RULE_RECEIVE)
993 _dbus_verbose (" (policy) skipping non-receive rule\n");
997 if (rule->d.receive.message_type != DBUS_MESSAGE_TYPE_INVALID)
999 if (dbus_message_get_type (message) != rule->d.receive.message_type)
1001 _dbus_verbose (" (policy) skipping rule for different message type\n");
1006 /* for allow, eavesdrop=false means the rule doesn't apply when
1007 * eavesdropping. eavesdrop=true means always allow.
1009 if (eavesdropping && rule->allow && !rule->d.receive.eavesdrop)
1011 _dbus_verbose (" (policy) skipping allow rule since it doesn't apply to eavesdropping\n");
1015 /* for deny, eavesdrop=true means the rule applies only when
1016 * eavesdropping; eavesdrop=false means always deny.
1018 if (!eavesdropping && !rule->allow && rule->d.receive.eavesdrop)
1020 _dbus_verbose (" (policy) skipping deny rule since it only applies to eavesdropping\n");
1024 /* If it's a reply, the requested_reply flag kicks in */
1025 if (dbus_message_get_reply_serial (message) != 0)
1027 /* for allow, requested_reply=true means the rule applies
1028 * only when reply was requested. requested_reply=false means
1031 if (!requested_reply && rule->allow && rule->d.receive.requested_reply)
1033 _dbus_verbose (" (policy) skipping allow rule since it only applies to requested replies\n");
1037 /* for deny, requested_reply=false means the rule applies only
1038 * when the reply was not requested. requested_reply=true means the
1039 * rule always applies.
1041 if (requested_reply && !rule->allow && !rule->d.receive.requested_reply)
1043 _dbus_verbose (" (policy) skipping deny rule since it only applies to unrequested replies\n");
1048 if (rule->d.receive.path != NULL)
1050 if (dbus_message_get_path (message) != NULL &&
1051 strcmp (dbus_message_get_path (message),
1052 rule->d.receive.path) != 0)
1054 _dbus_verbose (" (policy) skipping rule for different path\n");
1059 if (rule->d.receive.interface != NULL)
1061 if (dbus_message_get_interface (message) != NULL &&
1062 strcmp (dbus_message_get_interface (message),
1063 rule->d.receive.interface) != 0)
1065 _dbus_verbose (" (policy) skipping rule for different interface\n");
1070 if (rule->d.receive.member != NULL)
1072 if (dbus_message_get_member (message) != NULL &&
1073 strcmp (dbus_message_get_member (message),
1074 rule->d.receive.member) != 0)
1076 _dbus_verbose (" (policy) skipping rule for different member\n");
1081 if (rule->d.receive.error != NULL)
1083 if (dbus_message_get_error_name (message) != NULL &&
1084 strcmp (dbus_message_get_error_name (message),
1085 rule->d.receive.error) != 0)
1087 _dbus_verbose (" (policy) skipping rule for different error name\n");
1092 if (rule->d.receive.origin != NULL)
1094 /* sender can be NULL for messages that originate from the
1095 * message bus itself, we check the strings in that case as
1096 * built-in services don't have a DBusConnection but will
1097 * still set the sender on their messages.
1101 if (!dbus_message_has_sender (message,
1102 rule->d.receive.origin))
1104 _dbus_verbose (" (policy) skipping rule because message sender is not %s\n",
1105 rule->d.receive.origin);
1111 BusService *service;
1114 _dbus_string_init_const (&str, rule->d.receive.origin);
1116 service = bus_registry_lookup (registry, &str);
1118 if (service == NULL)
1120 _dbus_verbose (" (policy) skipping rule because origin %s doesn't exist\n",
1121 rule->d.receive.origin);
1125 if (!bus_service_has_owner (service, sender))
1127 _dbus_verbose (" (policy) skipping rule because origin %s isn't owned by sender\n",
1128 rule->d.receive.origin);
1135 allowed = rule->allow;
1137 _dbus_verbose (" (policy) used rule, allow now = %d\n",
1145 bus_client_policy_check_can_own (BusClientPolicy *policy,
1146 DBusConnection *connection,
1147 const DBusString *service_name)
1150 dbus_bool_t allowed;
1152 /* policy->rules is in the order the rules appeared
1153 * in the config file, i.e. last rule that applies wins
1157 link = _dbus_list_get_first_link (&policy->rules);
1158 while (link != NULL)
1160 BusPolicyRule *rule = link->data;
1162 link = _dbus_list_get_next_link (&policy->rules, link);
1164 /* Rule is skipped if it specifies a different service name from
1168 if (rule->type != BUS_POLICY_RULE_OWN)
1171 if (rule->d.own.service_name != NULL)
1173 if (!_dbus_string_equal_c_str (service_name,
1174 rule->d.own.service_name))
1179 allowed = rule->allow;
1185 #ifdef DBUS_BUILD_TESTS
1188 bus_policy_test (const DBusString *test_data_dir)
1190 /* This doesn't do anything for now because I decided to do it in
1191 * dispatch.c instead by having some of the clients in dispatch.c
1192 * have particular policies applied to them.
1198 #endif /* DBUS_BUILD_TESTS */
projects / platform / upstream / dbus.git / blob