1 /* -*- mode: C; c-file-style: "gnu" -*- */
2 /* policy.c Bus security policy
4 * Copyright (C) 2003 Red Hat, Inc.
6 * Licensed under the Academic Free License version 1.2
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
28 #include <dbus/dbus-list.h>
29 #include <dbus/dbus-hash.h>
30 #include <dbus/dbus-internals.h>
33 bus_policy_rule_new (BusPolicyRuleType type,
38 rule = dbus_new0 (BusPolicyRule, 1);
48 case BUS_POLICY_RULE_USER:
49 rule->d.user.uid = DBUS_UID_UNSET;
51 case BUS_POLICY_RULE_GROUP:
52 rule->d.group.gid = DBUS_GID_UNSET;
54 case BUS_POLICY_RULE_SEND:
55 case BUS_POLICY_RULE_RECEIVE:
56 case BUS_POLICY_RULE_OWN:
64 bus_policy_rule_ref (BusPolicyRule *rule)
66 _dbus_assert (rule->refcount > 0);
72 bus_policy_rule_unref (BusPolicyRule *rule)
74 _dbus_assert (rule->refcount > 0);
78 if (rule->refcount == 0)
82 case BUS_POLICY_RULE_SEND:
83 dbus_free (rule->d.send.interface);
84 dbus_free (rule->d.send.member);
85 dbus_free (rule->d.send.error);
86 dbus_free (rule->d.send.destination);
88 case BUS_POLICY_RULE_RECEIVE:
89 dbus_free (rule->d.receive.interface);
90 dbus_free (rule->d.receive.member);
91 dbus_free (rule->d.receive.error);
92 dbus_free (rule->d.receive.origin);
94 case BUS_POLICY_RULE_OWN:
95 dbus_free (rule->d.own.service_name);
97 case BUS_POLICY_RULE_USER:
99 case BUS_POLICY_RULE_GROUP:
111 DBusList *default_rules; /**< Default policy rules */
112 DBusList *mandatory_rules; /**< Mandatory policy rules */
113 DBusHashTable *rules_by_uid; /**< per-UID policy rules */
114 DBusHashTable *rules_by_gid; /**< per-GID policy rules */
118 free_rule_func (void *data,
121 BusPolicyRule *rule = data;
123 bus_policy_rule_unref (rule);
127 free_rule_list_func (void *data)
129 DBusList **list = data;
131 if (list == NULL) /* DBusHashTable is on crack */
134 _dbus_list_foreach (list, free_rule_func, NULL);
136 _dbus_list_clear (list);
142 bus_policy_new (void)
146 policy = dbus_new0 (BusPolicy, 1);
150 policy->refcount = 1;
152 policy->rules_by_uid = _dbus_hash_table_new (DBUS_HASH_ULONG,
154 free_rule_list_func);
155 if (policy->rules_by_uid == NULL)
158 policy->rules_by_gid = _dbus_hash_table_new (DBUS_HASH_ULONG,
160 free_rule_list_func);
161 if (policy->rules_by_gid == NULL)
167 bus_policy_unref (policy);
172 bus_policy_ref (BusPolicy *policy)
174 _dbus_assert (policy->refcount > 0);
176 policy->refcount += 1;
180 bus_policy_unref (BusPolicy *policy)
182 _dbus_assert (policy->refcount > 0);
184 policy->refcount -= 1;
186 if (policy->refcount == 0)
188 _dbus_list_foreach (&policy->default_rules, free_rule_func, NULL);
189 _dbus_list_clear (&policy->default_rules);
191 _dbus_list_foreach (&policy->mandatory_rules, free_rule_func, NULL);
192 _dbus_list_clear (&policy->mandatory_rules);
194 if (policy->rules_by_uid)
196 _dbus_hash_table_unref (policy->rules_by_uid);
197 policy->rules_by_uid = NULL;
200 if (policy->rules_by_gid)
202 _dbus_hash_table_unref (policy->rules_by_gid);
203 policy->rules_by_gid = NULL;
211 add_list_to_client (DBusList **list,
212 BusClientPolicy *client)
216 link = _dbus_list_get_first_link (list);
219 BusPolicyRule *rule = link->data;
220 link = _dbus_list_get_next_link (list, link);
224 case BUS_POLICY_RULE_USER:
225 case BUS_POLICY_RULE_GROUP:
226 /* These aren't per-connection policies */
229 case BUS_POLICY_RULE_OWN:
230 case BUS_POLICY_RULE_SEND:
231 case BUS_POLICY_RULE_RECEIVE:
232 /* These are per-connection */
233 if (!bus_client_policy_append_rule (client, rule))
243 bus_policy_create_client_policy (BusPolicy *policy,
244 DBusConnection *connection,
247 BusClientPolicy *client;
250 _dbus_assert (dbus_connection_get_is_authenticated (connection));
251 _DBUS_ASSERT_ERROR_IS_CLEAR (error);
253 client = bus_client_policy_new ();
257 if (!add_list_to_client (&policy->default_rules,
261 /* we avoid the overhead of looking up user's groups
262 * if we don't have any group rules anyway
264 if (_dbus_hash_table_get_n_entries (policy->rules_by_gid) > 0)
266 unsigned long *groups;
270 if (!bus_connection_get_groups (connection, &groups, &n_groups, error))
278 list = _dbus_hash_table_lookup_ulong (policy->rules_by_gid,
283 if (!add_list_to_client (list, client))
296 if (!dbus_connection_get_unix_user (connection, &uid))
298 dbus_set_error (error, DBUS_ERROR_FAILED,
299 "No user ID known for connection, cannot determine security policy\n");
303 if (_dbus_hash_table_get_n_entries (policy->rules_by_uid) > 0)
307 list = _dbus_hash_table_lookup_ulong (policy->rules_by_uid,
312 if (!add_list_to_client (list, client))
317 if (!add_list_to_client (&policy->mandatory_rules,
321 bus_client_policy_optimize (client);
328 _DBUS_ASSERT_ERROR_IS_SET (error);
330 bus_client_policy_unref (client);
335 list_allows_user (dbus_bool_t def,
338 const unsigned long *group_ids,
346 link = _dbus_list_get_first_link (list);
349 BusPolicyRule *rule = link->data;
350 link = _dbus_list_get_next_link (list, link);
352 if (rule->type == BUS_POLICY_RULE_USER)
354 _dbus_verbose ("List %p user rule uid="DBUS_UID_FORMAT"\n",
355 list, rule->d.user.uid);
357 if (rule->d.user.uid == DBUS_UID_UNSET)
359 else if (rule->d.user.uid != uid)
362 else if (rule->type == BUS_POLICY_RULE_GROUP)
364 _dbus_verbose ("List %p group rule uid="DBUS_UID_FORMAT"\n",
365 list, rule->d.user.uid);
367 if (rule->d.group.gid == DBUS_GID_UNSET)
374 while (i < n_group_ids)
376 if (rule->d.group.gid == group_ids[i])
381 if (i == n_group_ids)
388 allowed = rule->allow;
395 bus_policy_allow_user (BusPolicy *policy,
396 DBusUserDatabase *user_database,
400 unsigned long *group_ids;
403 /* On OOM or error we always reject the user */
404 if (!_dbus_user_database_get_groups (user_database,
405 uid, &group_ids, &n_group_ids, NULL))
407 _dbus_verbose ("Did not get any groups for UID %lu\n",
414 allowed = list_allows_user (allowed,
415 &policy->default_rules,
417 group_ids, n_group_ids);
419 allowed = list_allows_user (allowed,
420 &policy->mandatory_rules,
422 group_ids, n_group_ids);
424 dbus_free (group_ids);
426 _dbus_verbose ("UID %lu allowed = %d\n", uid, allowed);
432 bus_policy_append_default_rule (BusPolicy *policy,
435 if (!_dbus_list_append (&policy->default_rules, rule))
438 bus_policy_rule_ref (rule);
444 bus_policy_append_mandatory_rule (BusPolicy *policy,
447 if (!_dbus_list_append (&policy->mandatory_rules, rule))
450 bus_policy_rule_ref (rule);
456 get_list (DBusHashTable *hash,
461 list = _dbus_hash_table_lookup_ulong (hash, key);
465 list = dbus_new0 (DBusList*, 1);
469 if (!_dbus_hash_table_insert_ulong (hash, key, list))
480 bus_policy_append_user_rule (BusPolicy *policy,
486 list = get_list (policy->rules_by_uid, uid);
491 if (!_dbus_list_append (list, rule))
494 bus_policy_rule_ref (rule);
500 bus_policy_append_group_rule (BusPolicy *policy,
506 list = get_list (policy->rules_by_gid, gid);
511 if (!_dbus_list_append (list, rule))
514 bus_policy_rule_ref (rule);
520 append_copy_of_policy_list (DBusList **list,
521 DBusList **to_append)
528 /* Preallocate all our links */
529 link = _dbus_list_get_first_link (to_append);
532 if (!_dbus_list_append (&tmp_list, link->data))
534 _dbus_list_clear (&tmp_list);
538 link = _dbus_list_get_next_link (to_append, link);
541 /* Now append them */
542 while ((link = _dbus_list_pop_first_link (&tmp_list)))
544 bus_policy_rule_ref (link->data);
545 _dbus_list_append_link (list, link);
552 merge_id_hash (DBusHashTable *dest,
553 DBusHashTable *to_absorb)
557 _dbus_hash_iter_init (to_absorb, &iter);
558 while (_dbus_hash_iter_next (&iter))
560 unsigned long id = _dbus_hash_iter_get_ulong_key (&iter);
561 DBusList **list = _dbus_hash_iter_get_value (&iter);
562 DBusList **target = get_list (dest, id);
567 if (!append_copy_of_policy_list (target, list))
575 bus_policy_merge (BusPolicy *policy,
576 BusPolicy *to_absorb)
578 /* Not properly atomic, but as used for configuration files
579 * we don't rely on it.
581 if (!append_copy_of_policy_list (&policy->default_rules,
582 &to_absorb->default_rules))
585 if (!append_copy_of_policy_list (&policy->mandatory_rules,
586 &to_absorb->mandatory_rules))
589 if (!merge_id_hash (policy->rules_by_uid,
590 to_absorb->rules_by_uid))
593 if (!merge_id_hash (policy->rules_by_gid,
594 to_absorb->rules_by_gid))
600 struct BusClientPolicy
608 bus_client_policy_new (void)
610 BusClientPolicy *policy;
612 policy = dbus_new0 (BusClientPolicy, 1);
616 policy->refcount = 1;
622 bus_client_policy_ref (BusClientPolicy *policy)
624 _dbus_assert (policy->refcount > 0);
626 policy->refcount += 1;
630 rule_unref_foreach (void *data,
633 BusPolicyRule *rule = data;
635 bus_policy_rule_unref (rule);
639 bus_client_policy_unref (BusClientPolicy *policy)
641 _dbus_assert (policy->refcount > 0);
643 policy->refcount -= 1;
645 if (policy->refcount == 0)
647 _dbus_list_foreach (&policy->rules,
651 _dbus_list_clear (&policy->rules);
658 remove_rules_by_type_up_to (BusClientPolicy *policy,
659 BusPolicyRuleType type,
664 link = _dbus_list_get_first_link (&policy->rules);
665 while (link != up_to)
667 BusPolicyRule *rule = link->data;
668 DBusList *next = _dbus_list_get_next_link (&policy->rules, link);
670 if (rule->type == type)
672 _dbus_list_remove_link (&policy->rules, link);
673 bus_policy_rule_unref (rule);
681 bus_client_policy_optimize (BusClientPolicy *policy)
685 /* The idea here is that if we have:
687 * <allow send_interface="foo.bar"/>
688 * <deny send_interface="*"/>
690 * (for example) the deny will always override the allow. So we
691 * delete the allow. Ditto for deny followed by allow, etc. This is
692 * a dumb thing to put in a config file, but the <include> feature
693 * of files allows for an "inheritance and override" pattern where
694 * it could make sense. If an included file wants to "start over"
695 * with a blanket deny, no point keeping the rules from the parent
699 _dbus_verbose ("Optimizing policy with %d rules\n",
700 _dbus_list_get_length (&policy->rules));
702 link = _dbus_list_get_first_link (&policy->rules);
707 dbus_bool_t remove_preceding;
709 next = _dbus_list_get_next_link (&policy->rules, link);
712 remove_preceding = FALSE;
714 _dbus_assert (rule != NULL);
718 case BUS_POLICY_RULE_SEND:
720 rule->d.send.interface == NULL &&
721 rule->d.send.member == NULL &&
722 rule->d.send.error == NULL &&
723 rule->d.send.destination == NULL;
725 case BUS_POLICY_RULE_RECEIVE:
727 rule->d.receive.interface == NULL &&
728 rule->d.receive.member == NULL &&
729 rule->d.receive.error == NULL &&
730 rule->d.receive.origin == NULL;
732 case BUS_POLICY_RULE_OWN:
734 rule->d.own.service_name == NULL;
736 case BUS_POLICY_RULE_USER:
737 case BUS_POLICY_RULE_GROUP:
738 _dbus_assert_not_reached ("invalid rule");
742 if (remove_preceding)
743 remove_rules_by_type_up_to (policy, rule->type,
749 _dbus_verbose ("After optimization, policy has %d rules\n",
750 _dbus_list_get_length (&policy->rules));
754 bus_client_policy_append_rule (BusClientPolicy *policy,
757 _dbus_verbose ("Appending rule %p with type %d to policy %p\n",
758 rule, rule->type, policy);
760 if (!_dbus_list_append (&policy->rules, rule))
763 bus_policy_rule_ref (rule);
769 bus_client_policy_check_can_send (BusClientPolicy *policy,
770 BusRegistry *registry,
771 DBusConnection *receiver,
772 DBusMessage *message)
777 /* policy->rules is in the order the rules appeared
778 * in the config file, i.e. last rule that applies wins
781 _dbus_verbose (" (policy) checking send rules\n");
784 link = _dbus_list_get_first_link (&policy->rules);
787 BusPolicyRule *rule = link->data;
789 link = _dbus_list_get_next_link (&policy->rules, link);
791 /* Rule is skipped if it specifies a different
792 * message name from the message, or a different
793 * destination from the message
796 if (rule->type != BUS_POLICY_RULE_SEND)
798 _dbus_verbose (" (policy) skipping non-send rule\n");
802 if (rule->d.send.interface != NULL)
804 if (!dbus_message_has_interface (message,
805 rule->d.send.interface))
807 _dbus_verbose (" (policy) skipping rule for different interface\n");
811 else if (rule->d.send.member != NULL)
813 if (!dbus_message_has_member (message,
814 rule->d.send.member))
816 _dbus_verbose (" (policy) skipping rule for different member\n");
820 else if (rule->d.send.error != NULL)
822 if (!dbus_message_has_error_name (message,
825 _dbus_verbose (" (policy) skipping rule for different error name\n");
830 if (rule->d.send.destination != NULL)
832 /* receiver can be NULL for messages that are sent to the
833 * message bus itself, we check the strings in that case as
834 * built-in services don't have a DBusConnection but messages
835 * to them have a destination service name.
837 if (receiver == NULL)
839 if (!dbus_message_has_destination (message,
840 rule->d.send.destination))
842 _dbus_verbose (" (policy) skipping rule because message dest is not %s\n",
843 rule->d.send.destination);
852 _dbus_string_init_const (&str, rule->d.send.destination);
854 service = bus_registry_lookup (registry, &str);
857 _dbus_verbose (" (policy) skipping rule because dest %s doesn't exist\n",
858 rule->d.send.destination);
862 if (!bus_service_has_owner (service, receiver))
864 _dbus_verbose (" (policy) skipping rule because dest %s isn't owned by receiver\n",
865 rule->d.send.destination);
872 allowed = rule->allow;
874 _dbus_verbose (" (policy) used rule, allow now = %d\n",
882 bus_client_policy_check_can_receive (BusClientPolicy *policy,
883 BusRegistry *registry,
884 DBusConnection *sender,
885 DBusMessage *message)
890 /* policy->rules is in the order the rules appeared
891 * in the config file, i.e. last rule that applies wins
894 _dbus_verbose (" (policy) checking receive rules\n");
897 link = _dbus_list_get_first_link (&policy->rules);
900 BusPolicyRule *rule = link->data;
902 link = _dbus_list_get_next_link (&policy->rules, link);
904 /* Rule is skipped if it specifies a different
905 * message name from the message, or a different
906 * origin from the message
909 if (rule->type != BUS_POLICY_RULE_RECEIVE)
911 _dbus_verbose (" (policy) skipping non-receive rule\n");
915 if (rule->d.receive.interface != NULL)
917 if (!dbus_message_has_interface (message,
918 rule->d.receive.interface))
920 _dbus_verbose (" (policy) skipping rule for different interface\n");
924 else if (rule->d.receive.member != NULL)
926 if (!dbus_message_has_member (message,
927 rule->d.receive.member))
929 _dbus_verbose (" (policy) skipping rule for different member\n");
933 else if (rule->d.receive.error != NULL)
935 if (!dbus_message_has_error_name (message,
936 rule->d.receive.error))
938 _dbus_verbose (" (policy) skipping rule for different error name\n");
943 if (rule->d.receive.origin != NULL)
945 /* sender can be NULL for messages that originate from the
946 * message bus itself, we check the strings in that case as
947 * built-in services don't have a DBusConnection but will
948 * still set the sender on their messages.
952 if (!dbus_message_has_sender (message,
953 rule->d.receive.origin))
955 _dbus_verbose (" (policy) skipping rule because message sender is not %s\n",
956 rule->d.receive.origin);
965 _dbus_string_init_const (&str, rule->d.receive.origin);
967 service = bus_registry_lookup (registry, &str);
971 _dbus_verbose (" (policy) skipping rule because origin %s doesn't exist\n",
972 rule->d.receive.origin);
976 if (!bus_service_has_owner (service, sender))
978 _dbus_verbose (" (policy) skipping rule because origin %s isn't owned by sender\n",
979 rule->d.receive.origin);
986 allowed = rule->allow;
988 _dbus_verbose (" (policy) used rule, allow now = %d\n",
996 bus_client_policy_check_can_own (BusClientPolicy *policy,
997 DBusConnection *connection,
998 const DBusString *service_name)
1001 dbus_bool_t allowed;
1003 /* policy->rules is in the order the rules appeared
1004 * in the config file, i.e. last rule that applies wins
1008 link = _dbus_list_get_first_link (&policy->rules);
1009 while (link != NULL)
1011 BusPolicyRule *rule = link->data;
1013 link = _dbus_list_get_next_link (&policy->rules, link);
1015 /* Rule is skipped if it specifies a different service name from
1019 if (rule->type != BUS_POLICY_RULE_OWN)
1022 if (rule->d.own.service_name != NULL)
1024 if (!_dbus_string_equal_c_str (service_name,
1025 rule->d.own.service_name))
1030 allowed = rule->allow;
1036 #ifdef DBUS_BUILD_TESTS
1039 bus_policy_test (const DBusString *test_data_dir)
1041 /* This doesn't do anything for now because I decided to do it in
1042 * dispatch.c instead by having some of the clients in dispatch.c
1043 * have particular policies applied to them.
1049 #endif /* DBUS_BUILD_TESTS */