1 /* -*- mode: C; c-file-style: "gnu" -*- */
2 /* policy.c Bus security policy
4 * Copyright (C) 2003 Red Hat, Inc.
6 * Licensed under the Academic Free License version 1.2
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
28 #include <dbus/dbus-list.h>
29 #include <dbus/dbus-hash.h>
30 #include <dbus/dbus-internals.h>
33 bus_policy_rule_new (BusPolicyRuleType type,
38 rule = dbus_new0 (BusPolicyRule, 1);
48 case BUS_POLICY_RULE_USER:
49 rule->d.user.uid = DBUS_UID_UNSET;
51 case BUS_POLICY_RULE_GROUP:
52 rule->d.group.gid = DBUS_GID_UNSET;
54 case BUS_POLICY_RULE_SEND:
55 rule->d.send.message_type = DBUS_MESSAGE_TYPE_INVALID;
57 case BUS_POLICY_RULE_RECEIVE:
58 rule->d.receive.message_type = DBUS_MESSAGE_TYPE_INVALID;
60 case BUS_POLICY_RULE_OWN:
68 bus_policy_rule_ref (BusPolicyRule *rule)
70 _dbus_assert (rule->refcount > 0);
76 bus_policy_rule_unref (BusPolicyRule *rule)
78 _dbus_assert (rule->refcount > 0);
82 if (rule->refcount == 0)
86 case BUS_POLICY_RULE_SEND:
87 dbus_free (rule->d.send.path);
88 dbus_free (rule->d.send.interface);
89 dbus_free (rule->d.send.member);
90 dbus_free (rule->d.send.error);
91 dbus_free (rule->d.send.destination);
93 case BUS_POLICY_RULE_RECEIVE:
94 dbus_free (rule->d.receive.path);
95 dbus_free (rule->d.receive.interface);
96 dbus_free (rule->d.receive.member);
97 dbus_free (rule->d.receive.error);
98 dbus_free (rule->d.receive.origin);
100 case BUS_POLICY_RULE_OWN:
101 dbus_free (rule->d.own.service_name);
103 case BUS_POLICY_RULE_USER:
105 case BUS_POLICY_RULE_GROUP:
117 DBusList *default_rules; /**< Default policy rules */
118 DBusList *mandatory_rules; /**< Mandatory policy rules */
119 DBusHashTable *rules_by_uid; /**< per-UID policy rules */
120 DBusHashTable *rules_by_gid; /**< per-GID policy rules */
124 free_rule_func (void *data,
127 BusPolicyRule *rule = data;
129 bus_policy_rule_unref (rule);
133 free_rule_list_func (void *data)
135 DBusList **list = data;
137 if (list == NULL) /* DBusHashTable is on crack */
140 _dbus_list_foreach (list, free_rule_func, NULL);
142 _dbus_list_clear (list);
148 bus_policy_new (void)
152 policy = dbus_new0 (BusPolicy, 1);
156 policy->refcount = 1;
158 policy->rules_by_uid = _dbus_hash_table_new (DBUS_HASH_ULONG,
160 free_rule_list_func);
161 if (policy->rules_by_uid == NULL)
164 policy->rules_by_gid = _dbus_hash_table_new (DBUS_HASH_ULONG,
166 free_rule_list_func);
167 if (policy->rules_by_gid == NULL)
173 bus_policy_unref (policy);
178 bus_policy_ref (BusPolicy *policy)
180 _dbus_assert (policy->refcount > 0);
182 policy->refcount += 1;
186 bus_policy_unref (BusPolicy *policy)
188 _dbus_assert (policy->refcount > 0);
190 policy->refcount -= 1;
192 if (policy->refcount == 0)
194 _dbus_list_foreach (&policy->default_rules, free_rule_func, NULL);
195 _dbus_list_clear (&policy->default_rules);
197 _dbus_list_foreach (&policy->mandatory_rules, free_rule_func, NULL);
198 _dbus_list_clear (&policy->mandatory_rules);
200 if (policy->rules_by_uid)
202 _dbus_hash_table_unref (policy->rules_by_uid);
203 policy->rules_by_uid = NULL;
206 if (policy->rules_by_gid)
208 _dbus_hash_table_unref (policy->rules_by_gid);
209 policy->rules_by_gid = NULL;
217 add_list_to_client (DBusList **list,
218 BusClientPolicy *client)
222 link = _dbus_list_get_first_link (list);
225 BusPolicyRule *rule = link->data;
226 link = _dbus_list_get_next_link (list, link);
230 case BUS_POLICY_RULE_USER:
231 case BUS_POLICY_RULE_GROUP:
232 /* These aren't per-connection policies */
235 case BUS_POLICY_RULE_OWN:
236 case BUS_POLICY_RULE_SEND:
237 case BUS_POLICY_RULE_RECEIVE:
238 /* These are per-connection */
239 if (!bus_client_policy_append_rule (client, rule))
249 bus_policy_create_client_policy (BusPolicy *policy,
250 DBusConnection *connection,
253 BusClientPolicy *client;
256 _dbus_assert (dbus_connection_get_is_authenticated (connection));
257 _DBUS_ASSERT_ERROR_IS_CLEAR (error);
259 client = bus_client_policy_new ();
263 if (!add_list_to_client (&policy->default_rules,
267 /* we avoid the overhead of looking up user's groups
268 * if we don't have any group rules anyway
270 if (_dbus_hash_table_get_n_entries (policy->rules_by_gid) > 0)
272 unsigned long *groups;
276 if (!bus_connection_get_groups (connection, &groups, &n_groups, error))
284 list = _dbus_hash_table_lookup_ulong (policy->rules_by_gid,
289 if (!add_list_to_client (list, client))
302 if (!dbus_connection_get_unix_user (connection, &uid))
304 dbus_set_error (error, DBUS_ERROR_FAILED,
305 "No user ID known for connection, cannot determine security policy\n");
309 if (_dbus_hash_table_get_n_entries (policy->rules_by_uid) > 0)
313 list = _dbus_hash_table_lookup_ulong (policy->rules_by_uid,
318 if (!add_list_to_client (list, client))
323 if (!add_list_to_client (&policy->mandatory_rules,
327 bus_client_policy_optimize (client);
334 _DBUS_ASSERT_ERROR_IS_SET (error);
336 bus_client_policy_unref (client);
341 list_allows_user (dbus_bool_t def,
344 const unsigned long *group_ids,
352 link = _dbus_list_get_first_link (list);
355 BusPolicyRule *rule = link->data;
356 link = _dbus_list_get_next_link (list, link);
358 if (rule->type == BUS_POLICY_RULE_USER)
360 _dbus_verbose ("List %p user rule uid="DBUS_UID_FORMAT"\n",
361 list, rule->d.user.uid);
363 if (rule->d.user.uid == DBUS_UID_UNSET)
365 else if (rule->d.user.uid != uid)
368 else if (rule->type == BUS_POLICY_RULE_GROUP)
370 _dbus_verbose ("List %p group rule uid="DBUS_UID_FORMAT"\n",
371 list, rule->d.user.uid);
373 if (rule->d.group.gid == DBUS_GID_UNSET)
380 while (i < n_group_ids)
382 if (rule->d.group.gid == group_ids[i])
387 if (i == n_group_ids)
394 allowed = rule->allow;
401 bus_policy_allow_user (BusPolicy *policy,
402 DBusUserDatabase *user_database,
406 unsigned long *group_ids;
409 /* On OOM or error we always reject the user */
410 if (!_dbus_user_database_get_groups (user_database,
411 uid, &group_ids, &n_group_ids, NULL))
413 _dbus_verbose ("Did not get any groups for UID %lu\n",
420 allowed = list_allows_user (allowed,
421 &policy->default_rules,
423 group_ids, n_group_ids);
425 allowed = list_allows_user (allowed,
426 &policy->mandatory_rules,
428 group_ids, n_group_ids);
430 dbus_free (group_ids);
432 _dbus_verbose ("UID %lu allowed = %d\n", uid, allowed);
438 bus_policy_append_default_rule (BusPolicy *policy,
441 if (!_dbus_list_append (&policy->default_rules, rule))
444 bus_policy_rule_ref (rule);
450 bus_policy_append_mandatory_rule (BusPolicy *policy,
453 if (!_dbus_list_append (&policy->mandatory_rules, rule))
456 bus_policy_rule_ref (rule);
462 get_list (DBusHashTable *hash,
467 list = _dbus_hash_table_lookup_ulong (hash, key);
471 list = dbus_new0 (DBusList*, 1);
475 if (!_dbus_hash_table_insert_ulong (hash, key, list))
486 bus_policy_append_user_rule (BusPolicy *policy,
492 list = get_list (policy->rules_by_uid, uid);
497 if (!_dbus_list_append (list, rule))
500 bus_policy_rule_ref (rule);
506 bus_policy_append_group_rule (BusPolicy *policy,
512 list = get_list (policy->rules_by_gid, gid);
517 if (!_dbus_list_append (list, rule))
520 bus_policy_rule_ref (rule);
526 append_copy_of_policy_list (DBusList **list,
527 DBusList **to_append)
534 /* Preallocate all our links */
535 link = _dbus_list_get_first_link (to_append);
538 if (!_dbus_list_append (&tmp_list, link->data))
540 _dbus_list_clear (&tmp_list);
544 link = _dbus_list_get_next_link (to_append, link);
547 /* Now append them */
548 while ((link = _dbus_list_pop_first_link (&tmp_list)))
550 bus_policy_rule_ref (link->data);
551 _dbus_list_append_link (list, link);
558 merge_id_hash (DBusHashTable *dest,
559 DBusHashTable *to_absorb)
563 _dbus_hash_iter_init (to_absorb, &iter);
564 while (_dbus_hash_iter_next (&iter))
566 unsigned long id = _dbus_hash_iter_get_ulong_key (&iter);
567 DBusList **list = _dbus_hash_iter_get_value (&iter);
568 DBusList **target = get_list (dest, id);
573 if (!append_copy_of_policy_list (target, list))
581 bus_policy_merge (BusPolicy *policy,
582 BusPolicy *to_absorb)
584 /* Not properly atomic, but as used for configuration files
585 * we don't rely on it.
587 if (!append_copy_of_policy_list (&policy->default_rules,
588 &to_absorb->default_rules))
591 if (!append_copy_of_policy_list (&policy->mandatory_rules,
592 &to_absorb->mandatory_rules))
595 if (!merge_id_hash (policy->rules_by_uid,
596 to_absorb->rules_by_uid))
599 if (!merge_id_hash (policy->rules_by_gid,
600 to_absorb->rules_by_gid))
606 struct BusClientPolicy
614 bus_client_policy_new (void)
616 BusClientPolicy *policy;
618 policy = dbus_new0 (BusClientPolicy, 1);
622 policy->refcount = 1;
628 bus_client_policy_ref (BusClientPolicy *policy)
630 _dbus_assert (policy->refcount > 0);
632 policy->refcount += 1;
636 rule_unref_foreach (void *data,
639 BusPolicyRule *rule = data;
641 bus_policy_rule_unref (rule);
645 bus_client_policy_unref (BusClientPolicy *policy)
647 _dbus_assert (policy->refcount > 0);
649 policy->refcount -= 1;
651 if (policy->refcount == 0)
653 _dbus_list_foreach (&policy->rules,
657 _dbus_list_clear (&policy->rules);
664 remove_rules_by_type_up_to (BusClientPolicy *policy,
665 BusPolicyRuleType type,
670 link = _dbus_list_get_first_link (&policy->rules);
671 while (link != up_to)
673 BusPolicyRule *rule = link->data;
674 DBusList *next = _dbus_list_get_next_link (&policy->rules, link);
676 if (rule->type == type)
678 _dbus_list_remove_link (&policy->rules, link);
679 bus_policy_rule_unref (rule);
687 bus_client_policy_optimize (BusClientPolicy *policy)
691 /* The idea here is that if we have:
693 * <allow send_interface="foo.bar"/>
694 * <deny send_interface="*"/>
696 * (for example) the deny will always override the allow. So we
697 * delete the allow. Ditto for deny followed by allow, etc. This is
698 * a dumb thing to put in a config file, but the <include> feature
699 * of files allows for an "inheritance and override" pattern where
700 * it could make sense. If an included file wants to "start over"
701 * with a blanket deny, no point keeping the rules from the parent
705 _dbus_verbose ("Optimizing policy with %d rules\n",
706 _dbus_list_get_length (&policy->rules));
708 link = _dbus_list_get_first_link (&policy->rules);
713 dbus_bool_t remove_preceding;
715 next = _dbus_list_get_next_link (&policy->rules, link);
718 remove_preceding = FALSE;
720 _dbus_assert (rule != NULL);
724 case BUS_POLICY_RULE_SEND:
726 rule->d.send.message_type == DBUS_MESSAGE_TYPE_INVALID &&
727 rule->d.send.path == NULL &&
728 rule->d.send.interface == NULL &&
729 rule->d.send.member == NULL &&
730 rule->d.send.error == NULL &&
731 rule->d.send.destination == NULL;
733 case BUS_POLICY_RULE_RECEIVE:
735 rule->d.receive.message_type == DBUS_MESSAGE_TYPE_INVALID &&
736 rule->d.receive.path == NULL &&
737 rule->d.receive.interface == NULL &&
738 rule->d.receive.member == NULL &&
739 rule->d.receive.error == NULL &&
740 rule->d.receive.origin == NULL;
742 case BUS_POLICY_RULE_OWN:
744 rule->d.own.service_name == NULL;
746 case BUS_POLICY_RULE_USER:
747 case BUS_POLICY_RULE_GROUP:
748 _dbus_assert_not_reached ("invalid rule");
752 if (remove_preceding)
753 remove_rules_by_type_up_to (policy, rule->type,
759 _dbus_verbose ("After optimization, policy has %d rules\n",
760 _dbus_list_get_length (&policy->rules));
764 bus_client_policy_append_rule (BusClientPolicy *policy,
767 _dbus_verbose ("Appending rule %p with type %d to policy %p\n",
768 rule, rule->type, policy);
770 if (!_dbus_list_append (&policy->rules, rule))
773 bus_policy_rule_ref (rule);
779 bus_client_policy_check_can_send (BusClientPolicy *policy,
780 BusRegistry *registry,
781 DBusConnection *receiver,
782 DBusMessage *message)
787 /* policy->rules is in the order the rules appeared
788 * in the config file, i.e. last rule that applies wins
791 _dbus_verbose (" (policy) checking send rules\n");
794 link = _dbus_list_get_first_link (&policy->rules);
797 BusPolicyRule *rule = link->data;
799 link = _dbus_list_get_next_link (&policy->rules, link);
801 /* Rule is skipped if it specifies a different
802 * message name from the message, or a different
803 * destination from the message
806 if (rule->type != BUS_POLICY_RULE_SEND)
808 _dbus_verbose (" (policy) skipping non-send rule\n");
812 if (rule->d.send.message_type != DBUS_MESSAGE_TYPE_INVALID)
814 if (dbus_message_get_type (message) != rule->d.send.message_type)
816 _dbus_verbose (" (policy) skipping rule for different message type\n");
821 if (rule->d.send.path != NULL)
823 if (dbus_message_get_path (message) != NULL &&
824 strcmp (dbus_message_get_path (message),
825 rule->d.send.path) != 0)
827 _dbus_verbose (" (policy) skipping rule for different path\n");
832 if (rule->d.send.interface != NULL)
834 if (dbus_message_get_interface (message) != NULL &&
835 strcmp (dbus_message_get_interface (message),
836 rule->d.send.interface) != 0)
838 _dbus_verbose (" (policy) skipping rule for different interface\n");
843 if (rule->d.send.member != NULL)
845 if (dbus_message_get_member (message) != NULL &&
846 strcmp (dbus_message_get_member (message),
847 rule->d.send.member) != 0)
849 _dbus_verbose (" (policy) skipping rule for different member\n");
854 if (rule->d.send.error != NULL)
856 if (dbus_message_get_error_name (message) != NULL &&
857 strcmp (dbus_message_get_error_name (message),
858 rule->d.send.error) != 0)
860 _dbus_verbose (" (policy) skipping rule for different error name\n");
865 if (rule->d.send.destination != NULL)
867 /* receiver can be NULL for messages that are sent to the
868 * message bus itself, we check the strings in that case as
869 * built-in services don't have a DBusConnection but messages
870 * to them have a destination service name.
872 if (receiver == NULL)
874 if (!dbus_message_has_destination (message,
875 rule->d.send.destination))
877 _dbus_verbose (" (policy) skipping rule because message dest is not %s\n",
878 rule->d.send.destination);
887 _dbus_string_init_const (&str, rule->d.send.destination);
889 service = bus_registry_lookup (registry, &str);
892 _dbus_verbose (" (policy) skipping rule because dest %s doesn't exist\n",
893 rule->d.send.destination);
897 if (!bus_service_has_owner (service, receiver))
899 _dbus_verbose (" (policy) skipping rule because dest %s isn't owned by receiver\n",
900 rule->d.send.destination);
907 allowed = rule->allow;
909 _dbus_verbose (" (policy) used rule, allow now = %d\n",
917 bus_client_policy_check_can_receive (BusClientPolicy *policy,
918 BusRegistry *registry,
919 DBusConnection *sender,
920 DBusConnection *addressed_recipient,
921 DBusConnection *proposed_recipient,
922 DBusMessage *message)
926 dbus_bool_t eavesdropping;
928 /* NULL sender, proposed_recipient means the bus driver. NULL
929 * addressed_recipient means the message didn't specify an explicit
930 * target. If proposed_recipient is NULL, then addressed_recipient
931 * is also NULL but is implicitly the bus driver.
934 _dbus_assert (proposed_recipient == NULL ||
935 (dbus_message_get_destination (message) == NULL ||
936 addressed_recipient != NULL));
939 (proposed_recipient == NULL || /* explicitly to bus driver */
940 (addressed_recipient && addressed_recipient != proposed_recipient)); /* explicitly to a different recipient */
942 /* policy->rules is in the order the rules appeared
943 * in the config file, i.e. last rule that applies wins
946 _dbus_verbose (" (policy) checking receive rules, eavesdropping = %d\n", eavesdropping);
949 link = _dbus_list_get_first_link (&policy->rules);
952 BusPolicyRule *rule = link->data;
954 link = _dbus_list_get_next_link (&policy->rules, link);
956 if (rule->type != BUS_POLICY_RULE_RECEIVE)
958 _dbus_verbose (" (policy) skipping non-receive rule\n");
962 if (rule->d.receive.message_type != DBUS_MESSAGE_TYPE_INVALID)
964 if (dbus_message_get_type (message) != rule->d.receive.message_type)
966 _dbus_verbose (" (policy) skipping rule for different message type\n");
971 /* for allow, eavesdrop=false means the rule doesn't apply when
972 * eavesdropping. eavesdrop=true means always allow.
974 if (eavesdropping && rule->allow && !rule->d.receive.eavesdrop)
976 _dbus_verbose (" (policy) skipping allow rule since it doesn't apply to eavesdropping\n");
980 /* for deny, eavesdrop=true means the rule applies only when
981 * eavesdropping; eavesdrop=false means always deny.
983 if (!eavesdropping && !rule->allow && rule->d.receive.eavesdrop)
985 _dbus_verbose (" (policy) skipping deny rule since it only applies to eavesdropping\n");
989 if (rule->d.receive.path != NULL)
991 if (dbus_message_get_path (message) != NULL &&
992 strcmp (dbus_message_get_path (message),
993 rule->d.receive.path) != 0)
995 _dbus_verbose (" (policy) skipping rule for different path\n");
1000 if (rule->d.receive.interface != NULL)
1002 if (dbus_message_get_interface (message) != NULL &&
1003 strcmp (dbus_message_get_interface (message),
1004 rule->d.receive.interface) != 0)
1006 _dbus_verbose (" (policy) skipping rule for different interface\n");
1011 if (rule->d.receive.member != NULL)
1013 if (dbus_message_get_member (message) != NULL &&
1014 strcmp (dbus_message_get_member (message),
1015 rule->d.receive.member) != 0)
1017 _dbus_verbose (" (policy) skipping rule for different member\n");
1022 if (rule->d.receive.error != NULL)
1024 if (dbus_message_get_error_name (message) != NULL &&
1025 strcmp (dbus_message_get_error_name (message),
1026 rule->d.receive.error) != 0)
1028 _dbus_verbose (" (policy) skipping rule for different error name\n");
1033 if (rule->d.receive.origin != NULL)
1035 /* sender can be NULL for messages that originate from the
1036 * message bus itself, we check the strings in that case as
1037 * built-in services don't have a DBusConnection but will
1038 * still set the sender on their messages.
1042 if (!dbus_message_has_sender (message,
1043 rule->d.receive.origin))
1045 _dbus_verbose (" (policy) skipping rule because message sender is not %s\n",
1046 rule->d.receive.origin);
1052 BusService *service;
1055 _dbus_string_init_const (&str, rule->d.receive.origin);
1057 service = bus_registry_lookup (registry, &str);
1059 if (service == NULL)
1061 _dbus_verbose (" (policy) skipping rule because origin %s doesn't exist\n",
1062 rule->d.receive.origin);
1066 if (!bus_service_has_owner (service, sender))
1068 _dbus_verbose (" (policy) skipping rule because origin %s isn't owned by sender\n",
1069 rule->d.receive.origin);
1076 allowed = rule->allow;
1078 _dbus_verbose (" (policy) used rule, allow now = %d\n",
1086 bus_client_policy_check_can_own (BusClientPolicy *policy,
1087 DBusConnection *connection,
1088 const DBusString *service_name)
1091 dbus_bool_t allowed;
1093 /* policy->rules is in the order the rules appeared
1094 * in the config file, i.e. last rule that applies wins
1098 link = _dbus_list_get_first_link (&policy->rules);
1099 while (link != NULL)
1101 BusPolicyRule *rule = link->data;
1103 link = _dbus_list_get_next_link (&policy->rules, link);
1105 /* Rule is skipped if it specifies a different service name from
1109 if (rule->type != BUS_POLICY_RULE_OWN)
1112 if (rule->d.own.service_name != NULL)
1114 if (!_dbus_string_equal_c_str (service_name,
1115 rule->d.own.service_name))
1120 allowed = rule->allow;
1126 #ifdef DBUS_BUILD_TESTS
1129 bus_policy_test (const DBusString *test_data_dir)
1131 /* This doesn't do anything for now because I decided to do it in
1132 * dispatch.c instead by having some of the clients in dispatch.c
1133 * have particular policies applied to them.
1139 #endif /* DBUS_BUILD_TESTS */
projects / platform / upstream / dbus.git / blob