1 /* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
2 /* policy.c Bus security policy
4 * Copyright (C) 2003, 2004 Red Hat, Inc.
6 * Licensed under the Academic Free License version 2.1
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
30 #include <dbus/dbus-list.h>
31 #include <dbus/dbus-hash.h>
32 #include <dbus/dbus-internals.h>
33 #include <dbus/dbus-message-internal.h>
35 static dbus_bool_t bus_client_policy_append_rule (BusClientPolicy *policy,
39 bus_policy_rule_new (BusPolicyRuleType type,
40 BusPolicyRuleAccess access)
44 rule = dbus_new0 (BusPolicyRule, 1);
50 rule->access = access;
54 case BUS_POLICY_RULE_USER:
55 rule->d.user.uid = DBUS_UID_UNSET;
57 case BUS_POLICY_RULE_GROUP:
58 rule->d.group.gid = DBUS_GID_UNSET;
60 case BUS_POLICY_RULE_SEND:
61 rule->d.send.message_type = DBUS_MESSAGE_TYPE_INVALID;
62 /* allow rules default to TRUE (only requested replies allowed)
63 * check rules default to TRUE (only requested replies are checked)
64 * deny rules default to FALSE (only unrequested replies denied)
66 rule->d.send.requested_reply = rule->access != BUS_POLICY_RULE_ACCESS_DENY;
68 case BUS_POLICY_RULE_RECEIVE:
69 rule->d.receive.message_type = DBUS_MESSAGE_TYPE_INVALID;
70 /* allow rules default to TRUE (only requested replies allowed)
71 * check rules default to TRUE (only requested replies are checked)
72 * deny rules default to FALSE (only unrequested replies denied)
74 rule->d.receive.requested_reply = rule->access != BUS_POLICY_RULE_ACCESS_DENY;
76 case BUS_POLICY_RULE_OWN:
79 _dbus_assert_not_reached ("invalid rule");
86 bus_policy_rule_ref (BusPolicyRule *rule)
88 _dbus_assert (rule->refcount > 0);
96 bus_policy_rule_unref (BusPolicyRule *rule)
98 _dbus_assert (rule->refcount > 0);
102 if (rule->refcount == 0)
106 case BUS_POLICY_RULE_SEND:
107 dbus_free (rule->d.send.path);
108 dbus_free (rule->d.send.interface);
109 dbus_free (rule->d.send.member);
110 dbus_free (rule->d.send.error);
111 dbus_free (rule->d.send.destination);
113 case BUS_POLICY_RULE_RECEIVE:
114 dbus_free (rule->d.receive.path);
115 dbus_free (rule->d.receive.interface);
116 dbus_free (rule->d.receive.member);
117 dbus_free (rule->d.receive.error);
118 dbus_free (rule->d.receive.origin);
120 case BUS_POLICY_RULE_OWN:
121 dbus_free (rule->d.own.service_name);
123 case BUS_POLICY_RULE_USER:
125 case BUS_POLICY_RULE_GROUP:
128 _dbus_assert_not_reached ("invalid rule");
131 dbus_free (rule->privilege);
140 DBusList *default_rules; /**< Default policy rules */
141 DBusList *mandatory_rules; /**< Mandatory policy rules */
142 DBusHashTable *rules_by_uid; /**< per-UID policy rules */
143 DBusHashTable *rules_by_gid; /**< per-GID policy rules */
144 DBusList *at_console_true_rules; /**< console user policy rules where at_console="true"*/
145 DBusList *at_console_false_rules; /**< console user policy rules where at_console="false"*/
149 free_rule_func (void *data,
152 BusPolicyRule *rule = data;
154 bus_policy_rule_unref (rule);
158 free_rule_list_func (void *data)
160 DBusList **list = data;
162 if (list == NULL) /* DBusHashTable is on crack */
165 _dbus_list_foreach (list, free_rule_func, NULL);
167 _dbus_list_clear (list);
173 bus_policy_new (void)
177 policy = dbus_new0 (BusPolicy, 1);
181 policy->refcount = 1;
183 policy->rules_by_uid = _dbus_hash_table_new (DBUS_HASH_UINTPTR,
185 free_rule_list_func);
186 if (policy->rules_by_uid == NULL)
189 policy->rules_by_gid = _dbus_hash_table_new (DBUS_HASH_UINTPTR,
191 free_rule_list_func);
192 if (policy->rules_by_gid == NULL)
198 bus_policy_unref (policy);
203 bus_policy_ref (BusPolicy *policy)
205 _dbus_assert (policy->refcount > 0);
207 policy->refcount += 1;
213 bus_policy_unref (BusPolicy *policy)
215 _dbus_assert (policy->refcount > 0);
217 policy->refcount -= 1;
219 if (policy->refcount == 0)
221 _dbus_list_foreach (&policy->default_rules, free_rule_func, NULL);
222 _dbus_list_clear (&policy->default_rules);
224 _dbus_list_foreach (&policy->mandatory_rules, free_rule_func, NULL);
225 _dbus_list_clear (&policy->mandatory_rules);
227 _dbus_list_foreach (&policy->at_console_true_rules, free_rule_func, NULL);
228 _dbus_list_clear (&policy->at_console_true_rules);
230 _dbus_list_foreach (&policy->at_console_false_rules, free_rule_func, NULL);
231 _dbus_list_clear (&policy->at_console_false_rules);
233 if (policy->rules_by_uid)
235 _dbus_hash_table_unref (policy->rules_by_uid);
236 policy->rules_by_uid = NULL;
239 if (policy->rules_by_gid)
241 _dbus_hash_table_unref (policy->rules_by_gid);
242 policy->rules_by_gid = NULL;
250 add_list_to_client (DBusList **list,
251 BusClientPolicy *client)
255 link = _dbus_list_get_first_link (list);
258 BusPolicyRule *rule = link->data;
259 link = _dbus_list_get_next_link (list, link);
263 case BUS_POLICY_RULE_USER:
264 case BUS_POLICY_RULE_GROUP:
265 /* These aren't per-connection policies */
268 case BUS_POLICY_RULE_OWN:
269 case BUS_POLICY_RULE_SEND:
270 case BUS_POLICY_RULE_RECEIVE:
271 /* These are per-connection */
272 if (!bus_client_policy_append_rule (client, rule))
277 _dbus_assert_not_reached ("invalid rule");
285 bus_policy_create_client_policy (BusPolicy *policy,
286 DBusConnection *connection,
289 BusClientPolicy *client;
291 dbus_bool_t at_console;
293 _dbus_assert (dbus_connection_get_is_authenticated (connection));
294 _DBUS_ASSERT_ERROR_IS_CLEAR (error);
296 client = bus_client_policy_new ();
300 if (!add_list_to_client (&policy->default_rules,
304 /* we avoid the overhead of looking up user's groups
305 * if we don't have any group rules anyway
307 if (_dbus_hash_table_get_n_entries (policy->rules_by_gid) > 0)
309 unsigned long *groups;
313 if (!bus_connection_get_unix_groups (connection, &groups, &n_groups, error))
321 list = _dbus_hash_table_lookup_uintptr (policy->rules_by_gid,
326 if (!add_list_to_client (list, client))
339 if (dbus_connection_get_unix_user (connection, &uid))
341 if (_dbus_hash_table_get_n_entries (policy->rules_by_uid) > 0)
345 list = _dbus_hash_table_lookup_uintptr (policy->rules_by_uid,
350 if (!add_list_to_client (list, client))
355 /* Add console rules */
356 at_console = _dbus_unix_user_is_at_console (uid, error);
360 if (!add_list_to_client (&policy->at_console_true_rules, client))
363 else if (dbus_error_is_set (error) == TRUE)
367 else if (!add_list_to_client (&policy->at_console_false_rules, client))
373 if (!add_list_to_client (&policy->mandatory_rules,
382 _DBUS_ASSERT_ERROR_IS_SET (error);
384 bus_client_policy_unref (client);
389 list_allows_user (dbus_bool_t def,
392 const unsigned long *group_ids,
400 link = _dbus_list_get_first_link (list);
403 BusPolicyRule *rule = link->data;
404 link = _dbus_list_get_next_link (list, link);
406 if (rule->type == BUS_POLICY_RULE_USER)
408 _dbus_verbose ("List %p user rule uid="DBUS_UID_FORMAT"\n",
409 list, rule->d.user.uid);
411 if (rule->d.user.uid == DBUS_UID_UNSET)
413 else if (rule->d.user.uid != uid)
416 else if (rule->type == BUS_POLICY_RULE_GROUP)
418 _dbus_verbose ("List %p group rule gid="DBUS_GID_FORMAT"\n",
419 list, rule->d.group.gid);
421 if (rule->d.group.gid == DBUS_GID_UNSET)
428 while (i < n_group_ids)
430 if (rule->d.group.gid == group_ids[i])
435 if (i == n_group_ids)
442 /* We don't intend to support <check user="..." /> and <check group="..." />
443 rules. They are treated like deny.
445 allowed = rule->access == BUS_POLICY_RULE_ACCESS_ALLOW;
452 bus_policy_allow_unix_user (BusPolicy *policy,
456 unsigned long *group_ids;
459 /* On OOM or error we always reject the user */
460 if (!_dbus_unix_groups_from_uid (uid, &group_ids, &n_group_ids))
462 _dbus_verbose ("Did not get any groups for UID %lu\n",
467 /* Default to "user owning bus" can connect */
468 allowed = _dbus_unix_user_is_process_owner (uid);
470 allowed = list_allows_user (allowed,
471 &policy->default_rules,
473 group_ids, n_group_ids);
475 allowed = list_allows_user (allowed,
476 &policy->mandatory_rules,
478 group_ids, n_group_ids);
480 dbus_free (group_ids);
482 _dbus_verbose ("UID %lu allowed = %d\n", uid, allowed);
487 /* For now this is never actually called because the default
488 * DBusConnection behavior of 'same user that owns the bus can
489 * connect' is all it would do. Set the windows user function in
490 * connection.c if the config file ever supports doing something
494 bus_policy_allow_windows_user (BusPolicy *policy,
495 const char *windows_sid)
497 /* Windows has no policies here since only the session bus
498 * is really used for now, so just checking that the
499 * connecting person is the same as the bus owner is fine.
501 return _dbus_windows_user_is_process_owner (windows_sid);
505 bus_policy_append_default_rule (BusPolicy *policy,
508 if (!_dbus_list_append (&policy->default_rules, rule))
511 bus_policy_rule_ref (rule);
517 bus_policy_append_mandatory_rule (BusPolicy *policy,
520 if (!_dbus_list_append (&policy->mandatory_rules, rule))
523 bus_policy_rule_ref (rule);
531 get_list (DBusHashTable *hash,
536 list = _dbus_hash_table_lookup_uintptr (hash, key);
540 list = dbus_new0 (DBusList*, 1);
544 if (!_dbus_hash_table_insert_uintptr (hash, key, list))
555 bus_policy_append_user_rule (BusPolicy *policy,
561 list = get_list (policy->rules_by_uid, uid);
566 if (!_dbus_list_append (list, rule))
569 bus_policy_rule_ref (rule);
575 bus_policy_append_group_rule (BusPolicy *policy,
581 list = get_list (policy->rules_by_gid, gid);
586 if (!_dbus_list_append (list, rule))
589 bus_policy_rule_ref (rule);
595 bus_policy_append_console_rule (BusPolicy *policy,
596 dbus_bool_t at_console,
601 if (!_dbus_list_append (&policy->at_console_true_rules, rule))
606 if (!_dbus_list_append (&policy->at_console_false_rules, rule))
610 bus_policy_rule_ref (rule);
617 append_copy_of_policy_list (DBusList **list,
618 DBusList **to_append)
625 /* Preallocate all our links */
626 link = _dbus_list_get_first_link (to_append);
629 if (!_dbus_list_append (&tmp_list, link->data))
631 _dbus_list_clear (&tmp_list);
635 link = _dbus_list_get_next_link (to_append, link);
638 /* Now append them */
639 while ((link = _dbus_list_pop_first_link (&tmp_list)))
641 bus_policy_rule_ref (link->data);
642 _dbus_list_append_link (list, link);
649 merge_id_hash (DBusHashTable *dest,
650 DBusHashTable *to_absorb)
654 _dbus_hash_iter_init (to_absorb, &iter);
655 while (_dbus_hash_iter_next (&iter))
657 unsigned long id = _dbus_hash_iter_get_uintptr_key (&iter);
658 DBusList **list = _dbus_hash_iter_get_value (&iter);
659 DBusList **target = get_list (dest, id);
664 if (!append_copy_of_policy_list (target, list))
672 bus_policy_merge (BusPolicy *policy,
673 BusPolicy *to_absorb)
675 /* FIXME Not properly atomic, but as used for configuration files we
676 * don't rely on it quite so much.
679 if (!append_copy_of_policy_list (&policy->default_rules,
680 &to_absorb->default_rules))
683 if (!append_copy_of_policy_list (&policy->mandatory_rules,
684 &to_absorb->mandatory_rules))
687 if (!append_copy_of_policy_list (&policy->at_console_true_rules,
688 &to_absorb->at_console_true_rules))
691 if (!append_copy_of_policy_list (&policy->at_console_false_rules,
692 &to_absorb->at_console_false_rules))
695 if (!merge_id_hash (policy->rules_by_uid,
696 to_absorb->rules_by_uid))
699 if (!merge_id_hash (policy->rules_by_gid,
700 to_absorb->rules_by_gid))
706 struct BusClientPolicy
714 bus_client_policy_new (void)
716 BusClientPolicy *policy;
718 policy = dbus_new0 (BusClientPolicy, 1);
722 policy->refcount = 1;
728 bus_client_policy_ref (BusClientPolicy *policy)
730 _dbus_assert (policy->refcount > 0);
732 policy->refcount += 1;
738 rule_unref_foreach (void *data,
741 BusPolicyRule *rule = data;
743 bus_policy_rule_unref (rule);
747 bus_client_policy_unref (BusClientPolicy *policy)
749 _dbus_assert (policy->refcount > 0);
751 policy->refcount -= 1;
753 if (policy->refcount == 0)
755 _dbus_list_foreach (&policy->rules,
759 _dbus_list_clear (&policy->rules);
766 bus_client_policy_append_rule (BusClientPolicy *policy,
769 _dbus_verbose ("Appending rule %p with type %d to policy %p\n",
770 rule, rule->type, policy);
772 if (!_dbus_list_append (&policy->rules, rule))
775 bus_policy_rule_ref (rule);
780 #define _dbus_string_append_printf_err_check(str, fmt, args...) \
781 if (!_dbus_string_append_printf(str, fmt, ##args)) \
783 _dbus_string_free (str); \
788 bus_policy_rule_to_string (BusPolicyRule *rule,
794 const char *msg_type[] = {"Invalid", "method_call", "method_return", "signal", "error"};
799 switch (rule->access)
801 case BUS_POLICY_RULE_ACCESS_ALLOW:
804 case BUS_POLICY_RULE_ACCESS_DENY:
807 case BUS_POLICY_RULE_ACCESS_CHECK:
812 if (rule->type == BUS_POLICY_RULE_SEND)
815 dest = "destination";
817 else if (rule->type == BUS_POLICY_RULE_RECEIVE)
825 /* generate xml format */
826 if (!_dbus_string_init (&str))
829 _dbus_string_append_printf_err_check (&str, "<%s ", access);
831 if (rule->d.send.destination_prefix)
833 _dbus_string_append_printf_err_check (&str, "%s_destination_prefix=\"%s\" ", sr, rule->d.send.destination);
835 else if (rule->d.send.destination)
837 _dbus_string_append_printf_err_check (&str, "%s_%s=\"%s\" ", sr, dest, rule->d.send.destination);
840 if (rule->d.send.path)
841 _dbus_string_append_printf_err_check (&str, "%s_path=\"%s\" ", sr, rule->d.send.path);
842 if (rule->d.send.interface)
843 _dbus_string_append_printf_err_check (&str, "%s_interface=\"%s\" ", sr, rule->d.send.interface);
844 if (rule->d.send.member)
845 _dbus_string_append_printf_err_check (&str, "%s_member=\"%s\" ", sr, rule->d.send.member);
846 if (rule->d.send.message_type)
847 _dbus_string_append_printf_err_check (&str, "%s_type=\"%s\" ", sr, msg_type[rule->d.send.message_type]);
849 _dbus_string_append_printf_err_check (&str, "privilege=\"%s\" ", rule->privilege);
851 if (!_dbus_string_append (&str, "/>"))
853 _dbus_string_free (&str);
857 if (!_dbus_string_steal_data (&str, out_rule))
860 _dbus_string_free (&str);
864 _dbus_string_free (&str);
869 struct MatchSendRuleParams {
870 BusRegistry *registry;
871 dbus_bool_t requested_reply;
872 DBusConnection *receiver;
873 DBusMessage *message;
877 check_send_rule (const BusPolicyRule *rule,
878 const struct MatchSendRuleParams *match_params,
880 const char **privilege)
882 /* Rule is skipped if it specifies a different
883 * message name from the message, or a different
884 * destination from the message
886 if (rule->type != BUS_POLICY_RULE_SEND)
888 _dbus_verbose (" (policy) skipping non-send rule\n");
892 if (rule->d.send.message_type != DBUS_MESSAGE_TYPE_INVALID)
894 if (dbus_message_get_type (match_params->message) != rule->d.send.message_type)
896 _dbus_verbose (" (policy) skipping rule for different message type\n");
901 /* If it's a reply, the requested_reply flag kicks in */
902 if (dbus_message_get_reply_serial (match_params->message) != 0)
904 /* for allow or check requested_reply=true means the rule applies
905 * only when reply was requested. requested_reply=false means the
906 * rule always applies
908 if (!match_params->requested_reply && rule->access != BUS_POLICY_RULE_ACCESS_DENY && rule->d.send.requested_reply && !rule->d.send.eavesdrop)
910 _dbus_verbose (" (policy) skipping %s rule since it only applies to requested replies and does not allow eavesdropping\n",
911 rule->access == BUS_POLICY_RULE_ACCESS_ALLOW ? "allow" : "check");
915 /* for deny, requested_reply=false means the rule applies only
916 * when the reply was not requested. requested_reply=true means the
917 * rule always applies.
919 if (match_params->requested_reply && rule->access == BUS_POLICY_RULE_ACCESS_DENY && !rule->d.send.requested_reply)
921 _dbus_verbose (" (policy) skipping deny rule since it only applies to unrequested replies\n");
926 if (rule->d.send.path != NULL)
928 if (dbus_message_get_path (match_params->message) != NULL &&
929 strcmp (dbus_message_get_path (match_params->message),
930 rule->d.send.path) != 0)
932 _dbus_verbose (" (policy) skipping rule for different path\n");
937 if (rule->d.send.interface != NULL)
939 /* The interface is optional in messages. For allow rules, if the message
940 * has no interface we want to skip the rule (and thus not allow);
941 * for deny rules, if the message has no interface we want to use the
942 * rule (and thus deny). Check rules are meant to be used like allow
943 * rules (they can grant access, but not remove it), so we treat it like
946 dbus_bool_t no_interface;
948 no_interface = dbus_message_get_interface (match_params->message) == NULL;
950 if ((no_interface && rule->access != BUS_POLICY_RULE_ACCESS_DENY) ||
952 strcmp (dbus_message_get_interface (match_params->message),
953 rule->d.send.interface) != 0))
955 _dbus_verbose (" (policy) skipping rule for different interface\n");
960 if (rule->d.send.member != NULL)
962 if (dbus_message_get_member (match_params->message) != NULL &&
963 strcmp (dbus_message_get_member (match_params->message),
964 rule->d.send.member) != 0)
966 _dbus_verbose (" (policy) skipping rule for different member\n");
971 if (rule->d.send.error != NULL)
973 if (dbus_message_get_error_name (match_params->message) != NULL &&
974 strcmp (dbus_message_get_error_name (match_params->message),
975 rule->d.send.error) != 0)
977 _dbus_verbose (" (policy) skipping rule for different error name\n");
982 if (rule->d.send.broadcast != BUS_POLICY_TRISTATE_ANY)
984 if (dbus_message_get_destination (match_params->message) == NULL &&
985 dbus_message_get_type (match_params->message) == DBUS_MESSAGE_TYPE_SIGNAL)
987 /* it's a broadcast */
988 if (rule->d.send.broadcast == BUS_POLICY_TRISTATE_FALSE)
990 _dbus_verbose (" (policy) skipping rule because message is a broadcast\n");
994 /* else it isn't a broadcast: there is some destination */
995 else if (rule->d.send.broadcast == BUS_POLICY_TRISTATE_TRUE)
997 _dbus_verbose (" (policy) skipping rule because message is not a broadcast\n");
1002 if (rule->d.send.destination != NULL)
1004 if (!rule->d.send.destination_prefix)
1006 /* receiver can be NULL for messages that are sent to the
1007 * message bus itself, we check the strings in that case as
1008 * built-in services don't have a DBusConnection but messages
1009 * to them have a destination service name.
1011 * Similarly, receiver can be NULL when we're deciding whether
1012 * activation should be allowed; we make the authorization decision
1013 * on the assumption that the activated service will have the
1014 * requested name and no others.
1016 if (match_params->receiver == NULL)
1018 if (!dbus_message_has_destination (match_params->message,
1019 rule->d.send.destination))
1021 _dbus_verbose (" (policy) skipping rule because message dest is not %s\n",
1022 rule->d.send.destination);
1029 BusService *service;
1031 _dbus_string_init_const (&str, rule->d.send.destination);
1033 service = bus_registry_lookup (match_params->registry, &str);
1034 if (service == NULL)
1036 _dbus_verbose (" (policy) skipping rule because dest %s doesn't exist\n",
1037 rule->d.send.destination);
1041 if (!bus_service_has_owner (service, match_params->receiver))
1043 _dbus_verbose (" (policy) skipping rule because dest %s isn't owned by receiver\n",
1044 rule->d.send.destination);
1049 else if (rule->d.send.destination_prefix)
1051 /* receiver can be NULL - the same as in !send.destination_prefix */
1052 if (match_params->receiver == NULL)
1054 const char *destination = dbus_message_get_destination (match_params->message);
1055 DBusString dest_name;
1057 if (destination == NULL)
1059 _dbus_verbose (" (policy) skipping rule because message has no dest\n");
1063 _dbus_string_init_const (&dest_name, destination);
1065 if (!_dbus_string_starts_with_words_c_str (&dest_name,
1066 rule->d.send.destination,
1069 _dbus_verbose (" (policy) skipping rule because message dest doesn't start with %s\n",
1070 rule->d.send.destination);
1076 if (!bus_connection_is_service_owner_by_prefix (match_params->receiver,
1077 rule->d.send.destination))
1079 _dbus_verbose (" (policy) skipping rule because no dest with prefix %s is owned by receiver\n",
1080 rule->d.send.destination);
1087 if (rule->d.send.min_fds > 0 ||
1088 rule->d.send.max_fds < DBUS_MAXIMUM_MESSAGE_UNIX_FDS)
1090 unsigned int n_fds = _dbus_message_get_n_unix_fds (match_params->message);
1092 if (n_fds < rule->d.send.min_fds || n_fds > rule->d.send.max_fds)
1094 _dbus_verbose (" (policy) skipping rule because message has %u fds "
1095 "and that is outside range [%u,%u]",
1096 n_fds, rule->d.send.min_fds, rule->d.send.max_fds);
1102 switch (rule->access)
1104 case BUS_POLICY_RULE_ACCESS_ALLOW:
1105 *result = BUS_RESULT_TRUE;
1107 case BUS_POLICY_RULE_ACCESS_DENY:
1108 *result = BUS_RESULT_FALSE;
1110 case BUS_POLICY_RULE_ACCESS_CHECK:
1111 *result = BUS_RESULT_LATER;
1112 *privilege = rule->privilege;
1120 bus_client_policy_check_can_send (DBusConnection *sender,
1121 BusClientPolicy *policy,
1122 BusRegistry *registry,
1123 dbus_bool_t requested_reply,
1124 DBusConnection *addressed_recipient,
1125 DBusConnection *receiver,
1126 DBusMessage *message,
1127 dbus_int32_t *toggles,
1129 const char **privilege_param,
1130 BusDeferredMessage **deferred_message,
1135 const char *privilege;
1136 BusPolicyRule *matched_rule = NULL;
1137 struct MatchSendRuleParams params;
1139 params.registry = registry;
1140 params.requested_reply = requested_reply;
1141 params.receiver = receiver;
1142 params.message = message;
1144 /* policy->rules is in the order the rules appeared
1145 * in the config file, i.e. last rule that applies wins
1148 _dbus_verbose (" (policy) checking send rules\n");
1151 result = BUS_RESULT_FALSE;
1152 link = _dbus_list_get_first_link (&policy->rules);
1153 while (link != NULL)
1155 const BusPolicyRule *rule = link->data;
1157 link = _dbus_list_get_next_link (&policy->rules, link);
1159 if (check_send_rule (rule, ¶ms, &result, &privilege))
1161 *log = rule->d.send.log;
1163 matched_rule = (BusPolicyRule *)rule;
1165 _dbus_verbose (" (policy) used rule, result now = %d\n",
1170 if (result == BUS_RESULT_LATER)
1172 BusContext *context = bus_connection_get_context(sender);
1173 BusCheck *check = bus_context_get_check(context);
1175 result = bus_check_privilege(check, message, sender, addressed_recipient, receiver,
1176 privilege, BUS_DEFERRED_MESSAGE_CHECK_SEND, deferred_message);
1177 if (result == BUS_RESULT_LATER && deferred_message != NULL)
1178 bus_deferred_message_set_policy_check_info(*deferred_message, requested_reply,
1179 *toggles, privilege);
1184 if (privilege_param != NULL)
1185 *privilege_param = privilege;
1187 if (result == BUS_RESULT_FALSE)
1189 if (matched_rule && out_rule)
1190 bus_policy_rule_to_string (matched_rule, out_rule);
1196 struct MatchReceiveRuleParams {
1197 BusRegistry *registry;
1198 dbus_bool_t requested_reply;
1199 DBusConnection *sender;
1200 DBusMessage *message;
1201 dbus_bool_t eavesdropping;
1205 check_receive_rule (const BusPolicyRule *rule,
1206 const struct MatchReceiveRuleParams *match_params,
1208 const char **privilege)
1210 if (rule->type != BUS_POLICY_RULE_RECEIVE)
1212 _dbus_verbose (" (policy) skipping non-receive rule\n");
1216 if (rule->d.receive.message_type != DBUS_MESSAGE_TYPE_INVALID)
1218 if (dbus_message_get_type (match_params->message) != rule->d.receive.message_type)
1220 _dbus_verbose (" (policy) skipping rule for different message type\n");
1226 /* for allow or check, eavesdrop=false means the rule doesn't apply when
1227 * eavesdropping. eavesdrop=true means the rule always applies
1229 if (match_params->eavesdropping && rule->access != BUS_POLICY_RULE_ACCESS_DENY && !rule->d.receive.eavesdrop)
1231 _dbus_verbose (" (policy) skipping %s rule since it doesn't apply to eavesdropping\n",
1232 rule->access == BUS_POLICY_RULE_ACCESS_ALLOW ? "allow" : "check");
1236 /* for deny, eavesdrop=true means the rule applies only when
1237 * eavesdropping; eavesdrop=false means always deny.
1239 if (!match_params->eavesdropping && rule->access == BUS_POLICY_RULE_ACCESS_DENY && rule->d.receive.eavesdrop)
1241 _dbus_verbose (" (policy) skipping deny rule since it only applies to eavesdropping\n");
1245 /* If it's a reply, the requested_reply flag kicks in */
1246 if (dbus_message_get_reply_serial (match_params->message) != 0)
1248 /* for allow or check requested_reply=true means the rule applies
1249 * only when reply was requested. requested_reply=false means the
1250 * rule always applies
1252 if (!match_params->requested_reply && rule->access != BUS_POLICY_RULE_ACCESS_DENY && rule->d.send.requested_reply && !rule->d.send.eavesdrop)
1254 _dbus_verbose (" (policy) skipping %s rule since it only applies to requested replies and does not allow eavesdropping\n",
1255 rule->access == BUS_POLICY_RULE_ACCESS_DENY ? "allow" : "deny");
1259 /* for deny, requested_reply=false means the rule applies only
1260 * when the reply was not requested. requested_reply=true means the
1261 * rule always applies.
1263 if (match_params->requested_reply && rule->access == BUS_POLICY_RULE_ACCESS_DENY && !rule->d.receive.requested_reply)
1265 _dbus_verbose (" (policy) skipping deny rule since it only applies to unrequested replies\n");
1270 if (rule->d.receive.path != NULL)
1272 if (dbus_message_get_path (match_params->message) != NULL &&
1273 strcmp (dbus_message_get_path (match_params->message),
1274 rule->d.receive.path) != 0)
1276 _dbus_verbose (" (policy) skipping rule for different path\n");
1281 if (rule->d.receive.interface != NULL)
1283 /* The interface is optional in messages. For allow rules, if the message
1284 * has no interface we want to skip the rule (and thus not allow);
1285 * for deny rules, if the message has no interface we want to use the
1286 * rule (and thus deny). Check rules are treated like allow rules.
1288 dbus_bool_t no_interface;
1290 no_interface = dbus_message_get_interface (match_params->message) == NULL;
1292 if ((no_interface && rule->access != BUS_POLICY_RULE_ACCESS_DENY) ||
1294 strcmp (dbus_message_get_interface (match_params->message),
1295 rule->d.receive.interface) != 0))
1297 _dbus_verbose (" (policy) skipping rule for different interface\n");
1302 if (rule->d.receive.member != NULL)
1304 if (dbus_message_get_member (match_params->message) != NULL &&
1305 strcmp (dbus_message_get_member (match_params->message),
1306 rule->d.receive.member) != 0)
1308 _dbus_verbose (" (policy) skipping rule for different member\n");
1313 if (rule->d.receive.error != NULL)
1315 if (dbus_message_get_error_name (match_params->message) != NULL &&
1316 strcmp (dbus_message_get_error_name (match_params->message),
1317 rule->d.receive.error) != 0)
1319 _dbus_verbose (" (policy) skipping rule for different error name\n");
1324 if (rule->d.receive.origin != NULL)
1326 /* sender can be NULL for messages that originate from the
1327 * message bus itself, we check the strings in that case as
1328 * built-in services don't have a DBusConnection but will
1329 * still set the sender on their messages.
1331 if (match_params->sender == NULL)
1333 if (!dbus_message_has_sender (match_params->message,
1334 rule->d.receive.origin))
1336 _dbus_verbose (" (policy) skipping rule because message sender is not %s\n",
1337 rule->d.receive.origin);
1343 BusService *service;
1346 _dbus_string_init_const (&str, rule->d.receive.origin);
1348 service = bus_registry_lookup (match_params->registry, &str);
1350 if (service == NULL)
1352 _dbus_verbose (" (policy) skipping rule because origin %s doesn't exist\n",
1353 rule->d.receive.origin);
1357 if (!bus_service_has_owner (service, match_params->sender))
1359 _dbus_verbose (" (policy) skipping rule because origin %s isn't owned by sender\n",
1360 rule->d.receive.origin);
1366 if (rule->d.receive.min_fds > 0 ||
1367 rule->d.receive.max_fds < DBUS_MAXIMUM_MESSAGE_UNIX_FDS)
1369 unsigned int n_fds = _dbus_message_get_n_unix_fds (match_params->message);
1371 if (n_fds < rule->d.receive.min_fds || n_fds > rule->d.receive.max_fds)
1373 _dbus_verbose (" (policy) skipping rule because message has %u fds "
1374 "and that is outside range [%u,%u]",
1375 n_fds, rule->d.receive.min_fds,
1376 rule->d.receive.max_fds);
1382 switch (rule->access)
1384 case BUS_POLICY_RULE_ACCESS_ALLOW:
1385 *result = BUS_RESULT_TRUE;
1387 case BUS_POLICY_RULE_ACCESS_DENY:
1388 *result = BUS_RESULT_FALSE;
1390 case BUS_POLICY_RULE_ACCESS_CHECK:
1391 *result = BUS_RESULT_LATER;
1392 *privilege = rule->privilege;
1399 /* See docs on what the args mean on bus_context_check_security_policy()
1403 bus_client_policy_check_can_receive (BusClientPolicy *policy,
1404 BusRegistry *registry,
1405 dbus_bool_t requested_reply,
1406 DBusConnection *sender,
1407 DBusConnection *addressed_recipient,
1408 DBusConnection *proposed_recipient,
1409 DBusMessage *message,
1410 dbus_int32_t *toggles,
1411 const char **privilege_param,
1412 BusDeferredMessage **deferred_message,
1417 const char *privilege;
1418 BusPolicyRule *matched_rule = NULL;
1419 struct MatchReceiveRuleParams params;
1421 params.eavesdropping =
1422 addressed_recipient != proposed_recipient &&
1423 dbus_message_get_destination (message) != NULL;
1424 params.registry = registry;
1425 params.requested_reply = requested_reply;
1426 params.sender = sender;
1427 params.message = message;
1429 /* policy->rules is in the order the rules appeared
1430 * in the config file, i.e. last rule that applies wins
1433 _dbus_verbose (" (policy) checking receive rules, eavesdropping = %d\n", eavesdropping);
1436 result = BUS_RESULT_FALSE;
1437 link = _dbus_list_get_first_link (&policy->rules);
1438 while (link != NULL)
1440 const BusPolicyRule *rule = link->data;
1442 link = _dbus_list_get_next_link (&policy->rules, link);
1444 if (check_receive_rule (rule, ¶ms, &result, &privilege))
1447 matched_rule = (BusPolicyRule *)rule;
1449 _dbus_verbose (" (policy) used rule, result now = %d\n",
1455 if (result == BUS_RESULT_LATER)
1457 BusContext *context = bus_connection_get_context(proposed_recipient);
1458 BusCheck *check = bus_context_get_check(context);
1460 result = bus_check_privilege(check, message, sender, addressed_recipient, proposed_recipient,
1461 privilege, BUS_DEFERRED_MESSAGE_CHECK_RECEIVE, deferred_message);
1462 if (result == BUS_RESULT_LATER && deferred_message != NULL)
1463 bus_deferred_message_set_policy_check_info(*deferred_message, requested_reply,
1464 *toggles, privilege);
1469 if (privilege_param != NULL)
1470 *privilege_param = privilege;
1472 if (result == BUS_RESULT_FALSE)
1474 if (matched_rule && out_rule)
1475 bus_policy_rule_to_string (matched_rule, out_rule);
1482 check_own_rule (const BusPolicyRule *rule,
1483 const DBusString *service_name,
1485 const char **privilege)
1487 /* Rule is skipped if it specifies a different service name from
1491 if (rule->type != BUS_POLICY_RULE_OWN)
1494 if (!rule->d.own.prefix && rule->d.own.service_name != NULL)
1496 if (!_dbus_string_equal_c_str (service_name,
1497 rule->d.own.service_name))
1500 else if (rule->d.own.prefix)
1502 if (!_dbus_string_starts_with_words_c_str (service_name,
1503 rule->d.own.service_name,
1509 switch (rule->access)
1511 case BUS_POLICY_RULE_ACCESS_ALLOW:
1512 *result = BUS_RESULT_TRUE;
1514 case BUS_POLICY_RULE_ACCESS_DENY:
1515 *result = BUS_RESULT_FALSE;
1517 case BUS_POLICY_RULE_ACCESS_CHECK:
1518 *result = BUS_RESULT_LATER;
1519 *privilege = rule->privilege;
1527 bus_rules_check_can_own (DBusList *rules,
1528 const DBusString *service_name,
1529 DBusConnection *connection,
1530 DBusMessage *message)
1534 const char *privilege;
1536 /* rules is in the order the rules appeared
1537 * in the config file, i.e. last rule that applies wins
1540 result = BUS_RESULT_FALSE;
1541 link = _dbus_list_get_first_link (&rules);
1542 while (link != NULL)
1544 const BusPolicyRule *rule = link->data;
1546 link = _dbus_list_get_next_link (&rules, link);
1548 check_own_rule (rule, service_name, &result, &privilege);
1551 if (result == BUS_RESULT_LATER)
1553 BusContext *context = bus_connection_get_context(connection);
1554 BusCheck *check = bus_context_get_check(context);
1555 BusDeferredMessage *deferred_message;
1557 result = bus_check_privilege(check, message, connection, NULL, NULL,
1558 privilege, BUS_DEFERRED_MESSAGE_CHECK_OWN, &deferred_message);
1559 if (result == BUS_RESULT_LATER)
1561 bus_deferred_message_disable_sender(deferred_message);
1569 bus_client_policy_check_can_own (BusClientPolicy *policy,
1570 const DBusString *service_name,
1571 DBusConnection *connection,
1572 DBusMessage *message)
1574 return bus_rules_check_can_own (policy->rules, service_name, connection, message);
1577 #ifdef DBUS_ENABLE_EMBEDDED_TESTS
1579 bus_policy_check_can_own (BusPolicy *policy,
1580 const DBusString *service_name)
1582 return bus_rules_check_can_own (policy->default_rules, service_name, NULL, NULL);
1584 #endif /* DBUS_ENABLE_EMBEDDED_TESTS */