1 <?xml version='1.0'?> <!--*-nxml-*-->
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
5 <refentry id="kdbus.policy">
8 <title>kdbus.policy</title>
9 <productname>kdbus.policy</productname>
13 <refentrytitle>kdbus.policy</refentrytitle>
14 <manvolnum>7</manvolnum>
18 <refname>kdbus.policy</refname>
19 <refpurpose>kdbus policy</refpurpose>
23 <title>Description</title>
26 A kdbus policy restricts the possibilities of connections to own, see and
27 talk to well-known names. A policy can be associated with a bus (through a
28 policy holder connection) or a custom endpoint. kdbus stores its policy
29 information in a database that can be accessed through the following
35 <term><constant>KDBUS_CMD_HELLO</constant></term>
37 When creating, or updating, a policy holder connection. See
39 <refentrytitle>kdbus.connection</refentrytitle>
40 <manvolnum>7</manvolnum>
46 <term><constant>KDBUS_CMD_ENDPOINT_MAKE</constant></term>
47 <term><constant>KDBUS_CMD_ENDPOINT_UPDATE</constant></term>
49 When creating, or updating, a bus custom endpoint. See
51 <refentrytitle>kdbus.endpoint</refentrytitle>
52 <manvolnum>7</manvolnum>
59 In all cases, the name and policy access information is stored in items
60 of type <constant>KDBUS_ITEM_NAME</constant> and
61 <constant>KDBUS_ITEM_POLICY_ACCESS</constant>. For this transport, the
62 following rules apply.
68 An item of type <constant>KDBUS_ITEM_NAME</constant> must be followed
69 by at least one <constant>KDBUS_ITEM_POLICY_ACCESS</constant> item.
75 An item of type <constant>KDBUS_ITEM_NAME</constant> can be followed
76 by an arbitrary number of
77 <constant>KDBUS_ITEM_POLICY_ACCESS</constant> items.
83 An arbitrary number of groups of names and access levels can be given.
89 Names passed in items of type <constant>KDBUS_ITEM_NAME</constant> must
90 comply to the rules of valid kdbus.name. See
92 <refentrytitle>kdbus.name</refentrytitle>
93 <manvolnum>7</manvolnum>
97 The payload of an item of type
98 <constant>KDBUS_ITEM_POLICY_ACCESS</constant> is defined by the following
99 struct. For more information on the layout of items, please refer to
101 <refentrytitle>kdbus.item</refentrytitle>
102 <manvolnum>7</manvolnum>
107 struct kdbus_policy_access {
114 <para>The fields in this struct are described below.</para>
118 <term><varname>type</varname></term>
121 One of the following.
126 <term><constant>KDBUS_POLICY_ACCESS_USER</constant></term>
128 Grant access to a user with the UID stored in the
129 <varname>id</varname> field.
134 <term><constant>KDBUS_POLICY_ACCESS_GROUP</constant></term>
136 Grant access to a user with the GID stored in the
137 <varname>id</varname> field.
142 <term><constant>KDBUS_POLICY_ACCESS_WORLD</constant></term>
144 Grant access to everyone. The <varname>id</varname> field
153 <term><varname>access</varname></term>
156 The access to grant. One of the following.
161 <term><constant>KDBUS_POLICY_SEE</constant></term>
163 Allow the name to be seen.
168 <term><constant>KDBUS_POLICY_TALK</constant></term>
170 Allow the name to be talked to.
175 <term><constant>KDBUS_POLICY_OWN</constant></term>
177 Allow the name to be owned.
185 <term><varname>id</varname></term>
187 For <constant>KDBUS_POLICY_ACCESS_USER</constant>, stores the UID.
188 For <constant>KDBUS_POLICY_ACCESS_GROUP</constant>, stores the GID.
195 All endpoints of buses have an empty policy database by default.
196 Therefore, unless policy rules are added, all operations will also be
197 denied by default. Also see
199 <refentrytitle>kdbus.endpoint</refentrytitle>
200 <manvolnum>7</manvolnum>
206 <title>Wildcard names</title>
208 Policy holder connections may upload names that contain the wildcard
209 suffix (<literal>".*"</literal>). Such a policy entry is effective for
210 every well-known name that extends the provided name by exactly one more
213 For example, the name <literal>foo.bar.*</literal> matches both
214 <literal>"foo.bar.baz"</literal> and
215 <literal>"foo.bar.bazbaz"</literal> are, but not
216 <literal>"foo.bar.baz.baz"</literal>.
218 This allows connections to take control over multiple names that the
219 policy holder doesn't need to know about when uploading the policy.
221 Such wildcard entries are not allowed for custom endpoints.
226 <title>Privileged connections</title>
228 The policy database is overruled when action is taken by a privileged
229 connection. Please refer to
231 <refentrytitle>kdbus.connection</refentrytitle>
232 <manvolnum>7</manvolnum>
234 for more information on what makes a connection privileged.
239 <title>Examples</title>
241 For instance, a set of policy rules may look like this:
245 KDBUS_ITEM_NAME: str='org.foo.bar'
246 KDBUS_ITEM_POLICY_ACCESS: type=USER, access=OWN, ID=1000
247 KDBUS_ITEM_POLICY_ACCESS: type=USER, access=TALK, ID=1001
248 KDBUS_ITEM_POLICY_ACCESS: type=WORLD, access=SEE
250 KDBUS_ITEM_NAME: str='org.blah.baz'
251 KDBUS_ITEM_POLICY_ACCESS: type=USER, access=OWN, ID=0
252 KDBUS_ITEM_POLICY_ACCESS: type=WORLD, access=TALK
256 That means that 'org.foo.bar' may only be owned by UID 1000, but every
257 user on the bus is allowed to see the name. However, only UID 1001 may
258 actually send a message to the connection and receive a reply from it.
260 The second rule allows 'org.blah.baz' to be owned by UID 0 only, but
261 every user may talk to it.
266 <title>TALK access and multiple well-known names per connection</title>
268 Note that TALK access is checked against all names of a connection. For
269 example, if a connection owns both <constant>'org.foo.bar'</constant> and
270 <constant>'org.blah.baz'</constant>, and the policy database allows
271 <constant>'org.blah.baz'</constant> to be talked to by WORLD, then this
272 permission is also granted to <constant>'org.foo.bar'</constant>. That
273 might sound illogical, but after all, we allow messages to be directed to
274 either the ID or a well-known name, and policy is applied to the
275 connection, not the name. In other words, the effective TALK policy for a
276 connection is the most permissive of all names the connection owns.
278 For broadcast messages, the receiver needs TALK permissions to the sender
279 to receive the broadcast.
282 Both the endpoint and the bus policy databases are consulted to allow
283 name registry listing, owning a well-known name and message delivery.
284 If either one fails, the operation is failed with
285 <varname>errno</varname> set to <constant>EPERM</constant>.
287 For best practices, connections that own names with a restricted TALK
288 access should not install matches. This avoids cases where the sent
289 message may pass the bloom filter due to false-positives and may also
290 satisfy the policy rules.
294 <refentrytitle>kdbus.match</refentrytitle>
295 <manvolnum>7</manvolnum>
301 <title>Implicit policies</title>
303 Depending on the type of the endpoint, a set of implicit rules that
304 override installed policies might be enforced.
306 On default endpoints, the following set is enforced and checked before
307 any user-supplied policy is checked.
313 Privileged connections always override any installed policy. Those
314 connections could easily install their own policies, so there is no
315 reason to enforce installed policies.
320 Connections can always talk to connections of the same user. This
321 includes broadcast messages.
327 Custom endpoints have stricter policies. The following rules apply:
333 Policy rules are always enforced, even if the connection is a
334 privileged connection.
339 Policy rules are always enforced for <constant>TALK</constant> access,
340 even if both ends are running under the same user. This includes
346 To restrict the set of names that can be seen, endpoint policies can
347 install <constant>SEE</constant> policies.
354 <title>See Also</title>
355 <simplelist type="inline">
358 <refentrytitle>kdbus</refentrytitle>
359 <manvolnum>7</manvolnum>
364 <refentrytitle>kdbus.bus</refentrytitle>
365 <manvolnum>7</manvolnum>
370 <refentrytitle>kdbus.endpoint</refentrytitle>
371 <manvolnum>7</manvolnum>
376 <refentrytitle>kdbus.fs</refentrytitle>
377 <manvolnum>7</manvolnum>
382 <refentrytitle>kdbus.item</refentrytitle>
383 <manvolnum>7</manvolnum>
388 <refentrytitle>kdbus.message</refentrytitle>
389 <manvolnum>7</manvolnum>
394 <refentrytitle>kdbus.name</refentrytitle>
395 <manvolnum>7</manvolnum>
400 <refentrytitle>kdbus.pool</refentrytitle>
401 <manvolnum>7</manvolnum>