-/* -*- mode: C; c-file-style: "gnu" -*- */
+/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
/* policy.c Bus security policy
*
- * Copyright (C) 2003 Red Hat, Inc.
+ * Copyright (C) 2003, 2004 Red Hat, Inc.
*
- * Licensed under the Academic Free License version 1.2
+ * Licensed under the Academic Free License version 2.1
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
+#include <config.h>
#include "policy.h"
#include "services.h"
#include "test.h"
rule->d.group.gid = DBUS_GID_UNSET;
break;
case BUS_POLICY_RULE_SEND:
+ rule->d.send.message_type = DBUS_MESSAGE_TYPE_INVALID;
+
+ /* allow rules default to TRUE (only requested replies allowed)
+ * deny rules default to FALSE (only unrequested replies denied)
+ */
+ rule->d.send.requested_reply = rule->allow;
+ break;
case BUS_POLICY_RULE_RECEIVE:
+ rule->d.receive.message_type = DBUS_MESSAGE_TYPE_INVALID;
+ /* allow rules default to TRUE (only requested replies allowed)
+ * deny rules default to FALSE (only unrequested replies denied)
+ */
+ rule->d.receive.requested_reply = rule->allow;
+ break;
case BUS_POLICY_RULE_OWN:
break;
}
return rule;
}
-void
+BusPolicyRule *
bus_policy_rule_ref (BusPolicyRule *rule)
{
_dbus_assert (rule->refcount > 0);
rule->refcount += 1;
+
+ return rule;
}
void
switch (rule->type)
{
case BUS_POLICY_RULE_SEND:
+ dbus_free (rule->d.send.path);
dbus_free (rule->d.send.interface);
dbus_free (rule->d.send.member);
dbus_free (rule->d.send.error);
dbus_free (rule->d.send.destination);
break;
case BUS_POLICY_RULE_RECEIVE:
+ dbus_free (rule->d.receive.path);
dbus_free (rule->d.receive.interface);
dbus_free (rule->d.receive.member);
dbus_free (rule->d.receive.error);
{
int refcount;
- DBusList *default_rules; /**< Default policy rules */
- DBusList *mandatory_rules; /**< Mandatory policy rules */
- DBusHashTable *rules_by_uid; /**< per-UID policy rules */
- DBusHashTable *rules_by_gid; /**< per-GID policy rules */
+ DBusList *default_rules; /**< Default policy rules */
+ DBusList *mandatory_rules; /**< Mandatory policy rules */
+ DBusHashTable *rules_by_uid; /**< per-UID policy rules */
+ DBusHashTable *rules_by_gid; /**< per-GID policy rules */
+ DBusList *at_console_true_rules; /**< console user policy rules where at_console="true"*/
+ DBusList *at_console_false_rules; /**< console user policy rules where at_console="false"*/
};
static void
policy->refcount = 1;
- policy->rules_by_uid = _dbus_hash_table_new (DBUS_HASH_ULONG,
+ policy->rules_by_uid = _dbus_hash_table_new (DBUS_HASH_UINTPTR,
NULL,
free_rule_list_func);
if (policy->rules_by_uid == NULL)
goto failed;
- policy->rules_by_gid = _dbus_hash_table_new (DBUS_HASH_ULONG,
+ policy->rules_by_gid = _dbus_hash_table_new (DBUS_HASH_UINTPTR,
NULL,
free_rule_list_func);
if (policy->rules_by_gid == NULL)
goto failed;
-
+
return policy;
failed:
return NULL;
}
-void
+BusPolicy *
bus_policy_ref (BusPolicy *policy)
{
_dbus_assert (policy->refcount > 0);
policy->refcount += 1;
+
+ return policy;
}
void
_dbus_list_foreach (&policy->mandatory_rules, free_rule_func, NULL);
_dbus_list_clear (&policy->mandatory_rules);
-
+
+ _dbus_list_foreach (&policy->at_console_true_rules, free_rule_func, NULL);
+ _dbus_list_clear (&policy->at_console_true_rules);
+
+ _dbus_list_foreach (&policy->at_console_false_rules, free_rule_func, NULL);
+ _dbus_list_clear (&policy->at_console_false_rules);
+
if (policy->rules_by_uid)
{
_dbus_hash_table_unref (policy->rules_by_uid);
DBusError *error)
{
BusClientPolicy *client;
- unsigned long uid;
+ dbus_uid_t uid;
+ dbus_bool_t at_console;
_dbus_assert (dbus_connection_get_is_authenticated (connection));
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
int n_groups;
int i;
- if (!bus_connection_get_groups (connection, &groups, &n_groups, error))
+ if (!bus_connection_get_unix_groups (connection, &groups, &n_groups, error))
goto failed;
i = 0;
{
DBusList **list;
- list = _dbus_hash_table_lookup_ulong (policy->rules_by_gid,
+ list = _dbus_hash_table_lookup_uintptr (policy->rules_by_gid,
groups[i]);
if (list != NULL)
dbus_free (groups);
}
-
- if (!dbus_connection_get_unix_user (connection, &uid))
+
+ if (dbus_connection_get_unix_user (connection, &uid))
{
- dbus_set_error (error, DBUS_ERROR_FAILED,
- "No user ID known for connection, cannot determine security policy\n");
- goto failed;
- }
+ if (_dbus_hash_table_get_n_entries (policy->rules_by_uid) > 0)
+ {
+ DBusList **list;
+
+ list = _dbus_hash_table_lookup_uintptr (policy->rules_by_uid,
+ uid);
+
+ if (list != NULL)
+ {
+ if (!add_list_to_client (list, client))
+ goto nomem;
+ }
+ }
- if (_dbus_hash_table_get_n_entries (policy->rules_by_uid) > 0)
- {
- DBusList **list;
+ /* Add console rules */
+ at_console = _dbus_unix_user_is_at_console (uid, error);
- list = _dbus_hash_table_lookup_ulong (policy->rules_by_uid,
- uid);
-
- if (list != NULL)
+ if (at_console)
{
- if (!add_list_to_client (list, client))
+ if (!add_list_to_client (&policy->at_console_true_rules, client))
goto nomem;
}
+ else if (dbus_error_is_set (error) == TRUE)
+ {
+ goto failed;
+ }
+ else if (!add_list_to_client (&policy->at_console_false_rules, client))
+ {
+ goto nomem;
+ }
}
if (!add_list_to_client (&policy->mandatory_rules,
{
BusPolicyRule *rule = link->data;
link = _dbus_list_get_next_link (list, link);
-
+
if (rule->type == BUS_POLICY_RULE_USER)
{
_dbus_verbose ("List %p user rule uid="DBUS_UID_FORMAT"\n",
}
else if (rule->type == BUS_POLICY_RULE_GROUP)
{
- _dbus_verbose ("List %p group rule uid="DBUS_UID_FORMAT"\n",
- list, rule->d.user.uid);
+ _dbus_verbose ("List %p group rule gid="DBUS_GID_FORMAT"\n",
+ list, rule->d.group.gid);
if (rule->d.group.gid == DBUS_GID_UNSET)
; /* '*' wildcard */
}
dbus_bool_t
-bus_policy_allow_user (BusPolicy *policy,
- DBusUserDatabase *user_database,
- unsigned long uid)
+bus_policy_allow_unix_user (BusPolicy *policy,
+ unsigned long uid)
{
dbus_bool_t allowed;
unsigned long *group_ids;
int n_group_ids;
/* On OOM or error we always reject the user */
- if (!_dbus_user_database_get_groups (user_database,
- uid, &group_ids, &n_group_ids, NULL))
+ if (!_dbus_unix_groups_from_uid (uid, &group_ids, &n_group_ids))
{
_dbus_verbose ("Did not get any groups for UID %lu\n",
uid);
return FALSE;
}
-
- allowed = FALSE;
+
+ /* Default to "user owning bus" can connect */
+ allowed = _dbus_unix_user_is_process_owner (uid);
allowed = list_allows_user (allowed,
&policy->default_rules,
return allowed;
}
+/* For now this is never actually called because the default
+ * DBusConnection behavior of 'same user that owns the bus can
+ * connect' is all it would do. Set the windows user function in
+ * connection.c if the config file ever supports doing something
+ * interesting here.
+ */
+dbus_bool_t
+bus_policy_allow_windows_user (BusPolicy *policy,
+ const char *windows_sid)
+{
+ /* Windows has no policies here since only the session bus
+ * is really used for now, so just checking that the
+ * connecting person is the same as the bus owner is fine.
+ */
+ return _dbus_windows_user_is_process_owner (windows_sid);
+}
+
dbus_bool_t
bus_policy_append_default_rule (BusPolicy *policy,
BusPolicyRule *rule)
return TRUE;
}
+
+
static DBusList**
get_list (DBusHashTable *hash,
unsigned long key)
{
DBusList **list;
- list = _dbus_hash_table_lookup_ulong (hash, key);
+ list = _dbus_hash_table_lookup_uintptr (hash, key);
if (list == NULL)
{
if (list == NULL)
return NULL;
- if (!_dbus_hash_table_insert_ulong (hash, key, list))
+ if (!_dbus_hash_table_insert_uintptr (hash, key, list))
{
dbus_free (list);
return NULL;
return TRUE;
}
+dbus_bool_t
+bus_policy_append_console_rule (BusPolicy *policy,
+ dbus_bool_t at_console,
+ BusPolicyRule *rule)
+{
+ if (at_console)
+ {
+ if (!_dbus_list_append (&policy->at_console_true_rules, rule))
+ return FALSE;
+ }
+ else
+ {
+ if (!_dbus_list_append (&policy->at_console_false_rules, rule))
+ return FALSE;
+ }
+
+ bus_policy_rule_ref (rule);
+
+ return TRUE;
+
+}
+
static dbus_bool_t
append_copy_of_policy_list (DBusList **list,
DBusList **to_append)
_dbus_hash_iter_init (to_absorb, &iter);
while (_dbus_hash_iter_next (&iter))
{
- unsigned long id = _dbus_hash_iter_get_ulong_key (&iter);
+ unsigned long id = _dbus_hash_iter_get_uintptr_key (&iter);
DBusList **list = _dbus_hash_iter_get_value (&iter);
DBusList **target = get_list (dest, id);
bus_policy_merge (BusPolicy *policy,
BusPolicy *to_absorb)
{
- /* Not properly atomic, but as used for configuration files
- * we don't rely on it.
- */
+ /* FIXME Not properly atomic, but as used for configuration files we
+ * don't rely on it quite so much.
+ */
+
if (!append_copy_of_policy_list (&policy->default_rules,
&to_absorb->default_rules))
return FALSE;
&to_absorb->mandatory_rules))
return FALSE;
+ if (!append_copy_of_policy_list (&policy->at_console_true_rules,
+ &to_absorb->at_console_true_rules))
+ return FALSE;
+
+ if (!append_copy_of_policy_list (&policy->at_console_false_rules,
+ &to_absorb->at_console_false_rules))
+ return FALSE;
+
if (!merge_id_hash (policy->rules_by_uid,
to_absorb->rules_by_uid))
return FALSE;
return policy;
}
-void
+BusClientPolicy *
bus_client_policy_ref (BusClientPolicy *policy)
{
_dbus_assert (policy->refcount > 0);
policy->refcount += 1;
+
+ return policy;
}
static void
NULL);
_dbus_list_clear (&policy->rules);
-
+
dbus_free (policy);
}
}
{
case BUS_POLICY_RULE_SEND:
remove_preceding =
+ rule->d.send.message_type == DBUS_MESSAGE_TYPE_INVALID &&
+ rule->d.send.path == NULL &&
rule->d.send.interface == NULL &&
rule->d.send.member == NULL &&
rule->d.send.error == NULL &&
break;
case BUS_POLICY_RULE_RECEIVE:
remove_preceding =
+ rule->d.receive.message_type == DBUS_MESSAGE_TYPE_INVALID &&
+ rule->d.receive.path == NULL &&
rule->d.receive.interface == NULL &&
rule->d.receive.member == NULL &&
rule->d.receive.error == NULL &&
dbus_bool_t
bus_client_policy_check_can_send (BusClientPolicy *policy,
BusRegistry *registry,
+ dbus_bool_t requested_reply,
DBusConnection *receiver,
- DBusMessage *message)
+ DBusMessage *message,
+ dbus_int32_t *toggles,
+ dbus_bool_t *log)
{
DBusList *link;
dbus_bool_t allowed;
*/
_dbus_verbose (" (policy) checking send rules\n");
+ *toggles = 0;
allowed = FALSE;
link = _dbus_list_get_first_link (&policy->rules);
continue;
}
+ if (rule->d.send.message_type != DBUS_MESSAGE_TYPE_INVALID)
+ {
+ if (dbus_message_get_type (message) != rule->d.send.message_type)
+ {
+ _dbus_verbose (" (policy) skipping rule for different message type\n");
+ continue;
+ }
+ }
+
+ /* If it's a reply, the requested_reply flag kicks in */
+ if (dbus_message_get_reply_serial (message) != 0)
+ {
+ /* for allow, requested_reply=true means the rule applies
+ * only when reply was requested. requested_reply=false means
+ * always allow.
+ */
+ if (!requested_reply && rule->allow && rule->d.send.requested_reply && !rule->d.send.eavesdrop)
+ {
+ _dbus_verbose (" (policy) skipping allow rule since it only applies to requested replies and does not allow eavesdropping\n");
+ continue;
+ }
+
+ /* for deny, requested_reply=false means the rule applies only
+ * when the reply was not requested. requested_reply=true means the
+ * rule always applies.
+ */
+ if (requested_reply && !rule->allow && !rule->d.send.requested_reply)
+ {
+ _dbus_verbose (" (policy) skipping deny rule since it only applies to unrequested replies\n");
+ continue;
+ }
+ }
+
+ if (rule->d.send.path != NULL)
+ {
+ if (dbus_message_get_path (message) != NULL &&
+ strcmp (dbus_message_get_path (message),
+ rule->d.send.path) != 0)
+ {
+ _dbus_verbose (" (policy) skipping rule for different path\n");
+ continue;
+ }
+ }
+
if (rule->d.send.interface != NULL)
{
- if (dbus_message_get_interface (message) != NULL &&
- strcmp (dbus_message_get_interface (message),
- rule->d.send.interface) != 0)
+ /* The interface is optional in messages. For allow rules, if the message
+ * has no interface we want to skip the rule (and thus not allow);
+ * for deny rules, if the message has no interface we want to use the
+ * rule (and thus deny).
+ */
+ dbus_bool_t no_interface;
+
+ no_interface = dbus_message_get_interface (message) == NULL;
+
+ if ((no_interface && rule->allow) ||
+ (!no_interface &&
+ strcmp (dbus_message_get_interface (message),
+ rule->d.send.interface) != 0))
{
_dbus_verbose (" (policy) skipping rule for different interface\n");
continue;
/* Use this rule */
allowed = rule->allow;
+ *log = rule->d.send.log;
+ (*toggles)++;
_dbus_verbose (" (policy) used rule, allow now = %d\n",
allowed);
return allowed;
}
+/* See docs on what the args mean on bus_context_check_security_policy()
+ * comment
+ */
dbus_bool_t
bus_client_policy_check_can_receive (BusClientPolicy *policy,
BusRegistry *registry,
+ dbus_bool_t requested_reply,
DBusConnection *sender,
- DBusMessage *message)
+ DBusConnection *addressed_recipient,
+ DBusConnection *proposed_recipient,
+ DBusMessage *message,
+ dbus_int32_t *toggles)
{
DBusList *link;
dbus_bool_t allowed;
+ dbus_bool_t eavesdropping;
+
+ eavesdropping =
+ addressed_recipient != proposed_recipient &&
+ dbus_message_get_destination (message) != NULL;
/* policy->rules is in the order the rules appeared
* in the config file, i.e. last rule that applies wins
*/
- _dbus_verbose (" (policy) checking receive rules\n");
+ _dbus_verbose (" (policy) checking receive rules, eavesdropping = %d\n", eavesdropping);
+ *toggles = 0;
allowed = FALSE;
link = _dbus_list_get_first_link (&policy->rules);
_dbus_verbose (" (policy) skipping non-receive rule\n");
continue;
}
+
+ if (rule->d.receive.message_type != DBUS_MESSAGE_TYPE_INVALID)
+ {
+ if (dbus_message_get_type (message) != rule->d.receive.message_type)
+ {
+ _dbus_verbose (" (policy) skipping rule for different message type\n");
+ continue;
+ }
+ }
+
+ /* for allow, eavesdrop=false means the rule doesn't apply when
+ * eavesdropping. eavesdrop=true means always allow.
+ */
+ if (eavesdropping && rule->allow && !rule->d.receive.eavesdrop)
+ {
+ _dbus_verbose (" (policy) skipping allow rule since it doesn't apply to eavesdropping\n");
+ continue;
+ }
+
+ /* for deny, eavesdrop=true means the rule applies only when
+ * eavesdropping; eavesdrop=false means always deny.
+ */
+ if (!eavesdropping && !rule->allow && rule->d.receive.eavesdrop)
+ {
+ _dbus_verbose (" (policy) skipping deny rule since it only applies to eavesdropping\n");
+ continue;
+ }
+
+ /* If it's a reply, the requested_reply flag kicks in */
+ if (dbus_message_get_reply_serial (message) != 0)
+ {
+ /* for allow, requested_reply=true means the rule applies
+ * only when reply was requested. requested_reply=false means
+ * always allow.
+ */
+ if (!requested_reply && rule->allow && rule->d.receive.requested_reply && !rule->d.receive.eavesdrop)
+ {
+ _dbus_verbose (" (policy) skipping allow rule since it only applies to requested replies and does not allow eavesdropping\n");
+ continue;
+ }
+
+ /* for deny, requested_reply=false means the rule applies only
+ * when the reply was not requested. requested_reply=true means the
+ * rule always applies.
+ */
+ if (requested_reply && !rule->allow && !rule->d.receive.requested_reply)
+ {
+ _dbus_verbose (" (policy) skipping deny rule since it only applies to unrequested replies\n");
+ continue;
+ }
+ }
+
+ if (rule->d.receive.path != NULL)
+ {
+ if (dbus_message_get_path (message) != NULL &&
+ strcmp (dbus_message_get_path (message),
+ rule->d.receive.path) != 0)
+ {
+ _dbus_verbose (" (policy) skipping rule for different path\n");
+ continue;
+ }
+ }
if (rule->d.receive.interface != NULL)
{
- if (dbus_message_get_interface (message) != NULL &&
- strcmp (dbus_message_get_interface (message),
- rule->d.receive.interface) != 0)
+ /* The interface is optional in messages. For allow rules, if the message
+ * has no interface we want to skip the rule (and thus not allow);
+ * for deny rules, if the message has no interface we want to use the
+ * rule (and thus deny).
+ */
+ dbus_bool_t no_interface;
+
+ no_interface = dbus_message_get_interface (message) == NULL;
+
+ if ((no_interface && rule->allow) ||
+ (!no_interface &&
+ strcmp (dbus_message_get_interface (message),
+ rule->d.receive.interface) != 0))
{
_dbus_verbose (" (policy) skipping rule for different interface\n");
continue;
}
}
}
-
+
/* Use this rule */
allowed = rule->allow;
+ (*toggles)++;
_dbus_verbose (" (policy) used rule, allow now = %d\n",
allowed);
return allowed;
}
-dbus_bool_t
-bus_client_policy_check_can_own (BusClientPolicy *policy,
- DBusConnection *connection,
- const DBusString *service_name)
+
+
+static dbus_bool_t
+bus_rules_check_can_own (DBusList *rules,
+ const DBusString *service_name)
{
DBusList *link;
dbus_bool_t allowed;
- /* policy->rules is in the order the rules appeared
+ /* rules is in the order the rules appeared
* in the config file, i.e. last rule that applies wins
*/
allowed = FALSE;
- link = _dbus_list_get_first_link (&policy->rules);
+ link = _dbus_list_get_first_link (&rules);
while (link != NULL)
{
BusPolicyRule *rule = link->data;
- link = _dbus_list_get_next_link (&policy->rules, link);
+ link = _dbus_list_get_next_link (&rules, link);
/* Rule is skipped if it specifies a different service name from
* the desired one.
if (rule->type != BUS_POLICY_RULE_OWN)
continue;
- if (rule->d.own.service_name != NULL)
+ if (!rule->d.own.prefix && rule->d.own.service_name != NULL)
{
if (!_dbus_string_equal_c_str (service_name,
rule->d.own.service_name))
continue;
}
+ else if (rule->d.own.prefix)
+ {
+ const char *data;
+ char next_char;
+ if (!_dbus_string_starts_with_c_str (service_name,
+ rule->d.own.service_name))
+ continue;
+
+ data = _dbus_string_get_const_data (service_name);
+ next_char = data[strlen (rule->d.own.service_name)];
+ if (next_char != '\0' && next_char != '.')
+ continue;
+ }
/* Use this rule */
allowed = rule->allow;
return allowed;
}
-#ifdef DBUS_BUILD_TESTS
+dbus_bool_t
+bus_client_policy_check_can_own (BusClientPolicy *policy,
+ const DBusString *service_name)
+{
+ return bus_rules_check_can_own (policy->rules, service_name);
+}
+#ifdef DBUS_ENABLE_EMBEDDED_TESTS
dbus_bool_t
-bus_policy_test (const DBusString *test_data_dir)
+bus_policy_check_can_own (BusPolicy *policy,
+ const DBusString *service_name)
{
- /* This doesn't do anything for now because I decided to do it in
- * dispatch.c instead by having some of the clients in dispatch.c
- * have particular policies applied to them.
- */
-
- return TRUE;
+ return bus_rules_check_can_own (policy->default_rules, service_name);
}
+#endif /* DBUS_ENABLE_EMBEDDED_TESTS */
-#endif /* DBUS_BUILD_TESTS */