X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=bus%2Fpolicy.c;h=27c89ac2f5525824f928ca1184a2e9c4134dd767;hb=dbecdeabb20e0ce11121819c63373f0afba57c58;hp=2d462fb632f61455924632f96bf86e6d2559ef1e;hpb=a683a80c409cc4f2e57ba6a3e60d52f91b8657d0;p=platform%2Fupstream%2Fdbus.git diff --git a/bus/policy.c b/bus/policy.c index 2d462fb..27c89ac 100644 --- a/bus/policy.c +++ b/bus/policy.c @@ -1,9 +1,9 @@ -/* -*- mode: C; c-file-style: "gnu" -*- */ +/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */ /* policy.c Bus security policy * - * Copyright (C) 2003 Red Hat, Inc. + * Copyright (C) 2003, 2004 Red Hat, Inc. * - * Licensed under the Academic Free License version 1.2 + * Licensed under the Academic Free License version 2.1 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -17,10 +17,11 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA * */ +#include #include "policy.h" #include "services.h" #include "test.h" @@ -53,9 +54,18 @@ bus_policy_rule_new (BusPolicyRuleType type, break; case BUS_POLICY_RULE_SEND: rule->d.send.message_type = DBUS_MESSAGE_TYPE_INVALID; + + /* allow rules default to TRUE (only requested replies allowed) + * deny rules default to FALSE (only unrequested replies denied) + */ + rule->d.send.requested_reply = rule->allow; break; case BUS_POLICY_RULE_RECEIVE: rule->d.receive.message_type = DBUS_MESSAGE_TYPE_INVALID; + /* allow rules default to TRUE (only requested replies allowed) + * deny rules default to FALSE (only unrequested replies denied) + */ + rule->d.receive.requested_reply = rule->allow; break; case BUS_POLICY_RULE_OWN: break; @@ -64,12 +74,14 @@ bus_policy_rule_new (BusPolicyRuleType type, return rule; } -void +BusPolicyRule * bus_policy_rule_ref (BusPolicyRule *rule) { _dbus_assert (rule->refcount > 0); rule->refcount += 1; + + return rule; } void @@ -114,10 +126,12 @@ struct BusPolicy { int refcount; - DBusList *default_rules; /**< Default policy rules */ - DBusList *mandatory_rules; /**< Mandatory policy rules */ - DBusHashTable *rules_by_uid; /**< per-UID policy rules */ - DBusHashTable *rules_by_gid; /**< per-GID policy rules */ + DBusList *default_rules; /**< Default policy rules */ + DBusList *mandatory_rules; /**< Mandatory policy rules */ + DBusHashTable *rules_by_uid; /**< per-UID policy rules */ + DBusHashTable *rules_by_gid; /**< per-GID policy rules */ + DBusList *at_console_true_rules; /**< console user policy rules where at_console="true"*/ + DBusList *at_console_false_rules; /**< console user policy rules where at_console="false"*/ }; static void @@ -166,7 +180,7 @@ bus_policy_new (void) free_rule_list_func); if (policy->rules_by_gid == NULL) goto failed; - + return policy; failed: @@ -174,12 +188,14 @@ bus_policy_new (void) return NULL; } -void +BusPolicy * bus_policy_ref (BusPolicy *policy) { _dbus_assert (policy->refcount > 0); policy->refcount += 1; + + return policy; } void @@ -196,7 +212,13 @@ bus_policy_unref (BusPolicy *policy) _dbus_list_foreach (&policy->mandatory_rules, free_rule_func, NULL); _dbus_list_clear (&policy->mandatory_rules); - + + _dbus_list_foreach (&policy->at_console_true_rules, free_rule_func, NULL); + _dbus_list_clear (&policy->at_console_true_rules); + + _dbus_list_foreach (&policy->at_console_false_rules, free_rule_func, NULL); + _dbus_list_clear (&policy->at_console_false_rules); + if (policy->rules_by_uid) { _dbus_hash_table_unref (policy->rules_by_uid); @@ -251,7 +273,8 @@ bus_policy_create_client_policy (BusPolicy *policy, DBusError *error) { BusClientPolicy *client; - unsigned long uid; + dbus_uid_t uid; + dbus_bool_t at_console; _dbus_assert (dbus_connection_get_is_authenticated (connection)); _DBUS_ASSERT_ERROR_IS_CLEAR (error); @@ -273,7 +296,7 @@ bus_policy_create_client_policy (BusPolicy *policy, int n_groups; int i; - if (!bus_connection_get_groups (connection, &groups, &n_groups, error)) + if (!bus_connection_get_unix_groups (connection, &groups, &n_groups, error)) goto failed; i = 0; @@ -298,26 +321,39 @@ bus_policy_create_client_policy (BusPolicy *policy, dbus_free (groups); } - - if (!dbus_connection_get_unix_user (connection, &uid)) + + if (dbus_connection_get_unix_user (connection, &uid)) { - dbus_set_error (error, DBUS_ERROR_FAILED, - "No user ID known for connection, cannot determine security policy\n"); - goto failed; - } + if (_dbus_hash_table_get_n_entries (policy->rules_by_uid) > 0) + { + DBusList **list; + + list = _dbus_hash_table_lookup_ulong (policy->rules_by_uid, + uid); + + if (list != NULL) + { + if (!add_list_to_client (list, client)) + goto nomem; + } + } - if (_dbus_hash_table_get_n_entries (policy->rules_by_uid) > 0) - { - DBusList **list; + /* Add console rules */ + at_console = _dbus_unix_user_is_at_console (uid, error); - list = _dbus_hash_table_lookup_ulong (policy->rules_by_uid, - uid); - - if (list != NULL) + if (at_console) { - if (!add_list_to_client (list, client)) + if (!add_list_to_client (&policy->at_console_true_rules, client)) goto nomem; } + else if (dbus_error_is_set (error) == TRUE) + { + goto failed; + } + else if (!add_list_to_client (&policy->at_console_false_rules, client)) + { + goto nomem; + } } if (!add_list_to_client (&policy->mandatory_rules, @@ -354,7 +390,7 @@ list_allows_user (dbus_bool_t def, { BusPolicyRule *rule = link->data; link = _dbus_list_get_next_link (list, link); - + if (rule->type == BUS_POLICY_RULE_USER) { _dbus_verbose ("List %p user rule uid="DBUS_UID_FORMAT"\n", @@ -398,24 +434,23 @@ list_allows_user (dbus_bool_t def, } dbus_bool_t -bus_policy_allow_user (BusPolicy *policy, - DBusUserDatabase *user_database, - unsigned long uid) +bus_policy_allow_unix_user (BusPolicy *policy, + unsigned long uid) { dbus_bool_t allowed; unsigned long *group_ids; int n_group_ids; /* On OOM or error we always reject the user */ - if (!_dbus_user_database_get_groups (user_database, - uid, &group_ids, &n_group_ids, NULL)) + if (!_dbus_unix_groups_from_uid (uid, &group_ids, &n_group_ids)) { _dbus_verbose ("Did not get any groups for UID %lu\n", uid); return FALSE; } - - allowed = FALSE; + + /* Default to "user owning bus" can connect */ + allowed = _dbus_unix_user_is_process_owner (uid); allowed = list_allows_user (allowed, &policy->default_rules, @@ -434,6 +469,23 @@ bus_policy_allow_user (BusPolicy *policy, return allowed; } +/* For now this is never actually called because the default + * DBusConnection behavior of 'same user that owns the bus can + * connect' is all it would do. Set the windows user function in + * connection.c if the config file ever supports doing something + * interesting here. + */ +dbus_bool_t +bus_policy_allow_windows_user (BusPolicy *policy, + const char *windows_sid) +{ + /* Windows has no policies here since only the session bus + * is really used for now, so just checking that the + * connecting person is the same as the bus owner is fine. + */ + return _dbus_windows_user_is_process_owner (windows_sid); +} + dbus_bool_t bus_policy_append_default_rule (BusPolicy *policy, BusPolicyRule *rule) @@ -458,6 +510,8 @@ bus_policy_append_mandatory_rule (BusPolicy *policy, return TRUE; } + + static DBusList** get_list (DBusHashTable *hash, unsigned long key) @@ -522,6 +576,28 @@ bus_policy_append_group_rule (BusPolicy *policy, return TRUE; } +dbus_bool_t +bus_policy_append_console_rule (BusPolicy *policy, + dbus_bool_t at_console, + BusPolicyRule *rule) +{ + if (at_console) + { + if (!_dbus_list_append (&policy->at_console_true_rules, rule)) + return FALSE; + } + else + { + if (!_dbus_list_append (&policy->at_console_false_rules, rule)) + return FALSE; + } + + bus_policy_rule_ref (rule); + + return TRUE; + +} + static dbus_bool_t append_copy_of_policy_list (DBusList **list, DBusList **to_append) @@ -581,9 +657,10 @@ dbus_bool_t bus_policy_merge (BusPolicy *policy, BusPolicy *to_absorb) { - /* Not properly atomic, but as used for configuration files - * we don't rely on it. - */ + /* FIXME Not properly atomic, but as used for configuration files we + * don't rely on it quite so much. + */ + if (!append_copy_of_policy_list (&policy->default_rules, &to_absorb->default_rules)) return FALSE; @@ -592,6 +669,14 @@ bus_policy_merge (BusPolicy *policy, &to_absorb->mandatory_rules)) return FALSE; + if (!append_copy_of_policy_list (&policy->at_console_true_rules, + &to_absorb->at_console_true_rules)) + return FALSE; + + if (!append_copy_of_policy_list (&policy->at_console_false_rules, + &to_absorb->at_console_false_rules)) + return FALSE; + if (!merge_id_hash (policy->rules_by_uid, to_absorb->rules_by_uid)) return FALSE; @@ -624,12 +709,14 @@ bus_client_policy_new (void) return policy; } -void +BusClientPolicy * bus_client_policy_ref (BusClientPolicy *policy) { _dbus_assert (policy->refcount > 0); policy->refcount += 1; + + return policy; } static void @@ -655,7 +742,7 @@ bus_client_policy_unref (BusClientPolicy *policy) NULL); _dbus_list_clear (&policy->rules); - + dbus_free (policy); } } @@ -778,8 +865,11 @@ bus_client_policy_append_rule (BusClientPolicy *policy, dbus_bool_t bus_client_policy_check_can_send (BusClientPolicy *policy, BusRegistry *registry, + dbus_bool_t requested_reply, DBusConnection *receiver, - DBusMessage *message) + DBusMessage *message, + dbus_int32_t *toggles, + dbus_bool_t *log) { DBusList *link; dbus_bool_t allowed; @@ -789,6 +879,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, */ _dbus_verbose (" (policy) checking send rules\n"); + *toggles = 0; allowed = FALSE; link = _dbus_list_get_first_link (&policy->rules); @@ -817,6 +908,30 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, continue; } } + + /* If it's a reply, the requested_reply flag kicks in */ + if (dbus_message_get_reply_serial (message) != 0) + { + /* for allow, requested_reply=true means the rule applies + * only when reply was requested. requested_reply=false means + * always allow. + */ + if (!requested_reply && rule->allow && rule->d.send.requested_reply && !rule->d.send.eavesdrop) + { + _dbus_verbose (" (policy) skipping allow rule since it only applies to requested replies and does not allow eavesdropping\n"); + continue; + } + + /* for deny, requested_reply=false means the rule applies only + * when the reply was not requested. requested_reply=true means the + * rule always applies. + */ + if (requested_reply && !rule->allow && !rule->d.send.requested_reply) + { + _dbus_verbose (" (policy) skipping deny rule since it only applies to unrequested replies\n"); + continue; + } + } if (rule->d.send.path != NULL) { @@ -831,9 +946,19 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, if (rule->d.send.interface != NULL) { - if (dbus_message_get_interface (message) != NULL && - strcmp (dbus_message_get_interface (message), - rule->d.send.interface) != 0) + /* The interface is optional in messages. For allow rules, if the message + * has no interface we want to skip the rule (and thus not allow); + * for deny rules, if the message has no interface we want to use the + * rule (and thus deny). + */ + dbus_bool_t no_interface; + + no_interface = dbus_message_get_interface (message) == NULL; + + if ((no_interface && rule->allow) || + (!no_interface && + strcmp (dbus_message_get_interface (message), + rule->d.send.interface) != 0)) { _dbus_verbose (" (policy) skipping rule for different interface\n"); continue; @@ -905,6 +1030,8 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, /* Use this rule */ allowed = rule->allow; + *log = rule->d.send.log; + (*toggles)++; _dbus_verbose (" (policy) used rule, allow now = %d\n", allowed); @@ -913,37 +1040,33 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, return allowed; } +/* See docs on what the args mean on bus_context_check_security_policy() + * comment + */ dbus_bool_t bus_client_policy_check_can_receive (BusClientPolicy *policy, BusRegistry *registry, + dbus_bool_t requested_reply, DBusConnection *sender, DBusConnection *addressed_recipient, DBusConnection *proposed_recipient, - DBusMessage *message) + DBusMessage *message, + dbus_int32_t *toggles) { DBusList *link; dbus_bool_t allowed; dbus_bool_t eavesdropping; - - /* NULL sender, proposed_recipient means the bus driver. NULL - * addressed_recipient means the message didn't specify an explicit - * target. If proposed_recipient is NULL, then addressed_recipient - * is also NULL but is implicitly the bus driver. - */ - _dbus_assert (proposed_recipient == NULL || - (dbus_message_get_destination (message) == NULL || - addressed_recipient != NULL)); - eavesdropping = - (proposed_recipient == NULL || /* explicitly to bus driver */ - (addressed_recipient && addressed_recipient != proposed_recipient)); /* explicitly to a different recipient */ + addressed_recipient != proposed_recipient && + dbus_message_get_destination (message) != NULL; /* policy->rules is in the order the rules appeared * in the config file, i.e. last rule that applies wins */ _dbus_verbose (" (policy) checking receive rules, eavesdropping = %d\n", eavesdropping); + *toggles = 0; allowed = FALSE; link = _dbus_list_get_first_link (&policy->rules); @@ -985,6 +1108,30 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, _dbus_verbose (" (policy) skipping deny rule since it only applies to eavesdropping\n"); continue; } + + /* If it's a reply, the requested_reply flag kicks in */ + if (dbus_message_get_reply_serial (message) != 0) + { + /* for allow, requested_reply=true means the rule applies + * only when reply was requested. requested_reply=false means + * always allow. + */ + if (!requested_reply && rule->allow && rule->d.receive.requested_reply && !rule->d.receive.eavesdrop) + { + _dbus_verbose (" (policy) skipping allow rule since it only applies to requested replies and does not allow eavesdropping\n"); + continue; + } + + /* for deny, requested_reply=false means the rule applies only + * when the reply was not requested. requested_reply=true means the + * rule always applies. + */ + if (requested_reply && !rule->allow && !rule->d.receive.requested_reply) + { + _dbus_verbose (" (policy) skipping deny rule since it only applies to unrequested replies\n"); + continue; + } + } if (rule->d.receive.path != NULL) { @@ -999,9 +1146,19 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, if (rule->d.receive.interface != NULL) { - if (dbus_message_get_interface (message) != NULL && - strcmp (dbus_message_get_interface (message), - rule->d.receive.interface) != 0) + /* The interface is optional in messages. For allow rules, if the message + * has no interface we want to skip the rule (and thus not allow); + * for deny rules, if the message has no interface we want to use the + * rule (and thus deny). + */ + dbus_bool_t no_interface; + + no_interface = dbus_message_get_interface (message) == NULL; + + if ((no_interface && rule->allow) || + (!no_interface && + strcmp (dbus_message_get_interface (message), + rule->d.receive.interface) != 0)) { _dbus_verbose (" (policy) skipping rule for different interface\n"); continue; @@ -1074,6 +1231,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, /* Use this rule */ allowed = rule->allow; + (*toggles)++; _dbus_verbose (" (policy) used rule, allow now = %d\n", allowed);