policychecker: allow signal rules if send_path is present 09/197509/1 accepted/tizen/unified/20190115.173220 submit/tizen/20190115.084148
authorAdrian Szyndela <adrian.s@samsung.com>
Thu, 10 Jan 2019 11:29:12 +0000 (12:29 +0100)
committerAdrian Szyndela <adrian.s@samsung.com>
Fri, 11 Jan 2019 14:32:50 +0000 (15:32 +0100)
In case a rule contained send_path, we required it also to have
send_destination or send_destination_prefix.
However, a rule may be crafted for signals, which are broadcast,
therefore they don't have any destination at all.
This patch relaxes the requirement a bit, allowing rules
that have send_path without send_destination, on condition that
the rule contains send_interface and send_type='signal' attributes.

Change-Id: I99ff19271121f726df81e2aed8a124a78f7eadbc

policychecker/rules.xsl

index d022d9c5a40ce70691cee9cde1981d40e1b293f6..0b408a5600e1a156b89fde22b51a35b71677e998 100644 (file)
@@ -73,7 +73,7 @@
                        <sch:assert test="@send_interface">Unconstrained allows are not allowed in context default and context mandatory: missing send_interface, but send_type="method_call" is present.</sch:assert>
                </sch:rule>
                <sch:rule context="policy[@context]/allow[@send_path]">
-                       <sch:assert test="@send_destination or @send_destination_prefix">Unconstrained allows are not allowed in context default and context mandatory: missing send_destination or send_destination_prefix, but send_path is present.</sch:assert>
+                       <sch:assert test="@send_destination or @send_destination_prefix or (@send_interface and @send_type='signal')">Unconstrained allows are not allowed in context default and context mandatory: missing send_destination or send_destination_prefix for non-signal, but send_path is present.</sch:assert>
                </sch:rule>
                <sch:rule context="policy[@context]/allow[@receive_type='method_call']">
                        <sch:assert test="@receive_sender">Unconstrained allows are not allowed in context default and context mandatory: missing receive_sender, but receive_type="method_call" is present.</sch:assert>
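Review bot: The failure text on the new assert in `policy[@context]/allow[@send_path]` no longer matches its test. A rule with send_path and send_type='signal' but no send_interface fails, yet the message only mentions a missing destination "for non-signal", so the policy author is not told that send_interface is the missing attribute. I would spell out the accepted alternative, e.g. `missing send_destination or send_destination_prefix (or send_interface together with send_type="signal"), but send_path is present.` The user/group rule in the second hunk uses the same wording and needs the same change. The enclosing sch:pattern starts and ends outside the hunk.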
@@ -87,7 +87,7 @@
                        <sch:assert test="@send_destination or @send_destination_prefix">Unconstrained allows are not allowed in user or group context: missing send_destination or send_destination_prefix, but send_type="method_call" is present.</sch:assert>
                </sch:rule>
                <sch:rule context="policy[@user]/allow[@send_path] | policy[@group]/allow[@send_path]">
-                       <sch:assert test="@send_destination or @send_destination_prefix">Unconstrained allows are not allowed in user or group context: missing send_destination or send_destination_prefix, but send_path is present.</sch:assert>
+                       <sch:assert test="@send_destination or @send_destination_prefix or (@send_interface and @send_type='signal')">Unconstrained allows are not allowed in user or group context: missing send_destination or send_destination_prefix for non-signal, but send_path is present.</sch:assert>
                </sch:rule>
                <sch:rule context="policy[@user]/allow[@receive_type='method_call'] | policy[@group]/allow[@receive_type='method_call']">
                        <sch:assert test="@receive_sender">Unconstrained allows are not allowed in user or group context: missing receive_sender, but receive_type="method_call" is present.</sch:assert>
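Review bot: The signal exception in the user/group `allow[@send_path]` rule has no comment explaining why an allow without any destination still counts as constrained, which is what a later editor of this checker most needs to know. D-Bus signals are normally broadcast but may also carry a destination, so such a rule presumably matches those as well, leaving send_interface as the only constraint besides the path. I would add above the assert `<!-- signals usually have no destination; send_interface is required instead so the allow stays constrained -->`, and the same comment in the default/mandatory rule in the first hunk. The enclosing sch:pattern starts and ends outside the hunk.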