policychecker: modified 'Unconstrained allow' rule 15/186815/3
authorAdrian Szyndela <adrian.s@samsung.com>
Tue, 14 Aug 2018 13:54:50 +0000 (15:54 +0200)
committerAdrian Szyndela <adrian.s@samsung.com>
Mon, 20 Aug 2018 09:39:23 +0000 (11:39 +0200)
The 'Unconstrained allow' rule used to report every allow in the default
or mandatory context.
Now it reports those allow rules, in both contexts, that:
- allow send_type='method_call' but do not specify destination and interface;
- allow send_path but do not specify destination;
- allow receive_type='method_call' but do not specify sender and interface;
- allow receive_path but do not specify sender.
Additionally, in user and group context send_destination is required
when send_type="method_call" or send_path is present, and receive_sender
is required when receive_type="method_call" or receive_path is present.

Change-Id: Icd822bf4b3e2f105a07e80ca61415410faaeb00a

policychecker/rules.xsl

index f159b6f20c802ed03f1af1fac6241555fec45b58..8a8d3f455a0203feb8baeb2b38d88f637f587dbf 100644 (file)
        </sch:pattern>
 
        <sch:pattern name="Unconstrained allow in default context (or mandatory)">
-               <!-- use true() to issue an error for each allow and not only once per policy -->
-               <sch:rule context="policy[@context = 'default']/allow | policy[@context = 'mandatory']/allow">
-                       <sch:report test="true()">Unconstrained allows are not allowed in context default and context mandatory.</sch:report>
+               <!-- policy[@context] means that it applies to both default and mandatory contexts -->
+               <sch:rule context="policy[@context]/allow[@send_type='method_call']">
+                       <sch:assert test="@send_destination">Unconstrained allows are not allowed in context default and context mandatory: missing send_destination, but send_type="method_call" is present.</sch:assert>
+                       <sch:assert test="@send_interface">Unconstrained allows are not allowed in context default and context mandatory: missing send_interface, but send_type="method_call" is present.</sch:assert>
+               </sch:rule>
+               <sch:rule context="policy[@context]/allow[@send_path]">
+                       <sch:assert test="@send_destination">Unconstrained allows are not allowed in context default and context mandatory: missing send_destination, but send_path is present.</sch:assert>
+               </sch:rule>
+               <sch:rule context="policy[@context]/allow[@receive_type='method_call']">
+                       <sch:assert test="@receive_sender">Unconstrained allows are not allowed in context default and context mandatory: missing receive_sender, but receive_type="method_call" is present.</sch:assert>
+                       <sch:assert test="@receive_interface">Unconstrained allows are not allowed in context default and context mandatory: missing receive_interface, but receive_type="method_call" is present.</sch:assert>
+               </sch:rule>
+               <sch:rule context="policy[@context]/allow[@receive_path]">
+                       <sch:assert test="@receive_sender">Unconstrained allows are not allowed in context default and context mandatory: missing receive_sender, but receive_path is present.</sch:assert>
+               </sch:rule>
+               <!-- user and group contexts need at least send_destination -->
+               <sch:rule context="policy[@user]/allow[@send_type='method_call'] | policy[@group]/allow[@send_type='method_call']">
+                       <sch:assert test="@send_destination">Unconstrained allows are not allowed in user or group context: missing send_destination, but send_type="method_call" is present.</sch:assert>
+               </sch:rule>
+               <sch:rule context="policy[@user]/allow[@send_path] | policy[@group]/allow[@send_path]">
+                       <sch:assert test="@send_destination">Unconstrained allows are not allowed in user or group context: missing send_destination, but send_path is present.</sch:assert>
+               </sch:rule>
+               <sch:rule context="policy[@user]/allow[@receive_type='method_call'] | policy[@group]/allow[@receive_type='method_call']">
+                       <sch:assert test="@receive_sender">Unconstrained allows are not allowed in user or group context: missing receive_sender, but receive_type="method_call" is present.</sch:assert>
+               </sch:rule>
+               <sch:rule context="policy[@user]/allow[@receive_path] | policy[@group]/allow[@receive_path]">
+                       <sch:assert test="@receive_sender">Unconstrained allows are not allowed in user or group context: missing receive_sender, but receive_path is present.</sch:assert>
                </sch:rule>
        </sch:pattern>
        <!-- additional rule -->
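Review bot: An `allow` that carries more than one of the trigger attributes is only partly checked, because within a single `sch:pattern` a Schematron processor normally applies just the first `sch:rule` whose context matches a node. An allow in a default or mandatory policy with both `send_type="method_call"` and `receive_type="method_call"` would match the first rule and never reach the receive_sender/receive_interface asserts. Giving each rule its own `sch:pattern` would close that gap, as would one rule on `policy[@context]/allow` with conditional tests such as `test="not(@receive_type='method_call') or @receive_sender"`. Separately, a bare `<allow/>`, or one that omits send_type/receive_type and the path attributes, no longer matches any rule here, although an omitted attribute matches every message type in D-Bus policy; if that narrowing is intended, it deserves a comment next to the pattern. The pattern name still reads "in default context (or mandatory)" while the new rules also cover user and group policies, so it should be updated to match.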