#define DBUSPOLICY_MESSAGE_TYPE_METHOD_RETURN 2
#define DBUSPOLICY_MESSAGE_TYPE_ERROR 3
#define DBUSPOLICY_MESSAGE_TYPE_SIGNAL 4
-
#define DBUSPOLICY_RESULT_ALLOW 1
#define DBUSPOLICY_RESULT_DENY 0
#define DBUSPOLICY_RESULT_DEST_NOT_AVAILABLE -1
}
CynaraResult Cynara::check(const char* label, const char* privilege, const char* uid) {
-
- const char* _label="";
- const char* _uid="";
- const char* _privilege="";
+ const char* _label = "";
+ const char* _uid = "";
+ const char* _privilege = "";
CynaraResult ret;
-
if (label)
- _label=label;
-
+ _label = label;
if (privilege)
- _privilege=privilege;
-
+ _privilege = privilege;
if (uid)
- _uid=uid;
-
+ _uid = uid;
pthread_mutex_lock(&__mutex);
Cynara& c = Cynara::getInstance();
- if (!c.init())
+ if (!c.init()) {
ret = CynaraResult::ERROR_INIT;
- else {
- int r = cynara_check (c.__cynara, _label, c.__session, _uid, _privilege);
+ } else {
+ int r = cynara_check(c.__cynara, _label, c.__session, _uid, _privilege);
if (r == CYNARA_API_ACCESS_ALLOWED)
ret = CynaraResult::ALLOW;
else if (r == CYNARA_API_ACCESS_DENIED)
const char* const member,
int type)
{
- ldp_xml_parser::MatchItemSR matcher (interface, member, path, static_cast<ldp_xml_parser::MessageType>(type), ldp_xml_parser::MessageDirection::SEND);
+ ldp_xml_parser::MatchItemSR matcher(interface, member, path, static_cast<ldp_xml_parser::MessageType>(type), ldp_xml_parser::MessageDirection::SEND);
if (!matcher.addNames(destination)) {
if (tslog::verbose())
- std::cout << "Destination too long: "<<destination<<std::endl;
+ std::cout << "Destination too long: " << destination << std::endl;
return false;
}
-
return static_cast<int>(policy_checker.check(bus_type, user, group, label, matcher, ldp_xml_parser::ItemType::SEND));
}
int type)
{
int i = 0;
- ldp_xml_parser::MatchItemSR matcher (interface, member, path, static_cast<ldp_xml_parser::MessageType>(type), ldp_xml_parser::MessageDirection::SEND);
+ ldp_xml_parser::MatchItemSR matcher(interface, member, path, static_cast<ldp_xml_parser::MessageType>(type), ldp_xml_parser::MessageDirection::SEND);
if (destination)
while (destination[i++]) {
matcher.addName(destination[i]);
const char* const member,
int type)
{
- ldp_xml_parser::MatchItemSR matcher (interface, member, path, static_cast<ldp_xml_parser::MessageType>(type), ldp_xml_parser::MessageDirection::RECEIVE);
+ ldp_xml_parser::MatchItemSR matcher(interface, member, path, static_cast<ldp_xml_parser::MessageType>(type), ldp_xml_parser::MessageDirection::RECEIVE);
if (!matcher.addNames(sender)) {
if (tslog::verbose())
- std::cout << "Sender too long: "<<sender<<std::endl;
+ std::cout << "Sender too long: " << sender << std::endl;
return false;
}
return static_cast<int>(policy_checker.check(bus_type, user, group, label, matcher, ldp_xml_parser::ItemType::RECEIVE));
bool is_error() const {
return (m_err < 0);
}
-
};
} //namespace
return *m_adapter;
}
-
-
NaivePolicyDb& NaivePolicyChecker::getPolicyDb(bool type) {
return m_bus_db[type];
}
uid_t uid,
const char* label,
const char* privilege) {
-
char uid_str[17];
if (tslog::verbose()) {
- std::cout<<"----Decision made\n";
+ std::cout << "----Decision made\n";
}
switch (decision)
{
- case Decision::ALLOW:
- return DecisionResult::ALLOW;
- case Decision::ANY:
- case Decision::DENY:
- return DecisionResult::DENY;
- case Decision::CHECK:
- {
- std::snprintf(uid_str, sizeof(uid_str) - 1, "%lu", (unsigned long)uid);
- ldp_cynara::CynaraResult ret = ldp_cynara::Cynara::check(label, privilege, uid_str);
- if (ret == ldp_cynara::CynaraResult::ALLOW)
+ case Decision::ALLOW:
return DecisionResult::ALLOW;
- else if (ret == ldp_cynara::CynaraResult::DENY)
+ case Decision::ANY:
+ case Decision::DENY:
return DecisionResult::DENY;
- else
- return DecisionResult::CYNARA_ERROR;
- }
+ case Decision::CHECK:
+ {
+ std::snprintf(uid_str, sizeof(uid_str) - 1, "%lu", (unsigned long)uid);
+ ldp_cynara::CynaraResult ret = ldp_cynara::Cynara::check(label, privilege, uid_str);
+ if (ret == ldp_cynara::CynaraResult::ALLOW)
+ return DecisionResult::ALLOW;
+ else if (ret == ldp_cynara::CynaraResult::DENY)
+ return DecisionResult::DENY;
+ else
+ return DecisionResult::CYNARA_ERROR;
+ }
}
return DecisionResult::DENY;
}
if (tslog::verbose()) {
__log_item(item);
}
-
for (auto i : policy) {
if (tslog::verbose()) {
char tmp[MAX_LOG_LINE];
return i->getDecision().getDecision();
}
}
-
return Decision::ANY;
}
Decision NaivePolicyChecker::checkPolicyOwn(const NaivePolicyDb::PolicyOwn& policy, const ItemOwn& item, const char*& privilege) {
-
if (tslog::verbose()) {
__log_item(item);
}
int childIndex = 0;
assert(node);
Decision ret = Decision::ANY;
-
- while((name != NULL)&& (*name != '\0')){
-
-
+ while ((name != NULL) && (*name != '\0')) {
childIndex = char_map[*name];
- if(childIndex > 64){
- /*name contains forbidden char*/
+ if (childIndex > 64) {
+ /* name contains forbidden char */
privilege = NULL;
return Decision::DENY;
}
- /*Current node is prefix, remeber decision*/
- if(node->__is_prefix){
+ /* Current node is prefix, remeber decision */
+ if (node->__is_prefix) {
ret = node->__decisionItem.getDecision();;
privilege = node->__decisionItem.getPrivilege();
}
-
- /*Node for this letter dont exist*/
- if(node->children[childIndex] == NULL){
+ /* Node for this letter dont exist */
+ if (node->children[childIndex] == NULL) {
goto out;
- }
- else{/*if it exists check for next letter in its child*/
+ } else { /* if it exists check for next letter in its child */
node = node->children[childIndex];
}
-
name++;
-
}
out:
- if(ret == Decision::ANY){
+ if (ret == Decision::ANY) {
privilege = node->__decisionItem.getPrivilege();
return node->__decisionItem.getDecision();
- }
- else
-
+ } else {
return ret;
-
+ }
}
-
-
-
DecisionResult NaivePolicyChecker::checkItemOwn(bool bus_type, uid_t uid, gid_t gid, const char* label, const ItemOwn& item, const ItemType type) {
-
NaivePolicyDb& policy_db = getPolicyDb(bus_type);
Decision ret = Decision::ANY;
const char* privilege;
const NaivePolicyDb::PolicyOwn* curr_policy = NULL;
if (ret == Decision::ANY) {
-
if (policy_db.getPolicy(type, PolicyType::CONTEXT, PolicyTypeValue(ContextType::MANDATORY), curr_policy))
-
ret = checkPolicyOwn(*curr_policy, item, privilege);
}
-
if (ret == Decision::ANY) {
-
if (policy_db.getPolicy(type, PolicyType::USER, PolicyTypeValue(uid), curr_policy))
-
ret = checkPolicyOwn(*curr_policy, item, privilege);
}
-
if (ret == Decision::ANY) {
-
if (policy_db.getPolicy(type, PolicyType::GROUP, PolicyTypeValue(gid), curr_policy))
-
ret = checkPolicyOwn(*curr_policy, item, privilege);
}
-
if (ret == Decision::ANY) {
-
if (policy_db.getPolicy(type, PolicyType::CONTEXT, PolicyTypeValue(ContextType::DEFAULT), curr_policy))
-
ret = checkPolicyOwn(*curr_policy, item, privilege);
}
- if (ret != Decision::ANY){
-
+ if (ret != Decision::ANY) {
return parseDecision(ret, uid, label, privilege);
- }
- else
+ } else {
return DecisionResult::DENY;
+ }
}
+
DecisionResult NaivePolicyChecker::checkItemSR(bool bus_type, uid_t uid, gid_t gid, const char* label, const MatchItemSR& item, const ItemType type) {
NaivePolicyDb& policy_db = getPolicyDb(bus_type);
Decision ret = Decision::ANY;
const char* privilege;
const NaivePolicyDb::PolicySR* curr_policy = NULL;
-
if (ret == Decision::ANY) {
if (policy_db.getPolicy(type, PolicyType::CONTEXT, PolicyTypeValue(ContextType::MANDATORY), curr_policy))
ret = checkPolicySR(*curr_policy, item, privilege);
}
-
if (ret == Decision::ANY) {
if (policy_db.getPolicy(type, PolicyType::USER, PolicyTypeValue(uid), curr_policy))
ret = checkPolicySR(*curr_policy, item, privilege);
}
-
if (ret == Decision::ANY) {
if (policy_db.getPolicy(type, PolicyType::GROUP, PolicyTypeValue(gid), curr_policy))
ret = checkPolicySR(*curr_policy, item, privilege);
}
-
if (ret == Decision::ANY) {
if (policy_db.getPolicy(type, PolicyType::CONTEXT, PolicyTypeValue(ContextType::DEFAULT), curr_policy))
ret = checkPolicySR(*curr_policy, item, privilege);
}
-
if (ret != Decision::ANY)
return parseDecision(ret, uid, label, privilege);
else
Decision checkPolicyOwn(const NaivePolicyDb::PolicyOwn& policy,
const ItemOwn& item,
const char*& privilege);
+
DecisionResult parseDecision(Decision decision,
uid_t uid,
const char* label,
NaivePolicyDb::~NaivePolicyDb() {
-
}
NaivePolicyDb::PolicyOwn::PolicyOwn(){
-
treeRootPtr = new struct TreeNode;
treeRootPtr->__decisionItem = {Decision::ANY, NULL};
treeRootPtr->__nameChar = '\0';
treeRootPtr->__is_prefix = false;
- for(int i = 0; i < MAX_CHILDREN; i++){
+ for (int i = 0; i < MAX_CHILDREN; i++) {
treeRootPtr->children[i] = NULL;
}
-
-
}
NaivePolicyDb::PolicyOwn::~PolicyOwn(){
}
void NaivePolicyDb::PolicyOwn::nodeRemove(TreeNode **node){
- if(!*node){
+ if (!*node) {
return;
}
- for(int i = 0 ; i<MAX_CHILDREN; i++){
- if((*node)->children[i] != NULL){
+ for (int i = 0 ; i < MAX_CHILDREN; i++) {
+ if ((*node)->children[i] != NULL) {
nodeRemove(&(*node)->children[i]);
}
}
if (tslog::enabled()) {
char tmp[MAX_LOG_LINE];
const char* i_str = item->toString(tmp);
- std::cout<<"Add item: "<< i_str <<std::endl;
+ std::cout << "Add item: " << i_str << std::endl;
}
const MessageDirection dir = item->getDirection();
- if (dir == MessageDirection::SEND)
+ if (dir == MessageDirection::SEND) {
addItem(m_send_set, policy_type, policy_type_value, item);
- else if (dir == MessageDirection::RECEIVE)
+ } else if (dir == MessageDirection::RECEIVE) {
addItem(m_receive_set, policy_type, policy_type_value, item);
- else {
+ } else {
addItem(m_send_set, policy_type, policy_type_value, item);
addItem(m_receive_set, policy_type, policy_type_value, item);
}
if (tslog::enabled()) {
char tmp[MAX_LOG_LINE];
const char* i_str = item->toString(tmp);
- std::cout<<"Add item: "<< i_str <<std::endl;
+ std::cout << "Add item: " << i_str << std::endl;
}
addItem(m_own_set, policy_type, policy_type_value, item);
return treeRootPtr;
}
void NaivePolicyDb::PolicyOwn::addItem(ItemOwn* item) {
-
const char *name = item->getName();
- /*TODO move this few layers up*/
- if(!name){
+
+ if (!name) {
return;
}
assert(node);
const char *tmp = name;
- while(tmp && *tmp != '\0'){
- if(char_map[*tmp]>64){
- /*Forbidden char*/
+ while (tmp && *tmp != '\0') {
+ if (char_map[*tmp] > 64) {
+ /* Forbidden char */
return;
}
tmp++;
}
int childIndex = 0;
- while(name && *name != '\0'){
-
+ while (name && *name != '\0') {
childIndex = char_map[*name];
-
- if(node->children[childIndex] == NULL){
-
+ if (node->children[childIndex] == NULL) {
node->children[childIndex] = new struct TreeNode;
-
node->children[childIndex]->__decisionItem = {Decision::ANY, NULL};
node->children[childIndex]->__nameChar = *name;
node->children[childIndex]->__is_prefix = false;
-
- for(int k = 0; k < MAX_CHILDREN; k++){
+ for (int k = 0; k < MAX_CHILDREN; k++) {
node->children[childIndex]->children[k] = NULL;
}
node = node->children[childIndex];
- }
-
- else {
+ } else {
node = node->children[childIndex];
}
-
name++;
}
node->__decisionItem = item->getDecision();
const NaivePolicyDb::PolicySR*& policy) const
{
if (tslog::enabled())
- std::cout<<"---policy_type =";
+ std::cout << "---policy_type =";
try {
switch (policy_type) {
case PolicyType::CONTEXT:
const NaivePolicyDb::PolicyOwn*& policy) const
{
if (tslog::enabled())
- std::cout<<"---policy_type =";
+ std::cout << "---policy_type =";
try {
switch (policy_type) {
case PolicyType::CONTEXT:
{
class NaivePolicyDb {
public:
-
-
class PolicySR {
private:
std::vector<ItemSendReceive*> m_items;
~PolicyOwn();
void addItem(ItemOwn* item);
const TreeNode* getTreeRoot() const;
-
};
~NaivePolicyDb();
const PolicyType policy_type,
const PolicyTypeValue policy_type_value,
const PolicyOwn*& policy) const;
-
};
-
-
}
#endif
state& t,
bool& attr) {
const char* value = NULL;
- if(v.first == "allow" && t == POLICY) {
+ if (v.first == "allow" && t == POLICY) {
__builder.reset();
__builder.addDecision(Decision::ALLOW);
t = ALLOW_DENY_CHECK;
attr = false;
- } else if(v.first == "deny" && t == POLICY) {
+ } else if (v.first == "deny" && t == POLICY) {
__builder.reset();
__builder.addDecision(Decision::DENY);
t = ALLOW_DENY_CHECK;
attr = false;
- } else if(v.first == "check" && t == POLICY) {
+ } else if (v.first == "check" && t == POLICY) {
__builder.reset();
__builder.addDecision(Decision::CHECK);
t = ALLOW_DENY_CHECK;
attr = false;
- } else if(v.first == "<xmlattr>") {
+ } else if (v.first == "<xmlattr>") {
attr = true;
- } else if(attr && t == POLICY) {
+ } else if (attr && t == POLICY) {
if (v.second.data() != "*")
value = v.second.data().c_str();
- if(v.first == "context") {
- if(std::strcmp(value,"mandatory") == 0 ) {
+ if (v.first == "context") {
+ if (std::strcmp(value, "mandatory") == 0 ) {
policy_type = PolicyType::CONTEXT;
policy_type_value.context = ContextType::MANDATORY;
- } else if(std::strcmp(value, "default") == 0) {
+ } else if (std::strcmp(value, "default") == 0) {
policy_type = PolicyType::CONTEXT;
policy_type_value.context = ContextType::DEFAULT;
}
- } else if(v.first == "user") {
+ } else if (v.first == "user") {
policy_type = PolicyType::USER;
policy_type_value.user = convertToUid(value);
- } else if(v.first == "group") {
+ } else if (v.first == "group") {
policy_type = PolicyType::GROUP;
policy_type_value.group = convertToGid(value);
} else {
if (v.second.data() != "*")
value = v.second.data().c_str();
- if(field_has(v, "send_")) {
+ if (field_has(v, "send_")) {
__builder.addDirection(MessageDirection::SEND);
- } else if(field_has(v, "receive_")) {
+ } else if (field_has(v, "receive_")) {
__builder.addDirection(MessageDirection::RECEIVE);
- } else if(v.first == "own") {
+ } else if (v.first == "own") {
__builder.addOwner(value);
__builder.setPrefix(false);
- } else if(v.first == "own_prefix") {
+ } else if (v.first == "own_prefix") {
__builder.addOwner(value);
__builder.setPrefix(true);
- } else if(v.first == "privilege")
+ } else if (v.first == "privilege") {
__builder.addPrivilege(value);
+ }
- if(field_has(v, "_destination"))
+ if (field_has(v, "_destination"))
__builder.addName(value);
- else if(field_has(v, "_sender"))
+ else if (field_has(v, "_sender"))
__builder.addName(value);
- else if(field_has(v, "_path"))
+ else if (field_has(v, "_path"))
__builder.addPath(value);
- else if(field_has(v, "_interface"))
+ else if (field_has(v, "_interface"))
__builder.addInterface(value);
- else if(field_has(v, "_member"))
+ else if (field_has(v, "_member"))
__builder.addMember(value);
- else if(field_has(v, "_type"))
+ else if (field_has(v, "_type"))
__builder.addMessageType(__str_to_message_type(value));
} else {
attr = false;
bool attr,
int level) {
static const int Q_XML_MAX_LEVEL = 10;
- if(level < Q_XML_MAX_LEVEL) {
+ if (level < Q_XML_MAX_LEVEL) {
for(const auto& v : pt) {
- if(v.first == "<xmlcomment>") { continue; }
+ if (v.first == "<xmlcomment>") { continue; }
state t = tag;
updateDecision(v, policy_type, policy_type_value, t, attr);
xmlTraversal(bus, v.second, t, policy_type, policy_type_value, attr, level + 1);
}
- if(!pt.empty() && level > 1) {
+ if (!pt.empty() && level > 1) {
if (bus)
__builder.generateItem(__session_db, policy_type, policy_type_value);
else
const auto& children = xmlTree.get_child("busconfig");
PolicyType policy_type;
PolicyTypeValue policy_type_value;
- for(const auto& x : children) {
- if(x.first == "policy") {
+ for (const auto& x : children) {
+ if (x.first == "policy") {
__tag_state = POLICY;
__attr = false;
xmlTraversal(bus, x.second, POLICY, policy_type, policy_type_value);
Decision decision,
const char* privilege)
: __decision(DecisionItem(decision, privilege)), __name(name) {
-
}
ItemType ItemOwn::getType() const {
if (!c) {
--i;
len = i-j;
- } else
+ } else {
len = i-j-1;
+ }
names[names_num++] = NameSR(name + j, len);
}
if (names_num >= KDBUS_CONN_MAX_NAMES + 1)
__path(path),
__type(type),
__direction(direction) {
-
}
const char* ItemSendReceive::toString(char* str) const {
ItemBuilder::~ItemBuilder(){
if (__current_sr)
delete __current_sr;
-
}
void ItemBuilder::reset() {
sr->__name.len = 0;
}
- if (!name)
+ if (!name) {
sr->__name.name = NULL;
- else {
+ } else {
sr->__name.name = duplicate(name);
sr->__name.len = std::strlen(name);
}
err = parse(bus, true, filename, incl_files);
if (err.is_ok())
- for(const auto& x : incl_files) {
+ for (const auto& x : incl_files) {
err = parse(bus, false, x, incl_files);
if (err.is_error()) break;
}
void getIncludedFiles(const std::string& filename, const std::string& incldir, std::vector<std::string>& files) {
DIR *dir;
struct dirent *ent;
- std::string fname(filename);
- std::string dname = dirname(const_cast<char*>(fname.c_str()));
+ std::string dname = dirname(const_cast<char*>(filename.c_str()));
if (incldir[0] != '/')
dname += (std::string("/") + incldir);
else
dname = incldir;
files.clear();
- if((dir = opendir(dname.c_str())) != NULL) {
- while((ent = readdir(dir)) != NULL) {
+ if ((dir = opendir(dname.c_str())) != NULL) {
+ while ((ent = readdir(dir)) != NULL) {
std::string s(ent->d_name);
- if(s.find(".conf") != std::string::npos) {
+ if (s.find(".conf") != std::string::npos) {
files.push_back(dname + std::string("/") + s);
}
}
std::copy(files.begin(), files.end(), std::ostream_iterator<std::string>(std::cout, "\n"));
std::cout << '\n';
}
- } else if (tslog::enabled())
+ } else if (tslog::enabled()) {
std::cout << "could not open directory " << dname << '\n';
+ }
}
std::pair<ErrCode, std::string> parseXml(bool bus, const std::string& filename, std::vector<std::string>& incl_dirs) {
if (!pt.empty()) {
__adapter->updateDb(bus, pt, incl_dirs);
}
- } catch(const boost::property_tree::xml_parser::xml_parser_error& ex) {
+ } catch (const boost::property_tree::xml_parser::xml_parser_error& ex) {
ret.first = ErrCode::error(ex.what());
- } catch(const boost::property_tree::ptree_error& ex) {
+ } catch (const boost::property_tree::ptree_error& ex) {
ret.first = ErrCode::error(ex.what());
- } catch(...) {
+ } catch (...) {
ret.first = ErrCode::error(filename + std::string(": unknown error while parsing XML"));
}
bool flag = true;
bool ret = true;
__internal_init(false, "tests/system.conf");
- for (i = 0;i < sizeof(method_tests)/sizeof(struct MethodTest);i++) {
+ for (i = 0; i < sizeof(method_tests)/sizeof(struct MethodTest); i++) {
if (method_tests[i].recv_send == MessageDirection::SEND)
{
ret = __internal_can_send(false, method_tests[i].user, method_tests[i].group, method_tests[i].label, method_tests[i].name, method_tests[i].path, method_tests[i].interface, method_tests[i].member, static_cast<int>(method_tests[i].type));
return flag;
}
-int main () {
+int main() {
__internal_init_once();
if (!method_test())
return -1;
bool flag = true;
bool ret = true;
__internal_init(false, "tests/system.conf");
- for (i = 0;i < sizeof(ownership_tests)/sizeof(struct OwnershipTest);i++) {
+ for (i = 0; i < sizeof(ownership_tests)/sizeof(struct OwnershipTest); i++) {
ret = __internal_can_own(false, ownership_tests[i].user, ownership_tests[i].group, ownership_tests[i].label, ownership_tests[i].service);
if ( (int)((ownership_tests[i].expected_result)) != ret) {
printf("[ERROR][%d] ownership test failed: %d %d ", i, (int)((ownership_tests[i].expected_result)), ret);
return flag;
}
-int main () {
+int main() {
__internal_init_once();
if (!ownership_test())
return -1;
bool flag = true;
bool ret = true;
__internal_init(false, "tests/system.conf");
- for (i = 0;i < sizeof(signal_tests)/sizeof(struct SignalTest);i++) {
+ for (i = 0; i < sizeof(signal_tests)/sizeof(struct SignalTest); i++) {
ret = __internal_can_send(false, signal_tests[i].user, signal_tests[i].group, signal_tests[i].label, signal_tests[i].dest, NULL, signal_tests[i].interface, NULL, DBUSPOLICY_MESSAGE_TYPE_SIGNAL);
if ( (int)((signal_tests[i].expected_result)) != ret) {
printf("[ERROR][%d] signal test failed: %d %d ", i, (int)((signal_tests[i].expected_result)), ret);
return flag;
}
-int main () {
+int main() {
__internal_init_once();
if (!signal_test())
return -1;