policychecker: is allow own for me present? 65/213265/1
author Adrian Szyndela <adrian.s@samsung.com>
Tue, 3 Sep 2019 09:59:41 +0000 (11:59 +0200)
committer Adrian Szyndela <adrian.s@samsung.com>
Tue, 3 Sep 2019 09:59:41 +0000 (11:59 +0200)
This adds two checks which can help with detecting
config files that have no "allow own" or "check own" or "allow own_prefix"
or "check own_prefix" for services the config file is for.

This works by adding two checking rules:
1. a rule that - for a config file containing policy rule "deny own" - warns
   if the file does not contain corresponding "allow own" or "check own"
   policy rule with the same name.
2. a rule that does the same, but for 'own_prefix' instead of 'own'.

Change-Id: I758974724ffc5d5af821c44f4737ed87c9f63f59

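The two rules described in the commit message, re-expressed in plain Python as an added example (this is not code from the policychecker project, which implements them as Schematron/XSLT). It runs the same lookups the new XPath does, `//policy/allow[@own = $dest_name] or //policy/check[@own = $dest_name]` and the `own_prefix` twin, over a constructed D-Bus busconfig fragment and returns the names that would trip each assert. The function names and the sample config are assumptions made for this example.

```python
"""Plain-Python model of the two new policychecker rules (added example,
not the project's own code). A <deny own="X"> or <deny own_prefix="X">
is reported when no <allow>/<check> with the same attribute value exists
directly under any <policy> element in the file."""
import xml.etree.ElementTree as ET

# Constructed sample busconfig: two services denied in the default context,
# only one of them granted to a user; two prefixes denied, one granted via
# <check> (the privilege URI is a placeholder, not a real Tizen privilege).
SAMPLE_CONFIG = """<busconfig>
  <policy context="default">
    <deny own="org.example.Good"/>
    <deny own="org.example.Orphan"/>
    <deny own="org.example.Orphan"/>
    <deny own_prefix="org.example.prefix"/>
    <deny own_prefix="org.example.lonely"/>
  </policy>
  <policy user="svc">
    <allow own="org.example.Good"/>
    <check own_prefix="org.example.prefix" privilege="http://example.invalid/privilege"/>
  </policy>
</busconfig>
"""


def granted_names(root, attr):
    """Values of <allow attr=...> and <check attr=...> found directly under
    any <policy>, mirroring //policy/allow[@attr] | //policy/check[@attr]."""
    names = set()
    for tag in ("allow", "check"):
        for el in root.findall(f".//policy/{tag}[@{attr}]"):
            names.add(el.get(attr))
    return names


def missing_grants(xml_text, attr):
    """Return, in document order and without duplicates, each deny value for
    `attr` ('own' or 'own_prefix') that has no matching allow/check."""
    root = ET.fromstring(xml_text)
    granted = granted_names(root, attr)
    missing = []
    for el in root.findall(f".//policy/deny[@{attr}]"):
        name = el.get(attr)
        if name not in granted and name not in missing:
            missing.append(name)
    return missing


def report(xml_text):
    """Produce one message per failing deny, in the wording of the patch's
    sch:assert texts, with the offending name appended."""
    messages = []
    for attr in ("own", "own_prefix"):
        for name in missing_grants(xml_text, attr):
            messages.append(
                f'"deny {attr}" present, but no "allow {attr}" or '
                f'"check {attr}" for that name: {name}'
            )
    return messages


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Note that, like the XPath in the patch, `granted_names` accepts an allow or check from any `<policy>`, including the same `context="default"` policy that holds the deny; if you want "granted to some user or group" you would filter `policy` elements on their attributes first.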
policychecker/rules.xsl

index 7f20b0fc87fbe58092edb36e70fef8c49a3ef43f..bc306d9badc28d0768ced01fd5194de98d069c24 100644 (file)
                        <sch:let name="dest_name" value="@own_prefix"/>
                        <sch:assert test="//policy[@context='default']/deny[@own_prefix = $dest_name]">For each allow own_prefix you must add a deny own_prefix in default context.</sch:assert>
                </sch:rule>
+               <sch:rule context="deny[@own]">
+                       <sch:let name="dest_name" value="@own"/>
+                       <sch:assert test="//policy/allow[@own = $dest_name] or //policy/check[@own = $dest_name]">"deny own" present, but no "allow own" or "check own" for that name.</sch:assert>
+               </sch:rule>
+               <sch:rule context="deny[@own_prefix]">
+                       <sch:let name="dest_name" value="@own_prefix"/>
+                       <sch:assert test="//policy/allow[@own_prefix = $dest_name] or //policy/check[@own_prefix = $dest_name]">"deny own_prefix" present, but no "allow own_prefix" or "check own_prefix" for that name.</sch:assert>
+               </sch:rule>
        </sch:pattern>
 
        <sch:pattern name="Unconstrained allow in default context (or mandatory)">
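Review bot: the new asserts in `<sch:rule context="deny[@own]">` and `<sch:rule context="deny[@own_prefix]">` look up `//policy/allow[@own = $dest_name]` / `//policy/check[@own = $dest_name]` with no restriction on the policy's context, so an `<allow own>` placed in the same `context="default"` policy as the `<deny own>` satisfies the check even though nothing has actually been granted to a user or group; if that is the intent, `//policy[not(@context='default')]/allow[@own = $dest_name]` (and likewise for `check` and the `own_prefix` rule) expresses it. Two smaller points: the commit message calls these warnings, but the asserts carry no `role` attribute, so they surface exactly like the mandatory "For each allow own_prefix you must add a deny own_prefix in default context." assert in the same pattern (`role="warning"` would let a consumer tell them apart); and the messages do not name the offending bus name, so `<sch:value-of select="$dest_name"/>` inside the assert text would make the report actionable.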