src/libdbuspolicy1.c \
src/internal/internal.cpp \
src/internal/naive_policy_checker.cpp \
- src/internal/naive_policy_db.cpp \
src/internal/policy.cpp \
src/internal/policy_containers.cpp \
src/internal/own_tree.cpp \
#include <dbuspolicy1/libdbuspolicy1.h>
#include "xml_parser.hpp"
#include "policy.hpp"
-#include "naive_policy_db.hpp"
#include "naive_policy_checker.hpp"
#include "internal.h"
#include "tslog.hpp"
#include "naive_policy_checker.hpp"
#include "cynara.hpp"
#include "tslog.hpp"
+#include "groups_proxy.hpp"
/**
* \file
* \ingroup Implementation
*/
-using namespace ldp_xml_parser;
DEF_NODESTRUCT_GLOBAL(ldp_xml_parser::NaivePolicyChecker, policy_checker_system)
DEF_NODESTRUCT_GLOBAL(ldp_xml_parser::NaivePolicyChecker, policy_checker_session)
+namespace ldp_xml_parser {
+
+template <typename T>
+VGid &NaivePolicyChecker::getMapGroup(uid_t uid)
+{
+ return mapGroups[type_list::IDX<T, MatchItemTypes>::idx][uid];
+}
+
+void NaivePolicyChecker::updateSupplementaryGroups(const VGid &groups, uid_t uid, gid_t gid) {
+ auto &vsend = getMapGroup<MatchItemSend>(uid);
+ auto &vrecv = getMapGroup<MatchItemReceive>(uid);
+ auto &vaccess = getMapGroup<MatchItemAccess>(uid);
+
+ if (groups.empty()) {
+ vsend.push_back(gid);
+ vrecv.push_back(gid);
+ vaccess.push_back(gid);
+ return;
+ }
+
+ /* insert supplementary group */
+ for (const auto group : groups) {
+ if (getPolicyDb().existsPolicyForGroup<MatchItemSend>(group))
+ vsend.push_back(group);
+ if (getPolicyDb().existsPolicyForGroup<MatchItemReceive>(group))
+ vrecv.push_back(group);
+ vaccess.push_back(group); // no filtering, it will be used once
+ }
+
+ if (vsend.empty())
+ vsend.push_back(-1);
+ if (vrecv.empty())
+ vrecv.push_back(-1);
+}
+
+void NaivePolicyChecker::updateSupplementaryGroupsOwn(const VGid &groups, uid_t uid, gid_t gid) {
+ auto &vown = getMapGroup<MatchItemOwn>(uid);
+ if (groups.empty()) {
+ vown.push_back(gid);
+ } else {
+ for (const auto group : groups) {
+ if (getPolicyDb().existsPolicyForGroup<MatchItemOwn>(group))
+ vown.push_back(group);
+ }
+ }
+}
+
+template <>
+const VGid *NaivePolicyChecker::getGroups<MatchItemOwn>(uid_t uid, gid_t)
+{
+ return &getMapGroup<MatchItemOwn>(uid);
+}
+
+template <>
+const VGid *NaivePolicyChecker::getGroups<MatchItemAccess>(uid_t uid, gid_t)
+{
+ return &getMapGroup<MatchItemAccess>(uid);
+}
+
+template <typename T>
+const VGid *NaivePolicyChecker::getGroups(uid_t uid, gid_t gid)
+{
+ if (uid == getuid() && gid == getgid())
+ return &getMapGroup<T>(uid);
+
+ pthread_mutex_lock(&mutexGroup);
+ auto &vgid = getMapGroup<T>(uid);
+
+ if (vgid.empty())
+ updateSupplementaryGroups(get_groups(uid, gid), uid, gid);
+ pthread_mutex_unlock(&mutexGroup);
+
+ if (vgid[0] == (gid_t)-1)
+ return nullptr;
+
+ return &vgid;
+}
+
DecisionResult NaivePolicyChecker::parseDecision(const DecisionItem& decision,
uid_t uid,
const char* label) const {
DecisionItem NaivePolicyChecker::checkItemAccess(const MatchItemAccess& item)
{
- const NaivePolicyDb& policy_db = getPolicyDb();
+ const ldp_xml::StorageBackendXML &policy_db = getPolicyDb();
DecisionItem ret = policy_db.getDecisionItemContextMandatory(item);
// access rules can be defined only in default/mandatory context
uid_t uid,
gid_t gid,
const char* const label) {
- const auto &gids = *getPolicyDb().getGroups<MatchItemAccess>(uid, gid);
+ const auto &gids = *getGroups<MatchItemAccess>(uid, gid);
auto ret = checkItemAccess(MatchItemAccess(uid, gids));
if (ret.getDecision() == Decision::ANY) {
if (bus_owner == uid) {
template<typename T>
DecisionItem NaivePolicyChecker::checkItem(uid_t uid, gid_t gid, const T& item) {
- const NaivePolicyDb& policy_db = getPolicyDb();
+ const ldp_xml::StorageBackendXML &policy_db = getPolicyDb();
DecisionItem ret = policy_db.getDecisionItemContextMandatory(item);
template<typename T>
DecisionItem NaivePolicyChecker::checkGroupPolicies(uid_t uid, gid_t gid, const T& item) {
- const NaivePolicyDb& policy_db = getPolicyDb();
-
- const auto *sgroups = policy_db.getGroups<T>(uid, gid);
+ const auto *sgroups = getGroups<T>(uid, gid);
if (sgroups == nullptr)
return Decision::ANY;
for (const auto sgid : *sgroups) {
- DecisionItem ret = policy_db.getDecisionItemGroup(sgid, item);
+ DecisionItem ret = getPolicyDb().getDecisionItemGroup(sgid, item);
if (ret.getDecision() != Decision::ANY)
return ret;
void NaivePolicyChecker::updateGroupDb(uid_t uid, gid_t gid)
{
- getPolicyDb().initializeGroups(uid, gid);
+ pthread_mutex_lock(&mutexGroup);
+
+ for (auto &mapGroup : mapGroups)
+ mapGroup.clear();
+
+ auto groups = get_groups(uid, gid);
+ updateSupplementaryGroups(groups, uid, gid);
+ updateSupplementaryGroupsOwn(groups, uid, gid);
+
+ pthread_mutex_unlock(&mutexGroup);
}
bool NaivePolicyChecker::initDb(const char *config_name)
void NaivePolicyChecker::printContent()
{
getPolicyDb().printContent();
+
+ for (const auto &mapGroup : mapGroups) {
+ std::cerr << std::endl << "---- mapGroup ----" << std::endl;
+ int size = sizeof(mapGroup);
+ size += mapGroup.size() * sizeof(typename std::remove_reference<decltype(mapGroup)>::type::value_type);
+
+ for (const auto& i : mapGroup) {
+ size += i.second.capacity() * sizeof(gid_t);
+ std::cerr << "uid: " << i.first << " | gids: ";
+ for (auto j : i.second)
+ std::cerr << " " << j << ",";
+ std::cerr << std::endl;
+ }
+ std::cerr << "Memory consumption: " << size << " B" << std::endl;
+ }
}
+
+} // namespace ldp_xml_parser
#define _NAIVE_DECISIONER_H
#include "policy.hpp"
-#include "naive_policy_db.hpp"
#include "global_nodestruct.hpp"
+#include "storage_backend_xml.hpp"
namespace ldp_xml_parser
{
+ typedef std::vector<gid_t> VGid;
+
/* Class which checks rights in policies retrieved from policy db
* \ingroup Implementation
*/
class NaivePolicyChecker {
private:
- /** Policy databases for system and session bus */
- NaivePolicyDb m_bus_db;
+ /** Policy database */
+ ldp_xml::StorageBackendXML m_bus_db;
/** Parses delivered decision. In case of Decision::CHECK calls cynara.
* \param[in] decision Decision from checkers
* \param[in] uid User id
* \param[in] label User label
- * \param[in] privilege Privilege string
* \return Returns deny=0, allow=1 or cynara error
* \ingroup Implementation
*/
gid_t gid,
const T& item);
+ /* group maps management */
+ std::map<uid_t, VGid> mapGroups[MatchItemTypes::count];
+ /* A mutex for mapGroups */
+ pthread_mutex_t mutexGroup = PTHREAD_MUTEX_INITIALIZER;
+
+ template <typename T>
+ VGid &getMapGroup(uid_t uid);
+
+ void updateSupplementaryGroups(const VGid &groups, uid_t uid, gid_t gid);
+ void updateSupplementaryGroupsOwn(const VGid &groups, uid_t uid, gid_t gid);
+
public:
/** Retrieves policy db
- * \return Returns reference to chosen bus policy db
+ * \return Returns reference to the policy db
*/
- NaivePolicyDb& getPolicyDb() { return m_bus_db; }
+ ldp_xml::StorageBackendXML &getPolicyDb() { return m_bus_db; }
+ const ldp_xml::StorageBackendXML &getPolicyDb() const { return m_bus_db; }
/** Clears all db data, useful for reloading configuration
* during testing.
void updateGroupDb(uid_t uid, gid_t gid);
+ template <typename T>
+ const VGid *getGroups(uid_t uid, gid_t gid);
+
/** Prints to stderr the structures and the amount of their memory */
void printContent();
+++ /dev/null
-#include "policy_containers.hpp"
-#include "naive_policy_db.hpp"
-#include "cynara.hpp"
-#include "groups_proxy.hpp"
-#include "print_content.hpp"
-#include "tslog.hpp"
-#include "type_list.h"
-#include "storage_backend_xml.hpp"
-
-#include <cassert>
-#include <map>
-
-/**
- * \file
- * \ingroup Implementation
- */
-
-namespace ldp_xml_parser {
-
-void NaivePolicyDb::updateSupplementaryGroups(const VGid &groups, uid_t uid, gid_t gid) const {
- auto &vsend = getMapGroup<MatchItemSend>(uid);
- auto &vrecv = getMapGroup<MatchItemReceive>(uid);
- auto &vaccess = getMapGroup<MatchItemAccess>(uid);
-
- if (groups.empty()) {
- vsend.push_back(gid);
- vrecv.push_back(gid);
- vaccess.push_back(gid);
- return;
- }
-
- /* insert supplementary group */
- for (const auto group : groups) {
- if (backend.existsPolicyForGroup<MatchItemSend>(group))
- vsend.push_back(group);
- if (backend.existsPolicyForGroup<MatchItemReceive>(group))
- vrecv.push_back(group);
- vaccess.push_back(group); // no filtering, it will be used once
- }
-
- if (vsend.empty())
- vsend.push_back(-1);
- if (vrecv.empty())
- vrecv.push_back(-1);
-}
-
-void NaivePolicyDb::updateSupplementaryGroupsOwn(const VGid &groups, uid_t uid, gid_t gid) const {
- auto &vown = getMapGroup<MatchItemOwn>(uid);
- if (groups.empty()) {
- vown.push_back(gid);
- } else {
- for (const auto group : groups) {
- if (backend.existsPolicyForGroup<MatchItemOwn>(group))
- vown.push_back(group);
- }
- }
-}
-
-/********************* NaivePolicyDb **********************/
-void NaivePolicyDb::printContent() const
-{
- backend.printContent();
-
- for (const auto &mapGroup : mapGroups) {
- std::cerr << std::endl << "---- mapGroup ----" << std::endl;
- int size = sizeof(mapGroup);
- size += mapGroup.size() * sizeof(typename std::remove_reference<decltype(mapGroup)>::type::value_type);
-
- for (const auto& i : mapGroup) {
- size += i.second.capacity() * sizeof(gid_t);
- std::cerr << "uid: " << i.first << " | gids: ";
- for (auto j : i.second)
- std::cerr << " " << j << ",";
- std::cerr << std::endl;
- }
- std::cerr << "Memory consumption: " << size << " B" << std::endl;
- }
-}
-
-template <>
-const VGid *NaivePolicyDb::getGroups<MatchItemOwn>(uid_t uid, gid_t) const
-{
- return &getMapGroup<MatchItemOwn>(uid);
-}
-
-template <>
-const VGid *NaivePolicyDb::getGroups<MatchItemAccess>(uid_t uid, gid_t) const
-{
- return &getMapGroup<MatchItemAccess>(uid);
-}
-
-template <typename T>
-const VGid *NaivePolicyDb::getGroups(uid_t uid, gid_t gid) const
-{
- if (uid == getuid() && gid == getgid())
- return &getMapGroup<T>(uid);
-
- pthread_mutex_lock(&mutexGroup);
- auto &vgid = getMapGroup<T>(uid);
-
- if (vgid.empty())
- updateSupplementaryGroups(get_groups(uid, gid), uid, gid);
- pthread_mutex_unlock(&mutexGroup);
-
- if (vgid[0] == (gid_t)-1)
- return nullptr;
-
- return &vgid;
-}
-
-void NaivePolicyDb::initializeGroups(uid_t uid, gid_t gid)
-{
- pthread_mutex_lock(&mutexGroup);
-
- for (auto &mapGroup : mapGroups)
- mapGroup.clear();
-
- auto groups = get_groups(uid, gid);
- updateSupplementaryGroups(groups, uid, gid);
- updateSupplementaryGroupsOwn(groups, uid, gid);
-
- pthread_mutex_unlock(&mutexGroup);
-}
-
-template <typename T>
-VGid &NaivePolicyDb::getMapGroup(uid_t uid) const
-{
- return mapGroups[type_list::IDX<T, MatchItemTypes>::idx][uid];
-}
-
-bool NaivePolicyDb::init(const char *filename) {
- return backend.init(filename);
-}
-
-template <typename T>
-const T &NaivePolicyDb::getPolicyContextMandatory() const {
- return backend.getPolicyContextMandatory<T>();
-}
-
-template <typename T>
-const T &NaivePolicyDb::getPolicyContextDefault() const {
- return backend.getPolicyContextDefault<T>();
-}
-
-template <typename T>
-const std::map<uid_t, T> &NaivePolicyDb::getPoliciesUser() const {
- return backend.getPoliciesUser<T>();
-}
-
-template <typename T>
-const std::map<gid_t, T> &NaivePolicyDb::getPoliciesGroup() const {
- return backend.getPoliciesGroup<T>();
-}
-
-/* Explicit instantiation is needed for used public template methods defined in this file.
- */
-#define T_INSTANTIATION(T) \
- template const VGid *NaivePolicyDb::getGroups<MatchItem##T>(uid_t, gid_t) const; \
- template const Policy##T &NaivePolicyDb::getPolicyContextMandatory() const; \
- template const Policy##T &NaivePolicyDb::getPolicyContextDefault() const;
-
-T_INSTANTIATION(Own)
-T_INSTANTIATION(Send)
-T_INSTANTIATION(Receive)
-T_INSTANTIATION(Access)
-
-#undef T_INSTANTIATION
-
-#define T_INSTANTIATION(T) \
- template const std::map<uid_t, Policy##T> &NaivePolicyDb::getPoliciesGroup() const; \
- template const std::map<gid_t, Policy##T> &NaivePolicyDb::getPoliciesUser() const;
-
-T_INSTANTIATION(Own)
-T_INSTANTIATION(Send)
-T_INSTANTIATION(Receive)
-
-#undef T_INSTANTIATION
-
-} // namespace ldp_xml_parser
+++ /dev/null
-/*
- * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
-*/
-#ifndef _NAIVE_DB_H
-#define _NAIVE_DB_H
-
-#include "storage_backend_xml.hpp"
-#include <memory>
-#include <vector>
-#include <map>
-#include <sys/types.h>
-#include "policy.hpp"
-
-/**
- * \file
- * \ingroup Implementation
- */
-
-namespace ldp_xml_parser
-{
- typedef std::vector<gid_t> VGid;
-
- /** Database class, contains policies for ownership and send/receive */
- class NaivePolicyDb {
- private:
- ldp_xml::StorageBackendXML backend;
-
- mutable std::map<uid_t, VGid> mapGroups[MatchItemTypes::count];
- /* A mutex for mapGroups */
- mutable pthread_mutex_t mutexGroup = PTHREAD_MUTEX_INITIALIZER;
-
- template <typename T>
- VGid &getMapGroup(uid_t uid) const;
-
- void updateSupplementaryGroups(const VGid &groups, uid_t uid, gid_t gid) const;
- void updateSupplementaryGroupsOwn(const VGid &groups, uid_t uid, gid_t gid) const;
-
- public:
- /***** Common interface for all backends ******/
- void printContent() const;
-
- template <typename T>
- DecisionItem getDecisionItemContextMandatory(const T &item) const
- { return backend.getDecisionItemContextMandatory(item); }
-
- template <typename T>
- DecisionItem getDecisionItemContextDefault(const T &item) const
- { return backend.getDecisionItemContextDefault(item); }
-
- template <typename T>
- DecisionItem getDecisionItemUser(uid_t uid, const T &item) const
- { return backend.getDecisionItemUser(uid, item); }
-
- template <typename T>
- DecisionItem getDecisionItemGroup(gid_t gid, const T &item) const
- { return backend.getDecisionItemGroup(gid, item); }
-
- /******* Common interface for group maps management **********/
- template <typename T>
- const VGid *getGroups(uid_t uid, gid_t gid) const;
-
- void initializeGroups(uid_t uid, gid_t gid);
-
- /******* Interface for read-write backends (e.g. XML-based) */
- /* This will be probably moved from here */
-
- /** Adds item to a policy
- * \param[in] policy_type Policy type
- * \param[in] policy_type_value Policy type value
- * \param[in] item Item to add
- */
- template <typename T>
- void addItem(const PolicyType policy_type,
- const PolicyTypeValue policy_type_value,
- T &item);
-
- bool init(const char *filename);
-
- // The getPolicy*() methods are intended for Serializers to get
- // access to policy structures.
- // Supported template parameters are: PolicyOwn, PolicySend, PolicyReceive
- // and for PolicyAccess only getPolicyContext*()
- template <typename T>
- const T &getPolicyContextMandatory() const;
- template <typename T>
- const T &getPolicyContextDefault() const;
- template <typename T>
- const std::map<uid_t, T> &getPoliciesUser() const;
- template <typename T>
- const std::map<gid_t, T> &getPoliciesGroup() const;
- };
-}
-#endif
#include "policy.hpp"
#include "naive_policy_checker.hpp"
-#include "naive_policy_db.hpp"
#include "tslog.hpp"
#include <cstdlib>
#include "internal.h"
#include "naive_policy_checker.hpp"
-#include "naive_policy_db.hpp"
#include "serializer.hpp"
#include "include/flatbuffers/flatbuffers.h"
#include "include/fb_generated.h"
static constexpr auto create_item = &FB::CreateItemAccess;
};
-uint8_t* Serializer::serialize(const NaivePolicyDb &db, size_t &size) {
+uint8_t* Serializer::serialize(const ldp_xml::StorageBackendXML &db, size_t &size) {
m_db = &db;
auto own_set = serialize_set<PolicyOwn>();
#include "include/flatbuffers/flatbuffers.h"
#include "include/fb_generated.h"
-#include "naive_policy_db.hpp"
+#include "storage_backend_xml.hpp"
#include "policy_containers.hpp"
using namespace std;
template <typename T>
struct type_helper;
- const NaivePolicyDb *m_db;
+ const ldp_xml::StorageBackendXML *m_db;
flatbuffers::FlatBufferBuilder m_builder;
template <typename T>
FbOff<TFP> context_mandatory)
-> FbOff<typename type_helper<TP>::set>;
public:
- uint8_t *serialize(const NaivePolicyDb &db, size_t &size);
+ uint8_t *serialize(const ldp_xml::StorageBackendXML &db, size_t &size);
uint8_t *serialize(const std::string config_path, size_t &size);
void serialize(const std::string config_path, ostream &output);
friend class SerializerTests;
const std::map<gid_t, T> &getPoliciesGroup() const;
// This works with T set to MatchItemOwn, MatchItemSend or MatchItemReceive
- // This is needed for filtering mapGroups. Check NaivePolicyDb.
+ // This is needed for filtering mapGroups. Check NaivePolicyChecker.
template <typename T>
bool existsPolicyForGroup(gid_t gid) const;
#include "internal/internal.h"
#include "internal/policy.hpp"
#include "internal/naive_policy_checker.hpp"
-#include "internal/naive_policy_db.hpp"
#include "internal/serializer.hpp"
#include "internal/include/fb_generated.h"
#include "internal/storage_backend_serialized.hpp"
for (const auto& test : test_setup) {
__internal_init_sup_group(bus_type, test.user, test.group);
- auto *policydb = &policy_checker(bus_type).getPolicyDb();
+ auto &checker = policy_checker(bus_type);
- const auto &gids = *policydb->getGroups<MatchItemAccess>(test.user, test.group);
+ const auto &gids = *checker.getGroups<MatchItemAccess>(test.user, test.group);
auto m_item = MatchItemAccess(test.user, gids);
auto decision = db.getDecisionItemContextMandatory(m_item).getDecision();
if (decision == Decision::ANY)
#include "internal/include/flatbuffers/flatbuffers.h"
#include "internal/include/fb_generated.h"
-#include "internal/naive_policy_db.hpp"
#include "internal/policy_containers.hpp"
#include "internal/serializer.hpp"
projects / platform / core / system / libdbuspolicy.git / commitdiff