int __internal_init(BusType bus_type, const char* const config_name)
{
- auto ok = policy_checker().initDb(bus_type, get_str(config_name));
+ auto ok = policy_checker(bus_type).initDb(get_str(config_name));
if (tslog::enabled())
memory_dump(bus_type);
return ok ? 0 : -1;
void memory_dump(BusType bus_type)
{
- policy_checker().printContent(bus_type);
+ policy_checker(bus_type).printContent();
}
void __internal_init_once()
void __internal_init_sup_group(BusType bus_type, uid_t uid, gid_t gid)
{
- policy_checker().updateGroupDb(bus_type, uid, gid);
+ policy_checker(bus_type).updateGroupDb(uid, gid);
}
void __internal_enter()
gid_t group,
const char* const label)
{
- return static_cast<int>(policy_checker().check(bus_type, bus_owner, user, group, label));
+ return static_cast<int>(policy_checker(bus_type).check(bus_owner, user, group, label));
}
int __internal_can_send(BusType bus_type,
tslog::log_verbose("Destination too long: ", destination, "\n");
return false;
}
- return static_cast<int>(policy_checker().check(bus_type, user, group, label, matcher));
+ return static_cast<int>(policy_checker(bus_type).check(user, group, label, matcher));
}
int __internal_can_send_multi_dest(BusType bus_type,
while (destination[i]) {
matcher.addName(destination[i++]);
}
- return static_cast<int>(policy_checker().check(bus_type, user, group, label, matcher));
+ return static_cast<int>(policy_checker(bus_type).check(user, group, label, matcher));
}
int __internal_can_recv(BusType bus_type,
tslog::log_verbose("Sender too long: ", sender, "\n");
return false;
}
- return static_cast<int>(policy_checker().check(bus_type, user, group, label, matcher));
+ return static_cast<int>(policy_checker(bus_type).check(user, group, label, matcher));
}
int __internal_can_recv_multi(BusType bus_type,
while (sender[i]) {
matcher.addName(sender[i++]);
}
- return static_cast<int>(policy_checker().check(bus_type, user, group, label, matcher));
+ return static_cast<int>(policy_checker(bus_type).check(user, group, label, matcher));
}
const char* const label,
const char* const service)
{
- return static_cast<int>(policy_checker().check(bus_type, user, group, label, MatchItemOwn(service)));
+ return static_cast<int>(policy_checker(bus_type).check(user, group, label, MatchItemOwn(service)));
}
using namespace ldp_xml_parser;
-DEF_NODESTRUCT_GLOBAL(ldp_xml_parser::NaivePolicyChecker, policy_checker)
-
-NaivePolicyDb& NaivePolicyChecker::getPolicyDb(BusType type) {
- return m_bus_db[type];
-}
+DEF_NODESTRUCT_GLOBAL(ldp_xml_parser::NaivePolicyChecker, policy_checker_system)
+DEF_NODESTRUCT_GLOBAL(ldp_xml_parser::NaivePolicyChecker, policy_checker_session)
DecisionResult NaivePolicyChecker::parseDecision(const DecisionItem& decision,
uid_t uid,
return DecisionResult::DENY;
}
-DecisionItem NaivePolicyChecker::checkItemAccess(BusType bus_type, const MatchItemAccess& item)
+DecisionItem NaivePolicyChecker::checkItemAccess(const MatchItemAccess& item)
{
- const NaivePolicyDb& policy_db = getPolicyDb(bus_type);
+ const NaivePolicyDb& policy_db = getPolicyDb();
DecisionItem ret = policy_db.getDecisionItemContextMandatory(item);
// access rules can be defined only in default/mandatory context
return ret;
}
-DecisionResult NaivePolicyChecker::check(BusType bus_type,
- uid_t bus_owner,
+DecisionResult NaivePolicyChecker::check(uid_t bus_owner,
uid_t uid,
gid_t gid,
const char* const label) {
- const auto &gids = *getPolicyDb(bus_type).getGroups<MatchItemAccess>(uid, gid);
- auto ret = checkItemAccess(bus_type, MatchItemAccess(uid, gids));
+ const auto &gids = *getPolicyDb().getGroups<MatchItemAccess>(uid, gid);
+ auto ret = checkItemAccess(MatchItemAccess(uid, gids));
if (ret.getDecision() == Decision::ANY) {
if (bus_owner == uid) {
ret = Decision::ALLOW;
}
template <typename T>
-DecisionResult NaivePolicyChecker::check(BusType bus_type,
- uid_t uid,
+DecisionResult NaivePolicyChecker::check(uid_t uid,
gid_t gid,
const char* const label,
const T &matchItem) {
- auto ret = checkItem(bus_type, uid, gid, matchItem);
+ auto ret = checkItem(uid, gid, matchItem);
return parseDecision(ret, uid, label);
}
-template DecisionResult NaivePolicyChecker::check(BusType, uid_t, gid_t, const char *, const MatchItemOwn &);
-template DecisionResult NaivePolicyChecker::check(BusType, uid_t, gid_t, const char *, const MatchItemSend &);
-template DecisionResult NaivePolicyChecker::check(BusType, uid_t, gid_t, const char *, const MatchItemReceive &);
+template DecisionResult NaivePolicyChecker::check(uid_t, gid_t, const char *, const MatchItemOwn &);
+template DecisionResult NaivePolicyChecker::check(uid_t, gid_t, const char *, const MatchItemSend &);
+template DecisionResult NaivePolicyChecker::check(uid_t, gid_t, const char *, const MatchItemReceive &);
template<typename T>
-DecisionItem NaivePolicyChecker::checkItem(BusType bus_type, uid_t uid, gid_t gid, const T& item) {
- const NaivePolicyDb& policy_db = getPolicyDb(bus_type);
+DecisionItem NaivePolicyChecker::checkItem(uid_t uid, gid_t gid, const T& item) {
+ const NaivePolicyDb& policy_db = getPolicyDb();
DecisionItem ret = policy_db.getDecisionItemContextMandatory(item);
ret = policy_db.getDecisionItemUser(uid, item);
if (ret.getDecision() == Decision::ANY)
- ret = checkGroupPolicies<T>(policy_db, uid, gid, item);
+ ret = checkGroupPolicies<T>(uid, gid, item);
if (ret.getDecision() == Decision::ANY)
ret = policy_db.getDecisionItemContextDefault(item);
}
template<typename T>
-DecisionItem NaivePolicyChecker::checkGroupPolicies(const NaivePolicyDb& policy_db, uid_t uid, gid_t gid, const T& item) {
+DecisionItem NaivePolicyChecker::checkGroupPolicies(uid_t uid, gid_t gid, const T& item) {
+ const NaivePolicyDb& policy_db = getPolicyDb();
+
const auto *sgroups = policy_db.getGroups<T>(uid, gid);
if (sgroups == nullptr)
return Decision::ANY;
return Decision::ANY;
}
-void NaivePolicyChecker::updateGroupDb(BusType bus_type, uid_t uid, gid_t gid)
+void NaivePolicyChecker::updateGroupDb(uid_t uid, gid_t gid)
{
- getPolicyDb(bus_type).initializeGroups(uid, gid);
+ getPolicyDb().initializeGroups(uid, gid);
}
-bool NaivePolicyChecker::initDb(BusType bus_type, const char *config_name)
+bool NaivePolicyChecker::initDb(const char *config_name)
{
- return getPolicyDb(bus_type).init(config_name);
+ return getPolicyDb().init(config_name);
}
-void NaivePolicyChecker::printContent(BusType bus_type)
+void NaivePolicyChecker::printContent()
{
- getPolicyDb(bus_type).printContent();
+ getPolicyDb().printContent();
}
private:
/** Policy databases for system and session bus */
- NaivePolicyDb m_bus_db[2];
+ NaivePolicyDb m_bus_db;
/** Parses delivered decision. In case of Decision::CHECK calls cynara.
* \param[in] decision Decision from checkers
const char* label) const;
/** Checks policy for a given own, send or receive item
- * \param[in] bus_type Bus type (system/session)
* \param[in] uid User id
* \param[in] gid User group id
* \param[in] item Item to check
* \ingroup Implementation
*/
template<typename T>
- DecisionItem checkItem(BusType bus_type,
- uid_t uid,
+ DecisionItem checkItem(uid_t uid,
gid_t gid,
const T& item);
/** Checks policy for a given access item
- * \param[in] bus_type Bus type (system/session)
* \param[in] item Item to check
* \return Returns deny=0, allow=1 or cynara error
* \ingroup Implementation
*/
- DecisionItem checkItemAccess(BusType bus_type, const MatchItemAccess &item);
+ DecisionItem checkItemAccess(const MatchItemAccess &item);
template<typename T>
- DecisionItem checkGroupPolicies(const NaivePolicyDb& policy_db,
- uid_t uid,
+ DecisionItem checkGroupPolicies(uid_t uid,
gid_t gid,
const T& item);
public:
/** Retrieves policy db
- * \param[in] type Type of database (system/session bus)
* \return Returns reference to chosen bus policy db
*/
- NaivePolicyDb& getPolicyDb(BusType type);
+ NaivePolicyDb& getPolicyDb() { return m_bus_db; }
/** Clears all db data, useful for reloading configuration
* during testing.
*/
- bool initDb(BusType bus_type, const char *filename);
+ bool initDb(const char *filename);
- void updateGroupDb(BusType bus_type, uid_t uid, gid_t gid);
+ void updateGroupDb(uid_t uid, gid_t gid);
/** Prints to stderr the structures and the amount of their memory */
- void printContent(BusType bus_type);
+ void printContent();
/** Checks access/open policy for given item
- * \param[in] bus_type Bus type (system/session)
* \param[in] uid User id
* \param[in] gid User group id
* \return Returns deny=0, allow=1 or cynara error
* \ingroup Implementation
*/
- DecisionResult check(BusType bus_type,
- uid_t bus_owner,
+ DecisionResult check(uid_t bus_owner,
uid_t uid,
gid_t gid,
const char* const label);
/** Checks send/receive/ownership policy for given item
- * \param[in] bus_type Bus type (system/session)
* \param[in] uid User id
* \param[in] gid User group id
* \param[in] label User label
* \ingroup Implementation
*/
template <typename T>
- DecisionResult check(BusType bus_type,
- uid_t uid,
+ DecisionResult check(uid_t uid,
gid_t gid,
const char* const label,
const T &matchItem);
};
}
-DCL_NODESTRUCT_GLOBAL(ldp_xml_parser::NaivePolicyChecker, policy_checker)
+DCL_NODESTRUCT_GLOBAL(ldp_xml_parser::NaivePolicyChecker, policy_checker_system)
+DCL_NODESTRUCT_GLOBAL(ldp_xml_parser::NaivePolicyChecker, policy_checker_session)
+
+inline ldp_xml_parser::NaivePolicyChecker &policy_checker(BusType bus_type) {
+ if (SESSION_BUS == bus_type)
+ return policy_checker_session();
+ return policy_checker_system();
+}
#endif
static constexpr auto create_item = &FB::CreateItemAccess;
};
-uint8_t* Serializer::serialize(const BusType bus_type, size_t &size) {
- m_db = &policy_checker().getPolicyDb(bus_type);
+uint8_t* Serializer::serialize(const NaivePolicyDb &db, size_t &size) {
+ m_db = &db;
auto own_set = serialize_set<PolicyOwn>();
auto send_set = serialize_set<PolicySend>();
if (__internal_init(BusType::SYSTEM_BUS, config_path.c_str()) != 0)
cout << "internal_init error" << endl;
- return serialize(BusType::SYSTEM_BUS, size);
+ return serialize(policy_checker_system().getPolicyDb(), size);
}
void Serializer::serialize(const std::string config_path, ostream &output) {
FbOff<TFP> context_mandatory)
-> FbOff<typename type_helper<TP>::set>;
public:
- uint8_t *serialize(const BusType bus_type, size_t &size);
+ uint8_t *serialize(const NaivePolicyDb &db, size_t &size);
uint8_t *serialize(const std::string config_path, size_t &size);
void serialize(const std::string config_path, ostream &output);
friend class SerializerTests;
void run_policy_db(const char *conf_file, size_t count) {
__internal_init(SYSTEM_BUS, conf_file);
- auto &db = policy_checker().getPolicyDb(SYSTEM_BUS);
+ auto &db = policy_checker_system().getPolicyDb();
printf("XML:\n");
run_x_times([&db](){ send_prefix_test(db); }, count);
for (const auto& test : test_setup) {
__internal_init_sup_group(bus_type, test.user, test.group);
- auto *policydb = &policy_checker().getPolicyDb(bus_type);
+ auto *policydb = &policy_checker(bus_type).getPolicyDb();
const auto &gids = *policydb->getGroups<MatchItemAccess>(test.user, test.group);
auto m_item = MatchItemAccess(test.user, gids);
__internal_init(SESSION_BUS, session_bus_setup.first.c_str());
}
- auto *sys_db = &policy_checker().getPolicyDb(SYSTEM_BUS);
- auto *ses_db = &policy_checker().getPolicyDb(SESSION_BUS);
+ auto *sys_db = &policy_checker_system().getPolicyDb();
+ auto *ses_db = &policy_checker_session().getPolicyDb();
printf("POLICY_DB:\n");
return run_tests_for_bus(*sys_db, SYSTEM_BUS, system_bus_setup.second, i, passed) &&
bool run_policy_db() {
__internal_init(SYSTEM_BUS, "tests/default_allow/system.conf");
- auto &db = policy_checker().getPolicyDb(SYSTEM_BUS);
+ auto &db = policy_checker_system().getPolicyDb();
printf("POLICY_DB:\n");
return method_test(db);
}
bool run_policy_db() {
__internal_init(SYSTEM_BUS, "tests/default_deny/system.conf");
- auto &db = policy_checker().getPolicyDb(SYSTEM_BUS);
+ auto &db = policy_checker_system().getPolicyDb();
printf("POLICY_DB:\n");
return ownership_test(db);
}
bool run_policy_db() {
__internal_init(SYSTEM_BUS, "tests/default_allow/system.conf");
- auto &db = policy_checker().getPolicyDb(SYSTEM_BUS);
+ auto &db = policy_checker_system().getPolicyDb();
printf("POLICY DB:\n");
return ownership_test(db);
}
bool run_policy_db() {
__internal_init(SYSTEM_BUS, "tests/default_deny/system.conf");
- auto &db = policy_checker().getPolicyDb(SYSTEM_BUS);
+ auto &db = policy_checker_system().getPolicyDb();
printf("POLICY_DB:\n");
return send_prefix_test(db);
}
bool run_policy_db() {
__internal_init(SYSTEM_BUS, "tests/default_allow/system.conf");
- auto &db = policy_checker().getPolicyDb(SYSTEM_BUS);
+ auto &db = policy_checker_system().getPolicyDb();
printf("POLICY_DB:\n");
return signal_test(db);