Affects dependencies, which also lost unnecessary params.
Policy classes can be now private, it allows single private
and single public section in NaivePolicyDb.
Change-Id: I5f01d2e43f2ffd3f58ef2aa76b1cd06d83365b7b
gid_t gid,
const char* const label) {
const auto &gids = *getPolicyDb(bus_type).getGroups(uid, gid, ItemType::ACCESS);
- auto ret = checkItem<NaivePolicyDb::PolicyAccess, MatchItemAccess>(bus_type, uid, gid, MatchItemAccess(uid, gids), ItemType::ACCESS);
+ auto ret = checkItem<MatchItemAccess>(bus_type, uid, gid, MatchItemAccess(uid, gids), ItemType::ACCESS);
if (ret.getDecision() == Decision::ANY) {
if (bus_owner == uid) {
ret = Decision::ALLOW;
gid_t gid,
const char* const label,
const char* const name) {
- auto ret = checkItem<NaivePolicyDb::PolicyOwn, MatchItemOwn>(bus_type, uid, gid, name, ItemType::OWN);
+ auto ret = checkItem<MatchItemOwn>(bus_type, uid, gid, name, ItemType::OWN);
return parseDecision(ret, uid, label);
}
const char* const label,
MatchItemSend &matcher,
ItemType type) {
- auto ret = checkItem<NaivePolicyDb::PolicySend, MatchItemSend>(bus_type, uid, gid, matcher, type);
+ auto ret = checkItem<MatchItemSend>(bus_type, uid, gid, matcher, type);
return parseDecision(ret, uid, label);
}
const char* const label,
MatchItemReceive &matcher,
ItemType type) {
- auto ret = checkItem<NaivePolicyDb::PolicyReceive, MatchItemReceive>(bus_type, uid, gid, matcher, type);
+ auto ret = checkItem<MatchItemReceive>(bus_type, uid, gid, matcher, type);
return parseDecision(ret, uid, label);
}
-template<typename P, typename T>
+template<typename T>
DecisionItem NaivePolicyChecker::checkItem(bool bus_type, uid_t uid, gid_t gid, const T& item, const ItemType type) {
const NaivePolicyDb& policy_db = getPolicyDb(bus_type);
- DecisionItem ret = policy_db.getDecisionItem<P, T>(PolicyType::CONTEXT, PolicyTypeValue(ContextType::MANDATORY), item);
+ DecisionItem ret = policy_db.getDecisionItem<T>(PolicyType::CONTEXT, PolicyTypeValue(ContextType::MANDATORY), item);
// access rules can be defined only in default/mandatory context
// defining them elsewhere is considered as policy syntax error by dbus-daemon
if (type != ItemType::ACCESS) {
if (ret.getDecision() == Decision::ANY)
- ret = policy_db.getDecisionItem<P, T>(PolicyType::USER, PolicyTypeValue(uid), item);
+ ret = policy_db.getDecisionItem<T>(PolicyType::USER, PolicyTypeValue(uid), item);
if (ret.getDecision() == Decision::ANY)
- ret = checkGroupPolicies<P, T>(policy_db, uid, gid, item, type);
+ ret = checkGroupPolicies<T>(policy_db, uid, gid, item, type);
}
if (ret.getDecision() == Decision::ANY)
- ret = policy_db.getDecisionItem<P, T>(PolicyType::CONTEXT, PolicyTypeValue(ContextType::DEFAULT), item);
+ ret = policy_db.getDecisionItem<T>(PolicyType::CONTEXT, PolicyTypeValue(ContextType::DEFAULT), item);
return ret;
}
-template<typename P, typename T>
+template<typename T>
DecisionItem NaivePolicyChecker::checkGroupPolicies(const NaivePolicyDb& policy_db, uid_t uid, gid_t gid, const T& item, const ItemType type) {
const auto *sgroups = policy_db.getGroups(uid, gid, type);
if (sgroups == nullptr)
return Decision::ANY;
for (auto sgid : *sgroups) {
- DecisionItem ret = policy_db.getDecisionItem<P, T>(PolicyType::GROUP, PolicyTypeValue(sgid), item);
+ DecisionItem ret = policy_db.getDecisionItem<T>(PolicyType::GROUP, PolicyTypeValue(sgid), item);
if (ret.getDecision() != Decision::ANY)
return ret;
* \return Returns deny=0, allow=1 or cynara error
* \ingroup Implementation
*/
- template<typename P, typename T>
+ template<typename T>
DecisionItem checkItem(bool bus_type,
uid_t uid,
gid_t gid,
const T& item,
const ItemType type);
- template<typename P, typename T>
+ template<typename T>
DecisionItem checkGroupPolicies(const NaivePolicyDb& policy_db,
uid_t uid,
gid_t gid,
using namespace ldp_xml_parser;
+namespace ldp_xml_parser {
+
+/* Tie MatchItems with proper policy sets.
+ * Parameters: T - MatchItem* type
+ * field - one of m_*_set fields from NaivePolicyDb
+ *
+ * The below DEF_GET_POLICY_SET defines specialization for MatchPolicy<T> template.
+ *
+ * Specialization for MatchPolicy<T> provides field 'policy_type' which specifies
+ * a type of policy used within 'field' parameter, and field 'policy_set_type'
+ * which specifies a type of the 'field' parameter.
+ *
+ * For example: DEF_GET_POLICY_SET(MatchItemOwn, m_own_set) defines equivalent to
+ * MatchPolicy<MatchItemOwn> {
+ * typedef PolicyOwn policy_type;
+ * typedef PolicySet<PolicyOwn> policy_set_type;
+ * }
+ *
+ * Thanks to this construction we do not need to manually specify PolicyOwn in functions that
+ * know MatchItemOwn - it is inferred.
+ *
+ */
+#define DEF_GET_POLICY_SET(T, field) \
+ template <> struct NaivePolicyDb::MatchPolicy<T> { \
+ typedef decltype(field)::type policy_type; \
+ typedef decltype(field) policy_set_type; \
+ }; \
+
+DEF_GET_POLICY_SET(MatchItemOwn, m_own_set)
+DEF_GET_POLICY_SET(MatchItemSend, m_send_set)
+DEF_GET_POLICY_SET(MatchItemReceive, m_receive_set)
+DEF_GET_POLICY_SET(MatchItemAccess, m_access_set)
+
+#undef DEF_GET_POLICY_SET
+
+} // namespace ldp_xml_parser
+
namespace {
template <typename T>
void log_item_add(const T &item) {
#undef PRINT_MAP
}
-template <typename P, typename T>
+template <typename T>
DecisionItem NaivePolicyDb::getDecisionItem(PolicyType policy_type,
PolicyTypeValue policy_type_value,
const T &item) const {
- auto policy = getPolicy<P>(policy_type, policy_type_value);
+ auto policy = getPolicy<typename MatchPolicy<T>::policy_type>(policy_type, policy_type_value);
if (nullptr == policy)
return Decision::ANY;
- tslog::log_verbose("Checking ", P::name, " policy for: ", item, "\n");
+ tslog::log_verbose("Checking ", MatchPolicy<T>::policy_type::name, " policy for: ", item, "\n");
return policy->getDecisionItem(item);
}
-template DecisionItem NaivePolicyDb::getDecisionItem<NaivePolicyDb::PolicyOwn, MatchItemOwn>(PolicyType policy_type, PolicyTypeValue policy_type_value, const MatchItemOwn &item) const;
-template DecisionItem NaivePolicyDb::getDecisionItem<NaivePolicyDb::PolicySend, MatchItemSend>(PolicyType policy_type, PolicyTypeValue policy_type_value, const MatchItemSend &item) const;
-template DecisionItem NaivePolicyDb::getDecisionItem<NaivePolicyDb::PolicyReceive, MatchItemReceive>(PolicyType policy_type, PolicyTypeValue policy_type_value, const MatchItemReceive &item) const;
-template DecisionItem NaivePolicyDb::getDecisionItem<NaivePolicyDb::PolicyAccess, MatchItemAccess>(PolicyType policy_type, PolicyTypeValue policy_type_value, const MatchItemAccess &item) const;
+template DecisionItem NaivePolicyDb::getDecisionItem<MatchItemOwn>(PolicyType policy_type, PolicyTypeValue policy_type_value, const MatchItemOwn &item) const;
+template DecisionItem NaivePolicyDb::getDecisionItem<MatchItemSend>(PolicyType policy_type, PolicyTypeValue policy_type_value, const MatchItemSend &item) const;
+template DecisionItem NaivePolicyDb::getDecisionItem<MatchItemReceive>(PolicyType policy_type, PolicyTypeValue policy_type_value, const MatchItemReceive &item) const;
+template DecisionItem NaivePolicyDb::getDecisionItem<MatchItemAccess>(PolicyType policy_type, PolicyTypeValue policy_type_value, const MatchItemAccess &item) const;
template <typename P>
const P *NaivePolicyDb::getPolicy(const PolicyType policy_type,
{
/** Database class, contains policies for ownership and send/receive */
class NaivePolicyDb {
- public:
+ private:
/** Class containing policy with send/receive rules */
template <typename TI, typename TM>
class PolicySR {
static constexpr const char *name = "access";
};
- private:
template <typename P>
const P *getPolicy(const PolicyType policy_type,
const PolicyTypeValue policy_type_value) const;
class PolicySet {
mutable std::map<gid_t, VGid> mapGroup;
public:
+ typedef P type;
/** Policies for all contexts */
P context[static_cast<std::size_t>(ContextType::MAX)];
/** Map with policies for different users */
/* A mutex for mapGroups within sets */
mutable pthread_mutex_t mutexGroup = PTHREAD_MUTEX_INITIALIZER;
+ template <typename T>
+ struct MatchPolicy; // provide policy_type in specializations
+
void updateSupplementaryGroups(const VGid &groups, uid_t uid, gid_t gid) const;
void updateSupplementaryGroupsOwn(const VGid &groups, uid_t uid, gid_t gid) const;
public:
const PolicyTypeValue policy_type_value,
ItemAccess &item);
- template <typename P, typename T>
+ template <typename T>
DecisionItem getDecisionItem(PolicyType policy_type, PolicyTypeValue policy_type_value,
const T &item) const;
};