From: Adrian Szyndela <adrian.s@samsung.com>
Date: Wed, 9 Jan 2019 15:46:32 +0000 (+0100)
Subject: policychecker: add rules for send_destination_prefix
X-Git-Tag: submit/tizen/20180808.030253~5
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=47790c834576d4731df612f31a5aa14649d92096;p=platform%2Fcore%2Fsystem%2Fdbus-tools.git

policychecker: add rules for send_destination_prefix

Added rules for send_destination_prefix.

Additionally, modified 'default denials' rule to take into account
possible own_prefix values. This is limited by XPath/Schematron
possibilities, and is currently set to 8 prefixes for each
tested destination.

Change-Id: I7a653b1f55339e67e63e9c97b0c6ba37ff2c9b73
---

diff --git a/policychecker/rules.xsl b/policychecker/rules.xsl
index d05fd3b..d022d9c 100644
--- a/policychecker/rules.xsl
+++ b/policychecker/rules.xsl
@@ -10,11 +10,51 @@
 		</sch:rule>
 	</sch:pattern>
 
-	<sch:pattern name="Default denials not specified (send_destination, own, own_prefix)">
+	<sch:pattern name="Default denials not specified (send_destination, send_destination_prefix, own, own_prefix)">
 		<sch:rule context="allow[@send_destination]">
 			<sch:let name="dest_name" value="@send_destination"/>
+			<!-- We need to check if there is 'deny own_prefix' for any prefix of send_destination.
+			     Thus, we generate 8 (this is an arbitrary number) prefixes and check against them.
+
+				 For example, if send_destination="a.b.c.d.e.f.g.h.i", then the generated prefixes are:
+				 a, a.b, a.b.c, a.b.c.d, a.b.c.d.e, a.b.c.d.e.f, a.b.c.d.e.f.g, a.b.c.d.e.f.g.h
+				 A warning will show up if there is no 'deny own' for a.b.c.d.e.f.g.h.i and
+				 no 'deny own_prefix' for a.b.c.d.e.f.g.h.i and all the above prefixes.
+
+				 In case of some shorter destinations, e.g. a.b.c, the generated prefixes are:
+				 a, a.b, a.b., a.b.., a.b..., a.b...., a.b....., a.b......
+				 but only two of them are valid values anyway.
+				 A warning will show up if there is no 'deny own' for a.b.c and
+				 no 'deny own_prefix' for a.b.c and all the above prefixes.
+
+				 It probably covers most cases. If not, it can be extended.
+			-->
+			<sch:let name="prefix1" value="substring-before($dest_name, '.')"/>
+			<sch:let name="prefix2" value="concat(concat($prefix1, '.'), substring-before(substring-after($dest_name, concat($prefix1, '.')), '.'))"/>
+			<sch:let name="prefix3" value="concat(concat($prefix2, '.'), substring-before(substring-after($dest_name, concat($prefix2, '.')), '.'))"/>
+			<sch:let name="prefix4" value="concat(concat($prefix3, '.'), substring-before(substring-after($dest_name, concat($prefix3, '.')), '.'))"/>
+			<sch:let name="prefix5" value="concat(concat($prefix4, '.'), substring-before(substring-after($dest_name, concat($prefix4, '.')), '.'))"/>
+			<sch:let name="prefix6" value="concat(concat($prefix5, '.'), substring-before(substring-after($dest_name, concat($prefix5, '.')), '.'))"/>
+			<sch:let name="prefix7" value="concat(concat($prefix6, '.'), substring-before(substring-after($dest_name, concat($prefix6, '.')), '.'))"/>
+			<sch:let name="prefix8" value="concat(concat($prefix7, '.'), substring-before(substring-after($dest_name, concat($prefix7, '.')), '.'))"/>
 			<sch:assert test="//policy[@context='default']/deny[@send_destination = $dest_name]">For each allow send_destination you must add a deny send_destination in default context.</sch:assert>
-			<sch:assert test="//policy[@context='default']/deny[@own = $dest_name]">For each allow send_destination you must add a deny own in default context.</sch:assert>
+			<sch:assert test="//policy[@context='default']/deny[@own = $dest_name] or
+			                  //policy[@context='default']/deny[@own_prefix = $dest_name] or
+			                  //policy[@context='default']/deny[@own_prefix = $prefix1] or
+			                  //policy[@context='default']/deny[@own_prefix = $prefix2] or
+			                  //policy[@context='default']/deny[@own_prefix = $prefix3] or
+			                  //policy[@context='default']/deny[@own_prefix = $prefix4] or
+			                  //policy[@context='default']/deny[@own_prefix = $prefix5] or
+			                  //policy[@context='default']/deny[@own_prefix = $prefix6] or
+			                  //policy[@context='default']/deny[@own_prefix = $prefix7] or
+			                  //policy[@context='default']/deny[@own_prefix = $prefix8]
+				">For each allow send_destination you must add a deny own or deny own_prefix in default context.
+			</sch:assert>
+		</sch:rule>
+		<sch:rule context="allow[@send_destination_prefix]">
+			<sch:let name="dest_name" value="@send_destination_prefix"/>
+			<sch:assert test="//policy[@context='default']/deny[@send_destination_prefix = $dest_name]">For each allow send_destination_prefix you must add a deny send_destination_prefix in default context.</sch:assert>
+			<sch:assert test="//policy[@context='default']/deny[@own_prefix = $dest_name]">For each allow send_destination_prefix you must add a deny own_prefix in default context</sch:assert>
 		</sch:rule>
 		<sch:rule context="allow[@own]">
 			<sch:let name="dest_name" value="@own"/>
@@ -29,11 +69,11 @@
 	<sch:pattern name="Unconstrained allow in default context (or mandatory)">
 		<!-- policy[@context] means that it applies to both default and mandatory contexts -->
 		<sch:rule context="policy[@context]/allow[@send_type='method_call']">
-			<sch:assert test="@send_destination">Unconstrained allows are not allowed in context default and context mandatory: missing send_destination, but send_type="method_call" is present.</sch:assert>
+			<sch:assert test="@send_destination or @send_destination_prefix">Unconstrained allows are not allowed in context default and context mandatory: missing send_destination or send_destination_prefix, but send_type="method_call" is present.</sch:assert>
 			<sch:assert test="@send_interface">Unconstrained allows are not allowed in context default and context mandatory: missing send_interface, but send_type="method_call" is present.</sch:assert>
 		</sch:rule>
 		<sch:rule context="policy[@context]/allow[@send_path]">
-			<sch:assert test="@send_destination">Unconstrained allows are not allowed in context default and context mandatory: missing send_destination, but send_path is present.</sch:assert>
+			<sch:assert test="@send_destination or @send_destination_prefix">Unconstrained allows are not allowed in context default and context mandatory: missing send_destination or send_destination_prefix, but send_path is present.</sch:assert>
 		</sch:rule>
 		<sch:rule context="policy[@context]/allow[@receive_type='method_call']">
 			<sch:assert test="@receive_sender">Unconstrained allows are not allowed in context default and context mandatory: missing receive_sender, but receive_type="method_call" is present.</sch:assert>
@@ -44,10 +84,10 @@
 		</sch:rule>
 		<!-- user and group contexts need at least send_destination -->
 		<sch:rule context="policy[@user]/allow[@send_type='method_call'] | policy[@group]/allow[@send_type='method_call']">
-			<sch:assert test="@send_destination">Unconstrained allows are not allowed in user or group context: missing send_destination, but send_type="method_call" is present.</sch:assert>
+			<sch:assert test="@send_destination or @send_destination_prefix">Unconstrained allows are not allowed in user or group context: missing send_destination or send_destination_prefix, but send_type="method_call" is present.</sch:assert>
 		</sch:rule>
 		<sch:rule context="policy[@user]/allow[@send_path] | policy[@group]/allow[@send_path]">
-			<sch:assert test="@send_destination">Unconstrained allows are not allowed in user or group context: missing send_destination, but send_path is present.</sch:assert>
+			<sch:assert test="@send_destination or @send_destination_prefix">Unconstrained allows are not allowed in user or group context: missing send_destination or send_destination_prefix, but send_path is present.</sch:assert>
 		</sch:rule>
 		<sch:rule context="policy[@user]/allow[@receive_type='method_call'] | policy[@group]/allow[@receive_type='method_call']">
 			<sch:assert test="@receive_sender">Unconstrained allows are not allowed in user or group context: missing receive_sender, but receive_type="method_call" is present.</sch:assert>
@@ -63,8 +103,8 @@
 			<sch:assert test="policy[@context='default']">You must provide a policy context-default section.</sch:assert>
 		</sch:rule>
 		<sch:rule context="policy[@context='default']">
-			<sch:assert test="deny[@own]">You must define a 'deny own="yourname"' rule in context-default policy to avoid depending on a global 'deny own="*"'.</sch:assert>
-			<sch:assert test="deny[@send_destination]">You must define a 'deny send_destination="yourname"' rule in context-default policy to avoid depending on a global deny.</sch:assert>
+			<sch:assert test="deny[@own] or deny[@own_prefix]">You must define a 'deny own="yourname"' or 'deny own_prefix="yourname"' rule in context-default policy to avoid depending on a global 'deny own="*"'.</sch:assert>
+			<sch:assert test="deny[@send_destination] or deny[@send_destination_prefix]">You must define a 'deny send_destination="yourname"' or 'deny send_destination_prefix="yourname"' rule in context-default policy to avoid depending on a global deny.</sch:assert>
 
 			<!-- TODO what constraints should be made on send_destination and receive sender? -->
 		</sch:rule>
@@ -137,7 +177,7 @@
 
 	<sch:pattern name="No send_interface without send_destination">
 		<sch:rule context="*[@send_interface]">
-			<sch:assert test="@send_destination or @send_type='signal'">You mustn't use send_interface without send_destination, unless you limit the rule to only signals with send_type="signal"</sch:assert>
+			<sch:assert test="@send_destination or @send_destination_prefix or @send_type='signal'">You mustn't use send_interface without send_destination or send_destination_prefix, unless you limit the rule to only signals with send_type="signal"</sch:assert>
 		</sch:rule>
 		<sch:rule context="*[@receive_interface]">
 			<sch:assert test="@receive_sender">You mustn't use receive_interface without receive_sender</sch:assert>
@@ -146,7 +186,7 @@
 
 	<sch:pattern name="No send and receive in one rule">
 		<sch:rule context="allow|deny">
-			<sch:report test="(@send_interface or @send_member or @send_error or @send_broadcast or @send_destination or @send_type or @send_path or @send_requested_reply) and (@receive_interface or @receive_member or @receive_error or @receive_sender or @receive_type or @receive_path or @receive_requsted_reply)">You mustn't use send_ and receive_ attributes in one rule.</sch:report>
+			<sch:report test="(@send_interface or @send_member or @send_error or @send_broadcast or @send_destination or @send_destination_prefix or @send_type or @send_path or @send_requested_reply) and (@receive_interface or @receive_member or @receive_error or @receive_sender or @receive_type or @receive_path or @receive_requsted_reply)">You mustn't use send_ and receive_ attributes in one rule.</sch:report>
 		</sch:rule>
 	</sch:pattern>