From 97c11fe28633e5da65a2b5a0353204ce68d6140b Mon Sep 17 00:00:00 2001
From: Alban Crequy
Date: Sun, 4 Mar 2012 15:18:38 +0000
Subject: [PATCH] doc: update documentation with own_prefix policy rules
https://bugs.freedesktop.org/show_bug.cgi?id=46886
---
 cmake/bus/dbus-daemon.xml | 8 ++++++++
 doc/dbus-daemon.1.in | 10 ++++++++++
 2 files changed, 18 insertions(+)
diff --git a/cmake/bus/dbus-daemon.xml b/cmake/bus/dbus-daemon.xml
index c6f4db0..f331699 100644
--- a/cmake/bus/dbus-daemon.xml
+++ b/cmake/bus/dbus-daemon.xml
@@ -512,6 +512,7 @@ statements, and works just like <deny> but with the inverse meaning.
@@ -590,6 +591,13 @@ the character "*" can be substituted, meaning "any." Complex globs like "foo.bar.*" aren't allowed for now because they'd be work to implement and maybe encourage sloppy security anyway.
+<allow own_prefix="a.b"/> allows you to own the name "a.b" or any
+name whose first dot-separated elements are "a.b": in particular,
+you can own "a.b.c" or "a.b.c.d", but not "a.bc" or "a.c".
+This is useful when services like Telepathy and ReserveDevice
+define a meaning for subtrees of well-known names, such as
+org.freedesktop.Telepathy.ConnectionManager.(anything)
+and org.freedesktop.ReserveDevice1.(anything).
It does not make sense to deny a user or group inside a <policy> for a user or group; user/group denials can only be inside
diff --git a/doc/dbus-daemon.1.in b/doc/dbus-daemon.1.in
index b063e64..53856e9 100644
--- a/doc/dbus-daemon.1.in
+++ b/doc/dbus-daemon.1.in
@@ -501,6 +501,7 @@ The possible attributes of these elements are: eavesdrop="true" | "false" own="name"
+ own_prefix="name"
user="username" group="groupname" .fi
@@ -573,6 +574,15 @@ like "foo.bar.*" aren't allowed for now because they'd be work to implement and maybe encourage sloppy security anyway. .PP
+ allows you to own the name "a.b" or any
+name whose first dot-separated elements are "a.b": in particular,
+you can own "a.b.c" or "a.b.c.d", but not "a.bc" or "a.c".
+This is useful when services like Telepathy and ReserveDevice
+define a meaning for subtrees of well-known names, such as
+org.freedesktop.Telepathy.ConnectionManager.(anything)
+and org.freedesktop.ReserveDevice1.(anything).
+
+.PP
It does not make sense to deny a user or group inside a for a user or group; user/group denials can only be inside context="default" or context="mandatory" policies.
--
2.7.4