call for design review: 'own_prefix' policy statements in dbus-daemon

Simon McVittie simon.mcvittie at collabora.co.uk
Tue Mar 6 06:47:22 PST 2012


<https://bugs.freedesktop.org/show_bug.cgi?id=46886> requests a way to
allow/deny ownership of whole subtrees of names. This would allow APIs
analogous to Telepathy <http://telepathy.freedesktop.org/> and ReserveDevice
<http://git.0pointer.de/?p=reserve.git;a=blob_plain;f=reserve.txt> to be
used on the system bus, or on a modified session bus where not all
services are equally privileged.

I proposed this, and Alban Crequy has implemented it:

>     <allow own_prefix="a.b"/> allows you to own the name "a.b" or any
>     name whose first dot-separated elements are "a.b": in particular,
>     you can own "a.b.c" or "a.b.c.d", but not "a.bc" or "a.c".
>     This is useful when services like Telepathy and ReserveDevice
>     define a meaning for subtrees of well-known names, such as
>     org.freedesktop.Telepathy.ConnectionManager.(anything)
>     and org.freedesktop.ReserveDevice1.(anything).

If anyone objects to this landing in D-Bus 1.6, please reply to the bug
and we can discuss it there. I will merge it soon if nobody objects.

Name ownership is currently done via <allow own="*"/> and <allow
own="a.b"/>, and the deny equivalents. Only the literal string "*" is
allowed: arbitrary glob expressions like "a.b.*" and "a.*.b" are not
supported.

I suggested own_prefix to resemble arg0prefix in signal match rules, and
because I think it has the semantics people will actually want, in
practice: "a.b.*" doesn't match "a.b", "a.b*" matches too much
(including "a.bc"), and there's no sensible use-case for monsters like
"a.b.*.?c".

Regards,
    Simon
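
An added example, not part of the original message and not dbus-daemon's own code: the own_prefix matching rule described above, written in C next to the existing own="*" and exact own forms. The type and function names, the sample policy and the name "Audio0" are constructed for illustration; evaluating rules in order with the last match deciding, and denying when nothing matches, is an assumption of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Rule forms named in the message: own="*", own="a.b", own_prefix="a.b". */
enum own_kind { OWN_ANY, OWN_EXACT, OWN_PREFIX };

struct own_rule {
    bool allow;          /* true for <allow .../>, false for <deny .../> */
    enum own_kind kind;
    const char *value;   /* NULL for OWN_ANY */
};

/* own_prefix: the name equals the prefix, or the prefix is followed by '.',
 * so "a.b" covers "a.b.c" but neither "a.bc" nor "a.c". */
static bool matches_own_prefix(const char *name, const char *prefix)
{
    size_t n = strlen(prefix);
    return strncmp(name, prefix, n) == 0 && (name[n] == '\0' || name[n] == '.');
}

static bool rule_matches(const struct own_rule *r, const char *name)
{
    if (r->kind == OWN_EXACT)
        return strcmp(name, r->value) == 0;
    return r->kind == OWN_ANY || matches_own_prefix(name, r->value);
}

/* Assumption: the last matching rule decides; no match means deny. */
static bool can_own(const struct own_rule *rules, size_t count, const char *name)
{
    bool allowed = false;
    for (size_t i = 0; i < count; i++)
        if (rule_matches(&rules[i], name))
            allowed = rules[i].allow;
    return allowed;
}

/* Constructed sample policy: deny all names, then allow one subtree. */
static const struct own_rule sample_policy[] = {
    { false, OWN_ANY, NULL },
    { true, OWN_PREFIX, "org.freedesktop.ReserveDevice1" },
};

int main(void)
{
    printf("%d\n", can_own(sample_policy, 2, "org.freedesktop.ReserveDevice1.Audio0"));
    return 0;
}
```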

