[systemd-commits] 3 commits - src/bus-proxyd
Lennart Poettering
lennart at kemper.freedesktop.org
Fri Jan 9 10:31:02 PST 2015
src/bus-proxyd/bus-proxyd.c | 9 +++++-
src/bus-proxyd/bus-xml-policy.c | 47 ++++++++++++++++++++++++++---------
src/bus-proxyd/test-bus-xml-policy.c | 26 ++++++++++++++++++-
3 files changed, 68 insertions(+), 14 deletions(-)
New commits:
commit 48aae6d6a051acd9c0630fab1e79b82c847e538b
Author: Lennart Poettering <lennart at poettering.net>
Date: Fri Jan 9 19:30:01 2015 +0100
bus-proxy-test: show parsed system/session policy
diff --git a/src/bus-proxyd/bus-xml-policy.c b/src/bus-proxyd/bus-xml-policy.c
index 119c731..8d14828 100644
--- a/src/bus-proxyd/bus-xml-policy.c
+++ b/src/bus-proxyd/bus-xml-policy.c
@@ -1047,6 +1047,8 @@ void policy_dump(Policy *p) {
printf("%s Mandatory Items:\n", draw_special_char(DRAW_ARROW));
dump_items(p->mandatory_items, "\t");
+
+ fflush(stdout);
}
static const char* const policy_item_type_table[_POLICY_ITEM_TYPE_MAX] = {
diff --git a/src/bus-proxyd/test-bus-xml-policy.c b/src/bus-proxyd/test-bus-xml-policy.c
index b0f4ed7..c22409c 100644
--- a/src/bus-proxyd/test-bus-xml-policy.c
+++ b/src/bus-proxyd/test-bus-xml-policy.c
@@ -50,17 +50,41 @@ static int test_policy_load(Policy *p, const char *name) {
assert_se(path);
if (access(path, R_OK) == 0)
- policy_load(p, STRV_MAKE(path));
+ r = policy_load(p, STRV_MAKE(path));
else
r = -ENOENT;
return r;
}
+static int show_policy(const char *fn) {
+ Policy p = {};
+ int r;
+
+ r = policy_load(&p, STRV_MAKE(fn));
+ if (r < 0) {
+ log_error_errno(r, "Failed to load policy %s: %m", fn);
+ return r;
+ }
+
+ policy_dump(&p);
+ policy_free(&p);
+
+ return 0;
+}
+
int main(int argc, char *argv[]) {
Policy p = {};
+ printf("Showing session policy BEGIN\n");
+ show_policy("/etc/dbus-1/session.conf");
+ printf("Showing session policy END\n");
+
+ printf("Showing system policy BEGIN\n");
+ show_policy("/etc/dbus-1/system.conf");
+ printf("Showing system policy END\n");
+
/* Ownership tests */
assert_se(test_policy_load(&p, "ownerships.conf") == 0);
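Review bot: show_policy skips `policy_free(&p)` on the error path (`return r;` right after the log_error_errno), so whatever policy_load appended to p before failing is not released; unless policy_load is guaranteed to leave p untouched on failure, which is not visible here, a `policy_free(&p);` before that return keeps the helper leak-free on both paths. Both calls in main discard show_policy's return value, which is reasonable for a diagnostic dump, but then the int return carries no information — either check it with assert_se like the other calls or make the helper void. The two calls also read /etc/dbus-1/session.conf and system.conf from the host, so the test output now varies with the machine; a comment such as `/* Best effort: dumps the host's dbus-daemon configuration when it exists */` above them would make that intent clear. main continues outside this hunk.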
commit 585b46db6baedf61aa94bf8fe9322a97bd06013d
Author: Lennart Poettering <lennart at poettering.net>
Date: Fri Jan 9 19:28:18 2015 +0100
bus-proxy: eat up "*" matches, they are pointless
diff --git a/src/bus-proxyd/bus-xml-policy.c b/src/bus-proxyd/bus-xml-policy.c
index 5824103..119c731 100644
--- a/src/bus-proxyd/bus-xml-policy.c
+++ b/src/bus-proxyd/bus-xml-policy.c
@@ -421,8 +421,10 @@ static int file_load(Policy *p, const char *path) {
return -EINVAL;
}
- i->interface = name;
- name = NULL;
+ if (!streq(name, "*")) {
+ i->interface = name;
+ name = NULL;
+ }
state = STATE_ALLOW_DENY;
} else {
log_error("Unexpected token (9) at %s:%u.", path, line);
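Review bot: In the `*` branch of this hunk, and of the three identical hunks that follow (member, error and path), `name` is left allocated and not consumed, whereas the send/recv hunk at the end of this commit frees it explicitly; whether that is a leak depends on how `name` is declared, which is outside the hunk — if it is a `_cleanup_free_` local the difference is only cosmetic, otherwise each wildcard attribute leaks a string. Either way the four blocks are the same three lines copied, and a small helper such as `static void take_unless_wildcard(char **dst, char **name)` that moves `*name` into `*dst` unless it equals `"*"` would keep the wildcard handling from drifting between the cases. A comment at the first occurrence, e.g. `/* "*" restricts nothing, so store no interface at all */`, would also record why the attribute is dropped rather than matched literally. file_load's body continues outside each of these hunks.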
@@ -440,8 +442,10 @@ static int file_load(Policy *p, const char *path) {
return -EINVAL;
}
- i->member = name;
- name = NULL;
+ if (!streq(name, "*")) {
+ i->member = name;
+ name = NULL;
+ }
state = STATE_ALLOW_DENY;
} else {
log_error("Unexpected token (10) in %s:%u.", path, line);
@@ -459,8 +463,10 @@ static int file_load(Policy *p, const char *path) {
return -EINVAL;
}
- i->error = name;
- name = NULL;
+ if (!streq(name, "*")) {
+ i->error = name;
+ name = NULL;
+ }
state = STATE_ALLOW_DENY;
} else {
log_error("Unexpected token (11) in %s:%u.", path, line);
@@ -478,8 +484,10 @@ static int file_load(Policy *p, const char *path) {
return -EINVAL;
}
- i->path = name;
- name = NULL;
+ if (!streq(name, "*")) {
+ i->path = name;
+ name = NULL;
+ }
state = STATE_ALLOW_DENY;
} else {
log_error("Unexpected token (12) in %s:%u.", path, line);
@@ -498,10 +506,12 @@ static int file_load(Policy *p, const char *path) {
return -EINVAL;
}
- r = bus_message_type_from_string(name, &i->message_type);
- if (r < 0) {
- log_error("Invalid message type in %s:%u.", path, line);
- return -EINVAL;
+ if (!streq(name, "*")) {
+ r = bus_message_type_from_string(name, &i->message_type);
+ if (r < 0) {
+ log_error("Invalid message type in %s:%u.", path, line);
+ return -EINVAL;
+ }
}
state = STATE_ALLOW_DENY;
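Review bot: When the attribute is `*`, `i->message_type` is never assigned here and keeps its initial value, so this hunk is only correct if the matching code treats that initial value as "any message type" — nothing in the hunk says so, and the matcher is not visible here. A comment above the added `if`, such as `/* "*" means any message type: leave message_type at its default so it is not matched on */`, would make the invariant explicit and is worth confirming against the code that compares message types. file_load's body continues outside this hunk.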
@@ -544,6 +554,17 @@ static int file_load(Policy *p, const char *path) {
i->gid_valid = true;
}
break;
+
+ case POLICY_ITEM_SEND:
+ case POLICY_ITEM_RECV:
+
+ if (streq(name, "*")) {
+ free(name);
+ name = NULL;
+ }
+ break;
+
+
default:
break;
}
commit f5886c92ace2fdd5b9d389eaf3883ac3034050fa
Author: Lennart Poettering <lennart at poettering.net>
Date: Fri Jan 9 19:25:23 2015 +0100
bus-proxy: dbus-daemon implies that connections from UIDs that are identical to the bus owner should be allowed
Hence, copy this behaviour for bus-proxy too.
diff --git a/src/bus-proxyd/bus-proxyd.c b/src/bus-proxyd/bus-proxyd.c
index 21cd4e2..6101a20 100644
--- a/src/bus-proxyd/bus-proxyd.c
+++ b/src/bus-proxyd/bus-proxyd.c
@@ -1282,6 +1282,7 @@ int main(int argc, char *argv[]) {
_cleanup_free_ char *peersec = NULL;
Policy policy_buffer = {}, *policy = NULL;
_cleanup_set_free_free_ Set *owned_names = NULL;
+ uid_t original_uid;
log_set_target(LOG_TARGET_JOURNAL_OR_KMSG);
log_parse_environment();
@@ -1303,6 +1304,8 @@ int main(int argc, char *argv[]) {
goto finish;
}
+ original_uid = getuid();
+
is_unix =
sd_is_socket(in_fd, AF_UNIX, 0, 0) > 0 &&
sd_is_socket(out_fd, AF_UNIX, 0, 0) > 0;
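Review bot: `original_uid = getuid();` is read here, well before its only use in the later hunk, and the name suggests main may change uid afterwards (not visible in this hunk); a short comment like `/* Remember the uid we were started as: clients running as the bus owner are trusted below */` would record why it must be captured at this point. Initialising it at its declaration in the earlier hunk, `uid_t original_uid = getuid();`, would also remove the window in which the variable is declared but unset. main continues outside this hunk.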
@@ -1444,7 +1447,11 @@ int main(int argc, char *argv[]) {
policy = &policy_buffer;
/* policy_dump(policy); */
- if (!policy_check_hello(policy, ucred.uid, ucred.gid)) {
+ if (ucred.uid == original_uid)
+ log_debug("Permitting access, since bus owner matches bus client.");
+ else if (policy_check_hello(policy, ucred.uid, ucred.gid))
+ log_debug("Permitting access due to XML policy.");
+ else {
r = log_error_errno(EPERM, "Policy denied connection.");
goto finish;
}