bus-policy: steal a test case for prefix ownership from dbus1, and make sure it passes with the bus proxy enforcement

2014-11-26 20:22:22 +01:00 · 2014-11-26 20:22:22 +01:00 · 3a9cca1104
parent cf226cfc24
commit 3a9cca1104
4 changed files with 36 additions and 4 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -1383,7 +1383,8 @@ EXTRA_DIST += \
 	test/bus-policy/hello.conf \
 	test/bus-policy/methods.conf \
 	test/bus-policy/ownerships.conf \
-	test/bus-policy/signals.conf
+	test/bus-policy/signals.conf \
+	test/bus-policy/check-own-rules.conf


 EXTRA_DIST += \
--- a/src/bus-proxyd/bus-policy.c
+++ b/src/bus-proxyd/bus-policy.c
@ -599,7 +599,7 @@ enum {
 };

 struct policy_check_filter {
-        int class;
+        PolicyItemClass class;
        const struct ucred *ucred;
        int message_type;
        const char *name;
@ -651,7 +651,7 @@ static int check_policy_item(PolicyItem *i, const struct policy_check_filter *fi
        case POLICY_ITEM_OWN_PREFIX:
                assert(filter->name);

-                if (streq(i->name, "*") || service_name_startswith(i->name, filter->name))
+                if (streq(i->name, "*") || service_name_startswith(filter->name, i->name))
                        return is_permissive(i);
                break;

@ -687,7 +687,8 @@ static int check_policy_items(PolicyItem *items, const struct policy_check_filte
        /* Check all policies in a set - a broader one might be followed by a more specific one,
         * and the order of rules in policy definitions matters */
        LIST_FOREACH(items, i, items) {
-                if (i->class != filter->class)
+                if (i->class != filter->class &&
+                    IN_SET(i->class, POLICY_ITEM_OWN, POLICY_ITEM_OWN_PREFIX) != IN_SET(filter->class, POLICY_ITEM_OWN, POLICY_ITEM_OWN_PREFIX))
                        continue;

                r = check_policy_item(i, filter);
--- a/src/bus-proxyd/test-bus-policy.c
+++ b/src/bus-proxyd/test-bus-policy.c
@ -131,5 +131,21 @@ int main(int argc, char *argv[]) {

        policy_free(&p);

+        /* dbus1 test file: ownership */
+
+        assert_se(test_policy_load(&p, "check-own-rules.conf") >= 0);
+        policy_dump(&p);
+
+        assert_se(policy_check_own(&p, &ucred, "org.freedesktop") == false);
+        assert_se(policy_check_own(&p, &ucred, "org.freedesktop.ManySystem") == false);
+        assert_se(policy_check_own(&p, &ucred, "org.freedesktop.ManySystems") == true);
+        assert_se(policy_check_own(&p, &ucred, "org.freedesktop.ManySystems.foo") == true);
+        assert_se(policy_check_own(&p, &ucred, "org.freedesktop.ManySystems.foo.bar") == true);
+        assert_se(policy_check_own(&p, &ucred, "org.freedesktop.ManySystems2") == false);
+        assert_se(policy_check_own(&p, &ucred, "org.freedesktop.ManySystems2.foo") == false);
+        assert_se(policy_check_own(&p, &ucred, "org.freedesktop.ManySystems2.foo.bar") == false);
+
+        policy_free(&p);
+
        return EXIT_SUCCESS;
 }
--- a/test/bus-policy/check-own-rules.conf
+++ b/test/bus-policy/check-own-rules.conf
@ -0,0 +1,14 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <user>mybususer</user>
+  <listen>unix:path=/foo/bar</listen>
+  <listen>tcp:port=1234</listen>
+  <servicedir>/usr/share/foo</servicedir>
+  <policy context="default">
+    <allow user="*"/>
+    <deny own="*"/>
+    <allow own_prefix="org.freedesktop.ManySystems"/>
+  </policy>
+
+</busconfig>