diff --git a/src/bus-proxyd/bus-policy.c b/src/bus-proxyd/bus-policy.c index ff6a3e4e193..d543bf9af42 100644 --- a/src/bus-proxyd/bus-policy.c +++ b/src/bus-proxyd/bus-policy.c @@ -627,7 +627,7 @@ static int check_policy_item(PolicyItem *i, const struct policy_check_filter *fi if (i->name && !streq_ptr(i->name, filter->name)) break; - if ((i->message_type != _POLICY_ITEM_CLASS_UNSET) && (i->message_type != filter->message_type)) + if ((i->message_type != 0) && (i->message_type != filter->message_type)) break; if (i->path && !streq_ptr(i->path, filter->path)) @@ -688,7 +688,7 @@ static int check_policy_items(PolicyItem *items, const struct policy_check_filte * and the order of rules in policy definitions matters */ LIST_FOREACH(items, i, items) { if (i->class != filter->class && - IN_SET(i->class, POLICY_ITEM_OWN, POLICY_ITEM_OWN_PREFIX) != IN_SET(filter->class, POLICY_ITEM_OWN, POLICY_ITEM_OWN_PREFIX)) + !(i->class == POLICY_ITEM_OWN_PREFIX && filter->class == POLICY_ITEM_OWN)) continue; r = check_policy_item(i, filter); @@ -707,6 +707,8 @@ static int policy_check(Policy *p, const struct policy_check_filter *filter) { assert(p); assert(filter); + assert(IN_SET(filter->class, POLICY_ITEM_SEND, POLICY_ITEM_RECV, POLICY_ITEM_OWN, POLICY_ITEM_USER, POLICY_ITEM_GROUP)); + /* * The policy check is implemented by the following logic: * diff --git a/src/bus-proxyd/test-bus-policy.c b/src/bus-proxyd/test-bus-policy.c index 3140e083c2e..1c1d1ef9ed6 100644 --- a/src/bus-proxyd/test-bus-policy.c +++ b/src/bus-proxyd/test-bus-policy.c @@ -157,6 +157,25 @@ int main(int argc, char *argv[]) { assert_se(test_policy_load(&p, "test.conf") >= 0); policy_dump(&p); + + ucred.uid = 0; + assert_se(policy_check_own(&p, &ucred, "org.foo.FooService") == true); + assert_se(policy_check_own(&p, &ucred, "org.foo.FooService2") == false); + assert_se(policy_check_send(&p, &ucred, SD_BUS_MESSAGE_METHOD_CALL, "org.test.test1", "/an/object/path", "org.test.int2", "Member") == false); + assert_se(policy_check_send(&p, &ucred, SD_BUS_MESSAGE_METHOD_CALL, "org.test.test1", "/an/object/path", "org.foo.FooBroadcastInterface", "Member") == true); + assert_se(policy_check_recv(&p, &ucred, SD_BUS_MESSAGE_METHOD_CALL, "org.foo.FooService", "/an/object/path", "org.foo.FooBroadcastInterface", "Member") == true); + assert_se(policy_check_recv(&p, &ucred, SD_BUS_MESSAGE_METHOD_CALL, "org.foo.FooService", "/an/object/path", "org.foo.FooBroadcastInterface2", "Member") == false); + assert_se(policy_check_recv(&p, &ucred, SD_BUS_MESSAGE_METHOD_CALL, "org.foo.FooService2", "/an/object/path", "org.foo.FooBroadcastInterface", "Member") == false); + + ucred.uid = 100; + assert_se(policy_check_own(&p, &ucred, "org.foo.FooService") == false); + assert_se(policy_check_own(&p, &ucred, "org.foo.FooService2") == false); + assert_se(policy_check_send(&p, &ucred, SD_BUS_MESSAGE_METHOD_CALL, "org.test.test1", "/an/object/path", "org.test.int2", "Member") == false); + assert_se(policy_check_send(&p, &ucred, SD_BUS_MESSAGE_METHOD_CALL, "org.test.test1", "/an/object/path", "org.foo.FooBroadcastInterface", "Member") == false); + assert_se(policy_check_recv(&p, &ucred, SD_BUS_MESSAGE_METHOD_CALL, "org.foo.FooService", "/an/object/path", "org.foo.FooBroadcastInterface", "Member") == true); + assert_se(policy_check_recv(&p, &ucred, SD_BUS_MESSAGE_METHOD_CALL, "org.foo.FooService", "/an/object/path", "org.foo.FooBroadcastInterface2", "Member") == false); + assert_se(policy_check_recv(&p, &ucred, SD_BUS_MESSAGE_METHOD_CALL, "org.foo.FooService2", "/an/object/path", "org.foo.FooBroadcastInterface", "Member") == false); + policy_free(&p); return EXIT_SUCCESS;