author | Adrian Szyndela <adrian.s@samsung.com> | 2018-06-28 14:49:42 +0200 |
committer | Adrian Szyndela <adrian.s@samsung.com> | 2018-06-29 11:18:16 +0200 |
commit | 72750f98f330cfe49c7afbfd373f40f5449541f8 (patch) | |
tree | 01b53afa7df1f77113d51a791f724ffaeaa8806f /policychecker | |
parent | df5a8ce5c27058e2878c473b1fee5f7a4e22989d (diff) | |
packaging, integrating with Tizen — submit/tizen/20180705.081312, accepted/tizen/unified/20180705.172727
Also, some improvements in shell scripts.
Change-Id: I10a06b8b30f45722746361b7ce27364baaebc957
Diffstat (limited to 'policychecker')
-rw-r--r-- | policychecker/Makefile.in | 11 | ||||
-rw-r--r-- | policychecker/README | 10 | ||||
-rwxr-xr-x | policychecker/check | 88 | ||||
-rwxr-xr-x | policychecker/check.in | 68 | ||||
-rw-r--r-- | policychecker/configure.ac | 11 | ||||
-rwxr-xr-x | policychecker/get_privileges | 14 | ||||
-rwxr-xr-x | policychecker/get_privileges.in | 15 |
7 files changed, 113 insertions, 104 deletions
diff --git a/policychecker/Makefile.in b/policychecker/Makefile.in
new file mode 100644
index 0000000..6d4a1a9
--- /dev/null
+++ b/policychecker/Makefile.in
@@ -0,0 +1,11 @@
+INSTALL_DIR=$(DESTDIR)/@datadir@/dbus-tools/policychecker
+BIN_DIR=$(DESTDIR)/@bindir@
+
+install:
+ mkdir -p $(INSTALL_DIR)
+ install -m 0644 *.xsl README $(INSTALL_DIR)
+ install -m 0755 check get_privileges $(INSTALL_DIR)
+ mkdir -p $(INSTALL_DIR)/xslt
+ install -m 0644 xslt/* $(INSTALL_DIR)/xslt
+ mkdir -p $(BIN_DIR)
+ ln -s @datadir@/dbus-tools/policychecker/check $(BIN_DIR)/dbus-policychecker
diff --git a/policychecker/README b/policychecker/README
index 72ad67c..57e7020 100644
--- a/policychecker/README
+++ b/policychecker/README
@@ -1,4 +1,10 @@
-./check ./test-policy.conf
+This is the policy checker for D-Bus. Run it with a D-Bus policy file as an argument:
 
-for i in /etc/dbus-1/system.d/*.conf; do ./check "$i" | wc -l ; done
+dbus-policycheck ./test-policy.conf
+
+It shows found violations checked with rules defined in rules.xsl.
+
+To count all violations in system policy config files, run
+
+for i in /etc/dbus-1/system.d/*.conf; do dbus-policycheck "$i" | wc -l ; done
 
diff --git a/policychecker/check b/policychecker/check
deleted file mode 100755
index ce3f4ad..0000000
--- a/policychecker/check
+++ /dev/null
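Review bot: The symlink created on the last recipe line is named `dbus-policychecker`, but the README rewritten in the same commit tells users to run `dbus-policycheck`, so one of the two names has to change (the package name in configure.ac suggests `dbus-policychecker` is the intended one). `ln -s` also fails on a second `make install` once the link already exists; `ln -sf @datadir@/dbus-tools/policychecker/check $(BIN_DIR)/dbus-policychecker` keeps the target idempotent. The recipe lines appear space-indented in this rendering; if that is not an artifact of the page, make rejects them with a "missing separator" error, so confirm they are tab-indented in the source.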
@@ -1,88 +0,0 @@
-#!/bin/bash
-
-xslt_processor="xsltproc --nonet --novalid --maxdepth 20000"
-tmpdir="./tmp/"
-
-function exit_with_code() {
- rm -rf $tmpdir
- exit $1
-}
-
-
-if [ "$#" -ne 1 ]; then
- echo "Usage: $0 config-file"
- exit 1
-fi
-
-config_file=$1
-schema_file="./rules.xsl"
-
-if [ ! -f $config_file ]; then
- echo "config file does not exist"
- exit 1
-fi
-
-if [ -d "$tmpdir" ]; then
- rm -rf "$tmpdir"
-fi
-
-rm -rf error*.log
-mkdir $tmpdir
-
-
-# TEST 1/3: check cynara privileges existence (there are too many to perform this check using xsltproc)
-system_privileges_file="$tmpdir/privileges_system"
-conf_privileges_file="$tmpdir/privileges_conf"
-grep "http://tizen.org/privilege" /var/cynara/db/* | sed "s/;[^;]*;$//g" | sed "s/.*http/http/g" | uniq > $system_privileges_file
-$xslt_processor ./extract_privilege.xsl $config_file | uniq > $conf_privileges_file
-grep -Fxv -f $system_privileges_file $conf_privileges_file | while read line ; do echo "FAILED(cynara) no privilege in cynara db: $line" ; done
-
-# TEST 2/3: check allow/deny duplicates (impossible to do directly with xpath 1.0, I don't know how to embed it into schematron config)
-$xslt_processor ./same.xsl $config_file
-
-
-# TEST 3/3: apply schematron rules
-
-# build a test (@user = x or @user = y or ...) at runtime
-users_test=$(cat /etc/passwd | sed "s/:.*//g" | sort | paste -sd "," | sed "s/,/' or @user = '/g" | sed "s/^/@user = '/" | sed "s/$/'/")
-groups_test=$(cat /etc/group | sed "s/:.*//g" | sort | paste -sd "," | sed "s/,/' or @group = '/g" | sed "s/^/@group = '/" | sed "s/$/'/")
-
-tmpname="$tmpdir$(basename $schema_file)"
-
-cat $schema_file | sed "s/USERS_TEST/$users_test/g" | sed "s/GROUPS_TEST/$groups_test/g" > $tmpname.0 2> error.0.log
-if [ $? != 0 ]; then
- echo "XSL Phase 0 failed, error log saved to error.0.log"
- exit_with_code 1
-fi
-
-$xslt_processor xslt/iso_dsdl_include.xsl $tmpname.0 > $tmpname.1 2> error.1.log
-if [ $? != 0 ]; then
- echo "XSL Phase 1 failed, error log saved to error.1.log"
- exit_with_code 1
-fi
-
-$xslt_processor xslt/iso_abstract_expand.xsl $tmpname.1 > $tmpname.2 2> error.2.log
-if [ ! $? == 0 ]; then
- echo "XSL Phase 2 failed, error log saved to error.2.log"
- exit 1
-fi
-
-$xslt_processor xslt/iso_svrl_for_xslt1.xsl $tmpname.2 > $tmpname.3 2> error.3.log
-if [ $? != 0 ]; then
- echo "XSL Phase 3 failed, error log saved to error.3.log"
- exit_with_code 1
-fi
-
-$xslt_processor $tmpname.3 $config_file > $tmpname.4 2> error.4.log
-if [ $? != 0 ]; then
- echo "Schematron test failed, error log saved to error.4.log"
- exit_with_code 1
-fi
-
-$xslt_processor report.xsl $tmpname.4 2> error.5.log
-if [ $? != 0 ]; then
- echo "Formatting test results failed, error log saved to error.5.log"
- exit_with_code 1
-fi
-
-exit_with_code 0
diff --git a/policychecker/check.in b/policychecker/check.in
new file mode 100755
index 0000000..da5b3ad
--- /dev/null
+++ b/policychecker/check.in
@@ -0,0 +1,68 @@
+#!/bin/sh
+
+set -e
+
+xslt_processor="xsltproc --nonet --novalid --maxdepth 20000"
+tmpdir=`mktemp -d`
+checker_dir="@datadir@/dbus-tools/policychecker"
+schematron_dir="@datadir@/dbus-tools/policychecker/xslt"
+config_file=$1
+schema_file="$checker_dir/rules.xsl"
+
+system_privileges_file="$tmpdir/privileges_system"
+conf_privileges_file="$tmpdir/privileges_conf"
+
+cleanup() {
+ rm -rf $tmpdir
+ exit $1
+}
+
+trap cleanup 0
+
+if [ "$#" -ne 1 ]; then
+ echo "Usage: $0 config-file"
+ exit 1
+fi
+
+if [ ! -f $config_file ]; then
+ echo "config file does not exist"
+ exit 1
+fi
+
+if [ ! -d /var/cynara/db ]; then
+ echo "Cynara database not found"
+ exit 1
+fi
+
+# TEST 1/3: check cynara privileges existence (there are too many to perform this check using xsltproc)
+grep "http://tizen.org/privilege" /var/cynara/db/* | sed -e "s/;[^;]*;$//g" -e "s/.*http/http/g" | uniq > $system_privileges_file
+$xslt_processor $checker_dir/extract_privilege.xsl $config_file | uniq > $conf_privileges_file
+grep -Fxv -f $system_privileges_file $conf_privileges_file | while read line ; do echo "FAILED(cynara) no privilege in cynara db: $line" ; exit 1; done
+
+# TEST 2/3: check allow/deny duplicates (impossible to do directly with xpath 1.0, I don't know how to embed it into schematron config)
+$xslt_processor $checker_dir/same.xsl $config_file
+
+# TEST 3/3: apply schematron rules
+
+# build a test (@user = x or @user = y or ...) at runtime
+prepare_test() {
+ echo $(getent $1 | sort -r | awk -F: '{entries[n++] = $1} END { while (n>0) {printf "@'"$2"' = '\''%s'\''%s", entries[n-1], (n > 1 ? " or " : ""); n--} }')
+}
+
+users_test=$(prepare_test passwd user)
+groups_test=$(prepare_test group group)
+
+tmpname="$tmpdir/$(basename $schema_file)"
+
+cat $schema_file | sed -e "s/USERS_TEST/$users_test/g" -e "s/GROUPS_TEST/$groups_test/g" > $tmpname.0
+
+$xslt_processor $schematron_dir/iso_dsdl_include.xsl $tmpname.0 > $tmpname.1
+$xslt_processor $schematron_dir/iso_abstract_expand.xsl $tmpname.1 > $tmpname.2
+$xslt_processor $schematron_dir/iso_svrl_for_xslt1.xsl $tmpname.2 > $tmpname.3
+$xslt_processor $tmpname.3 $config_file > $tmpname.4
+$xslt_processor $checker_dir/report.xsl $tmpname.4
+
+# end-of-output, a new line for pretty printing
+echo
+
+exit 0
diff --git a/policychecker/configure.ac b/policychecker/configure.ac
new file mode 100644
index 0000000..17b88c2
--- /dev/null
+++ b/policychecker/configure.ac
@@ -0,0 +1,11 @@
+# -*- Autoconf -*-
+# Process this file with autoconf to produce a configure script.
+
+AC_PREREQ(2.61)
+AC_INIT([dbus-policychecker], [0.1])
+
+AC_SUBST([bindir])
+AC_SUBST([datadir])
+AC_CONFIG_FILES([Makefile check get_privileges])
+
+AC_OUTPUT
diff --git a/policychecker/get_privileges b/policychecker/get_privileges
deleted file mode 100755
index 753b460..0000000
--- a/policychecker/get_privileges
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash
-
-cmd="xsltproc --nonet --novalid "
-
-privileges=""
-
-for i in `ls ./*.conf`; do
- new="$($cmd extract_privilege.xsl $i)"
- privileges="$privileges \
- $new"
-done
-
-echo "$privileges" | uniq -u
-exit 0
diff --git a/policychecker/get_privileges.in b/policychecker/get_privileges.in
new file mode 100755
index 0000000..e7f69e2
--- /dev/null
+++ b/policychecker/get_privileges.in
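Review bot: The `exit 1` added inside the TEST 1/3 `while read` loop runs in the pipeline's subshell, so with `set -e` the script stops after printing the first missing privilege and TEST 2/3 and 3/3 never run, which contradicts the README's promise of listing all violations; collecting the missing entries first and failing at the end, as in the fence, keeps the full report. The `cleanup` trap then hides even that failure: `trap cleanup 0` invokes it with no arguments, so `$1` is empty and `rm -rf` runs before the bare `exit`, which in a POSIX `sh` can make the script report status 0 after a failed check — capture the status on entry, `cleanup() { rc=$?; rm -rf -- "${tmpdir:?}"; exit "$rc"; }`. In `prepare_test`, the account names returned by `getent` are pasted verbatim into the `sed` replacement and into XPath string literals, so a name containing `/`, `&`, `\` or `'` corrupts the generated rules.xsl silently; since `getent` can draw on NSS backends beyond /etc/passwd, escaping or rejecting such names before use would be prudent. `$config_file`, `$tmpdir` and `$tmpname` are also expanded unquoted throughout, which breaks on paths containing spaces.
```sh
# … unchanged: privilege extraction into $system_privileges_file and $conf_privileges_file …
missing=$(grep -Fxv -f "$system_privileges_file" "$conf_privileges_file" || true)
if [ -n "$missing" ]; then
  printf '%s\n' "$missing" | sed 's/^/FAILED(cynara) no privilege in cynara db: /'
  failed=1
fi
# … unchanged: TEST 2/3, TEST 3/3 and the trailing echo …
exit "${failed:-0}"
```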
@@ -0,0 +1,15 @@
+#!/bin/sh
+# This script extracts and lists privileges from all D-Bus conf files in current directory
+
+cmd="xsltproc --nonet --novalid "
+
+privileges=""
+
+for i in *.conf
+do
+ new="$($cmd @datadir@/dbus-tools/policychecker/extract_privilege.xsl $i)"
+ privileges="$privileges\n$new"
+done
+
+echo -e "$privileges" | sort | uniq
+exit 0
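Review bot: `echo -e` on the second-to-last line is not portable under the new `#!/bin/sh` shebang: a POSIX `sh` such as dash prints `-e` literally while already interpreting `\n`, so the sorted output gains a spurious `-e` line, and the leading `\n` stored in `privileges` yields an empty first line in any shell. Writing each file's result straight into the pipeline, as in the fence, removes the intermediate string and the escape handling altogether, and the `[ -e "$i" ] || continue` guard covers a directory with no `*.conf` files, where the unmatched glob would otherwise be handed literally to xsltproc. `$i` is also expanded unquoted, which breaks on file names containing spaces. This assumes extract_privilege.xsl emits one privilege per line, which the existing `sort | uniq` step appears to rely on as well.
```sh
for i in *.conf
do
  [ -e "$i" ] || continue
  $cmd @datadir@/dbus-tools/policychecker/extract_privilege.xsl "$i"
done | sort | uniq
exit 0
```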