diff options
author | Adrian Szyndela <adrian.s@samsung.com> | 2019-09-03 11:59:41 +0200 |
---|---|---|
committer | Adrian Szyndela <adrian.s@samsung.com> | 2019-09-03 11:59:41 +0200 |
commit | 7866cf537e7c37ed89a00a5c0c155f3b6fd363c1 (patch) | |
tree | 56c8a4c502c02ac1b2c2a280c472d8cc3763a6fa /policychecker | |
parent | 76686bcf11a366b08c878ba72bfc34a259224a91 (diff) | |
download | dbus-tools-7866cf537e7c37ed89a00a5c0c155f3b6fd363c1.tar.gz dbus-tools-7866cf537e7c37ed89a00a5c0c155f3b6fd363c1.tar.bz2 dbus-tools-7866cf537e7c37ed89a00a5c0c155f3b6fd363c1.zip |
policychecker: is allow own for me present?
This adds two checks which can help with detecting
config files that have no "allow own" or "check own" or "allow own_prefix"
or "check own_prefix" for services the config file is for.
This works by adding two checking rules:
1. a rule that - for a config file containing policy rule "deny own" - warns
if the file does not contain corresponding "allow own" or "check own"
policy rule with the same name.
2. a rule that does the same, but for 'own_prefix' instead of 'own'.
Change-Id: I758974724ffc5d5af821c44f4737ed87c9f63f59
Diffstat (limited to 'policychecker')
-rw-r--r-- | policychecker/rules.xsl | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/policychecker/rules.xsl b/policychecker/rules.xsl index 7f20b0f..bc306d9 100644 --- a/policychecker/rules.xsl +++ b/policychecker/rules.xsl @@ -64,6 +64,14 @@ <sch:let name="dest_name" value="@own_prefix"/> <sch:assert test="//policy[@context='default']/deny[@own_prefix = $dest_name]">For each allow own_prefix you must add a deny own_prefix in default context.</sch:assert> </sch:rule> + <sch:rule context="deny[@own]"> + <sch:let name="dest_name" value="@own"/> + <sch:assert test="//policy/allow[@own = $dest_name] or //policy/check[@own = $dest_name]">"deny own" present, but no "allow own" or "check own" for that name.</sch:assert> + </sch:rule> + <sch:rule context="deny[@own_prefix]"> + <sch:let name="dest_name" value="@own_prefix"/> + <sch:assert test="//policy/allow[@own_prefix = $dest_name] or //policy/check[@own_prefix = $dest_name]">"deny own_prefix" present, but no "allow own_prefix" or "check own_prefix" for that name.</sch:assert> + </sch:rule> </sch:pattern> <sch:pattern name="Unconstrained allow in default context (or mandatory)"> |