authorAdrian Szyndela <adrian.s@samsung.com>2019-09-03 11:59:41 +0200
committerAdrian Szyndela <adrian.s@samsung.com>2019-09-03 11:59:41 +0200
commit7866cf537e7c37ed89a00a5c0c155f3b6fd363c1 (patch)
tree56c8a4c502c02ac1b2c2a280c472d8cc3763a6fa /policychecker
parent76686bcf11a366b08c878ba72bfc34a259224a91 (diff)
policychecker: is allow own for me present?
This adds two checks that help detect config files that lack an "allow own", "check own", "allow own_prefix" or "check own_prefix" rule for the services the config file is for. This works by adding two checking rules: 1. a rule that - for a config file containing the policy rule "deny own" - warns if the file does not contain a corresponding "allow own" or "check own" policy rule with the same name. 2. a rule that does the same, but for 'own_prefix' instead of 'own'. Change-Id: I758974724ffc5d5af821c44f4737ed87c9f63f59
Diffstat (limited to 'policychecker')
-rw-r--r--policychecker/rules.xsl8
1 files changed, 8 insertions, 0 deletions
diff --git a/policychecker/rules.xsl b/policychecker/rules.xsl
index 7f20b0f..bc306d9 100644
--- a/policychecker/rules.xsl
+++ b/policychecker/rules.xsl
@@ -64,6 +64,14 @@
<sch:let name="dest_name" value="@own_prefix"/>
<sch:assert test="//policy[@context='default']/deny[@own_prefix = $dest_name]">For each allow own_prefix you must add a deny own_prefix in default context.</sch:assert>
</sch:rule>
+ <sch:rule context="deny[@own]">
+ <sch:let name="dest_name" value="@own"/>
+ <sch:assert test="//policy/allow[@own = $dest_name] or //policy/check[@own = $dest_name]">"deny own" present, but no "allow own" or "check own" for that name.</sch:assert>
+ </sch:rule>
+ <sch:rule context="deny[@own_prefix]">
+ <sch:let name="dest_name" value="@own_prefix"/>
+ <sch:assert test="//policy/allow[@own_prefix = $dest_name] or //policy/check[@own_prefix = $dest_name]">"deny own_prefix" present, but no "allow own_prefix" or "check own_prefix" for that name.</sch:assert>
+ </sch:rule>
</sch:pattern>
<sch:pattern name="Unconstrained allow in default context (or mandatory)">
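Review bot: The two new asserts (the `deny[@own]` and `deny[@own_prefix]` rules) look up `//policy/allow[...]` and `//policy/check[...]` without any constraint on `@context`, so an `allow own` sitting in `context="default"` satisfies the check even though it grants the name to every caller; that case is presumably left to the "Unconstrained allow in default context" pattern that follows, and a short `<!-- context is checked by the pattern below -->` note on the rule would make that division of labour explicit. The rule context `deny[@own]` also fires for a wildcard `deny own="*"`, which by construction has no same-name allow or check; if wildcard denies occur in the configs being checked, `<sch:rule context="deny[@own and @own != '*']">` (and the same for `own_prefix`) avoids the false positive. A `deny own` paired only with an `allow own_prefix` of the same name will likewise warn, which may or may not be intended. The hunk's final context line appears to be cut off after the pattern header.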