| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Change-Id: I07dbeffd02cf67f98ec0363b7b4aaa55e8f34e02
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>
|
|
* change option argument (--system,--session) to (-s,-u)
* add option (-v, -p) for checker developement
* skip preprocessor
policy checker using single schema file(rules.xsl) and it doesn't need XPath syntax check.
This reduce policy checking time. (3min -> 19sec at tm1)
Schematron's readme.txt states this:
1) First, preprocess your Schematron schema with iso_dsdl_include.xsl.
This is a macro processor to assemble the schema from various parts.
If your schema is not in separate parts, you can skip this stage.
This stage also generates error messages for some common XPath syntax problems.
Change-Id: Id8dbf03d3a4a5107440823b9bcb0ce1830cc4380
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>
|
|
This adds a set of checking rules that check for typos, misspellings
in attributes and some of values of attributes, such as send_type.
Based on manual for dbus-daemon, which defines the policy tags
and attributes.
Change-Id: Ieb4795cdb1a4f0642684f8685092675e84e223ea
|
|
Change-Id: Idf5d2cbbb0173461a609fa7e323b82e31e9618e7
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>
|
|
This adds two checks which can help with detecting
config files that have no "allow own" or "check own" or "allow own_prefix"
or "check own_prefix" for services the config file is for.
This works by adding two checking rules:
1. a rule that - for a config file containing policy rule "deny own" - warns
if the file does not contain corresponding "allow own" or "check own"
policy rule with the same name.
2. a rule that does the same, but for 'own_prefix' instead of 'own'.
Change-Id: I758974724ffc5d5af821c44f4737ed87c9f63f59
|
|
This allows specifying of checking rules for signals without
specifying receive_sender. That is, it allows telling who can
receive some kind of signals without telling who can send them.
Without this change every receive checking rule needed receive_sender field.
This change is analogous to sending signals without send_destination.
Change-Id: Ifb0a596980631315d175b33460ad2579265c1e5e
|
|
This allows configurations that do not concern any owned names, e.g.
configurations for specifying who can receive some specific signals.
Without this change, the checking rules ensure that every policy
configuration file contains at least one <deny send_destination/prefix>
and one <deny own> policy rule. This was introduced when there
was "global default allow" policy in some uses. Nowadays, such policies
are probably long gone.
Anyway, there are still other checking rules present, which complain for
not having proper <deny> rules in default context, if <allow>
rules for a name are present in the configuration file.
Change-Id: Ic4eeee3ff5c8524fda58d17874fe6fdb37fb4d1c
|
|
It seems that the checking rules that require all the policy rules
with send_type="method_call" to have specified send_interface
are too strong.
This relaxes the checking rules a bit by allowing rules that:
- are in the "default" or "mandatory" contexts;
- have 'send_type' or 'receive_type set' to "method_call";
- have specified 'send_destination' or 'receive_sender'.
That is, we don't require "send_interface" or "receive interface" anymore
for such rules.
Change-Id: Iefa9bb5a5e23319c7549fa597ab00b5c88600585
|
|
Use 'dbuspolicy-' as prefix of dbus policy related tool name
Change-Id: I72a6ab822312346a4efc51bd9a5737c52ce90a11
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>
|
|
/usr/share/security-manager/policy/privilege-group.list
In case of App, 'priv_*' group is assigned by it's cynara privilege.
But, user daemon also has related 'priv_*' groups.
Due to this group assignment policy rule for group priv_* affects application, user daemons and process who has priv_*.
To prevent this unintended situation, block rule for group 'priv_*'.
Change-Id: I888f28375b017ec00c5fb85bc59557b2145bffbc
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>
|
|
Change-Id: If9f558321e170d9653df6715047949dcbf82900d
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
|
|
In case a rule contained send_path, we required it also to have
send_destination or send_destination_prefix.
However, a rule may be crafted for signals, which are broadcast,
therefore they don't have any destination at all.
This patch relaxes the requirement a bit, allowing rules
having send_path without send_destination under condition that
the rule contains send_interface and send_type='signal' attributes.
Change-Id: I99ff19271121f726df81e2aed8a124a78f7eadbc
|
|
Added rules for send_destination_prefix.
Additionally, modified 'default denials' rule to take into account
possible own_prefix values. This is limited by XPath/Schematron
possibilities, and is currently set to 8 prefixes for each
tested destination.
Change-Id: I7a653b1f55339e67e63e9c97b0c6ba37ff2c9b73
|
|
Maxdepth 20000 for xsltproc seems to be too low, as it complains
for "potential infinite recursion" when there is no infinite recursion.
Change-Id: I873c8a9a4ba4fd58e13557308bb55cf2470d9b82
|
|
If the global policy for signals is deny, then we need a way
to choose who can send signals. They (usually) have no destination,
so the allowing rules can't have destination.
This commit changes checking rules to allow policy rules with
send_interface constraint, without send_destination, when
send_type="signal" is allows specified.
Change-Id: I041b4e409cbffeae2edaaec8bb2dfa8f60e3994f
|
|
Privilege field selection was selected using two seds,
but it is sufficient to use one cut, as it is suited
precisely for such tasks.
Additionally, minor improvements:
- removed array in favor of space separated string to avoid bash dependency;
- added call to sort for uniq to work properly;
- introduced a variable for cynara database path.
Change-Id: Ica9455cc14f714a2fe0acbea7fe019d067cbf9eb
|
|
Change-Id: I3a620bd89deed55231a7c2b52f3abb154c28c805
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
|
|
Added three more types of privileges.
Requested by bro kim.
Change-Id: I3219a7b10cd4b5c784a88abe1fb034dde10bb0ff
|
|
At_console has its own "deprecated" checking rule, so we assume that
at_console rules are those to be removed. Thus, there is no point
in showing "duplicate" warning for duplicate rules in other contexts.
Change-Id: Ifdf7e3745d7ece49772ba3a3aad01a213b657d0c
|
|
Unconstrained allow rule was reporting any allow in context default
or mandatory.
Now, it reports those rules in both contexts that:
- allow send_type='method_call' but do not specify destination and interface;
- allow send_path but do not specify destination;
- allow receive_type='method_call' but do not specify sender and interface;
- allow receive_path but do not specify sender.
Additionally, in user and group context send_destination is required
when send_type="method_call" or send_path is present, and receive_sender
is required when receive_type="method_call" or receive_path is present.
Change-Id: Icd822bf4b3e2f105a07e80ca61415410faaeb00a
|
|
Change-Id: Ib7aafe0ce59da009259f22469d83cfc7bf25f701
|
|
Change-Id: I8b61b31c52ff190ac6541e90762fd0895ed018e8
|
|
Also, some improvements in shell scripts.
Change-Id: I10a06b8b30f45722746361b7ce27364baaebc957
|
|
Policy checker is based on Schematron, which allows writing
declarative checks for xml files (see rules.xml file for details) and
yields xml output (which is converted to plain text for readability, but it
can be converted to any format). The checker is a shell script, it
depends only on xsltproc (libxslt-tools package in Tizen), so it's very
lightweight.
We can run the checker on any single dbus configuration file, e.g.:
./check ./test-policy.conf (a test policy containing violations of all
the implemented rules). So, during a package installation we can run
the checker on it's dbus configuration file.
Change-Id: I523b7a730fc93a0d4f99bc8ba750be7b6f0e051c
|
|
|
