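#!/bin/sh
#
# Policy checker for a single D-Bus policy configuration file.
# Three checks are run in order, each aborting with a non-zero status on failure:
#   1. every privilege referenced by the file exists in the Cynara database
#      under /var/cynara/db,
#   2. allow/deny duplicates (same.xsl),
#   3. the schematron rules in rules.xsl (with user/group tests built at runtime).
# Usage: $0 config-file
# Temporary files live in a mktemp directory removed by the `cleanup` EXIT trap.
# The @datadir@ placeholders are presumably substituted by the build system
# (this is a *.in template).

set -e

# Kept as a single string so it can be word-split at call sites ($xslt_processor
# must stay unquoted there). --nonet: never fetch external resources over the
# network; --novalid: do not load DTDs; --maxdepth bounds template recursion.
xslt_processor="xsltproc --nonet --novalid --maxdepth 20000"
# Fail loudly rather than continuing with an empty tmpdir.
tmpdir=$(mktemp -d) || { echo "cannot create temporary directory"; exit 1; }
checker_dir="@datadir@/dbus-tools/policychecker"
schematron_dir="@datadir@/dbus-tools/policychecker/xslt"
config_file=$1
schema_file="$checker_dir/rules.xsl"

# privilege lists compared in TEST 1
system_privileges_file="$tmpdir/privileges_system"
conf_privileges_file="$tmpdir/privileges_conf"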

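#######################################
# Remove the temporary directory and terminate the script.
# Installed as the EXIT trap (`trap cleanup 0`), so it also runs after any
# explicit `exit` or a set -e abort; the trap invokes it with no argument.
# Globals:   tmpdir (read)
# Arguments: $1 - optional exit status. When omitted, the status of the
#            command that ran just before cleanup was entered is used, so
#            a failing script still exits non-zero.
#######################################
cleanup() {
	# must be the first statement: $? is the pre-trap / pre-call status
	rc=$?
	if [ -n "$tmpdir" ]; then
		rm -rf -- "$tmpdir"
	fi
	exit "${1:-$rc}"
}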

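# Runs on every exit path (normal end, explicit `exit`, set -e abort).
trap cleanup 0

if [ "$#" -ne 1 ]; then
	echo "Usage: $0 config-file"
	exit 1
fi

if [ ! -f "$config_file" ]; then
	echo "config file does not exist"
	exit 1
fi

if [ ! -d /var/cynara/db ]; then
	echo "Cynara database not found"
	exit 1
fi

# TEST 1/3: check cynara privileges existence (there are too many to perform this check using xsltproc)
# Privilege names known to cynara. -F: the URL is a literal string, not a regex.
# Both lists only serve as fixed-string match sets, so uniq's adjacent-only
# deduplication is enough and ordering is irrelevant.
grep -F "http://tizen.org/privilege" /var/cynara/db/* | sed -e "s/;[^;]*;$//g" -e "s/.*http/http/g" | uniq > "$system_privileges_file"
# $xslt_processor is intentionally unquoted: it carries the command and its options.
$xslt_processor "$checker_dir/extract_privilege.xsl" "$config_file" | uniq > "$conf_privileges_file"

# Privileges used by the config but unknown to cynara. grep -v exits 1 when it
# selects nothing (every privilege exists), which is not an error; a status
# above 1 means the comparison itself failed and must not pass silently.
missing_privileges_file="$tmpdir/privileges_missing"
grep_status=0
grep -Fxv -f "$system_privileges_file" "$conf_privileges_file" > "$missing_privileges_file" || grep_status=$?
if [ "$grep_status" -gt 1 ]; then
	echo "FAILED(cynara) could not compare privilege lists (grep exit status $grep_status)"
	exit 1
fi
if [ -s "$missing_privileges_file" ]; then
	# Report every missing privilege (not only the first), then fail. Reading
	# from a file instead of a pipe keeps the loop, and the `exit`, in this shell.
	while IFS= read -r line; do
		echo "FAILED(cynara) no privilege in cynara db: $line"
	done < "$missing_privileges_file"
	exit 1
fi

# TEST 2/3: check allow/deny duplicates (impossible to do directly with xpath 1.0, I don't know how to embed it into schematron config)
# Relies on set -e: a non-zero xsltproc exit status aborts the run here.
$xslt_processor "$checker_dir/same.xsl" "$config_file"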

# TEST 3/3: apply schematron rules

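# build a test (@user = x or @user = y or ...) at runtime
#######################################
# Print an XPath boolean expression matching any entry of a NSS database.
# Arguments: $1 - getent database name (passwd or group)
#            $2 - attribute name to test against (user or group)
# Outputs:   e.g. "@user = 'bin' or @user = 'root'" — entries in sorted
#            order, no trailing " or ", terminated by a newline; an empty
#            line when the database yields no entries.
# Note:      names are embedded verbatim inside XPath string literals, so a
#            name containing a single quote would break the expression —
#            assumed not to occur for system account names.
#######################################
prepare_test() {
	# -v keeps the attribute name out of the awk program text (no shell
	# interpolation into the script); '\'' yields a literal ' in the format.
	getent "$1" | sort | awk -F: -v attr="$2" '
		{ entries[n++] = $1 }
		END {
			for (i = 0; i < n; i++)
				printf "@%s = '\''%s'\''%s", attr, entries[i], (i < n - 1 ? " or " : "")
		}'
	# awk emits no trailing newline; terminate the line.
	printf '\n'
}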

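users_test=$(prepare_test passwd user)
groups_test=$(prepare_test group group)

tmpname="$tmpdir/$(basename "$schema_file")"

# Substitute the runtime-built account tests into the schema.
# NOTE(review): users_test/groups_test go into the sed replacement unescaped;
# an account name containing '/', '&' or '\' would corrupt the generated
# schema. Assumed not to occur for system account names.
sed -e "s/USERS_TEST/$users_test/g" -e "s/GROUPS_TEST/$groups_test/g" "$schema_file" > "$tmpname.0"

# Compile the schematron schema through the ISO skeleton stages (include,
# abstract-pattern expansion, SVRL code generation for XSLT 1.0), apply the
# resulting stylesheet to the config, then format the SVRL output with
# report.xsl. Each step's failure aborts the run via set -e.
# $xslt_processor is intentionally unquoted: it carries the command and its options.
$xslt_processor "$schematron_dir/iso_dsdl_include.xsl" "$tmpname.0" > "$tmpname.1"
$xslt_processor "$schematron_dir/iso_abstract_expand.xsl" "$tmpname.1" > "$tmpname.2"
$xslt_processor "$schematron_dir/iso_svrl_for_xslt1.xsl" "$tmpname.2" > "$tmpname.3"
$xslt_processor "$tmpname.3" "$config_file" > "$tmpname.4"
$xslt_processor "$checker_dir/report.xsl" "$tmpname.4"

# end-of-output, a new line for pretty printing
echo

exit 0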