#!/bin/sh

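set -e

# xsltproc is invoked through this string on purpose: it must stay unquoted
# where it is used so the options are word-split into separate arguments.
# --nonet / --novalid: no network fetches, no DTD validation.
xslt_processor="xsltproc --nonet --novalid --maxdepth 20000"
# Private scratch directory; removed by cleanup() from the EXIT trap below.
tmpdir=$(mktemp -d)
# @datadir@ is substituted by the build system (this file is a .in template).
checker_dir="@datadir@/dbus-tools/policychecker"
schematron_dir="@datadir@/dbus-tools/policychecker/xslt"
config_file=$1
schema_file="$checker_dir/rules.xsl"

# Privilege lists compared in TEST 1: what Cynara knows vs. what the policy uses.
system_privileges_file="$tmpdir/privileges_system"
conf_privileges_file="$tmpdir/privileges_conf"
cynara_db="/var/cynara/db"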

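# Remove the scratch directory and leave the script.  Runs from the EXIT
# trap, where $? on entry is the status of the command that caused the exit;
# that status is preserved unless an explicit one is passed as $1.
cleanup() {
	status=$?
	# Never run rm -rf on an empty path.
	[ -n "$tmpdir" ] && rm -rf -- "$tmpdir"
	exit "${1:-$status}"
}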

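# Clean up on normal exit and, since not every sh runs the EXIT trap when the
# shell dies from a signal, on HUP/INT/TERM as well.
trap cleanup 0 1 2 15

if [ "$#" -ne 1 ]; then
	echo "Usage: $0 config-file" >&2
	exit 1
fi

if [ ! -f "$config_file" ]; then
	echo "config file does not exist" >&2
	exit 1
fi

# TEST 1 reads the database directly, so refuse to run without it.
if [ ! -d "$cynara_db" ]; then
	echo "Cynara database not found" >&2
	exit 1
fi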

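# Cynara privilege formats can be various.
# For example,
# SR: http://tizen.org/privilege/${privilege_name}
# DA: http://samsung.com/tizen/privilege/${privilege_name}
# IM: http://developer.samsung.com/tizen/privilege/${privilege_name}
# VD: http://developer.samsung.com/privilege/${privilege_name}
# Whitespace-separated on purpose: the for loop below word-splits it.
PRIVILEGES="
http://tizen.org/privilege
http://samsung.com/tizen/privilege
http://developer.samsung.com/tizen/privilege
http://developer.samsung.com/privilege
"

# TEST 1/3: check cynara privileges existence (there are too many to perform this check using xsltproc)
#
# Collect every privilege name stored in the Cynara database: the third
# ';'-separated field of each matching db line.  -F matches the prefixes
# literally ('.' in the URLs is not a wildcard).  grep failures are masked by
# the pipeline (no pipefail): if the db is not readable by the caller the list
# ends up empty and every configured privilege is then reported as missing.
for p in $PRIVILEGES; do
	grep -F -- "$p" "$cynara_db"/* | cut -d ';' -f3 | sort -u >> "$system_privileges_file"
done

# Extract the privileges referenced by the policy file.  xsltproc writes to a
# file of its own so that a failure aborts the script under set -e instead of
# being hidden behind 'sort' in a pipeline.
$xslt_processor "$checker_dir/extract_privilege.xsl" "$config_file" > "$conf_privileges_file.raw"
sort -u "$conf_privileges_file.raw" > "$conf_privileges_file"

# Every configured privilege must appear verbatim (-Fx) in the system list.
# The comparison is done in the main shell: an 'exit' inside a piped while
# loop only leaves the subshell, so the script would otherwise carry on to
# the remaining tests.  All missing privileges are reported before failing.
missing=$(grep -Fxv -f "$system_privileges_file" "$conf_privileges_file" || true)
if [ -n "$missing" ]; then
	printf '%s\n' "$missing" | while IFS= read -r line; do
		printf 'FAILED(cynara) no privilege in cynara db: %s\n' "$line"
	done
	exit 1
fi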

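# TEST 2/3: check allow/deny duplicates (impossible to do directly with xpath 1.0, I don't know how to embed it into schematron config)
# The check lives entirely in same.xsl; a non-zero exit from xsltproc aborts
# the script via set -e.  $xslt_processor is intentionally unquoted (it
# carries the options); the paths are quoted.
$xslt_processor "$checker_dir/same.xsl" "$config_file"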

# TEST 3/3: apply schematron rules

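# build a test (@user = x or @user = y or ...) at runtime
#
# prepare_test DATABASE ATTRIBUTE
#   Prints one line: the XPath disjunction "@ATTRIBUTE = 'n1' or @ATTRIBUTE = 'n2' ..."
#   over every name (first ':'-separated field) returned by "getent DATABASE".
#   The caller splices the result into an XSLT stylesheet with sed, so a name
#   that cannot be embedded safely -- one containing a quote, <, >, &, / or \ --
#   is skipped with a warning on stderr instead of breaking the expression,
#   the XML or the sed command.  Names are deduplicated and sorted bytewise;
#   the order does not affect the test, it only keeps the output stable.
prepare_test() {
	getent "$1" | cut -d: -f1 | LC_ALL=C sort -u | awk -v attr="$2" -v q="'" '
		index($0, q) || index($0, "\"") || index($0, "<") || index($0, ">") ||
		index($0, "&") || index($0, "/") || index($0, "\\") {
			printf "warning: skipping unsafe %s name: %s\n", attr, $0 > "/dev/stderr"
			next
		}
		{
			printf "%s@%s = %s%s%s", sep, attr, q, $0, q
			sep = " or "
		}
		END { printf "\n" }'
}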

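users_test=$(prepare_test passwd user)
groups_test=$(prepare_test group group)

tmpname="$tmpdir/$(basename "$schema_file")"

# The expressions go into a sed replacement, where & / and \ are special;
# escape them so the XPath text lands in the stylesheet verbatim.
users_test_sed=$(printf '%s' "$users_test" | sed 's,[&/\\],\\&,g')
groups_test_sed=$(printf '%s' "$groups_test" | sed 's,[&/\\],\\&,g')

# Instantiate the USERS_TEST / GROUPS_TEST placeholders of rules.xsl.
sed -e "s/USERS_TEST/$users_test_sed/g" -e "s/GROUPS_TEST/$groups_test_sed/g" "$schema_file" > "$tmpname.0"

# Schematron pipeline: resolve includes, expand abstract patterns, compile the
# schema to XSLT, run it against the policy file, then render the report.
# Each step is a separate command so a failing xsltproc stops the script
# under set -e.
$xslt_processor "$schematron_dir/iso_dsdl_include.xsl" "$tmpname.0" > "$tmpname.1"
$xslt_processor "$schematron_dir/iso_abstract_expand.xsl" "$tmpname.1" > "$tmpname.2"
$xslt_processor "$schematron_dir/iso_svrl_for_xslt1.xsl" "$tmpname.2" > "$tmpname.3"
$xslt_processor "$tmpname.3" "$config_file" > "$tmpname.4"
$xslt_processor "$checker_dir/report.xsl" "$tmpname.4"

# end-of-output, a new line for pretty printing
echo

exit 0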