diff options
| -rw-r--r-- | src/core/meson.build | 2 | ||||
| -rw-r--r-- | test/bus-policy/check-own-rules.conf | 14 | ||||
| -rw-r--r-- | test/bus-policy/hello.conf | 14 | ||||
| -rw-r--r-- | test/bus-policy/many-rules.conf | 61 | ||||
| -rw-r--r-- | test/bus-policy/methods.conf | 17 | ||||
| -rw-r--r-- | test/bus-policy/ownerships.conf | 24 | ||||
| -rw-r--r-- | test/bus-policy/signals.conf | 15 | ||||
| -rw-r--r-- | test/bus-policy/test.conf | 20 | ||||
| -rw-r--r-- | test/meson.build | 7 |
9 files changed, 174 insertions, 0 deletions
diff --git a/src/core/meson.build b/src/core/meson.build index 4355f9ca6d..7bffe27c57 100644 --- a/src/core/meson.build +++ b/src/core/meson.build @@ -5,6 +5,8 @@ libcore_la_sources = ''' automount.h bpf-firewall.c bpf-firewall.h + bus-policy.c + bus-policy.h cgroup.c cgroup.h chown-recursive.c diff --git a/test/bus-policy/check-own-rules.conf b/test/bus-policy/check-own-rules.conf new file mode 100644 index 0000000000..bc2f415fcb --- /dev/null +++ b/test/bus-policy/check-own-rules.conf @@ -0,0 +1,14 @@ +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> +<busconfig> + <user>mybususer</user> + <listen>unix:path=/foo/bar</listen> + <listen>tcp:port=1234</listen> + <servicedir>/usr/share/foo</servicedir> + <policy context="default"> + <allow user="*"/> + <deny own="*"/> + <allow own_prefix="org.freedesktop.ManySystems"/> + </policy> + +</busconfig> diff --git a/test/bus-policy/hello.conf b/test/bus-policy/hello.conf new file mode 100644 index 0000000000..af09893de6 --- /dev/null +++ b/test/bus-policy/hello.conf @@ -0,0 +1,14 @@ +<?xml version="1.0"?> <!--*-nxml-*--> +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> + +<busconfig> + + <policy context="default"> + <allow user="*"/> + + <deny user="1"/> + <deny group="1"/> + </policy> + +</busconfig> diff --git a/test/bus-policy/many-rules.conf b/test/bus-policy/many-rules.conf new file mode 100644 index 0000000000..70dd538c11 --- /dev/null +++ b/test/bus-policy/many-rules.conf @@ -0,0 +1,61 @@ +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> +<busconfig> + <user>mybususer</user> + <listen>unix:path=/foo/bar</listen> + <listen>tcp:port=1234</listen> + <includedir>basic.d</includedir> + <standard_session_servicedirs /> + <servicedir>/usr/share/foo</servicedir> + <include ignore_missing="yes">nonexistent.conf</include> + <policy context="default"> + <allow user="*"/> + <deny send_interface="org.freedesktop.System" send_member="Reboot"/> + <deny receive_interface="org.freedesktop.System" receive_member="Reboot"/> + <deny send_path="/foo/bar/SystemObjectThing" send_member="Reboot"/> + <deny own="org.freedesktop.System"/> + <deny own_prefix="org.freedesktop.ManySystems"/> + <deny send_destination="org.freedesktop.System"/> + <deny receive_sender="org.freedesktop.System"/> + <deny user="root"/> + <deny group="bin"/> + <allow send_type="error"/> + <allow send_type="method_call"/> + <allow send_type="method_return"/> + <allow send_type="signal"/> + <deny send_destination="org.freedesktop.Bar" send_interface="org.freedesktop.Foo"/> + <deny send_destination="org.freedesktop.Bar" send_interface="org.freedesktop.Foo" send_type="method_call"/> + </policy> + + <policy context="mandatory"> + <allow user="*"/> + <deny send_interface="org.freedesktop.System" send_member="Reboot"/> + <deny receive_interface="org.freedesktop.System" receive_member="Reboot"/> + <deny send_path="/foo/bar/SystemObjectThing" send_member="Reboot"/> + <deny own="org.freedesktop.System"/> + <deny own_prefix="org.freedesktop.ManySystems"/> + <deny send_destination="org.freedesktop.System"/> + <deny receive_sender="org.freedesktop.System"/> + <deny user="root"/> + <deny group="bin"/> + <allow send_type="error"/> + <allow send_type="method_call"/> + <allow send_type="method_return"/> + <allow send_type="signal"/> + <deny send_destination="org.freedesktop.Bar" send_interface="org.freedesktop.Foo"/> + <deny send_destination="org.freedesktop.Bar" send_interface="org.freedesktop.Foo" send_type="method_call"/> + </policy> + + <limit name="max_incoming_bytes">5000</limit> + <limit name="max_outgoing_bytes">5000</limit> + <limit name="max_message_size">300</limit> + <limit name="service_start_timeout">5000</limit> + <limit name="auth_timeout">6000</limit> + <limit name="max_completed_connections">50</limit> + <limit name="max_incomplete_connections">80</limit> + <limit name="max_connections_per_user">64</limit> + <limit name="max_pending_service_starts">64</limit> + <limit name="max_names_per_connection">256</limit> + <limit name="max_match_rules_per_connection">512</limit> + +</busconfig> diff --git a/test/bus-policy/methods.conf b/test/bus-policy/methods.conf new file mode 100644 index 0000000000..4bc38f9151 --- /dev/null +++ b/test/bus-policy/methods.conf @@ -0,0 +1,17 @@ +<?xml version="1.0"?> <!--*-nxml-*--> +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> + +<busconfig> + + <policy context="default"> + <deny send_type="method_call"/> + + <deny send_destination="org.test.test1"/> + <allow send_destination="org.test.test1" send_interface="org.test.int1"/> + <allow send_destination="org.test.test1" send_interface="org.test.int2"/> + + <allow receive_sender="org.test.test3" receive_interface="org.test.int3" receive_member="Member111"/> + </policy> + +</busconfig> diff --git a/test/bus-policy/ownerships.conf b/test/bus-policy/ownerships.conf new file mode 100644 index 0000000000..bc3a230a26 --- /dev/null +++ b/test/bus-policy/ownerships.conf @@ -0,0 +1,24 @@ +<?xml version="1.0"?> <!--*-nxml-*--> +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> + +<busconfig> + + <policy context="default"> + <allow own="org.test.test1"/> + </policy> + + <policy context="mandatory"> + <deny own="org.test.test3"/> + </policy> + + <policy user="root"> + <allow own="org.test.test2"/> + <allow own="org.test.test3"/> + </policy> + + <policy user="1"> + <allow own="org.test.test4"/> + </policy> + +</busconfig> diff --git a/test/bus-policy/signals.conf b/test/bus-policy/signals.conf new file mode 100644 index 0000000000..440e3fe6d0 --- /dev/null +++ b/test/bus-policy/signals.conf @@ -0,0 +1,15 @@ +<?xml version="1.0"?> <!--*-nxml-*--> +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> + +<busconfig> + + <policy context="default"> + <allow send_type="signal"/> + </policy> + + <policy user="1"> + <deny send_type="signal"/> + </policy> + +</busconfig> diff --git a/test/bus-policy/test.conf b/test/bus-policy/test.conf new file mode 100644 index 0000000000..ee6afcdfbb --- /dev/null +++ b/test/bus-policy/test.conf @@ -0,0 +1,20 @@ +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> +<busconfig> + <!-- The following demonstrates how to punch holes in a default deny-all + policy so that a particular user can own a service, and other + connections can get messages from it --> + + <!-- Only root can own the FooService service, and + this user can only send the one kind of message --> + <policy user="root"> + <allow own="org.foo.FooService"/> + <allow send_interface="org.foo.FooBroadcastInterface"/> + </policy> + + <!-- Allow any connection to receive the message, but + only if the message is sent by the owner of FooService --> + <policy context="default"> + <allow receive_interface="org.foo.FooBroadcastInterface" receive_sender="org.foo.FooService"/> + </policy> +</busconfig> diff --git a/test/meson.build b/test/meson.build index 995a971778..37ad97bc01 100644 --- a/test/meson.build +++ b/test/meson.build @@ -128,6 +128,13 @@ test_data_files = ''' test-execute/exec-read-only-path-succeed.service test-execute/exec-privatedevices-yes-capability-sys-rawio.service test-execute/exec-privatedevices-no-capability-sys-rawio.service + bus-policy/hello.conf + bus-policy/methods.conf + bus-policy/ownerships.conf + bus-policy/signals.conf + bus-policy/check-own-rules.conf + bus-policy/many-rules.conf + bus-policy/test.conf hwdb/10-bad.hwdb journal-data/journal-1.txt journal-data/journal-2.txt |