[lintian] 02/06: dbus: capture <policy> for each <allow> or <deny> rule
This is an automated email from the git hooks/post-receive script.
nthykier pushed a commit to branch master
in repository lintian.
commit b5bb0b11edb3ab2c7fc58c6e73b64cecb4d7c8aa
Author: Simon McVittie <smcv@debian.org>
Date: Mon Jan 5 16:49:51 2015 +0000
dbus: capture <policy> for each <allow> or <deny> rule
Seeing a rule that says <allow send_interface="x.y.z"/>
doesn't tell you whether it is
<policy user="root"><allow send_interface="x.y.z"/> (usually an
anti-pattern, but sometimes necessary for the "agent" pattern as seen
in BlueZ) or <policy context="default"><allow send_interface="x.y.z"/>
(which should ring alarm bells).
To solve this, capture the enclosing <policy> for each <allow> or
<deny> rule.
This also means our output for the at_console check can indicate
precisely which rules apply to console users.
---
checks/dbus.pm | 31 +++++++++++++++-------
.../debian/etc/dbus-1/system.d/at-console.conf | 2 ++
t/tests/dbus-policy/tags | 9 ++++---
3 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/checks/dbus.pm b/checks/dbus.pm
index 23ea0cd..2aecae8 100644
--- a/checks/dbus.pm
+++ b/checks/dbus.pm
@@ -70,20 +70,33 @@ sub _check_policy {
# note that we are parsing the entire file as one big string,
# so that we catch <policy\nat_console="true"\n> or whatever.
- if ($xml =~ m{<policy[^>]+at_console=(["'])true\1.*?</policy>}s) {
- tag('dbus-policy-at-console', $file);
- }
-
my @rules;
- while ($xml =~ m{(<(?:allow|deny)[^>]+send_\w+=[^>]+>)}sg) {
- push(@rules, $1);
+ # a small rubbish state machine: we want to match a <policy> containing
+ # any <allow> or <deny> rule that is about sending
+ my $policy = '';
+ while ($xml =~ m{(<policy[^>]*>)|(</policy\s*>)|(<(?:allow|deny)[^>]*>)}sg)
+ {
+ if (defined $1) {
+ $policy = $1;
+ } elsif (defined $2) {
+ $policy = '';
+ } else {
+ push(@rules, $policy.$3);
+ }
}
foreach my $rule (@rules) {
- if ($rule !~ m{send_destination=}) {
- # normalize whitespace a bit
- $rule =~ s{\s+}{ }g;
+ # normalize whitespace a bit so we can report it sensibly:
+ # typically it will now look like
+ # <policy context="default"><allow send_destination="com.example.Foo"/>
+ $rule =~ s{\s+}{ }g;
+
+ if ($rule =~ m{send_} && $rule !~ m{send_destination=}) {
tag('dbus-policy-without-send-destination', $file, $rule);
}
+
+ if ($rule =~ m{at_console=['"]true}) {
+ tag('dbus-policy-at-console', $file, $rule);
+ }
}
return;
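Review bot: The attribute tests in the `foreach` loop assume there is no whitespace around `=`, which XML permits, so a policy written as `at_console = "true"` is not tagged and a rule written as `send_destination = "..."` is reported as lacking a destination. The new at_console pattern also drops the closing-quote backreference that the removed line had, so it matches any value that merely begins with `true`. Consider `m{at_console\s*=\s*(["'])true\1}` and `m{send_destination\s*=}` for the two tests. `_check_policy` starts and ends outside this hunk, so it is not visible whether XML comments are stripped before the state machine runs; if they are not, a commented-out `<policy>` or `<allow>` would also be captured and reported.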
diff --git a/t/tests/dbus-policy/debian/etc/dbus-1/system.d/at-console.conf b/t/tests/dbus-policy/debian/etc/dbus-1/system.d/at-console.conf
index 06d96c8..8c47adb 100644
--- a/t/tests/dbus-policy/debian/etc/dbus-1/system.d/at-console.conf
+++ b/t/tests/dbus-policy/debian/etc/dbus-1/system.d/at-console.conf
@@ -4,10 +4,12 @@
<!-- this is OK, at least for now -->
<policy group="bluetooth">
<allow send_destination="com.example.Service"/>
+ <allow send_destination="com.example.Other"/>
</policy>
<!-- this is deprecated -->
<policy at_console="true">
<allow send_destination="com.example.Service"/>
+ <allow send_destination="com.example.Other"/>
</policy>
</busconfig>
diff --git a/t/tests/dbus-policy/tags b/t/tests/dbus-policy/tags
index 0705661..f9028e6 100644
--- a/t/tests/dbus-policy/tags
+++ b/t/tests/dbus-policy/tags
@@ -1,4 +1,5 @@
-X: dbus-policy: dbus-policy-at-console etc/dbus-1/system.d/at-console.conf
-X: dbus-policy: dbus-policy-without-send-destination etc/dbus-1/system.d/send-destination.conf <allow send_interface="org.freedesktop.DBus.ObjectManager"/>
-X: dbus-policy: dbus-policy-without-send-destination etc/dbus-1/system.d/send-destination.conf <allow send_member="AreYouReallySureThisMethodIsAlwaysOK"/>
-X: dbus-policy: dbus-policy-without-send-destination etc/dbus-1/system.d/send-destination.conf <allow send_path="/com/example/Here"/>
+X: dbus-policy: dbus-policy-at-console etc/dbus-1/system.d/at-console.conf <policy at_console="true"><allow send_destination="com.example.Other"/>
+X: dbus-policy: dbus-policy-at-console etc/dbus-1/system.d/at-console.conf <policy at_console="true"><allow send_destination="com.example.Service"/>
+X: dbus-policy: dbus-policy-without-send-destination etc/dbus-1/system.d/send-destination.conf <policy context="default"><allow send_interface="org.freedesktop.DBus.ObjectManager"/>
+X: dbus-policy: dbus-policy-without-send-destination etc/dbus-1/system.d/send-destination.conf <policy context="default"><allow send_member="AreYouReallySureThisMethodIsAlwaysOK"/>
+X: dbus-policy: dbus-policy-without-send-destination etc/dbus-1/system.d/send-destination.conf <policy context="default"><allow send_path="/com/example/Here"/>
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git