Skip to content

Commit

Permalink
🔧 Ignore rule attributes ignored by dbus-broker
Browse files Browse the repository at this point in the history
  • Loading branch information
jokeyrhyme committed Nov 12, 2024
1 parent fcaee57 commit ce0eae5
Showing 1 changed file with 167 additions and 25 deletions.
192 changes: 167 additions & 25 deletions src/config.rs
Original file line number Diff line number Diff line change
Expand Up @@ -309,8 +309,8 @@ pub struct Limits {
pub enum Operation {
Connect,
Own,
Receive,
Send,
Receive(ReceiveOperation),
Send(SendOperation),
}
type OptionalOperation = Option<Operation>;
impl TryFrom<RuleAttributes> for OptionalOperation {
Expand All @@ -320,8 +320,7 @@ impl TryFrom<RuleAttributes> for OptionalOperation {
let has_connect = false;
let has_own = value.own.is_some();
let has_send = value.send_destination.is_some();
let has_receive =
value.receive_sender.is_some() || (!has_send && value.eavesdrop.is_some());
let has_receive = value.receive_sender.is_some();

let operations_count: i8 = vec![has_connect, has_own, has_receive, has_send]
.into_iter()
Expand All @@ -337,9 +336,13 @@ impl TryFrom<RuleAttributes> for OptionalOperation {
} else if has_own {
Ok(Some(Operation::Own))
} else if has_receive {
Ok(Some(Operation::Receive))
Ok(Some(Operation::Receive(ReceiveOperation {
sender: value.receive_sender.unwrap_or(String::from("*")),
})))
} else if has_send {
Ok(Some(Operation::Send))
Ok(Some(Operation::Send(SendOperation {
destination: value.send_destination.unwrap_or(String::from("*")),
})))
} else {
Err(Error::msg(format!("rule must specify supported attributes for connect, own, receive, or send operations: {value:?}")))
}
Expand Down Expand Up @@ -433,16 +436,87 @@ struct PolicyElement {
user: Option<String>,
}

#[derive(Clone, Debug, Default, PartialEq)]
pub struct ReceiveOperation {
pub sender: String,
}

type OptionalRule = Option<Rule>;
impl TryFrom<RuleElement> for OptionalRule {
type Error = Error;

fn try_from(value: RuleElement) -> std::result::Result<Self, Self::Error> {
match value {
RuleElement::Allow(attrs) => match OptionalOperation::try_from(attrs)? {
Some(some) => Ok(Some((Access::Allow, some))),
None => Ok(None),
},
RuleElement::Allow(RuleAttributes {
eavesdrop: Some(true),
group: None,
own: None,
receive_sender: None,
receive_requested_reply: None,
send_destination: None,
send_requested_reply: None,
user: None,
}) => {
// see: https://github.com/dbus2/busd/pull/146#issuecomment-2408429760
eprintln!(
r#"warning: eavesdropping is deprecated and ignored: `<allow eavesdrop="true" />`"#
);
Ok(None)
}
RuleElement::Allow(
RuleAttributes {
receive_requested_reply: Some(false),
..
}
| RuleAttributes {
send_requested_reply: Some(false),
..
},
) => {
// see: https://github.com/dbus2/busd/pull/146#issuecomment-2408429760
eprintln!(
"warning: explicit policies on replies and errors are deprecated and ignored: `<allow ... (receive|send)_requested_reply=...`"
);
Ok(None)
}
RuleElement::Allow(attrs) => {
if attrs.eavesdrop == Some(true) {
// see: https://github.com/dbus2/busd/pull/146#issuecomment-2408429760
eprintln!(
r#"warning: eavesdropping is deprecated and ignored: `<allow ... eavesdrop="true" ...`"#
);
}
match OptionalOperation::try_from(attrs)? {
Some(some) => Ok(Some((Access::Allow, some))),
None => Ok(None),
}
}
RuleElement::Deny(RuleAttributes {
eavesdrop: Some(true),
..
}) => {
// see: https://github.com/dbus2/busd/pull/146#issuecomment-2408429760
eprintln!(
r#"warning: eavesdropping is deprecated and ignored: `<deny ... eavesdrop="true" ...`"#
);
Ok(None)
}
RuleElement::Deny(
RuleAttributes {
receive_requested_reply: Some(true),
..
}
| RuleAttributes {
send_requested_reply: Some(true),
..
},
) => {
// see: https://github.com/dbus2/busd/pull/146#issuecomment-2408429760
eprintln!(
"warning: explicit policies on replies and errors are deprecated and ignored: `<deny ... (receive|send)_requested_reply=...`"
);
Ok(None)
}
RuleElement::Deny(attrs) => match OptionalOperation::try_from(attrs)? {
Some(some) => Ok(Some((Access::Deny, some))),
None => Ok(None),
Expand All @@ -467,15 +541,19 @@ pub type Rule = (Access, Operation);
#[derive(Clone, Debug, Default, Deserialize, PartialEq)]
struct RuleAttributes {
#[serde(rename = "@eavesdrop")]
eavesdrop: Option<String>,
eavesdrop: Option<bool>,
#[serde(rename = "@group")]
group: Option<String>,
#[serde(rename = "@own")]
own: Option<String>,
#[serde(rename = "@receive_sender")]
receive_sender: Option<String>,
#[serde(rename = "@receive_requested_reply")]
receive_requested_reply: Option<bool>,
#[serde(rename = "@send_destination")]
send_destination: Option<String>,
#[serde(rename = "@send_requested_reply")]
send_requested_reply: Option<bool>,
#[serde(rename = "@user")]
user: Option<String>,
}
Expand All @@ -487,6 +565,11 @@ enum RuleElement {
Deny(RuleAttributes),
}

#[derive(Clone, Debug, Default, PartialEq)]
pub struct SendOperation {
pub destination: String,
}

#[derive(Clone, Debug, Deserialize, PartialEq)]
#[serde(rename_all = "lowercase")]
pub enum Type {
Expand Down Expand Up @@ -664,13 +747,8 @@ mod tests {
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy context="default">
<allow send_destination="*" eavesdrop="true"/>
<allow eavesdrop="true"/>
<allow own="*"/>
</policy>
<policy at_console="true">
<allow send_destination="org.freedesktop.DBus" send_interface="org.freedesktop.systemd1.Activator"/>
</policy>
<policy user="root">
<allow send_destination="org.freedesktop.DBus" send_interface="org.freedesktop.systemd1.Activator"/>
</policy>
Expand All @@ -690,23 +768,87 @@ mod tests {
busconfig,
BusConfig {
policies: vec![
Policy::DefaultContext(vec![
(Access::Allow, Operation::Send),
(Access::Allow, Operation::Receive),
(Access::Allow, Operation::Own),
]),
Policy::DefaultContext(vec![(Access::Allow, Operation::Own),]),
Policy::User(
vec![(Access::Allow, Operation::Send),],
vec![(
Access::Allow,
Operation::Send(SendOperation {
destination: String::from("org.freedesktop.DBus")
})
),],
String::from("root")
),
Policy::Group(
vec![
(Access::Allow, Operation::Send),
(Access::Allow, Operation::Receive),
(
Access::Allow,
Operation::Send(SendOperation {
destination: String::from("org.freedesktop.Avahi")
})
),
(
Access::Allow,
Operation::Receive(ReceiveOperation {
sender: String::from("org.freedesktop.Avahi")
})
),
],
String::from("network")
),
Policy::MandatoryContext(vec![(Access::Deny, Operation::Send),]),
Policy::MandatoryContext(vec![(
Access::Deny,
Operation::Send(SendOperation {
destination: String::from("net.connman.iwd")
})
),]),
],
..Default::default()
}
);
}

#[test]
fn bus_config_parse_with_policies_with_ignored_rules_and_rule_attributes_ok() {
let input = r#"<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy context="default">
<allow send_destination="*" eavesdrop="true"/>
<allow eavesdrop="true"/>
<deny eavesdrop="true"/>
<deny send_requested_reply="true" send_type="method_return"/>
<allow send_requested_reply="false" send_type="method_return"/>
<deny receive_requested_reply="true" receive_type="error"/>
<allow receive_requested_reply="false" receive_type="error"/>
</policy>
<policy at_console="true">
<allow send_destination="org.freedesktop.DBus" send_interface="org.freedesktop.systemd1.Activator"/>
</policy>
</busconfig>
"#;

let busconfig = BusConfig::parse(input).expect("should parse XML input");

assert_eq!(
busconfig,
BusConfig {
policies: vec![
Policy::DefaultContext(vec![
(
Access::Allow,
// `eavesdrop="true"` is dropped, keep other attributes
Operation::Send(SendOperation {
destination: String::from("*")
})
),
// `<allow eavesdrop="true"/>` has nothing left after dropping eavesdrop
// `<deny eavesdrop="true" ...` is completely ignored
// `<deny send_requested_reply="true" ...` is completely ignored
// `<allow send_requested_reply="false" ...` is completely ignored
// `<deny receive_requested_reply="true" ...` is completely ignored
// `<allow receive_requested_reply="false" ...` is completely ignored
]),
// `<policy at_console="true">` is completely ignored
],
..Default::default()
}
Expand Down

0 comments on commit ce0eae5

Please sign in to comment.