diff --git a/CheckDBusPolicy.py b/CheckDBusPolicy.py
new file mode 100644
index 0000000..58d02c4
--- /dev/null
+++ b/CheckDBusPolicy.py
@@ -0,0 +1,80 @@
+# vim:sw=4:et
+#############################################################################
+# File : CheckDBusPolicy.py
+# Package : rpmlint
+# Author : Ludwig Nussel
+# Purpose : Check for broken DBus policies
+#############################################################################
+
+# causes extraction of package if it contains files in /etc/dbus-1/system.d/
+
+from Filter import *
+import AbstractCheck
+from xml.dom.minidom import parse
+
+class DBusPolicyCheck(AbstractCheck.AbstractCheck):
+ def __init__(self):
+ AbstractCheck.AbstractCheck.__init__(self, "CheckDBusPolicy")
+
+ def check(self, pkg):
+
+ if pkg.isSource():
+ return
+
+ files = pkg.files()
+
+ for f in files:
+ if f in pkg.ghostFiles():
+ continue
+
+ # catch xml exceptions
+ try:
+ if f.startswith("/etc/dbus-1/system.d/"):
+ send_policy_seen = False
+ lf = pkg.dirName() + f
+ xml = parse(lf)
+ for p in xml.getElementsByTagName("policy"):
+ for allow in p.getElementsByTagName("allow"):
+ if ( allow.hasAttribute('send_interface') \
+ or allow.hasAttribute('send_member') \
+ or allow.hasAttribute('send_path')) \
+ and not allow.hasAttribute('send_destination'):
+ send_policy_seen = True
+ printError(pkg, 'dbus-policy-allow-without-destination', "%(file)s: %(xml)s" % { 'file':f, 'xml':allow.toxml() })
+ elif allow.hasAttribute('send_destination'):
+ send_policy_seen = True
+
+ if allow.hasAttribute('receive_sender') \
+ or allow.hasAttribute('receive_interface'):
+ printInfo(pkg, 'dbus-policy-allow-receive', "%(file)s: %(xml)s" % { 'file':f, 'xml':allow.toxml() })
+
+ for deny in p.getElementsByTagName("deny"):
+ if ( deny.hasAttribute('send_interface') \
+ and not deny.hasAttribute('send_destination')):
+ printError(pkg, 'dbus-policy-deny-without-destination', "%(file)s: %(xml)s" % { 'file':f, 'xml':deny.toxml() })
+
+ if not send_policy_seen:
+ printError(pkg, 'dbus-policy-missing-allow', "%(file)s does not allow communication" % { 'file':f })
+
+ except Exception, x:
+ printError(pkg, 'rpmlint-exception', "%(file)s raised an exception: %(x)s" % {'file':f, 'x':x})
+ continue
+
+check=DBusPolicyCheck()
+
+if Config.info:
+ addDetails(
+'dbus-policy-allow-without-destination',
+"""'allow' directives must always specify a 'send_destination'""",
+'dbus-policy-allow-receive',
+"""allow receive_* is normally not needed as that is the default""",
+'dbus-policy-deny-without-destination',
+"""'deny' directives must always specify a 'send_destination' otherwise messages to other services could be blocked""",
+'dbus-policy-missing-allow',
+"""every dbus config normally needs a line of the form
+
+or similar. If that is missing the service will not work with a dbus that uses
+deny as default policy""",
+'rpmlint-exception',
+"""A python exception was raised which prevents further analysis""",
+)
diff --git a/config b/config
index e2d61df..396bb28 100644
--- a/config
+++ b/config
@@ -29,6 +29,7 @@ addCheck("CheckSUIDPermissions")
 # polkit-default-privs would need to be installed always
 #addCheck("CheckPolkitPrivs")
 addCheck("CheckDBUSServices")
+addCheck("CheckDBusPolicy")
 addCheck("CheckFilelist")
 addCheck("CheckKDE4Deps")
 addCheck("KMPPolicyCheck")
diff --git a/config.in b/config.in
index d08a6cb..ab7bc18 100644
--- a/config.in
+++ b/config.in
@@ -29,6 +29,7 @@ addCheck("CheckSUIDPermissions")
 # polkit-default-privs would need to be installed always
 #addCheck("CheckPolkitPrivs")
 addCheck("CheckDBUSServices")
+addCheck("CheckDBusPolicy")
 addCheck("CheckFilelist")
 # stuff autobuild takes care about
diff --git a/rpmlint.changes b/rpmlint.changes
index 23b5348..e2547dd 100644
--- a/rpmlint.changes
+++ b/rpmlint.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Jan 23 14:00:24 CET 2009 - lnussel@suse.de
+
+- add check for DBus Policy problems
+
 -------------------------------------------------------------------
 Tue Jan 13 15:59:15 CET 2009 - lnussel@suse.de
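Review bot: `parse(lf)` in `check()` of CheckDBusPolicy.py hands a file from the package under inspection to `xml.dom.minidom`, and nothing before it confirms that `pkg.dirName() + f` is a regular file inside the extracted tree. If `pkg.files()` can list symlinks or directories under `/etc/dbus-1/system.d/` (not visible in this diff), a symlink would make the check read a path on the lint host, so I would add `import os` and guard with `if os.path.islink(lf) or not os.path.isfile(lf): continue` before parsing. minidom also accepts DTDs and entity declarations, so a policy file with heavily nested entities may cost the host a lot of memory and time; a parser set up to refuse DTDs would suit package content better. Separately, the `deny` loop tests only `send_interface` while the `allow` loop also covers `send_member` and `send_path`, so a `deny` using those attributes without `send_destination` goes unreported.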
diff --git a/rpmlint.spec b/rpmlint.spec index c8c1dbf..481d8bc 100644 --- a/rpmlint.spec +++ b/rpmlint.spec @@ -22,7 +22,7 @@ Name: rpmlint BuildRequires: rpm-python Summary: Rpm correctness checker Version: 0.84 -Release: 11 +Release: 12 Source0: %{name}-%{version}.tar.bz2 Source1: config Source1001: config.in @@ -42,6 +42,7 @@ Source14: CheckSUIDPermissions.py Source15: CheckPolkitPrivs.py Source16: CheckDBUSServices.py Source17: CheckFilelist.py +Source18: CheckDBusPolicy.py Source100: syntax-validator.py Url: http://rpmlint.zarb.org/ License: GPL v2 or later @@ -194,6 +195,7 @@ cp -p %{SOURCE14} . cp -p %{SOURCE15} . cp -p %{SOURCE16} . cp -p %{SOURCE17} . +cp -p %{SOURCE18} . %build make @@ -220,6 +222,8 @@ rm -rf $RPM_BUILD_ROOT /usr/share/man/man1/rpmlint.1.gz %changelog +* Fri Jan 23 2009 lnussel@suse.de +- add check for DBus Policy problems * Tue Jan 13 2009 lnussel@suse.de - CheckFilelist: optimize FHS check to only complain about wrong directories rather than hundreds of individual files