author | Danny Kukawka <danny.kukawka@web.de> | 2009-01-28 14:14:02 +0100 |
---|---|---|
committer | Danny Kukawka <danny.kukawka@web.de> | 2009-01-28 14:14:02 +0100 |
commit | 101c34aef06dcd8074d7de9e61f296c546996b5d (patch) | |
tree | 2766ce7ecabc160cf5872d7e473566c047804acc | |
parent | 59d66b8ebcef20f3a48ca6744cc5ee6f5b0c212f (diff) |
fixed entries to add acl related keys only if there is a device
Fixed existing entries to add acl related keys only if there is
also a device to which HAL can add the ACL rules.
-rw-r--r-- | fdi/policy/10osvendor/20-acl-management.fdi | 192 |
1 files changed, 110 insertions, 82 deletions
diff --git a/fdi/policy/10osvendor/20-acl-management.fdi b/fdi/policy/10osvendor/20-acl-management.fdi
index 5ad2ab46..98f8c88c 100644
--- a/fdi/policy/10osvendor/20-acl-management.fdi
+++ b/fdi/policy/10osvendor/20-acl-management.fdi
@@ -9,96 +9,112 @@
 <!-- sound card (ALSA) -->
 <match key="info.capabilities" contains="alsa">
- <addset key="info.capabilities" type="strlist">access_control</addset>
- <merge key="access_control.file" type="copy_property">alsa.device_file</merge>
- <merge key="access_control.type" type="string">sound</merge>
+ <match key="alsa.device_file" exists="true">
+ <addset key="info.capabilities" type="strlist">access_control</addset>
+ <merge key="access_control.file" type="copy_property">alsa.device_file</merge>
+ <merge key="access_control.type" type="string">sound</merge>
+ </match>
 </match>
 <!-- sound card (OSS) -->
 <match key="info.capabilities" contains="oss">
- <addset key="info.capabilities" type="strlist">access_control</addset>
- <merge key="access_control.file" type="copy_property">oss.device_file</merge>
- <merge key="access_control.type" type="string">sound</merge>
+ <match key="oss.device_file" exists="true">
+ <addset key="info.capabilities" type="strlist">access_control</addset>
+ <merge key="access_control.file" type="copy_property">oss.device_file</merge>
+ <merge key="access_control.type" type="string">sound</merge>
+ </match>
 </match>
 <!-- video4linux devices -->
 <match key="info.capabilities" contains="video4linux">
- <addset key="info.capabilities" type="strlist">access_control</addset>
- <merge key="access_control.file" type="copy_property">video4linux.device</merge>
- <merge key="access_control.type" type="string">video4linux</merge>
+ <match key="video4linux.device" exists="true">
+ <addset key="info.capabilities" type="strlist">access_control</addset>
+ <merge key="access_control.file" type="copy_property">video4linux.device</merge>
+ <merge key="access_control.type" type="string">video4linux</merge>
+ </match>
 </match>
 <!-- Removable block devices -->
 <match key="info.capabilities" contains="block">
- <match key="@block.storage_device:storage.removable" bool="true">
- <!-- do not set acls on unpartitioned volumes, parent gets them -->
- <match key="block.is_volume" bool="true">
- <match key="volume.is_partition" bool="true">
+ <match key="block.device" exists="true">
+ <match key="@block.storage_device:storage.removable" bool="true">
+ <!-- do not set acls on unpartitioned volumes, parent gets them -->
+ <match key="block.is_volume" bool="true">
+ <match key="volume.is_partition" bool="true">
+ <addset key="info.capabilities" type="strlist">access_control</addset>
+ <merge key="access_control.file" type="copy_property">block.device</merge>
+ <merge key="access_control.type" type="string">removable-block</merge>
+ </match>
+ </match>
+ <match key="block.is_volume" bool="false">
 <addset key="info.capabilities" type="strlist">access_control</addset>
 <merge key="access_control.file" type="copy_property">block.device</merge>
 <merge key="access_control.type" type="string">removable-block</merge>
 </match>
 </match>
- <match key="block.is_volume" bool="false">
- <addset key="info.capabilities" type="strlist">access_control</addset>
- <merge key="access_control.file" type="copy_property">block.device</merge>
- <merge key="access_control.type" type="string">removable-block</merge>
- </match>
 </match>
 </match>
 <!-- optical drives -->
 <match key="info.capabilities" contains="storage.cdrom">
- <addset key="info.capabilities" type="strlist">access_control</addset>
- <merge key="access_control.file" type="copy_property">block.device</merge>
- <merge key="access_control.type" type="string">cdrom</merge>
+ <match key="block.device" exists="true">
+ <addset key="info.capabilities" type="strlist">access_control</addset>
+ <merge key="access_control.file" type="copy_property">block.device</merge>
+ <merge key="access_control.type" type="string">cdrom</merge>
+ </match>
 </match>
 <!-- scsi generic device for optical drives -->
 <match key="info.capabilities" contains="scsi_generic">
- <match key="@info.parent:scsi.type" string="cdrom">
- <addset key="info.capabilities" type="strlist">access_control</addset>
- <merge key="access_control.file" type="copy_property">scsi_generic.device</merge>
- <merge key="access_control.type" type="string">cdrom</merge>
- </match>
- <match key="info.capabilities" contains="scanner">
- <addset key="info.capabilities" type="strlist">access_control</addset>
- <merge key="access_control.file" type="copy_property">scsi_generic.device</merge>
- <merge key="access_control.type" type="string">scanner</merge>
- </match>
- <!-- usb floppy bnc#336327 -->
- <match key="@info.parent:@info.parent:@info.parent:usb.interface.class" int="8">
- <match key="@info.parent:@info.parent:@info.parent:usb.interface.subclass" int="4">
+ <match key="scsi_generic.device" exists="true">
+ <match key="@info.parent:scsi.type" string="cdrom">
 <addset key="info.capabilities" type="strlist">access_control</addset>
 <merge key="access_control.file" type="copy_property">scsi_generic.device</merge>
- <merge key="access_control.type" type="string">floppy</merge>
- </match>
+ <merge key="access_control.type" type="string">cdrom</merge>
+ </match>
+ <match key="info.capabilities" contains="scanner">
+ <addset key="info.capabilities" type="strlist">access_control</addset>
+ <merge key="access_control.file" type="copy_property">scsi_generic.device</merge>
+ <merge key="access_control.type" type="string">scanner</merge>
+ </match>
+ <!-- usb floppy bnc#336327 -->
+ <match key="@info.parent:@info.parent:@info.parent:usb.interface.class" int="8">
+ <match key="@info.parent:@info.parent:@info.parent:usb.interface.subclass" int="4">
+ <addset key="info.capabilities" type="strlist">access_control</addset>
+ <merge key="access_control.file" type="copy_property">scsi_generic.device</merge>
+ <merge key="access_control.type" type="string">floppy</merge>
+ </match>
+ </match>
 </match>
 </match>
 <!-- DVB cards -->
 <match key="info.capabilities" contains="dvb">
- <addset key="info.capabilities" type="strlist">access_control</addset>
- <merge key="access_control.file" type="copy_property">dvb.device</merge>
- <merge key="access_control.type" type="string">dvb</merge>
+ <match key="dvb.device" exists="true">
+ <addset key="info.capabilities" type="strlist">access_control</addset>
+ <merge key="access_control.file" type="copy_property">dvb.device</merge>
+ <merge key="access_control.type" type="string">dvb</merge>
+ </match>
 </match>
 <!-- support for Linux USB stack where device node is on a child of the main USB device -->
 <match key="info.capabilities" contains="usbraw">
- <match key="info.capabilities" sibling_contains="camera">
- <addset key="info.capabilities" type="strlist">access_control</addset>
- <merge key="access_control.file" type="copy_property">usbraw.device</merge>
- <merge key="access_control.type" type="string">camera</merge>
- </match>
- <match key="info.capabilities" sibling_contains="scanner">
- <addset key="info.capabilities" type="strlist">access_control</addset>
- <merge key="access_control.file" type="copy_property">usbraw.device</merge>
- <merge key="access_control.type" type="string">scanner</merge>
- </match>
- <match key="info.capabilities" sibling_contains="biometic.fingerprint_reader">
- <addset key="info.capabilities" type="strlist">access_control</addset>
- <merge key="access_control.file" type="copy_property">usbraw.device</merge>
- <merge key="access_control.type" type="string">fingerprint-reader</merge>
+ <match key="usbraw.device" exists="true">
+ <match key="info.capabilities" sibling_contains="camera">
+ <addset key="info.capabilities" type="strlist">access_control</addset>
+ <merge key="access_control.file" type="copy_property">usbraw.device</merge>
+ <merge key="access_control.type" type="string">camera</merge>
+ </match>
+ <match key="info.capabilities" sibling_contains="scanner">
+ <addset key="info.capabilities" type="strlist">access_control</addset>
+ <merge key="access_control.file" type="copy_property">usbraw.device</merge>
+ <merge key="access_control.type" type="string">scanner</merge>
+ </match>
+ <match key="info.capabilities" sibling_contains="biometic.fingerprint_reader">
+ <addset key="info.capabilities" type="strlist">access_control</addset>
+ <merge key="access_control.file" type="copy_property">usbraw.device</merge>
+ <merge key="access_control.type" type="string">fingerprint-reader</merge>
+ </match>
 </match>
 </match>
@@ -136,14 +152,18 @@
 <!-- Firewire devices are mostly driven by userspace libraries -->
 <match key="info.capabilities" contains="ieee1394_unit.iidc">
- <addset key="info.capabilities" type="strlist">access_control</addset>
- <merge key="access_control.file" type="copy_property">@ieee1394_unit.originating_device:ieee1394.device</merge>
- <merge key="access_control.type" type="string">ieee1394-iidc</merge>
+ <match key="@ieee1394_unit.originating_device:ieee1394.device" exists="true">
+ <addset key="info.capabilities" type="strlist">access_control</addset>
+ <merge key="access_control.file" type="copy_property">@ieee1394_unit.originating_device:ieee1394.device</merge>
+ <merge key="access_control.type" type="string">ieee1394-iidc</merge>
+ </match>
 </match>
 <match key="info.capabilities" contains="ieee1394_unit.avc">
- <addset key="info.capabilities" type="strlist">access_control</addset>
- <merge key="access_control.file" type="copy_property">@ieee1394_unit.originating_device:ieee1394.device</merge>
- <merge key="access_control.type" type="string">ieee1394-avc</merge>
+ <match key="@ieee1394_unit.originating_device:ieee1394.device" exists="true">
+ <addset key="info.capabilities" type="strlist">access_control</addset>
+ <merge key="access_control.file" type="copy_property">@ieee1394_unit.originating_device:ieee1394.device</merge>
+ <merge key="access_control.type" type="string">ieee1394-avc</merge>
+ </match>
 </match>
 <!-- serial devices are assumed to be modems by default (no access) -->
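Review bot: In the usbraw section the third rule still tests `sibling_contains="biometic.fingerprint_reader"`, which looks like a misspelling of `biometric.fingerprint_reader`. The line is only re-indented by this commit, so the new `usbraw.device` guard does not change it. If the capability is spelled `biometric.…` where it is set (not visible in this hunk), the rule never matches and fingerprint readers never get `access_control.file`; that fails closed, but the rule is then dead. Suggested line once the spelling is confirmed: `<match key="info.capabilities" sibling_contains="biometric.fingerprint_reader">`.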
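Review bot: Both Firewire rules copy `@ieee1394_unit.originating_device:ieee1394.device` into `access_control.file`, so the ACL lands on the originating device's node rather than on a node belonging to the matched unit, and nothing in the section says so. The new `exists` guard correctly tests that same indirect key. If the originating device's node gives access to more than the iidc or avc unit (not determinable from this hunk), the grant is broader than the rule's capability match suggests. I would add above the first rule: `<!-- ACL is applied to the originating device's node, which is shared by all units of that device -->`.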
@@ -157,7 +177,7 @@
 <!-- serial devices are assumed to be modems by default (no access) -->
 <match key="info.category" string="ppdev">
- <match key="serial.device" exists="true">
+ <match key="linux.device_file" exists="true">
 <addset key="info.capabilities" type="strlist">access_control</addset>
 <merge key="access_control.file" type="copy_property">linux.device_file</merge>
 <merge key="access_control.type" type="string">ppdev</merge>
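Review bot: The comment directly above this rule still reads "serial devices are assumed to be modems by default (no access)", although the rule matches `info.category` = `ppdev` and now guards on `linux.device_file`. If ppdev devices never carried `serial.device`, the old guard presumably never matched, so this change starts granting ACLs on parallel-port nodes rather than only tightening an existing rule, and the commit message does not mention that. I would replace the comment with `<!-- parallel port devices (ppdev): ACL is set on linux.device_file -->` and state the behaviour change in the description. The enclosing `<match>` elements close outside this hunk.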
@@ -180,43 +200,51 @@
 <!-- plain old floppy -->
 <match key="storage.drive_type" string="floppy">
- <match key="storage.no_partitions_hint" bool="true">
- <match key="access_control.type" exists="false">
- <addset key="info.capabilities" type="strlist">access_control</addset>
- <merge key="access_control.file" type="copy_property">block.device</merge>
- <merge key="access_control.type" type="string">floppy</merge>
+ <match key="block.device" exists="true">
+ <match key="storage.no_partitions_hint" bool="true">
+ <match key="access_control.type" exists="false">
+ <addset key="info.capabilities" type="strlist">access_control</addset>
+ <merge key="access_control.file" type="copy_property">block.device</merge>
+ <merge key="access_control.type" type="string">floppy</merge>
+ </match>
 </match>
 </match>
 </match>
 <!-- linux input devices (needed e.g. for games) -->
 <match key="linux.subsystem" string="input">
- <!-- joysticks -->
- <match key="info.capabilities" contains="input.joystick">
- <addset key="info.capabilities" type="strlist">access_control</addset>
- <merge key="access_control.file" type="copy_property">input.device</merge>
- <merge key="access_control.type" type="string">joystick</merge>
- </match>
- <!-- mice -->
- <match key="info.capabilities" contains="input.mouse">
- <addset key="info.capabilities" type="strlist">access_control</addset>
- <merge key="access_control.file" type="copy_property">input.device</merge>
- <merge key="access_control.type" type="string">mouse</merge>
+ <match key="input.device" exists="true">
+ <!-- joysticks -->
+ <match key="info.capabilities" contains="input.joystick">
+ <addset key="info.capabilities" type="strlist">access_control</addset>
+ <merge key="access_control.file" type="copy_property">input.device</merge>
+ <merge key="access_control.type" type="string">joystick</merge>
+ </match>
+ <!-- mice -->
+ <match key="info.capabilities" contains="input.mouse">
+ <addset key="info.capabilities" type="strlist">access_control</addset>
+ <merge key="access_control.file" type="copy_property">input.device</merge>
+ <merge key="access_control.type" type="string">mouse</merge>
+ </match>
 </match>
 </match>
 <!-- graphics cards, e.g. for 3d accelleration -->
 <match key="info.capabilities" contains="drm">
- <addset key="info.capabilities" type="strlist">access_control</addset>
- <merge key="access_control.file" type="copy_property">linux.device_file</merge>
- <merge key="access_control.type" type="string">video</merge>
+ <match key="linux.device_file" exists="true">
+ <addset key="info.capabilities" type="strlist">access_control</addset>
+ <merge key="access_control.file" type="copy_property">linux.device_file</merge>
+ <merge key="access_control.type" type="string">video</merge>
+ </match>
 </match>
 <!-- printer devices -->
 <match key="info.capabilities" contains="printer">
- <addset key="info.capabilities" type="strlist">access_control</addset>
- <merge key="access_control.file" type="copy_property">printer.device</merge>
- <merge key="access_control.type" type="string">printer</merge>
+ <match key="printer.device" exists="true">
+ <addset key="info.capabilities" type="strlist">access_control</addset>
+ <merge key="access_control.file" type="copy_property">printer.device</merge>
+ <merge key="access_control.type" type="string">printer</merge>
+ </match>
 </match>
 <!-- enforcement of policy goes here --> |
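Review bot: The mice rule in the input section grants an ACL on `input.device` to every node whose capabilities contain `input.mouse`, and the new `input.device` guard only checks that the node exists. If HAL can report one event node that carries both `input.mouse` and a keyboard capability (not determinable from this hunk), the ACL would let the session user read key events from that node, so the rule should exclude such nodes or say why that cannot happen. At minimum I would add `<!-- mice: assumes the event node carries no keyboard events; confirm before granting -->` above the rule. Separately, a device matching both the joystick and the mice rule ends with `access_control.type` set by whichever rule runs last, which is worth a one-line comment.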