/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2013 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include "xml.h"
#include "fileio.h"
#include "strv.h"
#include "conf-files.h"
#include "bus-internal.h"
#include "bus-message.h"
#include "bus-xml-policy.h"
#include "sd-login.h"

static void policy_item_free(PolicyItem *i) {
        assert(i);

        free(i->interface);
        free(i->member);
        free(i->error);
        free(i->name);
        free(i->path);
        free(i);
}

DEFINE_TRIVIAL_CLEANUP_FUNC(PolicyItem*, policy_item_free);

static void item_append(PolicyItem *i, PolicyItem **list) {

        PolicyItem *tail;

        LIST_FIND_TAIL(items, *list, tail);
        LIST_INSERT_AFTER(items, *list, tail, i);
}

static int file_load(Policy *p, const char *path) {

        _cleanup_free_ char *c = NULL, *policy_user = NULL, *policy_group = NULL;
        _cleanup_(policy_item_freep) PolicyItem *i = NULL;
        void *xml_state = NULL;
        unsigned n_other = 0;
        const char *q;
        int r;

        enum {
                STATE_OUTSIDE,
                STATE_BUSCONFIG,
                STATE_POLICY,
                STATE_POLICY_CONTEXT,
                STATE_POLICY_CONSOLE,
                STATE_POLICY_USER,
                STATE_POLICY_GROUP,
                STATE_POLICY_OTHER_ATTRIBUTE,
                STATE_ALLOW_DENY,
                STATE_ALLOW_DENY_INTERFACE,
                STATE_ALLOW_DENY_MEMBER,
                STATE_ALLOW_DENY_ERROR,
                STATE_ALLOW_DENY_PATH,
                STATE_ALLOW_DENY_MESSAGE_TYPE,
                STATE_ALLOW_DENY_NAME,
                STATE_ALLOW_DENY_OTHER_ATTRIBUTE,
                STATE_OTHER,
        } state = STATE_OUTSIDE;

        enum {
                POLICY_CATEGORY_NONE,
                POLICY_CATEGORY_DEFAULT,
                POLICY_CATEGORY_MANDATORY,
                POLICY_CATEGORY_ON_CONSOLE,
                POLICY_CATEGORY_NO_CONSOLE,
                POLICY_CATEGORY_USER,
                POLICY_CATEGORY_GROUP
        } policy_category = POLICY_CATEGORY_NONE;

        unsigned line = 0;

        assert(p);

        r = read_full_file(path, &c, NULL);
        if (r < 0) {
                if (r == -ENOENT)
                        return 0;
                if (r == -EISDIR)
                        return r;

                return log_error_errno(r, "Failed to load %s: %m", path);
        }

        q = c;
        for (;;) {
                _cleanup_free_ char *name = NULL;
                int t;

                t = xml_tokenize(&q, &name, &xml_state, &line);
                if (t < 0)
                        return log_error_errno(t, "XML parse failure in %s: %m", path);

                switch (state) {

                case STATE_OUTSIDE:

                        if (t == XML_TAG_OPEN) {
                                if (streq(name, "busconfig"))
                                        state = STATE_BUSCONFIG;
                                else {
                                        log_error("Unexpected tag %s at %s:%u.", name, path, line);
                                        return -EINVAL;
                                }

                        } else if (t == XML_END)
                                return 0;
                        else if (t != XML_TEXT || !in_charset(name, WHITESPACE)) {
                                log_error("Unexpected token (1) at %s:%u.", path, line);
                                return -EINVAL;
                        }

                        break;

                case STATE_BUSCONFIG:

                        if (t == XML_TAG_OPEN) {
                                if (streq(name, "policy")) {
                                        state = STATE_POLICY;
                                        policy_category = POLICY_CATEGORY_NONE;
                                        free(policy_user);
                                        free(policy_group);
                                        policy_user = policy_group = NULL;
                                } else {
                                        state = STATE_OTHER;
                                        n_other = 0;
                                }
                        } else if (t == XML_TAG_CLOSE_EMPTY ||
                                   (t == XML_TAG_CLOSE && streq(name, "busconfig")))
                                state = STATE_OUTSIDE;
                        else if (t != XML_TEXT || !in_charset(name, WHITESPACE)) {
                                log_error("Unexpected token (2) at %s:%u.", path, line);
                                return -EINVAL;
                        }

                        break;

                case STATE_POLICY:

                        if (t == XML_ATTRIBUTE_NAME) {
                                if (streq(name, "context"))
                                        state = STATE_POLICY_CONTEXT;
                                else if (streq(name, "at_console"))
                                        state = STATE_POLICY_CONSOLE;
                                else if (streq(name, "user"))
                                        state = STATE_POLICY_USER;
                                else if (streq(name, "group"))
                                        state = STATE_POLICY_GROUP;
                                else {
                                        log_warning("Attribute %s of <policy> tag unknown at %s:%u, ignoring.", name, path, line);
                                        state = STATE_POLICY_OTHER_ATTRIBUTE;
                                }
                        } else if (t == XML_TAG_CLOSE_EMPTY ||
                                   (t == XML_TAG_CLOSE && streq(name, "policy")))
                                state = STATE_BUSCONFIG;
                        else if (t == XML_TAG_OPEN) {
                                PolicyItemType it;

                                if (streq(name, "allow"))
                                        it = POLICY_ITEM_ALLOW;
                                else if (streq(name, "deny"))
                                        it = POLICY_ITEM_DENY;
                                else {
                                        log_warning("Unknown tag %s in <policy> %s:%u.", name, path, line);
                                        return -EINVAL;
                                }

                                assert(!i);
                                i = new0(PolicyItem, 1);
                                if (!i)
                                        return log_oom();

                                i->type = it;
                                state = STATE_ALLOW_DENY;

                        } else if (t != XML_TEXT || !in_charset(name, WHITESPACE)) {
                                log_error("Unexpected token (3) at %s:%u.", path, line);
                                return -EINVAL;
                        }

                        break;

                case STATE_POLICY_CONTEXT:

                        if (t == XML_ATTRIBUTE_VALUE) {
                                if (streq(name, "default")) {
                                        policy_category = POLICY_CATEGORY_DEFAULT;
                                        state = STATE_POLICY;
                                } else if (streq(name, "mandatory")) {
                                        policy_category = POLICY_CATEGORY_MANDATORY;
                                        state = STATE_POLICY;
                                } else {
                                        log_error("context= parameter %s unknown for <policy> at %s:%u.", name, path, line);
                                        return -EINVAL;
                                }
                        } else {
                                log_error("Unexpected token (4) at %s:%u.", path, line);
                                return -EINVAL;
                        }

                        break;

                case STATE_POLICY_CONSOLE:

                        if (t == XML_ATTRIBUTE_VALUE) {
                                if (streq(name, "true")) {
                                        policy_category = POLICY_CATEGORY_ON_CONSOLE;
                                        state = STATE_POLICY;
                                } else if (streq(name, "false")) {
                                        policy_category = POLICY_CATEGORY_NO_CONSOLE;
                                        state = STATE_POLICY;
                                } else {
                                        log_error("at_console= parameter %s unknown for <policy> at %s:%u.", name, path, line);
                                        return -EINVAL;
                                }
                        } else {
                                log_error("Unexpected token (4.1) at %s:%u.", path, line);
                                return -EINVAL;
                        }

                        break;

                case STATE_POLICY_USER:

                        if (t == XML_ATTRIBUTE_VALUE) {
                                free(policy_user);
                                policy_user = name;
                                name = NULL;
                                policy_category = POLICY_CATEGORY_USER;
                                state = STATE_POLICY;
                        } else {
                                log_error("Unexpected token (5) in %s:%u.", path, line);
                                return -EINVAL;
                        }

                        break;

                case STATE_POLICY_GROUP:

                        if (t == XML_ATTRIBUTE_VALUE) {
                                free(policy_group);
                                policy_group = name;
                                name = NULL;
                                policy_category = POLICY_CATEGORY_GROUP;
                                state = STATE_POLICY;
                        } else {
                                log_error("Unexpected token (6) at %s:%u.", path, line);
                                return -EINVAL;
                        }

                        break;

                case STATE_POLICY_OTHER_ATTRIBUTE:

                        if (t == XML_ATTRIBUTE_VALUE)
                                state = STATE_POLICY;
                        else {
                                log_error("Unexpected token (7) in %s:%u.", path, line);
                                return -EINVAL;
                        }

                        break;

                case STATE_ALLOW_DENY:

                        assert(i);

                        if (t == XML_ATTRIBUTE_NAME) {
                                PolicyItemClass ic;

                                if (startswith(name, "send_"))
                                        ic = POLICY_ITEM_SEND;
                                else if (startswith(name, "receive_"))
                                        ic = POLICY_ITEM_RECV;
                                else if (streq(name, "own"))
                                        ic = POLICY_ITEM_OWN;
                                else if (streq(name, "own_prefix"))
                                        ic = POLICY_ITEM_OWN_PREFIX;
                                else if (streq(name, "user"))
                                        ic = POLICY_ITEM_USER;
                                else if (streq(name, "group"))
                                        ic = POLICY_ITEM_GROUP;
                                else if (streq(name, "eavesdrop")) {
                                        log_debug("Unsupported attribute %s= at %s:%u, ignoring.", name, path, line);
                                        state = STATE_ALLOW_DENY_OTHER_ATTRIBUTE;
                                        break;
                                } else {
                                        log_error("Unknown attribute %s= at %s:%u, ignoring.", name, path, line);
                                        state = STATE_ALLOW_DENY_OTHER_ATTRIBUTE;
                                        break;
                                }

                                if (i->class != _POLICY_ITEM_CLASS_UNSET && ic != i->class) {
                                        log_error("send_, receive_/eavesdrop fields mixed on same tag at %s:%u.", path, line);
                                        return -EINVAL;
                                }

                                i->class = ic;

                                if (ic == POLICY_ITEM_SEND || ic == POLICY_ITEM_RECV) {
                                        const char *u;

                                        u = strchr(name, '_');
                                        assert(u);

                                        u++;

                                        if (streq(u, "interface"))
                                                state = STATE_ALLOW_DENY_INTERFACE;
                                        else if (streq(u, "member"))
                                                state = STATE_ALLOW_DENY_MEMBER;
                                        else if (streq(u, "error"))
                                                state = STATE_ALLOW_DENY_ERROR;
                                        else if (streq(u, "path"))
                                                state = STATE_ALLOW_DENY_PATH;
                                        else if (streq(u, "type"))
                                                state = STATE_ALLOW_DENY_MESSAGE_TYPE;
                                        else if ((streq(u, "destination") && ic == POLICY_ITEM_SEND) ||
                                                 (streq(u, "sender") && ic == POLICY_ITEM_RECV))
                                                state = STATE_ALLOW_DENY_NAME;
                                        else {
                                                if (streq(u, "requested_reply"))
                                                        log_debug("Unsupported attribute %s= at %s:%u, ignoring.", name, path, line);
                                                else
                                                        log_error("Unknown attribute %s= at %s:%u, ignoring.", name, path, line);
                                                state = STATE_ALLOW_DENY_OTHER_ATTRIBUTE;
                                                break;
                                        }
                                } else
                                        state = STATE_ALLOW_DENY_NAME;

                        } else if (t == XML_TAG_CLOSE_EMPTY ||
                                   (t == XML_TAG_CLOSE && streq(name, i->type == POLICY_ITEM_ALLOW ? "allow" : "deny"))) {

                                /* If the tag is fully empty so far, we consider it a recv */
                                if (i->class == _POLICY_ITEM_CLASS_UNSET)
                                        i->class = POLICY_ITEM_RECV;

                                if (policy_category == POLICY_CATEGORY_DEFAULT)
                                        item_append(i, &p->default_items);
                                else if (policy_category == POLICY_CATEGORY_MANDATORY)
                                        item_append(i, &p->mandatory_items);
                                else if (policy_category == POLICY_CATEGORY_ON_CONSOLE)
                                        item_append(i, &p->on_console_items);
                                else if (policy_category == POLICY_CATEGORY_NO_CONSOLE)
                                        item_append(i, &p->no_console_items);
                                else if (policy_category == POLICY_CATEGORY_USER) {
                                        const char *u = policy_user;

                                        assert_cc(sizeof(uid_t) == sizeof(uint32_t));

                                        r = hashmap_ensure_allocated(&p->user_items, NULL);
                                        if (r < 0)
                                                return log_oom();

                                        if (!u) {
                                                log_error("User policy without name");
                                                return -EINVAL;
                                        }

                                        r = get_user_creds(&u, &i->uid, NULL, NULL, NULL);
                                        if (r < 0) {
                                                log_error_errno(r, "Failed to resolve user %s, ignoring policy: %m", u);
                                                free(i);
                                        } else {
                                                PolicyItem *first;

                                                first = hashmap_get(p->user_items, UINT32_TO_PTR(i->uid));
                                                item_append(i, &first);
                                                i->uid_valid = true;

                                                r = hashmap_replace(p->user_items, UINT32_TO_PTR(i->uid), first);
                                                if (r < 0) {
                                                        LIST_REMOVE(items, first, i);
                                                        return log_oom();
                                                }
                                        }

                                } else if (policy_category == POLICY_CATEGORY_GROUP) {
                                        const char *g = policy_group;

                                        assert_cc(sizeof(gid_t) == sizeof(uint32_t));

                                        r = hashmap_ensure_allocated(&p->group_items, NULL);
                                        if (r < 0)
                                                return log_oom();

                                        if (!g) {
                                                log_error("Group policy without name");
                                                return -EINVAL;
                                        }

                                        r = get_group_creds(&g, &i->gid);
                                        if (r < 0) {
                                                log_error_errno(r, "Failed to resolve group %s, ignoring policy: %m", g);
                                                free(i);
                                        } else {
                                                PolicyItem *first;

                                                first = hashmap_get(p->group_items, UINT32_TO_PTR(i->gid));
                                                item_append(i, &first);
                                                i->gid_valid = true;

                                                r = hashmap_replace(p->group_items, UINT32_TO_PTR(i->gid), first);
                                                if (r < 0) {
                                                        LIST_REMOVE(items, first, i);
                                                        return log_oom();
                                                }
                                        }
                                }

                                state = STATE_POLICY;
                                i = NULL;

                        } else if (t != XML_TEXT || !in_charset(name, WHITESPACE)) {
                                log_error("Unexpected token (8) at %s:%u.", path, line);
                                return -EINVAL;
                        }

                        break;

                case STATE_ALLOW_DENY_INTERFACE:

                        if (t == XML_ATTRIBUTE_VALUE) {
                                assert(i);
                                if (i->interface) {
                                        log_error("Duplicate interface at %s:%u.", path, line);
                                        return -EINVAL;
                                }

                                if (!streq(name, "*")) {
                                        i->interface = name;
                                        name = NULL;
                                }
                                state = STATE_ALLOW_DENY;
                        } else {
                                log_error("Unexpected token (9) at %s:%u.", path, line);
                                return -EINVAL;
                        }

                        break;

                case STATE_ALLOW_DENY_MEMBER:

                        if (t == XML_ATTRIBUTE_VALUE) {
                                assert(i);
                                if (i->member) {
                                        log_error("Duplicate member in %s:%u.", path, line);
                                        return -EINVAL;
                                }

                                if (!streq(name, "*")) {
                                        i->member = name;
                                        name = NULL;
                                }
                                state = STATE_ALLOW_DENY;
                        } else {
                                log_error("Unexpected token (10) in %s:%u.", path, line);
                                return -EINVAL;
                        }

                        break;

                case STATE_ALLOW_DENY_ERROR:

                        if (t == XML_ATTRIBUTE_VALUE) {
                                assert(i);
                                if (i->error) {
                                        log_error("Duplicate error in %s:%u.", path, line);
                                        return -EINVAL;
                                }

                                if (!streq(name, "*")) {
                                        i->error = name;
                                        name = NULL;
                                }
                                state = STATE_ALLOW_DENY;
                        } else {
                                log_error("Unexpected token (11) in %s:%u.", path, line);
                                return -EINVAL;
                        }

                        break;

                case STATE_ALLOW_DENY_PATH:

                        if (t == XML_ATTRIBUTE_VALUE) {
                                assert(i);
                                if (i->path) {
                                        log_error("Duplicate path in %s:%u.", path, line);
                                        return -EINVAL;
                                }

                                if (!streq(name, "*")) {
                                        i->path = name;
                                        name = NULL;
                                }
                                state = STATE_ALLOW_DENY;
                        } else {
                                log_error("Unexpected token (12) in %s:%u.", path, line);
                                return -EINVAL;
                        }

                        break;

                case STATE_ALLOW_DENY_MESSAGE_TYPE:

                        if (t == XML_ATTRIBUTE_VALUE) {
                                assert(i);

                                if (i->message_type != 0) {
                                        log_error("Duplicate message type in %s:%u.", path, line);
                                        return -EINVAL;
                                }

                                if (!streq(name, "*")) {
                                        r = bus_message_type_from_string(name, &i->message_type);
                                        if (r < 0) {
                                                log_error("Invalid message type in %s:%u.", path, line);
                                                return -EINVAL;
                                        }
                                }

                                state = STATE_ALLOW_DENY;
                        } else {
                                log_error("Unexpected token (13) in %s:%u.", path, line);
                                return -EINVAL;
                        }

                        break;

                case STATE_ALLOW_DENY_NAME:

                        if (t == XML_ATTRIBUTE_VALUE) {
                                assert(i);
                                if (i->name) {
                                        log_error("Duplicate name in %s:%u.", path, line);
                                        return -EINVAL;
                                }

                                switch (i->class) {
                                case POLICY_ITEM_USER:
                                        if (!streq(name, "*")) {
                                                const char *u = name;

                                                r = get_user_creds(&u, &i->uid, NULL, NULL, NULL);
                                                if (r < 0)
                                                        log_error_errno(r, "Failed to resolve user %s: %m", name);
                                                else
                                                        i->uid_valid = true;
                                        }
                                        break;
                                case POLICY_ITEM_GROUP:
                                        if (!streq(name, "*")) {
                                                const char *g = name;

                                                r = get_group_creds(&g, &i->gid);
                                                if (r < 0)
                                                        log_error_errno(r, "Failed to resolve group %s: %m", name);
                                                else
                                                        i->gid_valid = true;
                                        }
                                        break;

                                case POLICY_ITEM_SEND:
                                case POLICY_ITEM_RECV:

                                        if (streq(name, "*")) {
                                                free(name);
                                                name = NULL;
                                        }
                                        break;


                                default:
                                        break;
                                }

                                i->name = name;
                                name = NULL;

                                state = STATE_ALLOW_DENY;
                        } else {
                                log_error("Unexpected token (14) in %s:%u.", path, line);
                                return -EINVAL;
                        }

                        break;

                case STATE_ALLOW_DENY_OTHER_ATTRIBUTE:

                        if (t == XML_ATTRIBUTE_VALUE)
                                state = STATE_ALLOW_DENY;
                        else {
                                log_error("Unexpected token (15) in %s:%u.", path, line);
                                return -EINVAL;
                        }

                        break;

                case STATE_OTHER:

                        if (t == XML_TAG_OPEN)
                                n_other++;
                        else if (t == XML_TAG_CLOSE || t == XML_TAG_CLOSE_EMPTY) {

                                if (n_other == 0)
                                        state = STATE_BUSCONFIG;
                                else
                                        n_other--;
                        }

                        break;
                }
        }
}

enum {
        DENY,
        ALLOW,
        DUNNO,
};

static const char *verdict_to_string(int v) {
        switch (v) {

        case DENY:
                return "DENY";
        case ALLOW:
                return "ALLOW";
        case DUNNO:
                return "DUNNO";
        }

        return NULL;
}

struct policy_check_filter {
        PolicyItemClass class;
        uid_t uid;
        gid_t gid;
        int message_type;
        const char *name;
        const char *interface;
        const char *path;
        const char *member;
};

static int is_permissive(PolicyItem *i) {

        assert(i);

        return (i->type == POLICY_ITEM_ALLOW) ? ALLOW : DENY;
}

static int check_policy_item(PolicyItem *i, const struct policy_check_filter *filter) {

        assert(i);
        assert(filter);

        switch (i->class) {
        case POLICY_ITEM_SEND:
        case POLICY_ITEM_RECV:

                if (i->name && !streq_ptr(i->name, filter->name))
                        break;

                if ((i->message_type != 0) && (i->message_type != filter->message_type))
                        break;

                if (i->path && !streq_ptr(i->path, filter->path))
                        break;

                if (i->member && !streq_ptr(i->member, filter->member))
                        break;

                if (i->interface && !streq_ptr(i->interface, filter->interface))
                        break;

                return is_permissive(i);

        case POLICY_ITEM_OWN:
                assert(filter->name);

                if (streq(i->name, "*") || streq(i->name, filter->name))
                        return is_permissive(i);
                break;

        case POLICY_ITEM_OWN_PREFIX:
                assert(filter->name);

                if (streq(i->name, "*") || service_name_startswith(filter->name, i->name))
                        return is_permissive(i);
                break;

        case POLICY_ITEM_USER:
                if (filter->uid != UID_INVALID)
                        if ((streq_ptr(i->name, "*") || (i->uid_valid && i->uid == filter->uid)))
                                return is_permissive(i);
                break;

        case POLICY_ITEM_GROUP:
                if (filter->gid != GID_INVALID)
                        if ((streq_ptr(i->name, "*") || (i->gid_valid && i->gid == filter->gid)))
                                return is_permissive(i);
                break;

        case POLICY_ITEM_IGNORE:
        default:
                break;
        }

        return DUNNO;
}

static int check_policy_items(PolicyItem *items, const struct policy_check_filter *filter) {

        PolicyItem *i;
        int verdict = DUNNO;

        assert(filter);

        /* Check all policies in a set - a broader one might be followed by a more specific one,
         * and the order of rules in policy definitions matters */
        LIST_FOREACH(items, i, items) {
                int v;

                if (i->class != filter->class &&
                    !(i->class == POLICY_ITEM_OWN_PREFIX && filter->class == POLICY_ITEM_OWN))
                        continue;

                v = check_policy_item(i, filter);
                if (v != DUNNO)
                        verdict = v;
        }

        return verdict;
}

static int policy_check(Policy *p, const struct policy_check_filter *filter) {

        PolicyItem *items;
        int verdict, v;

        assert(p);
        assert(filter);

        assert(IN_SET(filter->class, POLICY_ITEM_SEND, POLICY_ITEM_RECV, POLICY_ITEM_OWN, POLICY_ITEM_USER, POLICY_ITEM_GROUP));

        /*
         * The policy check is implemented by the following logic:
         *
         *  1. Check default items
         *  2. Check group items
         *  3. Check user items
         *  4. Check on/no_console items
         *  5. Check mandatory items
         *
         *  Later rules override earlier rules.
         */

        verdict = check_policy_items(p->default_items, filter);

        if (filter->gid != GID_INVALID) {
                items = hashmap_get(p->group_items, UINT32_TO_PTR(filter->gid));
                if (items) {
                        v = check_policy_items(items, filter);
                        if (v != DUNNO)
                                verdict = v;
                }
        }

        if (filter->uid != UID_INVALID) {
                items = hashmap_get(p->user_items, UINT32_TO_PTR(filter->uid));
                if (items) {
                        v = check_policy_items(items, filter);
                        if (v != DUNNO)
                                verdict = v;
                }
        }

        if (filter->uid != UID_INVALID && sd_uid_get_seats(filter->uid, -1, NULL) > 0)
                v = check_policy_items(p->on_console_items, filter);
        else
                v = check_policy_items(p->no_console_items, filter);
        if (v != DUNNO)
                verdict = v;

        v = check_policy_items(p->mandatory_items, filter);
        if (v != DUNNO)
                verdict = v;

        return verdict;
}

bool policy_check_own(Policy *p, uid_t uid, gid_t gid, const char *name) {

        struct policy_check_filter filter = {
                .class = POLICY_ITEM_OWN,
                .uid   = uid,
                .gid   = gid,
                .name  = name,
        };

        int verdict;

        assert(p);
        assert(name);

        verdict = policy_check(p, &filter);

        log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG),
                 "Ownership permission check for uid=" UID_FMT " gid=" GID_FMT" name=%s: %s",
                 uid, gid, strna(name), strna(verdict_to_string(verdict)));

        return verdict == ALLOW;
}

bool policy_check_hello(Policy *p, uid_t uid, gid_t gid) {

        struct policy_check_filter filter = {
                .uid = uid,
                .gid = gid,
        };
        int verdict;

        assert(p);

        filter.class = POLICY_ITEM_USER;
        verdict = policy_check(p, &filter);

        if (verdict != DENY) {
                int v;

                filter.class = POLICY_ITEM_GROUP;
                v = policy_check(p, &filter);
                if (v != DUNNO)
                        verdict = v;
        }

        log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG),
                 "Hello permission check for uid=" UID_FMT " gid=" GID_FMT": %s",
                 uid, gid, strna(verdict_to_string(verdict)));

        return verdict == ALLOW;
}

bool policy_check_recv(Policy *p,
                       uid_t uid,
                       gid_t gid,
                       int message_type,
                       const char *name,
                       const char *path,
                       const char *interface,
                       const char *member,
                       bool dbus_to_kernel) {

        struct policy_check_filter filter = {
                .class        = POLICY_ITEM_RECV,
                .uid          = uid,
                .gid          = gid,
                .message_type = message_type,
                .name         = name,
                .interface    = interface,
                .path         = path,
                .member       = member,
        };

        int verdict;

        assert(p);

        verdict = policy_check(p, &filter);

        log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG),
                 "Receive permission check %s for uid=" UID_FMT " gid=" GID_FMT" message=%s name=%s path=%s interface=%s member=%s: %s",
                 dbus_to_kernel ? "dbus-1 to kernel" : "kernel to dbus-1", uid, gid, bus_message_type_to_string(message_type), strna(name),
                 strna(path), strna(interface), strna(member), strna(verdict_to_string(verdict)));

        return verdict == ALLOW;
}

bool policy_check_send(Policy *p,
                       uid_t uid,
                       gid_t gid,
                       int message_type,
                       const char *name,
                       const char *path,
                       const char *interface,
                       const char *member,
                       bool dbus_to_kernel) {

        struct policy_check_filter filter = {
                .class        = POLICY_ITEM_SEND,
                .uid          = uid,
                .gid          = gid,
                .message_type = message_type,
                .name         = name,
                .interface    = interface,
                .path         = path,
                .member       = member,
        };

        int verdict;

        assert(p);

        verdict = policy_check(p, &filter);

        log_full(LOG_AUTH | (verdict != ALLOW ? LOG_WARNING : LOG_DEBUG),
                 "Send permission check %s for uid=" UID_FMT " gid=" GID_FMT" message=%s name=%s path=%s interface=%s member=%s: %s",
                 dbus_to_kernel ? "dbus-1 to kernel" : "kernel to dbus-1", uid, gid, bus_message_type_to_string(message_type), strna(name),
                 strna(path), strna(interface), strna(member), strna(verdict_to_string(verdict)));

        return verdict == ALLOW;
}

int policy_load(Policy *p, char **files) {
        char **i;
        int r;

        assert(p);

        STRV_FOREACH(i, files) {

                r = file_load(p, *i);
                if (r == -EISDIR) {
                        _cleanup_strv_free_ char **l = NULL;
                        char **j;

                        r = conf_files_list(&l, ".conf", NULL, *i, NULL);
                        if (r < 0)
                                return log_error_errno(r, "Failed to get configuration file list: %m");

                        STRV_FOREACH(j, l)
                                file_load(p, *j);
                }

                /* We ignore all errors but EISDIR, and just proceed. */
        }

        return 0;
}

void policy_free(Policy *p) {
        PolicyItem *i, *first;

        if (!p)
                return;

        while ((i = p->default_items)) {
                LIST_REMOVE(items, p->default_items, i);
                policy_item_free(i);
        }

        while ((i = p->mandatory_items)) {
                LIST_REMOVE(items, p->mandatory_items, i);
                policy_item_free(i);
        }

        while ((i = p->on_console_items)) {
                LIST_REMOVE(items, p->on_console_items, i);
                policy_item_free(i);
        }

        while ((i = p->no_console_items)) {
                LIST_REMOVE(items, p->no_console_items, i);
                policy_item_free(i);
        }

        while ((first = hashmap_steal_first(p->user_items))) {

                while ((i = first)) {
                        LIST_REMOVE(items, first, i);
                        policy_item_free(i);
                }
        }

        while ((first = hashmap_steal_first(p->group_items))) {

                while ((i = first)) {
                        LIST_REMOVE(items, first, i);
                        policy_item_free(i);
                }
        }

        hashmap_free(p->user_items);
        hashmap_free(p->group_items);

        p->user_items = p->group_items = NULL;
}

static void dump_items(PolicyItem *items, const char *prefix) {

        PolicyItem *i;

        if (!items)
                return;

        if (!prefix)
                prefix = "";

        LIST_FOREACH(items, i, items) {

                printf("%sType: %s\n"
                       "%sClass: %s\n",
                       prefix, policy_item_type_to_string(i->type),
                       prefix, policy_item_class_to_string(i->class));

                if (i->interface)
                        printf("%sInterface: %s\n",
                               prefix, i->interface);

                if (i->member)
                        printf("%sMember: %s\n",
                               prefix, i->member);

                if (i->error)
                        printf("%sError: %s\n",
                               prefix, i->error);

                if (i->path)
                        printf("%sPath: %s\n",
                               prefix, i->path);

                if (i->name)
                        printf("%sName: %s\n",
                               prefix, i->name);

                if (i->message_type != 0)
                        printf("%sMessage Type: %s\n",
                               prefix, bus_message_type_to_string(i->message_type));

                if (i->uid_valid) {
                        _cleanup_free_ char *user;

                        user = uid_to_name(i->uid);

                        printf("%sUser: %s (%d)\n",
                               prefix, strna(user), i->uid);
                }

                if (i->gid_valid) {
                        _cleanup_free_ char *group;

                        group = gid_to_name(i->gid);

                        printf("%sGroup: %s (%d)\n",
                               prefix, strna(group), i->gid);
                }
                printf("%s-\n", prefix);
        }
}

static void dump_hashmap_items(Hashmap *h) {
        PolicyItem *i;
        Iterator j;
        void *k;

        HASHMAP_FOREACH_KEY(i, k, h, j) {
                printf("\t%s Item for %u:\n", draw_special_char(DRAW_ARROW), PTR_TO_UINT(k));
                dump_items(i, "\t\t");
        }
}

void policy_dump(Policy *p) {

        printf("%s Default Items:\n", draw_special_char(DRAW_ARROW));
        dump_items(p->default_items, "\t");

        printf("%s Group Items:\n", draw_special_char(DRAW_ARROW));
        dump_hashmap_items(p->group_items);

        printf("%s User Items:\n", draw_special_char(DRAW_ARROW));
        dump_hashmap_items(p->user_items);

        printf("%s On-Console Items:\n", draw_special_char(DRAW_ARROW));
        dump_items(p->on_console_items, "\t");

        printf("%s No-Console Items:\n", draw_special_char(DRAW_ARROW));
        dump_items(p->no_console_items, "\t");

        printf("%s Mandatory Items:\n", draw_special_char(DRAW_ARROW));
        dump_items(p->mandatory_items, "\t");

        fflush(stdout);
}

int shared_policy_new(SharedPolicy **out) {
        SharedPolicy *sp;
        int r;

        sp = new0(SharedPolicy, 1);
        if (!sp)
                return log_oom();

        r = pthread_mutex_init(&sp->lock, NULL);
        if (r < 0) {
                log_error_errno(r, "Cannot initialize shared policy mutex: %m");
                goto exit_free;
        }

        r = pthread_rwlock_init(&sp->rwlock, NULL);
        if (r < 0) {
                log_error_errno(r, "Cannot initialize shared policy rwlock: %m");
                goto exit_mutex;
        }

        *out = sp;
        sp = NULL;
        return 0;

        /* pthread lock destruction is not fail-safe... meh! */
exit_mutex:
        pthread_mutex_destroy(&sp->lock);
exit_free:
        free(sp);
        return r;
}

SharedPolicy *shared_policy_free(SharedPolicy *sp) {
        if (!sp)
                return NULL;

        policy_free(sp->policy);
        pthread_rwlock_destroy(&sp->rwlock);
        pthread_mutex_destroy(&sp->lock);
        free(sp);

        return NULL;
}

static int shared_policy_reload_unlocked(SharedPolicy *sp, char **configuration) {
        Policy old, buffer = {};
        bool free_old;
        int r;

        assert(sp);

        r = policy_load(&buffer, configuration);
        if (r < 0)
                return log_error_errno(r, "Failed to load policy: %m");

        /* policy_dump(&buffer); */

        pthread_rwlock_wrlock(&sp->rwlock);
        memcpy(&old, &sp->buffer, sizeof(old));
        memcpy(&sp->buffer, &buffer, sizeof(buffer));
        free_old = !!sp->policy;
        sp->policy = &sp->buffer;
        pthread_rwlock_unlock(&sp->rwlock);

        if (free_old)
                policy_free(&old);

        return 0;
}

int shared_policy_reload(SharedPolicy *sp, char **configuration) {
        int r;

        assert(sp);

        pthread_mutex_lock(&sp->lock);
        r = shared_policy_reload_unlocked(sp, configuration);
        pthread_mutex_unlock(&sp->lock);

        return r;
}

int shared_policy_preload(SharedPolicy *sp, char **configuration) {
        int r;

        assert(sp);

        pthread_mutex_lock(&sp->lock);
        if (!sp->policy)
                r = shared_policy_reload_unlocked(sp, configuration);
        else
                r = 0;
        pthread_mutex_unlock(&sp->lock);

        return r;
}

Policy *shared_policy_acquire(SharedPolicy *sp) {
        assert(sp);

        pthread_rwlock_rdlock(&sp->rwlock);
        if (sp->policy)
                return sp->policy;
        pthread_rwlock_unlock(&sp->rwlock);

        return NULL;
}

void shared_policy_release(SharedPolicy *sp, Policy *p) {
        assert(sp);
        assert(!p || sp->policy == p);

        if (p)
                pthread_rwlock_unlock(&sp->rwlock);
}

static const char* const policy_item_type_table[_POLICY_ITEM_TYPE_MAX] = {
        [_POLICY_ITEM_TYPE_UNSET] = "unset",
        [POLICY_ITEM_ALLOW] = "allow",
        [POLICY_ITEM_DENY] = "deny",
};
DEFINE_STRING_TABLE_LOOKUP(policy_item_type, PolicyItemType);

static const char* const policy_item_class_table[_POLICY_ITEM_CLASS_MAX] = {
        [_POLICY_ITEM_CLASS_UNSET] = "unset",
        [POLICY_ITEM_SEND] = "send",
        [POLICY_ITEM_RECV] = "recv",
        [POLICY_ITEM_OWN] = "own",
        [POLICY_ITEM_OWN_PREFIX] = "own-prefix",
        [POLICY_ITEM_USER] = "user",
        [POLICY_ITEM_GROUP] = "group",
        [POLICY_ITEM_IGNORE] = "ignore",
};
DEFINE_STRING_TABLE_LOOKUP(policy_item_class, PolicyItemClass);