fdo-mirrors/dbus
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/dbus/dbus.git synced 2026-05-07 09:48:02 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Stop using selinux_set_mapping() function

Browse source 
Currently, if the "dbus" security class or the associated AV doesn't
exist, dbus-daemon fails to initialize and exits immediately. Also the
security classes or access vector cannot be reordered in the policy.
This can be a problem for people developing their own policy or trying
to access a machine where, for some reasons, there is not policy defined
at all.

The code here copy the behaviour of the selinux_check_access() function.
We cannot use this function here as it doesn't allow us to define the
AVC entry reference.

See the discussion at https://marc.info/?l=selinux&m=152163374332372&w=2

Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/198
This commit is contained in:
Laurent Bigonville 2018-03-03 11:15:23 +01:00
parent baffedbac9
commit 6072f8b241
1 changed files with 42 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

75
bus/selinux.c
View file

@ -232,24 +232,6 @@ bus_selinux_pre_init (void)
#endif
}
/*
* Private Flask definitions; the order of these constants must
* exactly match that of the structure array below!
*/
/* security dbus class constants */
#define SECCLASS_DBUS 1
/* dbus's per access vector constants */
#define DBUS__ACQUIRE_SVC 1
#define DBUS__SEND_MSG 2
#ifdef HAVE_SELINUX
static struct security_class_mapping dbus_map[] = {
{ "dbus", { "acquire_svc", "send_msg", NULL } },
{ NULL }
};
#endif /* HAVE_SELINUX */
/**
* Establish dynamic object class and permission mapping and
* initialize the user space access vector cache (AVC) for D-Bus and set up
@ -271,13 +253,6 @@ bus_selinux_full_init (BusContext *context, DBusError *error)
_dbus_verbose ("SELinux is enabled in this kernel.\n");
if (selinux_set_mapping (dbus_map) < 0)
{
_dbus_warn ("Failed to set up security class mapping (selinux_set_mapping():%s).",
strerror (errno));
return FALSE;
}
avc_entry_ref_init (&aeref);
if (avc_open (NULL, 0) < 0)
{
@ -392,19 +367,53 @@ error:
static dbus_bool_t
bus_selinux_check (BusSELinuxID *sender_sid,
BusSELinuxID *override_sid,
security_class_t target_class,
access_vector_t requested,
DBusString *auxdata)
const char *target_class,
const char *requested,
DBusString *auxdata)
{
int saved_errno;
security_class_t security_class;
access_vector_t requested_access;
if (!selinux_enabled)
return TRUE;
security_class = string_to_security_class (target_class);
if (security_class == 0)
{
saved_errno = errno;
log_callback (SELINUX_ERROR, "Unknown class %s", target_class);
if (security_deny_unknown () == 0)
{
return TRUE;
}
_dbus_verbose ("Unknown class %s\n", target_class);
errno = saved_errno;
return FALSE;
}
requested_access = string_to_av_perm (security_class, requested);
if (requested_access == 0)
{
saved_errno = errno;
log_callback (SELINUX_ERROR, "Unknown permission %s for class %s", requested, target_class);
if (security_deny_unknown () == 0)
{
return TRUE;
}
_dbus_verbose ("Unknown permission %s for class %s\n", requested, target_class);
errno = saved_errno;
return FALSE;
}
/* Make the security check. AVC checks enforcing mode here as well. */
if (avc_has_perm (SELINUX_SID_FROM_BUS (sender_sid),
override_sid ?
SELINUX_SID_FROM_BUS (override_sid) :
bus_sid,
target_class, requested, &aeref, auxdata) < 0)
security_class, requested_access, &aeref, auxdata) < 0)
{
switch (errno)
{
@ -471,8 +480,8 @@ bus_selinux_allows_acquire_service (DBusConnection *connection,
ret = bus_selinux_check (connection_sid,
service_sid,
SECCLASS_DBUS,
DBUS__ACQUIRE_SVC,
"dbus",
"acquire_svc",
&auxdata);
_dbus_string_free (&auxdata);
@ -600,8 +609,8 @@ bus_selinux_allows_send (DBusConnection *sender,
ret = bus_selinux_check (sender_sid,
recipient_sid,
SECCLASS_DBUS,
DBUS__SEND_MSG,
"dbus",
"send_msg",
&auxdata);
_dbus_string_free (&auxdata);