fdo-mirrors/dbus
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/dbus/dbus.git synced 2026-05-08 06:48:01 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Initialize SELinux and Apparmor after capabilities are set

Browse source 
avc_init() in the SELinux code path is creating a new thread, we need to
set to capabilities before it gets created so it has the permission to
send audit messages.

It also make more sense to open the audit netlink before the different
logging callbacks are set.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92832
[smcv: add comments explaining why initialization must happen in this
specific order]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This commit is contained in:
Laurent Bigonville 2015-11-17 21:47:05 +01:00 committed by Simon McVittie
parent 1fcb37d0a3
commit a3a5935a0a
1 changed files with 26 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

40
bus/bus.c
View file

@ -931,6 +931,27 @@ bus_context_new (const DBusString *config_file,
!_dbus_pipe_is_stdout_or_stderr (print_pid_pipe))
_dbus_pipe_close (print_pid_pipe, NULL);
/* Here we change our credentials if required,
* as soon as we've set up our sockets and pidfile.
* This must be done before initializing LSMs, so that the netlink
* monitoring thread started by avc_init() will not lose CAP_AUDIT_WRITE
* when the main thread calls setuid().
* https://bugs.freedesktop.org/show_bug.cgi?id=92832
*/
if (context->user != NULL)
{
if (!_dbus_change_to_daemon_user (context->user, error))
{
_DBUS_ASSERT_ERROR_IS_SET (error);
goto failed;
}
}
/* Auditing should be initialized before LSMs, so that the LSMs are able
* to log audit-events that happen during their initialization.
*/
bus_audit_init (context);
if (!bus_selinux_full_init ())
{
bus_context_log (context, DBUS_SYSTEM_LOG_FATAL, "SELinux enabled but D-Bus initialization failed; check system log\n");
@ -950,6 +971,11 @@ bus_context_new (const DBusString *config_file,
"AppArmor D-Bus mediation is enabled\n");
}
/* When SELinux is used, this must happen after bus_selinux_full_init()
* so that it has access to the access vector cache, which is required
* to process <associate/> elements.
* http://lists.freedesktop.org/archives/dbus/2008-October/010491.html
*/
if (!process_config_postinit (context, parser, error))
{
_DBUS_ASSERT_ERROR_IS_SET (error);
@ -962,20 +988,6 @@ bus_context_new (const DBusString *config_file,
parser = NULL;
}
/* Here we change our credentials if required,
* as soon as we've set up our sockets and pidfile
*/
if (context->user != NULL)
{
if (!_dbus_change_to_daemon_user (context->user, error))
{
_DBUS_ASSERT_ERROR_IS_SET (error);
goto failed;
}
}
bus_audit_init (context);
dbus_server_free_data_slot (&server_data_slot);
return context;