diff options
author | Havoc Pennington <hp@redhat.com> | 2004-07-30 05:59:34 +0000 |
---|---|---|
committer | Havoc Pennington <hp@redhat.com> | 2004-07-30 05:59:34 +0000 |
commit | 1e9b185b0c274ef0d684b1e43418388225321e72 (patch) | |
tree | 66bb08beb9ea1b4250953294134e2c995f8adf34 /bus/services.c | |
parent | 4076d31c71bee332c4a697597a93345b45850b33 (diff) |
2004-07-24 Havoc Pennington <hp@redhat.com>
SELinux support from Matthew Rickard <mjricka@epoch.ncsc.mil>
* bus/selinux.c, bus/selinux.h: new file encapsulating selinux
functionality
* configure.in: add --enable-selinux
* bus/policy.c (bus_policy_merge): add FIXME to a comment
* bus/main.c (main): initialize and shut down selinux
* bus/connection.c: store SELinux ID on each connection, to avoid
repeated getting of the string context and converting it into
an ID
* bus/bus.c (bus_context_get_policy): new accessor, though it
isn't used
(bus_context_check_security_policy): check whether the security
context of sender connection can send to the security context of
recipient connection
* bus/config-parser.c: add parsing for <selinux> and <associate>
* dbus/dbus-transport.c (_dbus_transport_get_unix_fd): to
implement dbus_connection_get_unix_fd()
* dbus/dbus-connection.c (dbus_connection_get_unix_fd): new
function, used by the selinux stuff
Diffstat (limited to 'bus/services.c')
-rw-r--r-- | bus/services.c | 42 |
1 files changed, 41 insertions, 1 deletions
diff --git a/bus/services.c b/bus/services.c index 33caded6..81e3eaf3 100644 --- a/bus/services.c +++ b/bus/services.c @@ -31,6 +31,8 @@ #include "utils.h" #include "activation.h" #include "policy.h" +#include "bus.h" +#include "selinux.h" struct BusService { @@ -51,6 +53,8 @@ struct BusRegistry DBusHashTable *service_hash; DBusMemPool *service_pool; + + DBusHashTable *service_sid_table; }; BusRegistry* @@ -75,6 +79,8 @@ bus_registry_new (BusContext *context) if (registry->service_pool == NULL) goto failed; + registry->service_sid_table = NULL; + return registry; failed: @@ -103,7 +109,9 @@ bus_registry_unref (BusRegistry *registry) _dbus_hash_table_unref (registry->service_hash); if (registry->service_pool) _dbus_mem_pool_free (registry->service_pool); - + if (registry->service_sid_table) + _dbus_hash_table_unref (registry->service_sid_table); + dbus_free (registry); } } @@ -263,6 +271,7 @@ bus_registry_acquire_service (BusRegistry *registry, BusClientPolicy *policy; BusService *service; BusActivation *activation; + BusSELinuxID *sid; retval = FALSE; @@ -292,6 +301,24 @@ bus_registry_acquire_service (BusRegistry *registry, policy = bus_connection_get_policy (connection); _dbus_assert (policy != NULL); + /* Note that if sid is #NULL then the bus's own context gets used + * in bus_connection_selinux_allows_acquire_service() + */ + sid = bus_selinux_id_table_lookup (registry->service_sid_table, + service_name); + + if (!bus_selinux_allows_acquire_service (connection, sid)) + { + dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, + "Connection \"%s\" is not allowed to own the service \"%s\" due " + "to SELinux policy", + bus_connection_is_active (connection) ? + bus_connection_get_name (connection) : + "(inactive)", + service_name); + goto out; + } + if (!bus_client_policy_check_can_own (policy, connection, service_name)) { @@ -387,6 +414,19 @@ bus_registry_acquire_service (BusRegistry *registry, return retval; } +void +bus_registry_set_service_sid_table (BusRegistry *registry, + DBusHashTable *table) +{ + _dbus_assert (registry->service_sid_table != table); + + if (registry->service_sid_table) + _dbus_hash_table_unref (registry->service_sid_table); + + registry->service_sid_table = table; + _dbus_hash_table_ref (table); +} + static void bus_service_unlink_owner (BusService *service, DBusConnection *owner) |