| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Stephen Smalley wrote:
> On Tue, 2009-04-21 at 16:32 -0400, Joshua Brindle wrote:
>
>> Stephen Smalley wrote:
>>
>>> On Thu, 2009-04-16 at 20:47 -0400, Eamon Walsh wrote:
>>>
>>>> Stephen Smalley wrote:
>>>>
>> <snip>
>>
>>
>>> No, I don't want to change the behavior upon context_to_sid calls in
>>> general, as we otherwise lose all context validity checking in
>>> permissive mode.
>>>
>>> I think I'd rather change compute_sid behavior to preclude the situation
>>> from arising in the first place, possibly altering the behavior in
>>> permissive mode upon an invalid context to fall back on the ssid
>>> (process) or the tsid (object). But I'm not entirely convinced any
>>> change is required here.
>>>
>>>
>> I just want to follow up to make sure we are all on the same page here. Was the
>> suggestion to change avc_has_perm in libselinux or context_to_sid in the kernel
>> or leave the code as is and fix the callers of avc_has_perm to correctly handle
>> error codes?
>>
>> I prefer the last approach because of Eamon's explanation, EINVAL is already
>> passed in errno to specify the context was invalid (and if object managers
>> aren't handling that correctly now there is a good chance they aren't handling
>> the ENOMEM case either).
>>
>
> I'd be inclined to change compute_sid (not context_to_sid) in the kernel
> to prevent invalid contexts from being formed even in permissive mode
> (scenario is a type transition where role is not authorized for the new
> type). That was originally to allow the system to boot in permissive
> mode. But an alternative would be to just stay in the caller's context
> (ssid) in that situation.
>
> Changing the callers of avc_has_perm() to handle EINVAL and/or ENOMEM
> may make sense, but that logic should not depend on enforcing vs.
> permissive mode.
>
>
FWIW, the following patch to D-Bus should help:
bfo21072 - Log SELinux denials better by checking errno for the cause
Note that this does not fully address the bug report since
EINVAL can still be returned in permissive mode. However the log
messages will now reflect the proper cause of the denial.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Colin Walters <walters@verbum.org>
|
|
|
|
|
|
| |
* dbus/dbus-sysdeps-unix.c: define _GNU_SOURCE
* bus/selinux.c: include limits.h
* Patch by Matthias Clasen <mclasen at redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
_dbus_string_copy_to_buffer weird behavior.
2007-10-31 Havoc Pennington <hp@redhat.com>
* bus/selinux.c (log_audit_callback): rewrite to use
_dbus_string_copy_to_buffer_with_nul()
* dbus/dbus-string.c (_dbus_string_copy_to_buffer): change to NOT
nul-terminate the buffer; fail an assertion if there is not enough
space in the target buffer. This fixes two bugs where
copy_to_buffer was used to copy the binary bytes in a UUID, where
nul termination did not make sense. Bug reported by David Castelow.
(_dbus_string_copy_to_buffer_with_nul): new function that always
nul-terminates the buffer, and fails an assertion if there is not
enough space in the buffer.
|
|
|
|
|
|
|
|
|
|
|
|
| |
namespace it
2007-10-23 Havoc Pennington <hp@redhat.com>
* bus/bus.c (bus_context_new): use the new name here
* bus/selinux.c (bus_selinux_audit_init): rename from audit_init()
to avoid possible libc conflict, and declare it in .h file to
avoid a warning
|
|
|
|
|
|
|
|
|
| |
* patch by Dan Walsh <dwalsh@redhat.com>
* https://bugs.freedesktop.org/show_bug.cgi?id=12429
* Reverse we_were_root check to setpcap if we were root. Also only init
audit if we were root. So error dbus message will not show up when policy
reload happens. dbus -session will no longer try to send audit message,
only system will.
|
|
|
|
| |
* Add indent-tabs-mode: nil to all file headers.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dbus/dbus-sysdeps.c (_dbus_set_errno_to_zero)
(_dbus_get_is_errno_nonzero, _dbus_get_is_errno_eintr)
(_dbus_strerror_from_errno): family of functions to abstract
errno, though these are somewhat bogus (really we should make our
socket wrappers not use errno probably - the issue is that any
usage of errno that isn't socket-related probably is not
cross-platform, so should either be in a unix-only file that can
use errno directly, or is a bug - these general errno wrappers
hide issues of this nature in non-socket code, while
socket-specific API changes would not since sockets are allowed
cross-platform)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dbus/dbus-server-socket.c (_dbus_server_listen_socket): support
all_interfaces=true|false for tcp servers
* dbus/dbus-sysdeps-unix.c (_dbus_listen_tcp_socket): support
inaddr_any flag
* bus/selinux.c: fix some missing includes
* dbus/dbus-server-socket.c (_dbus_server_listen_socket): allow
port to simply be omitted in addition to specifying 0
|
|
|
|
|
|
|
|
|
|
|
| |
* configure.ac, bus/selinux.c, dbus/dbus-sysdeps-unix-util.c: add
libaudit support, no clue what this means really but now we have
it. Patches from Fedora package.
* bus/bus.c (bus_context_new): move selinux initialization after
changing to daemon user, patch from Fedora package
* dbus/dbus-transport.c (auth_via_unix_user_function): fix a typo
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
with cleanups of bugs found from Coverity reports:
* dbus/dbus-sysdeps-util.c (_dbus_write_pid_file):
close the file on error to avoid a leak
* bus/expirelist.c (bus_expire_list_test):
Check for NULL on dbus_new0
* bus/activation.c (update_directory):
remove dead code
* bus/config-parser.c (merge_service_context_hash, start_selinux_child):
Fix some leaks
* bus/bus.c (process_config_every_time):
Fixed a leak
* bus/desktop-file.c (parse_key_value):
Fixed leak
* bus/selinux.c (bus_selinux_id_table_insert):
Fixed leak
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bus/driver.c (bus_driver_handle_get_connection_selinux_security_context): Renamed
from bus_driver_handle_get_connection_unix_security_context. Update for
error usage.
(message_handlers): Update for renames.
* bus/selinux.c (bus_selinux_allows_send): Handle OOM on
_dbus_string_init failure correctly.
(bus_selinux_append_context): Convert SID to context. Append it
as a byte array.
(bus_selinux_shutdown): Handle the case where bus_selinux_full_init
hasn't been called.
* bus/selinux.h: Update prototype.
* dbus/dbus-protocol.h (DBUS_ERROR_SELINUX_SECURITY_CONTEXT_UNKNOWN): Renamed
from DBUS_ERROR_UNIX_SECURITY_CONTEXT_UNKNOWN.
|
|
|
|
|
| |
* bus/selinux.c (bus_selinux_append_context): Wrap in
HAVE_SELINUX.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bus/driver.c
(bus_driver_handle_get_connection_unix_security_context): New function.
(message_handlers): Add.
* bus/selinux.c (bus_selinux_append_context): New function; appends
security context to message.
* bus/selinux.h: Prototype.
* dbus/dbus-protocol.h (DBUS_ERROR_UNIX_SECURITY_CONTEXT_UNKNOWN): New.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bus/selinux.c: Add c-file-style to top of file
(log_audit_callback): Don't free the data here anymore
(bus_selinux_check): Don't take spid and tpid since appending
that to auxdata may OOM.
(bus_selinux_allows_acquire_service): Handle OOM and signal back
to the caller if we are OOM by taking an error object.
(bus_selinux_allows_send): -do-
* bus/selinux.h: Fix prototypes for bus_selinux_allows_acquire_service
and bus_selinux_allows_send
* bus/bus.c (bus_context_check_security_policy): Pass error and
pass on OOM thrown by bus_selinux_allows_send()
* bus/services.c (bus_registry_acquire_service): Pass error and
pass on OOM thrown by bus_selinux_allows_acquire_service()
|
|
|
|
|
| |
* bus/selinux.c (bus_selinux_allows_send): Handle NULL for
sender or proposed_recipient.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dbus/dbus-string.c (_dbus_string_get_length): New
function, writes DBusString to C buffer.
* dbus/dbus-string.h: Prototype it.
* dbus/dbus-message.c (dbus_message_type_to_string): New
function, converts message type into C string.
* dbus/dbus-message.h: Prototype it.
* bus/selinux.c (bus_selinux_check): Take source pid,
target pid, and audit data. Pass audit data to
avc_has_perm.
(log_audit_callback): New function, appends extra
audit information.
(bus_selinux_allows_acquire_service): Also take
service name, add it to audit data.
(bus_selinux_allows_send): Also take message
type, interface, method member, error name,
and destination, and add them to audit data.
(log_cb): Initialize func_audit.
* bus/selinux.h (bus_selinux_allows_acquire_service)
(bus_selinux_allows_send): Update prototypes
* bus/services.c (bus_registry_acquire_service): Pass
service name to bus_selinux_allows_acquire_service.
* bus/bus.c (bus_context_check_security_policy): Pass
additional audit data. Move assignment of dest
to its own line.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bus/bus.c (load_config): Break into three
separate functions: process_config_first_time_only,
process_config_every_time, and process_config_postinit.
(process_config_every_time): Move call of
bus_registry_set_service_context_table into
process_config_postinit.
(process_config_postinit): New function, does
any processing that needs to happen late
in initialization (and also on reload).
(bus_context_new): Instead of calling load_config,
open config parser here and call process_config_first_time_only
and process_config_every_time directly. Later, after
we have forked but before changing UID,
invoke bus_selinux_full_init, and then call
process_config_postinit.
(bus_context_reload_config): As in bus_context_new,
load parse file inside here, and call process_config_every_time
and process_config_postinit.
* bus/services.h, bus/services.c
(bus_registry_set_service_context_table): Rename
from bus_registry_set_sid_table. Take string hash from config
parser, and convert them here into SIDs.
* bus/config-parser.c (struct BusConfigParser): Have
config parser only store a mapping of service->context
string.
(merge_service_context_hash): New function.
(merge_included): Merge context string hashes instead
of using bus_selinux_id_table_union.
(bus_config_parser_new): Don't use bus_selinux_id_table_new;
simply create a new string hash.
(bus_config_parser_unref): Unref it.
(start_selinux_child): Simply insert strings into hash,
don't call bus_selinux_id_table_copy_over.
* bus/selinux.h, bus/selinux.c (bus_selinux_id_table_union)
(bus_selinux_id_table_copy_over): Delete.
|
| |
|
|
|
|
|
| |
* bus/selinux.c (bus_selinux_pre_init): Kill some unused
variables.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bus/selinux.c (bus_selinux_init): Split into two functions,
bus_selinux_pre_init and bus_selinux_post_init.
(bus_selinux_pre_init): Just determine whether SELinux is
enabled.
(bus_selinux_post_init): Do everything else.
* bus/main.c (main): Call bus_selinux_pre_init before parsing
config file, and bus_selinux_post_init after. This ensures that
we don't lose the policyreload notification thread that
bus_selinux_init created before forking previously.
* bus/test-main.c (test_pre_hook): Update for split.
|
|
|
|
|
| |
* bus/selinux.c (bus_selinux_enabled): Handle
--disable-selinux case.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bus/selinux.h: Add bus_selinux_enabled.
* bus/selinux.c (bus_selinux_enabled): Implement it.
* bus/config-parser.c (struct include): Add
if_selinux_enabled member.
(start_busconfig_child): Parse if_selinux_enabled
attribute for include.
(bus_config_parser_content): Handle it.
* bus/session.conf.in, bus/system.conf.in: Add
inclusion of context mapping to default config files;
conditional on SELinux being enabled.
* doc/busconfig.dtd: Add to if_selinux_enabled to default DTD.
* test/data/invalid-config-files/badselinux-1.conf,
test/data/invalid-config-files/badselinux-2.conf:
Test files for bad syntax.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bus/selinux.h: Prototype bus_selinux_get_policy_root.
* bus/selinux.c: Create a thread for policy reload notification.
(bus_selinux_get_policy_root): Implement.
Updated SELinux support from Matthew Rickard <mjricka@epoch.ncsc.mil>
* bus/config-parser.c (start_busconfig_child)
(bus_config_parser_content): Support SELinux-root relative
inclusion.
* configure.in <HAVE_SELINUX>: Add -lpthread.
* bus/test-main.c (test_pre_hook, test_post_hook): New.
(test_post_hook): Move memory checking into here.
(test_pre_hook, test_post_hook): Move SELinux checks in
here, but conditional on a DBUS_TEST_SELINUX environment
variable. Unfortunately we can't run the SELinux checks
as a normal user, since they won't have any permissions
for /selinux. So this will have to be tested manually
for now, until we have virtualization for most of
libselinux.
|
|
|
|
|
|
|
|
| |
* bus/config-parser.c (start_busconfig_child): Remove some unused
variables.
* bus/selinux.c (bus_selinux_id_table_insert): Avoid compiler
warning.
|
|
|
|
|
| |
* COPYING: switch to Academic Free License version 2.1 instead of
2.0, to resolve complaints about patent termination clause.
|
|
|
|
|
| |
* bus/selinux.c <HAVE_SELINUX>: Include utils.h to get
BUS_SET_OOM.
|
|
SELinux support from Matthew Rickard <mjricka@epoch.ncsc.mil>
* bus/selinux.c, bus/selinux.h: new file encapsulating selinux
functionality
* configure.in: add --enable-selinux
* bus/policy.c (bus_policy_merge): add FIXME to a comment
* bus/main.c (main): initialize and shut down selinux
* bus/connection.c: store SELinux ID on each connection, to avoid
repeated getting of the string context and converting it into
an ID
* bus/bus.c (bus_context_get_policy): new accessor, though it
isn't used
(bus_context_check_security_policy): check whether the security
context of sender connection can send to the security context of
recipient connection
* bus/config-parser.c: add parsing for <selinux> and <associate>
* dbus/dbus-transport.c (_dbus_transport_get_unix_fd): to
implement dbus_connection_get_unix_fd()
* dbus/dbus-connection.c (dbus_connection_get_unix_fd): new
function, used by the selinux stuff
|