From 935a41a04c3f638134fa905503fc41ddbd18902f Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Tue, 9 Nov 2004 06:11:33 +0000 Subject: 2004-11-09 Colin Walters * dbus/dbus-string.c (_dbus_string_get_length): New function, writes DBusString to C buffer. * dbus/dbus-string.h: Prototype it. * dbus/dbus-message.c (dbus_message_type_to_string): New function, converts message type into C string. * dbus/dbus-message.h: Prototype it. * bus/selinux.c (bus_selinux_check): Take source pid, target pid, and audit data. Pass audit data to avc_has_perm. (log_audit_callback): New function, appends extra audit information. (bus_selinux_allows_acquire_service): Also take service name, add it to audit data. (bus_selinux_allows_send): Also take message type, interface, method member, error name, and destination, and add them to audit data. (log_cb): Initialize func_audit. * bus/selinux.h (bus_selinux_allows_acquire_service) (bus_selinux_allows_send): Update prototypes * bus/services.c (bus_registry_acquire_service): Pass service name to bus_selinux_allows_acquire_service. * bus/bus.c (bus_context_check_security_policy): Pass additional audit data. Move assignment of dest to its own line. --- bus/bus.c | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) (limited to 'bus/bus.c') diff --git a/bus/bus.c b/bus/bus.c index 65e396c3..a80636b1 100644 --- a/bus/bus.c +++ b/bus/bus.c @@ -1127,12 +1127,20 @@ bus_context_check_security_policy (BusContext *context, if (sender != NULL) { + const char *dest; + + dest = dbus_message_get_destination (message); + /* First verify the SELinux access controls. If allowed then * go on with the standard checks. */ - if (!bus_selinux_allows_send (sender, proposed_recipient)) + if (!bus_selinux_allows_send (sender, proposed_recipient, + dbus_message_type_to_string (dbus_message_get_type (message)), + dbus_message_get_interface (message), + dbus_message_get_member (message), + dbus_message_get_error_name (message), + dest ? dest : DBUS_SERVICE_ORG_FREEDESKTOP_DBUS)) { - const char *dest = dbus_message_get_destination (message); dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, "An SELinux policy prevents this sender " "from sending this message to this recipient " @@ -1255,7 +1263,9 @@ bus_context_check_security_policy (BusContext *context, proposed_recipient, message)) { - const char *dest = dbus_message_get_destination (message); + const char *dest; + + dest = dbus_message_get_destination (message); dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, "A security policy in place prevents this sender " "from sending this message to this recipient, " @@ -1280,7 +1290,9 @@ bus_context_check_security_policy (BusContext *context, addressed_recipient, proposed_recipient, message)) { - const char *dest = dbus_message_get_destination (message); + const char *dest; + + dest = dbus_message_get_destination (message); dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, "A security policy in place prevents this recipient " "from receiving this message from this sender, " @@ -1304,7 +1316,9 @@ bus_context_check_security_policy (BusContext *context, dbus_connection_get_outgoing_size (proposed_recipient) > context->limits.max_outgoing_bytes) { - const char *dest = dbus_message_get_destination (message); + const char *dest; + + dest = dbus_message_get_destination (message); dbus_set_error (error, DBUS_ERROR_LIMITS_EXCEEDED, "The destination service \"%s\" has a full message queue", dest ? dest : (proposed_recipient ? -- cgit