From 8fad15265fd0f405a67eebbece81520b47d7ba5f Mon Sep 17 00:00:00 2001 From: Tomas Hoger Date: Thu, 4 Dec 2008 15:19:13 -0500 Subject: Bug 18229 - Change system.conf to correctly deny non-reply sends by default The previous rule was actually applied to all messages, even if they weren't a reply. This meant that in fact the default DBus policy was effectively allow, rather than deny as claimed. This fix ensures that the above rule only applies to actual reply messages. Signed-off-by: Colin Walters --- bus/system.conf.in | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'bus') diff --git a/bus/system.conf.in b/bus/system.conf.in index 6a71926e..ac2822fa 100644 --- a/bus/system.conf.in +++ b/bus/system.conf.in @@ -50,9 +50,19 @@ even if they aren't in here --> - - + + + + + Date: Tue, 9 Dec 2008 09:15:06 -0500 Subject: Bug 18229: Allow signals Our previous fix went too far towards lockdown; many things rely on signals to work, and there's no really good reason to restrict which signals can be emitted on the bus because we can't tie them to a particular sender. --- bus/system.conf.in | 2 ++ 1 file changed, 2 insertions(+) (limited to 'bus') diff --git a/bus/system.conf.in b/bus/system.conf.in index ac2822fa..1b6e716a 100644 --- a/bus/system.conf.in +++ b/bus/system.conf.in @@ -50,6 +50,8 @@ even if they aren't in here --> + + -- cgit From 120604d272ef47b9ab05e478b147ca4a0312c8db Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Tue, 9 Dec 2008 09:18:49 -0500 Subject: Add at_console docs to manpage, as well as brief foreward We need some sort of general advice here. --- bus/dbus-daemon.1.in | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) (limited to 'bus') diff --git a/bus/dbus-daemon.1.in b/bus/dbus-daemon.1.in index 5599afe6..826353c3 100644 --- a/bus/dbus-daemon.1.in +++ b/bus/dbus-daemon.1.in 
@@ -410,15 +410,28 @@ they are analogous to a firewall in that they allow expected traffic and prevent unexpected traffic. .PP -The element has one of three attributes: +Currently, the system bus has a default-deny policy for sending method calls +and owning bus names. Everything else, in particular reply messages, receive +checks, and signals has a default allow policy. + +.PP +In general, it is best to keep system services as small, targeted programs which +run in their own process and provide a single bus name. Then, all that is needed +is an rule for the "own" permission to let the process claim the bus +name, and a "send_destination" rule to allow traffic from some or all uids to +your service. + +.PP +The element has one of four attributes: +daemon.1.in .nf context="(default|mandatory)" + at_console="(true|false)" user="username or userid" group="group name or gid" .fi .PP - Policies are applied to a connection as follows: .nf - all context="default" policies are applied @@ -426,6 +439,8 @@ Policies are applied to a connection as follows: in undefined order - all user="connection's auth user" policies are applied in undefined order + - all at_console="true" policies are applied + - all at_console="false" policies are applied - all context="mandatory" policies are applied .fi -- cgit From df09db0d4204f1bfb8188f5af52fc542d4ef94b7 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Tue, 9 Dec 2008 10:15:49 -0500 Subject: Another manpage update explicitly mentioning bare send_interface We need to fix all of the bare send_interface rules; see: https://bugs.freedesktop.org/show_bug.cgi?id=18961 --- bus/dbus-daemon.1.in | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'bus') diff --git a/bus/dbus-daemon.1.in b/bus/dbus-daemon.1.in index 826353c3..81439343 100644 --- a/bus/dbus-daemon.1.in +++ b/bus/dbus-daemon.1.in 
@@ -1,6 +1,6 @@ .\" .\" dbus-daemon manual page. -.\" Copyright (C) 2003 Red Hat, Inc. +.\" Copyright (C) 2003,2008 Red Hat, Inc. .\" .TH dbus-daemon 1 .SH NAME @@ -581,7 +581,11 @@ received" are evaluated separately. .PP Be careful with send_interface/receive_interface, because the -interface field in messages is optional. +interface field in messages is optional. In particular, do NOT +specify ! This will cause +no-interface messages to be blocked for all services, which is +almost certainly not what you intended. Always use rules of +the form: .TP .I "" -- cgit From 3d6abf64d0abb2718e082e120f14f8f923a4af59 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 12 Dec 2008 14:50:21 -0500 Subject: Clean up and clarify default system policy The former was too reliant on old bugs and was generally unclear. This one makes explicit exactly what is allowed and not. --- bus/system.conf.in | 42 +++++++++++++++++++----------------------- 1 file changed, 19 insertions(+), 23 deletions(-) (limited to 'bus') diff --git a/bus/system.conf.in b/bus/system.conf.in index 1b6e716a..677ffdff 100644 --- a/bus/system.conf.in +++ b/bus/system.conf.in @@ -39,33 +39,29 @@ @DBUS_SYSTEM_BUS_DEFAULT_ADDRESS@ - - - - - + - - - - - + + + + + + - - - - - + + + + + + + + + + -- cgit From 69ed32cbccbec9d613447cb64e9d7b1ffa11ce3c Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Wed, 10 Dec 2008 14:17:02 -0500 Subject: Add syslog of security denials and configuration file reloads We need to start logging denials so that they become more easily trackable and debuggable. --- bus/bus.c | 90 +++++++++++++++++++++++++++++++++++++++------- bus/bus.h | 6 ++++ bus/config-parser-common.c | 8 ++++- bus/config-parser-common.h | 3 +- bus/config-parser.c | 25 +++++++++++++ bus/config-parser.h | 1 + bus/policy.c | 10 ++++-- bus/policy.h | 6 ++-- bus/system.conf.in | 3 ++ 9 files changed, 133 insertions(+), 19 deletions(-) (limited to 'bus') diff --git a/bus/bus.c b/bus/bus.c index a28a2672..195a6fd4 100644 
--- a/bus/bus.c +++ b/bus/bus.c @@ -54,6 +54,7 @@ struct BusContext BusMatchmaker *matchmaker; BusLimits limits; unsigned int fork : 1; + unsigned int syslog : 1; }; static dbus_int32_t server_data_slot = -1; @@ -384,6 +385,7 @@ process_config_first_time_only (BusContext *context, } context->fork = bus_config_parser_get_fork (parser); + context->syslog = bus_config_parser_get_syslog (parser); _DBUS_ASSERT_ERROR_IS_CLEAR (error); retval = TRUE; @@ -826,7 +828,10 @@ bus_context_reload_config (BusContext *context, } ret = TRUE; + bus_context_log_info (context, "Reloaded configuration"); failed: + if (!ret) + bus_context_log_info (context, "Unable to reload configuration: %s", error->message); if (parser != NULL) bus_config_parser_unref (parser); return ret; @@ -1107,6 +1112,32 @@ bus_context_get_reply_timeout (BusContext *context) return context->limits.reply_timeout; } +void +bus_context_log_info (BusContext *context, const char *msg, ...) +{ + va_list args; + + va_start (args, msg); + + if (context->syslog) + _dbus_log_info (msg, args); + + va_end (args); +} + +void +bus_context_log_security (BusContext *context, const char *msg, ...) +{ + va_list args; + + va_start (args, msg); + + if (context->syslog) + _dbus_log_security (msg, args); + + va_end (args); +} + /* * addressed_recipient is the recipient specified in the message. * @@ -1131,8 +1162,10 @@ bus_context_check_security_policy (BusContext *context, { BusClientPolicy *sender_policy; BusClientPolicy *recipient_policy; + dbus_int32_t toggles; int type; dbus_bool_t requested_reply; + const char *sender_name; type = dbus_message_get_type (message); 
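Review bot: The failure branch added under `failed:` in bus_context_reload_config reads `error->message` without checking `error`. The D-Bus error convention lets callers pass a NULL DBusError, and the callers are not visible here, so a guarded form is safer: `bus_context_log_info (context, "Unable to reload configuration: %s", error ? error->message : "(no details)");`. The function body starts and ends outside the hunk, so whether every path to `failed:` sets the error cannot be confirmed from here.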
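Review bot: The new variadic wrappers bus_context_log_info and bus_context_log_security take a printf-style `msg` but carry no format annotation, so the compiler cannot check the long argument lists that the denial paths pass to them. A mismatched specifier there is undefined behaviour in the daemon's security logging path. Annotating the prototypes in bus/bus.h, e.g. `void bus_context_log_security (BusContext *context, const char *msg, ...) _DBUS_GNUC_PRINTF (2, 3);`, would catch that at build time. Both functions would also benefit from a short comment such as `/* Dropped silently unless the configuration enabled syslog */`, since `context->syslog` gates every message.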
@@ -1143,6 +1176,12 @@ bus_context_check_security_policy (BusContext *context, _dbus_assert (type == DBUS_MESSAGE_TYPE_SIGNAL || addressed_recipient != NULL || strcmp (dbus_message_get_destination (message), DBUS_SERVICE_DBUS) == 0); + + /* Used in logging below */ + if (sender != NULL) + sender_name = bus_connection_get_name (sender); + else + sender_name = NULL; switch (type) { @@ -1185,8 +1224,9 @@ bus_context_check_security_policy (BusContext *context, dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, "An SELinux policy prevents this sender " "from sending this message to this recipient " - "(rejected message had interface \"%s\" " + "(rejected message had sender \"%s\" interface \"%s\" " "member \"%s\" error name \"%s\" destination \"%s\")", + sender_name ? sender_name : "(unset)", dbus_message_get_interface (message) ? dbus_message_get_interface (message) : "(unset)", dbus_message_get_member (message) ? @@ -1304,16 +1344,16 @@ bus_context_check_security_policy (BusContext *context, context->registry, requested_reply, proposed_recipient, - message)) + message, &toggles)) { const char *dest; + const char *msg = "Rejected send message, %d matched rules; " + "sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\")"; dest = dbus_message_get_destination (message); - dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, - "A security policy in place prevents this sender " - "from sending this message to this recipient, " - "see message bus configuration file (rejected message " - "had interface \"%s\" member \"%s\" error name \"%s\" destination \"%s\")", + dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg, + toggles, + sender_name ? sender_name : "(unset)", dbus_message_get_interface (message) ? dbus_message_get_interface (message) : "(unset)", dbus_message_get_member (message) ? 
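Review bot: The new `msg` format in the send-denial branch ends in `destination=\"%s\")`, leaving a closing parenthesis with no opener now that the old "(rejected message had ..." wording is gone; the receive-denial `msg` in the next bus.c hunk ends the same way with `requested_reply=%d)`. Dropping the trailing `)` from both strings keeps the entries well-formed for anything that parses them. The same string now feeds both `dbus_set_error` and the syslog call, so every field later added for logging also becomes part of the error text; a comment noting that coupling would help the next editor. bus_context_check_security_policy starts and ends outside this hunk.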
@@ -1321,6 +1361,17 @@ bus_context_check_security_policy (BusContext *context, dbus_message_get_error_name (message) ? dbus_message_get_error_name (message) : "(unset)", dest ? dest : DBUS_SERVICE_DBUS); + /* Needs to be duplicated to avoid calling malloc and having to handle OOM */ + bus_context_log_security (context, msg, + toggles, + sender_name ? sender_name : "(unset)", + dbus_message_get_interface (message) ? + dbus_message_get_interface (message) : "(unset)", + dbus_message_get_member (message) ? + dbus_message_get_member (message) : "(unset)", + dbus_message_get_error_name (message) ? + dbus_message_get_error_name (message) : "(unset)", + dest ? dest : DBUS_SERVICE_DBUS); _dbus_verbose ("security policy disallowing message due to sender policy\n"); return FALSE; } @@ -1331,16 +1382,16 @@ bus_context_check_security_policy (BusContext *context, requested_reply, sender, addressed_recipient, proposed_recipient, - message)) + message, &toggles)) { + const char *msg = "Rejected receive message, %d matched rules; " + "sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\" reply serial=%u requested_reply=%d)"; const char *dest; dest = dbus_message_get_destination (message); - dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, - "A security policy in place prevents this recipient " - "from receiving this message from this sender, " - "see message bus configuration file (rejected message " - "had interface \"%s\" member \"%s\" error name \"%s\" destination \"%s\" reply serial %u requested_reply=%d)", + dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg, + toggles, + sender_name ? sender_name : "(unset)", dbus_message_get_interface (message) ? dbus_message_get_interface (message) : "(unset)", dbus_message_get_member (message) ? 
@@ -1350,6 +1401,19 @@ bus_context_check_security_policy (BusContext *context, dest ? dest : DBUS_SERVICE_DBUS, dbus_message_get_reply_serial (message), requested_reply); + /* Needs to be duplicated to avoid calling malloc and having to handle OOM */ + bus_context_log_security (context, msg, + toggles, + sender_name ? sender_name : "(unset)", + dbus_message_get_interface (message) ? + dbus_message_get_interface (message) : "(unset)", + dbus_message_get_member (message) ? + dbus_message_get_member (message) : "(unset)", + dbus_message_get_error_name (message) ? + dbus_message_get_error_name (message) : "(unset)", + dest ? dest : DBUS_SERVICE_DBUS, + dbus_message_get_reply_serial (message), + requested_reply); _dbus_verbose ("security policy disallowing message due to recipient policy\n"); return FALSE; } diff --git a/bus/bus.h b/bus/bus.h index ad231040..74bdb821 100644 --- a/bus/bus.h +++ b/bus/bus.h @@ -107,6 +107,12 @@ int bus_context_get_max_services_per_connection (BusContext int bus_context_get_max_match_rules_per_connection (BusContext *context); int bus_context_get_max_replies_per_connection (BusContext *context); int bus_context_get_reply_timeout (BusContext *context); +void bus_context_log_info (BusContext *context, + const char *msg, + ...); +void bus_context_log_security (BusContext *context, + const char *msg, + ...); dbus_bool_t bus_context_check_security_policy (BusContext *context, BusTransaction *transaction, DBusConnection *sender, diff --git a/bus/config-parser-common.c b/bus/config-parser-common.c index 6e4bb701..ce590861 100644 --- a/bus/config-parser-common.c +++ b/bus/config-parser-common.c @@ -114,6 +114,10 @@ bus_config_parser_element_name_to_type (const char *name) { return ELEMENT_ASSOCIATE; } + else if (strcmp (name, "syslog") == 0) + { + return ELEMENT_SYSLOG; + } return ELEMENT_NONE; } 
@@ -162,7 +166,9 @@ bus_config_parser_element_type_to_name (ElementType type) return "selinux"; case ELEMENT_ASSOCIATE: return "associate"; - } + case ELEMENT_SYSLOG: + return "syslog"; + } _dbus_assert_not_reached ("bad element type"); diff --git a/bus/config-parser-common.h b/bus/config-parser-common.h index 3718c958..4ecaa8d8 100644 --- a/bus/config-parser-common.h +++ b/bus/config-parser-common.h @@ -47,7 +47,8 @@ typedef enum ELEMENT_SELINUX, ELEMENT_ASSOCIATE, ELEMENT_STANDARD_SESSION_SERVICEDIRS, - ELEMENT_STANDARD_SYSTEM_SERVICEDIRS + ELEMENT_STANDARD_SYSTEM_SERVICEDIRS, + ELEMENT_SYSLOG } ElementType; ElementType bus_config_parser_element_name_to_type (const char *element_name); diff --git a/bus/config-parser.c b/bus/config-parser.c index f9e0b7d7..f4d7c501 100644 --- a/bus/config-parser.c +++ b/bus/config-parser.c @@ -111,6 +111,8 @@ struct BusConfigParser unsigned int fork : 1; /**< TRUE to fork into daemon mode */ + unsigned int syslog : 1; /**< TRUE to enable syslog */ + unsigned int is_toplevel : 1; /**< FALSE if we are a sub-config-file inside another one */ }; @@ -696,6 +698,21 @@ start_busconfig_child (BusConfigParser *parser, parser->fork = TRUE; + return TRUE; + } + else if (element_type == ELEMENT_SYSLOG) + { + if (!check_no_attributes (parser, "syslog", attribute_names, attribute_values, error)) + return FALSE; + + if (push_element (parser, ELEMENT_SYSLOG) == NULL) + { + BUS_SET_OOM (error); + return FALSE; + } + + parser->syslog = TRUE; + return TRUE; } else if (element_type == ELEMENT_PIDFILE) @@ -1947,6 +1964,7 @@ bus_config_parser_end_element (BusConfigParser *parser, case ELEMENT_ALLOW: case ELEMENT_DENY: case ELEMENT_FORK: + case ELEMENT_SYSLOG: case ELEMENT_SELINUX: case ELEMENT_ASSOCIATE: case ELEMENT_STANDARD_SESSION_SERVICEDIRS: 
@@ -2232,6 +2250,7 @@ bus_config_parser_content (BusConfigParser *parser, case ELEMENT_ALLOW: case ELEMENT_DENY: case ELEMENT_FORK: + case ELEMENT_SYSLOG: case ELEMENT_STANDARD_SESSION_SERVICEDIRS: case ELEMENT_STANDARD_SYSTEM_SERVICEDIRS: case ELEMENT_SELINUX: @@ -2554,6 +2573,12 @@ bus_config_parser_get_fork (BusConfigParser *parser) return parser->fork; } +dbus_bool_t +bus_config_parser_get_syslog (BusConfigParser *parser) +{ + return parser->syslog; +} + const char * bus_config_parser_get_pidfile (BusConfigParser *parser) { diff --git a/bus/config-parser.h b/bus/config-parser.h index ec0dfed1..fcc5f5dc 100644 --- a/bus/config-parser.h +++ b/bus/config-parser.h @@ -65,6 +65,7 @@ const char* bus_config_parser_get_type (BusConfigParser *parser); DBusList** bus_config_parser_get_addresses (BusConfigParser *parser); DBusList** bus_config_parser_get_mechanisms (BusConfigParser *parser); dbus_bool_t bus_config_parser_get_fork (BusConfigParser *parser); +dbus_bool_t bus_config_parser_get_syslog (BusConfigParser *parser); const char* bus_config_parser_get_pidfile (BusConfigParser *parser); const char* bus_config_parser_get_servicehelper (BusConfigParser *parser); DBusList** bus_config_parser_get_service_dirs (BusConfigParser *parser); diff --git a/bus/policy.c b/bus/policy.c index caa544e7..2c1a3541 100644 --- a/bus/policy.c +++ b/bus/policy.c @@ -866,7 +866,8 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, BusRegistry *registry, dbus_bool_t requested_reply, DBusConnection *receiver, - DBusMessage *message) + DBusMessage *message, + dbus_int32_t *toggles) { DBusList *link; dbus_bool_t allowed; @@ -876,6 +877,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, */ _dbus_verbose (" (policy) checking send rules\n"); + *toggles = 0; allowed = FALSE; link = _dbus_list_get_first_link (&policy->rules); 
@@ -1026,6 +1028,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, /* Use this rule */ allowed = rule->allow; + (*toggles)++; _dbus_verbose (" (policy) used rule, allow now = %d\n", allowed); @@ -1044,7 +1047,8 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, DBusConnection *sender, DBusConnection *addressed_recipient, DBusConnection *proposed_recipient, - DBusMessage *message) + DBusMessage *message, + dbus_int32_t *toggles) { DBusList *link; dbus_bool_t allowed; @@ -1059,6 +1063,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, */ _dbus_verbose (" (policy) checking receive rules, eavesdropping = %d\n", eavesdropping); + *toggles = 0; allowed = FALSE; link = _dbus_list_get_first_link (&policy->rules); @@ -1223,6 +1228,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, /* Use this rule */ allowed = rule->allow; + (*toggles)++; _dbus_verbose (" (policy) used rule, allow now = %d\n", allowed); diff --git a/bus/policy.h b/bus/policy.h index adb9a059..91fde99f 100644 --- a/bus/policy.h +++ b/bus/policy.h @@ -141,14 +141,16 @@ dbus_bool_t bus_client_policy_check_can_send (BusClientPolicy *policy, BusRegistry *registry, dbus_bool_t requested_reply, DBusConnection *receiver, - DBusMessage *message); + DBusMessage *message, + dbus_int32_t *toggles); dbus_bool_t bus_client_policy_check_can_receive (BusClientPolicy *policy, BusRegistry *registry, dbus_bool_t requested_reply, DBusConnection *sender, DBusConnection *addressed_recipient, DBusConnection *proposed_recipient, - DBusMessage *message); + DBusMessage *message, + dbus_int32_t *toggles); dbus_bool_t bus_client_policy_check_can_own (BusClientPolicy *policy, DBusConnection *connection, const DBusString *service_name); diff --git a/bus/system.conf.in b/bus/system.conf.in index 1b6e716a..41e1bb1a 100644 --- a/bus/system.conf.in +++ b/bus/system.conf.in @@ -29,6 +29,9 @@ @DBUS_SYSTEM_PID_FILE@ + + + EXTERNAL -- cgit 
From 8cbe86da9089901c574387e4032f0858e8249c79 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 12 Dec 2008 16:58:06 -0500 Subject: Add message type to security syslog entries It's part of the security check, we should have it in the log. --- bus/bus.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'bus') diff --git a/bus/bus.c b/bus/bus.c index 195a6fd4..ab986b93 100644 --- a/bus/bus.c +++ b/bus/bus.c @@ -1348,11 +1348,12 @@ bus_context_check_security_policy (BusContext *context, { const char *dest; const char *msg = "Rejected send message, %d matched rules; " - "sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\")"; + "type=\"%s\", sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\")"; dest = dbus_message_get_destination (message); dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg, toggles, + dbus_message_type_to_string (dbus_message_get_type (message)), sender_name ? sender_name : "(unset)", dbus_message_get_interface (message) ? dbus_message_get_interface (message) : "(unset)", @@ -1364,6 +1365,7 @@ bus_context_check_security_policy (BusContext *context, /* Needs to be duplicated to avoid calling malloc and having to handle OOM */ bus_context_log_security (context, msg, toggles, + dbus_message_type_to_string (dbus_message_get_type (message)), sender_name ? sender_name : "(unset)", dbus_message_get_interface (message) ? dbus_message_get_interface (message) : "(unset)", 
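Review bot: The send-denial format gains `type=\"%s\", sender=` with a comma while the receive-denial format in the following hunk gains `type=\"%s\" sender=` without one, so the two log entries no longer share a field separator. Log consumers that split on whitespace or key=value pairs will see different shapes for the two denial kinds; using `type=\"%s\" sender=\"%s\"` in both keeps them uniform. The four added arguments also call `dbus_message_get_type (message)` again although the earlier bus.c hunk shows the function already holding that value in the local `type`, so `dbus_message_type_to_string (type)` would do.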
@@ -1385,12 +1387,13 @@ bus_context_check_security_policy (BusContext *context, message, &toggles)) { const char *msg = "Rejected receive message, %d matched rules; " - "sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\" reply serial=%u requested_reply=%d)"; + "type=\"%s\" sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\" reply serial=%u requested_reply=%d)"; const char *dest; dest = dbus_message_get_destination (message); dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg, toggles, + dbus_message_type_to_string (dbus_message_get_type (message)), sender_name ? sender_name : "(unset)", dbus_message_get_interface (message) ? dbus_message_get_interface (message) : "(unset)", @@ -1404,6 +1407,7 @@ bus_context_check_security_policy (BusContext *context, /* Needs to be duplicated to avoid calling malloc and having to handle OOM */ bus_context_log_security (context, msg, toggles, + dbus_message_type_to_string (dbus_message_get_type (message)), sender_name ? sender_name : "(unset)", dbus_message_get_interface (message) ? dbus_message_get_interface (message) : "(unset)", -- cgit From 427ff01f9d656700b370bb905fe738e76602a842 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Tue, 16 Dec 2008 11:57:27 -0500 Subject: Add optional logging on allow rules This lets us have a backwards compatibility allow rule but still easily see when that rule is being used. --- bus/bus.c | 37 +++++++++++++++++++++++-------------- bus/config-parser.c | 5 +++++ bus/policy.c | 4 +++- bus/policy.h | 4 +++- 4 files changed, 34 insertions(+), 16 deletions(-) (limited to 'bus') diff --git a/bus/bus.c b/bus/bus.c index ab986b93..b749d309 100644 --- a/bus/bus.c +++ b/bus/bus.c 
@@ -1160,22 +1160,25 @@ bus_context_check_security_policy (BusContext *context, DBusMessage *message, DBusError *error) { + const char *dest; BusClientPolicy *sender_policy; BusClientPolicy *recipient_policy; dbus_int32_t toggles; + dbus_bool_t log; int type; dbus_bool_t requested_reply; const char *sender_name; type = dbus_message_get_type (message); + dest = dbus_message_get_destination (message); /* dispatch.c was supposed to ensure these invariants */ - _dbus_assert (dbus_message_get_destination (message) != NULL || + _dbus_assert (dest != NULL || type == DBUS_MESSAGE_TYPE_SIGNAL || (sender == NULL && !bus_connection_is_active (proposed_recipient))); _dbus_assert (type == DBUS_MESSAGE_TYPE_SIGNAL || addressed_recipient != NULL || - strcmp (dbus_message_get_destination (message), DBUS_SERVICE_DBUS) == 0); + strcmp (dest, DBUS_SERVICE_DBUS) == 0); /* Used in logging below */ if (sender != NULL) @@ -1205,10 +1208,6 @@ bus_context_check_security_policy (BusContext *context, if (sender != NULL) { - const char *dest; - - dest = dbus_message_get_destination (message); - /* First verify the SELinux access controls. If allowed then * go on with the standard checks. */ @@ -1339,18 +1338,18 @@ bus_context_check_security_policy (BusContext *context, (proposed_recipient != NULL && sender == NULL && recipient_policy == NULL) || (proposed_recipient == NULL && recipient_policy == NULL)); + log = FALSE; if (sender_policy && !bus_client_policy_check_can_send (sender_policy, context->registry, requested_reply, proposed_recipient, - message, &toggles)) + message, &toggles, &log)) { - const char *dest; const char *msg = "Rejected send message, %d matched rules; " "type=\"%s\", sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\")"; - dest = dbus_message_get_destination (message); + dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg, toggles, dbus_message_type_to_string (dbus_message_get_type (message)), 
@@ -1378,6 +1377,21 @@ bus_context_check_security_policy (BusContext *context, return FALSE; } + if (log) + bus_context_log_security (context, + "Would reject message, %d matched rules; " + "type=\"%s\", sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\")", + toggles, + dbus_message_type_to_string (dbus_message_get_type (message)), + sender_name ? sender_name : "(unset)", + dbus_message_get_interface (message) ? + dbus_message_get_interface (message) : "(unset)", + dbus_message_get_member (message) ? + dbus_message_get_member (message) : "(unset)", + dbus_message_get_error_name (message) ? + dbus_message_get_error_name (message) : "(unset)", + dest ? dest : DBUS_SERVICE_DBUS); + if (recipient_policy && !bus_client_policy_check_can_receive (recipient_policy, context->registry, @@ -1388,9 +1402,7 @@ bus_context_check_security_policy (BusContext *context, { const char *msg = "Rejected receive message, %d matched rules; " "type=\"%s\" sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\" reply serial=%u requested_reply=%d)"; - const char *dest; - dest = dbus_message_get_destination (message); dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg, toggles, dbus_message_type_to_string (dbus_message_get_type (message)), @@ -1427,9 +1439,6 @@ bus_context_check_security_policy (BusContext *context, dbus_connection_get_outgoing_size (proposed_recipient) > context->limits.max_outgoing_bytes) { - const char *dest; - - dest = dbus_message_get_destination (message); dbus_set_error (error, DBUS_ERROR_LIMITS_EXCEEDED, "The destination service \"%s\" has a full message queue", dest ? dest : (proposed_recipient ? diff --git a/bus/config-parser.c b/bus/config-parser.c index f4d7c501..a8de3ff3 100644 --- a/bus/config-parser.c +++ b/bus/config-parser.c 
@@ -1090,6 +1090,7 @@ append_rule_from_element (BusConfigParser *parser, dbus_bool_t allow, DBusError *error) { + const char *log; const char *send_interface; const char *send_member; const char *send_error; @@ -1133,6 +1134,7 @@ append_rule_from_element (BusConfigParser *parser, "own", &own, "user", &user, "group", &group, + "log", &log, NULL)) return FALSE; @@ -1337,6 +1339,9 @@ append_rule_from_element (BusConfigParser *parser, if (eavesdrop) rule->d.send.eavesdrop = (strcmp (eavesdrop, "true") == 0); + if (log) + rule->d.send.log = (strcmp (log, "true") == 0); + if (send_requested_reply) rule->d.send.requested_reply = (strcmp (send_requested_reply, "true") == 0); diff --git a/bus/policy.c b/bus/policy.c index 2c1a3541..ef31800f 100644 --- a/bus/policy.c +++ b/bus/policy.c @@ -867,7 +867,8 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, dbus_bool_t requested_reply, DBusConnection *receiver, DBusMessage *message, - dbus_int32_t *toggles) + dbus_int32_t *toggles, + dbus_bool_t *log) { DBusList *link; dbus_bool_t allowed; @@ -1028,6 +1029,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, /* Use this rule */ allowed = rule->allow; + *log = rule->d.send.log; (*toggles)++; _dbus_verbose (" (policy) used rule, allow now = %d\n", diff --git a/bus/policy.h b/bus/policy.h index 91fde99f..a75e0dd9 100644 --- a/bus/policy.h +++ b/bus/policy.h @@ -65,6 +65,7 @@ struct BusPolicyRule char *destination; unsigned int eavesdrop : 1; unsigned int requested_reply : 1; + unsigned int log : 1; } send; struct @@ -142,7 +143,8 @@ dbus_bool_t bus_client_policy_check_can_send (BusClientPolicy *policy, dbus_bool_t requested_reply, DBusConnection *receiver, DBusMessage *message, - dbus_int32_t *toggles); + dbus_int32_t *toggles, + dbus_bool_t *log); dbus_bool_t bus_client_policy_check_can_receive (BusClientPolicy *policy, BusRegistry *registry, dbus_bool_t requested_reply, -- cgit From 9a1657e8e1c0106bb5f1411fe9ea3c4ef6ec826f Mon Sep 17 00:00:00 2001 
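Review bot: The `log` attribute is stored only through `rule->d.send.log`, and any value other than the exact string "true" is treated as false. As far as the visible hunks show, a `log` attribute on a receive or own rule, or a misspelled value, is accepted and then ignored, so a policy author gets no audit entry and no parse error. Either reject unsupported uses with an error or document the limitation at the assignment, e.g. `/* log= is honoured on send rules only; anything but "true" disables it */`. append_rule_from_element extends well beyond these hunks, so an existing validation step outside the view may already cover part of this.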
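Review bot: bus_client_policy_check_can_send writes `*log` only when a rule is used, whereas the sibling out-parameter is reset with `*toggles = 0;` on entry (visible in the earlier policy.c hunk). The only caller shown sets `log = FALSE` itself, so this works today, but a future caller that forgets would read an indeterminate value when no rule matches. Adding `*log = FALSE;` next to `*toggles = 0;` makes the out-parameter contract self-contained. The function body lies mostly outside these hunks.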
From: Colin Walters Date: Wed, 17 Dec 2008 16:01:28 -0500 Subject: Add uid, pid, and command to security logs Extend the current security logs with even more relevant information than just the message content. This requires some utility code to look up and cache (as a string) the data such as the uid/pid/command when a connection is authenticated. --- bus/bus.c | 42 ++++++++++++++++------ bus/connection.c | 105 +++++++++++++++++++++++++++++++++++++++++++++++++------ bus/connection.h | 1 + 3 files changed, 127 insertions(+), 21 deletions(-) (limited to 'bus') diff --git a/bus/bus.c b/bus/bus.c index b749d309..db3556fa 100644 --- a/bus/bus.c +++ b/bus/bus.c @@ -1168,6 +1168,8 @@ bus_context_check_security_policy (BusContext *context, int type; dbus_bool_t requested_reply; const char *sender_name; + const char *sender_loginfo; + const char *proposed_recipient_loginfo; type = dbus_message_get_type (message); dest = dbus_message_get_destination (message); @@ -1182,9 +1184,20 @@ bus_context_check_security_policy (BusContext *context, /* Used in logging below */ if (sender != NULL) - sender_name = bus_connection_get_name (sender); + { + sender_name = bus_connection_get_name (sender); + sender_loginfo = bus_connection_get_loginfo (sender); + } + else + { + sender_name = NULL; + sender_loginfo = "(bus)"; + } + + if (proposed_recipient != NULL) + proposed_recipient_loginfo = bus_connection_get_loginfo (proposed_recipient); else - sender_name = NULL; + proposed_recipient_loginfo = "bus"; switch (type) { 
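Review bot: The two fallback strings for the new loginfo variables differ: `sender_loginfo = "(bus)";` versus `proposed_recipient_loginfo = "bus";`, which gives the same entity two spellings in security log entries. Using `"(bus)"` for both keeps the field uniform. The values returned by `bus_connection_get_loginfo` are later passed straight to `%s` with no NULL fallback, unlike `sender_name ? sender_name : "(unset)"`; its definition is not in view, so either confirm that it never returns NULL or add the same guard.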
@@ -1347,32 +1360,35 @@ bus_context_check_security_policy (BusContext *context, message, &toggles, &log)) { const char *msg = "Rejected send message, %d matched rules; " - "type=\"%s\", sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\")"; - + "type=\"%s\", sender=\"%s\" (%s) interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\" (%s))"; dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg, toggles, dbus_message_type_to_string (dbus_message_get_type (message)), sender_name ? sender_name : "(unset)", + sender_loginfo, dbus_message_get_interface (message) ? dbus_message_get_interface (message) : "(unset)", dbus_message_get_member (message) ? dbus_message_get_member (message) : "(unset)", dbus_message_get_error_name (message) ? dbus_message_get_error_name (message) : "(unset)", - dest ? dest : DBUS_SERVICE_DBUS); + dest ? dest : DBUS_SERVICE_DBUS, + proposed_recipient_loginfo); /* Needs to be duplicated to avoid calling malloc and having to handle OOM */ bus_context_log_security (context, msg, toggles, dbus_message_type_to_string (dbus_message_get_type (message)), sender_name ? sender_name : "(unset)", + sender_loginfo, dbus_message_get_interface (message) ? dbus_message_get_interface (message) : "(unset)", dbus_message_get_member (message) ? dbus_message_get_member (message) : "(unset)", dbus_message_get_error_name (message) ? dbus_message_get_error_name (message) : "(unset)", - dest ? dest : DBUS_SERVICE_DBUS); + dest ? dest : DBUS_SERVICE_DBUS, + proposed_recipient_loginfo); _dbus_verbose ("security policy disallowing message due to sender policy\n"); return FALSE; } 
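Review bot: The uid/pid/command details in `proposed_recipient_loginfo` and `sender_loginfo` are now formatted into the DBUS_ERROR_ACCESS_DENIED text as well as into syslog, because `dbus_set_error` and `bus_context_log_security` share `msg`. Assuming that error text is what the rejected peer receives, a denied sender learns process details about the destination that it could not otherwise see. Keeping the `(%s)` fields in the syslog format only, and giving `dbus_set_error` its own format without `sender_loginfo,` and `proposed_recipient_loginfo`, would preserve the audit value without widening what the peer is told. The receive-denial branch in the next hunk has the same pattern.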
@@ -1401,35 +1417,39 @@ bus_context_check_security_policy (BusContext *context, message, &toggles)) { const char *msg = "Rejected receive message, %d matched rules; " - "type=\"%s\" sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\" reply serial=%u requested_reply=%d)"; + "type=\"%s\" sender=\"%s\" (%s) interface=\"%s\" member=\"%s\" error name=\"%s\" reply serial=%u requested_reply=%d destination=\"%s\" (%s))"; dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg, toggles, dbus_message_type_to_string (dbus_message_get_type (message)), sender_name ? sender_name : "(unset)", + sender_loginfo, dbus_message_get_interface (message) ? dbus_message_get_interface (message) : "(unset)", dbus_message_get_member (message) ? dbus_message_get_member (message) : "(unset)", dbus_message_get_error_name (message) ? dbus_message_get_error_name (message) : "(unset)", - dest ? dest : DBUS_SERVICE_DBUS, dbus_message_get_reply_serial (message), - requested_reply); + requested_reply, + dest ? dest : DBUS_SERVICE_DBUS, + proposed_recipient_loginfo); /* Needs to be duplicated to avoid calling malloc and having to handle OOM */ bus_context_log_security (context, msg, toggles, dbus_message_type_to_string (dbus_message_get_type (message)), sender_name ? sender_name : "(unset)", + sender_loginfo, dbus_message_get_interface (message) ? dbus_message_get_interface (message) : "(unset)", dbus_message_get_member (message) ? dbus_message_get_member (message) : "(unset)", dbus_message_get_error_name (message) ? dbus_message_get_error_name (message) : "(unset)", - dest ? dest : DBUS_SERVICE_DBUS, dbus_message_get_reply_serial (message), - requested_reply); + requested_reply, + dest ? dest : DBUS_SERVICE_DBUS, + proposed_recipient_loginfo); _dbus_verbose ("security policy disallowing message due to recipient policy\n"); return FALSE; } diff --git a/bus/connection.c b/bus/connection.c index ed1b1391..ab99fa5f 100644 --- a/bus/connection.c +++ b/bus/connection.c 
@@ -32,6 +32,9 @@ #include #include +/* Trim executed commands to this length; we want to keep logs readable */ +#define MAX_LOG_COMMAND_LEN 50 + static void bus_connection_remove_transactions (DBusConnection *connection); typedef struct @@ -76,6 +79,7 @@ typedef struct DBusPreallocatedSend *oom_preallocated; BusClientPolicy *policy; + char *cached_loginfo_string; BusSELinuxID *selinux_id; long connection_tv_sec; /**< Time when we connected (seconds component) */ @@ -406,6 +410,8 @@ free_connection_data (void *data) if (d->selinux_id) bus_selinux_id_unref (d->selinux_id); + dbus_free (d->cached_loginfo_string); + dbus_free (d->name); dbus_free (d); 
@@ -537,13 +543,73 @@ bus_connections_unref (BusConnections *connections) } } +/* Used for logging */ +static dbus_bool_t +cache_peer_loginfo_string (BusConnectionData *d, + DBusConnection *connection) +{ + DBusString loginfo_buf; + unsigned long uid; + unsigned long pid; + char *windows_sid; + dbus_bool_t prev_added; + + if (!_dbus_string_init (&loginfo_buf)) + return FALSE; + + prev_added = FALSE; + if (dbus_connection_get_unix_user (connection, &uid)) + { + if (!_dbus_string_append_printf (&loginfo_buf, "uid=%ld", uid)) + goto oom; + else + prev_added = TRUE; + } + + if (dbus_connection_get_unix_process_id (connection, &pid)) + { + if (prev_added) + { + if (!_dbus_string_append_byte (&loginfo_buf, ' ')) + goto oom; + } + if (!_dbus_string_append_printf (&loginfo_buf, "pid=%ld comm=\"", pid)) + goto oom; + /* Ignore errors here */ + if (_dbus_command_for_pid (pid, &loginfo_buf, MAX_LOG_COMMAND_LEN, NULL)) + { + if (!_dbus_string_append_byte (&loginfo_buf, '"')) + goto oom; + } + } + + if (dbus_connection_get_windows_user (connection, &windows_sid)) + { + if (!_dbus_string_append_printf (&loginfo_buf, "sid=\"%s\" ", windows_sid)) + goto oom; + dbus_free (windows_sid); + } + + if (!_dbus_string_steal_data (&loginfo_buf, &(d->cached_loginfo_string))) + goto oom; + + _dbus_string_free (&loginfo_buf); + + return TRUE; +oom: + _dbus_string_free (&loginfo_buf); + return FALSE; +} + dbus_bool_t bus_connections_setup_connection (BusConnections *connections, DBusConnection *connection) { + BusConnectionData *d; dbus_bool_t retval; DBusError error; + d = dbus_new0 (BusConnectionData, 1); @@ -583,7 +649,7 @@ bus_connections_setup_connection (BusConnections *connections, dbus_error_free (&error); goto out; } - + if (!dbus_connection_set_watch_functions (connection, add_connection_watch, remove_connection_watch, 
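Review bot: In cache_peer_loginfo_string (hunk -537) the `goto oom` taken when the `sid=` append fails skips `dbus_free (windows_sid)`, so the SID string leaks on that path. The closing quote after `comm="` is appended only when `_dbus_command_for_pid` succeeds, which leaves an unterminated field in the security log when the lookup fails. `uid` and `pid` are `unsigned long` but are formatted with `%ld`; `%lu` matches the type. The command text originates from the peer process, so unless `_dbus_command_for_pid` (not shown) escapes quotes and control characters, it should be sanitised before it is stored for logging.

```c
/* … unchanged: uid field, separator and "pid=… comm=\"" prefix … */
      /* Ignore lookup errors, but always close the quote so the field stays well-formed */
      _dbus_command_for_pid (pid, &loginfo_buf, MAX_LOG_COMMAND_LEN, NULL);
      if (!_dbus_string_append_byte (&loginfo_buf, '"'))
        goto oom;
/* … unchanged: end of the pid block … */
  if (dbus_connection_get_windows_user (connection, &windows_sid))
    {
      dbus_bool_t appended;

      appended = _dbus_string_append_printf (&loginfo_buf, "sid=\"%s\" ", windows_sid);
      dbus_free (windows_sid); /* released on both the success and the OOM path */
      if (!appended)
        goto oom;
    }
/* … unchanged: steal data into d->cached_loginfo_string, free buffer, oom label … */
```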
@@ -842,6 +908,18 @@ bus_connection_is_in_unix_group (DBusConnection *connection, return FALSE; } +const char * +bus_connection_get_loginfo (DBusConnection *connection) +{ + BusConnectionData *d; + + d = BUS_CONNECTION_DATA (connection); + + if (!bus_connection_is_active (connection)) + return "inactive"; + return d->cached_loginfo_string; +} + BusClientPolicy* bus_connection_get_policy (DBusConnection *connection) { @@ -1302,16 +1380,15 @@ bus_connection_complete (DBusConnection *connection, { if (!adjust_connections_for_uid (d->connections, uid, 1)) - { - BUS_SET_OOM (error); - dbus_free (d->name); - d->name = NULL; - bus_client_policy_unref (d->policy); - d->policy = NULL; - return FALSE; - } + goto fail; } - + + /* Create and cache a string which holds information about the + * peer process; used for logging purposes. + */ + if (!cache_peer_loginfo_string (d, connection)) + goto fail; + /* Now the connection is active, move it between lists */ _dbus_list_unlink (&d->connections->incomplete, d->link_in_connection_list); @@ -1329,6 +1406,14 @@ bus_connection_complete (DBusConnection *connection, _dbus_assert (bus_connection_is_active (connection)); return TRUE; +fail: + BUS_SET_OOM (error); + dbus_free (d->name); + d->name = NULL; + if (d->policy) + bus_client_policy_unref (d->policy); + d->policy = NULL; + return FALSE; } const char * diff --git a/bus/connection.h b/bus/connection.h index 5099bcf9..4f352169 100644 --- a/bus/connection.h +++ b/bus/connection.h 
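Review bot: bus_connection_get_loginfo in the -842 hunk has no comment saying who owns the returned string. It hands back either `d->cached_loginfo_string`, which free_connection_data releases, or the literal `"inactive"`, so callers must neither free the result nor keep it past the connection's lifetime. A header comment such as `/* Returns a borrowed string, valid while the connection data lives; never free it. */` would make that contract explicit.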
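Review bot: The new `fail:` label in bus_connection_complete (hunks -1302 and -1329) does not undo `adjust_connections_for_uid (d->connections, uid, 1)` when the later `cache_peer_loginfo_string` call fails. As far as these hunks show, the per-uid connection count then stays incremented for a connection that never became active, which skews any per-user connection limit based on it. Calling `cache_peer_loginfo_string` before the uid adjustment would make the increment the last fallible step; `fail:` should then also run `dbus_free (d->cached_loginfo_string); d->cached_loginfo_string = NULL;`. The function body starts and ends outside the hunks, so confirm against the disconnect path whether the count is corrected elsewhere.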
@@ -50,6 +50,7 @@ BusConnections* bus_connection_get_connections (DBusConnection BusRegistry* bus_connection_get_registry (DBusConnection *connection); BusActivation* bus_connection_get_activation (DBusConnection *connection); BusMatchmaker* bus_connection_get_matchmaker (DBusConnection *connection); +const char * bus_connection_get_loginfo (DBusConnection *connection); BusSELinuxID* bus_connection_get_selinux_id (DBusConnection *connection); dbus_bool_t bus_connections_check_limits (BusConnections *connections, DBusConnection *requesting_completion, -- cgit From 788e592b32c71c3570fe9034cf3041acadc83f9d Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Wed, 17 Dec 2008 19:29:39 -0500 Subject: Add requested_reply to send denials, and connection loginfo to "would deny" The requested_reply field is necessary in send denials too because it's used in the policy language. The connection loginfo lack in "would deny" was just an oversight. --- bus/bus.c | 69 +++++++++++++++++++++++++++++++++++---------------------------- 1 file changed, 38 insertions(+), 31 deletions(-) (limited to 'bus') diff --git a/bus/bus.c b/bus/bus.c index db3556fa..e38d4a23 100644 --- a/bus/bus.c +++ b/bus/bus.c @@ -1360,7 +1360,7 @@ bus_context_check_security_policy (BusContext *context, message, &toggles, &log)) { const char *msg = "Rejected send message, %d matched rules; " - "type=\"%s\", sender=\"%s\" (%s) interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\" (%s))"; + "type=\"%s\", sender=\"%s\" (%s) interface=\"%s\" member=\"%s\" error name=\"%s\" requested_reply=%d destination=\"%s\" (%s))"; dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg, toggles, 
@@ -1373,22 +1373,25 @@ bus_context_check_security_policy (BusContext *context, dbus_message_get_member (message) : "(unset)", dbus_message_get_error_name (message) ? dbus_message_get_error_name (message) : "(unset)", + requested_reply, dest ? dest : DBUS_SERVICE_DBUS, proposed_recipient_loginfo); /* Needs to be duplicated to avoid calling malloc and having to handle OOM */ - bus_context_log_security (context, msg, - toggles, - dbus_message_type_to_string (dbus_message_get_type (message)), - sender_name ? sender_name : "(unset)", - sender_loginfo, - dbus_message_get_interface (message) ? - dbus_message_get_interface (message) : "(unset)", - dbus_message_get_member (message) ? - dbus_message_get_member (message) : "(unset)", - dbus_message_get_error_name (message) ? - dbus_message_get_error_name (message) : "(unset)", - dest ? dest : DBUS_SERVICE_DBUS, - proposed_recipient_loginfo); + if (addressed_recipient == proposed_recipient) + bus_context_log_security (context, msg, + toggles, + dbus_message_type_to_string (dbus_message_get_type (message)), + sender_name ? sender_name : "(unset)", + sender_loginfo, + dbus_message_get_interface (message) ? + dbus_message_get_interface (message) : "(unset)", + dbus_message_get_member (message) ? + dbus_message_get_member (message) : "(unset)", + dbus_message_get_error_name (message) ? + dbus_message_get_error_name (message) : "(unset)", + requested_reply, + dest ? dest : DBUS_SERVICE_DBUS, + proposed_recipient_loginfo); _dbus_verbose ("security policy disallowing message due to sender policy\n"); return FALSE; } 
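Review bot: The added `if (addressed_recipient == proposed_recipient)` in front of `bus_context_log_security` is neither explained in the code nor mentioned in the commit message. It means a denial is written to the security log only when the rejected recipient is the connection the message was addressed to; other rejected deliveries no longer leave a log record. The existing "Needs to be duplicated…" comment now sits above the condition and no longer describes the line below it. Add a comment such as `/* Log only for the addressed recipient, so one message does not yield a log line per rejected recipient */` (adjust to the real reason) and put braces around the multi-line call. The same unexplained condition is added in the receive-denial hunk at -1435.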
@@ -1396,17 +1399,20 @@ bus_context_check_security_policy (BusContext *context, if (log) bus_context_log_security (context, "Would reject message, %d matched rules; " - "type=\"%s\", sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\")", + "type=\"%s\", sender=\"%s\" (%s) interface=\"%s\" member=\"%s\" error name=\"%s\" requested_reply=%d destination=\"%s\" (%s))", toggles, dbus_message_type_to_string (dbus_message_get_type (message)), sender_name ? sender_name : "(unset)", + sender_loginfo, dbus_message_get_interface (message) ? dbus_message_get_interface (message) : "(unset)", dbus_message_get_member (message) ? dbus_message_get_member (message) : "(unset)", dbus_message_get_error_name (message) ? dbus_message_get_error_name (message) : "(unset)", - dest ? dest : DBUS_SERVICE_DBUS); + requested_reply, + dest ? dest : DBUS_SERVICE_DBUS, + proposed_recipient_loginfo); if (recipient_policy && !bus_client_policy_check_can_receive (recipient_policy, 
@@ -1435,21 +1441,22 @@ bus_context_check_security_policy (BusContext *context, dest ? dest : DBUS_SERVICE_DBUS, proposed_recipient_loginfo); /* Needs to be duplicated to avoid calling malloc and having to handle OOM */ - bus_context_log_security (context, msg, - toggles, - dbus_message_type_to_string (dbus_message_get_type (message)), - sender_name ? sender_name : "(unset)", - sender_loginfo, - dbus_message_get_interface (message) ? - dbus_message_get_interface (message) : "(unset)", - dbus_message_get_member (message) ? - dbus_message_get_member (message) : "(unset)", - dbus_message_get_error_name (message) ? - dbus_message_get_error_name (message) : "(unset)", - dbus_message_get_reply_serial (message), - requested_reply, - dest ? dest : DBUS_SERVICE_DBUS, - proposed_recipient_loginfo); + if (addressed_recipient == proposed_recipient) + bus_context_log_security (context, msg, + toggles, + dbus_message_type_to_string (dbus_message_get_type (message)), + sender_name ? sender_name : "(unset)", + sender_loginfo, + dbus_message_get_interface (message) ? + dbus_message_get_interface (message) : "(unset)", + dbus_message_get_member (message) ? + dbus_message_get_member (message) : "(unset)", + dbus_message_get_error_name (message) ? + dbus_message_get_error_name (message) : "(unset)", + dbus_message_get_reply_serial (message), + requested_reply, + dest ? dest : DBUS_SERVICE_DBUS, + proposed_recipient_loginfo); _dbus_verbose ("security policy disallowing message due to recipient policy\n"); return FALSE; } -- cgit From 4e4f0de8cc8c3127641013fd833349dab34b676b Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 19 Dec 2008 18:54:59 -0500 Subject: Various compiler warning fixes --- bus/config-parser.h | 1 + bus/driver.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'bus') diff --git a/bus/config-parser.h b/bus/config-parser.h index fcc5f5dc..b951d1d2 100644 --- a/bus/config-parser.h +++ b/bus/config-parser.h 
@@ -65,6 +65,7 @@ const char* bus_config_parser_get_type (BusConfigParser *parser); DBusList** bus_config_parser_get_addresses (BusConfigParser *parser); DBusList** bus_config_parser_get_mechanisms (BusConfigParser *parser); dbus_bool_t bus_config_parser_get_fork (BusConfigParser *parser); +dbus_bool_t bus_config_parser_get_allow_anonymous (BusConfigParser *parser); dbus_bool_t bus_config_parser_get_syslog (BusConfigParser *parser); const char* bus_config_parser_get_pidfile (BusConfigParser *parser); const char* bus_config_parser_get_servicehelper (BusConfigParser *parser); diff --git a/bus/driver.c b/bus/driver.c index 05ecd56c..c97bff5d 100644 --- a/bus/driver.c +++ b/bus/driver.c @@ -1411,7 +1411,7 @@ bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection, BusService *serv; DBusConnection *conn; DBusMessage *reply; - char *data = NULL; + void *data = NULL; dbus_uint32_t data_size; _DBUS_ASSERT_ERROR_IS_CLEAR (error); -- cgit From eebad8668d2b56a4b9a269f65513592eb1882b68 Mon Sep 17 00:00:00 2001 From: Peter Breitenlohner Date: Tue, 6 Jan 2009 16:48:39 -0500 Subject: Avoid possible use of uninitialized variable Signed-off-by: Colin Walters --- bus/activation.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'bus') diff --git a/bus/activation.c b/bus/activation.c index 18630958..a273c4ad 100644 --- a/bus/activation.c +++ b/bus/activation.c @@ -679,7 +679,7 @@ populate_environment (BusActivation *activation) DBusString value; int i; char **environment; - dbus_bool_t retval; + dbus_bool_t retval = FALSE; environment = _dbus_get_environment (); -- cgit From 6663d1dd35f94717209cd6fca86045bca853ef79 Mon Sep 17 00:00:00 2001 From: Matt McCutchen Date: Mon, 10 Nov 2008 08:55:27 -0500 Subject: Bug 18446: Keep umask for session bus 
Signed-off-by: Colin Walters --- bus/bus.c | 5 ++++- bus/config-parser-common.c | 8 +++++++- bus/config-parser-common.h | 3 ++- bus/config-parser.c | 32 +++++++++++++++++++++++++++++++- bus/config-parser.h | 1 + bus/dbus-daemon.1.in | 7 +++++++ bus/session.conf.in | 4 ++++ 7 files changed, 56 insertions(+), 4 deletions(-) (limited to 'bus') diff --git a/bus/bus.c b/bus/bus.c index e38d4a23..f5b6e7ec 100644 --- a/bus/bus.c +++ b/bus/bus.c @@ -55,6 +55,7 @@ struct BusContext BusLimits limits; unsigned int fork : 1; unsigned int syslog : 1; + unsigned int keep_umask : 1; }; static dbus_int32_t server_data_slot = -1; @@ -386,6 +387,7 @@ process_config_first_time_only (BusContext *context, context->fork = bus_config_parser_get_fork (parser); context->syslog = bus_config_parser_get_syslog (parser); + context->keep_umask = bus_config_parser_get_keep_umask (parser); _DBUS_ASSERT_ERROR_IS_CLEAR (error); retval = TRUE; @@ -710,7 +712,8 @@ bus_context_new (const DBusString *config_file, if (!_dbus_become_daemon (context->pidfile ? &u : NULL, print_pid_pipe, - error)) + error, + context->keep_umask)) { _DBUS_ASSERT_ERROR_IS_SET (error); goto failed; diff --git a/bus/config-parser-common.c b/bus/config-parser-common.c index ce590861..88e099ac 100644 --- a/bus/config-parser-common.c +++ b/bus/config-parser-common.c @@ -118,6 +118,10 @@ bus_config_parser_element_name_to_type (const char *name) { return ELEMENT_SYSLOG; } + else if (strcmp (name, "keep_umask") == 0) + { + return ELEMENT_KEEP_UMASK; + } return ELEMENT_NONE; } @@ -168,7 +172,9 @@ bus_config_parser_element_type_to_name (ElementType type) return "associate"; case ELEMENT_SYSLOG: return "syslog"; - } + case ELEMENT_KEEP_UMASK: + return "keep_umask"; + } _dbus_assert_not_reached ("bad element type"); diff --git a/bus/config-parser-common.h b/bus/config-parser-common.h index 4ecaa8d8..ae40d089 100644 --- a/bus/config-parser-common.h +++ b/bus/config-parser-common.h 
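Review bot: In the -710 hunk of bus/bus.c, `context->keep_umask` is passed to `_dbus_become_daemon` in the same call that receives the pidfile path, with no comment on what the flag implies for file permissions. If the flag makes the daemon skip its umask reset (the callee is not shown), the pidfile and everything else the daemon creates afterwards inherit whatever umask the launching environment had, including a permissive one. A comment at the call such as `/* keep_umask: the inherited umask then applies to the pidfile and all later file creation */` would record that. It is also worth deciding whether the option should be accepted for the system bus at all, since the patch only enables it in session.conf.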
@@ -48,7 +48,8 @@ typedef enum ELEMENT_ASSOCIATE, ELEMENT_STANDARD_SESSION_SERVICEDIRS, ELEMENT_STANDARD_SYSTEM_SERVICEDIRS, - ELEMENT_SYSLOG + ELEMENT_SYSLOG, + ELEMENT_KEEP_UMASK } ElementType; ElementType bus_config_parser_element_name_to_type (const char *element_name); diff --git a/bus/config-parser.c b/bus/config-parser.c index a8de3ff3..38ce8a1d 100644 --- a/bus/config-parser.c +++ b/bus/config-parser.c @@ -112,6 +112,7 @@ struct BusConfigParser unsigned int fork : 1; /**< TRUE to fork into daemon mode */ unsigned int syslog : 1; /**< TRUE to enable syslog */ + unsigned int keep_umask : 1; /**< TRUE to keep original umask when forking */ unsigned int is_toplevel : 1; /**< FALSE if we are a sub-config-file inside another one */ }; @@ -308,6 +309,9 @@ merge_included (BusConfigParser *parser, if (included->fork) parser->fork = TRUE; + if (included->keep_umask) + parser->keep_umask = TRUE; + if (included->pidfile != NULL) { dbus_free (parser->pidfile); @@ -710,9 +714,24 @@ start_busconfig_child (BusConfigParser *parser, BUS_SET_OOM (error); return FALSE; } - + parser->syslog = TRUE; + return TRUE; + } + else if (element_type == ELEMENT_KEEP_UMASK) + { + if (!check_no_attributes (parser, "keep_umask", attribute_names, attribute_values, error)) + return FALSE; + + if (push_element (parser, ELEMENT_KEEP_UMASK) == NULL) + { + BUS_SET_OOM (error); + return FALSE; + } + + parser->keep_umask = TRUE; + return TRUE; } else if (element_type == ELEMENT_PIDFILE) @@ -1970,6 +1989,7 @@ bus_config_parser_end_element (BusConfigParser *parser, case ELEMENT_DENY: case ELEMENT_FORK: case ELEMENT_SYSLOG: + case ELEMENT_KEEP_UMASK: case ELEMENT_SELINUX: case ELEMENT_ASSOCIATE: case ELEMENT_STANDARD_SESSION_SERVICEDIRS: @@ -2256,6 +2276,7 @@ bus_config_parser_content (BusConfigParser *parser, case ELEMENT_DENY: case ELEMENT_FORK: case ELEMENT_SYSLOG: + case ELEMENT_KEEP_UMASK: case ELEMENT_STANDARD_SESSION_SERVICEDIRS: case ELEMENT_STANDARD_SYSTEM_SERVICEDIRS: case ELEMENT_SELINUX: 
@@ -2584,6 +2605,12 @@ bus_config_parser_get_syslog (BusConfigParser *parser) return parser->syslog; } +dbus_bool_t +bus_config_parser_get_keep_umask (BusConfigParser *parser) +{ + return parser->keep_umask; +} + const char * bus_config_parser_get_pidfile (BusConfigParser *parser) { @@ -2977,6 +3004,9 @@ config_parsers_equal (const BusConfigParser *a, if (! bools_equal (a->fork, b->fork)) return FALSE; + if (! bools_equal (a->keep_umask, b->keep_umask)) + return FALSE; + if (! bools_equal (a->is_toplevel, b->is_toplevel)) return FALSE; diff --git a/bus/config-parser.h b/bus/config-parser.h index b951d1d2..bb3a30f4 100644 --- a/bus/config-parser.h +++ b/bus/config-parser.h @@ -67,6 +67,7 @@ DBusList** bus_config_parser_get_mechanisms (BusConfigParser *parser); dbus_bool_t bus_config_parser_get_fork (BusConfigParser *parser); dbus_bool_t bus_config_parser_get_allow_anonymous (BusConfigParser *parser); dbus_bool_t bus_config_parser_get_syslog (BusConfigParser *parser); +dbus_bool_t bus_config_parser_get_keep_umask (BusConfigParser *parser); const char* bus_config_parser_get_pidfile (BusConfigParser *parser); const char* bus_config_parser_get_servicehelper (BusConfigParser *parser); DBusList** bus_config_parser_get_service_dirs (BusConfigParser *parser); diff --git a/bus/dbus-daemon.1.in b/bus/dbus-daemon.1.in index 81439343..8342600e 100644 --- a/bus/dbus-daemon.1.in +++ b/bus/dbus-daemon.1.in @@ -213,6 +213,13 @@ If present, the bus daemon becomes a real daemon (forks into the background, etc.). This is generally used rather than the \-\-fork command line option. +.TP +.I "" + +.PP +If present, the bus daemon keeps its original umask when forking. +This may be useful to avoid affecting the behavior of child processes. + .TP .I "" diff --git a/bus/session.conf.in b/bus/session.conf.in index b2dee5b3..794eb8da 100644 --- a/bus/session.conf.in +++ b/bus/session.conf.in @@ -8,6 +8,10 @@ session + + + unix:tmpdir=@DBUS_SESSION_SOCKET_DIR@ -- cgit 
From 100027007254aaec3ba0388bd0f42e29e512a678 Mon Sep 17 00:00:00 2001 From: Tor Lillqvist Date: Thu, 18 Sep 2008 19:40:50 -0400 Subject: [win32] Protect usage of SIGHUP with #ifdef Signed-off-by: Colin Walters --- bus/main.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) (limited to 'bus') diff --git a/bus/main.c b/bus/main.c index 161de19c..51538fe7 100644 --- a/bus/main.c +++ b/bus/main.c @@ -44,7 +44,6 @@ static void close_reload_pipe (void); static void signal_handler (int sig) { - DBusString str; switch (sig) { @@ -52,16 +51,20 @@ signal_handler (int sig) case SIGIO: /* explicit fall-through */ #endif /* DBUS_BUS_ENABLE_DNOTIFY_ON_LINUX */ +#ifdef SIGHUP case SIGHUP: - _dbus_string_init_const (&str, "foo"); - if ((reload_pipe[RELOAD_WRITE_END] > 0) && - !_dbus_write_socket (reload_pipe[RELOAD_WRITE_END], &str, 0, 1)) - { - _dbus_warn ("Unable to write to reload pipe.\n"); - close_reload_pipe (); - } + { + DBusString str; + _dbus_string_init_const (&str, "foo"); + if ((reload_pipe[RELOAD_WRITE_END] > 0) && + !_dbus_write_socket (reload_pipe[RELOAD_WRITE_END], &str, 0, 1)) + { + _dbus_warn ("Unable to write to reload pipe.\n"); + close_reload_pipe (); + } + } break; - +#endif case SIGTERM: _dbus_loop_quit (bus_context_get_loop (context)); break; @@ -458,7 +461,9 @@ main (int argc, char **argv) setup_reload_pipe (bus_context_get_loop (context)); +#ifdef SIGHUP _dbus_set_signal_handler (SIGHUP, signal_handler); +#endif _dbus_set_signal_handler (SIGTERM, signal_handler); #ifdef DBUS_BUS_ENABLE_DNOTIFY_ON_LINUX _dbus_set_signal_handler (SIGIO, signal_handler); -- cgit From 1f3bcd241e5a54fa4ad8b515893783323eff6feb Mon Sep 17 00:00:00 2001 From: James Carter Date: Wed, 1 Oct 2008 16:40:33 -0400 Subject: Initialize AVC earlier so we can look up service security contexts * bus/bus.c: Initialize AVC earlier: http://lists.freedesktop.org/archives/dbus/2008-October/010493.html 
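Review bot: In signal_handler (hunk -52 of bus/main.c) the new `#ifdef SIGHUP` wraps the whole reload body including its `break;`. On a build where `SIGHUP` is undefined but `DBUS_BUS_ENABLE_DNOTIFY_ON_LINUX` is set, `case SIGIO:` would therefore fall through into `case SIGTERM:` and quit the main loop instead of triggering a reload. That combination is unlikely, but guarding only the `case SIGHUP:` label keeps the body reachable from `case SIGIO:`. Separately, the re-indented body still calls `_dbus_warn` and `close_reload_pipe` from signal context; if those are not async-signal-safe (their definitions are outside the hunk), the handler should only write to the pipe and leave reporting to the main loop.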
Signed-off-by: Colin Walters --- bus/bus.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'bus') diff --git a/bus/bus.c b/bus/bus.c index f5b6e7ec..f9cf118b 100644 --- a/bus/bus.c +++ b/bus/bus.c @@ -741,6 +741,11 @@ bus_context_new (const DBusString *config_file, if (print_pid_pipe && _dbus_pipe_is_valid (print_pid_pipe) && !_dbus_pipe_is_stdout_or_stderr (print_pid_pipe)) _dbus_pipe_close (print_pid_pipe, NULL); + + if (!bus_selinux_full_init ()) + { + _dbus_warn ("SELinux initialization failed\n"); + } if (!process_config_postinit (context, parser, error)) { @@ -771,11 +776,6 @@ bus_context_new (const DBusString *config_file, #endif } - if (!bus_selinux_full_init ()) - { - _dbus_warn ("SELinux initialization failed\n"); - } - dbus_server_free_data_slot (&server_data_slot); return context; -- cgit
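Review bot: In the -741 hunk of bus_context_new, a failing `bus_selinux_full_init ()` still only produces `_dbus_warn`, yet the call now runs before `process_config_postinit`, which per the commit message needs the AVC to look up service security contexts. Startup therefore continues with an uninitialised AVC and the bus may come up without the intended SELinux checks in place. Consider failing closed with `dbus_set_error (error, DBUS_ERROR_FAILED, "SELinux initialization failed"); goto failed;`. Confirm first that `bus_selinux_full_init` returns TRUE when SELinux is disabled, so non-SELinux systems still start. The function continues outside the hunk.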