authorosmond sun <osmond.sun@gmail.com>2013-11-06 00:53:18 +0800
committerColin Walters <walters@verbum.org>2013-11-07 14:52:27 -0500
commitba088208bc0c35ca418a097a8482c4a7705f4a43 (patch)
tree1ac7e8e71852e414338808a8587c46863cea8331 /bus/selinux.c
parent4cf2df1355e0f22e86395453d78a615a19fa958d (diff)
downloaddbus-ba088208bc0c35ca418a097a8482c4a7705f4a43.tar.gz
selinux: Use selinux_set_mapping() to avoid hardcoded constants for policy
Before the introduction of selinux_set_mapping(), DBus pulled constants generated from the system's policy at build time. But this means it is impossible to replace the system policy without rebuilding userspace components. This patch maps between the arbitrary class/perm indices used by D-Bus and the policy's values, and handles all the translation at runtime on avc_has_perm() calls. Bug: https://bugs.freedesktop.org/attachment.cgi?id=88719 Reviewed-By: Colin Walters <walters@verbum.org> Tested-By: Colin Walters <walters@verbum.org>
Diffstat (limited to 'bus/selinux.c')
-rw-r--r--bus/selinux.c30
1 files changed, 27 insertions, 3 deletions
diff --git a/bus/selinux.c b/bus/selinux.c
index 768e55ef..99994ca9 100644
--- a/bus/selinux.c
+++ b/bus/selinux.c
@@ -44,8 +44,6 @@
#include <syslog.h>
#include <selinux/selinux.h>
#include <selinux/avc.h>
-#include <selinux/av_permissions.h>
-#include <selinux/flask.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
@@ -314,8 +312,27 @@ bus_selinux_pre_init (void)
#endif
}
+/*
+ * Private Flask definitions; the order of these constants must
+ * exactly match that of the structure array below!
+ */
+/* security dbus class constants */
+#define SECCLASS_DBUS 1
+
+/* dbus's per access vector constants */
+#define DBUS__ACQUIRE_SVC 1
+#define DBUS__SEND_MSG 2
+
+#ifdef HAVE_SELINUX
+static struct security_class_mapping dbus_map[] = {
+ { "dbus", { "acquire_svc", "send_msg", NULL } },
+ { NULL }
+};
+#endif /* HAVE_SELINUX */
+
/**
- * Initialize the user space access vector cache (AVC) for D-Bus and set up
+ * Establish dynamic object class and permission mapping and
+ * initialize the user space access vector cache (AVC) for D-Bus and set up
* logging callbacks.
*/
dbus_bool_t
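Review bot: The new permission constants `#define DBUS__ACQUIRE_SVC 1` and `#define DBUS__SEND_MSG 2` are access-vector bits rather than ordinals, so the comment's "order of these constants must exactly match" understates the rule: as I read selinux_set_mapping(), the N-th permission name in a dbus_map entry is mapped to bit `1 << N`, so a third permission would need the value 4, not 3, while the class value is the 1-based index into dbus_map. Writing them as `#define DBUS__ACQUIRE_SVC (1u << 0)` and `#define DBUS__SEND_MSG (1u << 1)` makes that visible, and a comment such as `/* class value = 1-based index into dbus_map; permission value = 1 << (index of the name in that entry's perms) */` would keep the two tables in step. The three defines also sit outside the `#ifdef HAVE_SELINUX` block that guards dbus_map, so unless something outside the guard references them elsewhere in the file, moving them inside it would tie them to the array they index.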
@@ -334,6 +351,13 @@ bus_selinux_full_init (void)
_dbus_verbose ("SELinux is enabled in this kernel.\n");
+ if (selinux_set_mapping (dbus_map) < 0)
+ {
+ _dbus_warn ("Failed to set up security class mapping (selinux_set_mapping():%s).\n",
+ strerror (errno));
+ return FALSE;
+ }
+
avc_entry_ref_init (&aeref);
if (avc_init ("avc", &mem_cb, &log_cb, &thread_cb, &lock_cb) < 0)
{
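Review bot: The new failure branch after `_dbus_verbose ("SELinux is enabled in this kernel.\n");` returns FALSE with only a strerror() text, which does not tell an administrator the one cause this change introduces: the running policy not defining the `dbus` class or one of the `acquire_svc`/`send_msg` permissions listed in dbus_map, a mismatch that could not occur while the values were fixed at build time. I would record that where it is caught, e.g. `/* Fails when the loaded policy lacks the dbus class or a permission named in dbus_map; SELinux support cannot be enabled against such a policy. */` above the `if`, and have the warning name the class being mapped so the log points at the policy rather than at D-Bus. What the caller does with FALSE is outside the hunk; bus_selinux_full_init starts before and continues after it.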