| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
The full license texts are not added because they were already
added in a previous commit.
Signed-off-by: Ralf Habacker <ralf.habacker@freenet.de>
see #394
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We don't usually mass-remove trailing whitespace from the actual source
code because it would complicate cherry-picking bug fixes to older
branches, but that reasoning doesn't really apply to the comments
containing copyright and licensing notices.
Removing trailing whitespace makes it much easier to move code around:
we have a commit hook that rejects commits containing trailing
whitespace, but that commit hook counts moving a file as a delete + add
pair, so it objects to moving code that contains trailing whitespace.
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
| |
|
|
|
|
|
|
| |
Stop using avc_init() and use avc_open() instead. With this commit
dbus-daemon will stop using a thread to monitor the avc netlink and will
poll it instead.
https://gitlab.freedesktop.org/dbus/dbus/issues/134
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently when asked the SELinux context of the owner of
org.freedesktop.DBus, the dbus-daemon is returning an error.
In the same situation when asked about the Unix user or the PID, the
daemon would return its own user or pid. Do the same for the SELinux
context by returning the daemon one.
In particular this avoids an issue seen with systemd --user, where
dbus-daemon responds to UpdateActivationEnvironment() by passing on the
new environment to systemd with o.fd.systemd1.Manager.SetEnvironment(),
but systemd cannot get the caller's SELinux context and so rejects the
SetEnvironment() call.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101315
[smcv: Extend commit message to describe the symptom this fixes]
Reviewed-by: Simon McVittie <smcv@collabora.com>
|
| |
|
|
|
|
|
|
|
| |
sidget and sidput functions are noop and deprecated since libselinux 2.0.86.
Also use pkg-config to detect libselinux and force version >= 2.0.86
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=100912
Reviewed-by: Simon McVittie <smcv@collabora.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We specifically do not check recipient policies, because
the recipient policy is based on properties of the
recipient process (in particular, its uid), which we do
not necessarily know until we have already started it.
In this initial implementation we do not check LSMs either,
because we cannot know what LSM context the recipient process
is going to have. However, LSM support will need to be added
to make this feature useful, because StartServiceByName is
normally allowed in non-LSM environments, and is more
powerful than auto-activation anyway.
The StartServiceByName method does not go through this check,
because if access to that method has been granted, then
it's somewhat obvious that you can start arbitrary services.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes various duplicated libaudit interactions in both
SELinux and AppArmor code paths, including opening two audit sockets
if both SELinux and AppArmor were enabled at compile time.
In particular, audit.c is now the only user of libcap-ng.
This commit is not intended to introduce any functional changes,
except for the de-duplication.
The actual audit_log_user_avc_message() call is still duplicated,
because the SELinux and AppArmor code paths use different mechanisms
to compose the audit message: the SELinux path uses a statically-sized
buffer on the stack which might be subject to truncation, whereas
the AppArmor path uses malloc() (via DBusString) and falls back to
using syslog on a memory allocation failure.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89225
Reviewed-by: Colin Walters <walters@verbum.org>
[smcv: minor issues raised during review are subsequently fixed]
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
| |
|
|
|
|
| |
No comment.
Signed-off-by: Colin Walters <walters@verbum.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
namespace it
2007-10-23 Havoc Pennington <hp@redhat.com>
* bus/bus.c (bus_context_new): use the new name here
* bus/selinux.c (bus_selinux_audit_init): rename from audit_init()
to avoid possible libc conflict, and declare it in .h file to
avoid a warning
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bus/driver.c (bus_driver_handle_get_connection_selinux_security_context): Renamed
from bus_driver_handle_get_connection_unix_security_context. Update for
error usage.
(message_handlers): Update for renames.
* bus/selinux.c (bus_selinux_allows_send): Handle OOM on
_dbus_string_init failure correctly.
(bus_selinux_append_context): Convert SID to context. Append it
as a byte array.
(bus_selinux_shutdown): Handle the case where bus_selinux_full_init
hasn't been called.
* bus/selinux.h: Update prototype.
* dbus/dbus-protocol.h (DBUS_ERROR_SELINUX_SECURITY_CONTEXT_UNKNOWN): Renamed
from DBUS_ERROR_UNIX_SECURITY_CONTEXT_UNKNOWN.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* bus/driver.c
(bus_driver_handle_get_connection_unix_security_context): New function.
(message_handlers): Add.
* bus/selinux.c (bus_selinux_append_context): New function; appends
security context to message.
* bus/selinux.h: Prototype.
* dbus/dbus-protocol.h (DBUS_ERROR_UNIX_SECURITY_CONTEXT_UNKNOWN): New.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bus/selinux.c: Add c-file-style to top of file
(log_audit_callback): Don't free the data here anymore
(bus_selinux_check): Don't take spid and tpid since appending
that to auxdata may OOM.
(bus_selinux_allows_acquire_service): Handle OOM and signal back
to the caller if we are OOM by taking an error object.
(bus_selinux_allows_send): -do-
* bus/selinux.h: Fix prototypes for bus_selinux_allows_acquire_service
and bus_selinux_allows_send
* bus/bus.c (bus_context_check_security_policy): Pass error and
pass on OOM thrown by bus_selinux_allows_send()
* bus/services.c (bus_registry_acquire_service): Pass error and
pass on OOM thrown by bus_selinux_allows_acquire_service()
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dbus/dbus-string.c (_dbus_string_get_length): New
function, writes DBusString to C buffer.
* dbus/dbus-string.h: Prototype it.
* dbus/dbus-message.c (dbus_message_type_to_string): New
function, converts message type into C string.
* dbus/dbus-message.h: Prototype it.
* bus/selinux.c (bus_selinux_check): Take source pid,
target pid, and audit data. Pass audit data to
avc_has_perm.
(log_audit_callback): New function, appends extra
audit information.
(bus_selinux_allows_acquire_service): Also take
service name, add it to audit data.
(bus_selinux_allows_send): Also take message
type, interface, method member, error name,
and destination, and add them to audit data.
(log_cb): Initialize func_audit.
* bus/selinux.h (bus_selinux_allows_acquire_service)
(bus_selinux_allows_send): Update prototypes
* bus/services.c (bus_registry_acquire_service): Pass
service name to bus_selinux_allows_acquire_service.
* bus/bus.c (bus_context_check_security_policy): Pass
additional audit data. Move assignment of dest
to its own line.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bus/bus.c (load_config): Break into three
separate functions: process_config_first_time_only,
process_config_every_time, and process_config_postinit.
(process_config_every_time): Move call of
bus_registry_set_service_context_table into
process_config_postinit.
(process_config_postinit): New function, does
any processing that needs to happen late
in initialization (and also on reload).
(bus_context_new): Instead of calling load_config,
open config parser here and call process_config_first_time_only
and process_config_every_time directly. Later, after
we have forked but before changing UID,
invoke bus_selinux_full_init, and then call
process_config_postinit.
(bus_context_reload_config): As in bus_context_new,
load parse file inside here, and call process_config_every_time
and process_config_postinit.
* bus/services.h, bus/services.c
(bus_registry_set_service_context_table): Rename
from bus_registry_set_sid_table. Take string hash from config
parser, and convert them here into SIDs.
* bus/config-parser.c (struct BusConfigParser): Have
config parser only store a mapping of service->context
string.
(merge_service_context_hash): New function.
(merge_included): Merge context string hashes instead
of using bus_selinux_id_table_union.
(bus_config_parser_new): Don't use bus_selinux_id_table_new;
simply create a new string hash.
(bus_config_parser_unref): Unref it.
(start_selinux_child): Simply insert strings into hash,
don't call bus_selinux_id_table_copy_over.
* bus/selinux.h, bus/selinux.c (bus_selinux_id_table_union)
(bus_selinux_id_table_copy_over): Delete.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bus/selinux.c (bus_selinux_init): Split into two functions,
bus_selinux_pre_init and bus_selinux_post_init.
(bus_selinux_pre_init): Just determine whether SELinux is
enabled.
(bus_selinux_post_init): Do everything else.
* bus/main.c (main): Call bus_selinux_pre_init before parsing
config file, and bus_selinux_post_init after. This ensures that
we don't lose the policyreload notification thread that
bus_selinux_init created before forking previously.
* bus/test-main.c (test_pre_hook): Update for split.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bus/selinux.h: Add bus_selinux_enabled.
* bus/selinux.c (bus_selinux_enabled): Implement it.
* bus/config-parser.c (struct include): Add
if_selinux_enabled member.
(start_busconfig_child): Parse if_selinux_enabled
attribute for include.
(bus_config_parser_content): Handle it.
* bus/session.conf.in, bus/system.conf.in: Add
inclusion of context mapping to default config files;
conditional on SELinux being enabled.
* doc/busconfig.dtd: Add to if_selinux_enabled to default DTD.
* test/data/invalid-config-files/badselinux-1.conf,
test/data/invalid-config-files/badselinux-2.conf:
Test files for bad syntax.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bus/selinux.h: Prototype bus_selinux_get_policy_root.
* bus/selinux.c: Create a thread for policy reload notification.
(bus_selinux_get_policy_root): Implement.
Updated SELinux support from Matthew Rickard <mjricka@epoch.ncsc.mil>
* bus/config-parser.c (start_busconfig_child)
(bus_config_parser_content): Support SELinux-root relative
inclusion.
* configure.in <HAVE_SELINUX>: Add -lpthread.
* bus/test-main.c (test_pre_hook, test_post_hook): New.
(test_post_hook): Move memory checking into here.
(test_pre_hook, test_post_hook): Move SELinux checks in
here, but conditional on a DBUS_TEST_SELINUX environment
variable. Unfortunately we can't run the SELinux checks
as a normal user, since they won't have any permissions
for /selinux. So this will have to be tested manually
for now, until we have virtualization for most of
libselinux.
|
| |
|
|
|
| |
* COPYING: switch to Academic Free License version 2.1 instead of
2.0, to resolve complaints about patent termination clause.
|
|
|
SELinux support from Matthew Rickard <mjricka@epoch.ncsc.mil>
* bus/selinux.c, bus/selinux.h: new file encapsulating selinux
functionality
* configure.in: add --enable-selinux
* bus/policy.c (bus_policy_merge): add FIXME to a comment
* bus/main.c (main): initialize and shut down selinux
* bus/connection.c: store SELinux ID on each connection, to avoid
repeated getting of the string context and converting it into
an ID
* bus/bus.c (bus_context_get_policy): new accessor, though it
isn't used
(bus_context_check_security_policy): check whether the security
context of sender connection can send to the security context of
recipient connection
* bus/config-parser.c: add parsing for <selinux> and <associate>
* dbus/dbus-transport.c (_dbus_transport_get_unix_fd): to
implement dbus_connection_get_unix_fd()
* dbus/dbus-connection.c (dbus_connection_get_unix_fd): new
function, used by the selinux stuff
|
