summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2014-11-26 18:57:37 +0100
committerLennart Poettering <lennart@poettering.net>2014-11-26 18:57:39 +0100
commit8fd00193803fd20bed163832ec4d0d5ba2958b87 (patch)
tree9fe9998bc631f8cb168ded1f98de271205c9629d
parent6dae84cbdda6c0547b374119960b49c9da5aa481 (diff)
core: make sure we have enough information when doing selinux decisions
Let's ask for the security relevant bits in a race-free way, and augment the rest from /proc.
-rw-r--r--src/core/dbus.c8
-rw-r--r--src/core/selinux-access.c3
2 files changed, 10 insertions, 1 deletions
diff --git a/src/core/dbus.c b/src/core/dbus.c
index ec1c0d4336..e23d36fddc 100644
--- a/src/core/dbus.c
+++ b/src/core/dbus.c
@@ -776,6 +776,14 @@ static int bus_setup_api(Manager *m, sd_bus *bus) {
assert(m);
assert(bus);
+ /* Let's make sure we have enough credential bits so that we can make security and selinux decisions */
+ r = sd_bus_negotiate_creds(bus, 1,
+ SD_BUS_CREDS_PID|SD_BUS_CREDS_UID|
+ SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS|
+ SD_BUS_CREDS_SELINUX_CONTEXT);
+ if (r < 0)
+ log_warning("Failed to enable credential passing, ignoring: %s", strerror(-r));
+
r = bus_setup_api_vtables(m, bus);
if (r < 0)
return r;
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index a4694b33f3..a50dec3961 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -207,7 +207,8 @@ int mac_selinux_generic_access_check(
message,
SD_BUS_CREDS_PID|SD_BUS_CREDS_UID|SD_BUS_CREDS_GID|
SD_BUS_CREDS_CMDLINE|SD_BUS_CREDS_AUDIT_LOGIN_UID|
- SD_BUS_CREDS_SELINUX_CONTEXT,
+ SD_BUS_CREDS_SELINUX_CONTEXT|
+ SD_BUS_CREDS_AUGMENT /* get more bits from /proc */,
&creds);
if (r < 0)
goto finish;