sd-bus: when augmenting creds, remember which ones were augmented

Also, when we do permissions checks using creds, verify that we don't do so based on augmented creds, as extra safety check.
author: Lennart Poettering <lennart@poettering.net> 2015-04-21 00:58:08 +0200
committer: Lennart Poettering <lennart@poettering.net> 2015-04-21 00:58:56 +0200
commit: 0f51442056157cfec2efc52ddbff7392b0ff674a (patch)
tree: d806661843f62a79fea36f50657728b185146d05 /src/core/selinux-access.c
parent: 822d9b6e4c2f0dc1ebc606006dc52257f06850c5 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 7058b7802d..5e9a4a5e02 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -222,6 +222,14 @@ int mac_selinux_generic_access_check(
         if (r < 0)
                 goto finish;
 
+        /* The SELinux context is something we really should have
+         * gotten directly from the message or sender, and not be an
+         * augmented field. If it was augmented we cannot use it for
+         * authorization, since this is racy and vulnerable. Let's add
+         * an extra check, just in case, even though this really
+         * shouldn't be possible. */
+        assert_return((sd_bus_creds_get_augmented_mask(creds) & SD_BUS_CREDS_SELINUX_CONTEXT) == 0, -EPERM);
+
         r = sd_bus_creds_get_selinux_context(creds, &scon);
         if (r < 0)
                 goto finish;
author	Lennart Poettering <lennart@poettering.net>	2015-04-21 00:58:08 +0200
committer	Lennart Poettering <lennart@poettering.net>	2015-04-21 00:58:56 +0200
commit	0f51442056157cfec2efc52ddbff7392b0ff674a (patch)
tree	d806661843f62a79fea36f50657728b185146d05 /src/core/selinux-access.c
parent	822d9b6e4c2f0dc1ebc606006dc52257f06850c5 (diff)