summaryrefslogtreecommitdiff
path: root/src/core
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2015-04-21 00:58:08 +0200
committerLennart Poettering <lennart@poettering.net>2015-04-21 00:58:56 +0200
commit0f51442056157cfec2efc52ddbff7392b0ff674a (patch)
treed806661843f62a79fea36f50657728b185146d05 /src/core
parent822d9b6e4c2f0dc1ebc606006dc52257f06850c5 (diff)
sd-bus: when augmenting creds, remember which ones were augmented
Also, when we do permissions checks using creds, verify that we don't do so based on augmented creds, as extra safety check.
Diffstat (limited to 'src/core')
-rw-r--r--src/core/selinux-access.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 7058b7802d..5e9a4a5e02 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -222,6 +222,14 @@ int mac_selinux_generic_access_check(
if (r < 0)
goto finish;
+ /* The SELinux context is something we really should have
+ * gotten directly from the message or sender, and not be an
+ * augmented field. If it was augmented we cannot use it for
+ * authorization, since this is racy and vulnerable. Let's add
+ * an extra check, just in case, even though this really
+ * shouldn't be possible. */
+ assert_return((sd_bus_creds_get_augmented_mask(creds) & SD_BUS_CREDS_SELINUX_CONTEXT) == 0, -EPERM);
+
r = sd_bus_creds_get_selinux_context(creds, &scon);
if (r < 0)
goto finish;