diff options
author | Lennart Poettering <lennart@poettering.net> | 2015-04-21 00:58:08 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2015-04-21 00:58:56 +0200 |
commit | 0f51442056157cfec2efc52ddbff7392b0ff674a (patch) | |
tree | d806661843f62a79fea36f50657728b185146d05 /src/core | |
parent | 822d9b6e4c2f0dc1ebc606006dc52257f06850c5 (diff) |
sd-bus: when augmenting creds, remember which ones were augmented
Also, when we do permissions checks using creds, verify that we don't do
so based on augmented creds, as extra safety check.
Diffstat (limited to 'src/core')
-rw-r--r-- | src/core/selinux-access.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c index 7058b7802d..5e9a4a5e02 100644 --- a/src/core/selinux-access.c +++ b/src/core/selinux-access.c @@ -222,6 +222,14 @@ int mac_selinux_generic_access_check( if (r < 0) goto finish; + /* The SELinux context is something we really should have + * gotten directly from the message or sender, and not be an + * augmented field. If it was augmented we cannot use it for + * authorization, since this is racy and vulnerable. Let's add + * an extra check, just in case, even though this really + * shouldn't be possible. */ + assert_return((sd_bus_creds_get_augmented_mask(creds) & SD_BUS_CREDS_SELINUX_CONTEXT) == 0, -EPERM); + r = sd_bus_creds_get_selinux_context(creds, &scon); if (r < 0) goto finish; |