diff options
author | Lennart Poettering <lennart@poettering.net> | 2013-11-21 23:36:51 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2013-11-21 23:36:51 +0100 |
commit | 969987ea93a7fdcd2c87b551eb0adf0bd9338b32 (patch) | |
tree | 977186164514497136688bba7357662a60e6751a /src | |
parent | 9f5eb56a13dee1085cbf2560ac3afd73f72402cb (diff) |
bus: restore selinux access control to PID 1 for properties
Diffstat (limited to 'src')
-rw-r--r-- | src/core/dbus.c | 69 | ||||
-rw-r--r-- | src/libsystemd-bus/sd-bus.c | 2 |
2 files changed, 70 insertions, 1 deletions
diff --git a/src/core/dbus.c b/src/core/dbus.c index 3d8da1e6ad..1cb4d0fa7d 100644 --- a/src/core/dbus.c +++ b/src/core/dbus.c @@ -42,6 +42,8 @@ #include "bus-errors.h" #include "strxcpyx.h" #include "dbus-client-track.h" +#include "bus-internal.h" +#include "selinux-access.h" #define CONNECTIONS_MAX 512 @@ -209,6 +211,67 @@ failed: return 0; } +static int selinux_filter(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) { + Manager *m = userdata; + const char *verb, *path; + Unit *u = NULL; + Job *j; + int r; + + assert(bus); + assert(message); + + /* Our own method calls are all protected individually with + * selinux checks, but the built-in interfaces need to be + * protected too. */ + + if (sd_bus_message_is_method_call(message, "org.freedesktop.DBus.Properties", "Set")) + verb = "reload"; + else if (sd_bus_message_is_method_call(message, "org.freedesktop.DBus.Introspectable", NULL) || + sd_bus_message_is_method_call(message, "org.freedesktop.DBus.Properties", NULL) || + sd_bus_message_is_method_call(message, "org.freedesktop.DBus.ObjectManager", NULL) || + sd_bus_message_is_method_call(message, "org.freedesktop.DBus.Peer", NULL)) + verb = "status"; + else + return 0; + + path = sd_bus_message_get_path(message); + + if (object_path_startswith("/org/freedesktop/systemd1", path)) { + + r = selinux_access_check(bus, message, verb, error); + if (r < 0) + return r; + + return 0; + } + + if (streq_ptr(path, "/org/freedesktop/systemd1/unit/self")) { + pid_t pid; + + r = sd_bus_get_owner_pid(bus, sd_bus_message_get_sender(message), &pid); + if (r < 0) + return 0; + + u = manager_get_unit_by_pid(m, pid); + } else { + r = manager_get_job_from_dbus_path(m, path, &j); + if (r >= 0) + u = j->unit; + else + manager_load_unit_from_dbus_path(m, path, NULL, &u); + } + + if (!u) + return 0; + + r = selinux_unit_access_check(u, bus, message, verb, error); + if (r < 0) + return r; + + return 0; +} + static int bus_job_find(sd_bus *bus, const char *path, const char *interface, void **found, void *userdata) { Manager *m = userdata; Job *j; @@ -458,6 +521,12 @@ static int bus_setup_api_vtables(Manager *m, sd_bus *bus) { assert(m); assert(bus); + r = sd_bus_add_filter(bus, selinux_filter, m); + if (r < 0) { + log_error("Failed to add SELinux access filter: %s", strerror(-r)); + return r; + } + r = sd_bus_add_object_vtable(bus, "/org/freedesktop/systemd1", "org.freedesktop.systemd1.Manager", bus_manager_vtable, m); if (r < 0) { log_error("Failed to register Manager vtable: %s", strerror(-r)); diff --git a/src/libsystemd-bus/sd-bus.c b/src/libsystemd-bus/sd-bus.c index 2604434467..4df649c9f7 100644 --- a/src/libsystemd-bus/sd-bus.c +++ b/src/libsystemd-bus/sd-bus.c @@ -1945,7 +1945,7 @@ static int process_filter(sd_bus *bus, sd_bus_message *m) { if (r < 0) return r; - r = l->callback(bus, m, &error_buffer, l->userdata); + r = l->callback(bus, m, l->userdata, &error_buffer); r = bus_maybe_reply_error(m, r, &error_buffer); if (r != 0) return r; |