-rw-r--r-- | src/bus-proxyd/bus-proxyd.c | 61 | ||||
-rw-r--r-- | units/systemd-bus-proxyd@.service.in | 2 | ||||
-rw-r--r-- | units/user/systemd-bus-proxyd@.service.in | 2 |
3 files changed, 38 insertions, 27 deletions
diff --git a/src/bus-proxyd/bus-proxyd.c b/src/bus-proxyd/bus-proxyd.c
index a66197abe0..d2acb788d3 100644
--- a/src/bus-proxyd/bus-proxyd.c
+++ b/src/bus-proxyd/bus-proxyd.c
@@ -1381,39 +1381,50 @@ int main(int argc, char *argv[]) {
 }
 if (a->is_kernel) {
- _cleanup_bus_creds_unref_ sd_bus_creds *bus_creds = NULL;
- uid_t bus_uid;
+ if (!arg_configuration) {
+ const char *scope;
- r = sd_bus_get_owner_creds(a, SD_BUS_CREDS_UID, &bus_creds);
- if (r < 0) {
- log_error_errno(r, "Failed to get bus creds: %m");
- goto finish;
- }
-
- r = sd_bus_creds_get_uid(bus_creds, &bus_uid);
- if (r < 0) {
- log_error_errno(r, "Failed to get bus owner UID: %m");
- goto finish;
- }
-
- if (bus_uid == 0) {
- /* We only enforce the old XML policy on
- * kernel busses owned by root users. */
-
- r = policy_load(&policy_buffer, arg_configuration);
+ r = sd_bus_get_scope(a, &scope);
 if (r < 0) {
- log_error_errno(r, "Failed to load policy: %m");
+ log_error_errno(r, "Couldn't determine bus scope: %m");
 goto finish;
 }
- if (!policy_check_hello(&policy_buffer, ucred.uid, ucred.gid)) {
- log_error("Policy denied connection");
- r = -EPERM;
+ if (streq(scope, "system"))
+ arg_configuration = strv_new(
+ "/etc/dbus-1/system.conf",
+ "/etc/dbus-1/system.d/",
+ "/etc/dbus-1/system-local.conf",
+ NULL);
+ else if (streq(scope, "user"))
+ arg_configuration = strv_new(
+ "/etc/dbus-1/session.conf",
+ "/etc/dbus-1/session.d/",
+ "/etc/dbus-1/session-local.conf",
+ NULL);
+ else {
+ log_error("Unknown scope %s, don't know which policy to load. Refusing.", scope);
 goto finish;
 }
- policy_dump(&policy_buffer);
- policy = &policy_buffer;
+ if (!arg_configuration) {
+ r = log_oom();
+ goto finish;
+ }
+ }
+
+ r = policy_load(&policy_buffer, arg_configuration);
+ if (r < 0) {
+ log_error_errno(r, "Failed to load policy: %m");
+ goto finish;
+ }
+
+ policy = &policy_buffer;
+ policy_dump(policy);
+
+ if (!policy_check_hello(policy, ucred.uid, ucred.gid)) {
+ r = log_error_errno(EPERM, "Policy denied connection.");
+ goto finish;
 }
 }
diff --git a/units/systemd-bus-proxyd@.service.in b/units/systemd-bus-proxyd@.service.in
index fdcd3029fd..23b5ffa072 100644
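Review bot: The `else` branch for an unknown scope logs and jumps to `finish` without assigning `r`, which at that point still holds the non-negative result of `sd_bus_get_scope()`. Every other failure path added in this hunk leaves a negative value in `r` (`r = log_oom();`, `r = log_error_errno(EPERM, ...)`). If the exit status is derived from `r` at `finish`, which is outside the hunk, a refused connection would be reported as success and the refusal would not show up as a unit failure. Setting the code explicitly, for example `r = -EINVAL;` before that `goto finish;`, keeps the refusal visible to the service manager. main() starts and ends outside the hunk.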
--- a/units/systemd-bus-proxyd@.service.in
+++ b/units/systemd-bus-proxyd@.service.in
@@ -12,7 +12,7 @@ Description=Legacy D-Bus Protocol Compatibility Daemon
 # The first argument will be replaced by the service by information on
 # the process requesting the proxy, we need a placeholder to keep the
 # space available for this.
-ExecStart=@rootlibexecdir@/systemd-bus-proxyd --drop-privileges --address=kernel:path=/sys/fs/kdbus/0-system/bus --configuration=/etc/dbus-1/system.conf --configuration=/etc/dbus-1/system-local.conf --configuration=/etc/dbus-1/system.d/ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ExecStart=@rootlibexecdir@/systemd-bus-proxyd --drop-privileges --address=kernel:path=/sys/fs/kdbus/0-system/bus xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 NotifyAccess=main
 CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP
 PrivateTmp=yes
diff --git a/units/user/systemd-bus-proxyd@.service.in b/units/user/systemd-bus-proxyd@.service.in
index 48294db266..0ab5462ed5 100644
--- a/units/user/systemd-bus-proxyd@.service.in
+++ b/units/user/systemd-bus-proxyd@.service.in
@@ -12,5 +12,5 @@ Description=Legacy D-Bus Protocol Compatibility Daemon
 # The first argument will be replaced by the service by information on
 # the process requesting the proxy, we need a placeholder to keep the
 # space available for this.
-ExecStart=@rootlibexecdir@/systemd-bus-proxyd --address=kernel:path=/sys/fs/kdbus/%U-user/bus --configuration=/etc/dbus-1/session.conf --configuration=/etc/dbus-1/session-local.conf --configuration=/etc/dbus-1/session.d/ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ExecStart=@rootlibexecdir@/systemd-bus-proxyd --address=kernel:path=/sys/fs/kdbus/%U-user/bus xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 NotifyAccess=main |
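Review bot: The `--configuration=` arguments removed from this `ExecStart=` line listed `system.conf`, `system-local.conf`, `system.d/`, whereas the built-in default added in bus-proxyd.c lists `system.conf`, `system.d/`, `system-local.conf`; the user unit in the next hunk has the same swap for the session files. If `policy_load()` lets later files override earlier ones, which is not visible on this page, the effective policy changes for any rule present in both the drop-in directory and the local file. Since the unit no longer shows which policy is enforced, a comment above `ExecStart=` would help, such as `# Policy files are chosen from the bus scope inside bus-proxyd; pass --configuration= only to override them`.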