summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/bus-proxyd/bus-proxyd.c61
-rw-r--r--units/systemd-bus-proxyd@.service.in2
-rw-r--r--units/user/systemd-bus-proxyd@.service.in2
3 files changed, 38 insertions, 27 deletions
diff --git a/src/bus-proxyd/bus-proxyd.c b/src/bus-proxyd/bus-proxyd.c
index a66197abe0..d2acb788d3 100644
--- a/src/bus-proxyd/bus-proxyd.c
+++ b/src/bus-proxyd/bus-proxyd.c
@@ -1381,39 +1381,50 @@ int main(int argc, char *argv[]) {
}
if (a->is_kernel) {
- _cleanup_bus_creds_unref_ sd_bus_creds *bus_creds = NULL;
- uid_t bus_uid;
+ if (!arg_configuration) {
+ const char *scope;
- r = sd_bus_get_owner_creds(a, SD_BUS_CREDS_UID, &bus_creds);
- if (r < 0) {
- log_error_errno(r, "Failed to get bus creds: %m");
- goto finish;
- }
-
- r = sd_bus_creds_get_uid(bus_creds, &bus_uid);
- if (r < 0) {
- log_error_errno(r, "Failed to get bus owner UID: %m");
- goto finish;
- }
-
- if (bus_uid == 0) {
- /* We only enforce the old XML policy on
- * kernel busses owned by root users. */
-
- r = policy_load(&policy_buffer, arg_configuration);
+ r = sd_bus_get_scope(a, &scope);
if (r < 0) {
- log_error_errno(r, "Failed to load policy: %m");
+ log_error_errno(r, "Couldn't determine bus scope: %m");
goto finish;
}
- if (!policy_check_hello(&policy_buffer, ucred.uid, ucred.gid)) {
- log_error("Policy denied connection");
- r = -EPERM;
+ if (streq(scope, "system"))
+ arg_configuration = strv_new(
+ "/etc/dbus-1/system.conf",
+ "/etc/dbus-1/system.d/",
+ "/etc/dbus-1/system-local.conf",
+ NULL);
+ else if (streq(scope, "user"))
+ arg_configuration = strv_new(
+ "/etc/dbus-1/session.conf",
+ "/etc/dbus-1/session.d/",
+ "/etc/dbus-1/session-local.conf",
+ NULL);
+ else {
+ log_error("Unknown scope %s, don't know which policy to load. Refusing.", scope);
goto finish;
}
- policy_dump(&policy_buffer);
- policy = &policy_buffer;
+ if (!arg_configuration) {
+ r = log_oom();
+ goto finish;
+ }
+ }
+
+ r = policy_load(&policy_buffer, arg_configuration);
+ if (r < 0) {
+ log_error_errno(r, "Failed to load policy: %m");
+ goto finish;
+ }
+
+ policy = &policy_buffer;
+ policy_dump(policy);
+
+ if (!policy_check_hello(policy, ucred.uid, ucred.gid)) {
+ r = log_error_errno(EPERM, "Policy denied connection.");
+ goto finish;
}
}
diff --git a/units/systemd-bus-proxyd@.service.in b/units/systemd-bus-proxyd@.service.in
index fdcd3029fd..23b5ffa072 100644
--- a/units/systemd-bus-proxyd@.service.in
+++ b/units/systemd-bus-proxyd@.service.in
@@ -12,7 +12,7 @@ Description=Legacy D-Bus Protocol Compatibility Daemon
# The first argument will be replaced by the service by information on
# the process requesting the proxy, we need a placeholder to keep the
# space available for this.
-ExecStart=@rootlibexecdir@/systemd-bus-proxyd --drop-privileges --address=kernel:path=/sys/fs/kdbus/0-system/bus --configuration=/etc/dbus-1/system.conf --configuration=/etc/dbus-1/system-local.conf --configuration=/etc/dbus-1/system.d/ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ExecStart=@rootlibexecdir@/systemd-bus-proxyd --drop-privileges --address=kernel:path=/sys/fs/kdbus/0-system/bus xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
NotifyAccess=main
CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP
PrivateTmp=yes
diff --git a/units/user/systemd-bus-proxyd@.service.in b/units/user/systemd-bus-proxyd@.service.in
index 48294db266..0ab5462ed5 100644
--- a/units/user/systemd-bus-proxyd@.service.in
+++ b/units/user/systemd-bus-proxyd@.service.in
@@ -12,5 +12,5 @@ Description=Legacy D-Bus Protocol Compatibility Daemon
# The first argument will be replaced by the service by information on
# the process requesting the proxy, we need a placeholder to keep the
# space available for this.
-ExecStart=@rootlibexecdir@/systemd-bus-proxyd --address=kernel:path=/sys/fs/kdbus/%U-user/bus --configuration=/etc/dbus-1/session.conf --configuration=/etc/dbus-1/session-local.conf --configuration=/etc/dbus-1/session.d/ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ExecStart=@rootlibexecdir@/systemd-bus-proxyd --address=kernel:path=/sys/fs/kdbus/%U-user/bus xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
NotifyAccess=main