diff options
Diffstat (limited to 'src/core/selinux-access.c')
-rw-r--r-- | src/core/selinux-access.c | 219 |
1 files changed, 41 insertions, 178 deletions
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c index cca3df652a..21c7a8c5bc 100644 --- a/src/core/selinux-access.c +++ b/src/core/selinux-access.c @@ -41,91 +41,16 @@ #include "audit.h" #include "selinux-util.h" #include "audit-fd.h" +#include "strv.h" static bool initialized = false; -struct auditstruct { +struct audit_info { + sd_bus_creds *creds; const char *path; - char *cmdline; - uid_t loginuid; - uid_t uid; - gid_t gid; + const char *cmdline; }; -static int bus_get_selinux_security_context( - sd_bus *bus, - const char *name, - sd_bus_error *error, - char **ret) { - - _cleanup_bus_message_unref_ sd_bus_message *m = NULL; - const void *p; - size_t sz; - char *b; - int r; - - assert(bus); - assert(name); - assert(ret); - - r = sd_bus_call_method( - bus, - "org.freedesktop.DBus", - "/org/freedesktop/DBus", - "org.freedesktop.DBus", - "GetConnectionSELinuxSecurityContext", - error, &m, - "s", name); - if (r < 0) - return r; - - r = sd_bus_message_read_array(m, 'y', &p, &sz); - if (r < 0) - return r; - - b = strndup(p, sz); - if (!b) - return -ENOMEM; - - *ret = b; - return 0; -} - -static int bus_get_audit_data( - sd_bus *bus, - const char *name, - struct auditstruct *audit) { - - pid_t pid; - int r; - - assert(bus); - assert(name); - assert(audit); - - r = sd_bus_get_owner_pid(bus, name, &pid); - if (r < 0) - return r; - - r = audit_loginuid_from_pid(pid, &audit->loginuid); - if (r < 0) - return r; - - r = get_process_uid(pid, &audit->uid); - if (r < 0) - return r; - - r = get_process_gid(pid, &audit->gid); - if (r < 0) - return r; - - r = get_process_cmdline(pid, 0, true, &audit->cmdline); - if (r < 0) - return r; - - return 0; -} - /* Any time an access gets denied this callback will be called with the aduit data. We then need to just copy the audit data into the msgbuf. @@ -136,19 +61,19 @@ static int audit_callback( char *msgbuf, size_t msgbufsize) { - struct auditstruct *audit = (struct auditstruct *) auditdata; + const struct audit_info *audit = auditdata; + uid_t uid = 0, login_uid = 0; + gid_t gid = 0; + + sd_bus_creds_get_audit_login_uid(audit->creds, &login_uid); + sd_bus_creds_get_uid(audit->creds, &uid); + sd_bus_creds_get_gid(audit->creds, &gid); snprintf(msgbuf, msgbufsize, "auid=%d uid=%d gid=%d%s%s%s%s%s%s", - audit->loginuid, - audit->uid, - audit->gid, - (audit->path ? " path=\"" : ""), - strempty(audit->path), - (audit->path ? "\"" : ""), - (audit->cmdline ? " cmdline=\"" : ""), - strempty(audit->cmdline), - (audit->cmdline ? "\"" : "")); + login_uid, uid, gid, + audit->path ? " path=\"" : "", strempty(audit->path), audit->path ? "\"" : "", + audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : ""); msgbuf[msgbufsize-1] = 0; @@ -164,13 +89,12 @@ static int audit_callback( _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) { va_list ap; - va_start(ap, fmt); - #ifdef HAVE_AUDIT if (get_audit_fd() >= 0) { _cleanup_free_ char *buf = NULL; int r; + va_start(ap, fmt); r = vasprintf(&buf, fmt, ap); va_end(ap); @@ -178,10 +102,10 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) { audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0); return 0; } - - va_start(ap, fmt); } #endif + + va_start(ap, fmt); log_metav(LOG_USER | LOG_INFO, __FILE__, __LINE__, __FUNCTION__, fmt, ap); va_end(ap); @@ -238,76 +162,6 @@ void selinux_access_free(void) { initialized = false; } -static int get_audit_data( - sd_bus *bus, - sd_bus_message *message, - struct auditstruct *audit) { - - struct ucred ucred; - const char *sender; - socklen_t len; - int r, fd; - - sender = sd_bus_message_get_sender(message); - if (sender) - return bus_get_audit_data(bus, sender, audit); - - fd = sd_bus_get_fd(bus); - if (fd < 0) - return fd; - - len = sizeof(ucred); - r = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &ucred, &len); - if (r < 0) - return -errno; - - audit->uid = ucred.uid; - audit->gid = ucred.gid; - - r = audit_loginuid_from_pid(ucred.pid, &audit->loginuid); - if (r < 0) - return r; - - r = get_process_cmdline(ucred.pid, 0, true, &audit->cmdline); - if (r < 0) - return r; - - return 0; -} - -/* - This function returns the security context of the remote end of the dbus - connections. Whether it is on the bus or a local connection. -*/ -static int get_calling_context( - sd_bus *bus, - sd_bus_message *message, - sd_bus_error *error, - security_context_t *ret) { - - const char *sender; - int r, fd; - - /* - If sender exists then - if sender is NULL this indicates a local connection. Grab the fd - from dbus and do an getpeercon to peers process context - */ - sender = sd_bus_message_get_sender(message); - if (sender) - return bus_get_selinux_security_context(bus, sender, error, ret); - - fd = sd_bus_get_fd(bus); - if (fd < 0) - return fd; - - r = getpeercon(fd, ret); - if (r < 0) - return -errno; - - return 0; -} - /* This function communicates with the kernel to check whether or not it should allow the access. @@ -321,9 +175,12 @@ int selinux_generic_access_check( const char *permission, sd_bus_error *error) { - security_context_t scon = NULL, fcon = NULL; - const char *tclass = NULL; - struct auditstruct audit; + _cleanup_bus_creds_unref_ sd_bus_creds *creds = NULL; + const char *tclass = NULL, *scon = NULL; + struct audit_info audit_info = {}; + _cleanup_free_ char *cl = NULL; + security_context_t fcon = NULL; + char **cmdline = NULL; int r = 0; assert(bus); @@ -338,12 +195,16 @@ int selinux_generic_access_check( if (r < 0) return r; - audit.uid = audit.loginuid = (uid_t) -1; - audit.gid = (gid_t) -1; - audit.cmdline = NULL; - audit.path = path; + r = sd_bus_query_sender_creds( + message, + SD_BUS_CREDS_PID|SD_BUS_CREDS_UID|SD_BUS_CREDS_GID| + SD_BUS_CREDS_CMDLINE|SD_BUS_CREDS_AUDIT_LOGIN_UID| + SD_BUS_CREDS_SELINUX_CONTEXT, + &creds); + if (r < 0) + goto finish; - r = get_calling_context(bus, message, error, &scon); + r = sd_bus_creds_get_selinux_context(creds, &scon); if (r < 0) goto finish; @@ -367,21 +228,23 @@ int selinux_generic_access_check( tclass = "system"; } - get_audit_data(bus, message, &audit); + sd_bus_creds_get_cmdline(creds, &cmdline); + cl = strv_join(cmdline, " "); + + audit_info.creds = creds; + audit_info.path = path; + audit_info.cmdline = cl; - errno = 0; - r = selinux_check_access(scon, fcon, tclass, permission, &audit); + r = selinux_check_access((security_context_t) scon, fcon, tclass, permission, &audit_info); if (r < 0) r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access."); - log_debug("SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %i", scon, fcon, tclass, permission, path, audit.cmdline, r); + log_debug("SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %i", scon, fcon, tclass, permission, path, cl, r); finish: - free(audit.cmdline); - freecon(scon); freecon(fcon); - if (r && security_getenforce() != 1) { + if (r < 0 && security_getenforce() != 1) { sd_bus_error_free(error); r = 0; } |