summaryrefslogtreecommitdiff
path: root/src/core/selinux-access.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/core/selinux-access.c')
-rw-r--r--src/core/selinux-access.c219
1 files changed, 41 insertions, 178 deletions
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index cca3df652a..21c7a8c5bc 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -41,91 +41,16 @@
#include "audit.h"
#include "selinux-util.h"
#include "audit-fd.h"
+#include "strv.h"
static bool initialized = false;
-struct auditstruct {
+struct audit_info {
+ sd_bus_creds *creds;
const char *path;
- char *cmdline;
- uid_t loginuid;
- uid_t uid;
- gid_t gid;
+ const char *cmdline;
};
-static int bus_get_selinux_security_context(
- sd_bus *bus,
- const char *name,
- sd_bus_error *error,
- char **ret) {
-
- _cleanup_bus_message_unref_ sd_bus_message *m = NULL;
- const void *p;
- size_t sz;
- char *b;
- int r;
-
- assert(bus);
- assert(name);
- assert(ret);
-
- r = sd_bus_call_method(
- bus,
- "org.freedesktop.DBus",
- "/org/freedesktop/DBus",
- "org.freedesktop.DBus",
- "GetConnectionSELinuxSecurityContext",
- error, &m,
- "s", name);
- if (r < 0)
- return r;
-
- r = sd_bus_message_read_array(m, 'y', &p, &sz);
- if (r < 0)
- return r;
-
- b = strndup(p, sz);
- if (!b)
- return -ENOMEM;
-
- *ret = b;
- return 0;
-}
-
-static int bus_get_audit_data(
- sd_bus *bus,
- const char *name,
- struct auditstruct *audit) {
-
- pid_t pid;
- int r;
-
- assert(bus);
- assert(name);
- assert(audit);
-
- r = sd_bus_get_owner_pid(bus, name, &pid);
- if (r < 0)
- return r;
-
- r = audit_loginuid_from_pid(pid, &audit->loginuid);
- if (r < 0)
- return r;
-
- r = get_process_uid(pid, &audit->uid);
- if (r < 0)
- return r;
-
- r = get_process_gid(pid, &audit->gid);
- if (r < 0)
- return r;
-
- r = get_process_cmdline(pid, 0, true, &audit->cmdline);
- if (r < 0)
- return r;
-
- return 0;
-}
-
/*
Any time an access gets denied this callback will be called
with the aduit data. We then need to just copy the audit data into the msgbuf.
@@ -136,19 +61,19 @@ static int audit_callback(
char *msgbuf,
size_t msgbufsize) {
- struct auditstruct *audit = (struct auditstruct *) auditdata;
+ const struct audit_info *audit = auditdata;
+ uid_t uid = 0, login_uid = 0;
+ gid_t gid = 0;
+
+ sd_bus_creds_get_audit_login_uid(audit->creds, &login_uid);
+ sd_bus_creds_get_uid(audit->creds, &uid);
+ sd_bus_creds_get_gid(audit->creds, &gid);
snprintf(msgbuf, msgbufsize,
"auid=%d uid=%d gid=%d%s%s%s%s%s%s",
- audit->loginuid,
- audit->uid,
- audit->gid,
- (audit->path ? " path=\"" : ""),
- strempty(audit->path),
- (audit->path ? "\"" : ""),
- (audit->cmdline ? " cmdline=\"" : ""),
- strempty(audit->cmdline),
- (audit->cmdline ? "\"" : ""));
+ login_uid, uid, gid,
+ audit->path ? " path=\"" : "", strempty(audit->path), audit->path ? "\"" : "",
+ audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "");
msgbuf[msgbufsize-1] = 0;
@@ -164,13 +89,12 @@ static int audit_callback(
_printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
va_list ap;
- va_start(ap, fmt);
-
#ifdef HAVE_AUDIT
if (get_audit_fd() >= 0) {
_cleanup_free_ char *buf = NULL;
int r;
+ va_start(ap, fmt);
r = vasprintf(&buf, fmt, ap);
va_end(ap);
@@ -178,10 +102,10 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
return 0;
}
-
- va_start(ap, fmt);
}
#endif
+
+ va_start(ap, fmt);
log_metav(LOG_USER | LOG_INFO, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
va_end(ap);
@@ -238,76 +162,6 @@ void selinux_access_free(void) {
initialized = false;
}
-static int get_audit_data(
- sd_bus *bus,
- sd_bus_message *message,
- struct auditstruct *audit) {
-
- struct ucred ucred;
- const char *sender;
- socklen_t len;
- int r, fd;
-
- sender = sd_bus_message_get_sender(message);
- if (sender)
- return bus_get_audit_data(bus, sender, audit);
-
- fd = sd_bus_get_fd(bus);
- if (fd < 0)
- return fd;
-
- len = sizeof(ucred);
- r = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &ucred, &len);
- if (r < 0)
- return -errno;
-
- audit->uid = ucred.uid;
- audit->gid = ucred.gid;
-
- r = audit_loginuid_from_pid(ucred.pid, &audit->loginuid);
- if (r < 0)
- return r;
-
- r = get_process_cmdline(ucred.pid, 0, true, &audit->cmdline);
- if (r < 0)
- return r;
-
- return 0;
-}
-
-/*
- This function returns the security context of the remote end of the dbus
- connections. Whether it is on the bus or a local connection.
-*/
-static int get_calling_context(
- sd_bus *bus,
- sd_bus_message *message,
- sd_bus_error *error,
- security_context_t *ret) {
-
- const char *sender;
- int r, fd;
-
- /*
- If sender exists then
- if sender is NULL this indicates a local connection. Grab the fd
- from dbus and do an getpeercon to peers process context
- */
- sender = sd_bus_message_get_sender(message);
- if (sender)
- return bus_get_selinux_security_context(bus, sender, error, ret);
-
- fd = sd_bus_get_fd(bus);
- if (fd < 0)
- return fd;
-
- r = getpeercon(fd, ret);
- if (r < 0)
- return -errno;
-
- return 0;
-}
-
/*
This function communicates with the kernel to check whether or not it should
allow the access.
@@ -321,9 +175,12 @@ int selinux_generic_access_check(
const char *permission,
sd_bus_error *error) {
- security_context_t scon = NULL, fcon = NULL;
- const char *tclass = NULL;
- struct auditstruct audit;
+ _cleanup_bus_creds_unref_ sd_bus_creds *creds = NULL;
+ const char *tclass = NULL, *scon = NULL;
+ struct audit_info audit_info = {};
+ _cleanup_free_ char *cl = NULL;
+ security_context_t fcon = NULL;
+ char **cmdline = NULL;
int r = 0;
assert(bus);
@@ -338,12 +195,16 @@ int selinux_generic_access_check(
if (r < 0)
return r;
- audit.uid = audit.loginuid = (uid_t) -1;
- audit.gid = (gid_t) -1;
- audit.cmdline = NULL;
- audit.path = path;
+ r = sd_bus_query_sender_creds(
+ message,
+ SD_BUS_CREDS_PID|SD_BUS_CREDS_UID|SD_BUS_CREDS_GID|
+ SD_BUS_CREDS_CMDLINE|SD_BUS_CREDS_AUDIT_LOGIN_UID|
+ SD_BUS_CREDS_SELINUX_CONTEXT,
+ &creds);
+ if (r < 0)
+ goto finish;
- r = get_calling_context(bus, message, error, &scon);
+ r = sd_bus_creds_get_selinux_context(creds, &scon);
if (r < 0)
goto finish;
@@ -367,21 +228,23 @@ int selinux_generic_access_check(
tclass = "system";
}
- get_audit_data(bus, message, &audit);
+ sd_bus_creds_get_cmdline(creds, &cmdline);
+ cl = strv_join(cmdline, " ");
+
+ audit_info.creds = creds;
+ audit_info.path = path;
+ audit_info.cmdline = cl;
- errno = 0;
- r = selinux_check_access(scon, fcon, tclass, permission, &audit);
+ r = selinux_check_access((security_context_t) scon, fcon, tclass, permission, &audit_info);
if (r < 0)
r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");
- log_debug("SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %i", scon, fcon, tclass, permission, path, audit.cmdline, r);
+ log_debug("SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %i", scon, fcon, tclass, permission, path, cl, r);
finish:
- free(audit.cmdline);
- freecon(scon);
freecon(fcon);
- if (r && security_getenforce() != 1) {
+ if (r < 0 && security_getenforce() != 1) {
sd_bus_error_free(error);
r = 0;
}