Age | Commit message (Collapse) | Author |
|
- actually return permission errors to clients
- use the right ucreds field
- fix error paths when we cannot keep track of locally acquired names
due to OOM
- avoid unnecessary global variables
- log when the policy denies access
- enforce correct policy rule order
- always request all the metadata its we need to make decisions
|
|
|
|
|
|
dbus1 only checks if these files parse correctly so let's do the same for now.
|
|
it passes with the bus proxy enforcement
|
|
KDBUS_ITEM_PIDS structure from KDBUS_ITEM_CREDS
Also:
- adds support for euid, suid, fsuid, egid, sgid, fsgid fields.
- makes augmentation of creds with data from /proc explicitly
controllable to give apps better control over this, given that this is
racy.
- enables augmentation for kdbus connections (previously we only did it
for dbus1). This is useful since with recent kdbus versions it is
possible for clients to control the metadata they want to send.
- changes sd_bus_query_sender_privilege() to take the euid of the client
into consideration, if known
- when we don't have permissions to read augmentation data from /proc,
don't fail, just don't add the data in
|
|
Our API calls check the validity of bus names anyway, hence we don't
have to do this before calling them...
|
|
|
|
The access check call was broken (as it tried to read a service name
from the UpdateActivationEnvironment() method call which doesn't carry
any). Also, it's unnecessary to make any access checks here, as we just
forward the call to PID 1 which should do the access checks necessary.
|
|
There are issues to investigate on with policies shipped by some
packages, which we'll address later. Move that topic out of the
way for now to bring sd-bus in sync with upstream kdbus.
|
|
In order to check for matching policy entries at message transfers, we
have to consider the following:
* check the currently owned names of both the sending and the receiving
peer. If the sending peer is connected via kdbus, the currently owned
names are already attached to the message. If it was originated by the
connection we're proxying for, we store the owned names in our own strv
so we can check against them.
* Walk the list of names to check which name would allow the message to
pass, and explicitly use that name as destination of the message. If the
destination is on kdbus, store both the connection's unique name and the
chosen well-known-name in the message. That way, the kernel will make sure
the supplied name is owned by the supplied unique name, at the time of
sending, and return -EREMCHG otherwise.
* Make the policy checks optional by retrieving the bus owner creds, and
when the uid matches the current user's uid and is non-null, don't check
the bus policy.
|
|
This reverts commit 5bb24cccbce846c0d77e71b70a3be7f4b2ba6c0e.
It does not even compile (unbalanced {)
|
|
Retrieve the bus owner creds, and when the uid matches the current user's
uid and is non-null, don't check the bus policy.
|
|
We need to figure out which of the possible names satisfied the policy,
so we cannot do the iteration in check_policy_item() but have to leave it
to the users.
Test cases amended accordingly.
|
|
|
|
|
|
|
|
Store names successfully acquired by the legacy client into a hashmap.
We need to take these names into account when checking for send policies.
|
|
In kdbus a "server id" is mostly a misnomer, as there isn't any "server"
involved anymore. Let's rename this to "owner" id hence, since it is an
ID that is picked by the owner of a bus or direct connection. This
matches nicely the sd_bus_get_owner_creds() call we already have.
|
|
kdbus recently renamed this concept, and so should we in what we expose
in userspace.
|
|
Catch up with some changes in kdbus.h:
* KDBUS_{ITEM,ATTACH}_CONN_NAME were renamed to
KDBUS_{ITEM,ATTACH}_CONN_DESCRIPTION, so the term 'name' is not
overloaded as much.
* The item types were re-ordered a little so they are lined up to the
order of the corresponding KDBUS_ATTACH flags
* A new item type KDBUS_ITEM_OWNED_NAME was introduced, designated to
store a struct kdbus_name in item->name. KDBUS_ITEM_NAME soley
stores data in item->str now
* Some kerneldoc fixes
|
|
We should use the data if we can (if stdin/stdout is an AF_UNIX socket),
but still work if we can't (if stdin/stdout are pipes, like in the SSH
case).
This effectively reverts 55534fb5e4742b0db9ae5e1e0202c53804147697
|
|
sd_bus_get_peer_creds()
Clean up the function namespace by renaming the following:
sd_bus_get_owner_uid() → sd_bus_get_name_creds_uid()
sd_bus_get_owner_machine_id() → sd_bus_get_name_machine_id()
sd_bus_get_peer_creds() → sd_bus_get_owner_creds()
|
|
In kdbus.h, the following details changed:
* All commands gained a 'kernel_flags' field to report the flags supported
by the driver. Before, this was done in the 'flags' field in a
bidirectional way, which turned out to be a problem for the code in
sd-bus, as many parts of it reuse the same ioctl struct more than once
and consider them to be owned by userspace.
* Name listings are now returned by a new struct instead of reusing struct
kdbus_cmd_name for that matter. This way, we don't add more unneeded
fields to it and make the API cleaner.
* 'conn_flags' was renamed to 'flags' in struct kdbus_cmd_hello to make
the API a bit more unified.
|
|
provides us with
|
|
This reverts commit b0f84d4d7832659f2216bda7a7cdf51f5e79c6eb.
get_creds_by_name() already translate the error nicely, we just need to
make use of it.
|
|
|
|
'GetConnectionUnixProcessID', 'GetConnectionUnixUser' and
'GetConnectionSELinuxSecurityContext' methods should return
'NameHasNoOwner' error (if chosen name is not available on bus)
with more detailed description - like dbus-1:
Could not get PID of name 'org.freedesktop.test': no such name.
Could not get UID of name 'org.freedesktop.test': no such name.
Could not get security context of name 'org.freedesktop.test': no such name.
Otherwise we have only laconic message without proper dbus error:
Error System.Error.ENXIO: No such device or address
|
|
'ListQueuedOwners' method should return 'NameHasNoOwner' error
if chosen name is not available on bus.
|
|
getpeersec() will fail for non-SELinux enabled machines, so don't make that
a hard error.
|
|
We need to figure out which of the possible names satisfied the policy,
so we cannot do the iteration in check_policy_item() but have to leave it
to the users.
Test cases amended accordingly.
|
|
Just some cleanups around policy checks that came up during review.
The code is still not productive.
|
|
If we can't get the remote peer or security creds, bail out.
Spotted by coverity.
|
|
The KDBUS_CMD_FREE ioctl now uses a struct rather than a direct pointer
to the offset to free.
The KDBUS_CMD_MSG_CANCEL ioctl has also changes, but there's no user of
it yet in systemd.
|
|
In pty.c there was both an include of our pty.h and the system installed pty.h.
The latter contains only two functions openpty and forkpty. We use neither so
I assume it was a typo and removed it. We still compile and pass all tests.
|
|
Check if strjoin worked and also use _cleanup_free_ since we are
here.
Found with Coverity. Fixes CID#1241962
|
|
'make distcheck' calls test-bus-policy outside of the source tree, so it
must consider the TEST_DIR variable to access its files.
|
|
|
|
Both as documentation, and to make Coverity happy.
Fixes CID #1241495 and #1241496.
|
|
Instead of operating on an sd_bus_message object, expose an API that has 4
functions:
policy_check_own()
policy_check_hello()
policy_check_recv()
policy_check_send()
This also allows dropping extra code to parse message contents - the bus
proxy already has dedicated code paths for that, and we can hook into
those later.
Tests amended accordingly.
|
|
The kdbus logic name registry logic was changed to transport the actual
name to acquire, release or report in a kdbus item.
This brings the name API a little more in line with other calls, and allows
for later augmentation.
Follow that change on the systemd side.
|
|
Add some test files and routines for dbus policy checking.
|
|
Add policy_check() to actually check whether an incoming message is allowed
by the policy. The code is not yet used from the proxy daemon, though.
|
|
|
|
This function is quite useful for debugging. Exiting from it seems
unnecessary.
|
|
Instead of making the function call itself recursively.
|
|
Do the lookup during parsing already, and set i->uid, or i->gid to the
numerical values.
|
|
|
|
In the D-Bus policy, the order of items matters, so make sure to store them
in the same order as they are parsed by the sax parser.
|
|
|