summaryrefslogtreecommitdiff
path: root/src/core/selinux-access.c
AgeCommit message (Collapse)Author
2016-04-21core: prefix selinux messages with "selinux: "Zbigniew Jędrzejewski-Szmek
SELinux outputs semi-random messages like "Unknown permission start for class system", and the user has to dig into message metadata to find out where they are comming from. Add a prefix to give a hint.
2016-02-10tree-wide: remove Emacs lines from all filesDaniel Mack
This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.
2015-11-30core: simplify selinux AVC initializationLennart Poettering
Let's merge access_init() and mac_selinux_access_init(), and only call mac_selinux_use() once, inside the merged function, instead of multiple times, including in the caller. See comments on: https://github.com/systemd/systemd/pull/2053
2015-11-27tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easyLennart Poettering
GLIB has recently started to officially support the gcc cleanup attribute in its public API, hence let's do the same for our APIs. With this patch we'll define an xyz_unrefp() call for each public xyz_unref() call, to make it easy to use inside a __attribute__((cleanup())) expression. Then, all code is ported over to make use of this. The new calls are also documented in the man pages, with examples how to use them (well, I only added docs where the _unref() call itself already had docs, and the examples, only cover sd_bus_unrefp() and sd_event_unrefp()). This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we tend to call our destructors these days. Note that this defines no public macro that wraps gcc's attribute and makes it easier to use. While I think it's our duty in the library to make our stuff easy to use, I figure it's not our duty to make gcc's own features easy to use on its own. Most likely, client code which wants to make use of this should define its own: #define _cleanup_(function) __attribute__((cleanup(function))) Or similar, to make the gcc feature easier to use. Making this logic public has the benefit that we can remove three header files whose only purpose was to define these functions internally. See #2008.
2015-11-16tree-wide: sort includesThomas Hindoe Paaboel Andersen
Sort the includes accoding to the new coding style.
2015-10-27util-lib: split out allocation calls into alloc-util.[ch]Lennart Poettering
2015-10-27util-lib: split out printf() helpers to stdio-util.hLennart Poettering
2015-10-19tree-wide: remove unused functionsThomas Hindoe Paaboel Andersen
2015-09-01selinux: always use *_raw API from libselinuxMichal Sekletar
When mcstransd* is running non-raw functions will return translated SELinux context. Problem is that libselinux will cache this information and in the future it will return same context even though mcstransd maybe not running at that time. If you then check with such context against SELinux policy then selinux_check_access may fail depending on whether mcstransd is running or not. To workaround this problem/bug in libselinux, we should always get raw context instead. Most users will not notice because result of access check is logged only in debug mode. * SELinux context translation service, which will translates labels to human readable form
2015-08-27selinux: drop mac_selinux_unit_access_check_strv()David Herrmann
It is not acceptable to load unit files during enable/disable operations just to figure out the selinux labels. systemd implements lazy loading for units, so the selinux hooks need to follow it. This drops the mac_selinux_unit_access_check_strv() helper which implements a non-acceptable policy check. If anyone cares for that functionality, you really should pass a callback+userdata to the helpers in src/shared/install.c which does policy checks on each touched file. See #1050 on github for more.
2015-08-26selinux: fix regression of systemctl subcommands when absolute unit file ↵HATAYAMA Daisuke
paths are specified The commit 4938696301a914ec26bcfc60bb99a1e9624e3789 overlooked the fact that unit files can be specified as unit file paths, not unit file names, wrongly passing a unit file path to the 1st argument of manager_load_unit() that handles it as a unit file name. As a result, the following 4 systemctl subcommands: enable disable reenable link mask unmask fail with the following error message: # systemctl enable /usr/lib/systemd/system/kdump.service Failed to execute operation: Unit name /usr/lib/systemd/system/kdump.service is not valid. # systemctl disable /usr/lib/systemd/system/kdump.service Failed to execute operation: Unit name /usr/lib/systemd/system/kdump.service is not valid. # systemctl reenable /usr/lib/systemd/system/kdump.service Failed to execute operation: Unit name /usr/lib/systemd/system/kdump.service is not valid. # cp /usr/lib/systemd/system/kdump.service /tmp/ # systemctl link /tmp/kdump.service Failed to execute operation: Unit name /tmp/kdump.service is not valid. # systemctl mask /usr/lib/systemd/system/kdump.service Failed to execute operation: Unit name /usr/lib/systemd/system/kdump.service is not valid. # systemctl unmask /usr/lib/systemd/system/kdump.service Failed to execute operation: Unit name /usr/lib/systemd/system/kdump.service is not valid. To fix the issue, first check whether a unit file is passed as a unit file name or a unit file path, and then pass the unit file to the appropreate argument of manager_load_unit(). By the way, even with this commit mask and unmask reject unit file paths as follows and this is a correct behavior: # systemctl mask /usr/lib/systemd/system/kdump.service Failed to execute operation: Invalid argument # systemctl unmask /usr/lib/systemd/system/kdump.service Failed to execute operation: Invalid argument
2015-06-25selinux: fix missing SELinux unit access checkHATAYAMA Daisuke
Currently, SELinux unit access check is not performed if a given unit file has not been registered in a hash table. This is because function manager_get_unit() only tries to pick up a Unit object from a Unit hash table. Instead, we use function manager_load_unit() searching Unit file pathes for the given Unit file.
2015-06-12selinux: whitespace fixesLennart Poettering
2015-06-09bus-creds: always set SD_BUS_CREDS_PID when we set pid in the maskZbigniew Jędrzejewski-Szmek
Also reorder the code a bit to be easier to parse.
2015-04-21sd-bus: when augmenting creds, remember which ones were augmentedLennart Poettering
Also, when we do permissions checks using creds, verify that we don't do so based on augmented creds, as extra safety check.
2015-04-14selinux: use different log priorites for log messagesZbigniew Jędrzejewski-Szmek
When selinux calls our callback with a log message, it specifies the type as AVC or INFO/WARNING/ERROR. The question is how to map this to audit types and/or log priorities. SELINUX_AVC maps to AUDIT_USER_AVC reasonably, but for the other messages we have no idea, hence we use AUDIT_USER_AVC for everything. When not using audit logging, we can map those selinux levels to LOG_INFO/WARNING/ERROR etc. Also update comment which was not valid anymore in light of journald sucking in audit logs, and was actually wrong from the beginning — libselinux uses the callback for everything, not just avcs. This stemmed out of https://bugzilla.redhat.com/show_bug.cgi?id=1195330, but does not solve it.
2015-02-23remove unused includesThomas Hindoe Paaboel Andersen
This patch removes includes that are not used. The removals were found with include-what-you-use which checks if any of the symbols from a header is in use.
2015-02-01Add a snprinf wrapper which checks that the buffer was big enoughZbigniew Jędrzejewski-Szmek
If we scale our buffer to be wide enough for the format string, we should expect that the calculation was correct. char_array_0() invocations are removed, since snprintf nul-terminates the output in any case. A similar wrapper is used for strftime calls, but only in timedatectl.c.
2015-01-18bus: use EUID over UID and fix unix-credsDavid Herrmann
Whenever a process performs an action on an object, the kernel uses the EUID of the process to do permission checks and to apply on any newly created objects. The UID of a process is only used if someone *ELSE* acts on the process. That is, the UID of a process defines who owns the process, the EUID defines what privileges are used by this process when performing an action. Process limits, on the other hand, are always applied to the real UID, not the effective UID. This is, because a process has a user object linked, which always corresponds to its UID. A process never has a user object linked for its EUID. Thus, accounting (and limits) is always done on the real UID. This commit fixes all sd-bus users to use the EUID when performing privilege checks and alike. Furthermore, it fixes unix-creds to be parsed as EUID, not UID (as the kernel always takes the EUID on UDS). Anyone using UID (eg., to do user-accounting) has to fall back to the EUID as UDS does not transmit the UID.
2014-11-28treewide: another round of simplificationsMichal Schmidt
Using the same scripts as in f647962d64e "treewide: yet more log_*_errno + return simplifications".
2014-11-28treewide: use log_*_errno whenever %m is in the format stringMichal Schmidt
If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.
2014-11-27selinux: log selinux log messages with LOG_AUTH facilityLennart Poettering
2014-11-27log: rearrange log function namingLennart Poettering
- Rename log_meta() → log_internal(), to follow naming scheme of most other log functions that are usually invoked through macros, but never directly. - Rename log_info_object() to log_object_info(), simply because the object should be before any other parameters, to follow OO-style programming style.
2014-11-27log: add an "error" parameter to all low-level logging calls and intrdouce ↵Lennart Poettering
log_error_errno() as log calls that take error numbers This change has two benefits: - The format string %m will now resolve to the specified error (or to errno if the specified error is 0. This allows getting rid of a ton of strerror() invocations, a function that is not thread-safe. - The specified error can be passed to the journal in the ERRNO= field. Now of course, we just need somebody to convert all cases of this: log_error("Something happened: %s", strerror(-r)); into thus: log_error_errno(-r, "Something happened: %m");
2014-11-26core: make sure we have enough information when doing selinux decisionsLennart Poettering
Let's ask for the security relevant bits in a race-free way, and augment the rest from /proc.
2014-10-28mac: add mac_ prefix to distinguish origin security apisWaLyong Cho
2014-10-27selinux: make sure we do not try to print missing fieldsZbigniew Jędrzejewski-Szmek
UID or GID of 0 is valid, so we cannot use that to distinguish whether calls to sd_bus_creds_get_* succeeded, and the return value from the function is the only way to know about missing fields. Print "n/a" if the fields are missing. CID #1238779
2014-10-23mac: also rename use_{smack,selinux,apparmor}() calls so that they share the ↵Lennart Poettering
new mac_{smack,selinux,apparmor}_xyz() convention
2014-10-08systemctl: add add-wants and add-requires verbsLukas Nykryn
2014-05-15selinux: fix build for non-selinux systemsLennart Poettering
2014-05-14core: no need to pass bus object to selinux access check calls anymoreLennart Poettering
2013-11-28bus: add new sd_bus_creds object to encapsulate process credentialsLennart Poettering
This way we can unify handling of credentials that are attached to messages, or can be queried for bus name owners or connection peers. This also adds the ability to extend incomplete credential information with data from /proc, Also, provide a convenience call that will automatically determine the most appropriate credential object for an incoming message, by using the the attached information if possible, the sending name information if available and otherwise the peer's credentials.
2013-11-21bus: rework message handlers to always take an error argumentLennart Poettering
Message handler callbacks can be simplified drastically if the dispatcher automatically replies to method calls if errors are returned. Thus: add an sd_bus_error argument to all message handlers. When we dispatch a message handler and it returns negative or a set sd_bus_error we send this as message error back to the client. This means errors returned by handlers by default are given back to clients instead of rippling all the way up to the event loop, which is desirable to make things robust. As a side-effect we can now easily turn the SELinux checks into normal function calls, since the method call dispatcher will generate the right error replies automatically now. Also, make sure we always pass the error structure to all property and method handlers as last argument to follow the usual style of passing variables for return values as last argument.
2013-11-21src/core/selinux-access: #include <sys/socket.h>Daniel Mack
Fixes the following build errors on Fedora 20: CC src/core/libsystemd_core_la-selinux-access.lo src/core/selinux-access.c: In function 'get_audit_data': src/core/selinux-access.c:245:22: error: storage size of 'ucred' isn't known struct ucred ucred; ^ src/core/selinux-access.c:259:9: warning: implicit declaration of function 'getsockopt' [-Wimplicit-function-declaration] r = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &ucred, &len); ^ src/core/selinux-access.c:259:28: error: 'SOL_SOCKET' undeclared (first use in this function) r = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &ucred, &len); ^ src/core/selinux-access.c:259:28: note: each undeclared identifier is reported only once for each function it appears in src/core/selinux-access.c:259:40: error: 'SO_PEERCRED' undeclared (first use in this function) r = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &ucred, &len); ^ src/core/selinux-access.c:245:22: warning: unused variable 'ucred' [-Wunused-variable] struct ucred ucred; ^ make[2]: *** [src/core/libsystemd_core_la-selinux-access.lo] Error 1 make[1]: *** [all-recursive] Error 1 make: *** [all] Error 2
2013-11-20core: convert PID 1 to libsystemd-busLennart Poettering
This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-10-16macro: clean up usage of gcc attributesLennart Poettering
Always use our own macros, and name all our own macros the same style.
2013-08-14selinux-access: move GPL to LGPL licenceKay Sievers
On Wed, Aug 14, 2013 at 10:31 PM, Daniel J Walsh <dwalsh@redhat.com> wrote: > On 08/14/2013 04:17 PM, Kay Sievers wrote: > > > > this patch added GPL code to systemd, which otherwise is all LGPL. We need > > to make sure we can always split out any code to a separate shared library > > ... > > > > Mind if I switch your src/core/selinux-access.[ch] files to LGPL? > I have no problem with it. Should be LGPL anyways.
2013-05-02Add __attribute__((const, pure, format)) in various placesZbigniew Jędrzejewski-Szmek
I'm assuming that it's fine if a _const_ or _pure_ function calls assert. It is assumed that the assert won't trigger, and even if it does, it can only trigger on the first call with a given set of parameters, and we don't care if the compiler moves the order of calls.
2013-02-13selinux: use a dynamically sized string when generating audit messagesLennart Poettering
https://bugzilla.redhat.com/show_bug.cgi?id=883043
2013-02-07systemd: fix uninitialized memory access in selinuxZbigniew Jędrzejewski-Szmek
==6129== Syscall param socketcall.getsockopt(optlen) points to uninitialised byte(s) ==6129== at 0x312D0F325A: getsockopt (syscall-template.S:81) ==6129== by 0x4615E6: get_audit_data (selinux-access.c:268) ==6129== by 0x461A81: selinux_access_check (selinux-access.c:394) ==6129== by 0x453B23: bus_manager_message_handler (dbus-manager.c:1395) ==6129== by 0x313581D9C4: _dbus_object_tree_dispatch_and_unlock (dbus-object-tree.c:862) ==6129== by 0x313580FC1F: dbus_connection_dispatch (dbus-connection.c:4672) ==6129== by 0x44CD4C: bus_dispatch (dbus.c:528) ==6129== by 0x41292F: manager_loop (manager.c:1573) ==6129== by 0x40CD8E: main (main.c:1735) ==6129== Address 0x7fefff2c0 is on thread 1's stack
2013-01-25selinux: we don't need that many debug messages by defaultLennart Poettering
2013-01-25selinux-access: Delete debugging message logged as an errorColin Walters
I don't see why this should be logged at all, so let's delete it.
2013-01-16systemctl,loginctl,cgls: do not ellipsize cgroup members when --full is ↵Lukas Nykryn
specified New file output.h with output flags and modes. --full parameter also for cgls and loginctl. Include 'all' parameter in flags (show_cgroup_by_path, show_cgroup, show_cgroup_and_extra, show_cgroup_and_extra_by_spec). get_process_cmdline with max_length == 0 will not ellipsize output. Replace LINE_MAX with 0 in some calls of get_process_cmdline. [zj: Default to --full when under pager for clgs. Drop '-f' since it wasn't documented and didn't actually work. Reindent a bit. ]
2012-10-18systemd: use structured logging for unit changesZbigniew Jędrzejewski-Szmek
Information which unit a log entry pertains to enables systemctl status to display more log messages.
2012-10-16SELinux patch still broken, in that we are not checking the correct source ↵Daniel J Walsh
context. This patch does the dbus calls correctly.
2012-10-03selinux: properly free dbus errorLennart Poettering
2012-10-02selinux: remove anything PID1-specific from selinux-access.[ch] so that we ↵Lennart Poettering
can reuse it in logind
2012-10-02audit: turn the audit fd into a static variableLennart Poettering
As audit is pretty much just a special kind of logging we should treat it similar, and manage the audit fd in a static variable. This simplifies the audit fd sharing with the SELinux access checking code quite a bit.
2012-10-02selinux: rework selinux access check logicLennart Poettering
a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start().
2012-09-28selinux: fix various problemsDaniel J Walsh