From 0f51442056157cfec2efc52ddbff7392b0ff674a Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 21 Apr 2015 00:58:08 +0200
Subject: sd-bus: when augmenting creds, remember which ones were augmented

Also, when we do permissions checks using creds, verify that we don't do
so based on augmented creds, as extra safety check.
---
 src/libsystemd/sd-bus/bus-convenience.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'src/libsystemd/sd-bus/bus-convenience.c')

diff --git a/src/libsystemd/sd-bus/bus-convenience.c b/src/libsystemd/sd-bus/bus-convenience.c
index 71ce757f70..28bc8d2818 100644
--- a/src/libsystemd/sd-bus/bus-convenience.c
+++ b/src/libsystemd/sd-bus/bus-convenience.c
@@ -499,10 +499,18 @@ _public_ int sd_bus_query_sender_privilege(sd_bus_message *call, int capability)
                 return -ENOTCONN;
 
         if (capability >= 0) {
+
                 r = sd_bus_query_sender_creds(call, SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS, &creds);
                 if (r < 0)
                         return r;
 
+                /* We cannot use augmented caps for authorization,
+                 * since then data is acquired raceful from
+                 * /proc. This can never actually happen, but let's
+                 * better be safe than sorry, and do an extra check
+                 * here. */
+                assert_return((sd_bus_creds_get_augmented_mask(creds) & SD_BUS_CREDS_EFFECTIVE_CAPS) == 0, -EPERM);
+
                 /* Note that not even on kdbus we might have the caps
                  * field, due to faked identities, or namespace
                  * translation issues. */
@@ -523,6 +531,13 @@ _public_ int sd_bus_query_sender_privilege(sd_bus_message *call, int capability)
         if (our_uid != 0 || !know_caps || capability < 0) {
                 uid_t sender_uid;
 
+                /* We cannot use augmented uid/euid for authorization,
+                 * since then data is acquired raceful from
+                 * /proc. This can never actually happen, but let's
+                 * better be safe than sorry, and do an extra check
+                 * here. */
+                assert_return((sd_bus_creds_get_augmented_mask(creds) & (SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID)) == 0, -EPERM);
+
                 /* Try to use the EUID, if we have it. */
                 r = sd_bus_creds_get_euid(creds, &sender_uid);
                 if (r < 0)
-- 
cgit v1.2.3-54-g00ecf