"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "bus/selinux.c" between
dbus-1.13.12.tar.xz and dbus-1.13.14.tar.xz

About: D-Bus is an inter-process communication (IPC) system, allowing multiple, concurrently-running applications to communicate with one another. D-Bus supplies both a system daemon and a per-user-login-session daemon. Development version.

selinux.c  (dbus-1.13.12.tar.xz):selinux.c  (dbus-1.13.14.tar.xz)
skipping to change at line 235 skipping to change at line 235
return FALSE; return FALSE;
} }
selinux_enabled = r != 0; selinux_enabled = r != 0;
return TRUE; return TRUE;
#else #else
return TRUE; return TRUE;
#endif #endif
} }
/*
* Private Flask definitions; the order of these constants must
* exactly match that of the structure array below!
*/
/* security dbus class constants */
#define SECCLASS_DBUS 1
/* dbus's per access vector constants */
#define DBUS__ACQUIRE_SVC 1
#define DBUS__SEND_MSG 2
#ifdef HAVE_SELINUX
static struct security_class_mapping dbus_map[] = {
{ "dbus", { "acquire_svc", "send_msg", NULL } },
{ NULL }
};
#endif /* HAVE_SELINUX */
/** /**
* Establish dynamic object class and permission mapping and * Establish dynamic object class and permission mapping and
* initialize the user space access vector cache (AVC) for D-Bus and set up * initialize the user space access vector cache (AVC) for D-Bus and set up
* logging callbacks. * logging callbacks.
*/ */
dbus_bool_t dbus_bool_t
bus_selinux_full_init (BusContext *context, DBusError *error) bus_selinux_full_init (BusContext *context, DBusError *error)
{ {
#ifdef HAVE_SELINUX #ifdef HAVE_SELINUX
char *bus_context; char *bus_context;
skipping to change at line 274 skipping to change at line 256
_dbus_assert (bus_sid == SECSID_WILD); _dbus_assert (bus_sid == SECSID_WILD);
if (!selinux_enabled) if (!selinux_enabled)
{ {
_dbus_verbose ("SELinux not enabled in this kernel.\n"); _dbus_verbose ("SELinux not enabled in this kernel.\n");
return TRUE; return TRUE;
} }
_dbus_verbose ("SELinux is enabled in this kernel.\n"); _dbus_verbose ("SELinux is enabled in this kernel.\n");
if (selinux_set_mapping (dbus_map) < 0)
{
_dbus_warn ("Failed to set up security class mapping (selinux_set_mapping(
):%s).",
strerror (errno));
return FALSE;
}
avc_entry_ref_init (&aeref); avc_entry_ref_init (&aeref);
if (avc_open (NULL, 0) < 0) if (avc_open (NULL, 0) < 0)
{ {
dbus_set_error (error, DBUS_ERROR_FAILED, dbus_set_error (error, DBUS_ERROR_FAILED,
"Failed to start Access Vector Cache (AVC): %s", "Failed to start Access Vector Cache (AVC): %s",
_dbus_strerror (errno)); _dbus_strerror (errno));
return FALSE; return FALSE;
} }
else else
{ {
skipping to change at line 395 skipping to change at line 370
* @param override_sid is the target security context. If SECSID_WILD this will * @param override_sid is the target security context. If SECSID_WILD this will
* use the context of the bus itself (e.g. the default). * use the context of the bus itself (e.g. the default).
* @param target_class is the target security class. * @param target_class is the target security class.
* @param requested is the requested permissions. * @param requested is the requested permissions.
* @returns #TRUE if security policy allows the send. * @returns #TRUE if security policy allows the send.
*/ */
#ifdef HAVE_SELINUX #ifdef HAVE_SELINUX
static dbus_bool_t static dbus_bool_t
bus_selinux_check (BusSELinuxID *sender_sid, bus_selinux_check (BusSELinuxID *sender_sid,
BusSELinuxID *override_sid, BusSELinuxID *override_sid,
security_class_t target_class, const char *target_class,
access_vector_t requested, const char *requested,
DBusString *auxdata) DBusString *auxdata)
{ {
int saved_errno;
security_class_t security_class;
access_vector_t requested_access;
if (!selinux_enabled) if (!selinux_enabled)
return TRUE; return TRUE;
security_class = string_to_security_class (target_class);
if (security_class == 0)
{
saved_errno = errno;
log_callback (SELINUX_ERROR, "Unknown class %s", target_class);
if (security_deny_unknown () == 0)
{
return TRUE;
}
_dbus_verbose ("Unknown class %s\n", target_class);
errno = saved_errno;
return FALSE;
}
requested_access = string_to_av_perm (security_class, requested);
if (requested_access == 0)
{
saved_errno = errno;
log_callback (SELINUX_ERROR, "Unknown permission %s for class %s", request
ed, target_class);
if (security_deny_unknown () == 0)
{
return TRUE;
}
_dbus_verbose ("Unknown permission %s for class %s\n", requested, target_c
lass);
errno = saved_errno;
return FALSE;
}
/* Make the security check. AVC checks enforcing mode here as well. */ /* Make the security check. AVC checks enforcing mode here as well. */
if (avc_has_perm (SELINUX_SID_FROM_BUS (sender_sid), if (avc_has_perm (SELINUX_SID_FROM_BUS (sender_sid),
override_sid ? override_sid ?
SELINUX_SID_FROM_BUS (override_sid) : SELINUX_SID_FROM_BUS (override_sid) :
bus_sid, bus_sid,
target_class, requested, &aeref, auxdata) < 0) security_class, requested_access, &aeref, auxdata) < 0)
{ {
switch (errno) switch (errno)
{ {
case EACCES: case EACCES:
_dbus_verbose ("SELinux denying due to security policy.\n"); _dbus_verbose ("SELinux denying due to security policy.\n");
return FALSE; return FALSE;
case EINVAL: case EINVAL:
_dbus_verbose ("SELinux denying due to invalid security context.\n"); _dbus_verbose ("SELinux denying due to invalid security context.\n");
return FALSE; return FALSE;
default: default:
skipping to change at line 474 skipping to change at line 483
{ {
if (!_dbus_string_append (&auxdata, " spid=")) if (!_dbus_string_append (&auxdata, " spid="))
goto oom; goto oom;
if (!_dbus_string_append_uint (&auxdata, spid)) if (!_dbus_string_append_uint (&auxdata, spid))
goto oom; goto oom;
} }
ret = bus_selinux_check (connection_sid, ret = bus_selinux_check (connection_sid,
service_sid, service_sid,
SECCLASS_DBUS, "dbus",
DBUS__ACQUIRE_SVC, "acquire_svc",
&auxdata); &auxdata);
_dbus_string_free (&auxdata); _dbus_string_free (&auxdata);
return ret; return ret;
oom: oom:
_dbus_string_free (&auxdata); _dbus_string_free (&auxdata);
BUS_SET_OOM (error); BUS_SET_OOM (error);
return FALSE; return FALSE;
skipping to change at line 603 skipping to change at line 612
sender_sid = bus_connection_get_selinux_id (sender); sender_sid = bus_connection_get_selinux_id (sender);
/* A NULL proposed_recipient with no activation entry means the bus itself. */ /* A NULL proposed_recipient with no activation entry means the bus itself. */
if (proposed_recipient) if (proposed_recipient)
recipient_sid = bus_connection_get_selinux_id (proposed_recipient); recipient_sid = bus_connection_get_selinux_id (proposed_recipient);
else else
recipient_sid = BUS_SID_FROM_SELINUX (bus_sid); recipient_sid = BUS_SID_FROM_SELINUX (bus_sid);
ret = bus_selinux_check (sender_sid, ret = bus_selinux_check (sender_sid,
recipient_sid, recipient_sid,
SECCLASS_DBUS, "dbus",
DBUS__SEND_MSG, "send_msg",
&auxdata); &auxdata);
_dbus_string_free (&auxdata); _dbus_string_free (&auxdata);
return ret; return ret;
oom: oom:
if (string_alloced) if (string_alloced)
_dbus_string_free (&auxdata); _dbus_string_free (&auxdata);
BUS_SET_OOM (error); BUS_SET_OOM (error);
 End of changes. 8 change blocks. 
34 lines changed or deleted 44 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)