From 6072f8b24153d844a3033108a17bcd0c1a967816 Mon Sep 17 00:00:00 2001 From: Laurent Bigonville Date: Sat, 3 Mar 2018 11:15:23 +0100 Subject: [PATCH] Stop using selinux_set_mapping() function Currently, if the "dbus" security class or the associated AV doesn't exist, dbus-daemon fails to initialize and exits immediately. Also the security classes or access vector cannot be reordered in the policy. This can be a problem for people developing their own policy or trying to access a machine where, for some reasons, there is not policy defined at all. The code here copy the behaviour of the selinux_check_access() function. We cannot use this function here as it doesn't allow us to define the AVC entry reference. See the discussion at https://marc.info/?l=selinux&m=152163374332372&w=2 Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/198 --- bus/selinux.c | 75 ++++++++++++++++++++++++++++----------------------- 1 file changed, 42 insertions(+), 33 deletions(-) Upstream-Status: Backport Signed-off-by: Nisha.Parrakat diff --git a/bus/selinux.c b/bus/selinux.c --- a/bus/selinux.c 2021-08-11 14:45:59.048513026 +0000 +++ b/bus/selinux.c 2021-08-11 14:57:47.144846966 +0000 @@ -311,24 +311,6 @@ #endif } -/* - * Private Flask definitions; the order of these constants must - * exactly match that of the structure array below! - */ -/* security dbus class constants */ -#define SECCLASS_DBUS 1 - -/* dbus's per access vector constants */ -#define DBUS__ACQUIRE_SVC 1 -#define DBUS__SEND_MSG 2 - -#ifdef HAVE_SELINUX -static struct security_class_mapping dbus_map[] = { - { "dbus", { "acquire_svc", "send_msg", NULL } }, - { NULL } -}; -#endif /* HAVE_SELINUX */ - /** * Establish dynamic object class and permission mapping and * initialize the user space access vector cache (AVC) for D-Bus and set up @@ -350,13 +332,6 @@ _dbus_verbose ("SELinux is enabled in this kernel.\n"); - if (selinux_set_mapping (dbus_map) < 0) - { - _dbus_warn ("Failed to set up security class mapping (selinux_set_mapping():%s).", - strerror (errno)); - return FALSE; - } - avc_entry_ref_init (&aeref); if (avc_init ("avc", &mem_cb, &log_cb, &thread_cb, &lock_cb) < 0) { @@ -421,19 +396,53 @@ static dbus_bool_t bus_selinux_check (BusSELinuxID *sender_sid, BusSELinuxID *override_sid, - security_class_t target_class, - access_vector_t requested, + const char *target_class, + const char *requested, DBusString *auxdata) { + int saved_errno; + security_class_t security_class; + access_vector_t requested_access; + if (!selinux_enabled) return TRUE; + security_class = string_to_security_class (target_class); + if (security_class == 0) + { + saved_errno = errno; + log_callback (SELINUX_ERROR, "Unknown class %s", target_class); + if (security_deny_unknown () == 0) + { + return TRUE; + } + + _dbus_verbose ("Unknown class %s\n", target_class); + errno = saved_errno; + return FALSE; + } + + requested_access = string_to_av_perm (security_class, requested); + if (requested_access == 0) + { + saved_errno = errno; + log_callback (SELINUX_ERROR, "Unknown permission %s for class %s", requested, target_class); + if (security_deny_unknown () == 0) + { + return TRUE; + } + + _dbus_verbose ("Unknown permission %s for class %s\n", requested, target_class); + errno = saved_errno; + return FALSE; + } + /* Make the security check. AVC checks enforcing mode here as well. */ if (avc_has_perm (SELINUX_SID_FROM_BUS (sender_sid), override_sid ? SELINUX_SID_FROM_BUS (override_sid) : bus_sid, - target_class, requested, &aeref, auxdata) < 0) + security_class, requested_access, &aeref, auxdata) < 0) { switch (errno) { @@ -500,8 +509,8 @@ ret = bus_selinux_check (connection_sid, service_sid, - SECCLASS_DBUS, - DBUS__ACQUIRE_SVC, + "dbus", + "acquire_svc", &auxdata); _dbus_string_free (&auxdata); @@ -629,8 +638,8 @@ ret = bus_selinux_check (sender_sid, recipient_sid, - SECCLASS_DBUS, - DBUS__SEND_MSG, + "dbus", + "send_msg", &auxdata); _dbus_string_free (&auxdata);