1. 02 Dec, 2015 1 commit
  2. 06 Aug, 2015 1 commit
    • bus: move shared libaudit code to a new audit.[ch] · 327a52e4
      Simon McVittie authored
      This fixes various duplicated libaudit interactions in both
      SELinux and AppArmor code paths, including opening two audit sockets
      if both SELinux and AppArmor were enabled at compile time.
      In particular, audit.c is now the only user of libcap-ng.
      
      This commit is not intended to introduce any functional changes,
      except for the de-duplication.
      
      The actual audit_log_user_avc_message() call is still duplicated,
      because the SELinux and AppArmor code paths use different mechanisms
      to compose the audit message: the SELinux path uses a statically-sized
      buffer on the stack which might be subject to truncation, whereas
      the AppArmor path uses malloc() (via DBusString) and falls back to
      using syslog on a memory allocation failure.
      
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89225
      Reviewed-by: Colin Walters <walters@verbum.org>
      [smcv: minor issues raised during review are subsequently fixed]
      Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
  3. 06 Jan, 2015 1 commit
  4. 07 Nov, 2013 1 commit
  5. 01 Nov, 2013 1 commit
  6. 13 Sep, 2013 1 commit
  7. 30 Aug, 2013 1 commit
  8. 23 Aug, 2013 1 commit
  9. 11 Aug, 2011 1 commit
  10. 01 Aug, 2011 1 commit
  11. 25 May, 2011 1 commit
  12. 19 Mar, 2010 1 commit
  13. 03 Mar, 2010 1 commit
  14. 03 Feb, 2010 1 commit
    • Fix compilation in --disable-selinux case · 15109202
      Colin Walters authored
      _dbus_change_to_daemon_user moved into selinux.c for the --with-selinux
      (and audit) case because that's where all of the relevant libcap headers
      were being used.  However in the --disable-selinux case this didn't
      compile and wasn't very clean.
      
      If we don't have libaudit, use the legacy direct setgid/setuid bits
      we had before in dbus-sysdeps-util-unix.c.
  15. 02 Feb, 2010 1 commit
    • Fix compilation in --disable-selinux case · 3dac125d
      Colin Walters authored
      _dbus_change_to_daemon_user moved into selinux.c for the --with-selinux
      (and audit) case because that's where all of the relevant libcap headers
      were being used.  However in the --disable-selinux case this didn't
      compile and wasn't very clean.
      
      If we don't have libaudit, use the legacy direct setgid/setuid bits
      we had before in dbus-sysdeps-util-unix.c.
  16. 29 Jan, 2010 1 commit
  17. 28 Jan, 2010 1 commit
  18. 14 Jul, 2009 1 commit
  19. 10 Jul, 2009 1 commit
  20. 06 May, 2009 1 commit
    • libselinux behavior in permissive mode wrt invalid domains · b38c433b
      Eamon Walsh authored
      Stephen Smalley wrote:
      > On Tue, 2009-04-21 at 16:32 -0400, Joshua Brindle wrote:
      >
      >> Stephen Smalley wrote:
      >>
      >>> On Thu, 2009-04-16 at 20:47 -0400, Eamon Walsh wrote:
      
      > >>>> Stephen Smalley wrote:
      > >>>>
      > >> <snip>
      > >>
      > >>
      > >>> No, I don't want to change the behavior upon context_to_sid calls in
      > >>> general, as we otherwise lose all context validity checking in
      > >>> permissive mode.
      
      >>> I think I'd rather change compute_sid behavior to preclude the situation
      >>> from arising in the first place, possibly altering the behavior in
      >>> permissive mode upon an invalid context to fall back on the ssid
      >>> (process) or the tsid (object).  But I'm not entirely convinced any
      >>> change is required here.
      >>>
      >>>
      >> I just want to follow up to make sure we are all on the same page here. Was the
      >> suggestion to change avc_has_perm in libselinux or context_to_sid in the kernel
      >> or leave the code as is and fix the callers of avc_has_perm to correctly handle
      >> error codes?
      >>
      >> I prefer the last approach because of Eamon's explanation, EINVAL is already
      >> passed in errno to specify the context was invalid (and if object managers
      >> aren't handling that correctly now there is a good chance they aren't handling
      >> the ENOMEM case either).
      >>
      >
      > I'd be inclined to change compute_sid (not context_to_sid) in the kernel
      > to prevent invalid contexts from being formed even in permissive mode
      > (scenario is a type transition where role is not authorized for the new
      > type).  That was originally to allow the system to boot in permissive
      > mode.  But an alternative would be to just stay in the caller's context
      > (ssid) in that situation.
      >
      > Changing the callers of avc_has_perm() to handle EINVAL and/or ENOMEM
      > may make sense, but that logic should not depend on enforcing vs.
      > permissive mode.
      >
      >
      
      FWIW, the following patch to D-Bus should help:
      
      bfo21072 - Log SELinux denials better by checking errno for the cause
      
          Note that this does not fully address the bug report since
          EINVAL can still be returned in permissive mode.  However the log
          messages will now reflect the proper cause of the denial.
      Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
      Signed-off-by: Colin Walters <walters@verbum.org>
  21. 22 Apr, 2009 1 commit
    • libselinux behavior in permissive mode wrt invalid domains · 705b34f0
      Eamon Walsh authored
      Stephen Smalley wrote:
      > On Tue, 2009-04-21 at 16:32 -0400, Joshua Brindle wrote:
      >
      >> Stephen Smalley wrote:
      >>
      >>> On Thu, 2009-04-16 at 20:47 -0400, Eamon Walsh wrote:
      
      > >>>> Stephen Smalley wrote:
      > >>>>
      > >> <snip>
      > >>
      > >>
      > >>> No, I don't want to change the behavior upon context_to_sid calls in
      > >>> general, as we otherwise lose all context validity checking in
      > >>> permissive mode.
      
      >>> I think I'd rather change compute_sid behavior to preclude the situation
      >>> from arising in the first place, possibly altering the behavior in
      >>> permissive mode upon an invalid context to fall back on the ssid
      >>> (process) or the tsid (object).  But I'm not entirely convinced any
      >>> change is required here.
      >>>
      >>>
      >> I just want to follow up to make sure we are all on the same page here. Was the
      >> suggestion to change avc_has_perm in libselinux or context_to_sid in the kernel
      >> or leave the code as is and fix the callers of avc_has_perm to correctly handle
      >> error codes?
      >>
      >> I prefer the last approach because of Eamon's explanation, EINVAL is already
      >> passed in errno to specify the context was invalid (and if object managers
      >> aren't handling that correctly now there is a good chance they aren't handling
      >> the ENOMEM case either).
      >>
      >
      > I'd be inclined to change compute_sid (not context_to_sid) in the kernel
      > to prevent invalid contexts from being formed even in permissive mode
      > (scenario is a type transition where role is not authorized for the new
      > type).  That was originally to allow the system to boot in permissive
      > mode.  But an alternative would be to just stay in the caller's context
      > (ssid) in that situation.
      >
      > Changing the callers of avc_has_perm() to handle EINVAL and/or ENOMEM
      > may make sense, but that logic should not depend on enforcing vs.
      > permissive mode.
      >
      >
      
      FWIW, the following patch to D-Bus should help:
      
      bfo21072 - Log SELinux denials better by checking errno for the cause
      
          Note that this does not fully address the bug report since
          EINVAL can still be returned in permissive mode.  However the log
          messages will now reflect the proper cause of the denial.
      Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
      Signed-off-by: Colin Walters <walters@verbum.org>
  22. 21 Feb, 2008 1 commit
  23. 31 Oct, 2007 1 commit
    • Fix a problem where a nul byte was wrongly introduced into UUIDs, due to... · bef4260a
      Havoc Pennington authored
      Fix a problem where a nul byte was wrongly introduced into UUIDs, due to _dbus_string_copy_to_buffer weird behavior.
      
      2007-10-31  Havoc Pennington  <hp@redhat.com>
      
      	* bus/selinux.c (log_audit_callback): rewrite to use
      	_dbus_string_copy_to_buffer_with_nul()
      
      	* dbus/dbus-string.c (_dbus_string_copy_to_buffer): change to NOT
      	nul-terminate the buffer; fail an assertion if there is not enough
      	space in the target buffer. This fixes two bugs where
      	copy_to_buffer was used to copy the binary bytes in a UUID, where
      	nul termination did not make sense. Bug reported by David Castelow.
      	(_dbus_string_copy_to_buffer_with_nul): new function that always
      	nul-terminates the buffer, and fails an assertion if there is not
      	enough space in the buffer.
  24. 23 Oct, 2007 1 commit
  25. 03 Oct, 2007 1 commit
  26. 14 Jul, 2007 1 commit
  27. 15 Jun, 2007 1 commit
    • 2007-06-15 Havoc Pennington <hp@redhat.com> · 43b944a0
      Havoc Pennington authored
      	* dbus/dbus-sysdeps.c (_dbus_set_errno_to_zero)
      	(_dbus_get_is_errno_nonzero, _dbus_get_is_errno_eintr)
      	(_dbus_strerror_from_errno): family of functions to abstract
      	errno, though these are somewhat bogus (really we should make our
      	socket wrappers not use errno probably - the issue is that any
      	usage of errno that isn't socket-related probably is not
      	cross-platform, so should either be in a unix-only file that can
      	use errno directly, or is a bug - these general errno wrappers
      	hide issues of this nature in non-socket code, while
      	socket-specific API changes would not since sockets are allowed
      	cross-platform)
  28. 13 Jun, 2007 2 commits
    • 2007-06-13 Havoc Pennington <hp@redhat.com> · 72697649
      Havoc Pennington authored
      	* dbus/dbus-server-socket.c (_dbus_server_listen_socket): support
      	all_interfaces=true|false for tcp servers
      
      	* dbus/dbus-sysdeps-unix.c (_dbus_listen_tcp_socket): support
      	inaddr_any flag
      
      	* bus/selinux.c: fix some missing includes
      
      	* dbus/dbus-server-socket.c (_dbus_server_listen_socket): allow
      	port to simply be omitted in addition to specifying 0
    • 2007-06-13 Havoc Pennington <hp@redhat.com> · e3d30a03
      Havoc Pennington authored
      	* configure.ac, bus/selinux.c, dbus/dbus-sysdeps-unix-util.c: add
      	libaudit support, no clue what this means really but now we have
      	it. Patches from Fedora package.
      
      	* bus/bus.c (bus_context_new): move selinux initialization after
      	changing to daemon user, patch from Fedora package
      
      	* dbus/dbus-transport.c (auth_via_unix_user_function): fix a typo
  29. 08 Aug, 2006 1 commit
    • These are all patches from Kjartan Maraas <kmaraas at gnome dot org> · 9a3145b9
      John Palmieri authored
      with cleanups of bugs found from Coverity reports:
      
      * dbus/dbus-sysdeps-util.c (_dbus_write_pid_file):
        close the file on error to avoid a leak
      
      * bus/expirelist.c (bus_expire_list_test):
        Check for NULL on dbus_new0
      
      * bus/activation.c (update_directory):
        remove dead code
      
      * bus/config-parser.c (merge_service_context_hash, start_selinux_child):
        Fix some leaks
      
      * bus/bus.c (process_config_every_time):
        Fixed a leak
      
      * bus/desktop-file.c (parse_key_value):
        Fixed leak
      
      * bus/selinux.c (bus_selinux_id_table_insert):
        Fixed leak
  30. 03 Aug, 2006 1 commit
  31. 16 Jul, 2005 1 commit
    • 2005-07-16 Colin Walters <walters@verbum.org> · 9a94a135
      Colin Walters authored
      	* bus/driver.c (bus_driver_handle_get_connection_selinux_security_context): Renamed
      	from bus_driver_handle_get_connection_unix_security_context.  Update for
      	error usage.
      	(message_handlers): Update for renames.
      
      	* bus/selinux.c (bus_selinux_allows_send): Handle OOM on
      	_dbus_string_init failure correctly.
      	(bus_selinux_append_context): Convert SID to context.  Append it
      	as a byte array.
      	(bus_selinux_shutdown): Handle the case where bus_selinux_full_init
      	hasn't been called.
      
      	* bus/selinux.h: Update prototype.
      
      	* dbus/dbus-protocol.h (DBUS_ERROR_SELINUX_SECURITY_CONTEXT_UNKNOWN): Renamed
      	from DBUS_ERROR_UNIX_SECURITY_CONTEXT_UNKNOWN.
  32. 15 Jul, 2005 1 commit
  33. 14 Jul, 2005 1 commit
    • 2005-07-14 Colin Walters <walters@verbum.org> · 6c191520
      Colin Walters authored
      	* bus/driver.c
      	(bus_driver_handle_get_connection_unix_security_context): New function.
      	(message_handlers): Add.
      
      	* bus/selinux.c (bus_selinux_append_context): New function; appends
      	security context to message.
      
      	* bus/selinux.h: Prototype.
      
      	* dbus/dbus-protocol.h (DBUS_ERROR_UNIX_SECURITY_CONTEXT_UNKNOWN): New.
  34. 13 Apr, 2005 1 commit
    • 2005-04-13 David Zeuthen <davidz@redhat.com> · 44656f53
      David Zeuthen authored
      	* bus/selinux.c: Add c-file-style to top of file
      	(log_audit_callback): Don't free the data here anymore
      	(bus_selinux_check): Don't take spid and tpid since appending
      	that to auxdata may OOM.
      	(bus_selinux_allows_acquire_service): Handle OOM and signal back
      	to the caller if we are OOM by taking an error object.
      	(bus_selinux_allows_send): -do-
      
      	* bus/selinux.h: Fix prototypes for bus_selinux_allows_acquire_service
      	and bus_selinux_allows_send
      
      	* bus/bus.c (bus_context_check_security_policy): Pass error and
      	pass on OOM thrown by bus_selinux_allows_send()
      
      	* bus/services.c (bus_registry_acquire_service): Pass error and
      	pass on OOM thrown by bus_selinux_allows_acquire_service()
  35. 07 Feb, 2005 1 commit
  36. 09 Nov, 2004 1 commit
    • 2004-11-09 Colin Walters <walters@verbum.org> · 935a41a0
      Colin Walters authored
      	* dbus/dbus-string.c (_dbus_string_get_length): New
      	function, writes DBusString to C buffer.
      
      	* dbus/dbus-string.h: Prototype it.
      
      	* dbus/dbus-message.c (dbus_message_type_to_string): New
      	function, converts message type into C string.
      
      	* dbus/dbus-message.h: Prototype it.
      
      	* bus/selinux.c (bus_selinux_check): Take source pid,
      	target pid, and audit data.  Pass audit data to
      	avc_has_perm.
      	(log_audit_callback): New function, appends extra
      	audit information.
      	(bus_selinux_allows_acquire_service): Also take
      	service name, add it to audit data.
      	(bus_selinux_allows_send): Also take message
      	type, interface, method member, error name,
      	and destination, and add them to audit data.
      	(log_cb): Initialize func_audit.
      
      	* bus/selinux.h (bus_selinux_allows_acquire_service)
      	(bus_selinux_allows_send): Update prototypes
      
      	* bus/services.c (bus_registry_acquire_service): Pass
      	service name to bus_selinux_allows_acquire_service.
      
      	* bus/bus.c (bus_context_check_security_policy): Pass
      	additional audit data.  Move assignment of dest
      	to its own line.
  37. 07 Nov, 2004 1 commit
    • 2004-11-07 Colin Walters <walters@verbum.org> · cdac3e05
      Colin Walters authored
      	* bus/bus.c (load_config): Break into three
      	separate functions: process_config_first_time_only,
      	process_config_every_time, and process_config_postinit.
      	(process_config_every_time): Move call of
      	bus_registry_set_service_context_table into
      	process_config_postinit.
      	(process_config_postinit): New function, does
      	any processing that needs to happen late
      	in initialization (and also on reload).
      	(bus_context_new): Instead of calling load_config,
      	open config parser here and call process_config_first_time_only
      	and process_config_every_time directly.  Later, after
      	we have forked but before changing UID,
      	invoke bus_selinux_full_init, and then call
      	process_config_postinit.
      	(bus_context_reload_config): As in bus_context_new,
      	load parse file inside here, and call process_config_every_time
      	and process_config_postinit.
      
      	* bus/services.h, bus/services.c
      	(bus_registry_set_service_context_table): Rename
      	from bus_registry_set_sid_table.  Take string hash from config
      	parser, and convert them here into SIDs.
      
      	* bus/config-parser.c (struct BusConfigParser): Have
      	config parser only store a mapping of service->context
      	string.
      	(merge_service_context_hash): New function.
      	(merge_included): Merge context string hashes instead
      	of using bus_selinux_id_table_union.
      	(bus_config_parser_new): Don't use bus_selinux_id_table_new;
      	simply create a new string hash.
      	(bus_config_parser_unref): Unref it.
      	(start_selinux_child): Simply insert strings into hash,
      	don't call bus_selinux_id_table_copy_over.
      
      	* bus/selinux.h, bus/selinux.c (bus_selinux_id_table_union)
      	(bus_selinux_id_table_copy_over): Delete.
  38. 04 Nov, 2004 2 commits