dbus-broker: backport patches to fix policy with SELinux nodes

Backport from master: https://github.com/bus1/dbus-broker/pull/213 Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Luca Boccassi <luca.boccassi@microsoft.com> 2020-02-06 14:08:24 +0000
committer: Khem Raj <raj.khem@gmail.com> 2020-02-06 07:20:04 -0800
commit: dda2962584e3a1616ba0e8e6e72e4eae6d56e652 (patch)
tree: d8a49b88d400ab99243da54dd3934d7af93ba227 /meta-oe/recipes-core/dbus
parent: 502084cc99ac04c6989c03c23b8aa9c04425e976 (diff)
download: meta-openembedded-dda2962584e3a1616ba0e8e6e72e4eae6d56e652.tar.gz
3 files changed, 111 insertions, 0 deletions
diff --git a/meta-oe/recipes-core/dbus/dbus-broker/0005-launch-policy-fix-crash-when-importing-selinux.patch b/meta-oe/recipes-core/dbus/dbus-broker/0005-launch-policy-fix-crash-when-importing-selinux.patch
new file mode 100644
index 000000000..c5f3092ee
--- /dev/null
+++ b/meta-oe/recipes-core/dbus/dbus-broker/0005-launch-policy-fix-crash-when-importing-selinux.patch
@@ -0,0 +1,50 @@
+From d28e59c451375e8b08fa431b1d64cb3ce9f078ee Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@microsoft.com>
+Date: Fri, 25 Oct 2019 21:04:36 +0100
+Subject: [PATCH 1/2] launch/policy: fix crash when importing <selinux>
+If a policy contains a <selinux> element, dbus-broker-launch crashes:
+Oct 22 12:02:51 localhost dbus-broker-launch[885]: dbus-broker-launch: ../dbus-broker-19/src/launch/policy.c:232: policy_import_verdict: Assertion `cnode->parent->type == CONFIG_NODE_POLICY' failed.
+Minimal config to reproduce:
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <selinux>
+    <associate own="com.example1" context="system_u:object_r:example1_t" />
+    <associate own="com.example2" context="system_u:object_r:example2_t" />
+  </selinux>
+</busconfig>
+policy_import_verdict is being called on an associate element,
+but not only it cannot work as that function checks that the
+parent is a policy node (but it's a selinux node in this case),
+it is also not necessary as the selinux node only defines ownership,
+it does not have allow/deny.
+Fixes #212
+Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
+Upstream-Status: merged https://github.com/bus1/dbus-broker/pull/213
+---
+ src/launch/policy.c | 2 --
+ 1 file changed, 2 deletions(-)
+diff --git a/src/launch/policy.c b/src/launch/policy.c
+index a8ba8e7..466e4bd 100644
+--- a/src/launch/policy.c
+++ b/src/launch/policy.c
+@@ -613,8 +613,6 @@ static int policy_import_selinux(Policy *policy, ConfigNode *cnode) {
+         if (r)
+                 return error_trace(r);
+ 
+-        policy_import_verdict(policy, record, cnode);
+-
+         record->selinux.name = cnode->associate.own;
+         record->selinux.context = cnode->associate.context;
+ 
+-- 
+2.20.1
diff --git a/meta-oe/recipes-core/dbus/dbus-broker/0006-launch-policy-fix-crash-when-exporting-selinux.patch b/meta-oe/recipes-core/dbus/dbus-broker/0006-launch-policy-fix-crash-when-exporting-selinux.patch
new file mode 100644
index 000000000..51f45361b
--- /dev/null
+++ b/meta-oe/recipes-core/dbus/dbus-broker/0006-launch-policy-fix-crash-when-exporting-selinux.patch
@@ -0,0 +1,59 @@
+From f1cdef4d98ddbfeeb4a688712d54b3adc89bfe26 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@microsoft.com>
+Date: Fri, 25 Oct 2019 21:05:43 +0100
+Subject: [PATCH 2/2] launch/policy: fix crash when exporting <selinux>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+If a policy contains a <selinux> element, dbus-broker-launch crashes:
+[   30.048705] dbus-broker-launch[221]: ERROR policy_export @ ../dbus-broker-21/src/launch/policy.c +1142: Return code 1
+[   30.050963] dbus-broker-launch[221]:       launcher_add_listener @ ../dbus-broker-21/src/launch/launcher.c +1130
+[   30.079620] dbus-broker[228]: Dispatched 0 messages @ 0(±0)μs / message.
+[   30.082613] dbus-broker-launch[221]:       launcher_run @ ../dbus-broker-21/src/launch/launcher.c +1389
+[   30.084426] dbus-broker-launch[221]:       run @ ../dbus-broker-21/src/launch/main.c +153
+[   30.085797] dbus-broker-launch[221]:       main @ ../dbus-broker-21/src/launch/main.c +181
+[   30.087208] dbus-broker-launch[221]: Exiting due to fatal error: -131
+Minimal config to reproduce:
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <selinux>
+    <associate own="com.example1" context="system_u:object_r:example1_t" />
+    <associate own="com.example2" context="system_u:object_r:example2_t" />
+  </selinux>
+</busconfig>
+As per the libsystemd API, sd_bus_message_append can return an int
+greater than 0 on success, which for example happens when processing
+vectors.
+The export function is treating every non-zero result as an error,
+which causes dbus-broker-launch to terminate.
+Fixes #212
+Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
+Upstream-Status: merged https://github.com/bus1/dbus-broker/pull/213
+---
+ src/launch/policy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/launch/policy.c b/src/launch/policy.c
+index 466e4bd..f91f11b 100644
+--- a/src/launch/policy.c
+++ b/src/launch/policy.c
+@@ -1138,7 +1138,7 @@ int policy_export(Policy *policy, sd_bus_message *m, uint32_t *at_console_uids,
+                 r = sd_bus_message_append(m, "(ss)",
+                                           i_record->selinux.name,
+                                           i_record->selinux.context);
+-                if (r)
+                if (r < 0)
+                         return error_origin(r);
+         }
+ 
+-- 
+2.20.1
diff --git a/meta-oe/recipes-core/dbus/dbus-broker_21.bb b/meta-oe/recipes-core/dbus/dbus-broker_21.bb
index 8b4101aaf..bad442776 100644
--- a/meta-oe/recipes-core/dbus/dbus-broker_21.bb
+++ b/meta-oe/recipes-core/dbus/dbus-broker_21.bb
@@ -11,6 +11,8 @@ SRC_URI += " file://0001-launch-improve-error-handling-for-opendir.patch"
 SRC_URI += " file://0002-metrics-change-the-constant-used-for-invalid-timesta.patch"
 SRC_URI += " file://0003-dbus-socket-treat-MSG_CTRUNC-gracefully.patch"
 SRC_URI += " file://0004-launcher-fix-build-with-musl-libc.patch"
+SRC_URI += " file://0005-launch-policy-fix-crash-when-importing-selinux.patch"
+SRC_URI += " file://0006-launch-policy-fix-crash-when-exporting-selinux.patch"
 SRC_URI[md5sum] = "a17886a92ab1e0bc2e4b1a274339e388"
 SRC_URI[sha256sum] = "6fff9a831a514659e2c7d704e76867ce31ebcf43e8d7a62e080c6656f64cd39e"
author	Luca Boccassi <luca.boccassi@microsoft.com>	2020-02-06 14:08:24 +0000
committer	Khem Raj <raj.khem@gmail.com>	2020-02-06 07:20:04 -0800
commit	dda2962584e3a1616ba0e8e6e72e4eae6d56e652 (patch)
tree	d8a49b88d400ab99243da54dd3934d7af93ba227 /meta-oe/recipes-core/dbus
parent	502084cc99ac04c6989c03c23b8aa9c04425e976 (diff)
download	meta-openembedded-dda2962584e3a1616ba0e8e6e72e4eae6d56e652.tar.gz

diff --git a/meta-oe/recipes-core/dbus/dbus-broker/0005-launch-policy-fix-crash-when-importing-selinux.patch b/meta-oe/recipes-core/dbus/dbus-broker/0005-launch-policy-fix-crash-when-importing-selinux.patch new file mode 100644 index 000000000..c5f3092ee --- /dev/null +++ b/meta-oe/recipes-core/dbus/dbus-broker/0005-launch-policy-fix-crash-when-importing-selinux.patch
@@ -0,0 +1,50 @@
		1	From d28e59c451375e8b08fa431b1d64cb3ce9f078ee Mon Sep 17 00:00:00 2001
		2	From: Luca Boccassi <luca.boccassi@microsoft.com>
		3	Date: Fri, 25 Oct 2019 21:04:36 +0100
		4	Subject: [PATCH 1/2] launch/policy: fix crash when importing <selinux>
		5
		6	If a policy contains a <selinux> element, dbus-broker-launch crashes:
		7
		8	Oct 22 12:02:51 localhost dbus-broker-launch[885]: dbus-broker-launch: ../dbus-broker-19/src/launch/policy.c:232: policy_import_verdict: Assertion `cnode->parent->type == CONFIG_NODE_POLICY' failed.
		9
		10	Minimal config to reproduce:
		11
		12	<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
		13	"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
		14	<busconfig>
		15	<selinux>
		16	<associate own="com.example1" context="system_u:object_r:example1_t" />
		17	<associate own="com.example2" context="system_u:object_r:example2_t" />
		18	</selinux>
		19	</busconfig>
		20
		21	policy_import_verdict is being called on an associate element,
		22	but not only it cannot work as that function checks that the
		23	parent is a policy node (but it's a selinux node in this case),
		24	it is also not necessary as the selinux node only defines ownership,
		25	it does not have allow/deny.
		26
		27	Fixes #212
		28
		29	Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
		30	Upstream-Status: merged https://github.com/bus1/dbus-broker/pull/213
		31	---
		32	src/launch/policy.c \| 2 --
		33	1 file changed, 2 deletions(-)
		34
		35	diff --git a/src/launch/policy.c b/src/launch/policy.c
		36	index a8ba8e7..466e4bd 100644
		37	--- a/src/launch/policy.c
		38	+++ b/src/launch/policy.c
		39	@@ -613,8 +613,6 @@ static int policy_import_selinux(Policy policy, ConfigNode cnode) {
		40	if (r)
		41	return error_trace(r);
		42
		43	- policy_import_verdict(policy, record, cnode);
		44	-
		45	record->selinux.name = cnode->associate.own;
		46	record->selinux.context = cnode->associate.context;
		47
		48	--
		49	2.20.1
		50


diff --git a/meta-oe/recipes-core/dbus/dbus-broker/0006-launch-policy-fix-crash-when-exporting-selinux.patch b/meta-oe/recipes-core/dbus/dbus-broker/0006-launch-policy-fix-crash-when-exporting-selinux.patch new file mode 100644 index 000000000..51f45361b --- /dev/null +++ b/meta-oe/recipes-core/dbus/dbus-broker/0006-launch-policy-fix-crash-when-exporting-selinux.patch
@@ -0,0 +1,59 @@
		1	From f1cdef4d98ddbfeeb4a688712d54b3adc89bfe26 Mon Sep 17 00:00:00 2001
		2	From: Luca Boccassi <luca.boccassi@microsoft.com>
		3	Date: Fri, 25 Oct 2019 21:05:43 +0100
		4	Subject: [PATCH 2/2] launch/policy: fix crash when exporting <selinux>
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	If a policy contains a <selinux> element, dbus-broker-launch crashes:
		10
		11	[ 30.048705] dbus-broker-launch[221]: ERROR policy_export @ ../dbus-broker-21/src/launch/policy.c +1142: Return code 1
		12	[ 30.050963] dbus-broker-launch[221]: launcher_add_listener @ ../dbus-broker-21/src/launch/launcher.c +1130
		13	[ 30.079620] dbus-broker[228]: Dispatched 0 messages @ 0(±0)μs / message.
		14	[ 30.082613] dbus-broker-launch[221]: launcher_run @ ../dbus-broker-21/src/launch/launcher.c +1389
		15	[ 30.084426] dbus-broker-launch[221]: run @ ../dbus-broker-21/src/launch/main.c +153
		16	[ 30.085797] dbus-broker-launch[221]: main @ ../dbus-broker-21/src/launch/main.c +181
		17	[ 30.087208] dbus-broker-launch[221]: Exiting due to fatal error: -131
		18
		19	Minimal config to reproduce:
		20
		21	<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
		22	"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
		23	<busconfig>
		24	<selinux>
		25	<associate own="com.example1" context="system_u:object_r:example1_t" />
		26	<associate own="com.example2" context="system_u:object_r:example2_t" />
		27	</selinux>
		28	</busconfig>
		29
		30	As per the libsystemd API, sd_bus_message_append can return an int
		31	greater than 0 on success, which for example happens when processing
		32	vectors.
		33	The export function is treating every non-zero result as an error,
		34	which causes dbus-broker-launch to terminate.
		35
		36	Fixes #212
		37
		38	Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
		39	Upstream-Status: merged https://github.com/bus1/dbus-broker/pull/213
		40	---
		41	src/launch/policy.c \| 2 +-
		42	1 file changed, 1 insertion(+), 1 deletion(-)
		43
		44	diff --git a/src/launch/policy.c b/src/launch/policy.c
		45	index 466e4bd..f91f11b 100644
		46	--- a/src/launch/policy.c
		47	+++ b/src/launch/policy.c
		48	@@ -1138,7 +1138,7 @@ int policy_export(Policy policy, sd_bus_message m, uint32_t *at_console_uids,
		49	r = sd_bus_message_append(m, "(ss)",
		50	i_record->selinux.name,
		51	i_record->selinux.context);
		52	- if (r)
		53	+ if (r < 0)
		54	return error_origin(r);
		55	}
		56
		57	--
		58	2.20.1
		59


diff --git a/meta-oe/recipes-core/dbus/dbus-broker_21.bb b/meta-oe/recipes-core/dbus/dbus-broker_21.bb index 8b4101aaf..bad442776 100644 --- a/meta-oe/recipes-core/dbus/dbus-broker_21.bb +++ b/meta-oe/recipes-core/dbus/dbus-broker_21.bb
@@ -11,6 +11,8 @@ SRC_URI += " file://0001-launch-improve-error-handling-for-opendir.patch"
11	SRC_URI += " file://0002-metrics-change-the-constant-used-for-invalid-timesta.patch"	11	SRC_URI += " file://0002-metrics-change-the-constant-used-for-invalid-timesta.patch"
12	SRC_URI += " file://0003-dbus-socket-treat-MSG_CTRUNC-gracefully.patch"	12	SRC_URI += " file://0003-dbus-socket-treat-MSG_CTRUNC-gracefully.patch"
13	SRC_URI += " file://0004-launcher-fix-build-with-musl-libc.patch"	13	SRC_URI += " file://0004-launcher-fix-build-with-musl-libc.patch"
		14	SRC_URI += " file://0005-launch-policy-fix-crash-when-importing-selinux.patch"
		15	SRC_URI += " file://0006-launch-policy-fix-crash-when-exporting-selinux.patch"
14	SRC_URI[md5sum] = "a17886a92ab1e0bc2e4b1a274339e388"	16	SRC_URI[md5sum] = "a17886a92ab1e0bc2e4b1a274339e388"
15	SRC_URI[sha256sum] = "6fff9a831a514659e2c7d704e76867ce31ebcf43e8d7a62e080c6656f64cd39e"	17	SRC_URI[sha256sum] = "6fff9a831a514659e2c7d704e76867ce31ebcf43e8d7a62e080c6656f64cd39e"
16		18