summaryrefslogtreecommitdiffstats
path: root/meta/recipes-core
diff options
context:
space:
mode:
authorNisha Parrakat <nishaparrakat@gmail.com>2021-08-13 07:22:02 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-08-13 22:43:56 +0100
commit8ff845c9ba1ca55e2f984f93944804c02f807dcc (patch)
treedfcb94b8d62697c2764b68053e7210ed376ba358 /meta/recipes-core
parentddd4b8c9a1bf590f784ba5ced84fb1fef198cd10 (diff)
downloadpoky-8ff845c9ba1ca55e2f984f93944804c02f807dcc.tar.gz
dbus_%.bbappend: stop using selinux_set_mapping
https://gitlab.freedesktop.org/dbus/dbus/-/issues/198 https://gitlab.freedesktop.org/dbus/dbus/-/commit/6072f8b24153d844a3033108a17bcd0c1a967816 Currently, if the "dbus" security class or the associated AV doesn't exist, dbus-daemon fails to initialize and exits immediately. Also the security classes or access vector cannot be reordered in the policy. This can be a problem for people developing their own policy or trying to access a machine where, for some reasons, there is not policy defined at all. The code here copy the behaviour of the selinux_check_access() function. We cannot use this function here as it doesn't allow us to define the AVC entry reference. See the discussion at https://marc.info/?l=selinux&m=152163374332372&w=2 (From OE-Core rev: 0441b53d55a919b5ac42e997f4092053b017b553) Signed-off-by: Nisha Parrakat <nishaparrakat@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r--meta/recipes-core/dbus/dbus.inc1
-rw-r--r--meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch148
2 files changed, 149 insertions, 0 deletions
diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc
index f0eeffacc8..adc138bf10 100644
--- a/meta/recipes-core/dbus/dbus.inc
+++ b/meta/recipes-core/dbus/dbus.inc
@@ -8,6 +8,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
8 file://tmpdir.patch \ 8 file://tmpdir.patch \
9 file://dbus-1.init \ 9 file://dbus-1.init \
10 file://clear-guid_from_server-if-send_negotiate_unix_f.patch \ 10 file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
11 file://stop_using_selinux_set_mapping.patch \
11" 12"
12 13
13SRC_URI[md5sum] = "dfe8a71f412e0b53be26ed4fbfdc91c4" 14SRC_URI[md5sum] = "dfe8a71f412e0b53be26ed4fbfdc91c4"
diff --git a/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch b/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch
new file mode 100644
index 0000000000..7035098e41
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch
@@ -0,0 +1,148 @@
1From 6072f8b24153d844a3033108a17bcd0c1a967816 Mon Sep 17 00:00:00 2001
2From: Laurent Bigonville <bigon@bigon.be>
3Date: Sat, 3 Mar 2018 11:15:23 +0100
4Subject: [PATCH] Stop using selinux_set_mapping() function
5
6Currently, if the "dbus" security class or the associated AV doesn't
7exist, dbus-daemon fails to initialize and exits immediately. Also the
8security classes or access vector cannot be reordered in the policy.
9This can be a problem for people developing their own policy or trying
10to access a machine where, for some reasons, there is not policy defined
11at all.
12
13The code here copy the behaviour of the selinux_check_access() function.
14We cannot use this function here as it doesn't allow us to define the
15AVC entry reference.
16
17See the discussion at https://marc.info/?l=selinux&m=152163374332372&w=2
18
19Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/198
20---
21 bus/selinux.c | 75 ++++++++++++++++++++++++++++-----------------------
22 1 file changed, 42 insertions(+), 33 deletions(-)
23
24
25Upstream-Status: Backport
26Signed-off-by: Nisha.Parrakat <Nisha.Parrakat@kpit.com>
27diff --git a/bus/selinux.c b/bus/selinux.c
28
29--- a/bus/selinux.c 2021-08-11 14:45:59.048513026 +0000
30+++ b/bus/selinux.c 2021-08-11 14:57:47.144846966 +0000
31@@ -311,24 +311,6 @@
32 #endif
33 }
34
35-/*
36- * Private Flask definitions; the order of these constants must
37- * exactly match that of the structure array below!
38- */
39-/* security dbus class constants */
40-#define SECCLASS_DBUS 1
41-
42-/* dbus's per access vector constants */
43-#define DBUS__ACQUIRE_SVC 1
44-#define DBUS__SEND_MSG 2
45-
46-#ifdef HAVE_SELINUX
47-static struct security_class_mapping dbus_map[] = {
48- { "dbus", { "acquire_svc", "send_msg", NULL } },
49- { NULL }
50-};
51-#endif /* HAVE_SELINUX */
52-
53 /**
54 * Establish dynamic object class and permission mapping and
55 * initialize the user space access vector cache (AVC) for D-Bus and set up
56@@ -350,13 +332,6 @@
57
58 _dbus_verbose ("SELinux is enabled in this kernel.\n");
59
60- if (selinux_set_mapping (dbus_map) < 0)
61- {
62- _dbus_warn ("Failed to set up security class mapping (selinux_set_mapping():%s).",
63- strerror (errno));
64- return FALSE;
65- }
66-
67 avc_entry_ref_init (&aeref);
68 if (avc_init ("avc", &mem_cb, &log_cb, &thread_cb, &lock_cb) < 0)
69 {
70@@ -421,19 +396,53 @@
71 static dbus_bool_t
72 bus_selinux_check (BusSELinuxID *sender_sid,
73 BusSELinuxID *override_sid,
74- security_class_t target_class,
75- access_vector_t requested,
76+ const char *target_class,
77+ const char *requested,
78 DBusString *auxdata)
79 {
80+ int saved_errno;
81+ security_class_t security_class;
82+ access_vector_t requested_access;
83+
84 if (!selinux_enabled)
85 return TRUE;
86
87+ security_class = string_to_security_class (target_class);
88+ if (security_class == 0)
89+ {
90+ saved_errno = errno;
91+ log_callback (SELINUX_ERROR, "Unknown class %s", target_class);
92+ if (security_deny_unknown () == 0)
93+ {
94+ return TRUE;
95+ }
96+
97+ _dbus_verbose ("Unknown class %s\n", target_class);
98+ errno = saved_errno;
99+ return FALSE;
100+ }
101+
102+ requested_access = string_to_av_perm (security_class, requested);
103+ if (requested_access == 0)
104+ {
105+ saved_errno = errno;
106+ log_callback (SELINUX_ERROR, "Unknown permission %s for class %s", requested, target_class);
107+ if (security_deny_unknown () == 0)
108+ {
109+ return TRUE;
110+ }
111+
112+ _dbus_verbose ("Unknown permission %s for class %s\n", requested, target_class);
113+ errno = saved_errno;
114+ return FALSE;
115+ }
116+
117 /* Make the security check. AVC checks enforcing mode here as well. */
118 if (avc_has_perm (SELINUX_SID_FROM_BUS (sender_sid),
119 override_sid ?
120 SELINUX_SID_FROM_BUS (override_sid) :
121 bus_sid,
122- target_class, requested, &aeref, auxdata) < 0)
123+ security_class, requested_access, &aeref, auxdata) < 0)
124 {
125 switch (errno)
126 {
127@@ -500,8 +509,8 @@
128
129 ret = bus_selinux_check (connection_sid,
130 service_sid,
131- SECCLASS_DBUS,
132- DBUS__ACQUIRE_SVC,
133+ "dbus",
134+ "acquire_svc",
135 &auxdata);
136
137 _dbus_string_free (&auxdata);
138@@ -629,8 +638,8 @@
139
140 ret = bus_selinux_check (sender_sid,
141 recipient_sid,
142- SECCLASS_DBUS,
143- DBUS__SEND_MSG,
144+ "dbus",
145+ "send_msg",
146 &auxdata);
147
148 _dbus_string_free (&auxdata);