dbus_%.bbappend: stop using selinux_set_mapping

https://gitlab.freedesktop.org/dbus/dbus/-/issues/198 https://gitlab.freedesktop.org/dbus/dbus/-/commit/6072f8b24153d844a3033108a17bcd0c1a967816 Currently, if the "dbus" security class or the associated AV doesn't exist, dbus-daemon fails to initialize and exits immediately. Also the security classes or access vector cannot be reordered in the policy. This can be a problem for people developing their own policy or trying to access a machine where, for some reasons, there is not policy defined at all. The code here copy the behaviour of the selinux_check_access() function. We cannot use this function here as it doesn't allow us to define the AVC entry reference. See the discussion at https://marc.info/?l=selinux&m=152163374332372&w=2 (From OE-Core rev: 0441b53d55a919b5ac42e997f4092053b017b553) Signed-off-by: Nisha Parrakat <nishaparrakat@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Nisha Parrakat <nishaparrakat@gmail.com> 2021-08-13 07:22:02 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-08-13 22:43:56 +0100
commit: 8ff845c9ba1ca55e2f984f93944804c02f807dcc (patch)
tree: dfcb94b8d62697c2764b68053e7210ed376ba358 /meta
parent: ddd4b8c9a1bf590f784ba5ced84fb1fef198cd10 (diff)
download: poky-8ff845c9ba1ca55e2f984f93944804c02f807dcc.tar.gz
2 files changed, 149 insertions, 0 deletions
diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc
index f0eeffacc8..adc138bf10 100644
--- a/meta/recipes-core/dbus/dbus.inc
+++ b/meta/recipes-core/dbus/dbus.inc
@@ -8,6 +8,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
           file://tmpdir.patch \
           file://dbus-1.init \
           file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
+           file://stop_using_selinux_set_mapping.patch \
 "
 SRC_URI[md5sum] = "dfe8a71f412e0b53be26ed4fbfdc91c4"
diff --git a/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch b/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch
new file mode 100644
index 0000000000..7035098e41
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch
@@ -0,0 +1,148 @@
+From 6072f8b24153d844a3033108a17bcd0c1a967816 Mon Sep 17 00:00:00 2001
+From: Laurent Bigonville <bigon@bigon.be>
+Date: Sat, 3 Mar 2018 11:15:23 +0100
+Subject: [PATCH] Stop using selinux_set_mapping() function
+Currently, if the "dbus" security class or the associated AV doesn't
+exist, dbus-daemon fails to initialize and exits immediately. Also the
+security classes or access vector cannot be reordered in the policy.
+This can be a problem for people developing their own policy or trying
+to access a machine where, for some reasons, there is not policy defined
+at all.
+The code here copy the behaviour of the selinux_check_access() function.
+We cannot use this function here as it doesn't allow us to define the
+AVC entry reference.
+See the discussion at https://marc.info/?l=selinux&m=152163374332372&w=2
+Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/198
+---
+ bus/selinux.c | 75 ++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 42 insertions(+), 33 deletions(-)
+Upstream-Status: Backport
+Signed-off-by: Nisha.Parrakat <Nisha.Parrakat@kpit.com>
+diff --git a/bus/selinux.c b/bus/selinux.c
+--- a/bus/selinux.c     2021-08-11 14:45:59.048513026 +0000
+++ b/bus/selinux.c     2021-08-11 14:57:47.144846966 +0000
+@@ -311,24 +311,6 @@
+ #endif
+ }
+ 
+-/*
+- * Private Flask definitions; the order of these constants must
+- * exactly match that of the structure array below!
+- */
+-/* security dbus class constants */
+-#define SECCLASS_DBUS       1
+-
+-/* dbus's per access vector constants */
+-#define DBUS__ACQUIRE_SVC   1
+-#define DBUS__SEND_MSG      2
+-
+-#ifdef HAVE_SELINUX
+-static struct security_class_mapping dbus_map[] = {
+-  { "dbus", { "acquire_svc", "send_msg", NULL } },
+-  { NULL }
+-};
+-#endif /* HAVE_SELINUX */
+-
+ /**
+  * Establish dynamic object class and permission mapping and
+  * initialize the user space access vector cache (AVC) for D-Bus and set up
+@@ -350,13 +332,6 @@
+ 
+   _dbus_verbose ("SELinux is enabled in this kernel.\n");
+ 
+-  if (selinux_set_mapping (dbus_map) < 0)
+-    {
+-      _dbus_warn ("Failed to set up security class mapping (selinux_set_mapping():%s).",
+-                   strerror (errno));
+-      return FALSE; 
+-    }
+-
+   avc_entry_ref_init (&aeref);
+   if (avc_init ("avc", &mem_cb, &log_cb, &thread_cb, &lock_cb) < 0)
+     {
+@@ -421,19 +396,53 @@
+ static dbus_bool_t
+ bus_selinux_check (BusSELinuxID        *sender_sid,
+                    BusSELinuxID        *override_sid,
+-                   security_class_t     target_class,
+-                   access_vector_t      requested,
+                   const char          *target_class,
+                   const char          *requested,
+                   DBusString          *auxdata)
+ {
+  int saved_errno;
+  security_class_t security_class;
+  access_vector_t requested_access;
+
+   if (!selinux_enabled)
+     return TRUE;
+ 
+  security_class = string_to_security_class (target_class);
+  if (security_class == 0)
+    {
+      saved_errno = errno;
+      log_callback (SELINUX_ERROR, "Unknown class %s", target_class);
+      if (security_deny_unknown () == 0)
+        {
+          return TRUE;
+       }
+
+      _dbus_verbose ("Unknown class %s\n", target_class);
+      errno = saved_errno;
+      return FALSE;
+    }
+
+  requested_access = string_to_av_perm (security_class, requested);
+  if (requested_access == 0)
+    {
+      saved_errno = errno;
+      log_callback (SELINUX_ERROR, "Unknown permission %s for class %s", requested, target_class);
+      if (security_deny_unknown () == 0)
+        {
+          return TRUE;
+       }
+
+      _dbus_verbose ("Unknown permission %s for class %s\n", requested, target_class);
+      errno = saved_errno;
+      return FALSE;
+    }
+
+   /* Make the security check.  AVC checks enforcing mode here as well. */
+   if (avc_has_perm (SELINUX_SID_FROM_BUS (sender_sid),
+                     override_sid ?
+                     SELINUX_SID_FROM_BUS (override_sid) :
+                     bus_sid,
+-                    target_class, requested, &aeref, auxdata) < 0)
+                    security_class, requested_access, &aeref, auxdata) < 0)
+     {
+     switch (errno)
+       {
+@@ -500,8 +509,8 @@
+   
+   ret = bus_selinux_check (connection_sid,
+                           service_sid,
+-                          SECCLASS_DBUS,
+-                          DBUS__ACQUIRE_SVC,
+                          "dbus",
+                          "acquire_svc",
+                           &auxdata);
+ 
+   _dbus_string_free (&auxdata);
+@@ -629,8 +638,8 @@
+ 
+   ret = bus_selinux_check (sender_sid, 
+                           recipient_sid,
+-                          SECCLASS_DBUS, 
+-                          DBUS__SEND_MSG,
+                          "dbus", 
+                          "send_msg",
+                           &auxdata);
+ 
+   _dbus_string_free (&auxdata);
author	Nisha Parrakat <nishaparrakat@gmail.com>	2021-08-13 07:22:02 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-08-13 22:43:56 +0100
commit	8ff845c9ba1ca55e2f984f93944804c02f807dcc (patch)
tree	dfcb94b8d62697c2764b68053e7210ed376ba358 /meta
parent	ddd4b8c9a1bf590f784ba5ced84fb1fef198cd10 (diff)
download	poky-8ff845c9ba1ca55e2f984f93944804c02f807dcc.tar.gz

diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc index f0eeffacc8..adc138bf10 100644 --- a/meta/recipes-core/dbus/dbus.inc +++ b/meta/recipes-core/dbus/dbus.inc
@@ -8,6 +8,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
8	file://tmpdir.patch \	8	file://tmpdir.patch \
9	file://dbus-1.init \	9	file://dbus-1.init \
10	file://clear-guid_from_server-if-send_negotiate_unix_f.patch \	10	file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
		11	file://stop_using_selinux_set_mapping.patch \
11	"	12	"
12		13
13	SRC_URI[md5sum] = "dfe8a71f412e0b53be26ed4fbfdc91c4"	14	SRC_URI[md5sum] = "dfe8a71f412e0b53be26ed4fbfdc91c4"


diff --git a/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch b/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch new file mode 100644 index 0000000000..7035098e41 --- /dev/null +++ b/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch
@@ -0,0 +1,148 @@
		1	From 6072f8b24153d844a3033108a17bcd0c1a967816 Mon Sep 17 00:00:00 2001
		2	From: Laurent Bigonville <bigon@bigon.be>
		3	Date: Sat, 3 Mar 2018 11:15:23 +0100
		4	Subject: [PATCH] Stop using selinux_set_mapping() function
		5
		6	Currently, if the "dbus" security class or the associated AV doesn't
		7	exist, dbus-daemon fails to initialize and exits immediately. Also the
		8	security classes or access vector cannot be reordered in the policy.
		9	This can be a problem for people developing their own policy or trying
		10	to access a machine where, for some reasons, there is not policy defined
		11	at all.
		12
		13	The code here copy the behaviour of the selinux_check_access() function.
		14	We cannot use this function here as it doesn't allow us to define the
		15	AVC entry reference.
		16
		17	See the discussion at https://marc.info/?l=selinux&m=152163374332372&w=2
		18
		19	Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/198
		20	---
		21	bus/selinux.c \| 75 ++++++++++++++++++++++++++++-----------------------
		22	1 file changed, 42 insertions(+), 33 deletions(-)
		23
		24
		25	Upstream-Status: Backport
		26	Signed-off-by: Nisha.Parrakat <Nisha.Parrakat@kpit.com>
		27	diff --git a/bus/selinux.c b/bus/selinux.c
		28
		29	--- a/bus/selinux.c 2021-08-11 14:45:59.048513026 +0000
		30	+++ b/bus/selinux.c 2021-08-11 14:57:47.144846966 +0000
		31	@@ -311,24 +311,6 @@
		32	#endif
		33	}
		34
		35	-/*
		36	- * Private Flask definitions; the order of these constants must
		37	- * exactly match that of the structure array below!
		38	- */
		39	-/* security dbus class constants */
		40	-#define SECCLASS_DBUS 1
		41	-
		42	-/* dbus's per access vector constants */
		43	-#define DBUS__ACQUIRE_SVC 1
		44	-#define DBUS__SEND_MSG 2
		45	-
		46	-#ifdef HAVE_SELINUX
		47	-static struct security_class_mapping dbus_map[] = {
		48	- { "dbus", { "acquire_svc", "send_msg", NULL } },
		49	- { NULL }
		50	-};
		51	-#endif /* HAVE_SELINUX */
		52	-
		53	/**
		54	* Establish dynamic object class and permission mapping and
		55	* initialize the user space access vector cache (AVC) for D-Bus and set up
		56	@@ -350,13 +332,6 @@
		57
		58	_dbus_verbose ("SELinux is enabled in this kernel.\n");
		59
		60	- if (selinux_set_mapping (dbus_map) < 0)
		61	- {
		62	- _dbus_warn ("Failed to set up security class mapping (selinux_set_mapping():%s).",
		63	- strerror (errno));
		64	- return FALSE;
		65	- }
		66	-
		67	avc_entry_ref_init (&aeref);
		68	if (avc_init ("avc", &mem_cb, &log_cb, &thread_cb, &lock_cb) < 0)
		69	{
		70	@@ -421,19 +396,53 @@
		71	static dbus_bool_t
		72	bus_selinux_check (BusSELinuxID *sender_sid,
		73	BusSELinuxID *override_sid,
		74	- security_class_t target_class,
		75	- access_vector_t requested,
		76	+ const char *target_class,
		77	+ const char *requested,
		78	DBusString *auxdata)
		79	{
		80	+ int saved_errno;
		81	+ security_class_t security_class;
		82	+ access_vector_t requested_access;
		83	+
		84	if (!selinux_enabled)
		85	return TRUE;
		86
		87	+ security_class = string_to_security_class (target_class);
		88	+ if (security_class == 0)
		89	+ {
		90	+ saved_errno = errno;
		91	+ log_callback (SELINUX_ERROR, "Unknown class %s", target_class);
		92	+ if (security_deny_unknown () == 0)
		93	+ {
		94	+ return TRUE;
		95	+ }
		96	+
		97	+ _dbus_verbose ("Unknown class %s\n", target_class);
		98	+ errno = saved_errno;
		99	+ return FALSE;
		100	+ }
		101	+
		102	+ requested_access = string_to_av_perm (security_class, requested);
		103	+ if (requested_access == 0)
		104	+ {
		105	+ saved_errno = errno;
		106	+ log_callback (SELINUX_ERROR, "Unknown permission %s for class %s", requested, target_class);
		107	+ if (security_deny_unknown () == 0)
		108	+ {
		109	+ return TRUE;
		110	+ }
		111	+
		112	+ _dbus_verbose ("Unknown permission %s for class %s\n", requested, target_class);
		113	+ errno = saved_errno;
		114	+ return FALSE;
		115	+ }
		116	+
		117	/* Make the security check. AVC checks enforcing mode here as well. */
		118	if (avc_has_perm (SELINUX_SID_FROM_BUS (sender_sid),
		119	override_sid ?
		120	SELINUX_SID_FROM_BUS (override_sid) :
		121	bus_sid,
		122	- target_class, requested, &aeref, auxdata) < 0)
		123	+ security_class, requested_access, &aeref, auxdata) < 0)
		124	{
		125	switch (errno)
		126	{
		127	@@ -500,8 +509,8 @@
		128
		129	ret = bus_selinux_check (connection_sid,
		130	service_sid,
		131	- SECCLASS_DBUS,
		132	- DBUS__ACQUIRE_SVC,
		133	+ "dbus",
		134	+ "acquire_svc",
		135	&auxdata);
		136
		137	_dbus_string_free (&auxdata);
		138	@@ -629,8 +638,8 @@
		139
		140	ret = bus_selinux_check (sender_sid,
		141	recipient_sid,
		142	- SECCLASS_DBUS,
		143	- DBUS__SEND_MSG,
		144	+ "dbus",
		145	+ "send_msg",
		146	&auxdata);
		147
		148	_dbus_string_free (&auxdata);