1 /* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*-
2 * selinux.c SELinux security checks for D-Bus
3 *
4 * Author: Matthew Rickard <mjricka@epoch.ncsc.mil>
5 *
6 * Licensed under the Academic Free License version 2.1
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
21 *
22 */
23
24 #include <config.h>
25 #include <dbus/dbus-internals.h>
26 #include <dbus/dbus-string.h>
27 #ifndef DBUS_WIN
28 #include <dbus/dbus-userdb.h>
29 #endif
30 #include "selinux.h"
31 #include "services.h"
32 #include "policy.h"
33 #include "utils.h"
34 #include "config-parser.h"
35
36 #ifdef HAVE_ERRNO_H
37 #include <errno.h>
38 #endif
39 #ifdef HAVE_SELINUX
40 #include <sys/types.h>
41 #include <unistd.h>
42 #include <limits.h>
43 #include <pthread.h>
44 #include <syslog.h>
45 #include <selinux/selinux.h>
46 #include <selinux/avc.h>
47 #include <selinux/av_permissions.h>
48 #include <selinux/flask.h>
49 #include <signal.h>
50 #include <stdarg.h>
51 #include <stdio.h>
52 #include <grp.h>
53 #endif /* HAVE_SELINUX */
54 #ifdef HAVE_LIBAUDIT
55 #include <cap-ng.h>
56 #include <libaudit.h>
57 #endif /* HAVE_LIBAUDIT */
58
59 #define BUS_SID_FROM_SELINUX(sid) ((BusSELinuxID*) (sid))
60 #define SELINUX_SID_FROM_BUS(sid) ((security_id_t) (sid))
61
62 #ifdef HAVE_SELINUX
63 /* Store the value telling us if SELinux is enabled in the kernel. */
64 static dbus_bool_t selinux_enabled = FALSE;
65
66 /* Store an avc_entry_ref to speed AVC decisions. */
67 static struct avc_entry_ref aeref;
68
69 /* Store the SID of the bus itself to use as the default. */
70 static security_id_t bus_sid = SECSID_WILD;
71
72 /* Thread to listen for SELinux status changes via netlink. */
73 static pthread_t avc_notify_thread;
74
75 /* Prototypes for AVC callback functions. */
76 static void log_callback (const char *fmt, ...);
77 static void log_audit_callback (void *data, security_class_t class, char *buf, size_t bufleft);
78 static void *avc_create_thread (void (*run) (void));
79 static void avc_stop_thread (void *thread);
80 static void *avc_alloc_lock (void);
81 static void avc_get_lock (void *lock);
82 static void avc_release_lock (void *lock);
83 static void avc_free_lock (void *lock);
84
85 /* AVC callback structures for use in avc_init. */
86 static const struct avc_memory_callback mem_cb =
87 {
88 .func_malloc = dbus_malloc,
89 .func_free = dbus_free
90 };
91 static const struct avc_log_callback log_cb =
92 {
93 .func_log = log_callback,
94 .func_audit = log_audit_callback
95 };
96 static const struct avc_thread_callback thread_cb =
97 {
98 .func_create_thread = avc_create_thread,
99 .func_stop_thread = avc_stop_thread
100 };
101 static const struct avc_lock_callback lock_cb =
102 {
103 .func_alloc_lock = avc_alloc_lock,
104 .func_get_lock = avc_get_lock,
105 .func_release_lock = avc_release_lock,
106 .func_free_lock = avc_free_lock
107 };
108 #endif /* HAVE_SELINUX */
109
110 /**
111 * Log callback to log denial messages from the AVC.
112 * This is used in avc_init. Logs to both standard
113 * error and syslogd.
114 *
115 * @param fmt the format string
116 * @param variable argument list
117 */
118 #ifdef HAVE_SELINUX
119
120 #ifdef HAVE_LIBAUDIT
121 static int audit_fd = -1;
122 #endif
123
124 void
bus_selinux_audit_init(void)125 bus_selinux_audit_init(void)
126 {
127 #ifdef HAVE_LIBAUDIT
128 audit_fd = audit_open ();
129
130 if (audit_fd < 0)
131 {
132 /* If kernel doesn't support audit, bail out */
133 if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT)
134 return;
135 /* If user bus, bail out */
136 if (errno == EPERM && getuid() != 0)
137 return;
138 _dbus_warn ("Failed opening connection to the audit subsystem");
139 }
140 #endif /* HAVE_LIBAUDIT */
141 }
142
143 static void
log_callback(const char * fmt,...)144 log_callback (const char *fmt, ...)
145 {
146 va_list ap;
147
148 va_start(ap, fmt);
149
150 #ifdef HAVE_LIBAUDIT
151 if (audit_fd >= 0)
152 {
153 capng_get_caps_process();
154 if (capng_have_capability(CAPNG_EFFECTIVE, CAP_AUDIT_WRITE))
155 {
156 char buf[PATH_MAX*2];
157
158 /* FIXME: need to change this to show real user */
159 vsnprintf(buf, sizeof(buf), fmt, ap);
160 audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
161 NULL, getuid());
162 return;
163 }
164 }
165 #endif /* HAVE_LIBAUDIT */
166
167 vsyslog (LOG_USER | LOG_INFO, fmt, ap);
168 va_end(ap);
169 }
170
171 /**
172 * On a policy reload we need to reparse the SELinux configuration file, since
173 * this could have changed. Send a SIGHUP to reload all configs.
174 */
175 static int
policy_reload_callback(u_int32_t event,security_id_t ssid,security_id_t tsid,security_class_t tclass,access_vector_t perms,access_vector_t * out_retained)176 policy_reload_callback (u_int32_t event, security_id_t ssid,
177 security_id_t tsid, security_class_t tclass,
178 access_vector_t perms, access_vector_t *out_retained)
179 {
180 if (event == AVC_CALLBACK_RESET)
181 return raise (SIGHUP);
182
183 return 0;
184 }
185
186 /**
187 * Log any auxiliary data
188 */
189 static void
log_audit_callback(void * data,security_class_t class,char * buf,size_t bufleft)190 log_audit_callback (void *data, security_class_t class, char *buf, size_t bufleft)
191 {
192 DBusString *audmsg = data;
193
194 if (bufleft > (size_t) _dbus_string_get_length(audmsg))
195 {
196 _dbus_string_copy_to_buffer_with_nul (audmsg, buf, bufleft);
197 }
198 else
199 {
200 DBusString s;
201
202 _dbus_string_init_const(&s, "Buffer too small for audit message");
203
204 if (bufleft > (size_t) _dbus_string_get_length(&s))
205 _dbus_string_copy_to_buffer_with_nul (&s, buf, bufleft);
206 }
207 }
208
209 /**
210 * Create thread to notify the AVC of enforcing and policy reload
211 * changes via netlink.
212 *
213 * @param run the thread run function
214 * @return pointer to the thread
215 */
216 static void *
avc_create_thread(void (* run)(void))217 avc_create_thread (void (*run) (void))
218 {
219 int rc;
220
221 rc = pthread_create (&avc_notify_thread, NULL, (void *(*) (void *)) run, NULL);
222 if (rc != 0)
223 {
224 _dbus_warn ("Failed to start AVC thread: %s\n", _dbus_strerror (rc));
225 exit (1);
226 }
227 return &avc_notify_thread;
228 }
229
230 /* Stop AVC netlink thread. */
231 static void
avc_stop_thread(void * thread)232 avc_stop_thread (void *thread)
233 {
234 pthread_cancel (*(pthread_t *) thread);
235 }
236
237 /* Allocate a new AVC lock. */
238 static void *
avc_alloc_lock(void)239 avc_alloc_lock (void)
240 {
241 pthread_mutex_t *avc_mutex;
242
243 avc_mutex = dbus_new (pthread_mutex_t, 1);
244 if (avc_mutex == NULL)
245 {
246 _dbus_warn ("Could not create mutex: %s\n", _dbus_strerror (errno));
247 exit (1);
248 }
249 pthread_mutex_init (avc_mutex, NULL);
250
251 return avc_mutex;
252 }
253
254 /* Acquire an AVC lock. */
255 static void
avc_get_lock(void * lock)256 avc_get_lock (void *lock)
257 {
258 pthread_mutex_lock (lock);
259 }
260
261 /* Release an AVC lock. */
262 static void
avc_release_lock(void * lock)263 avc_release_lock (void *lock)
264 {
265 pthread_mutex_unlock (lock);
266 }
267
268 /* Free an AVC lock. */
269 static void
avc_free_lock(void * lock)270 avc_free_lock (void *lock)
271 {
272 pthread_mutex_destroy (lock);
273 dbus_free (lock);
274 }
275 #endif /* HAVE_SELINUX */
276
277 /**
278 * Return whether or not SELinux is enabled; must be
279 * called after bus_selinux_init.
280 */
281 dbus_bool_t
bus_selinux_enabled(void)282 bus_selinux_enabled (void)
283 {
284 #ifdef HAVE_SELINUX
285 return selinux_enabled;
286 #else
287 return FALSE;
288 #endif /* HAVE_SELINUX */
289 }
290
291 /**
292 * Do early initialization; determine whether SELinux is enabled.
293 */
294 dbus_bool_t
bus_selinux_pre_init(void)295 bus_selinux_pre_init (void)
296 {
297 #ifdef HAVE_SELINUX
298 int r;
299 _dbus_assert (bus_sid == SECSID_WILD);
300
301 /* Determine if we are running an SELinux kernel. */
302 r = is_selinux_enabled ();
303 if (r < 0)
304 {
305 _dbus_warn ("Could not tell if SELinux is enabled: %s\n",
306 _dbus_strerror (errno));
307 return FALSE;
308 }
309
310 selinux_enabled = r != 0;
311 return TRUE;
312 #else
313 return TRUE;
314 #endif
315 }
316
317 /**
318 * Initialize the user space access vector cache (AVC) for D-Bus and set up
319 * logging callbacks.
320 */
321 dbus_bool_t
bus_selinux_full_init(void)322 bus_selinux_full_init (void)
323 {
324 #ifdef HAVE_SELINUX
325 char *bus_context;
326
327 _dbus_assert (bus_sid == SECSID_WILD);
328
329 if (!selinux_enabled)
330 {
331 _dbus_verbose ("SELinux not enabled in this kernel.\n");
332 return TRUE;
333 }
334
335 _dbus_verbose ("SELinux is enabled in this kernel.\n");
336
337 avc_entry_ref_init (&aeref);
338 if (avc_init ("avc", &mem_cb, &log_cb, &thread_cb, &lock_cb) < 0)
339 {
340 _dbus_warn ("Failed to start Access Vector Cache (AVC).\n");
341 return FALSE;
342 }
343 else
344 {
345 _dbus_verbose ("Access Vector Cache (AVC) started.\n");
346 }
347
348 if (avc_add_callback (policy_reload_callback, AVC_CALLBACK_RESET,
349 NULL, NULL, 0, 0) < 0)
350 {
351 _dbus_warn ("Failed to add policy reload callback: %s\n",
352 _dbus_strerror (errno));
353 avc_destroy ();
354 return FALSE;
355 }
356
357 bus_context = NULL;
358 bus_sid = SECSID_WILD;
359
360 if (getcon (&bus_context) < 0)
361 {
362 _dbus_verbose ("Error getting context of bus: %s\n",
363 _dbus_strerror (errno));
364 return FALSE;
365 }
366
367 if (avc_context_to_sid (bus_context, &bus_sid) < 0)
368 {
369 _dbus_verbose ("Error getting SID from bus context: %s\n",
370 _dbus_strerror (errno));
371 freecon (bus_context);
372 return FALSE;
373 }
374
375 freecon (bus_context);
376
377 #endif /* HAVE_SELINUX */
378 return TRUE;
379 }
380
381 /**
382 * Decrement SID reference count.
383 *
384 * @param sid the SID to decrement
385 */
386 void
bus_selinux_id_unref(BusSELinuxID * sid)387 bus_selinux_id_unref (BusSELinuxID *sid)
388 {
389 #ifdef HAVE_SELINUX
390 if (!selinux_enabled)
391 return;
392
393 _dbus_assert (sid != NULL);
394
395 sidput (SELINUX_SID_FROM_BUS (sid));
396 #endif /* HAVE_SELINUX */
397 }
398
399 void
bus_selinux_id_ref(BusSELinuxID * sid)400 bus_selinux_id_ref (BusSELinuxID *sid)
401 {
402 #ifdef HAVE_SELINUX
403 if (!selinux_enabled)
404 return;
405
406 _dbus_assert (sid != NULL);
407
408 sidget (SELINUX_SID_FROM_BUS (sid));
409 #endif /* HAVE_SELINUX */
410 }
411
412 /**
413 * Determine if the SELinux security policy allows the given sender
414 * security context to go to the given recipient security context.
415 * This function determines if the requested permissions are to be
416 * granted from the connection to the message bus or to another
417 * optionally supplied security identifier (e.g. for a service
418 * context). Currently these permissions are either send_msg or
419 * acquire_svc in the dbus class.
420 *
421 * @param sender_sid source security context
422 * @param override_sid is the target security context. If SECSID_WILD this will
423 * use the context of the bus itself (e.g. the default).
424 * @param target_class is the target security class.
425 * @param requested is the requested permissions.
426 * @returns #TRUE if security policy allows the send.
427 */
428 #ifdef HAVE_SELINUX
429 static dbus_bool_t
bus_selinux_check(BusSELinuxID * sender_sid,BusSELinuxID * override_sid,security_class_t target_class,access_vector_t requested,DBusString * auxdata)430 bus_selinux_check (BusSELinuxID *sender_sid,
431 BusSELinuxID *override_sid,
432 security_class_t target_class,
433 access_vector_t requested,
434 DBusString *auxdata)
435 {
436 if (!selinux_enabled)
437 return TRUE;
438
439 /* Make the security check. AVC checks enforcing mode here as well. */
440 if (avc_has_perm (SELINUX_SID_FROM_BUS (sender_sid),
441 override_sid ?
442 SELINUX_SID_FROM_BUS (override_sid) :
443 SELINUX_SID_FROM_BUS (bus_sid),
444 target_class, requested, &aeref, auxdata) < 0)
445 {
446 switch (errno)
447 {
448 case EACCES:
449 _dbus_verbose ("SELinux denying due to security policy.\n");
450 return FALSE;
451 case EINVAL:
452 _dbus_verbose ("SELinux denying due to invalid security context.\n");
453 return FALSE;
454 default:
455 _dbus_verbose ("SELinux denying due to: %s\n", _dbus_strerror (errno));
456 return FALSE;
457 }
458 }
459 else
460 return TRUE;
461 }
462 #endif /* HAVE_SELINUX */
463
464 /**
465 * Returns true if the given connection can acquire a service,
466 * assuming the given security ID is needed for that service.
467 *
468 * @param connection connection that wants to own the service
469 * @param service_sid the SID of the service from the table
470 * @returns #TRUE if acquire is permitted.
471 */
472 dbus_bool_t
bus_selinux_allows_acquire_service(DBusConnection * connection,BusSELinuxID * service_sid,const char * service_name,DBusError * error)473 bus_selinux_allows_acquire_service (DBusConnection *connection,
474 BusSELinuxID *service_sid,
475 const char *service_name,
476 DBusError *error)
477 {
478 #ifdef HAVE_SELINUX
479 BusSELinuxID *connection_sid;
480 unsigned long spid;
481 DBusString auxdata;
482 dbus_bool_t ret;
483
484 if (!selinux_enabled)
485 return TRUE;
486
487 connection_sid = bus_connection_get_selinux_id (connection);
488 if (!dbus_connection_get_unix_process_id (connection, &spid))
489 spid = 0;
490
491 if (!_dbus_string_init (&auxdata))
492 goto oom;
493
494 if (!_dbus_string_append (&auxdata, "service="))
495 goto oom;
496
497 if (!_dbus_string_append (&auxdata, service_name))
498 goto oom;
499
500 if (spid)
501 {
502 if (!_dbus_string_append (&auxdata, " spid="))
503 goto oom;
504
505 if (!_dbus_string_append_uint (&auxdata, spid))
506 goto oom;
507 }
508
509 ret = bus_selinux_check (connection_sid,
510 service_sid,
511 SECCLASS_DBUS,
512 DBUS__ACQUIRE_SVC,
513 &auxdata);
514
515 _dbus_string_free (&auxdata);
516 return ret;
517
518 oom:
519 _dbus_string_free (&auxdata);
520 BUS_SET_OOM (error);
521 return FALSE;
522
523 #else
524 return TRUE;
525 #endif /* HAVE_SELINUX */
526 }
527
528 /**
529 * Check if SELinux security controls allow the message to be sent to a
530 * particular connection based on the security context of the sender and
531 * that of the receiver. The destination connection need not be the
532 * addressed recipient, it could be an "eavesdropper"
533 *
534 * @param sender the sender of the message.
535 * @param proposed_recipient the connection the message is to be sent to.
536 * @returns whether to allow the send
537 */
538 dbus_bool_t
bus_selinux_allows_send(DBusConnection * sender,DBusConnection * proposed_recipient,const char * msgtype,const char * interface,const char * member,const char * error_name,const char * destination,DBusError * error)539 bus_selinux_allows_send (DBusConnection *sender,
540 DBusConnection *proposed_recipient,
541 const char *msgtype,
542 const char *interface,
543 const char *member,
544 const char *error_name,
545 const char *destination,
546 DBusError *error)
547 {
548 #ifdef HAVE_SELINUX
549 BusSELinuxID *recipient_sid;
550 BusSELinuxID *sender_sid;
551 unsigned long spid, tpid;
552 DBusString auxdata;
553 dbus_bool_t ret;
554 dbus_bool_t string_alloced;
555
556 if (!selinux_enabled)
557 return TRUE;
558
559 if (!sender || !dbus_connection_get_unix_process_id (sender, &spid))
560 spid = 0;
561 if (!proposed_recipient || !dbus_connection_get_unix_process_id (proposed_recipient, &tpid))
562 tpid = 0;
563
564 string_alloced = FALSE;
565 if (!_dbus_string_init (&auxdata))
566 goto oom;
567 string_alloced = TRUE;
568
569 if (!_dbus_string_append (&auxdata, "msgtype="))
570 goto oom;
571
572 if (!_dbus_string_append (&auxdata, msgtype))
573 goto oom;
574
575 if (interface)
576 {
577 if (!_dbus_string_append (&auxdata, " interface="))
578 goto oom;
579 if (!_dbus_string_append (&auxdata, interface))
580 goto oom;
581 }
582
583 if (member)
584 {
585 if (!_dbus_string_append (&auxdata, " member="))
586 goto oom;
587 if (!_dbus_string_append (&auxdata, member))
588 goto oom;
589 }
590
591 if (error_name)
592 {
593 if (!_dbus_string_append (&auxdata, " error_name="))
594 goto oom;
595 if (!_dbus_string_append (&auxdata, error_name))
596 goto oom;
597 }
598
599 if (destination)
600 {
601 if (!_dbus_string_append (&auxdata, " dest="))
602 goto oom;
603 if (!_dbus_string_append (&auxdata, destination))
604 goto oom;
605 }
606
607 if (spid)
608 {
609 if (!_dbus_string_append (&auxdata, " spid="))
610 goto oom;
611
612 if (!_dbus_string_append_uint (&auxdata, spid))
613 goto oom;
614 }
615
616 if (tpid)
617 {
618 if (!_dbus_string_append (&auxdata, " tpid="))
619 goto oom;
620
621 if (!_dbus_string_append_uint (&auxdata, tpid))
622 goto oom;
623 }
624
625 sender_sid = bus_connection_get_selinux_id (sender);
626 /* A NULL proposed_recipient means the bus itself. */
627 if (proposed_recipient)
628 recipient_sid = bus_connection_get_selinux_id (proposed_recipient);
629 else
630 recipient_sid = BUS_SID_FROM_SELINUX (bus_sid);
631
632 ret = bus_selinux_check (sender_sid,
633 recipient_sid,
634 SECCLASS_DBUS,
635 DBUS__SEND_MSG,
636 &auxdata);
637
638 _dbus_string_free (&auxdata);
639
640 return ret;
641
642 oom:
643 if (string_alloced)
644 _dbus_string_free (&auxdata);
645 BUS_SET_OOM (error);
646 return FALSE;
647
648 #else
649 return TRUE;
650 #endif /* HAVE_SELINUX */
651 }
652
653 dbus_bool_t
bus_selinux_append_context(DBusMessage * message,BusSELinuxID * sid,DBusError * error)654 bus_selinux_append_context (DBusMessage *message,
655 BusSELinuxID *sid,
656 DBusError *error)
657 {
658 #ifdef HAVE_SELINUX
659 char *context;
660
661 if (avc_sid_to_context (SELINUX_SID_FROM_BUS (sid), &context) < 0)
662 {
663 if (errno == ENOMEM)
664 BUS_SET_OOM (error);
665 else
666 dbus_set_error (error, DBUS_ERROR_FAILED,
667 "Error getting context from SID: %s\n",
668 _dbus_strerror (errno));
669 return FALSE;
670 }
671 if (!dbus_message_append_args (message,
672 DBUS_TYPE_ARRAY,
673 DBUS_TYPE_BYTE,
674 &context,
675 strlen (context),
676 DBUS_TYPE_INVALID))
677 {
678 _DBUS_SET_OOM (error);
679 return FALSE;
680 }
681 freecon (context);
682 return TRUE;
683 #else
684 return TRUE;
685 #endif
686 }
687
688 /**
689 * Gets the security context of a connection to the bus. It is up to
690 * the caller to freecon() when they are done.
691 *
692 * @param connection the connection to get the context of.
693 * @param con the location to store the security context.
694 * @returns #TRUE if context is successfully obtained.
695 */
696 #ifdef HAVE_SELINUX
697 static dbus_bool_t
bus_connection_read_selinux_context(DBusConnection * connection,char ** con)698 bus_connection_read_selinux_context (DBusConnection *connection,
699 char **con)
700 {
701 int fd;
702
703 if (!selinux_enabled)
704 return FALSE;
705
706 _dbus_assert (connection != NULL);
707
708 if (!dbus_connection_get_unix_fd (connection, &fd))
709 {
710 _dbus_verbose ("Failed to get file descriptor of socket.\n");
711 return FALSE;
712 }
713
714 if (getpeercon (fd, con) < 0)
715 {
716 _dbus_verbose ("Error getting context of socket peer: %s\n",
717 _dbus_strerror (errno));
718 return FALSE;
719 }
720
721 _dbus_verbose ("Successfully read connection context.\n");
722 return TRUE;
723 }
724 #endif /* HAVE_SELINUX */
725
726 /**
727 * Read the SELinux ID from the connection.
728 *
729 * @param connection the connection to read from
730 * @returns the SID if successfully determined, #NULL otherwise.
731 */
732 BusSELinuxID*
bus_selinux_init_connection_id(DBusConnection * connection,DBusError * error)733 bus_selinux_init_connection_id (DBusConnection *connection,
734 DBusError *error)
735 {
736 #ifdef HAVE_SELINUX
737 char *con;
738 security_id_t sid;
739
740 if (!selinux_enabled)
741 return NULL;
742
743 if (!bus_connection_read_selinux_context (connection, &con))
744 {
745 dbus_set_error (error, DBUS_ERROR_FAILED,
746 "Failed to read an SELinux context from connection");
747 _dbus_verbose ("Error getting peer context.\n");
748 return NULL;
749 }
750
751 _dbus_verbose ("Converting context to SID to store on connection\n");
752
753 if (avc_context_to_sid (con, &sid) < 0)
754 {
755 if (errno == ENOMEM)
756 BUS_SET_OOM (error);
757 else
758 dbus_set_error (error, DBUS_ERROR_FAILED,
759 "Error getting SID from context \"%s\": %s\n",
760 con, _dbus_strerror (errno));
761
762 _dbus_warn ("Error getting SID from context \"%s\": %s\n",
763 con, _dbus_strerror (errno));
764
765 freecon (con);
766 return NULL;
767 }
768
769 freecon (con);
770 return BUS_SID_FROM_SELINUX (sid);
771 #else
772 return NULL;
773 #endif /* HAVE_SELINUX */
774 }
775
776
777 /**
778 * Function for freeing hash table data. These SIDs
779 * should no longer be referenced.
780 */
781 static void
bus_selinux_id_table_free_value(BusSELinuxID * sid)782 bus_selinux_id_table_free_value (BusSELinuxID *sid)
783 {
784 #ifdef HAVE_SELINUX
785 /* NULL sometimes due to how DBusHashTable works */
786 if (sid)
787 bus_selinux_id_unref (sid);
788 #endif /* HAVE_SELINUX */
789 }
790
791 /**
792 * Creates a new table mapping service names to security ID.
793 * A security ID is a "compiled" security context, a security
794 * context is just a string.
795 *
796 * @returns the new table or #NULL if no memory
797 */
798 DBusHashTable*
bus_selinux_id_table_new(void)799 bus_selinux_id_table_new (void)
800 {
801 return _dbus_hash_table_new (DBUS_HASH_STRING,
802 (DBusFreeFunction) dbus_free,
803 (DBusFreeFunction) bus_selinux_id_table_free_value);
804 }
805
806 /**
807 * Hashes a service name and service context into the service SID
808 * table as a string and a SID.
809 *
810 * @param service_name is the name of the service.
811 * @param service_context is the context of the service.
812 * @param service_table is the table to hash them into.
813 * @return #FALSE if not enough memory
814 */
815 dbus_bool_t
bus_selinux_id_table_insert(DBusHashTable * service_table,const char * service_name,const char * service_context)816 bus_selinux_id_table_insert (DBusHashTable *service_table,
817 const char *service_name,
818 const char *service_context)
819 {
820 #ifdef HAVE_SELINUX
821 dbus_bool_t retval;
822 security_id_t sid;
823 char *key;
824
825 if (!selinux_enabled)
826 return TRUE;
827
828 sid = SECSID_WILD;
829 retval = FALSE;
830
831 key = _dbus_strdup (service_name);
832 if (key == NULL)
833 return retval;
834
835 if (avc_context_to_sid ((char *) service_context, &sid) < 0)
836 {
837 if (errno == ENOMEM)
838 {
839 dbus_free (key);
840 return FALSE;
841 }
842
843 _dbus_warn ("Error getting SID from context \"%s\": %s\n",
844 (char *) service_context,
845 _dbus_strerror (errno));
846 goto out;
847 }
848
849 if (!_dbus_hash_table_insert_string (service_table,
850 key,
851 BUS_SID_FROM_SELINUX (sid)))
852 goto out;
853
854 _dbus_verbose ("Parsed \tservice: %s \n\t\tcontext: %s\n",
855 key,
856 sid->ctx);
857
858 /* These are owned by the hash, so clear them to avoid unref */
859 key = NULL;
860 sid = SECSID_WILD;
861
862 retval = TRUE;
863
864 out:
865 if (sid != SECSID_WILD)
866 sidput (sid);
867
868 if (key)
869 dbus_free (key);
870
871 return retval;
872 #else
873 return TRUE;
874 #endif /* HAVE_SELINUX */
875 }
876
877
878 /**
879 * Find the security identifier associated with a particular service
880 * name. Return a pointer to this SID, or #NULL/SECSID_WILD if the
881 * service is not found in the hash table. This should be nearly a
882 * constant time operation. If SELinux support is not available,
883 * always return NULL.
884 *
885 * @param service_table the hash table to check for service name.
886 * @param service_name the name of the service to look for.
887 * @returns the SELinux ID associated with the service
888 */
889 BusSELinuxID*
bus_selinux_id_table_lookup(DBusHashTable * service_table,const DBusString * service_name)890 bus_selinux_id_table_lookup (DBusHashTable *service_table,
891 const DBusString *service_name)
892 {
893 #ifdef HAVE_SELINUX
894 security_id_t sid;
895
896 sid = SECSID_WILD; /* default context */
897
898 if (!selinux_enabled)
899 return NULL;
900
901 _dbus_verbose ("Looking up service SID for %s\n",
902 _dbus_string_get_const_data (service_name));
903
904 sid = _dbus_hash_table_lookup_string (service_table,
905 _dbus_string_get_const_data (service_name));
906
907 if (sid == SECSID_WILD)
908 _dbus_verbose ("Service %s not found\n",
909 _dbus_string_get_const_data (service_name));
910 else
911 _dbus_verbose ("Service %s found\n",
912 _dbus_string_get_const_data (service_name));
913
914 return BUS_SID_FROM_SELINUX (sid);
915 #endif /* HAVE_SELINUX */
916 return NULL;
917 }
918
919 /**
920 * Get the SELinux policy root. This is used to find the D-Bus
921 * specific config file within the policy.
922 */
923 const char *
bus_selinux_get_policy_root(void)924 bus_selinux_get_policy_root (void)
925 {
926 #ifdef HAVE_SELINUX
927 return selinux_policy_root ();
928 #else
929 return NULL;
930 #endif /* HAVE_SELINUX */
931 }
932
933 /**
934 * For debugging: Print out the current hash table of service SIDs.
935 */
936 void
bus_selinux_id_table_print(DBusHashTable * service_table)937 bus_selinux_id_table_print (DBusHashTable *service_table)
938 {
939 #ifdef DBUS_ENABLE_VERBOSE_MODE
940 #ifdef HAVE_SELINUX
941 DBusHashIter iter;
942
943 if (!selinux_enabled)
944 return;
945
946 _dbus_verbose ("Service SID Table:\n");
947 _dbus_hash_iter_init (service_table, &iter);
948 while (_dbus_hash_iter_next (&iter))
949 {
950 const char *key = _dbus_hash_iter_get_string_key (&iter);
951 security_id_t sid = _dbus_hash_iter_get_value (&iter);
952 _dbus_verbose ("The key is %s\n", key);
953 _dbus_verbose ("The context is %s\n", sid->ctx);
954 _dbus_verbose ("The refcount is %d\n", sid->refcnt);
955 }
956 #endif /* HAVE_SELINUX */
957 #endif /* DBUS_ENABLE_VERBOSE_MODE */
958 }
959
960
961 #ifdef DBUS_ENABLE_VERBOSE_MODE
962 #ifdef HAVE_SELINUX
963 /**
964 * Print out some AVC statistics.
965 */
966 static void
bus_avc_print_stats(void)967 bus_avc_print_stats (void)
968 {
969 struct avc_cache_stats cstats;
970
971 if (!selinux_enabled)
972 return;
973
974 _dbus_verbose ("AVC Statistics:\n");
975 avc_cache_stats (&cstats);
976 avc_av_stats ();
977 _dbus_verbose ("AVC Cache Statistics:\n");
978 _dbus_verbose ("Entry lookups: %d\n", cstats.entry_lookups);
979 _dbus_verbose ("Entry hits: %d\n", cstats.entry_hits);
980 _dbus_verbose ("Entry misses %d\n", cstats.entry_misses);
981 _dbus_verbose ("Entry discards: %d\n", cstats.entry_discards);
982 _dbus_verbose ("CAV lookups: %d\n", cstats.cav_lookups);
983 _dbus_verbose ("CAV hits: %d\n", cstats.cav_hits);
984 _dbus_verbose ("CAV probes: %d\n", cstats.cav_probes);
985 _dbus_verbose ("CAV misses: %d\n", cstats.cav_misses);
986 }
987 #endif /* HAVE_SELINUX */
988 #endif /* DBUS_ENABLE_VERBOSE_MODE */
989
990
991 /**
992 * Destroy the AVC before we terminate.
993 */
994 void
bus_selinux_shutdown(void)995 bus_selinux_shutdown (void)
996 {
997 #ifdef HAVE_SELINUX
998 if (!selinux_enabled)
999 return;
1000
1001 _dbus_verbose ("AVC shutdown\n");
1002
1003 if (bus_sid != SECSID_WILD)
1004 {
1005 sidput (bus_sid);
1006 bus_sid = SECSID_WILD;
1007
1008 #ifdef DBUS_ENABLE_VERBOSE_MODE
1009
1010 if (_dbus_is_verbose())
1011 bus_avc_print_stats ();
1012
1013 #endif /* DBUS_ENABLE_VERBOSE_MODE */
1014
1015 avc_destroy ();
1016 #ifdef HAVE_LIBAUDIT
1017 audit_close (audit_fd);
1018 #endif /* HAVE_LIBAUDIT */
1019 }
1020 #endif /* HAVE_SELINUX */
1021 }
1022
1023 /* The !HAVE_LIBAUDIT case lives in dbus-sysdeps-util-unix.c */
1024 #ifdef HAVE_LIBAUDIT
1025 /**
1026 * Changes the user and group the bus is running as.
1027 *
1028 * @param user the user to become
1029 * @param error return location for errors
1030 * @returns #FALSE on failure
1031 */
1032 dbus_bool_t
_dbus_change_to_daemon_user(const char * user,DBusError * error)1033 _dbus_change_to_daemon_user (const char *user,
1034 DBusError *error)
1035 {
1036 dbus_uid_t uid;
1037 dbus_gid_t gid;
1038 DBusString u;
1039
1040 _dbus_string_init_const (&u, user);
1041
1042 if (!_dbus_get_user_id_and_primary_group (&u, &uid, &gid))
1043 {
1044 dbus_set_error (error, DBUS_ERROR_FAILED,
1045 "User '%s' does not appear to exist?",
1046 user);
1047 return FALSE;
1048 }
1049
1050 /* If we were root */
1051 if (_dbus_geteuid () == 0)
1052 {
1053 int rc;
1054
1055 capng_clear (CAPNG_SELECT_BOTH);
1056 capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
1057 CAP_AUDIT_WRITE);
1058 rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);
1059 if (rc)
1060 {
1061 switch (rc) {
1062 default:
1063 dbus_set_error (error, DBUS_ERROR_FAILED,
1064 "Failed to drop capabilities: %s\n",
1065 _dbus_strerror (errno));
1066 break;
1067 case -4:
1068 dbus_set_error (error, _dbus_error_from_errno (errno),
1069 "Failed to set GID to %lu: %s", gid,
1070 _dbus_strerror (errno));
1071 break;
1072 case -5:
1073 _dbus_warn ("Failed to drop supplementary groups: %s\n",
1074 _dbus_strerror (errno));
1075 break;
1076 case -6:
1077 dbus_set_error (error, _dbus_error_from_errno (errno),
1078 "Failed to set UID to %lu: %s", uid,
1079 _dbus_strerror (errno));
1080 break;
1081 case -7:
1082 dbus_set_error (error, _dbus_error_from_errno (errno),
1083 "Failed to unset keep-capabilities: %s\n",
1084 _dbus_strerror (errno));
1085 break;
1086 }
1087 return FALSE;
1088 }
1089 }
1090
1091 return TRUE;
1092 }
1093 #endif
1094