MIRRORS/poky
1
0
Fork 0
mirror of git://git.yoctoproject.org/poky.git synced 2025-07-19 21:09:03 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

dbus_%.bbappend: stop using selinux_set_mapping

Browse Source 
https://gitlab.freedesktop.org/dbus/dbus/-/issues/198
6072f8b241

Currently, if the "dbus" security class or the associated AV doesn't
exist, dbus-daemon fails to initialize and exits immediately. Also the
security classes or access vector cannot be reordered in the policy.
This can be a problem for people developing their own policy or trying
to access a machine where, for some reasons, there is not policy defined
at all.

The code here copy the behaviour of the selinux_check_access() function.
We cannot use this function here as it doesn't allow us to define the
AVC entry reference.

See the discussion at https://marc.info/?l=selinux&m=152163374332372&w=2

(From OE-Core rev: 0441b53d55a919b5ac42e997f4092053b017b553)

Signed-off-by: Nisha Parrakat <nishaparrakat@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Nisha Parrakat 2021-08-13 07:22:02 +00:00 committed by Richard Purdie
parent ddd4b8c9a1
commit 8ff845c9ba
2 changed files with 149 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
meta/recipes-core/dbus/dbus.inc
View File

@ -8,6 +8,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
file://tmpdir.patch \
file://dbus-1.init \
file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
file://stop_using_selinux_set_mapping.patch \
"
SRC_URI[md5sum] = "dfe8a71f412e0b53be26ed4fbfdc91c4"

148
meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch Normal file
View File

@ -0,0 +1,148 @@
From 6072f8b24153d844a3033108a17bcd0c1a967816 Mon Sep 17 00:00:00 2001
From: Laurent Bigonville <bigon@bigon.be>
Date: Sat, 3 Mar 2018 11:15:23 +0100
Subject: [PATCH] Stop using selinux_set_mapping() function
Currently, if the "dbus" security class or the associated AV doesn't
exist, dbus-daemon fails to initialize and exits immediately. Also the
security classes or access vector cannot be reordered in the policy.
This can be a problem for people developing their own policy or trying
to access a machine where, for some reasons, there is not policy defined
at all.
The code here copy the behaviour of the selinux_check_access() function.
We cannot use this function here as it doesn't allow us to define the
AVC entry reference.
See the discussion at https://marc.info/?l=selinux&m=152163374332372&w=2
Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/198
---
bus/selinux.c | 75 ++++++++++++++++++++++++++++-----------------------
1 file changed, 42 insertions(+), 33 deletions(-)
Upstream-Status: Backport
Signed-off-by: Nisha.Parrakat <Nisha.Parrakat@kpit.com>
diff --git a/bus/selinux.c b/bus/selinux.c
--- a/bus/selinux.c 2021-08-11 14:45:59.048513026 +0000
+++ b/bus/selinux.c 2021-08-11 14:57:47.144846966 +0000
@@ -311,24 +311,6 @@
#endif
}
-/*
- * Private Flask definitions; the order of these constants must
- * exactly match that of the structure array below!
- */
-/* security dbus class constants */
-#define SECCLASS_DBUS 1
-
-/* dbus's per access vector constants */
-#define DBUS__ACQUIRE_SVC 1
-#define DBUS__SEND_MSG 2
-
-#ifdef HAVE_SELINUX
-static struct security_class_mapping dbus_map[] = {
- { "dbus", { "acquire_svc", "send_msg", NULL } },
- { NULL }
-};
-#endif /* HAVE_SELINUX */
-
/**
* Establish dynamic object class and permission mapping and
* initialize the user space access vector cache (AVC) for D-Bus and set up
@@ -350,13 +332,6 @@
_dbus_verbose ("SELinux is enabled in this kernel.\n");
- if (selinux_set_mapping (dbus_map) < 0)
- {
- _dbus_warn ("Failed to set up security class mapping (selinux_set_mapping():%s).",
- strerror (errno));
- return FALSE;
- }
-
avc_entry_ref_init (&aeref);
if (avc_init ("avc", &mem_cb, &log_cb, &thread_cb, &lock_cb) < 0)
{
@@ -421,19 +396,53 @@
static dbus_bool_t
bus_selinux_check (BusSELinuxID *sender_sid,
BusSELinuxID *override_sid,
- security_class_t target_class,
- access_vector_t requested,
+ const char *target_class,
+ const char *requested,
DBusString *auxdata)
{
+ int saved_errno;
+ security_class_t security_class;
+ access_vector_t requested_access;
+
if (!selinux_enabled)
return TRUE;
+ security_class = string_to_security_class (target_class);
+ if (security_class == 0)
+ {
+ saved_errno = errno;
+ log_callback (SELINUX_ERROR, "Unknown class %s", target_class);
+ if (security_deny_unknown () == 0)
+ {
+ return TRUE;
+ }
+
+ _dbus_verbose ("Unknown class %s\n", target_class);
+ errno = saved_errno;
+ return FALSE;
+ }
+
+ requested_access = string_to_av_perm (security_class, requested);
+ if (requested_access == 0)
+ {
+ saved_errno = errno;
+ log_callback (SELINUX_ERROR, "Unknown permission %s for class %s", requested, target_class);
+ if (security_deny_unknown () == 0)
+ {
+ return TRUE;
+ }
+
+ _dbus_verbose ("Unknown permission %s for class %s\n", requested, target_class);
+ errno = saved_errno;
+ return FALSE;
+ }
+
/* Make the security check. AVC checks enforcing mode here as well. */
if (avc_has_perm (SELINUX_SID_FROM_BUS (sender_sid),
override_sid ?
SELINUX_SID_FROM_BUS (override_sid) :
bus_sid,
- target_class, requested, &aeref, auxdata) < 0)
+ security_class, requested_access, &aeref, auxdata) < 0)
{
switch (errno)
{
@@ -500,8 +509,8 @@
ret = bus_selinux_check (connection_sid,
service_sid,
- SECCLASS_DBUS,
- DBUS__ACQUIRE_SVC,
+ "dbus",
+ "acquire_svc",
&auxdata);
_dbus_string_free (&auxdata);
@@ -629,8 +638,8 @@
ret = bus_selinux_check (sender_sid,
recipient_sid,
- SECCLASS_DBUS,
- DBUS__SEND_MSG,
+ "dbus",
+ "send_msg",
&auxdata);
_dbus_string_free (&auxdata);