authorLaurent Bigonville <bigon@bigon.be>2017-06-06 16:06:11 +0200
committerSimon McVittie <smcv@collabora.com>2017-06-12 11:56:13 +0100
commitdcf02f80656da21db501b8c9605ad9c67d7c4dc9 (patch)
tree7ba9c8ebbd935b9070e474d954af6447c9a8667f /bus
parent0203c48d5243a0cdc2c438b32fd9d9ad4d96f71a (diff)
Return the dbus-daemon SELinux context when asking about org.freedesktop.DBus
Currently, when asked for the SELinux context of the owner of org.freedesktop.DBus, the dbus-daemon returns an error. In the same situation, when asked about the Unix user or the PID, the daemon returns its own user or pid. Do the same for the SELinux context by returning the daemon's own context. In particular this avoids an issue seen with systemd --user, where dbus-daemon responds to UpdateActivationEnvironment() by passing on the new environment to systemd with o.fd.systemd1.Manager.SetEnvironment(), but systemd cannot get the caller's SELinux context and so rejects the SetEnvironment() call. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101315 [smcv: Extend commit message to describe the symptom this fixes] Reviewed-by: Simon McVittie <smcv@collabora.com>
Diffstat (limited to 'bus')
-rw-r--r--bus/driver.c5
-rw-r--r--bus/selinux.c13
-rw-r--r--bus/selinux.h2
3 files changed, 18 insertions, 2 deletions
diff --git a/bus/driver.c b/bus/driver.c
index 5ecfc7766..d3ad878f0 100644
--- a/bus/driver.c
+++ b/bus/driver.c
@@ -1854,8 +1854,9 @@ bus_driver_handle_get_connection_selinux_security_context (DBusConnection *conne
if (reply == NULL)
goto oom;
- /* FIXME: Obtain the SELinux security context for the bus daemon itself */
- if (found == BUS_DRIVER_FOUND_PEER)
+ if (found == BUS_DRIVER_FOUND_SELF)
+ context = bus_selinux_get_self ();
+ else if (found == BUS_DRIVER_FOUND_PEER)
context = bus_connection_get_selinux_id (conn);
else
context = NULL;
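Review bot: The new `BUS_DRIVER_FOUND_SELF` branch can still leave `context` NULL, because `bus_selinux_get_self ()` (added in bus/selinux.c by this commit) returns NULL when SELinux is disabled or not compiled in, and with the FIXME removed nothing here records that. The handling of a NULL context lies after the end of this hunk, so presumably the daemon still answers with an error in that case, unlike the Unix user and PID queries described in the commit message. A short comment above the branch would make this explicit, for example `/* may be NULL when SELinux is disabled; the NULL case is handled below */`. The enclosing function starts and ends outside the hunk.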
diff --git a/bus/selinux.c b/bus/selinux.c
index cc1114672..d09afb4b3 100644
--- a/bus/selinux.c
+++ b/bus/selinux.c
@@ -272,6 +272,19 @@ bus_selinux_enabled (void)
#endif /* HAVE_SELINUX */
}
+BusSELinuxID*
+bus_selinux_get_self (void)
+{
+#ifdef HAVE_SELINUX
+ if(bus_selinux_enabled ())
+ return BUS_SID_FROM_SELINUX (bus_sid);
+ else
+ return NULL;
+#else
+ return NULL;
+#endif /* HAVE_SELINUX */
+}
+
/**
* Do early initialization; determine whether SELinux is enabled.
*/
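Review bot: `bus_selinux_get_self` is added without a doc comment, although the function that follows it in this hunk has one, and its NULL return is part of the contract that the new caller in bus/driver.c depends on when answering a security-context query. I would add `/** Return the SELinux ID of the bus daemon itself, or NULL if SELinux is disabled or not compiled in. */` above the definition. Whether the caller borrows the returned ID or receives its own reference is not visible here and should be stated in the same comment. As a style point, `if(bus_selinux_enabled ())` should read `if (bus_selinux_enabled ())` to match the spacing used in bus/driver.c.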
diff --git a/bus/selinux.h b/bus/selinux.h
index 8c7cb0a31..a0383cddb 100644
--- a/bus/selinux.h
+++ b/bus/selinux.h
@@ -33,6 +33,8 @@ void bus_selinux_shutdown (void);
dbus_bool_t bus_selinux_enabled (void);
+BusSELinuxID *bus_selinux_get_self (void);
+
DBusHashTable* bus_selinux_id_table_new (void);
BusSELinuxID* bus_selinux_id_table_lookup (DBusHashTable *service_table,
const DBusString *service_name);