1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/os/ossrv/ofdbus/dbus/bus/selinux.c Fri Jun 15 03:10:57 2012 +0200
1.3 @@ -0,0 +1,943 @@
1.4 +/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*-
1.5 + * Portion Copyright © 2008 Nokia Corporation and/or its subsidiary(-ies). All rights reserved.
1.6 + * selinux.c SELinux security checks for D-Bus
1.7 + *
1.8 + * Author: Matthew Rickard <mjricka@epoch.ncsc.mil>
1.9 + *
1.10 + * Licensed under the Academic Free License version 2.1
1.11 + *
1.12 + * This program is free software; you can redistribute it and/or modify
1.13 + * it under the terms of the GNU General Public License as published by
1.14 + * the Free Software Foundation; either version 2 of the License, or
1.15 + * (at your option) any later version.
1.16 + *
1.17 + * This program is distributed in the hope that it will be useful,
1.18 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
1.19 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1.20 + * GNU General Public License for more details.
1.21 + *
1.22 + * You should have received a copy of the GNU General Public License
1.23 + * along with this program; if not, write to the Free Software
1.24 + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
1.25 + *
1.26 + */
1.27 +#ifndef __SYMBIAN32__
1.28 +#include <dbus/dbus-internals.h>
1.29 +#include <dbus/dbus-string.h>
1.30 +#else
1.31 +#include "dbus-internals.h"
1.32 +#include "dbus-string.h"
1.33 +#endif //__SYMBIAN32__
1.34 +#include "selinux.h"
1.35 +#include "services.h"
1.36 +#include "policy.h"
1.37 +#include "utils.h"
1.38 +#include "config-parser.h"
1.39 +
1.40 +#ifdef HAVE_SELINUX
1.41 +#include <errno.h>
1.42 +#include <pthread.h>
1.43 +#include <syslog.h>
1.44 +#include <selinux/selinux.h>
1.45 +#include <selinux/avc.h>
1.46 +#include <selinux/av_permissions.h>
1.47 +#include <selinux/flask.h>
1.48 +#include <signal.h>
1.49 +#include <stdarg.h>
1.50 +#endif /* HAVE_SELINUX */
1.51 +
1.52 +#define BUS_SID_FROM_SELINUX(sid) ((BusSELinuxID*) (sid))
1.53 +#define SELINUX_SID_FROM_BUS(sid) ((security_id_t) (sid))
1.54 +
1.55 +#ifdef HAVE_SELINUX
1.56 +/* Store the value telling us if SELinux is enabled in the kernel. */
1.57 +static dbus_bool_t selinux_enabled = FALSE;
1.58 +
1.59 +/* Store an avc_entry_ref to speed AVC decisions. */
1.60 +static struct avc_entry_ref aeref;
1.61 +
1.62 +/* Store the SID of the bus itself to use as the default. */
1.63 +static security_id_t bus_sid = SECSID_WILD;
1.64 +
1.65 +/* Thread to listen for SELinux status changes via netlink. */
1.66 +static pthread_t avc_notify_thread;
1.67 +
1.68 +/* Prototypes for AVC callback functions. */
1.69 +static void log_callback (const char *fmt, ...);
1.70 +static void log_audit_callback (void *data, security_class_t class, char *buf, size_t bufleft);
1.71 +static void *avc_create_thread (void (*run) (void));
1.72 +static void avc_stop_thread (void *thread);
1.73 +static void *avc_alloc_lock (void);
1.74 +static void avc_get_lock (void *lock);
1.75 +static void avc_release_lock (void *lock);
1.76 +static void avc_free_lock (void *lock);
1.77 +
1.78 +/* AVC callback structures for use in avc_init. */
1.79 +static const struct avc_memory_callback mem_cb =
1.80 +{
1.81 + .func_malloc = dbus_malloc,
1.82 + .func_free = dbus_free
1.83 +};
1.84 +static const struct avc_log_callback log_cb =
1.85 +{
1.86 + .func_log = log_callback,
1.87 + .func_audit = log_audit_callback
1.88 +};
1.89 +static const struct avc_thread_callback thread_cb =
1.90 +{
1.91 + .func_create_thread = avc_create_thread,
1.92 + .func_stop_thread = avc_stop_thread
1.93 +};
1.94 +static const struct avc_lock_callback lock_cb =
1.95 +{
1.96 + .func_alloc_lock = avc_alloc_lock,
1.97 + .func_get_lock = avc_get_lock,
1.98 + .func_release_lock = avc_release_lock,
1.99 + .func_free_lock = avc_free_lock
1.100 +};
1.101 +#endif /* HAVE_SELINUX */
1.102 +
1.103 +/**
1.104 + * Log callback to log denial messages from the AVC.
1.105 + * This is used in avc_init. Logs to both standard
1.106 + * error and syslogd.
1.107 + *
1.108 + * @param fmt the format string
1.109 + * @param variable argument list
1.110 + */
1.111 +#ifdef HAVE_SELINUX
1.112 +static void
1.113 +log_callback (const char *fmt, ...)
1.114 +{
1.115 + va_list ap;
1.116 + va_start(ap, fmt);
1.117 + vsyslog (LOG_INFO, fmt, ap);
1.118 + va_end(ap);
1.119 +}
1.120 +
1.121 +/**
1.122 + * On a policy reload we need to reparse the SELinux configuration file, since
1.123 + * this could have changed. Send a SIGHUP to reload all configs.
1.124 + */
1.125 +static int
1.126 +policy_reload_callback (u_int32_t event, security_id_t ssid,
1.127 + security_id_t tsid, security_class_t tclass,
1.128 + access_vector_t perms, access_vector_t *out_retained)
1.129 +{
1.130 + if (event == AVC_CALLBACK_RESET)
1.131 + return raise (SIGHUP);
1.132 +
1.133 + return 0;
1.134 +}
1.135 +
1.136 +/**
1.137 + * Log any auxiliary data
1.138 + */
1.139 +static void
1.140 +log_audit_callback (void *data, security_class_t class, char *buf, size_t bufleft)
1.141 +{
1.142 + DBusString *audmsg = data;
1.143 + _dbus_string_copy_to_buffer (audmsg, buf, bufleft);
1.144 +}
1.145 +
1.146 +/**
1.147 + * Create thread to notify the AVC of enforcing and policy reload
1.148 + * changes via netlink.
1.149 + *
1.150 + * @param run the thread run function
1.151 + * @return pointer to the thread
1.152 + */
1.153 +static void *
1.154 +avc_create_thread (void (*run) (void))
1.155 +{
1.156 + int rc;
1.157 +
1.158 + rc = pthread_create (&avc_notify_thread, NULL, (void *(*) (void *)) run, NULL);
1.159 + if (rc != 0)
1.160 + {
1.161 + _dbus_warn ("Failed to start AVC thread: %s\n", _dbus_strerror (rc));
1.162 + exit (1);
1.163 + }
1.164 + return &avc_notify_thread;
1.165 +}
1.166 +
1.167 +/* Stop AVC netlink thread. */
1.168 +static void
1.169 +avc_stop_thread (void *thread)
1.170 +{
1.171 + pthread_cancel (*(pthread_t *) thread);
1.172 +}
1.173 +
1.174 +/* Allocate a new AVC lock. */
1.175 +static void *
1.176 +avc_alloc_lock (void)
1.177 +{
1.178 + pthread_mutex_t *avc_mutex;
1.179 +
1.180 + avc_mutex = dbus_new (pthread_mutex_t, 1);
1.181 + if (avc_mutex == NULL)
1.182 + {
1.183 + _dbus_warn ("Could not create mutex: %s\n", _dbus_strerror (errno));
1.184 + exit (1);
1.185 + }
1.186 + pthread_mutex_init (avc_mutex, NULL);
1.187 +
1.188 + return avc_mutex;
1.189 +}
1.190 +
1.191 +/* Acquire an AVC lock. */
1.192 +static void
1.193 +avc_get_lock (void *lock)
1.194 +{
1.195 + pthread_mutex_lock (lock);
1.196 +}
1.197 +
1.198 +/* Release an AVC lock. */
1.199 +static void
1.200 +avc_release_lock (void *lock)
1.201 +{
1.202 + pthread_mutex_unlock (lock);
1.203 +}
1.204 +
1.205 +/* Free an AVC lock. */
1.206 +static void
1.207 +avc_free_lock (void *lock)
1.208 +{
1.209 + pthread_mutex_destroy (lock);
1.210 + dbus_free (lock);
1.211 +}
1.212 +#endif /* HAVE_SELINUX */
1.213 +
1.214 +/**
1.215 + * Return whether or not SELinux is enabled; must be
1.216 + * called after bus_selinux_init.
1.217 + */
1.218 +dbus_bool_t
1.219 +bus_selinux_enabled (void)
1.220 +{
1.221 +#ifdef HAVE_SELINUX
1.222 + return selinux_enabled;
1.223 +#else
1.224 + return FALSE;
1.225 +#endif /* HAVE_SELINUX */
1.226 +}
1.227 +
1.228 +/**
1.229 + * Do early initialization; determine whether SELinux is enabled.
1.230 + */
1.231 +dbus_bool_t
1.232 +bus_selinux_pre_init (void)
1.233 +{
1.234 +#ifdef HAVE_SELINUX
1.235 + int r;
1.236 + _dbus_assert (bus_sid == SECSID_WILD);
1.237 +
1.238 + /* Determine if we are running an SELinux kernel. */
1.239 + r = is_selinux_enabled ();
1.240 + if (r < 0)
1.241 + {
1.242 + _dbus_warn ("Could not tell if SELinux is enabled: %s\n",
1.243 + _dbus_strerror (errno));
1.244 + return FALSE;
1.245 + }
1.246 +
1.247 + selinux_enabled = r != 0;
1.248 + return TRUE;
1.249 +#else
1.250 + return TRUE;
1.251 +#endif
1.252 +}
1.253 +
1.254 +/**
1.255 + * Initialize the user space access vector cache (AVC) for D-Bus and set up
1.256 + * logging callbacks.
1.257 + */
1.258 +dbus_bool_t
1.259 +bus_selinux_full_init (void)
1.260 +{
1.261 +#ifdef HAVE_SELINUX
1.262 + char *bus_context;
1.263 +
1.264 + _dbus_assert (bus_sid == SECSID_WILD);
1.265 +
1.266 + if (!selinux_enabled)
1.267 + {
1.268 + _dbus_verbose ("SELinux not enabled in this kernel.\n");
1.269 + return TRUE;
1.270 + }
1.271 +
1.272 + _dbus_verbose ("SELinux is enabled in this kernel.\n");
1.273 +
1.274 + avc_entry_ref_init (&aeref);
1.275 + if (avc_init ("avc", &mem_cb, &log_cb, &thread_cb, &lock_cb) < 0)
1.276 + {
1.277 + _dbus_warn ("Failed to start Access Vector Cache (AVC).\n");
1.278 + return FALSE;
1.279 + }
1.280 + else
1.281 + {
1.282 + openlog ("dbus", LOG_PERROR, LOG_USER);
1.283 + _dbus_verbose ("Access Vector Cache (AVC) started.\n");
1.284 + }
1.285 +
1.286 + if (avc_add_callback (policy_reload_callback, AVC_CALLBACK_RESET,
1.287 + NULL, NULL, 0, 0) < 0)
1.288 + {
1.289 + _dbus_warn ("Failed to add policy reload callback: %s\n",
1.290 + _dbus_strerror (errno));
1.291 + avc_destroy ();
1.292 + return FALSE;
1.293 + }
1.294 +
1.295 + bus_context = NULL;
1.296 + bus_sid = SECSID_WILD;
1.297 +
1.298 + if (getcon (&bus_context) < 0)
1.299 + {
1.300 + _dbus_verbose ("Error getting context of bus: %s\n",
1.301 + _dbus_strerror (errno));
1.302 + return FALSE;
1.303 + }
1.304 +
1.305 + if (avc_context_to_sid (bus_context, &bus_sid) < 0)
1.306 + {
1.307 + _dbus_verbose ("Error getting SID from bus context: %s\n",
1.308 + _dbus_strerror (errno));
1.309 + freecon (bus_context);
1.310 + return FALSE;
1.311 + }
1.312 +
1.313 + freecon (bus_context);
1.314 +
1.315 + return TRUE;
1.316 +#else
1.317 + return TRUE;
1.318 +#endif /* HAVE_SELINUX */
1.319 +}
1.320 +
1.321 +/**
1.322 + * Decrement SID reference count.
1.323 + *
1.324 + * @param sid the SID to decrement
1.325 + */
1.326 +void
1.327 +bus_selinux_id_unref (BusSELinuxID *sid)
1.328 +{
1.329 +#ifdef HAVE_SELINUX
1.330 + if (!selinux_enabled)
1.331 + return;
1.332 +
1.333 + _dbus_assert (sid != NULL);
1.334 +
1.335 + sidput (SELINUX_SID_FROM_BUS (sid));
1.336 +#endif /* HAVE_SELINUX */
1.337 +}
1.338 +
1.339 +void
1.340 +bus_selinux_id_ref (BusSELinuxID *sid)
1.341 +{
1.342 +#ifdef HAVE_SELINUX
1.343 + if (!selinux_enabled)
1.344 + return;
1.345 +
1.346 + _dbus_assert (sid != NULL);
1.347 +
1.348 + sidget (SELINUX_SID_FROM_BUS (sid));
1.349 +#endif /* HAVE_SELINUX */
1.350 +}
1.351 +
1.352 +/**
1.353 + * Determine if the SELinux security policy allows the given sender
1.354 + * security context to go to the given recipient security context.
1.355 + * This function determines if the requested permissions are to be
1.356 + * granted from the connection to the message bus or to another
1.357 + * optionally supplied security identifier (e.g. for a service
1.358 + * context). Currently these permissions are either send_msg or
1.359 + * acquire_svc in the dbus class.
1.360 + *
1.361 + * @param sender_sid source security context
1.362 + * @param override_sid is the target security context. If SECSID_WILD this will
1.363 + * use the context of the bus itself (e.g. the default).
1.364 + * @param target_class is the target security class.
1.365 + * @param requested is the requested permissions.
1.366 + * @returns #TRUE if security policy allows the send.
1.367 + */
1.368 +#ifdef HAVE_SELINUX
1.369 +static dbus_bool_t
1.370 +bus_selinux_check (BusSELinuxID *sender_sid,
1.371 + BusSELinuxID *override_sid,
1.372 + security_class_t target_class,
1.373 + access_vector_t requested,
1.374 + DBusString *auxdata)
1.375 +{
1.376 + if (!selinux_enabled)
1.377 + return TRUE;
1.378 +
1.379 + /* Make the security check. AVC checks enforcing mode here as well. */
1.380 + if (avc_has_perm (SELINUX_SID_FROM_BUS (sender_sid),
1.381 + override_sid ?
1.382 + SELINUX_SID_FROM_BUS (override_sid) :
1.383 + SELINUX_SID_FROM_BUS (bus_sid),
1.384 + target_class, requested, &aeref, auxdata) < 0)
1.385 + {
1.386 + _dbus_verbose ("SELinux denying due to security policy.\n");
1.387 + return FALSE;
1.388 + }
1.389 + else
1.390 + return TRUE;
1.391 +}
1.392 +#endif /* HAVE_SELINUX */
1.393 +
1.394 +/**
1.395 + * Returns true if the given connection can acquire a service,
1.396 + * assuming the given security ID is needed for that service.
1.397 + *
1.398 + * @param connection connection that wants to own the service
1.399 + * @param service_sid the SID of the service from the table
1.400 + * @returns #TRUE if acquire is permitted.
1.401 + */
1.402 +dbus_bool_t
1.403 +bus_selinux_allows_acquire_service (DBusConnection *connection,
1.404 + BusSELinuxID *service_sid,
1.405 + const char *service_name,
1.406 + DBusError *error)
1.407 +{
1.408 +#ifdef HAVE_SELINUX
1.409 + BusSELinuxID *connection_sid;
1.410 + unsigned long spid;
1.411 + DBusString auxdata;
1.412 + dbus_bool_t ret;
1.413 +
1.414 + if (!selinux_enabled)
1.415 + return TRUE;
1.416 +
1.417 + connection_sid = bus_connection_get_selinux_id (connection);
1.418 + if (!dbus_connection_get_unix_process_id (connection, &spid))
1.419 + spid = 0;
1.420 +
1.421 + if (!_dbus_string_init (&auxdata))
1.422 + goto oom;
1.423 +
1.424 + if (!_dbus_string_append (&auxdata, "service="))
1.425 + goto oom;
1.426 +
1.427 + if (!_dbus_string_append (&auxdata, service_name))
1.428 + goto oom;
1.429 +
1.430 + if (spid)
1.431 + {
1.432 + if (!_dbus_string_append (&auxdata, " spid="))
1.433 + goto oom;
1.434 +
1.435 + if (!_dbus_string_append_uint (&auxdata, spid))
1.436 + goto oom;
1.437 + }
1.438 +
1.439 + ret = bus_selinux_check (connection_sid,
1.440 + service_sid,
1.441 + SECCLASS_DBUS,
1.442 + DBUS__ACQUIRE_SVC,
1.443 + &auxdata);
1.444 +
1.445 + _dbus_string_free (&auxdata);
1.446 + return ret;
1.447 +
1.448 + oom:
1.449 + _dbus_string_free (&auxdata);
1.450 + BUS_SET_OOM (error);
1.451 + return FALSE;
1.452 +
1.453 +#else
1.454 + return TRUE;
1.455 +#endif /* HAVE_SELINUX */
1.456 +}
1.457 +
1.458 +/**
1.459 + * Check if SELinux security controls allow the message to be sent to a
1.460 + * particular connection based on the security context of the sender and
1.461 + * that of the receiver. The destination connection need not be the
1.462 + * addressed recipient, it could be an "eavesdropper"
1.463 + *
1.464 + * @param sender the sender of the message.
1.465 + * @param proposed_recipient the connection the message is to be sent to.
1.466 + * @returns whether to allow the send
1.467 + */
1.468 +dbus_bool_t
1.469 +bus_selinux_allows_send (DBusConnection *sender,
1.470 + DBusConnection *proposed_recipient,
1.471 + const char *msgtype,
1.472 + const char *interface,
1.473 + const char *member,
1.474 + const char *error_name,
1.475 + const char *destination,
1.476 + DBusError *error)
1.477 +{
1.478 +#ifdef HAVE_SELINUX
1.479 + BusSELinuxID *recipient_sid;
1.480 + BusSELinuxID *sender_sid;
1.481 + unsigned long spid, tpid;
1.482 + DBusString auxdata;
1.483 + dbus_bool_t ret;
1.484 + dbus_bool_t string_alloced;
1.485 +
1.486 + if (!selinux_enabled)
1.487 + return TRUE;
1.488 +
1.489 + if (!sender || !dbus_connection_get_unix_process_id (sender, &spid))
1.490 + spid = 0;
1.491 + if (!proposed_recipient || !dbus_connection_get_unix_process_id (proposed_recipient, &tpid))
1.492 + tpid = 0;
1.493 +
1.494 + string_alloced = FALSE;
1.495 + if (!_dbus_string_init (&auxdata))
1.496 + goto oom;
1.497 + string_alloced = TRUE;
1.498 +
1.499 + if (!_dbus_string_append (&auxdata, "msgtype="))
1.500 + goto oom;
1.501 +
1.502 + if (!_dbus_string_append (&auxdata, msgtype))
1.503 + goto oom;
1.504 +
1.505 + if (interface)
1.506 + {
1.507 + if (!_dbus_string_append (&auxdata, " interface="))
1.508 + goto oom;
1.509 + if (!_dbus_string_append (&auxdata, interface))
1.510 + goto oom;
1.511 + }
1.512 +
1.513 + if (member)
1.514 + {
1.515 + if (!_dbus_string_append (&auxdata, " member="))
1.516 + goto oom;
1.517 + if (!_dbus_string_append (&auxdata, member))
1.518 + goto oom;
1.519 + }
1.520 +
1.521 + if (error_name)
1.522 + {
1.523 + if (!_dbus_string_append (&auxdata, " error_name="))
1.524 + goto oom;
1.525 + if (!_dbus_string_append (&auxdata, error_name))
1.526 + goto oom;
1.527 + }
1.528 +
1.529 + if (destination)
1.530 + {
1.531 + if (!_dbus_string_append (&auxdata, " dest="))
1.532 + goto oom;
1.533 + if (!_dbus_string_append (&auxdata, destination))
1.534 + goto oom;
1.535 + }
1.536 +
1.537 + if (spid)
1.538 + {
1.539 + if (!_dbus_string_append (&auxdata, " spid="))
1.540 + goto oom;
1.541 +
1.542 + if (!_dbus_string_append_uint (&auxdata, spid))
1.543 + goto oom;
1.544 + }
1.545 +
1.546 + if (tpid)
1.547 + {
1.548 + if (!_dbus_string_append (&auxdata, " tpid="))
1.549 + goto oom;
1.550 +
1.551 + if (!_dbus_string_append_uint (&auxdata, tpid))
1.552 + goto oom;
1.553 + }
1.554 +
1.555 + sender_sid = bus_connection_get_selinux_id (sender);
1.556 + /* A NULL proposed_recipient means the bus itself. */
1.557 + if (proposed_recipient)
1.558 + recipient_sid = bus_connection_get_selinux_id (proposed_recipient);
1.559 + else
1.560 + recipient_sid = BUS_SID_FROM_SELINUX (bus_sid);
1.561 +
1.562 + ret = bus_selinux_check (sender_sid,
1.563 + recipient_sid,
1.564 + SECCLASS_DBUS,
1.565 + DBUS__SEND_MSG,
1.566 + &auxdata);
1.567 +
1.568 + _dbus_string_free (&auxdata);
1.569 +
1.570 + return ret;
1.571 +
1.572 + oom:
1.573 + if (string_alloced)
1.574 + _dbus_string_free (&auxdata);
1.575 + BUS_SET_OOM (error);
1.576 + return FALSE;
1.577 +
1.578 +#else
1.579 + return TRUE;
1.580 +#endif /* HAVE_SELINUX */
1.581 +}
1.582 +
1.583 +dbus_bool_t
1.584 +bus_selinux_append_context (DBusMessage *message,
1.585 + BusSELinuxID *sid,
1.586 + DBusError *error)
1.587 +{
1.588 +#ifdef HAVE_SELINUX
1.589 + char *context;
1.590 +
1.591 + if (avc_sid_to_context (SELINUX_SID_FROM_BUS (sid), &context) < 0)
1.592 + {
1.593 + if (errno == ENOMEM)
1.594 + BUS_SET_OOM (error);
1.595 + else
1.596 + dbus_set_error (error, DBUS_ERROR_FAILED,
1.597 + "Error getting context from SID: %s\n",
1.598 + _dbus_strerror (errno));
1.599 + return FALSE;
1.600 + }
1.601 + if (!dbus_message_append_args (message,
1.602 + DBUS_TYPE_ARRAY,
1.603 + DBUS_TYPE_BYTE,
1.604 + &context,
1.605 + strlen (context),
1.606 + DBUS_TYPE_INVALID))
1.607 + {
1.608 + _DBUS_SET_OOM (error);
1.609 + return FALSE;
1.610 + }
1.611 + freecon (context);
1.612 + return TRUE;
1.613 +#else
1.614 + return TRUE;
1.615 +#endif
1.616 +}
1.617 +
1.618 +/**
1.619 + * Gets the security context of a connection to the bus. It is up to
1.620 + * the caller to freecon() when they are done.
1.621 + *
1.622 + * @param connection the connection to get the context of.
1.623 + * @param con the location to store the security context.
1.624 + * @returns #TRUE if context is successfully obtained.
1.625 + */
1.626 +#ifdef HAVE_SELINUX
1.627 +static dbus_bool_t
1.628 +bus_connection_read_selinux_context (DBusConnection *connection,
1.629 + char **con)
1.630 +{
1.631 + int fd;
1.632 +
1.633 + if (!selinux_enabled)
1.634 + return FALSE;
1.635 +
1.636 + _dbus_assert (connection != NULL);
1.637 +
1.638 + if (!dbus_connection_get_unix_fd (connection, &fd))
1.639 + {
1.640 + _dbus_verbose ("Failed to get file descriptor of socket.\n");
1.641 + return FALSE;
1.642 + }
1.643 +
1.644 + if (getpeercon (fd, con) < 0)
1.645 + {
1.646 + _dbus_verbose ("Error getting context of socket peer: %s\n",
1.647 + _dbus_strerror (errno));
1.648 + return FALSE;
1.649 + }
1.650 +
1.651 + _dbus_verbose ("Successfully read connection context.\n");
1.652 + return TRUE;
1.653 +}
1.654 +#endif /* HAVE_SELINUX */
1.655 +
1.656 +/**
1.657 + * Read the SELinux ID from the connection.
1.658 + *
1.659 + * @param connection the connection to read from
1.660 + * @returns the SID if successfully determined, #NULL otherwise.
1.661 + */
1.662 +BusSELinuxID*
1.663 +bus_selinux_init_connection_id (DBusConnection *connection,
1.664 + DBusError *error)
1.665 +{
1.666 +#ifdef HAVE_SELINUX
1.667 + char *con;
1.668 + security_id_t sid;
1.669 +
1.670 + if (!selinux_enabled)
1.671 + return NULL;
1.672 +
1.673 + if (!bus_connection_read_selinux_context (connection, &con))
1.674 + {
1.675 + dbus_set_error (error, DBUS_ERROR_FAILED,
1.676 + "Failed to read an SELinux context from connection");
1.677 + _dbus_verbose ("Error getting peer context.\n");
1.678 + return NULL;
1.679 + }
1.680 +
1.681 + _dbus_verbose ("Converting context to SID to store on connection\n");
1.682 +
1.683 + if (avc_context_to_sid (con, &sid) < 0)
1.684 + {
1.685 + if (errno == ENOMEM)
1.686 + BUS_SET_OOM (error);
1.687 + else
1.688 + dbus_set_error (error, DBUS_ERROR_FAILED,
1.689 + "Error getting SID from context \"%s\": %s\n",
1.690 + con, _dbus_strerror (errno));
1.691 +
1.692 + _dbus_warn ("Error getting SID from context \"%s\": %s\n",
1.693 + con, _dbus_strerror (errno));
1.694 +
1.695 + freecon (con);
1.696 + return NULL;
1.697 + }
1.698 +
1.699 + freecon (con);
1.700 + return BUS_SID_FROM_SELINUX (sid);
1.701 +#else
1.702 + return NULL;
1.703 +#endif /* HAVE_SELINUX */
1.704 +}
1.705 +
1.706 +
1.707 +/**
1.708 + * Function for freeing hash table data. These SIDs
1.709 + * should no longer be referenced.
1.710 + */
1.711 +static void
1.712 +bus_selinux_id_table_free_value (BusSELinuxID *sid)
1.713 +{
1.714 +#ifdef HAVE_SELINUX
1.715 + /* NULL sometimes due to how DBusHashTable works */
1.716 + if (sid)
1.717 + bus_selinux_id_unref (sid);
1.718 +#endif /* HAVE_SELINUX */
1.719 +}
1.720 +
1.721 +/**
1.722 + * Creates a new table mapping service names to security ID.
1.723 + * A security ID is a "compiled" security context, a security
1.724 + * context is just a string.
1.725 + *
1.726 + * @returns the new table or #NULL if no memory
1.727 + */
1.728 +DBusHashTable*
1.729 +bus_selinux_id_table_new (void)
1.730 +{
1.731 + return _dbus_hash_table_new (DBUS_HASH_STRING,
1.732 + (DBusFreeFunction) dbus_free,
1.733 + (DBusFreeFunction) bus_selinux_id_table_free_value);
1.734 +}
1.735 +
1.736 +/**
1.737 + * Hashes a service name and service context into the service SID
1.738 + * table as a string and a SID.
1.739 + *
1.740 + * @param service_name is the name of the service.
1.741 + * @param service_context is the context of the service.
1.742 + * @param service_table is the table to hash them into.
1.743 + * @return #FALSE if not enough memory
1.744 + */
1.745 +dbus_bool_t
1.746 +bus_selinux_id_table_insert (DBusHashTable *service_table,
1.747 + const char *service_name,
1.748 + const char *service_context)
1.749 +{
1.750 +#ifdef HAVE_SELINUX
1.751 + dbus_bool_t retval;
1.752 + security_id_t sid;
1.753 + char *key;
1.754 +
1.755 + if (!selinux_enabled)
1.756 + return TRUE;
1.757 +
1.758 + sid = SECSID_WILD;
1.759 + retval = FALSE;
1.760 +
1.761 + key = _dbus_strdup (service_name);
1.762 + if (key == NULL)
1.763 + return retval;
1.764 +
1.765 + if (avc_context_to_sid ((char *) service_context, &sid) < 0)
1.766 + {
1.767 + if (errno == ENOMEM)
1.768 + {
1.769 + dbus_free (key);
1.770 + return FALSE;
1.771 + }
1.772 +
1.773 + _dbus_warn ("Error getting SID from context \"%s\": %s\n",
1.774 + (char *) service_context,
1.775 + _dbus_strerror (errno));
1.776 + goto out;
1.777 + }
1.778 +
1.779 + if (!_dbus_hash_table_insert_string (service_table,
1.780 + key,
1.781 + BUS_SID_FROM_SELINUX (sid)))
1.782 + goto out;
1.783 +
1.784 + _dbus_verbose ("Parsed \tservice: %s \n\t\tcontext: %s\n",
1.785 + key,
1.786 + sid->ctx);
1.787 +
1.788 + /* These are owned by the hash, so clear them to avoid unref */
1.789 + key = NULL;
1.790 + sid = SECSID_WILD;
1.791 +
1.792 + retval = TRUE;
1.793 +
1.794 + out:
1.795 + if (sid != SECSID_WILD)
1.796 + sidput (sid);
1.797 +
1.798 + if (key)
1.799 + dbus_free (key);
1.800 +
1.801 + return retval;
1.802 +#else
1.803 + return TRUE;
1.804 +#endif /* HAVE_SELINUX */
1.805 +}
1.806 +
1.807 +
1.808 +/**
1.809 + * Find the security identifier associated with a particular service
1.810 + * name. Return a pointer to this SID, or #NULL/SECSID_WILD if the
1.811 + * service is not found in the hash table. This should be nearly a
1.812 + * constant time operation. If SELinux support is not available,
1.813 + * always return NULL.
1.814 + *
1.815 + * @param service_table the hash table to check for service name.
1.816 + * @param service_name the name of the service to look for.
1.817 + * @returns the SELinux ID associated with the service
1.818 + */
1.819 +BusSELinuxID*
1.820 +bus_selinux_id_table_lookup (DBusHashTable *service_table,
1.821 + const DBusString *service_name)
1.822 +{
1.823 +#ifdef HAVE_SELINUX
1.824 + security_id_t sid;
1.825 +
1.826 + sid = SECSID_WILD; /* default context */
1.827 +
1.828 + if (!selinux_enabled)
1.829 + return NULL;
1.830 +
1.831 + _dbus_verbose ("Looking up service SID for %s\n",
1.832 + _dbus_string_get_const_data (service_name));
1.833 +
1.834 + sid = _dbus_hash_table_lookup_string (service_table,
1.835 + _dbus_string_get_const_data (service_name));
1.836 +
1.837 + if (sid == SECSID_WILD)
1.838 + _dbus_verbose ("Service %s not found\n",
1.839 + _dbus_string_get_const_data (service_name));
1.840 + else
1.841 + _dbus_verbose ("Service %s found\n",
1.842 + _dbus_string_get_const_data (service_name));
1.843 +
1.844 + return BUS_SID_FROM_SELINUX (sid);
1.845 +#endif /* HAVE_SELINUX */
1.846 + return NULL;
1.847 +}
1.848 +
1.849 +/**
1.850 + * Get the SELinux policy root. This is used to find the D-Bus
1.851 + * specific config file within the policy.
1.852 + */
1.853 +const char *
1.854 +bus_selinux_get_policy_root (void)
1.855 +{
1.856 +#ifdef HAVE_SELINUX
1.857 + return selinux_policy_root ();
1.858 +#else
1.859 + return NULL;
1.860 +#endif /* HAVE_SELINUX */
1.861 +}
1.862 +
1.863 +/**
1.864 + * For debugging: Print out the current hash table of service SIDs.
1.865 + */
1.866 +void
1.867 +bus_selinux_id_table_print (DBusHashTable *service_table)
1.868 +{
1.869 +#ifdef DBUS_ENABLE_VERBOSE_MODE
1.870 +#ifdef HAVE_SELINUX
1.871 + DBusHashIter iter;
1.872 +
1.873 + if (!selinux_enabled)
1.874 + return;
1.875 +
1.876 + _dbus_verbose ("Service SID Table:\n");
1.877 + _dbus_hash_iter_init (service_table, &iter);
1.878 + while (_dbus_hash_iter_next (&iter))
1.879 + {
1.880 + const char *key = _dbus_hash_iter_get_string_key (&iter);
1.881 + security_id_t sid = _dbus_hash_iter_get_value (&iter);
1.882 + _dbus_verbose ("The key is %s\n", key);
1.883 + _dbus_verbose ("The context is %s\n", sid->ctx);
1.884 + _dbus_verbose ("The refcount is %d\n", sid->refcnt);
1.885 + }
1.886 +#endif /* HAVE_SELINUX */
1.887 +#endif /* DBUS_ENABLE_VERBOSE_MODE */
1.888 +}
1.889 +
1.890 +
1.891 +#ifdef DBUS_ENABLE_VERBOSE_MODE
1.892 +#ifdef HAVE_SELINUX
1.893 +/**
1.894 + * Print out some AVC statistics.
1.895 + */
1.896 +static void
1.897 +bus_avc_print_stats (void)
1.898 +{
1.899 + struct avc_cache_stats cstats;
1.900 +
1.901 + if (!selinux_enabled)
1.902 + return;
1.903 +
1.904 + _dbus_verbose ("AVC Statistics:\n");
1.905 + avc_cache_stats (&cstats);
1.906 + avc_av_stats ();
1.907 + _dbus_verbose ("AVC Cache Statistics:\n");
1.908 + _dbus_verbose ("Entry lookups: %d\n", cstats.entry_lookups);
1.909 + _dbus_verbose ("Entry hits: %d\n", cstats.entry_hits);
1.910 + _dbus_verbose ("Entry misses %d\n", cstats.entry_misses);
1.911 + _dbus_verbose ("Entry discards: %d\n", cstats.entry_discards);
1.912 + _dbus_verbose ("CAV lookups: %d\n", cstats.cav_lookups);
1.913 + _dbus_verbose ("CAV hits: %d\n", cstats.cav_hits);
1.914 + _dbus_verbose ("CAV probes: %d\n", cstats.cav_probes);
1.915 + _dbus_verbose ("CAV misses: %d\n", cstats.cav_misses);
1.916 +}
1.917 +#endif /* HAVE_SELINUX */
1.918 +#endif /* DBUS_ENABLE_VERBOSE_MODE */
1.919 +
1.920 +
1.921 +/**
1.922 + * Destroy the AVC before we terminate.
1.923 + */
1.924 +void
1.925 +bus_selinux_shutdown (void)
1.926 +{
1.927 +#ifdef HAVE_SELINUX
1.928 + if (!selinux_enabled)
1.929 + return;
1.930 +
1.931 + _dbus_verbose ("AVC shutdown\n");
1.932 +
1.933 + if (bus_sid != SECSID_WILD)
1.934 + {
1.935 + sidput (bus_sid);
1.936 + bus_sid = SECSID_WILD;
1.937 +
1.938 +#ifdef DBUS_ENABLE_VERBOSE_MODE
1.939 + bus_avc_print_stats ();
1.940 +#endif /* DBUS_ENABLE_VERBOSE_MODE */
1.941 +
1.942 + avc_destroy ();
1.943 + }
1.944 +#endif /* HAVE_SELINUX */
1.945 +}
1.946 +