1 /* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*-
2 * Portion Copyright © 2008 Nokia Corporation and/or its subsidiary(-ies). All rights reserved.
3 * selinux.c SELinux security checks for D-Bus
5 * Author: Matthew Rickard <mjricka@epoch.ncsc.mil>
7 * Licensed under the Academic Free License version 2.1
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
25 #include <dbus/dbus-internals.h>
26 #include <dbus/dbus-string.h>
28 #include "dbus-internals.h"
29 #include "dbus-string.h"
30 #endif //__SYMBIAN32__
35 #include "config-parser.h"
41 #include <selinux/selinux.h>
42 #include <selinux/avc.h>
43 #include <selinux/av_permissions.h>
44 #include <selinux/flask.h>
47 #endif /* HAVE_SELINUX */
49 #define BUS_SID_FROM_SELINUX(sid) ((BusSELinuxID*) (sid))
50 #define SELINUX_SID_FROM_BUS(sid) ((security_id_t) (sid))
53 /* Store the value telling us if SELinux is enabled in the kernel. */
54 static dbus_bool_t selinux_enabled = FALSE;
56 /* Store an avc_entry_ref to speed AVC decisions. */
57 static struct avc_entry_ref aeref;
59 /* Store the SID of the bus itself to use as the default. */
60 static security_id_t bus_sid = SECSID_WILD;
62 /* Thread to listen for SELinux status changes via netlink. */
63 static pthread_t avc_notify_thread;
65 /* Prototypes for AVC callback functions. */
66 static void log_callback (const char *fmt, ...);
67 static void log_audit_callback (void *data, security_class_t class, char *buf, size_t bufleft);
68 static void *avc_create_thread (void (*run) (void));
69 static void avc_stop_thread (void *thread);
70 static void *avc_alloc_lock (void);
71 static void avc_get_lock (void *lock);
72 static void avc_release_lock (void *lock);
73 static void avc_free_lock (void *lock);
75 /* AVC callback structures for use in avc_init. */
76 static const struct avc_memory_callback mem_cb =
78 .func_malloc = dbus_malloc,
79 .func_free = dbus_free
81 static const struct avc_log_callback log_cb =
83 .func_log = log_callback,
84 .func_audit = log_audit_callback
86 static const struct avc_thread_callback thread_cb =
88 .func_create_thread = avc_create_thread,
89 .func_stop_thread = avc_stop_thread
91 static const struct avc_lock_callback lock_cb =
93 .func_alloc_lock = avc_alloc_lock,
94 .func_get_lock = avc_get_lock,
95 .func_release_lock = avc_release_lock,
96 .func_free_lock = avc_free_lock
98 #endif /* HAVE_SELINUX */
101 * Log callback to log denial messages from the AVC.
102 * This is used in avc_init. Logs to both standard
105 * @param fmt the format string
106 * @param variable argument list
110 log_callback (const char *fmt, ...)
114 vsyslog (LOG_INFO, fmt, ap);
119 * On a policy reload we need to reparse the SELinux configuration file, since
120 * this could have changed. Send a SIGHUP to reload all configs.
123 policy_reload_callback (u_int32_t event, security_id_t ssid,
124 security_id_t tsid, security_class_t tclass,
125 access_vector_t perms, access_vector_t *out_retained)
127 if (event == AVC_CALLBACK_RESET)
128 return raise (SIGHUP);
134 * Log any auxiliary data
137 log_audit_callback (void *data, security_class_t class, char *buf, size_t bufleft)
139 DBusString *audmsg = data;
140 _dbus_string_copy_to_buffer (audmsg, buf, bufleft);
144 * Create thread to notify the AVC of enforcing and policy reload
145 * changes via netlink.
147 * @param run the thread run function
148 * @return pointer to the thread
151 avc_create_thread (void (*run) (void))
155 rc = pthread_create (&avc_notify_thread, NULL, (void *(*) (void *)) run, NULL);
158 _dbus_warn ("Failed to start AVC thread: %s\n", _dbus_strerror (rc));
161 return &avc_notify_thread;
164 /* Stop AVC netlink thread. */
166 avc_stop_thread (void *thread)
168 pthread_cancel (*(pthread_t *) thread);
171 /* Allocate a new AVC lock. */
173 avc_alloc_lock (void)
175 pthread_mutex_t *avc_mutex;
177 avc_mutex = dbus_new (pthread_mutex_t, 1);
178 if (avc_mutex == NULL)
180 _dbus_warn ("Could not create mutex: %s\n", _dbus_strerror (errno));
183 pthread_mutex_init (avc_mutex, NULL);
188 /* Acquire an AVC lock. */
190 avc_get_lock (void *lock)
192 pthread_mutex_lock (lock);
195 /* Release an AVC lock. */
197 avc_release_lock (void *lock)
199 pthread_mutex_unlock (lock);
202 /* Free an AVC lock. */
204 avc_free_lock (void *lock)
206 pthread_mutex_destroy (lock);
209 #endif /* HAVE_SELINUX */
212 * Return whether or not SELinux is enabled; must be
213 * called after bus_selinux_init.
216 bus_selinux_enabled (void)
219 return selinux_enabled;
222 #endif /* HAVE_SELINUX */
226 * Do early initialization; determine whether SELinux is enabled.
229 bus_selinux_pre_init (void)
233 _dbus_assert (bus_sid == SECSID_WILD);
235 /* Determine if we are running an SELinux kernel. */
236 r = is_selinux_enabled ();
239 _dbus_warn ("Could not tell if SELinux is enabled: %s\n",
240 _dbus_strerror (errno));
244 selinux_enabled = r != 0;
252 * Initialize the user space access vector cache (AVC) for D-Bus and set up
256 bus_selinux_full_init (void)
261 _dbus_assert (bus_sid == SECSID_WILD);
263 if (!selinux_enabled)
265 _dbus_verbose ("SELinux not enabled in this kernel.\n");
269 _dbus_verbose ("SELinux is enabled in this kernel.\n");
271 avc_entry_ref_init (&aeref);
272 if (avc_init ("avc", &mem_cb, &log_cb, &thread_cb, &lock_cb) < 0)
274 _dbus_warn ("Failed to start Access Vector Cache (AVC).\n");
279 openlog ("dbus", LOG_PERROR, LOG_USER);
280 _dbus_verbose ("Access Vector Cache (AVC) started.\n");
283 if (avc_add_callback (policy_reload_callback, AVC_CALLBACK_RESET,
284 NULL, NULL, 0, 0) < 0)
286 _dbus_warn ("Failed to add policy reload callback: %s\n",
287 _dbus_strerror (errno));
293 bus_sid = SECSID_WILD;
295 if (getcon (&bus_context) < 0)
297 _dbus_verbose ("Error getting context of bus: %s\n",
298 _dbus_strerror (errno));
302 if (avc_context_to_sid (bus_context, &bus_sid) < 0)
304 _dbus_verbose ("Error getting SID from bus context: %s\n",
305 _dbus_strerror (errno));
306 freecon (bus_context);
310 freecon (bus_context);
315 #endif /* HAVE_SELINUX */
319 * Decrement SID reference count.
321 * @param sid the SID to decrement
324 bus_selinux_id_unref (BusSELinuxID *sid)
327 if (!selinux_enabled)
330 _dbus_assert (sid != NULL);
332 sidput (SELINUX_SID_FROM_BUS (sid));
333 #endif /* HAVE_SELINUX */
337 bus_selinux_id_ref (BusSELinuxID *sid)
340 if (!selinux_enabled)
343 _dbus_assert (sid != NULL);
345 sidget (SELINUX_SID_FROM_BUS (sid));
346 #endif /* HAVE_SELINUX */
350 * Determine if the SELinux security policy allows the given sender
351 * security context to go to the given recipient security context.
352 * This function determines if the requested permissions are to be
353 * granted from the connection to the message bus or to another
354 * optionally supplied security identifier (e.g. for a service
355 * context). Currently these permissions are either send_msg or
356 * acquire_svc in the dbus class.
358 * @param sender_sid source security context
359 * @param override_sid is the target security context. If SECSID_WILD this will
360 * use the context of the bus itself (e.g. the default).
361 * @param target_class is the target security class.
362 * @param requested is the requested permissions.
363 * @returns #TRUE if security policy allows the send.
367 bus_selinux_check (BusSELinuxID *sender_sid,
368 BusSELinuxID *override_sid,
369 security_class_t target_class,
370 access_vector_t requested,
373 if (!selinux_enabled)
376 /* Make the security check. AVC checks enforcing mode here as well. */
377 if (avc_has_perm (SELINUX_SID_FROM_BUS (sender_sid),
379 SELINUX_SID_FROM_BUS (override_sid) :
380 SELINUX_SID_FROM_BUS (bus_sid),
381 target_class, requested, &aeref, auxdata) < 0)
383 _dbus_verbose ("SELinux denying due to security policy.\n");
389 #endif /* HAVE_SELINUX */
392 * Returns true if the given connection can acquire a service,
393 * assuming the given security ID is needed for that service.
395 * @param connection connection that wants to own the service
396 * @param service_sid the SID of the service from the table
397 * @returns #TRUE if acquire is permitted.
400 bus_selinux_allows_acquire_service (DBusConnection *connection,
401 BusSELinuxID *service_sid,
402 const char *service_name,
406 BusSELinuxID *connection_sid;
411 if (!selinux_enabled)
414 connection_sid = bus_connection_get_selinux_id (connection);
415 if (!dbus_connection_get_unix_process_id (connection, &spid))
418 if (!_dbus_string_init (&auxdata))
421 if (!_dbus_string_append (&auxdata, "service="))
424 if (!_dbus_string_append (&auxdata, service_name))
429 if (!_dbus_string_append (&auxdata, " spid="))
432 if (!_dbus_string_append_uint (&auxdata, spid))
436 ret = bus_selinux_check (connection_sid,
442 _dbus_string_free (&auxdata);
446 _dbus_string_free (&auxdata);
452 #endif /* HAVE_SELINUX */
456 * Check if SELinux security controls allow the message to be sent to a
457 * particular connection based on the security context of the sender and
458 * that of the receiver. The destination connection need not be the
459 * addressed recipient, it could be an "eavesdropper"
461 * @param sender the sender of the message.
462 * @param proposed_recipient the connection the message is to be sent to.
463 * @returns whether to allow the send
466 bus_selinux_allows_send (DBusConnection *sender,
467 DBusConnection *proposed_recipient,
469 const char *interface,
471 const char *error_name,
472 const char *destination,
476 BusSELinuxID *recipient_sid;
477 BusSELinuxID *sender_sid;
478 unsigned long spid, tpid;
481 dbus_bool_t string_alloced;
483 if (!selinux_enabled)
486 if (!sender || !dbus_connection_get_unix_process_id (sender, &spid))
488 if (!proposed_recipient || !dbus_connection_get_unix_process_id (proposed_recipient, &tpid))
491 string_alloced = FALSE;
492 if (!_dbus_string_init (&auxdata))
494 string_alloced = TRUE;
496 if (!_dbus_string_append (&auxdata, "msgtype="))
499 if (!_dbus_string_append (&auxdata, msgtype))
504 if (!_dbus_string_append (&auxdata, " interface="))
506 if (!_dbus_string_append (&auxdata, interface))
512 if (!_dbus_string_append (&auxdata, " member="))
514 if (!_dbus_string_append (&auxdata, member))
520 if (!_dbus_string_append (&auxdata, " error_name="))
522 if (!_dbus_string_append (&auxdata, error_name))
528 if (!_dbus_string_append (&auxdata, " dest="))
530 if (!_dbus_string_append (&auxdata, destination))
536 if (!_dbus_string_append (&auxdata, " spid="))
539 if (!_dbus_string_append_uint (&auxdata, spid))
545 if (!_dbus_string_append (&auxdata, " tpid="))
548 if (!_dbus_string_append_uint (&auxdata, tpid))
552 sender_sid = bus_connection_get_selinux_id (sender);
553 /* A NULL proposed_recipient means the bus itself. */
554 if (proposed_recipient)
555 recipient_sid = bus_connection_get_selinux_id (proposed_recipient);
557 recipient_sid = BUS_SID_FROM_SELINUX (bus_sid);
559 ret = bus_selinux_check (sender_sid,
565 _dbus_string_free (&auxdata);
571 _dbus_string_free (&auxdata);
577 #endif /* HAVE_SELINUX */
581 bus_selinux_append_context (DBusMessage *message,
588 if (avc_sid_to_context (SELINUX_SID_FROM_BUS (sid), &context) < 0)
593 dbus_set_error (error, DBUS_ERROR_FAILED,
594 "Error getting context from SID: %s\n",
595 _dbus_strerror (errno));
598 if (!dbus_message_append_args (message,
605 _DBUS_SET_OOM (error);
616 * Gets the security context of a connection to the bus. It is up to
617 * the caller to freecon() when they are done.
619 * @param connection the connection to get the context of.
620 * @param con the location to store the security context.
621 * @returns #TRUE if context is successfully obtained.
625 bus_connection_read_selinux_context (DBusConnection *connection,
630 if (!selinux_enabled)
633 _dbus_assert (connection != NULL);
635 if (!dbus_connection_get_unix_fd (connection, &fd))
637 _dbus_verbose ("Failed to get file descriptor of socket.\n");
641 if (getpeercon (fd, con) < 0)
643 _dbus_verbose ("Error getting context of socket peer: %s\n",
644 _dbus_strerror (errno));
648 _dbus_verbose ("Successfully read connection context.\n");
651 #endif /* HAVE_SELINUX */
654 * Read the SELinux ID from the connection.
656 * @param connection the connection to read from
657 * @returns the SID if successfully determined, #NULL otherwise.
660 bus_selinux_init_connection_id (DBusConnection *connection,
667 if (!selinux_enabled)
670 if (!bus_connection_read_selinux_context (connection, &con))
672 dbus_set_error (error, DBUS_ERROR_FAILED,
673 "Failed to read an SELinux context from connection");
674 _dbus_verbose ("Error getting peer context.\n");
678 _dbus_verbose ("Converting context to SID to store on connection\n");
680 if (avc_context_to_sid (con, &sid) < 0)
685 dbus_set_error (error, DBUS_ERROR_FAILED,
686 "Error getting SID from context \"%s\": %s\n",
687 con, _dbus_strerror (errno));
689 _dbus_warn ("Error getting SID from context \"%s\": %s\n",
690 con, _dbus_strerror (errno));
697 return BUS_SID_FROM_SELINUX (sid);
700 #endif /* HAVE_SELINUX */
705 * Function for freeing hash table data. These SIDs
706 * should no longer be referenced.
709 bus_selinux_id_table_free_value (BusSELinuxID *sid)
712 /* NULL sometimes due to how DBusHashTable works */
714 bus_selinux_id_unref (sid);
715 #endif /* HAVE_SELINUX */
719 * Creates a new table mapping service names to security ID.
720 * A security ID is a "compiled" security context, a security
721 * context is just a string.
723 * @returns the new table or #NULL if no memory
726 bus_selinux_id_table_new (void)
728 return _dbus_hash_table_new (DBUS_HASH_STRING,
729 (DBusFreeFunction) dbus_free,
730 (DBusFreeFunction) bus_selinux_id_table_free_value);
734 * Hashes a service name and service context into the service SID
735 * table as a string and a SID.
737 * @param service_name is the name of the service.
738 * @param service_context is the context of the service.
739 * @param service_table is the table to hash them into.
740 * @return #FALSE if not enough memory
743 bus_selinux_id_table_insert (DBusHashTable *service_table,
744 const char *service_name,
745 const char *service_context)
752 if (!selinux_enabled)
758 key = _dbus_strdup (service_name);
762 if (avc_context_to_sid ((char *) service_context, &sid) < 0)
770 _dbus_warn ("Error getting SID from context \"%s\": %s\n",
771 (char *) service_context,
772 _dbus_strerror (errno));
776 if (!_dbus_hash_table_insert_string (service_table,
778 BUS_SID_FROM_SELINUX (sid)))
781 _dbus_verbose ("Parsed \tservice: %s \n\t\tcontext: %s\n",
785 /* These are owned by the hash, so clear them to avoid unref */
792 if (sid != SECSID_WILD)
801 #endif /* HAVE_SELINUX */
806 * Find the security identifier associated with a particular service
807 * name. Return a pointer to this SID, or #NULL/SECSID_WILD if the
808 * service is not found in the hash table. This should be nearly a
809 * constant time operation. If SELinux support is not available,
810 * always return NULL.
812 * @param service_table the hash table to check for service name.
813 * @param service_name the name of the service to look for.
814 * @returns the SELinux ID associated with the service
817 bus_selinux_id_table_lookup (DBusHashTable *service_table,
818 const DBusString *service_name)
823 sid = SECSID_WILD; /* default context */
825 if (!selinux_enabled)
828 _dbus_verbose ("Looking up service SID for %s\n",
829 _dbus_string_get_const_data (service_name));
831 sid = _dbus_hash_table_lookup_string (service_table,
832 _dbus_string_get_const_data (service_name));
834 if (sid == SECSID_WILD)
835 _dbus_verbose ("Service %s not found\n",
836 _dbus_string_get_const_data (service_name));
838 _dbus_verbose ("Service %s found\n",
839 _dbus_string_get_const_data (service_name));
841 return BUS_SID_FROM_SELINUX (sid);
842 #endif /* HAVE_SELINUX */
847 * Get the SELinux policy root. This is used to find the D-Bus
848 * specific config file within the policy.
851 bus_selinux_get_policy_root (void)
854 return selinux_policy_root ();
857 #endif /* HAVE_SELINUX */
861 * For debugging: Print out the current hash table of service SIDs.
864 bus_selinux_id_table_print (DBusHashTable *service_table)
866 #ifdef DBUS_ENABLE_VERBOSE_MODE
870 if (!selinux_enabled)
873 _dbus_verbose ("Service SID Table:\n");
874 _dbus_hash_iter_init (service_table, &iter);
875 while (_dbus_hash_iter_next (&iter))
877 const char *key = _dbus_hash_iter_get_string_key (&iter);
878 security_id_t sid = _dbus_hash_iter_get_value (&iter);
879 _dbus_verbose ("The key is %s\n", key);
880 _dbus_verbose ("The context is %s\n", sid->ctx);
881 _dbus_verbose ("The refcount is %d\n", sid->refcnt);
883 #endif /* HAVE_SELINUX */
884 #endif /* DBUS_ENABLE_VERBOSE_MODE */
888 #ifdef DBUS_ENABLE_VERBOSE_MODE
891 * Print out some AVC statistics.
894 bus_avc_print_stats (void)
896 struct avc_cache_stats cstats;
898 if (!selinux_enabled)
901 _dbus_verbose ("AVC Statistics:\n");
902 avc_cache_stats (&cstats);
904 _dbus_verbose ("AVC Cache Statistics:\n");
905 _dbus_verbose ("Entry lookups: %d\n", cstats.entry_lookups);
906 _dbus_verbose ("Entry hits: %d\n", cstats.entry_hits);
907 _dbus_verbose ("Entry misses %d\n", cstats.entry_misses);
908 _dbus_verbose ("Entry discards: %d\n", cstats.entry_discards);
909 _dbus_verbose ("CAV lookups: %d\n", cstats.cav_lookups);
910 _dbus_verbose ("CAV hits: %d\n", cstats.cav_hits);
911 _dbus_verbose ("CAV probes: %d\n", cstats.cav_probes);
912 _dbus_verbose ("CAV misses: %d\n", cstats.cav_misses);
914 #endif /* HAVE_SELINUX */
915 #endif /* DBUS_ENABLE_VERBOSE_MODE */
919 * Destroy the AVC before we terminate.
922 bus_selinux_shutdown (void)
925 if (!selinux_enabled)
928 _dbus_verbose ("AVC shutdown\n");
930 if (bus_sid != SECSID_WILD)
933 bus_sid = SECSID_WILD;
935 #ifdef DBUS_ENABLE_VERBOSE_MODE
936 bus_avc_print_stats ();
937 #endif /* DBUS_ENABLE_VERBOSE_MODE */
941 #endif /* HAVE_SELINUX */