All of lore.kernel.org
 help / color / mirror / Atom feed
* [poky][master][PATCH] dbus_%.bbappend: stop using selinux_set_mapping
@ 2021-08-13  7:22 Nisha Parrakat
  0 siblings, 0 replies; only message in thread
From: Nisha Parrakat @ 2021-08-13  7:22 UTC (permalink / raw)
  To: openembedded-core, raj.khem; +Cc: nisha.parrakat

https://gitlab.freedesktop.org/dbus/dbus/-/issues/198
https://gitlab.freedesktop.org/dbus/dbus/-/commit/6072f8b24153d844a3033108a17bcd0c1a967816

Currently, if the "dbus" security class or the associated AV doesn't
exist, dbus-daemon fails to initialize and exits immediately. Also the
security classes or access vector cannot be reordered in the policy.
This can be a problem for people developing their own policy or trying
to access a machine where, for some reasons, there is not policy defined
at all.

The code here copy the behaviour of the selinux_check_access() function.
We cannot use this function here as it doesn't allow us to define the
AVC entry reference.

See the discussion at https://marc.info/?l=selinux&m=152163374332372&w=2

Signed-off-by: Nisha Parrakat <nishaparrakat@gmail.com>
---
 meta/recipes-core/dbus/dbus.inc               |   1 +
 .../dbus/stop_using_selinux_set_mapping.patch | 148 ++++++++++++++++++
 2 files changed, 149 insertions(+)
 create mode 100644 meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch

diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc
index b237476493..8c7daed5ef 100644
--- a/meta/recipes-core/dbus/dbus.inc
+++ b/meta/recipes-core/dbus/dbus.inc
@@ -8,6 +8,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
            file://tmpdir.patch \
            file://dbus-1.init \
            file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
+           file://stop_using_selinux_set_mapping.patch \
 "
 
 SRC_URI[md5sum] = "dfe8a71f412e0b53be26ed4fbfdc91c4"
diff --git a/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch b/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch
new file mode 100644
index 0000000000..7035098e41
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch
@@ -0,0 +1,148 @@
+From 6072f8b24153d844a3033108a17bcd0c1a967816 Mon Sep 17 00:00:00 2001
+From: Laurent Bigonville <bigon@bigon.be>
+Date: Sat, 3 Mar 2018 11:15:23 +0100
+Subject: [PATCH] Stop using selinux_set_mapping() function
+
+Currently, if the "dbus" security class or the associated AV doesn't
+exist, dbus-daemon fails to initialize and exits immediately. Also the
+security classes or access vector cannot be reordered in the policy.
+This can be a problem for people developing their own policy or trying
+to access a machine where, for some reasons, there is not policy defined
+at all.
+
+The code here copy the behaviour of the selinux_check_access() function.
+We cannot use this function here as it doesn't allow us to define the
+AVC entry reference.
+
+See the discussion at https://marc.info/?l=selinux&m=152163374332372&w=2
+
+Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/198
+---
+ bus/selinux.c | 75 ++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 42 insertions(+), 33 deletions(-)
+
+
+Upstream-Status: Backport
+Signed-off-by: Nisha.Parrakat <Nisha.Parrakat@kpit.com>
+diff --git a/bus/selinux.c b/bus/selinux.c
+
+--- a/bus/selinux.c	2021-08-11 14:45:59.048513026 +0000
++++ b/bus/selinux.c	2021-08-11 14:57:47.144846966 +0000
+@@ -311,24 +311,6 @@
+ #endif
+ }
+ 
+-/*
+- * Private Flask definitions; the order of these constants must
+- * exactly match that of the structure array below!
+- */
+-/* security dbus class constants */
+-#define SECCLASS_DBUS       1
+-
+-/* dbus's per access vector constants */
+-#define DBUS__ACQUIRE_SVC   1
+-#define DBUS__SEND_MSG      2
+-
+-#ifdef HAVE_SELINUX
+-static struct security_class_mapping dbus_map[] = {
+-  { "dbus", { "acquire_svc", "send_msg", NULL } },
+-  { NULL }
+-};
+-#endif /* HAVE_SELINUX */
+-
+ /**
+  * Establish dynamic object class and permission mapping and
+  * initialize the user space access vector cache (AVC) for D-Bus and set up
+@@ -350,13 +332,6 @@
+ 
+   _dbus_verbose ("SELinux is enabled in this kernel.\n");
+ 
+-  if (selinux_set_mapping (dbus_map) < 0)
+-    {
+-      _dbus_warn ("Failed to set up security class mapping (selinux_set_mapping():%s).",
+-                   strerror (errno));
+-      return FALSE; 
+-    }
+-
+   avc_entry_ref_init (&aeref);
+   if (avc_init ("avc", &mem_cb, &log_cb, &thread_cb, &lock_cb) < 0)
+     {
+@@ -421,19 +396,53 @@
+ static dbus_bool_t
+ bus_selinux_check (BusSELinuxID        *sender_sid,
+                    BusSELinuxID        *override_sid,
+-                   security_class_t     target_class,
+-                   access_vector_t      requested,
++                   const char          *target_class,
++                   const char          *requested,
+ 		   DBusString          *auxdata)
+ {
++  int saved_errno;
++  security_class_t security_class;
++  access_vector_t requested_access;
++
+   if (!selinux_enabled)
+     return TRUE;
+ 
++  security_class = string_to_security_class (target_class);
++  if (security_class == 0)
++    {
++      saved_errno = errno;
++      log_callback (SELINUX_ERROR, "Unknown class %s", target_class);
++      if (security_deny_unknown () == 0)
++        {
++          return TRUE;
++	}
++
++      _dbus_verbose ("Unknown class %s\n", target_class);
++      errno = saved_errno;
++      return FALSE;
++    }
++
++  requested_access = string_to_av_perm (security_class, requested);
++  if (requested_access == 0)
++    {
++      saved_errno = errno;
++      log_callback (SELINUX_ERROR, "Unknown permission %s for class %s", requested, target_class);
++      if (security_deny_unknown () == 0)
++        {
++          return TRUE;
++	}
++
++      _dbus_verbose ("Unknown permission %s for class %s\n", requested, target_class);
++      errno = saved_errno;
++      return FALSE;
++    }
++
+   /* Make the security check.  AVC checks enforcing mode here as well. */
+   if (avc_has_perm (SELINUX_SID_FROM_BUS (sender_sid),
+                     override_sid ?
+                     SELINUX_SID_FROM_BUS (override_sid) :
+                     bus_sid,
+-                    target_class, requested, &aeref, auxdata) < 0)
++                    security_class, requested_access, &aeref, auxdata) < 0)
+     {
+     switch (errno)
+       {
+@@ -500,8 +509,8 @@
+   
+   ret = bus_selinux_check (connection_sid,
+ 			   service_sid,
+-			   SECCLASS_DBUS,
+-			   DBUS__ACQUIRE_SVC,
++			   "dbus",
++			   "acquire_svc",
+ 			   &auxdata);
+ 
+   _dbus_string_free (&auxdata);
+@@ -629,8 +638,8 @@
+ 
+   ret = bus_selinux_check (sender_sid, 
+ 			   recipient_sid,
+-			   SECCLASS_DBUS, 
+-			   DBUS__SEND_MSG,
++			   "dbus", 
++			   "send_msg",
+ 			   &auxdata);
+ 
+   _dbus_string_free (&auxdata);
-- 
2.17.1


^ permalink raw reply related	[flat|nested] only message in thread
only message in thread, other threads:[~2021-08-13  7:22 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-13  7:22 [poky][master][PATCH] dbus_%.bbappend: stop using selinux_set_mapping Nisha Parrakat

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.