aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNisha Parrakat <nishaparrakat@gmail.com>2021-08-13 07:22:02 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-08-13 22:43:50 +0100
commit0441b53d55a919b5ac42e997f4092053b017b553 (patch)
tree88f2e26ec3da319df8251298d16e8965f2c73051
parent8f96a2d13bbae8fb70ed7feafdcff26544e3710d (diff)
downloadopenembedded-core-0441b53d55a919b5ac42e997f4092053b017b553.tar.gz
openembedded-core-0441b53d55a919b5ac42e997f4092053b017b553.tar.bz2
openembedded-core-0441b53d55a919b5ac42e997f4092053b017b553.zip
dbus_%.bbappend: stop using selinux_set_mapping
https://gitlab.freedesktop.org/dbus/dbus/-/issues/198 https://gitlab.freedesktop.org/dbus/dbus/-/commit/6072f8b24153d844a3033108a17bcd0c1a967816 Currently, if the "dbus" security class or the associated AV doesn't exist, dbus-daemon fails to initialize and exits immediately. Also the security classes or access vector cannot be reordered in the policy. This can be a problem for people developing their own policy or trying to access a machine where, for some reasons, there is not policy defined at all. The code here copy the behaviour of the selinux_check_access() function. We cannot use this function here as it doesn't allow us to define the AVC entry reference. See the discussion at https://marc.info/?l=selinux&m=152163374332372&w=2 Signed-off-by: Nisha Parrakat <nishaparrakat@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/dbus/dbus.inc1
-rw-r--r--meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch148
2 files changed, 149 insertions, 0 deletions
diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc
index f0eeffacc8..adc138bf10 100644
--- a/meta/recipes-core/dbus/dbus.inc
+++ b/meta/recipes-core/dbus/dbus.inc
@@ -8,6 +8,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
file://tmpdir.patch \
file://dbus-1.init \
file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
+ file://stop_using_selinux_set_mapping.patch \
"
SRC_URI[md5sum] = "dfe8a71f412e0b53be26ed4fbfdc91c4"
diff --git a/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch b/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch
new file mode 100644
index 0000000000..7035098e41
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch
@@ -0,0 +1,148 @@
+From 6072f8b24153d844a3033108a17bcd0c1a967816 Mon Sep 17 00:00:00 2001
+From: Laurent Bigonville <bigon@bigon.be>
+Date: Sat, 3 Mar 2018 11:15:23 +0100
+Subject: [PATCH] Stop using selinux_set_mapping() function
+
+Currently, if the "dbus" security class or the associated AV doesn't
+exist, dbus-daemon fails to initialize and exits immediately. Also the
+security classes or access vector cannot be reordered in the policy.
+This can be a problem for people developing their own policy or trying
+to access a machine where, for some reasons, there is not policy defined
+at all.
+
+The code here copy the behaviour of the selinux_check_access() function.
+We cannot use this function here as it doesn't allow us to define the
+AVC entry reference.
+
+See the discussion at https://marc.info/?l=selinux&m=152163374332372&w=2
+
+Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/198
+---
+ bus/selinux.c | 75 ++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 42 insertions(+), 33 deletions(-)
+
+
+Upstream-Status: Backport
+Signed-off-by: Nisha.Parrakat <Nisha.Parrakat@kpit.com>
+diff --git a/bus/selinux.c b/bus/selinux.c
+
+--- a/bus/selinux.c 2021-08-11 14:45:59.048513026 +0000
++++ b/bus/selinux.c 2021-08-11 14:57:47.144846966 +0000
+@@ -311,24 +311,6 @@
+ #endif
+ }
+
+-/*
+- * Private Flask definitions; the order of these constants must
+- * exactly match that of the structure array below!
+- */
+-/* security dbus class constants */
+-#define SECCLASS_DBUS 1
+-
+-/* dbus's per access vector constants */
+-#define DBUS__ACQUIRE_SVC 1
+-#define DBUS__SEND_MSG 2
+-
+-#ifdef HAVE_SELINUX
+-static struct security_class_mapping dbus_map[] = {
+- { "dbus", { "acquire_svc", "send_msg", NULL } },
+- { NULL }
+-};
+-#endif /* HAVE_SELINUX */
+-
+ /**
+ * Establish dynamic object class and permission mapping and
+ * initialize the user space access vector cache (AVC) for D-Bus and set up
+@@ -350,13 +332,6 @@
+
+ _dbus_verbose ("SELinux is enabled in this kernel.\n");
+
+- if (selinux_set_mapping (dbus_map) < 0)
+- {
+- _dbus_warn ("Failed to set up security class mapping (selinux_set_mapping():%s).",
+- strerror (errno));
+- return FALSE;
+- }
+-
+ avc_entry_ref_init (&aeref);
+ if (avc_init ("avc", &mem_cb, &log_cb, &thread_cb, &lock_cb) < 0)
+ {
+@@ -421,19 +396,53 @@
+ static dbus_bool_t
+ bus_selinux_check (BusSELinuxID *sender_sid,
+ BusSELinuxID *override_sid,
+- security_class_t target_class,
+- access_vector_t requested,
++ const char *target_class,
++ const char *requested,
+ DBusString *auxdata)
+ {
++ int saved_errno;
++ security_class_t security_class;
++ access_vector_t requested_access;
++
+ if (!selinux_enabled)
+ return TRUE;
+
++ security_class = string_to_security_class (target_class);
++ if (security_class == 0)
++ {
++ saved_errno = errno;
++ log_callback (SELINUX_ERROR, "Unknown class %s", target_class);
++ if (security_deny_unknown () == 0)
++ {
++ return TRUE;
++ }
++
++ _dbus_verbose ("Unknown class %s\n", target_class);
++ errno = saved_errno;
++ return FALSE;
++ }
++
++ requested_access = string_to_av_perm (security_class, requested);
++ if (requested_access == 0)
++ {
++ saved_errno = errno;
++ log_callback (SELINUX_ERROR, "Unknown permission %s for class %s", requested, target_class);
++ if (security_deny_unknown () == 0)
++ {
++ return TRUE;
++ }
++
++ _dbus_verbose ("Unknown permission %s for class %s\n", requested, target_class);
++ errno = saved_errno;
++ return FALSE;
++ }
++
+ /* Make the security check. AVC checks enforcing mode here as well. */
+ if (avc_has_perm (SELINUX_SID_FROM_BUS (sender_sid),
+ override_sid ?
+ SELINUX_SID_FROM_BUS (override_sid) :
+ bus_sid,
+- target_class, requested, &aeref, auxdata) < 0)
++ security_class, requested_access, &aeref, auxdata) < 0)
+ {
+ switch (errno)
+ {
+@@ -500,8 +509,8 @@
+
+ ret = bus_selinux_check (connection_sid,
+ service_sid,
+- SECCLASS_DBUS,
+- DBUS__ACQUIRE_SVC,
++ "dbus",
++ "acquire_svc",
+ &auxdata);
+
+ _dbus_string_free (&auxdata);
+@@ -629,8 +638,8 @@
+
+ ret = bus_selinux_check (sender_sid,
+ recipient_sid,
+- SECCLASS_DBUS,
+- DBUS__SEND_MSG,
++ "dbus",
++ "send_msg",
+ &auxdata);
+
+ _dbus_string_free (&auxdata);