journal: add debug mode for mmap-cache (--enable-debug=mmap-cache)
[elogind.git] / src / bus-proxyd / bus-proxyd.c
index 8fb204ca592317951b1050a61208c49ce04f83bf..5d304538fd757db56006f9bef807062ac35a6ef6 100644 (file)
@@ -45,6 +45,8 @@
 #include "def.h"
 #include "capability.h"
 #include "bus-policy.h"
+#include "bus-control.h"
+#include "smack-util.h"
 
 static char *arg_address = NULL;
 static char *arg_command_line_buffer = NULL;
@@ -1002,7 +1004,7 @@ static int process_policy(sd_bus *from, sd_bus *to, sd_bus_message *m, Policy *p
                 }
 
                 if (granted) {
-                        /* Then check whether us, the recipient can recieve from the sender's name */
+                        /* Then check whether us (the recipient) can recieve from the sender's name */
                         if (strv_isempty(sender_names)) {
                                 if (policy_check_recv(policy, our_ucred->uid, our_ucred->gid, m->header->type, NULL, m->path, m->interface, m->member))
                                         return 0;
@@ -1038,9 +1040,10 @@ static int process_policy(sd_bus *from, sd_bus *to, sd_bus_message *m, Policy *p
 
                 /* The message came from the legacy client, and is sent to kdbus. */
                 if (m->destination) {
-                        r = sd_bus_get_name_creds(to, m->destination,
-                                                  SD_BUS_CREDS_WELL_KNOWN_NAMES|SD_BUS_CREDS_UNIQUE_NAME|
-                                                  SD_BUS_CREDS_UID|SD_BUS_CREDS_GID|SD_BUS_CREDS_PID, &destination_creds);
+                        r = bus_get_name_creds_kdbus(to, m->destination,
+                                                     SD_BUS_CREDS_WELL_KNOWN_NAMES|SD_BUS_CREDS_UNIQUE_NAME|
+                                                     SD_BUS_CREDS_UID|SD_BUS_CREDS_GID|SD_BUS_CREDS_PID,
+                                                     true, &destination_creds);
                         if (r < 0)
                                 return r;
 
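Review bot: The bare `true` passed to `bus_get_name_creds_kdbus()` is unreadable at the call site, and it matters because the credentials it returns feed the send-policy check further down. If this argument is the allow-activator flag (the prototype lives in bus-control.h and is not visible here), the uid/gid that get checked may belong to an activator placeholder and not to the process that finally receives the message. A short comment such as `/* allow_activator = true: destination may not be activated yet */` would record that this is intended. The enclosing `process_policy()` starts and ends outside the hunk.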
@@ -1056,7 +1059,7 @@ static int process_policy(sd_bus *from, sd_bus *to, sd_bus_message *m, Policy *p
                         (void) sd_bus_creds_get_gid(destination_creds, &destination_gid);
                 }
 
-                /* First check if we, the sender can send to this name */
+                /* First check if we (the sender) can send to this name */
                 if (strv_isempty(destination_names)) {
                         if (policy_check_send(policy, our_ucred->uid, our_ucred->gid, m->header->type, NULL, m->path, m->interface, m->member))
                                 granted = true;
@@ -1233,6 +1236,23 @@ static int patch_sender(sd_bus *a, sd_bus_message *m) {
         return 0;
 }
 
+static int mac_smack_apply_label_and_drop_cap_mac_admin(pid_t its_pid, const char *new_label) {
+#ifdef HAVE_SMACK
+        int r = 0, k;
+
+        if (!mac_smack_use())
+                return 0;
+
+        if (new_label && its_pid > 0)
+                r = mac_smack_apply_pid(its_pid, new_label);
+
+        k = drop_capability(CAP_MAC_ADMIN);
+        return r < 0 ? r : k;
+#else
+        return 0;
+#endif
+}
+
 int main(int argc, char *argv[]) {
 
         _cleanup_bus_close_unref_ sd_bus *a = NULL, *b = NULL;
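Review bot: `mac_smack_apply_label_and_drop_cap_mac_admin()` keeps CAP_MAC_ADMIN on two paths despite its name: the early `return 0` when `mac_smack_use()` is false, and the whole `#else` branch. If the proxy can hold that capability on such systems, the drop should not depend on SMACK being active, for example by calling `drop_capability(CAP_MAC_ADMIN)` before the `mac_smack_use()` test. Otherwise the function needs a comment saying that retaining it there is intended. When both the label change and the drop fail, `return r < 0 ? r : k;` reports only the label error, so the caller cannot tell the capability is still held. A doc comment describing the return value and the NULL-label case would help.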
@@ -1272,6 +1292,10 @@ int main(int argc, char *argv[]) {
         if (is_unix) {
                 (void) getpeercred(in_fd, &ucred);
                 (void) getpeersec(in_fd, &peersec);
+
+                r = mac_smack_apply_label_and_drop_cap_mac_admin(getpid(), peersec);
+                if (r < 0)
+                        log_warning_errno(r, "Failed to set SMACK label (%s) and drop CAP_MAC_ADMIN: %m", peersec);
         }
 
         if (arg_drop_privileges) {
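Review bot: `peersec` can still be NULL when the new warning formats it with `%s`, because the result of `getpeersec()` two lines up is discarded with `(void)`. Pass it through the tree's `strna()` helper or test the pointer first. In that same case the helper skips the label change and returns success, so the proxy carries on under its own SMACK label with nothing logged; a `log_debug` there would make that visible. A failure to drop CAP_MAC_ADMIN is likewise only a warning, so decide explicitly whether continuing with the capability is acceptable or whether the error should be fatal. `main()` extends beyond this hunk.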
@@ -1400,7 +1424,7 @@ int main(int argc, char *argv[]) {
                 }
 
                 policy = &policy_buffer;
-                policy_dump(policy);
+                /* policy_dump(policy); */
 
                 if (!policy_check_hello(policy, ucred.uid, ucred.gid)) {
                         r = log_error_errno(EPERM, "Policy denied connection.");
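Review bot: `/* policy_dump(policy); */` leaves dead code behind with no explanation. Either delete the call or gate it on debug logging, so the dump stays available when diagnosing a "Policy denied connection" result. If it stays as a comment, say why it is disabled. `main()` continues outside the hunk.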