chiark / gitweb /
bus: use EUID over UID and fix unix-creds
[elogind.git] / src / core / selinux-access.c
index b933698..f638958 100644 (file)
@@ -6,16 +6,16 @@
   Copyright 2012 Dan Walsh
 
   systemd is free software; you can redistribute it and/or modify it
-  under the terms of the GNU General Public License as published by
-  the Free Software Foundation; either version 2 of the License, or
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
   (at your option) any later version.
 
   systemd is distributed in the hope that it will be useful, but
   WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-  General Public License for more details.
+  Lesser General Public License for more details.
 
-  You should have received a copy of the GNU General Public License
+  You should have received a copy of the GNU Lesser General Public License
   along with systemd; If not, see <http://www.gnu.org/licenses/>.
 ***/
 
 #include <limits.h>
 #include <selinux/selinux.h>
 #include <selinux/avc.h>
+#include <sys/socket.h>
 #ifdef HAVE_AUDIT
 #include <libaudit.h>
 #endif
-#include <dbus.h>
 
+#include "sd-bus.h"
+#include "bus-util.h"
 #include "util.h"
 #include "log.h"
-#include "bus-errors.h"
-#include "dbus-common.h"
 #include "audit.h"
 #include "selinux-util.h"
 #include "audit-fd.h"
+#include "strv.h"
 
 static bool initialized = false;
 
-struct auditstruct {
+struct audit_info {
+        sd_bus_creds *creds;
         const char *path;
-        char *cmdline;
-        uid_t loginuid;
-        uid_t uid;
-        gid_t gid;
+        const char *cmdline;
 };
 
-static int bus_get_selinux_security_context(
-                DBusConnection *connection,
-                const char *name,
-                char **scon,
-                DBusError *error) {
-
-        _cleanup_dbus_message_unref_ DBusMessage *m = NULL, *reply = NULL;
-        DBusMessageIter iter, sub;
-        const char *bytes;
-        char *b;
-        int nbytes;
-
-        m = dbus_message_new_method_call(
-                        DBUS_SERVICE_DBUS,
-                        DBUS_PATH_DBUS,
-                        DBUS_INTERFACE_DBUS,
-                        "GetConnectionSELinuxSecurityContext");
-        if (!m) {
-                dbus_set_error_const(error, DBUS_ERROR_NO_MEMORY, NULL);
-                return -ENOMEM;
-        }
-
-        if (!dbus_message_append_args(
-                            m,
-                            DBUS_TYPE_STRING, &name,
-                            DBUS_TYPE_INVALID)) {
-                dbus_set_error_const(error, DBUS_ERROR_NO_MEMORY, NULL);
-                return -ENOMEM;
-        }
-
-        reply = dbus_connection_send_with_reply_and_block(connection, m, -1, error);
-        if (!reply)
-                return -EIO;
-
-        if (dbus_set_error_from_message(error, reply))
-                return -EIO;
-
-        if (!dbus_message_iter_init(reply, &iter))
-                return -EIO;
-
-        if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_ARRAY)
-                return -EIO;
-
-        dbus_message_iter_recurse(&iter, &sub);
-        dbus_message_iter_get_fixed_array(&sub, &bytes, &nbytes);
-
-        b = strndup(bytes, nbytes);
-        if (!b)
-                return -ENOMEM;
-
-        *scon = b;
-
-        log_debug("GetConnectionSELinuxSecurityContext %s (pid %ld)", *scon, (long) bus_get_unix_process_id(connection, name, error));
-
-        return 0;
-}
-
-static int bus_get_audit_data(
-                DBusConnection *connection,
-                const char *name,
-                struct auditstruct *audit,
-                DBusError *error) {
-
-        pid_t pid;
-        int r;
-
-        pid = bus_get_unix_process_id(connection, name, error);
-        if (pid <= 0)
-                return -EIO;
-
-        r = audit_loginuid_from_pid(pid, &audit->loginuid);
-        if (r < 0)
-                return r;
-
-        r = get_process_uid(pid, &audit->uid);
-        if (r < 0)
-                return r;
-
-        r = get_process_gid(pid, &audit->gid);
-        if (r < 0)
-                return r;
-
-        r = get_process_cmdline(pid, 0, true, &audit->cmdline);
-        if (r < 0)
-                return r;
-
-        return 0;
-}
-
 /*
    Any time an access gets denied this callback will be called
-   with the aduit data.  We then need to just copy the audit data into the msgbuf.
+   with the audit data.  We then need to just copy the audit data into the msgbuf.
 */
 static int audit_callback(
                 void *auditdata,
@@ -151,19 +61,25 @@ static int audit_callback(
                 char *msgbuf,
                 size_t msgbufsize) {
 
-        struct auditstruct *audit = (struct auditstruct *) auditdata;
+        const struct audit_info *audit = auditdata;
+        uid_t uid = 0, login_uid = 0;
+        gid_t gid = 0;
+        char login_uid_buf[DECIMAL_STR_MAX(uid_t)] = "n/a";
+        char uid_buf[DECIMAL_STR_MAX(uid_t)] = "n/a";
+        char gid_buf[DECIMAL_STR_MAX(gid_t)] = "n/a";
+
+        if (sd_bus_creds_get_audit_login_uid(audit->creds, &login_uid) >= 0)
+                snprintf(login_uid_buf, sizeof(login_uid_buf), UID_FMT, login_uid);
+        if (sd_bus_creds_get_euid(audit->creds, &uid) >= 0)
+                snprintf(uid_buf, sizeof(uid_buf), UID_FMT, uid);
+        if (sd_bus_creds_get_egid(audit->creds, &gid) >= 0)
+                snprintf(gid_buf, sizeof(gid_buf), GID_FMT, gid);
 
         snprintf(msgbuf, msgbufsize,
-                 "auid=%d uid=%d gid=%d%s%s%s%s%s%s",
-                 audit->loginuid,
-                 audit->uid,
-                 audit->gid,
-                 (audit->path ? " path=\"" : ""),
-                 strempty(audit->path),
-                 (audit->path ? "\"" : ""),
-                 (audit->cmdline ? " cmdline=\"" : ""),
-                 strempty(audit->cmdline),
-                 (audit->cmdline ? "\"" : ""));
+                 "auid=%s uid=%s gid=%s%s%s%s%s%s%s",
+                 login_uid_buf, uid_buf, gid_buf,
+                 audit->path ? " path=\"" : "", strempty(audit->path), audit->path ? "\"" : "",
+                 audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "");
 
         msgbuf[msgbufsize-1] = 0;
 
@@ -176,23 +92,27 @@ static int audit_callback(
    user_avc's into the /var/log/audit/audit.log, otherwise they will be
    sent to syslog.
 */
-static int log_callback(int type, const char *fmt, ...) {
+_printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
         va_list ap;
 
-        va_start(ap, fmt);
-
 #ifdef HAVE_AUDIT
         if (get_audit_fd() >= 0) {
-                char buf[LINE_MAX];
+                _cleanup_free_ char *buf = NULL;
+                int r;
 
-                vsnprintf(buf, sizeof(buf), fmt, ap);
-                audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
+                va_start(ap, fmt);
+                r = vasprintf(&buf, fmt, ap);
                 va_end(ap);
 
-                return 0;
+                if (r >= 0) {
+                        audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
+                        return 0;
+                }
         }
 #endif
-        log_metav(LOG_USER | LOG_INFO, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
+
+        va_start(ap, fmt);
+        log_internalv(LOG_AUTH | LOG_INFO, 0, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
         va_end(ap);
 
         return 0;
@@ -204,133 +124,49 @@ static int log_callback(int type, const char *fmt, ...) {
    If you want to cleanup memory you should need to call selinux_access_finish.
 */
 static int access_init(void) {
-        int r;
+        int r = 0;
 
-        if (avc_open(NULL, 0)) {
-                log_error("avc_open() failed: %m");
-                return -errno;
-        }
+        if (avc_open(NULL, 0))
+                return log_error_errno(errno, "avc_open() failed: %m");
 
         selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) audit_callback);
         selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) log_callback);
 
-        if (security_getenforce() >= 0)
-                return 0;
-
-        r = -errno;
-        avc_destroy();
+        if (security_getenforce() < 0){
+                r = -errno;
+                avc_destroy();
+        }
 
         return r;
 }
 
-static int selinux_access_init(DBusError *error) {
+static int mac_selinux_access_init(sd_bus_error *error) {
         int r;
 
         if (initialized)
                 return 0;
 
-        if (use_selinux()) {
-                r = access_init();
-                if (r < 0) {
-                        dbus_set_error(error, DBUS_ERROR_ACCESS_DENIED, "Failed to initialize SELinux.");
-                        return r;
-                }
-        }
+        if (!mac_selinux_use())
+                return 0;
+
+        r = access_init();
+        if (r < 0)
+                return sd_bus_error_set(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to initialize SELinux.");
 
         initialized = true;
         return 0;
 }
+#endif
+
+void mac_selinux_access_free(void) {
 
-void selinux_access_free(void) {
+#ifdef HAVE_SELINUX
         if (!initialized)
                 return;
 
         avc_destroy();
         initialized = false;
-}
-
-static int get_audit_data(
-                DBusConnection *connection,
-                DBusMessage *message,
-                struct auditstruct *audit,
-                DBusError *error) {
-
-        const char *sender;
-        int r, fd;
-        struct ucred ucred;
-        socklen_t len;
-
-        sender = dbus_message_get_sender(message);
-        if (sender)
-                return bus_get_audit_data(connection, sender, audit, error);
-
-        if (!dbus_connection_get_unix_fd(connection, &fd))
-                return -EINVAL;
-
-        r = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &ucred, &len);
-        if (r < 0) {
-                log_error("Failed to determine peer credentials: %m");
-                return -errno;
-        }
-
-        audit->uid = ucred.uid;
-        audit->gid = ucred.gid;
-
-        r = audit_loginuid_from_pid(ucred.pid, &audit->loginuid);
-        if (r < 0)
-                return r;
-
-        r = get_process_cmdline(ucred.pid, 0, true, &audit->cmdline);
-        if (r < 0)
-                return r;
-
-        return 0;
-}
-
-/*
-   This function returns the security context of the remote end of the dbus
-   connections.  Whether it is on the bus or a local connection.
-*/
-static int get_calling_context(
-                DBusConnection *connection,
-                DBusMessage *message,
-                security_context_t *scon,
-                DBusError *error) {
-
-        const char *sender;
-        int r;
-        int fd;
-
-        /*
-           If sender exists then
-           if sender is NULL this indicates a local connection.  Grab the fd
-           from dbus and do an getpeercon to peers process context
-        */
-        sender = dbus_message_get_sender(message);
-        if (sender) {
-                log_error("SELinux Got Sender %s", sender);
-
-                r = bus_get_selinux_security_context(connection, sender, scon, error);
-                if (r >= 0)
-                        return r;
-
-                log_error("bus_get_selinux_security_context failed: %m");
-                return r;
-        }
-
-        log_debug("SELinux No Sender");
-        if (!dbus_connection_get_unix_fd(connection, &fd)) {
-                log_error("bus_connection_get_unix_fd failed %m");
-                return -EINVAL;
-        }
-
-        r = getpeercon(fd, scon);
-        if (r < 0) {
-                log_error("getpeercon failed %m");
-                return -errno;
-        }
-
-        return 0;
+#endif
 }
 
 /*
@@ -339,103 +175,111 @@ static int get_calling_context(
    If the machine is in permissive mode it will return ok.  Audit messages will
    still be generated if the access would be denied in enforcing mode.
 */
-int selinux_access_check(
-                DBusConnection *connection,
-                DBusMessage *message,
+int mac_selinux_generic_access_check(
+                sd_bus_message *message,
                 const char *path,
                 const char *permission,
-                DBusError *error) {
+                sd_bus_error *error) {
 
-        security_context_t scon = NULL, fcon = NULL;
+#ifdef HAVE_SELINUX
+        _cleanup_bus_creds_unref_ sd_bus_creds *creds = NULL;
+        const char *tclass = NULL, *scon = NULL;
+        struct audit_info audit_info = {};
+        _cleanup_free_ char *cl = NULL;
+        security_context_t fcon = NULL;
+        char **cmdline = NULL;
         int r = 0;
-        const char *tclass = NULL;
-        struct auditstruct audit;
 
-        assert(connection);
         assert(message);
         assert(permission);
         assert(error);
 
-        if (!use_selinux())
+        if (!mac_selinux_use())
                 return 0;
 
-        r = selinux_access_init(error);
+        r = mac_selinux_access_init(error);
         if (r < 0)
                 return r;
 
-        log_debug("SELinux access check for path=%s permission=%s", strna(path), permission);
-
-        audit.uid = audit.loginuid = (uid_t) -1;
-        audit.gid = (gid_t) -1;
-        audit.cmdline = NULL;
-        audit.path = path;
+        r = sd_bus_query_sender_creds(
+                        message,
+                        SD_BUS_CREDS_PID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EGID|
+                        SD_BUS_CREDS_CMDLINE|SD_BUS_CREDS_AUDIT_LOGIN_UID|
+                        SD_BUS_CREDS_SELINUX_CONTEXT|
+                        SD_BUS_CREDS_AUGMENT /* get more bits from /proc */,
+                        &creds);
+        if (r < 0)
+                goto finish;
 
-        r = get_calling_context(connection, message, &scon, error);
-        if (r < 0) {
-                log_error("Failed to get caller's security context on: %m");
+        r = sd_bus_creds_get_selinux_context(creds, &scon);
+        if (r < 0)
                 goto finish;
-        }
 
         if (path) {
-                tclass = "service";
-                /* get the file context of the unit file */
+                /* Get the file context of the unit file */
+
                 r = getfilecon(path, &fcon);
                 if (r < 0) {
-                        dbus_set_error(error, DBUS_ERROR_ACCESS_DENIED, "Failed to get file context on %s.", path);
-                        r = -errno;
-                        log_error("Failed to get security context on %s: %m",path);
+                        r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get file context on %s.", path);
                         goto finish;
                 }
 
+                tclass = "service";
         } else {
-                tclass = "system";
                 r = getcon(&fcon);
                 if (r < 0) {
-                        dbus_set_error(error, DBUS_ERROR_ACCESS_DENIED, "Failed to get current context.");
-                        r = -errno;
-                        log_error("Failed to get current process context on: %m");
+                        r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context.");
                         goto finish;
                 }
+
+                tclass = "system";
         }
 
-        (void) get_audit_data(connection, message, &audit, error);
+        sd_bus_creds_get_cmdline(creds, &cmdline);
+        cl = strv_join(cmdline, " ");
 
-        errno = 0;
-        r = selinux_check_access(scon, fcon, tclass, permission, &audit);
-        if (r < 0) {
-                dbus_set_error(error, DBUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");
-                r = -errno;
-                log_error("SELinux policy denies access.");
-        }
+        audit_info.creds = creds;
+        audit_info.path = path;
+        audit_info.cmdline = cl;
+
+        r = selinux_check_access((security_context_t) scon, fcon, tclass, permission, &audit_info);
+        if (r < 0)
+                r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");
 
-        log_debug("SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %i", scon, fcon, tclass, permission, path, audit.cmdline, r);
+        log_debug("SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %i", scon, fcon, tclass, permission, path, cl, r);
 
 finish:
-        free(audit.cmdline);
-        freecon(scon);
         freecon(fcon);
 
-        if (r && security_getenforce() != 1) {
-                dbus_error_init(error);
+        if (r < 0 && security_getenforce() != 1) {
+                sd_bus_error_free(error);
                 r = 0;
         }
 
         return r;
-}
-
 #else
-
-int selinux_access_check(
-                DBusConnection *connection,
-                DBusMessage *message,
-                const char *path,
-                const char *permission,
-                DBusError *error) {
-
         return 0;
+#endif
 }
 
-void selinux_access_free(void) {
-}
+int mac_selinux_unit_access_check_strv(char **units,
+                                sd_bus_message *message,
+                                Manager *m,
+                                const char *permission,
+                                sd_bus_error *error) {
+#ifdef HAVE_SELINUX
+        char **i;
+        Unit *u;
+        int r;
 
+        STRV_FOREACH(i, units) {
+                u = manager_get_unit(m, *i);
+                if (u) {
+                        r = mac_selinux_unit_access_check(u, message, permission, error);
+                        if (r < 0)
+                                return r;
+                }
+        }
 #endif
+        return 0;
+}