X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=src%2Fbus-proxyd%2Fbus-proxyd.c;h=3cbbab718bd139bed498e67ce2c5857e606d6998;hp=44e16fcd15c6b87a536cd1a66aee62a981fe28a3;hb=0042d824e3616aaf2e3eec23d3b2e6aec7c0470c;hpb=426bb5ddb8ff122d3e08b0480466718b68485e70 diff --git a/src/bus-proxyd/bus-proxyd.c b/src/bus-proxyd/bus-proxyd.c index 44e16fcd1..3cbbab718 100644 --- a/src/bus-proxyd/bus-proxyd.c +++ b/src/bus-proxyd/bus-proxyd.c @@ -992,6 +992,22 @@ static int process_policy(sd_bus *from, sd_bus *to, sd_bus_message *m, Policy *p if (!policy) return 0; + /* + * dbus-1 distinguishes expected and non-expected replies by tracking + * method-calls and timeouts. By default, DENY rules are *NEVER* applied + * on expected replies, unless explicitly specified. But we dont track + * method-calls, thus, we cannot know whether a reply is expected. + * Fortunately, the kdbus forbids non-expected replies, so we can safely + * ignore any policy on those and let the kernel deal with it. + * + * TODO: To be correct, we should only ignore policy-tags that are + * applied on non-expected replies. However, so far we don't parse those + * tags so we let everything pass. I haven't seen a DENY policy tag on + * expected-replies, ever, so don't bother.. + */ + if (m->reply_cookie > 0) + return 0; + if (from->is_kernel) { uid_t sender_uid = UID_INVALID; gid_t sender_gid = GID_INVALID; @@ -1008,6 +1024,24 @@ static int process_policy(sd_bus *from, sd_bus *to, sd_bus_message *m, Policy *p (void) sd_bus_creds_get_uid(&m->creds, &sender_uid); (void) sd_bus_creds_get_gid(&m->creds, &sender_gid); + if (sender_uid == UID_INVALID || sender_gid == GID_INVALID) { + _cleanup_bus_creds_unref_ sd_bus_creds *sender_creds = NULL; + + /* If the message came from another legacy + * client, then the message creds will be + * missing, simply because on legacy clients + * per-message creds were unknown. In this + * case, query the creds of the peer + * instead. */ + + r = bus_get_name_creds_kdbus(from, m->sender, SD_BUS_CREDS_UID|SD_BUS_CREDS_GID, true, &sender_creds); + if (r < 0) + return handle_policy_error(m, r); + + (void) sd_bus_creds_get_uid(sender_creds, &sender_uid); + (void) sd_bus_creds_get_gid(sender_creds, &sender_gid); + } + /* First check whether the sender can send the message to our name */ if (set_isempty(owned_names)) { if (policy_check_send(policy, sender_uid, sender_gid, m->header->type, NULL, m->path, m->interface, m->member)) @@ -1282,6 +1316,7 @@ int main(int argc, char *argv[]) { _cleanup_free_ char *peersec = NULL; Policy policy_buffer = {}, *policy = NULL; _cleanup_set_free_free_ Set *owned_names = NULL; + uid_t original_uid; log_set_target(LOG_TARGET_JOURNAL_OR_KMSG); log_parse_environment(); @@ -1303,6 +1338,8 @@ int main(int argc, char *argv[]) { goto finish; } + original_uid = getuid(); + is_unix = sd_is_socket(in_fd, AF_UNIX, 0, 0) > 0 && sd_is_socket(out_fd, AF_UNIX, 0, 0) > 0; @@ -1444,7 +1481,11 @@ int main(int argc, char *argv[]) { policy = &policy_buffer; /* policy_dump(policy); */ - if (!policy_check_hello(policy, ucred.uid, ucred.gid)) { + if (ucred.uid == original_uid) + log_debug("Permitting access, since bus owner matches bus client."); + else if (policy_check_hello(policy, ucred.uid, ucred.gid)) + log_debug("Permitting access due to XML policy."); + else { r = log_error_errno(EPERM, "Policy denied connection."); goto finish; } @@ -1605,14 +1646,26 @@ int main(int argc, char *argv[]) { if (!processed) { k = sd_bus_send(b, m, NULL); if (k < 0) { - if (k == -ECONNRESET) + if (k == -ECONNRESET) { r = 0; - else { + goto finish; + } else if (k == -EPERM && m->reply_cookie > 0) { + /* If the peer tries to send a reply and it is rejected with EPERM + * by the kernel, we ignore the error. This catches cases where the + * original method-call didn't had EXPECT_REPLY set, but the proxy-peer + * still sends a reply. This is allowed in dbus1, but not in kdbus. We + * don't want to track reply-windows in the proxy, so we simply ignore + * EPERM for all replies. The only downside is, that callers are no + * longer notified if their replies are dropped. However, this is + * equivalent to the caller's timeout to expire, so this should be + * acceptable. Nobody sane sends replies without a matching method-call, + * so nobody should care. */ + r = 1; + } else { r = k; log_error_errno(r, "Failed to send message to client: %m"); + goto finish; } - - goto finish; } else r = 1; } @@ -1682,17 +1735,20 @@ int main(int argc, char *argv[]) { k = sd_bus_send(a, m, NULL); if (k < 0) { - if (k == -EREMCHG) + if (k == -EREMCHG) { /* The name database changed since the policy check, hence let's check again */ continue; - else if (k == -ECONNRESET) + } else if (k == -ECONNRESET) { r = 0; - else { + goto finish; + } else if (k == -EPERM && m->reply_cookie > 0) { + /* see above why EPERM is ignored for replies */ + r = 1; + } else { r = k; log_error_errno(r, "Failed to send message to bus: %m"); + goto finish; } - - goto finish; } else r = 1;