X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fbus-proxyd%2Fbus-proxyd.c;h=07995ec83255c6147793a6e341045fbc1554e678;hb=9339db7187c61eb7ae7e6ffcddb2b2f2686954eb;hp=e095d61ffbd6a1dd8ce1b8c997b8324325fe22db;hpb=19befb2d5fc087f96e40ddc432b2cc9385666209;p=elogind.git
diff --git a/src/bus-proxyd/bus-proxyd.c b/src/bus-proxyd/bus-proxyd.c
index e095d61ff..07995ec83 100644
--- a/src/bus-proxyd/bus-proxyd.c
+++ b/src/bus-proxyd/bus-proxyd.c
@@ -44,18 +44,24 @@
 #include "build.h"
 #include "strv.h"
 #include "def.h"
+#include "capability.h"
+#include "bus-policy.h"
-static const char *arg_address = DEFAULT_SYSTEM_BUS_PATH;
+static const char *arg_address = KERNEL_SYSTEM_BUS_PATH;
 static char *arg_command_line_buffer = NULL;
+static bool arg_drop_privileges = false;
+static char **arg_configuration = NULL;
 static int help(void) {
 printf("%s [OPTIONS...]\n\n"
 "Connect STDIO or a socket to a given bus address.\n\n"
- " -h --help Show this help\n"
- " --version Show package version\n"
- " --address=ADDRESS Connect to the bus specified by ADDRESS\n"
- " (default: " DEFAULT_SYSTEM_BUS_PATH ")\n",
+ " -h --help Show this help\n"
+ " --version Show package version\n"
+ " --drop-privileges Drop privileges\n"
+ " --configuration=PATH Configuration file or directory\n"
+ " --address=ADDRESS Connect to the bus specified by ADDRESS\n"
+ " (default: " KERNEL_SYSTEM_BUS_PATH ")\n",
 program_invocation_short_name);
 return 0;
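Review bot: `arg_drop_privileges` defaults to `false`, so the proxy keeps whatever privileges it was started with unless every invoker passes `--drop-privileges`, and the usage line `Drop privileges` gives an operator no hint of what is dropped or kept. I would make the help text say what the flag does, for example `"     --drop-privileges    Run as user systemd-bus-proxy, keeping only CAP_IPC_OWNER\n"`, which matches the account name and capability mask used in `main()` later in this diff. Whether the shipped unit or activation files pass the flag is not visible here and is worth confirming before relying on it.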
@@ -66,16 +72,20 @@ static int parse_argv(int argc, char *argv[]) {
 enum {
 ARG_VERSION = 0x100,
 ARG_ADDRESS,
+ ARG_DROP_PRIVILEGES,
+ ARG_CONFIGURATION,
 };
 static const struct option options[] = {
- { "help", no_argument, NULL, 'h' },
- { "version", no_argument, NULL, ARG_VERSION },
- { "address", required_argument, NULL, ARG_ADDRESS },
- { NULL, 0, NULL, 0 }
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, ARG_VERSION },
+ { "address", required_argument, NULL, ARG_ADDRESS },
+ { "drop-privileges", no_argument, NULL, ARG_DROP_PRIVILEGES },
+ { "configuration", required_argument, NULL, ARG_CONFIGURATION },
+ { NULL, 0, NULL, 0 },
 };
- int c;
+ int c, r;
 assert(argc >= 0);
 assert(argv);
@@ -97,6 +107,16 @@ static int parse_argv(int argc, char *argv[]) {
 arg_address = optarg;
 break;
+ case ARG_DROP_PRIVILEGES:
+ arg_drop_privileges = true;
+ break;
+
+ case ARG_CONFIGURATION:
+ r = strv_extend(&arg_configuration, optarg);
+ if (r < 0)
+ return log_oom();
+ break;
+
 case '?':
 return -EINVAL;
@@ -440,7 +460,6 @@ static int peer_is_privileged(sd_bus *bus, sd_bus_message *m) {
 return false;
 }
-
 static int process_driver(sd_bus *a, sd_bus *b, sd_bus_message *m) {
 int r;
@@ -1035,6 +1054,7 @@ int main(int argc, char *argv[]) {
 bool is_unix;
 struct ucred ucred = {};
 _cleanup_free_ char *peersec = NULL;
+ Policy policy = {};
 log_set_target(LOG_TARGET_JOURNAL_OR_KMSG);
 log_parse_environment();
@@ -1044,6 +1064,14 @@ int main(int argc, char *argv[]) {
 if (r <= 0)
 goto finish;
+ r = policy_load(&policy, arg_configuration);
+ if (r < 0) {
+ log_error("Failed to load policy: %s", strerror(-r));
+ goto finish;
+ }
+
+ /* policy_dump(&policy); */
+
 r = sd_listen_fds(0);
 if (r == 0) {
 in_fd = STDIN_FILENO;
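Review bot: In the `main()` hunk that adds `policy_load(&policy, arg_configuration)`, the policy is parsed but nothing visible in this diff consults it: `policy` is only handed to `policy_load()` and, at `finish:`, to `policy_free()`, so as far as these hunks show the proxy forwards traffic exactly as before. When no `--configuration` is given `arg_configuration` is still NULL, and what `policy_load()` produces for that is not visible here; a comment above the call should say so, along the lines of `/* Policy is loaded but not enforced yet; with no --configuration the result is <document: empty/allow or deny> */`. The commented-out `/* policy_dump(&policy); */` is leftover debug code and should be removed or turned into a debug-level log call. `main()` starts and ends outside this hunk.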
@@ -1065,6 +1093,22 @@ int main(int argc, char *argv[]) {
 getpeersec(in_fd, &peersec);
 }
+ if (arg_drop_privileges) {
+ const char *user = "systemd-bus-proxy";
+ uid_t uid;
+ gid_t gid;
+
+ r = get_user_creds(&user, &uid, &gid, NULL, NULL);
+ if (r < 0) {
+ log_error("Cannot resolve user name %s: %s", user, strerror(-r));
+ goto finish;
+ }
+
+ r = drop_privileges(uid, gid, 1ULL << CAP_IPC_OWNER);
+ if (r < 0)
+ goto finish;
+ }
+
 r = sd_bus_new(&a);
 if (r < 0) {
 log_error("Failed to allocate bus: %s", strerror(-r));
@@ -1390,5 +1434,8 @@ finish:
 sd_bus_flush(a);
 sd_bus_flush(b);
+ policy_free(&policy);
+ strv_free(arg_configuration);
+
 return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
 }
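Review bot: The `drop_privileges(uid, gid, 1ULL << CAP_IPC_OWNER)` call in `main()` retains one capability without a comment saying why the proxy still needs it after switching to `systemd-bus-proxy`, and its failure branch `if (r < 0) goto finish;` logs nothing, unlike the `get_user_creds()` branch just above it. Add a comment above the call stating what CAP_IPC_OWNER is required for, and, unless `drop_privileges()` reports its own errors (not visible here), a line such as `log_error("Failed to drop privileges: %s", strerror(-r));` before the `goto`. The ordering is worth preserving in later changes: the peer credentials and the policy files are read before the drop, and a failed drop exits through `finish:` instead of continuing with full privileges. `main()` starts and ends outside this hunk.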