From: Lennart Poettering
Date: Wed, 26 Nov 2014 17:57:37 +0000 (+0100)
Subject: core: make sure we have enough information when doing selinux decisions
X-Git-Tag: v218~325
X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=8fd00193803fd20bed163832ec4d0d5ba2958b87;p=elogind.git
core: make sure we have enough information when doing selinux decisions
Let's ask for the security relevant bits in a race-free way, and augment the rest from /proc.
---
diff --git a/src/core/dbus.c b/src/core/dbus.c
index ec1c0d433..e23d36fdd 100644
--- a/src/core/dbus.c
+++ b/src/core/dbus.c
@@ -776,6 +776,14 @@ static int bus_setup_api(Manager *m, sd_bus *bus) {
 assert(m);
 assert(bus);
+ /* Let's make sure we have enough credential bits so that we can make security and selinux decisions */
+ r = sd_bus_negotiate_creds(bus, 1,
+ SD_BUS_CREDS_PID|SD_BUS_CREDS_UID|
+ SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS|
+ SD_BUS_CREDS_SELINUX_CONTEXT);
+ if (r < 0)
+ log_warning("Failed to enable credential passing, ignoring: %s", strerror(-r));
+
 r = bus_setup_api_vtables(m, bus);
 if (r < 0)
 return r;
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index a4694b33f..a50dec396 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -207,7 +207,8 @@ int mac_selinux_generic_access_check(
 message,
 SD_BUS_CREDS_PID|SD_BUS_CREDS_UID|SD_BUS_CREDS_GID|
 SD_BUS_CREDS_CMDLINE|SD_BUS_CREDS_AUDIT_LOGIN_UID|
- SD_BUS_CREDS_SELINUX_CONTEXT,
+ SD_BUS_CREDS_SELINUX_CONTEXT|
+ SD_BUS_CREDS_AUGMENT /* get more bits from /proc */,
 &creds);
 if (r < 0)
 goto finish;
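Review bot: The failure branch after `sd_bus_negotiate_creds()` in bus_setup_api only warns and continues, so a bus on which negotiation failed still gets its API vtables registered and later access checks run with whatever credentials can be obtained some other way. Since the new comment says these bits feed security and SELinux decisions, it should also say why ignoring the error is acceptable, for example `/* Not fatal: the access check itself has to refuse callers whose context was not delivered with the message */`, or the branch should `return r;` like the `bus_setup_api_vtables()` check below it. The negotiated mask also leaves out SD_BUS_CREDS_GID, which the query in src/core/selinux-access.c requests, so that field presumably always comes from /proc; a word in the comment on which bits are deliberately left to augmentation would help. The body of bus_setup_api starts and ends outside this hunk.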
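Review bot: SD_BUS_CREDS_AUGMENT applies to the whole mask passed here, including SD_BUS_CREDS_SELINUX_CONTEXT, so when the context did not arrive with the message it can be filled in from /proc at check time, which is not race-free and is the value the access decision depends on. After the `if (r < 0) goto finish;` check I would refuse an augmented context, e.g. `if (sd_bus_creds_get_augmented_mask(creds) & SD_BUS_CREDS_SELINUX_CONTEXT) { r = -EPERM; goto finish; }`, provided that accessor is available in this tree. This matters more because the negotiation failure in src/core/dbus.c is only logged. How `creds` is consumed lies outside the hunk, so which of the remaining augmented fields are used only for the audit record needs confirming against the rest of mac_selinux_generic_access_check.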