X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=src%2Fbus-proxyd%2Fproxy.c;h=2a3de709580c876b398de42ef32b3e2d82648ca3;hp=744b11da5c94ebf19698b492eb8357cca849b252;hb=0a6f50c0afdfc434b492493bd9efab20cbee8623;hpb=c0395aeb903cde25bd9e81fba3334f63335fe0ef diff --git a/src/bus-proxyd/proxy.c b/src/bus-proxyd/proxy.c index 744b11da5..2a3de7095 100644 --- a/src/bus-proxyd/proxy.c +++ b/src/bus-proxyd/proxy.c @@ -29,7 +29,7 @@ #include #include #include -#include +#include #include #include @@ -73,7 +73,7 @@ static int proxy_create_dest(Proxy *p, const char *dest, const char *local_sec, if (r < 0) return log_error_errno(r, "Failed to set FD negotiation: %m"); - r = sd_bus_negotiate_creds(b, true, SD_BUS_CREDS_UID|SD_BUS_CREDS_PID|SD_BUS_CREDS_GID|SD_BUS_CREDS_SELINUX_CONTEXT); + r = sd_bus_negotiate_creds(b, true, SD_BUS_CREDS_EUID|SD_BUS_CREDS_PID|SD_BUS_CREDS_EGID|SD_BUS_CREDS_SELINUX_CONTEXT); if (r < 0) return log_error_errno(r, "Failed to set credential negotiation: %m"); @@ -82,13 +82,13 @@ static int proxy_create_dest(Proxy *p, const char *dest, const char *local_sec, b->fake_pids_valid = true; b->fake_creds.uid = p->local_creds.uid; - b->fake_creds.euid = UID_INVALID; - b->fake_creds.suid = UID_INVALID; - b->fake_creds.fsuid = UID_INVALID; + b->fake_creds.euid = p->local_creds.uid; + b->fake_creds.suid = p->local_creds.uid; + b->fake_creds.fsuid = p->local_creds.uid; b->fake_creds.gid = p->local_creds.gid; - b->fake_creds.egid = GID_INVALID; - b->fake_creds.sgid = GID_INVALID; - b->fake_creds.fsgid = GID_INVALID; + b->fake_creds.egid = p->local_creds.gid; + b->fake_creds.sgid = p->local_creds.gid; + b->fake_creds.fsgid = p->local_creds.gid; b->fake_creds_valid = true; } @@ -134,7 +134,7 @@ static int proxy_create_local(Proxy *p, int in_fd, int out_fd, bool negotiate_fd if (r < 0) return log_error_errno(r, "Failed to set FD negotiation: %m"); - r = sd_bus_negotiate_creds(b, true, SD_BUS_CREDS_UID|SD_BUS_CREDS_PID|SD_BUS_CREDS_GID|SD_BUS_CREDS_SELINUX_CONTEXT); + r = sd_bus_negotiate_creds(b, true, SD_BUS_CREDS_EUID|SD_BUS_CREDS_PID|SD_BUS_CREDS_EGID|SD_BUS_CREDS_SELINUX_CONTEXT); if (r < 0) return log_error_errno(r, "Failed to set credential negotiation: %m"); @@ -255,16 +255,27 @@ Proxy *proxy_free(Proxy *p) { return NULL; } -int proxy_load_policy(Proxy *p, char **configuration) { +int proxy_set_policy(Proxy *p, SharedPolicy *sp, char **configuration) { _cleanup_strv_free_ char **strv = NULL; + Policy *policy; int r; assert(p); + assert(sp); /* no need to load legacy policy if destination is not kdbus */ if (!p->dest_bus->is_kernel) return 0; + p->policy = sp; + + policy = shared_policy_acquire(sp); + if (policy) { + /* policy already pre-loaded */ + shared_policy_release(sp, policy); + return 0; + } + if (!configuration) { const char *scope; @@ -291,30 +302,30 @@ int proxy_load_policy(Proxy *p, char **configuration) { configuration = strv; } - r = policy_load(&p->policy_buffer, configuration); - if (r < 0) - return log_error_errno(r, "Failed to load policy: %m"); - - p->policy = &p->policy_buffer; - /* policy_dump(p->policy); */ - - return 0; + return shared_policy_preload(sp, configuration); } int proxy_hello_policy(Proxy *p, uid_t original_uid) { + Policy *policy; + int r = 0; + assert(p); if (!p->policy) return 0; + policy = shared_policy_acquire(p->policy); + if (p->local_creds.uid == original_uid) log_debug("Permitting access, since bus owner matches bus client."); - else if (policy_check_hello(p->policy, p->local_creds.uid, p->local_creds.gid)) + else if (policy_check_hello(policy, p->local_creds.uid, p->local_creds.gid)) log_debug("Permitting access due to XML policy."); else - return log_error_errno(EPERM, "Policy denied connection."); + r = log_error_errno(EPERM, "Policy denied connection."); - return 0; + shared_policy_release(p->policy, policy); + + return r; } static int proxy_wait(Proxy *p) { @@ -384,7 +395,7 @@ static int handle_policy_error(sd_bus_message *m, int r) { return r; } -static int process_policy(sd_bus *from, sd_bus *to, sd_bus_message *m, Policy *policy, const struct ucred *our_ucred, Set *owned_names) { +static int process_policy_unlocked(sd_bus *from, sd_bus *to, sd_bus_message *m, Policy *policy, const struct ucred *our_ucred, Set *owned_names) { int r; assert(from); @@ -414,7 +425,6 @@ static int process_policy(sd_bus *from, sd_bus *to, sd_bus_message *m, Policy *p uid_t sender_uid = UID_INVALID; gid_t sender_gid = GID_INVALID; char **sender_names = NULL; - bool granted = false; /* Driver messages are always OK */ if (streq_ptr(m->sender, "org.freedesktop.DBus")) @@ -423,8 +433,8 @@ static int process_policy(sd_bus *from, sd_bus *to, sd_bus_message *m, Policy *p /* The message came from the kernel, and is sent to our legacy client. */ sd_bus_creds_get_well_known_names(&m->creds, &sender_names); - (void) sd_bus_creds_get_uid(&m->creds, &sender_uid); - (void) sd_bus_creds_get_gid(&m->creds, &sender_gid); + (void) sd_bus_creds_get_euid(&m->creds, &sender_uid); + (void) sd_bus_creds_get_egid(&m->creds, &sender_gid); if (sender_uid == UID_INVALID || sender_gid == GID_INVALID) { _cleanup_bus_creds_unref_ sd_bus_creds *sender_creds = NULL; @@ -436,43 +446,18 @@ static int process_policy(sd_bus *from, sd_bus *to, sd_bus_message *m, Policy *p * case, query the creds of the peer * instead. */ - r = bus_get_name_creds_kdbus(from, m->sender, SD_BUS_CREDS_UID|SD_BUS_CREDS_GID, true, &sender_creds); + r = bus_get_name_creds_kdbus(from, m->sender, SD_BUS_CREDS_EUID|SD_BUS_CREDS_EGID, true, &sender_creds); if (r < 0) return handle_policy_error(m, r); - (void) sd_bus_creds_get_uid(sender_creds, &sender_uid); - (void) sd_bus_creds_get_gid(sender_creds, &sender_gid); + (void) sd_bus_creds_get_euid(sender_creds, &sender_uid); + (void) sd_bus_creds_get_egid(sender_creds, &sender_gid); } /* First check whether the sender can send the message to our name */ - if (set_isempty(owned_names)) { - if (policy_check_send(policy, sender_uid, sender_gid, m->header->type, NULL, m->path, m->interface, m->member, false)) - granted = true; - } else { - Iterator i; - char *n; - - SET_FOREACH(n, owned_names, i) - if (policy_check_send(policy, sender_uid, sender_gid, m->header->type, n, m->path, m->interface, m->member, false)) { - granted = true; - break; - } - } - - if (granted) { - /* Then check whether us (the recipient) can receive from the sender's name */ - if (strv_isempty(sender_names)) { - if (policy_check_recv(policy, our_ucred->uid, our_ucred->gid, m->header->type, NULL, m->path, m->interface, m->member, false)) - return 0; - } else { - char **n; - - STRV_FOREACH(n, sender_names) { - if (policy_check_recv(policy, our_ucred->uid, our_ucred->gid, m->header->type, *n, m->path, m->interface, m->member, false)) - return 0; - } - } - } + if (policy_check_send(policy, sender_uid, sender_gid, m->header->type, owned_names, NULL, m->path, m->interface, m->member, false, NULL) && + policy_check_recv(policy, our_ucred->uid, our_ucred->gid, m->header->type, NULL, sender_names, m->path, m->interface, m->member, false)) + return 0; /* Return an error back to the caller */ if (m->header->type == SD_BUS_MESSAGE_METHOD_CALL) @@ -488,7 +473,7 @@ static int process_policy(sd_bus *from, sd_bus *to, sd_bus_message *m, Policy *p gid_t destination_gid = GID_INVALID; const char *destination_unique = NULL; char **destination_names = NULL; - bool granted = false; + char *n; /* Driver messages are always OK */ if (streq_ptr(m->destination, "org.freedesktop.DBus")) @@ -498,7 +483,7 @@ static int process_policy(sd_bus *from, sd_bus *to, sd_bus_message *m, Policy *p if (m->destination) { r = bus_get_name_creds_kdbus(to, m->destination, SD_BUS_CREDS_WELL_KNOWN_NAMES|SD_BUS_CREDS_UNIQUE_NAME| - SD_BUS_CREDS_UID|SD_BUS_CREDS_GID|SD_BUS_CREDS_PID, + SD_BUS_CREDS_EUID|SD_BUS_CREDS_EGID|SD_BUS_CREDS_PID, true, &destination_creds); if (r < 0) return handle_policy_error(m, r); @@ -509,47 +494,29 @@ static int process_policy(sd_bus *from, sd_bus *to, sd_bus_message *m, Policy *p sd_bus_creds_get_well_known_names(destination_creds, &destination_names); - (void) sd_bus_creds_get_uid(destination_creds, &destination_uid); - (void) sd_bus_creds_get_gid(destination_creds, &destination_gid); + (void) sd_bus_creds_get_euid(destination_creds, &destination_uid); + (void) sd_bus_creds_get_egid(destination_creds, &destination_gid); } /* First check if we (the sender) can send to this name */ - if (strv_isempty(destination_names)) { - if (policy_check_send(policy, our_ucred->uid, our_ucred->gid, m->header->type, NULL, m->path, m->interface, m->member, true)) - granted = true; - } else { - char **n; - - STRV_FOREACH(n, destination_names) { - if (policy_check_send(policy, our_ucred->uid, our_ucred->gid, m->header->type, *n, m->path, m->interface, m->member, true)) { - - /* If we made a receiver decision, - then remember which name's policy - we used, and to which unique ID it - mapped when we made the - decision. Then, let's pass this to - the kernel when sending the - message, so that it refuses the - operation should the name and - unique ID not map to each other - anymore. */ - - r = free_and_strdup(&m->destination_ptr, *n); - if (r < 0) - return r; - - r = bus_kernel_parse_unique_name(destination_unique, &m->verify_destination_id); - if (r < 0) - break; - - granted = true; - break; - } + if (policy_check_send(policy, our_ucred->uid, our_ucred->gid, m->header->type, NULL, destination_names, m->path, m->interface, m->member, true, &n)) { + if (n) { + /* If we made a receiver decision, then remember which + * name's policy we used, and to which unique ID it + * mapped when we made the decision. Then, let's pass + * this to the kernel when sending the message, so that + * it refuses the operation should the name and unique + * ID not map to each other anymore. */ + + r = free_and_strdup(&m->destination_ptr, n); + if (r < 0) + return r; + + r = bus_kernel_parse_unique_name(destination_unique, &m->verify_destination_id); + if (r < 0) + return r; } - } - /* Then check if the recipient can receive from our name */ - if (granted) { if (sd_bus_message_is_signal(m, NULL, NULL)) { /* If we forward a signal from dbus-1 to kdbus, * we have no idea who the recipient is. @@ -560,16 +527,8 @@ static int process_policy(sd_bus *from, sd_bus *to, sd_bus_message *m, Policy *p * receiver policies to the message. Therefore, * skip policy checks in this case. */ return 0; - } else if (set_isempty(owned_names)) { - if (policy_check_recv(policy, destination_uid, destination_gid, m->header->type, NULL, m->path, m->interface, m->member, true)) - return 0; - } else { - Iterator i; - char *n; - - SET_FOREACH(n, owned_names, i) - if (policy_check_recv(policy, destination_uid, destination_gid, m->header->type, n, m->path, m->interface, m->member, true)) - return 0; + } else if (policy_check_recv(policy, destination_uid, destination_gid, m->header->type, owned_names, NULL, m->path, m->interface, m->member, true)) { + return 0; } } @@ -584,6 +543,19 @@ static int process_policy(sd_bus *from, sd_bus *to, sd_bus_message *m, Policy *p return 0; } +static int process_policy(sd_bus *from, sd_bus *to, sd_bus_message *m, SharedPolicy *sp, const struct ucred *our_ucred, Set *owned_names) { + Policy *policy; + int r; + + assert(sp); + + policy = shared_policy_acquire(sp); + r = process_policy_unlocked(from, to, m, policy, our_ucred, owned_names); + shared_policy_release(sp, policy); + + return r; +} + static int process_hello(Proxy *p, sd_bus_message *m) { _cleanup_bus_message_unref_ sd_bus_message *n = NULL; bool is_hello;