[systemd-devel] SELinux patch still broken, in that we are not checking the correct source context.
Lennart Poettering
lennart at poettering.net
Mon Oct 15 17:00:23 PDT 2012
On Thu, 11.10.12 17:06, Daniel J Walsh (dwalsh at redhat.com) wrote:
Applied both patches, with minor changes (replaced calloc+strncpy with
strndup()).
> diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
> index d9c3f9b..974e9fe 100644
> --- a/src/core/selinux-access.c
> +++ b/src/core/selinux-access.c
> @@ -59,7 +59,11 @@ static int bus_get_selinux_security_context(
> DBusError *error) {
>
> _cleanup_dbus_message_unref_ DBusMessage *m = NULL, *reply = NULL;
> + DBusMessageIter iter, sub;
> + char *bytes;
> + int nbytes;
>
> + log_debug("GetConnectionSELinuxSecurityContext");
> m = dbus_message_new_method_call(
> DBUS_SERVICE_DBUS,
> DBUS_PATH_DBUS,
> @@ -85,11 +89,21 @@ static int bus_get_selinux_security_context(
> if (dbus_set_error_from_message(error, reply))
> return -EIO;
>
> - if (!dbus_message_get_args(
> - reply, error,
> - DBUS_TYPE_STRING, scon,
> - DBUS_TYPE_INVALID))
> - return -EIO;
> + if (!dbus_message_iter_init (reply, &iter))
> + return -EIO;
> +
> + if (dbus_message_iter_get_arg_type (&iter) != DBUS_TYPE_ARRAY)
> + return -EIO;
> +
> + dbus_message_iter_recurse (&iter, &sub);
> + dbus_message_iter_get_fixed_array (&sub, &bytes, &nbytes);
> +
> + *scon = calloc(1, nbytes + 1);
> + if (!*scon)
> + return -ENOMEM;
> + strncpy(*scon, bytes, nbytes);
> +
> + log_debug("GetConnectionSELinuxSecurityContext %s (pid %ld)", *scon, (long) bus_get_unix_process_id(connection, name, error));
>
> return 0;
> }
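Review bot: `dbus_message_iter_get_fixed_array(&sub, &bytes, &nbytes)` is reached after checking only that the reply's first argument is an array, not that its element type is byte; on a reply carrying an array of strings or structs libdbus' fixed-array getter is a contract violation rather than a clean failure. Add `if (dbus_message_iter_get_element_type(&iter) != DBUS_TYPE_BYTE) return -EIO;` between the DBUS_TYPE_ARRAY check and `dbus_message_iter_recurse`. The final `log_debug` also evaluates `bus_get_unix_process_id(connection, name, error)` on every call regardless of log level — presumably a second bus round trip per access check — and hands it the same `error` object, so a failure there can leave `error` set while the function still returns 0; either drop the pid from the message or fetch it only when debug logging is actually enabled.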
> @@ -293,14 +307,17 @@ static int get_calling_context(
> */
> sender = dbus_message_get_sender(message);
> if (sender) {
> + log_error("SELinux Got Sender %s", sender);
> +
> r = bus_get_selinux_security_context(connection, sender, scon, error);
> if (r >= 0)
> return r;
>
> - log_debug("bus_get_selinux_security_context failed %m");
> - dbus_error_free(error);
> + log_error("bus_get_selinux_security_context failed %m");
> + return r;
> }
>
> + log_debug("SELinux No Sender");
> if (!dbus_connection_get_unix_fd(connection, &fd)) {
> log_error("bus_connection_get_unix_fd failed %m");
> return -EINVAL;
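Review bot: `log_error("SELinux Got Sender %s", sender);` sits on the success path of every access check, so a healthy system will log at error priority for each method call; it reads as leftover debugging and should be `log_debug("SELinux Got Sender %s", sender);` or removed. Returning `r` instead of falling through to the connection's own peer context is the right choice — that fd belongs to the bus, not to the caller — but the new early return exposes that bus_get_selinux_security_context returns -EIO on a malformed reply without populating `error`, so a caller that reports `error` on a negative return would see an empty DBusError on that path; whether any caller does so is not visible here, and get_calling_context continues past the end of this hunk.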
Lennart
--
Lennart Poettering - Red Hat, Inc.