From 8b74179ee31652bbaaf979777b9e829b426053ef Mon Sep 17 00:00:00 2001

From: David King <dking@redhat.com>

Date: Tue, 4 Nov 2014 10:10:36 +0000

Subject: [PATCH] selinux: Check ListNames permissions with MLS

https://bugzilla.redhat.com/show_bug.cgi?id=1118399

---

 bus/driver.c  |  52 +++++++++++++++++++++++++

 bus/selinux.c | 123 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 bus/selinux.h |   5 +++

 3 files changed, 180 insertions(+)

diff --git a/bus/driver.c b/bus/driver.c

index 574e0f3..20cc940 100644

--- a/bus/driver.c

+++ b/bus/driver.c

@@ -379,6 +379,9 @@ bus_driver_handle_list_services (DBusConnection *connection,

   char **services;

   BusRegistry *registry;

   int i;

+#ifdef HAVE_SELINUX

+  dbus_bool_t mls_enabled;

+#endif

   DBusMessageIter iter;

   DBusMessageIter sub;

@@ -425,9 +428,58 @@ bus_driver_handle_list_services (DBusConnection *connection,

       }

   }

+#ifdef HAVE_SELINUX

+  mls_enabled = bus_selinux_mls_enabled ();

+#endif

   i = 0;

   while (i < len)

     {

+#ifdef HAVE_SELINUX

+      if (mls_enabled)

+        {

+          const char *requester;

+          BusService *service;

+          DBusString str;

+          DBusConnection *service_conn;

+          DBusConnection *requester_conn;

+

+          requester = dbus_message_get_destination (reply);

+          _dbus_string_init_const (&str, requester);

+          service = bus_registry_lookup (registry, &str);

+

+          if (service == NULL)

+            {

+              _dbus_warn_check_failed ("service lookup failed: %s", requester);

+              ++i;

+              continue;

+            }

+          requester_conn = bus_service_get_primary_owners_connection (service);

+          _dbus_string_init_const (&str, services[i]);

+          service = bus_registry_lookup (registry, &str);

+          if (service == NULL)

+            {

+              _dbus_warn_check_failed ("service lookup failed: %s", services[i]);

+              ++i;

+              continue;

+            }

+          service_conn = bus_service_get_primary_owners_connection (service);

+

+          if (!bus_selinux_allows_name (requester_conn, service_conn, error))

+            {

+              if (dbus_error_is_set (error) &&

+                  dbus_error_has_name (error, DBUS_ERROR_NO_MEMORY))

+                {

+                  dbus_free_string_array (services);

+                  dbus_message_unref (reply);

+                  return FALSE;

+                }

+

+              /* Skip any services which are disallowed by SELinux policy. */

+              ++i;

+              continue;

+            }

+        }

+#endif

       if (!dbus_message_iter_append_basic (&sub, DBUS_TYPE_STRING,

                                            &services[i]))

         {

diff --git a/bus/selinux.c b/bus/selinux.c

index 36287e9..6442b79 100644

--- a/bus/selinux.c

+++ b/bus/selinux.c

@@ -63,6 +63,9 @@

 /* Store the value telling us if SELinux is enabled in the kernel. */

 static dbus_bool_t selinux_enabled = FALSE;

+/* Store the value telling us if SELinux with MLS is enabled in the kernel. */

+static dbus_bool_t selinux_mls_enabled = FALSE;

+

 /* Store an avc_entry_ref to speed AVC decisions. */

 static struct avc_entry_ref aeref;

@@ -289,6 +292,20 @@ bus_selinux_enabled (void)

 }

 /**

+ * Return whether or not SELinux with MLS support is enabled; must be

+ * called after bus_selinux_init.

+ */

+dbus_bool_t

+bus_selinux_mls_enabled (void)

+{

+#ifdef HAVE_SELINUX

+  return selinux_mls_enabled;

+#else

+  return FALSE;

+#endif /* HAVE_SELINUX */

+}

+

+/**

  * Do early initialization; determine whether SELinux is enabled.

  */

 dbus_bool_t

@@ -308,6 +325,16 @@ bus_selinux_pre_init (void)

     }

   selinux_enabled = r != 0;

+

+  r = is_selinux_mls_enabled ();

+  if (r < 0)

+    {

+      _dbus_warn ("Could not tell if SELinux MLS is enabled: %s\n",

+                  _dbus_strerror (errno));

+      return FALSE;

+    }

+

+  selinux_mls_enabled = r != 0;

   return TRUE;

 #else

   return TRUE;

@@ -724,6 +751,102 @@ bus_connection_read_selinux_context (DBusConnection     *connection,

 #endif /* HAVE_SELINUX */

 /**

+ * Check if SELinux security controls allow one connection to determine the

+ * name of the other, taking into account MLS considerations.

+ *

+ * @param source the requester of the name.

+ * @param destination the name being requested.

+ * @returns whether the name should be visible by the source of the request

+ */

+dbus_bool_t

+bus_selinux_allows_name (DBusConnection     *source,

+                         DBusConnection     *destination,

+                         DBusError          *error)

+{

+#ifdef HAVE_SELINUX

+  int err;

+  char *policy_type;

+  unsigned long spid, tpid;

+  BusSELinuxID *source_sid;

+  BusSELinuxID *dest_sid;

+  dbus_bool_t ret;

+  dbus_bool_t string_alloced;

+  DBusString auxdata;

+

+  if (!selinux_mls_enabled)

+    return TRUE;

+

+  err = selinux_getpolicytype (&policy_type);

+  if (err < 0)

+    {

+      dbus_set_error_const (error, DBUS_ERROR_IO_ERROR,

+                            "Failed to get SELinux policy type");

+      return FALSE;

+    }

+

+  /* Only check against MLS policy if running under that policy. */

+  if (strcmp (policy_type, "mls") != 0)

+    {

+      free (policy_type);

+      return TRUE;

+    }

+

+  free (policy_type);

+

+  _dbus_assert (source != NULL);

+  _dbus_assert (destination != NULL);

+

+  if (!source || !dbus_connection_get_unix_process_id (source, &spid))

+    spid = 0;

+  if (!destination || !dbus_connection_get_unix_process_id (destination, &tpid))

+    tpid = 0;

+

+  string_alloced = FALSE;

+  if (!_dbus_string_init (&auxdata))

+    goto oom;

+  string_alloced = TRUE;

+

+  if (spid)

+    {

+      if (!_dbus_string_append (&auxdata, " spid="))

+	goto oom;

+

+      if (!_dbus_string_append_uint (&auxdata, spid))

+	goto oom;

+    }

+

+  if (tpid)

+    {

+      if (!_dbus_string_append (&auxdata, " tpid="))

+	goto oom;

+

+      if (!_dbus_string_append_uint (&auxdata, tpid))

+	goto oom;

+    }

+

+  source_sid = bus_connection_get_selinux_id (source);

+  dest_sid = bus_connection_get_selinux_id (destination);

+

+  ret = bus_selinux_check (source_sid,

+                           dest_sid,

+                           SECCLASS_CONTEXT,

+                           CONTEXT__CONTAINS,

+                           &auxdata);

+

+  _dbus_string_free (&auxdata);

+  return ret;

+

+ oom:

+  if (string_alloced)

+    _dbus_string_free (&auxdata);

+  BUS_SET_OOM (error);

+  return FALSE;

+#else

+  return TRUE;

+#endif /* HAVE_SELINUX */

+}

+

+/**

  * Read the SELinux ID from the connection.

  *

  * @param connection the connection to read from

diff --git a/bus/selinux.h b/bus/selinux.h

index 3bab36d..fcaac5f 100644

--- a/bus/selinux.h

+++ b/bus/selinux.h

@@ -32,6 +32,7 @@ dbus_bool_t bus_selinux_full_init(void);

 void        bus_selinux_shutdown (void);

 dbus_bool_t bus_selinux_enabled  (void);

+dbus_bool_t bus_selinux_mls_enabled (void);

 void bus_selinux_id_ref    (BusSELinuxID *sid);

 void bus_selinux_id_unref  (BusSELinuxID *sid);

@@ -54,6 +55,10 @@ dbus_bool_t bus_selinux_allows_acquire_service (DBusConnection *connection,

 						const char     *service_name,

 						DBusError      *error);

+dbus_bool_t bus_selinux_allows_name            (DBusConnection *source,

+                                                DBusConnection *destination,

+                                                DBusError      *error);

+

 dbus_bool_t bus_selinux_allows_send            (DBusConnection *sender,

                                                 DBusConnection *proposed_recipient,

 						const char     *msgtype, /* Supplementary audit data */

-- 

2.1.0