Do LSM checks after determining if the message is a requested reply

Move the call to bus_selinux_allows_send() after the call to
bus_connections_check_reply().

This allows LSMs to know if the message is a reply and whether or not it
was requested.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>

1 files changed, 29 insertions, 24 deletions

diff --git a/bus/bus.c b/bus/bus.c
index 2c2c5649..ca8da37d 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -1562,30 +1562,6 @@ bus_context_check_security_policy (BusContext     *context,
 
   if (sender != NULL)
     {
-      /* First verify the SELinux access controls.  If allowed then
-       * go on with the standard checks.
-       */
-      if (!bus_selinux_allows_send (sender, proposed_recipient,
-				    dbus_message_type_to_string (dbus_message_get_type (message)),
-				    dbus_message_get_interface (message),
-				    dbus_message_get_member (message),
-				    dbus_message_get_error_name (message),
-				    dest ? dest : DBUS_SERVICE_DBUS, error))
-        {
-          if (error != NULL && !dbus_error_is_set (error))
-            {
-              /* don't syslog this, just set the error: avc_has_perm should
-               * have already written to either the audit log or syslog */
-              complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
-                  "An SELinux policy prevents this sender from sending this "
-                  "message to this recipient",
-                  0, message, sender, proposed_recipient, FALSE, FALSE, error);
-              _dbus_verbose ("SELinux security check denying send to service\n");
-            }
-
-          return FALSE;
-        }
-
       if (bus_connection_is_active (sender))
         {
           sender_policy = bus_connection_get_policy (sender);
@@ -1616,6 +1592,35 @@ bus_context_check_security_policy (BusContext     *context,
         }
       else
         {
+          sender_policy = NULL;
+        }
+
+      /* First verify the SELinux access controls.  If allowed then
+       * go on with the standard checks.
+       */
+      if (!bus_selinux_allows_send (sender, proposed_recipient,
+				    dbus_message_type_to_string (dbus_message_get_type (message)),
+				    dbus_message_get_interface (message),
+				    dbus_message_get_member (message),
+				    dbus_message_get_error_name (message),
+				    dest ? dest : DBUS_SERVICE_DBUS, error))
+        {
+          if (error != NULL && !dbus_error_is_set (error))
+            {
+              /* don't syslog this, just set the error: avc_has_perm should
+               * have already written to either the audit log or syslog */
+              complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
+                  "An SELinux policy prevents this sender from sending this "
+                  "message to this recipient",
+                  0, message, sender, proposed_recipient, FALSE, FALSE, error);
+              _dbus_verbose ("SELinux security check denying send to service\n");
+            }
+
+          return FALSE;
+        }
+
+      if (!bus_connection_is_active (sender))
+        {
           /* Policy for inactive connections is that they can only send
            * the hello message to the bus driver
            */