diff options
Diffstat (limited to 'bus/driver.c')
| -rw-r--r-- | bus/driver.c | 323 |
1 files changed, 213 insertions, 110 deletions
diff --git a/bus/driver.c b/bus/driver.c index 574e0f3d..f5d3ebe2 100644 --- a/bus/driver.c +++ b/bus/driver.c @@ -32,12 +32,56 @@ #include "signals.h" #include "stats.h" #include "utils.h" + +#include <dbus/dbus-asv-util.h> #include <dbus/dbus-string.h> #include <dbus/dbus-internals.h> #include <dbus/dbus-message.h> #include <dbus/dbus-marshal-recursive.h> #include <string.h> +static DBusConnection * +bus_driver_get_conn_helper (DBusConnection *connection, + DBusMessage *message, + const char *what_we_want, + const char **name_p, + DBusError *error) +{ + const char *name; + BusRegistry *registry; + BusService *serv; + DBusString str; + DBusConnection *conn; + + if (!dbus_message_get_args (message, error, + DBUS_TYPE_STRING, &name, + DBUS_TYPE_INVALID)) + return NULL; + + _dbus_assert (name != NULL); + _dbus_verbose ("asked for %s of connection %s\n", what_we_want, name); + + registry = bus_connection_get_registry (connection); + _dbus_string_init_const (&str, name); + serv = bus_registry_lookup (registry, &str); + + if (serv == NULL) + { + dbus_set_error (error, DBUS_ERROR_NAME_HAS_NO_OWNER, + "Could not get %s of name '%s': no such name", + what_we_want, name); + return NULL; + } + + conn = bus_service_get_primary_owners_connection (serv); + _dbus_assert (conn != NULL); + + if (name_p != NULL) + *name_p = name; + + return conn; +} + static dbus_bool_t bus_driver_send_welcome_message (DBusConnection *connection, DBusMessage *hello_message, BusTransaction *transaction, @@ -834,6 +878,44 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection, _DBUS_ASSERT_ERROR_IS_CLEAR (error); + if (!bus_driver_check_message_is_for_us (message, error)) + return FALSE; + +#ifdef DBUS_UNIX + { + /* UpdateActivationEnvironment is basically a recipe for privilege + * escalation so let's be extra-careful: do not allow the sysadmin + * to shoot themselves in the foot. */ + unsigned long uid; + + if (!dbus_connection_get_unix_user (connection, &uid)) + { + bus_context_log (bus_transaction_get_context (transaction), + DBUS_SYSTEM_LOG_SECURITY, + "rejected attempt to call UpdateActivationEnvironment by " + "unknown uid"); + dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, + "rejected attempt to call UpdateActivationEnvironment by " + "unknown uid"); + return FALSE; + } + + /* On the system bus, we could in principle allow uid 0 to call + * UpdateActivationEnvironment; but they should know better anyway, + * and our default system.conf has always forbidden it */ + if (!_dbus_unix_user_is_process_owner (uid)) + { + bus_context_log (bus_transaction_get_context (transaction), + DBUS_SYSTEM_LOG_SECURITY, + "rejected attempt to call UpdateActivationEnvironment by uid %lu", + uid); + dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, + "rejected attempt to call UpdateActivationEnvironment"); + return FALSE; + } + } +#endif + activation = bus_connection_get_activation (connection); dbus_message_iter_init (message, &iter); @@ -841,13 +923,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection, /* The message signature has already been checked for us, * so let's just assert it's right. */ -#ifndef DBUS_DISABLE_ASSERT - { - int msg_type = dbus_message_iter_get_arg_type (&iter); - - _dbus_assert (msg_type == DBUS_TYPE_ARRAY); - } -#endif + _dbus_assert (dbus_message_iter_get_arg_type (&iter) == DBUS_TYPE_ARRAY); dbus_message_iter_recurse (&iter, &dict_iter); @@ -1262,40 +1338,21 @@ bus_driver_handle_get_connection_unix_user (DBusConnection *connection, DBusMessage *message, DBusError *error) { - const char *service; - DBusString str; - BusRegistry *registry; - BusService *serv; DBusConnection *conn; DBusMessage *reply; unsigned long uid; dbus_uint32_t uid32; + const char *service; _DBUS_ASSERT_ERROR_IS_CLEAR (error); - registry = bus_connection_get_registry (connection); - - service = NULL; reply = NULL; - if (! dbus_message_get_args (message, error, - DBUS_TYPE_STRING, &service, - DBUS_TYPE_INVALID)) - goto failed; - - _dbus_verbose ("asked for UID of connection %s\n", service); - - _dbus_string_init_const (&str, service); - serv = bus_registry_lookup (registry, &str); - if (serv == NULL) - { - dbus_set_error (error, - DBUS_ERROR_NAME_HAS_NO_OWNER, - "Could not get UID of name '%s': no such name", service); - goto failed; - } + conn = bus_driver_get_conn_helper (connection, message, "UID", &service, + error); - conn = bus_service_get_primary_owners_connection (serv); + if (conn == NULL) + goto failed; reply = dbus_message_new_method_return (message); if (reply == NULL) @@ -1338,40 +1395,21 @@ bus_driver_handle_get_connection_unix_process_id (DBusConnection *connection, DBusMessage *message, DBusError *error) { - const char *service; - DBusString str; - BusRegistry *registry; - BusService *serv; DBusConnection *conn; DBusMessage *reply; unsigned long pid; dbus_uint32_t pid32; + const char *service; _DBUS_ASSERT_ERROR_IS_CLEAR (error); - registry = bus_connection_get_registry (connection); - - service = NULL; reply = NULL; - if (! dbus_message_get_args (message, error, - DBUS_TYPE_STRING, &service, - DBUS_TYPE_INVALID)) - goto failed; - - _dbus_verbose ("asked for PID of connection %s\n", service); - - _dbus_string_init_const (&str, service); - serv = bus_registry_lookup (registry, &str); - if (serv == NULL) - { - dbus_set_error (error, - DBUS_ERROR_NAME_HAS_NO_OWNER, - "Could not get PID of name '%s': no such name", service); - goto failed; - } + conn = bus_driver_get_conn_helper (connection, message, "PID", &service, + error); - conn = bus_service_get_primary_owners_connection (serv); + if (conn == NULL) + goto failed; reply = dbus_message_new_method_return (message); if (reply == NULL) @@ -1414,40 +1452,21 @@ bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection, DBusMessage *message, DBusError *error) { - const char *service; - DBusString str; - BusRegistry *registry; - BusService *serv; DBusConnection *conn; DBusMessage *reply; void *data = NULL; dbus_uint32_t data_size; + const char *service; _DBUS_ASSERT_ERROR_IS_CLEAR (error); - registry = bus_connection_get_registry (connection); - - service = NULL; reply = NULL; - if (! dbus_message_get_args (message, error, - DBUS_TYPE_STRING, &service, - DBUS_TYPE_INVALID)) - goto failed; - - _dbus_verbose ("asked for audit session data for connection %s\n", service); - - _dbus_string_init_const (&str, service); - serv = bus_registry_lookup (registry, &str); - if (serv == NULL) - { - dbus_set_error (error, - DBUS_ERROR_NAME_HAS_NO_OWNER, - "Could not get audit session data for name '%s': no such name", service); - goto failed; - } + conn = bus_driver_get_conn_helper (connection, message, + "audit session data", &service, error); - conn = bus_service_get_primary_owners_connection (serv); + if (conn == NULL) + goto failed; reply = dbus_message_new_method_return (message); if (reply == NULL) @@ -1489,39 +1508,20 @@ bus_driver_handle_get_connection_selinux_security_context (DBusConnection *conne DBusMessage *message, DBusError *error) { - const char *service; - DBusString str; - BusRegistry *registry; - BusService *serv; DBusConnection *conn; DBusMessage *reply; BusSELinuxID *context; + const char *service; _DBUS_ASSERT_ERROR_IS_CLEAR (error); - registry = bus_connection_get_registry (connection); - - service = NULL; reply = NULL; - if (! dbus_message_get_args (message, error, - DBUS_TYPE_STRING, &service, - DBUS_TYPE_INVALID)) - goto failed; - - _dbus_verbose ("asked for security context of connection %s\n", service); + conn = bus_driver_get_conn_helper (connection, message, "security context", + &service, error); - _dbus_string_init_const (&str, service); - serv = bus_registry_lookup (registry, &str); - if (serv == NULL) - { - dbus_set_error (error, - DBUS_ERROR_NAME_HAS_NO_OWNER, - "Could not get security context of name '%s': no such name", service); - goto failed; - } - - conn = bus_service_get_primary_owners_connection (serv); + if (conn == NULL) + goto failed; reply = dbus_message_new_method_return (message); if (reply == NULL) @@ -1557,6 +1557,80 @@ bus_driver_handle_get_connection_selinux_security_context (DBusConnection *conne } static dbus_bool_t +bus_driver_handle_get_connection_credentials (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, + DBusError *error) +{ + DBusConnection *conn; + DBusMessage *reply; + DBusMessageIter reply_iter; + DBusMessageIter array_iter; + unsigned long ulong_val; + const char *service; + + _DBUS_ASSERT_ERROR_IS_CLEAR (error); + + reply = NULL; + + conn = bus_driver_get_conn_helper (connection, message, "credentials", + &service, error); + + if (conn == NULL) + goto failed; + + reply = _dbus_asv_new_method_return (message, &reply_iter, &array_iter); + if (reply == NULL) + goto oom; + + /* we can't represent > 32-bit pids; if your system needs them, please + * add ProcessID64 to the spec or something */ + if (dbus_connection_get_unix_process_id (conn, &ulong_val) && + ulong_val <= _DBUS_UINT32_MAX) + { + if (!_dbus_asv_add_uint32 (&array_iter, "ProcessID", ulong_val)) + goto oom; + } + + /* we can't represent > 32-bit uids; if your system needs them, please + * add UnixUserID64 to the spec or something */ + if (dbus_connection_get_unix_user (conn, &ulong_val) && + ulong_val <= _DBUS_UINT32_MAX) + { + if (!_dbus_asv_add_uint32 (&array_iter, "UnixUserID", ulong_val)) + goto oom; + } + + if (!_dbus_asv_close (&reply_iter, &array_iter)) + goto oom; + + if (! bus_transaction_send_from_driver (transaction, connection, reply)) + { + /* this time we don't want to close the iterator again, so just + * get rid of the message */ + dbus_message_unref (reply); + reply = NULL; + goto oom; + } + + return TRUE; + + oom: + BUS_SET_OOM (error); + + failed: + _DBUS_ASSERT_ERROR_IS_SET (error); + + if (reply) + { + _dbus_asv_abandon (&reply_iter, &array_iter); + dbus_message_unref (reply); + } + + return FALSE; +} + +static dbus_bool_t bus_driver_handle_reload_config (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, @@ -1736,6 +1810,8 @@ static const MessageHandler dbus_message_handlers[] = { "", DBUS_TYPE_STRING_AS_STRING, bus_driver_handle_get_id }, + { "GetConnectionCredentials", "s", "a{sv}", + bus_driver_handle_get_connection_credentials }, { NULL, NULL, NULL, NULL } }; @@ -1927,6 +2003,38 @@ bus_driver_handle_introspect (DBusConnection *connection, return FALSE; } +/* + * Set @error and return FALSE if the message is not directed to the + * dbus-daemon by its canonical object path. This is hardening against + * system services with poorly-written security policy files, which + * might allow sending dangerously broad equivalence classes of messages + * such as "anything with this assumed-to-be-safe object path". + * + * dbus-daemon is unusual in that it normally ignores the object path + * of incoming messages; we need to keep that behaviour for the "read" + * read-only method calls like GetConnectionUnixUser for backwards + * compatibility, but it seems safer to be more restrictive for things + * intended to be root-only or privileged-developers-only. + * + * It is possible that there are other system services with the same + * quirk as dbus-daemon. + */ +dbus_bool_t +bus_driver_check_message_is_for_us (DBusMessage *message, + DBusError *error) +{ + if (!dbus_message_has_path (message, DBUS_PATH_DBUS)) + { + dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, + "Method '%s' is only available at the canonical object path '%s'", + dbus_message_get_member (message), DBUS_PATH_DBUS); + + return FALSE; + } + + return TRUE; +} + dbus_bool_t bus_driver_handle_message (DBusConnection *connection, BusTransaction *transaction, @@ -1964,13 +2072,8 @@ bus_driver_handle_message (DBusConnection *connection, _dbus_verbose ("Driver got a method call: %s\n", name); /* security checks should have kept this from getting here */ -#ifndef DBUS_DISABLE_ASSERT - { - const char *sender = dbus_message_get_sender (message); - - _dbus_assert (sender != NULL || strcmp (name, "Hello") == 0); - } -#endif + _dbus_assert (dbus_message_get_sender (message) != NULL || + strcmp (name, "Hello") == 0); for (ih = interface_handlers; ih->name != NULL; ih++) { |