| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
The bus_apparmor_confinement_unref() function definition must exist even
when building with --disable-apparmor.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
This reverts commit 24f1502e42b58a7c238779c023c6bfe870dc78cc,
which wasn't meant to go upstream (it's backwards compatibility
with older versions of this patchset).
|
|
This is not intended for upstream inclusion. It implements a bus method
(GetConnectionAppArmorSecurityContext) to get a connection's AppArmor
security context but upstream D-Bus has recently added a generic way of
getting a connection's security credentials (GetConnectionCredentials).
Ubuntu should carry this patch until packages in the archive are moved
over to the new, generic method of getting a connection's credentials.
[Altered by Simon McVittie: survive non-UTF-8 contexts which
would otherwise be a local denial of service, except that Ubuntu
inherits a non-fatal warnings patch from Debian; new commit message
taken from the Ubuntu changelog; do not emit unreachable code if
AppArmor is disabled.]
|
|
The thing returned by SO_PEERSEC (which we're calling LinuxSecurityLabel
within D-Bus) can have a different meaning for each LSM. In AppArmor
it's the AppArmor context, which is made up of an AppArmor label and an
optional confinement mode; the label further subdivides into one
or more profiles. See
https://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/2862
and subsequent commits for recent clarification of this terminology.
In practice, the part that dbus-daemon deals with is the label,
and occasionally also the mode.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
|
|
When an AppArmor confined process wants to become a monitor, a check is
performed to see if eavesdropping should be allowed.
The check is based on the connection's label and the bus type.
This patch reuses the bus_apparmor_allows_eavesdropping() hook.
An example AppArmor rule that would allow a process to become a monitor
on the system bus would be:
dbus eavesdrop bus=system,
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
When an AppArmor confined process wants to eavesdrop on a bus, a check
is performed to see if the action should be allowed.
The check is based on the connection's label and the bus type.
This patch adds a new hook, which was not previously included in the
SELinux mediation, to mediate eavesdropping from
bus_driver_handle_add_match().
A new function is added to bus/signals.c to see if a match rule is an
eavesdropping rule since the rule flags field is private to signals.c.
An example AppArmor rule that would allow a process to eavesdrop on the
session bus would be:
dbus eavesdrop bus=session,
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
When an AppArmor confined process wants to send or receive a message, a
check is performed to see if the action should be allowed.
When a message is going through dbus-daemon, there are two checks
performed at once. One for the sending process and one for the receiving
process.
The checks are based on the process's label, the bus type, destination,
path, interface, and member, as well as the peer's label and/or
destination name.
This allows for the traditional connection-based enforcement, as well as
any fine-grained filtering desired by the system administrator.
It is important to note that error and method_return messages are
allowed to cut down on the amount of rules needed. If a process was
allowed to send a message, it can receive error and method_return
messages.
An example AppArmor rule that would be needed to allow a process to call
the UpdateActivationEnvironment method of the session bus itself would be:
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus member=UpdateActivationEnvironment
peer=(name=org.freedesktop.DBus),
To receive any message on the system bus from a process confined by
the "confined-client" AppArmor profile:
dbus receive bus=system peer=(label=confined-client),
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: Use BusAppArmorConfinement, bug fixes, cleanup, commit msg]
[tyhicks: Pass the message type to the AppArmor hook]
[tyhicks: Don't audit unrequested reply message denials]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
[smcv: when AA denies sending, don't label requested_reply as "matched rules"]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
|
|
Move the call to bus_selinux_allows_send() after the call to
bus_connections_check_reply().
This allows LSMs to know if the message is a reply and whether or not it
was requested.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
When an AppArmor confined process wants to acquire a well-known name, a
check is performed to see if the action should be allowed.
The check is based on the connection's label, the bus type, and the name
being requested.
An example AppArmor rule that would allow the name
"com.example.ExampleName" to be acquired on the system bus would be:
dbus bind bus=system name=com.example.ExampleName,
To let a process acquire any name on any bus, the rule would be:
dbus bind,
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: Use BusAppArmorConfinement, bug fixes, cleanup, commit msg]
[tyhicks: initialize reserved area at the start of the query string]
[tyhicks: Use empty string for NULL bustypes when building queries]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
When processes connect the bus, the AppArmor confinement context should
be stored for later use when checks are to be done during message
sending/receiving, acquire a name, and eavesdropping.
Code outside of apparmor.c will need to initialize and unreference the
confinement context, so bus_apparmor_confinement_unref() can no longer
be a static function.
[Move bus_apparmor_confinement_unref back to its old location for
a more reasonable diff -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
During dbus-daemon initialization, the AppArmor confinement context
should be stored for later use when checks are to be done on messages
to/from the bus itself.
AppArmor confinement contexts are documented in aa_getcon(2). They
contain a confinement string and a mode string. The confinement string
is typically the name of the AppArmor profile confining a given process.
The mode string gives the current enforcement mode of the process
confinement. For example, it may indicate that the confinement should be
enforced or it may indicate that the confinement should allow all
actions with the caveat that actions which would be denied should be
audited.
It is important to note that libapparmor mallocs a single buffer to
store the con and mode strings and separates them with a NUL terminator.
Because of this, only con should be freed.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
[smcv: use BUS_SET_OOM]
[smcv: dbus_set_error doesn't need extra newlines]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
|
|
When starting dbus-daemon, autodetect AppArmor kernel support and use
the results from parsing the busconfig to determine if mediation should
be enabled.
In the busconfig, "enabled" means that kernel support is autodetected
and, if available, AppArmor mediation occurs in dbus-daemon. In
"enabled" mode, if kernel support is not detected, mediation is
disabled. "disabled" means that mediation does not occur. "required"
means that kernel support must be detected for dbus-daemon to start.
Additionally, when libaudit support is built into dbus-daemon, the
AppArmor initialization routines set up the audit connection.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: Honor enforcement modes and detect AppArmor dbus rule support]
[tyhicks: fix unreachable return when AppArmor support is built]
[tyhicks: make bus_apparmor_full_init() able to raise a DBusError]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
[smcv: _bus_apparmor_aa_supports_dbus: document necessary kernel API guarantee]
[smcv: bus_apparmor_pre_init: distinguish between OOM and AppArmor not enabled]
[smcv: document why we open() and not just stat()]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
|
|
The <apparmor> element can contain a single mode attribute that has one
of three values:
"enabled"
"disabled"
"required"
"enabled" means that kernel support is autodetected and, if available,
AppArmor mediation occurs in dbus-daemon. If kernel support is not
detected, mediation is disabled. "disabled" means that mediation does
not occur. "required" means that kernel support must be detected for
dbus-daemon to start.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
AppArmor support can be configured at build time with --enable-apparmor
and --disable-apparmor. By default, the build time decision is
automatically decided by checking if a sufficient libapparmor is
available.
A minimum required libapparmor is version 2.8.95.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
[smcv: avoid potential non-portability from "test EXPR -a EXPR"]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
|
|
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89041
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
|
|
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89041
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
|
|
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89041
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov> (for SELinux)
Acked-by: John Johansen <john.johansen@canonical.com> (for AppArmor)
Acked-by: Casey Schaufler <casey@schaufler-ca.com> (for Smack)
Tested-by: Tyler Hicks <tyhicks@canonical.com>
|
|
Create a new helper for using a byte array as the value in the mapping
from string to variant.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89041
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
|
|
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89165
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
unify platform related format string.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89165
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89109
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
This guide gives some pointers on how to write D-Bus APIs which are nice
to use.
It adds an optional dependency on Ducktype and yelp-build from
yelp-tools. These are used when available, but are not required unless
--enable-ducktype-docs is passed to configure. They are required for
uploading the docs, however.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88994
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
|
|
- change "ref serial" to "in_reply_to" (avoiding whitespace for easy
visual parsing)
- prefix with # to clarify that these are not part of the data
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89165
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
|
|
header.
[rebase onto correctly indented version -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89165
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
|
|
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89165
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
|
|
dbus-send could already pretty-print bytestrings that do not have
\0 termination, but those are awkward to work with (they need copying),
so they are now discouraged. Teach it to print bytestrings that
do have \0 termination as well.
In the process, rewrite this part of the message parser
to use dbus_message_iter_get_fixed_array(), which is the Right way
to get arrays of numbers out of a message.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89109
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
|
|
As in CMake, it is restricted to Windows builds, since the
functionality that it tests is not present in Unix builds.
|
|
DBUS_ENABLE_VERBOSE_MODE.
This interface contains methods 'EnableVerbose' and 'DisableVerbose'
to control verbose mode on daemon runtime.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88896
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83539
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89086
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
|
|
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89086
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
|
|
dbus_connection_get_windows_user is documented to return TRUE but
put NULL in its argument if OOM is reached.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89041
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
|
|
It was relying on a higher-than-default fd limit; cut it down to
more than 256 but rather less than 1024, since the default Linux
limit is 1024 fds per user.
Also automatically skip this test if our rlimit is too small.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88998
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
|
|
MSDN recommands to use GetCurrentProcess() for current process.
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=54445
|
|
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=54445
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=54445
|
|
|
|
|
|
|
|
|
|
Conflicts:
NEWS
bus/system.conf.in
configure.ac
|
|
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88998
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
|
|
Without this code change, non-systemd processes can make dbus-daemon
think systemd failed to activate a system service, resulting in an
error reply back to the requester. In practice we can address this in
system.conf by only allowing root to forge these messages, but this
check is the real solution, particularly on systems where root is
not all-powerful.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88811
Reviewed-by: Alban Crequy
Reviewed-by: David King
Reviewed-by: Philip Withnall
|
|
We need this, or something equivalent, to address CVE-2015-0245 via
code changes.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88811
Reviewed-by: Alban Crequy
Reviewed-by: David King
Reviewed-by: Philip Withnall
|
|
|
