summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTyler Hicks <tyhicks@canonical.com>2014-03-14 12:12:46 -0500
committerSimon McVittie <simon.mcvittie@collabora.co.uk>2015-02-18 17:29:00 +0000
commitad209bd0904e01586bf4e540efd5efa4ea99e2ff (patch)
tree691f5fed55b20e675c197943fb8f875935af49d5
parentc2686d53f3065dc9443bb2744f3fbe50992962ea (diff)
downloaddbus-ad209bd0904e01586bf4e540efd5efa4ea99e2ff.tar.gz
Do LSM checks after determining if the message is a requested reply
Move the call to bus_selinux_allows_send() after the call to bus_connections_check_reply(). This allows LSMs to know if the message is a reply and whether or not it was requested. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113 Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
-rw-r--r--bus/bus.c53
1 files changed, 29 insertions, 24 deletions
diff --git a/bus/bus.c b/bus/bus.c
index 2c2c5649..ca8da37d 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -1562,30 +1562,6 @@ bus_context_check_security_policy (BusContext *context,
if (sender != NULL)
{
- /* First verify the SELinux access controls. If allowed then
- * go on with the standard checks.
- */
- if (!bus_selinux_allows_send (sender, proposed_recipient,
- dbus_message_type_to_string (dbus_message_get_type (message)),
- dbus_message_get_interface (message),
- dbus_message_get_member (message),
- dbus_message_get_error_name (message),
- dest ? dest : DBUS_SERVICE_DBUS, error))
- {
- if (error != NULL && !dbus_error_is_set (error))
- {
- /* don't syslog this, just set the error: avc_has_perm should
- * have already written to either the audit log or syslog */
- complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
- "An SELinux policy prevents this sender from sending this "
- "message to this recipient",
- 0, message, sender, proposed_recipient, FALSE, FALSE, error);
- _dbus_verbose ("SELinux security check denying send to service\n");
- }
-
- return FALSE;
- }
-
if (bus_connection_is_active (sender))
{
sender_policy = bus_connection_get_policy (sender);
@@ -1616,6 +1592,35 @@ bus_context_check_security_policy (BusContext *context,
}
else
{
+ sender_policy = NULL;
+ }
+
+ /* First verify the SELinux access controls. If allowed then
+ * go on with the standard checks.
+ */
+ if (!bus_selinux_allows_send (sender, proposed_recipient,
+ dbus_message_type_to_string (dbus_message_get_type (message)),
+ dbus_message_get_interface (message),
+ dbus_message_get_member (message),
+ dbus_message_get_error_name (message),
+ dest ? dest : DBUS_SERVICE_DBUS, error))
+ {
+ if (error != NULL && !dbus_error_is_set (error))
+ {
+ /* don't syslog this, just set the error: avc_has_perm should
+ * have already written to either the audit log or syslog */
+ complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
+ "An SELinux policy prevents this sender from sending this "
+ "message to this recipient",
+ 0, message, sender, proposed_recipient, FALSE, FALSE, error);
+ _dbus_verbose ("SELinux security check denying send to service\n");
+ }
+
+ return FALSE;
+ }
+
+ if (!bus_connection_is_active (sender))
+ {
/* Policy for inactive connections is that they can only send
* the hello message to the bus driver
*/