diff options
| author | John Johansen <john.johansen@canonical.com> | 2014-02-13 13:07:32 -0600 |
|---|---|---|
| committer | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2015-02-18 18:59:23 +0000 |
| commit | d9a2fdb96adf18d6876406a6cd4335b802d66af7 (patch) | |
| tree | 9574f1f4981ee7e164b7e586e4f85a3a36afa2e4 /bus/bus.c | |
| parent | ad209bd0904e01586bf4e540efd5efa4ea99e2ff (diff) | |
| download | dbus-d9a2fdb96adf18d6876406a6cd4335b802d66af7.tar.gz | |
Mediation of processes sending and receiving messages
When an AppArmor confined process wants to send or receive a message, a
check is performed to see if the action should be allowed.
When a message is going through dbus-daemon, there are two checks
performed at once. One for the sending process and one for the receiving
process.
The checks are based on the process's label, the bus type, destination,
path, interface, and member, as well as the peer's label and/or
destination name.
This allows for the traditional connection-based enforcement, as well as
any fine-grained filtering desired by the system administrator.
It is important to note that error and method_return messages are
allowed to cut down on the amount of rules needed. If a process was
allowed to send a message, it can receive error and method_return
messages.
An example AppArmor rule that would be needed to allow a process to call
the UpdateActivationEnvironment method of the session bus itself would be:
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus member=UpdateActivationEnvironment
peer=(name=org.freedesktop.DBus),
To receive any message on the system bus from a process confined by
the "confined-client" AppArmor profile:
dbus receive bus=system peer=(label=confined-client),
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: Use BusAppArmorConfinement, bug fixes, cleanup, commit msg]
[tyhicks: Pass the message type to the AppArmor hook]
[tyhicks: Don't audit unrequested reply message denials]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
[smcv: when AA denies sending, don't label requested_reply as "matched rules"]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Diffstat (limited to 'bus/bus.c')
| -rw-r--r-- | bus/bus.c | 19 |
1 files changed, 18 insertions, 1 deletions
@@ -1521,7 +1521,7 @@ bus_context_check_security_policy (BusContext *context, DBusMessage *message, DBusError *error) { - const char *dest; + const char *src, *dest; BusClientPolicy *sender_policy; BusClientPolicy *recipient_policy; dbus_int32_t toggles; @@ -1530,6 +1530,7 @@ bus_context_check_security_policy (BusContext *context, dbus_bool_t requested_reply; type = dbus_message_get_type (message); + src = dbus_message_get_sender (message); dest = dbus_message_get_destination (message); /* dispatch.c was supposed to ensure these invariants */ @@ -1619,6 +1620,22 @@ bus_context_check_security_policy (BusContext *context, return FALSE; } + /* next verify AppArmor access controls. If allowed then + * go on with the standard checks. + */ + if (!bus_apparmor_allows_send (sender, proposed_recipient, + requested_reply, + bus_context_get_type (context), + dbus_message_get_type (message), + dbus_message_get_path (message), + dbus_message_get_interface (message), + dbus_message_get_member (message), + dbus_message_get_error_name (message), + dest ? dest : DBUS_SERVICE_DBUS, + src ? src : DBUS_SERVICE_DBUS, + error)) + return FALSE; + if (!bus_connection_is_active (sender)) { /* Policy for inactive connections is that they can only send |