diff options
| author | Tyler Hicks <tyhicks@canonical.com> | 2014-03-14 12:12:46 -0500 |
|---|---|---|
| committer | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2015-02-18 17:29:00 +0000 |
| commit | ad209bd0904e01586bf4e540efd5efa4ea99e2ff (patch) | |
| tree | 691f5fed55b20e675c197943fb8f875935af49d5 /bus | |
| parent | c2686d53f3065dc9443bb2744f3fbe50992962ea (diff) | |
| download | dbus-ad209bd0904e01586bf4e540efd5efa4ea99e2ff.tar.gz | |
Do LSM checks after determining if the message is a requested reply
Move the call to bus_selinux_allows_send() after the call to
bus_connections_check_reply().
This allows LSMs to know if the message is a reply and whether or not it
was requested.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Diffstat (limited to 'bus')
| -rw-r--r-- | bus/bus.c | 53 |
1 files changed, 29 insertions, 24 deletions
@@ -1562,30 +1562,6 @@ bus_context_check_security_policy (BusContext *context, if (sender != NULL) { - /* First verify the SELinux access controls. If allowed then - * go on with the standard checks. - */ - if (!bus_selinux_allows_send (sender, proposed_recipient, - dbus_message_type_to_string (dbus_message_get_type (message)), - dbus_message_get_interface (message), - dbus_message_get_member (message), - dbus_message_get_error_name (message), - dest ? dest : DBUS_SERVICE_DBUS, error)) - { - if (error != NULL && !dbus_error_is_set (error)) - { - /* don't syslog this, just set the error: avc_has_perm should - * have already written to either the audit log or syslog */ - complain_about_message (context, DBUS_ERROR_ACCESS_DENIED, - "An SELinux policy prevents this sender from sending this " - "message to this recipient", - 0, message, sender, proposed_recipient, FALSE, FALSE, error); - _dbus_verbose ("SELinux security check denying send to service\n"); - } - - return FALSE; - } - if (bus_connection_is_active (sender)) { sender_policy = bus_connection_get_policy (sender); @@ -1616,6 +1592,35 @@ bus_context_check_security_policy (BusContext *context, } else { + sender_policy = NULL; + } + + /* First verify the SELinux access controls. If allowed then + * go on with the standard checks. + */ + if (!bus_selinux_allows_send (sender, proposed_recipient, + dbus_message_type_to_string (dbus_message_get_type (message)), + dbus_message_get_interface (message), + dbus_message_get_member (message), + dbus_message_get_error_name (message), + dest ? dest : DBUS_SERVICE_DBUS, error)) + { + if (error != NULL && !dbus_error_is_set (error)) + { + /* don't syslog this, just set the error: avc_has_perm should + * have already written to either the audit log or syslog */ + complain_about_message (context, DBUS_ERROR_ACCESS_DENIED, + "An SELinux policy prevents this sender from sending this " + "message to this recipient", + 0, message, sender, proposed_recipient, FALSE, FALSE, error); + _dbus_verbose ("SELinux security check denying send to service\n"); + } + + return FALSE; + } + + if (!bus_connection_is_active (sender)) + { /* Policy for inactive connections is that they can only send * the hello message to the bus driver */ |