summaryrefslogtreecommitdiffstats
path: root/src/bus-proxyd/bus-proxyd.c
diff options
context:
space:
mode:
authorPrzemyslaw Kedzierski <p.kedzierski@samsung.com>2014-12-09 12:17:24 +0100
committerLennart Poettering <lennart@poettering.net>2014-12-09 18:23:24 +0100
commitdd5ae4c36c89da5dbe8d1628939b26c00db98753 (patch)
tree70732de11f8d613b3c3a5117009f9802301774e7 /src/bus-proxyd/bus-proxyd.c
parentrun: introduce timer support option (diff)
downloadsystemd-dd5ae4c36c89da5dbe8d1628939b26c00db98753.tar.xz
systemd-dd5ae4c36c89da5dbe8d1628939b26c00db98753.zip
bus-proxy: cloning smack label
When dbus client connects to systemd-bus-proxyd through Unix domain socket proxy takes client's smack label and sets for itself. It is done before and independent of dropping privileges. The reason of such soluton is fact that tests of access rights performed by lsm may take place inside kernel, not only in userspace of recipient of message. The bus-proxyd needs CAP_MAC_ADMIN to manipulate its label. In case of systemd running in system mode, CAP_MAC_ADMIN should be added to CapabilityBoundingSet in service file of bus-proxyd. In case of systemd running in user mode ('systemd --user') it can be achieved by addition Capabilities=cap_mac_admin=i and SecureBits=keep-caps to user@.service file and setting cap_mac_admin+ei on bus-proxyd binary.
Diffstat (limited to 'src/bus-proxyd/bus-proxyd.c')
-rw-r--r--src/bus-proxyd/bus-proxyd.c22
1 files changed, 22 insertions, 0 deletions
diff --git a/src/bus-proxyd/bus-proxyd.c b/src/bus-proxyd/bus-proxyd.c
index 42fb0da0ef..5d304538fd 100644
--- a/src/bus-proxyd/bus-proxyd.c
+++ b/src/bus-proxyd/bus-proxyd.c
@@ -46,6 +46,7 @@
#include "capability.h"
#include "bus-policy.h"
#include "bus-control.h"
+#include "smack-util.h"
static char *arg_address = NULL;
static char *arg_command_line_buffer = NULL;
@@ -1235,6 +1236,23 @@ static int patch_sender(sd_bus *a, sd_bus_message *m) {
return 0;
}
+static int mac_smack_apply_label_and_drop_cap_mac_admin(pid_t its_pid, const char *new_label) {
+#ifdef HAVE_SMACK
+ int r = 0, k;
+
+ if (!mac_smack_use())
+ return 0;
+
+ if (new_label && its_pid > 0)
+ r = mac_smack_apply_pid(its_pid, new_label);
+
+ k = drop_capability(CAP_MAC_ADMIN);
+ return r < 0 ? r : k;
+#else
+ return 0;
+#endif
+}
+
int main(int argc, char *argv[]) {
_cleanup_bus_close_unref_ sd_bus *a = NULL, *b = NULL;
@@ -1274,6 +1292,10 @@ int main(int argc, char *argv[]) {
if (is_unix) {
(void) getpeercred(in_fd, &ucred);
(void) getpeersec(in_fd, &peersec);
+
+ r = mac_smack_apply_label_and_drop_cap_mac_admin(getpid(), peersec);
+ if (r < 0)
+ log_warning_errno(r, "Failed to set SMACK label (%s) and drop CAP_MAC_ADMIN: %m", peersec);
}
if (arg_drop_privileges) {