shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-11-06 16:59:03 +03:00
Code
0ccad099d4
systemd/src/core/selinux-access.h

63 lines
2.7 KiB
C
Raw Normal View History

selinux: add bus service access control -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch adds the ability to look at the calling process that is trying to do dbus calls into systemd, then it checks with the SELinux policy to see if the calling process is allowed to do the activity. The basic idea is we want to allow NetworkManager_t to be able to start and stop ntpd.service, but not necessarly mysqld.service. Similarly we want to allow a root admin webadm_t that can only manage the apache environment. systemctl enable httpd.service, systemctl disable iptables.service bad. To make this code cleaner, we really need to refactor the dbus-manager.c code. This has just become a huge if-then-else blob, which makes doing the correct check difficult. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBJBi8ACgkQrlYvE4MpobOzTwCdEUikbvRWUCwOb83KlVF0Nuy5 lRAAnjZZNuc19Z+aNxm3k3nwD4p/JYco =yops -----END PGP SIGNATURE-----
2012-09-07 00:23:11 +04:00
/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
selinux: rework selinux access check logic a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start().
2012-10-03 01:07:00 +04:00
#pragma once
selinux: add bus service access control -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch adds the ability to look at the calling process that is trying to do dbus calls into systemd, then it checks with the SELinux policy to see if the calling process is allowed to do the activity. The basic idea is we want to allow NetworkManager_t to be able to start and stop ntpd.service, but not necessarly mysqld.service. Similarly we want to allow a root admin webadm_t that can only manage the apache environment. systemctl enable httpd.service, systemctl disable iptables.service bad. To make this code cleaner, we really need to refactor the dbus-manager.c code. This has just become a huge if-then-else blob, which makes doing the correct check difficult. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBJBi8ACgkQrlYvE4MpobOzTwCdEUikbvRWUCwOb83KlVF0Nuy5 lRAAnjZZNuc19Z+aNxm3k3nwD4p/JYco =yops -----END PGP SIGNATURE-----
2012-09-07 00:23:11 +04:00
/***
This file is part of systemd.
Copyright 2012 Dan Walsh
systemd is free software; you can redistribute it and/or modify it
selinux-access: move GPL to LGPL licence On Wed, Aug 14, 2013 at 10:31 PM, Daniel J Walsh <dwalsh@redhat.com> wrote: > On 08/14/2013 04:17 PM, Kay Sievers wrote: > > > > this patch added GPL code to systemd, which otherwise is all LGPL. We need > > to make sure we can always split out any code to a separate shared library > > ... > > > > Mind if I switch your src/core/selinux-access.[ch] files to LGPL? > I have no problem with it. Should be LGPL anyways.
2013-08-15 00:34:41 +04:00
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
selinux: add bus service access control -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch adds the ability to look at the calling process that is trying to do dbus calls into systemd, then it checks with the SELinux policy to see if the calling process is allowed to do the activity. The basic idea is we want to allow NetworkManager_t to be able to start and stop ntpd.service, but not necessarly mysqld.service. Similarly we want to allow a root admin webadm_t that can only manage the apache environment. systemctl enable httpd.service, systemctl disable iptables.service bad. To make this code cleaner, we really need to refactor the dbus-manager.c code. This has just become a huge if-then-else blob, which makes doing the correct check difficult. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBJBi8ACgkQrlYvE4MpobOzTwCdEUikbvRWUCwOb83KlVF0Nuy5 lRAAnjZZNuc19Z+aNxm3k3nwD4p/JYco =yops -----END PGP SIGNATURE-----
2012-09-07 00:23:11 +04:00
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
selinux-access: move GPL to LGPL licence On Wed, Aug 14, 2013 at 10:31 PM, Daniel J Walsh <dwalsh@redhat.com> wrote: > On 08/14/2013 04:17 PM, Kay Sievers wrote: > > > > this patch added GPL code to systemd, which otherwise is all LGPL. We need > > to make sure we can always split out any code to a separate shared library > > ... > > > > Mind if I switch your src/core/selinux-access.[ch] files to LGPL? > I have no problem with it. Should be LGPL anyways.
2013-08-15 00:34:41 +04:00
Lesser General Public License for more details.
selinux: add bus service access control -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch adds the ability to look at the calling process that is trying to do dbus calls into systemd, then it checks with the SELinux policy to see if the calling process is allowed to do the activity. The basic idea is we want to allow NetworkManager_t to be able to start and stop ntpd.service, but not necessarly mysqld.service. Similarly we want to allow a root admin webadm_t that can only manage the apache environment. systemctl enable httpd.service, systemctl disable iptables.service bad. To make this code cleaner, we really need to refactor the dbus-manager.c code. This has just become a huge if-then-else blob, which makes doing the correct check difficult. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBJBi8ACgkQrlYvE4MpobOzTwCdEUikbvRWUCwOb83KlVF0Nuy5 lRAAnjZZNuc19Z+aNxm3k3nwD4p/JYco =yops -----END PGP SIGNATURE-----
2012-09-07 00:23:11 +04:00
selinux-access: move GPL to LGPL licence On Wed, Aug 14, 2013 at 10:31 PM, Daniel J Walsh <dwalsh@redhat.com> wrote: > On 08/14/2013 04:17 PM, Kay Sievers wrote: > > > > this patch added GPL code to systemd, which otherwise is all LGPL. We need > > to make sure we can always split out any code to a separate shared library > > ... > > > > Mind if I switch your src/core/selinux-access.[ch] files to LGPL? > I have no problem with it. Should be LGPL anyways.
2013-08-15 00:34:41 +04:00
You should have received a copy of the GNU Lesser General Public License
selinux: add bus service access control -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch adds the ability to look at the calling process that is trying to do dbus calls into systemd, then it checks with the SELinux policy to see if the calling process is allowed to do the activity. The basic idea is we want to allow NetworkManager_t to be able to start and stop ntpd.service, but not necessarly mysqld.service. Similarly we want to allow a root admin webadm_t that can only manage the apache environment. systemctl enable httpd.service, systemctl disable iptables.service bad. To make this code cleaner, we really need to refactor the dbus-manager.c code. This has just become a huge if-then-else blob, which makes doing the correct check difficult. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBJBi8ACgkQrlYvE4MpobOzTwCdEUikbvRWUCwOb83KlVF0Nuy5 lRAAnjZZNuc19Z+aNxm3k3nwD4p/JYco =yops -----END PGP SIGNATURE-----
2012-09-07 00:23:11 +04:00
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-20 00:12:59 +04:00
#include "sd-bus.h"
#include "bus-error.h"
#include "bus-util.h"
selinux: remove anything PID1-specific from selinux-access.[ch] so that we can reuse it in logind
2012-10-03 01:56:54 +04:00
void selinux_access_free(void);
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-20 00:12:59 +04:00
int selinux_access_check(sd_bus *bus, sd_bus_message *message, const char *path, const char *permission, sd_bus_error *error);
selinux: rework selinux access check logic a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start().
2012-10-03 01:07:00 +04:00
#ifdef HAVE_SELINUX
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-20 00:12:59 +04:00
#define SELINUX_ACCESS_CHECK(bus, message, permission) \
selinux: rework selinux access check logic a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start().
2012-10-03 01:07:00 +04:00
do { \
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-20 00:12:59 +04:00
_cleanup_bus_error_free_ sd_bus_error _error = SD_BUS_ERROR_NULL; \
sd_bus_message *_m = (message); \
sd_bus *_b = (bus); \
selinux: rework selinux access check logic a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start().
2012-10-03 01:07:00 +04:00
int _r; \
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-20 00:12:59 +04:00
_r = selinux_access_check(_b, _m, NULL, (permission), &_error); \
selinux: rework selinux access check logic a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start().
2012-10-03 01:07:00 +04:00
if (_r < 0) \
bus: let's simplify things by getting rid of unnecessary bus parameters
2013-11-21 04:51:16 +04:00
return sd_bus_reply_method_errno(_m, _r, &_error); \
selinux: rework selinux access check logic a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start().
2012-10-03 01:07:00 +04:00
} while (false)
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-20 00:12:59 +04:00
#define SELINUX_UNIT_ACCESS_CHECK(unit, bus, message, permission) \
selinux: rework selinux access check logic a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start().
2012-10-03 01:07:00 +04:00
do { \
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-20 00:12:59 +04:00
_cleanup_bus_error_free_ sd_bus_error _error = SD_BUS_ERROR_NULL; \
sd_bus_message *_m = (message); \
sd_bus *_b = (bus); \
selinux: remove anything PID1-specific from selinux-access.[ch] so that we can reuse it in logind
2012-10-03 01:56:54 +04:00
Unit *_u = (unit); \
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-20 00:12:59 +04:00
int _r; \
_r = selinux_access_check(_b, _m, _u->source_path ?: _u->fragment_path, (permission), &_error); \
selinux: rework selinux access check logic a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start().
2012-10-03 01:07:00 +04:00
if (_r < 0) \
bus: let's simplify things by getting rid of unnecessary bus parameters
2013-11-21 04:51:16 +04:00
return sd_bus_reply_method_errno(_m, _r, &_error); \
selinux: rework selinux access check logic a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start().
2012-10-03 01:07:00 +04:00
} while (false)
#else
core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-20 00:12:59 +04:00
#define SELINUX_ACCESS_CHECK(bus, message, permission) do { } while (false)
#define SELINUX_UNIT_ACCESS_CHECK(unit, bus, message, permission) do { } while (false)
selinux: rework selinux access check logic a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start().
2012-10-03 01:07:00 +04:00
selinux: add bus service access control -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch adds the ability to look at the calling process that is trying to do dbus calls into systemd, then it checks with the SELinux policy to see if the calling process is allowed to do the activity. The basic idea is we want to allow NetworkManager_t to be able to start and stop ntpd.service, but not necessarly mysqld.service. Similarly we want to allow a root admin webadm_t that can only manage the apache environment. systemctl enable httpd.service, systemctl disable iptables.service bad. To make this code cleaner, we really need to refactor the dbus-manager.c code. This has just become a huge if-then-else blob, which makes doing the correct check difficult. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBJBi8ACgkQrlYvE4MpobOzTwCdEUikbvRWUCwOb83KlVF0Nuy5 lRAAnjZZNuc19Z+aNxm3k3nwD4p/JYco =yops -----END PGP SIGNATURE-----
2012-09-07 00:23:11 +04:00
#endif
Copy Permalink