systemd/src/core/selinux-access.h

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

#pragma once

/***
  This file is part of systemd.

  Copyright 2012 Dan Walsh

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <dbus.h>

void selinux_access_free(void);

int selinux_access_check(DBusConnection *connection, DBusMessage *message, const char *path, const char *permission, DBusError *error);

#ifdef HAVE_SELINUX

#define SELINUX_ACCESS_CHECK(connection, message, permission) \
        do {                                                            \
                DBusError _error;                                       \
                int _r;                                                 \
                DBusConnection *_c = (connection);                      \
                DBusMessage *_m = (message);                            \
                dbus_error_init(&_error);                               \
                _r = selinux_access_check(_c, _m, NULL, (permission), &_error); \
                if (_r < 0)                                             \
                        return bus_send_error_reply(_c, _m, &_error, _r); \
        } while (false)

#define SELINUX_UNIT_ACCESS_CHECK(unit, connection, message, permission) \
        do {                                                            \
                DBusError _error;                                       \
                int _r;                                                 \
                DBusConnection *_c = (connection);                      \
                DBusMessage *_m = (message);                            \
                Unit *_u = (unit);                                      \
                dbus_error_init(&_error);                               \
                _r = selinux_access_check(_c, _m, _u->source_path ?: _u->fragment_path, (permission), &_error); \
                if (_r < 0)                                             \
                        return bus_send_error_reply(_c, _m, &_error, _r); \
        } while (false)

#else

#define SELINUX_ACCESS_CHECK(connection, message, permission) do { } while (false)
#define SELINUX_UNIT_ACCESS_CHECK(unit, connection, message, permission) do { } while (false)

#endif
selinux: add bus service access control -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch adds the ability to look at the calling process that is trying to do dbus calls into systemd, then it checks with the SELinux policy to see if the calling process is allowed to do the activity. The basic idea is we want to allow NetworkManager_t to be able to start and stop ntpd.service, but not necessarly mysqld.service. Similarly we want to allow a root admin webadm_t that can only manage the apache environment. systemctl enable httpd.service, systemctl disable iptables.service bad. To make this code cleaner, we really need to refactor the dbus-manager.c code. This has just become a huge if-then-else blob, which makes doing the correct check difficult. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBJBi8ACgkQrlYvE4MpobOzTwCdEUikbvRWUCwOb83KlVF0Nuy5 lRAAnjZZNuc19Z+aNxm3k3nwD4p/JYco =yops -----END PGP SIGNATURE----- 2012-09-07 00:23:11 +04:00			`/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/`

selinux: rework selinux access check logic a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start(). 2012-10-03 01:07:00 +04:00			`#pragma once`
selinux: add bus service access control -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch adds the ability to look at the calling process that is trying to do dbus calls into systemd, then it checks with the SELinux policy to see if the calling process is allowed to do the activity. The basic idea is we want to allow NetworkManager_t to be able to start and stop ntpd.service, but not necessarly mysqld.service. Similarly we want to allow a root admin webadm_t that can only manage the apache environment. systemctl enable httpd.service, systemctl disable iptables.service bad. To make this code cleaner, we really need to refactor the dbus-manager.c code. This has just become a huge if-then-else blob, which makes doing the correct check difficult. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBJBi8ACgkQrlYvE4MpobOzTwCdEUikbvRWUCwOb83KlVF0Nuy5 lRAAnjZZNuc19Z+aNxm3k3nwD4p/JYco =yops -----END PGP SIGNATURE----- 2012-09-07 00:23:11 +04:00
			`/***`
			`This file is part of systemd.`

			`Copyright 2012 Dan Walsh`

			`systemd is free software; you can redistribute it and/or modify it`
			`under the terms of the GNU General Public License as published by`
			`the Free Software Foundation; either version 2 of the License, or`
			`(at your option) any later version.`

			`systemd is distributed in the hope that it will be useful, but`
			`WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
			`General Public License for more details.`

			`You should have received a copy of the GNU General Public License`
			`along with systemd; If not, see <http://www.gnu.org/licenses/>.`
			`***/`

selinux: remove anything PID1-specific from selinux-access.[ch] so that we can reuse it in logind 2012-10-03 01:56:54 +04:00			`#include <dbus.h>`

			`void selinux_access_free(void);`

			`int selinux_access_check(DBusConnection connection, DBusMessage message, const char path, const char permission, DBusError *error);`
selinux: rework selinux access check logic a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start(). 2012-10-03 01:07:00 +04:00
			`#ifdef HAVE_SELINUX`

selinux: remove anything PID1-specific from selinux-access.[ch] so that we can reuse it in logind 2012-10-03 01:56:54 +04:00			`#define SELINUX_ACCESS_CHECK(connection, message, permission) \`
selinux: rework selinux access check logic a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start(). 2012-10-03 01:07:00 +04:00			`do { \`
			`DBusError _error; \`
			`int _r; \`
			`DBusConnection *_c = (connection); \`
			`DBusMessage *_m = (message); \`
			`dbus_error_init(&_error); \`
selinux: remove anything PID1-specific from selinux-access.[ch] so that we can reuse it in logind 2012-10-03 01:56:54 +04:00			`_r = selinux_access_check(_c, _m, NULL, (permission), &_error); \`
selinux: rework selinux access check logic a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start(). 2012-10-03 01:07:00 +04:00			`if (_r < 0) \`
			`return bus_send_error_reply(_c, _m, &_error, _r); \`
			`} while (false)`

			`#define SELINUX_UNIT_ACCESS_CHECK(unit, connection, message, permission) \`
			`do { \`
			`DBusError _error; \`
			`int _r; \`
			`DBusConnection *_c = (connection); \`
			`DBusMessage *_m = (message); \`
selinux: remove anything PID1-specific from selinux-access.[ch] so that we can reuse it in logind 2012-10-03 01:56:54 +04:00			`Unit *_u = (unit); \`
selinux: rework selinux access check logic a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start(). 2012-10-03 01:07:00 +04:00			`dbus_error_init(&_error); \`
selinux: remove anything PID1-specific from selinux-access.[ch] so that we can reuse it in logind 2012-10-03 01:56:54 +04:00			`_r = selinux_access_check(_c, _m, _u->source_path ?: _u->fragment_path, (permission), &_error); \`
selinux: rework selinux access check logic a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start(). 2012-10-03 01:07:00 +04:00			`if (_r < 0) \`
			`return bus_send_error_reply(_c, _m, &_error, _r); \`
			`} while (false)`

			`#else`

selinux: remove anything PID1-specific from selinux-access.[ch] so that we can reuse it in logind 2012-10-03 01:56:54 +04:00			`#define SELINUX_ACCESS_CHECK(connection, message, permission) do { } while (false)`
selinux: rework selinux access check logic a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start(). 2012-10-03 01:07:00 +04:00			`#define SELINUX_UNIT_ACCESS_CHECK(unit, connection, message, permission) do { } while (false)`

selinux: add bus service access control -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch adds the ability to look at the calling process that is trying to do dbus calls into systemd, then it checks with the SELinux policy to see if the calling process is allowed to do the activity. The basic idea is we want to allow NetworkManager_t to be able to start and stop ntpd.service, but not necessarly mysqld.service. Similarly we want to allow a root admin webadm_t that can only manage the apache environment. systemctl enable httpd.service, systemctl disable iptables.service bad. To make this code cleaner, we really need to refactor the dbus-manager.c code. This has just become a huge if-then-else blob, which makes doing the correct check difficult. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBJBi8ACgkQrlYvE4MpobOzTwCdEUikbvRWUCwOb83KlVF0Nuy5 lRAAnjZZNuc19Z+aNxm3k3nwD4p/JYco =yops -----END PGP SIGNATURE----- 2012-09-07 00:23:11 +04:00			`#endif`