bus-proxy: automatically detect scope of bus and derive which XML snippets to load from that

2025-01-05 13:18:06 +03:00 · 2014-11-28 16:14:39 +01:00 · 2014-11-28 16:14:39 +01:00 · 2e43ad9ca6
commit 2e43ad9ca6
parent e3afaf6b8e
3 changed files with 38 additions and 27 deletions
--- a/src/bus-proxyd/bus-proxyd.c
+++ b/src/bus-proxyd/bus-proxyd.c
@ -1381,24 +1381,37 @@ int main(int argc, char *argv[]) {
        }
        if (a->is_kernel) {
-                _cleanup_bus_creds_unref_ sd_bus_creds *bus_creds = NULL;
+                if (!arg_configuration) {
-                uid_t bus_uid;
+                        const char *scope;
-                r = sd_bus_get_owner_creds(a, SD_BUS_CREDS_UID, &bus_creds);
+                        r = sd_bus_get_scope(a, &scope);
                        if (r < 0) {
-                        log_error_errno(r, "Failed to get bus creds: %m");
+                                log_error_errno(r, "Couldn't determine bus scope: %m");
                                goto finish;
                        }
-                r = sd_bus_creds_get_uid(bus_creds, &bus_uid);
+                        if (streq(scope, "system"))
-                if (r < 0) {
+                                arg_configuration = strv_new(
-                        log_error_errno(r, "Failed to get bus owner UID: %m");
+                                                "/etc/dbus-1/system.conf",
                                                "/etc/dbus-1/system.d/",
                                                "/etc/dbus-1/system-local.conf",
                                                NULL);
                        else if (streq(scope, "user"))
                                arg_configuration = strv_new(
                                                "/etc/dbus-1/session.conf",
                                                "/etc/dbus-1/session.d/",
                                                "/etc/dbus-1/session-local.conf",
                                                NULL);
                        else {
                                log_error("Unknown scope %s, don't know which policy to load. Refusing.", scope);
                                goto finish;
                        }
-                if (bus_uid == 0) {
+                        if (!arg_configuration) {
-                        /* We only enforce the old XML policy on
+                                r = log_oom();
-                         * kernel busses owned by root users. */
+                                goto finish;
                        }
                }
                r = policy_load(&policy_buffer, arg_configuration);
                if (r < 0) {
@ -1406,14 +1419,12 @@ int main(int argc, char *argv[]) {
                        goto finish;
                }
                        if (!policy_check_hello(&policy_buffer, ucred.uid, ucred.gid)) {
                                log_error("Policy denied connection");
                                r = -EPERM;
                                goto finish;
                        }
                        policy_dump(&policy_buffer);
                policy = &policy_buffer;
                policy_dump(policy);
                if (!policy_check_hello(policy, ucred.uid, ucred.gid)) {
                        r = log_error_errno(EPERM, "Policy denied connection.");
                        goto finish;
                }
        }
--- a/units/systemd-bus-proxyd@.service.in
+++ b/units/systemd-bus-proxyd@.service.in
@ -12,7 +12,7 @@ Description=Legacy D-Bus Protocol Compatibility Daemon
 # The first argument will be replaced by the service by information on
 # the process requesting the proxy, we need a placeholder to keep the
 # space available for this.
-ExecStart=@rootlibexecdir@/systemd-bus-proxyd --drop-privileges --address=kernel:path=/sys/fs/kdbus/0-system/bus --configuration=/etc/dbus-1/system.conf --configuration=/etc/dbus-1/system-local.conf --configuration=/etc/dbus-1/system.d/ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ExecStart=@rootlibexecdir@/systemd-bus-proxyd --drop-privileges --address=kernel:path=/sys/fs/kdbus/0-system/bus xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 NotifyAccess=main
 CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP
 PrivateTmp=yes
--- a/units/user/systemd-bus-proxyd@.service.in
+++ b/units/user/systemd-bus-proxyd@.service.in
@ -12,5 +12,5 @@ Description=Legacy D-Bus Protocol Compatibility Daemon
 # The first argument will be replaced by the service by information on
 # the process requesting the proxy, we need a placeholder to keep the
 # space available for this.
-ExecStart=@rootlibexecdir@/systemd-bus-proxyd --address=kernel:path=/sys/fs/kdbus/%U-user/bus --configuration=/etc/dbus-1/session.conf --configuration=/etc/dbus-1/session-local.conf --configuration=/etc/dbus-1/session.d/ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ExecStart=@rootlibexecdir@/systemd-bus-proxyd --address=kernel:path=/sys/fs/kdbus/%U-user/bus xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 NotifyAccess=main