Re: [systemd-devel] SELinux patch still broken, in that we are not checking the correct source context.

Lennart Poettering Mon, 15 Oct 2012 17:00:30 -0700

On Thu, 11.10.12 17:06, Daniel J Walsh ([email protected]) wrote:

Applied both patches, with minor changes (replaced calloc+strncpy with
strndup()).


> diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
> index d9c3f9b..974e9fe 100644
> --- a/src/core/selinux-access.c
> +++ b/src/core/selinux-access.c
> @@ -59,7 +59,11 @@ static int bus_get_selinux_security_context(
>                  DBusError *error) {
>  
>          _cleanup_dbus_message_unref_ DBusMessage *m = NULL, *reply = NULL;
> +     DBusMessageIter iter, sub;
> +     char *bytes;
> +     int nbytes;
>  
> +        log_debug("GetConnectionSELinuxSecurityContext");
>          m = dbus_message_new_method_call(
>                          DBUS_SERVICE_DBUS,
>                          DBUS_PATH_DBUS,
> @@ -85,11 +89,21 @@ static int bus_get_selinux_security_context(
>          if (dbus_set_error_from_message(error, reply))
>                  return -EIO;
>  
> -        if (!dbus_message_get_args(
> -                            reply, error,
> -                            DBUS_TYPE_STRING, scon,
> -                            DBUS_TYPE_INVALID))
> -                return -EIO;
> +        if (!dbus_message_iter_init (reply, &iter))
> +             return -EIO;
> +
> +        if (dbus_message_iter_get_arg_type (&iter) != DBUS_TYPE_ARRAY)
> +             return -EIO;
> +
> +     dbus_message_iter_recurse (&iter, &sub);
> +     dbus_message_iter_get_fixed_array (&sub, &bytes, &nbytes);
> +
> +     *scon = calloc(1, nbytes + 1);
> +     if (!*scon)
> +                return -ENOMEM;
> +     strncpy(*scon, bytes, nbytes);
> +
> +        log_debug("GetConnectionSELinuxSecurityContext %s (pid %ld)", *scon, 
> (long) bus_get_unix_process_id(connection, name, error));
>  
>          return 0;
>  }
> @@ -293,14 +307,17 @@ static int get_calling_context(
>          */
>          sender = dbus_message_get_sender(message);
>          if (sender) {
> +                log_error("SELinux Got Sender %s", sender);
> +
>                  r = bus_get_selinux_security_context(connection, sender, 
> scon, error);
>                  if (r >= 0)
>                          return r;
>  
> -                log_debug("bus_get_selinux_security_context failed %m");
> -                dbus_error_free(error);
> +                log_error("bus_get_selinux_security_context failed %m");
> +                return r;
>          }
>  
> +        log_debug("SELinux No Sender");
>          if (!dbus_connection_get_unix_fd(connection, &fd)) {
>                  log_error("bus_connection_get_unix_fd failed %m");
>                  return -EINVAL;

> _______________________________________________
> systemd-devel mailing list
> [email protected]
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel



Lennart

-- 
Lennart Poettering - Red Hat, Inc.
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] SELinux patch still broken, in that we are not checking the correct source context.

Reply via email to