From 592ee6169469a2c8b796740b838a6c1d33f88278 Mon Sep 17 00:00:00 2001 From: Brian McGillion Date: Mon, 19 Dec 2011 19:54:54 +0200 Subject: [PATCH 1/2] Enable checking of smack context from DBus interface Signed-off-by: Brian McGillion --- bus/Makefile.am | 4 ++ bus/driver.c | 6 ++ bus/smack.c | 132 ++++++++++++++++++++++++++++++++++++++++++++++ bus/smack.h | 36 +++++++++++++ cmake/CMakeLists.txt | 3 + cmake/bus/CMakeLists.txt | 4 +- configure.ac | 17 +++++- 7 files changed, 199 insertions(+), 3 deletions(-) create mode 100644 bus/smack.c create mode 100644 bus/smack.h diff --git a/bus/Makefile.am b/bus/Makefile.am index 6cbc09a..7f63d86 100644 --- a/bus/Makefile.am +++ b/bus/Makefile.am @@ -7,6 +7,7 @@ DBUS_BUS_LIBS = \ $(THREAD_LIBS) \ $(ADT_LIBS) \ $(NETWORK_libs) \ + $(LIBSMACK_LIBS) \ $(NULL) DBUS_LAUNCHER_LIBS = \ @@ -21,6 +22,7 @@ AM_CPPFLAGS = \ -DDBUS_SYSTEM_CONFIG_FILE=\""$(configdir)/system.conf"\" \ -DDBUS_COMPILATION \ -DDBUS_STATIC_BUILD \ + $(LIBSMACK_CFLAGS) \ $(NULL) # if assertions are enabled, improve backtraces @@ -93,6 +95,8 @@ BUS_SOURCES= \ services.h \ signals.c \ signals.h \ + smack.c \ + smack.h \ stats.c \ stats.h \ test.c \ diff --git a/bus/driver.c b/bus/driver.c index 574e0f3..c6298d7 100644 --- a/bus/driver.c +++ b/bus/driver.c @@ -30,6 +30,7 @@ #include "services.h" #include "selinux.h" #include "signals.h" +#include "smack.h" #include "stats.h" #include "utils.h" #include @@ -38,6 +39,7 @@ #include #include + static dbus_bool_t bus_driver_send_welcome_message (DBusConnection *connection, DBusMessage *hello_message, BusTransaction *transaction, @@ -1736,6 +1738,10 @@ static const MessageHandler dbus_message_handlers[] = { "", DBUS_TYPE_STRING_AS_STRING, bus_driver_handle_get_id }, + { "GetConnectionSmackContext", + DBUS_TYPE_STRING_AS_STRING, + DBUS_TYPE_STRING_AS_STRING, + bus_smack_handle_get_connection_context }, { NULL, NULL, NULL, NULL } }; diff --git a/bus/smack.c b/bus/smack.c new file mode 100644 index 0000000..b8542c2 --- /dev/null +++ b/bus/smack.c @@ -0,0 +1,132 @@ +/* smack.c - Provide interface to query smack context + * + * Author: Brian McGillion + * Copyright © 2011 Intel Corporation + * + * Licensed under the Academic Free License version 2.1 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301 USA + */ + +#include +#include "smack.h" + +#include + +#include "connection.h" +#include "services.h" +#include "utils.h" + +#ifdef DBUS_ENABLE_SMACK +#include +#endif + +#ifdef DBUS_ENABLE_SMACK +static char * +bus_smack_get_label (DBusConnection *connection) +{ + char *label; + int sock_fd; + + if (!dbus_connection_get_socket(connection, &sock_fd)) + return NULL; + + if (smack_new_label_from_socket(sock_fd, &label) < 0) + return NULL; + return label; +} +#endif + +dbus_bool_t +bus_smack_handle_get_connection_context (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, + DBusError *error) +{ +#ifdef DBUS_ENABLE_SMACK + const char *remote_end = NULL; + BusRegistry *registry; + DBusString remote_end_str; + BusService *service; + DBusConnection *remote_connection; + DBusMessage *reply = NULL; + char *label; + + _DBUS_ASSERT_ERROR_IS_CLEAR (error); + + registry = bus_connection_get_registry (connection); + + if (!dbus_message_get_args (message, error, DBUS_TYPE_STRING, &remote_end, + DBUS_TYPE_INVALID)) + return FALSE; + + _dbus_verbose ("asked for label of connection %s\n", remote_end); + + _dbus_string_init_const (&remote_end_str, remote_end); + + service = bus_registry_lookup (registry, &remote_end_str); + if (service == NULL) + { + dbus_set_error (error, DBUS_ERROR_NAME_HAS_NO_OWNER, + "Bus name '%s' has no owner", remote_end); + return FALSE; + } + + remote_connection = bus_service_get_primary_owners_connection (service); + if (remote_connection == NULL) + goto oom; + + reply = dbus_message_new_method_return (message); + if (reply == NULL) + goto oom; + + label = bus_smack_get_label (remote_connection); + if (label == NULL) + { + dbus_set_error (error, DBUS_ERROR_FAILED, + "Failed to get the socket fd of the connection", + remote_end); + goto err; + } + + if (!dbus_message_append_args (reply, DBUS_TYPE_STRING, + &label, DBUS_TYPE_INVALID)) + goto oom; + + if (!bus_transaction_send_from_driver (transaction, connection, reply)) + goto oom; + + dbus_message_unref (reply); + dbus_free(label); + + return TRUE; + +oom: + BUS_SET_OOM (error); + +err: + if (reply != NULL) + dbus_message_unref (reply); + + dbus_free(label); + + return FALSE; +#else + dbus_set_error (error, DBUS_ERROR_NOT_SUPPORTED, + "SMACK support is not enabled"); + return FALSE; +#endif +} diff --git a/bus/smack.h b/bus/smack.h new file mode 100644 index 0000000..04a4a2a --- /dev/null +++ b/bus/smack.h @@ -0,0 +1,36 @@ +/* smack.h - Provide interface to query smack context + * + * Author: Brian McGillion + * Copyright © 2011 Intel Corporation + * + * Based on example from Stats interface + * + * Licensed under the Academic Free License version 2.1 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301 USA + */ + +#ifndef SMACK_H +#define SMACK_H + +#include "bus.h" + +dbus_bool_t bus_smack_handle_get_connection_context (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, + DBusError *error); + +#endif // SMACK_H diff --git a/cmake/CMakeLists.txt b/cmake/CMakeLists.txt index ba44d57..75c7794 100644 --- a/cmake/CMakeLists.txt +++ b/cmake/CMakeLists.txt @@ -92,6 +92,8 @@ option (DBUS_ENABLE_STATS "enable bus daemon usage statistics" OFF) option (DBUS_ENABLE_STATS "enable bus daemon usage statistics" OFF) +option (DBUS_ENABLE_SMACK "enable smack checks in the daemon" OFF) + if (DBUS_USE_EXPAT) find_package(LibExpat) else () @@ -553,6 +555,7 @@ message(" Building bus stats API: ${DBUS_ENABLE_STATS} " message(" installing system libs: ${DBUS_INSTALL_SYSTEM_LIBS} ") #message(" Building SELinux support: ${have_selinux} ") #message(" Building dnotify support: ${have_dnotify} ") +message(" Building Smack support: ${DBUS_ENABLE_SMACK} ") message(" Building Doxygen docs: ${DBUS_ENABLE_DOXYGEN_DOCS} ") message(" Building XML docs: ${DBUS_ENABLE_XML_DOCS} ") #message(" Gettext libs (empty OK): ${INTLLIBS} ") diff --git a/cmake/bus/CMakeLists.txt b/cmake/bus/CMakeLists.txt index faf9a8e..5d8c718 100644 --- a/cmake/bus/CMakeLists.txt +++ b/cmake/bus/CMakeLists.txt @@ -69,7 +69,9 @@ set (BUS_SOURCES ${BUS_DIR}/test.c ${BUS_DIR}/test.h ${BUS_DIR}/utils.c - ${BUS_DIR}/utils.h + ${BUS_DIR}/utils.h + ${BUS_DIR}/smack.c + ${BUS_DIR}/smack.h ${XML_SOURCES} ${DIR_WATCH_SOURCE} ) diff --git a/configure.ac b/configure.ac index 7bd4ddf..ed64a2e 100644 --- a/configure.ac +++ b/configure.ac @@ -188,6 +188,9 @@ if test "x$enable_embedded_tests" = xyes; then [Define to build test code into the library and binaries]) fi +# call early to ensure availability +PKG_PROG_PKG_CONFIG + # DBUS_ENABLE_MODULAR_TESTS controls tests that work based on public API. # These use GTest, from GLib, because life's too short. They're enabled by # default (unless you don't have GLib), because they don't bloat the library @@ -877,8 +880,6 @@ fi # unix:path=/foo or unix:abstract=/foo AC_SUBST(DBUS_PATH_OR_ABSTRACT) -PKG_PROG_PKG_CONFIG - #### Sort out XML library # see what we have @@ -1672,6 +1673,17 @@ if test "x$enable_stats" = xyes; then [Define to enable bus daemon usage statistics]) fi +#enable smack label support +AC_ARG_ENABLE([smack], [AS_HELP_STRING([--enable-smack], [enable SMACK security checks])], [], [enable_smack=no]) +if test "x$enable_smack" = xyes; then + PKG_CHECK_MODULES([LIBSMACK], [libsmack >= 1.0], + [AC_DEFINE([DBUS_ENABLE_SMACK], [1], [Define to enable SMACK security features])], + [AC_MSG_ERROR([libsmack is required to enable smack support])]) +fi + +AC_SUBST([LIBSMACK_CFLAGS]) +AC_SUBST([LIBSMACK_LIBS]) + AC_CONFIG_FILES([ Doxyfile dbus/versioninfo.rc @@ -1749,6 +1761,7 @@ echo " Building checks: ${enable_checks} Building bus stats API: ${enable_stats} Building SELinux support: ${have_selinux} + Building SMACK support: ${enable_smack} Building inotify support: ${have_inotify} Building dnotify support: ${have_dnotify} Building kqueue support: ${have_kqueue} -- 1.7.5.4