From 0eccf2126ab985374ecc977b619b4cd02a274173 Mon Sep 17 00:00:00 2001
From: osmond sun
Date: Tue, 5 Nov 2013 11:08:57 +0800
Subject: [PATCH] Get the dbus's class value and perm access vector bit from policy

Get the class value and perm access vector bit according to the selinux policy, instead of the hard coded value from flask.h and av_permission.h. If we use the hardcodes, the indices value of "dbus" class must be 52 in the selinux's policy, elsewise there will be "SELinux: Invalid class 52". SELinux can dynamically discover class and permission values upon policy load, I think we should let dbus correctly get class/perm indices.
---
 bus/selinux.c | 134 ++++++++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 122 insertions(+), 12 deletions(-)

diff --git a/bus/selinux.c b/bus/selinux.c
index 36287e9..1296792 100644
--- a/bus/selinux.c
+++ b/bus/selinux.c
@@ -459,6 +459,86 @@ bus_selinux_check (BusSELinuxID *sender_sid,
 else
 return TRUE;
 }
+
+/**
+ * Get dbus's class value and its access vecotr bit from policy instead of
+ * hard coded.
+ * If we can't get find the class from the policy, use deny_unknown bit to
+ * determine the queries
+ *
+ * @param perm_str the access vector name
+ * @param class_dbus used to return the class value
+ * @param dbus_perm used to return the access vector bit
+ * @returns CONTINUE_WITH_CHECK get the class value and access vector success
+ * DENY_ALL deny all the request
+ * ALLOW_ALL allow all the request
+ */
+typedef enum
+ {
+ CONTINUE_WITH_CHECK,
+ DENY_ALL,
+ ALLOW_ALL
+ } GetClassPermResult;
+
+static GetClassPermResult
+bus_selinux_get_class_perm_value (char * perm_str,
+ security_class_t * class_dbus,
+ access_vector_t * dbus_perm)
+{
+ int deny_unknown;
+ security_class_t cls;
+ access_vector_t pm;
+
+ deny_unknown = security_deny_unknown();
+ if (deny_unknown == -1)
+ {
+ _dbus_system_log (DBUS_SYSTEM_LOG_SECURITY,
+ "Could not determine SELinux policy, assuming unknown class or perm should be denied(security_deny_unknown():%s)",
+ strerror (errno));
+ /*if security_deny_unknown error, we treat the queries as being denied;*/
+ deny_unknown = 1;
+ }
+ cls = string_to_security_class ("dbus");
+ if (cls == 0)
+ {
+ _dbus_system_log(DBUS_SYSTEM_LOG_SECURITY,
+ "Could not determine \"dbus\" class value(string_to_security_class():%s)",
+ strerror (errno));
+ goto error;
+ }
+ else
+ {
+ if (class_dbus != NULL)
+ *class_dbus = cls;
+ else
+ goto error;
+ }
+
+ pm = string_to_av_perm(cls, perm_str);
+ if (pm == 0)
+ {
+ _dbus_system_log(DBUS_SYSTEM_LOG_SECURITY,
+ "Could not determine dbus's access vector bit:%s (string_to_av_perm():%s)",
+ perm_str,
+ strerror (errno));
+ goto error;
+ }
+ else
+ {
+ if (pm != NULL)
+ *dbus_perm = pm;
+ else
+ goto error;
+ }
+
+ return CONTINUE_WITH_CHECK;
+
+error:
+ if (deny_unknown)
+ return DENY_ALL;
+ else
+ return ALLOW_ALL;
+}
 #endif /* HAVE_SELINUX */
 /**
@@ -480,7 +560,9 @@ bus_selinux_allows_acquire_service (DBusConnection *connection,
 unsigned long spid;
 DBusString auxdata;
 dbus_bool_t ret;
-
+ GetClassPermResult get_class_ret;
+ security_class_t class_dbus;
+ access_vector_t dbus_av_perm;
 if (!selinux_enabled)
 return TRUE;
@@ -505,13 +587,25 @@ bus_selinux_allows_acquire_service (DBusConnection *connection,
 if (!_dbus_string_append_uint (&auxdata, spid))
 goto oom;
 }
-
- ret = bus_selinux_check (connection_sid,
- service_sid,
- SECCLASS_DBUS,
- DBUS__ACQUIRE_SVC,
- &auxdata);
+ get_class_ret = bus_selinux_get_class_perm_value ("acquire_svc",
+ &class_dbus,
+ &dbus_av_perm);
+ if (get_class_ret == CONTINUE_WITH_CHECK)
+ {
+ ret = bus_selinux_check (connection_sid,
+ service_sid,
+ class_dbus,
+ dbus_av_perm,
+ &auxdata);
+ }
+ else
+ {
+ if (get_class_ret == ALLOW_ALL)
+ ret = TRUE;
+ else
+ ret = FALSE;
+ }
 _dbus_string_free (&auxdata);
 return ret;
@@ -552,6 +646,9 @@ bus_selinux_allows_send (DBusConnection *sender,
 DBusString auxdata;
 dbus_bool_t ret;
 dbus_bool_t string_alloced;
+ GetClassPermResult get_class_ret;
+ security_class_t class_dbus;
+ access_vector_t dbus_av_perm;
 if (!selinux_enabled)
 return TRUE;
@@ -629,11 +726,24 @@ bus_selinux_allows_send (DBusConnection *sender,
 else
 recipient_sid = BUS_SID_FROM_SELINUX (bus_sid);
- ret = bus_selinux_check (sender_sid,
- recipient_sid,
- SECCLASS_DBUS,
- DBUS__SEND_MSG,
- &auxdata);
+ get_class_ret = bus_selinux_get_class_perm_value ("send_msg",
+ &class_dbus,
+ &dbus_av_perm);
+ if(get_class_ret == CONTINUE_WITH_CHECK)
+ {
+ ret = bus_selinux_check (sender_sid,
+ recipient_sid,
+ class_dbus,
+ dbus_av_perm,
+ &auxdata);
+ }
+ else
+ {
+ if (get_class_ret == ALLOW_ALL)
+ ret = TRUE;
+ else
+ ret = FALSE;
+ }
 _dbus_string_free (&auxdata);
-- 
1.8.3.1
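Review bot: `if (pm != NULL)` in the av-perm branch of bus_selinux_get_class_perm_value compares the `access_vector_t` value `pm` against a pointer constant instead of checking the `dbus_perm` out-pointer; because `pm == 0` was already rejected, the test is always true and a NULL `dbus_perm` would be dereferenced on the next line. Mirror the class branch with `if (dbus_perm != NULL) *dbus_perm = pm; else goto error;`, or better check both out-pointers at entry, since jumping to `error` turns a caller bug into a policy decision that yields ALLOW_ALL whenever deny_unknown is 0. The function also calls `security_deny_unknown()`, `string_to_security_class()` and `string_to_av_perm()` on every invocation and is wired into bus_selinux_allows_send, which presumably runs per message, so when the "dbus" class is absent from the loaded policy `_dbus_system_log` fires for every message; cache the resolved class/perm and log once, refreshing the cache on policy reload. Minor: `perm_str` is never written through and should be `const char *`, and the `/** ... @param ... @returns */` block describes the function but sits above `typedef enum`, so Doxygen attaches it to the enum; move the enum above the comment and fix "vecotr" and "can't get find".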
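Review bot: The lookup-and-dispatch block added after `goto oom; }` in bus_selinux_allows_acquire_service is repeated verbatim in the bus_selinux_allows_send hunk (`@@ -629,11 +726,24 @@`), differing only in the permission string, so the allow/deny fallback now lives in two places and the three new locals are duplicated in both functions' declaration hunks. Fold it into one static helper that both call sites use, e.g. `ret = bus_selinux_check_perm (connection_sid, service_sid, "acquire_svc", &auxdata);`. Within the dispatch, `else { if (get_class_ret == ALLOW_ALL) ret = TRUE; else ret = FALSE; }` is just `ret = (get_class_ret == ALLOW_ALL);`. Both enclosing functions start and end outside their hunks.
```c
/* Resolve the "dbus" class and PERM_STR from the loaded policy and run the
 * AVC check; if the class is unknown to the policy the result follows the
 * policy's handle_unknown setting (see bus_selinux_get_class_perm_value). */
static dbus_bool_t
bus_selinux_check_perm (BusSELinuxID *sender_sid,
                        BusSELinuxID *override_sid,
                        char         *perm_str,
                        DBusString   *auxdata)
{
  security_class_t class_dbus;
  access_vector_t dbus_av_perm;

  switch (bus_selinux_get_class_perm_value (perm_str, &class_dbus, &dbus_av_perm))
    {
    case CONTINUE_WITH_CHECK:
      return bus_selinux_check (sender_sid, override_sid,
                                class_dbus, dbus_av_perm, auxdata);
    case ALLOW_ALL:
      return TRUE;
    case DENY_ALL:
    default:
      return FALSE;
    }
}

/* … in bus_selinux_allows_acquire_service, replacing the added block … */
  ret = bus_selinux_check_perm (connection_sid, service_sid, "acquire_svc", &auxdata);
```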