From acebfabeab1bb52defc76566812b04631b54be2e Mon Sep 17 00:00:00 2001 From: Brian McGillion Date: Mon, 23 Apr 2012 17:41:33 +0300 Subject: [PATCH] get Smack context for connection Signed-off-by: Brian McGillion --- bus/Makefile.am | 4 +++ bus/connection.c | 34 +++++++++++++++++++++ bus/connection.h | 1 + bus/driver.c | 14 +++++++++ bus/smack.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++ bus/smack.h | 35 ++++++++++++++++++++++ cmake/CMakeLists.txt | 3 ++ cmake/bus/CMakeLists.txt | 4 ++- configure.ac | 12 ++++++++ 9 files changed, 180 insertions(+), 1 deletion(-) create mode 100644 bus/smack.c create mode 100644 bus/smack.h diff --git a/bus/Makefile.am b/bus/Makefile.am index 6cbc09a..7f63d86 100644 --- a/bus/Makefile.am +++ b/bus/Makefile.am @@ -7,6 +7,7 @@ DBUS_BUS_LIBS = \ $(THREAD_LIBS) \ $(ADT_LIBS) \ $(NETWORK_libs) \ + $(LIBSMACK_LIBS) \ $(NULL) DBUS_LAUNCHER_LIBS = \ @@ -21,6 +22,7 @@ AM_CPPFLAGS = \ -DDBUS_SYSTEM_CONFIG_FILE=\""$(configdir)/system.conf"\" \ -DDBUS_COMPILATION \ -DDBUS_STATIC_BUILD \ + $(LIBSMACK_CFLAGS) \ $(NULL) # if assertions are enabled, improve backtraces @@ -93,6 +95,8 @@ BUS_SOURCES= \ services.h \ signals.c \ signals.h \ + smack.c \ + smack.h \ stats.c \ stats.h \ test.c \ diff --git a/bus/connection.c b/bus/connection.c index 97e5f64..92b5356 100644 --- a/bus/connection.c +++ b/bus/connection.c @@ -30,6 +30,7 @@ #include "signals.h" #include "expirelist.h" #include "selinux.h" +#include "smack.h" #include #include #include @@ -102,6 +103,10 @@ typedef struct int peak_match_rules; int peak_bus_names; #endif + +#ifdef DBUS_ENABLE_SMACK + char *smack_label; +#endif } BusConnectionData; static dbus_bool_t bus_pending_reply_expired (BusExpireList *list, @@ -409,6 +414,10 @@ free_connection_data (void *data) dbus_free (d->name); +#ifdef DBUS_ENABLE_SMACK + bus_smack_label_free (d->smack_label); +#endif + dbus_free (d); } 
@@ -626,6 +635,11 @@ bus_connections_setup_connection (BusConnections *connections, dbus_error_init (&error); d->selinux_id = bus_selinux_init_connection_id (connection, &error); + +#ifdef DBUS_ENABLE_SMACK + d->smack_label = bus_smack_get_label (connection, &error); +#endif + if (dbus_error_is_set (&error)) { /* This is a bit bogus because we pretend all errors @@ -723,6 +737,10 @@ bus_connections_setup_connection (BusConnections *connections, bus_selinux_id_unref (d->selinux_id); d->selinux_id = NULL; +#ifdef DBUS_ENABLE_SMACK + bus_smack_label_free (d->smack_label); +#endif + if (!dbus_connection_set_watch_functions (connection, NULL, NULL, NULL, connection, @@ -1107,6 +1125,22 @@ bus_connection_get_selinux_id (DBusConnection *connection) return d->selinux_id; } +const char * +bus_connection_get_smack_label (DBusConnection *connection) +{ +#ifdef DBUS_ENABLE_SMACK + BusConnectionData *d; + + d = BUS_CONNECTION_DATA (connection); + + _dbus_assert (d != NULL); + + return d->smack_label; +#else + return NULL; +#endif +} + /** * Checks whether the connection is registered with the message bus. * diff --git a/bus/connection.h b/bus/connection.h index c936021..7043bd8 100644 --- a/bus/connection.h +++ b/bus/connection.h @@ -78,6 +78,7 @@ const char *bus_connection_get_name (DBusConnection *connection); dbus_bool_t bus_connection_preallocate_oom_error (DBusConnection *connection); void bus_connection_send_oom_error (DBusConnection *connection, DBusMessage *in_reply_to); +const char *bus_connection_get_smack_label (DBusConnection *connection); /* called by signals.c */ dbus_bool_t bus_connection_add_match_rule (DBusConnection *connection, diff --git a/bus/driver.c b/bus/driver.c index f341ebe..6652ea4 100644 --- a/bus/driver.c +++ b/bus/driver.c 
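Review bot: In the `@@ -626,6 +635,11 @@` hunk, `bus_smack_get_label (connection, &error)` reuses the `error` that `bus_selinux_init_connection_id` may already have set, and it runs before the `dbus_error_is_set (&error)` check that follows. If the SELinux call failed and the Smack lookup fails as well, `dbus_set_error` is called on an error that is already set, which libdbus treats as a programming error. Guarding the call keeps one failure per error object: `if (!dbus_error_is_set (&error)) d->smack_label = bus_smack_get_label (connection, &error);`. With Smack compiled in, any failure to read the label also rejects the connection through this path; if that is intended, a short comment saying so would help. bus_connections_setup_connection starts and ends outside the hunk.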
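Review bot: In the `@@ -723,6 +737,10 @@` hunk, the failure path calls `bus_smack_label_free (d->smack_label);` but leaves `d->smack_label` pointing at the freed buffer, whereas the line just above resets `d->selinux_id = NULL` after the unref. This patch also makes `free_connection_data` free `d->smack_label`, so if `d` is later released through that function (the rest of the failure path is outside the hunk), the label would be freed twice. Add `d->smack_label = NULL;` directly after the call, inside the same `#ifdef DBUS_ENABLE_SMACK` block.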
@@ -1545,6 +1545,10 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection, BusSELinuxID *sid; #endif +#ifdef DBUS_ENABLE_SMACK + const char *smack_label; +#endif + _DBUS_ASSERT_ERROR_IS_CLEAR (error); reply = NULL; @@ -1624,6 +1628,16 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection, } #endif +#ifdef DBUS_ENABLE_SMACK + smack_label = bus_connection_get_smack_label (conn); + + if (smack_label != NULL) + { + if (!_dbus_asv_add_string (&array_iter, "SmackSecurityContext", smack_label)) + goto oom; + } +#endif + if (!_dbus_asv_close (&reply_iter, &array_iter)) goto oom; diff --git a/bus/smack.c b/bus/smack.c new file mode 100644 index 0000000..34e99c1 --- /dev/null +++ b/bus/smack.c 
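Review bot: The new `SmackSecurityContext` entry in the `@@ -1624,6 +1628,16 @@` hunk has no comment saying what the value represents, and clients may base access decisions on it. From the rest of this patch, it is the label read from the peer socket once in bus_connections_setup_connection and cached, not a value re-read per request. I would add above the block: `/* Smack label of the peer, read from its socket when the connection was set up; omitted if unavailable */`. bus_driver_handle_get_connection_credentials starts and ends outside the hunk.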
@@ -0,0 +1,74 @@
+/* smack.c - Provide interface to query smack context
+ *
+ * Author: Brian McGillion
+ * Copyright © 2011 Intel Corporation
+ *
+ * Licensed under the Academic Free License version 2.1
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301 USA
+ */
+
+#include
+#include "smack.h"
+
+#include
+
+#include "connection.h"
+#include "services.h"
+#include "utils.h"
+
+#ifdef DBUS_ENABLE_SMACK
+#include
+#include
+#endif
+
+char *
+bus_smack_get_label (DBusConnection *connection, DBusError *error)
+{
+#ifdef DBUS_ENABLE_SMACK
+ char *label;
+ int sock_fd;
+
+ if (!dbus_connection_get_socket (connection, &sock_fd))
+ {
+ dbus_set_error (error, DBUS_ERROR_FAILED,
+ "Failed to get the socket descriptor of the connection");
+ _dbus_verbose ("Failed to get socket descriptor of connection for Smack check.\n");
+ return NULL;
+ }
+
+ if (smack_new_label_from_socket (sock_fd, &label) < 0)
+ {
+ dbus_set_error (error, DBUS_ERROR_FAILED,
+ "Failed to read the Smack context from the connection.\n");
+ _dbus_verbose ("Failed to read the Smack context from the connection.\n");
+ return NULL;
+ }
+ return label;
+#else
+ return NULL;
+#endif
+}
+
+void
+bus_smack_label_free (void *label)
+{
+#ifdef DBUS_ENABLE_SMACK
+ if (label)
+ free (label);
+ label = NULL;
+#endif
+}
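Review bot: In `bus_smack_label_free`, `label = NULL;` only clears the function's own copy of the pointer, so the caller's field still refers to freed memory after the call, even though the code reads as if it guarded against reuse. Either drop the assignment and the redundant `if (label)` so the body is just `free (label);`, with callers resetting their own pointer, or change the parameter to `char **` so the function can really clear it. Separately, the second `dbus_set_error` message in `bus_smack_get_label` ends in `.\n` while the first has no trailing newline. Error text returned to clients should not carry one: `"Failed to read the Smack context from the connection"`.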
diff --git a/bus/smack.h b/bus/smack.h new file mode 100644 index 0000000..6e48dff --- /dev/null +++ b/bus/smack.h @@ -0,0 +1,35 @@ +/* smack.h - Provide interface to query smack context + * + * Author: Brian McGillion + * Copyright © 2011 Intel Corporation + * + * Based on example from Stats interface + * + * Licensed under the Academic Free License version 2.1 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301 USA + */ + +#ifndef SMACK_H +#define SMACK_H + +#include "bus.h" + +char *bus_smack_get_label (DBusConnection *connection, DBusError *error); + +void bus_smack_label_free (void *label); + +#endif // SMACK_H diff --git a/cmake/CMakeLists.txt b/cmake/CMakeLists.txt index ba44d57..75c7794 100644 --- a/cmake/CMakeLists.txt +++ b/cmake/CMakeLists.txt @@ -92,6 +92,8 @@ option (DBUS_ENABLE_STATS "enable bus daemon usage statistics" OFF) option (DBUS_ENABLE_STATS "enable bus daemon usage statistics" OFF) +option (DBUS_ENABLE_SMACK "enable smack checks in the daemon" OFF) + if (DBUS_USE_EXPAT) find_package(LibExpat) else () 
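Review bot: Neither prototype in smack.h documents ownership or the meaning of a NULL return, and both callers in connection.c depend on that contract. From smack.c, `bus_smack_get_label` returns a label allocated by libsmack that the caller must release, and it returns NULL either with `error` set on failure or with no error when Smack support is compiled out. I would add `/* Returns a newly allocated label to be released with bus_smack_label_free(), or NULL: with error set on failure, without an error when Smack is compiled out. */` above the first prototype. Above the second, I would add a line stating that it does not reset the caller's pointer.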
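Review bot: The `DBUS_ENABLE_SMACK` option added in the `@@ -92,6 +92,8 @@` hunk of cmake/CMakeLists.txt does not appear to be wired to anything in a CMake build. The patch's diffstat lists no CMake config-header template, and the CMake changes are limited to this option, the status message in the later hunk of the same file and the two new source files, with no lookup or link flags for libsmack. Unless the macro is defined elsewhere, switching the option on would still compile smack.c with the feature disabled. If the macro were defined without a library lookup, the build would fail to find libsmack. Either add the missing pieces (a `#cmakedefine DBUS_ENABLE_SMACK 1` entry plus a libsmack check and link), or leave the option out of the CMake build until it is supported, as configure.ac does with `PKG_CHECK_MODULES`.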
@@ -553,6 +555,7 @@ message(" Building bus stats API: ${DBUS_ENABLE_STATS} " message(" installing system libs: ${DBUS_INSTALL_SYSTEM_LIBS} ") #message(" Building SELinux support: ${have_selinux} ") #message(" Building dnotify support: ${have_dnotify} ") +message(" Building Smack support: ${DBUS_ENABLE_SMACK} ") message(" Building Doxygen docs: ${DBUS_ENABLE_DOXYGEN_DOCS} ") message(" Building XML docs: ${DBUS_ENABLE_XML_DOCS} ") #message(" Gettext libs (empty OK): ${INTLLIBS} ") diff --git a/cmake/bus/CMakeLists.txt b/cmake/bus/CMakeLists.txt index faf9a8e..5d8c718 100644 --- a/cmake/bus/CMakeLists.txt +++ b/cmake/bus/CMakeLists.txt @@ -69,7 +69,9 @@ set (BUS_SOURCES ${BUS_DIR}/test.c ${BUS_DIR}/test.h ${BUS_DIR}/utils.c - ${BUS_DIR}/utils.h + ${BUS_DIR}/utils.h + ${BUS_DIR}/smack.c + ${BUS_DIR}/smack.h ${XML_SOURCES} ${DIR_WATCH_SOURCE} ) diff --git a/configure.ac b/configure.ac index 59b23d2..a0f96d1 100644 --- a/configure.ac +++ b/configure.ac @@ -1676,6 +1676,17 @@ if test "x$enable_stats" = xyes; then [Define to enable bus daemon usage statistics]) fi +#enable smack label support +AC_ARG_ENABLE([smack], [AS_HELP_STRING([--enable-smack], [enable SMACK security checks])], [], [enable_smack=no]) +if test "x$enable_smack" = xyes; then + PKG_CHECK_MODULES([LIBSMACK], [libsmack >= 1.0], + [AC_DEFINE([DBUS_ENABLE_SMACK], [1], [Define to enable SMACK security features])], + [AC_MSG_ERROR([libsmack is required to enable smack support])]) +fi + +AC_SUBST([LIBSMACK_CFLAGS]) +AC_SUBST([LIBSMACK_LIBS]) + AC_CONFIG_FILES([ Doxyfile dbus/versioninfo.rc @@ -1754,6 +1765,7 @@ echo " Building checks: ${enable_checks} Building bus stats API: ${enable_stats} Building SELinux support: ${have_selinux} + Building SMACK support: ${enable_smack} Building inotify support: ${have_inotify} Building dnotify support: ${have_dnotify} Building kqueue support: ${have_kqueue} -- 1.7.10