1 /* selinux.c SELinux security checks for D-BUS
3 * Author: Matthew Rickard <mjricka@epoch.ncsc.mil>
5 * Licensed under the Academic Free License version 2.0
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 #include <dbus/dbus-internals.h>
23 #include <dbus/dbus-string.h>
27 #include "config-parser.h"
32 #include <selinux/selinux.h>
33 #include <selinux/avc.h>
34 #include <selinux/av_permissions.h>
35 #include <selinux/flask.h>
37 #endif /* HAVE_SELINUX */
39 #define BUS_SID_FROM_SELINUX(sid) ((BusSELinuxID*) (sid))
40 #define SELINUX_SID_FROM_BUS(sid) ((security_id_t) (sid))
43 /* Store the value telling us if SELinux is enabled in the kernel. */
44 static dbus_bool_t selinux_enabled = FALSE;
46 /* Store an avc_entry_ref to speed AVC decisions. */
47 static struct avc_entry_ref aeref;
49 static security_id_t bus_sid = SECSID_WILD;
50 #endif /* HAVE_SELINUX */
53 * Log callback to log denial messages from the AVC.
54 * This is used in avc_init. Logs to both standard
57 * @param fmt the format string
58 * @param variable argument list
62 log_callback (const char *fmt, ...)
66 vsyslog (LOG_INFO, fmt, ap);
69 #endif /* HAVE_SELINUX */
73 * Initialize the user space access vector cache (AVC) for D-BUS and set up
77 bus_selinux_init (void)
80 struct avc_log_callback log_cb = {(void*)log_callback, NULL};
84 _dbus_assert (bus_sid == SECSID_WILD);
86 /* Determine if we are running an SELinux kernel. */
87 r = is_selinux_enabled ();
90 _dbus_warn ("Could not tell if SELinux is enabled: %s\n",
91 _dbus_strerror (errno));
95 selinux_enabled = r != 0;
99 _dbus_verbose ("SELinux not enabled in this kernel.\n");
103 _dbus_verbose ("SELinux is enabled in this kernel.\n");
105 avc_entry_ref_init (&aeref);
106 if (avc_init ("avc", NULL, &log_cb, NULL, NULL) < 0)
108 _dbus_warn ("Failed to start Access Vector Cache (AVC).\n");
113 openlog ("dbus", LOG_PERROR, LOG_USER);
114 _dbus_verbose ("Access Vector Cache (AVC) started.\n");
118 bus_sid = SECSID_WILD;
120 if (getcon (&bus_context) < 0)
122 _dbus_verbose ("Error getting context of bus: %s\n",
123 _dbus_strerror (errno));
127 if (avc_context_to_sid (bus_context, &bus_sid) < 0)
129 _dbus_verbose ("Error getting SID from bus context: %s\n",
130 _dbus_strerror (errno));
131 freecon (bus_context);
135 freecon (bus_context);
140 #endif /* HAVE_SELINUX */
145 * Decrement SID reference count.
147 * @param sid the SID to decrement
150 bus_selinux_id_unref (BusSELinuxID *sid)
153 if (!selinux_enabled)
156 _dbus_assert (sid != NULL);
158 sidput (SELINUX_SID_FROM_BUS (sid));
159 #endif /* HAVE_SELINUX */
163 bus_selinux_id_ref (BusSELinuxID *sid)
166 if (!selinux_enabled)
169 _dbus_assert (sid != NULL);
171 sidget (SELINUX_SID_FROM_BUS (sid));
172 #endif /* HAVE_SELINUX */
176 * Determine if the SELinux security policy allows the given sender
177 * security context to go to the given recipient security context.
178 * This function determines if the requested permissions are to be
179 * granted from the connection to the message bus or to another
180 * optionally supplied security identifier (e.g. for a service
181 * context). Currently these permissions are either send_msg or
182 * acquire_svc in the dbus class.
184 * @param sender_sid source security context
185 * @param override_sid is the target security context. If SECSID_WILD this will
186 * use the context of the bus itself (e.g. the default).
187 * @param target_class is the target security class.
188 * @param requested is the requested permissions.
189 * @returns #TRUE if security policy allows the send.
193 bus_selinux_check (BusSELinuxID *sender_sid,
194 BusSELinuxID *override_sid,
195 security_class_t target_class,
196 access_vector_t requested)
198 if (!selinux_enabled)
201 /* Make the security check. AVC checks enforcing mode here as well. */
202 if (avc_has_perm (SELINUX_SID_FROM_BUS (sender_sid),
204 SELINUX_SID_FROM_BUS (override_sid) :
205 SELINUX_SID_FROM_BUS (bus_sid),
206 target_class, requested, &aeref, NULL) < 0)
208 _dbus_verbose ("SELinux denying due to security policy.\n");
214 #endif /* HAVE_SELINUX */
217 * Returns true if the given connection can acquire a service,
218 * assuming the given security ID is needed for that service.
220 * @param connection connection that wants to own the service
221 * @param service_sid the SID of the service from the table
222 * @returns #TRUE if acquire is permitted.
225 bus_selinux_allows_acquire_service (DBusConnection *connection,
226 BusSELinuxID *service_sid)
229 BusSELinuxID *connection_sid;
231 if (!selinux_enabled)
234 connection_sid = bus_connection_get_selinux_id (connection);
236 return bus_selinux_check (connection_sid,
242 #endif /* HAVE_SELINUX */
246 * Check if SELinux security controls allow the message to be sent to a
247 * particular connection based on the security context of the sender and
248 * that of the receiver. The destination connection need not be the
249 * addressed recipient, it could be an "eavesdropper"
251 * @param sender the sender of the message.
252 * @param proposed_recipient the connection the message is to be sent to.
253 * @returns whether to allow the send
256 bus_selinux_allows_send (DBusConnection *sender,
257 DBusConnection *proposed_recipient)
260 BusSELinuxID *recipient_sid;
261 BusSELinuxID *sender_sid;
263 if (!selinux_enabled)
266 sender_sid = bus_connection_get_selinux_id (sender);
267 /* A NULL proposed_recipient means the bus itself. */
268 if (proposed_recipient)
269 recipient_sid = bus_connection_get_selinux_id (proposed_recipient);
271 recipient_sid = BUS_SID_FROM_SELINUX (bus_sid);
273 return bus_selinux_check (sender_sid, recipient_sid,
274 SECCLASS_DBUS, DBUS__SEND_MSG);
277 #endif /* HAVE_SELINUX */
281 * Gets the security context of a connection to the bus. It is up to
282 * the caller to freecon() when they are done.
284 * @param connection the connection to get the context of.
285 * @param con the location to store the security context.
286 * @returns #TRUE if context is successfully obtained.
290 bus_connection_read_selinux_context (DBusConnection *connection,
295 if (!selinux_enabled)
298 _dbus_assert (connection != NULL);
300 if (!dbus_connection_get_unix_fd (connection, &fd))
302 _dbus_verbose ("Failed to get file descriptor of socket.\n");
306 if (getpeercon (fd, con) < 0)
308 _dbus_verbose ("Error getting context of socket peer: %s\n",
309 _dbus_strerror (errno));
313 _dbus_verbose ("Successfully read connection context.\n");
316 #endif /* HAVE_SELINUX */
319 * Read the SELinux ID from the connection.
321 * @param connection the connection to read from
322 * @returns the SID if successfully determined, #NULL otherwise.
325 bus_selinux_init_connection_id (DBusConnection *connection,
332 if (!selinux_enabled)
335 if (!bus_connection_read_selinux_context (connection, &con))
337 dbus_set_error (error, DBUS_ERROR_FAILED,
338 "Failed to read an SELinux context from connection");
339 _dbus_verbose ("Error getting peer context.\n");
343 _dbus_verbose ("Converting context to SID to store on connection\n");
345 if (avc_context_to_sid (con, &sid) < 0)
350 dbus_set_error (error, DBUS_ERROR_FAILED,
351 "Error getting SID from context: %s\n",
352 _dbus_strerror (errno));
354 _dbus_warn ("Error getting SID from context: %s\n",
355 _dbus_strerror (errno));
362 return BUS_SID_FROM_SELINUX (sid);
365 #endif /* HAVE_SELINUX */
369 /* Function for freeing hash table data. These SIDs
370 * should no longer be referenced.
373 bus_selinux_id_table_free_value (BusSELinuxID *sid)
376 /* NULL sometimes due to how DBusHashTable works */
378 bus_selinux_id_unref (sid);
379 #endif /* HAVE_SELINUX */
383 * Creates a new table mapping service names to security ID.
384 * A security ID is a "compiled" security context, a security
385 * context is just a string.
387 * @returns the new table or #NULL if no memory
390 bus_selinux_id_table_new (void)
392 return _dbus_hash_table_new (DBUS_HASH_STRING,
393 (DBusFreeFunction) dbus_free,
394 (DBusFreeFunction) bus_selinux_id_table_free_value);
398 * Hashes a service name and service context into the service SID
399 * table as a string and a SID.
401 * @param service_name is the name of the service.
402 * @param service_context is the context of the service.
403 * @param service_table is the table to hash them into.
404 * @return #FALSE if not enough memory
407 bus_selinux_id_table_insert (DBusHashTable *service_table,
408 const char *service_name,
409 const char *service_context)
416 if (!selinux_enabled)
422 key = _dbus_strdup (service_name);
426 if (avc_context_to_sid (service_context, &sid) < 0)
428 _dbus_assert (errno == ENOMEM);
432 if (!_dbus_hash_table_insert_string (service_table,
434 BUS_SID_FROM_SELINUX (sid)))
437 _dbus_verbose ("Parsed \tservice: %s \n\t\tcontext: %s\n",
441 /* These are owned by the hash, so clear them to avoid unref */
448 if (sid != SECSID_WILD)
457 #endif /* HAVE_SELINUX */
462 * Find the security identifier associated with a particular service
463 * name. Return a pointer to this SID, or #NULL/SECSID_WILD if the
464 * service is not found in the hash table. This should be nearly a
465 * constant time operation. If SELinux support is not available,
466 * always return NULL.
468 * @todo This should return a const security_id_t since we don't
469 * want the caller to mess with it.
471 * @param service_table the hash table to check for service name.
472 * @param service_name the name of the service to look for.
473 * @returns the SELinux ID associated with the service
476 bus_selinux_id_table_lookup (DBusHashTable *service_table,
477 const DBusString *service_name)
482 sid = SECSID_WILD; /* default context */
484 if (!selinux_enabled)
487 _dbus_verbose ("Looking up service SID for %s\n",
488 _dbus_string_get_const_data (service_name));
490 sid = _dbus_hash_table_lookup_string (service_table,
491 _dbus_string_get_const_data (service_name));
493 if (sid == SECSID_WILD)
494 _dbus_verbose ("Service %s not found\n",
495 _dbus_string_get_const_data (service_name));
497 _dbus_verbose ("Service %s found\n",
498 _dbus_string_get_const_data (service_name));
500 return BUS_SID_FROM_SELINUX (sid);
501 #endif /* HAVE_SELINUX */
507 bus_selinux_id_table_copy_over (DBusHashTable *dest,
508 DBusHashTable *override)
515 _dbus_hash_iter_init (override, &iter);
516 while (_dbus_hash_iter_next (&iter))
518 key = _dbus_hash_iter_get_string_key (&iter);
519 sid = _dbus_hash_iter_get_value (&iter);
521 key_copy = _dbus_strdup (key);
522 if (key_copy == NULL)
525 if (!_dbus_hash_table_insert_string (dest,
529 dbus_free (key_copy);
533 bus_selinux_id_ref (sid);
538 #endif /* HAVE_SELINUX */
541 * Creates the union of the two tables (each table maps a service
542 * name to a security ID). In case of the same service name in
543 * both tables, the security ID from "override" will be used.
545 * @param base the base table
546 * @param override the table that takes precedence in the merge
547 * @returns the new table, or #NULL if out of memory
550 bus_selinux_id_table_union (DBusHashTable *base,
551 DBusHashTable *override)
553 DBusHashTable *combined_table;
555 combined_table = bus_selinux_id_table_new ();
557 if (combined_table == NULL)
561 if (!selinux_enabled)
562 return combined_table;
564 if (!bus_selinux_id_table_copy_over (combined_table, base))
566 _dbus_hash_table_unref (combined_table);
570 if (!bus_selinux_id_table_copy_over (combined_table, override))
572 _dbus_hash_table_unref (combined_table);
575 #endif /* HAVE_SELINUX */
577 return combined_table;
581 * For debugging: Print out the current hash table of service SIDs.
584 bus_selinux_id_table_print (DBusHashTable *service_table)
586 #ifdef DBUS_ENABLE_VERBOSE_MODE
590 if (!selinux_enabled)
593 _dbus_verbose ("Service SID Table:\n");
594 _dbus_hash_iter_init (service_table, &iter);
595 while (_dbus_hash_iter_next (&iter))
597 const char *key = _dbus_hash_iter_get_string_key (&iter);
598 security_id_t sid = _dbus_hash_iter_get_value (&iter);
599 _dbus_verbose ("The key is %s\n", key);
600 _dbus_verbose ("The context is %s\n", sid->ctx);
601 _dbus_verbose ("The refcount is %d\n", sid->refcnt);
603 #endif /* HAVE_SELINUX */
604 #endif /* DBUS_ENABLE_VERBOSE_MODE */
608 #ifdef DBUS_ENABLE_VERBOSE_MODE
611 * Print out some AVC statistics.
614 bus_avc_print_stats (void)
616 struct avc_cache_stats cstats;
618 if (!selinux_enabled)
621 _dbus_verbose ("AVC Statistics:\n");
622 avc_cache_stats (&cstats);
624 _dbus_verbose ("AVC Cache Statistics:\n");
625 _dbus_verbose ("Entry lookups: %d\n", cstats.entry_lookups);
626 _dbus_verbose ("Entry hits: %d\n", cstats.entry_hits);
627 _dbus_verbose ("Entry misses %d\n", cstats.entry_misses);
628 _dbus_verbose ("Entry discards: %d\n", cstats.entry_discards);
629 _dbus_verbose ("CAV lookups: %d\n", cstats.cav_lookups);
630 _dbus_verbose ("CAV hits: %d\n", cstats.cav_hits);
631 _dbus_verbose ("CAV probes: %d\n", cstats.cav_probes);
632 _dbus_verbose ("CAV misses: %d\n", cstats.cav_misses);
634 #endif /* HAVE_SELINUX */
635 #endif /* DBUS_ENABLE_VERBOSE_MODE */
639 * Destroy the AVC before we terminate.
642 bus_selinux_shutdown (void)
645 if (!selinux_enabled)
649 bus_sid = SECSID_WILD;
651 #ifdef DBUS_ENABLE_VERBOSE_MODE
652 bus_avc_print_stats ();
653 #endif /* DBUS_ENABLE_VERBOSE_MODE */
656 #endif /* HAVE_SELINUX */