1 /* selinux.c SELinux security checks for D-BUS
3 * Author: Matthew Rickard <mjricka@epoch.ncsc.mil>
5 * Licensed under the Academic Free License version 2.1
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 #include <dbus/dbus-internals.h>
23 #include <dbus/dbus-string.h>
28 #include "config-parser.h"
34 #include <selinux/selinux.h>
35 #include <selinux/avc.h>
36 #include <selinux/av_permissions.h>
37 #include <selinux/flask.h>
40 #endif /* HAVE_SELINUX */
42 #define BUS_SID_FROM_SELINUX(sid) ((BusSELinuxID*) (sid))
43 #define SELINUX_SID_FROM_BUS(sid) ((security_id_t) (sid))
46 /* Store the value telling us if SELinux is enabled in the kernel. */
47 static dbus_bool_t selinux_enabled = FALSE;
49 /* Store an avc_entry_ref to speed AVC decisions. */
50 static struct avc_entry_ref aeref;
52 /* Store the SID of the bus itself to use as the default. */
53 static security_id_t bus_sid = SECSID_WILD;
55 /* Thread to listen for SELinux status changes via netlink. */
56 static pthread_t avc_notify_thread;
58 /* Prototypes for AVC callback functions. */
59 static void log_callback (const char *fmt, ...);
60 static void *avc_create_thread (void (*run) (void));
61 static void avc_stop_thread (void *thread);
62 static void *avc_alloc_lock (void);
63 static void avc_get_lock (void *lock);
64 static void avc_release_lock (void *lock);
65 static void avc_free_lock (void *lock);
67 /* AVC callback structures for use in avc_init. */
68 static const struct avc_memory_callback mem_cb =
70 .func_malloc = dbus_malloc,
71 .func_free = dbus_free
73 static const struct avc_log_callback log_cb =
75 .func_log = log_callback,
78 static const struct avc_thread_callback thread_cb =
80 .func_create_thread = avc_create_thread,
81 .func_stop_thread = avc_stop_thread
83 static const struct avc_lock_callback lock_cb =
85 .func_alloc_lock = avc_alloc_lock,
86 .func_get_lock = avc_get_lock,
87 .func_release_lock = avc_release_lock,
88 .func_free_lock = avc_free_lock
90 #endif /* HAVE_SELINUX */
93 * Log callback to log denial messages from the AVC.
94 * This is used in avc_init. Logs to both standard
97 * @param fmt the format string
98 * @param variable argument list
102 log_callback (const char *fmt, ...)
106 vsyslog (LOG_INFO, fmt, ap);
111 * On a policy reload we need to reparse the SELinux configuration file, since
112 * this could have changed. Send a SIGHUP to reload all configs.
115 policy_reload_callback (u_int32_t event, security_id_t ssid,
116 security_id_t tsid, security_class_t tclass,
117 access_vector_t perms, access_vector_t *out_retained)
119 if (event == AVC_CALLBACK_RESET)
120 return raise (SIGHUP);
126 * Create thread to notify the AVC of enforcing and policy reload
127 * changes via netlink.
129 * @param run the thread run function
130 * @return pointer to the thread
133 avc_create_thread (void (*run) (void))
137 rc = pthread_create (&avc_notify_thread, NULL, (void *(*) (void *)) run, NULL);
140 _dbus_warn ("Failed to start AVC thread: %s\n", _dbus_strerror (rc));
143 return &avc_notify_thread;
146 /* Stop AVC netlink thread. */
148 avc_stop_thread (void *thread)
150 pthread_cancel (*(pthread_t *) thread);
153 /* Allocate a new AVC lock. */
155 avc_alloc_lock (void)
157 pthread_mutex_t *avc_mutex;
159 avc_mutex = dbus_new (pthread_mutex_t, 1);
160 if (avc_mutex == NULL)
162 _dbus_warn ("Could not create mutex: %s\n", _dbus_strerror (errno));
165 pthread_mutex_init (avc_mutex, NULL);
170 /* Acquire an AVC lock. */
172 avc_get_lock (void *lock)
174 pthread_mutex_lock (lock);
177 /* Release an AVC lock. */
179 avc_release_lock (void *lock)
181 pthread_mutex_unlock (lock);
184 /* Free an AVC lock. */
186 avc_free_lock (void *lock)
188 pthread_mutex_destroy (lock);
191 #endif /* HAVE_SELINUX */
194 * Return whether or not SELinux is enabled; must be
195 * called after bus_selinux_init.
198 bus_selinux_enabled (void)
201 return selinux_enabled;
204 #endif /* HAVE_SELINUX */
208 * Do early initialization; determine whether SELinux is enabled.
211 bus_selinux_pre_init (void)
217 _dbus_assert (bus_sid == SECSID_WILD);
219 /* Determine if we are running an SELinux kernel. */
220 r = is_selinux_enabled ();
223 _dbus_warn ("Could not tell if SELinux is enabled: %s\n",
224 _dbus_strerror (errno));
228 selinux_enabled = r != 0;
236 * Initialize the user space access vector cache (AVC) for D-BUS and set up
240 bus_selinux_full_init (void)
246 _dbus_assert (bus_sid == SECSID_WILD);
248 if (!selinux_enabled)
250 _dbus_verbose ("SELinux not enabled in this kernel.\n");
254 _dbus_verbose ("SELinux is enabled in this kernel.\n");
256 avc_entry_ref_init (&aeref);
257 if (avc_init ("avc", &mem_cb, &log_cb, &thread_cb, &lock_cb) < 0)
259 _dbus_warn ("Failed to start Access Vector Cache (AVC).\n");
264 openlog ("dbus", LOG_PERROR, LOG_USER);
265 _dbus_verbose ("Access Vector Cache (AVC) started.\n");
268 if (avc_add_callback (policy_reload_callback, AVC_CALLBACK_RESET,
269 NULL, NULL, 0, 0) < 0)
271 _dbus_warn ("Failed to add policy reload callback: %s\n",
272 _dbus_strerror (errno));
278 bus_sid = SECSID_WILD;
280 if (getcon (&bus_context) < 0)
282 _dbus_verbose ("Error getting context of bus: %s\n",
283 _dbus_strerror (errno));
287 if (avc_context_to_sid (bus_context, &bus_sid) < 0)
289 _dbus_verbose ("Error getting SID from bus context: %s\n",
290 _dbus_strerror (errno));
291 freecon (bus_context);
295 freecon (bus_context);
300 #endif /* HAVE_SELINUX */
304 * Decrement SID reference count.
306 * @param sid the SID to decrement
309 bus_selinux_id_unref (BusSELinuxID *sid)
312 if (!selinux_enabled)
315 _dbus_assert (sid != NULL);
317 sidput (SELINUX_SID_FROM_BUS (sid));
318 #endif /* HAVE_SELINUX */
322 bus_selinux_id_ref (BusSELinuxID *sid)
325 if (!selinux_enabled)
328 _dbus_assert (sid != NULL);
330 sidget (SELINUX_SID_FROM_BUS (sid));
331 #endif /* HAVE_SELINUX */
335 * Determine if the SELinux security policy allows the given sender
336 * security context to go to the given recipient security context.
337 * This function determines if the requested permissions are to be
338 * granted from the connection to the message bus or to another
339 * optionally supplied security identifier (e.g. for a service
340 * context). Currently these permissions are either send_msg or
341 * acquire_svc in the dbus class.
343 * @param sender_sid source security context
344 * @param override_sid is the target security context. If SECSID_WILD this will
345 * use the context of the bus itself (e.g. the default).
346 * @param target_class is the target security class.
347 * @param requested is the requested permissions.
348 * @returns #TRUE if security policy allows the send.
352 bus_selinux_check (BusSELinuxID *sender_sid,
353 BusSELinuxID *override_sid,
354 security_class_t target_class,
355 access_vector_t requested)
357 if (!selinux_enabled)
360 /* Make the security check. AVC checks enforcing mode here as well. */
361 if (avc_has_perm (SELINUX_SID_FROM_BUS (sender_sid),
363 SELINUX_SID_FROM_BUS (override_sid) :
364 SELINUX_SID_FROM_BUS (bus_sid),
365 target_class, requested, &aeref, NULL) < 0)
367 _dbus_verbose ("SELinux denying due to security policy.\n");
373 #endif /* HAVE_SELINUX */
376 * Returns true if the given connection can acquire a service,
377 * assuming the given security ID is needed for that service.
379 * @param connection connection that wants to own the service
380 * @param service_sid the SID of the service from the table
381 * @returns #TRUE if acquire is permitted.
384 bus_selinux_allows_acquire_service (DBusConnection *connection,
385 BusSELinuxID *service_sid)
388 BusSELinuxID *connection_sid;
390 if (!selinux_enabled)
393 connection_sid = bus_connection_get_selinux_id (connection);
395 return bus_selinux_check (connection_sid,
401 #endif /* HAVE_SELINUX */
405 * Check if SELinux security controls allow the message to be sent to a
406 * particular connection based on the security context of the sender and
407 * that of the receiver. The destination connection need not be the
408 * addressed recipient, it could be an "eavesdropper"
410 * @param sender the sender of the message.
411 * @param proposed_recipient the connection the message is to be sent to.
412 * @returns whether to allow the send
415 bus_selinux_allows_send (DBusConnection *sender,
416 DBusConnection *proposed_recipient)
419 BusSELinuxID *recipient_sid;
420 BusSELinuxID *sender_sid;
422 if (!selinux_enabled)
425 sender_sid = bus_connection_get_selinux_id (sender);
426 /* A NULL proposed_recipient means the bus itself. */
427 if (proposed_recipient)
428 recipient_sid = bus_connection_get_selinux_id (proposed_recipient);
430 recipient_sid = BUS_SID_FROM_SELINUX (bus_sid);
432 return bus_selinux_check (sender_sid, recipient_sid,
433 SECCLASS_DBUS, DBUS__SEND_MSG);
436 #endif /* HAVE_SELINUX */
440 * Gets the security context of a connection to the bus. It is up to
441 * the caller to freecon() when they are done.
443 * @param connection the connection to get the context of.
444 * @param con the location to store the security context.
445 * @returns #TRUE if context is successfully obtained.
449 bus_connection_read_selinux_context (DBusConnection *connection,
454 if (!selinux_enabled)
457 _dbus_assert (connection != NULL);
459 if (!dbus_connection_get_unix_fd (connection, &fd))
461 _dbus_verbose ("Failed to get file descriptor of socket.\n");
465 if (getpeercon (fd, con) < 0)
467 _dbus_verbose ("Error getting context of socket peer: %s\n",
468 _dbus_strerror (errno));
472 _dbus_verbose ("Successfully read connection context.\n");
475 #endif /* HAVE_SELINUX */
478 * Read the SELinux ID from the connection.
480 * @param connection the connection to read from
481 * @returns the SID if successfully determined, #NULL otherwise.
484 bus_selinux_init_connection_id (DBusConnection *connection,
491 if (!selinux_enabled)
494 if (!bus_connection_read_selinux_context (connection, &con))
496 dbus_set_error (error, DBUS_ERROR_FAILED,
497 "Failed to read an SELinux context from connection");
498 _dbus_verbose ("Error getting peer context.\n");
502 _dbus_verbose ("Converting context to SID to store on connection\n");
504 if (avc_context_to_sid (con, &sid) < 0)
509 dbus_set_error (error, DBUS_ERROR_FAILED,
510 "Error getting SID from context: %s\n",
511 _dbus_strerror (errno));
513 _dbus_warn ("Error getting SID from context: %s\n",
514 _dbus_strerror (errno));
521 return BUS_SID_FROM_SELINUX (sid);
524 #endif /* HAVE_SELINUX */
529 * Function for freeing hash table data. These SIDs
530 * should no longer be referenced.
533 bus_selinux_id_table_free_value (BusSELinuxID *sid)
536 /* NULL sometimes due to how DBusHashTable works */
538 bus_selinux_id_unref (sid);
539 #endif /* HAVE_SELINUX */
543 * Creates a new table mapping service names to security ID.
544 * A security ID is a "compiled" security context, a security
545 * context is just a string.
547 * @returns the new table or #NULL if no memory
550 bus_selinux_id_table_new (void)
552 return _dbus_hash_table_new (DBUS_HASH_STRING,
553 (DBusFreeFunction) dbus_free,
554 (DBusFreeFunction) bus_selinux_id_table_free_value);
558 * Hashes a service name and service context into the service SID
559 * table as a string and a SID.
561 * @param service_name is the name of the service.
562 * @param service_context is the context of the service.
563 * @param service_table is the table to hash them into.
564 * @return #FALSE if not enough memory
567 bus_selinux_id_table_insert (DBusHashTable *service_table,
568 const char *service_name,
569 const char *service_context)
576 if (!selinux_enabled)
582 key = _dbus_strdup (service_name);
586 if (avc_context_to_sid ((char *) service_context, &sid) < 0)
588 _dbus_assert (errno == ENOMEM);
592 if (!_dbus_hash_table_insert_string (service_table,
594 BUS_SID_FROM_SELINUX (sid)))
597 _dbus_verbose ("Parsed \tservice: %s \n\t\tcontext: %s\n",
601 /* These are owned by the hash, so clear them to avoid unref */
608 if (sid != SECSID_WILD)
617 #endif /* HAVE_SELINUX */
622 * Find the security identifier associated with a particular service
623 * name. Return a pointer to this SID, or #NULL/SECSID_WILD if the
624 * service is not found in the hash table. This should be nearly a
625 * constant time operation. If SELinux support is not available,
626 * always return NULL.
628 * @param service_table the hash table to check for service name.
629 * @param service_name the name of the service to look for.
630 * @returns the SELinux ID associated with the service
633 bus_selinux_id_table_lookup (DBusHashTable *service_table,
634 const DBusString *service_name)
639 sid = SECSID_WILD; /* default context */
641 if (!selinux_enabled)
644 _dbus_verbose ("Looking up service SID for %s\n",
645 _dbus_string_get_const_data (service_name));
647 sid = _dbus_hash_table_lookup_string (service_table,
648 _dbus_string_get_const_data (service_name));
650 if (sid == SECSID_WILD)
651 _dbus_verbose ("Service %s not found\n",
652 _dbus_string_get_const_data (service_name));
654 _dbus_verbose ("Service %s found\n",
655 _dbus_string_get_const_data (service_name));
657 return BUS_SID_FROM_SELINUX (sid);
658 #endif /* HAVE_SELINUX */
663 * Copy security ID table mapping from one table into another.
665 * @param dest the table to copy into
666 * @param override the table to copy from
667 * @returns #FALSE if out of memory
671 bus_selinux_id_table_copy_over (DBusHashTable *dest,
672 DBusHashTable *override)
679 _dbus_hash_iter_init (override, &iter);
680 while (_dbus_hash_iter_next (&iter))
682 key = _dbus_hash_iter_get_string_key (&iter);
683 sid = _dbus_hash_iter_get_value (&iter);
685 key_copy = _dbus_strdup (key);
686 if (key_copy == NULL)
689 if (!_dbus_hash_table_insert_string (dest,
693 dbus_free (key_copy);
697 bus_selinux_id_ref (sid);
702 #endif /* HAVE_SELINUX */
705 * Creates the union of the two tables (each table maps a service
706 * name to a security ID). In case of the same service name in
707 * both tables, the security ID from "override" will be used.
709 * @param base the base table
710 * @param override the table that takes precedence in the merge
711 * @returns the new table, or #NULL if out of memory
714 bus_selinux_id_table_union (DBusHashTable *base,
715 DBusHashTable *override)
717 DBusHashTable *combined_table;
719 combined_table = bus_selinux_id_table_new ();
721 if (combined_table == NULL)
725 if (!selinux_enabled)
726 return combined_table;
728 if (!bus_selinux_id_table_copy_over (combined_table, base))
730 _dbus_hash_table_unref (combined_table);
734 if (!bus_selinux_id_table_copy_over (combined_table, override))
736 _dbus_hash_table_unref (combined_table);
739 #endif /* HAVE_SELINUX */
741 return combined_table;
745 * Get the SELinux policy root. This is used to find the D-BUS
746 * specific config file within the policy.
749 bus_selinux_get_policy_root (void)
752 return selinux_policy_root ();
755 #endif /* HAVE_SELINUX */
759 * For debugging: Print out the current hash table of service SIDs.
762 bus_selinux_id_table_print (DBusHashTable *service_table)
764 #ifdef DBUS_ENABLE_VERBOSE_MODE
768 if (!selinux_enabled)
771 _dbus_verbose ("Service SID Table:\n");
772 _dbus_hash_iter_init (service_table, &iter);
773 while (_dbus_hash_iter_next (&iter))
775 const char *key = _dbus_hash_iter_get_string_key (&iter);
776 security_id_t sid = _dbus_hash_iter_get_value (&iter);
777 _dbus_verbose ("The key is %s\n", key);
778 _dbus_verbose ("The context is %s\n", sid->ctx);
779 _dbus_verbose ("The refcount is %d\n", sid->refcnt);
781 #endif /* HAVE_SELINUX */
782 #endif /* DBUS_ENABLE_VERBOSE_MODE */
786 #ifdef DBUS_ENABLE_VERBOSE_MODE
789 * Print out some AVC statistics.
792 bus_avc_print_stats (void)
794 struct avc_cache_stats cstats;
796 if (!selinux_enabled)
799 _dbus_verbose ("AVC Statistics:\n");
800 avc_cache_stats (&cstats);
802 _dbus_verbose ("AVC Cache Statistics:\n");
803 _dbus_verbose ("Entry lookups: %d\n", cstats.entry_lookups);
804 _dbus_verbose ("Entry hits: %d\n", cstats.entry_hits);
805 _dbus_verbose ("Entry misses %d\n", cstats.entry_misses);
806 _dbus_verbose ("Entry discards: %d\n", cstats.entry_discards);
807 _dbus_verbose ("CAV lookups: %d\n", cstats.cav_lookups);
808 _dbus_verbose ("CAV hits: %d\n", cstats.cav_hits);
809 _dbus_verbose ("CAV probes: %d\n", cstats.cav_probes);
810 _dbus_verbose ("CAV misses: %d\n", cstats.cav_misses);
812 #endif /* HAVE_SELINUX */
813 #endif /* DBUS_ENABLE_VERBOSE_MODE */
817 * Destroy the AVC before we terminate.
820 bus_selinux_shutdown (void)
823 if (!selinux_enabled)
827 bus_sid = SECSID_WILD;
829 #ifdef DBUS_ENABLE_VERBOSE_MODE
830 bus_avc_print_stats ();
831 #endif /* DBUS_ENABLE_VERBOSE_MODE */
834 #endif /* HAVE_SELINUX */