* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
+
+#include <config.h>
#include <dbus/dbus-internals.h>
#include <dbus/dbus-string.h>
#ifndef DBUS_WIN
#include "utils.h"
#include "config-parser.h"
-#ifdef HAVE_SELINUX
-#include <sys/types.h>
-#include <unistd.h>
#ifdef HAVE_ERRNO_H
#include <errno.h>
#endif
+#ifdef HAVE_SELINUX
+#include <sys/types.h>
+#include <unistd.h>
#include <limits.h>
#include <pthread.h>
#include <syslog.h>
#include <stdarg.h>
#include <stdio.h>
#include <grp.h>
+#endif /* HAVE_SELINUX */
#ifdef HAVE_LIBAUDIT
#include <cap-ng.h>
#include <libaudit.h>
#endif /* HAVE_LIBAUDIT */
-#endif /* HAVE_SELINUX */
#define BUS_SID_FROM_SELINUX(sid) ((BusSELinuxID*) (sid))
#define SELINUX_SID_FROM_BUS(sid) ((security_id_t) (sid))
}
#endif /* HAVE_LIBAUDIT */
- vsyslog (LOG_INFO, fmt, ap);
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap);
va_end(ap);
}
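Review bot: The facility is now supplied per call at `vsyslog (LOG_USER | LOG_INFO, fmt, ap);` while the `openlog ("dbus", LOG_PERROR, LOG_USER);` call is dropped in the next hunk, so the "dbus" ident and the LOG_PERROR mirroring to stderr that openlog configured are gone as well, not just the facility. If that is intentional (for example to avoid overriding an openlog done elsewhere in the daemon, which cannot be confirmed from this hunk), a one-line comment at the vsyslog call such as `/* facility given per call; we deliberately do not call openlog() here */` would stop a later reader from re-adding it. The enclosing function begins before this hunk.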
}
else
{
- openlog ("dbus", LOG_PERROR, LOG_USER);
_dbus_verbose ("Access Vector Cache (AVC) started.\n");
}
void
bus_selinux_id_table_print (DBusHashTable *service_table)
{
-#ifdef DBUS_ENABLE_VERBOSE_MODE
-#ifdef HAVE_SELINUX
+#if defined (DBUS_ENABLE_VERBOSE_MODE) && defined (HAVE_SELINUX)
DBusHashIter iter;
if (!selinux_enabled)
_dbus_verbose ("The context is %s\n", sid->ctx);
_dbus_verbose ("The refcount is %d\n", sid->refcnt);
}
-#endif /* HAVE_SELINUX */
-#endif /* DBUS_ENABLE_VERBOSE_MODE */
+#endif /* DBUS_ENABLE_VERBOSE_MODE && HAVE_SELINUX */
}
-#ifdef DBUS_ENABLE_VERBOSE_MODE
-#ifdef HAVE_SELINUX
/**
* Print out some AVC statistics.
*/
+#ifdef HAVE_SELINUX
static void
bus_avc_print_stats (void)
{
+#ifdef DBUS_ENABLE_VERBOSE_MODE
struct avc_cache_stats cstats;
if (!selinux_enabled)
_dbus_verbose ("CAV hits: %d\n", cstats.cav_hits);
_dbus_verbose ("CAV probes: %d\n", cstats.cav_probes);
_dbus_verbose ("CAV misses: %d\n", cstats.cav_misses);
+#endif /* DBUS_ENABLE_VERBOSE_MODE */
}
#endif /* HAVE_SELINUX */
-#endif /* DBUS_ENABLE_VERBOSE_MODE */
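Review bot: The body of `bus_avc_print_stats` under `#ifdef DBUS_ENABLE_VERBOSE_MODE` now runs on every shutdown of a verbose-enabled build, because the caller further down loses its `if (_dbus_is_verbose())` guard and becomes a bare `bus_avc_print_stats ();`; `_dbus_verbose` presumably suppresses the output itself, but whatever fills `cstats` between the lines shown is no longer gated by the runtime setting. Restoring the check inside the function, `if (!_dbus_is_verbose ()) return;` as the first statement after `struct avc_cache_stats cstats;`, keeps the simplified caller and the old behaviour. The middle of the function body is not shown in this hunk, so this is inferred from the declaration and the prints that survive.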
-
/**
* Destroy the AVC before we terminate.
sidput (bus_sid);
bus_sid = SECSID_WILD;
-#ifdef DBUS_ENABLE_VERBOSE_MODE
-
- if (_dbus_is_verbose())
- bus_avc_print_stats ();
-
-#endif /* DBUS_ENABLE_VERBOSE_MODE */
+ bus_avc_print_stats ();
avc_destroy ();
#ifdef HAVE_LIBAUDIT
#endif /* HAVE_SELINUX */
}
-#ifndef DBUS_WIN
+/* The !HAVE_LIBAUDIT case lives in dbus-sysdeps-util-unix.c */
+#ifdef HAVE_LIBAUDIT
/**
* Changes the user and group the bus is running as.
*
return FALSE;
}
-#ifdef HAVE_LIBAUDIT
/* If we were root */
if (_dbus_geteuid () == 0)
{
capng_clear (CAPNG_SELECT_BOTH);
capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
CAP_AUDIT_WRITE);
- rc = capng_change_id (uid, gid, 0);
+ rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);
if (rc)
{
switch (rc) {
return FALSE;
}
}
-#else
- /* setgroups() only works if we are a privileged process,
- * so we don't return error on failure; the only possible
- * failure is that we don't have perms to do it.
- *
- * not sure this is right, maybe if setuid()
- * is going to work then setgroups() should also work.
- */
- if (setgroups (0, NULL) < 0)
- _dbus_warn ("Failed to drop supplementary groups: %s\n",
- _dbus_strerror (errno));
-
- /* Set GID first, or the setuid may remove our permission
- * to change the GID
- */
- if (setgid (gid) < 0)
- {
- dbus_set_error (error, _dbus_error_from_errno (errno),
- "Failed to set GID to %lu: %s", gid,
- _dbus_strerror (errno));
- return FALSE;
- }
-
- if (setuid (uid) < 0)
- {
- dbus_set_error (error, _dbus_error_from_errno (errno),
- "Failed to set UID to %lu: %s", uid,
- _dbus_strerror (errno));
- return FALSE;
- }
-#endif /* !HAVE_LIBAUDIT */
return TRUE;
}
-
#endif
-
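Review bot: The flag in `rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);` is now the only thing that drops root's supplementary groups on this path, since the `setgroups (0, NULL)` fallback goes away with the removed `#else` branch, yet nothing at the call says so; a comment such as `/* CAPNG_DROP_SUPP_GRP: also drop root's supplementary groups, as setgroups (0, NULL) did on the non-libaudit path */` would keep a later cleanup from reverting the third argument to 0. The `/* If we were root */` guard above it means a non-root euid skips the identity change and falls through to `return TRUE;`; that is pre-existing, but worth stating in that comment now that the removed branch, which attempted setgid/setuid unconditionally, is no longer next to it for comparison. The function's signature and the body of `switch (rc)` lie outside the hunk, so whether every non-zero rc sets the error before `return FALSE;` cannot be checked here.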