names: on KDBUS_CMD_NAME_RELEASE check that connection can see the name

Before trying to release a name verify that the connection is able to
see the name on the endpoint, we do this since custom endpoint may
install policies to restrict SEE access if we do not perform this check,
then a connection may try KDBUS_CMD_NAME_RELEASE ioctl() and brute force
names owned by other connections, in this case it will get the
-EADDRINUSE error which indicates that the name is in use, later it can
monitor the name by re-trying the call, this way it can bypass the
notification checks that are done for
{KDBUS_ITEM_NAME_ADD|KDBUS_ITEM_NAME_REMOVE}.

The kdbus_ep_policy_check_notification() checks first if the connection
is able to see the notifications. So follow and don't leak hints from
KDBUS_CMD_NAME_RELEASE.

No need to check for OWN access, since for other connections as stated
above a name will fail with -EADDRINUSE.

Signed-off-by: Djalal Harouni <tixxdz@opendz.org>

diff --git a/names.c b/names.c
index 9b69f1332a57597e763963e3fa0c4efe7e95c20d..cc68a2f269c4f5dc8bfd21a4971f3a5a0485546c 100644 (file)
--- a/names.c
+++ b/names.c
@@ -696,6 +696,10 @@ int kdbus_cmd_name_release(struct kdbus_name_registry *reg,
        if (ret < 0)
                return -EINVAL;
 
+       ret = kdbus_ep_policy_check_see_access(conn->ep, conn, name);
+       if (ret < 0)
+               return ret;
+
        ret = kdbus_name_release(reg, conn, name);
 
        kdbus_notify_flush(conn->bus);