Re: D-Bus security issue



On Sat, 03 Jan 2009 at 17:58:47 +0000, Matthew Johnson wrote:
> In order to fix CVE-2008-4311 the default permissions on the system bus
> have been tightened up. This has revealed bugs in the configurations
> shipped with a number of services using the system bus which relied on
> the broken behaviour and will now break.

I've uploaded source and i386 binaries for a "release candidate" which has
deny-by-default and all of upstream's logging improvements:

  http://people.debian.org/~smcv/dbus-cve-2008-4311/

codehelp is compiling amd64 binaries which we'll upload to the same place when
they're ready. Please use this and try out your packages. If things are
denied, you'll get syslog spam like this:

Jan  4 16:56:34 carbon dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.4" (uid=0 pid=18344 comm="/usr/sbin/NetworkManager --pid-file /var/run/Netwo") interface="org.freedesktop.Hal.Device.KillSwitch" member="GetPower" error name="(unset)" requested_reply=0 destination="org.freedesktop.Hal" (uid=0 pid=18252 comm="/usr/sbin/hald "))

We're still looking into the fallout from this, so we're not uploading
to unstable right now. http://wiki.debian.org/DBusPermissions has the
gory details.

(1.2.8 in experimental has the deny-by-default and some (but not all) of
the logging improvements; I think you're better off with my version for
debugging.)

Regards,
    Simon
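
An added example, not part of the original mail or of D-Bus itself: a small triage script that parses denial lines of the shape quoted above and groups them by sending executable, destination, interface and member, so a package maintainer can see which calls their service's policy is missing. The second and third sample lines and all names in the script are constructed; the "Would reject" prefix and the "dbus" ident are taken from the patches below.

```python
import re
from collections import Counter

# Sample input. The first line is the one quoted in the mail above;
# the second and third are constructed for this example.
SAMPLE_LOG = [
    'Jan  4 16:56:34 carbon dbus-daemon: Rejected send message, 1 matched rules; '
    'type="method_call", sender=":1.4" (uid=0 pid=18344 '
    'comm="/usr/sbin/NetworkManager --pid-file /var/run/Netwo") '
    'interface="org.freedesktop.Hal.Device.KillSwitch" member="GetPower" '
    'error name="(unset)" requested_reply=0 destination="org.freedesktop.Hal" '
    '(uid=0 pid=18252 comm="/usr/sbin/hald "))',
    'Jan  4 16:56:40 carbon dbus-daemon: Rejected send message, 2 matched rules; '
    'type="method_call", sender=":1.9" (uid=1000 pid=4242 '
    'comm="/usr/bin/example-client destination="org.example.Fake"") '
    'interface="org.example.Service" member="Ping" '
    'error name="(unset)" requested_reply=0 destination="org.example.Service" '
    '(uid=0 pid=4100 comm="/usr/sbin/example-daemon"))',
    'Jan  4 16:57:01 carbon cron[911]: (root) CMD (run-parts /etc/cron.hourly)',
]

# Header written by the bus: which check fired and how many rules matched.
HEAD = re.compile(
    r'dbus(?:-daemon)?(?:\[\d+\])?: '
    r'(Rejected send|Rejected receive|Would reject) message, '
    r'(\d+) matched rules; (.*)$'
)

# The body is scanned left to right. The "(uid= pid= comm=...)" annotation is
# consumed as ONE token: comm is free text taken from a process command line,
# so it is never searched for key="value" fields of its own.
TOKEN = re.compile(
    r'\(uid=(?P<uid>\d+) pid=(?P<pid>\d+) comm="(?P<comm>.*?)"\)'
    r'|\b(?P<key>type|sender|interface|member|error name|destination)'
    r'="(?P<val>[^"]*)"'
)


def parse_denial(line):
    """Return a dict for a D-Bus policy log line, or None for anything else."""
    head = HEAD.search(line)
    if head is None:
        return None
    event = {"action": head.group(1), "matched_rules": int(head.group(2))}
    last_key = None
    for tok in TOKEN.finditer(head.group(3)):
        if tok.group("key"):
            last_key = tok.group("key").replace(" ", "_")
            event[last_key] = tok.group("val")
        elif last_key in ("sender", "destination"):
            # Credentials annotation belongs to the field just before it.
            event[last_key + "_peer"] = {
                "uid": int(tok.group("uid")),
                "pid": int(tok.group("pid")),
                "exe": tok.group("comm").split(" ", 1)[0],
            }
    return event


def summarise(lines):
    """Count denials per (sending executable, destination, interface, member)."""
    counts = Counter()
    for line in lines:
        ev = parse_denial(line)
        if ev is None:
            continue
        exe = ev.get("sender_peer", {}).get("exe", ev.get("sender", "(unset)"))
        key = (exe, ev.get("destination"), ev.get("interface"), ev.get("member"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (exe, dest, iface, member), n in summarise(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {exe} -> {dest}  {iface}.{member}")
```
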
(Adapted version of the patch below: changes to test/ removed. -smcv@debian.org)

From 69ed32cbccbec9d613447cb64e9d7b1ffa11ce3c Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Wed, 10 Dec 2008 14:17:02 -0500
Subject: [PATCH] Add syslog of security denials and configuration file reloads

We need to start logging denials so that they become more easily trackable
and debuggable.
---
 bus/bus.c                                   |   90 +++++++++++++++++++++++----
 bus/bus.h                                   |    6 ++
 bus/config-parser-common.c                  |    8 ++-
 bus/config-parser-common.h                  |    3 +-
 bus/config-parser.c                         |   25 ++++++++
 bus/config-parser.h                         |    1 +
 bus/policy.c                                |   10 +++-
 bus/policy.h                                |    6 +-
 bus/system.conf.in                          |    3 +
 dbus/dbus-sysdeps-unix.c                    |    1 -
 dbus/dbus-sysdeps-util-unix.c               |   32 ++++++++++
 dbus/dbus-sysdeps.h                         |    4 +
 test/name-test/tmp-session-like-system.conf |    4 +-
 13 files changed, 170 insertions(+), 23 deletions(-)

diff --git a/bus/bus.c b/bus/bus.c
index a28a267..195a6fd 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -54,6 +54,7 @@ struct BusContext
   BusMatchmaker *matchmaker;
   BusLimits limits;
   unsigned int fork : 1;
+  unsigned int syslog : 1;
 };
 
 static dbus_int32_t server_data_slot = -1;
@@ -384,6 +385,7 @@ process_config_first_time_only (BusContext      *context,
     }
 
   context->fork = bus_config_parser_get_fork (parser);
+  context->syslog = bus_config_parser_get_syslog (parser);
   
   _DBUS_ASSERT_ERROR_IS_CLEAR (error);
   retval = TRUE;
@@ -826,7 +828,10 @@ bus_context_reload_config (BusContext *context,
     }
   ret = TRUE;
 
+  bus_context_log_info (context, "Reloaded configuration");
  failed:  
+  if (!ret)
+    bus_context_log_info (context, "Unable to reload configuration: %s", error->message);
   if (parser != NULL)
     bus_config_parser_unref (parser);
   return ret;
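Review bot: the failure branch after `failed:` dereferences `error->message` without checking that `error` is non-NULL and set, so a caller that passes NULL for the DBusError would crash the daemon inside the logging call; guard it with `error != NULL && dbus_error_is_set (error)` before formatting. The failed reload also goes through `bus_context_log_info`, the same channel and priority as the success message, which makes it easy to miss; a warning-level helper would suit it better.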
@@ -1107,6 +1112,32 @@ bus_context_get_reply_timeout (BusContext *context)
   return context->limits.reply_timeout;
 }
 
+void
+bus_context_log_info (BusContext *context, const char *msg, ...)
+{
+  va_list args;
+
+  va_start (args, msg);
+  
+  if (context->syslog)
+    _dbus_log_info (msg, args);
+
+  va_end (args);
+}
+
+void
+bus_context_log_security (BusContext *context, const char *msg, ...)
+{
+  va_list args;
+
+  va_start (args, msg);
+  
+  if (context->syslog)
+    _dbus_log_security (msg, args);
+
+  va_end (args);
+}
+
 /*
  * addressed_recipient is the recipient specified in the message.
  *
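Review bot: `bus_context_log_info` and `bus_context_log_security` take a printf-style `msg` plus varargs, but nothing tells the compiler that, so a mismatch between the format and its arguments at any call site goes unchecked; add a printf format attribute to the prototypes in bus/bus.h. The two bodies are also identical apart from the callee, and neither has a doc comment saying that it is silent unless `context->syslog` is set.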
@@ -1131,8 +1162,10 @@ bus_context_check_security_policy (BusContext     *context,
 {
   BusClientPolicy *sender_policy;
   BusClientPolicy *recipient_policy;
+  dbus_int32_t toggles;
   int type;
   dbus_bool_t requested_reply;
+  const char *sender_name;
   
   type = dbus_message_get_type (message);
   
@@ -1143,6 +1176,12 @@ bus_context_check_security_policy (BusContext     *context,
   _dbus_assert (type == DBUS_MESSAGE_TYPE_SIGNAL ||
                 addressed_recipient != NULL ||
                 strcmp (dbus_message_get_destination (message), DBUS_SERVICE_DBUS) == 0);
+
+  /* Used in logging below */
+  if (sender != NULL)
+    sender_name = bus_connection_get_name (sender);
+  else
+    sender_name = NULL;
   
   switch (type)
     {
@@ -1185,8 +1224,9 @@ bus_context_check_security_policy (BusContext     *context,
               dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
                               "An SELinux policy prevents this sender "
                               "from sending this message to this recipient "
-                              "(rejected message had interface \"%s\" "
+                              "(rejected message had sender \"%s\" interface \"%s\" "
                               "member \"%s\" error name \"%s\" destination \"%s\")",
+                              sender_name ? sender_name : "(unset)",
                               dbus_message_get_interface (message) ?
                               dbus_message_get_interface (message) : "(unset)",
                               dbus_message_get_member (message) ?
@@ -1304,16 +1344,16 @@ bus_context_check_security_policy (BusContext     *context,
                                          context->registry,
                                          requested_reply,
                                          proposed_recipient,
-                                         message))
+                                         message, &toggles))
     {
       const char *dest;
+      const char *msg = "Rejected send message, %d matched rules; "
+                        "sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\")";
 
       dest = dbus_message_get_destination (message);
-      dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
-                      "A security policy in place prevents this sender "
-                      "from sending this message to this recipient, "
-                      "see message bus configuration file (rejected message "
-                      "had interface \"%s\" member \"%s\" error name \"%s\" destination \"%s\")",
+      dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg,
+                      toggles,
+                      sender_name ? sender_name : "(unset)",
                       dbus_message_get_interface (message) ?
                       dbus_message_get_interface (message) : "(unset)",
                       dbus_message_get_member (message) ?
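Review bot: the new `msg` format in the send branch ends in `destination=\"%s\")`, a closing parenthesis with no opening one, left over from the old "(rejected message had ..." wording, so every log line and every error returned to the client ends with a stray `)`. The key `error name` also contains a space, unlike the other key="value" pairs, which makes the line harder to parse; `error_name` would be consistent. The client-visible error also no longer points the user at the message bus configuration file, which is worth keeping.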
@@ -1321,6 +1361,17 @@ bus_context_check_security_policy (BusContext     *context,
                       dbus_message_get_error_name (message) ?
                       dbus_message_get_error_name (message) : "(unset)",
                       dest ? dest : DBUS_SERVICE_DBUS);
+      /* Needs to be duplicated to avoid calling malloc and having to handle OOM */
+      bus_context_log_security (context, msg,
+                                toggles,
+                                sender_name ? sender_name : "(unset)",
+                                dbus_message_get_interface (message) ?
+                                dbus_message_get_interface (message) : "(unset)",
+                                dbus_message_get_member (message) ?
+                                dbus_message_get_member (message) : "(unset)",
+                                dbus_message_get_error_name (message) ?
+                                dbus_message_get_error_name (message) : "(unset)",
+                                dest ? dest : DBUS_SERVICE_DBUS);
       _dbus_verbose ("security policy disallowing message due to sender policy\n");
       return FALSE;
     }
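Review bot: `bus_context_log_security` is called for every rejected send with no rate limiting, so a single misconfigured or looping client produces one LOG_AUTH line per message and can crowd other authentication events out of the log; consider suppressing repeats of the same sender/interface/member/destination tuple. The comment explains why the argument list is duplicated, but `msg` and the two argument lists now have to be kept in step by hand, so say that next to the declaration of `msg` as well.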
@@ -1331,16 +1382,16 @@ bus_context_check_security_policy (BusContext     *context,
                                             requested_reply,
                                             sender,
                                             addressed_recipient, proposed_recipient,
-                                            message))
+                                            message, &toggles))
     {
+      const char *msg = "Rejected receive message, %d matched rules; "
+                        "sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\" reply serial=%u requested_reply=%d)";
       const char *dest;
 
       dest = dbus_message_get_destination (message);
-      dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
-                      "A security policy in place prevents this recipient "
-                      "from receiving this message from this sender, "
-                      "see message bus configuration file (rejected message "
-                      "had interface \"%s\" member \"%s\" error name \"%s\" destination \"%s\" reply serial %u requested_reply=%d)",
+      dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg,
+                      toggles,
+                      sender_name ? sender_name : "(unset)",
                       dbus_message_get_interface (message) ?
                       dbus_message_get_interface (message) : "(unset)",
                       dbus_message_get_member (message) ?
@@ -1350,6 +1401,19 @@ bus_context_check_security_policy (BusContext     *context,
                       dest ? dest : DBUS_SERVICE_DBUS,
                       dbus_message_get_reply_serial (message),
                       requested_reply);
+      /* Needs to be duplicated to avoid calling malloc and having to handle OOM */
+      bus_context_log_security (context, msg,
+                                toggles,
+                                sender_name ? sender_name : "(unset)",
+                                dbus_message_get_interface (message) ?
+                                dbus_message_get_interface (message) : "(unset)",
+                                dbus_message_get_member (message) ?
+                                dbus_message_get_member (message) : "(unset)",
+                                dbus_message_get_error_name (message) ?
+                                dbus_message_get_error_name (message) : "(unset)",
+                                dest ? dest : DBUS_SERVICE_DBUS,
+                                dbus_message_get_reply_serial (message),
+                                requested_reply);
       _dbus_verbose ("security policy disallowing message due to recipient policy\n");
       return FALSE;
     }
diff --git a/bus/bus.h b/bus/bus.h
index ad23104..74bdb82 100644
--- a/bus/bus.h
+++ b/bus/bus.h
@@ -107,6 +107,12 @@ int               bus_context_get_max_services_per_connection    (BusContext
 int               bus_context_get_max_match_rules_per_connection (BusContext       *context);
 int               bus_context_get_max_replies_per_connection     (BusContext       *context);
 int               bus_context_get_reply_timeout                  (BusContext       *context);
+void              bus_context_log_info                           (BusContext       *context, 
+                                                                  const char       *msg, 
+                                                                  ...);
+void              bus_context_log_security                       (BusContext       *context,
+                                                                  const char       *msg, 
+                                                                  ...);
 dbus_bool_t       bus_context_check_security_policy              (BusContext       *context,
                                                                   BusTransaction   *transaction,
                                                                   DBusConnection   *sender,
diff --git a/bus/config-parser-common.c b/bus/config-parser-common.c
index 6e4bb70..ce59086 100644
--- a/bus/config-parser-common.c
+++ b/bus/config-parser-common.c
@@ -114,6 +114,10 @@ bus_config_parser_element_name_to_type (const char *name)
     {
       return ELEMENT_ASSOCIATE;
     }
+  else if (strcmp (name, "syslog") == 0)
+    {
+      return ELEMENT_SYSLOG;
+    }
   return ELEMENT_NONE;
 }
 
@@ -162,7 +166,9 @@ bus_config_parser_element_type_to_name (ElementType type)
       return "selinux";
     case ELEMENT_ASSOCIATE:
       return "associate";
-    }
+    case ELEMENT_SYSLOG:
+      return "syslog";
+   }
 
   _dbus_assert_not_reached ("bad element type");
 
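Review bot: the closing brace of the `switch` moves from four spaces of indentation to three (`+   }`), which looks unintentional; keep the original indentation so this hunk only adds the `ELEMENT_SYSLOG` case.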
diff --git a/bus/config-parser-common.h b/bus/config-parser-common.h
index 3718c95..4ecaa8d 100644
--- a/bus/config-parser-common.h
+++ b/bus/config-parser-common.h
@@ -47,7 +47,8 @@ typedef enum
   ELEMENT_SELINUX,
   ELEMENT_ASSOCIATE,
   ELEMENT_STANDARD_SESSION_SERVICEDIRS,
-  ELEMENT_STANDARD_SYSTEM_SERVICEDIRS
+  ELEMENT_STANDARD_SYSTEM_SERVICEDIRS,
+  ELEMENT_SYSLOG
 } ElementType;
 
 ElementType bus_config_parser_element_name_to_type (const char *element_name);
diff --git a/bus/config-parser.c b/bus/config-parser.c
index f9e0b7d..f4d7c50 100644
--- a/bus/config-parser.c
+++ b/bus/config-parser.c
@@ -111,6 +111,8 @@ struct BusConfigParser
 
   unsigned int fork : 1; /**< TRUE to fork into daemon mode */
 
+  unsigned int syslog : 1; /**< TRUE to enable syslog */
+
   unsigned int is_toplevel : 1; /**< FALSE if we are a sub-config-file inside another one */
 };
 
@@ -698,6 +700,21 @@ start_busconfig_child (BusConfigParser   *parser,
       
       return TRUE;
     }
+  else if (element_type == ELEMENT_SYSLOG)
+    {
+      if (!check_no_attributes (parser, "syslog", attribute_names, attribute_values, error))
+        return FALSE;
+
+      if (push_element (parser, ELEMENT_SYSLOG) == NULL)
+        {
+          BUS_SET_OOM (error);
+          return FALSE;
+        }
+
+      parser->syslog = TRUE;
+      
+      return TRUE;
+    }
   else if (element_type == ELEMENT_PIDFILE)
     {
       if (!check_no_attributes (parser, "pidfile", attribute_names, attribute_values, error))
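Review bot: the `<syslog>` element handled by the new `ELEMENT_SYSLOG` branch is not documented anywhere in this patch; the diffstat touches no documentation file, so administrators have no description of what the element enables or where the messages go. Please add it to the configuration file documentation, and state whether it is meant to be honoured in included files, since the branch sets `parser->syslog = TRUE` without looking at `is_toplevel`.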
@@ -1947,6 +1964,7 @@ bus_config_parser_end_element (BusConfigParser   *parser,
     case ELEMENT_ALLOW:
     case ELEMENT_DENY:
     case ELEMENT_FORK:
+    case ELEMENT_SYSLOG:
     case ELEMENT_SELINUX:
     case ELEMENT_ASSOCIATE:
     case ELEMENT_STANDARD_SESSION_SERVICEDIRS:
@@ -2232,6 +2250,7 @@ bus_config_parser_content (BusConfigParser   *parser,
     case ELEMENT_ALLOW:
     case ELEMENT_DENY:
     case ELEMENT_FORK:
+    case ELEMENT_SYSLOG:
     case ELEMENT_STANDARD_SESSION_SERVICEDIRS:    
     case ELEMENT_STANDARD_SYSTEM_SERVICEDIRS:    
     case ELEMENT_SELINUX:
@@ -2554,6 +2573,12 @@ bus_config_parser_get_fork (BusConfigParser   *parser)
   return parser->fork;
 }
 
+dbus_bool_t
+bus_config_parser_get_syslog (BusConfigParser   *parser)
+{
+  return parser->syslog;
+}
+
 const char *
 bus_config_parser_get_pidfile (BusConfigParser   *parser)
 {
diff --git a/bus/config-parser.h b/bus/config-parser.h
index ec0dfed..fcc5f5d 100644
--- a/bus/config-parser.h
+++ b/bus/config-parser.h
@@ -65,6 +65,7 @@ const char* bus_config_parser_get_type         (BusConfigParser *parser);
 DBusList**  bus_config_parser_get_addresses    (BusConfigParser *parser);
 DBusList**  bus_config_parser_get_mechanisms   (BusConfigParser *parser);
 dbus_bool_t bus_config_parser_get_fork         (BusConfigParser *parser);
+dbus_bool_t bus_config_parser_get_syslog       (BusConfigParser *parser);
 const char* bus_config_parser_get_pidfile      (BusConfigParser *parser);
 const char* bus_config_parser_get_servicehelper (BusConfigParser *parser);
 DBusList**  bus_config_parser_get_service_dirs (BusConfigParser *parser);
diff --git a/bus/policy.c b/bus/policy.c
index caa544e..2c1a354 100644
--- a/bus/policy.c
+++ b/bus/policy.c
@@ -866,7 +866,8 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
                                   BusRegistry     *registry,
                                   dbus_bool_t      requested_reply,
                                   DBusConnection  *receiver,
-                                  DBusMessage     *message)
+                                  DBusMessage     *message,
+                                  dbus_int32_t    *toggles)
 {
   DBusList *link;
   dbus_bool_t allowed;
@@ -876,6 +877,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
    */
 
   _dbus_verbose ("  (policy) checking send rules\n");
+  *toggles = 0;
   
   allowed = FALSE;
   link = _dbus_list_get_first_link (&policy->rules);
@@ -1026,6 +1028,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
 
       /* Use this rule */
       allowed = rule->allow;
+      (*toggles)++;
 
       _dbus_verbose ("  (policy) used rule, allow now = %d\n",
                      allowed);
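Review bot: `(*toggles)++` runs every time a rule is used, whether or not it changes `allowed`, so the value counts matched rules (which is how the log text describes it) rather than toggles; rename the out-parameter to something like `matched_rules`, or count only real changes. The function also writes through `toggles` unconditionally, so the header should say the pointer must not be NULL.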
@@ -1044,7 +1047,8 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
                                      DBusConnection  *sender,
                                      DBusConnection  *addressed_recipient,
                                      DBusConnection  *proposed_recipient,
-                                     DBusMessage     *message)
+                                     DBusMessage     *message,
+                                     dbus_int32_t    *toggles)
 {
   DBusList *link;
   dbus_bool_t allowed;
@@ -1059,6 +1063,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
    */
 
   _dbus_verbose ("  (policy) checking receive rules, eavesdropping = %d\n", eavesdropping);
+  *toggles = 0;
   
   allowed = FALSE;
   link = _dbus_list_get_first_link (&policy->rules);
@@ -1223,6 +1228,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
       
       /* Use this rule */
       allowed = rule->allow;
+      (*toggles)++;
 
       _dbus_verbose ("  (policy) used rule, allow now = %d\n",
                      allowed);
diff --git a/bus/policy.h b/bus/policy.h
index adb9a05..91fde99 100644
--- a/bus/policy.h
+++ b/bus/policy.h
@@ -141,14 +141,16 @@ dbus_bool_t      bus_client_policy_check_can_send    (BusClientPolicy  *policy,
                                                       BusRegistry      *registry,
                                                       dbus_bool_t       requested_reply,
                                                       DBusConnection   *receiver,
-                                                      DBusMessage      *message);
+                                                      DBusMessage      *message,
+                                                      dbus_int32_t     *toggles);
 dbus_bool_t      bus_client_policy_check_can_receive (BusClientPolicy  *policy,
                                                       BusRegistry      *registry,
                                                       dbus_bool_t       requested_reply,
                                                       DBusConnection   *sender,
                                                       DBusConnection   *addressed_recipient,
                                                       DBusConnection   *proposed_recipient,
-                                                      DBusMessage      *message);
+                                                      DBusMessage      *message,
+                                                      dbus_int32_t     *toggles);
 dbus_bool_t      bus_client_policy_check_can_own     (BusClientPolicy  *policy,
                                                       DBusConnection   *connection,
                                                       const DBusString *service_name);
diff --git a/bus/system.conf.in b/bus/system.conf.in
index 1b6e716..41e1bb1 100644
--- a/bus/system.conf.in
+++ b/bus/system.conf.in
@@ -29,6 +29,9 @@
   <!-- Write a pid file -->
   <pidfile>@DBUS_SYSTEM_PID_FILE@</pidfile>
 
+  <!-- Enable logging to syslog -->
+  <syslog/>
+
   <!-- Only allow socket-credentials-based authentication -->
   <auth>EXTERNAL</auth>
 
diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
index 24a3774..ccb8483 100644
--- a/dbus/dbus-sysdeps-unix.c
+++ b/dbus/dbus-sysdeps-unix.c
@@ -2780,7 +2780,6 @@ _dbus_full_duplex_pipe (int        *fd1,
 #endif
 }
 
-
 /**
  * Measure the length of the given format string and arguments,
  * not including the terminating nul.
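Review bot: this hunk only deletes a blank line before the doc comment and has nothing to do with syslog support; drop it from the patch so the change stays limited to the logging work.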
diff --git a/dbus/dbus-sysdeps-util-unix.c b/dbus/dbus-sysdeps-util-unix.c
index 0343a90..3f2a233 100644
--- a/dbus/dbus-sysdeps-util-unix.c
+++ b/dbus/dbus-sysdeps-util-unix.c
@@ -451,6 +451,38 @@ _dbus_change_to_daemon_user  (const char    *user,
  return FALSE;
 }
 
+void 
+_dbus_init_system_log (void)
+{
+  openlog ("dbus", LOG_PID, LOG_DAEMON);
+}
+
+/**
+ * Log an informative message.  Intended for use primarily by
+ * the system bus.
+ *
+ * @param msg a printf-style format string
+ * @param args arguments for the format string
+ */
+void 
+_dbus_log_info (const char *msg, va_list args)
+{
+  vsyslog (LOG_DAEMON|LOG_NOTICE, msg, args);
+}
+
+/**
+ * Log a security-related message.  Intended for use primarily by
+ * the system bus.
+ *
+ * @param msg a printf-style format string
+ * @param args arguments for the format string
+ */
+void 
+_dbus_log_security (const char *msg, va_list args)
+{
+  vsyslog (LOG_AUTH|LOG_NOTICE, msg, args);
+}
+
 /** Installs a UNIX signal handler
  *
  * @param sig the signal to handle
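Review bot: `_dbus_init_system_log` is added without a doc comment, unlike the two functions after it, and none of the hunks shown in this patch calls it, so as far as the diff shows `openlog ("dbus", LOG_PID, LOG_DAEMON)` never runs and messages go out under the default ident. Either call it from the bus start-up path when `<syslog/>` is configured or document who is expected to. `vsyslog` is also not part of POSIX, so this probably wants a configure check or a fallback.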
diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h
index 80236f0..5f4b00e 100644
--- a/dbus/dbus-sysdeps.h
+++ b/dbus/dbus-sysdeps.h
@@ -420,6 +420,10 @@ void _dbus_set_signal_handler (int               sig,
 dbus_bool_t _dbus_user_at_console (const char *username,
                                    DBusError  *error);
 
+void _dbus_init_system_log (void);
+void _dbus_log_info (const char *msg, va_list args);
+void _dbus_log_security (const char *msg, va_list args);
+
 /* Define DBUS_VA_COPY() to do the right thing for copying va_list variables. 
  * config.h may have already defined DBUS_VA_COPY as va_copy or __va_copy. 
  */

-- 
1.5.6.5

From 8cbe86da9089901c574387e4032f0858e8249c79 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Fri, 12 Dec 2008 16:58:06 -0500
Subject: [PATCH] Add message type to security syslog entries

It's part of the security check, we should have it in the log.
---
 bus/bus.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/bus/bus.c b/bus/bus.c
index 195a6fd..ab986b9 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -1348,11 +1348,12 @@ bus_context_check_security_policy (BusContext     *context,
     {
       const char *dest;
       const char *msg = "Rejected send message, %d matched rules; "
-                        "sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\")";
+                        "type=\"%s\", sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\")";
 
       dest = dbus_message_get_destination (message);
       dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg,
                       toggles,
+                      dbus_message_type_to_string (dbus_message_get_type (message)),
                       sender_name ? sender_name : "(unset)",
                       dbus_message_get_interface (message) ?
                       dbus_message_get_interface (message) : "(unset)",
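Review bot: the send format now reads `type=\"%s\", sender=` with a comma after the type, while the receive format changed later in this same patch reads `type=\"%s\" sender=` without one; pick one separator so both kinds of denial can be parsed with the same pattern.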
@@ -1364,6 +1365,7 @@ bus_context_check_security_policy (BusContext     *context,
       /* Needs to be duplicated to avoid calling malloc and having to handle OOM */
       bus_context_log_security (context, msg,
                                 toggles,
+                                dbus_message_type_to_string (dbus_message_get_type (message)),
                                 sender_name ? sender_name : "(unset)",
                                 dbus_message_get_interface (message) ?
                                 dbus_message_get_interface (message) : "(unset)",
@@ -1385,12 +1387,13 @@ bus_context_check_security_policy (BusContext     *context,
                                             message, &toggles))
     {
       const char *msg = "Rejected receive message, %d matched rules; "
-                        "sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\" reply serial=%u requested_reply=%d)";
+                        "type=\"%s\" sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\" reply serial=%u requested_reply=%d)";
       const char *dest;
 
       dest = dbus_message_get_destination (message);
       dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg,
                       toggles,
+                      dbus_message_type_to_string (dbus_message_get_type (message)),
                       sender_name ? sender_name : "(unset)",
                       dbus_message_get_interface (message) ?
                       dbus_message_get_interface (message) : "(unset)",
@@ -1404,6 +1407,7 @@ bus_context_check_security_policy (BusContext     *context,
       /* Needs to be duplicated to avoid calling malloc and having to handle OOM */
       bus_context_log_security (context, msg,
                                 toggles,
+                                dbus_message_type_to_string (dbus_message_get_type (message)),
                                 sender_name ? sender_name : "(unset)",
                                 dbus_message_get_interface (message) ?
                                 dbus_message_get_interface (message) : "(unset)",
-- 
1.5.6.5

From 427ff01f9d656700b370bb905fe738e76602a842 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Tue, 16 Dec 2008 11:57:27 -0500
Subject: [PATCH] Add optional logging on allow rules

This lets us have a backwards compatibility allow rule but still easily
see when that rule is being used.
---
 bus/bus.c           |   37 +++++++++++++++++++++++--------------
 bus/config-parser.c |    5 +++++
 bus/policy.c        |    4 +++-
 bus/policy.h        |    4 +++-
 4 files changed, 34 insertions(+), 16 deletions(-)

diff --git a/bus/bus.c b/bus/bus.c
index ab986b9..b749d30 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -1160,22 +1160,25 @@ bus_context_check_security_policy (BusContext     *context,
                                    DBusMessage    *message,
                                    DBusError      *error)
 {
+  const char *dest;
   BusClientPolicy *sender_policy;
   BusClientPolicy *recipient_policy;
   dbus_int32_t toggles;
+  dbus_bool_t log;
   int type;
   dbus_bool_t requested_reply;
   const char *sender_name;
   
   type = dbus_message_get_type (message);
+  dest = dbus_message_get_destination (message);
   
   /* dispatch.c was supposed to ensure these invariants */
-  _dbus_assert (dbus_message_get_destination (message) != NULL ||
+  _dbus_assert (dest != NULL ||
                 type == DBUS_MESSAGE_TYPE_SIGNAL ||
                 (sender == NULL && !bus_connection_is_active (proposed_recipient)));
   _dbus_assert (type == DBUS_MESSAGE_TYPE_SIGNAL ||
                 addressed_recipient != NULL ||
-                strcmp (dbus_message_get_destination (message), DBUS_SERVICE_DBUS) == 0);
+                strcmp (dest, DBUS_SERVICE_DBUS) == 0);
 
   /* Used in logging below */
   if (sender != NULL)
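Review bot: the new local `dbus_bool_t log;` shares its name with the C library's `log()`, which triggers shadowing warnings on some compilers and reads oddly next to the logging calls; a name such as `log_allowed` would be clearer and would also say what the flag means.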
@@ -1205,10 +1208,6 @@ bus_context_check_security_policy (BusContext     *context,
   
   if (sender != NULL)
     {
-      const char *dest;
-
-      dest = dbus_message_get_destination (message);
-	
       /* First verify the SELinux access controls.  If allowed then
        * go on with the standard checks.
        */
@@ -1339,18 +1338,18 @@ bus_context_check_security_policy (BusContext     *context,
                 (proposed_recipient != NULL && sender == NULL && recipient_policy == NULL) ||
                 (proposed_recipient == NULL && recipient_policy == NULL));
   
+  log = FALSE;
   if (sender_policy &&
       !bus_client_policy_check_can_send (sender_policy,
                                          context->registry,
                                          requested_reply,
                                          proposed_recipient,
-                                         message, &toggles))
+                                         message, &toggles, &log))
     {
-      const char *dest;
       const char *msg = "Rejected send message, %d matched rules; "
                         "type=\"%s\", sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\")";
 
-      dest = dbus_message_get_destination (message);
+
       dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg,
                       toggles,
                       dbus_message_type_to_string (dbus_message_get_type (message)),
@@ -1378,6 +1377,21 @@ bus_context_check_security_policy (BusContext     *context,
       return FALSE;
     }
 
+  if (log)
+    bus_context_log_security (context, 
+                              "Would reject message, %d matched rules; "
+                              "type=\"%s\", sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\")",
+                              toggles,
+                              dbus_message_type_to_string (dbus_message_get_type (message)),
+                              sender_name ? sender_name : "(unset)",
+                              dbus_message_get_interface (message) ?
+                              dbus_message_get_interface (message) : "(unset)",
+                              dbus_message_get_member (message) ?
+                              dbus_message_get_member (message) : "(unset)",
+                              dbus_message_get_error_name (message) ?
+                              dbus_message_get_error_name (message) : "(unset)",
+                              dest ? dest : DBUS_SERVICE_DBUS);
+
   if (recipient_policy &&
       !bus_client_policy_check_can_receive (recipient_policy,
                                             context->registry,
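Review bot: the `if (log)` block carries a third hand-written copy of the send format string, with the same trailing `)` and the comma after `type`, so it can drift from the `msg` used in the rejection branch; share one format and vary only the prefix. The wording "Would reject message" also describes a message that was in fact allowed, which is confusing when reading the auth log; something like "Allowed by logged rule" states what happened.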
@@ -1388,9 +1402,7 @@ bus_context_check_security_policy (BusContext     *context,
     {
       const char *msg = "Rejected receive message, %d matched rules; "
                         "type=\"%s\" sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\" reply serial=%u requested_reply=%d)";
-      const char *dest;
 
-      dest = dbus_message_get_destination (message);
       dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg,
                       toggles,
                       dbus_message_type_to_string (dbus_message_get_type (message)),
@@ -1427,9 +1439,6 @@ bus_context_check_security_policy (BusContext     *context,
       dbus_connection_get_outgoing_size (proposed_recipient) >
       context->limits.max_outgoing_bytes)
     {
-      const char *dest;
-
-      dest = dbus_message_get_destination (message);
       dbus_set_error (error, DBUS_ERROR_LIMITS_EXCEEDED,
                       "The destination service \"%s\" has a full message queue",
                       dest ? dest : (proposed_recipient ?
diff --git a/bus/config-parser.c b/bus/config-parser.c
index f4d7c50..a8de3ff 100644
--- a/bus/config-parser.c
+++ b/bus/config-parser.c
@@ -1090,6 +1090,7 @@ append_rule_from_element (BusConfigParser   *parser,
                           dbus_bool_t        allow,
                           DBusError         *error)
 {
+  const char *log;
   const char *send_interface;
   const char *send_member;
   const char *send_error;
@@ -1133,6 +1134,7 @@ append_rule_from_element (BusConfigParser   *parser,
                           "own", &own,
                           "user", &user,
                           "group", &group,
+                          "log", &log,
                           NULL))
     return FALSE;
 
@@ -1337,6 +1339,9 @@ append_rule_from_element (BusConfigParser   *parser,
       if (eavesdrop)
         rule->d.send.eavesdrop = (strcmp (eavesdrop, "true") == 0);
 
+      if (log)
+        rule->d.send.log = (strcmp (log, "true") == 0);
+
       if (send_requested_reply)
         rule->d.send.requested_reply = (strcmp (send_requested_reply, "true") == 0);
 
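Review bot: the new `rule->d.send.log = (strcmp (log, "true") == 0)` treats every value other than the exact string "true" as false without complaint, so a policy author who writes log="yes" or log="True" silently gets no logging. Since the attribute exists to make policy decisions auditable, consider rejecting anything other than "true" or "false" with a parse error. The flag is stored only in d.send here, so the documentation for the attribute should say that it applies to send rules and what happens when it is given on any other kind of rule.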
diff --git a/bus/policy.c b/bus/policy.c
index 2c1a354..ef31800 100644
--- a/bus/policy.c
+++ b/bus/policy.c
@@ -867,7 +867,8 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
                                   dbus_bool_t      requested_reply,
                                   DBusConnection  *receiver,
                                   DBusMessage     *message,
-                                  dbus_int32_t    *toggles)
+                                  dbus_int32_t    *toggles,
+                                  dbus_bool_t     *log)
 {
   DBusList *link;
   dbus_bool_t allowed;
@@ -1028,6 +1029,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
 
       /* Use this rule */
       allowed = rule->allow;
+      *log = rule->d.send.log;
       (*toggles)++;
 
       _dbus_verbose ("  (policy) used rule, allow now = %d\n",
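Review bot: `*log = rule->d.send.log;` is the only write to the new out-parameter in these hunks, and it happens only when a rule matches, so with no matching rule the caller's variable keeps whatever it held before the call. Set `*log = FALSE` on entry to bus_client_policy_check_can_send, or document that the caller must initialize it. Also worth a comment: each matching rule overwrites the value, so a later matching rule without log="true" clears a request made by an earlier one.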
diff --git a/bus/policy.h b/bus/policy.h
index 91fde99..a75e0dd 100644
--- a/bus/policy.h
+++ b/bus/policy.h
@@ -65,6 +65,7 @@ struct BusPolicyRule
       char *destination;
       unsigned int eavesdrop : 1;
       unsigned int requested_reply : 1;
+      unsigned int log : 1;
     } send;
 
     struct
@@ -142,7 +143,8 @@ dbus_bool_t      bus_client_policy_check_can_send    (BusClientPolicy  *policy,
                                                       dbus_bool_t       requested_reply,
                                                       DBusConnection   *receiver,
                                                       DBusMessage      *message,
-                                                      dbus_int32_t     *toggles);
+                                                      dbus_int32_t     *toggles,
+                                                      dbus_bool_t      *log);
 dbus_bool_t      bus_client_policy_check_can_receive (BusClientPolicy  *policy,
                                                       BusRegistry      *registry,
                                                       dbus_bool_t       requested_reply,
-- 
1.5.6.5

From 9bc79bc768defaa779fae45845a42301b557a908 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Wed, 17 Dec 2008 16:01:28 -0500
Subject: [PATCH] Add uid, pid, and command to security logs

Extend the current security logs with even more relevant
information than just the message content.  This requires
some utility code to look up and cache (as a string)
the data such as the uid/pid/command when a connection is
authenticated.
---
 bus/bus.c                     |   42 ++++++++++++----
 bus/connection.c              |  105 +++++++++++++++++++++++++++++++++++++----
 bus/connection.h              |    1 +
 dbus/dbus-sysdeps-util-unix.c |   96 +++++++++++++++++++++++++++++++++++++
 dbus/dbus-sysdeps.h           |    5 ++
 5 files changed, 228 insertions(+), 21 deletions(-)

diff --git a/bus/bus.c b/bus/bus.c
index b749d30..db3556f 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -1168,6 +1168,8 @@ bus_context_check_security_policy (BusContext     *context,
   int type;
   dbus_bool_t requested_reply;
   const char *sender_name;
+  const char *sender_loginfo;
+  const char *proposed_recipient_loginfo;
   
   type = dbus_message_get_type (message);
   dest = dbus_message_get_destination (message);
@@ -1182,9 +1184,20 @@ bus_context_check_security_policy (BusContext     *context,
 
   /* Used in logging below */
   if (sender != NULL)
-    sender_name = bus_connection_get_name (sender);
+    {
+      sender_name = bus_connection_get_name (sender);
+      sender_loginfo = bus_connection_get_loginfo (sender);
+    }
+  else
+    {
+      sender_name = NULL;
+      sender_loginfo = "(bus)";
+    }
+  
+  if (proposed_recipient != NULL)
+    proposed_recipient_loginfo = bus_connection_get_loginfo (proposed_recipient);
   else
-    sender_name = NULL;
+    proposed_recipient_loginfo = "bus";
   
   switch (type)
     {
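Review bot: the two fallback strings differ: sender_loginfo becomes "(bus)" while proposed_recipient_loginfo becomes "bus". Both are later printed inside `(%s)`, so the bus itself is logged as "((bus))" on the sender side and "(bus)" on the recipient side. Use one spelling for both, preferably without its own parentheses.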
@@ -1347,32 +1360,35 @@ bus_context_check_security_policy (BusContext     *context,
                                          message, &toggles, &log))
     {
       const char *msg = "Rejected send message, %d matched rules; "
-                        "type=\"%s\", sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\")";
-
+                        "type=\"%s\", sender=\"%s\" (%s) interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\" (%s))";
 
       dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg,
                       toggles,
                       dbus_message_type_to_string (dbus_message_get_type (message)),
                       sender_name ? sender_name : "(unset)",
+                      sender_loginfo,
                       dbus_message_get_interface (message) ?
                       dbus_message_get_interface (message) : "(unset)",
                       dbus_message_get_member (message) ?
                       dbus_message_get_member (message) : "(unset)",
                       dbus_message_get_error_name (message) ?
                       dbus_message_get_error_name (message) : "(unset)",
-                      dest ? dest : DBUS_SERVICE_DBUS);
+                      dest ? dest : DBUS_SERVICE_DBUS,
+                      proposed_recipient_loginfo);
       /* Needs to be duplicated to avoid calling malloc and having to handle OOM */
       bus_context_log_security (context, msg,
                                 toggles,
                                 dbus_message_type_to_string (dbus_message_get_type (message)),
                                 sender_name ? sender_name : "(unset)",
+                                sender_loginfo,
                                 dbus_message_get_interface (message) ?
                                 dbus_message_get_interface (message) : "(unset)",
                                 dbus_message_get_member (message) ?
                                 dbus_message_get_member (message) : "(unset)",
                                 dbus_message_get_error_name (message) ?
                                 dbus_message_get_error_name (message) : "(unset)",
-                                dest ? dest : DBUS_SERVICE_DBUS);
+                                dest ? dest : DBUS_SERVICE_DBUS,
+                                proposed_recipient_loginfo);
       _dbus_verbose ("security policy disallowing message due to sender policy\n");
       return FALSE;
     }
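Review bot: the new format string ends in `destination=\"%s\" (%s))`, which leaves a closing parenthesis with no opener, so every logged denial ends in "))". The old string already had the stray ")"; this is a good moment to drop it, since these lines are meant to be read and parsed when debugging policy. The format arguments are also written out twice, once for dbus_set_error and once for bus_context_log_security, and each new field has to be added in both places in the same position; the "Needs to be duplicated" comment should say that explicitly.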
@@ -1401,35 +1417,39 @@ bus_context_check_security_policy (BusContext     *context,
                                             message, &toggles))
     {
       const char *msg = "Rejected receive message, %d matched rules; "
-                        "type=\"%s\" sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\" reply serial=%u requested_reply=%d)";
+                        "type=\"%s\" sender=\"%s\" (%s) interface=\"%s\" member=\"%s\" error name=\"%s\" reply serial=%u requested_reply=%d destination=\"%s\" (%s))";
 
       dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg,
                       toggles,
                       dbus_message_type_to_string (dbus_message_get_type (message)),
                       sender_name ? sender_name : "(unset)",
+                      sender_loginfo,
                       dbus_message_get_interface (message) ?
                       dbus_message_get_interface (message) : "(unset)",
                       dbus_message_get_member (message) ?
                       dbus_message_get_member (message) : "(unset)",
                       dbus_message_get_error_name (message) ?
                       dbus_message_get_error_name (message) : "(unset)",
-                      dest ? dest : DBUS_SERVICE_DBUS,
                       dbus_message_get_reply_serial (message),
-                      requested_reply);
+                      requested_reply,
+                      dest ? dest : DBUS_SERVICE_DBUS,
+                      proposed_recipient_loginfo);
       /* Needs to be duplicated to avoid calling malloc and having to handle OOM */
       bus_context_log_security (context, msg,
                                 toggles,
                                 dbus_message_type_to_string (dbus_message_get_type (message)),
                                 sender_name ? sender_name : "(unset)",
+                                sender_loginfo,
                                 dbus_message_get_interface (message) ?
                                 dbus_message_get_interface (message) : "(unset)",
                                 dbus_message_get_member (message) ?
                                 dbus_message_get_member (message) : "(unset)",
                                 dbus_message_get_error_name (message) ?
                                 dbus_message_get_error_name (message) : "(unset)",
-                                dest ? dest : DBUS_SERVICE_DBUS,
                                 dbus_message_get_reply_serial (message),
-                                requested_reply);
+                                requested_reply,
+                                dest ? dest : DBUS_SERVICE_DBUS,
+                                proposed_recipient_loginfo);
       _dbus_verbose ("security policy disallowing message due to recipient policy\n");
       return FALSE;
     }
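Review bot: the receive format string has `type=\"%s\" sender=` with no comma, while the send format string changed in the previous hunk has `type=\"%s\", sender=`, so anything that parses these syslog lines needs two patterns for the same field. Pick one separator for both messages. The reordering of `dest` behind `requested_reply` is applied consistently to the format and to both argument lists, which is the part that matters for correctness here.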
diff --git a/bus/connection.c b/bus/connection.c
index ed1b139..ab99fa5 100644
--- a/bus/connection.c
+++ b/bus/connection.c
@@ -32,6 +32,9 @@
 #include <dbus/dbus-hash.h>
 #include <dbus/dbus-timeout.h>
 
+/* Trim executed commands to this length; we want to keep logs readable */
+#define MAX_LOG_COMMAND_LEN 50
+
 static void bus_connection_remove_transactions (DBusConnection *connection);
 
 typedef struct
@@ -76,6 +79,7 @@ typedef struct
   DBusPreallocatedSend *oom_preallocated;
   BusClientPolicy *policy;
 
+  char *cached_loginfo_string;
   BusSELinuxID *selinux_id;
 
   long connection_tv_sec;  /**< Time when we connected (seconds component) */
@@ -406,6 +410,8 @@ free_connection_data (void *data)
   if (d->selinux_id)
     bus_selinux_id_unref (d->selinux_id);
   
+  dbus_free (d->cached_loginfo_string);
+  
   dbus_free (d->name);
   
   dbus_free (d);
@@ -537,13 +543,73 @@ bus_connections_unref (BusConnections *connections)
     }
 }
 
+/* Used for logging */
+static dbus_bool_t
+cache_peer_loginfo_string (BusConnectionData *d, 
+                           DBusConnection    *connection)
+{
+  DBusString loginfo_buf;
+  unsigned long uid;
+  unsigned long pid;
+  char *windows_sid;
+  dbus_bool_t prev_added;
+
+  if (!_dbus_string_init (&loginfo_buf))
+    return FALSE;
+  
+  prev_added = FALSE;
+  if (dbus_connection_get_unix_user (connection, &uid))
+    {
+      if (!_dbus_string_append_printf (&loginfo_buf, "uid=%ld", uid))
+        goto oom;
+      else
+        prev_added = TRUE;
+    }
+
+  if (dbus_connection_get_unix_process_id (connection, &pid))
+    {
+      if (prev_added)
+        {
+          if (!_dbus_string_append_byte (&loginfo_buf, ' '))
+            goto oom;
+        }
+      if (!_dbus_string_append_printf (&loginfo_buf, "pid=%ld comm=\"", pid))
+        goto oom;
+      /* Ignore errors here */
+      if (_dbus_command_for_pid (pid, &loginfo_buf, MAX_LOG_COMMAND_LEN, NULL))
+        {
+          if (!_dbus_string_append_byte (&loginfo_buf, '"'))
+            goto oom;
+        }
+    }
+
+  if (dbus_connection_get_windows_user (connection, &windows_sid))
+    {
+      if (!_dbus_string_append_printf (&loginfo_buf, "sid=\"%s\" ", windows_sid))
+        goto oom;
+      dbus_free (windows_sid);
+    }
+
+  if (!_dbus_string_steal_data (&loginfo_buf, &(d->cached_loginfo_string)))
+    goto oom;
+
+  _dbus_string_free (&loginfo_buf); 
+
+  return TRUE;
+oom:
+   _dbus_string_free (&loginfo_buf);
+   return FALSE;
+}
+
 dbus_bool_t
 bus_connections_setup_connection (BusConnections *connections,
                                   DBusConnection *connection)
 {
+
   BusConnectionData *d;
   dbus_bool_t retval;
   DBusError error;
+
   
   d = dbus_new0 (BusConnectionData, 1);
   
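Review bot: in cache_peer_loginfo_string the closing quote after `comm=\"` is appended only when _dbus_command_for_pid succeeds, so on the "Ignore errors here" path the cached string ends with an unterminated `comm="` and the field cannot be parsed reliably. Append the quote unconditionally, or append `comm=` only once the command is known. Smaller points: `uid` and `pid` are unsigned long but are formatted with %ld; the `sid=` branch jumps to oom before `dbus_free (windows_sid)` and so leaks it, and it adds no separator before `sid=` but a trailing space after it; the blank lines added to bus_connections_setup_connection are unrelated whitespace.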
@@ -583,7 +649,7 @@ bus_connections_setup_connection (BusConnections *connections,
       dbus_error_free (&error);
       goto out;
     }
-  
+
   if (!dbus_connection_set_watch_functions (connection,
                                             add_connection_watch,
                                             remove_connection_watch,
@@ -842,6 +908,18 @@ bus_connection_is_in_unix_group (DBusConnection *connection,
   return FALSE;
 }
 
+const char *
+bus_connection_get_loginfo (DBusConnection        *connection)
+{
+  BusConnectionData *d;
+    
+  d = BUS_CONNECTION_DATA (connection);
+
+  if (!bus_connection_is_active (connection))
+    return "inactive";
+  return d->cached_loginfo_string;  
+}
+
 BusClientPolicy*
 bus_connection_get_policy (DBusConnection *connection)
 {
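Review bot: bus_connection_get_loginfo has no comment saying who owns the returned string. It returns either d->cached_loginfo_string, which free_connection_data frees, or the literal "inactive", so callers must not free the result or keep it beyond the connection's lifetime; state that above the function.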
@@ -1302,16 +1380,15 @@ bus_connection_complete (DBusConnection   *connection,
     {
       if (!adjust_connections_for_uid (d->connections,
                                        uid, 1))
-        {
-          BUS_SET_OOM (error);
-          dbus_free (d->name);
-          d->name = NULL;
-          bus_client_policy_unref (d->policy);
-          d->policy = NULL;
-          return FALSE;
-        }
+        goto fail;
     }
-  
+
+  /* Create and cache a string which holds information about the 
+   * peer process; used for logging purposes.
+   */
+  if (!cache_peer_loginfo_string (d, connection))
+    goto fail;
+
   /* Now the connection is active, move it between lists */
   _dbus_list_unlink (&d->connections->incomplete,
                      d->link_in_connection_list);
@@ -1329,6 +1406,14 @@ bus_connection_complete (DBusConnection   *connection,
   _dbus_assert (bus_connection_is_active (connection));
   
   return TRUE;
+fail:
+  BUS_SET_OOM (error);
+  dbus_free (d->name);
+  d->name = NULL;
+  if (d->policy)
+    bus_client_policy_unref (d->policy);
+  d->policy = NULL;
+  return FALSE;
 }
 
 const char *
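Review bot: cache_peer_loginfo_string is called after `adjust_connections_for_uid (d->connections, uid, 1)` has succeeded, but the shared `fail:` block does not undo that adjustment, so a failure while building the log string leaves the per-uid connection count one too high. Build the string before adjusting the count, or undo the adjustment on this path. The `if (d->policy)` guard in `fail:` is also new compared with the removed block and deserves a word in the commit message.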
diff --git a/bus/connection.h b/bus/connection.h
index 5099bcf..4f35216 100644
--- a/bus/connection.h
+++ b/bus/connection.h
@@ -50,6 +50,7 @@ BusConnections* bus_connection_get_connections    (DBusConnection
 BusRegistry*    bus_connection_get_registry       (DBusConnection               *connection);
 BusActivation*  bus_connection_get_activation     (DBusConnection               *connection);
 BusMatchmaker*  bus_connection_get_matchmaker     (DBusConnection               *connection);
+const char *    bus_connection_get_loginfo        (DBusConnection        *connection);
 BusSELinuxID*   bus_connection_get_selinux_id     (DBusConnection               *connection);
 dbus_bool_t     bus_connections_check_limits      (BusConnections               *connections,
                                                    DBusConnection               *requesting_completion,
diff --git a/dbus/dbus-sysdeps-util-unix.c b/dbus/dbus-sysdeps-util-unix.c
index 3f2a233..6ca662b 100644
--- a/dbus/dbus-sysdeps-util-unix.c
+++ b/dbus/dbus-sysdeps-util-unix.c
@@ -1132,3 +1132,99 @@ _dbus_string_get_dirname  (const DBusString *filename,
 }
 /** @} */ /* DBusString stuff */
 
+static void
+string_squash_nonprintable (DBusString *str)
+{
+  char *buf;
+  int i, len; 
+  
+  buf = _dbus_string_get_data (str);
+  len = _dbus_string_get_length (str);
+  
+  for (i = 0; i < len; i++)
+    if (buf[i] == '\0')
+      buf[i] = ' ';
+    else if (buf[i] < 0x20 || buf[i] > 127)
+      buf[i] = '?';
+}
+
+/**
+ * Get a printable string describing the command used to execute
+ * the process with pid.  This string should only be used for
+ * informative purposes such as logging; it may not be trusted.
+ * 
+ * The command is guaranteed to be printable ASCII and no longer
+ * than max_len.
+ * 
+ * @param pid Process id
+ * @param str Append command to this string
+ * @param max_len Maximum length of returned command
+ * @param error return location for errors
+ * @returns #FALSE on error
+ */
+dbus_bool_t 
+_dbus_command_for_pid (unsigned long  pid,
+                       DBusString    *str,
+                       int            max_len,
+                       DBusError     *error)
+{
+  /* This is all Linux-specific for now */
+  DBusString path;
+  DBusString cmdline;
+  int fd;
+  
+  if (!_dbus_string_init (&path)) 
+    {
+      _DBUS_SET_OOM (error);
+      return FALSE;
+    }
+  
+  if (!_dbus_string_init (&cmdline))
+    {
+      _DBUS_SET_OOM (error);
+      _dbus_string_free (&path);
+      return FALSE;
+    }
+  
+  if (!_dbus_string_append_printf (&path, "/proc/%ld/cmdline", pid))
+    goto oom;
+  
+  fd = open (_dbus_string_get_const_data (&path), O_RDONLY);
+  if (fd < 0) 
+    {
+      dbus_set_error (error,
+                      _dbus_error_from_errno (errno),
+                      "Failed to open \"%s\": %s",
+                      _dbus_string_get_const_data (&path),
+                      _dbus_strerror (errno));
+      goto fail;
+    }
+  
+  if (!_dbus_read (fd, &cmdline, max_len))
+    {
+      dbus_set_error (error,
+                      _dbus_error_from_errno (errno),
+                      "Failed to read from \"%s\": %s",
+                      _dbus_string_get_const_data (&path),
+                      _dbus_strerror (errno));      
+      goto fail;
+    }
+  
+  if (!_dbus_close (fd, error))
+    goto fail;
+  
+  string_squash_nonprintable (&cmdline);  
+  
+  if (!_dbus_string_copy (&cmdline, 0, str, _dbus_string_get_length (str)))
+    goto oom;
+  
+  _dbus_string_free (&cmdline);  
+  _dbus_string_free (&path);
+  return TRUE;
+oom:
+  _DBUS_SET_OOM (error);
+fail:
+  _dbus_string_free (&cmdline);
+  _dbus_string_free (&path);
+  return FALSE;
+}
\ No newline at end of file
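Review bot: when `_dbus_read` fails, the code does `goto fail` without closing `fd`, and the fail and oom labels only free the two strings, so the descriptor leaks in the daemon each time that path is taken; close it before jumping. On sanitising: string_squash_nonprintable tests `buf[i] > 127`, which lets 0x7f (DEL) through although the doc comment promises printable ASCII, and it leaves `"` untouched even though the caller wraps the result in comm="...", so a quote inside a command line makes the logged field ambiguous for anyone parsing it. Replacing `"` as well keeps the record unambiguous. `pid` is unsigned long, so "/proc/%ld/cmdline" should use %lu, and the file now ends without a newline.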
diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h
index 5f4b00e..2662b27 100644
--- a/dbus/dbus-sysdeps.h
+++ b/dbus/dbus-sysdeps.h
@@ -411,6 +411,11 @@ dbus_bool_t _dbus_write_pid_to_file_and_pipe (const DBusString *pidfile,
                                               dbus_pid_t        pid_to_write,
                                               DBusError        *error);
 
+dbus_bool_t _dbus_command_for_pid (unsigned long  pid,
+                                   DBusString    *str,
+                                   int            max_len,
+                                   DBusError     *error);
+
 /** A UNIX signal handler */
 typedef void (* DBusSignalHandler) (int sig);
 
-- 
1.5.6.5

From 1e44dc90859ae005da3de7a005a98eea3251a65b Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Wed, 17 Dec 2008 19:29:39 -0500
Subject: [PATCH] Add requested_reply to send denials, and connection loginfo to "would deny"

The requested_reply field is necessary in send denials too because
it's used in the policy language.  The connection loginfo lack in
"would deny" was just an oversight.
---
 bus/bus.c |   69 +++++++++++++++++++++++++++++++++---------------------------
 1 files changed, 38 insertions(+), 31 deletions(-)

diff --git a/bus/bus.c b/bus/bus.c
index db3556f..e38d4a2 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -1360,7 +1360,7 @@ bus_context_check_security_policy (BusContext     *context,
                                          message, &toggles, &log))
     {
       const char *msg = "Rejected send message, %d matched rules; "
-                        "type=\"%s\", sender=\"%s\" (%s) interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\" (%s))";
+                        "type=\"%s\", sender=\"%s\" (%s) interface=\"%s\" member=\"%s\" error name=\"%s\" requested_reply=%d destination=\"%s\" (%s))";
 
       dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg,
                       toggles,
@@ -1373,22 +1373,25 @@ bus_context_check_security_policy (BusContext     *context,
                       dbus_message_get_member (message) : "(unset)",
                       dbus_message_get_error_name (message) ?
                       dbus_message_get_error_name (message) : "(unset)",
+                      requested_reply,
                       dest ? dest : DBUS_SERVICE_DBUS,
                       proposed_recipient_loginfo);
       /* Needs to be duplicated to avoid calling malloc and having to handle OOM */
-      bus_context_log_security (context, msg,
-                                toggles,
-                                dbus_message_type_to_string (dbus_message_get_type (message)),
-                                sender_name ? sender_name : "(unset)",
-                                sender_loginfo,
-                                dbus_message_get_interface (message) ?
-                                dbus_message_get_interface (message) : "(unset)",
-                                dbus_message_get_member (message) ?
-                                dbus_message_get_member (message) : "(unset)",
-                                dbus_message_get_error_name (message) ?
-                                dbus_message_get_error_name (message) : "(unset)",
-                                dest ? dest : DBUS_SERVICE_DBUS,
-                                proposed_recipient_loginfo);
+      if (addressed_recipient == proposed_recipient)      
+        bus_context_log_security (context, msg,
+                                  toggles,
+                                  dbus_message_type_to_string (dbus_message_get_type (message)),
+                                  sender_name ? sender_name : "(unset)",
+                                  sender_loginfo,
+                                  dbus_message_get_interface (message) ?
+                                  dbus_message_get_interface (message) : "(unset)",
+                                  dbus_message_get_member (message) ?
+                                  dbus_message_get_member (message) : "(unset)",
+                                  dbus_message_get_error_name (message) ?
+                                  dbus_message_get_error_name (message) : "(unset)",
+                                  requested_reply,
+                                  dest ? dest : DBUS_SERVICE_DBUS,
+                                  proposed_recipient_loginfo);
       _dbus_verbose ("security policy disallowing message due to sender policy\n");
       return FALSE;
     }
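Review bot: the new `if (addressed_recipient == proposed_recipient)` guard makes the syslog entry conditional while dbus_set_error still runs unconditionally, and neither the code nor the commit message says why. Add a comment stating the intent (presumably to log a denial once, for the addressed recipient, rather than once per proposed recipient). The "Needs to be duplicated" comment now sits above the `if` instead of the call it describes, and the `if` line carries trailing whitespace.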
@@ -1396,17 +1399,20 @@ bus_context_check_security_policy (BusContext     *context,
   if (log)
     bus_context_log_security (context, 
                               "Would reject message, %d matched rules; "
-                              "type=\"%s\", sender=\"%s\" interface=\"%s\" member=\"%s\" error name=\"%s\" destination=\"%s\")",
+                              "type=\"%s\", sender=\"%s\" (%s) interface=\"%s\" member=\"%s\" error name=\"%s\" requested_reply=%d destination=\"%s\" (%s))",
                               toggles,
                               dbus_message_type_to_string (dbus_message_get_type (message)),
                               sender_name ? sender_name : "(unset)",
+                              sender_loginfo,
                               dbus_message_get_interface (message) ?
                               dbus_message_get_interface (message) : "(unset)",
                               dbus_message_get_member (message) ?
                               dbus_message_get_member (message) : "(unset)",
                               dbus_message_get_error_name (message) ?
                               dbus_message_get_error_name (message) : "(unset)",
-                              dest ? dest : DBUS_SERVICE_DBUS);
+                              requested_reply,                               
+                              dest ? dest : DBUS_SERVICE_DBUS,
+                              proposed_recipient_loginfo);
 
   if (recipient_policy &&
       !bus_client_policy_check_can_receive (recipient_policy,
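Review bot: the "Would reject message" call under `if (log)` is not wrapped in the `addressed_recipient == proposed_recipient` test that this patch adds around the two denial logs, so the two kinds of entry follow different rules about which recipients produce a log line. Guard it the same way or add a comment on why it differs. The `requested_reply,` argument line also ends in a long run of trailing whitespace.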
@@ -1435,21 +1441,22 @@ bus_context_check_security_policy (BusContext     *context,
                       dest ? dest : DBUS_SERVICE_DBUS,
                       proposed_recipient_loginfo);
       /* Needs to be duplicated to avoid calling malloc and having to handle OOM */
-      bus_context_log_security (context, msg,
-                                toggles,
-                                dbus_message_type_to_string (dbus_message_get_type (message)),
-                                sender_name ? sender_name : "(unset)",
-                                sender_loginfo,
-                                dbus_message_get_interface (message) ?
-                                dbus_message_get_interface (message) : "(unset)",
-                                dbus_message_get_member (message) ?
-                                dbus_message_get_member (message) : "(unset)",
-                                dbus_message_get_error_name (message) ?
-                                dbus_message_get_error_name (message) : "(unset)",
-                                dbus_message_get_reply_serial (message),
-                                requested_reply,
-                                dest ? dest : DBUS_SERVICE_DBUS,
-                                proposed_recipient_loginfo);
+      if (addressed_recipient == proposed_recipient)      
+        bus_context_log_security (context, msg,
+                                  toggles,
+                                  dbus_message_type_to_string (dbus_message_get_type (message)),
+                                  sender_name ? sender_name : "(unset)",
+                                  sender_loginfo,
+                                  dbus_message_get_interface (message) ?
+                                  dbus_message_get_interface (message) : "(unset)",
+                                  dbus_message_get_member (message) ?
+                                  dbus_message_get_member (message) : "(unset)",
+                                  dbus_message_get_error_name (message) ?
+                                  dbus_message_get_error_name (message) : "(unset)",
+                                  dbus_message_get_reply_serial (message),
+                                  requested_reply,
+                                  dest ? dest : DBUS_SERVICE_DBUS,
+                                  proposed_recipient_loginfo);
       _dbus_verbose ("security policy disallowing message due to recipient policy\n");
       return FALSE;
     }
-- 
1.5.6.5

diff -ru dbus-1.2.1~/dbus/dbus-sysdeps-util-unix.c dbus-1.2.1/dbus/dbus-sysdeps-util-unix.c
--- dbus-1.2.1~/dbus/dbus-sysdeps-util-unix.c	2009-01-04 00:33:12.000000000 +0000
+++ dbus-1.2.1/dbus/dbus-sysdeps-util-unix.c	2009-01-04 00:35:31.000000000 +0000
@@ -48,6 +48,7 @@
 #include <sys/capability.h>
 #include <libaudit.h>
 #endif /* HAVE_LIBAUDIT */
+#include <syslog.h>
 
 #ifdef HAVE_SYS_SYSLIMITS_H
 #include <sys/syslimits.h>
diff -Naur dbus-1.2.1.orig/bus/system.conf.in dbus-1.2.1/bus/system.conf.in
--- dbus-1.2.1.orig/bus/system.conf.in	2008-12-07 12:42:13.000000000 +0000
+++ dbus-1.2.1/bus/system.conf.in	2008-12-07 13:06:55.000000000 +0000
@@ -50,9 +50,19 @@
          even if they aren't in here -->
     <allow send_destination="org.freedesktop.DBus"/>
     <allow receive_sender="org.freedesktop.DBus"/>
-    <!-- valid replies are always allowed -->
-    <allow send_requested_reply="true"/>
+    <!-- allow sending valid replies -->
+    <allow send_requested_reply="true" send_type="method_return"/>
+    <allow send_requested_reply="true" send_type="error"/>
+    <!-- allow receiving valid replies -->
     <allow receive_requested_reply="true"/>
+    <!-- Note: the rule above also allows receiving of all non-reply messages
+         that are not denied later.  See:
+         https://bugs.freedesktop.org/show_bug.cgi?id=18229
+         Potentially this will be replaced in the future by the
+         following two rules:
+    <allow receive_requested_reply="true" receive_type="method_return"/>
+    <allow receive_requested_reply="true" receive_type="error"/>
+    -->
   </policy>
 
   <!-- Config files are placed here that among other things, punch 
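Review bot: after this hunk `<allow receive_requested_reply="true"/>` is still unrestricted by type, and the added comment says it lets through every non-reply message that is not denied later, so the receive side stays allow-by-default while the send side is narrowed to method_return and error. That comment is the only place an administrator reading system.conf learns this; say there directly that only send rules are deny-by-default for now, rather than leaving it to the bug link.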
(Patch edited to remove changes in test/ which don't apply -smcv@debian.org)

commit d899734475f09068dfa410c91e126e1442b0325e
Author: Colin Walters <walters@verbum.org>
Date:   2008-12-09 09:15:06 -0500

    Bug 18229: Allow signals
    
    Our previous fix went too far towards lockdown; many things rely
    on signals to work, and there's no really good reason to restrict
    which signals can be emitted on the bus because we can't tie
    them to a particular sender.

diff --git a/bus/system.conf.in b/bus/system.conf.in
index ac2822f..1b6e716 100644
--- a/bus/system.conf.in
+++ b/bus/system.conf.in
@@ -50,6 +50,8 @@
          even if they aren't in here -->
     <allow send_destination="org.freedesktop.DBus"/>
     <allow receive_sender="org.freedesktop.DBus"/>
+    <!-- Allow all signals to be sent by default -->
+    <allow send_type="signal"/>
     <!-- allow sending valid replies -->
     <allow send_requested_reply="true" send_type="method_return"/>
     <allow send_requested_reply="true" send_type="error"/>
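Review bot: `<allow send_type="signal"/>` carries no destination or interface qualifier, so it matches every signal from every sender, and the comment above it only restates the rule. Carry the rationale from the commit message into the comment (many things rely on signals, and they cannot be tied to a particular sender), so that someone auditing the default policy can see this is deliberate and not a leftover.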
