|
 |
6c002b |
From a82e1be24d0211d4358d8ff3b8cd06dae71a9993 Mon Sep 17 00:00:00 2001
|
|
|
6c002b |
From: David King <dking@redhat.com>
|
|
|
6c002b |
Date: Mon, 22 Aug 2016 09:43:29 +0100
|
|
|
6c002b |
Subject: [PATCH] Use _raw() calls to avoid SELinux context translation
|
|
|
6c002b |
|
|
|
6c002b |
When the credentials obtained from the client socket are used in future
|
|
|
6c002b |
security checks, no context translation should be performed, so
|
|
|
6c002b |
getpeercon() should be replaced with getpeercon_raw(), and similar
|
|
|
6c002b |
changes should me be made for other calls such as avc_sid_to_context()
|
|
|
6c002b |
and getcon().
|
|
|
6c002b |
|
|
|
6c002b |
https://bugzilla.redhat.com/show_bug.cgi?id=1356141
|
|
|
6c002b |
---
|
|
|
6c002b |
bus/selinux.c | 10 +++++-----
|
|
|
6c002b |
1 file changed, 5 insertions(+), 5 deletions(-)
|
|
|
6c002b |
|
|
|
6c002b |
diff --git a/bus/selinux.c b/bus/selinux.c
|
|
|
6c002b |
index 2fb4a8b..13361aa 100644
|
|
|
6c002b |
--- a/bus/selinux.c
|
|
|
6c002b |
+++ b/bus/selinux.c
|
|
|
6c002b |
@@ -412,14 +412,14 @@ bus_selinux_full_init (void)
|
|
|
6c002b |
bus_context = NULL;
|
|
|
6c002b |
bus_sid = SECSID_WILD;
|
|
|
6c002b |
|
|
|
6c002b |
- if (getcon (&bus_context) < 0)
|
|
|
6c002b |
+ if (getcon_raw (&bus_context) < 0)
|
|
|
6c002b |
{
|
|
|
6c002b |
_dbus_verbose ("Error getting context of bus: %s\n",
|
|
|
6c002b |
_dbus_strerror (errno));
|
|
|
6c002b |
return FALSE;
|
|
|
6c002b |
}
|
|
|
6c002b |
|
|
|
6c002b |
- if (avc_context_to_sid (bus_context, &bus_sid) < 0)
|
|
|
6c002b |
+ if (avc_context_to_sid_raw (bus_context, &bus_sid) < 0)
|
|
|
6c002b |
{
|
|
|
6c002b |
_dbus_verbose ("Error getting SID from bus context: %s\n",
|
|
|
6c002b |
_dbus_strerror (errno));
|
|
|
6c002b |
@@ -713,7 +713,7 @@ bus_selinux_append_context (DBusMessage *message,
|
|
|
6c002b |
#ifdef HAVE_SELINUX
|
|
|
6c002b |
char *context;
|
|
|
6c002b |
|
|
|
6c002b |
- if (avc_sid_to_context (SELINUX_SID_FROM_BUS (sid), &context) < 0)
|
|
|
6c002b |
+ if (avc_sid_to_context_raw (SELINUX_SID_FROM_BUS (sid), &context) < 0)
|
|
|
6c002b |
{
|
|
|
6c002b |
if (errno == ENOMEM)
|
|
|
6c002b |
BUS_SET_OOM (error);
|
|
|
6c002b |
@@ -766,7 +766,7 @@ bus_connection_read_selinux_context (DBusConnection *connection,
|
|
|
6c002b |
return FALSE;
|
|
|
6c002b |
}
|
|
|
6c002b |
|
|
|
6c002b |
- if (getpeercon (fd, con) < 0)
|
|
|
6c002b |
+ if (getpeercon_raw (fd, con) < 0)
|
|
|
6c002b |
{
|
|
|
6c002b |
_dbus_verbose ("Error getting context of socket peer: %s\n",
|
|
|
6c002b |
_dbus_strerror (errno));
|
|
|
6c002b |
@@ -901,7 +901,7 @@ bus_selinux_init_connection_id (DBusConnection *connection,
|
|
|
6c002b |
|
|
|
6c002b |
_dbus_verbose ("Converting context to SID to store on connection\n");
|
|
|
6c002b |
|
|
|
6c002b |
- if (avc_context_to_sid (con, &sid) < 0)
|
|
|
6c002b |
+ if (avc_context_to_sid_raw (con, &sid) < 0)
|
|
|
6c002b |
{
|
|
|
6c002b |
if (errno == ENOMEM)
|
|
|
6c002b |
BUS_SET_OOM (error);
|
|
|
6c002b |
--
|
|
|
6c002b |
2.7.4
|
|
|
6c002b |
|