author | Luca Boccassi <luca.boccassi@microsoft.com> | 2020-02-06 14:08:24 +0000 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2020-02-06 07:20:04 -0800 |
commit | dda2962584e3a1616ba0e8e6e72e4eae6d56e652 (patch) | |
tree | d8a49b88d400ab99243da54dd3934d7af93ba227 | |
parent | 502084cc99ac04c6989c03c23b8aa9c04425e976 (diff) | |
download | meta-openembedded-dda2962584e3a1616ba0e8e6e72e4eae6d56e652.tar.gz |
dbus-broker: backport patches to fix policy with SELinux nodes
Backport from master: https://github.com/bus1/dbus-broker/pull/213
Signed-off-by: Khem Raj <raj.khem@gmail.com>
3 files changed, 111 insertions, 0 deletions
diff --git a/meta-oe/recipes-core/dbus/dbus-broker/0005-launch-policy-fix-crash-when-importing-selinux.patch b/meta-oe/recipes-core/dbus/dbus-broker/0005-launch-policy-fix-crash-when-importing-selinux.patch
new file mode 100644
index 0000000000..c5f3092ee9
--- /dev/null
+++ b/meta-oe/recipes-core/dbus/dbus-broker/0005-launch-policy-fix-crash-when-importing-selinux.patch
@@ -0,0 +1,50 @@
+From d28e59c451375e8b08fa431b1d64cb3ce9f078ee Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@microsoft.com>
+Date: Fri, 25 Oct 2019 21:04:36 +0100
+Subject: [PATCH 1/2] launch/policy: fix crash when importing <selinux>
+
+If a policy contains a <selinux> element, dbus-broker-launch crashes:
+
+Oct 22 12:02:51 localhost dbus-broker-launch[885]: dbus-broker-launch: ../dbus-broker-19/src/launch/policy.c:232: policy_import_verdict: Assertion `cnode->parent->type == CONFIG_NODE_POLICY' failed.
+
+Minimal config to reproduce:
+
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <selinux>
+ <associate own="com.example1" context="system_u:object_r:example1_t" />
+ <associate own="com.example2" context="system_u:object_r:example2_t" />
+ </selinux>
+</busconfig>
+
+policy_import_verdict is being called on an associate element,
+but not only it cannot work as that function checks that the
+parent is a policy node (but it's a selinux node in this case),
+it is also not necessary as the selinux node only defines ownership,
+it does not have allow/deny.
+
+Fixes #212
+
+Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
+Upstream-Status: merged https://github.com/bus1/dbus-broker/pull/213
+---
+ src/launch/policy.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/launch/policy.c b/src/launch/policy.c
+index a8ba8e7..466e4bd 100644
+--- a/src/launch/policy.c
++++ b/src/launch/policy.c
+@@ -613,8 +613,6 @@ static int policy_import_selinux(Policy *policy, ConfigNode *cnode) {
+ if (r)
+ return error_trace(r);
+
+- policy_import_verdict(policy, record, cnode);
+-
+ record->selinux.name = cnode->associate.own;
+ record->selinux.context = cnode->associate.context;
+
+--
+2.20.1
+
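Review bot: The `Upstream-Status:` trailer in this patch header uses a free-form value, `merged https://github.com/bus1/dbus-broker/pull/213`, and the same line appears in 0006-launch-policy-fix-crash-when-exporting-selinux.patch. OpenEmbedded's patch-status convention expects one of its fixed keywords so that carried patches can be audited and dropped on the next version bump; for a change already merged upstream that is `Upstream-Status: Backport [https://github.com/bus1/dbus-broker/pull/213]`. Both files are carried against dbus-broker_21.bb, so this tag is what tells a later upgrade that the two fixes for the `<selinux>` launcher failures are already upstream.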
diff --git a/meta-oe/recipes-core/dbus/dbus-broker/0006-launch-policy-fix-crash-when-exporting-selinux.patch b/meta-oe/recipes-core/dbus/dbus-broker/0006-launch-policy-fix-crash-when-exporting-selinux.patch
new file mode 100644
index 0000000000..51f45361b7
--- /dev/null
+++ b/meta-oe/recipes-core/dbus/dbus-broker/0006-launch-policy-fix-crash-when-exporting-selinux.patch
@@ -0,0 +1,59 @@
+From f1cdef4d98ddbfeeb4a688712d54b3adc89bfe26 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@microsoft.com>
+Date: Fri, 25 Oct 2019 21:05:43 +0100
+Subject: [PATCH 2/2] launch/policy: fix crash when exporting <selinux>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a policy contains a <selinux> element, dbus-broker-launch crashes:
+
+[ 30.048705] dbus-broker-launch[221]: ERROR policy_export @ ../dbus-broker-21/src/launch/policy.c +1142: Return code 1
+[ 30.050963] dbus-broker-launch[221]: launcher_add_listener @ ../dbus-broker-21/src/launch/launcher.c +1130
+[ 30.079620] dbus-broker[228]: Dispatched 0 messages @ 0(±0)μs / message.
+[ 30.082613] dbus-broker-launch[221]: launcher_run @ ../dbus-broker-21/src/launch/launcher.c +1389
+[ 30.084426] dbus-broker-launch[221]: run @ ../dbus-broker-21/src/launch/main.c +153
+[ 30.085797] dbus-broker-launch[221]: main @ ../dbus-broker-21/src/launch/main.c +181
+[ 30.087208] dbus-broker-launch[221]: Exiting due to fatal error: -131
+
+Minimal config to reproduce:
+
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <selinux>
+ <associate own="com.example1" context="system_u:object_r:example1_t" />
+ <associate own="com.example2" context="system_u:object_r:example2_t" />
+ </selinux>
+</busconfig>
+
+As per the libsystemd API, sd_bus_message_append can return an int
+greater than 0 on success, which for example happens when processing
+vectors.
+The export function is treating every non-zero result as an error,
+which causes dbus-broker-launch to terminate.
+
+Fixes #212
+
+Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
+Upstream-Status: merged https://github.com/bus1/dbus-broker/pull/213
+---
+ src/launch/policy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/launch/policy.c b/src/launch/policy.c
+index 466e4bd..f91f11b 100644
+--- a/src/launch/policy.c
++++ b/src/launch/policy.c
+@@ -1138,7 +1138,7 @@ int policy_export(Policy *policy, sd_bus_message *m, uint32_t *at_console_uids,
+ r = sd_bus_message_append(m, "(ss)",
+ i_record->selinux.name,
+ i_record->selinux.context);
+- if (r)
++ if (r < 0)
+ return error_origin(r);
+ }
+
+--
+2.20.1
+
diff --git a/meta-oe/recipes-core/dbus/dbus-broker_21.bb b/meta-oe/recipes-core/dbus/dbus-broker_21.bb
index 8b4101aaf3..bad442776a 100644
--- a/meta-oe/recipes-core/dbus/dbus-broker_21.bb
+++ b/meta-oe/recipes-core/dbus/dbus-broker_21.bb
@@ -11,6 +11,8 @@ SRC_URI += " file://0001-launch-improve-error-handling-for-opendir.patch"
 SRC_URI += " file://0002-metrics-change-the-constant-used-for-invalid-timesta.patch"
 SRC_URI += " file://0003-dbus-socket-treat-MSG_CTRUNC-gracefully.patch"
 SRC_URI += " file://0004-launcher-fix-build-with-musl-libc.patch"
+SRC_URI += " file://0005-launch-policy-fix-crash-when-importing-selinux.patch"
+SRC_URI += " file://0006-launch-policy-fix-crash-when-exporting-selinux.patch"
 SRC_URI[md5sum] = "a17886a92ab1e0bc2e4b1a274339e388"
 SRC_URI[sha256sum] = "6fff9a831a514659e2c7d704e76867ce31ebcf43e8d7a62e080c6656f64cd39e" |