authorLuca Boccassi <luca.boccassi@microsoft.com>2020-02-06 14:08:24 +0000
committerKhem Raj <raj.khem@gmail.com>2020-02-06 07:20:04 -0800
commitdda2962584e3a1616ba0e8e6e72e4eae6d56e652 (patch)
treed8a49b88d400ab99243da54dd3934d7af93ba227 /meta-oe
parent502084cc99ac04c6989c03c23b8aa9c04425e976 (diff)
dbus-broker: backport patches to fix policy with SELinux nodes
Backport from master: https://github.com/bus1/dbus-broker/pull/213 Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-oe')
-rw-r--r--meta-oe/recipes-core/dbus/dbus-broker/0005-launch-policy-fix-crash-when-importing-selinux.patch50
-rw-r--r--meta-oe/recipes-core/dbus/dbus-broker/0006-launch-policy-fix-crash-when-exporting-selinux.patch59
-rw-r--r--meta-oe/recipes-core/dbus/dbus-broker_21.bb2
3 files changed, 111 insertions, 0 deletions
diff --git a/meta-oe/recipes-core/dbus/dbus-broker/0005-launch-policy-fix-crash-when-importing-selinux.patch b/meta-oe/recipes-core/dbus/dbus-broker/0005-launch-policy-fix-crash-when-importing-selinux.patch
new file mode 100644
index 0000000000..c5f3092ee9
--- /dev/null
+++ b/meta-oe/recipes-core/dbus/dbus-broker/0005-launch-policy-fix-crash-when-importing-selinux.patch
@@ -0,0 +1,50 @@
+From d28e59c451375e8b08fa431b1d64cb3ce9f078ee Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@microsoft.com>
+Date: Fri, 25 Oct 2019 21:04:36 +0100
+Subject: [PATCH 1/2] launch/policy: fix crash when importing <selinux>
+
+If a policy contains a <selinux> element, dbus-broker-launch crashes:
+
+Oct 22 12:02:51 localhost dbus-broker-launch[885]: dbus-broker-launch: ../dbus-broker-19/src/launch/policy.c:232: policy_import_verdict: Assertion `cnode->parent->type == CONFIG_NODE_POLICY' failed.
+
+Minimal config to reproduce:
+
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <selinux>
+ <associate own="com.example1" context="system_u:object_r:example1_t" />
+ <associate own="com.example2" context="system_u:object_r:example2_t" />
+ </selinux>
+</busconfig>
+
+policy_import_verdict is being called on an associate element,
+but not only it cannot work as that function checks that the
+parent is a policy node (but it's a selinux node in this case),
+it is also not necessary as the selinux node only defines ownership,
+it does not have allow/deny.
+
+Fixes #212
+
+Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
+Upstream-Status: merged https://github.com/bus1/dbus-broker/pull/213
+---
+ src/launch/policy.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/launch/policy.c b/src/launch/policy.c
+index a8ba8e7..466e4bd 100644
+--- a/src/launch/policy.c
++++ b/src/launch/policy.c
+@@ -613,8 +613,6 @@ static int policy_import_selinux(Policy *policy, ConfigNode *cnode) {
+ if (r)
+ return error_trace(r);
+
+- policy_import_verdict(policy, record, cnode);
+-
+ record->selinux.name = cnode->associate.own;
+ record->selinux.context = cnode->associate.context;
+
+--
+2.20.1
+
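Review bot: The trailer `Upstream-Status: merged https://github.com/bus1/dbus-broker/pull/213` in this patch header does not use one of the status values that OpenEmbedded patch conventions define. For a change taken from upstream the usual form is `Upstream-Status: Backport [https://github.com/bus1/dbus-broker/pull/213]`. The same trailer appears in 0006-launch-policy-fix-crash-when-exporting-selinux.patch and should be changed there too. The standard value keeps patch-status checks and later audits of carried patches accurate, which is useful for a fix that changes how `<selinux>` policy nodes are imported.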
diff --git a/meta-oe/recipes-core/dbus/dbus-broker/0006-launch-policy-fix-crash-when-exporting-selinux.patch b/meta-oe/recipes-core/dbus/dbus-broker/0006-launch-policy-fix-crash-when-exporting-selinux.patch
new file mode 100644
index 0000000000..51f45361b7
--- /dev/null
+++ b/meta-oe/recipes-core/dbus/dbus-broker/0006-launch-policy-fix-crash-when-exporting-selinux.patch
@@ -0,0 +1,59 @@
+From f1cdef4d98ddbfeeb4a688712d54b3adc89bfe26 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@microsoft.com>
+Date: Fri, 25 Oct 2019 21:05:43 +0100
+Subject: [PATCH 2/2] launch/policy: fix crash when exporting <selinux>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a policy contains a <selinux> element, dbus-broker-launch crashes:
+
+[ 30.048705] dbus-broker-launch[221]: ERROR policy_export @ ../dbus-broker-21/src/launch/policy.c +1142: Return code 1
+[ 30.050963] dbus-broker-launch[221]: launcher_add_listener @ ../dbus-broker-21/src/launch/launcher.c +1130
+[ 30.079620] dbus-broker[228]: Dispatched 0 messages @ 0(±0)μs / message.
+[ 30.082613] dbus-broker-launch[221]: launcher_run @ ../dbus-broker-21/src/launch/launcher.c +1389
+[ 30.084426] dbus-broker-launch[221]: run @ ../dbus-broker-21/src/launch/main.c +153
+[ 30.085797] dbus-broker-launch[221]: main @ ../dbus-broker-21/src/launch/main.c +181
+[ 30.087208] dbus-broker-launch[221]: Exiting due to fatal error: -131
+
+Minimal config to reproduce:
+
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <selinux>
+ <associate own="com.example1" context="system_u:object_r:example1_t" />
+ <associate own="com.example2" context="system_u:object_r:example2_t" />
+ </selinux>
+</busconfig>
+
+As per the libsystemd API, sd_bus_message_append can return an int
+greater than 0 on success, which for example happens when processing
+vectors.
+The export function is treating every non-zero result as an error,
+which causes dbus-broker-launch to terminate.
+
+Fixes #212
+
+Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
+Upstream-Status: merged https://github.com/bus1/dbus-broker/pull/213
+---
+ src/launch/policy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/launch/policy.c b/src/launch/policy.c
+index 466e4bd..f91f11b 100644
+--- a/src/launch/policy.c
++++ b/src/launch/policy.c
+@@ -1138,7 +1138,7 @@ int policy_export(Policy *policy, sd_bus_message *m, uint32_t *at_console_uids,
+ r = sd_bus_message_append(m, "(ss)",
+ i_record->selinux.name,
+ i_record->selinux.context);
+- if (r)
++ if (r < 0)
+ return error_origin(r);
+ }
+
+--
+2.20.1
+
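Review bot: Only the `(ss)` append for SELinux records is switched to `if (r < 0)`, and `policy_export` starts and ends outside the hunk, so its other `sd_bus_message_append` calls cannot be checked from this page. If any of them still tests `if (r)`, a positive success return would again be treated as fatal and stop dbus-broker-launch, as in the log quoted in the patch description. It is worth confirming those call sites when the patch is refreshed. Boot-testing an image whose bus configuration contains a `<selinux>` `<associate>` entry would cover both backports.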
diff --git a/meta-oe/recipes-core/dbus/dbus-broker_21.bb b/meta-oe/recipes-core/dbus/dbus-broker_21.bb
index 8b4101aaf3..bad442776a 100644
--- a/meta-oe/recipes-core/dbus/dbus-broker_21.bb
+++ b/meta-oe/recipes-core/dbus/dbus-broker_21.bb
@@ -11,6 +11,8 @@ SRC_URI += " file://0001-launch-improve-error-handling-for-opendir.patch"
SRC_URI += " file://0002-metrics-change-the-constant-used-for-invalid-timesta.patch"
SRC_URI += " file://0003-dbus-socket-treat-MSG_CTRUNC-gracefully.patch"
SRC_URI += " file://0004-launcher-fix-build-with-musl-libc.patch"
+SRC_URI += " file://0005-launch-policy-fix-crash-when-importing-selinux.patch"
+SRC_URI += " file://0006-launch-policy-fix-crash-when-exporting-selinux.patch"
SRC_URI[md5sum] = "a17886a92ab1e0bc2e4b1a274339e388"
SRC_URI[sha256sum] = "6fff9a831a514659e2c7d704e76867ce31ebcf43e8d7a62e080c6656f64cd39e"