powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity

dbus package update 

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>
master
basebuilder_pel7x64builder0 2019-01-25 10:41:00 +01:00
parent 3e93349f1b
commit 6429e21437
9 changed files with 2216 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
SOURCES/00-start-message-bus.sh Executable file
View File

@ -0,0 +1,17 @@
#!/bin/sh
# Copyright (C) 2008 Red Hat, Inc.
#
# All rights reserved. This copyrighted material is made available to anyone
# wishing to use, modify, copy, or redistribute it subject to the terms and
# conditions of the GNU General Public License version 2.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#

DBUS_SESSION_BUS_ADDRESS=`printenv DBUS_SESSION_BUS_ADDRESS`

if [ -z "$DBUS_SESSION_BUS_ADDRESS" ]; then
eval `dbus-launch --sh-syntax --exit-with-session`
fi

28
SOURCES/0001-bus-raise-fd-limits-before-dropping-privs.patch Normal file
View File

@ -0,0 +1,28 @@
From 8e3c46c33f32290bc2f205de62a7d9ba01994f72 Mon Sep 17 00:00:00 2001
From: David King <dking@redhat.com>
Date: Wed, 7 Feb 2018 14:37:24 +0000
Subject: [PATCH] bus: raise fd limits before dropping privs

https://bugzilla.redhat.com/show_bug.cgi?id=1529044
---
bus/bus.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/bus/bus.c b/bus/bus.c
index a6f8db47..4b922a89 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -940,6 +940,11 @@ bus_context_new (const DBusString *confi
*/
if (context->user != NULL)
{
+ /* Raise the file descriptor limits before dropping the privileges
+ * required to do so.
+ */
+ raise_file_descriptor_limit (context);
+
if (!_dbus_change_to_daemon_user (context->user, error))
{
_DBUS_ASSERT_ERROR_IS_SET (error);
--
2.14.3

27
SOURCES/dbus-1.10.22-reduce-session-conf-fd-limits.patch Normal file
View File

@ -0,0 +1,27 @@
From f988e7327e5d8f372cc0c7d1478d12a74be113d3 Mon Sep 17 00:00:00 2001
From: David King <amigadave@amigadave.com>
Date: Fri, 15 Sep 2017 14:01:53 +0100
Subject: [PATCH] Reduce default session bus max fd limits

https://bugzilla.redhat.com/show_bug.cgi?id=1133732
---
bus/session.conf.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bus/session.conf.in b/bus/session.conf.in
index affa7f1d..294a051d 100644
--- a/bus/session.conf.in
+++ b/bus/session.conf.in
@@ -69,8 +69,8 @@
<limit name="service_start_timeout">120000</limit>
<limit name="auth_timeout">240000</limit>
<limit name="pending_fd_timeout">150000</limit>
- <limit name="max_completed_connections">100000</limit>
- <limit name="max_incomplete_connections">10000</limit>
+ <limit name="max_completed_connections">900</limit>
+ <limit name="max_incomplete_connections">92</limit>
<limit name="max_connections_per_user">100000</limit>
<limit name="max_pending_service_starts">10000</limit>
<limit name="max_names_per_connection">50000</limit>
--
2.13.5

500
SOURCES/dbus-1.10.24-dbus-launch-chdir.patch Normal file
View File

@ -0,0 +1,500 @@
From dc2074588d3e7b5a216cb8c0b82094157c3cf773 Mon Sep 17 00:00:00 2001
From: David King <dking@redhat.com>
Date: Mon, 25 Jun 2018 14:46:14 -0400
Subject: [PATCH] daemon: use HOME as the working directory

Session buses started as part of a systemd --user session are launched
with the current working directory being the home directory of the user.
Applications which are launched via dbus activation inherit the working
directory from the session bus dbus-daemon.

When dbus-launch is used to start dbus-daemon, as is commonly the case
with a session manager such as gnome-session, this leads to applications
having a default working directory of "/", which is undesirable (as an
example, the default directory in a GTK+ save dialog becomes "/").

As an improvement, make dbus-launch use the value of the environment
variable HOME, if it is set, as the current working directory.

Signed-off-by: David King <dking@redhat.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106987
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1470310
---
bus/bus.c | 9 +++++++++
dbus/dbus-sysdeps-util-unix.c | 8 +++++---
dbus/dbus-sysdeps-util-win.c | 2 ++
dbus/dbus-sysdeps.h | 1 +
doc/dbus-launch.1.xml.in | 4 ++++
tools/dbus-launch.c | 22 ++++++++++++++--------
6 files changed, 35 insertions(+), 11 deletions(-)

diff --git a/bus/bus.c b/bus/bus.c
index f788e677..da2b2c1f 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -870,63 +870,72 @@ bus_context_new (const DBusString *config_file,

context->matchmaker = bus_matchmaker_new ();
if (context->matchmaker == NULL)
{
BUS_SET_OOM (error);
goto failed;
}

/* check user before we fork */
if (context->user != NULL)
{
if (!_dbus_verify_daemon_user (context->user))
{
dbus_set_error (error, DBUS_ERROR_FAILED,
"Could not get UID and GID for username \"%s\"",
context->user);
goto failed;
}
}

/* Now become a daemon if appropriate and write out pid file in any case */
{
DBusString u;

if (context->pidfile)
_dbus_string_init_const (&u, context->pidfile);

if (((flags & BUS_CONTEXT_FLAG_FORK_NEVER) == 0 && context->fork) ||
(flags & BUS_CONTEXT_FLAG_FORK_ALWAYS))
{
+ const char *working_dir = NULL;
+
_dbus_verbose ("Forking and becoming daemon\n");

+ if (context->type != NULL && strcmp (context->type, "session") == 0)
+ working_dir = _dbus_getenv ("HOME");
+
+ if (working_dir == NULL)
+ working_dir = "/";
+
if (!_dbus_become_daemon (context->pidfile ? &u : NULL,
+ working_dir,
print_pid_pipe,
error,
context->keep_umask))
{
_DBUS_ASSERT_ERROR_IS_SET (error);
goto failed;
}
}
else
{
_dbus_verbose ("Fork not requested\n");

/* Need to write PID file and to PID pipe for ourselves,
* not for the child process. This is a no-op if the pidfile
* is NULL and print_pid_pipe is NULL.
*/
if (!_dbus_write_pid_to_file_and_pipe (context->pidfile ? &u : NULL,
print_pid_pipe,
_dbus_getpid (),
error))
{
_DBUS_ASSERT_ERROR_IS_SET (error);
goto failed;
}
}
}

if (print_pid_pipe && _dbus_pipe_is_valid (print_pid_pipe) &&
!_dbus_pipe_is_stdout_or_stderr (print_pid_pipe))
_dbus_pipe_close (print_pid_pipe, NULL);
diff --git a/dbus/dbus-sysdeps-util-unix.c b/dbus/dbus-sysdeps-util-unix.c
index 9b724cc9..30bb1441 100644
--- a/dbus/dbus-sysdeps-util-unix.c
+++ b/dbus/dbus-sysdeps-util-unix.c
@@ -49,82 +49,84 @@
#include <sys/socket.h>
#include <dirent.h>
#include <sys/un.h>

#ifdef HAVE_SYSLOG_H
#include <syslog.h>
#endif

#ifdef HAVE_SYS_SYSLIMITS_H
#include <sys/syslimits.h>
#endif

#ifdef HAVE_SYSTEMD
#include <systemd/sd-daemon.h>
#endif

#ifndef O_BINARY
#define O_BINARY 0
#endif

/**
* @addtogroup DBusInternalsUtils
* @{
*/


/**
* Does the chdir, fork, setsid, etc. to become a daemon process.
*
* @param pidfile #NULL, or pidfile to create
+ * @param working_dir directory to chdir to
* @param print_pid_pipe pipe to print daemon's pid to, or -1 for none
* @param error return location for errors
* @param keep_umask #TRUE to keep the original umask
* @returns #FALSE on failure
*/
dbus_bool_t
_dbus_become_daemon (const DBusString *pidfile,
+ const char *working_dir,
DBusPipe *print_pid_pipe,
DBusError *error,
dbus_bool_t keep_umask)
{
const char *s;
pid_t child_pid;
int dev_null_fd;

_dbus_verbose ("Becoming a daemon...\n");

- _dbus_verbose ("chdir to /\n");
- if (chdir ("/") < 0)
+ _dbus_verbose ("chdir to %s\n", working_dir);
+ if (chdir (working_dir) < 0)
{
dbus_set_error (error, DBUS_ERROR_FAILED,
- "Could not chdir() to root directory");
+ "Could not chdir() to working directory (%s)", working_dir);
return FALSE;
}

_dbus_verbose ("forking...\n");
switch ((child_pid = fork ()))
{
case -1:
_dbus_verbose ("fork failed\n");
dbus_set_error (error, _dbus_error_from_errno (errno),
"Failed to fork daemon: %s", _dbus_strerror (errno));
return FALSE;
break;

case 0:
_dbus_verbose ("in child, closing std file descriptors\n");

/* silently ignore failures here, if someone
* doesn't have /dev/null we may as well try
* to continue anyhow
*/

dev_null_fd = open ("/dev/null", O_RDWR);
if (dev_null_fd >= 0)
{
dup2 (dev_null_fd, 0);
dup2 (dev_null_fd, 1);

s = _dbus_getenv ("DBUS_DEBUG_OUTPUT");
if (s == NULL || *s == '\0')
dup2 (dev_null_fd, 2);
diff --git a/dbus/dbus-sysdeps-util-win.c b/dbus/dbus-sysdeps-util-win.c
index 3b754dbf..bfc1cb90 100644
--- a/dbus/dbus-sysdeps-util-win.c
+++ b/dbus/dbus-sysdeps-util-win.c
@@ -27,67 +27,69 @@
#define STRSAFE_NO_DEPRECATE

#include "dbus-sysdeps.h"
#include "dbus-internals.h"
#include "dbus-protocol.h"
#include "dbus-string.h"
#include "dbus-sysdeps.h"
#include "dbus-sysdeps-win.h"
#include "dbus-sockets-win.h"
#include "dbus-memory.h"
#include "dbus-pipe.h"

#include <stdio.h>
#include <stdlib.h>
#if HAVE_ERRNO_H
#include <errno.h>
#endif
#include <winsock2.h> // WSA error codes

#ifndef DBUS_WINCE
#include <io.h>
#include <lm.h>
#include <sys/stat.h>
#endif


/**
* Does the chdir, fork, setsid, etc. to become a daemon process.
*
* @param pidfile #NULL, or pidfile to create
+ * @param working_dir directory to chdir to
* @param print_pid_pipe file descriptor to print daemon's pid to, or -1 for none
* @param error return location for errors
* @param keep_umask #TRUE to keep the original umask
* @returns #FALSE on failure
*/
dbus_bool_t
_dbus_become_daemon (const DBusString *pidfile,
+ const char *working_dir,
DBusPipe *print_pid_pipe,
DBusError *error,
dbus_bool_t keep_umask)
{
dbus_set_error (error, DBUS_ERROR_NOT_SUPPORTED,
"Cannot daemonize on Windows");
return FALSE;
}

/**
* Creates a file containing the process ID.
*
* @param filename the filename to write to
* @param pid our process ID
* @param error return location for errors
* @returns #FALSE on failure
*/
static dbus_bool_t
_dbus_write_pid_file (const DBusString *filename,
unsigned long pid,
DBusError *error)
{
const char *cfilename;
HANDLE hnd;
char pidstr[20];
int total;
int bytes_to_write;

_DBUS_ASSERT_ERROR_IS_CLEAR (error);

diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h
index 0ee45c97..e569b545 100644
--- a/dbus/dbus-sysdeps.h
+++ b/dbus/dbus-sysdeps.h
@@ -498,60 +498,61 @@ int _dbus_printf_string_upper_bound (const char *format,
va_list args);


/**
* Portable struct with stat() results
*/
typedef struct
{
unsigned long mode; /**< File mode */
unsigned long nlink; /**< Number of hard links */
dbus_uid_t uid; /**< User owning file */
dbus_gid_t gid; /**< Group owning file */
unsigned long size; /**< Size of file */
unsigned long atime; /**< Access time */
unsigned long mtime; /**< Modify time */
unsigned long ctime; /**< Creation time */
} DBusStat;

dbus_bool_t _dbus_stat (const DBusString *filename,
DBusStat *statbuf,
DBusError *error);
DBUS_PRIVATE_EXPORT
dbus_bool_t _dbus_socketpair (DBusSocket *fd1,
DBusSocket *fd2,
dbus_bool_t blocking,
DBusError *error);

void _dbus_print_backtrace (void);

dbus_bool_t _dbus_become_daemon (const DBusString *pidfile,
+ const char *working_dir,
DBusPipe *print_pid_pipe,
DBusError *error,
dbus_bool_t keep_umask);

dbus_bool_t _dbus_verify_daemon_user (const char *user);
dbus_bool_t _dbus_change_to_daemon_user (const char *user,
DBusError *error);

dbus_bool_t _dbus_write_pid_to_file_and_pipe (const DBusString *pidfile,
DBusPipe *print_pid_pipe,
dbus_pid_t pid_to_write,
DBusError *error);

dbus_bool_t _dbus_command_for_pid (unsigned long pid,
DBusString *str,
int max_len,
DBusError *error);

/** A UNIX signal handler */
typedef void (* DBusSignalHandler) (int sig);

void _dbus_set_signal_handler (int sig,
DBusSignalHandler handler);

dbus_bool_t _dbus_user_at_console (const char *username,
DBusError *error);

void _dbus_init_system_log (dbus_bool_t is_daemon);

typedef enum {
diff --git a/doc/dbus-launch.1.xml.in b/doc/dbus-launch.1.xml.in
index 5135d9ca..606c65be 100644
--- a/doc/dbus-launch.1.xml.in
+++ b/doc/dbus-launch.1.xml.in
@@ -23,60 +23,64 @@
<command>dbus-launch</command>
<arg choice='opt'>--version </arg>
<arg choice='opt'>--help </arg>
<arg choice='opt'>--sh-syntax </arg>
<arg choice='opt'>--csh-syntax </arg>
<arg choice='opt'>--auto-syntax </arg>
<arg choice='opt'>--binary-syntax </arg>
<arg choice='opt'>--close-stderr </arg>
<arg choice='opt'>--exit-with-session </arg>
<arg choice='opt'>--autolaunch=<replaceable>MACHINEID</replaceable></arg>
<arg choice='opt'>--config-file=<replaceable>FILENAME</replaceable></arg>
<arg choice='opt'><replaceable>PROGRAM</replaceable></arg>
<arg choice='opt' rep='repeat'><replaceable>ARGS</replaceable></arg>
<sbr/>
</cmdsynopsis>
</refsynopsisdiv>


<refsect1 id='description'><title>DESCRIPTION</title>
<para>The <command>dbus-launch</command> command is used to start a session bus
instance of <emphasis remap='I'>dbus-daemon</emphasis> from a shell script.
It would normally be called from a user's login
scripts. Unlike the daemon itself, <command>dbus-launch</command> exits, so
backticks or the $() construct can be used to read information from
<command>dbus-launch</command>.</para>

<para>With no arguments, <command>dbus-launch</command> will launch a session bus
instance and print the address and PID of that instance to standard
output.</para>

+<para>If the environment variable HOME is set, it is used as the current
+working directory. Otherwise, the root directory (<filename>/</filename>) is
+used.</para>
+
<para>You may specify a program to be run; in this case, <command>dbus-launch</command>
will launch a session bus instance, set the appropriate environment
variables so the specified program can find the bus, and then execute the
specified program, with the specified arguments. See below for
examples.</para>

<para>If you launch a program, <command>dbus-launch</command> will not print the
information about the new bus to standard output.</para>

<para>When <command>dbus-launch</command> prints bus information to standard output, by
default it is in a simple key-value pairs format. However, you may
request several alternate syntaxes using the --sh-syntax, --csh-syntax,
--binary-syntax, or
--auto-syntax options. Several of these cause <command>dbus-launch</command> to emit shell code
to set up the environment.</para>

<para>With the --auto-syntax option, <command>dbus-launch</command> looks at the value
of the SHELL environment variable to determine which shell syntax
should be used. If SHELL ends in "csh", then csh-compatible code is
emitted; otherwise Bourne shell code is emitted. Instead of passing
--auto-syntax, you may explicitly specify a particular one by using
--sh-syntax for Bourne syntax, or --csh-syntax for csh syntax.
In scripts, it's more robust to avoid --auto-syntax and you hopefully
know which shell your script is written in.</para>


<para>See <ulink url='http://www.freedesktop.org/software/dbus/'>http://www.freedesktop.org/software/dbus/</ulink> for more information
about D-Bus. See also the man page for <emphasis remap='I'>dbus-daemon</emphasis>.</para>

</refsect1>
diff --git a/tools/dbus-launch.c b/tools/dbus-launch.c
index 80e4a241..a956684c 100644
--- a/tools/dbus-launch.c
+++ b/tools/dbus-launch.c
@@ -592,71 +592,77 @@ kill_bus_when_session_ends (void)
/* This shouldn't happen I don't think; to avoid
* spinning on the fd forever we exit.
*/
fprintf (stderr, "dbus-launch: error reading from stdin: %s\n",
strerror (errno));
kill_bus_and_exit (0);
}
}
else if (FD_ISSET (tty_fd, &err_set))
{
verbose ("TTY has error condition\n");

kill_bus_and_exit (0);
}
}
}
}

static void
babysit (int exit_with_session,
pid_t child_pid,
int read_bus_pid_fd) /* read pid from here */
{
int ret;
int dev_null_fd;
const char *s;

verbose ("babysitting, exit_with_session = %d, child_pid = %ld, read_bus_pid_fd = %d\n",
exit_with_session, (long) child_pid, read_bus_pid_fd);

- /* We chdir ("/") since we are persistent and daemon-like, and fork
- * again so dbus-launch can reap the parent. However, we don't
- * setsid() or close fd 0 because the idea is to remain attached
- * to the tty and the X server in order to kill the message bus
- * when the session ends.
+ /* We chdir () since we are persistent and daemon-like, either to $HOME
+ * to match the behaviour of a session bus started by systemd --user, or
+ * otherwise "/". We fork again so dbus-launch can reap the parent.
+ * However, we don't setsid() or close fd 0 because the idea is to
+ * remain attached to the tty and the X server in order to kill the
+ * message bus when the session ends.
*/

- if (chdir ("/") < 0)
+ s = getenv ("HOME");
+
+ if (s == NULL || *s == '\0')
+ s = "/";
+
+ if (chdir (s) < 0)
{
- fprintf (stderr, "Could not change to root directory: %s\n",
- strerror (errno));
+ fprintf (stderr, "Could not change to working directory \"%s\": %s\n",
+ s, strerror (errno));
exit (1);
}

/* Close stdout/stderr so we don't block an "eval" or otherwise
* lock up. stdout is still chaining through to dbus-launch
* and in turn to the parent shell.
*/
dev_null_fd = open ("/dev/null", O_RDWR);
if (dev_null_fd >= 0)
{
if (!exit_with_session)
dup2 (dev_null_fd, 0);
dup2 (dev_null_fd, 1);
s = getenv ("DBUS_DEBUG_OUTPUT");
if (s == NULL || *s == '\0')
dup2 (dev_null_fd, 2);
close (dev_null_fd);
}
else
{
fprintf (stderr, "Failed to open /dev/null: %s\n",
strerror (errno));
/* continue, why not */
}

ret = fork ();

if (ret < 0)
{
fprintf (stderr, "fork() failed in babysitter: %s\n",
--
2.17.1

26
SOURCES/dbus-1.10.24-dbus-send-man-page-typo.patch Normal file
View File

@ -0,0 +1,26 @@
From b98c85f2803434eec3192cdc3e9e86425fe33428 Mon Sep 17 00:00:00 2001
From: David King <dking@redhat.com>
Date: Tue, 3 Oct 2017 13:34:03 +0100
Subject: [PATCH] doc: Fix dbus-send.1 uint16 typo

https://bugs.freedesktop.org/show_bug.cgi?id=103075
https://bugzilla.redhat.com/show_bug.cgi?id=1467415
---
doc/dbus-send.1.xml.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/dbus-send.1.xml.in b/doc/dbus-send.1.xml.in
index 67b6dfd2..271435ca 100644
--- a/doc/dbus-send.1.xml.in
+++ b/doc/dbus-send.1.xml.in
@@ -65,7 +65,7 @@ may include containers (arrays, dicts, and variants) as described below.</para>
&lt;array&gt; ::= array:&lt;type&gt;:&lt;value&gt;[,&lt;value&gt;...]
&lt;dict&gt; ::= dict:&lt;type&gt;:&lt;type&gt;:&lt;key&gt;,&lt;value&gt;[,&lt;key&gt;,&lt;value&gt;...]
&lt;variant&gt; ::= variant:&lt;type&gt;:&lt;value&gt;
-&lt;type&gt; ::= string | int16 | uint 16 | int32 | uint32 | int64 | uint64 | double | byte | boolean | objpath
+&lt;type&gt; ::= string | int16 | uint16 | int32 | uint32 | int64 | uint64 | double | byte | boolean | objpath
</literallayout> <!-- .fi -->

<para>D-Bus supports more types than these, but <command>dbus-send</command> currently
--
2.13.6

268
SOURCES/dbus-1.10.24-mls-listnames.patch Normal file
View File

@ -0,0 +1,268 @@
diff -urN dbus-1.10.24.old/bus/driver.c dbus-1.10.24/bus/driver.c
--- dbus-1.10.24.old/bus/driver.c 2017-09-25 16:20:08.000000000 +0100
+++ dbus-1.10.24/bus/driver.c 2018-02-13 10:15:09.570439595 +0000
@@ -555,6 +555,9 @@
char **services;
BusRegistry *registry;
int i;
+#ifdef HAVE_SELINUX
+ dbus_bool_t mls_enabled;
+#endif
DBusMessageIter iter;
DBusMessageIter sub;

@@ -601,9 +604,58 @@
}
}

+#ifdef HAVE_SELINUX
+ mls_enabled = bus_selinux_mls_enabled ();
+#endif
i = 0;
while (i < len)
{
+#ifdef HAVE_SELINUX
+ if (mls_enabled)
+ {
+ const char *requester;
+ BusService *service;
+ DBusString str;
+ DBusConnection *service_conn;
+ DBusConnection *requester_conn;
+
+ requester = dbus_message_get_destination (reply);
+ _dbus_string_init_const (&str, requester);
+ service = bus_registry_lookup (registry, &str);
+
+ if (service == NULL)
+ {
+ _dbus_warn_check_failed ("service lookup failed: %s", requester);
+ ++i;
+ continue;
+ }
+ requester_conn = bus_service_get_primary_owners_connection (service);
+ _dbus_string_init_const (&str, services[i]);
+ service = bus_registry_lookup (registry, &str);
+ if (service == NULL)
+ {
+ _dbus_warn_check_failed ("service lookup failed: %s", services[i]);
+ ++i;
+ continue;
+ }
+ service_conn = bus_service_get_primary_owners_connection (service);
+
+ if (!bus_selinux_allows_name (requester_conn, service_conn, error))
+ {
+ if (dbus_error_is_set (error) &&
+ dbus_error_has_name (error, DBUS_ERROR_NO_MEMORY))
+ {
+ dbus_free_string_array (services);
+ dbus_message_unref (reply);
+ return FALSE;
+ }
+
+ /* Skip any services which are disallowed by SELinux policy. */
+ ++i;
+ continue;
+ }
+ }
+#endif
if (!dbus_message_iter_append_basic (&sub, DBUS_TYPE_STRING,
&services[i]))
{
diff -urN dbus-1.10.24.old/bus/selinux.c dbus-1.10.24/bus/selinux.c
--- dbus-1.10.24.old/bus/selinux.c 2017-07-28 07:24:16.000000000 +0100
+++ dbus-1.10.24/bus/selinux.c 2018-02-13 10:35:14.311477447 +0000
@@ -61,6 +61,9 @@
/* Store the value telling us if SELinux is enabled in the kernel. */
static dbus_bool_t selinux_enabled = FALSE;

+/* Store the value telling us if SELinux with MLS is enabled in the kernel. */
+static dbus_bool_t selinux_mls_enabled = FALSE;
+
/* Store an avc_entry_ref to speed AVC decisions. */
static struct avc_entry_ref aeref;

@@ -273,6 +276,20 @@
}

/**
+ * Return whether or not SELinux with MLS support is enabled; must be
+ * called after bus_selinux_init.
+ */
+dbus_bool_t
+bus_selinux_mls_enabled (void)
+{
+#ifdef HAVE_SELINUX
+ return selinux_mls_enabled;
+#else
+ return FALSE;
+#endif /* HAVE_SELINUX */
+}
+
+/**
* Do early initialization; determine whether SELinux is enabled.
*/
dbus_bool_t
@@ -292,6 +309,16 @@
}

selinux_enabled = r != 0;
+
+ r = is_selinux_mls_enabled ();
+ if (r < 0)
+ {
+ _dbus_warn ("Could not tell if SELinux MLS is enabled: %s\n",
+ _dbus_strerror (errno));
+ return FALSE;
+ }
+
+ selinux_mls_enabled = r != 0;
return TRUE;
#else
return TRUE;
@@ -304,14 +331,18 @@
*/
/* security dbus class constants */
#define SECCLASS_DBUS 1
+#define SECCLASS_CONTEXT 2

/* dbus's per access vector constants */
#define DBUS__ACQUIRE_SVC 1
#define DBUS__SEND_MSG 2

+#define CONTEXT__CONTAINS 1
+
#ifdef HAVE_SELINUX
static struct security_class_mapping dbus_map[] = {
{ "dbus", { "acquire_svc", "send_msg", NULL } },
+ { "context", { "contains", NULL } },
{ NULL }
};
#endif /* HAVE_SELINUX */
@@ -734,6 +765,102 @@
#endif /* HAVE_SELINUX */

/**
+ * Check if SELinux security controls allow one connection to determine the
+ * name of the other, taking into account MLS considerations.
+ *
+ * @param source the requester of the name.
+ * @param destination the name being requested.
+ * @returns whether the name should be visible by the source of the request
+ */
+dbus_bool_t
+bus_selinux_allows_name (DBusConnection *source,
+ DBusConnection *destination,
+ DBusError *error)
+{
+#ifdef HAVE_SELINUX
+ int err;
+ char *policy_type;
+ unsigned long spid, tpid;
+ BusSELinuxID *source_sid;
+ BusSELinuxID *dest_sid;
+ dbus_bool_t ret;
+ dbus_bool_t string_alloced;
+ DBusString auxdata;
+
+ if (!selinux_mls_enabled)
+ return TRUE;
+
+ err = selinux_getpolicytype (&policy_type);
+ if (err < 0)
+ {
+ dbus_set_error_const (error, DBUS_ERROR_IO_ERROR,
+ "Failed to get SELinux policy type");
+ return FALSE;
+ }
+
+ /* Only check against MLS policy if running under that policy. */
+ if (strcmp (policy_type, "mls") != 0)
+ {
+ free (policy_type);
+ return TRUE;
+ }
+
+ free (policy_type);
+
+ _dbus_assert (source != NULL);
+ _dbus_assert (destination != NULL);
+
+ if (!source || !dbus_connection_get_unix_process_id (source, &spid))
+ spid = 0;
+ if (!destination || !dbus_connection_get_unix_process_id (destination, &tpid))
+ tpid = 0;
+
+ string_alloced = FALSE;
+ if (!_dbus_string_init (&auxdata))
+ goto oom;
+ string_alloced = TRUE;
+
+ if (spid)
+ {
+ if (!_dbus_string_append (&auxdata, " spid="))
+ goto oom;
+
+ if (!_dbus_string_append_uint (&auxdata, spid))
+ goto oom;
+ }
+
+ if (tpid)
+ {
+ if (!_dbus_string_append (&auxdata, " tpid="))
+ goto oom;
+
+ if (!_dbus_string_append_uint (&auxdata, tpid))
+ goto oom;
+ }
+
+ source_sid = bus_connection_get_selinux_id (source);
+ dest_sid = bus_connection_get_selinux_id (destination);
+
+ ret = bus_selinux_check (source_sid,
+ dest_sid,
+ SECCLASS_CONTEXT,
+ CONTEXT__CONTAINS,
+ &auxdata);
+
+ _dbus_string_free (&auxdata);
+ return ret;
+
+ oom:
+ if (string_alloced)
+ _dbus_string_free (&auxdata);
+ BUS_SET_OOM (error);
+ return FALSE;
+#else
+ return TRUE;
+#endif /* HAVE_SELINUX */
+}
+
+/**
* Read the SELinux ID from the connection.
*
* @param connection the connection to read from
Binary files dbus-1.10.24.old/bus/.selinux.c.swp and dbus-1.10.24/bus/.selinux.c.swp differ
diff -urN dbus-1.10.24.old/bus/selinux.h dbus-1.10.24/bus/selinux.h
--- dbus-1.10.24.old/bus/selinux.h 2017-07-28 07:24:16.000000000 +0100
+++ dbus-1.10.24/bus/selinux.h 2018-02-13 10:15:09.573439444 +0000
@@ -32,6 +32,7 @@
void bus_selinux_shutdown (void);

dbus_bool_t bus_selinux_enabled (void);
+dbus_bool_t bus_selinux_mls_enabled (void);

void bus_selinux_id_ref (BusSELinuxID *sid);
void bus_selinux_id_unref (BusSELinuxID *sid);
@@ -54,6 +55,10 @@
const char *service_name,
DBusError *error);

+dbus_bool_t bus_selinux_allows_name (DBusConnection *source,
+ DBusConnection *destination,
+ DBusError *error);
+
dbus_bool_t bus_selinux_allows_send (DBusConnection *sender,
DBusConnection *proposed_recipient,
const char *msgtype, /* Supplementary audit data */

46
SOURCES/dbus-1.6.12-auth-process-ok-message-dispatch-test-fix.patch Normal file
View File

@ -0,0 +1,46 @@
From b17615cda8a7ec80692d84e544b71e8183461aa5 Mon Sep 17 00:00:00 2001
From: Roy Li <rongqing.li@windriver.com>
Date: Wed, 21 Jan 2015 09:28:53 +0000
Subject: [PATCH] dbus: clear guid_from_server if send_negotiate_unix_fd failed

Once send_negotiate_unix_fd failed, this failure will happen, since
auth->guid_from_server has been set to some value before
send_negotiate_unix_fd. send_negotiate_unix_fd failure will lead to this
auth be handled by process_ok again, but this auth->guid_from_server is
not zero.

So we should clear auth->guid_from_server if send_negotiate_unix_fd
failed.

http://lists.freedesktop.org/archives/dbus/2014-February/016122.html
https://bugs.freedesktop.org/show_bug.cgi?id=75589
https://bugzilla.redhat.com/show_bug.cgi?id=1183755

Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
dbus/dbus-auth.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c
index d2c37a7..dd6e61d 100644
--- a/dbus/dbus-auth.c
+++ b/dbus/dbus-auth.c
@@ -1572,7 +1572,15 @@ process_ok(DBusAuth *auth,
_dbus_string_get_const_data (& DBUS_AUTH_CLIENT (auth)->guid_from_server));

if (auth->unix_fd_possible)
- return send_negotiate_unix_fd(auth);
+ {
+ if (!send_negotiate_unix_fd (auth))
+ {
+ _dbus_string_set_length (& DBUS_AUTH_CLIENT (auth)->guid_from_server, 0);
+ return FALSE;
+ }
+
+ return TRUE;
+ }

_dbus_verbose("Not negotiating unix fd passing, since not possible\n");
return send_begin (auth);
--
2.2.1

66
SOURCES/dbus-1.6.12-avoid-selinux-context-translation.patch Normal file
View File

@ -0,0 +1,66 @@
From a82e1be24d0211d4358d8ff3b8cd06dae71a9993 Mon Sep 17 00:00:00 2001
From: David King <dking@redhat.com>
Date: Mon, 22 Aug 2016 09:43:29 +0100
Subject: [PATCH] Use _raw() calls to avoid SELinux context translation

When the credentials obtained from the client socket are used in future
security checks, no context translation should be performed, so
getpeercon() should be replaced with getpeercon_raw(), and similar
changes should me be made for other calls such as avc_sid_to_context()
and getcon().

https://bugzilla.redhat.com/show_bug.cgi?id=1356141
---
bus/selinux.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/bus/selinux.c b/bus/selinux.c
index 2fb4a8b..13361aa 100644
--- a/bus/selinux.c
+++ b/bus/selinux.c
@@ -412,14 +412,14 @@ bus_selinux_full_init (void)
bus_context = NULL;
bus_sid = SECSID_WILD;

- if (getcon (&bus_context) < 0)
+ if (getcon_raw (&bus_context) < 0)
{
_dbus_verbose ("Error getting context of bus: %s\n",
_dbus_strerror (errno));
return FALSE;
}

- if (avc_context_to_sid (bus_context, &bus_sid) < 0)
+ if (avc_context_to_sid_raw (bus_context, &bus_sid) < 0)
{
_dbus_verbose ("Error getting SID from bus context: %s\n",
_dbus_strerror (errno));
@@ -713,7 +713,7 @@ bus_selinux_append_context (DBusMessage *message,
#ifdef HAVE_SELINUX
char *context;

- if (avc_sid_to_context (SELINUX_SID_FROM_BUS (sid), &context) < 0)
+ if (avc_sid_to_context_raw (SELINUX_SID_FROM_BUS (sid), &context) < 0)
{
if (errno == ENOMEM)
BUS_SET_OOM (error);
@@ -766,7 +766,7 @@ bus_connection_read_selinux_context (DBusConnection *connection,
return FALSE;
}

- if (getpeercon (fd, con) < 0)
+ if (getpeercon_raw (fd, con) < 0)
{
_dbus_verbose ("Error getting context of socket peer: %s\n",
_dbus_strerror (errno));
@@ -901,7 +901,7 @@ bus_selinux_init_connection_id (DBusConnection *connection,

_dbus_verbose ("Converting context to SID to store on connection\n");

- if (avc_context_to_sid (con, &sid) < 0)
+ if (avc_context_to_sid_raw (con, &sid) < 0)
{
if (errno == ENOMEM)
BUS_SET_OOM (error);
--
2.7.4

1238
SPECS/dbus.spec Normal file
View File

File diff suppressed because it is too large Load Diff