From abd219a34fcc521ca60feb9a89a88594fa5e4328 Mon Sep 17 00:00:00 2001 From: "John (J5) Palmieri" Date: Mon, 17 Apr 2006 22:16:40 +0000 Subject: [PATCH] - New audit patch --- dbus-0.61-selinux-avc-audit.patch | 187 ++++++++++++++++++++---------- dbus.spec | 7 +- 2 files changed, 129 insertions(+), 65 deletions(-) diff --git a/dbus-0.61-selinux-avc-audit.patch b/dbus-0.61-selinux-avc-audit.patch index a9fc57d..31d79ff 100644 --- a/dbus-0.61-selinux-avc-audit.patch +++ b/dbus-0.61-selinux-avc-audit.patch 
@@ -1,66 +1,3 @@ ---- dbus-0.61/dbus/dbus-sysdeps-util.c.selinux-avc-audit 2006-02-24 10:46:45.000000000 -0500 -+++ dbus-0.61/dbus/dbus-sysdeps-util.c 2006-02-24 14:41:15.000000000 -0500 -@@ -42,6 +42,10 @@ - #include - #include - #include -+#ifdef HAVE_LIBAUDIT -+#include -+#include -+#endif /* HAVE_LIBAUDIT */ - - #ifndef O_BINARY - #define O_BINARY 0 -@@ -247,6 +251,12 @@ - dbus_gid_t gid, - DBusError *error) - { -+#ifdef HAVE_LIBAUDIT -+ int priv = !getuid(); -+ if (priv) -+ prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0); -+#endif /* HAVE_LIBAUDIT */ -+ - /* setgroups() only works if we are a privileged process, - * so we don't return error on failure; the only possible - * failure is that we don't have perms to do it. -@@ -265,6 +275,10 @@ - dbus_set_error (error, _dbus_error_from_errno (errno), - "Failed to set GID to %lu: %s", gid, - _dbus_strerror (errno)); -+#ifdef HAVE_LIBAUDIT -+ if (priv) -+ prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0); -+#endif /* HAVE_LIBAUDIT */ - return FALSE; - } - -@@ -273,9 +287,25 @@ - dbus_set_error (error, _dbus_error_from_errno (errno), - "Failed to set UID to %lu: %s", uid, - _dbus_strerror (errno)); -+#ifdef HAVE_LIBAUDIT -+ if (priv) -+ prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0); -+#endif /* HAVE_LIBAUDIT */ - return FALSE; - } - -+#ifdef HAVE_LIBAUDIT -+ if (priv) { -+ cap_t new_caps; -+ cap_value_t cap_list[] = { CAP_AUDIT_WRITE }; -+ -+ prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0); -+ new_caps = cap_init(); -+ cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET); -+ cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET); -+ cap_set_proc(new_caps); -+ } -+#endif /* HAVE_LIBAUDIT */ - return TRUE; - } - --- dbus-0.61/bus/selinux.c.selinux-avc-audit 2006-02-24 14:41:15.000000000 -0500 +++ dbus-0.61/bus/selinux.c 2006-02-24 14:41:15.000000000 -0500 @@ -38,6 +38,9 @@ 
@@ -173,3 +110,127 @@ #### Set up final flags DBUS_CLIENT_CFLAGS= DBUS_CLIENT_LIBS= +--- dbus-0.61-orig/dbus/dbus-sysdeps-util.c.selinux-avc-audit 2006-02-24 10:46:45.000000000 -0500 ++++ dbus-0.61/dbus/dbus-sysdeps-util.c 2006-04-04 13:00:04.000000000 -0400 +@@ -42,6 +42,11 @@ + #include + #include + #include ++#ifdef HAVE_LIBAUDIT ++#include ++#include ++#include ++#endif /* HAVE_LIBAUDIT */ + + #ifndef O_BINARY + #define O_BINARY 0 +@@ -247,6 +252,55 @@ + dbus_gid_t gid, + DBusError *error) + { ++ int priv = FALSE; ++ ++#ifdef HAVE_LIBAUDIT ++ /* have a tmp set of caps that we use to transition to the usr/grp dbus should ++ * run as ... doesn't really help. But keeps people happy. ++ */ ++ cap_t new_caps = NULL; ++ ++ priv = !getuid(); ++ if (priv) ++ { ++ cap_value_t new_cap_list[] = { CAP_AUDIT_WRITE }; ++ cap_value_t tmp_cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID, CAP_SETGID }; ++ cap_t tmp_caps = cap_init(); ++ ++ if (!tmp_caps || !(new_caps = cap_init())) ++ { ++ dbus_set_error (error, DBUS_ERROR_FAILED, ++ "Failed to initialize drop of capabilities\n"); ++ if (tmp_caps) ++ cap_free(tmp_caps); ++ return FALSE; ++ } ++ ++ /* assume these work... 
*/ ++ cap_set_flag(new_caps, CAP_PERMITTED, 1, new_cap_list, CAP_SET); ++ cap_set_flag(new_caps, CAP_EFFECTIVE, 1, new_cap_list, CAP_SET); ++ cap_set_flag(tmp_caps, CAP_PERMITTED, 3, tmp_cap_list, CAP_SET); ++ cap_set_flag(tmp_caps, CAP_EFFECTIVE, 3, tmp_cap_list, CAP_SET); ++ ++ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) ++ { ++ dbus_set_error (error, _dbus_error_from_errno (errno), ++ "Failed to set keep-capabilities: %s\n", ++ _dbus_strerror (errno)); ++ cap_free(tmp_caps); ++ goto fail; ++ } ++ if (cap_set_proc(tmp_caps)) ++ { ++ dbus_set_error (error, DBUS_ERROR_FAILED, ++ "Failed to drop capabilities\n"); ++ cap_free(tmp_caps); ++ goto fail; ++ } ++ cap_free(tmp_caps); ++ } ++#endif /* HAVE_LIBAUDIT */ ++ + /* setgroups() only works if we are a privileged process, + * so we don't return error on failure; the only possible + * failure is that we don't have perms to do it. +@@ -265,7 +319,7 @@ + dbus_set_error (error, _dbus_error_from_errno (errno), + "Failed to set GID to %lu: %s", gid, + _dbus_strerror (errno)); +- return FALSE; ++ goto fail; + } + + if (setuid (uid) < 0) +@@ -273,10 +327,42 @@ + dbus_set_error (error, _dbus_error_from_errno (errno), + "Failed to set UID to %lu: %s", uid, + _dbus_strerror (errno)); +- return FALSE; ++ goto fail; + } + +- return TRUE; ++#ifdef HAVE_LIBAUDIT ++ if (priv) ++ { ++ if (cap_set_proc(new_caps)) ++ { ++ dbus_set_error (error, DBUS_ERROR_FAILED, ++ "Failed to drop capabilities\n"); ++ goto fail; ++ } ++ cap_free(new_caps); ++ ++ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) == -1) ++ { /* should always work, if it did above */ ++ dbus_set_error (error, _dbus_error_from_errno (errno), ++ "Failed to unset keep-capabilities: %s\n", ++ _dbus_strerror (errno)); ++ return FALSE; ++ } ++ } ++#endif ++ ++ return TRUE; ++ ++ fail: ++#ifdef HAVE_LIBAUDIT ++ if (priv) ++ { ++ /* should always work, if it did above */ ++ prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0); ++ cap_free(new_caps); ++ } ++#endif ++ return FALSE; + } + + /** Installs a 
UNIX signal handler diff --git a/dbus.spec b/dbus.spec index aa25fff..349c236 100644 --- a/dbus.spec +++ b/dbus.spec @@ -19,7 +19,7 @@ Summary: D-BUS message bus Name: dbus Version: 0.61 -Release: 3 +Release: 4 URL: http://www.freedesktop.org/software/dbus/ Source0: %{name}-%{version}.tar.gz License: AFL/GPL @@ -342,7 +342,10 @@ fi %endif %changelog -* Fri Feb 24 2006 John (J5) Palmieri 0.61-2 +* Mon Apr 17 2006 John (J5) Palmieri 0.61-4 +- New audit patch + +* Fri Feb 24 2006 John (J5) Palmieri 0.61-3 - ABI hasn't changed so add patch that makes dbus-sharp think it is still 0.60 (mono uses hard version names so any change means apps need to recompile)
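Review bot: In the embedded dbus-sysdeps-util.c patch (nested hunk `@@ -273,10 +327,42 @@`), the `fail:` path taken when `cap_set_proc(new_caps)` fails after `setuid (uid)` has already succeeded only clears keep-caps and frees `new_caps`. Judging by the earlier `cap_set_proc(tmp_caps)` call, the function can then return FALSE while the process still holds CAP_SETUID and CAP_SETGID in its permitted set. The caller is not visible in this diff, so whether FALSE is treated as fatal is an assumption to confirm. I would state that contract at the label with a comment such as `/* on this path CAP_SETUID/CAP_SETGID may still be permitted; callers must exit on FALSE */`. The four `cap_set_flag` calls under `/* assume these work... */` also ignore their return values and should be checked, so that a failed call is reported through `dbus_set_error` rather than surfacing later as a capability set that is missing CAP_AUDIT_WRITE. The function's signature starts outside the nested hunk, so its name and first parameters are not shown here.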