--- dbus-1.2.16.orig/bus/selinux.c 2009-11-01 09:58:22.000000000 -0500
|
|
+++ dbus-1.2.16.orig/bus/selinux.c 2009-11-01 11:30:45.000000000 -0500
|
|
@@ -1015,3 +1015,74 @@ bus_selinux_shutdown (void)
|
|
#endif /* HAVE_SELINUX */
|
|
}
|
|
|
|
+/**
|
|
+ * Changes the user and group the bus is running as.
|
|
+ *
|
|
+ * @param user the user to become
|
|
+ * @param error return location for errors
|
|
+ * @returns #FALSE on failure
|
|
+ */
|
|
+dbus_bool_t
|
|
+_dbus_change_to_daemon_user (const char *user,
|
|
+ DBusError *error)
|
|
+{
|
|
+ dbus_uid_t uid;
|
|
+ dbus_gid_t gid;
|
|
+ DBusString u;
|
|
+
|
|
+ _dbus_string_init_const (&u, user);
|
|
+
|
|
+ if (!_dbus_get_user_id_and_primary_group (&u, &uid, &gid))
|
|
+ {
|
|
+ dbus_set_error (error, DBUS_ERROR_FAILED,
|
|
+ "User '%s' does not appear to exist?",
|
|
+ user);
|
|
+ return FALSE;
|
|
+ }
|
|
+
|
|
+#ifdef HAVE_LIBAUDIT
|
|
+ /* If we were root */
|
|
+ if (_dbus_geteuid () == 0)
|
|
+ {
|
|
+ int rc;
|
|
+
|
|
+ capng_clear(CAPNG_SELECT_BOTH);
|
|
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
|
|
+ CAP_AUDIT_WRITE);
|
|
+ rc = capng_change_id(uid, gid, 0);
|
|
+ if (rc)
|
|
+ {
|
|
+ switch (rc) {
|
|
+ default:
|
|
+ dbus_set_error (error, DBUS_ERROR_FAILED,
|
|
+ "Failed to drop capabilities: %s\n",
|
|
+ _dbus_strerror (errno));
|
|
+ break;
|
|
+ case -4:
|
|
+ dbus_set_error (error, _dbus_error_from_errno (errno),
|
|
+ "Failed to set GID to %lu: %s", gid,
|
|
+ _dbus_strerror (errno));
|
|
+ break;
|
|
+ case -5:
|
|
+ _dbus_warn ("Failed to drop supplementary groups: %s\n",
|
|
+ _dbus_strerror (errno));
|
|
+ break;
|
|
+ case -6:
|
|
+ dbus_set_error (error, _dbus_error_from_errno (errno),
|
|
+ "Failed to set UID to %lu: %s", uid,
|
|
+ _dbus_strerror (errno));
|
|
+ break;
|
|
+ case -7:
|
|
+ dbus_set_error (error, _dbus_error_from_errno (errno),
|
|
+ "Failed to unset keep-capabilities: %s\n",
|
|
+ _dbus_strerror (errno));
|
|
+ break;
|
|
+ }
|
|
+ return FALSE;
|
|
+ }
|
|
+ }
|
|
+#endif /* HAVE_LIBAUDIT */
|
|
+
|
|
+ return TRUE;
|
|
+}
|
|
+
|
|
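Review bot: `capng_change_id(uid, gid, 0)` passes no flags, so as far as this hunk shows the supplementary groups the daemon was started with survive the switch to `user`; `rc = capng_change_id(uid, gid, CAPNG_DROP_SUPP_GRP);` would shed them together with the uid and gid. With the flag at 0 the `case -5` arm looks unreachable, and if taken it only calls `_dbus_warn` before the shared `return FALSE`, leaving `error` unset; it should use `dbus_set_error (error, _dbus_error_from_errno (errno), "Failed to drop supplementary groups: %s", _dbus_strerror (errno));` like its siblings. Separately, when HAVE_LIBAUDIT is undefined or the effective uid is not 0, the function returns TRUE after only the user lookup, so a caller cannot tell that no identity change took place; if that is intended, a comment above `return TRUE;` should say so. All of this is carried over unchanged from the copy removed from dbus/dbus-sysdeps-util-unix.c, so the move is a good moment to fix it.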
--- dbus-1.2.16.orig/bus/selinux.h 2009-11-01 09:58:22.000000000 -0500
|
|
+++ dbus-1.2.16.orig/bus/selinux.h 2009-11-01 11:33:15.000000000 -0500
|
|
@@ -68,5 +68,7 @@ BusSELinuxID* bus_selinux_init_connectio
|
|
|
|
|
|
void bus_selinux_audit_init(void);
|
|
+dbus_bool_t _dbus_change_to_daemon_user (const char *user,
|
|
+ DBusError *error);
|
|
|
|
#endif /* BUS_SELINUX_H */
|
|
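Review bot: The prototype added to bus/selinux.h has no comment, and its `_dbus_` prefix and purpose (switching the daemon's uid/gid) do not match the `bus_selinux_*` declarations around it, so a reader gets no hint why it is declared here. A one-line comment above it would help, for example `/* Defined in selinux.c; drops privileges via libcap-ng when built with HAVE_LIBAUDIT */`. Renaming it would also mean changing the callers, which this patch does not show, so the comment is the smaller fix.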
--- dbus-1.2.16.orig/configure.in 2009-11-01 09:58:22.000000000 -0500
|
|
+++ dbus-1.2.16.orig/configure.in 2009-11-01 11:30:45.000000000 -0500
|
|
@@ -852,8 +852,7 @@ fi
|
|
AM_CONDITIONAL(HAVE_LIBAUDIT, test x$have_libaudit = xyes)
|
|
|
|
if test x$have_libaudit = xyes ; then
|
|
- SELINUX_LIBS="$SELINUX_LIBS -laudit"
|
|
- LIBS="-lcap-ng $LIBS"
|
|
+ SELINUX_LIBS="$SELINUX_LIBS -laudit -lcap-ng"
|
|
AC_DEFINE(HAVE_LIBAUDIT,1,[audit daemon SELinux support])
|
|
fi
|
|
|
|
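Review bot: `-lcap-ng` is now appended to SELINUX_LIBS inside the `have_libaudit` test, so it reaches only targets that link SELINUX_LIBS, and the visible lines show no separate check that libcap-ng is present (the detection code is above this hunk). Any target that still calls `capng_*` but links only LIBS would fail at link time; going by the other file sections the calls now live in bus/selinux.c, which presumably links SELINUX_LIBS. A comment on the assignment would record the intent, for example `# cap-ng is used only by the daemon (bus/selinux.c); keep it out of LIBS`.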
--- dbus-1.2.16.orig/dbus/dbus-sysdeps.h 2009-11-01 09:58:22.000000000 -0500
|
|
+++ dbus-1.2.16.orig/dbus/dbus-sysdeps.h 2009-11-01 11:33:08.000000000 -0500
|
|
@@ -418,8 +418,6 @@ dbus_bool_t _dbus_become_daemon (const
|
|
dbus_bool_t keep_umask);
|
|
|
|
dbus_bool_t _dbus_verify_daemon_user (const char *user);
|
|
-dbus_bool_t _dbus_change_to_daemon_user (const char *user,
|
|
- DBusError *error);
|
|
|
|
dbus_bool_t _dbus_write_pid_to_file_and_pipe (const DBusString *pidfile,
|
|
DBusPipe *print_pid_pipe,
|
|
--- dbus-1.2.16.orig/dbus/dbus-sysdeps-util-unix.c 2009-11-01 09:58:22.000000000 -0500
|
|
+++ dbus-1.2.16.orig/dbus/dbus-sysdeps-util-unix.c 2009-11-01 11:30:45.000000000 -0500
|
|
@@ -45,10 +45,6 @@
|
|
#include <sys/un.h>
|
|
#include <syslog.h>
|
|
#include <syslog.h>
|
|
-#ifdef HAVE_LIBAUDIT
|
|
-#include <cap-ng.h>
|
|
-#include <libaudit.h>
|
|
-#endif /* HAVE_LIBAUDIT */
|
|
|
|
#ifdef HAVE_SYS_SYSLIMITS_H
|
|
#include <sys/syslimits.h>
|
|
@@ -308,77 +304,6 @@ _dbus_verify_daemon_user (const char *us
|
|
return _dbus_get_user_id_and_primary_group (&u, NULL, NULL);
|
|
}
|
|
|
|
-/**
|
|
- * Changes the user and group the bus is running as.
|
|
- *
|
|
- * @param user the user to become
|
|
- * @param error return location for errors
|
|
- * @returns #FALSE on failure
|
|
- */
|
|
-dbus_bool_t
|
|
-_dbus_change_to_daemon_user (const char *user,
|
|
- DBusError *error)
|
|
-{
|
|
- dbus_uid_t uid;
|
|
- dbus_gid_t gid;
|
|
- DBusString u;
|
|
-
|
|
- _dbus_string_init_const (&u, user);
|
|
-
|
|
- if (!_dbus_get_user_id_and_primary_group (&u, &uid, &gid))
|
|
- {
|
|
- dbus_set_error (error, DBUS_ERROR_FAILED,
|
|
- "User '%s' does not appear to exist?",
|
|
- user);
|
|
- return FALSE;
|
|
- }
|
|
-
|
|
-#ifdef HAVE_LIBAUDIT
|
|
- /* If we were root */
|
|
- if (_dbus_geteuid () == 0)
|
|
- {
|
|
- int rc;
|
|
-
|
|
- capng_clear(CAPNG_SELECT_BOTH);
|
|
- capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
|
|
- CAP_AUDIT_WRITE);
|
|
- rc = capng_change_id(uid, gid, 0);
|
|
- if (rc)
|
|
- {
|
|
- switch (rc) {
|
|
- default:
|
|
- dbus_set_error (error, DBUS_ERROR_FAILED,
|
|
- "Failed to drop capabilities: %s\n",
|
|
- _dbus_strerror (errno));
|
|
- break;
|
|
- case -4:
|
|
- dbus_set_error (error, _dbus_error_from_errno (errno),
|
|
- "Failed to set GID to %lu: %s", gid,
|
|
- _dbus_strerror (errno));
|
|
- break;
|
|
- case -5:
|
|
- _dbus_warn ("Failed to drop supplementary groups: %s\n",
|
|
- _dbus_strerror (errno));
|
|
- break;
|
|
- case -6:
|
|
- dbus_set_error (error, _dbus_error_from_errno (errno),
|
|
- "Failed to set UID to %lu: %s", uid,
|
|
- _dbus_strerror (errno));
|
|
- break;
|
|
- case -7:
|
|
- dbus_set_error (error, _dbus_error_from_errno (errno),
|
|
- "Failed to unset keep-capabilities: %s\n",
|
|
- _dbus_strerror (errno));
|
|
- break;
|
|
- }
|
|
- return FALSE;
|
|
- }
|
|
- }
|
|
-#endif /* HAVE_LIBAUDIT */
|
|
-
|
|
- return TRUE;
|
|
-}
|
|
-
|
|
void
|
|
_dbus_init_system_log (void)
|
|
{
|
|
|