bus-proxy: automatically detect scope of bus and derive which XML snippets to load from that

3 files changed, 38 insertions, 27 deletions

diff --git a/src/bus-proxyd/bus-proxyd.c b/src/bus-proxyd/bus-proxyd.c
index a66197abe..d2acb788d 100644
--- a/src/bus-proxyd/bus-proxyd.c
+++ b/src/bus-proxyd/bus-proxyd.c
@@ -1381,39 +1381,50 @@ int main(int argc, char *argv[]) {
         }
 
         if (a->is_kernel) {
-                _cleanup_bus_creds_unref_ sd_bus_creds *bus_creds = NULL;
-                uid_t bus_uid;
+                if (!arg_configuration) {
+                        const char *scope;
 
-                r = sd_bus_get_owner_creds(a, SD_BUS_CREDS_UID, &bus_creds);
-                if (r < 0) {
-                        log_error_errno(r, "Failed to get bus creds: %m");
-                        goto finish;
-                }
-
-                r = sd_bus_creds_get_uid(bus_creds, &bus_uid);
-                if (r < 0) {
-                        log_error_errno(r, "Failed to get bus owner UID: %m");
-                        goto finish;
-                }
-
-                if (bus_uid == 0) {
-                        /* We only enforce the old XML policy on
-                         * kernel busses owned by root users. */
-
-                        r = policy_load(&policy_buffer, arg_configuration);
+                        r = sd_bus_get_scope(a, &scope);
                         if (r < 0) {
-                                log_error_errno(r, "Failed to load policy: %m");
+                                log_error_errno(r, "Couldn't determine bus scope: %m");
                                 goto finish;
                         }
 
-                        if (!policy_check_hello(&policy_buffer, ucred.uid, ucred.gid)) {
-                                log_error("Policy denied connection");
-                                r = -EPERM;
+                        if (streq(scope, "system"))
+                                arg_configuration = strv_new(
+                                                "/etc/dbus-1/system.conf",
+                                                "/etc/dbus-1/system.d/",
+                                                "/etc/dbus-1/system-local.conf",
+                                                NULL);
+                        else if (streq(scope, "user"))
+                                arg_configuration = strv_new(
+                                                "/etc/dbus-1/session.conf",
+                                                "/etc/dbus-1/session.d/",
+                                                "/etc/dbus-1/session-local.conf",
+                                                NULL);
+                        else {
+                                log_error("Unknown scope %s, don't know which policy to load. Refusing.", scope);
                                 goto finish;
                         }
 
-                        policy_dump(&policy_buffer);
-                        policy = &policy_buffer;
+                        if (!arg_configuration) {
+                                r = log_oom();
+                                goto finish;
+                        }
+                }
+
+                r = policy_load(&policy_buffer, arg_configuration);
+                if (r < 0) {
+                        log_error_errno(r, "Failed to load policy: %m");
+                        goto finish;
+                }
+
+                policy = &policy_buffer;
+                policy_dump(policy);
+
+                if (!policy_check_hello(policy, ucred.uid, ucred.gid)) {
+                        r = log_error_errno(EPERM, "Policy denied connection.");
+                        goto finish;
                 }
         }
 
diff --git a/units/systemd-bus-proxyd@.service.in b/units/systemd-bus-proxyd@.service.in
index fdcd3029f..23b5ffa07 100644
--- a/units/systemd-bus-proxyd@.service.in
+++ b/units/systemd-bus-proxyd@.service.in
@@ -12,7 +12,7 @@ Description=Legacy D-Bus Protocol Compatibility Daemon
 # The first argument will be replaced by the service by information on
 # the process requesting the proxy, we need a placeholder to keep the
 # space available for this.
-ExecStart=@rootlibexecdir@/systemd-bus-proxyd --drop-privileges --address=kernel:path=/sys/fs/kdbus/0-system/bus --configuration=/etc/dbus-1/system.conf --configuration=/etc/dbus-1/system-local.conf --configuration=/etc/dbus-1/system.d/ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ExecStart=@rootlibexecdir@/systemd-bus-proxyd --drop-privileges --address=kernel:path=/sys/fs/kdbus/0-system/bus xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 NotifyAccess=main
 CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP
 PrivateTmp=yes
diff --git a/units/user/systemd-bus-proxyd@.service.in b/units/user/systemd-bus-proxyd@.service.in
index 48294db26..0ab5462ed 100644
--- a/units/user/systemd-bus-proxyd@.service.in
+++ b/units/user/systemd-bus-proxyd@.service.in
@@ -12,5 +12,5 @@ Description=Legacy D-Bus Protocol Compatibility Daemon
 # The first argument will be replaced by the service by information on
 # the process requesting the proxy, we need a placeholder to keep the
 # space available for this.
-ExecStart=@rootlibexecdir@/systemd-bus-proxyd --address=kernel:path=/sys/fs/kdbus/%U-user/bus --configuration=/etc/dbus-1/session.conf --configuration=/etc/dbus-1/session-local.conf --configuration=/etc/dbus-1/session.d/ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ExecStart=@rootlibexecdir@/systemd-bus-proxyd --address=kernel:path=/sys/fs/kdbus/%U-user/bus xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 NotifyAccess=main