CVE-2015-0245: discard forged ActivationFailure messages

Without this code change, non-systemd processes can make dbus-daemon
think systemd failed to activate a system service, resulting in an
error reply back to the requester. In practice we can address this in
system.conf by only allowing root to forge these messages, but this
check is the real solution, particularly on systems where root is
not all-powerful.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88811
Reviewed-by: Alban Crequy
Reviewed-by: David King
Reviewed-by: Philip Withnall

diff --git a/bus/driver.c b/bus/driver.c
index 9551f3d4068bc06866cea94a1cbe931b89af91bd..f494170c666201fe73a9eb8108f9110d1c6d6aa8 100644 (file)
--- a/bus/driver.c
+++ b/bus/driver.c
@@ -2061,8 +2061,26 @@ bus_driver_handle_message (DBusConnection *connection,
   if (dbus_message_is_signal (message, "org.freedesktop.systemd1.Activator", "ActivationFailure"))
     {
       BusContext *context;
+      DBusConnection *systemd;
 
       context = bus_connection_get_context (connection);
+      systemd = bus_driver_get_owner_of_name (connection,
+          "org.freedesktop.systemd1");
+
+      if (systemd != connection)
+        {
+          const char *attacker;
+
+          attacker = bus_connection_get_name (connection);
+          bus_context_log (context, DBUS_SYSTEM_LOG_SECURITY,
+                           "Ignoring forged ActivationFailure message from "
+                           "connection %s (%s)",
+                           attacker ? attacker : "(unauthenticated)",
+                           bus_connection_get_loginfo (connection));
+          /* ignore it */
+          return TRUE;
+        }
+
       return dbus_activation_systemd_failure(bus_context_get_activation(context), message);
     }