bus-proxy: drop priviliges if we can

Either become uid/gid of the client we have been forked for, or become
the "systemd-bus-proxy" user if the client was root. We retain
CAP_IPC_OWNER so that we can tell kdbus we are actually our own client.

Makefile.am

@@ -2033,6 +2033,7 @@ systemd_bus_proxyd_SOURCES = \
 	src/bus-proxyd/bus-proxyd.c
 
 systemd_bus_proxyd_LDADD = \
+	libsystemd-capability.la \
 	libsystemd-internal.la \
 	libsystemd-shared.la
 

src/bus-proxyd/bus-proxyd.c

@@ -44,9 +44,11 @@
 #include "build.h"
 #include "strv.h"
 #include "def.h"
+#include "capability.h"
 
 static const char *arg_address = DEFAULT_SYSTEM_BUS_PATH;
 static char *arg_command_line_buffer = NULL;
+static bool arg_drop_privileges = false;
 
 static int help(void) {
 
@@ -54,6 +56,7 @@ static int help(void) {
                "Connect STDIO or a socket to a given bus address.\n\n"
                "  -h --help              Show this help\n"
                "     --version           Show package version\n"
+               "     --drop-privileges   Drop privileges\n"
                "     --address=ADDRESS   Connect to the bus specified by ADDRESS\n"
                "                         (default: " DEFAULT_SYSTEM_BUS_PATH ")\n",
                program_invocation_short_name);
@@ -66,13 +69,15 @@ static int parse_argv(int argc, char *argv[]) {
         enum {
                 ARG_VERSION = 0x100,
                 ARG_ADDRESS,
+                ARG_DROP_PRIVILEGES,
         };
 
         static const struct option options[] = {
-                { "help",       no_argument,       NULL, 'h'            },
-                { "version",    no_argument,       NULL, ARG_VERSION    },
-                { "address",    required_argument, NULL, ARG_ADDRESS    },
-                { NULL,         0,                 NULL, 0              }
+                { "help",            no_argument,       NULL, 'h'                 },
+                { "version",         no_argument,       NULL, ARG_VERSION         },
+                { "address",         required_argument, NULL, ARG_ADDRESS         },
+                { "drop-privileges", no_argument,       NULL, ARG_DROP_PRIVILEGES },
+                { NULL,              0,                 NULL, 0                   },
         };
 
         int c;
@@ -97,6 +102,10 @@ static int parse_argv(int argc, char *argv[]) {
                         arg_address = optarg;
                         break;
 
+                case ARG_DROP_PRIVILEGES:
+                        arg_drop_privileges = true;
+                        break;
+
                 case '?':
                         return -EINVAL;
 
@@ -440,7 +449,6 @@ static int peer_is_privileged(sd_bus *bus, sd_bus_message *m) {
         return false;
 }
 
-
 static int process_driver(sd_bus *a, sd_bus *b, sd_bus_message *m) {
         int r;
 
@@ -1065,6 +1073,22 @@ int main(int argc, char *argv[]) {
                 getpeersec(in_fd, &peersec);
         }
 
+        if (arg_drop_privileges) {
+                const char *user = "systemd-bus-proxy";
+                uid_t uid;
+                gid_t gid;
+
+                r = get_user_creds(&user, &uid, &gid, NULL, NULL);
+                if (r < 0) {
+                        log_error("Cannot resolve user name %s: %s", user, strerror(-r));
+                        goto finish;
+                }
+
+                r = drop_privileges(uid, gid, 1ULL << CAP_IPC_OWNER);
+                if (r < 0)
+                        goto finish;
+        }
+
         r = sd_bus_new(&a);
         if (r < 0) {
                 log_error("Failed to allocate bus: %s", strerror(-r));

src/shared/capability.c

@@ -85,9 +85,9 @@ unsigned long cap_last_cap(void) {
 }
 
 int capability_bounding_set_drop(uint64_t drop, bool right_now) {
-        unsigned long i;
-        _cleanup_cap_free_ cap_t after_cap = NULL, temp_cap = NULL;
+        _cleanup_cap_free_ cap_t after_cap = NULL;
         cap_flag_value_t fv;
+        unsigned long i;
         int r;
 
         /* If we are run as PID 1 we will lack CAP_SETPCAP by default
@@ -103,6 +103,7 @@ int capability_bounding_set_drop(uint64_t drop, bool right_now) {
                 return -errno;
 
         if (fv != CAP_SET) {
+                _cleanup_cap_free_ cap_t temp_cap = NULL;
                 static const cap_value_t v = CAP_SETPCAP;
 
                 temp_cap = cap_dup(after_cap);
@@ -217,8 +218,6 @@ int capability_bounding_set_drop_usermode(uint64_t drop) {
 int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) {
 
         _cleanup_cap_free_ cap_t d = NULL;
-        cap_value_t bits[sizeof(keep_capabilities)*8];
-        unsigned i, j = 0;
         int r;
 
         /* Unfortunately we cannot leave privilege dropping to PID 1
@@ -265,6 +264,9 @@ int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) {
                 return log_oom();
 
         if (keep_capabilities) {
+                cap_value_t bits[sizeof(keep_capabilities)*8];
+                unsigned i, j = 0;
+
                 for (i = 0; i < sizeof(keep_capabilities)*8; i++)
                         if (keep_capabilities & (1ULL << i))
                                 bits[j++] = i;

units/systemd-bus-proxyd@.service.in

@@ -12,9 +12,11 @@ Description=Legacy D-Bus Protocol Compatibility Daemon
 # The first argument will be replaced by the service by information on
 # the process requesting the proxy, we need a placeholder to keep the
 # space available for this.
-ExecStart=@rootlibexecdir@/systemd-bus-proxyd xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ExecStart=@rootlibexecdir@/systemd-bus-proxyd --drop-privileges xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 NotifyAccess=main
-CapabilityBoundingSet=CAP_IPC_OWNER
+CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP
 PrivateTmp=yes
 PrivateDevices=yes
 PrivateNetwork=yes
+ReadOnlySystem=yes
+ProtectedHome=yes