authorTyler Hicks <tyhicks@canonical.com>2014-02-13 09:59:53 -0600
committerSimon McVittie <simon.mcvittie@collabora.co.uk>2015-02-18 17:04:05 +0000
commitcd23a5df10b0465c99f91b5f9c4e160480078c1a (patch)
tree0ba4cd5181b2f6a36ab43457a28871b48b1a2087 /bus/apparmor.c
parente8b0248eef31e2960a895613f3a9102675a7baf8 (diff)
downloaddbus-cd23a5df10b0465c99f91b5f9c4e160480078c1a.tar.gz
Store AppArmor label of connecting processes
When processes connect to the bus, the AppArmor confinement context should be stored for later use when checks are to be done during message sending/receiving, name acquisition, and eavesdropping. Code outside of apparmor.c will need to initialize and unreference the confinement context, so bus_apparmor_confinement_unref() can no longer be a static function. [Move bus_apparmor_confinement_unref back to its old location for a more reasonable diff -smcv] Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Diffstat (limited to 'bus/apparmor.c')
-rw-r--r--bus/apparmor.c54
1 files changed, 51 insertions, 3 deletions
diff --git a/bus/apparmor.c b/bus/apparmor.c
index 3b2be352..d22ac672 100644
--- a/bus/apparmor.c
+++ b/bus/apparmor.c
@@ -48,6 +48,8 @@
#include <syslog.h>
#endif /* HAVE_LIBAUDIT */
+#include "utils.h"
+
/* Store the value telling us if AppArmor D-Bus mediation is enabled. */
static dbus_bool_t apparmor_enabled = FALSE;
@@ -72,8 +74,6 @@ struct BusAppArmorConfinement
const char *mode; /* AppArmor confinement mode (freed by freeing *context) */
};
-typedef struct BusAppArmorConfinement BusAppArmorConfinement;
-
static BusAppArmorConfinement *bus_con = NULL;
/**
@@ -103,9 +103,10 @@ bus_apparmor_confinement_new (char *context, const char *mode)
return confinement;
}
-static void
+void
bus_apparmor_confinement_unref (BusAppArmorConfinement *confinement)
{
+#ifdef HAVE_APPARMOR
if (!apparmor_enabled)
return;
@@ -123,6 +124,7 @@ bus_apparmor_confinement_unref (BusAppArmorConfinement *confinement)
free (confinement->context);
dbus_free (confinement);
}
+#endif
}
void
@@ -339,3 +341,49 @@ bus_apparmor_enabled (void)
return FALSE;
#endif
}
+
+BusAppArmorConfinement*
+bus_apparmor_init_connection_confinement (DBusConnection *connection,
+ DBusError *error)
+{
+#ifdef HAVE_APPARMOR
+ BusAppArmorConfinement *confinement;
+ char *context, *mode;
+ int fd;
+
+ if (!apparmor_enabled)
+ return NULL;
+
+ _dbus_assert (connection != NULL);
+
+ if (!dbus_connection_get_socket (connection, &fd))
+ {
+ dbus_set_error (error, DBUS_ERROR_FAILED,
+ "Failed to get socket file descriptor of connection");
+ return NULL;
+ }
+
+ if (aa_getpeercon (fd, &context, &mode) == -1)
+ {
+ if (errno == ENOMEM)
+ BUS_SET_OOM (error);
+ else
+ dbus_set_error (error, _dbus_error_from_errno (errno),
+ "Failed to get AppArmor confinement information of socket peer: %s",
+ _dbus_strerror (errno));
+ return NULL;
+ }
+
+ confinement = bus_apparmor_confinement_new (context, mode);
+ if (confinement == NULL)
+ {
+ BUS_SET_OOM (error);
+ free (context);
+ return NULL;
+ }
+
+ return confinement;
+#else
+ return NULL;
+#endif /* HAVE_APPARMOR */
+}
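Review bot: A NULL return from bus_apparmor_init_connection_confinement is ambiguous for the caller: it means "mediation is off, proceed" when apparmor_enabled is FALSE (error left unset) but "peer lookup failed" on the dbus_connection_get_socket, aa_getpeercon and allocation paths (error set), so callers have to test dbus_error_is_set to tell the two apart, and the new function documents neither that nor who releases the result. I would put a header comment above the definition along the lines of `/* Returns the caller-owned confinement of the connection's peer, released with bus_apparmor_confinement_unref(). NULL with error unset: AppArmor mediation is disabled; NULL with error set: the lookup failed. */`. Separately, errno is read three times after aa_getpeercon() fails, the last of them after _dbus_error_from_errno() has already run; capturing it once with `int saved_errno = errno;` immediately after the failed call and using saved_errno in the ENOMEM test, _dbus_error_from_errno and _dbus_strerror keeps the reported error from depending on whether an intervening call clobbers errno.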