author | John Johansen <john.johansen@canonical.com> | 2014-02-13 12:55:52 -0600 |
---|---|---|
committer | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2015-02-18 17:28:42 +0000 |
commit | c2686d53f3065dc9443bb2744f3fbe50992962ea (patch) | |
tree | 2d0facedd2504695e661cf973fa684c453bd8a8d /bus/apparmor.h | |
parent | cd23a5df10b0465c99f91b5f9c4e160480078c1a (diff) | |
download | dbus-c2686d53f3065dc9443bb2744f3fbe50992962ea.tar.gz |
Mediation of processes that acquire well-known names
When an AppArmor confined process wants to acquire a well-known name, a
check is performed to see if the action should be allowed.
The check is based on the connection's label, the bus type, and the name
being requested.
An example AppArmor rule that would allow the name
"com.example.ExampleName" to be acquired on the system bus would be:

  dbus bind bus=system name=com.example.ExampleName,

To let a process acquire any name on any bus, the rule would be:

  dbus bind,

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: Use BusAppArmorConfinement, bug fixes, cleanup, commit msg]
[tyhicks: initialize reserved area at the start of the query string]
[tyhicks: Use empty string for NULL bustypes when building queries]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Diffstat (limited to 'bus/apparmor.h')
-rw-r--r-- | bus/apparmor.h | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/bus/apparmor.h b/bus/apparmor.h index 861094e7..4f57c8b3 100644 --- a/bus/apparmor.h +++ b/bus/apparmor.h @@ -38,7 +38,13 @@ void bus_apparmor_shutdown (void); dbus_bool_t bus_apparmor_enabled (void); void bus_apparmor_confinement_unref (BusAppArmorConfinement *confinement); +void bus_apparmor_confinement_ref (BusAppArmorConfinement *confinement); BusAppArmorConfinement* bus_apparmor_init_connection_confinement (DBusConnection *connection, DBusError *error); +dbus_bool_t bus_apparmor_allows_acquire_service (DBusConnection *connection, + const char *bustype, + const char *service_name, + DBusError *error); + #endif /* BUS_APPARMOR_H */ |
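Review bot: the new bus_apparmor_allows_acquire_service() prototype at the end of the hunk has no comment stating its contract. It returns dbus_bool_t and takes a DBusError *, but the header does not say whether a FALSE return always sets error, or how a caller distinguishes a policy denial from a failure such as out of memory. Since this is a mediation check, please document that callers must treat any FALSE as a denial. The commit message says NULL bustypes are handled when building queries, so the declaration should also state that bustype may be NULL. Separately, bus_apparmor_confinement_ref() is declared returning void, so callers cannot take the reference and assign it in one expression; consider returning the BusAppArmorConfinement * instead.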