Mediation of processes eavesdropping

When an AppArmor confined process wants to eavesdrop on a bus, a check
is performed to see if the action should be allowed.

The check is based on the connection's label and the bus type.

This patch adds a new hook, which was not previously included in the
SELinux mediation, to mediate eavesdropping from
bus_driver_handle_add_match().

A new function is added to bus/signals.c to see if a match rule is an
eavesdropping rule since the rule flags field is private to signals.c.

An example AppArmor rule that would allow a process to eavesdrop on the
session bus would be:

  dbus eavesdrop bus=session,

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>

1 files changed, 9 insertions, 1 deletions

diff --git a/bus/driver.c b/bus/driver.c
index 442dd01d..53bd5590 100644
--- a/bus/driver.c
+++ b/bus/driver.c
@@ -24,6 +24,7 @@
 
 #include <config.h>
 #include "activation.h"
+#include "apparmor.h"
 #include "connection.h"
 #include "driver.h"
 #include "dispatch.h"
@@ -1110,9 +1111,10 @@ bus_driver_handle_add_match (DBusConnection *connection,
                              DBusError      *error)
 {
   BusMatchRule *rule;
-  const char *text;
+  const char *text, *bustype;
   DBusString str;
   BusMatchmaker *matchmaker;
+  BusContext *context;
 
   _DBUS_ASSERT_ERROR_IS_CLEAR (error);
 
@@ -1145,6 +1147,12 @@ bus_driver_handle_add_match (DBusConnection *connection,
   if (rule == NULL)
     goto failed;
 
+  context = bus_transaction_get_context (transaction);
+  bustype = context ? bus_context_get_type (context) : NULL;
+  if (bus_match_rule_get_client_is_eavesdropping (rule) &&
+      !bus_apparmor_allows_eavesdropping (connection, bustype, error))
+    goto failed;
+
   matchmaker = bus_connection_get_matchmaker (connection);
 
   if (!bus_matchmaker_add_rule (matchmaker, rule))