From 771f9ef9608828746f5787d88ed302f33ee88dde Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 9 Jun 2017 13:43:25 +0100
Subject: [PATCH 36/49] bus/driver: Add a flag for methods that can't be
 invoked by containers

We can consider relaxing AddContainerServer() from PRIVILEGED to
NOT_CONTAINERS when we've put resource limits in place.

Signed-off-by: Simon McVittie <smcv@collabora.com>
---
 bus/driver.c | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/bus/driver.c b/bus/driver.c
index 49205e8c..8c15935a 100644
--- a/bus/driver.c
+++ b/bus/driver.c
@@ -2397,9 +2397,16 @@ typedef enum
 
   /* If set, callers must be privileged. On Unix, the uid of the connection
    * must either be the uid of this process, or 0 (root). On Windows,
-   * the SID of the connection must be the SID of this process. */
+   * the SID of the connection must be the SID of this process.
+   *
+   * This flag effectively implies METHOD_FLAG_NO_CONTAINERS. */
   METHOD_FLAG_PRIVILEGED = (1 << 1),
 
+  /* If set, callers must be privileged. On Unix, the uid of the connection
+   * must either be the uid of this process, or 0 (root). On Windows,
+   * the SID of the connection must be the SID of this process. */
+  METHOD_FLAG_NO_CONTAINERS = (1 << 2),
+
   METHOD_FLAG_NONE = 0
 } MethodFlags;
 
@@ -2968,12 +2975,25 @@ bus_driver_handle_message (DBusConnection *connection,
 
           _dbus_verbose ("Found driver handler for %s\n", name);
 
-          if ((mh->flags & METHOD_FLAG_PRIVILEGED) &&
-              !bus_driver_check_caller_is_privileged (connection, transaction,
-                                                      message, error))
+          if (mh->flags & METHOD_FLAG_PRIVILEGED)
             {
-              _DBUS_ASSERT_ERROR_IS_SET (error);
-              return FALSE;
+              if (!bus_driver_check_caller_is_privileged (connection,
+                                                          transaction, message,
+                                                          error))
+                {
+                  _DBUS_ASSERT_ERROR_IS_SET (error);
+                  return FALSE;
+                }
+            }
+          else if (mh->flags & METHOD_FLAG_NO_CONTAINERS)
+            {
+              if (!bus_driver_check_caller_is_not_container (connection,
+                                                             transaction,
+                                                             message, error))
+                {
+                  _DBUS_ASSERT_ERROR_IS_SET (error);
+                  return FALSE;
+                }
             }
 
           if (!(is_canonical_path || (mh->flags & METHOD_FLAG_ANY_PATH)))
-- 
2.11.0