From 73fd9446e6a17a1f08aee59839951221a76db57d Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Thu, 22 Jun 2017 18:02:00 +0100
Subject: [PATCH] bus/containers: Require connecting uid to match caller of
 AddContainerServer

If we're strict now, we can relax this later (either with a named
parameter or always); but if we're lenient now, we'll be stuck with it
forever, so be strict.

Signed-off-by: Simon McVittie <smcv@collabora.com>
---
 bus/containers.c | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/bus/containers.c b/bus/containers.c
index 3462b473..4a908e32 100644
--- a/bus/containers.c
+++ b/bus/containers.c
@@ -31,6 +31,8 @@
 # error DBUS_ENABLE_CONTAINERS requires DBUS_UNIX
 #endif
 
+#include <sys/types.h>
+
 #include "dbus/dbus-hash.h"
 #include "dbus/dbus-message-internal.h"
 #include "dbus/dbus-sysdeps-unix.h"
@@ -52,6 +54,7 @@ typedef struct
   BusContext *context;
   BusContainers *containers;
   DBusServer *server;
+  unsigned long uid;
 } BusContainerInstance;
 
 /*
@@ -280,6 +283,22 @@ static const char * const auth_mechanisms[] =
   NULL
 };
 
+/* Statically assert that we can store a uid in a void *, losslessly.
+ *
+ * In practice this is always true on Unix. For now we don't support this
+ * feature on systems where it isn't. */
+_DBUS_STATIC_ASSERT (sizeof (uid_t) <= sizeof (uintptr_t));
+/* True by definition. */
+_DBUS_STATIC_ASSERT (sizeof (void *) == sizeof (uintptr_t));
+
+static dbus_bool_t
+allow_same_uid_only (DBusConnection *connection,
+                     unsigned long   uid,
+                     void           *data)
+{
+  return (uid == (uintptr_t) data);
+}
+
 static void
 new_connection_cb (DBusServer     *server,
                    DBusConnection *new_connection,
@@ -289,6 +308,23 @@ new_connection_cb (DBusServer     *server,
 
   if (!bus_context_add_incoming_connection (instance->context, new_connection))
     return;
+
+  /* We'd like to check the uid here, but we can't yet. Instead clear the
+   * BusContext's unix_user_function, which results in us getting the
+   * default behaviour: only the user that owns the bus can connect.
+   *
+   * TODO: For the system bus we might want a way to opt-in to allowing
+   * other uids, in which case we would refrain from overwriting the
+   * BusContext's unix_user_function; but that isn't part of the
+   * lowest-common-denominator implementation. */
+  dbus_connection_set_unix_user_function (new_connection,
+                                          allow_same_uid_only,
+                                          /* The static assertion above
+                                           * allow_same_uid_only ensures that
+                                           * this cast does not lose
+                                           * information */
+                                          (void *) (uintptr_t) instance->uid,
+                                          NULL);
 }
 
 static const char *
@@ -427,6 +463,13 @@ bus_containers_handle_add_container_server (DBusConnection *connection,
   if (instance == NULL)
     goto fail;
 
+  if (!dbus_connection_get_unix_user (connection, &instance->uid))
+    {
+      dbus_set_error (error, DBUS_ERROR_FAILED,
+                      "Unable to determine user ID of caller");
+      goto fail;
+    }
+
   /* We already checked this in bus_driver_handle_message() */
   _dbus_assert (dbus_message_has_signature (message, "ssa{sv}a{sv}"));
 
-- 
2.13.2