From ca210908a353a428ee8b3f318ea0b918db7673b8 Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Thu, 31 May 2018 17:18:20 +0100
Subject: [PATCH 34/39] containers: Containers with an Allow policy cannot activate services

Signed-off-by: Simon McVittie
---
 bus/containers.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/bus/containers.c b/bus/containers.c
index bb1c6429..a695d37f 100644
--- a/bus/containers.c
+++ b/bus/containers.c
@@ -1550,10 +1550,32 @@ bus_containers_check_can_activate (DBusConnection *caller,
 const char *name,
 DBusError *error)
 {
+#ifdef DBUS_ENABLE_CONTAINERS
+ BusContainerInstance *instance;
+#endif
+
 _dbus_assert (caller != NULL);
 _dbus_assert (name != NULL);
 _DBUS_ASSERT_ERROR_IS_CLEAR (error);

+#ifdef DBUS_ENABLE_CONTAINERS
+ instance = connection_get_instance (caller);
+
+ if (instance == NULL)
+ return TRUE;
+
+ if (instance->has_policy)
+ {
+ dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
+ "Connection \"%s\" (%s) is in a container that is "
+ "not allowed to activate \"%s\"",
+ bus_connection_get_name (caller),
+ bus_connection_get_loginfo (caller),
+ name);
+ return FALSE;
+ }
+#endif /* DBUS_ENABLE_CONTAINERS */
+
 return TRUE;
 }

-- 
2.17.0
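Review bot: The denial in `bus_containers_check_can_activate` is keyed only on `instance->has_policy`, so a connection whose container instance has no policy falls through to the final `return TRUE` and can still trigger activation; nothing in the new code says whether that fail-open default is intended. The Allow rules are also never consulted: any policy at all means a blanket refusal, which matches the subject line but is not recorded where the decision is made. I would add a comment above the `if (instance->has_policy)` test, for example `/* Any Allow policy denies activation outright; the rules are not matched here. Instances without a policy are unrestricted. */`. The function's return type and any doc comment sit above the hunk, so part of this may already be described there. The diffstat shows only bus/containers.c, so a regression test for the `DBUS_ERROR_ACCESS_DENIED` path presumably lives elsewhere in the series and is worth confirming.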