From 085aa3e6083a0aa63f043dd116fc07c568ee6398 Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Thu, 31 May 2018 17:25:45 +0100
Subject: [PATCH 36/39] containers: Limit the messages sent by connections with an Allow policy

The baseline rules for connections in containers with a policy are as follows:

* Can send legitimate replies that don't contain Unix fds
* Can't send Unix fds (as an easy way to mitigate the complexity and low arbitrary limits of Unix fd passing, which carries a risk of exploitable bugs)
* Can send messages to the dbus-daemon that don't contain Unix fds
* Can send messages to connections in the same container (including, as a trivial case, themselves)
* Can't send anything not explicitly allowed

Signed-off-by: Simon McVittie
---
 bus/containers.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/bus/containers.c b/bus/containers.c
index d0bfe510..1d9f3011 100644
--- a/bus/containers.c
+++ b/bus/containers.c
@@ -1672,6 +1672,54 @@ bus_containers_check_can_send (DBusConnection *sender,
 bus_connection_get_loginfo (sender));
 return FALSE;
 }
+
+ /* Requested replies that contain Unix fds are covered by policy
+ * (fall through). Requested replies that don't contain Unix fds
+ * are unconditionally allowed. */
+ if (!dbus_message_contains_unix_fds (message))
+ return TRUE;
+ }
+
+ if (instance->has_policy)
+ {
+ BusContainerInstance *recipient_instance;
+
+ if (dbus_message_contains_unix_fds (message))
+ {
+ dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
+ "Connection \"%s\" (%s) is in a container that is "
+ "not allowed to send file descriptors",
+ bus_connection_get_name (sender),
+ bus_connection_get_loginfo (sender));
+ return FALSE;
+ }
+
+ if (proposed_recipient == NULL)
+ {
+ const char *dest = dbus_message_get_destination (message);
+
+ /* Containers can always talk to the dbus-daemon itself */
+ if (dest != NULL && strcmp (dest, DBUS_SERVICE_DBUS) == 0)
+ return TRUE;
+ }
+
+ recipient_instance = connection_get_instance (proposed_recipient);
+
+ if (recipient_instance == instance)
+ {
+ /* Messages pass freely within a container */
+ return TRUE;
+ }
+
+ /* TODO: Have a policy by which containers can optionally send
+ * messages to the outside */
+
+ dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
+ "Connection \"%s\" (%s) is in a container that is "
+ "not allowed to send most messages",
+ bus_connection_get_name (sender),
+ bus_connection_get_loginfo (sender));
+ return FALSE;
 }
 #endif /* DBUS_ENABLE_CONTAINERS */
-- 
2.17.0
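Review bot: In the `has_policy` branch, when `proposed_recipient` is NULL but the destination is not `DBUS_SERVICE_DBUS` (a signal with no destination, or a named destination the daemon did not resolve to a connection), control reaches `recipient_instance = connection_get_instance (proposed_recipient);` with a NULL argument, and whether that is safe depends on `connection_get_instance` tolerating NULL, which this hunk does not show. If it does, make the reliance explicit with a comment on that line such as `/* proposed_recipient may be NULL here: connection_get_instance (NULL) yields NULL, so the comparison below fails and the message is denied */`; if it does not, short-circuit before the call with `if (proposed_recipient == NULL) recipient_instance = NULL; else recipient_instance = connection_get_instance (proposed_recipient);` so the deny path is reached without dereferencing NULL. The unconditional `instance->has_policy` dereference likewise presumes an earlier non-NULL check on `instance` that is not visible here. bus_containers_check_can_send starts before this hunk, and the non-policy fall-through after the closing brace lies outside it as well.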