From b1d018a8785e35787c5a1a03dd024dcb197e7dbb Mon Sep 17 00:00:00 2001 From: Tyler Hicks Date: Thu, 13 Feb 2014 13:21:51 -0600 Subject: [PATCH 13/13] Add AppArmor support to GetConnectionCredentials Allow for querying the AppArmor context and mode of a given bus connection using the org.freedesktop.DBus.GetConnectionCredentials method. By calling GetConnectionCredentials with the connection name as the argument, the AppArmor confinement context will be included in the returned dictionary. The key is "AppArmorContext" and the value is a byte string, which may not be UTF-8. Additionally, the confinement mode for the connection is made available. The key is "AppArmorMode" and the value is a byte string. There are no documented constraints regarding the mode string in the AppArmor documentation, so a byte string is used. Signed-off-by: Tyler Hicks --- * New patch for v2 of the series bus/apparmor.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ bus/apparmor.h | 4 ++++ bus/driver.c | 3 +++ doc/dbus-specification.xml | 16 ++++++++++++++++ 4 files changed, 69 insertions(+) diff --git a/bus/apparmor.c b/bus/apparmor.c index a2283ae..ab00161 100644 --- a/bus/apparmor.c +++ b/bus/apparmor.c @@ -28,6 +28,7 @@ #ifdef HAVE_APPARMOR +#include #include #include #include 
@@ -560,6 +561,51 @@ bus_apparmor_init_connection_confinement (DBusConnection *connection,
 #endif /* HAVE_APPARMOR */
 }
 
+dbus_bool_t
+bus_apparmor_get_connection_credentials (DBusConnection *conn,
+ DBusMessageIter *array_iter,
+ DBusError *error)
+{
+#if HAVE_APPARMOR
+ BusAppArmorConfinement *confinement;
+ char *context, *mode;
+
+ _DBUS_ASSERT_ERROR_IS_CLEAR (error);
+
+ confinement = bus_connection_dup_apparmor_confinement (conn);
+ if (confinement == NULL)
+ return TRUE;
+
+ context = confinement->context;
+ mode = confinement->mode;
+
+ if (context != NULL)
+ {
+ if (!_dbus_asv_add_byte_array (array_iter, "AppArmorContext",
+ context, strlen (context)))
+ goto oom;
+ }
+
+ if (mode != NULL)
+ {
+ if (!_dbus_asv_add_byte_array (array_iter, "AppArmorMode",
+ mode, strlen (mode)))
+ goto oom;
+ }
+
+ bus_apparmor_confinement_unref (confinement);
+ return TRUE;
+
+ oom:
+ BUS_SET_OOM (error);
+
+ bus_apparmor_confinement_unref (confinement);
+ return FALSE;
+#else
+ return TRUE;
+#endif /* HAVE_APPARMOR */
+}
+
 /**
 * Returns true if the given connection can acquire a service,
 * using the tasks security context
diff --git a/bus/apparmor.h b/bus/apparmor.h
index 5bc864a..e107286 100644
--- a/bus/apparmor.h
+++ b/bus/apparmor.h
@@ -42,6 +42,10 @@ void bus_apparmor_confinement_ref (BusAppArmorConfinement *confinement);
 BusAppArmorConfinement* bus_apparmor_init_connection_confinement (DBusConnection *connection,
 DBusError *error);
 
+dbus_bool_t bus_apparmor_get_connection_credentials (DBusConnection *conn,
+ DBusMessageIter *array_iter,
+ DBusError *error);
+
 dbus_bool_t bus_apparmor_allows_acquire_service (DBusConnection *connection,
 BusSELinuxID *service_sid,
 const char *bustype,
diff --git a/bus/driver.c b/bus/driver.c
index 820c48a..5588ddb 100644
--- a/bus/driver.c
+++ b/bus/driver.c
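Review bot: The new bus_apparmor_get_connection_credentials guards its body with `#if HAVE_APPARMOR`, while the rest of this file uses `#ifdef HAVE_APPARMOR` (see the `#endif /* HAVE_APPARMOR */` context line directly above and the include hunk earlier in the patch). `#if` on an undefined macro silently evaluates to 0, so a typo or a missing config.h include would compile the AppArmor support out without any diagnostic, and a build that defines the macro without a value fails with "#if with no expression"; change the line to `#ifdef HAVE_APPARMOR` to match the file. The locals are only read and passed to strlen and _dbus_asv_add_byte_array, so `const char *context, *mode;` would document that the confinement's strings are not written through here, assuming the struct fields are plain `char *` (their declaration is outside the hunk). A short header comment on the function would also help callers: it should say that the function appends the "AppArmorContext" and "AppArmorMode" byte-string entries for conn to array_iter, returns TRUE without adding anything when the connection has no confinement record or AppArmor support is compiled out, and sets error and returns FALSE only on OOM.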
@@ -1571,6 +1571,9 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection,
 goto oom;
 }
 
+ if (!bus_apparmor_get_connection_credentials (conn, &array_iter, error))
+ goto failed;
+
 if (!_dbus_asv_close (&reply_iter, &array_iter))
 goto oom;
diff --git a/doc/dbus-specification.xml b/doc/dbus-specification.xml
index 3276f2b..01d718c 100644
--- a/doc/dbus-specification.xml
+++ b/doc/dbus-specification.xml
@@ -5837,6 +5837,22 @@ this concept. On Unix, this is the process ID defined by POSIX. + + AppArmorContext ARRAY of BYTE The AppArmor confinement context of the connection. This byte string, which may not be UTF-8, is the same string as returned in the *con argument by the aa_getcon() family of AppArmor functions. + + AppArmorMode ARRAY of BYTE The AppArmor confinement mode for the connection. This byte string, which may not be UTF-8, is the same string as returned in the *mode argument by the aa_getcon() family of AppArmor functions. + -- 1.9.0
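Review bot: The new call jumps to `failed` on failure while every neighbouring check in this function jumps to `oom`, and nothing in the hunk explains the difference; a later reader is likely to "fix" it. The reason is visible in the same patch: bus_apparmor_get_connection_credentials already calls BUS_SET_OOM (error) on its only failure path, so going to `oom` would set error a second time, whereas `failed` presumably just releases the reply (both labels are outside the hunk, so confirm that `failed` does not expect error to be clear). Make the contract explicit with a comment above the call: `/* on failure the callee has already set error (OOM); skip the oom label */`. The enclosing function starts and ends outside the hunk.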