From 5f02e343dc3982b3606cbf55c8de2976cb401833 Mon Sep 17 00:00:00 2001 From: Tyler Hicks Date: Thu, 13 Feb 2014 13:21:51 -0600 Subject: [PATCH v3 13/13] Add AppArmor support to GetConnectionCredentials Allow for querying the AppArmor context and mode of a given bus connection using the org.freedesktop.DBus.GetConnectionCredentials method. By calling GetConnectionCredentials with the connection name as the argument, the AppArmor confinement context will be included in the returned dictionary. The key is "AppArmorContext" and the value is a byte string, which may not be UTF-8. Additionally, the confinement mode for the connection is made available. The key is "AppArmorMode" and the value is a byte string. There are no documented constraints regarding the mode string in the AppArmor documentation, so a byte string is used. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113 Signed-off-by: Tyler Hicks --- * New patch for v2 of the series * Changes in v3: - Added Bug link in commit message bus/apparmor.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ bus/apparmor.h | 4 ++++ bus/driver.c | 3 +++ doc/dbus-specification.xml | 16 ++++++++++++++++ 4 files changed, 69 insertions(+) diff --git a/bus/apparmor.c b/bus/apparmor.c index bcae4db..b164874 100644 --- a/bus/apparmor.c +++ b/bus/apparmor.c @@ -28,6 +28,7 @@ #ifdef HAVE_APPARMOR +#include #include #include #include 
@@ -563,6 +564,51 @@ bus_apparmor_init_connection_confinement (DBusConnection *connection,
 #endif /* HAVE_APPARMOR */
 }
 
+dbus_bool_t
+bus_apparmor_get_connection_credentials (DBusConnection *conn,
+ DBusMessageIter *array_iter,
+ DBusError *error)
+{
+#if HAVE_APPARMOR
+ BusAppArmorConfinement *confinement;
+ char *context, *mode;
+
+ _DBUS_ASSERT_ERROR_IS_CLEAR (error);
+
+ confinement = bus_connection_dup_apparmor_confinement (conn);
+ if (confinement == NULL)
+ return TRUE;
+
+ context = confinement->context;
+ mode = confinement->mode;
+
+ if (context != NULL)
+ {
+ if (!_dbus_asv_add_byte_array (array_iter, "AppArmorContext",
+ context, strlen (context)))
+ goto oom;
+ }
+
+ if (mode != NULL)
+ {
+ if (!_dbus_asv_add_byte_array (array_iter, "AppArmorMode",
+ mode, strlen (mode)))
+ goto oom;
+ }
+
+ bus_apparmor_confinement_unref (confinement);
+ return TRUE;
+
+ oom:
+ BUS_SET_OOM (error);
+
+ bus_apparmor_confinement_unref (confinement);
+ return FALSE;
+#else
+ return TRUE;
+#endif /* HAVE_APPARMOR */
+}
+
 /**
 * Returns true if the given connection can acquire a service,
 * using the tasks security context
diff --git a/bus/apparmor.h b/bus/apparmor.h
index 625b67f..70b05d2 100644
--- a/bus/apparmor.h
+++ b/bus/apparmor.h
@@ -42,6 +42,10 @@ void bus_apparmor_confinement_ref (BusAppArmorConfinement *confinement);
 BusAppArmorConfinement* bus_apparmor_init_connection_confinement (DBusConnection *connection,
 DBusError *error);
 
+dbus_bool_t bus_apparmor_get_connection_credentials (DBusConnection *conn,
+ DBusMessageIter *array_iter,
+ DBusError *error);
+
 dbus_bool_t bus_apparmor_allows_acquire_service (DBusConnection *connection,
 const char *bustype,
 const char *service_name,
diff --git a/bus/driver.c b/bus/driver.c
index 820c48a..5588ddb 100644
--- a/bus/driver.c
+++ b/bus/driver.c
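Review bot: The new function guards its body with `#if HAVE_APPARMOR` while the rest of this file (the include block in the first hunk and the `#endif /* HAVE_APPARMOR */` directly above the insertion point) uses `#ifdef HAVE_APPARMOR`; the two agree only while the macro is defined to a non-zero value, and `#if` becomes a preprocessor error should the macro ever be defined empty, so `#ifdef HAVE_APPARMOR` is the consistent choice here. `context` and `mode` are only read, so `const char *context, *mode;` would document that the confinement strings are never written through. The function also lacks the `/** ... */` header that the function following it carries: it should state that it appends the confinement context and mode of `conn` to `array_iter` under the keys "AppArmorContext" and "AppArmorMode", that a connection without confinement data (or a build without AppArmor) yields TRUE with nothing appended, and that FALSE is returned only with an OOM error already set on `error`.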
@@ -1571,6 +1571,9 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection,
 goto oom;
 }
 
+ if (!bus_apparmor_get_connection_credentials (conn, &array_iter, error))
+ goto failed;
+
 if (!_dbus_asv_close (&reply_iter, &array_iter))
 goto oom;
 
diff --git a/doc/dbus-specification.xml b/doc/dbus-specification.xml
index 3276f2b..01d718c 100644
--- a/doc/dbus-specification.xml
+++ b/doc/dbus-specification.xml
@@ -5837,6 +5837,22 @@ this concept. On Unix, this is the process ID defined by POSIX. + + AppArmorContext + ARRAY of BYTE + The AppArmor confinement context of the connection. This + byte string, which may not be UTF-8, is the same string as + returned in the *con argument by the aa_getcon() family of + AppArmor functions. + + AppArmorMode + ARRAY of BYTE + The AppArmor confinement mode for the connection. This + byte string, which may not be UTF-8, is the same string as + returned in the *mode argument by the aa_getcon() family of + AppArmor functions. + -- 1.9.1
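Review bot: The new `goto failed` differs from the `goto oom` used by the neighbouring checks, and that difference is correct only because the callee (see the apparmor.c hunk) sets `error` with `BUS_SET_OOM` before returning FALSE; nothing at the call site records that dependency, so a one-line comment such as `/* the callee sets error on failure; do not BUS_SET_OOM again */` above the call would keep a later edit from "fixing" it to `goto oom` and setting the error twice. bus_driver_handle_get_connection_credentials starts and ends outside the hunk, so whether the `failed` label asserts that `error` is set cannot be confirmed from these lines.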