Commit 24f1502e authored by Tyler Hicks's avatar Tyler Hicks Committed by Simon McVittie

Add DBus method to return the AA context of a connection

This is not intended for upstream inclusion. It implements a bus method
(GetConnectionAppArmorSecurityContext) to get a connection's AppArmor
security context but upstream D-Bus has recently added a generic way of
getting a connection's security credentials (GetConnectionCredentials).
Ubuntu should carry this patch until packages in the archive are moved
over to the new, generic method of getting a connection's credentials.

[Altered by Simon McVittie: survive non-UTF-8 contexts which
would otherwise be a local denial of service, except that Ubuntu
inherits a non-fatal warnings patch from Debian; new commit message
taken from the Ubuntu changelog; do not emit unreachable code if
AppArmor is disabled.]
parent eac45c04
...@@ -105,6 +105,21 @@ bus_apparmor_confinement_new (char *label, ...@@ -105,6 +105,21 @@ bus_apparmor_confinement_new (char *label,
return confinement; return confinement;
} }
const char*
bus_apparmor_confinement_get_label (BusAppArmorConfinement *confinement)
if (!apparmor_enabled)
return NULL;
_dbus_assert (confinement != NULL);
return confinement->label;
return NULL;
void void
bus_apparmor_confinement_unref (BusAppArmorConfinement *confinement) bus_apparmor_confinement_unref (BusAppArmorConfinement *confinement)
{ {
...@@ -39,6 +39,7 @@ dbus_bool_t bus_apparmor_enabled (void); ...@@ -39,6 +39,7 @@ dbus_bool_t bus_apparmor_enabled (void);
void bus_apparmor_confinement_unref (BusAppArmorConfinement *confinement); void bus_apparmor_confinement_unref (BusAppArmorConfinement *confinement);
void bus_apparmor_confinement_ref (BusAppArmorConfinement *confinement); void bus_apparmor_confinement_ref (BusAppArmorConfinement *confinement);
const char* bus_apparmor_confinement_get_label (BusAppArmorConfinement *confinement);
BusAppArmorConfinement* bus_apparmor_init_connection_confinement (DBusConnection *connection, BusAppArmorConfinement* bus_apparmor_init_connection_confinement (DBusConnection *connection,
DBusError *error); DBusError *error);
...@@ -1759,6 +1759,91 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection, ...@@ -1759,6 +1759,91 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection,
return FALSE; return FALSE;
} }
static dbus_bool_t
bus_driver_handle_get_connection_apparmor_security_context (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
DBusError *error)
const char *service;
DBusString str;
BusRegistry *registry;
BusService *serv;
DBusConnection *primary_connection;
DBusMessage *reply;
BusAppArmorConfinement *confinement;
const char *label;
registry = bus_connection_get_registry (connection);
service = NULL;
reply = NULL;
confinement = NULL;
if (! dbus_message_get_args (message, error, DBUS_TYPE_STRING, &service,
goto failed;
_dbus_verbose ("asked for security context of connection %s\n", service);
_dbus_string_init_const (&str, service);
serv = bus_registry_lookup (registry, &str);
if (serv == NULL)
dbus_set_error (error,
"Could not get security context of name '%s': no such name", service);
goto failed;
primary_connection = bus_service_get_primary_owners_connection (serv);
reply = dbus_message_new_method_return (message);
if (reply == NULL)
goto oom;
confinement = bus_connection_dup_apparmor_confinement (primary_connection);
label = bus_apparmor_confinement_get_label (confinement);
if (label == NULL)
dbus_set_error (error,
"Could not determine security context for '%s'", service);
goto failed;
if (!dbus_validate_utf8 (label, error))
goto failed;
if (! dbus_message_append_args (reply,
goto failed;
if (! bus_transaction_send_from_driver (transaction, connection, reply))
goto oom;
bus_apparmor_confinement_unref (confinement);
dbus_message_unref (reply);
return TRUE;
BUS_SET_OOM (error);
if (confinement)
bus_apparmor_confinement_unref (confinement);
if (reply)
dbus_message_unref (reply);
return FALSE;
static dbus_bool_t static dbus_bool_t
bus_driver_handle_reload_config (DBusConnection *connection, bus_driver_handle_reload_config (DBusConnection *connection,
BusTransaction *transaction, BusTransaction *transaction,
...@@ -2115,6 +2200,10 @@ static const MessageHandler dbus_message_handlers[] = { ...@@ -2115,6 +2200,10 @@ static const MessageHandler dbus_message_handlers[] = {
bus_driver_handle_get_connection_selinux_security_context }, bus_driver_handle_get_connection_selinux_security_context },
{ "GetConnectionAppArmorSecurityContext",
bus_driver_handle_get_connection_apparmor_security_context },
{ "ReloadConfig", { "ReloadConfig",
"", "",
"", "",
...@@ -444,6 +444,8 @@ extern "C" { ...@@ -444,6 +444,8 @@ extern "C" {
#define DBUS_ERROR_INVALID_FILE_CONTENT "org.freedesktop.DBus.Error.InvalidFileContent" #define DBUS_ERROR_INVALID_FILE_CONTENT "org.freedesktop.DBus.Error.InvalidFileContent"
/** Asked for SELinux security context and it wasn't available. */ /** Asked for SELinux security context and it wasn't available. */
#define DBUS_ERROR_SELINUX_SECURITY_CONTEXT_UNKNOWN "org.freedesktop.DBus.Error.SELinuxSecurityContextUnknown" #define DBUS_ERROR_SELINUX_SECURITY_CONTEXT_UNKNOWN "org.freedesktop.DBus.Error.SELinuxSecurityContextUnknown"
/** Asked for AppArmor security context and it wasn't available. */
#define DBUS_ERROR_APPARMOR_SECURITY_CONTEXT_UNKNOWN "org.freedesktop.DBus.Error.AppArmorSecurityContextUnknown"
/** Asked for ADT audit data and it wasn't available. */ /** Asked for ADT audit data and it wasn't available. */
#define DBUS_ERROR_ADT_AUDIT_DATA_UNKNOWN "org.freedesktop.DBus.Error.AdtAuditDataUnknown" #define DBUS_ERROR_ADT_AUDIT_DATA_UNKNOWN "org.freedesktop.DBus.Error.AdtAuditDataUnknown"
/** There's already an object with the requested object path. */ /** There's already an object with the requested object path. */
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment