From c2686d53f3065dc9443bb2744f3fbe50992962ea Mon Sep 17 00:00:00 2001 From: John Johansen Date: Thu, 13 Feb 2014 12:55:52 -0600 Subject: Mediation of processes that acquire well-known names When an AppArmor confined process wants to acquire a well-known name, a check is performed to see if the action should be allowed. The check is based on the connection's label, the bus type, and the name being requested. An example AppArmor rule that would allow the name "com.example.ExampleName" to be acquired on the system bus would be: dbus bind bus=system name=com.example.ExampleName, To let a process acquire any name on any bus, the rule would be: dbus bind, Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113 Signed-off-by: John Johansen [tyhicks: Use BusAppArmorConfinement, bug fixes, cleanup, commit msg] [tyhicks: initialize reserved area at the start of the query string] [tyhicks: Use empty string for NULL bustypes when building queries] Signed-off-by: Tyler Hicks Reviewed-by: Simon McVittie --- bus/connection.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'bus/connection.c') diff --git a/bus/connection.c b/bus/connection.c index 93f99674..690f3a5d 100644 --- a/bus/connection.c +++ b/bus/connection.c @@ -1223,6 +1223,19 @@ bus_connection_get_selinux_id (DBusConnection *connection) return d->selinux_id; } +BusAppArmorConfinement* +bus_connection_dup_apparmor_confinement (DBusConnection *connection) +{ + BusConnectionData *d; + + d = BUS_CONNECTION_DATA (connection); + + _dbus_assert (d != NULL); + + bus_apparmor_confinement_ref (d->apparmor_confinement); + return d->apparmor_confinement; +} + /** * Checks whether the connection is registered with the message bus. * -- cgit v1.2.3
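Review bot: In bus_connection_dup_apparmor_confinement, d->apparmor_confinement is passed to bus_apparmor_confinement_ref and returned with no check that it is set; the only guard is the assertion on d. If a connection can reach this call before a confinement has been assigned to it, either the ref function must tolerate NULL or this function should return NULL explicitly, and this file does not show which of those holds. The new function also has no doc comment, unlike the function that follows it. Because the "dup" name means the caller receives its own reference, a short comment saying that the caller must release that reference when done would make the ownership contract explicit and help avoid leaked references in callers.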