review.tizen.org Git - platform/upstream/dbus.git/commit

author	Simon McVittie <simon.mcvittie@collabora.co.uk>
	Mon, 21 Nov 2016 20:56:55 +0000 (20:56 +0000)
committer	Hyotaek Shim <hyotaek.shim@samsung.com>
	Thu, 15 Nov 2018 03:19:01 +0000 (03:19 +0000)
commit	83d1082e192ddaad5602e9c9e3e7398f6d6d1938
tree	31a1fb71b84a23f7c13c1416c5e611cbe101d810	tree \| snapshot
parent	3685060543e59acc45b3aa7ce5077069bb337365	commit \| diff

Do not auto-activate services if we could not send a message

We specifically do not check recipient policies, because
the recipient policy is based on properties of the
recipient process (in particular, its uid), which we do
not necessarily know until we have already started it.

In this initial implementation we do not check LSMs either,
because we cannot know what LSM context the recipient process
is going to have. However, LSM support will need to be added
to make this feature useful, because StartServiceByName is
normally allowed in non-LSM environments, and is more
powerful than auto-activation anyway.

The StartServiceByName method does not go through this check,
because if access to that method has been granted, then
it's somewhat obvious that you can start arbitrary services.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666

Change-Id: I53ff4f6d02e631fcd09bf1c5c306b8828f075963

bus/activation.c		diff \| blob \| history
bus/apparmor.c		diff \| blob \| history
bus/apparmor.h		diff \| blob \| history
bus/bus.c		diff \| blob \| history
bus/bus.h		diff \| blob \| history
bus/check.c		diff \| blob \| history
bus/connection.c		diff \| blob \| history
bus/dispatch.c		diff \| blob \| history
bus/policy.c		diff \| blob \| history
bus/selinux.c		diff \| blob \| history
bus/selinux.h		diff \| blob \| history
test/sd-activation.c		diff \| blob \| history