From 6ff40513f8184d2c29db311a30fc77801bdadb07 Mon Sep 17 00:00:00 2001 From: Daniel Wagner Date: Fri, 2 Nov 2012 17:26:20 +0100 Subject: [PATCH] session_policy_ivi: Get SELinux context of session owner --- plugins/session_policy_ivi.c | 96 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 95 insertions(+), 1 deletion(-) diff --git a/plugins/session_policy_ivi.c b/plugins/session_policy_ivi.c index 2c30b05..40a1f99 100644 --- a/plugins/session_policy_ivi.c +++ b/plugins/session_policy_ivi.c @@ -37,13 +37,107 @@ static DBusConnection *connection; +struct create_data { + struct connman_session *session; + connman_session_config_cb callback; + void *user_data; +}; + +static char *parse_ident(const unsigned char *context) +{ + char *str, *ident, **tokens; + + /* + * SELinux combines Role-Based Access Control (RBAC), Type + * Enforcment (TE) and optionally Multi-Level Security (MLS). + * + * When SELinux is enabled all processes and files are labeled + * with a contex that contains information such as user, role + * type (and optionally a level). E.g. + * + * $ ls -Z + * -rwxrwxr-x. wagi wagi unconfined_u:object_r:haifux_exec_t:s0 session_ui.py + * + * For identifyng application we (ab)using the type + * information. In the above example the haifux_exec_t type + * will be transfered to haifux_t as defined in the domain + * transition and thus we are able to identify the application + * as haifux_t. + */ + + str = g_strdup((const gchar*)context); + if (str == NULL) + return NULL; + + DBG("SELinux context %s", str); + + tokens = g_strsplit(str, ":", 0); + if (tokens == NULL) { + g_free(str); + return NULL; + } + + /* Use the SELinux type as identification token. */ + ident = g_strdup(tokens[2]); + + g_strfreev(tokens); + g_free(str); + + return ident; +} + +static void selinux_context_reply(const unsigned char *context, void *user_data, + int err) +{ + struct create_data *data = user_data; + char *ident; + + DBG("session %p", data->session); + + if (err < 0) + goto done; + + ident = parse_ident(context); + + DBG("ident %s", ident); + +done: + (*data->callback)(data->session, NULL, data->user_data, err); + + g_free(data); + g_free(ident); +} + static int policy_ivi_create(struct connman_session *session, connman_session_config_cb callback, void *user_data) { + struct create_data *data; + const char *owner; + int err; + DBG("session %p", session); - return -ENOMEM; + data = g_try_new0(struct create_data, 1); + if (data == NULL) + return -ENOMEM; + + data->session = session; + data->callback = callback; + data->user_data = user_data; + + owner = connman_session_get_owner(session); + + err = connman_dbus_get_selinux_context(connection, owner, + selinux_context_reply, + data); + if (err < 0) { + connman_error("Could not get SELinux context"); + g_free(data); + return err; + } + + return 0; } static void policy_ivi_destroy(struct connman_session *session) -- 2.7.4