From 7931aeacc417b1dddd849f839c8a882acbf5afc0 Mon Sep 17 00:00:00 2001
From: Kay Sievers
Date: Mon, 6 Jan 2014 00:53:12 +0400
Subject: [PATCH] policy: require privileges for seeting the endpoint's policy
---
 TODO | 1 +
 handle.c | 6 ++++++
 2 files changed, 7 insertions(+)
diff --git a/TODO b/TODO
index 1c15ec9..a71f76e 100644
--- a/TODO
+++ b/TODO
@@ -7,6 +7,7 @@ Features:
 - $UID prefix
 - ns creation
 - ep prefixing
+ - policy, policy for custom endpoints
 - attach seclabel to names?
diff --git a/handle.c b/handle.c
index d003912..2a7c3f4 100644
--- a/handle.c
+++ b/handle.c
@@ -442,6 +442,12 @@ static long kdbus_handle_ioctl_ep_connected(struct file *file, unsigned int cmd,
 break;
 }
+ /* mangling policy is a privileged operation */
+ if (!kdbus_bus_uid_is_privileged(bus)) {
+ ret = -EFAULT;
+ break;
+ }
+
 if (!conn->ep->policy_db) {
 ret = kdbus_policy_db_new(&conn->ep->policy_db);
 if (ret < 0)
-- 
2.34.1
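Review bot: The new privilege check in the handle.c hunk rejects an unprivileged caller with `-EFAULT`, which tells user space it passed a bad address rather than that it lacks permission; `ret = -EPERM;` is the conventional errno for a denied privileged operation and lets callers and log review tell a refused policy change from a malformed request. The comment could also state the rule instead of the informal "mangling", e.g. `/* changing the endpoint policy requires a privileged caller */`. What `kdbus_bus_uid_is_privileged()` actually accepts (bus owner uid only, or capabilities as well) is not visible here and would be worth stating once confirmed against the helper. The enclosing case in kdbus_handle_ioctl_ep_connected starts and ends outside the hunk, so whether anything acquired earlier in the case needs releasing before the added `break` cannot be checked from this page.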