Mediation of processes becoming a monitor

When an AppArmor confined process wants to become a monitor, a check is
performed to see if eavesdropping should be allowed.

The check is based on the connection's label and the bus type.

This patch reuses the bus_apparmor_allows_eavesdropping() hook.

An example AppArmor rule that would allow a process to become a monitor
on the system bus would be:

  dbus eavesdrop bus=system,

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>

diff --git a/bus/driver.c b/bus/driver.c
index 53bd5590c66d5e1b0dd28fa13ac861cb9890bde8..aab922ae739ccf7c5f6df0a494599cecca2da3a0 100644 (file)
--- a/bus/driver.c
+++ b/bus/driver.c
@@ -1924,6 +1924,8 @@ bus_driver_handle_become_monitor (DBusConnection *connection,
                                   DBusError      *error)
 {
   char **match_rules = NULL;
+  const char *bustype;
+  BusContext *context;
   BusMatchRule *rule;
   DBusList *rules = NULL;
   DBusList *iter;
@@ -1938,6 +1940,11 @@ bus_driver_handle_become_monitor (DBusConnection *connection,
   if (!bus_driver_check_message_is_for_us (message, error))
     goto out;
 
+  context = bus_transaction_get_context (transaction);
+  bustype = context ? bus_context_get_type (context) : NULL;
+  if (!bus_apparmor_allows_eavesdropping (connection, bustype, error))
+    goto out;
+
   if (!bus_driver_check_caller_is_privileged (connection, transaction,
                                               message, error))
     goto out;