From eec885de3b4b9559a2f28be7c17bf21ca8d2382f Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Fri, 19 Dec 2014 18:51:04 +0000
Subject: [PATCH] Hardening: only accept Stats function calls at the canonical object path

These function calls are not a privilege escalation risk like UpdateActivationEnvironment, but they might provide sensitive information or be enhanced to provide sensitive information in future, so the default system.conf locks them down to root-only. Apply the same canonical-object-path hardening as for UpdateActivationEnvironment. We do not apply the uid check here because they are less dangerous than UpdateActivationEnvironment, and because the ability to unlock these function calls for specific uids is a documented configuration for developers.
Reviewed-by: Thiago Macieira
[added missing #include; extended commit message -smcv]
---
 bus/stats.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/bus/stats.c b/bus/stats.c
index 24308eb5e..20321e5e7 100644
--- a/bus/stats.c
+++ b/bus/stats.c
@@ -29,6 +29,7 @@ #include
 #include "connection.h"
+#include "driver.h"
 #include "services.h"
 #include "utils.h"
@@ -49,6 +50,9 @@ bus_stats_handle_get_stats (DBusConnection *connection,
 _DBUS_ASSERT_ERROR_IS_CLEAR (error);
+ if (!bus_driver_check_message_is_for_us (message, error))
+ return FALSE;
+
 context = bus_transaction_get_context (transaction);
 connections = bus_context_get_connections (context);
@@ -131,6 +135,9 @@ bus_stats_handle_get_connection_stats (DBusConnection *caller_connection,
 _DBUS_ASSERT_ERROR_IS_CLEAR (error);
+ if (!bus_driver_check_message_is_for_us (message, error))
+ return FALSE;
+
 registry = bus_connection_get_registry (caller_connection);
 if (! dbus_message_get_args (message, error,
--
2.47.3
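Review bot: The new guard at the top of bus_stats_handle_get_stats, and the identical one in bus_stats_handle_get_connection_stats, has no comment saying that it checks only the object path and that who may call these methods is still decided by bus policy rather than by this code. The commit message explains that the uid check was left out on purpose, but that reasoning does not appear in bus/stats.c, so a later reader could assume root-only is enforced here or add a uid check that breaks the documented per-uid unlock. I would put `/* Hardening: canonical object path only. Deliberately no uid check; access is governed by bus policy (root-only in the default system.conf). */` above each `if`. Both functions start and end outside their hunks, so placement can only be judged against the visible lines, where the early `return FALSE` comes before any context or registry lookup. The diffstat shows only bus/stats.c changed, so a regression test that calls a Stats method at a non-canonical object path and expects an error would pin this behaviour.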