From 1e9b185b0c274ef0d684b1e43418388225321e72 Mon Sep 17 00:00:00 2001
From: Havoc Pennington
Date: Fri, 30 Jul 2004 05:59:34 +0000
Subject: 2004-07-24 Havoc Pennington
SELinux support from Matthew Rickard
* bus/selinux.c, bus/selinux.h: new file encapsulating selinux functionality
* configure.in: add --enable-selinux
* bus/policy.c (bus_policy_merge): add FIXME to a comment
* bus/main.c (main): initialize and shut down selinux
* bus/connection.c: store SELinux ID on each connection, to avoid repeated getting of the string context and converting it into an ID
* bus/bus.c (bus_context_get_policy): new accessor, though it isn't used (bus_context_check_security_policy): check whether the security context of sender connection can send to the security context of recipient connection
* bus/config-parser.c: add parsing for and
* dbus/dbus-transport.c (_dbus_transport_get_unix_fd): to implement dbus_connection_get_unix_fd()
* dbus/dbus-connection.c (dbus_connection_get_unix_fd): new function, used by the selinux stuff
---
 dbus/dbus-connection.c | 31 +++++++++++++++++++++++++++++++
 dbus/dbus-connection.h | 3 +++
 dbus/dbus-transport-protected.h | 5 +++++
 dbus/dbus-transport-unix.c | 15 ++++++++++++++-
 dbus/dbus-transport.c | 29 +++++++++++++++++++++++++++++
 dbus/dbus-transport.h | 3 +++
 6 files changed, 85 insertions(+), 1 deletion(-)
(limited to 'dbus')
diff --git a/dbus/dbus-connection.c b/dbus/dbus-connection.c
index 58ab7900..91a2100e 100644
--- a/dbus/dbus-connection.c
+++ b/dbus/dbus-connection.c
@@ -2952,6 +2952,37 @@ dbus_connection_set_dispatch_status_function (DBusConnection *connec
 (*old_free_data) (old_data);
 }
+/**
+ * Get the UNIX file descriptor of the connection, if any. This can
+ * be used for SELinux access control checks with getpeercon() for
+ * example. DO NOT read or write to the file descriptor, or try to
+ * select() on it; use DBusWatch for main loop integration. Not all
+ * connections will have a file descriptor. So for adding descriptors
+ * to the main loop, use dbus_watch_get_fd() and so forth.
+ *
+ * @param connection the connection
+ * @param fd return location for the file descriptor.
+ * @returns #TRUE if fd is successfully obtained.
+ */
+dbus_bool_t
+dbus_connection_get_unix_fd (DBusConnection *connection,
+ int *fd)
+{
+ dbus_bool_t retval;
+
+ _dbus_return_val_if_fail (connection != NULL, FALSE);
+ _dbus_return_val_if_fail (connection->transport != NULL, FALSE);
+
+ CONNECTION_LOCK (connection);
+
+ retval = _dbus_transport_get_unix_fd (connection->transport,
+ fd);
+
+ CONNECTION_UNLOCK (connection);
+
+ return retval;
+}
+
 /**
 * Gets the UNIX user ID of the connection if any.
 * Returns #TRUE if the uid is filled in.
diff --git a/dbus/dbus-connection.h b/dbus/dbus-connection.h
index 12de0c05..c8c66a39 100644
--- a/dbus/dbus-connection.h
+++ b/dbus/dbus-connection.h
@@ -242,6 +242,9 @@ dbus_bool_t dbus_connection_list_registered (DBusConnection
 const char *parent_path,
 char ***child_entries);
+dbus_bool_t dbus_connection_get_unix_fd (DBusConnection *connection,
+ int *fd);
+
 DBUS_END_DECLS;
 #endif /* DBUS_CONNECTION_H */
diff --git a/dbus/dbus-transport-protected.h b/dbus/dbus-transport-protected.h
index 409e683b..4a9ce96d 100644
--- a/dbus/dbus-transport-protected.h
+++ b/dbus/dbus-transport-protected.h
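Review bot: The `fd` out-parameter of dbus_connection_get_unix_fd is never validated, although the transport callback added in this same patch writes through it unconditionally (`*fd_p = unix_transport->fd;`), so a NULL `fd` is a crash rather than a FALSE return; `_dbus_return_val_if_fail (fd != NULL, FALSE);` next to the two existing checks would match the function's own validation style. The descriptor is also the transport's own fd rather than a dup, and nothing protects it once CONNECTION_UNLOCK runs, so a caller that stores it and calls getpeercon() later may be querying a closed or reused descriptor and obtain another peer's security context — presumably the transport closes the fd on disconnect, which this hunk does not show. The doc comment should spell out ownership and lifetime, e.g. `* The descriptor belongs to the connection: never close() it, use it right away rather than storing it, and note that *fd is left untouched when #FALSE is returned.`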
@@ -71,6 +71,10 @@ struct DBusTransportVTable
 void (* live_messages_changed) (DBusTransport *transport);
 /**< Outstanding messages counter changed */
+
+ dbus_bool_t (* get_unix_fd) (DBusTransport *transport,
+ int *fd_p);
+ /**< Get UNIX file descriptor */
 };
 /**
@@ -102,6 +106,7 @@ struct DBusTransport
 DBusAllowUnixUserFunction unix_user_function; /**< Function for checking whether a user is authorized. */
 void *unix_user_data; /**< Data for unix_user_function */
+ DBusFreeFunction free_unix_user_data; /**< Function to free unix_user_data */
 unsigned int disconnected : 1; /**< #TRUE if we are disconnected. */
diff --git a/dbus/dbus-transport-unix.c b/dbus/dbus-transport-unix.c
index 37825f1c..3447ae1d 100644
--- a/dbus/dbus-transport-unix.c
+++ b/dbus/dbus-transport-unix.c
@@ -948,6 +948,18 @@ unix_live_messages_changed (DBusTransport *transport)
 check_read_watch (transport);
 }
+
+static dbus_bool_t
+unix_get_unix_fd (DBusTransport *transport,
+ int *fd_p)
+{
+ DBusTransportUnix *unix_transport = (DBusTransportUnix*) transport;
+
+ *fd_p = unix_transport->fd;
+
+ return TRUE;
+}
+
 static DBusTransportVTable unix_vtable = {
 unix_finalize,
 unix_handle_watch,
@@ -955,7 +967,8 @@ static DBusTransportVTable unix_vtable = {
 unix_connection_set,
 unix_messages_pending,
 unix_do_iteration,
- unix_live_messages_changed
+ unix_live_messages_changed,
+ unix_get_unix_fd
 };
 /**
diff --git a/dbus/dbus-transport.c b/dbus/dbus-transport.c
index ada960d4..dde1c6d2 100644
--- a/dbus/dbus-transport.c
+++ b/dbus/dbus-transport.c
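Review bot: `get_unix_fd` is appended to DBusTransportVTable as a positional member whose one-line comment does not say the slot may be NULL, yet the generic wrapper added in dbus-transport.c relies on exactly that (`if (transport->vtable->get_unix_fd == NULL) return FALSE;`), and any vtable in another transport that is not updated will get NULL implicitly. Suggest `/**< Get UNIX file descriptor; NULL for transports that have none */` so implementers know the slot is optional and callers know to check it before dispatching. struct DBusTransportVTable begins before this hunk.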
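Review bot: `free_unix_user_data` is added to struct DBusTransport but nothing in this patch initialises, assigns or invokes it, and the ChangeLog entry does not mention it, so the comment `/**< Function to free unix_user_data */` promises a cleanup that, as far as this diff shows, never runs; the setter `_dbus_transport_set_unix_user_function` declared in dbus-transport.h is not changed here either. Either wire the callback into that setter and the transport finalizer in the same commit (dbus-transport.c is in this patch but only gains `_dbus_transport_get_unix_fd`), or leave the field out until the code that honours it lands, so a reader does not assume `unix_user_data` is freed on the transport's behalf. struct DBusTransport begins before this hunk.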
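Review bot: `unix_get_unix_fd` returns TRUE unconditionally and copies `unix_transport->fd` whatever its value, so a caller can be told it has a valid descriptor and receive a negative number — presumably -1 once the socket has been closed, though the fd's lifecycle is outside this hunk. The `disconnected` check in the generic wrapper covers this only if that flag is always set before the fd is invalidated, which cannot be confirmed from here, so the callback itself should keep the TRUE/FALSE contract honest: `if (unix_transport->fd < 0) return FALSE;` before the assignment.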
@@ -636,6 +636,35 @@ _dbus_transport_messages_pending (DBusTransport *transport,
 _dbus_transport_unref (transport);
 }
+/**
+ * Get the UNIX file descriptor, if any.
+ *
+ * @param transport the transport
+ * @param fd_p pointer to fill in with the descriptor
+ * @returns #TRUE if a descriptor was available
+ */
+dbus_bool_t
+_dbus_transport_get_unix_fd (DBusTransport *transport,
+ int *fd_p)
+{
+ dbus_bool_t retval;
+
+ if (transport->vtable->get_unix_fd == NULL)
+ return FALSE;
+
+ if (transport->disconnected)
+ return FALSE;
+
+ _dbus_transport_ref (transport);
+
+ retval = (* transport->vtable->get_unix_fd) (transport,
+ fd_p);
+
+ _dbus_transport_unref (transport);
+
+ return retval;
+}
+
 /**
 * Performs a single poll()/select() on the transport's file
 * descriptors and then reads/writes data as appropriate,
diff --git a/dbus/dbus-transport.h b/dbus/dbus-transport.h
index b6c7a4ec..88193f38 100644
--- a/dbus/dbus-transport.h
+++ b/dbus/dbus-transport.h
@@ -59,6 +59,9 @@ void _dbus_transport_set_max_received_size (DBusTransport
 long _dbus_transport_get_max_received_size (DBusTransport *transport);
 dbus_bool_t _dbus_transport_get_unix_user (DBusTransport *transport,
 unsigned long *uid);
+dbus_bool_t _dbus_transport_get_unix_fd (DBusTransport *transport,
+ int *fd_p);
+
 dbus_bool_t _dbus_transport_get_unix_process_id (DBusTransport *transport,
 unsigned long *pid);
 void _dbus_transport_set_unix_user_function (DBusTransport *transport,
-- cgit
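Review bot: The doc comment on `_dbus_transport_get_unix_fd` says only `#TRUE if a descriptor was available`, but the body has two distinct FALSE paths — the transport type has no `get_unix_fd` in its vtable, or the transport is already disconnected — and both leave `*fd_p` untouched, which a caller that treats the out-parameter as always written needs to know. Suggest `* @returns #TRUE if a descriptor was filled in; #FALSE, with *fd_p untouched, if the transport type has no descriptor or is disconnected`. The only caller added in this patch holds CONNECTION_LOCK around the call, while the `disconnected` flag is read here without any locking of its own, so the comment should also state that the function must be called with the owning connection locked if that is the intended contract — I cannot confirm from this hunk that it is.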