[PATCH v3 11/15] session_policy_ivi: Get SELinux context of session owner

Fri, 02 Nov 2012 09:31:03 -0700 

From: Daniel Wagner <[email protected]>

---
 plugins/session_policy_ivi.c | 96 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 95 insertions(+), 1 deletion(-)

diff --git a/plugins/session_policy_ivi.c b/plugins/session_policy_ivi.c
index 2c30b05..40a1f99 100644
--- a/plugins/session_policy_ivi.c
+++ b/plugins/session_policy_ivi.c
@@ -37,13 +37,107 @@
 
 static DBusConnection *connection;
 
+struct create_data {
+       struct connman_session *session;
+       connman_session_config_cb callback;
+       void *user_data;
+};
+
+static char *parse_ident(const unsigned char *context)
+{
+       char *str, *ident, **tokens;
+
+       /*
+        * SELinux combines Role-Based Access Control (RBAC), Type
+        * Enforcment (TE) and optionally Multi-Level Security (MLS).
+        *
+        * When SELinux is enabled all processes and files are labeled
+        * with a contex that contains information such as user, role
+        * type (and optionally a level). E.g.
+        *
+        * $ ls -Z
+        * -rwxrwxr-x. wagi wagi unconfined_u:object_r:haifux_exec_t:s0 
session_ui.py
+        *
+        * For identifyng application we (ab)using the type
+        * information. In the above example the haifux_exec_t type
+        * will be transfered to haifux_t as defined in the domain
+        * transition and thus we are able to identify the application
+        * as haifux_t.
+        */
+
+       str = g_strdup((const gchar*)context);
+       if (str == NULL)
+               return NULL;
+
+       DBG("SELinux context %s", str);
+
+       tokens = g_strsplit(str, ":", 0);
+       if (tokens == NULL) {
+               g_free(str);
+               return NULL;
+       }
+
+       /* Use the SELinux type as identification token. */
+       ident = g_strdup(tokens[2]);
+
+       g_strfreev(tokens);
+       g_free(str);
+
+       return ident;
+}
+
+static void selinux_context_reply(const unsigned char *context, void 
*user_data,
+                                       int err)
+{
+       struct create_data *data = user_data;
+       char *ident;
+
+       DBG("session %p", data->session);
+
+       if (err < 0)
+               goto done;
+
+       ident = parse_ident(context);
+
+       DBG("ident %s", ident);
+
+done:
+       (*data->callback)(data->session, NULL, data->user_data, err);
+
+       g_free(data);
+       g_free(ident);
+}
+
 static int policy_ivi_create(struct connman_session *session,
                                connman_session_config_cb callback,
                                void *user_data)
 {
+       struct create_data *data;
+       const char *owner;
+       int err;
+
        DBG("session %p", session);
 
-       return -ENOMEM;
+       data = g_try_new0(struct create_data, 1);
+       if (data == NULL)
+               return -ENOMEM;
+
+       data->session = session;
+       data->callback = callback;
+       data->user_data = user_data;
+
+       owner = connman_session_get_owner(session);
+
+       err = connman_dbus_get_selinux_context(connection, owner,
+                                       selinux_context_reply,
+                                       data);
+       if (err < 0) {
+               connman_error("Could not get SELinux context");
+               g_free(data);
+               return err;
+       }
+
+       return 0;
 }
 
 static void policy_ivi_destroy(struct connman_session *session)
-- 
1.7.11.7

_______________________________________________
connman mailing list
[email protected]
http://lists.connman.net/listinfo/connman

Reply via email to