[PATCH v4 14/18] session_policy_ivi: Get SELinux context of session owner

Daniel Wagner wagi at monom.org
Wed Nov 14 08:26:13 PST 2012


From: Daniel Wagner <daniel.wagner at bmw-carit.de>

---
 plugins/session_policy_ivi.c | 96 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 95 insertions(+), 1 deletion(-)

diff --git a/plugins/session_policy_ivi.c b/plugins/session_policy_ivi.c
index 2c30b05..40a1f99 100644
--- a/plugins/session_policy_ivi.c
+++ b/plugins/session_policy_ivi.c
@@ -37,13 +37,107 @@
 
 static DBusConnection *connection;
 
+struct create_data {
+	struct connman_session *session;
+	connman_session_config_cb callback;
+	void *user_data;
+};
+
+static char *parse_ident(const unsigned char *context)
+{
+	char *str, *ident, **tokens;
+
+	/*
+	 * SELinux combines Role-Based Access Control (RBAC), Type
+	 * Enforcment (TE) and optionally Multi-Level Security (MLS).
+	 *
+	 * When SELinux is enabled all processes and files are labeled
+	 * with a contex that contains information such as user, role
+	 * type (and optionally a level). E.g.
+	 *
+	 * $ ls -Z
+	 * -rwxrwxr-x. wagi wagi unconfined_u:object_r:haifux_exec_t:s0 session_ui.py
+	 *
+	 * For identifyng application we (ab)using the type
+	 * information. In the above example the haifux_exec_t type
+	 * will be transfered to haifux_t as defined in the domain
+	 * transition and thus we are able to identify the application
+	 * as haifux_t.
+	 */
+
+	str = g_strdup((const gchar*)context);
+	if (str == NULL)
+		return NULL;
+
+	DBG("SELinux context %s", str);
+
+	tokens = g_strsplit(str, ":", 0);
+	if (tokens == NULL) {
+		g_free(str);
+		return NULL;
+	}
+
+	/* Use the SELinux type as identification token. */
+	ident = g_strdup(tokens[2]);
+
+	g_strfreev(tokens);
+	g_free(str);
+
+	return ident;
+}
+
+static void selinux_context_reply(const unsigned char *context, void *user_data,
+					int err)
+{
+	struct create_data *data = user_data;
+	char *ident;
+
+	DBG("session %p", data->session);
+
+	if (err < 0)
+		goto done;
+
+	ident = parse_ident(context);
+
+	DBG("ident %s", ident);
+
+done:
+	(*data->callback)(data->session, NULL, data->user_data, err);
+
+	g_free(data);
+	g_free(ident);
+}
+
 static int policy_ivi_create(struct connman_session *session,
 				connman_session_config_cb callback,
 				void *user_data)
 {
+	struct create_data *data;
+	const char *owner;
+	int err;
+
 	DBG("session %p", session);
 
-	return -ENOMEM;
+	data = g_try_new0(struct create_data, 1);
+	if (data == NULL)
+		return -ENOMEM;
+
+	data->session = session;
+	data->callback = callback;
+	data->user_data = user_data;
+
+	owner = connman_session_get_owner(session);
+
+	err = connman_dbus_get_selinux_context(connection, owner,
+					selinux_context_reply,
+					data);
+	if (err < 0) {
+		connman_error("Could not get SELinux context");
+		g_free(data);
+		return err;
+	}
+
+	return 0;
 }
 
 static void policy_ivi_destroy(struct connman_session *session)
-- 
1.8.0.rc0




More information about the connman mailing list