Merge branch 'jb50148' into 'master'

Limit D-Bus vpn user change requests to connmand See merge request mer-core/connman!292
sailfishos · Oct 28, 2020 · 6f0081b · 6f0081b
2 parents 3c7bcb6 + 9d86dc9
commit 6f0081b
Show file tree

Hide file tree

Showing 6 changed files with 576 additions and 3 deletions.
diff --git a/connman/src/connman.h b/connman/src/connman.h
@@ -326,6 +326,9 @@ struct connman_storage_callbacks {
 	/* Callback to check if connman-vpnd storage user change is allowed */
 	bool (*vpn_access_change_user) (const char *sender, const char *arg,
 				bool default_access);
+
+	/* Callback to return the dbus name of the peer (e.g., connman/vpnd) */
+	const char* (*get_peer_dbus_name) (void);
 };
 
 typedef void (*connman_storage_change_user_result_cb_t)(uid_t uid, int err,

diff --git a/connman/src/storage.c b/connman/src/storage.c
@@ -2180,6 +2180,9 @@ static void change_user_reply(DBusPendingCall *call, void *user_data)
 				g_str_has_suffix(error.name, ".TimedOut")) {
 			DBG("Timeout with D-Bus occurred");
 			err = -ETIMEDOUT;
+		} else if (g_str_has_suffix(error.name, ".NotConnected")) {
+			DBG("D-Bus peering not complete yet, try later");
+			err = -ENOTCONN;
 		} else if (g_str_has_suffix(error.name, ".UnknownMethod") ||
 				g_str_has_suffix(error.name, ".NoReply")) {
 			DBG("vpnd server not available, try later");
@@ -2212,6 +2215,8 @@ static void change_user_reply(DBusPendingCall *call, void *user_data)
 		delay += USER_CHANGE_DELAY;
 	case -ETIMEDOUT:
 		/* fall through */
+	case -ENOTCONN:
+		/* fall through */
 	case -ENONET:
 		if (!init_delayed_user_change(data, delay)) {
 			send_vpnd_change_user = true;
@@ -2446,6 +2451,22 @@ static DBusMessage *change_user_vpn(DBusConnection *conn,
 		return __connman_error_invalid_arguments(msg);
 	}
 
+	if (cbs && cbs->get_peer_dbus_name) {
+		const char *sender = dbus_message_get_sender(msg);
+		const char *connman_dbus_name = cbs->get_peer_dbus_name();
+
+		if (!connman_dbus_name) {
+			connman_warn("D-Bus peer name not established yet");
+			return __connman_error_not_connected(msg);
+		}
+
+		if (g_strcmp0(sender, connman_dbus_name)) {
+			connman_warn("user change from %s, expected %s",
+						sender, connman_dbus_name);
+			return __connman_error_permission_denied(msg);
+		}
+	}
+
 	if (cbs && cbs->vpn_access_change_user) {
 		const char *sender = dbus_message_get_sender(msg);
 		char *userid = g_strdup_printf("%d", uid);