node: Track (if possible) the peer selinux type

This is mainly doable for UDS sockets, but will allow us to limit what name can register by the selinux label.
eclipse-bluechi · Jan 10, 2025 · aab58fb · aab58fb
1 parent 7038888
commit aab58fb
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 0 deletions.
diff --git a/src/controller/node.c b/src/controller/node.c
@@ -5,6 +5,10 @@
  */
 #include <systemd/sd-bus.h>
 
+#ifdef CONFIG_H_USE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 #include "libbluechi/bus/bus.h"
 #include "libbluechi/bus/utils.h"
 #include "libbluechi/common/parse-util.h"
@@ -186,6 +190,7 @@ Node *node_new(Controller *controller, const char *name) {
                 }
         }
         node->peer_ip = NULL;
+        node->peer_selinux_context = NULL;
 
         node->is_shutdown = false;
 
@@ -654,6 +659,38 @@ static int node_on_match_proxy_removed(sd_bus_message *m, void *userdata, UNUSED
         return 0;
 }
 
+static char *get_selinux_type(const char *context)
+{
+        /* Format is user:role:type:level */
+
+        /* Skip user */
+        char *s = strchr(context, ':');
+        if (s == NULL) {
+                return NULL;
+        }
+        s++;
+        if (*s == 0) {
+                return NULL;
+        }
+
+        /* Skip role */
+        s = strchr(s, ':');
+        if (s == NULL) {
+                return NULL;
+        }
+        s++;
+        if (*s == 0) {
+                return NULL;
+        }
+
+        char *end = strchr(s, ':');
+        if (end == NULL) {
+                return NULL;
+        }
+
+        return strndup(s, end - s);
+}
+
 bool node_set_agent_bus(Node *node, sd_bus *bus) {
         int r = 0;
 
@@ -674,6 +711,19 @@ bool node_set_agent_bus(Node *node, sd_bus *bus) {
                 node->peer_ip = steal_pointer(&peer_ip);
         }
 
+#ifdef CONFIG_H_USE_SELINUX
+        char *peercon;
+        if (getpeercon(sd_bus_get_fd(bus), &peercon) == 0) {
+                node->peer_selinux_context = get_selinux_type(peercon);
+                freecon(peercon);
+                if (node->peer_selinux_context == NULL) {
+                        bc_log_errorf("Failed to parse peer selinux type '%s'", peercon);
+                } else {
+                        bc_log_debugf("Node peer selinux context: %s", node->peer_selinux_context);
+                }
+        }
+#endif
+
         if (node->name == NULL) {
                 // We only connect to this on the unnamed nodes so register
                 // can be called. We can't reconnect it during migration.
@@ -869,6 +919,7 @@ void node_unset_agent_bus(Node *node) {
         sd_bus_unrefp(&node->agent_bus);
         node->agent_bus = NULL;
 
+        free_and_null(node->peer_selinux_context);
         free_and_null(node->peer_ip);
 
         if (was_online) {

diff --git a/src/controller/node.h b/src/controller/node.h
@@ -54,6 +54,7 @@ struct Node {
         char *name; /* NULL for not yet registered nodes */
         char *object_path;
         char *peer_ip;
+        char *peer_selinux_context;
 
         LIST_HEAD(AgentRequest, outstanding_requests);
         LIST_HEAD(ProxyMonitor, proxy_monitors);