[patch] Add GetConnectionUnixSecurityContext

David Zeuthen david at fubar.dk
Sat Jul 16 10:39:54 EST 2005 

On Fri, 2005-07-15 at 17:56 -0400, Colin Walters wrote:
> > My point is that maybe it's better to actually call this  
> > GetConnectionSELinuxSecurityContext() much like we call it  
> > GetConnectionUnixUser() and GetConnectionUnixProcessId() cause Win32  
> > is different here (and UnixUser and UnixProcessId is covered by e.g.  
> > POSIX).
> 
> Well, I was going to rename it, but J5 just did 0.35...so it would
> probably be a bad idea.  

Don't agree entirely; it's a brand new interface so no one is using it
yet. As an historical point we've changed some few rarely-used (and not
so rarely-used, e.g. NameOwnerChanged during 0.23.x!) things (both
syntax and semantics) without bumping .so names and no-one / few people
complained. After all, this is unstable software and users even have to
do the DBUS_ACKNOWLEDGE_API_IS_NOT_STABLE blah blah.

> In any case I don't think the current name is
> too terrible.  Other Unix systems don't have a concept of a security
> context in their mainstream OSes.  FreeBSD hackers are working Trusted
> BSD which will use the same technology as SELinux, so it should be
> compatible.

I don't know. There may be really subtle differences in the semantics
(now or in the future) so I'd be much happier if we change it - this is
especially important as code relying on such things as security context
usually need to be really secure.

So, in my view, we should just do a 0.35.1 with this change (and
possibly other changes, e.g. someone mentioned that dbus_bindings.pxd.in
was missing). What do you think?

> I'm not sure how to do that since it requires a SELinux-enabled kernel
> and I don't think we can depend on that in the testsuite.
> 
> The only way I can see to do it is a fake libselinux you could
> LD_PRELOAD.  We should do that at some point, it's just not trivial.

I would just test that you get the same security context as the test,
per design of the test suite, is running in the same context; if SELinux
is not enabled we'd get a test case but at least some developers on
SELinux system will 'make check' once in a while.

In another mail you wrote:
> > Btw, another thing is that you should probably add convenience  
> > functions to dbus/dbus-connection.[ch] much like we have for
> UnixUser  
> > and UnixProcessId.
> 
> Yeah...although every application is using some binding and so they
> don't need the convenience methods right? =)
> 
> I don't have time to do it at the moment, but I added something to
> TODO.

Sounds good enough to me :-)

Cheers,
David

More information about the dbus mailing list