security: Verify session pid against DBus connection

author Alessandro Astone <ales.astone@gmail.com>

Sun, 22 Jan 2023 15:42:06 +0000 (16:42 +0100)

committer Alessandro Astone <ales.astone@gmail.com>

Sun, 22 Jan 2023 15:42:25 +0000 (16:42 +0100)
author Alessandro Astone <ales.astone@gmail.com>
Sun, 22 Jan 2023 15:42:06 +0000 (16:42 +0100)
committer Alessandro Astone <ales.astone@gmail.com>
Sun, 22 Jan 2023 15:42:25 +0000 (16:42 +0100)
diff --git a/tools/actions/container_manager.py b/tools/actions/container_manager.py

index e537e1843a7eb715d36ecbe004c3f44cc258fcde..5a6fe71b3e0641e4ff0740992d7b7b4949a66324 100644 (file)
--- a/tools/actions/container_manager.py
+++ b/tools/actions/container_manager.py
@@ -28,6 +28,9 @@ class DbusContainerManager(dbus.service.Object):
          uid = dbus_info.GetConnectionUnixUser(sender)
          if str(uid) not in ["0", session["user_id"]]:
              raise RuntimeError("Cannot start a session on behalf of another user")
+        pid = dbus_info.GetConnectionUnixProcessID(sender)
+        if str(uid) != "0" and str(pid) != session["pid"]:
+            raise RuntimeError("Invalid session pid")
          do_start(self.args, session)
  
      @dbus.service.method("id.waydro.ContainerManager", in_signature='b', out_signature='')
author	Alessandro Astone <ales.astone@gmail.com>
	Sun, 22 Jan 2023 15:42:06 +0000 (16:42 +0100)
committer	Alessandro Astone <ales.astone@gmail.com>
	Sun, 22 Jan 2023 15:42:25 +0000 (16:42 +0100)