From 556d281233a640a4f8c1a3c7c2bd28aefd512210 Mon Sep 17 00:00:00 2001
From: Alessandro Astone
Date: Sun, 22 Jan 2023 16:42:06 +0100
Subject: [PATCH] security: Verify session pid against DBus connection
---
 tools/actions/container_manager.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tools/actions/container_manager.py b/tools/actions/container_manager.py
index e537e18..5a6fe71 100644
--- a/tools/actions/container_manager.py
+++ b/tools/actions/container_manager.py
@@ -28,6 +28,9 @@ class DbusContainerManager(dbus.service.Object):
 uid = dbus_info.GetConnectionUnixUser(sender)
 if str(uid) not in ["0", session["user_id"]]:
 raise RuntimeError("Cannot start a session on behalf of another user")
+ pid = dbus_info.GetConnectionUnixProcessID(sender)
+ if str(uid) != "0" and str(pid) != session["pid"]:
+ raise RuntimeError("Invalid session pid")
 do_start(self.args, session)
 @dbus.service.method("id.waydro.ContainerManager", in_signature='b', out_signature='')
--
2.47.3
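Review bot: The added pid check proves only that `session["pid"]` matched the D-Bus peer at the moment of this call. A pid can be reused once that process exits, so whatever `do_start` later does with `session["pid"]` (not visible in this hunk) should not treat it as a lasting identity. A comment above the check would record that, for example `# session["pid"] is caller-supplied: bind it to the D-Bus peer (root exempt); pids can be recycled, so re-check before later use`. Separately, a session without a `"pid"` key raises `KeyError` instead of the `RuntimeError` used for the other rejections. That still fails closed, but if `session` is dict-like, `str(pid) != session.get("pid")` would keep the error consistent. The enclosing method starts above the hunk, so how `session` and `sender` are obtained is not visible here.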