From 190bd70567336a5b63e0b21f10aafd7d44e1517d Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Wed, 13 Jun 2018 18:16:59 +0000
Subject: [PATCH] Update AppArmorDBus

---
 AppArmorDBus.md | 60 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 58 insertions(+), 2 deletions(-)

diff --git a/AppArmorDBus.md b/AppArmorDBus.md
index ac07fcd..a877a38 100644
--- a/AppArmorDBus.md
+++ b/AppArmorDBus.md
@@ -22,9 +22,65 @@ DBus activation/launcher
 ???
 ???
-# Querying DBus peer label
+# Querying DBus Peer Security Context
-???
+The apparmor security context of a peer's connection can be found
+using the org.freedesktop.DBus.GetConnectionCredentials() bus method.
+
+Example. in C++
+
+```
+ struct BusDaemon {
+ static const std::string &name() {
+ static std::string s = “org.freedesktop.DBus”;
+ return s;
+ }
+ struct GetConnectionCredentials {
+ typedef BusDaemon Interface;
+ static const std::string &name() {
+ static std::string s = “GetConnectionCredentials”;
+ return s;
+ }
+ static const std::chrono::milliseconds default_timeout() {
+ return std::chrono::seconds{1};
+ }
+ };
+ };
+ std::string get_client_apparmor_context(const [Message::Ptr](Message::Ptr) &message) {
+ if (!aa_is_enabled()) {
+ return “unconfined”;
+ }
+ auto service = core::dbus::[Service::use_service](Service::use_service)(
+ impl->access_bus(), “org.freedesktop.DBus”);
+ auto obj = service->object_for_path(
+ ObjectPath(“/org/freedesktop/DBus”));
+ core::dbus::Result> result;
+ try {
+ result = obj->invoke_method_synchronously>(message->sender());
+ } catch (const std::exception &e) {
+ fprintf(stderr, “Error getting connection credentials: %s\n”, e.what());
+ return std::string();
+ }
+ if (result.is_error()) {
+ fprintf(stderr, “Error getting connection credentials: %s\n”, result.error().print().c_str());
+ return std::string();
+ }
+ const auto& creds = result.value();
+ auto it = creds.find(“LinuxSecurityLabel”);
+ if (it == creds.end()) {
+ fprintf(stderr, “Connection credentials don't include security label”);
+ return std::string();
+ }
+ std::vector label;
+ try {
+ label = it->second.as>();
+ } catch (const std::exception &e) {
+ fprintf(stderr, “Could not convert security label to byte array”);
+ return std::string();
+ }
+ return std::string(aa_splitcon(reinterpret_cast(&label[0]), nullptr));
+ }
+```
 # Implementation details
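Review bot: The final statement of get_client_apparmor_context passes `&label[0]` to aa_splitcon() without checking that the byte array is non-empty or NUL-terminated, and wraps the return value in std::string without checking it for NULL; an empty vector makes `&label[0]` undefined behaviour, aa_splitcon() scans and rewrites the buffer in place and returns NULL on a context it cannot split, and constructing std::string from NULL is undefined as well. The bus daemon is documented to terminate LinuxSecurityLabel with a zero byte, but since this is the snippet readers will copy when deciding how much to trust a peer, it should not rely on that: replace the last line with `if (label.empty() || label.back() != '\0') label.push_back('\0');`, `char *ctx = aa_splitcon(reinterpret_cast<char *>(label.data()), nullptr);` and `return ctx ? std::string(ctx) : std::string();`. Separately, the example as rendered has lost its template arguments (`core::dbus::Result>`, `invoke_method_synchronously>`, `as>()`, `reinterpret_cast(...)`, `std::vector label`) and uses typographic quotes around string literals, so it cannot compile as shown; the angle-bracketed arguments need restoring and the quotes changing to ASCII, and the fence should carry a `cpp` language tag. The two fprintf messages about a missing label and a failed conversion also lack a trailing `\n`, unlike the two above them.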