From 885ed2fa39d68890f6b47345c38ad25a30345c99 Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Thu, 31 May 2018 17:17:53 +0100
Subject: [PATCH 33/39] containers: Containers with an Allow policy cannot own names
In future we will offer a way to allow them to own names, but this is not yet implemented.
Signed-off-by: Simon McVittie
---
 bus/containers.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/bus/containers.c b/bus/containers.c
index 242dd7ce..bb1c6429 100644
--- a/bus/containers.c
+++ b/bus/containers.c
@@ -1565,10 +1565,35 @@ bus_containers_check_can_own (DBusConnection *connection,
 const char *bus_name,
 DBusError *error)
 {
+#ifdef DBUS_ENABLE_CONTAINERS
+ BusContainerInstance *instance;
+#endif
+
 _dbus_assert (connection != NULL);
 _dbus_assert (bus_name != NULL);
 _DBUS_ASSERT_ERROR_IS_CLEAR (error);
+#ifdef DBUS_ENABLE_CONTAINERS
+ instance = connection_get_instance (connection);
+
+ if (instance == NULL)
+ return TRUE;
+
+ if (instance->has_policy)
+ {
+ /* TODO: Later we should iterate through the policy and see
+ * whether it allows owning the name, but for now we assume that
+ * the only non-trivial policy is "forbid all" */
+ dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
+ "Connection \"%s\" (%s) is in a container that is "
+ "not allowed to own name \"%s\"",
+ bus_connection_get_name (connection),
+ bus_connection_get_loginfo (connection),
+ bus_name);
+ return FALSE;
+ }
+#endif /* DBUS_ENABLE_CONTAINERS */
+
 return TRUE;
 }
--
2.17.0
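Review bot: After the `if (instance->has_policy)` block, a contained connection whose instance has no policy falls through to the final `return TRUE` with no comment, so the allow-by-default case for containers is only implicit in a function that acts as an access check. I would state it next to the fall-through, e.g. `/* No Allow policy on this container: no extra restriction is applied here */`, so that a later change to what `has_policy` means does not silently widen what contained connections may own. The deny branch itself fails closed, which is consistent with the TODO. The diffstat lists only bus/containers.c, so a test that a policy-bearing container receives `DBUS_ERROR_ACCESS_DENIED` on a name request is presumably elsewhere in the series or still missing. The function's declaration starts above the hunk and its callers are not visible, so whether every name-acquisition path reaches this check cannot be confirmed from here.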