diff options
Diffstat (limited to 'custodia/httpd/server.py')
-rw-r--r-- | custodia/httpd/server.py | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/custodia/httpd/server.py b/custodia/httpd/server.py index 8bd71e2..7a84526 100644 --- a/custodia/httpd/server.py +++ b/custodia/httpd/server.py @@ -23,7 +23,10 @@ except ImportError: from custodia.log import debug as log_debug from custodia.log import stacktrace -SO_PEERCRED = 17 + +SO_PEERCRED = getattr(socket, 'SO_PEERCRED', 17) +SO_PEERSEC = getattr(socket, 'SO_PEERSEC', 31) +SELINUX_CONTEXT_LEN = 256 MAX_REQUEST_SIZE = 10 * 1024 * 1024 # For now limit body to 10MiB @@ -83,6 +86,9 @@ class LocalHTTPRequestHandler(BaseHTTPRequestHandler): the uid,gid and pid of the process on the other side of the unix socket on which the request has been made. This can be used for authentication and/or authorization purposes. + The 'creds' structure is further augmented with a 'context' option + containing the Selinux Context string for the calling process, if + available. after the request is parsed the server's pipeline() function is invoked in order to handle it. The pipeline() should return a response object, @@ -133,7 +139,15 @@ class LocalHTTPRequestHandler(BaseHTTPRequestHandler): creds = self.request.getsockopt(socket.SOL_SOCKET, SO_PEERCRED, struct.calcsize('3i')) pid, uid, gid = struct.unpack('3i', creds) - return {'pid': pid, 'uid': uid, 'gid': gid} + try: + creds = self.request.getsockopt(socket.SOL_SOCKET, SO_PEERSEC, + SELINUX_CONTEXT_LEN) + context = creds.decode('utf-8') + except Exception as e: + log_debug("Couldn't retrieve SELinux Context: (%s)" % str(e)) + context = None + + return {'pid': pid, 'uid': uid, 'gid': gid, 'context': context} def parse_request(self, *args, **kwargs): if not BaseHTTPRequestHandler.parse_request(self, *args, **kwargs): |