projects / platform / core / security / ode.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 5f70491) | patch
Set proper label for notification sockets 90/154090/7
authorKrzysztof Jackiewicz <k.jackiewicz@samsung.com>
Thu, 5 Oct 2017 14:26:49 +0000 (16:26 +0200)
committerKrzysztof Jackiewicz <k.jackiewicz@samsung.com>
Fri, 13 Oct 2017 15:45:16 +0000 (17:45 +0200)
commit49cb9a09d7fa9f1c81efffe9f6d584986449eebf
tree3d3838bba90988f30e9256b63d69e0500adbfe54tree | snapshot
parent5f704919d8216bf352cfad77ad686e459b83635ecommit | diff
Set proper label for notification sockets

When a client registers for notification it receives a socket to wait on. The
socket descriptor is transferred using ancillary data. In such cases Smack
checks if Smack rules allow the process that is about to receive it to write to
socket's IPOUT (System::Privileged) and if socket IPIN is allowed to write the
process. CAP_MAC_OVERRIDE is ignored (this may be a bug in Smack). As a result
any process not having System::Privileged label (including ode-admin-cli and UI
apps) is not able to receive the notification socket.

By default notification sockets receive the server's label that is
System::Privileged. This patch sets the IPOUT socket label to '@' so that all
processes can write it and receive the notification socket.

Change-Id: I473099f48e253c4bfe3cebee1a21857d9ea2b963
packaging/ode.spec diff | blob | history
server/CMakeLists.txt diff | blob | history
server/server.cpp diff | blob | history
Domain: Security / Utilities;