Change privilege and privilege status vector names for clarity 74/228974/8
authorZofia Abramowska <z.abramowska@samsung.com>
Thu, 26 Mar 2020 12:47:59 +0000 (13:47 +0100)
committerZofia Abramowska <z.abramowska@samsung.com>
Fri, 17 Apr 2020 10:27:26 +0000 (12:27 +0200)
PrivilegeVector and privilegeStatusVector passed to prepareApp are not
general privileges, but privileges related to paths. This commit
changes the variable names to make this clearer.

Change-Id: I66a05ea0db305ded53ed1d47f60496cd5fda8636

src/client/client-security-manager.cpp
src/common/include/service_impl.h
src/common/service_impl.cpp
src/server/service/service.cpp

index 33665dc1255ce04bae40b5e727c26013f63b9c98..576bcf98284ac73bcc434efae89e7aef84d1f806 100644 (file)
@@ -466,7 +466,7 @@ static int fetchForbiddenAndAllowedGroups(const std::string &appName, std::vecto
 
 static int prepareAppInitialSetupAndFetch(const std::string &appName, const MountNS::PrivilegePathsMap &privilegePathsMap, std::string &label,
         std::string &pkgName, bool &enabledSharedRO, std::vector<gid_t> &forbiddenGroups, std::vector<gid_t> &allowedGroups,
-        std::vector<bool> &privilegeStatusVector)
+        std::vector<bool> &privPathsStatusVector)
 {
     ClientRequest request(SecurityModuleCall::PREPARE_APP);
     if (request.send(appName, serializeKeysAsVector(privilegePathsMap)).failed()) {
@@ -474,7 +474,7 @@ static int prepareAppInitialSetupAndFetch(const std::string &appName, const Moun
         return request.getStatus();
     }
 
-    request.recv(forbiddenGroups, allowedGroups, privilegeStatusVector, label, pkgName, enabledSharedRO);
+    request.recv(forbiddenGroups, allowedGroups, privPathsStatusVector, label, pkgName, enabledSharedRO);
     return SECURITY_MANAGER_SUCCESS;
 }
 
@@ -831,13 +831,13 @@ static int setupSharedRO(const std::string &pkg_name, bool enabledSharedRO, cons
 }
 
 static int applyPrivileges(const MountNS::PrivilegePathsMap &privilegePathMap,
-        const std::vector<bool> &privilegeStatusVector, const std::string &appLabel)
+        const std::vector<bool> &privPathsStatusVector, const std::string &appLabel)
 {
-    if (privilegeStatusVector.empty())
+    if (privPathsStatusVector.empty())
         return SECURITY_MANAGER_SUCCESS;
 
     auto it = privilegePathMap.begin();
-    for (const auto &privilegeStatus : privilegeStatusVector) {
+    for (const auto &privilegeStatus : privPathsStatusVector) {
 
         for (auto &privilegePath : it->second) {
             if (FS::directoryStatus(privilegePath.dstPath) == 0) {
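Review bot: The loop in `applyPrivileges` dereferences `it->second` starting from `privilegePathMap.begin()` once per entry of `privPathsStatusVector`, and nothing visible in this hunk checks that the vector has no more entries than the map. The vector is filled from the service reply by `request.recv(...)`, so its length is not under the client's control. Unless the part of the loop outside this hunk compares `it` with `privilegePathMap.end()`, a reply longer than the map would advance the iterator past the end. A guard after the empty check, `if (privPathsStatusVector.size() != privilegePathMap.size())` returning an error code, would make the positional pairing explicit. The loop body continues outside the hunk, so this should be confirmed against the full function.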
@@ -882,7 +882,7 @@ int security_manager_prepare_app_candidate(void)
 }
 
 static inline int security_manager_setup_namespace_internal(const MountNS::PrivilegePathsMap &privilegePathMap,
-        const std::string &pkg_name, bool enabledSharedRO, const std::vector<bool> &privilegeStatusVector,
+        const std::string &pkg_name, bool enabledSharedRO, const std::vector<bool> &privPathsStatusVector,
         const std::string &app_label)
 {
     // mount namespace setup was made by other process when userAppsRWSharedDir is read only, we can skip it
@@ -900,7 +900,7 @@ static inline int security_manager_setup_namespace_internal(const MountNS::Privi
         return ret;
     }
 
-    ret = applyPrivileges(privilegePathMap, privilegeStatusVector, app_label);
+    ret = applyPrivileges(privilegePathMap, privPathsStatusVector, app_label);
     if (ret != SECURITY_MANAGER_SUCCESS) {
         LogError("Failed to setup app namespace: " << security_manager_strerror(static_cast<lib_retcode>(ret)));
         return ret;
@@ -926,10 +926,10 @@ int security_manager_prepare_app(const char *app_name)
         std::string appLabel, pkgName;
         bool enabledSharedRO;
         std::vector<gid_t> forbiddenGroups, allowedGroups;
-        std::vector<bool> privilegeStatusVector;
+        std::vector<bool> privPathsStatusVector;
         auto privilegePathMap = MountNS::getPrivilegePathMap(getuid());
         int ret = prepareAppInitialSetupAndFetch(app_name, privilegePathMap, appLabel, pkgName, enabledSharedRO,
-                forbiddenGroups, allowedGroups, privilegeStatusVector);
+                forbiddenGroups, allowedGroups, privPathsStatusVector);
         if (ret != SECURITY_MANAGER_SUCCESS) {
             LogError("Failed to get app info for appName: " << app_name);
             return ret;
@@ -941,7 +941,7 @@ int security_manager_prepare_app(const char *app_name)
             return ret;
         }
 
-        ret = security_manager_setup_namespace_internal(privilegePathMap, pkgName, enabledSharedRO, privilegeStatusVector, appLabel);
+        ret = security_manager_setup_namespace_internal(privilegePathMap, pkgName, enabledSharedRO, privPathsStatusVector, appLabel);
         if (ret != SECURITY_MANAGER_SUCCESS) {
             LogError("Unable to setup namespace for application " << app_name);
             return ret;
index 76239b2cae04a55ff555fc5ff8d4951dc90fbd47..fd8e7a1da3d471d4349ebd96fda31c1066de136e 100644 (file)
@@ -367,21 +367,21 @@ public:
     /**
      * Get app info (process label, package name, shared_ro flag)
      *
-     * @param[in] creds            credentials of the requesting process
-     * @param[in] appName          application identifier
-     * @param[in] privilegeVector  privileges to query
+     * @param[in] creds                  credentials of the requesting process
+     * @param[in] appName                application identifier
+     * @param[in] pathPrivVector         paths related privileges to query
      * @param[out] label                 generated label
      * @param[out] pkgName               application package name
      * @param[out] enabledSharedRO       placeholder for check shared_ro result
      * @param[out] forbiddenGroups       sorted vector of forbidden groups
      * @param[out] allowedGroups         sorted vector of allowed groups
-     * @param[out] privilegeStatusVector results of respective privilege queries
+     * @param[out] pathPrivStatusVector  results of respective paths related privilege queries
      *
      * @return API return code, as defined in protocols.h
      */
-    int prepareApp(const Credentials &creds, const std::string &appName, const std::vector<std::string> &privilegeVector,
+    int prepareApp(const Credentials &creds, const std::string &appName, const std::vector<std::string> &privPathsVector,
             std::string &label, std::string &pkgName, bool &enabledSharedRO,
-            std::vector<gid_t> &forbiddenGroups, std::vector<gid_t> &allowedGroups, std::vector<bool> &privilegeStatusVector);
+            std::vector<gid_t> &forbiddenGroups, std::vector<gid_t> &allowedGroups, std::vector<bool> &privPathsStatusVector);
 
 private:
     int appInstallInitialChecks(const Credentials &creds,
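Review bot: The Doxygen block for `prepareApp` now documents `pathPrivVector` and `pathPrivStatusVector`, but the declaration directly below names the parameters `privPathsVector` and `privPathsStatusVector`, so both `@param` tags refer to names that do not exist in the signature. Align the tags with the declaration: `@param[in] privPathsVector paths related privileges to query` and `@param[out] privPathsStatusVector results of respective paths related privilege queries`. Because the client appears to pair the results with its path map by position, the `@param[out]` text could also state that element i of the status vector answers element i of the input vector.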
@@ -398,7 +398,7 @@ private:
     int appInstallSmackRules(app_inst_req &req, InstallHelper &ih);
 
     int appSetupNamespace(const Credentials &creds, const std::string &appProcessLabel,
-            const std::vector<std::string> &privilegeVector, std::vector<bool> &privilegeStatusVector);
+            const std::vector<std::string> &privPathsVector, std::vector<bool> &privPathsStatusVector);
 
     int appUninstallInitialChecks(const Credentials &creds,
                                   app_inst_req &req,
index 8be980fec14df071fb53e3251d183eb4407188e8..2dd7bf8f7200bd5bdd96010ae3b3ced153ab2a18 100644 (file)
@@ -2010,7 +2010,7 @@ int ServiceImpl::getClientPrivilegeLicense(
 }
 
 int ServiceImpl::appSetupNamespace(const Credentials &creds, const std::string &appProcessLabel,
-        const std::vector<std::string> &privilegeVector, std::vector<bool> &privilegeStatusVector)
+        const std::vector<std::string> &privPathsVector, std::vector<bool> &privPathsStatusVector)
 {
     int ret;
     if (!authenticate(creds, PRIVILEGE_APP_NAMESPACE)) {
@@ -2049,9 +2049,9 @@ int ServiceImpl::appSetupNamespace(const Credentials &creds, const std::string &
             return ret;
         }
 
-        privilegeStatusVector.reserve(privilegeVector.size());
-        for (auto &privilege : privilegeVector)
-            privilegeStatusVector.push_back(m_cynara.check(appProcessLabel, privilege, uidStr, {}));
+        privPathsStatusVector.reserve(privPathsVector.size());
+        for (auto &privilege : privPathsVector)
+            privPathsStatusVector.push_back(m_cynara.check(appProcessLabel, privilege, uidStr, {}));
 
     } catch (const PrivilegeDb::Exception::Base &e) {
         LogError("Error while getting shared_ro flag from database: " << e.DumpToString());
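Review bot: The loop in `appSetupNamespace` appends to `privPathsStatusVector` without clearing it first, so the results line up with `privPathsVector` by index only when the caller passes an empty vector. The caller visible in service.cpp does pass a freshly constructed one, but since this is an out-parameter the function can enforce the invariant itself with `privPathsStatusVector.clear();` before the `reserve` call. The loop variable is only read and could be declared `const auto &privilege`. The function body starts and ends outside this hunk.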
@@ -2141,9 +2141,9 @@ std::string ServiceImpl::getProcessLabel(const std::string &appName)
     return getAppProcessLabel(appName);
 }
 
-int ServiceImpl::prepareApp(const Credentials &creds, const std::string &appName, const std::vector<std::string> &privilegeVector,
+int ServiceImpl::prepareApp(const Credentials &creds, const std::string &appName, const std::vector<std::string> &privPathsVector,
         std::string &label, std::string &pkgName, bool &enabledSharedRO,
-        std::vector<gid_t> &forbiddenGroups, std::vector<gid_t> &allowedGroups, std::vector<bool> &privilegeStatusVector)
+        std::vector<gid_t> &forbiddenGroups, std::vector<gid_t> &allowedGroups, std::vector<bool> &privPathsStatusVector)
 {
     LogDebug("Requested prepareApp for application " << appName);
     bool isHybrid;
@@ -2171,7 +2171,7 @@ int ServiceImpl::prepareApp(const Credentials &creds, const std::string &appName
     ret = getForbiddenAndAllowedGroups(label, allowedPrivileges, forbiddenGroups,
                                        allowedGroups);
     return ret != SECURITY_MANAGER_SUCCESS ? ret
-        : appSetupNamespace(creds, label, privilegeVector, privilegeStatusVector);
+        : appSetupNamespace(creds, label, privPathsVector, privPathsStatusVector);
 }
 
 } /* namespace SecurityManager */
index e367b12e5fd29353fde4262ad3c8277c79189e2b..478c2e34e4e5917c97d72b76be644dd7b0160321 100644 (file)
@@ -503,15 +503,15 @@ void Service::prepareApp(MessageBuffer &buffer, MessageBuffer &send, const Crede
 {
     std::string appName, pkgName, label;
     bool enabledSharedRO;
-    std::vector<std::string> privilegeVector;
+    std::vector<std::string> privPathsVector;
     std::vector<gid_t> forbiddenGroups, allowedGroups;
-    std::vector<bool> privilegeStatusVector;
-    Deserialization::Deserialize(buffer, appName, privilegeVector);
-    int ret = serviceImpl.prepareApp(creds, appName, privilegeVector,
-            label, pkgName, enabledSharedRO, forbiddenGroups, allowedGroups, privilegeStatusVector);
+    std::vector<bool> privPathsStatusVector;
+    Deserialization::Deserialize(buffer, appName, privPathsVector);
+    int ret = serviceImpl.prepareApp(creds, appName, privPathsVector,
+            label, pkgName, enabledSharedRO, forbiddenGroups, allowedGroups, privPathsStatusVector);
     Serialization::Serialize(send, ret);
     if (ret == SECURITY_MANAGER_SUCCESS)
-        Serialization::Serialize(send, forbiddenGroups, allowedGroups, privilegeStatusVector, label, pkgName, enabledSharedRO);
+        Serialization::Serialize(send, forbiddenGroups, allowedGroups, privPathsStatusVector, label, pkgName, enabledSharedRO);
 }
 
 } // namespace SecurityManager