Set proper label for notification sockets 90/154090/7
author Krzysztof Jackiewicz <k.jackiewicz@samsung.com>
Thu, 5 Oct 2017 14:26:49 +0000 (16:26 +0200)
committer Krzysztof Jackiewicz <k.jackiewicz@samsung.com>
Fri, 13 Oct 2017 15:45:16 +0000 (17:45 +0200)

When a client registers for notification it receives a socket to wait on. The
socket descriptor is transferred using ancillary data. In such cases Smack
checks if Smack rules allow the process that is about to receive it to write to
the socket's IPOUT (System::Privileged) and if the socket's IPIN is allowed to
write to the process. CAP_MAC_OVERRIDE is ignored (this may be a bug in Smack).
As a result any process not having the System::Privileged label (including
ode-admin-cli and UI apps) is not able to receive the notification socket.

By default notification sockets receive the server's label, which is
System::Privileged. This patch sets the IPOUT socket label to '@' so that all
processes can write to it and receive the notification socket.

Change-Id: I473099f48e253c4bfe3cebee1a21857d9ea2b963

packaging/ode.spec
server/CMakeLists.txt
server/server.cpp

index b5e0d577a07e36361897eec5e0d39b4ebd8bbcde..4c82c3d7e63414920e8d2dbdba20dbf884aafe3d 100755 (executable)
@@ -19,6 +19,7 @@ BuildRequires: pkgconfig(key-manager)
 BuildRequires: pkgconfig(cynara-client)
 BuildRequires: pkgconfig(cynara-session)
 BuildRequires: pkgconfig(openssl)
+BuildRequires: pkgconfig(libsmack)
 Requires: cryptsetup
 
 %description
index ee73f4ca20f790bc142ee4b4067659df0c058071..9258da25fec539448c8a5ee8bca4966c52f0e2cd 100644 (file)
@@ -47,6 +47,7 @@ SET(DEPENDENCY        klay
                                cynara-client
                                cynara-session
                                openssl
+                               libsmack
 )
 
 SET(SERVER_NAME ${PROJECT_NAME}d)
index e3ff24feac56f5d7dbd045141f757c8b1cb308df..e69d3ea8b15897d2f4d5808acfec10814cfa0ff9 100644 (file)
@@ -15,6 +15,7 @@
  */
 #include <cynara-client.h>
 #include <cynara-session.h>
+#include <sys/smack.h>
 
 #include <klay/audit/dlog-sink.h>
 
@@ -94,7 +95,18 @@ runtime::FileDescriptor ServerContext::registerNotificationSubscriber(const std:
 {
        INFO(SINK, "registerNotificationSubscriber");
        INFO(SINK, name);
-       return runtime::FileDescriptor(subscribeNotification(name), true);
+       int fd = subscribeNotification(name);
+
+       /**
+        *  Set @ label so that smack_file_receive() in kernel succeeds in checking
+        *  'w' access between the client and the IPOUT of the socket.
+        */
+       if (smack_fsetlabel(fd, "@", SMACK_LABEL_IPOUT) != 0) {
+               ERROR(SINK, "Setting IPOUT label failed");
+               throw runtime::Exception("Setting IPOUT label failed");
+       }
+
+       return runtime::FileDescriptor(fd, true);
 }
 
 int ServerContext::unregisterNotificationSubscriber(const std::string& name, int id)
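
Review bot: The throw after a failed smack_fsetlabel() in registerNotificationSubscriber() leaks the descriptor: fd is still a raw int at that point, so nothing closes it, and the subscription created by subscribeNotification(name) is not undone either. Either take ownership before relabelling (construct the runtime::FileDescriptor first and label its descriptor) or close fd and drop the subscription on the error path before throwing. fd is also passed to smack_fsetlabel() without checking that subscribeNotification() returned a valid descriptor, so a failed subscription is reported as "Setting IPOUT label failed"; check it first and report it separately. Logging errno in the ERROR line would make the failure diagnosable. Finally, the in-code comment explains why '@' is needed but not that it opens write access on IPOUT to every label; a sentence recording that this is intentional for notification sockets, and that it works around CAP_MAC_OVERRIDE being ignored as the commit message says, would help whoever revisits this once the kernel behaviour changes.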