} catch (const CynaraException::Base &e) {
LogError("Error while updating Cynara rules: " << e.DumpToString());
return SECURITY_MANAGER_ERROR_SERVER_ERROR;
+ } catch (const FS::Exception::Base &e) {
+ LogError("Filesystem error: " << e.DumpToString());
+ return SECURITY_MANAGER_ERROR_SERVER_ERROR;
} catch (const std::bad_alloc &e) {
LogError("Memory allocation error while updating Cynara rules: " << e.what());
return SECURITY_MANAGER_ERROR_SERVER_ERROR;
Smack::Label &label, std::string &pkgName, PrepareAppFlags &prepareAppFlags,
std::vector<gid_t> &forbiddenGroups, std::vector<gid_t> &allowedGroups, std::vector<bool> &privPathsStatusVector)
{
- LogDebug("Requested prepareApp for application " << appName);
+ try {
+ LogDebug("Requested prepareApp for application " << appName);
- bool isHybrid, enabledSharedRO;
- if (!m_privilegeDb.GetAppPkgInfo(appName, pkgName, isHybrid, enabledSharedRO))
- return SECURITY_MANAGER_ERROR_UNKNOWN;
- prepareAppFlags = m_prepareAppFlags | (enabledSharedRO ? PREPARE_APP_SHARED_RO_FLAG : 0);
- label = SmackLabels::generateProcessLabel(appName, pkgName, isHybrid);
+ bool isHybrid, enabledSharedRO;
+ if (!m_privilegeDb.GetAppPkgInfo(appName, pkgName, isHybrid, enabledSharedRO))
+ return SECURITY_MANAGER_ERROR_UNKNOWN;
+ prepareAppFlags = m_prepareAppFlags | (enabledSharedRO ? PREPARE_APP_SHARED_RO_FLAG : 0);
+ label = SmackLabels::generateProcessLabel(appName, pkgName, isHybrid);
- std::vector<std::string> allowedPrivileges;
- int ret = getAppAllowedPrivileges(label, creds.uid, allowedPrivileges);
- if (ret != SECURITY_MANAGER_SUCCESS) {
- LogError("Failed to fetch allowed privileges for " << label);
- return ret;
- }
+ std::vector<std::string> allowedPrivileges;
+ int ret = getAppAllowedPrivileges(label, creds.uid, allowedPrivileges);
+ if (ret != SECURITY_MANAGER_SUCCESS) {
+ LogError("Failed to fetch allowed privileges for " << label);
+ return ret;
+ }
- std::string authorHash;
- m_privilegeDb.GetPkgAuthorHash(pkgName, authorHash);
+ std::string authorHash;
+ m_privilegeDb.GetPkgAuthorHash(pkgName, authorHash);
- std::vector<std::string> pkgLabels;
- getPkgLabels(pkgName, pkgLabels);
+ std::vector<std::string> pkgLabels;
+ getPkgLabels(pkgName, pkgLabels);
- if (m_smackRules.isPrivilegeMappingEnabled()) {
- // We have to remove all possible privilege related Smack rules, because application
- // policy might have changed from last prepareApp
- // (e.g. application new version was installed)
- m_smackRules.disableAllPrivilegeRules(label, pkgName, authorHash);
+ if (m_smackRules.isPrivilegeMappingEnabled()) {
+ // We have to remove all possible privilege related Smack rules, because application
+ // policy might have changed from last prepareApp
+ // (e.g. application new version was installed)
+ m_smackRules.disableAllPrivilegeRules(label, pkgName, authorHash);
- // TODO: Optimization is welcomed here
- auto runningApps = MountNS::getMountNSApps();
- if (isMultiUser({label, std::to_string(creds.uid)}, runningApps)) {
- LogWarning("Detected multiuser instance of " << appName
- << ". Privilege related Smack rules are cleared and won't be reapplied.");
- } else {
- m_smackRules.enablePrivilegeRules(label, pkgName, authorHash, allowedPrivileges);
+ // TODO: Optimization is welcomed here
+ auto runningApps = MountNS::getMountNSApps();
+ if (isMultiUser({label, std::to_string(creds.uid)}, runningApps)) {
+ LogWarning("Detected multiuser instance of " << appName
+ << ". Privilege related Smack rules are cleared and won't be reapplied.");
+ } else {
+ m_smackRules.enablePrivilegeRules(label, pkgName, authorHash, allowedPrivileges);
+ }
}
- }
- ret = getForbiddenAndAllowedGroups(label, allowedPrivileges, forbiddenGroups,
- allowedGroups);
- return ret != SECURITY_MANAGER_SUCCESS ? ret
- : appSetupNamespace(creds, label, privPathsVector, privPathsStatusVector);
+ ret = getForbiddenAndAllowedGroups(label, allowedPrivileges, forbiddenGroups,
+ allowedGroups);
+ return ret != SECURITY_MANAGER_SUCCESS ? ret
+ : appSetupNamespace(creds, label, privPathsVector, privPathsStatusVector);
+ } catch (const FS::Exception::Base &e) {
+ LogError("Filesystem error: " << e.DumpToString());
+ return SECURITY_MANAGER_ERROR_SERVER_ERROR;
+ }
}
} /* namespace SecurityManager */
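Review bot: The new `try` in prepareApp is closed by a single `catch (const FS::Exception::Base &e)`, so any other exception raised in the body still unwinds out of the function instead of returning an error code. The handler chain in the first hunk also catches `CynaraException::Base` and `std::bad_alloc`, and the vector and string work here can throw the latter. Unless the caller is known to catch these (not visible in this diff), consider adding `} catch (const std::bad_alloc &e) {` with `LogError("Memory allocation error in prepareApp: " << e.what());` and `return SECURITY_MANAGER_ERROR_SERVER_ERROR;`. An exception thrown after `disableAllPrivilegeRules` and before `enablePrivilegeRules` returns with the privilege Smack rules cleared, which fails closed, but the message `"Filesystem error: "` (here and in the first hunk) names neither the application nor the operation. Something like `LogError("Filesystem error in prepareApp for " << appName << ": " << e.DumpToString());` would make that partial state traceable; the function signature starts above the hunk, so `appName` being in scope at the handler is assumed from its use inside the body.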