Previous patch didn't work for PontusM smack-enabled environment.
Now this patch ensures that WITHOUT dev_wos flag, there is definitely
no difference in logic of security-manager, even in the absence of Smack
(ie. during image creation).
Change-Id: If37d9ceae8bcb5727e82f7310acff0358b820240
{
LogDebug("security_manager_drop_process_privileges() called");
- if (!smack_check()) {
+ if (!smack_simple_check()) {
LogWarning("Running in no-smack mode, not dropping capabilities");
return SECURITY_MANAGER_SUCCESS;
}
{
LogDebug("security_manager_prepare_app_candidate() called");
- if (!smack_check()) {
+ if (!smack_simple_check()) {
LogWarning("Running in no-smack mode, exiting earlier without setting up namespaces");
return SECURITY_MANAGER_SUCCESS;
}
return ret;
}
- if (!smack_check()) {
+ if (!smack_simple_check()) {
LogWarning("Running in no-smack mode, exiting with success from prepare_app2 - not setting namespaces any further, or Smack, or caps");
return (int)SECURITY_MANAGER_SUCCESS;
}
return SECURITY_MANAGER_ERROR_INPUT_PARAM;
}
- if (!smack_check()) {
+ if (!smack_simple_check()) {
LogWarning("Running in no-smack mode, not cleaning namespaces");
return SECURITY_MANAGER_SUCCESS;
}
int security_manager_identify_app_from_socket(int sockfd, char **pkg_name, char **app_name)
{
return try_catch([&] {
- if(!smack_check()) {
+ if(!smack_simple_check()) {
LogWarning("Running in no-smack mode, returning static pkg_name default_app_no_Smack_mode & empty app_name");
*pkg_name = strdup("default_app_no_Smack_mode");
return *pkg_name ? (int)SECURITY_MANAGER_SUCCESS : (int)SECURITY_MANAGER_ERROR_MEMORY;
int security_manager_identify_app_from_pid(pid_t pid, char **pkg_name, char **app_name)
{
return try_catch([&] {
- if(!smack_check()) {
+ if(!smack_simple_check()) {
LogWarning("Running in no-smack mode, returning static pkg_name default_app_no_Smack_mode & empty app_name");
*pkg_name = strdup("default_app_no_Smack_mode");
return *pkg_name ? (int)SECURITY_MANAGER_SUCCESS : (int)SECURITY_MANAGER_ERROR_MEMORY;
{
if (!app)
return SECURITY_MANAGER_ERROR_INPUT_PARAM;
- if (!smack_check()) {
+ if (!smack_simple_check()) {
LogWarning("Running in no-smack mode, can't (yet) determine if a process is an app or not");
return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT;
}
if (!result || !app_name || !privilege) {
return SECURITY_MANAGER_ERROR_INPUT_PARAM;
}
- if (!smack_check()) {
+ if (!smack_simple_check()) {
LogWarning("Running in no-smack mode, treating all apps as having all privileges");
*result = 1;
return SECURITY_MANAGER_SUCCESS;
SECURITY_MANAGER_API
int security_manager_private_sharing_req_new(private_sharing_req **pp_req)
{
- if (!smack_check()) {
+ if (!smack_simple_check()) {
LogWarning("Running in no-smack mode, private sharing is a no-op, due to no Smack");
return SECURITY_MANAGER_SUCCESS;
}
SECURITY_MANAGER_API
void security_manager_private_sharing_req_free(private_sharing_req *p_req)
{
- if (!smack_check()) {
+ if (!smack_simple_check()) {
LogWarning("Running in no-smack mode, private sharing is a no-op, due to no Smack");
return;
}
int security_manager_private_sharing_req_set_owner_appid(
private_sharing_req *p_req, const char *app_name)
{
- if (!smack_check()) {
+ if (!smack_simple_check()) {
LogWarning("Running in no-smack mode, private sharing is a no-op, due to no Smack");
return SECURITY_MANAGER_SUCCESS;
}
int security_manager_private_sharing_req_set_target_appid(
private_sharing_req *p_req, const char *app_name)
{
- if (!smack_check()) {
+ if (!smack_simple_check()) {
LogWarning("Running in no-smack mode, private sharing is a no-op, due to no Smack");
return SECURITY_MANAGER_SUCCESS;
}
const char **pp_paths,
size_t path_count)
{
- if (!smack_check()) {
+ if (!smack_simple_check()) {
LogWarning("Running in no-smack mode, private sharing is a no-op, due to no Smack");
return SECURITY_MANAGER_SUCCESS;
}
SECURITY_MANAGER_API
int security_manager_private_sharing_apply(const private_sharing_req *p_req)
{
- if (!smack_check()) {
+ if (!smack_simple_check()) {
LogWarning("Running in no-smack mode, private sharing is a no-op, due to no Smack");
return SECURITY_MANAGER_SUCCESS;
}
SECURITY_MANAGER_API
int security_manager_private_sharing_drop(const private_sharing_req *p_req)
{
- if (!smack_check()) {
+ if (!smack_simple_check()) {
LogWarning("Running in no-smack mode, private sharing is a no-op, due to no Smack");
return SECURITY_MANAGER_SUCCESS;
}
process_type type,
const char *app_id = nullptr)
{
- if (!smack_check()) {
+ if (!smack_simple_check()) {
LogWarning("Running in no-smack mode, exiting with success from security_manager_set_identity - not setting Smack");
return SECURITY_MANAGER_SUCCESS;
}
if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cr, &len) == -1)
ThrowMsg(Exception::SocketError, "Failed to read peer credentials for sockfd " << sock);
- return Credentials(cr.pid, cr.uid, cr.gid, smack_check() ? SmackLabels::getSmackLabelFromSocket(sock) : "");
+ return Credentials(cr.pid, cr.uid, cr.gid, smack_simple_check() ? SmackLabels::getSmackLabelFromSocket(sock) : "");
}
Credentials Credentials::getCredentialsFromFd(int fd)
if (-1 == fstat(fd, &buf))
ThrowMsg(Exception::FdError, "Failed to read credentials from filefd " << fd);
- return Credentials(-1, buf.st_uid, buf.st_gid, smack_check() ? SmackLabels::getSmackLabelFromFd(fd) : "");
+ return Credentials(-1, buf.st_uid, buf.st_gid, smack_simple_check() ? SmackLabels::getSmackLabelFromFd(fd) : "");
}
} // namespace SecurityManager
int smack_runtime_check(void);
/*
- * A very simple runtime check for SMACK on the platform
+ * A very simple runtime check for SMACK support on the platform.
* Returns 1 if SMACK is present, 0 otherwise. If SMACK_ENABLED is not defined
- * It returns 0.
+ * always returns 0.
*/
int smack_check(void);
+/*
+ * An even simpler check for SMACK being enabled at build-time.
+ * Returns 1 if SMACK_ENABLED was defined at built time, 0 otherwise.
+ */
+int smack_simple_check(void);
+
} // namespace SecurityManager
m_privilegeDb.GetGroupsRelatedPrivileges(group_privileges);
m_privilegeGids.init(group_privileges);
- if (!underlying(offline) && smack_check()) {
+ if (!underlying(offline) && smack_simple_check()) {
const auto checkProperDropFlags = CheckProperDrop::computeFlags();
if (checkProperDropFlags < 0)
ThrowMsg(FS::Exception::FileError, "Error computing CheckProperDrop flags."
{
try {
- if (!smack_check()) {
+ if (!smack_simple_check()) {
LogWarning("Running in no-smack mode, not labeling any paths");
if (!m_privilegeDb.PkgNameExists(pkgName)) {
LogError("No such package: " << pkgName);
std::string authorHash = std::string();
Smack::Labels pkgLabels;
- if (!smack_check()) {
+ if (!smack_simple_check()) {
LogWarning("Running in no-smack mode, not installing any Smack rules");
return SECURITY_MANAGER_SUCCESS;
}
LogWarning("GetPkgAuthorHash returned : " << authorHash);
- if (m_smackRules.isPrivilegeMappingEnabled() && smack_check()) {
+ if (m_smackRules.isPrivilegeMappingEnabled() && smack_simple_check()) {
// We have to remove all possible privilege related Smack rules, because application
// policy might have changed from last prepareApp
// (e.g. application new version was installed)
LogWarning("getForbiddenAndAllowedGroups returned: " << ret);
- if (!smack_check()) {
+ if (!smack_simple_check()) {
LogWarning("Running in no-smack mode, exiting without setting up namespaces");
return ret;
}
#endif
}
+int smack_simple_check(void)
+{
+#ifndef SMACK_ENABLED
+ return 0;
+ #else
+ return 1;
+ #endif
+ }
+
} // namespace SecurityManager
addFromTemplate(smackRules, TemplateManager::Type::PKG_RULES_TEMPLATE,
std::string(), pkgName, std::string());
generatePackageCrossDeps(smackRules, pkgLabels);
- if (smack_check())
+ if (smack_simple_check())
smackRules.clear();
}
appLabel, pkgName, authorHash);
if (isPrivilegeMappingEnabled())
addPrivilegesRules(smackRules, appLabel, pkgName, authorHash, m_templateMgr.getAllMappedPrivs());
- if (smack_check()) {
+ if (smack_simple_check()) {
smackRules.clear();
SmackLabels::revokeSubject(appLabel);
}
SmackAccesses smackRules;
addFromTemplate(smackRules, TemplateManager::Type::AUTHOR_RULES_TEMPLATE,
std::string(), std::string(), authorHash);
- if (smack_check())
+ if (smack_simple_check())
smackRules.clear();
}
rules.add(SMACK_SYSTEM_PRIVILEGED, pathLabel, SMACK_APP_PATH_SYSTEM_PERMS);
}
rules.add(targetLabel, pathLabel, SMACK_APP_PATH_TARGET_PERMS);
- if (smack_check())
+ if (smack_simple_check())
rules.apply();
}
rules.addModify(SMACK_SYSTEM_PRIVILEGED, pathLabel, "", SMACK_APP_PATH_SYSTEM_PERMS);
}
rules.addModify(targetLabel, pathLabel, "", SMACK_APP_PATH_TARGET_PERMS);
- if (smack_check())
+ if (smack_simple_check())
rules.apply();
}
int call_type_int;
Deserialization::Deserialize(msg.buffer, call_type_int);
SecurityModuleCall call_type = static_cast<SecurityModuleCall>(call_type_int);
- if (!smack_check()) {
+ if (!smack_simple_check()) {
LogWarning("Running in no-smack mode, treating connection as authenticated - privileges will not be checked!");
msg.creds.authenticated = true;
}
projects / platform / core / security / security-manager.git / commitdiff