Use function smack_pid_have_access() from libprivilege-control instead smack_have_acc...

author Janusz Kozerski <j.kozerski@samsung.com>

Tue, 7 May 2013 12:19:09 +0000 (14:19 +0200)

committer Bartlomiej Grzelewski <b.grzelewski@samsung.com>

Thu, 6 Feb 2014 16:09:36 +0000 (17:09 +0100)
author Janusz Kozerski <j.kozerski@samsung.com>
Tue, 7 May 2013 12:19:09 +0000 (14:19 +0200)
committer Bartlomiej Grzelewski <b.grzelewski@samsung.com>
Thu, 6 Feb 2014 16:09:36 +0000 (17:09 +0100)
diff --git a/src/client/security-server-client.c b/src/client/security-server-client.c

index 4fa8957..4e74132 100644 (file)
--- a/src/client/security-server-client.c
+++ b/src/client/security-server-client.c
@@ -462,7 +462,7 @@ int security_server_check_privilege_by_sockfd(int sockfd,
  
      //for get socket options
      struct ucred cr;
-    unsigned int len;
+    unsigned int len = sizeof(cr);
  
      //SMACK runtime check
      if (!smack_runtime_check())
@@ -478,11 +478,20 @@ int security_server_check_privilege_by_sockfd(int sockfd,
      }
  
      ret = getsockopt(sockfd, SOL_SOCKET, SO_PEERCRED, &cr, &len);
-    if (ret < 0)
-        SEC_SVR_DBG("Error in getsockopt()");
+    if (ret < 0) {
+        SEC_SVR_ERR("Error in getsockopt(). Errno: %s", strerror(errno));
+        ret = 0;
+        goto err;
+    }
+    path = read_exe_path_from_proc(cr.pid);
+
+    ret = security_server_check_privilege_by_pid(cr.pid, object, access_rights);
+    if (ret == SECURITY_SERVER_RETURN_CODE_SUCCESS)
+        ret = 1;
      else
-        path = read_exe_path_from_proc(cr.pid);
-    ret = smack_have_access(subject, object, access_rights);
+        ret = 0;
+
+err:
  
      SEC_SVR_DBG("SMACK have access returned %d", ret);
      if (ret > 0)
@@ -1256,4 +1265,3 @@ error:
      retval = convert_to_public_error_code(retval);
      return retval;
  }
-
diff --git a/src/server/security-server-cookie.c b/src/server/security-server-cookie.c

index 9bd4fc2..7103e44 100644 (file)
--- a/src/server/security-server-cookie.c
+++ b/src/server/security-server-cookie.c
@@ -280,7 +280,7 @@ cookie_list *search_cookie_new(const cookie_list *c_list,
              SEC_SVR_DBG("%s", "cookie has been found");
              if (smack_check())
              {
-                ret = smack_have_access(current->smack_label, object, access_rights);
+                ret = smack_pid_have_access(current->pid, object, access_rights);
  
                  SEC_SVR_DBG("SMACK have access returned %d", ret);
                  if (ret > 0)
diff --git a/src/server/security-server-main.c b/src/server/security-server-main.c

index 0d2211b..63a10a6 100644 (file)
--- a/src/server/security-server-main.c
+++ b/src/server/security-server-main.c
@@ -925,11 +925,9 @@ int process_pid_privilege_check(int sockfd, int datasize)
      char * object = NULL;
      char * access_rights = NULL;
      unsigned char return_code;
-    //file descriptor
-    int fd = -1;
-    const int B_SIZE = 64;
-    char buff[B_SIZE];
      char * path = NULL;
+    char subject[SMACK_LABEL_LEN + 1];
+    subject[0] = '\0';
  
      //authenticate client
      retval = authenticate_client_middleware(sockfd, &client_pid);
@@ -961,46 +959,28 @@ int process_pid_privilege_check(int sockfd, int datasize)
          goto error;
      }
  
-    bzero(buff, B_SIZE);
      if (smack_check()) {
-        //get SMACK label of process
-        snprintf(buff, B_SIZE, "/proc/%d/attr/current", pid);
-
-        fd = open(buff, O_RDONLY, 0644);
-        if (fd < 0) {
-            SEC_SVR_ERR("%s", "Error open()");
-            retval = SECURITY_SERVER_ERROR_UNKNOWN;
-            goto error;
+        retval = smack_pid_have_access(pid, object, access_rights);
+        SEC_SVR_DBG("smack_pid_have_access returned %d", retval);
+
+        if(get_smack_label_from_process(pid, subject) != PC_OPERATION_SUCCESS) {
+            // subject label is set to empty string
+            SEC_SVR_ERR("get_smack_label_from_process failed. Subject label has not been read.");
+        } else {
+            SEC_SVR_DBG("Subject label of client PID %d is: %s", pid, subject);
          }
-
-        bzero(buff, B_SIZE);
-        retval = read(fd, buff, B_SIZE);
-        if (retval < 0) {
-            SEC_SVR_ERR("%s", "Error read()");
-            retval = SECURITY_SERVER_ERROR_UNKNOWN;
-            goto error;
-        }
-
-        //now we have SMACK label in buff and we call libsmack
-        SEC_SVR_DBG("Subject label of client PID %d is: %s", pid, buff);
-        retval = smack_have_access(buff, object, access_rights);
-        SEC_SVR_DBG("SMACK have access returned %d", retval);
      } else {
          SEC_SVR_DBG("SMACK is not available. Subject label has not been read.");
          retval = 1;
      }
  
      path = read_exe_path_from_proc(pid);
-    //now we have SMACK label in buff and we call libsmack
-    SEC_SVR_DBG("Subject label of client PID %d is: %s", pid, buff);
  
-    retval = smack_have_access(buff, object, access_rights);
-    SEC_SVR_DBG("SMACK have access returned %d", retval);
      if (retval > 0)
-        SEC_SVR_DBG("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, buff, object, access_rights, retval, path);
+        SEC_SVR_DBG("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, subject, object, access_rights, retval, path);
      else
-        SEC_SVR_ERR("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, buff, object, access_rights, retval, path);
-    
+        SEC_SVR_ERR("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, subject, object, access_rights, retval, path);
+
      if (path != NULL)
          free(path);
  
@@ -1018,8 +998,6 @@ int process_pid_privilege_check(int sockfd, int datasize)
          SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
  
  error:
-    if (fd >= 0)
-        close(fd);
  
      if (object != NULL)
          free(object);
@@ -1138,15 +1116,27 @@ int client_has_access(int sockfd, const char *object) {
      int ret = 0;
      int pid = -1;
      int uid = -1;
+    int retval;
+    struct ucred socopt;
+    unsigned int socoptSize = sizeof(socopt);
  
      if (smack_check())
      {
-
-        if(smack_new_label_from_socket(sockfd, &label))
+        retval = getsockopt(sockfd, SOL_SOCKET, SO_PEERCRED, &socopt, &socoptSize);
+        if (retval != 0) {
+            SEC_SVR_DBG("%s", "Error on getsockopt");
              return 0;
+        }
+        //now we have PID in sockopt.pid
  
-        if (0 >= (ret = smack_have_access(label, object, "rw")))
+        if(smack_new_label_from_socket(sockfd, &label)) {
+            SEC_SVR_ERR("%s", "Error on smack_new_label_from_socket");
+            label = NULL;
+        }
+
+        if (0 >= (ret = smack_pid_have_access(socopt.pid, object, "rw"))) {
              ret = 0;
+        }
      }
  
      if (SECURITY_SERVER_SUCCESS == authenticate_client_application(sockfd, &pid, &uid))
author	Janusz Kozerski <j.kozerski@samsung.com>
	Tue, 7 May 2013 12:19:09 +0000 (14:19 +0200)
committer	Bartlomiej Grzelewski <b.grzelewski@samsung.com>
	Thu, 6 Feb 2014 16:09:36 +0000 (17:09 +0100)
src/client/security-server-client.c		patch \| blob \| history
src/server/security-server-cookie.c		patch \| blob \| history
src/server/security-server-main.c		patch \| blob \| history