//for get socket options
struct ucred cr;
- unsigned int len;
+ unsigned int len = sizeof(cr);
//SMACK runtime check
if (!smack_runtime_check())
}
ret = getsockopt(sockfd, SOL_SOCKET, SO_PEERCRED, &cr, &len);
- if (ret < 0)
- SEC_SVR_DBG("Error in getsockopt()");
+ if (ret < 0) {
+ SEC_SVR_ERR("Error in getsockopt(). Errno: %s", strerror(errno));
+ ret = 0;
+ goto err;
+ }
+ path = read_exe_path_from_proc(cr.pid);
+
+ ret = security_server_check_privilege_by_pid(cr.pid, object, access_rights);
+ if (ret == SECURITY_SERVER_RETURN_CODE_SUCCESS)
+ ret = 1;
else
- path = read_exe_path_from_proc(cr.pid);
- ret = smack_have_access(subject, object, access_rights);
+ ret = 0;
+
+err:
SEC_SVR_DBG("SMACK have access returned %d", ret);
if (ret > 0)
retval = convert_to_public_error_code(retval);
return retval;
}
-
char * object = NULL;
char * access_rights = NULL;
unsigned char return_code;
- //file descriptor
- int fd = -1;
- const int B_SIZE = 64;
- char buff[B_SIZE];
char * path = NULL;
+ char subject[SMACK_LABEL_LEN + 1];
+ subject[0] = '\0';
//authenticate client
retval = authenticate_client_middleware(sockfd, &client_pid);
goto error;
}
- bzero(buff, B_SIZE);
if (smack_check()) {
- //get SMACK label of process
- snprintf(buff, B_SIZE, "/proc/%d/attr/current", pid);
-
- fd = open(buff, O_RDONLY, 0644);
- if (fd < 0) {
- SEC_SVR_ERR("%s", "Error open()");
- retval = SECURITY_SERVER_ERROR_UNKNOWN;
- goto error;
+ retval = smack_pid_have_access(pid, object, access_rights);
+ SEC_SVR_DBG("smack_pid_have_access returned %d", retval);
+
+ if(get_smack_label_from_process(pid, subject) != PC_OPERATION_SUCCESS) {
+ // subject label is set to empty string
+ SEC_SVR_ERR("get_smack_label_from_process failed. Subject label has not been read.");
+ } else {
+ SEC_SVR_DBG("Subject label of client PID %d is: %s", pid, subject);
}
-
- bzero(buff, B_SIZE);
- retval = read(fd, buff, B_SIZE);
- if (retval < 0) {
- SEC_SVR_ERR("%s", "Error read()");
- retval = SECURITY_SERVER_ERROR_UNKNOWN;
- goto error;
- }
-
- //now we have SMACK label in buff and we call libsmack
- SEC_SVR_DBG("Subject label of client PID %d is: %s", pid, buff);
- retval = smack_have_access(buff, object, access_rights);
- SEC_SVR_DBG("SMACK have access returned %d", retval);
} else {
SEC_SVR_DBG("SMACK is not available. Subject label has not been read.");
retval = 1;
}
path = read_exe_path_from_proc(pid);
- //now we have SMACK label in buff and we call libsmack
- SEC_SVR_DBG("Subject label of client PID %d is: %s", pid, buff);
- retval = smack_have_access(buff, object, access_rights);
- SEC_SVR_DBG("SMACK have access returned %d", retval);
if (retval > 0)
- SEC_SVR_DBG("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, buff, object, access_rights, retval, path);
+ SEC_SVR_DBG("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, subject, object, access_rights, retval, path);
else
- SEC_SVR_ERR("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, buff, object, access_rights, retval, path);
-
+ SEC_SVR_ERR("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, subject, object, access_rights, retval, path);
+
if (path != NULL)
free(path);
SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
error:
- if (fd >= 0)
- close(fd);
if (object != NULL)
free(object);
int ret = 0;
int pid = -1;
int uid = -1;
+ int retval;
+ struct ucred socopt;
+ unsigned int socoptSize = sizeof(socopt);
if (smack_check())
{
-
- if(smack_new_label_from_socket(sockfd, &label))
+ retval = getsockopt(sockfd, SOL_SOCKET, SO_PEERCRED, &socopt, &socoptSize);
+ if (retval != 0) {
+ SEC_SVR_DBG("%s", "Error on getsockopt");
return 0;
+ }
+ //now we have PID in sockopt.pid
- if (0 >= (ret = smack_have_access(label, object, "rw")))
+ if(smack_new_label_from_socket(sockfd, &label)) {
+ SEC_SVR_ERR("%s", "Error on smack_new_label_from_socket");
+ label = NULL;
+ }
+
+ if (0 >= (ret = smack_pid_have_access(socopt.pid, object, "rw"))) {
ret = 0;
+ }
}
if (SECURITY_SERVER_SUCCESS == authenticate_client_application(sockfd, &pid, &uid))