char *message_buffer = NULL;
char *client_label = NULL;
char *provider_label = NULL;
+ struct smack_accesses *smack = NULL;
int ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
int send_message_id = SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE;
int send_error_id = SECURITY_SERVER_RETURN_CODE_SERVER_ERROR;
int client_pid = 0;
+ static const char * const revoke = "-----";
+ const char *permissions = "rwxat";
message_buffer = malloc(msg_len+1);
if (!message_buffer)
goto error;
}
+ // Currently we don't use client_pid
memcpy(&client_pid, message_buffer, sizeof(int));
client_label = message_buffer + sizeof(int);
goto error;
}
- if (PC_OPERATION_SUCCESS != app_give_access(client_label, provider_label, "rwxat")) {
- SEC_SVR_ERR("%s", "Error in app_give_access");
+ if (!util_smack_label_is_valid(client_label)) {
+ send_error_id = SECURITY_SERVER_RETURN_CODE_BAD_REQUEST;
goto error;
}
+
+ if (smack_accesses_new(&smack))
+ goto error;
+
+ if (smack_accesses_add_modify(smack, client_label,
+ provider_label, permissions, revoke))
+ goto error;
+
+ if (smack_accesses_apply(smack)){
+ send_message_id = SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED;
+ goto error;
+ }
+
}
ret = SECURITY_SERVER_SUCCESS;
send_message_id = SECURITY_SERVER_MSG_TYPE_APP_GIVE_ACCESS_RESPONSE;
send_error_id = SECURITY_SERVER_RETURN_CODE_SUCCESS;
- if (!netlink_enabled) {
- SEC_SVR_ERR("Netlink not supported: Garbage collector inactive.");
- goto error;
- }
-
- if (smack_check()) {
- if (0 != rules_revoker_add(client_pid, client_label, provider_label))
- SEC_SVR_ERR("%s", "Error in rules_revoker_add.");
- }
error:
retval = send_generic_response(sockfd, send_message_id, send_error_id);
free(message_buffer);
free(provider_label);
+ smack_accesses_free(smack);
return ret;
}
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
+#include <sys/smack.h>
#include <fcntl.h>
#include <sys/un.h>
#include <errno.h>
return ret;
}
+
+int util_smack_label_is_valid(const char *smack_label){
+ int i;
+
+ if (!smack_label || smack_label[0] == '\0' || smack_label[0] == '-')
+ goto err;
+
+ for (i = 0; smack_label[i]; ++i) {
+ if (i >= SMACK_LABEL_LEN)
+ return 0;
+ switch (smack_label[i]) {
+ case '~':
+ case ' ':
+ case '/':
+ case '"':
+ case '\\':
+ case '\'':
+ goto err;
+ default:
+ break;
+ }
+ }
+
+ return 1;
+err:
+ SEC_SVR_ERR("ERROR: Invalid Smack label: %s", smack_label);
+ return 0;
+}