return ret < 0 ? -1 : 0;
}
+// Checks if caller has CAP_MAC_ADMIN configured properly.
+// In cases where the capability is missing, this function
+// will write proper error logs for faster debugging.
+//
+// TODO the function would also probably need to check
+// list of "relabel-self" labels set in the process, but
+// libsmack doesn't have such function available (as of Oct 2024).
+//
+// Thats why its a void function & it doesn't abort too
+// (if capability is missing, we CAN have relabel-self configured).
+static inline void security_manager_pre_check()
+{
+ cap_t my_caps = cap_get_proc();
+ if (!my_caps) {
+ LogError("Unable to allocate capability object");
+ return;
+ }
+ cap_flag_value_t cap_flags_value;
+ if (cap_get_flag(my_caps, CAP_MAC_ADMIN, CAP_EFFECTIVE, &cap_flags_value) != 0) {
+ LogError("Can't check if process has CAP_MAC_ADMIN!!!");
+ cap_free(my_caps);
+ return;
+ }
+ if(cap_flags_value != CAP_SET) {
+ LogWarning("Process ****doesn't**** have effective CAP_MAC_ADMIN!"
+ " It can still have dyntransition/relabel-self configured");
+ cap_free(my_caps);
+ return;
+ }
+ cap_free(my_caps);
+}
+
static inline int security_manager_sync_threads_internal(const std::string &app_label)
{
static_assert(ATOMIC_INT_LOCK_FREE == 2, "std::atomic<int> is not always lock free");
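Review bot: `security_manager_pre_check()` examines only the calling thread's effective set, because on Linux `cap_get_proc()` returns the caller's capability state and capabilities are a per-thread attribute. If the label change is later applied from other threads (the neighbouring `security_manager_sync_threads_internal` suggests it may be, but its body is outside this hunk), a silent pre-check does not mean those threads hold CAP_MAC_ADMIN. I would state that limit in the header comment, e.g. `// Only the calling thread's effective set is examined; other threads are not covered.` On style, the last `if` can log the warning and fall through to the single `cap_free(my_caps);` at the end instead of repeating `cap_free` and `return`, which leaves one fewer exit path on which a later edit could leak the capability object.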
(subsession_id ?: "(default)") + ")", Credentials::getCredentialsFromSelf());
return try_catch([&] {
+ security_manager_pre_check();
std::string appLabel, pkgName;
PrepareAppFlags prepareAppFlags;