Adding cap check after smack_have_access in security-server and displaying logs
authorMarcin Niesluchowski <m.niesluchow@samsung.com>
Mon, 19 Aug 2013 14:15:20 +0000 (16:15 +0200)
committerBartlomiej Grzelewski <b.grzelewski@samsung.com>
Thu, 6 Feb 2014 16:13:21 +0000 (17:13 +0100)
regarding this call.

[Issue#]        SSDWSSP-454
[Bug/Feature]   SECURE_SLOG* macros used after smack_have_access() and its wrapper
                don't write messages to dlog and CAP_MAC_OVERRIDE is not checked.
[Cause]         SECURE_SLOG* macros depend on TIZEN_ENGINEER_MODE flag in dlog.h
                which is turned off.
[Solution]      Changing SECURE_SLOG* to SEC_SVR_* and Log* macros and adding check for
                CAP_MAC_OVERRIDE after smack_have_access.
[Verification]  Check dlogutil for those logs.

Change-Id: I167dea72f9c1bcbcc2c4ea7008eea3a6bbbd9c82

src/server2/service/privilege-by-pid.cpp
src/util/security-server-util-common.c

index 826b54f..8067996 100644 (file)
@@ -88,7 +88,7 @@ bool PrivilegeByPidService::readOne(const ConnectionID &conn, SocketBuffer &buff
     int pid;
     std::string object;
     std::string access_rights;
-
+    char subject[SMACK_LABEL_LEN + 1] = {0};
 
     int retCode = SECURITY_SERVER_API_ERROR_SERVER_ERROR;
 
@@ -109,8 +109,6 @@ bool PrivilegeByPidService::readOne(const ConnectionID &conn, SocketBuffer &buff
     }
 
     if (smack_check()) {
-        char subject[SMACK_LABEL_LEN + 1];
-        subject[0]='\0';
         retval = smack_pid_have_access(pid, object.c_str(), access_rights.c_str());
         LogDebug("smack_pid_have_access returned " << retval);
 
@@ -128,9 +126,21 @@ bool PrivilegeByPidService::readOne(const ConnectionID &conn, SocketBuffer &buff
     char *path = read_exe_path_from_proc(pid);
 
     if (retval > 0)
-        SECURE_SLOGD("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, subject, object, access_rights, retval, path);
+        LogDebug("SS_SMACK: "
+                << "caller_pid=" << pid
+                << ", subject=" << subject
+                << ", object=" << object
+                << ", access=" << access_rights
+                << ", result=" << retval
+                << ", caller_path=" << path);
     else
-        SECURE_SLOGW("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, subject, object, access_rights, retval, path);
+        LogError("SS_SMACK: "
+                << "caller_pid=" << pid
+                << ", subject=" << subject
+                << ", object=" << object
+                << ", access=" << access_rights
+                << ", result=" << retval
+                << ", caller_path=" << path);
 
     if (path != NULL)
         free(path);
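Review bot: `path` can be NULL at the point where it is streamed into `LogDebug`/`LogError`, as the `path != NULL` test just below shows, and inserting a null `char *` into a std::ostream is undefined behaviour, whereas the old printf-style `%s` printed a placeholder on glibc. Assuming these macros wrap an ostream, both calls should use `<< ", caller_path=" << (path ? path : "(unknown)")`. `object` and `access_rights` appear to be read from the client's buffer earlier in readOne(), outside this hunk, so it is worth confirming that the log sink escapes newlines and control characters before these values are written. readOne() begins and ends outside the hunk.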
index 0d95f60..8734a34 100644 (file)
@@ -454,6 +454,7 @@ char *read_exe_path_from_proc(pid_t pid)
 int authorize_SS_API_caller_socket(int sockfd, char *required_API_label, char *required_rule)
 {
     int retval;
+    int checkval;
     char *label = NULL;
     char *path = NULL;
     //for getting socket options
@@ -475,20 +476,37 @@ int authorize_SS_API_caller_socket(int sockfd, char *required_API_label, char *r
         goto end;
     }
 
+    retval = smack_have_access(label, required_API_label, required_rule);
+
     len = sizeof(cr);
-    retval = getsockopt(sockfd, SOL_SOCKET, SO_PEERCRED, &cr, &len);
-    if (retval < 0)
-        SEC_SVR_ERR("Error in getsockopt() and getting binary path");
-    else
+    checkval = getsockopt(sockfd, SOL_SOCKET, SO_PEERCRED, &cr, &len);
+
+    if (checkval < 0) {
+        SEC_SVR_ERR("Error in getsockopt(): client pid is unknown.");
+        if (retval) {
+            SEC_SVR_DBG("SS_SMACK: subject=%s, object=%s, access=%s, result=%d", label, required_API_label, required_rule, retval);
+        } else {
+            SEC_SVR_ERR("SS_SMACK: subject=%s, object=%s, access=%s, result=%d", label, required_API_label, required_rule, retval);
+        }
+    } else {
         path = read_exe_path_from_proc(cr.pid);
 
-    retval = smack_have_access(label, required_API_label, required_rule);
+        if (retval == 0) {
+            retval = smack_pid_have_access(cr.pid, required_API_label, required_rule);
+        }
 
-    //some log in SMACK format
-    if (retval > 0)
-        SECURE_SLOGD("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", cr.pid, label, required_API_label, required_rule, retval, path);
-    else
-        SECURE_SLOGW("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", cr.pid, label, required_API_label, required_rule, retval, path);
+        const char *cap_info = "";
+        if (retval == 0)
+            cap_info = ", no CAP_MAC_OVERRIDE";
+
+        if (retval > 0) {
+            SEC_SVR_DBG("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s",
+                        cr.pid, label, required_API_label, required_rule, retval, path);
+        } else {
+            SEC_SVR_ERR("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s%s",
+                        cr.pid, label, required_API_label, required_rule, retval, path, cap_info);
+        }
+    }
 
 end:
     if (path != NULL)
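Review bot: In the getsockopt() failure branch, `if (retval)` sends a negative smack_have_access() result (libsmack returns -1 on error) down the SEC_SVR_DBG path, so a failed access check is logged at debug level as if access had been granted; the else branch uses `retval > 0`, and this one should too: `if (retval > 0) {`. Separately, the new fallback `smack_pid_have_access(cr.pid, ...)` makes an authorization decision by pid, and SO_PEERCRED reports the peer's pid as recorded at connect time. If the helper resolves the process through /proc (its body is not in this hunk), a peer that has exited and whose pid was reused would be evaluated as a different process, so the assumption deserves a comment or a re-check of the peer credentials. `path` may also be NULL when passed to `%s` in the two log calls, as the `path != NULL` test after `end:` shows. The function starts before and continues past this hunk.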