int pid;
std::string object;
std::string access_rights;
-
+ char subject[SMACK_LABEL_LEN + 1] = {0};
int retCode = SECURITY_SERVER_API_ERROR_SERVER_ERROR;
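Review bot: `subject` is zero-initialised here, but nothing in the visible hunks ever writes to it, so the `SS_SMACK` log lines further down will always record `subject=` with an empty value. The old declaration lived inside the `if (smack_check())` block, so unchanged code between the hunks cannot be filling it either. Either read the caller's Smack label for `pid` into the buffer before the log statements, or drop the field from the message. If it stays, a comment such as `// subject: Smack label of the calling process; empty if it could not be read` would make the intent clear. The enclosing function starts and ends outside this hunk.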
}
if (smack_check()) {
- char subject[SMACK_LABEL_LEN + 1];
- subject[0]='\0';
retval = smack_pid_have_access(pid, object.c_str(), access_rights.c_str());
LogDebug("smack_pid_have_access returned " << retval);
char *path = read_exe_path_from_proc(pid);
if (retval > 0)
- SECURE_SLOGD("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, subject, object, access_rights, retval, path);
+ LogDebug("SS_SMACK: "
+ << "caller_pid=" << pid
+ << ", subject=" << subject
+ << ", object=" << object
+ << ", access=" << access_rights
+ << ", result=" << retval
+ << ", caller_path=" << path);
else
- SECURE_SLOGW("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, subject, object, access_rights, retval, path);
+ LogError("SS_SMACK: "
+ << "caller_pid=" << pid
+ << ", subject=" << subject
+ << ", object=" << object
+ << ", access=" << access_rights
+ << ", result=" << retval
+ << ", caller_path=" << path);
if (path != NULL)
free(path);
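Review bot: `path` is streamed into `LogDebug`/`LogError` before the `if (path != NULL)` check that follows, so a failed `read_exe_path_from_proc(pid)` puts a null `char *` into the `<<` chain in both branches. The removed printf-style macros would typically have printed `(null)`. If these macros sit on a `std::ostream`, inserting a null `const char *` is undefined behaviour and in practice tends to cut the message short, which would lose the denial record in the case where the caller has already exited. Guard it in both places, e.g. `<< ", caller_path=" << (path ? path : "(unknown)")`. The enclosing function continues outside the hunk.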
int authorize_SS_API_caller_socket(int sockfd, char *required_API_label, char *required_rule)
{
int retval;
+ int checkval;
char *label = NULL;
char *path = NULL;
//for getting socket options
goto end;
}
+ retval = smack_have_access(label, required_API_label, required_rule);
+
len = sizeof(cr);
- retval = getsockopt(sockfd, SOL_SOCKET, SO_PEERCRED, &cr, &len);
- if (retval < 0)
- SEC_SVR_ERR("Error in getsockopt() and getting binary path");
- else
+ checkval = getsockopt(sockfd, SOL_SOCKET, SO_PEERCRED, &cr, &len);
+
+ if (checkval < 0) {
+ SEC_SVR_ERR("Error in getsockopt(): client pid is unknown.");
+ if (retval) {
+ SEC_SVR_DBG("SS_SMACK: subject=%s, object=%s, access=%s, result=%d", label, required_API_label, required_rule, retval);
+ } else {
+ SEC_SVR_ERR("SS_SMACK: subject=%s, object=%s, access=%s, result=%d", label, required_API_label, required_rule, retval);
+ }
+ } else {
path = read_exe_path_from_proc(cr.pid);
- retval = smack_have_access(label, required_API_label, required_rule);
+ if (retval == 0) {
+ retval = smack_pid_have_access(cr.pid, required_API_label, required_rule);
+ }
- //some log in SMACK format
- if (retval > 0)
- SECURE_SLOGD("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", cr.pid, label, required_API_label, required_rule, retval, path);
- else
- SECURE_SLOGW("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", cr.pid, label, required_API_label, required_rule, retval, path);
+ const char *cap_info = "";
+ if (retval == 0)
+ cap_info = ", no CAP_MAC_OVERRIDE";
+
+ if (retval > 0) {
+ SEC_SVR_DBG("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s",
+ cr.pid, label, required_API_label, required_rule, retval, path);
+ } else {
+ SEC_SVR_ERR("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s%s",
+ cr.pid, label, required_API_label, required_rule, retval, path, cap_info);
+ }
+ }
end:
if (path != NULL)
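Review bot: In the `checkval < 0` branch, `if (retval)` treats a negative (error) return from `smack_have_access()` as a grant when choosing the log level, so a failed check is written with `SEC_SVR_DBG`, while the `else` branch further down uses `retval > 0`. Make it `if (retval > 0)` so that errors and denials both reach `SEC_SVR_ERR`. Separately, the fallback `smack_pid_have_access(cr.pid, ...)` can turn a label-based denial into a grant keyed on the PID from `SO_PEERCRED`. If that helper looks the process up by PID (the `no CAP_MAC_OVERRIDE` text suggests it does), the PID may no longer refer to the connecting process once the peer has exited. A comment such as `// cr.pid is the peer's pid at connect time and may be stale if the peer has exited` would record that assumption, and it is worth logging a grant that came from the fallback distinctly from one that came from the label check. The function starts and ends outside this hunk.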