return SECURITY_MANAGER_SUCCESS;
}
-static int getAppGroups(const std::string appName, std::vector<gid_t> &groups)
+static int getAppGroups(const std::string appProcessLabel, std::vector<gid_t> &groups)
{
ClientRequest request(SecurityModuleCall::APP_GET_GROUPS);
- if (request.send(appName).failed()) {
+ if (request.send(appProcessLabel).failed()) {
LogError("Failed to get list of groups from security-manager service.");
return request.getStatus();
}
return 0;
}
-static inline int security_manager_sync_threads_internal(const char *app_name)
+static inline int security_manager_sync_threads_internal(const std::string &app_label)
{
- LogDebug("security_manager_sync_threads_internal called for app_name: " << app_name);
-
if (ATOMIC_INT_LOCK_FREE != 2) {
LogError("std::atomic<int> is not always lock free");
return SECURITY_MANAGER_ERROR_UNKNOWN;
uid_t cur_tid = Syscall::gettid();
pid_t cur_pid = getpid();
- int ret = fetchLabelForProcess(app_name, g_app_label);
- if (ret != SECURITY_MANAGER_SUCCESS)
- return ret;
+ g_app_label = app_label;
g_threads_count = 0;
g_tid_attr_current_map.clear();
g_smack_present = smack_check();
return SECURITY_MANAGER_SUCCESS;
}
-SECURITY_MANAGER_API
-int security_manager_set_process_groups_from_appid(const char *app_name)
+static int security_manager_set_process_groups_internal(const std::string &app_label)
{
using namespace SecurityManager;
int ret;
- LogDebug("security_manager_set_process_groups_from_appid() called");
-
return try_catch([&]() -> int {
- //checking parameters
-
- if (app_name == nullptr) {
- LogError("app_name is NULL");
- return SECURITY_MANAGER_ERROR_INPUT_PARAM;
- }
std::vector<gid_t> currentGroups;
ret = getProcessGroups(currentGroups);
LogDebug("All privileged supplementary groups count: " << privilegedGroups.size());
std::vector<gid_t> allowedGroups;
- ret = getAppGroups(app_name, allowedGroups);
+ ret = getAppGroups(app_label, allowedGroups);
if (ret != SECURITY_MANAGER_SUCCESS)
return ret;
LogDebug("Allowed privileged supplementary groups count: " << allowedGroups.size());
}
SECURITY_MANAGER_API
+int security_manager_set_process_groups_from_appid(const char *app_name)
+{
+ using namespace SecurityManager;
+
+ LogDebug("security_manager_set_process_groups_from_appid() called");
+
+ return try_catch([&]() -> int {
+ //checking parameters
+
+ if (app_name == nullptr) {
+ LogError("app_name is NULL");
+ return SECURITY_MANAGER_ERROR_INPUT_PARAM;
+ }
+
+ std::string app_label;
+ int ret = fetchLabelForProcess(app_name, app_label);
+ if (ret != SECURITY_MANAGER_SUCCESS) {
+ LogError("Failed to generate smack label for appName: " << app_name);
+ return ret;
+ }
+
+ return security_manager_set_process_groups_internal(app_label);
+ });
+}
+
+SECURITY_MANAGER_API
int security_manager_drop_process_privileges(void)
{
LogDebug("security_manager_drop_process_privileges() called");
return SECURITY_MANAGER_SUCCESS;
}
-static int setupMountNamespace(const std::string appName, std::vector<std::pair<std::string, bool>> &privilegeStatusVector)
+static int setupMountNamespace(const std::string &appProcessLabel, std::vector<std::pair<std::string, bool>> &privilegeStatusVector)
{
ClientRequest request(SecurityModuleCall::APP_SETUP_NAMESPACE);
- if (request.send(appName).failed())
+ if (request.send(appProcessLabel).failed())
return request.getStatus();
request.recv(privilegeStatusVector);
return SECURITY_MANAGER_SUCCESS;
}
-static inline int security_manager_create_namespace_internal(const char *app_name)
+static inline int security_manager_create_namespace_internal(const std::string &app_label)
{
if (!MountNS::isMountNamespaceEnabled())
return SECURITY_MANAGER_SUCCESS;
return ret;
std::vector<std::pair<std::string, bool>> privilegeStatusVector;
- ret = setupMountNamespace(app_name, privilegeStatusVector);
+ ret = setupMountNamespace(app_label, privilegeStatusVector);
if (ret != SECURITY_MANAGER_SUCCESS) {
- LogError("Failed to setup app namespace: " << security_manager_strerror(static_cast<lib_retcode>(ret)) << " App name:" << app_name);
+ LogError("Failed to setup app namespace: " << security_manager_strerror(static_cast<lib_retcode>(ret)));
return ret;
}
for (auto &privilegePath : it->second) {
if (FS::directoryStatus(privilegePath.dstPath) == 0) {
- LogWarning("Not enforcing privilege " << it->first << " for application " << app_name << " : " <<
+ LogWarning("Not enforcing privilege " << it->first << " for application " << app_label << " : " <<
"directory " << privilegePath.dstPath << " doesn't exist");
continue;
}
return static_cast<int>(SECURITY_MANAGER_ERROR_INPUT_PARAM);
}
- int ret = security_manager_set_process_groups_from_appid(app_name);
+ std::string app_label;
+ int ret = fetchLabelForProcess(app_name, app_label);
+ if (ret != SECURITY_MANAGER_SUCCESS) {
+ LogError("Failed to generate smack label for appName: " << app_name);
+ return ret;
+ }
+
+ ret = security_manager_set_process_groups_internal(app_label);
if (ret != SECURITY_MANAGER_SUCCESS) {
LogError("Unable to setup process groups for application " << app_name);
return ret;
}
- ret = security_manager_create_namespace_internal(app_name);
+ ret = security_manager_create_namespace_internal(app_label);
if (ret != SECURITY_MANAGER_SUCCESS) {
LogError("Unable to setup namespace for application " << app_name);
return ret;
}
- ret = security_manager_sync_threads_internal(app_name);
+ ret = security_manager_sync_threads_internal(app_label);
if (ret != SECURITY_MANAGER_SUCCESS) {
LogError("Can't properly setup application threads (Smack label & capabilities) for application " << app_name);
return ret;
/**
* Process query for supplementary groups allowed for the application.
- * For given \ref appName and \ref uid, calculate allowed privileges that give
+ * For given \ref appProcessLabel and \ref uid, calculate allowed privileges that give
* direct access to file system resources. For each permission Cynara will be
* queried.
* Returns set of group ids that are permitted.
*
* @param[in] creds credentials of the requesting process
- * @param[in] appName application identifier
+ * @param[in] appProcessLabel application identifier
* @param[out] groups returned vector of allowed groups
*
* @return API return code, as defined in protocols.h
*/
- int getAppGroups(const Credentials &creds, const std::string &appName,
+ int getAppGroups(const Credentials &creds, const std::string &appProcessLabel,
std::vector<gid_t> &groups);
/**
* Setup app namespace
*
* @param[in] creds credentials of the requesting process
- * @param[in] appName application identifier
+ * @param[in] appProcessLabel application identifier
* @param[out] privilegeStatusVector returned vector of privilege-status pair
*
* @return API return code, as defined in protocols.h
*/
- int appSetupNamespace(const Credentials &creds, const std::string &appName,
+ int appSetupNamespace(const Credentials &creds, const std::string &appProcessLabel,
std::vector<std::pair<std::string, bool>> &privilegeStatusVector);
/**
return SECURITY_MANAGER_SUCCESS;
}
-int ServiceImpl::getAppGroups(const Credentials &creds, const std::string &appName,
+int ServiceImpl::getAppGroups(const Credentials &creds, const std::string &appProcessLabel,
std::vector<gid_t> &groups)
{
try {
- LogDebug("appName: " << appName);
- std::string appProcessLabel = getAppProcessLabel(appName);
LogDebug("smack label: " << appProcessLabel);
std::vector<std::string> privileges;
return SECURITY_MANAGER_SUCCESS;
}
-int ServiceImpl::appSetupNamespace(const Credentials &creds, const std::string &appName,
+int ServiceImpl::appSetupNamespace(const Credentials &creds, const std::string &appProcessLabel,
std::vector<std::pair<std::string, bool>> &privilegeStatusVector)
{
int ret;
}
try {
- const std::string appProcessLabel = getAppProcessLabel(appName);
const std::string uidStr = std::to_string(creds.uid);
const std::string appsDir = MountNS::getUserAppsMountPointsPath(creds.uid);
const std::string appFile = MountNS::getUserAppMountPointPath(creds.uid, appProcessLabel);
void Service::processGetAppGroups(MessageBuffer &buffer, MessageBuffer &send, const Credentials &creds)
{
- std::string appName;
+ std::string appProcessLabel;
std::vector<gid_t> groups;
int ret;
- Deserialization::Deserialize(buffer, appName);
- ret = serviceImpl.getAppGroups(creds, appName, groups);
+ Deserialization::Deserialize(buffer, appProcessLabel);
+ ret = serviceImpl.getAppGroups(creds, appProcessLabel, groups);
Serialization::Serialize(send, ret);
if (ret == SECURITY_MANAGER_SUCCESS)
Serialization::Serialize(send, groups);
void Service::processAppSetupNamespace(MessageBuffer &buffer, MessageBuffer &send, const Credentials &creds)
{
- std::string appName;
+ std::string appProcessLabel;
std::vector<std::pair<std::string, bool>> privilegeStatusVector;
- Deserialization::Deserialize(buffer, appName);
- int ret = serviceImpl.appSetupNamespace(creds, appName, privilegeStatusVector);
+ Deserialization::Deserialize(buffer, appProcessLabel);
+ int ret = serviceImpl.appSetupNamespace(creds, appProcessLabel, privilegeStatusVector);
Serialization::Serialize(send, ret);
if (ret == SECURITY_MANAGER_SUCCESS)
Serialization::Serialize(send, privilegeStatusVector);