From: Rafal Krypa <r.krypa@samsung.com>
Date: Thu, 30 Nov 2017 08:38:45 +0000 (+0100)
Subject: Don't enable mount namespace code when the config file is missing or empty
X-Git-Tag: accepted/tizen/unified/20171207.124721~1
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e359f39cd0bfb7d246e517c1ce58e5f457a4f50a;p=platform%2Fcore%2Fsecurity%2Fsecurity-manager.git

Don't enable mount namespace code when the config file is missing or empty

Function isMountNamespaceEnabled will read the privilege-mount.list config
file and return false when reading of that file fails or when it doesn't
contain any proper configuration entries.

Change-Id: I20fabefde1523e204c02e5ab8eb8bbdd532a8b4f
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
---

diff --git a/src/common/mount-namespace.cpp b/src/common/mount-namespace.cpp
index 63f9dc6..88266c5 100644
--- a/src/common/mount-namespace.cpp
+++ b/src/common/mount-namespace.cpp
@@ -25,6 +25,7 @@
 
 #include <pwd.h>
 #include <sys/mount.h>
+#include <sys/stat.h>
 #include <sys/types.h>
 #include <fcntl.h>
 #include <unistd.h>
@@ -120,7 +121,25 @@ std::string getUserAppMountPointPath(uid_t uid, const std::string &appName)
 bool isMountNamespaceEnabled(void)
 {
     auto getStatus = []() -> bool {
-        return (access(SELF_MOUNT_NAMESPACE.c_str(), F_OK) != -1) ? true : false;
+        try {
+            if (access(SELF_MOUNT_NAMESPACE.c_str(), F_OK) == -1)
+                return false;
+
+            struct stat st;
+            if (stat(Config::PRIVILEGE_MOUNT_LIST_FILE.c_str(), &st) == -1)
+                return false;
+            if (st.st_size == 0)
+                return false;
+
+            // File exists and is not empty.
+            // Let's check if it contains any relevant configuration entries.
+            if (getPrivilegePathMap(getuid()).empty())
+                return false;
+        } catch (...) {
+            return false;
+        }
+
+        return true;
     };
 
     static bool isMountNamespaceEnabled = getStatus();