From 86d52dd1295c80ca7b456fed3dcecf3231de5892 Mon Sep 17 00:00:00 2001
From: Vyacheslav Cherkashin <v.cherkashin@samsung.com>
Date: Thu, 7 Sep 2017 17:34:07 +0300
Subject: [PATCH] utils: add SMACK permission of connected client checking

Used in auxd and memd for rejected connection process without
'System' smack label.

Change-Id: I71b1c68f1a667c44df8ee3a1f3d30f772266ff26
Signed-off-by: Vyacheslav Cherkashin <v.cherkashin@samsung.com>
---
 src/utils/CMakeLists.txt       |  5 ++++-
 src/utils/unix/unix_server.cpp | 21 +++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/src/utils/CMakeLists.txt b/src/utils/CMakeLists.txt
index a77575b..b2e9801 100644
--- a/src/utils/CMakeLists.txt
+++ b/src/utils/CMakeLists.txt
@@ -37,7 +37,10 @@ set(SRC
 
 
 add_library(${PROJECT_NAME} SHARED ${SRC})
-target_link_libraries(${PROJECT_NAME} libsystemd.so)
+target_link_libraries(${PROJECT_NAME}
+  libsystemd.so
+  libsmack.so
+)
 
 
 install(TARGETS ${PROJECT_NAME} DESTINATION ${LIBDIR})
diff --git a/src/utils/unix/unix_server.cpp b/src/utils/unix/unix_server.cpp
index 6bfdf4d..a7b907a 100644
--- a/src/utils/unix/unix_server.cpp
+++ b/src/utils/unix/unix_server.cpp
@@ -29,6 +29,7 @@
 #include <stdio.h>
 #include <unistd.h>
 #include <string.h>
+#include <sys/smack.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/un.h>
@@ -83,6 +84,19 @@ static int create_unix_socket_sd(const std::string &name, int backlog)
     throw std::runtime_error("Cannot find sd_unix socket");
 }
 
+static std::string get_socket_smack_label(int sock_fd)
+{
+    char *label;
+    int ret = smack_new_label_from_socket(sock_fd, &label);
+    if (ret < 0)
+        return "";
+
+    std::string out(label);
+    ::free(label);
+
+    return out;
+}
+
 
 namespace Unix {
 
@@ -132,6 +146,13 @@ Socket *Server::accept(unsigned int timeout)
     if (sock_fd == -1)
         throw std::runtime_error("Server accept error, errno=" + std::to_string(errno));
 
+    /* Workaround: Check SMACK permission of connected client */
+    std::string label = get_socket_smack_label(sock_fd);
+    if (label != "System") {
+        ::close(sock_fd);
+        throw std::runtime_error("Unauthorized access attempt, SMACK label='" + label + "'");
+    }
+
     return new Socket(sock_fd);
 }
 
-- 
2.7.4