Reimplementing process_app_get_access_request
authorZofia Abramowska <z.abramowska@samsung.com>
Mon, 13 May 2013 14:05:38 +0000 (16:05 +0200)
committerZofia Abramowska <z.abramowska@samsung.com>
Mon, 13 May 2013 15:28:14 +0000 (17:28 +0200)
[Issue#] SSDWSSP-229
[Feature] No revoking for label given by this function
[Cause] N/A
[Solution] Rewriting function inside security-server code,
not using libprivilege-control
[Verification] Build and run tests (testcases for revoking label
may fail)

Change-Id: Ie1d682f1dc76c108da7c602c958d8db9d33519ad

src/include/security-server-util.h
src/server/security-server-main.c
src/util/security-server-util-common.c

index 32c9f72..14f89e1 100644 (file)
@@ -34,6 +34,6 @@
 int util_process_all_cookie(int sockfd, cookie_list* list);
 int util_process_cookie_from_pid(int sockfd, cookie_list* list);
 int util_process_cookie_from_cookie(int sockfd, cookie_list* list);
-
+int util_smack_label_is_valid(const char *smack_label);
 
 #endif
index 5235d3c..42518b0 100644 (file)
@@ -1470,10 +1470,13 @@ int process_app_get_access_request(int sockfd, size_t msg_len)
     char *message_buffer = NULL;
     char *client_label = NULL;
     char *provider_label = NULL;
+    struct smack_accesses *smack = NULL;
     int ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
     int send_message_id = SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE;
     int send_error_id = SECURITY_SERVER_RETURN_CODE_SERVER_ERROR;
     int client_pid = 0;
+    static const char * const revoke = "-----";
+    const char *permissions = "rwxat";
 
     message_buffer = malloc(msg_len+1);
     if (!message_buffer)
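Review bot: The two new string constants are declared inconsistently: `revoke` is `static const char * const` while `permissions` is a plain `const char *`, although both are fixed literals that are never reassigned in the visible code. Declaring both the same way, e.g. `static const char * const permissions = "rwxat";`, makes that intent explicit. The name `revoke` is also easy to misread, since it is the removal mask later passed to `smack_accesses_add_modify` and `"-----"` removes nothing; a comment such as `/* access types to remove: none */` would prevent that. The function body continues outside this hunk.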
@@ -1489,6 +1492,7 @@ int process_app_get_access_request(int sockfd, size_t msg_len)
         goto error;
     }
 
+    // Currently we don't use client_pid
     memcpy(&client_pid, message_buffer, sizeof(int));
     client_label = message_buffer + sizeof(int);
 
@@ -1498,25 +1502,29 @@ int process_app_get_access_request(int sockfd, size_t msg_len)
             goto error;
         }
 
-        if (PC_OPERATION_SUCCESS != app_give_access(client_label, provider_label, "rwxat")) {
-            SEC_SVR_DBG("%s", "Error in app_give_access");
+        if (!util_smack_label_is_valid(client_label)) {
+            send_error_id = SECURITY_SERVER_RETURN_CODE_BAD_REQUEST;
             goto error;
         }
+
+        if (smack_accesses_new(&smack))
+            goto error;
+
+        if (smack_accesses_add_modify(smack, client_label,
+                    provider_label, permissions, revoke))
+            goto error;
+
+        if (smack_accesses_apply(smack)){
+            send_message_id = SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED;
+            goto error;
+        }
+
     }
 
     ret = SECURITY_SERVER_SUCCESS;
     send_message_id = SECURITY_SERVER_MSG_TYPE_APP_GIVE_ACCESS_RESPONSE;
     send_error_id = SECURITY_SERVER_RETURN_CODE_SUCCESS;
 
-    if (!netlink_enabled) {
-        SEC_SVR_DBG("Netlink not supported: Garbage collector inactive.");
-        goto error;
-    }
-
-    if (smack_check()) {
-        if (0 != rules_revoker_add(client_pid, client_label, provider_label))
-            SEC_SVR_DBG("%s", "Error in rules_revoker_add.");
-    }
 
 error:
     retval = send_generic_response(sockfd, send_message_id, send_error_id);
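Review bot: In the `smack_accesses_apply` failure branch the return code is stored in the wrong variable: `send_message_id = SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED;` puts a return-code constant into the message type and leaves `send_error_id` at its default server error, so the client never sees ACCESS_DENIED. It should read `send_error_id = SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED;`, matching the BAD_REQUEST branch above it. The `smack_accesses_new` and `smack_accesses_add_modify` failures jump to `error:` without any log line, whereas the removed code logged through `SEC_SVR_DBG`; one `SEC_SVR_DBG` call per branch would keep a failed grant diagnosable. With the `rules_revoker_add` call gone, nothing in this function registers the `rwxat` rule for later removal, so a comment above the block should state that the grant is not revoked here. The label check walks `client_label` to its terminator, which relies on buffer handling outside this hunk, as is the start of the enclosing `if`.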
@@ -1525,6 +1533,7 @@ error:
 
     free(message_buffer);
     free(provider_label);
+    smack_accesses_free(smack);
     return ret;
 }
 
index 6270dea..f79287e 100644 (file)
@@ -25,6 +25,7 @@
 #include <stdlib.h>
 #include <sys/socket.h>
 #include <sys/types.h>
+#include <sys/smack.h>
 #include <fcntl.h>
 #include <sys/un.h>
 #include <errno.h>
@@ -366,3 +367,31 @@ int util_process_cookie_from_cookie(int sockfd, cookie_list* list)
        
        return ret;
 }
+
+int util_smack_label_is_valid(const char *smack_label){
+       int i;
+
+       if (!smack_label || smack_label[0] == '\0' || smack_label[0] == '-')
+               goto err;
+
+       for (i = 0; smack_label[i]; ++i) {
+               if (i >= SMACK_LABEL_LEN)
+                       return 0;
+               switch (smack_label[i]) {
+               case '~':
+               case ' ':
+               case '/':
+               case '"':
+               case '\\':
+               case '\'':
+                       goto err;
+               default:
+                       break;
+               }
+       }
+
+       return 1;
+err:
+       SEC_SVR_ERR("ERROR: Invalid Smack label: %s", smack_label);
+       return 0;
+}
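Review bot: The `err:` path formats `smack_label` with `%s` even when it was reached because `smack_label` is NULL, which is undefined for printf-style formatting; guard the argument, e.g. `SEC_SVR_ERR("ERROR: Invalid Smack label: %s", smack_label ? smack_label : "(null)");`. The switch is a deny-list of six characters, so control characters such as tab or newline and bytes above `~` are accepted as valid; whether a later layer rejects them is not visible here. A range check at the top of the loop body, `if ((unsigned char)smack_label[i] <= ' ' || (unsigned char)smack_label[i] >= '~') goto err;`, covers those and makes the `' '` and `'~'` cases redundant. A rejected label is also logged verbatim, so client-supplied bytes reach the log unfiltered. The over-length branch returns 0 without logging, unlike every other rejection, and using `goto err` there would make the paths consistent.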