BuildRequires: libattr-devel
BuildRequires: libcap-devel
BuildRequires: pkgconfig(libsmack)
+BuildRequires: pkgconfig(libcap)
BuildRequires: pkgconfig(libsystemd-daemon)
BuildRequires: pkgconfig(libsystemd-journal)
BuildRequires: pkgconfig(libtzplatform-config)
PKG_CHECK_MODULES(CLIENT_DEP
REQUIRED
libsmack
+ libcap
)
SET(CLIENT_VERSION_MAJOR 0)
#include <grp.h>
#include <sys/types.h>
#include <sys/smack.h>
+#include <sys/capability.h>
#include <dpl/log/log.h>
#include <dpl/exception.h>
return SECURITY_MANAGER_SUCCESS;
});
}
+
+SECURITY_MANAGER_API
+int security_manager_drop_process_privileges(void)
+{
+ LogDebug("security_manager_drop_process_privileges() called");
+
+ int ret;
+ cap_t cap = cap_init();
+ if (!cap) {
+ LogError("Unable to allocate capability object");
+ return SECURITY_MANAGER_ERROR_MEMORY;
+ }
+
+ ret = cap_clear(cap);
+ if (ret) {
+ LogError("Unable to initialize capability object");
+ cap_free(cap);
+ return SECURITY_MANAGER_ERROR_UNKNOWN;
+ }
+
+ ret = cap_set_proc(cap);
+ if (ret) {
+ LogError("Unable to drop process capabilities");
+ cap_free(cap);
+ return SECURITY_MANAGER_ERROR_UNKNOWN;
+ }
+
+ cap_free(cap);
+ return SECURITY_MANAGER_SUCCESS;
+}
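Review bot: cap_set_proc() near the end of security_manager_drop_process_privileges() clears only the thread's permitted, inheritable and effective sets; the capability bounding set is left intact, and if the launcher is still uid 0 when it execs the application (not visible in this hunk) the kernel re-grants a full capability set on exec regardless of this call, so the function on its own does not guarantee the application starts unprivileged. Consider shrinking the bounding set with cap_drop_bound() while CAP_SETPCAP is still in the effective set, i.e. before cap_set_proc(), and stating in the header comment that callers must also switch uid/gid (or set SECBIT_NOROOT) before exec. Minor: cap_init() already returns a state with every flag cleared, so the cap_clear() call and its error path are redundant.
```cpp
    /* Shrink the bounding set first: cap_drop_bound() needs CAP_SETPCAP in the
     * effective set, which cap_set_proc() below removes. Without this, an exec
     * of a binary carrying file capabilities could regain privileges. */
    for (cap_value_t c = 0; c <= CAP_LAST_CAP; ++c) {
        if (cap_drop_bound(c)) {
            LogError("Unable to drop capability from bounding set");
            cap_free(cap);
            return SECURITY_MANAGER_ERROR_UNKNOWN;
        }
    }

    ret = cap_set_proc(cap);
    // … unchanged: cap_set_proc error handling, cap_free, return …
```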
*/
int security_manager_set_process_groups_from_appid(const char *app_id);
+/**
+ * The above launcher functions, manipulating process Smack label and group,
+ * require elevated privileges. Since they will be called by launcher after fork,
+ * in the process for the application, privileges should be dropped before
+ * running an actual application. This function is a helper for that purpose -
+ * it drops capabilities from the process.
+ *
+ * \return API return code or error code
+ */
+int security_manager_drop_process_privileges(void);
+
#ifdef __cplusplus
}