Provide a function for launchers for dropping process capabilities 48/27848/4
authorRafal Krypa <r.krypa@samsung.com>
Tue, 23 Sep 2014 18:08:16 +0000 (20:08 +0200)
committerRafal Krypa <r.krypa@samsung.com>
Fri, 24 Oct 2014 13:22:50 +0000 (06:22 -0700)
The functions for launchers, manipulating process Smack label and groups,
require elevated privileges. Since the launcher will call them after fork,
in the application's process, privileges should be dropped before the
actual application is executed.
This patch introduces a convenience function for launchers for dropping
capabilities from a process: security_manager_drop_process_privileges.

Change-Id: Iff06554bdcf2d51d0163e4dcb83ea9b976896740
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
packaging/security-manager.spec
src/client/CMakeLists.txt
src/client/client-security-manager.cpp
src/include/security-manager.h

index a589b8a..a5d904f 100644 (file)
@@ -13,6 +13,7 @@ BuildRequires: zip
 BuildRequires: libattr-devel
 BuildRequires: libcap-devel
 BuildRequires: pkgconfig(libsmack)
+BuildRequires: pkgconfig(libcap)
 BuildRequires: pkgconfig(libsystemd-daemon)
 BuildRequires: pkgconfig(libsystemd-journal)
 BuildRequires: pkgconfig(libtzplatform-config)
index f0dfe20..5721503 100644 (file)
@@ -1,6 +1,7 @@
 PKG_CHECK_MODULES(CLIENT_DEP
     REQUIRED
     libsmack
+    libcap
     )
 
 SET(CLIENT_VERSION_MAJOR 0)
index c40097a..4081c29 100644 (file)
@@ -32,6 +32,7 @@
 #include <grp.h>
 #include <sys/types.h>
 #include <sys/smack.h>
+#include <sys/capability.h>
 
 #include <dpl/log/log.h>
 #include <dpl/exception.h>
@@ -379,3 +380,33 @@ int security_manager_set_process_groups_from_appid(const char *app_id)
         return SECURITY_MANAGER_SUCCESS;
     });
 }
+
+SECURITY_MANAGER_API
+int security_manager_drop_process_privileges(void)
+{
+    LogDebug("security_manager_drop_process_privileges() called");
+
+    int ret;
+    cap_t cap = cap_init();
+    if (!cap) {
+        LogError("Unable to allocate capability object");
+        return SECURITY_MANAGER_ERROR_MEMORY;
+    }
+
+    ret = cap_clear(cap);
+    if (ret) {
+        LogError("Unable to initialize capability object");
+        cap_free(cap);
+        return SECURITY_MANAGER_ERROR_UNKNOWN;
+    }
+
+    ret = cap_set_proc(cap);
+    if (ret) {
+        LogError("Unable to drop process capabilities");
+        cap_free(cap);
+        return SECURITY_MANAGER_ERROR_UNKNOWN;
+    }
+
+    cap_free(cap);
+    return SECURITY_MANAGER_SUCCESS;
+}
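Review bot: cap_set_proc() on the new line 71 replaces only the effective, permitted and inheritable sets; the capability bounding set is left as it was, so if the launcher later execve()s a binary carrying file capabilities (or a setuid binary while the process is still UID 0) the process can re-acquire capabilities this function was meant to drop. If the intent is an irreversible drop, also clear the bounding set before cap_set_proc() — cap_drop_bound() needs CAP_SETPCAP, which the cap_set_proc() call removes — and state in the header comment (index 7267091..82a3431) which sets are cleared and that UID/GID switching remains the caller's job. The error paths also log only a fixed string; adding strerror(errno) to the cap_set_proc() failure log would make an EPERM distinguishable from other failures, assuming LogError accepts a composed message (not visible here). A minor style point: `int ret;` on line 57 is declared before it is needed; `int ret = cap_clear(cap);` at first use reads more clearly.
```cpp
    // Drop the bounding set first: cap_drop_bound() requires CAP_SETPCAP,
    // which cap_set_proc() below removes. Without this, execve() of a file
    // with file capabilities could re-acquire privileges.
    for (int c = 0; c <= CAP_LAST_CAP; ++c) {
        if (cap_drop_bound(static_cast<cap_value_t>(c))) {
            LogError("Unable to drop capability from bounding set");
            cap_free(cap);
            return SECURITY_MANAGER_ERROR_UNKNOWN;
        }
    }
    // … unchanged: cap_set_proc() and cleanup …
```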
index 7267091..82a3431 100644 (file)
@@ -182,6 +182,17 @@ int security_manager_set_process_label_from_appid(const char *app_id);
  */
 int security_manager_set_process_groups_from_appid(const char *app_id);
 
+/**
+ * The above launcher functions, manipulating process Smack label and group,
+ * require elevated privileges. Since they will be called by launcher after fork,
+ * in the process for the application, privileges should be dropped before
+ * running an actual application. This function is a helper for that purpose -
+ * it drops capabilities from the process.
+ *
+ * \return API return code or error code
+ */
+int security_manager_drop_process_privileges(void);
+
 
 #ifdef __cplusplus
 }
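Review bot: The `\return API return code or error code` line on the new declaration does not tell a launcher which codes to expect, although the implementation has exactly three outcomes. Since callers must treat a failure here as "do not exec the application", the contract is worth spelling out: `\return SECURITY_MANAGER_SUCCESS on success, SECURITY_MANAGER_ERROR_MEMORY if the capability object cannot be allocated, SECURITY_MANAGER_ERROR_UNKNOWN if the capabilities cannot be cleared or applied`. It would also help to add a sentence that on failure the process capabilities are left unchanged and the caller should abort the launch rather than continue, which matches what the implementation does on each error path.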