diff options
author | Marius Vlad <marius.vlad@collabora.com> | 2020-06-10 13:50:55 +0300 |
---|---|---|
committer | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2020-06-26 15:00:49 +0000 |
commit | ea317303ac428ea6c49b30f97d01ff9c92af1268 (patch) | |
tree | e2ae172dfeee14720a76e207f95fe17ef95a04de | |
parent | bbf173123cdd4c64330fbf77631a9ae120e7d09f (diff) |
policy-default: Use libsmack to check client label
Use the client file descriptor to find out the SMACK label of that
client. Enforces homescreen to bind to agl_shell and launcher and
alexa-viewer to bind to the agl-shell-desktop interface. Allows access
to agl_shell_desktop to tbtnavi and hvac as those contain example code
on use it for moving it to other outputs.
Bug-AGL: SPEC-3396
Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
Change-Id: I1a1abf2d2786624ffa484b6577de17f5010d5ac6
-rw-r--r-- | meson.build | 6 | ||||
-rw-r--r-- | src/policy-default.c | 48 |
2 files changed, 54 insertions, 0 deletions
diff --git a/meson.build b/meson.build index bc65c1c..ad996e8 100644 --- a/meson.build +++ b/meson.build @@ -41,6 +41,7 @@ foreach func: optional_libc_funcs endforeach dep_libsystemd = dependency('libsystemd', required: false) +dep_libsmack = dependency('libsmack', required: false) dep_scanner = dependency('wayland-scanner', native: true) prog_scanner = find_program(dep_scanner.get_pkgconfig_variable('wayland_scanner')) dep_wp = dependency('wayland-protocols', version: '>= 1.18') @@ -180,6 +181,11 @@ if deps_remoting.length() == depnames.length() message('Found remoting depends, enabling remoting') endif +if dep_libsmack.found() + config_h.set('HAVE_SMACK', 1) + deps_libweston += dep_libsmack +endif + configure_file(output: 'config.h', configuration: config_h) exe_agl_compositor = executable( diff --git a/src/policy-default.c b/src/policy-default.c index 23842ab..a09bb1a 100644 --- a/src/policy-default.c +++ b/src/policy-default.c @@ -26,6 +26,12 @@ #include "ivi-compositor.h" #include "policy.h" +#ifdef HAVE_SMACK +#include <sys/smack.h> +#endif + +#include <string.h> + /* * default policy implementation allows every action to be possible * @@ -78,11 +84,52 @@ ivi_policy_default_surface_advertise_state_change(struct ivi_surface *surf, void return true; } +#ifdef HAVE_SMACK +static bool +ivi_policy_default_shell_bind_interface(void *client, void *interface) +{ + struct wl_interface *shell_interface = interface; + struct wl_client *conn_client = client; + + pid_t pid, uid, gid; + int client_fd; + char *label; + bool ret = false; + + wl_client_get_credentials(conn_client, &pid, &uid, &gid); + + client_fd = wl_client_get_fd(conn_client); + if (smack_new_label_from_socket(client_fd, &label) < 0) { + return ret; + } + + if (strcmp(shell_interface->name, "agl_shell") == 0) + if (strcmp(label, "User::App::homescreen") == 0) + ret = true; + + if (strcmp(shell_interface->name, "agl_shell_desktop") == 0) + if (strcmp(label, "User::App::launcher") == 0 || + strcmp(label, "User::App::alexa-viewer") == 0 || + strcmp(label, "User::App::tbtnavi") == 0 || + strcmp(label, "User::App::hvac") == 0) + ret = true; + + if (ret) + weston_log("Client with pid %d, uid %d, gid %d, allowed " + "to bind to %s for label %s\n", pid, uid, gid, + shell_interface->name, label); + + /* client responsible for free'ing */ + free(label); + return ret; +} +#else static bool ivi_policy_default_shell_bind_interface(void *client, void *interface) { return true; } +#endif static bool ivi_policy_default_allow_to_add(void *user_data) @@ -131,5 +178,6 @@ ivi_policy_init(struct ivi_compositor *ivi) if (!ivi->policy) return -1; + weston_log("Installing 'allow-all' policy engine\n"); return 0; } |