authorMarius Vlad <marius.vlad@collabora.com>2020-06-10 13:50:55 +0300
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>2020-06-26 15:00:49 +0000
commitea317303ac428ea6c49b30f97d01ff9c92af1268 (patch)
treee2ae172dfeee14720a76e207f95fe17ef95a04de
parentbbf173123cdd4c64330fbf77631a9ae120e7d09f (diff)
policy-default: Use libsmack to check client label
Use the client file descriptor to find out the SMACK label of that client. Enforces homescreen to bind to agl_shell and launcher and alexa-viewer to bind to the agl-shell-desktop interface. Allows access to agl_shell_desktop to tbtnavi and hvac as those contain example code on how to use it for moving it to other outputs. Bug-AGL: SPEC-3396 Signed-off-by: Marius Vlad <marius.vlad@collabora.com> Change-Id: I1a1abf2d2786624ffa484b6577de17f5010d5ac6
-rw-r--r--meson.build6
-rw-r--r--src/policy-default.c48
2 files changed, 54 insertions, 0 deletions
diff --git a/meson.build b/meson.build
index bc65c1c..ad996e8 100644
--- a/meson.build
+++ b/meson.build
@@ -41,6 +41,7 @@ foreach func: optional_libc_funcs
endforeach
dep_libsystemd = dependency('libsystemd', required: false)
+dep_libsmack = dependency('libsmack', required: false)
dep_scanner = dependency('wayland-scanner', native: true)
prog_scanner = find_program(dep_scanner.get_pkgconfig_variable('wayland_scanner'))
dep_wp = dependency('wayland-protocols', version: '>= 1.18')
@@ -180,6 +181,11 @@ if deps_remoting.length() == depnames.length()
message('Found remoting depends, enabling remoting')
endif
+if dep_libsmack.found()
+ config_h.set('HAVE_SMACK', 1)
+ deps_libweston += dep_libsmack
+endif
+
configure_file(output: 'config.h', configuration: config_h)
exe_agl_compositor = executable(
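Review bot: When libsmack is not found, the `if dep_libsmack.found()` block is skipped silently, and because the earlier hunk declares the dependency with `required: false`, the build then compiles the fallback bind hook in src/policy-default.c that returns true for every client. An image whose sysroot loses libsmack would therefore ship without label enforcement, and nothing in the configure output says so. Consider an `else` branch with `warning('libsmack not found, shell interface bind checks are disabled')`, or a build option that makes the dependency mandatory for production images.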
diff --git a/src/policy-default.c b/src/policy-default.c
index 23842ab..a09bb1a 100644
--- a/src/policy-default.c
+++ b/src/policy-default.c
@@ -26,6 +26,12 @@
#include "ivi-compositor.h"
#include "policy.h"
+#ifdef HAVE_SMACK
+#include <sys/smack.h>
+#endif
+
+#include <string.h>
+
/*
* default policy implementation allows every action to be possible
*
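Review bot: `<string.h>` is added unconditionally although `strcmp()` is only used in the HAVE_SMACK variant, while `free()` and the `pid_t`/`uid_t`/`gid_t` types used there get no include of their own in this hunk. They presumably arrive through `ivi-compositor.h`; adding `#include <stdlib.h>` and `#include <sys/types.h>` next to `<string.h>` would remove that dependency. The block comment that follows (it continues outside the hunk) still says the default policy allows every action, which no longer holds when HAVE_SMACK is defined and should be reworded.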
@@ -78,11 +84,52 @@ ivi_policy_default_surface_advertise_state_change(struct ivi_surface *surf, void
return true;
}
+#ifdef HAVE_SMACK
+static bool
+ivi_policy_default_shell_bind_interface(void *client, void *interface)
+{
+ struct wl_interface *shell_interface = interface;
+ struct wl_client *conn_client = client;
+
+ pid_t pid, uid, gid;
+ int client_fd;
+ char *label;
+ bool ret = false;
+
+ wl_client_get_credentials(conn_client, &pid, &uid, &gid);
+
+ client_fd = wl_client_get_fd(conn_client);
+ if (smack_new_label_from_socket(client_fd, &label) < 0) {
+ return ret;
+ }
+
+ if (strcmp(shell_interface->name, "agl_shell") == 0)
+ if (strcmp(label, "User::App::homescreen") == 0)
+ ret = true;
+
+ if (strcmp(shell_interface->name, "agl_shell_desktop") == 0)
+ if (strcmp(label, "User::App::launcher") == 0 ||
+ strcmp(label, "User::App::alexa-viewer") == 0 ||
+ strcmp(label, "User::App::tbtnavi") == 0 ||
+ strcmp(label, "User::App::hvac") == 0)
+ ret = true;
+
+ if (ret)
+ weston_log("Client with pid %d, uid %d, gid %d, allowed "
+ "to bind to %s for label %s\n", pid, uid, gid,
+ shell_interface->name, label);
+
+ /* client responsible for free'ing */
+ free(label);
+ return ret;
+}
+#else
static bool
ivi_policy_default_shell_bind_interface(void *client, void *interface)
{
return true;
}
+#endif
static bool
ivi_policy_default_allow_to_add(void *user_data)
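Review bot: `pid_t pid, uid, gid;` hands `pid_t *` to `wl_client_get_credentials()` where it expects `uid_t *` and `gid_t *`; declare them as `pid_t pid; uid_t uid; gid_t gid;` and print the two unsigned values with `%u`. Separately, only successful binds are logged: a failing `smack_new_label_from_socket()` and a label that is not in the list both return false without a trace, so rejected clients leave no audit record. A `weston_log()` on those two paths carrying the pid, the interface name and (where available) the label would make denials visible. The comment `/* client responsible for free'ing */` reads as if the Wayland client frees the label; `/* label is allocated by libsmack, the caller must free it */` is clearer. The `#else` variant still returns true for every client and deserves a comment stating that builds without HAVE_SMACK perform no bind checks.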
@@ -131,5 +178,6 @@ ivi_policy_init(struct ivi_compositor *ivi)
if (!ivi->policy)
return -1;
+ weston_log("Installing 'allow-all' policy engine\n");
return 0;
}
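Review bot: The added `weston_log("Installing 'allow-all' policy engine\n")` is inaccurate for builds with HAVE_SMACK, where the bind hook in this file now rejects clients by SMACK label. Someone reading the compositor log to confirm enforcement would conclude that nothing is enforced. Suggest choosing the message under `#ifdef HAVE_SMACK`, for example `"Installing default policy engine (SMACK label check on shell bind)\n"`, and keeping the current text only for the build without libsmack. ivi_policy_init starts outside this hunk.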