summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJosé Bollo <jose.bollo@iot.bzh>2016-10-20 10:35:08 +0200
committerJosé Bollo <jose.bollo@iot.bzh>2016-10-20 12:00:52 +0200
commit62a07cae0e40181daafdb0204c275af66d0f6d64 (patch)
treeb4a6e88e9b5cd12d3f0eba10fcc7d5b06c4d0fa7
parent18103e986d89b9e329f49d9329d8bc40dffd39eb (diff)
afm-run: set smack attributes to user directory
The home directory for applications of a user that was created by the daemon also gets a security label and encures that there is no transmutation. It also simplifies allocation of the directory string. Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-rw-r--r--CMakeLists.txt2
-rw-r--r--src/afm-run.c44
2 files changed, 33 insertions, 13 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index d649186..3c41f58 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -42,6 +42,7 @@ set(afm_icondir "${afm_datadir}/icons" CACHE STRING "Directory for i
set(afm_prefix "urn:AGL:" CACHE STRING "Prefix for uniform resource name")
set(afm_prefix_binding "${afm_prefix}binding:" CACHE STRING "URN for bindings")
set(afm_user_appdir "app-data" CACHE STRING "User subdirectory for applications")
+set(afm_user_appdir_label "User::App-Shared" CACHE STRING "Smack label of the user subdirectory for applications")
set(wgtpkg_trusted_cert_dir "${afm_confdir}/certs" CACHE STRING "Path to internal certificates")
if(USE_SIMULATION)
@@ -58,6 +59,7 @@ add_definitions(
-DFWK_USER_APP_DIR="${afm_user_appdir}"
-DWGTPKG_TRUSTED_CERT_DIR="${wgtpkg_trusted_cert_dir}"
-DFWK_LAUNCH_CONF="${afm_confdir}/afm-launch.conf"
+ -DFWK_USER_APP_DIR_LABEL="${afm_user_appdir_label}"
)
add_subdirectory(src)
diff --git a/src/afm-run.c b/src/afm-run.c
index c5d1552..425189e 100644
--- a/src/afm-run.c
+++ b/src/afm-run.c
@@ -16,6 +16,8 @@
limitations under the License.
*/
+#define _GNU_SOURCE
+
#include <fcntl.h>
#include <unistd.h>
#include <signal.h>
@@ -27,6 +29,13 @@
#include <limits.h>
#include <string.h>
+#include <linux/xattr.h>
+#if SIMULATE_LIBSMACK
+#include "simulation/smack.h"
+#else
+#include <sys/smack.h>
+#endif
+
#include <json-c/json.h>
#include "verbose.h"
@@ -95,6 +104,7 @@ static int runnerid = 0;
* home directory of the user.
*/
static const char fwk_user_app_dir[] = FWK_USER_APP_DIR;
+static const char fwk_user_app_label[] = FWK_USER_APP_DIR_LABEL;
/*
* Path of the root directory for applications of the
@@ -613,7 +623,6 @@ struct json_object *afm_run_state(int runid)
int afm_run_init()
{
char buf[2048];
- char dir[PATH_MAX];
int rc;
uid_t me;
struct passwd passwd, *pw;
@@ -632,25 +641,34 @@ int afm_run_init()
ERROR("getpwuid_r failed for uid=%d: %m",(int)me);
return -1;
}
- rc = snprintf(dir, sizeof dir, "%s/%s", passwd.pw_dir,
- fwk_user_app_dir);
- if (rc >= (int)sizeof dir) {
- ERROR("buffer overflow in user_app_dir for uid=%d",(int)me);
+ rc = asprintf(&homeappdir, "%s/%s", passwd.pw_dir, fwk_user_app_dir);
+ if (rc < 0) {
+ errno = ENOMEM;
+ ERROR("allocating homeappdir for uid=%d failed", (int)me);
return -1;
}
- rc = create_directory(dir, 0755, 1);
+ rc = create_directory(homeappdir, 0755, 1);
if (rc && errno != EEXIST) {
- ERROR("creation of directory %s failed in user_app_dir: %m",
- dir);
+ ERROR("creation of directory %s failed: %m", homeappdir);
+ free(homeappdir);
return -1;
}
- homeappdir = strdup(dir);
- if (homeappdir == NULL) {
- errno = ENOMEM;
- ERROR("out of memory in user_app_dir for %s : %m", dir);
+ rc = smack_remove_label_for_path(homeappdir,
+ XATTR_NAME_SMACKTRANSMUTE, 0);
+ if (rc < 0 && errno != ENODATA) {
+ ERROR("can't remove smack transmutation of directory %s: %m",
+ homeappdir);
+ free(homeappdir);
+ return -1;
+ }
+ rc = smack_set_label_for_path(homeappdir, XATTR_NAME_SMACK, 0,
+ fwk_user_app_label);
+ if (rc < 0) {
+ ERROR("can't set smack label %s to directory %s: %m",
+ fwk_user_app_label, homeappdir);
+ free(homeappdir);
return -1;
}
-
/* install signal handlers */
siga.sa_flags = SA_SIGINFO | SA_NOCLDWAIT;
sigemptyset(&siga.sa_mask);