author | José Bollo <jose.bollo@iot.bzh> | 2016-10-20 10:35:08 +0200 |
---|---|---|
committer | José Bollo <jose.bollo@iot.bzh> | 2016-10-20 12:00:52 +0200 |
commit | 62a07cae0e40181daafdb0204c275af66d0f6d64 (patch) | |
tree | b4a6e88e9b5cd12d3f0eba10fcc7d5b06c4d0fa7 | |
parent | 18103e986d89b9e329f49d9329d8bc40dffd39eb (diff) |
afm-run: set smack attributes to user directory
The home directory for applications of a user
that was created by the daemon also gets a
security label and ensures that there is no
transmutation.
It also simplifies allocation of the directory string.
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-rw-r--r-- | CMakeLists.txt | 2 | ||||
-rw-r--r-- | src/afm-run.c | 44 |
2 files changed, 33 insertions, 13 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt index d649186..3c41f58 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -42,6 +42,7 @@ set(afm_icondir "${afm_datadir}/icons" CACHE STRING "Directory for i set(afm_prefix "urn:AGL:" CACHE STRING "Prefix for uniform resource name") set(afm_prefix_binding "${afm_prefix}binding:" CACHE STRING "URN for bindings") set(afm_user_appdir "app-data" CACHE STRING "User subdirectory for applications") +set(afm_user_appdir_label "User::App-Shared" CACHE STRING "Smack label of the user subdirectory for applications") set(wgtpkg_trusted_cert_dir "${afm_confdir}/certs" CACHE STRING "Path to internal certificates") if(USE_SIMULATION) @@ -58,6 +59,7 @@ add_definitions( -DFWK_USER_APP_DIR="${afm_user_appdir}" -DWGTPKG_TRUSTED_CERT_DIR="${wgtpkg_trusted_cert_dir}" -DFWK_LAUNCH_CONF="${afm_confdir}/afm-launch.conf" + -DFWK_USER_APP_DIR_LABEL="${afm_user_appdir_label}" ) add_subdirectory(src) diff --git a/src/afm-run.c b/src/afm-run.c index c5d1552..425189e 100644 --- a/src/afm-run.c +++ b/src/afm-run.c @@ -16,6 +16,8 @@ limitations under the License. */ +#define _GNU_SOURCE + #include <fcntl.h> #include <unistd.h> #include <signal.h> @@ -27,6 +29,13 @@ #include <limits.h> #include <string.h> +#include <linux/xattr.h> +#if SIMULATE_LIBSMACK +#include "simulation/smack.h" +#else +#include <sys/smack.h> +#endif + #include <json-c/json.h> #include "verbose.h" @@ -95,6 +104,7 @@ static int runnerid = 0; * home directory of the user. */ static const char fwk_user_app_dir[] = FWK_USER_APP_DIR; +static const char fwk_user_app_label[] = FWK_USER_APP_DIR_LABEL; /* * Path of the root directory for applications of the @@ -613,7 +623,6 @@ struct json_object *afm_run_state(int runid) int afm_run_init() { char buf[2048]; - char dir[PATH_MAX]; int rc; uid_t me; struct passwd passwd, *pw; 
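Review bot: The new `fwk_user_app_label` in the `@@ -95,6 +104,7 @@` hunk of src/afm-run.c has no comment of its own, and the only comment near it describes `fwk_user_app_dir`. I would add `/* Smack label applied to that directory by afm_run_init() */` above the new declaration. That lets a reader see which object receives the label without opening CMakeLists.txt.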
@@ -632,25 +641,34 @@ int afm_run_init()
 ERROR("getpwuid_r failed for uid=%d: %m",(int)me);
 return -1;
 }
- rc = snprintf(dir, sizeof dir, "%s/%s", passwd.pw_dir,
- fwk_user_app_dir);
- if (rc >= (int)sizeof dir) {
- ERROR("buffer overflow in user_app_dir for uid=%d",(int)me);
+ rc = asprintf(&homeappdir, "%s/%s", passwd.pw_dir, fwk_user_app_dir);
+ if (rc < 0) {
+ errno = ENOMEM;
+ ERROR("allocating homeappdir for uid=%d failed", (int)me);
 return -1;
 }
- rc = create_directory(dir, 0755, 1);
+ rc = create_directory(homeappdir, 0755, 1);
 if (rc && errno != EEXIST) {
- ERROR("creation of directory %s failed in user_app_dir: %m",
- dir);
+ ERROR("creation of directory %s failed: %m", homeappdir);
+ free(homeappdir);
 return -1;
 }
- homeappdir = strdup(dir);
- if (homeappdir == NULL) {
- errno = ENOMEM;
- ERROR("out of memory in user_app_dir for %s : %m", dir);
+ rc = smack_remove_label_for_path(homeappdir,
+ XATTR_NAME_SMACKTRANSMUTE, 0);
+ if (rc < 0 && errno != ENODATA) {
+ ERROR("can't remove smack transmutation of directory %s: %m",
+ homeappdir);
+ free(homeappdir);
+ return -1;
+ }
+ rc = smack_set_label_for_path(homeappdir, XATTR_NAME_SMACK, 0,
+ fwk_user_app_label);
+ if (rc < 0) {
+ ERROR("can't set smack label %s to directory %s: %m",
+ fwk_user_app_label, homeappdir);
+ free(homeappdir);
 return -1;
 }
-
 /* install signal handlers */
 siga.sa_flags = SA_SIGINFO | SA_NOCLDWAIT;
 sigemptyset(&siga.sa_mask); |
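Review bot: The transmute removal and the relabel are applied to whatever already sits at `homeappdir`, because a `create_directory` failure with `EEXIST` falls through to `smack_remove_label_for_path` and `smack_set_label_for_path` with no check that the path is a directory owned by `me`; the commit message speaks only of a directory created by the daemon. An `lstat` on `homeappdir` followed by a `S_ISDIR(st.st_mode) && st.st_uid == me` test before the two smack calls would keep the label off a pre-existing file or an entry owned by someone else. Separately, every error path calls `free(homeappdir)` but leaves the pointer set; if `homeappdir` is the file-scope variable it appears to be (its declaration is outside the hunk), add `homeappdir = NULL;` after each `free` so later code cannot use the stale pointer. afm_run_init starts and continues outside this hunk.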