Fixes: NB#187583 - Update application launcher to use creds_confine2() for credential setup.

pull/1/head
Antti Kervinen 15 years ago
parent 73b1794412
commit eca50a4466

@ -1,6 +1,6 @@
<aegis> <aegis>
<request> <request policy="add">
<credential name="applauncherd-launcher::access"/> <credential name="applauncherd-launcher::access"/>
<for path="/usr/bin/invoker" id="client"/> <for path="/usr/bin/invoker" id="client"/>
</request> </request>

@ -19,6 +19,10 @@
#include "appdata.h" #include "appdata.h"
#ifdef HAVE_CREDS
#include <sys/creds.h>
#endif
AppData::AppData() : AppData::AppData() :
m_options(0), m_options(0),
m_argc(0), m_argc(0),
@ -30,6 +34,9 @@ AppData::AppData() :
m_ioDescriptors(), m_ioDescriptors(),
m_gid(0), m_gid(0),
m_uid(0) m_uid(0)
#if defined (HAVE_CREDS)
, m_peerCreds(NULL)
#endif
{} {}
void AppData::setOptions(int newOptions) void AppData::setOptions(int newOptions)
@ -143,7 +150,28 @@ void AppData::deleteArgv()
} }
} }
#if defined (HAVE_CREDS)
void AppData::setPeerCreds(creds_t peerCreds)
{
m_peerCreds = peerCreds;
}
creds_t AppData::peerCreds() const
{
return m_peerCreds;
}
void AppData::deletePeerCreds()
{
creds_free(m_peerCreds);
m_peerCreds = NULL;
}
#endif // defined (HAVE_CREDS)
AppData::~AppData() AppData::~AppData()
{ {
deleteArgv(); deleteArgv();
#if defined (HAVE_CREDS)
deletePeerCreds();
#endif
} }
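Review bot: `AppData::setPeerCreds()` overwrites `m_peerCreds` without releasing a handle that is already stored. If `acceptConn(m_app)` runs a second time on the same `AppData` (for instance after a rejected or failed invocation, should the booster retry), the earlier peer's credentials would leak. Since AppData now owns the handle and frees it in the destructor, the setter should release the old value first, e.g. `if (m_peerCreds && m_peerCreds != peerCreds) creds_free(m_peerCreds);` before the assignment. Please also confirm that `creds_free()` accepts NULL, because `deletePeerCreds()` runs unconditionally from the destructor and the member starts as NULL.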

@ -20,6 +20,10 @@
#ifndef APPDATA_H #ifndef APPDATA_H
#define APPDATA_H #define APPDATA_H
#ifdef HAVE_CREDS
#include <sys/creds.h>
#endif
#include <string> #include <string>
using std::string; using std::string;
@ -101,6 +105,17 @@ public:
//! Frees the memory reserved for argv //! Frees the memory reserved for argv
void deleteArgv(); void deleteArgv();
#if defined (HAVE_CREDS)
//! Store security credentials
void setPeerCreds(creds_t peerCreds);
//! Get the stored credentials
creds_t peerCreds() const;
//! Free the memory reserved for credentials
void deletePeerCreds();
#endif
private: private:
AppData(const AppData & r); AppData(const AppData & r);
@ -117,6 +132,10 @@ private:
gid_t m_gid; gid_t m_gid;
uid_t m_uid; uid_t m_uid;
#if defined (HAVE_CREDS)
creds_t m_peerCreds;
#endif
}; };
#endif // APPDATA_H #endif // APPDATA_H

@ -60,7 +60,7 @@ bool Booster::readCommand()
m_conn = new Connection(socketId()); m_conn = new Connection(socketId());
// Accept a new invocation. // Accept a new invocation.
if (m_conn->acceptConn()) if (m_conn->acceptConn(m_app))
{ {
bool res = m_conn->receiveApplicationData(m_app); bool res = m_conn->receiveApplicationData(m_app);
if(!res) if(!res)
@ -214,7 +214,14 @@ void* Booster::loadMain()
{ {
#ifdef HAVE_CREDS #ifdef HAVE_CREDS
// Set application's platform security credentials // Set application's platform security credentials
creds_confine(m_app.fileName().c_str()); int err = creds_confine2(m_app.fileName().c_str(), credp_str2flags("set", NULL), m_app.peerCreds());
m_app.deletePeerCreds();
if (err < 0)
{
// Credential setup has failed, abort.
Logger::logErrorAndDie(EXIT_FAILURE, "Failed to setup credentials for launching application: %d\n", err);
}
#endif #endif
// Load the application as a library // Load the application as a library
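Review bot: Nothing checks that `m_app.peerCreds()` is non-NULL before it is handed to `creds_confine2()`. `acceptConn()` stores whatever `creds_getpeer()` returned, and with DISABLE_VERIFICATION defined no later check looks at the handle. What confinement results from a null handle depends on the library, so the launcher should fail closed explicitly: `if (!m_app.peerCreds()) Logger::logErrorAndDie(EXIT_FAILURE, "No peer credentials available for confinement\n");` ahead of the call. `loadMain()` continues outside this hunk.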

@ -120,7 +120,7 @@ void Connection::initSocket(const string socketId)
} }
} }
bool Connection::acceptConn() bool Connection::acceptConn(AppData & rApp)
{ {
m_fd = accept(m_curSocket, NULL, NULL); m_fd = accept(m_curSocket, NULL, NULL);
@ -130,13 +130,15 @@ bool Connection::acceptConn()
return false; return false;
} }
#if defined (HAVE_CREDS) && ! defined (DISABLE_VERIFICATION) #if defined (HAVE_CREDS)
creds_t ccreds = creds_getpeer(m_fd); creds_t ccreds = creds_getpeer(m_fd);
int allow = creds_have_p(ccreds, m_credsType, m_credsValue); // Fetched peer creds will be free'd with rApp.deletePeerCreds
rApp.setPeerCreds(ccreds);
creds_free(ccreds); #if ! defined (DISABLE_VERIFICATION)
int allow = creds_have_p(ccreds, m_credsType, m_credsValue);
if (!allow) if (!allow)
{ {
@ -146,8 +148,9 @@ bool Connection::acceptConn()
closeConn(); closeConn();
return false; return false;
} }
#endif // ! defined (DISABLE_VERIFICATION)
#endif #endif // defined (HAVE_CREDS)
return true; return true;
} }
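Review bot: On the `!allow` path the rejected peer's credentials stay in `rApp` after `closeConn(); return false;`. This is because `setPeerCreds(ccreds)` now runs before the `creds_have_p()` check and the old `creds_free(ccreds)` is gone. Credentials from a connection that failed verification should not remain available to a later `creds_confine2()` call, so add `rApp.deletePeerCreds();` before `return false;` in that branch. Part of the branch lies between the two hunks and is not visible here.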

@ -65,9 +65,12 @@ public:
/*! \brief Accept connection. /*! \brief Accept connection.
* Accept a socket connection from the invoker. * Accept a socket connection from the invoker.
* Stores security credentials of the connected
* peer to rApp, if security is enabled. The credentials
* in rApp must be released by the caller.
* \return true on success. * \return true on success.
*/ */
bool acceptConn(); bool acceptConn(AppData & rApp);
//! \brief Close the socket connection. //! \brief Close the socket connection.
void closeConn(); void closeConn();
@ -170,7 +173,7 @@ private:
gid_t m_gid; gid_t m_gid;
uid_t m_uid; uid_t m_uid;
#if defined (HAVE_CREDS) && ! defined (DISABLE_VERIFICATION) #if defined (HAVE_CREDS)
static const char * m_credsStr; static const char * m_credsStr;
creds_value_t m_credsValue; creds_value_t m_credsValue;
creds_type_t m_credsType; creds_type_t m_credsType;
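Review bot: The new doc text on `acceptConn()` says the credentials in rApp "must be released by the caller", but elsewhere in this commit `AppData::~AppData()` calls `deletePeerCreds()` itself, so ownership actually passes to rApp. I would reword it to `Ownership of the peer credentials passes to rApp; they are freed by AppData::deletePeerCreds() or by its destructor.` A `\param rApp` line is also missing for the new parameter.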
