Fixes: NB#187583 - Update application launcher to use creds_confine2() for credential setup.

15 years ago · eca50a4466
parent 73b1794412
commit eca50a4466
6 changed files with 70 additions and 10 deletions
--- a/debian/applauncherd-invoker.aegis
+++ b/debian/applauncherd-invoker.aegis
@ -1,6 +1,6 @@
 <aegis>

-  <request>
+  <request policy="add">
        <credential name="applauncherd-launcher::access"/>
    	<for path="/usr/bin/invoker" id="client"/>
  </request>
--- a/src/launcher/appdata.cpp
+++ b/src/launcher/appdata.cpp
@ -19,6 +19,10 @@

 #include "appdata.h"

+#ifdef HAVE_CREDS
+    #include <sys/creds.h>
+#endif
+
 AppData::AppData() :
    m_options(0),
    m_argc(0),
@ -30,6 +34,9 @@ AppData::AppData() :
    m_ioDescriptors(),
    m_gid(0),
    m_uid(0)
+#if defined (HAVE_CREDS)
+  , m_peerCreds(NULL)
+#endif
 {}

 void AppData::setOptions(int newOptions)
@ -143,7 +150,28 @@ void AppData::deleteArgv()
    }
 }

+#if defined (HAVE_CREDS)
+void AppData::setPeerCreds(creds_t peerCreds)
+{
+    m_peerCreds = peerCreds;
+}
+
+creds_t AppData::peerCreds() const
+{
+    return m_peerCreds;
+}
+
+void AppData::deletePeerCreds()
+{
+    creds_free(m_peerCreds);
+    m_peerCreds = NULL;
+}
+#endif // defined (HAVE_CREDS)
+
 AppData::~AppData()
 {
    deleteArgv();
+#if defined (HAVE_CREDS)
+    deletePeerCreds();
+#endif
 }
--- a/src/launcher/appdata.h
+++ b/src/launcher/appdata.h
@ -20,6 +20,10 @@
 #ifndef APPDATA_H
 #define APPDATA_H

+#ifdef HAVE_CREDS
+    #include <sys/creds.h>
+#endif
+
 #include <string>

 using std::string;
@ -101,6 +105,17 @@ public:
    //! Frees the memory reserved for argv
    void deleteArgv();

+#if defined (HAVE_CREDS)
+    //! Store security credentials
+    void setPeerCreds(creds_t peerCreds);
+
+    //! Get the stored credentials
+    creds_t peerCreds() const;
+    
+    //! Free the memory reserved for credentials
+    void deletePeerCreds();
+#endif
+
 private:

    AppData(const AppData & r);
@ -117,6 +132,10 @@ private:
    gid_t       m_gid;
    uid_t       m_uid;

+#if defined (HAVE_CREDS)
+    creds_t     m_peerCreds;
+#endif
+
 };

 #endif // APPDATA_H
--- a/src/launcher/booster.cpp
+++ b/src/launcher/booster.cpp
@ -60,7 +60,7 @@ bool Booster::readCommand()
    m_conn = new Connection(socketId());

    // Accept a new invocation.
-    if (m_conn->acceptConn())
+    if (m_conn->acceptConn(m_app))
    {
        bool res = m_conn->receiveApplicationData(m_app);
        if(!res)
@ -214,7 +214,14 @@ void* Booster::loadMain()
 {
 #ifdef HAVE_CREDS
    // Set application's platform security credentials
-    creds_confine(m_app.fileName().c_str());
+    int err = creds_confine2(m_app.fileName().c_str(), credp_str2flags("set", NULL), m_app.peerCreds());
+    m_app.deletePeerCreds();
+
+    if (err < 0)
+    {
+	// Credential setup has failed, abort.
+	Logger::logErrorAndDie(EXIT_FAILURE, "Failed to setup credentials for launching application: %d\n", err);
+    }
 #endif

    // Load the application as a library
--- a/src/launcher/connection.cpp
+++ b/src/launcher/connection.cpp
@ -120,7 +120,7 @@ void Connection::initSocket(const string socketId)
    }
 }

-bool Connection::acceptConn()
+bool Connection::acceptConn(AppData & rApp)
 {
    m_fd = accept(m_curSocket, NULL, NULL);

@ -130,13 +130,15 @@ bool Connection::acceptConn()
        return false;
    }

-#if defined (HAVE_CREDS) && ! defined (DISABLE_VERIFICATION)
+#if defined (HAVE_CREDS)

    creds_t ccreds = creds_getpeer(m_fd);

-    int allow = creds_have_p(ccreds, m_credsType, m_credsValue);
+    // Fetched peer creds will be free'd with rApp.deletePeerCreds
+    rApp.setPeerCreds(ccreds);

-    creds_free(ccreds);
+#if ! defined (DISABLE_VERIFICATION)
+    int allow = creds_have_p(ccreds, m_credsType, m_credsValue);

    if (!allow)
    {
@ -146,8 +148,9 @@ bool Connection::acceptConn()
        closeConn();
        return false;
    }
+#endif // ! defined (DISABLE_VERIFICATION)

-#endif
+#endif // defined (HAVE_CREDS)

    return true;
 }
--- a/src/launcher/connection.h
+++ b/src/launcher/connection.h
@ -65,9 +65,12 @@ public:

    /*! \brief Accept connection.
     * Accept a socket connection from the invoker.
+     * Stores security credentials of the connected
+     * peer to rApp, if security is enabled. The credentials
+     * in rApp must be released by the caller.
     * \return true on success.
     */
-    bool acceptConn();
+    bool acceptConn(AppData & rApp);

    //! \brief Close the socket connection.
    void closeConn();
@ -170,7 +173,7 @@ private:
    gid_t    m_gid;
    uid_t    m_uid;

-#if defined (HAVE_CREDS) && ! defined (DISABLE_VERIFICATION)
+#if defined (HAVE_CREDS)
    static const char * m_credsStr;
    creds_value_t m_credsValue;
    creds_type_t  m_credsType;