Revert "Revert "ACL based on getCallingSid""
This reverts commit 17ef8885d95fbd683ef628190274960aea63e625.
This enables getting security contexts from the kernel.
Bug: 121035042
Test: boot patch w/ w/o kernel patch on cuttlefish and check for
security logs.
Test: check for cnd failures on crosshatch.
Change-Id: I79856555937d0d367e2d00f0155d98bd7fcb260e
Merged-In: I79856555937d0d367e2d00f0155d98bd7fcb260e
(cherry picked from commit f252cf16be806fcdc68ecc6a96fbb1913b84499c)
diff --git a/AccessControl.cpp b/AccessControl.cpp
index 0c73dc6..aa5d43e 100644
--- a/AccessControl.cpp
+++ b/AccessControl.cpp
@@ -14,11 +14,11 @@
struct audit_data {
const char* interfaceName;
+ const char* sid;
pid_t pid;
};
using android::FQName;
-using Context = AccessControl::Context;
AccessControl::AccessControl() {
mSeHandle = selinux_android_hw_service_context_handle();
@@ -37,7 +37,7 @@
selinux_set_callback(SELINUX_CB_LOG, mSeCallbacks);
}
-bool AccessControl::canAdd(const std::string& fqName, const Context &context, pid_t pid) {
+bool AccessControl::canAdd(const std::string& fqName, const CallingContext& callingContext) {
FQName fqIface;
if (!FQName::parse(fqName, &fqIface)) {
@@ -45,10 +45,10 @@
}
const std::string checkName = fqIface.package() + "::" + fqIface.name();
- return checkPermission(context, pid, kPermissionAdd, checkName.c_str());
+ return checkPermission(callingContext, kPermissionAdd, checkName.c_str());
}
-bool AccessControl::canGet(const std::string& fqName, pid_t pid) {
+bool AccessControl::canGet(const std::string& fqName, const CallingContext& callingContext) {
FQName fqIface;
if (!FQName::parse(fqName, &fqIface)) {
@@ -56,42 +56,45 @@
}
const std::string checkName = fqIface.package() + "::" + fqIface.name();
- return checkPermission(getContext(pid), pid, kPermissionGet, checkName.c_str());
+ return checkPermission(callingContext, kPermissionGet, checkName.c_str());
}
-bool AccessControl::canList(pid_t pid) {
- return checkPermission(getContext(pid), pid, mSeContext, kPermissionList, nullptr);
+bool AccessControl::canList(const CallingContext& callingContext) {
+ return checkPermission(callingContext, mSeContext, kPermissionList, nullptr);
}
-Context AccessControl::getContext(pid_t sourcePid) {
+AccessControl::CallingContext AccessControl::getCallingContext(pid_t sourcePid) {
char *sourceContext = nullptr;
if (getpidcon(sourcePid, &sourceContext) < 0) {
ALOGE("SELinux: failed to retrieve process context for pid %d", sourcePid);
- return Context(nullptr, freecon);
+ return { false, "", sourcePid };
}
- return Context(sourceContext, freecon);
+ std::string context = sourceContext;
+ freecon(sourceContext);
+ return { true, context, sourcePid };
}
-bool AccessControl::checkPermission(const Context &context, pid_t sourceAuditPid, const char *targetContext, const char *perm, const char *interface) {
- if (context == nullptr) {
+bool AccessControl::checkPermission(const CallingContext& source, const char *targetContext, const char *perm, const char *interface) {
+ if (!source.sidPresent) {
return false;
}
bool allowed = false;
- struct audit_data ad;
- ad.pid = sourceAuditPid;
+ struct audit_data ad;
+ ad.pid = source.pid;
+ ad.sid = source.sid.c_str();
ad.interfaceName = interface;
- allowed = (selinux_check_access(context.get(), targetContext, "hwservice_manager",
+ allowed = (selinux_check_access(source.sid.c_str(), targetContext, "hwservice_manager",
perm, (void *) &ad) == 0);
return allowed;
}
-bool AccessControl::checkPermission(const Context &context, pid_t sourceAuditPid, const char *perm, const char *interface) {
+bool AccessControl::checkPermission(const CallingContext& source, const char *perm, const char *interface) {
char *targetContext = nullptr;
bool allowed = false;
@@ -101,7 +104,7 @@
return false;
}
- allowed = checkPermission(context, sourceAuditPid, targetContext, perm, interface);
+ allowed = checkPermission(source, targetContext, perm, interface);
freecon(targetContext);
@@ -116,7 +119,9 @@
return 0;
}
- snprintf(buf, len, "interface=%s pid=%d", ad->interfaceName, ad->pid);
+ const char* sid = ad->sid ? ad->sid : "N/A";
+
+ snprintf(buf, len, "interface=%s sid=%s pid=%d", ad->interfaceName, sid, ad->pid);
return 0;
}