Merge "Expose service context name in denial." into stage-aosp-master am: 2834797055 am: b707b3e48e

am: 8cf36ab3b7 Change-Id: I431a303c61e4376789d21d5e85135eefefadc668
author: Steven Moreland <smoreland@google.com> 2019-08-01 14:47:48 -0700
committer: android-build-merger <android-build-merger@google.com> 2019-08-01 14:47:48 -0700
commit: c0a1d9a1385ad37438e30a89dedb3d332bc83c89 (patch)
tree: 0626f82d1b2403bea4263f973dbf6306dafb0d0e
parent: 3e1b23b387ed73229c1c05de318176e6718ea346 (diff)
parent: 8cf36ab3b76e02d966fd7ba96208cce7c29293a4 (diff)
2 files changed, 21 insertions, 7 deletions
diff --git a/cmds/servicemanager/Access.cpp b/cmds/servicemanager/Access.cpp
index d936dbe3a2..606477fee7 100644
--- a/cmds/servicemanager/Access.cpp
+++ b/cmds/servicemanager/Access.cpp
@@ -61,15 +61,21 @@ static struct selabel_handle* getSehandle() {
     return gSehandle;
 }
 
+struct AuditCallbackData {
+    const Access::CallingContext* context;
+    const std::string* tname;
+};
+
 static int auditCallback(void *data, security_class_t /*cls*/, char *buf, size_t len) {
-    const Access::CallingContext* ad = reinterpret_cast<Access::CallingContext*>(data);
+    const AuditCallbackData* ad = reinterpret_cast<AuditCallbackData*>(data);
 
     if (!ad) {
         LOG(ERROR) << "No service manager audit data";
         return 0;
     }
 
-    snprintf(buf, len, "pid=%d uid=%d", ad->debugPid, ad->uid);
+    snprintf(buf, len, "pid=%d uid=%d name=%s", ad->context->debugPid, ad->context->uid,
+        ad->tname->c_str());
     return 0;
 }
 
@@ -113,13 +119,20 @@ bool Access::canAdd(const CallingContext& ctx, const std::string& name) {
 }
 
 bool Access::canList(const CallingContext& ctx) {
-    return actionAllowed(ctx, mThisProcessContext, "list");
+    return actionAllowed(ctx, mThisProcessContext, "list", "service_manager");
 }
 
-bool Access::actionAllowed(const CallingContext& sctx, const char* tctx, const char* perm) {
+bool Access::actionAllowed(const CallingContext& sctx, const char* tctx, const char* perm,
+        const std::string& tname) {
     const char* tclass = "service_manager";
 
-    return 0 == selinux_check_access(sctx.sid.c_str(), tctx, tclass, perm, reinterpret_cast<void*>(const_cast<CallingContext*>((&sctx))));
+    AuditCallbackData data = {
+        .context = &sctx,
+        .tname = &tname,
+    };
+
+    return 0 == selinux_check_access(sctx.sid.c_str(), tctx, tclass, perm,
+        reinterpret_cast<void*>(&data));
 }
 
 bool Access::actionAllowedFromLookup(const CallingContext& sctx, const std::string& name, const char *perm) {
@@ -129,7 +142,7 @@ bool Access::actionAllowedFromLookup(const CallingContext& sctx, const std::stri
         return false;
     }
 
-    bool allowed = actionAllowed(sctx, tctx, perm);
+    bool allowed = actionAllowed(sctx, tctx, perm, name);
     freecon(tctx);
     return allowed;
 }
diff --git a/cmds/servicemanager/Access.h b/cmds/servicemanager/Access.h
index 05a60d33f1..77c2cd4ed6 100644
--- a/cmds/servicemanager/Access.h
+++ b/cmds/servicemanager/Access.h
@@ -45,7 +45,8 @@ public:
     virtual bool canList(const CallingContext& ctx);
 
 private:
-    bool actionAllowed(const CallingContext& sctx, const char* tctx, const char* perm);
+    bool actionAllowed(const CallingContext& sctx, const char* tctx, const char* perm,
+            const std::string& tname);
     bool actionAllowedFromLookup(const CallingContext& sctx, const std::string& name,
             const char *perm);
author	Steven Moreland <smoreland@google.com>	2019-08-01 14:47:48 -0700
committer	android-build-merger <android-build-merger@google.com>	2019-08-01 14:47:48 -0700
commit	c0a1d9a1385ad37438e30a89dedb3d332bc83c89 (patch)
tree	0626f82d1b2403bea4263f973dbf6306dafb0d0e
parent	3e1b23b387ed73229c1c05de318176e6718ea346 (diff)
parent	8cf36ab3b76e02d966fd7ba96208cce7c29293a4 (diff)