author | 2019-07-31 19:44:16 -0700 | |
---|---|---|
committer | 2019-08-01 02:47:59 +0000 | |
commit | 68039a17002f310216fc660faf97026ff7f6037b (patch) | |
tree | 21bf6e82dbc529056edb58f1f594f0bfbcc7aaa2 | |
parent | 102e62527efa031443f4b57d4947f3e3d950f67f (diff) |
Expose service context name in denial.
In order to better debug errors!
Bug: 136023468
Test: boot, make and check denials
Change-Id: I97a0b29b2b9a96fa4f2f53b9cbecfafb56ee2d0f
-rw-r--r-- | cmds/servicemanager/Access.cpp | 25 | ||||
-rw-r--r-- | cmds/servicemanager/Access.h | 3 |
2 files changed, 21 insertions, 7 deletions
diff --git a/cmds/servicemanager/Access.cpp b/cmds/servicemanager/Access.cpp
index d936dbe3a2..606477fee7 100644
--- a/cmds/servicemanager/Access.cpp
+++ b/cmds/servicemanager/Access.cpp
@@ -61,15 +61,21 @@ static struct selabel_handle* getSehandle() {
 return gSehandle;
 }
+struct AuditCallbackData {
+ const Access::CallingContext* context;
+ const std::string* tname;
+};
+
 static int auditCallback(void *data, security_class_t /*cls*/, char *buf, size_t len) {
- const Access::CallingContext* ad = reinterpret_cast<Access::CallingContext*>(data);
+ const AuditCallbackData* ad = reinterpret_cast<AuditCallbackData*>(data);
 if (!ad) {
 LOG(ERROR) << "No service manager audit data";
 return 0;
 }
- snprintf(buf, len, "pid=%d uid=%d", ad->debugPid, ad->uid);
+ snprintf(buf, len, "pid=%d uid=%d name=%s", ad->context->debugPid, ad->context->uid,
+ ad->tname->c_str());
 return 0;
 }
@@ -113,13 +119,20 @@ bool Access::canAdd(const CallingContext& ctx, const std::string& name) {
 }
 bool Access::canList(const CallingContext& ctx) {
- return actionAllowed(ctx, mThisProcessContext, "list");
+ return actionAllowed(ctx, mThisProcessContext, "list", "service_manager");
 }
-bool Access::actionAllowed(const CallingContext& sctx, const char* tctx, const char* perm) {
+bool Access::actionAllowed(const CallingContext& sctx, const char* tctx, const char* perm,
+ const std::string& tname) {
 const char* tclass = "service_manager";
- return 0 == selinux_check_access(sctx.sid.c_str(), tctx, tclass, perm, reinterpret_cast<void*>(const_cast<CallingContext*>((&sctx))));
+ AuditCallbackData data = {
+ .context = &sctx,
+ .tname = &tname,
+ };
+
+ return 0 == selinux_check_access(sctx.sid.c_str(), tctx, tclass, perm,
+ reinterpret_cast<void*>(&data));
 }
 bool Access::actionAllowedFromLookup(const CallingContext& sctx, const std::string& name, const char *perm) {
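Review bot: In auditCallback, the new `name=%s` field writes the service name into the audit record verbatim, and that name reaches this point from the `name` argument of actionAllowedFromLookup, which looks caller-supplied. If nothing validates it before the access check (not visible in this diff), a name containing spaces, `=` or control characters could add forged key=value fields to the denial line that log parsers and analysts rely on. Replacing characters outside a small safe set before formatting keeps the record unambiguous; the set below is only a suggestion. The callback also dereferences `ad->context` and `ad->tname` after checking only `ad`, which holds for the single caller in this diff but deserves a comment on AuditCallbackData.

```cpp
static int auditCallback(void *data, security_class_t /*cls*/, char *buf, size_t len) {
    // … unchanged: cast to AuditCallbackData and null check of ad …

    // The service name may be caller-controlled: keep only characters that
    // cannot break the key=value layout of the audit record.
    std::string safeName(*ad->tname);
    for (char& c : safeName) {
        const bool ok = isalnum(static_cast<unsigned char>(c)) ||
                c == '_' || c == '-' || c == '.' || c == '/';
        if (!ok) c = '?';
    }

    snprintf(buf, len, "pid=%d uid=%d name=%s", ad->context->debugPid, ad->context->uid,
        safeName.c_str());
    // … unchanged: return 0 …
```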
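Review bot: In Access::actionAllowed, `data` is a stack object holding raw pointers to `sctx` and `tname`, so the audit callback may only read it while selinux_check_access() is still running; that is presumably how the callback is invoked, but the assumption is unstated. A comment above the initializer such as `// data and what it points to only need to outlive this call; the audit callback runs inside selinux_check_access()` would record it. Two smaller style points: `static_cast<void*>(&data)` is enough for an object-pointer-to-void conversion, and canList passing the literal `"service_manager"` as tname makes list denials log `name=service_manager`, which reads like a real service name rather than a placeholder.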
@@ -129,7 +142,7 @@ bool Access::actionAllowedFromLookup(const CallingContext& sctx, const std::stri
 return false;
 }
- bool allowed = actionAllowed(sctx, tctx, perm);
+ bool allowed = actionAllowed(sctx, tctx, perm, name);
 freecon(tctx);
 return allowed;
 }
diff --git a/cmds/servicemanager/Access.h b/cmds/servicemanager/Access.h
index 05a60d33f1..77c2cd4ed6 100644
--- a/cmds/servicemanager/Access.h
+++ b/cmds/servicemanager/Access.h
@@ -45,7 +45,8 @@ public:
 virtual bool canList(const CallingContext& ctx);
 private:
- bool actionAllowed(const CallingContext& sctx, const char* tctx, const char* perm);
+ bool actionAllowed(const CallingContext& sctx, const char* tctx, const char* perm,
+ const std::string& tname);
 bool actionAllowedFromLookup(const CallingContext& sctx, const std::string& name,
 const char *perm);
|
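Review bot: The new `tname` parameter on the actionAllowed declaration in Access.h is undocumented, and in Access.cpp it is used only to label the audit record, not in the access decision itself, which is made against `tctx`. A short comment on the declaration, e.g. `// tname is only reported in the denial message; the check itself is made against tctx`, would stop a later reader from assuming the name is what is being authorized. The class body starts and ends outside this hunk.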