Merge "Expose service context name in denial." into stage-aosp-master am: 2834797055 am: b707b3e48e am: 8cf36ab3b7
am: c0a1d9a138

Change-Id: Ieca8234d053a47cee242021985f12a380d29ccf0
diff --git a/cmds/servicemanager/Access.cpp b/cmds/servicemanager/Access.cpp
index d936dbe..606477f 100644
--- a/cmds/servicemanager/Access.cpp
+++ b/cmds/servicemanager/Access.cpp
@@ -61,15 +61,21 @@
     return gSehandle;
 }
 
+struct AuditCallbackData {
+    const Access::CallingContext* context;
+    const std::string* tname;
+};
+
 static int auditCallback(void *data, security_class_t /*cls*/, char *buf, size_t len) {
-    const Access::CallingContext* ad = reinterpret_cast<Access::CallingContext*>(data);
+    const AuditCallbackData* ad = reinterpret_cast<AuditCallbackData*>(data);
 
     if (!ad) {
         LOG(ERROR) << "No service manager audit data";
         return 0;
     }
 
-    snprintf(buf, len, "pid=%d uid=%d", ad->debugPid, ad->uid);
+    snprintf(buf, len, "pid=%d uid=%d name=%s", ad->context->debugPid, ad->context->uid,
+        ad->tname->c_str());
     return 0;
 }
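Review bot: The new `name=%s` field in auditCallback writes `*ad->tname` into the audit record verbatim, and in the later hunk that string is the `name` argument of actionAllowedFromLookup, which looks like the service name supplied by the calling process. If that name is not validated before the access check (not visible in this diff), a name containing whitespace, `=` or a newline could add or split fields in the denial line and mislead log parsers and detection rules that key on these records. The callback also dereferences `ad->context` and `ad->tname` after checking only `ad` for null. Restricting the logged name to a conservative character set before formatting, as sketched below, keeps the record's key=value layout intact; the allowed set shown is a suggestion and should match whatever the project accepts as a service name.

```cpp
    // … unchanged: cast of data and null check on ad …
    if (!ad->context || !ad->tname) {
        LOG(ERROR) << "Incomplete service manager audit data";
        return 0;
    }

    // The name may be caller-supplied: replace anything that could break the
    // key=value layout of the audit record before it is logged.
    std::string safeName;
    safeName.reserve(ad->tname->size());
    for (const char c : *ad->tname) {
        const bool ok = isalnum(static_cast<unsigned char>(c)) ||
                c == '_' || c == '-' || c == '.' || c == '/';
        safeName.push_back(ok ? c : '?');
    }

    snprintf(buf, len, "pid=%d uid=%d name=%s", ad->context->debugPid, ad->context->uid,
        safeName.c_str());
    return 0;
```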
 
@@ -113,13 +119,20 @@
 }
 
 bool Access::canList(const CallingContext& ctx) {
-    return actionAllowed(ctx, mThisProcessContext, "list");
+    return actionAllowed(ctx, mThisProcessContext, "list", "service_manager");
 }
 
-bool Access::actionAllowed(const CallingContext& sctx, const char* tctx, const char* perm) {
+bool Access::actionAllowed(const CallingContext& sctx, const char* tctx, const char* perm,
+        const std::string& tname) {
     const char* tclass = "service_manager";
 
-    return 0 == selinux_check_access(sctx.sid.c_str(), tctx, tclass, perm, reinterpret_cast<void*>(const_cast<CallingContext*>((&sctx))));
+    AuditCallbackData data = {
+        .context = &sctx,
+        .tname = &tname,
+    };
+
+    return 0 == selinux_check_access(sctx.sid.c_str(), tctx, tclass, perm,
+        reinterpret_cast<void*>(&data));
 }
 
 bool Access::actionAllowedFromLookup(const CallingContext& sctx, const std::string& name, const char *perm) {
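Review bot: `AuditCallbackData data` in actionAllowed lives on the stack and only borrows `sctx` and `tname`, so it is safe only while the audit callback runs before selinux_check_access returns; that assumption should be written down, e.g. `// data borrows sctx and tname; the audit callback must only run during this call`. In canList the `"service_manager"` literal becomes a temporary std::string bound to `tname`, so the same lifetime constraint applies there. It also makes list denials log `name=service_manager`, which a reader could mistake for a service of that name. The `reinterpret_cast<void*>(&data)` is unnecessary because an object pointer converts to `void*` implicitly, and the matching cast in auditCallback could be `static_cast<const AuditCallbackData*>(data)`.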
@@ -129,7 +142,7 @@
         return false;
     }
 
-    bool allowed = actionAllowed(sctx, tctx, perm);
+    bool allowed = actionAllowed(sctx, tctx, perm, name);
     freecon(tctx);
     return allowed;
 }
diff --git a/cmds/servicemanager/Access.h b/cmds/servicemanager/Access.h
index 05a60d3..77c2cd4 100644
--- a/cmds/servicemanager/Access.h
+++ b/cmds/servicemanager/Access.h
@@ -45,7 +45,8 @@
     virtual bool canList(const CallingContext& ctx);
 
 private:
-    bool actionAllowed(const CallingContext& sctx, const char* tctx, const char* perm);
+    bool actionAllowed(const CallingContext& sctx, const char* tctx, const char* perm,
+            const std::string& tname);
     bool actionAllowedFromLookup(const CallingContext& sctx, const std::string& name,
             const char *perm);