provider/download-provider-security.c

   1 /*
   2  * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the License);
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  * http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an AS IS BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 #include <stdio.h>
  18 #include <stdlib.h>
  19 #include <errno.h>
  20 #include <sys/statfs.h>
  21 #include <sys/types.h>
  22 #include <sys/stat.h>
  23 #include <unistd.h>
  24 #include <limits.h>
  25
  26 #include <download-provider.h>
  27 #include <download-provider-log.h>
  28 #include <download-provider-utils.h>
  29
  30 #include <cynara-client.h>
  31 #include <cynara-client-async.h>
  32 #include <cynara-creds-socket.h>
  33 #include <cynara-creds-dbus.h>
  34
  35 #include <app_manager.h>
  36 #include <tzplatform_config.h>
  37
  38 #include "download-provider-security.h"
  39
  40 #define MAX_ARRAY_LEN 1024
  41 #define SECURITY_ATTRIBUTES_PATH "/proc/%d/attr/current"
  42 #define TEMP_DIR "/tmp/"
  43
  44 static int dp_is_exist_dir(const char *dirpath)
  45 {
  46         struct stat dir_state;
  47         int stat_ret;
  48         if (dirpath == NULL) {
  49                 TRACE_ERROR("check path");
  50                 return -1;
  51         }
  52         stat_ret = stat(dirpath, &dir_state);
  53         if (stat_ret == 0 && S_ISDIR(dir_state.st_mode))
  54                 return 0;
  55         return -1;
  56 }
  57
  58 static char *_dp_get_pkg_id(dp_credential cred)
  59 {
  60         char *app_id = NULL;
  61         char *pkg_id = NULL;
  62         app_info_h app_info = NULL;
  63
  64         if (app_manager_get_app_id(cred.pid, &app_id) != APP_MANAGER_ERROR_NONE) {
  65                 TRACE_ERROR("Failed to get application ID");
  66                 return NULL;
  67         }
  68
  69         if (app_info_create(app_id, &app_info) != APP_MANAGER_ERROR_NONE) {
  70                 TRACE_ERROR("Failed to create app_info");
  71                 free(app_id);
  72                 return NULL;
  73         }
  74
  75         if (app_info_get_package(app_info, &pkg_id) != APP_MANAGER_ERROR_NONE) {
  76                 TRACE_ERROR("Failed to get package ID");
  77                 app_info_destroy(app_info);
  78                 free(app_id);
  79                 free(pkg_id);
  80                 return NULL;
  81         }
  82
  83         app_info_destroy(app_info);
  84         free(app_id);
  85
  86         return pkg_id;
  87 }
  88
  89 static int _dp_check_dir_permission(dp_credential cred, const char *privilege)
  90 {
  91         FILE *fd;
  92         int ret;
  93         char client_smack[MAX_ARRAY_LEN + 1] = {0, };
  94         char client_smack_path[MAX_ARRAY_LEN + 1] = {0, };
  95         char uid[20] = {0, };
  96         char *client_session = "";
  97         cynara *p_cynara = NULL;
  98
  99         if (CYNARA_API_SUCCESS != cynara_initialize(&p_cynara, NULL)) {
 100                 TRACE_ERROR("Failed to initialize cynara structure\n");
 101                 return -1;
 102         }
 103
 104         snprintf(client_smack_path, MAX_ARRAY_LEN, SECURITY_ATTRIBUTES_PATH, cred.pid);
 105         fd = fopen(client_smack_path, "r");
 106         if (fd == NULL) {
 107                 TRACE_ERROR("Failed to open %s", client_smack_path);
 108                 cynara_finish(p_cynara);
 109                 return -1;
 110         }
 111         ret = fread(client_smack, 1, MAX_ARRAY_LEN, fd);
 112         if (ferror(fd)) {
 113                 TRACE_ERROR("Failed to read %s", client_smack_path);
 114                 fclose(fd);
 115                 cynara_finish(p_cynara);
 116                 return -1;
 117         }
 118         fclose(fd);
 119         client_smack[ret] = '\0';
 120
 121         snprintf(uid, sizeof(uid), "%d", cred.uid);
 122
 123         TRACE_DEBUG("pid: %d, uid: %s, checked privilege:%s", cred.pid, uid, privilege);
 124         ret = cynara_check(p_cynara, client_smack, client_session, uid, privilege);
 125         cynara_finish(p_cynara);
 126
 127         return (ret == CYNARA_API_ACCESS_ALLOWED) ? 0 : -1;
 128 }
 129
 130 int dp_is_valid_dir(dp_credential cred, const char *dirpath)
 131 {
 132         char default_storage[PATH_MAX + 1] = {0, };
 133         char media_storage[PATH_MAX + 1] = {0, };
 134         char external_storage[PATH_MAX + 1] = {0, };
 135         char apps_storage[PATH_MAX + 1] = {0, };
 136         char resolved_path[PATH_MAX + 1] = {0 , };
 137         char *res = NULL;
 138         char *pkg_id = NULL;
 139         const char *temp = NULL;
 140         int end = 0;
 141
 142         res = realpath(dirpath, NULL);
 143         if (res == NULL) {
 144                 TRACE_ERROR("Failed to get absolute path");
 145                 return DP_ERROR_INVALID_DESTINATION;
 146         }
 147
 148         strncpy(resolved_path, res, PATH_MAX - 1);
 149         free(res);
 150
 151         end = strlen(resolved_path) - 1;
 152         if (resolved_path[end] != '/')
 153                 resolved_path[end + 1] = '/';
 154
 155         TRACE_INFO("%s -> %s", dirpath, resolved_path);
 156
 157         // Check whether directory is exist or not.
 158         if (dp_is_exist_dir(resolved_path) < 0) {
 159                 TRACE_ERROR("%s is not exist.", resolved_path);
 160                 return DP_ERROR_INVALID_DESTINATION;
 161         }
 162
 163         // Check whether directory is temporary directory or not.
 164         if (strncmp(resolved_path, TEMP_DIR, strlen(TEMP_DIR)) == 0)
 165                 return DP_ERROR_NONE;
 166
 167         tzplatform_set_user(cred.uid);
 168
 169         // Check whether directory is default directory or not.
 170         temp = tzplatform_getenv(TZ_USER_DOWNLOADS);
 171         if (temp) {
 172                 snprintf(default_storage, PATH_MAX - 1, "%s/", temp);
 173                 if (strncmp(resolved_path, default_storage,
 174                                         strlen(default_storage)) == 0)
 175                                 return DP_ERROR_NONE;
 176                 temp = NULL;
 177         }
 178
 179         // Check permission: media storage
 180         temp = tzplatform_getenv(TZ_USER_CONTENT);
 181         if (temp) {
 182                 snprintf(media_storage, PATH_MAX - 1, "%s/", temp);
 183                 if (strncmp(resolved_path, media_storage,
 184                                         strlen(media_storage)) == 0) {
 185                         if (_dp_check_dir_permission(cred, MEDIA_STORAGE_PRIVILEGE) < 0) {
 186                                 TRACE_ERROR("Permission denied: %s needs %s privilege",
 187                                                 resolved_path, MEDIA_STORAGE_PRIVILEGE);
 188                                 return DP_ERROR_INVALID_DESTINATION;
 189                         }
 190                         return DP_ERROR_NONE;
 191                 }
 192                 temp = NULL;
 193         }
 194
 195         // Check permission: external storage
 196         temp = tzplatform_getenv(TZ_SYS_STORAGE);
 197         if (temp) {
 198                 snprintf(external_storage, PATH_MAX - 1, "%s/", temp);
 199                 if (strncmp(resolved_path, external_storage,
 200                                         strlen(external_storage)) == 0) {
 201                         if (_dp_check_dir_permission(cred, EXTERNAL_STORAGE_PRIVILEGE) < 0) {
 202                                 TRACE_ERROR("Permission denied: %s needs %s privilege",
 203                                                 resolved_path, EXTERNAL_STORAGE_PRIVILEGE);
 204                                 return DP_ERROR_INVALID_DESTINATION;
 205                         }
 206                         return DP_ERROR_NONE;
 207                 }
 208                 temp = NULL;
 209         }
 210
 211         // Check permission: private storage
 212         temp = tzplatform_getenv(TZ_USER_APP);
 213         if (temp) {
 214                 snprintf(apps_storage, PATH_MAX - 1, "%s/", temp);
 215                 if (strncmp(resolved_path, apps_storage,
 216                                         strlen(apps_storage)) == 0) {
 217                         pkg_id = _dp_get_pkg_id(cred);
 218                         if (!pkg_id)
 219                                 return DP_ERROR_INVALID_DESTINATION;
 220
 221                         TRACE_INFO("pkg_id: %s", pkg_id);
 222                         if (strncmp(resolved_path + strlen(apps_storage),
 223                                                 pkg_id, strlen(pkg_id)) != 0) {
 224                                 TRACE_ERROR("Permission denied");
 225                                 free(pkg_id);
 226                                 return DP_ERROR_INVALID_DESTINATION;
 227                         }
 228                         free(pkg_id);
 229                         return DP_ERROR_NONE;
 230                 }
 231                 temp = NULL;
 232         }
 233
 234         // Check whether directory is shared directory or not.
 235         temp = tzplatform_getenv(TZ_USER_SHARE);
 236         if (temp) {
 237                 if (strncmp(resolved_path, temp,
 238                                         strlen(temp)) == 0)
 239                         return DP_ERROR_NONE;
 240                 temp = NULL;
 241         }
 242
 243         return DP_ERROR_INVALID_DESTINATION;
 244 }
 245
 246 void dp_rebuild_dir(const char *dirpath, mode_t mode)
 247 {
 248         if (dp_is_exist_dir(dirpath) < 0) {
 249                 if (mkdir(dirpath, mode) == 0)
 250                         TRACE_INFO("check directory:%s", dirpath);
 251                 else
 252                         TRACE_ERROR("failed to create directory:%s", dirpath);
 253         }
 254 }
 255
 256 int dp_check_permission(int clientfd, const char *pkgname)
 257 {
 258         int ret;
 259         int result = DP_ERROR_NONE;
 260         cynara *p_cynara = NULL;
 261         cynara_configuration *p_conf = NULL;
 262         size_t cache_size = 100;
 263         const char *client_session = "";
 264         char *client_smack = NULL;
 265         char *uid = NULL;
 266
 267         TRACE_DEBUG("clientfd[%d] pkgname[%s]", clientfd, pkgname);
 268         if (CYNARA_API_SUCCESS != cynara_configuration_create(&p_conf)) {
 269                 TRACE_DEBUG("failed to create cynara configuration");
 270                 result = DP_ERROR_PERMISSION_DENIED;
 271                 goto DONE;
 272         }
 273
 274         if (CYNARA_API_SUCCESS != cynara_configuration_set_cache_size(p_conf, cache_size)) {
 275                 TRACE_DEBUG("failed to set cache size");
 276                 result = DP_ERROR_PERMISSION_DENIED;
 277                 goto DONE;
 278         }
 279
 280         ret = cynara_initialize(&p_cynara, NULL);
 281         if (ret != CYNARA_API_SUCCESS) {
 282                 TRACE_DEBUG("failed to initialize cynara");
 283                 result = DP_ERROR_PERMISSION_DENIED;
 284                 goto DONE;
 285         }
 286
 287         // Get client peer credential
 288         ret = cynara_creds_socket_get_client(clientfd, CLIENT_METHOD_SMACK, &client_smack);
 289         if (ret != CYNARA_API_SUCCESS) {
 290                 TRACE_DEBUG("failed to createsa client identification string");
 291                 result = DP_ERROR_PERMISSION_DENIED;
 292                 goto DONE;
 293         }
 294
 295         ret = cynara_creds_socket_get_user(clientfd, USER_METHOD_UID, &uid);
 296         if (ret != CYNARA_API_SUCCESS) {
 297                 TRACE_DEBUG("failed to create a user identification string");
 298                 result = DP_ERROR_PERMISSION_DENIED;
 299                 goto DONE;
 300         }
 301
 302         // Cynara check
 303         ret = cynara_check(p_cynara, client_smack, client_session, uid, DOWNLOAD_PRIVILEGE);
 304         if (ret == CYNARA_API_ACCESS_ALLOWED) {
 305                 TRACE_DEBUG("CYNARA_API_ACCESS_ALLOWED");
 306         } else {
 307                 TRACE_DEBUG("DP_ERROR_PERMISSION_DENIED");
 308                 result = DP_ERROR_PERMISSION_DENIED;
 309         }
 310
 311 DONE:
 312         if (p_conf)
 313                 cynara_configuration_destroy(p_conf);
 314         if (p_cynara)
 315                 cynara_finish(p_cynara);
 316         free(client_smack);
 317         free(uid);
 318         return result;
 319 }