4 * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
6 * Contact: Bumjin Im <bj.im@samsung.com>
8 * Licensed under the Apache License, Version 2.0 (the "License");
9 * you may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS,
16 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License
27 #include <sys/types.h>
28 #include <sys/smack.h>
34 #include <sys/smack.h>
35 #include <sys/types.h>
36 #include <sys/socket.h>
40 #include <privilege-control.h>
41 #include <security-server-system-observer.h>
42 #include <security-server-rules-revoker.h>
44 #include "security-server-cookie.h"
45 #include "security-server-common.h"
46 #include "security-server-password.h"
47 #include "security-server-comm.h"
48 #include "smack-check.h"
50 const char * const LABEL_SECURITY_SERVER_API_DATA_SHARE = "security-server::api-data-share";
52 /* Set cookie as a global variable */
54 pthread_mutex_t cookie_mutex;
55 int thread_status[SECURITY_SERVER_NUM_THREADS];
56 struct security_server_thread_param {
62 int process_app_get_access_request(int sockfd, size_t msg_len);
63 static int netlink_enabled = 1; /* prevent memory leaks when netlink is disabled */
66 /************************************************************************************************/
67 /* Just for test. This code must be removed on release */
68 #include "security-server-util.h"
69 /************************************************************************************************/
72 void printhex(unsigned char *data, int size)
80 printf("%X ", data[i]);
81 if(((i+1) % 16) == 0 && i != 0)
87 void print_cookie(cookie_list *list)
90 printf("%s", "cookie:\n");
91 printhex(list->cookie, SECURITY_SERVER_COOKIE_LEN);
92 printf("path_len: %d\n", list->path_len);
93 printf("permission_len: %d\n", list->permission_len);
94 printf("PID: %d\n", list->pid);
95 printf("path: %s\n", list->path);
96 printf("%s", "permissions: ");
97 for(i=0;i<list->permission_len;i++)
99 printf("%d ", list->permissions[i]);
102 printf("prev: %p\n", list->prev);
103 printf("next: %p\n", list->next);
107 /* Object name is actually name of a Group ID *
108 * This function opens /etc/group file and search group ID and
109 * returns the string */
110 int search_object_name(int gid, char *obj, int obj_size)
113 char *linebuf = NULL, *token = NULL, *token2, *tempstr = NULL;
114 int ret = 0, tmp_gid, bufsize;
115 fp = fopen("/etc/group", "r");
118 /* cannot open /etc/group */
119 SEC_SVR_DBG("%s", "Cannot open /etc/group");
120 return SECURITY_SERVER_ERROR_FILE_OPERATION;
123 linebuf = malloc(128);
127 ret = SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
128 SEC_SVR_DBG("%s", "cannot malloc()");
132 bzero(linebuf, bufsize);
133 ret = SECURITY_SERVER_ERROR_NO_SUCH_OBJECT;
134 while(fgets(linebuf, bufsize, fp) != NULL)
136 while(linebuf[bufsize -2] != 0)
138 linebuf[bufsize -1] = (char) fgetc(fp);
139 tempstr = realloc(linebuf, bufsize + 128);
142 ret = SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
146 bzero(linebuf + bufsize, 128);
147 fgets(linebuf + bufsize, 128, fp);
151 token = strtok(linebuf, ":"); /* group name */
154 SEC_SVR_DBG("/etc/group is not valid. cannot find gid: [%s]", linebuf);
155 ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
158 token2 = strtok(NULL, ":"); /* group password */
161 SEC_SVR_DBG("/etc/group is not valid. cannot find gid: [%s]", linebuf);
162 ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
165 token2 = strtok(NULL, ":"); /* gid */
168 SEC_SVR_DBG("/etc/group is not valid. cannot find gid: [%s]", linebuf);
169 ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
174 tmp_gid = strtoul(token2, 0, 10);
177 SEC_SVR_DBG("cannot change string to integer [%s]", token2);
178 ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
185 if((int)strlen(token) > obj_size)
187 ret = SECURITY_SERVER_ERROR_BUFFER_TOO_SMALL;
188 SEC_SVR_DBG("buffer is too small. %d --> %d", obj_size, strlen(token));
191 strncpy(obj, token, strlen(token));
192 obj[strlen(token)] = 0;
193 ret = SECURITY_SERVER_SUCCESS;
196 bzero(linebuf, bufsize);
207 /* Search GID from group name *
208 * This function opens /etc/group and search group name by given gid */
209 int search_gid(const char *obj)
212 char *linebuf = NULL, *token = NULL, *token2, *tempstr = NULL;
213 int ret = SECURITY_SERVER_ERROR_NO_SUCH_OBJECT, tmp_gid, bufsize;
215 SEC_SVR_DBG("Searching for object %s", obj);
217 fp = fopen("/etc/group", "r");
220 /* cannot open /etc/group */
221 SEC_SVR_DBG("%s", "cannot open /etc/group");
222 return SECURITY_SERVER_ERROR_FILE_OPERATION;
225 linebuf = malloc(128);
229 ret = SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
230 SEC_SVR_DBG("%s", "Out Of Memory");
234 bzero(linebuf, bufsize);
235 while(fgets(linebuf, bufsize, fp) != NULL)
237 while(linebuf[bufsize -2] != 0 )
239 linebuf[bufsize -1] = (char) fgetc(fp);
240 tempstr = realloc(linebuf, bufsize + 128);
243 ret = SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
247 bzero(linebuf + bufsize, 128);
248 fgets(linebuf + bufsize, 128, fp);
252 token = strtok(linebuf, ":"); /* group name */
253 token2 = strtok(NULL, ":"); /* group password */
254 token2 = strtok(NULL, ":"); /* gid */
257 SEC_SVR_DBG("/etc/group is not valid. cannot find gid: [%s]", linebuf);
258 ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
262 tmp_gid = strtoul(token2, 0, 10);
265 SEC_SVR_DBG("cannot change string to integer [%s]", token2);
266 ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
270 if(strcmp(obj, token) == 0)
274 SEC_SVR_DBG("GID of %s is found: %d", obj, ret);
277 bzero(linebuf, bufsize);
288 /* Signal handler for processes */
289 static void security_server_sig_child(int signo, siginfo_t *info, void *data)
298 child_pgid = getpgid(info->si_pid);
299 SEC_SVR_DBG("Signal handler: dead_pid=%d, pgid=%d",info->si_pid,child_pgid);
301 while ((child_pid = waitpid(-1, &status, WNOHANG)) > 0) {
302 if(child_pid == child_pgid)
303 killpg(child_pgid,SIGKILL);
309 /* Execute a debugging tool by fork() and execve() */
310 int execute_debug_tool(int argc, char *const *argv, int server_sockfd, int client_sockfd)
313 SEC_SVR_DBG("%s", "Executing tool");
320 close(client_sockfd);
321 close(server_sockfd);
327 ret = execv(argv[0], argv);
330 SEC_SVR_DBG("Error:Failed to execute [%d]", errno);
336 SEC_SVR_DBG("Error: Failed to fork [%d]", errno);
337 return SECURITY_SERVER_ERROR_SERVER_ERROR;
339 return SECURITY_SERVER_SUCCESS;
342 int process_cookie_request(int sockfd)
344 int retval, client_pid, client_uid;
345 cookie_list *created_cookie = NULL;
347 /* Authenticate client */
348 retval = authenticate_client_application(sockfd, &client_pid, &client_uid);
349 if(retval != SECURITY_SERVER_SUCCESS)
351 SEC_SVR_DBG("%s", "Client Authentication Failed");
352 retval = send_generic_response(sockfd,
353 SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
354 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
355 if(retval != SECURITY_SERVER_SUCCESS)
357 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
361 /* If client application is root process, just respond default cookie */
365 SEC_SVR_DBG("%s", "Requested application is a root process");
366 created_cookie = c_list;
369 SEC_SVR_DBG("%s", "Cannot read default cookie");
376 //TODO: Remove above code if there will be no crashes without it
377 //All process should be treaded the same
378 /* Create a new cookie. or find existing one */
379 pthread_mutex_lock(&cookie_mutex);
380 created_cookie = create_cookie_item(client_pid, sockfd, c_list);
381 pthread_mutex_unlock(&cookie_mutex);
382 if(created_cookie == NULL)
384 SEC_SVR_DBG("%s","Cannot create a cookie");
388 //let others know if this cookie belongs to root process
390 created_cookie->is_roots_process = 1;
392 created_cookie->is_roots_process = 0;
395 /* send cookie as response */
396 retval = send_cookie(sockfd, created_cookie->cookie);
397 if(retval != SECURITY_SERVER_SUCCESS)
399 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
401 SEC_SVR_DBG("Server: Cookie created for client PID %d LABEL >%s<",
403 (created_cookie->smack_label)?(created_cookie->smack_label):"NULL");
405 SEC_SVR_DBG("%s", "Server: Cookie has been sent to client");
411 int process_check_privilege_request(int sockfd)
413 /* Authenticate client */
414 int retval, client_pid, requested_privilege;
416 unsigned char requested_cookie[SECURITY_SERVER_COOKIE_LEN];
417 cookie_list *search_result = NULL;
419 retval = authenticate_client_middleware(sockfd, &client_pid);
420 if(retval != SECURITY_SERVER_SUCCESS)
422 SEC_SVR_DBG("%s", "Client Authentication Failed");
423 retval = send_generic_response(sockfd,
424 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
425 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
426 if(retval != SECURITY_SERVER_SUCCESS)
428 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
433 retval = recv_check_privilege_request(sockfd,
434 requested_cookie, &requested_privilege);
435 if(retval == SECURITY_SERVER_ERROR_RECV_FAILED)
437 SEC_SVR_DBG("%s", "Receiving request failed");
438 retval = send_generic_response(sockfd,
439 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
440 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
441 if(retval != SECURITY_SERVER_SUCCESS)
443 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
448 if(requested_privilege < 1)
450 SEC_SVR_DBG("Requiring bad privilege [%d]", requested_privilege);
451 retval = send_generic_response(sockfd,
452 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
453 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
454 if(retval != SECURITY_SERVER_SUCCESS)
456 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
461 /* Search cookie list */
462 pthread_mutex_lock(&cookie_mutex);
463 privileges[0] = requested_privilege;
464 search_result = search_cookie(c_list, requested_cookie, privileges, 1);
465 pthread_mutex_unlock(&cookie_mutex);
466 if(search_result != NULL)
469 SEC_SVR_DBG("We found the cookie with %d privilege and pid:%d", requested_privilege, client_pid);
470 SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted.");
471 retval = send_generic_response(sockfd,
472 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
473 SECURITY_SERVER_RETURN_CODE_ACCESS_GRANTED);
474 if(retval != SECURITY_SERVER_SUCCESS)
476 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
482 SEC_SVR_DBG("Could not find the cookie with %d privilege", requested_privilege);
483 retval = send_generic_response(sockfd,
484 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
485 SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED);
486 if(retval != SECURITY_SERVER_SUCCESS)
488 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
495 int process_check_privilege_new_request(int sockfd)
497 /* Authenticate client */
498 int retval, client_pid;
499 unsigned char requested_cookie[SECURITY_SERVER_COOKIE_LEN];
500 cookie_list *search_result = NULL;
501 char object_label[MAX_OBJECT_LABEL_LEN+1];
502 char access_rights[MAX_MODE_STR_LEN+1];
504 retval = authenticate_client_middleware(sockfd, &client_pid);
505 if(retval != SECURITY_SERVER_SUCCESS)
507 SEC_SVR_DBG("%s", "Client Authentication Failed");
508 retval = send_generic_response(sockfd,
509 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE,
510 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
511 if(retval != SECURITY_SERVER_SUCCESS)
513 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
518 retval = recv_check_privilege_new_request(
519 sockfd, requested_cookie, object_label, access_rights);
520 if(retval == SECURITY_SERVER_ERROR_RECV_FAILED)
522 SEC_SVR_DBG("%s", "Receiving request failed");
523 retval = send_generic_response(sockfd,
524 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE,
525 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
526 if(retval != SECURITY_SERVER_SUCCESS)
528 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
533 /* Search cookie list */
534 pthread_mutex_lock(&cookie_mutex);
535 search_result = search_cookie_new(c_list, requested_cookie, object_label, access_rights);
536 pthread_mutex_unlock(&cookie_mutex);
538 if(search_result != NULL)
541 SEC_SVR_DBG("We found the cookie with %s rights and pid:%d", access_rights, client_pid);
542 SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted.");
543 retval = send_generic_response(sockfd,
544 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE,
545 SECURITY_SERVER_RETURN_CODE_ACCESS_GRANTED);
546 if(retval != SECURITY_SERVER_SUCCESS)
548 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
554 SEC_SVR_DBG("Could not find the cookie with %s rights", access_rights);
555 retval = send_generic_response(sockfd,
556 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE,
557 SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED);
558 if(retval != SECURITY_SERVER_SUCCESS)
560 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
569 int process_object_name_request(int sockfd)
571 int retval, client_pid, requested_privilege;
572 char object_name[SECURITY_SERVER_MAX_OBJ_NAME];
574 /* Authenticate client */
575 retval = authenticate_client_middleware(sockfd, &client_pid);
576 if(retval != SECURITY_SERVER_SUCCESS)
578 SEC_SVR_DBG("%s", "Client Authentication Failed");
579 retval = send_generic_response(sockfd,
580 SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE,
581 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
582 if(retval != SECURITY_SERVER_SUCCESS)
584 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
590 retval = TEMP_FAILURE_RETRY(read(sockfd, &requested_privilege, sizeof(requested_privilege)));
591 if (retval < (int)sizeof(requested_privilege))
593 SEC_SVR_DBG("%s", "Receiving request failed");
594 retval = send_generic_response(sockfd,
595 SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE,
596 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
597 if(retval != SECURITY_SERVER_SUCCESS)
599 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
604 /* Search from /etc/group */
605 retval = search_object_name(requested_privilege,
607 SECURITY_SERVER_MAX_OBJ_NAME);
608 if (retval == SECURITY_SERVER_ERROR_NO_SUCH_OBJECT)
611 SEC_SVR_DBG("There is no such object for gid [%d]", requested_privilege);
612 retval = send_generic_response(sockfd,
613 SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE,
614 SECURITY_SERVER_RETURN_CODE_NO_SUCH_OBJECT);
615 if(retval != SECURITY_SERVER_SUCCESS)
617 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
621 if(retval != SECURITY_SERVER_SUCCESS)
624 SEC_SVR_DBG("Error on searching object name [%d]", retval);
625 retval = send_generic_response(sockfd,
626 SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE,
627 SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
628 if(retval != SECURITY_SERVER_SUCCESS)
630 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
636 SEC_SVR_DBG("We found object: %s", object_name);
637 retval = send_object_name(sockfd, object_name);
638 if(retval != SECURITY_SERVER_SUCCESS)
640 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
647 int process_gid_request(int sockfd, int msg_len)
649 int retval, client_pid;
650 char object_name[SECURITY_SERVER_MAX_OBJ_NAME];
651 /* Authenticate client as middleware daemon */
652 retval = authenticate_client_middleware(sockfd, &client_pid);
653 if(retval != SECURITY_SERVER_SUCCESS)
655 SEC_SVR_DBG("%s", "Client authentication failed");
656 retval = send_generic_response(sockfd,
657 SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
658 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
659 if(retval != SECURITY_SERVER_SUCCESS)
661 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
666 if(msg_len >= SECURITY_SERVER_MAX_OBJ_NAME)
668 /* Too big ojbect name */
669 SEC_SVR_DBG("%s", "Object name is too big");
670 retval = send_generic_response(sockfd,
671 SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
672 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
673 if(retval != SECURITY_SERVER_SUCCESS)
675 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
680 /* Receive group name */
681 retval = TEMP_FAILURE_RETRY(read(sockfd, object_name, msg_len));
682 if (retval < msg_len )
684 SEC_SVR_DBG("%s", "Failed to read object name");
685 retval = send_generic_response(sockfd,
686 SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
687 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
688 if(retval != SECURITY_SERVER_SUCCESS)
690 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
694 object_name[msg_len] = 0;
696 /* Search /etc/group for the given group name */
697 retval = search_gid(object_name);
698 if (retval == SECURITY_SERVER_ERROR_NO_SUCH_OBJECT)
701 SEC_SVR_DBG("The object [%s] is not exist", object_name);
702 retval = send_generic_response(sockfd,
703 SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
704 SECURITY_SERVER_RETURN_CODE_NO_SUCH_OBJECT);
705 if(retval != SECURITY_SERVER_SUCCESS)
707 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
715 SEC_SVR_DBG("Cannot send the response. %d", retval);
716 retval = send_generic_response(sockfd,
717 SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
718 SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
719 if(retval != SECURITY_SERVER_SUCCESS)
721 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
727 retval = send_gid(sockfd, retval);
728 if(retval != SECURITY_SERVER_SUCCESS)
730 SEC_SVR_DBG("ERROR: Cannot gid response: %d", retval);
736 int process_pid_request(int sockfd)
738 int retval, client_pid;
739 unsigned char requested_cookie[SECURITY_SERVER_COOKIE_LEN];
740 int * privileges = NULL;
741 cookie_list *search_result = NULL;
743 /* Authenticate client */
744 retval = authenticate_client_middleware(sockfd, &client_pid);
745 if(retval != SECURITY_SERVER_SUCCESS)
747 SEC_SVR_DBG("%s", "Client Authentication Failed");
748 retval = send_generic_response(sockfd,
749 SECURITY_SERVER_MSG_TYPE_PID_RESPONSE,
750 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
751 if(retval != SECURITY_SERVER_SUCCESS)
753 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
758 retval = recv_pid_request(sockfd, requested_cookie);
759 if(retval == SECURITY_SERVER_ERROR_RECV_FAILED)
761 SEC_SVR_DBG("%s", "Receiving request failed");
762 retval = send_generic_response(sockfd,
763 SECURITY_SERVER_MSG_TYPE_PID_RESPONSE,
764 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
765 if(retval != SECURITY_SERVER_SUCCESS)
767 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
772 retval = get_client_gid_list(sockfd, &privileges);
775 SEC_SVR_DBG("ERROR: Cannot get GID list");
779 /* Search cookie list */
780 pthread_mutex_lock(&cookie_mutex);
781 search_result = search_cookie(c_list, requested_cookie, privileges, retval);
782 pthread_mutex_unlock(&cookie_mutex);
786 if(search_result != NULL)
789 SEC_SVR_DBG("We found the cookie and pid:%d", search_result->pid);
790 SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted.");
791 retval = send_pid(sockfd, search_result->pid);
793 if(retval != SECURITY_SERVER_SUCCESS)
795 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
801 SEC_SVR_DBG("%s", "Could not find the cookie");
802 retval = send_generic_response(sockfd,
803 SECURITY_SERVER_MSG_TYPE_PID_RESPONSE,
804 SECURITY_SERVER_RETURN_CODE_NO_SUCH_COOKIE);
805 if(retval != SECURITY_SERVER_SUCCESS)
807 SEC_SVR_DBG("ERROR: Cannot send pid response: %d", retval);
814 int process_smack_request(int sockfd)
816 int retval, client_pid;
817 int * privileges = NULL;
818 unsigned char requested_cookie[SECURITY_SERVER_COOKIE_LEN];
819 cookie_list *search_result = NULL;
820 //handler for SMACK label
823 /* Authenticate client */
824 retval = authenticate_client_middleware(sockfd, &client_pid);
825 if(retval != SECURITY_SERVER_SUCCESS)
827 SEC_SVR_DBG("%s", "Client Authentication Failed");
828 retval = send_generic_response(sockfd,
829 SECURITY_SERVER_MSG_TYPE_SMACK_RESPONSE,
830 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
831 if(retval != SECURITY_SERVER_SUCCESS)
833 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
838 retval = recv_smack_request(sockfd, requested_cookie);
839 if(retval == SECURITY_SERVER_ERROR_RECV_FAILED)
841 SEC_SVR_DBG("%s", "Receiving request failed");
842 retval = send_generic_response(sockfd,
843 SECURITY_SERVER_MSG_TYPE_SMACK_RESPONSE,
844 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
845 if(retval != SECURITY_SERVER_SUCCESS)
847 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
852 retval = get_client_gid_list(sockfd, &privileges);
855 SEC_SVR_DBG("ERROR: Cannot get GID list");
859 /* Search cookie list */
860 pthread_mutex_lock(&cookie_mutex);
861 search_result = search_cookie(c_list, requested_cookie, privileges, retval);
862 pthread_mutex_unlock(&cookie_mutex);
866 if(search_result != NULL)
869 SEC_SVR_DBG("We found the cookie and pid:%d", search_result->pid);
870 SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted.");
872 label = search_result->smack_label;
876 SEC_SVR_DBG("%s", "No SMACK support on device - returning empty label");
880 SEC_SVR_DBG("Read label is: %s\n", label);
882 retval = send_smack(sockfd, label);
884 if(retval != SECURITY_SERVER_SUCCESS)
886 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
892 SEC_SVR_DBG("%s", "Could not find the cookie");
893 retval = send_generic_response(sockfd,
894 SECURITY_SERVER_MSG_TYPE_SMACK_RESPONSE,
895 SECURITY_SERVER_RETURN_CODE_NO_SUCH_COOKIE);
896 if(retval != SECURITY_SERVER_SUCCESS)
898 SEC_SVR_DBG("ERROR: Cannot send SMACK label response: %d", retval);
905 int process_pid_privilege_check(int sockfd, int datasize)
907 //In this function we parsing received PID privilege check request
911 char * object = NULL;
912 char * access_rights = NULL;
913 unsigned char return_code;
916 const int B_SIZE = 64;
919 //authenticate client
920 retval = authenticate_client_middleware(sockfd, &client_pid);
922 if (retval != SECURITY_SERVER_SUCCESS) {
923 SEC_SVR_DBG("%s", "Client Authentication Failed");
924 retval = send_generic_response(sockfd,
925 SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE,
926 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
928 if (retval != SECURITY_SERVER_SUCCESS)
929 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
935 retval = recv_pid_privilege_request(sockfd, datasize, &pid, &object, &access_rights);
937 if (retval == SECURITY_SERVER_ERROR_RECV_FAILED) {
938 SEC_SVR_DBG("%s", "Receiving request failed");
939 retval = send_generic_response(sockfd,
940 SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE,
941 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
943 if (retval != SECURITY_SERVER_SUCCESS)
944 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
951 //get SMACK label of process
952 snprintf(buff, B_SIZE, "/proc/%d/attr/current", pid);
954 fd = open(buff, O_RDONLY, 0644);
956 SEC_SVR_DBG("%s", "Error open()");
957 retval = SECURITY_SERVER_ERROR_UNKNOWN;
962 retval = read(fd, buff, B_SIZE);
964 SEC_SVR_DBG("%s", "Error read()");
965 retval = SECURITY_SERVER_ERROR_UNKNOWN;
969 //now we have SMACK label in buff and we call libsmack
970 SEC_SVR_DBG("Subject label of client PID %d is: %s", pid, buff);
971 retval = smack_have_access(buff, object, access_rights);
972 SEC_SVR_DBG("SMACK have access returned %d", retval);
974 SEC_SVR_DBG("SMACK is not available. Subject label has not been read.");
978 SEC_SVR_DBG("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d", pid, buff, object, access_rights, retval);
980 if (retval == 1) //there is permission
981 return_code = SECURITY_SERVER_RETURN_CODE_SUCCESS;
982 else //there is no permission
983 return_code = SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED;
986 retval = send_generic_response(sockfd,
987 SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE,
990 if (retval != SECURITY_SERVER_SUCCESS)
991 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
999 if (access_rights != NULL)
1000 free(access_rights);
1005 int process_tool_request(int client_sockfd, int server_sockfd)
1007 int retval, argcnum = 0;
1008 char **recved_argv = NULL;
1010 /* Authenticate client */
1011 retval = authenticate_developer_shell(client_sockfd);
1012 if(retval != SECURITY_SERVER_SUCCESS)
1014 SEC_SVR_DBG("%s", "Client Authentication Failed");
1015 retval = send_generic_response(client_sockfd,
1016 SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
1017 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
1018 if(retval != SECURITY_SERVER_SUCCESS)
1020 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
1025 /* Receive Total number of argv */
1026 retval = TEMP_FAILURE_RETRY(read(client_sockfd, &argcnum, sizeof(int)));
1027 if((retval < (int)sizeof(int)) || argcnum > (UINT_MAX/sizeof(char *))-2 || argcnum < 0)
1029 SEC_SVR_DBG("Error: argc recieve failed: %d", retval);
1030 retval = send_generic_response(client_sockfd,
1031 SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
1032 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
1033 if(retval != SECURITY_SERVER_SUCCESS)
1035 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
1040 recved_argv = (char **)malloc(sizeof(char *) * argcnum);
1041 if(recved_argv == NULL)
1043 SEC_SVR_DBG("Error: malloc() failed: %d", retval);
1044 retval = send_generic_response(client_sockfd,
1045 SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
1046 SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
1047 if(retval != SECURITY_SERVER_SUCCESS)
1049 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
1053 memset(recved_argv, 0, sizeof(char *) * argcnum);
1055 retval = recv_launch_tool_request(client_sockfd, argcnum-1, recved_argv);
1056 if(retval == SECURITY_SERVER_ERROR_RECV_FAILED || retval == SECURITY_SERVER_ERROR_OUT_OF_MEMORY)
1058 SEC_SVR_DBG("%s", "Receiving request failed");
1059 retval = send_generic_response(client_sockfd,
1060 SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
1061 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
1062 if(retval != SECURITY_SERVER_SUCCESS)
1064 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
1070 SEC_SVR_DBG("Error: Too small number of argv [%d]", argcnum);
1071 retval = send_generic_response(client_sockfd,
1072 SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
1073 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
1074 if(retval != SECURITY_SERVER_SUCCESS)
1076 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
1080 /* Execute the command */
1081 retval = execute_debug_tool(argcnum, recved_argv, server_sockfd, client_sockfd);
1082 if(retval != SECURITY_SERVER_SUCCESS)
1084 SEC_SVR_DBG("Error: Cannot execute debug tool [%d]", retval);
1085 retval = send_generic_response(client_sockfd,
1086 SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
1087 SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
1088 if(retval != SECURITY_SERVER_SUCCESS)
1090 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
1095 SEC_SVR_DBG("%s", "Tool has been executed");
1096 retval = send_generic_response(client_sockfd,
1097 SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
1098 SECURITY_SERVER_RETURN_CODE_SUCCESS);
1099 if(retval != SECURITY_SERVER_SUCCESS)
1101 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
1105 free_argv(recved_argv, argcnum);
1109 int client_has_access(int sockfd, const char *object) {
1116 if(smack_new_label_from_socket(sockfd, &label))
1119 if (0 >= (ret = smack_have_access(label, object, "rw")))
1126 void *security_server_thread(void *param)
1128 int client_sockfd = -1, client_uid, client_pid;
1129 int server_sockfd, retval;
1130 basic_header basic_hdr;
1131 struct security_server_thread_param *my_param;
1133 my_param = (struct security_server_thread_param *) param;
1134 client_sockfd = my_param->client_sockfd;
1135 server_sockfd = my_param->server_sockfd;
1137 /* Receive request header */
1138 retval = recv_hdr(client_sockfd, &basic_hdr);
1139 if(retval == SECURITY_SERVER_ERROR_TIMEOUT || retval == SECURITY_SERVER_ERROR_RECV_FAILED
1140 || retval == SECURITY_SERVER_ERROR_SOCKET)
1142 SEC_SVR_DBG("Receiving header error [%d]",retval);
1143 close(client_sockfd);
1148 if(retval != SECURITY_SERVER_SUCCESS)
1151 SEC_SVR_DBG("Receiving header error [%d]",retval);
1152 retval = send_generic_response(client_sockfd,
1153 SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
1154 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
1155 if(retval != SECURITY_SERVER_SUCCESS)
1157 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
1160 safe_server_sock_close(client_sockfd);
1165 /* Act different for request message ID */
1166 switch(basic_hdr.msg_id)
1168 case SECURITY_SERVER_MSG_TYPE_COOKIE_REQUEST:
1169 SEC_SVR_DBG("%s", "Cookie request received");
1170 process_cookie_request(client_sockfd);
1173 case SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_REQUEST:
1174 SEC_SVR_DBG("%s", "Privilege check received");
1175 process_check_privilege_request(client_sockfd);
1178 case SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_REQUEST:
1179 SEC_SVR_DBG("%s", "Privilege check (new mode) received");
1180 process_check_privilege_new_request(client_sockfd);
1183 case SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_REQUEST:
1184 SEC_SVR_DBG("%s", "Get object name request received");
1185 process_object_name_request(client_sockfd);
1188 case SECURITY_SERVER_MSG_TYPE_GID_REQUEST:
1189 SEC_SVR_DBG("%s", "Get GID received");
1190 process_gid_request(client_sockfd, (int)basic_hdr.msg_len);
1193 case SECURITY_SERVER_MSG_TYPE_PID_REQUEST:
1194 SEC_SVR_DBG("%s", "pid request received");
1195 process_pid_request(client_sockfd);
1198 case SECURITY_SERVER_MSG_TYPE_SMACK_REQUEST:
1199 SEC_SVR_DBG("%s", "SMACK label request received");
1200 process_smack_request(client_sockfd);
1203 case SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_REQUEST:
1204 SEC_SVR_DBG("%s", "PID privilege check request received");
1205 //pass data size to function
1206 process_pid_privilege_check(client_sockfd, basic_hdr.msg_len);
1209 case SECURITY_SERVER_MSG_TYPE_TOOL_REQUEST:
1210 SEC_SVR_DBG("%s", "launch tool request received");
1211 process_tool_request(client_sockfd, server_sockfd);
1214 case SECURITY_SERVER_MSG_TYPE_VALID_PWD_REQUEST:
1215 SEC_SVR_DBG("%s", "Server: validate password request received");
1216 process_valid_pwd_request(client_sockfd);
1219 case SECURITY_SERVER_MSG_TYPE_SET_PWD_REQUEST:
1220 SEC_SVR_DBG("%s", "Server: set password request received");
1221 process_set_pwd_request(client_sockfd);
1224 case SECURITY_SERVER_MSG_TYPE_RESET_PWD_REQUEST:
1225 SEC_SVR_DBG("%s", "Server: reset password request received");
1226 process_reset_pwd_request(client_sockfd);
1229 case SECURITY_SERVER_MSG_TYPE_CHK_PWD_REQUEST:
1230 SEC_SVR_DBG("%s", "Server: check password request received");
1231 process_chk_pwd_request(client_sockfd);
1234 case SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_REQUEST:
1235 SEC_SVR_DBG("%s", "Server: set password histroy request received");
1236 process_set_pwd_history_request(client_sockfd);
1239 case SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_REQUEST:
1240 SEC_SVR_DBG("%s", "Server: set password max challenge request received");
1241 process_set_pwd_max_challenge_request(client_sockfd);
1244 case SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_REQUEST:
1245 SEC_SVR_DBG("%s", "Server: set password validity request received");
1246 process_set_pwd_validity_request(client_sockfd);
1249 case SECURITY_SERVER_MSG_TYPE_APP_GIVE_ACCESS_REQUEST:
1250 if (client_has_access(client_sockfd, LABEL_SECURITY_SERVER_API_DATA_SHARE)) {
1251 SEC_SVR_DBG("%s", "Server: app give access request received");
1252 process_app_get_access_request(client_sockfd,
1253 basic_hdr.msg_len - sizeof(basic_hdr));
1255 SEC_SVR_DBG("%s", "Server: app give access request received (API DENIED - request will not proceed)");
1256 send_generic_response(client_sockfd,
1257 SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
1258 SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED);
1261 /************************************************************************************************/
1262 /* Just for test. This code must be removed on release */
1263 case SECURITY_SERVER_MSG_TYPE_GET_ALL_COOKIES_REQUEST:
1264 SEC_SVR_DBG("%s", "all cookie info request received -- NEED TO BE DELETED ON RELEASE");
1265 retval = authenticate_client_application(client_sockfd, &client_pid, &client_uid);
1266 if(retval != SECURITY_SERVER_SUCCESS)
1268 SEC_SVR_DBG("%s", "Client Authentication Failed");
1269 retval = send_generic_response(client_sockfd,
1270 SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
1271 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
1272 if(retval != SECURITY_SERVER_SUCCESS)
1274 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
1278 retval = util_process_all_cookie(client_sockfd, c_list);
1279 if(retval != SECURITY_SERVER_SUCCESS)
1281 SEC_SVR_DBG("ERROR: Cannot send all cookie info: %d", retval);
1285 case SECURITY_SERVER_MSG_TYPE_GET_COOKIEINFO_FROM_PID_REQUEST:
1286 SEC_SVR_DBG("%s", "cookie info from pid request received -- NEED TO BE DELETED ON RELEASE");
1287 if(retval != SECURITY_SERVER_SUCCESS)
1289 SEC_SVR_DBG("%s", "Client Authentication Failed");
1290 retval = send_generic_response(client_sockfd,
1291 SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
1292 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
1293 if(retval != SECURITY_SERVER_SUCCESS)
1295 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
1299 util_process_cookie_from_pid(client_sockfd, c_list);
1302 case SECURITY_SERVER_MSG_TYPE_GET_COOKIEINFO_FROM_COOKIE_REQUEST:
1303 SEC_SVR_DBG("%s", "cookie info from cookie request received -- NEED TO BE DELETED ON RELEASE");
1304 if(retval != SECURITY_SERVER_SUCCESS)
1306 SEC_SVR_DBG("%s", "Client Authentication Failed");
1307 retval = send_generic_response(client_sockfd,
1308 SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
1309 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
1310 if(retval != SECURITY_SERVER_SUCCESS)
1312 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
1316 util_process_cookie_from_cookie(client_sockfd, c_list);
1318 /************************************************************************************************/
1322 SEC_SVR_DBG("Unknown msg ID :%d", basic_hdr.msg_id);
1323 /* Unknown message ID */
1324 retval = send_generic_response(client_sockfd,
1325 SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
1326 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
1327 if(retval != SECURITY_SERVER_SUCCESS)
1329 SEC_SVR_DBG("ERROR: Cannot send generic response: %d", retval);
1334 if(client_sockfd > 0)
1336 safe_server_sock_close(client_sockfd);
1341 if(client_sockfd > 0)
1342 close(client_sockfd);
1343 thread_status[my_param->thread_status] = 0;
1344 pthread_detach(pthread_self());
1348 void *security_server_main_thread(void *data)
1350 int server_sockfd = 0, retval, client_sockfd = -1, rc;
1351 struct sigaction act, dummy;
1352 pthread_t threads[SECURITY_SERVER_NUM_THREADS];
1353 struct security_server_thread_param param[SECURITY_SERVER_NUM_THREADS];
1357 SEC_SVR_DBG("%s", "Starting Security Server main thread");
1359 /* security server must be executed by root */
1362 fprintf(stderr, "%s\n", "You are not root. exiting...");
1366 for(retval = 0 ; retval < SECURITY_SERVER_NUM_THREADS; retval++)
1367 thread_status[retval] = 0;
1370 /* Create and bind a Unix domain socket */
1371 retval = create_new_socket(&server_sockfd);
1372 if(retval != SECURITY_SERVER_SUCCESS)
1374 SEC_SVR_DBG("%s", "cannot create socket. exiting...");
1378 if(listen(server_sockfd, 5) < 0)
1380 SEC_SVR_DBG("%s", "listen() failed. exiting...");
1384 /* Create a default cookie --> Cookie for root process */
1385 c_list = create_default_cookie();
1388 SEC_SVR_DBG("%s", "cannot make a default cookie. exiting...");
1392 /* Init signal handler */
1393 act.sa_handler = NULL;
1394 act.sa_sigaction = security_server_sig_child;
1395 sigemptyset(&act.sa_mask);
1396 act.sa_flags = SA_NOCLDSTOP | SA_SIGINFO;
1398 if (sigaction(SIGCHLD, &act, &dummy) < 0)
1400 SEC_SVR_DBG("%s", "cannot change session");
1403 pthread_mutex_init(&cookie_mutex, NULL);
1407 /* Accept a new client */
1408 if(client_sockfd < 0)
1409 client_sockfd = accept_client(server_sockfd);
1411 if(client_sockfd == SECURITY_SERVER_ERROR_TIMEOUT)
1413 if(client_sockfd < 0)
1415 SEC_SVR_DBG("Server: new connection has been accepted: %d", client_sockfd);
1419 if(thread_status[retval] == 0)
1421 thread_status[retval] = 1;
1422 param[retval].client_sockfd = client_sockfd;
1423 param[retval].server_sockfd = server_sockfd;
1424 param[retval].thread_status= retval;
1425 SEC_SVR_DBG("Server: Creating a new thread: %d", retval);
1426 rc =pthread_create(&threads[retval], NULL, security_server_thread, (void *)¶m[retval]);
1429 SEC_SVR_DBG("Error: Server: Cannot create thread:%d", rc);
1435 if(retval >= SECURITY_SERVER_NUM_THREADS)
1441 if(server_sockfd > 0)
1442 close(server_sockfd);
1444 pthread_detach(pthread_self());
1448 ssize_t read_wrapper(int sockfd, void *buffer, size_t len) {
1449 unsigned char *buff = (unsigned char *)buffer;
1451 while(done < (int)len) {
1452 struct pollfd fds = { sockfd, POLLIN, 0};
1453 if (0 >= poll(&fds, 1, 1000))
1455 ssize_t ret = read(sockfd, buff+done, len-done);
1462 if (-1 == ret && EAGAIN != errno && EINTR != errno)
1468 int process_app_get_access_request(int sockfd, size_t msg_len)
1470 char *message_buffer = NULL;
1471 char *client_label = NULL;
1472 char *provider_label = NULL;
1473 int ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
1474 int send_message_id = SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE;
1475 int send_error_id = SECURITY_SERVER_RETURN_CODE_SERVER_ERROR;
1478 message_buffer = malloc(msg_len+1);
1479 if (!message_buffer)
1480 return SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
1481 message_buffer[msg_len] = 0;
1483 ssize_t retval = read_wrapper(sockfd, message_buffer, msg_len);
1485 if (retval < (ssize_t)msg_len) {
1486 SEC_SVR_DBG("%s", "Error in read. Message too short");
1487 send_error_id = SECURITY_SERVER_RETURN_CODE_BAD_REQUEST;
1488 ret = SECURITY_SERVER_ERROR_BAD_REQUEST;
1492 memcpy(&client_pid, message_buffer, sizeof(int));
1493 client_label = message_buffer + sizeof(int);
1495 if (smack_check()) {
1496 if (0 != smack_new_label_from_socket(sockfd, &provider_label)) {
1497 SEC_SVR_DBG("%s", "Error in smack_new_label_from_socket");
1501 if (PC_OPERATION_SUCCESS != app_give_access(client_label, provider_label, "rwxat")) {
1502 SEC_SVR_DBG("%s", "Error in app_give_access");
1507 ret = SECURITY_SERVER_SUCCESS;
1508 send_message_id = SECURITY_SERVER_MSG_TYPE_APP_GIVE_ACCESS_RESPONSE;
1509 send_error_id = SECURITY_SERVER_RETURN_CODE_SUCCESS;
1511 if (!netlink_enabled) {
1512 SEC_SVR_DBG("Netlink not supported: Garbage collector inactive.");
1516 if (smack_check()) {
1517 if (0 != rules_revoker_add(client_pid, client_label, provider_label))
1518 SEC_SVR_DBG("%s", "Error in rules_revoker_add.");
1522 retval = send_generic_response(sockfd, send_message_id, send_error_id);
1523 if(retval != SECURITY_SERVER_SUCCESS)
1524 SEC_SVR_DBG("Server ERROR: Cannot send response: %d", retval);
1526 free(message_buffer);
1527 free(provider_label);
1531 void *system_observer_main_thread(void *data) {
1532 system_observer_main(data);
1533 SEC_SVR_DBG("%s", "System observer: exit. No garbage collector support.");
1534 netlink_enabled = 0;
1535 pthread_detach(pthread_self());
1539 int main(int argc, char* argv[])
1542 pthread_t main_thread;
1547 // create observer thread only if smack is enabled
1548 if (smack_check()) {
1549 pthread_t system_observer;
1550 system_observer_config so_config;
1551 so_config.event_callback = rules_revoker_callback;
1553 res = pthread_create(&system_observer, NULL, system_observer_main_thread, (void*)&so_config);
1559 SEC_SVR_DBG("SMACK is not available. Observer thread disabled.");
1562 res = pthread_create(&main_thread, NULL, security_server_main_thread, NULL);
1570 SEC_SVR_DBG("Error: Server: Cannot create main security server thread: %d", res);