4 * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
6 * Contact: Bumjin Im <bj.im@samsung.com>
8 * Licensed under the Apache License, Version 2.0 (the "License");
9 * you may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS,
16 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License
27 #include <sys/types.h>
28 #include <sys/smack.h>
34 #include <sys/smack.h>
35 #include <sys/types.h>
36 #include <sys/socket.h>
42 #include <server2-main.h>
44 #include <privilege-control.h>
46 #include "security-server-cookie.h"
47 #include "security-server-common.h"
48 #include "security-server-password.h"
49 #include "security-server-comm.h"
50 #include "smack-check.h"
52 //definitions of security-server API labels
53 #define API_PASSWD_SET "security-server::api-password-set"
54 #define API_PASSWD_CHECK "security-server::api-password-check"
55 #define API_DATA_SHARE "security-server::api-data-share"
56 #define API_MIDDLEWARE "security-server::api-middleware"
57 #define API_FREE_ACCESS "*"
60 #define API_RULE_REQUIRED "w"
62 /* Set cookie as a global variable */
64 pthread_mutex_t cookie_mutex;
65 int thread_status[SECURITY_SERVER_NUM_THREADS];
66 struct security_server_thread_param {
73 /************************************************************************************************/
74 /* Just for test. This code must be removed on release */
75 #include "security-server-util.h"
76 /************************************************************************************************/
79 void printhex(unsigned char *data, int size)
82 for (i = 0; i < size; i++)
87 printf("%X ", data[i]);
88 if (((i + 1) % 16) == 0 && i != 0)
94 void print_cookie(cookie_list *list)
97 printf("%s", "cookie:\n");
98 printhex(list->cookie, SECURITY_SERVER_COOKIE_LEN);
99 printf("path_len: %d\n", list->path ? strlen(list->path) : 0);
100 printf("permission_len: %d\n", list->permission_len);
101 printf("PID: %d\n", list->pid);
102 printf("path: %s\n", list->path);
103 printf("%s", "permissions: ");
104 for (i = 0; i < list->permission_len; i++)
106 printf("%d ", list->permissions[i]);
109 printf("prev: %p\n", list->prev);
110 printf("next: %p\n", list->next);
116 /* Object name is actually name of a Group ID *
117 * This function opens /etc/group file and search group ID and
118 * returns the string */
119 int search_object_name(int gid, char *obj, int obj_size)
122 char *linebuf = NULL, *token = NULL, *token2, *tempstr = NULL;
123 int ret = 0, tmp_gid, bufsize;
124 fp = fopen("/etc/group", "r");
127 /* cannot open /etc/group */
128 SEC_SVR_ERR("%s", "Cannot open /etc/group");
129 return SECURITY_SERVER_ERROR_FILE_OPERATION;
132 linebuf = malloc(128);
136 ret = SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
137 SEC_SVR_ERR("%s", "cannot malloc()");
141 bzero(linebuf, bufsize);
142 ret = SECURITY_SERVER_ERROR_NO_SUCH_OBJECT;
143 while (fgets(linebuf, bufsize, fp) != NULL)
145 while (linebuf[bufsize - 2] != 0)
147 linebuf[bufsize - 1] = (char) fgetc(fp);
148 tempstr = realloc(linebuf, bufsize + 128);
151 ret = SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
155 bzero(linebuf + bufsize, 128);
156 if((fgets(linebuf + bufsize, 128, fp) == NULL) && !feof(fp))
158 ret = SECURITY_SERVER_ERROR_FILE_OPERATION;
164 token = strtok(linebuf, ":"); /* group name */
167 SEC_SVR_ERR("/etc/group is not valid. cannot find gid: [%s]", linebuf);
168 ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
171 token2 = strtok(NULL, ":"); /* group password */
174 SEC_SVR_ERR("/etc/group is not valid. cannot find gid: [%s]", linebuf);
175 ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
178 token2 = strtok(NULL, ":"); /* gid */
181 SEC_SVR_ERR("/etc/group is not valid. cannot find gid: [%s]", linebuf);
182 ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
187 tmp_gid = strtoul(token2, 0, 10);
190 SEC_SVR_ERR("cannot change string to integer [%s]", token2);
191 ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
198 if ((int)strlen(token) > obj_size)
200 ret = SECURITY_SERVER_ERROR_BUFFER_TOO_SMALL;
201 SEC_SVR_ERR("buffer is too small. %d --> %d", obj_size, strlen(token));
204 strncpy(obj, token, strlen(token));
205 obj[strlen(token)] = 0;
206 ret = SECURITY_SERVER_SUCCESS;
209 bzero(linebuf, bufsize);
222 * Searches for group ID by given group name
225 int search_gid(const char *obj)
228 struct group *grpbuf = NULL;
231 char *bigger_buf = NULL;
232 long int max_buf_size = 0;
235 * The maximum needed size for buf can be found using sysconf(3) with the argument _SC_GETGR_R_SIZE_MAX
236 * If _SC_GETGR_R_SIZE_MAX is not returned we set max_buf_size to 1024 bytes. Enough to store few groups.
238 max_buf_size = sysconf(_SC_GETGR_R_SIZE_MAX);
239 if (max_buf_size == -1)
242 buf = malloc((size_t)max_buf_size);
245 ret = SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
246 SEC_SVR_ERR("Out Of Memory");
251 * There can be some corner cases when for example user is assigned to a lot of groups.
252 * In that case if buffer is to small getgrnam_r will return ERANGE error.
253 * Solution could be calling getgrnam_r with bigger buffer until it's enough big.
255 while ((ret = getgrnam_r(obj, &grp, buf, (size_t)max_buf_size, &grpbuf)) == ERANGE) {
258 bigger_buf = realloc(buf, (size_t)max_buf_size);
259 if (bigger_buf == NULL) {
260 ret = SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
261 SEC_SVR_ERR("Out Of Memory");
270 ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
271 SEC_SVR_ERR("getgrnam_r failed with error %s\n", strerror(errno));
273 } else if (grpbuf == NULL) {
274 ret = SECURITY_SERVER_ERROR_NO_SUCH_OBJECT;
275 SEC_SVR_ERR("Cannot find gid for group %s\n", obj);
279 ret = grpbuf->gr_gid;
286 /* Signal handler for processes */
287 static void security_server_sig_child(int signo, siginfo_t *info, void *data)
296 child_pgid = getpgid(info->si_pid);
297 SEC_SVR_DBG("Signal handler: dead_pid=%d, pgid=%d",info->si_pid,child_pgid);
299 while ((child_pid = waitpid(-1, &status, WNOHANG)) > 0) {
300 if (child_pid == child_pgid)
301 killpg(child_pgid,SIGKILL);
307 int process_cookie_request(int sockfd)
309 int retval, client_pid, client_uid;
310 cookie_list *created_cookie = NULL;
311 unsigned char cookie[SECURITY_SERVER_COOKIE_LEN];
313 char *cookie_label = NULL;
315 /* Authenticate client */
316 retval = authenticate_client_application(sockfd, &client_pid, &client_uid);
317 if (retval != SECURITY_SERVER_SUCCESS)
319 SEC_SVR_ERR("%s", "Client Authentication Failed");
320 retval = send_generic_response(sockfd,
321 SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
322 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
323 if (retval != SECURITY_SERVER_SUCCESS)
325 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
329 /* If client application is root process, just respond default cookie */
333 SEC_SVR_DBG("%s", "Requested application is a root process");
334 created_cookie = c_list;
337 SEC_SVR_DBG("%s", "Cannot read default cookie");
344 //TODO: Remove above code if there will be no crashes without it
345 //All process should be treaded the same
347 /* Create a new cookie. or find existing one */
348 pthread_mutex_lock(&cookie_mutex);
349 created_cookie = create_cookie_item(client_pid, sockfd, c_list);
350 if (created_cookie == NULL)
352 pthread_mutex_unlock(&cookie_mutex);
353 SEC_SVR_ERR("%s","Cannot create a cookie");
357 //let others know if this cookie belongs to root process
359 created_cookie->is_roots_process = 1;
361 created_cookie->is_roots_process = 0;
362 memcpy(cookie, created_cookie->cookie, SECURITY_SERVER_COOKIE_LEN);
363 cookie_pid = created_cookie->pid;
364 if (created_cookie->smack_label)
365 cookie_label = strdup(created_cookie->smack_label);
367 cookie_label = strdup("NULL");
368 pthread_mutex_unlock(&cookie_mutex);
371 /* send cookie as response */
372 retval = send_cookie(sockfd, cookie);
373 if (retval != SECURITY_SERVER_SUCCESS)
375 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
377 SECURE_SLOGD("Server: Cookie created for client PID %d LABEL >%s<",
378 cookie_pid, cookie_label);
380 SEC_SVR_DBG("%s", "Server: Cookie has been sent to client");
387 int process_check_privilege_request(int sockfd)
389 /* Authenticate client */
390 int retval, client_pid, requested_privilege;
392 unsigned char requested_cookie[SECURITY_SERVER_COOKIE_LEN];
393 cookie_list *search_result = NULL;
395 retval = authenticate_client_middleware(sockfd, &client_pid);
396 if (retval != SECURITY_SERVER_SUCCESS)
398 SEC_SVR_ERR("%s", "Client Authentication Failed");
399 retval = send_generic_response(sockfd,
400 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
401 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
402 if (retval != SECURITY_SERVER_SUCCESS)
404 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
409 retval = recv_check_privilege_request(sockfd,
410 requested_cookie, &requested_privilege);
411 if (retval == SECURITY_SERVER_ERROR_RECV_FAILED)
413 SEC_SVR_ERR("%s", "Receiving request failed");
414 retval = send_generic_response(sockfd,
415 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
416 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
417 if (retval != SECURITY_SERVER_SUCCESS)
419 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
424 if (requested_privilege < 1)
426 SEC_SVR_ERR("Requiring bad privilege [%d]", requested_privilege);
427 retval = send_generic_response(sockfd,
428 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
429 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
430 if (retval != SECURITY_SERVER_SUCCESS)
432 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
437 /* Search cookie list */
438 pthread_mutex_lock(&cookie_mutex);
439 privileges[0] = requested_privilege;
440 search_result = search_cookie(c_list, requested_cookie, privileges, 1);
441 pthread_mutex_unlock(&cookie_mutex);
442 if (search_result != NULL)
445 SEC_SVR_DBG("We found the cookie with %d privilege and pid:%d", requested_privilege, client_pid);
446 SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted.");
447 retval = send_generic_response(sockfd,
448 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
449 SECURITY_SERVER_RETURN_CODE_ACCESS_GRANTED);
450 if (retval != SECURITY_SERVER_SUCCESS)
452 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
458 SEC_SVR_WRN("Could not find the cookie with %d privilege", requested_privilege);
459 retval = send_generic_response(sockfd,
460 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
461 SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED);
462 if (retval != SECURITY_SERVER_SUCCESS)
464 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
471 int process_check_privilege_new_request(int sockfd)
473 /* Authenticate client */
474 int retval, client_pid;
475 unsigned char requested_cookie[SECURITY_SERVER_COOKIE_LEN];
476 cookie_list *search_result = NULL;
477 char object_label[MAX_OBJECT_LABEL_LEN + 1];
478 char access_rights[MAX_MODE_STR_LEN + 1];
480 retval = authenticate_client_middleware(sockfd, &client_pid);
481 if (retval != SECURITY_SERVER_SUCCESS)
483 SEC_SVR_ERR("%s", "Client Authentication Failed");
484 retval = send_generic_response(sockfd,
485 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE,
486 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
487 if (retval != SECURITY_SERVER_SUCCESS)
489 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
494 retval = recv_check_privilege_new_request(
495 sockfd, requested_cookie, object_label, access_rights);
496 if (retval == SECURITY_SERVER_ERROR_RECV_FAILED)
498 SEC_SVR_ERR("%s", "Receiving request failed");
499 retval = send_generic_response(sockfd,
500 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE,
501 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
502 if (retval != SECURITY_SERVER_SUCCESS)
504 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
509 /* Search cookie list */
510 pthread_mutex_lock(&cookie_mutex);
511 search_result = search_cookie_new(c_list, requested_cookie, object_label, access_rights);
512 pthread_mutex_unlock(&cookie_mutex);
514 if (search_result != NULL)
517 SEC_SVR_DBG("We found the cookie with %s rights and pid:%d", access_rights, client_pid);
518 SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted.");
519 retval = send_generic_response(sockfd,
520 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE,
521 SECURITY_SERVER_RETURN_CODE_ACCESS_GRANTED);
522 if (retval != SECURITY_SERVER_SUCCESS)
524 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
530 SEC_SVR_WRN("Could not find the cookie with %s rights", access_rights);
531 retval = send_generic_response(sockfd,
532 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE,
533 SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED);
534 if (retval != SECURITY_SERVER_SUCCESS)
536 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
543 // int process_object_name_request(int sockfd)
545 // int retval, client_pid, requested_privilege;
546 // char object_name[SECURITY_SERVER_MAX_OBJ_NAME];
548 // /* Authenticate client */
549 // retval = authenticate_client_middleware(sockfd, &client_pid);
550 // if (retval != SECURITY_SERVER_SUCCESS)
552 // SEC_SVR_ERR("%s", "Client Authentication Failed");
553 // retval = send_generic_response(sockfd,
554 // SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE,
555 // SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
556 // if (retval != SECURITY_SERVER_SUCCESS)
558 // SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
564 // retval = TEMP_FAILURE_RETRY(read(sockfd, &requested_privilege, sizeof(requested_privilege)));
565 // if (retval < (int)sizeof(requested_privilege))
567 // SEC_SVR_ERR("%s", "Receiving request failed");
568 // retval = send_generic_response(sockfd,
569 // SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE,
570 // SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
571 // if (retval != SECURITY_SERVER_SUCCESS)
573 // SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
578 // /* Search from /etc/group */
579 // retval = search_object_name(requested_privilege,
581 // SECURITY_SERVER_MAX_OBJ_NAME);
582 // if (retval == SECURITY_SERVER_ERROR_NO_SUCH_OBJECT)
584 // /* It's not exist */
585 // SEC_SVR_ERR("There is no such object for gid [%d]", requested_privilege);
586 // retval = send_generic_response(sockfd,
587 // SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE,
588 // SECURITY_SERVER_RETURN_CODE_NO_SUCH_OBJECT);
589 // if (retval != SECURITY_SERVER_SUCCESS)
591 // SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
595 // if (retval != SECURITY_SERVER_SUCCESS)
597 // /* Error occurred */
598 // SEC_SVR_ERR("Error on searching object name [%d]", retval);
599 // retval = send_generic_response(sockfd,
600 // SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE,
601 // SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
602 // if (retval != SECURITY_SERVER_SUCCESS)
604 // SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
610 // SECURE_SLOGD("We found object: %s", object_name);
611 // retval = send_object_name(sockfd, object_name);
612 // if (retval != SECURITY_SERVER_SUCCESS)
614 // SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
620 int process_gid_request(int sockfd, int msg_len)
622 int retval, client_pid;
623 char object_name[SECURITY_SERVER_MAX_OBJ_NAME];
624 /* Authenticate client as middleware daemon */
625 retval = authenticate_client_middleware(sockfd, &client_pid);
626 if (retval != SECURITY_SERVER_SUCCESS)
628 SEC_SVR_ERR("%s", "Client authentication failed");
629 retval = send_generic_response(sockfd,
630 SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
631 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
632 if (retval != SECURITY_SERVER_SUCCESS)
634 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
638 if (msg_len >= SECURITY_SERVER_MAX_OBJ_NAME)
640 /* Too big ojbect name */
641 SECURE_SLOGE("%s", "Object name is too big");
642 retval = send_generic_response(sockfd,
643 SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
644 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
645 if (retval != SECURITY_SERVER_SUCCESS)
647 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
652 /* Receive group name */
653 retval = TEMP_FAILURE_RETRY(read(sockfd, object_name, msg_len));
654 if (retval < msg_len)
656 SECURE_SLOGE("%s", "Failed to read object name");
657 retval = send_generic_response(sockfd,
658 SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
659 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
660 if (retval != SECURITY_SERVER_SUCCESS)
662 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
666 object_name[msg_len] = 0;
668 /* Search /etc/group for the given group name */
669 retval = search_gid(object_name);
670 if (retval == SECURITY_SERVER_ERROR_NO_SUCH_OBJECT)
673 SECURE_SLOGD("The object [%s] is not exist", object_name);
674 retval = send_generic_response(sockfd,
675 SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
676 SECURITY_SERVER_RETURN_CODE_NO_SUCH_OBJECT);
677 if (retval != SECURITY_SERVER_SUCCESS)
679 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
687 SEC_SVR_ERR("Cannot send the response. %d", retval);
688 retval = send_generic_response(sockfd,
689 SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
690 SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
691 if (retval != SECURITY_SERVER_SUCCESS)
693 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
699 retval = send_gid(sockfd, retval);
700 if (retval != SECURITY_SERVER_SUCCESS)
702 SEC_SVR_ERR("ERROR: Cannot gid response: %d", retval);
708 int process_pid_request(int sockfd)
710 int retval, client_pid;
711 unsigned char requested_cookie[SECURITY_SERVER_COOKIE_LEN];
712 int *privileges = NULL;
713 cookie_list *search_result = NULL;
714 pid_t cookie_pid = 0;
716 /* Authenticate client */
717 retval = authenticate_client_middleware(sockfd, &client_pid);
718 if (retval != SECURITY_SERVER_SUCCESS)
720 SEC_SVR_ERR("%s", "Client Authentication Failed");
721 retval = send_generic_response(sockfd,
722 SECURITY_SERVER_MSG_TYPE_PID_RESPONSE,
723 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
724 if (retval != SECURITY_SERVER_SUCCESS)
726 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
731 retval = recv_pid_request(sockfd, requested_cookie);
732 if (retval == SECURITY_SERVER_ERROR_RECV_FAILED)
734 SEC_SVR_ERR("%s", "Receiving request failed");
735 retval = send_generic_response(sockfd,
736 SECURITY_SERVER_MSG_TYPE_PID_RESPONSE,
737 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
738 if (retval != SECURITY_SERVER_SUCCESS)
740 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
745 retval = get_client_gid_list(sockfd, &privileges);
748 SEC_SVR_ERR("ERROR: Cannot get GID list");
752 /* Search cookie list */
753 pthread_mutex_lock(&cookie_mutex);
754 search_result = search_cookie(c_list, requested_cookie, privileges, retval);
756 cookie_pid = search_result->pid;
757 pthread_mutex_unlock(&cookie_mutex);
761 if (search_result != NULL)
764 SEC_SVR_DBG("We found the cookie and pid:%d", cookie_pid);
765 SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted.");
766 retval = send_pid(sockfd, cookie_pid);
768 if (retval != SECURITY_SERVER_SUCCESS)
770 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
776 SEC_SVR_ERR("%s", "Could not find the cookie");
777 retval = send_generic_response(sockfd,
778 SECURITY_SERVER_MSG_TYPE_PID_RESPONSE,
779 SECURITY_SERVER_RETURN_CODE_NO_SUCH_COOKIE);
780 if (retval != SECURITY_SERVER_SUCCESS)
782 SEC_SVR_ERR("ERROR: Cannot send pid response: %d", retval);
789 int process_smack_request(int sockfd)
791 int retval, client_pid;
792 int *privileges = NULL;
793 unsigned char requested_cookie[SECURITY_SERVER_COOKIE_LEN];
794 cookie_list *search_result = NULL;
795 //handler for SMACK label
798 /* Authenticate client */
799 retval = authenticate_client_middleware(sockfd, &client_pid);
800 if (retval != SECURITY_SERVER_SUCCESS)
802 SEC_SVR_ERR("%s", "Client Authentication Failed");
803 retval = send_generic_response(sockfd,
804 SECURITY_SERVER_MSG_TYPE_SMACK_RESPONSE,
805 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
806 if (retval != SECURITY_SERVER_SUCCESS)
808 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
813 retval = recv_smack_request(sockfd, requested_cookie);
814 if (retval == SECURITY_SERVER_ERROR_RECV_FAILED)
816 SEC_SVR_ERR("%s", "Receiving request failed");
817 retval = send_generic_response(sockfd,
818 SECURITY_SERVER_MSG_TYPE_SMACK_RESPONSE,
819 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
820 if (retval != SECURITY_SERVER_SUCCESS)
822 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
827 retval = get_client_gid_list(sockfd, &privileges);
830 SEC_SVR_ERR("ERROR: Cannot get GID list");
834 /* Search cookie list */
835 pthread_mutex_lock(&cookie_mutex);
836 search_result = search_cookie(c_list, requested_cookie, privileges, retval);
838 if (search_result->smack_label)
839 label = strdup(search_result->smack_label);
841 SEC_SVR_DBG("%s", "No SMACK support on device - returning empty label");
845 pthread_mutex_unlock(&cookie_mutex);
849 if (search_result != NULL)
852 SEC_SVR_DBG("We found the cookie and pid:%d", search_result->pid);
853 SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted.");
854 SECURE_SLOGD("Read label is: %s\n", label);
856 retval = send_smack(sockfd, label);
858 if (retval != SECURITY_SERVER_SUCCESS)
860 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
866 SEC_SVR_ERR("%s", "Could not find the cookie");
867 retval = send_generic_response(sockfd,
868 SECURITY_SERVER_MSG_TYPE_SMACK_RESPONSE,
869 SECURITY_SERVER_RETURN_CODE_NO_SUCH_COOKIE);
870 if (retval != SECURITY_SERVER_SUCCESS)
872 SEC_SVR_ERR("ERROR: Cannot send SMACK label response: %d", retval);
879 #ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
880 int process_pid_privilege_check(int sockfd, int datasize)
882 //In this function we parsing received PID privilege check request
887 char *access_rights = NULL;
888 unsigned char return_code;
890 char subject[SMACK_LABEL_LEN + 1];
893 //authenticate client
894 retval = authenticate_client_middleware(sockfd, &client_pid);
896 if (retval != SECURITY_SERVER_SUCCESS) {
897 SEC_SVR_ERR("%s", "Client Authentication Failed");
898 retval = send_generic_response(sockfd,
899 SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE,
900 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
902 if (retval != SECURITY_SERVER_SUCCESS)
903 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
909 retval = recv_pid_privilege_request(sockfd, datasize, &pid, &object, &access_rights);
911 if (retval == SECURITY_SERVER_ERROR_RECV_FAILED) {
912 SEC_SVR_ERR("%s", "Receiving request failed");
913 retval = send_generic_response(sockfd,
914 SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE,
915 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
917 if (retval != SECURITY_SERVER_SUCCESS)
918 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
924 retval = smack_pid_have_access(pid, object, access_rights);
925 SEC_SVR_DBG("smack_pid_have_access returned %d", retval);
927 if (get_smack_label_from_process(pid, subject) != PC_OPERATION_SUCCESS) {
928 // subject label is set to empty string
929 SEC_SVR_ERR("get_smack_label_from_process failed. Subject label has not been read.");
931 SECURE_SLOGD("Subject label of client PID %d is: %s", pid, subject);
934 SEC_SVR_DBG("SMACK is not available. Subject label has not been read.");
938 path = read_exe_path_from_proc(pid);
941 SECURE_SLOGD("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, subject, object, access_rights, retval, path);
943 SECURE_SLOGW("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, subject, object, access_rights, retval, path);
948 if (retval == 1) //there is permission
949 return_code = SECURITY_SERVER_RETURN_CODE_SUCCESS;
950 else //there is no permission
951 return_code = SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED;
954 retval = send_generic_response(sockfd,
955 SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE,
958 if (retval != SECURITY_SERVER_SUCCESS)
959 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
965 if (access_rights != NULL)
973 int client_has_access(int sockfd, const char *object)
981 unsigned int socoptSize = sizeof(socopt);
985 retval = getsockopt(sockfd, SOL_SOCKET, SO_PEERCRED, &socopt, &socoptSize);
987 SEC_SVR_DBG("%s", "Error on getsockopt");
990 //now we have PID in sockopt.pid
992 if (smack_new_label_from_socket(sockfd, &label)) {
993 SEC_SVR_ERR("%s", "Error on smack_new_label_from_socket");
997 if (0 >= (ret = smack_pid_have_access(socopt.pid, object, "rw"))) {
1002 if (SECURITY_SERVER_SUCCESS == authenticate_client_application(sockfd, &pid, &uid))
1003 SECURE_SLOGD("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=rw, result=%d",
1004 pid, label, object, ret);
1010 void *security_server_thread(void *param)
1012 int client_sockfd = -1, client_uid, client_pid;
1013 int server_sockfd, retval;
1014 basic_header basic_hdr;
1015 struct security_server_thread_param *my_param;
1017 my_param = (struct security_server_thread_param*) param;
1018 client_sockfd = my_param->client_sockfd;
1019 server_sockfd = my_param->server_sockfd;
1021 /* Receive request header */
1022 retval = recv_hdr(client_sockfd, &basic_hdr);
1023 if (retval == SECURITY_SERVER_ERROR_TIMEOUT || retval == SECURITY_SERVER_ERROR_RECV_FAILED
1024 || retval == SECURITY_SERVER_ERROR_SOCKET)
1026 SEC_SVR_ERR("Receiving header error [%d]",retval);
1027 close(client_sockfd);
1032 if (retval != SECURITY_SERVER_SUCCESS)
1035 SEC_SVR_ERR("Receiving header error [%d]",retval);
1036 retval = send_generic_response(client_sockfd,
1037 SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
1038 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
1039 if (retval != SECURITY_SERVER_SUCCESS)
1041 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
1044 safe_server_sock_close(client_sockfd);
1049 //TODO: Below authorize_SS_API_caller_socket() is used for authorize API caller by SMACK,
1050 // at the moment return value is not checked and each access is allowed.
1051 // If we realy want to restrict access it must be changed in future.
1053 /* Act different for request message ID */
1054 switch (basic_hdr.msg_id)
1056 case SECURITY_SERVER_MSG_TYPE_COOKIE_REQUEST:
1057 SEC_SVR_DBG("%s", "Cookie request received");
1058 authorize_SS_API_caller_socket(client_sockfd, API_FREE_ACCESS, API_RULE_REQUIRED);
1059 process_cookie_request(client_sockfd);
1062 case SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_REQUEST:
1063 SEC_SVR_DBG("%s", "Privilege check received");
1064 authorize_SS_API_caller_socket(client_sockfd, API_MIDDLEWARE, API_RULE_REQUIRED);
1065 process_check_privilege_request(client_sockfd);
1068 case SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_REQUEST:
1069 SEC_SVR_DBG("%s", "Privilege check (new mode) received");
1070 authorize_SS_API_caller_socket(client_sockfd, API_MIDDLEWARE, API_RULE_REQUIRED);
1071 process_check_privilege_new_request(client_sockfd);
1074 // case SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_REQUEST:
1075 // SECURE_SLOGD("%s", "Get object name request received");
1076 // authorize_SS_API_caller_socket(client_sockfd, API_MIDDLEWARE, API_RULE_REQUIRED);
1077 // process_object_name_request(client_sockfd);
1080 case SECURITY_SERVER_MSG_TYPE_GID_REQUEST:
1081 SEC_SVR_DBG("%s", "Get GID received");
1082 authorize_SS_API_caller_socket(client_sockfd, API_MIDDLEWARE, API_RULE_REQUIRED);
1083 process_gid_request(client_sockfd, (int)basic_hdr.msg_len);
1086 case SECURITY_SERVER_MSG_TYPE_PID_REQUEST:
1087 SEC_SVR_DBG("%s", "pid request received");
1088 authorize_SS_API_caller_socket(client_sockfd, API_MIDDLEWARE, API_RULE_REQUIRED);
1089 process_pid_request(client_sockfd);
1092 case SECURITY_SERVER_MSG_TYPE_SMACK_REQUEST:
1093 SEC_SVR_DBG("%s", "SMACK label request received");
1094 authorize_SS_API_caller_socket(client_sockfd, API_MIDDLEWARE, API_RULE_REQUIRED);
1095 process_smack_request(client_sockfd);
1098 #ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
1099 case SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_REQUEST:
1100 SEC_SVR_DBG("%s", "PID privilege check request received");
1101 authorize_SS_API_caller_socket(client_sockfd, API_MIDDLEWARE, API_RULE_REQUIRED);
1102 //pass data size to function
1103 process_pid_privilege_check(client_sockfd, basic_hdr.msg_len);
1107 case SECURITY_SERVER_MSG_TYPE_VALID_PWD_REQUEST:
1108 SECURE_SLOGD("%s", "Server: validate password request received");
1109 authorize_SS_API_caller_socket(client_sockfd, API_PASSWD_CHECK, API_RULE_REQUIRED);
1110 process_valid_pwd_request(client_sockfd);
1113 case SECURITY_SERVER_MSG_TYPE_SET_PWD_REQUEST:
1114 SECURE_SLOGD("%s", "Server: set password request received");
1115 authorize_SS_API_caller_socket(client_sockfd, API_PASSWD_SET, API_RULE_REQUIRED);
1116 process_set_pwd_request(client_sockfd);
1119 case SECURITY_SERVER_MSG_TYPE_RESET_PWD_REQUEST:
1120 SECURE_SLOGD("%s", "Server: reset password request received");
1121 authorize_SS_API_caller_socket(client_sockfd, API_PASSWD_SET, API_RULE_REQUIRED);
1122 process_reset_pwd_request(client_sockfd);
1125 case SECURITY_SERVER_MSG_TYPE_CHK_PWD_REQUEST:
1126 SECURE_SLOGD("%s", "Server: check password request received");
1127 authorize_SS_API_caller_socket(client_sockfd, API_PASSWD_CHECK, API_RULE_REQUIRED);
1128 process_chk_pwd_request(client_sockfd);
1131 case SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_REQUEST:
1132 SECURE_SLOGD("%s", "Server: set password histroy request received");
1133 authorize_SS_API_caller_socket(client_sockfd, API_PASSWD_SET, API_RULE_REQUIRED);
1134 process_set_pwd_history_request(client_sockfd);
1137 case SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_REQUEST:
1138 SECURE_SLOGD("%s", "Server: set password max challenge request received");
1139 authorize_SS_API_caller_socket(client_sockfd, API_PASSWD_SET, API_RULE_REQUIRED);
1140 process_set_pwd_max_challenge_request(client_sockfd);
1143 case SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_REQUEST:
1144 SECURE_SLOGD("%s", "Server: set password validity request received");
1145 authorize_SS_API_caller_socket(client_sockfd, API_PASSWD_SET, API_RULE_REQUIRED);
1146 process_set_pwd_validity_request(client_sockfd);
1149 /************************************************************************************************/
1150 /* Just for test. This code must be removed on release */
1151 case SECURITY_SERVER_MSG_TYPE_GET_ALL_COOKIES_REQUEST:
1152 SEC_SVR_DBG("%s", "all cookie info request received -- NEED TO BE DELETED ON RELEASE");
1153 retval = authenticate_client_application(client_sockfd, &client_pid, &client_uid);
1154 if (retval != SECURITY_SERVER_SUCCESS)
1156 SEC_SVR_ERR("%s", "Client Authentication Failed");
1157 retval = send_generic_response(client_sockfd,
1158 SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
1159 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
1160 if (retval != SECURITY_SERVER_SUCCESS)
1162 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
1166 retval = util_process_all_cookie(client_sockfd, c_list);
1167 if (retval != SECURITY_SERVER_SUCCESS)
1169 SEC_SVR_ERR("ERROR: Cannot send all cookie info: %d", retval);
1173 case SECURITY_SERVER_MSG_TYPE_GET_COOKIEINFO_FROM_PID_REQUEST:
1174 SEC_SVR_DBG("%s", "cookie info from pid request received -- NEED TO BE DELETED ON RELEASE");
1175 if (retval != SECURITY_SERVER_SUCCESS)
1177 SEC_SVR_ERR("%s", "Client Authentication Failed");
1178 retval = send_generic_response(client_sockfd,
1179 SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
1180 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
1181 if (retval != SECURITY_SERVER_SUCCESS)
1183 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
1187 util_process_cookie_from_pid(client_sockfd, c_list);
1190 case SECURITY_SERVER_MSG_TYPE_GET_COOKIEINFO_FROM_COOKIE_REQUEST:
1191 SEC_SVR_DBG("%s", "cookie info from cookie request received -- NEED TO BE DELETED ON RELEASE");
1192 if (retval != SECURITY_SERVER_SUCCESS)
1194 SEC_SVR_ERR("%s", "Client Authentication Failed");
1195 retval = send_generic_response(client_sockfd,
1196 SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
1197 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
1198 if (retval != SECURITY_SERVER_SUCCESS)
1200 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
1204 util_process_cookie_from_cookie(client_sockfd, c_list);
1206 /************************************************************************************************/
1210 SEC_SVR_ERR("Unknown msg ID :%d", basic_hdr.msg_id);
1211 /* Unknown message ID */
1212 retval = send_generic_response(client_sockfd,
1213 SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
1214 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
1215 if (retval != SECURITY_SERVER_SUCCESS)
1217 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
1222 if (client_sockfd > 0)
1224 safe_server_sock_close(client_sockfd);
1229 if (client_sockfd > 0)
1230 close(client_sockfd);
1231 thread_status[my_param->thread_status] = 0;
1232 pthread_detach(pthread_self());
1236 void *security_server_main_thread(void *data)
1238 int server_sockfd = 0, retval, client_sockfd = -1, rc;
1239 struct sigaction act, dummy;
1240 pthread_t threads[SECURITY_SERVER_NUM_THREADS];
1241 struct security_server_thread_param param[SECURITY_SERVER_NUM_THREADS];
1245 SECURE_SLOGD("%s", "Starting Security Server main thread");
1247 /* security server must be executed by root */
1250 fprintf(stderr, "%s\n", "You are not root. exiting...");
1254 for (retval = 0; retval < SECURITY_SERVER_NUM_THREADS; retval++)
1255 thread_status[retval] = 0;
1258 /* Create and bind a Unix domain socket */
1259 if(SECURITY_SERVER_SUCCESS != get_socket_from_systemd(&server_sockfd))
1261 SEC_SVR_ERR("%s", "Error in get_socket_from_systemd");
1262 retval = create_new_socket(&server_sockfd);
1263 if (retval != SECURITY_SERVER_SUCCESS)
1265 SEC_SVR_ERR("%s", "cannot create socket. exiting...");
1269 if (listen(server_sockfd, 5) < 0)
1271 SEC_SVR_ERR("%s", "listen() failed. exiting...");
1275 SEC_SVR_ERR("%s", "Socket was passed by systemd");
1278 /* Create a default cookie --> Cookie for root process */
1279 c_list = create_default_cookie();
1282 SEC_SVR_ERR("%s", "cannot make a default cookie. exiting...");
1286 /* Init signal handler */
1287 act.sa_handler = NULL;
1288 act.sa_sigaction = security_server_sig_child;
1289 sigemptyset(&act.sa_mask);
1290 act.sa_flags = SA_NOCLDSTOP | SA_SIGINFO;
1292 if (sigaction(SIGCHLD, &act, &dummy) < 0)
1294 SEC_SVR_ERR("%s", "cannot change session");
1297 pthread_mutex_init(&cookie_mutex, NULL);
1301 /* Accept a new client */
1302 if (client_sockfd < 0)
1303 client_sockfd = accept_client(server_sockfd);
1305 if (client_sockfd == SECURITY_SERVER_ERROR_TIMEOUT)
1307 if (client_sockfd < 0)
1309 SEC_SVR_DBG("Server: new connection has been accepted: %d", client_sockfd);
1313 if (thread_status[retval] == 0)
1315 thread_status[retval] = 1;
1316 param[retval].client_sockfd = client_sockfd;
1317 param[retval].server_sockfd = server_sockfd;
1318 param[retval].thread_status = retval;
1319 SEC_SVR_DBG("Server: Creating a new thread: %d", retval);
1320 rc = pthread_create(&threads[retval], NULL, security_server_thread, (void*)¶m[retval]);
1323 SEC_SVR_ERR("Error: Server: Cannot create thread:%d", rc);
1329 if (retval >= SECURITY_SERVER_NUM_THREADS)
1335 if (server_sockfd > 0)
1336 close(server_sockfd);
1338 pthread_detach(pthread_self());
1342 ssize_t read_wrapper(int sockfd, void *buffer, size_t len)
1344 unsigned char *buff = (unsigned char*)buffer;
1346 while (done < (int)len) {
1347 struct pollfd fds = { sockfd, POLLIN, 0};
1348 if (0 >= poll(&fds, 1, 1000))
1350 ssize_t ret = read(sockfd, buff + done, len - done);
1357 if (-1 == ret && EAGAIN != errno && EINTR != errno)
1363 int main(int argc, char *argv[])
1366 pthread_t main_thread;
1371 if (0 != (res = pthread_create(&main_thread, NULL, security_server_main_thread, NULL))) {
1372 SEC_SVR_ERR("Error: Server: Cannot create main security server thread: %s", strerror(res));