4 * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
6 * Contact: Bumjin Im <bj.im@samsung.com>
8 * Licensed under the Apache License, Version 2.0 (the "License");
9 * you may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS,
16 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License
27 #include <sys/types.h>
28 #include <sys/smack.h>
34 #include <sys/smack.h>
35 #include <sys/types.h>
36 #include <sys/socket.h>
40 #include <privilege-control.h>
41 #include <security-server-system-observer.h>
42 #include <security-server-rules-revoker.h>
44 #include "security-server-cookie.h"
45 #include "security-server-common.h"
46 #include "security-server-password.h"
47 #include "security-server-comm.h"
48 #include "smack-check.h"
50 const char * const LABEL_SECURITY_SERVER_API_DATA_SHARE = "security-server::api-data-share";
52 /* Set cookie as a global variable */
54 pthread_mutex_t cookie_mutex;
55 int thread_status[SECURITY_SERVER_NUM_THREADS];
56 struct security_server_thread_param {
62 int process_app_get_access_request(int sockfd, size_t msg_len);
63 static int netlink_enabled = 1; /* prevent memory leaks when netlink is disabled */
66 /************************************************************************************************/
67 /* Just for test. This code must be removed on release */
68 #include "security-server-util.h"
69 /************************************************************************************************/
72 void printhex(unsigned char *data, int size)
80 printf("%X ", data[i]);
81 if(((i+1) % 16) == 0 && i != 0)
87 void print_cookie(cookie_list *list)
90 printf("%s", "cookie:\n");
91 printhex(list->cookie, SECURITY_SERVER_COOKIE_LEN);
92 printf("path_len: %d\n", list->path_len);
93 printf("permission_len: %d\n", list->permission_len);
94 printf("PID: %d\n", list->pid);
95 printf("path: %s\n", list->path);
96 printf("%s", "permissions: ");
97 for(i=0;i<list->permission_len;i++)
99 printf("%d ", list->permissions[i]);
102 printf("prev: %p\n", list->prev);
103 printf("next: %p\n", list->next);
107 /* Object name is actually name of a Group ID *
108 * This function opens /etc/group file and search group ID and
109 * returns the string */
110 int search_object_name(int gid, char *obj, int obj_size)
113 char *linebuf = NULL, *token = NULL, *token2, *tempstr = NULL;
114 int ret = 0, tmp_gid, bufsize;
115 fp = fopen("/etc/group", "r");
118 /* cannot open /etc/group */
119 SEC_SVR_ERR("%s", "Cannot open /etc/group");
120 return SECURITY_SERVER_ERROR_FILE_OPERATION;
123 linebuf = malloc(128);
127 ret = SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
128 SEC_SVR_ERR("%s", "cannot malloc()");
132 bzero(linebuf, bufsize);
133 ret = SECURITY_SERVER_ERROR_NO_SUCH_OBJECT;
134 while(fgets(linebuf, bufsize, fp) != NULL)
136 while(linebuf[bufsize -2] != 0)
138 linebuf[bufsize -1] = (char) fgetc(fp);
139 tempstr = realloc(linebuf, bufsize + 128);
142 ret = SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
146 bzero(linebuf + bufsize, 128);
147 fgets(linebuf + bufsize, 128, fp);
151 token = strtok(linebuf, ":"); /* group name */
154 SEC_SVR_ERR("/etc/group is not valid. cannot find gid: [%s]", linebuf);
155 ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
158 token2 = strtok(NULL, ":"); /* group password */
161 SEC_SVR_ERR("/etc/group is not valid. cannot find gid: [%s]", linebuf);
162 ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
165 token2 = strtok(NULL, ":"); /* gid */
168 SEC_SVR_ERR("/etc/group is not valid. cannot find gid: [%s]", linebuf);
169 ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
174 tmp_gid = strtoul(token2, 0, 10);
177 SEC_SVR_ERR("cannot change string to integer [%s]", token2);
178 ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
185 if((int)strlen(token) > obj_size)
187 ret = SECURITY_SERVER_ERROR_BUFFER_TOO_SMALL;
188 SEC_SVR_ERR("buffer is too small. %d --> %d", obj_size, strlen(token));
191 strncpy(obj, token, strlen(token));
192 obj[strlen(token)] = 0;
193 ret = SECURITY_SERVER_SUCCESS;
196 bzero(linebuf, bufsize);
207 /* Search GID from group name *
208 * This function opens /etc/group and search group name by given gid */
209 int search_gid(const char *obj)
212 char *linebuf = NULL, *token = NULL, *token2, *tempstr = NULL;
213 int ret = SECURITY_SERVER_ERROR_NO_SUCH_OBJECT, tmp_gid, bufsize;
215 SEC_SVR_DBG("Searching for object %s", obj);
217 fp = fopen("/etc/group", "r");
220 /* cannot open /etc/group */
221 SEC_SVR_ERR("%s", "cannot open /etc/group");
222 return SECURITY_SERVER_ERROR_FILE_OPERATION;
225 linebuf = malloc(128);
229 ret = SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
230 SEC_SVR_ERR("%s", "Out Of Memory");
234 bzero(linebuf, bufsize);
235 while(fgets(linebuf, bufsize, fp) != NULL)
237 while(linebuf[bufsize -2] != 0 )
239 linebuf[bufsize -1] = (char) fgetc(fp);
240 tempstr = realloc(linebuf, bufsize + 128);
243 ret = SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
247 bzero(linebuf + bufsize, 128);
248 fgets(linebuf + bufsize, 128, fp);
252 token = strtok(linebuf, ":"); /* group name */
253 token2 = strtok(NULL, ":"); /* group password */
254 token2 = strtok(NULL, ":"); /* gid */
257 SEC_SVR_ERR("/etc/group is not valid. cannot find gid: [%s]", linebuf);
258 ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
262 tmp_gid = strtoul(token2, 0, 10);
265 SEC_SVR_ERR("cannot change string to integer [%s]", token2);
266 ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
270 if(strcmp(obj, token) == 0)
274 SEC_SVR_DBG("GID of %s is found: %d", obj, ret);
277 bzero(linebuf, bufsize);
288 /* Signal handler for processes */
289 static void security_server_sig_child(int signo, siginfo_t *info, void *data)
298 child_pgid = getpgid(info->si_pid);
299 SEC_SVR_DBG("Signal handler: dead_pid=%d, pgid=%d",info->si_pid,child_pgid);
301 while ((child_pid = waitpid(-1, &status, WNOHANG)) > 0) {
302 if(child_pid == child_pgid)
303 killpg(child_pgid,SIGKILL);
309 /* Execute a debugging tool by fork() and execve() */
310 int execute_debug_tool(int argc, char *const *argv, int server_sockfd, int client_sockfd)
313 SEC_SVR_DBG("%s", "Executing tool");
320 close(client_sockfd);
321 close(server_sockfd);
327 ret = execv(argv[0], argv);
330 SEC_SVR_ERR("Error:Failed to execute [%d]", errno);
336 SEC_SVR_ERR("Error: Failed to fork [%d]", errno);
337 return SECURITY_SERVER_ERROR_SERVER_ERROR;
339 return SECURITY_SERVER_SUCCESS;
342 int process_cookie_request(int sockfd)
344 int retval, client_pid, client_uid;
345 cookie_list *created_cookie = NULL;
347 /* Authenticate client */
348 retval = authenticate_client_application(sockfd, &client_pid, &client_uid);
349 if(retval != SECURITY_SERVER_SUCCESS)
351 SEC_SVR_ERR("%s", "Client Authentication Failed");
352 retval = send_generic_response(sockfd,
353 SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
354 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
355 if(retval != SECURITY_SERVER_SUCCESS)
357 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
361 /* If client application is root process, just respond default cookie */
365 SEC_SVR_DBG("%s", "Requested application is a root process");
366 created_cookie = c_list;
369 SEC_SVR_DBG("%s", "Cannot read default cookie");
376 //TODO: Remove above code if there will be no crashes without it
377 //All process should be treaded the same
378 /* Create a new cookie. or find existing one */
379 pthread_mutex_lock(&cookie_mutex);
380 created_cookie = create_cookie_item(client_pid, sockfd, c_list);
381 pthread_mutex_unlock(&cookie_mutex);
382 if(created_cookie == NULL)
384 SEC_SVR_ERR("%s","Cannot create a cookie");
388 //let others know if this cookie belongs to root process
390 created_cookie->is_roots_process = 1;
392 created_cookie->is_roots_process = 0;
395 /* send cookie as response */
396 retval = send_cookie(sockfd, created_cookie->cookie);
397 if(retval != SECURITY_SERVER_SUCCESS)
399 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
401 SEC_SVR_DBG("Server: Cookie created for client PID %d LABEL >%s<",
403 (created_cookie->smack_label)?(created_cookie->smack_label):"NULL");
405 SEC_SVR_DBG("%s", "Server: Cookie has been sent to client");
411 int process_check_privilege_request(int sockfd)
413 /* Authenticate client */
414 int retval, client_pid, requested_privilege;
416 unsigned char requested_cookie[SECURITY_SERVER_COOKIE_LEN];
417 cookie_list *search_result = NULL;
419 retval = authenticate_client_middleware(sockfd, &client_pid);
420 if(retval != SECURITY_SERVER_SUCCESS)
422 SEC_SVR_ERR("%s", "Client Authentication Failed");
423 retval = send_generic_response(sockfd,
424 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
425 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
426 if(retval != SECURITY_SERVER_SUCCESS)
428 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
433 retval = recv_check_privilege_request(sockfd,
434 requested_cookie, &requested_privilege);
435 if(retval == SECURITY_SERVER_ERROR_RECV_FAILED)
437 SEC_SVR_ERR("%s", "Receiving request failed");
438 retval = send_generic_response(sockfd,
439 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
440 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
441 if(retval != SECURITY_SERVER_SUCCESS)
443 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
448 if(requested_privilege < 1)
450 SEC_SVR_ERR("Requiring bad privilege [%d]", requested_privilege);
451 retval = send_generic_response(sockfd,
452 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
453 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
454 if(retval != SECURITY_SERVER_SUCCESS)
456 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
461 /* Search cookie list */
462 pthread_mutex_lock(&cookie_mutex);
463 privileges[0] = requested_privilege;
464 search_result = search_cookie(c_list, requested_cookie, privileges, 1);
465 pthread_mutex_unlock(&cookie_mutex);
466 if(search_result != NULL)
469 SEC_SVR_DBG("We found the cookie with %d privilege and pid:%d", requested_privilege, client_pid);
470 SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted.");
471 retval = send_generic_response(sockfd,
472 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
473 SECURITY_SERVER_RETURN_CODE_ACCESS_GRANTED);
474 if(retval != SECURITY_SERVER_SUCCESS)
476 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
482 SEC_SVR_ERR("Could not find the cookie with %d privilege", requested_privilege);
483 retval = send_generic_response(sockfd,
484 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
485 SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED);
486 if(retval != SECURITY_SERVER_SUCCESS)
488 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
495 int process_check_privilege_new_request(int sockfd)
497 /* Authenticate client */
498 int retval, client_pid;
499 unsigned char requested_cookie[SECURITY_SERVER_COOKIE_LEN];
500 cookie_list *search_result = NULL;
501 char object_label[MAX_OBJECT_LABEL_LEN+1];
502 char access_rights[MAX_MODE_STR_LEN+1];
504 retval = authenticate_client_middleware(sockfd, &client_pid);
505 if(retval != SECURITY_SERVER_SUCCESS)
507 SEC_SVR_ERR("%s", "Client Authentication Failed");
508 retval = send_generic_response(sockfd,
509 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE,
510 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
511 if(retval != SECURITY_SERVER_SUCCESS)
513 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
518 retval = recv_check_privilege_new_request(
519 sockfd, requested_cookie, object_label, access_rights);
520 if(retval == SECURITY_SERVER_ERROR_RECV_FAILED)
522 SEC_SVR_ERR("%s", "Receiving request failed");
523 retval = send_generic_response(sockfd,
524 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE,
525 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
526 if(retval != SECURITY_SERVER_SUCCESS)
528 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
533 /* Search cookie list */
534 pthread_mutex_lock(&cookie_mutex);
535 search_result = search_cookie_new(c_list, requested_cookie, object_label, access_rights);
536 pthread_mutex_unlock(&cookie_mutex);
538 if(search_result != NULL)
541 SEC_SVR_DBG("We found the cookie with %s rights and pid:%d", access_rights, client_pid);
542 SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted.");
543 retval = send_generic_response(sockfd,
544 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE,
545 SECURITY_SERVER_RETURN_CODE_ACCESS_GRANTED);
546 if(retval != SECURITY_SERVER_SUCCESS)
548 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
554 SEC_SVR_ERR("Could not find the cookie with %s rights", access_rights);
555 retval = send_generic_response(sockfd,
556 SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE,
557 SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED);
558 if(retval != SECURITY_SERVER_SUCCESS)
560 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
569 int process_object_name_request(int sockfd)
571 int retval, client_pid, requested_privilege;
572 char object_name[SECURITY_SERVER_MAX_OBJ_NAME];
574 /* Authenticate client */
575 retval = authenticate_client_middleware(sockfd, &client_pid);
576 if(retval != SECURITY_SERVER_SUCCESS)
578 SEC_SVR_ERR("%s", "Client Authentication Failed");
579 retval = send_generic_response(sockfd,
580 SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE,
581 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
582 if(retval != SECURITY_SERVER_SUCCESS)
584 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
590 retval = TEMP_FAILURE_RETRY(read(sockfd, &requested_privilege, sizeof(requested_privilege)));
591 if (retval < (int)sizeof(requested_privilege))
593 SEC_SVR_ERR("%s", "Receiving request failed");
594 retval = send_generic_response(sockfd,
595 SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE,
596 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
597 if(retval != SECURITY_SERVER_SUCCESS)
599 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
604 /* Search from /etc/group */
605 retval = search_object_name(requested_privilege,
607 SECURITY_SERVER_MAX_OBJ_NAME);
608 if (retval == SECURITY_SERVER_ERROR_NO_SUCH_OBJECT)
611 SEC_SVR_ERR("There is no such object for gid [%d]", requested_privilege);
612 retval = send_generic_response(sockfd,
613 SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE,
614 SECURITY_SERVER_RETURN_CODE_NO_SUCH_OBJECT);
615 if(retval != SECURITY_SERVER_SUCCESS)
617 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
621 if(retval != SECURITY_SERVER_SUCCESS)
624 SEC_SVR_ERR("Error on searching object name [%d]", retval);
625 retval = send_generic_response(sockfd,
626 SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE,
627 SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
628 if(retval != SECURITY_SERVER_SUCCESS)
630 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
636 SEC_SVR_DBG("We found object: %s", object_name);
637 retval = send_object_name(sockfd, object_name);
638 if(retval != SECURITY_SERVER_SUCCESS)
640 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
647 int process_gid_request(int sockfd, int msg_len)
649 int retval, client_pid;
650 char object_name[SECURITY_SERVER_MAX_OBJ_NAME];
651 /* Authenticate client as middleware daemon */
652 retval = authenticate_client_middleware(sockfd, &client_pid);
653 if(retval != SECURITY_SERVER_SUCCESS)
655 SEC_SVR_ERR("%s", "Client authentication failed");
656 retval = send_generic_response(sockfd,
657 SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
658 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
659 if(retval != SECURITY_SERVER_SUCCESS)
661 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
666 if(msg_len >= SECURITY_SERVER_MAX_OBJ_NAME)
668 /* Too big ojbect name */
669 SEC_SVR_ERR("%s", "Object name is too big");
670 retval = send_generic_response(sockfd,
671 SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
672 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
673 if(retval != SECURITY_SERVER_SUCCESS)
675 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
680 /* Receive group name */
681 retval = TEMP_FAILURE_RETRY(read(sockfd, object_name, msg_len));
682 if (retval < msg_len )
684 SEC_SVR_ERR("%s", "Failed to read object name");
685 retval = send_generic_response(sockfd,
686 SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
687 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
688 if(retval != SECURITY_SERVER_SUCCESS)
690 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
694 object_name[msg_len] = 0;
696 /* Search /etc/group for the given group name */
697 retval = search_gid(object_name);
698 if (retval == SECURITY_SERVER_ERROR_NO_SUCH_OBJECT)
701 SEC_SVR_ERR("The object [%s] is not exist", object_name);
702 retval = send_generic_response(sockfd,
703 SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
704 SECURITY_SERVER_RETURN_CODE_NO_SUCH_OBJECT);
705 if(retval != SECURITY_SERVER_SUCCESS)
707 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
715 SEC_SVR_ERR("Cannot send the response. %d", retval);
716 retval = send_generic_response(sockfd,
717 SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
718 SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
719 if(retval != SECURITY_SERVER_SUCCESS)
721 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
727 retval = send_gid(sockfd, retval);
728 if(retval != SECURITY_SERVER_SUCCESS)
730 SEC_SVR_ERR("ERROR: Cannot gid response: %d", retval);
736 int process_pid_request(int sockfd)
738 int retval, client_pid;
739 unsigned char requested_cookie[SECURITY_SERVER_COOKIE_LEN];
740 int * privileges = NULL;
741 cookie_list *search_result = NULL;
743 /* Authenticate client */
744 retval = authenticate_client_middleware(sockfd, &client_pid);
745 if(retval != SECURITY_SERVER_SUCCESS)
747 SEC_SVR_ERR("%s", "Client Authentication Failed");
748 retval = send_generic_response(sockfd,
749 SECURITY_SERVER_MSG_TYPE_PID_RESPONSE,
750 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
751 if(retval != SECURITY_SERVER_SUCCESS)
753 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
758 retval = recv_pid_request(sockfd, requested_cookie);
759 if(retval == SECURITY_SERVER_ERROR_RECV_FAILED)
761 SEC_SVR_ERR("%s", "Receiving request failed");
762 retval = send_generic_response(sockfd,
763 SECURITY_SERVER_MSG_TYPE_PID_RESPONSE,
764 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
765 if(retval != SECURITY_SERVER_SUCCESS)
767 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
772 retval = get_client_gid_list(sockfd, &privileges);
775 SEC_SVR_ERR("ERROR: Cannot get GID list");
779 /* Search cookie list */
780 pthread_mutex_lock(&cookie_mutex);
781 search_result = search_cookie(c_list, requested_cookie, privileges, retval);
782 pthread_mutex_unlock(&cookie_mutex);
786 if(search_result != NULL)
789 SEC_SVR_DBG("We found the cookie and pid:%d", search_result->pid);
790 SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted.");
791 retval = send_pid(sockfd, search_result->pid);
793 if(retval != SECURITY_SERVER_SUCCESS)
795 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
801 SEC_SVR_ERR("%s", "Could not find the cookie");
802 retval = send_generic_response(sockfd,
803 SECURITY_SERVER_MSG_TYPE_PID_RESPONSE,
804 SECURITY_SERVER_RETURN_CODE_NO_SUCH_COOKIE);
805 if(retval != SECURITY_SERVER_SUCCESS)
807 SEC_SVR_ERR("ERROR: Cannot send pid response: %d", retval);
814 int process_smack_request(int sockfd)
816 int retval, client_pid;
817 int * privileges = NULL;
818 unsigned char requested_cookie[SECURITY_SERVER_COOKIE_LEN];
819 cookie_list *search_result = NULL;
820 //handler for SMACK label
823 /* Authenticate client */
824 retval = authenticate_client_middleware(sockfd, &client_pid);
825 if(retval != SECURITY_SERVER_SUCCESS)
827 SEC_SVR_ERR("%s", "Client Authentication Failed");
828 retval = send_generic_response(sockfd,
829 SECURITY_SERVER_MSG_TYPE_SMACK_RESPONSE,
830 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
831 if(retval != SECURITY_SERVER_SUCCESS)
833 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
838 retval = recv_smack_request(sockfd, requested_cookie);
839 if(retval == SECURITY_SERVER_ERROR_RECV_FAILED)
841 SEC_SVR_ERR("%s", "Receiving request failed");
842 retval = send_generic_response(sockfd,
843 SECURITY_SERVER_MSG_TYPE_SMACK_RESPONSE,
844 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
845 if(retval != SECURITY_SERVER_SUCCESS)
847 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
852 retval = get_client_gid_list(sockfd, &privileges);
855 SEC_SVR_ERR("ERROR: Cannot get GID list");
859 /* Search cookie list */
860 pthread_mutex_lock(&cookie_mutex);
861 search_result = search_cookie(c_list, requested_cookie, privileges, retval);
862 pthread_mutex_unlock(&cookie_mutex);
866 if(search_result != NULL)
869 SEC_SVR_DBG("We found the cookie and pid:%d", search_result->pid);
870 SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted.");
872 label = search_result->smack_label;
876 SEC_SVR_DBG("%s", "No SMACK support on device - returning empty label");
880 SEC_SVR_DBG("Read label is: %s\n", label);
882 retval = send_smack(sockfd, label);
884 if(retval != SECURITY_SERVER_SUCCESS)
886 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
892 SEC_SVR_ERR("%s", "Could not find the cookie");
893 retval = send_generic_response(sockfd,
894 SECURITY_SERVER_MSG_TYPE_SMACK_RESPONSE,
895 SECURITY_SERVER_RETURN_CODE_NO_SUCH_COOKIE);
896 if(retval != SECURITY_SERVER_SUCCESS)
898 SEC_SVR_ERR("ERROR: Cannot send SMACK label response: %d", retval);
905 int process_pid_privilege_check(int sockfd, int datasize)
907 //In this function we parsing received PID privilege check request
911 char * object = NULL;
912 char * access_rights = NULL;
913 unsigned char return_code;
916 const int B_SIZE = 64;
920 //authenticate client
921 retval = authenticate_client_middleware(sockfd, &client_pid);
923 if (retval != SECURITY_SERVER_SUCCESS) {
924 SEC_SVR_ERR("%s", "Client Authentication Failed");
925 retval = send_generic_response(sockfd,
926 SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE,
927 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
929 if (retval != SECURITY_SERVER_SUCCESS)
930 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
936 retval = recv_pid_privilege_request(sockfd, datasize, &pid, &object, &access_rights);
938 if (retval == SECURITY_SERVER_ERROR_RECV_FAILED) {
939 SEC_SVR_ERR("%s", "Receiving request failed");
940 retval = send_generic_response(sockfd,
941 SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE,
942 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
944 if (retval != SECURITY_SERVER_SUCCESS)
945 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
952 //get SMACK label of process
953 snprintf(buff, B_SIZE, "/proc/%d/attr/current", pid);
955 fd = open(buff, O_RDONLY, 0644);
957 SEC_SVR_ERR("%s", "Error open()");
958 retval = SECURITY_SERVER_ERROR_UNKNOWN;
963 retval = read(fd, buff, B_SIZE);
965 SEC_SVR_ERR("%s", "Error read()");
966 retval = SECURITY_SERVER_ERROR_UNKNOWN;
970 //now we have SMACK label in buff and we call libsmack
971 SEC_SVR_DBG("Subject label of client PID %d is: %s", pid, buff);
972 retval = smack_have_access(buff, object, access_rights);
973 SEC_SVR_DBG("SMACK have access returned %d", retval);
975 SEC_SVR_DBG("SMACK is not available. Subject label has not been read.");
979 path = read_exe_path_from_proc(pid);
980 //now we have SMACK label in buff and we call libsmack
981 SEC_SVR_DBG("Subject label of client PID %d is: %s", pid, buff);
983 retval = smack_have_access(buff, object, access_rights);
984 SEC_SVR_DBG("SMACK have access returned %d", retval);
986 SEC_SVR_DBG("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, buff, object, access_rights, retval, path);
988 SEC_SVR_ERR("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, buff, object, access_rights, retval, path);
993 if (retval == 1) //there is permission
994 return_code = SECURITY_SERVER_RETURN_CODE_SUCCESS;
995 else //there is no permission
996 return_code = SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED;
999 retval = send_generic_response(sockfd,
1000 SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE,
1003 if (retval != SECURITY_SERVER_SUCCESS)
1004 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
1012 if (access_rights != NULL)
1013 free(access_rights);
1018 int process_tool_request(int client_sockfd, int server_sockfd)
1020 int retval, argcnum = 0;
1021 char **recved_argv = NULL;
1023 /* Authenticate client */
1024 retval = authenticate_developer_shell(client_sockfd);
1025 if(retval != SECURITY_SERVER_SUCCESS)
1027 SEC_SVR_ERR("%s", "Client Authentication Failed");
1028 retval = send_generic_response(client_sockfd,
1029 SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
1030 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
1031 if(retval != SECURITY_SERVER_SUCCESS)
1033 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
1038 /* Receive Total number of argv */
1039 retval = TEMP_FAILURE_RETRY(read(client_sockfd, &argcnum, sizeof(int)));
1040 if((retval < (int)sizeof(int)) || argcnum > (UINT_MAX/sizeof(char *))-2 || argcnum < 0)
1042 SEC_SVR_ERR("Error: argc recieve failed: %d", retval);
1043 retval = send_generic_response(client_sockfd,
1044 SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
1045 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
1046 if(retval != SECURITY_SERVER_SUCCESS)
1048 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
1053 recved_argv = (char **)malloc(sizeof(char *) * argcnum);
1054 if(recved_argv == NULL)
1056 SEC_SVR_ERR("Error: malloc() failed: %d", retval);
1057 retval = send_generic_response(client_sockfd,
1058 SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
1059 SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
1060 if(retval != SECURITY_SERVER_SUCCESS)
1062 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
1066 memset(recved_argv, 0, sizeof(char *) * argcnum);
1068 retval = recv_launch_tool_request(client_sockfd, argcnum-1, recved_argv);
1069 if(retval == SECURITY_SERVER_ERROR_RECV_FAILED || retval == SECURITY_SERVER_ERROR_OUT_OF_MEMORY)
1071 SEC_SVR_ERR("%s", "Receiving request failed");
1072 retval = send_generic_response(client_sockfd,
1073 SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
1074 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
1075 if(retval != SECURITY_SERVER_SUCCESS)
1077 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
1083 SEC_SVR_ERR("Error: Too small number of argv [%d]", argcnum);
1084 retval = send_generic_response(client_sockfd,
1085 SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
1086 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
1087 if(retval != SECURITY_SERVER_SUCCESS)
1089 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
1093 /* Execute the command */
1094 retval = execute_debug_tool(argcnum, recved_argv, server_sockfd, client_sockfd);
1095 if(retval != SECURITY_SERVER_SUCCESS)
1097 SEC_SVR_ERR("Error: Cannot execute debug tool [%d]", retval);
1098 retval = send_generic_response(client_sockfd,
1099 SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
1100 SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
1101 if(retval != SECURITY_SERVER_SUCCESS)
1103 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
1108 SEC_SVR_DBG("%s", "Tool has been executed");
1109 retval = send_generic_response(client_sockfd,
1110 SECURITY_SERVER_MSG_TYPE_TOOL_RESPONSE,
1111 SECURITY_SERVER_RETURN_CODE_SUCCESS);
1112 if(retval != SECURITY_SERVER_SUCCESS)
1114 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
1118 free_argv(recved_argv, argcnum);
1122 int client_has_access(int sockfd, const char *object) {
1131 if(smack_new_label_from_socket(sockfd, &label))
1134 if (0 >= (ret = smack_have_access(label, object, "rw")))
1138 if (SECURITY_SERVER_SUCCESS == authenticate_client_application(sockfd, &pid, &uid))
1139 SEC_SVR_DBG("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=rw, result=%d",
1140 pid, label, object, ret);
1146 void *security_server_thread(void *param)
1148 int client_sockfd = -1, client_uid, client_pid;
1149 int server_sockfd, retval;
1150 basic_header basic_hdr;
1151 struct security_server_thread_param *my_param;
1153 my_param = (struct security_server_thread_param *) param;
1154 client_sockfd = my_param->client_sockfd;
1155 server_sockfd = my_param->server_sockfd;
1157 /* Receive request header */
1158 retval = recv_hdr(client_sockfd, &basic_hdr);
1159 if(retval == SECURITY_SERVER_ERROR_TIMEOUT || retval == SECURITY_SERVER_ERROR_RECV_FAILED
1160 || retval == SECURITY_SERVER_ERROR_SOCKET)
1162 SEC_SVR_ERR("Receiving header error [%d]",retval);
1163 close(client_sockfd);
1168 if(retval != SECURITY_SERVER_SUCCESS)
1171 SEC_SVR_ERR("Receiving header error [%d]",retval);
1172 retval = send_generic_response(client_sockfd,
1173 SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
1174 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
1175 if(retval != SECURITY_SERVER_SUCCESS)
1177 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
1180 safe_server_sock_close(client_sockfd);
1185 /* Act different for request message ID */
1186 switch(basic_hdr.msg_id)
1188 case SECURITY_SERVER_MSG_TYPE_COOKIE_REQUEST:
1189 SEC_SVR_DBG("%s", "Cookie request received");
1190 process_cookie_request(client_sockfd);
1193 case SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_REQUEST:
1194 SEC_SVR_DBG("%s", "Privilege check received");
1195 process_check_privilege_request(client_sockfd);
1198 case SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_REQUEST:
1199 SEC_SVR_DBG("%s", "Privilege check (new mode) received");
1200 process_check_privilege_new_request(client_sockfd);
1203 case SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_REQUEST:
1204 SEC_SVR_DBG("%s", "Get object name request received");
1205 process_object_name_request(client_sockfd);
1208 case SECURITY_SERVER_MSG_TYPE_GID_REQUEST:
1209 SEC_SVR_DBG("%s", "Get GID received");
1210 process_gid_request(client_sockfd, (int)basic_hdr.msg_len);
1213 case SECURITY_SERVER_MSG_TYPE_PID_REQUEST:
1214 SEC_SVR_DBG("%s", "pid request received");
1215 process_pid_request(client_sockfd);
1218 case SECURITY_SERVER_MSG_TYPE_SMACK_REQUEST:
1219 SEC_SVR_DBG("%s", "SMACK label request received");
1220 process_smack_request(client_sockfd);
1223 case SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_REQUEST:
1224 SEC_SVR_DBG("%s", "PID privilege check request received");
1225 //pass data size to function
1226 process_pid_privilege_check(client_sockfd, basic_hdr.msg_len);
1229 case SECURITY_SERVER_MSG_TYPE_TOOL_REQUEST:
1230 SEC_SVR_DBG("%s", "launch tool request received");
1231 process_tool_request(client_sockfd, server_sockfd);
1234 case SECURITY_SERVER_MSG_TYPE_VALID_PWD_REQUEST:
1235 SEC_SVR_DBG("%s", "Server: validate password request received");
1236 process_valid_pwd_request(client_sockfd);
1239 case SECURITY_SERVER_MSG_TYPE_SET_PWD_REQUEST:
1240 SEC_SVR_DBG("%s", "Server: set password request received");
1241 process_set_pwd_request(client_sockfd);
1244 case SECURITY_SERVER_MSG_TYPE_RESET_PWD_REQUEST:
1245 SEC_SVR_DBG("%s", "Server: reset password request received");
1246 process_reset_pwd_request(client_sockfd);
1249 case SECURITY_SERVER_MSG_TYPE_CHK_PWD_REQUEST:
1250 SEC_SVR_DBG("%s", "Server: check password request received");
1251 process_chk_pwd_request(client_sockfd);
1254 case SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_REQUEST:
1255 SEC_SVR_DBG("%s", "Server: set password histroy request received");
1256 process_set_pwd_history_request(client_sockfd);
1259 case SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_REQUEST:
1260 SEC_SVR_DBG("%s", "Server: set password max challenge request received");
1261 process_set_pwd_max_challenge_request(client_sockfd);
1264 case SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_REQUEST:
1265 SEC_SVR_DBG("%s", "Server: set password validity request received");
1266 process_set_pwd_validity_request(client_sockfd);
1269 case SECURITY_SERVER_MSG_TYPE_APP_GIVE_ACCESS_REQUEST:
1270 if (client_has_access(client_sockfd, LABEL_SECURITY_SERVER_API_DATA_SHARE)) {
1271 SEC_SVR_DBG("%s", "Server: app give access request received");
1272 process_app_get_access_request(client_sockfd,
1273 basic_hdr.msg_len - sizeof(basic_hdr));
1275 SEC_SVR_DBG("%s", "Server: app give access request received (API DENIED - request will not proceed)");
1276 send_generic_response(client_sockfd,
1277 SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
1278 SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED);
1281 /************************************************************************************************/
1282 /* Just for test. This code must be removed on release */
1283 case SECURITY_SERVER_MSG_TYPE_GET_ALL_COOKIES_REQUEST:
1284 SEC_SVR_DBG("%s", "all cookie info request received -- NEED TO BE DELETED ON RELEASE");
1285 retval = authenticate_client_application(client_sockfd, &client_pid, &client_uid);
1286 if(retval != SECURITY_SERVER_SUCCESS)
1288 SEC_SVR_ERR("%s", "Client Authentication Failed");
1289 retval = send_generic_response(client_sockfd,
1290 SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
1291 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
1292 if(retval != SECURITY_SERVER_SUCCESS)
1294 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
1298 retval = util_process_all_cookie(client_sockfd, c_list);
1299 if(retval != SECURITY_SERVER_SUCCESS)
1301 SEC_SVR_ERR("ERROR: Cannot send all cookie info: %d", retval);
1305 case SECURITY_SERVER_MSG_TYPE_GET_COOKIEINFO_FROM_PID_REQUEST:
1306 SEC_SVR_DBG("%s", "cookie info from pid request received -- NEED TO BE DELETED ON RELEASE");
1307 if(retval != SECURITY_SERVER_SUCCESS)
1309 SEC_SVR_ERR("%s", "Client Authentication Failed");
1310 retval = send_generic_response(client_sockfd,
1311 SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
1312 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
1313 if(retval != SECURITY_SERVER_SUCCESS)
1315 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
1319 util_process_cookie_from_pid(client_sockfd, c_list);
1322 case SECURITY_SERVER_MSG_TYPE_GET_COOKIEINFO_FROM_COOKIE_REQUEST:
1323 SEC_SVR_DBG("%s", "cookie info from cookie request received -- NEED TO BE DELETED ON RELEASE");
1324 if(retval != SECURITY_SERVER_SUCCESS)
1326 SEC_SVR_ERR("%s", "Client Authentication Failed");
1327 retval = send_generic_response(client_sockfd,
1328 SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
1329 SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
1330 if(retval != SECURITY_SERVER_SUCCESS)
1332 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
1336 util_process_cookie_from_cookie(client_sockfd, c_list);
1338 /************************************************************************************************/
1342 SEC_SVR_ERR("Unknown msg ID :%d", basic_hdr.msg_id);
1343 /* Unknown message ID */
1344 retval = send_generic_response(client_sockfd,
1345 SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
1346 SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
1347 if(retval != SECURITY_SERVER_SUCCESS)
1349 SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
1354 if(client_sockfd > 0)
1356 safe_server_sock_close(client_sockfd);
1361 if(client_sockfd > 0)
1362 close(client_sockfd);
1363 thread_status[my_param->thread_status] = 0;
1364 pthread_detach(pthread_self());
1368 void *security_server_main_thread(void *data)
1370 int server_sockfd = 0, retval, client_sockfd = -1, rc;
1371 struct sigaction act, dummy;
1372 pthread_t threads[SECURITY_SERVER_NUM_THREADS];
1373 struct security_server_thread_param param[SECURITY_SERVER_NUM_THREADS];
1377 SEC_SVR_DBG("%s", "Starting Security Server main thread");
1379 /* security server must be executed by root */
1382 fprintf(stderr, "%s\n", "You are not root. exiting...");
1386 for(retval = 0 ; retval < SECURITY_SERVER_NUM_THREADS; retval++)
1387 thread_status[retval] = 0;
1390 /* Create and bind a Unix domain socket */
1391 retval = create_new_socket(&server_sockfd);
1392 if(retval != SECURITY_SERVER_SUCCESS)
1394 SEC_SVR_ERR("%s", "cannot create socket. exiting...");
1398 if(listen(server_sockfd, 5) < 0)
1400 SEC_SVR_ERR("%s", "listen() failed. exiting...");
1404 /* Create a default cookie --> Cookie for root process */
1405 c_list = create_default_cookie();
1408 SEC_SVR_ERR("%s", "cannot make a default cookie. exiting...");
1412 /* Init signal handler */
1413 act.sa_handler = NULL;
1414 act.sa_sigaction = security_server_sig_child;
1415 sigemptyset(&act.sa_mask);
1416 act.sa_flags = SA_NOCLDSTOP | SA_SIGINFO;
1418 if (sigaction(SIGCHLD, &act, &dummy) < 0)
1420 SEC_SVR_ERR("%s", "cannot change session");
1423 pthread_mutex_init(&cookie_mutex, NULL);
1427 /* Accept a new client */
1428 if(client_sockfd < 0)
1429 client_sockfd = accept_client(server_sockfd);
1431 if(client_sockfd == SECURITY_SERVER_ERROR_TIMEOUT)
1433 if(client_sockfd < 0)
1435 SEC_SVR_DBG("Server: new connection has been accepted: %d", client_sockfd);
1439 if(thread_status[retval] == 0)
1441 thread_status[retval] = 1;
1442 param[retval].client_sockfd = client_sockfd;
1443 param[retval].server_sockfd = server_sockfd;
1444 param[retval].thread_status= retval;
1445 SEC_SVR_DBG("Server: Creating a new thread: %d", retval);
1446 rc =pthread_create(&threads[retval], NULL, security_server_thread, (void *)¶m[retval]);
1449 SEC_SVR_ERR("Error: Server: Cannot create thread:%d", rc);
1455 if(retval >= SECURITY_SERVER_NUM_THREADS)
1461 if(server_sockfd > 0)
1462 close(server_sockfd);
1464 pthread_detach(pthread_self());
1468 ssize_t read_wrapper(int sockfd, void *buffer, size_t len) {
1469 unsigned char *buff = (unsigned char *)buffer;
1471 while(done < (int)len) {
1472 struct pollfd fds = { sockfd, POLLIN, 0};
1473 if (0 >= poll(&fds, 1, 1000))
1475 ssize_t ret = read(sockfd, buff+done, len-done);
1482 if (-1 == ret && EAGAIN != errno && EINTR != errno)
1488 int process_app_get_access_request(int sockfd, size_t msg_len)
1490 char *message_buffer = NULL;
1491 char *client_label = NULL;
1492 char *provider_label = NULL;
1493 int ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
1494 int send_message_id = SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE;
1495 int send_error_id = SECURITY_SERVER_RETURN_CODE_SERVER_ERROR;
1498 message_buffer = malloc(msg_len+1);
1499 if (!message_buffer)
1500 return SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
1501 message_buffer[msg_len] = 0;
1503 ssize_t retval = read_wrapper(sockfd, message_buffer, msg_len);
1505 if (retval < (ssize_t)msg_len) {
1506 SEC_SVR_ERR("%s", "Error in read. Message too short");
1507 send_error_id = SECURITY_SERVER_RETURN_CODE_BAD_REQUEST;
1508 ret = SECURITY_SERVER_ERROR_BAD_REQUEST;
1512 memcpy(&client_pid, message_buffer, sizeof(int));
1513 client_label = message_buffer + sizeof(int);
1515 if (smack_check()) {
1516 if (0 != smack_new_label_from_socket(sockfd, &provider_label)) {
1517 SEC_SVR_ERR("%s", "Error in smack_new_label_from_socket");
1521 if (PC_OPERATION_SUCCESS != app_give_access(client_label, provider_label, "rwxat")) {
1522 SEC_SVR_ERR("%s", "Error in app_give_access");
1527 ret = SECURITY_SERVER_SUCCESS;
1528 send_message_id = SECURITY_SERVER_MSG_TYPE_APP_GIVE_ACCESS_RESPONSE;
1529 send_error_id = SECURITY_SERVER_RETURN_CODE_SUCCESS;
1531 if (!netlink_enabled) {
1532 SEC_SVR_ERR("Netlink not supported: Garbage collector inactive.");
1536 if (smack_check()) {
1537 if (0 != rules_revoker_add(client_pid, client_label, provider_label))
1538 SEC_SVR_ERR("%s", "Error in rules_revoker_add.");
1542 retval = send_generic_response(sockfd, send_message_id, send_error_id);
1543 if(retval != SECURITY_SERVER_SUCCESS)
1544 SEC_SVR_ERR("Server ERROR: Cannot send response: %d", retval);
1546 free(message_buffer);
1547 free(provider_label);
1551 void *system_observer_main_thread(void *data) {
1552 system_observer_main(data);
1553 SEC_SVR_ERR("%s", "System observer: exit. No garbage collector support.");
1554 netlink_enabled = 0;
1555 pthread_detach(pthread_self());
1559 int main(int argc, char* argv[])
1562 pthread_t main_thread;
1567 // create observer thread only if smack is enabled
1568 if (smack_check()) {
1569 pthread_t system_observer;
1570 system_observer_config so_config;
1571 so_config.event_callback = rules_revoker_callback;
1573 res = pthread_create(&system_observer, NULL, system_observer_main_thread, (void*)&so_config);
1579 SEC_SVR_DBG("SMACK is not available. Observer thread disabled.");
1582 res = pthread_create(&main_thread, NULL, security_server_main_thread, NULL);
1590 SEC_SVR_ERR("Error: Server: Cannot create main security server thread: %d", res);
projects / framework / security / security-server.git / blob