#include <unistd.h>
#include <grp.h>
+#include <dirent.h>
#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/xattr.h>
#include <sys/smack.h>
#include <sys/capability.h>
#include <client-common.h>
#include <protocols.h>
#include <smack-common.h>
+#include <service_impl.h>
+#include <file-lock.h>
#include <security-manager.h>
+/**
+ * Mapping of lib_retcode error codes to theirs strings equivalents
+ */
+static std::map<enum lib_retcode, std::string> lib_retcode_string_map = {
+ {SECURITY_MANAGER_SUCCESS, "Success"},
+ {SECURITY_MANAGER_ERROR_UNKNOWN, "Unknown error"},
+ {SECURITY_MANAGER_ERROR_INPUT_PARAM, "Invalid function parameter was given"},
+ {SECURITY_MANAGER_ERROR_MEMORY, "Memory allocation error"},
+ {SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE, "Incomplete data in application request"},
+ {SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED, "User does not have sufficient "
+ "rigths to perform an operation"}
+};
+SECURITY_MANAGER_API
+const char *security_manager_strerror(enum lib_retcode rc)
+{
+ try {
+ return lib_retcode_string_map.at(rc).c_str();
+ } catch (const std::out_of_range &e) {
+ return "Unknown error code";
+ }
+}
SECURITY_MANAGER_API
int security_manager_app_inst_req_new(app_inst_req **pp_req)
} catch (std::bad_alloc& ex) {
return SECURITY_MANAGER_ERROR_MEMORY;
}
-
+ (*pp_req)->uid = geteuid();
return SECURITY_MANAGER_SUCCESS;
}
}
SECURITY_MANAGER_API
+int security_manager_app_inst_req_set_uid(app_inst_req *p_req,
+ const uid_t uid)
+{
+ if (!p_req)
+ return SECURITY_MANAGER_ERROR_INPUT_PARAM;
+
+ p_req->uid = uid;
+
+ return SECURITY_MANAGER_SUCCESS;
+}
+
+SECURITY_MANAGER_API
int security_manager_app_inst_req_set_app_id(app_inst_req *p_req, const char *app_id)
{
if (!p_req || !app_id)
int security_manager_app_install(const app_inst_req *p_req)
{
using namespace SecurityManager;
- MessageBuffer send, recv;
return try_catch([&] {
//checking parameters
if (p_req->appId.empty() || p_req->pkgId.empty())
return SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE;
- //put data into buffer
- Serialization::Serialize(send, (int)SecurityModuleCall::APP_INSTALL);
- Serialization::Serialize(send, p_req->appId);
- Serialization::Serialize(send, p_req->pkgId);
- Serialization::Serialize(send, p_req->privileges);
- Serialization::Serialize(send, p_req->appPaths);
-
- //send buffer to server
- int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv);
- if (retval != SECURITY_MANAGER_API_SUCCESS) {
- LogError("Error in sendToServer. Error code: " << retval);
- return SECURITY_MANAGER_ERROR_UNKNOWN;
+ bool offlineMode;
+ int retval;
+
+ try {
+ SecurityManager::FileLocker serviceLock(SecurityManager::SERVICE_LOCK_FILE);
+ if ((offlineMode = serviceLock.Locked())) {
+ LogInfo("Working in offline mode.");
+ retval = SecurityManager::ServiceImpl::appInstall(*p_req, geteuid());
+ }
+ } catch (const SecurityManager::FileLocker::Exception::Base &e) {
+ offlineMode = false;
}
+ if (!offlineMode) {
+ MessageBuffer send, recv;
+
+ //put data into buffer
+ Serialization::Serialize(send, (int)SecurityModuleCall::APP_INSTALL);
+ Serialization::Serialize(send, p_req->appId);
+ Serialization::Serialize(send, p_req->pkgId);
+ Serialization::Serialize(send, p_req->privileges);
+ Serialization::Serialize(send, p_req->appPaths);
+ Serialization::Serialize(send, p_req->uid);
+
+ //send buffer to server
+ retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv);
+ if (retval != SECURITY_MANAGER_API_SUCCESS) {
+ LogError("Error in sendToServer. Error code: " << retval);
+ return SECURITY_MANAGER_ERROR_UNKNOWN;
+ }
- //receive response from server
- Deserialization::Deserialize(recv, retval);
+ //receive response from server
+ Deserialization::Deserialize(recv, retval);
+ }
switch(retval) {
case SECURITY_MANAGER_API_SUCCESS:
return SECURITY_MANAGER_SUCCESS;
case SECURITY_MANAGER_API_ERROR_AUTHENTICATION_FAILED:
return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
+ case SECURITY_MANAGER_API_ERROR_INPUT_PARAM:
+ return SECURITY_MANAGER_ERROR_INPUT_PARAM;
default:
return SECURITY_MANAGER_ERROR_UNKNOWN;
}
});
}
-SECURITY_MANAGER_API
-int security_manager_set_process_label_from_binary(const char *path)
+static bool setup_smack(const char *label)
{
- char *smack_label;
- int ret;
+ int labelSize = strlen(label);
- LogDebug("security_manager_set_process_label_from_binary() called");
+ // Set Smack label for open socket file descriptors
- if (smack_smackfs_path() == NULL)
- return SECURITY_MANAGER_SUCCESS;
-
- if (path == NULL) {
- LogError("security_manager_set_process_label_from_binary: path is NULL");
- return SECURITY_MANAGER_ERROR_INPUT_PARAM;
+ std::unique_ptr<DIR, std::function<int(DIR*)>> dir(
+ opendir("/proc/self/fd"), closedir);
+ if (!dir.get()) {
+ LogError("Unable to read list of open file descriptors: " <<
+ strerror(errno));
+ return SECURITY_MANAGER_ERROR_UNKNOWN;
}
- ret = SecurityManager::getSmackLabelFromBinary(&smack_label, path);
- if (ret == SECURITY_MANAGER_SUCCESS && smack_label != NULL) {
- if (smack_set_label_for_self(smack_label) != 0) {
- ret = SECURITY_MANAGER_ERROR_UNKNOWN;
- LogError("Failed to set smack label " << smack_label << " for current process");
+ do {
+ errno = 0;
+ struct dirent *dirEntry = readdir(dir.get());
+ if (dirEntry == nullptr) {
+ if (errno == 0) // NULL return value also signals end of directory
+ break;
+
+ LogError("Unable to read list of open file descriptors: " <<
+ strerror(errno));
+ return SECURITY_MANAGER_ERROR_UNKNOWN;
}
- free(smack_label);
- }
- return ret;
+ // Entries with numerical names specify file descriptors, ignore the rest
+ if (!isdigit(dirEntry->d_name[0]))
+ continue;
+
+ struct stat statBuf;
+ int fd = atoi(dirEntry->d_name);
+ int ret = fstat(fd, &statBuf);
+ if (ret != 0) {
+ LogWarning("fstat failed on file descriptor " << fd << ": " <<
+ strerror(errno));
+ continue;
+ }
+ if (S_ISSOCK(statBuf.st_mode)) {
+ ret = fsetxattr(fd, XATTR_NAME_SMACKIPIN, label, labelSize, 0);
+ if (ret != 0) {
+ LogError("Setting Smack label failed on file descriptor " <<
+ fd << ": " << strerror(errno));
+ return SECURITY_MANAGER_ERROR_UNKNOWN;
+ }
+
+ ret = fsetxattr(fd, XATTR_NAME_SMACKIPOUT, label, labelSize, 0);
+ if (ret != 0) {
+ LogError("Setting Smack label failed on file descriptor " <<
+ fd << ": " << strerror(errno));
+ return SECURITY_MANAGER_ERROR_UNKNOWN;
+ }
+ }
+ } while (true);
+
+ // Set Smack label of current process
+ smack_set_label_for_self(label);
+
+ return SECURITY_MANAGER_SUCCESS;
}
SECURITY_MANAGER_API
}
if (SecurityManager::generateAppLabel(std::string(pkg_id), appLabel)) {
- if (smack_set_label_for_self(appLabel.c_str()) != 0) {
+ ret = setup_smack(appLabel.c_str());
+ if (ret != SECURITY_MANAGER_SUCCESS) {
LogError("Failed to set smack label " << appLabel << " for current process");
- ret = SECURITY_MANAGER_ERROR_UNKNOWN;
}
}
else {
cap_free(cap);
return SECURITY_MANAGER_SUCCESS;
}
+
+SECURITY_MANAGER_API
+int security_manager_prepare_app(const char *app_id)
+{
+ LogDebug("security_manager_prepare_app() called");
+ int ret;
+
+ ret = security_manager_set_process_label_from_appid(app_id);
+ if (ret != SECURITY_MANAGER_SUCCESS)
+ return ret;
+
+ ret = security_manager_set_process_groups_from_appid(app_id);
+ if (ret != SECURITY_MANAGER_SUCCESS)
+ return ret;
+
+ ret = security_manager_drop_process_privileges();
+ return ret;
+}
+
+SECURITY_MANAGER_API
+int security_manager_user_req_new(user_req **pp_req)
+{
+ if (!pp_req)
+ return SECURITY_MANAGER_ERROR_INPUT_PARAM;
+ try {
+ *pp_req = new user_req;
+ } catch (std::bad_alloc& ex) {
+ return SECURITY_MANAGER_ERROR_MEMORY;
+ }
+ return SECURITY_MANAGER_SUCCESS;
+}
+
+SECURITY_MANAGER_API
+void security_manager_user_req_free(user_req *p_req)
+{
+ delete p_req;
+}
+
+SECURITY_MANAGER_API
+int security_manager_user_req_set_uid(user_req *p_req, uid_t uid)
+{
+ if (!p_req)
+ return SECURITY_MANAGER_ERROR_INPUT_PARAM;
+
+ p_req->uid = uid;
+
+ return SECURITY_MANAGER_SUCCESS;
+}
+
+SECURITY_MANAGER_API
+int security_manager_user_req_set_user_type(user_req *p_req, security_manager_user_type utype)
+{
+ if (!p_req)
+ return SECURITY_MANAGER_ERROR_INPUT_PARAM;
+
+ p_req->utype = static_cast<int>(utype);
+
+ return SECURITY_MANAGER_SUCCESS;
+}
+
+SECURITY_MANAGER_API
+int security_manager_user_add(const user_req *p_req)
+{
+ using namespace SecurityManager;
+ MessageBuffer send, recv;
+ if (!p_req)
+ return SECURITY_MANAGER_ERROR_INPUT_PARAM;
+ return try_catch([&] {
+
+ //put data into buffer
+ Serialization::Serialize(send, static_cast<int>(SecurityModuleCall::USER_ADD));
+
+ Serialization::Serialize(send, p_req->uid);
+ Serialization::Serialize(send, p_req->utype);
+
+ //send buffer to server
+ int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv);
+ if (retval != SECURITY_MANAGER_API_SUCCESS) {
+ LogError("Error in sendToServer. Error code: " << retval);
+ return SECURITY_MANAGER_ERROR_UNKNOWN;
+ }
+
+ //receive response from server
+ Deserialization::Deserialize(recv, retval);
+ switch(retval) {
+ case SECURITY_MANAGER_API_SUCCESS:
+ return SECURITY_MANAGER_SUCCESS;
+ case SECURITY_MANAGER_API_ERROR_AUTHENTICATION_FAILED:
+ return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
+ default:
+ return SECURITY_MANAGER_ERROR_UNKNOWN;
+ }
+ });
+}
+
+SECURITY_MANAGER_API
+int security_manager_user_delete(const user_req *p_req)
+{
+ using namespace SecurityManager;
+ MessageBuffer send, recv;
+ if (!p_req)
+ return SECURITY_MANAGER_ERROR_INPUT_PARAM;
+ return try_catch([&] {
+
+ //put data into buffer
+ Serialization::Serialize(send, static_cast<int>(SecurityModuleCall::USER_DELETE));
+
+ Serialization::Serialize(send, p_req->uid);
+
+
+ //send buffer to server
+ int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv);
+ if (retval != SECURITY_MANAGER_API_SUCCESS) {
+ LogError("Error in sendToServer. Error code: " << retval);
+ return SECURITY_MANAGER_ERROR_UNKNOWN;
+ }
+
+ //receive response from server
+ Deserialization::Deserialize(recv, retval);
+ switch(retval) {
+ case SECURITY_MANAGER_API_SUCCESS:
+ return SECURITY_MANAGER_SUCCESS;
+ case SECURITY_MANAGER_API_ERROR_AUTHENTICATION_FAILED:
+ return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
+ default:
+ return SECURITY_MANAGER_ERROR_UNKNOWN;
+ }
+ });
+}