Remove all legacy code from security-server
authorBartlomiej Grzelewski <b.grzelewski@samsung.com>
Tue, 5 Nov 2013 12:36:20 +0000 (13:36 +0100)
committerBartlomiej Grzelewski <b.grzelewski@samsung.com>
Thu, 6 Feb 2014 16:13:23 +0000 (17:13 +0100)
[Issue#]   SSDWSSP-424
[Bug]      N/A
[Problem]  Old code was not immune to interrupts and had many
           synchronization issues.
[Solution] N/A

[Verification] Build, run tests.

Conflicts:

src/communication/security-server-comm.c
src/include/security-server-comm.h
src/server/main/security-server-util.cpp

Change-Id: Ifc091f4dd8994b53c76f90898e5d39ec2c12547a

93 files changed:
src/CMakeLists.txt
src/communication/security-server-comm.c [deleted file]
src/include/SLP_security-model_PG.h [deleted file]
src/include/SLP_security-server_PG.h [deleted file]
src/include/security-server-comm.h [deleted file]
src/include/security-server-common.h [deleted file]
src/server/CMakeLists.txt [moved from src/server2/CMakeLists.txt with 93% similarity]
src/server/client/client-app-permissions.cpp [moved from src/server2/client/client-app-permissions.cpp with 99% similarity]
src/server/client/client-common.cpp [moved from src/server2/client/client-common.cpp with 100% similarity]
src/server/client/client-common.h [moved from src/server2/client/client-common.h with 98% similarity]
src/server/client/client-cookie.cpp [moved from src/server2/client/client-cookie.cpp with 99% similarity]
src/server/client/client-get-gid.cpp [moved from src/server2/client/client-get-gid.cpp with 98% similarity]
src/server/client/client-get-object-name.cpp [moved from src/server2/client/client-get-object-name.cpp with 98% similarity]
src/server/client/client-open-for.cpp [moved from src/server2/client/client-open-for.cpp with 95% similarity]
src/server/client/client-password.cpp [moved from src/server2/client/client-password.cpp with 99% similarity]
src/server/client/client-privilege-by-pid.cpp [moved from src/server2/client/client-privilege-by-pid.cpp with 98% similarity]
src/server/client/client-shared-memory.cpp [moved from src/server2/client/client-shared-memory.cpp with 98% similarity]
src/server/client/client-socket-privilege.cpp [moved from src/server2/client/client-socket-privilege.cpp with 98% similarity]
src/server/common/connection-info.h [moved from src/server2/common/connection-info.h with 100% similarity]
src/server/common/message-buffer.cpp [moved from src/server2/common/message-buffer.cpp with 100% similarity]
src/server/common/message-buffer.h [moved from src/server2/common/message-buffer.h with 100% similarity]
src/server/common/protocols.cpp [moved from src/server2/common/protocols.cpp with 97% similarity]
src/server/common/protocols.h [moved from src/server2/common/protocols.h with 98% similarity]
src/server/common/smack-check.cpp [moved from src/util/smack-check.c with 67% similarity]
src/server/common/smack-check.h [moved from src/include/smack-check.h with 94% similarity]
src/server/dpl/core/include/dpl/assert.h [moved from src/server2/dpl/core/include/dpl/assert.h with 100% similarity]
src/server/dpl/core/include/dpl/binary_queue.h [moved from src/server2/dpl/core/include/dpl/binary_queue.h with 100% similarity]
src/server/dpl/core/include/dpl/colors.h [moved from src/server2/dpl/core/include/dpl/colors.h with 100% similarity]
src/server/dpl/core/include/dpl/exception.h [moved from src/server2/dpl/core/include/dpl/exception.h with 100% similarity]
src/server/dpl/core/include/dpl/noncopyable.h [moved from src/server2/dpl/core/include/dpl/noncopyable.h with 100% similarity]
src/server/dpl/core/include/dpl/noreturn.h [moved from src/server2/dpl/core/include/dpl/noreturn.h with 100% similarity]
src/server/dpl/core/include/dpl/serialization.h [moved from src/server2/dpl/core/include/dpl/serialization.h with 100% similarity]
src/server/dpl/core/include/dpl/singleton.h [moved from src/server2/dpl/core/include/dpl/singleton.h with 100% similarity]
src/server/dpl/core/include/dpl/singleton_impl.h [moved from src/server2/dpl/core/include/dpl/singleton_impl.h with 100% similarity]
src/server/dpl/core/include/dpl/singleton_safe_impl.h [moved from src/server2/dpl/core/include/dpl/singleton_safe_impl.h with 100% similarity]
src/server/dpl/core/src/assert.cpp [moved from src/server2/dpl/core/src/assert.cpp with 100% similarity]
src/server/dpl/core/src/binary_queue.cpp [moved from src/server2/dpl/core/src/binary_queue.cpp with 100% similarity]
src/server/dpl/core/src/colors.cpp [moved from src/server2/dpl/core/src/colors.cpp with 100% similarity]
src/server/dpl/core/src/exception.cpp [moved from src/server2/dpl/core/src/exception.cpp with 100% similarity]
src/server/dpl/core/src/noncopyable.cpp [moved from src/server2/dpl/core/src/noncopyable.cpp with 100% similarity]
src/server/dpl/core/src/serialization.cpp [moved from src/server2/dpl/core/src/serialization.cpp with 100% similarity]
src/server/dpl/core/src/singleton.cpp [moved from src/server2/dpl/core/src/singleton.cpp with 100% similarity]
src/server/dpl/log/include/dpl/log/abstract_log_provider.h [moved from src/server2/dpl/log/include/dpl/log/abstract_log_provider.h with 100% similarity]
src/server/dpl/log/include/dpl/log/audit-smack-log.h [moved from src/server2/dpl/log/include/dpl/log/audit-smack-log.h with 100% similarity]
src/server/dpl/log/include/dpl/log/dlog_log_provider.h [moved from src/server2/dpl/log/include/dpl/log/dlog_log_provider.h with 100% similarity]
src/server/dpl/log/include/dpl/log/log.h [moved from src/server2/dpl/log/include/dpl/log/log.h with 100% similarity]
src/server/dpl/log/include/dpl/log/old_style_log_provider.h [moved from src/server2/dpl/log/include/dpl/log/old_style_log_provider.h with 100% similarity]
src/server/dpl/log/src/abstract_log_provider.cpp [moved from src/server2/dpl/log/src/abstract_log_provider.cpp with 100% similarity]
src/server/dpl/log/src/audit-smack-log.cpp [moved from src/server2/dpl/log/src/audit-smack-log.cpp with 100% similarity]
src/server/dpl/log/src/dlog_log_provider.cpp [moved from src/server2/dpl/log/src/dlog_log_provider.cpp with 100% similarity]
src/server/dpl/log/src/log.cpp [moved from src/server2/dpl/log/src/log.cpp with 100% similarity]
src/server/dpl/log/src/old_style_log_provider.cpp [moved from src/server2/dpl/log/src/old_style_log_provider.cpp with 100% similarity]
src/server/main/generic-event.h [moved from src/server2/main/generic-event.h with 100% similarity]
src/server/main/generic-socket-manager.cpp [moved from src/server2/main/generic-socket-manager.cpp with 100% similarity]
src/server/main/generic-socket-manager.h [moved from src/server2/main/generic-socket-manager.h with 100% similarity]
src/server/main/security-server-util.cpp [new file with mode: 0644]
src/server/main/security-server-util.h [moved from src/include/security-server-util.h with 82% similarity]
src/server/main/server2-main.cpp [moved from src/server2/main/server2-main.cpp with 89% similarity]
src/server/main/server2-main.h [moved from src/server2/main/server2-main.h with 100% similarity]
src/server/main/service-thread.h [moved from src/server2/main/service-thread.h with 100% similarity]
src/server/main/socket-manager.cpp [moved from src/server2/main/socket-manager.cpp with 100% similarity]
src/server/main/socket-manager.h [moved from src/server2/main/socket-manager.h with 100% similarity]
src/server/security-server-main.c [deleted file]
src/server/service/app-permissions.cpp [moved from src/server2/service/app-permissions.cpp with 98% similarity]
src/server/service/app-permissions.h [moved from src/server2/service/app-permissions.h with 98% similarity]
src/server/service/cookie-jar.cpp [moved from src/server2/service/cookie-jar.cpp with 100% similarity]
src/server/service/cookie-jar.h [moved from src/server2/service/cookie-jar.h with 100% similarity]
src/server/service/cookie.cpp [moved from src/server2/service/cookie.cpp with 99% similarity]
src/server/service/cookie.h [moved from src/server2/service/cookie.h with 98% similarity]
src/server/service/data-share.cpp [moved from src/server2/service/data-share.cpp with 100% similarity]
src/server/service/data-share.h [moved from src/server2/service/data-share.h with 100% similarity]
src/server/service/get-gid.cpp [moved from src/server2/service/get-gid.cpp with 100% similarity]
src/server/service/get-gid.h [moved from src/server2/service/get-gid.h with 98% similarity]
src/server/service/get-object-name.cpp [moved from src/server2/service/get-object-name.cpp with 100% similarity]
src/server/service/get-object-name.h [moved from src/server2/service/get-object-name.h with 98% similarity]
src/server/service/open-for-manager.cpp [moved from src/server2/service/open-for-manager.cpp with 99% similarity]
src/server/service/open-for-manager.h [moved from src/server2/service/open-for-manager.h with 98% similarity]
src/server/service/open-for.cpp [moved from src/server2/service/open-for.cpp with 99% similarity]
src/server/service/open-for.h [moved from src/server2/service/open-for.h with 98% similarity]
src/server/service/password-exception.h [moved from src/server2/service/password-exception.h with 100% similarity]
src/server/service/password-file-buffer.cpp [moved from src/server2/service/password-file-buffer.cpp with 100% similarity]
src/server/service/password-file-buffer.h [moved from src/server2/service/password-file-buffer.h with 100% similarity]
src/server/service/password-file.cpp [moved from src/server2/service/password-file.cpp with 100% similarity]
src/server/service/password-file.h [moved from src/server2/service/password-file.h with 100% similarity]
src/server/service/password-manager.cpp [moved from src/server2/service/password-manager.cpp with 99% similarity]
src/server/service/password-manager.h [moved from src/server2/service/password-manager.h with 100% similarity]
src/server/service/password.cpp [moved from src/server2/service/password.cpp with 100% similarity]
src/server/service/password.h [moved from src/server2/service/password.h with 100% similarity]
src/server/service/privilege-by-pid.cpp [moved from src/server2/service/privilege-by-pid.cpp with 98% similarity]
src/server/service/privilege-by-pid.h [moved from src/server2/service/privilege-by-pid.h with 100% similarity]
src/server2/service/echo.cpp [deleted file]
src/server2/service/echo.h [deleted file]
src/util/security-server-util-common.c [deleted file]

index c347633..5a1b282 100644 (file)
@@ -8,18 +8,14 @@ PKG_CHECK_MODULES(SECURITY_SERVER_DEP
     )
 
 SET(SECURITY_SERVER_PATH ${PROJECT_SOURCE_DIR}/src)
-SET(SERVER2_PATH ${PROJECT_SOURCE_DIR}/src/server2)
+SET(SERVER2_PATH ${PROJECT_SOURCE_DIR}/src/server)
 
 SET(SECURITY_SERVER_SOURCES
-    ${SECURITY_SERVER_PATH}/communication/security-server-comm.c
-    ${SECURITY_SERVER_PATH}/server/security-server-main.c
-    ${SECURITY_SERVER_PATH}/util/security-server-util-common.c
-    ${SECURITY_SERVER_PATH}/util/smack-check.c
+    ${SERVER2_PATH}/main/security-server-util.cpp
     ${SERVER2_PATH}/main/generic-socket-manager.cpp
     ${SERVER2_PATH}/main/socket-manager.cpp
     ${SERVER2_PATH}/main/server2-main.cpp
     ${SERVER2_PATH}/service/data-share.cpp
-    ${SERVER2_PATH}/service/echo.cpp
     ${SERVER2_PATH}/service/get-gid.cpp
     ${SERVER2_PATH}/service/app-permissions.cpp
     ${SERVER2_PATH}/service/cookie.cpp
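Review bot: `SET(SERVER2_PATH ${PROJECT_SOURCE_DIR}/src/server)` keeps the name SERVER2_PATH after the directory it points at has been renamed from src/server2 to src/server, so every later `${SERVER2_PATH}` reference in this hunk and in the INCLUDE_DIRECTORIES/SECURITY_CLIENT_SOURCES hunk below now reads as stale; renaming the variable to something like `SERVER_PATH` in the same commit would keep the build file consistent with the new layout. Separately, `${SECURITY_SERVER_PATH}/util/smack-check.c` is dropped from SECURITY_SERVER_SOURCES here and from SECURITY_CLIENT_SOURCES below, while the file list records that file as moved to src/server/common/smack-check.cpp; neither visible hunk adds the moved file to either source list. If the client library or server still calls the SMACK runtime check (the deleted comm code gated its socket labelling on smack_runtime_check()), the moved file presumably appears in a part of CMakeLists.txt outside these hunks — worth confirming it is compiled into both targets, since dropping it silently would change whether sockets get labelled.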
@@ -65,25 +61,23 @@ SET(SECURITY_CLIENT_VERSION_MAJOR 1)
 SET(SECURITY_CLIENT_VERSION ${SECURITY_CLIENT_VERSION_MAJOR}.0.1)
 
 INCLUDE_DIRECTORIES(
-    ${SECURITY_SERVER_PATH}/server2/client
-    ${SECURITY_SERVER_PATH}/server2/common
-    ${SECURITY_SERVER_PATH}/server2/dpl/core/include
-    ${SECURITY_SERVER_PATH}/server2/dpl/log/include
+    ${SERVER2_PATH}/client
+    ${SERVER2_PATH}/common
+    ${SERVER2_PATH}/dpl/core/include
+    ${SERVER2_PATH}/dpl/log/include
     )
 
 SET(SECURITY_CLIENT_SOURCES
-    ${SECURITY_SERVER_PATH}/server2/client/client-common.cpp
-    ${SECURITY_SERVER_PATH}/server2/client/client-shared-memory.cpp
-    ${SECURITY_SERVER_PATH}/server2/client/client-get-gid.cpp
-    ${SECURITY_SERVER_PATH}/server2/client/client-app-permissions.cpp
-    ${SECURITY_SERVER_PATH}/server2/client/client-cookie.cpp
-    ${SECURITY_SERVER_PATH}/server2/client/client-privilege-by-pid.cpp
-    ${SECURITY_SERVER_PATH}/server2/client/client-socket-privilege.cpp
-    ${SECURITY_SERVER_PATH}/server2/client/client-get-object-name.cpp
-    ${SECURITY_SERVER_PATH}/server2/client/client-open-for.cpp
-    ${SECURITY_SERVER_PATH}/server2/client/client-password.cpp
-    ${SECURITY_SERVER_PATH}/communication/security-server-comm.c
-    ${SECURITY_SERVER_PATH}/util/smack-check.c
+    ${SERVER2_PATH}/client/client-common.cpp
+    ${SERVER2_PATH}/client/client-shared-memory.cpp
+    ${SERVER2_PATH}/client/client-get-gid.cpp
+    ${SERVER2_PATH}/client/client-app-permissions.cpp
+    ${SERVER2_PATH}/client/client-cookie.cpp
+    ${SERVER2_PATH}/client/client-privilege-by-pid.cpp
+    ${SERVER2_PATH}/client/client-socket-privilege.cpp
+    ${SERVER2_PATH}/client/client-get-object-name.cpp
+    ${SERVER2_PATH}/client/client-open-for.cpp
+    ${SERVER2_PATH}/client/client-password.cpp
     )
 
 ADD_LIBRARY(${TARGET_SECURITY_CLIENT} SHARED ${SECURITY_CLIENT_SOURCES})
@@ -119,4 +113,4 @@ INSTALL(FILES
 
 ################################################################################
 
-ADD_SUBDIRECTORY(server2)
+ADD_SUBDIRECTORY(server)
diff --git a/src/communication/security-server-comm.c b/src/communication/security-server-comm.c
deleted file mode 100644 (file)
index 3b197e8..0000000
+++ /dev/null
@@ -1,1132 +0,0 @@
-/*
- * security-server
- *
- *  Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- *  Contact: Bumjin Im <bj.im@samsung.com>
- *
- *  Licensed under the Apache License, Version 2.0 (the "License");
- *  you may not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS,
- *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License
- *
- */
-
-#include <sys/poll.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <sys/smack.h>
-#include <fcntl.h>
-#include <pwd.h>
-#include <sys/un.h>
-#include <errno.h>
-#include <unistd.h>
-#include <sys/stat.h>
-#include <limits.h>
-#include <ctype.h>
-
-#include <systemd/sd-daemon.h>
-
-#include "security-server-common.h"
-#include "security-server-comm.h"
-#include "smack-check.h"
-
-void printhex(const unsigned char *data, int size)
-{
-    int i;
-    for (i = 0; i < size; i++)
-    {
-        if (data[i] < 0xF)
-            printf("0");
-
-        printf("%X ", data[i]);
-        if (((i + 1) % 16) == 0 && i != 0)
-            printf("\n");
-    }
-    printf("\n");
-}
-
-/* Return code in packet is positive integer *
- * We need to convert them to error code which are negative integer */
-int return_code_to_error_code(int ret_code)
-{
-    int ret;
-    switch (ret_code)
-    {
-        case SECURITY_SERVER_RETURN_CODE_SUCCESS:
-        case SECURITY_SERVER_RETURN_CODE_ACCESS_GRANTED:
-            ret = SECURITY_SERVER_SUCCESS;
-            break;
-        case SECURITY_SERVER_RETURN_CODE_BAD_REQUEST:
-            ret = SECURITY_SERVER_ERROR_BAD_REQUEST;
-            break;
-        case SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED:
-            ret = SECURITY_SERVER_ERROR_AUTHENTICATION_FAILED;
-            break;
-        case SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED:
-            ret = SECURITY_SERVER_ERROR_ACCESS_DENIED;
-            break;
-        case SECURITY_SERVER_RETURN_CODE_NO_SUCH_OBJECT:
-            ret = SECURITY_SERVER_ERROR_NO_SUCH_OBJECT;
-            break;
-        case SECURITY_SERVER_RETURN_CODE_SERVER_ERROR:
-            ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
-            break;
-        case SECURITY_SERVER_RETURN_CODE_NO_SUCH_COOKIE:
-            ret = SECURITY_SERVER_ERROR_NO_SUCH_COOKIE;
-            break;
-        default:
-            ret = SECURITY_SERVER_ERROR_UNKNOWN;
-            break;
-    }
-    return ret;
-}
-
-int check_socket_poll(int sockfd, int event, int timeout)
-{
-    struct pollfd poll_fd[1];
-    int retval = SECURITY_SERVER_ERROR_POLL;
-
-    poll_fd[0].fd = sockfd;
-    poll_fd[0].events = event;
-    retval = poll(poll_fd, 1, timeout);
-    if (retval < 0)
-    {
-        SEC_SVR_ERR("poll() error. errno=%d", errno);
-        if (errno != EINTR)
-            return SECURITY_SERVER_ERROR_POLL;
-        else
-        {
-            /* Chile process has been closed. Not poll() problem. Call it once again */
-            return check_socket_poll(sockfd, event, timeout);
-        }
-    }
-
-    /* Timed out */
-    if (retval == 0)
-    {
-        return SECURITY_SERVER_ERROR_TIMEOUT;
-    }
-
-    if (poll_fd[0].revents != event)
-    {
-        SEC_SVR_ERR("Something wrong on the peer socket. event=0x%x", poll_fd[0].revents);
-        return SECURITY_SERVER_ERROR_POLL;
-    }
-    return SECURITY_SERVER_SUCCESS;
-}
-
-int safe_server_sock_close(int client_sockfd)
-{
-    struct pollfd poll_fd[1];
-    poll_fd[0].fd = client_sockfd;
-    poll_fd[0].events = POLLRDHUP;
-    if (0 > poll(poll_fd, 1, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND)) {
-        SECURE_SLOGE("%s", "Unable to poll from socket");
-        return SECURITY_SERVER_ERROR_SOCKET;
-    }
-    SEC_SVR_DBG("%s", "Server: Closing server socket");
-    close(client_sockfd);
-    return SECURITY_SERVER_SUCCESS;
-}
-
-/* Get socket from systemd */
-int get_socket_from_systemd(int *sockfd)
-{
-    int n = sd_listen_fds(0);
-    int fd;
-
-    for(fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START+n; ++fd) {
-        if (0 < sd_is_socket_unix(fd, SOCK_STREAM, 1,
-                                  SECURITY_SERVER_SOCK_PATH, 0))
-        {
-            *sockfd = fd;
-            return SECURITY_SERVER_SUCCESS;
-        }
-    }
-    return SECURITY_SERVER_ERROR_SOCKET;
-}
-
-/* Create a Unix domain socket and bind */
-int create_new_socket(int *sockfd)
-{
-    int retval = 0, localsockfd = 0, flags;
-    struct sockaddr_un serveraddr;
-    mode_t sock_mode;
-
-    /* Deleted garbage Unix domain socket file */
-    retval = remove(SECURITY_SERVER_SOCK_PATH);
-
-    if (retval == -1 && errno != ENOENT) {
-        retval = SECURITY_SERVER_ERROR_UNKNOWN;
-        localsockfd = -1;
-        SECURE_SLOGE("%s", "Unable to remove /tmp/.security_server.sock");
-        goto error;
-    }
-
-    /* Create Unix domain socket */
-    if ((localsockfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
-    {
-        retval = SECURITY_SERVER_ERROR_SOCKET;
-        localsockfd = -1;
-        SEC_SVR_ERR("%s", "Socket creation failed");
-        goto error;
-    }
-
-    // If SMACK is present we have to label our sockets regardless of SMACK_ENABLED flag
-    if (smack_runtime_check()) {
-        if (smack_fsetlabel(localsockfd, "@", SMACK_LABEL_IPOUT) != 0)
-        {
-            SEC_SVR_ERR("%s", "SMACK labeling failed");
-            if (errno != EOPNOTSUPP)
-            {
-                retval = SECURITY_SERVER_ERROR_SOCKET;
-                close(localsockfd);
-                localsockfd = -1;
-                goto error;
-            }
-        }
-        if (smack_fsetlabel(localsockfd, "*", SMACK_LABEL_IPIN) != 0)
-        {   SEC_SVR_ERR("%s", "SMACK labeling failed");
-            if (errno != EOPNOTSUPP)
-            {
-                retval = SECURITY_SERVER_ERROR_SOCKET;
-                close(localsockfd);
-                localsockfd = -1;
-                goto error;
-            }}
-    }
-    else {
-        SEC_SVR_DBG("SMACK is not available. Sockets won't be labeled.");
-    }
-
-    /* Make socket as non blocking */
-    if ((flags = fcntl(localsockfd, F_GETFL, 0)) < 0 ||
-        fcntl(localsockfd, F_SETFL, flags | O_NONBLOCK) < 0)
-    {
-        retval = SECURITY_SERVER_ERROR_SOCKET;
-        close(localsockfd);
-        localsockfd = -1;
-        SEC_SVR_ERR("%s", "Cannot go to nonblocking mode");
-        goto error;
-    }
-
-    bzero (&serveraddr, sizeof(serveraddr));
-    serveraddr.sun_family = AF_UNIX;
-    strncpy(serveraddr.sun_path, SECURITY_SERVER_SOCK_PATH,
-        strlen(SECURITY_SERVER_SOCK_PATH));
-    serveraddr.sun_path[strlen(SECURITY_SERVER_SOCK_PATH)] = 0;
-
-    /* Bind the socket */
-    if ((bind(localsockfd, (struct sockaddr*)&serveraddr, sizeof(serveraddr))) < 0)
-    {
-        retval = SECURITY_SERVER_ERROR_SOCKET_BIND;
-        SEC_SVR_ERR("%s", "Cannot bind");
-        close(localsockfd);
-        localsockfd = -1;
-        goto error;
-    }
-
-
-    /* Change permission to accept all processes that has different uID/gID */
-    sock_mode = (S_IRWXU | S_IRWXG | S_IRWXO);
-    /* Flawfinder hits this chmod function as level 5 CRITICAL as race condition flaw *
-     * Flawfinder recommends to user fchmod insted of chmod
-     * But, fchmod doesn't work on socket file so there is no other choice at this point */
-    if (chmod(SECURITY_SERVER_SOCK_PATH, sock_mode) < 0)     /* Flawfinder: ignore */
-    {
-        SEC_SVR_ERR("%s", "chmod() error");
-        retval = SECURITY_SERVER_ERROR_SOCKET;
-        close(localsockfd);
-        localsockfd = -1;
-        goto error;
-    }
-
-    retval = SECURITY_SERVER_SUCCESS;
-
-error:
-    *sockfd = localsockfd;
-    return retval;
-}
-
-/* Authenticate peer that it's really security server.
- * Check UID that is root
- */
-int authenticate_server(int sockfd)
-{
-    int retval;
-    struct ucred cr;
-    unsigned int cl = sizeof(cr);
-/*     char *exe = NULL;*/
-
-    /* get socket peer credential */
-    if (getsockopt(sockfd, SOL_SOCKET, SO_PEERCRED, &cr, &cl) != 0)
-    {
-        retval = SECURITY_SERVER_ERROR_SOCKET;
-        SEC_SVR_ERR("%s", "getsockopt() failed");
-        goto error;
-    }
-
-    /* Security server must run as root */
-    if (cr.uid != 0)
-    {
-        retval = SECURITY_SERVER_ERROR_AUTHENTICATION_FAILED;
-        SEC_SVR_ERR("Peer is not root: uid=%d", cr.uid);
-        goto error;
-    }
-    else
-        retval = SECURITY_SERVER_SUCCESS;
-
-    /* Read command line of the PID from proc fs */
-    /* This is commented out because non root process cannot read link of /proc/pid/exe */
-/*     exe = read_exe_path_from_proc(cr.pid);
-
-    if(strcmp(exe, SECURITY_SERVER_DAEMON_PATH) != 0)
-    {
-        retval = SECURITY_SERVER_ERROR_AUTHENTICATION_FAILED;
-        SEC_SVR_DBG("Executable path is different. auth failed. Exe path=%s", exe);
-    }
-    else
-    {
-        retval = SECURITY_SERVER_SUCCESS;
-        SEC_SVR_DBG("Server authenticatd. %s, sockfd=%d", exe, sockfd);
-    }
-*/
-error:
-/*     if(exe != NULL)
-        free(exe);
-*/
-    return retval;
-}
-
-/* Create a socket and connect to Security Server */
-int connect_to_server(int *fd)
-{
-    struct sockaddr_un clientaddr;
-    int client_len = 0, localsockfd, ret, flags;
-    *fd = -1;
-
-    /* Create a socket */
-    localsockfd = socket(AF_UNIX, SOCK_STREAM, 0);
-    if (localsockfd < 0)
-    {
-        SEC_SVR_ERR("%s", "Error on socket()");
-        return SECURITY_SERVER_ERROR_SOCKET;
-    }
-
-    /* Make socket as non blocking */
-    if ((flags = fcntl(localsockfd, F_GETFL, 0)) < 0 ||
-        fcntl(localsockfd, F_SETFL, flags | O_NONBLOCK) < 0)
-    {
-        close(localsockfd);
-        SEC_SVR_ERR("%s", "Cannot go to nonblocking mode");
-        return SECURITY_SERVER_ERROR_SOCKET;
-    }
-
-    bzero(&clientaddr, sizeof(clientaddr));
-    clientaddr.sun_family = AF_UNIX;
-    strncpy(clientaddr.sun_path, SECURITY_SERVER_SOCK_PATH, strlen(SECURITY_SERVER_SOCK_PATH));
-    clientaddr.sun_path[strlen(SECURITY_SERVER_SOCK_PATH)] = 0;
-    client_len = sizeof(clientaddr);
-
-    ret = connect(localsockfd, (struct sockaddr*)&clientaddr, client_len);
-    if (ret < 0)
-    {
-        if (errno == EINPROGRESS)
-        {
-            SEC_SVR_DBG("%s", "Connection is in progress");
-            ret = check_socket_poll(localsockfd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
-            if (ret == SECURITY_SERVER_ERROR_POLL)
-            {
-                SEC_SVR_ERR("%s", "poll() error");
-                close(localsockfd);
-                return SECURITY_SERVER_ERROR_SOCKET;
-            }
-            if (ret == SECURITY_SERVER_ERROR_TIMEOUT)
-            {
-                SEC_SVR_ERR("%s", "poll() timeout");
-                close(localsockfd);
-                return SECURITY_SERVER_ERROR_SOCKET;
-            }
-            ret = connect(localsockfd, (struct sockaddr*)&clientaddr, client_len);
-            if (ret < 0)
-            {
-                SEC_SVR_ERR("%s", "connection failed");
-                close(localsockfd);
-                return SECURITY_SERVER_ERROR_SOCKET;
-            }
-        }
-        else
-        {
-            SEC_SVR_ERR("%s", "Connection failed");
-            close(localsockfd);
-            return SECURITY_SERVER_ERROR_SOCKET;
-        }
-    }
-
-    /* Authenticate the peer is actually security server */
-    ret = authenticate_server(localsockfd);
-    if (ret != SECURITY_SERVER_SUCCESS)
-    {
-        close(localsockfd);
-        SEC_SVR_ERR("Authentication failed. %d", ret);
-        return ret;
-    }
-    *fd = localsockfd;
-    return SECURITY_SERVER_SUCCESS;
-}
-
-/* Accept a new client connection */
-int accept_client(int server_sockfd)
-{
-    /* Call poll() to wait for socket connection */
-    int retval, localsockfd;
-    struct sockaddr_un clientaddr;
-    unsigned int client_len;
-
-    client_len = sizeof(clientaddr);
-
-    /* Check poll */
-    retval = check_socket_poll(server_sockfd, POLLIN, SECURITY_SERVER_ACCEPT_TIMEOUT_MILISECOND);
-    if (retval == SECURITY_SERVER_ERROR_POLL)
-    {
-        SEC_SVR_ERR("%s", "Error on polling");
-        return SECURITY_SERVER_ERROR_SOCKET;
-    }
-
-    /* Timed out */
-    if (retval == SECURITY_SERVER_ERROR_TIMEOUT)
-    {
-        /*SEC_SVR_DBG("%s", "accept() timeout");*/
-        return SECURITY_SERVER_ERROR_TIMEOUT;
-    }
-
-    localsockfd = accept(server_sockfd,
-        (struct sockaddr*)&clientaddr,
-        &client_len);
-
-    if (localsockfd < 0)
-    {
-        SEC_SVR_ERR("Cannot accept client. errno=%d", errno);
-        return SECURITY_SERVER_ERROR_SOCKET;
-    }
-    return localsockfd;
-}
-
-/* Minimal check of request packet */
-int validate_header(basic_header hdr)
-{
-    if (hdr.version != SECURITY_SERVER_MSG_VERSION)
-        return SECURITY_SERVER_ERROR_BAD_REQUEST;
-
-    return SECURITY_SERVER_SUCCESS;
-}
-
-/* Send generic response packet to client
- *
- * Generic Response Packet Format
- 0                   1                   2                   3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-|---------------------------------------------------------------|
-| version=0x01  |  Message ID   |Message Length (without header)|
-|---------------------------------------------------------------|
-|  return code  |
------------------
-*/
-int send_generic_response (int sockfd, unsigned char msgid, unsigned char return_code)
-{
-    response_header hdr;
-    int size;
-
-    /* Assemble header */
-    hdr.basic_hdr.version = SECURITY_SERVER_MSG_VERSION;
-    hdr.basic_hdr.msg_id = msgid;
-    hdr.basic_hdr.msg_len = 0;
-    hdr.return_code = return_code;
-
-    /* Check poll */
-    size = check_socket_poll(sockfd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
-    if (size == SECURITY_SERVER_ERROR_POLL)
-    {
-        SEC_SVR_ERR("%s", "poll() error");
-        return SECURITY_SERVER_ERROR_SEND_FAILED;
-    }
-    if (size == SECURITY_SERVER_ERROR_TIMEOUT)
-    {
-        SEC_SVR_ERR("%s", "poll() timeout");
-        return SECURITY_SERVER_ERROR_SEND_FAILED;
-    }
-
-    /* Send to client */
-    size = TEMP_FAILURE_RETRY(write(sockfd, &hdr, sizeof(hdr)));
-
-    if (size < (int)sizeof(hdr))
-        return SECURITY_SERVER_ERROR_SEND_FAILED;
-    return SECURITY_SERVER_SUCCESS;
-}
-
-
-/* Send Object name response *
- * Get Object name response packet format
- *  0                   1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01  |MessageID=0x06 |       Message Length          |
- * |---------------------------------------------------------------|
- * |  return code  |                                               |
- * -----------------                                               |
- * |                 object name                                   |
- * |---------------------------------------------------------------|
-*/
-int send_object_name(int sockfd, char *obj)
-{
-    response_header hdr;
-    unsigned char msg[strlen(obj) + sizeof(hdr)];
-    int ret;
-
-    hdr.basic_hdr.version = SECURITY_SERVER_MSG_VERSION;
-    hdr.basic_hdr.msg_id = 0x06;
-    hdr.basic_hdr.msg_len = strlen(obj);
-    hdr.return_code = SECURITY_SERVER_RETURN_CODE_SUCCESS;
-
-    memcpy(msg, &hdr, sizeof(hdr));
-    memcpy(msg + sizeof(hdr), obj, strlen(obj));
-
-    /* Check poll */
-    ret = check_socket_poll(sockfd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
-    if (ret == SECURITY_SERVER_ERROR_POLL)
-    {
-        SEC_SVR_ERR("%s", "poll() error");
-        return SECURITY_SERVER_ERROR_SEND_FAILED;
-    }
-    if (ret == SECURITY_SERVER_ERROR_TIMEOUT)
-    {
-        SEC_SVR_ERR("%s", "poll() timeout");
-        return SECURITY_SERVER_ERROR_SEND_FAILED;
-    }
-
-    ret = TEMP_FAILURE_RETRY(write(sockfd, msg, sizeof(hdr) + strlen(obj)));
-    if (ret < (int)(sizeof(hdr) + strlen(obj)))
-    {
-        /* Error on writing */
-        SEC_SVR_ERR("Error on write: %d", ret);
-        ret = SECURITY_SERVER_ERROR_SEND_FAILED;
-        return ret;
-    }
-    return SECURITY_SERVER_SUCCESS;
-}
-
-/* Send GID response to client
- *
- * Get GID response packet format
- *  0                   1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01  |MessageID=0x08 |       Message Length = 4      |
- * |---------------------------------------------------------------|
- * |  return code  |           gid (first 3 words)                 |
- * |---------------------------------------------------------------|
- * |gid(last word) |
- * |---------------|
-*/
-int send_gid(int sockfd, int gid)
-{
-    response_header hdr;
-    unsigned char msg[sizeof(gid) + sizeof(hdr)];
-    int ret;
-
-    /* Assemble header */
-    hdr.basic_hdr.version = SECURITY_SERVER_MSG_VERSION;
-    hdr.basic_hdr.msg_id = SECURITY_SERVER_MSG_TYPE_GID_RESPONSE;
-    hdr.basic_hdr.msg_len = sizeof(gid);
-    hdr.return_code = SECURITY_SERVER_RETURN_CODE_SUCCESS;
-
-    /* Perpare packet */
-    memcpy(msg, &hdr, sizeof(hdr));
-    memcpy(msg + sizeof(hdr), &gid, sizeof(gid));
-
-    /* Check poll */
-    ret = check_socket_poll(sockfd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
-    if (ret == SECURITY_SERVER_ERROR_POLL)
-    {
-        SEC_SVR_ERR("%s", "poll() error");
-        return SECURITY_SERVER_ERROR_SEND_FAILED;
-    }
-    if (ret == SECURITY_SERVER_ERROR_TIMEOUT)
-    {
-        SEC_SVR_ERR("%s", "poll() timeout");
-        return SECURITY_SERVER_ERROR_SEND_FAILED;
-    }
-
-    /* Send it */
-    ret = TEMP_FAILURE_RETRY(write(sockfd, msg, sizeof(hdr) + sizeof(gid)));
-    if (ret < (int)(sizeof(hdr) + sizeof(gid)))
-    {
-        /* Error on writing */
-        SEC_SVR_ERR("Error on write(): %d", ret);
-        ret = SECURITY_SERVER_ERROR_SEND_FAILED;
-        return ret;
-    }
-    return SECURITY_SERVER_SUCCESS;
-}
-
-
-/* Send Check password response to client
- *
- * Check password response packet format
- *  0                   1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01  |   MessageID   |       Message Length = 12     |
- * |---------------------------------------------------------------|
- * |  return code  |           attempts (first 3 words)            |
- * |---------------------------------------------------------------|
- * |attempts(rest) |          max_attempts (first 3 words)         |
- * |---------------|-----------------------------------------------|
- * | max_attempts  |          expire_in_days (first 3 words)       |
- * |---------------------------------------------------------------|
- * |expire_in_days |
- * |----------------
- */
-int send_pwd_response(const int sockfd,
-                      const unsigned char msg_id,
-                      const unsigned char return_code,
-                      const unsigned int current_attempts,
-                      const unsigned int max_attempts,
-                      const unsigned int expire_time)
-{
-    response_header hdr;
-    unsigned int expire_secs;
-    unsigned char msg[sizeof(hdr) + sizeof(current_attempts) + sizeof(max_attempts) + sizeof(expire_secs)];
-    int ret, ptr = 0;
-
-
-    /* Assemble header */
-    hdr.basic_hdr.version = SECURITY_SERVER_MSG_VERSION;
-    hdr.basic_hdr.msg_id = msg_id;
-    hdr.basic_hdr.msg_len = sizeof(unsigned int) * 3;
-    hdr.return_code = return_code;
-
-    /* Perpare packet */
-    memcpy(msg, &hdr, sizeof(hdr));
-    ptr += sizeof(hdr);
-    memcpy(msg + ptr, &current_attempts, sizeof(current_attempts));
-    ptr += sizeof(current_attempts);
-    memcpy(msg + ptr, &max_attempts, sizeof(max_attempts));
-    ptr += sizeof(max_attempts);
-    memcpy(msg + ptr, &expire_time, sizeof(expire_time));
-    ptr += sizeof(expire_time);
-
-    /* Check poll */
-    ret = check_socket_poll(sockfd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
-    if (ret == SECURITY_SERVER_ERROR_POLL)
-    {
-        SEC_SVR_ERR("%s", "Server: poll() error");
-        return SECURITY_SERVER_ERROR_SEND_FAILED;
-    }
-    if (ret == SECURITY_SERVER_ERROR_TIMEOUT)
-    {
-        SEC_SVR_ERR("%s", "Server: poll() timeout");
-        return SECURITY_SERVER_ERROR_SEND_FAILED;
-    }
-
-    /* Send it */
-    ret = TEMP_FAILURE_RETRY(write(sockfd, msg, ptr));
-    if (ret < ptr)
-    {
-        /* Error on writing */
-        SEC_SVR_ERR("Server: ERROR on write(): %d", ret);
-        ret = SECURITY_SERVER_ERROR_SEND_FAILED;
-        return ret;
-    }
-    return SECURITY_SERVER_SUCCESS;
-}
-
-/* Send GID request message to security server
- *
- * Message format
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01  |MessageID=0x07 |   Message Length = variable   |
- * |---------------------------------------------------------------|
- * |                                                               |
- * |                   Object name (variable)                      |
- * |                                                               |
- * |---------------------------------------------------------------|
- */
-int send_gid_request(int sock_fd, const char *object)
-{
-    basic_header hdr;
-    int retval = 0, send_len = 0;
-    unsigned char *buf = NULL;
-
-    if (strlen(object) > SECURITY_SERVER_MAX_OBJ_NAME)
-    {
-        /* Object name is too big*/
-        SEC_SVR_ERR("Object name is too big %dbytes", strlen(object));
-        return SECURITY_SERVER_ERROR_INPUT_PARAM;
-    }
-
-    hdr.version = SECURITY_SERVER_MSG_VERSION;
-    hdr.msg_id = SECURITY_SERVER_MSG_TYPE_GID_REQUEST;
-    hdr.msg_len = strlen(object);
-
-    send_len = sizeof(hdr) + strlen(object);
-
-    buf = malloc(send_len);
-    if (buf == NULL)
-    {
-        SEC_SVR_ERR("%s", "out of memory");
-        return SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
-    }
-
-    memcpy(buf, &hdr, sizeof(hdr));
-    memcpy(buf + sizeof(hdr), object, strlen(object));
-
-    /* Check poll */
-    retval = check_socket_poll(sock_fd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
-    if (retval == SECURITY_SERVER_ERROR_POLL)
-    {
-        SEC_SVR_ERR("%s", "poll() error");
-        retval = SECURITY_SERVER_ERROR_SEND_FAILED;
-        goto error;
-    }
-    if (retval == SECURITY_SERVER_ERROR_TIMEOUT)
-    {
-        SEC_SVR_ERR("%s", "poll() timeout");
-        retval = SECURITY_SERVER_ERROR_SEND_FAILED;
-        goto error;
-    }
-
-    retval = TEMP_FAILURE_RETRY(write(sock_fd, buf, send_len));
-    if (retval < send_len)
-    {
-        /* Write error */
-        SEC_SVR_ERR("Error on write(): %d. errno=%d, sockfd=%d", retval, errno, sock_fd);
-        retval = SECURITY_SERVER_ERROR_SEND_FAILED;
-    }
-    else
-        retval = SECURITY_SERVER_SUCCESS;
-
-error:
-    if (buf != NULL)
-        free(buf);
-
-    return retval;
-}
-
-/* Send object name request message to security server *
- *
- * Message format
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01  |MessageID=0x05 |       Message Length = 4      |
- * |---------------------------------------------------------------|
- * |                               gid                             |
- * |---------------------------------------------------------------|
- */
-// int send_object_name_request(int sock_fd, int gid)
-// {
-//     basic_header hdr;
-//     int retval;
-//     unsigned char buf[sizeof(hdr) + sizeof(gid)];
-
-//     /* Assemble header */
-//     hdr.version = SECURITY_SERVER_MSG_VERSION;
-//     hdr.msg_id = SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_REQUEST;
-//     hdr.msg_len = sizeof(gid);
-
-//     memcpy(buf, &hdr, sizeof(hdr));
-//     memcpy(buf + sizeof(hdr), &gid, sizeof(gid));
-
-//     /* Check poll */
-//     retval = check_socket_poll(sock_fd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
-//     if (retval == SECURITY_SERVER_ERROR_POLL)
-//     {
-//         SEC_SVR_ERR("%s", "poll() error");
-//         return SECURITY_SERVER_ERROR_SEND_FAILED;
-//     }
-//     if (retval == SECURITY_SERVER_ERROR_TIMEOUT)
-//     {
-//         SEC_SVR_ERR("%s", "poll() timeout");
-//         return SECURITY_SERVER_ERROR_SEND_FAILED;
-//     }
-
-//     /* Send to server */
-//     retval = TEMP_FAILURE_RETRY(write(sock_fd, buf, sizeof(buf)));
-//     if (retval < sizeof(buf))
-//     {
-//         /* Write error */
-//         SEC_SVR_ERR("Error on write(): %d", retval);
-//         return SECURITY_SERVER_ERROR_SEND_FAILED;
-//     }
-//     return SECURITY_SERVER_SUCCESS;
-// }
-
-/* Receive request header */
-int recv_hdr(int client_sockfd, basic_header *basic_hdr)
-{
-    int retval;
-
-    /* Check poll */
-    retval = check_socket_poll(client_sockfd, POLLIN, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
-    if (retval == SECURITY_SERVER_ERROR_POLL)
-    {
-        SEC_SVR_ERR("%s", "poll() error");
-        return SECURITY_SERVER_ERROR_SOCKET;
-    }
-    if (retval == SECURITY_SERVER_ERROR_TIMEOUT)
-    {
-        SEC_SVR_ERR("%s", "poll() timeout");
-        return SECURITY_SERVER_ERROR_TIMEOUT;
-    }
-
-    /* Receive request header first */
-    retval = TEMP_FAILURE_RETRY(read(client_sockfd, basic_hdr, sizeof(basic_header)));
-    if (retval < (int)sizeof(basic_header))
-    {
-        SEC_SVR_ERR("read failed. closing socket %d", retval);
-        return SECURITY_SERVER_ERROR_RECV_FAILED;
-    }
-
-    /* Validate header */
-    retval = validate_header(*basic_hdr);
-    return retval;
-}
-
-int recv_generic_response(int sockfd, response_header *hdr)
-{
-    int retval;
-
-    /* Check poll */
-    retval = check_socket_poll(sockfd, POLLIN, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
-    if (retval == SECURITY_SERVER_ERROR_POLL)
-    {
-        SEC_SVR_ERR("%s", "Client: poll() error");
-        return SECURITY_SERVER_ERROR_RECV_FAILED;
-    }
-    if (retval == SECURITY_SERVER_ERROR_TIMEOUT)
-    {
-        SEC_SVR_ERR("%s", "Client: poll() timeout");
-        return SECURITY_SERVER_ERROR_RECV_FAILED;
-    }
-
-    /* Receive response */
-    retval = TEMP_FAILURE_RETRY(read(sockfd, hdr, sizeof(response_header)));
-    if (retval < (int)sizeof(response_header))
-    {
-        /* Error on socket */
-        SEC_SVR_ERR("Client: Receive failed %d", retval);
-        return SECURITY_SERVER_ERROR_RECV_FAILED;
-    }
-
-    if (hdr->return_code != SECURITY_SERVER_RETURN_CODE_SUCCESS)
-    {
-        /* Return codes
-         *   SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_REQUEST
-         *   SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE
-         * are not errors but warnings
-         */
-        SEC_SVR_WRN("Client: return code is not success: %d", hdr->return_code);
-        return return_code_to_error_code(hdr->return_code);
-    }
-    return SECURITY_SERVER_SUCCESS;
-}
-
-int recv_get_gid_response(int sockfd, response_header *hdr, int *gid)
-{
-    int retval;
-
-    retval = recv_generic_response(sockfd, hdr);
-    if (retval != SECURITY_SERVER_SUCCESS)
-        return return_code_to_error_code(hdr->return_code);
-
-    retval = TEMP_FAILURE_RETRY(read(sockfd, gid, sizeof(int)));
-    if (retval < (int)sizeof(int))
-    {
-        /* Error on socket */
-        SEC_SVR_ERR("Receive failed %d", retval);
-        return SECURITY_SERVER_ERROR_RECV_FAILED;
-    }
-    return SECURITY_SERVER_SUCCESS;
-}
-
-int recv_get_object_name(int sockfd, response_header *hdr, char *object, int max_object_size)
-{
-    int retval;
-    char *local_obj_name = NULL;
-
-    /* Check poll */
-    retval = check_socket_poll(sockfd, POLLIN, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
-    if (retval == SECURITY_SERVER_ERROR_POLL)
-    {
-        SEC_SVR_ERR("%s", "poll() error");
-        return SECURITY_SERVER_ERROR_RECV_FAILED;
-    }
-    if (retval == SECURITY_SERVER_ERROR_TIMEOUT)
-    {
-        SEC_SVR_ERR("%s", "poll() timeout");
-        return SECURITY_SERVER_ERROR_RECV_FAILED;
-    }
-
-    /* Read response */
-    retval = TEMP_FAILURE_RETRY(read(sockfd, hdr, sizeof(response_header)));
-    if (retval < (int)sizeof(response_header))
-    {
-        /* Error on socket */
-        SEC_SVR_ERR("cannot recv respons: %d", retval);
-        return SECURITY_SERVER_ERROR_RECV_FAILED;
-    }
-
-    if (hdr->return_code == SECURITY_SERVER_RETURN_CODE_SUCCESS)
-    {
-        if (max_object_size < hdr->basic_hdr.msg_len)
-        {
-            SEC_SVR_ERR("Object name is too small need %d bytes, but %d bytes", hdr->basic_hdr.msg_len, max_object_size);
-            return SECURITY_SERVER_ERROR_BUFFER_TOO_SMALL;
-        }
-        if (hdr->basic_hdr.msg_len > SECURITY_SERVER_MAX_OBJ_NAME)
-        {
-            SEC_SVR_ERR("Received object name is too big. %d", hdr->basic_hdr.msg_len);
-            return SECURITY_SERVER_ERROR_BAD_RESPONSE;
-        }
-
-        local_obj_name = malloc(hdr->basic_hdr.msg_len + 1);
-        if (local_obj_name == NULL)
-        {
-            SEC_SVR_ERR("%s", "Out of memory error");
-            return SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
-        }
-
-        retval = TEMP_FAILURE_RETRY(read(sockfd, local_obj_name, hdr->basic_hdr.msg_len));
-        if (retval < (hdr->basic_hdr.msg_len))
-        {
-            /* Error on socket */
-            SEC_SVR_ERR("read() failed: %d", retval);
-            if (local_obj_name != NULL)
-                free(local_obj_name);
-            return SECURITY_SERVER_ERROR_RECV_FAILED;
-        }
-        memcpy(object, local_obj_name, hdr->basic_hdr.msg_len);
-        object[hdr->basic_hdr.msg_len] = 0;
-        retval = SECURITY_SERVER_SUCCESS;
-    }
-    else
-    {
-        SEC_SVR_ERR("Error received. return code: %d", hdr->return_code);
-        retval = return_code_to_error_code(hdr->return_code);
-        return retval;
-    }
-
-    if (local_obj_name != NULL)
-        free(local_obj_name);
-    return SECURITY_SERVER_SUCCESS;
-}
-
-/* Authenticate client application *
- * Currently it only gets peer's credential information only *
- * If we need, we can extend in the futer */
-int authenticate_client_application(int sockfd, int *pid, int *uid)
-{
-    struct ucred cr;
-    unsigned int cl = sizeof(cr);
-
-    /* get PID of socket peer */
-    if (getsockopt(sockfd, SOL_SOCKET, SO_PEERCRED, &cr, &cl) != 0)
-    {
-        SEC_SVR_ERR("%s", "getsockopt failed");
-        return SECURITY_SERVER_ERROR_SOCKET;
-    }
-    *pid = cr.pid;
-    *uid = cr.uid;
-    return SECURITY_SERVER_SUCCESS;
-}
-
-/* Authenticate the application is middleware daemon
- * The middleware must run as root (or middleware user) and the cmd line must be
- * pre listed for authentication to succeed */
-int authenticate_client_middleware(int sockfd, int *pid)
-{
-    int uid;
-    return authenticate_client_application(sockfd, pid, &uid);
-#if 0
-    int retval = SECURITY_SERVER_SUCCESS;
-    struct ucred cr;
-    unsigned int cl = sizeof(cr);
-    char *exe = NULL;
-    struct passwd pw, *ppw;
-    size_t buf_size;
-    char *buf;
-    static uid_t middleware_uid = 0;
-
-    *pid = 0;
-
-    /* get PID of socket peer */
-    if (getsockopt(sockfd, SOL_SOCKET, SO_PEERCRED, &cr, &cl) != 0)
-    {
-        retval = SECURITY_SERVER_ERROR_SOCKET;
-        SEC_SVR_ERR("%s", "Error on getsockopt");
-        goto error;
-    }
-
-    if (!middleware_uid)
-    {
-        buf_size = sysconf(_SC_GETPW_R_SIZE_MAX);
-        if (buf_size == -1)
-            buf_size = 1024;
-
-        buf = malloc(buf_size);
-
-        /* This test isn't essential, skip it in case of error */
-        if (buf) {
-            if (getpwnam_r(SECURITY_SERVER_MIDDLEWARE_USER, &pw, buf, buf_size, &ppw) == 0 && ppw)
-                middleware_uid = pw.pw_uid;
-
-            free(buf);
-        }
-    }
-
-    /* Middleware services need to run as root or middleware/app user */
-    if (cr.uid != 0 && cr.uid != middleware_uid)
-    {
-        retval = SECURITY_SERVER_ERROR_AUTHENTICATION_FAILED;
-        SEC_SVR_ERR("Non root process has called API: %d", cr.uid);
-        goto error;
-    }
-
-    /* Read command line of the PID from proc fs */
-    exe = read_exe_path_from_proc(cr.pid);
-    if (exe == NULL)
-    {
-        /* It's weired. no file in proc file system, */
-        retval = SECURITY_SERVER_ERROR_FILE_OPERATION;
-        SEC_SVR_ERR("Error on opening /proc/%d/exe", cr.pid);
-        goto error;
-    }
-
-    *pid = cr.pid;
-
-error:
-    if (exe != NULL)
-        free(exe);
-
-    return retval;
-#endif
-}
-
-/* Get app PID from socked and read its privilege (GID) list
- * from /proc/<PID>/status.
- *
- * param 1: socket descriptor
- * param 2: pointer for hold returned array
- *
- * ret: size of array or -1 in case of error
- *
- * Notice that user must free space allocated in this function and
- * returned by second parameter (int * privileges)
- * */
-int get_client_gid_list(int sockfd, int **privileges)
-{
-    int ret;
-    //for read socket options
-    struct ucred socopt;
-    unsigned int socoptSize = sizeof(socopt);
-    //buffer for store /proc/<PID>/status filepath
-    const int PATHSIZE = 24;
-    char path[PATHSIZE];
-    //file pointer
-    FILE *fp = NULL;
-    //buffer for filelines
-    const int LINESIZE = 256;
-    char fileLine[LINESIZE];
-    //for parsing file
-    char delim[] = ": ";
-    char *token = NULL;
-
-
-    //clear pointer
-    *privileges = NULL;
-
-    //read socket options
-    ret = getsockopt(sockfd, SOL_SOCKET, SO_PEERCRED, &socopt, &socoptSize);
-    if (ret != 0)
-    {
-        SEC_SVR_ERR("%s", "Error on getsockopt");
-        return -1;
-    }
-
-    //now we have PID in sockopt.pid
-    bzero(path, PATHSIZE);
-    snprintf(path, PATHSIZE, "/proc/%d/status", socopt.pid);
-
-    fp = fopen(path, "r");
-    if (fp == NULL)
-    {
-        SEC_SVR_ERR("%s", "Error on fopen");
-        return -1;
-    }
-
-    bzero(fileLine, LINESIZE);
-
-    //search for line beginning with "Groups:"
-    while (strncmp(fileLine, "Groups:", 7) != 0)
-    {
-        if (NULL == fgets(fileLine, LINESIZE, fp))
-        {
-            SEC_SVR_ERR("%s", "Error on fgets");
-            fclose(fp);
-            return -1;
-        }
-    }
-
-    fclose(fp);
-
-    //now we have "Groups:" line in fileLine[]
-    ret = 0;
-    strtok(fileLine, delim);
-    while ((token = strtok(NULL, delim)))
-    {
-        //add found GID
-        if (*privileges == NULL)
-        {
-            //first GID on list
-            *privileges = (int*)malloc(sizeof(int) * 1);
-            if (*privileges == NULL)
-            {
-                SEC_SVR_ERR("%s", "Error on malloc");
-                return -1;
-            }
-            (*privileges)[0] = atoi(token);
-        }
-        else
-        {
-            *privileges = realloc(*privileges, sizeof(int) * (ret + 1));
-            (*privileges)[ret] = atoi(token);
-        }
-
-        ret++;
-    }
-
-    //check if we found any GIDs for process
-    if (*privileges == NULL)
-    {
-        SEC_SVR_DBG("%s %d", "No GIDs found for PID:", socopt.pid);
-    }
-    else
-    {
-        SEC_SVR_DBG("%s %d", "Number of GIDs found:", ret);
-    }
-
-    return ret;
-}
-
diff --git a/src/include/SLP_security-model_PG.h b/src/include/SLP_security-model_PG.h
deleted file mode 100644 (file)
index 0151c15..0000000
+++ /dev/null
@@ -1,73 +0,0 @@
-/**
- * @defgroup SLP_PG_SECURITY Security and Permissions
- * @ingroup SLP_PG
- * @{
- *      @brief  <em class="ref">Also see </em>  [ @ref SecurityFW ]
- *      @defgroup CertificateManager_PG
- *      @defgroup Security_Server_PG
- *      @defgroup SecureStorage_PG
- *      @}
- *      @defgroup SLP_PG_SECURITY
- *      @ingroup SLP_PG
- *      @{
-
-<h1 class="pg">Security Requirements</h1>
-<h2>Privileges </h2>
-<p>All processes MUST have least privilege to operate their own purpose. middleware daemons might run as root to satisfy their functional requirements, but there MUST BE NO application process which is running as root. In this document application represents all processes which has user interface to the end user.</p>
-<p>Each application process should have different privileges to satisfy least privilege, therefore there should be an entity to take care of process privileges.</p>
-<p>If an application process requires higher (system or root) privilege to provide some function, the function must be implemented in a middleware daemon and the function must be provided as an API to application</p>
-<h2>Application Sandboxing</h2>
-<p>All applications MUST NOT interfere each other. Interference covers killing other processes, modify or delete other application's files, overwrite or read other application process' memory area, masquerading other applications, and reading other application's sensitive files.</p>
-<h2>Middleware Resource Protection</h2>
-<p>All middleware resources MUST be protected by unauthorized access from applications. If the middleware is a daemon process, the process must not be interfered by applications, if the middleware is a library and the resources of the middleware are files, then the files must not be modified by unauthorized process.</p>
-<p>The resources must be protected at the resource level, not API level because API could be easily detoured</p>
-<h2>Privilege Escalation</h2>
-<p>There should be no privilege escalation, but by some management and/or manufacturing reason, unpredicted privilege escalation might be necessary. In this situation the modules which require privilege escalation MUST be highly reviewed and managed by developers and security manager.</p>
-<h1 class="pg">Security Model</h1>
-<h2>Background Information</h2>
-<h3>Discretionary Access Control</h3>
-<p>Linux kernel have supported discretionary access control (DAC) from the very beginning which controls access based on user ID, group ID of a process and owner of file that the process tries to access. This access control mechanism has been evolved with the Linux system evolution, additionally, SLP is not an embedded Linux platform but a normal Linux platform, therefore SLP has full support on DAC.</p>
-<p>In Linux all process is executed with user ID and groups, normally inherited by parent process. The processes which are executed in booting script will be executed as root user because the parent process "init" is root process. Any other user processes including user shell will be executed as an user that is logged in by the console login process. The groups that the process belongs to are also inherited by parent process, the list of group ID is assigned when the user is logged in based on "/etc/group" file. A process can be belonged more than thousand of groups (max 65,536 but I think too many groups might occur some problem).</p>
-<p>Only root process can change user ID and groups of the process by calling setuid() and setgroups() function, so if a root process is changed user to non root, then it can never change its user ID and groups again.</p>
-<p>There is a special feature to change user ID even the process is not owned by root user. If the executable file has setuid sticky bit, then the process will be executed as the owner of executable files. This is very important for access control because it can produce "privilege escalation" which can harm the platform security. In Linux PC, utilities such as "sudo" and "su" has this feature because these command need to change user to root or other user ID. These utilities first executed as root user and then changes to other user ID if needed.</p>
-<p>In Linux file system, all files are labeled with security context which describes owner user ID and group ID of the file and the permission of each accessible entity which are owner, group, and others. Permissions are consisting of read, write, and execute for each entity. If accessing process's user ID is same to owner of the file to be accessed, then the owner's permission is applied, if the process has the group that is labeled on the file, then the group's permission is applied, if not, then the other's permission is applied. All these functions are implemented in Linux kernel, so you don't need anything more for the feature. By the way, root process bypasses all the permission checking, that is root process can access all files. You can refer to Linux fundamental documents for this feature.</p>
-<p>The owner of a file can change permission of the file but, cannot change owner of the file. Only root process can change owner of the file, so if you want to change owner of a file, you have to be root.</p>
-<h3>Mandatory Access Control</h3>
-<p>DAC is great security feature of Linux, but sometime DAC is not sufficient to protect platform. DAC is based on user ID, group and file’s permissions, the granularity is limited to user ID level, in some way platform may need more precise access control than DAC. Mandatory Access Control (MAC) provides this security feature to give better and precise access control based on labeling and policy.</p>
-<p>MAC was not a part of standard Linux in the beginning, but since there were several requirements, so from kernel 2.6 version, some of the MAC mechanisms have been added to main line kernel source as optional features.</p>
-<p>MAC needs security context labeling and policy to control. Usually, all files have its security context described in extended attribute(xattr) of file system or some other places if xattr is not supported. Policy describes which subject (process) has permission to do something (operation) to some object. It doesn’t refer to owner and permission of the DAC field, just refer to security context of subject and object, and then searches allowed operations. Object can be files, directories, system calls, sockets and so on, each MAC mechanism has different set of objects.</p>
-<p>Using MAC, even root process can be denied to access some important object and some chosen root process can be allowed. Currently there are many MAC mechanisms such as SELinux, App-Armor, SMACK, RBAC, grsecurity and so on, and each of them has different objectives and approach.</p>
-<h2>Security Model</h2>
-<p>Since SLP is a Linux platform, its security model is similar to other Linux platform’s security model. In SLP, DAC and MAC are used, but biggest difference is that we need user space access control such as telephony, system management and so on.</p>
-<h3>Discretionary Access Control</h3>
-<p>- <b><i>User ID policy for processes</i></b></p>
-<p>All middleware daemons are running as root user ID, it's natural because daemons are executed by init process which is root process. There are a few exceptions that are not running as root even though the process is executed by init process. They are menu-screen, voice-call-daemon, and indicator. The reason is that the exceptional processes are executed by init process but they are not middleware, but applications. These special processes maybe increased at any time.</p>
-<p>Normal applications are executed as non root user ID. To achieve application sandboxing, all applications should run as all different user IDs, but it might occur complexity to the platform, so all the inhouse applications are executed as same user, and each 3rd party application will be executed as each different user ID.</p>
-<p><b><i>- Group ID for fine grained access control</i></b></p>
-<p>In Linux, a single process can be owned by a single user ID, but it can be belonged to multiple group IDs (max 65,536). In current desktop Linux such as Ubuntu, they use group ID to enforce access control for shared objects, such as CD-ROM, printer, audio, and so on. In SLP, we will use group ID as same usage, but the object will be different than normal desktop Linux, such as telephony, contact, and so on.</p>
-<p>As a result, each application will be given different group IDs based on its required privilege.</p>
-<p><i><b>- Security context on files</b></i></p>
-<p>For security and safety reason, basically all files in SLP owned by root as other Linux platform does, and then, non root user process cannot modify any files. The permission of normal files will be "rw-r--r--" which means only owner can modify or delete and the group member and others only can read, this is also same as other Linux platform. Lastly permission of executive files will be "rwxr-xr-x", so anybody can execute them, and also same as others.</p>
-<p>But there are many special files to be shared and modified by non root processes for example database files and device files in dev file system. In these cases, group ID of file is used. A shared file is owned by root but belonged to proper group ID which describes the file's content or object. The permission of the file could be "rw-rw-r--" to allow the processes belonged to the group can modify the file.</p>
-<p>There are some secret files to be protected by unauthorized read operation, then we can use same method as above but only difference will be no read permission to others, such as "rw-------", or "rw-rw----".</p>
-<p>Finally, there will be newly created files from middleware daemons and applications. There is default umask "022" , so if the created file is from middleware daemon, then the context of the file will be "root:root rw-r--r--", which means only root can modify and other users can read the file, if an application creates a file, then context wiil be "app_user:app_user rw-r--r--", so only the application can modify the file. This is normal usage but there must be some special cases which the file should be shared within applications. But, chown command and function only works under root privilege so applications cannot change owner of created files, so only thing possible is to change permission by chmod function. But there is only one option, share to none or share to all.</p>
-<h3>Mandatory Access Control</h3>
-<p>Mandatory access control(MAC) is currently out of scope of the SLP because there is almost no concrete threat which could be protected by MAC. Only one possible threat is that the network access by unauthorized process when there is a connected interface is already created. The adversary can monitor network interface status and if there is a new interface created, then it can use socket directly and it's possible to send some data by the socket. It's not possible to protect only by DAC.</p>
-<h2>User Space</h2>
-<p>There are many objects in user space such as making a phone call, sending a SMS message, which are not recognizable by kernel because thses objects are implemented in a daemon process, applications will request access by IPC and the kernel cannot manage inside of IPC messages. In these cases we must have a user space trusted entity which judges and controls access to such objects, which sits between applications and middleware daemons.</p>
-<p>To enable this, the entity must get identity of the subject application and object to be accessed, but it's not easy because some of the IPC mechanisms don't support peer's identity acquisition. For example all the dbus messages are routed by dbus daemon, so the receiver only guarantees dbus daemon sent the message, not the original sender of the message. Therefore, we have to support such mechanism to guarantee the original sender's identity to the final receiver along with reliable and secure access decision mechanism.</p>
-<p>To enforce access control, there must be an access policy which should be stored securely and it must be reliable. In SLP we utilized group ID for this policy. All processes have their user ID and groups which are controlled by kernel, each user space object is described as a group ID and the subject process will have the group ID if the application process has corresponding group ID then the access to be allowed, if not, the access will be denied.</p>
-<p>One more function required is that the enforcing entity needs to know other processes groups information. proc file system can be used. In proc file system, there is a file named "status", which describes various information about a process including all groups that the process belong to.</p>
-<h1 class="pg">Implementation</h1>
-<h2>User ID and Group ID Administration for Processes</h2>
-<p>As described above, all the daemons will be run by root, this is natural because all the booting scripts are executed by init process which is a root process, so all the processes executed by booting scripts will be run as root automatically. But there are some exceptions. There are some processes which are executed by booting scripts but not actually daemons such as menu screen and indicator. These processes must drop their privilege to a normal user, so in the beginning of their code, they change their user ID and groups to a normal user.</p>
-<p>All other applications will be executed by AUL (application utility library). When a new application process is requested to be executed, AUL daemon (launchpad) which is a root process receives the request, fork() and execute requested application in the child process. During this process, after forking a process, the launchpad child process changes its user ID to a corresponding user ID, changes matching groups, changes home directory, and execute the application. This is similar to su command in Linux environment.</p>
-<p>When a new application is installed, package manager adds a new user which has same user name with package name but substituting dot '.' to underscore '_'. But this feature is currently out of scope of the SLP.</p>
-<p>The group ID will be described as manifest permission item which described in control file of the debian package. Manifest permission items and group IDs will not correspond 1 to 1, basically one permission item will mean a set of group IDs to enable the permission, the sets might consist of 1 group ID or many group IDs. When a new application is installed, these groups will be assigned to the user ID, this could be implemented by adduser command. But this feature is currently out of scope of the SLP.</p>
-<h2>Changing Owner, Group and Permissions for Files</h2>
-<p>Since SLP uses debian package for the internal build system, all files which are installed by debian are automatically owned by root and their permissions set to 0644 (rw-r--r--), which means only root can modify and other processes only can read. But in the platform there are various files which should be modified by applications also, so we need to modify the ownership and permission intentionally.</p>
-<p>The only way to do this is by using postinst script of each of the debian package. On each package if there are some files should be shared, the package developer should add a few line to postinst file to change owner ship and permission to the files. To change owner, of a file, you have to be a root, if you are using fakeroot, the chown will not be affected.</p>
-*/
-/**
-*@}
-*/
diff --git a/src/include/SLP_security-server_PG.h b/src/include/SLP_security-server_PG.h
deleted file mode 100644 (file)
index acb8ac1..0000000
+++ /dev/null
@@ -1,350 +0,0 @@
-/**
- *
- * @ingroup   SLP_PG
- * @defgroup  Security_Server_PG Security Server
-@{
-
-<h1 class="pg">Introduction</h1>
-<p>In Linux system, access control is enforced in the kernel space objects such as file, socket, directory, and device which are all described as files. In SLP, many objects are defined in user space which cannot be described as file, for example, make a phone call, send a SMS message, connect to the Internet, and modify SIM password. Some of the objects in user space are very sensitive to the platform and the phone business as well as user's property. Therefore the user space objects needed to be protected.</p>
-<p>To protect such user space objects, there must be a kind of credential to decide access result, and the credential must be trusted. Since process has privileges and the objects only has label, so some trusted entity should check the process has right privilege to access objects, and the security hooks to check this privilege should be located in the each middleware service daemons which provide the objects to the applications.</p>
-<p>Security Server uses group IDs of Linux system that are assigned to each process. In detail, if a process requests to get some user-space service to a middleware daemon, the middleware daemon requests to check privilege of some process, then the security server checks given gid is assigned to the process or not. If yes, then return yes, if no, then return no.</p>
-<p>If an application and middleware daemon uses Linux standard IPC such as Unix domain socket, there is no need to introduce 3rd party process to check gid that the process has. But some of service uses non Linux standard IPC such as telephony - using dbus - which the peer's credential is not propagated to the other peer. As a result to meet all the system's environment, we introduce Security Server.</p>
-<p>
-Security Server uses a random token named "cookie" to identify a process, the cookie needed not to be abled to guess easily, so it's quite long (currently 20 bytes), and only kept by Security Server process memory</p>
-
-<h1 class="pg">Security Server Architecture</h1>
-@image html SLP_Security-Server_PG_image001.png
-<p>Above fiture explains software architecture of Security Server. It is client-server structure, and communicates by IPC. The IPC must be point-2-point mechanism such as UNIX domain socket, not server related IPC such as dbus, because it's not easy to guarantee the other peer's security.</p>
-<p>Application or middleware process can call Security Server API to assign a new cookie or checking privilege of the given cookie. In this case, client library authenticates IPC peer and check the peer is Security Server process. In the same sense, Security Server authenticates client also.</p>
-<p>Application requests cookie to Security Server before requesting the service to the middleware daemon. Security Server authenticates the client, generates a random cookie, stores the cookie into local memory, and responds to the client with the cookie value. Client loads the cookie in the request message and sends to the middleware server, then the receiver middleware daemon check the privilege of the given cookie by calling Security Server API. Security Server compares received cookie value with stored cookie, checks and responds to the middleware daemon. Finally middleware daemon knows the client's privilege and it decides continue or block the request.</p>
-
-<h2>Sub components</h2>
-
-<h3>Client library</h3>
-@image html SLP_Security-Server_PG_image002.png
-<p>Client library is linked to application or middleware daemon. Therefore it belongs to the caller process, so uid, pid, and groups are also same. If the application calls cookie request API, the client compose cookie request message and sends to the Security Server and wait for the response. After receiving the response, first checks the response is from Security Server, and if it's true, it stores cookie into cookie container.</p>
-<p>Middleware daemon also links same client library, but by the difference of the calling APIs, the functions are different. Middleware daemon first receives cookie value loaded in service request from the client, and then the middleware calls Security Server API to check the cookie has the privilege to the service and waits for the response. After receiving the response, it authenticates the response is really from Security Server, and continue service by the result of the API.</p>
-
-<h3>Security Server Daemon</h3>
-@image html SLP_Security-Server_PG_image003.png
-<p>Security Server daemon is a Unix domain socket server, but it only has single thread and single process to get rid of race condition for the proc file system and cookie list to be shared. It’s easy to manage, more secure and the Security Server itself doesn't need to maintain a session for a long time.</p>
-<p>When request API is received from the client, Security Server first parses, and authenticates the message, and creates cookie or checks privilege. Cookie is a 20 bytes random string too hard to be guessed. So it's hard to be spoofed.</p>
-<p>Cookie generator generates a cookie based on proc file system information of the client process with group IDs the client belongs to, and privilege checker searches received cookie value with stored cookie list and checks the privilege.</p>
-<p>Cookie list is a linked list implemented in memory and it stores and manages generated cookie.</p>
-
-<h1 class="pg">Dependency</h1>
-<p>The Security Server has high dependency on Linux kernel, precisely the proc file system. Since Security Server refers to proc file system with processes group ID, so the kernel must support group ID representation on the proc file system.</p>
-<p>In kernel version 2.6, there is a file in proc file system "/proc/[pid]/status" which describes various information about the process as text, it has a line named "Groups:" and it lists the group IDs that the process is belonged to. But there is a drawback in this file, it only shows at most 32 group IDs, if number of groups of the process is bigger than 32, it ignores them.</p>
-<p>To enable to show all the groups you have to patch the kernel source code to show more groups than 32, but there is another drawback. All files in the proc file system has size limit to 4k bytes because the file buffer size is 4k bytes, so it's not possible to show all possible groups of the process (64k), but currently number of all groups in the LiMo platform is much lower than the size, so it's not a big problem. But near future we need to apply this patch into kernel mainline source code by any form.</p>
-
-<h1 class="pg">Scenarios</h1>
-@image html SLP_Security-Server_PG_image004.png
-<p>Security Server process view is described in figure above. It's explained in above, so it's not necessary to explain again. But one possible question may arise, that why do we need Security Server, that the service daemon can authenticates application process by the IPC, and the daemon can check proc file system by itself, so it seems that we may not need to have Security Server at all<p>
-@image html SLP_Security-Server_PG_image005.png
-<p>But there is exceptional process view described in figure above. If the middleware's IPC mechanism is dbus, then the daemon cannot guarantee the identity of the requesting application. In this case, there is no possible way to check and authenticate application from the middleware daemon directly. We need a trusted 3rd party to guarantee such identity and privilege, therefore Security Server is required.</p>
-<p>As described above, the cookie value is the key of the security of Security Server. The cookie value must not to be exposed into the platform, the cookie value must be stored securely that only Security Server and the application process knows the value. Even the middleware daemon should not cache the cookie for the security reason</p>
-
-<h1 class="pg">APIs</h1>
-
-<h3 class="pg">security_server_get_gid</h3>
-<table>
-    <tr>
-        <td>
-            API Name:
-        </td>
-        <td>
-            gid_t security_server_get_gid(const char *object)
-        </td>
-    </tr>
-    <tr>
-        <td>
-            Input Parameter:
-        </td>
-        <td>
-            object name as Null terminated string
-        </td>
-    </tr>
-    <tr>
-        <td>
-            Output Parameter:
-        </td>
-        <td>
-            N/A
-        </td>
-    </tr>
-    <tr>
-        <td>
-            Return value:
-        </td>
-        <td>
-            On success, returns the integer gid of requested object.<br>
-            On fail, returns negative integer
-        </td>
-    </tr>
-</table>
-This API returns the gid from given object name. This API is only allowed to be called from middleware service daemon which is running under root privilege
-
-<h3 class="pg">security_server_get_object_name</h3>
-<table>
-    <tr>
-        <td>
-            API Name:
-        </td>
-        <td>
-            int security_server_get_object_name(gid_t gid, char *object, size_t max_object_size)
-        </td>
-    </tr>
-    <tr>
-        <td>
-            Input Parameter:
-        </td>
-        <td>
-            gid, max_object_size
-        </td>
-    </tr>
-    <tr>
-        <td>
-            Output Parameter:
-        </td>
-        <td>
-            object as null terminated string
-        </td>
-    </tr>
-    <tr>
-        <td>
-            Return value:
-        </td>
-        <td>
-            On success, returns 0<br>
-            On fail, returns negative integer
-        </td>
-    </tr>
-</table>
-This API is opposite with security_server_get_gid(). It converts given gid to object name which buffer size is max_object_size. If object name is bigger then max_object_size then it returns SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMAL error.
-
-<h3 class="pg">security_server_request_cookie</h3>
-<table>
-    <tr>
-        <td>
-            API Name:
-        </td>
-        <td>
-            gid_t security_server_request_cookie(char *cookie, size_t max_cookie)
-        </td>
-    </tr>
-    <tr>
-        <td>
-            Input Parameter:
-        </td>
-        <td>
-            max_cookie
-        </td>
-    </tr>
-    <tr>
-        <td>
-            Output Parameter:
-        </td>
-        <td>
-            cookie
-        </td>
-    </tr>
-    <tr>
-        <td>
-            Return value:
-        </td>
-        <td>
-            On success, returns 0<br>
-            On fail, returns negative integer
-        </td>
-    </tr>
-</table>
-This API requests a cookie to Security Server. max_cookie is the size of buffer cookie to be filled with cookie value, if max_cookie smaller then cookie size, then this API returns SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMAL error.
-
-<h3 class="pg">security_server_get_cookie_size</h3>
-<table>
-    <tr>
-        <td>
-            API Name:
-        </td>
-        <td>
-            int security_server_get_cookie_size(void)
-        </td>
-    </tr>
-    <tr>
-        <td>
-            Input Parameter:
-        </td>
-        <td>
-            N/A
-        </td>
-    </tr>
-    <tr>
-        <td>
-            Output Parameter:
-        </td>
-        <td>
-            N/A
-        </td>
-    </tr>
-    <tr>
-        <td>
-            Return value:
-        </td>
-        <td>
-            size of cookie value
-        </td>
-    </tr>
-</table>
-This API simply returns the size of cookie.
-
-<h3 class="pg">security_server_check_privilege</h3>
-<table>
-    <tr>
-        <td>
-            API Name:
-        </td>
-        <td>
-            int security_server_check_privilege(const char *cookie, gid_t privilege)
-        </td>
-    </tr>
-    <tr>
-        <td>
-            Input Parameter:
-        </td>
-        <td>
-            cookie, privilege
-        </td>
-    </tr>
-    <tr>
-        <td>
-            Output Parameter:
-        </td>
-        <td>
-            N/A
-        </td>
-    </tr>
-    <tr>
-        <td>
-            Return value:
-        </td>
-        <td>
-            On success, returns 0<br>
-            On fail, returns negative integer
-        </td>
-    </tr>
-</table>
-This API checks the cookie value has privilege for given gid. This API should be called by middleware server only after application embed cookie into the request message and sent to the middleware server. The middleware server should aware with the privilege parameter because it knows the object which the client application tries to access.
-
-
-<h1 class="pg">Implementation Guide</h1>
-
-<h2>Middleware server side</h2>
-<p>
-In middleware, implementation is focused on checking privilege of the requested client application. To call security_server_check_privilege() API, you have to get the gid value first, and this can be achieved by calling security_server_get_gid() API. The pre-condition of this scenario is that the middleware server knows the name of the object. Once you get the gid values, you can cache them for better performance. </p>
-<p>
-Once a client application requests to access the middleware’s object, the client should embed cookie into the request message. If not, the security is not guaranteed. After getting request and embedded cookie, the middleware server call security_server_check_privilege() API to check the client is allowed to access the object, the security server will respond the result. Finally the server need to decide continue the service or not.</p>
-
-@code
-static gid_t g_gid;
-
-int get_gid()
-{
-    int ret;
-    // Get gid of telephony call - example object
-    ret = security_server_get_gid("telephony_call");
-    if(ret < 0)
-    {
-        return -1;
-    }
-    g_gid = ret;
-    return 0;
-}
-
-int main(int argc, char * argv[])
-{
-    char *cookie = NULL;
-    int ret, cookie_size;
-
-
-    ...
-
-
-        // Initially get gid about the object which is interested in
-        if(get_gid() < 0)
-            exit(-1);
-
-    // get cookie size and malloc it if you want
-    cookie_size = security_server_get_cookie_size();
-    cookie = malloc(cookie_size);
-
-    ...
-
-    // If a request has been received
-    // First parse the request and get the cookie value
-    // Let's assume that the buffer cookie is filled with received cookie value
-    ret = security_server_check_privilege(cookie, cookie_size);
-    if(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED)
-    {
-        // Access denied
-        // Send error message to client application
-    }
-    else if( ret != SECURITY_SERVER_SUCCESS)
-    {
-        // Error occurred
-        // Check error condition
-    }
-    else
-    {
-        // Access granted
-        // Continue service
-        ...
-    }
-
-
-    ...
-
-
-    free(cookie);
-    ...
-}
-@endcode
-
-<h2>Client application side</h2>
-<p>
-In client application, what you need is just request a cookie and embed it into request message</p>
-
-@code
-int some_platform_api()
-{
-    char *cookie = NULL;
-    int cookie_size, ret;
-
-    ...
-
-
-    // malloc the cookie
-    cookie_size = security_server_get_cookie_size();
-    cookie = malloc(cookie_size);
-
-    ...
-
-
-        // Request cookie from the security server
-        ret = security_server_request_cookie(cookie, cookie_size);
-    if(ret < 0)
-    {
-        // Some error occurred
-        return -1;
-    }
-
-    // embed cookie into the message and send to the server
-
-    ...
-    free(cookie);
-}
-@endcode
-
-*/
-/**
-*@}
-*/
diff --git a/src/include/security-server-comm.h b/src/include/security-server-comm.h
deleted file mode 100644 (file)
index ef558f4..0000000
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- *  security-server
- *
- *  Copyright (c) 2000 - 2012 Samsung Electronics Co., Ltd All Rights Reserved
- *
- *  Contact: Bumjin Im <bj.im@samsung.com>
- *
- *  Licensed under the Apache License, Version 2.0 (the "License");
- *  you may not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS,
- *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License
- *
- */
-
-#ifndef SECURITY_SERVER_COMM_H
-#define SECURITY_SERVER_COMM_H
-
-/* Message */
-typedef struct
-{
-    unsigned char version;
-    unsigned char msg_id;
-    unsigned short msg_len;
-} basic_header;
-
-typedef struct
-{
-    basic_header basic_hdr;
-    unsigned char return_code;
-} response_header;
-
-#define SECURITY_SERVER_MIDDLEWARE_USER "app"
-
-/* Message Types */
-// #define SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_REQUEST            0x05
-// #define SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE           0x06
-#define SECURITY_SERVER_MSG_TYPE_GID_REQUEST                    0x07
-#define SECURITY_SERVER_MSG_TYPE_GID_RESPONSE                   0x08
-#define SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE               0xff
-
-/* Return code */
-#define SECURITY_SERVER_RETURN_CODE_SUCCESS                        0x00
-#define SECURITY_SERVER_RETURN_CODE_BAD_REQUEST                    0x01
-#define SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED          0x02
-#define SECURITY_SERVER_RETURN_CODE_ACCESS_GRANTED                 0x03
-#define SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED                  0x04
-#define SECURITY_SERVER_RETURN_CODE_NO_SUCH_OBJECT                 0x05
-#define SECURITY_SERVER_RETURN_CODE_NO_SUCH_COOKIE                 0x06
-#define SECURITY_SERVER_RETURN_CODE_SERVER_ERROR                   0x0e
-
-int return_code_to_error_code(int ret_code);
-int create_new_socket(int *sockfd);
-int safe_server_sock_close(int client_sockfd);
-int connect_to_server(int *fd);
-int accept_client(int server_sockfd);
-int authenticate_client_application(int sockfd, int *pid, int *uid);
-int authenticate_client_middleware(int sockfd, int *pid);
-int get_client_gid_list(int sockfd, int **privileges);
-int send_generic_response (int sockfd, unsigned char msgid, unsigned char return_code);
-int send_object_name(int sockfd, char *obj);
-int send_gid(int sockfd, int gid);
-int send_gid_request(int sock_fd, const char *object);
-int send_object_name_request(int sock_fd, int gid);
-int recv_get_gid_response(int sockfd, response_header *hdr, int *gid);
-int recv_get_object_name(int sockfd, response_header *hdr, char *object, int max_object_size);
-
-int recv_hdr(int client_sockfd, basic_header *basic_hdr);
-
-int recv_generic_response(int sockfd, response_header *hdr);
-int check_socket_poll(int sockfd, int event, int timeout);
-int free_argv(char **argv, int argc);
-int get_socket_from_systemd(int *sockfd);
-
-#endif
diff --git a/src/include/security-server-common.h b/src/include/security-server-common.h
deleted file mode 100644 (file)
index 89f4216..0000000
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- *  security-server
- *
- *  Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- *  Contact: Bumjin Im <bj.im@samsung.com>
- *
- *  Licensed under the Apache License, Version 2.0 (the "License");
- *  you may not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS,
- *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License
- *
- */
-
-#ifndef SECURITY_SERVER_COMMON_H
-#define SECURITY_SERVER_COMMON_H
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#include <sys/types.h>
-#include <dlog.h>
-
-/* Definitions *********************************************************/
-/* Return value. Continuing from return value of the client header file */
-#define SECURITY_SERVER_SUCCESS                              0
-#define SECURITY_SERVER_ERROR_SOCKET                         -1
-#define SECURITY_SERVER_ERROR_BAD_REQUEST                    -2
-#define SECURITY_SERVER_ERROR_BAD_RESPONSE                   -3
-#define SECURITY_SERVER_ERROR_SEND_FAILED                    -4
-#define SECURITY_SERVER_ERROR_RECV_FAILED                    -5
-#define SECURITY_SERVER_ERROR_NO_SUCH_OBJECT                 -6
-#define SECURITY_SERVER_ERROR_AUTHENTICATION_FAILED          -7
-#define SECURITY_SERVER_ERROR_INPUT_PARAM                    -8
-#define SECURITY_SERVER_ERROR_BUFFER_TOO_SMALL               -9
-#define SECURITY_SERVER_ERROR_OUT_OF_MEMORY                  -10
-#define SECURITY_SERVER_ERROR_ACCESS_DENIED                  -11
-#define SECURITY_SERVER_ERROR_SERVER_ERROR                   -12
-#define SECURITY_SERVER_ERROR_NO_SUCH_COOKIE                 -13
-#define SECURITY_SERVER_ERROR_NO_PASSWORD                    -14
-#define SECURITY_SERVER_ERROR_SOCKET_BIND                    -21
-#define SECURITY_SERVER_ERROR_FILE_OPERATION                 -22
-#define SECURITY_SERVER_ERROR_TIMEOUT                        -23
-#define SECURITY_SERVER_ERROR_POLL                           -24
-#define SECURITY_SERVER_ERROR_UNKNOWN                        -255
-
-/* Miscellaneous Definitions */
-#define SECURITY_SERVER_SOCK_PATH                          "/tmp/.security_server.sock"
-#define SECURITY_SERVER_DEFAULT_COOKIE_PATH                "/tmp/.security_server.coo"
-#define SECURITY_SERVER_DAEMON_PATH                        "/usr/bin/security-server"
-#define SECURITY_SERVER_COOKIE_LEN                         20
-#define MAX_OBJECT_LABEL_LEN                               32
-#define MAX_MODE_STR_LEN                                   16
-#define SECURITY_SERVER_MAX_OBJ_NAME                       30
-#define SECURITY_SERVER_MSG_VERSION                        0x01
-#define SECURITY_SERVER_ACCEPT_TIMEOUT_MILISECOND          10000
-#define SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND          3000
-#define SECURITY_SERVER_DEVELOPER_UID                      5100
-#define SECURITY_SERVER_NUM_THREADS                        10
-#define MESSAGE_MAX_LEN                                    1048576
-
-/* API prefix */
-#ifndef SECURITY_SERVER_API
-#define SECURITY_SERVER_API __attribute__((visibility("default")))
-#endif
-
-
-
-/* Data types *****************************************************************/
-
-
-/* Cookie List data type */
-typedef struct _cookie_list
-{
-    unsigned char cookie[SECURITY_SERVER_COOKIE_LEN];   /* 20 bytes random Cookie */
-    int permission_len;                 /* Client process permissions (aka group IDs) */
-    pid_t pid;                          /* Client process's PID */
-    char *path;                         /* Client process's executable path */
-    int *permissions;                   /* Array of GID that the client process has */
-    char *smack_label;                                      /* SMACK label of the client process */
-    char is_roots_process;              /* Is cookie belongs to roots process */
-    struct _cookie_list *prev;              /* Next cookie list */
-    struct _cookie_list *next;              /* Previous cookie list */
-} cookie_list;
-
-
-/* Function prototypes ******************************************************/
-/* IPC */
-
-void printhex(const unsigned char *data, int size);
-
-/* Debug */
-#ifdef SECURITY_SERVER_DEBUG_TO_CONSOLE /* debug msg will be printed in console */
-#define SEC_SVR_DBG(FMT, ARG ...) fprintf(stderr, "[DBG:%s:%d] " FMT "\n", \
-                __FILE__, __LINE__, ##ARG)
-#define SEC_SVR_WRN(FMT, ARG ...) fprintf(stderr, "[WRN:%s:%d] " FMT "\n", \
-                __FILE__, __LINE__, ##ARG)
-#define SEC_SVR_ERR(FMT, ARG ...) fprintf(stderr, "[ERR:%s:%d] " FMT "\n", \
-                __FILE__, __LINE__, ##ARG)
-
-#else
-#ifdef LOG_TAG
-    #undef LOG_TAG
-#endif
-#define LOG_TAG "SECURITY_SERVER"
-#define SEC_SVR_ERR SLOGE
-#ifdef BUILD_TYPE_DEBUG        /* debug msg will be printed by dlog daemon */
-#define SEC_SVR_DBG SLOGD
-#define SEC_SVR_WRN SLOGW
-#else /* No debug output */
-
-#define SEC_SVR_DBG(FMT, ARG ...) do { } while(0)
-#define SEC_SVR_WRN(FMT, ARG ...) do { } while(0)
-#ifdef SECURE_SLOGD
-    #undef SECURE_SLOGD
-#endif
-#define SECURE_SLOGD(FMT, ARG ...) do { } while(0)
-#ifdef SECURE_SLOGW
-   #undef SECURE_SLOGW
-#endif
-#define SECURE_SLOGW(FMT, ARG ...) do { } while(0)
-
-#endif // BUILD_TYPE_DEBUG
-#endif // SECURITY_SERVER_DEBUG_TO_CONSOLE
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
similarity index 93%
rename from src/server2/CMakeLists.txt
rename to src/server/CMakeLists.txt
index b24dd24..0fad220 100644 (file)
@@ -3,11 +3,12 @@ PKG_CHECK_MODULES(COMMON_DEP
     REQUIRED
     )
 
-SET(COMMON_PATH ${PROJECT_SOURCE_DIR}/src/server2)
+SET(COMMON_PATH ${PROJECT_SOURCE_DIR}/src/server)
 
 SET(COMMON_SOURCES
     ${COMMON_PATH}/common/protocols.cpp
     ${COMMON_PATH}/common/message-buffer.cpp
+    ${COMMON_PATH}/common/smack-check.cpp
     ${COMMON_PATH}/dpl/log/src/abstract_log_provider.cpp
     ${COMMON_PATH}/dpl/log/src/dlog_log_provider.cpp
     ${COMMON_PATH}/dpl/log/src/log.cpp
similarity index 99%
rename from src/server2/client/client-app-permissions.cpp
rename to src/server/client/client-app-permissions.cpp
index 05b07d3..927a2de 100644 (file)
@@ -35,7 +35,6 @@
 
 #include <privilege-control.h>
 #include <security-server.h>
-#include <security-server-common.h>
 
 
 SECURITY_SERVER_API
similarity index 98%
rename from src/server2/client/client-common.h
rename to src/server/client/client-common.h
index b24cfe9..ff494b4 100644 (file)
@@ -31,9 +31,7 @@
 
 #include <message-buffer.h>
 
-#ifndef SECURITY_SERVER_API
 #define SECURITY_SERVER_API __attribute__((visibility("default")))
-#endif
 
 extern "C" {
     struct msghdr;
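Review bot: Dropping the `#ifndef SECURITY_SERVER_API` guard turns this into an unconditional `#define`, and every client translation unit in this commit includes `security-server.h` next to this header (see client-cookie.cpp, client-get-gid.cpp), so if that public header or any future include also defines `SECURITY_SERVER_API` the compiler will warn or error on macro redefinition. The deleted security-server-common.h presumably kept the guard for that reason. Either restore the three guarded lines or, if this is meant to be the single definition point, say so: `// Sole definition of SECURITY_SERVER_API for the client library; do not define it elsewhere.`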
similarity index 99%
rename from src/server2/client/client-cookie.cpp
rename to src/server/client/client-cookie.cpp
index ef76a98..12fa21f 100644 (file)
@@ -33,8 +33,6 @@
 #include <protocols.h>
 
 #include <security-server.h>
-#include <security-server-common.h>
-
 
 SECURITY_SERVER_API
 int security_server_get_cookie_size(void)
similarity index 98%
rename from src/server2/client/client-get-gid.cpp
rename to src/server/client/client-get-gid.cpp
index e39a1eb..659e393 100644 (file)
@@ -32,7 +32,6 @@
 #include <protocols.h>
 
 #include <security-server.h>
-#include <security-server-common.h>
 
 SECURITY_SERVER_API
 int security_server_get_gid(const char *objectName) {
similarity index 98%
rename from src/server2/client/client-get-object-name.cpp
rename to src/server/client/client-get-object-name.cpp
index a9d57ef..bef4124 100644 (file)
@@ -32,7 +32,6 @@
 #include <protocols.h>
 
 #include <security-server.h>
-#include <security-server-common.h>
 
 SECURITY_SERVER_API
 int security_server_get_object_name(gid_t gid, char *pObjectName, size_t maxObjectSize)
similarity index 95%
rename from src/server2/client/client-open-for.cpp
rename to src/server/client/client-open-for.cpp
index d67b2f1..c8bf8ff 100644 (file)
@@ -35,7 +35,6 @@
 #include <sys/socket.h>
 
 #include <security-server.h>
-#include <security-server-common.h>
 
 SECURITY_SERVER_API
 int security_server_open_for(const char *filename, int *fd)
@@ -44,7 +43,7 @@ int security_server_open_for(const char *filename, int *fd)
     try {
         if (NULL == filename || std::string(filename).empty()) {
             LogError("Error input param.");
-            return SECURITY_SERVER_ERROR_INPUT_PARAM;
+            return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
         }
 
         MessageBuffer send;
@@ -75,7 +74,7 @@ int security_server_open_for(const char *filename, int *fd)
             return result;
         }
 
-        if ((hdr.msg_flags & MSG_CTRUNC) == MSG_CTRUNC) {
+        if (hdr.msg_flags & MSG_CTRUNC) {
             LogError("Not enough space for ancillary element array.");
             *fd = -1;
             return SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL;
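Review bot: The truncation branch reports an error but never releases a descriptor the kernel may already have installed: with SCM_RIGHTS, Linux attaches the descriptors that fit before setting MSG_CTRUNC, so returning here with `*fd = -1` leaks that fd into the client process for the life of the program. I would walk the control messages and close every received descriptor before bailing out, as below (needs `close()` from `<unistd.h>`; `hdr` is assumed to be the `struct msghdr` passed to `recvmsg()`, which the `hdr.msg_flags` test implies). The rest of `security_server_open_for`, including where the descriptor is normally extracted, lies outside this hunk, so the same cleanup may belong in a shared helper.
```cpp
        if (hdr.msg_flags & MSG_CTRUNC) {
            LogError("Not enough space for ancillary element array.");
            // Release any descriptor the kernel installed before truncating.
            for (struct cmsghdr *c = CMSG_FIRSTHDR(&hdr); c != NULL; c = CMSG_NXTHDR(&hdr, c)) {
                if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
                    continue;
                int *fds = reinterpret_cast<int *>(CMSG_DATA(c));
                size_t count = (c->cmsg_len - CMSG_LEN(0)) / sizeof(int);
                for (size_t i = 0; i < count; ++i)
                    close(fds[i]);
            }
            *fd = -1;
            return SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL;
        }
```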
similarity index 99%
rename from src/server2/client/client-password.cpp
rename to src/server/client/client-password.cpp
index 3ef4038..48650c7 100644 (file)
 #include <protocols.h>
 
 #include <security-server.h>
-#include <security-server-common.h>
+
+namespace {
 
 inline bool isPasswordIncorrect(const char* pwd)
 {
     return (pwd == NULL || strlen(pwd) == 0 || strlen(pwd) > SecurityServer::MAX_PASSWORD_LEN);
 }
 
+} // namespace anonymous
+
 SECURITY_SERVER_API
 int security_server_is_pwd_valid(unsigned int *current_attempts,
                                  unsigned int *max_attempts,
@@ -35,7 +35,6 @@
 #include <signal.h>
 
 #include <security-server.h>
-#include <security-server-common.h>
 
 SECURITY_SERVER_API
 int security_server_check_privilege_by_pid(
similarity index 98%
rename from src/server2/client/client-shared-memory.cpp
rename to src/server/client/client-shared-memory.cpp
index f688dcd..f48dd69 100644 (file)
@@ -33,7 +33,6 @@
 #include <smack-check.h>
 
 #include <security-server.h>
-#include <security-server-common.h>
 
 SECURITY_SERVER_API
 int security_server_app_give_access(const char *customer_label, int customer_pid) {
@@ -35,7 +35,6 @@
 #include <smack-check.h>
 
 #include <security-server.h>
-#include <security-server-common.h>
 
 //static int get_exec_path(pid_t pid, std::string &exe)
 //{
@@ -83,7 +82,7 @@ int security_server_check_privilege_by_sockfd(int sockfd,
     size_t len = sizeof(struct ucred);
 
     //SMACK runtime check
-    if (!smack_runtime_check())
+    if (!SecurityServer::smack_runtime_check())
     {
         LogDebug("No SMACK support on device");
         return SECURITY_SERVER_API_SUCCESS;
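Review bot: The early `return SECURITY_SERVER_API_SUCCESS` when `SecurityServer::smack_runtime_check()` reports no SMACK makes this privilege check fail open, and the only trace is a debug-level log line, so a caller of `security_server_check_privilege_by_sockfd` cannot distinguish "access verified" from "check skipped". If that is deliberate for non-SMACK devices it deserves to be stated at the branch, e.g. `// No SMACK on this device: the check is skipped and access is granted unconditionally (fail-open by design).`, and logging it above debug level would make a misconfigured production image visible. The body of the function, including the `getsockopt`/`ucred` handling that `len` on the first context line feeds, continues outside this hunk.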
@@ -139,7 +138,7 @@ char *security_server_get_smacklabel_sockfd(int fd)
 {
     char *label = NULL;
 
-    if (!smack_check())
+    if (!SecurityServer::smack_check())
     {
         LogDebug("No SMACK support on device");
         label = (char*) malloc(1);
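Review bot: The result of `malloc(1)` is stored in `label` with no NULL check inside this hunk, and the lines that follow (outside the hunk) presumably write the terminating byte into it, which would dereference NULL on allocation failure. Since `security_server_get_smacklabel_sockfd` already returns `char *`, the cheap fix is `if (label) label[0] = '\0';` before returning `label`, or an explicit `if (!label) { LogError("..."); return NULL; }` if callers already treat NULL as failure — confirm which convention the callers rely on.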
similarity index 97%
rename from src/server2/common/protocols.cpp
rename to src/server/common/protocols.cpp
index 4127afc..06725b7 100644 (file)
@@ -61,5 +61,7 @@ const size_t COOKIE_SIZE = 20;
 const size_t MAX_PASSWORD_LEN = 32;
 const unsigned int MAX_PASSWORD_HISTORY = 50;
 
+const int SECURITY_SERVER_MAX_OBJ_NAME         = 30;
+
 } // namespace SecurityServer
 
similarity index 98%
rename from src/server2/common/protocols.h
rename to src/server/common/protocols.h
index 2321e76..7351fca 100644 (file)
@@ -78,6 +78,8 @@ enum class PasswordHdrs
 extern const size_t MAX_PASSWORD_LEN;
 extern const unsigned int MAX_PASSWORD_HISTORY;
 
+extern const int SECURITY_SERVER_MAX_OBJ_NAME;
+
 } // namespace SecuritySever
 
 #endif // _SECURITY_SERVER_PROTOCOLS_
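Review bot: `SECURITY_SERVER_MAX_OBJ_NAME` is introduced as `extern const int` while its neighbours `MAX_PASSWORD_LEN` and `COOKIE_SIZE` are `size_t`; it is a buffer length that will end up compared against `size_t maxObjectSize` in client-get-object-name.cpp, which invites -Wsign-compare noise and a silently wrong comparison should a negative value ever reach it. Suggest `extern const size_t SECURITY_SERVER_MAX_OBJ_NAME;` here and, in the matching protocols.cpp hunk, `const size_t SECURITY_SERVER_MAX_OBJ_NAME = 30;`. Minor: the pre-existing closing comment reads `} // namespace SecuritySever` and could be corrected to `SecurityServer` while this file is being touched.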
similarity index 67%
rename from src/util/smack-check.c
rename to src/server/common/smack-check.cpp
index 946d7aa..0e7bb5a 100644 (file)
@@ -1,17 +1,21 @@
+#include <smack-check.h>
+
+#include <stdlib.h>
 #include <sys/smack.h>
 
-#include <security-server-common.h>
-#include <smack-check.h>
+#include <dpl/log/log.h>
+
+namespace SecurityServer {
 
 int smack_runtime_check(void)
 {
     static int smack_present = -1;
     if (-1 == smack_present) {
         if (NULL == smack_smackfs_path()) {
-            SECURE_SLOGD("%s","security-server: no smack found on device");
+            LogDebug("no smack found on device");
             smack_present = 0;
         } else {
-            SECURE_SLOGD("%s","security-server: found smack on device");
+            LogDebug("found smack on device");
             smack_present = 1;
         }
     }
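Review bot: The lazily initialised `static int smack_present = -1;` is read and written without synchronisation, so two threads calling `smack_runtime_check()` concurrently race on it — benign in practice since both write the same value, but still a formal data race, which matters given the commit message's stated aim of fixing synchronisation issues. Now that the file is C++ (and the tree already uses C++11, see `enum class` in protocols.h), a function-local static with an initializer gets thread-safe one-time initialisation for free. The function's `return smack_present;` and closing brace are outside this hunk.
```cpp
int smack_runtime_check(void)
{
    // C++11 guarantees the initializer of a function-local static runs
    // exactly once, even when several threads call this concurrently.
    static const int smack_present = []() -> int {
        if (NULL == smack_smackfs_path()) {
            LogDebug("no smack found on device");
            return 0;
        }
        LogDebug("found smack on device");
        return 1;
    }();
    /* … unchanged: return smack_present; … */
```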
@@ -26,3 +30,5 @@ int smack_check(void)
     return smack_runtime_check();
 #endif
 }
+
+} // namespace SecurityServer
similarity index 94%
rename from src/include/smack-check.h
rename to src/server/common/smack-check.h
index 88360ba..875679c 100644 (file)
@@ -21,9 +21,7 @@
 #ifndef _SMACK_CHECK_H_
 #define _SMACK_CHECK_H_
 
-#ifdef __cplusplus
-extern "C" {
-#endif
+namespace SecurityServer {
 
 /*
  * A very simple runtime check for SMACK on the platform
@@ -39,8 +37,6 @@ int smack_runtime_check(void);
  */
 int smack_check(void);
 
-#ifdef __cplusplus
-}
-#endif
+} // namespace SecurityServer
 
 #endif // _SMACK_CHECK_H_
diff --git a/src/server/main/security-server-util.cpp b/src/server/main/security-server-util.cpp
new file mode 100644 (file)
index 0000000..2641376
--- /dev/null
@@ -0,0 +1,116 @@
+/*
+ *  security-server
+ *
+ *  Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ *  Contact: Bumjin Im <bj.im@samsung.com>
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/smack.h>
+#include <unistd.h>
+
+#include <limits>
+
+#include <security-server-util.h>
+#include <dpl/log/log.h>
+
+namespace {
+const size_t SIZE_T_MAX = std::numeric_limits<size_t>::max();
+} // namespace anonymous
+
+namespace SecurityServer {
+
+int util_smack_label_is_valid(const char *smack_label)
+{
+    int i;
+
+    if (!smack_label || smack_label[0] == '\0' || smack_label[0] == '-')
+        goto err;
+
+    for (i = 0; smack_label[i]; ++i) {
+        if (i >= SMACK_LABEL_LEN)
+            return 0;
+        switch (smack_label[i]) {
+            case '~':
+            case ' ':
+            case '/':
+            case '"':
+            case '\\':
+            case '\'':
+                goto err;
+            default:
+                break;
+        }
+    }
+
+    return 1;
+err:
+    LogError("Invalid Smack label: " << smack_label);
+    return 0;
+}
+
+char *read_exe_path_from_proc(pid_t pid)
+{
+    char link[32];
+    char *exe = NULL;
+    size_t size = 64;
+    ssize_t cnt = 0;
+
+    // get link to executable
+    snprintf(link, sizeof(link), "/proc/%d/exe", pid);
+
+    for (;;)
+    {
+        exe = (char*) malloc(size);
+        if (exe == NULL)
+        {
+            LogError("Out of memory");
+            return NULL;
+        }
+
+        // read link target
+        cnt = readlink(link, exe, size);
+
+        // error
+        if (cnt < 0 || (size_t) cnt > size)
+        {
+            LogError("Can't locate process binary for pid=" << pid);
+            free(exe);
+            return NULL;
+        }
+
+        // read less than requested
+        if ((size_t) cnt < size)
+            break;
+
+        // read exactly the number of bytes requested
+        free(exe);
+        if (size > (SIZE_T_MAX >> 1))
+        {
+            LogError("Exe path too long (more than " << size << " characters)");
+            return NULL;
+        }
+        size <<= 1;
+    }
+    // readlink does not append null byte to buffer.
+    exe[cnt] = '\0';
+    return exe;
+}
+
+} // namespace SecurityServer
+
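Review bot: `util_smack_label_is_valid` jumps to `err` when `smack_label` is `NULL` (the first test of the `if` before the loop), and the `err` path then streams that null `const char *` into `LogError`, which is undefined behaviour for `ostream::operator<<`. Handle the null case before the shared label: `if (!smack_label) { LogError("Invalid Smack label: (null)"); return 0; }` and keep `smack_label[0] == '\0' || smack_label[0] == '-'` on the `goto err` test. The over-length branch in the loop (`if (i >= SMACK_LABEL_LEN) return 0;`) also rejects silently while every other rejection logs; if the diagnostic is wanted there too, log a fixed message rather than the caller-supplied string, since at that point it is known to be oversized. In `read_exe_path_from_proc`, the `(size_t) cnt > size` half of the error test is unreachable (`readlink` never returns more than the buffer size), so `if (cnt < 0)` says what is actually being checked.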
similarity index 82%
rename from src/include/security-server-util.h
rename to src/server/main/security-server-util.h
index c2f3ce3..3bb37d4 100644 (file)
 #ifndef SECURITY_SERVER_UTIL_H
 #define SECURITY_SERVER_UTIL_H
 
-#ifdef __cplusplus
-extern "C" {
-#endif
+#include <sys/types.h>
+
+namespace SecurityServer {
 
-#include "security-server-common.h"
 int util_smack_label_is_valid(const char *smack_label);
 char *read_exe_path_from_proc(pid_t pid);
-int authorize_SS_API_caller_socket(int sockfd, char *required_API_label, char *required_rule);
 
-#ifdef __cplusplus
-}
-#endif
+} // namespace SecurityServer
 
 #endif /*SECURITY_SERVER_UTIL_H*/
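Review bot: The two declarations carry no contract, and `read_exe_path_from_proc` hands back heap memory the caller has to `free()` (the implementation `malloc`s it and returns the pointer), which a header reader cannot know. Proposed comments: `/** Returns 1 if smack_label is a syntactically valid SMACK label, 0 otherwise (NULL, empty, leading '-', forbidden characters, or longer than SMACK_LABEL_LEN). */` above the first declaration and `/** Returns the target of /proc/<pid>/exe as a malloc()ed string that the caller must free(), or NULL on error. */` above the second.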
similarity index 89%
rename from src/server2/main/server2-main.cpp
rename to src/server/main/server2-main.cpp
index df510ae..afc18a9 100644 (file)
  * @version     1.0
  * @brief       Implementation of security-server2
  */
-
-#include <server2-main.h>
+#include <stdlib.h>
+#include <signal.h>
 
 #include <dpl/log/log.h>
 #include <dpl/singleton.h>
 #include <dpl/singleton_safe_impl.h>
 
-#include <service-thread.h>
 #include <socket-manager.h>
 
 #include <data-share.h>
 #include <cookie.h>
 #include <open-for.h>
 #include <password.h>
-#include <echo.h>
 
 IMPLEMENT_SAFE_SINGLETON(SecurityServer::Log::LogSystem);
 
-int server2(void) {
+int main(void) {
+
     UNHANDLED_EXCEPTION_HANDLER_BEGIN
     {
-        SecurityServer::Singleton<SecurityServer::Log::LogSystem>::Instance().SetTag("SECURITY_SERVER2");
-        LogInfo("Start!");
-        SecurityServer::SocketManager manager;
+        SecurityServer::Singleton<SecurityServer::Log::LogSystem>::Instance().SetTag("SECURITY_SERVER");
 
-//        This will be used only by tests
-//        SecurityServer::EchoService *echoService = new SecurityServer::EchoService;
-//        echoService->Create();
-//        manager.RegisterSocketService(echoService);
+        sigset_t mask;
+        sigemptyset(&mask);
+        sigaddset(&mask, SIGTERM);
+        sigaddset(&mask, SIGPIPE);
+        if (-1 == pthread_sigmask(SIG_BLOCK, &mask, NULL)) {
+            LogError("Error in pthread_sigmask");
+            return 1;
+        }
 
+        LogInfo("Start!");
+        SecurityServer::SocketManager manager;
 
         SecurityServer::OpenForService *openForService = new SecurityServer::OpenForService;
         openForService->Create();
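Review bot: `if (-1 == pthread_sigmask(SIG_BLOCK, &mask, NULL))` never fires, because `pthread_sigmask` returns 0 on success and a positive error number on failure rather than -1 with `errno`; the new `main` therefore cannot detect a failed mask change and the `return 1` is dead. Compare against zero instead: `if (0 != pthread_sigmask(SIG_BLOCK, &mask, NULL)) {` (or capture the return value and include it in the `LogError` message). Blocking SIGTERM here, before any other thread exists, means every later thread inherits the mask, so some part of the process has to consume SIGTERM deliberately or the daemon will ignore termination requests; whether that happens cannot be seen from this hunk, as the body of `main` continues past it.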
diff --git a/src/server/security-server-main.c b/src/server/security-server-main.c
deleted file mode 100644 (file)
index 8f7d531..0000000
+++ /dev/null
@@ -1,582 +0,0 @@
-/*
- * security-server
- *
- *  Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- *  Contact: Bumjin Im <bj.im@samsung.com>
- *
- *  Licensed under the Apache License, Version 2.0 (the "License");
- *  you may not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS,
- *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License
- *
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/smack.h>
-#include <errno.h>
-#include <signal.h>
-#include <pthread.h>
-#include <limits.h>
-#include <fcntl.h>
-#include <sys/smack.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/wait.h>
-#include <poll.h>
-#include <grp.h>
-#include <stdint.h>
-
-#include <server2-main.h>
-
-#include <privilege-control.h>
-
-#include "security-server-common.h"
-#include "security-server-comm.h"
-#include "security-server-util.h"
-#include "smack-check.h"
-
-//definitions of security-server API labels
-#define API_PASSWD_SET   "security-server::api-password-set"
-#define API_PASSWD_CHECK "security-server::api-password-check"
-#define API_DATA_SHARE   "security-server::api-data-share"
-#define API_MIDDLEWARE   "security-server::api-middleware"
-#define API_FREE_ACCESS  "*"
-
-//required rule type
-#define API_RULE_REQUIRED "w"
-
-int thread_status[SECURITY_SERVER_NUM_THREADS];
-struct security_server_thread_param {
-    int client_sockfd;
-    int server_sockfd;
-    int thread_status;
-};
-
-
-/*
- * Searches for group ID by given group name
- */
-
-int search_gid(const char *obj)
-{
-    int ret = 0;
-    struct group *grpbuf = NULL;
-    struct group grp;
-    char *buf = NULL;
-    char *bigger_buf = NULL;
-    long int max_buf_size = 0;
-
-    /*
-     * The maximum needed size for buf can be found using sysconf(3) with the argument _SC_GETGR_R_SIZE_MAX
- * If _SC_GETGR_R_SIZE_MAX is not returned we set max_buf_size to 1024 bytes. Enough to store few groups.
-     */
-    max_buf_size = sysconf(_SC_GETGR_R_SIZE_MAX);
-    if (max_buf_size == -1)
-        max_buf_size = 1024;
-
-    buf = malloc((size_t)max_buf_size);
-    if (buf == NULL)
-    {
-        ret = SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
-        SEC_SVR_ERR("Out Of Memory");
-        goto error;
-    }
-
-    /*
-     * There can be some corner cases when for example user is assigned to a lot of groups.
-     * In that case if buffer is to small getgrnam_r will return ERANGE error.
-     * Solution could be calling getgrnam_r with bigger buffer until it's enough big.
-     */
-    while ((ret = getgrnam_r(obj, &grp, buf, (size_t)max_buf_size, &grpbuf)) == ERANGE) {
-        max_buf_size *= 2;
-
-        bigger_buf = realloc(buf, (size_t)max_buf_size);
-        if (bigger_buf == NULL) {
-            ret = SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
-            SEC_SVR_ERR("Out Of Memory");
-            goto error;
-        }
-
-        buf = bigger_buf;
-    }
-
-    if (ret != 0)
-    {
-        ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
-        SEC_SVR_ERR("getgrnam_r failed with error %s\n", strerror(errno));
-        goto error;
-    } else if (grpbuf == NULL) {
-        ret = SECURITY_SERVER_ERROR_NO_SUCH_OBJECT;
-        SEC_SVR_ERR("Cannot find gid for group %s\n", obj);
-        goto error;
-    }
-
-    ret = grpbuf->gr_gid;
-
-error:
-    free(buf);
-    return ret;
-}
-
-/* Signal handler for processes */
-static void security_server_sig_child(int signo, siginfo_t *info, void *data)
-{
-    int status;
-    pid_t child_pid;
-    pid_t child_pgid;
-
-    (void)signo;
-    (void)data;
-
-    child_pgid = getpgid(info->si_pid);
-    SEC_SVR_DBG("Signal handler: dead_pid=%d, pgid=%d",info->si_pid,child_pgid);
-
-    while ((child_pid = waitpid(-1, &status, WNOHANG)) > 0) {
-        if (child_pid == child_pgid)
-            killpg(child_pgid,SIGKILL);
-    }
-
-    return;
-}
-
-// int process_object_name_request(int sockfd)
-// {
-//     int retval, client_pid, requested_privilege;
-//     char object_name[SECURITY_SERVER_MAX_OBJ_NAME];
-
-//     /* Authenticate client */
-//     retval = authenticate_client_middleware(sockfd, &client_pid);
-//     if (retval != SECURITY_SERVER_SUCCESS)
-//     {
-//         SEC_SVR_ERR("%s", "Client Authentication Failed");
-//         retval = send_generic_response(sockfd,
-//             SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE,
-//             SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
-//         if (retval != SECURITY_SERVER_SUCCESS)
-//         {
-//             SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
-//         }
-//         goto error;
-//     }
-
-//     /* Receive GID */
-//     retval = TEMP_FAILURE_RETRY(read(sockfd, &requested_privilege, sizeof(requested_privilege)));
-//     if (retval < (int)sizeof(requested_privilege))
-//     {
-//         SEC_SVR_ERR("%s", "Receiving request failed");
-//         retval = send_generic_response(sockfd,
-//             SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE,
-//             SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
-//         if (retval != SECURITY_SERVER_SUCCESS)
-//         {
-//             SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
-//         }
-//         goto error;
-//     }
-
-//     /* Search from /etc/group */
-//     retval = search_object_name(requested_privilege,
-//         object_name,
-//         SECURITY_SERVER_MAX_OBJ_NAME);
-//     if (retval == SECURITY_SERVER_ERROR_NO_SUCH_OBJECT)
-//     {
-//         /* It's not exist */
-//         SEC_SVR_ERR("There is no such object for gid [%d]", requested_privilege);
-//         retval = send_generic_response(sockfd,
-//             SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE,
-//             SECURITY_SERVER_RETURN_CODE_NO_SUCH_OBJECT);
-//         if (retval != SECURITY_SERVER_SUCCESS)
-//         {
-//             SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
-//         }
-//         goto error;
-//     }
-//     if (retval != SECURITY_SERVER_SUCCESS)
-//     {
-//         /* Error occurred */
-//         SEC_SVR_ERR("Error on searching object name [%d]", retval);
-//         retval = send_generic_response(sockfd,
-//             SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE,
-//             SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
-//         if (retval != SECURITY_SERVER_SUCCESS)
-//         {
-//             SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
-//         }
-//         goto error;
-//     }
-
-//     /* We found */
-//     SECURE_SLOGD("We found object: %s", object_name);
-//     retval = send_object_name(sockfd, object_name);
-//     if (retval != SECURITY_SERVER_SUCCESS)
-//     {
-//         SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
-//     }
-// error:
-//     return retval;
-// }
-
-int process_gid_request(int sockfd, int msg_len)
-{
-    int retval, client_pid;
-    char object_name[SECURITY_SERVER_MAX_OBJ_NAME];
-    /* Authenticate client as middleware daemon */
-    retval = authenticate_client_middleware(sockfd, &client_pid);
-    if (retval != SECURITY_SERVER_SUCCESS)
-    {
-        SEC_SVR_ERR("%s", "Client authentication failed");
-        retval = send_generic_response(sockfd,
-            SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
-            SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
-        if (retval != SECURITY_SERVER_SUCCESS)
-        {
-            SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
-        }
-        goto error;
-    }
-    if (msg_len >= SECURITY_SERVER_MAX_OBJ_NAME)
-    {
-        /* Too big ojbect name */
-        SECURE_SLOGE("%s", "Object name is too big");
-        retval = send_generic_response(sockfd,
-            SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
-            SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
-        if (retval != SECURITY_SERVER_SUCCESS)
-        {
-            SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
-        }
-        goto error;
-    }
-
-    /* Receive group name */
-    retval = TEMP_FAILURE_RETRY(read(sockfd, object_name, msg_len));
-    if (retval < msg_len)
-    {
-        SECURE_SLOGE("%s", "Failed to read object name");
-        retval = send_generic_response(sockfd,
-            SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
-            SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
-        if (retval != SECURITY_SERVER_SUCCESS)
-        {
-            SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
-        }
-        goto error;
-    }
-    object_name[msg_len] = 0;
-
-    /* Search /etc/group for the given group name */
-    retval = search_gid(object_name);
-    if (retval == SECURITY_SERVER_ERROR_NO_SUCH_OBJECT)
-    {
-        /* Not exist */
-        SECURE_SLOGD("The object [%s] is not exist", object_name);
-        retval = send_generic_response(sockfd,
-            SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
-            SECURITY_SERVER_RETURN_CODE_NO_SUCH_OBJECT);
-        if (retval != SECURITY_SERVER_SUCCESS)
-        {
-            SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
-        }
-        goto error;
-    }
-
-    if (retval < 0)
-    {
-        /* Error occurred */
-        SEC_SVR_ERR("Cannot send the response. %d", retval);
-        retval = send_generic_response(sockfd,
-            SECURITY_SERVER_MSG_TYPE_GID_RESPONSE,
-            SECURITY_SERVER_RETURN_CODE_SERVER_ERROR);
-        if (retval != SECURITY_SERVER_SUCCESS)
-        {
-            SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
-        }
-
-        goto error;
-    }
-    /* We found */
-    retval = send_gid(sockfd, retval);
-    if (retval != SECURITY_SERVER_SUCCESS)
-    {
-        SEC_SVR_ERR("ERROR: Cannot gid response: %d", retval);
-    }
-error:
-    return retval;
-}
-
-int client_has_access(int sockfd, const char *object)
-{
-    char *label = NULL;
-    int ret = 0;
-    int pid = -1;
-    int uid = -1;
-    int retval;
-    struct ucred socopt;
-    unsigned int socoptSize = sizeof(socopt);
-
-    if (smack_check())
-    {
-        retval = getsockopt(sockfd, SOL_SOCKET, SO_PEERCRED, &socopt, &socoptSize);
-        if (retval != 0) {
-            SEC_SVR_DBG("%s", "Error on getsockopt");
-            return 0;
-        }
-        //now we have PID in sockopt.pid
-
-        if (smack_new_label_from_socket(sockfd, &label) < 0) {
-            SEC_SVR_ERR("%s", "Error on smack_new_label_from_socket");
-            label = NULL;
-        }
-
-        if (0 >= (ret = smack_pid_have_access(socopt.pid, object, "rw"))) {
-            ret = 0;
-        }
-    }
-
-    if (SECURITY_SERVER_SUCCESS == authenticate_client_application(sockfd, &pid, &uid))
-        SECURE_SLOGD("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=rw, result=%d",
-            pid, label, object, ret);
-
-    free(label);
-    return ret;
-}
-
-void *security_server_thread(void *param)
-{
-    int client_sockfd = -1;
-    int retval;
-    basic_header basic_hdr;
-    struct security_server_thread_param *my_param;
-
-    my_param = (struct security_server_thread_param*) param;
-    client_sockfd = my_param->client_sockfd;
-
-    /* Receive request header */
-    retval = recv_hdr(client_sockfd, &basic_hdr);
-    if (retval == SECURITY_SERVER_ERROR_TIMEOUT || retval == SECURITY_SERVER_ERROR_RECV_FAILED
-        || retval == SECURITY_SERVER_ERROR_SOCKET)
-    {
-        SEC_SVR_ERR("Receiving header error [%d]",retval);
-        close(client_sockfd);
-        client_sockfd = -1;
-        goto error;;
-    }
-
-    if (retval != SECURITY_SERVER_SUCCESS)
-    {
-        /* Response */
-        SEC_SVR_ERR("Receiving header error [%d]",retval);
-        retval = send_generic_response(client_sockfd,
-            SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
-            SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
-        if (retval != SECURITY_SERVER_SUCCESS)
-        {
-            SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
-            goto error;
-        }
-        safe_server_sock_close(client_sockfd);
-        client_sockfd = -1;
-        goto error;
-    }
-
-    //TODO: Below authorize_SS_API_caller_socket() is used for authorize API caller by SMACK,
-    //      at the moment return value is not checked and each access is allowed.
-    //      If we realy want to restrict access it must be changed in future.
-
-    /* Act different for request message ID */
-    switch (basic_hdr.msg_id)
-    {
-        // case SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_REQUEST:
-        //     SECURE_SLOGD("%s", "Get object name request received");
-        //     authorize_SS_API_caller_socket(client_sockfd, API_MIDDLEWARE, API_RULE_REQUIRED);
-        //     process_object_name_request(client_sockfd);
-        //     break;
-
-        case SECURITY_SERVER_MSG_TYPE_GID_REQUEST:
-            SEC_SVR_DBG("%s", "Get GID received");
-            authorize_SS_API_caller_socket(client_sockfd, API_MIDDLEWARE, API_RULE_REQUIRED);
-            process_gid_request(client_sockfd, (int)basic_hdr.msg_len);
-            break;
-
-        default:
-            SEC_SVR_ERR("Unknown msg ID :%d", basic_hdr.msg_id);
-            /* Unknown message ID */
-            retval = send_generic_response(client_sockfd,
-            SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
-            SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
-            if (retval != SECURITY_SERVER_SUCCESS)
-            {
-                SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
-            }
-            break;
-    }
-
-    if (client_sockfd > 0)
-    {
-        safe_server_sock_close(client_sockfd);
-        client_sockfd = -1;
-    }
-
-error:
-    if (client_sockfd > 0)
-        close(client_sockfd);
-    thread_status[my_param->thread_status] = 0;
-    pthread_detach(pthread_self());
-    pthread_exit(NULL);
-}
-
-void *security_server_main_thread(void *data)
-{
-    int server_sockfd = 0, retval, client_sockfd = -1, rc;
-    struct sigaction act, dummy;
-    pthread_t threads[SECURITY_SERVER_NUM_THREADS];
-    struct security_server_thread_param param[SECURITY_SERVER_NUM_THREADS];
-
-    (void)data;
-
-    SECURE_SLOGD("%s", "Starting Security Server main thread");
-
-    /* security server must be executed by root */
-    if (getuid() != 0)
-    {
-        fprintf(stderr, "%s\n", "You are not root. exiting...");
-        goto error;
-    }
-
-    for (retval = 0; retval < SECURITY_SERVER_NUM_THREADS; retval++)
-        thread_status[retval] = 0;
-
-    /* Create and bind a Unix domain socket */
-    if(SECURITY_SERVER_SUCCESS != get_socket_from_systemd(&server_sockfd))
-    {
-        SEC_SVR_ERR("%s", "Error in get_socket_from_systemd");
-        retval = create_new_socket(&server_sockfd);
-        if (retval != SECURITY_SERVER_SUCCESS)
-        {
-            SEC_SVR_ERR("%s", "cannot create socket. exiting...");
-            goto error;
-        }
-
-        if (listen(server_sockfd, 5) < 0)
-        {
-            SEC_SVR_ERR("%s", "listen() failed. exiting...");
-            goto error;
-        }
-    } else {
-        SEC_SVR_ERR("%s", "Socket was passed by systemd");
-    }
-
-    /* Init signal handler */
-    act.sa_handler = NULL;
-    act.sa_sigaction = security_server_sig_child;
-    sigemptyset(&act.sa_mask);
-    act.sa_flags = SA_NOCLDSTOP | SA_SIGINFO;
-
-    if (sigaction(SIGCHLD, &act, &dummy) < 0)
-    {
-        SEC_SVR_ERR("%s", "cannot change session");
-    }
-
-    while (1)
-    {
-        /* Accept a new client */
-        if (client_sockfd < 0)
-            client_sockfd = accept_client(server_sockfd);
-
-        if (client_sockfd == SECURITY_SERVER_ERROR_TIMEOUT)
-            continue;
-        if (client_sockfd < 0)
-            goto error;
-        SEC_SVR_DBG("Server: new connection has been accepted: %d", client_sockfd);
-        retval = 0;
-        while (1)
-        {
-            if (thread_status[retval] == 0)
-            {
-                thread_status[retval] = 1;
-                param[retval].client_sockfd = client_sockfd;
-                param[retval].server_sockfd = server_sockfd;
-                param[retval].thread_status = retval;
-                SEC_SVR_DBG("Server: Creating a new thread: %d", retval);
-                rc = pthread_create(&threads[retval], NULL, security_server_thread, (void*)&param[retval]);
-                if (rc)
-                {
-                    SEC_SVR_ERR("Error: Server: Cannot create thread:%d", rc);
-                    goto error;
-                }
-                break;
-            }
-            retval++;
-            if (retval >= SECURITY_SERVER_NUM_THREADS)
-                retval = 0;
-        }
-        client_sockfd = -1;
-    }
-error:
-    if (server_sockfd > 0)
-        close(server_sockfd);
-
-    pthread_detach(pthread_self());
-    pthread_exit(NULL);
-}
-
-ssize_t read_wrapper(int sockfd, void *buffer, size_t len)
-{
-    unsigned char *buff = (unsigned char*)buffer;
-    ssize_t done = 0;
-    while (done < (int)len) {
-        struct pollfd fds = { sockfd, POLLIN, 0};
-        if (0 >= poll(&fds, 1, 1000))
-            break;
-        ssize_t ret = read(sockfd, buff + done, len - done);
-        if (0 < ret) {
-            done += ret;
-            continue;
-        }
-        if (0 == ret)
-            break;
-        if (-1 == ret && EAGAIN != errno && EINTR != errno)
-            break;
-    }
-    return done;
-}
-
-int main(int argc, char *argv[])
-{
-    int res;
-    pthread_t main_thread;
-
-    (void)argc;
-    (void)argv;
-
-    sigset_t mask;
-    sigemptyset(&mask);
-    sigaddset(&mask, SIGTERM);
-    sigaddset(&mask, SIGPIPE);
-    if (-1 == pthread_sigmask(SIG_BLOCK, &mask, NULL)) {
-        SEC_SVR_ERR("Error in pthread_sigmask");
-    }
-
-    if (0 != (res = pthread_create(&main_thread, NULL, security_server_main_thread, NULL))) {
-        SEC_SVR_ERR("Error: Server: Cannot create main security server thread: %s", strerror(res));
-        return -1;
-    }
-
-    server2();
-    exit(0);
-    return 0;
-}
-
similarity index 98%
rename from src/server2/service/app-permissions.cpp
rename to src/server/service/app-permissions.cpp
index 290650d..ff666bc 100644 (file)
@@ -35,9 +35,7 @@
 #include <app-permissions.h>
 #include <protocols.h>
 #include <security-server.h>
-#include <security-server-common.h>
-
-namespace SecurityServer {
+#include <privilege-control.h>
 
 namespace {
 
@@ -57,11 +55,13 @@ int privilegeToSecurityServerError(int error) {
 }
 
 // interface ids
-const InterfaceID CHANGE_APP_PERMISSIONS = 0;
-const InterfaceID CHECK_APP_PRIVILEGE = 1;
+const SecurityServer::InterfaceID CHANGE_APP_PERMISSIONS = 0;
+const SecurityServer::InterfaceID CHECK_APP_PRIVILEGE = 1;
 
 } // namespace anonymous
 
+namespace SecurityServer {
+
 GenericSocketService::ServiceDescriptionVector AppPermissionsService::GetServiceDescription() {
     return ServiceDescriptionVector {
         { SERVICE_SOCKET_APP_PERMISSIONS,
similarity index 98%
rename from src/server2/service/app-permissions.h
rename to src/server/service/app-permissions.h
index c445198..166e7fe 100644 (file)
@@ -31,7 +31,6 @@
 #include <dpl/serialization.h>
 #include <message-buffer.h>
 #include <connection-info.h>
-#include <security-server-common.h>
 
 namespace SecurityServer {
 
similarity index 99%
rename from src/server2/service/cookie.cpp
rename to src/server/service/cookie.cpp
index 7659dbd..a7a8c92 100644 (file)
@@ -27,7 +27,6 @@
 #include <dpl/serialization.h>
 #include <protocols.h>
 #include <security-server.h>
-#include <security-server-common.h>
 #include <cookie.h>
 #include <smack-check.h>
 #include <sys/types.h>
similarity index 98%
rename from src/server2/service/cookie.h
rename to src/server/service/cookie.h
index b899e2f..2a2a922 100644 (file)
@@ -30,7 +30,6 @@
 #include <dpl/serialization.h>
 #include <message-buffer.h>
 #include <connection-info.h>
-#include <security-server-common.h>
 #include <cookie-jar.h>
 
 namespace SecurityServer {
similarity index 98%
rename from src/server2/service/get-gid.h
rename to src/server/service/get-gid.h
index 332191d..ac87081 100644 (file)
@@ -31,8 +31,6 @@
 #include <dpl/serialization.h>
 #include <message-buffer.h>
 
-#include <security-server-common.h>
-
 namespace SecurityServer {
 
 class GetGidService  : 
similarity index 98%
rename from src/server2/service/get-object-name.h
rename to src/server/service/get-object-name.h
index 3a6bd4c..6950b55 100644 (file)
@@ -31,8 +31,6 @@
 #include <dpl/serialization.h>
 #include <message-buffer.h>
 
-#include <security-server-common.h>
-
 namespace SecurityServer {
 
 class GetObjectNameService  :
similarity index 99%
rename from src/server2/service/open-for-manager.cpp
rename to src/server/service/open-for-manager.cpp
index 63949e4..e1570dd 100644 (file)
@@ -24,6 +24,7 @@
 
 #include "open-for-manager.h"
 
+#include <string.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <dirent.h>
@@ -37,7 +38,6 @@
 
 #include <security-server.h>
 #include <security-server-util.h>
-#include <security-server-comm.h>
 
 const std::string DATA_DIR = "/var/run/security-server";
 const std::string PROHIBITED_STR = "..";
similarity index 98%
rename from src/server2/service/open-for-manager.h
rename to src/server/service/open-for-manager.h
index 83cf0da..7e67002 100644 (file)
@@ -25,8 +25,6 @@
 #ifndef _OPEN_FOR_MANAGER_H_
 #define _OPEN_FOR_MANAGER_H_
 
-#include "security-server-common.h"
-
 #include <sys/socket.h>
 #include <sys/types.h>
 
similarity index 99%
rename from src/server2/service/open-for.cpp
rename to src/server/service/open-for.cpp
index 6b60459..4a6a64a 100644 (file)
@@ -32,7 +32,6 @@
 
 #include <security-server.h>
 #include <security-server-util.h>
-#include <security-server-comm.h>
 
 namespace {
 // Service may open more than one socket.
similarity index 98%
rename from src/server2/service/open-for.h
rename to src/server/service/open-for.h
index 6de08d5..5ae0884 100644 (file)
@@ -29,7 +29,6 @@
 #include <generic-socket-manager.h>
 #include <message-buffer.h>
 
-#include "security-server-common.h"
 #include "open-for-manager.h"
 
 namespace SecurityServer
similarity index 99%
rename from src/server2/service/password-manager.cpp
rename to src/server/service/password-manager.cpp
index 703caed..23a4b14 100644 (file)
 
 #include <dpl/log/log.h>
 
-#include <security-server.h>
 #include <protocols.h>
 
+#include <security-server.h>
+
 namespace {
     bool calculateExpiredTime(unsigned int receivedDays, unsigned int &validSecs)
     {
similarity index 98%
rename from src/server2/service/privilege-by-pid.cpp
rename to src/server/service/privilege-by-pid.cpp
index a5fd4af..1a30172 100644 (file)
@@ -91,7 +91,7 @@ bool PrivilegeByPidService::processOne(const ConnectionID &conn, MessageBuffer &
             // subject label is set to empty string
             LogError("get_smack_label_from_process failed. Subject label has not been read.");
         } else {
-            SECURE_SLOGD("Subject label of client PID %d is: %s", pid, subject);
+            LogSecureDebug("Subject label of client PID " << pid << " is: " << subject);
         }
     } else {
         LogDebug("SMACK is not available. Subject label has not been read.");
diff --git a/src/server2/service/echo.cpp b/src/server2/service/echo.cpp
deleted file mode 100644 (file)
index f4acc64..0000000
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- *  Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
- *
- *  Contact: Bumjin Im <bj.im@samsung.com>
- *
- *  Licensed under the Apache License, Version 2.0 (the "License");
- *  you may not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS,
- *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License
- */
-/*
- * @file        server-main2.h
- * @author      Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version     1.0
- * @brief       Implementation of sample service.
- */
-
-#include <dpl/log/log.h>
-
-#include <protocols.h>
-#include <echo.h>
-
-namespace SecurityServer {
-
-GenericSocketService::ServiceDescriptionVector EchoService::GetServiceDescription() {
-    return ServiceDescriptionVector
-        {{SERVICE_SOCKET_ECHO, "security-server::api-echo"}};
-}
-
-void EchoService::accept(const AcceptEvent &event) {
-    LogDebug("Accept event. ConnectionID: " << event.connectionID.sock
-        << " ServiceID: " << event.interfaceID);
-}
-
-void EchoService::write(const WriteEvent &event) {
-    LogDebug("WriteEvent. ConnectionID: " << event.connectionID.sock <<
-        " Size: " << event.size << " Left: " << event.left);
-    if (event.left == 0)
-        m_serviceManager->Close(event.connectionID);
-}
-
-void EchoService::process(const ReadEvent &event) {
-    LogDebug("ReadEvent. ConnectionID: " << event.connectionID.sock <<
-      " Buffer size: " << event.rawBuffer.size());
-    m_serviceManager->Write(event.connectionID, event.rawBuffer);
-    LogDebug("Write completed");
-}
-
-void EchoService::close(const CloseEvent &event) {
-    LogDebug("CloseEvent. ConnectionID: " << event.connectionID.sock);
-}
-
-} // namespace SecurityServer
-
diff --git a/src/server2/service/echo.h b/src/server2/service/echo.h
deleted file mode 100644 (file)
index 80d3685..0000000
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- *  Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
- *
- *  Contact: Bumjin Im <bj.im@samsung.com>
- *
- *  Licensed under the Apache License, Version 2.0 (the "License");
- *  you may not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS,
- *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License
- */
-/*
- * @file        echo.h
- * @author      Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version     1.0
- * @brief       Sample service implementation.
- */
-
-#ifndef _SECURITY_SERVER_ECHO_
-#define _SECURITY_SERVER_ECHO_
-
-#include <service-thread.h>
-#include <generic-socket-manager.h>
-
-#include <dpl/serialization.h>
-
-#include <message-buffer.h>
-
-namespace SecurityServer {
-
-class EchoService
-  : public SecurityServer::GenericSocketService
-  , public SecurityServer::ServiceThread<EchoService>
-{
-public:
-    ServiceDescriptionVector GetServiceDescription();
-
-    DECLARE_THREAD_EVENT(AcceptEvent, accept)
-    DECLARE_THREAD_EVENT(WriteEvent, write)
-    DECLARE_THREAD_EVENT(ReadEvent, process)
-    DECLARE_THREAD_EVENT(CloseEvent, close)
-
-    void accept(const AcceptEvent &event);
-    void write(const WriteEvent &event);
-    void process(const ReadEvent &event);
-    void close(const CloseEvent &event);
-};
-
-} // namespace SecurityServer
-
-#endif // _SECURITY_SERVER_ECHO_
diff --git a/src/util/security-server-util-common.c b/src/util/security-server-util-common.c
deleted file mode 100644 (file)
index 7d90d7f..0000000
+++ /dev/null
@@ -1,189 +0,0 @@
-/*
- *  security-server
- *
- *  Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- *  Contact: Bumjin Im <bj.im@samsung.com>
- *
- *  Licensed under the Apache License, Version 2.0 (the "License");
- *  you may not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS,
- *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License
- *
- */
-
-
-#include <poll.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <sys/smack.h>
-#include <fcntl.h>
-#include <sys/un.h>
-#include <errno.h>
-#include <unistd.h>
-#include <stdint.h>
-
-#include <smack-check.h>
-
-#include "security-server-common.h"
-#include "security-server-comm.h"
-#include "security-server-util.h"
-#include "security-server.h"
-
-
-int util_smack_label_is_valid(const char *smack_label)
-{
-    int i;
-
-    if (!smack_label || smack_label[0] == '\0' || smack_label[0] == '-')
-        goto err;
-
-    for (i = 0; smack_label[i]; ++i) {
-        if (i >= SMACK_LABEL_LEN)
-            return 0;
-        switch (smack_label[i]) {
-            case '~':
-            case ' ':
-            case '/':
-            case '"':
-            case '\\':
-            case '\'':
-                goto err;
-            default:
-                break;
-        }
-    }
-
-    return 1;
-err:
-    SEC_SVR_ERR("ERROR: Invalid Smack label: %s", smack_label);
-    return 0;
-}
-
-char *read_exe_path_from_proc(pid_t pid)
-{
-    char link[32];
-    char *exe = NULL;
-    size_t size = 64;
-    ssize_t cnt = 0;
-
-    // get link to executable
-    snprintf(link, sizeof(link), "/proc/%d/exe", pid);
-
-    for (;;)
-    {
-        exe = malloc(size);
-        if (exe == NULL)
-        {
-            SEC_SVR_ERR("Out of memory");
-            return NULL;
-        }
-
-        // read link target
-        cnt = readlink(link, exe, size);
-
-        // error
-        if (cnt < 0 || (size_t) cnt > size)
-        {
-            SEC_SVR_ERR("Can't locate process binary for pid[%d]", pid);
-            free(exe);
-            return NULL;
-        }
-
-        // read less than requested
-        if ((size_t) cnt < size)
-            break;
-
-        // read exactly the number of bytes requested
-        free(exe);
-        if (size > (SIZE_MAX >> 1))
-        {
-            SEC_SVR_ERR("Exe path too long (more than %d characters)", size);
-            return NULL;
-        }
-        size <<= 1;
-    }
-    // readlink does not append null byte to buffer.
-    exe[cnt] = '\0';
-    return exe;
-}
-
-/*
- * Function that checks if API caller have access to specified label.
- * In positive case (caller has access to the API) returns 1.
- * In case of no access returns 0, and -1 in case of error.
- */
-int authorize_SS_API_caller_socket(int sockfd, char *required_API_label, char *required_rule)
-{
-    int retval;
-    int checkval;
-    char *label = NULL;
-//    char *path = NULL;
-    //for getting socket options
-    struct ucred cr;
-    unsigned int len;
-
-    SEC_SVR_DBG("Checking client SMACK access to SS API");
-
-    if (!smack_check()) {
-        SEC_SVR_ERR("No SMACK on device found, API PROTECTION DISABLED!!!");
-        retval = 1;
-        goto end;
-    }
-
-    retval = smack_new_label_from_socket(sockfd, &label);
-    if (retval < 0) {
-        SEC_SVR_ERR("%s", "Error in getting label from socket");
-        retval = -1;
-        goto end;
-    }
-
-    retval = smack_have_access(label, required_API_label, required_rule);
-
-    len = sizeof(cr);
-    checkval = getsockopt(sockfd, SOL_SOCKET, SO_PEERCRED, &cr, &len);
-
-    if (checkval < 0) {
-        SEC_SVR_ERR("Error in getsockopt(): client pid is unknown.");
-//        if (retval) {
-//            SEC_SVR_DBG("SS_SMACK: subject=%s, object=%s, access=%s, result=%d", label, required_API_label, required_rule, retval);
-//        } else {
-//            SEC_SVR_ERR("SS_SMACK: subject=%s, object=%s, access=%s, result=%d", label, required_API_label, required_rule, retval);
-//        }
-    } else {
-//        path = read_exe_path_from_proc(cr.pid);
-
-        if (retval == 0) {
-            retval = smack_pid_have_access(cr.pid, required_API_label, required_rule);
-        }
-
-        const char *cap_info = "";
-        if (retval == 0)
-            cap_info = ", no CAP_MAC_OVERRIDE";
-
-//        if (retval > 0) {
-//            SEC_SVR_DBG("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s",
-//                        cr.pid, label, required_API_label, required_rule, retval, path);
-//        } else {
-//            SEC_SVR_ERR("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s%s",
-//                        cr.pid, label, required_API_label, required_rule, retval, path, cap_info);
-//        }
-    }
-
-end:
-//    if (path != NULL)
-//        free(path);
-    if (label != NULL)
-        free(label);
-
-    return retval;
-}