ADD_DEFINITIONS("-DDATA_ROOT_DIR=\"${DATA_ROOT_DIR}\"")
ADD_DEFINITIONS("-DPOLICY_DIR=\"${POLICY_DIR}\"")
-############################## file names #####################################
-
-SET(PRIVILEGE_GROUP_LIST_FILE
- "privilege-group.list"
- CACHE PATH
- "File with mapping from privileges into groups")
-
-ADD_DEFINITIONS("-DPRIVILEGE_GROUP_LIST_FILE=\"${PRIVILEGE_GROUP_LIST_FILE}\"")
-
############################# compiler flags ##################################
SET(CMAKE_CXX_FLAGS_PROFILING "-g -std=c++0x -O0 -pg -Wp,-U_FORTIFY_SOURCE")
PATH=/bin:/usr/bin:/sbin:/usr/sbin
POLICY_PATH=@POLICY_DIR@
-PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/@PRIVILEGE_GROUP_LIST_FILE@
+PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list
DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db
#include <cstdio>
#include <cstdlib>
#include <functional>
-#include <fstream>
#include <memory>
#include <unordered_set>
#include <utility>
#include <check-proper-drop.h>
#include <utils.h>
#include <group2gid.h>
+#include <config.h>
+#include <config-file.h>
#include <security-manager.h>
#include <client-offline.h>
delete[] levels;
}
-static void loadGroups(std::vector<gid_t> &vgroups) {
- static const int LINEMAX = 256;
- char line[LINEMAX];
- std::ifstream input(POLICY_DIR "/" PRIVILEGE_GROUP_LIST_FILE);
+static void loadGroups(std::vector<gid_t> &vgroups)
+{
+ auto groupsMapData = ConfigFile(Config::PRIVILEGE_GROUP_LIST_FILE).read();
+ for (const auto &groupsMapEntry : groupsMapData) {
+ if (groupsMapEntry.size() != 2)
+ continue;
- Group2Gid g2g;
+ const std::string &groupName = groupsMapEntry[1];
+ std::vector<char> buf(1024);
+ group *result = nullptr;
+ group grp;
- while(input.getline(line, LINEMAX)) {
- if (line[0] == '#')
- continue;
- char *pos = strchr(line, ' ');
- if (pos == NULL)
- continue;
- pos++;
- vgroups.push_back(g2g.get(std::string(pos)));
+ for (;;) {
+ int ret = TEMP_FAILURE_RETRY(getgrnam_r(groupName.c_str(), &grp, buf.data(), buf.size(), &result));
+ if (ret == ERANGE) {
+ buf.resize(buf.size() * 2);
+ continue;
+ }
+ if (result == nullptr && ret == 0)
+ ret = ENOENT;
+
+ if (ret != 0)
+ throw std::system_error(ret, std::system_category(), "getgrnam_r() failed");
+ break;
+ }
+ vgroups.push_back(result->gr_gid);
}
}
${DPL_PATH}/db/src/naive_synchronization_object.cpp
${DPL_PATH}/db/src/sql_connection.cpp
${COMMON_PATH}/config.cpp
+ ${COMMON_PATH}/config-file.cpp
${COMMON_PATH}/connection.cpp
${COMMON_PATH}/credentials.cpp
${COMMON_PATH}/cynara.cpp
--- /dev/null
+/*
+ * Copyright (c) 2017 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Rafal Krypa <r.krypa@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file config-file.cpp
+ * @author Rafal Krypa (r.krypa@samsung.com)
+ * @version 1.0
+ * @brief
+ */
+
+#include <iterator>
+#include <sstream>
+#include <string>
+#include <vector>
+
+#include <config-file.h>
+#include <filesystem.h>
+
+namespace SecurityManager {
+
+std::vector<std::vector<std::string>> ConfigFile::read()
+{
+ std::vector<std::vector<std::string>> ret;
+ std::istringstream stream(FS::getTextFileContents(m_path));
+
+ std::string line;
+ while (getline(stream, line)) {
+ if (line.empty() || line[0] == '#')
+ continue;
+
+ std::istringstream stream(line);
+ ret.emplace_back(std::istream_iterator<std::string>(stream), std::istream_iterator<std::string>());
+ }
+
+ return ret;
+}
+
+} // namespace SecurityManager
const std::string APPS_LABELS_FILE = "apps-labels";
const std::string SKEL_DIR = "/etc/skel";
+const std::string PRIVILEGE_GROUP_LIST_FILE = POLICY_DIR "/privilege-group.list";
+
const std::string PRIVACY_POLICY_DESC = "Ask user";
#ifdef ASKUSER_ENABLED
const bool IS_ASKUSER_ENABLED = true;
--- /dev/null
+/*
+ * Copyright (c) 2017 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Rafal Krypa <r.krypa@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file config-file.h
+ * @author Rafal Krypa (r.krypa@samsung.com)
+ * @version 1.0
+ * @brief
+ */
+
+#pragma once
+
+#include <vector>
+#include <string>
+
+namespace SecurityManager {
+
+class ConfigFile {
+public:
+ ConfigFile(const std::string &path) : m_path(path) {}
+ std::vector<std::vector<std::string>> read();
+
+private:
+ const std::string m_path;
+};
+
+} // namespace SecurityManager
namespace SecurityManager {
namespace Config {
-/* Service name */
+/* Service name */
extern const std::string SERVICE_NAME;
/* Privileges required from users of our API */
/* Files used in permitted label managment */
extern const std::string APPS_LABELS_FILE;
+/* Policy files */
+extern const std::string PRIVILEGE_GROUP_LIST_FILE;
+
extern const std::string SKEL_DIR;
/* Ask-user policy description */
class SmackRules
{
public:
- typedef std::string Rule;
+ typedef std::vector<std::string> Rule;
typedef std::vector<Rule> RuleVector;
typedef std::vector<std::string> Pkgs;
typedef std::vector<std::string> Labels;
#include <memory>
#include <algorithm>
+#include "config-file.h"
#include "dpl/log/log.h"
#include "dpl/errno_string.h"
#include "dpl/fstream_accessors.h"
const std::string &pkgName,
const int authorId)
{
- RuleVector templateRules;
- std::string line;
- std::ifstream templateRulesFile(templatePath);
-
- if (!templateRulesFile.is_open()) {
- LogError("Cannot open rules template file: " << templatePath);
- ThrowMsg(SmackException::FileError, "Cannot open rules template file: " << templatePath);
- }
-
- while (std::getline(templateRulesFile, line))
- if (!line.empty())
- templateRules.push_back(line);
-
- if (templateRulesFile.bad()) {
+ try {
+ addFromTemplate(ConfigFile(templatePath).read(), appProcessLabel, pkgName, authorId);
+ } catch (FS::Exception::Base) {
LogError("Error reading template file: " << templatePath);
ThrowMsg(SmackException::FileError, "Error reading template file: " << templatePath);
}
-
- addFromTemplate(templateRules, appProcessLabel, pkgName, authorId);
}
void SmackRules::addFromTemplate(
if (authorId >= 0)
pathTrustedLabel = SmackLabels::generatePathTrustedLabel(authorId);
- for (auto rule : templateRules) {
- if (rule.empty())
- continue;
-
- std::stringstream stream(rule);
- std::string subject, object, permissions;
- stream >> subject >> object >> permissions;
-
- if (stream.fail() || !stream.eof()) {
- LogError("Invalid rule template: " << rule);
- ThrowMsg(SmackException::FileError, "Invalid rule template: " << rule);
+ for (auto &rule : templateRules) {
+ if (rule.size() != 3) {
+ LogError("Invalid rule template: " << rule.size() << " tokens");
+ ThrowMsg(SmackException::FileError, "Invalid rule template: " << rule.size() << " tokens");
}
+ std::string subject = rule[0];
+ std::string object = rule[1];
+ std::string permissions = rule[2];
+
strReplace(subject, SMACK_PROCESS_LABEL_TEMPLATE, appProcessLabel);
strReplace(object, SMACK_PROCESS_LABEL_TEMPLATE, appProcessLabel);
strReplace(object, SMACK_PATH_RW_LABEL_TEMPLATE, pathRWLabel);
${DPL_PATH}/log/src/abstract_log_provider.cpp
${DPL_PATH}/log/src/log.cpp
${DPL_PATH}/log/src/old_style_log_provider.cpp
+ ${PROJECT_SOURCE_DIR}/src/common/config-file.cpp
${PROJECT_SOURCE_DIR}/src/common/file-lock.cpp
${PROJECT_SOURCE_DIR}/src/common/privilege_db.cpp
${PROJECT_SOURCE_DIR}/src/common/smack-check.cpp
BOOST_FIXTURE_TEST_CASE(T1130_smack_rules_templates, RulesFixture)
{
- SmackRules::RuleVector templateRules = { "System ~PROCESS~ rwxat",
- "~PROCESS~ System wx",
- "~PROCESS~ ~PATH_RW~ rwxat",
- "~PROCESS~ ~PATH_RO~ rxl",
- "~PROCESS~ ~PATH_SHARED_RO~ rwxat",
- "~PROCESS~ ~PATH_TRUSTED~ rwxat" };
+ SmackRules::RuleVector templateRules = {{"System", "~PROCESS~", "rwxat"},
+ {"~PROCESS~", "System", "wx"},
+ {"~PROCESS~", "~PATH_RW~", "rwxat"},
+ {"~PROCESS~", "~PATH_RO~", "rxl"},
+ {"~PROCESS~", "~PATH_SHARED_RO~", "rwxat"},
+ {"~PROCESS~", "~PATH_TRUSTED~", "rwxat"}};
std::ofstream templateRulesFile;
templateRulesFile.open(templateRulesFilePath);
- for (auto templateRule : templateRules)
- templateRulesFile << templateRule << std::endl;
+ for (auto &templateRule : templateRules) {
+ for (auto &templateRuleToken : templateRule)
+ templateRulesFile << templateRuleToken << ' ';
+ templateRulesFile << std::endl;
+ }
templateRulesFile.close();
- SmackRules::RuleVector expectedRules = { "System User::Pkg::pkgNameT1130 rwxat-",
+ std::vector<std::string> expectedRules = { "System User::Pkg::pkgNameT1130 rwxat-",
"User::Pkg::pkgNameT1130 System -wx---",
"User::Pkg::pkgNameT1130 User::Pkg::pkgNameT1130 rwxat-",
"User::Pkg::pkgNameT1130 User::Pkg::pkgNameT1130::RO r-x--l",
projects / platform / core / security / security-manager.git / commitdiff