cp LICENSE %{buildroot}/usr/share/license/libsecurity-manager-client
mkdir -p %{buildroot}/etc/security/
cp security-server-audit.conf %{buildroot}/etc/security/
-mkdir -p %{buildroot}/etc/smack/
-cp app-rules-template.smack %{buildroot}/etc/smack/
%make_install
mkdir -p %{buildroot}/usr/lib/systemd/system/multi-user.target.wants
%attr(-,root,root) /usr/lib/systemd/system/security-server-cookie-check.socket
%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-app-privilege-by-name.socket
%attr(-,root,root) /usr/lib/systemd/system/security-server-app-privilege-by-name.socket
+%attr(-,root,root) /etc/security/security-server-audit.conf
%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-password-check.socket
%attr(-,root,root) /usr/lib/systemd/system/security-server-password-check.socket
%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-password-set.socket
%attr(-,root,root) /usr/lib/systemd/system/security-server-password-reset.socket
%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-manager-installer.socket
%attr(-,root,root) /usr/lib/systemd/system/security-manager-installer.socket
-%attr(-,root,root) /etc/security/security-server-audit.conf
-%attr(-,root,root) /etc/smack/app-rules-template.smack
+
%{_datadir}/license/%{name}
%files -n libsecurity-server-client
*/
/*
* @file installer.cpp
- * @author Michal Witanowski <m.witanowski@samsung.com>
- * @author Jacek Bukarewicz <j.bukarewicz@samsung.com>
+ * @author Michal Witanowski (m.witanowski@samsung.com)
* @brief Implementation of installer service for libprivilege-control encapsulation.
*/
#include "protocols.h"
#include "security-server.h"
#include "security-manager.h"
-#include "smack-rules.h"
namespace SecurityServer {
}
}
- // TODO: This should be done only for the first application in the package
- if (!SecurityManager::SmackRules::installPackageRules(req.pkgId)) {
- LogError("Failed to apply package-specific smack rules");
- goto error_label;
- }
-
// finish database transaction
result = perm_end();
LogDebug("perm_end() returned " << result);
if (PC_OPERATION_SUCCESS != result) {
- // TODO: Uncomment once proper pkgId -> smack label mapping is implemented (currently all
- // applications are mapped to user label and removal of such rules would be harmful)
- //SecurityManager::SmackRules::uninstallPackageRules(req.pkgId);
-
// error in libprivilege-control
Serialization::Serialize(send, SECURITY_SERVER_API_ERROR_SERVER_ERROR);
return false;
return false;
}
- // TODO: Uncomment once proper pkgId -> smack label mapping is implemented (currently all
- // applications are mapped to user label and removal of such rules would be harmful)
- // TODO: This should be performed only for the last application in the package
- // TODO: retrieve pkgId as it's not available in the request
- //if (!SecurityManager::SmackRules::uninstallPackageRules(pkgId)) {
- // LogError("Error on uninstallation of package-specific smack rules");
- // result = perm_rollback();
- // LogDebug("perm_rollback() returned " << result);
- // Serialization::Serialize(send, SECURITY_SERVER_API_ERROR_SERVER_ERROR);
- // return false;
- //}
-
// finish database transaction
result = perm_end();
LogDebug("perm_end() returned " << result);
+++ /dev/null
-/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Rafal Krypa <r.krypa@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/**
- * @file smack-rules.cpp
- * @author Jacek Bukarewicz <j.bukarewicz@samsung.com>
- * @version 1.0
- * @brief Implementation of a class managing smack rules
- *
- */
-
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/smack.h>
-#include <fcntl.h>
-#include <fstream>
-
-#include <dpl/log/log.h>
-
-#include "smack-rules.h"
-#include "security-manager-common.h"
-
-namespace SecurityManager {
-
-const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~";
-const char *const APP_RULES_TEMPLATE_FILE_PATH = "/etc/smack/app-rules-template.smack";
-const char *const APP_RULES_DIRECTORY = "/etc/smack/accesses.d/";
-
-SmackRules::SmackRules()
-{
- if (smack_accesses_new(&m_handle) < 0) {
- LogError("Failed to create smack_accesses handle");
- throw std::bad_alloc();
- }
-}
-
-SmackRules::~SmackRules() {
- smack_accesses_free(m_handle);
-}
-
-bool SmackRules::add(const std::string &subject, const std::string &object,
- const std::string &permissions)
-{
- return 0 == smack_accesses_add(m_handle, subject.c_str(), object.c_str(), permissions.c_str());
-}
-
-bool SmackRules::clear() const
-{
- return 0 == smack_accesses_clear(m_handle);
-}
-
-bool SmackRules::apply() const
-{
- return 0 == smack_accesses_apply(m_handle);
-}
-
-bool SmackRules::loadFromFile(const std::string &path)
-{
- int fd;
- bool ret = true;
-
- fd = open(path.c_str(), O_RDONLY);
- if (fd == -1) {
- LogError("Failed to open file: %s" << path);
- return false;
- }
-
- if (smack_accesses_add_from_file(m_handle, fd)) {
- LogError("Failed to load smack rules from file: %s" << path);
- ret = false;
- }
-
- close(fd);
- return ret;
-}
-
-bool SmackRules::saveToFile(const std::string &path) const
-{
- int fd;
- bool ret = true;
-
- fd = open(path.c_str(), O_CREAT | O_WRONLY | O_TRUNC, 0644);
- if (fd == -1) {
- LogError("Failed to create file: %s" << path);
- return false;
- }
-
- if (smack_accesses_save(m_handle, fd)) {
- LogError("Failed to save rules to file: %s" << path);
- unlink(path.c_str());
- ret = false;
- }
-
- close(fd);
- return ret;
-}
-
-
-bool SmackRules::addFromTemplateFile(const std::string &pkgId)
-{
- std::vector<std::string> templateRules;
- std::string line;
- std::ifstream templateRulesFile(APP_RULES_TEMPLATE_FILE_PATH);
-
- if (!templateRulesFile.is_open()) {
- LogError("Cannot open rules template file: " << APP_RULES_TEMPLATE_FILE_PATH);
- return false;
- }
-
- while (std::getline(templateRulesFile, line)) {
- templateRules.push_back(line);
- }
-
- if (templateRulesFile.bad()) {
- LogError("Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH);
- return false;
- }
-
- return addFromTemplate(templateRules, pkgId);
-}
-
-bool SmackRules::addFromTemplate(const std::vector<std::string> &templateRules,
- const std::string &pkgId)
-{
- std::string tokens[3];
- std::string &subject = tokens[0];
- std::string &object = tokens[1];
- std::string &permissions = tokens[2];
-
- for (auto rule = templateRules.begin(); rule != templateRules.end(); ++rule) {
- if (rule->length() == 0)
- continue;
-
- if (!tokenizeRule(*rule, tokens, sizeof(tokens) / sizeof(*tokens))) {
- return false;
- }
-
- bool subjectIsTemplate = (subject == SMACK_APP_LABEL_TEMPLATE);
- bool objectIsTemplate = (object == SMACK_APP_LABEL_TEMPLATE);
-
- if (objectIsTemplate == subjectIsTemplate) {
- LogError("Invalid rule template. Exactly one app label template expected: " << *rule);
- return false;
- }
-
- if (subjectIsTemplate) {
- if (!SecurityManager::generateAppLabel(pkgId, subject)) {
- LogError("Failed to generate app label from pkgid: " << pkgId);
- return false;
- }
- }
-
- if (objectIsTemplate) {
- if (!SecurityManager::generateAppLabel(pkgId, object)) {
- LogError("Failed to generate app label from pkgid: " << pkgId);
- return false;
- }
- }
-
- if (!add(subject, object, permissions)) {
- LogError("Failed to add rule: " << subject << " " << object << " " << permissions);
- return false;
- }
- }
-
- return true;
-}
-
-
-bool SmackRules::tokenizeRule(const std::string &rule, std::string tokens[], int size)
-{
- size_t startPos;
- size_t endPos = 0;
- const char delimiters[] = " \t\n\r";
-
- for (int i = 0; i < size; i++) {
- startPos = rule.find_first_not_of(delimiters, endPos);
- if (startPos == std::string::npos) {
- LogError("Unexpected end of rule: " << rule);
- return false;
- }
-
- endPos = rule.find_first_of(delimiters, startPos);
- tokens[i] = rule.substr(startPos, endPos - startPos);
- }
-
- if (endPos != std::string::npos &&
- rule.find_first_not_of(delimiters, endPos) != std::string::npos) {
- LogError("Too many tokens found in rule: " << rule);
- return false;
- }
-
- return true;
-}
-
-std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId)
-{
- std::string path(APP_RULES_DIRECTORY);
- path.append(pkgId);
- path.append(".smack");
- return path;
-}
-
-bool SmackRules::installPackageRules(const std::string &pkgId) {
- try {
- SmackRules smackRules;
- std::string path = getPackageRulesFilePath(pkgId);
-
- if (!smackRules.addFromTemplateFile(pkgId)) {
- LogError("Failed to load smack rules for pkgId " << pkgId);
- return false;
- }
-
- if (!smackRules.apply()) {
- LogError("Failed to apply application rules to kernel");
- return false;
- }
-
- if (!smackRules.saveToFile(path)) {
- smackRules.clear();
- return false;
- }
-
- return true;
- } catch (const std::bad_alloc &e) {
- LogError("Out of memory while trying to install smack rules for pkgId " << pkgId);
- return false;
- }
-}
-
-bool SmackRules::uninstallPackageRules(const std::string &pkgId) {
- std::string path = getPackageRulesFilePath(pkgId);
- if (access(path.c_str(), F_OK) == -1) {
- if (errno == ENOENT) {
- LogWarning("Smack rules were not installed for pkgId: " << pkgId);
- return true;
- }
-
- LogWarning("Cannot access smack rules path: " << path);
- return false;
- }
-
- try {
- SmackRules rules;
- if (rules.loadFromFile(path)) {
- if (!rules.clear()) {
- LogWarning("Failed to clear smack kernel rules for pkgId: " << pkgId);
- // don't stop uninstallation
- }
- } else {
- LogWarning("Failed to load rules from file: " << path);
- // don't stop uninstallation
- }
-
- if (unlink(path.c_str()) == -1) {
- LogError("Failed to remove smack rules file: " << path);
- return false;
- }
-
- return true;
- } catch (const std::bad_alloc &e) {
- LogError("Out of memory while trying to uninstall smack rules for pkgId: " << pkgId);
- return false;
- }
-}
-
-} // namespace SecurityManager
-
+++ /dev/null
-/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Rafal Krypa <r.krypa@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/**
- * @file smack-rules.h
- * @author Jacek Bukarewicz <j.bukarewicz@samsung.com>
- * @version 1.0
- * @brief Header file of a class managing smack rules
- *
- */
-#ifndef _SMACK_RULES_H_
-#define _SMACK_RULES_H_
-
-#include <vector>
-#include <string>
-
-struct smack_accesses;
-
-namespace SecurityManager {
-
-class SmackRules
-{
-public:
- SmackRules();
- virtual ~SmackRules();
-
- bool add(const std::string &subject, const std::string &object,
- const std::string &permissions);
- bool loadFromFile(const std::string &path);
- bool addFromTemplate(const std::vector<std::string> &templateRules, const std::string &pkgId);
- bool addFromTemplateFile(const std::string &pkgId);
-
- bool apply() const;
- bool clear() const;
- bool saveToFile(const std::string &path) const;
-
- /**
- * Install package-specific smack rules.
- *
- * Function creates smack rules using predefined template. Rules are applied
- * to the kernel and saved on persistent storage so they are loaded on system boot.
- *
- * @param[in] pkgId - package identifier
- * @return true on success, false on error
- */
- static bool installPackageRules(const std::string &pkgId);
- /**
- * Uninstall package-specific smack rules.
- *
- * Function loads package-specific smack rules, revokes them from the kernel
- * and removes from persistent storage.
- *
- * @param[in] pkgId - package identifier
- * @return true if smack rule file has been uninstalled or didn't exist
- * false otherwise
- */
- static bool uninstallPackageRules(const std::string &pkgId);
-private:
- static bool tokenizeRule(const std::string &rule, std::string tokens[], int size);
- static std::string getPackageRulesFilePath(const std::string &pkgId);
-
- smack_accesses *m_handle;
-};
-
-} // namespace SecurityManager
-
-#endif /* _SMACK_RULES_H_ */
projects / platform / core / security / security-server.git / commitdiff