ln -s ../security-server-exec-path.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-exec-path.socket
ln -s ../security-server-get-object-name.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-get-object-name.socket
ln -s ../security-server-app-permissions.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-app-permissions.socket
+ln -s ../security-server-cookie-get.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-cookie-get.socket
+ln -s ../security-server-cookie-check.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-cookie-check.socket
%clean
rm -rf %{buildroot}
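Review bot: The two added `ln -s` lines make the cookie-get and cookie-check sockets listen from boot, but this spec does not show who may connect to them; with socket activation that is decided by `SocketMode=` and the Smack label settings in the `.socket` unit files, which are not part of this hunk. I would confirm that each unit sets those explicitly, and that the check socket is restricted separately if only some services are meant to validate cookies. In the `%files` hunk further down, `%attr(-,root,root)` keeps whatever mode the build tree produced; writing `%attr(0644,root,root) /usr/lib/systemd/system/security-server-cookie-get.socket` (and the same for cookie-check) would pin the unit files so that only root can write them. A short comment above the new pair, such as `# cookie service: separate get/check sockets, access policy is set in the .socket units`, would point the next reader at the right place.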
%attr(-,root,root) /usr/lib/systemd/system/security-server-get-object-name.socket
%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-app-permissions.socket
%attr(-,root,root) /usr/lib/systemd/system/security-server-app-permissions.socket
+%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-cookie-get.socket
+%attr(-,root,root) /usr/lib/systemd/system/security-server-cookie-get.socket
+%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-cookie-check.socket
+%attr(-,root,root) /usr/lib/systemd/system/security-server-cookie-check.socket
+
%{_datadir}/license/%{name}
SET(SECURITY_SERVER_SOURCES
${SECURITY_SERVER_PATH}/communication/security-server-comm.c
- ${SECURITY_SERVER_PATH}/server/security-server-cookie.c
${SECURITY_SERVER_PATH}/server/security-server-main.c
${SECURITY_SERVER_PATH}/server/security-server-password.c
${SECURITY_SERVER_PATH}/util/security-server-util-common.c
${SERVER2_PATH}/service/echo.cpp
${SERVER2_PATH}/service/get-gid.cpp
${SERVER2_PATH}/service/app-permissions.cpp
+ ${SERVER2_PATH}/service/cookie.cpp
+ ${SERVER2_PATH}/service/cookie-jar.cpp
${SERVER2_PATH}/service/privilege-by-pid.cpp
${SERVER2_PATH}/service/exec-path.cpp
${SERVER2_PATH}/service/get-object-name.cpp
${SECURITY_SERVER_PATH}/server2/client/client-shared-memory.cpp
${SECURITY_SERVER_PATH}/server2/client/client-get-gid.cpp
${SECURITY_SERVER_PATH}/server2/client/client-app-permissions.cpp
+ ${SECURITY_SERVER_PATH}/server2/client/client-cookie.cpp
${SECURITY_SERVER_PATH}/server2/client/client-privilege-by-pid.cpp
${SECURITY_SERVER_PATH}/server2/client/client-socket-privilege.cpp
${SECURITY_SERVER_PATH}/server2/client/client-get-object-name.cpp
// }
-
-SECURITY_SERVER_API
-int security_server_request_cookie(char *cookie, size_t max_cookie)
-{
- int sockfd = -1, retval;
- response_header hdr;
-
- if (cookie == NULL)
- {
- retval = SECURITY_SERVER_ERROR_INPUT_PARAM;
- goto error;
- }
- if (max_cookie < SECURITY_SERVER_COOKIE_LEN)
- {
- retval = SECURITY_SERVER_ERROR_BUFFER_TOO_SMALL;
- goto error;
- }
-
- SECURE_SLOGD("%s", "Client: security_server_request_cookie() is called");
- retval = connect_to_server(&sockfd);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- SEC_SVR_ERR("%s", "Client: connection failed");
- goto error;
- }
-
- /* make request packet */
- retval = send_cookie_request(sockfd);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- SEC_SVR_ERR("Client: send cookie failed: %d", retval);
- goto error;
- }
- SEC_SVR_DBG("%s", "Client: cookie request sent");
- retval = recv_cookie(sockfd, &hdr, cookie);
-
- if (hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_COOKIE_RESPONSE) /* Wrong response */
- {
- if (hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE)
- {
- /* There must be some error */
- SEC_SVR_ERR("Client ERROR: There is an error on response. return code:%d", hdr.return_code);
- retval = return_code_to_error_code(hdr.return_code);
- }
- else
- {
- /* Something wrong with response */
- SEC_SVR_ERR("Client ERROR: Unexpected error occurred:%d", retval);
- retval = SECURITY_SERVER_ERROR_BAD_RESPONSE;
- }
- goto error;
- }
- SEC_SVR_DBG("%s", "Client: cookie received");
-
-error:
- if (sockfd > 0)
- close(sockfd);
-
- retval = convert_to_public_error_code(retval);
- return retval;
-}
-
-
-
-
-
-SECURITY_SERVER_API
-int security_server_check_privilege(const char *cookie, gid_t privilege)
-{
- int sockfd = -1, retval;
- response_header hdr;
-
- if (cookie == NULL)
- {
- retval = SECURITY_SERVER_ERROR_INPUT_PARAM;
- goto error;
- }
-
- retval = connect_to_server(&sockfd);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- goto error;
- }
-
- /* make request packet */
- retval = send_privilege_check_request(sockfd, cookie, privilege);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- SEC_SVR_ERR("Send failed: %d", retval);
- goto error;
- }
-
- retval = recv_privilege_check_response(sockfd, &hdr);
-
- retval = return_code_to_error_code(hdr.return_code);
- if (hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE) /* Wrong response */
- {
- if (hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE)
- {
- /* There must be some error */
- SEC_SVR_ERR("Client: Error has been received. return code:%d", hdr.return_code);
- }
- else
- {
- /* Something wrong with response */
- SEC_SVR_ERR("Client ERROR: Unexpected error occurred:%d", retval);
- retval = SECURITY_SERVER_ERROR_BAD_RESPONSE;
- }
- goto error;
- }
-
-error:
- if (sockfd > 0)
- close(sockfd);
-
- retval = convert_to_public_error_code(retval);
- return retval;
-}
-
-
-SECURITY_SERVER_API
-int security_server_check_privilege_by_cookie(const char *cookie,
- const char *object,
- const char *access_rights)
-{
- int sockfd = -1, retval;
- int olen, alen;
- response_header hdr;
-
- if (cookie == NULL || object == NULL || access_rights == NULL)
- {
- retval = SECURITY_SERVER_ERROR_INPUT_PARAM;
- goto error;
- }
-
- olen = strlen(object);
- alen = strlen(access_rights);
-
- if (olen > SMACK_LABEL_LEN || alen > MAX_MODE_STR_LEN)
- {
- retval = SECURITY_SERVER_ERROR_INPUT_PARAM;
- goto error;
- }
-
- retval = connect_to_server(&sockfd);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- goto error;
- }
-
- /* make request packet */
- retval = send_privilege_check_new_request(
- sockfd, cookie, object, access_rights);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- SEC_SVR_ERR("Send failed: %d", retval);
- goto error;
- }
-
- retval = recv_privilege_check_new_response(sockfd, &hdr);
-
- retval = return_code_to_error_code(hdr.return_code);
- if (hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE)
- /* Wrong response */
- {
- if (hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE)
- {
- /* There must be some error */
- SEC_SVR_ERR("Client: Error has been received. return code:%d",
- hdr.return_code);
- }
- else
- {
- /* Something wrong with response */
- SEC_SVR_ERR("Client ERROR: Unexpected error occurred:%d", retval);
- retval = SECURITY_SERVER_ERROR_BAD_RESPONSE;
- }
- goto error;
- }
-
-error:
- if (sockfd >= 0)
- close(sockfd);
-
- retval = convert_to_public_error_code(retval);
- return retval;
-}
-
-SECURITY_SERVER_API
-int security_server_get_cookie_size(void)
-{
- return SECURITY_SERVER_COOKIE_LEN;
-}
-
-
-SECURITY_SERVER_API
-int security_server_get_cookie_pid(const char *cookie)
-{
- int sockfd = -1, retval, pid = -1;
- response_header hdr;
-
- if (cookie == NULL)
- {
- retval = SECURITY_SERVER_ERROR_INPUT_PARAM;
- goto error;
- }
-
- retval = connect_to_server(&sockfd);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- goto error;
- }
-
- /* make request packet */
- retval = send_pid_request(sockfd, cookie);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- SEC_SVR_ERR("Client: Send failed: %d", retval);
- goto error;
- }
-
- retval = recv_pid_response(sockfd, &hdr, &pid);
-
- retval = return_code_to_error_code(hdr.return_code);
- if (hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_PID_RESPONSE) /* Wrong response */
- {
- if (hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE)
- {
- /* There must be some error */
- SEC_SVR_ERR("Client: Error has been received. return code:%d", hdr.return_code);
- }
- else
- {
- /* Something wrong with response */
- SEC_SVR_ERR("Client ERROR: Unexpected error occurred:%d", retval);
- retval = SECURITY_SERVER_ERROR_BAD_RESPONSE;
- }
- goto error;
- }
- if (hdr.return_code == SECURITY_SERVER_RETURN_CODE_NO_SUCH_COOKIE)
- {
- SEC_SVR_ERR("%s"," Client: There is no such cookie exist");
- }
-
-error:
- if (sockfd > 0)
- close(sockfd);
-
- retval = convert_to_public_error_code(retval);
- if (retval == 0)
- return pid;
-
- return retval;
-}
-
-
SECURITY_SERVER_API
int security_server_is_pwd_valid(unsigned int *current_attempts,
unsigned int *max_attempts,
return retval;
}
-SECURITY_SERVER_API
-char *security_server_get_smacklabel_cookie(const char *cookie)
-{
- char *label = NULL;
- int sockfd = -1, retval;
- response_header hdr;
-
- if (cookie == NULL)
- {
- retval = SECURITY_SERVER_ERROR_INPUT_PARAM;
- goto error;
- }
-
- retval = connect_to_server(&sockfd);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- goto error;
- }
-
- /* make request packet */
- retval = send_smack_request(sockfd, cookie);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- /* Error on socket */
- SEC_SVR_ERR("Client: Send failed: %d", retval);
- goto error;
- }
-
- //allocating buffer for storing SMACK label received from server
- label = calloc(SMACK_LABEL_LEN + 1, 1);
- if (NULL == label)
- {
- SEC_SVR_ERR("Client ERROR: Memory allocation error");
- goto error;
- }
-
- retval = recv_smack_response(sockfd, &hdr, label);
-
- retval = return_code_to_error_code(hdr.return_code);
- if (hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_SMACK_RESPONSE) /* Wrong response */
- {
- if (hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE)
- {
- /* There must be some error */
- SEC_SVR_ERR("Client: Error has been received. return code:%d", hdr.return_code);
- }
- else
- {
- /* Something wrong with response */
- SEC_SVR_ERR("Client ERROR: Unexpected error occurred:%d", retval);
- retval = SECURITY_SERVER_ERROR_BAD_RESPONSE;
- }
- goto error;
- }
- if (hdr.return_code == SECURITY_SERVER_RETURN_CODE_NO_SUCH_COOKIE)
- {
- SEC_SVR_ERR("%s"," Client: There is no such cookie exist");
- }
-
-error:
- if (sockfd > 0)
- close(sockfd);
-
- retval = convert_to_public_error_code(retval);
- if (retval == 0)
- return label;
-
- if (NULL != label)
- free(label);
-
- return NULL;
-}
-
#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
SECURITY_SERVER_API
return SECURITY_SERVER_SUCCESS;
}
-/* Send cookie response to client
- *
- * Get Cookie response packet format
- * 0 1 2 3
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01 |MessageID=0x02 | Message Length =20 |
- * |---------------------------------------------------------------|
- * | return code | |
- * ----------------- |
- * | cookie (20 bytes) |
- * |---------------------------------------------------------------|
-*/
-int send_cookie(int sockfd, unsigned char *cookie)
-{
- response_header hdr;
- unsigned char msg[SECURITY_SERVER_COOKIE_LEN + sizeof(hdr)];
- int ret;
-
- /* Assemble header */
- hdr.basic_hdr.version = SECURITY_SERVER_MSG_VERSION;
- hdr.basic_hdr.msg_id = SECURITY_SERVER_MSG_TYPE_COOKIE_RESPONSE;
- hdr.basic_hdr.msg_len = SECURITY_SERVER_COOKIE_LEN;
- hdr.return_code = SECURITY_SERVER_RETURN_CODE_SUCCESS;
-
- memcpy(msg, &hdr, sizeof(hdr));
- memcpy(msg + sizeof(hdr), cookie, SECURITY_SERVER_COOKIE_LEN);
-
- /* Check poll */
- ret = check_socket_poll(sockfd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
- if (ret == SECURITY_SERVER_ERROR_POLL)
- {
- SEC_SVR_ERR("%s", "poll() error");
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
- if (ret == SECURITY_SERVER_ERROR_TIMEOUT)
- {
- SEC_SVR_ERR("%s", "poll() timeout");
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
-
- ret = TEMP_FAILURE_RETRY(write(sockfd, msg, sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN));
- if (ret < (int)(sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN))
- {
- /* Error on writing */
- SEC_SVR_ERR("Error on write: %d", ret);
- ret = SECURITY_SERVER_ERROR_SEND_FAILED;
- return ret;
- }
- return SECURITY_SERVER_SUCCESS;
-}
/* Send Object name response *
* Get Object name response packet format
return SECURITY_SERVER_SUCCESS;
}
-/* Send PID response to client
- *
- * Get PID response packet format
- * 0 1 2 3
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01 |MessageID=0x0a | Message Length = 4 |
- * |---------------------------------------------------------------|
- * | return code | pid (first 3 words) |
- * |---------------------------------------------------------------|
- * |pid(last word) |
- * |---------------|
-*/
-int send_pid(int sockfd, int pid)
-{
- response_header hdr;
- unsigned char msg[sizeof(pid) + sizeof(hdr)];
- int ret;
-
- /* Assemble header */
- hdr.basic_hdr.version = SECURITY_SERVER_MSG_VERSION;
- hdr.basic_hdr.msg_id = SECURITY_SERVER_MSG_TYPE_PID_RESPONSE;
- hdr.basic_hdr.msg_len = sizeof(pid);
- hdr.return_code = SECURITY_SERVER_RETURN_CODE_SUCCESS;
-
- /* Perpare packet */
- memcpy(msg, &hdr, sizeof(hdr));
- memcpy(msg + sizeof(hdr), &pid, sizeof(pid));
-
- /* Check poll */
- ret = check_socket_poll(sockfd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
- if (ret == SECURITY_SERVER_ERROR_POLL)
- {
- SEC_SVR_ERR("%s", "poll() error");
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
- if (ret == SECURITY_SERVER_ERROR_TIMEOUT)
- {
- SEC_SVR_ERR("%s", "poll() timeout");
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
-
- /* Send it */
- ret = TEMP_FAILURE_RETRY(write(sockfd, msg, sizeof(hdr) + sizeof(pid)));
- if (ret < (int)(sizeof(hdr) + sizeof(pid)))
- {
- /* Error on writing */
- SEC_SVR_ERR("Error on write(): %d", ret);
- ret = SECURITY_SERVER_ERROR_SEND_FAILED;
- return ret;
- }
- return SECURITY_SERVER_SUCCESS;
-}
-
-/* Send SMACK label to client with lenght N
- * 0 1 2 3
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01 |MessageID=0x1e | Message Length = SMACK_LABEL_LEN + 1
- * |---------------------------------------------------------------|
- * | return code | SMACK label byte 0 |
- * |---------------------------------------------------------------|
- * | .................. |
- * |---------------------------------------------------------------|
- * | SMACK label byte N |
- * |---------------------------------------------------------------|
-*/
-int send_smack(int sockfd, char *label)
-{
- response_header hdr;
- //added 1 to the size is for NULL terminating label
- int LABEL_SIZE = SMACK_LABEL_LEN + 1;
- int PACKET_SIZE = sizeof(hdr) + LABEL_SIZE;
- unsigned char msg[PACKET_SIZE];
- int ret;
-
- /* Assemble header */
- hdr.basic_hdr.version = SECURITY_SERVER_MSG_VERSION;
- hdr.basic_hdr.msg_id = SECURITY_SERVER_MSG_TYPE_SMACK_RESPONSE;
- hdr.basic_hdr.msg_len = LABEL_SIZE;
- hdr.return_code = SECURITY_SERVER_RETURN_CODE_SUCCESS;
-
- /* Perpare packet */
- memcpy(msg, &hdr, sizeof(hdr));
- memcpy(msg + sizeof(hdr), label, LABEL_SIZE);
- memset(msg + sizeof(hdr) + SMACK_LABEL_LEN, 0x00, 1); //adding NULL ad the label end
-
- /* Check poll */
- ret = check_socket_poll(sockfd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
- if (ret == SECURITY_SERVER_ERROR_POLL)
- {
- SEC_SVR_ERR("%s", "poll() error");
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
- if (ret == SECURITY_SERVER_ERROR_TIMEOUT)
- {
- SEC_SVR_ERR("%s", "poll() timeout");
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
-
- /* Send it */
- ret = TEMP_FAILURE_RETRY(write(sockfd, msg, PACKET_SIZE));
- if (ret < PACKET_SIZE)
- {
- /* Error on writing */
- SEC_SVR_ERR("Error on write(): %d", ret);
- ret = SECURITY_SERVER_ERROR_SEND_FAILED;
- return ret;
- }
- return SECURITY_SERVER_SUCCESS;
-}
/* Send Check password response to client
*
return SECURITY_SERVER_SUCCESS;
}
-/* Send cookie request packet to security server *
- *
- * Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01 |MessageID=0x01 | Message Length = 0 |
- * |---------------------------------------------------------------|
- */
-int send_cookie_request(int sock_fd)
-{
- basic_header hdr;
- int retval;
-
- /* Assemble header */
- hdr.version = SECURITY_SERVER_MSG_VERSION;
- hdr.msg_id = SECURITY_SERVER_MSG_TYPE_COOKIE_REQUEST;
- hdr.msg_len = 0;
-
- /* Check poll */
- retval = check_socket_poll(sock_fd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
- if (retval == SECURITY_SERVER_ERROR_POLL)
- {
- SEC_SVR_ERR("%s", "poll() error");
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
- if (retval == SECURITY_SERVER_ERROR_TIMEOUT)
- {
- SEC_SVR_ERR("%s", "poll() timeout");
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
-
- /* Send to server */
- retval = TEMP_FAILURE_RETRY(write(sock_fd, &hdr, sizeof(hdr)));
- if (retval < (int)sizeof(hdr))
- {
- /* Write error */
- SEC_SVR_ERR("Error on write(): %d", retval);
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
- return SECURITY_SERVER_SUCCESS;
-}
-
/* Send GID request message to security server
*
* Message format
// return SECURITY_SERVER_SUCCESS;
// }
-/* Send privilege check request message to security server *
- *
- * Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01 |MessageID=0x03 | Message Length = 24 |
- * |---------------------------------------------------------------|
- * | |
- * | |
- * | Cookie (20bytes) |
- * | |
- * | |
- * |---------------------------------------------------------------|
- * | GID |
- * |---------------------------------------------------------------|
- */
-int send_privilege_check_request(int sock_fd, const char *cookie, int gid)
-{
- basic_header hdr;
- int retval;
- unsigned char buf[sizeof(hdr) + sizeof(gid) + SECURITY_SERVER_COOKIE_LEN];
-
- /* Assemble header */
- hdr.version = SECURITY_SERVER_MSG_VERSION;
- hdr.msg_id = SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_REQUEST;
- hdr.msg_len = sizeof(gid) + SECURITY_SERVER_COOKIE_LEN;
-
- memcpy(buf, &hdr, sizeof(hdr));
- memcpy(buf + sizeof(hdr), cookie, SECURITY_SERVER_COOKIE_LEN);
- memcpy(buf + sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN, &gid, sizeof(gid));
-
- /* Check poll */
- retval = check_socket_poll(sock_fd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
- if (retval == SECURITY_SERVER_ERROR_POLL)
- {
- SEC_SVR_ERR("%s", "poll() error");
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
- if (retval == SECURITY_SERVER_ERROR_TIMEOUT)
- {
- SEC_SVR_ERR("%s", "poll() timeout");
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
-
- /* Send to server */
- retval = TEMP_FAILURE_RETRY(write(sock_fd, buf, sizeof(buf)));
- if (retval < (int)sizeof(buf))
- {
- /* Write error */
- SEC_SVR_ERR("Error on write(): %d", retval);
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
- return SECURITY_SERVER_SUCCESS;
-}
-
-int send_privilege_check_new_request(int sock_fd,
- const char *cookie,
- const char *object,
- const char *access_rights)
-{
- basic_header hdr;
- int retval;
- int olen, alen;
- int size;
-
- olen = strlen(object);
- alen = strlen(access_rights);
- if (olen > MAX_OBJECT_LABEL_LEN || alen > MAX_MODE_STR_LEN)
- {
- return SECURITY_SERVER_ERROR_INPUT_PARAM;
- }
-
- unsigned char buf[sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN +
- 2 * sizeof(int) + MAX_OBJECT_LABEL_LEN + MAX_MODE_STR_LEN];
-
- /* Assemble header */
- hdr.version = SECURITY_SERVER_MSG_VERSION;
- hdr.msg_id = SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_REQUEST;
- hdr.msg_len = SECURITY_SERVER_COOKIE_LEN + 2 * sizeof(int) + olen + alen;
-
- memcpy(buf, &hdr, sizeof(hdr));
- memcpy(buf + sizeof(hdr), cookie, SECURITY_SERVER_COOKIE_LEN);
- memcpy(buf + sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN, &olen, sizeof(int));
- memcpy(buf + sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN + sizeof(int),
- &alen, sizeof(int));
- memcpy(buf + sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN + 2 * sizeof(int), object, olen);
- memcpy(buf + sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN + 2 * sizeof(int) + olen,
- access_rights, alen);
-
- /* Check poll */
- retval = check_socket_poll(sock_fd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
- if (retval == SECURITY_SERVER_ERROR_POLL)
- {
- SEC_SVR_ERR("%s", "poll() error");
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
- if (retval == SECURITY_SERVER_ERROR_TIMEOUT)
- {
- SEC_SVR_ERR("%s", "poll() timeout");
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
-
- size = sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN + 2 * sizeof(int) + olen + alen;
- /* Send to server */
- retval = TEMP_FAILURE_RETRY(write(sock_fd, buf, size));
- if (retval < size)
- {
- /* Write error */
- SEC_SVR_ERR("Error on write(): %d", retval);
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
- return SECURITY_SERVER_SUCCESS;
-}
-
-/* Send SMACK request message to security server *
- *
- * Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01 |MessageID=0x1d | Message Length = 20 |
- * |---------------------------------------------------------------|
- * | |
- * | |
- * | Cookie (20bytes) |
- * | |
- * | |
- * |---------------------------------------------------------------|
- */
-int send_smack_request(int sock_fd, const char *cookie)
-{
- basic_header hdr;
- int retval;
- unsigned char buf[sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN];
-
- /* Assemble header */
- hdr.version = SECURITY_SERVER_MSG_VERSION;
- hdr.msg_id = SECURITY_SERVER_MSG_TYPE_SMACK_REQUEST;
- hdr.msg_len = SECURITY_SERVER_COOKIE_LEN;
-
- memcpy(buf, &hdr, sizeof(hdr));
- memcpy(buf + sizeof(hdr), cookie, SECURITY_SERVER_COOKIE_LEN);
-
- /* Check poll */
- retval = check_socket_poll(sock_fd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
- if (retval == SECURITY_SERVER_ERROR_POLL)
- {
- SEC_SVR_ERR("%s", "poll() error");
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
- if (retval == SECURITY_SERVER_ERROR_TIMEOUT)
- {
- SEC_SVR_ERR("%s", "poll() timeout");
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
-
- /* Send to server */
- retval = TEMP_FAILURE_RETRY(write(sock_fd, buf, sizeof(buf)));
- if (retval < (int)sizeof(buf))
- {
- /* Write error */
- SEC_SVR_ERR("Error on write(): %d", retval);
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
- return SECURITY_SERVER_SUCCESS;
-}
-
#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
//VERSION: 0x01
//MSG_ID: 0x1f (SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_REQUEST)
}
#endif
-/* Send PID check request message to security server *
- *
- * Message format
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01 |MessageID=0x09 | Message Length = 20 |
- * |---------------------------------------------------------------|
- * | |
- * | |
- * | Cookie (20bytes) |
- * | |
- * | |
- * |---------------------------------------------------------------|
- */
-int send_pid_request(int sock_fd, const char *cookie)
-{
- basic_header hdr;
- int retval;
- unsigned char buf[sizeof(hdr) + SECURITY_SERVER_COOKIE_LEN];
-
- /* Assemble header */
- hdr.version = SECURITY_SERVER_MSG_VERSION;
- hdr.msg_id = SECURITY_SERVER_MSG_TYPE_PID_REQUEST;
- hdr.msg_len = SECURITY_SERVER_COOKIE_LEN;
-
- memcpy(buf, &hdr, sizeof(hdr));
- memcpy(buf + sizeof(hdr), cookie, SECURITY_SERVER_COOKIE_LEN);
-
- /* Check poll */
- retval = check_socket_poll(sock_fd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
- if (retval == SECURITY_SERVER_ERROR_POLL)
- {
- SEC_SVR_ERR("%s", "poll() error");
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
- if (retval == SECURITY_SERVER_ERROR_TIMEOUT)
- {
- SEC_SVR_ERR("%s", "poll() timeout");
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
-
- /* Send to server */
- retval = TEMP_FAILURE_RETRY(write(sock_fd, buf, sizeof(buf)));
- if (retval < (int)sizeof(buf))
- {
- /* Write error */
- SEC_SVR_ERR("Error on write(): %d", retval);
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
- return SECURITY_SERVER_SUCCESS;
-}
-
-
/* Send validate password request message to security server *
*
* Message format
return retval;
}
-
-/* Receive check privilege request packet body */
-int recv_check_privilege_request(int sockfd, unsigned char *requested_cookie, int *requested_privilege)
-{
- int retval;
- retval = TEMP_FAILURE_RETRY(read(sockfd, requested_cookie, SECURITY_SERVER_COOKIE_LEN));
- if (retval < SECURITY_SERVER_COOKIE_LEN)
- {
- SEC_SVR_ERR("Received cookie size is too small: %d", retval);
- return SECURITY_SERVER_ERROR_RECV_FAILED;
- }
-
- retval = TEMP_FAILURE_RETRY(read(sockfd, requested_privilege, sizeof(int)));
- if (retval < (int)sizeof(int))
- {
- SEC_SVR_ERR("privilege size is too small: %d", retval);
- return SECURITY_SERVER_ERROR_RECV_FAILED;
- }
- return SECURITY_SERVER_SUCCESS;
-}
-
-/* Receive check privilege request packet body (new mode)*/
-int recv_check_privilege_new_request(int sockfd,
- unsigned char *requested_cookie,
- char *object_label,
- char *access_rights)
-{
- int retval;
- int olen, alen;
-
- retval = TEMP_FAILURE_RETRY(read(sockfd, requested_cookie, SECURITY_SERVER_COOKIE_LEN));
- if (retval < SECURITY_SERVER_COOKIE_LEN)
- {
- SEC_SVR_ERR("Received cookie size is too small: %d", retval);
- return SECURITY_SERVER_ERROR_RECV_FAILED;
- }
-
- retval = TEMP_FAILURE_RETRY(read(sockfd, &olen, sizeof(int)));
- if (retval < (int)sizeof(int) || olen < 0 || olen > MAX_OBJECT_LABEL_LEN)
- {
- SEC_SVR_ERR("error reading object_label len: %d", retval);
- return SECURITY_SERVER_ERROR_RECV_FAILED;
- }
-
- retval = TEMP_FAILURE_RETRY(read(sockfd, &alen, sizeof(int)));
- if (retval < (int)sizeof(int) || alen < 0 || alen > MAX_MODE_STR_LEN)
- {
- SEC_SVR_ERR("error reading access_rights len: %d", retval);
- return SECURITY_SERVER_ERROR_RECV_FAILED;
- }
-
- retval = TEMP_FAILURE_RETRY(read(sockfd, object_label, olen));
- if (retval < olen)
- {
- SEC_SVR_ERR("error reading object_label: %d", retval);
- return SECURITY_SERVER_ERROR_RECV_FAILED;
- }
- object_label[olen] = '\0';
-
- retval = TEMP_FAILURE_RETRY(read(sockfd, access_rights, alen));
- if (retval < alen)
- {
- SEC_SVR_ERR("error reading access_rights: %d", retval);
- return SECURITY_SERVER_ERROR_RECV_FAILED;
- }
- access_rights[alen] = '\0';
-
- return SECURITY_SERVER_SUCCESS;
-}
-
-/* Receive pid request packet body */
-int recv_pid_request(int sockfd, unsigned char *requested_cookie)
-{
- int retval;
- retval = TEMP_FAILURE_RETRY(read(sockfd, requested_cookie, SECURITY_SERVER_COOKIE_LEN));
- if (retval < SECURITY_SERVER_COOKIE_LEN)
- {
- SEC_SVR_ERR("Received cookie size is too small: %d", retval);
- return SECURITY_SERVER_ERROR_RECV_FAILED;
- }
- return SECURITY_SERVER_SUCCESS;
-}
-
-/* receiving cookie from package */
-int recv_smack_request(int sockfd, unsigned char *requested_cookie)
-{
- int retval;
- retval = TEMP_FAILURE_RETRY(read(sockfd, requested_cookie, SECURITY_SERVER_COOKIE_LEN));
- if (retval < SECURITY_SERVER_COOKIE_LEN)
- {
- SEC_SVR_ERR("Received cookie size is too small: %d", retval);
- return SECURITY_SERVER_ERROR_RECV_FAILED;
- }
- return SECURITY_SERVER_SUCCESS;
-}
-
#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
int recv_pid_privilege_request(int sockfd, int datasize, int *pid, char **object, char **access_rights)
{
return SECURITY_SERVER_SUCCESS;
}
-int recv_cookie(int sockfd, response_header *hdr, char *cookie)
-{
- int retval;
-
- retval = recv_generic_response(sockfd, hdr);
- if (retval != SECURITY_SERVER_SUCCESS)
- return return_code_to_error_code(hdr->return_code);
-
- retval = TEMP_FAILURE_RETRY(read(sockfd, cookie, SECURITY_SERVER_COOKIE_LEN));
- if (retval < SECURITY_SERVER_COOKIE_LEN)
- {
- /* Error on socket */
- SEC_SVR_ERR("read() failed: %d", retval);
- return SECURITY_SERVER_ERROR_RECV_FAILED;
- }
- return SECURITY_SERVER_SUCCESS;
-}
-
-int recv_privilege_check_response(int sockfd, response_header *hdr)
-{
- int retval;
-
- retval = recv_generic_response(sockfd, hdr);
- if (hdr->return_code != SECURITY_SERVER_RETURN_CODE_ACCESS_GRANTED &&
- hdr->return_code != SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED)
- {
- SEC_SVR_ERR("response error: %d", hdr->return_code);
- return return_code_to_error_code(hdr->return_code);
- }
- return SECURITY_SERVER_SUCCESS;
-}
-
-int recv_privilege_check_new_response(int sockfd, response_header *hdr)
-{
- int retval;
-
- retval = recv_generic_response(sockfd, hdr);
- if (hdr->return_code != SECURITY_SERVER_RETURN_CODE_ACCESS_GRANTED &&
- hdr->return_code != SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED)
- {
- SEC_SVR_ERR("response error: %d", hdr->return_code);
- return return_code_to_error_code(hdr->return_code);
- }
- return SECURITY_SERVER_SUCCESS;
-}
-
-int recv_smack_response(int sockfd, response_header *hdr, char *label)
-{
- int retval;
-
- retval = recv_generic_response(sockfd, hdr);
- if (retval != SECURITY_SERVER_SUCCESS)
- return return_code_to_error_code(hdr->return_code);
-
- retval = TEMP_FAILURE_RETRY(read(sockfd, label, SMACK_LABEL_LEN + 1));
- if (retval < (int)sizeof(int))
- {
- /* Error on socket */
- SEC_SVR_ERR("Client: Receive failed %d", retval);
- return SECURITY_SERVER_ERROR_RECV_FAILED;
- }
- return SECURITY_SERVER_SUCCESS;
-}
-
#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
int recv_pid_privilege_response(int sockfd, response_header *hdr)
{
return SECURITY_SERVER_SUCCESS;
}
#endif
-int recv_pid_response(int sockfd, response_header *hdr, int *pid)
-{
- int retval;
-
- retval = recv_generic_response(sockfd, hdr);
- if (retval != SECURITY_SERVER_SUCCESS)
- return return_code_to_error_code(hdr->return_code);
-
- retval = TEMP_FAILURE_RETRY(read(sockfd, pid, sizeof(int)));
- if (retval < (int)sizeof(int))
- {
- /* Error on socket */
- SEC_SVR_ERR("Client: Receive failed %d", retval);
- return SECURITY_SERVER_ERROR_RECV_FAILED;
- }
- return SECURITY_SERVER_SUCCESS;
-}
-
int recv_pwd_response(int sockfd, response_header *hdr,
unsigned int *current_attempts,
#define SECURITY_SERVER_MIDDLEWARE_USER "app"
/* Message Types */
-#define SECURITY_SERVER_MSG_TYPE_COOKIE_REQUEST 0x01
-#define SECURITY_SERVER_MSG_TYPE_COOKIE_RESPONSE 0x02
-#define SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_REQUEST 0x03
-#define SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE 0x04
// #define SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_REQUEST 0x05
// #define SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_RESPONSE 0x06
#define SECURITY_SERVER_MSG_TYPE_GID_REQUEST 0x07
#define SECURITY_SERVER_MSG_TYPE_GID_RESPONSE 0x08
-#define SECURITY_SERVER_MSG_TYPE_PID_REQUEST 0x09
-#define SECURITY_SERVER_MSG_TYPE_PID_RESPONSE 0x0a
#define SECURITY_SERVER_MSG_TYPE_VALID_PWD_REQUEST 0x0d
#define SECURITY_SERVER_MSG_TYPE_VALID_PWD_RESPONSE 0x0e
#define SECURITY_SERVER_MSG_TYPE_SET_PWD_REQUEST 0x0f
#define SECURITY_SERVER_MSG_TYPE_CHK_PWD_RESPONSE 0x14
#define SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_REQUEST 0x15
#define SECURITY_SERVER_MSG_TYPE_SET_PWD_HISTORY_RESPONSE 0x16
-#define SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_REQUEST 0x17
-#define SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE 0x18
#define SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_REQUEST 0x19
#define SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE 0x1a
#define SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_REQUEST 0x1b
#define SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE 0x1c
-#define SECURITY_SERVER_MSG_TYPE_SMACK_REQUEST 0x1d
-#define SECURITY_SERVER_MSG_TYPE_SMACK_RESPONSE 0x1e
#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
#define SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_REQUEST 0x21
#define SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE 0x22
int authenticate_client_middleware(int sockfd, int *pid);
int get_client_gid_list(int sockfd, int **privileges);
int send_generic_response (int sockfd, unsigned char msgid, unsigned char return_code);
-int send_cookie(int sockfd, unsigned char *cookie);
int send_object_name(int sockfd, char *obj);
int send_gid(int sockfd, int gid);
-int send_cookie_request(int sock_fd);
int send_gid_request(int sock_fd, const char *object);
int send_object_name_request(int sock_fd, int gid);
-int send_privilege_check_request(int sock_fd, const char *cookie, int gid);
-int send_privilege_check_new_request(int sock_fd,
- const char *cookie,
- const char *object,
- const char *access_rights);
int recv_get_gid_response(int sockfd, response_header *hdr, int *gid);
int recv_get_object_name(int sockfd, response_header *hdr, char *object, int max_object_size);
-int recv_cookie(int sockfd, response_header *hdr, char *cookie);
-int recv_privilege_check_response(int sockfd, response_header *hdr);
-int recv_privilege_check_new_response(int sockfd, response_header *hdr);
-int recv_hdr(int client_sockfd, basic_header *basic_hdr);
-int recv_check_privilege_request(int sockfd, unsigned char *requested_cookie, int *requested_privilege);
-int recv_check_privilege_new_request(int sockfd,
- unsigned char *requested_cookie,
- char *object_label,
- char *access_rights);
-int send_pid_request(int sock_fd, const char *cookie);
-int recv_pid_request(int sockfd, unsigned char *requested_cookie);
-int send_pid(int sockfd, int pid);
-int recv_pid_response(int sockfd, response_header *hdr, int *pid);
-int send_smack_request(int sockfd, const char *cookie);
-int recv_smack_request(int sockfd, unsigned char *requested_cookie);
-int send_smack(int sockfd, char *label);
-int recv_smack_response(int sockfd, response_header *hdr, char *label);
+int recv_hdr(int client_sockfd, basic_header *basic_hdr);
#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
int send_pid_privilege_request(int sockfd, int pid, const char *object, const char *access_rights);
+++ /dev/null
-/*
- * security-server
- *
- * Copyright (c) 2000 - 2012 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im <bj.im@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- *
- */
-
-#ifndef SECURITY_SERVER_COOKIE_H
-#define SECURITY_SERVER_COOKIE_H
-
-#include "security-server-common.h"
-
-void free_cookie_item(cookie_list *cookie);
-cookie_list *delete_cookie_item(cookie_list *cookie);
-cookie_list *search_existing_cookie(int pid, const cookie_list *c_list);
-cookie_list *search_cookie(const cookie_list *c_list, const unsigned char *cookie, int *privileges, int privilegesSize);
-cookie_list *search_cookie_new(const cookie_list *c_list,
- const unsigned char *cookie,
- const char *object,
- const char *access_rights);
-int generate_random_cookie(unsigned char *cookie, int size);
-cookie_list *create_cookie_item(int pid, int sockfd, cookie_list *c_list);
-cookie_list *create_default_cookie(void);
-cookie_list *garbage_collection(cookie_list *cookie);
-cookie_list *search_cookie_from_pid(cookie_list *c_list, int pid);
-void printhex(const unsigned char *data, int size);
-
-#endif
#endif
#include "security-server-common.h"
-
-/* Only for test */
-/* These msg type MUST BE REMOVED before release **************************/
-#define SECURITY_SERVER_MSG_TYPE_GET_ALL_COOKIES_REQUEST 0x51
-#define SECURITY_SERVER_MSG_TYPE_GET_ALL_COOKIES_RESPONSE 0x52
-#define SECURITY_SERVER_MSG_TYPE_GET_COOKIEINFO_FROM_PID_REQUEST 0x53
-#define SECURITY_SERVER_MSG_TYPE_GET_COOKIEINFO_RESPONSE 0x54
-#define SECURITY_SERVER_MSG_TYPE_GET_COOKIEINFO_FROM_COOKIE_REQUEST 0x55
-/**********************************************************************/
-
-int util_process_all_cookie(int sockfd, cookie_list *list);
-int util_process_cookie_from_pid(int sockfd, cookie_list *list);
-int util_process_cookie_from_cookie(int sockfd, cookie_list *list);
int util_smack_label_is_valid(const char *smack_label);
-
char *read_exe_path_from_proc(pid_t pid);
int authorize_SS_API_caller_socket(int sockfd, char *required_API_label, char *required_rule);
* ...
* \endcode
*/
-int security_server_request_cookie(char *cookie, size_t max_cookie);
+int security_server_request_cookie(char *cookie, size_t bufferSize);
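Review bot: The Doxygen block above the new prototype `int security_server_request_cookie(char *cookie, size_t bufferSize);` is only partly inside this hunk, so if it still has a `\param` entry for `max_cookie`, that entry now names a parameter that no longer exists and should be renamed to `bufferSize`. Because this call writes a cookie into a caller-supplied buffer, the comment should also state the minimum size a caller must pass and which error code comes back when the buffer is smaller, for example `\param[in] bufferSize size of the cookie buffer in bytes; must be at least the cookie length`. On style, `bufferSize` is camelCase while the C prototypes elsewhere in this commit use snake_case (`max_object_size`, `access_rights`). If the definition is free to follow, `buffer_size` would match the rest of the C API.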
+++ /dev/null
-/*
- * security-server
- * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im <bj.im@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- *
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/stat.h>
-#include <errno.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <fcntl.h>
-#include <sys/smack.h>
-
-#include <security-server-cookie.h>
-#include <security-server-comm.h>
-#include <security-server-util.h>
-#include <smack-check.h>
-
-#include <privilege-control.h>
-
-/* Delete useless cookie item *
- * then connect prev and next */
-void free_cookie_item(cookie_list *cookie)
-{
- free(cookie->path);
- free(cookie->permissions);
- free(cookie->smack_label);
- if (cookie->prev != NULL)
- cookie->prev->next = cookie->next;
- if (cookie->next != NULL)
- cookie->next->prev = cookie->prev;
- free(cookie);
-}
-
-/* Cut the link of the current cookie item and connect previous link and next line *
- * That is remove a cookie item *
- * Returns next cookie item if exist, NULL for no more cookie item */
-cookie_list *delete_cookie_item(cookie_list *cookie)
-{
- cookie_list *retval = NULL;
- if (cookie == NULL)
- {
- SEC_SVR_ERR("%s", "Cannot delete null cookie");
- return retval;
- }
-
- /* Reconnect cookie item */
- if (cookie->next != NULL)
- {
- cookie->prev->next = cookie->next;
- cookie->next->prev = cookie->prev;
- retval = cookie->next;
- }
- else
- {
- cookie->prev->next = NULL;
- }
-
- free_cookie_item(cookie);
- return retval;
-}
-
-cookie_list *garbage_collection(cookie_list *cookie)
-{
- char path[17];
- cookie_list *retval = NULL;
- struct stat statbuf;
- int ret;
-
- while (cookie != NULL)
- {
- /* Skip default cookie */
- if (cookie->pid == 0)
- return cookie;
-
- /* Try to find the PID directory from proc fs */
- snprintf(path, sizeof(path), "/proc/%d", cookie->pid);
- path[16] = 0;
- ret = stat(path, &statbuf);
- if (ret != 0)
- {
- /* If it's not exist, delete the cookie */
- if (errno == ENOENT)
- {
- SEC_SVR_DBG("Garbage found. PID:%d, deleting...", cookie->pid);
- cookie = delete_cookie_item(cookie);
- continue;
- }
- else
- {
- /* Some error occurred */
- SEC_SVR_ERR("Error occurred on stat: errno = %d", errno);
- return cookie;
- }
- }
- else
- {
- /* This is not a garbage. returning */
- return cookie;
- }
- }
- return retval;
-}
-
-/* Search existing cookie from the cookie list for the client process *
- * At the same time, it collects garbage cookie which PID is no longer exist and delete them */
-cookie_list *search_existing_cookie(int pid, const cookie_list *c_list)
-{
- cookie_list *current = (cookie_list*)c_list, *cookie = NULL;
- char *exe = NULL;
-
- /* Search from the list */
- while (current != NULL)
- {
- /* print_cookie(current);*/
- current = garbage_collection(current);
- if (current == NULL)
- break;
-
- /* PID must be same */
- if (current->pid == pid)
- {
- /* Found cookie for the pid. Check the cookie is reused by dirrent executable */
- /* Check the path of the process */
- exe = read_exe_path_from_proc(pid);
- if (exe == NULL)
- {
- SEC_SVR_ERR("%s", "cannot read cmdline");
- return NULL;
- }
- /* Check the path is different. */
- if (strcmp(exe, current->path) != 0)
- {
- /* Delete cookie for reused pid. This is an extremely rare situation. */
- SEC_SVR_DBG("Pid [%d] for exec [%s] has been reused by [%s]. Deleting the old cookie.", pid, current->path, exe);
- current = delete_cookie_item(current);
- }
- else
- {
- SEC_SVR_DBG("%s", "cookie found");
- cookie = current;
- }
-
- if (exe != NULL)
- {
- free(exe);
- exe = NULL;
- }
- }
- current = current->next;
- }
- return cookie;
-}
-
-/* Search existing cookie from the cookie list for matching pid *
- * Default cookie (meaning PID 0) is not allowed in here */
-cookie_list *search_cookie_from_pid(cookie_list *c_list, int pid)
-{
- cookie_list *current = (cookie_list*)c_list, *retval = NULL;
-
- /* Search from the list */
- while (current != NULL)
- {
- /* print_cookie(current);*/
- /* PID must be same */
- current = garbage_collection(current);
- if (current == NULL)
- break;
-
- if (current->pid == pid)
- {
- SEC_SVR_DBG("%s", "cookie has been found");
- retval = current;
- goto finish;
- }
- current = current->next;
- }
-finish:
- return retval;
-}
-
-/* Search existing cookie from the cookie list for matching cookie and privilege */
-/* If privilege is 0, just search cookie exists or not */
-cookie_list *search_cookie(const cookie_list *c_list, const unsigned char *cookie, int *privileges, int privilegesSize)
-{
- cookie_list *current = (cookie_list*)c_list, *retval = NULL;
- int i, j;
-
- /* Search from the list */
- while (current != NULL)
- {
- /* print_cookie(current);*/
- /* PID must be same */
- current = garbage_collection(current);
- if (current == NULL)
- break;
-
- //searching for cookie
- if (memcmp(current->cookie, cookie, SECURITY_SERVER_COOKIE_LEN) == 0)
- {
- SEC_SVR_DBG("%s", "Cookie has been found");
-
- //check if this cookie belongs to root process (root process created it)
- if (current->is_roots_process == 1)
- {
- SEC_SVR_DBG("%s", "Root process cookie, special privileges");
- //we can skip privilege checking
- retval = current;
- goto finish;
- }
-
- if ((privileges == NULL) || (privilegesSize == 0))
- {
- SEC_SVR_DBG("%s", "No privileges to search in cookie!");
- }
- else if (current->permissions == NULL)
- {
- SEC_SVR_DBG("%s", "Cookie has no privileges inside!");
- }
- else
- {
- SEC_SVR_DBG("%s", "Searching for privileges");
- SEC_SVR_DBG("%s %d", "Privileges in cookie:", current->permission_len);
- SEC_SVR_DBG("%s %d", "Privileges to search:", privilegesSize);
-
- for (j = 0; j < privilegesSize; j++)
- {
- for (i = 0; i < current->permission_len; i++)
- {
- if (privileges[j] == current->permissions[i])
- {
- SEC_SVR_DBG("Found privilege %d", privileges[j]);
- retval = current;
- goto finish;
- }
- }
- }
- }
- }
- current = current->next;
- }
-finish:
- return retval;
-}
-
-
-cookie_list *search_cookie_new(const cookie_list *c_list,
- const unsigned char *cookie,
- const char *object,
- const char *access_rights)
-{
- cookie_list *current = (cookie_list*)c_list, *retval = NULL;
- int ret;
-
- /* Search from the list */
- while (current != NULL)
- {
- /* print_cookie(current);*/
- /* PID must be same */
- current = garbage_collection(current);
- if (current == NULL)
- break;
-
- if (memcmp(current->cookie, cookie, SECURITY_SERVER_COOKIE_LEN) == 0)
- {
- SEC_SVR_DBG("%s", "cookie has been found");
- if (smack_check())
- {
- ret = smack_pid_have_access(current->pid, object, access_rights);
-
- SEC_SVR_DBG("SMACK have access returned %d", ret);
- if (ret > 0)
- SECURE_SLOGD("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", current->pid, current->smack_label, object, access_rights, ret, current->path);
- else
- SECURE_SLOGW("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", current->pid, current->smack_label, object, access_rights, ret, current->path);
-
- if (ret == 1)
- {
- retval = current;
- goto finish;
- }
- } else {
- retval = current;
- goto finish;
- }
- }
- current = current->next;
- }
-finish:
- return retval;
-}
-
-
-/* Generage a random stream value of size to cookie *
- * by reading /dev/uranddom file */
-int generate_random_cookie(unsigned char *cookie, int size)
-{
- int fd, ret;
-
- if (cookie == NULL) {
- SEC_SVR_ERR("%s", "Null pointer passed to function");
- return SECURITY_SERVER_ERROR_UNKNOWN;
- }
- fd = open("/dev/urandom", O_RDONLY);
- if (fd < 0)
- {
- SEC_SVR_ERR("%s", "Cannot open /dev/urandom");
- return SECURITY_SERVER_ERROR_FILE_OPERATION;
- }
- ret = TEMP_FAILURE_RETRY(read(fd, cookie, size));
- if (ret < size)
- {
- SEC_SVR_ERR("Cannot read /dev/urandom: %d", ret);
- ret = SECURITY_SERVER_ERROR_FILE_OPERATION;
- goto error;
- }
- ret = SECURITY_SERVER_SUCCESS;
-error:
- if (fd >= 0)
- close(fd);
- return ret;
-}
-
-/* Create a cookie item from PID */
-cookie_list *create_cookie_item(int pid, int sockfd, cookie_list *c_list)
-{
- int ret;
- cookie_list *added = NULL, *current = NULL;
- char path[24], *exe = NULL;
- char delim[] = ": ", *token = NULL;
- int *permissions = NULL, perm_num = 1, *tempperm = NULL;
- char *smack_label = NULL;
- FILE *fp = NULL;
- size_t line_len = 0;
- char* line = NULL;
-
- current = search_existing_cookie(pid, c_list);
- if (current != NULL)
- {
- /* There is a cookie for this process already */
- added = current;
- SEC_SVR_DBG("%s", "Existing cookie found");
- goto error;
- }
-
- /* Read command line of the PID from proc fs */
- exe = (char*)read_exe_path_from_proc(pid);
- if (exe == NULL)
- {
- SEC_SVR_ERR("Error on reading /proc/%d/exe", pid);
- goto error;
- }
-
- /*
- * modified by security part
- * - get gid from /etc/group
- */
- /* Read group info of the PID from proc fs - /proc/[PID]/status */
- snprintf(path, sizeof(path), "/proc/%d/status", pid);
- fp = fopen(path, "r");
-
- /* Find the line which starts with 'Groups:' */
- while (1)
- {
- /* get one line from /proc/[PID]/status */
- free(line);
- line = NULL;
- if(-1 == getline(&line,&line_len,fp))
- goto out_of_while;
-
- /* find 'Groups:' */
- if (strncmp(line, "Groups:", 7) == 0)
- {
- /* get gid from the line and insert to 'permissions' array */
- token = strtok(line, delim); // first string is "Groups"
- while ((token = strtok(NULL, delim)))
- {
- tempperm = realloc(permissions, sizeof(int) * perm_num);
- if (tempperm == NULL)
- {
- SEC_SVR_ERR("%s", "Error on realloc()");
- goto error;
- }
- permissions = tempperm;
- errno = 0;
- permissions[perm_num - 1] = strtoul(token, 0, 10);
- if (errno != 0)
- {
- SEC_SVR_ERR("cannot change string to integer [%s]", token);
- ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
- goto error;
- }
- perm_num++;
- }
- perm_num--;
-
- /* goto out of while loop */
- break;
- }
- }
-out_of_while:
-
- /* Each group ID is stored in each line of the file */
- // while(fgets(permline, sizeof(permline), fp) != NULL)
- // {
- // permissions = realloc(permissions, sizeof(int) * perm_num);
- // if(permissions == NULL)
- // {
- // SEC_SVR_DBG("%s", "Error on realloc()");
- // goto error;
- // }
- // permissions[perm_num -1] = strtoul(permline, 0, 10);
- // perm_num++;
- // }
- // perm_num--;
- /*
- * modifying end
- */
-
- /* Go to last cookie from the list */
- current = c_list;
- while (current->next != NULL)
- {
- current = current->next;
- }
-
- /* Create a new one and assign values */
- added = malloc(sizeof(cookie_list));
- if (added == NULL)
- goto error;
-
- ret = generate_random_cookie(added->cookie, SECURITY_SERVER_COOKIE_LEN);
- if (ret != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Error on making random cookie: %d", ret);
- free(added);
- added = NULL;
- goto error;
- }
-
- /* Check SMACK label */
- if (smack_check())
- {
- ret = smack_new_label_from_socket(sockfd, &smack_label);
- if (ret < 0)
- {
- SEC_SVR_ERR("Error checking peer label: %d", ret);
- free(added);
- added = NULL;
- goto error;
- }
- }
-
- added->path = exe;
- exe = NULL;
- added->permission_len = perm_num;
- added->pid = pid;
- added->permissions = permissions;
- permissions = NULL;
- added->smack_label = smack_label;
- added->prev = current;
- current->next = added;
- added->next = NULL;
-
-error:
- free(line);
- free(exe);
- if (fp != NULL)
- fclose(fp);
- free(permissions);
-
- return added;
-}
-
-/* Check stored default cookie, if it's not exist make a new one and store it */
-int check_stored_cookie(unsigned char *cookie, int size)
-{
- int fd, ret;
-
- /* First, check the default cookie is stored */
- fd = open(SECURITY_SERVER_DEFAULT_COOKIE_PATH, O_RDONLY);
- if (fd < 0)
- {
- if (errno != ENOENT)
- {
- SEC_SVR_ERR("Cannot open default cookie. errno=%d", errno);
- ret = SECURITY_SERVER_ERROR_FILE_OPERATION;
- unlink(SECURITY_SERVER_DEFAULT_COOKIE_PATH);
- }
-
- ret = generate_random_cookie(cookie, size);
-
- /* Save cookie to disk */
- fd = open(SECURITY_SERVER_DEFAULT_COOKIE_PATH, O_WRONLY | O_CREAT, 0600);
- if (fd < 0)
- {
- SEC_SVR_ERR("Cannot open default cookie errno=%d", errno);
- ret = SECURITY_SERVER_ERROR_FILE_OPERATION;
- goto error;
- }
- ret = TEMP_FAILURE_RETRY(write(fd, cookie, size));
- if (ret < size)
- {
- SEC_SVR_ERR("%s", "Cannot save default cookie");
- ret = SECURITY_SERVER_ERROR_FILE_OPERATION;
- goto error;
- }
-
- close(fd);
- return SECURITY_SERVER_SUCCESS;
- }
-
- ret = TEMP_FAILURE_RETRY(read(fd, cookie, size));
- if (ret < size)
- {
- SEC_SVR_ERR("Cannot read default cookie errno=%d", errno);
- ret = SECURITY_SERVER_ERROR_FILE_OPERATION;
- goto error;
- }
- ret = SECURITY_SERVER_SUCCESS;
-
-error:
- if (fd >= 0)
- close(fd);
- return ret;
-}
-/* Create a cookie item from PID */
-
-/* Create a default cookie when security server is executed *
- * Default cookie is for root processes that needs cookie */
-cookie_list *create_default_cookie(void)
-{
- cookie_list *first = NULL;
- int ret;
-
- first = malloc(sizeof(cookie_list));
-
- ret = check_stored_cookie(first->cookie, SECURITY_SERVER_COOKIE_LEN);
- if (ret != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("Error on making random cookie: %d", ret);
- free(first);
- return NULL;
- }
-
- first->permission_len = 0;
- first->pid = 0;
- first->path = NULL;
- first->permissions = NULL;
- first->smack_label = NULL;
- first->prev = NULL;
- first->next = NULL;
- return first;
-}
#include <privilege-control.h>
-#include "security-server-cookie.h"
#include "security-server-common.h"
#include "security-server-password.h"
#include "security-server-comm.h"
+#include "security-server-util.h"
#include "smack-check.h"
//definitions of security-server API labels
//required rule type
#define API_RULE_REQUIRED "w"
-/* Set cookie as a global variable */
-cookie_list *c_list;
-pthread_mutex_t cookie_mutex;
int thread_status[SECURITY_SERVER_NUM_THREADS];
struct security_server_thread_param {
int client_sockfd;
};
-/************************************************************************************************/
-/* Just for test. This code must be removed on release */
-#include "security-server-util.h"
-/************************************************************************************************/
-
-#if 0
-void printhex(unsigned char *data, int size)
-{
- int i;
- for (i = 0; i < size; i++)
- {
- if (data[i] < 0xF)
- printf("0");
-
- printf("%X ", data[i]);
- if (((i + 1) % 16) == 0 && i != 0)
- printf("\n");
- }
- printf("\n");
-}
-
-void print_cookie(cookie_list *list)
-{
- int i;
- printf("%s", "cookie:\n");
- printhex(list->cookie, SECURITY_SERVER_COOKIE_LEN);
- printf("path_len: %d\n", list->path ? strlen(list->path) : 0);
- printf("permission_len: %d\n", list->permission_len);
- printf("PID: %d\n", list->pid);
- printf("path: %s\n", list->path);
- printf("%s", "permissions: ");
- for (i = 0; i < list->permission_len; i++)
- {
- printf("%d ", list->permissions[i]);
- }
- printf("%s", "\n");
- printf("prev: %p\n", list->prev);
- printf("next: %p\n", list->next);
-}
-#endif
-
/*
* Searches for group ID by given group name
*/
return;
}
-int process_cookie_request(int sockfd)
-{
- int retval, client_pid, client_uid;
- cookie_list *created_cookie = NULL;
- unsigned char cookie[SECURITY_SERVER_COOKIE_LEN];
- pid_t cookie_pid;
- char *cookie_label = NULL;
-
- /* Authenticate client */
- retval = authenticate_client_application(sockfd, &client_pid, &client_uid);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("%s", "Client Authentication Failed");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
- /* If client application is root process, just respond default cookie */
- /*
- if( client_uid == 0)
- {
- SEC_SVR_DBG("%s", "Requested application is a root process");
- created_cookie = c_list;
- if(c_list == NULL)
- {
- SEC_SVR_DBG("%s", "Cannot read default cookie");
- goto error;
- }
- }
- else
- {
- */
- //TODO: Remove above code if there will be no crashes without it
- //All process should be treaded the same
-
- /* Create a new cookie. or find existing one */
- pthread_mutex_lock(&cookie_mutex);
- created_cookie = create_cookie_item(client_pid, sockfd, c_list);
- if (created_cookie == NULL)
- {
- pthread_mutex_unlock(&cookie_mutex);
- SEC_SVR_ERR("%s","Cannot create a cookie");
- goto error;
- }
-
- //let others know if this cookie belongs to root process
- if (client_uid == 0)
- created_cookie->is_roots_process = 1;
- else
- created_cookie->is_roots_process = 0;
- memcpy(cookie, created_cookie->cookie, SECURITY_SERVER_COOKIE_LEN);
- cookie_pid = created_cookie->pid;
- if (created_cookie->smack_label)
- cookie_label = strdup(created_cookie->smack_label);
- else
- cookie_label = strdup("NULL");
- pthread_mutex_unlock(&cookie_mutex);
-
- //}
- /* send cookie as response */
- retval = send_cookie(sockfd, cookie);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
- }
- SECURE_SLOGD("Server: Cookie created for client PID %d LABEL >%s<",
- cookie_pid, cookie_label);
-
- SEC_SVR_DBG("%s", "Server: Cookie has been sent to client");
- free(cookie_label);
-
-error:
- return retval;
-}
-
-int process_check_privilege_request(int sockfd)
-{
- /* Authenticate client */
- int retval, client_pid, requested_privilege;
- int privileges[1];
- unsigned char requested_cookie[SECURITY_SERVER_COOKIE_LEN];
- cookie_list *search_result = NULL;
-
- retval = authenticate_client_middleware(sockfd, &client_pid);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("%s", "Client Authentication Failed");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
- }
- goto error;;
- }
-
- retval = recv_check_privilege_request(sockfd,
- requested_cookie, &requested_privilege);
- if (retval == SECURITY_SERVER_ERROR_RECV_FAILED)
- {
- SEC_SVR_ERR("%s", "Receiving request failed");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
- }
- goto error;;
- }
-
- if (requested_privilege < 1)
- {
- SEC_SVR_ERR("Requiring bad privilege [%d]", requested_privilege);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- /* Search cookie list */
- pthread_mutex_lock(&cookie_mutex);
- privileges[0] = requested_privilege;
- search_result = search_cookie(c_list, requested_cookie, privileges, 1);
- pthread_mutex_unlock(&cookie_mutex);
- if (search_result != NULL)
- {
- /* We found */
- SEC_SVR_DBG("We found the cookie with %d privilege and pid:%d", requested_privilege, client_pid);
- SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted.");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_ACCESS_GRANTED);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
- }
- }
- else
- {
- /* It's not exist */
- SEC_SVR_WRN("Could not find the cookie with %d privilege", requested_privilege);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
- }
- }
-error:
- return retval;
-}
-
-int process_check_privilege_new_request(int sockfd)
-{
- /* Authenticate client */
- int retval, client_pid;
- unsigned char requested_cookie[SECURITY_SERVER_COOKIE_LEN];
- cookie_list *search_result = NULL;
- char object_label[MAX_OBJECT_LABEL_LEN + 1];
- char access_rights[MAX_MODE_STR_LEN + 1];
-
- retval = authenticate_client_middleware(sockfd, &client_pid);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("%s", "Client Authentication Failed");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
- }
- goto error;;
- }
-
- retval = recv_check_privilege_new_request(
- sockfd, requested_cookie, object_label, access_rights);
- if (retval == SECURITY_SERVER_ERROR_RECV_FAILED)
- {
- SEC_SVR_ERR("%s", "Receiving request failed");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
- }
- goto error;;
- }
-
- /* Search cookie list */
- pthread_mutex_lock(&cookie_mutex);
- search_result = search_cookie_new(c_list, requested_cookie, object_label, access_rights);
- pthread_mutex_unlock(&cookie_mutex);
-
- if (search_result != NULL)
- {
- /* We found */
- SEC_SVR_DBG("We found the cookie with %s rights and pid:%d", access_rights, client_pid);
- SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted.");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_ACCESS_GRANTED);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
- }
- }
- else
- {
- /* It's not exist */
- SEC_SVR_WRN("Could not find the cookie with %s rights", access_rights);
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
- }
- }
-error:
- return retval;
-}
-
// int process_object_name_request(int sockfd)
// {
// int retval, client_pid, requested_privilege;
return retval;
}
-int process_pid_request(int sockfd)
-{
- int retval, client_pid;
- unsigned char requested_cookie[SECURITY_SERVER_COOKIE_LEN];
- int *privileges = NULL;
- cookie_list *search_result = NULL;
- pid_t cookie_pid = 0;
-
- /* Authenticate client */
- retval = authenticate_client_middleware(sockfd, &client_pid);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("%s", "Client Authentication Failed");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_PID_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- retval = recv_pid_request(sockfd, requested_cookie);
- if (retval == SECURITY_SERVER_ERROR_RECV_FAILED)
- {
- SEC_SVR_ERR("%s", "Receiving request failed");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_PID_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- retval = get_client_gid_list(sockfd, &privileges);
- if (retval < 0)
- {
- SEC_SVR_ERR("ERROR: Cannot get GID list");
- goto error;
- }
-
- /* Search cookie list */
- pthread_mutex_lock(&cookie_mutex);
- search_result = search_cookie(c_list, requested_cookie, privileges, retval);
- if (search_result)
- cookie_pid = search_result->pid;
- pthread_mutex_unlock(&cookie_mutex);
-
- free(privileges);
-
- if (search_result != NULL)
- {
- /* We found */
- SEC_SVR_DBG("We found the cookie and pid:%d", cookie_pid);
- SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted.");
- retval = send_pid(sockfd, cookie_pid);
-
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
- }
- }
- else
- {
- /* It's not exist */
- SEC_SVR_ERR("%s", "Could not find the cookie");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_PID_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_NO_SUCH_COOKIE);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send pid response: %d", retval);
- }
- }
-error:
- return retval;
-}
-
-int process_smack_request(int sockfd)
-{
- int retval, client_pid;
- int *privileges = NULL;
- unsigned char requested_cookie[SECURITY_SERVER_COOKIE_LEN];
- cookie_list *search_result = NULL;
- //handler for SMACK label
- char *label = NULL;
-
- /* Authenticate client */
- retval = authenticate_client_middleware(sockfd, &client_pid);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("%s", "Client Authentication Failed");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SMACK_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- retval = recv_smack_request(sockfd, requested_cookie);
- if (retval == SECURITY_SERVER_ERROR_RECV_FAILED)
- {
- SEC_SVR_ERR("%s", "Receiving request failed");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SMACK_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
- }
- goto error;
- }
-
- retval = get_client_gid_list(sockfd, &privileges);
- if (retval < 0)
- {
- SEC_SVR_ERR("ERROR: Cannot get GID list");
- goto error;
- }
-
- /* Search cookie list */
- pthread_mutex_lock(&cookie_mutex);
- search_result = search_cookie(c_list, requested_cookie, privileges, retval);
- if (search_result) {
- if (search_result->smack_label)
- label = strdup(search_result->smack_label);
- else {
- SEC_SVR_DBG("%s", "No SMACK support on device - returning empty label");
- label = strdup("");
- }
- }
- pthread_mutex_unlock(&cookie_mutex);
-
- free(privileges);
-
- if (search_result != NULL)
- {
- /* We found */
- SEC_SVR_DBG("We found the cookie and pid:%d", search_result->pid);
- SEC_SVR_DBG("%s", "Cookie comparison succeeded. Access granted.");
- SECURE_SLOGD("Read label is: %s\n", label);
-
- retval = send_smack(sockfd, label);
-
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
- }
- }
- else
- {
- /* It's not exist */
- SEC_SVR_ERR("%s", "Could not find the cookie");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_SMACK_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_NO_SUCH_COOKIE);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send SMACK label response: %d", retval);
- }
- }
- free(label);
-error:
- return retval;
-}
#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
int process_pid_privilege_check(int sockfd, int datasize)
{
void *security_server_thread(void *param)
{
- int client_sockfd = -1, client_uid, client_pid;
+ int client_sockfd = -1;
int server_sockfd, retval;
basic_header basic_hdr;
struct security_server_thread_param *my_param;
/* Act different for request message ID */
switch (basic_hdr.msg_id)
{
- case SECURITY_SERVER_MSG_TYPE_COOKIE_REQUEST:
- SEC_SVR_DBG("%s", "Cookie request received");
- authorize_SS_API_caller_socket(client_sockfd, API_FREE_ACCESS, API_RULE_REQUIRED);
- process_cookie_request(client_sockfd);
- break;
-
- case SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_REQUEST:
- SEC_SVR_DBG("%s", "Privilege check received");
- authorize_SS_API_caller_socket(client_sockfd, API_MIDDLEWARE, API_RULE_REQUIRED);
- process_check_privilege_request(client_sockfd);
- break;
-
- case SECURITY_SERVER_MSG_TYPE_CHECK_PRIVILEGE_NEW_REQUEST:
- SEC_SVR_DBG("%s", "Privilege check (new mode) received");
- authorize_SS_API_caller_socket(client_sockfd, API_MIDDLEWARE, API_RULE_REQUIRED);
- process_check_privilege_new_request(client_sockfd);
- break;
-
// case SECURITY_SERVER_MSG_TYPE_OBJECT_NAME_REQUEST:
// SECURE_SLOGD("%s", "Get object name request received");
// authorize_SS_API_caller_socket(client_sockfd, API_MIDDLEWARE, API_RULE_REQUIRED);
process_gid_request(client_sockfd, (int)basic_hdr.msg_len);
break;
- case SECURITY_SERVER_MSG_TYPE_PID_REQUEST:
- SEC_SVR_DBG("%s", "pid request received");
- authorize_SS_API_caller_socket(client_sockfd, API_MIDDLEWARE, API_RULE_REQUIRED);
- process_pid_request(client_sockfd);
- break;
-
- case SECURITY_SERVER_MSG_TYPE_SMACK_REQUEST:
- SEC_SVR_DBG("%s", "SMACK label request received");
- authorize_SS_API_caller_socket(client_sockfd, API_MIDDLEWARE, API_RULE_REQUIRED);
- process_smack_request(client_sockfd);
- break;
-
#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
case SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_REQUEST:
SEC_SVR_DBG("%s", "PID privilege check request received");
process_set_pwd_validity_request(client_sockfd);
break;
- /************************************************************************************************/
- /* Just for test. This code must be removed on release */
- case SECURITY_SERVER_MSG_TYPE_GET_ALL_COOKIES_REQUEST:
- SEC_SVR_DBG("%s", "all cookie info request received -- NEED TO BE DELETED ON RELEASE");
- retval = authenticate_client_application(client_sockfd, &client_pid, &client_uid);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("%s", "Client Authentication Failed");
- retval = send_generic_response(client_sockfd,
- SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
- }
- break;
- }
- retval = util_process_all_cookie(client_sockfd, c_list);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send all cookie info: %d", retval);
- }
- break;
-
- case SECURITY_SERVER_MSG_TYPE_GET_COOKIEINFO_FROM_PID_REQUEST:
- SEC_SVR_DBG("%s", "cookie info from pid request received -- NEED TO BE DELETED ON RELEASE");
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("%s", "Client Authentication Failed");
- retval = send_generic_response(client_sockfd,
- SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
- }
- break;
- }
- util_process_cookie_from_pid(client_sockfd, c_list);
- break;
-
- case SECURITY_SERVER_MSG_TYPE_GET_COOKIEINFO_FROM_COOKIE_REQUEST:
- SEC_SVR_DBG("%s", "cookie info from cookie request received -- NEED TO BE DELETED ON RELEASE");
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("%s", "Client Authentication Failed");
- retval = send_generic_response(client_sockfd,
- SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
- if (retval != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
- }
- break;
- }
- util_process_cookie_from_cookie(client_sockfd, c_list);
- break;
- /************************************************************************************************/
-
-
default:
SEC_SVR_ERR("Unknown msg ID :%d", basic_hdr.msg_id);
/* Unknown message ID */
SEC_SVR_ERR("%s", "Socket was passed by systemd");
}
- /* Create a default cookie --> Cookie for root process */
- c_list = create_default_cookie();
- if (c_list == NULL)
- {
- SEC_SVR_ERR("%s", "cannot make a default cookie. exiting...");
- goto error;
- }
-
/* Init signal handler */
act.sa_handler = NULL;
act.sa_sigaction = security_server_sig_child;
SEC_SVR_ERR("%s", "cannot change session");
}
- pthread_mutex_init(&cookie_mutex, NULL);
-
while (1)
{
/* Accept a new client */
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Bumjin Im <bj.im@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file client-cookie.cpp
+ * @author Pawel Polawski (p.polawski@partner.samsung.com)
+ * @version 1.0
+ * @brief This file contain implementation of cookie functions for getting cookies
+ */
+
+
+#include <cstdio>
+
+#include <dpl/log/log.h>
+#include <dpl/exception.h>
+
+#include <socket-buffer.h>
+#include <client-common.h>
+#include <protocols.h>
+
+#include <security-server.h>
+#include <security-server-common.h>
+
+
+SECURITY_SERVER_API
+int security_server_get_cookie_size(void)
+{
+ return SecurityServer::COOKIE_SIZE;
+}
+
+SECURITY_SERVER_API
+int security_server_request_cookie(char *cookie, size_t bufferSize)
+{
+ using namespace SecurityServer;
+ SocketBuffer send, recv;
+ std::vector<char> receivedCookie;
+
+ LogDebug("security_server_request_cookie() called");
+
+ try {
+ //checking parameters
+ if (bufferSize < COOKIE_SIZE) {
+ LogDebug("Buffer for cookie too small");
+ return SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL;
+ }
+ if (cookie == NULL) {
+ LogDebug("Cookie pointer empty");
+ return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
+ }
+
+ //put data into buffer
+ Serialization::Serialize(send, (int)CookieGet::COOKIE);
+
+ //send buffer to server
+ int retval = sendToServer(SERVICE_SOCKET_COOKIE_GET, send.Pop(), recv);
+ if (retval != SECURITY_SERVER_API_SUCCESS) {
+ LogDebug("Error in sendToServer. Error code: " << retval);
+ return retval;
+ }
+
+ //receive response from server
+ Deserialization::Deserialize(recv, retval);
+ if (retval != SECURITY_SERVER_API_SUCCESS)
+ return retval;
+
+ Deserialization::Deserialize(recv, receivedCookie);
+ if (receivedCookie.size() != COOKIE_SIZE) {
+ LogDebug("No match in cookie size");
+ return SECURITY_SERVER_API_ERROR_BAD_RESPONSE;
+ }
+
+ memcpy(cookie, &receivedCookie[0], receivedCookie.size());
+ return retval;
+
+ } catch (SocketBuffer::Exception::Base &e) {
+ LogDebug("SecurityServer::SocketBuffer::Exception " << e.DumpToString());
+ } catch (std::exception &e) {
+ LogDebug("STD exception " << e.what());
+ } catch (...) {
+ LogDebug("Unknown exception occured");
+ }
+
+ return SECURITY_SERVER_API_ERROR_UNKNOWN;
+}
+
+SECURITY_SERVER_API
+int security_server_get_cookie_pid(const char *cookie)
+{
+ using namespace SecurityServer;
+ SocketBuffer send, recv;
+ int pid;
+ int retval = SECURITY_SERVER_API_ERROR_UNKNOWN;
+
+ LogDebug("security_server_get_cookie_pid() called");
+
+ if (cookie == NULL)
+ return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
+
+ //preprae cookie to send
+ std::vector<char> key(cookie, cookie + COOKIE_SIZE);
+
+ try {
+ //put data into buffer
+ Serialization::Serialize(send, (int)CookieGet::PID);
+ Serialization::Serialize(send, key);
+
+ //send buffer to server
+ retval = sendToServer(SERVICE_SOCKET_COOKIE_CHECK, send.Pop(), recv);
+ if (retval != SECURITY_SERVER_API_SUCCESS) {
+ LogDebug("Error in sendToServer. Error code: " << retval);
+ return retval;
+ }
+
+ //receive response from server
+ Deserialization::Deserialize(recv, retval);
+ if (retval != SECURITY_SERVER_API_SUCCESS)
+ return retval;
+
+ Deserialization::Deserialize(recv, pid);
+ return pid;
+
+ } catch (SocketBuffer::Exception::Base &e) {
+ LogDebug("SecurityServer::SocketBuffer::Exception " << e.DumpToString());
+ } catch (std::exception &e) {
+ LogDebug("STD exception " << e.what());
+ } catch (...) {
+ LogDebug("Unknown exception occured");
+ }
+
+ return SECURITY_SERVER_API_ERROR_UNKNOWN;
+}
+
+SECURITY_SERVER_API
+char * security_server_get_smacklabel_cookie(const char *cookie)
+{
+ using namespace SecurityServer;
+ SocketBuffer send, recv;
+ int retval = SECURITY_SERVER_API_ERROR_UNKNOWN;
+ std::string label;
+
+ LogDebug("security_server_get_smacklabel_cookie() called");
+
+ if (cookie == NULL)
+ return NULL;
+
+ //preprae cookie to send
+ std::vector<char> key(cookie, cookie + COOKIE_SIZE);
+
+ try {
+ //put data into buffer
+ Serialization::Serialize(send, (int)CookieGet::SMACKLABEL);
+ Serialization::Serialize(send, key);
+
+ //send buffer to server
+ retval = sendToServer(SERVICE_SOCKET_COOKIE_CHECK, send.Pop(), recv);
+ if (retval != SECURITY_SERVER_API_SUCCESS) {
+ LogDebug("Error in sendToServer. Error code: " << retval);
+ return NULL;
+ }
+
+ //receive response from server
+ Deserialization::Deserialize(recv, retval);
+ if (retval != SECURITY_SERVER_API_SUCCESS)
+ return NULL;
+
+ Deserialization::Deserialize(recv, label);
+
+ return strdup(label.c_str());
+
+ } catch (SocketBuffer::Exception::Base &e) {
+ LogDebug("SecurityServer::SocketBuffer::Exception " << e.DumpToString());
+ } catch (std::exception &e) {
+ LogDebug("STD exception " << e.what());
+ } catch (...) {
+ LogDebug("Unknown exception occured");
+ }
+
+ return NULL;
+}
+
+SECURITY_SERVER_API
+int security_server_check_privilege(const char *cookie, gid_t privilege)
+{
+ using namespace SecurityServer;
+ SocketBuffer send, recv;
+ int retval = SECURITY_SERVER_API_ERROR_UNKNOWN;
+
+ LogDebug("security_server_check_privilege() called");
+
+ if (cookie == NULL)
+ return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
+
+ //preprae cookie to send
+ std::vector<char> key(cookie, cookie + COOKIE_SIZE);
+
+ try {
+ //put data into buffer
+ Serialization::Serialize(send, (int)CookieGet::PRIVILEGE_GID);
+ Serialization::Serialize(send, key);
+ Serialization::Serialize(send, (int)privilege);
+
+ //send buffer to server
+ retval = sendToServer(SERVICE_SOCKET_COOKIE_CHECK, send.Pop(), recv);
+ if (retval != SECURITY_SERVER_API_SUCCESS) {
+ LogDebug("Error in sendToServer. Error code: " << retval);
+ return retval;
+ }
+
+ //receive response from server
+ Deserialization::Deserialize(recv, retval);
+ return retval;
+
+ } catch (SocketBuffer::Exception::Base &e) {
+ LogDebug("SecurityServer::SocketBuffer::Exception " << e.DumpToString());
+ } catch (std::exception &e) {
+ LogDebug("STD exception " << e.what());
+ } catch (...) {
+ LogDebug("Unknown exception occured");
+ }
+
+ return SECURITY_SERVER_API_ERROR_UNKNOWN;
+}
+
+SECURITY_SERVER_API
+int security_server_check_privilege_by_cookie(const char *cookie, const char *object, const char *access_rights)
+{
+ using namespace SecurityServer;
+ SocketBuffer send, recv;
+ int retval = SECURITY_SERVER_API_ERROR_UNKNOWN;
+
+ LogDebug("security_server_check_privilege_by_cookie() called");
+
+ if ((cookie == NULL) || (object == NULL) || (access_rights == NULL))
+ return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
+
+ //preprae cookie to send
+ std::vector<char> key(cookie, cookie + COOKIE_SIZE);
+
+ std::string obj(object);
+ std::string access(access_rights);
+
+ try {
+ //put data into buffer
+ Serialization::Serialize(send, (int)CookieGet::PRIVILEGE);
+ Serialization::Serialize(send, key);
+ Serialization::Serialize(send, obj);
+ Serialization::Serialize(send, access);
+
+ //send buffer to server
+ retval = sendToServer(SERVICE_SOCKET_COOKIE_CHECK, send.Pop(), recv);
+ if (retval != SECURITY_SERVER_API_SUCCESS) {
+ LogDebug("Error in sendToServer. Error code: " << retval);
+ return retval;
+ }
+
+ //receive response from server
+ Deserialization::Deserialize(recv, retval);
+ return retval;
+
+ } catch (SocketBuffer::Exception::Base &e) {
+ LogDebug("SecurityServer::SocketBuffer::Exception " << e.DumpToString());
+ } catch (std::exception &e) {
+ LogDebug("STD exception " << e.what());
+ } catch (...) {
+ LogDebug("Unknown exception occured");
+ }
+
+ return SECURITY_SERVER_API_ERROR_UNKNOWN;
+}
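Review bot: In security_server_get_cookie_pid, security_server_get_smacklabel_cookie, security_server_check_privilege and security_server_check_privilege_by_cookie, the `std::vector<char> key(cookie, cookie + COOKIE_SIZE);` construction sits before the `try`, as do `std::string obj(object);` and `std::string access(access_rights);` in the last one. An allocation failure there would escape a function exported through SECURITY_SERVER_API, which presumably has C callers that cannot catch it. Moving those declarations to the first lines inside each `try` lets the existing `catch (std::exception &e)` turn it into SECURITY_SERVER_API_ERROR_UNKNOWN (or NULL for the label call). These functions also read exactly COOKIE_SIZE bytes from `cookie` with no length argument, so the API documentation should state that the buffer must be at least `security_server_get_cookie_size()` bytes. The file calls `memcpy` and `strdup` without including `<cstring>`.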
*/
#include <protocols.h>
+#include <cstddef>
namespace SecurityServer {
"/tmp/.security-server-api-get-object-name.sock";
char const * const SERVICE_SOCKET_APP_PERMISSIONS =
"/tmp/.security-server-api-app-permissions.sock";
+char const * const SERVICE_SOCKET_COOKIE_GET =
+ "/tmp/.security-server-api-cookie-get.sock";
+char const * const SERVICE_SOCKET_COOKIE_CHECK =
+ "/tmp/.security-server-api-cookie-check.sock";
+
+const size_t COOKIE_SIZE = 20;
} // namespace SecurityServer
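Review bot: Both new endpoints are placed under `/tmp`, which any local process can write to, and the cookie-get socket is where clients obtain a credential, so a client has only the path to tell it that the peer is the security server. The existing service sockets already live there and the socket unit files are not among the lines shown, so this may be covered by socket activation and labelling. If so, a comment above the two definitions such as `// created by the systemd socket unit; clients rely on this path belonging to the server` would record the assumption. Otherwise consider a root-owned runtime directory, e.g. `"<RUNTIME_DIR>/security-server-api-cookie-get.sock"` (placeholder path).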
#ifndef _SECURITY_SERVER_PROTOCOLS_
#define _SECURITY_SERVER_PROTOCOLS_
+#include <cstddef>
+
namespace SecurityServer {
extern char const * const SERVICE_SOCKET_SHARED_MEMORY;
extern char const * const SERVICE_SOCKET_EXEC_PATH;
extern char const * const SERVICE_SOCKET_GET_OBJECT_NAME;
extern char const * const SERVICE_SOCKET_APP_PERMISSIONS;
+extern char const * const SERVICE_SOCKET_COOKIE_GET;
+extern char const * const SERVICE_SOCKET_COOKIE_CHECK;
+
+enum class AppPermissionsAction { ENABLE, DISABLE };
+
+enum class CookieGet
+{
+ COOKIE_SIZE,
+ COOKIE,
+ PID,
+ SMACKLABEL,
+ PRIVILEGE_GID,
+ PRIVILEGE
+};
-enum class AppPermissionsAction { ENABLE, DISABLE};
+extern const size_t COOKIE_SIZE;
} // namespace SecuritySever
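Review bot: Declaring `extern const size_t COOKIE_SIZE;` hides the value from every other translation unit, so `char key[COOKIE_SIZE];` in CookieJar::GenerateCookie is not a constant-size array in standard C++ and builds only through the variable-length-array extension. Defining it here as `const size_t COOKIE_SIZE = 20;` and dropping the definition from protocols.cpp keeps it a compile-time constant. The enumerator `CookieGet::COOKIE_SIZE` reuses the same name, and CookieService::readOne has no case for it, so it looks like it can be removed or renamed to avoid confusion.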
object->Serialize(stream);
}
+ // char
+ static void Serialize(IStream& stream, const char value)
+ {
+ stream.Write(sizeof(value), &value);
+ }
+ static void Serialize(IStream& stream, const char* const value)
+ {
+ stream.Write(sizeof(*value), value);
+ }
+
// unsigned int
static void Serialize(IStream& stream, const unsigned value)
{
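Review bot: The `const char* const` overload writes `sizeof(*value)`, a single byte, so a call that passes a C string or a literal would most likely bind to it and serialize only the first character, and a null pointer is dereferenced without a check. I would add a comment directly above it, `// serializes ONE char through the pointer, not a NUL-terminated string; value must not be NULL`, or drop the pointer overload if nothing needs it. The matching `Deserialize(IStream&, char*&)` in the next hunk allocates with `new char` and leaves ownership to the caller, which deserves `// caller owns the result and must delete it`.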
object = new T(stream);
}
+ // char
+ static void Deserialize(IStream& stream, char& value)
+ {
+ stream.Read(sizeof(value), &value);
+ }
+ static void Deserialize(IStream& stream, char*& value)
+ {
+ value = new char;
+ stream.Read(sizeof(*value), value);
+ }
+
// unsigned int
static void Deserialize(IStream& stream, unsigned& value)
{
#include <exec-path.h>
#include <get-object-name.h>
#include <app-permissions.h>
+#include <cookie.h>
#include <echo.h>
IMPLEMENT_SAFE_SINGLETON(SecurityServer::Log::LogSystem);
// echoService->Create();
// manager.RegisterSocketService(echoService);
+
+ SecurityServer::CookieService *cookieService = new SecurityServer::CookieService;
+ cookieService->Create();
+ manager.RegisterSocketService(cookieService);
+
SecurityServer::SharedMemoryService *shmService = new SecurityServer::SharedMemoryService;
shmService->Create();
manager.RegisterSocketService(shmService);
*/
/*
* @file app-permissions.h
- * @author Pawel Polawski (pawel.polawski@partner.samsung.com)
+ * @author Pawel Polawski (p.polawski@partner.samsung.com)
* @version 1.0
* @brief This function contain header for implementation of security_server_app_enable_permissions
* and SS_app_disable_permissions on server side
*/
#ifndef _SECURITY_SERVER_APP_PERMISSIONS_
-#define _SECURITY_SERVER_APP_PERMISSIONS__
+#define _SECURITY_SERVER_APP_PERMISSIONS_
#include <service-thread.h>
#include <generic-socket-manager.h>
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Bumjin Im <bj.im@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file cookie-jar.cpp
+ * @author Pawel Polawski (p.polawski@partner.samsung.com)
+ * @version 1.0
+ * @brief This function contain implementation of CookieJar class which holds cookies structures
+ */
+
+#include <cookie-jar.h>
+#include <protocols.h>
+#include <dpl/log/log.h>
+#include <dpl/exception.h>
+#include <vector>
+#include <stdbool.h>
+#include <unistd.h>
+#include <smack-check.h>
+#include <privilege-control.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <fstream>
+#include <linux/limits.h>
+
+namespace SecurityServer {
+
+CookieJar::CookieJar(void)
+{
+ LogDebug("Created CookieJar for handling cookies");
+}
+
+CookieJar::~CookieJar(void)
+{
+ LogDebug("Deleted CookieJar");
+}
+
+const Cookie * CookieJar::GenerateCookie(int pid)
+{
+ char key[COOKIE_SIZE];
+ int retval;
+
+ LogDebug("Cookie creation called");
+
+ //create empty cookie class
+ Cookie newCookie;
+ newCookie.pid = pid;
+
+ //check if there is no cookie for specified PID
+ const Cookie *searchResult = SearchCookie(newCookie, CompareType::PID);
+ if (searchResult != NULL) {
+ LogDebug("Cookie exist for specified PID");
+ return searchResult;
+ }
+
+ searchResult = &newCookie; //only for searchResult != NULL
+ while(searchResult != NULL) {
+ //generate unique key
+ std::ifstream urandom("/dev/urandom", std::ifstream::binary);
+ urandom.read(key, COOKIE_SIZE);
+ newCookie.cookieId.assign(key, key + COOKIE_SIZE);
+
+ //check if key is unique
+ searchResult = SearchCookie(newCookie, CompareType::COOKIE_ID);
+ if (searchResult != NULL)
+ LogDebug("Key is not unique");
+ }
+
+ //obtain process path
+ char link[PATH_MAX];
+ char path[PATH_MAX];
+
+ snprintf(link, PATH_MAX, "/proc/%d/exe", pid);
+ retval = readlink(link, path, PATH_MAX);
+ if (retval < 0) {
+ LogDebug("Unable to get process path");
+ return NULL;
+ }
+ path[retval] = '\0';
+ newCookie.binaryPath = path;
+
+ //get smack label if smack enabled
+ if (smack_check()) {
+ char label[SMACK_LABEL_LEN + 1];
+ retval = get_smack_label_from_process(pid, label);
+ if (retval != PC_OPERATION_SUCCESS) {
+ LogDebug("Unable to get smack label of process");
+ return NULL;
+ }
+ newCookie.smackLabel = label;
+ } else
+ newCookie.smackLabel = "smack_disabled";
+
+
+ //get GID list
+ const int LINE_LEN = 128;
+ const int NAME_SIZE = 64;
+ char line[LINE_LEN]; //for storing parsed lines
+ char filename[NAME_SIZE];
+
+ snprintf(filename, NAME_SIZE, "/proc/%d/status", pid);
+ std::ifstream status(filename, std::ifstream::binary);
+
+ while (status.getline(line, LINE_LEN)) { //read line from file
+ if (strncmp(line, "Groups:", 7) == 0)
+ break;
+ }
+
+ char delim[] = ": "; //separators for strtok: ' ' and ':'
+ char *token = strtok(line, delim); //1st string is "Group:"
+ while ((token = strtok(NULL, delim))) {
+ int gid = atoi(token);
+ newCookie.permissions.push_back(gid);
+ }
+
+ //DEBUG ONLY
+ //print info about cookie
+ LogDebug("Cookie created");
+ LogDebug("PID: " << newCookie.pid);
+ LogDebug("PATH: " << newCookie.binaryPath);
+ LogDebug("LABEL: " << newCookie.smackLabel);
+ for (size_t k = 0; k < newCookie.permissions.size(); k++)
+ LogDebug("GID: " << newCookie.permissions[k]);
+
+ m_cookieList.push_back(newCookie);
+ return &m_cookieList[m_cookieList.size() - 1];
+}
+
+void CookieJar::DeleteCookie(const Cookie &pattern, CompareType criterion)
+{
+ if (m_cookieList.size() == 0) {
+ LogDebug("Cookie list empty");
+ return;
+ }
+
+ //for each cookie in list
+ for (size_t i = 0; i < m_cookieList.size();) {
+ if (CompareCookies(pattern, m_cookieList[i], criterion)) {
+ LogDebug("Deleting cookie");
+ if (i != m_cookieList.size() - 1)
+ m_cookieList[i] = *m_cookieList.rbegin();
+ m_cookieList.pop_back();
+ } else
+ ++i;
+ }
+}
+
+const Cookie * CookieJar::SearchCookie(const Cookie &pattern, CompareType criterion) const
+{
+ LogDebug("Searching for cookie");
+
+ if (m_cookieList.size() == 0) {
+ LogDebug("Cookie list empty");
+ return NULL;
+ }
+
+ //for each cookie in list
+ for (size_t i = 0; i < m_cookieList.size(); i++) {
+ if (CompareCookies(pattern, m_cookieList[i], criterion)) {
+ LogDebug("Cookie found");
+ return &(m_cookieList[i]);
+ }
+ }
+
+ LogDebug("Cookie not found");
+ return NULL;
+}
+
+bool CookieJar::CompareCookies(const Cookie &c1, const Cookie &c2, CompareType criterion) const
+{
+ size_t permSize1 = c1.permissions.size();
+ size_t permSize2 = c2.permissions.size();
+
+ switch(criterion) {
+ case CompareType::COOKIE_ID:
+ return (c1.cookieId == c2.cookieId);
+
+ case CompareType::PID:
+ return (c1.pid == c2.pid);
+
+ case CompareType::PATH:
+ return (c1.binaryPath == c2.binaryPath);
+
+ case CompareType::SMACKLABEL:
+ return (c1.smackLabel == c2.smackLabel);
+
+ case CompareType::PERMISSIONS:
+ //we search for at least one the same GID
+ for(size_t i = 0; i < permSize1; i++)
+ for (size_t k = 0; k < permSize2; k++)
+ if (c1.permissions[i] == c2.permissions[k])
+ return true;
+ return false;
+
+ default:
+ LogDebug("Wrong function parameters");
+ return false;
+ };
+}
+
+} // namespace SecurityServer
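Review bot: GenerateCookie uses the results of three reads without validating them. The `/dev/urandom` stream is never checked, so a failed open or short read leaves `key` as uninitialized stack bytes that become the cookie; `readlink(link, path, PATH_MAX)` can return PATH_MAX, which makes `path[retval] = '\0'` write one byte past the array; and the 128-byte `getline` buffer ends the loop on any longer line, so a long `Groups:` line is cut and its last token can parse as a different GID, while a status file that fails to open leaves `strtok` working on an uninitialized buffer. The fence below fails closed on the first and third cases and shortens the readlink length by one; the `line`, `LINE_LEN` and `delim` locals are no longer needed.

```cpp
    while(searchResult != NULL) {
        //generate unique key
        std::ifstream urandom("/dev/urandom", std::ifstream::binary);
        if (!urandom.read(key, COOKIE_SIZE)) {
            LogDebug("Unable to read random data for cookie");
            return NULL;
        }
        // … unchanged: assign cookieId, uniqueness check …
    }

    // … unchanged: link/path buffers, snprintf of /proc/<pid>/exe …
    retval = readlink(link, path, PATH_MAX - 1);   //leave room for the terminator
    // … unchanged: error check, terminator, binaryPath, smack label …

    //get GID list
    std::string statusLine;
    bool haveGroups = false;
    std::ifstream status(filename, std::ifstream::binary);
    while (std::getline(status, statusLine)) {      //no fixed line length
        if (statusLine.compare(0, 7, "Groups:") == 0) {
            haveGroups = true;
            break;
        }
    }
    if (!haveGroups) {
        LogDebug("Unable to read group list of process");
        return NULL;
    }

    const char *cursor = statusLine.c_str() + 7;    //skip "Groups:"
    char *end = NULL;
    long gid = strtol(cursor, &end, 10);
    while (end != cursor) {                          //stops at the first non-number
        newCookie.permissions.push_back((int)gid);
        cursor = end;
        gid = strtol(cursor, &end, 10);
    }
    // … unchanged: debug logging, push_back into m_cookieList …
```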
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Bumjin Im <bj.im@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file cookie-jar.h
+ * @author Pawel Polawski (p.polawski@partner.samsung.com)
+ * @version 1.0
+ * @brief This function contain header of CookieJar class which holds cookies structures
+ */
+
+#ifndef _SECURITY_SERVER_COOKIE_JAR_
+#define _SECURITY_SERVER_COOKIE_JAR_
+
+#include <stdio.h>
+
+#include <dpl/log/log.h>
+#include <dpl/exception.h>
+#include <vector>
+#include <stdbool.h>
+
+
+namespace SecurityServer {
+
+enum class CompareType
+{
+ COOKIE_ID,
+ PID,
+ PATH,
+ SMACKLABEL,
+ PERMISSIONS
+};
+
+
+struct Cookie
+{
+ std::vector<char> cookieId; //ID key
+ pid_t pid; //owner PID
+ std::string binaryPath; //path to owner binary
+ std::string smackLabel; //owner SMACK label
+ std::vector<int> permissions; //owner GIDs
+};
+
+
+class CookieJar
+{
+public:
+ CookieJar(void);
+ ~CookieJar(void);
+
+ const Cookie * GenerateCookie(int pid);
+ void DeleteCookie(const Cookie &pattern, CompareType criterion);
+
+ const Cookie * SearchCookie(const Cookie &pattern, CompareType criterion) const;
+ bool CompareCookies(const Cookie &c1, const Cookie &c2, CompareType criterion) const;
+
+private:
+ std::vector<Cookie> m_cookieList;
+};
+
+
+} // namespace SecurityServer
+#endif // _SECURITY_SERVER_COOKIE_JAR_
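Review bot: The interface gives a cookie no end of life: `GenerateCookie(int pid)` is keyed on the PID alone (the implementation returns the stored entry when the PID matches) and no call to `DeleteCookie` appears in the code shown on this page. A later process that is assigned the same PID would then receive the earlier process's cookie together with its cached path, SMACK label and GIDs. A cleanup path may exist elsewhere, but if it does not, `Cookie` should carry something that identifies the process instance, for example `unsigned long long startTime; //owner start time, compared before an entry is reused`, and the entry should be regenerated when it differs. Both lookup methods return pointers into `m_cookieList`, so I would also add `// returned pointer is invalidated by the next GenerateCookie or DeleteCookie call` above them.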
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Bumjin Im <bj.im@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file cookie.cpp
+ * @author Pawel Polawski (p.polawski@partner.samsung.com)
+ * @version 1.0
+ * @brief This function contain implementation of CookieService
+ */
+
+#include <memory>
+#include <dpl/log/log.h>
+#include <dpl/serialization.h>
+#include <protocols.h>
+#include <security-server.h>
+#include <security-server-common.h>
+#include <cookie.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+
+//interfaces ID
+const int INTERFACE_GET = 0;
+const int INTERFACE_CHECK = 1;
+
+namespace SecurityServer {
+
+GenericSocketService::ServiceDescriptionVector CookieService::GetServiceDescription() {
+ ServiceDescription sd1 = {
+ "security-server::api-cookie-get",
+ INTERFACE_GET,
+ SERVICE_SOCKET_COOKIE_GET
+ };
+ ServiceDescription sd2 = {
+ "security-server::api-cookie-check",
+ INTERFACE_CHECK,
+ SERVICE_SOCKET_COOKIE_CHECK
+ };
+ ServiceDescriptionVector v;
+ v.push_back(sd1);
+ v.push_back(sd2);
+ return v;
+}
+
+void CookieService::accept(const AcceptEvent &event) {
+ LogDebug("Accept event. ConnectionID.sock: " << event.connectionID.sock
+ << " ConnectionID.counter: " << event.connectionID.counter
+ << " ServiceID: " << event.interfaceID);
+ auto &info = m_socketInfoMap[event.connectionID.counter];
+ info.interfaceID = event.interfaceID;
+}
+
+void CookieService::write(const WriteEvent &event) {
+ LogDebug("WriteEvent. ConnectionID: " << event.connectionID.sock <<
+ " Size: " << event.size << " Left: " << event.left);
+ if (event.left == 0)
+ m_serviceManager->Close(event.connectionID);
+}
+
+void CookieService::read(const ReadEvent &event) {
+ LogDebug("Read event for counter: " << event.connectionID.counter);
+ auto &info = m_socketInfoMap[event.connectionID.counter];
+ info.buffer.Push(event.rawBuffer);
+
+ // We can get several requests in one package.
+ // Extract and process them all
+ while(readOne(event.connectionID, info.buffer, info.interfaceID));
+}
+
+void CookieService::close(const CloseEvent &event) {
+ LogDebug("CloseEvent. ConnectionID: " << event.connectionID.sock);
+ m_socketInfoMap.erase(event.connectionID.counter);
+}
+
+void CookieService::error(const ErrorEvent &event) {
+ LogDebug("ErrorEvent. ConnectionID: " << event.connectionID.sock);
+ m_serviceManager->Close(event.connectionID);
+}
+
+bool CookieService::readOne(const ConnectionID &conn, SocketBuffer &buffer, int interfaceID)
+{
+ LogDebug("Iteration begin");
+ SocketBuffer send, recv;
+ int msgType;
+
+ //waiting for all data
+ if (!buffer.Ready()) {
+ return false;
+ }
+
+ //receive data from buffer and check MSG_ID
+ Try {
+ Deserialization::Deserialize(buffer, msgType); //receive MSG_ID
+ } Catch (SocketBuffer::Exception::Base) {
+ LogDebug("Broken protocol. Closing socket.");
+ m_serviceManager->Close(conn);
+ return false;
+ }
+
+ bool retval = false;
+
+ //use received data
+ if (interfaceID == INTERFACE_GET) {
+ switch(msgType) {
+ case CookieGet::COOKIE:
+ LogDebug("Entering get-cookie server side handler");
+ retval = cookieRequest(send, conn.sock);
+ break;
+
+ default:
+ LogDebug("Error, unknown function called by client");
+ retval = false;
+ break;
+ };
+ } else if (interfaceID == INTERFACE_CHECK) {
+ switch(msgType) {
+ case CookieGet::PID:
+ LogDebug("Entering pid-by-cookie server side handler");
+ retval = pidByCookieRequest(buffer, send);
+ break;
+
+ case CookieGet::SMACKLABEL:
+ LogDebug("Entering smacklabel-by-cookie server side handler");
+ retval = smackLabelByCookieRequest(buffer, send);
+ break;
+
+ case CookieGet::PRIVILEGE_GID:
+ LogDebug("Entering check-privilege-by-cookie-gid server side handler");
+ retval = privilegeByCookieGidRequest(buffer, send);
+ break;
+
+ case CookieGet::PRIVILEGE:
+ LogDebug("Entering check-privilege-by-cookie side handler");
+ retval = privilegeByCookieRequest(buffer, send);
+ break;
+
+ default:
+ LogDebug("Error, unknown function called by client");
+ retval = false;
+ break;
+ };
+ } else {
+ LogDebug("Error, wrong interface");
+ retval = false;
+ }
+
+ if (retval == false) { //something goes wrong with communication
+ LogDebug("Closing socket because of error");
+ m_serviceManager->Close(conn);
+ return retval;
+ } else {
+ //send response
+ m_serviceManager->Write(conn, send.Pop());
+ return retval;
+ }
+}
+
+bool CookieService::cookieRequest(SocketBuffer &send, int socket)
+{
+ struct ucred cr;
+ unsigned len = sizeof(cr);
+
+ if (0 != getsockopt(socket, SOL_SOCKET, SO_PEERCRED, &cr, &len))
+ return false;
+
+ const Cookie *generatedCookie = m_cookieJar.GenerateCookie(cr.pid);
+ if (generatedCookie != NULL) {
+ //cookie created correct
+ Serialization::Serialize(send, (int)SECURITY_SERVER_API_SUCCESS);
+ Serialization::Serialize(send, generatedCookie->cookieId);
+ } else {
+ //unable to create cookie
+ Serialization::Serialize(send, (int)SECURITY_SERVER_API_ERROR_UNKNOWN);
+ }
+
+ return true;
+}
+
+bool CookieService::pidByCookieRequest(SocketBuffer &buffer, SocketBuffer &send)
+{
+ std::vector<char> cookieKey;
+
+ Try {
+ Deserialization::Deserialize(buffer, cookieKey);
+ } Catch (SocketBuffer::Exception::Base) {
+ LogDebug("Broken protocol. Closing socket.");
+ return false;
+ }
+
+ Cookie searchPattern;
+ searchPattern.cookieId = cookieKey;
+
+ const Cookie *searchResult = m_cookieJar.SearchCookie(searchPattern, CompareType::COOKIE_ID);
+
+ if (searchResult != NULL) {
+ Serialization::Serialize(send, (int)SECURITY_SERVER_API_SUCCESS);
+ Serialization::Serialize(send, searchResult->pid);
+ } else {
+ Serialization::Serialize(send, (int)SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE);
+ }
+
+ return true;
+}
+
+bool CookieService::smackLabelByCookieRequest(SocketBuffer &buffer, SocketBuffer &send)
+{
+ std::vector<char> cookieKey;
+
+ Try {
+ Deserialization::Deserialize(buffer, cookieKey);
+ } Catch (SocketBuffer::Exception::Base) {
+ LogDebug("Broken protocol. Closing socket.");
+ return false;
+ }
+
+ Cookie searchPattern;
+ searchPattern.cookieId = cookieKey;
+
+ const Cookie *searchResult = m_cookieJar.SearchCookie(searchPattern, CompareType::COOKIE_ID);
+
+ if (searchResult != NULL) {
+ Serialization::Serialize(send, (int)SECURITY_SERVER_API_SUCCESS);
+ Serialization::Serialize(send, searchResult->smackLabel);
+ } else {
+ Serialization::Serialize(send, (int)SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE);
+ }
+
+ return true;
+}
+
+bool CookieService::privilegeByCookieGidRequest(SocketBuffer &buffer, SocketBuffer &send)
+{
+ std::vector<char> cookieKey;
+ int gid;
+
+ Try {
+ Deserialization::Deserialize(buffer, cookieKey);
+ Deserialization::Deserialize(buffer, gid);
+ } Catch (SocketBuffer::Exception::Base) {
+ LogDebug("Broken protocol. Closing socket.");
+ return false;
+ }
+
+ Cookie searchPattern;
+ searchPattern.cookieId = cookieKey;
+
+ const Cookie *searchResult = m_cookieJar.SearchCookie(searchPattern, CompareType::COOKIE_ID);
+
+ if (searchResult != NULL)
+ //search for specified GID on permissions list
+ for (size_t i = 0; i < searchResult->permissions.size(); i++)
+ if (searchResult->permissions[i] == gid) {
+ Serialization::Serialize(send, (int)SECURITY_SERVER_API_SUCCESS);
+ return true;
+ }
+
+ Serialization::Serialize(send, (int)SECURITY_SERVER_API_ERROR_ACCESS_DENIED);
+
+ return true;
+}
+
+bool CookieService::privilegeByCookieRequest(SocketBuffer &buffer, SocketBuffer &send)
+{
+ std::vector<char> cookieKey;
+ std::string subject;
+ std::string object;
+ std::string access;
+
+ Try {
+ Deserialization::Deserialize(buffer, cookieKey);
+ Deserialization::Deserialize(buffer, object);
+ Deserialization::Deserialize(buffer, access);
+ } Catch (SocketBuffer::Exception::Base) {
+ LogDebug("Broken protocol. Closing socket.");
+ return false;
+ }
+
+ Cookie searchPattern;
+ searchPattern.cookieId = cookieKey;
+
+ const Cookie *searchResult = m_cookieJar.SearchCookie(searchPattern, CompareType::COOKIE_ID);
+
+ if (searchResult != NULL) {
+ subject = searchResult->smackLabel;
+
+ if (smack_have_access(subject.c_str(), object.c_str(), access.c_str()) == 1)
+ Serialization::Serialize(send, (int)SECURITY_SERVER_API_SUCCESS);
+ else
+ Serialization::Serialize(send, (int)SECURITY_SERVER_API_ERROR_ACCESS_DENIED);
+ } else {
+ Serialization::Serialize(send, (int)SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE);
+ }
+
+ return true;
+}
+
+} // namespace SecurityServer
+
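Review bot: readOne dispatches every INTERFACE_CHECK request without checking who the caller is. The handlers this commit removes from security_server_thread called `authorize_SS_API_caller_socket(client_sockfd, API_MIDDLEWARE, API_RULE_REQUIRED)` before answering PID, SMACK-label and privilege queries, and used API_FREE_ACCESS only for the cookie request. If that restriction is now meant to come from the labelling of the cookie-check socket unit (not visible here), a comment above the `else if (interfaceID == INTERFACE_CHECK)` branch should say so, e.g. `// access to this interface is restricted by the socket unit; handlers assume a middleware peer`. Otherwise the equivalent check needs to be restored before the switch. Separately, privilegeByCookieGidRequest answers SECURITY_SERVER_API_ERROR_ACCESS_DENIED for an unknown cookie while the other three handlers answer SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE.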
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Bumjin Im <bj.im@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file cookie.h
+ * @author Pawel Polawski (p.polawski@partner.samsung.com)
+ * @version 1.0
+ * @brief This function contain header for implementation of cookie get API
+ */
+
+#ifndef _SECURITY_SERVER_COOKIE_GET_
+#define _SECURITY_SERVER_COOKIE_GET_
+
+#include <service-thread.h>
+#include <generic-socket-manager.h>
+#include <dpl/serialization.h>
+#include <socket-buffer.h>
+#include <security-server-common.h>
+#include <cookie-jar.h>
+
+namespace SecurityServer {
+
+class CookieService :
+ public SecurityServer::GenericSocketService
+ , public SecurityServer::ServiceThread<CookieService>
+{
+public:
+ struct SocketInfo
+ {
+ int interfaceID;
+ SocketBuffer buffer;
+ };
+
+ typedef std::map<int, SocketInfo> SocketInfoMap;
+
+ ServiceDescriptionVector GetServiceDescription();
+
+ DECLARE_THREAD_EVENT(AcceptEvent, accept)
+ DECLARE_THREAD_EVENT(WriteEvent, write)
+ DECLARE_THREAD_EVENT(ReadEvent, read)
+ DECLARE_THREAD_EVENT(CloseEvent, close)
+ DECLARE_THREAD_EVENT(ErrorEvent, error)
+
+ void accept(const AcceptEvent &event);
+ void write(const WriteEvent &event);
+ void read(const ReadEvent &event);
+ void close(const CloseEvent &event);
+ void error(const ErrorEvent &event);
+
+private:
+ bool readOne(const ConnectionID &conn, SocketBuffer &buffer, int interfaceID);
+
+ bool cookieRequest(SocketBuffer &send, int socket);
+
+ bool pidByCookieRequest(SocketBuffer &buffer, SocketBuffer &send);
+ bool smackLabelByCookieRequest(SocketBuffer &buffer, SocketBuffer &send);
+ bool privilegeByCookieGidRequest(SocketBuffer &buffer, SocketBuffer &send);
+ bool privilegeByCookieRequest(SocketBuffer &buffer, SocketBuffer &send);
+
+ CookieJar m_cookieJar;
+
+ SocketInfoMap m_socketInfoMap;
+};
+
+} // namespace SecurityServer
+
+#endif // _SECURITY_SERVER_APP_ENABLE_PERMISSIONS_
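Review bot: The closing comment names a different guard than the one opened at the top of the file; it should read `#endif // _SECURITY_SERVER_COOKIE_GET_`. The header also declares `typedef std::map<int, SocketInfo> SocketInfoMap;` without including `<map>` itself, so it compiles only if another header happens to pull it in; adding `#include <map>` next to the other includes makes it self-contained.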
#include <smack-check.h>
#include "security-server-common.h"
-#include "security-server-cookie.h"
#include "security-server-comm.h"
#include "security-server-util.h"
#include "security-server.h"
-/*
- * @buffer output buffer
- * @position target position in output buffer
- * @source source data
- * @len source data length
- */
-static void append_to_buffer(unsigned char *buffer, int *position, const void *source, size_t len)
-{
- if (len <= 0) {
- SEC_SVR_DBG("Appending nothing.");
- return;
- }
- memcpy(buffer + *position, source, len);
- *position += len;
-}
-
-static void append_cookie(unsigned char *buffer, int *position, const cookie_list *cookie)
-{
- int i;
- int path_len = cookie->path ? strlen(cookie->path) : 0;
-
- append_to_buffer(buffer, position, &path_len, sizeof(int));
- append_to_buffer(buffer, position, &cookie->permission_len, sizeof(int));
- append_to_buffer(buffer, position, &cookie->cookie, SECURITY_SERVER_COOKIE_LEN);
- append_to_buffer(buffer, position, &cookie->pid, sizeof(pid_t));
- append_to_buffer(buffer, position, &cookie->path, path_len);
-
- for (i = 0; i < cookie->permission_len; ++i)
- append_to_buffer(buffer, position, &cookie->permissions[i], sizeof(int));
-}
-
-/* Get all cookie info response *
- * packet format
- * 0 1 2 3
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01 |MessageID=0x52 | Message Length |
- * |---------------------------------------------------------------|
- * | return code | tot # of cooks (32bit) |
- * |---------------------------------------------------------------|
- * | cont'd... | 1st cmdline_len (32bit) |
- * |---------------------------------------------------------------|
- * | cont'd... | 1st permission_len (32bit) |
- * ----------------------------------------------------------------|
- * | cont'd... | |
- * |---------------- |
- * | 1st cookie |
- * | |
- * |---------------------------------------------------------------|
- * | 1st PID (32bit) |
- * |---------------------------------------------------------------|
- * | 1st cmdline (string) |
- * |---------------------------------------------------------------|
- * | 1st perm_1 |
- * |---------------------------------------------------------------|
- * | 1st perm_2 |
- * |---------------------------------------------------------------|
- * | ... |
- * |---------------------------------------------------------------|
- * | 2nd cmdline_len (32bit) |
- * |---------------------------------------------------------------|
- * | 2nd permission_len (32bit) |
- * |---------------------------------------------------------------|
- * | |
- * | 2nd cookie |
- * | |
- * |---------------------------------------------------------------|
- * | 2nd PID (32 bit) |
- * |---------------------------------------------------------------|
- * | 2nd cmdline (string) |
- * |---------------------------------------------------------------|
- * | 2st perm_1 |
- * |---------------------------------------------------------------|
- * | 2st perm_2 |
- * |---------------------------------------------------------------|
- * | ... |
- * |---------------------------------------------------------------|
- * | |
- * | ... |
- * | |
- * | |
- */
-unsigned char *get_all_cookie_info(cookie_list *list, int *size)
-{
- cookie_list *current = list;
- int ptr, total_num, total_size, path_len;
- unsigned char *buf = NULL, *tempptr = NULL;
- response_header hdr;
-
- total_size = sizeof(hdr) + sizeof(int);
-
- buf = malloc(total_size); /* header size */
- ptr = sizeof(hdr) + sizeof(int);
- total_num = 0; /* Total # of cookies initial value */
-
- while (current != NULL)
- {
- current = garbage_collection(current);
- if (current == NULL)
- break;
-
- total_num++;
- path_len = current->path ? strlen(current->path) : 0;
- total_size += sizeof(int) + sizeof(int) + SECURITY_SERVER_COOKIE_LEN + sizeof(pid_t) + path_len + (current->permission_len * sizeof(int));
- tempptr = realloc(buf, total_size);
- if (tempptr == NULL)
- {
- SEC_SVR_ERR("%s", "Out of memory");
- return NULL;
- }
- buf = tempptr;
-
- append_cookie(buf, &ptr, current);
- current = current->next;
- }
-
- if (total_size > 65530)
- {
- SEC_SVR_ERR("Packet too big. message length overflow: %d", total_size);
- free(buf);
- return NULL;
- }
-
- hdr.basic_hdr.version = SECURITY_SERVER_MSG_VERSION;
- hdr.basic_hdr.msg_id = SECURITY_SERVER_MSG_TYPE_GET_ALL_COOKIES_RESPONSE;
- hdr.basic_hdr.msg_len = (unsigned short)(total_size - sizeof(hdr));
- hdr.return_code = SECURITY_SERVER_RETURN_CODE_SUCCESS;
-
- // reset buffer position to the beginning of buffer and insert header
- ptr = 0;
- append_to_buffer(buf, &ptr, &hdr, sizeof(hdr));
- append_to_buffer(buf, &ptr, &total_num, sizeof(total_num));
- *size = total_size;
- return buf;
-}
-
-int send_all_cookie_info(const unsigned char *buf, int size, int sockfd)
-{
- int ret;
- /* Check poll */
- ret = check_socket_poll(sockfd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
- if (ret == SECURITY_SERVER_ERROR_POLL)
- {
- SEC_SVR_ERR("%s", "poll() error");
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
- if (ret == SECURITY_SERVER_ERROR_TIMEOUT)
- {
- SEC_SVR_ERR("%s", "poll() timeout");
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
-
- /* Send to client */
- ret = TEMP_FAILURE_RETRY(write(sockfd, buf, size));
-
- if (ret < size)
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- return SECURITY_SERVER_SUCCESS;
-}
-
-/* Get one cookie info response *
- * packet format
- * 0 1 2 3
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * |---------------------------------------------------------------|
- * | version=0x01 |MessageID=0x54 | Message Length |
- * |---------------------------------------------------------------|
- * | return code | cmdline_len (32bit)t) |
- * |---------------------------------------------------------------|
- * | cont'd... | permission_len (32bit) |
- * ----------------------------------------------------------------|
- * | cont'd... | |
- * |---------------- |
- * | cookie |
- * | |
- * |---------------------------------------------------------------|
- * | PID (32bit) |
- * |---------------------------------------------------------------|
- * | cmdline (string) |
- * |---------------------------------------------------------------|
- * | perm_1 |
- * |---------------------------------------------------------------|
- * | perm_2 |
- * |---------------------------------------------------------------|
- * | ... |
- * |---------------------------------------------------------------|
-*/
-int send_one_cookie_info(const cookie_list *list, int sockfd)
-{
- unsigned char *buf = NULL;
- response_header hdr;
- int total_size, ptr = 0, ret, path_len;
-
- path_len = list->path ? strlen(list->path) : 0;
-
- total_size = sizeof(hdr) + sizeof(int) + sizeof(int) + SECURITY_SERVER_COOKIE_LEN + sizeof(pid_t) + path_len + (list->permission_len * sizeof(int));
- buf = malloc(total_size);
- if (buf == NULL)
- {
- SEC_SVR_ERR("%s", "Out of memory");
- return SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
- }
-
- hdr.basic_hdr.version = SECURITY_SERVER_MSG_VERSION;
- hdr.basic_hdr.msg_id = SECURITY_SERVER_MSG_TYPE_GET_COOKIEINFO_RESPONSE;
- hdr.basic_hdr.msg_len = sizeof(int) + sizeof(int) + SECURITY_SERVER_COOKIE_LEN + sizeof(pid_t) + path_len + (list->permission_len * sizeof(int));
- hdr.return_code = SECURITY_SERVER_RETURN_CODE_SUCCESS;
-
- // header
- append_to_buffer(buf, &ptr, &hdr, sizeof(hdr));
- // cookie
- append_cookie(buf, &ptr, list);
-
- ret = check_socket_poll(sockfd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
- if (ret == SECURITY_SERVER_ERROR_POLL)
- {
- SEC_SVR_ERR("%s", "poll() error");
- free(buf);
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
- if (ret == SECURITY_SERVER_ERROR_TIMEOUT)
- {
- SEC_SVR_ERR("%s", "poll() timeout");
- free(buf);
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- }
-
- /* Send to client */
- ret = TEMP_FAILURE_RETRY(write(sockfd, buf, total_size));
- free(buf);
- if (ret < total_size)
- return SECURITY_SERVER_ERROR_SEND_FAILED;
- return SECURITY_SERVER_SUCCESS;
-}
-
-int util_process_all_cookie(int sockfd, cookie_list *list)
-{
- unsigned char *buf = NULL;
- int ret;
- buf = get_all_cookie_info(list, &ret);
- if (buf == NULL)
- {
- return SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
- }
-
- ret = send_all_cookie_info(buf, ret, sockfd);
-
- if (buf != NULL)
- free(buf);
- return ret;
-}
-int util_process_cookie_from_pid(int sockfd, cookie_list *list)
-{
- int pid, ret;
- cookie_list *result = NULL;
-
- ret = TEMP_FAILURE_RETRY(read(sockfd, &pid, sizeof(int)));
- if (ret < (int)sizeof(int))
- {
- SEC_SVR_ERR("Received cookie size is too small: %d", ret);
- return SECURITY_SERVER_ERROR_RECV_FAILED;
- }
- if (pid == 0)
- {
- SEC_SVR_ERR("%s", "ERROR: Default cookie is not allowed to be retrieved");
- ret = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_GET_COOKIEINFO_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
- if (ret != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", ret);
- }
- }
- result = search_cookie_from_pid(list, pid);
- if (result == NULL)
- {
- ret = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_GET_COOKIEINFO_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_NO_SUCH_COOKIE);
- if (ret != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", ret);
- }
- }
- else
- {
- ret = send_one_cookie_info(result, sockfd);
- if (ret != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send cookie info response: %d", ret);
- }
- }
-
- return ret;
-}
-
-int util_process_cookie_from_cookie(int sockfd, cookie_list *list)
-{
- unsigned char cookie[SECURITY_SERVER_COOKIE_LEN];
- int ret;
- int privileges[] = { 0 }; //only one privilege to check - root
- cookie_list *result = NULL;
-
- ret = TEMP_FAILURE_RETRY(read(sockfd, cookie, SECURITY_SERVER_COOKIE_LEN));
- if (ret < SECURITY_SERVER_COOKIE_LEN)
- {
- SEC_SVR_ERR("Received cookie size is too small: %d", ret);
- return SECURITY_SERVER_ERROR_RECV_FAILED;
- }
- result = search_cookie(list, cookie, privileges, 1);
- if (result == NULL)
- {
- ret = send_generic_response(sockfd, SECURITY_SERVER_MSG_TYPE_GET_COOKIEINFO_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_NO_SUCH_COOKIE);
- if (ret != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", ret);
- }
- }
- else
- {
- ret = send_one_cookie_info(result, sockfd);
- if (ret != SECURITY_SERVER_SUCCESS)
- {
- SEC_SVR_ERR("ERROR: Cannot send cookie info response: %d", ret);
- }
- }
-
- return ret;
-}
int util_smack_label_is_valid(const char *smack_label)
{
${CMAKE_SOURCE_DIR}/systemd/security-server-exec-path.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-get-object-name.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-app-permissions.socket
+ ${CMAKE_SOURCE_DIR}/systemd/security-server-cookie-get.socket
+ ${CMAKE_SOURCE_DIR}/systemd/security-server-cookie-check.socket
DESTINATION
/usr/lib/systemd/system
)
--- /dev/null
+[Socket]
+ListenStream=/tmp/.security-server-api-cookie-check.sock
+SocketMode=0777
+#SmackLabelIPIn=security-server::api-cookie-check
+SmackLabelIPIn=*
+SmackLabelIPOut=@
+
+Service=security-server.service
+
+[Install]
+WantedBy=sockets.target
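Review bot: `SocketMode=0777` together with `SmackLabelIPIn=*` leaves this socket without an access restriction at either the DAC or the Smack layer, because the dedicated label is commented out and `*` as an object label permits access from any subject. If the wildcard is a bring-up workaround, restore `SmackLabelIPIn=security-server::api-cookie-check` and drop the `SmackLabelIPIn=*` line. If it is intentional, replace the commented-out line with a comment saying so and stating that the cookie service must authorise each peer itself, which cannot be confirmed from this unit. The same applies to `security-server-cookie-get.socket`, added in the next file with `#SmackLabelIPIn=security-server::api-cookie-get`. Since the `CookieService` header in this commit declares PID, Smack-label and privilege lookups by cookie, a narrower `SocketMode` for the check socket may also be worth considering, though the set of legitimate callers is not shown here.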
--- /dev/null
+[Socket]
+ListenStream=/tmp/.security-server-api-cookie-get.sock
+SocketMode=0777
+#SmackLabelIPIn=security-server::api-cookie-get
+SmackLabelIPIn=*
+SmackLabelIPOut=@
+
+Service=security-server.service
+
+[Install]
+WantedBy=sockets.target
Sockets=security-server-exec-path.socket
Sockets=security-server-get-object-name.socket
Sockets=security-server-app-permissions.socket
+Sockets=security-server-cookie-get.socket
+Sockets=security-server-cookie-check.socket
[Install]
WantedBy=multi-user.target