User level smack permission check is applied.
authorSung-jae Park <nicesj.park@samsung.com>
Fri, 21 Jun 2013 09:40:18 +0000 (18:40 +0900)
committerSung-jae Park <nicesj.park@samsung.com>
Fri, 21 Jun 2013 09:41:59 +0000 (18:41 +0900)
User-level SMACK permission check code is implemented.
In this patch, the service still continues even if the permission check fails.
In two weeks, requests from callers that have no permission to use the service will be rejected.

Change-Id: I6ea53665dd3f4ceb27edf90f56b7c368c8f6b31e

packaging/data-provider-master.spec
src/badge_service.c
src/shortcut_service.c

index 17922f9..ccebe1f 100644 (file)
@@ -1,6 +1,6 @@
 Name: data-provider-master
 Summary: Master service provider for liveboxes.
-Version: 0.24.9
+Version: 0.24.10
 Release: 1
 Group: HomeTF/Livebox
 License: Flora License
index 96050f3..5b50595 100644 (file)
@@ -26,6 +26,7 @@
 
 #include <badge.h>
 #include <badge_db.h>
+#include <security-server.h>
 
 #include "service_common.h"
 #include "debug.h"
@@ -45,9 +46,11 @@ struct context {
        double seq;
 };
 
-struct noti_service {
+struct badge_service {
        const char *cmd;
        void (*handler)(struct tcb *tcb, struct packet *packet, void *data);
+       const char *rule;
+       const char *access;
 };
 
 /*!
@@ -281,6 +284,22 @@ static void _handler_service_register(struct tcb *tcb, struct packet *packet, vo
        }
 }
 
+static int _is_valid_permission(int fd, struct badge_service *service)
+{
+       int ret;
+
+       if (service->rule != NULL && service->access != NULL) {
+               ret = security_server_check_privilege_by_sockfd(fd, service->rule, service->access);
+               if (ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED) {
+                       ErrPrint("SMACK:Access denied\n");
+
+                       return 0;
+               }
+       }
+
+       return 1;
+}
+
 /*!
  * SERVICE THREAD
  */
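Review bot: `_is_valid_permission()` treats only `SECURITY_SERVER_API_ERROR_ACCESS_DENIED` as a refusal, so any other failure of `security_server_check_privilege_by_sockfd()` falls through to `return 1` and the caller is reported as permitted. Once the result is enforced this is a fail-open check; comparing against success instead, `if (ret != SECURITY_SERVER_API_SUCCESS) { ErrPrint("SMACK: check failed (%d)\n", ret); return 0; }`, closes it. The two checks added to `service_thread_main()` in src/shortcut_service.c test the same single error code. A NULL `rule` or `access` also returns 1 with no check, which is how the `service_register` table entry is exempted; a one-line comment on that entry saying why it needs no label would help.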
@@ -288,30 +307,42 @@ static int service_thread_main(struct tcb *tcb, struct packet *packet, void *dat
 {
        int i = 0;
        const char *command;
-       static struct noti_service service_req_table[] = {
+       static struct badge_service service_req_table[] = {
                {
                        .cmd = "insert_badge",
                        .handler = _handler_insert_badge,
+                       .rule = "data-provider-master::badge.client",
+                       .access = "w",
                },
                {
                        .cmd = "delete_badge",
                        .handler = _handler_delete_badge,
+                       .rule = "data-provider-master::badge.client",
+                       .access = "w",
                },
                {
                        .cmd = "set_badge_count",
                        .handler = _handler_set_badge_count,
+                       .rule = "data-provider-master::badge.client",
+                       .access = "w",
                },
                {
                        .cmd = "set_disp_option",
                        .handler = _handler_set_display_option,
+                       .rule = "data-provider-master::badge.client",
+                       .access = "w",
                },
                {
                        .cmd = "service_register",
                        .handler = _handler_service_register,
+                       .rule = NULL,
+                       .access = NULL,
                },
                {
                        .cmd = NULL,
                        .handler = NULL,
+                       .rule = NULL,
+                       .access = NULL,
                },
        };
 
@@ -334,6 +365,7 @@ static int service_thread_main(struct tcb *tcb, struct packet *packet, void *dat
                        if (strcmp(service_req_table[i].cmd, command))
                                continue;
 
+                       _is_valid_permission(tcb_fd(tcb), &(service_req_table[i]));
                        service_req_table[i].handler(tcb, packet, data);
                        break;
                }
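Review bot: The result of `_is_valid_permission()` is discarded on the added line, so a caller without the label still reaches `service_req_table[i].handler`. The commit description says this is a deliberate grace period, but nothing in the code records that; a comment at the call such as `/* TODO: log-only for now; skip the handler when this returns 0 once enforcement is enabled */` would keep it from being forgotten. When enforcement is added, the denied client presumably still needs an error reply rather than a silent drop, which is worth deciding now. The surrounding loop starts outside the hunk.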
index 690c08b..b5b1d82 100644 (file)
@@ -94,6 +94,7 @@ static inline struct tcb *get_reply_context(double seq)
 static int service_thread_main(struct tcb *tcb, struct packet *packet, void *data)
 {
        const char *command;
+       int ret;
 
        if (!packet) {
                DbgPrint("TCB: %p is terminated (NIL packet)\n", tcb);
@@ -108,8 +109,21 @@ static int service_thread_main(struct tcb *tcb, struct packet *packet, void *dat
 
        switch (packet_type(packet)) {
        case PACKET_REQ:
+
                /* Need to send reply packet */
                DbgPrint("%p REQ: Command: [%s]\n", tcb, command);
+               if (!strcmp(command, "add_livebox")) {
+                       ret = security_server_check_privilege_by_sockfd(tcb_fd(tcb), "data-provider-master::shortcut.livebox", "w");
+                       if (ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED) {
+                               ErrPrint("SMACK:Access denied\n");
+                       }
+               } else if (!strcmp(command, "add_shortcut")) {
+                       ret = security_server_check_privilege_by_sockfd(tcb_fd(tcb), "data-provider-master::shortcut.shortcut", "w");
+                       if (ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED) {
+                               ErrPrint("SMACK:Access denied\n");
+                       }
+               }
+
                if (service_common_multicast_packet(tcb, packet, TCB_CLIENT_TYPE_SERVICE) < 0)
                        ErrPrint("Unable to send service request packet\n");
                else
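Review bot: The two `strcmp` branches added to the `PACKET_REQ` case repeat the same check with only the label changed, and the log line names neither the command nor the label, so a denial is hard to trace back to a client request. badge_service.c in this same commit keeps the label next to the command in a table; doing the same here, or using a small lookup helper as sketched below with a new `const char *label` local, leaves one call site to change when enforcement is switched on. The sketch also logs the command, label and return code, and treats any non-success result as a refusal. `service_thread_main()` starts and ends outside the hunk.

```c
/* Maps a request command to the SMACK label it needs; NULL means no label is checked. */
static const char *_required_label(const char *command)
{
	if (!strcmp(command, "add_livebox"))
		return "data-provider-master::shortcut.livebox";
	if (!strcmp(command, "add_shortcut"))
		return "data-provider-master::shortcut.shortcut";
	return NULL;
}

	case PACKET_REQ:
		/* … unchanged: DbgPrint of the command … */
		label = _required_label(command);
		if (label) {
			ret = security_server_check_privilege_by_sockfd(tcb_fd(tcb), label, "w");
			if (ret != SECURITY_SERVER_API_SUCCESS)
				ErrPrint("SMACK: [%s] refused for label %s (%d)\n", command, label, ret);
		}
		/* … unchanged: service_common_multicast_packet call … */
```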