[API Changed] Refine launch API 05/130605/2
authorsangwan.kwon <sangwan.kwon@samsung.com>
Tue, 23 May 2017 05:51:29 +0000 (14:51 +0900)
committersangwan kwon <sangwan.kwon@samsung.com>
Thu, 25 May 2017 07:58:10 +0000 (07:58 +0000)
[AS-IS]
- Installer should save data(1): "whether app uses sysCerts or not".
- Launcher should be able to get data(1).

[TO-BE]
- Installer does not need to save data(1).
- Launcher does not need to get data(1).

Change-Id: I7f622b90d5f38dd9e52633a563f9ebcfc0dea001
Signed-off-by: sangwan.kwon <sangwan.kwon@samsung.com>
CMakeLists.txt
api/tanchor/trust-anchor.h
api/tanchor/trust-anchor.hxx
examples/launcher.c
packaging/trust-anchor.spec
src/CMakeLists.txt
src/api.cpp
src/trust-anchor.cpp
tests/test-capi-launcher.cpp
tests/test-curl.cpp
tests/test-launcher.cpp

index a496720..8f03b61 100644 (file)
@@ -37,6 +37,7 @@ ADD_DEFINITIONS("-DTANCHOR_USR_DIR=\"${TANCHOR_USR}\"")
 ADD_DEFINITIONS("-DTANCHOR_GLOBAL_DIR=\"${TANCHOR_GLOBAL}\"")
 ADD_DEFINITIONS("-DTANCHOR_TEST_DIR=\"${TANCHOR_TEST}\"")
 ADD_DEFINITIONS("-DTANCHOR_BUNDLE=\"${TANCHOR_BUNDLE}\"")
+ADD_DEFINITIONS("-DTANCHOR_SYSCA=\"${TANCHOR_SYSCA}\"")
 ADD_DEFINITIONS("-DTZ_SYS_CA_CERTS=\"${TZ_SYS_CA_CERTS}\"")
 ADD_DEFINITIONS("-DTZ_SYS_CA_BUNDLE=\"${TZ_SYS_CA_BUNDLE}\"")
 
index c32b90a..3b1f78d 100644 (file)
@@ -88,7 +88,6 @@ int trust_anchor_usr_install(const char *package_id,
  * @details After lauching trust anchor, app can use custom certificates.
  * @param[in] package_id Package id
  * @param[in] app_certificates_path App custom certificates path
- * @param[in] with_system_certificates Whether system certificates use or not
  * @return #TRUST_ANCHOR_ERROR_NONE on success,
  *         negative on error
  * @retval #TRUST_ANCHOR_ERROR_NONE Successful
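Review bot: With `with_system_certificates` removed, the remaining @details on trust_anchor_global_launch no longer tells a caller how the system-certificate choice is made, which is the one thing a launcher now needs to know. Suggest replacing the @details line with `* @details After launching trust anchor, app can use custom certificates. Whether system certificates are included was decided at install time (see trust_anchor_global_install()) and is applied automatically at launch.` (this also fixes the "lauching" typo in the surviving context line). The trust_anchor_usr_launch block in the hunk after next has the same gap and should get the same sentence. The declaration this comment documents is in the following hunk.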
@@ -100,8 +99,7 @@ int trust_anchor_usr_install(const char *package_id,
  * @see trust_anchor_global_install()
  */
 int trust_anchor_global_launch(const char *package_id,
-                                                          const char *app_certificates_path,
-                                                          bool with_system_certificates);
+                                                          const char *app_certificates_path);
 
 
 /**
@@ -110,7 +108,6 @@ int trust_anchor_global_launch(const char *package_id,
  * @param[in] package_id Package id
  * @param[in] app_certificates_path App custom certificates path
  * @param[in] uid user id
- * @param[in] with_system_certificates Whether system certificates use or not
  * @return #TRUST_ANCHOR_ERROR_NONE on success,
  *         negative on error
  * @retval #TRUST_ANCHOR_ERROR_NONE Successful
@@ -123,8 +120,7 @@ int trust_anchor_global_launch(const char *package_id,
  */
 int trust_anchor_usr_launch(const char *package_id,
                                                        const char *app_certificates_path,
-                                                       uid_t uid,
-                                                       bool with_system_certificates);
+                                                       uid_t uid);
 
 
 /**
index ef6e910..f3596ad 100644 (file)
@@ -50,7 +50,7 @@ public:
 
        int install(bool withSystemCerts) noexcept;
        int uninstall(void) noexcept;
-       int launch(bool withSystemCerts) noexcept;
+       int launch(void) noexcept;
 
 private:
        class Impl;
index 21df3ac..947180c 100644 (file)
@@ -37,11 +37,8 @@ int main()
         *
         * [pre-condition]
         * 1. Launcher should have CAP_SYS_ADMIN.
-        * 2. Get with_sys_certs information.(It should be saved when app installed.)
         */
-       bool with_sys = false;
-
-       int ret = trust_anchor_global_launch("pkgid", "/app_certs_path", with_sys);
+       int ret = trust_anchor_global_launch("pkgid", "/app_certs_path");
        if (ret != TRUST_ANCHOR_ERROR_NONE) {
                printf("Failed to launch operation");
                return -1;
index 3bd67f7..cea4289 100644 (file)
@@ -25,6 +25,7 @@ Requires(postun): /sbin/ldconfig
 %global tanchor_usr     %{tanchor_base}/usr
 %global tanchor_global  %{tanchor_base}/global
 %global tanchor_bundle  %{tanchor_base}/ca-bundle.pem
+%global tanchor_sysca   %{tanchor_base}/.sysca
 %global tanchor_test    %{tanchor_base}/test
 %global tanchor_example %{tanchor_base}/example
 
@@ -37,10 +38,11 @@ SSL root certificates for its HTTPS communication.
 %license LICENSE
 %{_libdir}/lib%{lib_name}.so.0
 %{_libdir}/lib%{lib_name}.so.%{version}
-%dir %attr(770, %{user_name}, %{group_name}) %{tanchor_base}
+%dir %attr(-, %{user_name}, %{group_name}) %{tanchor_base}
 %dir %attr(-, %{user_name}, %{group_name}) %{tanchor_usr}
 %dir %attr(-, %{user_name}, %{group_name}) %{tanchor_global}
 %attr(-, %{user_name}, %{group_name}) %{tanchor_bundle}
+%attr(444 %{user_name}, %{group_name}) %{tanchor_sysca}
 
 %prep
 %setup -q
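Review bot: The new `%attr(444 %{user_name}, %{group_name}) %{tanchor_sysca}` line is missing the comma between the mode and the owner, unlike the sibling `%attr(-, %{user_name}, %{group_name})` entries; rpm's %attr grammar is `%attr(mode, user, group)`, so write `%attr(444, %{user_name}, %{group_name}) %{tanchor_sysca}` and confirm with rpmbuild that the marker file is packaged with the intended mode. Separately, relaxing the base directory from `%attr(770, ...)` to `%attr(-, ...)` means its mode becomes whatever the `mkdir -p` in %install produced under the build umask, which is presumably wider than 770; since that directory now also holds the per-package `.sysca` marker that decides trust behaviour at launch, it is worth stating in the commit message or spec why the explicit 770 was dropped.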
@@ -63,6 +65,7 @@ SSL root certificates for its HTTPS communication.
                 -DTANCHOR_USR=%{tanchor_usr} \
                 -DTANCHOR_GLOBAL=%{tanchor_global} \
                 -DTANCHOR_BUNDLE=%{tanchor_bundle} \
+                -DTANCHOR_SYSCA=%{tanchor_sysca} \
                 -DTANCHOR_TEST=%{tanchor_test} \
                 -DTANCHOR_EXAMPLE=%{tanchor_example} \
                 -DTZ_SYS_CA_CERTS=%{TZ_SYS_CA_CERTS} \
@@ -79,6 +82,7 @@ mkdir -p %{buildroot}%{tanchor_usr}
 mkdir -p %{buildroot}%{tanchor_global}
 
 touch %{buildroot}%{tanchor_bundle}
+touch %{buildroot}%{tanchor_sysca}
 
 %post -p /sbin/ldconfig
 
index 849d68c..2de205d 100644 (file)
@@ -34,12 +34,10 @@ ADD_LIBRARY(${TARGET_TANCHOR_LIB} SHARED ${${TARGET_TANCHOR_LIB}_SRCS})
 SET_TARGET_PROPERTIES(${TARGET_TANCHOR_LIB}
        PROPERTIES COMPILE_FLAGS "-D_GNU_SOURCE -fPIC -fvisibility=hidden"
                           SOVERSION ${API_VERSION}
-                          VERSION ${LIB_VERSION}
-)
+                          VERSION ${LIB_VERSION})
 
 TARGET_LINK_LIBRARIES(${TARGET_TANCHOR_LIB}
-       ${${TARGET_TANCHOR_LIB}_DEP_LIBRARIES}
-)
+       ${${TARGET_TANCHOR_LIB}_DEP_LIBRARIES})
 
 INSTALL(TARGETS ${TARGET_TANCHOR_LIB}
                DESTINATION ${LIB_INSTALL_DIR})
index 45abae7..885cbf0 100644 (file)
@@ -47,21 +47,19 @@ int trust_anchor_usr_install(const char *package_id,
 
 TANCHOR_API
 int trust_anchor_global_launch(const char *package_id,
-                                                          const char *app_certificates_path,
-                                                          bool with_system_certificates)
+                                                          const char *app_certificates_path)
 {
        TrustAnchor ta(package_id, app_certificates_path);
-       return ta.launch(with_system_certificates);
+       return ta.launch();
 }
 
 TANCHOR_API
 int trust_anchor_usr_launch(const char *package_id,
                                                        const char *app_certificates_path,
-                                                       uid_t uid,
-                                                       bool with_system_certificates)
+                                                       uid_t uid)
 {
        TrustAnchor ta(package_id, app_certificates_path, uid);
-       return ta.launch(with_system_certificates);
+       return ta.launch();
 }
 
 TANCHOR_API
index 52166cc..ad09c68 100644 (file)
@@ -46,6 +46,7 @@ namespace {
 const std::string BASE_USR_PATH(TANCHOR_USR_DIR);
 const std::string BASE_GLOBAL_PATH(TANCHOR_GLOBAL_DIR);
 const std::string TANCHOR_BUNDLE_PATH(TANCHOR_BUNDLE);
+const std::string TANCHOR_SYSCA_PATH(TANCHOR_SYSCA);
 const std::string SYS_CERTS_PATH(TZ_SYS_CA_CERTS);
 const std::string SYS_BUNDLE_PATH(TZ_SYS_CA_BUNDLE);
 const std::string MOUNT_POINT_CERTS(TZ_SYS_CA_CERTS);
@@ -65,15 +66,17 @@ public:
 
        int install(bool withSystemCerts) noexcept;
        int uninstall(bool isRollback = false) noexcept;
-       int launch(bool withSystemCerts);
+       int launch(void);
 
 private:
        void preInstall(void) const;
+       void preLaunch(void);
        void linkTo(const std::string &src, const std::string &dst) const;
+       void makeCustomCerts(bool withSystemCerts);
        void makeCustomBundle(bool withSystemCerts);
        std::string readLink(const std::string &path) const;
        std::string getUniqueHashName(const std::string &hashName) const;
-       std::string getBundleName(void) const;
+       std::string getFileName(const std::string &path) const;
        bool isSystemCertsModified(void) const;
        void checkFileValidity(const runtime::File &file) const;
 
@@ -117,7 +120,7 @@ TrustAnchor::Impl::Impl(const std::string &packageId,
 std::string TrustAnchor::Impl::readLink(const std::string &path) const
 {
        std::vector<char> buf(PATH_MAX);
-       ssize_t count = readlink(path.c_str(), buf.data(), buf.size());
+       ssize_t count = ::readlink(path.c_str(), buf.data(), buf.size());
        return std::string(buf.data(), (count > 0) ? count : 0);
 }
 
@@ -160,31 +163,7 @@ int TrustAnchor::Impl::install(bool withSystemCerts) noexcept
 
        this->preInstall();
 
-       if (withSystemCerts) {
-               // link system certificates to the custom directory
-               runtime::DirectoryIterator iter(SYS_CERTS_PATH), end;
-               while (iter != end) {
-                       linkTo(readLink(iter->getPath()),
-                                  this->m_customCertsPath + "/" + iter->getName());
-                       this->m_customCertNameSet.emplace(iter->getName());
-                       ++iter;
-               }
-               DEBUG("Success to migrate system certificates.");
-       }
-
-       // link app certificates to the custom directory as subjectNameHash
-       runtime::DirectoryIterator iter(this->m_appCertsPath), end;
-       while (iter != end) {
-               Certificate cert(iter->getPath());
-               std::string hashName = this->getUniqueHashName(cert.getSubjectNameHash());
-               linkTo(iter->getPath(),
-                          this->m_customCertsPath + "/" + hashName);
-               this->m_customCertNameSet.emplace(std::move(hashName));
-
-               this->m_customCertsData.emplace_back(cert.getCertificateData());
-               ++iter;
-       }
-
+       this->makeCustomCerts(withSystemCerts);
        this->makeCustomBundle(withSystemCerts);
 
        INFO("Success to install[" << this->m_packageId <<
@@ -230,7 +209,8 @@ bool TrustAnchor::Impl::isSystemCertsModified(void) const
        if (::stat(SYS_BUNDLE_PATH.c_str(), &systemAttr))
                ThrowErrno(errno, SYS_BUNDLE_PATH);
 
-       auto customBundle = this->m_customBundlePath + "/" + this->getBundleName();
+       auto customBundle = this->m_customBundlePath + "/" +
+                                               this->getFileName(SYS_BUNDLE_PATH);
        if (::stat(customBundle.c_str(), &customAttr))
                ThrowErrno(errno, customBundle);
 
@@ -240,12 +220,30 @@ bool TrustAnchor::Impl::isSystemCertsModified(void) const
        return systemAttr.st_mtime > customAttr.st_mtime;
 }
 
-int TrustAnchor::Impl::launch(bool withSystemCerts)
+void TrustAnchor::Impl::preLaunch(void)
 {
-       EXCEPTION_GUARD_START
+       // check whether system certificates use or not
+       runtime::File customSysCA(this->m_customBasePath + "/" +
+                                                         this->getFileName(TANCHOR_SYSCA_PATH));
+       if (!customSysCA.exists()) {
+               INFO("This package only use custom certificates.");
+               return;
+       }
 
-       if (withSystemCerts && this->isSystemCertsModified())
+       INFO("This package use system certificates.");
+       if (this->isSystemCertsModified()) {
+               WARN("System certificates be changed. Remake custom bundle.");
                this->makeCustomBundle(true);
+       }
+
+       DEBUG("Success to pre-install stage.");
+}
+
+int TrustAnchor::Impl::launch()
+{
+       EXCEPTION_GUARD_START
+
+       this->preLaunch();
 
        errno = 0;
        // disassociate from the parent namespace
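Review bot: The closing log in preLaunch reads `DEBUG("Success to pre-install stage.");` although this is the pre-launch step; change it to `DEBUG("Success to pre-launch stage.");` so a failure around launch is not misread as an install problem in the logs. The presence of the copied `.sysca` marker under m_customBasePath is now the only thing that records that system certificates were requested, which deserves a comment above the `runtime::File customSysCA(...)` line such as `// the .sysca marker is copied here by install() when system certs were requested; its presence is the flag`. Unlike the install side, this check trusts the marker on existence alone, so the decision is only as reliable as the write access to m_customBasePath — if anything other than the installer can write there, that assumption should be confirmed. launch() continues past the end of this hunk.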
@@ -265,7 +263,8 @@ int TrustAnchor::Impl::launch(bool withSystemCerts)
                                                  this->m_customCertsPath + "] to dst[" +
                                                  MOUNT_POINT_CERTS + "]");
 
-       auto bundle = this->m_customBundlePath + "/" + this->getBundleName();
+       auto bundle = this->m_customBundlePath + "/" +
+                                 this->getFileName(SYS_BUNDLE_PATH);
        if (::mount(bundle.c_str(),
                                MOUNT_POINT_BUNDLE.c_str(),
                                NULL,
@@ -280,13 +279,13 @@ int TrustAnchor::Impl::launch(bool withSystemCerts)
        EXCEPTION_GUARD_END
 }
 
-std::string TrustAnchor::Impl::getBundleName(void) const
+std::string TrustAnchor::Impl::getFileName(const std::string &path) const
 {
-       size_t pos = SYS_BUNDLE_PATH.rfind('/');
+       size_t pos = path.rfind('/');
        if (pos == std::string::npos)
-               throw std::logic_error("Bundle path is wrong." + SYS_BUNDLE_PATH);
+               throw std::logic_error("Path is wrong. > " + path);
 
-       return SYS_BUNDLE_PATH.substr(pos + 1);
+       return path.substr(pos + 1);
 }
 
 std::string TrustAnchor::Impl::getUniqueHashName(
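Review bot: getFileName accepts a path that ends in `/` and returns an empty string for it, so a caller such as the customBundle path in the preceding hunks would silently resolve to the directory itself instead of hitting the logic_error; tighten the guard to `if (pos == std::string::npos || pos + 1 == path.size())`. Both current callers pass build-time constants (SYS_BUNDLE_PATH, TANCHOR_SYSCA_PATH), so this mainly protects against a misconfigured packaging variable rather than runtime input.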
@@ -302,10 +301,44 @@ std::string TrustAnchor::Impl::getUniqueHashName(
        return uniqueName;
 }
 
+void TrustAnchor::Impl::makeCustomCerts(bool withSystemCerts)
+{
+       if (withSystemCerts) {
+               // link system certificates to the custom directory
+               runtime::DirectoryIterator iter(SYS_CERTS_PATH), end;
+               while (iter != end) {
+                       linkTo(this->readLink(iter->getPath()),
+                                  this->m_customCertsPath + "/" + iter->getName());
+                       this->m_customCertNameSet.emplace(iter->getName());
+                       ++iter;
+               }
+               DEBUG("Success to migrate system certificates.");
+
+               // copy sysca(withSystemCerts flag) and check at launching time
+               runtime::File tanchorSysCA(TANCHOR_SYSCA_PATH);
+               this->checkFileValidity(tanchorSysCA);
+               tanchorSysCA.copyTo(this->m_customBasePath);
+               DEBUG("Success to set SYSCA flag.");
+       }
+
+       // link app certificates to the custom directory as subjectNameHash
+       runtime::DirectoryIterator iter(this->m_appCertsPath), end;
+       while (iter != end) {
+               Certificate cert(iter->getPath());
+               std::string hashName = this->getUniqueHashName(cert.getSubjectNameHash());
+               linkTo(iter->getPath(),
+                          this->m_customCertsPath + "/" + hashName);
+               this->m_customCertNameSet.emplace(std::move(hashName));
+
+               this->m_customCertsData.emplace_back(cert.getCertificateData());
+               ++iter;
+       }
+}
+
 void TrustAnchor::Impl::makeCustomBundle(bool withSystemCerts)
 {
        runtime::File customBundle(this->m_customBundlePath + "/" +
-                                                          this->getBundleName());
+                                                          this->getFileName(SYS_BUNDLE_PATH));
        if (customBundle.exists()) {
                WARN("App custom bundle is already exist. remove it!");
                customBundle.remove();
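Review bot: makeCustomCerts copies the `.sysca` marker into m_customBasePath only when withSystemCerts is true, but nothing in this hunk removes a marker left by an earlier install of the same package with the flag set, so a reinstall with `false` would still be treated as using system certificates by preLaunch unless preInstall() or uninstall() clears the directory (neither is visible here). If they do not, remove a stale marker before the branch: `runtime::File staleSysCA(this->m_customBasePath + "/" + this->getFileName(TANCHOR_SYSCA_PATH)); if (staleSysCA.exists()) staleSysCA.remove();`. Also, `copyTo` is called without checking its outcome here while the template file is validated first; if copyTo can fail silently the launch-time flag would be lost, so it is worth a comment stating whether it throws on failure. In the moved system-certificate loop, readLink() returns an empty string when ::readlink fails (see the earlier hunk), which would reach linkTo with an empty source for any non-symlink entry in SYS_CERTS_PATH — presumably that directory holds only symlinks, but a guard or comment would make that assumption explicit.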
@@ -377,12 +410,12 @@ int TrustAnchor::uninstall(void) noexcept
        return this->m_pImpl->uninstall();
 }
 
-int TrustAnchor::launch(bool withSystemCerts) noexcept
+int TrustAnchor::launch(void) noexcept
 {
        if (this->m_pImpl == nullptr)
                return TRUST_ANCHOR_ERROR_OUT_OF_MEMORY;
 
-       return this->m_pImpl->launch(withSystemCerts);
+       return this->m_pImpl->launch();
 }
 
 } // namespace tanchor
index 0457db7..90c9e22 100644 (file)
@@ -41,7 +41,7 @@ TESTCASE(CAPI_TRUST_ANCHOR_LAUNCH)
        int pid = fork();
 
        if (pid == 0) {
-               ret = trust_anchor_global_launch(DUMMY_PKG_ID, APP_CERTS_DIR, true);
+               ret = trust_anchor_global_launch(DUMMY_PKG_ID, APP_CERTS_DIR);
                TEST_EXPECT(true, ret == 0);
 
                auto afterLsChild = test::util::ls(TZ_SYS_RO_CA_CERTS);
index ecc325e..1095458 100644 (file)
@@ -57,7 +57,7 @@ TESTCASE(TRUST_ANCHOR_LAUNCH)
        TEST_EXPECT(true, pid >= 0);
 
        if (pid == 0) {
-               ret = ta.launch(false);
+               ret = ta.launch();
                TEST_EXPECT(true, ret == 0);
 
                // check SSL communication
@@ -94,7 +94,7 @@ TESTCASE(TRUST_ANCHOR_LAUNCH_WITH_SYS)
        TEST_EXPECT(true, pid >= 0);
 
        if (pid == 0) {
-               ret = ta.launch(true);
+               ret = ta.launch();
                TEST_EXPECT(true, ret == 0);
 
                // check SSL communication
index 1e44923..89493fb 100644 (file)
@@ -47,7 +47,7 @@ TESTCASE(TRUST_ANCHOR_LAUNCH)
 
        if (pid == 0) {
                TIME_MEASURE_START
-               ret = ta.launch(false);
+               ret = ta.launch();
                TIME_MEASURE_END
                TEST_EXPECT(true, ret == 0);
 
@@ -83,7 +83,7 @@ TESTCASE(TRUST_ANCHOR_LAUNCH_WITH_SYS)
 
        if (pid == 0) {
                TIME_MEASURE_START
-               ret = ta.launch(true);
+               ret = ta.launch();
                TIME_MEASURE_END
                TEST_EXPECT(true, ret == 0);