${COMMON_PATH}/smack-common.cpp
${COMMON_PATH}/smack-rules.cpp
${COMMON_PATH}/smack-check.cpp
+ ${COMMON_PATH}/template-manager.cpp
${COMMON_PATH}/service_impl.cpp
${COMMON_PATH}/service_impl_utils.cpp
${COMMON_PATH}/tzplatform-config.cpp
#define PRIVILEGE_GROUP_LIST_FILE POLICY_INSTALL_DIR "/privilege-group.list"
#define PRIVILEGE_MOUNT_LIST_FILE POLICY_INSTALL_DIR "/privilege-mount.list"
-#define PRIVILEGE_SMACK_LIST_FILE POLICY_INSTALL_DIR "/privilege-smack.list"
#define PRIVILEGE_SYSTEMD_LIST_FILE POLICY_INSTALL_DIR "/privilege-managed-by-systemd-for-daemons.list"
#define SKEL_DIR "/etc/skel"
#include <string>
#include <utility>
+#include <config.h>
#include <smack-accesses.h>
#include <smack-common.h>
+#include <template-manager.h>
namespace SecurityManager {
class SmackRules {
public:
+ SmackRules() : m_templateMgr(POLICY_INSTALL_DIR) {
+ m_templateMgr.init();
+ }
+
/**
* Install package-specific smack rules plus add rules for specified external apps.
*
void addFromTemplate(
SmackAccesses &rules,
- const Smack::TemplateRules &templateRules,
- const Smack::Label &appProcessLabel,
- const std::string &pkgName,
- const int authorId);
-
- void addFromTemplateFile(
- SmackAccesses &rules,
- const std::string &templatePath,
+ TemplateManager::Type type,
const Smack::Label &appProcessLabel,
const std::string &pkgName,
const int authorId);
void addFromPrivTemplate(
SmackAccesses &rules,
- const Smack::TemplateRules &templateRules,
+ TemplateManager::Type type,
+ const std::string &privilege,
const Smack::Label &appProcessLabel,
const Smack::Label &privilegeLable,
const std::string &pkgName,
const int authorId);
- void addFromPrivTemplateFile(
- SmackAccesses &rules,
- const std::string &templatePath,
- const Smack::Label &appProcessLabel,
- const Smack::Label &privilegeLabel,
- const std::string &pkgName,
- int AuthorId);
-
void useTemplate(
- const std::string &templatePath,
+ TemplateManager::Type type,
const Smack::Label &appProcessLabel,
const std::string &pkgName,
const int authorId = -1);
*/
void generatePackageCrossDeps(SmackAccesses &rules, const Smack::Labels &pkgLabels);
+ TemplateManager m_templateMgr;
};
} // namespace SecurityManager
--- /dev/null
+/*
+ * Copyright (c) 2020 Samsung Electronics Co., Ltd. All rights reserved
+ *
+ * Contact: Rafal Krypa <r.krypa@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/**
+ * @file templates-manager.h
+ * @author Zofia Abramowska <z.abramowska@samsung.com>
+ * @version 1.0
+ * @brief Header file of a smack rules template manager
+ */
+
+#include <map>
+#include <string>
+
+#include <smack-common.h>
+
+#include "config-file.h"
+
+namespace SecurityManager {
+
+class TemplateManager {
+public:
+ explicit TemplateManager(const std::string &rootDir) : m_rootDir(rootDir){}
+ enum Type {
+ APP_RULES_TEMPLATE,
+ PKG_RULES_TEMPLATE,
+ AUTHOR_RULES_TEMPLATE,
+ PRIV_DEFAULT_RULES_TEMPLATE,
+ PRIV_RULES_TEMPLATE
+ };
+ void init();
+ Smack::TemplateRules getRules(Type type, const std::string &privName = "") const;
+ Smack::Label getPrivilegeLabel(const std::string &privName) const;
+
+private:
+ void loadFiles();
+ typedef std::string PrivilegeName;
+ typedef std::string Path;
+ typedef std::string FileName;
+
+ struct PrivMapping {
+ Smack::Label label;
+ FileName fileName;
+ };
+
+ std::string getPolicyFile(enum TemplateManager::Type policyFile,
+ const std::string &privFile = "") const ;
+ PrivMapping getPrivMapping(const std::string &privName) const;
+
+ std::string m_rootDir;
+ std::map<Path, Smack::TemplateRules> m_templateRules;
+ std::map<PrivilegeName, PrivMapping> m_privMapping;
+};
+
+} // namespace SecurityManager
#include <config-file.h>
#include <dpl/log/log.h>
#include <dpl/errno_string.h>
-#include <filesystem.h>
#include <smack-check.h>
#include <smack-exceptions.h>
#include <smack-labels.h>
const std::string SMACK_PATH_TRUSTED_LABEL_TEMPLATE = "~PATH_TRUSTED~";
const std::string SMACK_PRIVILEGE_LABEL_TEMPLATE = "~PRIVILEGE~";
-enum POLICY_FILE {
- APP_RULES_TEMPLATE,
- PKG_RULES_TEMPLATE,
- AUTHOR_RULES_TEMPLATE,
- PRIV_DEFAULT_RULES_TEMPLATE,
- PRIV_RULES_TEMPLATE
-};
-
-const std::string POLICY_DIR_STR = POLICY_INSTALL_DIR;
-const std::string PRIV_MAPPING_DIR_STR = POLICY_INSTALL_DIR "/" PRIV_MAPPING_INSTALL_SUBDIR;
-
-std::map<POLICY_FILE, std::string> POLICY_FILE_PATH_MAP = {
- {POLICY_FILE::APP_RULES_TEMPLATE, POLICY_DIR_STR + "/app-rules-template.smack"},
- {POLICY_FILE::PKG_RULES_TEMPLATE, POLICY_DIR_STR + "/pkg-rules-template.smack"},
- {POLICY_FILE::AUTHOR_RULES_TEMPLATE, POLICY_DIR_STR + "/author-rules-template.smack"},
- {POLICY_FILE::PRIV_DEFAULT_RULES_TEMPLATE,
- PRIV_MAPPING_DIR_STR + "/priv-rules-default-template.smack"}
-};
-
-std::string getPolicyFile(enum POLICY_FILE policyFile, const std::string &privFile = "") {
- if (policyFile == POLICY_FILE::PRIV_RULES_TEMPLATE) {
- return PRIV_MAPPING_DIR_STR + "/" + privFile;
- }
- return POLICY_FILE_PATH_MAP[policyFile];
-}
-
const std::string SMACK_APP_IN_PACKAGE_PERMS = "rwxat";
const std::string SMACK_APP_PATH_OWNER_PERMS = "rwxat";
const std::string SMACK_APP_PATH_TARGET_PERMS = "rxl";
const std::string SMACK_APP_PATH_SYSTEM_PERMS = "rwxat";
const std::string SMACK_APP_PATH_USER_PERMS = "rwxat";
-const std::string PRIV_TEMPLATE_DEFAULT = "default";
-
} // namespace anonymous
-void SmackRules::addFromTemplateFile(
- SmackAccesses &rules,
- const std::string &templatePath,
- const Smack::Label &appProcessLabel,
- const std::string &pkgName,
- const int authorId)
-{
- try {
- addFromTemplate(rules, Smack::fromConfig(templatePath), appProcessLabel, pkgName, authorId);
- } catch (FS::Exception::Base &) {
- LogError("Error reading template file: " << templatePath);
- ThrowMsg(SmackException::FileError, "Error reading template file: " << templatePath);
- }
-}
-
void SmackRules::addFromTemplate(
SmackAccesses &rules,
- const Smack::Rules &templateRules,
+ TemplateManager::Type type,
const Smack::Label &appProcessLabel,
const std::string &pkgName,
const int authorId)
if (authorId >= 0)
pathTrustedLabel = SmackLabels::generatePathTrustedLabel(authorId);
+ Smack::TemplateRules templateRules = m_templateMgr.getRules(type);
+
for (auto rule : templateRules) {
strReplace(rule.subject, SMACK_PROCESS_LABEL_TEMPLATE, appProcessLabel);
strReplace(rule.object, SMACK_PROCESS_LABEL_TEMPLATE, appProcessLabel);
void SmackRules::addFromPrivTemplate(
SmackAccesses &rules,
- const Smack::TemplateRules &templateRules,
+ TemplateManager::Type type,
+ const std::string &privilege,
const Smack::Label &appProcessLabel,
const Smack::Label &privilegeLabel,
const std::string &pkgName,
if (authorId >= 0)
pathTrustedLabel = SmackLabels::generatePathTrustedLabel(authorId);
+ Smack::TemplateRules templateRules = m_templateMgr.getRules(type, privilege);
for (auto rule : templateRules) {
if (rule.subject[0] != '~' || rule.object[0] != '~') {
LogWarning("Unsupported rule <"
}
}
-void SmackRules::addFromPrivTemplateFile(
- SmackAccesses &rules,
- const std::string &templatePath,
- const Smack::Label &appProcessLabel,
- const Smack::Label &privilegeLabel,
- const std::string &pkgName,
- int authorId)
-{
- try {
- addFromPrivTemplate(rules, Smack::fromConfig(templatePath), appProcessLabel, privilegeLabel,
- pkgName, authorId);
- } catch (FS::Exception::Base &) {
- LogError("Error reading template file: " << templatePath);
- ThrowMsg(SmackException::FileError, "Error reading template file: " << templatePath);
- }
-}
-
void SmackRules::generatePackageCrossDeps(SmackAccesses &rules, const Smack::Labels &pkgLabels)
{
LogDebug("Generating cross-package rules");
}
void SmackRules::useTemplate(
- const std::string &templatePath,
+ TemplateManager::Type type,
const Smack::Label &appProcessLabel,
const std::string &pkgName,
const int authorId)
{
SmackAccesses smackRules;
- addFromTemplateFile(smackRules, templatePath, appProcessLabel, pkgName, authorId);
+ addFromTemplate(smackRules, type, appProcessLabel, pkgName, authorId);
if (smack_check())
smackRules.apply();
const int authorId,
const Smack::Labels &pkgLabels)
{
- useTemplate(getPolicyFile(POLICY_FILE::APP_RULES_TEMPLATE), appProcessLabel, pkgName, authorId);
+ useTemplate(TemplateManager::Type::APP_RULES_TEMPLATE, appProcessLabel, pkgName, authorId);
if (authorId >= 0)
- useTemplate(getPolicyFile(POLICY_FILE::AUTHOR_RULES_TEMPLATE), appProcessLabel, pkgName, authorId);
+ useTemplate(TemplateManager::Type::AUTHOR_RULES_TEMPLATE, appProcessLabel, pkgName, authorId);
updatePackageRules(pkgName, pkgLabels);
}
SmackAccesses smackRules;
- auto privMapping = ConfigFile(PRIVILEGE_SMACK_LIST_FILE).read();
-
- for (auto &mapping : privMapping) {
- if (mapping.size() != 3)
+ for (auto &privilege : privileges) {
+ auto privLabel = m_templateMgr.getPrivilegeLabel(privilege);
+ if (privLabel.empty())
continue;
-
- auto &privName = mapping[0];
- auto &privLabel = mapping[1];
- auto &privTemplate = mapping[2];
-
- if (privTemplate == PRIV_TEMPLATE_DEFAULT) {
- privTemplate = getPolicyFile(POLICY_FILE::PRIV_DEFAULT_RULES_TEMPLATE);
- } else {
- privTemplate = getPolicyFile(POLICY_FILE::PRIV_RULES_TEMPLATE, privTemplate);
- }
-
- for (auto &privilege : privileges) {
- if (privilege == privName) {
- addFromPrivTemplateFile(smackRules, privTemplate, appProcessLabel, privLabel,
- pkgName, authorId);
- break;
- }
- }
+ addFromPrivTemplate(smackRules, TemplateManager::Type::PRIV_RULES_TEMPLATE, privilege,
+ appProcessLabel, privLabel, pkgName, authorId);
}
if (smack_check())
const Smack::Labels &pkgLabels)
{
SmackAccesses smackRules;
- addFromTemplateFile(smackRules,
- getPolicyFile(POLICY_FILE::PKG_RULES_TEMPLATE),
+ addFromTemplate(smackRules,
+ TemplateManager::Type::PKG_RULES_TEMPLATE,
std::string(),
pkgName,
-1);
const Smack::Labels &pkgLabels)
{
SmackAccesses smackRules;
- addFromTemplateFile(smackRules, getPolicyFile(POLICY_FILE::PKG_RULES_TEMPLATE), {}, pkgName, -1);
+ addFromTemplate(smackRules, TemplateManager::Type::PKG_RULES_TEMPLATE,
+ std::string(), pkgName, -1);
generatePackageCrossDeps(smackRules, pkgLabels);
smackRules.clear();
}
const int authorId)
{
SmackAccesses smackRules;
- addFromTemplateFile(smackRules, getPolicyFile(POLICY_FILE::APP_RULES_TEMPLATE), appLabel, pkgName, authorId);
+ addFromTemplate(smackRules, TemplateManager::Type::APP_RULES_TEMPLATE,
+ appLabel, pkgName, authorId);
smackRules.clear();
SmackLabels::revokeSubject(appLabel);
}
void SmackRules::uninstallAuthorRules(const int authorId)
{
SmackAccesses smackRules;
- addFromTemplateFile(smackRules, getPolicyFile(POLICY_FILE::AUTHOR_RULES_TEMPLATE), {}, {}, authorId);
+ addFromTemplate(smackRules, TemplateManager::Type::AUTHOR_RULES_TEMPLATE,
+ std::string(), std::string(), authorId);
smackRules.clear();
}
--- /dev/null
+/*
+ * Copyright (c) 2020 Samsung Electronics Co., Ltd. All rights reserved
+ *
+ * Contact: Rafal Krypa <r.krypa@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/**
+ * @file templates-manager.cpp
+ * @author Zofia Abramowska <z.abramowska@samsung.com>
+ * @version 1.0
+ * @brief Source file of a smack rules template manager
+ */
+
+#include <config.h>
+#include <config-file.h>
+#include <dpl/log/log.h>
+#include <filesystem.h>
+#include <smack-exceptions.h>
+
+#include "template-manager.h"
+
+namespace SecurityManager {
+
+namespace {
+
+const std::string PRIV_MAPPING_SUBDIR = PRIV_MAPPING_INSTALL_SUBDIR;
+
+const std::string PRIV_TEMPLATE_DEFAULT_FILE = PRIV_MAPPING_SUBDIR + "/"
+ + "priv-rules-default-template.smack";
+
+const std::map<TemplateManager::Type, std::string> TEMPLATE_PATH_MAP = {
+ {TemplateManager::Type::APP_RULES_TEMPLATE, "app-rules-template.smack"},
+ {TemplateManager::Type::PKG_RULES_TEMPLATE, "pkg-rules-template.smack"},
+ {TemplateManager::Type::AUTHOR_RULES_TEMPLATE, "author-rules-template.smack"},
+ {TemplateManager::Type::PRIV_DEFAULT_RULES_TEMPLATE, PRIV_TEMPLATE_DEFAULT_FILE}
+};
+
+const std::string PRIV_TEMPLATE_DEFAULT = "default";
+const std::string PRIVILEGE_SMACK_LIST_FILE = "privilege-smack.list";
+
+} // namespace anonymous
+
+void TemplateManager::init()
+{
+ try {
+ loadFiles();
+ } catch (FS::Exception::Base &e) {
+ LogError("Error loading config files: " << e.DumpToString());
+ } catch (SmackException::FileError &e) {
+ LogError("Error parsing config files: " << e.DumpToString());
+ }
+}
+
+std::string TemplateManager::getPolicyFile(enum TemplateManager::Type policyFile,
+ const std::string &privFile) const
+{
+ if (policyFile == TemplateManager::Type::PRIV_RULES_TEMPLATE) {
+ return m_rootDir + "/" + privFile;
+ }
+ return m_rootDir + "/" + TEMPLATE_PATH_MAP.at(policyFile);
+}
+
+void TemplateManager::loadFiles()
+{
+ std::string path = m_rootDir + "/" + PRIVILEGE_SMACK_LIST_FILE;
+ auto raw = ConfigFile(path).read();
+ for(auto &privMapping : raw) {
+
+ if (privMapping.size() != 3) {
+ std::string errorMsg = "Invalid mapping template: " + std::to_string(privMapping.size())
+ + " tokens in file " + path + ". Expected 3.";
+ LogError(errorMsg);
+ ThrowMsg(SmackException::FileError, errorMsg);
+ }
+
+ auto &privName = privMapping[0];
+ auto &privLabel = privMapping[1];
+ auto &privFile = privMapping[2];
+
+ if (privFile == PRIV_TEMPLATE_DEFAULT) {
+ privFile = PRIV_TEMPLATE_DEFAULT_FILE;
+ } else {
+ privFile = PRIV_MAPPING_SUBDIR + "/" + privFile;
+ }
+ m_privMapping[privName] = {privLabel, privFile};
+ }
+
+ std::vector<Type> types = {Type::APP_RULES_TEMPLATE, Type::PKG_RULES_TEMPLATE,
+ Type::AUTHOR_RULES_TEMPLATE, Type::PRIV_DEFAULT_RULES_TEMPLATE};
+ for (auto &type : types) {
+ auto path = getPolicyFile(type);
+ m_templateRules[path] = Smack::fromConfig(path);
+ }
+
+ for (auto &privMapping : m_privMapping) {
+ auto path = getPolicyFile(PRIV_RULES_TEMPLATE, privMapping.second.fileName);
+ m_templateRules[path] = Smack::fromConfig(path);
+ }
+}
+
+TemplateManager::PrivMapping
+TemplateManager::getPrivMapping(const std::string &privName) const
+{
+ auto it = m_privMapping.find(privName);
+ if (it == m_privMapping.end())
+ return {"", ""};
+ return it->second;
+}
+
+Smack::Label TemplateManager::getPrivilegeLabel(const std::string &privName) const
+{
+ auto privMapping = getPrivMapping(privName);
+ return privMapping.label;
+}
+
+Smack::TemplateRules
+TemplateManager::getRules(TemplateManager::Type type, const std::string &privName) const
+{
+ std::string privTemplateFile;
+ if (!privName.empty()) {
+ privTemplateFile = getPrivMapping(privName).fileName;
+ }
+
+ std::string filePath = getPolicyFile(type, privTemplateFile);
+ auto it = m_templateRules.find(filePath);
+ if (it == m_templateRules.end()) {
+ return {};
+ }
+ return it->second;
+}
+
+} // namespace SecurityManager
${PROJECT_SOURCE_DIR}/src/common/smack-check.cpp
${PROJECT_SOURCE_DIR}/src/common/smack-labels.cpp
${PROJECT_SOURCE_DIR}/src/common/smack-rules.cpp
+ ${PROJECT_SOURCE_DIR}/src/common/template-manager.cpp
${PROJECT_SOURCE_DIR}/src/common/filesystem.cpp
${PROJECT_SOURCE_DIR}/src/common/tzplatform-config.cpp
${PROJECT_SOURCE_DIR}/src/common/utils.cpp
SmackException::LibsmackError);
}
-BOOST_FIXTURE_TEST_CASE(T1130_smack_rules_templates, RulesFixture)
-{
- Smack::TemplateRules templateRules = {{"System", "~PROCESS~", "rwxat"},
- {"~PROCESS~", "System", "wx"},
- {"~PROCESS~", "~PATH_RW~", "rwxat"},
- {"~PROCESS~", "~PATH_RO~", "rxl"},
- {"~PROCESS~", "~PATH_TRUSTED~", "rwxat"}};
-
- std::ofstream templateRulesFile;
- templateRulesFile.open(templateRulesFilePath);
- for (auto &templateRule : templateRules) {
- templateRulesFile << templateRule.subject << ' ' << templateRule.object << ' '
- << templateRule.permissions << std::endl;
- }
- templateRulesFile.close();
-
- const std::string appName = "appNameT1130";
- const std::string pkgName = "pkgNameT1130";
- const std::string appProcessLabel = generateProcessLabel(appName, pkgName, false);
- const int authorId = 5000;
- SmackAccesses smackAccessesFromTemplate, smackAccessesFromFileTemplate;
- SmackRules smackRules;
-
- BOOST_REQUIRE_NO_THROW(smackRules.addFromTemplate(
- smackAccessesFromTemplate,
- templateRules,
- appProcessLabel,
- pkgName,
- authorId));
-
- const std::string noExistingFilePath = "/tmp/SecurityManagerUTNoExistingFile";
- BOOST_REQUIRE_THROW(smackRules.addFromTemplateFile(
- smackAccessesFromFileTemplate,
- noExistingFilePath,
- appProcessLabel,
- pkgName,
- authorId),
- SmackException::FileError);
-
- BOOST_REQUIRE_NO_THROW(smackRules.addFromTemplateFile(
- smackAccessesFromFileTemplate,
- templateRulesFilePath,
- appProcessLabel,
- pkgName,
- authorId));
-}
-
BOOST_AUTO_TEST_SUITE_END()
projects / platform / core / security / security-manager.git / commitdiff