INCLUDE(FindPkgConfig)
-############################# compilation defines #############################
-
-# EMPTY
-
############################# compiler flags ##################################
-#SET(CMAKE_C_FLAGS "-g")
-#SET(CMAKE_CXX_FLAGS "-g -std=c++0x")
SET(CMAKE_C_FLAGS_PROFILING "-g -O0 -pg")
SET(CMAKE_CXX_FLAGS_PROFILING "-g -std=c++0x -O0 -pg")
SET(CMAKE_C_FLAGS_DEBUG "-g -O0 -ggdb")
ADD_DEFINITIONS("-DAPI_VERSION=\"$(API_VERSION)\"")
ADD_DEFINITIONS("-DSMACK_ENABLED")
ADD_DEFINITIONS("-DDPL_LOGS_ENABLED") # Enable LOGS in security-server2
-#ADD_DEFINITIONS("-DUSE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID") #use old security-server 1.0 for check-privilege-by-pid API
SET(TARGET_SECURITY_SERVER "security-server")
SET(TARGET_SECURITY_CLIENT "security-server-client")
return retval;
}
-
-#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
-SECURITY_SERVER_API
-int security_server_check_privilege_by_pid(int pid, const char *object, const char *access_rights)
-{
- //This function check SMACK privilege betwen subject and object.
- //Subject is identified by PID number, object is function parameter.
-
- int sockfd = -1;
- int retval;
- response_header hdr;
-
- //check for input PID param
- if (pid < 0) {
- retval = SECURITY_SERVER_ERROR_INPUT_PARAM;
- goto error;
- }
-
- SEC_SVR_DBG("%s","Check privilige by PID called");
- SEC_SVR_DBG("%s %d","PID", pid);
- SEC_SVR_DBG("%s %s", "OBJECT:", object);
- SEC_SVR_DBG("%s %s", "ACCESS_RIGHTS", access_rights);
-
- //check if able to connect
- retval = connect_to_server(&sockfd);
- if (retval != SECURITY_SERVER_SUCCESS)
- goto error;
-
- //send request
- retval = send_pid_privilege_request(sockfd, pid, object, access_rights);
- if (retval != SECURITY_SERVER_SUCCESS) {
- /* Error on socket */
- SEC_SVR_ERR("Client: Send failed: %d", retval);
- goto error;
- }
-
- //get response
- retval = recv_pid_privilege_response(sockfd, &hdr);
-
- //convert error code
- retval = return_code_to_error_code(hdr.return_code);
-
- //check if frame has correct MSG_ID
- if (hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE) {
- if (hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE) {
- /* There must be some error */
- SEC_SVR_ERR("Client: Error has been received. return code:%d", hdr.return_code);
- }
- else {
- /* Something wrong with response */
- SEC_SVR_ERR("Client ERROR: Unexpected error occurred:%d", retval);
- retval = SECURITY_SERVER_ERROR_BAD_RESPONSE;
- }
- goto error;
- }
-
- //debug info about checking result
-
- if (hdr.return_code == SECURITY_SERVER_RETURN_CODE_SUCCESS) {
- SEC_SVR_DBG("%s","Client: There is privilege match");
- retval = SECURITY_SERVER_SUCCESS;
- } else {
- SEC_SVR_WRN("%s","Client: There is no privilege match");
- retval = SECURITY_SERVER_ERROR_ACCESS_DENIED;
- }
-
-error:
- if (sockfd > 0)
- close(sockfd);
-
- retval = convert_to_public_error_code(retval);
- return retval;
-}
-#endif
// return SECURITY_SERVER_SUCCESS;
// }
-#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
-//VERSION: 0x01
-//MSG_ID: 0x1f (SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_REQUEST)
-//DATA_SIZE: strlen(object) + 1 + strlen(access_rights) + 1
-int send_pid_privilege_request(int sockfd, int pid, const char *object, const char *access_rights)
-{
- //header structure
- basic_header hdr;
- int retval;
- int message_size;
- //buffer for data
- char *buff = NULL;
- int offset = 0;
-
- if (pid < 0) {
- SEC_SVR_ERR("%s", "Error input param");
- retval = SECURITY_SERVER_ERROR_INPUT_PARAM;
- goto error;
- }
-
- if (object == NULL) {
- SEC_SVR_ERR("%s", "Error input param");
- retval = SECURITY_SERVER_ERROR_INPUT_PARAM;
- goto error;
- }
-
- //allocate buffer
- //+1 for the '\0' at string end
-
- message_size = sizeof(int) + strlen(object) + 1 + strlen(access_rights) + 1;
- buff = (char*)malloc(message_size + sizeof(hdr));
- if (buff == NULL) {
- SEC_SVR_ERR("%s", "malloc() error");
- retval = SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
- goto error;
- }
-
- //clear buffer
- bzero(buff, message_size + sizeof(hdr));
-
- //create header
- hdr.version = SECURITY_SERVER_MSG_VERSION;
- //MSG_ID
- hdr.msg_id = SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_REQUEST;
- //set message size without header (data size)
- hdr.msg_len = message_size;
-
- //copy message fields to buffer
- offset = 0;
- memcpy(&buff[offset], &hdr, sizeof(hdr));
- offset += sizeof(hdr);
- //add PID
- memcpy(&buff[offset], &pid, sizeof(pid));
- offset += sizeof(pid);
- //add *object with NULL at the end
- memcpy(&buff[offset], object, strlen(object));
- offset += strlen(object);
- buff[offset] = 0;
- offset += 1;
- //add *access_rights with NULL at the end
- memcpy(&buff[offset], access_rights, strlen(access_rights));
- offset += strlen(access_rights);
- buff[offset] = 0;
-
- //check pool
- retval = check_socket_poll(sockfd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND);
- if (retval == SECURITY_SERVER_ERROR_POLL) {
- SEC_SVR_ERR("%s", "poll() error");
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
- if (retval == SECURITY_SERVER_ERROR_TIMEOUT) {
- SEC_SVR_ERR("%s", "poll() timeout");
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
-
- //send message
- retval = TEMP_FAILURE_RETRY(write(sockfd, buff, message_size + sizeof(hdr)));
- if (retval < message_size) {
- //error on write
- SEC_SVR_ERR("Error on write(): %d", retval);
- retval = SECURITY_SERVER_ERROR_SEND_FAILED;
- goto error;
- }
- retval = SECURITY_SERVER_SUCCESS;
-error:
- if (buff != NULL)
- free(buff);
-
- return retval;
-}
-#endif
-
/* Send validate password request message to security server *
*
* Message format
return retval;
}
-#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
-int recv_pid_privilege_request(int sockfd, int datasize, int *pid, char **object, char **access_rights)
-{
- int retval;
- char *buff = NULL;
- int object_size = 0;
- int access_rights_size = 0;
-
- buff = (char*)malloc(datasize);
- if (buff == NULL)
- return SECURITY_SERVER_ERROR_OUT_OF_MEMORY;
-
- //receive all data to buffer
- retval = TEMP_FAILURE_RETRY(read(sockfd, buff, datasize));
- if (retval < datasize) {
- SEC_SVR_ERR("Received data size is too small: %d / %d", retval, datasize);
- retval = SECURITY_SERVER_ERROR_RECV_FAILED;
- goto error;
- }
-
- //getPID
- memcpy(pid, buff, sizeof(int));
-
- //get object
- while (buff[sizeof(int) + object_size] != '\0') {
- object_size++;
-
- if (object_size > datasize) {
- SEC_SVR_ERR("%s", "Wrong object_size");
- retval = SECURITY_SERVER_ERROR_UNKNOWN;
- goto error;
- }
- }
- object_size++; //for '\0' at end
-
- *object = (char*)malloc(object_size);
- memcpy(*object, buff + sizeof(int), object_size);
-
- //get access_rights
- access_rights_size = datasize - object_size - sizeof(int);
- *access_rights = (char*)malloc(access_rights_size);
- memcpy(*access_rights, buff + sizeof(int) + object_size, access_rights_size);
-
- SEC_SVR_DBG("%s %d", "Received PID:", *pid);
- SEC_SVR_DBG("%s %s", "Received object:", *object);
- SEC_SVR_DBG("%s %s", "Received privileges:", *access_rights);
-
- retval = SECURITY_SERVER_SUCCESS;
-
-error:
- if (buff != NULL)
- free(buff);
-
- return retval;
-}
-#endif
-
int recv_generic_response(int sockfd, response_header *hdr)
{
int retval;
return SECURITY_SERVER_SUCCESS;
}
-#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
-int recv_pid_privilege_response(int sockfd, response_header *hdr)
-{
- int retval;
-
- retval = recv_generic_response(sockfd, hdr);
-
- if (retval != SECURITY_SERVER_SUCCESS)
- return return_code_to_error_code(hdr->return_code);
-
- return SECURITY_SERVER_SUCCESS;
-}
-#endif
-
int recv_pwd_response(int sockfd, response_header *hdr,
unsigned int *current_attempts,
unsigned int *max_attempts,
#define SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE 0x1a
#define SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_REQUEST 0x1b
#define SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE 0x1c
-#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
-#define SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_REQUEST 0x21
-#define SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE 0x22
-#endif
#define SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE 0xff
/* Return code */
int recv_hdr(int client_sockfd, basic_header *basic_hdr);
-#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
-int send_pid_privilege_request(int sockfd, int pid, const char *object, const char *access_rights);
-int recv_pid_privilege_request(int sockfd, int datasize, int *pid, char **object, char **access_rights);
-int recv_pid_privilege_response(int sockfdi, response_header *hdr);
-#endif
-
int recv_generic_response(int sockfd, response_header *hdr);
int recv_pwd_response(int sockfd, response_header *hdr, unsigned int *current_attempts,
unsigned int *max_attempts, unsigned int *valid_days);
return retval;
}
-#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
-int process_pid_privilege_check(int sockfd, int datasize)
-{
- //In this function we parsing received PID privilege check request
- int retval;
- int client_pid;
- int pid;
- char *object = NULL;
- char *access_rights = NULL;
- unsigned char return_code;
- char *path = NULL;
- char subject[SMACK_LABEL_LEN + 1];
- subject[0] = '\0';
-
- //authenticate client
- retval = authenticate_client_middleware(sockfd, &client_pid);
-
- if (retval != SECURITY_SERVER_SUCCESS) {
- SEC_SVR_ERR("%s", "Client Authentication Failed");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED);
-
- if (retval != SECURITY_SERVER_SUCCESS)
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
-
- goto error;
- }
-
- //receive request
- retval = recv_pid_privilege_request(sockfd, datasize, &pid, &object, &access_rights);
-
- if (retval == SECURITY_SERVER_ERROR_RECV_FAILED) {
- SEC_SVR_ERR("%s", "Receiving request failed");
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE,
- SECURITY_SERVER_RETURN_CODE_BAD_REQUEST);
-
- if (retval != SECURITY_SERVER_SUCCESS)
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
-
- goto error;
- }
-
- if (smack_check()) {
- retval = smack_pid_have_access(pid, object, access_rights);
- SEC_SVR_DBG("smack_pid_have_access returned %d", retval);
-
- if (get_smack_label_from_process(pid, subject) != PC_OPERATION_SUCCESS) {
- // subject label is set to empty string
- SEC_SVR_ERR("get_smack_label_from_process failed. Subject label has not been read.");
- } else {
- SECURE_SLOGD("Subject label of client PID %d is: %s", pid, subject);
- }
- } else {
- SEC_SVR_DBG("SMACK is not available. Subject label has not been read.");
- retval = 1;
- }
-
- path = read_exe_path_from_proc(pid);
-
- if (retval > 0)
- SECURE_SLOGD("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, subject, object, access_rights, retval, path);
- else
- SECURE_SLOGW("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, subject, object, access_rights, retval, path);
-
- if (path != NULL)
- free(path);
-
- if (retval == 1) //there is permission
- return_code = SECURITY_SERVER_RETURN_CODE_SUCCESS;
- else //there is no permission
- return_code = SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED;
-
- //send response
- retval = send_generic_response(sockfd,
- SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE,
- return_code);
-
- if (retval != SECURITY_SERVER_SUCCESS)
- SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval);
-
-error:
-
- if (object != NULL)
- free(object);
- if (access_rights != NULL)
- free(access_rights);
-
- return retval;
-}
-#endif
-
int client_has_access(int sockfd, const char *object)
{
char *label = NULL;
process_gid_request(client_sockfd, (int)basic_hdr.msg_len);
break;
-#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
- case SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_REQUEST:
- SEC_SVR_DBG("%s", "PID privilege check request received");
- authorize_SS_API_caller_socket(client_sockfd, API_MIDDLEWARE, API_RULE_REQUIRED);
- //pass data size to function
- process_pid_privilege_check(client_sockfd, basic_hdr.msg_len);
- break;
-#endif
-
case SECURITY_SERVER_MSG_TYPE_VALID_PWD_REQUEST:
SECURE_SLOGD("%s", "Server: validate password request received");
authorize_SS_API_caller_socket(client_sockfd, API_PASSWD_CHECK, API_RULE_REQUIRED);
#include <security-server.h>
#include <security-server-common.h>
-#ifndef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
SECURITY_SERVER_API
int security_server_check_privilege_by_pid(
int pid,
}
return SECURITY_SERVER_API_ERROR_UNKNOWN;
}
-#endif