apply sdbd smack rule
authoryoonki.park <yoonki.park@samsung.com>
Thu, 9 May 2013 14:14:02 +0000 (23:14 +0900)
committeryoonki.park <yoonki.park@samsung.com>
Thu, 9 May 2013 14:14:02 +0000 (23:14 +0900)
Change-Id: I8d8358aee50e8a234e2ca72e3fcbcc9c42189ec5
Signed-off-by: yoonki.park <yoonki.park@samsung.com>
packaging/sdbd.spec
sdbd.manifest
src/sdb.c
src/sdb.h
src/sdktools.c
src/sdktools.h

index 4235639..d0e982b 100644 (file)
@@ -1,7 +1,7 @@
 Name:       sdbd
 Summary:    SDB daemon
 Version:    2.1.2
-Release:    1
+Release:    2
 Group:      TO_BE/FILLED_IN
 License:    TO BE FILLED IN
 Source0:    %{name}-%{version}.tar.gz
index 86dbb26..6a16a4f 100644 (file)
@@ -1,5 +1,26 @@
 <manifest>
+    <define>
+        <domain name="sdbd" policy="shared" />
+        <provide>
+            <label name="sdbd::home" />
+        </provide>
+        <request>
+            <smack request="sys-assert::core" type="rwxat" />
+            <smack request="device::app_logging" type="rwxat" />
+            <smack request="device::sys_logging" type="rwxat" />
+            <smack request="pkgmgr" type="rx" />
+            <smack request="pkgmgr-server" type="r" />
+            <smack request="aul" type="rx" />
+            <smack request="wrt::wrt-launcher" type="rx" />
+            <smack request="system::media" type="rwxat" />
+            <smack request="sdbd::home" type="rwxat" />
+        </request>
+        <permit>
+            <smack permit="system::use_internet" type="w" />
+            <smack permit="aul" type="rx" />
+        </permit>
+    </define>
     <request>
-        <domain name="_" />
+        <domain name="sdbd" />
     </request>
 </manifest>
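Review bot: Most of the new `<request>` entries ask for the full `rwxat` set, including on `system::media`, `sys-assert::core` and the two logging labels, and nothing in the manifest says why sdbd needs more than read or append on them. sdbd is the daemon a connected development host talks to, so every rule here widens what a debug session can reach. Narrow each `type` to the accesses actually exercised, and give each entry a one-line XML comment of the form `<!-- reason sdbd needs <access> on this label -->`. The `policy="shared"` domain and the `<permit>` rules for `aul` and `system::use_internet` deserve the same justification.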
index 5634d55..c0cb732 100644 (file)
--- a/src/sdb.c
+++ b/src/sdb.c
@@ -985,7 +985,7 @@ int should_drop_privileges() {
 }
 
 int set_developer_privileges() {
-    gid_t groups[] = { SID_DEVELOPER, SID_APP_LOGGING, SID_SYS_LOGGING };
+    gid_t groups[] = { SID_DEVELOPER, SID_APP_LOGGING, SID_SYS_LOGGING, SID_INPUT };
     if (setgroups(sizeof(groups) / sizeof(groups[0]), groups) != 0) {
         fprintf(stderr, "set groups failed (errno: %d, %s)\n", errno, strerror(errno));
         //exit(1);
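Review bot: A failed `setgroups()` is only printed to stderr, because `exit(1)` stays commented out, so `set_developer_privileges()` appears to carry on with whatever supplementary groups the daemon already had. The list now also decides membership of `SID_INPUT`, so the failure path matters more: make it fatal or return an error the caller checks, e.g. `return -1;` after the `fprintf`. The new `SID_INPUT` entry (gid 1004 in sdb.h, presumably the input-device group) is also undocumented; if that group owns the input device nodes, every developer shell gains read access to them. A comment such as `/* SID_INPUT: needed by <tool> for <purpose> */` would record the reason. The function body continues outside the hunk.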
index 41ce734..99e05f3 100644 (file)
--- a/src/sdb.h
+++ b/src/sdb.h
@@ -330,6 +330,7 @@ int rootshell_mode;// 0: developer, 1: root
 #define SID_DEVELOPER   5100 /* developer with SDK */
 #define SID_APP_LOGGING 6509
 #define SID_SYS_LOGGING 6527
+#define SID_INPUT       1004
 
 #endif
 
index b5f71b8..3e7bb29 100644 (file)
 
 struct sudo_command root_commands[] = {
     /* 0 */ {"killall", "/usr/bin/killall"},
-    /* 1 */ {"pkgcmd", "/usr/bin/pkgcmd"},
-    /* 2 */ {"launch_app", "/usr/bin/launch_app"},
-    /* 3 */ {"dlogutil", "/usr/bin/dlogutil"},
+    /* 1 */ //{"pkgcmd", "/usr/bin/pkgcmd"},
+    /* 2 */ //{"launch_app", "/usr/bin/launch_app"},
+    /* 3 */ //{"dlogutil", "/usr/bin/dlogutil"},
     /* 4 */ {"zypper", "/usr/bin/zypper"},
-    /* 5 */ {"pkginfo", "/usr/bin/pkginfo"},
+    /* 5 */ //{"pkginfo", "/usr/bin/pkginfo"},
     /* 6 */ {"da_command", "/usr/bin/da_command"},
     /* 7 */ {"oprofile", "/usr/bin/oprofile_command"},
-    /* 8 */ {"wrt-launcher", "/usr/bin/wrt-launcher"},
+    /* 8 */ //{"wrt-launcher", "/usr/bin/wrt-launcher"},
     /* end */ {NULL, NULL}
 };
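Review bot: Commenting the entries out leaves the `/* 1 */` … `/* 8 */` markers describing slots that no longer exist (after this change `zypper` is element 1, not 4) and keeps dead code in the table that decides what may run as root. Delete the five lines and renumber or drop the index comments, so the table reads as exactly what is allowed. If any caller addresses `root_commands` by position, which cannot be seen from this hunk, it needs checking too.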
 
@@ -139,12 +139,10 @@ int verify_root_commands(const char *arg1) {
 }
 
 int verify_app_path(const char* path) {
-
     char buf[PATH_MAX];
-    snprintf(buf, sizeof buf, "^((%s)|(%s))/[a-zA-Z0-9]{%d}/bin/[a-zA-Z0-9_\\-]{1,}(\\.exe)?$", APP_INSTALL_PATH_PREFIX1, APP_INSTALL_PATH_PREFIX2, 10);
-    int reg_cmp = regcmp(buf, path);
 
-    return reg_cmp;
+    snprintf(buf, sizeof buf, "^((%s)|(%s))/[a-zA-Z0-9]{%d}/bin/[a-zA-Z0-9_\\-]{1,}(\\.exe)?$", APP_INSTALL_PATH_PREFIX1, APP_INSTALL_PATH_PREFIX2, APPID_MAX_LENGTH);
+    return regcmp(buf, path);
 }
 
 int regcmp(const char* pattern, const char* str) {
@@ -218,7 +216,7 @@ int exec_app_standalone(const char* path) {
             // TODO: check evn setting
         }
         // TODO: i length check
-        if (!strcmp(tokens[i], GDBSERVER_PATH) || !strcmp(tokens[i], GDBSERVER_PLATFORM_PATH)) { //gdbserver :11 --attach 2332 (cnt=4,)
+        if (!strcmp(tokens[i], GDBSERVER_PATH)) { //gdbserver :11 --attach 2332 (cnt=4,)
             char *gdb_attach_arg_pattern = "^:[1-9][0-9]{2,5} \\-\\-attach [1-9][0-9]{2,5}$";
             int argcnt = cnt-i-1;
             if (argcnt == 3 && !strcmp("--attach", tokens[i+2])) {
@@ -243,12 +241,10 @@ int exec_app_standalone(const char* path) {
                     }
                 }
             }
-            else if (argcnt >= 2) {
-                if(should_drop_privileges() == 0 || verify_app_path(tokens[i+2])) {
-                    D("parsing.... debug run as mode\n");
-                    if (set_smack_rules_for_gdbserver(tokens[i+2], 0)) {
-                        ret = 1;
-                    }
+            if (argcnt >= 2 && verify_app_path(tokens[i+2])) {
+                D("parsing.... debug run as mode\n");
+                if (set_smack_rules_for_gdbserver(tokens[i+2], 0)) {
+                    ret = 1;
                 }
             }
             D("finished debug launch mode\n");
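Review bot: The new condition is a plain `if` where the old one was `else if`, so this branch is now evaluated even after the `--attach` branch above has run. That appears harmless today only because `verify_app_path()` should reject the string `--attach`. Keeping the mutual exclusion explicit is safer: `else if (argcnt >= 2 && verify_app_path(tokens[i+2])) {`. A rejected path also produces no log line before `D("finished debug launch mode\n")`, so a line such as `D("invalid app path: %s\n", tokens[i+2]);` on the refusal path would make refused launches traceable. `exec_app_standalone` starts and ends outside the hunk.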
@@ -258,6 +254,9 @@ int exec_app_standalone(const char* path) {
                 char *appid = NULL;
                 int rc = smack_lgetlabel(path, &appid, SMACK_LABEL_ACCESS);
                 if (rc == 0 && appid != NULL) {
+                    if (apply_sdb_rules(SDBD_LABEL_NAME, appid, "rx") < 0) {
+                        D("unable to set sdbd rules to %s\n", appid);
+                    }
                     if (smack_set_label_for_self(appid) != -1) {
                         D("set smack lebel [%s] appid to %s\n", appid, SMACK_LEBEL_SUBJECT_PATH);
                         apply_app_process();
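Review bot: When `apply_sdb_rules(SDBD_LABEL_NAME, appid, "rx")` fails, the code only emits a debug line and still calls `smack_set_label_for_self(appid)`; decide whether the launch should continue without the rule, and skip the relabel if it should not. The rule is loaded into the system-wide Smack rule set and nothing visible here removes it when the session ends, so each launched app seems to leave a standing `sdbd -> <appid> rx` grant behind. `appid` is whatever label is found on `path`; whether `path` has passed `verify_app_path()` at this point is not visible in the hunk and should be confirmed. The same concerns apply to the `"w"` and `sdbd::home` rules added in the `set_smack_rules_for_gdbserver` hunk.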
@@ -288,17 +287,19 @@ char* clone_gdbserver_label_from_app(const char* app_path) {
     char appid[APPID_MAX_LENGTH+1];
     char *buffer = NULL;
 
-#if 0
     if (!verify_app_path(app_path)) {
         D("not be able to access %s\n", app_path);
         return NULL;
     }
-#endif
 
     int rc = smack_lgetlabel(app_path, &buffer, SMACK_LABEL_ACCESS);
 
     if (rc == 0 && buffer != NULL) {
-        strcpy(appid, buffer);
+        if (strlen(buffer) == APPID_MAX_LENGTH) {
+            strcpy(appid, buffer);
+        } else {
+            strcpy(appid, "_");
+        }
         free(buffer);
     } else {
         strcpy(appid, "_");
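Review bot: A label whose length is not exactly `APPID_MAX_LENGTH` is silently replaced by `_`, the Smack floor label, and the function carries on as if an app id had been found. The length test does keep `strcpy` inside `appid[APPID_MAX_LENGTH+1]`, but the caller presumably goes on to build rules and relabel with `_`. Treating an unexpected label as a refusal would be safer: `D("unexpected label on %s\n", app_path); free(buffer); return NULL;`. The rest of the function is outside the hunk, so check how `appid` is used afterwards before changing the fallback.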
@@ -334,6 +335,12 @@ int set_smack_rules_for_gdbserver(const char* apppath, int mode) {
     // in case of debug as mode
     char *new_appid = clone_gdbserver_label_from_app(apppath);
     if (new_appid != NULL) {
+        if (apply_sdb_rules(SDBD_LABEL_NAME, new_appid, "w") < 0) {
+            D("unable to set sdbd rules\n");
+        }
+        if (apply_sdb_rules(new_appid, SDK_HOME_LABEL_NAME, "rx") < 0) {
+            D("unable to set sdbd home rules\n");
+        }
         if (smack_set_label_for_self(new_appid) != -1) {
             D("set smack lebel [%s] appid to %s\n", new_appid, SMACK_LEBEL_SUBJECT_PATH);
             // apply app precess only if not attach mode
@@ -350,16 +357,34 @@ int set_smack_rules_for_gdbserver(const char* apppath, int mode) {
     return 0;
 }
 
+int apply_sdb_rules(const char* subject, const char* object, const char* access_type) {
+    struct smack_accesses *rules = NULL;
+    int ret = 0;
+
+    if (smack_accesses_new(&rules))
+        return -1;
+
+    if (smack_accesses_add(rules, subject, object, access_type)) {
+        smack_accesses_free(rules);
+        return -1;
+    }
+
+    ret = smack_accesses_apply(rules);
+    smack_accesses_free(rules);
+
+    return ret;
+}
+
 void apply_app_process() {
     set_appuser_groups();
 
     if (setgid(SID_APP) != 0) {
-        fprintf(stderr, "set group id failed errno: %d\n", errno);
+        //fprintf(stderr, "set group id failed errno: %d\n", errno);
         exit(1);
     }
 
     if (setuid(SID_APP) != 0) {
-        fprintf(stderr, "set user id failed errno: %d\n", errno);
+        //fprintf(stderr, "set user id failed errno: %d\n", errno);
         exit(1);
     }
 }
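Review bot: Commenting out the two `fprintf` calls in `apply_app_process()` removes the only record of why `setgid(SID_APP)` or `setuid(SID_APP)` failed. The `exit(1)` is rightly kept, but a failed privilege drop is the event an operator most needs to see. Send the message through the existing debug macro instead, e.g. `D("set group id failed errno: %d\n", errno);`, and delete the dead lines. The new `apply_sdb_rules()` also needs a header comment stating three things: it returns -1 when the rule set cannot be built and otherwise the result of `smack_accesses_apply()`, the rule goes into the live system rule set, and `subject`, `object` and `access_type` are passed to `smack_accesses_add()` unchecked.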
index 5c58298..469cf54 100644 (file)
@@ -26,11 +26,12 @@ struct arg_permit_rule
 #define APP_INSTALL_PATH_PREFIX1                "/opt/apps"
 #define APP_INSTALL_PATH_PREFIX2                "/opt/usr/apps"
 #define GDBSERVER_PATH                          "/home/developer/sdk_tools/gdbserver/gdbserver"
-#define GDBSERVER_PLATFORM_PATH        "/home/developer/sdk_tools/gdbserver-platform/gdbserver"
 #define SMACK_LEBEL_SUBJECT_PATH                "/proc/self/attr/current"
 #define APP_GROUPS_MAX                          100
 #define APP_GROUP_LIST                          "/usr/share/privilege-control/app_group_list"
-#define APPID_MAX_LENGTH                        50
+#define APPID_MAX_LENGTH                        10
+#define SDBD_LABEL_NAME                          "sdbd"
+#define SDK_HOME_LABEL_NAME                      "sdbd::home"
 
 int verify_commands(const char *arg1);
 int verify_root_commands(const char *arg1);
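Review bot: `APPID_MAX_LENGTH` is now used as an exact length rather than a maximum, so the name misleads. In this commit it is the `{%d}` repeat count in the `verify_app_path()` pattern and the `strlen(buffer) == APPID_MAX_LENGTH` test, and it also sizes `appid[APPID_MAX_LENGTH+1]`. Dropping it from 50 to 10 therefore changes both which paths validate and how large a label fits. Add a comment on the define, e.g. `/* app ids are exactly this many characters; also sizes appid[] buffers */`, or split it into separate length and buffer-size constants. The new `SDBD_LABEL_NAME` and `SDK_HOME_LABEL_NAME` should note that they must match the domain and label declared in sdbd.manifest.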
@@ -42,6 +43,7 @@ int set_smack_rules_for_gdbserver(const char* apppath, int mode);
 void apply_app_process();
 void set_appuser_groups(void);
 int is_root_commands(const char *command);
+int apply_sdb_rules(const char* subject, const char* object, const char* access_type);
 
 #ifdef __cplusplus
 }