Add socket API for getting a list of sensitive directories 44/112244/7
authorKrzysztof Jackiewicz <k.jackiewicz@samsung.com>
Mon, 30 Jan 2017 13:06:42 +0000 (14:06 +0100)
committerKrzysztof Jackiewicz <k.jackiewicz@samsung.com>
Wed, 1 Mar 2017 09:41:53 +0000 (10:41 +0100)
The new socket command is accessible only to processes carrying the 'User' Smack label.

Change-Id: If07a28e7382a14dcce3a33c905e489b0422203d9

src/common/include/protocols.h
src/common/include/service_impl.h
src/common/service_impl.cpp
src/server/service/include/service.h
src/server/service/service.cpp

index fcf13141235dfbe9093b184cabd785102f04725b..e003152c1aae583cc9766df27c612d74e09e6176 100644 (file)
@@ -88,6 +88,7 @@ enum class SecurityModuleCall
     GROUPS_FOR_UID,
     LABEL_FOR_PROCESS,
     SHM_APP_NAME,
+    PATHS_GET_SENSITIVE,
     NOOP = 0x90,
 };
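Review bot: PATHS_GET_SENSITIVE is an implicitly numbered wire-protocol value, so it must stay appended after SHM_APP_NAME and before the explicit NOOP = 0x90 to avoid renumbering existing commands; a short comment on the enum line would make that constraint explicit for the next addition, e.g. `PATHS_GET_SENSITIVE, // append only: values are part of the socket protocol`. The diffstat lists no client-side file, so the caller of this command presumably lands in a separate change. The enum's opening line is outside this hunk.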
 
index aeeb1693420e0a6a36e4967b4c0ea3576e024c76..00338a2b58f301355f00a2d104d48385b7301960 100644 (file)
@@ -248,6 +248,19 @@ public:
     int shmAppName(const Credentials &creds,
                    const std::string &shmName,
                    const std::string &appName);
+
+    /*
+     * Retrieve a list of sensitive directories for given package
+     *
+     * @param[in] creds credentials of the requesting process
+     * @param[in] pkgName package identifier
+     * @param[out] paths vector of paths to sensitive directories
+     *
+     * @return API return code, as defined in protocols.h
+     */
+    int getSensitiveDirs(const Credentials &creds,
+                         const std::string &pkgName,
+                         std::vector<std::string> &paths);
 private:
     bool authenticate(const Credentials &creds, const std::string &privilege);
 
index 103d7b8ef127d4b6d7da87fb284a93735a7c431b..7e8e9ec0cfb486f2cebc54964aef9a91f7562912 100644 (file)
@@ -1722,4 +1722,41 @@ int ServiceImpl::shmAppName(const Credentials &creds, const std::string &shmName
     return SECURITY_MANAGER_SUCCESS;
 }
 
+int ServiceImpl::getSensitiveDirs(const Credentials &creds,
+                                  const std::string &pkgName,
+                                  std::vector<std::string> &paths)
+{
+    try {
+        // TODO: Ask cynara for permission (User label -> read sensitive paths)
+        if (creds.label != "User") {
+            LogError("Request from uid=" << creds.uid << ", Smack=" << creds.label <<
+                            " for list of sensitive directories denied");
+            return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
+        }
+
+        ScopedTransaction trans(m_priviligeDb);
+
+        if(!m_priviligeDb.PkgNameExists(pkgName)) {
+            LogError("Package " << pkgName << " does not exist");
+            return SECURITY_MANAGER_ERROR_INPUT_PARAM;
+        }
+
+        m_priviligeDb.GetSensitiveDirs(pkgName, creds.uid, paths);
+
+        return SECURITY_MANAGER_SUCCESS;
+    } catch (const PrivilegeDb::Exception::Base &e) {
+        LogError("Error while querying db for sensitive directories: " << e.DumpToString());
+        return SECURITY_MANAGER_ERROR_SERVER_ERROR;
+    } catch (const std::bad_alloc &e) {
+        LogError("Memory allocation failed: " << e.what());
+        return SECURITY_MANAGER_ERROR_MEMORY;
+    } catch (const std::exception &e) {
+        LogError("Some exception thrown: " << e.what());
+        return SECURITY_MANAGER_ERROR_UNKNOWN;
+    } catch (...) {
+        LogError("Unknown exception thrown");
+        return SECURITY_MANAGER_ERROR_UNKNOWN;
+    }
+}
+
 } /* namespace SecurityManager */
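Review bot: The authorization decision at the top of getSensitiveDirs is a hard-coded string comparison against "User" rather than a call through the existing authenticate(creds, privilege) path, so the policy for this command lives in code instead of in the Cynara database like the other calls; the TODO acknowledges this, but until it is resolved the literal should at least be a named constant so it is not silently out of sync with whatever else compares Smack labels. Separately, paths is handed to m_priviligeDb.GetSensitiveDirs without being cleared first; if that helper appends rather than assigns (not visible here), a caller that reuses the vector receives stale entries, so a defensive `paths.clear();` before the query is cheap. A denied request is logged at error level although it is an expected outcome for any non-'User' caller, which may be noisy; consider a warning.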
index 90c8ed8d93bd596c1e55b71ba580eb828ce7e141..c265e1b25d3154be6e34dc296ddd277dbdec6327 100644 (file)
@@ -202,6 +202,15 @@ private:
      * @param  creds  credentials of the requesting process
      */
     void processShmAppName(MessageBuffer &recv, MessageBuffer &send, const Credentials &creds);
+
+    /**
+     * Process get sensitive dirs request
+     *
+     * @param  recv   Raw received data buffer
+     * @param  send   Raw data buffer to be sent
+     * @param  creds  credentials of the requesting process
+     */
+    void processGetSensitiveDirs(MessageBuffer &recv, MessageBuffer &send, const Credentials &creds);
 };
 
 } // namespace SecurityManager
index fe4f865b99c5b190c424fe918ecd5d8e0d9fa548..232a830b1cd721ae12f4979ebf3b9798d5cb7bdc 100644 (file)
@@ -150,6 +150,9 @@ bool Service::processOne(const ConnectionID &conn, MessageBuffer &buffer,
                 case SecurityModuleCall::SHM_APP_NAME:
                     processShmAppName(buffer, send, creds);
                     break;
+                case SecurityModuleCall::PATHS_GET_SENSITIVE:
+                    processGetSensitiveDirs(buffer, send, creds);
+                    break;
                 default:
                     LogError("Invalid call: " << call_type_int);
                     Throw(ServiceException::InvalidAction);
@@ -418,4 +421,15 @@ void Service::processShmAppName(MessageBuffer &recv, MessageBuffer &send, const
     Serialization::Serialize(send, ret);
 }
 
+void Service::processGetSensitiveDirs(MessageBuffer &recv, MessageBuffer &send, const Credentials &creds)
+{
+    std::string appName;
+    Deserialization::Deserialize(recv, appName);
+    std::vector<std::string> paths;
+    int ret = serviceImpl.getSensitiveDirs(creds, appName, paths);
+    Serialization::Serialize(send, ret);
+    if (ret == SECURITY_MANAGER_SUCCESS)
+        Serialization::Serialize(send, paths);
+}
+
 } // namespace SecurityManager
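Review bot: The request payload in processGetSensitiveDirs is deserialized into a local named appName but passed as the pkgName argument of getSensitiveDirs, which is validated with PkgNameExists, so the wire contract is ambiguous to anyone writing the client side from this handler. Rename the local to match the implementation: `std::string pkgName;`, `Deserialization::Deserialize(recv, pkgName);`, `int ret = serviceImpl.getSensitiveDirs(creds, pkgName, paths);`. Serializing only ret on failure is consistent with processShmAppName above, so the client must read the status before expecting a vector.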