BuildRequires: pkgconfig(libsystemd-journal)
BuildRequires: pkgconfig(libxml-2.0)
BuildRequires: pkgconfig(capi-system-info)
+BuildRequires: pkgconfig(security-manager)
BuildRequires: boost-devel
Requires: libkey-manager-common = %{version}-%{release}
%{?systemd_requires}
capi-system-info
vconf
libxml-2.0
+ security-manager
)
FIND_PACKAGE(Threads REQUIRED)
SET(KEY_MANAGER_SOURCES
${KEY_MANAGER_PATH}/main/generic-socket-manager.cpp
${KEY_MANAGER_PATH}/main/socket-manager.cpp
+ ${KEY_MANAGER_PATH}/main/socket-2-id.cpp
${KEY_MANAGER_PATH}/main/key-manager-main.cpp
${KEY_MANAGER_PATH}/main/smack-check.cpp
${KEY_MANAGER_PATH}/main/thread-service.cpp
* @{
*/
+/*
+ * Note: on tizen 3.0 owner id is equal to pkgId.
+ * Preinstalled system(uid < 5000) and user (uid >= 5000) applications
+ * does not have any pkgId. Thats why ckm uses special "virtual"
+ * pkgid for them. The virtual strings are defined under:
+ * ckmc_ownerid_system
+ * ckmc_ownerid_user
+ *
+ */
+
/**
* @brief Separator between alias and label.
* @since_tizen 2.3
KEY_MANAGER_CAPI extern char const * const ckmc_label_name_separator;
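Review bot: The identifiers named in the new note, `ckmc_ownerid_system` and `ckmc_ownerid_user`, do not match the constant this header actually declares further down, `ckmc_owner_id_system`, and no `ckmc_owner_id_user` is visible anywhere in the diff. The comment should name the declared symbols (or drop the user variant if it does not exist yet) so readers do not search for a constant that is not there. `Thats` should read `That's`, and `applications does not have` should be `applications do not have` since the subject is plural.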
/**
+ * This is deprecated: Tizen 3.0 does not use smack labels directly.
+ * You should use pkgId instead.
+ *
* @brief Shared owner label
* @since_tizen 3.0
* @remarks Shared database label - user may be given permission to access shared
KEY_MANAGER_CAPI extern char const * const ckmc_label_shared_owner;
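Review bot: The deprecation text on `ckmc_label_shared_owner` says to use pkgId instead but never names the replacement symbol, although the .cpp hunk below defines it as an alias of the same `CKM::OWNER_ID_SYSTEM` as `ckmc_owner_id_system`; use the header's Doxygen style and point at the replacement, e.g. `* @deprecated Since Tizen 3.0 use ckmc_owner_id_system instead.`. It is also worth stating in the same comment that the constant's value changed from `"/"` to `"/System"`, since any caller that compared against the old literal rather than the symbol would silently stop matching.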
/**
+ * alias can be provided as an alias alone, or together with owner id - in this
+ * case, separator " " (space bar) is used to separate id and alias.
+ * @see key-manager_doc.h
+ */
+KEY_MANAGER_CAPI extern char const * const ckmc_owner_id_separator;
+
+/**
+ * ckmc_owner_id_system constains id connected with all SYSTEM applications that runs
+ * with uid less then 5000.
+ *
+ * Client should use ckmc_owner_id_system to access data owned by system application
+ * and stored in system database.
+ *
+ * Note: Client must have permission to access proper row.
+ */
+KEY_MANAGER_CAPI extern char const * const ckmc_owner_id_system;
+
+/**
* @brief Enumeration for key types of key manager.
* @since_tizen 2.3
*/
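Review bot: The new `ckmc_owner_id_separator` and `ckmc_owner_id_system` blocks lack the `@brief` and `@since_tizen` tags that every neighbouring declaration in this header carries, so they will render inconsistently in the generated API reference; add `* @brief Separator between owner id and alias.` / `* @since_tizen 3.0` to the first and `* @brief Owner id shared by system applications (uid < 5000).` / `* @since_tizen 3.0` to the second. Typos in the same comments: `constains` → `contains`, `less then` → `less than`, `applications that runs` → `applications that run`.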
const char * const ckmc_label_name_separator = CKM::LABEL_NAME_SEPARATOR;
-const char * const ckmc_label_shared_owner = CKM::LABEL_SYSTEM_DB;
+const char * const ckmc_label_shared_owner = CKM::OWNER_ID_SYSTEM;
+const char * const ckmc_owner_id_separator = CKM::LABEL_NAME_SEPARATOR;
+const char * const ckmc_owner_id_system = CKM::OWNER_ID_SYSTEM;
KEY_MANAGER_CAPI
int ckmc_key_new(unsigned char *raw_key, size_t key_size, ckmc_key_type_e key_type, char *password, ckmc_key_s **ppkey)
char const * const SERVICE_SOCKET_OCSP = "/tmp/.central-key-manager-api-ocsp.sock";
char const * const SERVICE_SOCKET_ENCRYPTION = "/tmp/.central-key-manager-api-encryption.sock";
char const * const LABEL_NAME_SEPARATOR = " ";
-char const * const LABEL_SYSTEM_DB = "/";
-
+char const * const OWNER_ID_SYSTEM = "/System";
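Review bot: `OWNER_ID_SYSTEM` is now `"/System"`, and the new socket-2-id.cpp builds the owner id of every peer whose Smack label does not start with `User::App::` as `"/" + smack`, so a peer labelled `System` becomes the system owner purely through this string coincidence, and nothing documents that the two must agree. Add a comment here such as `// Must equal "/" + <Smack label of system services>; socket-2-id.cpp derives owner ids for non-app peers exactly that way.` so the values cannot drift apart silently. The leading slash also appears to be what keeps these derived ids from colliding with pkgIds returned by security-manager, which are used unprefixed; if that is the intent, it deserves a sentence in the same comment.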
PKCS12Serializable::PKCS12Serializable() {}
PKCS12Serializable::PKCS12Serializable(const PKCS12 &pkcs)
// (client side) Alias = (service side) Label::Name
COMMON_API extern char const * const LABEL_NAME_SEPARATOR;
-COMMON_API extern char const * const LABEL_SYSTEM_DB;
+COMMON_API extern char const * const OWNER_ID_SYSTEM;
+
typedef std::string Name;
typedef std::vector<std::pair<Label, Name> > LabelNameVector;
// save data
Policy policy(m_password, m_exportable);
int ec = m_db_logic.verifyAndSaveDataHelper(
- Credentials(CKMLogic::SYSTEM_DB_UID, LABEL_SYSTEM_DB),
+ Credentials(CKMLogic::SYSTEM_DB_UID, OWNER_ID_SYSTEM),
m_name,
- LABEL_SYSTEM_DB,
+ OWNER_ID_SYSTEM,
m_bufferHandler->getData(),
getDataType(),
PolicySerializable(policy));
for(const auto & permission : m_permissions)
{
ec = m_db_logic.setPermissionHelper(
- Credentials(CKMLogic::SYSTEM_DB_UID, LABEL_SYSTEM_DB),
+ Credentials(CKMLogic::SYSTEM_DB_UID, OWNER_ID_SYSTEM),
m_name,
- LABEL_SYSTEM_DB,
+ OWNER_ID_SYSTEM,
permission->getAccessor(),
Permission::READ);
if(CKM_API_SUCCESS != ec)
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file socket-2-id.cpp
+ * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
+ * @version 1.0
+ */
+#include <sys/smack.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <security-manager.h>
+
+#include <dpl/log/log.h>
+#include <protocols.h>
+#include <socket-2-id.h>
+
+namespace CKM {
+namespace {
+
+int getCredentialsFromSocket(int sock, std::string &res) {
+ std::vector<char> result(1);
+ socklen_t length = 1;
+
+ if ((0 > getsockopt(sock, SOL_SOCKET, SO_PEERSEC, result.data(), &length))
+ && errno != ERANGE)
+ {
+ LogError("getsockopt failed");
+ return -1;
+ }
+
+ result.resize(length);
+
+ if (0 > getsockopt(sock, SOL_SOCKET, SO_PEERSEC, result.data(), &length)) {
+ LogError("getsockopt failed");
+ return -1;
+ }
+
+ result.push_back('\0');
+ res = result.data();
+ return 0;
+}
+
+int getPkgIdFromSmack(const std::string &smack, std::string &pkgId) {
+ // TODO
+ // Conversion from smack label to pkgId should be done
+ // by security-manager. Current version of security-manager
+ // does not support this feature yet.
+
+ static const std::string SMACK_PREFIX_APPID = "User::App::";
+
+ if (smack.empty()) {
+ LogError("Smack is empty. Connection will be rejected");
+ return -1;
+ }
+
+ if (smack.compare(0, SMACK_PREFIX_APPID.size(), SMACK_PREFIX_APPID)) {
+ pkgId = "/" + smack;
+ LogDebug("Smack: " << smack << " Was translated to owner id: " << pkgId);
+ return 0;
+ }
+
+ std::string appId = smack.substr(SMACK_PREFIX_APPID.size(), std::string::npos);
+
+ char *pkg = nullptr;
+
+ if (0 > security_manager_get_app_pkgid(&pkg, appId.c_str())) {
+ LogError("Error in security_manager_get_app_pkgid");
+ return -1;
+ }
+
+ if (!pkg) {
+ LogError("PkgId could not be NULL");
+ return -1;
+ }
+
+ pkgId = pkg;
+ free(pkg);
+ LogDebug("Smack: " << smack << " Was translated to owner id: " << pkgId);
+ return 0;
+}
+
+} // namespace anonymous
+
+
+int Socket2Id::translate(int sock, std::string &result) {
+ std::string smack;
+
+ if (0 > getCredentialsFromSocket(sock, smack)) {
+ return -1;
+ }
+
+ StringMap::iterator it = m_stringMap.find(smack);
+
+ if (it != m_stringMap.end()) {
+ result = it->second;
+ return 0;
+ }
+
+ std::string pkgId;
+ if (0 > getPkgIdFromSmack(smack, pkgId)) {
+ return -1;
+ }
+
+ result = pkgId;
+ m_stringMap.emplace(std::move(smack), std::move(pkgId));
+ return 0;
+}
+
+void Socket2Id::resetCache() {
+ m_stringMap.clear();
+}
+
+} // namespace CKM
+
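Review bot: In `getPkgIdFromSmack`, `security_manager_get_app_pkgid` is treated as failed only when it returns a negative value, but security-manager reports status through `lib_retcode`, where success is `SECURITY_MANAGER_SUCCESS` and the error codes are not guaranteed to be negative; a positive error code would skip the error branch and rely on the `!pkg` guard and on the library leaving `pkg` untouched. Compare against the enum instead: `if (SECURITY_MANAGER_SUCCESS != security_manager_get_app_pkgid(&pkg, appId.c_str())) {`. The file also uses `errno`, `free`, `std::string` and `std::vector` without including `<cerrno>`, `<cstdlib>`, `<string>` or `<vector>`, relying on transitive includes from protocols.h, while `<sys/smack.h>` appears unused since no `smack_*` function is called. Finally, `Socket2Id::translate` caches each Smack→owner-id mapping indefinitely with no size bound and nothing in this diff calls `resetCache`, so a pkgId looked up before an app is reinstalled under a different package could keep being attributed to the old owner; a comment should state who is responsible for invalidating the cache and when.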
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file socket-2-id.h
+ * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
+ * @version 1.0
+ */
+#pragma once
+
+#include <map>
+#include <string>
+
+namespace CKM {
+
+class Socket2Id {
+public:
+ Socket2Id() {}
+
+ int translate(int sock, std::string &result);
+ void resetCache();
+
+ virtual ~Socket2Id() {}
+private:
+ typedef std::map<std::string, std::string> StringMap;
+ StringMap m_stringMap;
+};
+
+} // namespace CKM
+
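Review bot: `Socket2Id::translate` and `resetCache` are undocumented even though the string `translate` produces is what the service then uses as the peer's owner id for access control; add a comment stating the contract, e.g. `/// Maps the peer of @p sock to its owner id and stores it in @p result; returns 0 on success, -1 on failure. Results are cached per Smack label until resetCache() is called.`. The class declares a virtual destructor but no other virtual member and is not used polymorphically anywhere in this diff, so either drop `virtual` or document why subclassing is anticipated. Stylistically, `typedef` could be `using StringMap = std::map<std::string, std::string>;` and the empty user-provided constructor can be `= default` or omitted.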
/*
- * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im <bj.im@samsung.com>
+ * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
#include <smack-check.h>
#include <socket-manager.h>
+#include <socket-2-id.h>
namespace {
const time_t SOCKET_TIMEOUT = 1000;
int getCredentialsFromSocket(int sock, CKM::Credentials &cred) {
- std::vector<char> result(1);
- socklen_t length = 1;
- ucred peerCred;
-
- if ((0 > getsockopt(sock, SOL_SOCKET, SO_PEERSEC, result.data(), &length))
- && errno != ERANGE)
- {
- LogError("getsockopt failed");
- return -1;
- }
-
- result.resize(length);
+ static CKM::Socket2Id sock2id;
+ std::string ownerId;
- if (0 > getsockopt(sock, SOL_SOCKET, SO_PEERSEC, result.data(), &length)) {
- LogError("getsockopt failed");
+ if (0 > sock2id.translate(sock, ownerId)) {
return -1;
}
- length = sizeof(ucred);
+ ucred peerCred;
+ socklen_t length = sizeof(ucred);
if (0 > getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &peerCred, &length)) {
LogError("getsockopt failed");
return -1;
}
- result.push_back('\0');
- cred = CKM::Credentials(peerCred.uid, result.data());
+ cred = CKM::Credentials(peerCred.uid, std::move(ownerId));
return 0;
}
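Review bot: `static CKM::Socket2Id sock2id;` turns the translation cache into a process-wide singleton that is mutated on every new connection, and `Socket2Id` has no internal locking; if `getCredentialsFromSocket` can run on more than one thread (the build adds a thread-service.cpp), the `std::map` insert inside `translate` is a data race. Either add a comment stating that this function is only ever called from the socket-manager thread, or protect the static with a mutex. Nothing in this diff ever calls `resetCache()` on this instance, so translations stay cached for the daemon's lifetime; that should be a deliberate, documented choice. The translated owner id is passed into `CKM::Credentials` while the other hunks still read it as `cred.smackLabel`; if that member is what the second constructor argument populates, the name is now misleading and deserves a rename or at least a comment.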
if (0 == m_userDataMap.count(cred.clientUid))
ThrowErr(Exc::DatabaseLocked, "database with UID: ", cred.clientUid, " locked");
- if (0 != incoming_label.compare(LABEL_SYSTEM_DB))
+ if (0 != incoming_label.compare(OWNER_ID_SYSTEM))
return m_userDataMap[cred.clientUid];
}
{
// lookup system DB
retCode = getDataListHelper(Credentials(SYSTEM_DB_UID,
- LABEL_SYSTEM_DB),
+ OWNER_ID_SYSTEM),
dataType,
systemVector);
}
// use client label if not explicitly provided
const Label &ownerLabel = label.empty() ? cred.smackLabel : label;
- if( m_accessControl.isSystemService(cred) && ownerLabel.compare(LABEL_SYSTEM_DB)!=0)
+ if( m_accessControl.isSystemService(cred) && ownerLabel.compare(OWNER_ID_SYSTEM)!=0)
return CKM_API_ERROR_INPUT_PARAM;
// check if save is possible
// use client label if not explicitly provided
const Label &ownerLabel = label.empty() ? cred.smackLabel : label;
- if( m_accessControl.isSystemService(cred) && ownerLabel.compare(LABEL_SYSTEM_DB)!=0)
+ if( m_accessControl.isSystemService(cred) && ownerLabel.compare(OWNER_ID_SYSTEM)!=0)
return CKM_API_ERROR_INPUT_PARAM;
// check if save is possible
return CKM_API_ERROR_INPUT_PARAM;
// system database does not support write/remove permissions
- if ((0 == ownerLabel.compare(LABEL_SYSTEM_DB)) &&
+ if ((0 == ownerLabel.compare(OWNER_ID_SYSTEM)) &&
(permissionMask & Permission::REMOVE))
return CKM_API_ERROR_INPUT_PARAM;