The permission checking logic can be simply changed to check the uid.
Change-Id: Ia12c6330b09ae0348961e346e67ceadf177c4ad3
Signed-off-by: Changgyu Choi <changyu.choi@samsung.com>
ADD_DEFINITIONS("-DTIZEN_FEATURE_SET_PERSONALITY_32")
ENDIF(_TIZEN_FEATURE_SET_PERSONALITY_32)
-IF(_TIZEN_FEATURE_SMACK_DISABLE)
-MESSAGE(STATUS "[SMACK] Disable")
-ADD_DEFINITIONS("-DTIZEN_FEATURE_SMACK_DISABLE")
-ELSE(_TIZEN_FEATURE_SMACK_DISABLE)
-MESSAGE(STATUS "[SMACK] Enable")
-ENDIF(_TIZEN_FEATURE_SMACK_DISABLE)
-
ADD_DEFINITIONS("-DSHARE_PREFIX=\"/usr/share/aul\"")
ADD_DEFINITIONS("-DLAUNCHPAD_LOG")
ADD_DEFINITIONS("-DPRELOAD_ACTIVATE")
%define tizen_feature_prelink 0
%endif
-%if "%{?dev_wos}" == "1"
-%define tizen_feature_smack_disable 1
-%else
-%define tizen_feature_smack_disable 0
-%endif
-
%global real_crate_name rust_lux
%global rustc_edition 2021
HW_LOADER_THREADS=8
%endif
-%if 0%{?tizen_feature_smack_disable}
-_TIZEN_FEATURE_SMACK_DISABLE=ON
-%endif
-
MAJORVER=`echo %{version} | awk 'BEGIN {FS="."}{print $1}'`
%cmake -DVERSION=%{version} \
-DMAJORVER=${MAJORVER} \
-D_TIZEN_FEATURE_SET_PERSONALITY_32:BOOL=${_TIZEN_FEATURE_SET_PERSONALITY_32} \
-D_TIZEN_FEATURE_PRELINK:BOOL=${_TIZEN_FEATURE_PRELINK} \
-D_TIZEN_FEATURE_LOADER_ARCH64:BOOL=${_TIZEN_FEATURE_LOADER_ARCH64} \
- -D_TIZEN_FEATURE_SMACK_DISABLE:BOOL=${_TIZEN_FEATURE_SMACK_DISABLE} \
.
%__make %{?_smp_mflags}
#include <string>
#include <peer_credentials.hh>
-#include <procfs.hh>
#include <sigchld_info.hh>
#include "launchpad-process-pool/log_private.hh"
constexpr const char HYDRA_SIGCHLD_SOCK[] = "@org.tizen.appfw.hydra-sigchld";
const int MAX_PENDING_CONNECTION = 128;
const int MAX_RECEIVE_BUFFER = 131071;
+const int REGULAR_UID_MIN = 5000;
-bool IsSmackDisabled() {
-#ifdef TIZEN_FEATURE_SMACK_DISABLE
- return true;
-#else
- return false;
-#endif // TIZEN_FEATURE_SMACK_DISABLE
-}
-
-int CheckPermission(pid_t pid) {
- if (IsSmackDisabled()) return 0;
-
- std::string attr = Procfs::GetAttrCurrent(pid);
- if (attr.empty()) return -1;
-
- if (attr.compare("User") == 0 || attr.compare("System") == 0 ||
- attr.compare("System::Privileged") == 0)
- return 0;
-
- _E("Permission denied. peer(%d:%s)", pid, attr.c_str());
- return -1;
+bool CheckPermission(uid_t uid) {
+ return uid < REGULAR_UID_MIN;
}
} // namespace
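Review bot: The new `CheckPermission` accepts every peer whose uid is below `REGULAR_UID_MIN`, which is a different trust boundary from the removed check: that one admitted only the SMACK labels `User`, `System` and `System::Privileged` and never looked at the uid. Any process running under a system uid now passes whatever its label, while a regular-uid peer that carried one of those labels is now refused; if hydra loaders run under a regular uid (not visible here), their SIGCHLD reports would be dropped. The intended caller set should be recorded above the function, e.g. `// Only system-uid peers (uid < REGULAR_UID_MIN) may report SIGCHLD; the SMACK label is no longer consulted.` The threshold also duplicates `kRegularUidMin` from the request-handling hunk further down and is a signed `int` compared against `uid_t`; `constexpr uid_t REGULAR_UID_MIN = 5000;` or a single shared constant would keep the two checks in step.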
auto peer_creds = PeerCredentials::Get(client_socket->GetFd());
if (!peer_creds) return;
- if (CheckPermission(peer_creds->GetPid()) != 0) return;
+ if (!CheckPermission(peer_creds->GetUid())) return;
size_t data_size = 0;
int ret = client_socket->Receive(&data_size, sizeof(data_size));
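Review bot: The rejection at `if (!CheckPermission(peer_creds->GetUid())) return;` is now silent, whereas the removed `CheckPermission` logged `Permission denied. peer(%d:%s)` before refusing. A connection dropped on this socket then leaves no trace for anyone investigating an unexpected peer. Logging before the `return` keeps that audit trail, for example `_E("Permission denied. peer uid(%u)", peer_creds->GetUid());`. The enclosing handler starts and ends outside this hunk.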
SECURE_LOGD("pkg_type: %s", app_info->GetPkgType().c_str());
}
-bool IsSmackDisabled() {
-#ifdef TIZEN_FEATURE_SMACK_DISABLE
- return true;
-#else
- return false;
-#endif // TIZEN_FEATURE_SMACK_DISABLE
-}
-
-int CheckCallerPermission(pid_t caller_pid) {
- if (IsSmackDisabled()) return 0;
-
- std::string attr_current = Procfs::GetAttrCurrent(caller_pid);
- if (attr_current.empty()) return -1;
-
- if (attr_current.compare("User") == 0 ||
- attr_current.compare("System") == 0 ||
- attr_current.compare("System::Privileged") == 0)
- return 0;
-
- return -1;
-}
-
int GetLoaderIdFromBundle(const tizen_base::Bundle& b) {
auto loader_id = b.GetString(kAulLoaderId);
if (loader_id.empty()) return -1;
auto request = std::make_shared<Request>(std::move(client_socket));
_W("cmd(%d), caller(%d)", request->GetCmd(), request->GetCallerPid());
if (request->GetCallerUid() >= kRegularUidMin) {
- if (CheckCallerPermission(request->GetCallerPid()) < 0) {
- _E("Permission denied. pid(%d)", request->GetCallerPid());
- request->SendResult(-EPERM);
- return;
- }
+ _E("Permission denied. pid(%d)", request->GetCallerPid());
+ request->SendResult(-EPERM);
+ return;
}
auto found = handlers_.find(request->GetCmd());
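Review bot: With the label check gone, the branch under `if (request->GetCallerUid() >= kRegularUidMin)` refuses every regular-uid caller, so the caller uid is now the only input to the authorization decision. That is sound only if `GetCallerUid()` returns the kernel-supplied peer credential of the socket rather than a field from the request payload; this hunk does not show which, so please confirm and state it in a comment such as `// Caller uid comes from the socket peer credentials; regular-uid callers are never allowed.` The denial log still prints only the pid, although the uid is what decided the outcome; `_E("Permission denied. pid(%d), uid(%u)", request->GetCallerPid(), request->GetCallerUid());` would make the record match the decision. Callers that previously passed with the `User` label under a regular uid now receive `-EPERM`, which should be called out in the commit description if it is intended.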
*mem_pss = total_pss;
}
-std::string Procfs::GetAttrCurrent(pid_t pid) {
- const std::string path = "/proc/" + std::to_string(pid) + "/attr/current";
- std::ifstream file(path);
- if (!file.is_open()) {
- _E("%s is not opened", path.c_str());
- return {};
- }
-
- std::stringstream buffer;
- buffer << file.rdbuf();
- file.close();
-
- const std::string result = buffer.str();
- if (result.empty()) {
- _E("file is empty");
- return {};
- }
-
- return result;
-}
-
void Procfs::SetComm(pid_t pid, const std::string& comm) {
const std::string path = "/proc/" + std::to_string(pid) + "/comm";
std::ofstream comm_file;