Implemet data control solution for OSP apps.
authorBartlomiej Grzelewski <b.grzelewski@samsung.com>
Tue, 9 Apr 2013 16:03:52 +0000 (18:03 +0200)
committerBartlomiej Grzelewski <b.grzelewski@samsung.com>
Thu, 6 Feb 2014 15:52:29 +0000 (16:52 +0100)
[Issue#]   SSDWSSP-177
[Bug]      N/A
[Cause]    OSP applications need to share memory.
[Solution] Add cross rules between OSP applications.

[Verification] Build.

Change-Id: I5085e5f0130ff687aaa142006837110077ba00be

src/client/security-server-client.c
src/include/security-server-comm.h
src/include/security-server.h
src/server/security-server-main.c

index 6550946..6542057 100644 (file)
@@ -1161,75 +1161,3 @@ out:
     return convert_to_public_error_code(retval);
 }
 
-SECURITY_SERVER_API
-int security_server_check_privilege_by_pid(int pid, const char *object, const char *access_rights)
-{
-    //This function check SMACK privilege betwen subject and object.
-    //Subject is identified by PID number, object is function parameter.
-
-    int sockfd = -1;
-    int retval;
-    response_header hdr;
-
-    //check for input PID param
-    if (pid < 0) {
-        retval = SECURITY_SERVER_ERROR_INPUT_PARAM;
-        goto error;
-    }
-
-    SEC_SVR_DBG("%s","Check privilige by PID called");
-    SEC_SVR_DBG("%s %d","PID", pid);
-    SEC_SVR_DBG("%s %s", "OBJECT:", object);
-    SEC_SVR_DBG("%s %s", "ACCESS_RIGHTS", access_rights);
-
-    //check if able to connect
-    retval = connect_to_server(&sockfd);
-    if (retval != SECURITY_SERVER_SUCCESS)
-        goto error;
-
-    //send request
-    retval = send_pid_privilege_request(sockfd, pid, object, access_rights);
-    if (retval != SECURITY_SERVER_SUCCESS) {
-        /* Error on socket */
-        SEC_SVR_DBG("Client: Send failed: %d", retval);
-        goto error;
-    }
-
-    //get response
-    retval = recv_pid_privilege_response(sockfd, &hdr);
-
-    //convert error code
-    retval = return_code_to_error_code(hdr.return_code);
-
-    //check if frame has correct MSG_ID
-    if (hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE) {
-        if (hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE) {
-            /* There must be some error */
-            SEC_SVR_DBG("Client: Error has been received. return code:%d", hdr.return_code);
-        }
-        else {
-            /* Something wrong with response */
-            SEC_SVR_DBG("Client ERROR: Unexpected error occurred:%d", retval);
-            retval = SECURITY_SERVER_ERROR_BAD_RESPONSE;
-        }
-        goto error;
-    }
-
-    //debug info about checking result
-    
-    if (hdr.return_code == SECURITY_SERVER_RETURN_CODE_SUCCESS) {
-        SEC_SVR_DBG("%s","Client: There is privilege match");
-        retval = SECURITY_SERVER_SUCCESS;
-    } else {
-        SEC_SVR_DBG("%s","Client: There is no privilege match");
-        retval = SECURITY_SERVER_ERROR_ACCESS_DENIED;
-    }
-
-error:
-    if(sockfd > 0)
-        close(sockfd);
-
-    retval = convert_to_public_error_code(retval);
-    return retval;
-}
-
index e30303e..873a4fe 100644 (file)
@@ -71,8 +71,6 @@ typedef struct
 #define SECURITY_SERVER_MSG_TYPE_SMACK_RESPONSE        0x1e
 #define SECURITY_SERVER_MSG_TYPE_APP_GIVE_ACCESS_REQUEST 0x1f
 #define SECURITY_SERVER_MSG_TYPE_APP_GIVE_ACCESS_RESPONSE 0x20
-#define SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_REQUEST    0x21
-#define SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE   0x22
 #define SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE      0xff
 
 /* Return code */
index 6e960ca..bff9a68 100644 (file)
@@ -1019,20 +1019,6 @@ char * security_server_get_smacklabel_sockfd(int fd);
  * */
 int security_server_app_give_access(const char* customer_label, int customer_pid);
 
-/*
- * This function allows middleware to check priviliges of process with specified PID.
- * Service is able to check proces acces to the specified object label with specified
- * access rights.
- * 
- * \param[in] PID number of process to be checked
- * \param[in] SMACK object label
- * \param[in] SMACK access rights to be checked
- *
- * \return Privilege confirm or error code
- * SECURITY_SERVER_SUCCESS - on succes
- */
-int security_server_check_privilege_by_pid(int pid, const char *object, const char *access_rights);
-
 #ifdef __cplusplus
 }
 #endif
index 7010370..8c72744 100644 (file)
@@ -38,6 +38,7 @@
 #include <poll.h>
 
 #include <privilege-control.h>
+
 #include <security-server-system-observer.h>
 #include <security-server-rules-revoker.h>
 
@@ -61,7 +62,7 @@ struct security_server_thread_param {
 
 int process_app_get_access_request(int sockfd, size_t msg_len);
 static int netlink_enabled = 1; /* prevent memory leaks when netlink is disabled */
-static system_observer_config so_config;
+
 
 /************************************************************************************************/
 /* Just for test. This code must be removed on release */
@@ -1247,16 +1248,8 @@ void *security_server_thread(void *param)
             break;
 
         case SECURITY_SERVER_MSG_TYPE_APP_GIVE_ACCESS_REQUEST:
-            if (client_has_access(client_sockfd, LABEL_SECURITY_SERVER_API_DATA_SHARE)) {
-                SEC_SVR_DBG("%s", "Server: app give access request received");
-                process_app_get_access_request(client_sockfd,
-                    basic_hdr.msg_len - sizeof(basic_hdr));
-            } else {
-                SEC_SVR_DBG("%s", "Server: app give access request received (API DENIED - request will not proceed)");
-                send_generic_response(client_sockfd,
-                    SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE,
-                    SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED);
-            }
+            SEC_SVR_DBG("%s", "Server: app give access requset received");
+            process_app_get_access_request(client_sockfd, basic_hdr.msg_len - sizeof(basic_hdr));
             break;
 /************************************************************************************************/
 /* Just for test. This code must be removed on release */
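Review bot: The `SECURITY_SERVER_MSG_TYPE_APP_GIVE_ACCESS_REQUEST` case now calls `process_app_get_access_request()` for every connected client, because the `client_has_access(client_sockfd, LABEL_SECURITY_SERVER_API_DATA_SHARE)` gate is gone and nothing visible in this hunk replaces it. The commit message does not say the API is meant to be open to all callers. Either keep the gate and its `SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED` reply, or add a comment here stating where the caller is authorised instead (presumably inside `app_give_access`, which is not shown). The new debug string also misspells "request" as "requset". The enclosing switch in `security_server_thread` continues outside the hunk.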
@@ -1470,13 +1463,10 @@ int process_app_get_access_request(int sockfd, size_t msg_len)
     char *message_buffer = NULL;
     char *client_label = NULL;
     char *provider_label = NULL;
-    struct smack_accesses *smack = NULL;
     int ret = SECURITY_SERVER_ERROR_SERVER_ERROR;
     int send_message_id = SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE;
     int send_error_id = SECURITY_SERVER_RETURN_CODE_SERVER_ERROR;
     int client_pid = 0;
-    static const char * const revoke = "-----";
-    const char *permissions = "rwxat";
 
     message_buffer = malloc(msg_len+1);
     if (!message_buffer)
@@ -1492,39 +1482,30 @@ int process_app_get_access_request(int sockfd, size_t msg_len)
         goto error;
     }
 
-    // Currently we don't use client_pid
     memcpy(&client_pid, message_buffer, sizeof(int));
     client_label = message_buffer + sizeof(int);
 
-    if (smack_check()) {
-        if (0 != smack_new_label_from_socket(sockfd, &provider_label)) {
-            SEC_SVR_DBG("%s", "Error in smack_new_label_from_socket");
-            goto error;
-        }
-
-        if (!util_smack_label_is_valid(client_label)) {
-            send_error_id = SECURITY_SERVER_RETURN_CODE_BAD_REQUEST;
-            goto error;
-        }
-
-        if (smack_accesses_new(&smack))
-            goto error;
-
-        if (smack_accesses_add_modify(smack, client_label,
-                    provider_label, permissions, revoke))
-            goto error;
-
-        if (smack_accesses_apply(smack)){
-            send_message_id = SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED;
-            goto error;
-        }
+    if (0 != smack_new_label_from_socket(sockfd, &provider_label)) {
+        SEC_SVR_DBG("%s", "Error in smack_new_label_from_socket");
+        goto error;
+    }
 
+    if (PC_OPERATION_SUCCESS != app_give_access(client_label, provider_label, "rwxat")) {
+        SEC_SVR_DBG("%s", "Error in app_give_access");
+        goto error;
     }
 
     ret = SECURITY_SERVER_SUCCESS;
     send_message_id = SECURITY_SERVER_MSG_TYPE_APP_GIVE_ACCESS_RESPONSE;
     send_error_id = SECURITY_SERVER_RETURN_CODE_SUCCESS;
 
+    if (!netlink_enabled) {
+        SEC_SVR_DBG("Netlink not supported: Garbage collector inactive.");
+        goto error;
+    }
+
+    if (0 != rules_revoker_add(client_pid, client_label, provider_label))
+        SEC_SVR_DBG("%s", "Error in rules_revoker_add.");
 
 error:
     retval = send_generic_response(sockfd, send_message_id, send_error_id);
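Review bot: `client_label` and `client_pid` are copied straight out of the received message and now reach `app_give_access()` and `rules_revoker_add()` unvalidated, since the `util_smack_label_is_valid(client_label)` check and its `SECURITY_SERVER_RETURN_CODE_BAD_REQUEST` reply were dropped. Unless `app_give_access` validates the label itself (not visible here), restore `if (!util_smack_label_is_valid(client_label)) { send_error_id = SECURITY_SERVER_RETURN_CODE_BAD_REQUEST; goto error; }` before the call. The rule also stays in place with a success reply when `netlink_enabled` is 0 or `rules_revoker_add()` fails, so a granted `rwxat` rule may never be revoked, and the revocation is keyed on a pid the caller chose. That deserves at least a comment saying it is intended; the success path jumping to a label named `error` is also easy to misread. The function starts and ends outside the hunk.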
@@ -1533,7 +1514,6 @@ error:
 
     free(message_buffer);
     free(provider_label);
-    smack_accesses_free(smack);
     return ret;
 }
 
@@ -1549,23 +1529,18 @@ int main(int argc, char* argv[])
 {
     int res;
     pthread_t main_thread;
+    pthread_t system_observer;
 
     (void)argc;
     (void)argv;
 
-    // create observer thread only if smack is enabled
-    if (smack_check()) {
-        pthread_t system_observer;
-        so_config.event_callback = rules_revoker_callback;
+    system_observer_config so_config;
+    so_config.event_callback = rules_revoker_callback;
 
-        res = pthread_create(&system_observer, NULL, system_observer_main_thread, (void*)&so_config);
+    res = pthread_create(&system_observer, NULL, system_observer_main_thread, (void*)&so_config);
 
-        if (res != 0)
-            return -1;
-    }
-    else {
-        SEC_SVR_DBG("SMACK is not available. Observer thread disabled.");
-    }
+    if (res != 0)
+        return -1;
 
     res = pthread_create(&main_thread, NULL, security_server_main_thread, NULL);
     if (res == 0)
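Review bot: `so_config` is now an automatic variable in `main` with only `event_callback` assigned, so any other member of `system_observer_config` is indeterminate when `system_observer_main_thread` reads it, whereas the removed file-scope `static` was zero-initialised. The struct definition is not visible here; if it has more than one member, declare it as `system_observer_config so_config = {0};` or keep it `static`. Its address is handed to the observer thread, so it must outlive that thread, which holds only while `main` does not return; a one-line comment saying so would help. The observer thread is also started when SMACK is unavailable, now that the `smack_check()` guard is removed. `main` continues past the end of the hunk.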