File readable check by ::fopen instead of ::access

To adjust CAP_DAC_READ_SEARCH capability for scanning app directory in
platform v3.0, we cannot use ::access. Because the capability isn't
giving permission to force out all of DAC checking, but it just bypass
to check it. So if it's checked explicitly by ::access, we cannot
bypass. So we use ::fopen with "rb" mode instead.

Change-Id: If9c79f28978ab95b607f4bffbb605f57b8b51fa9
Signed-off-by: Kyungwook Tak <k.tak@samsung.com>

diff --git a/src/framework/service/cs-logic.cpp b/src/framework/service/cs-logic.cpp
index 108b8d3..a15d6ad 100644 (file)
--- a/src/framework/service/cs-logic.cpp
+++ b/src/framework/service/cs-logic.cpp
@@ -26,13 +26,15 @@
 #include <cerrno>
 #include <unistd.h>
 
+#include <csr-error.h>
+
 #include "common/audit/logger.h"
 #include "common/exception.h"
 #include "service/type-converter.h"
 #include "service/core-usage.h"
 #include "service/dir-blacklist.h"
+#include "service/fs-utils.h"
 #include "ui/askuser.h"
-#include <csr-error.h>
 
 namespace Csr {
 
@@ -110,7 +112,7 @@ std::string canonicalizePath(const std::string &path, bool checkAccess)
        auto resolved = resolvePath(path);
        auto target = File::getPkgPath(resolved);
 
-       if (checkAccess && ::access(target.c_str(), R_OK) != 0) {
+       if (checkAccess && !isReadable(path)) {
                const int err = errno;
                if (err == ENOENT)
                        ThrowExc(CSR_ERROR_FILE_DO_NOT_EXIST, "File do not exist: " << target);
@@ -625,7 +627,7 @@ RawBuffer CsLogic::getDetectedList(const StrSet &_dirSet)
        Db::RowShPtrs rows;
        for (const auto &dir : dirSet) {
                for (auto &row : this->m_db->getDetectedByNameOnDir(dir)) {
-                       if (::access(row->targetName.c_str(), R_OK) != 0) {
+                       if (!isReadable(row->targetName)) {
                                WARN("Exclude not-accessable malware detected file from the list: " <<
                                         row->targetName);
                                this->m_db->deleteDetectedByNameOnPath(row->targetName);
@@ -670,7 +672,7 @@ RawBuffer CsLogic::getIgnoredList(const StrSet &_dirSet)
        Db::RowShPtrs rows;
        for (const auto &dir : dirSet) {
                for (auto &row : this->m_db->getDetectedByNameOnDir(dir)) {
-                       if (::access(row->targetName.c_str(), R_OK) != 0) {
+                       if (!isReadable(row->targetName)) {
                                WARN("Exclude not-accessable malware detected file from the list: " <<
                                         row->targetName);
                                this->m_db->deleteDetectedByNameOnPath(row->targetName);

diff --git a/src/framework/service/fs-utils.cpp b/src/framework/service/fs-utils.cpp
index ada4b08..aab708a 100644 (file)
--- a/src/framework/service/fs-utils.cpp
+++ b/src/framework/service/fs-utils.cpp
@@ -35,6 +35,18 @@
 
 namespace Csr {
 
+bool isReadable(const std::string &target)
+{
+       FILE *f = ::fopen(target.c_str(), "rb");
+
+       if (f == nullptr) {
+               return false;
+       } else {
+               ::fclose(f);
+               return true;
+       }
+}
+
 uid_t getUid(const std::string &username)
 {
        auto bufsize = ::sysconf(_SC_GETPW_R_SIZE_MAX);
@@ -76,10 +88,10 @@ std::unique_ptr<struct stat> getStat(const std::string &target)
        }
 
        // if no permission to read, return nullptr
-       if (::access(target.c_str(), R_OK) != 0)
-               return nullptr;
-       else
+       if (isReadable(target))
                return statptr;
+       else
+               return nullptr;
 }
 
 }

diff --git a/src/framework/service/fs-utils.h b/src/framework/service/fs-utils.h
index 629b1fa..570aec7 100644 (file)
--- a/src/framework/service/fs-utils.h
+++ b/src/framework/service/fs-utils.h
@@ -28,6 +28,8 @@
 
 namespace Csr {
 
+bool isReadable(const std::string &target);
+
 uid_t getUid(const std::string &username);
 
 std::unique_ptr<struct stat> getStat(const std::string &target);

diff --git a/test/engine/content-screening/sample-engine.cpp b/test/engine/content-screening/sample-engine.cpp
index c5e83d5..0964fa3 100644 (file)
--- a/test/engine/content-screening/sample-engine.cpp
+++ b/test/engine/content-screening/sample-engine.cpp
@@ -409,9 +409,6 @@ int csre_cs_scan_file(csre_cs_context_h handle,
        if (file_path == nullptr)
                return CSRE_ERROR_INVALID_PARAMETER;
 
-       if (::access(file_path, R_OK) != 0)
-               return CSRE_ERROR_FILE_NOT_FOUND;
-
        if (handle == nullptr)
                return CSRE_ERROR_INVALID_HANDLE;
 

diff --git a/test/internals/test-file-system.cpp b/test/internals/test-file-system.cpp
index 6baa676..0c22437 100644 (file)
--- a/test/internals/test-file-system.cpp
+++ b/test/internals/test-file-system.cpp
@@ -59,7 +59,7 @@ void __assertFile(const File &file, const std::string &path,
 
 void __createFile(const std::string &path)
 {
-       if (access(path.c_str(), R_OK | W_OK) == 0)
+       if (::access(path.c_str(), R_OK | W_OK) == 0)
                return; // already exist
 
        int fd = creat(path.c_str(), S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);