Set LibTEEC shm file group to the TEE group 74/174874/6 tizen_4.0
authorIgor Kotrasinski <i.kotrasinsk@partner.samsung.com>
Fri, 16 Mar 2018 10:16:57 +0000 (11:16 +0100)
committerIgor Kotrasinski <i.kotrasinsk@partner.samsung.com>
Thu, 24 May 2018 09:41:28 +0000 (11:41 +0200)
Change-Id: Ic7ff46edb8662e955aa032c0a3a9d96fc88eca82
Signed-off-by: Igor Kotrasinski <i.kotrasinsk@partner.samsung.com>
CMakeLists.txt
TEECLib/src/teec_api.c
packaging/tef-simulator.spec
systemd/tef-simulator.service.in

index d0f1ceb1d40344ce2858aab66b8acd72a4e2c5db..28dde03987d76aa551e9817d0765f10c16ed7aa9 100644 (file)
@@ -50,6 +50,11 @@ ADD_DEFINITIONS("-Werror")                      # Make all warnings into errors.
 
 ADD_DEFINITIONS("-D_ARCH_=${ARCH}")
 
+IF (NOT DEFINED TEE_USER_GROUP_NAME)
+    SET(TEE_USER_GROUP_NAME "priv_tee_client")
+ENDIF (NOT DEFINED TEE_USER_GROUP_NAME)
+ADD_DEFINITIONS(-DTEE_USER_GROUP_NAME="${TEE_USER_GROUP_NAME}")
+
 # Enable tizen-specific preprocessor defines
 IF(DEFINED TIZEN)
     ADD_DEFINITIONS("-D__TIZEN__")
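Review bot: The new `TEE_USER_GROUP_NAME` default has no comment saying what the group is for, although its membership becomes an access boundary: TEECLib/src/teec_api.c in this commit sets every shm file to mode 0660 and hands it to this group. I would add above the `IF` a line such as `# Group that owns libteec shared-memory files (mode 0660); its members get read/write access to them.` The same default is repeated in packaging/tef-simulator.spec, so the comment should also say that the two values must stay in sync.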
index 4d988d1bbe8afb23fc50c4fb0ea6a13d1b88163f..dfcc132f190d604c1dbb3a7ca73d86a764761175 100644 (file)
@@ -32,6 +32,8 @@
 #include <stdint.h>
 #include <sys/stat.h>
 #include <sys/mman.h>
+#include <sys/types.h>
+#include <grp.h>
 
 /*-----------------------------------------------------------------------------
  *  MACROS
@@ -41,6 +43,7 @@
 
 #define SHM_MAX_ID              INT32_MAX
 #define SHM_NAME_TEMPLATE       "/teec_shm%d"
+
 #define SHM_FILE_MODE           0660
 /*-----------------------------------------------------------------------------
  *  Globals
@@ -82,6 +85,51 @@ static uint32_t alignSize(uint32_t size)
        return retSize;
 }
 
+/*
+ * ===  FUNCTION  ======================================================================
+ *         Name:  set_shm_permissions
+ *  Description:  Set group and permissions of the shm file underneath shared memory
+ *   Parameters:  fd_shm - shm file FD
+ *                shm_name - shm file name (for logging)
+ *       Return:  TEEC return value indicating success of failure
+ * =====================================================================================
+ */
+static int32_t set_shm_permissions(int fd_shm, const char *shm_name) {
+       int res;
+       struct group *tee_group = NULL;
+
+       res = fchmod(fd_shm, SHM_FILE_MODE);
+       if (res == -1) {
+               LOGE(TEEC_LIB,
+                    "Cannot change permission of the %s shared memory file, error: %s",
+                    shm_name, strerror(errno));
+                    return TEEC_ERROR_GENERIC;
+       }
+
+       errno = 0;
+       tee_group = getgrnam(TEE_USER_GROUP_NAME);
+       if (!tee_group) {
+               if (!errno) {
+                       LOGE(TEEC_LIB,
+                            "Failed to get TEE group: group %s does not exist",
+                            TEE_USER_GROUP_NAME);
+               } else {
+                       LOGE(TEEC_LIB,
+                            "Failed to set TEE group, error: %s",
+                            strerror(errno));
+               }
+               return TEEC_ERROR_GENERIC;
+       }
+       res = fchown(fd_shm, -1, tee_group->gr_gid);
+       if (res == -1) {
+               LOGE(TEEC_LIB,
+                    "Failed to set TEE group of the %s shared memory file, error: %s",
+                    shm_name, strerror(errno));
+               return errno == EPERM ? TEEC_ERROR_ACCESS_DENIED : TEEC_ERROR_GENERIC;
+       }
+       return TEEC_SUCCESS;
+}
+
 /*
  * ===  FUNCTION  ======================================================================
  *         Name:  allocateSharedMemory
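Review bot: `getgrnam()` in set_shm_permissions returns a pointer into static storage, which a group lookup on another thread can overwrite before `tee_group->gr_gid` is read. Since this is library code that callers may run from several threads, `getgrnam_r()` with a caller-owned buffer is the safer call. The branch for a failed lookup also logs "Failed to set TEE group" although nothing has been set yet, so the rewrite below words it as a lookup failure. Separately, `fchmod(fd_shm, SHM_FILE_MODE)` runs before `fchown()`, so the file is 0660 for whatever group it was created with until the group changes. Calling `fchown()` first would close that window, but the creation mode is outside this hunk, so confirm what it is before reordering.

```c
static int32_t set_shm_permissions(int fd_shm, const char *shm_name) {
	int res;
	struct group grp;
	struct group *tee_group = NULL;
	/* Fixed scratch buffer; getgrnam_r() reports ERANGE if the entry does not fit. */
	char grp_buf[4096];

	/* … unchanged: fchmod(fd_shm, SHM_FILE_MODE) and its error path … */

	/* getgrnam_r() returns the error number directly and does not rely on errno. */
	res = getgrnam_r(TEE_USER_GROUP_NAME, &grp, grp_buf, sizeof(grp_buf),
	                 &tee_group);
	if (res != 0 || !tee_group) {
		if (res == 0) {
			LOGE(TEEC_LIB,
			     "Failed to get TEE group: group %s does not exist",
			     TEE_USER_GROUP_NAME);
		} else {
			LOGE(TEEC_LIB,
			     "Failed to look up TEE group %s, error: %s",
			     TEE_USER_GROUP_NAME, strerror(res));
		}
		return TEEC_ERROR_GENERIC;
	}

	/* … unchanged: fchown(fd_shm, -1, tee_group->gr_gid) and its error path … */
```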
@@ -127,14 +175,9 @@ static int32_t allocateSharedMemory(TEEC_SharedMemory *shm)
                goto exit;
        }
 
-       res = fchmod(fd_shm, SHM_FILE_MODE);
-       if (res == -1) {
-               LOGE(TEEC_LIB,
-                    "Cannot change permission of the %s shared memory file, error: %s",
-                    shm_name, strerror(errno));
-               tee_result = TEEC_ERROR_GENERIC;
+       tee_result = set_shm_permissions(fd_shm, shm_name);
+       if (tee_result != TEEC_SUCCESS)
                goto cleanup_shm;
-       }
 
        size = alignSize(size);
        if (ftruncate(fd_shm, size) == -1) {
index 36e0fc404b88469ece649b8ea1af70aba1914fc5..eb872bb4346c9e75f126393724fdcc0a2434816b 100644 (file)
@@ -36,6 +36,7 @@ PreReq: tef-libteec
 %define build_unit_dir %{buildroot}%{_unitdir}
 
 %define smack_domain_name System
+%define tee_user_group_name priv_tee_client
 
 %description
 TEF Simulator provides a TrustZone simulated environment
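Review bot: Nothing visible in this spec creates `priv_tee_client`, yet the commit makes the group a hard runtime dependency. set_shm_permissions() returns TEEC_ERROR_GENERIC when `getgrnam()` finds no such group, and systemd/tef-simulator.service.in now lists it in `SupplementaryGroups=`. If the platform image does not already provide the group, the package should create it in a `%pre` scriptlet or declare a dependency on the package that does. A comment next to `%define tee_user_group_name priv_tee_client` saying where the group comes from would settle the question for the next reader.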
@@ -85,6 +86,7 @@ cmake . \
         -DPKGCFG_PREFIX=/usr \
         -DPKGCFG_VERSION=%{version} \
         -DSMACK_DOMAIN_NAME=%{smack_domain_name} \
+        -DTEE_USER_GROUP_NAME=%{tee_user_group_name} \
         -DARCH=%{__isa_bits} \
         -DTIZEN=1
 make %{?jobs:-j%jobs}
index a9b767c7f5350427d8e07db975a2a67d24962467..3131a34f9eced85826766611b904a8a4b628d165 100644 (file)
@@ -6,7 +6,7 @@ BindsTo=tef-simulator.socket
 [Service]
 User=security_fw
 Group=security_fw
-SupplementaryGroups=users
+SupplementaryGroups=users @TEE_USER_GROUP_NAME@
 CapabilityBoundingSet=
 SmackProcessLabel=@SMACK_DOMAIN_NAME@
 ExecStart=@SYSTEMD_CFG_BIN_DIR@/tef-simulator-daemon