From: Jaemin Ryu Date: Sun, 19 Feb 2017 22:52:39 +0000 (+0900) Subject: Add audit trail for remote method call X-Git-Tag: submit/tizen/20170220.004424~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=0b16c01535887627326d53cef3e8b473b57f1ae6;p=platform%2Fcore%2Fsecurity%2Fklay.git Add audit trail for remote method call Change-Id: Ideb4f96f55b650e8adb2640355659cd50631f8ef Signed-off-by: Jaemin Ryu
---
diff --git a/include/klay/rmi/service.h b/include/klay/rmi/service.h
index 9db9d28..883b63b 100644
--- a/include/klay/rmi/service.h
+++ b/include/klay/rmi/service.h
@@ -143,6 +143,7 @@ namespace rmi { typedef std::function ConnectionCallback; typedef std::function PrivilegeChecker;
+typedef std::function AuditTrail;
 class Service { public:
@@ -155,6 +156,7 @@ public: void start(bool useGMainloop = false); void stop();
+ void setAuditTrail(const AuditTrail& trail);
 void setPrivilegeChecker(const PrivilegeChecker& checker); void setNewConnectionCallback(const ConnectionCallback& callback); void setCloseConnectionCallback(const ConnectionCallback& callback);
@@ -220,7 +222,8 @@ private: CallbackDispatcher onNewConnection; CallbackDispatcher onCloseConnection;
- PrivilegeChecker onMethodCall;
+ PrivilegeChecker onPrivilegeCheck;
+ AuditTrail onAuditTrail;
 MethodRegistry methodRegistry; NotificationRegistry notificationRegistry;
diff --git a/src/rmi/service.cpp b/src/rmi/service.cpp
index 8fc2fb9..df9d2ff 100644
--- a/src/rmi/service.cpp
+++ b/src/rmi/service.cpp
@@ -34,9 +34,12 @@ Service::Service(const std::string& path) : setNewConnectionCallback(nullptr); setCloseConnectionCallback(nullptr);
- onMethodCall = [](const Credentials& cred, const std::string& privilege) {
+ onPrivilegeCheck = [](const Credentials& cred, const std::string& privilege) {
 return true; };
+
+ onAuditTrail = [](const Credentials& cred, const std::string& name, int condition) {
+ };
 } Service::~Service()
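Review bot: The new `AuditTrail` typedef in include/klay/rmi/service.h has no comment saying what its arguments mean, and the third one is easy to misread. Judging by the default lambda and the call in src/rmi/service.cpp, it receives the caller's credentials, the requested method name, and the bool result of the privilege check converted to `int condition`. I would add above the typedef `// Called once per dispatched method call with (caller credentials, method name, condition); condition is non-zero when the privilege check allowed the call.` and state whether the callback is allowed to throw. The callback's template signature is not visible in this rendering of the header, so the parameter list above is inferred from the .cpp side.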
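Review bot: Both defaults installed in the constructor fail open: `onPrivilegeCheck` returns true for every caller and the new `onAuditTrail` lambda discards the event, so a Service whose owner forgets the two setters dispatches calls with no authorization check and no record, and gives no indication of it. The allow-all checker predates this commit, but the rename is a good place to document the behaviour, e.g. `// Default policy: allow every call and record nothing; deployments must install a privilege checker and an audit sink.` above the two assignments. The lambda parameters (`cred`, `privilege`, `name`, `condition`) are unused and can be left unnamed to avoid unused-parameter warnings. The constructor starts outside this hunk.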
@@ -72,7 +75,12 @@ Service::ConnectionRegistry::iterator Service::getConnectionIterator(const int i void Service::setPrivilegeChecker(const PrivilegeChecker& checker) {
- onMethodCall = std::move(checker);
+ onPrivilegeCheck = std::move(checker);
+}
+
+void Service::setAuditTrail(const AuditTrail& trail)
+{
+ onAuditTrail = std::move(trail);
 } void Service::setNewConnectionCallback(const ConnectionCallback& connectionCallback)
@@ -192,7 +200,9 @@ void Service::onMessageProcess(const std::shared_ptr& connection) std::shared_ptr methodContext = methodRegistry.at(request.target()); processingContext = ProcessingContext(connection);
- if (onMethodCall(processingContext.credentials, methodContext->privilege) != true) {
+ bool allowed = onPrivilegeCheck(processingContext.credentials, methodContext->privilege);
+ onAuditTrail(processingContext.credentials, request.target(), allowed);
+ if (!allowed) {
 throw runtime::Exception("Permission denied"); }
diff --git a/test/rmi.cpp b/test/rmi.cpp
index 2b0ed4c..ab54fad 100644
--- a/test/rmi.cpp
+++ b/test/rmi.cpp
@@ -32,8 +32,17 @@ #include
+namespace {
+
 const std::string IPC_TEST_ADDRESS = "/tmp/.dpm-test";
+
+void AuditTrail(const rmi::Credentials& cred, const std::string& method, int condition)
+{
+ std::cout << "AuditTrail pid: " << cred.pid << " method: " << method << std::endl;
+}
+
+};
+
 class TestServer { public: TestServer()
@@ -51,6 +60,8 @@ public: service->expose(this, "", (int)(TestServer::sendSignal)()); service->expose(this, "", (int)(TestServer::sendPolicyChangeNotification)());
+ service->setAuditTrail(AuditTrail);
+
 service->createNotification("TestPolicyChanged"); service->createNotification("TestSignal"); }
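Review bot: `setAuditTrail` (and `setPrivilegeChecker` beside it) stores whatever it is given, so `setAuditTrail(nullptr)`, the same idiom the constructor uses for the connection callbacks, leaves an empty `std::function` that the dispatch path then invokes, and every request throws `std::bad_function_call`. Guarding the assignment keeps dispatch working, for example `if (trail) onAuditTrail = trail;`, or reset to the no-op default when the argument is empty. For the privilege checker an empty argument should be rejected rather than mapped back to allow-all. Separately, `std::move` on a `const AuditTrail&` parameter cannot move and silently copies; a plain `onAuditTrail = trail;` says what actually happens.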
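Review bot: The audit call in onMessageProcess sits after `methodRegistry.at(request.target())`, so a request naming an unregistered method presumably leaves through the exception from `at()` before `onAuditTrail` runs, and such requests go unrecorded. If the trail is meant to cover every remote call, build `processingContext` before the lookup and report the failed lookup as well, e.g. `onAuditTrail(processingContext.credentials, request.target(), false);` before rethrowing. Once unknown targets reach the sink the name is caller-controlled, so sinks should escape it before writing it to a log. An exception from the audit callback also aborts the call at this point; a one-line comment stating whether that is intended would help. The function body starts and ends outside this hunk.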
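Review bot: The test callback `AuditTrail` in test/rmi.cpp ignores `condition`, so its output cannot tell an allowed call from a denied one, and nothing in the visible hunks asserts that the trail was invoked at all. Printing the flag, `std::cout << "AuditTrail pid: " << cred.pid << " method: " << method << " allowed: " << condition << std::endl;`, would at least make a denied call visible in the test log. The anonymous namespace is closed with `};`; the stray semicolon should be dropped, leaving `} // namespace`.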