From: Zofia Abramowska
Date: Tue, 7 Apr 2020 17:12:55 +0000 (+0200)
Subject: Remove privilege related Smack rules when multi-user is detected
X-Git-Tag: submit/tizen/20200421.142342~8
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=0e48b12e5fd0e1b0393c142d1a34466f296d8fe8;p=platform%2Fcore%2Fsecurity%2Fsecurity-manager.git
Remove privilege related Smack rules when multi-user is detected
Privilege related Smack rules can only be used, when applications can be launched for only one user. When multiple instances of one application for different users are detected, all privilege related Smack rules for this application will be revoked. This isn't a permanent state. When application is launched only for one user it will acquire all needed permissions.
Change-Id: Ibda63d3ce4ce072f48fff4ff0e2c083c69fe66d7
---
diff --git a/src/common/include/service_impl.h b/src/common/include/service_impl.h
index ff98d510..7e63ba37 100644
--- a/src/common/include/service_impl.h
+++ b/src/common/include/service_impl.h
@@ -443,6 +443,8 @@ private:
 const std::string &path);
 static bool updateRunningAppSmackPolicy(app_context_h app_context, void *user_data);
+ static bool checkRunningApps(app_context_h app_context, void *user_data);
+
 void updatePermissibleSet(uid_t uid, int type);
 Smack::Label getAppProcessLabel(const std::string &appName, const std::string &pkgName);
diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
index a1c145a7..5308991c 100644
--- a/src/common/service_impl.cpp
+++ b/src/common/service_impl.cpp
@@ -2254,6 +2254,23 @@ Smack::Label ServiceImpl::getProcessLabel(const std::string &appName)
 return getAppProcessLabel(appName);
 }
+struct AppMgrCheckAppsCbContext {
+ std::string appName;
+ bool isRunning;
+};
+
+bool ServiceImpl::checkRunningApps(app_context_h app_context, void *user_data)
+{
+ AppMgrCheckAppsCbContext *context = reinterpret_cast(user_data);
+ std::string appId = getAppIdFromContext(app_context);
+ if (appId == context->appName) {
+ context->isRunning = true;
+ return false;
+ }
+
+ return true;
+}
+
 int ServiceImpl::prepareApp(const Credentials &creds, const std::string &appName, const std::vector &privPathsVector, Smack::Label &label, std::string &pkgName, bool &enabledSharedRO, std::vector &forbiddenGroups, std::vector &allowedGroups, std::vector &privPathsStatusVector)
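Review bot: In `checkRunningApps`, a context whose app id cannot be resolved is treated as a plain non-match, so the enumeration can finish with `isRunning` still false although the lookup was incomplete. `getAppIdFromContext` is defined outside this hunk; if it returns an empty string on failure (to be confirmed), the caller in `prepareApp` would read that as "no other instance" and enable the privilege rules, which is the fail-open direction for this check. Consider recording the failure in the callback context, e.g. an extra `bool lookupFailed;` field set when `appId.empty()`, and having the caller skip `enablePrivilegeRules` when it is set. A one-line comment that the callback returns `false` to stop the enumeration at the first match would also help readers.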
@@ -2279,10 +2296,39 @@ int ServiceImpl::prepareApp(const Credentials &creds, const std::string &appName
 getPkgLabels(pkgName, pkgLabels);
 if (m_smackRules.isPrivilegeMappingEnabled()) {
- m_appIdUidMap[appName] = creds.uid;
+ uid_t savedUid;
+ auto it = m_appIdUidMap.find(appName);
+ if (it == m_appIdUidMap.end()) {
+ m_appIdUidMap[appName] = creds.uid;
+ savedUid = creds.uid;
+ } else {
+ savedUid = it->second;
+ }
+ // We have to remove all possible privilege related Smack rules, because application
+ // policy might have changed from last prepareApp
+ // (e.g. application new version was installed)
 m_smackRules.disableAllPrivilegeRules(label, pkgName, authorId);
- m_smackRules.enablePrivilegeRules(label, pkgName, authorId, allowedPrivileges);
+
+ if (savedUid != creds.uid) {
+ LogDebug("Possible second instance detected. Checking all running apps");
+
+ AppMgrCheckAppsCbContext context{appName, false};
+ int ret = app_manager_foreach_running_app_context(&ServiceImpl::checkRunningApps,
+ &context);
+ if (ret != APP_MANAGER_ERROR_NONE) {
+ LogError("Couldn't check running apps. No Smack policy will be applied for "
+ << appName);
+ } else if (context.isRunning) {
+ LogError("Application is already running! No Smack policy will be applied for "
+ << appName);
+ } else {
+ m_smackRules.enablePrivilegeRules(label, pkgName, authorId, allowedPrivileges);
+ }
+ m_appIdUidMap[appName] = creds.uid;
+ } else {
+ m_smackRules.enablePrivilegeRules(label, pkgName, authorId, allowedPrivileges);
+ }
 }
 ret = getForbiddenAndAllowedGroups(label, allowedPrivileges, forbiddenGroups,
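Review bot: `m_appIdUidMap[appName] = creds.uid;` runs in the `savedUid != creds.uid` branch even when `context.isRunning` is true or the enumeration failed, so the map forgets the first user while that instance may still be running. A later `prepareApp` for the new uid then finds `savedUid == creds.uid` and goes straight to `enablePrivilegeRules` with no running-instance check, which appears to re-grant the privilege rules in the multi-user situation the commit wants to exclude. Consider updating the map only in the final `else` of that branch, where the rules are actually enabled, or keeping a per-app multi-user flag that the same-uid path consults as well. Separately, the inner `int ret = app_manager_foreach_running_app_context(...)` shadows the function's `ret` that is assigned right after the block; a distinct name such as `int appMgrRet` avoids confusion. `prepareApp` begins and ends outside this hunk.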