From: Suchang Woo <suchang.woo@samsung.com>
Date: Fri, 8 May 2015 07:25:22 +0000 (+0900)
Subject: Support SMACK permissive mode in Buxton
X-Git-Tag: accepted/tizen/common/20150511.125557^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=47c3d23ebc6c9c1bfa3d5868a4261e62703d9e37;hp=e113af469291708b73b3f7fe0b3b838fbb8ac2b4;p=platform%2Fupstream%2Fbuxton.git

Support SMACK permissive mode in Buxton

If Kernel SMACK module is supporting the permissive mode,
Buxton should also support it.

Signed-off-by: Suchang Woo <suchang.woo@samsung.com>
Change-Id: Ib976fa0d5330afbffed09c1e31dc97c4976468d1
---

diff --git a/Makefile.am b/Makefile.am
index a613e6d..e73892c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -20,7 +20,8 @@ AM_CPPFLAGS = \
 	-D_DEFAULT_CONFIGURATION_FILE=\"$(CONFPATH)\" \
 	-D_DB_PATH=\"$(DB_PATH)\" \
 	-D_BUXTON_SOCKET=\"$(BUXTON_SOCKET)\" \
-	-D_SMACK_LOAD_FILE=\"$(SMACK_LOAD_FILE)\"
+	-D_SMACK_LOAD_FILE=\"$(SMACK_LOAD_FILE)\" \
+	-D_SMACK_PERMISSIVE=\"$(SMACK_PERMISSIVE)\"
 
 AM_LDFLAGS = \
 	-rdynamic
diff --git a/Makefile.in b/Makefile.in
index 92e4716..58c1597 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -872,6 +872,7 @@ SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SMACK_LOAD_FILE = @SMACK_LOAD_FILE@
+SMACK_PERMISSIVE = @SMACK_PERMISSIVE@
 STRIP = @STRIP@
 SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@
 SYSTEMD_LIBS = @SYSTEMD_LIBS@
@@ -946,7 +947,8 @@ AM_CPPFLAGS = \
 	-D_DEFAULT_CONFIGURATION_FILE=\"$(CONFPATH)\" \
 	-D_DB_PATH=\"$(DB_PATH)\" \
 	-D_BUXTON_SOCKET=\"$(BUXTON_SOCKET)\" \
-	-D_SMACK_LOAD_FILE=\"$(SMACK_LOAD_FILE)\"
+	-D_SMACK_LOAD_FILE=\"$(SMACK_LOAD_FILE)\" \
+	-D_SMACK_PERMISSIVE=\"$(SMACK_PERMISSIVE)\"
 
 AM_LDFLAGS = \
 	-rdynamic
diff --git a/configure b/configure
index d2af2e9..376223a 100755
--- a/configure
+++ b/configure
@@ -649,6 +649,7 @@ MANPAGE_FALSE
 MANPAGE_TRUE
 DEBUG_FALSE
 DEBUG_TRUE
+SMACK_PERMISSIVE
 SMACK_LOAD_FILE
 BUXTON_SOCKET
 DB_PATH
@@ -804,6 +805,7 @@ with_config_path
 with_db_path
 with_socket_path
 with_smack_load_file
+with_smack_permissive
 enable_debug
 enable_manpages
 enable_coverage
@@ -1487,6 +1489,8 @@ Optional Packages:
                           path to buxton socket file
   --with-smack-load-file=SMACKLOADFILE
                           path to smack load2 file
+  --with-smack-permissive=SMACKPERMISSIVE
+                          path to smack permissive file
 
 Some influential environment variables:
   CC          C compiler command
@@ -14431,6 +14435,17 @@ fi
 SMACK_LOAD_FILE="${smack_load_file}"
 
 
+
+# Check whether --with-smack-permissive was given.
+if test "${with_smack_permissive+set}" = set; then :
+  withval=$with_smack_permissive; smack_permissive=${withval}
+else
+  smack_permissive="/sys/fs/smackfs/permissive"
+fi
+
+SMACK_PERMISSIVE="${smack_permissive}"
+
+
 # Check whether --enable-debug was given.
 if test "${enable_debug+set}" = set; then :
   enableval=$enable_debug;
diff --git a/configure.ac b/configure.ac
index 1d5aff2..b3ed9c5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -154,6 +154,12 @@ AC_ARG_WITH([smack-load-file], AS_HELP_STRING([--with-smack-load-file=SMACKLOADF
 SMACK_LOAD_FILE="${smack_load_file}"
 AC_SUBST(SMACK_LOAD_FILE)
 
+AC_ARG_WITH([smack-permissive], AS_HELP_STRING([--with-smack-permissive=SMACKPERMISSIVE],
+	[path to smack permissive file]), [smack_permissive=${withval}],
+	[smack_permissive="/sys/fs/smackfs/permissive"])
+SMACK_PERMISSIVE="${smack_permissive}"
+AC_SUBST(SMACK_PERMISSIVE)
+
 AC_ARG_ENABLE(debug, AS_HELP_STRING([--enable-debug], [enable debug mode @<:@default=no@:>@]),
 	      [], [enable_debug=no])
 AS_IF([test "x$enable_debug" = "xyes"],
diff --git a/src/security/smack.c b/src/security/smack.c
index 8927236..4a87524 100644
--- a/src/security/smack.c
+++ b/src/security/smack.c
@@ -30,6 +30,7 @@
 static Hashmap *_smackrules = NULL;
 /* set to true unless Smack support is not detected by the daemon */
 static bool have_smack = true;
+static bool permissive;
 
 #define smack_check() do { if (!have_smack) { return true; } } while (0);
 
@@ -39,6 +40,27 @@ bool buxton_smack_enabled(void)
 	return have_smack;
 }
 
+static bool buxton_get_permissive_mode(void)
+{
+	FILE *fp;
+	int d;
+	int r;
+
+	fp = fopen(buxton_smack_permissive(), "r");
+	if (!fp)
+		return false;
+
+	r = fscanf(fp, "%d\n", &d);
+	fclose(fp);
+
+	if (r != 1)
+		return false;
+
+	buxton_log("Smack permissive mode %s\n", d ? "On" : "Off");
+
+	return !!d;
+}
+
 bool buxton_cache_smack_rules(void)
 {
 	smack_check();
@@ -66,6 +88,8 @@ bool buxton_cache_smack_rules(void)
 		goto end;
 	}
 
+	permissive = buxton_get_permissive_mode();
+
 	load_file = fopen(buxton_smack_load_file(), "r");
 
 	if (!load_file) {
@@ -160,6 +184,10 @@ bool buxton_check_smack_access(BuxtonString *subject, BuxtonString *object, Buxt
 	buxton_debug("Subject: %s\n", subject->value);
 	buxton_debug("Object: %s\n", object->value);
 
+	/* permissive mode */
+	if (permissive)
+		return true;
+
 	/* check the builtin Smack rules first */
 	if (streq(subject->value, "*")) {
 		return false;
@@ -243,6 +271,10 @@ int buxton_watch_smack_rules(void)
 		buxton_log("inotify_add_watch(): %m\n");
 		return -1;
 	}
+
+	/* If permissive mode is supported */
+	inotify_add_watch(fd, buxton_smack_permissive(), IN_CLOSE_WRITE);
+
 	return fd;
 }
 
diff --git a/src/shared/configurator.c b/src/shared/configurator.c
index 7816cd7..289e72e 100644
--- a/src/shared/configurator.c
+++ b/src/shared/configurator.c
@@ -62,7 +62,8 @@ static const char *KS[CONFIG_MAX] = {
 	"BUXTON_MODULE_DIR",
 	"BUXTON_DB_PATH",
 	"BUXTON_SMACK_LOAD_FILE",
-	"BUXTON_BUXTON_SOCKET"
+	"BUXTON_BUXTON_SOCKET",
+	"BUXTON_SMACK_PERMISSIVE"
 };
 
 /**
@@ -75,7 +76,8 @@ static const char *config_keys[CONFIG_MAX] = {
 	"ModuleDirectory",
 	"DatabasePath",
 	"SmackLoadFile",
-	"SocketPath"
+	"SocketPath",
+	"SmackPermissive"
 };
 
 static const char *COMPILE_DEFAULT[CONFIG_MAX] = {
@@ -84,7 +86,8 @@ static const char *COMPILE_DEFAULT[CONFIG_MAX] = {
 	_MODULE_DIRECTORY,
 	_DB_PATH,
 	_SMACK_LOAD_FILE,
-	_BUXTON_SOCKET
+	_BUXTON_SOCKET,
+	_SMACK_PERMISSIVE
 };
 
 /**
@@ -276,6 +279,12 @@ const char* buxton_smack_load_file(void)
 	return (const char*)conf.keys[CONFIG_SMACK_LOAD_FILE];
 }
 
+const char* buxton_smack_permissive(void)
+{
+	initialize();
+	return (const char*)conf.keys[CONFIG_SMACK_PERMISSIVE];
+}
+
 const char* buxton_socket(void)
 {
 	initialize();
diff --git a/src/shared/configurator.h b/src/shared/configurator.h
index c2a37ee..fdd274a 100644
--- a/src/shared/configurator.h
+++ b/src/shared/configurator.h
@@ -27,6 +27,7 @@ typedef enum ConfigKey {
 	CONFIG_DB_PATH,
 	CONFIG_SMACK_LOAD_FILE,
 	CONFIG_BUXTON_SOCKET,
+	CONFIG_SMACK_PERMISSIVE,
 	CONFIG_MAX
 } ConfigKey;
 
@@ -96,6 +97,17 @@ const char *buxton_smack_load_file(void)
 
 /**
  * @internal
+ * @brief Get the path of the smack permissive.
+ *
+ *
+ * @return the path of the smack permissive file. Do not free this pointer.
+ * It belongs to configurator.
+ */
+const char *buxton_smack_permissive(void)
+	__attribute__((warn_unused_result));
+
+/**
+ * @internal
  * @brief Get the path of the buxton socket.
  *
  *