From: Zofia Abramowska Date: Fri, 2 Sep 2016 14:51:14 +0000 (+0200) Subject: Change names of smack rules templates X-Git-Tag: submit/tizen/20160930.022920~3^2~8 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=b2354a2f438d80b10206a80cc0ada1c9733e7d5d;p=platform%2Fcore%2Fsecurity%2Fsecurity-manager.git Change names of smack rules templates Change-Id: Ifa2ca9aa7b53dec6ae1a5a09de4f452c994ea056 --- diff --git a/policy/app-rules-template.smack b/policy/app-rules-template.smack index 693d979e..9d247887 100644 --- a/policy/app-rules-template.smack +++ b/policy/app-rules-template.smack @@ -1,16 +1,16 @@ -System ~APP~ rwx -System::Privileged ~APP~ rwx -~APP~ System wx -~APP~ System::Privileged wx -~APP~ System::Shared rxl -~APP~ System::Run rwxat -~APP~ System::Log rwxa -~APP~ _ l -User ~APP~ rwx -~APP~ User wx -~APP~ User::Home rxl -~APP~ User::App::Shared rwxat -~APP~ ~PKG~ rwxat -~APP~ ~PKG~::RO rxl -~APP~ ~PKG~::SharedRO rwxat -~APP~ ~AUTHOR~ rwxat +System ~PROCESS~ rwx +System::Privileged ~PROCESS~ rwx +~PROCESS~ System wx +~PROCESS~ System::Privileged wx +~PROCESS~ System::Shared rxl +~PROCESS~ System::Run rwxat +~PROCESS~ System::Log rwxa +~PROCESS~ _ l +User ~PROCESS~ rwx +~PROCESS~ User wx +~PROCESS~ User::Home rxl +~PROCESS~ User::App::Shared rwxat +~PROCESS~ ~PATH_RW~ rwxat +~PROCESS~ ~PATH_RO~ rxl +~PROCESS~ ~PATH_SHARED_RO~ rwxat +~PROCESS~ ~PATH_TRUSTED~ rwxat diff --git a/policy/author-rules-template.smack b/policy/author-rules-template.smack index 56e9aa5d..2e584a77 100644 --- a/policy/author-rules-template.smack +++ b/policy/author-rules-template.smack @@ -1,3 +1,3 @@ -User ~AUTHOR~ rwxat -System ~AUTHOR~ rwxat -System::Privileged ~AUTHOR~ rwxat +User ~PATH_TRUSTED~ rwxat +System ~PATH_TRUSTED~ rwxat +System::Privileged ~PATH_TRUSTED~ rwxat diff --git a/policy/pkg-rules-template.smack b/policy/pkg-rules-template.smack index 6b98a98f..0ec8b1d8 100644 --- a/policy/pkg-rules-template.smack +++ b/policy/pkg-rules-template.smack @@ -1,10 +1,10 @@ -System ~PKG~ rwxat -System ~PKG~::RO rwxat -System ~PKG~::SharedRO rwxat -System::Privileged ~PKG~ rwxat -System::Privileged ~PKG~::RO rwxat -System::Privileged ~PKG~::SharedRO rwxat -User ~PKG~ rwxat -User ~PKG~::RO rwxat -User ~PKG~::SharedRO rwxat +System ~PATH_RW~ rwxat +System ~PATH_RO~ rwxat +System ~PATH_SHARED_RO~ rwxat +System::Privileged ~PATH_RW~ rwxat +System::Privileged ~PATH_RO~ rwxat +System::Privileged ~PATH_SHARED_RO~ rwxat +User ~PATH_RW~ rwxat +User ~PATH_RO~ rwxat +User ~PATH_SHARED_RO~ rwxat diff --git a/src/client/client-label-monitor.cpp b/src/client/client-label-monitor.cpp index c06a06c4..b52f655a 100644 --- a/src/client/client-label-monitor.cpp +++ b/src/client/client-label-monitor.cpp @@ -70,7 +70,7 @@ static lib_retcode apply_relabel_list(const std::string &global_label_file, PermissibleSet::readNamesFromPermissibleFile(user_label_file, names); std::vector temp; std::transform(names.begin(), names.end(), std::back_inserter(temp), - [] (std::string &label) {label = SmackLabels::generateAppLabel(label); + [] (std::string &label) {label = SmackLabels::generateProcessLabel(label); return label.c_str();}); if (smack_set_relabel_self(const_cast(temp.data()), temp.size()) != 0) { LogError("smack_set_relabel_self failed"); diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp index d9035743..e5cc93f7 100644 --- a/src/client/client-security-manager.cpp +++ b/src/client/client-security-manager.cpp @@ -375,7 +375,7 @@ int security_manager_set_process_label_from_appid(const char *app_name) return SECURITY_MANAGER_SUCCESS; try { - appLabel = SecurityManager::SmackLabels::generateAppLabel(app_name); + appLabel = SecurityManager::SmackLabels::generateProcessLabel(app_name); } catch (...) { LogError("Failed to generate smack label for appName: " << app_name); return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT; @@ -532,7 +532,7 @@ static inline int security_manager_sync_threads_internal(const char *app_name) uid_t cur_tid = gettid(); pid_t cur_pid = getpid(); - g_app_label = SecurityManager::SmackLabels::generateAppLabel(app_name); + g_app_label = SecurityManager::SmackLabels::generateProcessLabel(app_name); g_threads_count = 0; g_tid_attr_current_map.clear(); g_smack_fs_path = smack_smackfs_path() != NULL; diff --git a/src/common/include/smack-labels.h b/src/common/include/smack-labels.h index 07b10795..15372082 100644 --- a/src/common/include/smack-labels.h +++ b/src/common/include/smack-labels.h @@ -77,7 +77,7 @@ std::string generateAppNameFromLabel(const std::string &label); * @param[in] appName application identifier * @return resulting Smack label */ -std::string generateAppLabel(const std::string &appName); +std::string generateProcessLabel(const std::string &appName); /** * Generates label for an application with @ref pkgName, specific @@ -86,7 +86,7 @@ std::string generateAppLabel(const std::string &appName); * @param[in] pkgName application package identifier * @return resulting Smack label */ -std::string generatePkgLabelOwnerRWothersRO(const std::string &pkgName); +std::string generatePathSharedROLabel(const std::string &pkgName); /** * Generates label for a package identifier @@ -94,7 +94,7 @@ std::string generatePkgLabelOwnerRWothersRO(const std::string &pkgName); * @param[in] pkgName package identifier * @return resulting Smack label */ -std::string generatePkgLabel(const std::string &pkgName); +std::string generatePathRWLabel(const std::string &pkgName); /** * Generates label for private application RO files with package identifier @ref pkgName @@ -102,7 +102,7 @@ std::string generatePkgLabel(const std::string &pkgName); * @param[in] pkgName package identifier * @return resulting Smack label */ -std::string generatePkgROLabel(const std::string &pkgName); +std::string generatePathROLabel(const std::string &pkgName); /** * Generates unique label per path for private path sharing. @@ -120,7 +120,7 @@ std::string generateSharedPrivateLabel(const std::string &pkgName, const std::st * @param[in] authorId * @return resulting Smack label */ -std::string generateAuthorLabel(const int authorId); +std::string generatePathTrustedLabel(const int authorId); /** * Returns smack label for given socket diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp index 96be37f8..fad26cc8 100644 --- a/src/common/service_impl.cpp +++ b/src/common/service_impl.cpp @@ -127,7 +127,7 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, cyap = std::move(CynaraAdminPolicy( policyEntry.appName.compare(SECURITY_MANAGER_ANY) ? - SmackLabels::generateAppLabel(policyEntry.appName) : CYNARA_ADMIN_WILDCARD, + SmackLabels::generateProcessLabel(policyEntry.appName) : CYNARA_ADMIN_WILDCARD, policyEntry.user, policyEntry.privilege, level, @@ -517,8 +517,8 @@ int ServiceImpl::appInstall(const Credentials &creds, app_inst_req &&req) return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED; } - appLabel = SmackLabels::generateAppLabel(req.appName); - pkgLabel = SmackLabels::generatePkgLabel(req.pkgName); + appLabel = SmackLabels::generateProcessLabel(req.appName); + pkgLabel = SmackLabels::generatePathRWLabel(req.pkgName); LogDebug("Generated install parameters: app label: " << appLabel << ", pkg label: " << pkgLabel); @@ -635,7 +635,7 @@ int ServiceImpl::appUninstall(const Credentials &creds, app_inst_req &&req) return SECURITY_MANAGER_SUCCESS; } - smackLabel = SmackLabels::generateAppLabel(req.appName); + smackLabel = SmackLabels::generateProcessLabel(req.appName); LogDebug("Generated uninstall parameters: pkgName=" << req.pkgName << " Smack label=" << smackLabel); @@ -779,7 +779,7 @@ int ServiceImpl::getAppGroups(const Credentials &creds, const std::string &appNa { try { LogDebug("appName: " << appName); - std::string smackLabel = SmackLabels::generateAppLabel(appName); + std::string smackLabel = SmackLabels::generateProcessLabel(appName); LogDebug("smack label: " << smackLabel); std::vector privileges; @@ -981,7 +981,7 @@ int ServiceImpl::getConfiguredPolicy(const Credentials &creds, bool forAdmin, std::vector listOfPolicies; //convert appName to smack label - std::string appLabel = filter.appName.compare(SECURITY_MANAGER_ANY) ? SmackLabels::generateAppLabel(filter.appName) : CYNARA_ADMIN_ANY; + std::string appLabel = filter.appName.compare(SECURITY_MANAGER_ANY) ? SmackLabels::generateProcessLabel(filter.appName) : CYNARA_ADMIN_ANY; std::string user = filter.user.compare(SECURITY_MANAGER_ANY) ? filter.user : CYNARA_ADMIN_ANY; std::string privilege = filter.privilege.compare(SECURITY_MANAGER_ANY) ? filter.privilege : CYNARA_ADMIN_ANY; @@ -1128,7 +1128,7 @@ int ServiceImpl::getPolicy(const Credentials &creds, const policy_entry &filter, for (const std::string &appName : listOfApps) { LogDebug("App: " << appName); - std::string smackLabelForApp = SmackLabels::generateAppLabel(appName); + std::string smackLabelForApp = SmackLabels::generateProcessLabel(appName); std::vector listOfPrivileges; CynaraAdmin::getInstance().GetAppPolicy(smackLabelForApp, userStr, listOfPrivileges); @@ -1293,7 +1293,7 @@ int ServiceImpl::appHasPrivilege( bool &result) { try { - std::string appLabel = SmackLabels::generateAppLabel(appName); + std::string appLabel = SmackLabels::generateProcessLabel(appName); std::string uidStr = std::to_string(uid); result = Cynara::getInstance().check(appLabel, privilege, uidStr, ""); LogDebug("result = " << result); @@ -1390,7 +1390,7 @@ int ServiceImpl::applyPrivatePathSharing( for(const auto &path : paths) { std::string pathLabel = SmackLabels::getSmackLabelFromPath(path); - if (pathLabel != SmackLabels::generatePkgLabel(ownerPkgName)) { + if (pathLabel != SmackLabels::generatePathRWLabel(ownerPkgName)) { std::string generatedPathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgName, path); if (generatedPathLabel != pathLabel) { LogError("Path " << path << " has label " << pathLabel << " and dosen't belong" @@ -1490,7 +1490,7 @@ int ServiceImpl::dropPrivatePathSharing( return SECURITY_MANAGER_ERROR_INPUT_PARAM; } std::string pathLabel = SmackLabels::getSmackLabelFromPath(path); - if (pathLabel != SmackLabels::generatePkgLabel(ownerPkgName)) { + if (pathLabel != SmackLabels::generatePathRWLabel(ownerPkgName)) { std::string generatedPathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgName, path); if (generatedPathLabel != pathLabel) { LogError("Path " << path << " has label " << pathLabel << " and dosen't belong" diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp index 16710a2a..285d6ff1 100644 --- a/src/common/smack-labels.cpp +++ b/src/common/smack-labels.cpp @@ -141,12 +141,12 @@ void setupPath( switch (pathType) { case SECURITY_MANAGER_PATH_RW: - label = generatePkgLabel(pkgName); + label = generatePathRWLabel(pkgName); label_executables = false; label_transmute = true; break; case SECURITY_MANAGER_PATH_RO: - label = generatePkgROLabel(pkgName); + label = generatePathROLabel(pkgName); label_executables = false; label_transmute = false; break; @@ -156,14 +156,14 @@ void setupPath( label_transmute = true; break; case SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO: - label = generatePkgLabelOwnerRWothersRO(pkgName); + label = generatePathSharedROLabel(pkgName); label_executables = false; label_transmute = true; break; case SECURITY_MANAGER_PATH_TRUSTED_RW: if (authorId < 0) ThrowMsg(SmackException::InvalidParam, "You must define author to use PATH_TRUSED_RW"); - label = generateAuthorLabel(authorId); + label = generatePathTrustedLabel(authorId); label_executables = false; label_transmute = true; break; @@ -199,7 +199,7 @@ std::string generateAppNameFromLabel(const std::string &label) return ret; } -std::string generateAppLabel(const std::string &appName) +std::string generateProcessLabel(const std::string &appName) { std::string label = "User::App::" + appName; @@ -209,7 +209,7 @@ std::string generateAppLabel(const std::string &appName) return label; } -std::string generatePkgLabelOwnerRWothersRO(const std::string &pkgName) +std::string generatePathSharedROLabel(const std::string &pkgName) { std::string label = "User::Pkg::" + pkgName + "::SharedRO"; @@ -219,7 +219,7 @@ std::string generatePkgLabelOwnerRWothersRO(const std::string &pkgName) return label; } -std::string generatePkgLabel(const std::string &pkgName) +std::string generatePathRWLabel(const std::string &pkgName) { std::string label = "User::Pkg::" + pkgName; @@ -229,7 +229,7 @@ std::string generatePkgLabel(const std::string &pkgName) return label; } -std::string generatePkgROLabel(const std::string &pkgName) +std::string generatePathROLabel(const std::string &pkgName) { std::string label = "User::Pkg::" + pkgName + "::RO"; @@ -301,7 +301,7 @@ std::string getSmackLabelFromPid(pid_t pid) return result; } -std::string generateAuthorLabel(const int authorId) +std::string generatePathTrustedLabel(const int authorId) { if (authorId < 0) { LogError("Author was not set. It's not possible to generate label for unknown author."); diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp index 54fcecd3..9a2880f0 100644 --- a/src/common/smack-rules.cpp +++ b/src/common/smack-rules.cpp @@ -46,9 +46,11 @@ namespace SecurityManager { -const std::string SMACK_APP_LABEL_TEMPLATE = "~APP~"; -const std::string SMACK_PKG_LABEL_TEMPLATE = "~PKG~"; -const std::string SMACK_AUTHOR_LABEL_TEMPLATE = "~AUTHOR~"; +const std::string SMACK_PROCESS_LABEL_TEMPLATE = "~PROCESS~"; +const std::string SMACK_PATH_RW_LABEL_TEMPLATE = "~PATH_RW~"; +const std::string SMACK_PATH_RO_LABEL_TEMPLATE = "~PATH_RO~"; +const std::string SMACK_PATH_SHARED_RO_LABEL_TEMPLATE = "~PATH_SHARED_RO~"; +const std::string SMACK_PATH_TRUSTED_LABEL_TEMPLATE = "~PATH_TRUSTED~"; const std::string APP_RULES_TEMPLATE_FILE_PATH = TizenPlatformConfig::makePath(TZ_SYS_RO_SHARE, "security-manager", "policy", "app-rules-template.smack"); const std::string PKG_RULES_TEMPLATE_FILE_PATH = TizenPlatformConfig::makePath(TZ_SYS_RO_SHARE, "security-manager", "policy", "pkg-rules-template.smack"); const std::string AUTHOR_RULES_TEMPLATE_FILE_PATH = TizenPlatformConfig::makePath(TZ_SYS_RO_SHARE, "security-manager", "policy", "author-rules-template.smack"); @@ -198,18 +200,21 @@ void SmackRules::addFromTemplate( const std::string &pkgName, const int authorId) { - std::string appLabel; - std::string pkgLabel; - std::string authorLabel; + std::string processLabel; + std::string pathRWLabel, pathROLabel, pathSharedROLabel; + std::string pathTrustedLabel; if (!appName.empty()) - appLabel = SmackLabels::generateAppLabel(appName); + processLabel = SmackLabels::generateProcessLabel(appName); - if (!pkgName.empty()) - pkgLabel = SmackLabels::generatePkgLabel(pkgName); + if (!pkgName.empty()) { + pathRWLabel = SmackLabels::generatePathRWLabel(pkgName); + pathROLabel = SmackLabels::generatePathROLabel(pkgName); + pathSharedROLabel = SmackLabels::generatePathSharedROLabel(pkgName); + } if (authorId >= 0) - authorLabel = SmackLabels::generateAuthorLabel(authorId); + pathTrustedLabel = SmackLabels::generatePathTrustedLabel(authorId); for (auto rule : templateRules) { if (rule.empty()) @@ -224,11 +229,12 @@ void SmackRules::addFromTemplate( ThrowMsg(SmackException::FileError, "Invalid rule template: " << rule); } - strReplace(subject, SMACK_APP_LABEL_TEMPLATE, appLabel); - strReplace(subject, SMACK_PKG_LABEL_TEMPLATE, pkgLabel); - strReplace(object, SMACK_APP_LABEL_TEMPLATE, appLabel); - strReplace(object, SMACK_PKG_LABEL_TEMPLATE, pkgLabel); - strReplace(object, SMACK_AUTHOR_LABEL_TEMPLATE, authorLabel); + strReplace(subject, SMACK_PROCESS_LABEL_TEMPLATE, processLabel); + strReplace(object, SMACK_PROCESS_LABEL_TEMPLATE, processLabel); + strReplace(object, SMACK_PATH_RW_LABEL_TEMPLATE, pathRWLabel); + strReplace(object, SMACK_PATH_RO_LABEL_TEMPLATE, pathROLabel); + strReplace(object, SMACK_PATH_SHARED_RO_LABEL_TEMPLATE, pathSharedROLabel); + strReplace(object, SMACK_PATH_TRUSTED_LABEL_TEMPLATE, pathTrustedLabel); if (subject.empty() || object.empty()) continue; @@ -249,9 +255,10 @@ void SmackRules::generatePackageCrossDeps(const std::vector &pkgCon if (object == subject) continue; - subjectLabel = SmackLabels::generateAppLabel(subject); - objectLabel = SmackLabels::generateAppLabel(object); - LogDebug ("Trying to add rule subject: " << subjectLabel << " object: " << objectLabel << " perms: " << appsInPackagePerms); + subjectLabel = SmackLabels::generateProcessLabel(subject); + objectLabel = SmackLabels::generateProcessLabel(object); + LogDebug ("Trying to add rule subject: " << subjectLabel + << " object: " << objectLabel << " perms: " << appsInPackagePerms); add(subjectLabel, objectLabel, appsInPackagePerms); } } @@ -264,13 +271,13 @@ void SmackRules::generateSharedRORules(PkgsApps &pkgsApps, PkgsApps &sharedROPkg SmackRules rules; for (size_t i = 0; i < pkgsApps.size(); ++i) { for (const std::string &appName : pkgsApps[i].second) { - std::string appLabel = SmackLabels::generateAppLabel(appName); + std::string appLabel = SmackLabels::generateProcessLabel(appName); for (size_t j = 0; j < sharedROPkgsApps.size(); ++j) { // Rules for SharedRO files from own pkg are generated elsewhere if (pkgsApps[i] != sharedROPkgsApps[j]) { const std::string &pkgName = sharedROPkgsApps[j].first; rules.add(appLabel, - SmackLabels::generatePkgLabelOwnerRWothersRO(pkgName), + SmackLabels::generatePathSharedROLabel(pkgName), SMACK_APP_CROSS_PKG_PERMS); } } @@ -293,9 +300,9 @@ void SmackRules::revokeSharedRORules(PkgsApps &pkgsApps, const std::string &revo SmackRules rules; for (size_t i = 0; i < pkgsApps.size(); ++i) { for (const std::string &appName : pkgsApps[i].second) { - std::string appLabel = SmackLabels::generateAppLabel(appName); + std::string appLabel = SmackLabels::generateProcessLabel(appName); rules.add(appLabel, - SmackLabels::generatePkgLabelOwnerRWothersRO(revokePkg), + SmackLabels::generatePathSharedROLabel(revokePkg), SMACK_APP_CROSS_PKG_PERMS); } } @@ -444,7 +451,7 @@ void SmackRules::updatePackageRules( void SmackRules::revokeAppSubject(const std::string &appName) { - if (smack_revoke_subject(SmackLabels::generateAppLabel(appName).c_str())) + if (smack_revoke_subject(SmackLabels::generateProcessLabel(appName).c_str())) ThrowMsg(SmackException::LibsmackError, "smack_revoke_subject"); } @@ -509,16 +516,16 @@ void SmackRules::applyPrivateSharingRules( bool isTargetSharingAlready) { SmackRules rules; - const std::string &targetLabel = SmackLabels::generateAppLabel(targetAppName); + const std::string &targetLabel = SmackLabels::generateProcessLabel(targetAppName); if (!isTargetSharingAlready) { rules.add(targetLabel, - SmackLabels::generatePkgLabel(ownerPkgName), + SmackLabels::generatePathRWLabel(ownerPkgName), SMACK_APP_DIR_TARGET_PERMS); } if (!isPathSharedAlready) { for (const auto &app: ownerPkgContents) { - const std::string appLabel = SmackLabels::generateAppLabel(app); + const std::string appLabel = SmackLabels::generateProcessLabel(app); rules.add(appLabel, pathLabel, SMACK_APP_PATH_OWNER_PERMS); } rules.add(SMACK_USER, pathLabel, SMACK_APP_PATH_USER_PERMS); @@ -538,15 +545,15 @@ void SmackRules::dropPrivateSharingRules( bool isTargetSharingNoMore) { SmackRules rules; - const std::string &targetLabel = SmackLabels::generateAppLabel(targetAppName); + const std::string &targetLabel = SmackLabels::generateProcessLabel(targetAppName); if (isTargetSharingNoMore) { rules.addModify(targetLabel, - SmackLabels::generatePkgLabel(ownerPkgName), + SmackLabels::generatePathRWLabel(ownerPkgName), "", SMACK_APP_DIR_TARGET_PERMS); } if (isPathSharedNoMore) { for (const auto &app: ownerPkgContents) { - const std::string appLabel = SmackLabels::generateAppLabel(app); + const std::string appLabel = SmackLabels::generateProcessLabel(app); rules.addModify(appLabel, pathLabel, "", SMACK_APP_PATH_OWNER_PERMS); } rules.addModify(SMACK_USER, pathLabel, "", SMACK_APP_PATH_USER_PERMS);