From: Hwankyu Jhun Date: Thu, 23 Jun 2016 07:12:29 +0000 (+0900) Subject: Prevent app sockets from being deleted by attacker X-Git-Tag: accepted/tizen/common/20160703.125824^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=c0bbda2fb8bbfa29181c7636471ba16583e79809;p=platform%2Fcore%2Fappfw%2Fdebug-launchpad.git Prevent app sockets from being deleted by attacker - Requires: https://review.tizen.org/gerrit/#/c/76214/ Change-Id: I761a86f219f0c9c7513930430c38c699d3fd1625 Signed-off-by: Hwankyu Jhun --- diff --git a/include/common.h b/include/common.h index c01d142..9210790 100644 --- a/include/common.h +++ b/include/common.h @@ -69,6 +69,7 @@ void _set_env(appinfo_t *app_info, bundle *kb); char **_create_argc_argv(bundle *kb, int *margc, const char *app_path); int _proc_check_cmdline_bypid(int pid); void _prepare_listen_sock(void); +int _delete_sock_path(int pid, uid_t uid); #endif /* __COMMON_H__ */ diff --git a/src/common.c b/src/common.c index 6b19d93..0f14356 100644 --- a/src/common.c +++ b/src/common.c @@ -28,6 +28,7 @@ #include #include #include +#include #include #include #ifdef _APPFW_FEATURE_SOCKET_ACTIVATION @@ -77,6 +78,7 @@ static int __create_server_socket(bool is_app) { struct sockaddr_un saddr; int fd; + int ret; if (is_app) fd = socket(AF_UNIX, SOCK_STREAM, 0); @@ -103,6 +105,25 @@ static int __create_server_socket(bool is_app) snprintf(saddr.sun_path, sizeof(saddr.sun_path), "%s/apps/%d/%d", SOCKET_PATH, getuid(), getpid()); + ret = mkdir(saddr.sun_path, 0700); + if (ret != 0) { + if (errno == EEXIST) { + if (access(saddr.sun_path, R_OK) != 0) { + _E("Failed to access %s directory - %d", + saddr.sun_path, errno); + close(fd); + return -1; + } + } else { + _E("Failed to create %s directory - %d", + saddr.sun_path, errno); + close(fd); + return -1; + } + } + snprintf(saddr.sun_path, sizeof(saddr.sun_path), + "%s/apps/%d/%d/.app-sock", + SOCKET_PATH, getuid(), getpid()); } else { snprintf(saddr.sun_path, sizeof(saddr.sun_path), "%s/daemons/%d/.debug-launchpad-sock", @@ -799,3 +820,53 @@ void _prepare_listen_sock(void) setenv("AUL_LISTEN_SOCK", buf, 1); } +static int __delete_dir(const char *path) +{ + DIR *dp; + struct dirent dentry; + struct dirent *result = NULL; + char buf[PATH_MAX]; + struct stat statbuf; + int ret; + + if (path == NULL) + return -1; + + dp = opendir(path); + if (dp == NULL) + return -1; + + while (readdir_r(dp, &dentry, &result) == 0 && result) { + if (!strcmp(dentry.d_name, ".") || !strcmp(dentry.d_name, "..")) + continue; + + snprintf(buf, sizeof(buf), "%s/%s", path, dentry.d_name); + ret = stat(buf, &statbuf); + if (ret == 0) { + if (S_ISDIR(statbuf.st_mode)) + __delete_dir(buf); + else + unlink(buf); + } + } + + rmdir(path); + closedir(dp); + + return 0; +} + +int _delete_sock_path(int pid, uid_t uid) +{ + char path[PATH_MAX]; + + snprintf(path, sizeof(path), "/run/aul/apps/%d/%d", uid, pid); + if (access(path, F_OK) == 0) + __delete_dir(path); + + if (access(path, F_OK) == 0) + return -1; + + return 0; +} + diff --git a/src/signal_util.c b/src/signal_util.c index 8b1d62f..f0e8dee 100644 --- a/src/signal_util.c +++ b/src/signal_util.c @@ -15,6 +15,7 @@ */ #include +#include #include #include #include @@ -55,9 +56,7 @@ static void __socket_garbage_collector(void) snprintf(path, sizeof(path), "/proc/%s", dentry->d_name); if (access(path, F_OK) != 0) { /* Flawfinder: ignore */ - snprintf(path, sizeof(path), "%s/apps/%d/%s", - SOCKET_PATH, getuid(), dentry->d_name); - unlink(path); + _delete_sock_path(atoi(dentry->d_name), getuid()); continue; } } @@ -146,9 +145,7 @@ static int __sigchild_action(pid_t dead_pid) _send_app_dead_signal(dead_pid); - snprintf(buf, MAX_LOCAL_BUFSZ, "%s/apps/%d/%d", - SOCKET_PATH, getuid(), dead_pid); - unlink(buf); + _delete_sock_path(dead_pid, getuid()); __socket_garbage_collector();