From: r.tyminski
Date: Fri, 6 Oct 2017 15:08:44 +0000 (+0200)
Subject: Verify privileges only ones.
X-Git-Tag: submit/tizen/20171011.123005^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F06%2F154106%2F1;p=platform%2Fcore%2Fsecurity%2Ftef-optee_client.git

Verify privileges only ones.

We verify privileges in tee-supplicant when it loads TA. OpTEE OS loads TA twice. We need to verify privileges only at the first time.

Change-Id: I0f90b34e648d3b12a62a293d275feaab65e0bc06
---

diff --git a/tee-supplicant/src/tee_supplicant.c b/tee-supplicant/src/tee_supplicant.c
index dc710df..f98de5a 100644
--- a/tee-supplicant/src/tee_supplicant.c
+++ b/tee-supplicant/src/tee_supplicant.c
@@ -269,8 +269,20 @@ static TEEC_Result allow_access(char* uuid, char** ta_dir)
 {
 int ca_fd = -1;
 const char* permission = "http://tizen.org/privilege/tee.client";
+ struct stat sb;
- ca_fd = open_socket_for_ca(uuid, &open_sock_list);
+ char path[MAX_PATH_LENGTH] = {0};
+ sprintf(path, SOCK_PATH_PREFIX"%s", uuid);
+
+ if ((stat(path, &sb) == 0) && S_ISSOCK(sb.st_mode)) {
+ DMSG("We verified this connection already.");
+ if (get_allowed_path(path, ta_dir, &open_sock_list) < 0) {
+ EMSG("Socket existes but hasn't allowed path.");
+ return TEEC_ERROR_GENERIC;
+ }
+ return TEEC_SUCCESS;
+ }
+
+ ca_fd = open_socket_for_ca(path, &open_sock_list);
 if (ca_fd < 0) {
 EMSG("Open socket error");
 return TEEC_ERROR_GENERIC;
@@ -291,6 +303,10 @@ static TEEC_Result allow_access(char* uuid, char** ta_dir)
 return TEEC_ERROR_ITEM_NOT_FOUND;
 }
+ if (set_allowed_path(path, *ta_dir, &open_sock_list) < 0) {
+ EMSG("Setting allowed path has failed.");
+ return TEEC_ERROR_GENERIC;
+ }
 return TEEC_SUCCESS;
 }
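Review bot: The "already verified" short-circuit at the top of allow_access is decided by stat()/S_ISSOCK on a path under SOCK_PATH_PREFIX "/tmp/", a world-writable directory, so any local user who binds a socket at /tmp/&lt;uuid&gt; before the first load makes the get_allowed_path() lookup fail and every load of that TA return TEEC_ERROR_GENERIC — and more generally the filesystem is not what records that the privilege check passed. The in-memory open_sock_list is the authoritative record, so consult it first and drop the stat(): `if (get_allowed_path(path, ta_dir, &open_sock_list) == 0) { DMSG("We verified this connection already."); return TEEC_SUCCESS; }`, falling through to open_socket_for_ca() only when no entry exists. The `sprintf(path, SOCK_PATH_PREFIX"%s", uuid)` into a MAX_PATH_LENGTH buffer is unbounded and uuid arrives with the load request; use `snprintf(path, sizeof path, ...)` and reject truncation. Note also that the cached allowed path lives as long as the socket entry, so any later load of the same UUID is answered without a privilege check — presumably intended for the OS's second load, but worth confirming a different client cannot reach it. The privilege check itself sits between this hunk and the next.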
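Review bot: When set_allowed_path() fails here the function returns TEEC_ERROR_GENERIC, but the socket that open_socket_for_ca() registered in open_sock_list earlier in allow_access (outside this hunk) stays in the list with no allowed path, so the retry path at the top of the function finds the socket file, get_allowed_path() matches the entry and returns 0 with whatever the allowed_path field holds (NULL, or uninitialised memory if sock_data is not zeroed on allocation — not visible in this diff), and allow_access reports TEEC_SUCCESS without a passed check. Tear the entry down on failure so the next load re-verifies: `EMSG("Setting allowed path has failed."); close_socket_by_addr(path, &open_sock_list); return TEEC_ERROR_GENERIC;` (close_socket_by_addr is the helper unix_socket.c already uses for this). The TEEC_ERROR_ITEM_NOT_FOUND return just above, whose preceding checks are not in this hunk, needs the same treatment if it runs after the socket was opened — otherwise a CA that failed the privilege check leaves a half-registered entry behind. allow_access begins in the previous hunk.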
@@ -334,7 +350,7 @@ static uint32_t load_ta(size_t num_params, struct tee_ioctl_param *params)
 size = shm_ta.size;
 ta_found = TEECI_LoadSecureModule(ta_dir, &uuid, shm_ta.buffer, &size);
- free(ta_dir);
+ //free(ta_dir);
 if (ta_found != TA_BINARY_FOUND) {
 EMSG(" TA not found");
 return TEEC_ERROR_ITEM_NOT_FOUND;
diff --git a/tee-supplicant/src/unix_socket.c b/tee-supplicant/src/unix_socket.c
index 7bfc2d4..c49b43a 100644
--- a/tee-supplicant/src/unix_socket.c
+++ b/tee-supplicant/src/unix_socket.c
@@ -34,18 +34,37 @@
 #include
 #define WAIT_SEC 10
-#define SOCK_PATH_PREFIX "/tmp/"
-int open_socket_for_ca(const char *ca_id, struct sock_data* open_sockets[])
+
+int get_allowed_path(const char *path, char **allowed_path, struct sock_data* open_sockets[])
+{
+ for (int i = 0; i < MAX_TA_NUMBER; ++i) {
+ if (open_sockets[i] && strcmp(path, open_sockets[i]->addr) == 0) {
+ *allowed_path = open_sockets[i]->allowed_path;
+ return 0;
+ }
+ }
+ return -1;
+}
+
+int set_allowed_path(const char *path, const char *allowed_path, struct sock_data* open_sockets[])
+{
+ for (int i = 0; i < MAX_TA_NUMBER; ++i) {
+ if (open_sockets[i] && strcmp(path, open_sockets[i]->addr) == 0) {
+ asprintf(&(open_sockets[i]->allowed_path), "%s", allowed_path);
+ return 0;
+ }
+ }
+ return -1;
+}
+
+int open_socket_for_ca(const char *path, struct sock_data* open_sockets[])
 {
 int sockfd = -1;
 int newsockfd = -1;
 int portno = 0;
 int free_index = -1;
- char path[MAX_PATH_LENGTH] = {0};
- sprintf(path, SOCK_PATH_PREFIX"%s", ca_id);
-
 if (access(path, F_OK) == -1) {
 DMSG("Socket file doesn't exist. Creating");
 close_socket_by_addr(path, open_sockets);
diff --git a/tee-supplicant/src/unix_socket.h b/tee-supplicant/src/unix_socket.h
index fcd70de..9137e68 100644
--- a/tee-supplicant/src/unix_socket.h
+++ b/tee-supplicant/src/unix_socket.h
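Review bot: Commenting out `free(ta_dir)` replaces a clear ownership rule with an ambiguous one: on the cached path allow_access now returns the pointer owned by the open_sock_list entry, which must not be freed, but on the first-load path *ta_dir is whatever the privilege-check code (not in this diff) stored there and set_allowed_path() only copies it — so if that is heap memory it now leaks on every first load. Pick one model and delete the dead line instead of leaving `//free(ta_dir);`: either have allow_access return the list-owned copy on both paths (after set_allowed_path() succeeds, free the original and hand back the stored string) and document ta_dir as borrowed, or keep returning a caller-owned string on both paths and restore the free. load_ta continues before and after this hunk.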
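Review bot: set_allowed_path() ignores asprintf()'s return value — on failure the target pointer is left unspecified yet the function still returns 0 — and a second call for the same entry overwrites and leaks the previous string; get_allowed_path() likewise reports success for an entry whose allowed_path was never set, so a socket registered by open_socket_for_ca() before a verification failure reads as "verified" on the next lookup. Allocate into a temporary, check it, release the old value, and make the getter treat a missing path as not found: `if (open_sockets[i] && open_sockets[i]->allowed_path && strcmp(path, open_sockets[i]->addr) == 0)`. asprintf() is a GNU extension that needs `_GNU_SOURCE` before the first include unless the build already defines it; strdup() is POSIX and sufficient here, as below. The new string must also be freed wherever a sock_data entry is released (close_socket_by_addr is outside this hunk), and callers of get_allowed_path() must not free the pointer it returns.
```c
int set_allowed_path(const char *path, const char *allowed_path, struct sock_data* open_sockets[])
{
	/* … unchanged: loop over open_sockets[] for the entry whose addr equals path … */
			char *copy = strdup(allowed_path);
			if (!copy)
				return -1;	/* old value stays intact on failure */
			free(open_sockets[i]->allowed_path);
			open_sockets[i]->allowed_path = copy;
			return 0;
	/* … unchanged: return -1 when no entry matches … */
}
```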
@@ -37,13 +37,19 @@
 #define MAX_PATH_LENGTH 100
 #define N_CONNECTIONS 5
 #define MAX_TA_NUMBER 10
+#define SOCK_PATH_PREFIX "/tmp/"
 struct sock_data {
 int fd, parent_fd;
 char* addr;
+ char* allowed_path;
 };
+int get_allowed_path(const char *path, char **allowed_path, struct sock_data* open_sockets[]);
+
+int set_allowed_path(const char *path, const char *allowed_path, struct sock_data* open_sockets[]);
+
 /* Open socket on adress /tmp/ca_id and add it to the list of open sockets
 * Returns file descriptor of opened socket
 * struct sock_data* conn_list[] - list of open sockets which add new socket to*/
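Review bot: The new field and prototypes carry no ownership documentation, and the comment block right below them is now stale: in this commit open_socket_for_ca() takes the full socket path (see the unix_socket.c hunk) rather than a ca_id it prefixes with /tmp/ itself, yet the comment still says "Open socket on adress /tmp/ca_id" (the prototype it describes is just past the end of this hunk, so whether its parameter name was updated is not visible). Above `char* allowed_path;` add `/* TA directory this CA may load from; heap string owned by the entry, set by set_allowed_path(), NULL until verified */`, and give each prototype a one-line comment: get_allowed_path returns 0 and a borrowed pointer the caller must not free, set_allowed_path stores a copy and returns -1 when no entry matches path. Reword the block below to say the socket is opened at `path` and fix "adress" to "address".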