From: Tomasz Swierczek Date: Fri, 14 Feb 2025 11:11:04 +0000 (+0100) Subject: Configure app access to /run/user/ for existing users X-Git-Tag: accepted/tizen/unified/20250217.155039~3 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F66%2F319666%2F7;p=platform%2Fcore%2Fsecurity%2Fsecurity-manager.git Configure app access to /run/user/ for existing users Apps are least privileged entities in the OS and need access to that diretory. This is a temporary solution - long term, a group would have to be created for each real user & that user's (that UID's) path would need to be accessible only to apps having that group. This commit is a workaround to enable further work on no-smack images. Change-Id: I6bd1d0df8939d47813b7f3807551b455b0b72ec1
---
diff --git a/src/common/include/service_impl.h b/src/common/include/service_impl.h
index 1f4bbc55..df5ac100 100644
--- a/src/common/include/service_impl.h
+++ b/src/common/include/service_impl.h
@@ -518,6 +518,8 @@ private:
 int getAppDefinedPrivilegeDescription(uid_t uid, const std::string &privilege, std::string &appName, std::string &pkgName, std::string &license);
+ void setupAccessToRunUserDir(uid_t uid);
+
 // Objects below have to be accessed under a mutex each time - need to be thread safe at usage
 Cynara m_cynara; // added api mutex
 SmackRules m_smackRules; // seems to work out of the box, assuming that libsmack can be used from many threads at once
diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
index edf12599..68e1f1f0 100644
--- a/src/common/service_impl.cpp
+++ b/src/common/service_impl.cpp
@@ -193,6 +193,51 @@ ServiceImpl::ServiceImpl(Offline offline) :
 m_prepareAppFlags = PrepareAppFlags(checkProperDropFlags) << PREPARE_APP_CPD_FLAG_SHIFT;
 static_assert(CheckProperDrop::N_FLAG_BITS + PREPARE_APP_CPD_FLAG_SHIFT <= 8 * sizeof m_prepareAppFlags, "CheckProperDrop flags too large for prepareAppFlags");
+ if (!smack_simple_check()) {
+ // In dev_wos mode apps will have PUIDs instead of actual user IDs,
+ // so we need to make sure that users that exist in the system have their
+ // /run/user/ paths accessible to apps with PUIDs.
+ //
+ // Since apps are the least privileged entities in the system and all need access
+ // to that path, we're doing the configuration here temporarily.
+ //
+ // Long-term a solution is needed to ensure that all apps of given actual user
+ // would have ie. one common group and ACL should be configured to give ccess to the /run/user/
+ // path for that group. Proper solution would probably include modifications around systemd
+ // or adding separate service for doing that before security-manager starts setting up
+ // user processes with PUIDs, also dynamic addition of new users has to be considered just in case.
+ std::vector listOfUsers;
+ m_cynaraAdmin.listUsers(listOfUsers);
+ for (auto &uid : listOfUsers)
+ setupAccessToRunUserDir(uid);
+ }
+ }
+}
+
+// This code attempts to add others+rwx on /run/user/ directory to allow PUIDed apps to access it.
+// If an error is encountered, its logged but logic continues.
+//
+// On Smack-enabled image this is how permissions look like:
+//
+// root:/run/user> ls -lZ
+// total 0
+// drwxr-x--- 8 owner system_share * 260 Feb 14 18:37 5001
+void ServiceImpl::setupAccessToRunUserDir(uid_t uid)
+{
+ try {
+ std::string path = TizenPlatformConfig::makePath(TZ_SYS_RUN, "user", std::to_string(uid));
+ mode_t other_mode = S_IROTH | S_IWOTH | S_IXOTH; // others + rwx
+ struct stat statbuf;
+ if (stat(path.c_str(), &statbuf) == -1) {
+ LogErrno("Error getting file status on path: " << path);
+ return;
+ }
+ other_mode |= statbuf.st_mode;
+ if (-1 == chmod(path.c_str(), other_mode)) {
+ LogErrno("Error in setting up /run/user/ path for path: " << path << " - chmod failed!");
+ }
+ } catch (...) {
+ LogError("Error in setting up /run/user/ path for uid: " << uid);
 }
 }
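Review bot: In `setupAccessToRunUserDir`, the mask `S_IROTH | S_IWOTH | S_IXOTH` makes each per-user directory under `/run/user/` world-writable with no sticky bit, so any local UID, not only that user's PUID apps, can delete or rename entries that other processes created there. Until the per-user group/ACL design described in the constructor comment exists, the mask should at least carry the sticky bit, `mode_t other_mode = S_IROTH | S_IWOTH | S_IXOTH | S_ISVTX;`, and `S_IWOTH` could be dropped if apps only need to reach existing entries. The `stat()`/`chmod()` pair also resolves the path twice, follows symlinks and never checks `S_ISDIR(statbuf.st_mode)`; opening the directory once with `O_DIRECTORY | O_NOFOLLOW` and calling `fstat()`/`fchmod()` on that descriptor would bind both operations to the same object. The call site sits in the `ServiceImpl` constructor, whose body starts outside the hunk; it appears to run once at start-up, so a directory created at a later login would presumably keep its default mode.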