From: Filip Skrzeczkowski Date: Wed, 28 May 2025 18:16:55 +0000 (+0200) Subject: Introduce the uid_app_sandboxing build flag X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fheads%2Ftizen;p=platform%2Fcore%2Fsecurity%2Fsecurity-manager.git Introduce the uid_app_sandboxing build flag Change-Id: I6854e0af9eda5b28869de48ebb5433fdb53eea7a --- diff --git a/CMakeLists.txt b/CMakeLists.txt index a2ade2e3..6a65c99e 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -120,6 +120,9 @@ ADD_DEFINITIONS("-DBUILD_TYPE_${CMAKE_BUILD_TYPE}") IF(SUPPORT_SMACK) ADD_DEFINITIONS("-DSMACK_ENABLED") ENDIF() +IF(SUPPORT_UID_SANDBOXING) + ADD_DEFINITIONS("-DUID_SANDBOXING_ENABLED") +ENDIF() SET(INCLUDE_PATH ${PROJECT_SOURCE_DIR}/src/include) SET(COMMON_PATH ${PROJECT_SOURCE_DIR}/src/common) diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec index db187b92..9e1464c2 100644 --- a/packaging/security-manager.spec +++ b/packaging/security-manager.spec @@ -155,7 +155,6 @@ export LDFLAGS+="-Wl,--rpath=%{_libdir}" %global db_test_dir %{_datadir}/sm-db-test %global coverage_dir %{_datadir}/security-manager-coverage -%global sm_permissive_mode %{?dev_wos:%dev_wos}%{!?dev_wos:0} %cmake . \ -DVERSION=%{version} \ @@ -167,8 +166,11 @@ export LDFLAGS+="-Wl,--rpath=%{_libdir}" -DDB_LOGS=OFF \ -DCMAKE_BUILD_TYPE=%{build_type} \ -DCMAKE_VERBOSE_MAKEFILE=ON \ -%if %{sm_permissive_mode} == 0 +%if "%{?dev_wos}" != "1" -DSUPPORT_SMACK="ON"\ +%endif +%if "%{?dev_wos}" == "1" || "%{?uid_app_sandboxing}" == "1" + -DSUPPORT_UID_SANDBOXING="ON"\ %endif -DCOVERAGE_DIR=%{coverage_dir} make %{?jobs:-j%jobs} 
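Review bot: The new `IF(SUPPORT_UID_SANDBOXING)` block leaves the neither-flag configuration unhandled: with SUPPORT_SMACK and SUPPORT_UID_SANDBOXING both OFF no define is emitted, `uid_sandboxing_check()` as defined in smack-check.cpp and security-manager-rules-loader.cpp returns false, and every `!uid_sandboxing_check()` branch in this commit (for example `smack_set_label_for_self` in security_manager_set_identity and `SmackLabels::getSmackLabelFromSocket` in security_manager_identify_app_from_socket) runs on a build whose Smack support is compiled out, whereas the old `smack_simple_check()` returned 0 there and took the non-Smack branches. Failing at configure time makes the supported matrix explicit: `IF(NOT SUPPORT_SMACK AND NOT SUPPORT_UID_SANDBOXING)` / `MESSAGE(FATAL_ERROR "Enable SUPPORT_SMACK or SUPPORT_UID_SANDBOXING")` / `ENDIF()` after the new ENDIF(). Whether the combination with both ON is intended is not stated here; a short comment next to the two IF() blocks would settle it.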
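Review bot: With `uid_app_sandboxing` set to 1 and `dev_wos` unset, both `-DSUPPORT_SMACK="ON"` and `-DSUPPORT_UID_SANDBOXING="ON"` are passed, so SMACK_ENABLED and UID_SANDBOXING_ENABLED end up defined together, while the comment added to smack-check.h reads as if the two modes were exclusive. A one-line comment above the two `%if` blocks naming the supported combinations (Smack only, UID sandboxing only, both) would remove the guesswork for whoever sets the macro next. The `@@ -209` hunk treats uid_app_sandboxing like dev_wos for the iptables rules, which matches the selection made here, so only the documentation is missing.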
@@ -209,7 +211,7 @@ cp -a %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE install -m 644 %{SOURCE8} %{buildroot}%{_unitdir}/security-manager-iptables.service -%if %{sm_permissive_mode} == 0 +%if "%{?dev_wos}" != "1" && "%{?uid_app_sandboxing}" != "1" install -m 600 %{SOURCE9} %{buildroot}%{_sysconfdir}/security-manager-iptables.rules install -m 600 %{SOURCE10} %{buildroot}%{_sysconfdir}/security-manager-ip6tables.rules %else diff --git a/src/client/client-label-monitor.cpp b/src/client/client-label-monitor.cpp index 3893c790..6686613b 100644 --- a/src/client/client-label-monitor.cpp +++ b/src/client/client-label-monitor.cpp @@ -194,8 +194,8 @@ int security_manager_app_labels_monitor_init(app_labels_monitor **monitor) { return try_catch([&] { LogDebug("security_manager_app_labels_monitor_init() called"); - if (!smack_simple_check()) { - LogWarning("App label monitor disabled in no-smack mode"); + if (uid_sandboxing_check()) { + LogWarning("App label monitor disabled in uid-sandboxing mode"); return SECURITY_MANAGER_SUCCESS; } @@ -237,7 +237,7 @@ void security_manager_app_labels_monitor_finish(app_labels_monitor *monitor) { (void)try_catch([&] { LogDebug("security_manager_app_labels_monitor_finish() called"); - if (!smack_simple_check()) { + if (uid_sandboxing_check()) { LogWarning("App label monitor disabled in no-smack mode"); return SECURITY_MANAGER_SUCCESS; } @@ -256,7 +256,7 @@ int security_manager_app_labels_monitor_get_fd(app_labels_monitor const *monitor return try_catch([&] { LogDebug("security_manager_app_labels_monitor_get_fd() called"); - if (!smack_simple_check()) { + if (uid_sandboxing_check()) { LogWarning("App label monitor disabled in no-smack mode"); return SECURITY_MANAGER_SUCCESS; } 
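Review bot: Only security_manager_app_labels_monitor_init had its warning reworded; the flipped `if (uid_sandboxing_check())` branches in security_manager_app_labels_monitor_finish and security_manager_app_labels_monitor_get_fd on this line, and in security_manager_app_labels_monitor_process in the next hunk, still log `"App label monitor disabled in no-smack mode"`, which no longer names the condition that triggers it (UID_SANDBOXING_ENABLED, which the spec change can define together with SMACK_ENABLED). Change each to `LogWarning("App label monitor disabled in uid-sandboxing mode");` so the four messages agree. Each lambda's enclosing try_catch call continues outside its hunk.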
@@ -287,7 +287,7 @@ int security_manager_app_labels_monitor_process(app_labels_monitor *monitor) { return try_catch([&] { LogDebug("security_manager_app_labels_process() called"); - if (!smack_simple_check()) { + if (uid_sandboxing_check()) { LogWarning("App label monitor disabled in no-smack mode"); return SECURITY_MANAGER_SUCCESS; } diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp index dd0731c1..ff495f81 100644 --- a/src/client/client-security-manager.cpp +++ b/src/client/client-security-manager.cpp @@ -717,7 +717,7 @@ static inline void security_manager_pre_check() return true; }; - if (smack_simple_check()) { + if (!uid_sandboxing_check()) { (void)cap_check(CAP_MAC_ADMIN); } else { if (!cap_check(CAP_SETUID) || !cap_check(CAP_SETGID)) { @@ -927,7 +927,7 @@ static inline int security_manager_sync_threads_internal(const ProcessId &proces static_assert(ATOMIC_INT_LOCK_FREE == 2, "std::atomic is not always lock free"); // First setuid and setgid. We won't be able to do it when threads drop the caps - if (!smack_simple_check()) { + if (uid_sandboxing_check()) { while (setuid(process_id.uid) != 0) { if (errno != EAGAIN) { LogErrno("setuid"); @@ -1007,7 +1007,7 @@ static inline int security_manager_sync_threads_internal(const ProcessId &proces // is currently going on in the process except this thread & waiting signal handlers g_th_barrier++; // this starts the signal handlers - they will proceed once they wake up - if (!smack_simple_check()) { + if (uid_sandboxing_check()) { // In no smack mode we don't care about threads with mixed caps talking to each other. // Let the signal handlers return freely. g_th_barrier++; 
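Review bot: In security_manager_sync_threads_internal the comment kept under the flipped condition, `// In no smack mode we don't care about threads with mixed caps talking to each other.`, now sits under `if (uid_sandboxing_check())`, and the spec in this commit can define UID_SANDBOXING_ENABLED together with SMACK_ENABLED, so "no smack" is no longer what the early `g_th_barrier++` release is conditioned on. The comment should name the real condition, e.g. `// In uid-sandboxing mode threads are not relabelled (see the label_for_self_internal guard below), so ...`, and the argument should be re-checked for the build where Smack is compiled in but uid sandboxing is selected; I cannot tell from the hunk whether it still holds. The function starts before this hunk and ends after the `@@ -1031` hunk on the next line.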
@@ -1031,13 +1031,13 @@ static inline int security_manager_sync_threads_internal(const ProcessId &proces /* * Change attributes of one last thread, the main thread. */ - if (smack_simple_check() && g_p_app_label) + if (!uid_sandboxing_check() && g_p_app_label) label_for_self_internal(own_tid, []{ errnoAbort.call(); }); if (cap_set_proc(g_cap)) errnoAbort.call(); - if (smack_simple_check()) { + if (!uid_sandboxing_check()) { // This starts signal handlers to proceed once they wake up - logic in app starts in env // where all have changed labels. g_th_barrier++; @@ -1310,7 +1310,7 @@ static inline int security_manager_setup_namespace_internal(const MountNS::Privi return SECURITY_MANAGER_SUCCESS; } - if (smack_simple_check()) { + if (!uid_sandboxing_check()) { ret = setupSharedRO(pkg_name, enabledSharedRO, userAppsRWDir, userAppsRWSharedDir); if (ret != SECURITY_MANAGER_SUCCESS) { LogError("Failed to setup app SharedRO: " << security_manager_strerror(static_cast(ret))); @@ -1923,7 +1923,7 @@ SECURITY_MANAGER_API int security_manager_identify_app_from_socket(int sockfd, char **pkg_name, char **app_name) { return try_catch([&]() -> int { - if(smack_simple_check()) { + if(!uid_sandboxing_check()) { return security_manager_identify_app([&] { return SmackLabels::getSmackLabelFromSocket(sockfd); }, pkg_name, app_name); @@ -1947,7 +1947,7 @@ int security_manager_identify_app_from_pid(pid_t pid, char **pkg_name, char **ap return SECURITY_MANAGER_ERROR_INPUT_PARAM; return try_catch([&]() -> int { - if(smack_simple_check()) { + if(!uid_sandboxing_check()) { return security_manager_identify_app([&] { return SmackLabels::getSmackLabelFromPid(pid); }, pkg_name, app_name); @@ -2040,7 +2040,7 @@ int security_manager_get_app_owner_uid(pid_t pid, uid_t *uid) return ret; } - if (smack_simple_check()) { + if (!uid_sandboxing_check()) { *uid = puid; return SECURITY_MANAGER_SUCCESS; } 
@@ -2077,7 +2077,7 @@ int security_manager_get_app_full_credentials_from_pid(pid_t pid, uid_t *owner_u return ret; } - if (smack_simple_check()) { + if (!uid_sandboxing_check()) { // no need to call daemon at all, all in-place, reading the label & uid from /proc *owner_uid = puid; return security_manager_identify_app_from_pid(pid, pkg_id, app_id); @@ -2526,7 +2526,7 @@ int security_manager_set_identity( { security_manager_pre_check(); - if (smack_simple_check()) { + if (!uid_sandboxing_check()) { switch (type) { case (process_type::SM_PROCESS_TYPE_SYSTEM): if (smack_set_label_for_self(SMACK_SYSTEM.c_str()) != 0) { diff --git a/src/common/cynara.cpp b/src/common/cynara.cpp index 1d5da17d..243fc2d3 100644 --- a/src/common/cynara.cpp +++ b/src/common/cynara.cpp @@ -373,7 +373,7 @@ void CynaraAdmin::updateAppPolicy( // 1st, performing operation on MANIFESTS_GLOBAL/MANIFESTS_LOCAL bucket std::string cynaraUser, bucket; - if (!smack_simple_check()) { + if (uid_sandboxing_check()) { cynaraUser = std::to_string(static_cast(uid)); bucket = Buckets.at(Bucket::MANIFESTS_GLOBAL); } else if (global) { @@ -421,7 +421,7 @@ void CynaraAdmin::updateAppPolicy( } // 2nd, performing operation on PRIVACY_MANAGER bucket for all affected users - if (smack_simple_check()) { + if (!uid_sandboxing_check()) { std::vector users; if (cynaraUser == CYNARA_ADMIN_WILDCARD) { // perform bucket setting for all users in the system, app is installed for everyone @@ -471,7 +471,7 @@ void CynaraAdmin::updateAppDefinedPolicy( std::vector oldLicensedPolicies; std::string cynaraUser; - if (global && smack_simple_check()) + if (global && !uid_sandboxing_check()) cynaraUser = CYNARA_ADMIN_WILDCARD; else cynaraUser = std::to_string(static_cast(uid)); 
@@ -516,7 +516,7 @@ void CynaraAdmin::getAppPolicy(const std::string &label, const std::string &user { std::vector policies; - std::string bucket = (!smack_simple_check() || user == CYNARA_ADMIN_WILDCARD) ? + std::string bucket = (uid_sandboxing_check() || user == CYNARA_ADMIN_WILDCARD) ? CynaraAdmin::Buckets.at(Bucket::MANIFESTS_GLOBAL) : CynaraAdmin::Buckets.at(Bucket::MANIFESTS_LOCAL); @@ -557,7 +557,7 @@ void CynaraAdmin::userInit(uid_t uid, security_manager_user_type userType) ThrowMsg(CynaraException::InvalidParam, "User type incorrect"); } - if (!smack_simple_check()) { + if (uid_sandboxing_check()) { policies.emplace_back(CynaraAdminPolicy( CYNARA_ADMIN_WILDCARD, userStr, CYNARA_ADMIN_WILDCARD, static_cast(CynaraAdminPolicy::Operation::Allow), diff --git a/src/common/include/protocols.h b/src/common/include/protocols.h index 4dfef7eb..49801bc9 100644 --- a/src/common/include/protocols.h +++ b/src/common/include/protocols.h @@ -221,7 +221,7 @@ struct ProcessId : public ISerializable { ProcessId() = default; ProcessId(IStream &stream) : ProcessId() { - if (smack_simple_check()) + if (!uid_sandboxing_check()) Deserialization::Deserialize(stream, label); else Deserialization::Deserialize(stream, uid); @@ -229,7 +229,7 @@ struct ProcessId : public ISerializable { virtual void Serialize(IStream &stream) const { - if (smack_simple_check()) + if (!uid_sandboxing_check()) Serialization::Serialize(stream, label); else Serialization::Serialize(stream, uid); diff --git a/src/common/include/smack-check.h b/src/common/include/smack-check.h index 39b2c777..e1bc1309 100644 --- a/src/common/include/smack-check.h +++ b/src/common/include/smack-check.h 
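Review bot: ProcessId's serialized form is now chosen by UID_SANDBOXING_ENABLED at compile time (label when it is off, uid when it is on), so a client and a service built with different values of the flag would read a uid as a label or vice versa with no error; the old code had the same property under SMACK_ENABLED, but the flag is new and set from the spec, so it deserves stating on the struct. A comment such as `// Wire format depends on UID_SANDBOXING_ENABLED: label in Smack mode, uid in uid-sandboxing mode; both peers must be built with the same flag.` above the two methods documents the constraint. The struct definition starts before this hunk.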
@@ -24,23 +24,24 @@ namespace SecurityManager {
 /*
- * A very simple runtime check for SMACK on the platform
- * Returns 1 if SMACK is present, 0 otherwise
+ * A very simple runtime check for SMACK on the platform.
+ * Returns whether SMACK is present.
  */
-int smack_runtime_check(void);
+bool smack_runtime_check();
 /*
  * A very simple runtime check for SMACK support on the platform.
- * Returns 1 if SMACK is present, 0 otherwise. If SMACK_ENABLED is not defined
- * always returns 0.
+ * Returns whether SMACK is present. If SMACK_ENABLED is not defined
+ * always returns false.
  */
-int smack_check(void);
+bool smack_check();
 /*
- * An even simpler check for SMACK being enabled at build-time.
- * Returns 1 if SMACK_ENABLED was defined at built time, 0 otherwise.
+ * An simple check for UID app sandboxing support being enabled at build-time.
+ * Returns true if either UID_SANDBOXING_ENABLED was defined at build time or SMACK_ENABLED was not,
+ * false otherwise.
  */
-int smack_simple_check(void);
+bool uid_sandboxing_check();
 } // namespace SecurityManager
diff --git a/src/common/pid-to-owner.cpp b/src/common/pid-to-owner.cpp
index 6234132d..87d3a54e 100644
--- a/src/common/pid-to-owner.cpp
+++ b/src/common/pid-to-owner.cpp
@@ -27,7 +27,7 @@ namespace SecurityManager {
 void PidToOwner::add(pid_t pid, uid_t owner)
 {
-    if (smack_simple_check())
+    if (!uid_sandboxing_check())
         return;
     std::lock_guard guard(m_apiMutex);
@@ -36,7 +36,7 @@ void PidToOwner::add(pid_t pid, uid_t owner)
 void PidToOwner::remove(pid_t pid)
 {
-    if (smack_simple_check())
+    if (!uid_sandboxing_check())
         return;
     std::lock_guard guard(m_apiMutex);
@@ -45,7 +45,7 @@ void PidToOwner::remove(pid_t pid)
 std::optional PidToOwner::get(pid_t pid) const
 {
-    if (smack_simple_check())
+    if (!uid_sandboxing_check())
         return std::nullopt;
     std::lock_guard guard(m_apiMutex);
diff --git a/src/common/privilege_db.cpp b/src/common/privilege_db.cpp
index 80fc67f2..ce76492c 100644
--- a/src/common/privilege_db.cpp
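Review bot: The new comment on `uid_sandboxing_check()` says it returns true `if either UID_SANDBOXING_ENABLED was defined at build time or SMACK_ENABLED was not`, but the definition added in smack-check.cpp (and the copy in security-manager-rules-loader.cpp) tests only `#ifdef UID_SANDBOXING_ENABLED` and returns false otherwise, so a build with neither macro is documented as uid-sandboxing yet behaves as Smack. Either the implementation gains the `!defined(SMACK_ENABLED)` case, which would preserve the old `smack_simple_check()` behaviour for that configuration, or the comment should read `* Returns true if UID_SANDBOXING_ENABLED was defined at build time, false otherwise.`; as written the header and the .cpp disagree on the security-relevant default. Also `An simple check` should be `A simple check`.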
+++ b/src/common/privilege_db.cpp @@ -375,7 +375,7 @@ void PrivilegeDb::AddApplication( command->BindString(4, targetTizenVer); authorName.empty() ? command->BindNull(5) : command->BindString(5, getAuthorHash(authorName)); command->BindInteger(6, isHybrid ? 1 : 0); - if (smack_simple_check()) { + if (!uid_sandboxing_check()) { command->BindNull(7); command->BindNull(8); command->BindNull(9); diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp index e1738187..deaf0285 100644 --- a/src/common/service_impl.cpp +++ b/src/common/service_impl.cpp @@ -198,8 +198,8 @@ ServiceImpl::ServiceImpl(Offline offline) : m_prepareAppFlags = PrepareAppFlags(checkProperDropFlags) << PREPARE_APP_CPD_FLAG_SHIFT; static_assert(CheckProperDrop::N_FLAG_BITS + PREPARE_APP_CPD_FLAG_SHIFT <= 8 * sizeof m_prepareAppFlags, "CheckProperDrop flags too large for prepareAppFlags"); - if (!smack_simple_check()) { - // In dev_wos mode apps will have PUIDs instead of actual user IDs, + if (uid_sandboxing_check()) { + // In uid-sandboxing mode apps will have PUIDs instead of actual user IDs, // so we need to make sure that users that exist in the system have their // /run/user/ paths accessible to apps with PUIDs. // @@ -431,7 +431,7 @@ int ServiceImpl::labelPaths(const path_req &req, if (!pathsCheck(req.pkgPaths, pkgLegalBaseDirs)) return SECURITY_MANAGER_ERROR_NOT_PATH_OWNER; - if (smack_simple_check() && isSharedRO) { + if (!uid_sandboxing_check() && isSharedRO) { LogWarning("Labeling shared_ro paths"); // Label shared_ro base paths for bind mounting labelSharedPaths(homePath, req.pkgName); @@ -444,7 +444,7 @@ int ServiceImpl::labelPaths(const path_req &req, for (const auto &pkgPath : req.pkgPaths) { const std::string &path = pkgPath.first; app_install_path_type pathType = static_cast(pkgPath.second); - if (smack_simple_check()) { + if (!uid_sandboxing_check()) { SmackSetup::setupPath(req.pkgName, path, pathType, authorHash); } else { gid_t authorGId; 
@@ -458,7 +458,7 @@ int ServiceImpl::labelPaths(const path_req &req, LogWarning("Labeling base paths"); for (const auto &basePath : pkgLegalBaseDirs) { if (containSubDir(basePath, req.pkgPaths)) { - if (smack_simple_check()) + if (!uid_sandboxing_check()) SmackSetup::setupPkgBasePath(basePath); else DacSetup::setupPkgBasePath(req.uid, basePath, processUIds); @@ -557,12 +557,12 @@ void ServiceImpl::appInstallPrivileges(app_inst_req::app &app, app_inst_req &req uid_t ServiceImpl::getProcessUId(app_inst_req::app& app, app_inst_req& req) { uid_t uid; -#ifdef SMACK_ENABLED - (void)app; - uid = req.uid; -#else +#ifdef UID_SANDBOXING_ENABLED if (!m_privilegeDb.GetProcessUId(req.pkgName, app.appName, uid)) ThrowMsg(PrivilegeDb::Exception::InternalError, "Failed to get process UId from the db"); +#else + (void)app; + uid = req.uid; #endif return uid; } @@ -606,8 +606,8 @@ int ServiceImpl::appInstallSmackRules(app_inst_req &req, InstallHelper &ih) std::string authorHash = std::string(); Smack::Labels pkgLabels; - if (!smack_simple_check()) { - LogWarning("Running in no-smack mode, not installing any Smack rules"); + if (uid_sandboxing_check()) { + LogWarning("Running in uid-sandboxing mode, not installing any Smack rules"); return SECURITY_MANAGER_SUCCESS; } @@ -697,7 +697,7 @@ int ServiceImpl::appInstall(const Credentials &creds, app_inst_req &req) Smack::Labels oldLabels; - if (smack_simple_check() && ih.isUserPkgInstalled) + if (!uid_sandboxing_check() && ih.isUserPkgInstalled) getPkgLabels(req.pkgName, oldLabels); // [db] begin @@ -713,7 +713,7 @@ int ServiceImpl::appInstall(const Credentials &creds, app_inst_req &req) appInstallCynaraPolicies(app, req, ih); // collect process uids - if (!smack_simple_check() && (req.isHybrid || processUids.empty())) + if (uid_sandboxing_check() && (req.isHybrid || processUids.empty())) processUids.emplace_back(getProcessUId(app, req)); } 
@@ -727,7 +727,7 @@ int ServiceImpl::appInstall(const Credentials &creds, app_inst_req &req) trans.commit(); LogDebug("Application installation commited to database"); - if (smack_simple_check()) { + if (!uid_sandboxing_check()) { LogWarning("Configuring permissible file"); Smack::Labels newLabels; getPkgLabels(req.pkgName, newLabels); @@ -798,7 +798,7 @@ int ServiceImpl::appUpdate(const Credentials &creds, app_inst_req &req) if (ih.isUserPkgInstalled) { LogWarning("Package already installed, need to remove some packages"); - if (smack_simple_check()) + if (!uid_sandboxing_check()) getPkgLabels(req.pkgName, oldLabels); // search for installed apps in the request std::vector requestedApps; @@ -844,7 +844,7 @@ int ServiceImpl::appUpdate(const Credentials &creds, app_inst_req &req) appInstallCynaraPolicies(app, req, ih); // collect process uids - if (!smack_simple_check() && (req.isHybrid || processUids.empty())) + if (uid_sandboxing_check() && (req.isHybrid || processUids.empty())) processUids.emplace_back(getProcessUId(app, req)); } @@ -857,7 +857,7 @@ int ServiceImpl::appUpdate(const Credentials &creds, app_inst_req &req) trans.commit(); LogDebug("Application installation commited to database"); - if (smack_simple_check()) { + if (!uid_sandboxing_check()) { Smack::Labels newLabels; getPkgLabels(req.pkgName, newLabels); @@ -1018,7 +1018,7 @@ void ServiceImpl::appUninstallCynaraPolicies(app_inst_req::app& app, app_inst_re } void ServiceImpl::appUninstallPrivateSharing(app_inst_req::app &app) { - if (smack_simple_check()) { + if (!uid_sandboxing_check()) { // Nothing to do, as Smack can revoke subject return; } @@ -1164,7 +1164,7 @@ int ServiceImpl::appUninstall(const Credentials &creds, app_inst_req &req) trans.commit(); LogDebug("Application uninstallation commited to database"); - if (smack_simple_check()) { + if (!uid_sandboxing_check()) { Smack::Labels newLabels; if(!uh.removePkg) // only if we didn't remove entire pkg, some labels can stay 
@@ -1373,7 +1373,7 @@ int ServiceImpl::userDelete(const Credentials &creds, uid_t uidDeleted) m_cynaraAdmin.userRemove(uidDeleted); - if (!smack_simple_check()) { + if (uid_sandboxing_check()) { std::lock_guard lock(m_runUserUidMutex); m_runUserUidsConfigured.erase(uidDeleted); } @@ -1452,7 +1452,7 @@ int ServiceImpl::policyUpdate(const Credentials &creds, const std::vector> appsAllowedPrivileges; std::vector allPackages; - if (smack_simple_check() && m_smackRules.isPrivilegeMappingEnabled()) { + if (!uid_sandboxing_check() && m_smackRules.isPrivilegeMappingEnabled()) { auto runningApps = MountNS::getMountNSApps(); for (auto &appContext: runningApps) { auto &appProcessLabel = appContext.appProcessLabel; @@ -1464,7 +1464,7 @@ int ServiceImpl::policyUpdate(const Credentials &creds, const std::vector listOfPrivileges; std::string userStrForCynara; - if (smack_simple_check()) { + if (!uid_sandboxing_check()) { userStrForCynara = userStr; } else { std::string pkgName; @@ -1855,7 +1855,7 @@ int ServiceImpl::getAppAllowedPrivileges(const std::string &appName, { std::string label = getProcessLabel(appName); - if (!smack_simple_check()) { + if (uid_sandboxing_check()) { std::string pkgName; int ret = getPkgName(appName, pkgName); if (ret != SECURITY_MANAGER_SUCCESS) @@ -1939,7 +1939,7 @@ int ServiceImpl::getForbiddenAndAllowedGroups( forbiddenGroups.reserve(gids.size() + 1); std::set_difference(gids.begin(), gids.end(), allowedGroups.begin(), allowedGroups.end(), std::back_inserter(forbiddenGroups)); // sorted - if (!smack_simple_check()) + if (uid_sandboxing_check()) forbiddenGroups.emplace_back(getSystemAccessGid()); } catch (const std::runtime_error &) { return SECURITY_MANAGER_ERROR_UNKNOWN; 
@@ -2033,7 +2033,7 @@ int ServiceImpl::appHasPrivilege( LogError("Not enough privilege to access other process policies"); return SECURITY_MANAGER_ERROR_ACCESS_DENIED; } - if (!smack_simple_check()) { + if (uid_sandboxing_check()) { std::string pkgName; if (getPkgName(appName, pkgName) != SECURITY_MANAGER_SUCCESS) { LogWarning("Failed to get pkg name of " << appName); @@ -2086,7 +2086,7 @@ int ServiceImpl::dropOnePrivateSharing( const std::string &targetAppName, const std::string &path) { - assert(!smack_simple_check()); + assert(uid_sandboxing_check()); return dropOnePrivateSharing(ownerAppName, "", {}, targetAppName, "", path); } @@ -2113,9 +2113,9 @@ int ServiceImpl::dropOnePrivateSharing( } //This function can be also called when application is uninstalled, so path won't exist if (FS::fileExists(path)) { - if (smack_simple_check() && pathCount < 1) { + if (!uid_sandboxing_check() && pathCount < 1) { SmackSetup::setupPath(ownerPkgName, path, SECURITY_MANAGER_PATH_RW); - } else if (!smack_simple_check()) { + } else if (uid_sandboxing_check()) { std::string target_puid, owner_puid, unused_agid; m_privilegeDb.GetAppPuidAndAgid(targetAppName, target_puid, unused_agid); m_privilegeDb.GetAppPuidAndAgid(ownerAppName, owner_puid, unused_agid); @@ -2153,7 +2153,7 @@ int ServiceImpl::dropOnePrivateSharing( } } - if (smack_simple_check()) { + if (!uid_sandboxing_check()) { Smack::Label pathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgName, path); m_smackRules.dropPrivateSharingRules(ownerPkgName, ownerPkgLabels, targetAppLabel, pathLabel, pathCount < 1, ownerTargetCount < 1); 
@@ -2212,14 +2212,14 @@ int ServiceImpl::applyPrivatePathSharing( } uid_t owner_uid = 0; - if (!smack_simple_check()) { + if (uid_sandboxing_check()) { std::string owner_puid, unused_owner_agid; m_privilegeDb.GetAppPuidAndAgid(ownerAppName, owner_puid, unused_owner_agid); owner_uid = std::stoul(owner_puid); } for (const auto &path : paths) { - if (smack_simple_check()){ + if (!uid_sandboxing_check()){ std::string pathLabel = SmackLabels::getSmackLabelFromPath(path); if (pathLabel != SmackLabels::generatePathRWLabel(ownerPkgName)) { Smack::Label generatedPathLabel = @@ -2262,7 +2262,7 @@ int ServiceImpl::applyPrivatePathSharing( //Nothing to do, only counter needed incrementing continue; } - if (smack_simple_check()) { + if (!uid_sandboxing_check()) { m_smackRules.applyPrivateSharingRules(ownerPkgName, pkgsLabels, targetAppLabel, pathLabel, (pathCount > 0), @@ -2441,7 +2441,7 @@ int ServiceImpl::pathsRegister(const Credentials &creds, path_req req) m_privilegeDb.SetSharedROPackage(req.pkgName); - if (!smack_simple_check()) { + if (uid_sandboxing_check()) { // collect process uids std::vector apps; m_privilegeDb.GetUserAppsFromPkg(req.uid, req.pkgName, apps); @@ -2716,7 +2716,7 @@ int ServiceImpl::getAppManifestPolicy(const Credentials &creds, const std::strin std::string cynaraClient = getAppProcessLabel(appName); std::string uidStr = m_privilegeDb.IsUserPkgInstalled(pkgName, uid) ? std::to_string(uid) : CYNARA_ADMIN_WILDCARD; - if (!smack_simple_check()) { + if (uid_sandboxing_check()) { uid_t uid; if (!m_privilegeDb.GetProcessUId(pkgName, appName, uid)) { LogError("Failed to get process UId of " << appName << " from pkg " << pkgName); 
@@ -2794,7 +2794,7 @@ int ServiceImpl::prepareApp(const Credentials &creds, const std::string &appName prepareAppFlags = m_prepareAppFlags | (enabledSharedRO ? PREPARE_APP_SHARED_RO_FLAG : 0); id.label = SmackLabels::generateProcessLabel(appName, pkgName, isHybrid); - if (smack_simple_check()) { + if (!uid_sandboxing_check()) { id.uid = creds.uid; } else { if (!m_privilegeDb.GetProcessUId(pkgName, appName, id.uid)) { @@ -2822,7 +2822,7 @@ int ServiceImpl::prepareApp(const Credentials &creds, const std::string &appName LogWarning("Allowed privileges returned - number: " << allowedPrivileges.size()); - if (smack_simple_check()) { + if (!uid_sandboxing_check()) { std::string authorHash; m_privilegeDb.GetPkgAuthorHash(pkgName, authorHash); @@ -2865,7 +2865,7 @@ int ServiceImpl::prepareApp(const Credentials &creds, const std::string &appName int ServiceImpl::repairPermissibleFileForClient(uid_t uid, app_install_type installationType) { try { - if (!smack_simple_check()) { + if (uid_sandboxing_check()) { LogWarning("Permissible file unsupported in no-smack mode"); return SECURITY_MANAGER_ERROR_SERVER_ERROR; } diff --git a/src/common/smack-check.cpp b/src/common/smack-check.cpp index b94f960a..c9678b12 100644 --- a/src/common/smack-check.cpp +++ b/src/common/smack-check.cpp 
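Review bot: repairPermissibleFileForClient still logs `"Permissible file unsupported in no-smack mode"` under the flipped `if (uid_sandboxing_check())`, while the equivalent messages in appInstallSmackRules and the ServiceImpl constructor in this same file were reworded to uid-sandboxing mode in this commit. `LogWarning("Permissible file unsupported in uid-sandboxing mode");` names the condition actually tested and keeps the logs greppable as one family. The function continues after the hunk.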
@@ -29,37 +29,39 @@ namespace SecurityManager {
-int smack_runtime_check(void)
+bool smack_runtime_check()
 {
-    static int smack_present = -1;
-    if (-1 == smack_present) {
-        if (NULL == smack_smackfs_path()) {
+    static bool smack_present = [] {
+        bool smack_present;
+        if (smack_smackfs_path() == nullptr) {
             LogDebug("no smack found on device");
-            smack_present = 0;
+            smack_present = false;
         } else {
             LogDebug("found smack on device");
-            smack_present = 1;
+            smack_present = true;
         }
-    }
+        return smack_present;
+    }();
+
     return smack_present;
 }
-int smack_check(void)
+bool smack_check()
 {
-#ifndef SMACK_ENABLED
-    return 0;
-#else
+#ifdef SMACK_ENABLED
     return smack_runtime_check();
+#else
+    return false;
 #endif
 }
-int smack_simple_check(void)
+bool uid_sandboxing_check()
 {
-#ifndef SMACK_ENABLED
-    return 0;
-    #else
-    return 1;
-    #endif
-    }
+#ifdef UID_SANDBOXING_ENABLED
+    return true;
+#else
+    return false;
+#endif
+}
 } // namespace SecurityManager
diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp
index 012d59e2..8ae4306a 100644
--- a/src/common/smack-labels.cpp
+++ b/src/common/smack-labels.cpp
@@ -86,7 +86,7 @@ void generateAppPkgNameFromLabel(const Smack::Label &label,
 Smack::Label generateProcessLabel(const std::string &appName, const std::string &pkgName, bool isHybrid)
 {
-    if (!smack_simple_check())
+    if (uid_sandboxing_check())
         return NO_SMACK_LABEL;
     Smack::Label label = "User::Pkg::" + pkgName;
@@ -102,7 +102,7 @@ Smack::Label generateProcessLabel(const std::string &appName, const std::string
 Smack::Label generatePathSharedROLabel()
 {
-    if (!smack_simple_check())
+    if (uid_sandboxing_check())
         return NO_SMACK_LABEL;
     return "User::App::Shared";
@@ -110,7 +110,7 @@ Smack::Label generatePathSharedROLabel()
 Smack::Label generatePathRWLabel(const std::string &pkgName)
 {
-    if (!smack_simple_check())
+    if (uid_sandboxing_check())
         return NO_SMACK_LABEL;
     Smack::Label label = "User::Pkg::" + pkgName;
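Review bot: Inside the new initialiser lambda in smack_runtime_check, `bool smack_present;` shadows the static `smack_present` it is computing and stays uninitialised until one of the branches assigns it, which is legal but trips -Wshadow and makes the two names easy to confuse on the `return smack_present;` lines. Computing the flag once and logging from it reads more directly, and the static can be `const` since nothing writes it after initialisation. The behaviour (one probe of `smack_smackfs_path()`, one debug line) is unchanged.

```cpp
bool smack_runtime_check()
{
    static const bool smack_present = [] {
        const bool present = smack_smackfs_path() != nullptr;
        if (present)
            LogDebug("found smack on device");
        else
            LogDebug("no smack found on device");
        return present;
    }();

    return smack_present;
}
// … unchanged: smack_check(), uid_sandboxing_check() …
```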
@@ -124,7 +124,7 @@ Smack::Label generatePathRWLabel(const std::string &pkgName) Smack::Label generatePathROLabel(const std::string &pkgName) { - if (!smack_simple_check()) + if (uid_sandboxing_check()) return NO_SMACK_LABEL; Smack::Label label = "User::Pkg::" + pkgName + "::RO"; @@ -138,7 +138,7 @@ Smack::Label generatePathROLabel(const std::string &pkgName) Smack::Label generateSharedPrivateLabel(const std::string &pkgName, const std::string &path) { - if (!smack_simple_check()) + if (uid_sandboxing_check()) return NO_SMACK_LABEL; // Prefix $1$ causes crypt() to use MD5 function @@ -160,7 +160,7 @@ Smack::Label generateSharedPrivateLabel(const std::string &pkgName, const std::s template static Smack::Label getSmackLabel(FuncType func, ArgsType... args) { - if (!smack_simple_check()) + if (uid_sandboxing_check()) return NO_SMACK_LABEL; char *label; diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp index faf4d719..3aab42b8 100644 --- a/src/common/smack-rules.cpp +++ b/src/common/smack-rules.cpp @@ -298,7 +298,7 @@ void SmackRules::uninstallPackageRules(const std::string &pkgName, addFromTemplate(smackRules, TemplateManager::Type::PKG_RULES_TEMPLATE, std::string(), pkgName, std::string()); generatePackageCrossDeps(smackRules, pkgLabels); - if (smack_simple_check()) + if (!uid_sandboxing_check()) smackRules.clear(); } @@ -312,7 +312,7 @@ void SmackRules::uninstallApplicationRules( appLabel, pkgName, authorHash); if (isPrivilegeMappingEnabled()) addPrivilegesRules(smackRules, appLabel, pkgName, authorHash, m_templateMgr.getAllMappedPrivs()); - if (smack_simple_check()) { + if (!uid_sandboxing_check()) { smackRules.clear(); SmackLabels::revokeSubject(appLabel); } 
@@ -323,7 +323,7 @@ void SmackRules::uninstallAuthorRules(const std::string &authorHash)
     SmackAccesses smackRules;
     addFromTemplate(smackRules, TemplateManager::Type::AUTHOR_RULES_TEMPLATE, std::string(), std::string(), authorHash);
-    if (smack_simple_check())
+    if (!uid_sandboxing_check())
         smackRules.clear();
 }
@@ -351,7 +351,7 @@ void SmackRules::applyPrivateSharingRules(
         rules.add(SMACK_SYSTEM_PRIVILEGED, pathLabel, SMACK_APP_PATH_SYSTEM_PERMS);
     }
     rules.add(targetLabel, pathLabel, SMACK_APP_PATH_TARGET_PERMS);
-    if (smack_simple_check())
+    if (!uid_sandboxing_check())
         rules.apply();
 }
@@ -378,7 +378,7 @@ void SmackRules::dropPrivateSharingRules(
         rules.addModify(SMACK_SYSTEM_PRIVILEGED, pathLabel, "", SMACK_APP_PATH_SYSTEM_PERMS);
     }
     rules.addModify(targetLabel, pathLabel, "", SMACK_APP_PATH_TARGET_PERMS);
-    if (smack_simple_check())
+    if (!uid_sandboxing_check())
         rules.apply();
 }
diff --git a/src/server/rules-loader/security-manager-rules-loader.cpp b/src/server/rules-loader/security-manager-rules-loader.cpp
index ea8efb51..e83a0f9c 100644
--- a/src/server/rules-loader/security-manager-rules-loader.cpp
+++ b/src/server/rules-loader/security-manager-rules-loader.cpp
@@ -65,12 +65,12 @@ static_assert(dbVersion == arraySize(dbUpdateScript));
 static_assert(allTrue(dbUpdateScript));
 // we don't want to add more files to speed up operation & make binary smaller
-int smack_simple_check(void)
+bool uid_sandboxing_check()
 {
-#ifdef SMACK_ENABLED
-    return 1;
+#ifdef UID_SANDBOXING_ENABLED
+    return true;
 #else
-    return 0;
+    return false;
 #endif
 }
@@ -1142,7 +1142,7 @@ int main(int argc, char *argv[]) {
     // database bringup successful, stop now if not going to write rules
     // also, stop of working in no-smack env.
-    if (unlikely(noLoad2) || (testLoader && unlikely(fallbackOnly)) || !smack_simple_check())
+    if (unlikely(noLoad2) || (testLoader && unlikely(fallbackOnly)) || uid_sandboxing_check())
         return EXIT_SUCCESS;
     // open load2 for writing
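Review bot: The comment above the early return in main, `// also, stop of working in no-smack env.`, no longer describes the condition: the loader now stops when UID_SANDBOXING_ENABLED is defined, which the spec in this commit can combine with SMACK_ENABLED, so a Smack-capable build can hit this return too. `// also, stop when built for uid-sandboxing: no Smack rules are loaded in that mode.` says what the code checks. The local `uid_sandboxing_check()` is a second definition of the one in smack-check.cpp, kept here per the comment to avoid linking more files; a `// keep in sync with src/common/smack-check.cpp` line above it would flag the coupling, since a divergence between the two copies would silently change which enforcement path the daemon and the loader each take. main() starts before this hunk and continues after it.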
diff --git a/test/test_process_id.cpp b/test/test_process_id.cpp index 766d7184..85e21954 100644 --- a/test/test_process_id.cpp +++ b/test/test_process_id.cpp @@ -41,7 +41,7 @@ POSITIVE_TEST_CASE(T310_Serialization) buffer.ModeOutput(); buffer.ModeStreaming(); Deserialization::Deserialize(buffer, id2); - if (smack_simple_check()) { + if (!uid_sandboxing_check()) { BOOST_REQUIRE(id.label == id2.label); BOOST_REQUIRE(id.uid != id2.uid); } else {