From: Igor Kotrasinski
Date: Fri, 16 Mar 2018 10:16:57 +0000 (+0100)
Subject: Set LibTEEC shm file group to the TEE group
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fheads%2Ftizen_4.0;p=platform%2Fcore%2Fsecurity%2Ftef-simulator.git
Set LibTEEC shm file group to the TEE group
Change-Id: Ic7ff46edb8662e955aa032c0a3a9d96fc88eca82
Signed-off-by: Igor Kotrasinski
---
diff --git a/CMakeLists.txt b/CMakeLists.txt
index d0f1ceb..28dde03 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -50,6 +50,11 @@ ADD_DEFINITIONS("-Werror") # Make all warnings into errors.
 ADD_DEFINITIONS("-D_ARCH_=${ARCH}")
+IF (NOT DEFINED TEE_USER_GROUP_NAME)
+ SET(TEE_USER_GROUP_NAME "priv_tee_client")
+ENDIF (NOT DEFINED TEE_USER_GROUP_NAME)
+ADD_DEFINITIONS(-DTEE_USER_GROUP_NAME="${TEE_USER_GROUP_NAME}")
+
 # Enable tizen-specific preprocessor defines
 IF(DEFINED TIZEN)
 ADD_DEFINITIONS("-D__TIZEN__")
diff --git a/TEECLib/src/teec_api.c b/TEECLib/src/teec_api.c
index 4d988d1..dfcc132 100644
--- a/TEECLib/src/teec_api.c
+++ b/TEECLib/src/teec_api.c
@@ -32,6 +32,8 @@
 #include
 #include
 #include
+#include
+#include
 /*-----------------------------------------------------------------------------
 * MACROS
@@ -41,6 +43,7 @@
 #define SHM_MAX_ID INT32_MAX
 #define SHM_NAME_TEMPLATE "/teec_shm%d"
+
 #define SHM_FILE_MODE 0660
 /*-----------------------------------------------------------------------------
 * Globals
@@ -82,6 +85,51 @@ static uint32_t alignSize(uint32_t size)
 return retSize;
 }
+/*
+ * === FUNCTION ======================================================================
+ * Name: set_shm_permissions
+ * Description: Set group and permissions of the shm file underneath shared memory
+ * Parameters: fd_shm - shm file FD
+ * shm_name - shm file name (for logging)
+ * Return: TEEC return value indicating success of failure
+ * =====================================================================================
+ */
+static int32_t set_shm_permissions(int fd_shm, const char *shm_name) {
+ int res;
+ struct group *tee_group = NULL;
+
+ res = fchmod(fd_shm, SHM_FILE_MODE);
+ if (res == -1) {
+ LOGE(TEEC_LIB,
+ "Cannot change permission of the %s shared memory file, error: %s",
+ shm_name, strerror(errno));
+ return TEEC_ERROR_GENERIC;
+ }
+
+ errno = 0;
+ tee_group = getgrnam(TEE_USER_GROUP_NAME);
+ if (!tee_group) {
+ if (!errno) {
+ LOGE(TEEC_LIB,
+ "Failed to get TEE group: group %s does not exist",
+ TEE_USER_GROUP_NAME);
+ } else {
+ LOGE(TEEC_LIB,
+ "Failed to set TEE group, error: %s",
+ strerror(errno));
+ }
+ return TEEC_ERROR_GENERIC;
+ }
+ res = fchown(fd_shm, -1, tee_group->gr_gid);
+ if (res == -1) {
+ LOGE(TEEC_LIB,
+ "Failed to set TEE group of the %s shared memory file, error: %s",
+ shm_name, strerror(errno));
+ return errno == EPERM ? TEEC_ERROR_ACCESS_DENIED : TEEC_ERROR_GENERIC;
+ }
+ return TEEC_SUCCESS;
+}
+
 /*
 * === FUNCTION ======================================================================
 * Name: allocateSharedMemory
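Review bot: set_shm_permissions() widens the file to SHM_FILE_MODE (0660) with fchmod() before fchown() has moved it to the TEE group, so between the two calls the group bits apply to whatever group the object was created with; unless the mode passed to shm_open (outside this hunk) already excludes the group, another member of that group could open the object in that window and keep the descriptor. Doing the getgrnam() lookup and fchown() first and the fchmod() last closes the window, and a failed lookup then never leaves a group-writable file behind. In the fchown() failure branch errno is read after LOGE(), which may overwrite it; save it first with `int err = errno;` and return `err == EPERM ? TEEC_ERROR_ACCESS_DENIED : TEEC_ERROR_GENERIC;`. getgrnam() returns a pointer to static storage, so a client library that may be called from several threads is safer with `getgrnam_r()`. The header comment should read "success or failure", and the log line for a failed lookup says "Failed to set TEE group" where it means "get".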
@@ -127,14 +175,9 @@ static int32_t allocateSharedMemory(TEEC_SharedMemory *shm)
 goto exit;
 }
- res = fchmod(fd_shm, SHM_FILE_MODE);
- if (res == -1) {
- LOGE(TEEC_LIB,
- "Cannot change permission of the %s shared memory file, error: %s",
- shm_name, strerror(errno));
- tee_result = TEEC_ERROR_GENERIC;
+ tee_result = set_shm_permissions(fd_shm, shm_name);
+ if (tee_result != TEEC_SUCCESS)
 goto cleanup_shm;
- }
 size = alignSize(size);
 if (ftruncate(fd_shm, size) == -1) {
diff --git a/packaging/tef-simulator.spec b/packaging/tef-simulator.spec
index 36e0fc4..eb872bb 100644
--- a/packaging/tef-simulator.spec
+++ b/packaging/tef-simulator.spec
@@ -36,6 +36,7 @@ PreReq: tef-libteec
 %define build_unit_dir %{buildroot}%{_unitdir}
 %define smack_domain_name System
+%define tee_user_group_name priv_tee_client
 %description
 TEF Simulator provides a TrustZone simulated environment
@@ -85,6 +86,7 @@ cmake . \
 -DPKGCFG_PREFIX=/usr \
 -DPKGCFG_VERSION=%{version} \
 -DSMACK_DOMAIN_NAME=%{smack_domain_name} \
+ -DTEE_USER_GROUP_NAME=%{tee_user_group_name} \
 -DARCH=%{__isa_bits} \
 -DTIZEN=1
 make %{?jobs:-j%jobs}
diff --git a/systemd/tef-simulator.service.in b/systemd/tef-simulator.service.in
index a9b767c..3131a34 100644
--- a/systemd/tef-simulator.service.in
+++ b/systemd/tef-simulator.service.in
@@ -6,7 +6,7 @@ BindsTo=tef-simulator.socket
 [Service]
 User=security_fw
 Group=security_fw
-SupplementaryGroups=users
+SupplementaryGroups=users @TEE_USER_GROUP_NAME@
 CapabilityBoundingSet=
 SmackProcessLabel=@SMACK_DOMAIN_NAME@
 ExecStart=@SYSTEMD_CFG_BIN_DIR@/tef-simulator-daemon
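Review bot: In allocateSharedMemory() (TEECLib/src/teec_api.c) the new `if (tee_result != TEEC_SUCCESS)` guards `goto cleanup_shm;` without braces, although the block it replaces was braced. Keeping them, `if (tee_result != TEEC_SUCCESS) {` … `}`, stops a statement added later on this error path from silently falling outside the condition. The call also makes allocation fail for any process that may not change the file's group to the TEE group (set_shm_permissions() returns TEEC_ERROR_ACCESS_DENIED on EPERM), which deserves a short comment at the call site. The function starts and ends outside the hunk, so whether cleanup_shm unlinks the object is not visible here.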
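Review bot: The new `SupplementaryGroups=users @TEE_USER_GROUP_NAME@` in systemd/tef-simulator.service.in and the library's getgrnam() lookup both depend on the group existing on the target, but nothing visible in this commit creates it or declares a package dependency that provides it. If it is missing, the unit will presumably fail to start, and every client allocation returns TEEC_ERROR_GENERIC from the lookup branch. A comment in the unit file or the spec naming the package that provides `priv_tee_client` would make the dependency explicit. The default is also spelled out twice, in CMakeLists.txt and in the spec's `%define tee_user_group_name`, so the two can drift apart.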