platform/core/security/security-manager.git
6 years agoRefactor security_manager_prepare_app() 69/166969/5
Dariusz Michaluk [Fri, 12 Jan 2018 11:09:32 +0000 (12:09 +0100)]
Refactor security_manager_prepare_app()

This change reduces the number of IPCs and SQL queries needed to smack label generation.
The goal is to reduce the application start time.

Change-Id: I2871a51b663b300836459b834d968f2d15cd47e0

6 years agoRefactor security_manager_create_namespace_internal() 57/166757/4
Dariusz Michaluk [Thu, 11 Jan 2018 15:39:44 +0000 (16:39 +0100)]
Refactor security_manager_create_namespace_internal()

This change reduces the number of IPCs and SQL queries needed to setup mount namespace.
The goal is to reduce the application start time.

Change-Id: Ib6ee820f097f07add9228346cd9a191abb16a97c

6 years agoMajor Fix : Fix API for freeing policy entries 43/162643/4
Zofia Grzelewska [Mon, 4 Dec 2017 12:51:08 +0000 (13:51 +0100)]
Major Fix : Fix API for freeing policy entries

security_manager_policy_entries_free was supposed
to free table of pointers to policy_entry, but was
implemented improperly. Because function had wrong
signature (taking pointer to structure instead of
pointer of table) and without change, it causes double
free and not using proper function results in memory leak,
this function has to be changed, thus breaking the ABI.

Change-Id: I6d285c04eb1a77f5492c10d6709d0f47ebdd36f1

6 years agoAdd explicit dependency on libnss-security-manager 84/162484/3
Rafal Krypa [Wed, 17 Jan 2018 17:35:42 +0000 (18:35 +0100)]
Add explicit dependency on libnss-security-manager

Make sure that the nss plugin gets installed to properly support
privileges enforced by gids to non-application processes.

Change-Id: I7f95503c71a2fbf18df24df7e07d8d12a4d17a3f
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
6 years agoChange license-manager package name. 59/167359/1
jin-gyu.kim [Wed, 17 Jan 2018 07:11:36 +0000 (16:11 +0900)]
Change license-manager package name.

There could be naming conflicts with another package.
Therefore, change as security-license-manager.
Also, add explicit dependency with this name to install properly.

Change-Id: Iee0853b3191cd19361fc5b0c9b95509b0addad01

6 years agoAdd security_manager_cleanup_app() API 35/164335/5
Dariusz Michaluk [Mon, 18 Dec 2017 15:41:00 +0000 (16:41 +0100)]
Add security_manager_cleanup_app() API

This function is intended for launchers for cleaning security context for an
application process. It should be called after application termination.

Change-Id: I93de1d4aad4f9ea7d2e70dff95e173677be80426

6 years agoRefactoring: make NSMountLogic class responsible for Channel and MntMonitor 12/164112/5
Rafal Krypa [Fri, 15 Dec 2017 08:25:25 +0000 (09:25 +0100)]
Refactoring: make NSMountLogic class responsible for Channel and MntMonitor

NSMountLogic class will now be solely responsible for making updates to
mount namespaces of running applications. It's single instance will be
persistent in ServiceImpl class. NSMountLogic now owns Channel for
communicating with the Worker process and sends requests for mount updates.
It also listens to mount events from MntMonitor and sends appropriate
requests to worker.

All required synchronization should be done in NSMountLogic.
NSMountLogic::check() method needs to be thread-safe because it may be
called concurrently from ServiceImpl and from MntMonitor thread.

Change-Id: I8cb4be25e5f9c8da4360d7ddff34993836f9f169
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
6 years agoMonitor mount/umount events on the system and update app mount namespaces 12/164012/6
Rafal Krypa [Thu, 14 Dec 2017 14:20:18 +0000 (15:20 +0100)]
Monitor mount/umount events on the system and update app mount namespaces

It is possible that file system path that has access guarded by a privilege
is not available when application starts, but becomes available later.
The reason for this is because a parent directory containing such path
may be a mount point that is not yet mounted at the time when application
starts.

If the application doesn't hold privilege to the directory in question,
it should have a dummy, empty directory mounted over that path. But this
cannot be done properly when application starts and the privileged directory
is not yet available.

Later, while application is running, the parent mount point may be mounted.
This mount will be propagated to mount namespaces of all running applications.
Then the applications that do not hold the required privilege will be able
to access privileged directory in that mount points, because dummy bind
mount wasn't done.

This patch implements a watcher keeping track of mount/unmount events in
the system. When such event is detected, mount namespaces of all running
applications will be reevaluated. If a privileged directory shows up in
mount namespace of an already running application and the application doesn't
hold required privilege, the directory will be hidden from the app.

Change-Id: Idb7044d764a620b64666bfa5e6b1724b504866f0
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
6 years agoAdd core privilege: devicecertificate 22/165622/1
Yunjin Lee [Wed, 3 Jan 2018 01:49:45 +0000 (10:49 +0900)]
Add core privilege: devicecertificate

- Refers to: https://review.tizen.org/gerrit/#/c/165621/

Change-Id: I74518afab72d31acabde8b80f9c31f6cfdbff095
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
6 years agoclient: do not add application process to hardcoded groups 88/164488/4
Rafal Krypa [Tue, 19 Dec 2017 09:00:15 +0000 (10:00 +0100)]
client: do not add application process to hardcoded groups

Initial implementation of privilege enforcement with mount namespaces
included client code that added all application processes to hardcoded
set of groups: priv_externalstorage and priv_mediastorage.
This is wrong. Enforcement of privileges by either groups or mount
namespaces is to be configured in respectively privilege-group.list and
privilege-mount.list. Application process should be added to a group
if and only if it holds a privilege that is configured to be enforced
with a group. Similarly proper mounts and umounts will be done in application
mount namespace based on privilege status.
There is no need to hardcode groups. If a privilege is enforced with mount
namespace, it should not require additional group assignment. If it used
to be enforced with a group, but it has been switched to enforcement with
mount, filesystem permissions need to be adjusted, not security-manager code.

Privileges mediastorage and external storage are now enforced with bind
mounts. They are being removed from privilege-group mapping - combining
these two mechanisms is undesired.

Change-Id: I41204daa24329e8e9648b3ecb4e53d87c763b35b
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
6 years agoDuring application start, privileged directory enforced by bind mount may be missing 15/164015/4
Rafal Krypa [Thu, 14 Dec 2017 15:54:39 +0000 (16:54 +0100)]
During application start, privileged directory enforced by bind mount may be missing

When trying to prepare mount namespace for application process, check whether a
directory that requires privilege and should be bind mounted is missing. In such
case ignore it and continue preparation.

Change-Id: I08d5295440bb018d93295cb2817c643211b88c5f
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
6 years agoIdentify apps by Smack label instead of appName in NSMountLogic 22/164022/3
Rafal Krypa [Thu, 14 Dec 2017 16:21:27 +0000 (17:21 +0100)]
Identify apps by Smack label instead of appName in NSMountLogic

NSMountLogic and Worker code used to take appName as application identifier
and then needed to translate it to Smack label. It was very awkward, because
such conversion needs access to PrivilegeDB in order to check hybrid status.

Now Smack label is being passed to that code right away, eliminating the
need for fetching Smack label.

Change-Id: I62c137ad08a5d7d271aa8d6adcb25e8bb56bdfe1
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
6 years agoFix NSMountLogic in case when user has no running applications 11/164011/2
Rafal Krypa [Thu, 14 Dec 2017 15:35:11 +0000 (16:35 +0100)]
Fix NSMountLogic in case when user has no running applications

In some cases directory /run/user/UID/ may exist, but /run/user/UID/apps/
might not. Such case was incorrectly handled in NSMountLogic::readFiles(),
it caused an exception to be thrown.

Fixed implementation first checks whether directory exists before trying
to read it.

Change-Id: Ibae0415eac066672d50cf184d82aa3f53c7efdf0
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
6 years agoFix MountNS::isPathBound() 04/164704/1
Rafal Krypa [Wed, 20 Dec 2017 08:10:19 +0000 (09:10 +0100)]
Fix MountNS::isPathBound()

Previous implementation of the method checking whether given source path
is bind-mounted on a given destination path was unreliable.
By careless pattern matching in /proc/self/mountinfo it could easily
return false positive (determine that bind mount exists when it doesn't)
or false negative (say that bind mount doesn't exist when it does).

New implementation relies on calling lstat() on both paths and comparing
results. If both paths have the same ID of containing device and the same
inode number, they are considered to be bind mounted.

Change-Id: I63386dd44f2c1d114705b93a76993a9bc812a90d
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
6 years agoRelease 1.2.30 17/163017/1 accepted/tizen/unified/20171207.124721 submit/tizen/20171207.025457
jin-gyu.kim [Thu, 7 Dec 2017 02:09:09 +0000 (11:09 +0900)]
Release 1.2.30

* Fix bugs found in the code by static analysis
* Fix the bug for clearing SharedRO Smack rules
* Fix the potential memory leak.
* security-manager-cmd: add new option "manage-privilege" for policy manipulation
* Add hybrid flag setting to security-manager-cmd
* Add ConfigFile class for run-time reading and parsing of config files
* Allow privilege enforcement with bind mounts to be configured
* Don't enable mount namespace code when the config file is missing or empty

Change-Id: I848d24b8cbbaa3e557722d9a0665f9c3a984c7fb

6 years agoDon't enable mount namespace code when the config file is missing or empty 28/162328/3
Rafal Krypa [Thu, 30 Nov 2017 08:38:45 +0000 (09:38 +0100)]
Don't enable mount namespace code when the config file is missing or empty

Function isMountNamespaceEnabled will read the privilege-mount.list config
file and return false when reading of that file fails or when it doesn't
contain any proper configuration entries.

Change-Id: I20fabefde1523e204c02e5ab8eb8bbdd532a8b4f
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
6 years agoAllow privilege enforcement with bind mounts to be configured 01/162001/2
Rafal Krypa [Tue, 28 Nov 2017 12:01:38 +0000 (13:01 +0100)]
Allow privilege enforcement with bind mounts to be configured

Add configuration file describing which privileges are to be enforced
with bind mounts and how. New config privilege-mount.list now assigns
privileges to their mount points and specifies source directory to bind
mount.

Change-Id: I7e2fb7a483803d0a8877d142b8e1df7a37ae18e3
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
6 years agoAdd ConfigFile class for run-time reading and parsing of config files 00/162000/2
Rafal Krypa [Tue, 28 Nov 2017 07:49:46 +0000 (08:49 +0100)]
Add ConfigFile class for run-time reading and parsing of config files

New code reads config file and splits it into lines to vector, with one
element per file line. Each line is represented as vector itself, with
one element per white space separated token.
Lines that are empty or start with '#' are ignored.

New code is now used for parsing Smack policy templates and privilege to
group mapping.

Change-Id: I009cf2a33f0233a170666cfe27fd7604fb7f4340
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
6 years agoAdd hybrid flag setting to security-manager-cmd 07/150407/3
akoszewski [Mon, 11 Sep 2017 13:15:49 +0000 (15:15 +0200)]
Add hybrid flag setting to security-manager-cmd

Change-Id: Ifca5479d87ec44de856b0bda6625960e010e31ba

6 years agosecurity-manager-cmd: add new option "manage-privilege" for policy manipulation 23/140023/30
Dariusz Michaluk [Mon, 24 Jul 2017 11:07:21 +0000 (13:07 +0200)]
security-manager-cmd: add new option "manage-privilege" for policy manipulation

Allow/deny privilege for application and user.

Change-Id: I371549ed2aa06ba7b2deef8543c0eff712ed8bd0

6 years agoFix the potential memory leak. 03/108103/5
jin-gyu.kim [Tue, 3 Jan 2017 04:42:08 +0000 (13:42 +0900)]
Fix the potential memory leak.

- Dynamic memory referenced by 'array' can be lost in error case.

Change-Id: Iea68a69be02dcddc74c560792502464a9a1e19bb

6 years agoFix the bug for clearing SharedRO Smack rules 74/128974/3
jin-gyu.kim [Fri, 12 May 2017 07:33:04 +0000 (16:33 +0900)]
Fix the bug for clearing SharedRO Smack rules

- Some SharedRO Smack rules were not cleared in uninstallation.
- Include the missing SharedRO rules in uninstalltion.

Change-Id: Ic63468a78002aca4d2c0b6c1bdc925faa5050580

6 years agoFix bugs found in the code by static analysis 20/160920/1
Bartlomiej Grzelewski [Mon, 20 Nov 2017 16:35:53 +0000 (17:35 +0100)]
Fix bugs found in the code by static analysis

Change-Id: I662d10db09931d6d3154dd263f6e6aaaa2fbf0b4

6 years agoRelease 1.2.29 52/160652/1 accepted/tizen/unified/20171120.065108 submit/tizen/20171117.090517
Tomasz Swierczek [Fri, 17 Nov 2017 09:03:52 +0000 (10:03 +0100)]
Release 1.2.29

* Adding privilege group priv_tee_client.
* Include empty rules.merged file in the package

Change-Id: I9c58f5c82f0d9e95e5805f3ee95500cd94e7c9c3

6 years agoAdding privilege group priv_tee_client. 54/159554/2
r.tyminski [Thu, 9 Nov 2017 15:16:47 +0000 (16:16 +0100)]
Adding privilege group priv_tee_client.

Adding priv_tee_client group for http://tizen.org/privilege/tee.client

Change-Id: I40dbdce238fe2be4640e0e18339178303ddcbe78

7 years agoInclude empty rules.merged file in the package 44/159544/1
Rafal Krypa [Wed, 8 Nov 2017 15:11:35 +0000 (16:11 +0100)]
Include empty rules.merged file in the package

This is to fix startup of security-manager-rules-loader.service systemd
unit in case when no applications are registered in security-manager.

This is a rare scenario, that wasn't considered until now, because there
were always some preloaded applications on snapshot images. But IoT images
are actually built with no preloaded applications, triggering the bug.

Empty file with aggregated Smack rules is provided to handle such case.
In case of package upgrade, existing file will not be overwritten thanks
to %config(noreplace) directive.

Change-Id: I1743672547abcdd42f520b34eba45c67402b37b1
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
7 years agoRelease 1.2.28 19/158819/1 accepted/tizen/unified/20171106.073107 submit/tizen/20171103.080247 submit/tizen/20171114.102837
jin-gyu.kim [Fri, 3 Nov 2017 08:00:18 +0000 (17:00 +0900)]
Release 1.2.28

* Add support for external storage directories
* When preparation of database connection fails, indicate this with a file fleg
* Fix security-manager package installation/update
* Remove duplicated -fPIC flag
* Fix database script
* Add test to check TizenVersion update in database.

Change-Id: I7f0f1f9c8d70f6439a13c90b860c4497fb2bd48b

7 years agoAdd support for external storage directories 59/155559/18
Zofia Abramowska [Fri, 13 Oct 2017 10:46:07 +0000 (12:46 +0200)]
Add support for external storage directories

Applications can be also installed on external storages.
Security-manager has to accept such paths during application
installation. This commit adds such support for local and
global apps.

Change-Id: Idc6fa2930aa6fdcae9191844597da31ae13ecc20

7 years agoWhen preparation of database connection fails, indicate this with a file fleg 85/155585/2
Rafal Krypa [Fri, 13 Oct 2017 16:46:50 +0000 (18:46 +0200)]
When preparation of database connection fails, indicate this with a file fleg

A special file flag will be created by security-manager if it fails to
open its database or fails to initialize prepared statements.
This would indicate that database is either missing or broken. In such case
an empty file will be created at TZ_SYS_DB/.security-manager.db-broken

Change-Id: I6461b71134d6ce706d4295851a45840b3cf0be39
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
7 years agoFix security-manager package installation/update 63/148363/7
Dariusz Michaluk [Thu, 7 Sep 2017 14:18:18 +0000 (16:18 +0200)]
Fix security-manager package installation/update

Change-Id: I117f2694ab042a05d6d5f05e3c79ee4fcc0aca9f

7 years agoRemove duplicated -fPIC flag 08/144708/7
Dariusz Michaluk [Thu, 17 Aug 2017 12:28:18 +0000 (14:28 +0200)]
Remove duplicated -fPIC flag

Change-Id: I1ef9791b0a283e497b33b2508926673a390dff89

7 years agoFix database script 80/157380/2
Bartlomiej Grzelewski [Tue, 24 Oct 2017 09:02:00 +0000 (11:02 +0200)]
Fix database script

Fix update of Tizen Version during application installation.

Change-Id: I17db2e6948aefcf625c9db3d2595a5667a74c054

7 years agoAdd test to check TizenVersion update in database. 68/146268/3
Bartlomiej Grzelewski [Fri, 25 Aug 2017 12:26:38 +0000 (14:26 +0200)]
Add test to check TizenVersion update in database.

Change-Id: I8271b61cd1a40eb87edce474df83d9157f9e7031

7 years agoRelease 1.2.27 61/156461/1 accepted/tizen/4.0/unified/20171019.082002 submit/tizen_4.0/20171018.111837
jin-gyu.kim [Wed, 18 Oct 2017 11:12:11 +0000 (20:12 +0900)]
Release 1.2.27

* Prepare app_inst_req for handling multiple app_ids at once
* Add new API for installing pkg_id with multiple app_ids at once
* Add new functions to filesystem operations wrapper
* Add mount namespace operations wrapper
* Add IPC channel implementation
* Prepare app to launch in mount namespace
* Modify app launched in mount namespace
* Gotta catch 'em all (TizenPlatformConfig::Exception)
* Fix: Check if file exist before umount is made

Change-Id: I896cbafa175b134634a762dd55d0182ba0e570b7

7 years agoFix: Check if file exist before umount is made 03/156403/1
Dariusz Michaluk [Wed, 18 Oct 2017 08:13:31 +0000 (10:13 +0200)]
Fix: Check if file exist before umount is made

Change-Id: I03aaa60dd23021fd19d716ccf995a0ff737f108c

7 years agoGotta catch 'em all (TizenPlatformConfig::Exception) 71/110671/12
Krzysztof Jackiewicz [Fri, 29 Sep 2017 10:56:03 +0000 (12:56 +0200)]
Gotta catch 'em all (TizenPlatformConfig::Exception)

There are still several places in code where TizenPlatformConfig::Exception is
thrown and unhandled. Missing catches added. Code refactored to avoid throwing
exceptions during global data initialization.

Change-Id: I6ae7bda10152c33fff9fcaa6c98b23222a1aeb81

7 years agoModify app launched in mount namespace 81/139781/30
Dariusz Michaluk [Mon, 2 Oct 2017 13:14:48 +0000 (15:14 +0200)]
Modify app launched in mount namespace

This commit adds worker that will be able to manage with mount namespace.
If mount namespace is not supported, security-manager will run without worker,
otherwise worker will be communicated with security-manager through IPC channel.

If app privilege status changes, worker will allow/deny access to filesystem directory
associated with this privilege.

Change-Id: I056cd752c228335c7b67a607bddc0934c7a79ddd

7 years agoPrepare app to launch in mount namespace 85/139385/24
Dariusz Michaluk [Mon, 2 Oct 2017 12:26:19 +0000 (14:26 +0200)]
Prepare app to launch in mount namespace

This commit changes security_manager_prepare_app() behaviour.
The new functionality requires CAP_SYS_ADMIN capability added to the calling process.

Changes include:
 - runtime detection of namespace support (check access to "/proc/self/ns/mnt"
   which exists in kernel 3.8+ only),
 - if mount namespace is not supported, app launch in the old way,
   privileges are handled by groups,
 - if mount namespace support is detected, app launch in mount namespace,
   some privileges are handled in the new way,
 - these privileges are:
    a) http://tizen.org/privilege/externalstorage
       (mapped to /opt/media filesystem directory)
    b) http://tizen.org/privilege/mediastorage
       (mapped to /opt/usr/media filesystem directory)
 - if app privilege status is set to deny, the above directory
   is bind mounted to dummy directory (no access to filesystem)

Change-Id: Ic41ea9eb48c369934bcafe406aa1b4207f67523d

7 years agoAdd IPC channel implementation 80/153880/3
Dariusz Michaluk [Mon, 2 Oct 2017 13:04:08 +0000 (15:04 +0200)]
Add IPC channel implementation

Change-Id: I18a7de2933e3a3543dca6c738c0cb9a6dcc74eb1

7 years agoAdd mount namespace operations wrapper 79/153879/3
Dariusz Michaluk [Mon, 2 Oct 2017 11:59:06 +0000 (13:59 +0200)]
Add mount namespace operations wrapper

This commit adds:
 - mount namespace helper functions,
 - privilege to filesystem paths mapping,
 - application to mount namespace mapping.

Change-Id: I572b316297c7512455829305674fd1be2ea07656

7 years agoAdd new functions to filesystem operations wrapper 78/153878/3
Dariusz Michaluk [Mon, 2 Oct 2017 11:08:12 +0000 (13:08 +0200)]
Add new functions to filesystem operations wrapper

This commit adds:
 - create/remove directory/files functions,
 - get text file contents function,
 - error handling improvement,
 - function names convention.

Change-Id: I7861f26d14cb1e61af990881044eaea047b3f345

7 years agoAdd new API for installing pkg_id with multiple app_ids at once 79/153279/4
Rafal Krypa [Tue, 26 Sep 2017 15:13:02 +0000 (17:13 +0200)]
Add new API for installing pkg_id with multiple app_ids at once

New client function security_manager_app_inst_req_next() enables installer
to add information about multiple applications. Each application in
request has its own app_id, privileges and app-defined privileges.
All other parameters set on the installation request are shared.

Sample usage of the new API (simplified, no error checking):

security_manager_app_inst_req_new(&p_req);

/* Per-package attributes */
security_manager_app_inst_req_set_pkg_id(p_req, pkgId);

/* Per-app attributes */
security_manager_app_inst_req_set_app_id(p_req, appId1);
security_manager_app_inst_req_add_privilege(p_req, appId1_priv1);
security_manager_app_inst_req_next(p_req);
security_manager_app_inst_req_set_app_id(p_req, appId2);
security_manager_app_inst_req_add_privilege(p_req, appId2_priv1);

security_manager_app_install(p_req);
security_manager_app_inst_req_free(p_req);

Change-Id: Ia1a42071bcf7356f17622c1d110778e803d3f39a
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
7 years agoPrepare app_inst_req for handling multiple app_ids at once 87/151687/10
Rafal Krypa [Wed, 20 Sep 2017 10:19:49 +0000 (12:19 +0200)]
Prepare app_inst_req for handling multiple app_ids at once

Application install and uninstall requests will enable support for
handling multiple app_ids from single package in one shot.
The app_inst_req structure is modified to include an array of application
parameters, i.e.:
- app_id
- privileges
- app defined privileges

To make use of this feature, a new API will be added in next commits.
For now the modified request data structure will serve the existing API,
holding only single element in array of app parameters.

Change-Id: If961ad3625f9397358487021982f07886cee1e28
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
7 years agoFix coding style in security-manager-cmd.cpp 90/151690/3
Rafal Krypa [Thu, 21 Sep 2017 13:19:23 +0000 (15:19 +0200)]
Fix coding style in security-manager-cmd.cpp

Change-Id: Iedfee86a382b45c50f8f3717a9e187da09413657
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
7 years agoRelease 1.2.26 82/153282/1 accepted/tizen/4.0/unified/20170929.080133 accepted/tizen/unified/20170929.081538 submit/tizen/20170928.073535 submit/tizen_4.0/20170928.073544 tizen_4.0.IoT.p1_release
Yunjin Lee [Thu, 28 Sep 2017 07:29:42 +0000 (16:29 +0900)]
Release 1.2.26

* Add core privilege: peripheralio
* Remove core privilege: d2d.datasharing
* Remove redundant file info from SM dlog logs

Change-Id: I0ba6e51ffa1d5080a8daf211b503bab5aaa36b00
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
7 years agoAdd core privilege: peripheralio 78/153278/1
Yunjin Lee [Thu, 28 Sep 2017 07:20:37 +0000 (16:20 +0900)]
Add core privilege: peripheralio

- privilege required to communicate with peripherals

Change-Id: If2f2e08fead8fad34525b56b06b3a6eca0e570d7
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
7 years agoRemove core privilege: d2d.datasharing 68/152568/1
Yunjin Lee [Tue, 26 Sep 2017 10:20:32 +0000 (19:20 +0900)]
Remove core privilege: d2d.datasharing

Change-Id: I99815d92c5cef15ce012323e2f1e5c66b93e8b10
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
7 years agoRemove redundant file info from SM dlog logs 00/149800/4
Pawel Kowalski [Wed, 13 Sep 2017 06:23:59 +0000 (08:23 +0200)]
Remove redundant file info from SM dlog logs

Security-manager uses code adapted from DPL for logging. Currently
a dlog backed is utilized. Both DPL and dlog include information
like file name, line and function from where the log was triggered.
It lead to redundant file info in logs.

In order to remove this redundant information, dlog macro SLOG was
replaced with the macro called print_system_log. The print_system_log
macro does not add its own set of information (it displays only
a message prepared by the developer). The print_system_log macro is
labeled as an 'internal' in dlog-internal.h header file but in this
case 'internal' means that macro should not be used by applications
but may be used by system/platform deamons.

Also the FormatMessage was modified in order to display a log message
in a dlog style.

Change-Id: I54b9ebe6240a407609512b4906257ec655d0d8a3

7 years agoRelease 1.2.25 91/150791/1 accepted/tizen/4.0/unified/20170920.081731 accepted/tizen/unified/20170922.194236 submit/tizen/20170919.093121 submit/tizen_4.0/20170918.152308
Zofia Abramowska [Fri, 15 Sep 2017 15:48:07 +0000 (17:48 +0200)]
Release 1.2.25

Fix SVACE defects:
* Redo C-style var args methods
* User dynamic cast for base-to-derived conversion

Change-Id: Ic852b4751387f1590d0103c20a5d2214fdfaf737

7 years agoRedo C-style var args methods 61/150461/2
Zofia Abramowska [Fri, 15 Sep 2017 15:48:07 +0000 (17:48 +0200)]
Redo C-style var args methods

Change-Id: I28e6ca056a094739b60e17cdad54ef260475e3c3

7 years agoUser dynamic cast for base-to-derived conversion 60/150460/1
Zofia Abramowska [Fri, 15 Sep 2017 15:42:06 +0000 (17:42 +0200)]
User dynamic cast for base-to-derived conversion

Change-Id: I4f3f9c4062197941cb23fa5c40c883c6d26d877f

7 years agoRelease: 1.2.24 58/143358/2 accepted/tizen/4.0/unified/20170829.020126 accepted/tizen/unified/20170810.172045 submit/tizen/20170809.105839 submit/tizen_4.0/20170828.100004 submit/tizen_4.0/20170828.110004
keeho.yang [Wed, 9 Aug 2017 10:44:18 +0000 (19:44 +0900)]
Release: 1.2.24

*Fix license-manager rpm install/update/erase
*Enforce PIE through main CMakeLists

Change-Id: I5c8adad9bd4901b2647b3754733f0e81b6beada4

7 years agoEnforce PIE through main CMakeLists 77/140577/7
Igor Kotrasinski [Tue, 25 Jul 2017 07:37:36 +0000 (09:37 +0200)]
Enforce PIE through main CMakeLists

Fixes security-manager-cmd not building as PIE and removes hardcoded
-fPIE and -pie flags.

Change-Id: I6be0ef5864066b0be83e75671e8f3b124610b88b
Signed-off-by: Igor Kotrasinski <i.kotrasinsk@partner.samsung.com>
7 years agoFix license-manager rpm install/update/erase 13/142613/3
Dariusz Michaluk [Fri, 4 Aug 2017 14:23:40 +0000 (16:23 +0200)]
Fix license-manager rpm install/update/erase

Change-Id: I81358665747f71738e3a23f8a1d27f084ed3bf09

7 years agoRelease 1.2.23 32/142732/1 accepted/tizen/unified/20170808.171237 submit/tizen/20170807.095318
jin-gyu.kim [Mon, 7 Aug 2017 06:17:34 +0000 (15:17 +0900)]
Release 1.2.23

* Add core privilege: gesturegrab, gestureactivation
* Fix bugs reported by C++Test and SVACE
* Change coding style in socket-manager.cpp
* Fix database upgrading from v10 to v11
* Fix buffer overflow in exception.h
* Replace getgrent with getgrnam_r in security_manager_groups_get
* Fix race condition in reading credentials

Change-Id: I6e662155ae04b63b0cb3a6bfba3f3b1a03a666cb

7 years agoAdd core privilege: gesturegrab, gestureactivation 80/141080/2
Yunjin Lee [Fri, 28 Jul 2017 05:31:33 +0000 (14:31 +0900)]
Add core privilege: gesturegrab, gestureactivation

- gesturegrab privilege allows app to grab touch gesture
- gestureactivation privilege allows app to activate/deactivate the grabbing

Change-Id: Ic3897a26405962bc74ed6add54f3f0d33525e492
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
7 years agoChange coding style in socket-manager.cpp 26/139826/7
Bartlomiej Grzelewski [Thu, 20 Jul 2017 12:56:43 +0000 (14:56 +0200)]
Change coding style in socket-manager.cpp

Change-Id: I15803fd3548a19d328cef57426762a2052ca9b1f

7 years agoFix bugs reported by C++Test and SVACE 07/139607/4
Bartlomiej Grzelewski [Wed, 19 Jul 2017 12:16:09 +0000 (14:16 +0200)]
Fix bugs reported by C++Test and SVACE

Change-Id: Id8c2ee63159b6df768a9e818bcb929c4a70d57b0

7 years agoFix database upgrading from v10 to v11 24/142124/3
Dariusz Michaluk [Wed, 2 Aug 2017 15:10:12 +0000 (17:10 +0200)]
Fix database upgrading from v10 to v11

Change-Id: I54778accfcc2479dd899285c66ba4c3a95329b10

7 years agoFix buffer overflow in exception.h 22/139322/2
Bartlomiej Grzelewski [Mon, 17 Jul 2017 17:04:36 +0000 (19:04 +0200)]
Fix buffer overflow in exception.h

Change-Id: Idaf6e6c8afa4936370e97c5870dfb5b7b5149e24

7 years agoReplace getgrent with getgrnam_r in security_manager_groups_get 71/141771/7
Krzysztof Jackiewicz [Wed, 2 Aug 2017 07:25:28 +0000 (09:25 +0200)]
Replace getgrent with getgrnam_r in security_manager_groups_get

Group2Gid constructor used getgrent which is not thread-safe. The class is used
in security-manager's server which is single threaded and in a nss plugin. The
nss plugin is called in the same context as initgroups() and as such can be
called from concurrent threads simultaneously although it makes no sense. Also
initgroups() manual does not mention anything about thread-safety.

It's impossible to get groups mapping thread-safely using getgrent_r if we are
not controlling all of the threads (which is the case in SM's client library).
Instead the getgrnam_r() was used.

Change-Id: I753f88ee0f85bb28c0907ae590e522a075873ffb

7 years agoFix race condition in reading credentials 31/140331/2
Bartlomiej Grzelewski [Mon, 24 Jul 2017 12:00:29 +0000 (14:00 +0200)]
Fix race condition in reading credentials

Race condition scenario:
1. Client connects to service and gets descriptor D.
2. Client sends request R.
3. Client closes connection.
4. Second client connects to service and gets descriptor D
5. Service thread starts to process request R and calls
   getCredentialsFromSocket. Function returns credentials of
   second client.

Change-Id: Id42d58b90147157df9772dd856d4769b8698434b

7 years agoRelease 1.2.22 71/139671/1 accepted/tizen/4.0/unified/20170816.011622 accepted/tizen/4.0/unified/20170816.014833 accepted/tizen/unified/20170720.164945 submit/tizen/20170720.052357 submit/tizen/20170720.054830 submit/tizen_4.0/20170811.094300 submit/tizen_4.0/20170814.115522 submit/tizen_4.0_unified/20170814.115522
jin-gyu.kim [Thu, 20 Jul 2017 05:22:57 +0000 (14:22 +0900)]
Release 1.2.22

* Fix segfault in nss plugin

Change-Id: I49a37725b3297a4bbd62b944f071bcba9a681c90

7 years agoFix segfault in nss plugin 58/139558/3
Krzysztof Jackiewicz [Wed, 19 Jul 2017 09:34:17 +0000 (11:34 +0200)]
Fix segfault in nss plugin

- Initialize groups pointer to NULL
- Delay wrapping with unique_ptr until we are sure that function returning
  groups succeeded
- Treat empty group list as a correct result

Change-Id: I9cf7493d819f3c1afdc2a378bc52f24d0f3f53b9

7 years agoRelease 1.2.21 55/138055/1 accepted/tizen/unified/20170713.153304 submit/tizen/20170711.023607 submit/tizen/20170712.102507
jin-gyu.kim [Tue, 11 Jul 2017 02:30:22 +0000 (11:30 +0900)]
Release 1.2.21

* Allow application to fetch its own policy
* Optimize group processing performance
* Add core privilege: blocknumber.read, blocknumber.write

Change-Id: I2320777e489a094eb23e87a1747e5a0b6f0200a6

7 years agoAllow application to fetch its own policy 91/135791/6
Zofia Abramowska [Mon, 26 Jun 2017 11:42:35 +0000 (13:42 +0200)]
Allow application to fetch its own policy

Application requires checking its privacy privilege
status to decide wether invoking askuser popup is
required. This change allows apps to fetch its own
policy (for the same app_id and user) without any
additional privilege.

Change-Id: Ie351f002107e58ad90b71f44ec25026469e38cb5

7 years agoOptimize group processing performance 35/126135/11
Rafal Krypa [Fri, 7 Jul 2017 16:16:16 +0000 (18:16 +0200)]
Optimize group processing performance

- Map group names to gids during server startup.
- Return gids instead of group names to client.
- Modify API used by NSS plugin to return gids and update the plugin.
- Cache privilege->gid mapping and privilege related gids on server side.

Change-Id: I30480565495e9591d893279f2df622fa21b6e1b9

7 years agoAdd core privilege: blocknumber.read, blocknumber.write 40/137340/1
Yunjin Lee [Wed, 5 Jul 2017 08:45:31 +0000 (17:45 +0900)]
Add core privilege: blocknumber.read, blocknumber.write

Change-Id: Ibf991198a1a3a401a0b3e003a485e3ae9ee5dbdd
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
7 years agoRelease 1.2.20 03/136603/1 accepted/tizen/unified/20170703.064244 submit/tizen/20170630.100553 submit/tizen/20170703.021739
Piotr Sawicki [Fri, 30 Jun 2017 10:02:34 +0000 (12:02 +0200)]
Release 1.2.20

* Remove dependency to Nether
* Add missing else keyword
* Fix memory allocation loop
* Apply -fPIE and -pie flag to license-manager
* Verify if certificate CN entry is equal to pkgId.
* Refactor error handling on app_defined_privilege/client_license table
* Change license-manager-agent uid/gid to security_fw
* Accept null as appId during license extraction
* New schema of database
* Apply coding rules
* Implement certificate verification inside agent
* Improve implementation of appdefined privilege API
* Remove outdated 'CREATE INDEX + performance tests required' TODO
* security-manager-cmd: add new option manager-apps for app install/uninstall
* Support security_manager_app_uninstall calling in off-line mode

Change-Id: I7894668ea52634b226b5c0d699661a2be33f9707

7 years agoRemove dependency to Nether 91/136291/1
jin-gyu.kim [Thu, 29 Jun 2017 04:47:44 +0000 (13:47 +0900)]
Remove dependency to Nether

Security-manager has the dependency to Nether to install it.
Nether can be installed independently. [TRE-1330]
Therefore, remove the dependency.

Change-Id: Ibb3b2f18aad6be934737238f9412189e59d23f01

7 years agoAdd missing else keyword 01/133501/4
Bartlomiej Grzelewski [Mon, 12 Jun 2017 10:34:53 +0000 (12:34 +0200)]
Add missing else keyword

Change-Id: I092cf2c807d6a1445de4d33b308717d8f8ee87e0

7 years agoFix memory allocation loop 00/133500/4
Bartlomiej Grzelewski [Mon, 12 Jun 2017 10:14:19 +0000 (12:14 +0200)]
Fix memory allocation loop

Old implementation always exit loop after buffer resize without
any try to input data once again.

Change-Id: I6307748a6744e3d7677be140943220d4f1974aa7

7 years agoApply -fPIE and -pie flag to license-manager 96/134996/2
Dariusz Michaluk [Tue, 20 Jun 2017 10:50:30 +0000 (12:50 +0200)]
Apply -fPIE and -pie flag to license-manager

Change-Id: I7bf99eab5c89f2859ec62667842aa3a65482b8c2

7 years agoVerify if certificate CN entry is equal to pkgId. 57/134457/2
Dariusz Michaluk [Fri, 16 Jun 2017 11:54:39 +0000 (13:54 +0200)]
Verify if certificate CN entry is equal to pkgId.

Change-Id: I2f5465f4fd57e72956ae0c75146402d3c3d2ebe6

7 years agoRefactor error handling on app_defined_privilege/client_license table 27/133527/3
Dariusz Michaluk [Mon, 12 Jun 2017 14:54:46 +0000 (16:54 +0200)]
Refactor error handling on app_defined_privilege/client_license table

Change-Id: I7fc95510376b0f5e6136fad4b5914ec14f5e884e

7 years agoChange license-manager-agent uid/gid to security_fw 13/133513/3
Dariusz Michaluk [Mon, 12 Jun 2017 12:36:04 +0000 (14:36 +0200)]
Change license-manager-agent uid/gid to security_fw

Change-Id: Ic833a5406f88baf37717732346a79b7559ca6d22

7 years agoAccept null as appId during license extraction 78/132178/9
Bartlomiej Grzelewski [Thu, 1 Jun 2017 10:12:09 +0000 (12:12 +0200)]
Accept null as appId during license extraction

In non-hybrid application appId is not placed
inside smack label. Non-hybrid application could
not be idenitified. We can only retrieve its pkgId.

Change-Id: I52d35fab45dbf494dfc8a2de84c38d63d29b781d

7 years agoNew schema of database 28/131528/10
Bartlomiej Grzelewski [Mon, 29 May 2017 15:43:36 +0000 (17:43 +0200)]
New schema of database

non-hybrid application are identified with pkgId only.
New schema will allow to identify privilege license by
using pkgId instead appId.

Changes are applied to:
 * app_defined_privilege_view
 * client_license_view

Change-Id: Iae343b7fabb32a5a49957c362935eacc915390eb

7 years agoApply coding rules 87/132487/2
Bartlomiej Grzelewski [Mon, 5 Jun 2017 15:46:52 +0000 (17:46 +0200)]
Apply coding rules

Change-Id: Id8d0070851bd03ac94a86c8148bfe0dd35e87a58

7 years agoImplement certificate verification inside agent 06/129706/7
Bartlomiej Grzelewski [Wed, 17 May 2017 16:23:17 +0000 (18:23 +0200)]
Implement certificate verification inside agent

* Read certificate in PEM and DER format

Change-Id: Iccfa3778a8e8c3d07a258622c4985fea67a6095a

7 years agoImprove implementation of appdefined privilege API 66/130266/4
Bartlomiej Grzelewski [Fri, 19 May 2017 13:22:32 +0000 (15:22 +0200)]
Improve implementation of appdefined privilege API

* Remove deprecated attribute from security-manager API. Depracated
  attribute may cause build break in project compiled with -Werror flag.
* Add validation of license parameter in
      security_manager_app_inst_req_add_client_privilege
      security_manager_app_inst_req_add_app_defined_privilege
* Change function description in API

Change-Id: I03abb03a8d47a61d25cfe0ef91c14c0ddb9581dd

7 years agoRemove outdated 'CREATE INDEX + performance tests required' TODO 14/130214/3
Dariusz Michaluk [Fri, 19 May 2017 11:53:19 +0000 (13:53 +0200)]
Remove outdated 'CREATE INDEX + performance tests required' TODO

Although indexes are intended to enhance a database's performance,
they should not be used on small tables.
The tests have shown that there is no speed up on tables with 3k rows.

Change-Id: Id6ac9e6b47ef8978dacbcd1c2b71e8e6b9be02e2

7 years agosecurity-manager-cmd: add new option "manager-apps" for app install/uninstall 16/130916/1
Rafal Krypa [Wed, 24 May 2017 09:01:33 +0000 (11:01 +0200)]
security-manager-cmd: add new option "manager-apps" for app install/uninstall

Cmd previously supported only app installation (--install), but not removal.
The new option --manage-apps, in line with already existing --manage-users
will support both app installation and removal.
Old --install is kept for now for backward compatibility.

Change-Id: I20e589e8ff40b1d49a6409ee71bd9351e6140b69

7 years agoSupport security_manager_app_uninstall calling in off-line mode 15/130915/1
Rafal Krypa [Wed, 24 May 2017 09:58:28 +0000 (11:58 +0200)]
Support security_manager_app_uninstall calling in off-line mode

Change-Id: If3d2b9ee4d7e9dbfc0a5555743b542161a52d4ba

7 years agoRelease 1.2.19 68/130168/1 accepted/tizen/unified/20170519.200655 submit/tizen/20170519.102945 tizen_4.0.m1_release
jin-gyu.kim [Fri, 19 May 2017 09:15:11 +0000 (18:15 +0900)]
Release 1.2.19

Merge remote-tracking branch 'origin/appdefined' into tizen
Add core privilege: tee.client
Add core privilege: zigbee, zigbee.admin

Change-Id: I67e6c89fe707ff2fa39d6f2525d88ea7d7c8e68e

7 years agoAdd core privilege: zigbee, zigbee.admin 34/130134/1
Yunjin Lee [Fri, 19 May 2017 08:01:06 +0000 (17:01 +0900)]
Add core privilege: zigbee, zigbee.admin

Change-Id: I4dd5f172a5ca021a17949aa564877eb7c50883b0
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
7 years agoAdd core privilege: tee.client 66/130066/1
Yunjin Lee [Fri, 19 May 2017 04:22:34 +0000 (13:22 +0900)]
Add core privilege: tee.client

Change-Id: Ib06e59ba9bc0c15d510820c18a171eb73b6a9972
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
7 years agoMerge remote-tracking branch 'origin/appdefined' into tizen 55/129655/1
Bartlomiej Grzelewski [Wed, 17 May 2017 09:46:32 +0000 (11:46 +0200)]
Merge remote-tracking branch 'origin/appdefined' into tizen

Change-Id: Ie9e886dd62ef73830cab714aa9fe32f35d2e018a

7 years agoPrevent from collision with system privileges 42/129242/2 appdefined
Dariusz Michaluk [Mon, 15 May 2017 12:50:18 +0000 (14:50 +0200)]
Prevent from collision with system privileges

Change-Id: If307f2b4609d5af45126cdd1aac2e577d8ad5cac

7 years agoPrevent from saving empty license 66/129066/2
Bartlomiej Grzelewski [Fri, 12 May 2017 17:18:37 +0000 (19:18 +0200)]
Prevent from saving empty license

Change-Id: Ib89bf970c56d5f337a680334c432a1ec660e77bf

7 years agoExtend privilegeDb api 62/129062/2
Bartlomiej Grzelewski [Fri, 12 May 2017 15:46:34 +0000 (17:46 +0200)]
Extend privilegeDb api

The function will not directly inform caller if row was found in
database. In previous implmentation functions may return empty
string if row was not found in database. It could be translated as row
contained empty string or no row was found.

Change-Id: Id44a5337e2ceb53b35be914962e442e4b5aeec0f

7 years agoMerge remote-tracking branch 'origin/tizen' into appdefined 65/129065/1
Bartlomiej Grzelewski [Fri, 12 May 2017 16:58:00 +0000 (18:58 +0200)]
Merge remote-tracking branch 'origin/tizen' into appdefined

Change-Id: I1d8894b37ebb11aecb9a040548bfcc754f25587d

7 years agoBlock the possibility of privilege redefinition 24/128624/3
Dariusz Michaluk [Wed, 10 May 2017 14:12:44 +0000 (16:12 +0200)]
Block the possibility of privilege redefinition

Change-Id: I897915c799ab03ad93d8f9f191ecbd96da885f60

7 years agoTests for client license in db 44/128544/3
Dariusz Michaluk [Wed, 10 May 2017 09:42:46 +0000 (11:42 +0200)]
Tests for client license in db

Change-Id: I8b19fa8d40fc7e34820ee6b758e46a546a964ebc

7 years agoAdd serialization of tuple 57/128857/2
Bartlomiej Grzelewski [Thu, 11 May 2017 17:50:09 +0000 (19:50 +0200)]
Add serialization of tuple

Change-Id: I9f6f2855a6073b8493d531e381f880d70ab6c3cb

7 years agoPrepare database to store license 35/127535/6
Bartlomiej Grzelewski [Wed, 26 Apr 2017 13:38:55 +0000 (15:38 +0200)]
Prepare database to store license

Security-manager does not use license directly. Licenses
will be used by license-manager. Security manager just store
information about it's location and information about
dependencies between licenses and app defined privileges.

In current api both provider and client may store license.
License stored by provider should be treated more as a key
that will be used to verify signature stored as client license.

Change-Id: If54724aa7daf49be727aab67ac614047f035a05a

7 years agoPrepare API to support licensed privileges 54/128854/1
Bartlomiej Grzelewski [Thu, 11 May 2017 14:26:03 +0000 (16:26 +0200)]
Prepare API to support licensed privileges

Change-Id: I870ff76dc9fc8e5a2e53070a9deeab9ecba416f4

7 years agoRelease 1.2.18 63/127463/1 accepted/tizen/unified/20170508.153200 submit/tizen/20170508.021828
Tomasz Swierczek [Thu, 27 Apr 2017 10:02:32 +0000 (12:02 +0200)]
Release 1.2.18

* Adjust UT case T520_add_application_two_tizen_versions_to_same_package
* Adjust tests to boost 1.62
* Fix issues detected by SVACE
* Revert of changes related to privacy popups
* Do not show toast fail launch popup for white list app.
* Handle HW key input case from askuser popup.
* Adapt requirement names for askuser-notification to new naming
* Migrate existing application policy to use new ask-user policies
* Implement security_manager_prepare_app_privacy
* Add new API for handling privacy privileges during application launch
* Replace usage of Ask User plugin with Privacy Deny Plugin
* Change labelPaths logic for FOTA

Change-Id: I1ebe131cd04d9d5327e4c39a76d2bf4f5fe3f219

7 years agoAdjust UT case T520_add_application_two_tizen_versions_to_same_package 31/121731/3
Radoslaw Bartosiak [Tue, 28 Mar 2017 14:12:16 +0000 (16:12 +0200)]
Adjust UT case T520_add_application_two_tizen_versions_to_same_package

Adapt to a new change in security-manager that allows platform version
for an app to be changed during app upgrade, which was
introduced in commit: 942b8ffe8ddc07e4037abac2f69f3460ade8585d.

Change-Id: Ice783a7f5fa5e32df8fdcc3fcbabbab7717fc777
Signed-off-by: Radoslaw Bartosiak <r.bartosiak@samsung.com>
7 years agoAdjust tests to boost 1.62 94/126994/5
Zofia Abramowska [Mon, 24 Apr 2017 10:35:09 +0000 (12:35 +0200)]
Adjust tests to boost 1.62

* Fix missing file
* Fix missing virtual methods
* Fix missing semicolons after macros
* Support boost version before 1.59
* Fix custom types printing
* Still support boost before 1.59 version

Change-Id: I872dff727aef3f4253e4995e36654ad93d1b979d