platform/core/security/security-manager.git
Do not fail NS worker action if mount point doesn't exist 00/215100/2
Tomasz Swierczek [Tue, 1 Oct 2019 11:05:53 +0000 (13:05 +0200)]
Do not fail NS worker action if mount point doesn't exist

This mimics actions taken at app launch, where privileges
defined for nonexistent mount points do not cause
the launch to fail.

Change-Id: I4e8f14452d379ee86efc31412aa940a4aa67b463

Refactor service_impl.cpp 96/214496/2
Tomasz Swierczek [Mon, 23 Sep 2019 08:30:48 +0000 (10:30 +0200)]
Refactor service_impl.cpp

Moved static functions to a separate file in the SecurityManager namespace.
This should improve the module's SAM score.

Change-Id: I33eb34068072d1c52f3331ea8b8ca667657fef21

Release 1.5.10 24/213224/1 accepted/tizen/unified/20190904.011515 submit/tizen/20190903.051704
Tomasz Swierczek [Tue, 3 Sep 2019 04:43:03 +0000 (06:43 +0200)]
Release 1.5.10

* Disable http://tizen.org/privilege/internal/sysadmin for non-applications

Change-Id: I274bdbac2b70a970f11d8f20c3aa2b0b70bb8ac9

Disable http://tizen.org/privilege/internal/sysadmin for non-applications 42/212942/2
Tomasz Swierczek [Wed, 28 Aug 2019 09:14:15 +0000 (11:14 +0200)]
Disable tizen.org/privilege/internal/sysadmin for non-applications

By default, system (&user-session) services were granted access to all privileges.
As we work towards fine-grained access control for system services, we need
to disable granting all privileges for services.

This 1st experimental step disables the sysadmin privilege, to be used
to control access to the activationd daemon.

For internal applications, the sysadmin privilege will be used in manifests, so
Cynara will be able to find an exact match for the applications' Smack label
in its manifest bucket; for policy evaluation to return success in such a case,
all that is needed is the addition of this new privilege to the user-type whitelists
(*.profile files).

For system services, access control to activationd will be limited
to a list of user IDs listed in DBus policy, hence the privilege can't
be automatically enabled for processes with labels User, System & System::Privileged.

For user-session services, this privilege will not be used at the moment.

The (possible) target solution for providing per-service access control
can be based on supplementary groups defined in systemd service files
(or applied as a consequence of Cynara policy by the security-manager nss plugin).

However, using supplementary groups with DBus policy is not possible at the moment,
as both the kernel and DBus will have to be patched to use SO_PEERGROUPS (1).

(1) : https://www.spinics.net/lists/netdev/msg441568.html

Change-Id: Ie41a60d67d39c49b1ed6a49e0c17b9e5d2dabd86

Release 1.5.9 71/212571/3 accepted/tizen/unified/20190828.011043 submit/tizen/20190826.095036
Tomasz Swierczek [Fri, 23 Aug 2019 06:08:40 +0000 (08:08 +0200)]
Release 1.5.9

* Fix for synchronization of per-thread mount namespace setup
* Add check for proper synchronization of threads namespaces
* Fix licence comments in source code files

Change-Id: Iaf0352154b51ef33980f5a100d1891105cc4eb2e

Fix for synchronization of per-thread mount namespace setup 99/212399/7
Tomasz Swierczek [Wed, 21 Aug 2019 06:48:15 +0000 (08:48 +0200)]
Fix for synchronization of per-thread mount namespace setup

According to manual (1):

A process may not be reassociated with a new mount namespace
if it is multithreaded.

Also, the unshare system call (2) only creates a new namespace
for the calling thread. This means that application candidate
processes that have more than 1 thread are doomed to always have
some threads still in the main mount namespace, without
enforcement of privilege policy connected to mount namespaces.
This renders the mount-namespace-based access control a bad solution.

This patch introduces a special API call to be used by app launchers
just to prepare app candidate processes. This API call doesn't take
any arguments - it just checks if mount-namespaces are enabled
and if yes, just calls unshare(), checking beforehand if the process
has only one thread.

(1) : http://man7.org/linux/man-pages/man2/setns.2.html
(2) : http://man7.org/linux/man-pages/man1/unshare.1.html

Change-Id: I82aefca3d5eb4915041df99ff0313896cbc769cb
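As an added illustration of the single-thread check this commit describes (my own code, not security-manager's): count the caller's threads via /proc/self/task and only then unshare the mount namespace. The function and enum names are constructed; the decision is kept in a separate pure function so it can be checked without CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE                 /* unshare() and CLONE_NEWNS in <sched.h> */
#include <dirent.h>
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>

/* Fallbacks in case the headers were already included without _GNU_SOURCE;
 * the value and prototype are those of Linux/glibc. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000
#endif
extern int unshare(int flags);

enum ns_prepare_result {
    NS_PREPARE_OK = 0,             /* caller now runs in a fresh mount namespace */
    NS_PREPARE_DISABLED = 1,       /* mount-namespace feature is off: nothing to do */
    NS_PREPARE_MULTITHREADED = 2,  /* refused: other threads would stay in the old namespace */
    NS_PREPARE_ERROR = 3           /* thread count unavailable or unshare() failed (see errno) */
};

/* Number of threads in the calling process, counted from /proc/self/task.
 * Returns -1 with errno set when procfs is not available. */
int count_threads(void)
{
    DIR *dir = opendir("/proc/self/task");
    if (dir == NULL)
        return -1;
    int threads = 0;
    struct dirent *ent;
    while ((ent = readdir(dir)) != NULL)
        if (ent->d_name[0] != '.')        /* skip "." and ".." */
            threads++;
    closedir(dir);
    return threads;
}

/* The decision, kept apart from the privileged syscall so it can be checked
 * without CAP_SYS_ADMIN: unshare(CLONE_NEWNS) moves only the calling thread,
 * so a multithreaded candidate must be refused rather than half-migrated. */
enum ns_prepare_result ns_decide(int mount_ns_enabled, int thread_count)
{
    if (!mount_ns_enabled)
        return NS_PREPARE_DISABLED;
    if (thread_count < 1)
        return NS_PREPARE_ERROR;
    if (thread_count > 1)
        return NS_PREPARE_MULTITHREADED;
    return NS_PREPARE_OK;
}

/* Launcher hook in the spirit of the commit: takes nothing but the feature
 * flag, checks the thread count, then unshares the mount namespace. */
enum ns_prepare_result prepare_candidate_ns(int mount_ns_enabled)
{
    enum ns_prepare_result decision = ns_decide(mount_ns_enabled, count_threads());
    if (decision != NS_PREPARE_OK)
        return decision;
    if (unshare(CLONE_NEWNS) != 0)        /* EPERM without CAP_SYS_ADMIN */
        return NS_PREPARE_ERROR;
    return NS_PREPARE_OK;
}

int main(void)
{
    printf("threads in this process: %d\n", count_threads());
    enum ns_prepare_result r = prepare_candidate_ns(1);
    if (r == NS_PREPARE_ERROR)
        printf("prepare_candidate_ns: error (%s)\n", strerror(errno));
    else
        printf("prepare_candidate_ns: result %d\n", (int)r);
    return 0;
}
```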

Add check for proper synchronization of threads namespaces 04/212504/5
Tomasz Swierczek [Thu, 22 Aug 2019 06:24:14 +0000 (08:24 +0200)]
Add check for proper synchronization of threads namespaces

Change-Id: I743d755c2b7cf24bc0542c1e9e964f3c863aeb02

Fix licence comments in source code files 32/211132/1
Tomasz Swierczek [Tue, 30 Jul 2019 08:13:32 +0000 (10:13 +0200)]
Fix licence comments in source code files

Change-Id: I24556d7a2fa49091e6f7b0888fe2cad4992f562f

Release 1.5.8 93/210093/1 accepted/tizen/unified/20190725.042914 submit/tizen/20190715.152548 submit/tizen/20190718.095643 submit/tizen/20190722.094000 submit/tizen/20190724.083637
Dariusz Michaluk [Mon, 15 Jul 2019 15:16:08 +0000 (17:16 +0200)]
Release 1.5.8

* Prevent starting service without the socket
* Make GetErrnoString not throwing
* Optimize nss plugin memory usage
* Remove unnecessary setting
* Migrate to openssl 1.1

Change-Id: Ic4043d29bcbda9da9f8304403dcd6a388af21424

Prevent starting service without the socket 85/210085/2
Dariusz Michaluk [Mon, 15 Jul 2019 14:30:50 +0000 (16:30 +0200)]
Prevent starting service without the socket

Change-Id: I88415e55586dbe436bb44792d6808aadd5a48bc5

Make GetErrnoString not throwing 72/209972/2
Tomasz Swierczek [Fri, 12 Jul 2019 17:01:53 +0000 (19:01 +0200)]
Make GetErrnoString not throwing

The function is already made for processing error situations;
there is no point in throwing an error inside of it.

Change-Id: I2be841a30ba36cf699907fa23bbf4d0ffe85b2ea

Optimize nss plugin memory usage 88/209388/12
Tomasz Swierczek [Fri, 5 Jul 2019 05:21:11 +0000 (07:21 +0200)]
Optimize nss plugin memory usage

Made the nss module not linked with commons or client library.
Using security-manager client library in nss module caused
additional memory usage by private data in each loaded library,
out of which most were not needed for nss (smack, pcap, procps, rt,
sqlite, cynara-*, security-privilege-manager, mount, crypt, blkid,
pkgmgr_parser, vconf, minizip, pcre, uuid, xml2, gio, z, buxton2,
lzma, gmodule, resolv, ffi, tzplatformconfig, dlog).

Linking with dlog & tzplatformconfig left only in debug mode.

To test it, use "gdb id", set a breakpoint on getgrgid, and measure the change of PSS after
finishing the function execution with vs. without the patch.

The PSS value of id process should go down by approx. 0.4 - 0.5 MB
(depending on the system load & number of processes).

Change-Id: If2cede89885320ea83ca79fd54770a7ea24d87d8

Remove unnecessary setting 80/209580/1
INSUN PYO [Tue, 9 Jul 2019 05:04:24 +0000 (14:04 +0900)]
Remove unnecessary setting

Change-Id: I695a16bf83a7292422369490dda1e62a8ca30691

Migrate to openssl 1.1 88/206888/2
Konrad Lipinski [Tue, 28 May 2019 13:20:14 +0000 (15:20 +0200)]
Migrate to openssl 1.1

Change-Id: Ied1db6cd18d336fa8a6b9aebd402b1f4eead30d3

Release 1.5.7 accepted/tizen/unified/20190612.111715 submit/tizen/20190611.044719
Tomasz Swierczek [Tue, 11 Jun 2019 04:46:29 +0000 (06:46 +0200)]
Release 1.5.7

* Add additional check for threads supgid pointers
* Add logging of server-side operation handling time

Change-Id: I0f62ddaaefac6af7e754a0f6f7161ae584196832

Add additional check for threads supgid pointers 46/207646/2
Tomasz Swierczek [Mon, 10 Jun 2019 10:18:51 +0000 (12:18 +0200)]
Add additional check for threads supgid pointers

According to the implementation of readtask (proc/readproc.c),
the pointers could be NULL in specific implementations.

Change-Id: If1e8308c517ddbfbd500f7c5822c80dd3225df0c

Add logging of server-side operation handling time 56/206256/7
Tomasz Swierczek [Wed, 15 May 2019 09:31:33 +0000 (11:31 +0200)]
Add logging of server-side operation handling time

Logs are added only in debug mode for each service
method that implements API exposed by the daemon.

Change-Id: I90412b9d6c32edd0d7559f5eb713117ba0a1fecd

Release 1.5.6 43/207543/1 submit/tizen/20190606.151034
Tomasz Swierczek [Thu, 6 Jun 2019 14:01:09 +0000 (16:01 +0200)]
Release 1.5.6

* Improve security_manager_prepare_app() performance
* Stop forcing logs from server-side write() and close() operations
* Revert "Enhance logs in case of socket problems, client hangs on waitForSocket()"
* Properly handle EINPROGRESS error from connect()

Change-Id: I02c5e576882d3f9bb713b924a7f90f7287165f96

Improve security_manager_prepare_app() performance 51/207351/2
Dariusz Michaluk [Fri, 31 May 2019 13:10:55 +0000 (15:10 +0200)]
Improve security_manager_prepare_app() performance

This commit merges getPrivilegedGroups() and getAppGroups() into one client request.

Change-Id: I77b42773845b264794398af7995bba087320689d

Stop forcing logs from server-side write() and close() operations 33/206233/1
Tomasz Swierczek [Wed, 15 May 2019 09:13:05 +0000 (11:13 +0200)]
Stop forcing logs from server-side write() and close() operations

This reverts commit 7ad04ef8ccaebe23cc30f90f3e9ffa04b3acd698 (DEBUG ONLY ErrorLogs).
Logging the socket fd was left, but in LogDebug logs, also in CloseSocket.

Change-Id: I3582b9080de7e2368a08030d75d0df15ed81c68e

Revert "Enhance logs in case of socket problems, client hangs on waitForSocket()" 40/206140/2
Dariusz Michaluk [Tue, 14 May 2019 14:26:27 +0000 (14:26 +0000)]
Revert "Enhance logs in case of socket problems, client hangs on waitForSocket()"

This reverts commit 3f59f6b73c66bdc4cc3fd91eaa7eef1d2abe1aa0.

Change-Id: I279ddc1a9b4213429960afd9060af049f0f4c057

Properly handle EINPROGRESS error from connect() 39/206139/1
Krzysztof Jackiewicz [Fri, 10 May 2019 08:39:20 +0000 (10:39 +0200)]
Properly handle EINPROGRESS error from connect()

If connect() fails with EINPROGRESS, the connection may be completed
by polling/selecting the socket for writing. This commit replaces
POLLIN with POLLOUT to handle it properly.

Change-Id: If332634c6d517d7ec00f19a5970e7fe16ee9bb06
(cherry picked from commit e4adb53b99b0011037a3dfc408026cc6a40be349)

Release 1.5.5 46/205146/1 submit/tizen/20190430.132225
Krzysztof Jackiewicz [Mon, 29 Apr 2019 12:26:12 +0000 (14:26 +0200)]
Release 1.5.5

- Remove dbus.service.wants dependency

Change-Id: I2df523a40e4abf551bedfa9a45f78d4cc49127c9

Remove dbus.service.wants dependency 24/204624/2
INSUN PYO [Thu, 25 Apr 2019 05:57:56 +0000 (14:57 +0900)]
Remove dbus.service.wants dependency

Change-Id: I54c7abd0158ddd993ab09982171c6994d41bc08b

Release 1.5.4 23/204823/1 accepted/tizen/unified/20190429.103747 submit/tizen/20190426.145014
Dariusz Michaluk [Fri, 26 Apr 2019 14:44:43 +0000 (16:44 +0200)]
Release 1.5.4

- Enhance logs in case of socket problems, client hangs on waitForSocket()
- Increase backlog for listening sockets

Change-Id: Ibf652e8bd8597d8ed1fd88fa5127cb8621af1a69

Enhance logs in case of socket problems, client hangs on waitForSocket() 08/204808/3
Dariusz Michaluk [Fri, 26 Apr 2019 12:12:19 +0000 (14:12 +0200)]
Enhance logs in case of socket problems, client hangs on waitForSocket()

Change-Id: I30c3add6e1e21c3c28ae7a7b3b8c6e66477ea9ae

Increase backlog for listening sockets 09/204809/1
Dariusz Michaluk [Fri, 26 Apr 2019 12:18:41 +0000 (14:18 +0200)]
Increase backlog for listening sockets

When systemd's socket activation is utilized, the default backlog
parameter passed to the listen() function is set to SOMAXCONN,
which is equal to 128. In distributions where systemd is not used
for socket activation, the default UNIX socket
implementation sets the backlog value to 5.
This may lead to a rare overflow of an internal connection queue.
This manifests itself as the -EAGAIN error returned by connect().

To mitigate the issue, the backlog parameter has been set
to SOMAXCONN, which is a default value used by systemd.

Change-Id: I42b277d8d66c23335474fdf63db937ef22b8e171

Release 1.5.3 59/203459/1 accepted/tizen/unified/20190416.071449 submit/tizen/20190415.060512
Yunjin Lee [Mon, 15 Apr 2019 04:09:19 +0000 (13:09 +0900)]
Release 1.5.3

- Add core privilege: d2d.datasharing, d2d.remotelaunch

Change-Id: Iddf2b61f70c87a4e4fbe6f3ee06fe1ec0bce27e5
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

Add core privilege: d2d.datasharing, d2d.remotelaunch 52/203452/1
Yunjin Lee [Mon, 15 Apr 2019 02:41:59 +0000 (11:41 +0900)]
Add core privilege: d2d.datasharing, d2d.remotelaunch

- d2d.datasharing: Application with this privilege can share data with
other devices
- d2d.remotelaunch: Application with this privilege can be launched by
applications on other devices

Change-Id: I423d56309fefc64942a8f8e6fe2f755727bddae6
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

Release 1.5.2 84/203184/1 accepted/tizen/unified/20190411.144016 submit/tizen/20190410.103749
Dariusz Michaluk [Wed, 10 Apr 2019 10:30:28 +0000 (12:30 +0200)]
Release 1.5.2

- Add new rules-loader options

Change-Id: I9974c82d251730f12582a9db126d93cce1fa1b8e

Add new rules-loader options 58/202458/5
Dariusz Michaluk [Thu, 14 Mar 2019 15:46:06 +0000 (16:46 +0100)]
Add new rules-loader options

--default - write all System/User rules (subject is not a package name)
--packages - write rules for list of packages
--exclude - write rules for all packages except list of packages

Change-Id: I66b2aa55f3419df8e93709e3191963d3f8e74ee4

Release 1.5.1 18/200618/2 accepted/tizen/unified/20190405.015727 submit/tizen/20190329.053841 submit/tizen/20190404.021824
Yunjin Lee [Wed, 27 Feb 2019 09:45:40 +0000 (18:45 +0900)]
Release 1.5.1

- Add core privilege: windowsystem.admin
- Make waitpid(WNOHANG) call more explicit to appease SVACE

Change-Id: Ia20386770e804219c63ebbcb111f0ebc9c64075d
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

Add core privilege: windowsystem.admin 12/200612/2
Yunjin Lee [Wed, 27 Feb 2019 09:16:28 +0000 (18:16 +0900)]
Add core privilege: windowsystem.admin

- The application with this privilege can change the settings for
services provided by display server, such as the quick panel and softkey
bar.

Change-Id: Ic0d441a820f687d1e36cfe20e7e3ca8a485168d1
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

Make waitpid(WNOHANG) call more explicit to appease SVACE 60/201460/1
Konrad Lipinski [Thu, 14 Mar 2019 09:44:14 +0000 (10:44 +0100)]
Make waitpid(WNOHANG) call more explicit to appease SVACE

Change-Id: I63e7bddca2a729658d9ab8da94587a1780c7d32b

Release 1.5.0 71/200871/4 accepted/tizen/unified/20190307.231033 submit/tizen/20190305.095610
Tomasz Swierczek [Tue, 5 Mar 2019 08:18:04 +0000 (09:18 +0100)]
Release 1.5.0

* Replace time(NULL) with monotonic clock usage
* Enhance logs in case of writing errors

This release changes numbering to differentiate older branches of code.

tizen branch will continue to use 1.5.X numbering while tizen_5.0 version
will continue to use 1.4.X numbering (for bugfixes/maintenance).

Change-Id: I752e69c738e565de27c5097381cbb11b2ac6ad48

Replace time(NULL) with monotonic clock usage 64/200864/4
Tomasz Swierczek [Tue, 5 Mar 2019 07:14:11 +0000 (08:14 +0100)]
Replace time(NULL) with monotonic clock usage

Calculating timeout for socket connections should
use monotonic clock.

Change-Id: Ie791173cf2663fdf0b94381f391bd5504b3e5e06
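An added example (mine, not the project's code) that ties this commit together with the earlier "Properly handle EINPROGRESS error from connect()" and "Increase backlog for listening sockets" entries: a UNIX-socket listener using the SOMAXCONN backlog, and a non-blocking client that waits for POLLOUT after EINPROGRESS with its deadline measured on CLOCK_MONOTONIC. Socket paths and function names are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <time.h>
#include <unistd.h>

/* Fill a sockaddr_un for `path`; -1 with ENAMETOOLONG if it does not fit. */
static int make_addr(struct sockaddr_un *addr, const char *path)
{
    memset(addr, 0, sizeof *addr);
    addr->sun_family = AF_UNIX;
    if (strlen(path) >= sizeof addr->sun_path) { errno = ENAMETOOLONG; return -1; }
    strcpy(addr->sun_path, path);
    return 0;
}

/* Milliseconds left until `deadline` on CLOCK_MONOTONIC, clamped to [0, INT_MAX].
 * A wall-clock step cannot stretch or cut the wait, which is what time(NULL) got wrong. */
static int ms_until(const struct timespec *deadline)
{
    struct timespec now;
    clock_gettime(CLOCK_MONOTONIC, &now);
    long long ms = (deadline->tv_sec - now.tv_sec) * 1000LL + (deadline->tv_nsec - now.tv_nsec) / 1000000LL;
    return ms < 0 ? 0 : (ms > INT_MAX ? INT_MAX : (int)ms);
}

/* Server side: listening UNIX stream socket with the systemd-style SOMAXCONN backlog
 * instead of a small hard-coded value, so a burst of clients does not overflow the queue. */
int make_listener(const char *path)
{
    struct sockaddr_un addr;
    if (make_addr(&addr, path) < 0) return -1;
    unlink(path);                                    /* drop a stale socket file */
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, SOMAXCONN) < 0) {
        int saved = errno; close(fd); errno = saved; return -1;
    }
    return fd;
}

/* Client side: connect a non-blocking socket within `timeout_ms`.
 * Returns 0 on success, -1 with errno set (ETIMEDOUT once the deadline passes). */
int connect_with_timeout(int fd, const char *path, int timeout_ms)
{
    struct sockaddr_un addr;
    if (make_addr(&addr, path) < 0) return -1;
    struct timespec deadline; clock_gettime(CLOCK_MONOTONIC, &deadline);
    deadline.tv_sec  += timeout_ms / 1000;
    deadline.tv_nsec += (long)(timeout_ms % 1000) * 1000000L;
    if (deadline.tv_nsec >= 1000000000L) { deadline.tv_sec++; deadline.tv_nsec -= 1000000000L; }

    if (connect(fd, (struct sockaddr *)&addr, sizeof addr) == 0)
        return 0;                                    /* completed synchronously */
    if (errno != EINPROGRESS)
        return -1;                                   /* ENOENT, ECONNREFUSED, EAGAIN (full backlog), ... */
    /* An in-progress connect finishes when the socket becomes writable, so wait for
     * POLLOUT (not POLLIN) and then read the final outcome from SO_ERROR. */
    for (;;) {
        struct pollfd pfd = { .fd = fd, .events = POLLOUT, .revents = 0 };
        int n = poll(&pfd, 1, ms_until(&deadline));
        if (n < 0 && errno == EINTR) continue;       /* remaining time is recomputed */
        if (n < 0) return -1;
        if (n == 0) { errno = ETIMEDOUT; return -1; }
        break;
    }
    int err = 0; socklen_t len = sizeof err;
    if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) < 0) return -1;
    if (err != 0) { errno = err; return -1; }
    return 0;
}

/* Listener plus non-blocking client in one process; 0 on a successful round trip. */
int demo_roundtrip(const char *path)
{
    int srv = make_listener(path);
    if (srv < 0) return -1;
    int cli = socket(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK, 0);
    int rc = (cli >= 0) ? connect_with_timeout(cli, path, 1000) : -1;
    int acc = (rc == 0) ? accept(srv, NULL, NULL) : -1;
    if (acc >= 0) close(acc);
    if (cli >= 0) close(cli);
    close(srv);
    unlink(path);
    return (rc == 0 && acc >= 0) ? 0 : -1;
}

int main(void)
{
    int rc = demo_roundtrip("/tmp/sm-example-connect.sock");   /* constructed path */
    printf("round trip: %s\n", rc == 0 ? "ok" : strerror(errno));
    return rc == 0 ? 0 : 1;
}
```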

Enhance logs in case of writing errors & socket problems 58/200858/3
Tomasz Swierczek [Tue, 5 Mar 2019 06:26:04 +0000 (07:26 +0100)]
Enhance logs in case of writing errors & socket problems

In rare cases security-manager closes connections to clients
and after that tries to write responses to the already closed connections.

With these enhanced logs it would be possible to check whether the closed connections
(already appearing in logs) are for the same socket number as the ignored packets.

Change-Id: Ia105c8731d64d83d8d83182e12ae8adee1b961f0

Release 1.4.14 78/199578/1 accepted/tizen/unified/20190214.060632 submit/tizen/20190213.072219
Tomasz Swierczek [Wed, 13 Feb 2019 06:15:11 +0000 (07:15 +0100)]
Release 1.4.14

* Force logging server-side write() and close() operations
* Add logging response buffer size in debug mode

Change-Id: I8ccbbe45a48e14c7ee43781a7a5c71242fa85c09

Force logging server-side write() and close() operations 17/199517/4
Tomasz Swierczek [Tue, 12 Feb 2019 09:24:34 +0000 (10:24 +0100)]
Force logging server-side write() and close() operations

In some cases on TV, the client gets 0 from recv() while it should receive
an int with status from the server. At the same time, there are no error
logs from the server side and no issues with the systemd service perceived.

This patch is a temporary solution to force logging relevant actions
on server side, to check whether server actually properly processes data.

Logs were added as ErrorLog to make sure these are visible during robustness
tests of TV (where platform code is synced automatically).

This patch WILL BE REVERTED after 31.03

Change-Id: I9284c42b87e49d333261a4dde7aedeae5261343c

Add logging response buffer size in debug mode 16/199516/3
Tomasz Swierczek [Tue, 12 Feb 2019 09:12:01 +0000 (10:12 +0100)]
Add logging response buffer size in debug mode

Change-Id: I551b93aadc5b09b252bb0a0c2a9433c3f57f6491

Release 1.4.13 80/197480/1 accepted/tizen/unified/20190114.060147 submit/tizen/20190111.113023 submit/tizen_5.0/20190114.002221
Dariusz Michaluk [Fri, 11 Jan 2019 10:37:38 +0000 (11:37 +0100)]
Release 1.4.13

* Apply db fallback is present and the db is an empty file
* Loader: add pragma legacy_alter_table for compatibility with sqlite 3.25.2+
* Add missing spaces in log messages

Change-Id: I236b26abb46ad0e8302127e6cb95f7b086220c8d

Apply db fallback is present and the db is an empty file 76/197476/1
Konrad Lipinski [Wed, 9 Jan 2019 12:33:23 +0000 (13:33 +0100)]
Apply db fallback is present and the db is an empty file

Change-Id: Idfa81003639c5452ae85e79257aa5425547d42ea

Loader: add pragma legacy_alter_table for compatibility with sqlite 3.25.2+ 75/197475/1
Konrad Lipinski [Thu, 10 Jan 2019 16:46:20 +0000 (17:46 +0100)]
Loader: add pragma legacy_alter_table for compatibility with sqlite 3.25.2+

Change-Id: Iad4595cb9a12b3ebb23beca092b3057502ef822c

Add missing spaces in log messages 71/196971/1
Pawel Kowalski [Tue, 8 Jan 2019 08:31:06 +0000 (09:31 +0100)]
Add missing spaces in log messages

Change-Id: I6b99ba86b6d2511067a4ac00a082c6584a952d04

Release: 1.4.12 49/195849/1 accepted/tizen/unified/20181220.061549 submit/tizen/20181219.022100 submit/tizen/20181219.065218
Yunjin Lee [Wed, 19 Dec 2018 01:43:16 +0000 (10:43 +0900)]
Release: 1.4.12

* Add core privileges
* Set nullptr to reused data pointer
* Fix issues raised by static analysis
* Change local permissible file location to use UID rather than username

Change-Id: If59a47236554892817a389b3433548a8a59db782
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

Add core privileges 93/195793/1
Yunjin Lee [Tue, 18 Dec 2018 05:47:17 +0000 (14:47 +0900)]
Add core privileges

- autofillmanager: The application with this privilege can manage
installed autofill services. It can set which autofill service to use
and get the currently configured autofill service.

- internal/buxton/systemsettings: Internal privilege to fix
Web setting privilege's level mismatched mapping to the core
systemsettings.admin privilege. The application with this privilege
can read and write buxton keys for homescreen/lockscreen bg image,
incoming call ringtone, and email notification alert tone.

- filesystem.read, filesystem.write: Web filesystem.read and
filesystem.write are public-level privileges and native
systemsettings.admin is a platform-level privilege. They were mapped
because of the 2.X smack rules, but it was checked that Web
filesystem.read/write privileged device APIs are not wrappers of native
systemsettings.admin privileged APIs. Hence, add core privileges for
filesystem.read and filesystem.write separately and remove the mapping to
systemsettings.admin.

Change-Id: I73047f251c280d554ab13b3449eaa768a7ef7a86
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

Set nullptr to reused data pointer 84/195184/1
Zofia Grzelewska [Tue, 11 Dec 2018 10:11:21 +0000 (11:11 +0100)]
Set nullptr to reused data pointer

The data pointer is reused in a loop and should be set to nullptr
after freeing.

Change-Id: If4ab9dd89db73f0dc110279e40bd5608a0eee9d0

Fix issues raised by static analysis 11/193811/1
Konrad Lipinski [Mon, 26 Nov 2018 13:43:37 +0000 (14:43 +0100)]
Fix issues raised by static analysis

Change-Id: I8d8877f933335bf03511264576e15e75896e7411

Change local permissible file location to use UID rather than username 40/193140/6
Tomasz Swierczek [Thu, 15 Nov 2018 06:22:26 +0000 (07:22 +0100)]
Change local permissible file location to use UID rather than username

This is a protection against possible malicious user names.

Change-Id: I4a254fc4f9976fd9bc85d9d4488ba0b49a039da7

Release 1.4.11 28/193628/1 accepted/tizen/5.0/unified/20181205.065328 accepted/tizen/unified/20181123.165012 submit/tizen/20181122.101858 submit/tizen_5.0/20181122.101912 submit/tizen_5.0/20181205.011542
Dariusz Michaluk [Thu, 22 Nov 2018 09:54:32 +0000 (10:54 +0100)]
Release 1.4.11

* Protect security_manager_app_has_privilege with privilege check
* Check some poll() and mount() errors
* Fix documentation headers with required privilege descriptions
* Fix function name spelling error
* Change config.cpp variables to #define

Change-Id: I671eb10c1958b076a8bda3e1bae00c3db8c1539f

Protect security_manager_app_has_privilege with privilege check 52/193152/2
Tomasz Swierczek [Thu, 15 Nov 2018 08:59:13 +0000 (09:59 +0100)]
Protect security_manager_app_has_privilege with privilege check

This API serves data similar to fetching policy but wasn't protected
with a privilege check. This change introduces the same entry checks.

Change-Id: I3fb2be619d05ebc770fd5c3b994baa13ff07c2a0

Check some poll() and mount() errors 78/193178/2
Konrad Lipinski [Thu, 15 Nov 2018 14:26:40 +0000 (15:26 +0100)]
Check some poll() and mount() errors

Change-Id: I62a7769a70dd35f5cfb8ba781216318105844e3f

Fix documentation headers with required privilege descriptions 53/193153/2
Tomasz Swierczek [Thu, 15 Nov 2018 09:22:19 +0000 (10:22 +0100)]
Fix documentation headers with required privilege descriptions

Change-Id: I51a92ec289cdd82cbb8ca5caeaad7ef8bd29f50f

Fix function name spelling error 02/193102/1
Tomasz Swierczek [Wed, 14 Nov 2018 13:20:54 +0000 (14:20 +0100)]
Fix function name spelling error

Change-Id: I66849856b28519b299cd2cc05e55fb3111ce67de

Change config.cpp variables to #define 54/193054/1
Tomasz Swierczek [Wed, 14 Nov 2018 05:58:28 +0000 (06:58 +0100)]
Change config.cpp variables to #define

security-manager may be used in processes with many threads.
Destruction of global variables may be in a race condition with
a child thread's operation & usage of these variables.

While such problem should be fixed in proper threads management,
there may be problems with open-source components that we may
not easily modify (and security-manager provides nss plugin
that may be used in unexpected places).

Change-Id: I057abc0bd2ed8a82d74f3777f6b95d386bc9b9f4

Release 1.4.10 accepted/tizen/5.0/unified/20181108.172404 accepted/tizen/unified/20181107.081818 submit/tizen/20181102.061359 submit/tizen_5.0/20181102.061620
Tomasz Swierczek [Fri, 2 Nov 2018 05:53:45 +0000 (06:53 +0100)]
Release 1.4.10

* Replace runtime production/test db choice with compile-time policy
* Replace smack rule storage with straight-from-db rule loader
* Optimize package installation
* Prevent smack rules leaking during multi-app hybrid pkg uninstall
* Enable additional sqlite pragmas for robustness

Change-Id: Ic7132eef89713d3fb3f41053b156dacf73b28c2f

Replace runtime production/test db choice with compile-time policy 76/191276/1
Konrad Lipinski [Mon, 15 Oct 2018 07:31:41 +0000 (09:31 +0200)]
Replace runtime production/test db choice with compile-time policy

Change-Id: Ia13c7ec92f0ffdf4c2341b395a31b8097b4eeddd

Replace smack rule storage with straight-from-db rule loader 14/189014/38
Konrad Lipinski [Fri, 14 Sep 2018 12:14:17 +0000 (14:14 +0200)]
Replace smack rule storage with straight-from-db rule loader

Details:
* remove %{TZ_SYS_VAR}/security-manager/rules{,-merged} directories
* add security-manager-rules-loader that
** performs database migration/recovery
** writes smack rules from a coherent database directly to load2
* add generate-rule-code generator that translates rule templates
  (*.smack files) into C++ code for use in the loader
* remove security-manager-init-db binary and replace its invocation with
  sh$ security-manager-rules-loader no-load
* replace dd invocation with security-manager-rules-loader in the rule
  loader service
* add explicit dependency to ensure the loader runs before the manager
* refactor manager code
** remove the majority of database migration/recovery code on grounds of
   loader having run beforehand
** replace defensive remnants of said code with an emergency invocation
   sh$ security-manager-rules-loader fallback-only
   to apply fallback on database schema errors
** remove rule file maintenance (not needed anymore)

TODO:
* *.smack template files are still used by the manager at runtime,
  removing them is optional and would require a substantial refactor
  best placed in a separate commit

Pros:
* optimize flash usage (rule files were prone to quadratic explosion)
* solve database-rulefiles coherence problem
* make the rule loader performance more scalable and typically better
* simplify and speed up the manager a bit by dropping rule file code

Change-Id: I7d79d5ec7e66c9dfe6563dbb3f76bf6ab6669589

Optimize package installation 62/190662/1
Konrad Lipinski [Thu, 4 Oct 2018 11:56:14 +0000 (13:56 +0200)]
Optimize package installation

appInstallSmackRules no longer updates the same rules repeatedly for
non-hybrid packages with multiple applications (every application has
the same process label so it's enough to do just one).

Change-Id: I4ba581a9ad5c297f87d591c647a6c56780d4978a

Prevent smack rules leaking during multi-app hybrid pkg uninstall 25/190525/3
Konrad Lipinski [Wed, 3 Oct 2018 09:12:31 +0000 (11:12 +0200)]
Prevent smack rules leaking during multi-app hybrid pkg uninstall

Package hybridity would be detected after database modifications and
change from 1 to 0 for the last application as a result, leading to
wrong process labels being considered (User::Pkg::$pkgName as opposed
to User::Pkg::$pkgName::App::$appName).

Hybridity is now checked ahead of time to prevent the issue.

Change-Id: Ibe08d443d5fe29d36dabd6df023123da82286d21

Enable additional sqlite pragmas for robustness 38/189238/2
Konrad Lipinski [Fri, 14 Sep 2018 12:14:17 +0000 (14:14 +0200)]
Enable additional sqlite pragmas for robustness

Change-Id: Ideaa585912143665ba9e288506af9d41679b029b

Release 1.4.9 accepted/tizen/5.0/unified/20181102.021129 accepted/tizen/unified/20180928.080621 submit/tizen/20180927.110544 submit/tizen_5.0/20181101.000004
Tomasz Swierczek [Thu, 27 Sep 2018 11:02:05 +0000 (13:02 +0200)]
Release 1.4.9

* Add privilege for checking app permission

Change-Id: I4ae3a5301442f05de06554de3673d25e03f670d5

Add privilege for checking app permission 49/189949/2
Pawel Kowalski [Mon, 24 Sep 2018 12:27:50 +0000 (14:27 +0200)]
Add privilege for checking app permission

New privilege http://tizen.org/privilege/permission.check was added
to enable the requesting app to check the permissions of other apps.

Change-Id: Ia0123e4716496852609371c228a41a477e94959e

Release 1.4.8 accepted/tizen/unified/20180920.155219 submit/tizen/20180920.051012
Tomasz Swierczek [Thu, 20 Sep 2018 05:07:19 +0000 (07:07 +0200)]
Release 1.4.8

* Fix security-manager/libsecurity-manager-client cyclic dependency

Change-Id: I5b3b2bd33e7e1b08e4323001fbb1837effaa9666

Fix security-manager/libsecurity-manager-client cyclic dependency 21/189421/2
Dariusz Michaluk [Mon, 17 Sep 2018 12:16:33 +0000 (14:16 +0200)]
Fix security-manager/libsecurity-manager-client cyclic dependency

Change-Id: Ic4c66e520964b54a1f8f6cc273517405d29b6b6a

Release 1.4.7 submit/tizen/20180918.015947
Tomasz Swierczek [Tue, 18 Sep 2018 12:03:10 +0000 (14:03 +0200)]
Release 1.4.7

* Fix build break with 1.65.1 boost version

Change-Id: If2738dfc0ab73111520655c6a6cf75e3aaafcd41

Fix build break with 1.65.1 boost version 54/189554/1
Lukasz Wojciechowski [Tue, 18 Sep 2018 11:50:48 +0000 (13:50 +0200)]
Fix build break with 1.65.1 boost version

This is a quick syntax fix. In other places of security-manager tests
a colon is used after BOOST_GLOBAL_FIXTURE macro usage, see:
tests/security-manager-tests.cpp:53:BOOST_GLOBAL_FIXTURE(TestConfig);
tests/security-manager-tests.cpp:54:BOOST_GLOBAL_FIXTURE(LogSetup);

The macro should be replaced anyway as it is deprecated according
to the boost documentation:
https://www.boost.org/doc/libs/1_65_1/libs/test/doc/html/boost_test/utf_reference/test_org_reference/test_org_boost_global_fixture.html

Change-Id: Ib0ee486ae617b83b6f2e66a1b9b0d158b7cbfbec
Signed-off-by: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>

Release 1.4.6 27/189327/1 accepted/tizen/unified/20180918.062826 submit/tizen/20180917.052721
Yunjin Lee [Mon, 17 Sep 2018 05:05:22 +0000 (14:05 +0900)]
Release 1.4.6

* Add core privilege: updatecontrol.admin and permission.check

Change-Id: Ic5cdbb475338ca26a37e3cc9b60bd6944563dba7
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

Add core privilege: updatecontrol.admin and permission.check 17/189317/1
Yunjin Lee [Mon, 17 Sep 2018 04:46:03 +0000 (13:46 +0900)]
Add core privilege: updatecontrol.admin and permission.check

- updatecontrol.admin allows app to control system software update
procedure

- permission.check allows app to get other apps' permission statuses

Change-Id: I122c9734f9e5bc8b17387724cc05146193f3fd8c
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

Release 1.4.5 26/189126/1 accepted/tizen/unified/20180914.073215 submit/tizen/20180913.140552
Dariusz Michaluk [Thu, 13 Sep 2018 13:19:48 +0000 (15:19 +0200)]
Release 1.4.5

* Move standard users group management from GUM to security-manager
* Lazily initialize variables that need tz-platform-config
* Attempt database fallback recovery on some schema errors
* Change naming of recovery-management file & functions
* Optimize application uninstallation
* Simplify array size calculation
* Prefer std::vector::emplace_back to push_back in db code

Change-Id: I51d8c32ae4ff0ad40408440526c02c7575350d0f

Move standard users group management from GUM to security-manager 49/186449/4
Karol Lewandowski [Wed, 12 Sep 2018 14:33:53 +0000 (16:33 +0200)]
Move standard users group management from GUM to security-manager

Till now, users created with "gum" tools were added
to a predefined set of supplementary groups - audio,
display, video.  This gave the users the permissions needed
to access various device nodes.

Unfortunately, this model does not work with multiple
"passwd/group" databases - /etc/{passwd,group} on read-only
storage, /opt/etc/{passwd,group} on read-writable storage.
This is because to assign user 'kitty' to some system
group - defined in /etc/group - this file would need to be
modified, i.e.

  video:x:44:media,system,multimedia_fw,owner,kitty

As noted - this can not be done because /opt/group is
supposed to be on read-only storage.

To address this issue security manager is used.  It does
already provide NSS module which can assign logged in users
to predefined groups.  The groups membership is based on
privileges assigned to given user type.

This commit:
 - introduces three new privileges
 - introduces mapping from new privileges to Unix groups
 - assigns the new privileges to 'admin', 'normal', 'security',
   'system' & 'guest' users
 - adds the new privileges to global & local manifests

Change-Id: I465acc69cfa92bd4162f5aa603696bdfa7ace64e

6 years ago Lazily initialize variables that need tz-platform-config 36/187936/5
Krzysztof Jackiewicz [Wed, 29 Aug 2018 13:12:11 +0000 (15:12 +0200)]
Lazily initialize variables that need tz-platform-config

Recent change in tz-platform-config made it use libc API for accessing
passwd/groups databases. As a result, each call to tz-platform-config will make
NSS load security-manager's NSS plugin with all dependent libraries initializing
their global variables.

The common library which is linked with the nss plugin initializes two global
variables that use tz-platform-config, which leads to a recursive call
prohibited by NSS.

This commit makes these variables lazily initialized to avoid the call to
tz-platform-config in security-manager's nss plugin initialization.

Change-Id: Ie290051f3d3d11c1b5f980d2cba683350a639042

6 years ago Attempt database fallback recovery on some schema errors 47/188047/3
Konrad Lipinski [Thu, 30 Aug 2018 14:04:38 +0000 (16:04 +0200)]
Attempt database fallback recovery on some schema errors

Done per HQ request for extra robustness in the face of unforeseen
database corruption.

Schema error detection amounts to preparing sqlite query templates. It
takes place at the end of database connection bringup (once the database
is verified to be up to date and passes integrity checks) by means of
calling sqlite3_prepare_v2 for every statement template ever to be used
at runtime. Sqlite statement compilation may fail due to lack of schema
compatibility.  If such a failure occurs, fallback recovery is attempted
unless already tried.

Change-Id: I6ef8a262f8db11552f3e92ed3a601227558c3899

6 years ago Change naming of recovery-management file & functions 73/187773/4
Tomasz Swierczek [Tue, 28 Aug 2018 08:35:19 +0000 (10:35 +0200)]
Change naming of recovery-management file & functions

The flag file is a sign for other system components to
feed DB with user-installed-apps, so they'd probably want to
know that DB 'was recovered' to initial state, rather than
know that 'DB used to be broken' (if the DB was broken,
and recovery to initial state is not successful, system
will not boot properly anyway).

Change-Id: Icc3b71b56c8299ba37a3acf3b8f20667af352e15

6 years ago Optimize application uninstallation 89/187489/3
Konrad Lipinski [Thu, 23 Aug 2018 14:03:58 +0000 (16:03 +0200)]
Optimize application uninstallation

Many operations were needlessly performed. Mitigated some of those
deficiencies by constraining lifetimes of some automatic variables and
hoisting redundant operations out of the loop.

Change-Id: I19e37f1cb73ec57ecf525b7bc125d0e2e90cc573

6 years ago Simplify array size calculation 55/186255/3
Krzysztof Jackiewicz [Wed, 8 Aug 2018 09:27:10 +0000 (11:27 +0200)]
Simplify array size calculation

Change-Id: I8d5af79702a1b4b2e61813b99a246fbbac559320

6 years ago Prefer std::vector::emplace_back to push_back in db code 93/187493/3
Konrad Lipinski [Thu, 23 Aug 2018 15:08:06 +0000 (17:08 +0200)]
Prefer std::vector::emplace_back to push_back in db code

Rationale: promote efficient idioms.

Change-Id: Idc7f48c9b8a4e32a3a21de0fc234b705d51e69ec

6 years ago Release 1.4.4 82/187582/2 accepted/tizen/unified/20180827.071635 submit/tizen/20180824.134752
Tomasz Swierczek [Fri, 24 Aug 2018 09:47:51 +0000 (11:47 +0200)]
Release 1.4.4

* Initialize database and restart service in policy-reload
* Give internet privilege to kernel thread(@)
* Add error logs when translating group names to gids
* Drop unused destroyAt()
* Fix: Remove all SharedRO rules after pkg uninstallation.
* Fix: launch security-manager-cleanup after /opt/usr is mounted.
* Remove fileExists() duplicates
* Add Apache 2.0 license header
* Change way of displaying performance test results
* Rework security-manager-migration script as a policy update script
* Remove unused source code

Change-Id: I8a25e757ad5f0c7d4f4596f6b1743049ac8252fb

6 years ago Initialize database and restart service in policy-reload 72/187472/10
Konrad Lipinski [Thu, 23 Aug 2018 11:57:03 +0000 (13:57 +0200)]
Initialize database and restart service in policy-reload

Added the security-manager-cmd --init-db option that replicates manager
startup database bringup semantics.

Amended security-manager-policy-reload.in to:
* stop the service before inserting into the database to avoid
  concurrent modification
* call security-manager-cmd --init-db to make sure the database exists
  and is coherent prior to modifying it
* perform the database transaction
* start the service so that it reads the modified database

Rationale: prior to the patch, the manager would work on stale data as
the service was already running during policy-reload invocation.

While at it, homogenized systemctl {start,stop} invocations.

Said invocations are now of the form:
systemctl {start,stop} security-manager.service security-manager.socket

Rationale:
* strive for code uniformity
* leverage systemd's automatic dependency resolution
* speed up a bit

Change-Id: I21b254345abaa617b6a389dfd060fb4a4799a148

6 years ago Give internet privilege to kernel thread(@) 07/185107/2
jin-gyu.kim [Wed, 11 Jul 2018 05:32:11 +0000 (14:32 +0900)]
Give internet privilege to kernel thread(@)

In some cases, sending a DNS packet is blocked by Nether.
This is because the packet has the "@" label, which seems to originate from the kernel.
All packets marked as "@" need to be passed, so give them the default cynara rule.

Change-Id: I4a2ba553738c8be783401ca3e71bf69b942f5496

6 years ago Add error logs when translating group names to gids 54/187454/2
Tomasz Swierczek [Thu, 23 Aug 2018 08:59:13 +0000 (10:59 +0200)]
Add error logs when translating group names to gids

Daemon or client failure is probably the best way to fail-early
in case of bad system config; however, system logs should have clear information
on what has failed in such case.

Change-Id: Ia119bac5795b5a38e4004b7d66c8a64f3a45ac69

6 years ago Drop unused destroyAt() 59/187159/2
Konrad Lipinski [Mon, 20 Aug 2018 09:31:29 +0000 (11:31 +0200)]
Drop unused destroyAt()

Change-Id: Ib04ce2151ab1625dab729ea098f7ccba00b3561e

6 years ago Fix: Remove all SharedRO rules after pkg uninstallation. 36/184636/9
Dariusz Michaluk [Tue, 17 Jul 2018 16:34:16 +0000 (18:34 +0200)]
Fix: Remove all SharedRO rules after pkg uninstallation.

Change-Id: Icf7d14507170bc98f61a7aaa3f5f37437b769bb9

6 years ago Fix: launch security-manager-cleanup after /opt/usr is mounted. 40/183240/11
Dariusz Michaluk [Tue, 3 Jul 2018 14:06:10 +0000 (16:06 +0200)]
Fix: launch security-manager-cleanup after /opt/usr is mounted.

Change-Id: I1f6f4b2a9b9712ee5ed1a1a539a3059249a90b04

6 years ago Remove fileExists() duplicates 56/186956/1
Dariusz Michaluk [Thu, 16 Aug 2018 09:49:30 +0000 (11:49 +0200)]
Remove fileExists() duplicates

Change-Id: I1ec14dd6d1a60bc481dbe04ec21e70be70c8715e

6 years ago Add Apache 2.0 license header 94/186894/1
Pawel Kowalski [Thu, 16 Aug 2018 09:41:20 +0000 (11:41 +0200)]
Add Apache 2.0 license header

Change-Id: I43fefb11a6998097c778d76e6d08cab211206d20

6 years ago Change way of displaying performance test results 90/170390/7
Zofia Grzelewska [Mon, 19 Feb 2018 17:51:47 +0000 (18:51 +0100)]
Change way of displaying performance test results

Performance tests didn't show enough info about test parameters.
Ratios differ greatly between test cases, so it is nice to have
more information as to why it might be this way.
Added displaying of initial db size and for how many apps
app-defined privileges were installed.
Also changed test names to better describe the test case.

Change-Id: Icd1816ec56fd70d15d717231c0b70dc25964741e

6 years ago Rework security-manager-migration script as a policy update script 04/158404/5
Rafal Krypa [Mon, 30 Oct 2017 14:39:36 +0000 (15:39 +0100)]
Rework security-manager-migration script as a policy update script

This was the first policy migration script that appeared
in security-manager. It should have been adopted by the policy update framework
that was introduced later, but it was overlooked.
In order to merge these update infrastructures, the migration directory is
removed and the original migration script is renamed and adapted as the
version 1 policy update, which was previously a no-op.

Change-Id: I96c84103d9eda0746bd8d919bc6dd42c3a50a232
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
6 years ago Remove unused source code 38/186138/2
Dariusz Michaluk [Tue, 7 Aug 2018 11:27:58 +0000 (13:27 +0200)]
Remove unused source code

Change-Id: I40230e07b459d73907986ba916e1e15628e5d9cb

6 years ago Release 1.4.3 accepted/tizen/unified/20180810.062838 submit/tizen/20180808.100258
Tomasz Swierczek [Tue, 7 Aug 2018 06:43:56 +0000 (08:43 +0200)]
Release 1.4.3

* Add removal of DB broken flag before attempt to setup DB
* Add database snapshotting and recovery
* Pull db migration into manager binary at startup
* Sanitize privilege_db query storage
* Fix memleak in PrivilegeDb()
* Add /opt/usr/media to privilege-mount.list again
* Retrieve package manager privilege from User::Shell client
* Make spec compliant with gbs --incremental
* Add TZ_SYS_MEDIASHARED to privilege-mount.list
* Change log message in realPath
* Make server keep its original log tag
* Fix hybrid pkg uninstallation

Change-Id: I9b410a6c9ceed3d63a13265aad7d33e858e37c8c

6 years ago Add removal of DB broken flag before attempt to setup DB
Tomasz Swierczek [Tue, 7 Aug 2018 05:26:55 +0000 (07:26 +0200)]
Add removal of DB broken flag before attempt to setup DB

This way, we ensure that on next booting there will be no information
on previous problems (the flag exists to tell other system components
that user-installed applications require re-registration in security-manager).

Change-Id: I5c7a9962adeb66125664f9a6c293355136456ded

6 years ago Add database snapshotting and recovery
Konrad Lipinski [Fri, 20 Jul 2018 13:29:00 +0000 (15:29 +0200)]
Add database snapshotting and recovery

A snapshot of a working database can be established by running
  security-manager-cmd --backup
This effectively copies "$TZ_SYS_DB/.security-manager.db" over
"$TZ_SYS_RO_SHARE/security-manager/.security-manager.db" (journal is not
being copied).

NOTE: backup does not check for concurrent access of the db file so the
user has to make sure no concurrent modification takes place in the
interim.

The manager performs an integrity check of the database at every startup
(see below). If the check fails, it truncates the database journal and
overwrites the database file with the latest snapshot, then reattempts
connection, migration and redoes the integrity check on the resulting
database.

As a first shot, integrity check uses the most aggressive possible form
achievable by sqlite pragmas by
* checking if the file exists (to prevent sqlite autovivifying it)
* checking 'pragma integrity_check'
* checking 'pragma foreign_key_check'

TODO: for product acceptance, actual latency introduced by the integrity
check should be measured. If too high, the check can be made faster by
* dropping foreign_key_check
* replacing integrity_check with quick_check

To help make the decision, lax measurements were taken using
  time sqlite3 >/dev/null /opt/dbspace/.security-manager.db 'pragma..'
time[ms] foreign_key_check integrity_check quick_check
TM1                     17              20          18
emulator                 5               2           2

Change-Id: I01a4ed0879b10bdcadde78ab086776420850e13c
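
The startup integrity check and snapshot fallback described in this message, as an added example (not security-manager's own code): it checks that the db file exists, runs 'pragma integrity_check' and 'pragma foreign_key_check', and on failure truncates the journal and copies the snapshot over the db file before re-checking once. The schema, file names and the single-retry rule are assumptions made for the example.

```python
import os
import shutil
import sqlite3


def db_passes_checks(path):
    """Return True only if the file exists (so sqlite does not autovivify
    an empty db), 'pragma integrity_check' answers 'ok' and
    'pragma foreign_key_check' reports no dangling references."""
    if not os.path.isfile(path):
        return False
    try:
        con = sqlite3.connect(path)
        try:
            ok = con.execute("pragma integrity_check").fetchone()[0] == "ok"
            fk_violations = con.execute("pragma foreign_key_check").fetchall()
            return ok and not fk_violations
        finally:
            con.close()
    except sqlite3.DatabaseError:
        # e.g. "file is not a database" when the header is corrupt
        return False


def open_with_fallback(path, snapshot):
    """Return (connection, recovered). If the check fails, truncate any
    stale journal, overwrite the db with the snapshot and check again
    (one retry only, as an assumption of this example)."""
    if db_passes_checks(path):
        return sqlite3.connect(path), False
    journal = path + "-journal"
    if os.path.exists(journal):
        open(journal, "w").close()  # truncate, do not replay
    shutil.copyfile(snapshot, path)
    if not db_passes_checks(path):
        raise RuntimeError("database unrecoverable even from snapshot")
    return sqlite3.connect(path), True


def make_sample_db(path):
    """Constructed sample schema (hypothetical, not security-manager's)."""
    con = sqlite3.connect(path)
    con.executescript(
        "create table pkg(id integer primary key, name text);"
        "create table app(id integer primary key,"
        "                 pkg_id integer references pkg(id));"
        "insert into pkg values(1, 'pkg1');"
        "insert into app values(1, 1);"
    )
    con.commit()
    con.close()
```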

6 years ago Pull db migration into manager binary at startup
Konrad Lipinski [Mon, 16 Jul 2018 09:28:14 +0000 (11:28 +0200)]
Pull db migration into manager binary at startup

Done at VD's request to make concurrent db access less likely. Update
scripts and the schema are no longer present at runtime. Migration is
performed in privilege_db.h instead, based on src/gen/db.h generated at
build time from db/{db.sql,updates/*}.

Change-Id: I35e09390b45b4b82a892f92f356eba6f55287268

6 years ago Sanitize privilege_db query storage
Konrad Lipinski [Thu, 12 Jul 2018 15:28:29 +0000 (17:28 +0200)]
Sanitize privilege_db query storage

* replace PrivilegeDb::Queries map with a static array
* replace PrivilegeDb::m_commands vector with a fixed size array
* make module require C++ 14

Rationale:
* safety
* efficiency
* memory footprint

Change-Id: If69ab4525c293ae836c1d35af19b8cebf7bbff57

6 years ago Fix memleak in PrivilegeDb() 16/184216/10
Konrad Lipinski [Fri, 13 Jul 2018 11:21:59 +0000 (13:21 +0200)]
Fix memleak in PrivilegeDb()

PrivilegeDb::mSqlConnection would leak if an exception was thrown during
PrivilegeDb().

Solved by:
* making PrivilegeDb::mSqlConnection a member
* making SqlConnection() noexcept
* making SqlConnection::Connect() public

Devirtualized and simplified some parts while at it.

Change-Id: I48947fd63b6ea4a72fcd86491417f83a303ec238

6 years ago Remove dependency on libslp-db-util 31/168731/4
Rafal Krypa [Mon, 22 Jan 2018 11:54:14 +0000 (12:54 +0100)]
Remove dependency on libslp-db-util

DPL class SqlConnection had some small dependency on db-util, but this
code path was never used in security-manager.
Remove dependency to reduce memory requirements.

Change-Id: I5551f71a7f665886aa6717bb3b39f0ce8e30ffb5
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
6 years ago Cleanup: remove unused and duplicated macros 95/89195/3
Radoslaw Bartosiak [Thu, 22 Sep 2016 10:23:48 +0000 (12:23 +0200)]
Cleanup: remove unused and duplicated macros

Change-Id: I2ded9109ae8b68c8879f649f0abf86eb4c0062d8
Signed-off-by: Radoslaw Bartosiak <r.bartosiak@samsung.com>
6 years ago Add /opt/usr/media to privilege-mount.list again 33/185633/4
jin-gyu.kim [Wed, 1 Aug 2018 07:57:05 +0000 (16:57 +0900)]
Add /opt/usr/media to privilege-mount.list again

"/opt/usr/media" was removed in commit 23b4001.
It was wrong, because app's mount namespace is set as SLAVE after unshare().
In case of SLAVE, "/opt/usr/media" is not changed by dummy mount to TZ_USER_CONTENT.
Therefore, it should be added in the list again.

Change-Id: I504c3c8dcdac8e9b31a61dfc03c66abf09a386bc

6 years ago Retrieve package manager privilege from User::Shell client 93/180293/2
jin-gyu.kim [Thu, 24 May 2018 08:23:07 +0000 (17:23 +0900)]
Retrieve package manager privilege from User::Shell client

When a user uses dbus-send in the shell process, these privileges can be allowed.
Therefore, privilege checks for these were meaningless.
pkgcmd tools will have the "System" execute label,
so we can remove these privileges from the User::Shell client.

Change-Id: I56bb4c3d2ef270fada6ce8725eccb4390e2b718f

6 years ago Make spec compliant with gbs --incremental 51/183551/1
Konrad Lipinski [Fri, 6 Jul 2018 10:39:14 +0000 (12:39 +0200)]
Make spec compliant with gbs --incremental

According to [1], %prep section of the spec file should contain a single
%setup macro, nothing else. According to [2], manifest files are best
copied to %{buildroot}%{_datadir} in the %install section.

Moved manifest copy operations from %prep to %install accordingly.

As a byproduct, got a warning about an installed but unpackaged file:
  security-manager-tests.manifest
Corrected the '%files -n security-manager-tests' accordingly by spelling
out the file name verbatim.

References
[1] https://source.tizen.org/documentation/reference/git-build-system/usage/gbs-build
[2] https://wiki.tizen.org/Security/Application_installation_and_Manifest

Change-Id: I29beaccfc83ae65698833696497c0f8791651ffc