Tomasz Swierczek [Wed, 14 Jun 2023 07:45:05 +0000 (09:45 +0200)]
Change the way threads are checked at the end of prepare_app call
It was verified experimentally(*), that even if functions:
(1) smack_set_label_for_self()
(2) cap_set_proc()
have successfully changed process (main thread) security attributes,
even then /proc can contain stale/older data when implementation
in file:
check-proper-drop.cpp (the client side)
is checking whether all threads are properly synchronized.
Assuming mentioned functions operate properly and we trust their
return values, we can assume that checking in check-proper-drop.cpp
can be limited to checking if any new thread was spawned that was not
on the list of threads during call to function:
security_manager_sync_threads_internal()
This way, we're not relying on contents of /proc in terms of actual
security attributes, just the list of thread-IDs.
(*)
Following error (abort in client library) has been detected during
automated testing of VD image:
19548.940 E/SECURITY_MANAGER_CLIENT(P11930, T11930): check-proper-drop.cpp: checkThreads(175) > Offending taskId is: 11930
which means, that even though (1) and (2) succeeded for current taskId
(these had to, analysing the logic of our client library), there was an issue
in checking the contents of /proc for current taskId.
Change-Id: Ida49acd8981eea8c3df30ef32f23a1f4b0ef1ae3
Tomasz Swierczek [Tue, 30 May 2023 12:24:33 +0000 (14:24 +0200)]
Release 1.8.2
* Abort app candidate process in case of wrong setup
Change-Id: I13c0e803d1a39b50f4956b5fbb8facd7d8eea3cd
Tomasz Swierczek [Tue, 30 May 2023 11:46:12 +0000 (13:46 +0200)]
Abort app candidate process in case of wrong setup
When offending thread with higher privileges is detected,
new error log is added and security-manager-client library
forces entire app candidate process to abort.
This will effectively block possibility of privilege escalation
if a new thread was spawned ie. by Chromium during prepare_app call.
Abort will also generate coredump, making it easier to debug
the source of offending thread.
Change-Id: I16772d0e51aa112548acb64f7b82ccf87948ded9
Tomasz Swierczek [Wed, 24 May 2023 12:54:55 +0000 (14:54 +0200)]
Release 1.8.1
* Optimize operations on file with list of Smack labels
* Change order of items checking during getDirectoryContents() loop
* Small fixes in unit tests
Change-Id: I2acc5605bb54366700f1c05f4b856b96b1f82d70
Tomasz Swierczek [Mon, 8 May 2023 09:20:18 +0000 (11:20 +0200)]
Optimize operations on file with list of Smack labels
There's no need to call DB and tz-platform-config for each
label of given user; it makes sense to re-use the fact
that update is called always on update/install/uninstall of precisely
specified package, so changes only affect labels of that package,
be it removal or addition to the set.
Change-Id: I88686341fc49186afe60ed9f86dbdb98c1258064
Tomasz Swierczek [Tue, 2 May 2023 06:44:53 +0000 (08:44 +0200)]
Change order of items checking during getDirectoryContents() loop
Previously, the function called fstatat() even on . and .. which
could have been not wanted by the caller to get listed/analyzed.
This change was inspired by an issue where an error happened during
call to prepare_app() - error happened on calling fstatat(), during
checking if threads properly dropped capabilities/changed labels;
error was in accessing ".." element inside /proc/self/task,
while the audit logged, at the same time, a Smack error of access
attempt from label User::Pkg::<ID> to System::Privileged on
proc filesystem.
While this change doesn't fix that issue on its own, it optimizes
the code.
Change-Id: I83fda49530fb32776cf6edcc364dc574a7ee08f9
Tomasz Swierczek [Wed, 22 Feb 2023 14:22:05 +0000 (15:22 +0100)]
Small fixes in unit tests
Spellcheck & another few negative tests for filesystem.
Change-Id: If905479a78f29f341487168483e2b68c13da0ee4
Tomasz Swierczek [Tue, 21 Feb 2023 09:11:54 +0000 (10:11 +0100)]
Release 1.8.0
Package versioning bump to 1.8.X as Tizen 6.5 got update
(non-fast-forward) to 1.7.14.
This release is intended for tizen and tizen_7.0 branches.
Change-Id: I0c7fe641bb210c7ccfe5bf2e5db59f943083c9f4
Tomasz Swierczek [Thu, 2 Feb 2023 06:28:39 +0000 (07:28 +0100)]
Release 1.7.13
* Fix static analysis
Change-Id: I04137e1db4e557a6b4cdc828541773a2fad9b955
Tomasz Swierczek [Thu, 26 Jan 2023 10:19:22 +0000 (11:19 +0100)]
Fix static analysis
Printing moved object is useless, even in debug logs.
The order of operation (logging vs moving) was changed.
Change-Id: I49ad49991e773ecf5ac65aa331b1cfb2bf1ad7cc
Tomasz Swierczek [Thu, 22 Dec 2022 10:30:01 +0000 (11:30 +0100)]
Release 1.7.12
* Change some logs into warnings
Change-Id: Ic77c3be5eb1b28648fecdce67ae14ebae9bac0d5
Tomasz Swierczek [Thu, 15 Dec 2022 11:54:50 +0000 (12:54 +0100)]
Change some logs into warnings
Per specific request of Visual Display Division.
Change-Id: I4e5f579dafa16aab7f7f443a9f57e15c443862b4
Tomasz Swierczek [Mon, 28 Nov 2022 11:13:28 +0000 (12:13 +0100)]
Release 1.7.11
* Add additional logs to security-manager
Change-Id: I430b7392a2176330b1fce3054a1ba1ca5ec49af6
Tomasz Swierczek [Mon, 28 Nov 2022 11:11:50 +0000 (12:11 +0100)]
Add additional logs to security-manager
Per explicit request of Visual Display division.
One log changed to warning, also for specific request.
Change-Id: I6fbfc528002a78afd78e60699e342795248f4a1b
Tomasz Swierczek [Tue, 22 Nov 2022 09:53:19 +0000 (10:53 +0100)]
Release 1.7.10
* Disable LTO
Change-Id: If7bb805b212c5574a6cb501cb3893c2f037c9235
Tomasz Swierczek [Tue, 22 Nov 2022 09:44:42 +0000 (10:44 +0100)]
Disable LTO
In case LTO is enabled, function defined in asm (and declared as such)
generates error at linking stage (client-security-manager.cpp, function
__restore_rt).
Change-Id: I31ff9de14755b9b531f25e777c439f7153c6548c
Tomasz Swierczek [Thu, 10 Nov 2022 14:31:26 +0000 (15:31 +0100)]
Release 1.7.9
* Change delay for setting cpu_inheritance
Change-Id: I5e362885ee4029b67062247011fd9d55a2942739
Tomasz Swierczek [Thu, 10 Nov 2022 14:31:08 +0000 (15:31 +0100)]
Change delay for setting cpu_inheritance
Change-Id: If46ba6429226c4fcd7a64179fb93d715c84f1635
Tomasz Swierczek [Mon, 17 Oct 2022 11:38:07 +0000 (13:38 +0200)]
Release 1.7.8
* Change logic of security_manager_app_update()
Change-Id: If230c9a5aa87b294066c830b9582b678c6e6ad1c
Tomasz Swierczek [Mon, 17 Oct 2022 08:31:09 +0000 (10:31 +0200)]
Change logic of security_manager_app_update()
Now the function allows to update package & remove not-requested
appIds present before even if no hybrid status change has been done.
Change-Id: I3f13dddd726c57e6a1572ce3a608eaf16768ad55
Tomasz Swierczek [Wed, 7 Sep 2022 06:33:51 +0000 (08:33 +0200)]
Release 1.7.7
* Appease SVACE
Change-Id: If5cdbb74949e2728859bbdb73be17a6626f05b4d
Konrad Lipinski [Wed, 24 Aug 2022 12:07:36 +0000 (14:07 +0200)]
Appease SVACE
Change-Id: I9da1046731377e5c47096f34769f38aa67a23ae2
Konrad Lipinski [Thu, 11 Aug 2022 10:49:58 +0000 (12:49 +0200)]
Release 1.7.6
* Fix out of bounds socket description vector access
* Delay service thread construction until dependencies are initialized
* Decrease message buffer test payload size to avoid bad_alloc
* Refactor errno logging
Change-Id: I8287171336f96d277ea7608213cb5b26c5901dbb
Konrad Lipinski [Thu, 11 Aug 2022 08:50:44 +0000 (10:50 +0200)]
Fix out of bounds socket description vector access
Change-Id: Iacfa7ad31ad1aa5e7f4743fc114e283acc58af8e
Konrad Lipinski [Thu, 11 Aug 2022 08:30:16 +0000 (10:30 +0200)]
Delay service thread construction until dependencies are initialized
Change-Id: I386c56804eae770e0bb90acbecc705d14010d804
Konrad Lipinski [Wed, 10 Aug 2022 15:23:54 +0000 (17:23 +0200)]
Decrease message buffer test payload size to avoid bad_alloc
Change-Id: I24c1b17e5b8e8d224b7c8d47dbe0942467e528bf
Konrad Lipinski [Tue, 2 Aug 2022 13:33:07 +0000 (15:33 +0200)]
Refactor errno logging
* Macros to factor out common patterns.
* Minor error detection optimization at sites that happened to be nearby.
Change-Id: Ibd14776e5d52fa59c00098317bc8031fb351eb0b
Konrad Lipinski [Thu, 4 Aug 2022 14:07:37 +0000 (16:07 +0200)]
Release 1.7.5
* Add subsession bind mount isolation
Change-Id: Idee1eac89d529884900b97847b64ad239d4252b7
Konrad Lipinski [Tue, 26 Jul 2022 10:52:49 +0000 (12:52 +0200)]
Add subsession bind mount isolation
By introducing prepare_app2(app_id, subsession_id) and implementing
prepare_app(app_id) as prepare_app2(app_id, nullptr). Null subsession_id
indicates the default subsession.
The selected subsession is mounted over the "apps_rw" directory. Other
subsessions are hidden by mounting an empty directory over the user's
"subsession" directory if it exists.
Change-Id: I19c884bdd64c53b82fef3447470378c8a8cfae3e
Konrad Lipinski [Wed, 3 Aug 2022 10:15:39 +0000 (12:15 +0200)]
Release 1.7.4
* Drop std::function from try_catch() and friends, deficient edition
* Simplify socket-manager timeout logic
* Switch to CLOCK_MONOTONIC_COARSE
* Refrain from calling sessiond in offline mode
* Prioritize requests based on cpu boosting level
* Simplify service and IO thread's class hierarchies
* Make socket manager counters more robust
* Refactor MessageBuffer and dependencies
Change-Id: Id35cf58156eef658907b312df06637e51ce5e9dd
Konrad Lipinski [Mon, 16 May 2022 17:39:29 +0000 (19:39 +0200)]
Drop std::function from try_catch() and friends, deficient edition
When used as an argument to try_catch() and similar functions,
std::function may potentially introduce runtime overhead on the
exception-free path, possibly even allocate (and thus throw
std::bad_alloc).
This can be prevented by rewriting try_catch() as a generic wrapper with
perfect forwarding.
This has been coded deficiently on purpose, refusing to leverage any and
all kinds of bloat reduction opportunities. For the rationale, please
consult code review participants as I have none to give.
"I'm only following orders."
- A nameless soldier
Change-Id: I00adf24213a2e6bf8d148db8375a14200c64ff4f
Konrad Lipinski [Mon, 18 Jul 2022 08:14:44 +0000 (10:14 +0200)]
Simplify socket-manager timeout logic
The intention of the timeout logic is to close stale sockets (ones that
have been inactive for SOCKET_TIMEOUT seconds). The closure doesn't
really have to happen immediately after that, as long as it happens
eventually when, say, security-manager's IO thread wakes up.
* use select() without timeout
* replace timeout priority queue with generation-based management
* each generation lasts at least SOCKET_TIMEOUT seconds
* maintain per-socket activity booleans for the current generation
* a socket becomes active when performing or getting primed for IO
* when a new generation begins, loop through all sockets, time out all
inactive ones, set all remaining to inactive
Change-Id: I50a06f1566806fa9d7d69fe2367d6ade0f93acf5
Konrad Lipinski [Tue, 2 Aug 2022 07:35:50 +0000 (09:35 +0200)]
Switch to CLOCK_MONOTONIC_COARSE
All uses of clock_gettime() are fine with coarse granularity. Renamed
monotonicNow() to monotonicCoarseNow() to reflect that.
Change-Id: Id60e79ca28a888ad98907184b7c11dd9d0b4aeee
Konrad Lipinski [Thu, 28 Jul 2022 07:53:10 +0000 (09:53 +0200)]
Refrain from calling sessiond in offline mode
Change-Id: I0e182d45f75cc99cbc11d692c29e6c7c0bcc0719
Konrad Lipinski [Wed, 13 Jul 2022 14:46:48 +0000 (16:46 +0200)]
Prioritize requests based on cpu boosting level
There are three boosting levels at present, hence three distinct
priorities are introduced. Since the priority space is small, the
priority queue is implemented via an array of FIFO queues.
CPU priority inheritance from client to server is also included.
The boosting level and priority inheritance facilities are provided by
the capi-system-resource module. According to said facilities'
designers, querying the boosting level is most efficient when done
directly in the queried thread. Thus, when making a security manager
client request, the boosting level is obtained and prepended to the
request payload. This is also makes requests atomic and mitigates the
potential for priority races.
Change-Id: Icc10fb5e40fa74eafe16726d28ac66cd8b560810
Konrad Lipinski [Wed, 20 Jul 2022 11:57:14 +0000 (13:57 +0200)]
Simplify service and IO thread's class hierarchies
* get rid of useless Generic* and Base* classes that do nothing
* shift what little functionality they provided to other entities
* make a few leaf classes final
* devirtualize a few methods across the hierarchy, either by making them
local or via CRTP
* replace the virtual Event hierarchy and handlers by a single
statically known Event type
Change-Id: Id3afef98ff99a5b0eb3966f1cfdf0dcaa52cd909
Konrad Lipinski [Wed, 13 Jul 2022 13:25:52 +0000 (15:25 +0200)]
Make socket manager counters more robust
Now that the service no longer needs to maintain a dictionary of all
socket connections, socket counters no longer need to be globally
unique. The only remaining use for those counters now involves checking
whether a particular socket descriptor has gone stale. Per-descriptor
counters are enough for that, incremented every time a particular
descriptor is reopened.
* use per-socket counters instead of a global one
* use unsigned for guaranteed wraparound
* increment counter when closing instead of when opening to make the
check for isOpen unnecessary when checking connections enqueued in
m_closeQueue or m_writeBufferQueue
Change-Id: I5b9102c6fe3f9eb183ce456d1334173ac37aab4b
Konrad Lipinski [Tue, 12 Jul 2022 09:01:37 +0000 (11:01 +0200)]
Refactor MessageBuffer and dependencies
Security manager's protocol assumes there's at most one message in
flight per connection at any given time. The MessageBuffer class can
hold one such message in various stages of completion, assembled via
either input or serialization and disposed of via either output or
deserialization.
This conceptual interface can be satisfied in a much simpler way than
what's currently present. All that is require for a MessageBuffer is a
single contiguous memory block and a little management on the side
(the block's size, the message size, offset into the block).
Since the protocol has the payload size stored as a size_t header prior
to a message's payload, there's no need to even store it separately - it
can be stored before the payload, just as in the protocol.
Implications:
* less memory copying/shuffling
* read the full message directly into a buffer in binary form
* deserialize directly from that buffer (no Pop(), no copies)
* reuse the buffer space for serialization of the return message
* output the return message into the socket without copying
* socket manager now assembles full messages before handing them to the
service, at no performance hit
* one MessageEvent per socket instead of Accept/Close/Read/Write events
* no need for the service to maintain connection state - it now operates
on a per-message basis
Change-Id: I45f6009ce09ae2f852cfee86a32426389bcf7a30
Konrad Lipinski [Tue, 19 Jul 2022 10:56:07 +0000 (12:56 +0200)]
Release 1.7.3
* Decrease service thread lock thrashing
* Fix subsession paths
Change-Id: I5fafb902584edfb88b6566ace91126cbe44761fa
Konrad Lipinski [Wed, 13 Jul 2022 14:13:55 +0000 (16:13 +0200)]
Decrease service thread lock thrashing
By not releasing the lock right after wait() returns.
Change-Id: Ic689aed448b9a00370252be2b09d7cb653bdcdc5
Konrad Lipinski [Mon, 18 Jul 2022 10:22:49 +0000 (12:22 +0200)]
Fix subsession paths
* place the "subsession" dir in TZ_USER_HOME instead of TZ_USER_APP
* skip over the empty subsession as returned by sessiond
* add sharedRO paths if applicable
* refrain from labelling paths inside skelDir for local installations
* refactor related code to reduce redundancy and improve robustness
Change-Id: I2ede9f53f490c9bf57d390796e2ca5a1774f8a09
Konrad Lipinski [Fri, 15 Jul 2022 08:41:01 +0000 (10:41 +0200)]
Release 1.7.2
* Basic integration with sessiond
* Drop socket manager multi service support
* Handle signals locally in socket manager main loop
* Switch socket manager notification from pipe to eventfd
* Remove unused sendmsg functionality
Change-Id: I9f21d9709dd6d0b7d8b2e446590d738d7f6d7504
Tomasz Swierczek [Wed, 30 Mar 2022 11:40:54 +0000 (13:40 +0200)]
Basic integration with sessiond
Allow ~/subsession/$light_username/apps_rw/$pkgName as legal package
directories as needed by the lightweight multiuser feature.
New paths are in force ONLY for local app installation
(for SM_APP_INSTALL_LOCAL install type in security-manager's API).
Lacks bind-mounting per-user relevant datadirs (separation of user
data). This is supposed to be added at later stage.
Change-Id: Ia042e608781c139651578475c94d4283ddf70a47
Konrad Lipinski [Tue, 12 Jul 2022 14:01:11 +0000 (16:01 +0200)]
Drop socket manager multi service support
That feature has never been used, it's always been dead weight.
Security manager is a single service so that's unlikely to ever change.
Implications:
* no need to store/check interface ID
* one service per socket manager - less bookkeeping, simpler destructor
* socket descriptors now only apply to accepted sockets
Change-Id: I84ce915f0ff6929df45a40a0a8f5cbf7a4214694
Konrad Lipinski [Tue, 12 Jul 2022 11:36:59 +0000 (13:36 +0200)]
Handle signals locally in socket manager main loop
* replace SignalService with a local descriptor
* handle the descriptor directly in the main loop
* drop the now unused m_working and MainLoopStop()
White at it, also drop the harmful TEMP_FAILURE_RETRY when calling
close() on service sockets.
Change-Id: I172456d1762aaed4c4f0dd46a49732aa28d9c5d6
Konrad Lipinski [Tue, 12 Jul 2022 09:49:53 +0000 (11:49 +0200)]
Switch socket manager notification from pipe to eventfd
* use eventfd for a more efficient wakeup mechanism
* handle it directly in the manager thread to reduce thrashing
* drop the now useless DummyService and SIGPIPE-related code
* check m_working in the main loop only if eventfd is ready for reading
Change-Id: I090d90a50f3c789445dd6d0daa637abf0d189348
Krzysztof Jackiewicz [Thu, 7 Jul 2022 12:00:27 +0000 (14:00 +0200)]
Remove unused sendmsg functionality
Kind of reverts
0798413641b7961a0132050aef6bd03270936625
Change-Id: I815e63a370528762f69b760340398e068b541b74
Tomasz Swierczek [Wed, 18 May 2022 07:00:01 +0000 (09:00 +0200)]
Release 1.7.1
* Enhance DB recovery logic
* Minor fix of wording in comment
* Remove unused code
Change-Id: Ide32e4e3257810994bcb8dfe6695c455e5c0007f
Tomasz Swierczek [Thu, 28 Apr 2022 09:13:42 +0000 (11:13 +0200)]
Enhance DB recovery logic
"If we are wise, let us prepare for the worst."
- George Washington
Previously, the logic of DB recovery was:
1. Remove the "-recovered" file flag, IF it survived reboot (shouldn't)
2. Check DB for corruption
3. IF corruption occured, then:
a. Replace original DB with fallback made at image creation
b. Create the "-recovered" file next to DB file that signals rest of the system some apps may be missing
If sudden poweroff happens between 3a and 3b, system will not get informed
about missing app installation data.
This patch changes order of operations 3a and 3b, and also removes
operation number 1. From now on, the system-level scripts responsible
for recovery should remove the flag, when full recovery was complete.
Changing order of 3a with 3b ensures the flag is created when
DB error was found and is not prone to sudden power-off.
The flag is meant to be used for file-existance signalling of the need
to reinstall apps that were not in the backed-up DB. Since its existence
can trigger app installation, which in turn, can launch & use security-manager
(which will also attemt to access the DB), it MUST be ensured that rules-loader
is not running concurrently with any other processes/services that may use security-manager's DB
(the recovery of DB from fallback/backup has to be complete). This is achieved
by systemd's "Before=" service option in rules-loader service file which prohibits
security-manager's socket & service start before rules loader-ends operation.
Change-Id: I472c09d9398f69a97e118b69aad61dc016e3d22d
Tomasz Swierczek [Wed, 4 May 2022 06:42:32 +0000 (08:42 +0200)]
Minor fix of wording in comment
Change-Id: I48e795f72a7ca2ad720ea475c611d57d1007a622
Tomasz Swierczek [Wed, 30 Mar 2022 11:10:38 +0000 (13:10 +0200)]
Remove unused code
Change-Id: I7ae95050e5018d3a38ee79401553b46e3dfc849b
Tomasz Swierczek [Mon, 6 Dec 2021 11:05:47 +0000 (12:05 +0100)]
Release 1.7.0
Bump versioning to 1.7.X as tizen_6.0 has branched-off.
This change should be synced to tizen_6.5 branch, too.
Change-Id: Ibed180c8cbc9df8d96b3e0bf0188b8c3d6d5bf9f
Tomasz Swierczek [Wed, 3 Nov 2021 06:45:41 +0000 (07:45 +0100)]
Release 1.6.21
* Retry blocking waitpid() on EINTR
Change-Id: I20c9a73a6e7573dddc8d4b3495e74031e620d036
Konrad Lipinski [Fri, 29 Oct 2021 12:19:54 +0000 (14:19 +0200)]
Retry blocking waitpid() on EINTR
Change-Id: I0b7bcc0ce1964a229b77a8456266696f4ae0a80b
Jin-gyu Kim [Wed, 25 Aug 2021 19:22:30 +0000 (04:22 +0900)]
Release 1.6.20
* Adding privilege group priv_platform.
Change-Id: If9dc65658e85143ef77cd0d117cc4fd22124215c
Jin-gyu Kim [Wed, 25 Aug 2021 02:25:22 +0000 (11:25 +0900)]
Adding privilege group priv_platform.
Adding group for http://tizen.org/privilege/internal/default/platform
Change-Id: Ib8c4d82e08b48d6cb233a626960806fe0f69c4ae
Jin-gyu Kim [Thu, 24 Jun 2021 04:05:55 +0000 (13:05 +0900)]
Release 1.6.19
* Adding privilege group priv_peripheralio
* Make prepare_app() safer in non-main threads
Change-Id: I8d25212ea1ae5042b0a894b172884b49ce38f3b7
Jin-gyu Kim [Wed, 23 Jun 2021 02:01:00 +0000 (11:01 +0900)]
Adding privilege group priv_peripheralio.
Adding priv_peripheralio group for http://tizen.org/privilege/peripheralio
Change-Id: I2a8ef3344d4d4840b918f72a1a836bfc0be7a4ce
Konrad Lipinski [Mon, 7 Jun 2021 16:44:55 +0000 (18:44 +0200)]
Make prepare_app() safer in non-main threads
Calling prepare_app() from a non-main thread in a multithreaded
process could fail. While labels for other threads were being correctly
set by writing to /proc/<tid>/attr/current, the prepare_app thread used
smack_set_label_for_self() and thus /proc/self/attr/current.
This is easily fixed by reusing label_for_self_internal() so that all
threads are uniformly treated, each using its own tid.
Change-Id: Id5b3071b08057200331d64bf8d6cd172ae729df1
Yunjin Lee [Mon, 19 Apr 2021 05:06:41 +0000 (14:06 +0900)]
Release 1.6.18
* Add core privileges: usb.host and log
Change-Id: Ic5ede43127e8c194943e18846b4ec10d4da220e9
Yunjin Lee [Fri, 9 Apr 2021 04:29:36 +0000 (13:29 +0900)]
Add core privileges: usb.host and log
- usb.host: app can access to connected external USB devices
- log: app can access to platform log data
- both are platform level
- http://tizen.org/privilege/log is mapped to gid log
- http://tizen.org/privilege/usb.host is mapped to gid usb_device
Change-Id: I1726b463c077921071ff9b9f0348effe80ade38c
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Yunjin Lee [Fri, 9 Apr 2021 01:42:50 +0000 (10:42 +0900)]
Release 1.6.17
* Fix issue from static analysis
Change-Id: I30597162967bc6bd2ee073030e4cd4cef82402b8
Tomasz Swierczek [Thu, 8 Apr 2021 12:39:19 +0000 (14:39 +0200)]
Fix issue from static analysis
The ChannelCreator::closeAll(), when called in copy constructor,
may operate on uninitialized data.
Change-Id: Iaec6b3edc7e685ce14f7ea8e4d94eb3f59c9f4b7
Yunjin Lee [Tue, 23 Mar 2021 03:07:07 +0000 (12:07 +0900)]
Release 1.6.16
* Add core privilege: bugreport.admin
* Fix coverage generation in rpm 4.14.1
Change-Id: I0886eb78e3f1fbdb94d48c20a62a9b4468af9560
Yunjin Lee [Tue, 23 Mar 2021 01:13:07 +0000 (10:13 +0900)]
Add core privilege: bugreport.admin
With http://tizen.org/privilege/bugreport.admin, app can request
creation of system or app's bugreport.
Change-Id: I4826ad7d7543d1945fae016f6f7146702287d6fc
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Tomasz Swierczek [Wed, 3 Mar 2021 13:55:09 +0000 (14:55 +0100)]
Fix coverage generation in rpm 4.14.1
Debug source package directories now have different names.
Change-Id: Icffd332802d5d37d4d9d61fa96d75fdaad78a538
Tomasz Swierczek [Tue, 9 Feb 2021 10:21:58 +0000 (11:21 +0100)]
Release 1.6.15
* Change systemd-devel package name
* Drop http://tizen.org/privilege/internal/livecoredump mapping to priv_livecoredump
Change-Id: Ibcaf231abb98267472226761ef404da021eab000
INSUN PYO [Wed, 3 Feb 2021 04:35:56 +0000 (13:35 +0900)]
Change systemd-devel package name
Change-Id: I25635d30ce598200c1e14cc0287ecd5da40c9eff
Karol Lewandowski [Mon, 25 Jan 2021 15:12:13 +0000 (16:12 +0100)]
Drop tizen.org/privilege/internal/livecoredump mapping to priv_livecoredump
The priv_livecoredump group was supposed to be used by system services
wanting to use livecoredump API. (For applications it's granted by app
manifest.)
Unfortunately, it's not allowed by tizen sanity checkers to specify priv_*
groups in dbus policy, which renders the mapping useless. System services
must use other means to grant access to the API (as described in livecoredump
repository).
Change-Id: I58984358d095515a57d217ca277e3b06cda40703
Tomasz Swierczek [Tue, 10 Nov 2020 07:32:31 +0000 (08:32 +0100)]
Release 1.6.14
* Add Requires=local-fs.target dependency to security-manager-rules-loader.service
* Automate code coverage measurement
Change-Id: Ib6a86a3361b2eebb7e2ba121e54c558514b24a91
INSUN PYO [Thu, 8 Oct 2020 08:41:28 +0000 (17:41 +0900)]
Add Requires=local-fs.target dependency to security-manager-rules-loader.service
In emergency mode, local-fs.target always fails.
So, you have to check if local-fs.target is successful.
Change-Id: I4a946f573dd714f77b510ae818497c7d24ea4e4d
Dariusz Michaluk [Tue, 1 Sep 2020 12:33:41 +0000 (14:33 +0200)]
Automate code coverage measurement
To gather unit tests coverage report:
- use COVERAGE build_type,
- instal security-manager-coverage rpm,
- run security-manager-coverage.sh script.
Change-Id: I34960e55e4cff81d0e99864e3c3ed4d5d3c48385
Tomasz Swierczek [Thu, 29 Oct 2020 08:56:29 +0000 (09:56 +0100)]
Release 1.6.13
* Add check for $TZ_SYS_RUN/lock existance in update scripts
Change-Id: I57e51af38527cdac9b350bcf0561094744f83290
Tomasz Swierczek [Thu, 29 Oct 2020 08:55:09 +0000 (09:55 +0100)]
Add check for $TZ_SYS_RUN/lock existance in update scripts
The location for locking directory can be not mounted/not created
yet at update running time. TV images should not run security-manager
at this moment, so the updaring script should continue normally
Change-Id: I8d84af74a33354efd5e5dcae672340793d3d961d
Tomasz Swierczek [Mon, 26 Oct 2020 11:06:18 +0000 (12:06 +0100)]
Release 1.6.12
* Relax exit-on-error in update scripts
* Change FileLocker implemenation from POSIX to libc flocks
Change-Id: If53124c609da6f196feab8a3e9e68c46a2ea7714
Tomasz Swierczek [Fri, 23 Oct 2020 06:54:16 +0000 (08:54 +0200)]
Relax exit-on-error in update scripts
These scripts use systemctl systemd command to start & stop service/socket
of security-manager. On systems where systemd is not used to manage
security-manager (ie. some TV images), this can result in update
script being not executed properly.
Added "set +e/set -e" before each systemctl invocation.
With this set of changes, it is assumed that whatever mechanism
is actually used to manage security-manager service, it is ensuring
that the daemon is NOT running when updates are being executed and that
it IS started after the update.
Updated scripts will try to lock the $TZ_SYS_RUN/lock/security-manager.lock
file, usually taken by daemon at its startup; if that fails,
updates will exit with an error.
Change-Id: If452415465a6c31ba7360f4b0272d51708602242
Tomasz Swierczek [Mon, 26 Oct 2020 10:07:14 +0000 (11:07 +0100)]
Change FileLocker implemenation from POSIX to libc flocks
Thanks to this change, same locking could be used in sh/bash
scripts and in security-manager daemon (which previously
used the POSIX-based boost locks).
Change-Id: Ia4f2a5251d3556a40a68234fc2dc1ea51ac48188
Konrad Lipinski [Thu, 22 Oct 2020 11:29:17 +0000 (13:29 +0200)]
Release 1.6.11
* Apply private sharing rules before relabeling
Change-Id: I19d5882969ba5f65049e014b89f7dafd5534fca4
Konrad Lipinski [Tue, 20 Oct 2020 13:35:20 +0000 (15:35 +0200)]
Apply private sharing rules before relabeling
Prior to this commit, applyPrivatePathSharing does this:
1. Relabel a privately shared file.
2. Enable the package to rwxat the file's label.
Thus, there's a window between steps 1 & 2 where the package is unable
to access the file. This can be remedied by changing the order to:
1. Enable the package to rwxat the file's label.
2. Relabel the privately shared file.
The change preserves current semantics post-return but eliminates the
window.
The context:
Reportedly, the utc_rpc_port_set_private_sharing_array_p TCT test has
revealed a possibility of a race condition where a package owner would
get a smack access error when trying to unlink one of its own privately
shared files. This has reportedly happened on TM1 and some unspecified
TV product.
HQ inserted a 10ms sleep into ServiceImpl::applyPrivatePathSharing right
before return and, reportedly, it seems to have fixed the issue. They
seem partial to the assumption that the root cause is related to a race
condition in the kernel (as in: smack rules are being applied with a
delay). Thus, an idea for a possible solution involved checking smack
access client-side to make sure all is well before private sharing is
considered applied.
Given the fact that smack has been in place for quite some time now, I
find the possibility of a race condition unlikely. Unfortunately, I
haven't been able to prove anything. I couldn't reproduce the problem
and failed to find any obvious faults in the TCT test.
If there is a race condition, checking smack access client-side may not
be enough (it would only guarantee the client process or thread to be
race-free, TCT tests or the platform may need stronger guarantees). I'm
not inclined to do that unless there's proof. Such messy defensive code
tends to do more harm then good, especially if the race condition is
elsewhere.
Change-Id: I0a57edd6535eb1889d9bb8e5aaa6ddab58ca7009
Tomasz Swierczek [Mon, 19 Oct 2020 09:07:58 +0000 (11:07 +0200)]
Release 1.6.10
* Change author labels recursively in the upgrade script.
* Increase timeout waiting for signal delivery to 2 seconds
Change-Id: I6221d76c44eef78cb33f3d75f1b5bec52fac13df
jin-gyu.kim [Mon, 19 Oct 2020 06:12:42 +0000 (15:12 +0900)]
Change author labels recursively in the upgrade script.
SMACK labels of all resources in trusted directory should be updated.
Change-Id: I992ac67fbcb635455fd5eda93e9d8f1a1d0da5a1
Tomasz Swierczek [Mon, 19 Oct 2020 06:57:18 +0000 (08:57 +0200)]
Increase timeout waiting for signal delivery to 2 seconds
The prepare_app is synchronizing threads security attributes in app
candidate process, which can be multithreaded. Security-Manager's
implementation mimics implementation in libc for smack label synchronization,
using signal handlers to do that.
In some systems under heavy load current timeout we're waiting for signal
delivery can be not enough, hence increasing the timeout.
Change-Id: I2b73c743fee61acbaeb834566a43b0f427218aab
jin-gyu.kim [Fri, 16 Oct 2020 00:58:03 +0000 (09:58 +0900)]
Release 1.6.9
* Fix a typo in privilege-smack.list
Change-Id: Ibd8eb6ad3cd7ecba214106ee56704e08b88999a1
jin-gyu.kim [Fri, 16 Oct 2020 00:51:06 +0000 (09:51 +0900)]
Fix a typo in privilege-smack.list
System::Privilege:AppDebugging -> System::Privilege::AppDebugging
Change-Id: I4307d3d93aff5b068e8f7923d72a6e5182f4becc
Mateusz Cegielka [Fri, 2 Oct 2020 13:14:52 +0000 (15:14 +0200)]
Release 1.6.8
* Fix segfault when iterating directories
* Remove unused code from sha1.c
* Revert "Add listing running apps based on namespace"
* Remove redundant author name from db
Change-Id: I3ba9a55a02ff08a48563ec3941fc8adf904a4fa9
Mateusz Cegielka [Mon, 28 Sep 2020 16:25:51 +0000 (18:25 +0200)]
Fix segfault when iterating directories
Code used for iterating directories recursively with Boost calls .pop()
if the iteration returns an error, so that it exits the current
directory and continues the iteration. However, this can cause
segmentation faults, and if it doesn't, it causes some other directories
to be indeterministically skipped instead.
What is the proper way to do this then...? Boost apparently does not
place too much focus on stability, because the behaviour is different in
every version I checked (1.65.0 from Ubuntu 18.04, 1.71.0 from Tizen and
1.72.0 from Arch). Also, since 1.72.0 it'll be impossible to both
continue the iteration and log that anything was wrong.
I changed the behaviour to stop iteration on errors and return an
internal error instead. The immediate reason is making sure a Boost
update won't break this code, but a system service receiving filesystem
errors in directories it created is a pathological case indicating other
problems with system configuration that should not be accepted.
Change-Id: I69b7fb75f2b58d0ca1418b6bbb3ccd2480296918
Krzysztof Jackiewicz [Mon, 28 Sep 2020 18:23:31 +0000 (20:23 +0200)]
Remove unused code from sha1.c
Change-Id: I28c8f71b8e6c7bc4a98dc7e43ebfaba099351c40
Dariusz Michaluk [Tue, 1 Sep 2020 11:50:30 +0000 (13:50 +0200)]
Revert "Add listing running apps based on namespace"
It seems that this tool is unused.
This reverts commit
1a680bb1d2592a4110ca5d026c06dd11222d4e7c.
Change-Id: Ic7bd3f469a771d97e6a07af21912cd33140be46c
Krzysztof Jackiewicz [Mon, 28 Sep 2020 12:01:51 +0000 (14:01 +0200)]
Remove redundant author name from db
Remove author's name from db as it's no longer needed. Make few minor changes
related to author.
Change-Id: I03f195298f6aa69d970f5d384b2ab441220f82e4
Tomasz Swierczek [Mon, 21 Sep 2020 05:48:51 +0000 (07:48 +0200)]
Release 1.6.7
* Optimize loading group information.
* Fix author_id mismatch after DB upgrade
Change-Id: I16cc8e235ea1f39a8974df2f90f12341cbb1d0b0
jin-gyu.kim [Thu, 10 Sep 2020 07:11:32 +0000 (07:11 +0000)]
Optimize loading group information.
Store group ids in a new configuartion file to avoid calculating it every time.
Those are written in $POLICY_PATH/group-id.list when policy rpm is installed.
These changes will speed up about 10 times for calulating group ids.
Change-Id: I0d71a44fdb7513a1c63c107062bfbe344b6889e8
Dariusz Michaluk [Mon, 20 Jul 2020 12:20:07 +0000 (14:20 +0200)]
Fix author_id mismatch after DB upgrade
author_id is a DB table primary key and depends on apps instalation
order. Instead of using author_id in SMACK label, use 64 bits (16 character string)
of SHA1(author_name) in hex format.
This commit includes:
- sqlite3-sha1 extension copied from:
https://github.com/sqlite/sqlite/blob/master/ext/misc/sha1.c
- new DB schema and migration script,
- rules loader adjustment to new SMACK label,
- filesystem (SECURITY_MANAGER_PATH_TRUSTED_RW) relabeling,
- app instalation changes.
Change-Id: I4f478e0b9dfde06ef752d250d5bc7ef3183cde19
Tomasz Swierczek [Tue, 15 Sep 2020 09:46:01 +0000 (11:46 +0200)]
Release 1.6.6
* Add configuration for appdebugging & internet Smack-controlled privileges
* Calculate application privilege level based on manifest data passed by installer
* Remove unused GetAuthorIdByName()
Change-Id: I53d3b6eab4d32fca6ff97e7f9681fded1fb6c323
Tomasz Swierczek [Fri, 7 Aug 2020 12:46:27 +0000 (14:46 +0200)]
Add configuration for appdebugging & internet Smack-controlled privileges
1st step in changing nether to Smack-based network access control
is to provide alternative configuration.
Change-Id: I811750af88a68b85cb7454d53b536a22884cdd6a
Tomasz Swierczek [Mon, 10 Aug 2020 12:22:35 +0000 (14:22 +0200)]
Calculate application privilege level based on manifest data passed by installer
privilege-checker soon will need the cert-level information to calculate
application privilege attributes (blacklisted or privacy).
This cert-level will be, in target solution, passed as installation argument to
install request (see commit
eb065339daf1ed9b091add719128f64e2372fd0e).
However, because that API was only recently introduced,
simply storing this data in security-manager.db at app install time and then
reusing it at userInit stage will not do the trick in a FOTA scenario (userInit
called after a FOTA where some apps are already in the DB).
Preparing a new DB field and running a migration script to calculate that field could
be a solution to the problem, but it would require additional sql query to get
application privilege-level inside implementation of userInit routine.
Alternative solution, exercised by this patch, is to rely on the installer,
which seems to be always adding the:
http://tizen.org/privilege/internal/default/[public | partner | platform]
privileges to install request, depending on the actual privilege level of package.
Since CynaraAdmin::userInit already has the global manifest bucket listed in memory,
there's no need for additional DB fetch - only one more iteration over the list to get
the highest privilege level available for given app.
Change-Id: Ib860e7f4d09e7f434197ddc08ae3777a119734d0
Dariusz Michaluk [Mon, 20 Jul 2020 13:59:19 +0000 (15:59 +0200)]
Remove unused GetAuthorIdByName()
Change-Id: Ie83236411ece80754f0edd1428aedfda13796098
Yunjin Lee [Thu, 20 Aug 2020 04:32:13 +0000 (13:32 +0900)]
Release 1.6.5 (modified)
* Add setting package type and privilege level in app install cmd
* Add core privilege: network.route
* Previous release commit missed 1 commit to include but merged hence
made modified release commit to fix that
Change-Id: Id4dc8cfa73290d8b70d6caa8321f70616a547939
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Yunjin Lee [Wed, 19 Aug 2020 07:43:22 +0000 (16:43 +0900)]
Release 1.6.5
* Add core privilege: network.route
Change-Id: Iab41934cc11f55fb6f5227d876c08b991182160d
Mateusz Cegielka [Thu, 6 Aug 2020 13:17:59 +0000 (15:17 +0200)]
Add setting package type and privilege level in app install cmd
Patch I518eb4524c9c1f3ff2e6d68ea25c037591f6634b has added two new
properties that can be set when installing an application. However, the
cmd tool used for installing applications was not updated.
This patch adds the missing options to the security-manager-cmd tool.
Change-Id: I02b00a75528e870be5f22e6d37cb49796b95fd82
Yunjin Lee [Wed, 19 Aug 2020 05:21:29 +0000 (14:21 +0900)]
Add core privilege: network.route
- network.route: With this privilege, app can add or remove route table
entries.
Change-Id: Ia97c7fb018f5522d60b41c1055677b2e6a544e5f
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>