Konrad Lipinski [Mon, 7 Jun 2021 16:44:55 +0000 (18:44 +0200)]
Make prepare_app() safer in non-main threads
Calling prepare_app() from a non-main thread in a multithreaded
process could fail. While labels for other threads were being correctly
set by writing to /proc/<tid>/attr/current, the prepare_app thread used
smack_set_label_for_self() and thus /proc/self/attr/current.
This is easily fixed by reusing label_for_self_internal() so that all
threads are uniformly treated, each using its own tid.
Change-Id: Id5b3071b08057200331d64bf8d6cd172ae729df1
Yunjin Lee [Mon, 19 Apr 2021 05:06:41 +0000 (14:06 +0900)]
Release 1.6.18
* Add core privileges: usb.host and log
Change-Id: Ic5ede43127e8c194943e18846b4ec10d4da220e9
Yunjin Lee [Fri, 9 Apr 2021 04:29:36 +0000 (13:29 +0900)]
Add core privileges: usb.host and log
- usb.host: app can access to connected external USB devices
- log: app can access to platform log data
- both are platform level
- http://tizen.org/privilege/log is mapped to gid log
- http://tizen.org/privilege/usb.host is mapped to gid usb_device
Change-Id: I1726b463c077921071ff9b9f0348effe80ade38c
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Yunjin Lee [Fri, 9 Apr 2021 01:42:50 +0000 (10:42 +0900)]
Release 1.6.17
* Fix issue from static analysis
Change-Id: I30597162967bc6bd2ee073030e4cd4cef82402b8
Tomasz Swierczek [Thu, 8 Apr 2021 12:39:19 +0000 (14:39 +0200)]
Fix issue from static analysis
The ChannelCreator::closeAll(), when called in copy constructor,
may operate on uninitialized data.
Change-Id: Iaec6b3edc7e685ce14f7ea8e4d94eb3f59c9f4b7
Yunjin Lee [Tue, 23 Mar 2021 03:07:07 +0000 (12:07 +0900)]
Release 1.6.16
* Add core privilege: bugreport.admin
* Fix coverage generation in rpm 4.14.1
Change-Id: I0886eb78e3f1fbdb94d48c20a62a9b4468af9560
Yunjin Lee [Tue, 23 Mar 2021 01:13:07 +0000 (10:13 +0900)]
Add core privilege: bugreport.admin
With http://tizen.org/privilege/bugreport.admin, app can request
creation of system or app's bugreport.
Change-Id: I4826ad7d7543d1945fae016f6f7146702287d6fc
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Tomasz Swierczek [Wed, 3 Mar 2021 13:55:09 +0000 (14:55 +0100)]
Fix coverage generation in rpm 4.14.1
Debug source package directories now have different names.
Change-Id: Icffd332802d5d37d4d9d61fa96d75fdaad78a538
Tomasz Swierczek [Tue, 9 Feb 2021 10:21:58 +0000 (11:21 +0100)]
Release 1.6.15
* Change systemd-devel package name
* Drop http://tizen.org/privilege/internal/livecoredump mapping to priv_livecoredump
Change-Id: Ibcaf231abb98267472226761ef404da021eab000
INSUN PYO [Wed, 3 Feb 2021 04:35:56 +0000 (13:35 +0900)]
Change systemd-devel package name
Change-Id: I25635d30ce598200c1e14cc0287ecd5da40c9eff
Karol Lewandowski [Mon, 25 Jan 2021 15:12:13 +0000 (16:12 +0100)]
Drop tizen.org/privilege/internal/livecoredump mapping to priv_livecoredump
The priv_livecoredump group was supposed to be used by system services
wanting to use livecoredump API. (For applications it's granted by app
manifest.)
Unfortunately, it's not allowed by tizen sanity checkers to specify priv_*
groups in dbus policy, which renders the mapping useless. System services
must use other means to grant access to the API (as described in livecoredump
repository).
Change-Id: I58984358d095515a57d217ca277e3b06cda40703
Tomasz Swierczek [Tue, 10 Nov 2020 07:32:31 +0000 (08:32 +0100)]
Release 1.6.14
* Add Requires=local-fs.target dependency to security-manager-rules-loader.service
* Automate code coverage measurement
Change-Id: Ib6a86a3361b2eebb7e2ba121e54c558514b24a91
INSUN PYO [Thu, 8 Oct 2020 08:41:28 +0000 (17:41 +0900)]
Add Requires=local-fs.target dependency to security-manager-rules-loader.service
In emergency mode, local-fs.target always fails.
So, you have to check if local-fs.target is successful.
Change-Id: I4a946f573dd714f77b510ae818497c7d24ea4e4d
Dariusz Michaluk [Tue, 1 Sep 2020 12:33:41 +0000 (14:33 +0200)]
Automate code coverage measurement
To gather unit tests coverage report:
- use COVERAGE build_type,
- instal security-manager-coverage rpm,
- run security-manager-coverage.sh script.
Change-Id: I34960e55e4cff81d0e99864e3c3ed4d5d3c48385
Tomasz Swierczek [Thu, 29 Oct 2020 08:56:29 +0000 (09:56 +0100)]
Release 1.6.13
* Add check for $TZ_SYS_RUN/lock existance in update scripts
Change-Id: I57e51af38527cdac9b350bcf0561094744f83290
Tomasz Swierczek [Thu, 29 Oct 2020 08:55:09 +0000 (09:55 +0100)]
Add check for $TZ_SYS_RUN/lock existance in update scripts
The location for locking directory can be not mounted/not created
yet at update running time. TV images should not run security-manager
at this moment, so the updaring script should continue normally
Change-Id: I8d84af74a33354efd5e5dcae672340793d3d961d
Tomasz Swierczek [Mon, 26 Oct 2020 11:06:18 +0000 (12:06 +0100)]
Release 1.6.12
* Relax exit-on-error in update scripts
* Change FileLocker implemenation from POSIX to libc flocks
Change-Id: If53124c609da6f196feab8a3e9e68c46a2ea7714
Tomasz Swierczek [Fri, 23 Oct 2020 06:54:16 +0000 (08:54 +0200)]
Relax exit-on-error in update scripts
These scripts use systemctl systemd command to start & stop service/socket
of security-manager. On systems where systemd is not used to manage
security-manager (ie. some TV images), this can result in update
script being not executed properly.
Added "set +e/set -e" before each systemctl invocation.
With this set of changes, it is assumed that whatever mechanism
is actually used to manage security-manager service, it is ensuring
that the daemon is NOT running when updates are being executed and that
it IS started after the update.
Updated scripts will try to lock the $TZ_SYS_RUN/lock/security-manager.lock
file, usually taken by daemon at its startup; if that fails,
updates will exit with an error.
Change-Id: If452415465a6c31ba7360f4b0272d51708602242
Tomasz Swierczek [Mon, 26 Oct 2020 10:07:14 +0000 (11:07 +0100)]
Change FileLocker implemenation from POSIX to libc flocks
Thanks to this change, same locking could be used in sh/bash
scripts and in security-manager daemon (which previously
used the POSIX-based boost locks).
Change-Id: Ia4f2a5251d3556a40a68234fc2dc1ea51ac48188
Konrad Lipinski [Thu, 22 Oct 2020 11:29:17 +0000 (13:29 +0200)]
Release 1.6.11
* Apply private sharing rules before relabeling
Change-Id: I19d5882969ba5f65049e014b89f7dafd5534fca4
Konrad Lipinski [Tue, 20 Oct 2020 13:35:20 +0000 (15:35 +0200)]
Apply private sharing rules before relabeling
Prior to this commit, applyPrivatePathSharing does this:
1. Relabel a privately shared file.
2. Enable the package to rwxat the file's label.
Thus, there's a window between steps 1 & 2 where the package is unable
to access the file. This can be remedied by changing the order to:
1. Enable the package to rwxat the file's label.
2. Relabel the privately shared file.
The change preserves current semantics post-return but eliminates the
window.
The context:
Reportedly, the utc_rpc_port_set_private_sharing_array_p TCT test has
revealed a possibility of a race condition where a package owner would
get a smack access error when trying to unlink one of its own privately
shared files. This has reportedly happened on TM1 and some unspecified
TV product.
HQ inserted a 10ms sleep into ServiceImpl::applyPrivatePathSharing right
before return and, reportedly, it seems to have fixed the issue. They
seem partial to the assumption that the root cause is related to a race
condition in the kernel (as in: smack rules are being applied with a
delay). Thus, an idea for a possible solution involved checking smack
access client-side to make sure all is well before private sharing is
considered applied.
Given the fact that smack has been in place for quite some time now, I
find the possibility of a race condition unlikely. Unfortunately, I
haven't been able to prove anything. I couldn't reproduce the problem
and failed to find any obvious faults in the TCT test.
If there is a race condition, checking smack access client-side may not
be enough (it would only guarantee the client process or thread to be
race-free, TCT tests or the platform may need stronger guarantees). I'm
not inclined to do that unless there's proof. Such messy defensive code
tends to do more harm then good, especially if the race condition is
elsewhere.
Change-Id: I0a57edd6535eb1889d9bb8e5aaa6ddab58ca7009
Tomasz Swierczek [Mon, 19 Oct 2020 09:07:58 +0000 (11:07 +0200)]
Release 1.6.10
* Change author labels recursively in the upgrade script.
* Increase timeout waiting for signal delivery to 2 seconds
Change-Id: I6221d76c44eef78cb33f3d75f1b5bec52fac13df
jin-gyu.kim [Mon, 19 Oct 2020 06:12:42 +0000 (15:12 +0900)]
Change author labels recursively in the upgrade script.
SMACK labels of all resources in trusted directory should be updated.
Change-Id: I992ac67fbcb635455fd5eda93e9d8f1a1d0da5a1
Tomasz Swierczek [Mon, 19 Oct 2020 06:57:18 +0000 (08:57 +0200)]
Increase timeout waiting for signal delivery to 2 seconds
The prepare_app is synchronizing threads security attributes in app
candidate process, which can be multithreaded. Security-Manager's
implementation mimics implementation in libc for smack label synchronization,
using signal handlers to do that.
In some systems under heavy load current timeout we're waiting for signal
delivery can be not enough, hence increasing the timeout.
Change-Id: I2b73c743fee61acbaeb834566a43b0f427218aab
jin-gyu.kim [Fri, 16 Oct 2020 00:58:03 +0000 (09:58 +0900)]
Release 1.6.9
* Fix a typo in privilege-smack.list
Change-Id: Ibd8eb6ad3cd7ecba214106ee56704e08b88999a1
jin-gyu.kim [Fri, 16 Oct 2020 00:51:06 +0000 (09:51 +0900)]
Fix a typo in privilege-smack.list
System::Privilege:AppDebugging -> System::Privilege::AppDebugging
Change-Id: I4307d3d93aff5b068e8f7923d72a6e5182f4becc
Mateusz Cegielka [Fri, 2 Oct 2020 13:14:52 +0000 (15:14 +0200)]
Release 1.6.8
* Fix segfault when iterating directories
* Remove unused code from sha1.c
* Revert "Add listing running apps based on namespace"
* Remove redundant author name from db
Change-Id: I3ba9a55a02ff08a48563ec3941fc8adf904a4fa9
Mateusz Cegielka [Mon, 28 Sep 2020 16:25:51 +0000 (18:25 +0200)]
Fix segfault when iterating directories
Code used for iterating directories recursively with Boost calls .pop()
if the iteration returns an error, so that it exits the current
directory and continues the iteration. However, this can cause
segmentation faults, and if it doesn't, it causes some other directories
to be indeterministically skipped instead.
What is the proper way to do this then...? Boost apparently does not
place too much focus on stability, because the behaviour is different in
every version I checked (1.65.0 from Ubuntu 18.04, 1.71.0 from Tizen and
1.72.0 from Arch). Also, since 1.72.0 it'll be impossible to both
continue the iteration and log that anything was wrong.
I changed the behaviour to stop iteration on errors and return an
internal error instead. The immediate reason is making sure a Boost
update won't break this code, but a system service receiving filesystem
errors in directories it created is a pathological case indicating other
problems with system configuration that should not be accepted.
Change-Id: I69b7fb75f2b58d0ca1418b6bbb3ccd2480296918
Krzysztof Jackiewicz [Mon, 28 Sep 2020 18:23:31 +0000 (20:23 +0200)]
Remove unused code from sha1.c
Change-Id: I28c8f71b8e6c7bc4a98dc7e43ebfaba099351c40
Dariusz Michaluk [Tue, 1 Sep 2020 11:50:30 +0000 (13:50 +0200)]
Revert "Add listing running apps based on namespace"
It seems that this tool is unused.
This reverts commit
1a680bb1d2592a4110ca5d026c06dd11222d4e7c.
Change-Id: Ic7bd3f469a771d97e6a07af21912cd33140be46c
Krzysztof Jackiewicz [Mon, 28 Sep 2020 12:01:51 +0000 (14:01 +0200)]
Remove redundant author name from db
Remove author's name from db as it's no longer needed. Make few minor changes
related to author.
Change-Id: I03f195298f6aa69d970f5d384b2ab441220f82e4
Tomasz Swierczek [Mon, 21 Sep 2020 05:48:51 +0000 (07:48 +0200)]
Release 1.6.7
* Optimize loading group information.
* Fix author_id mismatch after DB upgrade
Change-Id: I16cc8e235ea1f39a8974df2f90f12341cbb1d0b0
jin-gyu.kim [Thu, 10 Sep 2020 07:11:32 +0000 (07:11 +0000)]
Optimize loading group information.
Store group ids in a new configuartion file to avoid calculating it every time.
Those are written in $POLICY_PATH/group-id.list when policy rpm is installed.
These changes will speed up about 10 times for calulating group ids.
Change-Id: I0d71a44fdb7513a1c63c107062bfbe344b6889e8
Dariusz Michaluk [Mon, 20 Jul 2020 12:20:07 +0000 (14:20 +0200)]
Fix author_id mismatch after DB upgrade
author_id is a DB table primary key and depends on apps instalation
order. Instead of using author_id in SMACK label, use 64 bits (16 character string)
of SHA1(author_name) in hex format.
This commit includes:
- sqlite3-sha1 extension copied from:
https://github.com/sqlite/sqlite/blob/master/ext/misc/sha1.c
- new DB schema and migration script,
- rules loader adjustment to new SMACK label,
- filesystem (SECURITY_MANAGER_PATH_TRUSTED_RW) relabeling,
- app instalation changes.
Change-Id: I4f478e0b9dfde06ef752d250d5bc7ef3183cde19
Tomasz Swierczek [Tue, 15 Sep 2020 09:46:01 +0000 (11:46 +0200)]
Release 1.6.6
* Add configuration for appdebugging & internet Smack-controlled privileges
* Calculate application privilege level based on manifest data passed by installer
* Remove unused GetAuthorIdByName()
Change-Id: I53d3b6eab4d32fca6ff97e7f9681fded1fb6c323
Tomasz Swierczek [Fri, 7 Aug 2020 12:46:27 +0000 (14:46 +0200)]
Add configuration for appdebugging & internet Smack-controlled privileges
1st step in changing nether to Smack-based network access control
is to provide alternative configuration.
Change-Id: I811750af88a68b85cb7454d53b536a22884cdd6a
Tomasz Swierczek [Mon, 10 Aug 2020 12:22:35 +0000 (14:22 +0200)]
Calculate application privilege level based on manifest data passed by installer
privilege-checker soon will need the cert-level information to calculate
application privilege attributes (blacklisted or privacy).
This cert-level will be, in target solution, passed as installation argument to
install request (see commit
eb065339daf1ed9b091add719128f64e2372fd0e).
However, because that API was only recently introduced,
simply storing this data in security-manager.db at app install time and then
reusing it at userInit stage will not do the trick in a FOTA scenario (userInit
called after a FOTA where some apps are already in the DB).
Preparing a new DB field and running a migration script to calculate that field could
be a solution to the problem, but it would require additional sql query to get
application privilege-level inside implementation of userInit routine.
Alternative solution, exercised by this patch, is to rely on the installer,
which seems to be always adding the:
http://tizen.org/privilege/internal/default/[public | partner | platform]
privileges to install request, depending on the actual privilege level of package.
Since CynaraAdmin::userInit already has the global manifest bucket listed in memory,
there's no need for additional DB fetch - only one more iteration over the list to get
the highest privilege level available for given app.
Change-Id: Ib860e7f4d09e7f434197ddc08ae3777a119734d0
Dariusz Michaluk [Mon, 20 Jul 2020 13:59:19 +0000 (15:59 +0200)]
Remove unused GetAuthorIdByName()
Change-Id: Ie83236411ece80754f0edd1428aedfda13796098
Yunjin Lee [Thu, 20 Aug 2020 04:32:13 +0000 (13:32 +0900)]
Release 1.6.5 (modified)
* Add setting package type and privilege level in app install cmd
* Add core privilege: network.route
* Previous release commit missed 1 commit to include but merged hence
made modified release commit to fix that
Change-Id: Id4dc8cfa73290d8b70d6caa8321f70616a547939
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Yunjin Lee [Wed, 19 Aug 2020 07:43:22 +0000 (16:43 +0900)]
Release 1.6.5
* Add core privilege: network.route
Change-Id: Iab41934cc11f55fb6f5227d876c08b991182160d
Mateusz Cegielka [Thu, 6 Aug 2020 13:17:59 +0000 (15:17 +0200)]
Add setting package type and privilege level in app install cmd
Patch I518eb4524c9c1f3ff2e6d68ea25c037591f6634b has added two new
properties that can be set when installing an application. However, the
cmd tool used for installing applications was not updated.
This patch adds the missing options to the security-manager-cmd tool.
Change-Id: I02b00a75528e870be5f22e6d37cb49796b95fd82
Yunjin Lee [Wed, 19 Aug 2020 05:21:29 +0000 (14:21 +0900)]
Add core privilege: network.route
- network.route: With this privilege, app can add or remove route table
entries.
Change-Id: Ia97c7fb018f5522d60b41c1055677b2e6a544e5f
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Dariusz Michaluk [Wed, 29 Jul 2020 12:18:46 +0000 (14:18 +0200)]
Release 1.6.4
* Switch security-manager to dual license (Apache 2.0 or MIT)
* Remove unneeded dependencies from nss plugin
* Test recently added queries to privilege database
Change-Id: I9ee77eb102771a6ef388331e5d15fb5237d46fdc
Dariusz Michaluk [Fri, 24 Jul 2020 10:41:33 +0000 (12:41 +0200)]
Switch security-manager to dual license (Apache 2.0 or MIT)
Change-Id: Ic6566ca8fe012b4c4ebba2a411c04976c70b1abc
Dariusz Michaluk [Fri, 24 Jul 2020 09:59:51 +0000 (11:59 +0200)]
Remove unneeded dependencies from nss plugin
Dlog dependency was replaced by systemd journal on HQ request.
Change-Id: Ibb8ab3ba11ef9295721cfedfcbc0336dadf5d2bb
Mateusz Cegielka [Fri, 10 Jul 2020 14:19:53 +0000 (16:19 +0200)]
Test recently added queries to privilege database
The PrivilegeDb class contains wrappers for running SQLite requests.
Since unit tests for it were created, more kinds of supported
statements have been added, but the tests were not updated.
I have added new tests that cover the GetAppPkgInfo, GetUserAppsFromPkg
SetSharedROPackage and IsUserPkgInstalled queries. I have also modified
existing privilege license tests to also cover
GetLicenseForClientPrivilegeAndPkg and AddAppDefinedPrivileges queries.
Change-Id: I3b43942f579cfc692b44203a2ea99b8c41d7be80
Tomasz Swierczek [Fri, 10 Jul 2020 06:51:59 +0000 (08:51 +0200)]
Release 1.6.3
* Fix CheckProperDrop tests
* Reimplement prepare_app proper drop checking
* Add smack-rules positive tests
* Enhance testability of TemplateManager class
* Add logging classes to unit tests
* Add unit tests for template manager class
* Remove unused code from sql_connection.cpp
* Add negative test cases wherever possible
* Add unit tests for functions in utils.cpp and other files
* Add tests for service_impl_utils.cpp functions
* Remove almost unused code from filesystem.cpp/.h
* Remove unused code from filesystem.cpp/.h
* Add test cases for filesystem.cpp functions
* Set C++ 17 flags
* Categorize unit test cases as negative or positive
* Disable assert() for release builds
Change-Id: I2871e378cf3f1002098df774b05fc7ee9b7b17eb
Konrad Lipinski [Mon, 15 Jun 2020 15:31:10 +0000 (17:31 +0200)]
Fix CheckProperDrop tests
Moved into a separate commit at a reviewer's request.
Accommodate the new implementation:
* Run each test inside a fork() so that caps can be freely zeroed.
* Add namespace unsharing, uid, gid and groups tests.
Change-Id: Ic8c608b2cd301b2898cbcd3b1ae3dcc3f62cecda
Konrad Lipinski [Tue, 21 Apr 2020 17:32:17 +0000 (19:32 +0200)]
Reimplement prepare_app proper drop checking
Procps-ng does not reliably check for errors. They are for the most part
silently ignored. The only way to approximately check for success is by
checking errno. That's what we've been doing up till now. However, errno
is not mentioned in the contract at all. Syscalls that succeed may zero
errno and mask prior errors.
Pre-3.12 kernels require CAP_SYS_PTRACE for task namespace inspection.
In particular, contemporary TM1 images feature a 3.10 kernel. On such
devices, PROC_FILLNS may result in errno being set to EACCES (unless
overwritten as per the previous paragraph). Such is the case on TM1,
making CheckProperDrop::checkThreads() fail whenever there are two or
more threads.
Checking for identical caps is not enough to ensure proper drop. A rogue
thread may survive sync_threads_internal() (which is racy by nature),
use capset() to set main thread's caps to zero, then terminate before
CheckProperDrop::getThreads() starts due to a lucky interleaving. This
can be guarded against by mandating capabilities to be zeroed for all
threads.
* Replace procps-ng usage with local code.
* Assert zero caps instead of identical caps.
* Refrain from checking pid and user namespaces, kernel guarantees
consistency across threads (see man unshare(2)).
* Compute the set of checked namespace kinds as a bitmask at manager
startup, ipc the bitmask to clients in prepare_app return payload.
* Set bitmask to zero for pre-3.12 kernels that require CAP_SYS_PTRACE
for task namespace inspection.
* Disable compilation of test_check_proper_drop.cpp. The tests were
written under the assumption that caps do not have to be zeroed. This
is no longer the case. Zeroing caps requires fork support, there are
also new edge cases to test. This makes the needed change substantial.
By review request it will be included in a future commit.
Change-Id: I4814cfd92dc524c02d87926236d8beb97d633c82
Tomasz Swierczek [Fri, 22 May 2020 07:51:23 +0000 (09:51 +0200)]
Add smack-rules positive tests
The goal of this commit is to increase code coverage of unit-tests.
Change-Id: I800695c7c31d192a46371b1c9138da9159f7f773
Tomasz Swierczek [Tue, 2 Jun 2020 07:00:17 +0000 (09:00 +0200)]
Enhance testability of TemplateManager class
The getAllMappedPrivs() method used to have a static variable
holding mapped privileges - the configuration was meant to be loaded
only once to improve performance, effectively by limiting runtime
allocation of a std::vector<std::string>.
However, the class holds other data in instance variables, that can
be filled at init() call on each object creation. This can cause
inconsistency that make ie. the test T1138_all_mapped_privileges
to fail because of different configuration loaded vs. stored in static
variable.
This commit removes the static variable, calculating the instance-level
variable on init() instead - this allows various configurations to be
tested in single unit test framework binary and keeps the performance
optimization, while wasting some memory.
Change-Id: Ic18bf1ca34e4a8deba2e0d876a735c29a277f4f6
Tomasz Swierczek [Fri, 22 May 2020 06:02:04 +0000 (08:02 +0200)]
Add logging classes to unit tests
Change-Id: Ife01f17db01dc2657c005ab3d8b741826ce6ed17
Zofia Abramowska [Tue, 24 Mar 2020 17:21:29 +0000 (18:21 +0100)]
Add unit tests for template manager class
Change-Id: I2781dcd3b87ddbeea9578ff15d073c909cf4deb3
Tomasz Swierczek [Tue, 5 May 2020 08:57:36 +0000 (10:57 +0200)]
Remove unused code from sql_connection.cpp
Change-Id: Id467ec93c5c202da5f2333444a6c3145c1857083
Tomasz Swierczek [Thu, 9 Apr 2020 12:51:20 +0000 (14:51 +0200)]
Add negative test cases wherever possible
Yes, repeating same test code body many times
to test each unprintable character below ' '
is not elegant, but it gets us to > 50%
of negative test cases, with room for improvement.
Yes, this seems ugly, but does the job.
Yes, I will have to wash my hands after committing this.
So here I am, with this patch, before you,
Dear Reviewer, so you don't have to make it.
Titan! to whose immortal eyes
The sufferings of mortality,
Seen in their sad reality,
Were not as things that gods despise;
(...)
Lord Byron, Prometheus
Change-Id: I48d7466ef6ca4143bf759d9b70ce60bdd347935c
Tomasz Swierczek [Thu, 2 Apr 2020 11:47:45 +0000 (13:47 +0200)]
Add unit tests for functions in utils.cpp and other files
This commit is aimed at increasing UT code coverage as well
as to increase negative test case to positive ratio.
Change-Id: I7f1576d1c6f1234359a1f5a0df6610e26450dd08
Tomasz Swierczek [Fri, 27 Mar 2020 14:35:47 +0000 (15:35 +0100)]
Add tests for service_impl_utils.cpp functions
This patch is aimed at increasing unit test code coverage.
Change-Id: I1392355c4933659b0f0ede136ae600ca0356936c
Tomasz Swierczek [Thu, 18 Jun 2020 07:52:36 +0000 (09:52 +0200)]
Remove almost unused code from filesystem.cpp/.h
fileSize was used only in one place, in tests
Change-Id: Ib2580f488c65d379059cf977f9533e27e93bdd47
Tomasz Swierczek [Wed, 17 Jun 2020 09:34:41 +0000 (11:34 +0200)]
Remove unused code from filesystem.cpp/.h
Change-Id: I5a4b722e34ba1bb691a0edf576b3e83a3b9499e0
Tomasz Swierczek [Mon, 23 Mar 2020 18:59:14 +0000 (19:59 +0100)]
Add test cases for filesystem.cpp functions
Previously, unit tests covered only about 26% of the lines,
this patch aims to increase the file coverage to at least 80%.
Change-Id: I985a2b690fdf1bbb355edb94753bf8c54108b9cf
Tomasz Swierczek [Wed, 17 Jun 2020 14:01:32 +0000 (16:01 +0200)]
Set C++ 17 flags
Will be needed later for inline static variables in class declaration
Change-Id: I203bf0f593a2bca4a95b06d98a85f609533b8039
Tomasz Swierczek [Wed, 18 Mar 2020 13:51:59 +0000 (14:51 +0100)]
Categorize unit test cases as negative or positive
Macros adding NEGATIVE_ or POSITIVE_ prefix to test name added too.
Some tests split for proper distinction of negative & positive tests.
Change-Id: I98b1c3b657cd84f01c364254aff064bf40b8b456
Konrad Lipinski [Wed, 20 May 2020 09:42:08 +0000 (11:42 +0200)]
Disable assert() for release builds
Change-Id: I61861dc2b181ff6c70a66af9e30b21ff0c9805d7
Tomasz Swierczek [Thu, 14 May 2020 08:38:45 +0000 (10:38 +0200)]
Release 1.6.2
* Add new arguments for installation requests
* Properly handle missing/invalid smack privilege policy
* Catch TizenPlatformConfig exception in NSMountLogic
* Get distinct app names from pkg
* Add listing running apps based on namespace
* Don't assume that default privilege Smack rules template exists
* Let template manager throw for configuration errors
* Fix enterMountNamespace() error handling.
Change-Id: I37322a85aeebd0e23274231e8acabc0106af5e92
Tomasz Swierczek [Mon, 6 Apr 2020 09:03:47 +0000 (11:03 +0200)]
Add new arguments for installation requests
Added arguments are:
* pkg_type (none, wrt, core, metadata)
* pkg_privilege_level (none, public, platform, partner)
This change is adjusting usage of privilege-checker functions
to its API changes.
Before this patch, privilege-checker used pkgmgr to check these data
about newly installed app. Because security-manager calls
privilege-checker at app install time, this required the pkgmgr db to be
filled before calling security-manager in app installer.
However, installer is currently changing its order of operation
and we can't rely on its data being available at this time.
Since this data is known explicitly by installer, its easy to add this
information to the installation request (per pkg).
If not set ("none" values), privilege-checker consults pkgmgr
like it used to.
Adding this API will also ease the situation in security-tests, where
pkgmgr DB had to be filled manually before each *fake* app installation
done only for purpose of security-manager API tests.
Now, the installation request in security-tests can be filled with
other-than-none values for both variables, which will result
in pkgmgr DB not being checked at app install time.
Change-Id: I518eb4524c9c1f3ff2e6d68ea25c037591f6634b
Krzysztof Jackiewicz [Mon, 27 Apr 2020 08:41:32 +0000 (10:41 +0200)]
Properly handle missing/invalid smack privilege policy
Continue to read other config files if smack privilege policy is missing.
Do ignore invalid smack-privilege template rules.
Remove unnecessary code.
Change-Id: I105e541b321523fa98556614509837cbbc5c5b13
Krzysztof Jackiewicz [Mon, 4 May 2020 10:53:07 +0000 (12:53 +0200)]
Catch TizenPlatformConfig exception in NSMountLogic
It may happen if there are some leftovers in /run/user/. Until now an
unknown exception was logged.
Change-Id: I02bbe251bd4ee094965810f8eeb228be78d7081a
Krzysztof Jackiewicz [Thu, 16 Apr 2020 13:00:36 +0000 (15:00 +0200)]
Get distinct app names from pkg
The same app can be installed for several users. This commit adds DISTINCT to
EGetAppsInPkg query to avoid duplicates.
Change-Id: Ic277ab899cf46aae2e1c08790e8db0e7e29c80ac
Zofia Abramowska [Fri, 10 Apr 2020 10:47:47 +0000 (12:47 +0200)]
Add listing running apps based on namespace
Change-Id: I8240646edef06fc267cc4a2177764494ec081fdb
Zofia Abramowska [Fri, 24 Apr 2020 15:29:03 +0000 (17:29 +0200)]
Don't assume that default privilege Smack rules template exists
Change-Id: I03c0fadeaf95885d191937d8c3e04fde70de047b
Zofia Abramowska [Fri, 24 Apr 2020 15:08:33 +0000 (17:08 +0200)]
Let template manager throw for configuration errors
Change-Id: Iec25cd08ae5cff6ef721b77022d07f734898f773
Dariusz Michaluk [Wed, 29 Apr 2020 14:42:59 +0000 (16:42 +0200)]
Fix enterMountNamespace() error handling.
There is a TOCTOU race condition between checking/entering app namespaces.
In this small time window, app can be killed,
so updating app namespace doesn't make sense, we can skip this step.
Change-Id: I27f8e0d5fed42a11b96dd79fc83b36be60aeca5e
Dariusz Michaluk [Wed, 22 Apr 2020 11:51:02 +0000 (13:51 +0200)]
Release 1.6.1
* Properly handle ENOENT error on encrypted device
* Move initial namespace setup to security_manager_prepare_app_candidate()
Change-Id: Ic99978f8d3b3b46d3322aae478bf698eb8b4f35c
Dariusz Michaluk [Tue, 21 Apr 2020 12:22:46 +0000 (14:22 +0200)]
Properly handle ENOENT error on encrypted device
Change-Id: Ica5318462304b9f96096f0376885d676e5e087ba
Dariusz Michaluk [Tue, 21 Apr 2020 11:21:25 +0000 (13:21 +0200)]
Move initial namespace setup to security_manager_prepare_app_candidate()
Change-Id: I43f316b8e074ff18462388b64793cbc3e2d895c1
Tomasz Swierczek [Tue, 21 Apr 2020 12:21:11 +0000 (14:21 +0200)]
Release 1.6.0
Add RPM package for iptables rules needed for GID-based internet access control
Add new privilege-enforcing mechanism that uses privilege-Smack mapping
Mount namespace enhancements & fixes
With this release, versioning differs from branch tizen_5.5.
With this release, Tizen has 3 mechanisms for controlling internet access:
* nether
- supports mutltiuser
- allows dynamic policy change for app, during application runtime
- complicated support for many protocols, many dependencies (mostly in kernel)
* iptables + privilege-to-GID mapping
- supports multiuser
- dissallows dynamic policy change
- requires patches from upstream kernel & iptables
* privilege-to-Smack mapping
- allows dynamic policy change
- doesn't require any custom kernel changes
- doesn't support simultaneous multiuser
Change-Id: I9984ce4f9a761be9182535ec60ee11dbb13acc77
Dariusz Michaluk [Thu, 16 Apr 2020 13:22:02 +0000 (15:22 +0200)]
Fix security_manager_cleanup_app()
After introducing sharedRO mount namespace setup,
every app should cleanup own namespace after termination.
Change-Id: I358007e3f47213f3038e6c3f2a05cbe5e273627f
Lukasz Pawelczyk [Thu, 11 Apr 2019 15:48:40 +0000 (17:48 +0200)]
Add group mapping for internal/appdebugging privilege
Change-Id: I4eca8498ffec4521fcbcba3535b7c1573c9edb25
Lukasz Pawelczyk [Fri, 12 Apr 2019 11:14:34 +0000 (13:14 +0200)]
Create new RPM for loading iptables rules at system start
iptables rules can be used by security network control with
internet and internal/appdebugging priviledges.
Mapping internet GID privilege with this set of iptables rules
can be much simpler alternative to nether, which also supports multiuser
but doesn't support runtime policy change for running apps.
Change-Id: I033b36c64fc14de5a275db00aab5825dad61341d
Krzysztof Jackiewicz [Tue, 14 Apr 2020 19:48:49 +0000 (21:48 +0200)]
Properly handle nonexisting apps uninstallation
If one or more of apps to uninstall is missing (e.g. already uninstalled) the
app_inst_req::app::appName is cleared and the UninstallHelper::removeApps has
no flag for given app. As a result nonexistent app is unnecessarily processed
in ServiceImpl::appUninstallSmackRules and smack rules of some apps may be
left untouched.
This is a fix for both issues.
Change-Id: Ifa6499f454cdff3d9f9d9570e6670c2998cc857b
Zofia Abramowska [Tue, 21 Apr 2020 10:01:57 +0000 (12:01 +0200)]
Disable Smack privilege mapping configuration
Change-Id: I89870a7aa63812b08255b05c195b1c6e85a3bb96
Zofia Abramowska [Mon, 20 Apr 2020 14:19:13 +0000 (16:19 +0200)]
Fix multi-user detection
With appId->uid mapping, we cannot properly handle this use case:
* user1 launches app A -> (appA, user1)
* user1 launches app B -> conflict detected, Smack not applied,
mapping saved to (appB, user1)
* user1 launches app B again -> no conflict detected, Smack applied
(This won't be fixed if mapping is only updated, when multi-user is
not detected)
This commit changes multi-user detection to be only based on apps
running taken from MountNS fs structure.
Change-Id: I69c729e85e05cce498abdcb4e6832df634789765
Zofia Abramowska [Tue, 14 Apr 2020 16:49:34 +0000 (18:49 +0200)]
Use mount namespace mount points to find running apps
Change-Id: Ifef7a3aa2fb9666e20f428270c41850ce7319208
Zofia Abramowska [Tue, 7 Apr 2020 17:12:55 +0000 (19:12 +0200)]
Remove privilege related Smack rules when multi-user is detected
Privilege related Smack rules can only be used, when applications
can be launched for only one user. When multiple instances of
one application for different users are detected, all privilege
related Smack rules for this application will be revoked.
This isn't a permanent state. When application is launched only
for one user it will acquire all needed permissions.
Change-Id: Ibda63d3ce4ce072f48fff4ff0e2c083c69fe66d7
Zofia Abramowska [Tue, 7 Apr 2020 15:30:03 +0000 (17:30 +0200)]
Change privilege related Smack rules on cynara policy change
When policy is updated recalculate privilege related Smack rules
for all running applications.
Change-Id: Ic6a0341399186d10404f1ce189217d963707e7be
Zofia Abramowska [Fri, 27 Mar 2020 17:51:36 +0000 (18:51 +0100)]
Remove privilege Smack mapping rules on application uninstallation
Disable all privilege related Smack rules on application
uninstallation and instead of revoke subject before application
launch (to clear old rules before applying new ones).
Change-Id: I30d67d8d16e8cd0632ac43d22e5e876bbb2bc47b
Zofia Abramowska [Fri, 3 Apr 2020 17:42:41 +0000 (19:42 +0200)]
Check if smack privilege mapping is enabled
Check is Smack privilege mapping contains any configuration -
meaning if it is enabled.
Change-Id: Iac9aaa79ed8e3fdd854826c12d93e11a5ee4cba0
Zofia Abramowska [Mon, 23 Mar 2020 18:05:48 +0000 (19:05 +0100)]
Add Smack template files manager
Add Smack template rule files manager to speedup the process
of loading template files.
Change-Id: I148438dafdf355be7a77f4a8662ffa0b4e0b6ac1
Zofia Grzelewska [Tue, 3 Mar 2020 15:10:19 +0000 (16:10 +0100)]
Split smack API wrapper and rules management
Split smack API wrapper (SmackAccesses) and rules generation and management
(SmackRules) into separate classes. Make SmackRules a class,
not a namespace, in a preparation for pre-loading of rules template files.
Change-Id: I695a7cbaef404462909b80271d0775a2c725d4f3
Zofia Grzelewska [Fri, 28 Feb 2020 16:25:45 +0000 (17:25 +0100)]
Add restriction for privilege smack mapping rules
Do not support rules, which are not based only on privilege or
application based labels.
Change-Id: Ib86cac1c8b362f8b4549148be96915a16e323e65
Zofia Abramowska [Thu, 26 Mar 2020 12:47:59 +0000 (13:47 +0100)]
Change privilege and privilege status vector names for clarity
PrivilegeVector and privilegeStatusVector passed to prepareApp are not
general privileges, but privileges related to paths. This commit
changes variables names to make it more clear.
Change-Id: I66a05ea0db305ded53ed1d47f60496cd5fda8636
Zofia Abramowska [Mon, 30 Mar 2020 14:22:36 +0000 (16:22 +0200)]
Change cynara client check to admin check for allowed privs
Cynara client check will trigger custom plugins evaluation.
This would be an unwanted behavior, as getAppAllowedPrivileges
should return current state without involvement of the user.
Using Cynara admin check we can achieve the same thing without
triggering of the plugins.
Change-Id: I6d60f9d70fa0d39ac6e9d108fef40227ba9e62d6
Zofia Grzelewska [Wed, 12 Feb 2020 17:50:21 +0000 (18:50 +0100)]
Add privilege-Smack mapping
Add privilege-Smack mapping configuration:
* privilege-smack.list which describes privilege mapping
to Smack label and Smack rules template
* priv-rules-default-template.smack which is an example
of Smack rules template for privilege
* this implementation currently only applies policy on
application launch (no runtime policy changes modify it)
and draft implementation.
IMPORTANT: This mechanism can be used, when *only one* user
is used on Tizen.
Change-Id: Iafc999793e6fe465279d0e63ca087ae6b836181a
Dariusz Michaluk [Tue, 14 Apr 2020 13:09:35 +0000 (15:09 +0200)]
Fix security-manager worker
Move worker process to main mount namespace after finishing job.
Change-Id: Ic0ed8011ecc8fab04a237c6a96190f4a8cc5d266
Tomasz Swierczek [Fri, 10 Apr 2020 10:43:39 +0000 (12:43 +0200)]
Release 0.5.22
* Make prepare_app more robust with respect to thread termination
* Fix ignoring ENOENT
* CheckProperDrop class unit tests
* Add new core privilege: notification.admin
* Do not ignore EACCES (and other errors) while getting threads info
* Unify path generation
* Add single manifest file for each RPM package
Change-Id: I3ba0fcd56821fa453947e3efa3543d5babcc56a5
Konrad Lipinski [Thu, 9 Apr 2020 14:19:08 +0000 (16:19 +0200)]
Make prepare_app more robust with respect to thread termination
Since CheckProperDrop now silently ignores ENOENT when reading thread
proc entries, security_manager_sync_threads_internal should strive to do
the same when signalling threads via tgkill. This will not, of course,
eliminate race conditions - the entire thing is inherently racy.
Bonus:
* prepare_app contract prohibits concurrent thread creation/termination
* per HQ request, EACCES readproc log now suggests a possible race
condition in the caller
Change-Id: Icf5d3e732540c4832d47e3e80f1592dab6f3ce35
Lukasz Pawelczyk [Wed, 8 Apr 2020 10:55:23 +0000 (12:55 +0200)]
Fix ignoring ENOENT
Also better error logging for check-proper-drop
Change-Id: I42bfff586d3a5d14a39ffbe16a8dfddea720d085
Lukasz Pawelczyk [Thu, 19 Mar 2020 15:54:04 +0000 (16:54 +0100)]
CheckProperDrop class unit tests
Change-Id: I1c867a319a5c14cf5ba67eb502e85505d00291c5
Yunjin Lee [Tue, 7 Apr 2020 03:59:23 +0000 (12:59 +0900)]
Add new core privilege: notification.admin
- notification.admin: Application with this privilege can manage
notifications. For example, the app can get all notificaitons and
update, delete or hide them.
Change-Id: I4fc3c500f7f84f95dd443ebfde4b953a175112ad
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Lukasz Pawelczyk [Thu, 5 Mar 2020 16:22:29 +0000 (17:22 +0100)]
Do not ignore EACCES (and other errors) while getting threads info
Unfortunately procps-ng library ignores errors while reading thread
info and will silently go to the next thread in case of an error.
Reimplement readtask() with error checking.
Change-Id: Ibfa5ce72eedddec8ea0b2a2330ce679c94a2592f