Dariusz Michaluk [Wed, 29 May 2019 14:35:21 +0000 (16:35 +0200)]
Implement SharedRO with mount namespace
Perform three bind mounts to implement SharedRO
policy.
Change-Id: Ib30cf1537bdb1357ef53b77ead52a00b469566d1
Dariusz Michaluk [Wed, 29 May 2019 11:18:40 +0000 (13:18 +0200)]
Remove package generated SharedRO rules
Remove SharedRO rules and labels generated from
package name and replace them with "User::App::Shared".
Change-Id: I8d164be27e1d91dbf8787906a4aa083a63b4a1b7
Tomasz Swierczek [Wed, 13 Nov 2019 05:34:45 +0000 (06:34 +0100)]
Release 1.5.13
* Add fsync after DB recovery.
Change-Id: I0dab12f010f35af2c32ec949a83a06202ded5ad8
jin-gyu.kim [Wed, 6 Nov 2019 05:42:21 +0000 (14:42 +0900)]
Add fsync after DB recovery.
To ensure the safety of the file, add fsync in security-manager-rules-loader.
Change-Id: I7de479c92f090d20d4f32d1147e803111eab85cd
Yunjin Lee [Fri, 11 Oct 2019 07:31:17 +0000 (16:31 +0900)]
Release 1.5.12
* Add core privileges: securesysteminfo and voicecontrol.tts
Change-Id: Ib0c157382df418323a0a2c2ff4d5263baa68d5a3
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Yunjin Lee [Fri, 11 Oct 2019 05:51:52 +0000 (14:51 +0900)]
Add core privileges: securesysteminfo and voicecontrol.tts
- securesysteminfo: This privilege allows app to read non-resettable
secure deivce information such as IMEI.
- voicecontrol.tts: This privilege allows app to request voice control
engine to synthesize text to speech using its own voice.
Change-Id: I8eb1c6bb38efe07cf4d8b3262e81b4279a6b2ea9
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Yunjin Lee [Fri, 11 Oct 2019 05:51:52 +0000 (14:51 +0900)]
Add core privileges: securesysteminfo and voicecontrol.tts
- securesysteminfo: This privilege allows app to read non-resettable
secure deivce information such as IMEI.
- voicecontrol.tts: This privilege allows app to request voice control
engine to systhesize text to speech using its own voice.
Change-Id: I8eb1c6bb38efe07cf4d8b3262e81b4279a6b2ea9
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Krzysztof Jackiewicz [Wed, 9 Oct 2019 08:55:09 +0000 (10:55 +0200)]
Release 1.5.11
* Do not fail NS worker action if mount point doesn't exist
* Refactor service_impl.cpp
Change-Id: If8a0fd4ef2c4669da6087fcafc136ee19a74cd50
Tomasz Swierczek [Tue, 1 Oct 2019 11:05:53 +0000 (13:05 +0200)]
Do not fail NS worker action if mount point doesn't exist
This mimics actions taken at app launch, where privileges
defined for nonexisting mount points are not causing
the launch to be failed.
Change-Id: I4e8f14452d379ee86efc31412aa940a4aa67b463
Tomasz Swierczek [Mon, 23 Sep 2019 08:30:48 +0000 (10:30 +0200)]
Refactor service_impl.cpp
Moved static functions to separate file in SecurityManager namespace.
This should improve module's SAM score.
Change-Id: I33eb34068072d1c52f3331ea8b8ca667657fef21
Tomasz Swierczek [Tue, 3 Sep 2019 04:43:03 +0000 (06:43 +0200)]
Release 1.5.10
* Disable http://tizen.org/privilege/internal/sysadmin for non-applications
Change-Id: I274bdbac2b70a970f11d8f20c3aa2b0b70bb8ac9
Tomasz Swierczek [Wed, 28 Aug 2019 09:14:15 +0000 (11:14 +0200)]
Disable tizen.org/privilege/internal/sysadmin for non-applications
By default, system (&user-session) services were granted access to all privileges.
As we work towards fine-grained access control for system services, we need
to disable granting all privileges for services.
This 1st experimental step disables the sysadmin privilege, to be used
to control access to activationd daemon.
For internal applications, sysadmin privilege will be used in manifests, so
Cynara will be able to find exact match for applications' Smack label
in its manifest bucket; for policy evaluation to return success in such case,
all is needed is addition of this new privilege to user-types whitelists
(*.profile files).
For system services, access control to activationd will be limited
to list of user-IDs listed in DBus policy, hence the privilege can't
be automatically enabled for processes with labels User, System & System::Privileged.
For user-session services, this privilege will not be used at the moment.
The (possible) target solution for providing per-service access control
can be based on supplementary groups defined in systemd service files
(or applied as a conequence of cynara policy by security-manager nss plugin).
However, using supplementary groups with DBus policy is not possible at the moment
as both: kernel and DBus will have to be patched to use SO_PEERGROUPS (1)
(1) : https://www.spinics.net/lists/netdev/msg441568.html
Change-Id: Ie41a60d67d39c49b1ed6a49e0c17b9e5d2dabd86
Tomasz Swierczek [Fri, 23 Aug 2019 06:08:40 +0000 (08:08 +0200)]
Release 1.5.9
* Fix for synchronization of per-thread mount namespace setup
* Add check for proper synchronization of threads namespaces
* Fix licence comments in source code files
Change-Id: Iaf0352154b51ef33980f5a100d1891105cc4eb2e
Tomasz Swierczek [Wed, 21 Aug 2019 06:48:15 +0000 (08:48 +0200)]
Fix for synchronization of per-thread mount namespace setup
According to manual (1):
A process may not be reassociated with a new mount namespace
if it is multithreaded.
Also, unshare system call (2) is only creating new namespace
for the caller thread. This means that application candidate
processes that have more than 1 thread are doomed to always have
some threads still in the main mount namespace, without
enforcement of privilege policy connected to mount namespaces.
This renders the mount-namespace-based access control a bad solution.
This patch introduces a special API call to be used by app launchers
just to prepare app candidate processes. This API call doesn't take
any arguments - it just checks if mount-namespaces are enabled
and if yes, just calls unshare(), checking beforehand if the process
has only one thread.
(1) : http://man7.org/linux/man-pages/man2/setns.2.html
(2) : http://man7.org/linux/man-pages/man1/unshare.1.html
Change-Id: I82aefca3d5eb4915041df99ff0313896cbc769cb
Tomasz Swierczek [Thu, 22 Aug 2019 06:24:14 +0000 (08:24 +0200)]
Add check for proper synchronization of threads namespaces
Change-Id: I743d755c2b7cf24bc0542c1e9e964f3c863aeb02
Tomasz Swierczek [Tue, 30 Jul 2019 08:13:32 +0000 (10:13 +0200)]
Fix licence comments in source code files
Change-Id: I24556d7a2fa49091e6f7b0888fe2cad4992f562f
Dariusz Michaluk [Mon, 15 Jul 2019 15:16:08 +0000 (17:16 +0200)]
Release 1.5.8
* Prevent starting service without the socket
* Make GetErrnoString not throwing
* Optimize nss plugin memory usage
* Remove unnecessary setting
* Migrate to openssl 1.1
Change-Id: Ic4043d29bcbda9da9f8304403dcd6a388af21424
Dariusz Michaluk [Mon, 15 Jul 2019 14:30:50 +0000 (16:30 +0200)]
Prevent starting service without the socket
Change-Id: I88415e55586dbe436bb44792d6808aadd5a48bc5
Tomasz Swierczek [Fri, 12 Jul 2019 17:01:53 +0000 (19:01 +0200)]
Make GetErrnoString not throwing
The function is already made for processing error situations,
there is no point in throwing an error inside of it.
Change-Id: I2be841a30ba36cf699907fa23bbf4d0ffe85b2ea
Tomasz Swierczek [Fri, 5 Jul 2019 05:21:11 +0000 (07:21 +0200)]
Optimize nss plugin memory usage
Made the nss module not linked with commons or client library.
Using security-manager client library in nss module caused
additional memory usage by private data in each loaded libaries
out of which most were not needed for nss (smack, pcap, procps, rt,
sqlite, cynara-*, security-privilege-manager, mount, crypt, blkid,
pkgmgr_parser, vconf, minizip, pcre, uuid, xml2, gio, z, buxton2,
lzma, gmodule, resolv, ffi, tzplatformconfig, dlog).
Linking with dlog & tzplatformconfig left only in debug mode.
To test it, use "gdb id", break point on getgrgid, measure change of PSS after
finishing the function execution with vs. without the patch.
The PSS value of id process should go down by approx. 0.4 - 0.5 MB
(depending on the system load & number of processes).
Change-Id: If2cede89885320ea83ca79fd54770a7ea24d87d8
INSUN PYO [Tue, 9 Jul 2019 05:04:24 +0000 (14:04 +0900)]
Remove unnecessary setting
Change-Id: I695a16bf83a7292422369490dda1e62a8ca30691
Konrad Lipinski [Tue, 28 May 2019 13:20:14 +0000 (15:20 +0200)]
Migrate to openssl 1.1
Change-Id: Ied1db6cd18d336fa8a6b9aebd402b1f4eead30d3
Tomasz Swierczek [Tue, 11 Jun 2019 04:46:29 +0000 (06:46 +0200)]
Release 1.5.7
* Add additional check for threads supgid pointers
* Add logging of server-side operation handling time
Change-Id: I0f62ddaaefac6af7e754a0f6f7161ae584196832
Tomasz Swierczek [Mon, 10 Jun 2019 10:18:51 +0000 (12:18 +0200)]
Add additional check for threads supgid pointers
According to implementation of readtask (proc/readproc.c),
the pointers could be NULL in specific implementations.
Change-Id: If1e8308c517ddbfbd500f7c5822c80dd3225df0c
Tomasz Swierczek [Wed, 15 May 2019 09:31:33 +0000 (11:31 +0200)]
Add logging of server-side operation handling time
Logs are added only in debug mode for each service
method that implements API exposed by the daemon.
Change-Id: I90412b9d6c32edd0d7559f5eb713117ba0a1fecd
Tomasz Swierczek [Thu, 6 Jun 2019 14:01:09 +0000 (16:01 +0200)]
Release 1.5.6
* Improve security_manager_prepare_app() performance
* Stop forcing logs from server-side write() and close() operations
* Revert "Enhance logs in case of socket problems, client hangs on waitForSocket()"
* Properly handle EINPROGRESS error from connect()
Change-Id: I02c5e576882d3f9bb713b924a7f90f7287165f96
Dariusz Michaluk [Fri, 31 May 2019 13:10:55 +0000 (15:10 +0200)]
Improve security_manager_prepare_app() performance
This commit merges getPrivilegedGroups() and getAppGroups() into one client request.
Change-Id: I77b42773845b264794398af7995bba087320689d
Tomasz Swierczek [Wed, 15 May 2019 09:13:05 +0000 (11:13 +0200)]
Stop forcing logs from server-side write() and close() operations
This reverts commit
7ad04ef8ccaebe23cc30f90f3e9ffa04b3acd698 (DEBUG ONLY ErrorLogs).
Logging sockef fd was left, but in LogDebug logs, also in CloseSocket.
Change-Id: I3582b9080de7e2368a08030d75d0df15ed81c68e
Dariusz Michaluk [Tue, 14 May 2019 14:26:27 +0000 (14:26 +0000)]
Revert "Enhance logs in case of socket problems, client hangs on waitForSocket()"
This reverts commit
3f59f6b73c66bdc4cc3fd91eaa7eef1d2abe1aa0.
Change-Id: I279ddc1a9b4213429960afd9060af049f0f4c057
Krzysztof Jackiewicz [Fri, 10 May 2019 08:39:20 +0000 (10:39 +0200)]
Properly handle EINPROGRESS error from connect()
If connect() fails with EINPROGRESS, the connection may be completed
by polling/selecting the socket for writing. This commit replaces
POLLIN with POLLOUT to handle it properly.
Change-Id: If332634c6d517d7ec00f19a5970e7fe16ee9bb06
(cherry picked from commit
e4adb53b99b0011037a3dfc408026cc6a40be349)
Krzysztof Jackiewicz [Mon, 29 Apr 2019 12:26:12 +0000 (14:26 +0200)]
Release 1.5.5
- Remove dbus.service.wants dependency
Change-Id: I2df523a40e4abf551bedfa9a45f78d4cc49127c9
INSUN PYO [Thu, 25 Apr 2019 05:57:56 +0000 (14:57 +0900)]
Remove dbus.service.wants dependency
Change-Id: I54c7abd0158ddd993ab09982171c6994d41bc08b
Dariusz Michaluk [Fri, 26 Apr 2019 14:44:43 +0000 (16:44 +0200)]
Release 1.5.4
- Enhance logs in case of socket problems, client hangs on waitForSocket()
- Increase backlog for listening sockets
Change-Id: Ibf652e8bd8597d8ed1fd88fa5127cb8621af1a69
Dariusz Michaluk [Fri, 26 Apr 2019 12:12:19 +0000 (14:12 +0200)]
Enhance logs in case of socket problems, client hangs on waitForSocket()
Change-Id: I30c3add6e1e21c3c28ae7a7b3b8c6e66477ea9ae
Dariusz Michaluk [Fri, 26 Apr 2019 12:18:41 +0000 (14:18 +0200)]
Increase backlog for listening sockets
When systemd's socket activaction is utilized, the default backlog
parameter passed to the listen() function is set to SOMAXCONN,
which is equal to 128. In distributions where systemd is not used
for socket activation, the default UNIX socket
implementation sets the backlog value to 5.
This may lead to rare overflow of an internal connection queue.
This manifests itself as the -EAGAIN error returned by connect().
To mitigate the issue, the backlog parameter has been set
to SOMAXCONN, which is a default value used by systemd.
Change-Id: I42b277d8d66c23335474fdf63db937ef22b8e171
Yunjin Lee [Mon, 15 Apr 2019 04:09:19 +0000 (13:09 +0900)]
Release 1.5.3
- Add core privilege: d2d.datasharing, d2d.remotelaunch
Change-Id: Iddf2b61f70c87a4e4fbe6f3ee06fe1ec0bce27e5
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Yunjin Lee [Mon, 15 Apr 2019 02:41:59 +0000 (11:41 +0900)]
Add core privilege: d2d.datasharing, d2d.remotelaunch
- d2d.datasharing: Application with this privilege can share data with
other devices
- d2d.remotelaunch: Application with this privilege can be launched by
applications on other devices
Change-Id: I423d56309fefc64942a8f8e6fe2f755727bddae6
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Dariusz Michaluk [Wed, 10 Apr 2019 10:30:28 +0000 (12:30 +0200)]
Release 1.5.2
- Add new rules-loader options
Change-Id: I9974c82d251730f12582a9db126d93cce1fa1b8e
Dariusz Michaluk [Thu, 14 Mar 2019 15:46:06 +0000 (16:46 +0100)]
Add new rules-loader options
--default - write all System/User rules (subject is not a package name)
--packages - write rules for list of packages
--exclude - write rules for all packages except list of packages
Change-Id: I66b2aa55f3419df8e93709e3191963d3f8e74ee4
Yunjin Lee [Wed, 27 Feb 2019 09:45:40 +0000 (18:45 +0900)]
Release 1.5.1
- Add core privilege: windowsystem.admin
- Make waitpid(WNOHANG) call more explicit to appease SVACE
Change-Id: Ia20386770e804219c63ebbcb111f0ebc9c64075d
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Yunjin Lee [Wed, 27 Feb 2019 09:16:28 +0000 (18:16 +0900)]
Add core privilege: windowsystem.admin
- The application with this privilege can change the settings for
services provided by display server, such as the quick panel and softkey
bar.
Change-Id: Ic0d441a820f687d1e36cfe20e7e3ca8a485168d1
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Konrad Lipinski [Thu, 14 Mar 2019 09:44:14 +0000 (10:44 +0100)]
Make waitpid(WNOHANG) call more explicit to appease SVACE
Change-Id: I63e7bddca2a729658d9ab8da94587a1780c7d32b
Tomasz Swierczek [Tue, 5 Mar 2019 08:18:04 +0000 (09:18 +0100)]
Release 1.5.0
* Replace time(NULL) with monotonic clock usage
* Enhance logs in case of writing errors
This release changes numbering to differentiate older branches of code.
tizen branch will continue to use 1.5.X numbering while tizen_5.0 version
will contininue to use 1.4.X numbering (for bugfixes/maintenance).
Change-Id: I752e69c738e565de27c5097381cbb11b2ac6ad48
Tomasz Swierczek [Tue, 5 Mar 2019 07:14:11 +0000 (08:14 +0100)]
Replace time(NULL) with monotonic clock usage
Calculating timeout for socket connections should
use monotonic clock.
Change-Id: Ie791173cf2663fdf0b94381f391bd5504b3e5e06
Tomasz Swierczek [Tue, 5 Mar 2019 06:26:04 +0000 (07:26 +0100)]
Enhance logs in case of writing errors & socket problems
In rare case security-manager is closing connections to clients
and after that, it tries to write responses to already closed connections.
With these enhanced logs it would be possible to match if the closed connections
(already appearing in logs) are for same socket number like ignored packets.
Change-Id: Ia105c8731d64d83d8d83182e12ae8adee1b961f0
Tomasz Swierczek [Wed, 13 Feb 2019 06:15:11 +0000 (07:15 +0100)]
Release 1.4.14
* Force logging server-side write() and close() operations
* Add logging response buffer size in debug mode
Change-Id: I8ccbbe45a48e14c7ee43781a7a5c71242fa85c09
Tomasz Swierczek [Tue, 12 Feb 2019 09:24:34 +0000 (10:24 +0100)]
Force logging server-side write() and close() operations
In some cases on TV, client gets 0 from recv while it should receive
an int with status from server. At the same time, there are no error
logs from server side and no issues with systemd service perceived.
This patch is a temporary solution to force logging relevant actions
on server side, to check whether server actually properly processes data.
Logs were added as ErrorLog to make sure these are visible during robustness
tests of TV (where platform code is synced automatically).
This patch WILL BE REVERTED after 31.03
Change-Id: I9284c42b87e49d333261a4dde7aedeae5261343c
Tomasz Swierczek [Tue, 12 Feb 2019 09:12:01 +0000 (10:12 +0100)]
Add logging response buffer size in debug mode
Change-Id: I551b93aadc5b09b252bb0a0c2a9433c3f57f6491
Dariusz Michaluk [Fri, 11 Jan 2019 10:37:38 +0000 (11:37 +0100)]
Release 1.4.13
* Apply db fallback is present and the db is an empty file
* Loader: add pragma legacy_alter_table for compatibility with sqlite 3.25.2+
* Add missing spaces in log messages
Change-Id: I236b26abb46ad0e8302127e6cb95f7b086220c8d
Konrad Lipinski [Wed, 9 Jan 2019 12:33:23 +0000 (13:33 +0100)]
Apply db fallback is present and the db is an empty file
Change-Id: Idfa81003639c5452ae85e79257aa5425547d42ea
Konrad Lipinski [Thu, 10 Jan 2019 16:46:20 +0000 (17:46 +0100)]
Loader: add pragma legacy_alter_table for compatibility with sqlite 3.25.2+
Change-Id: Iad4595cb9a12b3ebb23beca092b3057502ef822c
Pawel Kowalski [Tue, 8 Jan 2019 08:31:06 +0000 (09:31 +0100)]
Add missing spaces in log messages
Change-Id: I6b99ba86b6d2511067a4ac00a082c6584a952d04
Yunjin Lee [Wed, 19 Dec 2018 01:43:16 +0000 (10:43 +0900)]
Release: 1.4.12
* Add core privileges
* Set nullptr to reused data pointer
* Fix issues raised by static analysis
* Change local permissible file location to use UID rather than username
Change-Id: If59a47236554892817a389b3433548a8a59db782
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Yunjin Lee [Tue, 18 Dec 2018 05:47:17 +0000 (14:47 +0900)]
Add core privileges
- autofillmanager: The application with this privilege can manage
installed autofill services. It can set which autofill service to use
and get the currently configured autofill service.
- internal/buxton/systemsettings: Internal privilege to fix
Web setting privilege's level mismatched mapping to the core
systemsettings.admin privilege. The application with this privilege
can read and write buxton keys for homescreen/lockscreen bg image,
incoming call ringtone, and email notification alert tone.
- filesystem,read, filesystem.write: Web filesystem.read and
filesystem.write are public level privilege and native
systemsettings.admin is platform level privilege. They were mapped
because of the 2.X smack rules but checked that Web
filesystem.read/write privileged device APIs are not wrappers of native
systemsetting.admin privileged APIs. Hence add core privilege for
filesystem.read and write separately and remove mapping to the
systemsettings.admin.
Change-Id: I73047f251c280d554ab13b3449eaa768a7ef7a86
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Zofia Grzelewska [Tue, 11 Dec 2018 10:11:21 +0000 (11:11 +0100)]
Set nullptr to reused data pointer
Data pointer is reused in a loop and should be set to nullptr
after freeing
Change-Id: If4ab9dd89db73f0dc110279e40bd5608a0eee9d0
Konrad Lipinski [Mon, 26 Nov 2018 13:43:37 +0000 (14:43 +0100)]
Fix issues raised by static analysis
Change-Id: I8d8877f933335bf03511264576e15e75896e7411
Tomasz Swierczek [Thu, 15 Nov 2018 06:22:26 +0000 (07:22 +0100)]
Change local permissible file location to use UID rather than username
This is a protection against possible malicious user names.
Change-Id: I4a254fc4f9976fd9bc85d9d4488ba0b49a039da7
Dariusz Michaluk [Thu, 22 Nov 2018 09:54:32 +0000 (10:54 +0100)]
Release 1.4.11
* Protect security_manager_app_has_privilege with privilege check
* Check some poll() and mount() errors
* Fix documentation headers with required privilege descriptions
* Fix function name spelling error
* Change config.cpp variables to #define
Change-Id: I671eb10c1958b076a8bda3e1bae00c3db8c1539f
Tomasz Swierczek [Thu, 15 Nov 2018 08:59:13 +0000 (09:59 +0100)]
Protect security_manager_app_has_privilege with privilege check
This API serves similar data like fetching policy but wasn't protected
with privilege check. This change introduces the same entry checks.
Change-Id: I3fb2be619d05ebc770fd5c3b994baa13ff07c2a0
Konrad Lipinski [Thu, 15 Nov 2018 14:26:40 +0000 (15:26 +0100)]
Check some poll() and mount() errors
Change-Id: I62a7769a70dd35f5cfb8ba781216318105844e3f
Tomasz Swierczek [Thu, 15 Nov 2018 09:22:19 +0000 (10:22 +0100)]
Fix documentation headers with required privilege descriptions
Change-Id: I51a92ec289cdd82cbb8ca5caeaad7ef8bd29f50f
Tomasz Swierczek [Wed, 14 Nov 2018 13:20:54 +0000 (14:20 +0100)]
Fix function name spelling error
Change-Id: I66849856b28519b299cd2cc05e55fb3111ce67de
Tomasz Swierczek [Wed, 14 Nov 2018 05:58:28 +0000 (06:58 +0100)]
Change config.cpp variables to #define
security-manager may be used in processes with many threads.
Destruction of global variables may be in race condition with
child thread's operation & usage of these variables.
While such problem should be fixed in proper threads management,
there may be problems with open-source components that we may
not easily modify (and security-manager provides nss plugin
that may be used in unexpected places).
Change-Id: I057abc0bd2ed8a82d74f3777f6b95d386bc9b9f4
Tomasz Swierczek [Fri, 2 Nov 2018 05:53:45 +0000 (06:53 +0100)]
Release 1.4.10
* Replace runtime production/test db choice with compile-time policy
* Replace smack rule storage with straight-from-db rule loader
* Optimize package installation
* Prevent smack rules leaking during multi-app hybrid pkg uninstall
* Enable additional sqlite pragmas for robustness
Change-Id: Ic7132eef89713d3fb3f41053b156dacf73b28c2f
Konrad Lipinski [Mon, 15 Oct 2018 07:31:41 +0000 (09:31 +0200)]
Replace runtime production/test db choice with compile-time policy
Change-Id: Ia13c7ec92f0ffdf4c2341b395a31b8097b4eeddd
Konrad Lipinski [Fri, 14 Sep 2018 12:14:17 +0000 (14:14 +0200)]
Replace smack rule storage with straight-from-db rule loader
Details:
* remove %{TZ_SYS_VAR}/security-manager/rules{,-merged} directories
* add security-manager-rules-loader that
** performs database migration/recovery
** writes smack rules from a coherent database directly to load2
* add generate-rule-code generator that translates rule templates
(*.smack files) into c++ code for use in the loader
* remove security-manager-init-db binary and replace its invocation with
sh$ security-manager-rules-loader no-load
* replace dd invocation with security-manager-rules-loader in the rule
loader service
* add explicit dependency to ensure the loader runs before the manager
* refactor manager code
** remove the majority of database migration/recovery code on grounds of
loader having run beforehand
** replace defensive remnants of said code with an emergency invocation
sh$ security-manager-rules-loader fallback-only
to apply fallback on database schmea errors
** remove rule file maintenance (not needed anymore)
TODO:
* *.smack template files are still used by the manager at runtime,
removing them is optional and would require a substantial refactor
best placed in a separate commit
Pros:
* optimize flash usage (rule files were prone to quadratic explosion)
* solve database-rulefiles coherence problem
* make the rule loader performance more scalable and typically better
* simplify and speed up the manager a bit by dropping rule file code
Change-Id: I7d79d5ec7e66c9dfe6563dbb3f76bf6ab6669589
Konrad Lipinski [Thu, 4 Oct 2018 11:56:14 +0000 (13:56 +0200)]
Optimize package installation
appInstallSmackRules no longer updates the same rules repeatedly for
non-hybrid packages with multiple applications (every application has
the same process label so it's enough to do just one).
Change-Id: I4ba581a9ad5c297f87d591c647a6c56780d4978a
Konrad Lipinski [Wed, 3 Oct 2018 09:12:31 +0000 (11:12 +0200)]
Prevent smack rules leaking during multi-app hybrid pkg uninstall
Package hybridity would be detected after database modifications and
change from 1 to 0 for the last application as a result, leading to
wrong process labels being considered (User::Pkg::$pkgName as opposed
to User::Pkg::$pkgName::App::$appName).
Hybridity is now checked ahead of time to prevent the issue.
Change-Id: Ibe08d443d5fe29d36dabd6df023123da82286d21
Konrad Lipinski [Fri, 14 Sep 2018 12:14:17 +0000 (14:14 +0200)]
Enable additional sqlite pragmas for robustness
Change-Id: Ideaa585912143665ba9e288506af9d41679b029b
Tomasz Swierczek [Thu, 27 Sep 2018 11:02:05 +0000 (13:02 +0200)]
Release 1.4.9
* Add privilege for checking app permission
Change-Id: I4ae3a5301442f05de06554de3673d25e03f670d5
Pawel Kowalski [Mon, 24 Sep 2018 12:27:50 +0000 (14:27 +0200)]
Add privilege for checking app permission
New privilege http://tizen.org/privilege/permission.check was added
to enable the requesting app to check the permission of other app.
Change-Id: Ia0123e4716496852609371c228a41a477e94959e
Tomasz Swierczek [Thu, 20 Sep 2018 05:07:19 +0000 (07:07 +0200)]
Release 1.4.8
* Fix security-manager/libsecurity-manager-client cyclic dependency
Change-Id: I5b3b2bd33e7e1b08e4323001fbb1837effaa9666
Dariusz Michaluk [Mon, 17 Sep 2018 12:16:33 +0000 (14:16 +0200)]
Fix security-manager/libsecurity-manager-client cyclic dependency
Change-Id: Ic4c66e520964b54a1f8f6cc273517405d29b6b6a
Tomasz Swierczek [Tue, 18 Sep 2018 12:03:10 +0000 (14:03 +0200)]
Release 1.4.7
* Fix build break with 1.65.1 boost version
Change-Id: If2738dfc0ab73111520655c6a6cf75e3aaafcd41
Lukasz Wojciechowski [Tue, 18 Sep 2018 11:50:48 +0000 (13:50 +0200)]
Fix build break with 1.65.1 boost version
This is a quick syntax fix. In other places of security-manager tests
a colon is used after BOOST_GLOBAL_FIXTURE macro usage, see:
tests/security-manager-tests.cpp:53:BOOST_GLOBAL_FIXTURE(TestConfig);
tests/security-manager-tests.cpp:54:BOOST_GLOBAL_FIXTURE(LogSetup);
The macro should be replaced anyway as it is deprecated according
to the boost documentation:
https://www.boost.org/doc/libs/1_65_1/libs/test/doc/html/boost_test/utf_reference/test_org_reference/test_org_boost_global_fixture.html
Change-Id: Ib0ee486ae617b83b6f2e66a1b9b0d158b7cbfbec
Signed-off-by: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
Yunjin Lee [Mon, 17 Sep 2018 05:05:22 +0000 (14:05 +0900)]
Release 1.4.6
* Add core privilege: updatecontrol.admin and permission.check
Change-Id: Ic5cdbb475338ca26a37e3cc9b60bd6944563dba7
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Yunjin Lee [Mon, 17 Sep 2018 04:46:03 +0000 (13:46 +0900)]
Add core privilege: updatecontrol.admin and permission.check
- updatecontrol.admin allows app to control system software update
procedure
- permission.check allows app to get other apps' permission statuses
Change-Id: I122c9734f9e5bc8b17387724cc05146193f3fd8c
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Dariusz Michaluk [Thu, 13 Sep 2018 13:19:48 +0000 (15:19 +0200)]
Release 1.4.5
* Move standard users group management from GUM to security-manager
* Lazily initialize variables that need tz-platform-config
* Attempt database fallback recovery on some schema errors
* Change naming of recovery-management file & functions
* Optimize application uninstallation
* Simplify array size calculation
* Prefer std::vector::emplace_back to push_back in db code
Change-Id: I51d8c32ae4ff0ad40408440526c02c7575350d0f
Karol Lewandowski [Wed, 12 Sep 2018 14:33:53 +0000 (16:33 +0200)]
Move standard users group management from GUM to security-manager
Till now users created with "gum" tools were added
to predefined set of supplementary groups - audio,
display, video. This gave the users needed permissions
to access to various device nodes.
Unfortunately, this model does not work with multiple
"passwd/group" databases - /etc/{passwd,group} on read-only
storage, /opt/etc/{passwd,group} on read-writable storage.
This is because to assign user 'kitty' to the some system
group - defined in /etc/group, this file would need to be
modified, i.e.
video:x:44:media,system,multimedia_fw,owner,kitty
As noted - this can not be done because /opt/group is
supposed to be on read-only storage.
To address this issue security manager is used. It does
already provide NSS module which can assign logged in users
to predefined groups. The groups membership is based on
privileges assigned to given user type.
This commit:
- introduces three new privileges
- introduces mapping from new privileges to Unix groups
- assigns the new privileges to 'admin', 'normal', 'security',
'system' & 'guest' users
- adds the new privileges to global & local manifests
Change-Id: I465acc69cfa92bd4162f5aa603696bdfa7ace64e
Krzysztof Jackiewicz [Wed, 29 Aug 2018 13:12:11 +0000 (15:12 +0200)]
Lazily initialize variables that need tz-platform-config
Recent change in tz-platform-config made it use libc API for accessing
passwd/groups databases. As a result, each call to tz-platform-config will make
NSS load security-manager's NSS plugin with all dependent libraries initializing
their global variables.
The common library which is linked with nss plugin initializes two global
variables that use tz-platform-config which will lead to recursive call
prohibited by NSS.
This commit makes these variables lazily initialized to avoid the call to
tz-platform-config in security-manager's nss plugin initialization.
Change-Id: Ie290051f3d3d11c1b5f980d2cba683350a639042
Konrad Lipinski [Thu, 30 Aug 2018 14:04:38 +0000 (16:04 +0200)]
Attempt database fallback recovery on some schema errors
Done per HQ request for extra robustness in the face of unforeseen
database corruption.
Schema error detection amounts to preparing sqlite query templates. It
takes place at the end of database connection bringup (once the database
is verified to be up to date and passes integrity checks) by means of
calling sqlite3_prepare_v2 for every statement template ever to be used
at runtime. Sqlite statement compilation may fail due to lack of schema
compatibility. If such a failure occurs, fallback recovery is attempted
unless already tried.
Change-Id: I6ef8a262f8db11552f3e92ed3a601227558c3899
Tomasz Swierczek [Tue, 28 Aug 2018 08:35:19 +0000 (10:35 +0200)]
Change naming of recovery-management file & functions
The flag file is a sign for other system components to
feed DB with user-installed-apps, so they'd probably want to
know that DB 'was recovered' to initial state, rather than
know that 'DB used to be broken' (if the DB was broken,
and recovery to initial state is not successful, system
will not boot properly anyway).
Change-Id: Icc3b71b56c8299ba37a3acf3b8f20667af352e15
Konrad Lipinski [Thu, 23 Aug 2018 14:03:58 +0000 (16:03 +0200)]
Optimize application uninstallation
Many operations were needlessly performed. Mitigated some of those
deficiencies by constraining lifetimes of some automatic variables and
hoisting redundant operations out of the loop.
Change-Id: I19e37f1cb73ec57ecf525b7bc125d0e2e90cc573
Krzysztof Jackiewicz [Wed, 8 Aug 2018 09:27:10 +0000 (11:27 +0200)]
Simplify array size calculation
Change-Id: I8d5af79702a1b4b2e61813b99a246fbbac559320
Konrad Lipinski [Thu, 23 Aug 2018 15:08:06 +0000 (17:08 +0200)]
Prefer std::vector::emplace_back to push_back in db code
Rationale: promote efficient idioms.
Change-Id: Idc7f48c9b8a4e32a3a21de0fc234b705d51e69ec
Tomasz Swierczek [Fri, 24 Aug 2018 09:47:51 +0000 (11:47 +0200)]
Release 1.4.4
* Initialize database and restart service in policy-reload
* Give internet privilege to kernel thread(@)
* Add error logs when translating group names to gids
* Drop unused destroyAt()
* Fix: Remove all SharedRO rules after pkg uninstallation.
* Fix: launch security-manager-cleanup after /opt/usr is mounted.
* Remove fileExists() duplicates
* Add Apache 2.0 license header
* Change way of displaying performance test results
* Rework security-manager-migration script as a policy update script
* Remove unused source code
Change-Id: I8a25e757ad5f0c7d4f4596f6b1743049ac8252fb
Konrad Lipinski [Thu, 23 Aug 2018 11:57:03 +0000 (13:57 +0200)]
Initialize database and restart service in policy-reload
Added the security-manager-cmd --init-db option that replicates manager
startup database bringup semantics.
Amended security-manager-policy-reload.in to:
* stop the service before inserting into the database to avoid
concurrent modification
* call security-manager-cmd --init-db to make sure the database exists
and is coherent prior to modifying it
* perform the database transaction
* start the service so that it reads the modified database
Rationale: prior to the patch, the manager would work on stale data as
the service was already running during policy-reload invocation.
While at it, homogenized systemctl {start,stop} invocations.
Said invocations are now of the form:
systemctl {start,stop} security-manager.service security-manager.socket
Rationale:
* strive for code uniformity
* leverage systemd's automatic dependency resolution
* speed up a bit
Change-Id: I21b254345abaa617b6a389dfd060fb4a4799a148
jin-gyu.kim [Wed, 11 Jul 2018 05:32:11 +0000 (14:32 +0900)]
Give internet privilege to kernel thread(@)
In some cases, sending DNS packet is blocked by Nether.
This is due to packet has "@" label, which seems to be originated from kernel.
All packets marked as "@" need to be passed, so give the default cynara rule.
Change-Id: I4a2ba553738c8be783401ca3e71bf69b942f5496
Tomasz Swierczek [Thu, 23 Aug 2018 08:59:13 +0000 (10:59 +0200)]
Add error logs when translating group names to gids
Daemon or client failure is probably the best way to fail-early
in case of bad system config; however, system logs should have clear information
on what has failed in such case.
Change-Id: Ia119bac5795b5a38e4004b7d66c8a64f3a45ac69
Konrad Lipinski [Mon, 20 Aug 2018 09:31:29 +0000 (11:31 +0200)]
Drop unused destroyAt()
Change-Id: Ib04ce2151ab1625dab729ea098f7ccba00b3561e
Dariusz Michaluk [Tue, 17 Jul 2018 16:34:16 +0000 (18:34 +0200)]
Fix: Remove all SharedRO rules after pkg uninstallation.
Change-Id: Icf7d14507170bc98f61a7aaa3f5f37437b769bb9
Dariusz Michaluk [Tue, 3 Jul 2018 14:06:10 +0000 (16:06 +0200)]
Fix: launch security-manager-cleanup after /opt/usr is mounted.
Change-Id: I1f6f4b2a9b9712ee5ed1a1a539a3059249a90b04
Dariusz Michaluk [Thu, 16 Aug 2018 09:49:30 +0000 (11:49 +0200)]
Remove fileExists() duplicates
Change-Id: I1ec14dd6d1a60bc481dbe04ec21e70be70c8715e
Pawel Kowalski [Thu, 16 Aug 2018 09:41:20 +0000 (11:41 +0200)]
Add Apache 2.0 license header
Change-Id: I43fefb11a6998097c778d76e6d08cab211206d20
Zofia Grzelewska [Mon, 19 Feb 2018 17:51:47 +0000 (18:51 +0100)]
Change way of displaying performance test results
Performance tests didn't show enough info about test parameters.
Ratios differ greatly between test cases, it is nice to have
more infomation, as to why it might be this way.
Added displaying of initial db size and for how many apps
app defined privileges were installed.
Also changed tests names to better describe test case.
Change-Id: Icd1816ec56fd70d15d717231c0b70dc25964741e
Rafal Krypa [Mon, 30 Oct 2017 14:39:36 +0000 (15:39 +0100)]
Rework security-manager-migration script as a policy update script
This original framework was first policy migration script that appeared
in security-manager. It should be adopted by the policy update framework,
that was introduced later, but it was overlooked.
In order to merge these update infrastructures, migration directory is
removed and the original migration script is renamed and adapted as a
version 1 policy update, which was previously a no-op.
Change-Id: I96c84103d9eda0746bd8d919bc6dd42c3a50a232
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Dariusz Michaluk [Tue, 7 Aug 2018 11:27:58 +0000 (13:27 +0200)]
Remove unused source code
Change-Id: I40230e07b459d73907986ba916e1e15628e5d9cb
Tomasz Swierczek [Tue, 7 Aug 2018 06:43:56 +0000 (08:43 +0200)]
Release 1.4.3
* Add removal of DB broken flag before atempt to setup DB
* Add database snapshotting and recovery
* Pull db migration into manager binary at startup
* Sanitize privilege_db query storage
* Fix memleak in PrivilegeDb()
* Add /opt/usr/media to privilege-mount.list again
* Retrieve package manager privilege from User::Shell client
* Make spec compliant with gbs --incremental
* Add TZ_SYS_MEDIASHARED to privilege-mount.list
* Change log message in realPath
* Make server keep its original log tag
* Fix hybrid pkg uninstallation
Change-Id: I9b410a6c9ceed3d63a13265aad7d33e858e37c8c
Tomasz Swierczek [Tue, 7 Aug 2018 05:26:55 +0000 (07:26 +0200)]
Add removal of DB broken flag before atempt to setup DB
This way, we ensure that on next booting there will be no information
on previous problems (the flag exists to tell other system components
that user-installed applications require re-registration in security-manager).
Change-Id: I5c7a9962adeb66125664f9a6c293355136456ded
Konrad Lipinski [Fri, 20 Jul 2018 13:29:00 +0000 (15:29 +0200)]
Add database snapshotting and recovery
A snapshot of a working database can be established by running
security-manager-cmd --backup
This effectively copies "$TZ_SYS_DB/.security-manager.db" over
"$TZ_SYS_RO_SHARE/security-manager/.security-manager.db" (journal is not
being copied).
NOTE: backup does not check for concurrent access of the db file so the
user has to make sure no concurrent modification takes place in the
interim.
The manager performs an integrity check of the database at every startup
(see below). If the check fails, it truncates the database journal and
overwrites the database file with the latest snapshot, then reattempts
connection, migration and redoes the integrity check on the resulting
database.
As a first shot, integrity check uses the most aggressive possible form
achievable by sqlite pragmas by
* checking if the file exists (to prevent sqlite autovivifying it)
* checking 'pragma intergrity_check'
* checking 'pragma foreign_key_check'
TODO: for product acceptance, actual latency introduced by the integrity
check should be measured. If too high, the check can be made faster by
* dropping foreign_key_check
* replacing integrity_check with quick_check
To help make the decision, lax measurement were taken using
time sqlite3 >/dev/null /opt/dbspace/.security-manager.db 'pragma..'
time[ms] foreign_key_check integrity_check quick_check
TM1 17 20 18
emulator 5 2 2
Change-Id: I01a4ed0879b10bdcadde78ab086776420850e13c