Tomasz Swierczek [Mon, 23 Mar 2020 18:59:14 +0000 (19:59 +0100)]
Add test cases for filesystem.cpp functions
Previously, unit tests covered only about 26% of the lines,
this patch aims to increase the file coverage to at least 80%.
Change-Id: I985a2b690fdf1bbb355edb94753bf8c54108b9cf
Tomasz Swierczek [Wed, 17 Jun 2020 14:01:32 +0000 (16:01 +0200)]
Set C++ 17 flags
Will be needed later for inline static variables in class declaration
Change-Id: I203bf0f593a2bca4a95b06d98a85f609533b8039
Tomasz Swierczek [Wed, 18 Mar 2020 13:51:59 +0000 (14:51 +0100)]
Categorize unit test cases as negative or positive
Macros adding NEGATIVE_ or POSITIVE_ prefix to test name added too.
Some tests split for proper distinction of negative & positive tests.
Change-Id: I98b1c3b657cd84f01c364254aff064bf40b8b456
Konrad Lipinski [Wed, 20 May 2020 09:42:08 +0000 (11:42 +0200)]
Disable assert() for release builds
Change-Id: I61861dc2b181ff6c70a66af9e30b21ff0c9805d7
Tomasz Swierczek [Thu, 14 May 2020 08:38:45 +0000 (10:38 +0200)]
Release 1.6.2
* Add new arguments for installation requests
* Properly handle missing/invalid smack privilege policy
* Catch TizenPlatformConfig exception in NSMountLogic
* Get distinct app names from pkg
* Add listing running apps based on namespace
* Don't assume that default privilege Smack rules template exists
* Let template manager throw for configuration errors
* Fix enterMountNamespace() error handling.
Change-Id: I37322a85aeebd0e23274231e8acabc0106af5e92
Tomasz Swierczek [Mon, 6 Apr 2020 09:03:47 +0000 (11:03 +0200)]
Add new arguments for installation requests
Added arguments are:
* pkg_type (none, wrt, core, metadata)
* pkg_privilege_level (none, public, platform, partner)
This change is adjusting usage of privilege-checker functions
to its API changes.
Before this patch, privilege-checker used pkgmgr to check these data
about newly installed app. Because security-manager calls
privilege-checker at app install time, this required the pkgmgr db to be
filled before calling security-manager in app installer.
However, installer is currently changing its order of operation
and we can't rely on its data being available at this time.
Since this data is known explicitly by installer, it's easy to add this
information to the installation request (per pkg).
If not set ("none" values), privilege-checker consults pkgmgr
like it used to.
Adding this API will also ease the situation in security-tests, where
pkgmgr DB had to be filled manually before each *fake* app installation
done only for purpose of security-manager API tests.
Now, the installation request in security-tests can be filled with
other-than-none values for both variables, which will result
in pkgmgr DB not being checked at app install time.
Change-Id: I518eb4524c9c1f3ff2e6d68ea25c037591f6634b
Krzysztof Jackiewicz [Mon, 27 Apr 2020 08:41:32 +0000 (10:41 +0200)]
Properly handle missing/invalid smack privilege policy
Continue to read other config files if smack privilege policy is missing.
Do ignore invalid smack-privilege template rules.
Remove unnecessary code.
Change-Id: I105e541b321523fa98556614509837cbbc5c5b13
Krzysztof Jackiewicz [Mon, 4 May 2020 10:53:07 +0000 (12:53 +0200)]
Catch TizenPlatformConfig exception in NSMountLogic
It may happen if there are some leftovers in /run/user/. Until now an
unknown exception was logged.
Change-Id: I02bbe251bd4ee094965810f8eeb228be78d7081a
Krzysztof Jackiewicz [Thu, 16 Apr 2020 13:00:36 +0000 (15:00 +0200)]
Get distinct app names from pkg
The same app can be installed for several users. This commit adds DISTINCT to
EGetAppsInPkg query to avoid duplicates.
Change-Id: Ic277ab899cf46aae2e1c08790e8db0e7e29c80ac
Zofia Abramowska [Fri, 10 Apr 2020 10:47:47 +0000 (12:47 +0200)]
Add listing running apps based on namespace
Change-Id: I8240646edef06fc267cc4a2177764494ec081fdb
Zofia Abramowska [Fri, 24 Apr 2020 15:29:03 +0000 (17:29 +0200)]
Don't assume that default privilege Smack rules template exists
Change-Id: I03c0fadeaf95885d191937d8c3e04fde70de047b
Zofia Abramowska [Fri, 24 Apr 2020 15:08:33 +0000 (17:08 +0200)]
Let template manager throw for configuration errors
Change-Id: Iec25cd08ae5cff6ef721b77022d07f734898f773
Dariusz Michaluk [Wed, 29 Apr 2020 14:42:59 +0000 (16:42 +0200)]
Fix enterMountNamespace() error handling.
There is a TOCTOU race condition between checking/entering app namespaces.
In this small time window, the app can be killed,
so updating the app namespace doesn't make sense; we can skip this step.
Change-Id: I27f8e0d5fed42a11b96dd79fc83b36be60aeca5e
Dariusz Michaluk [Wed, 22 Apr 2020 11:51:02 +0000 (13:51 +0200)]
Release 1.6.1
* Properly handle ENOENT error on encrypted device
* Move initial namespace setup to security_manager_prepare_app_candidate()
Change-Id: Ic99978f8d3b3b46d3322aae478bf698eb8b4f35c
Dariusz Michaluk [Tue, 21 Apr 2020 12:22:46 +0000 (14:22 +0200)]
Properly handle ENOENT error on encrypted device
Change-Id: Ica5318462304b9f96096f0376885d676e5e087ba
Dariusz Michaluk [Tue, 21 Apr 2020 11:21:25 +0000 (13:21 +0200)]
Move initial namespace setup to security_manager_prepare_app_candidate()
Change-Id: I43f316b8e074ff18462388b64793cbc3e2d895c1
Tomasz Swierczek [Tue, 21 Apr 2020 12:21:11 +0000 (14:21 +0200)]
Release 1.6.0
Add RPM package for iptables rules needed for GID-based internet access control
Add new privilege-enforcing mechanism that uses privilege-Smack mapping
Mount namespace enhancements & fixes
With this release, versioning differs from branch tizen_5.5.
With this release, Tizen has 3 mechanisms for controlling internet access:
* nether
- supports multiuser
- allows dynamic policy change for app, during application runtime
- complicated support for many protocols, many dependencies (mostly in kernel)
* iptables + privilege-to-GID mapping
- supports multiuser
- disallows dynamic policy change
- requires patches from upstream kernel & iptables
* privilege-to-Smack mapping
- allows dynamic policy change
- doesn't require any custom kernel changes
- doesn't support simultaneous multiuser
Change-Id: I9984ce4f9a761be9182535ec60ee11dbb13acc77
Dariusz Michaluk [Thu, 16 Apr 2020 13:22:02 +0000 (15:22 +0200)]
Fix security_manager_cleanup_app()
After introducing sharedRO mount namespace setup,
every app should cleanup own namespace after termination.
Change-Id: I358007e3f47213f3038e6c3f2a05cbe5e273627f
Lukasz Pawelczyk [Thu, 11 Apr 2019 15:48:40 +0000 (17:48 +0200)]
Add group mapping for internal/appdebugging privilege
Change-Id: I4eca8498ffec4521fcbcba3535b7c1573c9edb25
Lukasz Pawelczyk [Fri, 12 Apr 2019 11:14:34 +0000 (13:14 +0200)]
Create new RPM for loading iptables rules at system start
iptables rules can be used by security network control with
internet and internal/appdebugging privileges.
Mapping internet GID privilege with this set of iptables rules
can be a much simpler alternative to nether, which also supports multiuser
but doesn't support runtime policy change for running apps.
Change-Id: I033b36c64fc14de5a275db00aab5825dad61341d
Krzysztof Jackiewicz [Tue, 14 Apr 2020 19:48:49 +0000 (21:48 +0200)]
Properly handle nonexisting apps uninstallation
If one or more of apps to uninstall is missing (e.g. already uninstalled) the
app_inst_req::app::appName is cleared and the UninstallHelper::removeApps has
no flag for given app. As a result nonexistent app is unnecessarily processed
in ServiceImpl::appUninstallSmackRules and smack rules of some apps may be
left untouched.
This is a fix for both issues.
Change-Id: Ifa6499f454cdff3d9f9d9570e6670c2998cc857b
Zofia Abramowska [Tue, 21 Apr 2020 10:01:57 +0000 (12:01 +0200)]
Disable Smack privilege mapping configuration
Change-Id: I89870a7aa63812b08255b05c195b1c6e85a3bb96
Zofia Abramowska [Mon, 20 Apr 2020 14:19:13 +0000 (16:19 +0200)]
Fix multi-user detection
With appId->uid mapping, we cannot properly handle this use case:
* user1 launches app A -> (appA, user1)
* user1 launches app B -> conflict detected, Smack not applied,
mapping saved to (appB, user1)
* user1 launches app B again -> no conflict detected, Smack applied
(This won't be fixed if mapping is only updated, when multi-user is
not detected)
This commit changes multi-user detection to be only based on apps
running taken from MountNS fs structure.
Change-Id: I69c729e85e05cce498abdcb4e6832df634789765
Zofia Abramowska [Tue, 14 Apr 2020 16:49:34 +0000 (18:49 +0200)]
Use mount namespace mount points to find running apps
Change-Id: Ifef7a3aa2fb9666e20f428270c41850ce7319208
Zofia Abramowska [Tue, 7 Apr 2020 17:12:55 +0000 (19:12 +0200)]
Remove privilege related Smack rules when multi-user is detected
Privilege related Smack rules can only be used, when applications
can be launched for only one user. When multiple instances of
one application for different users are detected, all privilege
related Smack rules for this application will be revoked.
This isn't a permanent state. When application is launched only
for one user it will acquire all needed permissions.
Change-Id: Ibda63d3ce4ce072f48fff4ff0e2c083c69fe66d7
Zofia Abramowska [Tue, 7 Apr 2020 15:30:03 +0000 (17:30 +0200)]
Change privilege related Smack rules on cynara policy change
When policy is updated recalculate privilege related Smack rules
for all running applications.
Change-Id: Ic6a0341399186d10404f1ce189217d963707e7be
Zofia Abramowska [Fri, 27 Mar 2020 17:51:36 +0000 (18:51 +0100)]
Remove privilege Smack mapping rules on application uninstallation
Disable all privilege related Smack rules on application
uninstallation and instead of revoke subject before application
launch (to clear old rules before applying new ones).
Change-Id: I30d67d8d16e8cd0632ac43d22e5e876bbb2bc47b
Zofia Abramowska [Fri, 3 Apr 2020 17:42:41 +0000 (19:42 +0200)]
Check if smack privilege mapping is enabled
Check if Smack privilege mapping contains any configuration -
meaning if it is enabled.
Change-Id: Iac9aaa79ed8e3fdd854826c12d93e11a5ee4cba0
Zofia Abramowska [Mon, 23 Mar 2020 18:05:48 +0000 (19:05 +0100)]
Add Smack template files manager
Add Smack template rule files manager to speedup the process
of loading template files.
Change-Id: I148438dafdf355be7a77f4a8662ffa0b4e0b6ac1
Zofia Grzelewska [Tue, 3 Mar 2020 15:10:19 +0000 (16:10 +0100)]
Split smack API wrapper and rules management
Split smack API wrapper (SmackAccesses) and rules generation and management
(SmackRules) into separate classes. Make SmackRules a class,
not a namespace, in a preparation for pre-loading of rules template files.
Change-Id: I695a7cbaef404462909b80271d0775a2c725d4f3
Zofia Grzelewska [Fri, 28 Feb 2020 16:25:45 +0000 (17:25 +0100)]
Add restriction for privilege smack mapping rules
Do not support rules, which are not based only on privilege or
application based labels.
Change-Id: Ib86cac1c8b362f8b4549148be96915a16e323e65
Zofia Abramowska [Thu, 26 Mar 2020 12:47:59 +0000 (13:47 +0100)]
Change privilege and privilege status vector names for clarity
PrivilegeVector and privilegeStatusVector passed to prepareApp are not
general privileges, but privileges related to paths. This commit
changes variables names to make it more clear.
Change-Id: I66a05ea0db305ded53ed1d47f60496cd5fda8636
Zofia Abramowska [Mon, 30 Mar 2020 14:22:36 +0000 (16:22 +0200)]
Change cynara client check to admin check for allowed privs
Cynara client check will trigger custom plugins evaluation.
This would be an unwanted behavior, as getAppAllowedPrivileges
should return current state without involvement of the user.
Using Cynara admin check we can achieve the same thing without
triggering of the plugins.
Change-Id: I6d60f9d70fa0d39ac6e9d108fef40227ba9e62d6
Zofia Grzelewska [Wed, 12 Feb 2020 17:50:21 +0000 (18:50 +0100)]
Add privilege-Smack mapping
Add privilege-Smack mapping configuration:
* privilege-smack.list which describes privilege mapping
to Smack label and Smack rules template
* priv-rules-default-template.smack which is an example
of Smack rules template for privilege
* this implementation currently only applies policy on
application launch (no runtime policy changes modify it)
and draft implementation.
IMPORTANT: This mechanism can be used, when *only one* user
is used on Tizen.
Change-Id: Iafc999793e6fe465279d0e63ca087ae6b836181a
Dariusz Michaluk [Tue, 14 Apr 2020 13:09:35 +0000 (15:09 +0200)]
Fix security-manager worker
Move worker process to main mount namespace after finishing job.
Change-Id: Ic0ed8011ecc8fab04a237c6a96190f4a8cc5d266
Tomasz Swierczek [Fri, 10 Apr 2020 10:43:39 +0000 (12:43 +0200)]
Release 0.5.22
* Make prepare_app more robust with respect to thread termination
* Fix ignoring ENOENT
* CheckProperDrop class unit tests
* Add new core privilege: notification.admin
* Do not ignore EACCES (and other errors) while getting threads info
* Unify path generation
* Add single manifest file for each RPM package
Change-Id: I3ba0fcd56821fa453947e3efa3543d5babcc56a5
Konrad Lipinski [Thu, 9 Apr 2020 14:19:08 +0000 (16:19 +0200)]
Make prepare_app more robust with respect to thread termination
Since CheckProperDrop now silently ignores ENOENT when reading thread
proc entries, security_manager_sync_threads_internal should strive to do
the same when signalling threads via tgkill. This will not, of course,
eliminate race conditions - the entire thing is inherently racy.
Bonus:
* prepare_app contract prohibits concurrent thread creation/termination
* per HQ request, EACCES readproc log now suggests a possible race
condition in the caller
Change-Id: Icf5d3e732540c4832d47e3e80f1592dab6f3ce35
Lukasz Pawelczyk [Wed, 8 Apr 2020 10:55:23 +0000 (12:55 +0200)]
Fix ignoring ENOENT
Also better error logging for check-proper-drop
Change-Id: I42bfff586d3a5d14a39ffbe16a8dfddea720d085
Lukasz Pawelczyk [Thu, 19 Mar 2020 15:54:04 +0000 (16:54 +0100)]
CheckProperDrop class unit tests
Change-Id: I1c867a319a5c14cf5ba67eb502e85505d00291c5
Yunjin Lee [Tue, 7 Apr 2020 03:59:23 +0000 (12:59 +0900)]
Add new core privilege: notification.admin
- notification.admin: Application with this privilege can manage
notifications. For example, the app can get all notifications and
update, delete or hide them.
Change-Id: I4fc3c500f7f84f95dd443ebfde4b953a175112ad
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Lukasz Pawelczyk [Thu, 5 Mar 2020 16:22:29 +0000 (17:22 +0100)]
Do not ignore EACCES (and other errors) while getting threads info
Unfortunately procps-ng library ignores errors while reading thread
info and will silently go to the next thread in case of an error.
Reimplement readtask() with error checking.
Change-Id: Ibfa5ce72eedddec8ea0b2a2330ce679c94a2592f
Zofia Grzelewska [Thu, 5 Mar 2020 17:47:56 +0000 (18:47 +0100)]
Unify path generation
Change-Id: I9baaf7bf66faa9176919d46b3ddd0b2a54dbcea8
Tomasz Swierczek [Thu, 19 Mar 2020 07:48:18 +0000 (08:48 +0100)]
Add single manifest file for each RPM package
Change-Id: I625369d432a8251a80b456d659f483a074a2326d
Tomasz Swierczek [Fri, 28 Feb 2020 13:31:12 +0000 (14:31 +0100)]
Release 1.5.21
* Indicate tgkill failure in error log with errno
* Fix static analysis issues
Change-Id: Ic2de53c56c8fe1226cfd5ad318503a1264a1baf2
Tomasz Swierczek [Thu, 27 Feb 2020 08:38:21 +0000 (09:38 +0100)]
Indicate tgkill failure in error log with errno
Change-Id: Ief80fdf01064dabbed57be2816fcfd792f03542a
Tomasz Swierczek [Wed, 26 Feb 2020 07:57:20 +0000 (08:57 +0100)]
Fix static analysis issues
Change-Id: I202fff30f54d5ebab946f73d4e8fa827b49b3e35
Konrad Lipinski [Thu, 6 Feb 2020 15:55:47 +0000 (16:55 +0100)]
Release 1.5.20
* Fix app_update not setting sharedRO to false in db
* Refactor ServiceThread
* Reintroduce checks for directory existence in sharedRO setup
Change-Id: I2078b91fa5d5518440f5d92d82d3ea0f6389bfde
Konrad Lipinski [Thu, 6 Feb 2020 13:15:17 +0000 (14:15 +0100)]
Fix app_update not setting sharedRO to false in db
Change-Id: I502a00b4946ba3ef3c82c81f665e10c1b50d2e2b
Konrad Lipinski [Mon, 20 Jan 2020 16:05:25 +0000 (17:05 +0100)]
Refactor ServiceThread
* avoid runtime member ptr indirection and storage
* retrieve Service via CRTP instead of storing it
* make ServiceThread a concrete class
Change-Id: I871602912ca7eb4ec9c4144fc104949931a60fc4
Tomasz Swierczek [Wed, 5 Feb 2020 09:13:45 +0000 (10:13 +0100)]
Reintroduce checks for directory existence in sharedRO setup
While directories connected with per-app sharedRO should exist
if an application package has been declared to use the feature,
previous behaviour of security-manager allowed these dirs
to be nonexistent while still silently ignoring the misconfiguration
(pre-1.5.18 versions).
On already released product images, some apps, improperly installed
by installer as using sharedRO and NOT having actual folder structure,
could be already running in the wilderness. Update to new
security-manager, while true to original sharedRO-bind-mount design
(dirs SHOULD exist as designed), may introduce runtime errors.
This patch reintroduces existence checks for directories which are
arguments to bind mounts.
Alternative to this patch would be a migration script that would be much more
complicated and should be accompanied with security-manager commandline tool
used to update DB contents OR appfw script that would re-do the directory
structure. Both ways would be much more time-consuming & error prone
than reintroducing these checks, which I'm doing in this patch.
Change-Id: I9f25a85ae87e4189b81621f1ec3863a2d1cc9d2a
Tomasz Swierczek [Mon, 3 Feb 2020 08:02:35 +0000 (09:02 +0100)]
Release 1.5.19
* Remove nss plugin IPC with security-manager daemon
* Fix Svace defect, remove unreachable statement.
* Refactor macro usage within CheckProperDrop::checkThreads()
Change-Id: I9f36e37e2448791ef761b86a6efd9c64c521217a
Tomasz Swierczek [Thu, 9 Jan 2020 13:29:43 +0000 (14:29 +0100)]
Remove nss plugin IPC with security-manager daemon
Communication was needed to ensure the GID list is calculated based on
Cynara's privilege DB, which contains also per-user information of allowed
privileges.
It was agreed among security and platform teams that system daemons
have a statically defined list of GIDs/privileges that doesn't change
over time and also, that this list is the same regardless of the user type
(gumd defines various user types).
This patch changes meaning of per-user-type policy files and Cynara's
per-user-type policy buckets. From now on, the Cynara policy for given user
is applicable as-is only for that user's applications. The user-level
& system-level daemons that may run with "User", "System" or "System::Privileged"
Smack labels no longer have their policy consulted with Cynara.
Instead, they are being given all the privilege-mapped GIDs, with the exception
of GIDs that can be mapped to:
http://tizen.org/privilege/internal/livecoredump (priv_livecoredump)
http://tizen.org/privilege/internal/sysadmin (currently no GID associated)
These privileges are used by system team to control inter-service
access to certain DBus interfaces and if any GID is associated with them,
that GID should not be granted by nss plugin. Instead, that GID should
be added as supplementary group of particular service that should be granted
corresponding privilege (i.e. using systemd service file or by assigning GID
as supplementary to UID under which the service is running).
When systemd SupplementaryGroup option in service files will be used
to declare all "privileges" for all services, the security-manager nss plugin
will not be needed anymore.
Change-Id: I8da6385cfaf502cfd6117b3805e5986ae3c28b80
Dariusz Michaluk [Wed, 29 Jan 2020 16:47:48 +0000 (17:47 +0100)]
Fix Svace defect, remove unreachable statement.
Change-Id: I0bd14456de4e8b54e1753dfa8be2cf8d0b1b5217
Konrad Lipinski [Thu, 19 Dec 2019 14:44:33 +0000 (15:44 +0100)]
Refactor macro usage within CheckProperDrop::checkThreads()
Change-Id: Iadef9bacd076a666d8a527e79165b01cf2daf544
Tomasz Swierczek [Thu, 23 Jan 2020 07:04:14 +0000 (08:04 +0100)]
Release 1.5.18
* prepare_app optimization
Change-Id: Ie25de8f2cd3c345769267b15efe6e02a840a0ed6
Konrad Lipinski [Thu, 19 Dec 2019 14:44:33 +0000 (15:44 +0100)]
db: drop redundant IsPackageSharedRO query
Change-Id: I90273f0f48290930c275685480627701e83bbc2a
Konrad Lipinski [Thu, 19 Dec 2019 14:44:33 +0000 (15:44 +0100)]
prepare_app: refactor supplementary group assignment
* use a stack array for syscalls
* stream forbiddenGroups = privilegedGroups \ allowedGroups instead of
privilegedGroups, making IPC thinner
Change-Id: I343af0052fd90f1ed4fd37d41b7b8c7a1a5a7858
Konrad Lipinski [Thu, 19 Dec 2019 14:44:33 +0000 (15:44 +0100)]
prepare_app: coalesce all client->mgr IPCs into one
Change-Id: I28398b36b9a14fd4e4d30570f15848a8f29c5ef1
Konrad Lipinski [Wed, 15 Jan 2020 17:32:10 +0000 (18:32 +0100)]
Make prepare_app_candidate faster
Change-Id: Ie875ff190aa032cbaa21e7ef9b72da98faf3b8b4
Konrad Lipinski [Wed, 15 Jan 2020 17:19:36 +0000 (18:19 +0100)]
prepare_app: optimize setupSharedRO
Change-Id: Ifb52a67a09122847c2241db3c86bf8c15bc69438
Konrad Lipinski [Wed, 15 Jan 2020 15:44:43 +0000 (16:44 +0100)]
prepare_app: simplify thread syncing
Change-Id: If78f4688d71213f06c525462cedb9d259f8d406b
Konrad Lipinski [Mon, 20 Jan 2020 12:16:09 +0000 (13:16 +0100)]
prepare_app: return errcode on CheckProperDrop failure
Change-Id: I3a8953650c1dcee4d2cbe6b4171cd2bb3e84993e
Konrad Lipinski [Tue, 21 Jan 2020 11:00:47 +0000 (12:00 +0100)]
Throw exception on failed config file read
Change-Id: I8b19bd1863f1df84ef3e10548be644e9632dcb5c
Zofia Grzelewska [Thu, 19 Dec 2019 16:59:51 +0000 (17:59 +0100)]
Don't copy socket events
Change-Id: If103f7800e202bbd6e27b472668ea7feba7dbf38
Konrad Lipinski [Wed, 15 Jan 2020 14:58:22 +0000 (15:58 +0100)]
Drop intermediate istringstream in ConfigFile::read()
Change-Id: Ib6a2017a39fb20576eccc766e289eaae8de65098
Konrad Lipinski [Wed, 15 Jan 2020 15:28:27 +0000 (16:28 +0100)]
Drop useless cap_clear() following cap_init()
"The initial value of all flags are cleared." (https://linux.die.net/man/3/cap_init)
Change-Id: I6f55acaf0676daca3befe3b37fb249902c59e91e
Konrad Lipinski [Wed, 15 Jan 2020 17:53:30 +0000 (18:53 +0100)]
Nanoooptimize mount-namespace.cpp
Change-Id: I8fce33fce888cff5f5bea416099346b36004ff30
Tomasz Swierczek [Fri, 17 Jan 2020 07:40:47 +0000 (08:40 +0100)]
Release 1.5.17
* Add even more gcc 9 fixes after Wall enabling
Change-Id: Iec7c4a8acd9a605364dbdd217a1e83fc6993d740
Tomasz Swierczek [Wed, 15 Jan 2020 09:46:03 +0000 (10:46 +0100)]
Add even more gcc 9 fixes after Wall enabling
Needed to disable -Wcast-function-type for service-thread.h file only.
service-thread.h will require some fundamental rework later.
Change-Id: If9d13dfe8e3ae78ac658a140e9582130e98e2b6a
Tomasz Swierczek [Thu, 9 Jan 2020 08:35:42 +0000 (09:35 +0100)]
Release 1.5.16
* Fix build for gcc 9
* Revert "Mark colour_log_formatter methods as override"
Change-Id: If053989e9f7aa8c4e9474483a3f0849c7f5fe5e3
Tomasz Swierczek [Wed, 8 Jan 2020 07:37:40 +0000 (08:37 +0100)]
Fix build for gcc 9
Change-Id: Iba39f4a644d5f676e8f1606bbc283efe97f2dd9c
Tomasz Swierczek [Mon, 23 Dec 2019 05:58:53 +0000 (06:58 +0100)]
Revert "Mark colour_log_formatter methods as override"
This reverts commit
31bba785d8f2c84207f68e862751ec5fc421c2c5.
With older versions of boost, build-time errors occur with this patch
(marked 'override', but does not override).
Change-Id: I1dff4b41703a2896de60c1dbae82536f83636c04
Dariusz Michaluk [Fri, 20 Dec 2019 08:20:42 +0000 (09:20 +0100)]
Release 1.5.15
* Remove duplicated mount namespace setup
* Skip mount namespace setup specific to privacy privileges
* Enhance few logs around application launching.
* Add http://tizen.org/privilege/internal/livecoredump and disable it for non-applications
* Add user context to fetching tzplatform_config variable
* Mark colour_log_formatter methods as override
* Make colour_log_formatter compatible w/ boost 1.70
Change-Id: Icd275c4b19043a3251336cf26a13dd8492f981c1
Dariusz Michaluk [Tue, 17 Dec 2019 14:37:22 +0000 (15:37 +0100)]
Remove duplicated mount namespace setup
When security_manager_prepare_app() is called twice by multi-process app zygote,
mount namespace setup is duplicated.
This solution has race condition, but inter process synchronization
adds more overhead than benefits.
Change-Id: I92b9bead82c8caf3522b483a662e7a837f67a311
Dariusz Michaluk [Tue, 17 Dec 2019 17:54:40 +0000 (18:54 +0100)]
Skip mount namespace setup specific to privacy privileges
In case of empty privacy privilege to filesystem path mapping (privilege-mount.list file)
we can skip mount namespace setup specific to privacy privileges.
Change-Id: I7f1f4ef8e5f0614d7b232529f4ff665c2dfeaf5f
Tomasz Swierczek [Wed, 18 Dec 2019 07:19:32 +0000 (08:19 +0100)]
Enhance few logs around application launching.
It was reported that some checks during our launching could be more verbose
and informative about what is going on. Added few more sentences to clearly
state if application process is improperly setup and why.
Change-Id: I47d6578dceff957cf76aa8ee690420d5a5cc9d7f
Karol Lewandowski [Wed, 13 Nov 2019 10:44:11 +0000 (11:44 +0100)]
Add tizen.org/privilege/internal/livecoredump and disable it for non-applications
This commit adds new privilege for triggering coredump from running (live)
process. The coredump can contain private information so additional security
measures are needed to disallow all system services from requesting livedump
for any process.
The functionality is supposed to be used by a (verified and approved) set of
processes only.
To implement this the privilege is provided in disabled state - no system service
gets it automatically. To use it one has to add membership to priv_livecoredump
group (or supplementary group).
Change-Id: I3c6664b3befae0a572ef263b94b39e0cec7fce04
Zofia Grzelewska [Fri, 29 Nov 2019 17:39:52 +0000 (18:39 +0100)]
Add user context to fetching tzplatform_config variable
Change-Id: I45cbea2d73d5c5fd3079df6f0925a8250eb005c4
Konrad Lipinski [Tue, 10 Dec 2019 14:04:37 +0000 (15:04 +0100)]
Mark colour_log_formatter methods as override
Change-Id: I321149df1a390be56bf9a3ee1bcf83b726a01dc8
Konrad Lipinski [Tue, 10 Dec 2019 13:37:08 +0000 (14:37 +0100)]
Make colour_log_formatter compatible w/ boost 1.70
Change-Id: I58a52805d98b3571662cc36aec9b170272012671
Tomasz Swierczek [Thu, 28 Nov 2019 10:26:12 +0000 (11:26 +0100)]
Release 1.5.14
* Add SharedRO skel path labelling when labeling any dir as SharedRO
* Add release script
* Label package base paths for SHARED_RO bind mounting
* Label SHARED_RO directory under symlink
* Add new $APP_HOME/.shared/$PKG_NAME dir to legal paths
* Implement SharedRO with mount namespace
* Remove package generated SharedRO rules
Change-Id: Iefa023963d135c29aef636d223a31419ed9115d2
Tomasz Swierczek [Wed, 27 Nov 2019 05:58:05 +0000 (06:58 +0100)]
Add SharedRO skel path labelling when labeling any dir as SharedRO
security-manager relies on specific path layout for SharedRO mount points.
This patch adds labeling of skel subdirs for given package, if these exist.
Change-Id: Id8e3b0986eff47bc628849fcc6d51fa6176cde54
Zofia Grzelewska [Wed, 20 Nov 2019 13:04:25 +0000 (14:04 +0100)]
Add release script
Change-Id: I199a2333c989bed23a8eee47a5ba9b645363fd2d
Zofia Grzelewska [Tue, 12 Nov 2019 14:27:11 +0000 (15:27 +0100)]
Label package base paths for SHARED_RO bind mounting
Label $APP_HOME/.shared/$PKG_NAME and $APP_HOME/.shared/$PKG_NAME
paths with "User::Home" to allow bind mount in application context.
Change-Id: Ib19de4e87766f5a313f1e5e0542e1da8b30f8a40
Zofia Grzelewska [Mon, 4 Nov 2019 16:41:27 +0000 (17:41 +0100)]
Label SHARED_RO directory under symlink
SharedRO directories from previous implementation
are now symlinks pointing to new SharedRO directories.
This commits assures, that all contents under this symlink
are properly labeled.
Change-Id: I672aaf38ffca3ed6608d9c0aaa2ad7253df16349
Zofia Grzelewska [Thu, 10 Oct 2019 15:34:34 +0000 (17:34 +0200)]
Add new $APP_HOME/.shared/$PKG_NAME dir to legal paths
Add new SharedRO directory for bind mount implementation
of SharedRO.
Change-Id: Ie8dc40234b2cbdef7cb788e8883ef9508abb59bf
Dariusz Michaluk [Wed, 29 May 2019 14:35:21 +0000 (16:35 +0200)]
Implement SharedRO with mount namespace
Perform three bind mounts to implement SharedRO
policy.
Change-Id: Ib30cf1537bdb1357ef53b77ead52a00b469566d1
Dariusz Michaluk [Wed, 29 May 2019 11:18:40 +0000 (13:18 +0200)]
Remove package generated SharedRO rules
Remove SharedRO rules and labels generated from
package name and replace them with "User::App::Shared".
Change-Id: I8d164be27e1d91dbf8787906a4aa083a63b4a1b7
Tomasz Swierczek [Wed, 13 Nov 2019 05:34:45 +0000 (06:34 +0100)]
Release 1.5.13
* Add fsync after DB recovery.
Change-Id: I0dab12f010f35af2c32ec949a83a06202ded5ad8
jin-gyu.kim [Wed, 6 Nov 2019 05:42:21 +0000 (14:42 +0900)]
Add fsync after DB recovery.
To ensure the safety of the file, add fsync in security-manager-rules-loader.
Change-Id: I7de479c92f090d20d4f32d1147e803111eab85cd
Yunjin Lee [Fri, 11 Oct 2019 07:31:17 +0000 (16:31 +0900)]
Release 1.5.12
* Add core privileges: securesysteminfo and voicecontrol.tts
Change-Id: Ib0c157382df418323a0a2c2ff4d5263baa68d5a3
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Yunjin Lee [Fri, 11 Oct 2019 05:51:52 +0000 (14:51 +0900)]
Add core privileges: securesysteminfo and voicecontrol.tts
- securesysteminfo: This privilege allows app to read non-resettable
secure device information such as IMEI.
- voicecontrol.tts: This privilege allows app to request voice control
engine to synthesize text to speech using its own voice.
Change-Id: I8eb1c6bb38efe07cf4d8b3262e81b4279a6b2ea9
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Krzysztof Jackiewicz [Wed, 9 Oct 2019 08:55:09 +0000 (10:55 +0200)]
Release 1.5.11
* Do not fail NS worker action if mount point doesn't exist
* Refactor service_impl.cpp
Change-Id: If8a0fd4ef2c4669da6087fcafc136ee19a74cd50
Tomasz Swierczek [Tue, 1 Oct 2019 11:05:53 +0000 (13:05 +0200)]
Do not fail NS worker action if mount point doesn't exist
This mimics actions taken at app launch, where privileges
defined for nonexisting mount points are not causing
the launch to be failed.
Change-Id: I4e8f14452d379ee86efc31412aa940a4aa67b463
Tomasz Swierczek [Mon, 23 Sep 2019 08:30:48 +0000 (10:30 +0200)]
Refactor service_impl.cpp
Moved static functions to separate file in SecurityManager namespace.
This should improve module's SAM score.
Change-Id: I33eb34068072d1c52f3331ea8b8ca667657fef21
Tomasz Swierczek [Tue, 3 Sep 2019 04:43:03 +0000 (06:43 +0200)]
Release 1.5.10
* Disable http://tizen.org/privilege/internal/sysadmin for non-applications
Change-Id: I274bdbac2b70a970f11d8f20c3aa2b0b70bb8ac9
Tomasz Swierczek [Wed, 28 Aug 2019 09:14:15 +0000 (11:14 +0200)]
Disable tizen.org/privilege/internal/sysadmin for non-applications
By default, system (&user-session) services were granted access to all privileges.
As we work towards fine-grained access control for system services, we need
to disable granting all privileges for services.
This 1st experimental step disables the sysadmin privilege, to be used
to control access to activationd daemon.
For internal applications, sysadmin privilege will be used in manifests, so
Cynara will be able to find exact match for applications' Smack label
in its manifest bucket; for policy evaluation to return success in such case,
all that is needed is the addition of this new privilege to user-types whitelists
(*.profile files).
For system services, access control to activationd will be limited
to list of user-IDs listed in DBus policy, hence the privilege can't
be automatically enabled for processes with labels User, System & System::Privileged.
For user-session services, this privilege will not be used at the moment.
The (possible) target solution for providing per-service access control
can be based on supplementary groups defined in systemd service files
(or applied as a consequence of cynara policy by security-manager nss plugin).
However, using supplementary groups with DBus policy is not possible at the moment
as both the kernel and DBus will have to be patched to use SO_PEERGROUPS (1)
(1) : https://www.spinics.net/lists/netdev/msg441568.html
Change-Id: Ie41a60d67d39c49b1ed6a49e0c17b9e5d2dabd86
Tomasz Swierczek [Fri, 23 Aug 2019 06:08:40 +0000 (08:08 +0200)]
Release 1.5.9
* Fix for synchronization of per-thread mount namespace setup
* Add check for proper synchronization of threads namespaces
* Fix licence comments in source code files
Change-Id: Iaf0352154b51ef33980f5a100d1891105cc4eb2e
Tomasz Swierczek [Wed, 21 Aug 2019 06:48:15 +0000 (08:48 +0200)]
Fix for synchronization of per-thread mount namespace setup
According to manual (1):
A process may not be reassociated with a new mount namespace
if it is multithreaded.
Also, unshare system call (2) is only creating new namespace
for the caller thread. This means that application candidate
processes that have more than 1 thread are doomed to always have
some threads still in the main mount namespace, without
enforcement of privilege policy connected to mount namespaces.
This renders the mount-namespace-based access control a bad solution.
This patch introduces a special API call to be used by app launchers
just to prepare app candidate processes. This API call doesn't take
any arguments - it just checks if mount-namespaces are enabled
and if yes, just calls unshare(), checking beforehand if the process
has only one thread.
(1) : http://man7.org/linux/man-pages/man2/setns.2.html
(2) : http://man7.org/linux/man-pages/man1/unshare.1.html
Change-Id: I82aefca3d5eb4915041df99ff0313896cbc769cb
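As an added illustration of the single-thread constraint described in this commit and of the error-handling rule from "Do not ignore EACCES (and other errors) while getting threads info" (example code, not security-manager's own implementation), the C helper below counts the caller's threads via /proc/self/task with explicit error propagation and calls unshare(CLONE_NEWNS) only when exactly one thread exists. Function names are assumptions; ENOENT on a per-thread entry is treated as a thread that exited during the scan, while any other error (e.g. EACCES) is returned to the caller instead of being skipped.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Count the live threads of the calling process by enumerating
 * /proc/self/task. Each entry's status file is opened so that a missing
 * thread (ENOENT: it exited between readdir and open) is tolerated, while
 * any other failure is returned as -errno rather than silently ignored.
 * Hypothetical helper, not the CheckProperDrop code of security-manager. */
int count_own_threads(void)
{
    DIR *dir = opendir("/proc/self/task");
    if (!dir)
        return -errno;

    int count = 0, err = 0;
    struct dirent *ent;
    errno = 0;
    while ((ent = readdir(dir)) != NULL) {
        if (ent->d_name[0] == '.')          /* skip "." and ".." */
            continue;
        char path[64];
        snprintf(path, sizeof path, "/proc/self/task/%s/status", ent->d_name);
        int fd = open(path, O_RDONLY | O_CLOEXEC);
        if (fd < 0) {
            if (errno == ENOENT) {          /* thread already gone: not an error */
                errno = 0;
                continue;
            }
            err = errno;                    /* EACCES and friends: report it */
            break;
        }
        close(fd);
        count++;
        errno = 0;                          /* so a readdir() failure is detectable */
    }
    if (err == 0 && errno != 0)
        err = errno;                        /* readdir() itself failed */
    closedir(dir);
    return err ? -err : count;
}

/* Policy from the commit message: unshare(CLONE_NEWNS) only moves the calling
 * thread and setns() refuses multithreaded processes, so a new mount
 * namespace is only entered by a process with exactly one thread. */
int may_enter_mount_namespace(int thread_count)
{
    return thread_count == 1;
}

/* Prepare an app candidate process: enter a fresh mount namespace if the
 * process is single-threaded. Returns 0 on success, -EBUSY when other threads
 * would be left behind in the old namespace, or -errno from the failed
 * syscall (unshare needs CAP_SYS_ADMIN, so unprivileged runs get -EPERM). */
int prepare_app_candidate_mount_ns(void)
{
    int threads = count_own_threads();
    if (threads < 0)
        return threads;
    if (!may_enter_mount_namespace(threads))
        return -EBUSY;
    if (unshare(CLONE_NEWNS) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    int r = prepare_app_candidate_mount_ns();
    if (r == 0)
        printf("entered a new mount namespace\n");
    else
        printf("refused or failed: %s\n", strerror(-r));
    return r == 0 ? 0 : 1;
}
```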