platform/core/security/security-manager.git
6 years ago Make spec compliant with gbs --incremental 51/183551/1
Konrad Lipinski [Fri, 6 Jul 2018 10:39:14 +0000 (12:39 +0200)]
Make spec compliant with gbs --incremental

According to [1], %prep section of the spec file should contain a single
%setup macro, nothing else. According to [2], manifest files are best
copied to %{buildroot}%{_datadir} in the %install section.

Moved manifest copy operations from %prep to %install accordingly.

As a byproduct, got a warning about an installed but unpackaged file:
  security-manager-tests.manifest
Corrected the '%files -n security-manager-tests' accordingly by spelling
out the file name verbatim.

References
[1] https://source.tizen.org/documentation/reference/git-build-system/usage/gbs-build
[2] https://wiki.tizen.org/Security/Application_installation_and_Manifest

Change-Id: I29beaccfc83ae65698833696497c0f8791651ffc

6 years ago Add TZ_SYS_MEDIASHARED to privilege-mount.list 93/167693/3
jin-gyu.kim [Fri, 19 Jan 2018 07:51:10 +0000 (16:51 +0900)]
Add TZ_SYS_MEDIASHARED to privilege-mount.list

TZ_SYS_MEDIASHARED is also controlled under mediastorage priv.
Therefore, adding TZ_SYS_MEDIASHARED for default list.
By the way, "/opt/usr/media" is not needed here.
It is bind-mounted from "TZ_USER_CONTENT", can cover "/opt/usr/media" also.

Change-Id: I4a9a4688632243998a9d4ab9ace73e6743d67cde

6 years ago Change log message in realPath 18/182618/5
akoszewski [Tue, 26 Jun 2018 12:43:14 +0000 (14:43 +0200)]
Change log message in realPath

Change log message in realPath function from error to warning

Change-Id: I33adac5cc32b3ac36bb521d6825c59a14926575d

6 years ago Make server keep its original log tag 83/170283/4
Krzysztof Jackiewicz [Fri, 16 Feb 2018 15:55:03 +0000 (16:55 +0100)]
Make server keep its original log tag

Server uses Group2Gid to map group names to gids. Group2Gid calls getgrent
which uses nss which loads (but doesn't call) nss_securitymanager plugin which
loads security-manager-client which sets the log tag to SECURITY_MANAGER_CLIENT
upon loading.

Don't set log tag in client library if it has been set before.

Change-Id: I6d5469903f88c3f561c3a0737bcba0b61446b093

6 years ago Fix hybrid pkg uninstallation 28/182128/1
Tomasz Swierczek [Wed, 20 Jun 2018 12:31:59 +0000 (14:31 +0200)]
Fix hybrid pkg uninstallation

Removal of last app in pkg removed also pkg information from DB.
This meant that subsequent Cynara policy removal could not calculate
proper Smack label of the app, hence not removing policy & keeping
artifacts in Cynara DB.

Change-Id: Ib647b16f5e0d46e4f31bbaa7b823f04071e827d7

6 years ago Release 1.4.2 05/182105/1 accepted/tizen/unified/20180621.141343 submit/tizen/20180620.121515
Tomasz Swierczek [Wed, 20 Jun 2018 09:10:47 +0000 (11:10 +0200)]
Release 1.4.2

* Adjust build to boost 1.65.1
* Add detection of bad sizes/lengths of deserialized containers
* Add protection against leaking memory during deserialization

Change-Id: I2d33c46a555e181628f0ba115ee353fa0843685c

6 years ago Adjust build to boost 1.65.1 31/181931/3
Tomasz Swierczek [Tue, 19 Jun 2018 05:02:21 +0000 (07:02 +0200)]
Adjust build to boost 1.65.1

Change-Id: I51af6f76f114b8b997f1e1d1bdc5c452ac236533

6 years ago Add detection of bad sizes/lengths of deserialized containers 08/181508/2
Tomasz Swierczek [Thu, 14 Jun 2018 09:41:16 +0000 (11:41 +0200)]
Add detection of bad sizes/lengths of deserialized containers

Change-Id: I1b2dcf494f8ee48a39009710bb02a7222c67ee00

6 years ago Add protection against leaking memory during deserialization 07/181507/2
Tomasz Swierczek [Thu, 14 Jun 2018 08:41:26 +0000 (10:41 +0200)]
Add protection against leaking memory during deserialization

Change-Id: Ie4e2b4fed97e73368554d779f3cb83c2678dcdfc

6 years ago Release 1.4.1 94/179294/1 accepted/tizen/unified/20180518.060531 submit/tizen/20180517.074158
jin-gyu.kim [Thu, 17 May 2018 04:18:17 +0000 (13:18 +0900)]
Release 1.4.1

* Refactoring/removing unnecessary branches
* Add %build in spec file
* Fix mount namespace setup in case of multiple apps in one pkg

Change-Id: I4a1e7f7d88360c3d523421e697f7c15c560bcc42

6 years ago Fix mount namespace setup in case of multiple apps in one pkg 96/179096/2
Dariusz Michaluk [Tue, 15 May 2018 16:00:01 +0000 (18:00 +0200)]
Fix mount namespace setup in case of multiple apps in one pkg

Change-Id: I1da757ba4ab40b47e9935ab1981df272ab8a4e5e

6 years ago Add %build in spec file 56/177356/1
Tomasz Swierczek [Fri, 27 Apr 2018 08:54:08 +0000 (10:54 +0200)]
Add %build in spec file

It's needed to prepare debug packages in mobile environment.

Change-Id: Ic3f3fec05aa2e8f37c52f91d8398db115d8ca63c

6 years ago Refactoring/removing unnecessary branches 64/177264/2
Tomasz Swierczek [Thu, 26 Apr 2018 12:29:40 +0000 (14:29 +0200)]
Refactoring/removing unnecessary branches

Removal of unnecessary checking of old package hybrid status
& removal of not needed conditional branch in cynara.cpp

Change-Id: Ibceca51adcb94279ab9c3fce3a6521879cfeacd4

6 years ago Release 1.4.0 67/177067/1 accepted/tizen/unified/20180426.062540 submit/tizen/20180425.085250
Tomasz Swierczek [Wed, 25 Apr 2018 04:37:52 +0000 (06:37 +0200)]
Release 1.4.0

* New API: app_update (allows ie. is_hybrid flag change during app upgrade)

This release changes numbering to differentiate older branches of code.

This branch will continue to use 1.4.X numbering while older versions
will continue to use 1.3.X numbering (for bugfixes/maintenance).

Change-Id: I27231012b22de42f875f99e3b2ec9174cf97e2e9

6 years ago Allow is_hybrid flag change during app upgrade 47/174147/11
Pawel Kowalski [Wed, 28 Mar 2018 12:01:35 +0000 (14:01 +0200)]
Allow is_hybrid flag change during app upgrade

The patch includes:
- Update of database to v13
- Split appInstall and appUninstall functions into separate
  smaller functions dedicated to updates of subsequent modules:
  Cynara, Privilege DB and Smack (refactoring)
- Add the appUpdate function and the API function
  security_manager_app_update for updates that allow to change the
  hybridity of the package
- Add modifications to allow the change of the app Smack label
  (now in functions calculatePolicicies and updateAppPolicies it is
  possible to give both old and new Smack labels)

Change-Id: I6e22e2750ae7982750acc9212dc14808d8ff6ecd

6 years ago Release 1.3.3 60/175160/1 accepted/tizen/unified/20180411.065549 submit/tizen/20180410.055541
Yunjin Lee [Thu, 5 Apr 2018 04:25:27 +0000 (13:25 +0900)]
Release 1.3.3

* Add core privilege voicecontrol.manager, softap and softap.admin

Change-Id: I62d6a8afea6245954cec2ccadc6705f7276e5aba
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

6 years ago Add core privilege voicecontrol.manager, softap and softap.admin 13/174813/2
Yunjin Lee [Wed, 4 Apr 2018 08:47:47 +0000 (17:47 +0900)]
Add core privilege voicecontrol.manager, softap and softap.admin

Change-Id: I01779a1b0c06d19c243cc54ebfb66595cf1961a9
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

6 years ago Release 1.3.2 10/174810/1 accepted/tizen/unified/20180409.100011 submit/tizen/20180402.232840 submit/tizen/20180408.231339
Tomasz Swierczek [Wed, 4 Apr 2018 08:24:51 +0000 (10:24 +0200)]
Release 1.3.2

* Fix build error regarding to Cmake upgrade

Change-Id: I9fae9e6a3407ab92cd7621b9f97260bc2468d7f9

6 years ago Fix build error regarding to Cmake upgrade 39/174739/2
Taejin Woo [Fri, 16 Mar 2018 06:00:45 +0000 (15:00 +0900)]
Fix build error regarding to Cmake upgrade

Change-Id: I77f6f7822be072a7d3c44a8a5f7caf82674fdf29

6 years ago Release 1.3.1 94/171294/2 accepted/tizen/unified/20180302.155607 submit/tizen/20180301.132352
Tomasz Swierczek [Wed, 28 Feb 2018 08:59:52 +0000 (09:59 +0100)]
Release 1.3.1

* Allow application to fetch its own manifest
* Add get_app_manifest_policy API
* Database Performance Test
* license-manager-agent: fix memory leak

Change-Id: Ie7112eebd88f9fd2c9a5908a81084f4ca0aab737

6 years ago Allow application to fetch its own manifest 13/171313/1
Zofia Grzelewska [Wed, 28 Feb 2018 16:10:19 +0000 (17:10 +0100)]
Allow application to fetch its own manifest

security_manager_get_manifest_policy didn't allow application
to fetch its own manifest in case of global application run in
unprivileged user context. This is required for PPM API to work
properly.

Change-Id: Ib5c72f2b3fdea170b1eb51e4d0ed4d7c31f293b9

6 years ago Add full get_app_manifest_policy API implementation 95/169995/7
Tomasz Swierczek [Mon, 12 Feb 2018 15:41:36 +0000 (16:41 +0100)]
Add full get_app_manifest_policy API implementation

Connected serviceImpl methods to IPC to provide fully functional
get_app_manifest_policy API

Change-Id: I7d94d15771330ca2352d3885698361ba8bc557a1

6 years ago Add serviceImpl of getAppManifestPolicy function 94/169994/4
Tomasz Swierczek [Mon, 12 Feb 2018 15:13:23 +0000 (16:13 +0100)]
Add serviceImpl of getAppManifestPolicy function

Method to be used as implementation of security_manager_get_app_manifest_policy function

Change-Id: I897187234222d0fb17a70a20983492a91072bca7

6 years ago API prototypes for checking app manifest policy 88/169988/4
Tomasz Swierczek [Mon, 12 Feb 2018 11:29:04 +0000 (12:29 +0100)]
API prototypes for checking app manifest policy

API needed for askuser/privacy privilege manager modules
to recognize if privilege was declared by manifest or not

Change-Id: Ica847792db05177d8afa17dde919590b6dde0636

6 years ago Database Performance Test 43/143843/27
Ernest Borowski [Fri, 11 Aug 2017 11:10:24 +0000 (13:10 +0200)]
Database Performance Test

Tests are measuring performance loss when Apps count increase
Tests are measuring: Adding app, Removing app, Adding Privileges for app

Change-Id: Ia091c67a9e36f499ada7194d6d751ffe511a981c
Signed-off-by: Ernest Borowski <e.borowski@partner.samsung.com>

6 years ago license-manager-agent: fix memory leak 01/168601/1
Rafal Krypa [Mon, 29 Jan 2018 13:17:54 +0000 (14:17 +0100)]
license-manager-agent: fix memory leak

Data allocated by cynara_agent_get_request() must be freed with the
free() function.

Change-Id: Ifedeebfd82d06217c833145e298c36c4b3f2cc34

6 years ago Release 1.3.0 54/167454/3 accepted/tizen/unified/20180119.133741 submit/tizen/20180117.202200
Rafal Krypa [Wed, 17 Jan 2018 18:38:14 +0000 (19:38 +0100)]
Release 1.3.0

* Fix MountNS::isPathBound()
* Fix NSMountLogic in case when user has no running applications
* Identify apps by Smack label instead of appName in NSMountLogic
* During application start, privileged directory enforced by bind mount may be missing
* client: do not add application process to hardcoded groups
* Add core privilege: devicecertificate
* Monitor mount/umount events on the system and update app mount namespaces
* Refactoring: make NSMountLogic class responsible for Channel and MntMonitor
* Add security_manager_cleanup_app() API
* Change license-manager package name
* Add explicit dependency on libnss-security-manager
* Fix API for freeing policy entries
* Refactor security_manager_create_namespace_internal()
* Refactor security_manager_prepare_app()
* Optimize tracking of application mount namespace

Change-Id: I2df2ed1298655a46aa23ebb9d9dbd3a4690886b7
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

6 years ago Optimize tracking of application mount namespace 50/167450/4
Rafal Krypa [Fri, 12 Jan 2018 12:53:33 +0000 (13:53 +0100)]
Optimize tracking of application mount namespace

Instead of bind-mounting mount namespace descriptor of application during
security_manager_prepare_app, make a symlink to it. It will make it much
faster and avoid triggering internal mount watcher that tries to update
bind mounts. It is assumed that children processes of the main application
process will never live longer than the main app process itself. This is
supposedly guaranteed by the app framework.

Change-Id: I9fcbdd670278c3884ea4a703e934065608c2fed0
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

6 years ago Restore mediastorage/externalstorage privilege to group mapping 10/167410/5
Dariusz Michaluk [Wed, 17 Jan 2018 11:05:07 +0000 (12:05 +0100)]
Restore mediastorage/externalstorage privilege to group mapping

Change-Id: I04206d26566f37f0b78e6e19c56c1dbb51caacfe

6 years ago Refactor security_manager_prepare_app() 69/166969/5
Dariusz Michaluk [Fri, 12 Jan 2018 11:09:32 +0000 (12:09 +0100)]
Refactor security_manager_prepare_app()

This change reduces the number of IPCs and SQL queries needed to smack label generation.
The goal is to reduce the application start time.

Change-Id: I2871a51b663b300836459b834d968f2d15cd47e0

6 years ago Refactor security_manager_create_namespace_internal() 57/166757/4
Dariusz Michaluk [Thu, 11 Jan 2018 15:39:44 +0000 (16:39 +0100)]
Refactor security_manager_create_namespace_internal()

This change reduces the number of IPCs and SQL queries needed to setup mount namespace.
The goal is to reduce the application start time.

Change-Id: Ib6ee820f097f07add9228346cd9a191abb16a97c

6 years ago Major Fix : Fix API for freeing policy entries 43/162643/4
Zofia Grzelewska [Mon, 4 Dec 2017 12:51:08 +0000 (13:51 +0100)]
Major Fix : Fix API for freeing policy entries

security_manager_policy_entries_free was supposed
to free table of pointers to policy_entry, but was
implemented improperly. Because function had wrong
signature (taking pointer to structure instead of
pointer of table) and without change, it causes double
free and not using proper function results in memory leak,
this function has to be changed, thus breaking the ABI.

Change-Id: I6d285c04eb1a77f5492c10d6709d0f47ebdd36f1

6 years ago Add explicit dependency on libnss-security-manager 84/162484/3
Rafal Krypa [Wed, 17 Jan 2018 17:35:42 +0000 (18:35 +0100)]
Add explicit dependency on libnss-security-manager

Make sure that the nss plugin gets installed to properly support
privileges enforced by gids to non-application processes.

Change-Id: I7f95503c71a2fbf18df24df7e07d8d12a4d17a3f
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

6 years ago Change license-manager package name. 59/167359/1
jin-gyu.kim [Wed, 17 Jan 2018 07:11:36 +0000 (16:11 +0900)]
Change license-manager package name.

There could be naming conflicts with another package.
Therefore, change as security-license-manager.
Also, add explicit dependency with this name to install properly.

Change-Id: Iee0853b3191cd19361fc5b0c9b95509b0addad01

6 years ago Add security_manager_cleanup_app() API 35/164335/5
Dariusz Michaluk [Mon, 18 Dec 2017 15:41:00 +0000 (16:41 +0100)]
Add security_manager_cleanup_app() API

This function is intended for launchers for cleaning security context for an
application process. It should be called after application termination.

Change-Id: I93de1d4aad4f9ea7d2e70dff95e173677be80426

6 years ago Refactoring: make NSMountLogic class responsible for Channel and MntMonitor 12/164112/5
Rafal Krypa [Fri, 15 Dec 2017 08:25:25 +0000 (09:25 +0100)]
Refactoring: make NSMountLogic class responsible for Channel and MntMonitor

NSMountLogic class will now be solely responsible for making updates to
mount namespaces of running applications. Its single instance will be
persistent in ServiceImpl class. NSMountLogic now owns Channel for
communicating with the Worker process and sends requests for mount updates.
It also listens to mount events from MntMonitor and sends appropriate
requests to worker.

All required synchronization should be done in NSMountLogic.
NSMountLogic::check() method needs to be thread-safe because it may be
called concurrently from ServiceImpl and from MntMonitor thread.

Change-Id: I8cb4be25e5f9c8da4360d7ddff34993836f9f169
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

6 years ago Monitor mount/umount events on the system and update app mount namespaces 12/164012/6
Rafal Krypa [Thu, 14 Dec 2017 14:20:18 +0000 (15:20 +0100)]
Monitor mount/umount events on the system and update app mount namespaces

It is possible that file system path that has access guarded by a privilege
is not available when application starts, but becomes available later.
The reason for this is because a parent directory containing such path
may be a mount point that is not yet mounted at the time when application
starts.

If the application doesn't hold privilege to the directory in question,
it should have a dummy, empty directory mounted over that path. But this
cannot be done properly when application starts and the privileged directory
is not yet available.

Later, while application is running, the parent mount point may be mounted.
This mount will be propagated to mount namespaces of all running applications.
Then the applications that do not hold the required privilege will be able
to access privileged directory in that mount points, because dummy bind
mount wasn't done.

This patch implements a watcher keeping track of mount/unmount events in
the system. When such event is detected, mount namespaces of all running
applications will be reevaluated. If a privileged directory shows up in
mount namespace of an already running application and the application doesn't
hold required privilege, the directory will be hidden from the app.

Change-Id: Idb7044d764a620b64666bfa5e6b1724b504866f0
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

6 years ago Add core privilege: devicecertificate 22/165622/1
Yunjin Lee [Wed, 3 Jan 2018 01:49:45 +0000 (10:49 +0900)]
Add core privilege: devicecertificate

- Refers to: https://review.tizen.org/gerrit/#/c/165621/

Change-Id: I74518afab72d31acabde8b80f9c31f6cfdbff095
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

6 years ago client: do not add application process to hardcoded groups 88/164488/4
Rafal Krypa [Tue, 19 Dec 2017 09:00:15 +0000 (10:00 +0100)]
client: do not add application process to hardcoded groups

Initial implementation of privilege enforcement with mount namespaces
included client code that added all application processes to hardcoded
set of groups: priv_externalstorage and priv_mediastorage.
This is wrong. Enforcement of privileges by either groups or mount
namespaces is to be configured in respectively privilege-group.list and
privilege-mount.list. Application process should be added to a group
if and only if it holds a privilege that is configured to be enforced
with a group. Similarly proper mounts and umounts will be done in application
mount namespace based on privilege status.
There is no need to hardcode groups. If a privilege is enforced with mount
namespace, it should not require additional group assignment. If it used
to be enforced with a group, but it has been switched to enforcement with
mount, filesystem permissions need to be adjusted, not security-manager code.

Privileges mediastorage and external storage are now enforced with bind
mounts. They are being removed from privilege-group mapping - combining
these two mechanisms is undesired.

Change-Id: I41204daa24329e8e9648b3ecb4e53d87c763b35b
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

6 years ago During application start, privileged directory enforced by bind mount may be missing 15/164015/4
Rafal Krypa [Thu, 14 Dec 2017 15:54:39 +0000 (16:54 +0100)]
During application start, privileged directory enforced by bind mount may be missing

When trying to prepare mount namespace for application process, check whether a
directory that requires privilege and should be bind mounted is missing. In such
case ignore it and continue preparation.

Change-Id: I08d5295440bb018d93295cb2817c643211b88c5f
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

6 years ago Identify apps by Smack label instead of appName in NSMountLogic 22/164022/3
Rafal Krypa [Thu, 14 Dec 2017 16:21:27 +0000 (17:21 +0100)]
Identify apps by Smack label instead of appName in NSMountLogic

NSMountLogic and Worker code used to take appName as application identifier
and then needed to translate it to Smack label. It was very awkward, because
such conversion needs access to PrivilegeDB in order to check hybrid status.

Now Smack label is being passed to that code right away, eliminating the
need for fetching Smack label.

Change-Id: I62c137ad08a5d7d271aa8d6adcb25e8bb56bdfe1
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

6 years ago Fix NSMountLogic in case when user has no running applications 11/164011/2
Rafal Krypa [Thu, 14 Dec 2017 15:35:11 +0000 (16:35 +0100)]
Fix NSMountLogic in case when user has no running applications

In some cases directory /run/user/UID/ may exist, but /run/user/UID/apps/
might not. Such case was incorrectly handled in NSMountLogic::readFiles(),
it caused an exception to be thrown.

Fixed implementation first checks whether directory exists before trying
to read it.

Change-Id: Ibae0415eac066672d50cf184d82aa3f53c7efdf0
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

6 years ago Fix MountNS::isPathBound() 04/164704/1
Rafal Krypa [Wed, 20 Dec 2017 08:10:19 +0000 (09:10 +0100)]
Fix MountNS::isPathBound()

Previous implementation of the method checking whether given source path
is bind-mounted on a given destination path was unreliable.
By careless pattern matching in /proc/self/mountinfo it could easily
return false positive (determine that bind mount exists when it doesn't)
or false negative (say that bind mount doesn't exist when it does).

New implementation relies on calling lstat() on both paths and comparing
results. If both paths have the same ID of containing device and the same
inode number, they are considered to be bind mounted.

Change-Id: I63386dd44f2c1d114705b93a76993a9bc812a90d
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
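
The lstat() comparison described in the commit message above, written out as an added example; it is not the project's MountNS::isPathBound() code, and the names isPathBoundExample, BindCheck, DemoResult and runConstructedDemo are hypothetical. Real bind mounts need privileges, so the constructed fixture exercises the same device/inode comparison on a directory against itself, a second directory, a symlink, a hard link and a missing path.

```cpp
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <cstdio>
#include <cstdlib>
#include <string>

enum class BindCheck { Bound, NotBound, Error };

// Hypothetical helper: two paths are treated as the same filesystem object
// when lstat() reports the same containing-device ID and inode number.
// lstat() does not follow a symlink in the last path component, so a symlink
// pointing at the source is reported as NotBound.
BindCheck isPathBoundExample(const std::string &src, const std::string &dst) {
    struct stat s {}, d {};
    if (lstat(src.c_str(), &s) != 0 || lstat(dst.c_str(), &d) != 0)
        return BindCheck::Error;  // missing path or no access: caller decides
    return (s.st_dev == d.st_dev && s.st_ino == d.st_ino) ? BindCheck::Bound
                                                          : BindCheck::NotBound;
}

struct DemoResult {
    bool fixtureOk = false;    // temp dir, two dirs and the symlink were created
    bool linkCreated = false;  // the hard link was created
    BindCheck samePath = BindCheck::Error;
    BindCheck otherDir = BindCheck::Error;
    BindCheck symlinkToSrc = BindCheck::Error;
    BindCheck hardLink = BindCheck::Error;
    BindCheck missing = BindCheck::NotBound;
};

// Constructed fixture under /tmp; everything it creates is removed again.
DemoResult runConstructedDemo() {
    DemoResult r;
    char tmpl[] = "/tmp/bindcheck.XXXXXX";
    if (!mkdtemp(tmpl)) return r;
    const std::string base(tmpl);
    const std::string a = base + "/a", b = base + "/b", sl = base + "/a-link";
    const std::string f = base + "/f", g = base + "/g";

    r.fixtureOk = mkdir(a.c_str(), 0700) == 0 && mkdir(b.c_str(), 0700) == 0 &&
                  symlink(a.c_str(), sl.c_str()) == 0;
    int fd = open(f.c_str(), O_CREAT | O_WRONLY, 0600);
    if (fd >= 0) close(fd);
    r.linkCreated = link(f.c_str(), g.c_str()) == 0;

    r.samePath = isPathBoundExample(a, a);       // same object
    r.otherDir = isPathBoundExample(a, b);       // same device, other inode
    r.symlinkToSrc = isPathBoundExample(a, sl);  // symlink has its own inode
    // Hard links to a regular file share device and inode too, so the
    // comparison cannot tell them from a bind mount; directories cannot be
    // hard-linked, which is the case the commit message is about.
    r.hardLink = isPathBoundExample(f, g);
    r.missing = isPathBoundExample(a, base + "/absent");

    unlink(g.c_str()); unlink(f.c_str()); unlink(sl.c_str());
    rmdir(b.c_str()); rmdir(a.c_str()); rmdir(base.c_str());
    return r;
}

int main() {
    const DemoResult r = runConstructedDemo();
    std::printf("same=%d other=%d symlink=%d hardlink=%d missing=%d\n",
                static_cast<int>(r.samePath), static_cast<int>(r.otherDir),
                static_cast<int>(r.symlinkToSrc), static_cast<int>(r.hardLink),
                static_cast<int>(r.missing));
    return 0;
}
```
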
6 years ago Release 1.2.30 17/163017/1 accepted/tizen/unified/20171207.124721 submit/tizen/20171207.025457
jin-gyu.kim [Thu, 7 Dec 2017 02:09:09 +0000 (11:09 +0900)]
Release 1.2.30

* Fix bugs found in the code by static analysis
* Fix the bug for clearing SharedRO Smack rules
* Fix the potential memory leak.
* security-manager-cmd: add new option "manage-privilege" for policy manipulation
* Add hybrid flag setting to security-manager-cmd
* Add ConfigFile class for run-time reading and parsing of config files
* Allow privilege enforcement with bind mounts to be configured
* Don't enable mount namespace code when the config file is missing or empty

Change-Id: I848d24b8cbbaa3e557722d9a0665f9c3a984c7fb

6 years ago Don't enable mount namespace code when the config file is missing or empty 28/162328/3
Rafal Krypa [Thu, 30 Nov 2017 08:38:45 +0000 (09:38 +0100)]
Don't enable mount namespace code when the config file is missing or empty

Function isMountNamespaceEnabled will read the privilege-mount.list config
file and return false when reading of that file fails or when it doesn't
contain any proper configuration entries.

Change-Id: I20fabefde1523e204c02e5ab8eb8bbdd532a8b4f
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

6 years ago Allow privilege enforcement with bind mounts to be configured 01/162001/2
Rafal Krypa [Tue, 28 Nov 2017 12:01:38 +0000 (13:01 +0100)]
Allow privilege enforcement with bind mounts to be configured

Add configuration file describing which privileges are to be enforced
with bind mounts and how. New config privilege-mount.list now assigns
privileges to their mount points and specifies source directory to bind
mount.

Change-Id: I7e2fb7a483803d0a8877d142b8e1df7a37ae18e3
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

6 years ago Add ConfigFile class for run-time reading and parsing of config files 00/162000/2
Rafal Krypa [Tue, 28 Nov 2017 07:49:46 +0000 (08:49 +0100)]
Add ConfigFile class for run-time reading and parsing of config files

New code reads config file and splits it into lines to vector, with one
element per file line. Each line is represented as vector itself, with
one element per white space separated token.
Lines that are empty or start with '#' are ignored.

New code is now used for parsing Smack policy templates and privilege to
group mapping.

Change-Id: I009cf2a33f0233a170666cfe27fd7604fb7f4340
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
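
The line/token splitting described in the ConfigFile commit message above, together with the "missing or empty config disables mount namespaces" rule from the isMountNamespaceEnabled commit, as an added example that is not the project's code. The names parseConfigExample and mountNamespaceEnabledExample are hypothetical, the sample file content is constructed, and treating a "proper" entry as exactly three tokens (and indented '#' lines as comments) is an assumption; the page does not give the real privilege-mount.list layout.

```cpp
#include <cstdio>
#include <fstream>
#include <istream>
#include <sstream>
#include <string>
#include <vector>

using ConfigLine = std::vector<std::string>;

// Constructed sample; the three-column layout is an assumption.
static const char kConstructedConfig[] =
    "# privilege  source-dir  mount-point (assumed column order)\n"
    "\n"
    "http://tizen.org/privilege/mediastorage /opt/usr/media /opt/usr/media\n"
    "   # indented comment\n"
    "http://tizen.org/privilege/externalstorage\t/opt/media   /opt/media\n"
    "malformed-entry /only/two\n";

// One element per kept line, each line one element per whitespace-separated
// token. Empty lines and lines whose first token starts with '#' are skipped.
std::vector<ConfigLine> parseConfigExample(std::istream &in) {
    std::vector<ConfigLine> lines;
    std::string raw;
    while (std::getline(in, raw)) {
        std::istringstream tokens(raw);
        ConfigLine line;
        for (std::string tok; tokens >> tok;)
            line.push_back(tok);
        if (line.empty() || line[0][0] == '#')
            continue;
        lines.push_back(line);
    }
    return lines;
}

// False when the stream could not be opened or holds no entry with the
// assumed three tokens, so callers fall back to the non-namespace path.
bool mountNamespaceEnabledExample(std::istream &in) {
    if (!in.good())
        return false;
    for (const ConfigLine &line : parseConfigExample(in))
        if (line.size() == 3)
            return true;
    return false;
}

int main() {
    std::istringstream sample(kConstructedConfig);
    std::ifstream missing("/nonexistent/privilege-mount.list");
    std::printf("sample enabled=%d, missing file enabled=%d\n",
                mountNamespaceEnabledExample(sample) ? 1 : 0,
                mountNamespaceEnabledExample(missing) ? 1 : 0);
    return 0;
}
```
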
6 years ago Add hybrid flag setting to security-manager-cmd 07/150407/3
akoszewski [Mon, 11 Sep 2017 13:15:49 +0000 (15:15 +0200)]
Add hybrid flag setting to security-manager-cmd

Change-Id: Ifca5479d87ec44de856b0bda6625960e010e31ba

6 years ago security-manager-cmd: add new option "manage-privilege" for policy manipulation 23/140023/30
Dariusz Michaluk [Mon, 24 Jul 2017 11:07:21 +0000 (13:07 +0200)]
security-manager-cmd: add new option "manage-privilege" for policy manipulation

Allow/deny privilege for application and user.

Change-Id: I371549ed2aa06ba7b2deef8543c0eff712ed8bd0

6 years ago Fix the potential memory leak. 03/108103/5
jin-gyu.kim [Tue, 3 Jan 2017 04:42:08 +0000 (13:42 +0900)]
Fix the potential memory leak.

- Dynamic memory referenced by 'array' can be lost in error case.

Change-Id: Iea68a69be02dcddc74c560792502464a9a1e19bb

6 years ago Fix the bug for clearing SharedRO Smack rules 74/128974/3
jin-gyu.kim [Fri, 12 May 2017 07:33:04 +0000 (16:33 +0900)]
Fix the bug for clearing SharedRO Smack rules

- Some SharedRO Smack rules were not cleared in uninstallation.
- Include the missing SharedRO rules in uninstallation.

Change-Id: Ic63468a78002aca4d2c0b6c1bdc925faa5050580

6 years ago Fix bugs found in the code by static analysis 20/160920/1
Bartlomiej Grzelewski [Mon, 20 Nov 2017 16:35:53 +0000 (17:35 +0100)]
Fix bugs found in the code by static analysis

Change-Id: I662d10db09931d6d3154dd263f6e6aaaa2fbf0b4

6 years ago Release 1.2.29 52/160652/1 accepted/tizen/unified/20171120.065108 submit/tizen/20171117.090517
Tomasz Swierczek [Fri, 17 Nov 2017 09:03:52 +0000 (10:03 +0100)]
Release 1.2.29

* Adding privilege group priv_tee_client.
* Include empty rules.merged file in the package

Change-Id: I9c58f5c82f0d9e95e5805f3ee95500cd94e7c9c3

6 years ago Adding privilege group priv_tee_client. 54/159554/2
r.tyminski [Thu, 9 Nov 2017 15:16:47 +0000 (16:16 +0100)]
Adding privilege group priv_tee_client.

Adding priv_tee_client group for http://tizen.org/privilege/tee.client

Change-Id: I40dbdce238fe2be4640e0e18339178303ddcbe78

6 years ago Include empty rules.merged file in the package 44/159544/1
Rafal Krypa [Wed, 8 Nov 2017 15:11:35 +0000 (16:11 +0100)]
Include empty rules.merged file in the package

This is to fix startup of security-manager-rules-loader.service systemd
unit in case when no applications are registered in security-manager.

This is a rare scenario, that wasn't considered until now, because there
were always some preloaded applications on snapshot images. But IoT images
are actually built with no preloaded applications, triggering the bug.

Empty file with aggregated Smack rules is provided to handle such case.
In case of package upgrade, existing file will not be overwritten thanks
to %config(noreplace) directive.

Change-Id: I1743672547abcdd42f520b34eba45c67402b37b1
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

6 years ago Release 1.2.28 19/158819/1 accepted/tizen/unified/20171106.073107 submit/tizen/20171103.080247 submit/tizen/20171114.102837
jin-gyu.kim [Fri, 3 Nov 2017 08:00:18 +0000 (17:00 +0900)]
Release 1.2.28

* Add support for external storage directories
* When preparation of database connection fails, indicate this with a file flag
* Fix security-manager package installation/update
* Remove duplicated -fPIC flag
* Fix database script
* Add test to check TizenVersion update in database.

Change-Id: I7f0f1f9c8d70f6439a13c90b860c4497fb2bd48b

6 years ago Add support for external storage directories 59/155559/18
Zofia Abramowska [Fri, 13 Oct 2017 10:46:07 +0000 (12:46 +0200)]
Add support for external storage directories

Applications can be also installed on external storages.
Security-manager has to accept such paths during application
installation. This commit adds such support for local and
global apps.

Change-Id: Idc6fa2930aa6fdcae9191844597da31ae13ecc20

6 years ago When preparation of database connection fails, indicate this with a file flag 85/155585/2
Rafal Krypa [Fri, 13 Oct 2017 16:46:50 +0000 (18:46 +0200)]
When preparation of database connection fails, indicate this with a file flag

A special file flag will be created by security-manager if it fails to
open its database or fails to initialize prepared statements.
This would indicate that database is either missing or broken. In such case
an empty file will be created at TZ_SYS_DB/.security-manager.db-broken

Change-Id: I6461b71134d6ce706d4295851a45840b3cf0be39
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

6 years ago Fix security-manager package installation/update 63/148363/7
Dariusz Michaluk [Thu, 7 Sep 2017 14:18:18 +0000 (16:18 +0200)]
Fix security-manager package installation/update

Change-Id: I117f2694ab042a05d6d5f05e3c79ee4fcc0aca9f

6 years ago Remove duplicated -fPIC flag 08/144708/7
Dariusz Michaluk [Thu, 17 Aug 2017 12:28:18 +0000 (14:28 +0200)]
Remove duplicated -fPIC flag

Change-Id: I1ef9791b0a283e497b33b2508926673a390dff89

6 years ago Fix database script 80/157380/2
Bartlomiej Grzelewski [Tue, 24 Oct 2017 09:02:00 +0000 (11:02 +0200)]
Fix database script

Fix update of Tizen Version during application installation.

Change-Id: I17db2e6948aefcf625c9db3d2595a5667a74c054

6 years ago Add test to check TizenVersion update in database. 68/146268/3
Bartlomiej Grzelewski [Fri, 25 Aug 2017 12:26:38 +0000 (14:26 +0200)]
Add test to check TizenVersion update in database.

Change-Id: I8271b61cd1a40eb87edce474df83d9157f9e7031

6 years ago Release 1.2.27 61/156461/1 accepted/tizen/4.0/unified/20171019.082002 submit/tizen_4.0/20171018.111837
jin-gyu.kim [Wed, 18 Oct 2017 11:12:11 +0000 (20:12 +0900)]
Release 1.2.27

* Prepare app_inst_req for handling multiple app_ids at once
* Add new API for installing pkg_id with multiple app_ids at once
* Add new functions to filesystem operations wrapper
* Add mount namespace operations wrapper
* Add IPC channel implementation
* Prepare app to launch in mount namespace
* Modify app launched in mount namespace
* Gotta catch 'em all (TizenPlatformConfig::Exception)
* Fix: Check if file exist before umount is made

Change-Id: I896cbafa175b134634a762dd55d0182ba0e570b7

6 years ago Fix: Check if file exist before umount is made 03/156403/1
Dariusz Michaluk [Wed, 18 Oct 2017 08:13:31 +0000 (10:13 +0200)]
Fix: Check if file exist before umount is made

Change-Id: I03aaa60dd23021fd19d716ccf995a0ff737f108c

6 years ago Gotta catch 'em all (TizenPlatformConfig::Exception) 71/110671/12
Krzysztof Jackiewicz [Fri, 29 Sep 2017 10:56:03 +0000 (12:56 +0200)]
Gotta catch 'em all (TizenPlatformConfig::Exception)

There are still several places in code where TizenPlatformConfig::Exception is
thrown and unhandled. Missing catches added. Code refactored to avoid throwing
exceptions during global data initialization.

Change-Id: I6ae7bda10152c33fff9fcaa6c98b23222a1aeb81

6 years ago Modify app launched in mount namespace 81/139781/30
Dariusz Michaluk [Mon, 2 Oct 2017 13:14:48 +0000 (15:14 +0200)]
Modify app launched in mount namespace

This commit adds worker that will be able to manage with mount namespace.
If mount namespace is not supported, security-manager will run without worker,
otherwise worker will be communicated with security-manager through IPC channel.

If app privilege status changes, worker will allow/deny access to filesystem directory
associated with this privilege.

Change-Id: I056cd752c228335c7b67a607bddc0934c7a79ddd

6 years ago Prepare app to launch in mount namespace 85/139385/24
Dariusz Michaluk [Mon, 2 Oct 2017 12:26:19 +0000 (14:26 +0200)]
Prepare app to launch in mount namespace

This commit changes security_manager_prepare_app() behaviour.
The new functionality requires CAP_SYS_ADMIN capability added to the calling process.

Changes include:
 - runtime detection of namespace support (check access to "/proc/self/ns/mnt"
   which exists in kernel 3.8+ only),
 - if mount namespace is not supported, app launch in the old way,
   privileges are handled by groups,
 - if mount namespace support is detected, app launch in mount namespace,
   some privileges are handled in the new way,
 - these privileges are:
    a) http://tizen.org/privilege/externalstorage
       (mapped to /opt/media filesystem directory)
    b) http://tizen.org/privilege/mediastorage
       (mapped to /opt/usr/media filesystem directory)
 - if app privilege status is set to deny, the above directory
   is bind mounted to a dummy directory (no access to filesystem)

Change-Id: Ic41ea9eb48c369934bcafe406aa1b4207f67523d
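
The launch-time decision described in this commit message, sketched as an added example (not security-manager's own code). Function names and the dummy-directory argument are hypothetical; only the two privilege-to-directory pairs and the /proc/self/ns/mnt check come from the commit message.

```c
#include <linux/sched.h>   /* CLONE_NEWNS */
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Privilege-to-directory mapping as listed in the commit message. */
struct priv_dir { const char *privilege; const char *dir; };
static const struct priv_dir PRIV_DIRS[] = {
    { "http://tizen.org/privilege/externalstorage", "/opt/media" },
    { "http://tizen.org/privilege/mediastorage",    "/opt/usr/media" },
};
#define N_PRIV_DIRS (sizeof(PRIV_DIRS) / sizeof(PRIV_DIRS[0]))

/* Runtime detection: pass "/proc/self/ns/mnt"; absent means group-based fallback. */
int mount_ns_supported(const char *ns_path)
{
    return access(ns_path, F_OK) == 0;
}

/* Fail closed: every mapped privilege NOT in 'allowed' gets its directory hidden. */
size_t plan_denied_dirs(const char *const *allowed, size_t n_allowed,
                        const char **out)
{
    size_t n_out = 0;
    for (size_t i = 0; i < N_PRIV_DIRS; i++) {
        int granted = 0;
        for (size_t j = 0; j < n_allowed; j++)
            if (strcmp(allowed[j], PRIV_DIRS[i].privilege) == 0)
                granted = 1;
        if (!granted)
            out[n_out++] = PRIV_DIRS[i].dir;
    }
    return n_out;
}

/* Needs CAP_SYS_ADMIN. Enters a private mount namespace, then covers each
 * denied directory with an empty one so the app sees no files there.
 * Raw syscall is used so the example needs no feature-test macro. */
int enter_ns_and_hide(const char *dummy_dir, const char **denied, size_t n)
{
    if (syscall(SYS_unshare, CLONE_NEWNS) != 0)
        return -1;
    /* Keep our bind mounts from propagating back to the parent namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (mount(dummy_dir, denied[i], NULL, MS_BIND, NULL) != 0)
            return -1;
    return 0;
}
```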

6 years ago Add IPC channel implementation 80/153880/3
Dariusz Michaluk [Mon, 2 Oct 2017 13:04:08 +0000 (15:04 +0200)]
Add IPC channel implementation

Change-Id: I18a7de2933e3a3543dca6c738c0cb9a6dcc74eb1

6 years ago Add mount namespace operations wrapper 79/153879/3
Dariusz Michaluk [Mon, 2 Oct 2017 11:59:06 +0000 (13:59 +0200)]
Add mount namespace operations wrapper

This commit adds:
 - mount namespace helper functions,
 - privilege to filesystem paths mapping,
 - application to mount namespace mapping.

Change-Id: I572b316297c7512455829305674fd1be2ea07656

6 years ago Add new functions to filesystem operations wrapper 78/153878/3
Dariusz Michaluk [Mon, 2 Oct 2017 11:08:12 +0000 (13:08 +0200)]
Add new functions to filesystem operations wrapper

This commit adds:
 - create/remove directory/files functions,
 - get text file contents function,
 - error handling improvement,
 - function names convention.

Change-Id: I7861f26d14cb1e61af990881044eaea047b3f345

6 years ago Add new API for installing pkg_id with multiple app_ids at once 79/153279/4
Rafal Krypa [Tue, 26 Sep 2017 15:13:02 +0000 (17:13 +0200)]
Add new API for installing pkg_id with multiple app_ids at once

New client function security_manager_app_inst_req_next() enables installer
to add information about multiple applications. Each application in
request has its own app_id, privileges and app-defined privileges.
All other parameters set on the installation request are shared.

Sample usage of the new API (simplified, no error checking):

security_manager_app_inst_req_new(&p_req);

/* Per-package attributes */
security_manager_app_inst_req_set_pkg_id(p_req, pkgId);

/* Per-app attributes */
security_manager_app_inst_req_set_app_id(p_req, appId1);
security_manager_app_inst_req_add_privilege(p_req, appId1_priv1);
security_manager_app_inst_req_next(p_req);
security_manager_app_inst_req_set_app_id(p_req, appId2);
security_manager_app_inst_req_add_privilege(p_req, appId2_priv1);

security_manager_app_install(p_req);
security_manager_app_inst_req_free(p_req);

Change-Id: Ia1a42071bcf7356f17622c1d110778e803d3f39a
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

6 years ago Prepare app_inst_req for handling multiple app_ids at once 87/151687/10
Rafal Krypa [Wed, 20 Sep 2017 10:19:49 +0000 (12:19 +0200)]
Prepare app_inst_req for handling multiple app_ids at once

Application install and uninstall requests will enable support for
handling multiple app_ids from single package in one shot.
The app_inst_req structure is modified to include an array of application
parameters, i.e.:
- app_id
- privileges
- app defined privileges

To make use of this feature, a new API will be added in next commits.
For now the modified request data structure will serve the existing API,
holding only single element in array of app parameters.

Change-Id: If961ad3625f9397358487021982f07886cee1e28
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

6 years ago Fix coding style in security-manager-cmd.cpp 90/151690/3
Rafal Krypa [Thu, 21 Sep 2017 13:19:23 +0000 (15:19 +0200)]
Fix coding style in security-manager-cmd.cpp

Change-Id: Iedfee86a382b45c50f8f3717a9e187da09413657
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

6 years ago Release 1.2.26 82/153282/1 accepted/tizen/4.0/unified/20170929.080133 accepted/tizen/unified/20170929.081538 submit/tizen/20170928.073535 submit/tizen_4.0/20170928.073544 tizen_4.0.IoT.p1_release
Yunjin Lee [Thu, 28 Sep 2017 07:29:42 +0000 (16:29 +0900)]
Release 1.2.26

* Add core privilege: peripheralio
* Remove core privilege: d2d.datasharing
* Remove redundant file info from SM dlog logs

Change-Id: I0ba6e51ffa1d5080a8daf211b503bab5aaa36b00
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

6 years ago Add core privilege: peripheralio 78/153278/1
Yunjin Lee [Thu, 28 Sep 2017 07:20:37 +0000 (16:20 +0900)]
Add core privilege: peripheralio

- privilege required to communicate with peripherals

Change-Id: If2f2e08fead8fad34525b56b06b3a6eca0e570d7
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

6 years ago Remove core privilege: d2d.datasharing 68/152568/1
Yunjin Lee [Tue, 26 Sep 2017 10:20:32 +0000 (19:20 +0900)]
Remove core privilege: d2d.datasharing

Change-Id: I99815d92c5cef15ce012323e2f1e5c66b93e8b10
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

6 years ago Remove redundant file info from SM dlog logs 00/149800/4
Pawel Kowalski [Wed, 13 Sep 2017 06:23:59 +0000 (08:23 +0200)]
Remove redundant file info from SM dlog logs

Security-manager uses code adapted from DPL for logging. Currently
a dlog backend is utilized. Both DPL and dlog include information
like file name, line and function from where the log was triggered.
It led to redundant file info in logs.

In order to remove this redundant information, dlog macro SLOG was
replaced with the macro called print_system_log. The print_system_log
macro does not add its own set of information (it displays only
a message prepared by the developer). The print_system_log macro is
labeled as an 'internal' in dlog-internal.h header file but in this
case 'internal' means that macro should not be used by applications
but may be used by system/platform daemons.

Also the FormatMessage was modified in order to display a log message
in a dlog style.

Change-Id: I54b9ebe6240a407609512b4906257ec655d0d8a3

6 years ago Release 1.2.25 91/150791/1 accepted/tizen/4.0/unified/20170920.081731 accepted/tizen/unified/20170922.194236 submit/tizen/20170919.093121 submit/tizen_4.0/20170918.152308
Zofia Abramowska [Fri, 15 Sep 2017 15:48:07 +0000 (17:48 +0200)]
Release 1.2.25

Fix SVACE defects:
* Redo C-style var args methods
* Use dynamic cast for base-to-derived conversion

Change-Id: Ic852b4751387f1590d0103c20a5d2214fdfaf737

6 years ago Redo C-style var args methods 61/150461/2
Zofia Abramowska [Fri, 15 Sep 2017 15:48:07 +0000 (17:48 +0200)]
Redo C-style var args methods

Change-Id: I28e6ca056a094739b60e17cdad54ef260475e3c3

6 years ago Use dynamic cast for base-to-derived conversion 60/150460/1
Zofia Abramowska [Fri, 15 Sep 2017 15:42:06 +0000 (17:42 +0200)]
Use dynamic cast for base-to-derived conversion

Change-Id: I4f3f9c4062197941cb23fa5c40c883c6d26d877f

6 years ago Release: 1.2.24 58/143358/2 accepted/tizen/4.0/unified/20170829.020126 accepted/tizen/unified/20170810.172045 submit/tizen/20170809.105839 submit/tizen_4.0/20170828.100004 submit/tizen_4.0/20170828.110004
keeho.yang [Wed, 9 Aug 2017 10:44:18 +0000 (19:44 +0900)]
Release: 1.2.24

* Fix license-manager rpm install/update/erase
* Enforce PIE through main CMakeLists

Change-Id: I5c8adad9bd4901b2647b3754733f0e81b6beada4

6 years ago Enforce PIE through main CMakeLists 77/140577/7
Igor Kotrasinski [Tue, 25 Jul 2017 07:37:36 +0000 (09:37 +0200)]
Enforce PIE through main CMakeLists

Fixes security-manager-cmd not building as PIE and removes hardcoded
-fPIE and -pie flags.

Change-Id: I6be0ef5864066b0be83e75671e8f3b124610b88b
Signed-off-by: Igor Kotrasinski <i.kotrasinsk@partner.samsung.com>

6 years ago Fix license-manager rpm install/update/erase 13/142613/3
Dariusz Michaluk [Fri, 4 Aug 2017 14:23:40 +0000 (16:23 +0200)]
Fix license-manager rpm install/update/erase

Change-Id: I81358665747f71738e3a23f8a1d27f084ed3bf09

6 years ago Release 1.2.23 32/142732/1 accepted/tizen/unified/20170808.171237 submit/tizen/20170807.095318
jin-gyu.kim [Mon, 7 Aug 2017 06:17:34 +0000 (15:17 +0900)]
Release 1.2.23

* Add core privilege: gesturegrab, gestureactivation
* Fix bugs reported by C++Test and SVACE
* Change coding style in socket-manager.cpp
* Fix database upgrading from v10 to v11
* Fix buffer overflow in exception.h
* Replace getgrent with getgrnam_r in security_manager_groups_get
* Fix race condition in reading credentials

Change-Id: I6e662155ae04b63b0cb3a6bfba3f3b1a03a666cb

6 years ago Add core privilege: gesturegrab, gestureactivation 80/141080/2
Yunjin Lee [Fri, 28 Jul 2017 05:31:33 +0000 (14:31 +0900)]
Add core privilege: gesturegrab, gestureactivation

- gesturegrab privilege allows app to grab touch gesture
- gestureactivation privilege allows app to activate/deactivate the grabbing

Change-Id: Ic3897a26405962bc74ed6add54f3f0d33525e492
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

6 years ago Change coding style in socket-manager.cpp 26/139826/7
Bartlomiej Grzelewski [Thu, 20 Jul 2017 12:56:43 +0000 (14:56 +0200)]
Change coding style in socket-manager.cpp

Change-Id: I15803fd3548a19d328cef57426762a2052ca9b1f

6 years ago Fix bugs reported by C++Test and SVACE 07/139607/4
Bartlomiej Grzelewski [Wed, 19 Jul 2017 12:16:09 +0000 (14:16 +0200)]
Fix bugs reported by C++Test and SVACE

Change-Id: Id8c2ee63159b6df768a9e818bcb929c4a70d57b0

6 years ago Fix database upgrading from v10 to v11 24/142124/3
Dariusz Michaluk [Wed, 2 Aug 2017 15:10:12 +0000 (17:10 +0200)]
Fix database upgrading from v10 to v11

Change-Id: I54778accfcc2479dd899285c66ba4c3a95329b10

6 years ago Fix buffer overflow in exception.h 22/139322/2
Bartlomiej Grzelewski [Mon, 17 Jul 2017 17:04:36 +0000 (19:04 +0200)]
Fix buffer overflow in exception.h

Change-Id: Idaf6e6c8afa4936370e97c5870dfb5b7b5149e24

7 years ago Replace getgrent with getgrnam_r in security_manager_groups_get 71/141771/7
Krzysztof Jackiewicz [Wed, 2 Aug 2017 07:25:28 +0000 (09:25 +0200)]
Replace getgrent with getgrnam_r in security_manager_groups_get

Group2Gid constructor used getgrent which is not thread-safe. The class is used
in security-manager's server which is single threaded and in a nss plugin. The
nss plugin is called in the same context as initgroups() and as such can be
called from concurrent threads simultaneously although it makes no sense. Also
initgroups() manual does not mention anything about thread-safety.

It's impossible to get groups mapping thread-safely using getgrent_r if we are
not controlling all of the threads (which is the case in SM's client library).
Instead the getgrnam_r() was used.

Change-Id: I753f88ee0f85bb28c0907ae590e522a075873ffb
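
A thread-safe name-to-gid lookup of the kind this commit message describes, as an added example (not the project's Group2Gid code). The function names are hypothetical; the point is that getgrnam_r() works only on caller-owned storage, unlike the shared iteration cursor behind getgrent().

```c
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 and sets *gid on success, 1 if the group does not exist,
 * -1 on lookup error. No static or process-wide state is touched, so
 * concurrent callers in other threads cannot disturb the result. */
int group_name_to_gid(const char *name, gid_t *gid)
{
    long hint = sysconf(_SC_GETGR_R_SIZE_MAX);
    size_t len = hint > 0 ? (size_t)hint : 1024;

    for (;;) {
        char *buf = malloc(len);
        if (!buf)
            return -1;
        struct group grp, *res = NULL;
        int rc = getgrnam_r(name, &grp, buf, len, &res);
        if (rc == 0 && res) {
            *gid = res->gr_gid;
            free(buf);
            return 0;
        }
        free(buf);
        /* ERANGE: entry (e.g. a long member list) did not fit; grow and retry. */
        if (rc == ERANGE && len < (1u << 20)) {
            len *= 2;
            continue;
        }
        return rc == 0 ? 1 : -1;
    }
}

/* Map a list of group names; names that do not resolve are skipped. */
size_t map_groups(const char *const *names, size_t n, gid_t *gids)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++)
        if (group_name_to_gid(names[i], &gids[found]) == 0)
            found++;
    return found;
}
```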

7 years ago Fix race condition in reading credentials 31/140331/2
Bartlomiej Grzelewski [Mon, 24 Jul 2017 12:00:29 +0000 (14:00 +0200)]
Fix race condition in reading credentials

Race condition scenario:
1. Client connects to service and gets descriptor D.
2. Client sends request R.
3. Client closes connection.
4. Second client connects to service and gets descriptor D.
5. Service thread starts to process request R and calls
   getCredentialsFromSocket. Function returns credentials of
   second client.

Change-Id: Id42d58b90147157df9772dd856d4769b8698434b

7 years ago Release 1.2.22 71/139671/1 accepted/tizen/4.0/unified/20170816.011622 accepted/tizen/4.0/unified/20170816.014833 accepted/tizen/unified/20170720.164945 submit/tizen/20170720.052357 submit/tizen/20170720.054830 submit/tizen_4.0/20170811.094300 submit/tizen_4.0/20170814.115522 submit/tizen_4.0_unified/20170814.115522
jin-gyu.kim [Thu, 20 Jul 2017 05:22:57 +0000 (14:22 +0900)]
Release 1.2.22

* Fix segfault in nss plugin

Change-Id: I49a37725b3297a4bbd62b944f071bcba9a681c90

7 years ago Fix segfault in nss plugin 58/139558/3
Krzysztof Jackiewicz [Wed, 19 Jul 2017 09:34:17 +0000 (11:34 +0200)]
Fix segfault in nss plugin

- Initialize groups pointer to NULL
- Delay wrapping with unique_ptr until we are sure that function returning
  groups succeeded
- Treat empty group list as a correct result

Change-Id: I9cf7493d819f3c1afdc2a378bc52f24d0f3f53b9

7 years ago Release 1.2.21 55/138055/1 accepted/tizen/unified/20170713.153304 submit/tizen/20170711.023607 submit/tizen/20170712.102507
jin-gyu.kim [Tue, 11 Jul 2017 02:30:22 +0000 (11:30 +0900)]
Release 1.2.21

* Allow application to fetch its own policy
* Optimize group processing performance
* Add core privilege: blocknumber.read, blocknumber.write

Change-Id: I2320777e489a094eb23e87a1747e5a0b6f0200a6

7 years ago Allow application to fetch its own policy 91/135791/6
Zofia Abramowska [Mon, 26 Jun 2017 11:42:35 +0000 (13:42 +0200)]
Allow application to fetch its own policy

Application requires checking its privacy privilege
status to decide whether invoking askuser popup is
required. This change allows an app to fetch its own
policy (for the same app_id and user) without any
additional privilege.

Change-Id: Ie351f002107e58ad90b71f44ec25026469e38cb5

7 years ago Optimize group processing performance 35/126135/11
Rafal Krypa [Fri, 7 Jul 2017 16:16:16 +0000 (18:16 +0200)]
Optimize group processing performance

- Map group names to gids during server startup.
- Return gids instead of group names to client.
- Modify API used by NSS plugin to return gids and update the plugin.
- Cache privilege->gid mapping and privilege related gids on server side.

Change-Id: I30480565495e9591d893279f2df622fa21b6e1b9

7 years ago Add core privilege: blocknumber.read, blocknumber.write 40/137340/1
Yunjin Lee [Wed, 5 Jul 2017 08:45:31 +0000 (17:45 +0900)]
Add core privilege: blocknumber.read, blocknumber.write

Change-Id: Ibf991198a1a3a401a0b3e003a485e3ae9ee5dbdd
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

7 years ago Release 1.2.20 03/136603/1 accepted/tizen/unified/20170703.064244 submit/tizen/20170630.100553 submit/tizen/20170703.021739
Piotr Sawicki [Fri, 30 Jun 2017 10:02:34 +0000 (12:02 +0200)]
Release 1.2.20

* Remove dependency to Nether
* Add missing else keyword
* Fix memory allocation loop
* Apply -fPIE and -pie flag to license-manager
* Verify if certificate CN entry is equal to pkgId.
* Refactor error handling on app_defined_privilege/client_license table
* Change license-manager-agent uid/gid to security_fw
* Accept null as appId during license extraction
* New schema of database
* Apply coding rules
* Implement certificate verification inside agent
* Improve implementation of appdefined privilege API
* Remove outdated 'CREATE INDEX + performance tests required' TODO
* security-manager-cmd: add new option manager-apps for app install/uninstall
* Support security_manager_app_uninstall calling in off-line mode

Change-Id: I7894668ea52634b226b5c0d699661a2be33f9707

7 years ago Remove dependency to Nether 91/136291/1
jin-gyu.kim [Thu, 29 Jun 2017 04:47:44 +0000 (13:47 +0900)]
Remove dependency to Nether

Security-manager has the dependency to Nether to install it.
Nether can be installed independently. [TRE-1330]
Therefore, remove the dependency.

Change-Id: Ibb3b2f18aad6be934737238f9412189e59d23f01

7 years ago Add missing else keyword 01/133501/4
Bartlomiej Grzelewski [Mon, 12 Jun 2017 10:34:53 +0000 (12:34 +0200)]
Add missing else keyword

Change-Id: I092cf2c807d6a1445de4d33b308717d8f8ee87e0