platform/core/security/security-manager.git
4 years agoRemove almost unused code from filesystem.cpp/.h 81/236581/3
Tomasz Swierczek [Thu, 18 Jun 2020 07:52:36 +0000 (09:52 +0200)]
Remove almost unused code from filesystem.cpp/.h

fileSize was used only in one place, in tests

Change-Id: Ib2580f488c65d379059cf977f9533e27e93bdd47

4 years agoRemove unused code from filesystem.cpp/.h 81/236481/7
Tomasz Swierczek [Wed, 17 Jun 2020 09:34:41 +0000 (11:34 +0200)]
Remove unused code from filesystem.cpp/.h

Change-Id: I5a4b722e34ba1bb691a0edf576b3e83a3b9499e0

4 years agoAdd test cases for filesystem.cpp functions 38/228538/31
Tomasz Swierczek [Mon, 23 Mar 2020 18:59:14 +0000 (19:59 +0100)]
Add test cases for filesystem.cpp functions

Previously, unit tests covered only about 26% of the lines,
this patch aims to increase the file coverage to at least 80%.

Change-Id: I985a2b690fdf1bbb355edb94753bf8c54108b9cf

4 years agoSet C++ 17 flags 09/236509/2
Tomasz Swierczek [Wed, 17 Jun 2020 14:01:32 +0000 (16:01 +0200)]
Set C++ 17 flags

Will be needed later for inline static variables in class declaration

Change-Id: I203bf0f593a2bca4a95b06d98a85f609533b8039

4 years agoCategorize unit test cases as negative or positive 61/228061/17
Tomasz Swierczek [Wed, 18 Mar 2020 13:51:59 +0000 (14:51 +0100)]
Categorize unit test cases as negative or positive

Macros adding NEGATIVE_ or POSITIVE_ prefix to test name added too.
Some tests split for proper distinction of negative & positive tests.

Change-Id: I98b1c3b657cd84f01c364254aff064bf40b8b456

4 years agoDisable assert() for release builds 32/233932/1
Konrad Lipinski [Wed, 20 May 2020 09:42:08 +0000 (11:42 +0200)]
Disable assert() for release builds

Change-Id: I61861dc2b181ff6c70a66af9e30b21ff0c9805d7

4 years agoRelease 1.6.2 90/233390/1 accepted/tizen/unified/20200529.124059 submit/tizen/20200514.103903 submit/tizen/20200528.071929 submit/tizen/20200529.012726
Tomasz Swierczek [Thu, 14 May 2020 08:38:45 +0000 (10:38 +0200)]
Release 1.6.2

* Add new arguments for installation requests
* Properly handle missing/invalid smack privilege policy
* Catch TizenPlatformConfig exception in NSMountLogic
* Get distinct app names from pkg
* Add listing running apps based on namespace
* Don't assume that default privilege Smack rules template exists
* Let template manager throw for configuration errors
* Fix enterMountNamespace() error handling.

Change-Id: I37322a85aeebd0e23274231e8acabc0106af5e92

4 years agoAdd new arguments for installation requests 95/229895/10
Tomasz Swierczek [Mon, 6 Apr 2020 09:03:47 +0000 (11:03 +0200)]
Add new arguments for installation requests

Added arguments are:
* pkg_type (none, wrt, core, metadata)
* pkg_privilege_level (none, public, platform, partner)

This change is adjusting usage of privilege-checker functions
to its API changes.

Before this patch, privilege-checker used pkgmgr to check these data
about newly installed app. Because security-manager calls
privilege-checker at app install time, this required the pkgmgr db to be
filled before calling security-manager in app installer.
However, installer is currently changing its order of operation
and we can't rely on its data being available at this time.

Since this data is known explicitly by installer, its easy to add this
information to the installation request (per pkg).

If not set ("none" values), privilege-checker consults pkgmgr
like it used to.

Adding this API will also ease the situation in security-tests, where
pkgmgr DB had to be filled manually before each *fake* app installation
done only for purpose of security-manager API tests.
Now, the installation request in security-tests can be filled with
other-than-none values for both variables, which will result
in pkgmgr DB not being checked at app install time.

Change-Id: I518eb4524c9c1f3ff2e6d68ea25c037591f6634b

4 years agoProperly handle missing/invalid smack privilege policy 01/232001/6
Krzysztof Jackiewicz [Mon, 27 Apr 2020 08:41:32 +0000 (10:41 +0200)]
Properly handle missing/invalid smack privilege policy

Continue to read other config files if smack privilege policy is missing.
Do ignore invalid smack-privilege template rules.
Remove unnecessary code.

Change-Id: I105e541b321523fa98556614509837cbbc5c5b13

4 years agoCatch TizenPlatformConfig exception in NSMountLogic 25/232425/2
Krzysztof Jackiewicz [Mon, 4 May 2020 10:53:07 +0000 (12:53 +0200)]
Catch TizenPlatformConfig exception in NSMountLogic

It may happen if there are some leftovers in /run/user/. Until now an
unknown exception was logged.

Change-Id: I02bbe251bd4ee094965810f8eeb228be78d7081a

4 years agoGet distinct app names from pkg 11/231011/2
Krzysztof Jackiewicz [Thu, 16 Apr 2020 13:00:36 +0000 (15:00 +0200)]
Get distinct app names from pkg

The same app can be installed for several users. This commit adds DISTINCT to
EGetAppsInPkg query to avoid duplicates.

Change-Id: Ic277ab899cf46aae2e1c08790e8db0e7e29c80ac

4 years agoAdd listing running apps based on namespace 61/230561/8
Zofia Abramowska [Fri, 10 Apr 2020 10:47:47 +0000 (12:47 +0200)]
Add listing running apps based on namespace

Change-Id: I8240646edef06fc267cc4a2177764494ec081fdb

4 years agoDon't assume that default privilege Smack rules template exists 89/231889/2
Zofia Abramowska [Fri, 24 Apr 2020 15:29:03 +0000 (17:29 +0200)]
Don't assume that default privilege Smack rules template exists

Change-Id: I03c0fadeaf95885d191937d8c3e04fde70de047b

4 years agoLet template manager throw for configuration errors 88/231888/2
Zofia Abramowska [Fri, 24 Apr 2020 15:08:33 +0000 (17:08 +0200)]
Let template manager throw for configuration errors

Change-Id: Iec25cd08ae5cff6ef721b77022d07f734898f773

4 years agoFix enterMountNamespace() error handling. 86/232286/2
Dariusz Michaluk [Wed, 29 Apr 2020 14:42:59 +0000 (16:42 +0200)]
Fix enterMountNamespace() error handling.

There is a TOCTOU race condition between checking/entering app namespaces.
In this small time window, app can be killed,
so updating app namespace doesn't make sense, we can skip this step.

Change-Id: I27f8e0d5fed42a11b96dd79fc83b36be60aeca5e

4 years agoRelease 1.6.1 70/231570/1 accepted/tizen/unified/20200423.054604 submit/tizen/20200422.125336
Dariusz Michaluk [Wed, 22 Apr 2020 11:51:02 +0000 (13:51 +0200)]
Release 1.6.1

* Properly handle ENOENT error on encrypted device
* Move initial namespace setup to security_manager_prepare_app_candidate()

Change-Id: Ic99978f8d3b3b46d3322aae478bf698eb8b4f35c

4 years agoProperly handle ENOENT error on encrypted device 87/231387/2
Dariusz Michaluk [Tue, 21 Apr 2020 12:22:46 +0000 (14:22 +0200)]
Properly handle ENOENT error on encrypted device

Change-Id: Ica5318462304b9f96096f0376885d676e5e087ba

4 years agoMove initial namespace setup to security_manager_prepare_app_candidate() 68/231368/2
Dariusz Michaluk [Tue, 21 Apr 2020 11:21:25 +0000 (13:21 +0200)]
Move initial namespace setup to security_manager_prepare_app_candidate()

Change-Id: I43f316b8e074ff18462388b64793cbc3e2d895c1

4 years agoRelease 1.6.0 65/231365/5 submit/tizen/20200421.142342
Tomasz Swierczek [Tue, 21 Apr 2020 12:21:11 +0000 (14:21 +0200)]
Release 1.6.0

Add RPM package for iptables rules needed for GID-based internet access control
Add new privilege-enforcing mechanism that uses privilege-Smack mapping
Mount namespace enhancements & fixes

With this release, versioning differs from branch tizen_5.5.

With this release, Tizen has 3 mechanisms for controlling internet access:

* nether
  - supports mutltiuser
  - allows dynamic policy change for app, during application runtime
  - complicated support for many protocols, many dependencies (mostly in kernel)
* iptables + privilege-to-GID mapping
  - supports multiuser
  - dissallows dynamic policy change
  - requires patches from upstream kernel & iptables
* privilege-to-Smack mapping
  - allows dynamic policy change
  - doesn't require any custom kernel changes
  - doesn't support simultaneous multiuser

Change-Id: I9984ce4f9a761be9182535ec60ee11dbb13acc77

4 years agoFix security_manager_cleanup_app() 12/231012/3
Dariusz Michaluk [Thu, 16 Apr 2020 13:22:02 +0000 (15:22 +0200)]
Fix security_manager_cleanup_app()

After introducing sharedRO mount namespace setup,
every app should cleanup own namespace after termination.

Change-Id: I358007e3f47213f3038e6c3f2a05cbe5e273627f

4 years agoAdd group mapping for internal/appdebugging privilege 41/203441/5
Lukasz Pawelczyk [Thu, 11 Apr 2019 15:48:40 +0000 (17:48 +0200)]
Add group mapping for internal/appdebugging privilege

Change-Id: I4eca8498ffec4521fcbcba3535b7c1573c9edb25

4 years agoCreate new RPM for loading iptables rules at system start 42/203442/11
Lukasz Pawelczyk [Fri, 12 Apr 2019 11:14:34 +0000 (13:14 +0200)]
Create new RPM for loading iptables rules at system start

iptables rules can be used by security network control with
internet and internal/appdebugging priviledges.

Mapping internet GID privilege with this set of iptables rules
can be much simpler alternative to nether, which also supports multiuser
but doesn't support runtime policy change for running apps.

Change-Id: I033b36c64fc14de5a275db00aab5825dad61341d

4 years agoProperly handle nonexisting apps uninstallation 50/230850/7
Krzysztof Jackiewicz [Tue, 14 Apr 2020 19:48:49 +0000 (21:48 +0200)]
Properly handle nonexisting apps uninstallation

If one or more of apps to uninstall is missing (e.g. already uninstalled) the
app_inst_req::app::appName is cleared and the UninstallHelper::removeApps has
no flag for given app. As a result nonexistent app is unnecessarily processed
in ServiceImpl::appUninstallSmackRules and smack rules of some apps may be
left untouched.

This is a fix for both issues.

Change-Id: Ifa6499f454cdff3d9f9d9570e6670c2998cc857b

4 years agoDisable Smack privilege mapping configuration 52/231352/2
Zofia Abramowska [Tue, 21 Apr 2020 10:01:57 +0000 (12:01 +0200)]
Disable Smack privilege mapping configuration

Change-Id: I89870a7aa63812b08255b05c195b1c6e85a3bb96

4 years agoFix multi-user detection 60/231260/1
Zofia Abramowska [Mon, 20 Apr 2020 14:19:13 +0000 (16:19 +0200)]
Fix multi-user detection

With appId->uid mapping, we cannot properly handle this use case:
* user1 launches app A -> (appA, user1)
* user1 launches app B -> conflict detected, Smack not applied,
                          mapping saved to (appB, user1)
* user1 launches app B again -> no conflict detected, Smack applied
(This won't be fixed if mapping is only updated, when multi-user is
not detected)
This commit changes multi-user detection to be only based on apps
running taken from MountNS fs structure.

Change-Id: I69c729e85e05cce498abdcb4e6832df634789765

4 years agoUse mount namespace mount points to find running apps 49/230849/5
Zofia Abramowska [Tue, 14 Apr 2020 16:49:34 +0000 (18:49 +0200)]
Use mount namespace mount points to find running apps

Change-Id: Ifef7a3aa2fb9666e20f428270c41850ce7319208

4 years agoRemove privilege related Smack rules when multi-user is detected 70/230070/6
Zofia Abramowska [Tue, 7 Apr 2020 17:12:55 +0000 (19:12 +0200)]
Remove privilege related Smack rules when multi-user is detected

Privilege related Smack rules can only be used, when applications
can be launched for only one user. When multiple instances of
one application for different users are detected, all privilege
related Smack rules for this application will be revoked.
This isn't a permanent state. When application is launched only
for one user it will acquire all needed permissions.

Change-Id: Ibda63d3ce4ce072f48fff4ff0e2c083c69fe66d7

4 years agoChange privilege related Smack rules on cynara policy change 84/229384/11
Zofia Abramowska [Tue, 7 Apr 2020 15:30:03 +0000 (17:30 +0200)]
Change privilege related Smack rules on cynara policy change

When policy is updated recalculate privilege related Smack rules
for all running applications.

Change-Id: Ic6a0341399186d10404f1ce189217d963707e7be

4 years agoRemove privilege Smack mapping rules on application uninstallation 85/229085/9
Zofia Abramowska [Fri, 27 Mar 2020 17:51:36 +0000 (18:51 +0100)]
Remove privilege Smack mapping rules on application uninstallation

Disable all privilege related Smack rules on application
uninstallation and instead of revoke subject before application
launch (to clear old rules before applying new ones).

Change-Id: I30d67d8d16e8cd0632ac43d22e5e876bbb2bc47b

4 years agoCheck if smack privilege mapping is enabled 12/229812/7
Zofia Abramowska [Fri, 3 Apr 2020 17:42:41 +0000 (19:42 +0200)]
Check if smack privilege mapping is enabled

Check is Smack privilege mapping contains any configuration -
meaning if it is enabled.

Change-Id: Iac9aaa79ed8e3fdd854826c12d93e11a5ee4cba0

4 years agoAdd Smack template files manager 36/228536/10
Zofia Abramowska [Mon, 23 Mar 2020 18:05:48 +0000 (19:05 +0100)]
Add Smack template files manager

Add Smack template rule files manager to speedup the process
of loading template files.

Change-Id: I148438dafdf355be7a77f4a8662ffa0b4e0b6ac1

4 years agoSplit smack API wrapper and rules management 12/228212/12
Zofia Grzelewska [Tue, 3 Mar 2020 15:10:19 +0000 (16:10 +0100)]
Split smack API wrapper and rules management

Split smack API wrapper (SmackAccesses) and rules generation and management
(SmackRules) into separate classes. Make SmackRules a class,
not a namespace, in a preparation for pre-loading of rules template files.

Change-Id: I695a7cbaef404462909b80271d0775a2c725d4f3

4 years agoAdd restriction for privilege smack mapping rules 74/226974/12
Zofia Grzelewska [Fri, 28 Feb 2020 16:25:45 +0000 (17:25 +0100)]
Add restriction for privilege smack mapping rules

Do not support rules, which are not based only on privilege or
application based labels.

Change-Id: Ib86cac1c8b362f8b4549148be96915a16e323e65

4 years agoChange privilege and privilege status vector names for clarity 74/228974/8
Zofia Abramowska [Thu, 26 Mar 2020 12:47:59 +0000 (13:47 +0100)]
Change privilege and privilege status vector names for clarity

PrivilegeVector and privilegeStatusVector passed to prepareApp are not
general privileges, but privileges related to paths. This commit
changes variables names to make it more clear.

Change-Id: I66a05ea0db305ded53ed1d47f60496cd5fda8636

4 years agoChange cynara client check to admin check for allowed privs 57/229257/6
Zofia Abramowska [Mon, 30 Mar 2020 14:22:36 +0000 (16:22 +0200)]
Change cynara client check to admin check for allowed privs

Cynara client check will trigger custom plugins evaluation.
This would be an unwanted behavior, as getAppAllowedPrivileges
should return current state without involvement of the user.
Using Cynara admin check we can achieve the same thing without
triggering of the plugins.

Change-Id: I6d60f9d70fa0d39ac6e9d108fef40227ba9e62d6

4 years agoAdd privilege-Smack mapping 62/224862/13
Zofia Grzelewska [Wed, 12 Feb 2020 17:50:21 +0000 (18:50 +0100)]
Add privilege-Smack mapping

Add privilege-Smack mapping configuration:
* privilege-smack.list which describes privilege mapping
  to Smack label and Smack rules template
* priv-rules-default-template.smack which is an example
  of Smack rules template for privilege
* this implementation currently only applies policy on
  application launch (no runtime policy changes modify it)
and draft implementation.

IMPORTANT: This mechanism can be used, when *only one* user
           is used on Tizen.

Change-Id: Iafc999793e6fe465279d0e63ca087ae6b836181a

4 years agoFix security-manager worker 69/168869/8
Dariusz Michaluk [Tue, 14 Apr 2020 13:09:35 +0000 (15:09 +0200)]
Fix security-manager worker

Move worker process to main mount namespace after finishing job.

Change-Id: Ic0ed8011ecc8fab04a237c6a96190f4a8cc5d266

4 years agoRelease 0.5.22 43/230543/2 accepted/tizen/unified/20200413.130917 submit/tizen/20200410.113048
Tomasz Swierczek [Fri, 10 Apr 2020 10:43:39 +0000 (12:43 +0200)]
Release 0.5.22

* Make prepare_app more robust with respect to thread termination
* Fix ignoring ENOENT
* CheckProperDrop class unit tests
* Add new core privilege: notification.admin
* Do not ignore EACCES (and other errors) while getting threads info
* Unify path generation
* Add single manifest file for each RPM package

Change-Id: I3ba0fcd56821fa453947e3efa3543d5babcc56a5

4 years agoMake prepare_app more robust with respect to thread termination 80/230380/5
Konrad Lipinski [Thu, 9 Apr 2020 14:19:08 +0000 (16:19 +0200)]
Make prepare_app more robust with respect to thread termination

Since CheckProperDrop now silently ignores ENOENT when reading thread
proc entries, security_manager_sync_threads_internal should strive to do
the same when signalling threads via tgkill. This will not, of course,
eliminate race conditions - the entire thing is inherently racy.

Bonus:
* prepare_app contract prohibits concurrent thread creation/termination
* per HQ request, EACCES readproc log now suggests a possible race
  condition in the caller

Change-Id: Icf5d3e732540c4832d47e3e80f1592dab6f3ce35

4 years agoFix ignoring ENOENT 04/230204/6
Lukasz Pawelczyk [Wed, 8 Apr 2020 10:55:23 +0000 (12:55 +0200)]
Fix ignoring ENOENT

Also better error logging for check-proper-drop

Change-Id: I42bfff586d3a5d14a39ffbe16a8dfddea720d085

4 years agoCheckProperDrop class unit tests 10/228210/16
Lukasz Pawelczyk [Thu, 19 Mar 2020 15:54:04 +0000 (16:54 +0100)]
CheckProperDrop class unit tests

Change-Id: I1c867a319a5c14cf5ba67eb502e85505d00291c5

4 years agoAdd new core privilege: notification.admin 76/229976/1
Yunjin Lee [Tue, 7 Apr 2020 03:59:23 +0000 (12:59 +0900)]
Add new core privilege: notification.admin

- notification.admin: Application with this privilege can manage
notifications. For example, the app can get all notificaitons and
update, delete or hide them.

Change-Id: I4fc3c500f7f84f95dd443ebfde4b953a175112ad
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
4 years agoDo not ignore EACCES (and other errors) while getting threads info 40/226940/4
Lukasz Pawelczyk [Thu, 5 Mar 2020 16:22:29 +0000 (17:22 +0100)]
Do not ignore EACCES (and other errors) while getting threads info

Unfortunately procps-ng library ignores errors while reading thread
info and will silently go to the next thread in case of an error.

Reimplement readtask() with error checking.

Change-Id: Ibfa5ce72eedddec8ea0b2a2330ce679c94a2592f

4 years agoUnify path generation 73/226973/4
Zofia Grzelewska [Thu, 5 Mar 2020 17:47:56 +0000 (18:47 +0100)]
Unify path generation

Change-Id: I9baaf7bf66faa9176919d46b3ddd0b2a54dbcea8

4 years agoAdd single manifest file for each RPM package 34/228134/2
Tomasz Swierczek [Thu, 19 Mar 2020 07:48:18 +0000 (08:48 +0100)]
Add single manifest file for each RPM package

Change-Id: I625369d432a8251a80b456d659f483a074a2326d

4 years agoRelease 1.5.21 82/226282/1 accepted/tizen/unified/20200302.042005 submit/tizen/20200228.133513
Tomasz Swierczek [Fri, 28 Feb 2020 13:31:12 +0000 (14:31 +0100)]
Release 1.5.21

* Indicate tgkill failure in error log with errno
* Fix static analysis issues

Change-Id: Ic2de53c56c8fe1226cfd5ad318503a1264a1baf2

4 years agoIndicate tgkill failure in error log with errno 71/226171/2
Tomasz Swierczek [Thu, 27 Feb 2020 08:38:21 +0000 (09:38 +0100)]
Indicate tgkill failure in error log with errno

Change-Id: Ief80fdf01064dabbed57be2816fcfd792f03542a

4 years agoFix static analysis issues 38/226038/5
Tomasz Swierczek [Wed, 26 Feb 2020 07:57:20 +0000 (08:57 +0100)]
Fix static analysis issues

Change-Id: I202fff30f54d5ebab946f73d4e8fa827b49b3e35

4 years agoRelease 1.5.20 57/224157/1 accepted/tizen/unified/20200207.122346 submit/tizen/20200206.161502
Konrad Lipinski [Thu, 6 Feb 2020 15:55:47 +0000 (16:55 +0100)]
Release 1.5.20

* Fix app_update not setting sharedRO to false in db
* Refactor ServiceThread
* Reintroduce checks for directory existance in sharedRO setup

Change-Id: I2078b91fa5d5518440f5d92d82d3ea0f6389bfde

4 years agoFix app_update not setting sharedRO to false in db 40/224140/3
Konrad Lipinski [Thu, 6 Feb 2020 13:15:17 +0000 (14:15 +0100)]
Fix app_update not setting sharedRO to false in db

Change-Id: I502a00b4946ba3ef3c82c81f665e10c1b50d2e2b

4 years agoRefactor ServiceThread 44/222844/6
Konrad Lipinski [Mon, 20 Jan 2020 16:05:25 +0000 (17:05 +0100)]
Refactor ServiceThread

* avoid runtime member ptr indirection and storage
* retrieve Service via CRTP instead of storing it
* make ServiceThread a concrete class

Change-Id: I871602912ca7eb4ec9c4144fc104949931a60fc4

4 years agoReintroduce checks for directory existance in sharedRO setup 90/223990/3
Tomasz Swierczek [Wed, 5 Feb 2020 09:13:45 +0000 (10:13 +0100)]
Reintroduce checks for directory existance in sharedRO setup

While directories connected with per-app sharedRO should exist
if an application package has been declared to use the feature,
previous behaviour of security-manager allowed these dirs
to be nonexistent while still silently ignoring the misconfiguration
(pre-1.5.18 versions).

On already released product images, some apps, improperly installed
by installer as using sharedRO and NOT having actual folder structure,
could be already running in the wilderness. Update to new
security-manager, while true to original sharedRO-bind-mount design
(dirs SHOULD exist as designed), may introduce runtime errors.

This patch reintroduces existance checks for directories which are
arguments to bind mounts.

Alternative to this patch would be a migration script that would be much more
complicated and should be accompanied with security-manager commandline tool
used to update DB contents OR appfw script that would re-do the directory
structure. Both ways would be much more time-consuming & error prone
than reintroducing these checks, which I'm doing in this patch.

Change-Id: I9f25a85ae87e4189b81621f1ec3863a2d1cc9d2a

4 years agoRelease 1.5.19 19/223719/1 accepted/tizen/5.5/unified/20200326.232322 accepted/tizen/unified/20200204.125818 submit/tizen/20200203.111649 submit/tizen_5.5/20200325.102441
Tomasz Swierczek [Mon, 3 Feb 2020 08:02:35 +0000 (09:02 +0100)]
Release 1.5.19

* Remove nss plugin IPC with security-manager daemon
* Fix Svace defect, remove unreachable statement.
* Refactor macro usage within CheckProperDrop::checkThreads()

Change-Id: I9f36e37e2448791ef761b86a6efd9c64c521217a

4 years agoRemove nss plugin IPC with security-manager daemon 99/222099/14
Tomasz Swierczek [Thu, 9 Jan 2020 13:29:43 +0000 (14:29 +0100)]
Remove nss plugin IPC with security-manager daemon

Communication was needed to ensure the GID list is calculated based on
Cynara's privilege DB, which contains also per-user information of allowed
privileges.

It was agreed among security and platform teams that system daemons
have statically defined list of GIDs/privileges that doesn't change
over time and also, that this list is the same regardless of the user type
(gumd defines various user types).

This patch changes meaning of per-user-type policy files and Cynara's
per-user-type policy buckets. From now on, the Cynara policy for given user
is applicable as-is only for that user's applications. The user-level
& system-level daemons that may run with "User", "System" or "System::Privileged"
Smack labels have no longer their policy consulted with Cynara.
Instead, they are being given all the privilege-mapped GIDs, with exception
of GIDs that can be mapped to:

http://tizen.org/privilege/internal/livecoredump (priv_livecoredump)
http://tizen.org/privilege/internal/sysadmin (currently no GID associated)

These privileges are used by system team to control inter-service
access to certain DBus interfaces and if any GID is associated with them,
that GID should not be granted by nss plugin. Instead, that GID should
be added as supplementary group of particular service that should be granted
corresponding privilege (ie. using systemd service file or by assigning GID
as supplementary to UID under which the service is running).

When systemd SupplementaryGroup option in service files will be used
to declare all  "privileges" for all services, the security-manager nss plugin
will not be needed anymore.

Change-Id: I8da6385cfaf502cfd6117b3805e5986ae3c28b80

4 years agoFix Svace defect, remove unreachable statement. 30/223430/3
Dariusz Michaluk [Wed, 29 Jan 2020 16:47:48 +0000 (17:47 +0100)]
Fix Svace defect, remove unreachable statement.

Change-Id: I0bd14456de4e8b54e1753dfa8be2cf8d0b1b5217

4 years agoRefactor macro usage within CheckProperDrop::checkThreads() 37/220737/2
Konrad Lipinski [Thu, 19 Dec 2019 14:44:33 +0000 (15:44 +0100)]
Refactor macro usage within CheckProperDrop::checkThreads()

Change-Id: Iadef9bacd076a666d8a527e79165b01cf2daf544

4 years agoRelease 1.5.18 37/223137/1 accepted/tizen/5.5/unified/20200312.234628 accepted/tizen/unified/20200129.022634 submit/tizen/20200123.073443 submit/tizen_5.5/20200311.033315 submit/tizen_5.5_tv/20200311.054720
Tomasz Swierczek [Thu, 23 Jan 2020 07:04:14 +0000 (08:04 +0100)]
Release 1.5.18

* prepare_app optimization

Change-Id: Ie25de8f2cd3c345769267b15efe6e02a840a0ed6

4 years agodb: drop redundant IsPackageSharedRO query 13/222513/6
Konrad Lipinski [Thu, 19 Dec 2019 14:44:33 +0000 (15:44 +0100)]
db: drop redundant IsPackageSharedRO query

Change-Id: I90273f0f48290930c275685480627701e83bbc2a

4 years agoprepare_app: refactor supplementary group assignment 12/222512/7
Konrad Lipinski [Thu, 19 Dec 2019 14:44:33 +0000 (15:44 +0100)]
prepare_app: refactor supplementary group assignment

* use a stack array for syscalls
* stream forbiddenGroups = privilegedGroups \ allowedGroups instead of
  privilegedGroups, making IPC thinner

Change-Id: I343af0052fd90f1ed4fd37d41b7b8c7a1a5a7858

4 years agoprepare_app: coalesce all client->mgr IPCs into one 11/222511/6
Konrad Lipinski [Thu, 19 Dec 2019 14:44:33 +0000 (15:44 +0100)]
prepare_app: coalesce all client->mgr IPCs into one

Change-Id: I28398b36b9a14fd4e4d30570f15848a8f29c5ef1

4 years agoMake prepare_app_candidate faster 09/222509/5
Konrad Lipinski [Wed, 15 Jan 2020 17:32:10 +0000 (18:32 +0100)]
Make prepare_app_candidate faster

Change-Id: Ie875ff190aa032cbaa21e7ef9b72da98faf3b8b4

4 years agoprepare_app: optimize setupSharedRO 08/222508/4
Konrad Lipinski [Wed, 15 Jan 2020 17:19:36 +0000 (18:19 +0100)]
prepare_app: optimize setupSharedRO

Change-Id: Ifb52a67a09122847c2241db3c86bf8c15bc69438

4 years agoprepare_app: simplify thread syncing 07/222507/6
Konrad Lipinski [Wed, 15 Jan 2020 15:44:43 +0000 (16:44 +0100)]
prepare_app: simplify thread syncing

Change-Id: If78f4688d71213f06c525462cedb9d259f8d406b

4 years agoprepare_app: return errcode on CheckProperDrop failure 37/222837/3
Konrad Lipinski [Mon, 20 Jan 2020 12:16:09 +0000 (13:16 +0100)]
prepare_app: return errcode on CheckProperDrop failure

Change-Id: I3a8953650c1dcee4d2cbe6b4171cd2bb3e84993e

4 years agoThrow exception on failed config file read 47/222947/3
Konrad Lipinski [Tue, 21 Jan 2020 11:00:47 +0000 (12:00 +0100)]
Throw exception on failed config file read

Change-Id: I8b19bd1863f1df84ef3e10548be644e9632dcb5c

4 years agoDon't copy socket events 92/220592/3
Zofia Grzelewska [Thu, 19 Dec 2019 16:59:51 +0000 (17:59 +0100)]
Don't copy socket events

Change-Id: If103f7800e202bbd6e27b472668ea7feba7dbf38

4 years agoDrop intermediate istringstream in ConfigFile::read() 04/222504/2
Konrad Lipinski [Wed, 15 Jan 2020 14:58:22 +0000 (15:58 +0100)]
Drop intermediate istringstream in ConfigFile::read()

Change-Id: Ib6a2017a39fb20576eccc766e289eaae8de65098

4 years agoDrop useless cap_clear() following cap_init() 06/222506/3
Konrad Lipinski [Wed, 15 Jan 2020 15:28:27 +0000 (16:28 +0100)]
Drop useless cap_clear() following cap_init()

"The initial value of all flags are cleared." (https://linux.die.net/man/3/cap_init)

Change-Id: I6f55acaf0676daca3befe3b37fb249902c59e91e

4 years agoNanoooptimize mount-namespace.cpp 10/222510/2
Konrad Lipinski [Wed, 15 Jan 2020 17:53:30 +0000 (18:53 +0100)]
Nanoooptimize mount-namespace.cpp

Change-Id: I8fce33fce888cff5f5bea416099346b36004ff30

4 years agoRelease 1.5.17 92/222692/1 accepted/tizen/unified/20200117.075031 submit/tizen/20200117.074218
Tomasz Swierczek [Fri, 17 Jan 2020 07:40:47 +0000 (08:40 +0100)]
Release 1.5.17

* Add even more gcc 9 fixes after Wall enabling

Change-Id: Iec7c4a8acd9a605364dbdd217a1e83fc6993d740

4 years agoAdd even more gcc 9 fixes after Wall enabling 94/222494/2
Tomasz Swierczek [Wed, 15 Jan 2020 09:46:03 +0000 (10:46 +0100)]
Add even more gcc 9 fixes after Wall enabling

Needed to disable -Wcast-function-type for service-thread.h file only.
service-thread.h will require some fundamental rework later.

Change-Id: If9d13dfe8e3ae78ac658a140e9582130e98e2b6a

4 years agoRelease 1.5.16 accepted/tizen/unified/20200113.130714 submit/tizen/20200109.083615
Tomasz Swierczek [Thu, 9 Jan 2020 08:35:42 +0000 (09:35 +0100)]
Release 1.5.16

* Fix build for gcc 9
* Revert "Mark colour_log_formatter methods as override"

Change-Id: If053989e9f7aa8c4e9474483a3f0849c7f5fe5e3

4 years agoFix build for gcc 9 03/221903/2
Tomasz Swierczek [Wed, 8 Jan 2020 07:37:40 +0000 (08:37 +0100)]
Fix build for gcc 9

Change-Id: Iba39f4a644d5f676e8f1606bbc283efe97f2dd9c

4 years agoRevert "Mark colour_log_formatter methods as override" 67/220767/1 accepted/tizen/5.5/unified/20200105.221111 submit/tizen_5.5/20200103.003447
Tomasz Swierczek [Mon, 23 Dec 2019 05:58:53 +0000 (06:58 +0100)]
Revert "Mark colour_log_formatter methods as override"

This reverts commit 31bba785d8f2c84207f68e862751ec5fc421c2c5.

With older versions of boost, build-time errors occur with this patch
(marked 'override', but does not override).

Change-Id: I1dff4b41703a2896de60c1dbae82536f83636c04

4 years agoRelease 1.5.15 89/220689/1 accepted/tizen/unified/20191223.060214 submit/tizen/20191220.095458 submit/tizen_5.5/20191220.095710
Dariusz Michaluk [Fri, 20 Dec 2019 08:20:42 +0000 (09:20 +0100)]
Release 1.5.15

* Remove duplicated mount namespace setup
* Skip mount namespace setup specific to privacy privileges
* Enhance few logs around application launching.
* Add http://tizen.org/privilege/internal/livecoredump and disable it for non-applications
* Add user context to fetching tzplatform_config variable
* Mark colour_log_formatter methods as override
* Make colour_log_formatter compatible w/ boost 1.70

Change-Id: Icd275c4b19043a3251336cf26a13dd8492f981c1

4 years agoRemove duplicated mount namespace setup 57/220357/2
Dariusz Michaluk [Tue, 17 Dec 2019 14:37:22 +0000 (15:37 +0100)]
Remove duplicated mount namespace setup

When security_manager_prepare_app() is called twice by multi-process app zygote
mount namespace setup is duplicated.

This solution has race condition, but inter process synchronization
adds more overhead than benefits.

Change-Id: I92b9bead82c8caf3522b483a662e7a837f67a311

4 years agoSkip mount namespace setup specific to privacy privileges 80/220480/2
Dariusz Michaluk [Tue, 17 Dec 2019 17:54:40 +0000 (18:54 +0100)]
Skip mount namespace setup specific to privacy privileges

In case of empty privacy privilege to filesystem path mapping (privilege-mount.list file)
we can skip mount namespace setup specific to privacy privileges.

Change-Id: I7f1f4ef8e5f0614d7b232529f4ff665c2dfeaf5f

4 years agoEnhance few logs around application launching. 42/220442/1
Tomasz Swierczek [Wed, 18 Dec 2019 07:19:32 +0000 (08:19 +0100)]
Enhance few logs around application launching.

It was reported that some checks during our launching could be more verbose
and informative about what is going on. Added few more sentences to clearly
state if application process is improperly setup and why.

Change-Id: I47d6578dceff957cf76aa8ee690420d5a5cc9d7f

4 years agoAdd http://tizen.org/privilege/internal/livecoredump and disable it for non-applications 08/217708/3
Karol Lewandowski [Wed, 13 Nov 2019 10:44:11 +0000 (11:44 +0100)]
Add tizen.org/privilege/internal/livecoredump and disable it for non-applications

This commit adds new privilege for triggering coredump from running (live)
process.  The coredump can contain private information so additional security
measures are needed to disallow all system services from requesting livedump
for any process.

The functionality it's supposed to be used by (verified and approved) set of
processes only.

To implement this the privilege is provided in disabled state - no system service
gets it automatically.  To use it one has to add membership to priv_livecoredump
group (or supplementary group).

Change-Id: I3c6664b3befae0a572ef263b94b39e0cec7fce04

4 years agoAdd user context to fetching tzplatform_config variable 53/219153/2
Zofia Grzelewska [Fri, 29 Nov 2019 17:39:52 +0000 (18:39 +0100)]
Add user context to fetching tzplatform_config variable

Change-Id: I45cbea2d73d5c5fd3079df6f0925a8250eb005c4

4 years agoMark colour_log_formatter methods as override 37/219837/2
Konrad Lipinski [Tue, 10 Dec 2019 14:04:37 +0000 (15:04 +0100)]
Mark colour_log_formatter methods as override

Change-Id: I321149df1a390be56bf9a3ee1bcf83b726a01dc8

4 years agoMake colour_log_formatter compatible w/ boost 1.70 35/219835/2
Konrad Lipinski [Tue, 10 Dec 2019 13:37:08 +0000 (14:37 +0100)]
Make colour_log_formatter compatible w/ boost 1.70

Change-Id: I58a52805d98b3571662cc36aec9b170272012671

4 years agoRelease 1.5.14 accepted/tizen/unified/20191201.221523 submit/tizen/20191128.101053 submit/tizen_5.5/20191204.061724 submit/tizen_5.5/20191205.065343
Tomasz Swierczek [Thu, 28 Nov 2019 10:26:12 +0000 (11:26 +0100)]
Release 1.5.14

* Add SharedRO skel path labelling when labeling any dir as SharedRO
* Add release script
* Label package base paths for SHARED_RO bind mounting
* Label SHARED_RO directory under symlink
* Add new $APP_HOME/.shared/$PKG_NAME dir to legal paths
* Implement SharedRO with mount namespace
* Remove package generated SharedRO rules

Change-Id: Iefa023963d135c29aef636d223a31419ed9115d2

4 years agoAdd SharedRO skel path labelling when labeling any dir as SharedRO 00/218700/3
Tomasz Swierczek [Wed, 27 Nov 2019 05:58:05 +0000 (06:58 +0100)]
Add SharedRO skel path labelling when labeling any dir as SharedRO

security-manager relies on specific path layout for SharedRO mount points.
This patch adds labeling of skel subdirs for given package, if these exist.

Change-Id: Id8e3b0986eff47bc628849fcc6d51fa6176cde54

4 years agoAdd release script 42/218242/1
Zofia Grzelewska [Wed, 20 Nov 2019 13:04:25 +0000 (14:04 +0100)]
Add release script

Change-Id: I199a2333c989bed23a8eee47a5ba9b645363fd2d

4 years agoLabel package base paths for SHARED_RO bind mounting 89/217589/3
Zofia Grzelewska [Tue, 12 Nov 2019 14:27:11 +0000 (15:27 +0100)]
Label package base paths for SHARED_RO bind mounting

Label $APP_HOME/.shared/$PKG_NAME and $APP_HOME/.shared/$PKG_NAME
paths with "User::Home" to allow bind mount in application context.

Change-Id: Ib19de4e87766f5a313f1e5e0542e1da8b30f8a40

4 years agoLabel SHARED_RO directory under symlink 25/217125/3
Zofia Grzelewska [Mon, 4 Nov 2019 16:41:27 +0000 (17:41 +0100)]
Label SHARED_RO directory under symlink

SharedRO directories from previous implementation
are now symlinks pointing to new SharedRO directories.
This commits assures, that all contents under this symlink
are properly labeled.

Change-Id: I672aaf38ffca3ed6608d9c0aaa2ad7253df16349

4 years agoAdd new $APP_HOME/.shared/$PKG_NAME dir to legal paths 37/215937/4
Zofia Grzelewska [Thu, 10 Oct 2019 15:34:34 +0000 (17:34 +0200)]
Add new $APP_HOME/.shared/$PKG_NAME dir to legal paths

Add new SharedRO directory for bind mount implementation
of SharedRO.

Change-Id: Ie8dc40234b2cbdef7cb788e8883ef9508abb59bf

4 years agoImplement SharedRO with mount namespace 38/207538/11
Dariusz Michaluk [Wed, 29 May 2019 14:35:21 +0000 (16:35 +0200)]
Implement SharedRO with mount namespace

Perform three bind mounts to implement SharedRO
policy.

Change-Id: Ib30cf1537bdb1357ef53b77ead52a00b469566d1

4 years agoRemove package generated SharedRO rules 36/207536/10
Dariusz Michaluk [Wed, 29 May 2019 11:18:40 +0000 (13:18 +0200)]
Remove package generated SharedRO rules

Remove SharedRO rules and labels generated from
package name and replace them with "User::App::Shared".

Change-Id: I8d164be27e1d91dbf8787906a4aa083a63b4a1b7

5 years agoRelease 1.5.13 accepted/tizen/unified/20191113.123435 submit/tizen/20191113.053610
Tomasz Swierczek [Wed, 13 Nov 2019 05:34:45 +0000 (06:34 +0100)]
Release 1.5.13

* Add fsync after DB recovery.

Change-Id: I0dab12f010f35af2c32ec949a83a06202ded5ad8

5 years agoAdd fsync after DB recovery. 74/217074/2
jin-gyu.kim [Wed, 6 Nov 2019 05:42:21 +0000 (14:42 +0900)]
Add fsync after DB recovery.

To ensure the safety of the file, add fsync in security-manager-rules-loader.

Change-Id: I7de479c92f090d20d4f32d1147e803111eab85cd

5 years agoRelease 1.5.12 90/215590/2 accepted/tizen_5.5_unified_mobile_hotfix tizen_5.5_mobile_hotfix accepted/tizen/5.5/unified/20191031.022318 accepted/tizen/5.5/unified/mobile/hotfix/20201027.090144 accepted/tizen/unified/20191017.011721 accepted/tizen/unified/20191017.114033 submit/tizen/20191015.050025 submit/tizen/20191015.081321 submit/tizen_5.5/20191031.000004 submit/tizen_5.5_mobile_hotfix/20201026.185104 tizen_5.5.m2_release
Yunjin Lee [Fri, 11 Oct 2019 07:31:17 +0000 (16:31 +0900)]
Release 1.5.12

* Add core privileges: securesysteminfo and voicecontrol.tts

Change-Id: Ib0c157382df418323a0a2c2ff4d5263baa68d5a3
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
5 years agoAdd core privileges: securesysteminfo and voicecontrol.tts 87/215587/2
Yunjin Lee [Fri, 11 Oct 2019 05:51:52 +0000 (14:51 +0900)]
Add core privileges: securesysteminfo and voicecontrol.tts

- securesysteminfo: This privilege allows app to read non-resettable
secure deivce information such as IMEI.

- voicecontrol.tts: This privilege allows app to request voice control
engine to synthesize text to speech using its own voice.

Change-Id: I8eb1c6bb38efe07cf4d8b3262e81b4279a6b2ea9
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
5 years agoAdd core privileges: securesysteminfo and voicecontrol.tts
Yunjin Lee [Fri, 11 Oct 2019 05:51:52 +0000 (14:51 +0900)]
Add core privileges: securesysteminfo and voicecontrol.tts

- securesysteminfo: This privilege allows app to read non-resettable
secure deivce information such as IMEI.

- voicecontrol.tts: This privilege allows app to request voice control
engine to systhesize text to speech using its own voice.

Change-Id: I8eb1c6bb38efe07cf4d8b3262e81b4279a6b2ea9
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
5 years agoRelease 1.5.11 85/215485/1 accepted/tizen/unified/20191011.015409 submit/tizen/20191009.143649
Krzysztof Jackiewicz [Wed, 9 Oct 2019 08:55:09 +0000 (10:55 +0200)]
Release 1.5.11

* Do not fail NS worker action if mount point doesn't exist
* Refactor service_impl.cpp

Change-Id: If8a0fd4ef2c4669da6087fcafc136ee19a74cd50

5 years agoDo not fail NS worker action if mount point doesn't exist 00/215100/2
Tomasz Swierczek [Tue, 1 Oct 2019 11:05:53 +0000 (13:05 +0200)]
Do not fail NS worker action if mount point doesn't exist

This mimics actions taken at app launch, where privileges
defined for nonexisting mount points are not causing
the launch to be failed.

Change-Id: I4e8f14452d379ee86efc31412aa940a4aa67b463

5 years agoRefactor service_impl.cpp 96/214496/2
Tomasz Swierczek [Mon, 23 Sep 2019 08:30:48 +0000 (10:30 +0200)]
Refactor service_impl.cpp

Moved static functions to separate file in SecurityManager namespace.
This should improve module's SAM score.

Change-Id: I33eb34068072d1c52f3331ea8b8ca667657fef21

5 years agoRelease 1.5.10 24/213224/1 accepted/tizen/unified/20190904.011515 submit/tizen/20190903.051704
Tomasz Swierczek [Tue, 3 Sep 2019 04:43:03 +0000 (06:43 +0200)]
Release 1.5.10

* Disable http://tizen.org/privilege/internal/sysadmin for non-applications

Change-Id: I274bdbac2b70a970f11d8f20c3aa2b0b70bb8ac9

5 years agoDisable http://tizen.org/privilege/internal/sysadmin for non-applications 42/212942/2
Tomasz Swierczek [Wed, 28 Aug 2019 09:14:15 +0000 (11:14 +0200)]
Disable tizen.org/privilege/internal/sysadmin for non-applications

By default, system (&user-session) services were granted access to all privileges.
As we work towards fine-grained access control for system services, we need
to disable granting all privileges for services.

This 1st experimental step disables the sysadmin privilege, to be used
to control access to activationd daemon.

For internal applications, sysadmin privilege will be used in manifests, so
Cynara will be able to find exact match for applications' Smack label
in its manifest bucket; for policy evaluation to return success in such case,
all is needed is addition of this new privilege to user-types whitelists
(*.profile files).

For system services, access control to activationd will be limited
to list of user-IDs listed in DBus policy, hence the privilege can't
be automatically enabled for processes with labels User, System & System::Privileged.

For user-session services, this privilege will not be used at the moment.

The (possible) target solution for providing per-service access control
can be based on supplementary groups defined in systemd service files
(or applied as a conequence of cynara policy by security-manager nss plugin).

However, using supplementary groups with DBus policy is not possible at the moment
as both: kernel and DBus will have to be patched to use SO_PEERGROUPS (1)

(1) : https://www.spinics.net/lists/netdev/msg441568.html

Change-Id: Ie41a60d67d39c49b1ed6a49e0c17b9e5d2dabd86