From 2f361b618332ef8bac97f7f1e7a9c68851861a34 Mon Sep 17 00:00:00 2001 From: Zofia Abramowska Date: Mon, 4 Feb 2013 16:13:57 +0100 Subject: [PATCH] Changes for label settings on directories API [Issue#] SSDWSSP-70 [Feature] New API for setting label on application directory and application shared directory [Cause] N/A [Solution] N/A [Verification] Successful build Change-Id: I9b0d739ee2a4fa636a226f1ef81cd29d06cd6502 --- include/privilege-control.h | 18 +++--- src/privilege-control.c | 138 ++++++++++++++++++++++++++++++++++++-------- 2 files changed, 123 insertions(+), 33 deletions(-) diff --git a/include/privilege-control.h b/include/privilege-control.h index 80c842f..9e28e64 100644 --- a/include/privilege-control.h +++ b/include/privilege-control.h @@ -161,30 +161,32 @@ int app_add_permissions(const char* app_id, const char** perm_list); int app_revoke_permissions(const char* app_id); /** - * Recursively set SMACK labels for an application directory. + * Recursively set SMACK access labels for an application directory + * and execute labels for executable files. * This function should be called once during app installation. * Results will be persistent on the file system. * It must be called by privileged user. * - * @param label label name + * @param app_label label name * @param path directory path * @return PC_OPERATION_SUCCESS on success, PC_ERR_* on error */ -int app_label_dir(const char* label, const char* path); +int app_label_dir(const char* app_label, const char* path); /** - * Recursively set transmute for an application directory. + * Recursively set SMACK access and transmute labels for an application + * directory and adds SMACK rule for application. * This function should be called once during app installation. * Results will be persistent on the file system. * It must be called by privileged user. * - * @param on settings for transmute - * if equal to "" or "0", transmute will be turned off - * if equal to "1", transmute will be turned on + * @param app_label label name, used as subject for SMACK rule + * @param shared_label, used as object for SMACK rule * @param path directory path * @return PC_OPERATION_SUCCESS on success, PC_ERR_* on error */ -int app_transmute_dir(const char* on, const char* path); +int app_label_shared_dir(const char* app_label, const char* shared_label, + const char* path); #ifdef __cplusplus } diff --git a/src/privilege-control.c b/src/privilege-control.c index 956ceef..ccae127 100644 --- a/src/privilege-control.c +++ b/src/privilege-control.c @@ -870,53 +870,91 @@ API char* wrt_widget_id_from_socket(int sockfd) return widget_id; } -API int app_add_permissions(const char* app_id, const char** perm_list) + +static int load_smack_from_file(const char* app_id, struct smack_accesses** smack, int *fd) { C_LOGD("Enter function: %s", __func__); + char* path = NULL; - int i, ret; - int fd = -1; - struct smack_accesses *smack = NULL; + int ret; -#ifdef SMACK_ENABLED if (asprintf(&path, SMACK_RULES_DIR "/%s", app_id) == -1) { ret = PC_ERR_MEM_OPERATION; C_LOGE("asprintf failed"); goto out; } - if (smack_accesses_new(&smack)) { + if (smack_accesses_new(smack)) { ret = PC_ERR_MEM_OPERATION; C_LOGE("smack_accesses_new failed"); goto out; } - fd = open(path, O_CREAT|O_RDWR, 0644); - if (fd == -1) { + *fd = open(path, O_CREAT|O_RDWR, 0644); + if (*fd == -1) { ret = PC_ERR_FILE_OPERATION; C_LOGE("file open failed"); goto out; } - if (flock(fd, LOCK_EX)) { + if (flock(*fd, LOCK_EX)) { ret = PC_ERR_INVALID_OPERATION; C_LOGE("flock failed"); goto out; } - if (smack_accesses_add_from_file(smack, fd)) { + if (smack_accesses_add_from_file(*smack, *fd)) { ret = PC_ERR_INVALID_OPERATION; C_LOGE("smack_accesses_add_from_file failed"); goto out; } /* Rewind the file */ - if (lseek(fd, 0, SEEK_SET) == -1) { + if (lseek(*fd, 0, SEEK_SET) == -1) { ret = PC_ERR_FILE_OPERATION; C_LOGE("lseek failed"); goto out; } + ret = PC_OPERATION_SUCCESS; + +out: + free(path); + + return ret; +} + +static int save_smack_to_file(struct smack_accesses *smack, int fd) +{ + if (smack_accesses_apply(smack)) { + C_LOGE("smack_accesses_apply failed"); + return PC_ERR_INVALID_OPERATION; + } + + if (smack_accesses_save(smack, fd)) { + C_LOGE("smack_accesses_save failed"); + return PC_ERR_INVALID_OPERATION; + } + + return PC_OPERATION_SUCCESS; +} + + +API int app_add_permissions(const char* app_id, const char** perm_list) +{ + C_LOGD("Enter function: %s", __func__); + char* path = NULL; + int i, ret; + int fd = -1; + struct smack_accesses *smack = NULL; + +#ifdef SMACK_ENABLED + + ret = load_smack_from_file(app_id, &smack, &fd); + if (ret != PC_OPERATION_SUCCESS) { + C_LOGE("load_smack_from_file failed"); + goto out; + } for (i = 0; perm_list[i] != NULL; ++i) { ret = perm_to_smack(smack, app_id, perm_list[i]); C_LOGD("perm_to_smack params: app_id: %s, perm_list[%d]: %s", app_id, i, perm_list[i]); @@ -926,15 +964,9 @@ API int app_add_permissions(const char* app_id, const char** perm_list) } } - if (smack_accesses_apply(smack)) { - ret = PC_ERR_INVALID_OPERATION; - C_LOGE("smack_accesses_apply failed"); - goto out; - } - - if (smack_accesses_save(smack, fd)) { - ret = PC_ERR_FILE_OPERATION; - C_LOGE("smack_accesses_save failed"); + ret = save_smack_to_file(smack, fd); + if(ret != PC_OPERATION_SUCCESS){ + C_LOGE("save_smack_to_file failed"); goto out; } #endif @@ -1025,18 +1057,74 @@ API int app_label_dir(const char* label, const char* path) { C_LOGD("Enter function: %s", __func__); #ifdef SMACK_ENABLED - return dir_set_smack_r(path, label, SMACK_LABEL_ACCESS, ~0); + + int ret = PC_OPERATION_SUCCESS; + + //setting label on everything in given directory and below + ret = dir_set_smack_r(path, label, SMACK_LABEL_ACCESS, ~0); + if (PC_OPERATION_SUCCESS != ret) + return ret; + + //setting execute label for executable files + ret = dir_set_smack_r(path, label, SMACK_LABEL_EXEC, S_IFREG | S_IXUSR); + + return ret; #else return PC_OPERATION_SUCCESS; #endif } -API int app_transmute_dir(const char* on, const char* path) +API int app_label_shared_dir(const char* app_label, const char* shared_label, const char* path) { - C_LOGD("Enter function: %s", __func__); + C_LOGD("Enter function: %s", __func__); #ifdef SMACK_ENABLED - return dir_set_smack_r(path, on, SMACK_LABEL_TRANSMUTE, S_IFDIR); + int ret; + int fd = -1; + struct smack_accesses *smack = NULL; + + + //setting label on everything in given directory and below + ret = dir_set_smack_r(path, shared_label, SMACK_LABEL_ACCESS, ~0); + if(ret != PC_OPERATION_SUCCESS){ + C_LOGE("dir_set_smakc_r failed"); + goto out; + } + + //setting transmute on dir + ret = dir_set_smack_r(path, "1", SMACK_LABEL_TRANSMUTE, S_IFDIR); + if (ret != PC_OPERATION_SUCCESS) { + C_LOGE("dir_set_smakc_r failed"); + goto out; + } + + ret = load_smack_from_file(app_label, &smack, &fd); + if (ret != PC_OPERATION_SUCCESS) { + C_LOGE("load_smack_from_file failed"); + goto out; + } + + //setting access rule for application + if (smack_accesses_add(smack, app_label,shared_label, "wrxat") == -1) { + C_LOGE("smack_accesses_add failed"); + goto out; + } + + ret = save_smack_to_file(smack, fd); + if (ret != PC_OPERATION_SUCCESS) { + C_LOGE("save_smack_to_file failed"); + goto out; + } + + ret = PC_OPERATION_SUCCESS; +out: + if (fd != -1) + close(fd); + if (smack != NULL) + smack_accesses_free(smack); + return ret; #else - return PC_OPERATION_SUCCESS; + return PC_OPERATION_SUCCESS; #endif } + + -- 2.7.4