From 7000b9bda8dcaa5f36ce9e3b7b213def50d5a744 Mon Sep 17 00:00:00 2001
From: "r.tyminski"
Date: Fri, 6 Oct 2017 17:08:44 +0200
Subject: [PATCH] Verify privileges only ones.

We verify privileges in tee-supplicant when it loads TA. OpTEE OS loads TA twice. We need to verify privileges only at the first time.

Change-Id: I0f90b34e648d3b12a62a293d275feaab65e0bc06
---
 tee-supplicant/src/tee_supplicant.c | 20 ++++++++++++++++++--
 tee-supplicant/src/unix_socket.c | 29 ++++++++++++++++++++++++-----
 tee-supplicant/src/unix_socket.h | 6 ++++++
 3 files changed, 48 insertions(+), 7 deletions(-)

diff --git a/tee-supplicant/src/tee_supplicant.c b/tee-supplicant/src/tee_supplicant.c
index dc710df..f98de5a 100644
--- a/tee-supplicant/src/tee_supplicant.c
+++ b/tee-supplicant/src/tee_supplicant.c
@@ -269,8 +269,20 @@ static TEEC_Result allow_access(char* uuid, char** ta_dir)
 {
 int ca_fd = -1;
 const char* permission = "http://tizen.org/privilege/tee.client";
+ struct stat sb;
- ca_fd = open_socket_for_ca(uuid, &open_sock_list);
+ char path[MAX_PATH_LENGTH] = {0};
+ sprintf(path, SOCK_PATH_PREFIX"%s", uuid);
+
+ if ((stat(path, &sb) == 0) && S_ISSOCK(sb.st_mode)) {
+ DMSG("We verified this connection already.");
+ if (get_allowed_path(path, ta_dir, &open_sock_list) < 0) {
+ EMSG("Socket existes but hasn't allowed path.");
+ return TEEC_ERROR_GENERIC;
+ }
+ return TEEC_SUCCESS;
+ }
+ ca_fd = open_socket_for_ca(path, &open_sock_list);
 if (ca_fd < 0) {
 EMSG("Open socket error");
 return TEEC_ERROR_GENERIC;
@@ -291,6 +303,10 @@ static TEEC_Result allow_access(char* uuid, char** ta_dir)
 return TEEC_ERROR_ITEM_NOT_FOUND;
 }
+ if (set_allowed_path(path, *ta_dir, &open_sock_list) < 0) {
+ EMSG("Setting allowed path has failed.");
+ return TEEC_ERROR_GENERIC;
+ }
 return TEEC_SUCCESS;
 }
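Review bot: The early-return branch added to allow_access skips the privilege check for every request whose socket file exists and has a list entry, so the cached decision is keyed on the TA uuid alone and not on the client that was actually verified. Nothing visible in the hunk limits the shortcut to the second load of the same session, so a later request for that uuid appears to inherit the first client's result for as long as the entry lives; a one-shot flag on the entry, cleared when the shortcut is taken, would confine it to the double load described in the commit message. The path is also built with an unbounded `sprintf` into `path[MAX_PATH_LENGTH]`; `if (snprintf(path, sizeof path, SOCK_PATH_PREFIX"%s", uuid) >= (int)sizeof path) return TEEC_ERROR_GENERIC;` rejects an over-long uuid instead of overrunning the buffer. The middle of allow_access lies between this hunk and the next one and is not shown.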
@@ -334,7 +350,7 @@ static uint32_t load_ta(size_t num_params, struct tee_ioctl_param *params)
 size = shm_ta.size;
 ta_found = TEECI_LoadSecureModule(ta_dir, &uuid, shm_ta.buffer, &size);
- free(ta_dir);
+ //free(ta_dir);
 if (ta_found != TA_BINARY_FOUND) {
 EMSG(" TA not found");
 return TEEC_ERROR_ITEM_NOT_FOUND;
diff --git a/tee-supplicant/src/unix_socket.c b/tee-supplicant/src/unix_socket.c
index 7bfc2d4..c49b43a 100644
--- a/tee-supplicant/src/unix_socket.c
+++ b/tee-supplicant/src/unix_socket.c
@@ -34,18 +34,37 @@
 #include
 #define WAIT_SEC 10
-#define SOCK_PATH_PREFIX "/tmp/"
-int open_socket_for_ca(const char *ca_id, struct sock_data* open_sockets[])
+
+int get_allowed_path(const char *path, char **allowed_path, struct sock_data* open_sockets[])
+{
+ for (int i = 0; i < MAX_TA_NUMBER; ++i) {
+ if (open_sockets[i] && strcmp(path, open_sockets[i]->addr) == 0) {
+ *allowed_path = open_sockets[i]->allowed_path;
+ return 0;
+ }
+ }
+ return -1;
+}
+
+int set_allowed_path(const char *path, const char *allowed_path, struct sock_data* open_sockets[])
+{
+ for (int i = 0; i < MAX_TA_NUMBER; ++i) {
+ if (open_sockets[i] && strcmp(path, open_sockets[i]->addr) == 0) {
+ asprintf(&(open_sockets[i]->allowed_path), "%s", allowed_path);
+ return 0;
+ }
+ }
+ return -1;
+}
+
+int open_socket_for_ca(const char *path, struct sock_data* open_sockets[])
 {
 int sockfd = -1;
 int newsockfd = -1;
 int portno = 0;
 int free_index = -1;
- char path[MAX_PATH_LENGTH] = {0};
- sprintf(path, SOCK_PATH_PREFIX"%s", ca_id);
-
 if (access(path, F_OK) == -1) {
 DMSG("Socket file doesn't exist. Creating");
 close_socket_by_addr(path, open_sockets);
diff --git a/tee-supplicant/src/unix_socket.h b/tee-supplicant/src/unix_socket.h
index fcd70de..9137e68 100644
--- a/tee-supplicant/src/unix_socket.h
+++ b/tee-supplicant/src/unix_socket.h
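Review bot: Disabling `free(ta_dir)` in load_ta avoids freeing the cached `allowed_path` pointer that get_allowed_path now hands back, but it also leaks the string on the first load, where ta_dir appears to be a fresh allocation from the privilege-check path. Ownership would be unambiguous if the cached lookup returned a copy, `*allowed_path = strdup(open_sockets[i]->allowed_path);` with a NULL check in get_allowed_path, so that this line can stay `free(ta_dir);`. If the call is to remain disabled, delete the line rather than keep commented-out code and add `/* ta_dir may alias sock_data.allowed_path, which the socket list owns */`. load_ta begins and ends outside the hunk.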
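Review bot: set_allowed_path ignores the result of `asprintf`, so on allocation failure it still returns 0 and leaves `allowed_path` undefined, and get_allowed_path returns 0 for a matching entry even when `allowed_path` was never set. Because allow_access treats a 0 from get_allowed_path as an already verified connection, an entry registered by open_socket_for_ca that never passed the privilege check would be accepted if it is still in the list; whether a failed check removes the entry is not visible here. Suggested changes: `if (asprintf(&open_sockets[i]->allowed_path, "%s", allowed_path) < 0) { open_sockets[i]->allowed_path = NULL; return -1; }` and, in get_allowed_path before the assignment, `if (!open_sockets[i]->allowed_path) return -1;`, which assumes the field is set to NULL when the entry is created. A second set_allowed_path call on the same entry also overwrites the previous string without freeing it.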
@@ -37,13 +37,19 @@
 #define MAX_PATH_LENGTH 100
 #define N_CONNECTIONS 5
 #define MAX_TA_NUMBER 10
+#define SOCK_PATH_PREFIX "/tmp/"
 struct sock_data {
 int fd, parent_fd;
 char* addr;
+ char* allowed_path;
 };
+int get_allowed_path(const char *path, char **allowed_path, struct sock_data* open_sockets[]);
+
+int set_allowed_path(const char *path, const char *allowed_path, struct sock_data* open_sockets[]);
+
 /* Open socket on adress /tmp/ca_id and add it to the list of open sockets
 * Returns file descriptor of opened socket
 * struct sock_data* conn_list[] - list of open sockets which add new socket to*/
--
2.34.1
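Review bot: The two new prototypes carry no comment, unlike open_socket_for_ca just below them, and who owns the returned string is exactly what a caller has to know. Suggested text for get_allowed_path: `/* Finds the entry whose addr equals path and stores its allowed_path in *allowed_path; the pointer stays owned by the list entry and must not be freed. Returns 0 on match, -1 otherwise. */`, and for set_allowed_path: `/* Stores a heap copy of allowed_path in the entry whose addr equals path. Returns 0 on match, -1 otherwise. */`. The existing comment still gives the address as `/tmp/ca_id` although unix_socket.c now takes a full path, so it should change together with the prototype, which lies outside this hunk. `SOCK_PATH_PREFIX` also keeps the sockets in world-writable `/tmp/`, and since allow_access now uses the presence of that file in its shortcut, a directory writable only by the supplicant would be the safer default.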