From 75359d639feaa14c75c55048204fc329fa4f59bc Mon Sep 17 00:00:00 2001 From: "sangwan.kwon" Date: Tue, 23 May 2017 14:51:29 +0900 Subject: [PATCH] [API Changed] Refine launch API [AS-IS] - Installer should save data(1):"whether app uses sysCerts or not". - Launcher should be able to get data(1). [TO-BE] - Installer does not need to save data(1). - Launcher does not need to get data(1). Change-Id: I7f622b90d5f38dd9e52633a563f9ebcfc0dea001 Signed-off-by: sangwan.kwon --- CMakeLists.txt | 1 + api/tanchor/trust-anchor.h | 8 +-- api/tanchor/trust-anchor.hxx | 2 +- examples/launcher.c | 5 +- packaging/trust-anchor.spec | 6 +- src/CMakeLists.txt | 6 +- src/api.cpp | 10 ++-- src/trust-anchor.cpp | 113 ++++++++++++++++++++++------------- tests/test-capi-launcher.cpp | 2 +- tests/test-curl.cpp | 4 +- tests/test-launcher.cpp | 4 +- 11 files changed, 94 insertions(+), 67 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index a496720..8f03b61 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -37,6 +37,7 @@ ADD_DEFINITIONS("-DTANCHOR_USR_DIR=\"${TANCHOR_USR}\"") ADD_DEFINITIONS("-DTANCHOR_GLOBAL_DIR=\"${TANCHOR_GLOBAL}\"") ADD_DEFINITIONS("-DTANCHOR_TEST_DIR=\"${TANCHOR_TEST}\"") ADD_DEFINITIONS("-DTANCHOR_BUNDLE=\"${TANCHOR_BUNDLE}\"") +ADD_DEFINITIONS("-DTANCHOR_SYSCA=\"${TANCHOR_SYSCA}\"") ADD_DEFINITIONS("-DTZ_SYS_CA_CERTS=\"${TZ_SYS_CA_CERTS}\"") ADD_DEFINITIONS("-DTZ_SYS_CA_BUNDLE=\"${TZ_SYS_CA_BUNDLE}\"") diff --git a/api/tanchor/trust-anchor.h b/api/tanchor/trust-anchor.h index c32b90a..3b1f78d 100644 --- a/api/tanchor/trust-anchor.h +++ b/api/tanchor/trust-anchor.h 
@@ -88,7 +88,6 @@ int trust_anchor_usr_install(const char *package_id, * @details After lauching trust anchor, app can use custom certificates. * @param[in] package_id Package id * @param[in] app_certificates_path App custom certificates path - * @param[in] with_system_certificates Whether system certificates use or not * @return #TRUST_ANCHOR_ERROR_NONE on success, * negative on error * @retval #TRUST_ANCHOR_ERROR_NONE Successful @@ -100,8 +99,7 @@ int trust_anchor_usr_install(const char *package_id, * @see trust_anchor_global_install() */ int trust_anchor_global_launch(const char *package_id, - const char *app_certificates_path, - bool with_system_certificates); + const char *app_certificates_path); /** @@ -110,7 +108,6 @@ int trust_anchor_global_launch(const char *package_id, * @param[in] package_id Package id * @param[in] app_certificates_path App custom certificates path * @param[in] uid user id - * @param[in] with_system_certificates Whether system certificates use or not * @return #TRUST_ANCHOR_ERROR_NONE on success, * negative on error * @retval #TRUST_ANCHOR_ERROR_NONE Successful @@ -123,8 +120,7 @@ int trust_anchor_global_launch(const char *package_id, */ int trust_anchor_usr_launch(const char *package_id, const char *app_certificates_path, - uid_t uid, - bool with_system_certificates); + uid_t uid); /** diff --git a/api/tanchor/trust-anchor.hxx b/api/tanchor/trust-anchor.hxx index ef6e910..f3596ad 100644 --- a/api/tanchor/trust-anchor.hxx +++ b/api/tanchor/trust-anchor.hxx @@ -50,7 +50,7 @@ public: int install(bool withSystemCerts) noexcept; int uninstall(void) noexcept; - int launch(bool withSystemCerts) noexcept; + int launch(void) noexcept; private: class Impl; diff --git a/examples/launcher.c b/examples/launcher.c index 21df3ac..947180c 100644 --- a/examples/launcher.c +++ b/examples/launcher.c 
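Review bot: With the with_system_certificates parameter removed, the @details of trust_anchor_global_launch() and trust_anchor_usr_launch() no longer tell the caller where the system-certificate decision now comes from, which is the one thing a launcher upgrading from the old signature needs to know. The commit description says it is fixed at install time, so the doc block should say so, e.g. `* @details After launching trust anchor, app can use custom certificates.` followed by `*          Whether system certificates are also visible is decided by the with_system_certificates flag passed to the matching install call.` (this also fixes the "lauching" typo). The same wording belongs on the usr variant a few lines below; the @see lines alone do not convey that the flag moved.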
@@ -37,11 +37,8 @@ int main() * * [pre-condition] * 1. Launcher should have CAP_SYS_ADMIN. - * 2. Get with_sys_certs information.(It should be saved when app installed.) */ - bool with_sys = false; - - int ret = trust_anchor_global_launch("pkgid", "/app_certs_path", with_sys); + int ret = trust_anchor_global_launch("pkgid", "/app_certs_path"); if (ret != TRUST_ANCHOR_ERROR_NONE) { printf("Failed to launch operation"); return -1; diff --git a/packaging/trust-anchor.spec b/packaging/trust-anchor.spec index 3bd67f7..cea4289 100644 --- a/packaging/trust-anchor.spec +++ b/packaging/trust-anchor.spec @@ -25,6 +25,7 @@ Requires(postun): /sbin/ldconfig %global tanchor_usr %{tanchor_base}/usr %global tanchor_global %{tanchor_base}/global %global tanchor_bundle %{tanchor_base}/ca-bundle.pem +%global tanchor_sysca %{tanchor_base}/.sysca %global tanchor_test %{tanchor_base}/test %global tanchor_example %{tanchor_base}/example @@ -37,10 +38,11 @@ SSL root certificates for its HTTPS communication. %license LICENSE %{_libdir}/lib%{lib_name}.so.0 %{_libdir}/lib%{lib_name}.so.%{version} -%dir %attr(770, %{user_name}, %{group_name}) %{tanchor_base} +%dir %attr(-, %{user_name}, %{group_name}) %{tanchor_base} %dir %attr(-, %{user_name}, %{group_name}) %{tanchor_usr} %dir %attr(-, %{user_name}, %{group_name}) %{tanchor_global} %attr(-, %{user_name}, %{group_name}) %{tanchor_bundle} +%attr(444 %{user_name}, %{group_name}) %{tanchor_sysca} %prep %setup -q @@ -63,6 +65,7 @@ SSL root certificates for its HTTPS communication. -DTANCHOR_USR=%{tanchor_usr} \ -DTANCHOR_GLOBAL=%{tanchor_global} \ -DTANCHOR_BUNDLE=%{tanchor_bundle} \ + -DTANCHOR_SYSCA=%{tanchor_sysca} \ -DTANCHOR_TEST=%{tanchor_test} \ -DTANCHOR_EXAMPLE=%{tanchor_example} \ -DTZ_SYS_CA_CERTS=%{TZ_SYS_CA_CERTS} \ @@ -79,6 +82,7 @@ mkdir -p %{buildroot}%{tanchor_usr} mkdir -p %{buildroot}%{tanchor_global} touch %{buildroot}%{tanchor_bundle} +touch %{buildroot}%{tanchor_sysca} %post -p /sbin/ldconfig 
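Review bot: The new %files entry `%attr(444 %{user_name}, %{group_name}) %{tanchor_sysca}` is missing the comma after the mode, so rpmbuild will either reject the spec or misparse the owner field; it should read `%attr(444, %{user_name}, %{group_name}) %{tanchor_sysca}`. In the same hunk the base directory line goes from `%dir %attr(770, ...)` to `%attr(-, ...)`, which inherits whatever mode the `mkdir -p` in %install produced under the build umask — presumably wider than 770, though the page does not show the umask. That directory is where makeCustomCerts() copies the per-package .sysca marker that later steers the CAP_SYS_ADMIN launcher, so its mode should be stated explicitly in the spec (and kept closed to anything but the installer identity) rather than left to the buildroot.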
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 849d68c..2de205d 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -34,12 +34,10 @@ ADD_LIBRARY(${TARGET_TANCHOR_LIB} SHARED ${${TARGET_TANCHOR_LIB}_SRCS}) SET_TARGET_PROPERTIES(${TARGET_TANCHOR_LIB} PROPERTIES COMPILE_FLAGS "-D_GNU_SOURCE -fPIC -fvisibility=hidden" SOVERSION ${API_VERSION} - VERSION ${LIB_VERSION} -) + VERSION ${LIB_VERSION}) TARGET_LINK_LIBRARIES(${TARGET_TANCHOR_LIB} - ${${TARGET_TANCHOR_LIB}_DEP_LIBRARIES} -) + ${${TARGET_TANCHOR_LIB}_DEP_LIBRARIES}) INSTALL(TARGETS ${TARGET_TANCHOR_LIB} DESTINATION ${LIB_INSTALL_DIR}) diff --git a/src/api.cpp b/src/api.cpp index 45abae7..885cbf0 100644 --- a/src/api.cpp +++ b/src/api.cpp @@ -47,21 +47,19 @@ int trust_anchor_usr_install(const char *package_id, TANCHOR_API int trust_anchor_global_launch(const char *package_id, - const char *app_certificates_path, - bool with_system_certificates) + const char *app_certificates_path) { TrustAnchor ta(package_id, app_certificates_path); - return ta.launch(with_system_certificates); + return ta.launch(); } TANCHOR_API int trust_anchor_usr_launch(const char *package_id, const char *app_certificates_path, - uid_t uid, - bool with_system_certificates) + uid_t uid) { TrustAnchor ta(package_id, app_certificates_path, uid); - return ta.launch(with_system_certificates); + return ta.launch(); } TANCHOR_API diff --git a/src/trust-anchor.cpp b/src/trust-anchor.cpp index 52166cc..ad09c68 100644 --- a/src/trust-anchor.cpp +++ b/src/trust-anchor.cpp @@ -46,6 +46,7 @@ namespace { const std::string BASE_USR_PATH(TANCHOR_USR_DIR); const std::string BASE_GLOBAL_PATH(TANCHOR_GLOBAL_DIR); const std::string TANCHOR_BUNDLE_PATH(TANCHOR_BUNDLE); +const std::string TANCHOR_SYSCA_PATH(TANCHOR_SYSCA); const std::string SYS_CERTS_PATH(TZ_SYS_CA_CERTS); const std::string SYS_BUNDLE_PATH(TZ_SYS_CA_BUNDLE); const std::string MOUNT_POINT_CERTS(TZ_SYS_CA_CERTS); 
@@ -65,15 +66,17 @@ public: int install(bool withSystemCerts) noexcept; int uninstall(bool isRollback = false) noexcept; - int launch(bool withSystemCerts); + int launch(void); private: void preInstall(void) const; + void preLaunch(void); void linkTo(const std::string &src, const std::string &dst) const; + void makeCustomCerts(bool withSystemCerts); void makeCustomBundle(bool withSystemCerts); std::string readLink(const std::string &path) const; std::string getUniqueHashName(const std::string &hashName) const; - std::string getBundleName(void) const; + std::string getFileName(const std::string &path) const; bool isSystemCertsModified(void) const; void checkFileValidity(const runtime::File &file) const; @@ -117,7 +120,7 @@ TrustAnchor::Impl::Impl(const std::string &packageId, std::string TrustAnchor::Impl::readLink(const std::string &path) const { std::vector buf(PATH_MAX); - ssize_t count = readlink(path.c_str(), buf.data(), buf.size()); + ssize_t count = ::readlink(path.c_str(), buf.data(), buf.size()); return std::string(buf.data(), (count > 0) ? count : 0); } 
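Review bot: readLink() still turns a failed ::readlink() (count < 0) into an empty string, and makeCustomCerts() in this patch feeds that result directly into linkTo() as the link source, so an unreadable entry under TZ_SYS_CA_CERTS would yield a link to "" rather than an error. Since the line is being touched anyway for the `::` qualifier, add `if (count < 0) ThrowErrno(errno, path);` before the return, matching the ThrowErrno style isSystemCertsModified() already uses. Separately, `std::vector buf(PATH_MAX);` appears to have lost its element type in this rendering (presumably `std::vector<char>`); worth confirming against the source file.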
@@ -160,31 +163,7 @@ int TrustAnchor::Impl::install(bool withSystemCerts) noexcept this->preInstall(); - if (withSystemCerts) { - // link system certificates to the custom directory - runtime::DirectoryIterator iter(SYS_CERTS_PATH), end; - while (iter != end) { - linkTo(readLink(iter->getPath()), - this->m_customCertsPath + "/" + iter->getName()); - this->m_customCertNameSet.emplace(iter->getName()); - ++iter; - } - DEBUG("Success to migrate system certificates."); - } - - // link app certificates to the custom directory as subjectNameHash - runtime::DirectoryIterator iter(this->m_appCertsPath), end; - while (iter != end) { - Certificate cert(iter->getPath()); - std::string hashName = this->getUniqueHashName(cert.getSubjectNameHash()); - linkTo(iter->getPath(), - this->m_customCertsPath + "/" + hashName); - this->m_customCertNameSet.emplace(std::move(hashName)); - - this->m_customCertsData.emplace_back(cert.getCertificateData()); - ++iter; - } - + this->makeCustomCerts(withSystemCerts); this->makeCustomBundle(withSystemCerts); INFO("Success to install[" << this->m_packageId << @@ -230,7 +209,8 @@ bool TrustAnchor::Impl::isSystemCertsModified(void) const if (::stat(SYS_BUNDLE_PATH.c_str(), &systemAttr)) ThrowErrno(errno, SYS_BUNDLE_PATH); - auto customBundle = this->m_customBundlePath + "/" + this->getBundleName(); + auto customBundle = this->m_customBundlePath + "/" + + this->getFileName(SYS_BUNDLE_PATH); if (::stat(customBundle.c_str(), &customAttr)) ThrowErrno(errno, customBundle); 
@@ -240,12 +220,30 @@ bool TrustAnchor::Impl::isSystemCertsModified(void) const return systemAttr.st_mtime > customAttr.st_mtime; } -int TrustAnchor::Impl::launch(bool withSystemCerts) +void TrustAnchor::Impl::preLaunch(void) { - EXCEPTION_GUARD_START + // check whether system certificates use or not + runtime::File customSysCA(this->m_customBasePath + "/" + + this->getFileName(TANCHOR_SYSCA_PATH)); + if (!customSysCA.exists()) { + INFO("This package only use custom certificates."); + return; + } - if (withSystemCerts && this->isSystemCertsModified()) + INFO("This package use system certificates."); + if (this->isSystemCertsModified()) { + WARN("System certificates be changed. Remake custom bundle."); this->makeCustomBundle(true); + } + + DEBUG("Success to pre-install stage."); +} + +int TrustAnchor::Impl::launch() +{ + EXCEPTION_GUARD_START + + this->preLaunch(); errno = 0; // disassociate from the parent namespace @@ -265,7 +263,8 @@ int TrustAnchor::Impl::launch(bool withSystemCerts) this->m_customCertsPath + "] to dst[" + MOUNT_POINT_CERTS + "]"); - auto bundle = this->m_customBundlePath + "/" + this->getBundleName(); + auto bundle = this->m_customBundlePath + "/" + + this->getFileName(SYS_BUNDLE_PATH); if (::mount(bundle.c_str(), MOUNT_POINT_BUNDLE.c_str(), NULL, @@ -280,13 +279,13 @@ int TrustAnchor::Impl::launch(bool withSystemCerts) EXCEPTION_GUARD_END } -std::string TrustAnchor::Impl::getBundleName(void) const +std::string TrustAnchor::Impl::getFileName(const std::string &path) const { - size_t pos = SYS_BUNDLE_PATH.rfind('/'); + size_t pos = path.rfind('/'); if (pos == std::string::npos) - throw std::logic_error("Bundle path is wrong." + SYS_BUNDLE_PATH); + throw std::logic_error("Path is wrong. > " + path); - return SYS_BUNDLE_PATH.substr(pos + 1); + return path.substr(pos + 1); } std::string TrustAnchor::Impl::getUniqueHashName( 
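Review bot: The closing message of preLaunch() says `DEBUG("Success to pre-install stage.");` but this is the launch path; it should be `DEBUG("Success to pre-launch stage.");`. The decision whether system certificates are rebuilt into the mounted bundle is now taken from the mere existence of a file under m_customBasePath by a process holding CAP_SYS_ADMIN, yet neither INFO line records which path was consulted; building the path once, `auto marker = this->m_customBasePath + "/" + this->getFileName(TANCHOR_SYSCA_PATH);`, and including `marker` in both INFO messages makes the choice auditable from logs. Note that isSystemCertsModified() throws via ThrowErrno on a stat failure, so preLaunch() can propagate an exception into launch(), whose body continues past this hunk under EXCEPTION_GUARD.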
@@ -302,10 +301,44 @@ std::string TrustAnchor::Impl::getUniqueHashName( return uniqueName; } +void TrustAnchor::Impl::makeCustomCerts(bool withSystemCerts) +{ + if (withSystemCerts) { + // link system certificates to the custom directory + runtime::DirectoryIterator iter(SYS_CERTS_PATH), end; + while (iter != end) { + linkTo(this->readLink(iter->getPath()), + this->m_customCertsPath + "/" + iter->getName()); + this->m_customCertNameSet.emplace(iter->getName()); + ++iter; + } + DEBUG("Success to migrate system certificates."); + + // copy sysca(withSystemCerts flag) and check at launching time + runtime::File tanchorSysCA(TANCHOR_SYSCA_PATH); + this->checkFileValidity(tanchorSysCA); + tanchorSysCA.copyTo(this->m_customBasePath); + DEBUG("Success to set SYSCA flag."); + } + + // link app certificates to the custom directory as subjectNameHash + runtime::DirectoryIterator iter(this->m_appCertsPath), end; + while (iter != end) { + Certificate cert(iter->getPath()); + std::string hashName = this->getUniqueHashName(cert.getSubjectNameHash()); + linkTo(iter->getPath(), + this->m_customCertsPath + "/" + hashName); + this->m_customCertNameSet.emplace(std::move(hashName)); + + this->m_customCertsData.emplace_back(cert.getCertificateData()); + ++iter; + } +} + void TrustAnchor::Impl::makeCustomBundle(bool withSystemCerts) { runtime::File customBundle(this->m_customBundlePath + "/" + - this->getBundleName()); + this->getFileName(SYS_BUNDLE_PATH)); if (customBundle.exists()) { WARN("App custom bundle is already exist. remove it!"); customBundle.remove(); @@ -377,12 +410,12 @@ int TrustAnchor::uninstall(void) noexcept return this->m_pImpl->uninstall(); } -int TrustAnchor::launch(bool withSystemCerts) noexcept +int TrustAnchor::launch(void) noexcept { if (this->m_pImpl == nullptr) return TRUST_ANCHOR_ERROR_OUT_OF_MEMORY; - return this->m_pImpl->launch(withSystemCerts); + return this->m_pImpl->launch(); } } // namespace tanchor 
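Review bot: makeCustomCerts() copies the .sysca marker into m_customBasePath only when withSystemCerts is true but never removes a marker left behind by an earlier install, so reinstalling a package with withSystemCerts=false would still make preLaunch() rebuild its bundle with system certificates — unless preInstall() (outside this hunk) already clears m_customBasePath, which the page does not show. Using the exists()/remove() pair already used on customBundle below, an else branch such as `} else {` / `runtime::File staleSysCA(this->m_customBasePath + "/" + this->getFileName(TANCHOR_SYSCA_PATH)); if (staleSysCA.exists()) staleSysCA.remove();` / `}` closes that gap. It is also unclear from the diff whether uninstall() and the isRollback path remove the copied marker; confirm, since a stale marker silently changes what the launcher mounts.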
diff --git a/tests/test-capi-launcher.cpp b/tests/test-capi-launcher.cpp index 0457db7..90c9e22 100644 --- a/tests/test-capi-launcher.cpp +++ b/tests/test-capi-launcher.cpp @@ -41,7 +41,7 @@ TESTCASE(CAPI_TRUST_ANCHOR_LAUNCH) int pid = fork(); if (pid == 0) { - ret = trust_anchor_global_launch(DUMMY_PKG_ID, APP_CERTS_DIR, true); + ret = trust_anchor_global_launch(DUMMY_PKG_ID, APP_CERTS_DIR); TEST_EXPECT(true, ret == 0); auto afterLsChild = test::util::ls(TZ_SYS_RO_CA_CERTS); diff --git a/tests/test-curl.cpp b/tests/test-curl.cpp index ecc325e..1095458 100644 --- a/tests/test-curl.cpp +++ b/tests/test-curl.cpp @@ -57,7 +57,7 @@ TESTCASE(TRUST_ANCHOR_LAUNCH) TEST_EXPECT(true, pid >= 0); if (pid == 0) { - ret = ta.launch(false); + ret = ta.launch(); TEST_EXPECT(true, ret == 0); // check SSL communication @@ -94,7 +94,7 @@ TESTCASE(TRUST_ANCHOR_LAUNCH_WITH_SYS) TEST_EXPECT(true, pid >= 0); if (pid == 0) { - ret = ta.launch(true); + ret = ta.launch(); TEST_EXPECT(true, ret == 0); // check SSL communication diff --git a/tests/test-launcher.cpp b/tests/test-launcher.cpp index 1e44923..89493fb 100644 --- a/tests/test-launcher.cpp +++ b/tests/test-launcher.cpp @@ -47,7 +47,7 @@ TESTCASE(TRUST_ANCHOR_LAUNCH) if (pid == 0) { TIME_MEASURE_START - ret = ta.launch(false); + ret = ta.launch(); TIME_MEASURE_END TEST_EXPECT(true, ret == 0); @@ -83,7 +83,7 @@ TESTCASE(TRUST_ANCHOR_LAUNCH_WITH_SYS) if (pid == 0) { TIME_MEASURE_START - ret = ta.launch(true); + ret = ta.launch(); TIME_MEASURE_END TEST_EXPECT(true, ret == 0); -- 2.34.1