From d36597915c51f4d043cff1fa6388a16b5c5bc8b8 Mon Sep 17 00:00:00 2001 From: Bartlomiej Grzelewski Date: Wed, 4 Sep 2013 14:43:33 +0200 Subject: [PATCH] Remove deprecated and unused code. Service responsible for function security_server_check_privileges_by_pid was written some time ago. This commit removes old implementation of this function. [Issue#] SSDWSSP-424 [Bug] N/A [Cause] N/A [Solution] N/A [Verification] Build. Run all tests. Change-Id: I69706853b0851e1c686a543b61a4e5d8d45b1b3f --- CMakeLists.txt | 7 -- src/client/security-server-client.c | 74 ----------- src/communication/security-server-comm.c | 165 ------------------------- src/include/security-server-comm.h | 10 -- src/server/security-server-main.c | 102 --------------- src/server2/client/client-privilege-by-pid.cpp | 2 - 6 files changed, 360 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index c147181..a0b62e0 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -26,14 +26,8 @@ PROJECT("security-server") INCLUDE(FindPkgConfig) -############################# compilation defines ############################# - -# EMPTY - ############################# compiler flags ################################## -#SET(CMAKE_C_FLAGS "-g") -#SET(CMAKE_CXX_FLAGS "-g -std=c++0x") SET(CMAKE_C_FLAGS_PROFILING "-g -O0 -pg") SET(CMAKE_CXX_FLAGS_PROFILING "-g -std=c++0x -O0 -pg") SET(CMAKE_C_FLAGS_DEBUG "-g -O0 -ggdb") @@ -59,7 +53,6 @@ STRING(REGEX MATCH "([^.]*)" API_VERSION "${VERSION}") ADD_DEFINITIONS("-DAPI_VERSION=\"$(API_VERSION)\"") ADD_DEFINITIONS("-DSMACK_ENABLED") ADD_DEFINITIONS("-DDPL_LOGS_ENABLED") # Enable LOGS in security-server2 -#ADD_DEFINITIONS("-DUSE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID") #use old security-server 1.0 for check-privilege-by-pid API SET(TARGET_SECURITY_SERVER "security-server") SET(TARGET_SECURITY_CLIENT "security-server-client") diff --git a/src/client/security-server-client.c b/src/client/security-server-client.c index 855c82e..6377acc 100644 --- a/src/client/security-server-client.c +++ b/src/client/security-server-client.c @@ -654,77 +654,3 @@ error: return retval; } - -#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID -SECURITY_SERVER_API -int security_server_check_privilege_by_pid(int pid, const char *object, const char *access_rights) -{ - //This function check SMACK privilege betwen subject and object. - //Subject is identified by PID number, object is function parameter. - - int sockfd = -1; - int retval; - response_header hdr; - - //check for input PID param - if (pid < 0) { - retval = SECURITY_SERVER_ERROR_INPUT_PARAM; - goto error; - } - - SEC_SVR_DBG("%s","Check privilige by PID called"); - SEC_SVR_DBG("%s %d","PID", pid); - SEC_SVR_DBG("%s %s", "OBJECT:", object); - SEC_SVR_DBG("%s %s", "ACCESS_RIGHTS", access_rights); - - //check if able to connect - retval = connect_to_server(&sockfd); - if (retval != SECURITY_SERVER_SUCCESS) - goto error; - - //send request - retval = send_pid_privilege_request(sockfd, pid, object, access_rights); - if (retval != SECURITY_SERVER_SUCCESS) { - /* Error on socket */ - SEC_SVR_ERR("Client: Send failed: %d", retval); - goto error; - } - - //get response - retval = recv_pid_privilege_response(sockfd, &hdr); - - //convert error code - retval = return_code_to_error_code(hdr.return_code); - - //check if frame has correct MSG_ID - if (hdr.basic_hdr.msg_id != SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE) { - if (hdr.basic_hdr.msg_id == SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE) { - /* There must be some error */ - SEC_SVR_ERR("Client: Error has been received. return code:%d", hdr.return_code); - } - else { - /* Something wrong with response */ - SEC_SVR_ERR("Client ERROR: Unexpected error occurred:%d", retval); - retval = SECURITY_SERVER_ERROR_BAD_RESPONSE; - } - goto error; - } - - //debug info about checking result - - if (hdr.return_code == SECURITY_SERVER_RETURN_CODE_SUCCESS) { - SEC_SVR_DBG("%s","Client: There is privilege match"); - retval = SECURITY_SERVER_SUCCESS; - } else { - SEC_SVR_WRN("%s","Client: There is no privilege match"); - retval = SECURITY_SERVER_ERROR_ACCESS_DENIED; - } - -error: - if (sockfd > 0) - close(sockfd); - - retval = convert_to_public_error_code(retval); - return retval; -} -#endif diff --git a/src/communication/security-server-comm.c b/src/communication/security-server-comm.c index bcd3c2e..c16656f 100644 --- a/src/communication/security-server-comm.c +++ b/src/communication/security-server-comm.c @@ -793,100 +793,6 @@ error: // return SECURITY_SERVER_SUCCESS; // } -#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID -//VERSION: 0x01 -//MSG_ID: 0x1f (SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_REQUEST) -//DATA_SIZE: strlen(object) + 1 + strlen(access_rights) + 1 -int send_pid_privilege_request(int sockfd, int pid, const char *object, const char *access_rights) -{ - //header structure - basic_header hdr; - int retval; - int message_size; - //buffer for data - char *buff = NULL; - int offset = 0; - - if (pid < 0) { - SEC_SVR_ERR("%s", "Error input param"); - retval = SECURITY_SERVER_ERROR_INPUT_PARAM; - goto error; - } - - if (object == NULL) { - SEC_SVR_ERR("%s", "Error input param"); - retval = SECURITY_SERVER_ERROR_INPUT_PARAM; - goto error; - } - - //allocate buffer - //+1 for the '\0' at string end - - message_size = sizeof(int) + strlen(object) + 1 + strlen(access_rights) + 1; - buff = (char*)malloc(message_size + sizeof(hdr)); - if (buff == NULL) { - SEC_SVR_ERR("%s", "malloc() error"); - retval = SECURITY_SERVER_ERROR_OUT_OF_MEMORY; - goto error; - } - - //clear buffer - bzero(buff, message_size + sizeof(hdr)); - - //create header - hdr.version = SECURITY_SERVER_MSG_VERSION; - //MSG_ID - hdr.msg_id = SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_REQUEST; - //set message size without header (data size) - hdr.msg_len = message_size; - - //copy message fields to buffer - offset = 0; - memcpy(&buff[offset], &hdr, sizeof(hdr)); - offset += sizeof(hdr); - //add PID - memcpy(&buff[offset], &pid, sizeof(pid)); - offset += sizeof(pid); - //add *object with NULL at the end - memcpy(&buff[offset], object, strlen(object)); - offset += strlen(object); - buff[offset] = 0; - offset += 1; - //add *access_rights with NULL at the end - memcpy(&buff[offset], access_rights, strlen(access_rights)); - offset += strlen(access_rights); - buff[offset] = 0; - - //check pool - retval = check_socket_poll(sockfd, POLLOUT, SECURITY_SERVER_SOCKET_TIMEOUT_MILISECOND); - if (retval == SECURITY_SERVER_ERROR_POLL) { - SEC_SVR_ERR("%s", "poll() error"); - retval = SECURITY_SERVER_ERROR_SEND_FAILED; - goto error; - } - if (retval == SECURITY_SERVER_ERROR_TIMEOUT) { - SEC_SVR_ERR("%s", "poll() timeout"); - retval = SECURITY_SERVER_ERROR_SEND_FAILED; - goto error; - } - - //send message - retval = TEMP_FAILURE_RETRY(write(sockfd, buff, message_size + sizeof(hdr))); - if (retval < message_size) { - //error on write - SEC_SVR_ERR("Error on write(): %d", retval); - retval = SECURITY_SERVER_ERROR_SEND_FAILED; - goto error; - } - retval = SECURITY_SERVER_SUCCESS; -error: - if (buff != NULL) - free(buff); - - return retval; -} -#endif - /* Send validate password request message to security server * * * Message format @@ -1410,63 +1316,6 @@ int recv_hdr(int client_sockfd, basic_header *basic_hdr) return retval; } -#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID -int recv_pid_privilege_request(int sockfd, int datasize, int *pid, char **object, char **access_rights) -{ - int retval; - char *buff = NULL; - int object_size = 0; - int access_rights_size = 0; - - buff = (char*)malloc(datasize); - if (buff == NULL) - return SECURITY_SERVER_ERROR_OUT_OF_MEMORY; - - //receive all data to buffer - retval = TEMP_FAILURE_RETRY(read(sockfd, buff, datasize)); - if (retval < datasize) { - SEC_SVR_ERR("Received data size is too small: %d / %d", retval, datasize); - retval = SECURITY_SERVER_ERROR_RECV_FAILED; - goto error; - } - - //getPID - memcpy(pid, buff, sizeof(int)); - - //get object - while (buff[sizeof(int) + object_size] != '\0') { - object_size++; - - if (object_size > datasize) { - SEC_SVR_ERR("%s", "Wrong object_size"); - retval = SECURITY_SERVER_ERROR_UNKNOWN; - goto error; - } - } - object_size++; //for '\0' at end - - *object = (char*)malloc(object_size); - memcpy(*object, buff + sizeof(int), object_size); - - //get access_rights - access_rights_size = datasize - object_size - sizeof(int); - *access_rights = (char*)malloc(access_rights_size); - memcpy(*access_rights, buff + sizeof(int) + object_size, access_rights_size); - - SEC_SVR_DBG("%s %d", "Received PID:", *pid); - SEC_SVR_DBG("%s %s", "Received object:", *object); - SEC_SVR_DBG("%s %s", "Received privileges:", *access_rights); - - retval = SECURITY_SERVER_SUCCESS; - -error: - if (buff != NULL) - free(buff); - - return retval; -} -#endif - int recv_generic_response(int sockfd, response_header *hdr) { int retval; @@ -1596,20 +1445,6 @@ int recv_get_object_name(int sockfd, response_header *hdr, char *object, int max return SECURITY_SERVER_SUCCESS; } -#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID -int recv_pid_privilege_response(int sockfd, response_header *hdr) -{ - int retval; - - retval = recv_generic_response(sockfd, hdr); - - if (retval != SECURITY_SERVER_SUCCESS) - return return_code_to_error_code(hdr->return_code); - - return SECURITY_SERVER_SUCCESS; -} -#endif - int recv_pwd_response(int sockfd, response_header *hdr, unsigned int *current_attempts, unsigned int *max_attempts, diff --git a/src/include/security-server-comm.h b/src/include/security-server-comm.h index 818e642..12923e7 100644 --- a/src/include/security-server-comm.h +++ b/src/include/security-server-comm.h @@ -57,10 +57,6 @@ typedef struct #define SECURITY_SERVER_MSG_TYPE_SET_PWD_MAX_CHALLENGE_RESPONSE 0x1a #define SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_REQUEST 0x1b #define SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE 0x1c -#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID -#define SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_REQUEST 0x21 -#define SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE 0x22 -#endif #define SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE 0xff /* Return code */ @@ -98,12 +94,6 @@ int recv_get_object_name(int sockfd, response_header *hdr, char *object, int max int recv_hdr(int client_sockfd, basic_header *basic_hdr); -#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID -int send_pid_privilege_request(int sockfd, int pid, const char *object, const char *access_rights); -int recv_pid_privilege_request(int sockfd, int datasize, int *pid, char **object, char **access_rights); -int recv_pid_privilege_response(int sockfdi, response_header *hdr); -#endif - int recv_generic_response(int sockfd, response_header *hdr); int recv_pwd_response(int sockfd, response_header *hdr, unsigned int *current_attempts, unsigned int *max_attempts, unsigned int *valid_days); diff --git a/src/server/security-server-main.c b/src/server/security-server-main.c index fd299ff..9232f10 100644 --- a/src/server/security-server-main.c +++ b/src/server/security-server-main.c @@ -318,99 +318,6 @@ error: return retval; } -#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID -int process_pid_privilege_check(int sockfd, int datasize) -{ - //In this function we parsing received PID privilege check request - int retval; - int client_pid; - int pid; - char *object = NULL; - char *access_rights = NULL; - unsigned char return_code; - char *path = NULL; - char subject[SMACK_LABEL_LEN + 1]; - subject[0] = '\0'; - - //authenticate client - retval = authenticate_client_middleware(sockfd, &client_pid); - - if (retval != SECURITY_SERVER_SUCCESS) { - SEC_SVR_ERR("%s", "Client Authentication Failed"); - retval = send_generic_response(sockfd, - SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE, - SECURITY_SERVER_RETURN_CODE_AUTHENTICATION_FAILED); - - if (retval != SECURITY_SERVER_SUCCESS) - SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval); - - goto error; - } - - //receive request - retval = recv_pid_privilege_request(sockfd, datasize, &pid, &object, &access_rights); - - if (retval == SECURITY_SERVER_ERROR_RECV_FAILED) { - SEC_SVR_ERR("%s", "Receiving request failed"); - retval = send_generic_response(sockfd, - SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE, - SECURITY_SERVER_RETURN_CODE_BAD_REQUEST); - - if (retval != SECURITY_SERVER_SUCCESS) - SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval); - - goto error; - } - - if (smack_check()) { - retval = smack_pid_have_access(pid, object, access_rights); - SEC_SVR_DBG("smack_pid_have_access returned %d", retval); - - if (get_smack_label_from_process(pid, subject) != PC_OPERATION_SUCCESS) { - // subject label is set to empty string - SEC_SVR_ERR("get_smack_label_from_process failed. Subject label has not been read."); - } else { - SECURE_SLOGD("Subject label of client PID %d is: %s", pid, subject); - } - } else { - SEC_SVR_DBG("SMACK is not available. Subject label has not been read."); - retval = 1; - } - - path = read_exe_path_from_proc(pid); - - if (retval > 0) - SECURE_SLOGD("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, subject, object, access_rights, retval, path); - else - SECURE_SLOGW("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, subject, object, access_rights, retval, path); - - if (path != NULL) - free(path); - - if (retval == 1) //there is permission - return_code = SECURITY_SERVER_RETURN_CODE_SUCCESS; - else //there is no permission - return_code = SECURITY_SERVER_RETURN_CODE_ACCESS_DENIED; - - //send response - retval = send_generic_response(sockfd, - SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE, - return_code); - - if (retval != SECURITY_SERVER_SUCCESS) - SEC_SVR_ERR("ERROR: Cannot send generic response: %d", retval); - -error: - - if (object != NULL) - free(object); - if (access_rights != NULL) - free(access_rights); - - return retval; -} -#endif - int client_has_access(int sockfd, const char *object) { char *label = NULL; @@ -506,15 +413,6 @@ void *security_server_thread(void *param) process_gid_request(client_sockfd, (int)basic_hdr.msg_len); break; -#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID - case SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_REQUEST: - SEC_SVR_DBG("%s", "PID privilege check request received"); - authorize_SS_API_caller_socket(client_sockfd, API_MIDDLEWARE, API_RULE_REQUIRED); - //pass data size to function - process_pid_privilege_check(client_sockfd, basic_hdr.msg_len); - break; -#endif - case SECURITY_SERVER_MSG_TYPE_VALID_PWD_REQUEST: SECURE_SLOGD("%s", "Server: validate password request received"); authorize_SS_API_caller_socket(client_sockfd, API_PASSWD_CHECK, API_RULE_REQUIRED); diff --git a/src/server2/client/client-privilege-by-pid.cpp b/src/server2/client/client-privilege-by-pid.cpp index 6ce09f9..34ebee6 100644 --- a/src/server2/client/client-privilege-by-pid.cpp +++ b/src/server2/client/client-privilege-by-pid.cpp @@ -36,7 +36,6 @@ #include #include -#ifndef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID SECURITY_SERVER_API int security_server_check_privilege_by_pid( int pid, @@ -73,5 +72,4 @@ int security_server_check_privilege_by_pid( } return SECURITY_SERVER_API_ERROR_UNKNOWN; } -#endif -- 2.7.4