From d953f154492dc3f7814426be2be125a984b257f6 Mon Sep 17 00:00:00 2001 From: Hyunwoo Kim Date: Mon, 5 Aug 2013 16:37:49 +0900 Subject: [PATCH] Remove logs and Add ACE API that returns privacy access checking result. Change-Id: I039d17bfd8c16e661c515269dc24140aeb85eff6 Signed-off-by: Hyunwoo Kim --- ace/engine/Attribute.cpp | 6 ++++- ace/engine/CombinerImpl.cpp | 3 ++- ace/engine/Condition.cpp | 2 ++ ace_client/include/ace-client/ace_client.h | 1 + ace_client/include/ace_api_client.h | 2 ++ ace_client/src/ace_api_client.cpp | 18 +++++++++++-- ace_client/src/ace_client.cpp | 31 ++++++++++------------- ace_common/include/ace_api_common.h | 7 +++++ packaging/wrt-security.changes | 4 +++ packaging/wrt-security.spec | 4 +-- socket_connection/client/SecuritySocketClient.cpp | 2 ++ src/CMakeLists.txt | 4 +-- src/daemon/sockets/security_socket_service.cpp | 18 ++++++------- systemd/wrt-security-daemon.service | 1 + systemd/wrt-security-daemon.socket | 2 ++ 15 files changed, 70 insertions(+), 35 deletions(-) create mode 100644 packaging/wrt-security.changes diff --git a/ace/engine/Attribute.cpp b/ace/engine/Attribute.cpp index 2471999..bc96a2b 100644 --- a/ace/engine/Attribute.cpp +++ b/ace/engine/Attribute.cpp @@ -161,11 +161,14 @@ Attribute::MatchResult Attribute::lists_comparator( if (result == MatchResult::MRTrue) { LogDebug("Returning TRUE"); +#ifdef ALL_LOGS } else if (result == MatchResult::MRFalse) { LogDebug("Returning FALSE"); } else if (result == MatchResult::MRUndetermined) { LogDebug("Returning UNDETERMINED"); +#endif } + return result; } @@ -214,10 +217,11 @@ Attribute::MatchResult Attribute::matchAttributes( myVal = this->value.front(); } +#ifdef ALL_LOGS LogDebug("Comparing attribute: " << this->m_name << "(" << myVal << ") with: " << tempNam << "(" << tempVal << ")"); - +#endif Assert( (this->m_name == *(attribute->getName())) && "Two completely different attributes are being compared!"); diff --git a/ace/engine/CombinerImpl.cpp b/ace/engine/CombinerImpl.cpp index bbd179c..dab775f 100644 --- a/ace/engine/CombinerImpl.cpp +++ b/ace/engine/CombinerImpl.cpp @@ -272,9 +272,10 @@ ExtendedEffect CombinerImpl::combine( Policy::CombineAlgorithm algorithm, ExtendedEffectList &effects) { +#ifdef ALL_LOGS LogDebug("Effects to be combined with algorithm: " << ::toString(algorithm)); showEffectList(effects); - +#endif switch (algorithm) { case Policy::DenyOverride: return denyOverrides(effects); diff --git a/ace/engine/Condition.cpp b/ace/engine/Condition.cpp index e6121a4..e92e681 100644 --- a/ace/engine/Condition.cpp +++ b/ace/engine/Condition.cpp @@ -42,10 +42,12 @@ Attribute::MatchResult Condition::evaluateCondition( bool undeterminedMatchFound = false; bool isFinalMatch = false; +#ifdef ALL_LOGS LogDebug("Attributes to be matched"); printAttributes(*attrSet); LogDebug("Condition attributes values"); printAttributes(attributes); +#endif if (this->isEmpty()) { LogDebug("Condition is empty, returning true"); diff --git a/ace_client/include/ace-client/ace_client.h b/ace_client/include/ace-client/ace_client.h index 4b4081b..024be70 100644 --- a/ace_client/include/ace-client/ace_client.h +++ b/ace_client/include/ace-client/ace_client.h @@ -45,6 +45,7 @@ class AceThinClient : private DPL::Noncopyable { }; bool checkFunctionCall(const AceRequest& ace_request) const; + bool checkPrivacy(const AceRequest& ace_request) const; AcePreference getWidgetResourcePreference( const AceResource& resource, const AceWidgetHandle& handle) const; diff --git a/ace_client/include/ace_api_client.h b/ace_client/include/ace_api_client.h index 817a988..c666442 100644 --- a/ace_client/include/ace_api_client.h +++ b/ace_client/include/ace_api_client.h @@ -111,6 +111,8 @@ ace_return_t ace_client_shutdown(void); */ ace_return_t ace_check_access(const ace_request_t* request, ace_bool_t* access); +ace_return_t ace_check_access_ex(const ace_request_t* request, ace_check_result_t* result); + #ifdef __cplusplus } #endif diff --git a/ace_client/src/ace_api_client.cpp b/ace_client/src/ace_api_client.cpp index 16d9f36..61c326f 100644 --- a/ace_client/src/ace_api_client.cpp +++ b/ace_client/src/ace_api_client.cpp @@ -55,7 +55,15 @@ ace_return_t ace_client_shutdown(void) ace_return_t ace_check_access(const ace_request_t* request, ace_bool_t* access) { - if (NULL == request || NULL == access) { + ace_check_result_t result = ACE_ACCESS_GRANTED; + ace_return_t ret = ace_check_access_ex(request, &result); + *access = (result == ACE_ACCESS_GRANTED) ? ACE_TRUE : ACE_FALSE; + return ret; +} + +ace_return_t ace_check_access_ex(const ace_request_t* request, ace_check_result_t* result) +{ + if (NULL == request || NULL == result) { LogError("NULL argument(s) passed"); return ACE_INVALID_ARGUMENTS; } @@ -102,7 +110,13 @@ ace_return_t ace_check_access(const ace_request_t* request, ace_bool_t* access) Try { ret = AceClient::AceThinClientSingleton:: Instance().checkFunctionCall(aceRequest); - *access = ret ? ACE_TRUE : ACE_FALSE; + *result = ret ? ACE_ACCESS_GRANTED : ACE_PRIVILEGE_DENIED; + + if (*result == ACE_ACCESS_GRANTED) { + ret = AceClient::AceThinClientSingleton:: + Instance().checkPrivacy(aceRequest); + *result = ret ? ACE_ACCESS_GRANTED : ACE_PRIVACY_DENIED; + } } Catch (AceClient::AceThinClient::Exception::AceThinClientException) { LogError("Ace client exception"); delete [] devCapNames; diff --git a/ace_client/src/ace_client.cpp b/ace_client/src/ace_client.cpp index c496c86..64e8909 100644 --- a/ace_client/src/ace_client.cpp +++ b/ace_client/src/ace_client.cpp @@ -92,6 +92,7 @@ class AceThinClientImpl { AcePreference getWidgetResourcePreference( const AceResource& resource, const AceWidgetHandle& handle) const; + bool checkPrivacy(const AceRequest& ace_request); AceResourcesPreferences* getGlobalResourcesPreferences() const; bool isInitialized() const; @@ -101,7 +102,7 @@ class AceThinClientImpl { protected: bool containsNetworkDevCap(const AceRequest &ace_request); bool checkFeatureList(const AceRequest& ace_request); - bool checkPrivacy(const AceRequest& ace_request); + private: WebRuntimeImpl* m_wrt; ResourceInformationImpl* m_res; @@ -128,11 +129,11 @@ class AceThinClientImpl { }; AceThinClientImpl::AceThinClientImpl() - : m_communicationClient(NULL), - m_popupValidationClient(NULL), - m_wrt(new WebRuntimeImpl()), + : m_wrt(new WebRuntimeImpl()), m_res(new ResourceInformationImpl()), m_sys(new OperationSystemImpl()), + m_communicationClient(NULL), + m_popupValidationClient(NULL), m_pip(m_wrt, m_res, m_sys) { AceDB::AceDAOReadOnly::attachToThreadRO(); @@ -203,19 +204,8 @@ bool AceThinClientImpl::checkFeatureList(const AceRequest& ace_request) bool AceThinClientImpl::checkPrivacy(const AceRequest& ace_request) { - pid_t pid; int res; - char* app_id; - - pid = getpid(); - - LogInfo("pid : " << pid); - res = app_manager_get_app_id(pid, &app_id); - if (res == APP_MANAGER_ERROR_NONE) { - LogInfo("Calling app_id : " << app_id); - } - WrtDB::WidgetDAOReadOnly dao(ace_request.widgetHandle); std::string tzPkgId = DPL::ToUTF8String(dao.getTzPkgId()); @@ -223,13 +213,14 @@ bool AceThinClientImpl::checkPrivacy(const AceRequest& ace_request) for (size_t i = 0; i < ace_request.apiFeatures.count; ++i) { res = privacy_checker_check_package_by_privilege(tzPkgId.c_str(), ace_request.apiFeatures.apiFeature[i]); - LogInfo(" privilege : " << ace_request.apiFeatures.apiFeature[i] << " : " << (res == PRIV_MGR_ERROR_SUCCESS) ? "true" : "false"); + LogInfo(" privilege : " << ace_request.apiFeatures.apiFeature[i] << " : " << ((res == PRIV_MGR_ERROR_SUCCESS) ? "true" : "false")); if (res != PRIV_MGR_ERROR_SUCCESS) return false; } return true; } + bool AceThinClientImpl::checkFunctionCall(const AceRequest& ace_request) { LogInfo("Enter"); @@ -460,8 +451,6 @@ bool AceThinClientImpl::checkFunctionCall(const AceRequest& ace_request) result = askUser(popupType, ace_request, request); } } - if (result) - result = checkPrivacy(ace_request); LogInfo("Result: " << (result ? "GRANTED" : "DENIED")); return result; @@ -670,6 +659,12 @@ bool AceThinClient::checkFunctionCall( return m_impl->checkFunctionCall(ace_request); } +bool AceThinClient::checkPrivacy( + const AceRequest& ace_request) const +{ + return m_impl->checkPrivacy(ace_request); +} + AcePreference AceThinClient::getWidgetResourcePreference( const AceResource& resource, const AceWidgetHandle& handle) const diff --git a/ace_common/include/ace_api_common.h b/ace_common/include/ace_api_common.h index 30fee60..b42d048 100644 --- a/ace_common/include/ace_api_common.h +++ b/ace_common/include/ace_api_common.h @@ -40,6 +40,13 @@ typedef enum typedef enum { + ACE_ACCESS_GRANTED, + ACE_PRIVILEGE_DENIED, + ACE_PRIVACY_DENIED +} ace_check_result_t; + +typedef enum +{ ACE_OK, // Operation succeeded ACE_INVALID_ARGUMENTS, // Invalid input parameters ACE_INTERNAL_ERROR, // ACE internal error diff --git a/packaging/wrt-security.changes b/packaging/wrt-security.changes new file mode 100644 index 0000000..0c77ed4 --- /dev/null +++ b/packaging/wrt-security.changes @@ -0,0 +1,4 @@ +* Mon Aug 5 2013 Hyunwoo Kim +- Add ace checking API that can return reason of access denial(Privilge or Privacy) +* Thu Jul 25 2013 Hyunwoo Kim +- Remove unused logs diff --git a/packaging/wrt-security.spec b/packaging/wrt-security.spec index 1accebf..58d9db6 100644 --- a/packaging/wrt-security.spec +++ b/packaging/wrt-security.spec @@ -1,8 +1,8 @@ #sbs-git:slp/pkgs/s/security-server security-server 0.0.37 Name: wrt-security Summary: Wrt security daemon. -Version: 0.0.62 -Release: 4 +Version: 0.0.65 +Release: 0 Group: TO_BE/FILLED_IN License: Apache License, Version 2.0 URL: N/A diff --git a/socket_connection/client/SecuritySocketClient.cpp b/socket_connection/client/SecuritySocketClient.cpp index 6ad4a7b..52330d9 100644 --- a/socket_connection/client/SecuritySocketClient.cpp +++ b/socket_connection/client/SecuritySocketClient.cpp @@ -39,7 +39,9 @@ void SecuritySocketClient::throwWithErrnoMessage(const std::string& specificInfo SecuritySocketClient::SecuritySocketClient(const std::string& interfaceName) { m_interfaceName = interfaceName; m_serverAddress = WrtSecurity::SecurityDaemonSocketConfig::SERVER_ADDRESS(); +#ifdef ALL_LOGS LogInfo("Client created"); +#endif } void SecuritySocketClient::connect(){ diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 5b90e4c..9aa2075 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -33,7 +33,7 @@ ENDIF(SMACK_ENABLE) PKG_CHECK_MODULES(DAEMON_DEP ${DAEMON_BASIC_DEP} - REQUIRED + REQUIRED libsystemd-daemon) SET(DAEMON_SOURCES_PATH ${PROJECT_SOURCE_DIR}/src) @@ -125,4 +125,4 @@ INSTALL(FILES ${PROJECT_SOURCE_DIR}/src/services/popup/popup_ace_data_types.h ${PROJECT_SOURCE_DIR}/src/daemon/dbus/security_daemon_dbus_config.h DESTINATION /usr/include/wrt-security - ) \ No newline at end of file + ) diff --git a/src/daemon/sockets/security_socket_service.cpp b/src/daemon/sockets/security_socket_service.cpp index 73da99a..1338c9c 100644 --- a/src/daemon/sockets/security_socket_service.cpp +++ b/src/daemon/sockets/security_socket_service.cpp @@ -284,7 +284,7 @@ void SecuritySocketService::mainLoop(){ ThrowMsg(DPL::Exception, "couldn't read whole siginfo"); } if((int)siginfo.ssi_signo == m_signalToClose){ - LogInfo("Server thread got signal to close"); + //LogInfo("Server thread got signal to close"); closeConnections(); return; } else { @@ -297,7 +297,7 @@ void SecuritySocketService::mainLoop(){ closeConnections(); throwWithErrnoMessage("accept()"); } - LogInfo("Got incoming connection"); + //LogInfo("Got incoming connection"); Connection_Info * connection = new Connection_Info(client_fd, (void *)this); int res; pthread_t client_thread; @@ -316,7 +316,7 @@ void * SecuritySocketService::connectionThread(void * data){ pthread_detach(pthread_self()); std::auto_ptr c (static_cast(data)); SecuritySocketService &t = *static_cast(c->data); - LogInfo("Starting connection thread"); + //LogInfo("Starting connection thread"); Try { t.connectionService(c->connfd); } Catch (DPL::Exception){ @@ -325,7 +325,7 @@ void * SecuritySocketService::connectionThread(void * data){ close(c->connfd); return (void*)1; } - LogInfo("Client serviced"); + //LogInfo("Client serviced"); return (void*)0; } @@ -341,8 +341,8 @@ void SecuritySocketService::connectionService(int fd){ ReThrowMsg(DPL::Exception, "Socket Connection read error"); } - LogDebug("Got interface : " << interfaceName); - LogDebug("Got method : " << methodName); + //LogDebug("Got interface : " << interfaceName); + //LogDebug("Got method : " << methodName); if( m_callbackMap.find(interfaceName) == m_callbackMap.end()){ LogError("Unknown interface : " << interfaceName); @@ -361,7 +361,7 @@ void SecuritySocketService::connectionService(int fd){ } } - LogInfo("Calling service"); + //LogInfo("Calling service"); Try{ m_callbackMap[interfaceName][methodName]->serviceCallback(&connector); } Catch (ServiceCallbackApi::Exception::ServiceCallbackException){ @@ -369,11 +369,11 @@ void SecuritySocketService::connectionService(int fd){ ReThrowMsg(DPL::Exception, "Service callback error"); } - LogInfo("Removing client"); + //LogInfo("Removing client"); removeClientSocket(fd); close(fd); - LogInfo("Call served"); + //LogInfo("Call served"); } diff --git a/systemd/wrt-security-daemon.service b/systemd/wrt-security-daemon.service index faabe0e..9104e10 100644 --- a/systemd/wrt-security-daemon.service +++ b/systemd/wrt-security-daemon.service @@ -6,6 +6,7 @@ Description=Wrt security daemon Type=notify ExecStart=/usr/bin/wrt-security-daemon Restart=always +RestartSec=0 [Install] WantedBy=multi-user.target diff --git a/systemd/wrt-security-daemon.socket b/systemd/wrt-security-daemon.socket index dc936a2..d5aa41f 100644 --- a/systemd/wrt-security-daemon.socket +++ b/systemd/wrt-security-daemon.socket @@ -6,3 +6,5 @@ ListenStream=/tmp/server SocketMode=0777 PassCredentials=yes Accept=false +SmackLabelIPIn=wrt-security-daemon +SmackLabelIPOut=wrt-security-daemon -- 2.7.4