From eaa9aab76a8fd55f3ffb20c11a2c497d7b516ac0 Mon Sep 17 00:00:00 2001
From: Krzysztof Jackiewicz
Date: Thu, 23 Apr 2020 11:46:21 +0200
Subject: [PATCH] Add smack-privilege parsing to PolicyConfiguration

Change-Id: I9fa0b5b86138725cb9520379e25f71f82a3e43f7
---
 .../common/policy_configuration.cpp | 57 ++++++++++++++++++++++
 .../common/policy_configuration.h | 5 ++
 .../common/template_parser.h | 2 +
 3 files changed, 64 insertions(+)

diff --git a/src/security-manager-tests/common/policy_configuration.cpp b/src/security-manager-tests/common/policy_configuration.cpp
index 64e3b9a..db34767 100644
--- a/src/security-manager-tests/common/policy_configuration.cpp
+++ b/src/security-manager-tests/common/policy_configuration.cpp
@@ -18,6 +18,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -34,6 +35,57 @@ namespace SecurityManagerTest {
+namespace {
+
+PolicyConfiguration::SmackPrivRulesMap parsePrivilegeSmackList() {
+    constexpr char PRIVILEGE[] = "~PRIVILEGE~";
+    PolicyConfiguration::SmackPrivRulesMap privilegeRules;
+
+    std::ifstream templateFile(CONF_DIR "privilege-smack.list");
+
+    if (templateFile.fail())
+        return privilegeRules;
+
+    try {
+        std::string line;
+        while (getline(templateFile, line)) {
+            if (line.empty() || line[0] == '#')
+                continue;
+
+            std::string privilege, label, rulesFileName;
+            std::istringstream stream(line);
+            stream >> privilege >> label >> rulesFileName;
+
+            if (rulesFileName == "default")
+                rulesFileName = "priv-rules-default-template.smack";
+
+            std::ifstream rulesFile(std::string(CONF_DIR) + "privilege-mapping/" + rulesFileName);
+            std::string object, subject, access;
+            while (rulesFile >> subject >> object >> access) {
+                if (object.empty() || subject.empty())
+                    throw std::runtime_error("Malformed rule");
+
+                // ignore
+                if (object.front() != '~' || subject.front() != '~')
+                    continue;
+
+                if (object == PRIVILEGE)
+                    object = label;
+                if (subject == PRIVILEGE)
+                    subject = label;
+                privilegeRules[privilege].emplace_back(std::move(subject),
+                                                       std::move(object),
+                                                       std::move(access));
+            }
+        }
+    } catch (const std::exception&) {
+        privilegeRules.clear();
+    }
+    return privilegeRules;
+}
+
+} // namespace anonymous
+
 gid_t nameToGid(const char *name) {
     struct group entry, *gresult;
     char buffer[1024];
@@ -181,5 +233,10 @@ std::string PolicyConfiguration::getAppRulesFilePath() {
     return CONF_DIR "app-rules-template.smack";
 }
+const PolicyConfiguration::SmackPrivRulesMap& PolicyConfiguration::getSmackPrivRulesMap() {
+    const static auto smackPrivRulesMap = parsePrivilegeSmackList();
+    return smackPrivRulesMap;
+}
+
 } // namespace SecurityManagerTest
diff --git a/src/security-manager-tests/common/policy_configuration.h b/src/security-manager-tests/common/policy_configuration.h
index 3d2c1a0..cd89dc9 100644
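Review bot: A missing or unreadable per-privilege rules file is silently treated as "no rules": when the `std::ifstream rulesFile(...)` open fails, the `while (rulesFile >> subject >> object >> access)` loop never runs and no entry is created for that privilege, so a typo in `privilege-smack.list` makes the harness expect nothing instead of failing the test. Checking the stream right after opening, `if (rulesFile.fail()) throw std::runtime_error("Cannot open rules file: " + rulesFileName);`, would make this consistent with the existing `"Malformed rule"` throw; the same applies to `stream >> privilege >> label >> rulesFileName`, whose result is not checked, so a short line yields an empty `rulesFileName`. The `object.empty() || subject.empty()` test is unreachable, because `operator>>` into `std::string` only succeeds after extracting at least one character, so it can be dropped or kept as a defensive assert. The bare `// ignore` comment would read better as `// only template rules (both sides start with '~') are expanded; literal rules are skipped`. Note also that the `catch` turns any failure into an empty map, so the caller cannot tell a parse error from an absent list file.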
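Review bot: Because the result is latched in a function-local static on the first call, a parse failure — which `parsePrivilegeSmackList()` reports only by returning an empty map — stays empty for the lifetime of the test process, and every later test silently runs against no expected Smack rules. A one-line comment on the static would make that contract visible: `// Parsed once on first use; an empty map means the list was absent or malformed (see parsePrivilegeSmackList).` The specifier order `const static auto` is legal, but the conventional spelling is `static const auto smackPrivRulesMap = parsePrivilegeSmackList();`.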
--- a/src/security-manager-tests/common/policy_configuration.h
+++ b/src/security-manager-tests/common/policy_configuration.h
@@ -19,9 +19,12 @@
 #include
 #include
 #include
+#include
 #include
+#include
+
 namespace SecurityManagerTest {
 gid_t nameToGid(const char *name);
@@ -32,6 +35,7 @@ public:
     typedef std::vector GroupVector;
     typedef std::vector PrivVector;
     typedef std::map PrivGroupMap;
+    typedef std::unordered_map> SmackPrivRulesMap;
     struct UserDescription {
         PrivVector privVector;
@@ -59,6 +63,7 @@ public:
     static bool getIsAskuserEnabled();
     static std::string getPkgRulesFilePath();
     static std::string getAppRulesFilePath();
+    static const SmackPrivRulesMap& getSmackPrivRulesMap();
 private:
     UserDescription loadUserDescription(UserType userType);
diff --git a/src/security-manager-tests/common/template_parser.h b/src/security-manager-tests/common/template_parser.h
index 81a3674..a1bad46 100644
--- a/src/security-manager-tests/common/template_parser.h
+++ b/src/security-manager-tests/common/template_parser.h
@@ -18,6 +18,8 @@
  * @author Alicja Kluczek
  * @brief Parsing function for smack rules templates
  */
+#pragma once
+
 #include
 #include
-- 
2.7.4
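Review bot: The new `getSmackPrivRulesMap()` declaration in `policy_configuration.h` carries no comment, and nothing in the header says where the map comes from or that it can legitimately be empty. Suggest documenting it at the declaration: `/// Privilege name -> Smack rules, parsed once from CONF_DIR "privilege-smack.list" and the files under privilege-mapping/.` followed by `/// Empty when the list file is missing or could not be parsed.` The `SmackPrivRulesMap` typedef added a few lines above would benefit from a similar one-line note on what each entry holds.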