From 2abf94c4ef8bcaa292eeeb432524c8e7a890cf25 Mon Sep 17 00:00:00 2001 From: Mateusz Forc Date: Fri, 19 Aug 2016 12:52:01 +0200 Subject: [PATCH 01/16] Rewrite shared RO directory support in security-manager Extend support to all apps instead of only 2.x apps. Migrate database to version 7: Add shared_ro INTEGER column in pkg table Conflicts: src/common/include/privilege_db.h src/common/privilege_db.cpp Change-Id: Id925342c37651ee0d87cf14de4d806ef63c678fb --- db/db.sql | 3 +- db/updates/update-db-to-v7.sql | 11 +++++ src/common/include/privilege_db.h | 46 ++++++++++++++--- src/common/include/service_impl.h | 12 +++-- src/common/include/smack-rules.h | 16 +++--- src/common/privilege_db.cpp | 50 +++++++++++++++++-- src/common/service_impl.cpp | 96 ++++++++++++++++++++++++++---------- src/common/smack-rules.cpp | 19 +++---- src/include/security-manager-types.h | 3 +- 9 files changed, 194 insertions(+), 62 deletions(-) create mode 100644 db/updates/update-db-to-v7.sql diff --git a/db/db.sql b/db/db.sql index 805baa0..c85fc35 100644 --- a/db/db.sql +++ b/db/db.sql @@ -4,12 +4,13 @@ PRAGMA auto_vacuum = NONE; BEGIN EXCLUSIVE TRANSACTION; -PRAGMA user_version = 6; +PRAGMA user_version = 7; CREATE TABLE IF NOT EXISTS pkg ( pkg_id INTEGER PRIMARY KEY, name VARCHAR NOT NULL, author_id INTEGER, +shared_ro INTEGER NOT NULL DEFAULT 0, UNIQUE (name) FOREIGN KEY (author_id) REFERENCES author (author_id) ); diff --git a/db/updates/update-db-to-v7.sql b/db/updates/update-db-to-v7.sql new file mode 100644 index 0000000..4f93ef7 --- /dev/null +++ b/db/updates/update-db-to-v7.sql @@ -0,0 +1,11 @@ +BEGIN EXCLUSIVE TRANSACTION; + +PRAGMA user_version = 7; + +ALTER TABLE pkg ADD shared_ro INTEGER NOT NULL DEFAULT 0; + +UPDATE pkg +SET shared_ro = 1 +WHERE pkg_id IN (SELECT pkg_id FROM app WHERE version < 3); + +COMMIT TRANSACTION; diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h index 5bc1519..1068699 100644 --- a/src/common/include/privilege_db.h 
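Review bot: The migration in update-db-to-v7.sql selects legacy packages with `WHERE version < 3`, while the statement it replaces (EGetTizen2XPackages, removed in the privilege_db.h hunk) matched them with `version LIKE '2.%%'`; if `version` is stored as text, `< 3` becomes an affinity-dependent comparison whose result depends on the column's declared type (a value such as '10.0' sorts below '3' as text). Using the predicate the old query used, `WHERE pkg_id IN (SELECT pkg_id FROM app WHERE version LIKE '2.%');`, makes the one-time flagging agree with the behaviour it replaces. Note also that the migration marks every 2.x package as shared_ro regardless of whether it ever registered an OWNER_RW_OTHER_RO path, whereas the new runtime code (isSharedRO) sets the flag only from the registered path types; that is a deliberate compatibility choice and deserves a sentence in the commit message or a comment above the UPDATE.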
+++ b/src/common/include/privilege_db.h @@ -66,12 +66,15 @@ enum class StmtType { EClearPrivatePaths, EGetPrivilegeGroups, EGetUserApps, - EGetTizen2XPackages, + EGetAllPackages, EGetAppsInPkg, EGetGroups, EGetPkgAuthorId, EAuthorIdExists, EGetAuthorIdByName, + EGetSharedROPackages, + ESetPackageSharedRO, + EIsPackageSharedRO, }; class PrivilegeDb { @@ -120,12 +123,15 @@ private: { StmtType::EClearPrivatePaths, "DELETE FROM shared_path;"}, { StmtType::EGetPrivilegeGroups, " SELECT group_name FROM privilege_group WHERE privilege_name = ?" }, { StmtType::EGetUserApps, "SELECT app_name FROM user_app_pkg_view WHERE uid=?" }, - { StmtType::EGetTizen2XPackages, "SELECT DISTINCT pkg_name FROM user_app_pkg_view WHERE version LIKE '2.%%'" }, + { StmtType::EGetAllPackages, "SELECT DISTINCT pkg_name FROM user_app_pkg_view" }, { StmtType::EGetAppsInPkg, " SELECT app_name FROM user_app_pkg_view WHERE pkg_name = ?" }, { StmtType::EGetGroups, "SELECT DISTINCT group_name, privilege_name FROM privilege_group" }, { StmtType::EGetPkgAuthorId, "SELECT author_id FROM pkg WHERE name = ? AND author_id IS NOT NULL"}, { StmtType::EAuthorIdExists, "SELECT count(*) FROM author where author_id=?"}, { StmtType::EGetAuthorIdByName, "SELECT author_id FROM author WHERE name=?"}, + { StmtType::EGetSharedROPackages, "SELECT DISTINCT name FROM pkg WHERE shared_ro = 1;"}, + { StmtType::ESetPackageSharedRO, "UPDATE pkg SET shared_ro=1 WHERE name=?"}, + { StmtType::EIsPackageSharedRO, "SELECT shared_ro FROM pkg WHERE name=?"}, }; /** 
@@ -416,15 +422,15 @@ public: void GetPkgApps(const std::string &pkgName, std::vector &appNames); /** - * Retrieve list of all Tizen 2.X packages + * Retrieve list of all packages * - * @param[out] packages - vector of package identifiers describing installed 2.x packages, - * this parameter do not need to be empty, but - * it is being overwritten during function call. + * @param[out] packages - vector of package identifiers describing installed packages, + * this parameter do not need to be empty, but + * it is being overwritten during function call. * @exception DB::SqlConnection::Exception::InternalError on internal error * @exception DB::SqlConnection::Exception::ConstraintError on constraint violation */ - void GetTizen2XPackages(std::vector &packages); + void GetAllPackages(std::vector &packages); /* Retrive an id of an author from database * 
@@ -464,6 +470,32 @@ public: */ void GetGroupsRelatedPrivileges(std::vector> &privileges); + /** + * Retrieve list of packages with shared RO set to 1 + * + * @param[out] packages - vector of package identifiers describing installed packages, + * this parameter do not need to be empty, but + * it is being overwritten during function call. + * @exception DB::SqlConnection::Exception::InternalError on internal error + * @exception DB::SqlConnection::Exception::ConstraintError on constraint violation + */ + void GetSharedROPackages(std::vector &packages); + + /** + * Set shared_ro field to 1 in package given by name + * + * @exception DB::SqlConnection::Exception::InternalError on internal error + * @exception DB::SqlConnection::Exception::ConstraintError on constraint violation + */ + void SetSharedROPackage(const std::string& pkgName); + + /** + * Check whether package has shared_ro field set to 1 in db + * + * @exception DB::SqlConnection::Exception::InternalError on internal error + * @exception DB::SqlConnection::Exception::ConstraintError on constraint violation + */ + bool IsPackageSharedRO(const std::string& pkgName); }; } //namespace SecurityManager diff --git a/src/common/include/service_impl.h b/src/common/include/service_impl.h index 82774ff..658c60b 100644 --- a/src/common/include/service_impl.h +++ b/src/common/include/service_impl.h @@ -66,11 +66,15 @@ private: const std::vector &allowedDirs); static int labelPaths(const pkg_paths &paths, - const std::string &pkgName, - app_install_type installationType, - const uid_t &uid); + const std::string &pkgName, + app_install_type installationType, + const uid_t &uid); - static void getTizen2XApps(SmackRules::PkgsApps &pkgsApps); + static void getAllApps(SmackRules::PkgsApps &pkgsApps); + + static void getSharedROApps(SmackRules::PkgsApps &sharedROPkgsApps); + + static bool isSharedRO(const pkg_paths& paths); static bool isPrivilegePrivacy(const std::string &privilege); 
diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h index 4e8962b..9b96ba2 100644 --- a/src/common/include/smack-rules.h +++ b/src/common/include/smack-rules.h @@ -76,20 +76,22 @@ public: void generatePackageCrossDeps(const std::vector &pkgContents); /** - * Generate SharedRO rules for Tizen 2.x applications - * Each 2.X application gets read-only access to files shared by all other 2.X packages. + * Generate RO rules for all applications to SharedRO apps during appInstall/Uninstall + * Each application gets read-only access to files shared by SharedRO packages. * - * @param[in] pkgsApps vector of Tizen 2.X applications - each element contains - * a pair with package name and contents + * @param[in] pkgsApps vector of all applications - each element contains + * a pair with package name and contents + * @param[in] sharedROPkgsApps vector of applications having sharedRO directory in their package - + * each element contains a pair with package name and contents */ - static void generateSharedRORules(PkgsApps &pkgsApps); + static void generateSharedRORules(PkgsApps &pkgsApps, PkgsApps &sharedROPkgsApps); /** - * Revoke SharedRO rules for Tizen 2.x applications when a package is being removed + * Revoke SharedRO rules for applications when a package is being removed * Rules from all applications in \ref pkgsApps to SharedRO label of the package * under removal will be revoked from kernel. * - * @param[in] pkgsApps vector of Tizen 2.X applications - each element contains + * @param[in] pkgsApps vector of applications - each element contains * a pair with package name and contents * @param[in] revokePkg package name being removed */ diff --git a/src/common/privilege_db.cpp b/src/common/privilege_db.cpp index 3b70cac..895da45 100644 --- a/src/common/privilege_db.cpp +++ b/src/common/privilege_db.cpp 
@@ -407,15 +407,28 @@ void PrivilegeDb::GetUserApps(uid_t uid, std::vector &apps) }); } -void PrivilegeDb::GetTizen2XPackages(std::vector &packages) +void PrivilegeDb::GetAllPackages(std::vector &packages) { try_catch([&] { - auto command = getStatement(StmtType::EGetTizen2XPackages); + auto command = getStatement(StmtType::EGetAllPackages); packages.clear(); while (command->Step()) { - const std::string & tizen2XPkg = command->GetColumnString(0); - LogDebug("Found " << tizen2XPkg << " Tizen 2.X packages installed"); - packages.push_back(tizen2XPkg); + const std::string &pkg = command->GetColumnString(0); + LogDebug("Found " << pkg << " package installed"); + packages.push_back(pkg); + }; + }); +} + +void PrivilegeDb::GetSharedROPackages(std::vector &packages) +{ + try_catch([&] { + auto command = getStatement(StmtType::EGetSharedROPackages); + packages.clear(); + while (command->Step()) { + const std::string &pkg = command->GetColumnString(0); + LogDebug("Found " << pkg << " package installed"); + packages.push_back(pkg); }; }); } @@ -512,4 +525,31 @@ void PrivilegeDb::GetGroupsRelatedPrivileges(std::vector([&] { + auto command = getStatement(StmtType::ESetPackageSharedRO); + command->BindString(1, pkgName); + + if (command->Step()) + LogDebug("shared_ro has been set to 1 for pkg: " << pkgName); + }); +} + +bool PrivilegeDb::IsPackageSharedRO(const std::string &pkgName) +{ + return try_catch([&]() -> bool { + auto command = getStatement(StmtType::EIsPackageSharedRO); + command->BindString(1, pkgName); + int shared_ro = 0; + + if (command->Step()) + shared_ro = command->GetColumnInteger(0); + + LogDebug("Package " << pkgName << "has shared_ro set to " << shared_ro); + + return (shared_ro > 0); + }); +} + } //namespace SecurityManager diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp index 25852bf..96be37f 100644 --- a/src/common/service_impl.cpp +++ b/src/common/service_impl.cpp 
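Review bot: In IsPackageSharedRO the debug message is missing a space, producing "Package foohas shared_ro set to"; it should read `LogDebug("Package " << pkgName << " has shared_ro set to " << shared_ro);`. GetSharedROPackages reuses the GetAllPackages message verbatim, so both log "Found X package installed" and the shared-RO listing is indistinguishable in the log; `LogDebug("Found " << pkg << " shared RO package installed");` would separate them. In SetSharedROPackage the debug line is guarded by `if (command->Step())`; if Step() follows sqlite3_step's row/done distinction (it is used that way in the `while (command->Step())` loops above), an UPDATE yields no row and that message never prints, so either log unconditionally or drop the guard. Finally, IsPackageSharedRO returns false both for a package with shared_ro=0 and for a package name that is absent from pkg; callers such as pathsRegister cannot tell the two apart, which is worth a one-line comment on the function.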
@@ -137,16 +137,6 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, return SECURITY_MANAGER_SUCCESS; } -bool isTizen2XVersion(const std::string &version) -{ - std::size_t notWhitePos = version.find_first_not_of(" \t"); - if (notWhitePos == std::string::npos) - return false; - if (version.at(notWhitePos) == '2') - return true; - return false; -} - bool sharingExists(const std::string &targetAppName, const std::string &path) { int targetPathCount; @@ -450,10 +440,22 @@ int ServiceImpl::labelPaths(const pkg_paths &paths, } } -void ServiceImpl::getTizen2XApps(SmackRules::PkgsApps &pkgsApps) +void ServiceImpl::getAllApps(SmackRules::PkgsApps &pkgsApps) +{ + std::vector pkgs; + PrivilegeDb::getInstance().GetAllPackages(pkgs); + + pkgsApps.resize(pkgs.size()); + for (size_t i = 0; i < pkgs.size(); ++i) { + pkgsApps[i].first = std::move(pkgs[i]); + PrivilegeDb::getInstance().GetPkgApps(pkgsApps[i].first, pkgsApps[i].second); + } +} + +void ServiceImpl::getSharedROApps(SmackRules::PkgsApps &pkgsApps) { std::vector pkgs; - PrivilegeDb::getInstance().GetTizen2XPackages(pkgs); + PrivilegeDb::getInstance().GetSharedROPackages(pkgs); pkgsApps.resize(pkgs.size()); for (size_t i = 0; i < pkgs.size(); ++i) { @@ -477,6 +479,17 @@ bool ServiceImpl::isPrivilegePrivacy(const std::string &privilege) return false; } +bool ServiceImpl::isSharedRO(const pkg_paths& paths) +{ + for (const auto& pkgPath : paths) { + auto pathType = static_cast(pkgPath.second); + if (pathType == SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO) + return true; + } + + return false; +} + int ServiceImpl::appInstall(const Credentials &creds, app_inst_req &&req) { std::vector addedPermissions; 
@@ -486,8 +499,10 @@ int ServiceImpl::appInstall(const Credentials &creds, app_inst_req &&req) std::string pkgBasePath; std::string appLabel; std::string pkgLabel; - SmackRules::PkgsApps tizen2XpkgsApps; + SmackRules::PkgsApps sharedROPkgsApps; + SmackRules::PkgsApps allApps; int authorId; + bool hasSharedRO = isSharedRO(req.pkgPaths); try { installRequestMangle(req, cynaraUserStr); @@ -514,9 +529,9 @@ int ServiceImpl::appInstall(const Credentials &creds, app_inst_req &&req) PrivilegeDb::getInstance().GetPkgApps(req.pkgName, pkgContents); PrivilegeDb::getInstance().GetPkgAuthorId(req.pkgName, authorId); CynaraAdmin::getInstance().UpdateAppPolicy(appLabel, cynaraUserStr, req.privileges, isPrivilegePrivacy); - // if app is targetted to Tizen 2.X, give other 2.X apps RO rules to it's shared dir - if (isTizen2XVersion(req.tizenVersion)) - getTizen2XApps(tizen2XpkgsApps); + + if (hasSharedRO) + PrivilegeDb::getInstance().SetSharedROPackage(req.pkgName); // WTF? Why this commit is here? Shouldn't it be at the end of this function? PrivilegeDb::getInstance().CommitTransaction(); @@ -562,8 +577,10 @@ int ServiceImpl::appInstall(const Credentials &creds, app_inst_req &&req) << req.pkgName << ". Applications in package: " << pkgContents.size()); SmackRules::installApplicationRules(req.appName, req.pkgName, authorId, pkgContents); - if (isTizen2XVersion(req.tizenVersion)) - SmackRules::generateSharedRORules(tizen2XpkgsApps); + getSharedROApps(sharedROPkgsApps); + getAllApps(allApps); + + SmackRules::generateSharedRORules(allApps, sharedROPkgsApps); SmackRules::mergeRules(); } catch (const SmackException::InvalidParam &e) { @@ -591,7 +608,7 @@ int ServiceImpl::appUninstall(const Credentials &creds, app_inst_req &&req) bool removePkg = false; bool removeAuthor = false; std::string cynaraUserStr; - SmackRules::PkgsApps tizen2XpkgsApps; + SmackRules::PkgsApps pkgsApps, sharedROPkgsApps; std::map> asOwnerSharing; std::map> asTargetSharing; int authorId; 
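Review bot: `bool hasSharedRO = isSharedRO(req.pkgPaths);` is evaluated before `installRequestMangle(req, cynaraUserStr)`; if mangling can touch `req.pkgPaths` (its body is outside the hunk) the flag reflects the pre-mangled request, so it is safer to compute it immediately before the `SetSharedROPackage` call inside the transaction. Independently, the shared_ro flag is persisted at `CommitTransaction()` while the matching `generateSharedRORules(allApps, sharedROPkgsApps)` only runs later in the function, so a Smack failure after the commit leaves the database claiming the package is shared RO with no rules loaded; that mirrors the ordering the existing `WTF?` comment already questions and should at least be stated at the call site, e.g. `// persisted before rule generation: a later SmackRules failure leaves shared_ro=1 with no rules`. appInstall starts and ends outside these hunks.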
@@ -665,9 +682,8 @@ int ServiceImpl::appUninstall(const Credentials &creds, app_inst_req &&req) PrivilegeDb::getInstance().RemoveApplication(req.appName, req.uid, removeApp, removePkg, removeAuthor); - // if uninstalled app is targetted to Tizen 2.X, remove other 2.X apps RO rules it's shared dir - if (isTizen2XVersion(req.tizenVersion)) - getTizen2XApps(tizen2XpkgsApps); + getAllApps(pkgsApps); + getSharedROApps(sharedROPkgsApps); CynaraAdmin::getInstance().UpdateAppPolicy(smackLabel, cynaraUserStr, std::vector(), isPrivilegePrivacy); PrivilegeDb::getInstance().CommitTransaction(); @@ -709,11 +725,9 @@ int ServiceImpl::appUninstall(const Credentials &creds, app_inst_req &&req) SmackRules::updatePackageRules(req.pkgName, pkgContents); } - if (isTizen2XVersion(req.tizenVersion)) { - SmackRules::generateSharedRORules(tizen2XpkgsApps); - if (removePkg) - SmackRules::revokeSharedRORules(tizen2XpkgsApps, req.pkgName); - } + SmackRules::generateSharedRORules(pkgsApps, sharedROPkgsApps); + if (removePkg) + SmackRules::revokeSharedRORules(pkgsApps, req.pkgName); } if (authorId != -1 && removeAuthor) { 
@@ -1551,6 +1565,34 @@ int ServiceImpl::pathsRegister(const Credentials &creds, path_req req) return SECURITY_MANAGER_ERROR_MEMORY; } + try { + if (isSharedRO(req.pkgPaths)) { + PrivilegeDb::getInstance().BeginTransaction(); + + if (!PrivilegeDb::getInstance().IsPackageSharedRO(req.pkgName)) { + + PrivilegeDb::getInstance().SetSharedROPackage(req.pkgName); + + SmackRules::PkgsApps pkgsApps; + SmackRules::PkgsApps allApps; + + getSharedROApps(pkgsApps); + getAllApps(allApps); + + SmackRules::generateSharedRORules(allApps, pkgsApps); + SmackRules::mergeRules(); + } + PrivilegeDb::getInstance().CommitTransaction(); + } + } catch (const PrivilegeDb::Exception::IOError &e) { + LogError("Cannot access application database: " << e.DumpToString()); + return SECURITY_MANAGER_ERROR_SERVER_ERROR; + } catch (const PrivilegeDb::Exception::InternalError &e) { + PrivilegeDb::getInstance().RollbackTransaction(); + LogError("Error while saving application info to database: " << e.DumpToString()); + return SECURITY_MANAGER_ERROR_SERVER_ERROR; + } + return labelPaths(req.pkgPaths, req.pkgName, static_cast(req.installationType), diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp index b1a3a61..54fcecd 100644 --- a/src/common/smack-rules.cpp +++ b/src/common/smack-rules.cpp 
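Review bot: Between `BeginTransaction()` and `CommitTransaction()` the new block calls `SmackRules::generateSharedRORules` and `SmackRules::mergeRules`, but the catch clauses that follow handle only `PrivilegeDb::Exception::IOError` and `InternalError`; a Smack exception (the kind appInstall catches as `SmackException::InvalidParam` and its siblings, after its own commit) would propagate out of pathsRegister with the transaction still open and no `RollbackTransaction()`. Either commit before touching Smack rules, as appInstall does, or add a catch for the Smack exception types that rolls back and returns `SECURITY_MANAGER_ERROR_SERVER_ERROR`. The flag and the cross-package RO rules are also applied before `labelPaths` runs, so a later labelling failure leaves shared_ro=1 and rules granting every application read access to a label that no path carries yet; the rest of pathsRegister is outside the hunk, so whether the caller's right to register paths for `req.pkgName` has already been verified at that point is not visible here either.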
@@ -55,7 +55,7 @@ const std::string AUTHOR_RULES_TEMPLATE_FILE_PATH = TizenPlatformConfig::makePat const std::string SMACK_RULES_PATH_MERGED = LOCAL_STATE_DIR "/security-manager/rules-merged/rules.merged"; const std::string SMACK_RULES_PATH_MERGED_T = LOCAL_STATE_DIR "/security-manager/rules-merged/rules.merged.temp"; const std::string SMACK_RULES_PATH = LOCAL_STATE_DIR "/security-manager/rules"; -const std::string SMACK_RULES_SHARED_RO_PATH = LOCAL_STATE_DIR "/security-manager/rules/2x_shared_ro"; +const std::string SMACK_RULES_SHARED_RO_PATH = LOCAL_STATE_DIR "/security-manager/rules/shared_ro"; const std::string SMACK_APP_IN_PACKAGE_PERMS = "rwxat"; const std::string SMACK_APP_CROSS_PKG_PERMS = "rx"; const std::string SMACK_APP_PATH_OWNER_PERMS = "rwxat"; @@ -257,7 +257,7 @@ void SmackRules::generatePackageCrossDeps(const std::vector &pkgCon } } -void SmackRules::generateSharedRORules(PkgsApps &pkgsApps) +void SmackRules::generateSharedRORules(PkgsApps &pkgsApps, PkgsApps &sharedROPkgsApps) { LogDebug("Generating SharedRO rules"); @@ -265,12 +265,13 @@ void SmackRules::generateSharedRORules(PkgsApps &pkgsApps) for (size_t i = 0; i < pkgsApps.size(); ++i) { for (const std::string &appName : pkgsApps[i].second) { std::string appLabel = SmackLabels::generateAppLabel(appName); - for (size_t j = 0; j < pkgsApps.size(); ++j) { - if (j != i) { // Rules for SharedRO files from own pkg are generated elsewhere - std::string &pkgName = pkgsApps[j].first; + for (size_t j = 0; j < sharedROPkgsApps.size(); ++j) { + // Rules for SharedRO files from own pkg are generated elsewhere + if (pkgsApps[i] != sharedROPkgsApps[j]) { + const std::string &pkgName = sharedROPkgsApps[j].first; rules.add(appLabel, - SmackLabels::generatePkgLabelOwnerRWothersRO(pkgName), - SMACK_APP_CROSS_PKG_PERMS); + SmackLabels::generatePkgLabelOwnerRWothersRO(pkgName), + SMACK_APP_CROSS_PKG_PERMS); } } } 
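Review bot: The self-package exclusion in generateSharedRORules now compares whole elements, `pkgsApps[i] != sharedROPkgsApps[j]`, i.e. the package name together with its application vector, whereas the package name is the key the comment describes; `if (pkgsApps[i].first != sharedROPkgsApps[j].first) {` states the intent and avoids the vector comparison in the inner loop. The two vectors are filled by separate GetPkgApps calls (getAllApps and getSharedROApps), so they should match for the same package, but any difference would silently produce a rule from an app to its own package's shared label, which the comment says is generated elsewhere. `sharedROPkgsApps` is only read here, so the new parameter could be `const PkgsApps &` in both the header and this definition.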
@@ -294,8 +295,8 @@ void SmackRules::revokeSharedRORules(PkgsApps &pkgsApps, const std::string &revo for (const std::string &appName : pkgsApps[i].second) { std::string appLabel = SmackLabels::generateAppLabel(appName); rules.add(appLabel, - SmackLabels::generatePkgLabelOwnerRWothersRO(revokePkg), - SMACK_APP_CROSS_PKG_PERMS); + SmackLabels::generatePkgLabelOwnerRWothersRO(revokePkg), + SMACK_APP_CROSS_PKG_PERMS); } } diff --git a/src/include/security-manager-types.h b/src/include/security-manager-types.h index 0c2891e..7b8c8bb 100644 --- a/src/include/security-manager-types.h +++ b/src/include/security-manager-types.h @@ -63,8 +63,7 @@ enum app_install_path_type { SECURITY_MANAGER_PATH_RW, //! RO access for given application package SECURITY_MANAGER_PATH_RO, - //! RW access for the owner, RO for other 2.X applications - //! (other 3.0 apps will not have access to the shared folder) + //! RW access for the owner, RO for other applications SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO, //! RW access for application packages coming from the same author SECURITY_MANAGER_PATH_TRUSTED_RW, -- 2.7.4 From 931ab0c11115c8d3a51241278608b84ec0c00e4c Mon Sep 17 00:00:00 2001 From: "jin-gyu.kim" Date: Mon, 29 Aug 2016 10:22:31 +0900 Subject: [PATCH 02/16] Release version 1.1.16 Implement libnss_securitymanager Add security_manager_groups_for_uid() Rewrite shared RO directory support in security-manager Change-Id: Ia84f81babf4fef47eb21409c00a0c239570811ff --- packaging/security-manager.changes | 6 ++++++ packaging/security-manager.spec | 2 +- pc/security-manager.pc.in | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/packaging/security-manager.changes b/packaging/security-manager.changes index 232ccaf..438de3e 100644 --- a/packaging/security-manager.changes +++ b/packaging/security-manager.changes 
@@ -1,3 +1,9 @@ +* Mon Aug 29 2016 Jin-gyu Kim +- Version 1.1.16 +- Implement libnss_securitymanager +- Add security_manager_groups_for_uid() +- Rewrite shared RO directory support in security-manager + * Mon Aug 22 2016 Yunjin Lee - Version 1.1.15 - Add core privilege: appdir.shareddata diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec index 6251681..0acdea5 100644 --- a/packaging/security-manager.spec +++ b/packaging/security-manager.spec @@ -1,6 +1,6 @@ Name: security-manager Summary: Security manager and utilities -Version: 1.1.15 +Version: 1.1.16 Release: 0 Group: Security/Service License: Apache-2.0 diff --git a/pc/security-manager.pc.in b/pc/security-manager.pc.in index f316db0..ea49f28 100644 --- a/pc/security-manager.pc.in +++ b/pc/security-manager.pc.in @@ -5,7 +5,7 @@ includedir=${prefix}/include Name: security-manager Description: Security Manager Package -Version: 1.1.15 +Version: 1.1.16 Requires: Libs: -L${libdir} -lsecurity-manager-client Cflags: -I${includedir}/security-manager -- 2.7.4 From e61e12482aee565960ffa787a33e75e9bd265881 Mon Sep 17 00:00:00 2001 From: Bartlomiej Grzelewski Date: Mon, 13 Jun 2016 11:42:22 +0200 Subject: [PATCH 03/16] Add variadic template for deserialization Similiar template already exist for serialization Change-Id: I922e8f08f658645a61b62a74eaa8928d7bb238c7 --- src/dpl/core/include/dpl/serialization.h | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/dpl/core/include/dpl/serialization.h b/src/dpl/core/include/dpl/serialization.h index 4782e1c..a370643 100644 --- a/src/dpl/core/include/dpl/serialization.h +++ b/src/dpl/core/include/dpl/serialization.h 
@@ -400,6 +400,13 @@ struct Deserialization { map = new std::map; Deserialize(stream, *map); } + + template + static void Deserialize(IStream& stream, T1 &first, T2 &second, Tail&... tail) + { + Deserialization::Deserialize(stream, first); + Deserialization::Deserialize(stream, second, tail...); + } }; // struct Deserialization } // namespace SecurityManager -- 2.7.4 From 329f735801325f764b839752d0faf361db88168b Mon Sep 17 00:00:00 2001 From: Krzysztof Jackiewicz Date: Wed, 24 Aug 2016 15:59:33 +0200 Subject: [PATCH 04/16] Replace obsolete tkill with tgkill Change-Id: I23c2ecf80802b7fdfb9a14c19265285579d69266 --- src/client/client-security-manager.cpp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp index f184e6d..fae54c2 100644 --- a/src/client/client-security-manager.cpp +++ b/src/client/client-security-manager.cpp @@ -497,9 +497,9 @@ inline static uid_t gettid() return syscall(SYS_gettid); } -inline static void tkill(uid_t tid) +inline static void tgkill(pid_t tgid, uid_t tid) { - syscall(SYS_tkill, tid, SIGUSR1); + syscall(SYS_tgkill, tgid, tid, SIGUSR1); } inline static int label_for_self_internal() @@ -530,6 +530,7 @@ static inline int security_manager_sync_threads_internal(const char *app_name) FS::FileNameVector files = FS::getDirsFromDirectory("/proc/self/task"); uid_t cur_tid = gettid(); + pid_t cur_pid = getpid(); g_app_label = SecurityManager::SmackLabels::generateAppLabel(app_name); g_threads_count = 0; @@ -590,7 +591,7 @@ static inline int security_manager_sync_threads_internal(const char *app_name) g_tid_attr_current_map[tid] = "/proc/self/task/" + std::to_string(tid) + "/attr/current"; sent_signals_count++; - tkill(tid); + tgkill(cur_pid, tid); } LogDebug("sent_signals_count: " << sent_signals_count); -- 2.7.4 From 98c5be46d3870e726fea0ae569c9572c2eea3810 Mon Sep 17 00:00:00 2001 
From: Krzysztof Jackiewicz Date: Wed, 24 Aug 2016 15:49:22 +0200 Subject: [PATCH 05/16] Move release fence after the last global variable is modified The global variable g_tid_attr_current_map is being read by other threads. To guarantee that its modification in main thread is visible in other threads the release fence should be set *after* the modification. Change-Id: Iff7bdd4053baa86f13a0465e52c599396e2dcb8f --- src/client/client-security-manager.cpp | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp index fae54c2..f972274 100644 --- a/src/client/client-security-manager.cpp +++ b/src/client/client-security-manager.cpp @@ -549,8 +549,6 @@ static inline int security_manager_sync_threads_internal(const char *app_name) return SECURITY_MANAGER_ERROR_UNKNOWN; } - std::atomic_thread_fence(std::memory_order_release); - struct sigaction act; struct sigaction old; memset(&act, '\0', sizeof(act)); @@ -590,8 +588,13 @@ static inline int security_manager_sync_threads_internal(const char *app_name) continue; g_tid_attr_current_map[tid] = "/proc/self/task/" + std::to_string(tid) + "/attr/current"; + } + + std::atomic_thread_fence(std::memory_order_release); + + for (auto const& t_pair : g_tid_attr_current_map) { sent_signals_count++; - tgkill(cur_pid, tid); + tgkill(cur_pid, t_pair.first); } LogDebug("sent_signals_count: " << sent_signals_count); -- 2.7.4 From db2a9b5a4a4d63a4a514e9fa11677d088b80899c Mon Sep 17 00:00:00 2001 From: Krzysztof Jackiewicz Date: Wed, 24 Aug 2016 16:45:21 +0200 Subject: [PATCH 06/16] Check tgkill() result tgkill() returns an error if we're attempting to send a signal to non-existing thread. If this is the case don't increment the sent signals counter. Change-Id: I1cf10fe5a056e7715660b02647dfdef4a6406ff3 --- src/client/client-security-manager.cpp | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) 
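Review bot: Moving the release fence after the last write to `g_tid_attr_current_map` is the right side of the pairing, but it only establishes visibility if the reader, the SIGUSR1 handler that is outside this hunk, performs a matching acquire fence or acquire load after observing the signal; please confirm that, and record it at the fence with `// publish g_tid_attr_current_map to the signalled threads; pairs with the acquire in the handler`. The new second loop iterates `g_tid_attr_current_map` while handlers may be reading it concurrently, which is fine while both sides only read; it becomes a race if anything later in security_manager_sync_threads_internal (outside the hunk) erases from the map before all handlers have finished.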
diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp index f972274..e8e854a 100644 --- a/src/client/client-security-manager.cpp +++ b/src/client/client-security-manager.cpp @@ -497,9 +497,9 @@ inline static uid_t gettid() return syscall(SYS_gettid); } -inline static void tgkill(pid_t tgid, uid_t tid) +inline static bool tgkill(pid_t tgid, uid_t tid) { - syscall(SYS_tgkill, tgid, tid, SIGUSR1); + return syscall(SYS_tgkill, tgid, tid, SIGUSR1) == 0; } inline static int label_for_self_internal() @@ -593,8 +593,12 @@ static inline int security_manager_sync_threads_internal(const char *app_name) std::atomic_thread_fence(std::memory_order_release); for (auto const& t_pair : g_tid_attr_current_map) { + if (!tgkill(cur_pid, t_pair.first)) { + LogWarning("Error in tgkill()"); + continue; + } + sent_signals_count++; - tgkill(cur_pid, t_pair.first); } LogDebug("sent_signals_count: " << sent_signals_count); -- 2.7.4 From 1c896053831d436812b1de13ed1f9a342d7212aa Mon Sep 17 00:00:00 2001 From: Radoslaw Bartosiak Date: Mon, 22 Aug 2016 13:01:50 +0200 Subject: [PATCH 07/16] Fix log prefix (tag) for Pedantic log level Change-Id: If973da5d653d2a5f5bee49a2d321e1232968cedf SigODned-off-by: Radoslaw Bartosiak --- src/dpl/log/src/dlog_log_provider.cpp | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/dpl/log/src/dlog_log_provider.cpp b/src/dpl/log/src/dlog_log_provider.cpp index 79a7fd4..38a3334 100644 --- a/src/dpl/log/src/dlog_log_provider.cpp +++ b/src/dpl/log/src/dlog_log_provider.cpp @@ -99,10 +99,8 @@ void DLOGLogProvider::Pedantic(const char *message, int line, const char *function) { - SLOG(LOG_DEBUG, "SecurityManager", "%s", FormatMessage(message, - filename, - line, - function).c_str()); + SLOG(LOG_DEBUG, m_tag.get(), "%s", + FormatMessage(message, filename, line, function).c_str()); } } // nemespace Log -- 2.7.4 From 60173f27fe7d524ae0ad042c858c8fd115126210 Mon Sep 17 00:00:00 2001 
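Review bot: The new failure branch logs `"Error in tgkill()"` without the thread id or errno, so a thread that exited between the /proc scan and the signal (ESRCH) is indistinguishable in the log from EPERM or EINVAL; `LogWarning("tgkill() failed for tid " << t_pair.first << ": " << strerror(errno));` (with <cerrno>/<cstring> if not already included) gives the operator what is needed. The skipped entry stays in `g_tid_attr_current_map`; if the wait that follows compares `g_threads_count` against the map size rather than `sent_signals_count`, the dead thread would stall the synchronisation, so please confirm the remainder of security_manager_sync_threads_internal, which is outside the hunk, keys on `sent_signals_count`. The signature `tgkill(pid_t tgid, uid_t tid)` keeps the pre-existing `uid_t` for a thread id; `pid_t` is the type the syscall takes and would be worth fixing in the same pass.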
From: Yunjin Lee Date: Fri, 12 Aug 2016 11:24:07 +0900 Subject: [PATCH 08/16] Remove core privilege : vpnservice.admin Refer to https://review.tizen.org/gerrit/#/c/83497/ Change-Id: Ieaf205d822bc560955b9c5464d2b98988c4cf08c Signed-off-by: Yunjin Lee --- policy/usertype-admin.profile | 1 - policy/usertype-guest.profile | 1 - policy/usertype-normal.profile | 1 - policy/usertype-system.profile | 1 - 4 files changed, 4 deletions(-) diff --git a/policy/usertype-admin.profile b/policy/usertype-admin.profile index f370af8..d138a6c 100644 --- a/policy/usertype-admin.profile +++ b/policy/usertype-admin.profile @@ -96,7 +96,6 @@ * http://tizen.org/privilege/use_ir * http://tizen.org/privilege/volume.set * http://tizen.org/privilege/vpnservice -* http://tizen.org/privilege/vpnservice.admin * http://tizen.org/privilege/web-history.admin * http://tizen.org/privilege/widget.viewer * http://tizen.org/privilege/wifidirect diff --git a/policy/usertype-guest.profile b/policy/usertype-guest.profile index 8e09af4..df32f8f 100644 --- a/policy/usertype-guest.profile +++ b/policy/usertype-guest.profile @@ -96,7 +96,6 @@ * http://tizen.org/privilege/use_ir * http://tizen.org/privilege/volume.set * http://tizen.org/privilege/vpnservice -* http://tizen.org/privilege/vpnservice.admin * http://tizen.org/privilege/web-history.admin * http://tizen.org/privilege/widget.viewer * http://tizen.org/privilege/wifidirect diff --git a/policy/usertype-normal.profile b/policy/usertype-normal.profile index 8ab2375..859b806 100644 --- a/policy/usertype-normal.profile +++ b/policy/usertype-normal.profile @@ -96,7 +96,6 @@ * http://tizen.org/privilege/use_ir * http://tizen.org/privilege/volume.set * http://tizen.org/privilege/vpnservice -* http://tizen.org/privilege/vpnservice.admin * http://tizen.org/privilege/web-history.admin * http://tizen.org/privilege/widget.viewer * http://tizen.org/privilege/wifidirect 
diff --git a/policy/usertype-system.profile b/policy/usertype-system.profile index df5b94b..e22f03a 100644 --- a/policy/usertype-system.profile +++ b/policy/usertype-system.profile @@ -96,7 +96,6 @@ * http://tizen.org/privilege/use_ir * http://tizen.org/privilege/volume.set * http://tizen.org/privilege/vpnservice -* http://tizen.org/privilege/vpnservice.admin * http://tizen.org/privilege/web-history.admin * http://tizen.org/privilege/widget.viewer * http://tizen.org/privilege/wifidirect -- 2.7.4 From 63b0ca3dd3a9ec286534f7417d3709c8fa68c89e Mon Sep 17 00:00:00 2001 From: Yunjin Lee Date: Wed, 31 Aug 2016 17:45:30 +0900 Subject: [PATCH 09/16] Add/remove core privilege - add fido.client - remove dpm.settings Change-Id: If4e4e15692f11afd11269c938e657d2fc6bf7680 Signed-off-by: Yunjin Lee --- policy/usertype-admin.profile | 2 +- policy/usertype-guest.profile | 2 +- policy/usertype-normal.profile | 2 +- policy/usertype-system.profile | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/policy/usertype-admin.profile b/policy/usertype-admin.profile index d138a6c..880aa94 100644 --- a/policy/usertype-admin.profile +++ b/policy/usertype-admin.profile @@ -41,7 +41,6 @@ * http://tizen.org/privilege/dpm.microphone * http://tizen.org/privilege/dpm.password * http://tizen.org/privilege/dpm.security -* http://tizen.org/privilege/dpm.settings * http://tizen.org/privilege/dpm.storage * http://tizen.org/privilege/dpm.usb * http://tizen.org/privilege/dpm.wifi @@ -51,6 +50,7 @@ * http://tizen.org/privilege/email.admin * http://tizen.org/privilege/externalstorage * http://tizen.org/privilege/externalstorage.appdata +* http://tizen.org/privilege/fido.client * http://tizen.org/privilege/haptic * http://tizen.org/privilege/healthinfo * http://tizen.org/privilege/ime diff --git a/policy/usertype-guest.profile b/policy/usertype-guest.profile index df32f8f..3f8f5ca 100644 --- a/policy/usertype-guest.profile +++ b/policy/usertype-guest.profile 
@@ -41,7 +41,6 @@ * http://tizen.org/privilege/dpm.microphone * http://tizen.org/privilege/dpm.password * http://tizen.org/privilege/dpm.security -* http://tizen.org/privilege/dpm.settings * http://tizen.org/privilege/dpm.storage * http://tizen.org/privilege/dpm.usb * http://tizen.org/privilege/dpm.wifi @@ -51,6 +50,7 @@ * http://tizen.org/privilege/email.admin * http://tizen.org/privilege/externalstorage * http://tizen.org/privilege/externalstorage.appdata +* http://tizen.org/privilege/fido.client * http://tizen.org/privilege/haptic * http://tizen.org/privilege/healthinfo * http://tizen.org/privilege/ime diff --git a/policy/usertype-normal.profile b/policy/usertype-normal.profile index 859b806..6d97372 100644 --- a/policy/usertype-normal.profile +++ b/policy/usertype-normal.profile @@ -41,7 +41,6 @@ * http://tizen.org/privilege/dpm.microphone * http://tizen.org/privilege/dpm.password * http://tizen.org/privilege/dpm.security -* http://tizen.org/privilege/dpm.settings * http://tizen.org/privilege/dpm.storage * http://tizen.org/privilege/dpm.usb * http://tizen.org/privilege/dpm.wifi @@ -51,6 +50,7 @@ * http://tizen.org/privilege/email.admin * http://tizen.org/privilege/externalstorage * http://tizen.org/privilege/externalstorage.appdata +* http://tizen.org/privilege/fido.client * http://tizen.org/privilege/haptic * http://tizen.org/privilege/healthinfo * http://tizen.org/privilege/ime diff --git a/policy/usertype-system.profile b/policy/usertype-system.profile index e22f03a..8ad1ea3 100644 --- a/policy/usertype-system.profile +++ b/policy/usertype-system.profile @@ -41,7 +41,6 @@ * http://tizen.org/privilege/dpm.microphone * http://tizen.org/privilege/dpm.password * http://tizen.org/privilege/dpm.security -* http://tizen.org/privilege/dpm.settings * http://tizen.org/privilege/dpm.storage * http://tizen.org/privilege/dpm.usb * http://tizen.org/privilege/dpm.wifi 
@@ -51,6 +50,7 @@
 * http://tizen.org/privilege/email.admin
 * http://tizen.org/privilege/externalstorage
 * http://tizen.org/privilege/externalstorage.appdata
+* http://tizen.org/privilege/fido.client
 * http://tizen.org/privilege/haptic
 * http://tizen.org/privilege/healthinfo
 * http://tizen.org/privilege/ime
-- 
2.7.4
From 939cd8ad67555d2e5a7f49cebd84b02d8e7bf3c0 Mon Sep 17 00:00:00 2001
From: Yunjin Lee
Date: Mon, 5 Sep 2016 16:09:26 +0900
Subject: [PATCH 10/16] Release version 1.1.17
- Add/remove core privilege(fido.client/ dpm.settings)
- Remove core privilege : vpnservice.admin
- Fix log prefix (tag) for Pedantic log level
- Check tgkill() result
- Move release fence after the last global variable is modified
- Replace obsolete tkill with tgkill
- Add variadic template for deserialization
Change-Id: Ida63ca692cfce636ca78a64ac2c2a5383abaf397
Signed-off-by: Yunjin Lee
---
 packaging/security-manager.changes | 10 ++++++++++
 packaging/security-manager.spec | 2 +-
 pc/security-manager.pc.in | 2 +-
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/packaging/security-manager.changes b/packaging/security-manager.changes
index 438de3e..5ac192c 100644
--- a/packaging/security-manager.changes
+++ b/packaging/security-manager.changes
@@ -1,3 +1,13 @@
+* Mon Sep 05 2016 Yunjin Lee
+- Version 1.1.17
+- Add/remove core privilege(fido.client/ dpm.settings)
+- Remove core privilege : vpnservice.admin
+- Fix log prefix (tag) for Pedantic log level
+- Check tgkill() result
+- Move release fence after the last global variable is modified
+- Replace obsolete tkill with tgkill
+- Add variadic template for deserialization
+
 * Mon Aug 29 2016 Jin-gyu Kim
 - Version 1.1.16
 - Implement libnss_securitymanager
diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec
index 0acdea5..112fdc0 100644
--- a/packaging/security-manager.spec
+++ b/packaging/security-manager.spec
@@ -1,6 +1,6 @@
 Name: security-manager
 Summary: Security manager and utilities
-Version: 1.1.16
+Version: 1.1.17
 Release: 0
 Group: Security/Service
 License: Apache-2.0
diff --git a/pc/security-manager.pc.in b/pc/security-manager.pc.in
index ea49f28..1247da9 100644
--- a/pc/security-manager.pc.in
+++ b/pc/security-manager.pc.in
@@ -5,7 +5,7 @@ includedir=${prefix}/include
 
 Name: security-manager
 Description: Security Manager Package
-Version: 1.1.16
+Version: 1.1.17
 Requires:
 Libs: -L${libdir} -lsecurity-manager-client
 Cflags: -I${includedir}/security-manager
-- 
2.7.4
From b746072390e052623ce8c423008e23b88b26d52a Mon Sep 17 00:00:00 2001
From: jooseong lee
Date: Mon, 25 Jul 2016 14:13:16 +0900
Subject: [PATCH 11/16] Add internal privilege for internal APIs
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Internal APIs are only for service daemons, which means any applications must not call them. To internal policy checking inside daemon’s code, we can use cynara check with this new internal privilege.
* http://tizen.org/privilege/internal/service
There are some internal privileges for the same purpose, such as inputdevice.block privilege. These privileges will be replaced to this privilege.
Change-Id: I415e635f017fb83d8a326739077635b2537d4db7
Signed-off-by: jooseong lee
---
 policy/usertype-admin.profile | 1 +
 policy/usertype-guest.profile | 1 +
 policy/usertype-normal.profile | 1 +
 policy/usertype-system.profile | 1 +
 4 files changed, 4 insertions(+)
diff --git a/policy/usertype-admin.profile b/policy/usertype-admin.profile
index 880aa94..190d63b 100644
--- a/policy/usertype-admin.profile
+++ b/policy/usertype-admin.profile
@@ -119,6 +119,7 @@
 * http://tizen.org/privilege/internal/inputdevice.block
 * http://tizen.org/privilege/internal/usermanagement
 * http://tizen.org/privilege/internal/appdebugging
+* http://tizen.org/privilege/internal/service
 * http://tizen.org/privilege/internal/web/appmanager.certificate
 * http://tizen.org/privilege/internal/web/datasync
 * http://tizen.org/privilege/internal/web/fullscreen
diff --git a/policy/usertype-guest.profile b/policy/usertype-guest.profile
index 3f8f5ca..ec3a3e1 100644
--- a/policy/usertype-guest.profile
+++ b/policy/usertype-guest.profile
@@ -118,6 +118,7 @@
 * http://tizen.org/privilege/internal/dbus
 * http://tizen.org/privilege/internal/inputdevice.block
 * http://tizen.org/privilege/internal/appdebugging
+* http://tizen.org/privilege/internal/service
 * http://tizen.org/privilege/internal/web/appmanager.certificate
 * http://tizen.org/privilege/internal/web/datasync
 * http://tizen.org/privilege/internal/web/fullscreen
diff --git a/policy/usertype-normal.profile b/policy/usertype-normal.profile
index 6d97372..e3ba432 100644
--- a/policy/usertype-normal.profile
+++ b/policy/usertype-normal.profile
@@ -118,6 +118,7 @@
 * http://tizen.org/privilege/internal/dbus
 * http://tizen.org/privilege/internal/inputdevice.block
 * http://tizen.org/privilege/internal/appdebugging
+* http://tizen.org/privilege/internal/service
 * http://tizen.org/privilege/internal/web/appmanager.certificate
 * http://tizen.org/privilege/internal/web/datasync
 * http://tizen.org/privilege/internal/web/fullscreen
diff --git a/policy/usertype-system.profile b/policy/usertype-system.profile
index 8ad1ea3..660411d 100644
--- a/policy/usertype-system.profile
+++ b/policy/usertype-system.profile
@@ -118,6 +118,7 @@
 * http://tizen.org/privilege/internal/dbus
 * http://tizen.org/privilege/internal/inputdevice.block
 * http://tizen.org/privilege/internal/appdebugging
+* http://tizen.org/privilege/internal/service
 * http://tizen.org/privilege/internal/web/appmanager.certificate
 * http://tizen.org/privilege/internal/web/datasync
 * http://tizen.org/privilege/internal/web/fullscreen
-- 
2.7.4
From c98745cce09ac0a7d6b650b7d1d942f114b3c4c2 Mon Sep 17 00:00:00 2001
From: Zofia Abramowska
Date: Mon, 29 Aug 2016 15:19:14 +0200
Subject: [PATCH 12/16] Add support for USER_TYPE_SECURITY
Change-Id: I45ba88fc3a69ec632af6b195f82e288a25388288
---
 policy/usertype-security.profile | 131 +++++++++++++++++++++++++++++++++++
 src/client/CMakeLists.txt | 2 +-
 src/cmd/security-manager-cmd.cpp | 3 +-
 src/common/cynara.cpp | 46 +++++++-----
 src/common/include/cynara.h | 1 +
 src/include/security-manager-types.h | 12 ++--
 6 files changed, 169 insertions(+), 26 deletions(-)
 create mode 100644 policy/usertype-security.profile
diff --git a/policy/usertype-security.profile b/policy/usertype-security.profile
new file mode 100644
index 0000000..8ab2375
--- /dev/null
+++ b/policy/usertype-security.profile
@@ -0,0 +1,131 @@
+'Normal usertype permissions
+'app permission
+* http://tizen.org/privilege/account.read
+* http://tizen.org/privilege/account.write
+* http://tizen.org/privilege/alarm.get
+* http://tizen.org/privilege/alarm.set
+* http://tizen.org/privilege/antivirus
+* http://tizen.org/privilege/antivirus.admin
+* http://tizen.org/privilege/antivirus.scan
+* http://tizen.org/privilege/antivirus.webprotect
+* http://tizen.org/privilege/appdir.shareddata
+* http://tizen.org/privilege/apphistory.read
+* http://tizen.org/privilege/appmanager.kill
+* http://tizen.org/privilege/appmanager.kill.bgapp
+* http://tizen.org/privilege/appmanager.launch
+* http://tizen.org/privilege/bluetooth
+* http://tizen.org/privilege/bluetooth.admin
+* http://tizen.org/privilege/bookmark.admin
+* http://tizen.org/privilege/calendar.read
+* http://tizen.org/privilege/calendar.write
+* http://tizen.org/privilege/call
+* http://tizen.org/privilege/callhistory.read
+* http://tizen.org/privilege/callhistory.write
+* http://tizen.org/privilege/camera
+* http://tizen.org/privilege/contact.read
+* http://tizen.org/privilege/contact.write
+* http://tizen.org/privilege/content.write
+* http://tizen.org/privilege/d2d.datasharing
+* http://tizen.org/privilege/datasharing
+* http://tizen.org/privilege/display
+* http://tizen.org/privilege/download
+* http://tizen.org/privilege/dpm.bluetooth
+* http://tizen.org/privilege/dpm.browser
+* http://tizen.org/privilege/dpm.camera
+* http://tizen.org/privilege/dpm.clipboard
+* http://tizen.org/privilege/dpm.debugging
+* http://tizen.org/privilege/dpm.email
+* http://tizen.org/privilege/dpm.location
+* http://tizen.org/privilege/dpm.lock
+* http://tizen.org/privilege/dpm.message
+* http://tizen.org/privilege/dpm.microphone
+* http://tizen.org/privilege/dpm.password
+* http://tizen.org/privilege/dpm.security
+* http://tizen.org/privilege/dpm.settings
+* http://tizen.org/privilege/dpm.storage
+* http://tizen.org/privilege/dpm.usb
+* http://tizen.org/privilege/dpm.wifi
+* http://tizen.org/privilege/dpm.wipe
+* http://tizen.org/privilege/dpm.zone
+* http://tizen.org/privilege/email
+* http://tizen.org/privilege/email.admin
+* http://tizen.org/privilege/externalstorage
+* http://tizen.org/privilege/externalstorage.appdata
+* http://tizen.org/privilege/haptic
+* http://tizen.org/privilege/healthinfo
+* http://tizen.org/privilege/ime
+* http://tizen.org/privilege/imemanager
+* http://tizen.org/privilege/inputgenerator
+* http://tizen.org/privilege/internet
+* http://tizen.org/privilege/keygrab
+* http://tizen.org/privilege/keymanager
+* http://tizen.org/privilege/led
+* http://tizen.org/privilege/location
+* http://tizen.org/privilege/location.coarse
+* http://tizen.org/privilege/location.enable
+* http://tizen.org/privilege/mapservice
+* http://tizen.org/privilege/mediacontroller.client
+* http://tizen.org/privilege/mediacontroller.server
+* http://tizen.org/privilege/mediahistory.read
+* http://tizen.org/privilege/mediastorage
+* http://tizen.org/privilege/message.read
+* http://tizen.org/privilege/message.write
+* http://tizen.org/privilege/minicontrol.provider
+* http://tizen.org/privilege/network.get
+* http://tizen.org/privilege/network.profile
+* http://tizen.org/privilege/network.set
+* http://tizen.org/privilege/nfc
+* http://tizen.org/privilege/nfc.admin
+* http://tizen.org/privilege/nfc.cardemulation
+* http://tizen.org/privilege/notification
+* http://tizen.org/privilege/packagemanager.admin
+* http://tizen.org/privilege/packagemanager.clearcache
+* http://tizen.org/privilege/packagemanager.info
+* http://tizen.org/privilege/power
+* http://tizen.org/privilege/push
+* http://tizen.org/privilege/reboot
+* http://tizen.org/privilege/recorder
+* http://tizen.org/privilege/screenshot
+* http://tizen.org/privilege/secureelement
+* http://tizen.org/privilege/shortcut
+* http://tizen.org/privilege/systemmonitor
+* http://tizen.org/privilege/systemsettings.admin
+* http://tizen.org/privilege/telephony
+* http://tizen.org/privilege/telephony.admin
+* http://tizen.org/privilege/tethering.admin
+* http://tizen.org/privilege/use_ir
+* http://tizen.org/privilege/volume.set
+* http://tizen.org/privilege/vpnservice
+* http://tizen.org/privilege/vpnservice.admin
+* http://tizen.org/privilege/web-history.admin
+* http://tizen.org/privilege/widget.viewer
+* http://tizen.org/privilege/wifidirect
+* http://tizen.org/privilege/window.priority.set
+* http://tizen.org/privilege/notexist
+* http://tizen.org/privilege/internal/default/public
+* http://tizen.org/privilege/internal/default/partner
+* http://tizen.org/privilege/internal/default/platform
+* http://tizen.org/privilege/internal/buxton
+* http://tizen.org/privilege/internal/buxton/account.read
+* http://tizen.org/privilege/internal/buxton/camcorder
+* http://tizen.org/privilege/internal/buxton/contact.read
+* http://tizen.org/privilege/internal/buxton/location
+* http://tizen.org/privilege/internal/buxton/message.read
+* http://tizen.org/privilege/internal/buxton/network.get
+* http://tizen.org/privilege/internal/buxton/nfc
+* http://tizen.org/privilege/internal/buxton/nfc.cardemulation
+* http://tizen.org/privilege/internal/buxton/readonly
+* http://tizen.org/privilege/internal/buxton/telephony
+* http://tizen.org/privilege/internal/dbus
+* http://tizen.org/privilege/internal/inputdevice.block
+* http://tizen.org/privilege/internal/appdebugging
+* http://tizen.org/privilege/internal/web/appmanager.certificate
+* http://tizen.org/privilege/internal/web/datasync
+* http://tizen.org/privilege/internal/web/fullscreen
+* http://tizen.org/privilege/internal/web/tv.audio
+* http://tizen.org/privilege/internal/web/tv.channel
+* http://tizen.org/privilege/internal/web/tv.display
+* http://tizen.org/privilege/internal/web/tv.inputdevice
+* http://tizen.org/privilege/internal/web/tv.window
+* http://tizen.org/privilege/internal/web/unlimitedstorage
+* http://tizen.org/privilege/internal/web/websetting
diff --git a/src/client/CMakeLists.txt b/src/client/CMakeLists.txt
index 44d898f..d1996a2 100644
--- a/src/client/CMakeLists.txt
+++ b/src/client/CMakeLists.txt
@@ -5,7 +5,7 @@ PKG_CHECK_MODULES(CLIENT_DEP
 libprocps
 )
 
-SET(CLIENT_VERSION_MAJOR 1)
+SET(CLIENT_VERSION_MAJOR 2)
 SET(CLIENT_VERSION ${CLIENT_VERSION_MAJOR}.0.2)
 
 INCLUDE_DIRECTORIES(SYSTEM
diff --git a/src/cmd/security-manager-cmd.cpp b/src/cmd/security-manager-cmd.cpp
index 4dad63a..7c0806f 100644
--- a/src/cmd/security-manager-cmd.cpp
+++ b/src/cmd/security-manager-cmd.cpp
@@ -52,7 +52,8 @@ static std::map user_type_map = {
 {"system", SM_USER_TYPE_SYSTEM},
 {"admin", SM_USER_TYPE_ADMIN},
 {"guest", SM_USER_TYPE_GUEST},
- {"normal", SM_USER_TYPE_NORMAL}
+ {"normal", SM_USER_TYPE_NORMAL},
+ {"security", SM_USER_TYPE_SECURITY}
 };
 
 static std::map install_type_map = {
diff --git a/src/common/cynara.cpp b/src/common/cynara.cpp
index 04cff83..5580e11 100644
--- a/src/common/cynara.cpp
+++ b/src/common/cynara.cpp
@@ -59,6 +59,7 @@ namespace SecurityManager {
 * - USER_TYPE_ADMIN
 * - USER_TYPE_SYSTEM
 * - USER_TYPE_NORMAL
+ * - USER_TYPE_SECURITY
 * - USER_TYPE_GUEST - they store privileges from templates for apropriate
 * user type. ALLOW rules only.
 * - ADMIN - stores custom rules introduced by device administrator.
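Review bot: The new policy/usertype-security.profile still grants `* http://tizen.org/privilege/dpm.settings` and `* http://tizen.org/privilege/vpnservice.admin`, which the two preceding patches in this series removed from the admin, guest, normal and system profiles, and it lacks `* http://tizen.org/privilege/fido.client` and `* http://tizen.org/privilege/internal/service` that those four profiles gained. Its first line reads `'Normal usertype permissions`, so it looks like a copy of an older revision of the normal profile rather than of the current one. Because these profiles are loaded as ALLOW rules for the user type (see the bucket comment hunk in cynara.cpp), a SECURITY user would keep two privileges that were deliberately dropped for every other type and miss two that every other type now has. Please regenerate the file from the current normal profile and change the header line to name the security usertype.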
@@ -82,23 +83,29 @@ namespace SecurityManager { * |---------------| | | |-------------------| * | <> |<--| * * * Bucket:MANIFESTS|---->| <> | * | USER_TYPE_SYST| |------------------------| | USER_TYPE_NORMAL | - * | | | | | | - * |---------------| | | |-------------------| - * | | | | - * | V V | - * | |---------------| |---------------| | - * | | <> | | <> | | - * | |USER_TYPE_GUEST| |USER_TYPE_ADMIN| | - * | | | | | | - * | |---------------| |---------------| | - * | | | | - * | |---- -----| | - * | | | | - * | V V | - * | |------------------| | - * |-------------> | <> | <---------------| - * | ADMIN | - * | | + * | | | | | | | + * |---------------| | | | |-------------------| + * | | | | | + * | V | V | + * | |---------------| | |---------------| | + * | | <> | | | <> | | + * | |USER_TYPE_GUEST| | |USER_TYPE_ADMIN| | + * | | | | | | | + * | |---------------| | |---------------| | + * | | V | | + * | | |------------------| | | + * | | | <> | | | + * | | |USER_TYPE_SECURITY| | | + * | | | | | | + * | | |------------------| | | + * | | | | | + * | | | | | + * | | | | | + * | | V | | + * | | |------------------| | | + * | |--->| <> |<----| | + * | | ADMIN | | + * |--------------->| |<----------------| * |------------------| * */
@@ -108,6 +115,7 @@ CynaraAdmin::BucketsMap CynaraAdmin::Buckets = {
 { Bucket::MAIN, std::string("MAIN")},
 { Bucket::USER_TYPE_ADMIN, std::string("USER_TYPE_ADMIN")},
 { Bucket::USER_TYPE_NORMAL, std::string("USER_TYPE_NORMAL")},
+ { Bucket::USER_TYPE_SECURITY, std::string("USER_TYPE_SECURITY")},
 { Bucket::USER_TYPE_GUEST, std::string("USER_TYPE_GUEST") },
 { Bucket::USER_TYPE_SYSTEM, std::string("USER_TYPE_SYSTEM")},
 { Bucket::ADMIN, std::string("ADMIN")},
@@ -405,9 +413,11 @@ void CynaraAdmin::UserInit(uid_t uid, security_manager_user_type userType,
 case SM_USER_TYPE_NORMAL:
 bucket = Bucket::USER_TYPE_NORMAL;
 break;
+ case SM_USER_TYPE_SECURITY:
+ bucket = Bucket::USER_TYPE_SECURITY;
+ break;
 case SM_USER_TYPE_ANY:
 case SM_USER_TYPE_NONE:
- case SM_USER_TYPE_END:
 default:
 ThrowMsg(CynaraException::InvalidParam, "User type incorrect");
 }
diff --git a/src/common/include/cynara.h b/src/common/include/cynara.h
index ca8b4d6..cf33b19 100644
--- a/src/common/include/cynara.h
+++ b/src/common/include/cynara.h
@@ -48,6 +48,7 @@ enum class Bucket
 MAIN,
 USER_TYPE_ADMIN,
 USER_TYPE_NORMAL,
+ USER_TYPE_SECURITY,
 USER_TYPE_GUEST,
 USER_TYPE_SYSTEM,
 ADMIN,
diff --git a/src/include/security-manager-types.h b/src/include/security-manager-types.h
index 7b8c8bb..b3f6f59 100644
--- a/src/include/security-manager-types.h
+++ b/src/include/security-manager-types.h
@@ -87,12 +87,12 @@ typedef enum app_install_type app_install_type;
 */
 enum security_manager_user_type {
 SM_USER_TYPE_NONE = 0,/*<-this should not be used, if it is used, there will be an error returned by SM*/
- SM_USER_TYPE_SYSTEM = 1,
- SM_USER_TYPE_ADMIN = 2,
- SM_USER_TYPE_GUEST = 3,
- SM_USER_TYPE_NORMAL = 4,
- SM_USER_TYPE_ANY = 5,/*<-this value may be used only for setting policies and not during user adding*/
- SM_USER_TYPE_END
+ SM_USER_TYPE_ANY = 1,/*<-this value may be used only for setting policies and not during user adding*/
+ SM_USER_TYPE_SYSTEM = 2,
+ SM_USER_TYPE_ADMIN = 3,
+ SM_USER_TYPE_GUEST = 4,
+ SM_USER_TYPE_NORMAL = 5,
+ SM_USER_TYPE_SECURITY = 6,
 };
 
 typedef enum security_manager_user_type security_manager_user_type;
-- 
2.7.4
From 09a8ccf4179fcc63b25a455712da50c3a903d7e0 Mon Sep 17 00:00:00 2001
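Review bot: Renumbering the public `security_manager_user_type` values in security-manager-types.h (SYSTEM 1→2, ADMIN 2→3, GUEST 3→4, NORMAL 4→5, ANY 5→1) changes what an already-built client means by each number — an old ADMIN (2) is now read by the service as SYSTEM — and dropping `SM_USER_TYPE_END` breaks any caller that used it as a loop bound; the CLIENT_VERSION_MAJOR bump to 2 in this same commit acknowledges the ABI break, but the header itself says nothing about it. I would add a comment above the enum such as `/* Numeric values changed in client ABI version 2 (USER_TYPE_SECURITY added); do not persist them or exchange them with older builds. */`. The `default:` branch of CynaraAdmin::UserInit still rejects unknown values, so the runtime check is preserved; that function starts outside this hunk.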
From: Zofia Abramowska
Date: Tue, 6 Sep 2016 11:33:24 +0200
Subject: [PATCH 13/16] Add policy versioning
Policy versioning will be used to reload policy when the way it is generated changes. Additional script for reloading policy between versions will be provided when policy generation is changed.
Change-Id: I778b6ebcdf6233924223921f65e2a037df0345b3
---
 packaging/security-manager.spec | 1 +
 policy/CMakeLists.txt | 1 +
 policy/policy-version | 1 +
 3 files changed, 3 insertions(+)
 create mode 100644 policy/policy-version
diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec
index 112fdc0..4642dbc 100644
--- a/packaging/security-manager.spec
+++ b/packaging/security-manager.spec
@@ -221,5 +221,6 @@ fi
 
 %files -n security-manager-policy
 %manifest %{name}.manifest
+%config(noreplace) %{TZ_SYS_VAR}/security-manager/policy-version
 %{_datadir}/security-manager/policy
 %attr(755,root,root) %{_bindir}/security-manager-policy-reload
diff --git a/policy/CMakeLists.txt b/policy/CMakeLists.txt
index 8daa099..60f3540 100644
--- a/policy/CMakeLists.txt
+++ b/policy/CMakeLists.txt
@@ -7,4 +7,5 @@ INSTALL(FILES "app-rules-template.smack" DESTINATION ${POLICY_DIR})
 INSTALL(FILES "pkg-rules-template.smack" DESTINATION ${POLICY_DIR})
 INSTALL(FILES "author-rules-template.smack" DESTINATION ${POLICY_DIR})
 INSTALL(FILES "privilege-group.list" DESTINATION ${POLICY_DIR})
+INSTALL(FILES "policy-version" DESTINATION ${LOCAL_STATE_DIR}/security-manager/)
 INSTALL(PROGRAMS security-manager-policy-reload DESTINATION ${BIN_INSTALL_DIR})
diff --git a/policy/policy-version b/policy/policy-version
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/policy/policy-version
@@ -0,0 +1 @@
+1
-- 
2.7.4
From 39b404f6b0f67ba948b6ca132f3961730cb6bfca Mon Sep 17 00:00:00 2001
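Review bot: The spec packages the version file as `%{TZ_SYS_VAR}/security-manager/policy-version` while policy/CMakeLists.txt installs it to `${LOCAL_STATE_DIR}/security-manager/`; the package builds only if LOCAL_STATE_DIR is derived from the same value as TZ_SYS_VAR, which is not shown in this patch, so it is worth confirming or passing the spec macro through explicitly. `%config(noreplace)` also means that a later package shipping a higher number leaves the on-device file untouched; that seems intended if the file records the policy generation currently applied on the device and the announced reload script is what updates it, but neither the commit message nor the spec says so. A comment next to the %config line, e.g. `# records the policy generation applied on this device; updated by the reload script, not by package upgrade`, would make that contract explicit.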
From: Zofia Abramowska
Date: Fri, 16 Sep 2016 11:57:35 +0200
Subject: [PATCH 14/16] Add API for identifying application from Cynara client
Change-Id: I1f906cb2200fc38e99f5225b951b596ff2d5c507
---
 src/client/client-security-manager.cpp | 15 +++++++++++++++
 src/include/app-runtime.h | 18 ++++++++++++++++++
 2 files changed, 33 insertions(+)
diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp
index e8e854a..d903574 100644
--- a/src/client/client-security-manager.cpp
+++ b/src/client/client-security-manager.cpp
@@ -1341,6 +1341,21 @@ int security_manager_identify_app_from_pid(pid_t pid, char **pkg_name, char **ap
 }
 
 SECURITY_MANAGER_API
+int security_manager_identify_app_from_cynara_client(const char *client, char **pkg_name,
+ char **app_name)
+{
+ return try_catch([&] {
+ LogDebug(__PRETTY_FUNCTION__ << " called");
+
+ if (pkg_name == NULL && app_name == NULL) {
+ LogError("Both pkg_name and app_name are NULL");
+ return SECURITY_MANAGER_ERROR_INPUT_PARAM;
+ }
+ return get_app_and_pkg_id_from_smack_label(client, pkg_name, app_name);
+ });
+}
+
+SECURITY_MANAGER_API
 int security_manager_app_has_privilege(const char *app_name, const char *privilege,
 uid_t uid, int *result)
 {
diff --git a/src/include/app-runtime.h b/src/include/app-runtime.h
index 3303523..1d7028c 100644
--- a/src/include/app-runtime.h
+++ b/src/include/app-runtime.h
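Review bot: `security_manager_identify_app_from_cynara_client` forwards `client` to `get_app_and_pkg_id_from_smack_label` without checking it, while the output parameters are validated; unless that helper rejects a null label itself (not visible here), a NULL `client` should be turned into an input-parameter error at this API boundary, e.g. `if (client == NULL) { LogError("client is NULL"); return SECURITY_MANAGER_ERROR_INPUT_PARAM; }` placed before the existing check. The call also shows that the Cynara client identifier is being treated as the process Smack label; that equivalence is an assumption the API relies on and deserves a one-line comment above the function so callers passing other identifier forms know why they get SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT.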
@@ -162,6 +162,24 @@ int security_manager_identify_app_from_socket(int sockfd, char **pkg_id, char **
 int security_manager_identify_app_from_pid(pid_t pid, char **pkg_id, char **app_id);
 
 /**
+ * Get package and application id of an application with given process Cynara client identifier
+ *
+ * On successful call pkg_id and app_id should be freed when caller is done with them.
+ * Both pkg_id and app_id are allocated with malloc() so they should be freed with free() function.
+ * Either app_id or pkg_id may be NULL. NULL-ed argument will be ignored.
+ * If both app_id and pkg_id are NULL then SECURITY_MANAGER_ERROR_INPUT_PARAM will be returned.
+ * When process identifier is incorrect or not related to any package, this function will
+ * return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT.
+ *
+ *
+ * \param[in] client Application Cynara client identifier
+ * \param[out] pkg_id Package id of the application
+ * \param[out] app_id Application id of the application
+ * \return API return code or error code
+ */
+int security_manager_identify_app_from_cynara_client(const char *client, char **pkg_id,
+ char **app_id);
+/**
 * Check whether an application would have access to a privilege
 *
 * This enables queries for application's privileges when there is no application
-- 
2.7.4
From 3120d1b04c3e36c79edad0372ec65ec8693bbcd1 Mon Sep 17 00:00:00 2001
From: Rafal Krypa
Date: Tue, 20 Sep 2016 13:41:36 +0200
Subject: [PATCH 15/16] Release version 1.2.0
- Add internal privilege for internal APIs
- Add support for USER_TYPE_SECURITY
- Add policy versioning
- Add API for identifying application from Cynara client
Change-Id: Ibe72a331a8acd08ff3eadc8749b34b91ea0d523c
Signed-off-by: Rafal Krypa
---
 packaging/security-manager.changes | 7 +++++++
 packaging/security-manager.spec | 2 +-
 pc/security-manager.pc.in | 2 +-
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/packaging/security-manager.changes b/packaging/security-manager.changes
index 5ac192c..9d7c985 100644
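Review bot: The new doc comment says `When process identifier is incorrect or not related to any package`, a sentence carried over from the pid variant; this function takes a client identifier, so it should read `When client identifier is incorrect or not related to any package`. It would also help callers to state what the identifier is, since the implementation resolves it as the process Smack label: `\param[in] client Cynara client identifier of the application, i.e. its process Smack label`. The doubled empty ` *` line before the parameter list can be dropped, and the parameter names differ from the definition (pkg_id/app_id here, pkg_name/app_name in the .cpp), which is harmless but worth aligning.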
--- a/packaging/security-manager.changes
+++ b/packaging/security-manager.changes
@@ -1,3 +1,10 @@
+* Tue Sep 20 2016 Rafal Krypa
+- Version 1.2.0
+- Add internal privilege for internal APIs
+- Add support for USER_TYPE_SECURITY
+- Add policy versioning
+- Add API for identifying application from Cynara client
+
 * Mon Sep 05 2016 Yunjin Lee
 - Version 1.1.17
 - Add/remove core privilege(fido.client/ dpm.settings)
diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec
index 4642dbc..ae8db41 100644
--- a/packaging/security-manager.spec
+++ b/packaging/security-manager.spec
@@ -1,6 +1,6 @@
 Name: security-manager
 Summary: Security manager and utilities
-Version: 1.1.17
+Version: 1.2.0
 Release: 0
 Group: Security/Service
 License: Apache-2.0
diff --git a/pc/security-manager.pc.in b/pc/security-manager.pc.in
index 1247da9..eba637a 100644
--- a/pc/security-manager.pc.in
+++ b/pc/security-manager.pc.in
@@ -5,7 +5,7 @@ includedir=${prefix}/include
 
 Name: security-manager
 Description: Security Manager Package
-Version: 1.1.17
+Version: 1.2.0
 Requires:
 Libs: -L${libdir} -lsecurity-manager-client
 Cflags: -I${includedir}/security-manager
-- 
2.7.4
From b2354a2f438d80b10206a80cc0ada1c9733e7d5d Mon Sep 17 00:00:00 2001
From: Zofia Abramowska
Date: Fri, 2 Sep 2016 16:51:14 +0200
Subject: [PATCH 16/16] Change names of smack rules templates
Change-Id: Ifa2ca9aa7b53dec6ae1a5a09de4f452c994ea056
---
 policy/app-rules-template.smack | 32 ++++++++---------
 policy/author-rules-template.smack | 6 ++--
 policy/pkg-rules-template.smack | 18 +++++-----
 src/client/client-label-monitor.cpp | 2 +-
 src/client/client-security-manager.cpp | 4 +--
 src/common/include/smack-labels.h | 10 +++---
 src/common/service_impl.cpp | 20 +++++------
 src/common/smack-labels.cpp | 18 +++++-----
 src/common/smack-rules.cpp | 65 +++++++++++++++++++---------------
 9 files changed, 91 insertions(+), 84 deletions(-)
diff --git a/policy/app-rules-template.smack b/policy/app-rules-template.smack
index 693d979..9d24788 100644
--- a/policy/app-rules-template.smack
+++ b/policy/app-rules-template.smack
@@ -1,16 +1,16 @@
-System ~APP~ rwx
-System::Privileged ~APP~ rwx
-~APP~ System wx
-~APP~ System::Privileged wx
-~APP~ System::Shared rxl
-~APP~ System::Run rwxat
-~APP~ System::Log rwxa
-~APP~ _ l
-User ~APP~ rwx
-~APP~ User wx
-~APP~ User::Home rxl
-~APP~ User::App::Shared rwxat
-~APP~ ~PKG~ rwxat
-~APP~ ~PKG~::RO rxl
-~APP~ ~PKG~::SharedRO rwxat
-~APP~ ~AUTHOR~ rwxat
+System ~PROCESS~ rwx
+System::Privileged ~PROCESS~ rwx
+~PROCESS~ System wx
+~PROCESS~ System::Privileged wx
+~PROCESS~ System::Shared rxl
+~PROCESS~ System::Run rwxat
+~PROCESS~ System::Log rwxa
+~PROCESS~ _ l
+User ~PROCESS~ rwx
+~PROCESS~ User wx
+~PROCESS~ User::Home rxl
+~PROCESS~ User::App::Shared rwxat
+~PROCESS~ ~PATH_RW~ rwxat
+~PROCESS~ ~PATH_RO~ rxl
+~PROCESS~ ~PATH_SHARED_RO~ rwxat
+~PROCESS~ ~PATH_TRUSTED~ rwxat
diff --git a/policy/author-rules-template.smack b/policy/author-rules-template.smack
index 56e9aa5..2e584a7 100644
--- a/policy/author-rules-template.smack
+++ b/policy/author-rules-template.smack
@@ -1,3 +1,3 @@
-User ~AUTHOR~ rwxat
-System ~AUTHOR~ rwxat
-System::Privileged ~AUTHOR~ rwxat
+User ~PATH_TRUSTED~ rwxat
+System ~PATH_TRUSTED~ rwxat
+System::Privileged ~PATH_TRUSTED~ rwxat
diff --git a/policy/pkg-rules-template.smack b/policy/pkg-rules-template.smack
index 6b98a98..0ec8b1d 100644
--- a/policy/pkg-rules-template.smack
+++ b/policy/pkg-rules-template.smack
@@ -1,10 +1,10 @@
-System ~PKG~ rwxat
-System ~PKG~::RO rwxat
-System ~PKG~::SharedRO rwxat
-System::Privileged ~PKG~ rwxat
-System::Privileged ~PKG~::RO rwxat
-System::Privileged ~PKG~::SharedRO rwxat
-User ~PKG~ rwxat
-User ~PKG~::RO rwxat
-User ~PKG~::SharedRO rwxat
+System ~PATH_RW~ rwxat
+System ~PATH_RO~ rwxat
+System ~PATH_SHARED_RO~ rwxat
+System::Privileged ~PATH_RW~ rwxat
+System::Privileged ~PATH_RO~ rwxat
+System::Privileged ~PATH_SHARED_RO~ rwxat
+User ~PATH_RW~ rwxat
+User ~PATH_RO~ rwxat
+User ~PATH_SHARED_RO~ rwxat
 
diff --git a/src/client/client-label-monitor.cpp b/src/client/client-label-monitor.cpp
index c06a06c..b52f655 100644
--- a/src/client/client-label-monitor.cpp
+++ b/src/client/client-label-monitor.cpp
@@ -70,7 +70,7 @@ static lib_retcode apply_relabel_list(const std::string &global_label_file,
 PermissibleSet::readNamesFromPermissibleFile(user_label_file, names);
 std::vector temp;
 std::transform(names.begin(), names.end(), std::back_inserter(temp),
- [] (std::string &label) {label = SmackLabels::generateAppLabel(label);
+ [] (std::string &label) {label = SmackLabels::generateProcessLabel(label);
 return label.c_str();});
 if (smack_set_relabel_self(const_cast(temp.data()), temp.size()) != 0) {
 LogError("smack_set_relabel_self failed");
diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp
index d903574..e5cc93f 100644
--- a/src/client/client-security-manager.cpp
+++ b/src/client/client-security-manager.cpp
@@ -375,7 +375,7 @@ int security_manager_set_process_label_from_appid(const char *app_name)
 return SECURITY_MANAGER_SUCCESS;
 
 try {
- appLabel = SecurityManager::SmackLabels::generateAppLabel(app_name);
+ appLabel = SecurityManager::SmackLabels::generateProcessLabel(app_name);
 } catch (...) {
 LogError("Failed to generate smack label for appName: " << app_name);
 return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT;
@@ -532,7 +532,7 @@ static inline int security_manager_sync_threads_internal(const char *app_name)
 uid_t cur_tid = gettid();
 pid_t cur_pid = getpid();
 
- g_app_label = SecurityManager::SmackLabels::generateAppLabel(app_name);
+ g_app_label = SecurityManager::SmackLabels::generateProcessLabel(app_name);
 g_threads_count = 0;
 g_tid_attr_current_map.clear();
 g_smack_fs_path = smack_smackfs_path() != NULL;
diff --git a/src/common/include/smack-labels.h b/src/common/include/smack-labels.h
index 07b1079..1537208 100644
--- a/src/common/include/smack-labels.h
+++ b/src/common/include/smack-labels.h
@@ -77,7 +77,7 @@ std::string generateAppNameFromLabel(const std::string &label);
 * @param[in] appName application identifier
 * @return resulting Smack label
 */
-std::string generateAppLabel(const std::string &appName);
+std::string generateProcessLabel(const std::string &appName);
 
 /**
 * Generates label for an application with @ref pkgName, specific
@@ -86,7 +86,7 @@ std::string generateAppLabel(const std::string &appName);
 * @param[in] pkgName application package identifier
 * @return resulting Smack label
 */
-std::string generatePkgLabelOwnerRWothersRO(const std::string &pkgName);
+std::string generatePathSharedROLabel(const std::string &pkgName);
 
 /**
 * Generates label for a package identifier
@@ -94,7 +94,7 @@ std::string generatePkgLabelOwnerRWothersRO(const std::string &pkgName);
 * @param[in] pkgName package identifier
 * @return resulting Smack label
 */
-std::string generatePkgLabel(const std::string &pkgName);
+std::string generatePathRWLabel(const std::string &pkgName);
 
 /**
 * Generates label for private application RO files with package identifier @ref pkgName
@@ -102,7 +102,7 @@ std::string generatePkgLabel(const std::string &pkgName);
 * @param[in] pkgName package identifier
 * @return resulting Smack label
 */
-std::string generatePkgROLabel(const std::string &pkgName);
+std::string generatePathROLabel(const std::string &pkgName);
 
 /**
 * Generates unique label per path for private path sharing.
@@ -120,7 +120,7 @@ std::string generateSharedPrivateLabel(const std::string &pkgName, const std::st
 * @param[in] authorId
 * @return resulting Smack label
 */
-std::string generateAuthorLabel(const int authorId);
+std::string generatePathTrustedLabel(const int authorId);
 
 /**
 * Returns smack label for given socket
diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
index 96be37f..fad26cc 100644
--- a/src/common/service_impl.cpp
+++ b/src/common/service_impl.cpp
@@ -127,7 +127,7 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr,
 
 cyap = std::move(CynaraAdminPolicy(
 policyEntry.appName.compare(SECURITY_MANAGER_ANY) ?
- SmackLabels::generateAppLabel(policyEntry.appName) : CYNARA_ADMIN_WILDCARD,
+ SmackLabels::generateProcessLabel(policyEntry.appName) : CYNARA_ADMIN_WILDCARD,
 policyEntry.user,
 policyEntry.privilege,
 level,
@@ -517,8 +517,8 @@ int ServiceImpl::appInstall(const Credentials &creds, app_inst_req &&req)
 return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
 }
 
- appLabel = SmackLabels::generateAppLabel(req.appName);
- pkgLabel = SmackLabels::generatePkgLabel(req.pkgName);
+ appLabel = SmackLabels::generateProcessLabel(req.appName);
+ pkgLabel = SmackLabels::generatePathRWLabel(req.pkgName);
 LogDebug("Generated install parameters: app label: " << appLabel << ", pkg label: " << pkgLabel);
@@ -635,7 +635,7 @@ int ServiceImpl::appUninstall(const Credentials &creds, app_inst_req &&req)
 return SECURITY_MANAGER_SUCCESS;
 }
 
- smackLabel = SmackLabels::generateAppLabel(req.appName);
+ smackLabel = SmackLabels::generateProcessLabel(req.appName);
 LogDebug("Generated uninstall parameters: pkgName=" << req.pkgName << " Smack label=" << smackLabel);
@@ -779,7 +779,7 @@ int ServiceImpl::getAppGroups(const Credentials &creds, const std::string &appNa
 {
 try {
 LogDebug("appName: " << appName);
- std::string smackLabel = SmackLabels::generateAppLabel(appName);
+ std::string smackLabel = SmackLabels::generateProcessLabel(appName);
 LogDebug("smack label: " << smackLabel);
 std::vector privileges;
 
@@ -981,7 +981,7 @@ int ServiceImpl::getConfiguredPolicy(const Credentials &creds, bool forAdmin,
 
 std::vector listOfPolicies;
 //convert appName to smack label
- std::string appLabel = filter.appName.compare(SECURITY_MANAGER_ANY) ? SmackLabels::generateAppLabel(filter.appName) : CYNARA_ADMIN_ANY;
+ std::string appLabel = filter.appName.compare(SECURITY_MANAGER_ANY) ? SmackLabels::generateProcessLabel(filter.appName) : CYNARA_ADMIN_ANY;
 std::string user = filter.user.compare(SECURITY_MANAGER_ANY) ? filter.user : CYNARA_ADMIN_ANY;
 std::string privilege = filter.privilege.compare(SECURITY_MANAGER_ANY) ? filter.privilege : CYNARA_ADMIN_ANY;
 
@@ -1128,7 +1128,7 @@ int ServiceImpl::getPolicy(const Credentials &creds, const policy_entry &filter,
 
 for (const std::string &appName : listOfApps) {
 LogDebug("App: " << appName);
- std::string smackLabelForApp = SmackLabels::generateAppLabel(appName);
+ std::string smackLabelForApp = SmackLabels::generateProcessLabel(appName);
 std::vector listOfPrivileges;
 CynaraAdmin::getInstance().GetAppPolicy(smackLabelForApp, userStr, listOfPrivileges);
 
@@ -1293,7 +1293,7 @@ int ServiceImpl::appHasPrivilege(
 bool &result)
 {
 try {
-std::string appLabel = SmackLabels::generateAppLabel(appName);
+std::string appLabel = SmackLabels::generateProcessLabel(appName);
 std::string uidStr = std::to_string(uid);
 result = Cynara::getInstance().check(appLabel, privilege, uidStr, "");
 LogDebug("result = " << result);
@@ -1390,7 +1390,7 @@ int ServiceImpl::applyPrivatePathSharing(
 for(const auto &path : paths) {
 std::string pathLabel = SmackLabels::getSmackLabelFromPath(path);
-if (pathLabel != SmackLabels::generatePkgLabel(ownerPkgName)) {
+if (pathLabel != SmackLabels::generatePathRWLabel(ownerPkgName)) {
 std::string generatedPathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgName, path);
 if (generatedPathLabel != pathLabel) {
 LogError("Path " << path << " has label " << pathLabel << " and dosen't belong"
@@ -1490,7 +1490,7 @@ int ServiceImpl::dropPrivatePathSharing(
 return SECURITY_MANAGER_ERROR_INPUT_PARAM;
 }
 std::string pathLabel = SmackLabels::getSmackLabelFromPath(path);
-if (pathLabel != SmackLabels::generatePkgLabel(ownerPkgName)) {
+if (pathLabel != SmackLabels::generatePathRWLabel(ownerPkgName)) {
 std::string generatedPathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgName, path);
 if (generatedPathLabel != pathLabel) {
 LogError("Path " << path << " has label " << pathLabel << " and dosen't belong"
diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp
index 16710a2..285d6ff 100644
--- a/src/common/smack-labels.cpp
+++ b/src/common/smack-labels.cpp
@@ -141,12 +141,12 @@ void setupPath(
 switch (pathType) {
 case SECURITY_MANAGER_PATH_RW:
-label = generatePkgLabel(pkgName);
+label = generatePathRWLabel(pkgName);
 label_executables = false;
 label_transmute = true;
 break;
 case SECURITY_MANAGER_PATH_RO:
-label = generatePkgROLabel(pkgName);
+label = generatePathROLabel(pkgName);
 label_executables = false;
 label_transmute = false;
 break;
@@ -156,14 +156,14 @@ void setupPath(
 label_transmute = true;
 break;
 case SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO:
-label = generatePkgLabelOwnerRWothersRO(pkgName);
+label = generatePathSharedROLabel(pkgName);
 label_executables = false;
 label_transmute = true;
 break;
 case SECURITY_MANAGER_PATH_TRUSTED_RW:
 if (authorId < 0)
 ThrowMsg(SmackException::InvalidParam, "You must define author to use PATH_TRUSED_RW");
-label = generateAuthorLabel(authorId);
+label = generatePathTrustedLabel(authorId);
 label_executables = false;
 label_transmute = true;
 break;
@@ -199,7 +199,7 @@ std::string generateAppNameFromLabel(const std::string &label)
 return ret;
 }
 
-std::string generateAppLabel(const std::string &appName)
+std::string generateProcessLabel(const std::string &appName)
 {
 std::string label = "User::App::" + appName;
 
@@ -209,7 +209,7 @@ std::string generateAppLabel(const std::string &appName)
 return label;
 }
 
-std::string generatePkgLabelOwnerRWothersRO(const std::string &pkgName)
+std::string generatePathSharedROLabel(const std::string &pkgName)
 {
 std::string label = "User::Pkg::" + pkgName + "::SharedRO";
 
@@ -219,7 +219,7 @@ std::string generatePkgLabelOwnerRWothersRO(const std::string &pkgName)
 return label;
 }
 
-std::string generatePkgLabel(const std::string &pkgName)
+std::string generatePathRWLabel(const std::string &pkgName)
 {
 std::string label = "User::Pkg::" + pkgName;
 
@@ -229,7 +229,7 @@ std::string generatePkgLabel(const std::string &pkgName)
 return label;
 }
 
-std::string generatePkgROLabel(const std::string &pkgName)
+std::string generatePathROLabel(const std::string &pkgName)
 {
 std::string label = "User::Pkg::" + pkgName + "::RO";
 
@@ -301,7 +301,7 @@ std::string getSmackLabelFromPid(pid_t pid)
 return result;
 }
 
-std::string generateAuthorLabel(const int authorId)
+std::string generatePathTrustedLabel(const int authorId)
 {
 if (authorId < 0) {
 LogError("Author was not set. It's not possible to generate label for unknown author.");
diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
index 54fcecd..9a2880f 100644
--- a/src/common/smack-rules.cpp
+++ b/src/common/smack-rules.cpp
@@ -46,9 +46,11 @@ namespace SecurityManager {
-const std::string SMACK_APP_LABEL_TEMPLATE = "~APP~";
-const std::string SMACK_PKG_LABEL_TEMPLATE = "~PKG~";
-const std::string SMACK_AUTHOR_LABEL_TEMPLATE = "~AUTHOR~";
+const std::string SMACK_PROCESS_LABEL_TEMPLATE = "~PROCESS~";
+const std::string SMACK_PATH_RW_LABEL_TEMPLATE = "~PATH_RW~";
+const std::string SMACK_PATH_RO_LABEL_TEMPLATE = "~PATH_RO~";
+const std::string SMACK_PATH_SHARED_RO_LABEL_TEMPLATE = "~PATH_SHARED_RO~";
+const std::string SMACK_PATH_TRUSTED_LABEL_TEMPLATE = "~PATH_TRUSTED~";
 
 const std::string APP_RULES_TEMPLATE_FILE_PATH = TizenPlatformConfig::makePath(TZ_SYS_RO_SHARE, "security-manager", "policy", "app-rules-template.smack");
 const std::string PKG_RULES_TEMPLATE_FILE_PATH = TizenPlatformConfig::makePath(TZ_SYS_RO_SHARE, "security-manager", "policy", "pkg-rules-template.smack");
 const std::string AUTHOR_RULES_TEMPLATE_FILE_PATH = TizenPlatformConfig::makePath(TZ_SYS_RO_SHARE, "security-manager", "policy", "author-rules-template.smack");
@@ -198,18 +200,21 @@ void SmackRules::addFromTemplate(
 const std::string &pkgName,
 const int authorId)
 {
-std::string appLabel;
-std::string pkgLabel;
-std::string authorLabel;
+std::string processLabel;
+std::string pathRWLabel, pathROLabel, pathSharedROLabel;
+std::string pathTrustedLabel;
 
 if (!appName.empty())
-appLabel = SmackLabels::generateAppLabel(appName);
+processLabel = SmackLabels::generateProcessLabel(appName);
 
-if (!pkgName.empty())
-pkgLabel = SmackLabels::generatePkgLabel(pkgName);
+if (!pkgName.empty()) {
+pathRWLabel = SmackLabels::generatePathRWLabel(pkgName);
+pathROLabel = SmackLabels::generatePathROLabel(pkgName);
+pathSharedROLabel = SmackLabels::generatePathSharedROLabel(pkgName);
+}
 
 if (authorId >= 0)
-authorLabel = SmackLabels::generateAuthorLabel(authorId);
+pathTrustedLabel = SmackLabels::generatePathTrustedLabel(authorId);
 
 for (auto rule : templateRules) {
 if (rule.empty())
@@ -224,11 +229,12 @@ void SmackRules::addFromTemplate(
 ThrowMsg(SmackException::FileError, "Invalid rule template: " << rule);
 }
 
-strReplace(subject, SMACK_APP_LABEL_TEMPLATE, appLabel);
-strReplace(subject, SMACK_PKG_LABEL_TEMPLATE, pkgLabel);
-strReplace(object, SMACK_APP_LABEL_TEMPLATE, appLabel);
-strReplace(object, SMACK_PKG_LABEL_TEMPLATE, pkgLabel);
-strReplace(object, SMACK_AUTHOR_LABEL_TEMPLATE, authorLabel);
+strReplace(subject, SMACK_PROCESS_LABEL_TEMPLATE, processLabel);
+strReplace(object, SMACK_PROCESS_LABEL_TEMPLATE, processLabel);
+strReplace(object, SMACK_PATH_RW_LABEL_TEMPLATE, pathRWLabel);
+strReplace(object, SMACK_PATH_RO_LABEL_TEMPLATE, pathROLabel);
+strReplace(object, SMACK_PATH_SHARED_RO_LABEL_TEMPLATE, pathSharedROLabel);
+strReplace(object, SMACK_PATH_TRUSTED_LABEL_TEMPLATE, pathTrustedLabel);
 
 if (subject.empty() || object.empty())
 continue;
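Review bot: After the substitution block in the second hunk, a placeholder that nothing replaced is not detected: `subject` and `object` are only checked for emptiness, so a template line carrying a stale token (the old `~APP~`/`~PKG~`/`~AUTHOR~` spellings, or a path token in the subject position, which the new code no longer expands even though the old code replaced `~PKG~` in `subject` too) would presumably be handed on as a literal label by the `add` call further down, outside the hunk. The template files named by the `*_RULES_TEMPLATE_FILE_PATH` constants are not visible in this patch, so the token rename in the constants hunk of this file cannot be checked against them here. A guard after the last `strReplace` would turn a stale template into a load-time error rather than a rule with a bogus label: `if (subject.find('~') != std::string::npos || object.find('~') != std::string::npos)` followed by `ThrowMsg(SmackException::FileError, "Unexpanded placeholder in rule template: " << rule);`, assuming the generated labels themselves never contain `~`, which the `User::` prefixes in smack-labels.cpp suggest but which should be confirmed. addFromTemplate continues outside the hunk.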
@@ -249,9 +255,10 @@ void SmackRules::generatePackageCrossDeps(const std::vector &pkgCon
 if (object == subject)
 continue;
 
-subjectLabel = SmackLabels::generateAppLabel(subject);
-objectLabel = SmackLabels::generateAppLabel(object);
-LogDebug ("Trying to add rule subject: " << subjectLabel << " object: " << objectLabel << " perms: " << appsInPackagePerms);
+subjectLabel = SmackLabels::generateProcessLabel(subject);
+objectLabel = SmackLabels::generateProcessLabel(object);
+LogDebug ("Trying to add rule subject: " << subjectLabel
+<< " object: " << objectLabel << " perms: " << appsInPackagePerms);
 add(subjectLabel, objectLabel, appsInPackagePerms);
 }
 }
@@ -264,13 +271,13 @@ void SmackRules::generateSharedRORules(PkgsApps &pkgsApps, PkgsApps &sharedROPkg
 SmackRules rules;
 for (size_t i = 0; i < pkgsApps.size(); ++i) {
 for (const std::string &appName : pkgsApps[i].second) {
-std::string appLabel = SmackLabels::generateAppLabel(appName);
+std::string appLabel = SmackLabels::generateProcessLabel(appName);
 for (size_t j = 0; j < sharedROPkgsApps.size(); ++j) {
 // Rules for SharedRO files from own pkg are generated elsewhere
 if (pkgsApps[i] != sharedROPkgsApps[j]) {
 const std::string &pkgName = sharedROPkgsApps[j].first;
 rules.add(appLabel,
-SmackLabels::generatePkgLabelOwnerRWothersRO(pkgName),
+SmackLabels::generatePathSharedROLabel(pkgName),
 SMACK_APP_CROSS_PKG_PERMS);
 }
 }
@@ -293,9 +300,9 @@ void SmackRules::revokeSharedRORules(PkgsApps &pkgsApps, const std::string &revo
 SmackRules rules;
 for (size_t i = 0; i < pkgsApps.size(); ++i) {
 for (const std::string &appName : pkgsApps[i].second) {
-std::string appLabel = SmackLabels::generateAppLabel(appName);
+std::string appLabel = SmackLabels::generateProcessLabel(appName);
 rules.add(appLabel,
-SmackLabels::generatePkgLabelOwnerRWothersRO(revokePkg),
+SmackLabels::generatePathSharedROLabel(revokePkg),
 SMACK_APP_CROSS_PKG_PERMS);
 }
 }
@@ -444,7 +451,7 @@ void SmackRules::updatePackageRules(
 
 void SmackRules::revokeAppSubject(const std::string &appName)
 {
-if (smack_revoke_subject(SmackLabels::generateAppLabel(appName).c_str()))
+if (smack_revoke_subject(SmackLabels::generateProcessLabel(appName).c_str()))
 ThrowMsg(SmackException::LibsmackError, "smack_revoke_subject");
 }
 
@@ -509,16 +516,16 @@ void SmackRules::applyPrivateSharingRules(
 bool isTargetSharingAlready)
 {
 SmackRules rules;
-const std::string &targetLabel = SmackLabels::generateAppLabel(targetAppName);
+const std::string &targetLabel = SmackLabels::generateProcessLabel(targetAppName);
 if (!isTargetSharingAlready) {
 rules.add(targetLabel,
-SmackLabels::generatePkgLabel(ownerPkgName),
+SmackLabels::generatePathRWLabel(ownerPkgName),
 SMACK_APP_DIR_TARGET_PERMS);
 }
 if (!isPathSharedAlready) {
 for (const auto &app: ownerPkgContents) {
-const std::string appLabel = SmackLabels::generateAppLabel(app);
+const std::string appLabel = SmackLabels::generateProcessLabel(app);
 rules.add(appLabel, pathLabel, SMACK_APP_PATH_OWNER_PERMS);
 }
 rules.add(SMACK_USER, pathLabel, SMACK_APP_PATH_USER_PERMS);
@@ -538,15 +545,15 @@ void SmackRules::dropPrivateSharingRules(
 bool isTargetSharingNoMore)
 {
 SmackRules rules;
-const std::string &targetLabel = SmackLabels::generateAppLabel(targetAppName);
+const std::string &targetLabel = SmackLabels::generateProcessLabel(targetAppName);
 if (isTargetSharingNoMore) {
 rules.addModify(targetLabel,
-SmackLabels::generatePkgLabel(ownerPkgName),
+SmackLabels::generatePathRWLabel(ownerPkgName),
 "", SMACK_APP_DIR_TARGET_PERMS);
 }
 if (isPathSharedNoMore) {
 for (const auto &app: ownerPkgContents) {
-const std::string appLabel = SmackLabels::generateAppLabel(app);
+const std::string appLabel = SmackLabels::generateProcessLabel(app);
 rules.addModify(appLabel, pathLabel, "", SMACK_APP_PATH_OWNER_PERMS);
 }
 rules.addModify(SMACK_USER, pathLabel, "", SMACK_APP_PATH_USER_PERMS);
-- 
2.7.4
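Review bot: `const std::string &targetLabel = SmackLabels::generateProcessLabel(targetAppName);` in both the applyPrivateSharingRules and dropPrivateSharingRules hunks binds a reference to a temporary; that is well-defined through lifetime extension, but it reads as if `targetLabel` aliased storage owned elsewhere, and the `const std::string appLabel = ...` lines a few lines below in the same hunks already use the plain value form. Prefer `const std::string targetLabel = SmackLabels::generateProcessLabel(targetAppName);` in both places so the two label locals are declared consistently. Both functions continue outside their hunks.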