From bdaaa8e914baf89a727c013d6b3e00a81a100aff Mon Sep 17 00:00:00 2001 From: Sangjin Kim Date: Tue, 27 Dec 2016 04:50:41 -0800 Subject: [PATCH 01/16] Revert "remove mkdir for sdbd log file" This reverts commit 7d1c2eecd0f6ab44be3d4d4d1d9634af9b0a3aa7. Change-Id: I59138c8c1b068100e45eb5d0511934cdab7f0a4a --- packaging/sdbd.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packaging/sdbd.spec b/packaging/sdbd.spec index dc10820..6ddcae3 100644 --- a/packaging/sdbd.spec +++ b/packaging/sdbd.spec @@ -112,8 +112,8 @@ fi cp -f /bin/sh /bin/sh-user chsmack -a "_" /bin/sh-user chsmack -e "User::Shell" /bin/sh-user -#mkdir -p %{TZ_SDK_HOME}/share/sdbdlog -#chown owner:users %{TZ_SDK_HOME}/share/sdbdlog +mkdir -p %{TZ_SDK_HOME}/share/sdbdlog +chown owner:users %{TZ_SDK_HOME}/share/sdbdlog %files %manifest sdbd.manifest -- 2.7.4 From 9acf96cbd8e41c699e2f059c1bef256910215178 Mon Sep 17 00:00:00 2001 From: Sangjin Kim Date: Tue, 27 Dec 2016 04:51:05 -0800 Subject: [PATCH 02/16] Revert "remove smack_setlabel function usage for security reason" This reverts commit 3b551c517915ee6b2c4709a57dc066ea64c29973. Change-Id: Ie6f76b81f12a736ac797ccb882ff7b922c0b621e --- packaging/sdbd.spec | 2 -- packaging/sdbd_device.service | 3 ++- packaging/sdbd_emulator.service | 3 ++- packaging/sdbd_tcp.service | 2 +- src/default_plugin_basic.c | 11 ++--------- src/file_sync_service.c | 4 +--- src/sdb.c | 4 ++++ src/services.c | 6 ++++++ 8 files changed, 18 insertions(+), 17 deletions(-) diff --git a/packaging/sdbd.spec b/packaging/sdbd.spec index 6ddcae3..15eb808 100644 --- a/packaging/sdbd.spec +++ b/packaging/sdbd.spec @@ -112,8 +112,6 @@ fi cp -f /bin/sh /bin/sh-user chsmack -a "_" /bin/sh-user chsmack -e "User::Shell" /bin/sh-user -mkdir -p %{TZ_SDK_HOME}/share/sdbdlog -chown owner:users %{TZ_SDK_HOME}/share/sdbdlog %files %manifest sdbd.manifest diff --git a/packaging/sdbd_device.service b/packaging/sdbd_device.service index 0537fcd..cd60922 100644 
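Review bot: The re-enabled `mkdir -p %{TZ_SDK_HOME}/share/sdbdlog` and `chown owner:users %{TZ_SDK_HOME}/share/sdbdlog` run from a package scriptlet (presumably as root) inside a directory tree that the `owner` account can probably write to. `chown` without `-h` follows a symlink that already sits at that path, and `mkdir -p` leaves the directory mode to the umask. Prefer `chown -h owner:users ...` with an explicit `chmod 0750`, or ship the directory through `%files` with `%attr`, so the scriptlet never acts on a path the user controls. Patch 07 of this series restores the same two lines and patch 08 comments them out again, so the point applies there as well. The scriptlet header is outside the hunk.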
--- a/packaging/sdbd_device.service +++ b/packaging/sdbd_device.service @@ -6,10 +6,11 @@ After=tmp.mount [Service] Type=forking #location of SDBD log file +#Environment=SDBD_LOG_PATH=/tmp EnvironmentFile=-/run/tizen-system-env PIDFile=/tmp/.sdbd.pid Restart=on-failure -SmackProcessLabel=System +SmackProcessLabel=System::Privileged ExecStart=/usr/sbin/sdbd [Install] diff --git a/packaging/sdbd_emulator.service b/packaging/sdbd_emulator.service index 2129436..bed8cce 100644 --- a/packaging/sdbd_emulator.service +++ b/packaging/sdbd_emulator.service @@ -7,11 +7,12 @@ After=tmp.mount dbus.service [Service] Type=forking #location of SDBD log file +#Environment=SDBD_LOG_PATH=/tmp Environment=DISPLAY=:0 PIDFile=/tmp/.sdbd.pid RemainAfterExit=yes #ExecStartPre=/bin/bash -c "/bin/echo '10.0.2.15/32 system::debugging_network' >> /smack/netlabel" -SmackProcessLabel=System +SmackProcessLabel=System::Privileged ExecStart=/bin/sh -c "/usr/sbin/sdbd `/usr/bin/awk '{match($0, /sdb_port=([0-9]+)/,port_match); match($0, /vm_name=([^, ]*)/,vm_match); print \"--emulator=\" vm_match[1] \":\" port_match[1] \" --connect-to=10.0.2.2:26099\" \" --sensors=10.0.2.2:\"port_match[1]+3 }' /proc/cmdline`" [Install] diff --git a/packaging/sdbd_tcp.service b/packaging/sdbd_tcp.service index ade025c..e360a7c 100644 --- a/packaging/sdbd_tcp.service +++ b/packaging/sdbd_tcp.service @@ -7,5 +7,5 @@ Type=forking Environment=DISPLAY=:0 PIDFile=/tmp/.sdbd.pid RemainAfterExit=yes -SmackProcessLabel=System +SmackProcessLabel=System::Privileged ExecStart=/usr/sbin/sdbd --listen-port=26101 diff --git a/src/default_plugin_basic.c b/src/default_plugin_basic.c index 61611f6..91d8df2 100644 --- a/src/default_plugin_basic.c +++ b/src/default_plugin_basic.c @@ -20,8 +20,6 @@ #include #include -#include - #define TRACE_TAG TRACE_SDB #include "log.h" 
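Review bot: `SmackProcessLabel=System::Privileged` in sdbd_device.service raises the Smack label of a daemon that serves debug connections, and nothing in the unit says which access needs it. The same line is changed in sdbd_emulator.service and in sdbd_tcp.service, which starts sdbd with `--listen-port=26101`. If the label is only needed for the `smack_setlabel` calls this commit restores in src/sdb.c and src/services.c, record that above the line, e.g. `# System::Privileged: needed while sdbd relabels the shell pty and log file`, so it can be dropped together with those calls. The added `#Environment=SDBD_LOG_PATH=/tmp` is a commented-out setting; either set it or leave it out.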
@@ -30,7 +28,7 @@ #include "sdbd_plugin.h" #include "sdktools.h" -#define LOG_DIRECTORY "/home/owner/share/sdbdlog" +#define LOG_DIRECTORY "/tmp" int get_plugin_capability ( parameters* in, parameters* out ) { @@ -77,12 +75,7 @@ int get_plugin_capability ( parameters* in, parameters* out ) } else if ( capability == CAPABILITY_LOG_ENABLE ) { make_string_parameter ( & ( out->array_of_parameter[0] ), "%s", PLUGIN_RET_DISABLED ); } else if ( capability == CAPABILITY_LOG_PATH ) { - const char* sdkhome = tzplatform_getenv(TZ_SDK_HOME); - if (sdkhome != NULL) { - make_string_parameter ( & ( out->array_of_parameter[0] ), "%s/share/sdbdlog", sdkhome ); - } else { - make_string_parameter ( & ( out->array_of_parameter[0] ), "%s", LOG_DIRECTORY ); - } + make_string_parameter ( & ( out->array_of_parameter[0] ), "%s", LOG_DIRECTORY ); } else if ( capability == CAPABILITY_APPCMD ) { make_string_parameter ( & ( out->array_of_parameter[0] ), "%s", PLUGIN_RET_ENABLED ); } else { diff --git a/src/file_sync_service.c b/src/file_sync_service.c index 81f6841..4dd0860 100644 --- a/src/file_sync_service.c +++ b/src/file_sync_service.c @@ -77,7 +77,6 @@ void init_sdk_sync_permit_rule_regx(void) } } -#if 0 static void set_syncfile_smack_label(char *src) { char *label_transmuted = NULL; char *label = NULL; @@ -128,7 +127,6 @@ static void set_syncfile_smack_label(char *src) { */ } } -#endif static int sync_send_label_notify(int s, const char *path, int success) { @@ -159,7 +157,7 @@ static void sync_read_label_notify(int s) char *path = buffer; path++; path++; - // set_syncfile_smack_label(path); + set_syncfile_smack_label(path); } } diff --git a/src/sdb.c b/src/sdb.c index b21303d..4a1ca97 100644 --- a/src/sdb.c +++ b/src/sdb.c 
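Review bot: `#define LOG_DIRECTORY "/tmp"` makes `CAPABILITY_LOG_PATH` report a world-writable directory as the daemon's log location, where the removed branch used a directory under the SDK home. The code that creates the log file is outside these hunks, so confirm that it opens the file with `O_CREAT | O_EXCL | O_NOFOLLOW` (or equivalent) before a privileged sdbd writes to it and relabels it. A comment on the define would keep that requirement next to the path: `/* world-writable: the log file must be created with O_EXCL | O_NOFOLLOW */`.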
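Review bot: In sync_read_label_notify the re-enabled `set_syncfile_smack_label(path)` is handed `path` taken from `buffer` after two `path++` steps, and the hunk shows no check that the buffer holds more than two bytes, is NUL-terminated, or names a location sdbd is allowed to relabel. The read that fills `buffer` and the body of the helper are outside the visible lines, so some of this may already be enforced. If it is not, validate the path before the call, for instance against the permit rules set up in init_sdk_sync_permit_rule_regx, and state the expectation in a comment such as `/* path comes from the peer: must be validated before relabelling */`.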
@@ -1261,6 +1261,10 @@ void start_device_log(void) return; } + if (smack_setlabel(path, SDK_SHELL_LABEL_NAME, SMACK_LABEL_ACCESS) == -1) { + D("unable to set sdk shell smack label %s due to (errno:%d)\n", SDK_SHELL_LABEL_NAME, errno); + } + // redirect stdout and stderr to the log file dup2(fd, 1); dup2(fd, 2); diff --git a/src/services.c b/src/services.c index 9a40a83..2b52bc8 100644 --- a/src/services.c +++ b/src/services.c @@ -409,6 +409,12 @@ int create_subprocess(const char *cmd, pid_t *pid, char * const argv[], char * c return -1; } + if (smack_setlabel(devname, SDK_SHELL_LABEL_NAME, SMACK_LABEL_ACCESS) == -1) { + D("unable to set sdk shell smack label %s due to (errno:%d)\n", SDK_SHELL_LABEL_NAME, errno); + sdb_close(ptm); + return -1; + } + *pid = fork(); if(*pid < 0) { D("- fork failed: errno:%d -\n", errno); -- 2.7.4 From b3894c7aa4e819c5cde88c7d389fb8300af6fdb1 Mon Sep 17 00:00:00 2001 From: Sangjin Kim Date: Tue, 27 Dec 2016 04:51:21 -0800 Subject: [PATCH 03/16] Revert "Revert "Revert "Modify the SMACK label for SDB shell.""" This reverts commit cb4d1bb8af186a59661e4e35bdb13fecdc1a0163. Change-Id: I0e22b3fe0cb56f38cc562182bef7a65de998a59f --- packaging/sdbd.spec | 4 ---- src/default_plugin_appcmd.c | 5 ++--- src/sdb.c | 54 ++++++--------------------------------------- src/sdb.h | 3 +-- src/sdktools.h | 1 - src/services.c | 16 -------------- 6 files changed, 10 insertions(+), 73 deletions(-) diff --git a/packaging/sdbd.spec b/packaging/sdbd.spec index 15eb808..bc9408f 100644 --- a/packaging/sdbd.spec +++ b/packaging/sdbd.spec @@ -109,10 +109,6 @@ if ! getent passwd "${TZ_SDK_USER_NAME}" > /dev/null; then done fi -cp -f /bin/sh /bin/sh-user -chsmack -a "_" /bin/sh-user -chsmack -e "User::Shell" /bin/sh-user - %files %manifest sdbd.manifest %license LICENSE diff --git a/src/default_plugin_appcmd.c b/src/default_plugin_appcmd.c index c929cf2..07a41d1 100644 --- a/src/default_plugin_appcmd.c +++ b/src/default_plugin_appcmd.c 
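Review bot: The added `smack_setlabel(path, SDK_SHELL_LABEL_NAME, SMACK_LABEL_ACCESS)` in start_device_log labels the log file by name after it has already been opened (`fd` is used by the `dup2` calls just below), so the label can land on a different object than the one the daemon writes to if the name is replaced in between. Labelling through the descriptor closes that gap, assuming the libsmack version in use provides the fd variant: `if (smack_fsetlabel(fd, SDK_SHELL_LABEL_NAME, SMACK_LABEL_ACCESS) == -1) {`. The failure path only logs and continues, unlike the matching call added to create_subprocess in src/services.c, which closes the pty and returns -1; a comment such as `/* best effort: logging continues without the label */` would show that the difference is deliberate. The same call is restored by patch 06 of this series. start_device_log begins and ends outside the hunk.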
@@ -38,7 +38,6 @@ #include -#define SHELL_COMMAND "/bin/sh" #define APPCMD_RESULT_BUFSIZE (4096) typedef struct appcmd_info appcmd_info; @@ -651,10 +650,10 @@ static void run_appcmd_appinstallpath(appcmd_info* p_info) { p_info->exitcode = -1; - const char* path = tzplatform_getenv(TZ_SDK_TOOLS); + const char* path = tzplatform_getenv(TZ_SDK_HOME); if (path != NULL) { p_info->exitcode = 0; - snprintf(result_buf, sizeof(result_buf), "\n%s:%s\n", MESSAGE_PREFIX_APPCMD_RETURN, path); + snprintf(result_buf, sizeof(result_buf), "\n%s:%s/apps_rw/\n", MESSAGE_PREFIX_APPCMD_RETURN, path); writex(p_info->fd, result_buf, strlen(result_buf)); } else { D("failed to get application install path from tzplatform_getenv."); diff --git a/src/sdb.c b/src/sdb.c index 4a1ca97..a07a881 100644 --- a/src/sdb.c +++ b/src/sdb.c @@ -31,7 +31,6 @@ #include #include #include -#include #include "sysdeps.h" #include "log.h" @@ -59,7 +58,6 @@ #define PROC_CMDLINE_PATH "/proc/cmdline" #define USB_SERIAL_PATH "/sys/class/usb_mode/usb0/iSerial" -#define APPID2PID_PATH "/usr/bin/appid2pid" #include #include @@ -127,29 +125,6 @@ int is_emulator(void) { #endif } -int is_appid2pid_supported(void) { - - if (access(APPID2PID_PATH, F_OK) == 0) { - /* It is necessary to confirm that it is possible - * to run "appid2pid" in the sdk user/group privileges. */ - struct stat st; - if (stat(APPID2PID_PATH, &st) == 0) { - D("appid2pid uid=%d, gid=%d, mode=0x%x.\n", st.st_uid, st.st_gid, st.st_mode); - if ( (st.st_uid == STATIC_SDK_USER_ID && st.st_mode & S_IXUSR) - || (st.st_gid == STATIC_SDK_GROUP_ID && st.st_mode & S_IXGRP) - || (st.st_mode & S_IXOTH) ) { - D("appid2pid is supported.\n"); - return 1; - } - } - } else { - D("failed to access appid2pid file: %d\n", errno); - } - - D("appid2pid is NOT supported.\n"); - return 0; -} - int is_container_enabled(void) { bool value; int ret; 
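Review bot: In run_appcmd_appinstallpath the result of `snprintf(result_buf, sizeof(result_buf), "\n%s:%s/apps_rw/\n", ...)` is ignored, so an over-long `TZ_SDK_HOME` value is truncated silently and the client receives a cut-off install path while `exitcode` is already 0. Capture the return value and treat `n < 0 || (size_t)n >= sizeof(result_buf)` as a failure before calling `writex`. The declaration of `result_buf` is outside the hunk, so its size is not visible here. Patch 06 restores the earlier format string with the same unchecked call.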
@@ -398,7 +373,7 @@ void print_packet(const char *label, apacket *p) #endif #ifdef SUPPORT_ENCRYPT -/* +/* desc. : 암호화 실패 메시지 전송 parameter : [in] apacket* p : sdbd로 들어온 메시지 [in] atransport *t : 현재 연결에 대한 atransport @@ -414,7 +389,7 @@ void send_encr_fail(apacket* p, atransport *t, unsigned failed_value){ //put_apacket(enc_p); } -/* +/* desc. : 암호화 메시지 핸들링 parameter : [in] apacket* p : sdbd로 들어온 메시지 [in/out] atransport *t : 현재 연결에 대한 atransport @@ -428,12 +403,12 @@ int handle_encr_packet(apacket* p, atransport *t){ if(p->msg.arg0 == ENCR_SET_ON_REQ){ // hello 메시지인 경우 t->sessionID = sessionID; - if((retVal = security_init(t->sessionID, NULL)) == 1){ // 암호화 handshaking을 위한 init + if((retVal = security_init(t->sessionID, NULL)) == 1){ // 암호화 handshaking을 위한 init if(security_parse_server_hello(t->sessionID, p) == 1){ // hello 메시지 파싱 D("security_parse_server_hello success\n"); enc_p = get_apacket(); if(security_gen_client_hello(t->sessionID, enc_p) == 1){ // hello 메시지 생성 - D("security_gen_client_hello success\n"); + D("security_gen_client_hello success\n"); enc_p->msg.command = A_ENCR; enc_p->msg.arg0 = ENCR_SET_ON_REQ; enc_p->msg.arg1 = p->msg.arg1; @@ -444,7 +419,7 @@ int handle_encr_packet(apacket* p, atransport *t){ D("security_gen_client_hello error\n"); send_encr_fail(p, t, ENCR_ON_FAIL); // 암호화 on 실패 메시지 전송 t->encryption = ENCR_OFF; // 암호화 모드는 off - security_deinit(t->sessionID); + security_deinit(t->sessionID); return -1; } } @@ -453,7 +428,7 @@ int handle_encr_packet(apacket* p, atransport *t){ send_encr_fail(p, t, ENCR_ON_FAIL); t->encryption = ENCR_OFF; security_deinit(t->sessionID); - + return -1; } } else { // init 실패 @@ -536,7 +511,7 @@ int handle_encr_packet(apacket* p, atransport *t){ } //put_apacket(enc_p); return 0; - + } #endif 
@@ -1261,10 +1236,6 @@ void start_device_log(void) return; } - if (smack_setlabel(path, SDK_SHELL_LABEL_NAME, SMACK_LABEL_ACCESS) == -1) { - D("unable to set sdk shell smack label %s due to (errno:%d)\n", SDK_SHELL_LABEL_NAME, errno); - } - // redirect stdout and stderr to the log file dup2(fd, 1); dup2(fd, 2); @@ -2029,17 +2000,6 @@ static void init_capabilities(void) { "%s", UNKNOWN); } - // appid2pid support - ret = is_appid2pid_supported(); - snprintf(g_capabilities.appid2pid_support, sizeof(g_capabilities.appid2pid_support), - "%s", ret == 1 ? ENABLED : DISABLED); - - - // pkgcmd debug mode support - snprintf(g_capabilities.pkgcmd_debugmode, sizeof(g_capabilities.pkgcmd_debugmode), - "%s", ENABLED); - - // Capability version snprintf(g_capabilities.sdbd_cap_version, sizeof(g_capabilities.sdbd_cap_version), "%d.%d", SDBD_CAP_VERSION_MAJOR, SDBD_CAP_VERSION_MINOR); diff --git a/src/sdb.h b/src/sdb.h index b339f26..226da64 100644 --- a/src/sdb.h +++ b/src/sdb.h @@ -279,8 +279,6 @@ typedef struct platform_capabilities char sockproto_support[CAPBUF_ITEMSIZE]; // enabled or disabled char appcmd_support[CAPBUF_ITEMSIZE]; // enabled or disabled char encryption_support[CAPBUF_ITEMSIZE]; // enabled or disabled - char appid2pid_support[CAPBUF_ITEMSIZE]; // enabled or disabled - char pkgcmd_debugmode[CAPBUF_ITEMSIZE]; // enabled or disabled char log_enable[CAPBUF_ITEMSIZE]; // enabled or disabled char log_path[CAPBUF_LL_ITEMSIZE]; // path of sdbd log @@ -549,6 +547,7 @@ int read_line(const int fd, char* ptr, const size_t maxlen); #define USB_FUNCFS_SDB_PATH "/dev/usbgadget/sdb" #define USB_NODE_FILE "/dev/samsung_sdb" +#define SHELL_COMMAND "/bin/sh" int create_subprocess(const char *cmd, pid_t *pid, char * const argv[], char * const envp[]); void get_env(char *key, char **env); diff --git a/src/sdktools.h b/src/sdktools.h index e73bfec..9027970 100644 --- a/src/sdktools.h +++ b/src/sdktools.h 
@@ -37,7 +37,6 @@ struct arg_permit_rule #define APPID_MAX_LENGTH 50 #define SDBD_LABEL_NAME "sdbd" #define SDK_HOME_LABEL_NAME "sdbd::home" -#define SDK_SHELL_LABEL_NAME "User::Shell" int verify_root_commands(const char *arg1); int verify_app_path(const char* path); diff --git a/src/services.c b/src/services.c index 2b52bc8..b0f2e08 100644 --- a/src/services.c +++ b/src/services.c @@ -44,7 +44,6 @@ #include "utils.h" #include #include -#include #include #include @@ -409,12 +408,6 @@ int create_subprocess(const char *cmd, pid_t *pid, char * const argv[], char * c return -1; } - if (smack_setlabel(devname, SDK_SHELL_LABEL_NAME, SMACK_LABEL_ACCESS) == -1) { - D("unable to set sdk shell smack label %s due to (errno:%d)\n", SDK_SHELL_LABEL_NAME, errno); - sdb_close(ptm); - return -1; - } - *pid = fork(); if(*pid < 0) { D("- fork failed: errno:%d -\n", errno); @@ -475,7 +468,6 @@ int create_subprocess(const char *cmd, pid_t *pid, char * const argv[], char * c } #endif /* !SDB_HOST */ -#define SHELL_COMMAND "/bin/sh-user" #define LOGIN_COMMAND "/bin/login" #define SUPER_USER "root" #define LOGIN_CONFIG "/etc/login.defs" @@ -967,14 +959,6 @@ static void get_capability(int fd, void *cookie) { offset += put_key_value_string(cap_buffer, offset, CAPBUF_SIZE, "appcmd_support", g_capabilities.appcmd_support); - // appid2pid support - offset += put_key_value_string(cap_buffer, offset, CAPBUF_SIZE, - "appid2pid_support", g_capabilities.appid2pid_support); - - // pkgcmd debug mode support - offset += put_key_value_string(cap_buffer, offset, CAPBUF_SIZE, - "pkgcmd_debugmode", g_capabilities.pkgcmd_debugmode); - offset++; // for '\0' character writex(fd, &offset, sizeof(uint16_t)); -- 2.7.4 From 6d784d7cf0b5ef9184be46123361318cb0e26ffb Mon Sep 17 00:00:00 2001 
From: greatim Date: Thu, 12 Jan 2017 15:49:37 +0900 Subject: [PATCH 04/16] fix a bug that device is still offline when reboot (USB connected) modify broadcast_transport (send device status) not to send packet to offline devices Change-Id: Iabf9f6987a12f4f091089b5982c5f8cc45ab97f4 Signed-off-by: greatim --- src/transport.c | 59 +++++++++++++++++++++++++++++---------------------------- 1 file changed, 30 insertions(+), 29 deletions(-) diff --git a/src/transport.c b/src/transport.c index 7811628..8d889e3 100644 --- a/src/transport.c +++ b/src/transport.c @@ -74,6 +74,20 @@ static void dump_hex( const unsigned char* ptr, size_t len ) *pb++ = '\0'; DR("%s\n", buffer); } + +static const char *statename(atransport *t) +{ + switch(t->connection_state){ + case CS_OFFLINE: return "offline"; + case CS_BOOTLOADER: return "bootloader"; + case CS_DEVICE: return "device"; + case CS_HOST: return "host"; + case CS_RECOVERY: return "recovery"; + case CS_SIDELOAD: return "sideload"; + case CS_NOPERM: return "no permissions"; + default: return "unknown"; + } +} #endif void @@ -365,7 +379,7 @@ static void *input_thread(void *_t) } } else { if(active) { - D("%s: transport got packet, sending to remote\n", t->serial); + D("%s: transport got packet, sending to remote, state(%s)\n", t->serial, statename(t)); #ifdef SUPPORT_ENCRYPT if (t->encryption == ENCR_ON && p->msg.command != A_ENCR) // 현재 연결이 암호화 모드이고, 암호화 관련 메시지가 아닌 경우, 메시지를 암호화 @@ -865,20 +879,6 @@ atransport *acquire_one_transport(int state, transport_type ttype, const char* s } #if SDB_HOST -static const char *statename(atransport *t) -{ - switch(t->connection_state){ - case CS_OFFLINE: return "offline"; - case CS_BOOTLOADER: return "bootloader"; - case CS_DEVICE: return "device"; - case CS_HOST: return "host"; - case CS_RECOVERY: return "recovery"; - case CS_SIDELOAD: return "sideload"; - case CS_NOPERM: return "no permissions"; - default: return "unknown"; - } -} - int list_transports(char *buf, size_t bufsize) { char* p = buf; 
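Review bot: The relocated `statename()` has no case for `CS_PWLOCK`, a state that broadcast_transport assigns in this same file, so the new `state(%s)` trace in input_thread and the trace in broadcast_transport print "unknown" for a locked device; add a case such as `case CS_PWLOCK: return "locked";`. The function now sits directly before an `#endif` whose opening `#if` is outside the hunk, whereas it used to live under `#if SDB_HOST`. Confirm that the enclosing condition is true in every build that compiles the two `D()` call sites, otherwise they reference an undeclared function.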
@@ -1068,23 +1068,24 @@ void broadcast_transport(apacket *p) atransport *t; sdb_mutex_lock(&transport_lock); for(t = transport_list.next; t != &transport_list; t = t->next) { - D("broadcast device transport:%d\n", t->connection_state); - apacket* ap = get_apacket(); - copy_packet(ap, p); - send_packet(ap, t); + D("broadcast device transport:%s\n", statename(t)); + if (t->connection_state != CS_OFFLINE && t->connection_state != CS_NOPERM) { + apacket* ap = get_apacket(); + copy_packet(ap, p); + send_packet(ap, t); - if (ap->msg.command == A_STAT && ap->msg.arg1 == 0) { - // lock state message - if (ap->msg.arg0 == 0) { - // unlocked - t->connection_state = CS_DEVICE; - } else { - // locked - t->connection_state = CS_PWLOCK; + if (ap->msg.command == A_STAT && ap->msg.arg1 == 0) { + // lock state message + if (ap->msg.arg0 == 0) { + // unlocked + t->connection_state = CS_DEVICE; + } else { + // locked + t->connection_state = CS_PWLOCK; + } } } - - } + } sdb_mutex_unlock(&transport_lock); } -- 2.7.4 From d728000742c24c5e921d47087e9630f6c2d378d6 Mon Sep 17 00:00:00 2001 From: Munkyu Im Date: Wed, 25 Jan 2017 18:04:22 +0900 Subject: [PATCH 05/16] cap: Add new "pkgcmd_debugmode" capability for pkgcmd debug mode To support screenshot, App should be installed with "pkgcmd -G" command. It is activated by enabling "pkgcmd_debugmode" capability. Change-Id: I0c65fbff2155f6d96cc1cfc39102844fce7c4ea6 Signed-off-by: Munkyu Im --- src/default_plugin_basic.c | 2 ++ src/sdb.c | 9 +++++++++ src/sdb.h | 1 + src/sdbd_plugin.h | 1 + src/services.c | 3 +++ 5 files changed, 16 insertions(+) diff --git a/src/default_plugin_basic.c b/src/default_plugin_basic.c index 91d8df2..1046bdc 100644 --- a/src/default_plugin_basic.c +++ b/src/default_plugin_basic.c 
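Review bot: In broadcast_transport the new block still reads `ap->msg.command`, `ap->msg.arg1` and `ap->msg.arg0` after `send_packet(ap, t)`, when the packet has been handed to the transport and may already have been released on its side. `copy_packet(ap, p)` made `ap` a copy of `p`, so the lock-state test can read the caller's packet instead: `if (p->msg.command == A_STAT && p->msg.arg1 == 0) {` and `if (p->msg.arg0 == 0) {`. send_packet is not shown here, so confirm who owns the packet after the call; a one-line comment recording that would help the next reader.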
@@ -78,6 +78,8 @@ int get_plugin_capability ( parameters* in, parameters* out ) make_string_parameter ( & ( out->array_of_parameter[0] ), "%s", LOG_DIRECTORY ); } else if ( capability == CAPABILITY_APPCMD ) { make_string_parameter ( & ( out->array_of_parameter[0] ), "%s", PLUGIN_RET_ENABLED ); + } else if (capability == CAPABILITY_DEBUGMODE ) { + make_string_parameter ( & ( out->array_of_parameter[0] ), "%s", PLUGIN_RET_ENABLED ); } else { out->number_of_parameter = 0; free ( out->array_of_parameter ); diff --git a/src/sdb.c b/src/sdb.c index a07a881..a5e853d 100644 --- a/src/sdb.c +++ b/src/sdb.c @@ -1867,6 +1867,15 @@ static void init_capabilities(void) { } + // pkgcmd debug mode support + if(!request_capability_to_plugin(CAPABILITY_DEBUGMODE, g_capabilities.pkgcmd_debugmode, + sizeof(g_capabilities.pkgcmd_debugmode))) { + D("failed to request. (%d:%d) \n", PLUGIN_SYNC_CMD_CAPABILITY, CAPABILITY_DEBUGMODE); + snprintf(g_capabilities.pkgcmd_debugmode, sizeof(g_capabilities.pkgcmd_debugmode), + "%s", ENABLED); + } + + // Zone support ret = is_container_enabled(); snprintf(g_capabilities.zone_support, sizeof(g_capabilities.zone_support), diff --git a/src/sdb.h b/src/sdb.h index 226da64..fd71307 100644 --- a/src/sdb.h +++ b/src/sdb.h @@ -294,6 +294,7 @@ typedef struct platform_capabilities char sdbd_version[CAPBUF_ITEMSIZE]; // sdbd version char sdbd_plugin_version[CAPBUF_ITEMSIZE]; // sdbd plugin version char sdbd_cap_version[CAPBUF_ITEMSIZE]; // capability version + char pkgcmd_debugmode[CAPBUF_ITEMSIZE]; // enabled or disabled } pcap; extern pcap g_capabilities; diff --git a/src/sdbd_plugin.h b/src/sdbd_plugin.h index e98ef69..0a9287a 100644 --- a/src/sdbd_plugin.h +++ b/src/sdbd_plugin.h @@ -73,6 +73,7 @@ #define CAPABILITY_LOG_PATH 10010 #define CAPABILITY_APPCMD 10011 #define CAPABILITY_ENCRYPTION 10012 +#define CAPABILITY_DEBUGMODE 10013 // =============================================================================== // priority definition 
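Review bot: In init_capabilities the fallback for a failed `request_capability_to_plugin(CAPABILITY_DEBUGMODE, ...)` writes `ENABLED` into `g_capabilities.pkgcmd_debugmode`, so a missing or failing plugin advertises debug-mode installs instead of withholding them. A capability that switches installs to `pkgcmd -G` is safer failing closed, i.e. `"%s", DISABLED);` in the fallback `snprintf`. If enabled-by-default is intended for compatibility with older plugins, say so in a comment on the fallback, e.g. `/* plugin predates CAPABILITY_DEBUGMODE: keep legacy default */`. init_capabilities begins and ends outside the hunk.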
diff --git a/src/services.c b/src/services.c index b0f2e08..6b61d94 100644 --- a/src/services.c +++ b/src/services.c @@ -955,6 +955,9 @@ static void get_capability(int fd, void *cookie) { offset += put_key_value_string(cap_buffer, offset, CAPBUF_SIZE, "log_path", g_capabilities.log_path); + offset += put_key_value_string(cap_buffer, offset, CAPBUF_SIZE, + "pkgcmd_debugmode", g_capabilities.pkgcmd_debugmode); + // Application command support offset += put_key_value_string(cap_buffer, offset, CAPBUF_SIZE, "appcmd_support", g_capabilities.appcmd_support); -- 2.7.4 From 588e1ea24c365e37236010893a42f5c07b8db890 Mon Sep 17 00:00:00 2001 From: Sooyoung Ha Date: Tue, 7 Feb 2017 15:50:10 +0900 Subject: [PATCH 06/16] Revert "Revert "Revert "Revert "Modify the SMACK label for SDB shell."""" This reverts commit b3894c7aa4e819c5cde88c7d389fb8300af6fdb1. Change-Id: I98cbf82cdc47392e8c3b8038c0e395bcc9e6ac3b Signed-off-by: Sooyoung Ha --- packaging/sdbd.spec | 4 ++++ src/default_plugin_appcmd.c | 5 +++-- src/sdb.c | 54 +++++++++++++++++++++++++++++++++++++++------ src/sdb.h | 3 ++- src/sdktools.h | 1 + src/services.c | 16 ++++++++++++++ 6 files changed, 73 insertions(+), 10 deletions(-) diff --git a/packaging/sdbd.spec b/packaging/sdbd.spec index bc9408f..15eb808 100644 --- a/packaging/sdbd.spec +++ b/packaging/sdbd.spec @@ -109,6 +109,10 @@ if ! getent passwd "${TZ_SDK_USER_NAME}" > /dev/null; then done fi +cp -f /bin/sh /bin/sh-user +chsmack -a "_" /bin/sh-user +chsmack -e "User::Shell" /bin/sh-user + %files %manifest sdbd.manifest %license LICENSE diff --git a/src/default_plugin_appcmd.c b/src/default_plugin_appcmd.c index 07a41d1..c929cf2 100644 --- a/src/default_plugin_appcmd.c +++ b/src/default_plugin_appcmd.c @@ -38,6 +38,7 @@ #include +#define SHELL_COMMAND "/bin/sh" #define APPCMD_RESULT_BUFSIZE (4096) typedef struct appcmd_info appcmd_info; 
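Review bot: The restored `cp -f /bin/sh /bin/sh-user` and the two `chsmack` calls create a second shell binary that the package does not own, so it is not refreshed when the package providing /bin/sh is updated, and nothing in this hunk removes it on uninstall. None of the three commands is checked, so a failed `chsmack -e "User::Shell" /bin/sh-user` leaves the copy in place without the exec label that src/services.c depends on once it sets `SHELL_COMMAND "/bin/sh-user"`. Chain them and clean up on failure, e.g. `cp -f /bin/sh /bin/sh-user && chsmack -a "_" /bin/sh-user && chsmack -e "User::Shell" /bin/sh-user || rm -f /bin/sh-user`, and add a matching removal to the uninstall scriptlet. The scriptlet these lines belong to starts outside the hunk.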
@@ -650,10 +651,10 @@ static void run_appcmd_appinstallpath(appcmd_info* p_info) { p_info->exitcode = -1; - const char* path = tzplatform_getenv(TZ_SDK_HOME); + const char* path = tzplatform_getenv(TZ_SDK_TOOLS); if (path != NULL) { p_info->exitcode = 0; - snprintf(result_buf, sizeof(result_buf), "\n%s:%s/apps_rw/\n", MESSAGE_PREFIX_APPCMD_RETURN, path); + snprintf(result_buf, sizeof(result_buf), "\n%s:%s\n", MESSAGE_PREFIX_APPCMD_RETURN, path); writex(p_info->fd, result_buf, strlen(result_buf)); } else { D("failed to get application install path from tzplatform_getenv."); diff --git a/src/sdb.c b/src/sdb.c index a5e853d..452616f 100644 --- a/src/sdb.c +++ b/src/sdb.c @@ -31,6 +31,7 @@ #include #include #include +#include #include "sysdeps.h" #include "log.h" @@ -58,6 +59,7 @@ #define PROC_CMDLINE_PATH "/proc/cmdline" #define USB_SERIAL_PATH "/sys/class/usb_mode/usb0/iSerial" +#define APPID2PID_PATH "/usr/bin/appid2pid" #include #include @@ -125,6 +127,29 @@ int is_emulator(void) { #endif } +int is_appid2pid_supported(void) { + + if (access(APPID2PID_PATH, F_OK) == 0) { + /* It is necessary to confirm that it is possible + * to run "appid2pid" in the sdk user/group privileges. */ + struct stat st; + if (stat(APPID2PID_PATH, &st) == 0) { + D("appid2pid uid=%d, gid=%d, mode=0x%x.\n", st.st_uid, st.st_gid, st.st_mode); + if ( (st.st_uid == STATIC_SDK_USER_ID && st.st_mode & S_IXUSR) + || (st.st_gid == STATIC_SDK_GROUP_ID && st.st_mode & S_IXGRP) + || (st.st_mode & S_IXOTH) ) { + D("appid2pid is supported.\n"); + return 1; + } + } + } else { + D("failed to access appid2pid file: %d\n", errno); + } + + D("appid2pid is NOT supported.\n"); + return 0; +} + int is_container_enabled(void) { bool value; int ret; @@ -373,7 +398,7 @@ void print_packet(const char *label, apacket *p) #endif #ifdef SUPPORT_ENCRYPT -/* +/* desc. : 암호화 실패 메시지 전송 parameter : [in] apacket* p : sdbd로 들어온 메시지 [in] atransport *t : 현재 연결에 대한 atransport 
@@ -389,7 +414,7 @@ void send_encr_fail(apacket* p, atransport *t, unsigned failed_value){ //put_apacket(enc_p); } -/* +/* desc. : 암호화 메시지 핸들링 parameter : [in] apacket* p : sdbd로 들어온 메시지 [in/out] atransport *t : 현재 연결에 대한 atransport @@ -403,12 +428,12 @@ int handle_encr_packet(apacket* p, atransport *t){ if(p->msg.arg0 == ENCR_SET_ON_REQ){ // hello 메시지인 경우 t->sessionID = sessionID; - if((retVal = security_init(t->sessionID, NULL)) == 1){ // 암호화 handshaking을 위한 init + if((retVal = security_init(t->sessionID, NULL)) == 1){ // 암호화 handshaking을 위한 init if(security_parse_server_hello(t->sessionID, p) == 1){ // hello 메시지 파싱 D("security_parse_server_hello success\n"); enc_p = get_apacket(); if(security_gen_client_hello(t->sessionID, enc_p) == 1){ // hello 메시지 생성 - D("security_gen_client_hello success\n"); + D("security_gen_client_hello success\n"); enc_p->msg.command = A_ENCR; enc_p->msg.arg0 = ENCR_SET_ON_REQ; enc_p->msg.arg1 = p->msg.arg1; @@ -419,7 +444,7 @@ int handle_encr_packet(apacket* p, atransport *t){ D("security_gen_client_hello error\n"); send_encr_fail(p, t, ENCR_ON_FAIL); // 암호화 on 실패 메시지 전송 t->encryption = ENCR_OFF; // 암호화 모드는 off - security_deinit(t->sessionID); + security_deinit(t->sessionID); return -1; } } @@ -428,7 +453,7 @@ int handle_encr_packet(apacket* p, atransport *t){ send_encr_fail(p, t, ENCR_ON_FAIL); t->encryption = ENCR_OFF; security_deinit(t->sessionID); - + return -1; } } else { // init 실패 @@ -511,7 +536,7 @@ int handle_encr_packet(apacket* p, atransport *t){ } //put_apacket(enc_p); return 0; - + } #endif @@ -1236,6 +1261,10 @@ void start_device_log(void) return; } + if (smack_setlabel(path, SDK_SHELL_LABEL_NAME, SMACK_LABEL_ACCESS) == -1) { + D("unable to set sdk shell smack label %s due to (errno:%d)\n", SDK_SHELL_LABEL_NAME, errno); + } + // redirect stdout and stderr to the log file dup2(fd, 1); dup2(fd, 2); 
@@ -2009,6 +2038,17 @@ static void init_capabilities(void) { "%s", UNKNOWN); } + // appid2pid support + ret = is_appid2pid_supported(); + snprintf(g_capabilities.appid2pid_support, sizeof(g_capabilities.appid2pid_support), + "%s", ret == 1 ? ENABLED : DISABLED); + + + // pkgcmd debug mode support + snprintf(g_capabilities.pkgcmd_debugmode, sizeof(g_capabilities.pkgcmd_debugmode), + "%s", ENABLED); + + // Capability version snprintf(g_capabilities.sdbd_cap_version, sizeof(g_capabilities.sdbd_cap_version), "%d.%d", SDBD_CAP_VERSION_MAJOR, SDBD_CAP_VERSION_MINOR); diff --git a/src/sdb.h b/src/sdb.h index fd71307..0c4f7cc 100644 --- a/src/sdb.h +++ b/src/sdb.h @@ -279,6 +279,8 @@ typedef struct platform_capabilities char sockproto_support[CAPBUF_ITEMSIZE]; // enabled or disabled char appcmd_support[CAPBUF_ITEMSIZE]; // enabled or disabled char encryption_support[CAPBUF_ITEMSIZE]; // enabled or disabled + char appid2pid_support[CAPBUF_ITEMSIZE]; // enabled or disabled + char pkgcmd_debugmode[CAPBUF_ITEMSIZE]; // enabled or disabled char log_enable[CAPBUF_ITEMSIZE]; // enabled or disabled char log_path[CAPBUF_LL_ITEMSIZE]; // path of sdbd log @@ -548,7 +550,6 @@ int read_line(const int fd, char* ptr, const size_t maxlen); #define USB_FUNCFS_SDB_PATH "/dev/usbgadget/sdb" #define USB_NODE_FILE "/dev/samsung_sdb" -#define SHELL_COMMAND "/bin/sh" int create_subprocess(const char *cmd, pid_t *pid, char * const argv[], char * const envp[]); void get_env(char *key, char **env); diff --git a/src/sdktools.h b/src/sdktools.h index 9027970..e73bfec 100644 --- a/src/sdktools.h +++ b/src/sdktools.h @@ -37,6 +37,7 @@ struct arg_permit_rule #define APPID_MAX_LENGTH 50 #define SDBD_LABEL_NAME "sdbd" #define SDK_HOME_LABEL_NAME "sdbd::home" +#define SDK_SHELL_LABEL_NAME "User::Shell" int verify_root_commands(const char *arg1); int verify_app_path(const char* path); diff --git a/src/services.c b/src/services.c index 6b61d94..2e1b577 100644 --- a/src/services.c +++ b/src/services.c 
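Review bot: This revert re-adds `char pkgcmd_debugmode[CAPBUF_ITEMSIZE];` next to `appid2pid_support` in struct platform_capabilities, but patch 05 of this series already added a member of that name after `sdbd_cap_version`, so with both applied the struct declares it twice and src/sdb.h should not compile unless a later patch drops one. The same overlap appears in init_capabilities, where the restored `snprintf(..., "%s", ENABLED)` overwrites the value obtained through `request_capability_to_plugin(CAPABILITY_DEBUGMODE, ...)`. It also appears in get_capability in src/services.c, which now emits the `pkgcmd_debugmode` key twice. Keeping the patch 05 member, plugin query and key, and restoring only the `appid2pid_support` parts here, would resolve all three.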
@@ -44,6 +44,7 @@ #include "utils.h" #include #include +#include #include #include @@ -408,6 +409,12 @@ int create_subprocess(const char *cmd, pid_t *pid, char * const argv[], char * c return -1; } + if (smack_setlabel(devname, SDK_SHELL_LABEL_NAME, SMACK_LABEL_ACCESS) == -1) { + D("unable to set sdk shell smack label %s due to (errno:%d)\n", SDK_SHELL_LABEL_NAME, errno); + sdb_close(ptm); + return -1; + } + *pid = fork(); if(*pid < 0) { D("- fork failed: errno:%d -\n", errno); @@ -468,6 +475,7 @@ int create_subprocess(const char *cmd, pid_t *pid, char * const argv[], char * c } #endif /* !SDB_HOST */ +#define SHELL_COMMAND "/bin/sh-user" #define LOGIN_COMMAND "/bin/login" #define SUPER_USER "root" #define LOGIN_CONFIG "/etc/login.defs" @@ -962,6 +970,14 @@ static void get_capability(int fd, void *cookie) { offset += put_key_value_string(cap_buffer, offset, CAPBUF_SIZE, "appcmd_support", g_capabilities.appcmd_support); + // appid2pid support + offset += put_key_value_string(cap_buffer, offset, CAPBUF_SIZE, + "appid2pid_support", g_capabilities.appid2pid_support); + + // pkgcmd debug mode support + offset += put_key_value_string(cap_buffer, offset, CAPBUF_SIZE, + "pkgcmd_debugmode", g_capabilities.pkgcmd_debugmode); + offset++; // for '\0' character writex(fd, &offset, sizeof(uint16_t)); -- 2.7.4 From 79579f5f65b6692dd234d7f031066d5971a0395b Mon Sep 17 00:00:00 2001 From: Sooyoung Ha Date: Tue, 7 Feb 2017 15:51:18 +0900 Subject: [PATCH 07/16] Revert "Revert "remove smack_setlabel function usage for security reason"" This reverts commit 9acf96cbd8e41c699e2f059c1bef256910215178. Change-Id: I75479ca94a011a79764556da3776587addf413c1 Signed-off-by: Sooyoung Ha --- packaging/sdbd.spec | 2 ++ packaging/sdbd_device.service | 3 +-- packaging/sdbd_emulator.service | 3 +-- packaging/sdbd_tcp.service | 2 +- src/default_plugin_basic.c | 11 +++++++++-- src/file_sync_service.c | 4 +++- src/sdb.c | 4 ---- src/services.c | 6 ------ 8 files changed, 17 insertions(+), 18 deletions(-) 
diff --git a/packaging/sdbd.spec b/packaging/sdbd.spec index 15eb808..6ddcae3 100644 --- a/packaging/sdbd.spec +++ b/packaging/sdbd.spec @@ -112,6 +112,8 @@ fi cp -f /bin/sh /bin/sh-user chsmack -a "_" /bin/sh-user chsmack -e "User::Shell" /bin/sh-user +mkdir -p %{TZ_SDK_HOME}/share/sdbdlog +chown owner:users %{TZ_SDK_HOME}/share/sdbdlog %files %manifest sdbd.manifest diff --git a/packaging/sdbd_device.service b/packaging/sdbd_device.service index cd60922..0537fcd 100644 --- a/packaging/sdbd_device.service +++ b/packaging/sdbd_device.service @@ -6,11 +6,10 @@ After=tmp.mount [Service] Type=forking #location of SDBD log file -#Environment=SDBD_LOG_PATH=/tmp EnvironmentFile=-/run/tizen-system-env PIDFile=/tmp/.sdbd.pid Restart=on-failure -SmackProcessLabel=System::Privileged +SmackProcessLabel=System ExecStart=/usr/sbin/sdbd [Install] diff --git a/packaging/sdbd_emulator.service b/packaging/sdbd_emulator.service index bed8cce..2129436 100644 --- a/packaging/sdbd_emulator.service +++ b/packaging/sdbd_emulator.service @@ -7,12 +7,11 @@ After=tmp.mount dbus.service [Service] Type=forking #location of SDBD log file -#Environment=SDBD_LOG_PATH=/tmp Environment=DISPLAY=:0 PIDFile=/tmp/.sdbd.pid RemainAfterExit=yes #ExecStartPre=/bin/bash -c "/bin/echo '10.0.2.15/32 system::debugging_network' >> /smack/netlabel" -SmackProcessLabel=System::Privileged +SmackProcessLabel=System ExecStart=/bin/sh -c "/usr/sbin/sdbd `/usr/bin/awk '{match($0, /sdb_port=([0-9]+)/,port_match); match($0, /vm_name=([^, ]*)/,vm_match); print \"--emulator=\" vm_match[1] \":\" port_match[1] \" --connect-to=10.0.2.2:26099\" \" --sensors=10.0.2.2:\"port_match[1]+3 }' /proc/cmdline`" [Install] diff --git a/packaging/sdbd_tcp.service b/packaging/sdbd_tcp.service index e360a7c..ade025c 100644 --- a/packaging/sdbd_tcp.service +++ b/packaging/sdbd_tcp.service 
@@ -7,5 +7,5 @@ Type=forking Environment=DISPLAY=:0 PIDFile=/tmp/.sdbd.pid RemainAfterExit=yes -SmackProcessLabel=System::Privileged +SmackProcessLabel=System ExecStart=/usr/sbin/sdbd --listen-port=26101 diff --git a/src/default_plugin_basic.c b/src/default_plugin_basic.c index 1046bdc..6078e7e 100644 --- a/src/default_plugin_basic.c +++ b/src/default_plugin_basic.c @@ -20,6 +20,8 @@ #include #include +#include + #define TRACE_TAG TRACE_SDB #include "log.h" @@ -28,7 +30,7 @@ #include "sdbd_plugin.h" #include "sdktools.h" -#define LOG_DIRECTORY "/tmp" +#define LOG_DIRECTORY "/home/owner/share/sdbdlog" int get_plugin_capability ( parameters* in, parameters* out ) { @@ -75,7 +77,12 @@ int get_plugin_capability ( parameters* in, parameters* out ) } else if ( capability == CAPABILITY_LOG_ENABLE ) { make_string_parameter ( & ( out->array_of_parameter[0] ), "%s", PLUGIN_RET_DISABLED ); } else if ( capability == CAPABILITY_LOG_PATH ) { - make_string_parameter ( & ( out->array_of_parameter[0] ), "%s", LOG_DIRECTORY ); + const char* sdkhome = tzplatform_getenv(TZ_SDK_HOME); + if (sdkhome != NULL) { + make_string_parameter ( & ( out->array_of_parameter[0] ), "%s/share/sdbdlog", sdkhome ); + } else { + make_string_parameter ( & ( out->array_of_parameter[0] ), "%s", LOG_DIRECTORY ); + } } else if ( capability == CAPABILITY_APPCMD ) { make_string_parameter ( & ( out->array_of_parameter[0] ), "%s", PLUGIN_RET_ENABLED ); } else if (capability == CAPABILITY_DEBUGMODE ) { diff --git a/src/file_sync_service.c b/src/file_sync_service.c index 4dd0860..81f6841 100644 --- a/src/file_sync_service.c +++ b/src/file_sync_service.c @@ -77,6 +77,7 @@ void init_sdk_sync_permit_rule_regx(void) } } +#if 0 static void set_syncfile_smack_label(char *src) { char *label_transmuted = NULL; char *label = NULL; @@ -127,6 +128,7 @@ static void set_syncfile_smack_label(char *src) { */ } } +#endif static int sync_send_label_notify(int s, const char *path, int success) { 
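Review bot: In src/file_sync_service.c, set_syncfile_smack_label is disabled with a bare `#if 0` / `#endif` pair (hunks -77 and -127), and its only call in sync_read_label_notify is commented out (hunk -157). Nothing in the code says why. sync_read_label_notify still computes `path` from the buffer but no longer uses it, so the next reader cannot tell whether the relabelling is meant to come back. I would delete the dead function and the call, or at least put a reason above the `#if 0`, for example `/* disabled: sdbd no longer calls smack_setlabel on synced files (security review) */`.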
@@ -157,7 +159,7 @@ static void sync_read_label_notify(int s) char *path = buffer; path++; path++; - set_syncfile_smack_label(path); + // set_syncfile_smack_label(path); } } diff --git a/src/sdb.c b/src/sdb.c index 452616f..6d2bf42 100644 --- a/src/sdb.c +++ b/src/sdb.c @@ -1261,10 +1261,6 @@ void start_device_log(void) return; } - if (smack_setlabel(path, SDK_SHELL_LABEL_NAME, SMACK_LABEL_ACCESS) == -1) { - D("unable to set sdk shell smack label %s due to (errno:%d)\n", SDK_SHELL_LABEL_NAME, errno); - } - // redirect stdout and stderr to the log file dup2(fd, 1); dup2(fd, 2); diff --git a/src/services.c b/src/services.c index 2e1b577..cafffc9 100644 --- a/src/services.c +++ b/src/services.c @@ -409,12 +409,6 @@ int create_subprocess(const char *cmd, pid_t *pid, char * const argv[], char * c return -1; } - if (smack_setlabel(devname, SDK_SHELL_LABEL_NAME, SMACK_LABEL_ACCESS) == -1) { - D("unable to set sdk shell smack label %s due to (errno:%d)\n", SDK_SHELL_LABEL_NAME, errno); - sdb_close(ptm); - return -1; - } - *pid = fork(); if(*pid < 0) { D("- fork failed: errno:%d -\n", errno); -- 2.7.4 From f1ae83204b3faf6f7d2590efa987074cf0bbf200 Mon Sep 17 00:00:00 2001 From: Sooyoung Ha Date: Tue, 7 Feb 2017 15:51:40 +0900 Subject: [PATCH 08/16] Revert "Revert "remove mkdir for sdbd log file"" This reverts commit bdaaa8e914baf89a727c013d6b3e00a81a100aff. Change-Id: I980f16a44b33c0e8a60be956d04e9d36541d81ca Signed-off-by: Sooyoung Ha --- packaging/sdbd.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packaging/sdbd.spec b/packaging/sdbd.spec index 6ddcae3..dc10820 100644 --- a/packaging/sdbd.spec +++ b/packaging/sdbd.spec @@ -112,8 +112,8 @@ fi cp -f /bin/sh /bin/sh-user chsmack -a "_" /bin/sh-user chsmack -e "User::Shell" /bin/sh-user -mkdir -p %{TZ_SDK_HOME}/share/sdbdlog -chown owner:users %{TZ_SDK_HOME}/share/sdbdlog +#mkdir -p %{TZ_SDK_HOME}/share/sdbdlog +#chown owner:users %{TZ_SDK_HOME}/share/sdbdlog %files %manifest sdbd.manifest -- 2.7.4 
From e95df470e413ac5bf5fe76fbec00cec8c5ae2a0b Mon Sep 17 00:00:00 2001 From: Sooyoung Ha Date: Tue, 7 Feb 2017 15:52:06 +0900 Subject: [PATCH 09/16] Revert "Revert "remove mkdir again for sdbd log file"" This reverts commit 22ee2bf467e3e798ee9b0811fef172e6b231f93a. Change-Id: Ibdb42d07d508fe53f49ba75f4d0c2a9bff7d9df9 Signed-off-by: Sooyoung Ha --- packaging/sdbd.spec | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/packaging/sdbd.spec b/packaging/sdbd.spec index dc10820..1374f57 100644 --- a/packaging/sdbd.spec +++ b/packaging/sdbd.spec @@ -2,7 +2,7 @@ Name: sdbd Summary: SDB daemon -Version: 3.0.13 +Version: 3.0.14 Release: 0 License: Apache-2.0 Summary: SDB daemon @@ -112,8 +112,6 @@ fi cp -f /bin/sh /bin/sh-user chsmack -a "_" /bin/sh-user chsmack -e "User::Shell" /bin/sh-user -#mkdir -p %{TZ_SDK_HOME}/share/sdbdlog -#chown owner:users %{TZ_SDK_HOME}/share/sdbdlog %files %manifest sdbd.manifest -- 2.7.4 From a2ed67457f3df4457c73a09be8a4dfd51fc735aa Mon Sep 17 00:00:00 2001 From: Sooyoung Ha Date: Wed, 8 Feb 2017 15:39:52 +0900 Subject: [PATCH 11/16] sdb.h: remove duplicated member Change-Id: I11f7086dd60cefbe36be2a46b9e92e2585b14cf1 Signed-off-by: Sooyoung Ha --- src/sdb.h | 1 - 1 file changed, 1 deletion(-) diff --git a/src/sdb.h b/src/sdb.h index 0c4f7cc..b339f26 100644 --- a/src/sdb.h +++ b/src/sdb.h @@ -296,7 +296,6 @@ typedef struct platform_capabilities char sdbd_version[CAPBUF_ITEMSIZE]; // sdbd version char sdbd_plugin_version[CAPBUF_ITEMSIZE]; // sdbd plugin version char sdbd_cap_version[CAPBUF_ITEMSIZE]; // capability version - char pkgcmd_debugmode[CAPBUF_ITEMSIZE]; // enabled or disabled } pcap; extern pcap g_capabilities; -- 2.7.4 From c6a355e91b476b40205f8e7f7339bd54e1775b36 Mon Sep 17 00:00:00 2001 From: Sooyoung Ha Date: Wed, 8 Feb 2017 16:05:57 +0900 Subject: [PATCH 12/16] package: update version (3.0.15) Change-Id: I0085cc5980ebf1679f2c0193953c380831cd9ac7 
Signed-off-by: Sooyoung Ha --- packaging/sdbd.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packaging/sdbd.spec b/packaging/sdbd.spec index 1374f57..6a2476b 100644 --- a/packaging/sdbd.spec +++ b/packaging/sdbd.spec @@ -2,7 +2,7 @@ Name: sdbd Summary: SDB daemon -Version: 3.0.14 +Version: 3.0.15 Release: 0 License: Apache-2.0 Summary: SDB daemon -- 2.7.4 From de9f966ccc66386af2643b9645f8eca73ef64cd0 Mon Sep 17 00:00:00 2001 From: "shingil.kang" Date: Fri, 5 Aug 2016 15:20:34 +0900 Subject: [PATCH 13/16] Add capability 'sdbd_rootperm' Change-Id: Ib63b4f3605506f62e3a8e8d7e32fb5937062ca3c Signed-off-by: shingil.kang Signed-off-by: Sooyoung Ha --- src/sdb.c | 3 +++ src/sdb.h | 1 + src/services.c | 4 ++++ 3 files changed, 8 insertions(+) diff --git a/src/sdb.c b/src/sdb.c index 6d2bf42..692e87f 100644 --- a/src/sdb.c +++ b/src/sdb.c @@ -1873,6 +1873,9 @@ static void init_capabilities(void) { "%s", DISABLED); } + // Sdbd root permission + snprintf(g_capabilities.root_permission, sizeof(g_capabilities.root_permission), + "%s", DISABLED); // Root command support if(!request_capability_to_plugin(CAPABILITY_ROOT_ONOFF, g_capabilities.rootonoff_support, diff --git a/src/sdb.h b/src/sdb.h index b339f26..2128616 100644 --- a/src/sdb.h +++ b/src/sdb.h @@ -281,6 +281,7 @@ typedef struct platform_capabilities char encryption_support[CAPBUF_ITEMSIZE]; // enabled or disabled char appid2pid_support[CAPBUF_ITEMSIZE]; // enabled or disabled char pkgcmd_debugmode[CAPBUF_ITEMSIZE]; // enabled or disabled + char root_permission[CAPBUF_ITEMSIZE]; // enabled or disabled char log_enable[CAPBUF_ITEMSIZE]; // enabled or disabled char log_path[CAPBUF_LL_ITEMSIZE]; // path of sdbd log diff --git a/src/services.c b/src/services.c index cafffc9..64dbd11 100644 --- a/src/services.c +++ b/src/services.c 
@@ -893,6 +893,10 @@ static void get_capability(int fd, void *cookie) { offset += put_key_value_string(cap_buffer, offset, CAPBUF_SIZE, "syncwinsz_support", g_capabilities.syncwinsz_support); + // sdbd root permission + offset += put_key_value_string(cap_buffer, offset, CAPBUF_SIZE, + "sdbd_rootperm", g_capabilities.root_permission); + // Root command support offset += put_key_value_string(cap_buffer, offset, CAPBUF_SIZE, "rootonoff_support", g_capabilities.rootonoff_support); -- 2.7.4 From e51486b368ca9d8ffd57f569903c8bad2d04dcf8 Mon Sep 17 00:00:00 2001 From: "shingil.kang" Date: Wed, 13 Jul 2016 14:20:27 +0900 Subject: [PATCH 14/16] Allowed 'sdb root on' command even if the UID of SDBD is non-root. - file IO(pull/push), shell service can be worked by root user with restricted priviliges. Change-Id: I37f4248443bd7f5231ec99e0d1737cd556b749b3 Signed-off-by: shingil.kang Signed-off-by: Sooyoung Ha --- src/file_sync_service.c | 17 +++--- src/sdb.c | 136 ++++++++++++++++++++++++++++++++++++++++-------- src/sdb.h | 17 +++++- src/services.c | 31 +++++------ 4 files changed, 151 insertions(+), 50 deletions(-) diff --git a/src/file_sync_service.c b/src/file_sync_service.c index 81f6841..1675cd2 100644 --- a/src/file_sync_service.c +++ b/src/file_sync_service.c @@ -159,7 +159,7 @@ static void sync_read_label_notify(int s) char *path = buffer; path++; path++; - // set_syncfile_smack_label(path); + //set_syncfile_smack_label(path); } } @@ -653,6 +653,14 @@ void file_sync_service(int fd, void *cookie) goto fail; } + if (should_drop_privileges()) { + if (set_sdk_user_privileges(DROP_CAPABILITIES_AFTER_FORK) < 0) { + goto fail; + } + } else { + set_root_privileges(); + } + for(;;) { D("sync: waiting for command for %d sec\n", SYNC_TIMEOUT); 
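Review bot: The privilege block added to file_sync_service (hunk -653) fails without telling the client. When set_sdk_user_privileges(DROP_CAPABILITIES_AFTER_FORK) returns < 0, it jumps to `fail` without the `fail_message(fd, "failed to set SDK user privileges.");` call that the per-request check removed in hunk -690 used to send. The else branch discards the result of set_root_privileges(), so a failed switch in root mode goes unnoticed and requests are still served. I would keep the fail_message before the `goto fail` and check the root path the same way, `if (set_root_privileges() < 0) goto fail;`, which also needs set_root_privileges to report failure, since as added in src/sdb.c it always returns 0. The unchecked call in create_subprocess (src/services.c, hunk -445) has the same gap, and the body of file_sync_service continues outside this hunk.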
@@ -690,13 +698,6 @@ void file_sync_service(int fd, void *cookie) D("sync: '%s' '%s'\n", (char*) &msg.req, name); - if (should_drop_privileges() && !verify_sync_rule(name)) { - if (getuid() != g_sdk_user_id && set_sdk_user_privileges() < 0) { - fail_message(fd, "failed to set SDK user privileges."); - goto fail; - } - } - switch(msg.req.id) { case ID_STAT: if(do_stat(fd, name)) goto fail; diff --git a/src/sdb.c b/src/sdb.c index 692e87f..0e3a297 100644 --- a/src/sdb.c +++ b/src/sdb.c @@ -73,6 +73,8 @@ SDB_MUTEX_DEFINE( D_lock ); #endif int HOST = 0; + +// sdk user uid_t g_sdk_user_id; gid_t g_sdk_group_id; char* g_sdk_home_dir = NULL; @@ -81,6 +83,12 @@ pcap g_capabilities; int rootshell_mode; // 0: sdk user, 1: root int booting_done; // 0: platform booting is in progess 1: platform booting is done +// root user +uid_t g_root_user_id; +gid_t g_root_group_id; +char* g_root_home_dir = NULL; +char* g_root_home_dir_env = NULL; + struct group_info { const char *name; @@ -93,6 +101,7 @@ struct group_info g_default_groups[] = { {"log", -1}, {NULL, -1} }; + #define SDB_DEFAULT_GROUPS_CNT ((sizeof(g_default_groups)/sizeof(g_default_groups[0]))-1) int is_init_sdk_userinfo = 0; 
@@ -1565,40 +1574,40 @@ void register_bootdone_cb() { } } -static int sdbd_set_groups() { +static int sdbd_set_groups(const char *name, int gid, struct group_info default_groups[], int default_groups_size) { gid_t *group_ids = NULL; int ngroups = 0; int i, j = 0; int group_match = 0; int added_group_cnt = 0; - getgrouplist(SDK_USER_NAME, g_sdk_group_id, NULL, &ngroups); + getgrouplist(name, gid, NULL, &ngroups); D("group list : ngroups = %d\n", ngroups); - group_ids = malloc((ngroups + SDB_DEFAULT_GROUPS_CNT) * sizeof(gid_t)); + group_ids = malloc((ngroups + default_groups_size) * sizeof(gid_t)); if (group_ids == NULL) { - D("failed to allocate group_ids(%d)\n", (ngroups + SDB_DEFAULT_GROUPS_CNT) * sizeof(gid_t)); + D("failed to allocate group_ids(%d)\n", (ngroups + default_groups_size) * sizeof(gid_t)); return -1; } - if (getgrouplist(SDK_USER_NAME, g_sdk_group_id, group_ids, &ngroups) == -1) { + if (getgrouplist(name, gid, group_ids, &ngroups) == -1) { D("failed to getgrouplist(), ngroups = %d\n", ngroups); free(group_ids); return -1; } - - for (i = 0; g_default_groups[i].name != NULL; i++) { - for (j = 0; j < ngroups; j++) { - if (group_ids[j] == g_default_groups[i].gid) { - group_match = 1; - break; + if(default_groups_size >= 1) { + for (i = 0; default_groups[i].name != NULL; i++) { + for (j = 0; j < ngroups; j++) { + if (group_ids[j] == default_groups[i].gid) { + group_match = 1; + break; + } } + if (group_match == 0 && default_groups[i].gid != -1) { + group_ids[ngroups + added_group_cnt] = default_groups[i].gid; + added_group_cnt ++; + } + group_match = 0; } - if (group_match == 0 && g_default_groups[i].gid != -1) { - group_ids[ngroups + added_group_cnt] = g_default_groups[i].gid; - added_group_cnt ++; - } - group_match = 0; } - if (setgroups(ngroups+added_group_cnt, group_ids) != 0) { D("failed to setgroups().\n"); free(group_ids); 
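Review bot: In sdbd_set_groups the merge loop is bounded only by the `name != NULL` sentinel, while the group_ids buffer is sized from default_groups_size, so the two can disagree. If a caller ever passes a count smaller than the number of entries before the sentinel, `group_ids[ngroups + added_group_cnt]` writes past the allocation. Bounding the loop by both, `for (i = 0; i < default_groups_size && default_groups[i].name != NULL; i++)`, keeps the write inside the buffer and makes the `if(default_groups_size >= 1)` guard unnecessary. The new `int gid` parameter would also read better as `gid_t`, matching g_sdk_group_id and g_root_group_id. The function ends outside this hunk.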
@@ -1645,13 +1654,25 @@ static int sdbd_get_group(const char* group_name, struct group* grp, char* buf, return 0; } -int set_sdk_user_privileges() { +int set_sdk_user_privileges(int is_drop_capability_after_fork) { if (!is_init_sdk_userinfo) { D("failed to init sdk user information.\n"); return -1; } - if (sdbd_set_groups() < 0) { + /* + * If a process switches its real, effective, or saved uids from at least one being 0 to all being non-zero, + * then both the permitted and effective capabilities are cleared. + */ + if(is_drop_capability_after_fork) { + + if (setuid(g_root_user_id) != 0) { + D("set root user id failed (errno: %d)\n", errno); + return -1; + } + } + + if (sdbd_set_groups(SDK_USER_NAME, g_sdk_group_id, g_default_groups, SDB_DEFAULT_GROUPS_CNT) < 0) { D("set groups failed (errno: %d)\n", errno); return -1; } @@ -1664,6 +1685,9 @@ int set_sdk_user_privileges() { if (setuid(g_sdk_user_id) != 0) { D("set user id failed (errno: %d)\n", errno); return -1; +// if(is_drop_capability_after_fork) { +// return -1; +// } } if (chdir(g_sdk_home_dir) < 0) { @@ -1678,6 +1702,32 @@ int set_sdk_user_privileges() { return 0; } +int set_root_privileges() { + + if (sdbd_set_groups(ROOT_USER_NAME, g_root_group_id, NULL, 0) < 0) { + D("set root groups failed (errno: %d)\n", errno); + } + + if (setgid(g_root_group_id) != 0) { + D("set root group id failed (errno: %d)\n", errno); + } + + if (setuid(g_root_user_id) != 0) { + D("set root user id failed (errno: %d)\n", errno); + } + + if (chdir(g_root_home_dir) < 0) { + D("unable to change root working directory to %s\n", g_sdk_home_dir); + } + + // TODO: use pam later + if (g_root_home_dir_env) { + putenv(g_root_home_dir_env); + } + + return 0; +} + #define SDB_PW_GR_DEFAULT_SIZE (16*1024) static long get_passwd_bufsize() { long bufsize = 0; 
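Review bot: set_root_privileges (hunk -1678) logs each failed step but always returns 0, so a caller cannot tell a complete switch from a partial one, for example setgid succeeding and setuid failing. Adding `return -1;` after the failure messages for sdbd_set_groups, setgid and setuid lets callers refuse to continue with a mixed identity. The chdir message also prints the wrong variable and should read `D("unable to change root working directory to %s\n", g_root_home_dir);`. In the -1664 hunk, the commented-out `if(is_drop_capability_after_fork)` lines after `return -1;` are dead text and should be removed.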
@@ -1727,12 +1777,53 @@ static int init_sdb_default_groups() { return 0; } -static void set_static_userinfo() { +static void set_static_root_userinfo() { + g_root_user_id = STATIC_ROOT_USER_ID; + g_root_group_id = STATIC_ROOT_GROUP_ID; + g_root_home_dir = STATIC_ROOT_HOME_DIR; +} + +static void set_static_sdk_userinfo() { g_sdk_user_id = STATIC_SDK_USER_ID; g_sdk_group_id = STATIC_SDK_GROUP_ID; g_sdk_home_dir = STATIC_SDK_HOME_DIR; } +static int init_root_userinfo() { + struct passwd pwd; + char *buf = NULL; + long bufsize = 0; + + bufsize = get_passwd_bufsize(); + buf = malloc(bufsize); + if (buf == NULL) { + D("failed to allocate passwd buf(%ld)\n", bufsize); + set_static_root_userinfo(); + } else { + if (sdbd_get_user_pwd(ROOT_USER_NAME, &pwd, buf, bufsize) < 0) { + D("failed to get root user passwd info.(errno: %d)\n", errno); + set_static_root_userinfo(); + } else { + D("username=%s, uid=%d, gid=%d, dir=%s\n", pwd.pw_name, pwd.pw_uid, pwd.pw_gid, pwd.pw_dir); + + g_root_user_id = pwd.pw_uid; + g_root_group_id = pwd.pw_gid; + g_root_home_dir = strdup(pwd.pw_dir); + } + free(buf); + } + + int env_size = strlen("HOME=") + strlen(g_root_home_dir) + 1; + g_root_home_dir_env = malloc(env_size); + if(g_root_home_dir_env == NULL) { + D("failed to allocate for home dir env string\n"); + } else { + snprintf(g_root_home_dir_env, env_size, "HOME=%s", g_root_home_dir); + } + + return 0; +} + static int init_sdk_userinfo() { struct passwd pwd; char *buf = NULL; @@ -1750,11 +1841,11 @@ static int init_sdk_userinfo() { buf = malloc(bufsize); if (buf == NULL) { D("failed to allocate passwd buf(%ld)\n", bufsize); - set_static_userinfo(); + set_static_sdk_userinfo(); } else { if (sdbd_get_user_pwd(SDK_USER_NAME, &pwd, buf, bufsize) < 0) { D("get user passwd info.(errno: %d)\n", errno); - set_static_userinfo(); + set_static_sdk_userinfo(); } else { D("username=%s, uid=%d, gid=%d, dir=%s\n", pwd.pw_name, pwd.pw_uid, pwd.pw_gid, pwd.pw_dir); 
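Review bot: In init_root_userinfo the result of `strdup(pwd.pw_dir)` is not checked before `strlen(g_root_home_dir)` is called a few lines later, so an allocation failure turns into a NULL dereference. Falling back to the static value right after the strdup covers it: `if (g_root_home_dir == NULL) g_root_home_dir = STATIC_ROOT_HOME_DIR;`. `env_size` would be better declared as `size_t`, since it is built from strlen results and passed to malloc and snprintf. The function returns 0 on every path, including the failed malloc for g_root_home_dir_env, so the int return type tells the caller nothing; either report that failure or make the function void.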
@@ -1791,6 +1882,7 @@ static void init_sdk_requirements() { } init_sdk_userinfo(); + init_root_userinfo(); if (g_sdk_home_dir != NULL && stat(g_sdk_home_dir, &st) == 0) { if (st.st_uid != g_sdk_user_id || st.st_gid != g_sdk_group_id) { diff --git a/src/sdb.h b/src/sdb.h index 2128616..0fe7005 100644 --- a/src/sdb.h +++ b/src/sdb.h @@ -419,12 +419,22 @@ extern uid_t g_sdk_user_id; extern gid_t g_sdk_group_id; extern char* g_sdk_home_dir; extern char* g_sdk_home_dir_env; + +#define ROOT_USER_NAME "root" +#define STATIC_ROOT_USER_ID 0 +#define STATIC_ROOT_GROUP_ID 0 +#define STATIC_ROOT_HOME_DIR "/root" +extern uid_t g_root_user_id; +extern gid_t g_root_group_id; +extern char* g_root_home_dir; +extern char* g_root_home_dir_env; + #endif int should_drop_privileges(void); -int set_sdk_user_privileges(); -void set_root_privileges(); void send_device_status(); +int set_sdk_user_privileges(int is_drop_capability_after_fork); +int set_root_privileges(); int get_emulator_forward_port(void); int get_emulator_name(char str[], int str_size); @@ -553,3 +563,6 @@ int read_line(const int fd, char* ptr, const size_t maxlen); int create_subprocess(const char *cmd, pid_t *pid, char * const argv[], char * const envp[]); void get_env(char *key, char **env); +#define RESERVE_CAPABILITIES_AFTER_FORK 0 +#define DROP_CAPABILITIES_AFTER_FORK 1 + diff --git a/src/services.c b/src/services.c index 64dbd11..da73ff6 100644 --- a/src/services.c +++ b/src/services.c 
@@ -147,24 +147,17 @@ void rootshell_service(int fd, void *cookie) char *mode = (char*) cookie; if (!strcmp(mode, "on")) { - if (getuid() == 0) { - if (rootshell_mode == 1) { - //snprintf(buf, sizeof(buf), "Already changed to sdk user mode\n"); - // do not show message + if (rootshell_mode == 1) { + //snprintf(buf, sizeof(buf), "Already changed to sdk user mode\n"); + // do not show message + } else { + if (is_support_rootonoff()) { + rootshell_mode = 1; + //allows a permitted user to execute a command as the superuser + snprintf(buf, sizeof(buf), "Switched to 'root' account mode\n"); } else { - if (is_support_rootonoff()) { - rootshell_mode = 1; - //allows a permitted user to execute a command as the superuser - snprintf(buf, sizeof(buf), "Switched to 'root' account mode\n"); - } else { - snprintf(buf, sizeof(buf), "Permission denied\n"); - } - writex(fd, buf, strlen(buf)); + snprintf(buf, sizeof(buf), "Permission denied\n"); } - } else { - D("need root permission for root shell: %d\n", getuid()); - rootshell_mode = 0; - snprintf(buf, sizeof(buf), "Permission denied\n"); writex(fd, buf, strlen(buf)); } } else if (!strcmp(mode, "off")) { @@ -445,15 +438,17 @@ int create_subprocess(const char *cmd, pid_t *pid, char * const argv[], char * c } if (should_drop_privileges()) { - if (argv[2] != NULL && getuid() == 0 && request_validity_to_plugin(PLUGIN_SYNC_CMD_VERIFY_ROOTCMD, argv[2])) { + if (argv[2] != NULL && request_validity_to_plugin(PLUGIN_SYNC_CMD_VERIFY_ROOTCMD, argv[2])) { // do nothing D("sdb: executes root commands!!:%s\n", argv[2]); } else { - if (getuid() != g_sdk_user_id && set_sdk_user_privileges() < 0) { + if (getuid() != g_sdk_user_id && set_sdk_user_privileges(RESERVE_CAPABILITIES_AFTER_FORK) < 0) { fprintf(stderr, "failed to set SDK user privileges\n"); exit(-1); } } + } else { + set_root_privileges(); } redirect_and_exec(pts, cmd, argv, envp); fprintf(stderr, "- exec '%s' failed: (errno:%d) -\n", -- 2.7.4 
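Review bot: With the getuid() == 0 test removed, the "on" branch of rootshell_service sets rootshell_mode to 1 whenever is_support_rootonoff() allows it, and nothing records that it happened. A trace line on the success path, e.g. `D("rootshell_mode enabled by client request\n");`, would let the device log show when root mode was turned on. The retained comment `//snprintf(buf, sizeof(buf), "Already changed to sdk user mode\n");` sits in the branch for being already in root mode, so its text is misleading and should be corrected or dropped. The function continues past this hunk.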
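Review bot: In the child branch of create_subprocess (hunk -445), dropping `getuid() == 0` means the `// do nothing` path is taken for any argv[2] that request_validity_to_plugin approves, whatever uid the daemon has. The log line still says it "executes root commands", and the code does not say which identity the command then runs under. A comment such as `/* plugin-approved command: runs with the daemon's current uid/gid, no privilege change here */` would make that explicit, and the D() text should stop claiming root if that is no longer guaranteed. create_subprocess starts and ends outside this hunk.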
From f8e0f4153bee5b958a43e0c6cccb21d67d24a142 Mon Sep 17 00:00:00 2001 From: Shingil Kang Date: Tue, 12 Jul 2016 22:18:27 -0700 Subject: [PATCH 15/16] Revert "Revert "Modify modules that need root permission."" This reverts commit 9395230cf70cc07bfd036f8aa374f5f9443c7983. Change-Id: I3fb22370706706e8e8042fedd58b79d95b889946 Signed-off-by: Sooyoung Ha --- packaging/sdbd_device.service | 2 ++ packaging/sdbd_emulator.service | 2 ++ src/file_sync_service.c | 62 ----------------------------------------- 3 files changed, 4 insertions(+), 62 deletions(-) diff --git a/packaging/sdbd_device.service b/packaging/sdbd_device.service index 0537fcd..b47e8f3 100644 --- a/packaging/sdbd_device.service +++ b/packaging/sdbd_device.service @@ -4,6 +4,8 @@ Requires=tizen-system-env.service After=tmp.mount [Service] +User=sdk +Group=sdk Type=forking #location of SDBD log file EnvironmentFile=-/run/tizen-system-env diff --git a/packaging/sdbd_emulator.service b/packaging/sdbd_emulator.service index 2129436..6e0ec0f 100644 --- a/packaging/sdbd_emulator.service +++ b/packaging/sdbd_emulator.service @@ -5,6 +5,8 @@ After=tmp.mount dbus.service #DefaultDependencies=false [Service] +User=sdk +Group=sdk Type=forking #location of SDBD log file Environment=DISPLAY=:0 diff --git a/src/file_sync_service.c b/src/file_sync_service.c index 1675cd2..b2c2f4c 100644 --- a/src/file_sync_service.c +++ b/src/file_sync_service.c 
@@ -41,42 +41,11 @@ #define SYNC_TIMEOUT 15 -struct sync_permit_rule -{ - const char *name; - char *regx; - int mode; // 0:push, 1: pull, 2: push&push -}; - -struct sync_permit_rule sdk_sync_permit_rule[] = { - /* 0 */ {"unitest", "", 1}, - /* 1 */ {"codecoverage", "", 1}, - /* 2 */ {"da", "", 1}, - /* end */ {NULL, NULL, 0} -}; - /* The typical default value for the umask is S_IWGRP | S_IWOTH (octal 022). * Before use the DIR_PERMISSION, the process umask value should be set 0 using umask(). */ #define DIR_PERMISSION 0777 -void init_sdk_sync_permit_rule_regx(void) -{ - int ret; - ret = asprintf(&sdk_sync_permit_rule[0].regx, "^((/tmp)|(%s)|(%s))/[a-zA-Z0-9]{10}/data/[a-zA-Z0-9_\\-]{1,50}\\.xml$", APP_INSTALL_PATH_PREFIX1, APP_INSTALL_PATH_PREFIX2); - if(ret < 0) { - D("failed to run asprintf for unittest\n"); - } - ret = asprintf(&sdk_sync_permit_rule[1].regx, "^((/tmp)|(%s)|(%s))/[a-zA-Z0-9]{10}/data/+(.)*\\.gcda$", APP_INSTALL_PATH_PREFIX1, APP_INSTALL_PATH_PREFIX2); - if (ret < 0) { - D("failed to run asprintf for codecoverage\n"); - } - ret = asprintf(&sdk_sync_permit_rule[2].regx, "^(/tmp/da/)*+[a-zA-Z0-9_\\-\\.]{1,50}\\.png$"); - if (ret < 0) { - D("failed to run asprintf for da\n"); - } -} - #if 0 static void set_syncfile_smack_label(char *src) { char *label_transmuted = NULL; 
@@ -592,37 +561,6 @@ static int do_recv(int s, const char *path, char *buffer) return 0; } -static int verify_sync_rule(const char* path) { - regex_t regex; - int ret; - char buf[PATH_MAX]; - int i=0; - - init_sdk_sync_permit_rule_regx(); - for (i=0; sdk_sync_permit_rule[i].regx != NULL; i++) { - ret = regcomp(®ex, sdk_sync_permit_rule[i].regx, REG_EXTENDED); - if(ret){ - return 0; - } - // execute regular expression - ret = regexec(®ex, path, 0, NULL, 0); - if(!ret){ - regfree(®ex); - D("found matched rule(%s) from %s path\n", sdk_sync_permit_rule[i].name, path); - return 1; - } else if( ret == REG_NOMATCH ){ - // do nothin - } else{ - regerror(ret, ®ex, buf, sizeof(buf)); - D("regex match failed(%s): %s\n",sdk_sync_permit_rule[i].name, buf); - } - } - regfree(®ex); - for (i=0; sdk_sync_permit_rule[i].regx != NULL; i++){ - free(sdk_sync_permit_rule[i].regx); - } - return 0; -} void file_sync_service(int fd, void *cookie) { -- 2.7.4 From 400c941ab0c774bf93774d463ce37ff90afad7ef Mon Sep 17 00:00:00 2001 From: Shingil Kang Date: Tue, 12 Jul 2016 22:18:07 -0700 Subject: [PATCH 16/16] Revert "Revert "sdb: change group and owner of sdb device node"" This reverts commit 45bfe8e57fd16c8bc2ad8073afeb3a842c3eb810. Change-Id: Iecfb11a43fb26135cc4f99260892d7edd1e69722 Signed-off-by: Sooyoung Ha --- packaging/sdbd.spec | 4 ++++ rules/99-sdbd.rules | 1 + 2 files changed, 5 insertions(+) create mode 100644 rules/99-sdbd.rules diff --git a/packaging/sdbd.spec b/packaging/sdbd.spec index 6a2476b..74888df 100644 --- a/packaging/sdbd.spec +++ b/packaging/sdbd.spec 
@@ -84,6 +84,9 @@ install -m 0644 %SOURCE1001 %{buildroot}%{_unitdir}/sdbd.service install -m 0644 %SOURCE1004 %{buildroot}%{_unitdir}/sdbd_tcp.service mkdir -p %{buildroot}/%{_unitdir}/multi-user.target.wants ln -s %{_unitdir}/sdbd.service %{buildroot}/%{_unitdir}/multi-user.target.wants/ + +mkdir -p %{buildroot}%{_prefix}/lib/udev/rules.d/ +install -m 644 rules/99-sdbd.rules %{buildroot}%{_prefix}/lib/udev/rules.d/ %endif mkdir -p %{buildroot}%{_prefix}/sbin @@ -126,6 +129,7 @@ chsmack -e "User::Shell" /bin/sh-user %else %{_unitdir}/sdbd_tcp.service %{_unitdir}/multi-user.target.wants/sdbd.service +%{_prefix}/lib/udev/rules.d/99-sdbd.rules %endif /usr/share/license/%{name} %{TZ_SYS_BIN}/profile_command diff --git a/rules/99-sdbd.rules b/rules/99-sdbd.rules new file mode 100644 index 0000000..c441d87 --- /dev/null +++ b/rules/99-sdbd.rules @@ -0,0 +1 @@ +KERNEL=="samsung_sdb", OWNER="sdk", GROUP="sdk", SECLABEL{smack}="*" -- 2.7.4
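Review bot: The new rule in rules/99-sdbd.rules gives the samsung_sdb node the Smack label `*`, and Smack permits any access to an object labelled `*`. Mandatory access control therefore no longer restricts who may open the device, and only the owner, group and mode bits remain. The rule sets no MODE, which leaves the permission bits to the udev default. I would state the mode explicitly, `KERNEL=="samsung_sdb", OWNER="sdk", GROUP="sdk", MODE="0660", SECLABEL{smack}="*"`, and, if the target image has a label specific to sdbd, use that in place of `*`.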