From 32c53d64b311b1e0a28759442d1c203afda4505c Mon Sep 17 00:00:00 2001 From: Dariusz Michaluk Date: Fri, 31 May 2019 15:10:55 +0200 Subject: [PATCH 01/16] Improve security_manager_prepare_app() performance This commit merges getPrivilegedGroups() and getAppGroups() into one client request. Change-Id: I77b42773845b264794398af7995bba087320689d --- src/client/client-security-manager.cpp | 24 ++------- src/common/include/protocols.h | 1 - src/common/include/service_impl.h | 40 ++++++-------- src/common/service_impl.cpp | 96 ++++++++++++++-------------------- src/server/service/include/service.h | 15 ++---- src/server/service/service.cpp | 29 +++------- 6 files changed, 70 insertions(+), 135 deletions(-) diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp index cef785c..8c2a4f7 100644 --- a/src/client/client-security-manager.cpp +++ b/src/client/client-security-manager.cpp @@ -494,27 +494,16 @@ static int setProcessGroups(const std::vector &groups) return SECURITY_MANAGER_SUCCESS; } -static int getPrivilegedGroups(std::vector &groups) +static int getPrivilegedAndAppGroups(const std::string &appProcessLabel, std::vector &privilegedGroups, std::vector &appGroups) { ClientRequest request(SecurityModuleCall::GROUPS_GET); - if (request.send().failed()) { - LogError("Failed to get list of groups from security-manager service."); - return request.getStatus(); - } - - request.recv(groups); - return SECURITY_MANAGER_SUCCESS; -} -static int getAppGroups(const std::string appProcessLabel, std::vector &groups) -{ - ClientRequest request(SecurityModuleCall::APP_GET_GROUPS); if (request.send(appProcessLabel).failed()) { LogError("Failed to get list of groups from security-manager service."); return request.getStatus(); } - request.recv(groups); + request.recv(privilegedGroups, appGroups); return SECURITY_MANAGER_SUCCESS; } 
@@ -731,16 +720,11 @@ static int security_manager_set_process_groups_internal(const std::string &app_l return ret; LogDebug("Current supplementary groups count: " << currentGroups.size()); - std::vector privilegedGroups; - ret = getPrivilegedGroups(privilegedGroups); + std::vector privilegedGroups, allowedGroups; + ret = getPrivilegedAndAppGroups(app_label, privilegedGroups, allowedGroups); if (ret != SECURITY_MANAGER_SUCCESS) return ret; LogDebug("All privileged supplementary groups count: " << privilegedGroups.size()); - - std::vector allowedGroups; - ret = getAppGroups(app_label, allowedGroups); - if (ret != SECURITY_MANAGER_SUCCESS) - return ret; LogDebug("Allowed privileged supplementary groups count: " << allowedGroups.size()); std::unordered_set groupsSet(currentGroups.begin(), currentGroups.end()); diff --git a/src/common/include/protocols.h b/src/common/include/protocols.h index 5c61ad4..0275c0e 100644 --- a/src/common/include/protocols.h +++ b/src/common/include/protocols.h @@ -108,7 +108,6 @@ enum class SecurityModuleCall APP_UPDATE, APP_UNINSTALL, APP_GET_PKG_NAME, - APP_GET_GROUPS, APP_APPLY_PRIVATE_SHARING, APP_DROP_PRIVATE_SHARING, USER_ADD, diff --git a/src/common/include/service_impl.h b/src/common/include/service_impl.h index d213f1e..a3bd92f 100644 --- a/src/common/include/service_impl.h +++ b/src/common/include/service_impl.h 
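Review bot: Removing `APP_GET_GROUPS` from the middle of `SecurityModuleCall` in the protocols.h hunk changes the wire protocol if the enumerators are implicitly numbered, because every call id after it shifts down by one (the numbering is not visible in this hunk, so this is inferred). A client library and a daemon built from different revisions would then dispatch to the wrong handler. `GROUPS_GET` also keeps its id while its request now carries `appProcessLabel` and its reply two vectors, so an older client sends a payload that the new `processGetPrivilegedAndAppGroups` in service.cpp does not expect. I would keep the slot as a placeholder, e.g. `APP_GET_GROUPS_RESERVED, // retired, keeps later call ids stable`, or state in the enum's comment that client and daemon must always be updated together.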
@@ -112,22 +112,6 @@ public: int getPkgName(const std::string &appName, std::string &pkgName); /** - * Process query for supplementary groups allowed for the application. - * For given \ref appProcessLabel and \ref uid, calculate allowed privileges that give - * direct access to file system resources. For each permission Cynara will be - * queried. - * Returns set of group ids that are permitted. - * - * @param[in] creds credentials of the requesting process - * @param[in] appProcessLabel application identifier - * @param[out] groups returned vector of allowed groups - * - * @return API return code, as defined in protocols.h - */ - int getAppGroups(const Credentials &creds, const std::string &appProcessLabel, - std::vector &groups); - - /** * Process user adding request. * * @param[in] creds credentials of the requesting process 
@@ -186,20 +170,28 @@ public: /** * Process getting policy descriptions list. * - * @param[in] descriptions empty vector for descriptions strings + * @param[out] descriptions returned vector of descriptions strings * * @return API return code, as defined in protocols.h */ int policyGetDesc(std::vector &descriptions); /** - * Process getting resources group list. - * - * @param[out] groups empty vector for group strings - * - * @return API return code, as defined in protocols.h - */ - int policyGetGroups(std::vector &groups); + * Process query for resources group list and supplementary groups allowed for the application. + * For given \ref appProcessLabel and \ref uid, calculate allowed privileges that give + * direct access to file system resources. For each permission Cynara will be + * queried. + * Returns set of group ids that are permitted. + * + * @param[in] creds credentials of the requesting process + * @param[in] appProcessLabel application identifier + * @param[out] privilegedGroups returned vector of privileged groups + * @param[out] appGroups returned vector of allowed groups + * + * @return API return code, as defined in protocols.h + */ + int getPrivilegedAndAppGroups(const Credentials &creds, const std::string &appProcessLabel, + std::vector &privilegedGroups, std::vector &appGroups); /** * Receive groups connected with uid and add them diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp index d8d9f9e..8362481 100644 --- a/src/common/service_impl.cpp +++ b/src/common/service_impl.cpp 
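Review bot: The new doc block for `getPrivilegedAndAppGroups` still refers to `\ref uid`, which is not a parameter (the uid is taken from `creds`), and says it "Returns set of group ids" although the function fills two output vectors. I would reword the opening to `For given \ref appProcessLabel and the uid from \ref creds, calculate allowed privileges ...` and replace the return sentence with `Fills \ref privilegedGroups with the groups bound to privileges and \ref appGroups with those permitted for the application.` The `appProcessLabel` line could also say that the value is supplied by the requesting client, since service.cpp deserializes it straight from the request buffer.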
@@ -1175,56 +1175,6 @@ int ServiceImpl::getPkgName(const std::string &appName, std::string &pkgName) return SECURITY_MANAGER_SUCCESS; } -int ServiceImpl::getAppGroups(const Credentials &creds, const std::string &appProcessLabel, - std::vector &groups) -{ - try { - LogDebug("smack label: " << appProcessLabel); - - std::vector privileges; - - std::string uidStr = std::to_string(creds.uid); - m_cynaraAdmin.getAppPolicy(appProcessLabel, uidStr, privileges); - m_cynaraAdmin.getAppPolicy(appProcessLabel, CYNARA_ADMIN_WILDCARD, privileges); - m_cynaraAdmin.getAppPolicy(CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_WILDCARD, privileges); - - vectorRemoveDuplicates(privileges); - - std::string pidStr = std::to_string(creds.pid); - for (const auto &privilege : privileges) { - auto &pgids = m_privilegeGids.getGids(privilege); - - LogDebug("Considering privilege " << privilege << " with " << - pgids.size() << " groups assigned"); - - if (pgids.empty()) - continue; - - if (m_cynara.check(appProcessLabel, privilege, uidStr, pidStr)) { - groups.insert(groups.end(), pgids.begin(), pgids.end()); - LogDebug("Cynara allowed, adding groups"); - } else { - LogDebug("Cynara denied, not adding groups"); - } - } - vectorRemoveDuplicates(groups); - } catch (const PrivilegeDb::Exception::Base &e) { - LogError("Database error: " << e.DumpToString()); - return SECURITY_MANAGER_ERROR_SERVER_ERROR; - } catch (const CynaraException::Base &e) { - LogError("Error while querying Cynara for permissions: " << e.DumpToString()); - return SECURITY_MANAGER_ERROR_SERVER_ERROR; - } catch (const SmackException::InvalidLabel &e) { - LogError("Error while generating Smack labels: " << e.DumpToString()); - return SECURITY_MANAGER_ERROR_SERVER_ERROR; - } catch (const std::bad_alloc &e) { - LogError("Memory allocation failed: " << e.what()); - return SECURITY_MANAGER_ERROR_MEMORY; - } - - return SECURITY_MANAGER_SUCCESS; -} - int ServiceImpl::userAdd(const Credentials &creds, uid_t uidAdded, int userType) { if 
(!authenticate(creds, PRIVILEGE_USER_ADMIN)) { 
@@ -1620,19 +1570,51 @@ int ServiceImpl::policyGetDesc(std::vector &levels) return ret; } -int ServiceImpl::policyGetGroups(std::vector &groups) +int ServiceImpl::getPrivilegedAndAppGroups(const Credentials &creds, const std::string &appProcessLabel, + std::vector &privilegedGroups, std::vector &appGroups) { - int ret = SECURITY_MANAGER_SUCCESS; - try { + LogDebug("smack label: " << appProcessLabel); + auto &gids = m_privilegeGids.getGids(); - groups.insert(groups.end(), gids.begin(), gids.end()); - } catch (const PrivilegeDb::Exception::Base &e) { - LogError("Error while getting groups from database: " << e.DumpToString()); + privilegedGroups.insert(privilegedGroups.end(), gids.begin(), gids.end()); + + std::vector privileges; + + std::string uidStr = std::to_string(creds.uid); + m_cynaraAdmin.getAppPolicy(appProcessLabel, uidStr, privileges); + m_cynaraAdmin.getAppPolicy(appProcessLabel, CYNARA_ADMIN_WILDCARD, privileges); + m_cynaraAdmin.getAppPolicy(CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_WILDCARD, privileges); + + vectorRemoveDuplicates(privileges); + + std::string pidStr = std::to_string(creds.pid); + for (const auto &privilege : privileges) { + const auto &pgids = m_privilegeGids.getGids(privilege); + + LogDebug("Considering privilege " << privilege << " with " << + pgids.size() << " groups assigned"); + + if (pgids.empty()) + continue; + + if (m_cynara.check(appProcessLabel, privilege, uidStr, pidStr)) { + appGroups.insert(appGroups.end(), pgids.begin(), pgids.end()); + LogDebug("Cynara allowed, adding groups"); + } else { + LogDebug("Cynara denied, not adding groups"); + } + } + vectorRemoveDuplicates(appGroups); + } catch (const CynaraException::Base &e) { + LogError("Error while querying Cynara for permissions: " << e.DumpToString()); return SECURITY_MANAGER_ERROR_SERVER_ERROR; + } catch (const std::bad_alloc &e) { + LogError("Memory allocation failed: " << e.what()); + return SECURITY_MANAGER_ERROR_MEMORY; } - return ret; + return SECURITY_MANAGER_SUCCESS; 
} int ServiceImpl::policyGroupsForUid(uid_t uid, std::vector &groups) diff --git a/src/server/service/include/service.h b/src/server/service/include/service.h index 5805cf0..1c697b0 100644 --- a/src/server/service/include/service.h +++ b/src/server/service/include/service.h @@ -104,15 +104,6 @@ private: */ void processGetPkgName(MessageBuffer &buffer, MessageBuffer &send); - /** - * Process getting permitted group ids for app id - * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - * @param creds credentials of the requesting process - */ - void processGetAppGroups(MessageBuffer &buffer, MessageBuffer &send, const Credentials &creds); - void processUserAdd(MessageBuffer &buffer, MessageBuffer &send, const Credentials &creds); void processUserDelete(MessageBuffer &buffer, MessageBuffer &send, const Credentials &creds); @@ -160,11 +151,13 @@ private: void processPolicyGetDesc(MessageBuffer &send); /** - * Process getting groups bound with privileges + * Process getting groups bound with privileges and permitted group ids for app id * + * @param buffer Raw received data buffer * @param send Raw data buffer to be sent + * @param creds credentials of the requesting process */ - void processGroupsGet(MessageBuffer &send); + void processGetPrivilegedAndAppGroups(MessageBuffer &buffer, MessageBuffer &send, const Credentials &creds); /** * Process getting groups bound with privileges for given uid diff --git a/src/server/service/service.cpp b/src/server/service/service.cpp index d881866..043f4a8 100644 --- a/src/server/service/service.cpp +++ b/src/server/service/service.cpp 
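Review bot: The merged `ServiceImpl::getPrivilegedAndAppGroups` catches only `CynaraException::Base` and `std::bad_alloc`, while the two functions it replaces also handled `PrivilegeDb::Exception::Base` and `SmackException::InvalidLabel`. `appProcessLabel` is deserialized from the client request, so if any call inside the try block can still raise either type (not visible in this hunk), a malformed label would escape the handler instead of returning `SECURITY_MANAGER_ERROR_SERVER_ERROR`. Unless those exceptions are provably unreachable here, I would restore both handlers ahead of the Cynara one.
```cpp
    // … unchanged: try body filling privilegedGroups and appGroups …
    } catch (const PrivilegeDb::Exception::Base &e) {
        LogError("Database error: " << e.DumpToString());
        return SECURITY_MANAGER_ERROR_SERVER_ERROR;
    } catch (const SmackException::InvalidLabel &e) {
        LogError("Error while generating Smack labels: " << e.DumpToString());
        return SECURITY_MANAGER_ERROR_SERVER_ERROR;
    } catch (const CynaraException::Base &e) {
    // … unchanged: Cynara and bad_alloc handlers, final return …
```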
@@ -93,10 +93,6 @@ bool Service::processOne(const ConnectionID &conn, MessageBuffer &buffer, LogDebug("call_type: SecurityModuleCall::APP_GET_PKG_NAME"); processGetPkgName(buffer, send); break; - case SecurityModuleCall::APP_GET_GROUPS: - LogDebug("call_type: SecurityModuleCall::APP_GET_GROUPS"); - processGetAppGroups(buffer, send, creds); - break; case SecurityModuleCall::USER_ADD: LogDebug("call_type: SecurityModuleCall::USER_ADD"); processUserAdd(buffer, send, creds); @@ -127,7 +123,7 @@ bool Service::processOne(const ConnectionID &conn, MessageBuffer &buffer, break; case SecurityModuleCall::GROUPS_GET: LogDebug("call_type: SecurityModuleCall::GROUPS_GET"); - processGroupsGet(send); + processGetPrivilegedAndAppGroups(buffer, send, creds); break; case SecurityModuleCall::GROUPS_FOR_UID: processGroupsForUid(buffer, send); @@ -265,19 +261,6 @@ void Service::processGetPkgName(MessageBuffer &buffer, MessageBuffer &send) Serialization::Serialize(send, pkgName); } -void Service::processGetAppGroups(MessageBuffer &buffer, MessageBuffer &send, const Credentials &creds) -{ - std::string appProcessLabel; - std::vector groups; - int ret; - - Deserialization::Deserialize(buffer, appProcessLabel); - ret = serviceImpl.getAppGroups(creds, appProcessLabel, groups); - Serialization::Serialize(send, ret); - if (ret == SECURITY_MANAGER_SUCCESS) - Serialization::Serialize(send, groups); -} - void Service::processUserAdd(MessageBuffer &buffer, MessageBuffer &send, const Credentials &creds) { int ret; 
@@ -362,14 +345,16 @@ void Service::processPolicyGetDesc(MessageBuffer &send) } } -void Service::processGroupsGet(MessageBuffer &send) +void Service::processGetPrivilegedAndAppGroups(MessageBuffer &buffer, MessageBuffer &send, const Credentials &creds) { - std::vector groups; - int ret = serviceImpl.policyGetGroups(groups); + std::string appProcessLabel; + std::vector privilegedGroups, appGroups; + Deserialization::Deserialize(buffer, appProcessLabel); + int ret = serviceImpl.getPrivilegedAndAppGroups(creds, appProcessLabel, privilegedGroups, appGroups); Serialization::Serialize(send, ret); if (ret == SECURITY_MANAGER_SUCCESS) { - Serialization::Serialize(send, groups); + Serialization::Serialize(send, privilegedGroups, appGroups); } } -- 2.7.4 From db98b1aa341cd08a4d78aadde31b3115bf7ccbac Mon Sep 17 00:00:00 2001 From: Tomasz Swierczek Date: Thu, 6 Jun 2019 16:01:09 +0200 Subject: [PATCH 02/16] Release 1.5.6 * Improve security_manager_prepare_app() performance * Stop forcing logs from server-side write() and close() operations * Revert "Enhance logs in case of socket problems, client hangs on waitForSocket()" * Properly handle EINPROGRESS error from connect() Change-Id: I02c5e576882d3f9bb713b924a7f90f7287165f96 --- packaging/security-manager.changes | 11 +++++++++++ packaging/security-manager.spec | 2 +- pc/security-manager.pc.in | 2 +- 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/packaging/security-manager.changes b/packaging/security-manager.changes index de28448..addc515 100644 --- a/packaging/security-manager.changes +++ b/packaging/security-manager.changes 
@@ -1,3 +1,14 @@ +Release: 1.5.6 +Date: 2019.06.06 +Name: Release 1.5.6 +Description: +Improve security_manager_prepare_app() performance +Stop forcing logs from server-side write() and close() operations +Revert "Enhance logs in case of socket problems, client hangs on waitForSocket()" +Properly handle EINPROGRESS error from connect() + +############################### + Release: 1.5.5 Date: 2019.04.29 Name: Release 1.5.5 diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec index a6864a2..a4a49da 100644 --- a/packaging/security-manager.spec +++ b/packaging/security-manager.spec @@ -1,6 +1,6 @@ Name: security-manager Summary: Security manager and utilities -Version: 1.5.5 +Version: 1.5.6 Release: 0 Group: Security/Service License: Apache-2.0 diff --git a/pc/security-manager.pc.in b/pc/security-manager.pc.in index 4625400..ae55331 100644 --- a/pc/security-manager.pc.in +++ b/pc/security-manager.pc.in @@ -5,7 +5,7 @@ includedir=${prefix}/include Name: security-manager Description: Security Manager Package -Version: 1.5.5 +Version: 1.5.6 Requires: Libs: -L${libdir} -lsecurity-manager-client Cflags: -I${includedir}/security-manager -- 2.7.4 From 759cddc394bf1472e09c24c7eff7c4a972ff83c9 Mon Sep 17 00:00:00 2001 
From: Tomasz Swierczek Date: Wed, 15 May 2019 11:31:33 +0200 Subject: [PATCH 03/16] Add logging of server-side operation handling time Logs are added only in debug mode for each service method that implements API exposed by the daemon. Change-Id: I90412b9d6c32edd0d7559f5eb713117ba0a1fecd --- src/common/CMakeLists.txt | 1 + src/common/include/protocols.h | 5 ++- src/common/include/utils.h | 27 ++++++++++++- src/common/protocols.cpp | 36 ++++++++++++++++- src/common/utils.cpp | 68 ++++++++++++++++++++++++++++++++ src/server/main/include/socket-manager.h | 2 - src/server/main/socket-manager.cpp | 11 +----- src/server/service/service.cpp | 5 ++- test/CMakeLists.txt | 1 + 9 files changed, 138 insertions(+), 18 deletions(-) create mode 100644 src/common/utils.cpp diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt index cfd9047..6222ba6 100644 --- a/src/common/CMakeLists.txt +++ b/src/common/CMakeLists.txt @@ -66,6 +66,7 @@ SET(COMMON_SOURCES ${COMMON_PATH}/smack-check.cpp ${COMMON_PATH}/service_impl.cpp ${COMMON_PATH}/tzplatform-config.cpp + ${COMMON_PATH}/utils.cpp ${COMMON_PATH}/worker.cpp ${COMMON_PATH}/privilege-info.cpp ${COMMON_PATH}/privilege-gids.cpp diff --git a/src/common/include/protocols.h b/src/common/include/protocols.h index 0275c0e..006c8a7 100644 --- a/src/common/include/protocols.h +++ b/src/common/include/protocols.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * @@ -132,6 +132,9 @@ enum class SecurityModuleCall NOOP = 0x90, }; +// returns stringified name of return call type +const char * SecurityModuleCallToString(SecurityModuleCall call_num); + } // namespace SecurityManager struct policy_entry : ISerializable { diff --git a/src/common/include/utils.h b/src/common/include/utils.h index b2d3a80..a1d0514 100644 --- a/src/common/include/utils.h +++ b/src/common/include/utils.h 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2016 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * @@ -19,7 +19,7 @@ * @file utils.h * @author Rafal Krypa * @version 1.0 - * @brief Utility macros and templates + * @brief Utility functions, macros and templates */ #pragma once @@ -28,12 +28,35 @@ #include #include #include +#include #include #include #include +#include + +#include namespace SecurityManager { +time_t monotonicNow(); + +// Used for measuring function/method/scope execution time +class ScopedTimeStamper { +public: + ScopedTimeStamper(const std::string & location, const Credentials & creds); + virtual ~ScopedTimeStamper(); + +private: + struct timespec m_start; + std::string m_locationStr; +}; + +#ifdef BUILD_TYPE_DEBUG +#define LOG_EXECUTION_TIME(location, creds) ScopedTimeStamper __stamper(location, creds) +#else +#define LOG_EXECUTION_TIME(location, creds) do {} while (0) +#endif + // Pointer template std::unique_ptr makeUnique(T *ptr) diff --git a/src/common/protocols.cpp b/src/common/protocols.cpp index 798b9d6..465b844 100644 --- a/src/common/protocols.cpp +++ b/src/common/protocols.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * 
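Review bot: `LOG_EXECUTION_TIME` in the utils.h hunk declares a local named `__stamper`; identifiers containing a double underscore are reserved for the implementation, and the fixed name also prevents using the macro twice in one scope. `ScopedTimeStamper` is a scope guard with no other virtual member, so the `virtual` destructor only adds a vtable, and leaving it copyable allows a copy to log a second, misleading duration. I would write `ScopedTimeStamper smScopedTimeStamper(location, creds)` in the macro, drop `virtual`, and add `ScopedTimeStamper(const ScopedTimeStamper &) = delete;` with the matching deleted assignment.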
@@ -33,5 +33,39 @@ namespace SecurityManager { char const * const SERVICE_SOCKET = SOCKET_PATH_PREFIX "security-manager.socket"; +#define SM_CODE_DESCRIBE(name) case name: return #name +const char * SecurityModuleCallToString(SecurityModuleCall call_num) { + switch (call_num) { + SM_CODE_DESCRIBE(SecurityModuleCall::APP_INSTALL); + SM_CODE_DESCRIBE(SecurityModuleCall::APP_UPDATE); + SM_CODE_DESCRIBE(SecurityModuleCall::APP_UNINSTALL); + SM_CODE_DESCRIBE(SecurityModuleCall::APP_GET_PKG_NAME); + SM_CODE_DESCRIBE(SecurityModuleCall::APP_APPLY_PRIVATE_SHARING); + SM_CODE_DESCRIBE(SecurityModuleCall::APP_DROP_PRIVATE_SHARING); + SM_CODE_DESCRIBE(SecurityModuleCall::USER_ADD); + SM_CODE_DESCRIBE(SecurityModuleCall::USER_DELETE); + SM_CODE_DESCRIBE(SecurityModuleCall::POLICY_UPDATE); + SM_CODE_DESCRIBE(SecurityModuleCall::GET_POLICY); + SM_CODE_DESCRIBE(SecurityModuleCall::GET_CONF_POLICY_ADMIN); + SM_CODE_DESCRIBE(SecurityModuleCall::GET_CONF_POLICY_SELF); + SM_CODE_DESCRIBE(SecurityModuleCall::POLICY_GET_DESCRIPTIONS); + SM_CODE_DESCRIBE(SecurityModuleCall::GROUPS_GET); + SM_CODE_DESCRIBE(SecurityModuleCall::APP_HAS_PRIVILEGE); + SM_CODE_DESCRIBE(SecurityModuleCall::PATHS_REGISTER); + SM_CODE_DESCRIBE(SecurityModuleCall::GROUPS_FOR_UID); + SM_CODE_DESCRIBE(SecurityModuleCall::LABEL_FOR_PROCESS); + SM_CODE_DESCRIBE(SecurityModuleCall::SHM_APP_NAME); + SM_CODE_DESCRIBE(SecurityModuleCall::GET_APP_DEFINED_PRIVILEGE_PROVIDER); + SM_CODE_DESCRIBE(SecurityModuleCall::GET_APP_DEFINED_PRIVILEGE_LICENSE); + SM_CODE_DESCRIBE(SecurityModuleCall::GET_CLIENT_PRIVILEGE_LICENSE); + SM_CODE_DESCRIBE(SecurityModuleCall::APP_SETUP_NAMESPACE); + SM_CODE_DESCRIBE(SecurityModuleCall::APP_CLEAN_NAMESPACE); + SM_CODE_DESCRIBE(SecurityModuleCall::GET_APP_MANIFEST_POLICY); + SM_CODE_DESCRIBE(SecurityModuleCall::NOOP); + default: return "Code not defined"; + } +} +#undef SM_CODE_DESCRIBE + } // namespace SecurityManager 
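Review bot: The `default:` label in `SecurityModuleCallToString` suppresses the compiler's missing-enumerator warning, so a call added to `SecurityModuleCall` later will silently log as "Code not defined". The fallback itself has to stay, because `Service::processOne` casts `call_type` from an integer read out of the client's message. Moving it behind the switch keeps it while letting `-Wswitch` flag forgotten enumerators: remove `default: return "Code not defined";` and put `return "Code not defined";` after the closing brace of the switch. A comment such as `// value comes off the wire and may not be a declared enumerator` would record why the fallback exists.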
diff --git a/src/common/utils.cpp b/src/common/utils.cpp
new file mode 100644
index 0000000..fb215ed
--- /dev/null
+++ b/src/common/utils.cpp
@@ -0,0 +1,68 @@ +/* + * Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Tomasz Swierczek + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ +/* + * @file utils.cpp + * @author Tomasz Swierczek + * @version 1.0 + * @brief Implementation of utility functions + */ + +#include + +#include +#include + +namespace SecurityManager { + +time_t monotonicNow() { + struct timespec now; + if (clock_gettime(CLOCK_MONOTONIC_RAW, &now) == -1) { + int err = errno; + LogError("Can't access monotonic clock, error: " << GetErrnoString(err)); + return 0; + } + return now.tv_sec; +} + +ScopedTimeStamper::ScopedTimeStamper(const std::string & location, const Credentials & creds) +{ + m_locationStr = location + + ", caller uid = " + std::to_string(creds.uid) + + ", caller pid = " + std::to_string(creds.pid) + + ", caller label = " + creds.label; + + if (clock_gettime(CLOCK_MONOTONIC_RAW, &m_start) == -1) { + int err = errno; + LogError("Can't access monotonic clock, error: " << GetErrnoString(err)); + } +} + +ScopedTimeStamper::~ScopedTimeStamper() +{ + struct timespec end; + if (clock_gettime(CLOCK_MONOTONIC_RAW, &end) == -1) { + int err = errno; + LogError("Can't access monothonic clock, error: " << GetErrnoString(err)); + } + long ndiff = (end.tv_nsec - m_start.tv_nsec ) + (end.tv_sec - m_start.tv_sec ) * 1E9; + float sec(ndiff); + sec *= 0.000000001; + LogDebug("Execution of " << m_locationStr << " took " << sec << " seconds"); +} + +} /* 
namespace SecurityManager */ diff --git a/src/server/main/include/socket-manager.h b/src/server/main/include/socket-manager.h index 1395f4f..ae94f60 100644 --- a/src/server/main/include/socket-manager.h +++ b/src/server/main/include/socket-manager.h @@ -71,8 +71,6 @@ protected: void NotifyMe(void); void CloseSocket(int sock); - time_t monotonicNow(); - struct SocketDescription { bool isListen; bool isOpen; diff --git a/src/server/main/socket-manager.cpp b/src/server/main/socket-manager.cpp index 900647f..27daf7d 100644 --- a/src/server/main/socket-manager.cpp +++ b/src/server/main/socket-manager.cpp @@ -49,6 +49,7 @@ #include #include #include +#include namespace { @@ -762,14 +763,4 @@ void SocketManager::CloseSocket(int sock) { LogDebug("Closing socket: " << sock << " finished.."); } -time_t SocketManager::monotonicNow() { - struct timespec now; - if (clock_gettime(CLOCK_MONOTONIC_RAW, &now) == -1) { - int err = errno; - LogError("Can't access monothonic clock, error: " << GetErrnoString(err)); - return 0; - } - return now.tv_sec; -} - } // namespace SecurityManager diff --git a/src/server/service/service.cpp b/src/server/service/service.cpp index 043f4a8..f233f20 100644 --- a/src/server/service/service.cpp +++ b/src/server/service/service.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * @@ -33,6 +33,7 @@ #include "protocols.h" #include "service.h" #include "service_impl.h" +#include "utils.h" namespace SecurityManager { @@ -71,7 +72,7 @@ bool Service::processOne(const ConnectionID &conn, MessageBuffer &buffer, int call_type_int; Deserialization::Deserialize(buffer, call_type_int); SecurityModuleCall call_type = static_cast(call_type_int); - + LOG_EXECUTION_TIME(SecurityModuleCallToString(call_type), creds); switch (call_type) { case SecurityModuleCall::NOOP: LogDebug("call_type: SecurityModuleCall::NOOP"); 
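Review bot: `ScopedTimeStamper::~ScopedTimeStamper` in the new utils.cpp still computes and logs a duration after `clock_gettime` has failed, reading the uninitialised `end`; `m_start` is likewise left unset when the constructor's call fails. Add `return;` after the `LogError` in the destructor and value-initialise the member in utils.h as `struct timespec m_start{};`. The `... * 1E9` expression is evaluated in double and converted to `long`, which goes out of range after roughly two seconds wherever `long` is 32 bits. Computing `double sec = (end.tv_sec - m_start.tv_sec) + (end.tv_nsec - m_start.tv_nsec) * 1e-9;` avoids that conversion and the precision loss of the `float`.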
diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index a7046df..4efb856 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -81,6 +81,7 @@ SET(SM_TESTS_SOURCES ${PROJECT_SOURCE_DIR}/src/common/smack-rules.cpp ${PROJECT_SOURCE_DIR}/src/common/filesystem.cpp ${PROJECT_SOURCE_DIR}/src/common/tzplatform-config.cpp + ${PROJECT_SOURCE_DIR}/src/common/utils.cpp ${GEN_PATH}/db.h ) -- 2.7.4 From 5bb567b7221a59e3e0e1b306c57bc6ed7f3690e0 Mon Sep 17 00:00:00 2001 From: Tomasz Swierczek Date: Mon, 10 Jun 2019 12:18:51 +0200 Subject: [PATCH 04/16] Add additional check for threads supgid pointers According to implementation of readtask (proc/readproc.c), the pointers could be NULL in specific implementations. Change-Id: If1e8308c517ddbfbd500f7c5822c80dd3225df0c --- src/client/check-proper-drop.cpp | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/src/client/check-proper-drop.cpp b/src/client/check-proper-drop.cpp index da00638..33c74a9 100644 --- a/src/client/check-proper-drop.cpp +++ b/src/client/check-proper-drop.cpp 
@@ -108,18 +108,24 @@ bool CheckProperDrop::checkThreads() REPORT_THREAD_ERROR(thread->tid, "Smack label", smackProc, smackThread); - if (strcmp(m_proc->supgid, thread->supgid)) - REPORT_THREAD_ERROR(thread->tid, "Supplementary groups", - m_proc->supgid, thread->supgid); - - CHECK_THREAD_CRED_FIELD(m_proc, thread, euid); - CHECK_THREAD_CRED_FIELD(m_proc, thread, egid); - CHECK_THREAD_CRED_FIELD(m_proc, thread, ruid); - CHECK_THREAD_CRED_FIELD(m_proc, thread, rgid); - CHECK_THREAD_CRED_FIELD(m_proc, thread, suid); - CHECK_THREAD_CRED_FIELD(m_proc, thread, sgid); - CHECK_THREAD_CRED_FIELD(m_proc, thread, fuid); - CHECK_THREAD_CRED_FIELD(m_proc, thread, fgid); + if (m_proc->supgid && thread->supgid) { + if (strcmp(m_proc->supgid, thread->supgid)) + REPORT_THREAD_ERROR(thread->tid, "Supplementary groups", + m_proc->supgid, thread->supgid); + } else { + if (m_proc->supgid != thread->supgid) + REPORT_THREAD_ERROR(thread->tid, "Supplementary groups", + m_proc->supgid ? m_proc->supgid : "", + thread->supgid ? thread->supgid : ""); + } + CHECK_THREAD_CRED_FIELD(m_proc, thread, euid); + CHECK_THREAD_CRED_FIELD(m_proc, thread, egid); + CHECK_THREAD_CRED_FIELD(m_proc, thread, ruid); + CHECK_THREAD_CRED_FIELD(m_proc, thread, rgid); + CHECK_THREAD_CRED_FIELD(m_proc, thread, suid); + CHECK_THREAD_CRED_FIELD(m_proc, thread, sgid); + CHECK_THREAD_CRED_FIELD(m_proc, thread, fuid); + CHECK_THREAD_CRED_FIELD(m_proc, thread, fgid); } return true; -- 2.7.4 From 8d0a3b7e1d5879b29569b3945975f65d48cc3e13 Mon Sep 17 00:00:00 2001 From: Tomasz Swierczek Date: Tue, 11 Jun 2019 06:46:29 +0200 Subject: [PATCH 05/16] Release 1.5.7 * Add additional check for threads supgid pointers * Add logging of server-side operation handling time Change-Id: I0f62ddaaefac6af7e754a0f6f7161ae584196832 --- packaging/security-manager.changes | 9 +++++++++ packaging/security-manager.spec | 2 +- pc/security-manager.pc.in | 2 +- 3 files changed, 11 insertions(+), 2 deletions(-) 
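Review bot: When both `m_proc->supgid` and `thread->supgid` are NULL, the new `else` branch treats the supplementary groups as matching, so on implementations that never fill the field this part of `checkThreads` passes without comparing anything. Judging by the class name, the check exists to confirm that every thread dropped its privileges, which makes this a fail-open result that should at least be explicit. I would add `// both NULL: supplementary groups were not reported for either task, nothing to compare` above the pointer comparison, or report the case if an unreadable group list should count as a failure. The loop body starts above the hunk, so how `REPORT_THREAD_ERROR` ends the check is not visible here.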
diff --git a/packaging/security-manager.changes b/packaging/security-manager.changes index addc515..502366c 100644 --- a/packaging/security-manager.changes +++ b/packaging/security-manager.changes @@ -1,3 +1,12 @@ +Release: 1.5.7 +Date: 2019.06.11 +Name: Release 1.5.7 +Description: +Add additional check for threads supgid pointers +Add logging of server-side operation handling time + +############################### + Release: 1.5.6 Date: 2019.06.06 Name: Release 1.5.6 diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec index a4a49da..a6ec886 100644 --- a/packaging/security-manager.spec +++ b/packaging/security-manager.spec @@ -1,6 +1,6 @@ Name: security-manager Summary: Security manager and utilities -Version: 1.5.6 +Version: 1.5.7 Release: 0 Group: Security/Service License: Apache-2.0 diff --git a/pc/security-manager.pc.in b/pc/security-manager.pc.in index ae55331..8da9ab6 100644 --- a/pc/security-manager.pc.in +++ b/pc/security-manager.pc.in @@ -5,7 +5,7 @@ includedir=${prefix}/include Name: security-manager Description: Security Manager Package -Version: 1.5.6 +Version: 1.5.7 Requires: Libs: -L${libdir} -lsecurity-manager-client Cflags: -I${includedir}/security-manager -- 2.7.4 From fe514f096ff6661a55150e79fd5a8cd2ae60bcd6 Mon Sep 17 00:00:00 2001 From: Konrad Lipinski Date: Tue, 28 May 2019 15:20:14 +0200 Subject: [PATCH 06/16] Migrate to openssl 1.1 Change-Id: Ied1db6cd18d336fa8a6b9aebd402b1f4eead30d3 --- packaging/security-manager.spec | 2 +- src/license-manager/agent/CMakeLists.txt | 4 ++-- src/license-manager/agent/agent_logic.cpp | 8 ++++---- src/license-manager/agent/main.cpp | 5 ----- 4 files changed, 7 insertions(+), 12 deletions(-) diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec index a6ec886..590c107 100644 --- a/packaging/security-manager.spec +++ b/packaging/security-manager.spec 
@@ -32,7 +32,7 @@ BuildRequires: pkgconfig(sqlite3) BuildRequires: pkgconfig(cynara-admin) BuildRequires: pkgconfig(cynara-client-async) BuildRequires: pkgconfig(security-privilege-manager) -BuildRequires: pkgconfig(openssl) +BuildRequires: pkgconfig(openssl1.1) BuildRequires: pkgconfig(mount) BuildRequires: boost-devel %{?systemd_requires} diff --git a/src/license-manager/agent/CMakeLists.txt b/src/license-manager/agent/CMakeLists.txt index a0cda30..42a31dc 100644 --- a/src/license-manager/agent/CMakeLists.txt +++ b/src/license-manager/agent/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright (c) 2017 Samsung Electronics Co., Ltd All Rights Reserved +# Copyright (c) 2017-2019 Samsung Electronics Co., Ltd. All rights reserved # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,7 +23,7 @@ PKG_CHECK_MODULES(AGENT_DEP REQUIRED cynara-agent libsystemd - openssl + openssl1.1 ) SET(AGENT_SOURCES diff --git a/src/license-manager/agent/agent_logic.cpp b/src/license-manager/agent/agent_logic.cpp index 26a8355..93b8c41 100644 --- a/src/license-manager/agent/agent_logic.cpp +++ b/src/license-manager/agent/agent_logic.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2017 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2017-2019 Samsung Electronics Co., Ltd. All rights reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -63,7 +63,7 @@ int verifyCommonName(const CertPtr &cert, const char *pkgId) { int cn_pos = -1; X509_NAME_ENTRY *cn_entry = nullptr; ASN1_STRING *cn_asn1 = nullptr; - char *cn_str = nullptr; + const char *cn_str = nullptr; // Find the position of the CN field in the Subject field of the certificate cn_pos = X509_NAME_get_index_by_NID(X509_get_subject_name((X509 *) cert.get()), NID_commonName, -1); 
@@ -82,7 +82,7 @@ int verifyCommonName(const CertPtr &cert, const char *pkgId) { if (!cn_asn1) { return -1; } - cn_str = (char *) ASN1_STRING_data(cn_asn1); + cn_str = (const char *) ASN1_STRING_get0_data(cn_asn1); // Make sure there isn't an embedded NULL character in the CN if ((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn_str)) { @@ -176,7 +176,7 @@ int verify(const std::string &smack, int uid, const std::string &privilege) { } else if (0 == X509_STORE_CTX_init(storeCtx.get(), store.get(), clientCert.get(), nullptr)) { // check this nullptr ALOGD("X509_STORE_CTX_init failed"); } else { - X509_VERIFY_PARAM_set_flags(storeCtx->param, X509_V_FLAG_X509_STRICT); + X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(storeCtx.get()), X509_V_FLAG_X509_STRICT); status = X509_verify_cert(storeCtx.get()); // 1 == ok; 0 == fail; -1 == error } diff --git a/src/license-manager/agent/main.cpp b/src/license-manager/agent/main.cpp index e5035d9..ba70a4d 100644 --- a/src/license-manager/agent/main.cpp +++ b/src/license-manager/agent/main.cpp @@ -64,11 +64,6 @@ int main(int, char **) { return EXIT_FAILURE; } - OpenSSL_add_all_algorithms(); - SSL_library_init(); - OPENSSL_config(NULL); - SSL_load_error_strings(); - try { LicenseManager::AgentLogic *logic = new LicenseManager::AgentLogic; -- 2.7.4 From 6615cac6337a2fde3da45f0ff1d8ef38acc13b79 Mon Sep 17 00:00:00 2001 From: INSUN PYO Date: Tue, 9 Jul 2019 14:04:24 +0900 Subject: [PATCH 07/16] Remove unnecessary setting Change-Id: I695a16bf83a7292422369490dda1e62a8ca30691 --- systemd/security-manager.service.in | 1 - systemd/security-manager.socket | 3 --- 2 files changed, 4 deletions(-) diff --git a/systemd/security-manager.service.in b/systemd/security-manager.service.in index 5205b36..a410c31 100644 --- a/systemd/security-manager.service.in +++ b/systemd/security-manager.service.in 
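Review bot: In the `verifyCommonName` hunk, the embedded-NUL check calls `strlen(cn_str)` on the pointer from `ASN1_STRING_get0_data()` without first checking it for null. It also relies on the ASN.1 buffer being NUL-terminated, which OpenSSL's documentation says cannot be assumed in general, so the scan can run past the `ASN1_STRING_length()` bytes that belong to the CN. A bounded form keeps the same intent: `if (!cn_str || memchr(cn_str, '\0', (size_t)ASN1_STRING_length(cn_asn1)) != nullptr) {`. The function body continues outside the hunk, so how `cn_str` is later compared with `pkgId` is not visible here.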
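Review bot: In the `verify` hunk, the result of `X509_VERIFY_PARAM_set_flags()` is discarded, so if setting `X509_V_FLAG_X509_STRICT` fails, `X509_verify_cert()` still runs with the default, less strict checks. Since this path decides whether a client certificate is accepted, the call is better made a failing branch of its own in the existing chain, e.g. `else if (1 != X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(storeCtx.get()), X509_V_FLAG_X509_STRICT)) { ALOGD("X509_VERIFY_PARAM_set_flags failed"); }`. The `// check this nullptr` remark on `X509_STORE_CTX_init` is carried over unresolved. `verify` starts and ends outside the hunk, so how `status` is interpreted afterwards cannot be confirmed from here.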
@@ -4,6 +4,5 @@ Description=Start the security manager [Service] Type=notify ExecStart=@BIN_INSTALL_DIR@/security-manager -Sockets=security-manager.socket Restart=always SmackProcessLabel=System::Privileged diff --git a/systemd/security-manager.socket b/systemd/security-manager.socket index af1c1da..211f4da 100644 --- a/systemd/security-manager.socket +++ b/systemd/security-manager.socket @@ -4,8 +4,5 @@ SocketMode=0777 SmackLabelIPIn=* SmackLabelIPOut=@ -# TODO: move to separate systemd service -Service=security-manager.service - [Install] WantedBy=sockets.target -- 2.7.4 From a3d50b0cc1f4bd2b48e9cc930830d3e4fcbd80fc Mon Sep 17 00:00:00 2001 
From: Tomasz Swierczek Date: Fri, 5 Jul 2019 07:21:11 +0200 Subject: [PATCH 08/16] Optimize nss plugin memory usage Made the nss module not linked with commons or client library. Using security-manager client library in nss module caused additional memory usage by private data in each loaded libraries out of which most were not needed for nss (smack, pcap, procps, rt, sqlite, cynara-*, security-privilege-manager, mount, crypt, blkid, pkgmgr_parser, vconf, minizip, pcre, uuid, xml2, gio, z, buxton2, lzma, gmodule, resolv, ffi, tzplatformconfig, dlog). Linking with dlog & tzplatformconfig left only in debug mode. To test it, use "gdb id", break point on getgrgid, measure change of PSS after finishing the function execution with vs. without the patch. The PSS value of id process should go down by approx. 0.4 - 0.5 MB (depending on the system load & number of processes). Change-Id: If2cede89885320ea83ca79fd54770a7ea24d87d8 --- CMakeLists.txt | 41 ++++++---- src/client/CMakeLists.txt | 1 + src/client/client-common.cpp | 52 +------------ src/client/client-label-monitor.cpp | 3 +- src/client/client-offline.cpp | 4 +- src/client/client-security-manager-internal.cpp | 72 ++++++++++++++++++ src/client/client-security-manager.cpp | 87 +-------------------- src/client/include/client-common.h | 40 ---------- .../include/client-security-manager-internal.h | 32 ++++++++ src/cmd/security-manager-cmd.cpp | 3 +- src/common/CMakeLists.txt | 2 +- src/common/{config.cpp => db-config.cpp} | 13 ++-- src/common/include/config.h | 24 ------ src/common/include/db-config.h | 47 ++++++++++++ src/common/include/privilege_db.h | 3 +- src/common/include/utils.h | 12 +++ src/common/utils.cpp | 88 ++++++++++++++++++++++ src/nss/CMakeLists.txt | 34 ++++++++- src/nss/nss_securitymanager.cpp | 16 ++-- .../rules-loader/security-manager-rules-loader.cpp | 1 + test/CMakeLists.txt | 4 +- test/privilege_db_fixture.cpp | 1 + test/test_privilege_db_migration.cpp | 1 + 23 files changed, 345 insertions(+), 236 
deletions(-) create mode 100644 src/client/client-security-manager-internal.cpp delete mode 100644 src/client/include/client-common.h create mode 100644 src/client/include/client-security-manager-internal.h rename src/common/{config.cpp => db-config.cpp} (75%) create mode 100644 src/common/include/db-config.h diff --git a/CMakeLists.txt b/CMakeLists.txt index 4e794c6..d6c8416 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright (c) 2011 - 2018 Samsung Electronics Co., Ltd All Rights Reserved +# Copyright (c) 2011 - 2019 Samsung Electronics Co., Ltd All Rights Reserved # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -73,18 +73,6 @@ ADD_DEFINITIONS("-DASKUSER_ENABLED") OPTION(DPL_WITH_DLOG "DPL DLOG backend" ON) OPTION(DPL_WITH_SYSTEMD_JOURNAL "DPL systemd-journal backend" OFF) -IF(DPL_WITH_DLOG) - ADD_DEFINITIONS("-DDPL_DLOG_ENABLED") -ENDIF(DPL_WITH_DLOG) - -IF(DPL_WITH_SYSTEMD_JOURNAL) - ADD_DEFINITIONS("-DDPL_SYSTEMD_JOURNAL_ENABLED") -ENDIF(DPL_WITH_SYSTEMD_JOURNAL) - -IF(DB_LOGS) - ADD_DEFINITIONS("-DDB_LOGS") -ENDIF(DB_LOGS) - ADD_DEFINITIONS("-DBUILD_TYPE_${CMAKE_BUILD_TYPE}") SET(INCLUDE_PATH ${PROJECT_SOURCE_DIR}/src/include) @@ -102,9 +90,9 @@ SET(TARGET_CLIENT "security-manager-client") SET(TARGET_COMMON "security-manager-commons") SET(TARGET_CMD "security-manager-cmd") SET(TARGET_CLEANUP "security-manager-cleanup") -SET(TARGET_NSS "security-manager-nss") SET(TARGET_LOADER "security-manager-rules-loader") SET(TARGET_TEST_LOADER "security-manager-test-rules-loader") +SET(TARGET_NSS "security-manager-nss") ADD_SUBDIRECTORY(src) ADD_SUBDIRECTORY(pc) 
@@ -112,3 +100,28 @@ ADD_SUBDIRECTORY(systemd) ADD_SUBDIRECTORY(db) ADD_SUBDIRECTORY(policy) ADD_SUBDIRECTORY(test) + +SET(LOG_TARGET_LIST ${TARGET_SERVER} + ${TARGET_CLIENT} + ${TARGET_COMMON} + ${TARGET_CMD} + ${TARGET_CLEANUP} + ${TARGET_LOADER} + ${TARGET_TEST_LOADER}) + +# NSS target doesn't get ANY logs by design in release mode +IF(CMAKE_BUILD_TYPE MATCHES "DEBUG") + LIST(APPEND ${LOG_TARGET_LIST} ${TARGET_NSS}) +ENDIF(CMAKE_BUILD_TYPE MATCHES "DEBUG") + +FOREACH(TARGET_NAME ${LOG_TARGET_LIST}) + IF(DPL_WITH_DLOG) + TARGET_COMPILE_DEFINITIONS(${TARGET_NAME} PRIVATE DPL_DLOG_ENABLED) + ENDIF(DPL_WITH_DLOG) + IF(DPL_WITH_SYSTEMD_JOURNAL) + TARGET_COMPILE_DEFINITIONS(${TARGET_NAME} PRIVATE DPL_SYSTEMD_JOURNAL_ENABLED) + ENDIF(DPL_WITH_SYSTEMD_JOURNAL) + IF(DB_LOGS) + TARGET_COMPILE_DEFINITIONS(${TARGET_NAME} PRIVATE DB_LOGS) + ENDIF(DB_LOGS) +ENDFOREACH(TARGET_NAME) diff --git a/src/client/CMakeLists.txt b/src/client/CMakeLists.txt index 8862ca0..d99027b 100644 --- a/src/client/CMakeLists.txt +++ b/src/client/CMakeLists.txt @@ -25,6 +25,7 @@ INCLUDE_DIRECTORIES( SET(CLIENT_SOURCES ${CLIENT_PATH}/client-security-manager.cpp + ${CLIENT_PATH}/client-security-manager-internal.cpp ${CLIENT_PATH}/client-common.cpp ${CLIENT_PATH}/client-offline.cpp ${CLIENT_PATH}/client-label-monitor.cpp diff --git a/src/client/client-common.cpp b/src/client/client-common.cpp index 16050f5..3ac353b 100644 --- a/src/client/client-common.cpp +++ b/src/client/client-common.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * 
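Review bot: `LIST(APPEND ${LOG_TARGET_LIST} ${TARGET_NSS})` in the root CMakeLists.txt hunk expands the list instead of naming it, so CMake appends to a variable named after the first entry and `LOG_TARGET_LIST` itself never gains the NSS target. The debug NSS build would then apparently miss `DPL_DLOG_ENABLED` from the `FOREACH` below, even though src/nss/CMakeLists.txt compiles dlog_log_provider.cpp for that configuration. The line should read `LIST(APPEND LOG_TARGET_LIST ${TARGET_NSS})`. `MATCHES "DEBUG"` is a regex match that accepts any build type containing that substring; `STREQUAL` would state the intent exactly.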
@@ -22,29 +22,9 @@ * @brief This file is implementation of client-common functions. */ -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include - #include -#include #include -#include - -#include - namespace { void securityClientEnableLogSystem(void) { @@ -55,36 +35,6 @@ void securityClientEnableLogSystem(void) { } // namespace anonymous -namespace SecurityManager { - -int try_catch(const std::function& func) -{ - try { - return func(); - } catch (abi::__forced_unwind &) { - throw; - } catch (const Exception &e) { - LogError("SecurityManager::Exception " << e.DumpToString()); - std::cerr << "SecurityManager::Exception " << e.DumpToString() << std::endl; - } catch (const std::bad_alloc &e) { - LogError("Memory allocation failed: " << e.what()); - std::cerr << "Memory allocation failed: " << e.what() << std::endl; - return SECURITY_MANAGER_ERROR_MEMORY; - } catch (const std::system_error &e) { - LogError("STD system_error: " << e.code() << "-" << e.what()); - std::cerr << "STD system_error: " << e.code() << "-" << e.what() << std::endl; - } catch (const std::exception &e) { - LogError("STD exception " << e.what()); - std::cerr << "STD exception " << e.what() << std::endl; - } catch (...) { - LogError("Unknown exception occurred"); - std::cerr << "Unknown exception occurred" << std::endl; - } - return SECURITY_MANAGER_ERROR_UNKNOWN; -} - -} // namespace SecurityMANAGER - static void init_lib(void) __attribute__ ((constructor)); static void init_lib(void) { diff --git a/src/client/client-label-monitor.cpp b/src/client/client-label-monitor.cpp index 757be3a..10a5687 100644 --- a/src/client/client-label-monitor.cpp +++ b/src/client/client-label-monitor.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2016 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * 
@@ -40,7 +40,6 @@ #include #include -#include #include #include #include diff --git a/src/client/client-offline.cpp b/src/client/client-offline.cpp index b8f39e8..87420d0 100644 --- a/src/client/client-offline.cpp +++ b/src/client/client-offline.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * @@ -22,7 +22,7 @@ * @brief Helper class for client "off-line" mode detection */ -#include +#include #include #include #include diff --git a/src/client/client-security-manager-internal.cpp b/src/client/client-security-manager-internal.cpp new file mode 100644 index 0000000..b0c807c --- /dev/null +++ b/src/client/client-security-manager-internal.cpp 
@@ -0,0 +1,72 @@ +/* + * Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Tomasz Swierczek + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + * + * Security Manager NSS library + */ +/* + * @file client-security-manager-internal.cpp + * @author Tomasz Swierczek + * @version 1.0 + * @brief This file contains implementation of SM APIs needed to be linked separately into NSS module + */ + +#include + +#include + +#include +#include +#include + +int security_manager_groups_get_internal(gid_t **groups, size_t *groups_count) +{ + using namespace SecurityManager; + if (!groups || !groups_count) + return SECURITY_MANAGER_ERROR_INPUT_PARAM; + return try_catch([&]() -> int { + std::vector vgroups; + loadGroups(vgroups); + return group_vector_to_array(vgroups, groups, groups_count); + }); +} + +int security_manager_groups_get_for_user_internal(uid_t uid, gid_t **groups, size_t *groups_count) +{ + using namespace SecurityManager; + if (!groups || !groups_count) + return SECURITY_MANAGER_ERROR_INPUT_PARAM; + + // Security manager does not manage platform system daemons + // This 5000 value is defined only in this document: + // https://wiki.tizen.org/wiki/Security/User_and_group_ID_assignment_policy + // TODO: Value 5000 should be defined in tizen-platform-config + + if (uid < 5000) { + return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT; + } + + return try_catch([&]() -> int { + ClientRequest request(SecurityModuleCall::GROUPS_FOR_UID); + if 
(request.send(uid).failed()) + return request.getStatus(); + + std::vector vgroups; + request.recv(vgroups); + + return group_vector_to_array(vgroups, groups, groups_count); + }); +} diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp index 8c2a4f7..3419094 100644 --- a/src/client/client-security-manager.cpp +++ b/src/client/client-security-manager.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * @@ -54,8 +54,8 @@ #include #include #include -#include #include +#include #include #include #include 
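Review bot: Both new functions leave `*groups` and `*groups_count` untouched on every failure path: the `uid < 5000` return, a failed `request.send()`, and any exception swallowed by `try_catch`. The NSS caller in nss_securitymanager.cpp declares `size_t groupsCount;` without an initial value, so a read after an unhandled error code would use an indeterminate count. Setting `*groups = nullptr; *groups_count = 0;` right after the null-pointer check would make that mistake harmless. The literal 5000 would also read better as a named constant until the TODO is resolved, for example `constexpr uid_t FIRST_MANAGED_UID = 5000;` (name constructed for illustration).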
@@ -1307,95 +1307,16 @@ void security_manager_policy_levels_free(char **levels, size_t levels_count) delete[] levels; } -static void loadGroups(std::vector &vgroups) -{ - auto groupsMapData = ConfigFile(PRIVILEGE_GROUP_LIST_FILE).read(); - for (const auto &groupsMapEntry : groupsMapData) { - if (groupsMapEntry.size() != 2) - continue; - - const std::string &groupName = groupsMapEntry[1]; - std::vector buf(1024); - group *result = nullptr; - group grp; - - for (;;) { - int ret = TEMP_FAILURE_RETRY(getgrnam_r(groupName.c_str(), &grp, buf.data(), buf.size(), &result)); - if (ret == ERANGE) { - buf.resize(buf.size() * 2); - continue; - } - if (result == nullptr && ret == 0) - ret = ENOENT; - - if (ret != 0) { - LogError("Cannot map group " + groupName + " to gid"); - throw std::system_error(ret, std::system_category(), "getgrnam_r() failed"); - } - break; - } - vgroups.push_back(result->gr_gid); - } -} - -static int group_vector_to_array(const std::vector &vgroups, gid_t **groups, size_t *groups_count) -{ - if (vgroups.empty()) { - *groups_count = 0; - *groups = NULL; - return SECURITY_MANAGER_SUCCESS; - } - - size_t size = vgroups.size() * sizeof(gid_t); - *groups = static_cast(malloc(size)); - if (*groups == nullptr) - return SECURITY_MANAGER_ERROR_MEMORY; - - *groups_count = vgroups.size(); - memcpy(*groups, vgroups.data(), size); - - return SECURITY_MANAGER_SUCCESS; -} - SECURITY_MANAGER_API int security_manager_groups_get(gid_t **groups, size_t *groups_count) { - using namespace SecurityManager; - if (!groups || !groups_count) - return SECURITY_MANAGER_ERROR_INPUT_PARAM; - return try_catch([&]() -> int { - std::vector vgroups; - loadGroups(vgroups); - return group_vector_to_array(vgroups, groups, groups_count); - }); + return security_manager_groups_get_internal(groups, groups_count); } SECURITY_MANAGER_API int security_manager_groups_get_for_user(uid_t uid, gid_t **groups, size_t *groups_count) { - using namespace SecurityManager; - if (!groups || !groups_count) 
- return SECURITY_MANAGER_ERROR_INPUT_PARAM; - - // Security manager does not manage platform system daemons - // This 5000 value is defined only in this document: - // https://wiki.tizen.org/wiki/Security/User_and_group_ID_assignment_policy - // TODO: Value 5000 should be defined in tizen-platform-config - - if (uid < 5000) { - return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT; - } - - return try_catch([&]() -> int { - ClientRequest request(SecurityModuleCall::GROUPS_FOR_UID); - if (request.send(uid).failed()) - return request.getStatus(); - - std::vector vgroups; - request.recv(vgroups); - - return group_vector_to_array(vgroups, groups, groups_count); - }); + return security_manager_groups_get_for_user_internal(uid, groups, groups_count); } static lib_retcode get_app_and_pkg_id_from_smack_label( diff --git a/src/client/include/client-common.h b/src/client/include/client-common.h deleted file mode 100644 index e9ff18e..0000000 --- a/src/client/include/client-common.h +++ /dev/null 
@@ -1,40 +0,0 @@ -/* - * Copyright (c) 2000 - 2016 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Rafal Krypa - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file client-common.h - * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) - * @version 1.0 - * @brief This file constains implementation of common types - * used in security manager. - */ - -#pragma once - -#include - -#define SECURITY_MANAGER_API __attribute__((visibility("default"))) - -namespace SecurityManager { - -/* - * Decorator function that performs frequently repeated exception handling in - * SS client API functions. Accepts lambda expression as an argument. - */ -int try_catch(const std::function& func); - -} // namespace SecurityManager diff --git a/src/client/include/client-security-manager-internal.h b/src/client/include/client-security-manager-internal.h new file mode 100644 index 0000000..e6c3578 --- /dev/null +++ b/src/client/include/client-security-manager-internal.h 
@@ -0,0 +1,32 @@ +/* + * Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Tomasz Swierczek + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + * + * Security Manager NSS library + */ +/* + * @file client-security-manager-internal.h + * @author Tomasz Swierczek + * @version 1.0 + * @brief This file contains declaration of SM APIs needed to be linked separately into NSS module + */ + +#pragma once + +#include + +int security_manager_groups_get_internal(gid_t **groups, size_t *groups_count); +int security_manager_groups_get_for_user_internal(uid_t uid, gid_t **groups, size_t *groups_count); diff --git a/src/cmd/security-manager-cmd.cpp b/src/cmd/security-manager-cmd.cpp index 89faebf..c200813 100644 --- a/src/cmd/security-manager-cmd.cpp +++ b/src/cmd/security-manager-cmd.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2018 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * @@ -39,6 +39,7 @@ #include #include +#include #include namespace po = boost::program_options; diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt index 6222ba6..2d1422a 100644 --- a/src/common/CMakeLists.txt +++ b/src/common/CMakeLists.txt 
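Review bot: The two declarations in client-security-manager-internal.h have no documentation of ownership or error behaviour, although they are now the entry points the NSS module calls directly. I would add a comment above each stating that `groups` and `groups_count` must be non-null, that on `SECURITY_MANAGER_SUCCESS` the array is allocated with `malloc()` (see `group_vector_to_array`) and must be released by the caller with `free()`, and that `*groups` is set to NULL with a count of 0 when there are no groups. For `security_manager_groups_get_for_user_internal`, note as well that `SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT` is returned for uids below 5000 and that the outputs are not written in that case.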
@@ -49,11 +49,11 @@ SET(COMMON_SOURCES ${DPL_PATH}/db/src/naive_synchronization_object.cpp ${DPL_PATH}/db/src/sql_connection.cpp ${COMMON_PATH}/channel.cpp - ${COMMON_PATH}/config.cpp ${COMMON_PATH}/config-file.cpp ${COMMON_PATH}/connection.cpp ${COMMON_PATH}/credentials.cpp ${COMMON_PATH}/cynara.cpp + ${COMMON_PATH}/db-config.cpp ${COMMON_PATH}/filesystem.cpp ${COMMON_PATH}/file-lock.cpp ${COMMON_PATH}/permissible-set.cpp diff --git a/src/common/config.cpp b/src/common/db-config.cpp similarity index 75% rename from src/common/config.cpp rename to src/common/db-config.cpp index 17d3641..23ac592 100644 --- a/src/common/config.cpp +++ b/src/common/db-config.cpp @@ -1,7 +1,7 @@ /* - * Copyright (c) 2015 - 2018 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Rafal Krypa + * Contact: Tomasz Swierczek * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,13 +16,14 @@ * limitations under the License */ /* - * @file config.cpp - * @author Zofia Abramowska + * @file db-config.cpp + * @author Tomasz Swierczek * @version 1.0 - * @brief Setting values of Configuration options + * @brief Configuration options for DB - implementation */ -#include +#include +#include namespace SecurityManager { diff --git a/src/common/include/config.h b/src/common/include/config.h index 230f15b..24e0eac 100644 --- a/src/common/include/config.h +++ b/src/common/include/config.h 
@@ -24,30 +24,6 @@ #pragma once -#include -#include - -namespace SecurityManager { - -namespace Config { - -std::string getPrivilegeDbPath(); -std::string getPrivilegeDbFallbackPath(); - -}; - -} /* namespace SecurityManager */ - -// If database initialization fails, restoration to a fallback snapshot is -// attempted. If the restoration succeeds, a file flag is created to notify -// other system components. -// For database placed in "$f" the filename is ("$f" DB_RECOVERED_SUFFIX). -#define DB_RECOVERED_SUFFIX "-recovered" -#define DB_JOURNAL_SUFFIX "-journal" - -#define DB_OK_MARKER "/tmp/.security-manager.db.ok" - - /* Service name */ #define SERVICE_NAME "security-manager" diff --git a/src/common/include/db-config.h b/src/common/include/db-config.h new file mode 100644 index 0000000..e4f0268 --- /dev/null +++ b/src/common/include/db-config.h 
@@ -0,0 +1,47 @@ +/* + * Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Tomasz Swierczek + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ +/* + * @file db-config.h + * @author Tomasz Swierczek + * @version 1.0 + * @brief Definition of configuration options for DB + */ + +#pragma once + +#include + +namespace SecurityManager { + +namespace Config { + +std::string getPrivilegeDbPath(); +std::string getPrivilegeDbFallbackPath(); + +}; + +} /* namespace SecurityManager */ + +// If database initialization fails, restoration to a fallback snapshot is +// attempted. If the restoration succeeds, a file flag is created to notify +// other system components. +// For database placed in "$f" the filename is ("$f" DB_RECOVERED_SUFFIX). +#define DB_RECOVERED_SUFFIX "-recovered" +#define DB_JOURNAL_SUFFIX "-journal" + +#define DB_OK_MARKER "/tmp/.security-manager.db.ok" diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h index 8e20650..b84aa04 100644 --- a/src/common/include/privilege_db.h +++ b/src/common/include/privilege_db.h @@ -1,7 +1,7 @@ /* * security-manager, database access * - * Copyright (c) 2000 - 2018 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * @@ -41,6 +41,7 @@ #include #include +#include #include #include #include "security-manager-types.h" 
diff --git a/src/common/include/utils.h b/src/common/include/utils.h index a1d0514..60e0200 100644 --- a/src/common/include/utils.h +++ b/src/common/include/utils.h @@ -36,8 +36,16 @@ #include +#define SECURITY_MANAGER_API __attribute__((visibility("default"))) + namespace SecurityManager { +/* + * Decorator function that performs frequently repeated exception handling in + * SS client API functions. Accepts lambda expression as an argument. + */ +int try_catch(const std::function& func); + time_t monotonicNow(); // Used for measuring function/method/scope execution time @@ -57,6 +65,10 @@ private: #define LOG_EXECUTION_TIME(location, creds) do {} while (0) #endif +// Group operations +void loadGroups(std::vector &vgroups); +int group_vector_to_array(const std::vector &vgroups, gid_t **groups, size_t *groups_count); + // Pointer template std::unique_ptr makeUnique(T *ptr) diff --git a/src/common/utils.cpp b/src/common/utils.cpp index fb215ed..32b06d6 100644 --- a/src/common/utils.cpp +++ b/src/common/utils.cpp 
@@ -22,13 +22,51 @@ * @brief Implementation of utility functions */ +#include +#include +#include +#include +#include +#include #include +#include +#include + #include #include +#include + +#include namespace SecurityManager { +int try_catch(const std::function& func) +{ + try { + return func(); + } catch (abi::__forced_unwind &) { + throw; + } catch (const Exception &e) { + LogError("SecurityManager::Exception " << e.DumpToString()); + std::cerr << "SecurityManager::Exception " << e.DumpToString() << std::endl; + } catch (const std::bad_alloc &e) { + LogError("Memory allocation failed: " << e.what()); + std::cerr << "Memory allocation failed: " << e.what() << std::endl; + return SECURITY_MANAGER_ERROR_MEMORY; + } catch (const std::system_error &e) { + LogError("STD system_error: " << e.code() << "-" << e.what()); + std::cerr << "STD system_error: " << e.code() << "-" << e.what() << std::endl; + } catch (const std::exception &e) { + LogError("STD exception " << e.what()); + std::cerr << "STD exception " << e.what() << std::endl; + } catch (...) { + LogError("Unknown exception occurred"); + std::cerr << "Unknown exception occurred" << std::endl; + } + return SECURITY_MANAGER_ERROR_UNKNOWN; +} + time_t monotonicNow() { struct timespec now; if (clock_gettime(CLOCK_MONOTONIC_RAW, &now) == -1) { 
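Review bot: `try_catch()` writes every caught exception to `std::cerr`, and with this commit utils.cpp is compiled straight into the NSS module (it is listed in `NSS_SOURCES` in src/nss/CMakeLists.txt). The text of `e.DumpToString()` and `e.what()` therefore ends up on the stderr of whatever process loaded the plugin, which contradicts the root CMakeLists.txt comment that the NSS target gets no logs in release mode. I would drop the `std::cerr` lines and rely on `LogError`, or guard them so they are not compiled into the NSS build. The `monotonicNow` context at the end of the hunk continues outside it.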
@@ -65,4 +103,54 @@ ScopedTimeStamper::~ScopedTimeStamper() LogDebug("Execution of " << m_locationStr << " took " << sec << " seconds"); } +void loadGroups(std::vector &vgroups) +{ + auto groupsMapData = ConfigFile(PRIVILEGE_GROUP_LIST_FILE).read(); + for (const auto &groupsMapEntry : groupsMapData) { + if (groupsMapEntry.size() != 2) + continue; + + const std::string &groupName = groupsMapEntry[1]; + std::vector buf(1024); + group *result = nullptr; + group grp; + + for (;;) { + int ret = TEMP_FAILURE_RETRY(getgrnam_r(groupName.c_str(), &grp, buf.data(), buf.size(), &result)); + if (ret == ERANGE) { + buf.resize(buf.size() * 2); + continue; + } + if (result == nullptr && ret == 0) + ret = ENOENT; + + if (ret != 0) { + LogError("Cannot map group " + groupName + " to gid"); + throw std::system_error(ret, std::system_category(), "getgrnam_r() failed"); + } + break; + } + vgroups.push_back(result->gr_gid); + } +} + +int group_vector_to_array(const std::vector &vgroups, gid_t **groups, size_t *groups_count) +{ + if (vgroups.empty()) { + *groups_count = 0; + *groups = NULL; + return SECURITY_MANAGER_SUCCESS; + } + + size_t size = vgroups.size() * sizeof(gid_t); + *groups = static_cast(malloc(size)); + if (*groups == nullptr) + return SECURITY_MANAGER_ERROR_MEMORY; + + *groups_count = vgroups.size(); + memcpy(*groups, vgroups.data(), size); + + return SECURITY_MANAGER_SUCCESS; +} + } /* namespace SecurityManager */ diff --git a/src/nss/CMakeLists.txt b/src/nss/CMakeLists.txt index 446002d..29f8556 100644 --- a/src/nss/CMakeLists.txt +++ b/src/nss/CMakeLists.txt @@ -3,6 +3,10 @@ SET(NSS_PLUGIN_VERSION ${NSS_PLUGIN_VERSION_MAJOR}.0.0) SET(LIBRARY_FILE_NAME "nss_securitymanager") +IF(CMAKE_BUILD_TYPE MATCHES "DEBUG" AND DPL_WITH_DLOG) + PKG_CHECK_MODULES(NSS_DLOG_DEP REQUIRED dlog libtzplatform-config) +ENDIF(CMAKE_BUILD_TYPE MATCHES "DEBUG" AND DPL_WITH_DLOG) + INCLUDE_DIRECTORIES( ${INCLUDE_PATH} ${CLIENT_PATH}/include 
@@ -10,12 +14,37 @@ INCLUDE_DIRECTORIES( ${DPL_PATH}/core/include ${DPL_PATH}/log/include ${COMMON_PATH}/include + ${NSS_DLOG_DEP_INCLUDE_DIRS} ) SET(NSS_SOURCES ${NSS_PATH}/nss_securitymanager.cpp + ${DPL_PATH}/log/src/abstract_log_provider.cpp + ${DPL_PATH}/log/src/log.cpp + ${DPL_PATH}/log/src/old_style_log_provider.cpp + ${DPL_PATH}/core/src/assert.cpp + ${DPL_PATH}/core/src/binary_queue.cpp + ${DPL_PATH}/core/src/colors.cpp + ${DPL_PATH}/core/src/exception.cpp + ${DPL_PATH}/core/src/noncopyable.cpp + ${DPL_PATH}/core/src/serialization.cpp + ${DPL_PATH}/core/src/errno_string.cpp + ${COMMON_PATH}/channel.cpp + ${COMMON_PATH}/config-file.cpp + ${COMMON_PATH}/connection.cpp + ${COMMON_PATH}/filesystem.cpp + ${COMMON_PATH}/protocols.cpp + ${COMMON_PATH}/message-buffer.cpp + ${COMMON_PATH}/utils.cpp + ${CLIENT_PATH}/client-security-manager-internal.cpp ) +IF(CMAKE_BUILD_TYPE MATCHES "DEBUG" AND DPL_WITH_DLOG) + SET(NSS_SOURCES + ${NSS_SOURCES} + ${DPL_PATH}/log/src/dlog_log_provider.cpp) +ENDIF(CMAKE_BUILD_TYPE MATCHES "DEBUG" AND DPL_WITH_DLOG) + ADD_LIBRARY(${TARGET_NSS} SHARED ${NSS_SOURCES}) SET_TARGET_PROPERTIES(${TARGET_NSS} @@ -26,9 +55,6 @@ SET_TARGET_PROPERTIES(${TARGET_NSS} VERSION ${NSS_PLUGIN_VERSION} ) -TARGET_LINK_LIBRARIES(${TARGET_NSS} - ${TARGET_CLIENT} - ${TARGET_COMMON} - ) +TARGET_LINK_LIBRARIES(${TARGET_NSS} ${NSS_DLOG_DEP_LIBRARIES} "-z defs") INSTALL(TARGETS ${TARGET_NSS} LIBRARY DESTINATION ${LIB_INSTALL_DIR} NAMELINK_SKIP) diff --git a/src/nss/nss_securitymanager.cpp b/src/nss/nss_securitymanager.cpp index 4c7eef3..873622d 100644 --- a/src/nss/nss_securitymanager.cpp +++ b/src/nss/nss_securitymanager.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2016 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * 
@@ -29,13 +29,16 @@ #include #include #include +#include #include #include - #include #include -#include +#include +#include +#include +#include #include namespace { @@ -87,6 +90,9 @@ enum nss_status _nss_securitymanager_initgroups_dyn(const char *user, gid_t grou std::vector buffer(BUFFER_SIZE); passwd pwnambuffer; passwd *pwnam = NULL; + auto& logSystem = SecurityManager::Singleton::Instance(); + + logSystem.SetTag("SECURITY_MANAGER_NSS"); while (ERANGE == (ret = TEMP_FAILURE_RETRY(getpwnam_r(user, &pwnambuffer, buffer.data(), buffer.size(), &pwnam))) && buffer.size() < MEMORY_LIMIT) @@ -106,11 +112,11 @@ enum nss_status _nss_securitymanager_initgroups_dyn(const char *user, gid_t grou gid_t *groups = NULL; size_t groupsCount; - ret = security_manager_groups_get_for_user(pwnam->pw_uid, &groups, &groupsCount); + ret = security_manager_groups_get_for_user_internal(pwnam->pw_uid, &groups, &groupsCount); if (ret == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT) { // If user is not managed by Security Manager, we want to apply all the groups - ret = security_manager_groups_get(&groups, &groupsCount); + ret = security_manager_groups_get_internal(&groups, &groupsCount); } if (ret == SECURITY_MANAGER_ERROR_MEMORY) { diff --git a/src/server/rules-loader/security-manager-rules-loader.cpp b/src/server/rules-loader/security-manager-rules-loader.cpp index 748f186..45d32c1 100644 --- a/src/server/rules-loader/security-manager-rules-loader.cpp +++ b/src/server/rules-loader/security-manager-rules-loader.cpp @@ -33,6 +33,7 @@ #include #include +#include #include #include diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index 4efb856..888162f 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt 
@@ -72,8 +72,8 @@ SET(SM_TESTS_SOURCES ${DPL_PATH}/log/src/abstract_log_provider.cpp ${DPL_PATH}/log/src/log.cpp ${DPL_PATH}/log/src/old_style_log_provider.cpp - ${PROJECT_SOURCE_DIR}/src/common/config.cpp ${PROJECT_SOURCE_DIR}/src/common/config-file.cpp + ${PROJECT_SOURCE_DIR}/src/common/db-config.cpp ${PROJECT_SOURCE_DIR}/src/common/file-lock.cpp ${PROJECT_SOURCE_DIR}/src/common/privilege_db.cpp ${PROJECT_SOURCE_DIR}/src/common/smack-check.cpp @@ -100,7 +100,7 @@ SET(SM_PERFORMANCE_TESTS_SOURCES ${DPL_PATH}/log/src/abstract_log_provider.cpp ${DPL_PATH}/log/src/log.cpp ${DPL_PATH}/log/src/old_style_log_provider.cpp - ${PROJECT_SOURCE_DIR}/src/common/config.cpp + ${PROJECT_SOURCE_DIR}/src/common/db-config.cpp ${PROJECT_SOURCE_DIR}/src/common/config-file.cpp #${PROJECT_SOURCE_DIR}/src/common/file-lock.cpp ${PROJECT_SOURCE_DIR}/src/common/privilege_db.cpp diff --git a/test/privilege_db_fixture.cpp b/test/privilege_db_fixture.cpp index 4643e62..4b352f7 100644 --- a/test/privilege_db_fixture.cpp +++ b/test/privilege_db_fixture.cpp @@ -29,6 +29,7 @@ #include #include +#include #include #include #include diff --git a/test/test_privilege_db_migration.cpp b/test/test_privilege_db_migration.cpp index 56b6a64..7b1a522 100644 --- a/test/test_privilege_db_migration.cpp +++ b/test/test_privilege_db_migration.cpp @@ -23,6 +23,7 @@ #include #include +#include #include #include #include "privilege_db.h" -- 2.7.4 From 2722907fb61dc48ef17a8b56e4233407ad00c785 Mon Sep 17 00:00:00 2001 From: Tomasz Swierczek Date: Fri, 12 Jul 2019 19:01:53 +0200 Subject: [PATCH 09/16] Make GetErrnoString not throwing The function is already made for processing error situations, there is no point in throwing an error inside of it. Change-Id: I2be841a30ba36cf699907fa23bbf4d0ffe85b2ea --- src/dpl/core/include/dpl/errno_string.h | 5 +---- src/dpl/core/src/errno_string.cpp | 6 +++--- 2 files changed, 4 insertions(+), 7 deletions(-) 
diff --git a/src/dpl/core/include/dpl/errno_string.h b/src/dpl/core/include/dpl/errno_string.h index b713845..43cdc75 100644 --- a/src/dpl/core/include/dpl/errno_string.h +++ b/src/dpl/core/include/dpl/errno_string.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2011 - 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2011 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,12 +21,9 @@ */ #pragma once -#include #include #include namespace SecurityManager { -DECLARE_EXCEPTION_TYPE(SecurityManager::Exception, InvalidErrnoValue) - std::string GetErrnoString(int error = errno); } // namespace SecurityManager diff --git a/src/dpl/core/src/errno_string.cpp b/src/dpl/core/src/errno_string.cpp index b5de431..d2d9817 100644 --- a/src/dpl/core/src/errno_string.cpp +++ b/src/dpl/core/src/errno_string.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2011 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -84,7 +84,7 @@ std::string GetErrnoString(int error) case EINVAL: // We got an invalid errno value ::free(buffer); - ThrowMsg(InvalidErrnoValue, "Invalid errno value: " << error); + return std::string("Invalid errno value: ") + std::to_string(error); case ERANGE: // Incease buffer size and retry @@ -92,7 +92,7 @@ std::string GetErrnoString(int error) continue; default: - AssertMsg(0, "Invalid errno value after call to strerror_r!"); + return std::string("Invalid errno value after call to strerror_r!"); } } } -- 2.7.4 From 301401f1816cba3ff027836e2ccb0e0b8cf9f15d Mon Sep 17 00:00:00 2001 
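Review bot: The new `return` in the `default:` branch of `GetErrnoString()` leaves the function without releasing `buffer`, whereas the `EINVAL` branch calls `::free(buffer);` before its return. The allocation itself is outside both hunks, so this is inferred from that explicit free: if `buffer` is a raw allocation, the old `AssertMsg(0, ...)` hid the leak by aborting, and the new code leaks on every unexpected result. Add `::free(buffer);` before `return std::string("Invalid errno value after call to strerror_r!");`. The message could also include the value that `strerror_r` reported, as the `EINVAL` branch now does with `error`.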
From: Dariusz Michaluk Date: Mon, 15 Jul 2019 16:30:50 +0200 Subject: [PATCH 10/16] Prevent starting service without the socket Change-Id: I88415e55586dbe436bb44792d6808aadd5a48bc5 --- systemd/security-manager-valgrind.service.in | 1 + systemd/security-manager.service.in | 1 + 2 files changed, 2 insertions(+) diff --git a/systemd/security-manager-valgrind.service.in b/systemd/security-manager-valgrind.service.in index 2338545..732d3df 100644 --- a/systemd/security-manager-valgrind.service.in +++ b/systemd/security-manager-valgrind.service.in @@ -1,5 +1,6 @@ [Unit] Description=Start the security manager +Requires=security-manager.socket [Service] Type=notify diff --git a/systemd/security-manager.service.in b/systemd/security-manager.service.in index a410c31..b6c2fb9 100644 --- a/systemd/security-manager.service.in +++ b/systemd/security-manager.service.in @@ -1,5 +1,6 @@ [Unit] Description=Start the security manager +Requires=security-manager.socket [Service] Type=notify -- 2.7.4 From 646e76611c93243bfbba1cf3debe93c70388636b Mon Sep 17 00:00:00 2001 From: Dariusz Michaluk Date: Mon, 15 Jul 2019 17:16:08 +0200 Subject: [PATCH 11/16] Release 1.5.8 * Prevent starting service without the socket * Make GetErrnoString not throwing * Optimize nss plugin memory usage * Remove unnecessary setting * Migrate to openssl 1.1 Change-Id: Ic4043d29bcbda9da9f8304403dcd6a388af21424 --- packaging/security-manager.changes | 12 ++++++++++++ packaging/security-manager.spec | 2 +- pc/security-manager.pc.in | 2 +- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/packaging/security-manager.changes b/packaging/security-manager.changes index 502366c..c43c916 100644 --- a/packaging/security-manager.changes +++ b/packaging/security-manager.changes 
@@ -1,3 +1,15 @@ +Release: 1.5.8 +Date: 2019.07.15 +Name: Release 1.5.8 +Description: +Prevent starting service without the socket +Make GetErrnoString not throwing +Optimize nss plugin memory usage +Remove unnecessary setting +Migrate to openssl 1.1 + +############################### + Release: 1.5.7 Date: 2019.06.11 Name: Release 1.5.7 diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec index 590c107..966ff95 100644 --- a/packaging/security-manager.spec +++ b/packaging/security-manager.spec @@ -1,6 +1,6 @@ Name: security-manager Summary: Security manager and utilities -Version: 1.5.7 +Version: 1.5.8 Release: 0 Group: Security/Service License: Apache-2.0 diff --git a/pc/security-manager.pc.in b/pc/security-manager.pc.in index 8da9ab6..fc6f2f8 100644 --- a/pc/security-manager.pc.in +++ b/pc/security-manager.pc.in @@ -5,7 +5,7 @@ includedir=${prefix}/include Name: security-manager Description: Security Manager Package -Version: 1.5.7 +Version: 1.5.8 Requires: Libs: -L${libdir} -lsecurity-manager-client Cflags: -I${includedir}/security-manager -- 2.7.4 From 7f58032029d4a465c2d377876d677e518d568a92 Mon Sep 17 00:00:00 2001 From: Tomasz Swierczek Date: Tue, 30 Jul 2019 10:13:32 +0200 Subject: [PATCH 12/16] Fix licence comments in source code files Change-Id: I24556d7a2fa49091e6f7b0888fe2cad4992f562f --- src/client/client-security-manager-internal.cpp | 2 -- src/client/include/client-security-manager-internal.h | 2 -- 2 files changed, 4 deletions(-) diff --git a/src/client/client-security-manager-internal.cpp b/src/client/client-security-manager-internal.cpp index b0c807c..e5b8827 100644 --- a/src/client/client-security-manager-internal.cpp +++ b/src/client/client-security-manager-internal.cpp 
@@ -14,8 +14,6 @@ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License - * - * Security Manager NSS library */ /* * @file client-security-manager-internal.cpp diff --git a/src/client/include/client-security-manager-internal.h b/src/client/include/client-security-manager-internal.h index e6c3578..1815e44 100644 --- a/src/client/include/client-security-manager-internal.h +++ b/src/client/include/client-security-manager-internal.h @@ -14,8 +14,6 @@ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License - * - * Security Manager NSS library */ /* * @file client-security-manager-internal.h -- 2.7.4 From b9396c5bcd18d8bed79fa3df713b7c85fdb4b7d6 Mon Sep 17 00:00:00 2001 From: Tomasz Swierczek Date: Thu, 22 Aug 2019 08:24:14 +0200 Subject: [PATCH 13/16] Add check for proper synchronization of threads namespaces Change-Id: I743d755c2b7cf24bc0542c1e9e964f3c863aeb02 --- src/client/check-proper-drop.cpp | 19 +++++++++++++++++-- src/client/client-security-manager.cpp | 4 ++-- src/client/include/check-proper-drop.h | 7 ++----- 3 files changed, 21 insertions(+), 9 deletions(-) diff --git a/src/client/check-proper-drop.cpp b/src/client/check-proper-drop.cpp index 33c74a9..bc9ac81 100644 --- a/src/client/check-proper-drop.cpp +++ b/src/client/check-proper-drop.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2015-2019 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * 
@@ -44,7 +44,7 @@ CheckProperDrop::~CheckProperDrop() void CheckProperDrop::getThreads() { pid_t pid[2] = {m_pid, 0}; - auto proctabPtr = makeUnique(openproc(PROC_FILLSTATUS | PROC_PID, pid), closeproc); + auto proctabPtr = makeUnique(openproc(PROC_FILLSTATUS | PROC_PID | PROC_FILLNS, pid), closeproc); if (!proctabPtr) ThrowMsg(Exception::ProcError, "Unable to open proc interface"); @@ -60,6 +60,7 @@ void CheckProperDrop::getThreads() else freeproc(thread); } + LogDebug("Reading proc data for " << m_threads.size() << " additional threads beside main thread"); } bool CheckProperDrop::checkThreads() @@ -76,6 +77,13 @@ bool CheckProperDrop::checkThreads() REPORT_THREAD_ERROR((T)->tid, #FIELD, pval, tval); \ } +#define CHECK_THREAD_CRED_FIELD_LONG(P, T, FIELD) { \ + long pval = (P)->FIELD, tval = (T)->FIELD; \ + if (pval != tval) \ + REPORT_THREAD_ERROR((T)->tid, #FIELD, pval, tval); \ +} + + std::string smackProc = SmackLabels::getSmackLabelFromPid(m_pid); auto capProcPtr = makeUnique(cap_get_pid(m_pid), cap_free); @@ -118,6 +126,7 @@ bool CheckProperDrop::checkThreads() m_proc->supgid ? m_proc->supgid : "", thread->supgid ? thread->supgid : ""); } + CHECK_THREAD_CRED_FIELD(m_proc, thread, euid); CHECK_THREAD_CRED_FIELD(m_proc, thread, egid); CHECK_THREAD_CRED_FIELD(m_proc, thread, ruid); @@ -126,6 +135,12 @@ bool CheckProperDrop::checkThreads() CHECK_THREAD_CRED_FIELD(m_proc, thread, sgid); CHECK_THREAD_CRED_FIELD(m_proc, thread, fuid); CHECK_THREAD_CRED_FIELD(m_proc, thread, fgid); + CHECK_THREAD_CRED_FIELD_LONG(m_proc, thread, ns[IPCNS]); + CHECK_THREAD_CRED_FIELD_LONG(m_proc, thread, ns[MNTNS]); + CHECK_THREAD_CRED_FIELD_LONG(m_proc, thread, ns[NETNS]); + CHECK_THREAD_CRED_FIELD_LONG(m_proc, thread, ns[PIDNS]); + CHECK_THREAD_CRED_FIELD_LONG(m_proc, thread, ns[USERNS]); + CHECK_THREAD_CRED_FIELD_LONG(m_proc, thread, ns[UTSNS]); } return true; diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp index 3419094..dac0f6b 100644 
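Review bot: `CHECK_THREAD_CRED_FIELD_LONG` accepts any pair of equal values, so the six `ns[...]` checks in `checkThreads()` also pass when the namespace data could not be read for the main thread and the compared thread alike. As far as I know, procps leaves an `ns[]` entry at 0 when the corresponding `/proc/<pid>/ns/*` link cannot be read under `PROC_FILLNS`; in that case the check would pass without having compared anything. Treating an unread value as a mismatch keeps the check fail-closed, for example `if (pval == 0 || tval == 0 || pval != tval)` in the new macro. What `REPORT_THREAD_ERROR` does on a mismatch is defined outside this hunk.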
--- a/src/client/client-security-manager.cpp +++ b/src/client/client-security-manager.cpp @@ -853,13 +853,13 @@ SECURITY_MANAGER_API int security_manager_prepare_app(const char *app_name) { return try_catch([&] { - LogDebug("security_manager_prepare_app() called"); - if (app_name == nullptr) { LogError("app_name is NULL"); return static_cast(SECURITY_MANAGER_ERROR_INPUT_PARAM); } + LogDebug("security_manager_prepare_app() called for app " << app_name); + std::string app_label; int ret = fetchLabelForProcess(app_name, app_label); if (ret != SECURITY_MANAGER_SUCCESS) { diff --git a/src/client/include/check-proper-drop.h b/src/client/include/check-proper-drop.h index 69ec403..18b0c35 100644 --- a/src/client/include/check-proper-drop.h +++ b/src/client/include/check-proper-drop.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2015-2019 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * @@ -58,10 +58,7 @@ public: * - gids * - capabilities * - Smack labels - * - * It will terminate the calling process if any thread has different - * value than the other threads. This prevents security risks associated - * with improperly dropped privileges during application launch. + * - Namespaces */ bool checkThreads(); -- 2.7.4 From 7c4e79ab16423dfba16a56a48e464ee1759eea75 Mon Sep 17 00:00:00 2001 
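Review bot: The doc comment of `checkThreads()` in check-proper-drop.h no longer says what happens when a thread differs, and it never described the `bool` result. The removed sentence stated that the process is terminated; if that is no longer true, callers must now act on the return value and need to be told so. Add a line such as `* @return true if every thread matches the main thread in all attributes listed above`, and state the outcome of a mismatch explicitly (it depends on `REPORT_THREAD_ERROR`, which is not visible in this diff).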
From: Tomasz Swierczek Date: Wed, 21 Aug 2019 08:48:15 +0200 Subject: [PATCH 14/16] Fix for synchronization of per-thread mount namespace setup According to manual (1): A process may not be reassociated with a new mount namespace if it is multithreaded. Also, unshare system call (2) is only creating new namespace for the caller thread. This means that application candidate processes that have more than 1 thread are doomed to always have some threads still in the main mount namespace, without enforcement of privilege policy connected to mount namespaces. This renders the mount-namespace-based access control a bad solution. This patch introduces a special API call to be used by app launchers just to prepare app candidate processes. This API call doesn't take any arguments - it just checks if mount-namespaces are enabled and if yes, just calls unshare(), checking beforehand if the process has only one thread. (1) : http://man7.org/linux/man-pages/man2/setns.2.html (2) : http://man7.org/linux/man-pages/man1/unshare.1.html Change-Id: I82aefca3d5eb4915041df99ff0313896cbc769cb --- src/client/client-security-manager.cpp | 27 ++++++++++++++++++++------- src/include/app-runtime.h | 34 +++++++++++++++++++++++++--------- 2 files changed, 45 insertions(+), 16 deletions(-) diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp index dac0f6b..cc3d7bd 100644 --- a/src/client/client-security-manager.cpp +++ b/src/client/client-security-manager.cpp 
@@ -807,16 +807,29 @@ static int setupMountNamespace(const std::string &appProcessLabel, std::vector int { + LogDebug("security_manager_prepare_app_candidate() called"); + if (!MountNS::isMountNamespaceEnabled()) + return SECURITY_MANAGER_SUCCESS; + + FS::FileNameVector files = FS::getSubDirectoriesFromDirectory("/proc/self/task"); + if (files.size() > 3) { // 3 because we have ., we have .. and we should have only one thread here + LogError("Too many threads in current process, can't switch to new namespace safely in multithreaded program"); + return SECURITY_MANAGER_ERROR_INPUT_PARAM; + } + return MountNS::createMountNamespace(); + }); +} + +static inline int security_manager_setup_namespace_internal(const std::string &app_label) { if (!MountNS::isMountNamespaceEnabled()) return SECURITY_MANAGER_SUCCESS; - int ret = MountNS::createMountNamespace(); - if (ret != SECURITY_MANAGER_SUCCESS) - return ret; - - ret = MountNS::makeMountSlave("/"); + int ret = MountNS::makeMountSlave("/"); if (ret != SECURITY_MANAGER_SUCCESS) return ret; @@ -873,7 +886,7 @@ int security_manager_prepare_app(const char *app_name) return ret; } - ret = security_manager_create_namespace_internal(app_label); + ret = security_manager_setup_namespace_internal(app_label); if (ret != SECURITY_MANAGER_SUCCESS) { LogError("Unable to setup namespace for application " << app_name); return ret; diff --git a/src/include/app-runtime.h b/src/include/app-runtime.h index c51e626..96c7b46 100644 --- a/src/include/app-runtime.h +++ b/src/include/app-runtime.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * 
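Review bot: The single-thread guard in `security_manager_prepare_app_candidate()` only holds if `FS::getSubDirectoriesFromDirectory("/proc/self/task")` returns the `.` and `..` entries, which this hunk does not show. If the helper filters them out, `files.size() > 3` lets a process with two or three threads through, and the extra threads stay in the old mount namespace, which is the situation the commit message sets out to prevent. Counting only the numeric task entries and rejecting any count other than one would not depend on the helper's behaviour. `SECURITY_MANAGER_ERROR_INPUT_PARAM` is also a misleading result for a function that takes no arguments; a distinct code would let launchers recognise this failure.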
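Review bot: `security_manager_prepare_app()` now reaches `MountNS::makeMountSlave("/")` through `security_manager_setup_namespace_internal()` with no check that the process has already left the launcher's mount namespace, because `MountNS::createMountNamespace()` moved into `security_manager_prepare_app_candidate()`. A launcher that still calls only `security_manager_prepare_app()` would, it seems, apply the slave propagation and the later per-app mounts to the namespace it shares with its parent. The requirement is stated only in the app-runtime.h comment. A check at the top of `security_manager_setup_namespace_internal()` that returns an error when the mount namespace was not unshared would turn that misuse into a visible failure. The rest of that function's body is outside the hunks shown.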
@@ -76,14 +76,30 @@ int security_manager_drop_process_privileges(void); /** * A convenience function for launchers for preparing security context for an - * application process. It should be called after fork in the new process, before - * running the application in it. - * It is aimed to cover most common cases and will internally call other, more - * specialized security-manager functions for launchers. - * Currently it just calls: - * - security_manager_set_process_label_from_appid - * - security_manager_set_process_groups_from_appid - * - security_manager_drop_process_privileges + * application candidate process. It is aimed to cover these actions that + * are generic to all kinds of applications and MUST be called + * in single-threaded environment, after fork(), before the application launcher + * calls exec() on app candidate process binary (custom app loader). + * + * On systems with configured mount namespaces for privilege access control + * (non-empty file privilege-mount.list), this currently only sets up the new + * mount namespace. + * + * On systems without mount namespaces-controlled privileges, this is currently + * a no-op. + * + * \return API return code or error code + */ +int security_manager_prepare_app_candidate(void); + +/** + * A convenience function for launchers for preparing security context for an + * application process. It should be called before running actual application code. + * + * This function has to be called in a process where security_manager_prepare_app_candidate() was + * already called and all existing threads are already in the same namespaces. + * + * This function can be called in multithreaded environment. * * \param[in] app_id Application identifier * \return API return code or error code -- 2.7.4 From 10f36b0e08ef8aef8cf3b2d8caf2dacd7767eb24 Mon Sep 17 00:00:00 2001 
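Review bot: The new doc block for `security_manager_prepare_app_candidate()` says it MUST be called single-threaded but does not document the result when it is not. The implementation in client-security-manager.cpp returns `SECURITY_MANAGER_ERROR_INPUT_PARAM` in that case and leaves the namespace unchanged. Add a line such as `* \return SECURITY_MANAGER_ERROR_INPUT_PARAM when the calling process has more than one thread`, so launcher authors know the call can fail and that they must not continue to `exec()`. The `security_manager_prepare_app()` block should likewise state what happens when the candidate step was skipped, and keep a short list of what the function sets up now that the three bullet points were removed.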
From: Tomasz Swierczek Date: Fri, 23 Aug 2019 08:08:40 +0200 Subject: [PATCH 15/16] Release 1.5.9 * Fix for synchronization of per-thread mount namespace setup * Add check for proper synchronization of threads namespaces * Fix licence comments in source code files Change-Id: Iaf0352154b51ef33980f5a100d1891105cc4eb2e --- packaging/security-manager.changes | 10 ++++++++++ packaging/security-manager.spec | 2 +- pc/security-manager.pc.in | 2 +- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/packaging/security-manager.changes b/packaging/security-manager.changes index c43c916..821dd2e 100644 --- a/packaging/security-manager.changes +++ b/packaging/security-manager.changes @@ -1,3 +1,13 @@ +Release: 1.5.9 +Date: 2019.08.23 +Name: Release 1.5.9 +Description: +Fix for synchronization of per-thread mount namespace setup +Add check for proper synchronization of threads namespaces +Fix licence comments in source code files + +############################### + Release: 1.5.8 Date: 2019.07.15 Name: Release 1.5.8 diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec index 966ff95..d7ef268 100644 --- a/packaging/security-manager.spec +++ b/packaging/security-manager.spec @@ -1,6 +1,6 @@ Name: security-manager Summary: Security manager and utilities -Version: 1.5.8 +Version: 1.5.9 Release: 0 Group: Security/Service License: Apache-2.0 diff --git a/pc/security-manager.pc.in b/pc/security-manager.pc.in index fc6f2f8..82793eb 100644 --- a/pc/security-manager.pc.in +++ b/pc/security-manager.pc.in @@ -5,7 +5,7 @@ includedir=${prefix}/include Name: security-manager Description: Security Manager Package -Version: 1.5.8 +Version: 1.5.9 Requires: Libs: -L${libdir} -lsecurity-manager-client Cflags: -I${includedir}/security-manager -- 2.7.4 From fe1732e274d223e4eae0ef2ba569cedffa00513d Mon Sep 17 00:00:00 2001 
From: Tomasz Swierczek Date: Wed, 28 Aug 2019 11:14:15 +0200 Subject: [PATCH 16/16] Disable http://tizen.org/privilege/internal/sysadmin for non-applications By default, system (&user-session) services were granted access to all privileges. As we work towards fine-grained access control for system services, we need to disable granting all privileges for services. This 1st experimental step disables the sysadmin privilege, to be used to control access to activationd daemon. For internal applications, sysadmin privilege will be used in manifests, so Cynara will be able to find exact match for applications' Smack label in its manifest bucket; for policy evaluation to return success in such case, all is needed is addition of this new privilege to user-types whitelists (*.profile files). For system services, access control to activationd will be limited to list of user-IDs listed in DBus policy, hence the privilege can't be automatically enabled for processes with labels User, System & System::Privileged. For user-session services, this privilege will not be used at the moment. The (possible) target solution for providing per-service access control can be based on supplementary groups defined in systemd service files (or applied as a conequence of cynara policy by security-manager nss plugin). However, using supplementary groups with DBus policy is not possible at the moment as both: kernel and DBus will have to be patched to use SO_PEERGROUPS (1) (1) : https://www.spinics.net/lists/netdev/msg441568.html Change-Id: Ie41a60d67d39c49b1ed6a49e0c17b9e5d2dabd86 --- policy/security-manager-policy-reload.in | 2 ++ policy/usertype-admin.profile | 1 + policy/usertype-guest.profile | 1 + policy/usertype-normal.profile | 1 + policy/usertype-security.profile | 1 + policy/usertype-system.profile | 1 + 6 files changed, 7 insertions(+) diff --git a/policy/security-manager-policy-reload.in b/policy/security-manager-policy-reload.in index 8141514..a5834fe 100755 
--- a/policy/security-manager-policy-reload.in +++ b/policy/security-manager-policy-reload.in @@ -62,6 +62,8 @@ done for client in User System System::Privileged do cyad --set-policy --bucket=MANIFESTS_GLOBAL --client="$client" --user="*" --privilege="*" --type=ALLOW +# Non-application programs will have this privilege disabled in order NOT to get it automatically + cyad --set-policy --bucket=MANIFESTS_GLOBAL --client="$client" --user="*" --privilege="http://tizen.org/privilege/internal/sysadmin" --type=DENY done # Root shell get access to all privileges diff --git a/policy/usertype-admin.profile b/policy/usertype-admin.profile index 585a221..f70e96a 100644 --- a/policy/usertype-admin.profile +++ b/policy/usertype-admin.profile @@ -151,5 +151,6 @@ * http://tizen.org/privilege/internal/device/video * http://tizen.org/privilege/internal/inputdevice.block * http://tizen.org/privilege/internal/service +* http://tizen.org/privilege/internal/sysadmin * http://tizen.org/privilege/internal/usermanagement * http://tizen.org/privilege/notexist diff --git a/policy/usertype-guest.profile b/policy/usertype-guest.profile index 460f84c..10bd5c4 100644 --- a/policy/usertype-guest.profile +++ b/policy/usertype-guest.profile @@ -151,4 +151,5 @@ * http://tizen.org/privilege/internal/device/video * http://tizen.org/privilege/internal/inputdevice.block * http://tizen.org/privilege/internal/service +* http://tizen.org/privilege/internal/sysadmin * http://tizen.org/privilege/notexist diff --git a/policy/usertype-normal.profile b/policy/usertype-normal.profile index dca8d79..98e5dd6 100644 --- a/policy/usertype-normal.profile +++ b/policy/usertype-normal.profile @@ -151,4 +151,5 @@ * http://tizen.org/privilege/internal/device/video * http://tizen.org/privilege/internal/inputdevice.block * http://tizen.org/privilege/internal/service +* http://tizen.org/privilege/internal/sysadmin * http://tizen.org/privilege/notexist 
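Review bot: The exit status of the added `cyad --set-policy ... --type=DENY` call is not checked, so if it fails, the wildcard `--privilege="*" --type=ALLOW` rule from the line above stays the only policy for that client and the sysadmin privilege remains granted. Unless the script runs under `set -e` (not visible in this hunk), append a failure path to the DENY line, for example `|| exit 1`. The new comment could also state that the rule depends on the specific DENY taking precedence over the wildcard ALLOW in the same `MANIFESTS_GLOBAL` bucket, since that ordering is what the change relies on.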
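Review bot: Adding `http://tizen.org/privilege/internal/sysadmin` to usertype-guest.profile whitelists the privilege for the least-trusted user type, on the same terms as the admin and system profiles. The commit message says the privilege controls access to the activationd daemon for internal applications, and that a manifest match plus the profile whitelist is enough for the policy check to succeed. If guest sessions are not meant to run such applications, leave the line out of the guest profile (and possibly the normal one), so that a manifest alone cannot grant it there.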
diff --git a/policy/usertype-security.profile b/policy/usertype-security.profile index aed54a4..91be288 100644 --- a/policy/usertype-security.profile +++ b/policy/usertype-security.profile @@ -151,4 +151,5 @@ * http://tizen.org/privilege/internal/device/video * http://tizen.org/privilege/internal/inputdevice.block * http://tizen.org/privilege/internal/service +* http://tizen.org/privilege/internal/sysadmin * http://tizen.org/privilege/notexist diff --git a/policy/usertype-system.profile b/policy/usertype-system.profile index 5a00322..e847f55 100644 --- a/policy/usertype-system.profile +++ b/policy/usertype-system.profile @@ -151,4 +151,5 @@ * http://tizen.org/privilege/internal/device/video * http://tizen.org/privilege/internal/inputdevice.block * http://tizen.org/privilege/internal/service +* http://tizen.org/privilege/internal/sysadmin * http://tizen.org/privilege/notexist -- 2.7.4