From 9843fa406cdd374633e2ef59fadae4aab2555986 Mon Sep 17 00:00:00 2001 From: Jan Cybulski Date: Fri, 23 May 2014 07:41:34 +0200 Subject: [PATCH 01/16] security manager: add generateAppLabel The similar function was declared as part of libprivilege-control Now as security manager is going to drop dependency on privilege-control, there is a need of implementing this function as part of security-manager. Change-Id: Ieb06e278fb7938a0a34e7592b5be7efa33af9b2d Signed-off-by: Jan Cybulski --- src/server/CMakeLists.txt | 1 + src/server/service/security-manager-common.cpp | 40 +++++++++++++++++++++++ src/server/service/security-manager-common.h | 45 ++++++++++++++++++++++++++ 3 files changed, 86 insertions(+) create mode 100644 src/server/service/security-manager-common.cpp create mode 100644 src/server/service/security-manager-common.h diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt index 2cd6177..c52f61b 100644 --- a/src/server/CMakeLists.txt +++ b/src/server/CMakeLists.txt @@ -21,6 +21,7 @@ SET(COMMON_SOURCES ${COMMON_PATH}/dpl/core/src/noncopyable.cpp ${COMMON_PATH}/dpl/core/src/serialization.cpp ${COMMON_PATH}/dpl/core/src/singleton.cpp + ${COMMON_PATH}/service/security-manager-common.cpp ) INCLUDE_DIRECTORIES(SYSTEM diff --git a/src/server/service/security-manager-common.cpp b/src/server/service/security-manager-common.cpp new file mode 100644 index 0000000..2ae363a --- /dev/null +++ b/src/server/service/security-manager-common.cpp @@ -0,0 +1,40 @@ +/* + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Rafal Krypa + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ +/** + * @file security-manager-common.cpp + * @author Jan Cybulski + * @version 1.0 + * @brief This file contains implementation of utility functions for security-manager + * + */ + + +#include "security-manager-common.h" + + +namespace SecurityManager { + +bool generateAppLabel(const std::string &appPkgId, std::string &label) +{ + (void) appPkgId; //todo use pkgId to generate label + label = "User"; + return true; +} + +} // namespace SecurityManager + diff --git a/src/server/service/security-manager-common.h b/src/server/service/security-manager-common.h new file mode 100644 index 0000000..2f1a24b --- /dev/null +++ b/src/server/service/security-manager-common.h @@ -0,0 +1,45 @@ +/* + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Rafal Krypa + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ +/** + * @file security-manager-common.h + * @author Jan Cybulski + * @version 1.0 + * @brief This file is header for utility functions for security-manager + * + */ +#ifndef _SECURITY_MANAGER_COMMON_H_ +#define _SECURITY_MANAGER_COMMON_H_ + +#include + + +namespace SecurityManager { + +/** + * This function generates label for application with package identifier + * read from @ref appPkgId and assigns it to @ref label. + * @param[in] appPkgId application's package identifier. + * @param[out] label string into which application's label will be stored into. + * @return true on success, false on error. + */ +bool generateAppLabel(const std::string &appPkgId, std::string &label); + + +} // namespace SecurityManager + +#endif -- 2.7.4 From ed1e558fb166d8019512b6c02e899d1a1544e756 Mon Sep 17 00:00:00 2001 From: Jacek Bukarewicz Date: Tue, 27 May 2014 14:46:06 +0200 Subject: [PATCH 02/16] Installation/uninstallation of package-specific smack rules On installation rules are generated from predefined template, applied to the kernel and saved to disk so they are loaded on system boot. On uninstallation package-specific rules are revoked from kernel and removed from disk. Change-Id: Ib3ce4ecf909c4fe3c6bc1f5a77e24737b7acf918 --- app-rules-template.smack | 6 + packaging/security-server.spec | 6 +- src/CMakeLists.txt | 1 + src/server/service/installer.cpp | 26 +++- src/server/service/smack-rules.cpp | 283 +++++++++++++++++++++++++++++++++++++ src/server/service/smack-rules.h | 81 +++++++++++ 6 files changed, 400 insertions(+), 3 deletions(-) create mode 100644 app-rules-template.smack create mode 100644 src/server/service/smack-rules.cpp create mode 100644 src/server/service/smack-rules.h diff --git a/app-rules-template.smack b/app-rules-template.smack new file mode 100644 index 0000000..543e80c --- /dev/null +++ b/app-rules-template.smack @@ -0,0 +1,6 @@ +System ~APP~ rwx +~APP~ System wx +~APP~ System::Shared rx +~APP~ System::Run rwxat +~APP~ System::Log rwxa +~APP~ _ l diff --git a/packaging/security-server.spec b/packaging/security-server.spec index a0f15f1..cbbc9df 100644 --- a/packaging/security-server.spec +++ b/packaging/security-server.spec @@ -103,6 +103,8 @@ cp LICENSE %{buildroot}/usr/share/license/libsecurity-server-client cp LICENSE %{buildroot}/usr/share/license/libsecurity-manager-client mkdir -p %{buildroot}/etc/security/ cp security-server-audit.conf %{buildroot}/etc/security/ +mkdir -p %{buildroot}/etc/smack/ +cp app-rules-template.smack %{buildroot}/etc/smack/ %make_install mkdir -p %{buildroot}/usr/lib/systemd/system/multi-user.target.wants @@ -174,7 +176,6 @@ fi %attr(-,root,root) /usr/lib/systemd/system/security-server-cookie-check.socket %attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-app-privilege-by-name.socket %attr(-,root,root) /usr/lib/systemd/system/security-server-app-privilege-by-name.socket -%attr(-,root,root) /etc/security/security-server-audit.conf %attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-password-check.socket %attr(-,root,root) /usr/lib/systemd/system/security-server-password-check.socket %attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-password-set.socket @@ -183,7 +184,8 @@ fi %attr(-,root,root) /usr/lib/systemd/system/security-server-password-reset.socket %attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-manager-installer.socket %attr(-,root,root) /usr/lib/systemd/system/security-manager-installer.socket - +%attr(-,root,root) /etc/security/security-server-audit.conf +%attr(-,root,root) /etc/smack/app-rules-template.smack %{_datadir}/license/%{name} %files -n libsecurity-server-client diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index fc9c23b..02dbcf6 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -27,6 +27,7 @@ SET(SECURITY_SERVER_SOURCES ${SERVER2_PATH}/service/password-manager.cpp ${SERVER2_PATH}/service/password-file-buffer.cpp ${SERVER2_PATH}/service/smack-common.cpp + ${SERVER2_PATH}/service/smack-rules.cpp ${SERVER2_PATH}/service/installer.cpp ) diff --git a/src/server/service/installer.cpp b/src/server/service/installer.cpp index 16b270c..b02e22d 100644 --- a/src/server/service/installer.cpp +++ b/src/server/service/installer.cpp @@ -17,7 +17,8 @@ */ /* * @file installer.cpp - * @author Michal Witanowski (m.witanowski@samsung.com) + * @author Michal Witanowski + * @author Jacek Bukarewicz * @brief Implementation of installer service for libprivilege-control encapsulation. */ @@ -29,6 +30,7 @@ #include "protocols.h" #include "security-server.h" #include "security-manager.h" +#include "smack-rules.h" namespace SecurityServer { @@ -237,10 +239,20 @@ bool InstallerService::processAppInstall(MessageBuffer &buffer, MessageBuffer &s } } + // TODO: This should be done only for the first application in the package + if (!SecurityManager::SmackRules::installPackageRules(req.pkgId)) { + LogError("Failed to apply package-specific smack rules"); + goto error_label; + } + // finish database transaction result = perm_end(); LogDebug("perm_end() returned " << result); if (PC_OPERATION_SUCCESS != result) { + // TODO: Uncomment once proper pkgId -> smack label mapping is implemented (currently all + // applications are mapped to user label and removal of such rules would be harmful) + //SecurityManager::SmackRules::uninstallPackageRules(req.pkgId); + // error in libprivilege-control Serialization::Serialize(send, SECURITY_SERVER_API_ERROR_SERVER_ERROR); return false; @@ -285,6 +297,18 @@ bool InstallerService::processAppUninstall(MessageBuffer &buffer, MessageBuffer return false; } + // TODO: Uncomment once proper pkgId -> smack label mapping is implemented (currently all + // applications are mapped to user label and removal of such rules would be harmful) + // TODO: This should be performed only for the last application in the package + // TODO: retrieve pkgId as it's not available in the request + //if (!SecurityManager::SmackRules::uninstallPackageRules(pkgId)) { + // LogError("Error on uninstallation of package-specific smack rules"); + // result = perm_rollback(); + // LogDebug("perm_rollback() returned " << result); + // Serialization::Serialize(send, SECURITY_SERVER_API_ERROR_SERVER_ERROR); + // return false; + //} + // finish database transaction result = perm_end(); LogDebug("perm_end() returned " << result); diff --git a/src/server/service/smack-rules.cpp b/src/server/service/smack-rules.cpp new file mode 100644 index 0000000..24e9add --- /dev/null +++ b/src/server/service/smack-rules.cpp @@ -0,0 +1,283 @@ +/* + * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Rafal Krypa + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ +/** + * @file smack-rules.cpp + * @author Jacek Bukarewicz + * @version 1.0 + * @brief Implementation of a class managing smack rules + * + */ + +#include +#include +#include +#include +#include +#include + +#include + +#include "smack-rules.h" +#include "security-manager-common.h" + +namespace SecurityManager { + +const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~"; +const char *const APP_RULES_TEMPLATE_FILE_PATH = "/etc/smack/app-rules-template.smack"; +const char *const APP_RULES_DIRECTORY = "/etc/smack/accesses.d/"; + +SmackRules::SmackRules() +{ + if (smack_accesses_new(&m_handle) < 0) { + LogError("Failed to create smack_accesses handle"); + throw std::bad_alloc(); + } +} + +SmackRules::~SmackRules() { + smack_accesses_free(m_handle); +} + +bool SmackRules::add(const std::string &subject, const std::string &object, + const std::string &permissions) +{ + return 0 == smack_accesses_add(m_handle, subject.c_str(), object.c_str(), permissions.c_str()); +} + +bool SmackRules::clear() const +{ + return 0 == smack_accesses_clear(m_handle); +} + +bool SmackRules::apply() const +{ + return 0 == smack_accesses_apply(m_handle); +} + +bool SmackRules::loadFromFile(const std::string &path) +{ + int fd; + bool ret = true; + + fd = open(path.c_str(), O_RDONLY); + if (fd == -1) { + LogError("Failed to open file: %s" << path); + return false; + } + + if (smack_accesses_add_from_file(m_handle, fd)) { + LogError("Failed to load smack rules from file: %s" << path); + ret = false; + } + + close(fd); + return ret; +} + +bool SmackRules::saveToFile(const std::string &path) const +{ + int fd; + bool ret = true; + + fd = open(path.c_str(), O_CREAT | O_WRONLY | O_TRUNC, 0644); + if (fd == -1) { + LogError("Failed to create file: %s" << path); + return false; + } + + if (smack_accesses_save(m_handle, fd)) { + LogError("Failed to save rules to file: %s" << path); + unlink(path.c_str()); + ret = false; + } + + close(fd); + return ret; +} + + +bool SmackRules::addFromTemplateFile(const std::string &pkgId) +{ + std::vector templateRules; + std::string line; + std::ifstream templateRulesFile(APP_RULES_TEMPLATE_FILE_PATH); + + if (!templateRulesFile.is_open()) { + LogError("Cannot open rules template file: " << APP_RULES_TEMPLATE_FILE_PATH); + return false; + } + + while (std::getline(templateRulesFile, line)) { + templateRules.push_back(line); + } + + if (templateRulesFile.bad()) { + LogError("Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH); + return false; + } + + return addFromTemplate(templateRules, pkgId); +} + +bool SmackRules::addFromTemplate(const std::vector &templateRules, + const std::string &pkgId) +{ + std::string tokens[3]; + std::string &subject = tokens[0]; + std::string &object = tokens[1]; + std::string &permissions = tokens[2]; + + for (auto rule = templateRules.begin(); rule != templateRules.end(); ++rule) { + if (rule->length() == 0) + continue; + + if (!tokenizeRule(*rule, tokens, sizeof(tokens) / sizeof(*tokens))) { + return false; + } + + bool subjectIsTemplate = (subject == SMACK_APP_LABEL_TEMPLATE); + bool objectIsTemplate = (object == SMACK_APP_LABEL_TEMPLATE); + + if (objectIsTemplate == subjectIsTemplate) { + LogError("Invalid rule template. Exactly one app label template expected: " << *rule); + return false; + } + + if (subjectIsTemplate) { + if (!SecurityManager::generateAppLabel(pkgId, subject)) { + LogError("Failed to generate app label from pkgid: " << pkgId); + return false; + } + } + + if (objectIsTemplate) { + if (!SecurityManager::generateAppLabel(pkgId, object)) { + LogError("Failed to generate app label from pkgid: " << pkgId); + return false; + } + } + + if (!add(subject, object, permissions)) { + LogError("Failed to add rule: " << subject << " " << object << " " << permissions); + return false; + } + } + + return true; +} + + +bool SmackRules::tokenizeRule(const std::string &rule, std::string tokens[], int size) +{ + size_t startPos; + size_t endPos = 0; + const char delimiters[] = " \t\n\r"; + + for (int i = 0; i < size; i++) { + startPos = rule.find_first_not_of(delimiters, endPos); + if (startPos == std::string::npos) { + LogError("Unexpected end of rule: " << rule); + return false; + } + + endPos = rule.find_first_of(delimiters, startPos); + tokens[i] = rule.substr(startPos, endPos - startPos); + } + + if (endPos != std::string::npos && + rule.find_first_not_of(delimiters, endPos) != std::string::npos) { + LogError("Too many tokens found in rule: " << rule); + return false; + } + + return true; +} + +std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId) +{ + std::string path(APP_RULES_DIRECTORY); + path.append(pkgId); + path.append(".smack"); + return path; +} + +bool SmackRules::installPackageRules(const std::string &pkgId) { + try { + SmackRules smackRules; + std::string path = getPackageRulesFilePath(pkgId); + + if (!smackRules.addFromTemplateFile(pkgId)) { + LogError("Failed to load smack rules for pkgId " << pkgId); + return false; + } + + if (!smackRules.apply()) { + LogError("Failed to apply application rules to kernel"); + return false; + } + + if (!smackRules.saveToFile(path)) { + smackRules.clear(); + return false; + } + + return true; + } catch (const std::bad_alloc &e) { + LogError("Out of memory while trying to install smack rules for pkgId " << pkgId); + return false; + } +} + +bool SmackRules::uninstallPackageRules(const std::string &pkgId) { + std::string path = getPackageRulesFilePath(pkgId); + if (access(path.c_str(), F_OK) == -1) { + if (errno == ENOENT) { + LogWarning("Smack rules were not installed for pkgId: " << pkgId); + return true; + } + + LogWarning("Cannot access smack rules path: " << path); + return false; + } + + try { + SmackRules rules; + if (rules.loadFromFile(path)) { + if (!rules.clear()) { + LogWarning("Failed to clear smack kernel rules for pkgId: " << pkgId); + // don't stop uninstallation + } + } else { + LogWarning("Failed to load rules from file: " << path); + // don't stop uninstallation + } + + if (unlink(path.c_str()) == -1) { + LogError("Failed to remove smack rules file: " << path); + return false; + } + + return true; + } catch (const std::bad_alloc &e) { + LogError("Out of memory while trying to uninstall smack rules for pkgId: " << pkgId); + return false; + } +} + +} // namespace SecurityManager + diff --git a/src/server/service/smack-rules.h b/src/server/service/smack-rules.h new file mode 100644 index 0000000..bf50a4d --- /dev/null +++ b/src/server/service/smack-rules.h @@ -0,0 +1,81 @@ +/* + * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Rafal Krypa + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ +/** + * @file smack-rules.h + * @author Jacek Bukarewicz + * @version 1.0 + * @brief Header file of a class managing smack rules + * + */ +#ifndef _SMACK_RULES_H_ +#define _SMACK_RULES_H_ + +#include +#include + +struct smack_accesses; + +namespace SecurityManager { + +class SmackRules +{ +public: + SmackRules(); + virtual ~SmackRules(); + + bool add(const std::string &subject, const std::string &object, + const std::string &permissions); + bool loadFromFile(const std::string &path); + bool addFromTemplate(const std::vector &templateRules, const std::string &pkgId); + bool addFromTemplateFile(const std::string &pkgId); + + bool apply() const; + bool clear() const; + bool saveToFile(const std::string &path) const; + + /** + * Install package-specific smack rules. + * + * Function creates smack rules using predefined template. Rules are applied + * to the kernel and saved on persistent storage so they are loaded on system boot. + * + * @param[in] pkgId - package identifier + * @return true on success, false on error + */ + static bool installPackageRules(const std::string &pkgId); + /** + * Uninstall package-specific smack rules. + * + * Function loads package-specific smack rules, revokes them from the kernel + * and removes from persistent storage. + * + * @param[in] pkgId - package identifier + * @return true if smack rule file has been uninstalled or didn't exist + * false otherwise + */ + static bool uninstallPackageRules(const std::string &pkgId); +private: + static bool tokenizeRule(const std::string &rule, std::string tokens[], int size); + static std::string getPackageRulesFilePath(const std::string &pkgId); + + smack_accesses *m_handle; +}; + +} // namespace SecurityManager + +#endif /* _SMACK_RULES_H_ */ -- 2.7.4 From af33bcce7f9788be9545175dd41340e10b376dbd Mon Sep 17 00:00:00 2001 From: Jan Cybulski Date: Fri, 23 May 2014 07:39:36 +0200 Subject: [PATCH 03/16] security manager: function for labeling dirs Security manager used libprivilege-control's perm_app_setup_path. This commit removes this dependency by reimplementing the code that labels directories as internal function of installer service in security-manager. Change-Id: I57738ef310afddda235fe2bb45d95ee54d2ed587 Signed-off-by: Jan Cybulski --- src/server/service/installer.cpp | 243 ++++++++++++++++++++++++++++++++++----- src/server/service/installer.h | 2 + 2 files changed, 216 insertions(+), 29 deletions(-) diff --git a/src/server/service/installer.cpp b/src/server/service/installer.cpp index b02e22d..92d98ad 100644 --- a/src/server/service/installer.cpp +++ b/src/server/service/installer.cpp @@ -26,11 +26,21 @@ #include #include + +#include +#include +#include +#include +#include +#include +#include + #include "installer.h" #include "protocols.h" #include "security-server.h" #include "security-manager.h" #include "smack-rules.h" +#include "security-manager-common.h" namespace SecurityServer { @@ -38,31 +48,216 @@ namespace { const InterfaceID INSTALLER_IFACE = 0; +/* Const defined below is used to label links to executables */ +const char *const XATTR_NAME_TIZENEXEC = XATTR_SECURITY_PREFIX "TIZEN_EXEC_LABEL"; + /** - * Convert Security Mangager's API path type to libprivilege-control's API path type. - * @return true on success + * Return values + * -1 - error + * 0 - skip + * 1 - label */ -bool TranslateAppPathType(const app_install_path_type path_type, - app_path_type_t& lpc_path_type) +enum class FileDecision { + SKIP = 0, + LABEL = 1, + ERROR = -1 +}; + +typedef std::function LabelDecisionFn; + + +FileDecision labelAll(const FTSENT *ftsent __attribute__((unused))) +{ + LogSecureDebug("Entering function: " << __func__); + + return FileDecision::LABEL; +} + +FileDecision labelDirs(const FTSENT *ftsent) +{ + LogSecureDebug("Entering function: " << __func__); + + // label only directories + if (S_ISDIR(ftsent->fts_statp->st_mode)) + return FileDecision::LABEL; + return FileDecision::SKIP; +} + +FileDecision labelExecs(const FTSENT *ftsent) +{ + LogSecureDebug("Entering function: " << __func__); + + LogDebug("Mode = " << ftsent->fts_statp->st_mode); + // label only regular executable files + if (S_ISREG(ftsent->fts_statp->st_mode) && (ftsent->fts_statp->st_mode & S_IXUSR)) + return FileDecision::LABEL; + return FileDecision::SKIP; +} + + +FileDecision labelLinksToExecs(const FTSENT *ftsent) { - switch (path_type) { - case SECURITY_MANAGER_PATH_PRIVATE: - lpc_path_type = APP_PATH_PRIVATE; - break; - case SECURITY_MANAGER_PATH_PUBLIC: - lpc_path_type = APP_PATH_PUBLIC; - break; - case SECURITY_MANAGER_PATH_PUBLIC_RO: - lpc_path_type = APP_PATH_FLOOR; - break; - default: + LogSecureDebug("Entering function: " << __func__); + + struct stat buf; + char *target; + + // check if it's a link + if ( !S_ISLNK(ftsent->fts_statp->st_mode)) + return FileDecision::SKIP; + + target = realpath(ftsent->fts_path, NULL); + if (!target) { + LogSecureError("Getting link target for " << ftsent->fts_path << " failed (Error = " << strerror(errno) << ")"); + return FileDecision::ERROR; + } + if (-1 == stat(target, &buf)) { + LogSecureError("stat failed for " << target << " (Error = " << strerror(errno) << ")"); + return FileDecision::ERROR; + } + // skip if link target is not a regular executable file + if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) { + LogSecureDebug(target << "is not a regular executable file. Skipping."); + return FileDecision::SKIP; + } + + return FileDecision::LABEL; +} + +bool dirSetSmack(const std::string &path, const std::string &label, + const char *xattr_name, LabelDecisionFn fn) +{ + LogSecureDebug("Entering function: "<< __func__ <<". Params:" + " path=" << path << ", label=" << label << ", xattr=" << xattr_name); + + + char *const path_argv[] = {const_cast(path.c_str()), NULL}; + FTSENT *ftsent; + FileDecision ret; + + std::unique_ptr > fts( + fts_open(path_argv, FTS_PHYSICAL | FTS_NOCHDIR, NULL), + fts_close); + + if (fts.get() == NULL) { + LogError("fts_open failed."); + return false; + } + + while ((ftsent = fts_read(fts.get())) != NULL) { + /* Check for error (FTS_ERR) or failed stat(2) (FTS_NS) */ + if (ftsent->fts_info == FTS_ERR || ftsent->fts_info == FTS_NS) { + LogError("FTS_ERR error or failed stat(2) (FTS_NS)"); return false; - }; + } + + ret = fn(ftsent); + if (ret == FileDecision::ERROR) { + LogError("fn(ftsent) failed."); + return false; + } + + if (ret == FileDecision::LABEL) { + if (lsetxattr(ftsent->fts_path, xattr_name, label.c_str(), label.length(), 0) != 0) { + LogError("lsetxattr failed."); + return false; + } + } + + } + + /* If last call to fts_read() set errno, we need to return error. */ + if ((errno != 0) && (ftsent == NULL)) { + LogError("Last errno from fts_read: " << strerror(errno)); + return false; + } return true; } + +bool labelDir(const std::string &path, const std::string &label, + bool set_transmutable, bool set_executables) +{ + LogSecureDebug("Entering function: "<< __func__ <<". Params:" + " path=" << path << " label= " << label + << " set_transmutable= " << set_transmutable + << " set_executables= " << set_executables); + bool ret = true; + + // setting access label on everything in given directory and below + ret = dirSetSmack(path, label, XATTR_NAME_SMACK, labelAll); + if (!ret) { + LogError("dirSetSmack failed (access label)"); + return ret; + } + + if (set_transmutable) { + // setting transmute on dirs + ret = dirSetSmack(path, "TRUE", XATTR_NAME_SMACKTRANSMUTE, labelDirs); + if (!ret) { + LogError("dirSetSmack failed (transmute)"); + return ret; + } + } + + if (set_executables) { + ret = dirSetSmack(path, label, XATTR_NAME_SMACKEXEC, &labelExecs); + if (!ret) + { + LogError("dirSetSmack failed (execs)."); + return ret; + } + + //setting execute label for everything with permission to execute + ret = dirSetSmack(path, label, XATTR_NAME_TIZENEXEC, &labelLinksToExecs); + if (!ret) + { + LogError("dirSetSmack failed (link to execs)."); + return ret; + } + } + + return ret; +} + + +bool setupPath(const std::string &pkgId, const std::pair &appPath) +{ + using namespace SecurityManager; + + app_install_path_type pathType = static_cast(appPath.second); + std::string label; + bool label_executables, label_transmute; + + + switch (pathType) { + case SECURITY_MANAGER_PATH_PRIVATE: + if(!generateAppLabel(pkgId,label)) + return false; + label_executables = true; + label_transmute = false; + break; + case SECURITY_MANAGER_PATH_PUBLIC: + label.assign(InstallerService::LABEL_FOR_PUBLIC_APP_PATH); + label_executables = false; + label_transmute = true; + break; + case SECURITY_MANAGER_PATH_PUBLIC_RO: + label.assign("_"); + label_executables = false; + label_transmute = false; + break; + default: + LogError("Path type not known."); + return false; + } + return labelDir(appPath.first, label, label_transmute, label_executables); +} + } // namespace anonymous +/* Const defined below is used to label links to executables */ +const char *const InstallerService::LABEL_FOR_PUBLIC_APP_PATH = "User"; InstallerService::InstallerService() { @@ -222,19 +417,9 @@ bool InstallerService::processAppInstall(MessageBuffer &buffer, MessageBuffer &s // register paths for (const auto& appPath : req.appPaths) { - app_path_type_t path_type; - if (!TranslateAppPathType((app_install_path_type)appPath.second, - path_type)) { - LogError("Unrecognized path type: " << appPath.second); - goto error_label; - } - LogDebug("Adding path: " << appPath.first << " (type " << path_type << ")"); - - // TODO: use pkgId. - result = perm_app_setup_path(req.appId.c_str(), appPath.first.c_str(), path_type); - if (PC_OPERATION_SUCCESS != result) { - // libprivilege error - LogDebug("perm_app_setup_path() returned " << result); + result = setupPath(req.pkgId, appPath); + if (!result) { + LogDebug("setupPath() failed "); goto error_label; } } diff --git a/src/server/service/installer.h b/src/server/service/installer.h index 843dca8..45c95f6 100644 --- a/src/server/service/installer.h +++ b/src/server/service/installer.h @@ -56,6 +56,8 @@ public: void process(const ReadEvent &event); void close(const CloseEvent &event); + static const char *const LABEL_FOR_PUBLIC_APP_PATH; + private: ConnectionInfoMap m_connectionInfoMap; -- 2.7.4 From 9d7d2f242d036ed8f07e4afa108709524b1af409 Mon Sep 17 00:00:00 2001 From: Marcin Lis Date: Mon, 9 Jun 2014 17:55:09 +0200 Subject: [PATCH 04/16] Add smackfs check to Installer service. The app installation was failing under the non-smack environment. One additional check for the existence of the smack is now added to prevent the Installer from applying smack rules to the kernel, when there is no smack security enabled. The same kind of check is also added to uninstall-app functionality. Change-Id: I9ed29e7d60e34639173317ac83c1f5314100d6e4 Signed-off-by: Marcin Lis --- src/server/service/smack-rules.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/server/service/smack-rules.cpp b/src/server/service/smack-rules.cpp index 24e9add..4319ca9 100644 --- a/src/server/service/smack-rules.cpp +++ b/src/server/service/smack-rules.cpp @@ -226,7 +226,7 @@ bool SmackRules::installPackageRules(const std::string &pkgId) { return false; } - if (!smackRules.apply()) { + if (smack_smackfs_path() != NULL && !smackRules.apply()) { LogError("Failed to apply application rules to kernel"); return false; } @@ -258,7 +258,7 @@ bool SmackRules::uninstallPackageRules(const std::string &pkgId) { try { SmackRules rules; if (rules.loadFromFile(path)) { - if (!rules.clear()) { + if (smack_smackfs_path() != NULL && !rules.clear()) { LogWarning("Failed to clear smack kernel rules for pkgId: " << pkgId); // don't stop uninstallation } -- 2.7.4 From 6a804fab14e528da720691dded181d75da2c475a Mon Sep 17 00:00:00 2001 From: Jan Cybulski Date: Mon, 16 Jun 2014 14:38:01 +0200 Subject: [PATCH 05/16] Remove unnecessary security-server files This commit starts a fork from security-server repository, that initially security-manager was part of. All parts of security-server that was not needed by security-manager are removed. That means removing security-server-client and removing all services exept security-manager's ones. Change-Id: Id9a33033398811b4b5fc36738ff4ca411260315b Signed-off-by: Jan Cybulski --- CMakeLists.txt | 1 - build/CMakeLists.txt | 1 - build/security-server/CMakeLists.txt | 26 -- build/security-server/security-server.pc.in | 11 - packaging/libsecurity-server-client.manifest | 5 - packaging/security-server.changes | 7 - packaging/security-server.spec | 84 +--- src/CMakeLists.txt | 55 --- src/server/client/client-app-permissions.cpp | 95 ---- src/server/client/client-cookie.cpp | 291 ------------ src/server/client/client-get-gid.cpp | 75 ---- src/server/client/client-password.cpp | 277 ------------ src/server/client/client-privilege-by-pid.cpp | 86 ---- src/server/client/client-shared-memory.cpp | 66 --- src/server/client/client-socket-privilege.cpp | 111 ----- src/server/common/protocols.cpp | 30 -- src/server/common/protocols.h | 51 --- src/server/main/server2-main.cpp | 12 - src/server/service/app-permissions.cpp | 176 -------- src/server/service/app-permissions.h | 64 --- src/server/service/cookie-common.cpp | 24 - src/server/service/cookie-common.h | 33 -- src/server/service/cookie-jar.cpp | 251 ----------- src/server/service/cookie-jar.h | 85 ---- src/server/service/cookie.cpp | 395 ---------------- src/server/service/cookie.h | 75 ---- src/server/service/data-share.cpp | 138 ------ src/server/service/data-share.h | 61 --- src/server/service/get-gid.cpp | 158 ------- src/server/service/get-gid.h | 63 --- src/server/service/password-exception.h | 48 -- src/server/service/password-file-buffer.cpp | 108 ----- src/server/service/password-file-buffer.h | 56 --- src/server/service/password-file.cpp | 497 --------------------- src/server/service/password-file.h | 128 ------ src/server/service/password-manager.cpp | 276 ------------ src/server/service/password-manager.h | 59 --- src/server/service/password.cpp | 283 ------------ src/server/service/password.h | 80 ---- src/server/service/privilege-by-pid.cpp | 143 ------ src/server/service/privilege-by-pid.h | 60 --- systemd/CMakeLists.txt | 9 - .../security-server-app-privilege-by-name.socket | 14 - systemd/security-server-cookie-check.socket | 14 - systemd/security-server-cookie-get.socket | 14 - systemd/security-server-data-share.socket | 14 - systemd/security-server-get-gid.socket | 14 - systemd/security-server-password-check.socket | 14 - systemd/security-server-password-reset.socket | 14 - systemd/security-server-password-set.socket | 14 - systemd/security-server-privilege-by-pid.socket | 14 - 51 files changed, 1 insertion(+), 4679 deletions(-) delete mode 100644 build/security-server/CMakeLists.txt delete mode 100644 build/security-server/security-server.pc.in delete mode 100644 packaging/libsecurity-server-client.manifest delete mode 100644 packaging/security-server.changes delete mode 100644 src/server/client/client-app-permissions.cpp delete mode 100644 src/server/client/client-cookie.cpp delete mode 100644 src/server/client/client-get-gid.cpp delete mode 100644 src/server/client/client-password.cpp delete mode 100644 src/server/client/client-privilege-by-pid.cpp delete mode 100644 src/server/client/client-shared-memory.cpp delete mode 100644 src/server/client/client-socket-privilege.cpp delete mode 100644 src/server/service/app-permissions.cpp delete mode 100644 src/server/service/app-permissions.h delete mode 100644 src/server/service/cookie-common.cpp delete mode 100644 src/server/service/cookie-common.h delete mode 100644 src/server/service/cookie-jar.cpp delete mode 100644 src/server/service/cookie-jar.h delete mode 100644 src/server/service/cookie.cpp delete mode 100644 src/server/service/cookie.h delete mode 100644 src/server/service/data-share.cpp delete mode 100644 src/server/service/data-share.h delete mode 100644 src/server/service/get-gid.cpp delete mode 100644 src/server/service/get-gid.h delete mode 100644 src/server/service/password-exception.h delete mode 100644 src/server/service/password-file-buffer.cpp delete mode 100644 src/server/service/password-file-buffer.h delete mode 100644 src/server/service/password-file.cpp delete mode 100644 src/server/service/password-file.h delete mode 100644 src/server/service/password-manager.cpp delete mode 100644 src/server/service/password-manager.h delete mode 100644 src/server/service/password.cpp delete mode 100644 src/server/service/password.h delete mode 100644 src/server/service/privilege-by-pid.cpp delete mode 100644 src/server/service/privilege-by-pid.h delete mode 100644 systemd/security-server-app-privilege-by-name.socket delete mode 100644 systemd/security-server-cookie-check.socket delete mode 100644 systemd/security-server-cookie-get.socket delete mode 100644 systemd/security-server-data-share.socket delete mode 100644 systemd/security-server-get-gid.socket delete mode 100644 systemd/security-server-password-check.socket delete mode 100644 systemd/security-server-password-reset.socket delete mode 100644 systemd/security-server-password-set.socket delete mode 100644 systemd/security-server-privilege-by-pid.socket diff --git a/CMakeLists.txt b/CMakeLists.txt index 34ba7ff..d3e2657 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -59,7 +59,6 @@ IF (CMAKE_BUILD_TYPE MATCHES "DEBUG") ENDIF (CMAKE_BUILD_TYPE MATCHES "DEBUG") SET(TARGET_SECURITY_SERVER "security-server") -SET(TARGET_SECURITY_CLIENT "security-server-client") SET(TARGET_SECURITY_MANAGER_CLIENT "security-manager-client") SET(TARGET_SERVER_COMMON "security-server-commons") diff --git a/build/CMakeLists.txt b/build/CMakeLists.txt index cb8f1ee..77b8c60 100644 --- a/build/CMakeLists.txt +++ b/build/CMakeLists.txt @@ -16,5 +16,4 @@ # @author Tomasz Swierczek (t.swierczek@samsung.com) # -ADD_SUBDIRECTORY(security-server) ADD_SUBDIRECTORY(security-manager) diff --git a/build/security-server/CMakeLists.txt b/build/security-server/CMakeLists.txt deleted file mode 100644 index ddc0fb7..0000000 --- a/build/security-server/CMakeLists.txt +++ /dev/null @@ -1,26 +0,0 @@ -# Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# @file CMakeLists.txt -# @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) -# @brief -# - -CONFIGURE_FILE(security-server.pc.in security-server.pc @ONLY) - -INSTALL(FILES - ${CMAKE_BINARY_DIR}/build/security-server/security-server.pc - DESTINATION - ${LIB_INSTALL_DIR}/pkgconfig - ) diff --git a/build/security-server/security-server.pc.in b/build/security-server/security-server.pc.in deleted file mode 100644 index a865f8a..0000000 --- a/build/security-server/security-server.pc.in +++ /dev/null @@ -1,11 +0,0 @@ -prefix=@CMAKE_INSTALL_PREFIX@ -exec_prefix=${prefix} -libdir=@LIB_INSTALL_DIR@ -includedir=${prefix}/include - -Name: security-server -Description: Security Server Package -Version: 1.0.1 -Requires: openssl libsmack libprivilege-control -Libs: -L${libdir} -lsecurity-server-client -Cflags: -I${includedir}/security-server diff --git a/packaging/libsecurity-server-client.manifest b/packaging/libsecurity-server-client.manifest deleted file mode 100644 index a76fdba..0000000 --- a/packaging/libsecurity-server-client.manifest +++ /dev/null @@ -1,5 +0,0 @@ - - - - - diff --git a/packaging/security-server.changes b/packaging/security-server.changes deleted file mode 100644 index a773a57..0000000 --- a/packaging/security-server.changes +++ /dev/null @@ -1,7 +0,0 @@ -* Fri Aug 23 2013 Rusty Lynch submit/tizen/20130716.223318@0e96d3e -- Cleanup spec and remove defunct system V startup scripts -- smack API has changed; smack_new_label_from socket returns the label length. - -* Fri Jul 12 2013 Patrick McCarty b7787d6 -- Fix the manifest installation - diff --git a/packaging/security-server.spec b/packaging/security-server.spec index cbbc9df..a2f085f 100644 --- a/packaging/security-server.spec +++ b/packaging/security-server.spec @@ -6,12 +6,10 @@ Group: Security/Service License: Apache-2.0 Source0: %{name}-%{version}.tar.gz Source1: security-server.manifest -Source2: libsecurity-server-client.manifest Source3: libsecurity-manager-client.manifest BuildRequires: cmake BuildRequires: zip BuildRequires: pkgconfig(dlog) -BuildRequires: pkgconfig(openssl) BuildRequires: libattr-devel BuildRequires: libcap-devel BuildRequires: pkgconfig(libsmack) @@ -22,25 +20,6 @@ BuildRequires: pkgconfig(libsystemd-daemon) %description Tizen security server and utilities -%package -n libsecurity-server-client -Summary: Security server (client) -Group: Security/Libraries -Requires: security-server = %{version}-%{release} -Requires(post): /sbin/ldconfig -Requires(postun): /sbin/ldconfig - -%description -n libsecurity-server-client -Tizen Security server client library - -%package -n libsecurity-server-client-devel -Summary: Security server (client-devel) -Group: Security/Development -Requires: libsecurity-server-client = %{version}-%{release} -Requires: libprivilege-control-devel - -%description -n libsecurity-server-client-devel -Development files needed for using the security client - %package -n libsecurity-manager-client Summary: Security manager (client) Group: Security/Libraries @@ -59,26 +38,9 @@ Requires: libsecurity-manager-client = %{version}-%{release} %description -n libsecurity-manager-client-devel Development files needed for using the security manager client -%package -n security-server-devel -Summary: for web applications (Development) -Group: Security/Development -Requires: security-server = %{version}-%{release} - -%description -n security-server-devel -Development files for the Tizen security server - -%package -n security-server-certs -Summary: Certificates for web applications. -Group: Security/Libraries -Requires: security-server - -%description -n security-server-certs -Certificates for the Tizen Web-Runtime - %prep %setup -q cp %{SOURCE1} . -cp %{SOURCE2} . cp %{SOURCE3} . %build @@ -99,7 +61,6 @@ make %{?jobs:-j%jobs} rm -rf %{buildroot} mkdir -p %{buildroot}/usr/share/license cp LICENSE %{buildroot}/usr/share/license/%{name} -cp LICENSE %{buildroot}/usr/share/license/libsecurity-server-client cp LICENSE %{buildroot}/usr/share/license/libsecurity-manager-client mkdir -p %{buildroot}/etc/security/ cp security-server-audit.conf %{buildroot}/etc/security/ @@ -110,15 +71,6 @@ cp app-rules-template.smack %{buildroot}/etc/smack/ mkdir -p %{buildroot}/usr/lib/systemd/system/multi-user.target.wants mkdir -p %{buildroot}/usr/lib/systemd/system/sockets.target.wants ln -s ../security-server.service %{buildroot}/usr/lib/systemd/system/multi-user.target.wants/security-server.service -ln -s ../security-server-data-share.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-data-share.socket -ln -s ../security-server-get-gid.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-get-gid.socket -ln -s ../security-server-privilege-by-pid.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-privilege-by-pid.socket -ln -s ../security-server-cookie-get.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-cookie-get.socket -ln -s ../security-server-cookie-check.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-cookie-check.socket -ln -s ../security-server-app-privilege-by-name.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-app-privilege-by-name.socket -ln -s ../security-server-password-check.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-password-check.socket -ln -s ../security-server-password-set.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-password-set.socket -ln -s ../security-server-password-reset.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-password-reset.socket ln -s ../security-manager-installer.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-manager-installer.socket %clean @@ -148,12 +100,8 @@ if [ $1 = 0 ]; then systemctl daemon-reload fi -%post -n libsecurity-server-client -p /sbin/ldconfig - %post -n libsecurity-manager-client -p /sbin/ldconfig -%postun -n libsecurity-server-client -p /sbin/ldconfig - %postun -n libsecurity-manager-client -p /sbin/ldconfig %files -n security-server @@ -164,43 +112,12 @@ fi %attr(-,root,root) /usr/lib/systemd/system/multi-user.target.wants/security-server.service %attr(-,root,root) /usr/lib/systemd/system/security-server.service %attr(-,root,root) /usr/lib/systemd/system/security-server.target -%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-data-share.socket -%attr(-,root,root) /usr/lib/systemd/system/security-server-data-share.socket -%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-get-gid.socket -%attr(-,root,root) /usr/lib/systemd/system/security-server-get-gid.socket -%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-privilege-by-pid.socket -%attr(-,root,root) /usr/lib/systemd/system/security-server-privilege-by-pid.socket -%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-cookie-get.socket -%attr(-,root,root) /usr/lib/systemd/system/security-server-cookie-get.socket -%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-cookie-check.socket -%attr(-,root,root) /usr/lib/systemd/system/security-server-cookie-check.socket -%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-app-privilege-by-name.socket -%attr(-,root,root) /usr/lib/systemd/system/security-server-app-privilege-by-name.socket -%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-password-check.socket -%attr(-,root,root) /usr/lib/systemd/system/security-server-password-check.socket -%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-password-set.socket -%attr(-,root,root) /usr/lib/systemd/system/security-server-password-set.socket -%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-password-reset.socket -%attr(-,root,root) /usr/lib/systemd/system/security-server-password-reset.socket %attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-manager-installer.socket %attr(-,root,root) /usr/lib/systemd/system/security-manager-installer.socket %attr(-,root,root) /etc/security/security-server-audit.conf %attr(-,root,root) /etc/smack/app-rules-template.smack %{_datadir}/license/%{name} -%files -n libsecurity-server-client -%manifest libsecurity-server-client.manifest -%defattr(-,root,root,-) -%{_libdir}/libsecurity-server-client.so.* -%{_datadir}/license/libsecurity-server-client - -%files -n libsecurity-server-client-devel -%manifest %{name}.manifest -%defattr(-,root,root,-) -%{_libdir}/libsecurity-server-client.so -%{_libdir}/libsecurity-server-commons.so -%{_includedir}/security-server/security-server.h -%{_libdir}/pkgconfig/security-server.pc %files -n libsecurity-manager-client %manifest libsecurity-manager-client.manifest @@ -214,4 +131,5 @@ fi %{_libdir}/libsecurity-manager-client.so %{_libdir}/libsecurity-server-commons.so %{_includedir}/security-manager/security-manager.h +%{_includedir}/security-server/security-server.h %{_libdir}/pkgconfig/security-manager.pc diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 02dbcf6..f3fd02c 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -1,6 +1,5 @@ PKG_CHECK_MODULES(SECURITY_SERVER_DEP dlog - openssl libsmack libprivilege-control libsystemd-daemon @@ -15,17 +14,6 @@ SET(SECURITY_SERVER_SOURCES ${SERVER2_PATH}/main/generic-socket-manager.cpp ${SERVER2_PATH}/main/socket-manager.cpp ${SERVER2_PATH}/main/server2-main.cpp - ${SERVER2_PATH}/service/data-share.cpp - ${SERVER2_PATH}/service/get-gid.cpp - ${SERVER2_PATH}/service/app-permissions.cpp - ${SERVER2_PATH}/service/cookie.cpp - ${SERVER2_PATH}/service/cookie-jar.cpp - ${SERVER2_PATH}/service/cookie-common.cpp - ${SERVER2_PATH}/service/privilege-by-pid.cpp - ${SERVER2_PATH}/service/password.cpp - ${SERVER2_PATH}/service/password-file.cpp - ${SERVER2_PATH}/service/password-manager.cpp - ${SERVER2_PATH}/service/password-file-buffer.cpp ${SERVER2_PATH}/service/smack-common.cpp ${SERVER2_PATH}/service/smack-rules.cpp ${SERVER2_PATH}/service/installer.cpp @@ -57,43 +45,6 @@ TARGET_LINK_LIBRARIES(${TARGET_SECURITY_SERVER} -lcap ) -################################################################################ - -SET(SECURITY_CLIENT_VERSION_MAJOR 1) -SET(SECURITY_CLIENT_VERSION ${SECURITY_CLIENT_VERSION_MAJOR}.0.1) - -INCLUDE_DIRECTORIES( - ${SERVER2_PATH}/client - ${SERVER2_PATH}/common - ${SERVER2_PATH}/dpl/core/include - ${SERVER2_PATH}/dpl/log/include - ) - -SET(SECURITY_CLIENT_SOURCES - ${SERVER2_PATH}/client/client-common.cpp - ${SERVER2_PATH}/client/client-shared-memory.cpp - ${SERVER2_PATH}/client/client-get-gid.cpp - ${SERVER2_PATH}/client/client-app-permissions.cpp - ${SERVER2_PATH}/client/client-cookie.cpp - ${SERVER2_PATH}/client/client-privilege-by-pid.cpp - ${SERVER2_PATH}/client/client-socket-privilege.cpp - ${SERVER2_PATH}/client/client-password.cpp - ) - -ADD_LIBRARY(${TARGET_SECURITY_CLIENT} SHARED ${SECURITY_CLIENT_SOURCES}) - -SET_TARGET_PROPERTIES( - ${TARGET_SECURITY_CLIENT} - PROPERTIES - COMPILE_FLAGS "-D_GNU_SOURCE -fPIC -fvisibility=hidden" - SOVERSION ${SECURITY_CLIENT_VERSION_MAJOR} - VERSION ${SECURITY_CLIENT_VERSION} - ) - -TARGET_LINK_LIBRARIES(${TARGET_SECURITY_CLIENT} - ${SECURITY_SERVER_DEP_LIBRARIES} - ${TARGET_SERVER_COMMON} - ) ################################################################################ @@ -129,7 +80,6 @@ TARGET_LINK_LIBRARIES(${TARGET_SECURITY_MANAGER_CLIENT} ################################################################################ -INSTALL(TARGETS ${TARGET_SECURITY_CLIENT} DESTINATION ${LIB_INSTALL_DIR}) INSTALL(TARGETS ${TARGET_SECURITY_MANAGER_CLIENT} DESTINATION ${LIB_INSTALL_DIR}) INSTALL(TARGETS ${TARGET_SECURITY_SERVER} DESTINATION bin) @@ -146,9 +96,4 @@ INSTALL(FILES ################################################################################ -#CONFIGURE_FILE(security-server.pc.in security-server.pc @ONLY) -#INSTALL - -################################################################################ - ADD_SUBDIRECTORY(server) diff --git a/src/server/client/client-app-permissions.cpp b/src/server/client/client-app-permissions.cpp deleted file mode 100644 index 8c1d7b7..0000000 --- a/src/server/client/client-app-permissions.cpp +++ /dev/null @@ -1,95 +0,0 @@ -/* - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bartlomiej Grzelewski - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file client-app-permissions.cpp - * @author Pawel Polawski (pawel.polawski@partner.samsung.com) - * @version 1.0 - * @brief This file contains implementation of - * security_server_app_has_privilege function - */ - - -#include -#include - -#include -#include -#include - -#include -#include - -SECURITY_SERVER_API -int security_server_app_has_privilege(const char *app_label, - app_type_t app_type, - const char *privilege_name, - int *result) -{ - using namespace SecurityServer; - MessageBuffer send, recv; - - LogDebug("security_server_app_has_privilege() called"); - - try { - if ((NULL == app_label) || (strlen(app_label) == 0)) { - LogError("app_id is NULL or empty"); - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - } - if ((NULL == privilege_name) || (strlen(privilege_name) == 0)) { - LogError("privilege_name is NULL or empty"); - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - } - if (NULL == result) { - LogError("result is NULL"); - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - } - - LogDebug("app_label: " << app_label); - LogDebug("app_type: " << static_cast(app_type)); - LogDebug("privilege_name: " << privilege_name); - - //put data into buffer - Serialization::Serialize(send, static_cast(PrivilegeCheckHdrs::CHECK_GIVEN_APP)); - Serialization::Serialize(send, std::string(app_label)); - Serialization::Serialize(send, static_cast(app_type)); - Serialization::Serialize(send, std::string(privilege_name)); - - //send buffer to server - int apiResult = sendToServer(SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME, send.Pop(), recv); - if (apiResult != SECURITY_SERVER_API_SUCCESS) { - LogError("Error in sendToServer. Error code: " << apiResult); - return apiResult; - } - - //receive response from server - Deserialization::Deserialize(recv, apiResult); - if (apiResult == SECURITY_SERVER_API_SUCCESS) { - Deserialization::Deserialize(recv, *result); - } - return apiResult; - - } catch (MessageBuffer::Exception::Base &e) { - LogError("SecurityServer::MessageBuffer::Exception " << e.DumpToString()); - } catch (std::exception &e) { - LogError("STD exception " << e.what()); - } catch (...) { - LogError("Unknown exception occured"); - } - - return SECURITY_SERVER_API_ERROR_UNKNOWN; -} diff --git a/src/server/client/client-cookie.cpp b/src/server/client/client-cookie.cpp deleted file mode 100644 index ca81514..0000000 --- a/src/server/client/client-cookie.cpp +++ /dev/null @@ -1,291 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file client-cookie.cpp - * @author Pawel Polawski (p.polawski@partner.samsung.com) - * @version 1.0 - * @brief This file contain implementation of cookie functions for getting cookies - */ - - -#include - -#include -#include - -#include -#include -#include - -#include - -SECURITY_SERVER_API -int security_server_get_cookie_size(void) -{ - return SecurityServer::COOKIE_SIZE; -} - -SECURITY_SERVER_API -int security_server_request_cookie(char *cookie, size_t bufferSize) -{ - using namespace SecurityServer; - MessageBuffer send, recv; - std::vector receivedCookie; - - LogDebug("security_server_request_cookie() called"); - - return try_catch([&] { - //checking parameters - if (bufferSize < COOKIE_SIZE) { - LogDebug("Buffer for cookie too small"); - return SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL; - } - if (cookie == NULL) { - LogDebug("Cookie pointer empty"); - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - } - - //put data into buffer - Serialization::Serialize(send, (int)CookieCall::GET_COOKIE); - - //send buffer to server - int retval = sendToServer(SERVICE_SOCKET_COOKIE_GET, send.Pop(), recv); - if (retval != SECURITY_SERVER_API_SUCCESS) { - LogDebug("Error in sendToServer. Error code: " << retval); - return retval; - } - - //receive response from server - Deserialization::Deserialize(recv, retval); - if (retval != SECURITY_SERVER_API_SUCCESS) - return retval; - - Deserialization::Deserialize(recv, receivedCookie); - if (receivedCookie.size() != COOKIE_SIZE) { - LogDebug("No match in cookie size"); - return SECURITY_SERVER_API_ERROR_BAD_RESPONSE; - } - - memcpy(cookie, &receivedCookie[0], receivedCookie.size()); - return retval; - }); -} - -SECURITY_SERVER_API -int security_server_get_cookie_pid(const char *cookie) -{ - using namespace SecurityServer; - MessageBuffer send, recv; - int pid; - int retval = SECURITY_SERVER_API_ERROR_UNKNOWN; - - LogDebug("security_server_get_cookie_pid() called"); - - if (cookie == NULL) - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - - //preprae cookie to send - std::vector key(cookie, cookie + COOKIE_SIZE); - - return try_catch([&] { - //put data into buffer - Serialization::Serialize(send, (int)CookieCall::CHECK_PID); - Serialization::Serialize(send, key); - - //send buffer to server - retval = sendToServer(SERVICE_SOCKET_COOKIE_CHECK, send.Pop(), recv); - if (retval != SECURITY_SERVER_API_SUCCESS) { - LogDebug("Error in sendToServer. Error code: " << retval); - return retval; - } - - //receive response from server - Deserialization::Deserialize(recv, retval); - if (retval != SECURITY_SERVER_API_SUCCESS) - return retval; - - Deserialization::Deserialize(recv, pid); - return pid; - }); -} - -SECURITY_SERVER_API -char * security_server_get_smacklabel_cookie(const char *cookie) -{ - using namespace SecurityServer; - MessageBuffer send, recv; - int retval = SECURITY_SERVER_API_ERROR_UNKNOWN; - std::string label; - - LogDebug("security_server_get_smacklabel_cookie() called"); - - if (cookie == NULL) - return NULL; - - //preprae cookie to send - std::vector key(cookie, cookie + COOKIE_SIZE); - - try { - //put data into buffer - Serialization::Serialize(send, (int)CookieCall::CHECK_SMACKLABEL); - Serialization::Serialize(send, key); - - //send buffer to server - retval = sendToServer(SERVICE_SOCKET_COOKIE_CHECK, send.Pop(), recv); - if (retval != SECURITY_SERVER_API_SUCCESS) { - LogDebug("Error in sendToServer. Error code: " << retval); - return NULL; - } - - //receive response from server - Deserialization::Deserialize(recv, retval); - if (retval != SECURITY_SERVER_API_SUCCESS) - return NULL; - - Deserialization::Deserialize(recv, label); - - return strdup(label.c_str()); - - } catch (MessageBuffer::Exception::Base &e) { - LogDebug("SecurityServer::MessageBuffer::Exception " << e.DumpToString()); - } catch (std::exception &e) { - LogDebug("STD exception " << e.what()); - } catch (...) { - LogDebug("Unknown exception occured"); - } - - return NULL; -} - -SECURITY_SERVER_API -int security_server_check_privilege(const char *cookie, gid_t privilege) -{ - using namespace SecurityServer; - MessageBuffer send, recv; - int retval = SECURITY_SERVER_API_ERROR_UNKNOWN; - - LogDebug("security_server_check_privilege() called"); - - if (cookie == NULL) - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - - //preprae cookie to send - std::vector key(cookie, cookie + COOKIE_SIZE); - - return try_catch([&] { - //put data into buffer - Serialization::Serialize(send, (int)CookieCall::CHECK_PRIVILEGE_GID); - Serialization::Serialize(send, key); - Serialization::Serialize(send, (int)privilege); - - //send buffer to server - retval = sendToServer(SERVICE_SOCKET_COOKIE_CHECK, send.Pop(), recv); - if (retval != SECURITY_SERVER_API_SUCCESS) { - LogDebug("Error in sendToServer. Error code: " << retval); - return retval; - } - - //receive response from server - Deserialization::Deserialize(recv, retval); - return retval; - }); -} - -SECURITY_SERVER_API -int security_server_check_privilege_by_cookie( - const char *cookie SECURITY_SERVER_UNUSED, - const char *object SECURITY_SERVER_UNUSED, - const char *access_rights SECURITY_SERVER_UNUSED) -{ -#if 0 - using namespace SecurityServer; - MessageBuffer send, recv; - int retval = SECURITY_SERVER_API_ERROR_UNKNOWN; - - LogDebug("security_server_check_privilege_by_cookie() called"); - - if ((cookie == NULL) || (object == NULL) || (access_rights == NULL)) - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - - //preprae cookie to send - std::vector key(cookie, cookie + COOKIE_SIZE); - - std::string obj(object); - std::string access(access_rights); - - return try_catch([&] { - //put data into buffer - Serialization::Serialize(send, (int)CookieCall::CHECK_PRIVILEGE); - Serialization::Serialize(send, key); - Serialization::Serialize(send, obj); - Serialization::Serialize(send, access); - - //send buffer to server - retval = sendToServer(SERVICE_SOCKET_COOKIE_CHECK, send.Pop(), recv); - if (retval != SECURITY_SERVER_API_SUCCESS) { - LogDebug("Error in sendToServer. Error code: " << retval); - return retval; - } - - //receive response from server - Deserialization::Deserialize(recv, retval); - return retval; - }); -#endif - return SECURITY_SERVER_API_SUCCESS; -} - -SECURITY_SERVER_API -int security_server_get_uid_by_cookie(const char *cookie, uid_t *uid) -{ - using namespace SecurityServer; - MessageBuffer send, recv; - int retval = SECURITY_SERVER_API_ERROR_UNKNOWN; - - LogDebug("security_server_get_uid_by_cookie() called"); - - if ((cookie == NULL) || (uid == NULL)) - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - - //preprae cookie to send - std::vector key(cookie, cookie + COOKIE_SIZE); - - return try_catch([&] { - //put data into buffer - Serialization::Serialize(send, (int)CookieCall::CHECK_UID); - Serialization::Serialize(send, key); - - //send buffer to server - retval = sendToServer(SERVICE_SOCKET_COOKIE_CHECK, send.Pop(), recv); - if (retval != SECURITY_SERVER_API_SUCCESS) { - LogDebug("Error in sendToServer. Error code: " << retval); - return retval; - } - - //receive response from server - Deserialization::Deserialize(recv, retval); - if (retval == SECURITY_SERVER_API_SUCCESS) { - int tmp; - Deserialization::Deserialize(recv, tmp); - *uid = static_cast(tmp); - } - - return retval; - }); -} - diff --git a/src/server/client/client-get-gid.cpp b/src/server/client/client-get-gid.cpp deleted file mode 100644 index 659e393..0000000 --- a/src/server/client/client-get-gid.cpp +++ /dev/null @@ -1,75 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file client-get-gid.cpp - * @author Jan Olszak (j.olszak@samsung.com) - * @version 1.0 - * @brief This file constains implementation of get GID function. - */ - -#include - -#include -#include - -#include -#include -#include - -#include - -SECURITY_SERVER_API -int security_server_get_gid(const char *objectName) { - using namespace SecurityServer; - - return try_catch([&] { - if (NULL == objectName){ - LogDebug("Objects name is NULL"); - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - } - - int objectsNameLen = strlen(objectName); - if (0 == objectsNameLen || objectsNameLen > SECURITY_SERVER_MAX_OBJ_NAME){ - LogDebug("Objects name is empty or too long"); - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - } - - MessageBuffer send, recv; - Serialization::Serialize(send, std::string(objectName)); - - int retCode = sendToServer( - SERVICE_SOCKET_GET_GID, - send.Pop(), - recv); - - if (retCode != SECURITY_SERVER_API_SUCCESS) - return retCode; - - Deserialization::Deserialize(recv, retCode); - - // Return if errors - if (retCode < 0) - return retCode; - - // No errors, return gid - gid_t gid; - Deserialization::Deserialize(recv, gid); - return static_cast(gid); - }); -} - diff --git a/src/server/client/client-password.cpp b/src/server/client/client-password.cpp deleted file mode 100644 index 15b8c36..0000000 --- a/src/server/client/client-password.cpp +++ /dev/null @@ -1,277 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file client-password.cpp - * @author Zbigniew Jasinski (z.jasinski@samsung.com) - * @author Lukasz Kostyra (l.kostyra@partner.samsung.com) - * @version 1.0 - * @brief This file contains implementation of password functions. - */ - -#include - -#include -#include - -#include -#include -#include - -#include - -namespace { - -inline bool isPasswordIncorrect(const char* pwd) -{ - return (pwd == NULL || strlen(pwd) == 0 || strlen(pwd) > SecurityServer::MAX_PASSWORD_LEN); -} - -} // namespace anonymous - -SECURITY_SERVER_API -int security_server_is_pwd_valid(unsigned int *current_attempts, - unsigned int *max_attempts, - unsigned int *valid_secs) -{ - using namespace SecurityServer; - - return try_catch([&] { - if (NULL == current_attempts || NULL == max_attempts || - NULL == valid_secs) { - - LogError("Wrong input param"); - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - } - - MessageBuffer send, recv; - - *current_attempts = 0; - *max_attempts = 0; - *valid_secs = 0; - - Serialization::Serialize(send, static_cast(PasswordHdrs::HDR_IS_PWD_VALID)); - - int retCode = sendToServer(SERVICE_SOCKET_PASSWD_CHECK, send.Pop(), recv); - if (SECURITY_SERVER_API_SUCCESS != retCode) { - LogDebug("Error in sendToServer. Error code: " << retCode); - return retCode; - } - - Deserialization::Deserialize(recv, retCode); - - if(retCode == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST) { - Deserialization::Deserialize(recv, *current_attempts); - Deserialization::Deserialize(recv, *max_attempts); - Deserialization::Deserialize(recv, *valid_secs); - } - - return retCode; - }); -} - -SECURITY_SERVER_API -int security_server_chk_pwd(const char *challenge, - unsigned int *current_attempts, - unsigned int *max_attempts, - unsigned int *valid_secs) -{ - using namespace SecurityServer; - - return try_catch([&] { - if (current_attempts == NULL || max_attempts == NULL || valid_secs == NULL || - isPasswordIncorrect(challenge)) { - LogError("Wrong input param"); - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - } - - MessageBuffer send, recv; - - *current_attempts = 0; - *max_attempts = 0; - *valid_secs = 0; - - Serialization::Serialize(send, static_cast(PasswordHdrs::HDR_CHK_PWD)); - Serialization::Serialize(send, std::string(challenge)); - - int retCode = sendToServer(SERVICE_SOCKET_PASSWD_CHECK, send.Pop(), recv); - if (SECURITY_SERVER_API_SUCCESS != retCode) { - LogDebug("Error in sendToServer. Error code: " << retCode); - return retCode; - } - - Deserialization::Deserialize(recv, retCode); - - switch (retCode) { - case SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH: - case SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED: - case SECURITY_SERVER_API_ERROR_PASSWORD_EXPIRED: - case SECURITY_SERVER_API_SUCCESS: - Deserialization::Deserialize(recv, *current_attempts); - Deserialization::Deserialize(recv, *max_attempts); - Deserialization::Deserialize(recv, *valid_secs); - break; - default: - break; - } - - return retCode; - }); -} - -SECURITY_SERVER_API -int security_server_set_pwd(const char *cur_pwd, - const char *new_pwd, - const unsigned int max_challenge, - const unsigned int valid_period_in_days) -{ - using namespace SecurityServer; - - return try_catch([&] { - if (NULL == cur_pwd) - cur_pwd = ""; - - if (isPasswordIncorrect(new_pwd) || strlen(cur_pwd) > MAX_PASSWORD_LEN) { - LogError("Wrong input param."); - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - } - - MessageBuffer send, recv; - - Serialization::Serialize(send, static_cast(PasswordHdrs::HDR_SET_PWD)); - Serialization::Serialize(send, std::string(cur_pwd)); - Serialization::Serialize(send, std::string(new_pwd)); - Serialization::Serialize(send, max_challenge); - Serialization::Serialize(send, valid_period_in_days); - - int retCode = sendToServer(SERVICE_SOCKET_PASSWD_SET, send.Pop(), recv); - if (SECURITY_SERVER_API_SUCCESS != retCode) { - LogError("Error in sendToServer. Error code: " << retCode); - return retCode; - } - - Deserialization::Deserialize(recv, retCode); - - return retCode; - }); -} - -SECURITY_SERVER_API -int security_server_set_pwd_validity(const unsigned int valid_period_in_days) -{ - using namespace SecurityServer; - - return try_catch([&] { - MessageBuffer send, recv; - - Serialization::Serialize(send, static_cast(PasswordHdrs::HDR_SET_PWD_VALIDITY)); - Serialization::Serialize(send, valid_period_in_days); - - int retCode = sendToServer(SERVICE_SOCKET_PASSWD_SET, send.Pop(), recv); - if (SECURITY_SERVER_API_SUCCESS != retCode) { - LogError("Error in sendToServer. Error code: " << retCode); - return retCode; - } - - Deserialization::Deserialize(recv, retCode); - - return retCode; - }); -} - -SECURITY_SERVER_API -int security_server_set_pwd_max_challenge(const unsigned int max_challenge) -{ - using namespace SecurityServer; - - return try_catch([&] { - MessageBuffer send, recv; - - Serialization::Serialize(send, static_cast(PasswordHdrs::HDR_SET_PWD_MAX_CHALLENGE)); - Serialization::Serialize(send, max_challenge); - - int retCode = sendToServer(SERVICE_SOCKET_PASSWD_SET, send.Pop(), recv); - if (SECURITY_SERVER_API_SUCCESS != retCode) { - LogError("Error in sendToServer. Error code: " << retCode); - return retCode; - } - - Deserialization::Deserialize(recv, retCode); - - return retCode; - }); -} - -SECURITY_SERVER_API -int security_server_reset_pwd(const char *new_pwd, - const unsigned int max_challenge, - const unsigned int valid_period_in_days) -{ - using namespace SecurityServer; - - return try_catch([&] { - if (isPasswordIncorrect(new_pwd)) { - LogError("Wrong input param."); - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - } - - MessageBuffer send, recv; - - Serialization::Serialize(send, static_cast(PasswordHdrs::HDR_RST_PWD)); - Serialization::Serialize(send, std::string(new_pwd)); - Serialization::Serialize(send, max_challenge); - Serialization::Serialize(send, valid_period_in_days); - - int retCode = sendToServer(SERVICE_SOCKET_PASSWD_RESET, send.Pop(), recv); - if (SECURITY_SERVER_API_SUCCESS != retCode) { - LogError("Error in sendToServer. Error code: " << retCode); - return retCode; - } - - Deserialization::Deserialize(recv, retCode); - - return retCode; - }); -} - -SECURITY_SERVER_API -int security_server_set_pwd_history(int history_size) -{ - using namespace SecurityServer; - - return try_catch([&] { - if (history_size > static_cast(MAX_PASSWORD_HISTORY) || history_size < 0) { - LogError("Wrong input param."); - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - } - - MessageBuffer send, recv; - - Serialization::Serialize(send, static_cast(PasswordHdrs::HDR_SET_PWD_HISTORY)); - Serialization::Serialize(send, static_cast(history_size)); - - int retCode = sendToServer(SERVICE_SOCKET_PASSWD_SET, send.Pop(), recv); - if (SECURITY_SERVER_API_SUCCESS != retCode) { - LogError("Error in sendToServer. Error code: " << retCode); - return retCode; - } - - Deserialization::Deserialize(recv, retCode); - - return retCode; - }); -} diff --git a/src/server/client/client-privilege-by-pid.cpp b/src/server/client/client-privilege-by-pid.cpp deleted file mode 100644 index 92ac0dc..0000000 --- a/src/server/client/client-privilege-by-pid.cpp +++ /dev/null @@ -1,86 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file client-check-privilege-by-pid.cpp - * @author Jan Cybulski (j.cybulski@samsung.com) - * @version 1.0 - * @brief This file constains implementation of security-server API for - * checking privilege by process id. - */ - -#include - -#include -#include - -#include -#include -#include -#include -#include - -#include - -SECURITY_SERVER_API -int security_server_check_privilege_by_pid( - int pid SECURITY_SERVER_UNUSED, - const char *object SECURITY_SERVER_UNUSED, - const char *access_rights SECURITY_SERVER_UNUSED) -{ -#if 0 - using namespace SecurityServer; - return try_catch([&] { - if (1 != smack_check()) - return SECURITY_SERVER_API_SUCCESS; - - // Checking whether a process with pid exists - if ((pid < 0) || ((kill(pid, 0) == -1) && (errno == ESRCH))) { - LogDebug("pid is invalid, process: " << pid << " does not exist"); - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - } - - if (NULL == object || 0 == strlen(object)) { - LogDebug("object param is NULL or empty"); - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - } - - if (NULL == access_rights || 0 == strlen(access_rights)) { - LogDebug("access_right param is NULL or empty"); - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - } - - MessageBuffer send, recv; - Serialization::Serialize(send, pid); - Serialization::Serialize(send, std::string(object)); - Serialization::Serialize(send, std::string(access_rights)); - - int result = sendToServer( - SERVICE_SOCKET_PRIVILEGE_BY_PID, - send.Pop(), - recv); - - if (result != SECURITY_SERVER_API_SUCCESS) - return result; - - Deserialization::Deserialize(recv, result); - return result; - }); -#endif - return SECURITY_SERVER_API_SUCCESS; -} - diff --git a/src/server/client/client-shared-memory.cpp b/src/server/client/client-shared-memory.cpp deleted file mode 100644 index f48dd69..0000000 --- a/src/server/client/client-shared-memory.cpp +++ /dev/null @@ -1,66 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file client-shared-memory.cpp - * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) - * @version 1.0 - * @brief This file constains implementation of shared memory api. - */ - -#include - -#include -#include - -#include -#include -#include -#include - -#include - -SECURITY_SERVER_API -int security_server_app_give_access(const char *customer_label, int customer_pid) { - using namespace SecurityServer; - return try_catch([&] { - if (1 != smack_check()) - return SECURITY_SERVER_API_SUCCESS; - - if (NULL == customer_label || 0 == strlen(customer_label)) - { - LogDebug("customer_label is NULL or empty"); - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - } - - MessageBuffer send, recv; - Serialization::Serialize(send, std::string(customer_label)); - Serialization::Serialize(send, customer_pid); - - int result = sendToServer( - SERVICE_SOCKET_SHARED_MEMORY, - send.Pop(), - recv); - - if (result != SECURITY_SERVER_API_SUCCESS) - return result; - - Deserialization::Deserialize(recv, result); - return result; - }); -} - diff --git a/src/server/client/client-socket-privilege.cpp b/src/server/client/client-socket-privilege.cpp deleted file mode 100644 index b015785..0000000 --- a/src/server/client/client-socket-privilege.cpp +++ /dev/null @@ -1,111 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file client-socket-privilege.cpp - * @author Zofia Abramowska (z.abramowska@samsung.com) - * @version 1.0 - * @brief This file constains implementation of socket privilege api. - */ -#include - -#include -#include - -#include -#include - -#include -#include -#include -#include - -#include - -SECURITY_SERVER_API -int security_server_check_privilege_by_sockfd( - int sockfd SECURITY_SERVER_UNUSED, - const char *object SECURITY_SERVER_UNUSED, - const char *access_rights SECURITY_SERVER_UNUSED) -{ -#if 0 - char *subject = NULL; - int ret; - std::string path; - std::unique_ptr subjectPtr(NULL, std::free); - - //for get socket options - struct ucred cr; - socklen_t len = sizeof(struct ucred); - - //SMACK runtime check - if (!SecurityServer::smack_runtime_check()) - { - LogDebug("No SMACK support on device"); - return SECURITY_SERVER_API_SUCCESS; - } - - if (sockfd < 0 || !object || !access_rights) - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - - ret = smack_new_label_from_socket(sockfd, &subject); - if (ret >= 0) { - subjectPtr.reset(subject); - subject = NULL; - } else { - LogError("Failed to get new label from socket. Object=" - << object << ", access=" << access_rights - << ", error=" << strerror(errno)); - return SECURITY_SERVER_API_ERROR_SOCKET; - } - - ret = getsockopt(sockfd, SOL_SOCKET, SO_PEERCRED, &cr, &len); - if (ret < 0) { - LogError("Error in getsockopt(). Errno: " - << strerror(errno) << ", subject=" - << (subjectPtr.get() ? subjectPtr.get() : "NULL") - << ", object=" << object << ", access=" << access_rights - << ", error=" << strerror(errno)); - return SECURITY_SERVER_API_ERROR_SOCKET; - } - - return security_server_check_privilege_by_pid(cr.pid, object, access_rights); -#endif - return SECURITY_SERVER_API_SUCCESS; -} - -SECURITY_SERVER_API -char *security_server_get_smacklabel_sockfd(int fd) -{ - char *label = NULL; - - if (!SecurityServer::smack_check()) - { - LogDebug("No SMACK support on device"); - label = (char*) malloc(1); - if (label) label[0] = '\0'; - return label; - } - - if (smack_new_label_from_socket(fd, &label) < 0) - { - LogError("Client ERROR: Unable to get socket SMACK label"); - return NULL; - } - - return label; -} diff --git a/src/server/common/protocols.cpp b/src/server/common/protocols.cpp index 1405e5f..7bc9564 100644 --- a/src/server/common/protocols.cpp +++ b/src/server/common/protocols.cpp @@ -29,40 +29,10 @@ namespace SecurityServer { #define SOCKET_PATH_PREFIX "/run/" -#define SOCKET_PATH_PREFIX_SECURITY_SERVER SOCKET_PATH_PREFIX "security-server/" #define SOCKET_PATH_PREFIX_SECURITY_MANAGER SOCKET_PATH_PREFIX "security-manager/" -char const * const SERVICE_SOCKET_SHARED_MEMORY = - SOCKET_PATH_PREFIX_SECURITY_SERVER "security-server-api-data-share.socket"; -char const * const SERVICE_SOCKET_GET_GID = - SOCKET_PATH_PREFIX_SECURITY_SERVER "security-server-api-get-gid.socket"; -char const * const SERVICE_SOCKET_PRIVILEGE_BY_PID = - SOCKET_PATH_PREFIX_SECURITY_SERVER "security-server-api-privilege-by-pid.socket"; -char const * const SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME = - SOCKET_PATH_PREFIX_SECURITY_SERVER "security-server-api-app-privilege-by-name.socket"; -char const * const SERVICE_SOCKET_COOKIE_GET = - SOCKET_PATH_PREFIX_SECURITY_SERVER "security-server-api-cookie-get.socket"; -char const * const SERVICE_SOCKET_COOKIE_CHECK = - SOCKET_PATH_PREFIX_SECURITY_SERVER "security-server-api-cookie-check.socket"; -char const * const SERVICE_SOCKET_PASSWD_CHECK = - SOCKET_PATH_PREFIX_SECURITY_SERVER "security-server-api-password-check.socket"; -char const * const SERVICE_SOCKET_PASSWD_SET = - SOCKET_PATH_PREFIX_SECURITY_SERVER "security-server-api-password-set.socket"; -char const * const SERVICE_SOCKET_PASSWD_RESET = - SOCKET_PATH_PREFIX_SECURITY_SERVER "security-server-api-password-reset.socket"; - char const * const SERVICE_SOCKET_INSTALLER = SOCKET_PATH_PREFIX_SECURITY_MANAGER "security-manager-installer.socket"; -const size_t COOKIE_SIZE = 20; - -const size_t MAX_PASSWORD_LEN = 32; -const unsigned int MAX_PASSWORD_HISTORY = 50; -const unsigned int PASSWORD_INFINITE_EXPIRATION_DAYS = 0; -const unsigned int PASSWORD_INFINITE_ATTEMPT_COUNT = 0; -const unsigned int PASSWORD_API_NO_EXPIRATION = 0xFFFFFFFF; - -const int SECURITY_SERVER_MAX_OBJ_NAME = 30; - } // namespace SecurityServer diff --git a/src/server/common/protocols.h b/src/server/common/protocols.h index 9d364e3..7775ccd 100644 --- a/src/server/common/protocols.h +++ b/src/server/common/protocols.h @@ -25,10 +25,7 @@ #ifndef _SECURITY_SERVER_PROTOCOLS_ #define _SECURITY_SERVER_PROTOCOLS_ -#include -#include #include -#include #include struct app_inst_req { @@ -41,62 +38,14 @@ struct app_inst_req { namespace SecurityServer { -extern char const * const SERVICE_SOCKET_SHARED_MEMORY; -extern char const * const SERVICE_SOCKET_GET_GID; -extern char const * const SERVICE_SOCKET_PRIVILEGE_BY_PID; -extern char const * const SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME; -extern char const * const SERVICE_SOCKET_COOKIE_GET; -extern char const * const SERVICE_SOCKET_COOKIE_CHECK; -extern char const * const SERVICE_SOCKET_PASSWD_CHECK; -extern char const * const SERVICE_SOCKET_PASSWD_SET; -extern char const * const SERVICE_SOCKET_PASSWD_RESET; extern char const * const SERVICE_SOCKET_INSTALLER; -enum class AppPermissionsAction { ENABLE, DISABLE }; - -enum class CookieCall -{ - GET_COOKIE, - CHECK_PID, - CHECK_SMACKLABEL, - CHECK_PRIVILEGE_GID, - CHECK_PRIVILEGE, - CHECK_GID, - CHECK_UID -}; - -enum class PrivilegeCheckHdrs -{ - CHECK_GIVEN_APP, - CHECK_CALLER_APP -}; -extern const size_t COOKIE_SIZE; - -enum class PasswordHdrs -{ - HDR_IS_PWD_VALID, - HDR_CHK_PWD, - HDR_SET_PWD, - HDR_SET_PWD_VALIDITY, - HDR_SET_PWD_MAX_CHALLENGE, - HDR_RST_PWD, - HDR_SET_PWD_HISTORY -}; - enum class SecurityModuleCall { APP_INSTALL, APP_UNINSTALL }; -extern const size_t MAX_PASSWORD_LEN; -extern const unsigned int MAX_PASSWORD_HISTORY; -extern const unsigned int PASSWORD_INFINITE_EXPIRATION_DAYS; -extern const unsigned int PASSWORD_INFINITE_ATTEMPT_COUNT; -extern const unsigned int PASSWORD_API_NO_EXPIRATION; - -extern const int SECURITY_SERVER_MAX_OBJ_NAME; - } // namespace SecuritySever #endif // _SECURITY_SERVER_PROTOCOLS_ diff --git a/src/server/main/server2-main.cpp b/src/server/main/server2-main.cpp index 60e6f8c..42f72e7 100644 --- a/src/server/main/server2-main.cpp +++ b/src/server/main/server2-main.cpp @@ -31,12 +31,6 @@ #include -#include -#include -#include -#include -#include -#include #include IMPLEMENT_SAFE_SINGLETON(SecurityServer::Log::LogSystem); @@ -94,12 +88,6 @@ int main(void) { LogInfo("Start!"); SecurityServer::SocketManager manager; - REGISTER_SOCKET_SERVICE(manager, SecurityServer::CookieService); - REGISTER_SOCKET_SERVICE(manager, SecurityServer::SharedMemoryService); - REGISTER_SOCKET_SERVICE(manager, SecurityServer::GetGidService); - REGISTER_SOCKET_SERVICE(manager, SecurityServer::PrivilegeByPidService); - REGISTER_SOCKET_SERVICE(manager, SecurityServer::AppPermissionsService); - REGISTER_SOCKET_SERVICE(manager, SecurityServer::PasswordService); REGISTER_SOCKET_SERVICE(manager, SecurityServer::InstallerService); manager.MainLoop(); diff --git a/src/server/service/app-permissions.cpp b/src/server/service/app-permissions.cpp deleted file mode 100644 index 24e8c31..0000000 --- a/src/server/service/app-permissions.cpp +++ /dev/null @@ -1,176 +0,0 @@ -/* - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bartlomiej Grzelewski - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file app-permissions.cpp - * @author Pawel Polawski (pawel.polawski@partner.samsung.com) - * @version 1.0 - * @brief This file contains implementation of security_server_app_has_permission - * on server side - */ - -#include -#include -#include -#include - -#include -#include -#include - -#include -#include -#include -#include - -namespace { - -int privilegeToSecurityServerError(int error) { - switch (error) { - case PC_OPERATION_SUCCESS: return SECURITY_SERVER_API_SUCCESS; - case PC_ERR_FILE_OPERATION: return SECURITY_SERVER_API_ERROR_UNKNOWN; - case PC_ERR_MEM_OPERATION: return SECURITY_SERVER_API_ERROR_OUT_OF_MEMORY; - case PC_ERR_NOT_PERMITTED: return SECURITY_SERVER_API_ERROR_ACCESS_DENIED; - case PC_ERR_INVALID_PARAM: return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - case PC_ERR_INVALID_OPERATION: - case PC_ERR_DB_OPERATION: - default: - ; - } - return SECURITY_SERVER_API_ERROR_UNKNOWN; -} - -// interface ids -const SecurityServer::InterfaceID CHECK_APP_PRIVILEGE = 1; - -} // namespace anonymous - -namespace SecurityServer { - -GenericSocketService::ServiceDescriptionVector AppPermissionsService::GetServiceDescription() { - return ServiceDescriptionVector { - { SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME, - "security-server::api-app-privilege-by-name", - CHECK_APP_PRIVILEGE } - }; -} - -void AppPermissionsService::accept(const AcceptEvent &event) { - LogDebug("Accept event. ConnectionID.sock: " << event.connectionID.sock - << " ConnectionID.counter: " << event.connectionID.counter - << " ServiceID: " << event.interfaceID); - auto &info = m_connectionInfoMap[event.connectionID.counter]; - info.interfaceID = event.interfaceID; -} - -void AppPermissionsService::write(const WriteEvent &event) { - LogDebug("WriteEvent. ConnectionID: " << event.connectionID.sock << - " Size: " << event.size << " Left: " << event.left); - if (event.left == 0) - m_serviceManager->Close(event.connectionID); -} - -void AppPermissionsService::process(const ReadEvent &event) { - LogDebug("Read event for counter: " << event.connectionID.counter); - auto &info = m_connectionInfoMap[event.connectionID.counter]; - info.buffer.Push(event.rawBuffer); - - // We can get several requests in one package. - // Extract and process them all - while(processOne(event.connectionID, info.buffer, info.interfaceID)); -} - -void AppPermissionsService::close(const CloseEvent &event) { - LogDebug("CloseEvent. ConnectionID: " << event.connectionID.sock); - m_connectionInfoMap.erase(event.connectionID.counter); -} - -bool AppPermissionsService::processOne(const ConnectionID &conn, - MessageBuffer &buffer, - InterfaceID interfaceID) -{ - LogDebug("Begin of an iteration"); - - //waiting for all data - if (!buffer.Ready()) { - return false; - } - - LogDebug("Entering app_permissions server side handler"); - - switch(interfaceID) { - - case CHECK_APP_PRIVILEGE: - return processCheckAppPrivilege(conn, buffer); - - default: - LogDebug("Unknown interfaceId. Closing socket."); - m_serviceManager->Close(conn); - return false; - } -} - -bool AppPermissionsService::processCheckAppPrivilege(const ConnectionID &conn, MessageBuffer &buffer) -{ - MessageBuffer send; - std::string privilege_name; - std::string app_label; - int result = SECURITY_SERVER_API_ERROR_SERVER_ERROR; - app_type_t app_type; - bool has_permission = false; - PrivilegeCheckHdrs checkType = PrivilegeCheckHdrs::CHECK_GIVEN_APP; - - LogDebug("Processing app privilege check request"); - - //receive data from buffer - Try { - int temp; - Deserialization::Deserialize(buffer, temp); // call type - checkType = static_cast(temp); - LogDebug("App privilege check call type: " - << (checkType == PrivilegeCheckHdrs::CHECK_GIVEN_APP ? - "CHECK_GIVEN_APP":"CHECK_CALLER_APP")); - if (checkType == PrivilegeCheckHdrs::CHECK_GIVEN_APP) { //app_label present only in this case - Deserialization::Deserialize(buffer, app_label); //get app_label - } - Deserialization::Deserialize(buffer, temp); //get app type - app_type = static_cast(temp); - - Deserialization::Deserialize(buffer, privilege_name); //get privilege name - } Catch (MessageBuffer::Exception::Base) { - LogDebug("Broken protocol. Closing socket."); - m_serviceManager->Close(conn); - return false; - } - - //print received data - LogDebug("app_label: " << app_label); - LogDebug("app_type: " << static_cast(app_type)); - LogDebug("privilege_name: " << privilege_name); - - LogDebug("Calling perm_app_has_permission()"); - result = perm_app_has_permission(app_label.c_str(), app_type, privilege_name.c_str(), &has_permission); - LogDebug("perm_app_has_permission() returned: " << result << " , permission enabled: " << has_permission); - - //send response - Serialization::Serialize(send, privilegeToSecurityServerError(result)); - Serialization::Serialize(send, static_cast(has_permission)); - m_serviceManager->Write(conn, send.Pop()); - return true; -} - -} // namespace SecurityServer diff --git a/src/server/service/app-permissions.h b/src/server/service/app-permissions.h deleted file mode 100644 index ccf5780..0000000 --- a/src/server/service/app-permissions.h +++ /dev/null @@ -1,64 +0,0 @@ -/* - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bartlomiej Grzelewski - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file app-permissions.h - * @author Pawel Polawski (p.polawski@partner.samsung.com) - * @version 1.0 - * @brief This function contains header for implementation of - * security_server_app_has_permissions on server side - */ - -#ifndef _SECURITY_SERVER_APP_PERMISSIONS_ -#define _SECURITY_SERVER_APP_PERMISSIONS_ - -#include -#include -#include -#include -#include - -namespace SecurityServer { - -class AppPermissionsService : - public SecurityServer::GenericSocketService - , public SecurityServer::ServiceThread -{ -public: - ServiceDescriptionVector GetServiceDescription(); - - DECLARE_THREAD_EVENT(AcceptEvent, accept) - DECLARE_THREAD_EVENT(WriteEvent, write) - DECLARE_THREAD_EVENT(ReadEvent, process) - DECLARE_THREAD_EVENT(CloseEvent, close) - - void accept(const AcceptEvent &event); - void write(const WriteEvent &event); - void process(const ReadEvent &event); - void close(const CloseEvent &event); - -private: - bool processOne(const ConnectionID &conn, MessageBuffer &buffer, InterfaceID interfaceID); - - bool processCheckAppPrivilege(const ConnectionID &conn, MessageBuffer &buffer); - - ConnectionInfoMap m_connectionInfoMap; -}; - -} // namespace SecurityServer - -#endif // _SECURITY_SERVER_APP_ENABLE_PERMISSIONS_ diff --git a/src/server/service/cookie-common.cpp b/src/server/service/cookie-common.cpp deleted file mode 100644 index 8f56b1d..0000000 --- a/src/server/service/cookie-common.cpp +++ /dev/null @@ -1,24 +0,0 @@ -#include -#include -#include -#include - -namespace SecurityServer { - -int getPidPath(char *path, unsigned int pathSize, int pid) -{ - int retval; - char link[pathSize]; - - snprintf(link, pathSize, "/proc/%d/exe", pid); - retval = readlink(link, path, pathSize-1); - if (retval < 0) { - LogDebug("Unable to get process path"); - return -1; - } - path[retval] = '\0'; - - return 0; -} - -} // namespace SecurityServer diff --git a/src/server/service/cookie-common.h b/src/server/service/cookie-common.h deleted file mode 100644 index fd4ae64..0000000 --- a/src/server/service/cookie-common.h +++ /dev/null @@ -1,33 +0,0 @@ -/* - * security-server - * - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ - -#ifndef _COOKIE_COMMON_H_ -#define _COOKIE_COMMON_H_ - -namespace SecurityServer { - -/* - * Simple function for translating PID to process path - */ -int getPidPath(char *path, unsigned int pathSize, int pid); - -} // namespace SecurityServer - -#endif // _COOKIE_COMMON_H_ diff --git a/src/server/service/cookie-jar.cpp b/src/server/service/cookie-jar.cpp deleted file mode 100644 index 757f9be..0000000 --- a/src/server/service/cookie-jar.cpp +++ /dev/null @@ -1,251 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file cookie-jar.cpp - * @author Pawel Polawski (p.polawski@partner.samsung.com) - * @version 1.0 - * @brief This function contain implementation of CookieJar class which holds cookies structures - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -namespace SecurityServer { - -CookieJar::CookieJar(void) - : m_position(0) -{ - LogDebug("Created CookieJar for handling cookies"); -} - -CookieJar::~CookieJar(void) -{ - LogDebug("Deleted CookieJar"); -} - -const Cookie * CookieJar::GenerateCookie(int pid) -{ - char key[COOKIE_SIZE]; - int retval; - - LogDebug("Cookie creation called"); - - //create empty cookie class - Cookie newCookie; - newCookie.pid = pid; - - //check if there is no cookie for specified PID - const Cookie *searchResult = SearchCookie(newCookie, CompareType::PID); - if (searchResult != NULL) { - LogDebug("Cookie exist for specified PID"); - return searchResult; - } - - searchResult = &newCookie; //only for searchResult != NULL during while loop init - while(searchResult != NULL) { - //generate unique key - std::ifstream urandom("/dev/urandom", std::ifstream::binary); - urandom.read(key, COOKIE_SIZE); - newCookie.cookieId.assign(key, key + COOKIE_SIZE); - - //check if key is unique - searchResult = SearchCookie(newCookie, CompareType::COOKIE_ID); - if (searchResult != NULL) - LogDebug("Key is not unique"); - } - - //obtain process path - char path[PATH_MAX]; - retval = getPidPath(path, PATH_MAX, pid); - if (retval < 0) { - LogDebug("Unable to get process path"); - return NULL; - } - newCookie.binaryPath = path; - - //get smack label if smack enabled - if (smack_check()) { - char label[SMACK_LABEL_LEN + 1]; - if (-1 == get_smack_label_from_process(pid, label)) { - LogDebug("Unable to get smack label of process"); - return NULL; - } - newCookie.smackLabel = label; - } else - newCookie.smackLabel = ""; - - - //get GID list - const int NAME_SIZE = 64; - char filename[NAME_SIZE]; - - snprintf(filename, NAME_SIZE, "/proc/%d/status", pid); - std::ifstream status(filename, std::ifstream::binary); - std::string line; - - while (std::getline(status, line)) { //read line from file - const char *tmp = line.c_str(); - if (strncmp(line.c_str(), "Uid:", 4) == 0) - newCookie.uid = atoi(&tmp[5]); - else if (strncmp(line.c_str(), "Gid:", 4) == 0) - newCookie.gid = atoi(&tmp[5]); - else if (strncmp(line.c_str(), "Groups:", 7) == 0) { - char delim[] = ": "; //separators for strtok: ' ' and ':' - char *token = strtok(const_cast(tmp), delim); //1st string is "Group:" - while ((token = strtok(NULL, delim))) { - int gid = atoi(token); - newCookie.permissions.push_back(gid); - } - } - } - - //DEBUG ONLY - //print info about cookie - LogDebug("Cookie created"); - LogDebug("PID: " << newCookie.pid); - LogDebug("UID: " << newCookie.uid); - LogDebug("GID: " << newCookie.gid); - LogDebug("PATH: " << newCookie.binaryPath); - LogDebug("LABEL: " << newCookie.smackLabel); - for (size_t k = 0; k < newCookie.permissions.size(); k++) - LogDebug("GID: " << newCookie.permissions[k]); - - //only when cookie ready store it - m_cookieList.push_back(newCookie); - return &m_cookieList[m_cookieList.size() - 1]; -} - -void CookieJar::DeleteCookie(const Cookie &pattern, CompareType criterion) -{ - if (m_cookieList.size() == 0) { - LogDebug("Cookie list empty"); - return; - } - - //for each cookie in list - for (size_t i = 0; i < m_cookieList.size();) { - if (CompareCookies(pattern, m_cookieList[i], criterion)) { - LogDebug("Deleting cookie"); - if (i != m_cookieList.size() - 1) - m_cookieList[i] = *m_cookieList.rbegin(); - m_cookieList.pop_back(); - } else - ++i; - } -} - -const Cookie * CookieJar::SearchCookie(const Cookie &pattern, CompareType criterion) const -{ - LogDebug("Searching for cookie"); - - if (m_cookieList.size() == 0) { - LogDebug("Cookie list empty"); - return NULL; - } - - //for each cookie in list - for (size_t i = 0; i < m_cookieList.size(); i++) { - if (CompareCookies(pattern, m_cookieList[i], criterion)) { - LogDebug("Cookie found"); - return &(m_cookieList[i]); - } - } - - LogDebug("Cookie not found"); - return NULL; -} - -bool CookieJar::CompareCookies(const Cookie &c1, const Cookie &c2, CompareType criterion) const -{ - size_t permSize1 = c1.permissions.size(); - size_t permSize2 = c2.permissions.size(); - - switch(criterion) { - case CompareType::COOKIE_ID: - return (c1.cookieId == c2.cookieId); - - case CompareType::PID: - return (c1.pid == c2.pid); - - case CompareType::PATH: - return (c1.binaryPath == c2.binaryPath); - - case CompareType::SMACKLABEL: - return (c1.smackLabel == c2.smackLabel); - - case CompareType::PERMISSIONS: - //we search for at least one the same GID - for(size_t i = 0; i < permSize1; i++) - for (size_t k = 0; k < permSize2; k++) - if (c1.permissions[i] == c2.permissions[k]) - return true; - return false; - - case CompareType::UID: - return (c1.uid == c2.uid); - - case CompareType::GID: - return (c1.gid == c2.gid); - - default: - LogDebug("Wrong function parameters"); - return false; - }; -} - -void CookieJar::GarbageCollector(size_t howMany) -{ - if ((howMany == 0) || (howMany > m_cookieList.size())) { - howMany = m_cookieList.size(); - } - - for (size_t i = 0; i < howMany; ++i) { - - if (m_position >= m_cookieList.size()) { - m_position = 0; - } - - if (kill(m_cookieList[m_position].pid, 0) && (errno == ESRCH)) { - LogDebug("Cookie deleted " << " PID:" << m_cookieList[m_position].pid); - if (m_position != (m_cookieList.size()-1)) - m_cookieList[m_position] = *m_cookieList.rbegin(); - m_cookieList.pop_back(); - } else { - ++m_position; - } - } -} - -} // namespace SecurityServer diff --git a/src/server/service/cookie-jar.h b/src/server/service/cookie-jar.h deleted file mode 100644 index 1f81c7a..0000000 --- a/src/server/service/cookie-jar.h +++ /dev/null @@ -1,85 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file cookie-jar.h - * @author Pawel Polawski (p.polawski@partner.samsung.com) - * @version 1.0 - * @brief This function contain header of CookieJar class which holds cookies structures - */ - -#ifndef _SECURITY_SERVER_COOKIE_JAR_ -#define _SECURITY_SERVER_COOKIE_JAR_ - -#include - -#include -#include -#include -#include - - -namespace SecurityServer { - -enum class CompareType -{ - COOKIE_ID, - PID, - PATH, - SMACKLABEL, - PERMISSIONS, - UID, - GID -}; - - -struct Cookie -{ - std::vector cookieId; //ID key - pid_t pid; //owner PID - uid_t uid; //owner UID - gid_t gid; //owner GID - std::string binaryPath; //path to owner binary - std::string smackLabel; //owner SMACK label - std::vector permissions; //owner GIDs -}; - - -class CookieJar -{ -public: - CookieJar(void); - virtual ~CookieJar(void); - - const Cookie * GenerateCookie(int pid); - void DeleteCookie(const Cookie &pattern, CompareType criterion); - - const Cookie * SearchCookie(const Cookie &pattern, CompareType criterion) const; - bool CompareCookies(const Cookie &c1, const Cookie &c2, CompareType criterion) const; - - // howMany - number of cookies that will be checked. - // Set howMay to 0 to check all cookies. - void GarbageCollector(size_t howMany); - -private: - size_t m_position; - std::vector m_cookieList; -}; - - -} // namespace SecurityServer -#endif // _SECURITY_SERVER_COOKIE_JAR_ diff --git a/src/server/service/cookie.cpp b/src/server/service/cookie.cpp deleted file mode 100644 index 6a45273..0000000 --- a/src/server/service/cookie.cpp +++ /dev/null @@ -1,395 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file cookie.cpp - * @author Pawel Polawski (p.polawski@partner.samsung.com) - * @version 1.0 - * @brief This function contain implementation of CookieService - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -//interfaces ID -const int INTERFACE_GET = 0; -const int INTERFACE_CHECK = 1; - -namespace SecurityServer { - -GenericSocketService::ServiceDescriptionVector CookieService::GetServiceDescription() { - return ServiceDescriptionVector { - {SERVICE_SOCKET_COOKIE_GET, "*", INTERFACE_GET }, - {SERVICE_SOCKET_COOKIE_CHECK, "security-server::api-cookie-check", INTERFACE_CHECK} - }; - } - -void CookieService::accept(const AcceptEvent &event) { - LogDebug("Accept event. ConnectionID.sock: " << event.connectionID.sock - << " ConnectionID.counter: " << event.connectionID.counter - << " ServiceID: " << event.interfaceID); - auto &info = m_connectionInfoMap[event.connectionID.counter]; - info.interfaceID = event.interfaceID; -} - -void CookieService::write(const WriteEvent &event) { - LogDebug("WriteEvent. ConnectionID: " << event.connectionID.sock << - " Size: " << event.size << " Left: " << event.left); - if (event.left == 0) - m_serviceManager->Close(event.connectionID); -} - -void CookieService::process(const ReadEvent &event) { - LogDebug("Read event for counter: " << event.connectionID.counter); - auto &info = m_connectionInfoMap[event.connectionID.counter]; - info.buffer.Push(event.rawBuffer); - - // We can get several requests in one package. - // Extract and process them all - while(processOne(event.connectionID, info.buffer, info.interfaceID)); -} - -void CookieService::close(const CloseEvent &event) { - LogDebug("CloseEvent. ConnectionID: " << event.connectionID.sock); - m_connectionInfoMap.erase(event.connectionID.counter); -} - -bool CookieService::processOne(const ConnectionID &conn, MessageBuffer &buffer, InterfaceID interfaceID) -{ - LogDebug("Iteration begin"); - MessageBuffer send, recv; - CookieCall msgType; - bool removeGarbage = false; - - //waiting for all data - if (!buffer.Ready()) { - return false; - } - - //receive data from buffer and check MSG_ID - Try { - int msgTypeInt; - Deserialization::Deserialize(buffer, msgTypeInt); //receive MSG_ID - msgType = static_cast(msgTypeInt); - } Catch (MessageBuffer::Exception::Base) { - LogDebug("Broken protocol. Closing socket."); - m_serviceManager->Close(conn); - return false; - } - - bool retval = false; - - //use received data - if (interfaceID == INTERFACE_GET) { - switch(msgType) { - case CookieCall::GET_COOKIE: - LogDebug("Entering get-cookie server side handler"); - retval = cookieRequest(send, conn.sock); - removeGarbage = true; - break; - - default: - LogDebug("Error, unknown function called by client"); - retval = false; - break; - }; - } else if (interfaceID == INTERFACE_CHECK) { - switch(msgType) { - case CookieCall::CHECK_PID: - LogDebug("Entering pid-by-cookie server side handler"); - retval = pidByCookieRequest(buffer, send); - break; - - case CookieCall::CHECK_SMACKLABEL: - LogDebug("Entering smacklabel-by-cookie server side handler"); - retval = smackLabelByCookieRequest(buffer, send); - break; - - case CookieCall::CHECK_PRIVILEGE_GID: - LogDebug("Entering check-privilege-by-cookie-gid server side handler"); - retval = privilegeByCookieGidRequest(buffer, send); - break; - - case CookieCall::CHECK_PRIVILEGE: - LogDebug("Entering check-privilege-by-cookie side handler"); - retval = privilegeByCookieRequest(buffer, send); - break; - - case CookieCall::CHECK_UID: - LogDebug("Entering get-uid-by-cookie side handler"); - retval = uidByCookieRequest(buffer, send); - break; - - case CookieCall::CHECK_GID: - LogDebug("Entering get-gid-by-cookie side handler"); - retval = gidByCookieRequest(buffer, send); - break; - - default: - LogDebug("Error, unknown function called by client"); - retval = false; - break; - }; - } else { - LogDebug("Error, wrong interface"); - retval = false; - } - - if (retval) { - //send response - m_serviceManager->Write(conn, send.Pop()); - } else { - LogDebug("Closing socket because of error"); - m_serviceManager->Close(conn); - } - - // Each time you add one cookie check 2 others. - if (removeGarbage) - m_cookieJar.GarbageCollector(2); - - return retval; -} - -bool CookieService::cookieRequest(MessageBuffer &send, int socket) -{ - struct ucred cr; - unsigned len = sizeof(cr); - - if (0 != getsockopt(socket, SOL_SOCKET, SO_PEERCRED, &cr, &len)) - return false; - - const Cookie *generatedCookie = m_cookieJar.GenerateCookie(cr.pid); - - if (generatedCookie == NULL) { - //unable to create cookie - Serialization::Serialize(send, (int)SECURITY_SERVER_API_ERROR_UNKNOWN); - return true; - } - - //checking if binary path match created / found cookie - char path[PATH_MAX]; - int ret = getPidPath(path, PATH_MAX, cr.pid); - - if (ret < 0) { - LogError("Unable to check process binary path"); - Serialization::Serialize(send, (int)SECURITY_SERVER_API_ERROR_UNKNOWN); - } else { - if (generatedCookie->binaryPath.compare(path)) { - LogDebug("Found cookie but no match in bin path"); - Serialization::Serialize(send, (int)SECURITY_SERVER_API_ERROR_UNKNOWN); - } else { - Serialization::Serialize(send, (int)SECURITY_SERVER_API_SUCCESS); - Serialization::Serialize(send, generatedCookie->cookieId); - } - } - - return true; -} - -bool CookieService::pidByCookieRequest(MessageBuffer &buffer, MessageBuffer &send) -{ - std::vector cookieKey; - - Try { - Deserialization::Deserialize(buffer, cookieKey); - } Catch (MessageBuffer::Exception::Base) { - LogDebug("Broken protocol. Closing socket."); - return false; - } - - Cookie searchPattern; - searchPattern.cookieId = cookieKey; - - const Cookie *searchResult = m_cookieJar.SearchCookie(searchPattern, CompareType::COOKIE_ID); - - if (searchResult != NULL) { - Serialization::Serialize(send, (int)SECURITY_SERVER_API_SUCCESS); - Serialization::Serialize(send, (int)searchResult->pid); - } else { - Serialization::Serialize(send, (int)SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE); - } - - return true; -} - -bool CookieService::smackLabelByCookieRequest(MessageBuffer &buffer, MessageBuffer &send) -{ - std::vector cookieKey; - - Try { - Deserialization::Deserialize(buffer, cookieKey); - } Catch (MessageBuffer::Exception::Base) { - LogDebug("Broken protocol. Closing socket."); - return false; - } - - Cookie searchPattern; - searchPattern.cookieId = cookieKey; - - const Cookie *searchResult = m_cookieJar.SearchCookie(searchPattern, CompareType::COOKIE_ID); - - if (searchResult != NULL) { - Serialization::Serialize(send, (int)SECURITY_SERVER_API_SUCCESS); - Serialization::Serialize(send, searchResult->smackLabel); - } else { - Serialization::Serialize(send, (int)SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE); - } - - return true; -} - -bool CookieService::privilegeByCookieGidRequest(MessageBuffer &buffer, MessageBuffer &send) -{ - std::vector cookieKey; - int gid; - - Try { - Deserialization::Deserialize(buffer, cookieKey); - Deserialization::Deserialize(buffer, gid); - } Catch (MessageBuffer::Exception::Base) { - LogDebug("Broken protocol. Closing socket."); - return false; - } - - Cookie searchPattern; - searchPattern.cookieId = cookieKey; - - const Cookie *searchResult = m_cookieJar.SearchCookie(searchPattern, CompareType::COOKIE_ID); - - if (searchResult != NULL) - //search for specified GID on permissions list - for (size_t i = 0; i < searchResult->permissions.size(); i++) - if (searchResult->permissions[i] == gid) { - Serialization::Serialize(send, (int)SECURITY_SERVER_API_SUCCESS); - return true; - } - - Serialization::Serialize(send, (int)SECURITY_SERVER_API_ERROR_ACCESS_DENIED); - - return true; -} - -bool CookieService::privilegeByCookieRequest(MessageBuffer &buffer, MessageBuffer &send) -{ - std::vector cookieKey; - std::string subject; - std::string object; - std::string access; - - Try { - Deserialization::Deserialize(buffer, cookieKey); - Deserialization::Deserialize(buffer, object); - Deserialization::Deserialize(buffer, access); - } Catch (MessageBuffer::Exception::Base) { - LogDebug("Broken protocol. Closing socket."); - return false; - } - - Cookie searchPattern; - searchPattern.cookieId = cookieKey; - - const Cookie *searchResult = m_cookieJar.SearchCookie(searchPattern, CompareType::COOKIE_ID); - - if (searchResult != NULL) { - if (!smack_check()) { - Serialization::Serialize(send, (int)SECURITY_SERVER_API_SUCCESS); - } else { - subject = searchResult->smackLabel; - int retval; - - if ((retval = smack_have_access(subject.c_str(), object.c_str(), access.c_str())) == 1) - Serialization::Serialize(send, (int)SECURITY_SERVER_API_SUCCESS); - else { - Serialization::Serialize(send, (int)SECURITY_SERVER_API_ERROR_ACCESS_DENIED); - LogSmackAudit("SS_SMACK: " - << " subject=" << subject - << ", object=" << object - << ", access=" << access - << ", result=" << retval); - } - } - } else { - Serialization::Serialize(send, (int)SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE); - } - - return true; -} - -bool CookieService::uidByCookieRequest(MessageBuffer &buffer, MessageBuffer &send) -{ - std::vector cookieKey; - - Try { - Deserialization::Deserialize(buffer, cookieKey); - } Catch (MessageBuffer::Exception::Base) { - LogDebug("Broken protocol. Closing socket."); - return false; - } - - Cookie searchPattern; - searchPattern.cookieId = cookieKey; - - const Cookie *searchResult = m_cookieJar.SearchCookie(searchPattern, CompareType::COOKIE_ID); - - if (searchResult != NULL) { - Serialization::Serialize(send, (int)SECURITY_SERVER_API_SUCCESS); - Serialization::Serialize(send, (int)searchResult->uid); - } else { - Serialization::Serialize(send, (int)SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE); - } - - return true; -} - -bool CookieService::gidByCookieRequest(MessageBuffer &buffer, MessageBuffer &send) -{ - std::vector cookieKey; - - Try { - Deserialization::Deserialize(buffer, cookieKey); - } Catch (MessageBuffer::Exception::Base) { - LogDebug("Broken protocol. Closing socket."); - return false; - } - - Cookie searchPattern; - searchPattern.cookieId = cookieKey; - - const Cookie *searchResult = m_cookieJar.SearchCookie(searchPattern, CompareType::COOKIE_ID); - - if (searchResult != NULL) { - Serialization::Serialize(send, (int)SECURITY_SERVER_API_SUCCESS); - Serialization::Serialize(send, (int)searchResult->gid); - } else { - Serialization::Serialize(send, (int)SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE); - } - - return true; -} - -} // namespace SecurityServer - diff --git a/src/server/service/cookie.h b/src/server/service/cookie.h deleted file mode 100644 index 2a2a922..0000000 --- a/src/server/service/cookie.h +++ /dev/null @@ -1,75 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file cookie.h - * @author Pawel Polawski (p.polawski@partner.samsung.com) - * @version 1.0 - * @brief This function contain header for implementation of cookie get API - */ - -#ifndef _SECURITY_SERVER_COOKIE_GET_ -#define _SECURITY_SERVER_COOKIE_GET_ - -#include -#include -#include -#include -#include -#include - -namespace SecurityServer { - -class CookieService : - public SecurityServer::GenericSocketService - , public SecurityServer::ServiceThread -{ -public: - - ServiceDescriptionVector GetServiceDescription(); - - DECLARE_THREAD_EVENT(AcceptEvent, accept) - DECLARE_THREAD_EVENT(WriteEvent, write) - DECLARE_THREAD_EVENT(ReadEvent, process) - DECLARE_THREAD_EVENT(CloseEvent, close) - - void accept(const AcceptEvent &event); - void write(const WriteEvent &event); - void process(const ReadEvent &event); - void close(const CloseEvent &event); - -private: - bool processOne(const ConnectionID &conn, MessageBuffer &buffer, InterfaceID interfaceID); - - bool cookieRequest(MessageBuffer &send, int socket); - - bool pidByCookieRequest(MessageBuffer &buffer, MessageBuffer &send); - bool smackLabelByCookieRequest(MessageBuffer &buffer, MessageBuffer &send); - bool privilegeByCookieGidRequest(MessageBuffer &buffer, MessageBuffer &send); - bool privilegeByCookieRequest(MessageBuffer &buffer, MessageBuffer &send); - - bool uidByCookieRequest(MessageBuffer &buffer, MessageBuffer &send); - bool gidByCookieRequest(MessageBuffer &buffer, MessageBuffer &send); - - CookieJar m_cookieJar; - - ConnectionInfoMap m_connectionInfoMap; -}; - -} // namespace SecurityServer - -#endif // _SECURITY_SERVER_APP_ENABLE_PERMISSIONS_ diff --git a/src/server/service/data-share.cpp b/src/server/service/data-share.cpp deleted file mode 100644 index b6b5fbe..0000000 --- a/src/server/service/data-share.cpp +++ /dev/null @@ -1,138 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file data-share.cpp - * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) - * @version 1.0 - * @brief Implementation of api-data-share service. - */ - -#include - -#include -#include - -#include -#include -#include -#include -#include - -namespace SecurityServer { - -GenericSocketService::ServiceDescriptionVector SharedMemoryService::GetServiceDescription() { - return ServiceDescriptionVector - {{SERVICE_SOCKET_SHARED_MEMORY, "security-server::api-data-share"}}; -} - -void SharedMemoryService::accept(const AcceptEvent &event) { - LogDebug("Accept event. ConnectionID.sock: " << event.connectionID.sock - << " ConnectionID.counter: " << event.connectionID.counter - << " ServiceID: " << event.interfaceID); -} - -void SharedMemoryService::write(const WriteEvent &event) { - LogDebug("WriteEvent. ConnectionID: " << event.connectionID.sock << - " Size: " << event.size << " Left: " << event.left); - if (event.left == 0) - m_serviceManager->Close(event.connectionID); -} - -bool SharedMemoryService::processOne(const ConnectionID &conn, MessageBuffer &buffer) { - LogDebug("Iteration begin"); - static const char * const revoke = "-----"; - static const char * const permissions = "rwxat"; - char *providerLabel = NULL; - std::string clientLabel; - int clientPid = 0; - int retCode = SECURITY_SERVER_API_ERROR_SERVER_ERROR; - struct smack_accesses *smack = NULL; - - if (!buffer.Ready()) { - return false; - } - - Try { - Deserialization::Deserialize(buffer, clientLabel); - Deserialization::Deserialize(buffer, clientPid); - } Catch (MessageBuffer::Exception::Base) { - LogDebug("Broken protocol. Closing socket."); - m_serviceManager->Close(conn); - return false; - } - - if (smack_check()) { - if (0 > smack_new_label_from_socket(conn.sock, &providerLabel)) { - LogDebug("Error in smack_new_label_from_socket"); - retCode = SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED; - goto end; - } - - if (!util_smack_label_is_valid(clientLabel.c_str())) { - LogDebug("Invalid smack label: " << clientLabel); - retCode = SECURITY_SERVER_API_ERROR_BAD_REQUEST; - goto end; - } - - if (smack_accesses_new(&smack)) { - LogDebug("Error in smack_accesses_new"); - goto end; - } - - if (smack_accesses_add_modify(smack, clientLabel.c_str(), providerLabel, - permissions, revoke)) - { - LogDebug("Error in smack_accesses_add_modify"); - goto end; - } - - if (smack_accesses_apply(smack)) { - LogDebug("Error in smack_accesses_apply"); - retCode = SECURITY_SERVER_API_ERROR_ACCESS_DENIED; - goto end; - } - LogDebug("Access granted. Subject: " << clientLabel << " Provider: " << providerLabel); - } - retCode = SECURITY_SERVER_API_SUCCESS; -end: - free(providerLabel); - smack_accesses_free(smack); - - MessageBuffer sendBuffer; - Serialization::Serialize(sendBuffer, retCode); - m_serviceManager->Write(conn, sendBuffer.Pop()); - return true; -} - -void SharedMemoryService::process(const ReadEvent &event) { - LogDebug("Read event for counter: " << event.connectionID.counter); - auto &buffer = m_messageBufferMap[event.connectionID.counter]; - buffer.Push(event.rawBuffer); - - // We can get several requests in one package. - // Extract and process them all - while(processOne(event.connectionID, buffer)); -} - -void SharedMemoryService::close(const CloseEvent &event) { - LogDebug("CloseEvent. ConnectionID: " << event.connectionID.sock); - m_messageBufferMap.erase(event.connectionID.counter); -} - -} // namespace SecurityServer - diff --git a/src/server/service/data-share.h b/src/server/service/data-share.h deleted file mode 100644 index 1626c32..0000000 --- a/src/server/service/data-share.h +++ /dev/null @@ -1,61 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file data-share.h - * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) - * @version 1.0 - * @brief Implementation of api-data-share - */ - -#ifndef _SECURITY_SERVER_DATA_SHARE_ -#define _SECURITY_SERVER_DATA_SHARE_ - -#include -#include - -#include - -namespace SecurityServer { - -class SharedMemoryService - : public SecurityServer::GenericSocketService - , public SecurityServer::ServiceThread -{ -public: - typedef std::map MessageBufferMap; - - ServiceDescriptionVector GetServiceDescription(); - - DECLARE_THREAD_EVENT(AcceptEvent, accept) - DECLARE_THREAD_EVENT(WriteEvent, write) - DECLARE_THREAD_EVENT(ReadEvent, process) - DECLARE_THREAD_EVENT(CloseEvent, close) - - void accept(const AcceptEvent &event); - void write(const WriteEvent &event); - void process(const ReadEvent &event); - void close(const CloseEvent &event); -private: - bool processOne(const ConnectionID &conn, MessageBuffer &buffer); - - MessageBufferMap m_messageBufferMap; -}; - -} // namespace SecurityServer - -#endif // _SECURITY_SERVER_DATA_SHARE_ diff --git a/src/server/service/get-gid.cpp b/src/server/service/get-gid.cpp deleted file mode 100644 index a0e1b23..0000000 --- a/src/server/service/get-gid.cpp +++ /dev/null @@ -1,158 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file get-gid.cpp - * @author Jan Olszak (j.olszak@samsung.com) - * @version 1.0 - * @brief Implementation of api-get-gid service. - */ - -#include -#include -#include -#include - -#include -#include - -#include -#include -#include - -namespace SecurityServer { - -GenericSocketService::ServiceDescriptionVector GetGidService::GetServiceDescription() { - return ServiceDescriptionVector - {{SERVICE_SOCKET_GET_GID, "security-server::api-get-gid"}}; -} - -void GetGidService::accept(const AcceptEvent &event) { - LogDebug("Accept event. ConnectionID.sock: " << event.connectionID.sock - << " ConnectionID.counter: " << event.connectionID.counter - << " ServiceID: " << event.interfaceID); -} - -void GetGidService::write(const WriteEvent &event) { - LogDebug("WriteEvent. ConnectionID: " << event.connectionID.sock << - " Size: " << event.size << " Left: " << event.left); - if (event.left == 0) - m_serviceManager->Close(event.connectionID); -} - - -/* - * Searches for group ID by given group name - */ -int GetGidService::setGid(std::string& obj) -{ - int ret = 0; - struct group *grpbuf = NULL; - struct group grp; - std::vector buf; - - /* - * The maximum needed size for buf can be found using sysconf(3) - * with the argument _SC_GETGR_R_SIZE_MAX. If _SC_GETGR_R_SIZE_MAX is not - * returned we set max_buf_size to 1024 bytes. Enough to store few groups. - */ - long int maxBufSize = sysconf(_SC_GETGR_R_SIZE_MAX); - if (maxBufSize == -1) - maxBufSize = 1024; - - - /* - * There can be some corner cases when for example user is assigned to a - * lot of groups. In that case if buffer is to small getgrnam_r will - * return ERANGE error. Solution could be calling getgrnam_r with bigger - * buffer until it's big enough. - */ - do { - try{ - buf.resize(maxBufSize); - }catch(std::bad_alloc&) { - ret = SECURITY_SERVER_API_ERROR_OUT_OF_MEMORY; - LogError("Out Of Memory"); - return ret; - } - maxBufSize *= 2; - } while ((ret = getgrnam_r(obj.c_str(), &grp, &(buf[0]), buf.size(), &grpbuf)) == ERANGE); - - // Check for errors: - if (ret != 0){ - ret = SECURITY_SERVER_API_ERROR_SERVER_ERROR; - LogError("getgrnam_r failed with error: " << strerror(errno)); - return ret; - - } else if (grpbuf == NULL) { - ret = SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT; - LogError("Cannot find gid for group: " << obj); - return ret; - } - - m_gid = grpbuf->gr_gid; - - return ret; -} - - -bool GetGidService::processOne(const ConnectionID &conn, MessageBuffer &buffer) { - LogDebug("Iteration begin"); - std::string objectName; - int retCode = SECURITY_SERVER_API_ERROR_SERVER_ERROR; - - if (!buffer.Ready()) { - return false; - } - - // Get objects name: - Try { - Deserialization::Deserialize(buffer, objectName); - } Catch (MessageBuffer::Exception::Base) { - LogDebug("Broken protocol. Closing socket."); - m_serviceManager->Close(conn); - return false; - } - - // Get GID - retCode = setGid(objectName); - - // Send the result - MessageBuffer sendBuffer; - Serialization::Serialize(sendBuffer, retCode); - Serialization::Serialize(sendBuffer, m_gid); - m_serviceManager->Write(conn, sendBuffer.Pop()); - return true; -} - -void GetGidService::process(const ReadEvent &event) { - LogDebug("Read event for counter: " << event.connectionID.counter); - auto &buffer = m_messageBufferMap[event.connectionID.counter]; - buffer.Push(event.rawBuffer); - - // We can get several requests in one package. - // Extract and process them all - while(processOne(event.connectionID, buffer)); -} - -void GetGidService::close(const CloseEvent &event) { - LogDebug("CloseEvent. ConnectionID: " << event.connectionID.sock); - m_messageBufferMap.erase(event.connectionID.counter); -} - -} // namespace SecurityServer - diff --git a/src/server/service/get-gid.h b/src/server/service/get-gid.h deleted file mode 100644 index ac87081..0000000 --- a/src/server/service/get-gid.h +++ /dev/null @@ -1,63 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file get-gid.h - * @author Jan Olszak (j.olszak@samsung.com) - * @version 1.0 - * @brief Implementation of api-get-gid - */ - -#ifndef _SECURITY_SERVER_GET_GID_ -#define _SECURITY_SERVER_GET_GID_ - -#include -#include - -#include -#include - -namespace SecurityServer { - -class GetGidService : - public SecurityServer::GenericSocketService - , public SecurityServer::ServiceThread -{ -public: - typedef std::map MessageBufferMap; - - ServiceDescriptionVector GetServiceDescription(); - - DECLARE_THREAD_EVENT(AcceptEvent, accept) - DECLARE_THREAD_EVENT(WriteEvent, write) - DECLARE_THREAD_EVENT(ReadEvent, process) - DECLARE_THREAD_EVENT(CloseEvent, close) - - void accept(const AcceptEvent &event); - void write(const WriteEvent &event); - void process(const ReadEvent &event); - void close(const CloseEvent &event); -private: - gid_t m_gid; - bool processOne(const ConnectionID &conn, MessageBuffer &buffer); - int setGid(std::string& objectName); - MessageBufferMap m_messageBufferMap; -}; - -} // namespace SecurityServer - -#endif // _SECURITY_SERVER_GET_GID_ diff --git a/src/server/service/password-exception.h b/src/server/service/password-exception.h deleted file mode 100644 index 99f089c..0000000 --- a/src/server/service/password-exception.h +++ /dev/null @@ -1,48 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file password-exception.h - * @author Lukasz Kostyra (l.kostyra@partner.samsung.com) - * @version 1.0 - * @brief Definition of PasswordException class. - */ - -#ifndef _PASSWORD_EXCEPTION_H_ -#define _PASSWORD_EXCEPTION_H_ - -#include - -namespace SecurityServer -{ - class PasswordException - { - public: - DECLARE_EXCEPTION_TYPE(SecurityServer::Exception, Base) - DECLARE_EXCEPTION_TYPE(Base, OutOfData) - DECLARE_EXCEPTION_TYPE(Base, NoData) - DECLARE_EXCEPTION_TYPE(Base, FStreamOpenError) - DECLARE_EXCEPTION_TYPE(Base, FStreamWriteError) - DECLARE_EXCEPTION_TYPE(Base, FStreamReadError) - DECLARE_EXCEPTION_TYPE(Base, NoPasswords) - DECLARE_EXCEPTION_TYPE(Base, PasswordNotActive) - DECLARE_EXCEPTION_TYPE(Base, MakeDirError) - DECLARE_EXCEPTION_TYPE(Base, TimerError) - }; -} //namespace SecurityServer - -#endif //_PASSWORD_EXCEPTION_H_ diff --git a/src/server/service/password-file-buffer.cpp b/src/server/service/password-file-buffer.cpp deleted file mode 100644 index 7263a3e..0000000 --- a/src/server/service/password-file-buffer.cpp +++ /dev/null @@ -1,108 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file password-file-buffer.h - * @author Lukasz Kostyra (l.kostyra@partner.samsung.com) - * @version 1.0 - * @brief Implementation of PasswordFileBuffer, used for serialization in PasswordFile class - */ - -#include - -#include -#include - -#include -#include - -#include -#include - -#include -#include -#include - -namespace SecurityServer -{ - PasswordFileBuffer::PasswordFileBuffer(): m_bufferReadBytes(0) {} - - void PasswordFileBuffer::Read(size_t num, void *bytes) - { - if(m_buffer.empty()) { - LogError("Buffer doesn't contain any data."); - Throw(PasswordException::NoData); - } - - if((m_bufferReadBytes + num) > m_buffer.size()) { - LogError("Not enough buffer to read " << num << " data."); - Throw(PasswordException::OutOfData); - } - - memcpy(bytes, &m_buffer[m_bufferReadBytes], num); - - m_bufferReadBytes += num; - } - - void PasswordFileBuffer::Write(size_t num, const void *bytes) - { - const char* buffer = static_cast(bytes); - std::copy(buffer, buffer+num, std::back_inserter(m_buffer)); - } - - void PasswordFileBuffer::Save(const std::string &path) - { - std::ofstream file(path, std::ofstream::trunc); - - if(!file.good()) { - LogError("Error while opening file stream."); - Throw(PasswordException::FStreamOpenError); - } - - file.write(m_buffer.data(), m_buffer.size()); - if(!file) { - LogError("Failed to write data."); - Throw(PasswordException::FStreamWriteError); - } - - file.flush(); - fsync(DPL::FstreamAccessors::GetFd(file)); // flush kernel space buffer - file.close(); - } - - void PasswordFileBuffer::Load(const std::string &path) - { - std::ifstream file(path, std::ifstream::binary); - - if(!file.good()) { - LogError("Error while opening file stream."); - Throw(PasswordException::FStreamOpenError); - } - - //reset read bytes counter - m_bufferReadBytes = 0; - - m_buffer.assign(std::istreambuf_iterator(file), - std::istreambuf_iterator()); - - if(!file) { - LogError("Failed to read data. Failbit: " << file.fail() << ", Badbit: " << file.bad()); - Throw(PasswordException::FStreamReadError); - } - } - -} //namespace SecurityServer diff --git a/src/server/service/password-file-buffer.h b/src/server/service/password-file-buffer.h deleted file mode 100644 index 419f142..0000000 --- a/src/server/service/password-file-buffer.h +++ /dev/null @@ -1,56 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file password-file-buffer.h - * @author Zbigniew Jasinski (z.jasinski@samsung.com) - * @author Lukasz Kostyra (l.kostyra@partner.samsung.com) - * @version 1.0 - * @brief Implementation of password file buffer, used for serialization in password-manager.h - */ - -#ifndef _PASSWORD_FILE_BUFFER_H_ -#define _PASSWORD_FILE_BUFFER_H_ - -#include -#include -#include - -#include - -namespace SecurityServer -{ - class PasswordFileBuffer: public IStream - { - public: - PasswordFileBuffer(); - - virtual void Read(size_t num, void *bytes); - virtual void Write(size_t num, const void *bytes); - - void Save(const std::string &path); - void Load(const std::string &path); - - private: - typedef std::vector DataBuffer; - - DataBuffer m_buffer; - size_t m_bufferReadBytes; - }; -} //namespace SecurityServer - -#endif diff --git a/src/server/service/password-file.cpp b/src/server/service/password-file.cpp deleted file mode 100644 index 6f59589..0000000 --- a/src/server/service/password-file.cpp +++ /dev/null @@ -1,497 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file password-file.cpp - * @author Zbigniew Jasinski (z.jasinski@samsung.com) - * @author Lukasz Kostyra (l.kostyra@partner.samsung.com) - * @author Piotr Bartosiewicz (p.bartosiewi@partner.samsung.com) - * @version 1.0 - * @brief Implementation of PasswordFile, used to manage password files. - */ -#include - -#include -#include -#include - -#include -#include -#include -#include - -#include - -#include -#include - -#include -#include -#include -#include - -namespace { - const std::string DATA_DIR = "/opt/data/security-server"; - const std::string PASSWORD_FILE = DATA_DIR + "/password"; - const std::string OLD_VERSION_PASSWORD_FILE = DATA_DIR + "/password.pwd"; - const std::string ATTEMPT_FILE = DATA_DIR + "/attempt"; - const double RETRY_TIMEOUT = 0.5; - const mode_t FILE_MODE = S_IRUSR | S_IWUSR; - const unsigned int CURRENT_FILE_VERSION = 3; -} // namespace anonymous - -namespace SecurityServer -{ - const time_t PASSWORD_INFINITE_EXPIRATION_TIME = std::numeric_limits::max(); - - class NoPassword: public IPassword - { - public: - NoPassword(IStream&) {} - NoPassword() {} - - void Serialize(IStream &stream) const - { - Serialization::Serialize(stream, static_cast(PasswordType::NONE)); - } - - bool match(const std::string &) const - { - return false; - } - }; - - class SHA256Password: public IPassword - { - public: - SHA256Password(IStream& stream) - { - Deserialization::Deserialize(stream, m_hash); - } - - SHA256Password(const std::string &password) - : m_hash(hash(password)) {} - - SHA256Password(const RawHash& hash) - : m_hash(hash) {} - - void Serialize(IStream &stream) const - { - Serialization::Serialize(stream, static_cast(PasswordType::SHA256)); - Serialization::Serialize(stream, m_hash); - } - - bool match(const std::string &password) const - { - return m_hash == hash(password); - } - private: - RawHash m_hash; - - static RawHash hash(const std::string &password) - { - RawHash result(SHA256_DIGEST_LENGTH); - - SHA256_CTX context; - SHA256_Init(&context); - SHA256_Update(&context, reinterpret_cast(password.c_str()), - password.size()); - SHA256_Final(result.data(), &context); - - return result; - } - }; - - // deserialization of new password format - template <> - void Deserialization::Deserialize(IStream& stream, IPasswordPtr& ptr) - { - unsigned int algorithm; - Deserialization::Deserialize(stream, algorithm); - switch (algorithm) { - case (unsigned int)IPassword::PasswordType::NONE: - ptr.reset(new NoPassword()); - break; - case (unsigned int)IPassword::PasswordType::SHA256: - ptr.reset(new SHA256Password(stream)); - break; - default: - Throw(PasswordException::FStreamReadError); - } - } - - PasswordFile::PasswordFile(): m_passwordCurrent(new NoPassword()), - m_maxAttempt(PASSWORD_INFINITE_ATTEMPT_COUNT), - m_maxHistorySize(0), - m_expireTime(PASSWORD_INFINITE_EXPIRATION_TIME), - m_passwordActive(false), m_attempt(0) - { - // check if data directory exists - // if not create it - if (!dirExists(DATA_DIR.c_str())) { - if(mkdir(DATA_DIR.c_str(), 0700)) { - LogError("Failed to create directory for files. Error: " << strerror(errno)); - Throw(PasswordException::MakeDirError); - } - } - - preparePwdFile(); - prepareAttemptFile(); - resetTimer(); - } - - void PasswordFile::resetState() - { - m_passwordCurrent.reset(new NoPassword()); - m_maxAttempt = PASSWORD_INFINITE_ATTEMPT_COUNT; - m_maxHistorySize = 0; - m_expireTime = PASSWORD_INFINITE_EXPIRATION_TIME; - m_passwordActive = false; - } - - void PasswordFile::resetTimer() - { - m_retryTimerStart = ClockType::now(); - m_retryTimerStart -= TimeDiff(RETRY_TIMEOUT); - } - - void PasswordFile::preparePwdFile() - { - // check if password file exists - if (!fileExists(PASSWORD_FILE)) { - // if old format file exist - load it - if (tryLoadMemoryFromOldFormatFile()) { - // save in new format - writeMemoryToFile(); - // and remove old file - remove(OLD_VERSION_PASSWORD_FILE.c_str()); - return; - } - - LogSecureDebug("PWD_DBG not found password file. Creating."); - - //create file - writeMemoryToFile(); - } else { //if file exists, load data - LogSecureDebug("PWD_DBG found password file. Opening."); - try { - loadMemoryFromFile(); - } catch (...) { - LogError("Invalid " << PASSWORD_FILE << " file format"); - resetState(); - writeMemoryToFile(); - } - } - } - - void PasswordFile::prepareAttemptFile() - { - // check if attempt file exists - // if not create it - if (!fileExists(ATTEMPT_FILE)) { - LogSecureDebug("PWD_DBG not found attempt file. Creating."); - - writeAttemptToFile(); - } else { - LogSecureDebug("PWD_DBG found attempt file. Opening."); - std::ifstream attemptFile(ATTEMPT_FILE); - if(!attemptFile) { - LogError("Failed to open attempt file."); - // ignore error - return; - } - - attemptFile.read(reinterpret_cast(&m_attempt), sizeof(unsigned int)); - if(!attemptFile) { - LogError("Failed to read attempt count."); - // ignore error - resetAttempt(); - } - } - } - - bool PasswordFile::fileExists(const std::string &filename) const - { - struct stat buf; - - return ((stat(filename.c_str(), &buf) == 0)); - } - - bool PasswordFile::dirExists(const std::string &dirpath) const - { - struct stat buf; - - return ((stat(dirpath.c_str(), &buf) == 0) && (((buf.st_mode) & S_IFMT) == S_IFDIR)); - } - - void PasswordFile::writeMemoryToFile() const - { - PasswordFileBuffer pwdBuffer; - - LogSecureDebug("Saving max_att: " << m_maxAttempt << ", history_size: " << - m_maxHistorySize << ", m_expireTime: " << m_expireTime << ", isActive: " << - m_passwordActive); - - //serialize password attributes - Serialization::Serialize(pwdBuffer, CURRENT_FILE_VERSION); - Serialization::Serialize(pwdBuffer, m_maxAttempt); - Serialization::Serialize(pwdBuffer, m_maxHistorySize); - Serialization::Serialize(pwdBuffer, m_expireTime); - Serialization::Serialize(pwdBuffer, m_passwordActive); - Serialization::Serialize(pwdBuffer, m_passwordCurrent); - Serialization::Serialize(pwdBuffer, m_passwordHistory); - - pwdBuffer.Save(PASSWORD_FILE); - - chmod(PASSWORD_FILE.c_str(), FILE_MODE); - } - - void PasswordFile::loadMemoryFromFile() - { - PasswordFileBuffer pwdFile; - - pwdFile.Load(PASSWORD_FILE); - - unsigned int fileVersion = 0; - Deserialization::Deserialize(pwdFile, fileVersion); - if (fileVersion != CURRENT_FILE_VERSION) - Throw(PasswordException::FStreamReadError); - - m_passwordHistory.clear(); - - Deserialization::Deserialize(pwdFile, m_maxAttempt); - Deserialization::Deserialize(pwdFile, m_maxHistorySize); - Deserialization::Deserialize(pwdFile, m_expireTime); - Deserialization::Deserialize(pwdFile, m_passwordActive); - Deserialization::Deserialize(pwdFile, m_passwordCurrent); - Deserialization::Deserialize(pwdFile, m_passwordHistory); - - LogSecureDebug("Loaded max_att: " << m_maxAttempt << ", history_size: " << - m_maxHistorySize << ", m_expireTime: " << m_expireTime << ", isActive: " << - m_passwordActive); - } - - bool PasswordFile::tryLoadMemoryFromOldFormatFile() - { - struct stat oldFileStat; - if (stat(OLD_VERSION_PASSWORD_FILE.c_str(), &oldFileStat) != 0) - return false; - - static const int ELEMENT_SIZE = sizeof(unsigned) + SHA256_DIGEST_LENGTH; - static const int VERSION_1_REMAINING = sizeof(unsigned) * 4; - static const int VERSION_2_REMAINING = VERSION_1_REMAINING + sizeof(bool); - int remaining = oldFileStat.st_size % ELEMENT_SIZE; - - if (remaining != VERSION_1_REMAINING && remaining != VERSION_2_REMAINING) - return false; - - try { - PasswordFileBuffer pwdFile; - pwdFile.Load(OLD_VERSION_PASSWORD_FILE); - - Deserialization::Deserialize(pwdFile, m_maxAttempt); - Deserialization::Deserialize(pwdFile, m_maxHistorySize); - Deserialization::Deserialize(pwdFile, m_expireTime); - if (m_expireTime == 0) - m_expireTime = PASSWORD_INFINITE_EXPIRATION_TIME; - if (remaining == VERSION_2_REMAINING) - Deserialization::Deserialize(pwdFile, m_passwordActive); - else - m_passwordActive = true; - - // deserialize passwords in old format - struct OldPassword { - OldPassword() {} - OldPassword(IStream &stream) - { - Deserialization::Deserialize(stream, m_hash); - } - IPassword::RawHash m_hash; - }; - std::list oldFormatPasswords; - Deserialization::Deserialize(pwdFile, oldFormatPasswords); - - // convert passwords to new format - m_passwordHistory.clear(); - if (oldFormatPasswords.empty()) { - m_passwordCurrent.reset(new NoPassword()); - m_passwordActive = false; - } else { - m_passwordCurrent.reset(new SHA256Password(oldFormatPasswords.front().m_hash)); - std::for_each(++oldFormatPasswords.begin(), oldFormatPasswords.end(), - [&] (const OldPassword& pwd) - {m_passwordHistory.push_back(IPasswordPtr(new SHA256Password(pwd.m_hash)));} - ); - } - } catch (...) { - LogWarning("Invalid " << OLD_VERSION_PASSWORD_FILE << " file format"); - resetState(); - return false; - } - - return true; - } - - void PasswordFile::writeAttemptToFile() const - { - std::ofstream attemptFile(ATTEMPT_FILE, std::ofstream::trunc); - - if(!attemptFile.good()) { - LogError("Failed to open attempt file."); - Throw(PasswordException::FStreamOpenError); - } - - attemptFile.write(reinterpret_cast(&m_attempt), sizeof(unsigned int)); - if(!attemptFile) { - LogError("Failed to write attempt count."); - Throw(PasswordException::FStreamWriteError); - } - - attemptFile.flush(); - fsync(DPL::FstreamAccessors::GetFd(attemptFile)); // flush kernel space buffer - attemptFile.close(); - } - - void PasswordFile::activatePassword() - { - m_passwordActive = true; - } - - bool PasswordFile::isPasswordActive() const - { - return m_passwordActive; - } - - void PasswordFile::setMaxHistorySize(unsigned int history) - { - //setting history should be independent from password being set - m_maxHistorySize = history; - - while(m_passwordHistory.size() > history) - m_passwordHistory.pop_back(); - } - - unsigned int PasswordFile::getMaxHistorySize() const - { - return m_maxHistorySize; - } - - unsigned int PasswordFile::getAttempt() const - { - return m_attempt; - } - - void PasswordFile::resetAttempt() - { - m_attempt = 0; - } - - void PasswordFile::incrementAttempt() - { - m_attempt++; - } - - int PasswordFile::getMaxAttempt() const - { - return m_maxAttempt; - } - - void PasswordFile::setMaxAttempt(unsigned int maxAttempt) - { - m_maxAttempt = maxAttempt; - } - - bool PasswordFile::isPasswordReused(const std::string &password) const - { - LogSecureDebug("Checking if pwd is reused. HistorySize: " << m_passwordHistory.size() << - ", MaxHistorySize: " << getMaxHistorySize()); - - //go through history and check if password existed earlier - if(std::any_of(m_passwordHistory.begin(), m_passwordHistory.end(), - [&password](const IPasswordPtr& pwd) { return pwd->match(password); })) { - LogSecureDebug("Passwords match!"); - return true; - } - - LogSecureDebug("isPasswordReused: No passwords match, password not reused."); - return false; - } - - void PasswordFile::setPassword(const std::string &password) - { - //put current password to history - m_passwordHistory.push_front(std::move(m_passwordCurrent)); - - //erase last password if we exceed max history size - if(m_passwordHistory.size() > getMaxHistorySize()) - m_passwordHistory.pop_back(); - - //replace current password with new one - m_passwordCurrent.reset(new SHA256Password(password)); - } - - bool PasswordFile::checkPassword(const std::string &password) const - { - return m_passwordCurrent->match(password); - } - - void PasswordFile::setExpireTime(time_t expireTime) - { - if(isPasswordActive()) - m_expireTime = expireTime; - else { - LogError("Can't set expiration time, password not active."); - Throw(PasswordException::PasswordNotActive); - } - } - - unsigned int PasswordFile::getExpireTimeLeft() const - { - if(m_expireTime != PASSWORD_INFINITE_EXPIRATION_TIME) { - time_t timeLeft = m_expireTime - time(NULL); - return (timeLeft < 0) ? 0 : static_cast(timeLeft); - } else - return PASSWORD_API_NO_EXPIRATION; - } - - bool PasswordFile::checkExpiration() const - { - //return true if expired, else false - return ((m_expireTime != PASSWORD_INFINITE_EXPIRATION_TIME) && (time(NULL) > m_expireTime)); - } - - bool PasswordFile::checkIfAttemptsExceeded() const - { - return ((m_maxAttempt != PASSWORD_INFINITE_ATTEMPT_COUNT) && (m_attempt > m_maxAttempt)); - } - - bool PasswordFile::isIgnorePeriod() const - { - TimePoint retryTimerStop = ClockType::now(); - TimeDiff diff = retryTimerStop - m_retryTimerStart; - - m_retryTimerStart = retryTimerStop; - - return (diff.count() < RETRY_TIMEOUT); - } - - bool PasswordFile::isHistoryActive() const - { - return (m_maxHistorySize != 0); - } -} //namespace SecurityServer - diff --git a/src/server/service/password-file.h b/src/server/service/password-file.h deleted file mode 100644 index 19143d8..0000000 --- a/src/server/service/password-file.h +++ /dev/null @@ -1,128 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file password-file.h - * @author Zbigniew Jasinski (z.jasinski@samsung.com) - * @author Lukasz Kostyra (l.kostyra@partner.samsung.com) - * @author Piotr Bartosiewicz (p.bartosiewi@partner.samsung.com) - * @version 1.0 - * @brief Implementation of PasswordFile, used to manage password files. - */ -#ifndef _PASSWORD_FILE_H_ -#define _PASSWORD_FILE_H_ - -#include -#include -#include -#include -#include - -#include - -#include - -namespace SecurityServer -{ - extern const time_t PASSWORD_INFINITE_EXPIRATION_TIME; - - struct IPassword: public ISerializable - { - typedef std::vector RawHash; - - enum class PasswordType : unsigned int - { - NONE = 0, - SHA256 = 1, - }; - - virtual bool match(const std::string &password) const = 0; - }; - - typedef std::unique_ptr IPasswordPtr; - typedef std::list PasswordList; - - class PasswordFile - { - public: - PasswordFile(); - - void writeMemoryToFile() const; - void writeAttemptToFile() const; - - void setPassword(const std::string &password); - bool checkPassword(const std::string &password) const; - - void activatePassword(); - bool isPasswordActive() const; - - void setMaxHistorySize(unsigned int history); - unsigned int getMaxHistorySize() const; - - unsigned int getExpireTimeLeft() const; - void setExpireTime(time_t expireTime); - - //attempt manipulating functions - unsigned int getAttempt() const; - void resetAttempt(); - void incrementAttempt(); - int getMaxAttempt() const; - void setMaxAttempt(unsigned int maxAttempt); - - bool isPasswordReused(const std::string &password) const; - - bool checkExpiration() const; - bool checkIfAttemptsExceeded() const; - bool isIgnorePeriod() const; - - bool isHistoryActive() const; - - private: -#if (__GNUC__ > 4) || (__GNUC__ == 4 && (__GNUC_MINOR__ >= 7)) - typedef std::chrono::steady_clock ClockType; -#else - typedef std::chrono::monotonic_clock ClockType; -#endif - typedef std::chrono::duration TimeDiff; - typedef std::chrono::time_point TimePoint; - - void loadMemoryFromFile(); - bool tryLoadMemoryFromOldFormatFile(); - - void resetTimer(); - void preparePwdFile(); - void prepareAttemptFile(); - void resetState(); - bool fileExists(const std::string &filename) const; - bool dirExists(const std::string &dirpath) const; - - mutable TimePoint m_retryTimerStart; - - //password file data - IPasswordPtr m_passwordCurrent; - PasswordList m_passwordHistory; - unsigned int m_maxAttempt; - unsigned int m_maxHistorySize; - time_t m_expireTime; - bool m_passwordActive; - - //attempt file data - unsigned int m_attempt; - }; -} //namespace SecurityServer - -#endif diff --git a/src/server/service/password-manager.cpp b/src/server/service/password-manager.cpp deleted file mode 100644 index dd3ad1b..0000000 --- a/src/server/service/password-manager.cpp +++ /dev/null @@ -1,276 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file password-manager.cpp - * @author Zbigniew Jasinski (z.jasinski@samsung.com) - * @author Lukasz Kostyra (l.kostyra@partner.samsung.com) - * @version 1.0 - * @brief Implementation of password management functions - */ - -#include - -#include -#include -#include - -#include - -#include - -#include - -#include - -namespace { - bool calculateExpiredTime(unsigned int receivedDays, time_t &validSecs) - { - validSecs = SecurityServer::PASSWORD_INFINITE_EXPIRATION_TIME; - - //when receivedDays means infinite expiration, return default validSecs value. - if(receivedDays == SecurityServer::PASSWORD_INFINITE_EXPIRATION_DAYS) - return true; - - time_t curTime = time(NULL); - - if (receivedDays > ((UINT_MAX - curTime) / 86400)) { - LogError("Incorrect input param."); - return false; - } else { - validSecs = (curTime + (receivedDays * 86400)); - return true; - } - } -} //namespace - -namespace SecurityServer -{ - int PasswordManager::isPwdValid(unsigned int ¤tAttempt, unsigned int &maxAttempt, - unsigned int &expirationTime) const - { - if (!m_pwdFile.isPasswordActive()) { - LogError("Current password not active."); - return SECURITY_SERVER_API_ERROR_NO_PASSWORD; - } else { - currentAttempt = m_pwdFile.getAttempt(); - maxAttempt = m_pwdFile.getMaxAttempt(); - expirationTime = m_pwdFile.getExpireTimeLeft(); - - return SECURITY_SERVER_API_ERROR_PASSWORD_EXIST; - } - - return SECURITY_SERVER_API_SUCCESS; - } - - int PasswordManager::checkPassword(const std::string &challenge, unsigned int ¤tAttempt, - unsigned int &maxAttempt, unsigned int &expirationTime) - { - LogSecureDebug("Inside checkPassword function."); - - if (m_pwdFile.isIgnorePeriod()) { - LogError("Retry timeout occurred."); - return SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER; - } - - if (!m_pwdFile.isPasswordActive()) { - LogError("Password not active."); - return SECURITY_SERVER_API_ERROR_NO_PASSWORD; - } - - m_pwdFile.incrementAttempt(); - m_pwdFile.writeAttemptToFile(); - - currentAttempt = m_pwdFile.getAttempt(); - maxAttempt = m_pwdFile.getMaxAttempt(); - expirationTime = m_pwdFile.getExpireTimeLeft(); - - if (m_pwdFile.checkIfAttemptsExceeded()) { - LogError("Too many tries."); - return SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED; - } - - if (!m_pwdFile.checkPassword(challenge)) { - LogError("Wrong password."); - return SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH; - } - - if (m_pwdFile.checkExpiration()) { - LogError("Password expired."); - return SECURITY_SERVER_API_ERROR_PASSWORD_EXPIRED; - } - - m_pwdFile.resetAttempt(); - m_pwdFile.writeAttemptToFile(); - - return SECURITY_SERVER_API_SUCCESS; - } - - int PasswordManager::setPassword(const std::string ¤tPassword, - const std::string &newPassword, - const unsigned int receivedAttempts, - const unsigned int receivedDays) - { - LogSecureDebug("Curpwd = " << currentPassword << ", newpwd = " << newPassword << - ", recatt = " << receivedAttempts << ", recdays = " << receivedDays); - - time_t valid_secs = 0; - - if (m_pwdFile.isIgnorePeriod()) { - LogError("Retry timeout occured."); - return SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER; - } - - //check if passwords are correct - if (currentPassword.size() > MAX_PASSWORD_LEN) { - LogError("Current password length failed."); - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - } - - if (newPassword.size() > MAX_PASSWORD_LEN) { - LogError("New password length failed."); - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - } - - //check delivered currentPassword - //when m_passwordActive flag is true, currentPassword shouldn't be empty - if (currentPassword.empty() && m_pwdFile.isPasswordActive()) { - LogError("Password is already set. Max history: " << m_pwdFile.getMaxHistorySize()); - return SECURITY_SERVER_API_ERROR_PASSWORD_EXIST; - } - - //increment attempt count before checking it against max attempt count - m_pwdFile.incrementAttempt(); - m_pwdFile.writeAttemptToFile(); - - // check attempt - if (m_pwdFile.checkIfAttemptsExceeded()) { - LogError("Too many attempts."); - return SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED; - } - - //check current password, however only when we don't send empty string as current. - if(!currentPassword.empty()) { - if(!m_pwdFile.checkPassword(currentPassword)) { - LogError("Wrong password."); - return SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH; - } - } - - //check if password expired - if (m_pwdFile.checkExpiration()) { - LogError("Password expired."); - return SECURITY_SERVER_API_ERROR_PASSWORD_EXPIRED; - } - - //check history, however only if history is active - if (m_pwdFile.isPasswordActive() && m_pwdFile.isHistoryActive()) { - if (m_pwdFile.isPasswordReused(newPassword)) { - LogError("Password reused."); - return SECURITY_SERVER_API_ERROR_PASSWORD_REUSED; - } - } - - if(!calculateExpiredTime(receivedDays, valid_secs)) { - LogError("Received expiration time incorrect."); - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - } - - //setting password - m_pwdFile.setPassword(newPassword); - m_pwdFile.activatePassword(); - m_pwdFile.setMaxAttempt(receivedAttempts); - m_pwdFile.setExpireTime(valid_secs); - m_pwdFile.writeMemoryToFile(); - - m_pwdFile.resetAttempt(); - m_pwdFile.writeAttemptToFile(); - - return SECURITY_SERVER_API_SUCCESS; - } - - int PasswordManager::setPasswordValidity(const unsigned int receivedDays) - { - time_t valid_secs = 0; - - LogSecureDebug("received_days: " << receivedDays); - - if (!m_pwdFile.isPasswordActive()) { - LogError("Current password is not active."); - return SECURITY_SERVER_API_ERROR_NO_PASSWORD; - } - - if(!calculateExpiredTime(receivedDays, valid_secs)) - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - - m_pwdFile.setExpireTime(valid_secs); - m_pwdFile.writeMemoryToFile(); - - return SECURITY_SERVER_API_SUCCESS; - } - - int PasswordManager::resetPassword(const std::string &newPassword, - const unsigned int receivedAttempts, - const unsigned int receivedDays) - { - time_t valid_secs = 0; - - if(!calculateExpiredTime(receivedDays, valid_secs)) - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - - m_pwdFile.setPassword(newPassword); - m_pwdFile.activatePassword(); - m_pwdFile.setMaxAttempt(receivedAttempts); - m_pwdFile.setExpireTime(valid_secs); - m_pwdFile.writeMemoryToFile(); - - m_pwdFile.resetAttempt(); - m_pwdFile.writeAttemptToFile(); - - return SECURITY_SERVER_API_SUCCESS; - } - - int PasswordManager::setPasswordHistory(const unsigned int history) - { - if(history > MAX_PASSWORD_HISTORY) { - LogError("Incorrect input param."); - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - } - - m_pwdFile.setMaxHistorySize(history); - m_pwdFile.writeMemoryToFile(); - - return SECURITY_SERVER_API_SUCCESS; - } - - int PasswordManager::setPasswordMaxChallenge(const unsigned int maxChallenge) - { - // check if there is password - if (!m_pwdFile.isPasswordActive()) { - LogError("Password not active."); - return SECURITY_SERVER_API_ERROR_NO_PASSWORD; - } - - m_pwdFile.setMaxAttempt(maxChallenge); - m_pwdFile.writeMemoryToFile(); - - m_pwdFile.resetAttempt(); - m_pwdFile.writeAttemptToFile(); - - return SECURITY_SERVER_API_SUCCESS; - } -} //namespace SecurityServer diff --git a/src/server/service/password-manager.h b/src/server/service/password-manager.h deleted file mode 100644 index bef6521..0000000 --- a/src/server/service/password-manager.h +++ /dev/null @@ -1,59 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file password-manager.h - * @author Zbigniew Jasinski (z.jasinski@samsung.com) - * @author Lukasz Kostyra (l.kostyra@partner.samsung.com) - * @version 1.0 - * @brief Implementation of password management functions - */ - -#ifndef _PASSWORDMANAGER_H_ -#define _PASSWORDMANAGER_H_ - -#include - -#include - -namespace SecurityServer -{ - class PasswordManager - { - public: - //checking functions - int isPwdValid(unsigned int ¤tAttempt, unsigned int &maxAttempt, - unsigned int &expirationTime) const; - int checkPassword(const std::string& challenge, unsigned int ¤tAttempt, - unsigned int &maxAttempt, unsigned int &expTime); - //no const in checkPassword, attempts are updated - - //setting functions - int setPassword(const std::string ¤tPassword, const std::string &newPassword, - const unsigned int receivedAttempts, const unsigned int receivedDays); - int setPasswordValidity(const unsigned int receivedDays); - int resetPassword(const std::string &newPassword, const unsigned int receivedAttempts, - const unsigned int receivedDays); - int setPasswordHistory(const unsigned int history); - int setPasswordMaxChallenge(const unsigned int maxChallenge); - - private: - PasswordFile m_pwdFile; - }; -} //namespace SecurityServer - -#endif diff --git a/src/server/service/password.cpp b/src/server/service/password.cpp deleted file mode 100644 index 0cbc878..0000000 --- a/src/server/service/password.cpp +++ /dev/null @@ -1,283 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file password.cpp - * @author Zbigniew Jasinski (z.jasinski@samsung.com) - * @author Lukasz Kostyra (l.kostyra@partner.samsung.com) - * @version 1.0 - * @brief Implementation of password service - */ - -#include -#include - -#include -#include - -#include - -#include -#include - -namespace SecurityServer { - -namespace { -// Service may open more than one socket. -// These ID's will be assigned to sockets -// and will be used only by service. -// When new connection arrives, AcceptEvent -// will be generated with proper ID to inform -// service about input socket. -// -// Please note: SocketManager does not use it and -// does not check it in any way. -// -// If your service requires only one socket -// (uses only one socket labeled with smack) -// you may ignore this ID (just pass 0) -const InterfaceID SOCKET_ID_CHECK = 0; -const InterfaceID SOCKET_ID_SET = 1; -const InterfaceID SOCKET_ID_RESET = 2; - -} // namespace anonymous - -GenericSocketService::ServiceDescriptionVector PasswordService::GetServiceDescription() -{ - return ServiceDescriptionVector { - {SERVICE_SOCKET_PASSWD_CHECK, "security-server::api-password-check", SOCKET_ID_CHECK}, - {SERVICE_SOCKET_PASSWD_SET, "security-server::api-password-set", SOCKET_ID_SET}, - {SERVICE_SOCKET_PASSWD_RESET, "security-server::api-password-reset", SOCKET_ID_RESET} - }; -} - -void PasswordService::accept(const AcceptEvent &event) -{ - LogSecureDebug("Accept event. ConnectionID.sock: " << event.connectionID.sock - << " ConnectionID.counter: " << event.connectionID.counter - << " ServiceID: " << event.interfaceID); - - auto &info = m_connectionInfoMap[event.connectionID.counter]; - info.interfaceID = event.interfaceID; -} - -void PasswordService::write(const WriteEvent &event) -{ - LogSecureDebug("WriteEvent. ConnectionID: " << event.connectionID.sock << - " Size: " << event.size << " Left: " << event.left); - if (event.left == 0) - m_serviceManager->Close(event.connectionID); -} - -void PasswordService::process(const ReadEvent &event) -{ - LogSecureDebug("Read event for counter: " << event.connectionID.counter); - auto &info = m_connectionInfoMap[event.connectionID.counter]; - info.buffer.Push(event.rawBuffer); - - // We can get several requests in one package. - // Extract and process them all - while(processOne(event.connectionID, info.buffer, info.interfaceID)); -} - -void PasswordService::close(const CloseEvent &event) -{ - LogSecureDebug("CloseEvent. ConnectionID: " << event.connectionID.sock); - m_connectionInfoMap.erase(event.connectionID.counter); -} - -int PasswordService::processCheckFunctions(PasswordHdrs hdr, MessageBuffer& buffer, - unsigned int &cur_att, unsigned int &max_att, - unsigned int &exp_time) -{ - int result = SECURITY_SERVER_API_ERROR_SERVER_ERROR; - - switch (hdr) { - case PasswordHdrs::HDR_IS_PWD_VALID: - result = m_pwdManager.isPwdValid(cur_att, max_att, exp_time); - break; - - case PasswordHdrs::HDR_CHK_PWD: { - std::string challenge; - Deserialization::Deserialize(buffer, challenge); - result = m_pwdManager.checkPassword(challenge, cur_att, max_att, exp_time); - break; - } - - default: - LogError("Unknown msg header."); - Throw(Exception::IncorrectHeader); - } - - return result; -} - -int PasswordService::processSetFunctions(PasswordHdrs hdr, MessageBuffer& buffer) -{ - int result = SECURITY_SERVER_API_ERROR_SERVER_ERROR; - - std::string curPwd, newPwd; - unsigned int rec_att = 0, rec_days = 0, rec_max_challenge = 0, rec_history = 0; - - switch(hdr) { - case PasswordHdrs::HDR_SET_PWD: - Deserialization::Deserialize(buffer, curPwd); - Deserialization::Deserialize(buffer, newPwd); - Deserialization::Deserialize(buffer, rec_att); - Deserialization::Deserialize(buffer, rec_days); - result = m_pwdManager.setPassword(curPwd, newPwd, rec_att, rec_days); - break; - - case PasswordHdrs::HDR_SET_PWD_VALIDITY: - Deserialization::Deserialize(buffer, rec_days); - result = m_pwdManager.setPasswordValidity(rec_days); - break; - - case PasswordHdrs::HDR_SET_PWD_MAX_CHALLENGE: - Deserialization::Deserialize(buffer, rec_max_challenge); - result = m_pwdManager.setPasswordMaxChallenge(rec_max_challenge); - break; - - case PasswordHdrs::HDR_SET_PWD_HISTORY: - Deserialization::Deserialize(buffer, rec_history); - result = m_pwdManager.setPasswordHistory(rec_history); - break; - - default: - LogError("Unknown msg header."); - Throw(Exception::IncorrectHeader); - } - - return result; -} - -int PasswordService::processResetFunctions(PasswordHdrs hdr, MessageBuffer& buffer) -{ - int result = SECURITY_SERVER_API_ERROR_SERVER_ERROR; - - std::string newPwd; - unsigned int rec_att = 0, rec_days = 0; - - switch(hdr) { - case PasswordHdrs::HDR_RST_PWD: - Deserialization::Deserialize(buffer, newPwd); - Deserialization::Deserialize(buffer, rec_att); - Deserialization::Deserialize(buffer, rec_days); - result = m_pwdManager.resetPassword(newPwd, rec_att, rec_days); - break; - - default: - LogError("Unknown msg header."); - Throw(Exception::IncorrectHeader); - } - - return result; -} - -bool PasswordService::processOne(const ConnectionID &conn, MessageBuffer &buffer, - InterfaceID interfaceID) -{ - LogSecureDebug("Iteration begin"); - - MessageBuffer sendBuffer; - - int retCode = SECURITY_SERVER_API_ERROR_SERVER_ERROR; - unsigned int cur_att = 0, max_att = 0, exp_time = 0; - - if (!buffer.Ready()) - return false; - - Try { //try..catch for MessageBuffer errors, closes connection when exception is thrown - int tempHdr; - Deserialization::Deserialize(buffer, tempHdr); - PasswordHdrs hdr = static_cast(tempHdr); - - try { //try..catch for internal service errors, assigns error code for returning. - switch (interfaceID) { - case SOCKET_ID_CHECK: - retCode = processCheckFunctions(hdr, buffer, cur_att, max_att, exp_time); - break; - - case SOCKET_ID_SET: - retCode = processSetFunctions(hdr, buffer); - break; - - case SOCKET_ID_RESET: - retCode = processResetFunctions(hdr, buffer); - break; - - default: - LogError("Wrong interfaceID."); - Throw(Exception::IncorrectHeader); - } - } catch (PasswordException::Base &e) { - LogError("Password error: " << e.DumpToString()); - retCode = SECURITY_SERVER_API_ERROR_SERVER_ERROR; - } catch (std::exception &e) { - LogError("STD error: " << e.what()); - retCode = SECURITY_SERVER_API_ERROR_SERVER_ERROR; - } - - //everything is OK, send return code and extra data - Serialization::Serialize(sendBuffer, retCode); - - //Returning additional information should occur only when checking functions - //are called, and under certain return values - if(interfaceID == SOCKET_ID_CHECK) - { - switch(retCode) - { - case SECURITY_SERVER_API_ERROR_PASSWORD_EXIST: - case SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH: - case SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED: - case SECURITY_SERVER_API_ERROR_PASSWORD_EXPIRED: - Serialization::Serialize(sendBuffer, cur_att); - Serialization::Serialize(sendBuffer, max_att); - Serialization::Serialize(sendBuffer, exp_time); - break; - - case SECURITY_SERVER_API_SUCCESS: - if(hdr == PasswordHdrs::HDR_CHK_PWD) { - Serialization::Serialize(sendBuffer, cur_att); - Serialization::Serialize(sendBuffer, max_att); - Serialization::Serialize(sendBuffer, exp_time); - } - break; - - default: - break; - } - } - - m_serviceManager->Write(conn, sendBuffer.Pop()); - } Catch (MessageBuffer::Exception::Base) { - LogError("Broken protocol. Closing socket."); - m_serviceManager->Close(conn); - return false; - } Catch (PasswordService::Exception::Base) { - LogError("Incorrect message header. Closing socket."); - m_serviceManager->Close(conn); - return false; - } - - - - return true; -} - -} // namespace SecurityServer - diff --git a/src/server/service/password.h b/src/server/service/password.h deleted file mode 100644 index ceab3b6..0000000 --- a/src/server/service/password.h +++ /dev/null @@ -1,80 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file password.h - * @author Zigniew Jasinski (z.jasinski@samsung.com) - * @author Lukasz Kostyra (l.kostyra@partner.samsung.com) - * @version 1.0 - * @brief Implementation of password service - */ - -#ifndef _SECURITY_SERVER_PASSWORD_ -#define _SECURITY_SERVER_PASSWORD_ - -#include - -#include -#include -#include -#include -#include - -#include - -namespace SecurityServer -{ - class PasswordService - : public SecurityServer::GenericSocketService - , public SecurityServer::ServiceThread - { - public: - class Exception - { - public: - DECLARE_EXCEPTION_TYPE(SecurityServer::Exception, Base) - DECLARE_EXCEPTION_TYPE(Base, IncorrectHeader) - }; - - //service functions - ServiceDescriptionVector GetServiceDescription(); - - DECLARE_THREAD_EVENT(AcceptEvent, accept) - DECLARE_THREAD_EVENT(WriteEvent, write) - DECLARE_THREAD_EVENT(ReadEvent, process) - DECLARE_THREAD_EVENT(CloseEvent, close) - - void accept(const AcceptEvent &event); - void write(const WriteEvent &event); - void process(const ReadEvent &event); - void close(const CloseEvent &event); - - private: - //internal service functions - bool processOne(const ConnectionID &conn, MessageBuffer &buffer, InterfaceID interfaceID); - int processCheckFunctions(PasswordHdrs hdr, MessageBuffer& buffer, unsigned int &cur_att, - unsigned int &max_att, unsigned int &exp_time); - int processSetFunctions(PasswordHdrs hdr, MessageBuffer& buffer); - int processResetFunctions(PasswordHdrs hdr, MessageBuffer& buffer); - - // service attributes - PasswordManager m_pwdManager; - ConnectionInfoMap m_connectionInfoMap; - }; -} // namespace SecurityServer - -#endif // _SECURITY_SERVER_PASSWORD_ diff --git a/src/server/service/privilege-by-pid.cpp b/src/server/service/privilege-by-pid.cpp deleted file mode 100644 index c7184f1..0000000 --- a/src/server/service/privilege-by-pid.cpp +++ /dev/null @@ -1,143 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file privilege-by-pid.cpp - * @author Jan Cybulski (j.cybulski@samsung.com) - * @version 1.0 - * @brief Implementation of check-privilege-by-pid service. - */ - -#include - -#include -#include - -#include -#include - -#include -#include -#include - -#include -#include - -namespace SecurityServer { - -GenericSocketService::ServiceDescriptionVector PrivilegeByPidService::GetServiceDescription() { - return ServiceDescriptionVector - {{SERVICE_SOCKET_PRIVILEGE_BY_PID, "security-server::api-privilege-by-pid" }}; -} - -void PrivilegeByPidService::accept(const AcceptEvent &event) { - LogDebug("Accept event. ConnectionID.sock: " << event.connectionID.sock - << " ConnectionID.counter: " << event.connectionID.counter - << " ServiceID: " << event.interfaceID); -} - -void PrivilegeByPidService::write(const WriteEvent &event) { - LogDebug("WriteEvent. ConnectionID: " << event.connectionID.sock << - " Size: " << event.size << " Left: " << event.left); - if (event.left == 0) - m_serviceManager->Close(event.connectionID); -} - -bool PrivilegeByPidService::processOne(const ConnectionID &conn, MessageBuffer &buffer) { - LogDebug("Iteration begin"); - - int retval; - int pid; - std::string object; - std::string access_rights; - char subject[SMACK_LABEL_LEN + 1] = {0}; - - int retCode = SECURITY_SERVER_API_ERROR_SERVER_ERROR; - - - if (!buffer.Ready()) { - return false; - } - - Try { - Deserialization::Deserialize(buffer, pid); - Deserialization::Deserialize(buffer, object); - Deserialization::Deserialize(buffer, access_rights); - } Catch (MessageBuffer::Exception::Base) { - LogDebug("Broken protocol. Closing socket."); - m_serviceManager->Close(conn); - return false; - } - - if (smack_check()) { - retval = smack_pid_have_access(pid, object.c_str(), access_rights.c_str()); - LogDebug("smack_pid_have_access returned " << retval); - - if (-1 != get_smack_label_from_process(pid, subject)) { - // subject label is set to empty string - LogError("get_smack_label_from_process failed. Subject label has not been read."); - } else { - LogSecureDebug("Subject label of client PID " << pid << " is: " << subject); - } - } else { - LogDebug("SMACK is not available. Subject label has not been read."); - retval = 1; - } - - if (retval == 1) //there is permission - retCode = SECURITY_SERVER_API_SUCCESS; - else //there is no permission - retCode = SECURITY_SERVER_API_ERROR_ACCESS_DENIED; - - MessageBuffer sendBuffer; - Serialization::Serialize(sendBuffer, retCode); - m_serviceManager->Write(conn, sendBuffer.Pop()); - - if (retval != 1) { - char *path = read_exe_path_from_proc(pid); - - LogSmackAudit("SS_SMACK: " - << "caller_pid=" << pid - << ", subject=" << subject - << ", object=" << object - << ", access=" << access_rights - << ", result=" << retval - << ", caller_path=" << (path ? path : "" )); - - free(path); - } - - return true; -} - -void PrivilegeByPidService::process(const ReadEvent &event) { - LogDebug("Read event for counter: " << event.connectionID.counter); - auto &buffer = m_messageBufferMap[event.connectionID.counter]; - buffer.Push(event.rawBuffer); - - // We can get several requests in one package. - // Extract and process them all - while(processOne(event.connectionID, buffer)); -} - -void PrivilegeByPidService::close(const CloseEvent &event) { - LogDebug("CloseEvent. ConnectionID: " << event.connectionID.sock); - m_messageBufferMap.erase(event.connectionID.counter); -} - -} // namespace SecurityServer - diff --git a/src/server/service/privilege-by-pid.h b/src/server/service/privilege-by-pid.h deleted file mode 100644 index da5cdde..0000000 --- a/src/server/service/privilege-by-pid.h +++ /dev/null @@ -1,60 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/*hcpp - * @author Jan Cybulski (j.cybulski@samsung.com) - * @version 1.0 - * @brief Implementation of api-check-privilege-by-pid - */ - -#ifndef _SECURITY_SERVER_PRIVILEGE_BY_PID_ -#define _SECURITY_SERVER_PRIVILEGE_BY_PID_ - -#include -#include - -#include - -namespace SecurityServer { - -class PrivilegeByPidService - : public SecurityServer::GenericSocketService - , public SecurityServer::ServiceThread -{ -public: - typedef std::map MessageBufferMap; - - ServiceDescriptionVector GetServiceDescription(); - - DECLARE_THREAD_EVENT(AcceptEvent, accept) - DECLARE_THREAD_EVENT(WriteEvent, write) - DECLARE_THREAD_EVENT(ReadEvent, process) - DECLARE_THREAD_EVENT(CloseEvent, close) - - void accept(const AcceptEvent &event); - void write(const WriteEvent &event); - void process(const ReadEvent &event); - void close(const CloseEvent &event); -private: - bool processOne(const ConnectionID &conn, MessageBuffer &buffer); - - MessageBufferMap m_messageBufferMap; -}; - -} // namespace SecurityServer - -#endif // _SECURITY_SERVER_DATA_SHARE_ diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt index e2ebc7a..a9b1ba9 100644 --- a/systemd/CMakeLists.txt +++ b/systemd/CMakeLists.txt @@ -1,15 +1,6 @@ INSTALL(FILES ${CMAKE_SOURCE_DIR}/systemd/security-server.service ${CMAKE_SOURCE_DIR}/systemd/security-server.target - ${CMAKE_SOURCE_DIR}/systemd/security-server-data-share.socket - ${CMAKE_SOURCE_DIR}/systemd/security-server-get-gid.socket - ${CMAKE_SOURCE_DIR}/systemd/security-server-privilege-by-pid.socket - ${CMAKE_SOURCE_DIR}/systemd/security-server-cookie-get.socket - ${CMAKE_SOURCE_DIR}/systemd/security-server-cookie-check.socket - ${CMAKE_SOURCE_DIR}/systemd/security-server-app-privilege-by-name.socket - ${CMAKE_SOURCE_DIR}/systemd/security-server-password-reset.socket - ${CMAKE_SOURCE_DIR}/systemd/security-server-password-check.socket - ${CMAKE_SOURCE_DIR}/systemd/security-server-password-set.socket ${CMAKE_SOURCE_DIR}/systemd/security-manager-installer.socket DESTINATION /usr/lib/systemd/system diff --git a/systemd/security-server-app-privilege-by-name.socket b/systemd/security-server-app-privilege-by-name.socket deleted file mode 100644 index 0b4e9f4..0000000 --- a/systemd/security-server-app-privilege-by-name.socket +++ /dev/null @@ -1,14 +0,0 @@ -[Socket] -ListenStream=/run/security-server/security-server-api-app-privilege-by-name.socket -SocketMode=0777 -SmackLabelIPIn=* -SmackLabelIPOut=@ - -Service=security-server.service - -[Unit] -Wants=security-server.target -Before=security-server.target - -[Install] -WantedBy=sockets.target diff --git a/systemd/security-server-cookie-check.socket b/systemd/security-server-cookie-check.socket deleted file mode 100644 index 58d09a0..0000000 --- a/systemd/security-server-cookie-check.socket +++ /dev/null @@ -1,14 +0,0 @@ -[Socket] -ListenStream=/run/security-server/security-server-api-cookie-check.socket -SocketMode=0777 -SmackLabelIPIn=* -SmackLabelIPOut=@ - -Service=security-server.service - -[Unit] -Wants=security-server.target -Before=security-server.target - -[Install] -WantedBy=sockets.target diff --git a/systemd/security-server-cookie-get.socket b/systemd/security-server-cookie-get.socket deleted file mode 100644 index 193b5f8..0000000 --- a/systemd/security-server-cookie-get.socket +++ /dev/null @@ -1,14 +0,0 @@ -[Socket] -ListenStream=/run/security-server/security-server-api-cookie-get.socket -SocketMode=0777 -SmackLabelIPIn=* -SmackLabelIPOut=@ - -Service=security-server.service - -[Unit] -Wants=security-server.target -Before=security-server.target - -[Install] -WantedBy=sockets.target diff --git a/systemd/security-server-data-share.socket b/systemd/security-server-data-share.socket deleted file mode 100644 index 82a8d36..0000000 --- a/systemd/security-server-data-share.socket +++ /dev/null @@ -1,14 +0,0 @@ -[Socket] -ListenStream=/run/security-server/security-server-api-data-share.socket -SocketMode=0777 -SmackLabelIPIn=* -SmackLabelIPOut=@ - -Service=security-server.service - -[Unit] -Wants=security-server.target -Before=security-server.target - -[Install] -WantedBy=sockets.target diff --git a/systemd/security-server-get-gid.socket b/systemd/security-server-get-gid.socket deleted file mode 100644 index 3cca2c1..0000000 --- a/systemd/security-server-get-gid.socket +++ /dev/null @@ -1,14 +0,0 @@ -[Socket] -ListenStream=/run/security-server/security-server-api-get-gid.socket -SocketMode=0777 -SmackLabelIPIn=* -SmackLabelIPOut=@ - -Service=security-server.service - -[Unit] -Wants=security-server.target -Before=security-server.target - -[Install] -WantedBy=sockets.target diff --git a/systemd/security-server-password-check.socket b/systemd/security-server-password-check.socket deleted file mode 100644 index be9c2fb..0000000 --- a/systemd/security-server-password-check.socket +++ /dev/null @@ -1,14 +0,0 @@ -[Socket] -ListenStream=/run/security-server/security-server-api-password-check.socket -SocketMode=0777 -SmackLabelIPIn=* -SmackLabelIPOut=@ - -Service=security-server.service - -[Unit] -Wants=security-server.target -Before=security-server.target - -[Install] -WantedBy=sockets.target diff --git a/systemd/security-server-password-reset.socket b/systemd/security-server-password-reset.socket deleted file mode 100644 index 37caf4f..0000000 --- a/systemd/security-server-password-reset.socket +++ /dev/null @@ -1,14 +0,0 @@ -[Socket] -ListenStream=/run/security-server/security-server-api-password-reset.socket -SocketMode=0777 -SmackLabelIPIn=* -SmackLabelIPOut=@ - -Service=security-server.service - -[Unit] -Wants=security-server.target -Before=security-server.target - -[Install] -WantedBy=sockets.target diff --git a/systemd/security-server-password-set.socket b/systemd/security-server-password-set.socket deleted file mode 100644 index 1c0f2ed..0000000 --- a/systemd/security-server-password-set.socket +++ /dev/null @@ -1,14 +0,0 @@ -[Socket] -ListenStream=/run/security-server/security-server-api-password-set.socket -SocketMode=0777 -SmackLabelIPIn=* -SmackLabelIPOut=@ - -Service=security-server.service - -[Unit] -Wants=security-server.target -Before=security-server.target - -[Install] -WantedBy=sockets.target diff --git a/systemd/security-server-privilege-by-pid.socket b/systemd/security-server-privilege-by-pid.socket deleted file mode 100644 index 1b38aa5..0000000 --- a/systemd/security-server-privilege-by-pid.socket +++ /dev/null @@ -1,14 +0,0 @@ -[Socket] -ListenStream=/run/security-server/security-server-api-privilege-by-pid.socket -SocketMode=0777 -SmackLabelIPIn=* -SmackLabelIPOut=@ - -Service=security-server.service - -[Unit] -Wants=security-server.target -Before=security-server.target - -[Install] -WantedBy=sockets.target -- 2.7.4 From 6dcacb523e9a51373b5a4f923bc2a8b51c0dc895 Mon Sep 17 00:00:00 2001 From: Jan Cybulski Date: Fri, 13 Jun 2014 09:22:32 +0200 Subject: [PATCH 06/16] Change package name to security-manager. Change filenames according to new package name. Change server binary file name to security-manager Update CMake files accordingly Change-Id: Ic7dbcf5a401055c38a637b8edf4ebdb5b6be8d49 Signed-off-by: Jan Cybulski --- CMakeLists.txt | 7 ++-- ...y-server.manifest => security-manager.manifest} | 0 ...{security-server.spec => security-manager.spec} | 41 +++++++++++----------- ...erver-audit.conf => security-manager-audit.conf | 0 src/CMakeLists.txt | 28 +++++++-------- src/server/dpl/log/src/audit-smack-log.cpp | 4 +-- src/server/dpl/log/src/dlog_log_provider.cpp | 2 +- ...y-server-util.cpp => security-manager-util.cpp} | 2 +- ...urity-server-util.h => security-manager-util.h} | 0 src/server/service/installer.cpp | 2 +- systemd/CMakeLists.txt | 4 +-- systemd/security-manager-installer.socket | 6 ++-- systemd/security-manager.service | 11 ++++++ systemd/security-manager.target | 4 +++ systemd/security-server.service | 21 ----------- systemd/security-server.target | 4 --- 16 files changed, 63 insertions(+), 73 deletions(-) rename packaging/{security-server.manifest => security-manager.manifest} (100%) rename packaging/{security-server.spec => security-manager.spec} (77%) rename security-server-audit.conf => security-manager-audit.conf (100%) rename src/server/main/{security-server-util.cpp => security-manager-util.cpp} (98%) rename src/server/main/{security-server-util.h => security-manager-util.h} (100%) create mode 100644 systemd/security-manager.service create mode 100644 systemd/security-manager.target delete mode 100644 systemd/security-server.service delete mode 100644 systemd/security-server.target diff --git a/CMakeLists.txt b/CMakeLists.txt index d3e2657..282a76b 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -20,7 +20,7 @@ ############################# Check minimum CMake version ##################### CMAKE_MINIMUM_REQUIRED(VERSION 2.6) -PROJECT("security-server") +PROJECT("security-manager") ############################# cmake packages ################################## @@ -58,9 +58,10 @@ IF (CMAKE_BUILD_TYPE MATCHES "DEBUG") ADD_DEFINITIONS("-DBUILD_TYPE_DEBUG") ENDIF (CMAKE_BUILD_TYPE MATCHES "DEBUG") -SET(TARGET_SECURITY_SERVER "security-server") + +SET(TARGET_SECURITY_MANAGER "security-manager") SET(TARGET_SECURITY_MANAGER_CLIENT "security-manager-client") -SET(TARGET_SERVER_COMMON "security-server-commons") +SET(TARGET_SERVER_COMMON "security-manager-commons") ADD_SUBDIRECTORY(src) ADD_SUBDIRECTORY(build) diff --git a/packaging/security-server.manifest b/packaging/security-manager.manifest similarity index 100% rename from packaging/security-server.manifest rename to packaging/security-manager.manifest diff --git a/packaging/security-server.spec b/packaging/security-manager.spec similarity index 77% rename from packaging/security-server.spec rename to packaging/security-manager.spec index a2f085f..48c2f49 100644 --- a/packaging/security-server.spec +++ b/packaging/security-manager.spec @@ -1,11 +1,11 @@ -Name: security-server -Summary: Security server and utilities -Version: 0.0.119 +Name: security-manager +Summary: Security manager and utilities +Version: 0.0.1 Release: 1 Group: Security/Service License: Apache-2.0 Source0: %{name}-%{version}.tar.gz -Source1: security-server.manifest +Source1: security-manager.manifest Source3: libsecurity-manager-client.manifest BuildRequires: cmake BuildRequires: zip @@ -18,12 +18,12 @@ BuildRequires: pkgconfig(libsystemd-daemon) %{?systemd_requires} %description -Tizen security server and utilities +Tizen security manager and utilities %package -n libsecurity-manager-client Summary: Security manager (client) Group: Security/Libraries -Requires: security-server = %{version}-%{release} +Requires: security-manager = %{version}-%{release} Requires(post): /sbin/ldconfig Requires(postun): /sbin/ldconfig @@ -63,14 +63,14 @@ mkdir -p %{buildroot}/usr/share/license cp LICENSE %{buildroot}/usr/share/license/%{name} cp LICENSE %{buildroot}/usr/share/license/libsecurity-manager-client mkdir -p %{buildroot}/etc/security/ -cp security-server-audit.conf %{buildroot}/etc/security/ +cp security-manager-audit.conf %{buildroot}/etc/security/ mkdir -p %{buildroot}/etc/smack/ cp app-rules-template.smack %{buildroot}/etc/smack/ %make_install mkdir -p %{buildroot}/usr/lib/systemd/system/multi-user.target.wants mkdir -p %{buildroot}/usr/lib/systemd/system/sockets.target.wants -ln -s ../security-server.service %{buildroot}/usr/lib/systemd/system/multi-user.target.wants/security-server.service +ln -s ../security-manager.service %{buildroot}/usr/lib/systemd/system/multi-user.target.wants/security-manager.service ln -s ../security-manager-installer.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-manager-installer.socket %clean @@ -80,18 +80,18 @@ rm -rf %{buildroot} systemctl daemon-reload if [ $1 = 1 ]; then # installation - systemctl start security-server.service + systemctl start security-manager.service fi if [ $1 = 2 ]; then # update - systemctl restart security-server.service + systemctl restart security-manager.service fi %preun if [ $1 = 0 ]; then # unistall - systemctl stop security-server.service + systemctl stop security-manager.service fi %postun @@ -104,21 +104,20 @@ fi %postun -n libsecurity-manager-client -p /sbin/ldconfig -%files -n security-server -%manifest security-server.manifest +%files -n security-manager +%manifest security-manager.manifest %defattr(-,root,root,-) -%attr(755,root,root) /usr/bin/security-server -%{_libdir}/libsecurity-server-commons.so.* -%attr(-,root,root) /usr/lib/systemd/system/multi-user.target.wants/security-server.service -%attr(-,root,root) /usr/lib/systemd/system/security-server.service -%attr(-,root,root) /usr/lib/systemd/system/security-server.target +%attr(755,root,root) /usr/bin/security-manager +%{_libdir}/libsecurity-manager-commons.so.* +%attr(-,root,root) /usr/lib/systemd/system/multi-user.target.wants/security-manager.service +%attr(-,root,root) /usr/lib/systemd/system/security-manager.service +%attr(-,root,root) /usr/lib/systemd/system/security-manager.target %attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-manager-installer.socket %attr(-,root,root) /usr/lib/systemd/system/security-manager-installer.socket -%attr(-,root,root) /etc/security/security-server-audit.conf +%attr(-,root,root) /etc/security/security-manager-audit.conf %attr(-,root,root) /etc/smack/app-rules-template.smack %{_datadir}/license/%{name} - %files -n libsecurity-manager-client %manifest libsecurity-manager-client.manifest %defattr(-,root,root,-) @@ -129,7 +128,7 @@ fi %manifest %{name}.manifest %defattr(-,root,root,-) %{_libdir}/libsecurity-manager-client.so -%{_libdir}/libsecurity-server-commons.so +%{_libdir}/libsecurity-manager-commons.so %{_includedir}/security-manager/security-manager.h %{_includedir}/security-server/security-server.h %{_libdir}/pkgconfig/security-manager.pc diff --git a/security-server-audit.conf b/security-manager-audit.conf similarity index 100% rename from security-server-audit.conf rename to security-manager-audit.conf diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index f3fd02c..c1fc8ce 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -1,4 +1,4 @@ -PKG_CHECK_MODULES(SECURITY_SERVER_DEP +PKG_CHECK_MODULES(SECURITY_MANAGER_DEP dlog libsmack libprivilege-control @@ -6,11 +6,11 @@ PKG_CHECK_MODULES(SECURITY_SERVER_DEP REQUIRED ) -SET(SECURITY_SERVER_PATH ${PROJECT_SOURCE_DIR}/src) +SET(SECURITY_MANAGER_PATH ${PROJECT_SOURCE_DIR}/src) SET(SERVER2_PATH ${PROJECT_SOURCE_DIR}/src/server) -SET(SECURITY_SERVER_SOURCES - ${SERVER2_PATH}/main/security-server-util.cpp +SET(SECURITY_MANAGER_SOURCES + ${SERVER2_PATH}/main/security-manager-util.cpp ${SERVER2_PATH}/main/generic-socket-manager.cpp ${SERVER2_PATH}/main/socket-manager.cpp ${SERVER2_PATH}/main/server2-main.cpp @@ -20,16 +20,16 @@ SET(SECURITY_SERVER_SOURCES ) SET_SOURCE_FILES_PROPERTIES( - ${SECURITY_SERVER_SOURCES} + ${SECURITY_MANAGER_SOURCES} PROPERTIES COMPILE_FLAGS "-D_GNU_SOURCE -fvisibility=hidden") INCLUDE_DIRECTORIES(SYSTEM - ${SECURITY_SERVER_DEP_INCLUDE_DIRS} + ${SECURITY_MANAGER_DEP_INCLUDE_DIRS} ) INCLUDE_DIRECTORIES( - ${SECURITY_SERVER_PATH}/include + ${SECURITY_MANAGER_PATH}/include ${SERVER2_PATH}/main ${SERVER2_PATH}/common ${SERVER2_PATH}/service @@ -37,10 +37,10 @@ INCLUDE_DIRECTORIES( ${SERVER2_PATH}/dpl/log/include ) -ADD_EXECUTABLE(${TARGET_SECURITY_SERVER} ${SECURITY_SERVER_SOURCES}) +ADD_EXECUTABLE(${TARGET_SECURITY_MANAGER} ${SECURITY_MANAGER_SOURCES}) -TARGET_LINK_LIBRARIES(${TARGET_SECURITY_SERVER} - ${SECURITY_SERVER_DEP_LIBRARIES} +TARGET_LINK_LIBRARIES(${TARGET_SECURITY_MANAGER} + ${SECURITY_MANAGER_DEP_LIBRARIES} ${TARGET_SERVER_COMMON} -lcap ) @@ -74,7 +74,7 @@ SET_TARGET_PROPERTIES( ) TARGET_LINK_LIBRARIES(${TARGET_SECURITY_MANAGER_CLIENT} - ${SECURITY_SERVER_DEP_LIBRARIES} + ${SECURITY_MANAGER_DEP_LIBRARIES} ${TARGET_SERVER_COMMON} ) @@ -82,15 +82,15 @@ TARGET_LINK_LIBRARIES(${TARGET_SECURITY_MANAGER_CLIENT} INSTALL(TARGETS ${TARGET_SECURITY_MANAGER_CLIENT} DESTINATION ${LIB_INSTALL_DIR}) -INSTALL(TARGETS ${TARGET_SECURITY_SERVER} DESTINATION bin) +INSTALL(TARGETS ${TARGET_SECURITY_MANAGER} DESTINATION bin) INSTALL(FILES - ${SECURITY_SERVER_PATH}/include/security-server.h + ${SECURITY_MANAGER_PATH}/include/security-server.h DESTINATION ${INCLUDE_INSTALL_DIR}/security-server ) INSTALL(FILES - ${SECURITY_SERVER_PATH}/include/security-manager.h + ${SECURITY_MANAGER_PATH}/include/security-manager.h DESTINATION ${INCLUDE_INSTALL_DIR}/security-manager ) diff --git a/src/server/dpl/log/src/audit-smack-log.cpp b/src/server/dpl/log/src/audit-smack-log.cpp index e33efbb..8960b51 100644 --- a/src/server/dpl/log/src/audit-smack-log.cpp +++ b/src/server/dpl/log/src/audit-smack-log.cpp @@ -46,10 +46,10 @@ namespace { const std::string AUDIT_CONFIG_LOG_PATH = "/etc/security/"; -const std::string AUDIT_CONFIG_FILENAME = "security-server-audit.conf"; +const std::string AUDIT_CONFIG_FILENAME = "security-manager-audit.conf"; const std::string AUDIT_LOG_DIRECTORY = "/var/log/audit/"; const std::string AUDIT_LOG_FILENAME_PREFIX = "audit-smack"; -const std::string AUDIT_LOG_SMACK_LABEL = "security-server::audit-files"; +const std::string AUDIT_LOG_SMACK_LABEL = "security-manager::audit-files"; } // namespace anonymous diff --git a/src/server/dpl/log/src/dlog_log_provider.cpp b/src/server/dpl/log/src/dlog_log_provider.cpp index 90f0713..ffe23da 100644 --- a/src/server/dpl/log/src/dlog_log_provider.cpp +++ b/src/server/dpl/log/src/dlog_log_provider.cpp @@ -99,7 +99,7 @@ void DLOGLogProvider::Pedantic(const char *message, int line, const char *function) { - SLOG(LOG_DEBUG, "SecurityServer", "%s", FormatMessage(message, + SLOG(LOG_DEBUG, "SecurityManager", "%s", FormatMessage(message, filename, line, function).c_str()); diff --git a/src/server/main/security-server-util.cpp b/src/server/main/security-manager-util.cpp similarity index 98% rename from src/server/main/security-server-util.cpp rename to src/server/main/security-manager-util.cpp index d5363b9..b0febfa 100644 --- a/src/server/main/security-server-util.cpp +++ b/src/server/main/security-manager-util.cpp @@ -26,7 +26,7 @@ #include -#include +#include #include namespace { diff --git a/src/server/main/security-server-util.h b/src/server/main/security-manager-util.h similarity index 100% rename from src/server/main/security-server-util.h rename to src/server/main/security-manager-util.h diff --git a/src/server/service/installer.cpp b/src/server/service/installer.cpp index 92d98ad..9f594fa 100644 --- a/src/server/service/installer.cpp +++ b/src/server/service/installer.cpp @@ -266,7 +266,7 @@ InstallerService::InstallerService() GenericSocketService::ServiceDescriptionVector InstallerService::GetServiceDescription() { return ServiceDescriptionVector { - {SERVICE_SOCKET_INSTALLER, "security-server::installer", INSTALLER_IFACE}, + {SERVICE_SOCKET_INSTALLER, "security-manager::installer", INSTALLER_IFACE}, }; } diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt index a9b1ba9..b432ad4 100644 --- a/systemd/CMakeLists.txt +++ b/systemd/CMakeLists.txt @@ -1,6 +1,6 @@ INSTALL(FILES - ${CMAKE_SOURCE_DIR}/systemd/security-server.service - ${CMAKE_SOURCE_DIR}/systemd/security-server.target + ${CMAKE_SOURCE_DIR}/systemd/security-manager.service + ${CMAKE_SOURCE_DIR}/systemd/security-manager.target ${CMAKE_SOURCE_DIR}/systemd/security-manager-installer.socket DESTINATION /usr/lib/systemd/system diff --git a/systemd/security-manager-installer.socket b/systemd/security-manager-installer.socket index 834a11f..e851c79 100644 --- a/systemd/security-manager-installer.socket +++ b/systemd/security-manager-installer.socket @@ -5,11 +5,11 @@ SmackLabelIPIn=* SmackLabelIPOut=@ # TODO: move to separate systemd service -Service=security-server.service +Service=security-manager.service [Unit] -Wants=security-server.target -Before=security-server.target +Wants=security-manager.target +Before=security-manager.target [Install] WantedBy=sockets.target diff --git a/systemd/security-manager.service b/systemd/security-manager.service new file mode 100644 index 0000000..e96e6fb --- /dev/null +++ b/systemd/security-manager.service @@ -0,0 +1,11 @@ +[Unit] +Description=Start the security manager + +[Service] +Type=notify +ExecStart=/usr/bin/security-manager + +Sockets=security-manager-installer.socket + +[Install] +WantedBy=multi-user.target diff --git a/systemd/security-manager.target b/systemd/security-manager.target new file mode 100644 index 0000000..8586718 --- /dev/null +++ b/systemd/security-manager.target @@ -0,0 +1,4 @@ +[Unit] +Description=security-manager sockets +DefaultDependencies=true + diff --git a/systemd/security-server.service b/systemd/security-server.service deleted file mode 100644 index 84d19c2..0000000 --- a/systemd/security-server.service +++ /dev/null @@ -1,21 +0,0 @@ -[Unit] -Description=Start the security server - -[Service] -Type=notify -ExecStart=/usr/bin/security-server -Sockets=security-server-data-share.socket -Sockets=security-server-get-gid.socket -Sockets=security-server-privilege-by-pid.socket -Sockets=security-server-app-privilege-by-name.socket -Sockets=security-server-cookie-get.socket -Sockets=security-server-cookie-check.socket -Sockets=security-server-password-check.socket -Sockets=security-server-password-set.socket -Sockets=security-server-password-reset.socket - -#TODO: move bellow to separate systemd service -Sockets=security-manager-installer.socket - -[Install] -WantedBy=multi-user.target diff --git a/systemd/security-server.target b/systemd/security-server.target deleted file mode 100644 index 9885544..0000000 --- a/systemd/security-server.target +++ /dev/null @@ -1,4 +0,0 @@ -[Unit] -Description=security-server sockets -DefaultDependencies=true - -- 2.7.4 From aa4d1bdf5e76054751c4210b5dd5396bd053ba73 Mon Sep 17 00:00:00 2001 From: Jan Cybulski Date: Mon, 16 Jun 2014 14:42:54 +0200 Subject: [PATCH 07/16] Move needed declarations from serurity-server.h to security-manager.h Delete file security-server.h, that is not needed any more. Change-Id: I2c90610106e58ec55f216c654e09595cf98be3c9 Signed-off-by: Jan Cybulski --- packaging/security-manager.spec | 1 - src/CMakeLists.txt | 5 - src/include/security-manager.h | 69 ++ src/include/security-server.h | 1003 ------------------------- src/server/client/client-common.cpp | 56 +- src/server/client/client-security-manager.cpp | 10 +- src/server/service/installer.cpp | 19 +- 7 files changed, 111 insertions(+), 1052 deletions(-) delete mode 100644 src/include/security-server.h diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec index 48c2f49..4487539 100644 --- a/packaging/security-manager.spec +++ b/packaging/security-manager.spec @@ -130,5 +130,4 @@ fi %{_libdir}/libsecurity-manager-client.so %{_libdir}/libsecurity-manager-commons.so %{_includedir}/security-manager/security-manager.h -%{_includedir}/security-server/security-server.h %{_libdir}/pkgconfig/security-manager.pc diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index c1fc8ce..08fe241 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -85,11 +85,6 @@ INSTALL(TARGETS ${TARGET_SECURITY_MANAGER_CLIENT} DESTINATION ${LIB_INSTALL_DIR} INSTALL(TARGETS ${TARGET_SECURITY_MANAGER} DESTINATION bin) INSTALL(FILES - ${SECURITY_MANAGER_PATH}/include/security-server.h - DESTINATION ${INCLUDE_INSTALL_DIR}/security-server - ) - -INSTALL(FILES ${SECURITY_MANAGER_PATH}/include/security-manager.h DESTINATION ${INCLUDE_INSTALL_DIR}/security-manager ) diff --git a/src/include/security-manager.h b/src/include/security-manager.h index befb039..ddcd599 100644 --- a/src/include/security-manager.h +++ b/src/include/security-manager.h @@ -29,6 +29,75 @@ #include +/** + * \name Return Codes + * exported by the foundation API. + * result codes begin with the start error code and extend into negative direction. + * @{ +*/ +#define SECURITY_MANAGER_API_SUCCESS 0 +/*! \brief indicating the result of the one specific API is successful */ +#define SECURITY_MANAGER_API_ERROR_SOCKET -1 + +/*! \brief indicating the socket between client and Security Manager has been failed */ +#define SECURITY_MANAGER_API_ERROR_BAD_REQUEST -2 + +/*! \brief indicating the response from Security Manager is malformed */ +#define SECURITY_MANAGER_API_ERROR_BAD_RESPONSE -3 + +/*! \brief indicating the requested service does not exist */ +#define SECURITY_MANAGER_API_ERROR_NO_SUCH_SERVICE -4 + +/*! \brief indicating requesting object is not exist */ +#define SECURITY_MANAGER_API_ERROR_NO_SUCH_OBJECT -6 + +/*! \brief indicating the authentication between client and server has been failed */ +#define SECURITY_MANAGER_API_ERROR_AUTHENTICATION_FAILED -7 + +/*! \brief indicating the API's input parameter is malformed */ +#define SECURITY_MANAGER_API_ERROR_INPUT_PARAM -8 + +/*! \brief indicating the output buffer size which is passed as parameter is too small */ +#define SECURITY_MANAGER_API_ERROR_BUFFER_TOO_SMALL -9 + +/*! \brief indicating system is running out of memory state */ +#define SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY -10 + +/*! \brief indicating the access has been denied by Security Manager */ +#define SECURITY_MANAGER_API_ERROR_ACCESS_DENIED -11 + +/*! \brief indicating Security Manager has been failed for some reason */ +#define SECURITY_MANAGER_API_ERROR_SERVER_ERROR -12 + +/*! \brief indicating getting smack label from socket failed */ +#define SECURITY_MANAGER_API_ERROR_GETTING_SOCKET_LABEL_FAILED -21 + +/*! \brief indicating getting smack label from file failed */ +#define SECURITY_MANAGER_API_ERROR_GETTING_FILE_LABEL_FAILED -22 + +/*! \brief indicating setting smack label for file failed */ +#define SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED -23 + +/*! \brief indicating file already exists */ +#define SECURITY_MANAGER_API_ERROR_FILE_EXIST -24 + +/*! \brief indicating file does not exist */ +#define SECURITY_MANAGER_API_ERROR_FILE_NOT_EXIST -25 + +/*! \brief indicating file open error */ +#define SECURITY_MANAGER_API_ERROR_FILE_OPEN_FAILED -26 + +/*! \brief indicating file creation error */ +#define SECURITY_MANAGER_API_ERROR_FILE_CREATION_FAILED -27 + +/*! \brief indicating file deletion error */ +#define SECURITY_MANAGER_API_ERROR_FILE_DELETION_FAILED -28 + +/*! \brief indicating the error with unknown reason */ +#define SECURITY_MANAGER_API_ERROR_UNKNOWN -255 +/** @}*/ + + #ifdef __cplusplus extern "C" { #endif diff --git a/src/include/security-server.h b/src/include/security-server.h deleted file mode 100644 index 67c0273..0000000 --- a/src/include/security-server.h +++ /dev/null @@ -1,1003 +0,0 @@ -/* - * security-server - * - * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - * - */ - -#ifndef SECURITY_SERVER_H -#define SECURITY_SERVER_H - -#include -#include - -/** - * @file security-server.h - * @version 1.0 - * @brief This file contains APIs of the Security Server -*/ - -/** - * @defgroup SecurityFW - * @{ - * - * @defgroup SECURITY_SERVER Security Server - * @version 1.0 - * @brief Security Server client library functions - * -*/ - -/** - * @addtogroup SECURITY_SERVER - * @{ -*/ - -/* - * ==================================================================================================== - * - * - * Revision History: - * - * -- Company Name -- | Modification Date | Description of Changes - * ----------------------------------------------------------------------- - * --- Samsung ------ | --- 2010-07-25 -- | First created - * - * - */ - -/** - * \name Return Codes - * exported by the foundation API. - * result codes begin with the start error code and extend into negative direction. - * @{ -*/ -#define SECURITY_SERVER_API_SUCCESS 0 -/*! \brief indicating the result of the one specific API is successful */ -#define SECURITY_SERVER_API_ERROR_SOCKET -1 - -/*! \brief indicating the socket between client and Security Server has been failed */ -#define SECURITY_SERVER_API_ERROR_BAD_REQUEST -2 - -/*! \brief indicating the response from Security Server is malformed */ -#define SECURITY_SERVER_API_ERROR_BAD_RESPONSE -3 - -/*! \brief indicating the requested service does not exist */ -#define SECURITY_SERVER_API_ERROR_NO_SUCH_SERVICE -4 - -/*! \brief indicating requesting object is not exist */ -#define SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT -6 - -/*! \brief indicating the authentication between client and server has been failed */ -#define SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED -7 - -/*! \brief indicating the API's input parameter is malformed */ -#define SECURITY_SERVER_API_ERROR_INPUT_PARAM -8 - -/*! \brief indicating the output buffer size which is passed as parameter is too small */ -#define SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL -9 - -/*! \brief indicating system is running out of memory state */ -#define SECURITY_SERVER_API_ERROR_OUT_OF_MEMORY -10 - -/*! \brief indicating the access has been denied by Security Server */ -#define SECURITY_SERVER_API_ERROR_ACCESS_DENIED -11 - -/*! \brief indicating Security Server has been failed for some reason */ -#define SECURITY_SERVER_API_ERROR_SERVER_ERROR -12 - -/*! \brief indicating given cookie is not exist in the database */ -#define SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE -13 - -/*! \brief indicating there is no phone password set */ -#define SECURITY_SERVER_API_ERROR_NO_PASSWORD -14 - -/*! \brief indicating password exists in system */ -#define SECURITY_SERVER_API_ERROR_PASSWORD_EXIST -15 - -/*! \brief indicating password mismatch */ -#define SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH -16 - -/*! \brief indicating password retry timeout is not occurred yet */ -#define SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER -17 - -/*! \brief indicating password retry timeout is not occurred yet */ -#define SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED -18 - -/*! \brief indicating password retry timeout is not occurred yet */ -#define SECURITY_SERVER_API_ERROR_PASSWORD_EXPIRED -19 - -/*! \brief indicating password retry timeout is not occurred yet */ -#define SECURITY_SERVER_API_ERROR_PASSWORD_REUSED -20 - -/*! \brief indicating getting smack label from socket failed */ -#define SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED -21 - -/*! \brief indicating getting smack label from file failed */ -#define SECURITY_SERVER_API_ERROR_GETTING_FILE_LABEL_FAILED -22 - -/*! \brief indicating setting smack label for file failed */ -#define SECURITY_SERVER_API_ERROR_SETTING_FILE_LABEL_FAILED -23 - -/*! \brief indicating file already exists */ -#define SECURITY_SERVER_API_ERROR_FILE_EXIST -24 - -/*! \brief indicating file does not exist */ -#define SECURITY_SERVER_API_ERROR_FILE_NOT_EXIST -25 - -/*! \brief indicating file open error */ -#define SECURITY_SERVER_API_ERROR_FILE_OPEN_FAILED -26 - -/*! \brief indicating file creation error */ -#define SECURITY_SERVER_API_ERROR_FILE_CREATION_FAILED -27 - -/*! \brief indicating file deletion error */ -#define SECURITY_SERVER_API_ERROR_FILE_DELETION_FAILED -28 - -/*! \brief indicating the error with unknown reason */ -#define SECURITY_SERVER_API_ERROR_UNKNOWN -255 -/** @}*/ - - -#ifdef __cplusplus -extern "C" { -#endif - - - -/** - * \par Description: - * Retreives Linux group ID from object name which is passed by parameter - * - * \par Purpose: - * This API may be used before security_server_check_privilege() API by middleware daemon to get group ID of a specific object. - * - * \par Typical use case: - * In middleware daemon, before checking privilege of a service the daemon need to know the GID of the service. This API support the functionality. - * - * \par Method of function operation: - * Opens /etc/group file and searches the object name as group name. If there is matching result, returns GID as integer - * - * \par Sync (or) Async: - * This is a Synchronous API. - * - * \par Important notes: - * - This API is only allowed to be called by pre-defined middleware daemon - * - * \param[in] object Name of the object which is kwnown by the caller. - * - * \return matching gid (positive integer) on success, or negative error code on error. - * - * \par Prospective clients: - * Inhouse middleware - * - * \par Known issues/bugs: - * None - * - * \pre None - * - * \post None - * - * \see /etc/group, - * security_server_get_object_name(), security_server_check_privilege() - * - * \remarks None - * - * \par Sample code: - * \code - * #include - * ... - * int retval; - * - * // You have to make sure that the input param '*object' is defined in the platform - * retval = security_server_get_gid("telephony_makecall"); - * if(retval < 0) - * { - * printf("%s", "Error has occurred\n"); - * exit(0); - * } - * ... - * \endcode - * - * Access to this function requires SMACK rule: " security-server::api-get-gid w" -*/ -int security_server_get_gid(const char *object); - -/** - * \par Description: - * Request cookie to the Security Server. Cookie is a random bit stream which is used as ticket for user space object. - * - * \par Purpose: - * This API may be used by application and client middleware process to get access to middleware daemons. - * - * \par Typical use case: - * When an application process wants to get access to some middleware object, first call this API to get cookie value. Then it calls the service API to get service with the cookie value. - * - * \par Method of function operation: - * Caller process just send request message. Security Server checks proc file system to get list of gIDs the caller belongs, then create a random cookie and responds to caller. - * - * \par Sync (or) Async: - * This is a Synchronous API. - * - * \par Important notes: - * Cookie needs to be stored relatively secure. - * - * \param[out] cookie Place holder for cookie value. - * \param[in] max_cookie Allocated byte size of parameter "cookie". - * - * \return 0 on success, or negative error code on error. - * - * \par Prospective clients: - * Any process - * - * \par Known issues/bugs: - * None - * - * \pre output parameter cookie must be malloced before calling this API not to make memory curruption - * Size of the cookie can be retrieved by security_server_get_cookie_size() API. - * - * \post None - * - * \see security_server_check_privilege(), security_server_get_cookie_size() - * - * \remarks None - * - * \par Sample code: - * \code - * #include - * ... - * int retval; - * size_t cookie_size; - * cookie_size = security_server_get_cookie_size(); - * unsigned char cookie[cookie_size]; - * - * // Call the API - * retval = security_server_request_cookie(cookie, cookie_size); - * if(retval < 0) - * { - * printf("%s", "Error has occurred\n"); - * exit(0); - * } - * ... - * \endcode - * - * Access to this function not requires SMACK rule -*/ -int security_server_request_cookie(char *cookie, size_t bufferSize); - - - -/** - * \par Description: - * This API gets the cookie's byte size which is issued by Security Server. - * - * \par Purpose: - * This API may be used by application and middleware process to get size of cookie before getting and storing cookie value. - * - * \par Typical use case: - * When an application process wants to get access to some middleware object, first call this API to get cookie value. Then it calls the service API to get service with the cookie value. - * - * \par Method of function operation: - * This API just returns pre-defined integer value as cookie size. - * - * \par Sync (or) Async: - * This is a Synchronous API. - * - * \par Important notes: - * None - * - * \return Always returns byte size of the cookie. - * - * \par Prospective clients: - * Any process - * - * \par Known issues/bugs: - * None - * - * \pre None - * - * \post None - * - * \see security_server_request_cookie() - - * \remarks None - * - * \par Sample code: - * \code - * #include - * ... - * int retval; - * size_t cookie_size; - * - * // API calling - * cookie_size = security_server_get_cookie_size(); - * unsigned char cookie[cookie_size]; - * - * char objectname[20]; - * retval = security_server_request_cookie(cookie, cookie_size); - * if(retval < 0) - * { - * printf("%s", "Error has occurred\n"); - * exit(0); - * } - * ... - * \endcode - * - * Access to this function not requires SMACK rule -*/ -int security_server_get_cookie_size(void); - - - -/** - * \par Description: - * This API checks the cookie is allowed to access to given object. - * - * \par Purpose: - * This API may be used by middleware process to ask the client application has privilege for the given object. - * - * \par Typical use case: - * When middleware server receives request message from client application process with cookie value, it calls this API to ask to Security Server that the client application has privilege to access the service. If yes, then the middleware daemon can continue service, if not, it can return error to client application. - * - * \par Method of function operation: - * When Security Server receives this request, it searches cookie database and check the cookie is there, if there is matching cookie, then it checks the cookie has the privilege. It returns success if there is match, if not, it returns error. - * - * \par Sync (or) Async: - * This is a Synchronous API. - * - * \par Important notes: - * Cookie value needs to be stored relatively secure\n - * Privilege should be pre-defined by Platform design. - * - * \param[in] cookie Received cookie value from client application - * \param[in] privilege Object group ID which the client application wants to access - * - * \return 0 on success, or negative error code on error. - * - * \par Prospective clients: - * Only pre-defiend middleware daemons - * - * \par Known issues/bugs: - * None - * \pre None - * - * \post None - * - * \see security_server_request_cookie(), security_server_get_gid(), security_server_get_cookie_size() - * - * \remarks None - * - * \par Sample code: - * \code - * #include - * ... - * int retval; - * size_t cookie_size; - * int call_gid; - * cookie_size = security_server_get_cookie_size(); - * unsigned char recved_cookie[cookie_size]; - * - * ... // Receiving request with cookie - * - * call_gid = security_server_get_gid("telephony_makecall"); - * retval = security_server_check_privilege(recved_cookie, (gid_t)call_gid); - * if(retval < 0) - * { - * if(retval == SECURITY_SERVER_API_ERROR_ACCESS_DENIED) - * { - * printf("%s", "access has been denied\n"); - * return; - * } - * printf("%s", "Error has occurred\n"); - * } - * ... - * - * \endcode - * - * Access to this function requires SMACK rule: " security-server::api-cookie-check w" -*/ -int security_server_check_privilege(const char *cookie, gid_t privilege); - -int security_server_check_privilege_by_cookie(const char *cookie, - const char *object, - const char *access_rights); - -/** - * \par Description: - * This API searchs a cookie value and returns PID of the given cookie. - * - * \par Purpose: - * This API may be used by middleware process to ask the client application has privilege for the given object. - * - * \par Typical use case: - * In some cases, a middleware server wants to know PID of the application process. But if the middleware server uses non-direct IPC such as dbus, it's nearly impossible to know and guarantee peer PID. By using this API, the middleware server can retrieve a PID of the requesting process. - * - * \par Method of function operation: - * When Security Server receives this request, it searches cookie database and check the cookie is there, if there is matching cookie, then it returns corresponding PID for the cookie. - * - * \par Sync (or) Async: - * This is a Synchronous API. - * - * \par Important notes: - * Cookie value needs to be stored relatively secure\n - * This API is abled to be called only by pre-defined middleware servers. - * - * \param[in] cookie Received cookie value from client application. Cookie is not a null terminated human readable string. Make sure you're code doesn't have any string related process on the cookie. - * - * \return positive integer on success meaning the PID, 0 means the cookie is for root process, negative integer error code on error. - * - * \par Prospective clients: - * Only pre-defined middleware daemons - * - * \par Known issues/bugs: - * None - * - * \pre None - * - * \post None - * - * \see security_server_request_cookie(), security_server_get_cookie_size() - * - * \remarks the cookie is not a null terminated string. Cookie is a BINARY byte stream of such length which can be retrieved by security_server_get_cookie_size() API. - * Therefore, please do not use strcpy() family to process cookie value. You MUST use memcpy() function to process cookie value. - * You also have to know that the cookie value doesn't carry any null terminator. So you don't need to allocate 1 more byte of the cookie size. - * - * \par Sample code: - * \code - * #include - * ... - * int peerpid; - * size_t cookie_size; - * gid_t call_gid; - * cookie_size = security_server_get_cookie_size(); - * unsigned char recved_cookie[cookie_size]; - * - * ... // Receiving request with cookie - * - * peerpid = security_server_get_cookie_pid(recved_cookie); - * if(peerpid < 0) - * { - * printf("%s", "Error has occurred\n"); - * } - * ... - * - * \endcode - * - * Access to this function requires SMACK rule: " security-server::api-cookie-check w" -*/ -int security_server_get_cookie_pid(const char *cookie); - - - -/** - * \par Description: - * This API checks phone validity of password, to check existance, expiration, remaining attempts. - * - * \par Purpose: - * This API should be used by applications which needs phone password check. Caller application should behave properly after this API call. - * - * \par Typical use case: - * Lock screen can call this API before it shows unlock screen, if there is password, lock screen can show password input UI, if not, lock screen can show just unlock screen - * - * \par Method of function operation: - * Sends a validate request to security server and security server replies with password information. - * - * \par Sync (or) Async: - * This is a Synchronous API. - * - * \par Important notes: - * Password file should be stored safely. The password file will be stored by security server and only allowed itself to read/write, and data is will be securely hashed\n - * - * \param[out] current_attempts Number of password check missed attempts. - * \param[out] max_attempts Number of maximum attempts that the password locks. 0 means infinite - * \param[out] valid_secs Remaining time in second which represents this password will be expired. 0xFFFFFFFF means infinite - * - * \return 0 if there is no password set, other negative integer error code on error. - * - * \par Prospective clients: - * Applications which can unlock UI - * - * \par Known issues/bugs: - * None - * - * \pre None - * - * \post None - * - * \see security_server_set_pwd(), security_server_chk_pwd() - * - * \remarks If password file is corrupted or accidentally deleted, this API may not synchronized with security-server, but security-server will check file status on next request. - * - * \par Sample code: - * \code - * #include - * ... - * int ret; - * unsigned int attempt, max_attempt, expire_sec; - * - * ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec); - * if(is_pwd_set == SECURITY_SERVER_API_ERROR_NO_PASSWORD) - * { - * printf("%s", "There is no password exists\n"); - * } - * else if(is_pwd_set == SECURITY_SERVER_API_SUCCESS && expire_sec > 0 && attempt < max_attempts) - * { - * printf("%s", "Password is valid by now\n"); - * } - * else - * { - * printf("%s", "Something wrong\n"); - * } - * ... - * - * \endcode - * - * Access to this function requires SMACK rule: " security-server::api-password-check w" -*/ -int security_server_is_pwd_valid(unsigned int *current_attempts, - unsigned int *max_attempts, - unsigned int *valid_secs); - - - -/** - * \par Description: - * This API sets phone password only if current password matches. - * - * \par Purpose: - * This API should be used by setting application when the user changes his/her phone password. - * - * \par Typical use case: - * Setting application calls this API to change phone password. Caller needs current password to grant the change. - * - * \par Method of function operation: - * Sends current password with new password to security-server, security-server checks current password and set new password to current only when current password is correct. Caller application can determine maximum number of attempts and expiration time in days - * - * \par Sync (or) Async: - * This is a Synchronous API. - * - * \par Important notes: - * There is retry timer on this API to limit replay attack. You will get error if you called this API too often.\n - * - * \param[in] cur_pwd Null terminated current password string. It can be NULL pointer if there is no password set yet - by calling security_server_is_pwd_empty() - * \param[in] new_pwd Null terminated new password string. It must not a NULL pointer. - * \param[in] max_challenge Maximum number of attempts that user can try to check the password without success in serial. 0 means infinity. - * \param[in] valid_period_in_days. Number of days that this password is valid. 0 means infinity - * - * \return 0 on success, negative integer error code on error. - * - * \par Prospective clients: - * Platform's THE ONLY setting application and some dedicated privileged processes - * - * \par Known issues/bugs: - * None - * - * \pre None - * - * \post None - * - * \see security_server_is_pwd_valid(), security_server_chk_pwd(), security_server_reset_pwd() - * - * \remarks Only setting application can call this API. The password file will be access controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file corruption. - * \remarks If current password exists and it's expired, or max attempts reached, you cannot call this API. You have to call security_server_reset_pwd() API. - * - * \par Sample code: - * \code - * #include - * ... - * int ret; - * unsigned int attempt, max_attempt, expire_sec; - * - * ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec); - * if(is_pwd_set == SECURITY_SERVER_API_ERROR_NO_PASSWORD) - * { - * printf("%s", "There is no password exists\n"); - * ret = security_server_set_pwd(NULL, "this_is_new_pwd", 20, 365); - * if(ret != SECURITY_SERVER_API_SUCCESS) - * { - * printf("%s", "we have error\n"); - * ... - * } - * } - * else if(is_pwd_set == SECURITY_SERVER_API_SUCCESS && expire_sec > 0 && attempt < max_attempts) - * { - * printf("%s", "Password is valid by now\n"); - * ret = security_server_set_pwd("this_is_current_pwd", "this_is_new_pwd", 20, 365); - * if(ret != SECURITY_SERVER_API_SUCCESS) - * { - * printf("%s", "we have error\n"); - * ... - * } - * } - * else - * { - * printf("%s", "Something wrong\n"); - * } - * ... - * - * \endcode - * - * Access to this function requires SMACK rule: " security-server::api-password-set w" -*/ -int security_server_set_pwd(const char *cur_pwd, - const char *new_pwd, - const unsigned int max_challenge, - const unsigned int valid_period_in_days); - - -/** - * \par Description: - * This API sets validity period for currently setup password. - * - * \par Purpose: - * This API should be used by Enterprise authorities to modify password policy. To be used only with valid password setup. - * - * \par Typical use case: - * Authorized application calls this API to change current passwords validity when password policy needs to be changed. - * - * \par Method of function operation: - * Function attempts to find currently set password and changes its current validity to passed number of days. Retry counter for the password is reset to zero. - * If there is no password set, function returns proper error code. - * - * \par Sync (or) Async: - * This is a Synchronous API. - * \param[in] valid_period_in_days. Number of days that this password is valid. 0 means infinity - * - * \return 0 on success, negative integer error code on error. - * - * \par Prospective clients: - * Platform's THE ONLY setting application and some dedicated privileged processes - * - * \par Known issues/bugs: - * Identifying calling peer is not ready yet, should be based on SMACK somehow. - * - * \see security_server_is_pwd_valid(), security_server_chk_pwd(), security_server_reset_pwd() - * - * Access to this function requires SMACK rule: " security-server::api-password-set w" - */ -int security_server_set_pwd_validity(const unsigned int valid_period_in_days); - - -/** - * \par Description: - * This API sets maximum number of attempts for currently setup password. - * - * \par Purpose: - * This API should be used by Enterprise authorities to modify password policy. To be used only with valid password setup. - * - * \par Typical use case: - * Authorized application calls this API to change current passwords max attempt number when password policy needs to be changed. - * - * \par Method of function operation: - * Function attempts to find currently set password and changes its max attempt number to passed one. Retry counter for the password is reset to zero. - * If there is no password set, function returns proper error code. - * - * \par Sync (or) Async: - * This is a Synchronous API. - * \param[in] max_challenge Maximum number of attempts that user can try to check the password without success in serial. 0 means infinity. - * - * \return 0 on success, negative integer error code on error. - * - * \par Prospective clients: - * Platform's THE ONLY setting application and some dedicated privileged processes - * - * \par Known issues/bugs: - * Identifying calling peer is not ready yet, should be based on SMACK somehow. - * - * \see security_server_is_pwd_valid(), security_server_chk_pwd(), security_server_reset_pwd() - * - * Access to this function requires SMACK rule: " security-server::api-password-set w" - */ -int security_server_set_pwd_max_challenge(const unsigned int max_challenge); - -/** - * \par Description: - * This API sets phone password without performing any checks connected with provided password. It - * should be used only if current password is invalid or user forgot the password. - * - * \par Purpose: - * This API should be used by setting application or dedicated processes when the user changes his/her phone password. - * - * \par Typical use case: - * User forgets the password. He calls emergency manager(auto or manual) for reset password. Emergency manager calls this API and reset phone password. - * - * \par Method of function operation: - * Resetting phone password with input string without any matching current password. Function does - * no checks before password replacement (expiration time check, currently set password checks, - * history check and attempt count check are skipped). - * - * \par Sync (or) Async: - * This is a Synchronous API. - * - * \par Important notes: - * There is retry timer on this API to limit replay attack. You will get error if you called this API too often.\n - * - * \param[in] new_pwd Null terminated new password string. It must not a NULL pointer. - * \param[in] max_challenge Maximum number of attempts that user can try to check the password without success in serial. 0 means infinity. - * \param[in] valid_period_in_days. Number of days that this password is valid. 0 means infinity - * - * \return 0 on success, negative integer error code on error. - * - * \par Prospective clients: - * Platform's THE ONLY setting application and some dedicated privileged processes - * - * \par Known issues/bugs: - * None - * - * \pre None - * - * \post None - * - * \see security_server_is_pwd_valid(), security_server_chk_pwd(), security_server_set_pwd() - * - * \remarks Only dedicated applications can call this API. The password file will be access controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file corruption. - * - * \par Sample code: - * \code - * #include - * ... - * int ret; - * - * ret = security_server_reset_pwd("this_is_new_pwd", 20, 365); - * if(retval != SECURITY_SERVER_API_SUCCESS) - * { - * printf("%s", "we have error\n"); - * ... - * } - * ... - * - * \endcode - * - * Access to this function requires SMACK rule: " security-server::api-password-reset w" -*/ -int security_server_reset_pwd(const char *new_pwd, - const unsigned int max_challenge, - const unsigned int valid_period_in_days); - -/** - * \par Description: - * This API compares stored phone password with challenged input value. - * - * \par Purpose: - * This API should be used by applications which has phone UI lock capability. - * - * \par Typical use case: - * Lock screen calls this API after user typed phone password and pressed okay. - * - * \par Method of function operation: - * Sends challenged password to security-server, security-server compares hashed current password and hashed challenged password. - * - * \par Sync (or) Async: - * This is a Synchronous API. - * - * \par Important notes: - * There is retry timer on this API to limit replay attack. You will get error if you called this API too often.\n - * - * \param[in] challenge Null terminated challenged password string. It must not a NULL pointer. - * \param[out] current_attempts Number of password check missed attempts. - * \param[out] max_attempts Number of maximum attempts that the password locks. 0 means infinite - * \param[out] valid_secs Remaining time in second which represents this password will be expired. 0xFFFFFFFF means infinite - * - * \return 0 on success, negative integer error code on error. - * - * \par Prospective clients: - * Applications which has phone UI lock feature. - * - * \par Known issues/bugs: - * None - * - * \pre None - * - * \post None - * - * \see security_server_is_pwd_valid(), security_server_set_pwd() - * - * \remarks The password file will be acces controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file curruption. - * - * \par Sample code: - * \code - * #include - * ... - * int retval; - * unsigned int attempt, max_attempt, expire_sec; - * - * retval = security_server_chk_pwd("is_this_password", &attmpt, &max_attempt, &expire_sec); - * if(retval == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH) - * { - * printf("%s", "Oh you typed wrong password\n"); - * ... - * } - * else if(retval == SECURITY_SERVER_API_SUCCESS) - * { - * printf("%s", "You remember your password.\n"); - * ... - * } - * ... - * - * \endcode - * - * Access to this function requires SMACK rule: " security-server::api-password-check w" -*/ -int security_server_chk_pwd(const char *challenge, - unsigned int *current_attempt, - unsigned int *max_attempt, - unsigned int *valid_secs); - - -/** - * \par Description: - * This API set the number of password history which should be maintained. Once this number set, user cannot reuse recent number of passwords which is described in this history value - * - * \par Purpose: - * This API should be used only by dedicated process in the platform. - * - * \par Typical use case: - * Enterprise manager calls this API when the enterprise wants to enforce harder password policy. - * - * \par Method of function operation: - * When enterprise manager (MDM) is trying to change the security policy for phone password, it calls this API background to change the history policy. - * - * \par Sync (or) Async: - * This is a Synchronous API. - * - * \par Important notes: - * There is retry timer on this API to limit replay attack. You will get error if you called this API too often.\n - * - * \param[in] history_size Number of history to be checked when user tries to change password. Maximum is currently 50 - * - * \return 0 on success, negative integer error code on error. - * - * \par Prospective clients: - * MDM client, Enterprise manager. - * - * \par Known issues/bugs: - * None - * - * \pre None - * - * \post None - * - * \see security_server_set_pwd() - * - * \remarks The password file will be access controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file curruption. - * - * \par Sample code: - * \code - * #include - * ... - * int retval; - * - * ret = security_server_set_pwd_history(100); - * if(ret != SECURITY_SERVER_API_SUCCESS) - * { - * printf("%s", "You have error\n"); - * ... - * } - * ... - * - * \endcode - * - * Access to this function requires SMACK rule: " security-server::api-password-set w" -*/ -int security_server_set_pwd_history(int history_size); - -/* - * This function allows to get process SMACK label by passing cookie assigned - * to process. Function returns pointer to allocated buffer with label. - * User has to free the buffer after using. - * - * \param[in] Pointer to cookie - * - * \return Pointer to SMACK label or NULL - * - * \par For free label use free(), label allocated by calloc() - * User responsibility is to free resource. - * - * Access to this function requires SMACK rule: " security-server::api-cookie-check w" - */ -char *security_server_get_smacklabel_cookie(const char *cookie); - -/* - * This function allows to get process SMACK label by passing socket descriptor. - * Function returns pointer to allocated buffer with label. - * User has to free the buffer after using. - * - * \param[in] Socket descriptor - * - * \return Pointer to SMACK label or NULL - * - * \par For free label use free(), label allocated by calloc(). - * User responsibility is to free resource. - * - * Access to this function not requires SMACK rule - */ -char *security_server_get_smacklabel_sockfd(int fd); - -/* - * This function will give permissions "rwxat" from - * (subject) customer_label to caller process (object). - * Object label will be extracted from socket. - * - * \param[in] CUSTOMER_LABEL execute label of the process that should have access to caller. - * \param[in] CUSTOMER_PID all rules applied by this function should be removed from system - * when process with CUSTOMER_PID dies. - * - * \return SECURITY_SERVER_API_SUCCESS on success - * \return SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED - * \return SECURITY_SERVER_API_ERROR_ACCESS_DENIED - * \return SECURITY_SERVER_API_ERROR_BAD_REQUEST input params were rejected by security-server - * \return SECURITY_SERVER_API_ERROR_INPUT_PARAM input params were rejected by client library - * \return SECURITY_SERVER_API_ERROR_SOCKET connection to security server failed. - * - * Important: In current implementation CUSTOMER_PID is ignored! This mean that rules applied - * by this function won't be revoke until device reset! - * - * Access to this function requires SMACK rule: " security-server::api-data-share w" - * */ -int security_server_app_give_access(const char *customer_label, int customer_pid); - -/* - * This function allows middleware to check privileges of process with specified PID or socket - * file descriptor. - * Service is able to check process access to the specified object label with specified - * access rights. - * - * \param[in] PID id of process or SOCKFD socket file descriptor to be checked - * \param[in] SMACK object label - * \param[in] SMACK access rights to be checked - * - * \return Privilege confirm or error code - * \return SECURITY_SERVER_API_SUCCESS - on succes - * - * Access to this function requires SMACK rule: " security-server::api-privilege-by-pid w" - */ -int security_server_check_privilege_by_pid(int pid, const char *object, const char *access_rights); - -int security_server_check_privilege_by_sockfd(int sockfd, - const char *object, - const char *access_rights); - -/* - * This function allows middleware to check if an app has the specified privilege - * enabled. - * - * \param[in] Application ID (smack label) - * \param[in] Application type - * \param[in] Privilege name - * \param[out] Handler to store the result. It is set to 1 (true) if privilege is enabled, 0 (false) otherwise - * - * \return SECURITY_SERVER_API_SUCCESS on success or error code on fail - * - * Access to this function requires SMACK rule: " security-server::api-app-privilege-by-name w" - */ -int security_server_app_has_privilege(const char *app_label, - app_type_t app_type, - const char *privilege_name, - int *result); - -#ifdef __cplusplus -} -#endif - -/** - * @} -*/ - -/** - * @} -*/ - -#endif diff --git a/src/server/client/client-common.cpp b/src/server/client/client-common.cpp index 00f099f..679e00e 100644 --- a/src/server/client/client-common.cpp +++ b/src/server/client/client-common.cpp @@ -36,7 +36,7 @@ #include -#include +#include IMPLEMENT_SAFE_SINGLETON(SecurityServer::Log::LogSystem); @@ -90,7 +90,7 @@ public: if (m_sock < 0) { int err = errno; LogError("Error creating socket: " << strerror(err)); - return SECURITY_SERVER_API_ERROR_SOCKET; + return SECURITY_MANAGER_API_ERROR_SOCKET; } if ((flags = fcntl(m_sock, F_GETFL, 0)) < 0 || @@ -98,7 +98,7 @@ public: { int err = errno; LogError("Error in fcntl: " << strerror(err)); - return SECURITY_SERVER_API_ERROR_SOCKET; + return SECURITY_MANAGER_API_ERROR_SOCKET; } memset(&clientAddr, 0, sizeof(clientAddr)); @@ -107,7 +107,7 @@ public: if (strlen(interface) >= sizeof(clientAddr.sun_path)) { LogError("Error: interface name " << interface << "is too long. Max len is:" << sizeof(clientAddr.sun_path)); - return SECURITY_SERVER_API_ERROR_NO_SUCH_SERVICE; + return SECURITY_MANAGER_API_ERROR_NO_SUCH_SERVICE; } strcpy(clientAddr.sun_path, interface); @@ -118,7 +118,7 @@ public: if ((retval == -1) && (errno == EINPROGRESS)) { if (0 >= waitForSocket(m_sock, POLLIN, POLL_TIMEOUT)) { LogError("Error in waitForSocket."); - return SECURITY_SERVER_API_ERROR_SOCKET; + return SECURITY_MANAGER_API_ERROR_SOCKET; } int error = 0; socklen_t len = sizeof(error); @@ -127,33 +127,33 @@ public: if (-1 == retval) { int err = errno; LogError("Error in getsockopt: " << strerror(err)); - return SECURITY_SERVER_API_ERROR_SOCKET; + return SECURITY_MANAGER_API_ERROR_SOCKET; } if (error == EACCES) { LogError("Access denied"); - return SECURITY_SERVER_API_ERROR_ACCESS_DENIED; + return SECURITY_MANAGER_API_ERROR_ACCESS_DENIED; } if (error != 0) { LogError("Error in connect: " << strerror(error)); - return SECURITY_SERVER_API_ERROR_SOCKET; + return SECURITY_MANAGER_API_ERROR_SOCKET; } - return SECURITY_SERVER_API_SUCCESS; + return SECURITY_MANAGER_API_SUCCESS; } if (-1 == retval) { int err = errno; LogError("Error connecting socket: " << strerror(err)); if (err == EACCES) - return SECURITY_SERVER_API_ERROR_ACCESS_DENIED; + return SECURITY_MANAGER_API_ERROR_ACCESS_DENIED; if (err == ENOTSOCK) - return SECURITY_SERVER_API_ERROR_NO_SUCH_SERVICE; - return SECURITY_SERVER_API_ERROR_SOCKET; + return SECURITY_MANAGER_API_ERROR_NO_SUCH_SERVICE; + return SECURITY_MANAGER_API_ERROR_SOCKET; } - return SECURITY_SERVER_API_SUCCESS; + return SECURITY_MANAGER_API_SUCCESS; } int Get() { @@ -175,7 +175,7 @@ int sendToServer(char const * const interface, const RawBuffer &send, MessageBuf ssize_t done = 0; char buffer[2048]; - if (SECURITY_SERVER_API_SUCCESS != (ret = sock.Connect(interface))) { + if (SECURITY_MANAGER_API_SUCCESS != (ret = sock.Connect(interface))) { LogError("Error in SockRAII"); return ret; } @@ -183,13 +183,13 @@ int sendToServer(char const * const interface, const RawBuffer &send, MessageBuf while ((send.size() - done) > 0) { if (0 >= waitForSocket(sock.Get(), POLLOUT, POLL_TIMEOUT)) { LogError("Error in poll(POLLOUT)"); - return SECURITY_SERVER_API_ERROR_SOCKET; + return SECURITY_MANAGER_API_ERROR_SOCKET; } ssize_t temp = TEMP_FAILURE_RETRY(write(sock.Get(), &send[done], send.size() - done)); if (-1 == temp) { int err = errno; LogError("Error in write: " << strerror(err)); - return SECURITY_SERVER_API_ERROR_SOCKET; + return SECURITY_MANAGER_API_ERROR_SOCKET; } done += temp; } @@ -197,24 +197,24 @@ int sendToServer(char const * const interface, const RawBuffer &send, MessageBuf do { if (0 >= waitForSocket(sock.Get(), POLLIN, POLL_TIMEOUT)) { LogError("Error in poll(POLLIN)"); - return SECURITY_SERVER_API_ERROR_SOCKET; + return SECURITY_MANAGER_API_ERROR_SOCKET; } ssize_t temp = TEMP_FAILURE_RETRY(read(sock.Get(), buffer, 2048)); if (-1 == temp) { int err = errno; LogError("Error in read: " << strerror(err)); - return SECURITY_SERVER_API_ERROR_SOCKET; + return SECURITY_MANAGER_API_ERROR_SOCKET; } if (0 == temp) { LogError("Read return 0/Connection closed by server(?)"); - return SECURITY_SERVER_API_ERROR_SOCKET; + return SECURITY_MANAGER_API_ERROR_SOCKET; } RawBuffer raw(buffer, buffer+temp); recv.Push(raw); } while(!recv.Ready()); - return SECURITY_SERVER_API_SUCCESS; + return SECURITY_MANAGER_API_SUCCESS; } int sendToServerAncData(char const * const interface, const RawBuffer &send, struct msghdr &hdr) { @@ -222,7 +222,7 @@ int sendToServerAncData(char const * const interface, const RawBuffer &send, str SockRAII sock; ssize_t done = 0; - if (SECURITY_SERVER_API_SUCCESS != (ret = sock.Connect(interface))) { + if (SECURITY_MANAGER_API_SUCCESS != (ret = sock.Connect(interface))) { LogError("Error in SockRAII"); return ret; } @@ -230,20 +230,20 @@ int sendToServerAncData(char const * const interface, const RawBuffer &send, str while ((send.size() - done) > 0) { if (0 >= waitForSocket(sock.Get(), POLLOUT, POLL_TIMEOUT)) { LogError("Error in poll(POLLOUT)"); - return SECURITY_SERVER_API_ERROR_SOCKET; + return SECURITY_MANAGER_API_ERROR_SOCKET; } ssize_t temp = TEMP_FAILURE_RETRY(write(sock.Get(), &send[done], send.size() - done)); if (-1 == temp) { int err = errno; LogError("Error in write: " << strerror(err)); - return SECURITY_SERVER_API_ERROR_SOCKET; + return SECURITY_MANAGER_API_ERROR_SOCKET; } done += temp; } if (0 >= waitForSocket(sock.Get(), POLLIN, POLL_TIMEOUT)) { LogError("Error in poll(POLLIN)"); - return SECURITY_SERVER_API_ERROR_SOCKET; + return SECURITY_MANAGER_API_ERROR_SOCKET; } ssize_t temp = TEMP_FAILURE_RETRY(recvmsg(sock.Get(), &hdr, MSG_CMSG_CLOEXEC)); @@ -251,15 +251,15 @@ int sendToServerAncData(char const * const interface, const RawBuffer &send, str if (temp < 0) { int err = errno; LogError("Error in recvmsg(): " << strerror(err) << " errno: " << err); - return SECURITY_SERVER_API_ERROR_SOCKET; + return SECURITY_MANAGER_API_ERROR_SOCKET; } if (0 == temp) { LogError("Read return 0/Connection closed by server(?)"); - return SECURITY_SERVER_API_ERROR_SOCKET; + return SECURITY_MANAGER_API_ERROR_SOCKET; } - return SECURITY_SERVER_API_SUCCESS; + return SECURITY_MANAGER_API_SUCCESS; } int try_catch(const std::function& func) @@ -273,7 +273,7 @@ int try_catch(const std::function& func) } catch (...) { LogError("Unknown exception occured"); } - return SECURITY_SERVER_API_ERROR_UNKNOWN; + return SECURITY_MANAGER_API_ERROR_UNKNOWN; } } // namespace SecurityServer diff --git a/src/server/client/client-security-manager.cpp b/src/server/client/client-security-manager.cpp index 2447314..0e5f4d8 100644 --- a/src/server/client/client-security-manager.cpp +++ b/src/server/client/client-security-manager.cpp @@ -35,7 +35,7 @@ #include #include -#include + SECURITY_MANAGER_API @@ -140,14 +140,14 @@ int security_manager_app_install(const app_inst_req *p_req) //send buffer to server int retval = sendToServer(SERVICE_SOCKET_INSTALLER, send.Pop(), recv); - if (retval != SECURITY_SERVER_API_SUCCESS) { + if (retval != SECURITY_MANAGER_API_SUCCESS) { LogDebug("Error in sendToServer. Error code: " << retval); return SECURITY_MANAGER_ERROR_UNKNOWN; } //receive response from server Deserialization::Deserialize(recv, retval); - if (retval != SECURITY_SERVER_API_SUCCESS) + if (retval != SECURITY_MANAGER_API_SUCCESS) return SECURITY_MANAGER_ERROR_UNKNOWN; return SECURITY_MANAGER_SUCCESS;; @@ -175,14 +175,14 @@ int security_manager_app_uninstall(const app_inst_req *p_req) //send buffer to server int retval = sendToServer(SERVICE_SOCKET_INSTALLER, send.Pop(), recv); - if (retval != SECURITY_SERVER_API_SUCCESS) { + if (retval != SECURITY_MANAGER_API_SUCCESS) { LogDebug("Error in sendToServer. Error code: " << retval); return SECURITY_MANAGER_ERROR_UNKNOWN; } //receive response from server Deserialization::Deserialize(recv, retval); - if (retval != SECURITY_SERVER_API_SUCCESS) + if (retval != SECURITY_MANAGER_API_SUCCESS) return SECURITY_MANAGER_ERROR_UNKNOWN; return SECURITY_MANAGER_SUCCESS;; diff --git a/src/server/service/installer.cpp b/src/server/service/installer.cpp index 9f594fa..0445c78 100644 --- a/src/server/service/installer.cpp +++ b/src/server/service/installer.cpp @@ -37,7 +37,6 @@ #include "installer.h" #include "protocols.h" -#include "security-server.h" #include "security-manager.h" #include "smack-rules.h" #include "security-manager-common.h" @@ -391,7 +390,7 @@ bool InstallerService::processAppInstall(MessageBuffer &buffer, MessageBuffer &s LogDebug("perm_begin() returned " << result); if (PC_OPERATION_SUCCESS != result) { // libprivilege is locked - Serialization::Serialize(send, SECURITY_SERVER_API_ERROR_SERVER_ERROR); + Serialization::Serialize(send, SECURITY_MANAGER_API_ERROR_SERVER_ERROR); return false; } @@ -439,19 +438,19 @@ bool InstallerService::processAppInstall(MessageBuffer &buffer, MessageBuffer &s //SecurityManager::SmackRules::uninstallPackageRules(req.pkgId); // error in libprivilege-control - Serialization::Serialize(send, SECURITY_SERVER_API_ERROR_SERVER_ERROR); + Serialization::Serialize(send, SECURITY_MANAGER_API_ERROR_SERVER_ERROR); return false; } // success - Serialization::Serialize(send, SECURITY_SERVER_API_SUCCESS); + Serialization::Serialize(send, SECURITY_MANAGER_API_SUCCESS); return true; error_label: // rollback failed transaction before exiting result = perm_rollback(); LogDebug("perm_rollback() returned " << result); - Serialization::Serialize(send, SECURITY_SERVER_API_ERROR_SERVER_ERROR); + Serialization::Serialize(send, SECURITY_MANAGER_API_ERROR_SERVER_ERROR); return false; } @@ -466,7 +465,7 @@ bool InstallerService::processAppUninstall(MessageBuffer &buffer, MessageBuffer LogDebug("perm_begin() returned " << result); if (PC_OPERATION_SUCCESS != result) { // libprivilege is locked - Serialization::Serialize(send, SECURITY_SERVER_API_ERROR_SERVER_ERROR); + Serialization::Serialize(send, SECURITY_MANAGER_API_ERROR_SERVER_ERROR); return false; } @@ -478,7 +477,7 @@ bool InstallerService::processAppUninstall(MessageBuffer &buffer, MessageBuffer // error in libprivilege-control result = perm_rollback(); LogDebug("perm_rollback() returned " << result); - Serialization::Serialize(send, SECURITY_SERVER_API_ERROR_SERVER_ERROR); + Serialization::Serialize(send, SECURITY_MANAGER_API_ERROR_SERVER_ERROR); return false; } @@ -490,7 +489,7 @@ bool InstallerService::processAppUninstall(MessageBuffer &buffer, MessageBuffer // LogError("Error on uninstallation of package-specific smack rules"); // result = perm_rollback(); // LogDebug("perm_rollback() returned " << result); - // Serialization::Serialize(send, SECURITY_SERVER_API_ERROR_SERVER_ERROR); + // Serialization::Serialize(send, SECURITY_MANAGER_API_ERROR_SERVER_ERROR); // return false; //} @@ -499,12 +498,12 @@ bool InstallerService::processAppUninstall(MessageBuffer &buffer, MessageBuffer LogDebug("perm_end() returned " << result); if (PC_OPERATION_SUCCESS != result) { // error in libprivilege-control - Serialization::Serialize(send, SECURITY_SERVER_API_ERROR_SERVER_ERROR); + Serialization::Serialize(send, SECURITY_MANAGER_API_ERROR_SERVER_ERROR); return false; } // success - Serialization::Serialize(send, SECURITY_SERVER_API_SUCCESS); + Serialization::Serialize(send, SECURITY_MANAGER_API_SUCCESS); return true; } -- 2.7.4 From aba196bd9f5fe7a6a53494098f05e1aee9297cc2 Mon Sep 17 00:00:00 2001 From: Jan Cybulski Date: Fri, 13 Jun 2014 11:22:08 +0200 Subject: [PATCH 08/16] Change namespace name to SecurityManager Change-Id: I43070c39da09a67895ec5eda17bf316ff352a6e7 Signed-off-by: Jan Cybulski --- src/server/client/client-common.cpp | 10 ++++----- src/server/client/client-common.h | 4 ++-- src/server/client/client-security-manager.cpp | 4 ++-- src/server/common/connection-info.h | 4 ++-- src/server/common/message-buffer.cpp | 4 ++-- src/server/common/message-buffer.h | 10 ++++----- src/server/common/protocols.cpp | 4 ++-- src/server/common/protocols.h | 4 ++-- src/server/common/smack-check.cpp | 4 ++-- src/server/common/smack-check.h | 6 +++--- src/server/dpl/core/include/dpl/assert.h | 6 +++--- src/server/dpl/core/include/dpl/binary_queue.h | 6 +++--- src/server/dpl/core/include/dpl/colors.h | 4 ++-- src/server/dpl/core/include/dpl/exception.h | 24 +++++++++++----------- src/server/dpl/core/include/dpl/noncopyable.h | 4 ++-- src/server/dpl/core/include/dpl/serialization.h | 4 ++-- src/server/dpl/core/include/dpl/singleton.h | 4 ++-- src/server/dpl/core/include/dpl/singleton_impl.h | 8 ++++---- .../dpl/core/include/dpl/singleton_safe_impl.h | 4 ++-- src/server/dpl/core/src/assert.cpp | 6 +++--- src/server/dpl/core/src/binary_queue.cpp | 4 ++-- src/server/dpl/core/src/colors.cpp | 4 ++-- src/server/dpl/core/src/exception.cpp | 6 +++--- src/server/dpl/core/src/noncopyable.cpp | 4 ++-- .../log/include/dpl/log/abstract_log_provider.h | 4 ++-- .../dpl/log/include/dpl/log/audit-smack-log.h | 4 ++-- .../dpl/log/include/dpl/log/dlog_log_provider.h | 4 ++-- src/server/dpl/log/include/dpl/log/log.h | 10 ++++----- .../log/include/dpl/log/old_style_log_provider.h | 4 ++-- src/server/dpl/log/src/abstract_log_provider.cpp | 2 +- src/server/dpl/log/src/audit-smack-log.cpp | 4 ++-- src/server/dpl/log/src/dlog_log_provider.cpp | 4 ++-- src/server/dpl/log/src/log.cpp | 6 +++--- src/server/dpl/log/src/old_style_log_provider.cpp | 6 +++--- src/server/main/generic-event.h | 4 ++-- src/server/main/generic-socket-manager.cpp | 4 ++-- src/server/main/generic-socket-manager.h | 4 ++-- src/server/main/security-manager-util.cpp | 4 ++-- src/server/main/security-manager-util.h | 4 ++-- src/server/main/server2-main.cpp | 16 +++++++-------- src/server/main/service-thread.h | 8 ++++---- src/server/main/socket-manager.cpp | 4 ++-- src/server/main/socket-manager.h | 6 +++--- src/server/service/installer.cpp | 4 ++-- src/server/service/installer.h | 10 ++++----- src/server/service/smack-common.cpp | 4 ++-- src/server/service/smack-common.h | 4 ++-- 47 files changed, 133 insertions(+), 133 deletions(-) diff --git a/src/server/client/client-common.cpp b/src/server/client/client-common.cpp index 679e00e..e245414 100644 --- a/src/server/client/client-common.cpp +++ b/src/server/client/client-common.cpp @@ -38,14 +38,14 @@ #include -IMPLEMENT_SAFE_SINGLETON(SecurityServer::Log::LogSystem); +IMPLEMENT_SAFE_SINGLETON(SecurityManager::Log::LogSystem); namespace { const int POLL_TIMEOUT = 2000; void securityClientEnableLogSystem(void) { - SecurityServer::Singleton::Instance().SetTag("SECURITY_SERVER_CLIENT"); + SecurityManager::Singleton::Instance().SetTag("SECURITY_MANAGER_CLIENT"); } int waitForSocket(int sock, int event, int timeout) { @@ -166,7 +166,7 @@ private: } // namespace anonymous -namespace SecurityServer { +namespace SecurityManager { int sendToServer(char const * const interface, const RawBuffer &send, MessageBuffer &recv) { @@ -267,7 +267,7 @@ int try_catch(const std::function& func) try { return func(); } catch (MessageBuffer::Exception::Base &e) { - LogError("SecurityServer::MessageBuffer::Exception " << e.DumpToString()); + LogError("SecurityManager::MessageBuffer::Exception " << e.DumpToString()); } catch (std::exception &e) { LogError("STD exception " << e.what()); } catch (...) { @@ -276,7 +276,7 @@ int try_catch(const std::function& func) return SECURITY_MANAGER_API_ERROR_UNKNOWN; } -} // namespace SecurityServer +} // namespace SecurityMANAGER static void init_lib(void) __attribute__ ((constructor)); static void init_lib(void) diff --git a/src/server/client/client-common.h b/src/server/client/client-common.h index 935bb2d..7569f2f 100644 --- a/src/server/client/client-common.h +++ b/src/server/client/client-common.h @@ -39,7 +39,7 @@ extern "C" { struct msghdr; } -namespace SecurityServer { +namespace SecurityManager { typedef std::vector RawBuffer; @@ -61,6 +61,6 @@ int sendToServerAncData(char const * const interface, const RawBuffer &send, str */ int try_catch(const std::function& func); -} // namespace SecuritySever +} // namespace SecurityManager #endif // _SECURITY_SERVER_CLIENT_ diff --git a/src/server/client/client-security-manager.cpp b/src/server/client/client-security-manager.cpp index 0e5f4d8..e83115d 100644 --- a/src/server/client/client-security-manager.cpp +++ b/src/server/client/client-security-manager.cpp @@ -118,7 +118,7 @@ int security_manager_app_inst_req_add_path(app_inst_req *p_req, const char *path SECURITY_MANAGER_API int security_manager_app_install(const app_inst_req *p_req) { - using namespace SecurityServer; + using namespace SecurityManager; MessageBuffer send, recv; LogDebug("app_install() called"); @@ -157,7 +157,7 @@ int security_manager_app_install(const app_inst_req *p_req) SECURITY_MANAGER_API int security_manager_app_uninstall(const app_inst_req *p_req) { - using namespace SecurityServer; + using namespace SecurityManager; MessageBuffer send, recv; LogDebug("app_uninstall() called"); diff --git a/src/server/common/connection-info.h b/src/server/common/connection-info.h index 946b5c8..734ad69 100644 --- a/src/server/common/connection-info.h +++ b/src/server/common/connection-info.h @@ -29,7 +29,7 @@ #include #include -namespace SecurityServer +namespace SecurityManager { struct ConnectionInfo { InterfaceID interfaceID; @@ -37,6 +37,6 @@ namespace SecurityServer }; typedef std::map ConnectionInfoMap; -} //namespace SecurityServer +} //namespace SecurityManager #endif //_CONNECTION_INFO_H_ diff --git a/src/server/common/message-buffer.cpp b/src/server/common/message-buffer.cpp index 3fc090b..66d5b85 100644 --- a/src/server/common/message-buffer.cpp +++ b/src/server/common/message-buffer.cpp @@ -26,7 +26,7 @@ #include -namespace SecurityServer { +namespace SecurityManager { void MessageBuffer::Push(const RawBuffer &data) { m_buffer.AppendCopy(&data[0], data.size()); @@ -65,5 +65,5 @@ void MessageBuffer::Write(size_t num, const void *bytes) { m_buffer.AppendCopy(bytes, num); } -} // namespace SecurityServer +} // namespace SecurityManager diff --git a/src/server/common/message-buffer.h b/src/server/common/message-buffer.h index 850c7de..ff115e0 100644 --- a/src/server/common/message-buffer.h +++ b/src/server/common/message-buffer.h @@ -31,16 +31,16 @@ #include #include -namespace SecurityServer { +namespace SecurityManager { typedef std::vector RawBuffer; -class MessageBuffer : public SecurityServer::IStream { +class MessageBuffer : public SecurityManager::IStream { public: class Exception { public: - DECLARE_EXCEPTION_TYPE(SecurityServer::Exception, Base) + DECLARE_EXCEPTION_TYPE(SecurityManager::Exception, Base) DECLARE_EXCEPTION_TYPE(Base, OutOfData) }; @@ -71,9 +71,9 @@ protected: } size_t m_bytesLeft; - SecurityServer::BinaryQueue m_buffer; + SecurityManager::BinaryQueue m_buffer; }; -} // namespace SecurityServer +} // namespace SecurityManager #endif // _SECURITY_SERVER_SOCKET_BUFFER_ diff --git a/src/server/common/protocols.cpp b/src/server/common/protocols.cpp index 7bc9564..24bdae5 100644 --- a/src/server/common/protocols.cpp +++ b/src/server/common/protocols.cpp @@ -26,7 +26,7 @@ #include -namespace SecurityServer { +namespace SecurityManager { #define SOCKET_PATH_PREFIX "/run/" #define SOCKET_PATH_PREFIX_SECURITY_MANAGER SOCKET_PATH_PREFIX "security-manager/" @@ -34,5 +34,5 @@ namespace SecurityServer { char const * const SERVICE_SOCKET_INSTALLER = SOCKET_PATH_PREFIX_SECURITY_MANAGER "security-manager-installer.socket"; -} // namespace SecurityServer +} // namespace SecurityManager diff --git a/src/server/common/protocols.h b/src/server/common/protocols.h index 7775ccd..ed1c5a6 100644 --- a/src/server/common/protocols.h +++ b/src/server/common/protocols.h @@ -36,7 +36,7 @@ struct app_inst_req { std::vector> appPaths; }; -namespace SecurityServer { +namespace SecurityManager { extern char const * const SERVICE_SOCKET_INSTALLER; @@ -46,6 +46,6 @@ enum class SecurityModuleCall APP_UNINSTALL }; -} // namespace SecuritySever +} // namespace SecurityManager #endif // _SECURITY_SERVER_PROTOCOLS_ diff --git a/src/server/common/smack-check.cpp b/src/server/common/smack-check.cpp index 0e7bb5a..efc36d7 100644 --- a/src/server/common/smack-check.cpp +++ b/src/server/common/smack-check.cpp @@ -5,7 +5,7 @@ #include -namespace SecurityServer { +namespace SecurityManager { int smack_runtime_check(void) { @@ -31,4 +31,4 @@ int smack_check(void) #endif } -} // namespace SecurityServer +} // namespace SecurityManager diff --git a/src/server/common/smack-check.h b/src/server/common/smack-check.h index 875679c..24578ae 100644 --- a/src/server/common/smack-check.h +++ b/src/server/common/smack-check.h @@ -1,5 +1,5 @@ /* - * security-server + * security-manager * * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved * @@ -21,7 +21,7 @@ #ifndef _SMACK_CHECK_H_ #define _SMACK_CHECK_H_ -namespace SecurityServer { +namespace SecurityManager { /* * A very simple runtime check for SMACK on the platform @@ -37,6 +37,6 @@ int smack_runtime_check(void); */ int smack_check(void); -} // namespace SecurityServer +} // namespace SecurityManager #endif // _SMACK_CHECK_H_ diff --git a/src/server/dpl/core/include/dpl/assert.h b/src/server/dpl/core/include/dpl/assert.h index a71704d..a02aac9 100644 --- a/src/server/dpl/core/include/dpl/assert.h +++ b/src/server/dpl/core/include/dpl/assert.h @@ -24,7 +24,7 @@ #include -namespace SecurityServer { +namespace SecurityManager { // Assertion handler procedure // Do not call directly // Always use Assert macro @@ -32,9 +32,9 @@ SECURITYSERVER_NORETURN void AssertProc(const char *condition, const char *file, int line, const char *function); -} // namespace SecurityServer +} // namespace SecurityManager -#define Assert(Condition) do { if (!(Condition)) { SecurityServer::AssertProc(#Condition, \ +#define Assert(Condition) do { if (!(Condition)) { SecurityManager::AssertProc(#Condition, \ __FILE__, \ __LINE__, \ __FUNCTION__); \ diff --git a/src/server/dpl/core/include/dpl/binary_queue.h b/src/server/dpl/core/include/dpl/binary_queue.h index 387a71a..e007712 100644 --- a/src/server/dpl/core/include/dpl/binary_queue.h +++ b/src/server/dpl/core/include/dpl/binary_queue.h @@ -28,7 +28,7 @@ #include #include -namespace SecurityServer { +namespace SecurityManager { /** * Binary queue auto pointer */ @@ -47,7 +47,7 @@ class BinaryQueue class Exception { public: - DECLARE_EXCEPTION_TYPE(SecurityServer::Exception, Base) + DECLARE_EXCEPTION_TYPE(SecurityManager::Exception, Base) DECLARE_EXCEPTION_TYPE(Base, OutOfData) }; @@ -293,6 +293,6 @@ class BinaryQueue virtual size_t Write(const BinaryQueue &buffer, size_t bufferSize); }; -} // namespace SecurityServer +} // namespace SecurityManager #endif // SECURITY_SERVER_BINARY_QUEUE_H diff --git a/src/server/dpl/core/include/dpl/colors.h b/src/server/dpl/core/include/dpl/colors.h index 37ce940..69136d1 100644 --- a/src/server/dpl/core/include/dpl/colors.h +++ b/src/server/dpl/core/include/dpl/colors.h @@ -24,7 +24,7 @@ #ifndef SECURITY_SERVER_COLORS_H #define SECURITY_SERVER_COLORS_H -namespace SecurityServer { +namespace SecurityManager { namespace Colors { namespace Text { extern const char* BOLD_GREEN_BEGIN; @@ -68,6 +68,6 @@ extern const char* BOLD_WHITE_BEGIN; extern const char* BOLD_WHITE_END; } //namespace Html } //namespace Colors -} //namespace SecurityServer +} //namespace SecurityManager #endif /* SECURITY_SERVER_COLORS_H */ diff --git a/src/server/dpl/core/include/dpl/exception.h b/src/server/dpl/core/include/dpl/exception.h index ff8d300..f9c2cf2 100644 --- a/src/server/dpl/core/include/dpl/exception.h +++ b/src/server/dpl/core/include/dpl/exception.h @@ -29,7 +29,7 @@ #include #include -namespace SecurityServer { +namespace SecurityManager { void LogUnhandledException(const std::string &str); void LogUnhandledException(const std::string &str, const char *filename, @@ -37,7 +37,7 @@ void LogUnhandledException(const std::string &str, const char *function); } -namespace SecurityServer { +namespace SecurityManager { class Exception { private: @@ -287,7 +287,7 @@ class Exception return m_className; } }; -} // namespace SecurityServer +} // namespace SecurityManager #define Try try @@ -332,7 +332,7 @@ class Exception Class(const char *path, \ const char *function, \ int line, \ - const SecurityServer::Exception & reason, \ + const SecurityManager::Exception & reason, \ const std::string & message = std::string()) : \ BaseClass(path, function, line, reason, message) \ { \ @@ -343,11 +343,11 @@ class Exception #define UNHANDLED_EXCEPTION_HANDLER_BEGIN try #define UNHANDLED_EXCEPTION_HANDLER_END \ - catch (const SecurityServer::Exception &exception) \ + catch (const SecurityManager::Exception &exception) \ { \ std::ostringstream msg; \ - msg << SecurityServer::Exception::KnownExceptionToString(exception); \ - SecurityServer::LogUnhandledException(msg.str(), __FILE__, __LINE__, __FUNCTION__); \ + msg << SecurityManager::Exception::KnownExceptionToString(exception); \ + SecurityManager::LogUnhandledException(msg.str(), __FILE__, __LINE__, __FUNCTION__); \ abort(); \ } \ catch (std::exception& e) \ @@ -355,19 +355,19 @@ class Exception std::ostringstream msg; \ msg << e.what(); \ msg << "\n"; \ - msg << SecurityServer::Exception::UnknownExceptionToString(); \ - SecurityServer::LogUnhandledException(msg.str(), __FILE__, __LINE__, __FUNCTION__); \ + msg << SecurityManager::Exception::UnknownExceptionToString(); \ + SecurityManager::LogUnhandledException(msg.str(), __FILE__, __LINE__, __FUNCTION__); \ abort(); \ } \ catch (...) \ { \ std::ostringstream msg; \ - msg << SecurityServer::Exception::UnknownExceptionToString(); \ - SecurityServer::LogUnhandledException(msg.str(), __FILE__, __LINE__, __FUNCTION__); \ + msg << SecurityManager::Exception::UnknownExceptionToString(); \ + SecurityManager::LogUnhandledException(msg.str(), __FILE__, __LINE__, __FUNCTION__); \ abort(); \ } -namespace SecurityServer { +namespace SecurityManager { namespace CommonException { /** * Internal exception definitions diff --git a/src/server/dpl/core/include/dpl/noncopyable.h b/src/server/dpl/core/include/dpl/noncopyable.h index dae75e8..8f20bbc 100644 --- a/src/server/dpl/core/include/dpl/noncopyable.h +++ b/src/server/dpl/core/include/dpl/noncopyable.h @@ -22,7 +22,7 @@ #ifndef SECURITYSERVER_NONCOPYABLE_H #define SECURITYSERVER_NONCOPYABLE_H -namespace SecurityServer { +namespace SecurityManager { class Noncopyable { private: @@ -33,6 +33,6 @@ class Noncopyable Noncopyable(); virtual ~Noncopyable(); }; -} // namespace SecurityServer +} // namespace SecurityManager #endif // SECURITYSERVER_NONCOPYABLE_H diff --git a/src/server/dpl/core/include/dpl/serialization.h b/src/server/dpl/core/include/dpl/serialization.h index 0c60c4e..bb6602c 100644 --- a/src/server/dpl/core/include/dpl/serialization.h +++ b/src/server/dpl/core/include/dpl/serialization.h @@ -28,7 +28,7 @@ #include #include -namespace SecurityServer { +namespace SecurityManager { // Abstract data stream buffer class IStream { @@ -393,6 +393,6 @@ struct Deserialization { Deserialize(stream, *map); } }; // struct Deserialization -} // namespace SecurityServer +} // namespace SecurityManager #endif // SERIALIZATION_H diff --git a/src/server/dpl/core/include/dpl/singleton.h b/src/server/dpl/core/include/dpl/singleton.h index b46104f..f089107 100644 --- a/src/server/dpl/core/include/dpl/singleton.h +++ b/src/server/dpl/core/include/dpl/singleton.h @@ -22,7 +22,7 @@ #ifndef SECURITYSERVER_SINGLETON_H #define SECURITYSERVER_SINGLETON_H -namespace SecurityServer { +namespace SecurityManager { template class Singleton : private Class @@ -46,6 +46,6 @@ class Singleton : static Class &Instance(); }; -} // namespace SecurityServer +} // namespace SecurityManager #endif // SECURITYSERVER_SINGLETON_H diff --git a/src/server/dpl/core/include/dpl/singleton_impl.h b/src/server/dpl/core/include/dpl/singleton_impl.h index 31c054f..00cdbde 100644 --- a/src/server/dpl/core/include/dpl/singleton_impl.h +++ b/src/server/dpl/core/include/dpl/singleton_impl.h @@ -30,7 +30,7 @@ * singleton_safe_impl.h if possible. */ -namespace SecurityServer { +namespace SecurityManager { template Singleton& Singleton::InternalInstance() { @@ -44,10 +44,10 @@ Class &Singleton::Instance() Singleton& instance = Singleton::InternalInstance(); return instance; } -} // namespace SecurityServer +} // namespace SecurityManager #define IMPLEMENT_SINGLETON(Type) \ - template SecurityServer::Singleton&SecurityServer::Singleton::InternalInstance(); \ - template Type & SecurityServer::Singleton::Instance(); \ + template SecurityManager::Singleton&SecurityManager::Singleton::InternalInstance(); \ + template Type & SecurityManager::Singleton::Instance(); \ #endif // SECURITYSERVER_SINGLETON_IMPL_H diff --git a/src/server/dpl/core/include/dpl/singleton_safe_impl.h b/src/server/dpl/core/include/dpl/singleton_safe_impl.h index abef281..feeb30b 100644 --- a/src/server/dpl/core/include/dpl/singleton_safe_impl.h +++ b/src/server/dpl/core/include/dpl/singleton_safe_impl.h @@ -23,7 +23,7 @@ #define SECURITYSERVER_SINGLETON_SAFE_IMPL_H #define IMPLEMENT_SAFE_SINGLETON(Class) \ - namespace SecurityServer { \ + namespace SecurityManager { \ template<> \ Singleton&Singleton::InternalInstance() \ { \ @@ -40,6 +40,6 @@ \ template Singleton&Singleton::InternalInstance(); \ template Class & Singleton::Instance(); \ - } // namespace SecurityServer + } // namespace SecurityManager #endif // SECURITYSERVER_SINGLETON_SAFE_IMPL_H diff --git a/src/server/dpl/core/src/assert.cpp b/src/server/dpl/core/src/assert.cpp index 440b03a..ba1cecc 100644 --- a/src/server/dpl/core/src/assert.cpp +++ b/src/server/dpl/core/src/assert.cpp @@ -26,7 +26,7 @@ #include #include -namespace SecurityServer { +namespace SecurityManager { void AssertProc(const char *condition, const char *file, int line, @@ -37,7 +37,7 @@ void AssertProc(const char *condition, { \ std::ostringstream platformLog; \ platformLog << message; \ - SecurityServer::Log::LogSystemSingleton::Instance().Pedantic( \ + SecurityManager::Log::LogSystemSingleton::Instance().Pedantic( \ platformLog.str().c_str(), \ __FILE__, __LINE__, __FUNCTION__); \ } \ @@ -65,4 +65,4 @@ void AssertProc(const char *condition, // Fail with c-library abort abort(); } -} // namespace SecurityServer +} // namespace SecurityManager diff --git a/src/server/dpl/core/src/binary_queue.cpp b/src/server/dpl/core/src/binary_queue.cpp index be0c65d..72817a6 100644 --- a/src/server/dpl/core/src/binary_queue.cpp +++ b/src/server/dpl/core/src/binary_queue.cpp @@ -27,7 +27,7 @@ #include #include -namespace SecurityServer { +namespace SecurityManager { BinaryQueue::BinaryQueue() : m_size(0) {} @@ -314,4 +314,4 @@ size_t BinaryQueue::Write(const BinaryQueue &buffer, size_t bufferSize) AppendCopyFrom(buffer); return bufferSize; } -} // namespace SecurityServer +} // namespace SecurityManager diff --git a/src/server/dpl/core/src/colors.cpp b/src/server/dpl/core/src/colors.cpp index 6563a26..3682668 100644 --- a/src/server/dpl/core/src/colors.cpp +++ b/src/server/dpl/core/src/colors.cpp @@ -23,7 +23,7 @@ #include #include -namespace SecurityServer { +namespace SecurityManager { namespace Colors { namespace Text { const char* BOLD_GREEN_BEGIN = "\033[1;32m"; @@ -67,4 +67,4 @@ const char* BOLD_WHITE_BEGIN = ""; const char* BOLD_WHITE_END = ""; } //namespace Html } //namespace Colors -} //namespace SecurityServer +} //namespace SecurityManager diff --git a/src/server/dpl/core/src/exception.cpp b/src/server/dpl/core/src/exception.cpp index d1635bc..211a69f 100644 --- a/src/server/dpl/core/src/exception.cpp +++ b/src/server/dpl/core/src/exception.cpp @@ -24,7 +24,7 @@ #include #include -namespace SecurityServer { +namespace SecurityManager { Exception* Exception::m_lastException = NULL; unsigned int Exception::m_exceptionCount = 0; void (*Exception::m_terminateHandler)() = NULL; @@ -51,7 +51,7 @@ void LogUnhandledException(const std::string &str, printf("%s\n", msg.str().c_str()); // Logging to dlog - SecurityServer::Log::LogSystemSingleton::Instance().Error( + SecurityManager::Log::LogSystemSingleton::Instance().Error( str.c_str(), filename, line, function); } -} // namespace SecurityServer +} // namespace SecurityManager diff --git a/src/server/dpl/core/src/noncopyable.cpp b/src/server/dpl/core/src/noncopyable.cpp index c58e25a..e3a0987 100644 --- a/src/server/dpl/core/src/noncopyable.cpp +++ b/src/server/dpl/core/src/noncopyable.cpp @@ -22,10 +22,10 @@ #include #include -namespace SecurityServer { +namespace SecurityManager { Noncopyable::Noncopyable() {} Noncopyable::~Noncopyable() {} -} // namespace SecurityServer +} // namespace SecurityManager diff --git a/src/server/dpl/log/include/dpl/log/abstract_log_provider.h b/src/server/dpl/log/include/dpl/log/abstract_log_provider.h index 7679924..04a000f 100644 --- a/src/server/dpl/log/include/dpl/log/abstract_log_provider.h +++ b/src/server/dpl/log/include/dpl/log/abstract_log_provider.h @@ -22,7 +22,7 @@ #ifndef SECURITYSERVER_ABSTRACT_LOG_PROVIDER_H #define SECURITYSERVER_ABSTRACT_LOG_PROVIDER_H -namespace SecurityServer { +namespace SecurityManager { namespace Log { class AbstractLogProvider { @@ -76,6 +76,6 @@ class AbstractLogProvider static const char *LocateSourceFileName(const char *filename); }; } -} // namespace SecurityServer +} // namespace SecurityManager #endif // SECURITYSERVER_ABSTRACT_LOG_PROVIDER_H diff --git a/src/server/dpl/log/include/dpl/log/audit-smack-log.h b/src/server/dpl/log/include/dpl/log/audit-smack-log.h index 912ad53..98fdc15 100644 --- a/src/server/dpl/log/include/dpl/log/audit-smack-log.h +++ b/src/server/dpl/log/include/dpl/log/audit-smack-log.h @@ -33,7 +33,7 @@ #include #include -namespace SecurityServer { +namespace SecurityManager { namespace Log { class AuditSmackLog : @@ -110,5 +110,5 @@ private: }; } // namespace Log -} // namespace SecurityServer +} // namespace SecurityManager #endif // _AUDIT_SMACK_LOG_ diff --git a/src/server/dpl/log/include/dpl/log/dlog_log_provider.h b/src/server/dpl/log/include/dpl/log/dlog_log_provider.h index cd76c46..1d80ff7 100644 --- a/src/server/dpl/log/include/dpl/log/dlog_log_provider.h +++ b/src/server/dpl/log/include/dpl/log/dlog_log_provider.h @@ -26,7 +26,7 @@ #include #include -namespace SecurityServer { +namespace SecurityManager { namespace Log { class DLOGLogProvider : public AbstractLogProvider @@ -89,6 +89,6 @@ class DLOGLogProvider : }; } // namespace Log -} // namespace SecurityServer +} // namespace SecurityManager #endif // SECURITYSERVER_DLOG_LOG_PROVIDER_H diff --git a/src/server/dpl/log/include/dpl/log/log.h b/src/server/dpl/log/include/dpl/log/log.h index 9d8403a..e8f3665 100644 --- a/src/server/dpl/log/include/dpl/log/log.h +++ b/src/server/dpl/log/include/dpl/log/log.h @@ -28,7 +28,7 @@ #include #include -namespace SecurityServer { +namespace SecurityManager { namespace Log { /** * SecurityServer log system @@ -168,7 +168,7 @@ class NullStream */ typedef Singleton LogSystemSingleton; } -} // namespace SecurityServer +} // namespace SecurityManager // // Log support @@ -178,18 +178,18 @@ typedef Singleton LogSystemSingleton; /* avoid warnings about unused variables */ #define DPL_MACRO_DUMMY_LOGGING(message, function) \ do { \ - SecurityServer::Log::NullStream ns; \ + SecurityManager::Log::NullStream ns; \ ns << message; \ } while (0) #define DPL_MACRO_FOR_LOGGING(message, function) \ do \ { \ - if (SecurityServer::Log::LogSystemSingleton::Instance().IsLoggingEnabled()) \ + if (SecurityManager::Log::LogSystemSingleton::Instance().IsLoggingEnabled()) \ { \ std::ostringstream platformLog; \ platformLog << message; \ - SecurityServer::Log::LogSystemSingleton::Instance().function( \ + SecurityManager::Log::LogSystemSingleton::Instance().function( \ platformLog.str().c_str(), \ __FILE__, __LINE__, __FUNCTION__); \ } \ diff --git a/src/server/dpl/log/include/dpl/log/old_style_log_provider.h b/src/server/dpl/log/include/dpl/log/old_style_log_provider.h index 91eeb80..60b8cf9 100644 --- a/src/server/dpl/log/include/dpl/log/old_style_log_provider.h +++ b/src/server/dpl/log/include/dpl/log/old_style_log_provider.h @@ -25,7 +25,7 @@ #include #include -namespace SecurityServer { +namespace SecurityManager { namespace Log { class OldStyleLogProvider : public AbstractLogProvider @@ -99,6 +99,6 @@ class OldStyleLogProvider : const char *function); }; } -} // namespace SecurityServer +} // namespace SecurityManager #endif // SECURITYSERVER_OLD_STYLE_LOG_PROVIDER_H diff --git a/src/server/dpl/log/src/abstract_log_provider.cpp b/src/server/dpl/log/src/abstract_log_provider.cpp index 1da7bba..5b7574c 100644 --- a/src/server/dpl/log/src/abstract_log_provider.cpp +++ b/src/server/dpl/log/src/abstract_log_provider.cpp @@ -25,7 +25,7 @@ #define UNUSED __attribute__((unused)) -namespace SecurityServer { +namespace SecurityManager { namespace Log { void AbstractLogProvider::SetTag(const char *tag UNUSED) {} diff --git a/src/server/dpl/log/src/audit-smack-log.cpp b/src/server/dpl/log/src/audit-smack-log.cpp index 8960b51..1d03b6f 100644 --- a/src/server/dpl/log/src/audit-smack-log.cpp +++ b/src/server/dpl/log/src/audit-smack-log.cpp @@ -53,7 +53,7 @@ const std::string AUDIT_LOG_SMACK_LABEL = "security-manager::audit-files"; } // namespace anonymous -namespace SecurityServer { +namespace SecurityManager { namespace Log { AuditSmackLog::AuditSmackLog() @@ -307,4 +307,4 @@ void AuditSmackLog::SecureError(const char *message UNUSED, } } // namespace Log -} // namespace SecurityServer +} // namespace SecurityManager diff --git a/src/server/dpl/log/src/dlog_log_provider.cpp b/src/server/dpl/log/src/dlog_log_provider.cpp index ffe23da..c96dfd0 100644 --- a/src/server/dpl/log/src/dlog_log_provider.cpp +++ b/src/server/dpl/log/src/dlog_log_provider.cpp @@ -27,7 +27,7 @@ #define UNUSED __attribute__((unused)) -namespace SecurityServer { +namespace SecurityManager { namespace Log { std::string DLOGLogProvider::FormatMessage(const char *message, const char *filename, @@ -149,4 +149,4 @@ void DLOGLogProvider::SmackAudit(const char *message UNUSED, } } // nemespace Log -} // namespace SecurityServer +} // namespace SecurityManager diff --git a/src/server/dpl/log/src/log.cpp b/src/server/dpl/log/src/log.cpp index ef67fb2..0b1a528 100644 --- a/src/server/dpl/log/src/log.cpp +++ b/src/server/dpl/log/src/log.cpp @@ -28,9 +28,9 @@ #include #include -IMPLEMENT_SINGLETON(SecurityServer::Log::LogSystem) +IMPLEMENT_SINGLETON(SecurityManager::Log::LogSystem) -namespace SecurityServer { +namespace SecurityManager { namespace Log { namespace // anonymous { @@ -291,4 +291,4 @@ void LogSystem::SmackAudit(const char *message, } } -} // namespace SecurityServer +} // namespace SecurityManager diff --git a/src/server/dpl/log/src/old_style_log_provider.cpp b/src/server/dpl/log/src/old_style_log_provider.cpp index 4c10749..b3ea65a 100644 --- a/src/server/dpl/log/src/old_style_log_provider.cpp +++ b/src/server/dpl/log/src/old_style_log_provider.cpp @@ -29,11 +29,11 @@ #include #include -namespace SecurityServer { +namespace SecurityManager { namespace Log { namespace // anonymous { -using namespace SecurityServer::Colors::Text; +using namespace SecurityManager::Colors::Text; const char *DEBUG_BEGIN = GREEN_BEGIN; const char *DEBUG_END = GREEN_END; const char *INFO_BEGIN = CYAN_BEGIN; @@ -310,4 +310,4 @@ void OldStyleLogProvider::SmackAudit(const char *message, } } -} // namespace SecurityServer +} // namespace SecurityManager diff --git a/src/server/main/generic-event.h b/src/server/main/generic-event.h index 30d9e88..8e70ae3 100644 --- a/src/server/main/generic-event.h +++ b/src/server/main/generic-event.h @@ -25,12 +25,12 @@ #ifndef _SECURITY_SERVER_GENERIC_EVENT_ #define _SECURITY_SERVER_GENERIC_EVENT_ -namespace SecurityServer { +namespace SecurityManager { struct GenericEvent { virtual ~GenericEvent(){} }; -} // namespace SecurityServer +} // namespace SecurityManager #endif // _SECURITY_SERVER_GENERIC_EVENT_ diff --git a/src/server/main/generic-socket-manager.cpp b/src/server/main/generic-socket-manager.cpp index 5bf0695..1e6bc5e 100644 --- a/src/server/main/generic-socket-manager.cpp +++ b/src/server/main/generic-socket-manager.cpp @@ -27,7 +27,7 @@ #include -namespace SecurityServer { +namespace SecurityManager { class SendMsgData::Internal { public: @@ -112,5 +112,5 @@ int SendMsgData::flags() { return m_flags; } -} // namespace SecurityServer +} // namespace SecurityManager diff --git a/src/server/main/generic-socket-manager.h b/src/server/main/generic-socket-manager.h index 4417a30..8603eab 100644 --- a/src/server/main/generic-socket-manager.h +++ b/src/server/main/generic-socket-manager.h @@ -36,7 +36,7 @@ extern "C" { struct msghdr; } // extern "C" -namespace SecurityServer { +namespace SecurityManager { typedef int InterfaceID; @@ -138,6 +138,6 @@ struct GenericSocketManager { virtual ~GenericSocketManager(){} }; -} // namespace SecurityServer +} // namespace SecurityManager #endif // _SECURITY_SERVER_GENERIC_SERVICE_MANAGER_ diff --git a/src/server/main/security-manager-util.cpp b/src/server/main/security-manager-util.cpp index b0febfa..030c5ca 100644 --- a/src/server/main/security-manager-util.cpp +++ b/src/server/main/security-manager-util.cpp @@ -33,7 +33,7 @@ namespace { const size_t SIZE_T_MAX = std::numeric_limits::max(); } // namespace anonymous -namespace SecurityServer { +namespace SecurityManager { int util_smack_label_is_valid(const char *smack_label) { @@ -112,5 +112,5 @@ char *read_exe_path_from_proc(pid_t pid) return exe; } -} // namespace SecurityServer +} // namespace SecurityManager diff --git a/src/server/main/security-manager-util.h b/src/server/main/security-manager-util.h index 3bb37d4..611696e 100644 --- a/src/server/main/security-manager-util.h +++ b/src/server/main/security-manager-util.h @@ -24,11 +24,11 @@ #include -namespace SecurityServer { +namespace SecurityManager { int util_smack_label_is_valid(const char *smack_label); char *read_exe_path_from_proc(pid_t pid); -} // namespace SecurityServer +} // namespace SecurityManager #endif /*SECURITY_SERVER_UTIL_H*/ diff --git a/src/server/main/server2-main.cpp b/src/server/main/server2-main.cpp index 42f72e7..0111e42 100644 --- a/src/server/main/server2-main.cpp +++ b/src/server/main/server2-main.cpp @@ -33,13 +33,13 @@ #include -IMPLEMENT_SAFE_SINGLETON(SecurityServer::Log::LogSystem); +IMPLEMENT_SAFE_SINGLETON(SecurityManager::Log::LogSystem); #define REGISTER_SOCKET_SERVICE(manager, service) \ registerSocketService(manager, #service) template -void registerSocketService(SecurityServer::SocketManager &manager, const std::string& serviceName) +void registerSocketService(SecurityManager::SocketManager &manager, const std::string& serviceName) { T *service = NULL; try { @@ -47,7 +47,7 @@ void registerSocketService(SecurityServer::SocketManager &manager, const std::st service->Create(); manager.RegisterSocketService(service); service = NULL; - } catch (const SecurityServer::Exception &exception) { + } catch (const SecurityManager::Exception &exception) { LogError("Error in creating service " << serviceName << ", details:\n" << exception.DumpToString()); } catch (const std::exception& e) { @@ -65,16 +65,16 @@ int main(void) { UNHANDLED_EXCEPTION_HANDLER_BEGIN { - SecurityServer::Singleton::Instance().SetTag("SECURITY_SERVER"); + SecurityManager::Singleton::Instance().SetTag("SECURITY_MANAGER"); // This provider may be used in security-server only. // If we add it inside LogSystem constructor it also // will be used by security-server-client library. - SecurityServer::Log::AuditSmackLog *smackLog = new SecurityServer::Log::AuditSmackLog; + SecurityManager::Log::AuditSmackLog *smackLog = new SecurityManager::Log::AuditSmackLog; if (smackLog->Fail()) delete smackLog; else - SecurityServer::Singleton::Instance().AddProvider(smackLog); + SecurityManager::Singleton::Instance().AddProvider(smackLog); sigset_t mask; sigemptyset(&mask); @@ -86,9 +86,9 @@ int main(void) { } LogInfo("Start!"); - SecurityServer::SocketManager manager; + SecurityManager::SocketManager manager; - REGISTER_SOCKET_SERVICE(manager, SecurityServer::InstallerService); + REGISTER_SOCKET_SERVICE(manager, SecurityManager::InstallerService); manager.MainLoop(); } diff --git a/src/server/main/service-thread.h b/src/server/main/service-thread.h index e5989e6..71c6e3f 100644 --- a/src/server/main/service-thread.h +++ b/src/server/main/service-thread.h @@ -40,7 +40,7 @@ #define DEFINE_THREAD_EVENT(eventType) \ void Event(const eventType &event) { \ - SecurityServer::ServiceThread:: \ + SecurityManager::ServiceThread:: \ Event(event, \ this, \ &ParentClassName::EventInternal##eventType); \ @@ -49,13 +49,13 @@ #define DECLARE_THREAD_EVENT(eventType, methodName) \ void Event(const eventType &event) { \ - SecurityServer::ServiceThread:: \ + SecurityManager::ServiceThread:: \ Event(event, \ this, \ &ParentClassName::methodName); \ } -namespace SecurityServer { +namespace SecurityManager { template class ServiceThread { @@ -172,6 +172,6 @@ protected: bool m_quit; }; -} // namespace SecurityServer +} // namespace SecurityManager #endif // _SECURITY_SERVER_SERVICE_THREAD_ diff --git a/src/server/main/socket-manager.cpp b/src/server/main/socket-manager.cpp index e7d2f3f..c9f497b 100644 --- a/src/server/main/socket-manager.cpp +++ b/src/server/main/socket-manager.cpp @@ -52,7 +52,7 @@ const time_t SOCKET_TIMEOUT = 20; } // namespace anonymous -namespace SecurityServer { +namespace SecurityManager { struct DummyService : public GenericSocketService { ServiceDescriptionVector GetServiceDescription() { @@ -728,4 +728,4 @@ void SocketManager::CloseSocket(int sock) { FD_CLR(sock, &m_writeSet); } -} // namespace SecurityServer +} // namespace SecurityManager diff --git a/src/server/main/socket-manager.h b/src/server/main/socket-manager.h index b7b733c..fdc6516 100644 --- a/src/server/main/socket-manager.h +++ b/src/server/main/socket-manager.h @@ -35,13 +35,13 @@ #include -namespace SecurityServer { +namespace SecurityManager { class SocketManager : public GenericSocketManager { public: class Exception { public: - DECLARE_EXCEPTION_TYPE(SecurityServer::Exception, Base) + DECLARE_EXCEPTION_TYPE(SecurityManager::Exception, Base) DECLARE_EXCEPTION_TYPE(Base, InitFailed) }; SocketManager(); @@ -130,6 +130,6 @@ protected: std::priority_queue m_timeoutQueue; }; -} // namespace SecurityServer +} // namespace SecurityManager #endif // _SECURITY_SERVER_SOCKET_MANAGER_ diff --git a/src/server/service/installer.cpp b/src/server/service/installer.cpp index 0445c78..20829fd 100644 --- a/src/server/service/installer.cpp +++ b/src/server/service/installer.cpp @@ -41,7 +41,7 @@ #include "smack-rules.h" #include "security-manager-common.h" -namespace SecurityServer { +namespace SecurityManager { namespace { @@ -507,4 +507,4 @@ bool InstallerService::processAppUninstall(MessageBuffer &buffer, MessageBuffer return true; } -} // namespace SecurityServer +} // namespace SecurityManager diff --git a/src/server/service/installer.h b/src/server/service/installer.h index 45c95f6..43bf1db 100644 --- a/src/server/service/installer.h +++ b/src/server/service/installer.h @@ -29,18 +29,18 @@ #include #include -namespace SecurityServer { +namespace SecurityManager { class InstallerException { public: - DECLARE_EXCEPTION_TYPE(SecurityServer::Exception, Base) + DECLARE_EXCEPTION_TYPE(SecurityManager::Exception, Base) DECLARE_EXCEPTION_TYPE(Base, InvalidAction) }; class InstallerService : - public SecurityServer::GenericSocketService, - public SecurityServer::ServiceThread + public SecurityManager::GenericSocketService, + public SecurityManager::ServiceThread { public: InstallerService(); @@ -90,6 +90,6 @@ private: bool processAppUninstall(MessageBuffer &buffer, MessageBuffer &send); }; -} // namespace SecurityServer +} // namespace SecurityManager #endif // _SECURITY_SERVER_INSTALLER_ diff --git a/src/server/service/smack-common.cpp b/src/server/service/smack-common.cpp index 4eb5907..dcb14bb 100644 --- a/src/server/service/smack-common.cpp +++ b/src/server/service/smack-common.cpp @@ -9,7 +9,7 @@ #include -namespace SecurityServer { +namespace SecurityManager { int get_smack_label_from_process(pid_t pid, char *smack_label) { @@ -114,5 +114,5 @@ int smack_pid_have_access(pid_t pid, -} // namespace SecurityServer +} // namespace SecurityManager diff --git a/src/server/service/smack-common.h b/src/server/service/smack-common.h index 49698b6..fd12ecc 100644 --- a/src/server/service/smack-common.h +++ b/src/server/service/smack-common.h @@ -3,11 +3,11 @@ #include -namespace SecurityServer { +namespace SecurityManager { int get_smack_label_from_process(pid_t pid, char *smack_label); int smack_pid_have_access(pid_t pid, const char *object, const char *access_type); -} // namespace SecurityServer +} // namespace SecurityManager #endif -- 2.7.4 From c68803164a6c3d85d39d5e02e4b6e5785ad1f518 Mon Sep 17 00:00:00 2001 From: Jan Cybulski Date: Fri, 13 Jun 2014 13:18:45 +0200 Subject: [PATCH 09/16] Comments and defines changed to comply with new project name Change-Id: Ie931b2a4d7f2c5d7fa688fbbd0b8f062cfb9a818 Signed-off-by: Jan Cybulski --- src/server/client/client-common.h | 15 +++++++-------- src/server/common/message-buffer.h | 6 +++--- src/server/common/protocols.cpp | 2 +- src/server/common/protocols.h | 8 ++++---- src/server/dpl/core/include/dpl/assert.h | 8 ++++---- src/server/dpl/core/include/dpl/binary_queue.h | 6 +++--- src/server/dpl/core/include/dpl/colors.h | 6 +++--- src/server/dpl/core/include/dpl/exception.h | 10 +++++----- src/server/dpl/core/include/dpl/fstream_accessors.h | 6 +++--- src/server/dpl/core/include/dpl/noncopyable.h | 6 +++--- src/server/dpl/core/include/dpl/noreturn.h | 8 ++++---- src/server/dpl/core/include/dpl/singleton.h | 6 +++--- src/server/dpl/core/include/dpl/singleton_impl.h | 6 +++--- src/server/dpl/core/include/dpl/singleton_safe_impl.h | 6 +++--- src/server/dpl/core/src/assert.cpp | 2 +- .../dpl/log/include/dpl/log/abstract_log_provider.h | 6 +++--- src/server/dpl/log/include/dpl/log/dlog_log_provider.h | 6 +++--- src/server/dpl/log/include/dpl/log/log.h | 8 ++++---- .../dpl/log/include/dpl/log/old_style_log_provider.h | 6 +++--- src/server/dpl/log/src/log.cpp | 4 ++-- src/server/main/generic-event.h | 6 +++--- src/server/main/generic-socket-manager.h | 6 +++--- src/server/main/security-manager-util.cpp | 2 +- src/server/main/security-manager-util.h | 8 ++++---- src/server/main/server2-main.cpp | 6 +++--- src/server/main/service-thread.h | 6 +++--- src/server/main/socket-manager.h | 6 +++--- src/server/service/installer.h | 6 +++--- 28 files changed, 88 insertions(+), 89 deletions(-) diff --git a/src/server/client/client-common.h b/src/server/client/client-common.h index 7569f2f..607e8d3 100644 --- a/src/server/client/client-common.h +++ b/src/server/client/client-common.h @@ -20,20 +20,19 @@ * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) * @version 1.0 * @brief This file constains implementation of common types - * used in security server. + * used in security manager. */ -#ifndef _SECURITY_SERVER_CLIENT_ -#define _SECURITY_SERVER_CLIENT_ +#ifndef _SECURITY_MANAGER_CLIENT_ +#define _SECURITY_MANAGER_CLIENT_ #include #include #include -#define SECURITY_SERVER_API __attribute__((visibility("default"))) #define SECURITY_MANAGER_API __attribute__((visibility("default"))) -#define SECURITY_SERVER_UNUSED __attribute__((unused)) +#define SECURITY_MANAGER_UNUSED __attribute__((unused)) extern "C" { struct msghdr; @@ -47,13 +46,13 @@ int sendToServer(char const * const interface, const RawBuffer &send, MessageBuf /* * sendToServerAncData is special case when we want to receive file descriptor - * passed by Security Server on behalf of calling process. We can't get it with + * passed by Security Manager on behalf of calling process. We can't get it with * MessageBuffer. * * This function should be called _ONLY_ in this particular case. * */ -int sendToServerAncData(char const * const interface, const RawBuffer &send, struct msghdr &hdr); +int sendToManagerAncData(char const * const interface, const RawBuffer &send, struct msghdr &hdr); /* * Decorator function that performs frequently repeated exception handling in @@ -63,4 +62,4 @@ int try_catch(const std::function& func); } // namespace SecurityManager -#endif // _SECURITY_SERVER_CLIENT_ +#endif // _SECURITY_MANAGER_CLIENT_ diff --git a/src/server/common/message-buffer.h b/src/server/common/message-buffer.h index ff115e0..71c89ed 100644 --- a/src/server/common/message-buffer.h +++ b/src/server/common/message-buffer.h @@ -22,8 +22,8 @@ * @brief Implementatin of MessageBuffer. */ -#ifndef _SECURITY_SERVER_SOCKET_BUFFER_ -#define _SECURITY_SERVER_SOCKET_BUFFER_ +#ifndef _SECURITY_MANAGER_SOCKET_BUFFER_ +#define _SECURITY_MANAGER_SOCKET_BUFFER_ #include @@ -76,4 +76,4 @@ protected: } // namespace SecurityManager -#endif // _SECURITY_SERVER_SOCKET_BUFFER_ +#endif // _SECURITY_MANAGER_SOCKET_BUFFER_ diff --git a/src/server/common/protocols.cpp b/src/server/common/protocols.cpp index 24bdae5..c120327 100644 --- a/src/server/common/protocols.cpp +++ b/src/server/common/protocols.cpp @@ -19,7 +19,7 @@ * @file protocols.cpp * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) * @version 1.0 - * @brief List of all protocols supported by security server. + * @brief List of all protocols supported by security manager. */ #include diff --git a/src/server/common/protocols.h b/src/server/common/protocols.h index ed1c5a6..85398e8 100644 --- a/src/server/common/protocols.h +++ b/src/server/common/protocols.h @@ -19,11 +19,11 @@ * @file protocols.h * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) * @version 1.0 - * @brief This file contains list of all protocols suported by security-sever. + * @brief This file contains list of all protocols suported by security-manager. */ -#ifndef _SECURITY_SERVER_PROTOCOLS_ -#define _SECURITY_SERVER_PROTOCOLS_ +#ifndef _SECURITY_MANAGER_PROTOCOLS_ +#define _SECURITY_MANAGER_PROTOCOLS_ #include #include @@ -48,4 +48,4 @@ enum class SecurityModuleCall } // namespace SecurityManager -#endif // _SECURITY_SERVER_PROTOCOLS_ +#endif // _SECURITY_MANAGER_PROTOCOLS_ diff --git a/src/server/dpl/core/include/dpl/assert.h b/src/server/dpl/core/include/dpl/assert.h index a02aac9..34daa4d 100644 --- a/src/server/dpl/core/include/dpl/assert.h +++ b/src/server/dpl/core/include/dpl/assert.h @@ -19,8 +19,8 @@ * @version 1.0 * @brief This file is the implementation file of assert */ -#ifndef SECURITY_SERVER_ASSERT_H -#define SECURITY_SERVER_ASSERT_H +#ifndef SECURITY_MANAGER_ASSERT_H +#define SECURITY_MANAGER_ASSERT_H #include @@ -28,7 +28,7 @@ namespace SecurityManager { // Assertion handler procedure // Do not call directly // Always use Assert macro -SECURITYSERVER_NORETURN void AssertProc(const char *condition, +SECURITYMANAGER_NORETURN void AssertProc(const char *condition, const char *file, int line, const char *function); @@ -40,4 +40,4 @@ SECURITYSERVER_NORETURN void AssertProc(const char *condition, __FUNCTION__); \ } } while (0) -#endif // SECURITY_SERVER_ASSERT_H +#endif // SECURITY_MANAGER_ASSERT_H diff --git a/src/server/dpl/core/include/dpl/binary_queue.h b/src/server/dpl/core/include/dpl/binary_queue.h index e007712..dd03f5e 100644 --- a/src/server/dpl/core/include/dpl/binary_queue.h +++ b/src/server/dpl/core/include/dpl/binary_queue.h @@ -19,8 +19,8 @@ * @version 1.0 * @brief This file is the header file of binary queue */ -#ifndef SECURITY_SERVER_BINARY_QUEUE_H -#define SECURITY_SERVER_BINARY_QUEUE_H +#ifndef SECURITY_MANAGER_BINARY_QUEUE_H +#define SECURITY_MANAGER_BINARY_QUEUE_H //#include #include @@ -295,4 +295,4 @@ class BinaryQueue } // namespace SecurityManager -#endif // SECURITY_SERVER_BINARY_QUEUE_H +#endif // SECURITY_MANAGER_BINARY_QUEUE_H diff --git a/src/server/dpl/core/include/dpl/colors.h b/src/server/dpl/core/include/dpl/colors.h index 69136d1..d10f973 100644 --- a/src/server/dpl/core/include/dpl/colors.h +++ b/src/server/dpl/core/include/dpl/colors.h @@ -21,8 +21,8 @@ * and html output */ -#ifndef SECURITY_SERVER_COLORS_H -#define SECURITY_SERVER_COLORS_H +#ifndef SECURITY_MANAGER_COLORS_H +#define SECURITY_MANAGER_COLORS_H namespace SecurityManager { namespace Colors { @@ -70,4 +70,4 @@ extern const char* BOLD_WHITE_END; } //namespace Colors } //namespace SecurityManager -#endif /* SECURITY_SERVER_COLORS_H */ +#endif /* SECURITY_MANAGER_COLORS_H */ diff --git a/src/server/dpl/core/include/dpl/exception.h b/src/server/dpl/core/include/dpl/exception.h index f9c2cf2..2087102 100644 --- a/src/server/dpl/core/include/dpl/exception.h +++ b/src/server/dpl/core/include/dpl/exception.h @@ -19,8 +19,8 @@ * @version 1.0 * @brief Header file for base exception */ -#ifndef SECURITY_SERVER_EXCEPTION_H -#define SECURITY_SERVER_EXCEPTION_H +#ifndef SECURITY_MANAGER_EXCEPTION_H +#define SECURITY_MANAGER_EXCEPTION_H #include #include @@ -94,7 +94,7 @@ class Exception { std::ostringstream message; message << - "\033[1;5;31m\n=== Unhandled SecurityServer exception occurred ===\033[m\n\n"; + "\033[1;5;31m\n=== Unhandled SecurityManager exception occurred ===\033[m\n\n"; message << "\033[1;33mException trace:\033[m\n\n"; message << e.DumpToString(); message << "\033[1;31m\n=== Will now abort ===\033[m\n"; @@ -106,7 +106,7 @@ class Exception { std::ostringstream message; message << - "\033[1;5;31m\n=== Unhandled non-SecurityServer exception occurred ===\033[m\n\n"; + "\033[1;5;31m\n=== Unhandled non-SecurityManager exception occurred ===\033[m\n\n"; message << "\033[1;31m\n=== Will now abort ===\033[m\n"; return message.str(); @@ -382,4 +382,4 @@ DECLARE_EXCEPTION_TYPE(Exception, InternalError) ///< Unexpected error from } } -#endif // SECURITY_SERVER_EXCEPTION_H +#endif // SECURITY_MANAGER_EXCEPTION_H diff --git a/src/server/dpl/core/include/dpl/fstream_accessors.h b/src/server/dpl/core/include/dpl/fstream_accessors.h index 1c595b6..141a499 100644 --- a/src/server/dpl/core/include/dpl/fstream_accessors.h +++ b/src/server/dpl/core/include/dpl/fstream_accessors.h @@ -22,8 +22,8 @@ * */ -#ifndef SECURITY_SERVER_FSTREAM_ACCESSORS_H -#define SECURITY_SERVER_FSTREAM_ACCESSORS_H +#ifndef SECURITY_MANAGER_FSTREAM_ACCESSORS_H +#define SECURITY_MANAGER_FSTREAM_ACCESSORS_H namespace DPL { @@ -45,4 +45,4 @@ public: } // namespace DPL -#endif // SECURITY_SERVER_FSTREAM_ACCESSORS_H +#endif // SECURITY_MANAGER_FSTREAM_ACCESSORS_H diff --git a/src/server/dpl/core/include/dpl/noncopyable.h b/src/server/dpl/core/include/dpl/noncopyable.h index 8f20bbc..4d476a4 100644 --- a/src/server/dpl/core/include/dpl/noncopyable.h +++ b/src/server/dpl/core/include/dpl/noncopyable.h @@ -19,8 +19,8 @@ * @version 1.0 * @brief This file is the implementation file of noncopyable */ -#ifndef SECURITYSERVER_NONCOPYABLE_H -#define SECURITYSERVER_NONCOPYABLE_H +#ifndef SECURITYMANAGER_NONCOPYABLE_H +#define SECURITYMANAGER_NONCOPYABLE_H namespace SecurityManager { class Noncopyable @@ -35,4 +35,4 @@ class Noncopyable }; } // namespace SecurityManager -#endif // SECURITYSERVER_NONCOPYABLE_H +#endif // SECURITYMANAGER_NONCOPYABLE_H diff --git a/src/server/dpl/core/include/dpl/noreturn.h b/src/server/dpl/core/include/dpl/noreturn.h index 44dfd4a..a876f34 100644 --- a/src/server/dpl/core/include/dpl/noreturn.h +++ b/src/server/dpl/core/include/dpl/noreturn.h @@ -19,9 +19,9 @@ * @version 1.0 * @brief This file is the implementation file of noreturn */ -#ifndef SECURITYSERVER_NORETURN_H -#define SECURITYSERVER_NORETURN_H +#ifndef SECURITYMANAGER_NORETURN_H +#define SECURITYMANAGER_NORETURN_H -#define SECURITYSERVER_NORETURN __attribute__((__noreturn__)) +#define SECURITYMANAGER_NORETURN __attribute__((__noreturn__)) -#endif // SECURITYSERVER_NORETURN_H +#endif // SECURITYMANAGER_NORETURN_H diff --git a/src/server/dpl/core/include/dpl/singleton.h b/src/server/dpl/core/include/dpl/singleton.h index f089107..d064c62 100644 --- a/src/server/dpl/core/include/dpl/singleton.h +++ b/src/server/dpl/core/include/dpl/singleton.h @@ -19,8 +19,8 @@ * @version 1.0 * @brief This file is the implementation file of singleton */ -#ifndef SECURITYSERVER_SINGLETON_H -#define SECURITYSERVER_SINGLETON_H +#ifndef SECURITYMANAGER_SINGLETON_H +#define SECURITYMANAGER_SINGLETON_H namespace SecurityManager { template @@ -48,4 +48,4 @@ class Singleton : }; } // namespace SecurityManager -#endif // SECURITYSERVER_SINGLETON_H +#endif // SECURITYMANAGER_SINGLETON_H diff --git a/src/server/dpl/core/include/dpl/singleton_impl.h b/src/server/dpl/core/include/dpl/singleton_impl.h index 00cdbde..7f316c1 100644 --- a/src/server/dpl/core/include/dpl/singleton_impl.h +++ b/src/server/dpl/core/include/dpl/singleton_impl.h @@ -19,8 +19,8 @@ * @version 1.0 * @brief This file is the implementation file of singleton */ -#ifndef SECURITYSERVER_SINGLETON_IMPL_H -#define SECURITYSERVER_SINGLETON_IMPL_H +#ifndef SECURITYMANAGER_SINGLETON_IMPL_H +#define SECURITYMANAGER_SINGLETON_IMPL_H /* * WARNING! @@ -50,4 +50,4 @@ Class &Singleton::Instance() template SecurityManager::Singleton&SecurityManager::Singleton::InternalInstance(); \ template Type & SecurityManager::Singleton::Instance(); \ -#endif // SECURITYSERVER_SINGLETON_IMPL_H +#endif // SECURITYMANAGER_SINGLETON_IMPL_H diff --git a/src/server/dpl/core/include/dpl/singleton_safe_impl.h b/src/server/dpl/core/include/dpl/singleton_safe_impl.h index feeb30b..c199db7 100644 --- a/src/server/dpl/core/include/dpl/singleton_safe_impl.h +++ b/src/server/dpl/core/include/dpl/singleton_safe_impl.h @@ -19,8 +19,8 @@ * @version 1.0 * @brief This file is the implementation file of singleton */ -#ifndef SECURITYSERVER_SINGLETON_SAFE_IMPL_H -#define SECURITYSERVER_SINGLETON_SAFE_IMPL_H +#ifndef SECURITYMANAGER_SINGLETON_SAFE_IMPL_H +#define SECURITYMANAGER_SINGLETON_SAFE_IMPL_H #define IMPLEMENT_SAFE_SINGLETON(Class) \ namespace SecurityManager { \ @@ -42,4 +42,4 @@ template Class & Singleton::Instance(); \ } // namespace SecurityManager -#endif // SECURITYSERVER_SINGLETON_SAFE_IMPL_H +#endif // SECURITYMANAGER_SINGLETON_SAFE_IMPL_H diff --git a/src/server/dpl/core/src/assert.cpp b/src/server/dpl/core/src/assert.cpp index ba1cecc..63538a2 100644 --- a/src/server/dpl/core/src/assert.cpp +++ b/src/server/dpl/core/src/assert.cpp @@ -49,7 +49,7 @@ void AssertProc(const char *condition, INTERNAL_LOG( "################################################################################"); INTERNAL_LOG( - "### SecurityServer assertion failed! ###"); + "### SecurityManager assertion failed! ###"); INTERNAL_LOG( "################################################################################"); INTERNAL_LOG("### Condition: " << condition); diff --git a/src/server/dpl/log/include/dpl/log/abstract_log_provider.h b/src/server/dpl/log/include/dpl/log/abstract_log_provider.h index 04a000f..cfe9679 100644 --- a/src/server/dpl/log/include/dpl/log/abstract_log_provider.h +++ b/src/server/dpl/log/include/dpl/log/abstract_log_provider.h @@ -19,8 +19,8 @@ * @version 1.0 * @brief This file is the implementation file of abstract log provider */ -#ifndef SECURITYSERVER_ABSTRACT_LOG_PROVIDER_H -#define SECURITYSERVER_ABSTRACT_LOG_PROVIDER_H +#ifndef SECURITYMANAGER_ABSTRACT_LOG_PROVIDER_H +#define SECURITYMANAGER_ABSTRACT_LOG_PROVIDER_H namespace SecurityManager { namespace Log { @@ -78,4 +78,4 @@ class AbstractLogProvider } } // namespace SecurityManager -#endif // SECURITYSERVER_ABSTRACT_LOG_PROVIDER_H +#endif // SECURITYMANAGER_ABSTRACT_LOG_PROVIDER_H diff --git a/src/server/dpl/log/include/dpl/log/dlog_log_provider.h b/src/server/dpl/log/include/dpl/log/dlog_log_provider.h index 1d80ff7..6fe0d97 100644 --- a/src/server/dpl/log/include/dpl/log/dlog_log_provider.h +++ b/src/server/dpl/log/include/dpl/log/dlog_log_provider.h @@ -19,8 +19,8 @@ * @version 1.0 * @brief This file is the implementation file of DLOG log provider */ -#ifndef SECURITYSERVER_DLOG_LOG_PROVIDER_H -#define SECURITYSERVER_DLOG_LOG_PROVIDER_H +#ifndef SECURITYMANAGER_DLOG_LOG_PROVIDER_H +#define SECURITYMANAGER_DLOG_LOG_PROVIDER_H #include #include @@ -91,4 +91,4 @@ class DLOGLogProvider : } // namespace Log } // namespace SecurityManager -#endif // SECURITYSERVER_DLOG_LOG_PROVIDER_H +#endif // SECURITYMANAGER_DLOG_LOG_PROVIDER_H diff --git a/src/server/dpl/log/include/dpl/log/log.h b/src/server/dpl/log/include/dpl/log/log.h index e8f3665..2594ace 100644 --- a/src/server/dpl/log/include/dpl/log/log.h +++ b/src/server/dpl/log/include/dpl/log/log.h @@ -19,8 +19,8 @@ * @version 1.0 * @brief This file is the implementation file of log system */ -#ifndef SECURITYSERVER_LOG_H -#define SECURITYSERVER_LOG_H +#ifndef SECURITYMANAGER_LOG_H +#define SECURITYMANAGER_LOG_H #include #include @@ -31,7 +31,7 @@ namespace SecurityManager { namespace Log { /** - * SecurityServer log system + * SecurityManager log system * * To switch logs into old style, export * DPL_USE_OLD_STYLE_LOGS before application start @@ -219,4 +219,4 @@ do \ #define LogSecureWarning(message) DPL_MACRO_DUMMY_LOGGING(message, SecureWarning) #endif // BUILD_TYPE_DEBUG -#endif // SECURITYSERVER_LOG_H +#endif // SECURITYMANAGER_LOG_H diff --git a/src/server/dpl/log/include/dpl/log/old_style_log_provider.h b/src/server/dpl/log/include/dpl/log/old_style_log_provider.h index 60b8cf9..8ca2068 100644 --- a/src/server/dpl/log/include/dpl/log/old_style_log_provider.h +++ b/src/server/dpl/log/include/dpl/log/old_style_log_provider.h @@ -19,8 +19,8 @@ * @version 1.0 * @brief This file is the implementation file of old style log provider */ -#ifndef SECURITYSERVER_OLD_STYLE_LOG_PROVIDER_H -#define SECURITYSERVER_OLD_STYLE_LOG_PROVIDER_H +#ifndef SECURITYMANAGER_OLD_STYLE_LOG_PROVIDER_H +#define SECURITYMANAGER_OLD_STYLE_LOG_PROVIDER_H #include #include @@ -101,4 +101,4 @@ class OldStyleLogProvider : } } // namespace SecurityManager -#endif // SECURITYSERVER_OLD_STYLE_LOG_PROVIDER_H +#endif // SECURITYMANAGER_OLD_STYLE_LOG_PROVIDER_H diff --git a/src/server/dpl/log/src/log.cpp b/src/server/dpl/log/src/log.cpp index 0b1a528..9ac65c0 100644 --- a/src/server/dpl/log/src/log.cpp +++ b/src/server/dpl/log/src/log.cpp @@ -40,7 +40,7 @@ const char *OLD_STYLE_PEDANTIC_LOGS_ENV_NAME = "DPL_USE_OLD_STYLE_PEDANTIC_LOGS"; const char *OLD_STYLE_LOGS_MASK_ENV_NAME = "DPL_USE_OLD_STYLE_LOGS_MASK"; #endif // BUILD_TYPE_DEBUG -const char *SECURITY_SERVER_LOG_OFF = "DPL_LOG_OFF"; +const char *SECURITY_MANAGER_LOG_OFF = "DPL_LOG_OFF"; } // namespace anonymous bool LogSystem::IsLoggingEnabled() const @@ -49,7 +49,7 @@ bool LogSystem::IsLoggingEnabled() const } LogSystem::LogSystem() : - m_isLoggingEnabled(!getenv(SECURITY_SERVER_LOG_OFF)) + m_isLoggingEnabled(!getenv(SECURITY_MANAGER_LOG_OFF)) { #ifdef BUILD_TYPE_DEBUG bool oldStyleLogs = false; diff --git a/src/server/main/generic-event.h b/src/server/main/generic-event.h index 8e70ae3..3486155 100644 --- a/src/server/main/generic-event.h +++ b/src/server/main/generic-event.h @@ -22,8 +22,8 @@ * @brief Implementation of GenericEvent. */ -#ifndef _SECURITY_SERVER_GENERIC_EVENT_ -#define _SECURITY_SERVER_GENERIC_EVENT_ +#ifndef _SECURITY_MANAGER_GENERIC_EVENT_ +#define _SECURITY_MANAGER_GENERIC_EVENT_ namespace SecurityManager { @@ -33,4 +33,4 @@ struct GenericEvent { } // namespace SecurityManager -#endif // _SECURITY_SERVER_GENERIC_EVENT_ +#endif // _SECURITY_MANAGER_GENERIC_EVENT_ diff --git a/src/server/main/generic-socket-manager.h b/src/server/main/generic-socket-manager.h index 8603eab..2f0ad1d 100644 --- a/src/server/main/generic-socket-manager.h +++ b/src/server/main/generic-socket-manager.h @@ -22,8 +22,8 @@ * @brief Implementation of GenericSocketService and GenericSocketManager. */ -#ifndef _SECURITY_SERVER_GENERIC_SERVICE_MANAGER_ -#define _SECURITY_SERVER_GENERIC_SERVICE_MANAGER_ +#ifndef _SECURITY_MANAGER_GENERIC_SERVICE_MANAGER_ +#define _SECURITY_MANAGER_GENERIC_SERVICE_MANAGER_ #include #include @@ -140,4 +140,4 @@ struct GenericSocketManager { } // namespace SecurityManager -#endif // _SECURITY_SERVER_GENERIC_SERVICE_MANAGER_ +#endif // _SECURITY_MANAGER_GENERIC_SERVICE_MANAGER_ diff --git a/src/server/main/security-manager-util.cpp b/src/server/main/security-manager-util.cpp index 030c5ca..4218375 100644 --- a/src/server/main/security-manager-util.cpp +++ b/src/server/main/security-manager-util.cpp @@ -1,5 +1,5 @@ /* - * security-server + * security-manager * * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved * diff --git a/src/server/main/security-manager-util.h b/src/server/main/security-manager-util.h index 611696e..62aa45a 100644 --- a/src/server/main/security-manager-util.h +++ b/src/server/main/security-manager-util.h @@ -1,5 +1,5 @@ /* - * security-server + * security-manager * * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved * @@ -19,8 +19,8 @@ * */ -#ifndef SECURITY_SERVER_UTIL_H -#define SECURITY_SERVER_UTIL_H +#ifndef SECURITY_MANAGER_UTIL_H +#define SECURITY_MANAGER_UTIL_H #include @@ -31,4 +31,4 @@ char *read_exe_path_from_proc(pid_t pid); } // namespace SecurityManager -#endif /*SECURITY_SERVER_UTIL_H*/ +#endif /*SECURITY_MANAGER_UTIL_H*/ diff --git a/src/server/main/server2-main.cpp b/src/server/main/server2-main.cpp index 0111e42..213f749 100644 --- a/src/server/main/server2-main.cpp +++ b/src/server/main/server2-main.cpp @@ -19,7 +19,7 @@ * @file sever2-main.cpp * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) * @version 1.0 - * @brief Implementation of security-server2 + * @brief Implementation of security-manager on basis of security-server */ #include #include @@ -67,9 +67,9 @@ int main(void) { { SecurityManager::Singleton::Instance().SetTag("SECURITY_MANAGER"); - // This provider may be used in security-server only. + // This provider may be used in security-manager only. // If we add it inside LogSystem constructor it also - // will be used by security-server-client library. + // will be used by security-manager-client library. SecurityManager::Log::AuditSmackLog *smackLog = new SecurityManager::Log::AuditSmackLog; if (smackLog->Fail()) delete smackLog; diff --git a/src/server/main/service-thread.h b/src/server/main/service-thread.h index 71c6e3f..8b8286c 100644 --- a/src/server/main/service-thread.h +++ b/src/server/main/service-thread.h @@ -22,8 +22,8 @@ * @brief Implementation of threads. */ -#ifndef _SECURITY_SERVER_SERVICE_THREAD_ -#define _SECURITY_SERVER_SERVICE_THREAD_ +#ifndef _SECURITY_MANAGER_SERVICE_THREAD_ +#define _SECURITY_MANAGER_SERVICE_THREAD_ #include #include @@ -174,4 +174,4 @@ protected: } // namespace SecurityManager -#endif // _SECURITY_SERVER_SERVICE_THREAD_ +#endif // _SECURITY_MANAGER_SERVICE_THREAD_ diff --git a/src/server/main/socket-manager.h b/src/server/main/socket-manager.h index fdc6516..58d3db1 100644 --- a/src/server/main/socket-manager.h +++ b/src/server/main/socket-manager.h @@ -22,8 +22,8 @@ * @brief SocketManager implementation. */ -#ifndef _SECURITY_SERVER_SOCKET_MANAGER_ -#define _SECURITY_SERVER_SOCKET_MANAGER_ +#ifndef _SECURITY_MANAGER_SOCKET_MANAGER_ +#define _SECURITY_MANAGER_SOCKET_MANAGER_ #include #include @@ -132,4 +132,4 @@ protected: } // namespace SecurityManager -#endif // _SECURITY_SERVER_SOCKET_MANAGER_ +#endif // _SECURITY_MANAGER_SOCKET_MANAGER_ diff --git a/src/server/service/installer.h b/src/server/service/installer.h index 43bf1db..656bc1a 100644 --- a/src/server/service/installer.h +++ b/src/server/service/installer.h @@ -21,8 +21,8 @@ * @brief Implementation of installer service for libprivilege-control encapsulation. */ -#ifndef _SECURITY_SERVER_INSTALLER_ -#define _SECURITY_SERVER_INSTALLER_ +#ifndef _SECURITY_MANAGER_INSTALLER_ +#define _SECURITY_MANAGER_INSTALLER_ #include #include @@ -92,4 +92,4 @@ private: } // namespace SecurityManager -#endif // _SECURITY_SERVER_INSTALLER_ +#endif // _SECURITY_MANAGER_INSTALLER_ -- 2.7.4 From 008237c7b9bd6a633e8fe4c1b8d75d86ff6a5ce7 Mon Sep 17 00:00:00 2001 From: Jan Cybulski Date: Wed, 18 Jun 2014 08:56:53 +0200 Subject: [PATCH 10/16] Update readme file Change-Id: Ia0d04bdc6b56d7b70737e29e53d8e40f5984805e Signed-off-by: Jan Cybulski --- README | 43 ++++++++++++------------------------------- 1 file changed, 12 insertions(+), 31 deletions(-) diff --git a/README b/README index 738fe61..106258d 100644 --- a/README +++ b/README @@ -1,29 +1,11 @@ -README for security-server project +README for security-manager project -security-server project contains of two parts: -1) the server part, that is implemented as a daemon that has vast rights for -vulnerable, security-related data, and that may be trusted by its clients. +The security manager is project forked from security-server, from which +it inherits its main design: division for two parts: +* system daemon (security-manager) +* library for communication with daemon (libsecurity-manager). -2) the client part, libsecurity-server: a library that allows programs to -communicate with the server part to ask for granting some rights or to get some -security-related data. - -The libsecurity-server library's API is available in the header file -src/incluce/privilege-control.h. - -The libsecurity-server API may be used to: -* enable SMACK security for in-direct interprocess communication. -* password management (setting, restoring, checking passwords) -* check for SMACK rights that other processes have if its smack label is not -known, but a remote's side pid is known or communication to it is established -with socket. -* enabling and disabling permissions for a specified application - - -security-server2: - -The server part is implemented in a /src/server2 directory. -The implementation is divided into: +The implementation of daemon part is divided into: manager part: that is responsible for threads and communication management with no awareness of what information is being transferred. This part is implemented by SocketManager class that works with GenericSocketService as @@ -31,12 +13,11 @@ The implementation is divided into: and services part: implemented as classes derived from GenericSocketService grouped in src/server2/service directory that defines actions done by - security-server after receiving certain requests from client side. + security-manager after receiving certain requests from client side. -Adding services to security-server should be done by creating a new class -derived from GenericSocketService, implementing proper functions for it, -registering it to SocketManager in main loop and making unix socket for service. +The security-manager's manager part is fully inherited from security-server, +while services are completely diffrent. -The paths of unix sockets used in communication between server and libclient are -defined in src/server2/common directory. Sockets themselves are configured in -files in systemd directory. +The security-manager services are ment to gather information about security +permissions in the system and provide access to that data via means of +libsecurity-manager. -- 2.7.4 From 8189de08ad3567a12f10bb6658f7b2fbe7da235a Mon Sep 17 00:00:00 2001 From: Marcin Lis Date: Wed, 11 Jun 2014 10:39:54 +0200 Subject: [PATCH 11/16] Fix memory leak and add EINTR error handling. One memory leak was missed in the Installer service. Introduce retries on EINTR error while trying to open a file. Also add close() error handling. This is a cherry pick from security-server repository. Change-Id: I43b48e12d6e609b24ffda02c7aed199f3b9f02bb Signed-off-by: Marcin Lis --- src/server/service/installer.cpp | 13 +++++++------ src/server/service/smack-rules.cpp | 24 ++++++++++++++++++++---- 2 files changed, 27 insertions(+), 10 deletions(-) diff --git a/src/server/service/installer.cpp b/src/server/service/installer.cpp index 20829fd..15faa2d 100644 --- a/src/server/service/installer.cpp +++ b/src/server/service/installer.cpp @@ -99,24 +99,25 @@ FileDecision labelLinksToExecs(const FTSENT *ftsent) LogSecureDebug("Entering function: " << __func__); struct stat buf; - char *target; // check if it's a link if ( !S_ISLNK(ftsent->fts_statp->st_mode)) return FileDecision::SKIP; - target = realpath(ftsent->fts_path, NULL); - if (!target) { + std::unique_ptr> target(realpath(ftsent->fts_path, NULL), free); + + if (!target.get()) { LogSecureError("Getting link target for " << ftsent->fts_path << " failed (Error = " << strerror(errno) << ")"); return FileDecision::ERROR; } - if (-1 == stat(target, &buf)) { - LogSecureError("stat failed for " << target << " (Error = " << strerror(errno) << ")"); + + if (-1 == stat(target.get(), &buf)) { + LogSecureError("stat failed for " << target.get() << " (Error = " << strerror(errno) << ")"); return FileDecision::ERROR; } // skip if link target is not a regular executable file if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) { - LogSecureDebug(target << "is not a regular executable file. Skipping."); + LogSecureDebug(target.get() << "is not a regular executable file. Skipping."); return FileDecision::SKIP; } diff --git a/src/server/service/smack-rules.cpp b/src/server/service/smack-rules.cpp index 4319ca9..687795e 100644 --- a/src/server/service/smack-rules.cpp +++ b/src/server/service/smack-rules.cpp @@ -29,6 +29,7 @@ #include #include #include +#include #include @@ -74,7 +75,7 @@ bool SmackRules::loadFromFile(const std::string &path) int fd; bool ret = true; - fd = open(path.c_str(), O_RDONLY); + fd = TEMP_FAILURE_RETRY(open(path.c_str(), O_RDONLY)); if (fd == -1) { LogError("Failed to open file: %s" << path); return false; @@ -85,7 +86,11 @@ bool SmackRules::loadFromFile(const std::string &path) ret = false; } - close(fd); + if (close(fd) == -1) { + // don't change the return code, the descriptor should be closed despite the error. + LogWarning("Error while closing the file: " << path << ", error: " << strerror(errno)); + } + return ret; } @@ -94,7 +99,7 @@ bool SmackRules::saveToFile(const std::string &path) const int fd; bool ret = true; - fd = open(path.c_str(), O_CREAT | O_WRONLY | O_TRUNC, 0644); + fd = TEMP_FAILURE_RETRY(open(path.c_str(), O_CREAT | O_WRONLY | O_TRUNC, 0644)); if (fd == -1) { LogError("Failed to create file: %s" << path); return false; @@ -106,7 +111,18 @@ bool SmackRules::saveToFile(const std::string &path) const ret = false; } - close(fd); + if (close(fd) == -1) { + if (errno == EIO) { + LogError("I/O Error occured while closing the file: " << path << ", error: " << strerror(errno)); + unlink(path.c_str()); + return false; + } else { + // non critical error + // don't change the return code, the descriptor should be closed despite the error. + LogWarning("Error while closing the file: " << path << ", error: " << strerror(errno)); + } + } + return ret; } -- 2.7.4 From aa4ec72ee0b47c7d7694dbfb570f58332cc3b740 Mon Sep 17 00:00:00 2001 From: Rafal Krypa Date: Wed, 18 Jun 2014 17:07:16 +0200 Subject: [PATCH 12/16] Bump version number to 0.1.0 Make sure that new security-manager packages will have higher version than previously built packages, before split from security-server repository. Change-Id: Id7ad7fbbe19ebce514209ad8e8e6cadae77386f7 Signed-off-by: Rafal Krypa --- packaging/security-manager.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec index 4487539..302bc23 100644 --- a/packaging/security-manager.spec +++ b/packaging/security-manager.spec @@ -1,6 +1,6 @@ Name: security-manager Summary: Security manager and utilities -Version: 0.0.1 +Version: 0.1.0 Release: 1 Group: Security/Service License: Apache-2.0 -- 2.7.4 From 298da3e024cd5ab29cb79867ec3601a90de15a85 Mon Sep 17 00:00:00 2001 From: Rafal Krypa Date: Wed, 18 Jun 2014 15:09:46 +0200 Subject: [PATCH 13/16] Remove SmackAudit() from logging facility This functionality was needed in security-server to log user space Smack checks consistently with logs generated by kernel. Security-manager will never perform such checks. Change-Id: Ifcc67228b85dedba33330710d1e763dbdfadd996 Signed-off-by: Rafal Krypa --- packaging/security-manager.spec | 3 - security-manager-audit.conf | 1 - src/server/CMakeLists.txt | 1 - .../log/include/dpl/log/abstract_log_provider.h | 4 - .../dpl/log/include/dpl/log/audit-smack-log.h | 114 -------- .../dpl/log/include/dpl/log/dlog_log_provider.h | 4 - src/server/dpl/log/include/dpl/log/log.h | 10 - .../log/include/dpl/log/old_style_log_provider.h | 4 - src/server/dpl/log/src/audit-smack-log.cpp | 310 --------------------- src/server/dpl/log/src/dlog_log_provider.cpp | 7 - src/server/dpl/log/src/log.cpp | 14 - src/server/dpl/log/src/old_style_log_provider.cpp | 11 - src/server/main/server2-main.cpp | 10 - 13 files changed, 493 deletions(-) delete mode 100644 security-manager-audit.conf delete mode 100644 src/server/dpl/log/include/dpl/log/audit-smack-log.h delete mode 100644 src/server/dpl/log/src/audit-smack-log.cpp diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec index 302bc23..b4b44ac 100644 --- a/packaging/security-manager.spec +++ b/packaging/security-manager.spec @@ -62,8 +62,6 @@ rm -rf %{buildroot} mkdir -p %{buildroot}/usr/share/license cp LICENSE %{buildroot}/usr/share/license/%{name} cp LICENSE %{buildroot}/usr/share/license/libsecurity-manager-client -mkdir -p %{buildroot}/etc/security/ -cp security-manager-audit.conf %{buildroot}/etc/security/ mkdir -p %{buildroot}/etc/smack/ cp app-rules-template.smack %{buildroot}/etc/smack/ %make_install @@ -114,7 +112,6 @@ fi %attr(-,root,root) /usr/lib/systemd/system/security-manager.target %attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-manager-installer.socket %attr(-,root,root) /usr/lib/systemd/system/security-manager-installer.socket -%attr(-,root,root) /etc/security/security-manager-audit.conf %attr(-,root,root) /etc/smack/app-rules-template.smack %{_datadir}/license/%{name} diff --git a/security-manager-audit.conf b/security-manager-audit.conf deleted file mode 100644 index c977fda..0000000 --- a/security-manager-audit.conf +++ /dev/null @@ -1 +0,0 @@ -10 524288 diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt index c52f61b..73e3c00 100644 --- a/src/server/CMakeLists.txt +++ b/src/server/CMakeLists.txt @@ -13,7 +13,6 @@ SET(COMMON_SOURCES ${COMMON_PATH}/dpl/log/src/dlog_log_provider.cpp ${COMMON_PATH}/dpl/log/src/log.cpp ${COMMON_PATH}/dpl/log/src/old_style_log_provider.cpp - ${COMMON_PATH}/dpl/log/src/audit-smack-log.cpp ${COMMON_PATH}/dpl/core/src/assert.cpp ${COMMON_PATH}/dpl/core/src/binary_queue.cpp ${COMMON_PATH}/dpl/core/src/colors.cpp diff --git a/src/server/dpl/log/include/dpl/log/abstract_log_provider.h b/src/server/dpl/log/include/dpl/log/abstract_log_provider.h index cfe9679..a3ad299 100644 --- a/src/server/dpl/log/include/dpl/log/abstract_log_provider.h +++ b/src/server/dpl/log/include/dpl/log/abstract_log_provider.h @@ -67,10 +67,6 @@ class AbstractLogProvider const char *fileName, int line, const char *function) = 0; - virtual void SmackAudit(const char *message, - const char *fileName, - int line, - const char *function) = 0; protected: static const char *LocateSourceFileName(const char *filename); diff --git a/src/server/dpl/log/include/dpl/log/audit-smack-log.h b/src/server/dpl/log/include/dpl/log/audit-smack-log.h deleted file mode 100644 index 98fdc15..0000000 --- a/src/server/dpl/log/include/dpl/log/audit-smack-log.h +++ /dev/null @@ -1,114 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file audit-smack-log.h - * @author Marek Smolinski (m.smolinski@samsung.com) - * @version 1.0 - * @brief AuditSmackLog loging SMACK access deny sequentially into files - */ - -#ifndef _AUDIT_SMACK_LOG_ -#define _AUDIT_SMACK_LOG_ - -#include - -#include -#include -#include -#include -#include - -namespace SecurityManager { -namespace Log { - -class AuditSmackLog : - public AbstractLogProvider -{ -public: - AuditSmackLog(); - virtual ~AuditSmackLog(); - - bool Fail() const; - - virtual void Debug(const char *message, - const char *fileName, - int line, - const char *function); - virtual void Info(const char *message, - const char *fileName, - int line, - const char *function); - virtual void Warning(const char *message, - const char *fileName, - int line, - const char *function); - virtual void Error(const char *message, - const char *fileName, - int line, - const char *function); - virtual void Pedantic(const char *message, - const char *fileName, - int line, - const char *function); - virtual void SecureDebug(const char *message, - const char *fileName, - int line, - const char *function); - virtual void SecureInfo(const char *message, - const char *fileName, - int line, - const char *function); - virtual void SecureWarning(const char *message, - const char *fileName, - int line, - const char *function); - virtual void SecureError(const char *message, - const char *fileName, - int line, - const char *function); - - virtual void SmackAudit(const char *message, - const char *fileName, - int line, - const char *function); - -private: - void HandleWrite(const char *message, - const char *fileName, - int line, - const char *function); - - int CreateLogFile(); - int RemoveOldestLogFile(); - int ParseConfig(); - int ProcessLogDir(); - bool IsFileFull(std::ofstream &fs) const; - - bool m_state; - unsigned int m_filesCount; - unsigned int m_fileMaxBytesSize; - - std::map m_fileNameMap; - std::ofstream m_outputStream; - - std::mutex m_writeMtx; -}; - -} // namespace Log -} // namespace SecurityManager -#endif // _AUDIT_SMACK_LOG_ diff --git a/src/server/dpl/log/include/dpl/log/dlog_log_provider.h b/src/server/dpl/log/include/dpl/log/dlog_log_provider.h index 6fe0d97..6b19e09 100644 --- a/src/server/dpl/log/include/dpl/log/dlog_log_provider.h +++ b/src/server/dpl/log/include/dpl/log/dlog_log_provider.h @@ -79,10 +79,6 @@ class DLOGLogProvider : const char *fileName, int line, const char *function); - virtual void SmackAudit(const char *message, - const char *fileName, - int line, - const char *function); // Set global Tag according to DLOG void SetTag(const char *tag); diff --git a/src/server/dpl/log/include/dpl/log/log.h b/src/server/dpl/log/include/dpl/log/log.h index 2594ace..74792cc 100644 --- a/src/server/dpl/log/include/dpl/log/log.h +++ b/src/server/dpl/log/include/dpl/log/log.h @@ -123,14 +123,6 @@ class LogSystem : const char *function); /** - * Log SS_SMACK into files - */ - void SmackAudit(const char *message, - const char *fileName, - int line, - const char *function); - - /** * Set default's DLOG provider Tag */ void SetTag(const char *tag); @@ -199,8 +191,6 @@ do \ #define LogError(message) DPL_MACRO_FOR_LOGGING(message, Error) #define LogSecureError(message) DPL_MACRO_FOR_LOGGING(message, SecureError) -#define LogSmackAudit(message) DPL_MACRO_FOR_LOGGING(message, SmackAudit) - #ifdef BUILD_TYPE_DEBUG #define LogDebug(message) DPL_MACRO_FOR_LOGGING(message, Debug) #define LogInfo(message) DPL_MACRO_FOR_LOGGING(message, Info) diff --git a/src/server/dpl/log/include/dpl/log/old_style_log_provider.h b/src/server/dpl/log/include/dpl/log/old_style_log_provider.h index 8ca2068..da1117a 100644 --- a/src/server/dpl/log/include/dpl/log/old_style_log_provider.h +++ b/src/server/dpl/log/include/dpl/log/old_style_log_provider.h @@ -93,10 +93,6 @@ class OldStyleLogProvider : const char *fileName, int line, const char *function); - virtual void SmackAudit(const char *message, - const char *fileName, - int line, - const char *function); }; } } // namespace SecurityManager diff --git a/src/server/dpl/log/src/audit-smack-log.cpp b/src/server/dpl/log/src/audit-smack-log.cpp deleted file mode 100644 index 1d03b6f..0000000 --- a/src/server/dpl/log/src/audit-smack-log.cpp +++ /dev/null @@ -1,310 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file audit-smack-log.cpp - * @author Marek Smolinski (m.smolinski@samsung.com) - * @version 1.0 - * @brief AuditSmackLog loging SMACK access deny sequentially into files - */ - -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include - -#include -#include - -#include -#include -#include - -#define UNUSED __attribute__((unused)) - -namespace { - -const std::string AUDIT_CONFIG_LOG_PATH = "/etc/security/"; -const std::string AUDIT_CONFIG_FILENAME = "security-manager-audit.conf"; -const std::string AUDIT_LOG_DIRECTORY = "/var/log/audit/"; -const std::string AUDIT_LOG_FILENAME_PREFIX = "audit-smack"; -const std::string AUDIT_LOG_SMACK_LABEL = "security-manager::audit-files"; - -} // namespace anonymous - -namespace SecurityManager { -namespace Log { - -AuditSmackLog::AuditSmackLog() - : m_state(true), m_filesCount(0), m_fileMaxBytesSize(0) -{ - if (ParseConfig() != 0) { - goto error; - } - - if (ProcessLogDir() != 0) { - goto error; - } - - if (m_state) { - - // reduce existing files count in log dir if config file was changed - while (m_fileNameMap.size() > m_filesCount) { - if (RemoveOldestLogFile() != 0) { - goto error; - } - } - - if (m_fileNameMap.size() == 0) { - if (CreateLogFile() != 0) { - goto error; - } - } else { - std::string filename(AUDIT_LOG_DIRECTORY); - filename += m_fileNameMap.rbegin()->second; - m_outputStream.open(filename, std::ios_base::app); - } - } - - return; - -error: - m_state = false; - -} - -AuditSmackLog::~AuditSmackLog(){} - -bool AuditSmackLog::Fail() const -{ - return !m_state; -} - -void AuditSmackLog::SmackAudit(const char *message, - const char *fileName, - int line, - const char *function) -{ - if (m_state) { - HandleWrite(message, fileName, line, function); - } -} - -void AuditSmackLog::HandleWrite(const char *message, - const char *filename, - int line, - const char *function) -{ - std::lock_guard lock(m_writeMtx); - if (IsFileFull(m_outputStream)) { - if (CreateLogFile() != 0) { - m_state = false; - return; - } - - if (m_fileNameMap.size() > m_filesCount) { - if (RemoveOldestLogFile() != 0) { - m_state = false; - return; - } - } - } - - m_outputStream << std::string("[") << - LocateSourceFileName(filename) << std::string(":") << line << - std::string("] ") << function << std::string("(): ") << - message << std::endl; -} - -int AuditSmackLog::CreateLogFile() -{ - time_t sec = time(NULL); - std::string fname(AUDIT_LOG_FILENAME_PREFIX); - std::string pathname(AUDIT_LOG_DIRECTORY); - - fname += std::to_string(sec); - fname += ".log"; - pathname += fname; - - if (m_outputStream.is_open()) - m_outputStream.close(); - - m_outputStream.open(pathname.c_str()); - - if (!m_outputStream) { - return -1; - } - - if (smack_setlabel(pathname.c_str(), - AUDIT_LOG_SMACK_LABEL.c_str(), - SMACK_LABEL_ACCESS) != 0) { - return -1; - } - - m_fileNameMap.insert(std::make_pair(sec, fname)); - return 0; -} - -int AuditSmackLog::RemoveOldestLogFile() -{ - assert(m_fileNameMap.size() > 0); - - auto it = m_fileNameMap.begin(); - std::string filename(AUDIT_LOG_DIRECTORY); - filename += it->second; - - if (unlink(filename.c_str()) == 0) { - m_fileNameMap.erase(it); - return 0; - } - - return -1; -} - -int AuditSmackLog::ParseConfig() -{ - struct stat sb; - if (stat(AUDIT_CONFIG_LOG_PATH.c_str(), &sb) != 0) { - return -1; - } - - std::ifstream in(AUDIT_CONFIG_LOG_PATH + AUDIT_CONFIG_FILENAME, - std::ios_base::in); - if (!in) { - return -1; - } - - in >> m_filesCount >> m_fileMaxBytesSize; - - if (in.fail()) { - return -1; - } - - return (m_filesCount > 0 && m_fileMaxBytesSize > 0) ? 0 : -1; -} - -int AuditSmackLog::ProcessLogDir() -{ - DIR *dir; - dirent *dp; - - if ((dir = opendir(AUDIT_LOG_DIRECTORY.c_str())) == NULL) { - return -1; - } - - while ((dp = readdir(dir)) != NULL) { - if (AUDIT_LOG_FILENAME_PREFIX.compare(0, std::string::npos, - dp->d_name, - AUDIT_LOG_FILENAME_PREFIX.size()) == 0) { - errno = 0; - char *pEnd; - time_t fUnxTime = static_cast( - strtoull(dp->d_name + AUDIT_LOG_FILENAME_PREFIX.size(), - &pEnd, 10)); - - if (errno != 0) { - closedir(dir); - return -1; - } - - m_fileNameMap.insert( - std::make_pair(fUnxTime, std::string(dp->d_name))); - } - } - - closedir(dir); - - return 0; -} - -bool AuditSmackLog::IsFileFull(std::ofstream &fs) const -{ - return fs.tellp() > m_fileMaxBytesSize; -} - -void AuditSmackLog::Debug(const char *message UNUSED, - const char *filename UNUSED, - int line UNUSED, - const char *function UNUSED) -{ -} - -void AuditSmackLog::Info(const char *message UNUSED, - const char *filename UNUSED, - int line UNUSED, - const char *function UNUSED) -{ -} - -void AuditSmackLog::Warning(const char *message UNUSED, - const char *filename UNUSED, - int line UNUSED, - const char *function UNUSED) -{ -} - -void AuditSmackLog::Error(const char *message UNUSED, - const char *filename UNUSED, - int line UNUSED, - const char *function UNUSED) -{ -} - -void AuditSmackLog::Pedantic(const char *message UNUSED, - const char *filename UNUSED, - int line UNUSED, - const char *function UNUSED) -{ -} - -void AuditSmackLog::SecureDebug(const char *message UNUSED, - const char *filename UNUSED, - int line UNUSED, - const char *function UNUSED) -{ -} - -void AuditSmackLog::SecureInfo(const char *message UNUSED, - const char *filename UNUSED, - int line UNUSED, - const char *function UNUSED) -{ -} - -void AuditSmackLog::SecureWarning(const char *message UNUSED, - const char *filename UNUSED, - int line UNUSED, - const char *function UNUSED) -{ -} - -void AuditSmackLog::SecureError(const char *message UNUSED, - const char *filename UNUSED, - int line UNUSED, - const char *function UNUSED) -{ -} - -} // namespace Log -} // namespace SecurityManager diff --git a/src/server/dpl/log/src/dlog_log_provider.cpp b/src/server/dpl/log/src/dlog_log_provider.cpp index c96dfd0..b2a59f9 100644 --- a/src/server/dpl/log/src/dlog_log_provider.cpp +++ b/src/server/dpl/log/src/dlog_log_provider.cpp @@ -141,12 +141,5 @@ void DLOGLogProvider::SecureError(const char *message UNUSED, FormatMessage(message, filename, line, function).c_str()); } -void DLOGLogProvider::SmackAudit(const char *message UNUSED, - const char *filename UNUSED, - int line UNUSED, - const char *function UNUSED) -{ -} - } // nemespace Log } // namespace SecurityManager diff --git a/src/server/dpl/log/src/log.cpp b/src/server/dpl/log/src/log.cpp index 9ac65c0..a237fdb 100644 --- a/src/server/dpl/log/src/log.cpp +++ b/src/server/dpl/log/src/log.cpp @@ -26,7 +26,6 @@ #include #include #include -#include IMPLEMENT_SINGLETON(SecurityManager::Log::LogSystem) @@ -277,18 +276,5 @@ void LogSystem::SecureWarning(const char *message, } } -void LogSystem::SmackAudit(const char *message, - const char *fileName, - int line, - const char *function) -{ - for (AbstractLogProviderPtrList::iterator iterator = m_providers.begin(); - iterator != m_providers.end(); - ++iterator) - { - (*iterator)->SmackAudit(message, fileName, line, function); - } -} - } } // namespace SecurityManager diff --git a/src/server/dpl/log/src/old_style_log_provider.cpp b/src/server/dpl/log/src/old_style_log_provider.cpp index b3ea65a..0317862 100644 --- a/src/server/dpl/log/src/old_style_log_provider.cpp +++ b/src/server/dpl/log/src/old_style_log_provider.cpp @@ -298,16 +298,5 @@ void OldStyleLogProvider::SecureError(const char *message, #endif } -void OldStyleLogProvider::SmackAudit(const char *message, - const char *fileName, - int line, - const char *function) -{ - (void)message; - (void)fileName; - (void)line; - (void)function; -} - } } // namespace SecurityManager diff --git a/src/server/main/server2-main.cpp b/src/server/main/server2-main.cpp index 213f749..11a3f04 100644 --- a/src/server/main/server2-main.cpp +++ b/src/server/main/server2-main.cpp @@ -25,7 +25,6 @@ #include #include -#include #include #include @@ -67,15 +66,6 @@ int main(void) { { SecurityManager::Singleton::Instance().SetTag("SECURITY_MANAGER"); - // This provider may be used in security-manager only. - // If we add it inside LogSystem constructor it also - // will be used by security-manager-client library. - SecurityManager::Log::AuditSmackLog *smackLog = new SecurityManager::Log::AuditSmackLog; - if (smackLog->Fail()) - delete smackLog; - else - SecurityManager::Singleton::Instance().AddProvider(smackLog); - sigset_t mask; sigemptyset(&mask); sigaddset(&mask, SIGTERM); -- 2.7.4 From 0ad62e1c27b64dbe9505bb0def2be4f937c71855 Mon Sep 17 00:00:00 2001 From: Rafal Krypa Date: Wed, 18 Jun 2014 16:25:46 +0200 Subject: [PATCH 14/16] Listen on socket passed by systemd This was previously disabled in security-manager code, because it was coupled with security-server, which already did that. Uncommenting the listening code now. Change-Id: I9e7c5a3a5bde2e29fc74b9918af0a36992533a80 Signed-off-by: Rafal Krypa --- src/server/main/socket-manager.cpp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/server/main/socket-manager.cpp b/src/server/main/socket-manager.cpp index c9f497b..c2eaced 100644 --- a/src/server/main/socket-manager.cpp +++ b/src/server/main/socket-manager.cpp @@ -335,8 +335,7 @@ void SocketManager::ReadyForWrite(int sock) { void SocketManager::MainLoop() { // remove evironment values passed by systemd - // uncomment it after removing old security-server code - // sd_listen_fds(1); + sd_listen_fds(1); // Daemon is ready to work. sd_notify(0, "READY=1"); -- 2.7.4 From ea2951995db2bafa1ffb466914128b04b33656b4 Mon Sep 17 00:00:00 2001 From: Rafal Krypa Date: Fri, 20 Jun 2014 17:53:48 +0200 Subject: [PATCH 15/16] Remove API for setting allowed users for an app Removed function security_manager_app_inst_req_add_allowed_user. It became obsolete when application framework switched to multi-user support by installing apps for each user separately. Change-Id: I2c1d3533982d23b45f3226e5eb07619d60b0530f Signed-off-by: Rafal Krypa --- src/include/security-manager.h | 10 ---------- src/server/client/client-security-manager.cpp | 12 ------------ src/server/common/protocols.h | 1 - src/server/service/installer.cpp | 1 - 4 files changed, 24 deletions(-) diff --git a/src/include/security-manager.h b/src/include/security-manager.h index ddcd599..2de9c3d 100644 --- a/src/include/security-manager.h +++ b/src/include/security-manager.h @@ -163,16 +163,6 @@ int security_manager_app_inst_req_set_app_id(app_inst_req *p_req, const char *ap int security_manager_app_inst_req_set_pkg_id(app_inst_req *p_req, const char *pkg_id); /* - * This function is used to add allowed user to app_inst_req structure, - * it can be called multiple times - * - * \param[in] Pointer handling app_inst_req structure - * \param[in] Privileged user identifier - * \return API return code or error code - */ -int security_manager_app_inst_req_add_allowed_user(app_inst_req *p_req, const uid_t user_id); - -/* * This function is used to add privilege to app_inst_req structure, * it can be called multiple times * diff --git a/src/server/client/client-security-manager.cpp b/src/server/client/client-security-manager.cpp index e83115d..bab0e96 100644 --- a/src/server/client/client-security-manager.cpp +++ b/src/server/client/client-security-manager.cpp @@ -83,17 +83,6 @@ int security_manager_app_inst_req_set_pkg_id(app_inst_req *p_req, const char *pk } SECURITY_MANAGER_API -int security_manager_app_inst_req_add_allowed_user(app_inst_req *p_req, const uid_t user_id) -{ - if (!p_req) - return SECURITY_MANAGER_ERROR_INPUT_PARAM; - - p_req->allowedUsers.push_back(user_id); - - return SECURITY_MANAGER_SUCCESS; -} - -SECURITY_MANAGER_API int security_manager_app_inst_req_add_privilege(app_inst_req *p_req, const char *privilege) { if (!p_req || !privilege) @@ -134,7 +123,6 @@ int security_manager_app_install(const app_inst_req *p_req) Serialization::Serialize(send, (int)SecurityModuleCall::APP_INSTALL); Serialization::Serialize(send, p_req->appId); Serialization::Serialize(send, p_req->pkgId); - Serialization::Serialize(send, p_req->allowedUsers); Serialization::Serialize(send, p_req->privileges); Serialization::Serialize(send, p_req->appPaths); diff --git a/src/server/common/protocols.h b/src/server/common/protocols.h index 85398e8..90e60b2 100644 --- a/src/server/common/protocols.h +++ b/src/server/common/protocols.h @@ -31,7 +31,6 @@ struct app_inst_req { std::string appId; std::string pkgId; - std::vector allowedUsers; std::vector privileges; std::vector> appPaths; }; diff --git a/src/server/service/installer.cpp b/src/server/service/installer.cpp index 15faa2d..574cac8 100644 --- a/src/server/service/installer.cpp +++ b/src/server/service/installer.cpp @@ -371,7 +371,6 @@ bool InstallerService::processAppInstall(MessageBuffer &buffer, MessageBuffer &s app_inst_req req; Deserialization::Deserialize(buffer, req.appId); Deserialization::Deserialize(buffer, req.pkgId); - Deserialization::Deserialize(buffer, req.allowedUsers); Deserialization::Deserialize(buffer, req.privileges); Deserialization::Deserialize(buffer, req.appPaths); -- 2.7.4 From 5e227c17823fdaa0da30ba826b76628a94a4de10 Mon Sep 17 00:00:00 2001 From: Rafal Krypa Date: Fri, 20 Jun 2014 17:58:50 +0200 Subject: [PATCH 16/16] Set myself as contact person for security-manager Update contact e-mail in source files with appropriate address. Change-Id: I51ef49d47d870403720a51857dc5d1384afc4e39 Signed-off-by: Rafal Krypa --- src/include/security-manager.h | 2 +- src/server/client/client-common.cpp | 4 ++-- src/server/client/client-common.h | 4 ++-- src/server/client/client-security-manager.cpp | 2 +- src/server/common/connection-info.h | 4 ++-- src/server/common/message-buffer.cpp | 4 ++-- src/server/common/message-buffer.h | 4 ++-- src/server/common/protocols.cpp | 4 ++-- src/server/common/protocols.h | 4 ++-- src/server/common/smack-check.h | 4 ++-- src/server/dpl/core/include/dpl/fstream_accessors.h | 4 ++-- src/server/main/generic-event.h | 4 ++-- src/server/main/generic-socket-manager.cpp | 4 ++-- src/server/main/generic-socket-manager.h | 4 ++-- src/server/main/security-manager-util.cpp | 4 ++-- src/server/main/security-manager-util.h | 4 ++-- src/server/main/server2-main.cpp | 4 ++-- src/server/main/service-thread.h | 4 ++-- src/server/main/socket-manager.cpp | 4 ++-- src/server/main/socket-manager.h | 4 ++-- src/server/service/installer.cpp | 2 +- src/server/service/installer.h | 2 +- 22 files changed, 40 insertions(+), 40 deletions(-) diff --git a/src/include/security-manager.h b/src/include/security-manager.h index 2de9c3d..d9ed47f 100644 --- a/src/include/security-manager.h +++ b/src/include/security-manager.h @@ -1,7 +1,7 @@ /* * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bartlomiej Grzelewski + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/client/client-common.cpp b/src/server/client/client-common.cpp index e245414..549f6b8 100644 --- a/src/server/client/client-common.cpp +++ b/src/server/client/client-common.cpp @@ -1,7 +1,7 @@ /* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bumjin Im + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/client/client-common.h b/src/server/client/client-common.h index 607e8d3..c7d18a4 100644 --- a/src/server/client/client-common.h +++ b/src/server/client/client-common.h @@ -1,7 +1,7 @@ /* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bumjin Im + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/client/client-security-manager.cpp b/src/server/client/client-security-manager.cpp index bab0e96..282acf2 100644 --- a/src/server/client/client-security-manager.cpp +++ b/src/server/client/client-security-manager.cpp @@ -1,7 +1,7 @@ /* * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bartlomiej Grzelewski + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/common/connection-info.h b/src/server/common/connection-info.h index 734ad69..7147bbe 100644 --- a/src/server/common/connection-info.h +++ b/src/server/common/connection-info.h @@ -1,7 +1,7 @@ /* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bumjin Im + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/common/message-buffer.cpp b/src/server/common/message-buffer.cpp index 66d5b85..59db481 100644 --- a/src/server/common/message-buffer.cpp +++ b/src/server/common/message-buffer.cpp @@ -1,7 +1,7 @@ /* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bumjin Im + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/common/message-buffer.h b/src/server/common/message-buffer.h index 71c89ed..19e7ee2 100644 --- a/src/server/common/message-buffer.h +++ b/src/server/common/message-buffer.h @@ -1,7 +1,7 @@ /* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bumjin Im + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/common/protocols.cpp b/src/server/common/protocols.cpp index c120327..59bf302 100644 --- a/src/server/common/protocols.cpp +++ b/src/server/common/protocols.cpp @@ -1,7 +1,7 @@ /* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bartlomiej Grzelewski + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/common/protocols.h b/src/server/common/protocols.h index 90e60b2..51c259e 100644 --- a/src/server/common/protocols.h +++ b/src/server/common/protocols.h @@ -1,7 +1,7 @@ /* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bartlomiej Grzelewski + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/common/smack-check.h b/src/server/common/smack-check.h index 24578ae..b1cf733 100644 --- a/src/server/common/smack-check.h +++ b/src/server/common/smack-check.h @@ -1,9 +1,9 @@ /* * security-manager * - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bumjin Im + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/dpl/core/include/dpl/fstream_accessors.h b/src/server/dpl/core/include/dpl/fstream_accessors.h index 141a499..5d6379a 100644 --- a/src/server/dpl/core/include/dpl/fstream_accessors.h +++ b/src/server/dpl/core/include/dpl/fstream_accessors.h @@ -1,7 +1,7 @@ /* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bumjin Im + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/main/generic-event.h b/src/server/main/generic-event.h index 3486155..43ed2e5 100644 --- a/src/server/main/generic-event.h +++ b/src/server/main/generic-event.h @@ -1,7 +1,7 @@ /* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bumjin Im + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/main/generic-socket-manager.cpp b/src/server/main/generic-socket-manager.cpp index 1e6bc5e..487b47e 100644 --- a/src/server/main/generic-socket-manager.cpp +++ b/src/server/main/generic-socket-manager.cpp @@ -1,7 +1,7 @@ /* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bumjin Im + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/main/generic-socket-manager.h b/src/server/main/generic-socket-manager.h index 2f0ad1d..5234871 100644 --- a/src/server/main/generic-socket-manager.h +++ b/src/server/main/generic-socket-manager.h @@ -1,7 +1,7 @@ /* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bumjin Im + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/main/security-manager-util.cpp b/src/server/main/security-manager-util.cpp index 4218375..ee85c86 100644 --- a/src/server/main/security-manager-util.cpp +++ b/src/server/main/security-manager-util.cpp @@ -1,9 +1,9 @@ /* * security-manager * - * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bumjin Im + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/main/security-manager-util.h b/src/server/main/security-manager-util.h index 62aa45a..fc95e25 100644 --- a/src/server/main/security-manager-util.h +++ b/src/server/main/security-manager-util.h @@ -1,9 +1,9 @@ /* * security-manager * - * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bumjin Im + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/main/server2-main.cpp b/src/server/main/server2-main.cpp index 11a3f04..aba9373 100644 --- a/src/server/main/server2-main.cpp +++ b/src/server/main/server2-main.cpp @@ -1,7 +1,7 @@ /* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bumjin Im + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/main/service-thread.h b/src/server/main/service-thread.h index 8b8286c..964d168 100644 --- a/src/server/main/service-thread.h +++ b/src/server/main/service-thread.h @@ -1,7 +1,7 @@ /* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bumjin Im + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/main/socket-manager.cpp b/src/server/main/socket-manager.cpp index c2eaced..b4db0db 100644 --- a/src/server/main/socket-manager.cpp +++ b/src/server/main/socket-manager.cpp @@ -1,7 +1,7 @@ /* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bumjin Im + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/main/socket-manager.h b/src/server/main/socket-manager.h index 58d3db1..6174d6a 100644 --- a/src/server/main/socket-manager.h +++ b/src/server/main/socket-manager.h @@ -1,7 +1,7 @@ /* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bumjin Im + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/service/installer.cpp b/src/server/service/installer.cpp index 574cac8..8de407d 100644 --- a/src/server/service/installer.cpp +++ b/src/server/service/installer.cpp @@ -1,7 +1,7 @@ /* * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bartlomiej Grzelewski + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/server/service/installer.h b/src/server/service/installer.h index 656bc1a..ae9a731 100644 --- a/src/server/service/installer.h +++ b/src/server/service/installer.h @@ -1,7 +1,7 @@ /* * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * - * Contact: Bartlomiej Grzelewski + * Contact: Rafal Krypa * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. -- 2.7.4