From 7e22ea731daeb0d4999638ecdc96c373be39bfe2 Mon Sep 17 00:00:00 2001 From: Jaemin Ryu Date: Thu, 10 Aug 2017 13:25:00 +0900 Subject: [PATCH 2/5] Add security policy Change-Id: I6517713ef05f095877d0c9eced828be63cb209b7 Signed-off-by: Jaemin Ryu --- CMakeLists.txt | 85 +++++++++++++ api/CMakeLists.txt | 48 +++++++ api/dpm-security.pc.in | 12 ++ api/security.cpp | 115 +++++++++++++++++ api/security.h | 183 +++++++++++++++++++++++++++ dpm-security.manifest | 5 + packaging/dpm-security.spec | 79 ++++++++++++ plugin/CMakeLists.txt | 35 ++++++ plugin/security.cpp | 298 ++++++++++++++++++++++++++++++++++++++++++++ 9 files changed, 860 insertions(+) create mode 100755 CMakeLists.txt create mode 100755 api/CMakeLists.txt create mode 100644 api/dpm-security.pc.in create mode 100644 api/security.cpp create mode 100644 api/security.h create mode 100644 dpm-security.manifest create mode 100755 packaging/dpm-security.spec create mode 100755 plugin/CMakeLists.txt create mode 100755 plugin/security.cpp diff --git a/CMakeLists.txt b/CMakeLists.txt new file mode 100755 index 0000000..b1c3c70 --- /dev/null +++ b/CMakeLists.txt @@ -0,0 +1,85 @@ +# +# Copyright (c) 2017 Samsung Electronics Co., Ltd All Rights Reserved +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +CMAKE_MINIMUM_REQUIRED(VERSION 2.8) + +PROJECT(dpm-security) + +IF(NOT DEFINED VERSION) + SET(VERSION "0.0.1") +ENDIF(NOT DEFINED VERSION) + +INCLUDE(FindPkgConfig) + +IF(NOT CMAKE_BUILD_TYPE) + SET(CMAKE_BUILD_TYPE "DEBUG") +ENDIF(NOT CMAKE_BUILD_TYPE) + +SET(DPM_API ${PROJECT_SOURCE_DIR}/api) +SET(DPM_PLUGIN ${PROJECT_SOURCE_DIR}/plugin) + +IF("${CMAKE_CXX_COMPILER_ID}" STREQUAL "GNU" AND CMAKE_CXX_COMPILER_VERSION VERSION_LESS 4.7) + SET(CXX_STD "c++0x") +else() + SET(CXX_STD "c++11") +endif() + +SET(COMPILE_BASE_FLAGS "-g -fPIC -Werror -Wall -Wl,--as-needed -Wl,--no-whole-archive") +SET(CMAKE_C_FLAGS_PROFILING "${COMPILE_BASE_FLAGS} -O0 -pg") +SET(CMAKE_CXX_FLAGS_PROFILING "${COMPILE_BASE_FLAGS} -O0 -pg -std=${CXX_STD} -fno-rtti") +SET(CMAKE_C_FLAGS_DEBUG "${COMPILE_BASE_FLAGS} -O0 -ggdb") +SET(CMAKE_CXX_FLAGS_DEBUG "${COMPILE_BASE_FLAGS} -O0 -ggdb -std=${CXX_STD} -fno-rtti") +SET(CMAKE_C_FLAGS_RELEASE "${COMPILE_BASE_FLAGS} -O2 -DNDEBUG") +SET(CMAKE_CXX_FLAGS_RELEASE "${COMPILE_BASE_FLAGS} -O2 -DNDEBUG -std=${CXX_STD} -fno-rtti") +SET(CMAKE_C_FLAGS_CCOV "${COMPILE_BASE_FLAGS} -O0 --coverage") +SET(CMAKE_CXX_FLAGS_CCOV "${COMPILE_BASE_FLAGS} -O0 --coverage -std=${CXX_STD} -fno-rtti") + +IF(NOT DEFINED LIB_INSTALL_DIR) + SET(LIB_INSTALL_DIR "${CMAKE_INSTALL_LIBDIR}") +ENDIF(NOT DEFINED LIB_INSTALL_DIR) + +IF(NOT DEFINED INCLUDE_INSTALL_DIR) + SET(INCLUDE_INSTALL_DIR "${CMAKE_INSTALL_INCLUDEDIR}") +ENDIF(NOT DEFINED INCLUDE_INSTALL_DIR) + +IF(NOT DEFINED CONF_INSTALL_DIR) + SET(CONF_INSTALL_DIR "${SYSCONF_INSTALL_DIR}/dpm") +ENDIF(NOT DEFINED CONF_INSTALL_DIR) + +IF(NOT DEFINED DATA_INSTALL_DIR) + SET(DATA_INSTALL_DIR "${CMAKE_INSTALL_PREFIX}/share/dpm") +ENDIF(NOT DEFINED DATA_INSTALL_DIR) + +IF(NOT DEFINED DB_INSTALL_DIR) + SET(DB_INSTALL_DIR "${CMAKE_INSTALL_PREFIX}/dbspace") +ENDIF(NOT DEFINED DB_INSTALL_DIR) + +IF(NOT DEFINED RUN_INSTALL_DIR) + SET(RUN_INSTALL_DIR "/var/run") +ENDIF(NOT DEFINED RUN_INSTALL_DIR) + +IF(NOT DEFINED PAMD_INSTALL_DIR) + SET(PAMD_INSTALL_DIR "${SYSCONF_INSTALL_DIR}/pam.d") +ENDIF(NOT DEFINED PAMD_INSTALL_DIR) + +IF(NOT DEFINED SYSTEMD_UNIT_INSTALL_DIR) + SET(SYSTEMD_UNIT_INSTALL_DIR "${CMAKE_INSTALL_PREFIX}/lib/systemd/system") +ENDIF(NOT DEFINED SYSTEMD_UNIT_INSTALL_DIR) + +ADD_DEFINITIONS(-DUG_WAYLAND) + +ADD_SUBDIRECTORY(${DPM_PLUGIN}) +ADD_SUBDIRECTORY(${DPM_API}) diff --git a/api/CMakeLists.txt b/api/CMakeLists.txt new file mode 100755 index 0000000..e0bb542 --- /dev/null +++ b/api/CMakeLists.txt @@ -0,0 +1,48 @@ +# +# Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +SET(TARGET ${PROJECT_NAME}) +SET(PC_FILE "${TARGET}.pc") + +SET(LIB_VERSION "${VERSION}") +SET(LIB_SOVERSION "0") + +SET(API_SOURCES "security.cpp") +SET(API_HEADERS "security.h") + +SET(DEPENDENCY klay + dpm-pil + capi-base-common + capi-system-info +) + +PKG_CHECK_MODULES(API_DEPS REQUIRED ${DEPENDENCY}) + +SET (CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,-z,noexecstack") + +ADD_LIBRARY(${TARGET} SHARED ${API_SOURCES}) + +SET_TARGET_PROPERTIES(${TARGET} PROPERTIES COMPILE_FLAGS "-fvisibility=default") +SET_TARGET_PROPERTIES(${TARGET} PROPERTIES SOVERSION ${LIB_SOVERSION}) +SET_TARGET_PROPERTIES(${TARGET} PROPERTIES VERSION ${LIB_VERSION}) + +INCLUDE_DIRECTORIES(SYSTEM ${API_DEPS_INCLUDE_DIRS}) +TARGET_LINK_LIBRARIES(${TARGET} ${API_DEPS_LIBRARIES} pthread) + +CONFIGURE_FILE(${PC_FILE}.in ${CMAKE_BINARY_DIR}/${PC_FILE} @ONLY) + +INSTALL(FILES ${CMAKE_BINARY_DIR}/${PC_FILE} DESTINATION ${LIB_INSTALL_DIR}/pkgconfig) +INSTALL(TARGETS ${TARGET} DESTINATION ${LIB_INSTALL_DIR} COMPONENT RuntimeLibraries) +INSTALL(FILES ${API_HEADERS} DESTINATION ${INCLUDE_INSTALL_DIR}/dpm) diff --git a/api/dpm-security.pc.in b/api/dpm-security.pc.in new file mode 100644 index 0000000..eda263d --- /dev/null +++ b/api/dpm-security.pc.in @@ -0,0 +1,12 @@ +# Package Information for pkg-config + +prefix=@CMAKE_INSTALL_PREFIX@ +exec_prefix=@CMAKE_INSTALL_PREFIX@ +libdir=@LIB_INSTALL_DIR@ +includedir=@INCLUDE_INSTALL_DIR@ + +Name: Security policy module +Description: Security policy module for device policy manager +Version: @VERSION@ +Libs: -L${libdir} -ldpm-security +Cflags: -I${includedir}/dpm diff --git a/api/security.cpp b/api/security.cpp new file mode 100644 index 0000000..24bdcce --- /dev/null +++ b/api/security.cpp @@ -0,0 +1,115 @@ +/* + * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#include +#include + +#include + +#include "security.h" + +EXPORT_API int dpm_security_lockout_screen(device_policy_manager_h handle) +{ + RET_ON_FAILURE(handle, DPM_ERROR_INVALID_PARAMETER); + + DevicePolicyClient &client = GetDevicePolicyClient(handle); + try { + Status status { -1 }; + status = client.methodCall("Security::lockoutScreen"); + return status.get(); + } catch (...) { + return -1; + } +} + +EXPORT_API int dpm_security_set_internal_storage_encryption(device_policy_manager_h handle, bool encrypt) +{ + RET_ON_FAILURE(handle, DPM_ERROR_INVALID_PARAMETER); + + DevicePolicyClient &client = GetDevicePolicyClient(handle); + try { + Status status { -1 }; + status = client.methodCall("Security::setInternalStorageEncryption", encrypt); + return status.get(); + } catch (...) { + return -1; + } +} + +EXPORT_API int dpm_security_is_internal_storage_encrypted(device_policy_manager_h handle, bool *is_encrypted) +{ + RET_ON_FAILURE(handle, DPM_ERROR_INVALID_PARAMETER); + RET_ON_FAILURE(is_encrypted, DPM_ERROR_INVALID_PARAMETER); + + DevicePolicyClient &client = GetDevicePolicyClient(handle); + try { + Status status { false }; + status = client.methodCall("Security::isInternalStorageEncrypted"); + *is_encrypted = status.get(); + } catch (...) { + return -1; + } + + return DPM_ERROR_NONE; +} + +EXPORT_API int dpm_security_set_external_storage_encryption(device_policy_manager_h handle, bool encrypt) +{ + RET_ON_FAILURE(handle, DPM_ERROR_INVALID_PARAMETER); + + DevicePolicyClient &client = GetDevicePolicyClient(handle); + try { + Status status { -1 }; + status = client.methodCall("Security::setExternalStorageEncryption", encrypt); + return status.get(); + } catch (...) { + return -1; + } +} + +EXPORT_API int dpm_security_is_external_storage_encrypted(device_policy_manager_h handle, bool *is_encrypted) +{ + RET_ON_FAILURE(handle, DPM_ERROR_INVALID_PARAMETER); + RET_ON_FAILURE(is_encrypted, DPM_ERROR_INVALID_PARAMETER); + + DevicePolicyClient &client = GetDevicePolicyClient(handle); + try { + Status status { false }; + status = client.methodCall("Security::isExternalStorageEncrypted"); + *is_encrypted = status.get(); + } catch (...) { + return -1; + } + + return DPM_ERROR_NONE; +} + +EXPORT_API int dpm_security_wipe_data(device_policy_manager_h handle, dpm_security_wipe_type_e type) +{ + int mask = type & (DPM_SECURITY_WIPE_INTERNAL_STORAGE | DPM_SECURITY_WIPE_EXTERNAL_STORAGE); + + RET_ON_FAILURE(handle, DPM_ERROR_INVALID_PARAMETER); + RET_ON_FAILURE(mask, DPM_ERROR_INVALID_PARAMETER); + + DevicePolicyClient &client = GetDevicePolicyClient(handle); + try { + Status status { -1 }; + status = client.methodCall("Security::wipeData", mask); + return status.get(); + } catch (...) { + return -1; + } +} diff --git a/api/security.h b/api/security.h new file mode 100644 index 0000000..6431c7e --- /dev/null +++ b/api/security.h @@ -0,0 +1,183 @@ +/* + * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#ifndef __CAPI_DPM_SECURITY_POLICY_H__ +#define __CAPI_DPM_SECURITY_POLICY_H__ + +#include + +typedef void * device_policy_manager_h; + +/** + * @file security.h + * @brief This file provides APIs to control security functionality such as + * device encryption and screen lock. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * @addtogroup CAPI_DPM_SECURITY_POLICY_MODULE + * @{ + */ + +/** + * @partner + * @brief Locks device screen immediately. + * @details An administrator can use this API to lock the device screen + * immediately + * @since_tizen 3.0 + * @privlevel partner + * @privilege %http://tizen.org/privilege/dpm.lock + * @param[in] handle Device policy manager handle + * @return #DPM_ERROR_NONE on success, otherwise a negative value + * @retval #DPM_ERROR_NONE Successful + * @retval #DPM_ERROR_INVALID_PARAMETER Invalid parameter + * @retval #DPM_ERROR_PERMISSION_DENIED The application does not have + * the privilege to call this API + * @pre The handle must be created by dpm_manager_create(). + * @see dpm_manager_create() + */ +int dpm_security_lockout_screen(device_policy_manager_h handle); + +/** + * @partner + * @brief Encrypts or decrypts internal storage. + * @details An administrator can use this API to enable full device + * encryption, which includes device memory and internal SD card. + * Before calling this API, administrator must ensure that + * the device password is set to alphanumeric quality. + * The administrator can set an alphanumeric password by using + * dpm_set_password_quality() API + * @since_tizen 3.0 + * @privlevel partner + * @privilege %http://tizen.org/privilege/dpm.security + * @param[in] handle Device policy manager handle + * @param[in] encrypt true if encryption is required, false if decryption is + * required + * @return #DPM_ERROR_NONE on success, otherwise a negative value + * @retval #DPM_ERROR_NONE Successful + * @retval #DPM_ERROR_INVALID_PARAMETER Invalid parameter + * @retval #DPM_ERROR_PERMISSION_DENIED The application does not have + * the privilege to call this API + * @pre The handle must be created by dpm_manager_create(). + * @see dpm_manager_create() + * @see dpm_security_is_internal_storage_encrypted() + */ +int dpm_security_set_internal_storage_encryption(device_policy_manager_h handle, bool encrypt); + +/** + * @brief Checks the internal storage encryption state. + * @details An administrator can use this API to check whether internal + * storage encryption is enabled. + * @since_tizen 3.0 + * @param[in] handle Device policy manager handle + * @param[out] is_encrypted true if internal storage is encrypted or being encrypted, + * else false. + * @return #DPM_ERROR_NONE on success, otherwise a negative value + * @retval #DPM_ERROR_NONE Successful + * @retval #DPM_ERROR_INVALID_PARAMETER Invalid parameter + * @retval #DPM_ERROR_TIMED_OUT Time out + * @pre The handle must be created by dpm_manager_create(). + * @see dpm_manager_create() + * @see dpm_security_set_internal_storage_encryption() + */ +int dpm_security_is_internal_storage_encrypted(device_policy_manager_h handle, bool *is_encrypted); + +/** + * @partner + * @brief Encrypts or decrypts external storage. + * @details An administrator can use this API to enable external SD card + * encryption. Before calling this API, administrator must + * ensure that the device password is set to alphanumeric quality. + * The administrator can set an alphanumeric password by using + * dpm_set_password_quality() API + * @since_tizen 3.0 + * @privlevel partner + * @privilege %http://tizen.org/privilege/dpm.security + * @param[in] handle Device policy manager handle + * @param[in] encrypt true if encryption is required, false if decryption is + * required + * @return #DPM_ERROR_NONE on success, otherwise a negative value + * @retval #DPM_ERROR_NONE Successful + * @retval #DPM_ERROR_INVALID_PARAMETER Invalid parameter + * @retval #DPM_ERROR_PERMISSION_DENIED The application does not have + * the privilege to call this API + * @pre The handle must be created by dpm_manager_create(). + * @see dpm_manager_create() + * @see dpm_security_is_external_storage_encryped() + */ +int dpm_security_set_external_storage_encryption(device_policy_manager_h handle, bool encrypt); + +/** + * @brief Checks the external storage encryption state. + * @details An administrator can use this API to check whether external + * storage encryption is enabled. + * @since_tizen 3.0 + * @param[in] handle Device policy manager handle + * @param[out] is_encrypted true if external storage is encrypted or being encrypted, + * else false + * @return #DPM_ERROR_NONE on success, otherwise a negative value + * @retval #DPM_ERROR_NONE Successful + * @retval #DPM_ERROR_INVALID_PARAMETER Invalid parameter + * @retval #DPM_ERROR_TIMED_OUT Time out + * @pre The handle must be created by dpm_manager_create(). + * @see dpm_manager_create() + * @see dpm_security_set_external_storage_encryption() + */ +int dpm_security_is_external_storage_encrypted(device_policy_manager_h handle, bool *is_encrypted); + +/** + * @brief Enumeration for device wipe type. + * @since_tizen 3.0 + */ +typedef enum { + DPM_SECURITY_WIPE_INTERNAL_STORAGE = (1 << 0), /**< Wipe internal memory */ + DPM_SECURITY_WIPE_EXTERNAL_STORAGE = (1 << 1), /**< Wipe external memory */ +} dpm_security_wipe_type_e; + +/** + * @partner + * @brief Wipes external memory, internal memory, or both selectively. + * @details Device Admin can use this API to wipe both SD card data + * and application data. + * Calling this API may require rebooting the device. + * @since_tizen 3.0 + * @privlevel partner + * @privilege %http://tizen.org/privilege/dpm.wipe + * @param[in] handle Device policy manager handle + * @param[in] type The target storage for wipe + * @return #DPM_ERROR_NONE on success, otherwise a negative value + * @retval #DPM_ERROR_NONE Successful + * @retval #DPM_ERROR_INVALID_PARAMETER Invalid parameter + * @retval #DPM_ERROR_PERMISSION_DENIED The application does not have + * the privilege to call this API + * @pre The handle must be created by dpm_manager_create(). + * @see dpm_manager_create() + */ +int dpm_security_wipe_data(device_policy_manager_h handle, dpm_security_wipe_type_e type); + +/** + * @} + */ + +#ifdef __cplusplus +} +#endif + +#endif //! __CAPI_DPM_SECURITY_POLICY_H__ diff --git a/dpm-security.manifest b/dpm-security.manifest new file mode 100644 index 0000000..a76fdba --- /dev/null +++ b/dpm-security.manifest @@ -0,0 +1,5 @@ + + + + + diff --git a/packaging/dpm-security.spec b/packaging/dpm-security.spec new file mode 100755 index 0000000..dcb8f62 --- /dev/null +++ b/packaging/dpm-security.spec @@ -0,0 +1,79 @@ +Name: dpm-security +Version: 1.0.1 +Release: 0 +License: Apache-2.0 +Source0: %{name}-%{version}.tar.gz +Summary: Tizen Device Policy Manager Security Policy Module +Group: Security/Other +BuildRequires: gcc +BuildRequires: cmake +BuildRequires: gettext-tools +BuildRequires: pkgconfig(klay) +BuildRequires: pkgconfig(dpm-pil) +BuildRequires: pkgconfig(deviced) +BuildRequires: pkgconfig(vconf) +BuildRequires: pkgconfig(vconf-internal-keys) +BuildRequires: pkgconfig(capi-system-info) +BuildRequires: pkgconfig(capi-base-common) + +%description +The dpm-security package provides security policy module for device policy manager + +%files +%manifest dpm-security.manifest +%defattr(644,root,root,755) +%attr(755,root,root) /opt/data/dpm/plugins/security +%attr(755,root,root) %{_libdir}/libdpm-security.so.%{version} +%{_libdir}/libdpm-security.so.0 + +%prep +%setup -q + +%build +%{!?build_type:%define build_type "RELEASE"} + +%if %{build_type} == "DEBUG" || %{build_type} == "PROFILING" || %{build_type} == "CCOV" + CFLAGS="$CFLAGS -Wp,-U_FORTIFY_SOURCE" + CXXFLAGS="$CXXFLAGS -Wp,-U_FORTIFY_SOURCE" +%endif + +%cmake . -DVERSION=%{version} \ + -DCMAKE_BUILD_TYPE=%{build_type} \ + -DSCRIPT_INSTALL_DIR=%{_scriptdir} \ + -DSYSTEMD_UNIT_INSTALL_DIR=%{_unitdir} \ + -DDATA_INSTALL_DIR=%{TZ_SYS_DATA}/dpm \ + -DDB_INSTALL_DIR=%{TZ_SYS_DB} \ + -DRUN_INSTALL_DIR=%{TZ_SYS_RUN} \ + -DAPP_INSTALL_PREFIX="%{TZ_SYS_RO_APP}" \ + -DAPP_SHARE_PACKAGES_DIR="%{TZ_SYS_RO_PACKAGES}" \ + +make %{?jobs:-j%jobs} + +%install +%make_install + +%clean +rm -rf %{buildroot} + +%post + +%preun + +%postun + +## Devel Package ############################################################## +%package -n libdpm-security-devel +Summary: Libraries and header files for device policy client development +Group: Development/Libraries +Requires: device-policy-manager = %{version}-%{release} + +%description -n libdpm-security-devel +The libdpm-security-devel package includes the libraries and header files necessary for +developing the DPM client program. + +%files -n libdpm-security-devel +%manifest dpm-security.manifest +%defattr(644,root,root,755) +%{_libdir}/libdpm-security.so +%{_libdir}/pkgconfig/dpm-security.pc +%{_includedir}/dpm diff --git a/plugin/CMakeLists.txt b/plugin/CMakeLists.txt new file mode 100755 index 0000000..c23755d --- /dev/null +++ b/plugin/CMakeLists.txt @@ -0,0 +1,35 @@ +# +# Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +SET(TARGET "dpm-plugin-security") + +SET(PLUGIN_SOURCES "security.cpp") + +SET(DEPENDENCY klay + dpm-pil + vconf + deviced +) + +PKG_CHECK_MODULES(PLUGIN_DEPS REQUIRED ${DEPENDENCY}) + +SET (CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,-z,noexecstack") + +ADD_LIBRARY(${TARGET} SHARED ${PLUGIN_SOURCES}) +SET_TARGET_PROPERTIES(${TARGET} PROPERTIES COMPILE_FLAGS "-fvisibility=default") +INCLUDE_DIRECTORIES(SYSTEM ${PLUGIN_DEPS_INCLUDE_DIRS}) +TARGET_LINK_LIBRARIES(${TARGET} ${PLUGIN_DEPS_LIBRARIES}) + +INSTALL(FILES libdpm-plugin-security.so RENAME security DESTINATION /opt/data/dpm/plugins) diff --git a/plugin/security.cpp b/plugin/security.cpp new file mode 100755 index 0000000..b0271cf --- /dev/null +++ b/plugin/security.cpp @@ -0,0 +1,298 @@ +/* + * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ +#include +#include +#include + +#include +#include + +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +namespace { + +const std::string APPID_DEVICE_ENCRYPTION = "org.tizen.ode"; +const std::string APPID_LOCKSCREEN = "org.tizen.lockscreen"; + +const std::string PROG_FACTORY_RESET = "/usr/bin/dbus-send"; +const std::vector wipeCommand = { + "/usr/bin/dbus-send", + "--system", + "--type=signal", + "--print-reply", + "--dest=com.samsung.factoryreset", + "/com/samsung/factoryreset", + "com.samsung.factoryreset.start.setting" +}; + +bool checkEncryptionState(const char* key, bool encrypt) +{ + char *value = ::vconf_get_str(key); + if (value == NULL) { + ERROR("Failed to read internal storage encryption state"); + return false; + } + + std::string state(value); + ::free(value); + if (encrypt) { + if (state != "unencrypted") { + ERROR("Storage might be already encrypted or it has error"); + return false; + } + } else { + if (state != "encrypted") { + ERROR("Storage might be already decrypted or it has error"); + return false; + } + } + + return true; +} + +bool getEncryptionState(const char* key) +{ + char *state = ::vconf_get_str(key); + if (state == NULL) { + throw runtime::Exception("Failed to read internal storage encryption state"); + } + + std::string expected("encrypted"); + if (expected == state) { + ::free(state); + return true; + } + + ::free(state); + return false; +} + +int launchApplication(const std::string& name, const Bundle& bundle) +{ + try { + Launchpad launchpad(rmi::Service::getPeerUid()); + if (launchpad.isRunning(name)) { + launchpad.resume(name); + return 0; + } + + launchpad.launch(name, bundle); + } catch (runtime::Exception& e) { + ERROR("Failed to start application: " << name); + return -1; + } + + return 0; +} + + +std::vector getStorageDeviceList(const std::string& type) +{ + int intparams[6]; + char* strparams[7]; + std::vector storages; + + dbus::Connection &systemDBus = dbus::Connection::getSystem(); + const dbus::Variant &var = systemDBus.methodcall("org.tizen.system.storage", + "/Org/Tizen/System/Storage/Block/Manager", + "org.tizen.system.storage.BlockManager", + "GetDeviceList", + -1, + "(a(issssssisibii))", + "(s)", + type.c_str()); + dbus::VariantIterator it; + var.get("(a(issssssisibii))", &it); + while (it.get("(issssssisibii)", + &intparams[0], // block type: 0 - scsi, 1 : mmc + &strparams[0], // devnode + &strparams[1], // syspath + &strparams[2], // usage + &strparams[3], // fs type + &strparams[4], // fs version + &strparams[5], // fs uuid enc + &intparams[1], // readonly: 0 - rw, 1 - ro + &strparams[6], // mount point + &intparams[2], // state: 0 - unmount, 1 - mount + &intparams[3], // primary: 0 - flase, 1 - true + &intparams[4], // flags: 1 - unmounted + // 2 - broken filesystem + // 4 - no filesystem + // 8 - not supported + // 16 - readonly + &intparams[5])) { // strage id + storages.push_back(strrchr(strparams[0], '/') + 1); + for (int i = 0; i < 7; i++) { + if (strparams[i]) { + ::free(strparams[i]); + } + } + } + + return storages; +} + +void requestDeviceFormat(const std::string& devnode, int option) +{ + int ret; + dbus::Connection &systemDBus = dbus::Connection::getSystem(); + systemDBus.methodcall("org.tizen.system.storage", + "/Org/Tizen/System/Storage/Block/Devices/" + devnode, + "org.tizen.system.storage.Block", + "Format", + G_MAXINT, + "(i)", + "(i)", + option).get("(i)", &ret); + if (ret != 0) { + throw runtime::Exception("Failed to format " + devnode); + } +} + +} // namespace + +class Security : public AbstractPolicyProvider { +public: + enum { + WIPE_INTERNAL_STORAGE = (1 << 0), /**< Wipe internal memory */ + WIPE_EXTERNAL_STORAGE = (1 << 1), /**< Wipe external memory */ + }; + + Security(); + ~Security(); + + int lockoutScreen(); + + int wipeData(int id); + + int setInternalStorageEncryption(bool encrypt); + bool isInternalStorageEncrypted(); + int setExternalStorageEncryption(bool encrypt); + bool isExternalStorageEncrypted(); +}; + +Security::Security() +{ +} + +Security::~Security() +{ +} + +int Security::lockoutScreen() +{ + return launchApplication(APPID_LOCKSCREEN, Bundle()); +} + +int Security::setInternalStorageEncryption(bool encrypt) +{ + if (!checkEncryptionState(VCONFKEY_ODE_CRYPTO_STATE, encrypt)) { + return -1; + } + + Bundle bundle; + bundle.add("viewtype", encrypt ? "ENCRYPT_DEVICE" : "DECRYPT_DEVICE"); + return launchApplication(APPID_DEVICE_ENCRYPTION, bundle); +} + +bool Security::isInternalStorageEncrypted() +{ + return getEncryptionState(VCONFKEY_ODE_CRYPTO_STATE); +} + +int Security::setExternalStorageEncryption(bool encrypt) +{ + if (!checkEncryptionState(VCONFKEY_SDE_CRYPTO_STATE, encrypt)) { + return -1; + } + + Bundle bundle; + bundle.add("viewtype", encrypt ? "ENCRYPT_SD_CARD" : "DECRYPT_SD_CARD"); + return launchApplication(APPID_DEVICE_ENCRYPTION, bundle); +} + +bool Security::isExternalStorageEncrypted() +{ + return getEncryptionState(VCONFKEY_SDE_CRYPTO_STATE); +} + +int Security::wipeData(int id) +{ + auto worker = [id, this]() { + if (id & WIPE_EXTERNAL_STORAGE) { + try { + std::vector devices = getStorageDeviceList("mmc"); + for (const std::string& devnode : devices) { + std::cout << "Erase device: " << devnode << std::endl; + requestDeviceFormat(devnode, 1); + std::cout << "Erase device: " << devnode << " completed" << std::endl; + } + } catch(runtime::Exception& e) { + ERROR("Failed to enforce external storage policy"); + return -1; + } + } + + if (id & WIPE_INTERNAL_STORAGE) { + runtime::Process proc(PROG_FACTORY_RESET, wipeCommand); + if (proc.execute() == -1) { + ERROR("Failed to launch factory-reset"); + return -1; + } + } + + return 0; + }; + + std::thread deviceWiper(worker); + deviceWiper.detach(); + + return 0; +} + +extern "C" { + +#define PRIVILEGE_SECURITY "http://tizen.org/privilege/dpm.security" +#define PRIVILEGE_WIPE "http://tizen.org/privilege/dpm.wipe" +#define PRIVILEGE_LOCK "http://tizen.org/privilege/dpm.lock" + +AbstractPolicyProvider *PolicyFactory(PolicyControlContext& context) +{ + Security *policy = new Security(); + + context.expose(policy, PRIVILEGE_SECURITY, (int)(Security::setInternalStorageEncryption)(bool)); + context.expose(policy, PRIVILEGE_SECURITY, (int)(Security::setExternalStorageEncryption)(bool)); + context.expose(policy, PRIVILEGE_WIPE, (int)(Security::wipeData)(int)); + context.expose(policy, PRIVILEGE_LOCK, (int)(Security::lockoutScreen)()); + + context.expose(policy, "", (bool)(Security::isInternalStorageEncrypted)()); + context.expose(policy, "", (bool)(Security::isExternalStorageEncrypted)()); + + return policy; +} + +} // extern "C" + + -- 2.7.4 From 35e4adba663a891c8edd4dcb464615daf747bb0d Mon Sep 17 00:00:00 2001 From: Sungbae Yoo Date: Tue, 26 Sep 2017 19:16:41 +0900 Subject: [PATCH 3/5] Add a license file Change-Id: Ic38a6bd1db85fe1f6379cf08c54a595238385303 Signed-off-by: Sungbae Yoo --- LICENSE | 204 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 204 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..26b7de6 --- /dev/null +++ b/LICENSE @@ -0,0 +1,204 @@ +Copyright (c) 2015 Samsung Electronics Co., Ltd. All rights reserved. + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + -- 2.7.4 From d6433645bbb257cd0632d238e3ed3356aef0a9ff Mon Sep 17 00:00:00 2001 From: Jaemin Ryu Date: Tue, 31 Oct 2017 14:38:16 +0900 Subject: [PATCH 4/5] Include device-policy-manager.h for the shared types Change-Id: Ie3ae7f12083a958f191942f8cbfceeea1e60c4cb Signed-off-by: Jaemin Ryu --- api/security.cpp | 6 ++++++ api/security.h | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/api/security.cpp b/api/security.cpp index 24bdcce..04e0a40 100644 --- a/api/security.cpp +++ b/api/security.cpp @@ -21,6 +21,12 @@ #include "security.h" +#define RET_ON_FAILURE(cond, ret) \ +{ \ + if (!(cond)) \ + return (ret); \ +} + EXPORT_API int dpm_security_lockout_screen(device_policy_manager_h handle) { RET_ON_FAILURE(handle, DPM_ERROR_INVALID_PARAMETER); diff --git a/api/security.h b/api/security.h index 6431c7e..2e19a6e 100644 --- a/api/security.h +++ b/api/security.h @@ -19,7 +19,7 @@ #include -typedef void * device_policy_manager_h; +#include /** * @file security.h -- 2.7.4 From d4ac7e6cf169077f26d69c2da5151334a4f6b738 Mon Sep 17 00:00:00 2001 From: Jaemin Ryu Date: Thu, 26 Jul 2018 15:22:50 +0900 Subject: [PATCH 5/5] Change plugin path to %{_libdir}/dpm/plugins Change-Id: I8ee4189603c5667825b654cec355562edfb336c4 Signed-off-by: Jaemin Ryu --- CMakeLists.txt | 4 ++++ packaging/dpm-security.spec | 3 ++- plugin/CMakeLists.txt | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index b1c3c70..038da38 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -79,6 +79,10 @@ IF(NOT DEFINED SYSTEMD_UNIT_INSTALL_DIR) SET(SYSTEMD_UNIT_INSTALL_DIR "${CMAKE_INSTALL_PREFIX}/lib/systemd/system") ENDIF(NOT DEFINED SYSTEMD_UNIT_INSTALL_DIR) +IF(NOT DEFINED PLUGIN_INSTALL_DIR) + SET(PLUGIN_INSTALL_DIR "${LIB_INSTALL_DIR}/dpm/plugins") +ENDIF(NOT DEFINED PLUGIN_INSTALL_DIR) + ADD_DEFINITIONS(-DUG_WAYLAND) ADD_SUBDIRECTORY(${DPM_PLUGIN}) diff --git a/packaging/dpm-security.spec b/packaging/dpm-security.spec index dcb8f62..6afe529 100755 --- a/packaging/dpm-security.spec +++ b/packaging/dpm-security.spec @@ -22,7 +22,7 @@ The dpm-security package provides security policy module for device policy manag %files %manifest dpm-security.manifest %defattr(644,root,root,755) -%attr(755,root,root) /opt/data/dpm/plugins/security +%attr(755,root,root) %{_libdir}/dpm/plugins/security %attr(755,root,root) %{_libdir}/libdpm-security.so.%{version} %{_libdir}/libdpm-security.so.0 @@ -39,6 +39,7 @@ The dpm-security package provides security policy module for device policy manag %cmake . -DVERSION=%{version} \ -DCMAKE_BUILD_TYPE=%{build_type} \ + -DPLUGIN_INSTALL_DIR=%{_libdir}/dpm/plugins \ -DSCRIPT_INSTALL_DIR=%{_scriptdir} \ -DSYSTEMD_UNIT_INSTALL_DIR=%{_unitdir} \ -DDATA_INSTALL_DIR=%{TZ_SYS_DATA}/dpm \ diff --git a/plugin/CMakeLists.txt b/plugin/CMakeLists.txt index c23755d..473808b 100755 --- a/plugin/CMakeLists.txt +++ b/plugin/CMakeLists.txt @@ -32,4 +32,4 @@ SET_TARGET_PROPERTIES(${TARGET} PROPERTIES COMPILE_FLAGS "-fvisibility=default") INCLUDE_DIRECTORIES(SYSTEM ${PLUGIN_DEPS_INCLUDE_DIRS}) TARGET_LINK_LIBRARIES(${TARGET} ${PLUGIN_DEPS_LIBRARIES}) -INSTALL(FILES libdpm-plugin-security.so RENAME security DESTINATION /opt/data/dpm/plugins) +INSTALL(FILES libdpm-plugin-security.so RENAME security DESTINATION ${PLUGIN_INSTALL_DIR}) -- 2.7.4