From 5ed4ec8644015b7418c0e86111ffb5d344a5823d Mon Sep 17 00:00:00 2001
From: Sangyoon Jang
Date: Thu, 8 Feb 2024 09:42:40 +0900
Subject: [PATCH] Fix smack labeling for lib rpk

Set public RO for files under lib dir when installing "rpk" type package.

Change-Id: If72fb2b816fa577b464c1f66e307a8d3277f4960
Signed-off-by: Sangyoon Jang
---
 src/common/security_registration.cc | 19 ++++++++++++---
 src/common/security_registration.h | 5 ++--
 src/common/shared_dirs.cc | 28 +++++++++++-----------
 src/common/step/security/step_recover_security.cc | 4 ++--
 src/common/step/security/step_register_security.cc | 4 ++--
 .../step_rollback_deinstallation_security.cc | 4 ++--
 src/common/step/security/step_update_security.cc | 8 +++----
 7 files changed, 43 insertions(+), 29 deletions(-)

diff --git a/src/common/security_registration.cc b/src/common/security_registration.cc
index c08992b..56447e8 100644
--- a/src/common/security_registration.cc
+++ b/src/common/security_registration.cc
@@ -382,6 +382,19 @@ class SecurityContextPathRequest {
 SetErrorMessage(&error_message_, error);
 return false;
 }
+
+ // this is for lib rpk installation. set public RO for contents only.
+ if (pkg_type == "rpk" && std::string(policy.first) == "lib") {
+ for (bf::directory_iterator iter(subpath);
+ iter != bf::directory_iterator(); ++iter) {
+ error = security_manager_path_req_add_path(req_,
+ iter->path().string().c_str(), SECURITY_MANAGER_PATH_PUBLIC_RO);
+ if (error!= SECURITY_MANAGER_SUCCESS) {
+ SetErrorMessage(&error_message_, error);
+ return false;
+ }
+ }
+ }
 }
 return true;
 }
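Review bot: The added loop in `PreparePath` constructs `bf::directory_iterator iter(subpath)` with the throwing overload, so an unreadable or non-directory `lib` raises `bf::filesystem_error` instead of taking the `SetErrorMessage`/`return false` path used by the other failures in this hunk. The `error_code` overload keeps it on that path: `boost::system::error_code ec;` followed by `for (bf::directory_iterator iter(subpath, ec); !ec && iter != bf::directory_iterator(); iter.increment(ec))`, returning false when `ec` is set after the loop. The loop also registers every direct entry of `lib` as `SECURITY_MANAGER_PATH_PUBLIC_RO`, symlinks included, and those entries come from the package being installed; unless security-manager is known to refuse or not follow links (not visible from this hunk), skip them with `if (bf::is_symlink(bf::symlink_status(iter->path()))) continue;`. The body of `PreparePath` starts and ends outside the hunk, so an earlier existence or type check on `subpath` may already cover part of this.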
@@ -549,8 +562,8 @@ bool UnregisterSecurityContextForPkgId(const std::string &pkg_id,
 }

 bool RegisterSecurityContextForPath(const std::string &pkg_id,
- const boost::filesystem::path& path, uid_t uid, bool is_readonly_pkg,
- std::string* error_message) {
+ const std::string& pkg_type, const boost::filesystem::path& path,
+ uid_t uid, bool is_readonly_pkg, std::string* error_message) {
 SecurityContextPathRequest req;
 if (!req.IsValid()) {
 *error_message = req.ErrorMessage();
@@ -560,7 +573,7 @@ bool RegisterSecurityContextForPath(const std::string &pkg_id,
 *error_message = req.ErrorMessage();
 return false;
 }
- if (!req.PreparePath({}, path, is_readonly_pkg, false)) {
+ if (!req.PreparePath(pkg_type, path, is_readonly_pkg, false)) {
 *error_message = req.ErrorMessage();
 return false;
 }
diff --git a/src/common/security_registration.h b/src/common/security_registration.h
index 9eb1227..cf0ed35 100644
--- a/src/common/security_registration.h
+++ b/src/common/security_registration.h
@@ -76,6 +76,7 @@ bool UnregisterSecurityContextForPkgId(const std::string& pkg_id,
 * package path to security context
 *
 * \param pkg_id pkgid of given package
+ * \param pkg_type pkg type of given package
 * \param path path for registering
 * \param uid uid
 * \param is_readonly_pkg RO package flag
@@ -84,8 +85,8 @@ bool UnregisterSecurityContextForPkgId(const std::string& pkg_id,
 * \return true if success
 */
 bool RegisterSecurityContextForPath(const std::string &pkg_id,
- const boost::filesystem::path& path, uid_t uid,
- bool is_readonly_pkg, std::string* error_message);
+ const std::string& pkg_type, const boost::filesystem::path& path,
+ uid_t uid, bool is_readonly_pkg, std::string* error_message);

 /**
 * Adapter interface for external Security module.
diff --git a/src/common/shared_dirs.cc b/src/common/shared_dirs.cc
index ba17ea7..88fd0ba 100644
--- a/src/common/shared_dirs.cc
+++ b/src/common/shared_dirs.cc
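Review bot: The new `\param pkg_type` line in the doc comment of `RegisterSecurityContextForPath` (security_registration.h) restates the parameter name without saying that the value changes which labels are applied. Going by the `PreparePath` change in security_registration.cc, `"rpk"` additionally registers each entry under `lib` as public RO, and the callers in shared_dirs.cc pass an empty value to get no type-specific rule. Suggest `\param pkg_type package type; "rpk" also registers the entries under lib as public RO, empty applies no type-specific rule`. The comment block begins before this hunk.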
@@ -543,8 +543,8 @@ bool CreatePerUserStorageDirectories(const std::string& pkgid, bool trusted, } std::string error_message; - if (!RegisterSecurityContextForPath(pkgid, skel_apps_rw / pkgid, - kGlobalUserUid, is_readonly, &error_message)) { + if (!RegisterSecurityContextForPath(pkgid, {}, skel_apps_rw / pkgid, + kGlobalUserUid, is_readonly, &error_message)) { LOG(ERROR) << "Failed to register security context for path: " << skel_apps_rw / pkgid << ", error_message: " << error_message; return false; @@ -588,8 +588,8 @@ bool CreatePerUserStorageDirectories(const std::string& pkgid, bool trusted, } } - if (!RegisterSecurityContextForPath(pkgid, apps_rw / pkgid, uid, false, - &error_message)) { + if (!RegisterSecurityContextForPath(pkgid, {}, apps_rw / pkgid, uid, + false, &error_message)) { LOG(ERROR) << "Failed to register security context for path: " << apps_rw / pkgid << ", error_message: " << error_message; return false; @@ -664,8 +664,8 @@ bool CreateStorageDirectories(const boost::filesystem::path& path, } std::string error_message; - if (!RegisterSecurityContextForPath(pkgid, path / pkgid, uid, false, - &error_message)) { + if (!RegisterSecurityContextForPath(pkgid, {}, path / pkgid, uid, false, + &error_message)) { LOG(ERROR) << "Failed to register security context for path: " << path << ", error_message: " << error_message; return false; @@ -855,8 +855,8 @@ bool CreateSharedDataDir(const std::string& pkgid, uid_t uid) { bf::path path = apps_rw / pkgid; std::string error_message; - if (!ci::RegisterSecurityContextForPath(pkgid, path, uid, false, - &error_message)) { + if (!ci::RegisterSecurityContextForPath(pkgid, {}, path, uid, false, + &error_message)) { LOG(ERROR) << "Failed to register security context for path: " << path << ", error_message: " << error_message; return false; 
@@ -874,8 +874,8 @@ bool CreatePerUserSharedDataDir(const std::string& pkgid) { return false; std::string error_message; - if (!ci::RegisterSecurityContextForPath(pkgid, skel_apps_rw / pkgid, - kGlobalUserUid, false, &error_message)) { + if (!ci::RegisterSecurityContextForPath(pkgid, {}, skel_apps_rw / pkgid, + kGlobalUserUid, false, &error_message)) { LOG(ERROR) << "Failed to register security context for path: " << skel_apps_rw / pkgid << ", error_message: " << error_message; return false; @@ -905,7 +905,7 @@ bool CreatePerUserSharedDataDir(const std::string& pkgid) { return false; } - if (!ci::RegisterSecurityContextForPath(pkgid, apps_rw / pkgid, uid, + if (!ci::RegisterSecurityContextForPath(pkgid, {}, apps_rw / pkgid, uid, false, &error_message)) { LOG(ERROR) << "Failed to register security context for path: " << apps_rw / pkgid << ", error_message: " << error_message; @@ -993,7 +993,7 @@ bool RestoreSharedDataDir(const std::string& pkgid, uid_t uid) { } std::string error_message; - if (!RegisterSecurityContextForPath(pkgid, apps_rw / pkgid, uid, false, + if (!RegisterSecurityContextForPath(pkgid, {}, apps_rw / pkgid, uid, false, &error_message)) { LOG(ERROR) << "Failed to register security context for path: " << apps_rw << ", error_message: " << error_message; @@ -1034,8 +1034,8 @@ bool RestorePerUserSharedDataDir(const std::string& pkgid) { return false; } - if (!RegisterSecurityContextForPath(pkgid, apps_rw / pkgid, uid, - false, &error_message)) { + if (!RegisterSecurityContextForPath(pkgid, {}, apps_rw / pkgid, uid, + false, &error_message)) { LOG(ERROR) << "Failed to register security context for path: " << apps_rw / pkgid << ", error_message: " << error_message; return false; diff --git a/src/common/step/security/step_recover_security.cc b/src/common/step/security/step_recover_security.cc index c9c061a..a7a62fc 100644 --- a/src/common/step/security/step_recover_security.cc +++ b/src/common/step/security/step_recover_security.cc 
@@ -79,8 +79,8 @@ Step::Status StepRecoverSecurity::RecoveryUpdate() { if (!HasOwnerRwOtherRoPaths(context_->GetPkgPath())) return Status::OK; - if (!RegisterSecurityContextForPath( - context_->pkgid.get(), context_->GetPkgPath(), context_->uid.get(), + if (!RegisterSecurityContextForPath(context_->pkgid.get(), + context_->pkg_type.get(), context_->GetPkgPath(), context_->uid.get(), context_->is_readonly_package.get(), &error_message)) { if (!error_message.empty()) { LOG(ERROR) << "error_message: " << error_message; diff --git a/src/common/step/security/step_register_security.cc b/src/common/step/security/step_register_security.cc index 3a8d0d1..b044e90 100644 --- a/src/common/step/security/step_register_security.cc +++ b/src/common/step/security/step_register_security.cc @@ -51,8 +51,8 @@ Step::Status StepRegisterSecurity::process() { } if (context_->partial_rw.get()) return Status::OK; - if (!RegisterSecurityContextForPath( - context_->pkgid.get(), context_->GetPkgPath(), context_->uid.get(), + if (!RegisterSecurityContextForPath(context_->pkgid.get(), + context_->pkg_type.get(), context_->GetPkgPath(), context_->uid.get(), context_->is_readonly_package.get(), &error_message)) { if (!error_message.empty()) { LOG(ERROR) << "error_message: " << error_message; diff --git a/src/common/step/security/step_rollback_deinstallation_security.cc b/src/common/step/security/step_rollback_deinstallation_security.cc index 7e1614d..876534e 100644 --- a/src/common/step/security/step_rollback_deinstallation_security.cc +++ b/src/common/step/security/step_rollback_deinstallation_security.cc 
@@ -35,8 +35,8 @@ Step::Status StepRollbackDeinstallationSecurity::undo() {
 }
 return Status::SECURITY_ERROR;
 }
- if (!RegisterSecurityContextForPath(
- context_->pkgid.get(), context_->GetPkgPath(), context_->uid.get(),
+ if (!RegisterSecurityContextForPath(context_->pkgid.get(),
+ context_->pkg_type.get(), context_->GetPkgPath(), context_->uid.get(),
 context_->is_readonly_package.get(), &error_message)) {
 if (!error_message.empty()) {
 LOG(ERROR) << "error_message: " << error_message;
diff --git a/src/common/step/security/step_update_security.cc b/src/common/step/security/step_update_security.cc
index 0903017..644c00a 100644
--- a/src/common/step/security/step_update_security.cc
+++ b/src/common/step/security/step_update_security.cc
@@ -23,8 +23,8 @@ Step::Status StepUpdateSecurity::process() {
 return Status::SECURITY_ERROR;
 }
 if (context_->request_type.get() != RequestType::ReadonlyUpdateUninstall) {
- if (!RegisterSecurityContextForPath(
- context_->pkgid.get(), context_->GetPkgPath(), context_->uid.get(),
+ if (!RegisterSecurityContextForPath(context_->pkgid.get(),
+ context_->pkg_type.get(), context_->GetPkgPath(), context_->uid.get(),
 context_->is_readonly_package.get(), &error_message)) {
 if (!error_message.empty()) {
 LOG(ERROR) << "error_message: " << error_message;
@@ -45,8 +45,8 @@ Step::Status StepUpdateSecurity::undo() {
 }
 return Status::SECURITY_ERROR;
 }
- if (!RegisterSecurityContextForPath(
- context_->pkgid.get(), context_->GetPkgPath(), context_->uid.get(),
+ if (!RegisterSecurityContextForPath(context_->pkgid.get(),
+ context_->pkg_type.get(), context_->GetPkgPath(), context_->uid.get(),
 context_->is_readonly_package.get(), &error_message)) {
 if (!error_message.empty()) {
 LOG(ERROR) << "error_message: " << error_message;
--
2.7.4