2 * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
4 * Contact: Rafal Krypa <r.krypa@samsung.com>
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License
20 * @author Michal Witanowski <m.witanowski@samsung.com>
21 * @author Jacek Bukarewicz <j.bukarewicz@samsung.com>
22 * @author Rafal Krypa <r.krypa@samsung.com>
23 * @brief Implementation of security-manager service.
26 #include <sys/socket.h>
28 #include <dpl/log/log.h>
29 #include <dpl/serialization.h>
30 #include <sys/smack.h>
32 #include "connection.h"
33 #include "protocols.h"
35 #include "service_impl.h"
36 #include "master-req.h"
38 namespace SecurityManager {
40 const InterfaceID IFACE = 1;
42 Service::Service(const bool isSlave):
47 GenericSocketService::ServiceDescriptionVector Service::GetServiceDescription()
50 return ServiceDescriptionVector {
51 {SLAVE_SERVICE_SOCKET, /* path */
52 "*", /* smackLabel label (not used, we rely on systemd) */
53 IFACE, /* InterfaceID */
54 false, /* useSendMsg */
55 true}, /* systemdOnly */
58 return ServiceDescriptionVector {
59 {SERVICE_SOCKET, /* path */
60 "*", /* smackLabel label (not used, we rely on systemd) */
61 IFACE, /* InterfaceID */
62 false, /* useSendMsg */
63 true}, /* systemdOnly */
67 static bool getPeerID(int sock, uid_t &uid, pid_t &pid, std::string &smackLabel)
70 socklen_t len = sizeof(cr);
72 if (!getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cr, &len)) {
74 ssize_t ret = smack_new_label_from_socket(sock, &smk);
87 bool Service::processOne(const ConnectionID &conn, MessageBuffer &buffer,
88 InterfaceID interfaceID)
90 LogDebug("Iteration begin. Interface = " << interfaceID);
92 //waiting for all data
93 if (!buffer.Ready()) {
102 std::string smackLabel;
104 if (!getPeerID(conn.sock, uid, pid, smackLabel)) {
105 LogError("Closing socket because of error: unable to get peer's uid, pid or smack label");
106 m_serviceManager->Close(conn);
110 if (IFACE == interfaceID) {
112 // deserialize API call type
114 Deserialization::Deserialize(buffer, call_type_int);
115 SecurityModuleCall call_type = static_cast<SecurityModuleCall>(call_type_int);
118 case SecurityModuleCall::NOOP:
119 LogDebug("call_type: SecurityModuleCall::NOOP");
120 Serialization::Serialize(send, SECURITY_MANAGER_API_SUCCESS);
122 case SecurityModuleCall::APP_INSTALL:
123 LogDebug("call_type: SecurityModuleCall::APP_INSTALL");
124 processAppInstall(buffer, send, uid);
126 case SecurityModuleCall::APP_UNINSTALL:
127 LogDebug("call_type: SecurityModuleCall::APP_UNINSTALL");
128 processAppUninstall(buffer, send, uid);
130 case SecurityModuleCall::APP_GET_PKGID:
131 processGetPkgId(buffer, send);
133 case SecurityModuleCall::APP_GET_GROUPS:
134 processGetAppGroups(buffer, send, uid, pid);
136 case SecurityModuleCall::USER_ADD:
137 processUserAdd(buffer, send, uid);
139 case SecurityModuleCall::USER_DELETE:
140 processUserDelete(buffer, send, uid);
142 case SecurityModuleCall::POLICY_UPDATE:
143 processPolicyUpdate(buffer, send, uid, pid, smackLabel);
145 case SecurityModuleCall::GET_CONF_POLICY_ADMIN:
146 processGetConfiguredPolicy(buffer, send, uid, pid, smackLabel, true);
148 case SecurityModuleCall::GET_CONF_POLICY_SELF:
149 processGetConfiguredPolicy(buffer, send, uid, pid, smackLabel, false);
151 case SecurityModuleCall::GET_POLICY:
152 processGetPolicy(buffer, send, uid, pid, smackLabel);
154 case SecurityModuleCall::POLICY_GET_DESCRIPTIONS:
155 processPolicyGetDesc(send);
157 case SecurityModuleCall::GET_PRIVILEGES_MAPPING:
158 processPrivilegesMappings(buffer, send);
160 case SecurityModuleCall::GROUPS_GET:
161 processGroupsGet(send);
164 LogError("Invalid call: " << call_type_int);
165 Throw(ServiceException::InvalidAction);
167 // if we reach this point, the protocol is OK
169 } Catch (MessageBuffer::Exception::Base) {
170 LogError("Broken protocol.");
171 } Catch (ServiceException::Base) {
172 LogError("Broken protocol.");
173 } catch (const std::exception &e) {
174 LogError("STD exception " << e.what());
176 LogError("Unknown exception");
180 LogError("Wrong interface");
185 m_serviceManager->Write(conn, send.Pop());
187 LogError("Closing socket because of error");
188 m_serviceManager->Close(conn);
194 void Service::processAppInstall(MessageBuffer &buffer, MessageBuffer &send, uid_t uid)
198 Deserialization::Deserialize(buffer, req.appId);
199 Deserialization::Deserialize(buffer, req.pkgId);
200 Deserialization::Deserialize(buffer, req.privileges);
201 Deserialization::Deserialize(buffer, req.appPaths);
202 Deserialization::Deserialize(buffer, req.uid);
203 Serialization::Serialize(send, ServiceImpl::appInstall(req, uid, m_isSlave));
206 void Service::processAppUninstall(MessageBuffer &buffer, MessageBuffer &send, uid_t uid)
210 Deserialization::Deserialize(buffer, appId);
211 Serialization::Serialize(send, ServiceImpl::appUninstall(appId, uid, m_isSlave));
214 void Service::processGetPkgId(MessageBuffer &buffer, MessageBuffer &send)
220 Deserialization::Deserialize(buffer, appId);
221 ret = ServiceImpl::getPkgId(appId, pkgId);
222 Serialization::Serialize(send, ret);
223 if (ret == SECURITY_MANAGER_API_SUCCESS)
224 Serialization::Serialize(send, pkgId);
227 void Service::processGetAppGroups(MessageBuffer &buffer, MessageBuffer &send, uid_t uid, pid_t pid)
230 std::unordered_set<gid_t> gids;
233 Deserialization::Deserialize(buffer, appId);
234 ret = ServiceImpl::getAppGroups(appId, uid, pid, m_isSlave, gids);
235 Serialization::Serialize(send, ret);
236 if (ret == SECURITY_MANAGER_API_SUCCESS) {
237 Serialization::Serialize(send, static_cast<int>(gids.size()));
238 for (const auto &gid : gids) {
239 Serialization::Serialize(send, gid);
244 void Service::processUserAdd(MessageBuffer &buffer, MessageBuffer &send, uid_t uid)
250 Deserialization::Deserialize(buffer, uidAdded);
251 Deserialization::Deserialize(buffer, userType);
253 ret = ServiceImpl::userAdd(uidAdded, userType, uid, m_isSlave);
254 Serialization::Serialize(send, ret);
257 void Service::processUserDelete(MessageBuffer &buffer, MessageBuffer &send, uid_t uid)
262 Deserialization::Deserialize(buffer, uidRemoved);
264 ret = ServiceImpl::userDelete(uidRemoved, uid, m_isSlave);
265 Serialization::Serialize(send, ret);
268 void Service::processPolicyUpdate(MessageBuffer &buffer, MessageBuffer &send, uid_t uid, pid_t pid, const std::string &smackLabel)
271 std::vector<policy_entry> policyEntries;
273 Deserialization::Deserialize(buffer, policyEntries);
276 ret = MasterReq::PolicyUpdate(policyEntries, uid, pid, smackLabel);
278 ret = ServiceImpl::policyUpdate(policyEntries, uid, pid, smackLabel);
280 Serialization::Serialize(send, ret);
283 void Service::processGetConfiguredPolicy(MessageBuffer &buffer, MessageBuffer &send, uid_t uid, pid_t pid, const std::string &smackLabel, bool forAdmin)
287 Deserialization::Deserialize(buffer, filter);
288 std::vector<policy_entry> policyEntries;
291 ret = MasterReq::GetConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel, policyEntries);
293 ret = ServiceImpl::getConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel,
297 Serialization::Serialize(send, ret);
298 Serialization::Serialize(send, static_cast<int>(policyEntries.size()));
299 for (const auto &policyEntry : policyEntries) {
300 Serialization::Serialize(send, policyEntry);
304 void Service::processGetPolicy(MessageBuffer &buffer, MessageBuffer &send, uid_t uid, pid_t pid, const std::string &smackLabel)
308 Deserialization::Deserialize(buffer, filter);
309 std::vector<policy_entry> policyEntries;
312 ret = MasterReq::GetPolicy(filter, uid, pid, smackLabel, policyEntries);
314 ret = ServiceImpl::getPolicy(filter, uid, pid, smackLabel, policyEntries);
317 Serialization::Serialize(send, ret);
318 Serialization::Serialize(send, static_cast<int>(policyEntries.size()));
319 for (const auto &policyEntry : policyEntries) {
320 Serialization::Serialize(send, policyEntry);
324 void Service::processPolicyGetDesc(MessageBuffer &send)
327 std::vector<std::string> descriptions;
330 ret = MasterReq::PolicyGetDesc(descriptions);
332 ret = ServiceImpl::policyGetDesc(descriptions);
334 Serialization::Serialize(send, ret);
335 if (ret == SECURITY_MANAGER_API_SUCCESS) {
336 Serialization::Serialize(send, static_cast<int>(descriptions.size()));
338 for(std::vector<std::string>::size_type i = 0; i != descriptions.size(); i++) {
339 Serialization::Serialize(send, descriptions[i]);
344 void Service::processPrivilegesMappings(MessageBuffer &recv, MessageBuffer &send)
346 std::vector<std::string> privileges;
347 std::string version_from, version_to;
348 Deserialization::Deserialize(recv, version_from);
349 Deserialization::Deserialize(recv, version_to);
350 Deserialization::Deserialize(recv, privileges);
352 std::vector<std::string> mappings;
353 int ret = ServiceImpl::getPrivilegesMappings(version_from, version_to, privileges, mappings);
355 Serialization::Serialize(send, ret);
356 Serialization::Serialize(send, mappings);
359 void Service::processGroupsGet(MessageBuffer &send)
361 std::vector<std::string> groups;
362 int ret = ServiceImpl::policyGetGroups(groups);
364 Serialization::Serialize(send, ret);
365 if (ret == SECURITY_MANAGER_API_SUCCESS) {
366 Serialization::Serialize(send, groups);
370 } // namespace SecurityManager