src/server/service/service.cpp

   1 /*
   2  *  Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
   3  *
   4  *  Contact: Rafal Krypa <r.krypa@samsung.com>
   5  *
   6  *  Licensed under the Apache License, Version 2.0 (the "License");
   7  *  you may not use this file except in compliance with the License.
   8  *  You may obtain a copy of the License at
   9  *
  10  *      http://www.apache.org/licenses/LICENSE-2.0
  11  *
  12  *  Unless required by applicable law or agreed to in writing, software
  13  *  distributed under the License is distributed on an "AS IS" BASIS,
  14  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  15  *  See the License for the specific language governing permissions and
  16  *  limitations under the License
  17  */
  18 /*
  19  * @file        service.cpp
  20  * @author      Michal Witanowski <m.witanowski@samsung.com>
  21  * @author      Jacek Bukarewicz <j.bukarewicz@samsung.com>
  22  * @author      Rafal Krypa <r.krypa@samsung.com>
  23  * @brief       Implementation of security-manager service.
  24  */
  25
  26 #include <sys/socket.h>
  27
  28 #include <dpl/log/log.h>
  29 #include <dpl/serialization.h>
  30 #include <sys/smack.h>
  31
  32 #include "connection.h"
  33 #include "protocols.h"
  34 #include "service.h"
  35 #include "service_impl.h"
  36 #include "master-req.h"
  37
  38 namespace SecurityManager {
  39
  40 const InterfaceID IFACE = 1;
  41
  42 Service::Service(const bool isSlave):
  43         m_isSlave(isSlave)
  44 {
  45 }
  46
  47 GenericSocketService::ServiceDescriptionVector Service::GetServiceDescription()
  48 {
  49     if (m_isSlave)
  50         return ServiceDescriptionVector {
  51             {SLAVE_SERVICE_SOCKET,  /* path */
  52              "*",   /* smackLabel label (not used, we rely on systemd) */
  53              IFACE, /* InterfaceID */
  54              false, /* useSendMsg */
  55              true}, /* systemdOnly */
  56         };
  57     else
  58         return ServiceDescriptionVector {
  59             {SERVICE_SOCKET,  /* path */
  60              "*",   /* smackLabel label (not used, we rely on systemd) */
  61              IFACE, /* InterfaceID */
  62              false, /* useSendMsg */
  63              true}, /* systemdOnly */
  64         };
  65 }
  66
  67 static bool getPeerID(int sock, uid_t &uid, pid_t &pid, std::string &smackLabel)
  68 {
  69     struct ucred cr;
  70     socklen_t len = sizeof(cr);
  71
  72     if (!getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cr, &len)) {
  73         char *smk;
  74         ssize_t ret = smack_new_label_from_socket(sock, &smk);
  75         if (ret < 0)
  76             return false;
  77         smackLabel = smk;
  78         uid = cr.uid;
  79         pid = cr.pid;
  80         free(smk);
  81         return true;
  82     }
  83
  84     return false;
  85 }
  86
  87 bool Service::processOne(const ConnectionID &conn, MessageBuffer &buffer,
  88                                   InterfaceID interfaceID)
  89 {
  90     LogDebug("Iteration begin. Interface = " << interfaceID);
  91
  92     //waiting for all data
  93     if (!buffer.Ready()) {
  94         return false;
  95     }
  96
  97     MessageBuffer send;
  98     bool retval = false;
  99
 100     uid_t uid;
 101     pid_t pid;
 102     std::string smackLabel;
 103
 104     if (!getPeerID(conn.sock, uid, pid, smackLabel)) {
 105         LogError("Closing socket because of error: unable to get peer's uid, pid or smack label");
 106         m_serviceManager->Close(conn);
 107         return false;
 108     }
 109
 110     if (IFACE == interfaceID) {
 111         Try {
 112             // deserialize API call type
 113             int call_type_int;
 114             Deserialization::Deserialize(buffer, call_type_int);
 115             SecurityModuleCall call_type = static_cast<SecurityModuleCall>(call_type_int);
 116
 117             switch (call_type) {
 118                 case SecurityModuleCall::NOOP:
 119                     LogDebug("call_type: SecurityModuleCall::NOOP");
 120                     Serialization::Serialize(send, SECURITY_MANAGER_API_SUCCESS);
 121                     break;
 122                 case SecurityModuleCall::APP_INSTALL:
 123                     LogDebug("call_type: SecurityModuleCall::APP_INSTALL");
 124                     processAppInstall(buffer, send, uid);
 125                     break;
 126                 case SecurityModuleCall::APP_UNINSTALL:
 127                     LogDebug("call_type: SecurityModuleCall::APP_UNINSTALL");
 128                     processAppUninstall(buffer, send, uid);
 129                     break;
 130                 case SecurityModuleCall::APP_GET_PKGID:
 131                     processGetPkgId(buffer, send);
 132                     break;
 133                 case SecurityModuleCall::APP_GET_GROUPS:
 134                     processGetAppGroups(buffer, send, uid, pid);
 135                     break;
 136                 case SecurityModuleCall::USER_ADD:
 137                     processUserAdd(buffer, send, uid);
 138                     break;
 139                 case SecurityModuleCall::USER_DELETE:
 140                     processUserDelete(buffer, send, uid);
 141                     break;
 142                 case SecurityModuleCall::POLICY_UPDATE:
 143                     processPolicyUpdate(buffer, send, uid, pid, smackLabel);
 144                     break;
 145                 case SecurityModuleCall::GET_CONF_POLICY_ADMIN:
 146                     processGetConfiguredPolicy(buffer, send, uid, pid, smackLabel, true);
 147                     break;
 148                 case SecurityModuleCall::GET_CONF_POLICY_SELF:
 149                     processGetConfiguredPolicy(buffer, send, uid, pid, smackLabel, false);
 150                     break;
 151                 case SecurityModuleCall::GET_POLICY:
 152                     processGetPolicy(buffer, send, uid, pid, smackLabel);
 153                     break;
 154                 case SecurityModuleCall::POLICY_GET_DESCRIPTIONS:
 155                     processPolicyGetDesc(send);
 156                     break;
 157                 case SecurityModuleCall::GET_PRIVILEGES_MAPPING:
 158                     processPrivilegesMappings(buffer, send);
 159                     break;
 160                 case SecurityModuleCall::GROUPS_GET:
 161                     processGroupsGet(send);
 162                     break;
 163                 default:
 164                     LogError("Invalid call: " << call_type_int);
 165                     Throw(ServiceException::InvalidAction);
 166             }
 167             // if we reach this point, the protocol is OK
 168             retval = true;
 169         } Catch (MessageBuffer::Exception::Base) {
 170             LogError("Broken protocol.");
 171         } Catch (ServiceException::Base) {
 172             LogError("Broken protocol.");
 173         } catch (const std::exception &e) {
 174             LogError("STD exception " << e.what());
 175         } catch (...) {
 176             LogError("Unknown exception");
 177         }
 178     }
 179     else {
 180         LogError("Wrong interface");
 181     }
 182
 183     if (retval) {
 184         //send response
 185         m_serviceManager->Write(conn, send.Pop());
 186     } else {
 187         LogError("Closing socket because of error");
 188         m_serviceManager->Close(conn);
 189     }
 190
 191     return retval;
 192 }
 193
 194 void Service::processAppInstall(MessageBuffer &buffer, MessageBuffer &send, uid_t uid)
 195 {
 196     app_inst_req req;
 197
 198     Deserialization::Deserialize(buffer, req.appId);
 199     Deserialization::Deserialize(buffer, req.pkgId);
 200     Deserialization::Deserialize(buffer, req.privileges);
 201     Deserialization::Deserialize(buffer, req.appPaths);
 202     Deserialization::Deserialize(buffer, req.uid);
 203     Serialization::Serialize(send, ServiceImpl::appInstall(req, uid, m_isSlave));
 204 }
 205
 206 void Service::processAppUninstall(MessageBuffer &buffer, MessageBuffer &send, uid_t uid)
 207 {
 208     std::string appId;
 209
 210     Deserialization::Deserialize(buffer, appId);
 211     Serialization::Serialize(send, ServiceImpl::appUninstall(appId, uid, m_isSlave));
 212 }
 213
 214 void Service::processGetPkgId(MessageBuffer &buffer, MessageBuffer &send)
 215 {
 216     std::string appId;
 217     std::string pkgId;
 218     int ret;
 219
 220     Deserialization::Deserialize(buffer, appId);
 221     ret = ServiceImpl::getPkgId(appId, pkgId);
 222     Serialization::Serialize(send, ret);
 223     if (ret == SECURITY_MANAGER_API_SUCCESS)
 224         Serialization::Serialize(send, pkgId);
 225 }
 226
 227 void Service::processGetAppGroups(MessageBuffer &buffer, MessageBuffer &send, uid_t uid, pid_t pid)
 228 {
 229     std::string appId;
 230     std::unordered_set<gid_t> gids;
 231     int ret;
 232
 233     Deserialization::Deserialize(buffer, appId);
 234     ret = ServiceImpl::getAppGroups(appId, uid, pid, m_isSlave, gids);
 235     Serialization::Serialize(send, ret);
 236     if (ret == SECURITY_MANAGER_API_SUCCESS) {
 237         Serialization::Serialize(send, static_cast<int>(gids.size()));
 238         for (const auto &gid : gids) {
 239             Serialization::Serialize(send, gid);
 240         }
 241     }
 242 }
 243
 244 void Service::processUserAdd(MessageBuffer &buffer, MessageBuffer &send, uid_t uid)
 245 {
 246     int ret;
 247     uid_t uidAdded;
 248     int userType;
 249
 250     Deserialization::Deserialize(buffer, uidAdded);
 251     Deserialization::Deserialize(buffer, userType);
 252
 253     ret = ServiceImpl::userAdd(uidAdded, userType, uid, m_isSlave);
 254     Serialization::Serialize(send, ret);
 255 }
 256
 257 void Service::processUserDelete(MessageBuffer &buffer, MessageBuffer &send, uid_t uid)
 258 {
 259     int ret;
 260     uid_t uidRemoved;
 261
 262     Deserialization::Deserialize(buffer, uidRemoved);
 263
 264     ret = ServiceImpl::userDelete(uidRemoved, uid, m_isSlave);
 265     Serialization::Serialize(send, ret);
 266 }
 267
 268 void Service::processPolicyUpdate(MessageBuffer &buffer, MessageBuffer &send, uid_t uid, pid_t pid, const std::string &smackLabel)
 269 {
 270     int ret;
 271     std::vector<policy_entry> policyEntries;
 272
 273     Deserialization::Deserialize(buffer, policyEntries);
 274
 275     if (m_isSlave) {
 276         ret = MasterReq::PolicyUpdate(policyEntries, uid, pid, smackLabel);
 277     } else {
 278         ret = ServiceImpl::policyUpdate(policyEntries, uid, pid, smackLabel);
 279     }
 280     Serialization::Serialize(send, ret);
 281 }
 282
 283 void Service::processGetConfiguredPolicy(MessageBuffer &buffer, MessageBuffer &send, uid_t uid, pid_t pid, const std::string &smackLabel, bool forAdmin)
 284 {
 285     int ret;
 286     policy_entry filter;
 287     Deserialization::Deserialize(buffer, filter);
 288     std::vector<policy_entry> policyEntries;
 289
 290     if (m_isSlave) {
 291         ret = MasterReq::GetConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel, policyEntries);
 292     } else {
 293         ret = ServiceImpl::getConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel,
 294                                                policyEntries);
 295     }
 296
 297     Serialization::Serialize(send, ret);
 298     Serialization::Serialize(send, static_cast<int>(policyEntries.size()));
 299     for (const auto &policyEntry : policyEntries) {
 300         Serialization::Serialize(send, policyEntry);
 301     };
 302 }
 303
 304 void Service::processGetPolicy(MessageBuffer &buffer, MessageBuffer &send, uid_t uid, pid_t pid, const std::string &smackLabel)
 305 {
 306     int ret;
 307     policy_entry filter;
 308     Deserialization::Deserialize(buffer, filter);
 309     std::vector<policy_entry> policyEntries;
 310
 311     if (m_isSlave) {
 312         ret = MasterReq::GetPolicy(filter, uid, pid, smackLabel, policyEntries);
 313     } else {
 314         ret = ServiceImpl::getPolicy(filter, uid, pid, smackLabel, policyEntries);
 315     }
 316
 317     Serialization::Serialize(send, ret);
 318     Serialization::Serialize(send, static_cast<int>(policyEntries.size()));
 319     for (const auto &policyEntry : policyEntries) {
 320         Serialization::Serialize(send, policyEntry);
 321     };
 322 }
 323
 324 void Service::processPolicyGetDesc(MessageBuffer &send)
 325 {
 326     int ret;
 327     std::vector<std::string> descriptions;
 328
 329     if (m_isSlave) {
 330         ret = MasterReq::PolicyGetDesc(descriptions);
 331     } else {
 332         ret = ServiceImpl::policyGetDesc(descriptions);
 333     }
 334     Serialization::Serialize(send, ret);
 335     if (ret == SECURITY_MANAGER_API_SUCCESS) {
 336         Serialization::Serialize(send, static_cast<int>(descriptions.size()));
 337
 338         for(std::vector<std::string>::size_type i = 0; i != descriptions.size(); i++) {
 339             Serialization::Serialize(send, descriptions[i]);
 340         }
 341     }
 342 }
 343
 344 void Service::processPrivilegesMappings(MessageBuffer &recv, MessageBuffer &send)
 345 {
 346     std::vector<std::string> privileges;
 347     std::string version_from, version_to;
 348     Deserialization::Deserialize(recv, version_from);
 349     Deserialization::Deserialize(recv, version_to);
 350     Deserialization::Deserialize(recv, privileges);
 351
 352     std::vector<std::string> mappings;
 353     int ret = ServiceImpl::getPrivilegesMappings(version_from, version_to, privileges, mappings);
 354
 355     Serialization::Serialize(send, ret);
 356     Serialization::Serialize(send, mappings);
 357 }
 358
 359 void Service::processGroupsGet(MessageBuffer &send)
 360 {
 361     std::vector<std::string> groups;
 362     int ret = ServiceImpl::policyGetGroups(groups);
 363
 364     Serialization::Serialize(send, ret);
 365     if (ret == SECURITY_MANAGER_API_SUCCESS) {
 366         Serialization::Serialize(send, groups);
 367     }
 368 }
 369
 370 } // namespace SecurityManager