Add #ifdef SMACK_ENABLED to private code.
authorBartlomiej Grzelewski <b.grzelewski@samsung.com>
Mon, 27 Jan 2014 16:40:05 +0000 (17:40 +0100)
committerBartlomiej Grzelewski <b.grzelewski@samsung.com>
Thu, 6 Feb 2014 16:07:05 +0000 (17:07 +0100)
With this define commented out, every security-server API
should behave as if SMACK reported no errors and
allowed everything.

[Issue#]   SSDWSSP-206 & SSDWSSP-221
[Bug]      N/A
[Cause]    SS should work without SMACK enabled.
[Solution] As mentioned above.

[Verification] Build with and without ADD_DEFINITIONS( -DSMACK_ENABLED ).
1. SMACK enabled system.
1.1 -DSMACK_ENABLED on: SS tests should not fail
1.2 -DSMACK_ENABLED off: Following SS tests should fail:
 -client-smack:
  -tc04_security_server_get_gid_client_is_not_allowed
  -tc05_check_privilege_by_cookie
  -tc06_check_privilege_by_sockfd
  -tc07_check_privilege_by_sockfd
 -label:
  -tc_security_server_get_smacklabel_cookie
 -server:
  -tc01a_security_server_app_give_access
  -tc02_check_privilege_by_pid
 There should be no missing SMACK rules for security server sockets in dmesg

2. SMACK disabled system. Same results for -DSMACK_ENABLED on and off. Beside tests
failing in 1.2 all test cases using smack_accesses_apply and smack_have_access will also fail.

Change-Id: Ia1074d9da4a07e3a60878030b9b8fc3760340c73

CMakeLists.txt
src/server/security-server-cookie.c
src/server/security-server-main.c

index 692e069..c970c45 100644 (file)
@@ -54,10 +54,7 @@ ADD_DEFINITIONS("-Wextra")                      # Generate even more extra warni
 
 STRING(REGEX MATCH "([^.]*)" API_VERSION "${VERSION}")
 ADD_DEFINITIONS("-DAPI_VERSION=\"$(API_VERSION)\"")
-OPTION(SMACK "Enable smack support" ON)
-IF(SMACK)
-       ADD_DEFINITIONS( -DSMACK_ENABLED )
-ENDIF(SMACK)
+ADD_DEFINITIONS( -DSMACK_ENABLED )
 
 SET(TARGET_SECURITY_SERVER "security-server")
 SET(TARGET_SECURITY_CLIENT "security-server-client")
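Review bot: With `OPTION(SMACK ...)` removed, the only way to build without SMACK is to edit the `ADD_DEFINITIONS( -DSMACK_ENABLED )` line by hand, and nothing in the configure output records that choice. The commit message describes that build as one where SMACK "allowed for everything", so it should not be reachable silently. Consider keeping the cache option and announcing the weaker mode at configure time, e.g. `IF(NOT SMACK)` / `MESSAGE(WARNING "security-server built without SMACK enforcement")` / `ENDIF()`. At minimum, add a comment above the define stating that removing it disables label checks.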
index a1ffbfd..6c29bda 100644 (file)
@@ -278,7 +278,7 @@ cookie_list *search_cookie_new(const cookie_list *c_list,
         if(memcmp(current->cookie, cookie, SECURITY_SERVER_COOKIE_LEN) == 0)
         {
             SEC_SVR_DBG("%s", "cookie has been found");
-            if (smack_runtime_check())
+            if (smack_check())
             {
                 ret = smack_have_access(current->smack_label, object, access_rights);
                 SEC_SVR_DBG("SMACK have access returned %d", ret);
@@ -477,13 +477,17 @@ out_of_while:
     if(added == NULL)
         goto error;
 
-    ret = generate_random_cookie(added->cookie, SECURITY_SERVER_COOKIE_LEN);
-    if(ret != SECURITY_SERVER_SUCCESS)
+    /* Check SMACK label */
+    if (smack_check())
     {
-        SEC_SVR_DBG("Error on making random cookie: %d", ret);
-        free(added);
-        added = NULL;
-        goto error;
+        ret = smack_new_label_from_socket(sockfd, &smack_label);
+        if (ret != 0)
+               {
+                       SEC_SVR_DBG("Error checking peer label: %d", ret);
+                       free(added);
+                       added = NULL;
+                       goto error;
+               }
     }
 
     /* Check SMACK label */
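Review bot: The call to `generate_random_cookie()` and its error check are removed here and nothing in the visible lines restores them, so unless the call was moved further down (the function continues outside this hunk) `added->cookie` is never filled with random bytes. Please confirm the cookie is still generated before `added` is linked into the list. When `smack_check()` is false, `smack_label` is never assigned in this hunk, so its declaration must initialise it to `NULL` for later uses and any `free()` to be safe. The comment `/* Check SMACK label */` now appears twice on the new side, so one copy is probably stale, and the new inner block is tab-indented while the surrounding code uses spaces.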
index f15c11d..689b0db 100644 (file)
@@ -1112,12 +1112,15 @@ int client_has_access(int sockfd, const char *object) {
     char *label = NULL;
     int ret = 0;
 
-    if(smack_new_label_from_socket(sockfd, &label))
-        return 0;
+    if (smack_check())
+    {
 
-    if (0 >= (ret = smack_have_access(label, object, "rw")))
-        ret = 0;
+        if(smack_new_label_from_socket(sockfd, &label))
+            return 0;
 
+        if (0 >= (ret = smack_have_access(label, object, "rw")))
+            ret = 0;
+    }
     free(label);
     return ret;
 }
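Review bot: When `smack_check()` is false, `client_has_access()` now returns the initial `ret = 0`, which callers presumably read as "no access", while the commit message says the API should behave as if SMACK allowed everything. Whichever result is intended, state it explicitly rather than leaving it to the initialiser, for example an early `if (!smack_check()) return <intended result>;` with a comment giving the reason. That keeps a later edit to `ret`'s initial value from silently changing the authorization outcome.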
@@ -1483,14 +1486,16 @@ int process_app_get_access_request(int sockfd, size_t msg_len)
     memcpy(&client_pid, message_buffer, sizeof(int));
     client_label = message_buffer + sizeof(int);
 
-    if (0 != smack_new_label_from_socket(sockfd, &provider_label)) {
-        SEC_SVR_DBG("%s", "Error in smack_new_label_from_socket");
-        goto error;
-    }
+    if (smack_check()) {
+        if (0 != smack_new_label_from_socket(sockfd, &provider_label)) {
+            SEC_SVR_DBG("%s", "Error in smack_new_label_from_socket");
+            goto error;
+        }
 
-    if (PC_OPERATION_SUCCESS != app_give_access(client_label, provider_label, "rwxat")) {
-        SEC_SVR_DBG("%s", "Error in app_give_access");
-        goto error;
+        if (PC_OPERATION_SUCCESS != app_give_access(client_label, provider_label, "rwxat")) {
+            SEC_SVR_DBG("%s", "Error in app_give_access");
+            goto error;
+        }
     }
 
     ret = SECURITY_SERVER_SUCCESS;
@@ -1502,8 +1507,10 @@ int process_app_get_access_request(int sockfd, size_t msg_len)
         goto error;
     }
 
-    if (0 != rules_revoker_add(client_pid, client_label, provider_label))
-        SEC_SVR_DBG("%s", "Error in rules_revoker_add.");
+    if (smack_check()) {
+        if (0 != rules_revoker_add(client_pid, client_label, provider_label))
+            SEC_SVR_DBG("%s", "Error in rules_revoker_add.");
+    }
 
 error:
     retval = send_generic_response(sockfd, send_message_id, send_error_id);
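Review bot: A failure of `rules_revoker_add()` is still only logged through `SEC_SVR_DBG`, and `ret` was already set to `SECURITY_SERVER_SUCCESS` in the previous hunk. The `rwxat` rule granted by `app_give_access()` would then presumably stay in place with nothing registered to revoke it when the client exits. Consider treating this as a failure of the request (set the error id and `goto error`), or at least logging it at error level so a lingering rule can be traced. The function starts and ends outside this hunk, so any compensating cleanup elsewhere is not visible here.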
@@ -1527,18 +1534,24 @@ int main(int argc, char* argv[])
 {
     int res;
     pthread_t main_thread;
-    pthread_t system_observer;
 
     (void)argc;
     (void)argv;
 
-    system_observer_config so_config;
-    so_config.event_callback = rules_revoker_callback;
+    // create observer thread only if smack is enabled
+    if (smack_check()) {
+        pthread_t system_observer;
+        system_observer_config so_config;
+        so_config.event_callback = rules_revoker_callback;
 
-    res = pthread_create(&system_observer, NULL, system_observer_main_thread, (void*)&so_config);
+        res = pthread_create(&system_observer, NULL, system_observer_main_thread, (void*)&so_config);
 
-    if (res != 0)
-        return -1;
+        if (res != 0)
+            return -1;
+    }
+    else {
+        SEC_SVR_DBG("SMACK is not available. Observer thread disabled.");
+    }
 
     res = pthread_create(&main_thread, NULL, security_server_main_thread, NULL);
     if (res == 0)
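Review bot: `so_config` is now declared inside the `if (smack_check())` block but its address is passed to `pthread_create()`, so its lifetime ends at the closing brace while `system_observer_main_thread` may still be reading it. Keep the declaration at function scope as before, or make it `static system_observer_config so_config;`, so the pointer stays valid for the thread. The new `SEC_SVR_DBG("SMACK is not available. Observer thread disabled.")` also passes the message as the format string, unlike the `SEC_SVR_DBG("%s", "...")` form used in the other hunks. `main()` continues past the end of this hunk.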