Lukasz Kostyra [Thu, 27 Nov 2014 16:14:08 +0000 (17:14 +0100)]
Implement master and slave mode
Final patch with master and slave mode implementation. Every container should
have its own privilege DB - slave will delegate calls to SMACK and to Cynara
Administrative Socket to master.
[Verification] Build, install, run tests on hosts - no changes should occur.
Run tests in containers:
* Run a container
* bind-mount /run/security-manager-master.socket and
/run/cynara/cynara.socket to container
* Run tests
Keep in mind, some might fail due to tests not being
container-aware.
Change-Id: Ibd1d884ad7dba6a15ebaa068c2c216a88562eb50
Rafal Krypa [Fri, 17 Apr 2015 09:17:02 +0000 (11:17 +0200)]
cynara: rewrite class using cynara async API for parallel processing
Cynara class method check() can now be called in parallel by multiple
threads. Each call blocks until it gets a response.
This is a first step toward making security-manager multi-threaded, for
processing multiple requests in parallel.
Cynara class remains a singleton for now, but eventually there will be
single instance constructed (and destructed) from the main thread and
called for checks from separate threads processing user requests.
Change-Id: Ie1f55b9610caf45dc0df06dbd713070d39ccac07
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Fri, 17 Apr 2015 09:18:32 +0000 (11:18 +0200)]
cynara: handle additional error codes from Cynara API
These error codes appeared in Cynara API after security-manager was
integrated with it.
Change-Id: Iba495040bd8bbb9a879a0fd27e880bb7547ed583
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Lukasz Kostyra [Mon, 17 Nov 2014 11:48:55 +0000 (12:48 +0100)]
Extract communication functions to common library
Since slave service will use the same functions as client library to send data,
these are extracted in this commit and will be used in the next change.
[Verification] Build, install, run tests.
Change-Id: I4b9e11015c657066657f493e87d68958283bb947
Rafal Krypa [Fri, 6 Feb 2015 17:25:11 +0000 (18:25 +0100)]
Prepare security-manager for master-slave mode
This commit prepares security-manager for work in master/slave mode.
In order to properly install/uninstall applications inside containers,
security-manager inside container (slave) must delegate calls related to
SMACK to security-manager outside a container (master).
Since entire master/slave mode is a huge change, it is divided into two
commits - this is the first one. Logic for master service and changes in
service to work as slave are left for second commit.
With this change security-manager launched without additional arguments should
work as it did.
Change-Id: If05cdeb2d2c35c046bf4cb46d884a3689dab57ad
Jacek Bukarewicz [Wed, 25 Mar 2015 10:44:33 +0000 (11:44 +0100)]
Release version 1.0.2
Change-Id: Ia46e9cf268fe0a7302066ee014e5d44c393fb587
Lukasz Wojciechowski [Wed, 25 Mar 2015 10:50:36 +0000 (11:50 +0100)]
Don't call Cynara if there are no policies to set
Change-Id: I3a25cbc0cdbf5ee4cb82890fbd40ea4e51b8a08d
Stephane Desneux [Wed, 25 Mar 2015 10:27:38 +0000 (11:27 +0100)]
Raise socket inactivity timeout to 300s
This is a quick workaround to installation problems on slow targets.
Bug-Tizen: TC-2483
Change-Id: I6515438e7fdc02ba6c6de6efba32cfcaaa030f7f
Signed-off-by: Stephane Desneux <stephane.desneux@open.eurogiciel.org>
Rafal Krypa [Fri, 20 Mar 2015 15:19:44 +0000 (16:19 +0100)]
Release version 1.0.1
Change-Id: Ied8852ec3ed3e8dc3ea3457a99ee4a9822349f55
Rafal Krypa [Thu, 19 Mar 2015 16:53:03 +0000 (17:53 +0100)]
Fix advisory locking in client library
Enhance off-line mode detection based on lock:
- don't use exceptions for non-exceptional code paths
- only attempt off-line mode if caller is root
Also fix misleading logs informing about lock failures (that doesn't
lead to actual security-mnanager failures) caused by lock attempt on a
lock file without proper permissions.
Change-Id: Ie7fca37154a1993cd46c59a0204837904593e5db
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Wed, 18 Mar 2015 10:27:47 +0000 (11:27 +0100)]
security-manager-policy: add missing dependencies on required tools
The policy loading script uses sqlite3 and tzplatform-get programs. The
package should depend on them.
Change-Id: I16d5b3b9d4914ba791a493305fbdf4a57c2f37a7
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Sebastian Grabowski [Tue, 16 Dec 2014 13:37:46 +0000 (14:37 +0100)]
Removed timeout for poll.
Security-server in many cases may need much more time than just 2s to
accomplish given client request. It seems to be reasonable to just
remove the timeout by changing it to be infinite.
Change-Id: Iae8074b3bb5bfa134fd6dc324907ad3bba6f3b9b
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
Jacek Bukarewicz [Wed, 11 Mar 2015 15:07:14 +0000 (16:07 +0100)]
Remove references to non-existing security-manager.target
Change-Id: I57a6d196be2d87b51d63c3226a40480e21e91e9f
Rafal Krypa [Fri, 6 Mar 2015 17:46:38 +0000 (18:46 +0100)]
Release version 1.0.0
Change-Id: I11bb09f16e150b4a95f7385084f3f8c08ce94790
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Tue, 10 Mar 2015 09:48:08 +0000 (10:48 +0100)]
Fix grant all privileges to programs with "User" and "System" Smack labels
Cynara rules for granting said policy was added to the wrong bucket.
Another bucket, with default "Deny" policy was shadowing them.
Adding the rules to the proper bucket now.
Change-Id: Iec6b3bd093e89c8b3629994681871c94f797187b
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Fri, 6 Mar 2015 17:52:20 +0000 (18:52 +0100)]
Drop workaround for all applications labeled with "User" label
Because every app used to have the same label, special fixes were needed for
app uninstallation not to break Smack policy for "User" label. Now with final
application labels this is no longer needed. Dropping the workaround.
Change-Id: I83d3df1499f8c0eb21d2c954c2fcba3283938a5e
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Fri, 6 Mar 2015 17:22:14 +0000 (18:22 +0100)]
Provide support for loading privilege-group mapping
A mapping file in policy/privilege-group.list will be contained in
security-manager-policy package. All mappings from that file will be loaded
during package installation by security-manager-policy-reload tool.
For development purposes it is also possible to modify the mapping file
on the image and re-run security-manager-policy-reload.
Change-Id: I9a7d5b16888de98013da281978e299c5b19750ce
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Thu, 5 Mar 2015 11:36:02 +0000 (12:36 +0100)]
Move template for application Smack rules to security-manager-policy
Change-Id: If323c8d8e8a930291d2db348e5a375711345707a
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Thu, 5 Mar 2015 11:46:04 +0000 (12:46 +0100)]
Grant all privileges to programs with "User" and "System" Smack labels
Now with application labels no longer hardcoded to "User", it's time to
work on actual policy enforcment in services. Platform components that are
not downloadabla applications will run with "User" and "System" labels (for
User and System domains). They should not be restricted by Cynara.
Change-Id: I62ea8295804f3ad04b1a538642d2098aab45cb48
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Tue, 17 Feb 2015 13:00:04 +0000 (14:00 +0100)]
Fix getting application groups
When fetching application groups, Cynara checks are made to verify whether
application actually has the privilege. Since recently, application identifier
in Cynara policy is appId-based. This function wasn't properly adapted to
that change and still used pkgId-based identifier. This would break after
introduction of proper Smack labels in security-manager.
Change-Id: Ifeed83b6ab9f920a2c0dc769d0d3de60887bdcd6
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Fri, 27 Feb 2015 16:37:22 +0000 (17:37 +0100)]
Generate distinct Smack labels for appId and pkgId
Stop hard-wiring Smack labels to "User".
Proper unique labels will be generated:
- "User::App::$appid" for appId
- "User::Pkg::$pkgid" for pkgId
Generated rules are also validated against Smack restrictions for labels.
This imposes the following limitations on appId and pkgId values:
- length up to 244 characters (255 minus prefix length)
- non-printable ASCII characters and space are not allowed
- other prohibited characters: slash, backslash, single quote, double quote
Change-Id: Ib60b1f6fae785919542b2e749bceabbea0b9a89b
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Mon, 2 Mar 2015 11:43:48 +0000 (12:43 +0100)]
Refactoring Smack-related code for exception-based error handling
Smack functions were incoherent with rest of security-manager with regard
to error handling. Functions and methods returned bool value to indicate
their success. This patch changes this schema to use exceptions for error
handling.
Change-Id: If4ec3cac6b63bb411b13a4eb8d9b553e7b5d1c86
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Mon, 16 Feb 2015 11:12:27 +0000 (12:12 +0100)]
fix dependencies against security-manager-policy
Make security-manager package depend on security-manager-policy to ensure that
policy configuration will be installed on the image.
Change-Id: I80f5671a4ba855b871ab63f06a707e1f1ea73b88
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Fri, 6 Feb 2015 16:52:35 +0000 (17:52 +0100)]
Use proper delete[] operator in security_manager_get_policy_internal
Freeing of array, previously allocated with new[], was incorrectly done by
delete operator.
Change-Id: Iec17c68ad9e6e42f199c0a3b4cb9dc6b65a1a5a1
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Zbigniew Jasinski [Mon, 2 Feb 2015 15:16:53 +0000 (16:16 +0100)]
New structure of application file paths
Application paths should be structures as:
<ROOT_APP>/<pkg_id>/<app_id>
where ROOT_APP should equlas to:
- TZ_USER_APP in single user's installation
- TZ_SYS_RW_APP in common/global installation
Change-Id: I4a407551d28401a2b94a80c34da690e0c91cfee7
Zbigniew Jasinski [Fri, 2 Jan 2015 10:36:40 +0000 (11:36 +0100)]
New path types for application installation in security-manager
security-manager now provides two path types:
- writable, accessible for writing to the app and all apps within its package
- readable, accessible to all apps for reading
Change-Id: I87a0dfbd4bc7b9e59d1ed97dc8332e7df20b139f
Michal Eljasiewicz [Sat, 31 Jan 2015 13:44:12 +0000 (14:44 +0100)]
Service backend implementation for getting policies levels
Change-Id: I58b7dff5b91dac5162477a3742398a04f4faebd6
Signed-off-by: Michal Eljasiewicz <m.eljasiewic@samsung.com>
Krzysztof Sasiak [Wed, 11 Feb 2015 11:37:05 +0000 (12:37 +0100)]
List policies: server side implementation
Change-Id: Ic771c46851a46847c007a06ecd65107465957bf8
Signed-off-by: Krzysztof Sasiak <k.sasiak@samsung.com>
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Sebastian Grabowski [Wed, 11 Feb 2015 08:31:28 +0000 (09:31 +0100)]
Changes in getters functions for security manager policy entries
In order to get rid of resources duplication strdup has been removed
from functions that get values from a struct policy_entry. So no longer
any additional free is required after using security_manager_policy_entry_get
family functions.
Change-Id: I8070dcd098f9049082da08cb4a640d70a127e5e1
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
Krzysztof Sasiak [Tue, 10 Feb 2015 08:28:33 +0000 (09:28 +0100)]
List all users registered in Cynara
Change-Id: I2b167b39106368ad1808739956bd55e444b3ab5a
Michal Eljasiewicz [Wed, 18 Feb 2015 12:57:27 +0000 (13:57 +0100)]
Fix to list policies descriptions lowest to highest
Change-Id: I8eaa21c94a64d882a0e9045ede18521e66b52651
Signed-off-by: Michal Eljasiewicz <m.eljasiewic@samsung.com>
Michal Eljasiewicz [Tue, 23 Dec 2014 12:43:48 +0000 (13:43 +0100)]
Wrapper for cynara_admin_check.
Asks Cynara for permission and allows to specify in
which policy bucket to start search.
Change-Id: I127057249437c8aa2c719e498239f8f0ef3f8ed9
Signed-off-by: Michal Eljasiewicz <m.eljasiewic@samsung.com>
Krzysztof Sasiak [Tue, 23 Dec 2014 14:53:09 +0000 (15:53 +0100)]
Policy update: server side implementation
Change-Id: I920cc940b541c21607dd836d1f426c1f622ffbb2
Signed-off-by: Krzysztof Sasiak <k.sasiak@samsung.com>
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Krzysztof Sasiak [Wed, 11 Feb 2015 10:28:03 +0000 (11:28 +0100)]
Elaborating documentation and some client fixes
Change-Id: I64101b26a185706f42b621e7c04512ace8141c76
Signed-off-by: Krzysztof Sasiak <k.sasiak@samsung.com>
Rafal Krypa [Fri, 6 Feb 2015 16:42:01 +0000 (17:42 +0100)]
Fix for API: added missing dereference operator in get_policy* functions
policy_entry is an incomplete type, hence the need of three dereference operators
Change-Id: Ib7489e6e0f03419784af01d1a1c4c823791815f7
Signed-off-by: Krzysztof Sasiak <k.sasiak@samsung.com>
Jan Cybulski [Sat, 31 Jan 2015 14:29:34 +0000 (15:29 +0100)]
Obtain smack label from socket during getting peer id by service
This will be needed to validate peer application's privileges in cynara
Change-Id: Id5c2dab311d3707a9c4cccf38623496bb5111826
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Rafal Krypa [Fri, 6 Feb 2015 11:05:19 +0000 (12:05 +0100)]
Fix build break on x86_64 introduced in commit
ed455f0c98
DPL has methods for deserializing int, but not long int. Changing size_t
to plain int.
Change-Id: If4d0e6c9d73e125f82a11f9ef0535f7e1968ca0d
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Michal Eljasiewicz [Mon, 26 Jan 2015 11:27:03 +0000 (12:27 +0100)]
Wrapper for cynara_admin_list_policies_descriptions
Change-Id: I6b07e4fb0b8e1395a3d867bcdecf1e79b3839772
Signed-off-by: Michal Eljasiewicz <m.eljasiewic@samsung.com>
Rafal Krypa [Fri, 9 Jan 2015 16:15:30 +0000 (17:15 +0100)]
Ignore errors in supplementary group setup during app launch preparation
Such errors might happen when launcher tries to launch an application that
wasn't properly setup by the installer before. This should be supported to
allow easier integration of security-manager into platform.
Ignoring these errors won't cause any privilege escalation. Actually it
might cause giving less privileges than necessary to the application.
Change-Id: Ib8ba02a28404a25c541ba6daede9f68c864583cc
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Fri, 9 Jan 2015 17:16:28 +0000 (18:16 +0100)]
Add missing rules for pkgId label
Commit
626f947e0b changed labeling scheme to be appId based and introduced
a new "~PKG~" template in the rules file. But the actual rules were not
included in the template file.
Change-Id: Idd5ababfb5b484811b75f2f764f6f7d77a77da1f
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Wed, 4 Feb 2015 16:58:14 +0000 (17:58 +0100)]
Before running client in off-line mode, attempt to socket-activate the server
Security-manager is started by systemd on socket-activation basis. This
means that it won't start unless a client connects to its socket. But
client library attempts to detect off-line mode by checking whether the
service is already running. This leads to erroneous off-line runs when in
fact a message should be sent over socket to activate the service.
This change adds one more step to off-line mode detection. When the service
isn't running, client will send a special NOOP message over socket.
If systemd manages to activate security-manager service, normal on-line
operation is then performed.
Change-Id: I94b1b10af24e3b90d048fe1b96b8d870da785d8b
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Tue, 27 Jan 2015 15:28:48 +0000 (16:28 +0100)]
Refactor off-line mode detection in client library
Extract the detection into separate class for easy re-use in client library.
The detection method will get additional logic soon, so having it in one
place will be useful.
Change-Id: I561b582eb044bf8f6aa71f090d790c00b7bb3273
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Tue, 27 Jan 2015 11:09:14 +0000 (12:09 +0100)]
Don't start the service on system boot, rely on socket activation
Security-manager doesn't need to be started immediately on system boot.
Systemd socket activation is already in place for lazy startup. Also previous
configuration wrongly started security-manager.target, which caused the
service to be launched without sockets passed from systemd.
Change-Id: I7bff7b58a4e016119e651edfefb85a2335b8b31f
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Krzysztof Sasiak [Sat, 31 Jan 2015 11:25:19 +0000 (12:25 +0100)]
Implementation of client stubs for updating and fetching policy
Change-Id: I75089fb79488a1660f2270a7140ffc00778e7b7c
Michal Eljasiewicz [Mon, 2 Feb 2015 14:52:40 +0000 (15:52 +0100)]
API stub for getting policy levels as strings
Change-Id: I140d2d05763974d0400825220e422984bf1cde55
Signed-off-by: Michal Eljasiewicz <m.eljasiewic@samsung.com>
Krzysztof Sasiak [Sat, 31 Jan 2015 10:11:18 +0000 (11:11 +0100)]
Add API stub for getting policy entries
Change-Id: I4eaa9642b81d6524038ec18bcfe7ad55dc61b697
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Signed-off-by: Krzysztof Sasiak <k.sasiak@samsung.com>
Jan Cybulski [Sat, 31 Jan 2015 09:38:33 +0000 (10:38 +0100)]
Add API stub for setting policies
Change-Id: I56ccafe0432c44e7f5f97abd9f1aa29ff76e4c47
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Rafal Krypa [Tue, 27 Jan 2015 11:06:44 +0000 (12:06 +0100)]
Terminate service if it cannot setup its sockets
Currently even if the server cannot listen on a socket it will continue
running. There is no point in that, when no client will be able to connect.
Change-Id: I74ad5a9fddee1072f7642c036a088805f53caa11
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Marcin Lis [Fri, 19 Dec 2014 21:51:44 +0000 (22:51 +0100)]
Change "operation" argument type in CynaraAdminPolicy constructor
This change is needed in for policy updates. We need to support wide spectrum
of results, starting from DENY (0) to ALLOW (0xFFFF). SM should not be limited
to few enum class literals.
Change-Id: I1e8d26893120309f6d6276da4bb5e146936a7e59
Signed-off-by: Marcin Lis <m.lis@samsung.com>
Sebastian Grabowski [Tue, 13 Jan 2015 12:16:23 +0000 (13:16 +0100)]
Doc: correct misleading description of functions in service_impl.h
Change-Id: I3a870ca7bb9d8c52dc49a202290950ef4a4356ba
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
Rafal Krypa [Tue, 27 Jan 2015 10:58:01 +0000 (11:58 +0100)]
Require socket to be passed by systemd, don't create it on our own
Socket configuration, including path, ownership, DAC and Smack configuration
is handled by systemd socket file. There is no point in duplicating that
in the code as the service will always be run by systemd anyway.
Existing socket configuration was also wrong and different from what systemd
had.
Change-Id: I4131ecf4cd0d886aec57a932c6540f10da9785a3
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Jan Cybulski [Thu, 29 Jan 2015 14:36:09 +0000 (15:36 +0100)]
Remove cynara entries regarding removed user
Change-Id: I807f4b5ebf76b29b5a9049a9a6bbfd51056d6697
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Krzysztof Sasiak [Fri, 19 Dec 2014 14:37:33 +0000 (15:37 +0100)]
Add EmptyBucket convenience method to CynaraAdmin class.
Change-Id: Ia050336fb69d669488601a18211775b9136d8070
Signed-off-by: Krzysztof Sasiak <k.sasiak@samsung.com>
Michal Eljasiewicz [Thu, 11 Dec 2014 07:47:43 +0000 (08:47 +0100)]
Add wrapper in CynaraAdmin for Cynara listing policies.
Change-Id: I7f8a81e6479a26446b91ac745b7b5df28ab78675
Signed-off-by: Michal Eljasiewicz <m.eljasiewic@samsung.com>
Jan Cybulski [Fri, 23 Jan 2015 12:02:57 +0000 (13:02 +0100)]
Change security-manager-command exception schema
Stop using try-catch template from DPL.
There is no need to make a coredump everytime an unexpected exception is thrown.
Use only one try-catch block for all exceptions thrown during parsing options.
Change-Id: I4faa2ad5ff7aa66c61c8830c7e1a43d03e7d9e8e
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Jan Cybulski [Fri, 23 Jan 2015 11:22:23 +0000 (12:22 +0100)]
fix: unbreak --install option caused by wrong --manage-users parameter
--manage-users option is not required.
Change-Id: I523a11ddc0e4925059b7759c009d8f9c129f3ae9
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Michal Eljasiewicz [Mon, 22 Dec 2014 13:33:13 +0000 (14:33 +0100)]
Add default policy for user when creating it.
Change-Id: Ifc2896aa413ec7c003136a5886f7aad84c0c8f00
Signed-off-by: Michal Eljasiewicz <m.eljasiewic@samsung.com>
Sebastian Grabowski [Tue, 23 Dec 2014 14:39:17 +0000 (15:39 +0100)]
Fix assertion about not clearing DataCommands objects
The following assertion occurs during exiting security-manager
when any command was executed on security-manager db:
"Condition: m_dataCommandsCount == 0 All stored procedures must be
deleted before disconnecting SqlConnection"
It was caused by not clearing list of DataCommands before destroying db
SqlConnection.
Change-Id: If2151dfc38df23ce9af00a47ac0d7939c13adaa1
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
Michal Eljasiewicz [Mon, 5 Jan 2015 14:17:20 +0000 (15:17 +0100)]
Add app permissions to MANIFESTS bucket instead of default.
Change-Id: Ic19078c83c7075717c3d6b3c10c8883944519e5f
Signed-off-by: Michal Eljasiewicz <m.eljasiewic@samsung.com>
Rafal Krypa [Thu, 22 Jan 2015 10:28:49 +0000 (11:28 +0100)]
Add tool for initialization of Cynara policy structure
Program security-manager-policy-reload will (re)initialize Cynara buckets
structure and static bucket contents for user types.
Run this program from %post script of security-manager-policy to initialize
Cynara policy during installation.
Change-Id: Ibe78b9d969ff91dcf96b4805fff5884ddb3157f6
Marcin Lis [Wed, 17 Dec 2014 14:31:12 +0000 (15:31 +0100)]
Packaging: Use "_datadir" rpm macro instead of hardcoded paths
Change-Id: I18c7039f0fbae06fd3f796088553d02b558c766e
Signed-off-by: Marcin Lis <m.lis@samsung.com>
Michal Eljasiewicz [Fri, 19 Dec 2014 08:54:49 +0000 (09:54 +0100)]
Define Cynara buckets inside CynaraAdmin class
Change-Id: I4380aa94f04c728ab4467264db5d1c12e0aaff60
Signed-off-by: Michal Eljasiewicz <m.eljasiewic@samsung.com>
Rafal Krypa [Tue, 20 Jan 2015 18:46:33 +0000 (19:46 +0100)]
Convert static method CynaraAdmin::SetPolicies back to normal
Now that CynaraAdmin is a singleton class, it's methods should be called
from the singleton instance.
Change-Id: I9db11c516d2c92cb5994ebb9605d0d5f1789cead
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Jan Cybulski [Wed, 17 Dec 2014 08:53:19 +0000 (09:53 +0100)]
Add offline mode to security_manager_user_add
There must be an offline mode for registering user
for sake of adding users during image creation time.
Change-Id: I295a207c52cfb34fc1464cd1a1214118c1eb3dd7
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Jan Cybulski [Tue, 20 Jan 2015 08:14:13 +0000 (09:14 +0100)]
Register gumd hook for adding and removing user
Change-Id: If0f68053e16faa5d16c62dcfa5aa6bd606d1b9ca
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Jan Cybulski [Mon, 29 Dec 2014 10:57:47 +0000 (11:57 +0100)]
Add cmd tool option for user management in security manager
Change-Id: I88170be340ea095ea9f76b74b4fc02af021bd29f
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
José Bollo [Thu, 8 Jan 2015 09:33:52 +0000 (10:33 +0100)]
Improved rules within user directories
Applying proposal of Rafal Krypa made during F2F meeting of
september 2014 in Vannes.
Change-Id: I1e40e5bff16c024c4d93d2abcf508c815a237234
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
Roman, Kubiak [Wed, 26 Nov 2014 12:43:15 +0000 (04:43 -0800)]
Change smack labeling to be appId based.
* Generation of rules for all applications in a package so
that they can share resources
* Smack labels are now appId based (appId refers to app_name
in the database)
Change-Id: I464ca4b1a4558a0579b9da69b5b599d07340a60d
Lukasz Kostyra [Wed, 26 Nov 2014 09:49:33 +0000 (10:49 +0100)]
Extract BaseService from Service class
BaseService will be a base class for SM services, eg. a master service coming
up in next patches.
[Verification] Build, install, run tests.
Change-Id: Ie55d1b22c8887ee605e16b86adee75cfffdbe147
Sebastian Grabowski [Wed, 10 Dec 2014 16:18:35 +0000 (17:18 +0100)]
Fix includes in cynara.
Inlcuding <vector> is required in cynara header file. Otherwise, when
including cynara.h in other parts of code there may be a need for
additional vector include.
Change-Id: I1f251daa4f825d6072b720244d040c3bab174359
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
Krzysztof Sasiak [Thu, 27 Nov 2014 10:02:44 +0000 (11:02 +0100)]
Add security-manager policy for user types
Change-Id: I1c5ea026fe3b69ec0d2ba1338ded1033ad5db6b2
Jan Cybulski [Thu, 27 Nov 2014 07:28:53 +0000 (08:28 +0100)]
Implementation of API for user management
Change-Id: Ib2cb08e1c466bc93775f8efe32dccd118ef095ad
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Jan Cybulski [Wed, 10 Dec 2014 06:58:03 +0000 (07:58 +0100)]
Add API for user management
Change-Id: I429dfa82b7cb669713b357ebe50d0b599ad8ebed
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Rafal Krypa [Tue, 9 Dec 2014 12:29:08 +0000 (13:29 +0100)]
PrivilegeDb: introduce convenient private method for fetching prepared query
Create an internal method for repeating code pattern fetching the prepared
query from internal data structure and resetting it before use.
Change-Id: I346e5a0790d869632181737b52d6d5ba78da79c3
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Bartlomiej Grzelewski [Wed, 9 Jul 2014 12:59:56 +0000 (14:59 +0200)]
Fix minor errors in code.
* m_maxDesc was used without initialization.
* client-common module passed wrong value to poll if
connect returns EINPROGRESS (was POLLIN, should be POLLOUT)
Change backported from security-server repository.
Change-Id: I4df6d67ff2214bd0ad857744a2c82bff5e7be299
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Mon, 8 Dec 2014 14:39:54 +0000 (15:39 +0100)]
Server code no longer needs to include cynara and privilege-db headers
Dependant code has been recently moved to common library.
Change-Id: I5ae4a6a3ed43e00f5cf0e301ee33107844d36664
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Mon, 8 Dec 2014 14:30:07 +0000 (15:30 +0100)]
Move database schema into a more convenient location
Change-Id: I7444211fd43be873d62c423ccd32fac65e40773e
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Jan Cybulski [Wed, 3 Dec 2014 11:18:04 +0000 (12:18 +0100)]
Fix: disallow installing apps with the same id in different packages
Change-Id: I04fca4edcd265e2853a9ce146e6dcc95d1f92dc9
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Marcin Lis [Thu, 27 Nov 2014 13:06:08 +0000 (14:06 +0100)]
Prepare database queries during PrivilegeDb singleton init
Avoid too many sqlite3_prepare_v2 calls, which take many cpu cycles to complete.
SQLite statements may be prepared once when DB object is created.
Change-Id: I99e4fd3fea63fd61396c9f7b2c3b13539f312d48
Signed-off-by: Marcin Lis <m.lis@samsung.com>
Sebastian Grabowski [Mon, 1 Dec 2014 15:26:56 +0000 (16:26 +0100)]
Added security_manager_strerror function.
This function translates lib_retcode(s) to a string describing given
error that occured in security-manager.
Change-Id: Ied57ff8c27a972123b28714ebc25efe143c6d64c
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
Sebastian Grabowski [Mon, 27 Oct 2014 13:22:02 +0000 (14:22 +0100)]
Added security-manager-cmd application.
The purpose of this application is to have an offline tool that will do
some commands in offline mode i.e.: when security-manager service cannot
be run.
For now, only install command is supported which should be the
equivalent of security_manager_app_install function.
Change-Id: Ia9ef60b1a335650fea90c02e5fdd76ac48030f84
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
Jan Cybulski [Mon, 24 Nov 2014 14:44:18 +0000 (15:44 +0100)]
Database access function obtaining apps of a certain user
This will be used during user removal in security-manager.
Change-Id: I524c9bf2da936054b7c1b597d7e4eaf879872912
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Sebastian Grabowski [Wed, 5 Nov 2014 11:27:23 +0000 (12:27 +0100)]
Added support for offline applications installations mode
Added support for offline mode in AppInstall function.
Moreover, security_manager_app_install will now check if it can get
a file lock on /run/lock/security-manager.lock. If it can it will do
installation request in offline mode. Otherwise, it will send
installation request to security-manager service.
Change-Id: Ie8b8f98b1fa0d3021ae76ee7aa4e7416e3ed73b9
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
Sebastian Grabowski [Thu, 27 Nov 2014 15:15:23 +0000 (16:15 +0100)]
Typo fixes in installRequestAuthCheck
Changed 'paramter' to 'parameter' in installRequestAuthCheck function.
Change-Id: Iba5e3f6c3388c9faea8a326b7bf8e1b4ba48b0fa
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
Rafal Krypa [Fri, 21 Nov 2014 10:55:07 +0000 (11:55 +0100)]
Split service implementation logic away from the Service class
The code implementing logic of Service methods is now available as separate
functions. They will be available to both Service class and to the upcoming
offline client implementation.
Change-Id: Ib86af8c0f28dd7a1333e67ad0f2a4c968ff181cf
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Thu, 20 Nov 2014 23:45:05 +0000 (00:45 +0100)]
Convert Cynara, CynaraAdmin and PrivilegeDb classes into singletons
These classes are now used by the Service class to perform operations
requested by clients. But they will be also needed by offline client
implementation. Having them as private members of the Service class is no
longer feasible.
To keep their usage simple and available to the client as well, they are
now used as singletons.
Change-Id: I900a368ea14fbe61179c712b6e891f213ca61c5e
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Sebastian Grabowski [Wed, 5 Nov 2014 11:34:18 +0000 (12:34 +0100)]
Use file lock in security-manager
This change makes that security-manager checks this file lock:
/run/lock/security-manager.lock.
Change-Id: If7032089fb70eda80b0d89b649678a5af7061bf4
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
Sebastian Grabowski [Mon, 27 Oct 2014 11:16:24 +0000 (12:16 +0100)]
Added FileLocker class
Initial version of file locking class for use in upcoming offline mode.
Change-Id: I4acd73ba56d09393bd138da94559b2be18e2cc3b
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
Sebastian Grabowski [Mon, 27 Oct 2014 10:55:33 +0000 (11:55 +0100)]
Added security_manager_app_inst_req_set_uid function
Added uid field to app_inst_req structure.
Change-Id: Ida0204549bb4818bcd401b5d62c7e13f7dbc04b2
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
Rafal Krypa [Tue, 18 Nov 2014 16:58:08 +0000 (17:58 +0100)]
Release version 0.2.0
Also fill the changelog for two previous releases.
Change-Id: I590dfd6bc302b26a0aaf2afa8b6fd1addae8194d
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Jan Cybulski [Tue, 18 Nov 2014 08:29:13 +0000 (09:29 +0100)]
Fix checking for privileges during obtaining group
Privileges of apps installed for all users also needs to be taken into account.
Change-Id: I1d31a27dc0b718f46b26d654c518d8071bbe4cfb
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Jan Cybulski [Tue, 18 Nov 2014 08:16:51 +0000 (09:16 +0100)]
Sanitize handling of global application user.
Remove inconsistency with treating both root and tizenglobalapp as global
users. For both cases uid of user TZ_SYS_GLOBALAPP_USER will be saved
in the data base to distinguish globally installed applications.
The whole code for handling global user was refactored by the way.
Change-Id: I5764e1f9675ebf3bb9091ede4fef724d053fed8d
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Sebastian Grabowski [Mon, 27 Oct 2014 09:47:05 +0000 (10:47 +0100)]
Move some modules to common library
There are modules for handling smack, cynara, privilege db that were
grouped in server code. However, there are upcoming changes (for offline
mode) that will require these modules to be used also i.e. by client
code. Thus it would be better to have these modules in common library.
Change-Id: Ifddd037a159dc142077290c09b7e05da98ce46e5
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
Janusz Kozerski [Mon, 27 Oct 2014 14:19:56 +0000 (15:19 +0100)]
Don't remove "User" Smack rules on application uninstall
Temporary fix.
After app uninstall and remove app rules, all rules from
files in accesses.d directory are re-loaded.
Change-Id: I7786a356108d17ed948abbc615f22286b251c0b3
Signed-off-by: Janusz Kozerski <j.kozerski@gmail.com>
Krzysztof Sasiak [Mon, 13 Oct 2014 14:55:00 +0000 (16:55 +0200)]
Use group names instead of group ids (gid)
Database will now contain group names instead of group ids.
Change-Id: I67dc5cf9e853b9b1ca56eeea1c006ce194f1530d
José Bollo [Wed, 3 Sep 2014 11:26:58 +0000 (13:26 +0200)]
Removal of xattr "security.TIZEN_EXEC_LABEL"
This attribute is a duplication of the SMACKEXEC
mechanism for the links. This duplication is
complicating the security mechanisms that have
to remain simple to be applied and supported
efficiently. The SMACKEXEC mechanism is the only
required mechanism. For the other uses, the function
security_manager_set_process_label_from_appid is
enough.
Change-Id: Ic831547a318942af5603a3609b87f52577109479
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
Rafal Krypa [Tue, 23 Sep 2014 18:08:36 +0000 (20:08 +0200)]
Introduce convenience function for setting application security.
There are already three security-manager functions that a launcher should
call before launching the application. In the common case they will just
be called in sequence.
Provide an API function that handles all aspects for application process
preparation: set the Smack label, set additional groups and drop
capabilities.
Change-Id: I5c8346c5f834f8a4fb106169866de42578265da8
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Fri, 19 Sep 2014 17:36:14 +0000 (19:36 +0200)]
When setting process Smack label, fix labels of socket file descriptors
File descriptors for sockets get Smack labels when sockets are created.
But if Smack labels is changed for a process with open socket descriptors,
those descriptors keep the old Smack label. This should not happen during
application launch, because launched application could be identified as
a non-app user process.
To avoid this, all open file descriptors which happen to be sockets will
be relabeled inside security_manager_set_process_label_* functions.
Change-Id: I209a7a15edef7a2c20a9a4a00806a5d3876fb9e0
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Tue, 23 Sep 2014 18:08:16 +0000 (20:08 +0200)]
Provide a function for launchers for dropping process capabilities
The functions for launchers, manipulating process Smack label and groups,
require elevated privileges. Since they will be called by launcher after
fork, in the process for the application, privileges should be dropped
before running an actual application.
This patch introduces a convenience function for launchers for dropping
capabilities from a process: security_manager_drop_process_privileges.
Change-Id: Iff06554bdcf2d51d0163e4dcb83ea9b976896740
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
José Bollo [Tue, 2 Sep 2014 13:11:55 +0000 (15:11 +0200)]
Improvement of tagging directories.
The directories are visited two times: in pre-order
and post-order. Here to avoid tagging at both times
we choose to simply tag in post-order (that is for
simplicity of the code.
Change-Id: I866481471d433036ca371035c74e583b3a9dcfda
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
projects / platform / core / security / security-manager.git / log