From da192b1fe01291030ffda93136701893e2dc3bdd Mon Sep 17 00:00:00 2001 From: "yoonki.park" Date: Thu, 9 May 2013 23:14:02 +0900 Subject: [PATCH] apply sdbd smack rule Change-Id: I8d8358aee50e8a234e2ca72e3fcbcc9c42189ec5 Signed-off-by: yoonki.park --- packaging/sdbd.spec | 2 +- sdbd.manifest | 23 +++++++++++++++++- src/sdb.c | 2 +- src/sdb.h | 1 + src/sdktools.c | 67 ++++++++++++++++++++++++++++++++++++----------------- src/sdktools.h | 6 +++-- 6 files changed, 75 insertions(+), 26 deletions(-) diff --git a/packaging/sdbd.spec b/packaging/sdbd.spec index 4235639..d0e982b 100644 --- a/packaging/sdbd.spec +++ b/packaging/sdbd.spec @@ -1,7 +1,7 @@ Name: sdbd Summary: SDB daemon Version: 2.1.2 -Release: 1 +Release: 2 Group: TO_BE/FILLED_IN License: TO BE FILLED IN Source0: %{name}-%{version}.tar.gz diff --git a/sdbd.manifest b/sdbd.manifest index 86dbb26..6a16a4f 100644 --- a/sdbd.manifest +++ b/sdbd.manifest @@ -1,5 +1,26 @@ + + + + + + + + + + + + + + + + + + + + - + diff --git a/src/sdb.c b/src/sdb.c index 5634d55..c0cb732 100644 --- a/src/sdb.c +++ b/src/sdb.c @@ -985,7 +985,7 @@ int should_drop_privileges() { } int set_developer_privileges() { - gid_t groups[] = { SID_DEVELOPER, SID_APP_LOGGING, SID_SYS_LOGGING }; + gid_t groups[] = { SID_DEVELOPER, SID_APP_LOGGING, SID_SYS_LOGGING, SID_INPUT }; if (setgroups(sizeof(groups) / sizeof(groups[0]), groups) != 0) { fprintf(stderr, "set groups failed (errno: %d, %s)\n", errno, strerror(errno)); //exit(1); diff --git a/src/sdb.h b/src/sdb.h index 41ce734..99e05f3 100644 --- a/src/sdb.h +++ b/src/sdb.h @@ -330,6 +330,7 @@ int rootshell_mode;// 0: developer, 1: root #define SID_DEVELOPER 5100 /* developer with SDK */ #define SID_APP_LOGGING 6509 #define SID_SYS_LOGGING 6527 +#define SID_INPUT 1004 #endif diff --git a/src/sdktools.c b/src/sdktools.c index b5f71b8..3e7bb29 100644 --- a/src/sdktools.c +++ b/src/sdktools.c @@ -20,14 +20,14 @@ struct sudo_command root_commands[] = { /* 0 */ {"killall", "/usr/bin/killall"}, - /* 1 */ {"pkgcmd", "/usr/bin/pkgcmd"}, - /* 2 */ {"launch_app", "/usr/bin/launch_app"}, - /* 3 */ {"dlogutil", "/usr/bin/dlogutil"}, + /* 1 */ //{"pkgcmd", "/usr/bin/pkgcmd"}, + /* 2 */ //{"launch_app", "/usr/bin/launch_app"}, + /* 3 */ //{"dlogutil", "/usr/bin/dlogutil"}, /* 4 */ {"zypper", "/usr/bin/zypper"}, - /* 5 */ {"pkginfo", "/usr/bin/pkginfo"}, + /* 5 */ //{"pkginfo", "/usr/bin/pkginfo"}, /* 6 */ {"da_command", "/usr/bin/da_command"}, /* 7 */ {"oprofile", "/usr/bin/oprofile_command"}, - /* 8 */ {"wrt-launcher", "/usr/bin/wrt-launcher"}, + /* 8 */ //{"wrt-launcher", "/usr/bin/wrt-launcher"}, /* end */ {NULL, NULL} }; @@ -139,12 +139,10 @@ int verify_root_commands(const char *arg1) { } int verify_app_path(const char* path) { - char buf[PATH_MAX]; - snprintf(buf, sizeof buf, "^((%s)|(%s))/[a-zA-Z0-9]{%d}/bin/[a-zA-Z0-9_\\-]{1,}(\\.exe)?$", APP_INSTALL_PATH_PREFIX1, APP_INSTALL_PATH_PREFIX2, 10); - int reg_cmp = regcmp(buf, path); - return reg_cmp; + snprintf(buf, sizeof buf, "^((%s)|(%s))/[a-zA-Z0-9]{%d}/bin/[a-zA-Z0-9_\\-]{1,}(\\.exe)?$", APP_INSTALL_PATH_PREFIX1, APP_INSTALL_PATH_PREFIX2, APPID_MAX_LENGTH); + return regcmp(buf, path); } int regcmp(const char* pattern, const char* str) { @@ -218,7 +216,7 @@ int exec_app_standalone(const char* path) { // TODO: check evn setting } // TODO: i length check - if (!strcmp(tokens[i], GDBSERVER_PATH) || !strcmp(tokens[i], GDBSERVER_PLATFORM_PATH)) { //gdbserver :11 --attach 2332 (cnt=4,) + if (!strcmp(tokens[i], GDBSERVER_PATH)) { //gdbserver :11 --attach 2332 (cnt=4,) char *gdb_attach_arg_pattern = "^:[1-9][0-9]{2,5} \\-\\-attach [1-9][0-9]{2,5}$"; int argcnt = cnt-i-1; if (argcnt == 3 && !strcmp("--attach", tokens[i+2])) { @@ -243,12 +241,10 @@ int exec_app_standalone(const char* path) { } } } - else if (argcnt >= 2) { - if(should_drop_privileges() == 0 || verify_app_path(tokens[i+2])) { - D("parsing.... debug run as mode\n"); - if (set_smack_rules_for_gdbserver(tokens[i+2], 0)) { - ret = 1; - } + if (argcnt >= 2 && verify_app_path(tokens[i+2])) { + D("parsing.... debug run as mode\n"); + if (set_smack_rules_for_gdbserver(tokens[i+2], 0)) { + ret = 1; } } D("finished debug launch mode\n"); @@ -258,6 +254,9 @@ int exec_app_standalone(const char* path) { char *appid = NULL; int rc = smack_lgetlabel(path, &appid, SMACK_LABEL_ACCESS); if (rc == 0 && appid != NULL) { + if (apply_sdb_rules(SDBD_LABEL_NAME, appid, "rx") < 0) { + D("unable to set sdbd rules to %s\n", appid); + } if (smack_set_label_for_self(appid) != -1) { D("set smack lebel [%s] appid to %s\n", appid, SMACK_LEBEL_SUBJECT_PATH); apply_app_process(); @@ -288,17 +287,19 @@ char* clone_gdbserver_label_from_app(const char* app_path) { char appid[APPID_MAX_LENGTH+1]; char *buffer = NULL; -#if 0 if (!verify_app_path(app_path)) { D("not be able to access %s\n", app_path); return NULL; } -#endif int rc = smack_lgetlabel(app_path, &buffer, SMACK_LABEL_ACCESS); if (rc == 0 && buffer != NULL) { - strcpy(appid, buffer); + if (strlen(buffer) == APPID_MAX_LENGTH) { + strcpy(appid, buffer); + } else { + strcpy(appid, "_"); + } free(buffer); } else { strcpy(appid, "_"); @@ -334,6 +335,12 @@ int set_smack_rules_for_gdbserver(const char* apppath, int mode) { // in case of debug as mode char *new_appid = clone_gdbserver_label_from_app(apppath); if (new_appid != NULL) { + if (apply_sdb_rules(SDBD_LABEL_NAME, new_appid, "w") < 0) { + D("unable to set sdbd rules\n"); + } + if (apply_sdb_rules(new_appid, SDK_HOME_LABEL_NAME, "rx") < 0) { + D("unable to set sdbd home rules\n"); + } if (smack_set_label_for_self(new_appid) != -1) { D("set smack lebel [%s] appid to %s\n", new_appid, SMACK_LEBEL_SUBJECT_PATH); // apply app precess only if not attach mode @@ -350,16 +357,34 @@ int set_smack_rules_for_gdbserver(const char* apppath, int mode) { return 0; } +int apply_sdb_rules(const char* subject, const char* object, const char* access_type) { + struct smack_accesses *rules = NULL; + int ret = 0; + + if (smack_accesses_new(&rules)) + return -1; + + if (smack_accesses_add(rules, subject, object, access_type)) { + smack_accesses_free(rules); + return -1; + } + + ret = smack_accesses_apply(rules); + smack_accesses_free(rules); + + return ret; +} + void apply_app_process() { set_appuser_groups(); if (setgid(SID_APP) != 0) { - fprintf(stderr, "set group id failed errno: %d\n", errno); + //fprintf(stderr, "set group id failed errno: %d\n", errno); exit(1); } if (setuid(SID_APP) != 0) { - fprintf(stderr, "set user id failed errno: %d\n", errno); + //fprintf(stderr, "set user id failed errno: %d\n", errno); exit(1); } } diff --git a/src/sdktools.h b/src/sdktools.h index 5c58298..469cf54 100644 --- a/src/sdktools.h +++ b/src/sdktools.h @@ -26,11 +26,12 @@ struct arg_permit_rule #define APP_INSTALL_PATH_PREFIX1 "/opt/apps" #define APP_INSTALL_PATH_PREFIX2 "/opt/usr/apps" #define GDBSERVER_PATH "/home/developer/sdk_tools/gdbserver/gdbserver" -#define GDBSERVER_PLATFORM_PATH "/home/developer/sdk_tools/gdbserver-platform/gdbserver" #define SMACK_LEBEL_SUBJECT_PATH "/proc/self/attr/current" #define APP_GROUPS_MAX 100 #define APP_GROUP_LIST "/usr/share/privilege-control/app_group_list" -#define APPID_MAX_LENGTH 50 +#define APPID_MAX_LENGTH 10 +#define SDBD_LABEL_NAME "sdbd" +#define SDK_HOME_LABEL_NAME "sdbd::home" int verify_commands(const char *arg1); int verify_root_commands(const char *arg1); @@ -42,6 +43,7 @@ int set_smack_rules_for_gdbserver(const char* apppath, int mode); void apply_app_process(); void set_appuser_groups(void); int is_root_commands(const char *command); +int apply_sdb_rules(const char* subject, const char* object, const char* access_type); #ifdef __cplusplus } -- 2.7.4