authorSung-jae Park <nicesj.park@samsung.com>2013-06-21 09:40:18 (GMT)
committerSung-jae Park <nicesj.park@samsung.com>2013-06-21 09:41:59 (GMT)
commit5256c30bb65bc8081f29b75594281e215e805a22 (patch)
tree75fd2857f02d3f55c604153a36d7669276a54386
parent278d2d3eab5e759809d4fee94ea8e9f388813cb2 (diff)
User level smack permission check is applied.
The user-level SMACK permission check code is implemented. In this patch, however, the service continues even if the permission check fails. Two weeks from now, a request will be rejected if the client has no permission to use the service. Change-Id: I6ea53665dd3f4ceb27edf90f56b7c368c8f6b31e
-rw-r--r--packaging/data-provider-master.spec2
-rw-r--r--src/badge_service.c36
-rw-r--r--src/shortcut_service.c14
3 files changed, 49 insertions, 3 deletions
diff --git a/packaging/data-provider-master.spec b/packaging/data-provider-master.spec
index 17922f9..ccebe1f 100644
--- a/packaging/data-provider-master.spec
+++ b/packaging/data-provider-master.spec
@@ -1,6 +1,6 @@
Name: data-provider-master
Summary: Master service provider for liveboxes.
-Version: 0.24.9
+Version: 0.24.10
Release: 1
Group: HomeTF/Livebox
License: Flora License
diff --git a/src/badge_service.c b/src/badge_service.c
index 96050f3..5b50595 100644
--- a/src/badge_service.c
+++ b/src/badge_service.c
@@ -26,6 +26,7 @@
#include <badge.h>
#include <badge_db.h>
+#include <security-server.h>
#include "service_common.h"
#include "debug.h"
@@ -45,9 +46,11 @@ struct context {
double seq;
};
-struct noti_service {
+struct badge_service {
const char *cmd;
void (*handler)(struct tcb *tcb, struct packet *packet, void *data);
+ const char *rule;
+ const char *access;
};
/*!
@@ -281,6 +284,22 @@ static void _handler_service_register(struct tcb *tcb, struct packet *packet, vo
}
}
+static int _is_valid_permission(int fd, struct badge_service *service)
+{
+ int ret;
+
+ if (service->rule != NULL && service->access != NULL) {
+ ret = security_server_check_privilege_by_sockfd(fd, service->rule, service->access);
+ if (ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED) {
+ ErrPrint("SMACK:Access denied\n");
+
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
/*!
* SERVICE THREAD
*/
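Review bot: `_is_valid_permission()` fails open, because it returns 0 only for `SECURITY_SERVER_API_ERROR_ACCESS_DENIED`; any other error from `security_server_check_privilege_by_sockfd()` (a failed query, a bad argument) falls through to `return 1`. Testing for success closes that gap and makes the log line usable for auditing: `if (ret != SECURITY_SERVER_API_SUCCESS) { ErrPrint("SMACK:Access check failed: cmd[%s] ret[%d]\n", service->cmd, ret); return 0; }`. A table entry with only one of `rule`/`access` set is also treated as unchecked, which hides a half-filled entry. The same denied-only comparison appears in both branches added to `service_thread_main()` in src/shortcut_service.c.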
@@ -288,30 +307,42 @@ static int service_thread_main(struct tcb *tcb, struct packet *packet, void *dat
{
int i = 0;
const char *command;
- static struct noti_service service_req_table[] = {
+ static struct badge_service service_req_table[] = {
{
.cmd = "insert_badge",
.handler = _handler_insert_badge,
+ .rule = "data-provider-master::badge.client",
+ .access = "w",
},
{
.cmd = "delete_badge",
.handler = _handler_delete_badge,
+ .rule = "data-provider-master::badge.client",
+ .access = "w",
},
{
.cmd = "set_badge_count",
.handler = _handler_set_badge_count,
+ .rule = "data-provider-master::badge.client",
+ .access = "w",
},
{
.cmd = "set_disp_option",
.handler = _handler_set_display_option,
+ .rule = "data-provider-master::badge.client",
+ .access = "w",
},
{
.cmd = "service_register",
.handler = _handler_service_register,
+ .rule = NULL,
+ .access = NULL,
},
{
.cmd = NULL,
.handler = NULL,
+ .rule = NULL,
+ .access = NULL,
},
};
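Review bot: The `service_register` entry sets `.rule = NULL`, which `_is_valid_permission()` reads as "no check", and nothing in the table says whether that exemption is deliberate. If registration is meant to be open to any local client, a comment on that entry such as `/* No SMACK rule: any client may register as a service */` would record the decision; if not, it needs its own label. The label `"data-provider-master::badge.client"` is also repeated four times, so a single `#define` for it would keep a typo in one entry from silently checking a different label.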
@@ -334,6 +365,7 @@ static int service_thread_main(struct tcb *tcb, struct packet *packet, void *dat
if (strcmp(service_req_table[i].cmd, command))
continue;
+ _is_valid_permission(tcb_fd(tcb), &(service_req_table[i]));
service_req_table[i].handler(tcb, packet, data);
break;
}
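Review bot: The result of `_is_valid_permission()` is discarded on the added line, so the handler on the next line runs for a denied client exactly as for an allowed one. The commit message describes this as a temporary grace period, but nothing in the code records it; a comment such as `/* TODO: result is advisory for now; skip the handler once enforcement is enabled */` would keep the log-only mode from becoming permanent. Enforcement would then be `if (!_is_valid_permission(tcb_fd(tcb), &service_req_table[i])) break;`, plus whatever error reply the client expects, which is not visible here. The shortcut_service.c hunk has the same log-only behaviour ahead of `service_common_multicast_packet()`. The loop this line sits in starts outside the hunk.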
diff --git a/src/shortcut_service.c b/src/shortcut_service.c
index 690c08b..b5b1d82 100644
--- a/src/shortcut_service.c
+++ b/src/shortcut_service.c
@@ -94,6 +94,7 @@ static inline struct tcb *get_reply_context(double seq)
static int service_thread_main(struct tcb *tcb, struct packet *packet, void *data)
{
const char *command;
+ int ret;
if (!packet) {
DbgPrint("TCB: %p is terminated (NIL packet)\n", tcb);
@@ -108,8 +109,21 @@ static int service_thread_main(struct tcb *tcb, struct packet *packet, void *dat
switch (packet_type(packet)) {
case PACKET_REQ:
+
/* Need to send reply packet */
DbgPrint("%p REQ: Command: [%s]\n", tcb, command);
+ if (!strcmp(command, "add_livebox")) {
+ ret = security_server_check_privilege_by_sockfd(tcb_fd(tcb), "data-provider-master::shortcut.livebox", "w");
+ if (ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED) {
+ ErrPrint("SMACK:Access denied\n");
+ }
+ } else if (!strcmp(command, "add_shortcut")) {
+ ret = security_server_check_privilege_by_sockfd(tcb_fd(tcb), "data-provider-master::shortcut.shortcut", "w");
+ if (ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED) {
+ ErrPrint("SMACK:Access denied\n");
+ }
+ }
+
if (service_common_multicast_packet(tcb, packet, TCB_CLIENT_TYPE_SERVICE) < 0)
ErrPrint("Unable to send service request packet\n");
else
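Review bot: The two added branches under `case PACKET_REQ:` duplicate the privilege call and the log line and differ only in the label string, so a later fix to one can easily miss the other. Choosing the label first and making one call keeps the check in a single place, and it makes the default explicit: any command other than `add_livebox` or `add_shortcut` is multicast with no check at all, which deserves a comment if intended. The log line would also be more useful with the command and return code in it. The body of `service_thread_main()` continues outside the hunk.

```c
	/* … unchanged: DbgPrint of the command … */
	{
		const char *rule = NULL;

		if (!strcmp(command, "add_livebox"))
			rule = "data-provider-master::shortcut.livebox";
		else if (!strcmp(command, "add_shortcut"))
			rule = "data-provider-master::shortcut.shortcut";

		/* Commands without a rule are forwarded unchecked. */
		if (rule) {
			ret = security_server_check_privilege_by_sockfd(tcb_fd(tcb), rule, "w");
			if (ret != SECURITY_SERVER_API_SUCCESS)
				ErrPrint("SMACK:Access check failed: cmd[%s] ret[%d]\n", command, ret);
		}
	}
	/* … unchanged: service_common_multicast_packet call … */
```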