add code for group_id with smack label

Signed-off-by: jc815.lee <jc815.lee@samsung.com>
author: jc815.lee <jc815.lee@samsung.com> 2013-05-02 21:33:08 +0900
committer: jc815.lee <jc815.lee@samsung.com> 2013-05-02 21:33:08 +0900
commit: af8aca1e5fc1d77463d824da78b0600b42a64b6f (patch)
tree: 7817fcd826af57c0915d01104a2f27c0c6123e99
parent: 56fa0c93675f1d7de78046abdf3a549de4d56fc3 (diff)
download: secure-storage-af8aca1e5fc1d77463d824da78b0600b42a64b6f.tar.gz
secure-storage-af8aca1e5fc1d77463d824da78b0600b42a64b6f.tar.bz2
secure-storage-af8aca1e5fc1d77463d824da78b0600b42a64b6f.zip
5 files changed, 125 insertions, 14 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 3fe2f1f..f731e97 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -34,6 +34,7 @@ SET(debug_type "-DSS_DLOG_USE") 		# for debug - use dlog
 #SET(debug_type "") 						# for debug - DO NOT use
 SET(use_key "-DUSE_KEY_FILE")		# for private key - use key file
 #SET(use_key "-DUSE_NOT")			# for private key - use no private key, key will be fixed
+SET(smack_groupid "-DSMACK_GROUP_ID") # for group id sharing with smack label
 
 SET(EXTRA_CFLAGS "${EXTRA_CFLAGS} -fvisibility=hidden")
 SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${EXTRA_CFLAGS}")
@@ -59,7 +60,7 @@ SET(ss-server_CFLAGS " -I. -I${ss_include_dir} -I${ss_server_include_dir} ${debu
 SET(ss-server_LDFLAGS ${pkgs_LDFLAGS})
 
 ADD_EXECUTABLE(ss-server ${ss-server_SOURCES})
-TARGET_LINK_LIBRARIES(ss-server ${pkgs_LDFLAGS})
+TARGET_LINK_LIBRARIES(ss-server ${pkgs_LDFLAGS} -lsecurity-server-client)
 SET_TARGET_PROPERTIES(ss-server PROPERTIES COMPILE_FLAGS "${ss-server_CFLAGS}")
 ####################################################################################################
 
diff --git a/packaging/secure-storage.spec b/packaging/secure-storage.spec
index 428fab8..07b862f 100644
--- a/packaging/secure-storage.spec
+++ b/packaging/secure-storage.spec
@@ -9,6 +9,7 @@ Source1:    secure-storage.service
 BuildRequires:  pkgconfig(openssl)
 BuildRequires:  pkgconfig(dlog)
 #BuildRequires:  pkgconfig(libsystemd-daemon)
+BuildRequires:  pkgconfig(security-server)
 BuildRequires:  cmake
 
 %description
diff --git a/server/include/ss_server_main.h b/server/include/ss_server_main.h
index 2d84c41..c549d58 100644
--- a/server/include/ss_server_main.h
+++ b/server/include/ss_server_main.h
@@ -30,8 +30,13 @@
  *     - filepath
  *   @return type: int
  */
+#ifndef SMACK_GROUP_ID
 int SsServerDataStoreFromFile(int sender_pid, const char* filepath, ssm_flag flag, const char* cookie, const char* group_id);
 int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen, const char* filename, ssm_flag flag, const char* cookie, const char* group_id);
+#else
+int SsServerDataStoreFromFile(int sender_pid, const char* filepath, ssm_flag flag, int sockfd, const char* group_id);
+int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen, const char* filename, ssm_flag flag, int sockfd, const char* group_id);
+#endif
 
 /*
  * Declare new function
@@ -45,8 +50,11 @@ int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen
  *     - redLen
  *   @return type: int
  */
+#ifndef SMACK_GROUP_ID
 int SsServerDataRead(int sender_pid, const char* filepath, char* pRetBuf, unsigned int count, unsigned int* readLen, ssm_flag flag, const char* cookie, const char* group_id);
-
+#else
+int SsServerDataRead(int sender_pid, const char* filepath, char* pRetBuf, unsigned int count, unsigned int* readLen, ssm_flag flag, int sockfd, const char* group_id);
+#endif
 /*
  * Declare new function
  *
@@ -57,5 +65,11 @@ int SsServerDataRead(int sender_pid, const char* filepath, char* pRetBuf, unsign
  *     - file_info
  *   @return type: int
  */
+ 
+#ifndef SMACK_GROUP_ID
 int SsServerGetInfo(int sender_pid, const char* filepath, char* file_info, ssm_flag flag, const char* cookie, const char* group_id);
 int SsServerDeleteFile(int sender_pid, const char* filepath, ssm_flag flag, const char* cookie, const char* group_id);
+#else
+int SsServerGetInfo(int sender_pid, const char* filepath, char* file_info, ssm_flag flag, int sockfd, const char* group_id);
+int SsServerDeleteFile(int sender_pid, const char* filepath, ssm_flag flag, int sockfd, const char* group_id);
+#endif
diff --git a/server/src/ss_server_ipc.c b/server/src/ss_server_ipc.c
index bba503e..93006d1 100644
--- a/server/src/ss_server_ipc.c
+++ b/server/src/ss_server_ipc.c
@@ -261,7 +261,11 @@ void SsServerComm(void)
 		switch(recv_data.req_type)
 		{
 			case 1:
+#ifndef SMACK_GROUP_ID
 				send_data.rsp_type = SsServerDataStoreFromFile(cr.pid, recv_data.data_infilepath, recv_data.flag, recv_data.cookie, recv_data.group_id);
+#else
+				send_data.rsp_type = SsServerDataStoreFromFile(cr.pid, recv_data.data_infilepath, recv_data.flag, client_sockfd, recv_data.group_id);
+#endif
 
 				if(send_data.rsp_type == 1)
 				{
@@ -277,7 +281,11 @@ void SsServerComm(void)
 				write(client_sockfd, (char*)&send_data, sizeof(send_data));
 				break;
 			case 2:
+#ifndef SMACK_GROUP_ID
 				send_data.rsp_type = SsServerDataStoreFromBuffer(cr.pid, recv_data.buffer, recv_data.count, recv_data.data_infilepath, recv_data.flag, recv_data.cookie, recv_data.group_id);
+#else
+				send_data.rsp_type = SsServerDataStoreFromBuffer(cr.pid, recv_data.buffer, recv_data.count, recv_data.data_infilepath, recv_data.flag, client_sockfd, recv_data.group_id);
+#endif
 
 				if(send_data.rsp_type == 1)
 				{
@@ -293,8 +301,11 @@ void SsServerComm(void)
 				write(client_sockfd, (char*)&send_data, sizeof(send_data));
 				break;
 			case 3:
+#ifndef SMACK_GROUP_ID
 				send_data.rsp_type = SsServerDataRead(cr.pid, recv_data.data_infilepath, send_data.buffer, recv_data.count, &(send_data.readLen), recv_data.flag, recv_data.cookie, recv_data.group_id);
-			
+#else
+				send_data.rsp_type = SsServerDataRead(cr.pid, recv_data.data_infilepath, send_data.buffer, recv_data.count, &(send_data.readLen), recv_data.flag, client_sockfd, recv_data.group_id);
+#endif
 				if(send_data.rsp_type == 1)
 				{
 					strncpy(send_data.data_filepath, recv_data.data_infilepath, MAX_FILENAME_LEN - 1);
@@ -308,9 +319,13 @@ void SsServerComm(void)
 
 				write(client_sockfd, (char*)&send_data, sizeof(send_data));
 				break;
-			case 4: 
+			case 4:
+#ifndef SMACK_GROUP_ID
 				send_data.rsp_type = SsServerGetInfo(cr.pid, recv_data.data_infilepath, send_data.buffer, recv_data.flag, recv_data.cookie, recv_data.group_id);
-				
+#else
+				send_data.rsp_type = SsServerGetInfo(cr.pid, recv_data.data_infilepath, send_data.buffer, recv_data.flag, client_sockfd /*recv_data.cookie*/, recv_data.group_id);
+#endif
+
 				if(send_data.rsp_type == 1)
 				{
 					strncpy(send_data.data_filepath, recv_data.data_infilepath, MAX_FILENAME_LEN - 1);
@@ -325,7 +340,11 @@ void SsServerComm(void)
 				write(client_sockfd, (char*)&send_data, sizeof(send_data));
 				break;			
 			case 10:
+#ifndef SMACK_GROUP_ID
 				send_data.rsp_type = SsServerDeleteFile(cr.pid, recv_data.data_infilepath, recv_data.flag, recv_data.cookie, recv_data.group_id);
+#else
+				send_data.rsp_type = SsServerDeleteFile(cr.pid, recv_data.data_infilepath, recv_data.flag, client_sockfd, recv_data.group_id);
+#endif
 				
 				if(send_data.rsp_type == 1)
 				{
diff --git a/server/src/ss_server_main.c b/server/src/ss_server_main.c
index 18b4ddb..33cedf7 100644
--- a/server/src/ss_server_main.c
+++ b/server/src/ss_server_main.c
@@ -47,6 +47,7 @@
 #include "secure_storage.h"
 #include "ss_server_main.h"
 #include "ss_server_ipc.h"
+#include <security-server/security-server.h>
 
 #ifdef USE_KEY_FILE
 #define CONF_FILE_PATH	"/usr/share/secure-storage/config"
@@ -108,6 +109,17 @@ char* get_preserved_dir()
 	return retbuf;
 }
 
+int IsSmackEnabled()
+{
+	FILE *file = NULL;
+	if(file = fopen("/smack/load2", "r"))
+	{
+		fclose(file);
+		return 1;
+	}
+	return 0;
+}
+
 /* get key from hardware( ex. OMAP e-fuse random key ) */
 void GetKey(char* key, unsigned char* iv)
 {
@@ -208,6 +220,38 @@ int check_privilege(const char* cookie, const char* group_id)
 	return 0; // success always
 }
 
+int check_privilege_by_sockfd(int sockfd, const char* object, const char* access_rights)
+{
+	int ret = -1;	// if success, return 0
+	const char* private_group_id = "NOTUSED";
+
+	if(!IsSmackEnabled())
+	{
+		return 0;
+	}
+
+	if(!strncmp(object,"NOTUSED", strlen(private_group_id)))
+	{
+		SLOGD("requested default group_id :%s. get smack label", object);
+		char* client_process_smack_label = security_server_get_smacklabel_sockfd(sockfd);
+		if(client_process_smack_label)
+		{
+			SLOGD("defined smack label : %s", client_process_smack_label);
+			strncpy(object, client_process_smack_label, strlen(client_process_smack_label));
+		}
+		else
+		{
+			SLOGD("failed to get smack label");
+			return -1;
+		}
+	}
+
+	SLOGD("object : %s, access_rights : %s", object, access_rights);
+	ret = security_server_check_privilege_by_sockfd(sockfd, object, access_rights);
+
+	return ret;
+}
+
 /* convert normal file path to secure storage file path  */
 int ConvertFileName(int sender_pid, char* dest, const char* src, ssm_flag flag, const char* group_id)
 {
@@ -293,7 +337,11 @@ int ConvertFileName(int sender_pid, char* dest, const char* src, ssm_flag flag,
 			}
 		}
 		
-		strncat(dest, if_pointer + 1, strlen(if_pointer) + 1);
+		int length_of_file = 0;
+		if(if_pointer != NULL)
+		{
+			strncat(dest, if_pointer + 1, strlen(if_pointer) + 1);
+		}
 		strncat(dest, "_", 1);
 
 		SHA1((unsigned char*)src, (size_t)strlen(src), path_hash);
@@ -303,7 +351,7 @@ int ConvertFileName(int sender_pid, char* dest, const char* src, ssm_flag flag,
 		strncat(dest, s, strlen(s));
 		strncat(dest, SS_FILE_POSTFIX, strlen(SS_FILE_POSTFIX));
 
-		dest[strlen(SS_STORAGE_DEFAULT_PATH) + strlen(dir) + strlen(if_pointer) + strlen(s) + strlen(SS_FILE_POSTFIX) + 4] = '\0';
+		dest[strlen(SS_STORAGE_DEFAULT_PATH) + strlen(dir) + length_of_file + strlen(s) + strlen(SS_FILE_POSTFIX) + 4] = '\0';
 	}
 	else if(flag == SSM_FLAG_SECRET_PRESERVE) // /tmp/csa/
 	{
@@ -467,8 +515,11 @@ unsigned char* AES_Crypto(unsigned char* p_text, unsigned char* c_text, char* ae
 /***************************************************************************
  * Function Definition
  **************************************************************************/
-
+#ifndef SMACK_GROUP_ID
 int SsServerDataStoreFromFile(int sender_pid, const char* data_filepath, ssm_flag flag, const char* cookie, const char* group_id)
+#else
+int SsServerDataStoreFromFile(int sender_pid, const char* data_filepath, ssm_flag flag, int sockfd, const char* group_id)
+#endif
 {
 	char key[16] = {0, };
 	unsigned char iv[16] = {0, };
@@ -486,11 +537,13 @@ int SsServerDataStoreFromFile(int sender_pid, const char* data_filepath, ssm_fla
 	size_t read = 0, rest = 0;
 
 	//0. privilege check and get directory name
-	if(check_privilege(cookie, group_id) != 0)
+#ifdef SMACK_GROUP_ID
+	if(check_privilege_by_sockfd(sockfd, group_id, "w") != 0)
 	{
 		SLOGE("[%s] permission denied\n", group_id);
 		return SS_PERMISSION_DENIED;
 	}
+#endif
 
 	// 1. create out file name
 	ConvertFileName(sender_pid, out_filepath, in_filepath, flag, group_id);
@@ -577,7 +630,11 @@ int SsServerDataStoreFromFile(int sender_pid, const char* data_filepath, ssm_fla
 	return 1;
 }
 
+#ifndef SMACK_GROUP_ID
 int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen, const char* filename, ssm_flag flag, const char* cookie, const char* group_id)
+#else
+int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen, const char* filename, ssm_flag flag, int sockfd, const char* group_id)
+#endif
 {
 	char key[16] = {0, };
 	unsigned char iv[16] = {0, };
@@ -601,12 +658,14 @@ int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen
 	memcpy(buffer, writebuffer, bufLen);
 
 	//0. privilege check and get directory name
-	if(check_privilege(cookie, group_id) != 0)
+#ifdef SMACK_GROUP_ID
+	if(check_privilege_by_sockfd(sockfd, group_id, "w") != 0)
 	{
 		SLOGE("permission denied\n");
 		free(buffer);
 		return SS_PERMISSION_DENIED;
 	}
+#endif
 	
 	// create file path from filename
 	ConvertFileName(sender_pid, out_filepath, filename, flag, group_id); 
@@ -676,7 +735,11 @@ int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen
 	return 1;
 }
 
+#ifndef SMACK_GROUP_ID
 int SsServerDataRead(int sender_pid, const char* data_filepath, char* pRetBuf, unsigned int count, unsigned int* readLen, ssm_flag flag, const char* cookie, const char* group_id)
+#else
+int SsServerDataRead(int sender_pid, const char* data_filepath, char* pRetBuf, unsigned int count, unsigned int* readLen, ssm_flag flag, int sockfd, const char* group_id)
+#endif
 {
 	unsigned int offset = count * MAX_RECV_DATA_LEN;
 	char key[16] = {0, };
@@ -692,11 +755,13 @@ int SsServerDataRead(int sender_pid, const char* data_filepath, char* pRetBuf, u
 	*readLen = 0;
 
 	//0. privilege check and get directory name
-	if(check_privilege(cookie, group_id) != 0)
+#ifdef SMACK_GROUP_ID
+	if(check_privilege_by_sockfd(sockfd, group_id, "r") != 0)
 	{
 		SLOGE("permission denied\n");
 		return SS_PERMISSION_DENIED;
 	}
+#endif
 
 	// 1. create in file name : convert file name in order to access secure storage
 	if(flag == SSM_FLAG_WIDGET)
@@ -757,18 +822,23 @@ Last:
 	return 1;
 }
 
+#ifndef SMACK_GROUP_ID
 int SsServerDeleteFile(int sender_pid, const char* data_filepath, ssm_flag flag, const char* cookie, const char* group_id)
+#else
+int SsServerDeleteFile(int sender_pid, const char* data_filepath, ssm_flag flag, int sockfd, const char* group_id)
+#endif
 {
 	const char* in_filepath = data_filepath;
 	char out_filepath[MAX_FILENAME_LEN] = {0, };
 
 	//0. privilege check and get directory name
-	if(check_privilege(cookie, group_id) != 0)
+#ifdef SMACK_GROUP_ID
+	if(check_privilege_by_sockfd(sockfd, group_id, "w") != 0)
 	{
 		SLOGE("permission denied\n");
 		return SS_PERMISSION_DENIED;
 	}
-
+#endif
 	// 1. create out file name
 	ConvertFileName(sender_pid, out_filepath, in_filepath, flag, group_id);
 	
@@ -782,18 +852,24 @@ int SsServerDeleteFile(int sender_pid, const char* data_filepath, ssm_flag flag,
 	return 1;
 }
 
+#ifndef SMACK_GROUP_ID
 int SsServerGetInfo(int sender_pid, const char* data_filepath, char* file_info, ssm_flag flag, const char* cookie, const char* group_id)
+#else
+int SsServerGetInfo(int sender_pid, const char* data_filepath, char* file_info, ssm_flag flag, int sockfd, const char* group_id)
+#endif
 {
 	size_t read = 0;
 	FILE *fd_in = NULL;
 	char in_filepath[MAX_FILENAME_LEN] = {0, };
 
 	//0. privilege check and get directory name
-	if(check_privilege(cookie, group_id) != 0)
+#ifdef SMACK_GROUP_ID
+	if(check_privilege_by_sockfd(sockfd, group_id, "r") != 0)
 	{
 		SLOGE("permission denied, [%s]\n", group_id);
 		return SS_PERMISSION_DENIED;
 	}
+#endif
 	
 	// 1. create in file name : convert file name in order to access secure storage
 	if(flag == SSM_FLAG_WIDGET)
author	jc815.lee <jc815.lee@samsung.com>	2013-05-02 21:33:08 +0900
committer	jc815.lee <jc815.lee@samsung.com>	2013-05-02 21:33:08 +0900
commit	af8aca1e5fc1d77463d824da78b0600b42a64b6f (patch)
tree	7817fcd826af57c0915d01104a2f27c0c6123e99
parent	56fa0c93675f1d7de78046abdf3a549de4d56fc3 (diff)
download	secure-storage-af8aca1e5fc1d77463d824da78b0600b42a64b6f.tar.gz secure-storage-af8aca1e5fc1d77463d824da78b0600b42a64b6f.tar.bz2 secure-storage-af8aca1e5fc1d77463d824da78b0600b42a64b6f.zip