diff options
-rw-r--r-- | CMakeLists.txt | 3 | ||||
-rw-r--r-- | packaging/secure-storage.spec | 1 | ||||
-rw-r--r-- | server/include/ss_server_main.h | 16 | ||||
-rw-r--r-- | server/src/ss_server_ipc.c | 25 | ||||
-rw-r--r-- | server/src/ss_server_main.c | 94 |
5 files changed, 125 insertions, 14 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt index 3fe2f1f..f731e97 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -34,6 +34,7 @@ SET(debug_type "-DSS_DLOG_USE") # for debug - use dlog #SET(debug_type "") # for debug - DO NOT use SET(use_key "-DUSE_KEY_FILE") # for private key - use key file #SET(use_key "-DUSE_NOT") # for private key - use no private key, key will be fixed +SET(smack_groupid "-DSMACK_GROUP_ID") # for group id sharing with smack label SET(EXTRA_CFLAGS "${EXTRA_CFLAGS} -fvisibility=hidden") SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${EXTRA_CFLAGS}") @@ -59,7 +60,7 @@ SET(ss-server_CFLAGS " -I. -I${ss_include_dir} -I${ss_server_include_dir} ${debu SET(ss-server_LDFLAGS ${pkgs_LDFLAGS}) ADD_EXECUTABLE(ss-server ${ss-server_SOURCES}) -TARGET_LINK_LIBRARIES(ss-server ${pkgs_LDFLAGS}) +TARGET_LINK_LIBRARIES(ss-server ${pkgs_LDFLAGS} -lsecurity-server-client) SET_TARGET_PROPERTIES(ss-server PROPERTIES COMPILE_FLAGS "${ss-server_CFLAGS}") #################################################################################################### diff --git a/packaging/secure-storage.spec b/packaging/secure-storage.spec index 428fab8..07b862f 100644 --- a/packaging/secure-storage.spec +++ b/packaging/secure-storage.spec @@ -9,6 +9,7 @@ Source1: secure-storage.service BuildRequires: pkgconfig(openssl) BuildRequires: pkgconfig(dlog) #BuildRequires: pkgconfig(libsystemd-daemon) +BuildRequires: pkgconfig(security-server) BuildRequires: cmake %description diff --git a/server/include/ss_server_main.h b/server/include/ss_server_main.h index 2d84c41..c549d58 100644 --- a/server/include/ss_server_main.h +++ b/server/include/ss_server_main.h @@ -30,8 +30,13 @@ * - filepath * @return type: int */ +#ifndef SMACK_GROUP_ID int SsServerDataStoreFromFile(int sender_pid, const char* filepath, ssm_flag flag, const char* cookie, const char* group_id); int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen, const char* filename, ssm_flag flag, const char* cookie, const char* group_id); +#else +int SsServerDataStoreFromFile(int sender_pid, const char* filepath, ssm_flag flag, int sockfd, const char* group_id); +int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen, const char* filename, ssm_flag flag, int sockfd, const char* group_id); +#endif /* * Declare new function @@ -45,8 +50,11 @@ int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen * - redLen * @return type: int */ +#ifndef SMACK_GROUP_ID int SsServerDataRead(int sender_pid, const char* filepath, char* pRetBuf, unsigned int count, unsigned int* readLen, ssm_flag flag, const char* cookie, const char* group_id); - +#else +int SsServerDataRead(int sender_pid, const char* filepath, char* pRetBuf, unsigned int count, unsigned int* readLen, ssm_flag flag, int sockfd, const char* group_id); +#endif /* * Declare new function * @@ -57,5 +65,11 @@ int SsServerDataRead(int sender_pid, const char* filepath, char* pRetBuf, unsign * - file_info * @return type: int */ + +#ifndef SMACK_GROUP_ID int SsServerGetInfo(int sender_pid, const char* filepath, char* file_info, ssm_flag flag, const char* cookie, const char* group_id); int SsServerDeleteFile(int sender_pid, const char* filepath, ssm_flag flag, const char* cookie, const char* group_id); +#else +int SsServerGetInfo(int sender_pid, const char* filepath, char* file_info, ssm_flag flag, int sockfd, const char* group_id); +int SsServerDeleteFile(int sender_pid, const char* filepath, ssm_flag flag, int sockfd, const char* group_id); +#endif diff --git a/server/src/ss_server_ipc.c b/server/src/ss_server_ipc.c index bba503e..93006d1 100644 --- a/server/src/ss_server_ipc.c +++ b/server/src/ss_server_ipc.c @@ -261,7 +261,11 @@ void SsServerComm(void) switch(recv_data.req_type) { case 1: +#ifndef SMACK_GROUP_ID send_data.rsp_type = SsServerDataStoreFromFile(cr.pid, recv_data.data_infilepath, recv_data.flag, recv_data.cookie, recv_data.group_id); +#else + send_data.rsp_type = SsServerDataStoreFromFile(cr.pid, recv_data.data_infilepath, recv_data.flag, client_sockfd, recv_data.group_id); +#endif if(send_data.rsp_type == 1) { @@ -277,7 +281,11 @@ void SsServerComm(void) write(client_sockfd, (char*)&send_data, sizeof(send_data)); break; case 2: +#ifndef SMACK_GROUP_ID send_data.rsp_type = SsServerDataStoreFromBuffer(cr.pid, recv_data.buffer, recv_data.count, recv_data.data_infilepath, recv_data.flag, recv_data.cookie, recv_data.group_id); +#else + send_data.rsp_type = SsServerDataStoreFromBuffer(cr.pid, recv_data.buffer, recv_data.count, recv_data.data_infilepath, recv_data.flag, client_sockfd, recv_data.group_id); +#endif if(send_data.rsp_type == 1) { @@ -293,8 +301,11 @@ void SsServerComm(void) write(client_sockfd, (char*)&send_data, sizeof(send_data)); break; case 3: +#ifndef SMACK_GROUP_ID send_data.rsp_type = SsServerDataRead(cr.pid, recv_data.data_infilepath, send_data.buffer, recv_data.count, &(send_data.readLen), recv_data.flag, recv_data.cookie, recv_data.group_id); - +#else + send_data.rsp_type = SsServerDataRead(cr.pid, recv_data.data_infilepath, send_data.buffer, recv_data.count, &(send_data.readLen), recv_data.flag, client_sockfd, recv_data.group_id); +#endif if(send_data.rsp_type == 1) { strncpy(send_data.data_filepath, recv_data.data_infilepath, MAX_FILENAME_LEN - 1); @@ -308,9 +319,13 @@ void SsServerComm(void) write(client_sockfd, (char*)&send_data, sizeof(send_data)); break; - case 4: + case 4: +#ifndef SMACK_GROUP_ID send_data.rsp_type = SsServerGetInfo(cr.pid, recv_data.data_infilepath, send_data.buffer, recv_data.flag, recv_data.cookie, recv_data.group_id); - +#else + send_data.rsp_type = SsServerGetInfo(cr.pid, recv_data.data_infilepath, send_data.buffer, recv_data.flag, client_sockfd /*recv_data.cookie*/, recv_data.group_id); +#endif + if(send_data.rsp_type == 1) { strncpy(send_data.data_filepath, recv_data.data_infilepath, MAX_FILENAME_LEN - 1); @@ -325,7 +340,11 @@ void SsServerComm(void) write(client_sockfd, (char*)&send_data, sizeof(send_data)); break; case 10: +#ifndef SMACK_GROUP_ID send_data.rsp_type = SsServerDeleteFile(cr.pid, recv_data.data_infilepath, recv_data.flag, recv_data.cookie, recv_data.group_id); +#else + send_data.rsp_type = SsServerDeleteFile(cr.pid, recv_data.data_infilepath, recv_data.flag, client_sockfd, recv_data.group_id); +#endif if(send_data.rsp_type == 1) { diff --git a/server/src/ss_server_main.c b/server/src/ss_server_main.c index 18b4ddb..33cedf7 100644 --- a/server/src/ss_server_main.c +++ b/server/src/ss_server_main.c @@ -47,6 +47,7 @@ #include "secure_storage.h" #include "ss_server_main.h" #include "ss_server_ipc.h" +#include <security-server/security-server.h> #ifdef USE_KEY_FILE #define CONF_FILE_PATH "/usr/share/secure-storage/config" @@ -108,6 +109,17 @@ char* get_preserved_dir() return retbuf; } +int IsSmackEnabled() +{ + FILE *file = NULL; + if(file = fopen("/smack/load2", "r")) + { + fclose(file); + return 1; + } + return 0; +} + /* get key from hardware( ex. OMAP e-fuse random key ) */ void GetKey(char* key, unsigned char* iv) { @@ -208,6 +220,38 @@ int check_privilege(const char* cookie, const char* group_id) return 0; // success always } +int check_privilege_by_sockfd(int sockfd, const char* object, const char* access_rights) +{ + int ret = -1; // if success, return 0 + const char* private_group_id = "NOTUSED"; + + if(!IsSmackEnabled()) + { + return 0; + } + + if(!strncmp(object,"NOTUSED", strlen(private_group_id))) + { + SLOGD("requested default group_id :%s. get smack label", object); + char* client_process_smack_label = security_server_get_smacklabel_sockfd(sockfd); + if(client_process_smack_label) + { + SLOGD("defined smack label : %s", client_process_smack_label); + strncpy(object, client_process_smack_label, strlen(client_process_smack_label)); + } + else + { + SLOGD("failed to get smack label"); + return -1; + } + } + + SLOGD("object : %s, access_rights : %s", object, access_rights); + ret = security_server_check_privilege_by_sockfd(sockfd, object, access_rights); + + return ret; +} + /* convert normal file path to secure storage file path */ int ConvertFileName(int sender_pid, char* dest, const char* src, ssm_flag flag, const char* group_id) { @@ -293,7 +337,11 @@ int ConvertFileName(int sender_pid, char* dest, const char* src, ssm_flag flag, } } - strncat(dest, if_pointer + 1, strlen(if_pointer) + 1); + int length_of_file = 0; + if(if_pointer != NULL) + { + strncat(dest, if_pointer + 1, strlen(if_pointer) + 1); + } strncat(dest, "_", 1); SHA1((unsigned char*)src, (size_t)strlen(src), path_hash); @@ -303,7 +351,7 @@ int ConvertFileName(int sender_pid, char* dest, const char* src, ssm_flag flag, strncat(dest, s, strlen(s)); strncat(dest, SS_FILE_POSTFIX, strlen(SS_FILE_POSTFIX)); - dest[strlen(SS_STORAGE_DEFAULT_PATH) + strlen(dir) + strlen(if_pointer) + strlen(s) + strlen(SS_FILE_POSTFIX) + 4] = '\0'; + dest[strlen(SS_STORAGE_DEFAULT_PATH) + strlen(dir) + length_of_file + strlen(s) + strlen(SS_FILE_POSTFIX) + 4] = '\0'; } else if(flag == SSM_FLAG_SECRET_PRESERVE) // /tmp/csa/ { @@ -467,8 +515,11 @@ unsigned char* AES_Crypto(unsigned char* p_text, unsigned char* c_text, char* ae /*************************************************************************** * Function Definition **************************************************************************/ - +#ifndef SMACK_GROUP_ID int SsServerDataStoreFromFile(int sender_pid, const char* data_filepath, ssm_flag flag, const char* cookie, const char* group_id) +#else +int SsServerDataStoreFromFile(int sender_pid, const char* data_filepath, ssm_flag flag, int sockfd, const char* group_id) +#endif { char key[16] = {0, }; unsigned char iv[16] = {0, }; @@ -486,11 +537,13 @@ int SsServerDataStoreFromFile(int sender_pid, const char* data_filepath, ssm_fla size_t read = 0, rest = 0; //0. privilege check and get directory name - if(check_privilege(cookie, group_id) != 0) +#ifdef SMACK_GROUP_ID + if(check_privilege_by_sockfd(sockfd, group_id, "w") != 0) { SLOGE("[%s] permission denied\n", group_id); return SS_PERMISSION_DENIED; } +#endif // 1. create out file name ConvertFileName(sender_pid, out_filepath, in_filepath, flag, group_id); @@ -577,7 +630,11 @@ int SsServerDataStoreFromFile(int sender_pid, const char* data_filepath, ssm_fla return 1; } +#ifndef SMACK_GROUP_ID int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen, const char* filename, ssm_flag flag, const char* cookie, const char* group_id) +#else +int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen, const char* filename, ssm_flag flag, int sockfd, const char* group_id) +#endif { char key[16] = {0, }; unsigned char iv[16] = {0, }; @@ -601,12 +658,14 @@ int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen memcpy(buffer, writebuffer, bufLen); //0. privilege check and get directory name - if(check_privilege(cookie, group_id) != 0) +#ifdef SMACK_GROUP_ID + if(check_privilege_by_sockfd(sockfd, group_id, "w") != 0) { SLOGE("permission denied\n"); free(buffer); return SS_PERMISSION_DENIED; } +#endif // create file path from filename ConvertFileName(sender_pid, out_filepath, filename, flag, group_id); @@ -676,7 +735,11 @@ int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen return 1; } +#ifndef SMACK_GROUP_ID int SsServerDataRead(int sender_pid, const char* data_filepath, char* pRetBuf, unsigned int count, unsigned int* readLen, ssm_flag flag, const char* cookie, const char* group_id) +#else +int SsServerDataRead(int sender_pid, const char* data_filepath, char* pRetBuf, unsigned int count, unsigned int* readLen, ssm_flag flag, int sockfd, const char* group_id) +#endif { unsigned int offset = count * MAX_RECV_DATA_LEN; char key[16] = {0, }; @@ -692,11 +755,13 @@ int SsServerDataRead(int sender_pid, const char* data_filepath, char* pRetBuf, u *readLen = 0; //0. privilege check and get directory name - if(check_privilege(cookie, group_id) != 0) +#ifdef SMACK_GROUP_ID + if(check_privilege_by_sockfd(sockfd, group_id, "r") != 0) { SLOGE("permission denied\n"); return SS_PERMISSION_DENIED; } +#endif // 1. create in file name : convert file name in order to access secure storage if(flag == SSM_FLAG_WIDGET) @@ -757,18 +822,23 @@ Last: return 1; } +#ifndef SMACK_GROUP_ID int SsServerDeleteFile(int sender_pid, const char* data_filepath, ssm_flag flag, const char* cookie, const char* group_id) +#else +int SsServerDeleteFile(int sender_pid, const char* data_filepath, ssm_flag flag, int sockfd, const char* group_id) +#endif { const char* in_filepath = data_filepath; char out_filepath[MAX_FILENAME_LEN] = {0, }; //0. privilege check and get directory name - if(check_privilege(cookie, group_id) != 0) +#ifdef SMACK_GROUP_ID + if(check_privilege_by_sockfd(sockfd, group_id, "w") != 0) { SLOGE("permission denied\n"); return SS_PERMISSION_DENIED; } - +#endif // 1. create out file name ConvertFileName(sender_pid, out_filepath, in_filepath, flag, group_id); @@ -782,18 +852,24 @@ int SsServerDeleteFile(int sender_pid, const char* data_filepath, ssm_flag flag, return 1; } +#ifndef SMACK_GROUP_ID int SsServerGetInfo(int sender_pid, const char* data_filepath, char* file_info, ssm_flag flag, const char* cookie, const char* group_id) +#else +int SsServerGetInfo(int sender_pid, const char* data_filepath, char* file_info, ssm_flag flag, int sockfd, const char* group_id) +#endif { size_t read = 0; FILE *fd_in = NULL; char in_filepath[MAX_FILENAME_LEN] = {0, }; //0. privilege check and get directory name - if(check_privilege(cookie, group_id) != 0) +#ifdef SMACK_GROUP_ID + if(check_privilege_by_sockfd(sockfd, group_id, "r") != 0) { SLOGE("permission denied, [%s]\n", group_id); return SS_PERMISSION_DENIED; } +#endif // 1. create in file name : convert file name in order to access secure storage if(flag == SSM_FLAG_WIDGET) |