From 5ed4ec8644015b7418c0e86111ffb5d344a5823d Mon Sep 17 00:00:00 2001 From: Sangyoon Jang Date: Thu, 8 Feb 2024 09:42:40 +0900 Subject: Fix smack labeling for lib rpk Set public RO for files under lib dir when installing "rpk" type package. Change-Id: If72fb2b816fa577b464c1f66e307a8d3277f4960 Signed-off-by: Sangyoon Jang --- src/common/security_registration.cc | 19 ++++++++++++--- src/common/security_registration.h | 5 ++-- src/common/shared_dirs.cc | 28 +++++++++++----------- src/common/step/security/step_recover_security.cc | 4 ++-- src/common/step/security/step_register_security.cc | 4 ++-- .../step_rollback_deinstallation_security.cc | 4 ++-- src/common/step/security/step_update_security.cc | 8 +++---- 7 files changed, 43 insertions(+), 29 deletions(-) diff --git a/src/common/security_registration.cc b/src/common/security_registration.cc index c08992be..56447e83 100644 --- a/src/common/security_registration.cc +++ b/src/common/security_registration.cc @@ -382,6 +382,19 @@ class SecurityContextPathRequest { SetErrorMessage(&error_message_, error); return false; } + + // this is for lib rpk installation. set public RO for contents only. + if (pkg_type == "rpk" && std::string(policy.first) == "lib") { + for (bf::directory_iterator iter(subpath); + iter != bf::directory_iterator(); ++iter) { + error = security_manager_path_req_add_path(req_, + iter->path().string().c_str(), SECURITY_MANAGER_PATH_PUBLIC_RO); + if (error!= SECURITY_MANAGER_SUCCESS) { + SetErrorMessage(&error_message_, error); + return false; + } + } + } } return true; } @@ -549,8 +562,8 @@ bool UnregisterSecurityContextForPkgId(const std::string &pkg_id, } bool RegisterSecurityContextForPath(const std::string &pkg_id, - const boost::filesystem::path& path, uid_t uid, bool is_readonly_pkg, - std::string* error_message) { + const std::string& pkg_type, const boost::filesystem::path& path, + uid_t uid, bool is_readonly_pkg, std::string* error_message) { SecurityContextPathRequest req; if (!req.IsValid()) { *error_message = req.ErrorMessage(); @@ -560,7 +573,7 @@ bool RegisterSecurityContextForPath(const std::string &pkg_id, *error_message = req.ErrorMessage(); return false; } - if (!req.PreparePath({}, path, is_readonly_pkg, false)) { + if (!req.PreparePath(pkg_type, path, is_readonly_pkg, false)) { *error_message = req.ErrorMessage(); return false; } diff --git a/src/common/security_registration.h b/src/common/security_registration.h index 9eb1227c..cf0ed35e 100644 --- a/src/common/security_registration.h +++ b/src/common/security_registration.h @@ -76,6 +76,7 @@ bool UnregisterSecurityContextForPkgId(const std::string& pkg_id, * package path to security context * * \param pkg_id pkgid of given package + * \param pkg_type pkg type of given package * \param path path for registering * \param uid uid * \param is_readonly_pkg RO package flag @@ -84,8 +85,8 @@ bool UnregisterSecurityContextForPkgId(const std::string& pkg_id, * \return true if success */ bool RegisterSecurityContextForPath(const std::string &pkg_id, - const boost::filesystem::path& path, uid_t uid, - bool is_readonly_pkg, std::string* error_message); + const std::string& pkg_type, const boost::filesystem::path& path, + uid_t uid, bool is_readonly_pkg, std::string* error_message); /** * Adapter interface for external Security module. diff --git a/src/common/shared_dirs.cc b/src/common/shared_dirs.cc index ba17ea78..88fd0ba3 100644 --- a/src/common/shared_dirs.cc +++ b/src/common/shared_dirs.cc @@ -543,8 +543,8 @@ bool CreatePerUserStorageDirectories(const std::string& pkgid, bool trusted, } std::string error_message; - if (!RegisterSecurityContextForPath(pkgid, skel_apps_rw / pkgid, - kGlobalUserUid, is_readonly, &error_message)) { + if (!RegisterSecurityContextForPath(pkgid, {}, skel_apps_rw / pkgid, + kGlobalUserUid, is_readonly, &error_message)) { LOG(ERROR) << "Failed to register security context for path: " << skel_apps_rw / pkgid << ", error_message: " << error_message; return false; @@ -588,8 +588,8 @@ bool CreatePerUserStorageDirectories(const std::string& pkgid, bool trusted, } } - if (!RegisterSecurityContextForPath(pkgid, apps_rw / pkgid, uid, false, - &error_message)) { + if (!RegisterSecurityContextForPath(pkgid, {}, apps_rw / pkgid, uid, + false, &error_message)) { LOG(ERROR) << "Failed to register security context for path: " << apps_rw / pkgid << ", error_message: " << error_message; return false; @@ -664,8 +664,8 @@ bool CreateStorageDirectories(const boost::filesystem::path& path, } std::string error_message; - if (!RegisterSecurityContextForPath(pkgid, path / pkgid, uid, false, - &error_message)) { + if (!RegisterSecurityContextForPath(pkgid, {}, path / pkgid, uid, false, + &error_message)) { LOG(ERROR) << "Failed to register security context for path: " << path << ", error_message: " << error_message; return false; @@ -855,8 +855,8 @@ bool CreateSharedDataDir(const std::string& pkgid, uid_t uid) { bf::path path = apps_rw / pkgid; std::string error_message; - if (!ci::RegisterSecurityContextForPath(pkgid, path, uid, false, - &error_message)) { + if (!ci::RegisterSecurityContextForPath(pkgid, {}, path, uid, false, + &error_message)) { LOG(ERROR) << "Failed to register security context for path: " << path << ", error_message: " << error_message; return false; @@ -874,8 +874,8 @@ bool CreatePerUserSharedDataDir(const std::string& pkgid) { return false; std::string error_message; - if (!ci::RegisterSecurityContextForPath(pkgid, skel_apps_rw / pkgid, - kGlobalUserUid, false, &error_message)) { + if (!ci::RegisterSecurityContextForPath(pkgid, {}, skel_apps_rw / pkgid, + kGlobalUserUid, false, &error_message)) { LOG(ERROR) << "Failed to register security context for path: " << skel_apps_rw / pkgid << ", error_message: " << error_message; return false; @@ -905,7 +905,7 @@ bool CreatePerUserSharedDataDir(const std::string& pkgid) { return false; } - if (!ci::RegisterSecurityContextForPath(pkgid, apps_rw / pkgid, uid, + if (!ci::RegisterSecurityContextForPath(pkgid, {}, apps_rw / pkgid, uid, false, &error_message)) { LOG(ERROR) << "Failed to register security context for path: " << apps_rw / pkgid << ", error_message: " << error_message; @@ -993,7 +993,7 @@ bool RestoreSharedDataDir(const std::string& pkgid, uid_t uid) { } std::string error_message; - if (!RegisterSecurityContextForPath(pkgid, apps_rw / pkgid, uid, false, + if (!RegisterSecurityContextForPath(pkgid, {}, apps_rw / pkgid, uid, false, &error_message)) { LOG(ERROR) << "Failed to register security context for path: " << apps_rw << ", error_message: " << error_message; @@ -1034,8 +1034,8 @@ bool RestorePerUserSharedDataDir(const std::string& pkgid) { return false; } - if (!RegisterSecurityContextForPath(pkgid, apps_rw / pkgid, uid, - false, &error_message)) { + if (!RegisterSecurityContextForPath(pkgid, {}, apps_rw / pkgid, uid, + false, &error_message)) { LOG(ERROR) << "Failed to register security context for path: " << apps_rw / pkgid << ", error_message: " << error_message; return false; diff --git a/src/common/step/security/step_recover_security.cc b/src/common/step/security/step_recover_security.cc index c9c061a9..a7a62fcc 100644 --- a/src/common/step/security/step_recover_security.cc +++ b/src/common/step/security/step_recover_security.cc @@ -79,8 +79,8 @@ Step::Status StepRecoverSecurity::RecoveryUpdate() { if (!HasOwnerRwOtherRoPaths(context_->GetPkgPath())) return Status::OK; - if (!RegisterSecurityContextForPath( - context_->pkgid.get(), context_->GetPkgPath(), context_->uid.get(), + if (!RegisterSecurityContextForPath(context_->pkgid.get(), + context_->pkg_type.get(), context_->GetPkgPath(), context_->uid.get(), context_->is_readonly_package.get(), &error_message)) { if (!error_message.empty()) { LOG(ERROR) << "error_message: " << error_message; diff --git a/src/common/step/security/step_register_security.cc b/src/common/step/security/step_register_security.cc index 3a8d0d15..b044e904 100644 --- a/src/common/step/security/step_register_security.cc +++ b/src/common/step/security/step_register_security.cc @@ -51,8 +51,8 @@ Step::Status StepRegisterSecurity::process() { } if (context_->partial_rw.get()) return Status::OK; - if (!RegisterSecurityContextForPath( - context_->pkgid.get(), context_->GetPkgPath(), context_->uid.get(), + if (!RegisterSecurityContextForPath(context_->pkgid.get(), + context_->pkg_type.get(), context_->GetPkgPath(), context_->uid.get(), context_->is_readonly_package.get(), &error_message)) { if (!error_message.empty()) { LOG(ERROR) << "error_message: " << error_message; diff --git a/src/common/step/security/step_rollback_deinstallation_security.cc b/src/common/step/security/step_rollback_deinstallation_security.cc index 7e1614d5..876534ee 100644 --- a/src/common/step/security/step_rollback_deinstallation_security.cc +++ b/src/common/step/security/step_rollback_deinstallation_security.cc @@ -35,8 +35,8 @@ Step::Status StepRollbackDeinstallationSecurity::undo() { } return Status::SECURITY_ERROR; } - if (!RegisterSecurityContextForPath( - context_->pkgid.get(), context_->GetPkgPath(), context_->uid.get(), + if (!RegisterSecurityContextForPath(context_->pkgid.get(), + context_->pkg_type.get(), context_->GetPkgPath(), context_->uid.get(), context_->is_readonly_package.get(), &error_message)) { if (!error_message.empty()) { LOG(ERROR) << "error_message: " << error_message; diff --git a/src/common/step/security/step_update_security.cc b/src/common/step/security/step_update_security.cc index 09030172..644c00a9 100644 --- a/src/common/step/security/step_update_security.cc +++ b/src/common/step/security/step_update_security.cc @@ -23,8 +23,8 @@ Step::Status StepUpdateSecurity::process() { return Status::SECURITY_ERROR; } if (context_->request_type.get() != RequestType::ReadonlyUpdateUninstall) { - if (!RegisterSecurityContextForPath( - context_->pkgid.get(), context_->GetPkgPath(), context_->uid.get(), + if (!RegisterSecurityContextForPath(context_->pkgid.get(), + context_->pkg_type.get(), context_->GetPkgPath(), context_->uid.get(), context_->is_readonly_package.get(), &error_message)) { if (!error_message.empty()) { LOG(ERROR) << "error_message: " << error_message; @@ -45,8 +45,8 @@ Step::Status StepUpdateSecurity::undo() { } return Status::SECURITY_ERROR; } - if (!RegisterSecurityContextForPath( - context_->pkgid.get(), context_->GetPkgPath(), context_->uid.get(), + if (!RegisterSecurityContextForPath(context_->pkgid.get(), + context_->pkg_type.get(), context_->GetPkgPath(), context_->uid.get(), context_->is_readonly_package.get(), &error_message)) { if (!error_message.empty()) { LOG(ERROR) << "error_message: " << error_message; -- cgit v1.2.3