From 8ccec6785ee30fb7c9e06a3421f5b460364b2968 Mon Sep 17 00:00:00 2001 From: Kyungwook Tak Date: Tue, 6 Sep 2016 15:55:08 +0900 Subject: Add upgrade script Change-Id: I4d38443cf3880b50215aa36e084445cc8bbb60be Signed-off-by: Kyungwook Tak --- CMakeLists.txt | 1 + packaging/libwebappenc.manifest.in | 5 +++++ packaging/libwebappenc.spec | 23 +++++++++++++++++---- resources/CMakeLists.txt | 35 +++++++++++++++++++++++++------- scripts/CMakeLists.txt | 16 +++++++++++++++ scripts/wae-upgrade.sh.in | 30 +++++++++++++++++++++++++++ systemd/CMakeLists.txt | 24 ++++++++++++++-------- systemd/webappenc-initializer.service.in | 8 ++++---- 8 files changed, 119 insertions(+), 23 deletions(-) create mode 100644 scripts/CMakeLists.txt create mode 100755 scripts/wae-upgrade.sh.in diff --git a/CMakeLists.txt b/CMakeLists.txt index 436eb74..96efdbe 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -93,3 +93,4 @@ ADD_SUBDIRECTORY(resources) ADD_SUBDIRECTORY(include) ADD_SUBDIRECTORY(tests) ADD_SUBDIRECTORY(systemd) +ADD_SUBDIRECTORY(scripts) diff --git a/packaging/libwebappenc.manifest.in b/packaging/libwebappenc.manifest.in index 86dbb26..5451c22 100644 --- a/packaging/libwebappenc.manifest.in +++ b/packaging/libwebappenc.manifest.in @@ -2,4 +2,9 @@ + + + + + diff --git a/packaging/libwebappenc.spec b/packaging/libwebappenc.spec index 7d796f9..9f8faef 100644 --- a/packaging/libwebappenc.spec +++ b/packaging/libwebappenc.spec @@ -37,8 +37,14 @@ Requires: %{name} = %{version}-%{release} %description test Web application encryption and decryption service (test) -%define bin_dir %TZ_SYS_BIN -%define rw_share_dir %TZ_SYS_SHARE +%define user_name security_fw +%define group_name security_fw +%define smack_domain System +%define bin_dir %TZ_SYS_BIN +%define rw_share_dir %TZ_SYS_SHARE +%define upgrade_dir %TZ_SYS_RO_SHARE/upgrade +%define upgrade_script_dir %{upgrade_dir}/scripts +%define upgrade_data_dir %{upgrade_dir}/data %prep %setup -q 
@@ -52,6 +58,11 @@ Web application encryption and decryption service (test) -DSYSTEMD_UNIT_DIR=%{_unitdir} \ -DCMAKE_BUILD_TYPE=%{build_type} \ -DRW_SHARE_DIR=%rw_share_dir \ + -DUPGRADE_DATA_DIR=%upgrade_data_dir \ + -DUPGRADE_SCRIPT_DIR=%upgrade_script_dir \ + -DUSER_NAME=%user_name \ + -DGROUP_NAME=%group_name \ + -DSMACK_DOMAIN=%smack_domain \ -DBINDIR=%bin_dir make %{?jobs:-j%jobs} @@ -88,8 +99,12 @@ fi %{_unitdir}/webappenc-initializer.service %{_unitdir}/multi-user.target.wants/webappenc-initializer.service %{bin_dir}/wae_initializer -%{rw_share_dir}/wae/app_dek/WAE_APPDEK_KEK_PrivateKey.pem -%{rw_share_dir}/wae/app_dek/WAE_APPDEK_KEK_PublicKey.pem +%dir %attr(770, %user_name, %group_name) %{rw_share_dir}/wae +%dir %attr(770, %user_name, %group_name) %{rw_share_dir}/wae/app_dek +%attr(660, %user_name, %group_name) %{rw_share_dir}/wae/app_dek/* + +%attr(775,root,root) %{upgrade_script_dir}/wae-upgrade.sh +%{upgrade_data_dir}/wae/app_dek/* %files devel %{_includedir}/* diff --git a/resources/CMakeLists.txt b/resources/CMakeLists.txt index ae2bc8b..030553c 100644 --- a/resources/CMakeLists.txt +++ b/resources/CMakeLists.txt 
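Review bot: `%attr(775,root,root)` on `wae-upgrade.sh` in the `%files` hunk leaves the upgrade script group-writable; since it presumably runs with elevated privileges during a platform upgrade, `%attr(755,root,root) %{upgrade_script_dir}/wae-upgrade.sh` would be the tighter choice. The `%attr(660, %user_name, %group_name) %{rw_share_dir}/wae/app_dek/*` entry also makes `WAE_APPDEK_KEK_PrivateKey.pem` group-readable and group-writable, whereas the CMake install rule grants owner read/write only; if the group never has to rewrite the KEK, a narrower mode would do. The `%{upgrade_data_dir}/wae/app_dek/*` entry carries no `%attr` at all, so the owner and mode of the staged private key fall back to packaging defaults and are worth stating explicitly.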
@@ -1,12 +1,33 @@ -################################################################################ -# for resource install -################################################################################ - +# Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# @file CMakeLists.txt +# @author Dongsun Lee (ds73.lee@samsung.com) +# @brief Resource install cmake +# INSTALL(FILES - ${PROJECT_SOURCE_DIR}/resources/WAE_APPDEK_KEK_PublicKey.pem - ${PROJECT_SOURCE_DIR}/resources/WAE_APPDEK_KEK_PrivateKey.pem - DESTINATION ${RW_SHARE_DIR}/wae/app_dek/ + WAE_APPDEK_KEK_PublicKey.pem + WAE_APPDEK_KEK_PrivateKey.pem + DESTINATION ${RW_SHARE_DIR}/wae/app_dek PERMISSIONS OWNER_READ OWNER_WRITE ) +INSTALL(FILES + WAE_APPDEK_KEK_PublicKey.pem + WAE_APPDEK_KEK_PrivateKey.pem + DESTINATION ${UPGRADE_DATA_DIR}/wae/app_dek + PERMISSIONS OWNER_READ + OWNER_WRITE +) diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt new file mode 100644 index 0000000..c73467e --- /dev/null +++ b/scripts/CMakeLists.txt 
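Review bot: The second `INSTALL(FILES ...)` block puts another on-device copy of `WAE_APPDEK_KEK_PrivateKey.pem` under `${UPGRADE_DATA_DIR}/wae/app_dek`, and nothing in the file says why. A one-line comment above it, for example `# Staged copy for scripts/wae-upgrade.sh, which moves ${UPGRADE_DATA_DIR}/wae to ${RW_SHARE_DIR}/wae on platform upgrade`, would tell a later reader that the duplicate private key is intentional and which component consumes it. It would also help to note there that the final owner and mode of the read-write copy are set by the spec file and the upgrade script, not by the `PERMISSIONS` given here.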
@@ -0,0 +1,16 @@ +# Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +CONFIGURE_FILE(wae-upgrade.sh.in wae-upgrade.sh @ONLY) +INSTALL(FILES wae-upgrade.sh DESTINATION ${UPGRADE_SCRIPT_DIR}) diff --git a/scripts/wae-upgrade.sh.in b/scripts/wae-upgrade.sh.in new file mode 100755 index 0000000..652962b --- /dev/null +++ b/scripts/wae-upgrade.sh.in @@ -0,0 +1,30 @@ +#!/bin/bash +PATH=/bin:/usr/bin:/sbin:/usr/sbin + +# Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# @file wae-upgrade.sh.in +# @author Kyungwook Tak (k.tak@samsung.com) +# @brief Platform upgrade support + +WAE_DIR=@RW_SHARE_DIR@/wae + +mv @UPGRADE_DATA_DIR@/wae $WAE_DIR + +chsmack -a "@SMACK_DOMAIN@" $WAE_DIR -r +chown -R @USER_NAME@:@GROUP_NAME@ $WAE_DIR +chmod 770 $WAE_DIR +chmod 770 $WAE_DIR/app_dek +chmod 660 $WAE_DIR/app_dek/* 
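Review bot: `INSTALL(FILES wae-upgrade.sh ...)` names the generated script by a relative path, which CMake resolves against the current source directory, while `CONFIGURE_FILE(wae-upgrade.sh.in wae-upgrade.sh @ONLY)` writes its relative output into the current binary directory; the two only coincide for in-source builds. `INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/wae-upgrade.sh DESTINATION ${UPGRADE_SCRIPT_DIR})` keeps out-of-source builds working. The same pattern is introduced for `webappenc-initializer.service` in the systemd/CMakeLists.txt hunk.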
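Review bot: None of the commands after `WAE_DIR=` is checked, so if `mv @UPGRADE_DATA_DIR@/wae $WAE_DIR` fails the script still runs `chsmack`, `chown -R` and `chmod` on whatever is at `$WAE_DIR`, and its exit status is that of the last `chmod` only. If `$WAE_DIR` already exists as a directory, `mv` places the data in `$WAE_DIR/wae` instead, and the later `chmod` calls then touch the old `app_dek` directory rather than the newly moved key files. Adding `set -e` below the `PATH=` line (or `|| exit 1` on the `mv`) and quoting every `"$WAE_DIR"` expansion would make a failed key migration visible to the upgrade framework instead of leaving keys with unexpected labels or modes.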
diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt index bf7bb79..99eafd5 100644 --- a/systemd/CMakeLists.txt +++ b/systemd/CMakeLists.txt @@ -1,8 +1,16 @@ -CONFIGURE_FILE(${CMAKE_SOURCE_DIR}/systemd/webappenc-initializer.service.in - ${CMAKE_SOURCE_DIR}/systemd/webappenc-initializer.service @ONLY) - -INSTALL(FILES - ${CMAKE_SOURCE_DIR}/systemd/webappenc-initializer.service - DESTINATION - ${SYSTEMD_UNIT_DIR} -) +# Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +CONFIGURE_FILE(webappenc-initializer.service.in webappenc-initializer.service @ONLY) +INSTALL(FILES webappenc-initializer.service DESTINATION ${SYSTEMD_UNIT_DIR}) diff --git a/systemd/webappenc-initializer.service.in b/systemd/webappenc-initializer.service.in index 768552e..ed0bebe 100644 --- a/systemd/webappenc-initializer.service.in +++ b/systemd/webappenc-initializer.service.in @@ -5,11 +5,11 @@ Requires=central-key-manager.service After=central-key-manager.service [Service] -User=security_fw -Group=security_fw +User=@USER_NAME@ +Group=@GROUP_NAME@ Type=oneshot -ExecStart=/usr/bin/wae_initializer -SmackProcessLabel=System +ExecStart=@BINDIR@/wae_initializer +SmackProcessLabel=@SMACK_DOMAIN@ [Install] WantedBy=multi-user.target -- cgit v1.2.3 From 0780d62047e7d7472c65c791866e7a5fa9be7863 Mon Sep 17 00:00:00 2001 
From: Kyungwook Tak Date: Mon, 28 Nov 2016 20:25:03 +0900 Subject: Fix svace defects 1) Missing returned value checking. 2) variable misused (start -> end). 3) Dead code exist in preloaded app dek loading while loop. Make subroutine to simplify loop codes/resource managed. Change-Id: Ic775e336e6480dfb56539e382edf292f2101ec8b Signed-off-by: Kyungwook Tak --- srcs/key_handler.c | 147 +++++++++++++++++++++++++---------------------------- 1 file changed, 70 insertions(+), 77 deletions(-) diff --git a/srcs/key_handler.c b/srcs/key_handler.c index cf3de1d..4607fdd 100644 --- a/srcs/key_handler.c +++ b/srcs/key_handler.c @@ -211,7 +211,7 @@ static int _extract_pkg_id_from_file_name(const char *file_name, char *pkg_id) start = start + strlen(APP_DEK_FILE_PFX) + 1; char *end = strstr(file_name, ".adek"); - if (start == NULL) { + if (end == NULL) { WAE_SLOGE("WAE: Fail to extract pkgid from APP_DEK file. file_name=%s", file_name); return WAE_ERROR_FILE; } 
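Review bot: With the check corrected to `end`, `strstr(file_name, ".adek")` still searches from the beginning of the name rather than from `start`, so a name in which `.adek` occurs before the position `start` was advanced to gives `end < start`. The copy into `pkg_id` lies outside this hunk, so I cannot see whether the length is validated there; if it is not, extending the guard to `if (end == NULL || end < start)` rejects such names before any length is computed. Bounding `end - start` against the caller's buffer (`MAX_PKGID_LEN` in `load_preloaded_app_deks`) belongs in the same place, since the names come from directory entries.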
@@ -236,6 +236,60 @@ int _write_encrypted_app_dek_to_file(const char *pkg_id, const raw_buffer_s *enc return _write_to_file(path, encrypted); } +int _load_preloaded_app_dek( + const raw_buffer_s *prikey, const char *filepath, const char *pkg_id) +{ + raw_buffer_s *encrypted_dek = NULL; + raw_buffer_s *dek = NULL; + raw_buffer_s *iv = NULL; + crypto_element_s *ce = NULL; + + int ret = _read_from_file(filepath, &encrypted_dek); + if (ret != WAE_ERROR_NONE) { + WAE_SLOGW("Failed to read file. It will be ignored. file=%s", filepath); + return ret; + } + + ret = decrypt_app_dek(prikey, APP_DEK_KEK_PRIKEY_PASSWORD, encrypted_dek, &dek); + if (ret != WAE_ERROR_NONE) { + WAE_SLOGW("Failed to decrypt dek. It will be ignored. file=%s", filepath); + goto finish; + } + + iv = buffer_create(IV_LEN); + if (iv == NULL) { + ret = WAE_ERROR_MEMORY; + goto finish; + } + + memcpy(iv->buf, AES_CBC_IV, iv->size); + + ce = crypto_element_create(dek, iv); + if (ce == NULL) { + ret = WAE_ERROR_MEMORY; + goto finish; + } + + ret = save_to_key_manager(pkg_id, pkg_id, WAE_PRELOADED_APP, ce); + if (ret == WAE_ERROR_KEY_EXISTS) { + WAE_SLOGI("Key Manager already has dek. It will be ignored. file=%s", filepath); + } else if (ret != WAE_ERROR_NONE) { + WAE_SLOGW("Fail to add APP DEK to key-manager. file=%s", filepath); + } + +finish: + buffer_destroy(encrypted_dek); + + if (ce == NULL) { + buffer_destroy(dek); + buffer_destroy(iv); + } else { + crypto_element_destroy(ce); + } + + return ret; +} + int get_app_ce(uid_t uid, const char *pkg_id, wae_app_type_e app_type, bool create_for_migrated_app, const crypto_element_s **pce) { @@ -438,7 +492,7 @@ int create_preloaded_app_ce(const char *pkg_id, const crypto_element_s **pce) } // store APP_DEK in cache - _add_app_ce_to_cache(pkg_id, ce); + ret = _add_app_ce_to_cache(pkg_id, ce); if (ret != WAE_ERROR_NONE) { WAE_SLOGE("Failed to add ce to cache for pkg_id(%s) ret(%d)", pkg_id, ret); goto error; 
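Review bot: `_load_preloaded_app_dek` tests only the return codes of `_read_from_file` and `decrypt_app_dek`, whereas the loop it replaces also treated `encrypted_dek == NULL` and `dek == NULL` as failures (see the removed lines in `load_preloaded_app_deks`). Unless both helpers guarantee a non-NULL buffer on `WAE_ERROR_NONE`, a NULL `dek` now reaches `crypto_element_create(dek, iv)`. Keeping the checks, e.g. `if (ret != WAE_ERROR_NONE || encrypted_dek == NULL)`, and setting `ret` to an error code in the NULL case would preserve the old behaviour. The helper appears to be called only from this file, so it could be `static`, and a short comment on the `finish:` block saying that `crypto_element_destroy(ce)` apparently takes over `dek` and `iv` would explain the two cleanup branches.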
@@ -479,15 +533,7 @@ int load_preloaded_app_deks(bool reload) int ret = WAE_ERROR_NONE; char pkg_id[MAX_PKGID_LEN] = {0, }; - char file_path_buff[MAX_PATH_LEN]; - raw_buffer_s *encrypted_dek = NULL; - raw_buffer_s *dek = NULL; - raw_buffer_s *iv = NULL; - raw_buffer_s *prikey = NULL; - crypto_element_s *ce = NULL; - - int error_during_loading = 0; if (!reload) { // check if all deks were already loaded into key-manager. @@ -497,6 +543,7 @@ int load_preloaded_app_deks(bool reload) return ret; } + raw_buffer_s *prikey = NULL; ret = _get_app_dek_kek(&prikey); if (ret != WAE_ERROR_NONE) { @@ -508,6 +555,7 @@ int load_preloaded_app_deks(bool reload) if (dir == NULL) { WAE_SLOGE("Fail to open dir. dir=%s", _get_dek_store_path()); + buffer_destroy(prikey); return WAE_ERROR_FILE; } @@ -515,11 +563,9 @@ int load_preloaded_app_deks(bool reload) struct dirent *result = NULL; while (true) { - int error = readdir_r(dir, &entry, &result); - - if (error != 0) { + if (readdir_r(dir, &entry, &result) != 0) { ret = WAE_ERROR_FILE; - goto error; + break; } // readdir_r returns NULL in *result if the end @@ -537,7 +583,7 @@ int load_preloaded_app_deks(bool reload) if (ret < 0) { WAE_SLOGE("Failed to make file path by snprintf."); ret = WAE_ERROR_INVALID_PARAMETER; /* buffer size too small */ - goto error; + break; } ret = _extract_pkg_id_from_file_name(entry.d_name, pkg_id); 
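Review bot: The path-building check `if (ret < 0)` in the `-537` hunk does not catch truncation, although its comment says "buffer size too small": `snprintf` returns the length it would have written, so an over-long entry name yields a non-negative `ret` and a silently shortened path is passed on to the key-loading code. `if (ret < 0 || (size_t)ret >= sizeof(file_path_buff))` covers both cases. The `snprintf` call itself sits just above the hunk, so this assumes it is bounded by `sizeof(file_path_buff)`. Separately, `readdir_r` in the `-515` hunk is deprecated in current glibc; `readdir` is the usual replacement if the toolchain allows it.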
@@ -548,75 +594,22 @@ int load_preloaded_app_deks(bool reload) continue; } - ret = _read_from_file(file_path_buff, &encrypted_dek); - - if (ret != WAE_ERROR_NONE || encrypted_dek == NULL) { - ++error_during_loading; - WAE_SLOGW("Failed to read file. It will be ignored. file=%s", file_path_buff); - continue; - } - - ret = decrypt_app_dek(prikey, APP_DEK_KEK_PRIKEY_PASSWORD, encrypted_dek, &dek); - - buffer_destroy(encrypted_dek); - encrypted_dek = NULL; - - if (ret != WAE_ERROR_NONE || dek == NULL) { - ++error_during_loading; - WAE_SLOGW("Failed to decrypt dek. It will be ignored. file=%s", - file_path_buff); - continue; - } - iv = buffer_create(IV_LEN); - if (iv == NULL) { - ++error_during_loading; - buffer_destroy(dek); - dek = NULL; - continue; - } - - memcpy(iv->buf, AES_CBC_IV, iv->size); - - ce = crypto_element_create(dek, iv); - if (ce == NULL) { - ++error_during_loading; - buffer_destroy(iv); - iv = NULL; - buffer_destroy(dek); - dek = NULL; - continue; - } - - ret = save_to_key_manager(pkg_id, pkg_id, WAE_PRELOADED_APP, ce); - - if (ret == WAE_ERROR_KEY_EXISTS) { - WAE_SLOGI("Key Manager already has dek. It will be ignored. file=%s", - file_path_buff); - } else if (ret != WAE_ERROR_NONE) { - ++error_during_loading; - WAE_SLOGW("Fail to add APP DEK to key-manager. 
file=%s", file_path_buff); - } - - crypto_element_destroy(ce); - ce = NULL; - } - - ret = set_app_deks_loaded_to_key_manager(); - -error: - if (ret != WAE_ERROR_NONE) { - if (ce) { - crypto_element_destroy(ce); + ret = _load_preloaded_app_dek(prikey, file_path_buff, pkg_id); + if (ret != WAE_ERROR_NONE && ret != WAE_ERROR_KEY_EXISTS) { + WAE_SLOGW("Failed to load app dek(%s) ret(%d)", file_path_buff, ret); } else { - buffer_destroy(dek); - buffer_destroy(iv); + WAE_SLOGI("Successfully load app dek(%s)", file_path_buff); + ret = WAE_ERROR_NONE; } } buffer_destroy(prikey); closedir(dir); - return ret; + if (ret != WAE_ERROR_NONE) + return ret; + else + return set_app_deks_loaded_to_key_manager(); } int remove_app_ce(uid_t uid, const char *pkg_id, wae_app_type_e app_type) -- cgit v1.2.3
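Review bot: After the loop, `ret` holds the result of whichever directory entry was handled last, so `set_app_deks_loaded_to_key_manager()` is skipped only when the final entry failed, while a failure on an earlier entry is overwritten by the next iteration. The failing branch logs a warning but leaves `ret` set, and the `continue` after `_extract_pkg_id_from_file_name` does the same. If per-file failures are meant to be ignored, as the helper's log messages say, keep them in a local, `int rc = _load_preloaded_app_dek(prikey, file_path_buff, pkg_id);`, and reserve `ret` for the errors that `break` out of the loop; if they are meant to be fatal, `break` on them. The end-of-directory exit is outside this hunk, so this assumes it does not reset `ret`.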