author | so.yu <so.yu@samsung.com> | 2013-08-29 19:57:28 +0900 |
---|---|---|
committer | so.yu <so.yu@samsung.com> | 2013-08-29 20:28:40 +0900 |
commit | 35e82577b3b6acacc9f37569e2ed244885a7f178 (patch) | |
tree | c86870a2857ae0dccf6cab83b8938382a16284cf | |
parent | 9e03a52218e1193a3e17e5fc865b030064eedd94 (diff) | |
parent | 8ab6aaac8bccd00433efd1bfa60828d6aa82fa61 (diff) | |
download | secure-storage-35e82577b3b6acacc9f37569e2ed244885a7f178.tar.gz secure-storage-35e82577b3b6acacc9f37569e2ed244885a7f178.tar.bz2 secure-storage-35e82577b3b6acacc9f37569e2ed244885a7f178.zip |
Sync with tizen_2.2tizen_3.0.m14.3_ivi_releasetizen_3.0.m14.2_ivi_releasetizen_3.0.2014.q3_common_releasesubmit/tizen_ivi_stable/20131116.100919submit/tizen_ivi_panda/20140403.011902submit/tizen_ivi_genivi/20140131.040653submit/tizen/20130912.090652submit/tizen/20130912.080353submit/tizen/20130830.004708ivi_oct_m2accepted/tizen_ivi_stable/20131116.111609accepted/tizen/ivi/panda/20140403.015004accepted/tizen/ivi/genivi/20140131.041859accepted/tizen/20130913.024907accepted/tizen/20130912.194132accepted/tizen/20130912.185949tizen_ivi_pandatizen_ivi_genivitizen_3.0.m14.3_ivitizen_3.0.m14.2_ivitizen_3.0.2014.q3_commonaccepted/tizen_ivi_pandaaccepted/tizen_genericaccepted/tizen_3.0.m14.3_iviaccepted/tizen_3.0.2014.q3_commonaccepted/tizen/ivi/stableaccepted/tizen/ivi/genivi
Conflicts:
packaging/secure-storage.spec
ss-server.manifest
-rw-r--r-- | CMakeLists.txt | 9 | ||||
-rwxr-xr-x[-rw-r--r--] | client/include/ss_client_intf.h | 7 | ||||
-rwxr-xr-x[-rw-r--r--] | client/src/ss_client_intf.c | 176 | ||||
-rwxr-xr-x[-rw-r--r--] | client/src/ss_manager.c | 102 | ||||
-rwxr-xr-x[-rw-r--r--] | include/secure_storage.h | 0 | ||||
-rwxr-xr-x[-rw-r--r--] | include/ss_manager.h | 12 | ||||
-rwxr-xr-x[-rw-r--r--] | packaging/secure-storage.spec | 18 | ||||
-rwxr-xr-x[-rw-r--r--] | server/include/ss_server_main.h | 4 | ||||
-rwxr-xr-x[-rw-r--r--] | server/src/ss_server_ipc.c | 90 | ||||
-rwxr-xr-x[-rw-r--r--] | server/src/ss_server_main.c | 534 | ||||
-rwxr-xr-x | ss-server.manifest | 20 | ||||
-rwxr-xr-x | ss-serverd | 4 | ||||
-rw-r--r-- | systemd/secure-storage.service (renamed from packaging/secure-storage.service) | 1 | ||||
-rw-r--r-- | systemd/secure-storage.socket | 6 |
14 files changed, 638 insertions, 345 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index f731e97..d6c395d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -13,7 +13,7 @@ SET(VERSION ${VERSION_MAJOR}.0.0)
 INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/include)
 INCLUDE(FindPkgConfig)
-pkg_check_modules(pkgs REQUIRED openssl dlog)
+pkg_check_modules(pkgs REQUIRED dukgenerator libsystemd-daemon)
 FOREACH(flag ${pkgs_CFLAGS})
 SET(EXTRA_CFLAGS "${EXTRA_CFLAGS} ${flag}")
@@ -56,11 +56,11 @@ SET_TARGET_PROPERTIES(ss-client PROPERTIES COMPILE_FLAGS "${libss-client_CFLAGS}
 ###################################################################################################
 ## for ss-server (binary)
 SET(ss-server_SOURCES ${ss_server_dir}/ss_server_ipc.c ${ss_server_dir}/ss_server_main.c)
-SET(ss-server_CFLAGS " -I. -I${ss_include_dir} -I${ss_server_include_dir} ${debug_type} ${use_key} ${OPENSSL_CFLAGS} -D_GNU_SOURCE ")
+SET(ss-server_CFLAGS " -I. -I${ss_include_dir} -I${ss_server_include_dir} ${debug_type} ${use_key} ${OPENSSL_CFLAGS} ${smack_groupid} -D_GNU_SOURCE ")
 SET(ss-server_LDFLAGS ${pkgs_LDFLAGS})
 ADD_EXECUTABLE(ss-server ${ss-server_SOURCES})
-TARGET_LINK_LIBRARIES(ss-server ${pkgs_LDFLAGS} -lsecurity-server-client)
+TARGET_LINK_LIBRARIES(ss-server ${pkgs_LDFLAGS} -lsecurity-server-client )
 SET_TARGET_PROPERTIES(ss-server PROPERTIES COMPILE_FLAGS "${ss-server_CFLAGS}")
 ####################################################################################################
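Review bot: `pkg_check_modules(pkgs REQUIRED dukgenerator libsystemd-daemon)` no longer lists `openssl` and `dlog`, yet the same hunk keeps `${OPENSSL_CFLAGS}` in `ss-server_CFLAGS`, the spec in this commit still has `BuildRequires: pkgconfig(openssl)`, and the client source now includes `<openssl/evp.h>`; unless another `pkg_check_modules` call outside this hunk resolves them, the OpenSSL and dlog flags are silently empty. Adding them back, `pkg_check_modules(pkgs REQUIRED openssl dlog dukgenerator libsystemd-daemon)`, or a comment stating where those flags come from, would make the dependency explicit. The trailing space added in `TARGET_LINK_LIBRARIES(ss-server ${pkgs_LDFLAGS} -lsecurity-server-client )` looks accidental.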
@@ -72,4 +72,5 @@ INSTALL(PROGRAMS ${CMAKE_BINARY_DIR}/ss-server DESTINATION bin)
 INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/secure-storage.pc DESTINATION ${LIB_INSTALL_DIR}/pkgconfig)
 INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/config DESTINATION share/secure-storage/)
 INSTALL(FILES ${CMAKE_CURRENT_SOURCE_DIR}/include/ss_manager.h DESTINATION include)
-INSTALL(PROGRAMS ${CMAKE_CURRENT_SOURCE_DIR}/ss-serverd DESTINATION /etc/rc.d/init.d)
+INSTALL(FILES ${CMAKE_CURRENT_SOURCE_DIR}/systemd/secure-storage.service DESTINATION /usr/lib/systemd/system)
+INSTALL(FILES ${CMAKE_CURRENT_SOURCE_DIR}/systemd/secure-storage.socket DESTINATION /usr/lib/systemd/system)
diff --git a/client/include/ss_client_intf.h b/client/include/ss_client_intf.h
index 49255ea..88a54ea 100644..100755
--- a/client/include/ss_client_intf.h
+++ b/client/include/ss_client_intf.h
@@ -66,3 +66,10 @@ int SsClientDataRead(const char* filepath, char* pRetBuf, size_t bufLen, size_t
 int SsClientGetInfo(const char* filepath, ssm_file_info_t* sfi, ssm_flag flag, const char* group_id);
 int SsClientDeleteFile(const char* pFilePath, ssm_flag flag, const char* group_id);
+
+int SsClientEncrypt(const char* pAppId, int idLen, const char* pBuffer, int bufLen, char** ppEncryptedBuffer, int* pEncryptedBufLen);
+
+int SsClientDecrypt(const char* pAppId, int idLen, const char* pBuffer, int bufLen, char** ppDecryptedBuffer, int* pDecryptedBufLen);
+
+int SsClientEncryptPreloadedApplication(const char* pBuffer, int bufLen, char** ppEncryptedBuffer, int* pEncryptedBufLen);
+int SsClientDecryptPreloadedApplication(const char* pBuffer, int bufLen, char** ppDecryptedBuffer, int* pEncryptedBufLen);
diff --git a/client/src/ss_client_intf.c b/client/src/ss_client_intf.c
index 577f8b7..ec9beb3 100644..100755
--- a/client/src/ss_client_intf.c
+++ b/client/src/ss_client_intf.c
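Review bot: The four new `SsClient*` prototypes in ss_client_intf.h carry no contract: whether `*ppEncryptedBuffer` is allocated by the callee and must be freed by the caller, what `*pEncryptedBufLen` holds on failure, and which `SS_*` codes come back. The implementations in this commit `calloc` the output inside the client and return 1 on success, so a short comment above the group such as `/* Output buffer is calloc'd by the callee and owned by the caller (free()). Returns 1 on success, SS_PARAM_ERROR / SS_ENCRYPTION_ERROR / SS_DECRYPTION_ERROR otherwise. */` would record that. `SsClientDecryptPreloadedApplication`'s last parameter is named `pEncryptedBufLen` although it receives the decrypted length; `pDecryptedBufLen` matches the sibling declarations and the definition in ss_client_intf.c.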
@@ -23,12 +23,16 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
+#include <openssl/evp.h>
+#include <openssl/crypto.h>
 #include "secure_storage.h"
 #include "ss_client_intf.h"
 #include "ss_client_ipc.h"
 #include "ss_manager.h"
+#include <dukgen.h>
+
 int SsClientDataStoreFromFile(const char* filepath, ssm_flag flag, const char* group_id)
 {
 ReqData_t* send_data = NULL;
@@ -264,7 +268,7 @@ Last :
 goto Free_and_Error;
 }
- SLOGE("Decrypted file name : %s\n", recv_data.data_filepath);
+ SECURE_SLOGD("Decrypted file name : %s\n", recv_data.data_filepath);
 Free_and_Error:
 free(send_data);
 Error:
@@ -408,8 +412,176 @@ int SsClientDeleteFile(const char *pFilePath, ssm_flag flag, const char* group_i
 Free_and_Error:
 free(send_data);
- SLOGE("Deleted file name: %s\n", recv_data.data_filepath);
+ SECURE_SLOGD("Deleted file name: %s\n", recv_data.data_filepath);
 Error:
 return recv_data.rsp_type;
 }
+
+
+//////////////////////////////
+__attribute__((visibility("hidden")))
+int DoCipher(const char* pInputBuf, int inputLen, char** ppOutBuf, int* pOutBufLen, char* pKey, int encryption)
+{
+ static const unsigned char iv[16] = {0xbd, 0xc3, 0xc5, 0xa5, 0xb8, 0xae, 0xc6, 0xbc, 0x20, 0xb3, 0xeb, 0xb0, 0xe6, 0xbf, 0xec, 0x20};
+ struct evp_cipher_st* pCipherAlgorithm = NULL;
+ EVP_CIPHER_CTX cipherCtx;
+ int tempLen = 0;
+ int result = 0;
+ int finalLen = 0;
+
+ pCipherAlgorithm = EVP_aes_256_cbc();
+ tempLen = (int)((inputLen / pCipherAlgorithm->block_size + 1) * pCipherAlgorithm->block_size);
+
+ *ppOutBuf = (char*)calloc(tempLen, 1);
+ EVP_CIPHER_CTX_init(&cipherCtx);
+
+ result = EVP_CipherInit(&cipherCtx, pCipherAlgorithm, (const unsigned char*)pKey, iv, encryption);
+ if(result != 1)
+ {
+ SLOGE("[%s] EVP_CipherInit failed", result);
+ goto Error;
+ }
+
+ result = EVP_CIPHER_CTX_set_padding(&cipherCtx, 1);
+ if(result != 1)
+ {
+ SLOGE("[%d] EVP_CIPHER_CTX_set_padding failed", result);
+ goto Error;
+ }
+
+ //cipher update operation
+ result = EVP_CipherUpdate(&cipherCtx, (unsigned char*)*ppOutBuf, pOutBufLen, (const unsigned char*)pInputBuf, inputLen);
+ if(result != 1)
+ {
+ SLOGE("[%d] EVP_CipherUpdate failed", result);
+ goto Error;
+ }
+
+ //cipher final operation
+ result = EVP_CipherFinal(&cipherCtx, (unsigned char*)*ppOutBuf + *pOutBufLen, &finalLen);
+ if(result != 1)
+ {
+ SLOGE("[%d] EVP_CipherFinal failed", result);
+ goto Error;
+ }
+ *pOutBufLen = *pOutBufLen + finalLen;
+ goto Last;
+Error:
+ result = SS_ENCRYPTION_ERROR;
+ free(*ppOutBuf);
+
+Last:
+ EVP_CIPHER_CTX_cleanup(&cipherCtx);
+ if((result != 1) && (encryption != 1))
+ result = SS_DECRYPTION_ERROR;
+
+ return result;
+}
+
+int SsClientEncrypt(const char* pAppId, int idLen, const char* pBuffer, int bufLen, char** ppEncryptedBuffer, int* pEncryptedBufLen)
+{
+ int result = 1;
+ char* pDuk = NULL;
+
+ if(!pAppId || idLen == 0 || !pBuffer || bufLen ==0)
+ {
+ SLOGE("Parameter error in SsClientEncrypt");
+ result = SS_PARAM_ERROR;
+ goto Error;
+ }
+
+ pDuk = GetDeviceUniqueKey(pAppId, idLen, 32);
+
+ if(DoCipher(pBuffer, bufLen, ppEncryptedBuffer, pEncryptedBufLen, pDuk, 1) != 1)
+ {
+ SLOGE("failed to encrypt data");
+ result = SS_ENCRYPTION_ERROR;
+ goto Error;
+ }
+
+ result = 1;
+
+Error:
+ if(pDuk)
+ free(pDuk);
+ return result;
+}
+
+int SsClientDecrypt(const char* pAppId, int idLen, const char* pBuffer, int bufLen, char** ppDecryptedBuffer, int* pDecryptedBufLen)
+{
+ int result = 1;
+ char* pDuk = NULL;
+
+ if(!pAppId || idLen == 0 || !pBuffer || bufLen ==0)
+ {
+ SLOGE("Parameter error in SsClientDecrypt");
+ result = SS_PARAM_ERROR;
+ goto Error;
+ }
+
+ pDuk = GetDeviceUniqueKey(pAppId, idLen, 32);
+
+ if(DoCipher(pBuffer, bufLen, ppDecryptedBuffer, pDecryptedBufLen, pDuk, 0) != 1)
+ {
+ SLOGE("failed to decrypt data\n");
+ result = SS_DECRYPTION_ERROR;
+ goto Error;
+ }
+ result = 1;
+
+Error:
+ if(pDuk)
+ free(pDuk);
+ return result;
+}
+
+int SsClientEncryptPreloadedApplication(const char* pBuffer, int bufLen, char** ppEncryptedBuffer, int* pEncryptedBufLen)
+{
+ int result = 0;
+ char duk[36] = {0,};
+
+ if(!pBuffer || bufLen ==0)
+ {
+ SLOGE("Parameter error");
+ result = SS_PARAM_ERROR;
+ goto Final;
+ }
+
+ if(DoCipher(pBuffer, bufLen, ppEncryptedBuffer, pEncryptedBufLen, duk, 1) != 1)
+ {
+ SLOGE("failed to decrypt data");
+ result = SS_ENCRYPTION_ERROR;
+ goto Final;
+ }
+
+ result = 1;
+
+Final:
+ return result;
+}
+
+int SsClientDecryptPreloadedApplication(const char* pBuffer, int bufLen, char** ppDecryptedBuffer, int* pDecryptedBufLen)
+{
+ int result = 0;
+ char duk[36] = {0,};
+
+ if(!pBuffer || bufLen ==0)
+ {
+ SLOGE("Parameter error");
+ result = SS_PARAM_ERROR;
+ goto Final;
+ }
+
+ if(DoCipher(pBuffer, bufLen, ppDecryptedBuffer, pDecryptedBufLen, duk, 0) != 1)
+ {
+ SLOGE("failed to decrypt data");
+ result = SS_DECRYPTION_ERROR;
+ goto Final;
+ }
+
+ result = 1;
+
+Final:
+ return result;
+}
diff --git a/client/src/ss_manager.c b/client/src/ss_manager.c
index a94357e..2edda6f 100644..100755
--- a/client/src/ss_manager.c
+++ b/client/src/ss_manager.c
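Review bot: DoCipher runs AES-256-CBC with the same hard-coded `iv` for every call, so two plaintexts encrypted under the same device key share identical ciphertext prefixes, and nothing authenticates the result; if the stored format can still change, a per-message random IV kept alongside the ciphertext, plus a MAC over both, is the usual fix and deserves at least a comment explaining why a fixed IV was chosen. Independently, the `calloc` result is never checked before `EVP_CipherUpdate` writes through it, the `Error:` path frees `*ppOutBuf` but leaves the caller holding the freed pointer, and `SLOGE("[%s] EVP_CipherInit failed", result)` passes an int to `%s` (the other three messages correctly use `%d`). In both `*PreloadedApplication` functions `duk` is an all-zero `char[36]`, so that key is a known constant and the output is obfuscation rather than encryption; a comment stating that this is intended would stop the next reader from assuming otherwise. `SsClientEncrypt`/`SsClientDecrypt` also hand `GetDeviceUniqueKey`'s result to DoCipher without a NULL check, and the encrypt variant's failure message reads "failed to decrypt data".
```c
	*ppOutBuf = (char*)calloc(tempLen, 1);
	if(*ppOutBuf == NULL)
	{
		SLOGE("calloc(%d) failed", tempLen);
		*pOutBufLen = 0;
		return (encryption == 1) ? SS_ENCRYPTION_ERROR : SS_DECRYPTION_ERROR;
	}
	EVP_CIPHER_CTX_init(&cipherCtx);
	// … unchanged: EVP_CipherInit (log with "[%d]"), set_padding, CipherUpdate, CipherFinal …
Error:
	result = SS_ENCRYPTION_ERROR;
	free(*ppOutBuf);
	*ppOutBuf = NULL;	// never return a freed buffer to the caller
	*pOutBufLen = 0;
```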
@@ -212,3 +212,105 @@ int ssm_delete_file(const char *pFilePath, ssm_flag flag, const char* group_id)
 Error:
 return -(ret);
 }
+
+SS_API
+int ssm_encrypt(const char* pAppId, int idLen, const char* pBuffer, int bufLen, char** ppEncryptedBuffer, int* pEncryptedBufLen)
+{
+ int ret = 0;
+
+ if(!pAppId || idLen == 0 || !pBuffer || bufLen ==0)
+ {
+ SLOGE("Parameter error.\n");
+ ret = SS_PARAM_ERROR;
+ goto Error;
+ }
+
+ ret = SsClientEncrypt(pAppId, idLen, pBuffer, bufLen, ppEncryptedBuffer, pEncryptedBufLen);
+
+ if(ret == 1) // success
+ {
+ SLOGI("Application encryption succeeded.\n");
+ return 0;
+ }
+ else // fail
+ SLOGE("Application encryption failed.\n");
+
+Error:
+ return -(ret);
+}
+
+SS_API
+int ssm_decrypt(const char* pAppId, int idLen, const char* pBuffer, int bufLen, char** ppDecryptedBuffer, int* pDecryptedBufLen)
+{
+ int ret = 0;
+
+ if(!pAppId || idLen == 0 || !pBuffer || bufLen ==0)
+ {
+ SLOGE("Parameter error.\n");
+ ret = SS_PARAM_ERROR;
+ goto Error;
+ }
+
+ ret = SsClientDecrypt(pAppId, idLen, pBuffer, bufLen, ppDecryptedBuffer, pDecryptedBufLen);
+
+ if(ret == 1) // success
+ {
+ SLOGI("Application decryption succeeded.\n");
+ return 0;
+ }
+ else // fail
+ SLOGE("Application decryption failed.\n");
+
+Error:
+ return -(ret);
+}
+
+SS_API
+int ssm_encrypt_preloaded_application(const char* pBuffer, int bufLen, char** ppEncryptedBuffer, int* pEncryptedBufLen)
+{
+ int ret = 0;
+
+ if(!pBuffer || bufLen ==0)
+ {
+ SLOGE("Parameter error.\n");
+ ret = SS_PARAM_ERROR;
+ goto Error;
+ }
+
+ ret = SsClientEncryptPreloadedApplication(pBuffer, bufLen, ppEncryptedBuffer, pEncryptedBufLen);
+ if(ret == 1) // success
+ {
+ SLOGI("Application decryption succeeded.\n");
+ return 0;
+ }
+ else // fail
+ SLOGE("Application decryption failed.\n");
+
+Error:
+ return -(ret);
+}
+
+SS_API
+int ssm_decrypt_preloaded_application(const char* pBuffer, int bufLen, char** ppDecryptedBuffer, int* pDecryptedBufLen)
+{
+ int ret = 0;
+
+ if(!pBuffer || bufLen ==0)
+ {
+ SLOGE("Parameter error.\n");
+ ret = SS_PARAM_ERROR;
+ goto Error;
+ }
+
+ ret = SsClientDecryptPreloadedApplication(pBuffer, bufLen, ppDecryptedBuffer, pDecryptedBufLen);
+ if(ret == 1) // success
+ {
+ SLOGI("Application decryption succeeded.\n");
+ return 0;
+ }
+ else // fail
+ SLOGE("Application decryption failed.\n");
+
+Error:
+ return -(ret);
+}
diff --git a/include/secure_storage.h b/include/secure_storage.h
index 67ff3d0..67ff3d0 100644..100755
--- a/include/secure_storage.h
+++ b/include/secure_storage.h
diff --git a/include/ss_manager.h b/include/ss_manager.h
index 942a1a1..1d14ca4 100644..100755
--- a/include/ss_manager.h
+++ b/include/ss_manager.h
@@ -45,6 +45,8 @@ typedef enum {
 SSM_FLAG_SECRET_PRESERVE, // for preserved operation
 SSM_FLAG_SECRET_OPERATION, // for oma drm , wifi addr, divx and bt addr
 SSM_FLAG_WIDGET, // for wiget encryption/decryption
+ SSM_FLAG_WEB_APP,
+ SSM_FLAG_PRELOADED_WEB_APP,
 SSM_FLAG_MAX
 } ssm_flag;
@@ -74,6 +76,7 @@ typedef struct {
 #define SS_SIZE_ERROR 0x0000000b // 11
 #define SS_SECURE_STORAGE_ERROR 0x0000000c // 12
 #define SS_PERMISSION_DENIED 0x0000000d // 13
+#define SS_TZ_ERROR 0x0000000e // 14
 #ifdef __cplusplus
 extern "C" {
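Review bot: `ssm_encrypt_preloaded_application` logs `Application decryption succeeded.` and `Application decryption failed.` although it encrypts; both strings should say `encryption`, matching `ssm_encrypt`. All four new functions validate `pBuffer`/`bufLen` (and `pAppId`/`idLen`) but not the output pointers, which the client layer then writes through; extending the check with `|| !ppEncryptedBuffer || !pEncryptedBufLen` (resp. the `Decrypted` pair) turns a NULL argument into `SS_PARAM_ERROR` instead of a fault inside DoCipher. Since `ret` is whatever the `SsClient*` call returned, the `-(ret)` return relies on every failure code being positive, which holds for the `SS_*` values visible in this commit but is worth a one-line comment at the `Error:` label.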
@@ -387,6 +390,15 @@ int ssm_getinfo(const char* pFilePath, ssm_file_info_t* sfi, ssm_flag flag, cons
 /*================================================================================================*/
 int ssm_delete_file(const char* pFilePath, ssm_flag flag, const char* group_id);
+//for wrt installer
+/*================================================================================================*/
+int ssm_encrypt(const char* pAppId, int idLen, const char* pBuffer, int bufLen, char** ppEncryptedBuffer, int* pEncryptedBufLen);
+int ssm_decrypt(const char* pAppId, int idLen, const char* pBuffer, int bufLen, char** ppDecryptedBuffer, int* pDecryptedBufLen);
+
+int ssm_encrypt_preloaded_application(const char* pBuffer, int bufLen, char** ppEncryptedBuffer, int* pEncryptedBufLen);
+int ssm_decrypt_preloaded_application(const char* pBuffer, int bufLen, char** ppDecryptedBuffer, int* pDecryptedBufLen);
+
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/packaging/secure-storage.spec b/packaging/secure-storage.spec
index d416a0e..e8bd09a 100644..100755
--- a/packaging/secure-storage.spec
+++ b/packaging/secure-storage.spec
@@ -5,15 +5,15 @@ Release: 4
 Group: System/Security
 License: Apache 2.0
 Source0: secure-storage-%{version}.tar.gz
-Source1: secure-storage.service
 Source1001: libss-client.manifest
 Source1002: libss-client-devel.manifest
 Source1003: ss-server.manifest
 BuildRequires: pkgconfig(openssl)
 BuildRequires: pkgconfig(dlog)
-#BuildRequires: pkgconfig(libsystemd-daemon)
+BuildRequires: pkgconfig(libsystemd-daemon)
 BuildRequires: pkgconfig(security-server)
 BuildRequires: cmake
+BuildRequires: pkgconfig(dukgenerator)
 %description
 Secure storage package
@@ -22,6 +22,7 @@ Secure storage package
 Summary: Secure storage (client)
 Group: Development/Libraries
 Provides: libss-client.so
+Requires: dukgenerator
 %description -n libss-client
 Secure storage package (client)
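Review bot: The public prototypes `ssm_encrypt`, `ssm_decrypt`, `ssm_encrypt_preloaded_application` and `ssm_decrypt_preloaded_application` are added to ss_manager.h with only `//for wrt installer` as explanation, while the functions above them sit under descriptive comment blocks. From the implementation in this commit they return `0` on success and a negated `SS_*` error code on failure, `idLen`/`bufLen` must be non-zero, and the output buffer is allocated by the library and must be released by the caller with `free()`; a comment block stating those three facts would match the rest of the header and prevent leaks at call sites. The new `SS_TZ_ERROR` code does not appear to be used by any hunk shown here; a short comment on what it signals would help readers of the error list.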
@@ -61,13 +62,9 @@ make %{?jobs:-j%jobs}
 %make_install
 mkdir -p %{buildroot}%{_prefix}/lib/systemd/system/multi-user.target.wants
-install -m 0644 %{SOURCE1} %{buildroot}%{_prefix}/lib/systemd/system/secure-storage.service
+mkdir -p %{buildroot}%{_prefix}/lib/systemd/system/sockets.target.wants
 ln -s ../secure-storage.service %{buildroot}%{_prefix}/lib/systemd/system/multi-user.target.wants/secure-storage.service
-
-mkdir -p %{buildroot}%{_sysconfdir}/rc.d/rc3.d
-mkdir -p %{buildroot}%{_sysconfdir}/rc.d/rc5.d
-ln -s ../init.d/ss-serverd %{buildroot}%{_sysconfdir}/rc.d/rc3.d/S40ss-server
-ln -s ../init.d/ss-serverd %{buildroot}%{_sysconfdir}/rc.d/rc5.d/S40ss-server
+ln -s ../secure-storage.socket %{buildroot}%{_prefix}/lib/systemd/system/sockets.target.wants/secure-storage.socket
 mkdir -p %{buildroot}/usr/share/license
 cp LICENSE.APLv2 %{buildroot}/usr/share/license/ss-server
@@ -94,12 +91,11 @@ systemctl daemon-reload
 %files -n ss-server
 %manifest ss-server.manifest
 %defattr(-,root,root,-)
-%attr(0755,root,root) %{_sysconfdir}/rc.d/init.d/ss-serverd
-%{_sysconfdir}/rc.d/rc3.d/S40ss-server
-%{_sysconfdir}/rc.d/rc5.d/S40ss-server
 %{_bindir}/ss-server
 %{_prefix}/lib/systemd/system/secure-storage.service
 %{_prefix}/lib/systemd/system/multi-user.target.wants/secure-storage.service
+%{_prefix}/lib/systemd/system/secure-storage.socket
+%{_prefix}/lib/systemd/system/sockets.target.wants/secure-storage.socket
 %{_datadir}/secure-storage/config
 /usr/share/license/ss-server
diff --git a/server/include/ss_server_main.h b/server/include/ss_server_main.h
index c549d58..52ef9ed 100644..100755
--- a/server/include/ss_server_main.h
+++ b/server/include/ss_server_main.h
@@ -65,7 +65,7 @@ int SsServerDataRead(int sender_pid, const char* filepath, char* pRetBuf, unsign
 * - file_info
 * @return type: int
 */
-
+
 #ifndef SMACK_GROUP_ID
 int SsServerGetInfo(int sender_pid, const char* filepath, char* file_info, ssm_flag flag, const char* cookie, const char* group_id);
 int SsServerDeleteFile(int sender_pid, const char* filepath, ssm_flag flag, const char* cookie, const char* group_id);
@@ -73,3 +73,5 @@ int SsServerDeleteFile(int sender_pid, const char* filepath, ssm_flag flag, cons
 int SsServerGetInfo(int sender_pid, const char* filepath, char* file_info, ssm_flag flag, int sockfd, const char* group_id);
 int SsServerDeleteFile(int sender_pid, const char* filepath, ssm_flag flag, int sockfd, const char* group_id);
 #endif
+
+
diff --git a/server/src/ss_server_ipc.c b/server/src/ss_server_ipc.c
index 93006d1..e0cc5e0 100644..100755
--- a/server/src/ss_server_ipc.c
+++ b/server/src/ss_server_ipc.c
@@ -32,7 +32,7 @@
 #include <dirent.h>
 #include <sys/ioctl.h>
 #include <fcntl.h>
-
+#include <systemd/sd-daemon.h>
 #include "secure_storage.h"
 #include "ss_server_ipc.h"
 #include "ss_server_main.h"
@@ -103,7 +103,7 @@ int check_key_file()
 if(!(fp_key = fopen(key_path, "r")))
 {
- SLOGE("Secret key file is not exist, [%s]\n", key_path);
+ SECURE_SLOGE("Secret key file is not exist, [%s]\n", key_path);
 free(key_path);
 return 0;
 }
@@ -150,14 +150,22 @@ int make_key_file()
 if(!(fp_key = fopen(key_path, "w")))
 {
- SLOGE("Secret key file Open error, [%s]\n", key_path);
+ SECURE_SLOGE("Secret key file Open error, [%s]\n", key_path);
 free(key_path);
 close(random_dev);
 return 0;
 }
 fprintf(fp_key, "%s", key);
- chmod(key_path, 0600);
+
+ if(chmod(key_path, 0600)!=0)
+ {
+ SLOGE("Secret key file chmod error, [%s]\n", strerror(errno));
+ free(key_path);
+ close(random_dev);
+ fclose(fp_key);
+ return 0;
+ }
 free(key_path);
 fclose(fp_key);
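Review bot: In `make_key_file` the secret key is written with `fprintf` before `chmod(key_path, 0600)` runs, so between `fopen(key_path, "w")` and the new `chmod` check the file exists with the process's umask-derived mode; checking the `chmod` result is an improvement but does not close that window. Creating the file with the intended mode removes it: `int fd = open(key_path, O_WRONLY | O_CREAT | O_TRUNC, 0600); if(fd < 0 || !(fp_key = fdopen(fd, "w")))` in place of the `fopen` (`<fcntl.h>` is already included), keeping the `chmod` only as a fix-up for a pre-existing file. The new failure branch also returns with the key already on disk; consider `unlink(key_path)` before returning so a file with the wrong permissions does not linger, and note that `fclose` is called after `fprintf` without checking either result. `make_key_file` continues past the end of the hunk.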
@@ -191,45 +199,67 @@ void SsServerComm(void)
 server_sockfd = client_sockfd = -1;
- if((server_sockfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
+ int number_fds = sd_listen_fds(1);
+ if (number_fds > 1)
 {
- SLOGE("Error in function socket()..\n");
- send_data.rsp_type = SS_SOCKET_ERROR; // ipc error
+ SLOGE("Too many file descriptors received..\n");
+ send_data.rsp_type = SS_SOCKET_ERROR; // ipc error
 goto Error_exit;
 }
+ if (number_fds == 1)
+ {
+ int r;
+ if ((r = sd_is_socket_unix(SD_LISTEN_FDS_START, SOCK_STREAM, 1, SS_SOCK_PATH, 0)) <= 0)
+ {
+ SLOGE("The file descriptor received from systemd is of a wrong type.\n");
+ send_data.rsp_type = SS_SOCKET_ERROR; // ipc error
+ goto Error_exit;
+ }
+ server_sockfd = SD_LISTEN_FDS_START + 0;
+ }
+ else
+ {
+ if((server_sockfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
+ {
+ SLOGE("Error in function socket()..\n");
+ send_data.rsp_type = SS_SOCKET_ERROR; // ipc error
+ goto Error_exit;
+ }
- temp_len_sock = strlen(SS_SOCK_PATH);
-
- bzero(&serveraddr, sizeof(serveraddr));
- serveraddr.sun_family = AF_UNIX;
- strncpy(serveraddr.sun_path, SS_SOCK_PATH, temp_len_sock);
- serveraddr.sun_path[temp_len_sock] = '\0';
+ temp_len_sock = strlen(SS_SOCK_PATH);
+
+ memset(&serveraddr, '0', sizeof(serveraddr));
+ serveraddr.sun_family = AF_UNIX;
+ strncpy(serveraddr.sun_path, SS_SOCK_PATH, temp_len_sock);
+ serveraddr.sun_path[temp_len_sock] = '\0';
- if((bind(server_sockfd, (struct sockaddr*)&serveraddr, sizeof(serveraddr))) < 0)
- {
- unlink("/tmp/SsSocket");
 if((bind(server_sockfd, (struct sockaddr*)&serveraddr, sizeof(serveraddr))) < 0)
 {
- SLOGE("Error in function bind()..\n");
- send_data.rsp_type = SS_SOCKET_ERROR; // ipc error
- goto Error_close_exit;
+ unlink(SS_SOCK_PATH);
+ if((bind(server_sockfd, (struct sockaddr*)&serveraddr, sizeof(serveraddr))) < 0)
+ {
+ SLOGE("Error in function bind()..\n");
+ send_data.rsp_type = SS_SOCKET_ERROR; // ipc error
+ goto Error_close_exit;
+ }
 }
- }
- if(chmod(SS_SOCK_PATH, S_IRWXU | S_IRWXG | S_IRWXO) != 0)
- {
- send_data.rsp_type = SS_SOCKET_ERROR;
- goto Error_close_exit;
- }
+ if(chmod(SS_SOCK_PATH, S_IRWXU | S_IRWXG | S_IRWXO) != 0)
+ {
+ send_data.rsp_type = SS_SOCKET_ERROR;
+ goto Error_close_exit;
+ }
- if((listen(server_sockfd, 5)) < 0)
- {
- SLOGE("Error in function listen()..\n");
- send_data.rsp_type = SS_SOCKET_ERROR; // ipc error
- goto Error_close_exit;
+ if((listen(server_sockfd, 5)) < 0)
+ {
+ SLOGE("Error in function listen()..\n");
+ send_data.rsp_type = SS_SOCKET_ERROR; // ipc error
+ goto Error_close_exit;
+ }
 }
 signal(SIGINT, (void*)SigHandler);
+ sd_notify(0, "READY=1");
 while(1)
 {
diff --git a/server/src/ss_server_main.c b/server/src/ss_server_main.c
index 6344116..34c1919 100644..100755
--- a/server/src/ss_server_main.c
+++ b/server/src/ss_server_main.c
@@ -40,6 +40,7 @@
 #include <unistd.h>
 #include <dirent.h>
 #include <errno.h>
+#include <openssl/hmac.h>
 #include <openssl/aes.h>
 #include <openssl/sha.h>
@@ -112,7 +113,7 @@ char* get_preserved_dir()
 int IsSmackEnabled()
 {
 FILE *file = NULL;
- if(file = fopen("/smack/load2", "r"))
+ if((file = fopen("/smack/load2", "r")))
 {
 fclose(file);
 return 1;
@@ -185,13 +186,13 @@ unsigned short GetHashCode(const unsigned char* pString)
 return hash;
 }
-int IsDirExist(char* dirpath)
+int IsDirExist(const char* dirpath)
 {
 DIR* dp = NULL;
 if((dp = opendir(dirpath)) == NULL) // dir is not exist
 {
- SLOGE("directory [%s] is not exist.\n", dirpath);
+ SECURE_SLOGE("directory [%s] is not exist.\n", dirpath);
 return 0; // return value '0' represents dir is not exist
 }
 else
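Review bot: `memset(&serveraddr, '0', sizeof(serveraddr));` fills the address with the character `'0'` (0x30) rather than zero bytes; the `bzero` it replaces cleared the struct. The following `strncpy` plus explicit terminator keeps `sun_path` usable, but every other byte of the struct now holds 0x30 and the line invites copy-paste; it should be `memset(&serveraddr, 0, sizeof(serveraddr));`. The self-created branch still applies `chmod(SS_SOCK_PATH, S_IRWXU | S_IRWXG | S_IRWXO)`, making the socket world-accessible, while the socket-activated branch inherits whatever mode the new `secure-storage.socket` unit sets; the two paths should agree and the intended mode deserves a comment here. A negative return from `sd_listen_fds(1)` (an error rather than "no fds") silently falls into the self-created branch, so logging that case would ease diagnosing activation problems. `SsServerComm` continues past the end of the hunk.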
@@ -203,69 +204,21 @@ int IsDirExist(char* dirpath)
 return -1;
 }
-int check_privilege(const char* cookie, const char* group_id)
-{
-// int ret = -1; // if success, return 0
-// int gid = -1;
-
-// if(!strncmp(group_id, "NOTUSED", 7)) // group_id is NULL
-// return 0;
-// else
-// {
-// gid = security_server_get_gid(group_id);
-// ret = security_server_check_privilege(cookie, gid);
-// }
-
-// return ret;
- return 0; // success always
-}
-
 int check_privilege_by_sockfd(int sockfd, const char* object, const char* access_rights)
 {
- int ret = -1; // if success, return 0
- const char* private_group_id = "NOTUSED";
- if(!IsSmackEnabled())
- {
 return 0;
- }
-
- if(!strncmp(object,"NOTUSED", strlen(private_group_id)))
- {
- SLOGD("requested default group_id :%s. get smack label", object);
- char* client_process_smack_label = security_server_get_smacklabel_sockfd(sockfd);
- if(client_process_smack_label)
- {
- SLOGD("defined smack label : %s", client_process_smack_label);
- strncpy(object, client_process_smack_label, strlen(client_process_smack_label));
- free(client_process_smack_label);
- }
- else
- {
- SLOGD("failed to get smack label");
- return -1;
- }
- }
-
- SLOGD("object : %s, access_rights : %s", object, access_rights);
- ret = security_server_check_privilege_by_sockfd(sockfd, object, access_rights);
+ int ret = security_server_check_privilege_by_sockfd(sockfd, object, access_rights);
+ SECURE_SLOGD("object : %s, access_rights : %s, ret : %d", object, access_rights, ret);
 return ret;
 }
 /* convert normal file path to secure storage file path */
 int ConvertFileName(int sender_pid, char* dest, const char* src, ssm_flag flag, const char* group_id)
 {
- char* if_pointer = NULL;
- unsigned short h_code = 0;
- unsigned short h_code2 = 0;
- unsigned char path_hash[SHA_DIGEST_LENGTH + 1];
 char s[33+1];
- const char* dir = NULL;
- char tmp_cmd[32] = {0, };
- char tmp_buf[10] = {0, };
- const unsigned char exe_path[256] = {0, };
- FILE* fp_proc = NULL;
+ const char* dir = group_id;
 char* preserved_dir = NULL;
 int is_dir_exist = -1;
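Review bot: `check_privilege_by_sockfd` now begins with an unconditional `return 0;` — the removed lines include `if(!IsSmackEnabled())` and its opening brace, but the `return 0;` they guarded was kept as context — so the new `security_server_check_privilege_by_sockfd` call and `return ret;` below it are unreachable and every permission check in the server reports success. Restoring the guard as a single line, `if(!IsSmackEnabled()) return 0;`, directly above `int ret = ...` makes the new body effective again; the line counts in the hunk header (`+204,21`) confirm the stray `return 0;` survives on the new side. A comment on the remaining early return, noting that a non-SMACK build deliberately grants all requests, would also help, since that behaviour is otherwise easy to mistake for a bug. `ConvertFileName` begins at the end of this hunk and continues beyond it.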
@@ -275,221 +228,170 @@ int ConvertFileName(int sender_pid, char* dest, const char* src, ssm_flag flag, return SS_FILE_OPEN_ERROR; // file related error } - memset(tmp_cmd, 0x00, 32); - snprintf(tmp_cmd, 32, "/proc/%d/cmdline", sender_pid); + // get top-dir path + if(flag == SSM_FLAG_SECRET_PRESERVE) + { + preserved_dir = get_preserved_dir(); + if(preserved_dir == NULL) // fail to get preserved directory + { + SLOGE("fail to get preserved dir\n"); + return SS_FILE_OPEN_ERROR; + } + + strncpy(dest, preserved_dir, strlen(preserved_dir)); //dest <= /csa + free(preserved_dir); + } + else // SSM_FLAG_SECRET_DATA || SSM_FLAG_SECRET_OPERATION || SSM_FLAG_PRELOADED_WEB_APP + { + if(CreateStorageDir(SS_STORAGE_DEFAULT_PATH) < 0) + { + return SS_FILE_OPEN_ERROR; + } + // TBD + strncpy(dest, SS_STORAGE_DEFAULT_PATH, strlen(SS_STORAGE_DEFAULT_PATH) + 1); + } + + strncat(dest, dir, (strlen(dir))); // add top-dir + dir(label) + strncat(dest, "/", 1); + + if(CreateStorageDir(dest) < 0) + { + return SS_FILE_OPEN_ERROR; + } + + strncat(dest, "_", 1); // /top-dir/label/_ + + GetPathHash(src, s); + strncat(dest, s, strlen(s)); // /top-dir/label/_hash + strncat(dest, SS_FILE_POSTFIX, strlen(SS_FILE_POSTFIX)); // /top-dir/label/_hash.e + + SECURE_SLOGD("final dest : %s", dest); + + return 1; +} + +int GetProcessExecPath(int pid, char* buffer) +{ + char tmp_cmd[32] = {0,}; + FILE *fp_proc = NULL; + snprintf(tmp_cmd, 32, "/proc/%d/cmdline", pid); if(!(fp_proc = fopen(tmp_cmd, "r"))) { - SLOGE("file open error: [%s]", tmp_cmd); + SECURE_SLOGE("file open error: [%s]", tmp_cmd); return SS_FILE_OPEN_ERROR; } - - fgets((char*)exe_path, 256, fp_proc); + + fgets((char*)buffer, 256, fp_proc); fclose(fp_proc); - if(!strncmp(group_id, "NOTUSED", 7)) // don't share + return 0; +} + +int GetProcessSmackLabel(int sockfd, char* proc_smack_label) +{ + char* smack_label = security_server_get_smacklabel_sockfd(sockfd); + if(smack_label) { - h_code2 = GetHashCode(exe_path); - memset(tmp_buf, 0x00, 10); - 
snprintf(tmp_buf, 10, "%u", h_code2); - dir = tmp_buf; + strncpy(proc_smack_label, smack_label, strlen(smack_label)); + free(smack_label); } - else // share - dir = group_id; - - if_pointer = strrchr(src, '/'); - - if(flag == SSM_FLAG_DATA) // /opt/share/secure-storage/* + else { - // check whether directory is exist or not - is_dir_exist = IsDirExist(SS_STORAGE_DEFAULT_PATH); - - if (is_dir_exist == 0) // SS_STORAGE_FILE_PATH is not exist - { - SLOGI("directory [%s] is making now.\n", SS_STORAGE_DEFAULT_PATH); - if(mkdir(SS_STORAGE_DEFAULT_PATH, 0700) < 0) // fail to make directory - { - SLOGE("[%s] cannot be made\n", SS_STORAGE_DEFAULT_PATH); - return SS_FILE_OPEN_ERROR; - } - } - else if (is_dir_exist == -1) // Unknown error - { - SLOGE("Unknown error in the function IsDirExist().\n"); - return SS_PARAM_ERROR; - } + SLOGE("failed to get smack label"); + return -1; // SS_SECURITY_SERVER_ERROR? + } + SECURE_SLOGD("defined smack label : %s", proc_smack_label); + return 0; +} - // TBD - strncpy(dest, SS_STORAGE_DEFAULT_PATH, MAX_FILENAME_LEN - 1); - strncat(dest, dir, (strlen(dest) - 1)); - strncat(dest, "/", 1); +int GetPathHash(const char *src, char *output) +{ + unsigned short h_code = 0; + unsigned char path_hash[SHA_DIGEST_LENGTH + 1]; - // make directory - dest[strlen(SS_STORAGE_DEFAULT_PATH) + strlen(dir) + 2] = '\0'; - is_dir_exist = IsDirExist(dest); + SHA1((unsigned char*)src, (size_t)strlen(src), path_hash); + h_code = GetHashCode(path_hash); + memset(output, 0x00, 34); + snprintf(output, 34, "%u", h_code); - if(is_dir_exist == 0) // not exist - { - SLOGI("%s is making now.\n", dest); - if(mkdir(dest, 0700) < 0) // fail to make directory - { - SLOGE("[%s] cannot be made\n", dest); - return SS_FILE_OPEN_ERROR; - } - } - - int length_of_file = 0; - if(if_pointer != NULL) - { - strncat(dest, if_pointer + 1, strlen(if_pointer) + 1); - } - strncat(dest, "_", 1); + SECURE_SLOGD("hashing src : %s to output : %s", src, output); - SHA1((unsigned char*)src, 
(size_t)strlen(src), path_hash); - h_code = GetHashCode(path_hash); - memset(s, 0x00, 34); - snprintf(s, 34, "%u", h_code); - strncat(dest, s, strlen(s)); - strncat(dest, SS_FILE_POSTFIX, strlen(SS_FILE_POSTFIX)); + return 0; +} - dest[strlen(SS_STORAGE_DEFAULT_PATH) + strlen(dir) + length_of_file + strlen(s) + strlen(SS_FILE_POSTFIX) + 4] = '\0'; - } - else if(flag == SSM_FLAG_SECRET_PRESERVE) // /tmp/csa/ + +int CreateStorageDir(const char* path) +{ + int is_dir_exist = IsDirExist(path); + + if (is_dir_exist == 0) // path directory is not exist { - preserved_dir = get_preserved_dir(); - if(preserved_dir == NULL) // fail to get preserved directory + SECURE_SLOGI("directory [%s] is making now.\n", path); + if(mkdir(path, 0700) < 0) // fail to make directory { - SLOGE("fail to get preserved dir\n"); - return SS_FILE_OPEN_ERROR; + SLOGE("[%s] cannot be made\n", SS_STORAGE_DEFAULT_PATH); + return -SS_FILE_OPEN_ERROR; } - - if(strncmp(src, preserved_dir, strlen(preserved_dir)) == 0) //src[0] == '/') - { - strncpy(dest, src, MAX_FILENAME_LEN - 1); - strncat(dest, SS_FILE_POSTFIX, strlen(SS_FILE_POSTFIX)); + } - dest[strlen(src) + strlen(SS_FILE_POSTFIX)] = '\0'; - } - else if(if_pointer != NULL) // absolute path == file - { - strncpy(dest, preserved_dir, MAX_FILENAME_LEN - 1); - strncat(dest, if_pointer + 1, strlen(if_pointer) + 1); - strncat(dest, SS_FILE_POSTFIX, strlen(SS_FILE_POSTFIX)); - dest[strlen(preserved_dir) + strlen(if_pointer) + strlen(SS_FILE_POSTFIX) + 1] = '\0'; - } - else // relative path == buffer - { - strncpy(dest, preserved_dir, MAX_FILENAME_LEN - 1); - strncat(dest, src, strlen(src)); - strncat(dest, SS_FILE_POSTFIX, strlen(SS_FILE_POSTFIX)); - dest[strlen(preserved_dir) + strlen(src) + strlen(SS_FILE_POSTFIX)] = '\0'; - } + return 0; +} - free(preserved_dir); +/* + * if group_id is given, use group_id + * + * if NULL group_id is given + * smack enable : use process smack label + * smack disable : use process exec path + * + */ +int 
GetProcessStorageDir(int sockfd, int sender_pid, const char* group_id, char* output) +{ + char *object = group_id; + char proc_smack_label[MAX_GROUP_ID_LEN+1] = {0,}; + char hash_buf[10] = {0, }; + int is_shared = strncmp(group_id, "NOTUSED", 7) ? 1 : 0; - } - else if(flag == SSM_FLAG_SECRET_OPERATION) // /opt/share/secure-storage/ +#ifdef SMACK_GROUP_ID + if(IsSmackEnabled()) { - if(if_pointer != NULL) // absolute path == input is a file + if(!is_shared) // don't share, use process smack label { - // check whether directory is exist or not - is_dir_exist = IsDirExist(SS_STORAGE_DEFAULT_PATH); - - if (is_dir_exist == 0) // SS_STORAGE_FILE_PATH is not exist - { - SLOGI("%s is making now.\n", SS_STORAGE_DEFAULT_PATH); - if(mkdir(SS_STORAGE_DEFAULT_PATH, 0700) < 0) // fail to make directory - { - SLOGE("[%s] cannnot be made\n", SS_STORAGE_DEFAULT_PATH); - return SS_FILE_OPEN_ERROR; - } - } - else if (is_dir_exist == -1) // Unknown error + if(GetProcessSmackLabel(sockfd, proc_smack_label) != 0) { - SLOGE("Unknown error in the function IsDirExist().\n"); - return SS_PARAM_ERROR; + return -SS_SECURE_STORAGE_ERROR; } - - strncpy(dest, SS_STORAGE_DEFAULT_PATH, MAX_FILENAME_LEN - 1); - strncat(dest, dir, strlen(dir)); - strncat(dest, "/", 1); - - // make directory - dest[strlen(SS_STORAGE_DEFAULT_PATH) + strlen(dir) + 2] = '\0'; - is_dir_exist = IsDirExist(dest); - - if(is_dir_exist == 0) // not exist - { - SLOGI("%s is making now.\n", dest); - if(mkdir(dest, 0700) < 0) - { - SLOGE("[%s] cannot be made\n", dest); - return SS_FILE_OPEN_ERROR; - } - } - - strncat(dest, if_pointer + 1, strlen(if_pointer) + 1); - strncat(dest, "_", 1); - SHA1((unsigned char*)src, (size_t)strlen(src), path_hash); - h_code = GetHashCode(path_hash); - memset(s, 0x00, 34); - snprintf(s, 34, "%u", h_code); - strncat(dest, s, strlen(s)); - strncat(dest, SS_FILE_POSTFIX, strlen(SS_FILE_POSTFIX)); - - dest[strlen(SS_STORAGE_DEFAULT_PATH) + strlen(dir) + strlen(if_pointer) + strlen(s) + 
strlen(SS_FILE_POSTFIX) + 4] = '\0'; + object = proc_smack_label; } - else // relative path == input is a buffer - { - // check whether directory is exist or not - is_dir_exist = IsDirExist(SS_STORAGE_DEFAULT_PATH); - - if (is_dir_exist == 0) // SS_STORAGE_BUFFER_PATH is not exist - { - SLOGI("%s is making now.\n", SS_STORAGE_DEFAULT_PATH); - if(mkdir(SS_STORAGE_DEFAULT_PATH, 0700) < 0) - { - SLOGE("[%s] cannot be made\n", SS_STORAGE_DEFAULT_PATH); - return SS_FILE_OPEN_ERROR; - } - } - else if (is_dir_exist == -1) // Unknown error - { - SLOGE("Unknown error in the function IsDirExist().\n"); - return SS_PARAM_ERROR; - } - - strncpy(dest, SS_STORAGE_DEFAULT_PATH, MAX_FILENAME_LEN - 1); - strncat(dest, dir, strlen(dir)); - strncat(dest, "/", 1); - - // make directory - dest[strlen(SS_STORAGE_DEFAULT_PATH) + strlen(dir) + 2] = '\0'; - is_dir_exist = IsDirExist(dest); + } + else{ +#endif + char exe_path[256] = {0,}; + int h_code2 = 0; - if(is_dir_exist == 0) // not exist + if(!is_shared) // don't share + { + if(GetProcessExecPath(sender_pid, exe_path) != 0) { - SLOGI("%s is making now.\n", dest); - if(mkdir(dest, 0700) < 0) - { - SLOGE("[%s] cannot be made\n", dest); - return SS_FILE_OPEN_ERROR; - } + return -SS_SECURE_STORAGE_ERROR; } - - strncat(dest, src, strlen(src)); - strncat(dest, SS_FILE_POSTFIX, strlen(SS_FILE_POSTFIX)); - - dest[strlen(SS_STORAGE_DEFAULT_PATH) + strlen(dir) + strlen(src) + strlen(SS_FILE_POSTFIX) + 2] = '\0'; + h_code2 = GetHashCode(exe_path); + snprintf(hash_buf, 10, "%u", h_code2); + object = hash_buf; } +#ifdef SMACK_GROUP_ID } - else - { - SLOGE("flag mispatch. 
cannot convert file name.\n"); - return SS_PARAM_ERROR; - } +#endif + strncpy(output, object, strlen(object)); + return 0; +} - return 1; +void SetMetaData(ssm_file_info_convert_t* sfic, unsigned int orig_size, unsigned int stored_size, int flag) +{ + sfic->fInfoStruct.originSize = (unsigned int)orig_size; + sfic->fInfoStruct.storedSize = (unsigned int)stored_size; + sfic->fInfoStruct.reserved[0] = flag & 0x000000ff; } /* aes crypto function wrapper - p_text : plain text, c_text : cipher text, aes_key : from GetKey, mode : ENCRYPT/DECRYPT, size : data size */ @@ -530,25 +432,35 @@ int SsServerDataStoreFromFile(int sender_pid, const char* data_filepath, ssm_fla FILE* fd_out = NULL; struct stat file_info; ssm_file_info_convert_t sfic; - int res = -1; unsigned char p_text[ENCRYPT_SIZE]= {0, }; unsigned char e_text[ENCRYPT_SIZE]= {0, }; size_t read = 0, rest = 0; + int res = -1; //0. privilege check and get directory name + char dir[MAX_GROUP_ID_LEN] = {0,}; + if(GetProcessStorageDir(sockfd, sender_pid, group_id, dir) < 0) + { + SLOGE("Failed to get storage dir\n"); + return SS_SECURE_STORAGE_ERROR; + } + #ifdef SMACK_GROUP_ID - if(check_privilege_by_sockfd(sockfd, group_id, "w") != 0) + if(flag != SSM_FLAG_PRELOADED_WEB_APP) { - SLOGE("[%s] permission denied\n", group_id); - return SS_PERMISSION_DENIED; + if(check_privilege_by_sockfd(sockfd, dir, "w") < 0) + { + SLOGE("Permission denied\n"); + return SS_PERMISSION_DENIED; + } } #endif // 1. create out file name - ConvertFileName(sender_pid, out_filepath, in_filepath, flag, group_id); - + ConvertFileName(sender_pid, out_filepath, in_filepath, flag, dir); + // 2. file open if(!(fd_in = fopen(in_filepath, "rb"))) { 
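Review bot: The new `if(flag != SSM_FLAG_PRELOADED_WEB_APP)` guard lets a request skip check_privilege_by_sockfd entirely, and `flag` is a parameter of this server entry point, so if it is taken from the client's IPC message (not visible here) any app can write into another group's directory by sending that flag together with an arbitrary `group_id` — in GetProcessStorageDir a non-"NOTUSED" group_id becomes `dir` verbatim, and `dir` is exactly what the "w" check is meant to protect. The exemption should be decided from something the server establishes about the peer (the smack label fetched from sockfd, or the `!is_shared` case where `dir` is derived from the sender itself), not from a caller-chosen flag; at minimum `if(flag != SSM_FLAG_PRELOADED_WEB_APP || is_shared_group(group_id))` before skipping the check. SsServerDataStoreFromFile begins before and continues past this hunk.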
@@ -574,9 +486,7 @@ int SsServerDataStoreFromFile(int sender_pid, const char* data_filepath, ssm_fla // 3. write metadata if(!stat(in_filepath, &file_info)) { - sfic.fInfoStruct.originSize = (unsigned int)file_info.st_size; - sfic.fInfoStruct.storedSize = (unsigned int)(sfic.fInfoStruct.originSize/AES_BLOCK_SIZE + 1) * AES_BLOCK_SIZE; - sfic.fInfoStruct.reserved[0] = flag & 0x000000ff; + SetMetaData(&sfic, file_info.st_size, (file_info.st_size/AES_BLOCK_SIZE + 1) * AES_BLOCK_SIZE, flag); } else { @@ -639,15 +549,37 @@ int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen { char key[16] = {0, }; unsigned char iv[16] = {0, }; - char out_filepath[MAX_FILENAME_LEN+1]; + char out_filepath[MAX_FILENAME_LEN+1] = {0,}; char *buffer = NULL; unsigned int writeLen = 0, loop, rest, count; FILE *fd_out = NULL; ssm_file_info_convert_t sfic; - unsigned char p_text[ENCRYPT_SIZE]= {0, }; - unsigned char e_text[ENCRYPT_SIZE]= {0, }; + unsigned char p_text[ENCRYPT_SIZE] = {0, }; + unsigned char e_text[ENCRYPT_SIZE] = {0, }; int res = -1; - + + //0. get directory name and privilege check + char dir[MAX_GROUP_ID_LEN] = {0,}; + if(GetProcessStorageDir(sockfd, sender_pid, group_id, dir) < 0) + { + SLOGE("Failed to get storage dir\n"); + return SS_SECURE_STORAGE_ERROR; + } + +#ifdef SMACK_GROUP_ID + if(flag != SSM_FLAG_PRELOADED_WEB_APP) + { + if(check_privilege_by_sockfd(sockfd, dir, "w") < 0) + { + SLOGE("Permission denied\n"); + return SS_PERMISSION_DENIED; + } + } +#endif + + // create file path from filename + ConvertFileName(sender_pid, out_filepath, filename, flag, dir); + writeLen = (unsigned int)(bufLen / AES_BLOCK_SIZE + 1) * AES_BLOCK_SIZE; buffer = (char*)malloc(writeLen + 1); if(!buffer) 
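Review bot: `char dir[MAX_GROUP_ID_LEN] = {0,};` is filled by GetProcessStorageDir, whose final `strncpy(output, object, strlen(object))` neither bounds the copy to the destination nor writes a terminator, while its own `proc_smack_label` buffer is MAX_GROUP_ID_LEN+1 bytes — a label of exactly MAX_GROUP_ID_LEN characters fills `dir` with no NUL, and a longer client-supplied `group_id` overruns it before ConvertFileName and check_privilege_by_sockfd read it as a string. Unless the IPC layer already caps group_id at MAX_GROUP_ID_LEN-1 (not visible in this chunk), size the local as `char dir[MAX_GROUP_ID_LEN + 1] = {0,};` and reject over-long ids up front: `if(strlen(group_id) > MAX_GROUP_ID_LEN) return SS_PARAM_ERROR;`. The same `flag != SSM_FLAG_PRELOADED_WEB_APP` exemption from the privilege check appears here and deserves the same scrutiny as in the file-store path. SsServerDataStoreFromBuffer continues past this hunk.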
@@ -658,23 +590,10 @@ int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen memset(buffer, 0x00, writeLen); memcpy(buffer, writebuffer, bufLen); - //0. privilege check and get directory name -#ifdef SMACK_GROUP_ID - if(check_privilege_by_sockfd(sockfd, group_id, "w") != 0) - { - SLOGE("permission denied\n"); - free(buffer); - return SS_PERMISSION_DENIED; - } -#endif - - // create file path from filename - ConvertFileName(sender_pid, out_filepath, filename, flag, group_id); - // open a file with write mode if(!(fd_out = fopen(out_filepath, "wb"))) { - SLOGE("File open error:(out_filepath) %s\n", out_filepath); + SECURE_SLOGE("File open error:(out_filepath) %s\n", out_filepath); free(buffer); return SS_FILE_OPEN_ERROR; // file related error } @@ -688,9 +607,7 @@ int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen } // write metadata - sfic.fInfoStruct.originSize = (unsigned int)bufLen; - sfic.fInfoStruct.storedSize = writeLen; - sfic.fInfoStruct.reserved[0] = flag & 0x000000ff; + SetMetaData(&sfic, bufLen, writeLen, flag); fwrite(sfic.fInfoArray, 1, sizeof(ssm_file_info_t), fd_out); @@ -730,9 +647,9 @@ int SsServerDataStoreFromBuffer(int sender_pid, char* writebuffer, size_t bufLen SLOGI("success to execute fsync(). loop=[%d], rest=[%d]\n", loop, rest); } - fclose(fd_out); + fclose(fd_out); free(buffer); - + return 1; } 
@@ -755,12 +672,22 @@ int SsServerDataRead(int sender_pid, const char* data_filepath, char* pRetBuf, u *readLen = 0; - //0. privilege check and get directory name + //0. get directory name and privilege check + char dir[MAX_GROUP_ID_LEN] = {0,}; + if(GetProcessStorageDir(sockfd, sender_pid, group_id, dir) < 0) + { + SLOGE("Failed to get storage dir\n"); + return SS_SECURE_STORAGE_ERROR; + } + #ifdef SMACK_GROUP_ID - if(check_privilege_by_sockfd(sockfd, group_id, "r") != 0) + if(flag != SSM_FLAG_PRELOADED_WEB_APP) { - SLOGE("permission denied\n"); - return SS_PERMISSION_DENIED; + if(check_privilege_by_sockfd(sockfd, dir, "r") < 0) + { + SLOGE("Permission denied\n"); + return SS_PERMISSION_DENIED; + } } #endif @@ -768,12 +695,12 @@ int SsServerDataRead(int sender_pid, const char* data_filepath, char* pRetBuf, u if(flag == SSM_FLAG_WIDGET) strncpy(in_filepath, data_filepath, MAX_FILENAME_LEN - 1); else - ConvertFileName(sender_pid, in_filepath, data_filepath, flag, group_id); + ConvertFileName(sender_pid, in_filepath, data_filepath, flag, dir); // 2. open file if(!(fd_in = fopen(in_filepath, "rb"))) { - SLOGE("File open error:(in_filepath) %s\n", in_filepath); + SECURE_SLOGE("File open error:(in_filepath) %s\n", in_filepath); return SS_FILE_OPEN_ERROR; // file related error } @@ -781,7 +708,7 @@ int SsServerDataRead(int sender_pid, const char* data_filepath, char* pRetBuf, u if(fseek(fd_in, (long)offset + sizeof(ssm_file_info_t), SEEK_SET) < 0) { int err_tmp = errno; - SLOGE("Fseek error: %s in %s\n", strerror(err_tmp), in_filepath); + SECURE_SLOGE("Fseek error: %s in %s\n", strerror(err_tmp), in_filepath); fclose(fd_in); return SS_FILE_OPEN_ERROR; // file related error } @@ -816,10 +743,10 @@ int SsServerDataRead(int sender_pid, const char* data_filepath, char* pRetBuf, u out_data += read; *readLen += read; Last: - *out_data = '\0'; + *out_data = '\0'; fclose(fd_in); - + return 1; } 
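Review bot: The relocated "r" check authorizes access to `dir`, but in the branch immediately after it `if(flag == SSM_FLAG_WIDGET) strncpy(in_filepath, data_filepath, MAX_FILENAME_LEN - 1);` opens the caller-supplied path verbatim, so for that flag the check does not cover the file actually read and a client can name any path ss-server itself can open (the branch is pre-existing, but the commit now places the check specifically around it). Either route SSM_FLAG_WIDGET through ConvertFileName like the other flags or verify that `data_filepath` resolves under the storage root (e.g. a `realpath` prefix check) before the fopen; the `flag != SSM_FLAG_PRELOADED_WEB_APP` exemption should likewise not be decidable by the client alone. SsServerDataRead begins before and continues past this hunk.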
@@ -832,17 +759,28 @@ int SsServerDeleteFile(int sender_pid, const char* data_filepath, ssm_flag flag, const char* in_filepath = data_filepath; char out_filepath[MAX_FILENAME_LEN] = {0, }; - //0. privilege check and get directory name + //0. get directory name and privilege check + char dir[MAX_GROUP_ID_LEN] = {0,}; + if(GetProcessStorageDir(sockfd, sender_pid, group_id, dir) < 0) + { + SLOGE("Failed to get storage dir\n"); + return SS_SECURE_STORAGE_ERROR; + } + #ifdef SMACK_GROUP_ID - if(check_privilege_by_sockfd(sockfd, group_id, "w") != 0) + if(flag != SSM_FLAG_PRELOADED_WEB_APP) { - SLOGE("permission denied\n"); - return SS_PERMISSION_DENIED; + if(check_privilege_by_sockfd(sockfd, dir, "w") < 0) + { + SLOGE("Permission denied\n"); + return SS_PERMISSION_DENIED; + } } #endif - // 1. create out file name - ConvertFileName(sender_pid, out_filepath, in_filepath, flag, group_id); - + + // create file path from filename + ConvertFileName(sender_pid, out_filepath, in_filepath, flag, dir); + // 2. delete designated file if(unlink(out_filepath) != 0) // unlink fail? { 
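Review bot: ConvertFileName's return value is still discarded, although the rewritten helper earlier in this diff now returns `-SS_FILE_OPEN_ERROR` when CreateStorageDir fails and `0` on success (the old code returned 1); on failure `out_filepath` stays zero-filled and the function goes on to `unlink("")`, reporting a misleading file-delete error instead of the real cause. Check it: `if(ConvertFileName(sender_pid, out_filepath, in_filepath, flag, dir) < 0) return SS_FILE_OPEN_ERROR;`. It is also worth confirming that a delete request should be able to trigger the mkdir inside ConvertFileName at all — creating a storage directory as a side effect of deleting from it looks unintended. SsServerDeleteFile begins before and continues past this hunk.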
@@ -863,25 +801,35 @@ int SsServerGetInfo(int sender_pid, const char* data_filepath, char* file_info, FILE *fd_in = NULL; char in_filepath[MAX_FILENAME_LEN] = {0, }; - //0. privilege check and get directory name + //0. get directory name and privilege check + char dir[MAX_GROUP_ID_LEN] = {0,}; + if(GetProcessStorageDir(sockfd, sender_pid, group_id, dir) < 0) + { + SLOGE("Failed to get storage dir\n"); + return SS_SECURE_STORAGE_ERROR; + } + #ifdef SMACK_GROUP_ID - if(check_privilege_by_sockfd(sockfd, group_id, "r") != 0) + if(flag != SSM_FLAG_PRELOADED_WEB_APP) { - SLOGE("permission denied, [%s]\n", group_id); - return SS_PERMISSION_DENIED; + if(check_privilege_by_sockfd(sockfd, dir, "r") < 0) + { + SLOGE("Permission denied\n"); + return SS_PERMISSION_DENIED; + } } #endif - + // 1. create in file name : convert file name in order to access secure storage if(flag == SSM_FLAG_WIDGET) strncpy(in_filepath, data_filepath, MAX_FILENAME_LEN - 1); else - ConvertFileName(sender_pid, in_filepath, data_filepath, flag, group_id); - + ConvertFileName(sender_pid, in_filepath, data_filepath, flag, dir); + // 1. open file if(!(fd_in = fopen( in_filepath, "rb"))) { - SLOGE("File open error:(in_filepath) [%s], [%s]\n", data_filepath, in_filepath ); + SECURE_SLOGE("File open error:(in_filepath) [%s], [%s]\n", data_filepath, in_filepath ); return SS_FILE_OPEN_ERROR; // file related error } diff --git a/ss-server.manifest b/ss-server.manifest new file mode 100755 index 0000000..5612058 --- /dev/null +++ b/ss-server.manifest 
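Review bot: This is the fifth copy of the same prologue — declare `dir`, call GetProcessStorageDir, then the `#ifdef SMACK_GROUP_ID` / `flag != SSM_FLAG_PRELOADED_WEB_APP` / check_privilege_by_sockfd block — differing only in the "r"/"w" string, so the exemption policy that decides who may bypass the SMACK check now lives in five places and any future fix has to be repeated in all of them. Factor it into one helper, `static int AuthorizeStorageDir(int sockfd, int sender_pid, const char* group_id, ssm_flag flag, const char* perm, char* dir)`, returning SS_PERMISSION_DENIED / SS_SECURE_STORAGE_ERROR, and call it from the four server entry points. As in SsServerDataRead, the `SSM_FLAG_WIDGET` branch here opens `data_filepath` as given, so the "r" check on `dir` does not cover the file whose info is returned. SsServerGetInfo begins before and continues past this hunk.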
@@ -0,0 +1,20 @@ +<manifest> + <define> + <domain name="secure-storage"/> + <provide> + <label name="secure-storage::mdm-limit-call"/> + <label name="secure-storage::mdm-limit-sms"/> + <label name="secure-storage::tethering"/> + <label name="secure-storage::activesync"/> + <label name="secure-storage::divx-fragment"/> + <label name="secure-storage::google-sync"/> + <label name="secure-storage::facebook"/> + <label name="secure-storage::telephony_sim"/> + </provide> + </define> + <request> + <domain name="secure-storage"/> + </request> + <assign> + </assign> +</manifest> diff --git a/ss-serverd b/ss-serverd deleted file mode 100755 index 79132e9..0000000 --- a/ss-serverd +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh - -# start secure-storage server -/usr/bin/ss-server & diff --git a/packaging/secure-storage.service b/systemd/secure-storage.service index d46ceee..553539e 100644 --- a/packaging/secure-storage.service +++ b/systemd/secure-storage.service @@ -3,6 +3,7 @@ Description=Start the Secure Storage server [Service] +Type=notify ExecStartPre=-/bin/mkdir -p /csa ExecStart=/usr/bin/ss-server diff --git a/systemd/secure-storage.socket b/systemd/secure-storage.socket new file mode 100644 index 0000000..631c09a --- /dev/null +++ b/systemd/secure-storage.socket @@ -0,0 +1,6 @@ +[Socket] +ListenStream=/tmp/SsSocket +SocketMode=0777 + +[Install] +WantedBy=sockets.target |
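Review bot: `Type=notify` makes systemd wait for READY=1 from ss-server via sd_notify before considering the unit started, and if the daemon never sends it the start times out and the service is killed; the server-side change that would do this (ss_server_ipc.c is in the diffstat) is not in this chunk, so please confirm the call exists or add a comment in the unit naming where READY is signalled. The pre-existing `ExecStartPre=-/bin/mkdir -p /csa` also creates the preserved directory with the default umask and ignores failure, which is worth a look while touching this file.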
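Review bot: `ListenStream=/tmp/SsSocket` with `SocketMode=0777` places a world-connectable secure-storage socket in a world-writable directory, so every local process can reach ss-server and the whole access decision rests on the per-request check_privilege_by_sockfd call — which the same commit lets a client skip via SSM_FLAG_PRELOADED_WEB_APP — and a stale or attacker-planted `/tmp/SsSocket` can exist before the socket unit binds (systemd normally unlinks it, but the path is still exposed to /tmp races). Prefer a dedicated runtime directory, e.g. `ListenStream=/run/secure-storage/SsSocket` with `RuntimeDirectory=secure-storage` in the service, and a mode no wider than needed (`SocketMode=0666` if every app must connect; the execute bits in 0777 are meaningless for a socket). If the server also bind()s the path itself rather than taking the fd from systemd (not visible here), the two will conflict and that should be checked too.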