authorBartlomiej Grzelewski <b.grzelewski@samsung.com>2016-02-04 16:38:37 +0100
committerBartlomiej Grzelewski <b.grzelewski@samsung.com>2016-02-16 12:35:49 +0100
commiteb3625009f2c5ed45c4eda13ce712b599843b782 (patch)
tree17f19acbbb102cc7cf468dd675c34cccaaeb9498
parent7792f9f89d5e78b55ae6818dd3960b291c6a1c61 (diff)
Remove master and slave mode.
Change-Id: Ia02b2ba10deef665eea203a0147cce301d46db8c
-rw-r--r--packaging/security-manager.spec6
-rw-r--r--src/client/client-security-manager.cpp18
-rw-r--r--src/common/CMakeLists.txt2
-rw-r--r--src/common/include/master-req.h193
-rw-r--r--src/common/include/protocols.h17
-rw-r--r--src/common/include/service_impl.h31
-rw-r--r--src/common/include/smack-labels.h2
-rw-r--r--src/common/include/smack-rules.h73
-rw-r--r--src/common/include/zone-utils.h86
-rw-r--r--src/common/master-req.cpp261
-rw-r--r--src/common/protocols.cpp4
-rw-r--r--src/common/service_impl.cpp272
-rw-r--r--src/common/smack-labels.cpp8
-rw-r--r--src/common/smack-rules.cpp118
-rw-r--r--src/common/zone-utils.cpp117
-rw-r--r--src/server/CMakeLists.txt4
-rw-r--r--src/server/main/server-main.cpp80
-rw-r--r--src/server/service/include/master-service.h160
-rw-r--r--src/server/service/include/service.h3
-rw-r--r--src/server/service/master-service.cpp464
-rw-r--r--src/server/service/service.cpp71
-rw-r--r--systemd/CMakeLists.txt6
-rw-r--r--systemd/security-manager-master.service.in10
-rw-r--r--systemd/security-manager-master.socket13
-rw-r--r--systemd/security-manager-slave.service.in9
-rw-r--r--systemd/security-manager-slave.socket10
-rw-r--r--systemd/security-manager.service.in2
-rw-r--r--systemd/security-manager.socket4
28 files changed, 192 insertions, 1852 deletions
diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec
index 92261a53..4306b4f5 100644
--- a/packaging/security-manager.spec
+++ b/packaging/security-manager.spec
@@ -89,8 +89,6 @@ cp LICENSE %{buildroot}%{_datadir}/license/libsecurity-manager-client
mkdir -p %{buildroot}/%{_unitdir}/sockets.target.wants
mkdir -p %{buildroot}/%{_unitdir}/sysinit.target.wants
ln -s ../security-manager.socket %{buildroot}/%{_unitdir}/sockets.target.wants/security-manager.socket
-ln -s ../security-manager-master.socket %{buildroot}/%{_unitdir}/sockets.target.wants/security-manager-master.socket
-ln -s ../security-manager-slave.socket %{buildroot}/%{_unitdir}/sockets.target.wants/security-manager-slave.socket
ln -s ../security-manager-cleanup.service %{buildroot}/%{_unitdir}/sysinit.target.wants/security-manager-cleanup.service
%clean
@@ -142,12 +140,8 @@ fi
%{_libdir}/libsecurity-manager-commons.so.*
%attr(-,root,root) %{_unitdir}/security-manager.*
-%attr(-,root,root) %{_unitdir}/security-manager-master.*
-%attr(-,root,root) %{_unitdir}/security-manager-slave.*
%attr(-,root,root) %{_unitdir}/security-manager-cleanup.*
%attr(-,root,root) %{_unitdir}/sockets.target.wants/security-manager.*
-%attr(-,root,root) %{_unitdir}/sockets.target.wants/security-manager-master.*
-%attr(-,root,root) %{_unitdir}/sockets.target.wants/security-manager-slave.*
%attr(-,root,root) %{_unitdir}/sysinit.target.wants/security-manager-cleanup.*
%config(noreplace) %attr(0600,root,root) %{TZ_SYS_DB}/.security-manager.db
%config(noreplace) %attr(0600,root,root) %{TZ_SYS_DB}/.security-manager.db-journal
diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp
index dc273da2..a5fdfdf7 100644
--- a/src/client/client-security-manager.cpp
+++ b/src/client/client-security-manager.cpp
@@ -47,7 +47,6 @@
#include <protocols.h>
#include <service_impl.h>
#include <connection.h>
-#include <zone-utils.h>
#include <security-manager.h>
#include <client-offline.h>
@@ -192,7 +191,7 @@ int security_manager_app_install(const app_inst_req *p_req)
int retval;
ClientOffline offlineMode;
if (offlineMode.isOffline()) {
- retval = SecurityManager::ServiceImpl().appInstall(*p_req, geteuid(), false);
+ retval = SecurityManager::ServiceImpl().appInstall(*p_req, geteuid());
} else {
MessageBuffer send, recv;
@@ -392,18 +391,8 @@ int security_manager_set_process_label_from_appid(const char *app_id)
if (smack_smackfs_path() == NULL)
return SECURITY_MANAGER_SUCCESS;
- // FIXME Below modifications related to zones are temporary. Remove when Smack Namespaces
- // are implemented.
- std::string zoneId;
- if (!getZoneIdFromPid(getpid(), zoneId)) {
- LogError("Failed to get ID of zone");
- return SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE;
- }
-
try {
- appLabel = SecurityManager::zoneSmackLabelGenerate(
- SecurityManager::SmackLabels::generateAppLabel(app_id), zoneId);
-
+ appLabel = SecurityManager::SmackLabels::generateAppLabel(app_id);
} catch (...) {
LogError("Failed to generate smack label for appId: " << app_id);
return SECURITY_MANAGER_API_ERROR_NO_SUCH_OBJECT;
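Review bot: The `catch (...)` path kept around the simplified `generateAppLabel(app_id)` call returns `SECURITY_MANAGER_API_ERROR_NO_SUCH_OBJECT`, while the other returns visible in this hunk use the `SECURITY_MANAGER_` family without `_API_` (`SECURITY_MANAGER_SUCCESS`, and `SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE` on the removed lines). If the `_API_` constants belong to the internal protocol codes, as the prefix suggests, a caller of this public function that checks for library codes would not recognise the failure. Since this function chooses the Smack label a process runs under, report the failure with a code from the public set. Keep `catch (...)` as the last handler, but add `catch (const std::exception &e)` before it so the log records `e.what()`. The function body starts and ends outside the hunk, so any earlier validation of `app_id` is not visible here.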
@@ -603,8 +592,7 @@ int security_manager_user_add(const user_req *p_req)
int retval;
ClientOffline offlineMode;
if (offlineMode.isOffline()) {
- retval = SecurityManager::ServiceImpl().userAdd(p_req->uid, p_req->utype, geteuid(),
- false);
+ retval = SecurityManager::ServiceImpl().userAdd(p_req->uid, p_req->utype, geteuid());
} else {
MessageBuffer send, recv;
//server is working
diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt
index b718e2f8..3a9d3c90 100644
--- a/src/common/CMakeLists.txt
+++ b/src/common/CMakeLists.txt
@@ -48,13 +48,11 @@ SET(COMMON_SOURCES
${COMMON_PATH}/file-lock.cpp
${COMMON_PATH}/protocols.cpp
${COMMON_PATH}/message-buffer.cpp
- ${COMMON_PATH}/master-req.cpp
${COMMON_PATH}/privilege_db.cpp
${COMMON_PATH}/smack-labels.cpp
${COMMON_PATH}/smack-rules.cpp
${COMMON_PATH}/smack-check.cpp
${COMMON_PATH}/service_impl.cpp
- ${COMMON_PATH}/zone-utils.cpp
)
ADD_LIBRARY(${TARGET_COMMON} SHARED ${COMMON_SOURCES})
diff --git a/src/common/include/master-req.h b/src/common/include/master-req.h
deleted file mode 100644
index 8cbf7591..00000000
--- a/src/common/include/master-req.h
+++ /dev/null
@@ -1,193 +0,0 @@
-/*
- * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Rafal Krypa <r.krypa@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-
-/*
- * @file master-req.h
- * @author Lukasz Kostyra <l.kostyra@samsung.com>
- * @brief Master request calls declaration
- */
-
-#ifndef _SECURITY_MANAGER_MASTER_REQ_
-#define _SECURITY_MANAGER_MASTER_REQ_
-
-#include <string>
-#include <vector>
-
-#include "protocols.h"
-
-
-namespace SecurityManager {
-namespace MasterReq {
-
-/**
- * Forwards Cynara Policy Update request to Master Service.
- *
- * @param[in] appID Application ID
- * @param[in] uidstr String containing user identifier
- * @param[in] privileges Currently enabled privileges for the application
- *
- * @see CynaraAdmin::UpdateAppPolicy
- */
-int CynaraPolicyUpdate(const std::string &appId, const std::string &uidstr,
- const std::vector<std::string> &privileges);
-
-/**
- * Forwards Cynara user initialization to Master service.
- *
- * @param[in] uidAdded New user UID
- * @param[in] userType Type of user, enumerated in security-manager.h
- * @return API return code, as defined in protocols.h
- *
- * @see CynaraAdmin::UserInit
- */
-int CynaraUserInit(const uid_t uidAdded, int userType);
-
-/**
- * Forwards Cynara user removal to Master service.
- *
- * @param[in] uidDeleted Removed user UID
- * @return API return code, as defined in protocols.h
- *
- * @see CynaraAdmin::UserRemove
- */
-int CynaraUserRemove(const uid_t uidDeleted);
-
-/**
- * Forwards SMACK rule installation to Master service.
- *
- * @param[in] appId ID of application being removed
- * @param[in] pkgId ID of package being removed
- * @param[in] authorId ID for author.
- * @param[in] pkgContents list of all applications in the package
- * @param[in] appsGranted list of 2.x apps granted access
- * @param[in] accessPackages list of 2.x packages to be accessed
- * @return API return code, as defined in protocols.h
- *
- * @see SmackRules::installApplicationRules
- */
-int SmackInstallRules(const std::string &appId,
- const std::string &pkgId,
- const std::string &authorId,
- const std::vector<std::string> &pkgContents,
- const std::vector<std::string> &appsGranted,
- const std::vector<std::string> &accessPackages);
-
-/**
- * Forwards SMACK rule removal to Master service.
- *
- * @param[in] appId ID of application being removed
- * @param[in] pkgId ID of package being removed
- * @param[in] pkgContents A list of all applications in the package
- * @param[in] appsGranted list of 2.x apps granted access
- * @param[in] removeApp Flag stating if the application is no longer installed
- * for any user and should be removed
- * @param[in] removePkg Flag stating if entire package should be removed
- * @return API return code, as defined in protocols.h
- *
- * @see SmackRules::uninstallPackageRules, SmackRules::uninstallApplicationRules
- */
-int SmackUninstallRules(const std::string &appId, const std::string &pkgId,
- const std::vector<std::string> &pkgContents,
- const std::vector<std::string> &appsGranted,
- const bool removeApp, const bool removePkg);
-
-/**
- * Forwards policyUpdate API to Master. Arguments are the same as policyUpdate.
- *
- * @return API return code, as defined in protocols.h
- *
- * @see ServiceImpl::policyUpdate
- */
-int PolicyUpdate(const std::vector<policy_entry> &policyEntries, uid_t uid, pid_t pid,
- const std::string &smackLabel);
-
-/**
- * Forwards getConfiguredPolicy API to Master. Arguments are the same as getConfiguredPolicy.
- *
- * @return API return code, as defined in protocols.h
- *
- * @see ServiceImpl::getConfiguredPolicy
- */
-int GetConfiguredPolicy(bool forAdmin, const policy_entry &filter, uid_t uid, pid_t pid,
- const std::string &smackLabel, std::vector<policy_entry> &policyEntries);
-
-/**
- * Forwards getPolicy API to Master. Arguments are the same as getPolicy.
- *
- * @return API return code, as defined in protocols.h
- *
- * @see ServiceImpl::getPolicy
- */
-int GetPolicy(const policy_entry &filter, uid_t uid, pid_t pid, const std::string &smackLabel,
- std::vector<policy_entry> &policyEntries);
-
-/**
- * Forwards policyGetDesc API to Master. Arguments are the same as policyGetDesc.
- *
- * @return API return code, as defined in protocols.h
- *
- * @see ServiceImpl::policyGetDesc
- */
-int PolicyGetDesc(std::vector<std::string> &descriptions);
-
-/**
- * Forwards Smack rules applying for private sharing to Master service.
- *
- * @param[in] ownerPkgId App id of path owner application
- * @param[in] pkgContents Vector of applications belonging to the same package as path owner
- * @param[in] targetAppId App id of sharing path target application
- * @param[in] path Path being shared
- * @param[in] ownerTargetCount Count of saved owner with target sharing
- * @param[in] pathSharingCount Count of saved path sharing
- *
- * @return API return code, as defined in protocols.h
- *
- * @see ServiceImpl::applyPrivateSharing
- */
-int SmackApplyPrivateSharingRules(const std::string &ownerPkgId,
- const std::vector<std::string> &pkgContents,
- const std::string &targetAppId,
- const std::string &path,
- int ownerTargetCount,
- int pathSharingCount);
-
-/**
- * Forwards Smack rules applying for private sharing to Master service.
- *
- * @param[in] ownerPkgId Package id of path owner application
- * @param[in] pkgContents Vector of applications belonging to the same package as path owner
- * @param[in] targetAppId App id of sharing path target application
- * @param[in] path Path being shared
- * @param[in] ownerTargetCount Count of saved owner with target sharing
- * @param[in] pathSharingCount Count of saved path sharing
- *
- * @return API return code, as defined in protocols.h
- *
- * @see ServiceImpl::dropPrivateSharing
- */
-int SmackDropPrivateSharingRules(const std::string &ownerPkgId,
- const std::vector<std::string> &pkgContents,
- const std::string &targetAppId,
- const std::string &path,
- int ownerTargetCount,
- int pathSharingCount);
-
-} // namespace MasterReq
-} // namespace SecurityManager
-
-#endif // _SECURITY_MANAGER_MASTER_REQ_
diff --git a/src/common/include/protocols.h b/src/common/include/protocols.h
index 9a00bc4c..1526f872 100644
--- a/src/common/include/protocols.h
+++ b/src/common/include/protocols.h
@@ -134,8 +134,6 @@ struct private_sharing_req {
namespace SecurityManager {
extern char const * const SERVICE_SOCKET;
-extern char const * const MASTER_SERVICE_SOCKET;
-extern char const * const SLAVE_SERVICE_SOCKET;
enum class SecurityModuleCall
{
@@ -157,21 +155,6 @@ enum class SecurityModuleCall
NOOP = 0x90,
};
-enum class MasterSecurityModuleCall
-{
- CYNARA_UPDATE_POLICY,
- CYNARA_USER_INIT,
- CYNARA_USER_REMOVE,
- POLICY_UPDATE,
- GET_CONFIGURED_POLICY,
- GET_POLICY,
- POLICY_GET_DESC,
- SMACK_INSTALL_RULES,
- SMACK_UNINSTALL_RULES,
- SMACK_APPLY_PRIVATE_SHARING_RULES,
- SMACK_DROP_PRIVATE_SHARING_RULES
-};
-
} // namespace SecurityManager
using namespace SecurityManager;
diff --git a/src/common/include/service_impl.h b/src/common/include/service_impl.h
index 85cd9c26..0ffcbcd7 100644
--- a/src/common/include/service_impl.h
+++ b/src/common/include/service_impl.h
@@ -49,7 +49,7 @@ private:
int dropOnePrivateSharing(const std::string &ownerAppId, const std::string &ownerPkgId,
const std::vector<std::string> &ownerPkgContents, const std::string &targetAppId,
- const std::string &path, const std::string &zoneId, bool isSlave);
+ const std::string &path);
public:
ServiceImpl();
@@ -60,22 +60,20 @@ public:
*
* @param[in] req installation request
* @param[in] uid id of the requesting user
- * @param[in] isSlave Indicates if function should be called under slave mode
*
* @return API return code, as defined in protocols.h
*/
- int appInstall(const app_inst_req &req, uid_t uid, bool isSlave);
+ int appInstall(const app_inst_req &req, uid_t uid);
/**
* Process application uninstallation request.
*
* @param[in] req uninstallation request
* @param[in] uid id of the requesting user
- * @param[in] isSlave Indicates if function should be called under slave mode
*
* @return API return code, as defined in protocols.h
*/
- int appUninstall(const std::string &appId, uid_t uid, bool isSlave);
+ int appUninstall(const std::string &appId, uid_t uid);
/**
* Process package id query.
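Review bot: The doc block for `appUninstall` still reads `@param[in] req uninstallation request`, but the declaration takes `const std::string &appId`. The commit edits this block to drop `isSlave` and leaves the mismatch in place. Replace the line with `* @param[in] appId application identifier`, the wording the `getAppGroups` block in the next hunk already uses.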
@@ -98,13 +96,11 @@ public:
* @param[in] appId application identifier
* @param[in] uid id of the requesting user
* @param[in] pid id of the requesting process (to construct Cynara session id)
- * @param[in] isSlave Indicates if function should be called under slave mode
* @param[out] gids returned set of allowed group ids
*
* @return API return code, as defined in protocols.h
*/
- int getAppGroups(const std::string &appId, uid_t uid, pid_t pid, bool isSlave,
- std::unordered_set<gid_t> &gids);
+ int getAppGroups(const std::string &appId, uid_t uid, pid_t pid, std::unordered_set<gid_t> &gids);
/**
* Process user adding request.
@@ -112,22 +108,20 @@ public:
* @param[in] uidAdded uid of newly created user
* @param[in] userType type of newly created user
* @param[in] uid uid of requesting user
- * @param[in] isSlave Indicates if function should be called under slave mode
*
* @return API return code, as defined in protocols.h
*/
- int userAdd(uid_t uidAdded, int userType, uid_t uid, bool isSlave);
+ int userAdd(uid_t uidAdded, int userType, uid_t uid);
/**
* Process user deletion request.
*
* @param[in] uidDeleted uid of removed user
* @param[in] uid uid of requesting user
- * @param[in] isSlave Indicates if function should be called under slave mode
*
* @return API return code, as defined in protocols.h
*/
- int userDelete(uid_t uidDeleted, uid_t uid, bool isSlave);
+ int userDelete(uid_t uidDeleted, uid_t uid);
/**
* Update policy in Cynara - proper privilege: http://tizen.org/privilege/systemsettings.admin
@@ -194,13 +188,11 @@ public:
* @param[in] appId application identifier
* @param[in] privilege privilege name
* @param[in] uid user identifier
- * @param[in] isSlave indicates if function should be called under slave mode
* @param[out] result placeholder for check result
*
* @return API return code, as defined in protocols.h
*/
- int appHasPrivilege(std::string appId, std::string privilege, uid_t uid,
- bool isSlave, bool &result);
+ int appHasPrivilege(std::string appId, std::string privilege, uid_t uid, bool &result);
/**
* Process applying private path sharing between applications.
@@ -208,14 +200,12 @@ public:
* @param[in] ownerAppId application owning paths
* @param[in] targetAppId application which paths will be shared with
* @param[in] paths vector of paths to be shared
- * @param[in] isSlave Indicates if function should be called under slave mode
*
* @return API return code, as defined in protocols.h
*/
int applyPrivatePathSharing(const std::string &ownerAppId,
const std::string &targetAppId,
- const std::vector<std::string> &paths,
- bool isSlave);
+ const std::vector<std::string> &paths);
/**
* Process droping private path sharing between applications.
@@ -223,14 +213,13 @@ public:
* @param[in] ownerAppId application owning paths
* @param[in] targetAppId application which paths won't be anymore shared with
* @param[in] paths vector of paths to be stopped being shared
- * @param[in] isSlave Indicates if function should be called under slave mode
* @return API return code, as defined in protocols.h
*/
int dropPrivatePathSharing(const std::string &ownerAppId,
const std::string &targetAppId,
- const std::vector<std::string> &paths,
- bool isSlave);
+ const std::vector<std::string> &paths);
};
+
} /* namespace SecurityManager */
#endif /* _SECURITY_MANAGER_SERVICE_IMPL_ */
diff --git a/src/common/include/smack-labels.h b/src/common/include/smack-labels.h
index af5c623b..2aa00ec8 100644
--- a/src/common/include/smack-labels.h
+++ b/src/common/include/smack-labels.h
@@ -41,13 +41,11 @@ namespace SmackLabels {
* @param path[in] path to a file or directory to setup
* @param pathType[in] type of path to setup. See description of
* app_install_path_type in security-manager.h for details
- * @param zoneId[in] ID of zone for which label should be set
*/
void setupPath(
const std::string &pkgId,
const std::string &path,
app_install_path_type pathType,
- const std::string &zoneId,
const std::string &authorId = std::string());
/**
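Review bot: Dropping `zoneId` from `setupPath` moves `authorId`, another `const std::string &` with a default value, into the fourth position. A call site that still passes `(pkgId, path, pathType, zoneId)` therefore keeps compiling, and its zone string is silently taken as the author id. That value presumably influences the Smack label put on the path, so each caller should be checked by hand rather than relying on the compiler; the call sites are outside this hunk. The visible part of the doc block also has no entry for the remaining parameter; add `* @param authorId[in] optional author identifier, empty by default`.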
diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h
index e472dd21..a0b458aa 100644
--- a/src/common/include/smack-rules.h
+++ b/src/common/include/smack-rules.h
@@ -49,14 +49,12 @@ public:
const std::vector<std::string> &templateRules,
const std::string &appId,
const std::string &pkgId,
- const std::string &authorId,
- const std::string &zoneId);
+ const std::string &authorId);
void addFromTemplateFile(
const std::string &appId,
const std::string &pkgId,
- const std::string &authorId,
- const std::string &zoneId);
+ const std::string &authorId);
void apply() const;
void clear() const;
@@ -69,41 +67,18 @@ public:
* correct permissions to shared data.
*
* @param[in] pkgContents - a list of all applications inside this package
- * @param[in] zoneId - ID of zone which requested application install
*/
- void generatePackageCrossDeps(const std::vector<std::string> &pkgContents,
- const std::string &zoneId);
+ void generatePackageCrossDeps(const std::vector<std::string> &pkgContents);
/**
* Create cross dependencies for all other 2.X applications
*
* @param[in] pkgId - installed package id to access it's shared dir
* @param[in] other2XApps - list of 2.x apps to grant access
- * @param[in] zoneId - ID of zone which requested application install
- */
- void generateAllowOther2XApplicationDeps(const std::string pkgId,
- const std::vector<std::string> &other2XApps,
- const std::string &zoneId);
-
- /**
- * Install package-specific smack rules.
- *
- * Function creates smack rules using predefined template. Rules are applied
- * to the kernel and saved on persistent storage so they are loaded on system boot.
- *
- * @param[in] appId - application id that is beeing installed
- * @param[in] pkgId - package id that the application is in
- * @param[in] authorId - author id of application
- * @param[in] pkgContents - list of all applications in the package
- * @param[in] appsGranted - list of 2.x apps to grant access
- * @param[in] accessPackages - list of 2.x packages to be accessed
*/
- static void installApplicationRules(const std::string &appId,
- const std::string &pkgId,
- const std::string &authorId,
- const std::vector<std::string> &pkgContents,
- const std::vector<std::string> &appsGranted,
- const std::vector<std::string> &accessPackages);
+ void generateAllowOther2XApplicationDeps(
+ const std::string pkgId,
+ const std::vector<std::string> &other2XApps);
/**
* Install package-specific smack rules plus add rules for specified external apps.
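Review bot: `generateAllowOther2XApplicationDeps` is re-declared here with `const std::string pkgId` taken by value, which copies the string on every call while the neighbouring parameters are references. Since the declaration is being rewritten anyway, use `const std::string &pkgId`. The same applies to `const std::string appId` in `generateAppToOtherPackagesDeps` in the last hunk of this file. The definitions in smack-rules.cpp need the matching change and are outside this hunk.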
@@ -115,7 +90,6 @@ public:
* @param[in] pkgId - package id that the application is in
* @param[in] authorId - author id of application
* @param[in] pkgContents - list of all applications in the package
- * @param[in] zoneId - ID of zone which requested application install
* @param[in] appsGranted - list of 2.x apps granted access
* @param[in] accessPackages - list of 2.x packages to be accessed
*/
@@ -125,8 +99,7 @@ public:
const std::string &authorId,
const std::vector<std::string> &pkgContents,
const std::vector<std::string> &appsGranted,
- const std::vector<std::string> &accessPackages,
- const std::string &zoneId);
+ const std::vector<std::string> &accessPackages);
/**
* Uninstall package-specific smack rules.
@@ -152,12 +125,12 @@ public:
* @param[in] pkgId - package id that the application belongs to
* @param[in] appsInPkg - a list of other applications in the same package id that the application belongs to
* @param[in] appsGranted - list of 2.x apps granted access
- * @param[in] zoneId - ID of zone which requested application uninstall
*/
- static void uninstallApplicationRules(const std::string &appId, const std::string &pkgId,
+ static void uninstallApplicationRules(
+ const std::string &appId,
+ const std::string &pkgId,
std::vector<std::string> appsInPkg,
- const std::vector<std::string> &appsGranted,
- const std::string &zoneId);
+ const std::vector<std::string> &appsGranted);
/**
* Update package specific rules
@@ -169,12 +142,11 @@ public:
* @param[in] pkgId - id of the package to update
* @param[in] pkgContents - list of all applications in the package
* @param[in] appsGranted - list of 2.x apps granted access
- * @param[in] zoneId - ID of zone which requested application uninstall
*/
- static void updatePackageRules(const std::string &pkgId,
+ static void updatePackageRules(
+ const std::string &pkgId,
const std::vector<std::string> &pkgContents,
- const std::vector<std::string> &appsGranted,
- const std::string &zoneId);
+ const std::vector<std::string> &appsGranted);
/* Temporary fix for authors rules */
static void fixAuthorRules(const std::string &authorId);
@@ -194,15 +166,13 @@ public:
* @param[in] isPathSharedAlready - flag indicated, if path has been shared before
* @param[in] isTargetSharingAlready - flag indicated, if target is already sharing anything
* with owner
- * @param[in] zoneId - ID of zone which requested applying sharing
*/
static void applyPrivateSharingRules(const std::string &ownerPkgId,
const std::vector<std::string> &ownerPkgContents,
const std::string &targetAppId,
const std::string &pathLabel,
bool isPathSharedAlready,
- bool isTargetSharingAlready,
- const std::string &zoneId);
+ bool isTargetSharingAlready);
/**
* Remove rules related to private path sharing rules
*
@@ -219,15 +189,15 @@ public:
* @param[in] isPathSharedNoMore - flag indicated, if path is not shared anymore
* @param[in] isTargetSharingNoMore - flag indicated, if target is not sharing anything
* with owner
- * @param[in] zoneId - ID of zone which requested droping sharing
*/
static void dropPrivateSharingRules(const std::string &ownerPkgId,
const std::vector<std::string> &ownerPkgContents,
const std::string &targetAppId,
const std::string &pathLabel,
bool isPathSharedNoMore,
- bool isTargetSharingNoMore,
- const std::string &zoneId);
+ bool isTargetSharingNoMore);
+
+ static void updatePackageRules(const std::string &pkgId, const std::vector<std::string> &pkgContents);
private:
/**
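Review bot: The added two-argument `updatePackageRules(pkgId, pkgContents)` has no doc comment and sits after `dropPrivateSharingRules`, away from the documented three-argument `updatePackageRules` earlier in the class. The header does not say when a caller should pick the overload without `appsGranted`, and for code that writes Smack rules the choice presumably changes which accesses end up granted. Add a doc block stating what this overload does differently and move it next to the other one. If it is a leftover with no definition in smack-rules.cpp, drop the declaration instead; the definition is outside this hunk.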
@@ -256,11 +226,10 @@ private:
*
* @param[in] path - path to the file that contains the rules
* @param[in] other2XPackages - list of 2.x packages to be accessed
- * @param[in] zoneId - ID of zone which requested application uninstall
*/
- static void generateAppToOtherPackagesDeps(const std::string appId,
- const std::vector<std::string> &other2XPackages,
- const std::string &zoneId);
+ static void generateAppToOtherPackagesDeps(
+ const std::string appId,
+ const std::vector<std::string> &other2XPackages);
/**
* Helper method: replace all occurrences of \ref needle in \ref haystack
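Review bot: The doc block above `generateAppToOtherPackagesDeps` documents `@param[in] path - path to the file that contains the rules`, but the function has no `path` parameter; its first argument is `appId`. The commit edits this block to drop `zoneId`, so the stale entry can be fixed in the same change, for example `* @param[in] appId - id of the application`. The start of the doc block is outside the hunk.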
diff --git a/src/common/include/zone-utils.h b/src/common/include/zone-utils.h
deleted file mode 100644
index 25caacce..00000000
--- a/src/common/include/zone-utils.h
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Rafal Krypa <r.krypa@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file zone-utils.h
- * @author Lukasz Kostyra (l.kostyra@samsung.com)
- * @version 1.0
- * @brief Definition of Zone utilities
- */
-
-#ifndef _SECURITY_MANAGER_ZONE_UTILS_H_
-#define _SECURITY_MANAGER_ZONE_UTILS_H_
-
-#include <string>
-
-// FIXME This module is a replacement for Vasum functions.
-//
-// When Vasum will be included into OBS, the module should be removed and vasum-client should
-// be used instead.
-
-namespace SecurityManager
-{
-
-extern const std::string ZONE_HOST;
-
-/**
- * Extracts Zone ID in which runs process having provided PID.
- *
- * This function parses /proc/<pid>/cpuset file and tries to acquire Zone ID name from it.
- *
- * @param[in] pid PID of process to get Zone ID from.
- * @param[out] zoneId Zone ID extracted from cpuset. If process runs in host, returns "host" string.
- * @return True on success, false on failure.
- */
-bool getZoneIdFromPid(int pid, std::string& zoneId);
-
-/**
- * Generates zone-specific label from given @ref label and zone's name @ref zoneName
- *
- * @param[in] label Base label, used to generate new zone-specific label
- * @param[in] zoneName Name of zone for which label will be generated
- * @return Generated label
- */
-std::string zoneSmackLabelGenerate(const std::string &label, const std::string &zoneName);
-
-/**
- * Map @ref hostLabel to @ref zoneLabel using Smack namespaces.
- *
- * FIXME This is a placeholder for Vasum API - implement when Smack Namespaces are implemented
- *
- * @param[in] hostLabel Smack label as seen from hosts perspective
- * @param[in] zoneName Zone ID to which label will be mapped
- * @param[in] zoneLabel Smack label seen from zone's perspective
- * @return True on success, false on failure
- */
-bool zoneSmackLabelMap(const std::string &hostLabel, const std::string &zoneName,
- const std::string &zoneLabel);
-
-/**
- * Unmap label mapped by zoneSmackLabelMap.
- *
- * FIXME This is a placeholder for Vasum API - implement when Smack Namespaces are implemented
- *
- * @param[in] hostLabel Label to unmap
- * @param[in] zoneName Zone ID for which unmapping should be done
- * @return True on success, false on failure
- */
-bool zoneSmackLabelUnmap(const std::string &hostLabel, const std::string &zoneName);
-
-} //namespace SecurityManager
-
-#endif //_SECURITY_MANAGER_ZONE_UTILS_H_
diff --git a/src/common/master-req.cpp b/src/common/master-req.cpp
deleted file mode 100644
index 3d4d071e..00000000
--- a/src/common/master-req.cpp
+++ /dev/null
@@ -1,261 +0,0 @@
-/*
- * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Rafal Krypa <r.krypa@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-
-/*
- * @file master-req.cpp
- * @author Lukasz Kostyra <l.kostyra@samsung.com>
- * @brief Definitions of master request calls
- */
-
-#include "master-req.h"
-
-#include <dpl/serialization.h>
-
-#include "message-buffer.h"
-#include "connection.h"
-
-namespace SecurityManager {
-namespace MasterReq {
-
-int CynaraPolicyUpdate(const std::string &appId, const std::string &uidstr,
- const std::vector<std::string> &privileges)
-{
- int ret;
- MessageBuffer sendBuf, retBuf;
-
- Serialization::Serialize(sendBuf,
- static_cast<int>(MasterSecurityModuleCall::CYNARA_UPDATE_POLICY),
- appId, uidstr, privileges);
-
- ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf);
- if (ret == SECURITY_MANAGER_API_SUCCESS)
- Deserialization::Deserialize(retBuf, ret);
-
- return ret;
-}
-
-int CynaraUserInit(const uid_t uidAdded, int userType)
-{
- int ret;
- MessageBuffer sendBuf, retBuf;
-
- Serialization::Serialize(sendBuf,
- static_cast<int>(MasterSecurityModuleCall::CYNARA_USER_INIT),
- uidAdded, userType);
-
- ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf);
- if (ret == SECURITY_MANAGER_API_SUCCESS)
- Deserialization::Deserialize(retBuf, ret);
-
- return ret;
-}
-
-int CynaraUserRemove(const uid_t uidDeleted)
-{
- int ret;
- MessageBuffer sendBuf, retBuf;
-
- Serialization::Serialize(sendBuf,
- static_cast<int>(MasterSecurityModuleCall::CYNARA_USER_REMOVE),
- uidDeleted);
-
- ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf);
- if (ret == SECURITY_MANAGER_API_SUCCESS)
- Deserialization::Deserialize(retBuf, ret);
-
- return ret;
-}
-
-int SmackInstallRules(const std::string &appId,
- const std::string &pkgId,
- const std::string &authorId,
- const std::vector<std::string> &pkgContents,
- const std::vector<std::string> &appsGranted,
- const std::vector<std::string> &accessPackages)
-{
- int ret;
- MessageBuffer sendBuf, retBuf;
- Serialization::Serialize(
- sendBuf,
- static_cast<int>(MasterSecurityModuleCall::SMACK_INSTALL_RULES),
- appId,
- pkgId,
- authorId,
- pkgContents,
- appsGranted,
- accessPackages);
-
- ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf);
- if (ret == SECURITY_MANAGER_API_SUCCESS)
- Deserialization::Deserialize(retBuf, ret);
-
- return ret;
-}
-
-int SmackUninstallRules(const std::string &appId, const std::string &pkgId,
- const std::vector<std::string> &pkgContents,
- const std::vector<std::string> &appsGranted,
- const bool removeApp, const bool removePkg)
-{
- int ret;
- MessageBuffer sendBuf, retBuf;
-
- Serialization::Serialize(sendBuf,
- static_cast<int>(MasterSecurityModuleCall::SMACK_UNINSTALL_RULES),
- appId, pkgId, pkgContents, appsGranted, removeApp, removePkg);
-
- ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf);
- if (ret == SECURITY_MANAGER_API_SUCCESS)
- Deserialization::Deserialize(retBuf, ret);
-
- return ret;
-}
-
-// Following three requests are just forwarded security-manager API calls
-// these do not access Privilege DB, so all can be forwarded to Master
-int PolicyUpdate(const std::vector<policy_entry> &policyEntries, uid_t uid, pid_t pid,
- const std::string &smackLabel)
-{
- int ret;
- MessageBuffer sendBuf, retBuf;
-
- Serialization::Serialize(sendBuf,
- static_cast<int>(MasterSecurityModuleCall::POLICY_UPDATE),
- policyEntries, uid, pid, smackLabel);
-
- ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf);
- if (ret == SECURITY_MANAGER_API_SUCCESS)
- Deserialization::Deserialize(retBuf, ret);
-
- return ret;
-}
-
-int GetConfiguredPolicy(bool forAdmin, const policy_entry &filter, uid_t uid, pid_t pid,
- const std::string &smackLabel, std::vector<policy_entry> &policyEntries)
-{
- int ret;
- MessageBuffer sendBuf, retBuf;
-
- Serialization::Serialize(sendBuf,
- static_cast<int>(MasterSecurityModuleCall::GET_CONFIGURED_POLICY),
- forAdmin, filter, uid, pid, smackLabel);
-
- ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf);
- if (ret == SECURITY_MANAGER_API_SUCCESS) {
- Deserialization::Deserialize(retBuf, ret);
- if (ret == SECURITY_MANAGER_API_SUCCESS)
- Deserialization::Deserialize(retBuf, policyEntries);
- }
-
- return ret;
-}
-
-int GetPolicy(const policy_entry &filter, uid_t uid, pid_t pid, const std::string &smackLabel,
- std::vector<policy_entry> &policyEntries)
-{
- int ret;
- MessageBuffer sendBuf, retBuf;
-
- Serialization::Serialize(sendBuf,
- static_cast<int>(MasterSecurityModuleCall::GET_POLICY),
- filter, uid, pid, smackLabel);
-
- ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf);
- if (ret == SECURITY_MANAGER_API_SUCCESS) {
- Deserialization::Deserialize(retBuf, ret);
- if (ret == SECURITY_MANAGER_API_SUCCESS)
- Deserialization::Deserialize(retBuf, policyEntries);
- }
-
- return ret;
-}
-
-int PolicyGetDesc(std::vector<std::string> &descriptions)
-{
- int ret;
- MessageBuffer sendBuf, retBuf;
-
- Serialization::Serialize(sendBuf,
- static_cast<int>(MasterSecurityModuleCall::POLICY_GET_DESC));
-
- ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf);
- if (ret == SECURITY_MANAGER_API_SUCCESS) {
- Deserialization::Deserialize(retBuf, ret);
- if (ret == SECURITY_MANAGER_API_SUCCESS)
- Deserialization::Deserialize(retBuf, descriptions);
- }
-
- return ret;
-}
-
-int SmackApplyPrivateSharingRules(const std::string &ownerPkgId,
- const std::vector<std::string> &pkgContents,
- const std::string &targetAppId,
- const std::string &path,
- int ownerTargetCount,
- int pathCount)
-{
- int ret;
- MessageBuffer sendBuf, retBuf;
-
- Serialization::Serialize(sendBuf,
- static_cast<int>(MasterSecurityModuleCall::SMACK_APPLY_PRIVATE_SHARING_RULES));
- Serialization::Serialize(sendBuf, ownerPkgId);
- Serialization::Serialize(sendBuf, pkgContents);
- Serialization::Serialize(sendBuf, targetAppId);
- Serialization::Serialize(sendBuf, path);
- Serialization::Serialize(sendBuf, ownerTargetCount);
- Serialization::Serialize(sendBuf, pathCount);
-
- ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf);
- if (ret == SECURITY_MANAGER_API_SUCCESS) {
- Deserialization::Deserialize(retBuf, ret);
- }
-
- return ret;
-}
-
-int SmackDropPrivateSharingRules(const std::string &ownerPkgId,
- const std::vector<std::string> &pkgContents,
- const std::string &targetAppId,
- const std::string &path,
- int ownerTargetCount,
- int pathCount)
-{
- int ret;
- MessageBuffer sendBuf, retBuf;
-
- Serialization::Serialize(sendBuf,
- static_cast<int>(MasterSecurityModuleCall::SMACK_DROP_PRIVATE_SHARING_RULES));
- Serialization::Serialize(sendBuf, ownerPkgId);
- Serialization::Serialize(sendBuf, pkgContents);
- Serialization::Serialize(sendBuf, targetAppId);
- Serialization::Serialize(sendBuf, path);
- Serialization::Serialize(sendBuf, ownerTargetCount);
- Serialization::Serialize(sendBuf, pathCount);
-
- ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf);
- if (ret == SECURITY_MANAGER_API_SUCCESS) {
- Deserialization::Deserialize(retBuf, ret);
- }
-
- return ret;
-}
-
-} // namespace MasterReq
-} // namespace SecurityManager
diff --git a/src/common/protocols.cpp b/src/common/protocols.cpp
index eac619a8..798b9d69 100644
--- a/src/common/protocols.cpp
+++ b/src/common/protocols.cpp
@@ -32,10 +32,6 @@ namespace SecurityManager {
char const * const SERVICE_SOCKET =
SOCKET_PATH_PREFIX "security-manager.socket";
-char const * const MASTER_SERVICE_SOCKET =
- SOCKET_PATH_PREFIX "security-manager-master.socket";
-char const * const SLAVE_SERVICE_SOCKET =
- SOCKET_PATH_PREFIX "security-manager-slave.socket";
} // namespace SecurityManager
diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
index 99928a9d..ab15ba33 100644
--- a/src/common/service_impl.cpp
+++ b/src/common/service_impl.cpp
@@ -42,10 +42,8 @@
#include "smack-rules.h"
#include "smack-labels.h"
#include "security-manager.h"
-#include "zone-utils.h"
#include "service_impl.h"
-#include "master-req.h"
namespace SecurityManager {
@@ -278,23 +276,7 @@ bool ServiceImpl::installRequestAuthCheck(const app_inst_req &req, uid_t uid, st
return true;
}
-bool ServiceImpl::getZoneId(std::string &zoneId)
-{
- if (!getZoneIdFromPid(getpid(), zoneId)) {
- LogError("Failed to get zone ID from current PID");
- return false;
- }
-
- // This function should be called under slave mode only - assumes, that we work inside zone
- if (zoneId == ZONE_HOST) {
- LogError("We should not run in host - refusing request");
- return false;
- }
-
- return true;
-}
-
-int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave)
+int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid)
{
std::vector<std::string> addedPermissions;
std::vector<std::string> removedPermissions;
@@ -308,14 +290,6 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave)
// authorId contains id from database. It's not equal to value in request.
// IMHO the id in request should be called authorName not authorId...
- std::string zoneId;
- if (isSlave) {
- if (!getZoneId(zoneId)) {
- LogError("Failed to get Zone ID.");
- return SECURITY_MANAGER_API_ERROR_SERVER_ERROR;
- }
- }
-
if (uid) {
if (uid != req.uid) {
LogError("User " << uid <<
@@ -334,9 +308,10 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave)
}
try {
- appLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(req.appId), zoneId);
+ appLabel = SmackLabels::generateAppLabel(req.appId);
+
/* NOTE: we don't use pkgLabel here, but generate it for pkgId validation */
- pkgLabel = zoneSmackLabelGenerate(SmackLabels::generatePkgLabel(req.pkgId), zoneId);
+ pkgLabel = SmackLabels::generatePkgLabel(req.pkgId);
LogDebug("Install parameters: appId: " << req.appId << ", pkgId: " << req.pkgId
<< ", uidstr " << uidstr
<< ", app label: " << appLabel << ", pkg label: " << pkgLabel
@@ -357,16 +332,7 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave)
PrivilegeDb::getInstance().GetAppIdsForPkgId(req.pkgId, pkgContents);
PrivilegeDb::getInstance().GetAuthorIdForAppId(req.appId, authorId);
- if (isSlave) {
- int ret = MasterReq::CynaraPolicyUpdate(req.appId, uidstr, req.privileges);
- if (ret != SECURITY_MANAGER_API_SUCCESS) {
- PrivilegeDb::getInstance().RollbackTransaction();
- LogError("Error while processing request on master: " << ret);
- return ret;
- }
- } else {
- CynaraAdmin::getInstance().UpdateAppPolicy(appLabel, uidstr, req.privileges);
- }
+ CynaraAdmin::getInstance().UpdateAppPolicy(appLabel, uidstr, req.privileges);
// if app is targetted to Tizen 2.X, give other 2.X apps RO rules to it's shared dir
if(isTizen2XVersion(req.tizenVersion))
@@ -404,22 +370,12 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave)
for (const auto &appPath : req.appPaths) {
const std::string &path = appPath.first;
app_install_path_type pathType = static_cast<app_install_path_type>(appPath.second);
- SmackLabels::setupPath(req.pkgId, path, pathType, zoneId, authorId);
+ SmackLabels::setupPath(req.pkgId, path, pathType, authorId);
}
- if (isSlave) {
- LogDebug("Requesting master to add rules for new appId: " << req.appId << " with pkgId: "
- << req.pkgId << ". Applications in package: " << pkgContents.size());
- int ret = MasterReq::SmackInstallRules(req.appId, req.pkgId, authorId, pkgContents, allTizen2XApps, allTizen2XPackages);
- if (ret != SECURITY_MANAGER_API_SUCCESS) {
- LogError("Master failed to apply package-specific smack rules: " << ret);
- return ret;
- }
- } else {
- LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: "
- << req.pkgId << ". Applications in package: " << pkgContents.size());
- SmackRules::installApplicationRules(req.appId, req.pkgId, authorId, pkgContents, allTizen2XApps, allTizen2XPackages);
- }
+ LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: "
+ << req.pkgId << ". Applications in package: " << pkgContents.size());
+ SmackRules::installApplicationRules(req.appId, req.pkgId, authorId, pkgContents, allTizen2XApps, allTizen2XPackages);
} catch (const SmackException::InvalidParam &e) {
LogError("Invalid paramater during labeling: " << e.GetMessage());
return SECURITY_MANAGER_API_ERROR_INPUT_PARAM;
@@ -429,7 +385,7 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave)
} catch (const SecurityManager::Exception &e) {
LogError("Security Manager exception: " << e.DumpToString());
return SECURITY_MANAGER_API_ERROR_SERVER_ERROR;
- }catch (const std::bad_alloc &e) {
+ } catch (const std::bad_alloc &e) {
LogError("Memory allocation error: " << e.what());
return SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY;
}
@@ -437,7 +393,7 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave)
return SECURITY_MANAGER_API_SUCCESS;
}
-int ServiceImpl::appUninstall(const std::string &appId, uid_t uid, bool isSlave)
+int ServiceImpl::appUninstall(const std::string &appId, uid_t uid)
{
std::string pkgId;
std::string tizenVersion;
@@ -452,14 +408,6 @@ int ServiceImpl::appUninstall(const std::string &appId, uid_t uid, bool isSlave)
std::string authorId;
int restoreAuthor = 0;
- std::string zoneId;
- if (isSlave) {
- if (!getZoneId(zoneId)) {
- LogError("Failed to get Zone ID.");
- return SECURITY_MANAGER_API_ERROR_SERVER_ERROR;
- }
- }
-
try {
PrivilegeDb::getInstance().BeginTransaction();
if (!PrivilegeDb::getInstance().GetAppPkgIdAndVer(appId, pkgId, tizenVersion)) {
@@ -468,7 +416,7 @@ int ServiceImpl::appUninstall(const std::string &appId, uid_t uid, bool isSlave)
PrivilegeDb::getInstance().RollbackTransaction();
appExists = false;
} else {
- smackLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(appId), zoneId);
+ smackLabel = SmackLabels::generateAppLabel(appId);
LogDebug("Uninstall parameters: appId: " << appId << ", pkgId: " << pkgId
<< ", uidstr " << uidstr << ", generated smack label: " << smackLabel);
@@ -486,16 +434,7 @@ int ServiceImpl::appUninstall(const std::string &appId, uid_t uid, bool isSlave)
if(isTizen2XVersion(tizenVersion))
PrivilegeDb::getInstance().GetTizen2XApps(appId, allTizen2XApps);
- if (isSlave) {
- int ret = MasterReq::CynaraPolicyUpdate(appId, uidstr, std::vector<std::string>());
- if (ret != SECURITY_MANAGER_API_SUCCESS) {
- PrivilegeDb::getInstance().RollbackTransaction();
- LogError("Error while processing request on master: " << ret);
- return ret;
- }
- } else {
- CynaraAdmin::getInstance().UpdateAppPolicy(smackLabel, uidstr, std::vector<std::string>());
- }
+ CynaraAdmin::getInstance().UpdateAppPolicy(smackLabel, uidstr, std::vector<std::string>());
PrivilegeDb::getInstance().CommitTransaction();
LogDebug("Application uninstallation commited to database");
@@ -523,32 +462,24 @@ int ServiceImpl::appUninstall(const std::string &appId, uid_t uid, bool isSlave)
if (appExists) {
try {
- if (isSlave) {
- LogDebug("Delegating Smack rules removal for deleted pkgId " << pkgId <<
- " to master");
- int ret = MasterReq::SmackUninstallRules(appId, pkgId, pkgContents, allTizen2XApps, removeApp, removePkg);
- if (ret != SECURITY_MANAGER_API_SUCCESS) {
- LogError("Error while processing uninstall request on master: " << ret);
- return ret;
- }
- } else {
- if (removeApp) {
- LogDebug("Removing smack rules for deleted appId " << appId);
- SmackRules::uninstallApplicationRules(appId, pkgId, pkgContents, allTizen2XApps, zoneId);
- }
- if (removePkg) {
- LogDebug("Removing Smack rules for deleted pkgId " << pkgId);
- SmackRules::uninstallPackageRules(pkgId);
- }
- if (restoreAuthor)
- SmackRules::fixAuthorRules(authorId);
+ if (removeApp) {
+ LogDebug("Removing smack rules for deleted appId " << appId);
+ SmackRules::uninstallApplicationRules(appId, pkgId, pkgContents, allTizen2XApps);
}
+
+ if (removePkg) {
+ LogDebug("Removing Smack rules for deleted pkgId " << pkgId);
+ SmackRules::uninstallPackageRules(pkgId);
+ }
+
+ if (restoreAuthor) {
+ LogDebug("Removing Smack rules for authorId " << authorId);
+ SmackRules::fixAuthorRules(authorId);
+ }
+
} catch (const SmackException::Base &e) {
LogError("Error while removing Smack rules for application: " << e.DumpToString());
return SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED;
- } catch (const SecurityManager::Exception &e) {
- LogError("Security Manager error: " << e.DumpToString());
- return SECURITY_MANAGER_API_ERROR_SERVER_ERROR;
} catch (const std::bad_alloc &e) {
LogError("Memory allocation error: " << e.what());
return SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY;
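Review bot: The Smack-rule removal `try` in appUninstall no longer has the `catch (const SecurityManager::Exception &e)` handler, leaving only `SmackException::Base` and `std::bad_alloc`, while the matching block in appInstall still keeps that handler. If `uninstallApplicationRules`, `uninstallPackageRules` or `fixAuthorRules` can raise any SecurityManager exception that is not a Smack one (their bodies are not in this hunk), it now escapes after the database transaction has already been committed, instead of being mapped to `SECURITY_MANAGER_API_ERROR_SERVER_ERROR`. I would keep `} catch (const SecurityManager::Exception &e) {` with its `LogError` and return as a fallback after the Smack handler. The new message `"Removing Smack rules for authorId "` is also logged before a call named `fixAuthorRules`, so the wording should say what that call does. appUninstall starts and ends outside this hunk.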
@@ -577,18 +508,12 @@ int ServiceImpl::getPkgId(const std::string &appId, std::string &pkgId)
return SECURITY_MANAGER_API_SUCCESS;
}
-int ServiceImpl::getAppGroups(const std::string &appId, uid_t uid, pid_t pid, bool isSlave,
+int ServiceImpl::getAppGroups(
+ const std::string &appId,
+ uid_t uid,
+ pid_t pid,
std::unordered_set<gid_t> &gids)
{
- // FIXME Temporary solution, see below
- std::string zoneId;
- if (isSlave) {
- if (!getZoneId(zoneId)) {
- LogError("Failed to get Zone ID.");
- return SECURITY_MANAGER_API_ERROR_SERVER_ERROR;
- }
- }
-
try {
std::string pkgId;
std::string smackLabel;
@@ -603,9 +528,7 @@ int ServiceImpl::getAppGroups(const std::string &appId, uid_t uid, pid_t pid, bo
}
LogDebug("pkgId: " << pkgId);
- // FIXME getAppGroups should work without generating zone-specific labels when
- // Smack Namespaces will work
- smackLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(appId), zoneId);
+ smackLabel = SmackLabels::generateAppLabel(appId);
LogDebug("smack label: " << smackLabel);
std::vector<std::string> privileges;
@@ -655,30 +578,20 @@ int ServiceImpl::getAppGroups(const std::string &appId, uid_t uid, pid_t pid, bo
return SECURITY_MANAGER_API_SUCCESS;
}
-int ServiceImpl::userAdd(uid_t uidAdded, int userType, uid_t uid, bool isSlave)
+int ServiceImpl::userAdd(uid_t uidAdded, int userType, uid_t uid)
{
if (uid != 0)
return SECURITY_MANAGER_API_ERROR_AUTHENTICATION_FAILED;
- if (isSlave) {
- int ret = MasterReq::CynaraUserInit(uidAdded,
- static_cast<security_manager_user_type>(userType));
- if (ret != SECURITY_MANAGER_API_SUCCESS) {
- LogError("Master failed to initialize user " << uidAdded << " of type " << userType);
- return ret;
- }
- } else {
- try {
- CynaraAdmin::getInstance().UserInit(uidAdded, static_cast<security_manager_user_type>(userType));
- } catch (CynaraException::InvalidParam &e) {
- return SECURITY_MANAGER_API_ERROR_INPUT_PARAM;
- }
+ try {
+ CynaraAdmin::getInstance().UserInit(uidAdded, static_cast<security_manager_user_type>(userType));
+ } catch (CynaraException::InvalidParam &e) {
+ return SECURITY_MANAGER_API_ERROR_INPUT_PARAM;
}
-
return SECURITY_MANAGER_API_SUCCESS;
}
-int ServiceImpl::userDelete(uid_t uidDeleted, uid_t uid, bool isSlave)
+int ServiceImpl::userDelete(uid_t uidDeleted, uid_t uid)
{
int ret = SECURITY_MANAGER_API_SUCCESS;
if (uid != 0)
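Review bot: In userAdd the only handler around `CynaraAdmin::getInstance().UserInit(...)` is `catch (CynaraException::InvalidParam &e)`, so any other failure of the Cynara admin call leaves the function as an exception instead of an API error code. The next hunk has the same gap in userDelete, where `CynaraAdmin::getInstance().UserRemove(uidDeleted)` has no handler in the visible lines. Unless the dispatching code is known to catch these, add a fallback such as `} catch (const SecurityManager::Exception &e) { LogError(...); return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; }`, as appInstall does. The existing handler should take its argument as `const CynaraException::InvalidParam &`, since `e` is never modified or used. userDelete's body continues outside this hunk.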
@@ -694,22 +607,14 @@ int ServiceImpl::userDelete(uid_t uidDeleted, uid_t uid, bool isSlave)
}
for (auto &app: userApps) {
- if (appUninstall(app, uidDeleted, isSlave) != SECURITY_MANAGER_API_SUCCESS) {
+ if (appUninstall(app, uidDeleted) != SECURITY_MANAGER_API_SUCCESS) {
/*if uninstallation of this app fails, just go on trying to uninstall another ones.
we do not have anything special to do about that matter - user will be deleted anyway.*/
ret = SECURITY_MANAGER_API_ERROR_SERVER_ERROR;
}
}
- if (isSlave) {
- int ret = MasterReq::CynaraUserRemove(uidDeleted);
- if (ret) {
- LogError("Master failed to delete user " << uidDeleted);
- return ret;
- }
- } else {
- CynaraAdmin::getInstance().UserRemove(uidDeleted);
- }
+ CynaraAdmin::getInstance().UserRemove(uidDeleted);
return ret;
}
@@ -1039,22 +944,14 @@ int ServiceImpl::policyGetGroups(std::vector<std::string> &groups)
return ret;
}
-int ServiceImpl::appHasPrivilege(std::string appId, std::string privilege,
- uid_t uid, bool isSlave, bool &result)
+int ServiceImpl::appHasPrivilege(
+ std::string appId,
+ std::string privilege,
+ uid_t uid,
+ bool &result)
{
try {
- // FIXME getAppGroups should work without generating zone-specific labels when
- // Smack Namespaces will work
- std::string zoneId;
- if (isSlave) {
- if (!getZoneId(zoneId)) {
- LogError("Failed to get Zone ID.");
- return SECURITY_MANAGER_API_ERROR_SERVER_ERROR;
- }
- }
-
- std::string appLabel = zoneSmackLabelGenerate(
- SmackLabels::generateAppLabel(appId), zoneId);
+ std::string appLabel = SmackLabels::generateAppLabel(appId);
std::string uidStr = std::to_string(uid);
result = Cynara::getInstance().check(appLabel, privilege, uidStr, "");
LogDebug("result = " << result);
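Review bot: The reflowed signature of appHasPrivilege still takes `std::string appId` and `std::string privilege` by value, although both are only read in the visible body and every other ServiceImpl method touched by this commit takes its strings as `const std::string &`. Since the parameter list is being rewritten anyway, I would change them to `const std::string &appId, const std::string &privilege`, with the matching change in service_impl.h. The same applies to `const std::string appId` in generateAppToOtherPackagesDeps and `const std::string pkgId` in generateAllowOther2XApplicationDeps in the smack-rules.cpp hunks. The function body continues outside this hunk.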
@@ -1075,9 +972,12 @@ int ServiceImpl::appHasPrivilege(std::string appId, std::string privilege,
}
-int ServiceImpl::dropOnePrivateSharing(const std::string &ownerAppId, const std::string &ownerPkgId,
- const std::vector<std::string> &ownerPkgContents, const std::string &targetAppId,
- const std::string &path, const std::string &zoneId, bool isSlave)
+int ServiceImpl::dropOnePrivateSharing(
+ const std::string &ownerAppId,
+ const std::string &ownerPkgId,
+ const std::vector<std::string> &ownerPkgContents,
+ const std::string &targetAppId,
+ const std::string &path)
{
int errorRet;
try {
@@ -1090,15 +990,11 @@ int ServiceImpl::dropOnePrivateSharing(const std::string &ownerAppId, const std:
return SECURITY_MANAGER_API_SUCCESS;
}
if (pathCount < 1) {
- SmackLabels::setupPath(ownerPkgId, path, SECURITY_MANAGER_PATH_RW, zoneId);
- }
- std::string pathLabel = zoneSmackLabelGenerate(SmackLabels::generateSharedPrivateLabel(ownerPkgId, path), zoneId);
- if (isSlave) {
- MasterReq::SmackDropPrivateSharingRules(ownerPkgId, ownerPkgContents, targetAppId, path, ownerTargetCount, pathCount);
- } else {
- SmackRules::dropPrivateSharingRules(ownerPkgId, ownerPkgContents, targetAppId, pathLabel,
- pathCount < 1, ownerTargetCount < 1, zoneId);
+ SmackLabels::setupPath(ownerPkgId, path, SECURITY_MANAGER_PATH_RW);
}
+ std::string pathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgId, path);
+ SmackRules::dropPrivateSharingRules(ownerPkgId, ownerPkgContents, targetAppId, pathLabel,
+ pathCount < 1, ownerTargetCount < 1);
return SECURITY_MANAGER_API_SUCCESS;
} catch (const SmackException::Base &e) {
LogError("Error performing smack operation: " << e.GetMessage());
@@ -1116,22 +1012,15 @@ int ServiceImpl::dropOnePrivateSharing(const std::string &ownerAppId, const std:
return errorRet;
}
-int ServiceImpl::applyPrivatePathSharing(const std::string &ownerAppId,
- const std::string &targetAppId,
- const std::vector<std::string> &paths,
- bool isSlave)
+int ServiceImpl::applyPrivatePathSharing(
+ const std::string &ownerAppId,
+ const std::string &targetAppId,
+ const std::vector<std::string> &paths)
{
int errorRet;
int sharingAdded = 0;
std::string ownerPkgId;
std::vector<std::string> pkgContents;
- std::string zoneId;
- if (isSlave) {
- if (!getZoneId(zoneId)) {
- LogError("Failed to get Zone ID.");
- return SECURITY_MANAGER_API_ERROR_SERVER_ERROR;
- }
- }
try {
std::string targetPkgId;
@@ -1146,8 +1035,8 @@ int ServiceImpl::applyPrivatePathSharing(const std::string &ownerAppId,
for(const auto &path : paths) {
std::string pathLabel = SmackLabels::getSmackLabelFromPath(path);
- if (pathLabel != zoneSmackLabelGenerate(SmackLabels::generatePkgLabel(ownerPkgId), zoneId)) {
- std::string generatedPathLabel = zoneSmackLabelGenerate(SmackLabels::generateSharedPrivateLabel(ownerPkgId, path), zoneId);
+ if (pathLabel != SmackLabels::generatePkgLabel(ownerPkgId)) {
+ std::string generatedPathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgId, path);
if (generatedPathLabel != pathLabel) {
LogError("Path " << path << " has label " << pathLabel << " and dosen't belong"
" to application " << ownerAppId);
@@ -1171,7 +1060,7 @@ int ServiceImpl::applyPrivatePathSharing(const std::string &ownerAppId,
PrivilegeDb::getInstance().GetTargetPathSharingCount(targetAppId, path, targetPathCount);
PrivilegeDb::getInstance().GetPathSharingCount(path, pathCount);
PrivilegeDb::getInstance().GetOwnerTargetSharingCount(ownerAppId, targetAppId, ownerTargetCount);
- std::string pathLabel = zoneSmackLabelGenerate(SmackLabels::generateSharedPrivateLabel(ownerPkgId, path), zoneId);
+ std::string pathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgId, path);
PrivilegeDb::getInstance().ApplyPrivateSharing(ownerAppId, targetAppId, path, pathLabel);
sharingAdded++;
if (targetPathCount > 0) {
@@ -1181,13 +1070,9 @@ int ServiceImpl::applyPrivatePathSharing(const std::string &ownerAppId,
if (pathCount <= 0) {
SmackLabels::setupSharedPrivatePath(ownerPkgId, path);
}
- if (isSlave) {
- MasterReq::SmackApplyPrivateSharingRules(ownerPkgId,
- pkgContents, targetAppId, path, ownerTargetCount, pathCount);
- } else {
- SmackRules::applyPrivateSharingRules(ownerPkgId, pkgContents, targetAppId,
- pathLabel, (pathCount > 0), (ownerTargetCount > 0), zoneId);
- }
+
+ SmackRules::applyPrivateSharingRules(ownerPkgId, pkgContents, targetAppId,
+ pathLabel, (pathCount > 0), (ownerTargetCount > 0));
}
trans.commit();
return SECURITY_MANAGER_API_SUCCESS;
@@ -1206,25 +1091,18 @@ int ServiceImpl::applyPrivatePathSharing(const std::string &ownerAppId,
}
for (int i = 0; i < sharingAdded; i++) {
const std::string &path = paths[i];
- dropOnePrivateSharing(ownerAppId, ownerPkgId, pkgContents, targetAppId, path, zoneId, isSlave);
+ dropOnePrivateSharing(ownerAppId, ownerPkgId, pkgContents, targetAppId, path);
}
return errorRet;
}
-int ServiceImpl::dropPrivatePathSharing(const std::string &ownerAppId,
- const std::string &targetAppId,
- const std::vector<std::string> &paths,
- bool isSlave)
+int ServiceImpl::dropPrivatePathSharing(
+ const std::string &ownerAppId,
+ const std::string &targetAppId,
+ const std::vector<std::string> &paths)
{
int errorRet;
try {
- std::string zoneId;
- if (isSlave) {
- if (!getZoneId(zoneId)) {
- LogError("Failed to get Zone ID.");
- return SECURITY_MANAGER_API_ERROR_SERVER_ERROR;
- }
- }
std::string ownerPkgId, targetPkgId;
if (!PrivilegeDb::getInstance().GetAppPkgId(ownerAppId, ownerPkgId)) {
LogError(ownerAppId << " is not an installed application");
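Review bot: The rollback loop at the top of this hunk discards the result of `dropOnePrivateSharing(ownerAppId, ownerPkgId, pkgContents, targetAppId, path)`. If undoing a partially applied share fails, the Smack label and rules already granted to the target may stay in place, and applyPrivatePathSharing still returns only the original `errorRet`. I would check the result and record it, for example `if (dropOnePrivateSharing(...) != SECURITY_MANAGER_API_SUCCESS) LogError("Failed to roll back sharing of path " << path);`. This would let an operator see that access was left behind. Both applyPrivatePathSharing and dropPrivatePathSharing extend beyond this hunk.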
@@ -1237,8 +1115,8 @@ int ServiceImpl::dropPrivatePathSharing(const std::string &ownerAppId,
for(const auto &path : paths) {
std::string pathLabel = SmackLabels::getSmackLabelFromPath(path);
- if (pathLabel != zoneSmackLabelGenerate(SmackLabels::generatePkgLabel(ownerPkgId), zoneId)) {
- std::string generatedPathLabel = zoneSmackLabelGenerate(SmackLabels::generateSharedPrivateLabel(ownerPkgId, path), zoneId);
+ if (pathLabel != SmackLabels::generatePkgLabel(ownerPkgId)) {
+ std::string generatedPathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgId, path);
if (generatedPathLabel != pathLabel) {
LogError("Path " << path << " has label " << pathLabel << " and dosen't belong"
" to application " << ownerAppId);
@@ -1260,7 +1138,7 @@ int ServiceImpl::dropPrivatePathSharing(const std::string &ownerAppId,
PrivilegeDb::getInstance().GetAppIdsForPkgId(ownerPkgId, pkgContents);
ScopedTransaction trans;
for (const auto &path : paths) {
- int ret = dropOnePrivateSharing(ownerAppId, ownerPkgId, pkgContents, targetAppId, path, zoneId, isSlave);
+ int ret = dropOnePrivateSharing(ownerAppId, ownerPkgId, pkgContents, targetAppId, path);
if (ret != SECURITY_MANAGER_API_SUCCESS) {
return ret;
}
@@ -1283,5 +1161,5 @@ int ServiceImpl::dropPrivatePathSharing(const std::string &ownerAppId,
return errorRet;
}
-
} /* namespace SecurityManager */
+
diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp
index dbc6f4df..8682d52b 100644
--- a/src/common/smack-labels.cpp
+++ b/src/common/smack-labels.cpp
@@ -41,7 +41,6 @@
#include "security-manager.h"
#include "smack-labels.h"
-#include "zone-utils.h"
namespace SecurityManager {
@@ -135,7 +134,6 @@ void setupPath(
const std::string &pkgId,
const std::string &path,
app_install_path_type pathType,
- const std::string &zoneId,
const std::string &authorId)
{
std::string label;
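Review bot: Removing `zoneId` from the middle of setupPath's parameter list puts `authorId` in the position it used to occupy, and both are `const std::string &`. The three-argument call in dropOnePrivateSharing suggests that `authorId` has a default value, so any call site not updated in this commit that still passes four arguments would compile silently and have its zone string used as the author id when the path label is built. Please confirm with a search that no such caller remains outside this diff. A short comment on the declaration in smack-labels.h would also help, for example `// authorId: author id from the privilege database, not a zone name`. setupPath's body continues outside this hunk.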
@@ -143,12 +141,12 @@ void setupPath(
switch (pathType) {
case SECURITY_MANAGER_PATH_RW:
- label = zoneSmackLabelGenerate(generatePkgLabel(pkgId), zoneId);
+ label = generatePkgLabel(pkgId);
label_executables = false;
label_transmute = true;
break;
case SECURITY_MANAGER_PATH_RO:
- label = zoneSmackLabelGenerate(generatePkgROLabel(pkgId), zoneId);
+ label = generatePkgROLabel(pkgId);
label_executables = false;
label_transmute = false;
break;
@@ -158,7 +156,7 @@ void setupPath(
label_transmute = true;
break;
case SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO:
- label = zoneSmackLabelGenerate(generatePkgLabelOwnerRWothersRO(pkgId), zoneId);
+ label = generatePkgLabelOwnerRWothersRO(pkgId);
label_executables = false;
label_transmute = true;
break;
diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
index 3f4dce56..bd66158f 100644
--- a/src/common/smack-rules.cpp
+++ b/src/common/smack-rules.cpp
@@ -38,7 +38,6 @@
#include "smack-labels.h"
#include "smack-rules.h"
-#include "zone-utils.h"
namespace SecurityManager {
@@ -148,8 +147,7 @@ void SmackRules::saveToFile(const std::string &path) const
void SmackRules::addFromTemplateFile(
const std::string &appId,
const std::string &pkgId,
- const std::string &authorId,
- const std::string &zoneId)
+ const std::string &authorId)
{
std::vector<std::string> templateRules;
std::string line;
@@ -169,15 +167,14 @@ void SmackRules::addFromTemplateFile(
ThrowMsg(SmackException::FileError, "Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH);
}
- addFromTemplate(templateRules, appId, pkgId, authorId, zoneId);
+ addFromTemplate(templateRules, appId, pkgId, authorId);
}
void SmackRules::addFromTemplate(
const std::vector<std::string> &templateRules,
const std::string &appId,
const std::string &pkgId,
- const std::string &authorId,
- const std::string &zoneId)
+ const std::string &authorId)
{
for (auto rule : templateRules) {
if (rule.empty())
@@ -206,18 +203,11 @@ void SmackRules::addFromTemplate(
SmackLabels::generateAuthorLabel(authorId));
}
- if (!zoneId.empty()) {
- // FIXME replace with vasum calls. See zone-utils.h
- subject = zoneSmackLabelGenerate(subject, zoneId);
- object = zoneSmackLabelGenerate(object, zoneId);
- }
-
add(subject, object, permissions);
}
}
-void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgContents,
- const std::string &zoneId)
+void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgContents)
{
LogDebug ("Generating cross-package rules");
@@ -229,28 +219,28 @@ void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgCon
if (object == subject)
continue;
- subjectLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(subject), zoneId);
- objectLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(object), zoneId);
+ subjectLabel = SmackLabels::generateAppLabel(subject);
+ objectLabel = SmackLabels::generateAppLabel(object);
LogDebug ("Trying to add rule subject: " << subjectLabel << " object: " << objectLabel << " perms: " << appsInPackagePerms);
add(subjectLabel, objectLabel, appsInPackagePerms);
}
}
}
-void SmackRules::generateAppToOtherPackagesDeps(const std::string appId,
- const std::vector<std::string> &other2XPackages,
- const std::string &zoneId)
+void SmackRules::generateAppToOtherPackagesDeps(
+ const std::string appId,
+ const std::vector<std::string> &other2XPackages)
{
// reverse: allow installed app to access others' contents
// for every 2.X package
for (const auto &object : other2XPackages) {
- std::string otherObjectLabel = zoneSmackLabelGenerate(SmackLabels::generatePkgLabelOwnerRWothersRO(object), zoneId);
+ std::string otherObjectLabel = SmackLabels::generatePkgLabelOwnerRWothersRO(object);
SmackRules packageRules;
std::string accessPackageRulesPath = getPackageRulesFilePath(object);
packageRules.loadFromFile(accessPackageRulesPath);
- std::string subjectLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(appId), zoneId);
+ std::string subjectLabel = SmackLabels::generateAppLabel(appId);
LogDebug("Addding cross app rule for newly installed subject " << subjectLabel << " to already installed 2.x package object: " << otherObjectLabel << " perms: " << SMACK_APP_CROSS_PKG_PERMS);
packageRules.add(subjectLabel, otherObjectLabel, SMACK_APP_CROSS_PKG_PERMS);
packageRules.saveToFile(accessPackageRulesPath);
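Review bot: `const std::string appId` in the reflowed signature of generateAppToOtherPackagesDeps is still taken by value, so every call copies the string although the visible body only reads it; `const std::string &appId` would match the `other2XPackages` parameter next to it. The same applies to `const std::string pkgId` in generateAllowOther2XApplicationDeps and to `std::vector<std::string> pkgContents` in uninstallApplicationRules, both of which are rewritten by later hunks of this file. The declarations in smack-rules.h would need the matching change. The loop body of generateAppToOtherPackagesDeps continues past the end of this hunk.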
@@ -262,18 +252,18 @@ void SmackRules::generateAppToOtherPackagesDeps(const std::string appId,
/**
* this below works in N^2 and should be replaced by an alternative mechanism
*/
-void SmackRules::generateAllowOther2XApplicationDeps(const std::string pkgId,
- const std::vector<std::string> &other2XApps,
- const std::string &zoneId)
+void SmackRules::generateAllowOther2XApplicationDeps(
+ const std::string pkgId,
+ const std::vector<std::string> &other2XApps)
{
LogDebug("Generating cross-package rules");
- std::string objectLabel = zoneSmackLabelGenerate(SmackLabels::generatePkgLabelOwnerRWothersRO(pkgId), zoneId);
+ std::string objectLabel = SmackLabels::generatePkgLabelOwnerRWothersRO(pkgId);
std::string appsInPackagePerms = SMACK_APP_IN_PACKAGE_PERMS;
// allow other app to access installed package contents
for (const auto &subject : other2XApps) {
- std::string subjectLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(subject), zoneId);
+ std::string subjectLabel = SmackLabels::generateAppLabel(subject);
LogDebug("Addding cross 2.x app rule subject: " << subjectLabel << " to newly installed object: "
<< objectLabel << " perms: " << SMACK_APP_CROSS_PKG_PERMS);
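Review bot: In generateAllowOther2XApplicationDeps the local `appsInPackagePerms` is initialised from `SMACK_APP_IN_PACKAGE_PERMS`, but the only permission string the visible loop refers to is `SMACK_APP_CROSS_PKG_PERMS` in the LogDebug line. The `add()` call is outside this hunk, so it is not visible which of the two is actually granted. If the rule uses `SMACK_APP_CROSS_PKG_PERMS`, the local is dead and can be dropped; if it uses `appsInPackagePerms`, the log reports a different permission set than the one written, which would mislead anyone auditing Smack rules from the debug log. Either way the logged value and the applied value should come from the same variable.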
@@ -301,42 +291,29 @@ void SmackRules::installApplicationRules(
const std::vector<std::string> &appsGranted,
const std::vector<std::string> &accessPackages)
{
- installApplicationRules(appId, pkgId, authorId, pkgContents, appsGranted, accessPackages, std::string());
-}
-
-void SmackRules::installApplicationRules(
- const std::string &appId,
- const std::string &pkgId,
- const std::string &authorId,
- const std::vector<std::string> &pkgContents,
- const std::vector<std::string> &appsGranted,
- const std::vector<std::string> &accessPackages,
- const std::string &zoneId)
-{
SmackRules smackRules;
std::string appPath = getApplicationRulesFilePath(appId);
- smackRules.addFromTemplateFile(appId, pkgId, authorId, zoneId);
+ smackRules.addFromTemplateFile(appId, pkgId, authorId);
if (smack_smackfs_path() != NULL)
smackRules.apply();
smackRules.saveToFile(appPath);
- updatePackageRules(pkgId, pkgContents, appsGranted, zoneId);
- generateAppToOtherPackagesDeps(appId, accessPackages, zoneId);
+ updatePackageRules(pkgId, pkgContents, appsGranted);
+ generateAppToOtherPackagesDeps(appId, accessPackages);
}
void SmackRules::updatePackageRules(const std::string &pkgId,
const std::vector<std::string> &pkgContents,
- const std::vector<std::string> &appsGranted,
- const std::string &zoneId)
+ const std::vector<std::string> &appsGranted)
{
SmackRules smackRules;
std::string pkgPath = getPackageRulesFilePath(pkgId);
- smackRules.generatePackageCrossDeps(pkgContents, zoneId);
- smackRules.generateAllowOther2XApplicationDeps(pkgId, appsGranted, zoneId);
+ smackRules.generatePackageCrossDeps(pkgContents);
+ smackRules.generateAllowOther2XApplicationDeps(pkgId, appsGranted);
if (smack_smackfs_path() != NULL)
smackRules.apply();
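Review bot: In installApplicationRules the rules are loaded into the kernel with `smackRules.apply()` before `smackRules.saveToFile(appPath)` persists them, and nothing in the visible lines undoes the load if the save or the following `updatePackageRules` / `generateAppToOtherPackagesDeps` calls fail. If saveToFile can throw (this file raises `SmackException::FileError` on a file error elsewhere), the application's rules would stay active with no rules file recording them, and uninstallRules, which takes a file path, presumably works from that file. Writing the file first, `smackRules.saveToFile(appPath);` followed by `if (smack_smackfs_path() != NULL) smackRules.apply();`, leaves a record that a later uninstall can act on. updatePackageRules at the end of this hunk has the same apply step and continues outside the hunk, so its ordering should be checked as well.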
@@ -349,13 +326,14 @@ void SmackRules::uninstallPackageRules(const std::string &pkgId)
uninstallRules(getPackageRulesFilePath(pkgId));
}
-void SmackRules::uninstallApplicationRules(const std::string &appId,
- const std::string &pkgId, std::vector<std::string> pkgContents,
- const std::vector<std::string> &appsGranted,
- const std::string &zoneId)
+void SmackRules::uninstallApplicationRules(
+ const std::string &appId,
+ const std::string &pkgId,
+ std::vector<std::string> pkgContents,
+ const std::vector<std::string> &appsGranted)
{
uninstallRules(getApplicationRulesFilePath(appId));
- updatePackageRules(pkgId, pkgContents, appsGranted, zoneId);
+ updatePackageRules(pkgId, pkgContents, appsGranted);
}
void SmackRules::uninstallRules(const std::string &path)
@@ -402,25 +380,25 @@ void SmackRules::fixAuthorRules(const std::string &authorId) {
rules.apply();
}
-void SmackRules::applyPrivateSharingRules(const std::string &ownerPkgId,
- const std::vector<std::string> &ownerPkgContents,
- const std::string &targetAppId,
- const std::string &pathLabel,
- bool isPathSharedAlready,
- bool isTargetSharingAlready,
- const std::string &zoneId)
+void SmackRules::applyPrivateSharingRules(
+ const std::string &ownerPkgId,
+ const std::vector<std::string> &ownerPkgContents,
+ const std::string &targetAppId,
+ const std::string &pathLabel,
+ bool isPathSharedAlready,
+ bool isTargetSharingAlready)
{
SmackRules rules;
- const std::string &targetLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(targetAppId), zoneId);
+ const std::string &targetLabel = SmackLabels::generateAppLabel(targetAppId);
if (!isTargetSharingAlready) {
rules.add(targetLabel,
- zoneSmackLabelGenerate(SmackLabels::generatePkgLabel(ownerPkgId), zoneId),
+ SmackLabels::generatePkgLabel(ownerPkgId),
SMACK_APP_DIR_TARGET_PERMS);
}
if (!isPathSharedAlready) {
for (const auto &app: ownerPkgContents) {
- const std::string appLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(app), zoneId);
+ const std::string appLabel = SmackLabels::generateAppLabel(app);
rules.add(appLabel, pathLabel, SMACK_APP_PATH_OWNER_PERMS);
}
rules.add(SMACK_USER, pathLabel, SMACK_APP_PATH_USER_PERMS);
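Review bot: `const std::string &targetLabel = SmackLabels::generateAppLabel(targetAppId);` in applyPrivateSharingRules binds a reference to what appears to be a temporary, since the same call is assigned to plain `std::string` variables elsewhere in this file. Lifetime extension keeps it valid, but it reads like an alias to storage owned by someone else and would dangle if the helper were ever changed to return a reference to an internal buffer. `const std::string targetLabel = SmackLabels::generateAppLabel(targetAppId);` states the ownership and matches `const std::string appLabel` a few lines further down. dropPrivateSharingRules in the next hunk has the same line; both function bodies continue outside their hunks.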
@@ -430,24 +408,24 @@ void SmackRules::applyPrivateSharingRules(const std::string &ownerPkgId,
rules.apply();
}
-void SmackRules::dropPrivateSharingRules(const std::string &ownerPkgId,
- const std::vector<std::string> &ownerPkgContents,
- const std::string &targetAppId,
- const std::string &pathLabel,
- bool isPathSharedNoMore,
- bool isTargetSharingNoMore,
- const std::string &zoneId)
+void SmackRules::dropPrivateSharingRules(
+ const std::string &ownerPkgId,
+ const std::vector<std::string> &ownerPkgContents,
+ const std::string &targetAppId,
+ const std::string &pathLabel,
+ bool isPathSharedNoMore,
+ bool isTargetSharingNoMore)
{
SmackRules rules;
- const std::string &targetLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(targetAppId), zoneId);
+ const std::string &targetLabel = SmackLabels::generateAppLabel(targetAppId);
if (isTargetSharingNoMore) {
rules.addModify(targetLabel,
- zoneSmackLabelGenerate(SmackLabels::generatePkgLabel(ownerPkgId), zoneId),
+ SmackLabels::generatePkgLabel(ownerPkgId),
"", SMACK_APP_DIR_TARGET_PERMS);
}
if (isPathSharedNoMore) {
for (const auto &app: ownerPkgContents) {
- const std::string appLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(app), zoneId);
+ const std::string appLabel = SmackLabels::generateAppLabel(app);
rules.addModify(appLabel, pathLabel, "", SMACK_APP_PATH_OWNER_PERMS);
}
rules.addModify(SMACK_USER, pathLabel, "", SMACK_APP_PATH_USER_PERMS);
diff --git a/src/common/zone-utils.cpp b/src/common/zone-utils.cpp
deleted file mode 100644
index b3c93c90..00000000
--- a/src/common/zone-utils.cpp
+++ /dev/null
@@ -1,117 +0,0 @@
-/*
- * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Rafal Krypa <r.krypa@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file zone-utils.cpp
- * @author Lukasz Kostyra (l.kostyra@samsung.com)
- * @version 1.0
- * @brief Implementation of Zone utility functions
- */
-
-#include "zone-utils.h"
-
-#include <unistd.h>
-#include <fstream>
-
-#include <dpl/log/log.h>
-
-// FIXME This module is a replacement for Vasum functions.
-// When Vasum will be included into OBS, the module should be replaced with vasum-client.
-
-namespace {
-
-const std::string CPUSET_HOST = "/";
-const std::string CPUSET_LXC_PREFIX = "/lxc/";
-
-} // namespace
-
-namespace SecurityManager
-{
-
-// ZONE_HOST should be visible outside to other modules
-const std::string ZONE_HOST = "host";
-
-bool getZoneIdFromPid(int pid, std::string& zoneId)
-{
- //open /proc/<pid>/cpuset and get its contents
- const std::string path = "/proc/" + std::to_string(pid) + "/cpuset";
-
- //Assume there are no containers if cpuset dosen't present
- if(access(path.c_str(), F_OK)!= 0) {
- zoneId = ZONE_HOST;
- return true;
- }
-
- std::ifstream cpusetFile(path);
- if (!cpusetFile) {
- LogError("Failed to open cpuset");
- return false;
- }
-
- std::string cpuset;
- std::getline(cpusetFile, cpuset);
- cpusetFile.close();
-
- //check if we are in host
- if (cpuset == CPUSET_HOST) {
- zoneId = ZONE_HOST;
- return true;
- }
-
- //in lxc container, cpuset contains "/lxc/<id>" string - try to parse zoneID from there
- //search for lxc prefix
- size_t lxcPrefixPos = cpuset.find(CPUSET_LXC_PREFIX);
- if (lxcPrefixPos == std::string::npos) {
- LogError("LXC prefix not found - probably other virtualization method is used");
- return false;
- }
-
- //assign zone name and leave
- zoneId.assign(cpuset, CPUSET_LXC_PREFIX.size(), cpuset.size() - CPUSET_LXC_PREFIX.size());
- return true;
-}
-
-std::string zoneSmackLabelGenerate(const std::string &label, const std::string &zoneName)
-{
- if (zoneName.empty() || zoneName == ZONE_HOST) {
- return label;
- }
-
- return zoneName + "::" + label;
-}
-
-bool zoneSmackLabelMap(const std::string &hostLabel, const std::string &zoneName,
- const std::string &zoneLabel)
-{
- (void) hostLabel;
- (void) zoneName;
- (void) zoneLabel;
- // FIXME here Vasum should be called and Smack label mapping would commence
-
- return true;
-}
-
-bool zoneSmackLabelUnmap(const std::string &hostLabel, const std::string &zoneName)
-{
- (void) hostLabel;
- (void) zoneName;
- // FIXME here Vasum should be called and label shall be unmapped.
-
- return true;
-}
-
-} // namespace SecurityManager
diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt
index 97eaaaaf..f2d09573 100644
--- a/src/server/CMakeLists.txt
+++ b/src/server/CMakeLists.txt
@@ -4,12 +4,10 @@ PKG_CHECK_MODULES(SERVER_DEP
cynara-client
)
-FIND_PACKAGE(Boost REQUIRED COMPONENTS program_options)
FIND_PACKAGE(Threads REQUIRED)
INCLUDE_DIRECTORIES(SYSTEM
${SERVER_DEP_INCLUDE_DIRS}
- ${Boost_INCLUDE_DIRS}
${Threads_INCLUDE_DIRS}
)
@@ -29,7 +27,6 @@ SET(SERVER_SOURCES
${SERVER_PATH}/main/server-main.cpp
${SERVER_PATH}/service/base-service.cpp
${SERVER_PATH}/service/service.cpp
- ${SERVER_PATH}/service/master-service.cpp
)
ADD_EXECUTABLE(${TARGET_SERVER} ${SERVER_SOURCES})
@@ -42,7 +39,6 @@ TARGET_LINK_LIBRARIES(${TARGET_SERVER}
${TARGET_COMMON}
${CMAKE_THREAD_LIBS_INIT}
${SERVER_DEP_LIBRARIES}
- ${Boost_LIBRARIES}
"-pie"
)
diff --git a/src/server/main/server-main.cpp b/src/server/main/server-main.cpp
index f8e1f713..d80f39ea 100644
--- a/src/server/main/server-main.cpp
+++ b/src/server/main/server-main.cpp
@@ -28,30 +28,25 @@
#include <dpl/singleton.h>
#include <dpl/singleton_safe_impl.h>
-#include <boost/program_options.hpp>
#include <iostream>
#include <socket-manager.h>
#include <file-lock.h>
#include <service.h>
-#include <master-service.h>
-
-namespace po = boost::program_options;
IMPLEMENT_SAFE_SINGLETON(SecurityManager::Log::LogSystem);
-#define REGISTER_SOCKET_SERVICE(manager, service, allocator) \
- registerSocketService<service>(manager, #service, allocator)
+#define REGISTER_SOCKET_SERVICE(manager, service) \
+ registerSocketService<service>(manager, #service)
template<typename T>
bool registerSocketService(SecurityManager::SocketManager &manager,
- const std::string& serviceName,
- const std::function<T*(void)>& serviceAllocator)
+ const std::string& serviceName)
{
T *service = NULL;
try {
- service = serviceAllocator();
+ service = new T();
service->Create();
manager.RegisterSocketService(service);
return true;
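Review bot: `service = new T();` leaves the new service in a raw owning pointer, so whether it is freed when `Create()` or `RegisterSocketService()` throws depends on the handlers after the `try`, which are outside this hunk. Assuming the manager takes ownership on registration, holding it as `std::unique_ptr<T> service(new T());`, registering with `manager.RegisterSocketService(service.get());` and calling `service.release();` only after that call returned would make the hand-over explicit and remove the need for manual cleanup; this needs `<memory>`. registerSocketService continues past the end of the hunk.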
@@ -70,61 +65,14 @@ bool registerSocketService(SecurityManager::SocketManager &manager,
return false;
}
-int main(int argc, char* argv[])
+int main()
{
UNHANDLED_EXCEPTION_HANDLER_BEGIN
{
// initialize logging
SecurityManager::Singleton<SecurityManager::Log::LogSystem>::Instance().SetTag("SECURITY_MANAGER");
- // parse arguments
- bool masterMode = false, slaveMode = false;
- po::options_description optDesc("Allowed options");
-
- optDesc.add_options()
- ("help,h", "Print this help message")
- ("master,m", "Enable master mode")
- ("slave,s", "Enable slave mode")
- ;
-
- po::variables_map vm;
- po::basic_parsed_options<char> parsed =
- po::command_line_parser(argc, argv).options(optDesc).allow_unregistered().run();
-
- std::vector<std::string> unrecognizedOptions =
- po::collect_unrecognized(parsed.options, po::include_positional);
-
- if (!unrecognizedOptions.empty()) {
- std::cerr << "Unrecognized options: ";
-
- for (auto& uo : unrecognizedOptions) {
- std::cerr << ' ' << uo;
- }
-
- std::cerr << std::endl << std::endl;
- std::cerr << optDesc << std::endl;
-
- return EXIT_FAILURE;
- }
-
- po::store(parsed, vm);
- po::notify(vm);
-
- if (vm.count("help")) {
- std::cout << optDesc << std::endl;
- return EXIT_SUCCESS;
- }
-
- masterMode = vm.count("master") > 0;
- slaveMode = vm.count("slave") > 0;
-
- if (masterMode && slaveMode) {
- LogError("Cannot be both master and slave!");
- return EXIT_FAILURE;
- }
-
- SecurityManager::FileLocker serviceLock(SecurityManager::SERVICE_LOCK_FILE,
- true);
+ SecurityManager::FileLocker serviceLock(SecurityManager::SERVICE_LOCK_FILE, true);
sigset_t mask;
sigemptyset(&mask);
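Review bot: With `int main()` the daemon no longer looks at its command line, so an invocation that still passes `--master` or `--slave` (an old unit file or start script) now starts the single-mode service without any diagnostic, where the removed parser at least rejected unrecognised options with EXIT_FAILURE. Keeping `argc` in the signature and refusing to start on leftover arguments, e.g. `if (argc > 1) { LogError("Unexpected command line arguments"); return EXIT_FAILURE; }` after the log tag is set, would keep a stale deployment configuration from going unnoticed. main's body continues outside this hunk.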
@@ -138,18 +86,10 @@ int main(int argc, char* argv[])
LogInfo("Start!");
SecurityManager::SocketManager manager;
- if (masterMode) {
- if (!REGISTER_SOCKET_SERVICE(manager, SecurityManager::MasterService,
- []() { return new SecurityManager::MasterService(); } )) {
- LogError("Unable to create master socket service. Exiting.");
- return EXIT_FAILURE;
- }
- } else {
- if (!REGISTER_SOCKET_SERVICE(manager, SecurityManager::Service,
- [&slaveMode]() { return new SecurityManager::Service(slaveMode); } )) {
- LogError("Unable to create socket service. Exiting.");
- return EXIT_FAILURE;
- }
+ if (!REGISTER_SOCKET_SERVICE(manager, SecurityManager::Service))
+ {
+ LogError("Unable to create socket service. Exiting.");
+ return EXIT_FAILURE;
}
manager.MainLoop();
diff --git a/src/server/service/include/master-service.h b/src/server/service/include/master-service.h
deleted file mode 100644
index 3d630641..00000000
--- a/src/server/service/include/master-service.h
+++ /dev/null
@@ -1,160 +0,0 @@
-/*
- * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Rafal Krypa <r.krypa@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file master-service.h
- * @author Lukasz Kostyra <l.kostyra@samsung.com>
- * @author Rafal Krypa <r.krypa@samsung.com>
- * @brief Implementation of security-manager master service
- */
-
-#ifndef _SECURITY_MANAGER_MASTER_SERVICE_
-#define _SECURITY_MANAGER_MASTER_SERVICE_
-
-#include "base-service.h"
-#include "service_impl.h"
-
-namespace SecurityManager {
-
-class MasterServiceException
-{
-public:
- DECLARE_EXCEPTION_TYPE(SecurityManager::Exception, Base)
- DECLARE_EXCEPTION_TYPE(Base, InvalidAction)
-};
-
-class MasterService :
- public SecurityManager::BaseService
-{
-public:
- MasterService();
- ServiceDescriptionVector GetServiceDescription();
-
-private:
- ServiceImpl serviceImpl;
-
- /**
- * Handle request from a client
- *
- * @param conn Socket connection information
- * @param buffer Raw received data buffer
- * @param interfaceID identifier used to distinguish source socket
- * @return true on success
- */
- bool processOne(const ConnectionID &conn, MessageBuffer &buffer, InterfaceID interfaceID);
-
- /**
- * Process Cynara policy update during app installation/uninstallation
- *
- * @param buffer Raw received data buffer
- * @param send Raw data buffer to be sent
- * @param zoneId ID of zone which requested the call
- */
- void processCynaraUpdatePolicy(MessageBuffer &buffer, MessageBuffer &send,
- const std::string &zoneId);
-
- /**
- * Process Cynara user initialization
- *
- * @param buffer Raw received data buffer
- * @param send Raw data buffer to be sent
- */
- void processCynaraUserInit(MessageBuffer &buffer, MessageBuffer &send);
-
- /**
- * Process Cynara user removal
- *
- * @param buffer Raw received data buffer
- * @param send Raw data buffer to be sent
- */
- void processCynaraUserRemove(MessageBuffer &buffer, MessageBuffer &send);
-
- /**
- * Process policy update
- *
- * @param buffer Raw received data buffer
- * @param send Raw data buffer to be sent
- */
- void processPolicyUpdate(MessageBuffer &buffer, MessageBuffer &send);
-
- /**
- * Process configured policy acquisition
- *
- * @param buffer Raw received data buffer
- * @param send Raw data buffer to be sent
- */
- void processGetConfiguredPolicy(MessageBuffer &buffer, MessageBuffer &send);
-
- /**
- * Process policy acquisition from Master
- *
- * @param buffer Raw received data buffer
- * @param send Raw data buffer to be sent
- */
- // FIXME this function is not yet implemented.
- void processGetPolicy(MessageBuffer &buffer, MessageBuffer &send);
-
- /**
- * Process policy descriptions list acquisition
- *
- * @param send Raw data buffer to be sent
- */
- void processPolicyGetDesc(MessageBuffer &send);
-
- /**
- * Process SMACK rules installation for package. Map rules using Smack Namespaces.
- *
- * @param buffer Raw received data buffer
- * @param send Raw data buffer to be sent
- * @param zoneId ID of zone which requested the call
- */
- void processSmackInstallRules(MessageBuffer &buffer, MessageBuffer &send,
- const std::string &zoneId);
-
- /**
- * Process SMACK rules uninstallation
- *
- * @param buffer Raw received data buffer
- * @param send Raw data buffer to be sent
- * @param zoneId ID of zone which requested the call
- */
- void processSmackUninstallRules(MessageBuffer &buffer, MessageBuffer &send,
- const std::string &zoneId);
-
- /**
- * Process SMACK rules apply private path sharing
- *
- * @param buffer Raw received data buffer
- * @param send Raw data buffer to be sent
- * @param zoneId ID of zone which requested the call
- */
- void processSmackApplySharingRules(MessageBuffer &buffer, MessageBuffer &send,
- const std::string &zoneId);
- /**
- * Process SMACK rules drop private path sharing
- *
- * @param buffer Raw received data buffer
- * @param send Raw data buffer to be sent
- * @param zoneId ID of zone which requested the call
- */
- void processSmackDropSharingRules(MessageBuffer &buffer, MessageBuffer &send,
- const std::string &zoneId);
-};
-
-} // namespace SecurityManager
-
-#endif // _SECURITY_MANAGER_MASTER_SERVICE_
diff --git a/src/server/service/include/service.h b/src/server/service/include/service.h
index 3c23037f..4d851c16 100644
--- a/src/server/service/include/service.h
+++ b/src/server/service/include/service.h
@@ -41,11 +41,10 @@ class Service :
public SecurityManager::BaseService
{
public:
- Service(const bool isSlave);
+ Service();
ServiceDescriptionVector GetServiceDescription();
private:
- const bool m_isSlave;
ServiceImpl serviceImpl;
/**
diff --git a/src/server/service/master-service.cpp b/src/server/service/master-service.cpp
deleted file mode 100644
index d462afa9..00000000
--- a/src/server/service/master-service.cpp
+++ /dev/null
@@ -1,464 +0,0 @@
-/*
- * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Rafal Krypa <r.krypa@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file master-service.cpp
- * @author Lukasz Kostyra <l.kostyra@samsung.com>
- * @author Rafal Krypa <r.krypa@samsung.com>
- * @brief Implementation of security-manager master service.
- */
-
-#include <generic-socket-manager.h>
-
-#include <dpl/log/log.h>
-#include <dpl/serialization.h>
-
-#include "protocols.h"
-#include "zone-utils.h"
-#include "cynara.h"
-#include "master-service.h"
-#include "smack-rules.h"
-#include "smack-labels.h"
-#include "service_impl.h"
-
-namespace SecurityManager {
-
-const InterfaceID IFACE = 1;
-
-MasterService::MasterService()
-{
-}
-
-GenericSocketService::ServiceDescriptionVector MasterService::GetServiceDescription()
-{
- return ServiceDescriptionVector {
- {MASTER_SERVICE_SOCKET, "security-manager-master", IFACE},
- };
-}
-
-bool MasterService::processOne(const ConnectionID &conn, MessageBuffer &buffer,
- InterfaceID interfaceID)
-{
- LogDebug("Iteration begin. Interface = " << interfaceID);
-
- //waiting for all data
- if (!buffer.Ready()) {
- return false;
- }
-
- MessageBuffer send;
- bool retval = false;
-
- uid_t uid;
- pid_t pid;
- std::string smackLabel;
-
- if (!getPeerID(conn.sock, uid, pid, smackLabel)) {
- LogError("Closing socket because of error: unable to get peer's uid and pid");
- m_serviceManager->Close(conn);
- return false;
- }
-
- // FIXME this part needs to be updated when Vasum is added to OBS. See zone-utils.h
- std::string vsmZoneId;
- if (!getZoneIdFromPid(pid, vsmZoneId)) {
- LogError("Failed to extract Zone ID! Closing socket.");
- m_serviceManager->Close(conn);
- return false;
- }
-
- if (vsmZoneId == ZONE_HOST) {
- LogError("Connection came from host - in master mode this should not happen! Closing.");
- m_serviceManager->Close(conn);
- return false;
- }
-
- LogInfo("Connection came from Zone " << vsmZoneId);
-
- if (IFACE == interfaceID) {
- Try {
- // deserialize API call type
- int call_type_int;
- Deserialization::Deserialize(buffer, call_type_int);
- MasterSecurityModuleCall call_type = static_cast<MasterSecurityModuleCall>(call_type_int);
-
- switch (call_type) {
- case MasterSecurityModuleCall::CYNARA_UPDATE_POLICY:
- LogDebug("call type MasterSecurityModuleCall::CYNARA_UPDATE_POLICY");
- processCynaraUpdatePolicy(buffer, send, vsmZoneId);
- break;
- case MasterSecurityModuleCall::CYNARA_USER_INIT:
- LogDebug("call type MasterSecurityModuleCall::CYNARA_USER_INIT");
- processCynaraUserInit(buffer, send);
- break;
- case MasterSecurityModuleCall::CYNARA_USER_REMOVE:
- LogDebug("call type MasterSecurityModuleCall::CYNARA_USER_REMOVE");
- processCynaraUserRemove(buffer, send);
- break;
- case MasterSecurityModuleCall::POLICY_UPDATE:
- LogDebug("call type MasterSecurityModuleCall::POLICY_UPDATE");
- processPolicyUpdate(buffer, send);
- break;
- case MasterSecurityModuleCall::GET_CONFIGURED_POLICY:
- LogDebug("call type MasterSecurityModuleCall::GET_CONFIGURED_POLICY");
- processGetConfiguredPolicy(buffer, send);
- break;
- case MasterSecurityModuleCall::GET_POLICY:
- LogDebug("call type MasterSecurityModuleCall::GET_POLICY");
- processGetPolicy(buffer, send);
- break;
- case MasterSecurityModuleCall::POLICY_GET_DESC:
- LogDebug("call type MasterSecurityModuleCall::POLICY_GET_DESC");
- processPolicyGetDesc(send);
- break;
- case MasterSecurityModuleCall::SMACK_INSTALL_RULES:
- LogDebug("call type MasterSecurityModuleCall::SMACK_INSTALL_RULES");
- processSmackInstallRules(buffer, send, vsmZoneId);
- break;
- case MasterSecurityModuleCall::SMACK_UNINSTALL_RULES:
- LogDebug("call type MasterSecurityModuleCall::SMACK_UNINSTALL_RULES");
- processSmackUninstallRules(buffer, send, vsmZoneId);
- break;
- case MasterSecurityModuleCall::SMACK_APPLY_PRIVATE_SHARING_RULES:
- processSmackApplySharingRules(buffer, send, vsmZoneId);
- break;
- case MasterSecurityModuleCall::SMACK_DROP_PRIVATE_SHARING_RULES:
- processSmackDropSharingRules(buffer, send, vsmZoneId);
- break;
- default:
- LogError("Invalid call: " << call_type_int);
- Throw(MasterServiceException::InvalidAction);
- }
- // if we reach this point, the protocol is OK
- retval = true;
- } Catch (MessageBuffer::Exception::Base) {
- LogError("Broken protocol.");
- } Catch (MasterServiceException::Base) {
- LogError("Broken protocol.");
- } catch (const std::exception &e) {
- LogError("STD exception " << e.what());
- } catch (...) {
- LogError("Unknown exception");
- }
- }
- else {
- LogError("Wrong interface");
- }
-
- if (retval) {
- //send response
- m_serviceManager->Write(conn, send.Pop());
- } else {
- LogError("Closing socket because of error");
- m_serviceManager->Close(conn);
- }
-
- return retval;
-}
-
-void MasterService::processCynaraUpdatePolicy(MessageBuffer &buffer, MessageBuffer &send,
- const std::string &zoneId)
-{
- int ret = SECURITY_MANAGER_API_ERROR_SERVER_ERROR;
- std::string appId;
- std::string uidstr;
- std::string appLabel;
- std::vector<std::string> privileges;
-
- Deserialization::Deserialize(buffer, appId);
- Deserialization::Deserialize(buffer, uidstr);
- Deserialization::Deserialize(buffer, privileges);
-
- appLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(appId), zoneId);
-
- try {
- CynaraAdmin::getInstance().UpdateAppPolicy(appLabel, uidstr, privileges);
- } catch (const CynaraException::Base &e) {
- LogError("Error while setting Cynara rules for application: " << e.DumpToString());
- goto out;
- } catch (const std::bad_alloc &e) {
- LogError("Memory allocation while setting Cynara rules for application: " << e.what());
- ret = SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY;
- goto out;
- }
-
- ret = SECURITY_MANAGER_API_SUCCESS;
-
-out:
- Serialization::Serialize(send, ret);
-}
-
-void MasterService::processCynaraUserInit(MessageBuffer &buffer, MessageBuffer &send)
-{
- int ret = SECURITY_MANAGER_API_ERROR_INPUT_PARAM;
- uid_t uidAdded;
- int userType;
-
- Deserialization::Deserialize(buffer, uidAdded);
- Deserialization::Deserialize(buffer, userType);
-
- try {
- CynaraAdmin::getInstance().UserInit(uidAdded,
- static_cast<security_manager_user_type>(userType));
- } catch (CynaraException::InvalidParam &e) {
- goto out;
- }
-
- ret = SECURITY_MANAGER_API_SUCCESS;
-out:
- Serialization::Serialize(send, ret);
-}
-
-void MasterService::processCynaraUserRemove(MessageBuffer &buffer, MessageBuffer &send)
-{
- int ret = SECURITY_MANAGER_API_ERROR_INPUT_PARAM;
- uid_t uidDeleted;
-
- Deserialization::Deserialize(buffer, uidDeleted);
-
- try {
- CynaraAdmin::getInstance().UserRemove(uidDeleted);
- } catch (CynaraException::InvalidParam &e) {
- goto out;
- }
-
- ret = SECURITY_MANAGER_API_SUCCESS;
-out:
- Serialization::Serialize(send, ret);
-}
-
-void MasterService::processPolicyUpdate(MessageBuffer &buffer, MessageBuffer &send)
-{
- int ret = SECURITY_MANAGER_API_ERROR_SERVER_ERROR;
- std::vector<policy_entry> policyEntries;
- uid_t uid;
- pid_t pid;
- std::string smackLabel;
-
- Deserialization::Deserialize(buffer, policyEntries);
- Deserialization::Deserialize(buffer, uid);
- Deserialization::Deserialize(buffer, pid);
- Deserialization::Deserialize(buffer, smackLabel);
-
- ret = serviceImpl.policyUpdate(policyEntries, uid, pid, smackLabel);
- Serialization::Serialize(send, ret);
-}
-
-void MasterService::processGetConfiguredPolicy(MessageBuffer &buffer, MessageBuffer &send)
-{
- int ret = SECURITY_MANAGER_API_ERROR_SERVER_ERROR;
- bool forAdmin;
- policy_entry filter;
- uid_t uid;
- pid_t pid;
- std::string smackLabel;
- std::vector<policy_entry> policyEntries;
-
- Deserialization::Deserialize(buffer, forAdmin);
- Deserialization::Deserialize(buffer, filter);
- Deserialization::Deserialize(buffer, uid);
- Deserialization::Deserialize(buffer, pid);
- Deserialization::Deserialize(buffer, smackLabel);
-
- ret = serviceImpl.getConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel, policyEntries);
- Serialization::Serialize(send, ret);
- if (ret == SECURITY_MANAGER_API_SUCCESS)
- Serialization::Serialize(send, policyEntries);
-}
-
-void MasterService::processGetPolicy(MessageBuffer &buffer, MessageBuffer &send)
-{
- (void) buffer;
- int ret = SECURITY_MANAGER_API_ERROR_BAD_REQUEST;
-
- // FIXME getPolicy is not ready to work in Master mode. Uncomment below code when getPolicy will
- // be implemented for Master.
- /*
- policy_entry filter;
- uid_t uid;
- pid_t pid;
- std::string smackLabel;
- std::vector<policy_entry> policyEntries;
-
- Deserialization::Deserialize(buffer, filter);
- Deserialization::Deserialize(buffer, uid);
- Deserialization::Deserialize(buffer, pid);
- Deserialization::Deserialize(buffer, smackLabel);
-
- ret = serviceImpl.getPolicy(filter, uid, pid, smackLabel, policyEntries);*/
- Serialization::Serialize(send, ret);
- /*if (ret == SECURITY_MANAGER_API_SUCCESS)
- Serialization::Serialize(send, policyEntries);*/
-}
-
-void MasterService::processPolicyGetDesc(MessageBuffer &send)
-{
- int ret = SECURITY_MANAGER_API_ERROR_SERVER_ERROR;
- std::vector<std::string> descriptions;
-
- ret = serviceImpl.policyGetDesc(descriptions);
- Serialization::Serialize(send, ret);
- if (ret == SECURITY_MANAGER_API_SUCCESS)
- Serialization::Serialize(send, descriptions);
-}
-
-void MasterService::processSmackInstallRules(MessageBuffer &buffer, MessageBuffer &send,
- const std::string &zoneId)
-{
- int ret = SECURITY_MANAGER_API_ERROR_SERVER_ERROR;
- std::string appId, pkgId, authorId;
- std::vector<std::string> pkgContents, appsGranted, accessPackages;
-
- Deserialization::Deserialize(buffer, appId);
- Deserialization::Deserialize(buffer, pkgId);
- Deserialization::Deserialize(buffer, authorId);
- Deserialization::Deserialize(buffer, pkgContents);
- Deserialization::Deserialize(buffer, appsGranted);
- Deserialization::Deserialize(buffer, accessPackages);
-
- try {
- LogDebug("Adding Smack rules for new appId: " << appId << " with pkgId: "
- << pkgId << ". Applications in package: " << pkgContents.size()
- << ". Other Tizen 2.X applications: " << appsGranted.size());
-
- SmackRules::installApplicationRules(appId, pkgId, authorId, pkgContents, appsGranted, accessPackages, zoneId);
-
- // FIXME implement zoneSmackLabelMap and check if works when Smack Namespaces are implemented
- std::string zoneAppLabel = SmackLabels::generateAppLabel(appId);
- std::string zonePkgLabel = SmackLabels::generatePkgLabel(pkgId);
- std::string hostAppLabel = zoneSmackLabelGenerate(zoneAppLabel, zoneId);
- std::string hostPkgLabel = zoneSmackLabelGenerate(zonePkgLabel, zoneId);
-
- if (!zoneSmackLabelMap(hostAppLabel, zoneId, zoneAppLabel)) {
- LogError("Failed to apply Smack label mapping for application " << appId);
- goto out;
- }
-
- if (!zoneSmackLabelMap(hostPkgLabel, zoneId, zonePkgLabel)) {
- LogError("Failed to apply Smack label mapping for package " << pkgId);
- goto out;
- }
- } catch (const SmackException::Base &e) {
- LogError("Error while adding Smack rules for application: " << e.DumpToString());
- ret = SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED;
- goto out;
- } catch (const std::bad_alloc &e) {
- LogError("Memory allocation error: " << e.what());
- ret = SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY;
- goto out;
- }
-
- ret = SECURITY_MANAGER_API_SUCCESS;
-out:
- Serialization::Serialize(send, ret);
-}
-
-void MasterService::processSmackUninstallRules(MessageBuffer &buffer, MessageBuffer &send,
- const std::string &zoneId)
-{
- std::string appId, pkgId;
- std::vector<std::string> pkgContents, appsGranted;
- bool removeApp = false;
- bool removePkg = false;
-
- Deserialization::Deserialize(buffer, appId);
- Deserialization::Deserialize(buffer, pkgId);
- Deserialization::Deserialize(buffer, pkgContents);
- Deserialization::Deserialize(buffer, appsGranted);
- Deserialization::Deserialize(buffer, removeApp);
- Deserialization::Deserialize(buffer, removePkg);
-
- try {
- if (removeApp) {
- LogDebug("Removing smack rules for deleted appId " << appId);
- SmackRules::uninstallApplicationRules(appId, pkgId, pkgContents, appsGranted, zoneId);
-
- std::string zoneAppLabel = SmackLabels::generateAppLabel(appId);
- std::string hostAppLabel = zoneSmackLabelGenerate(zoneAppLabel, zoneId);
- // FIXME zoneSmackLabelUnmap should throw exception on error, not return false
- // FIXME implement zoneSmackLabelUnmap and check if works when Smack Namespaces are implemented
- if (!zoneSmackLabelUnmap(hostAppLabel, zoneId)) {
- LogError("Failed to unmap Smack labels for application " << appId);
- Serialization::Serialize(send, SECURITY_MANAGER_API_ERROR_SERVER_ERROR);
- return;
- }
- }
-
- if (removePkg) {
- LogDebug("Removing Smack rules for deleted pkgId " << pkgId);
- SmackRules::uninstallPackageRules(pkgId);
-
- std::string zonePkgLabel = SmackLabels::generatePkgLabel(pkgId);
- std::string hostPkgLabel = zoneSmackLabelGenerate(zonePkgLabel, zoneId);
- if (!zoneSmackLabelUnmap(hostPkgLabel, zoneId)) {
- LogError("Failed to unmap Smack label for package " << pkgId);
- Serialization::Serialize(send, SECURITY_MANAGER_API_ERROR_SERVER_ERROR);
- return;
- }
- }
- } catch (const SmackException::Base &e) {
- LogError("Error while removing Smack rules for application: " << e.DumpToString());
- Serialization::Serialize(send, SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED);
- return;
- } catch (const std::bad_alloc &e) {
- LogError("Memory allocation error: " << e.what());
- Serialization::Serialize(send, SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY);
- return;
- }
-
- Serialization::Serialize(send, SECURITY_MANAGER_API_SUCCESS);
-}
-
-void MasterService::processSmackApplySharingRules(MessageBuffer &buffer, MessageBuffer &send,
- const std::string &zoneId)
-{
- std::string ownerPkgId, targetAppId, path;
- std::vector<std::string> pkgContents;
- int ownerTargetCount, pathCount;
-
- Deserialization::Deserialize(buffer, ownerPkgId);
- Deserialization::Deserialize(buffer, pkgContents);
- Deserialization::Deserialize(buffer, targetAppId);
- Deserialization::Deserialize(buffer, path);
- Deserialization::Deserialize(buffer, ownerTargetCount);
- Deserialization::Deserialize(buffer, pathCount);
-
- (void)zoneId;
-
- Serialization::Serialize(send, SECURITY_MANAGER_API_SUCCESS);
-}
-
-void MasterService::processSmackDropSharingRules(MessageBuffer &buffer, MessageBuffer &send,
- const std::string &zoneId)
-{
- std::string ownerPkgId, targetAppId, path;
- std::vector<std::string> pkgContents;
- int ownerTargetCount, pathCount;
-
- Deserialization::Deserialize(buffer, ownerPkgId);
- Deserialization::Deserialize(buffer, pkgContents);
- Deserialization::Deserialize(buffer, targetAppId);
- Deserialization::Deserialize(buffer, path);
- Deserialization::Deserialize(buffer, ownerTargetCount);
- Deserialization::Deserialize(buffer, pathCount);
-
- (void)zoneId;
-
- Serialization::Serialize(send, SECURITY_MANAGER_API_SUCCESS);
-}
-
-} // namespace SecurityManager
diff --git a/src/server/service/service.cpp b/src/server/service/service.cpp
index 58a975cb..aa9424b4 100644
--- a/src/server/service/service.cpp
+++ b/src/server/service/service.cpp
@@ -33,35 +33,22 @@
#include "protocols.h"
#include "service.h"
#include "service_impl.h"
-#include "master-req.h"
namespace SecurityManager {
const InterfaceID IFACE = 1;
-Service::Service(const bool isSlave):
- m_isSlave(isSlave)
-{
-}
+Service::Service(){}
GenericSocketService::ServiceDescriptionVector Service::GetServiceDescription()
{
- if (m_isSlave)
- return ServiceDescriptionVector {
- {SLAVE_SERVICE_SOCKET, /* path */
- "*", /* smackLabel label (not used, we rely on systemd) */
- IFACE, /* InterfaceID */
- false, /* useSendMsg */
- true}, /* systemdOnly */
- };
- else
- return ServiceDescriptionVector {
- {SERVICE_SOCKET, /* path */
- "*", /* smackLabel label (not used, we rely on systemd) */
- IFACE, /* InterfaceID */
- false, /* useSendMsg */
- true}, /* systemdOnly */
- };
+ return ServiceDescriptionVector {
+ {SERVICE_SOCKET, /* path */
+ "*", /* smackLabel label (not used, we rely on systemd) */
+ IFACE, /* InterfaceID */
+ false, /* useSendMsg */
+ true}, /* systemdOnly */
+ };
}
bool Service::processOne(const ConnectionID &conn, MessageBuffer &buffer,
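Review bot: `Service::Service(){}` keeps an empty user-provided constructor now that `m_isSlave` is gone; `Service() = default;` in service.h (changed by this commit but not shown here), or no declaration at all if nothing else requires one, would say the same thing. In `GetServiceDescription()` the one remaining descriptor still passes `"*"` with `systemdOnly` set to true, so per the inline comment the label is unused and access to `SERVICE_SOCKET` is decided by the systemd socket unit. Assuming `SERVICE_SOCKET` is the path that security-manager.socket listens on, a comment above the return such as `// Socket comes from security-manager.socket; the "*" label below is not applied.` would keep that dependency visible to whoever edits the unit file next.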
@@ -188,7 +175,7 @@ void Service::processAppInstall(MessageBuffer &buffer, MessageBuffer &send, uid_
Deserialization::Deserialize(buffer, req.uid);
Deserialization::Deserialize(buffer, req.tizenVersion);
Deserialization::Deserialize(buffer, req.authorId);
- Serialization::Serialize(send, serviceImpl.appInstall(req, uid, m_isSlave));
+ Serialization::Serialize(send, serviceImpl.appInstall(req, uid));
}
void Service::processAppUninstall(MessageBuffer &buffer, MessageBuffer &send, uid_t uid)
@@ -196,7 +183,7 @@ void Service::processAppUninstall(MessageBuffer &buffer, MessageBuffer &send, ui
std::string appId;
Deserialization::Deserialize(buffer, appId);
- Serialization::Serialize(send, serviceImpl.appUninstall(appId, uid, m_isSlave));
+ Serialization::Serialize(send, serviceImpl.appUninstall(appId, uid));
}
void Service::processGetPkgId(MessageBuffer &buffer, MessageBuffer &send)
@@ -219,7 +206,7 @@ void Service::processGetAppGroups(MessageBuffer &buffer, MessageBuffer &send, ui
int ret;
Deserialization::Deserialize(buffer, appId);
- ret = serviceImpl.getAppGroups(appId, uid, pid, m_isSlave, gids);
+ ret = serviceImpl.getAppGroups(appId, uid, pid, gids);
Serialization::Serialize(send, ret);
if (ret == SECURITY_MANAGER_API_SUCCESS) {
Serialization::Serialize(send, static_cast<int>(gids.size()));
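Review bot: `int ret;` is declared without a value and only assigned after the `Deserialize` call, although nothing in between reads it; `int ret = serviceImpl.getAppGroups(appId, uid, pid, gids);` at the call site removes the uninitialised window and matches what processAppHasPrivilege already does. processPolicyGetDesc has the same shape now that its `m_isSlave` branch is removed and can become `int ret = serviceImpl.policyGetDesc(descriptions);`. Both functions start before and continue after their hunks, so this assumes `ret` is not used anywhere outside the visible lines before the call.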
@@ -238,7 +225,7 @@ void Service::processUserAdd(MessageBuffer &buffer, MessageBuffer &send, uid_t u
Deserialization::Deserialize(buffer, uidAdded);
Deserialization::Deserialize(buffer, userType);
- ret = serviceImpl.userAdd(uidAdded, userType, uid, m_isSlave);
+ ret = serviceImpl.userAdd(uidAdded, userType, uid);
Serialization::Serialize(send, ret);
}
@@ -249,7 +236,7 @@ void Service::processUserDelete(MessageBuffer &buffer, MessageBuffer &send, uid_
Deserialization::Deserialize(buffer, uidRemoved);
- ret = serviceImpl.userDelete(uidRemoved, uid, m_isSlave);
+ ret = serviceImpl.userDelete(uidRemoved, uid);
Serialization::Serialize(send, ret);
}
@@ -260,11 +247,7 @@ void Service::processPolicyUpdate(MessageBuffer &buffer, MessageBuffer &send, ui
Deserialization::Deserialize(buffer, policyEntries);
- if (m_isSlave) {
- ret = MasterReq::PolicyUpdate(policyEntries, uid, pid, smackLabel);
- } else {
- ret = serviceImpl.policyUpdate(policyEntries, uid, pid, smackLabel);
- }
+ ret = serviceImpl.policyUpdate(policyEntries, uid, pid, smackLabel);
Serialization::Serialize(send, ret);
}
@@ -275,12 +258,7 @@ void Service::processGetConfiguredPolicy(MessageBuffer &buffer, MessageBuffer &s
Deserialization::Deserialize(buffer, filter);
std::vector<policy_entry> policyEntries;
- if (m_isSlave) {
- ret = MasterReq::GetConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel, policyEntries);
- } else {
- ret = serviceImpl.getConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel,
- policyEntries);
- }
+ ret = serviceImpl.getConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel, policyEntries);
Serialization::Serialize(send, ret);
Serialization::Serialize(send, static_cast<int>(policyEntries.size()));
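Review bot: The reply in processGetConfiguredPolicy writes `policyEntries.size()` right after `ret` with no success check, whereas processGetAppGroups and processPolicyGetDesc serialize their payload only under `if (ret == SECURITY_MANAGER_API_SUCCESS)`. If `getConfiguredPolicy` can return an error after partly filling `policyEntries`, the caller would still be sent those entries; whether it can is not visible here, and the function continues past the hunk. processGetPolicy in the next hunk has the same two lines. Either put the count and the entries under the same success check (the client-side reader would have to change with it), or, if the protocol really expects the count on every reply, say so with a comment such as `// count is part of every reply, including errors`.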
@@ -296,11 +274,7 @@ void Service::processGetPolicy(MessageBuffer &buffer, MessageBuffer &send, uid_t
Deserialization::Deserialize(buffer, filter);
std::vector<policy_entry> policyEntries;
- if (m_isSlave) {
- ret = MasterReq::GetPolicy(filter, uid, pid, smackLabel, policyEntries);
- } else {
- ret = serviceImpl.getPolicy(filter, uid, pid, smackLabel, policyEntries);
- }
+ ret = serviceImpl.getPolicy(filter, uid, pid, smackLabel, policyEntries);
Serialization::Serialize(send, ret);
Serialization::Serialize(send, static_cast<int>(policyEntries.size()));
@@ -314,11 +288,8 @@ void Service::processPolicyGetDesc(MessageBuffer &send)
int ret;
std::vector<std::string> descriptions;
- if (m_isSlave) {
- ret = MasterReq::PolicyGetDesc(descriptions);
- } else {
- ret = serviceImpl.policyGetDesc(descriptions);
- }
+ ret = serviceImpl.policyGetDesc(descriptions);
+
Serialization::Serialize(send, ret);
if (ret == SECURITY_MANAGER_API_SUCCESS) {
Serialization::Serialize(send, static_cast<int>(descriptions.size()));
@@ -351,7 +322,7 @@ void Service::processAppHasPrivilege(MessageBuffer &recv, MessageBuffer &send)
Deserialization::Deserialize(recv, uid);
bool result;
- int ret = serviceImpl.appHasPrivilege(appId, privilege, uid, m_isSlave, result);
+ int ret = serviceImpl.appHasPrivilege(appId, privilege, uid, result);
Serialization::Serialize(send, ret);
if (ret == SECURITY_MANAGER_API_SUCCESS)
@@ -365,7 +336,7 @@ void Service::processApplyPrivateSharing(MessageBuffer &recv, MessageBuffer &sen
Deserialization::Deserialize(recv, ownerAppId);
Deserialization::Deserialize(recv, targetAppId);
Deserialization::Deserialize(recv, paths);
- int ret = serviceImpl.applyPrivatePathSharing(ownerAppId, targetAppId, paths, m_isSlave);
+ int ret = serviceImpl.applyPrivatePathSharing(ownerAppId, targetAppId, paths);
Serialization::Serialize(send, ret);
}
@@ -376,7 +347,7 @@ void Service::processDropPrivateSharing(MessageBuffer &recv, MessageBuffer &send
Deserialization::Deserialize(recv, ownerAppId);
Deserialization::Deserialize(recv, targetAppId);
Deserialization::Deserialize(recv, paths);
- int ret = serviceImpl.dropPrivatePathSharing(ownerAppId, targetAppId, paths, m_isSlave);
+ int ret = serviceImpl.dropPrivatePathSharing(ownerAppId, targetAppId, paths);
Serialization::Serialize(send, ret);
}
} // namespace SecurityManager
diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
index 9da2f17a..2d14d5f8 100644
--- a/systemd/CMakeLists.txt
+++ b/systemd/CMakeLists.txt
@@ -1,15 +1,9 @@
CONFIGURE_FILE(security-manager.service.in security-manager.service @ONLY)
-CONFIGURE_FILE(security-manager-master.service.in security-manager-master.service @ONLY)
-CONFIGURE_FILE(security-manager-slave.service.in security-manager-slave.service @ONLY)
CONFIGURE_FILE(security-manager-cleanup.service.in security-manager-cleanup.service @ONLY)
INSTALL(FILES
security-manager.service
security-manager.socket
- security-manager-master.service
- security-manager-master.socket
- security-manager-slave.service
- security-manager-slave.socket
security-manager-cleanup.service
DESTINATION
${SYSTEMD_INSTALL_DIR}
diff --git a/systemd/security-manager-master.service.in b/systemd/security-manager-master.service.in
deleted file mode 100644
index ef14a573..00000000
--- a/systemd/security-manager-master.service.in
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=Start the security manager master
-ConditionVirtualization=!lxc
-ConditionPathExists=/usr/share/.zones/enabled
-
-[Service]
-Type=notify
-ExecStart=@BIN_INSTALL_DIR@/security-manager --master
-
-Sockets=security-manager-master.socket
diff --git a/systemd/security-manager-master.socket b/systemd/security-manager-master.socket
deleted file mode 100644
index d41eae0f..00000000
--- a/systemd/security-manager-master.socket
+++ /dev/null
@@ -1,13 +0,0 @@
-[Socket]
-ListenStream=/run/security-manager-master.socket
-SocketMode=0700
-SmackLabelIPIn=System
-SmackLabelIPOut=System
-Service=security-manager-master.service
-
-[Unit]
-ConditionVirtualization=!lxc
-ConditionPathExists=/usr/share/.zones/enabled
-
-[Install]
-WantedBy=sockets.target
diff --git a/systemd/security-manager-slave.service.in b/systemd/security-manager-slave.service.in
deleted file mode 100644
index 6eb7505f..00000000
--- a/systemd/security-manager-slave.service.in
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Start the security manager slave
-ConditionVirtualization=lxc
-
-[Service]
-Type=notify
-ExecStart=@BIN_INSTALL_DIR@/security-manager --slave
-
-Sockets=security-manager-slave.socket
diff --git a/systemd/security-manager-slave.socket b/systemd/security-manager-slave.socket
deleted file mode 100644
index 8d0a2c6b..00000000
--- a/systemd/security-manager-slave.socket
+++ /dev/null
@@ -1,10 +0,0 @@
-[Socket]
-ListenStream=/run/security-manager-slave.socket
-Symlinks=/run/security-manager.socket
-SocketMode=0777
-SmackLabelIPIn=*
-SmackLabelIPOut=@
-Service=security-manager-slave.service
-
-[Unit]
-ConditionVirtualization=lxc
diff --git a/systemd/security-manager.service.in b/systemd/security-manager.service.in
index f15ab90b..23fd1b28 100644
--- a/systemd/security-manager.service.in
+++ b/systemd/security-manager.service.in
@@ -1,7 +1,5 @@
[Unit]
Description=Start the security manager
-ConditionVirtualization=!lxc
-ConditionPathExists=!/usr/share/.zones/enabled
[Service]
Type=notify
diff --git a/systemd/security-manager.socket b/systemd/security-manager.socket
index 95411e82..af1c1dab 100644
--- a/systemd/security-manager.socket
+++ b/systemd/security-manager.socket
@@ -7,9 +7,5 @@ SmackLabelIPOut=@
# TODO: move to separate systemd service
Service=security-manager.service
-[Unit]
-ConditionVirtualization=!lxc
-ConditionPathExists=!/usr/share/.zones/enabled
-
[Install]
WantedBy=sockets.target