author | Bartlomiej Grzelewski <b.grzelewski@samsung.com> | 2016-02-04 16:38:37 +0100 |
---|---|---|
committer | Bartlomiej Grzelewski <b.grzelewski@samsung.com> | 2016-02-16 12:35:49 +0100 |
commit | eb3625009f2c5ed45c4eda13ce712b599843b782 (patch) | |
tree | 17f19acbbb102cc7cf468dd675c34cccaaeb9498 | |
parent | 7792f9f89d5e78b55ae6818dd3960b291c6a1c61 (diff) | |
Remove master and slave mode.
Change-Id: Ia02b2ba10deef665eea203a0147cce301d46db8c
28 files changed, 192 insertions, 1852 deletions
diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec index 92261a53..4306b4f5 100644 --- a/packaging/security-manager.spec +++ b/packaging/security-manager.spec @@ -89,8 +89,6 @@ cp LICENSE %{buildroot}%{_datadir}/license/libsecurity-manager-client mkdir -p %{buildroot}/%{_unitdir}/sockets.target.wants mkdir -p %{buildroot}/%{_unitdir}/sysinit.target.wants ln -s ../security-manager.socket %{buildroot}/%{_unitdir}/sockets.target.wants/security-manager.socket -ln -s ../security-manager-master.socket %{buildroot}/%{_unitdir}/sockets.target.wants/security-manager-master.socket -ln -s ../security-manager-slave.socket %{buildroot}/%{_unitdir}/sockets.target.wants/security-manager-slave.socket ln -s ../security-manager-cleanup.service %{buildroot}/%{_unitdir}/sysinit.target.wants/security-manager-cleanup.service %clean @@ -142,12 +140,8 @@ fi %{_libdir}/libsecurity-manager-commons.so.* %attr(-,root,root) %{_unitdir}/security-manager.* -%attr(-,root,root) %{_unitdir}/security-manager-master.* -%attr(-,root,root) %{_unitdir}/security-manager-slave.* %attr(-,root,root) %{_unitdir}/security-manager-cleanup.* %attr(-,root,root) %{_unitdir}/sockets.target.wants/security-manager.* -%attr(-,root,root) %{_unitdir}/sockets.target.wants/security-manager-master.* -%attr(-,root,root) %{_unitdir}/sockets.target.wants/security-manager-slave.* %attr(-,root,root) %{_unitdir}/sysinit.target.wants/security-manager-cleanup.* %config(noreplace) %attr(0600,root,root) %{TZ_SYS_DB}/.security-manager.db %config(noreplace) %attr(0600,root,root) %{TZ_SYS_DB}/.security-manager.db-journal diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp index dc273da2..a5fdfdf7 100644 --- a/src/client/client-security-manager.cpp +++ b/src/client/client-security-manager.cpp @@ -47,7 +47,6 @@ #include <protocols.h> #include <service_impl.h> #include <connection.h> -#include <zone-utils.h> #include <security-manager.h> #include <client-offline.h> 
@@ -192,7 +191,7 @@ int security_manager_app_install(const app_inst_req *p_req) int retval; ClientOffline offlineMode; if (offlineMode.isOffline()) { - retval = SecurityManager::ServiceImpl().appInstall(*p_req, geteuid(), false); + retval = SecurityManager::ServiceImpl().appInstall(*p_req, geteuid()); } else { MessageBuffer send, recv; @@ -392,18 +391,8 @@ int security_manager_set_process_label_from_appid(const char *app_id) if (smack_smackfs_path() == NULL) return SECURITY_MANAGER_SUCCESS; - // FIXME Below modifications related to zones are temporary. Remove when Smack Namespaces - // are implemented. - std::string zoneId; - if (!getZoneIdFromPid(getpid(), zoneId)) { - LogError("Failed to get ID of zone"); - return SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE; - } - try { - appLabel = SecurityManager::zoneSmackLabelGenerate( - SecurityManager::SmackLabels::generateAppLabel(app_id), zoneId); - + appLabel = SecurityManager::SmackLabels::generateAppLabel(app_id); } catch (...) { LogError("Failed to generate smack label for appId: " << app_id); return SECURITY_MANAGER_API_ERROR_NO_SUCH_OBJECT; @@ -603,8 +592,7 @@ int security_manager_user_add(const user_req *p_req) int retval; ClientOffline offlineMode; if (offlineMode.isOffline()) { - retval = SecurityManager::ServiceImpl().userAdd(p_req->uid, p_req->utype, geteuid(), - false); + retval = SecurityManager::ServiceImpl().userAdd(p_req->uid, p_req->utype, geteuid()); } else { MessageBuffer send, recv; //server is working diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt index b718e2f8..3a9d3c90 100644 --- a/src/common/CMakeLists.txt +++ b/src/common/CMakeLists.txt 
@@ -48,13 +48,11 @@ SET(COMMON_SOURCES ${COMMON_PATH}/file-lock.cpp ${COMMON_PATH}/protocols.cpp ${COMMON_PATH}/message-buffer.cpp - ${COMMON_PATH}/master-req.cpp ${COMMON_PATH}/privilege_db.cpp ${COMMON_PATH}/smack-labels.cpp ${COMMON_PATH}/smack-rules.cpp ${COMMON_PATH}/smack-check.cpp ${COMMON_PATH}/service_impl.cpp - ${COMMON_PATH}/zone-utils.cpp ) ADD_LIBRARY(${TARGET_COMMON} SHARED ${COMMON_SOURCES}) diff --git a/src/common/include/master-req.h b/src/common/include/master-req.h deleted file mode 100644 index 8cbf7591..00000000 --- a/src/common/include/master-req.h +++ /dev/null 
@@ -1,193 +0,0 @@ -/* - * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Rafal Krypa <r.krypa@samsung.com> - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ - -/* - * @file master-req.h - * @author Lukasz Kostyra <l.kostyra@samsung.com> - * @brief Master request calls declaration - */ - -#ifndef _SECURITY_MANAGER_MASTER_REQ_ -#define _SECURITY_MANAGER_MASTER_REQ_ - -#include <string> -#include <vector> - -#include "protocols.h" - - -namespace SecurityManager { -namespace MasterReq { - -/** - * Forwards Cynara Policy Update request to Master Service. - * - * @param[in] appID Application ID - * @param[in] uidstr String containing user identifier - * @param[in] privileges Currently enabled privileges for the application - * - * @see CynaraAdmin::UpdateAppPolicy - */ -int CynaraPolicyUpdate(const std::string &appId, const std::string &uidstr, - const std::vector<std::string> &privileges); - -/** - * Forwards Cynara user initialization to Master service. - * - * @param[in] uidAdded New user UID - * @param[in] userType Type of user, enumerated in security-manager.h - * @return API return code, as defined in protocols.h - * - * @see CynaraAdmin::UserInit - */ -int CynaraUserInit(const uid_t uidAdded, int userType); - -/** - * Forwards Cynara user removal to Master service. 
- * - * @param[in] uidDeleted Removed user UID - * @return API return code, as defined in protocols.h - * - * @see CynaraAdmin::UserRemove - */ -int CynaraUserRemove(const uid_t uidDeleted); - -/** - * Forwards SMACK rule installation to Master service. - * - * @param[in] appId ID of application being removed - * @param[in] pkgId ID of package being removed - * @param[in] authorId ID for author. - * @param[in] pkgContents list of all applications in the package - * @param[in] appsGranted list of 2.x apps granted access - * @param[in] accessPackages list of 2.x packages to be accessed - * @return API return code, as defined in protocols.h - * - * @see SmackRules::installApplicationRules - */ -int SmackInstallRules(const std::string &appId, - const std::string &pkgId, - const std::string &authorId, - const std::vector<std::string> &pkgContents, - const std::vector<std::string> &appsGranted, - const std::vector<std::string> &accessPackages); - -/** - * Forwards SMACK rule removal to Master service. - * - * @param[in] appId ID of application being removed - * @param[in] pkgId ID of package being removed - * @param[in] pkgContents A list of all applications in the package - * @param[in] appsGranted list of 2.x apps granted access - * @param[in] removeApp Flag stating if the application is no longer installed - * for any user and should be removed - * @param[in] removePkg Flag stating if entire package should be removed - * @return API return code, as defined in protocols.h - * - * @see SmackRules::uninstallPackageRules, SmackRules::uninstallApplicationRules - */ -int SmackUninstallRules(const std::string &appId, const std::string &pkgId, - const std::vector<std::string> &pkgContents, - const std::vector<std::string> &appsGranted, - const bool removeApp, const bool removePkg); - -/** - * Forwards policyUpdate API to Master. Arguments are the same as policyUpdate. 
- * - * @return API return code, as defined in protocols.h - * - * @see ServiceImpl::policyUpdate - */ -int PolicyUpdate(const std::vector<policy_entry> &policyEntries, uid_t uid, pid_t pid, - const std::string &smackLabel); - -/** - * Forwards getConfiguredPolicy API to Master. Arguments are the same as getConfiguredPolicy. - * - * @return API return code, as defined in protocols.h - * - * @see ServiceImpl::getConfiguredPolicy - */ -int GetConfiguredPolicy(bool forAdmin, const policy_entry &filter, uid_t uid, pid_t pid, - const std::string &smackLabel, std::vector<policy_entry> &policyEntries); - -/** - * Forwards getPolicy API to Master. Arguments are the same as getPolicy. - * - * @return API return code, as defined in protocols.h - * - * @see ServiceImpl::getPolicy - */ -int GetPolicy(const policy_entry &filter, uid_t uid, pid_t pid, const std::string &smackLabel, - std::vector<policy_entry> &policyEntries); - -/** - * Forwards policyGetDesc API to Master. Arguments are the same as policyGetDesc. - * - * @return API return code, as defined in protocols.h - * - * @see ServiceImpl::policyGetDesc - */ -int PolicyGetDesc(std::vector<std::string> &descriptions); - -/** - * Forwards Smack rules applying for private sharing to Master service. 
- * - * @param[in] ownerPkgId App id of path owner application - * @param[in] pkgContents Vector of applications belonging to the same package as path owner - * @param[in] targetAppId App id of sharing path target application - * @param[in] path Path being shared - * @param[in] ownerTargetCount Count of saved owner with target sharing - * @param[in] pathSharingCount Count of saved path sharing - * - * @return API return code, as defined in protocols.h - * - * @see ServiceImpl::applyPrivateSharing - */ -int SmackApplyPrivateSharingRules(const std::string &ownerPkgId, - const std::vector<std::string> &pkgContents, - const std::string &targetAppId, - const std::string &path, - int ownerTargetCount, - int pathSharingCount); - -/** - * Forwards Smack rules applying for private sharing to Master service. - * - * @param[in] ownerPkgId Package id of path owner application - * @param[in] pkgContents Vector of applications belonging to the same package as path owner - * @param[in] targetAppId App id of sharing path target application - * @param[in] path Path being shared - * @param[in] ownerTargetCount Count of saved owner with target sharing - * @param[in] pathSharingCount Count of saved path sharing - * - * @return API return code, as defined in protocols.h - * - * @see ServiceImpl::dropPrivateSharing - */ -int SmackDropPrivateSharingRules(const std::string &ownerPkgId, - const std::vector<std::string> &pkgContents, - const std::string &targetAppId, - const std::string &path, - int ownerTargetCount, - int pathSharingCount); - -} // namespace MasterReq -} // namespace SecurityManager - -#endif // _SECURITY_MANAGER_MASTER_REQ_ diff --git a/src/common/include/protocols.h b/src/common/include/protocols.h index 9a00bc4c..1526f872 100644 --- a/src/common/include/protocols.h +++ b/src/common/include/protocols.h 
@@ -134,8 +134,6 @@ struct private_sharing_req { namespace SecurityManager { extern char const * const SERVICE_SOCKET; -extern char const * const MASTER_SERVICE_SOCKET; -extern char const * const SLAVE_SERVICE_SOCKET; enum class SecurityModuleCall { @@ -157,21 +155,6 @@ enum class SecurityModuleCall NOOP = 0x90, }; -enum class MasterSecurityModuleCall -{ - CYNARA_UPDATE_POLICY, - CYNARA_USER_INIT, - CYNARA_USER_REMOVE, - POLICY_UPDATE, - GET_CONFIGURED_POLICY, - GET_POLICY, - POLICY_GET_DESC, - SMACK_INSTALL_RULES, - SMACK_UNINSTALL_RULES, - SMACK_APPLY_PRIVATE_SHARING_RULES, - SMACK_DROP_PRIVATE_SHARING_RULES -}; - } // namespace SecurityManager using namespace SecurityManager; diff --git a/src/common/include/service_impl.h b/src/common/include/service_impl.h index 85cd9c26..0ffcbcd7 100644 --- a/src/common/include/service_impl.h +++ b/src/common/include/service_impl.h @@ -49,7 +49,7 @@ private: int dropOnePrivateSharing(const std::string &ownerAppId, const std::string &ownerPkgId, const std::vector<std::string> &ownerPkgContents, const std::string &targetAppId, - const std::string &path, const std::string &zoneId, bool isSlave); + const std::string &path); public: ServiceImpl(); 
@@ -60,22 +60,20 @@ public: * * @param[in] req installation request * @param[in] uid id of the requesting user - * @param[in] isSlave Indicates if function should be called under slave mode * * @return API return code, as defined in protocols.h */ - int appInstall(const app_inst_req &req, uid_t uid, bool isSlave); + int appInstall(const app_inst_req &req, uid_t uid); /** * Process application uninstallation request. * * @param[in] req uninstallation request * @param[in] uid id of the requesting user - * @param[in] isSlave Indicates if function should be called under slave mode * * @return API return code, as defined in protocols.h */ - int appUninstall(const std::string &appId, uid_t uid, bool isSlave); + int appUninstall(const std::string &appId, uid_t uid); /** * Process package id query. @@ -98,13 +96,11 @@ public: * @param[in] appId application identifier * @param[in] uid id of the requesting user * @param[in] pid id of the requesting process (to construct Cynara session id) - * @param[in] isSlave Indicates if function should be called under slave mode * @param[out] gids returned set of allowed group ids * * @return API return code, as defined in protocols.h */ - int getAppGroups(const std::string &appId, uid_t uid, pid_t pid, bool isSlave, - std::unordered_set<gid_t> &gids); + int getAppGroups(const std::string &appId, uid_t uid, pid_t pid, std::unordered_set<gid_t> &gids); /** * Process user adding request. 
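Review bot: In the `@@ -60,22 +60,20 @@` hunk the doc block kept above `appUninstall` still says `@param[in] req uninstallation request`, but the declaration on the new side takes `const std::string &appId`, so the comment names a parameter that does not exist. This commit already edits that comment to drop `isSlave`, so the line could be replaced in the same pass with `* @param[in] appId application identifier`. The class body starts and ends outside this hunk.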
@@ -112,22 +108,20 @@ public: * @param[in] uidAdded uid of newly created user * @param[in] userType type of newly created user * @param[in] uid uid of requesting user - * @param[in] isSlave Indicates if function should be called under slave mode * * @return API return code, as defined in protocols.h */ - int userAdd(uid_t uidAdded, int userType, uid_t uid, bool isSlave); + int userAdd(uid_t uidAdded, int userType, uid_t uid); /** * Process user deletion request. * * @param[in] uidDeleted uid of removed user * @param[in] uid uid of requesting user - * @param[in] isSlave Indicates if function should be called under slave mode * * @return API return code, as defined in protocols.h */ - int userDelete(uid_t uidDeleted, uid_t uid, bool isSlave); + int userDelete(uid_t uidDeleted, uid_t uid); /** * Update policy in Cynara - proper privilege: http://tizen.org/privilege/systemsettings.admin @@ -194,13 +188,11 @@ public: * @param[in] appId application identifier * @param[in] privilege privilege name * @param[in] uid user identifier - * @param[in] isSlave indicates if function should be called under slave mode * @param[out] result placeholder for check result * * @return API return code, as defined in protocols.h */ - int appHasPrivilege(std::string appId, std::string privilege, uid_t uid, - bool isSlave, bool &result); + int appHasPrivilege(std::string appId, std::string privilege, uid_t uid, bool &result); /** * Process applying private path sharing between applications. 
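Review bot: `appHasPrivilege` in the `@@ -194,13 +188,11 @@` hunk takes `std::string appId, std::string privilege` by value, while the other string parameters touched in this header are `const std::string &`. Unless the definition (not shown here) moves from them, I would declare it as `int appHasPrivilege(const std::string &appId, const std::string &privilege, uid_t uid, bool &result);` and update the definition to match. The same applies to the `const std::string pkgId` parameter of `generateAllowOther2XApplicationDeps` and the `const std::string appId` parameter of `generateAppToOtherPackagesDeps` in the smack-rules.h hunks, where a `const` by-value string only adds a copy.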
@@ -208,14 +200,12 @@ public: * @param[in] ownerAppId application owning paths * @param[in] targetAppId application which paths will be shared with * @param[in] paths vector of paths to be shared - * @param[in] isSlave Indicates if function should be called under slave mode * * @return API return code, as defined in protocols.h */ int applyPrivatePathSharing(const std::string &ownerAppId, const std::string &targetAppId, - const std::vector<std::string> &paths, - bool isSlave); + const std::vector<std::string> &paths); /** * Process droping private path sharing between applications. @@ -223,14 +213,13 @@ public: * @param[in] ownerAppId application owning paths * @param[in] targetAppId application which paths won't be anymore shared with * @param[in] paths vector of paths to be stopped being shared - * @param[in] isSlave Indicates if function should be called under slave mode * @return API return code, as defined in protocols.h */ int dropPrivatePathSharing(const std::string &ownerAppId, const std::string &targetAppId, - const std::vector<std::string> &paths, - bool isSlave); + const std::vector<std::string> &paths); }; + } /* namespace SecurityManager */ #endif /* _SECURITY_MANAGER_SERVICE_IMPL_ */ diff --git a/src/common/include/smack-labels.h b/src/common/include/smack-labels.h index af5c623b..2aa00ec8 100644 --- a/src/common/include/smack-labels.h +++ b/src/common/include/smack-labels.h @@ -41,13 +41,11 @@ namespace SmackLabels { * @param path[in] path to a file or directory to setup * @param pathType[in] type of path to setup. See description of * app_install_path_type in security-manager.h for details - * @param zoneId[in] ID of zone for which label should be set */ void setupPath( const std::string &pkgId, const std::string &path, app_install_path_type pathType, - const std::string &zoneId, const std::string &authorId = std::string()); /** diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h index e472dd21..a0b458aa 100644 
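Review bot: In the smack-labels.h hunk (`@@ -41,13 +41,11 @@`), `zoneId` is removed from the middle of `setupPath` while the trailing `authorId` keeps its default, so a call site that still passes four arguments `(pkgId, path, pathType, zoneId)` continues to compile and the old zone ID is silently taken as `authorId`. The parameter name suggests that value feeds label generation, so a missed caller would presumably label paths from the wrong input rather than fail the build. The callers are not in this hunk and need to be checked by hand. One way to let the compiler find them is to build once with the default dropped, i.e. `const std::string &authorId);`, and restore it afterwards.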
--- a/src/common/include/smack-rules.h +++ b/src/common/include/smack-rules.h @@ -49,14 +49,12 @@ public: const std::vector<std::string> &templateRules, const std::string &appId, const std::string &pkgId, - const std::string &authorId, - const std::string &zoneId); + const std::string &authorId); void addFromTemplateFile( const std::string &appId, const std::string &pkgId, - const std::string &authorId, - const std::string &zoneId); + const std::string &authorId); void apply() const; void clear() const; 
@@ -69,41 +67,18 @@ public: * correct permissions to shared data. * * @param[in] pkgContents - a list of all applications inside this package - * @param[in] zoneId - ID of zone which requested application install */ - void generatePackageCrossDeps(const std::vector<std::string> &pkgContents, - const std::string &zoneId); + void generatePackageCrossDeps(const std::vector<std::string> &pkgContents); /** * Create cross dependencies for all other 2.X applications * * @param[in] pkgId - installed package id to access it's shared dir * @param[in] other2XApps - list of 2.x apps to grant access - * @param[in] zoneId - ID of zone which requested application install - */ - void generateAllowOther2XApplicationDeps(const std::string pkgId, - const std::vector<std::string> &other2XApps, - const std::string &zoneId); - - /** - * Install package-specific smack rules. - * - * Function creates smack rules using predefined template. Rules are applied - * to the kernel and saved on persistent storage so they are loaded on system boot. - * - * @param[in] appId - application id that is beeing installed - * @param[in] pkgId - package id that the application is in - * @param[in] authorId - author id of application - * @param[in] pkgContents - list of all applications in the package - * @param[in] appsGranted - list of 2.x apps to grant access - * @param[in] accessPackages - list of 2.x packages to be accessed */ - static void installApplicationRules(const std::string &appId, - const std::string &pkgId, - const std::string &authorId, - const std::vector<std::string> &pkgContents, - const std::vector<std::string> &appsGranted, - const std::vector<std::string> &accessPackages); + void generateAllowOther2XApplicationDeps( + const std::string pkgId, + const std::vector<std::string> &other2XApps); /** * Install package-specific smack rules plus add rules for specified external apps. 
@@ -115,7 +90,6 @@ public: * @param[in] pkgId - package id that the application is in * @param[in] authorId - author id of application * @param[in] pkgContents - list of all applications in the package - * @param[in] zoneId - ID of zone which requested application install * @param[in] appsGranted - list of 2.x apps granted access * @param[in] accessPackages - list of 2.x packages to be accessed */ @@ -125,8 +99,7 @@ public: const std::string &authorId, const std::vector<std::string> &pkgContents, const std::vector<std::string> &appsGranted, - const std::vector<std::string> &accessPackages, - const std::string &zoneId); + const std::vector<std::string> &accessPackages); /** * Uninstall package-specific smack rules. @@ -152,12 +125,12 @@ public: * @param[in] pkgId - package id that the application belongs to * @param[in] appsInPkg - a list of other applications in the same package id that the application belongs to * @param[in] appsGranted - list of 2.x apps granted access - * @param[in] zoneId - ID of zone which requested application uninstall */ - static void uninstallApplicationRules(const std::string &appId, const std::string &pkgId, + static void uninstallApplicationRules( + const std::string &appId, + const std::string &pkgId, std::vector<std::string> appsInPkg, - const std::vector<std::string> &appsGranted, - const std::string &zoneId); + const std::vector<std::string> &appsGranted); /** * Update package specific rules 
@@ -169,12 +142,11 @@ public: * @param[in] pkgId - id of the package to update * @param[in] pkgContents - list of all applications in the package * @param[in] appsGranted - list of 2.x apps granted access - * @param[in] zoneId - ID of zone which requested application uninstall */ - static void updatePackageRules(const std::string &pkgId, + static void updatePackageRules( + const std::string &pkgId, const std::vector<std::string> &pkgContents, - const std::vector<std::string> &appsGranted, - const std::string &zoneId); + const std::vector<std::string> &appsGranted); /* Temporary fix for authors rules */ static void fixAuthorRules(const std::string &authorId); @@ -194,15 +166,13 @@ public: * @param[in] isPathSharedAlready - flag indicated, if path has been shared before * @param[in] isTargetSharingAlready - flag indicated, if target is already sharing anything * with owner - * @param[in] zoneId - ID of zone which requested applying sharing */ static void applyPrivateSharingRules(const std::string &ownerPkgId, const std::vector<std::string> &ownerPkgContents, const std::string &targetAppId, const std::string &pathLabel, bool isPathSharedAlready, - bool isTargetSharingAlready, - const std::string &zoneId); + bool isTargetSharingAlready); /** * Remove rules related to private path sharing rules * 
@@ -219,15 +189,15 @@ public: * @param[in] isPathSharedNoMore - flag indicated, if path is not shared anymore * @param[in] isTargetSharingNoMore - flag indicated, if target is not sharing anything * with owner - * @param[in] zoneId - ID of zone which requested droping sharing */ static void dropPrivateSharingRules(const std::string &ownerPkgId, const std::vector<std::string> &ownerPkgContents, const std::string &targetAppId, const std::string &pathLabel, bool isPathSharedNoMore, - bool isTargetSharingNoMore, - const std::string &zoneId); + bool isTargetSharingNoMore); + + static void updatePackageRules(const std::string &pkgId, const std::vector<std::string> &pkgContents); private: /** @@ -256,11 +226,10 @@ private: * * @param[in] path - path to the file that contains the rules * @param[in] other2XPackages - list of 2.x packages to be accessed - * @param[in] zoneId - ID of zone which requested application uninstall */ - static void generateAppToOtherPackagesDeps(const std::string appId, - const std::vector<std::string> &other2XPackages, - const std::string &zoneId); + static void generateAppToOtherPackagesDeps( + const std::string appId, + const std::vector<std::string> &other2XPackages); /** * Helper method: replace all occurrences of \ref needle in \ref haystack diff --git a/src/common/include/zone-utils.h b/src/common/include/zone-utils.h deleted file mode 100644 index 25caacce..00000000 --- a/src/common/include/zone-utils.h +++ /dev/null 
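Review bot: The `@@ -219,15 +189,15 @@` hunk adds a new declaration, `static void updatePackageRules(const std::string &pkgId, const std::vector<std::string> &pkgContents);`, with no doc comment, in a commit whose description is only about removing master and slave mode. The header already declares a three-argument `updatePackageRules` taking `appsGranted` (hunk `@@ -169,12 +142,11 @@`), so a reader cannot tell from here which overload callers should use or whether the two-argument one has a definition. If it is intended, it should get a doc block like its neighbours stating how it behaves without an `appsGranted` list. If it is a leftover from a rebase, it should be dropped.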
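Review bot: The doc block kept above `generateAppToOtherPackagesDeps` in the `@@ -256,11 +226,10 @@` hunk documents `@param[in] path - path to the file that contains the rules`, but the function's first parameter is `appId` and it has no `path` parameter. As the comment is already being edited to drop `zoneId`, the line could read `* @param[in] appId - application id that is granted access to the listed packages`. That wording is my reading of the function name and should be confirmed against the definition, which is not part of this header hunk.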
@@ -1,86 +0,0 @@ -/* - * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Rafal Krypa <r.krypa@samsung.com> - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file zone-utils.h - * @author Lukasz Kostyra (l.kostyra@samsung.com) - * @version 1.0 - * @brief Definition of Zone utilities - */ - -#ifndef _SECURITY_MANAGER_ZONE_UTILS_H_ -#define _SECURITY_MANAGER_ZONE_UTILS_H_ - -#include <string> - -// FIXME This module is a replacement for Vasum functions. -// -// When Vasum will be included into OBS, the module should be removed and vasum-client should -// be used instead. - -namespace SecurityManager -{ - -extern const std::string ZONE_HOST; - -/** - * Extracts Zone ID in which runs process having provided PID. - * - * This function parses /proc/<pid>/cpuset file and tries to acquire Zone ID name from it. - * - * @param[in] pid PID of process to get Zone ID from. - * @param[out] zoneId Zone ID extracted from cpuset. If process runs in host, returns "host" string. - * @return True on success, false on failure. 
- */ -bool getZoneIdFromPid(int pid, std::string& zoneId); - -/** - * Generates zone-specific label from given @ref label and zone's name @ref zoneName - * - * @param[in] label Base label, used to generate new zone-specific label - * @param[in] zoneName Name of zone for which label will be generated - * @return Generated label - */ -std::string zoneSmackLabelGenerate(const std::string &label, const std::string &zoneName); - -/** - * Map @ref hostLabel to @ref zoneLabel using Smack namespaces. - * - * FIXME This is a placeholder for Vasum API - implement when Smack Namespaces are implemented - * - * @param[in] hostLabel Smack label as seen from hosts perspective - * @param[in] zoneName Zone ID to which label will be mapped - * @param[in] zoneLabel Smack label seen from zone's perspective - * @return True on success, false on failure - */ -bool zoneSmackLabelMap(const std::string &hostLabel, const std::string &zoneName, - const std::string &zoneLabel); - -/** - * Unmap label mapped by zoneSmackLabelMap. - * - * FIXME This is a placeholder for Vasum API - implement when Smack Namespaces are implemented - * - * @param[in] hostLabel Label to unmap - * @param[in] zoneName Zone ID for which unmapping should be done - * @return True on success, false on failure - */ -bool zoneSmackLabelUnmap(const std::string &hostLabel, const std::string &zoneName); - -} //namespace SecurityManager - -#endif //_SECURITY_MANAGER_ZONE_UTILS_H_ diff --git a/src/common/master-req.cpp b/src/common/master-req.cpp deleted file mode 100644 index 3d4d071e..00000000 --- a/src/common/master-req.cpp +++ /dev/null 
@@ -1,261 +0,0 @@ -/* - * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Rafal Krypa <r.krypa@samsung.com> - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ - -/* - * @file master-req.cpp - * @author Lukasz Kostyra <l.kostyra@samsung.com> - * @brief Definitions of master request calls - */ - -#include "master-req.h" - -#include <dpl/serialization.h> - -#include "message-buffer.h" -#include "connection.h" - -namespace SecurityManager { -namespace MasterReq { - -int CynaraPolicyUpdate(const std::string &appId, const std::string &uidstr, - const std::vector<std::string> &privileges) -{ - int ret; - MessageBuffer sendBuf, retBuf; - - Serialization::Serialize(sendBuf, - static_cast<int>(MasterSecurityModuleCall::CYNARA_UPDATE_POLICY), - appId, uidstr, privileges); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Deserialization::Deserialize(retBuf, ret); - - return ret; -} - -int CynaraUserInit(const uid_t uidAdded, int userType) -{ - int ret; - MessageBuffer sendBuf, retBuf; - - Serialization::Serialize(sendBuf, - static_cast<int>(MasterSecurityModuleCall::CYNARA_USER_INIT), - uidAdded, userType); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Deserialization::Deserialize(retBuf, ret); - - return ret; -} - -int CynaraUserRemove(const uid_t uidDeleted) -{ - int ret; - MessageBuffer sendBuf, 
retBuf; - - Serialization::Serialize(sendBuf, - static_cast<int>(MasterSecurityModuleCall::CYNARA_USER_REMOVE), - uidDeleted); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Deserialization::Deserialize(retBuf, ret); - - return ret; -} - -int SmackInstallRules(const std::string &appId, - const std::string &pkgId, - const std::string &authorId, - const std::vector<std::string> &pkgContents, - const std::vector<std::string> &appsGranted, - const std::vector<std::string> &accessPackages) -{ - int ret; - MessageBuffer sendBuf, retBuf; - Serialization::Serialize( - sendBuf, - static_cast<int>(MasterSecurityModuleCall::SMACK_INSTALL_RULES), - appId, - pkgId, - authorId, - pkgContents, - appsGranted, - accessPackages); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Deserialization::Deserialize(retBuf, ret); - - return ret; -} - -int SmackUninstallRules(const std::string &appId, const std::string &pkgId, - const std::vector<std::string> &pkgContents, - const std::vector<std::string> &appsGranted, - const bool removeApp, const bool removePkg) -{ - int ret; - MessageBuffer sendBuf, retBuf; - - Serialization::Serialize(sendBuf, - static_cast<int>(MasterSecurityModuleCall::SMACK_UNINSTALL_RULES), - appId, pkgId, pkgContents, appsGranted, removeApp, removePkg); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Deserialization::Deserialize(retBuf, ret); - - return ret; -} - -// Following three requests are just forwarded security-manager API calls -// these do not access Privilege DB, so all can be forwarded to Master -int PolicyUpdate(const std::vector<policy_entry> &policyEntries, uid_t uid, pid_t pid, - const std::string &smackLabel) -{ - int ret; - MessageBuffer sendBuf, retBuf; - - Serialization::Serialize(sendBuf, - static_cast<int>(MasterSecurityModuleCall::POLICY_UPDATE), - 
policyEntries, uid, pid, smackLabel); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Deserialization::Deserialize(retBuf, ret); - - return ret; -} - -int GetConfiguredPolicy(bool forAdmin, const policy_entry &filter, uid_t uid, pid_t pid, - const std::string &smackLabel, std::vector<policy_entry> &policyEntries) -{ - int ret; - MessageBuffer sendBuf, retBuf; - - Serialization::Serialize(sendBuf, - static_cast<int>(MasterSecurityModuleCall::GET_CONFIGURED_POLICY), - forAdmin, filter, uid, pid, smackLabel); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) { - Deserialization::Deserialize(retBuf, ret); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Deserialization::Deserialize(retBuf, policyEntries); - } - - return ret; -} - -int GetPolicy(const policy_entry &filter, uid_t uid, pid_t pid, const std::string &smackLabel, - std::vector<policy_entry> &policyEntries) -{ - int ret; - MessageBuffer sendBuf, retBuf; - - Serialization::Serialize(sendBuf, - static_cast<int>(MasterSecurityModuleCall::GET_POLICY), - filter, uid, pid, smackLabel); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) { - Deserialization::Deserialize(retBuf, ret); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Deserialization::Deserialize(retBuf, policyEntries); - } - - return ret; -} - -int PolicyGetDesc(std::vector<std::string> &descriptions) -{ - int ret; - MessageBuffer sendBuf, retBuf; - - Serialization::Serialize(sendBuf, - static_cast<int>(MasterSecurityModuleCall::POLICY_GET_DESC)); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) { - Deserialization::Deserialize(retBuf, ret); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Deserialization::Deserialize(retBuf, descriptions); - } - - return ret; -} - -int SmackApplyPrivateSharingRules(const 
std::string &ownerPkgId, - const std::vector<std::string> &pkgContents, - const std::string &targetAppId, - const std::string &path, - int ownerTargetCount, - int pathCount) -{ - int ret; - MessageBuffer sendBuf, retBuf; - - Serialization::Serialize(sendBuf, - static_cast<int>(MasterSecurityModuleCall::SMACK_APPLY_PRIVATE_SHARING_RULES)); - Serialization::Serialize(sendBuf, ownerPkgId); - Serialization::Serialize(sendBuf, pkgContents); - Serialization::Serialize(sendBuf, targetAppId); - Serialization::Serialize(sendBuf, path); - Serialization::Serialize(sendBuf, ownerTargetCount); - Serialization::Serialize(sendBuf, pathCount); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) { - Deserialization::Deserialize(retBuf, ret); - } - - return ret; -} - -int SmackDropPrivateSharingRules(const std::string &ownerPkgId, - const std::vector<std::string> &pkgContents, - const std::string &targetAppId, - const std::string &path, - int ownerTargetCount, - int pathCount) -{ - int ret; - MessageBuffer sendBuf, retBuf; - - Serialization::Serialize(sendBuf, - static_cast<int>(MasterSecurityModuleCall::SMACK_DROP_PRIVATE_SHARING_RULES)); - Serialization::Serialize(sendBuf, ownerPkgId); - Serialization::Serialize(sendBuf, pkgContents); - Serialization::Serialize(sendBuf, targetAppId); - Serialization::Serialize(sendBuf, path); - Serialization::Serialize(sendBuf, ownerTargetCount); - Serialization::Serialize(sendBuf, pathCount); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) { - Deserialization::Deserialize(retBuf, ret); - } - - return ret; -} - -} // namespace MasterReq -} // namespace SecurityManager diff --git a/src/common/protocols.cpp b/src/common/protocols.cpp index eac619a8..798b9d69 100644 --- a/src/common/protocols.cpp +++ b/src/common/protocols.cpp 
@@ -32,10 +32,6 @@ namespace SecurityManager { char const * const SERVICE_SOCKET = SOCKET_PATH_PREFIX "security-manager.socket"; -char const * const MASTER_SERVICE_SOCKET = - SOCKET_PATH_PREFIX "security-manager-master.socket"; -char const * const SLAVE_SERVICE_SOCKET = - SOCKET_PATH_PREFIX "security-manager-slave.socket"; } // namespace SecurityManager diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp index 99928a9d..ab15ba33 100644 --- a/src/common/service_impl.cpp +++ b/src/common/service_impl.cpp @@ -42,10 +42,8 @@ #include "smack-rules.h" #include "smack-labels.h" #include "security-manager.h" -#include "zone-utils.h" #include "service_impl.h" -#include "master-req.h" namespace SecurityManager { @@ -278,23 +276,7 @@ bool ServiceImpl::installRequestAuthCheck(const app_inst_req &req, uid_t uid, st return true; } -bool ServiceImpl::getZoneId(std::string &zoneId) -{ - if (!getZoneIdFromPid(getpid(), zoneId)) { - LogError("Failed to get zone ID from current PID"); - return false; - } - - // This function should be called under slave mode only - assumes, that we work inside zone - if (zoneId == ZONE_HOST) { - LogError("We should not run in host - refusing request"); - return false; - } - - return true; -} - -int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave) +int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid) { std::vector<std::string> addedPermissions; std::vector<std::string> removedPermissions; @@ -308,14 +290,6 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave) // authorId contains id from database. It's not equal to value in request. // IMHO the id in request should be called authorName not authorId... - std::string zoneId; - if (isSlave) { - if (!getZoneId(zoneId)) { - LogError("Failed to get Zone ID."); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - } - } - if (uid) { if (uid != req.uid) { LogError("User " << uid << 
@@ -334,9 +308,10 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave) } try { - appLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(req.appId), zoneId); + appLabel = SmackLabels::generateAppLabel(req.appId); + /* NOTE: we don't use pkgLabel here, but generate it for pkgId validation */ - pkgLabel = zoneSmackLabelGenerate(SmackLabels::generatePkgLabel(req.pkgId), zoneId); + pkgLabel = SmackLabels::generatePkgLabel(req.pkgId); LogDebug("Install parameters: appId: " << req.appId << ", pkgId: " << req.pkgId << ", uidstr " << uidstr << ", app label: " << appLabel << ", pkg label: " << pkgLabel @@ -357,16 +332,7 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave) PrivilegeDb::getInstance().GetAppIdsForPkgId(req.pkgId, pkgContents); PrivilegeDb::getInstance().GetAuthorIdForAppId(req.appId, authorId); - if (isSlave) { - int ret = MasterReq::CynaraPolicyUpdate(req.appId, uidstr, req.privileges); - if (ret != SECURITY_MANAGER_API_SUCCESS) { - PrivilegeDb::getInstance().RollbackTransaction(); - LogError("Error while processing request on master: " << ret); - return ret; - } - } else { - CynaraAdmin::getInstance().UpdateAppPolicy(appLabel, uidstr, req.privileges); - } + CynaraAdmin::getInstance().UpdateAppPolicy(appLabel, uidstr, req.privileges); // if app is targetted to Tizen 2.X, give other 2.X apps RO rules to it's shared dir if(isTizen2XVersion(req.tizenVersion)) 
@@ -404,22 +370,12 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave) for (const auto &appPath : req.appPaths) { const std::string &path = appPath.first; app_install_path_type pathType = static_cast<app_install_path_type>(appPath.second); - SmackLabels::setupPath(req.pkgId, path, pathType, zoneId, authorId); + SmackLabels::setupPath(req.pkgId, path, pathType, authorId); } - if (isSlave) { - LogDebug("Requesting master to add rules for new appId: " << req.appId << " with pkgId: " - << req.pkgId << ". Applications in package: " << pkgContents.size()); - int ret = MasterReq::SmackInstallRules(req.appId, req.pkgId, authorId, pkgContents, allTizen2XApps, allTizen2XPackages); - if (ret != SECURITY_MANAGER_API_SUCCESS) { - LogError("Master failed to apply package-specific smack rules: " << ret); - return ret; - } - } else { - LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: " - << req.pkgId << ". Applications in package: " << pkgContents.size()); - SmackRules::installApplicationRules(req.appId, req.pkgId, authorId, pkgContents, allTizen2XApps, allTizen2XPackages); - } + LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: " + << req.pkgId << ". Applications in package: " << pkgContents.size()); + SmackRules::installApplicationRules(req.appId, req.pkgId, authorId, pkgContents, allTizen2XApps, allTizen2XPackages); } catch (const SmackException::InvalidParam &e) { LogError("Invalid paramater during labeling: " << e.GetMessage()); return SECURITY_MANAGER_API_ERROR_INPUT_PARAM; 
@@ -429,7 +385,7 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave) } catch (const SecurityManager::Exception &e) { LogError("Security Manager exception: " << e.DumpToString()); return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - }catch (const std::bad_alloc &e) { + } catch (const std::bad_alloc &e) { LogError("Memory allocation error: " << e.what()); return SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY; } @@ -437,7 +393,7 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave) return SECURITY_MANAGER_API_SUCCESS; } -int ServiceImpl::appUninstall(const std::string &appId, uid_t uid, bool isSlave) +int ServiceImpl::appUninstall(const std::string &appId, uid_t uid) { std::string pkgId; std::string tizenVersion; @@ -452,14 +408,6 @@ int ServiceImpl::appUninstall(const std::string &appId, uid_t uid, bool isSlave) std::string authorId; int restoreAuthor = 0; - std::string zoneId; - if (isSlave) { - if (!getZoneId(zoneId)) { - LogError("Failed to get Zone ID."); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - } - } - try { PrivilegeDb::getInstance().BeginTransaction(); if (!PrivilegeDb::getInstance().GetAppPkgIdAndVer(appId, pkgId, tizenVersion)) { @@ -468,7 +416,7 @@ int ServiceImpl::appUninstall(const std::string &appId, uid_t uid, bool isSlave) PrivilegeDb::getInstance().RollbackTransaction(); appExists = false; } else { - smackLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(appId), zoneId); + smackLabel = SmackLabels::generateAppLabel(appId); LogDebug("Uninstall parameters: appId: " << appId << ", pkgId: " << pkgId << ", uidstr " << uidstr << ", generated smack label: " << smackLabel); 
@@ -486,16 +434,7 @@ int ServiceImpl::appUninstall(const std::string &appId, uid_t uid, bool isSlave) if(isTizen2XVersion(tizenVersion)) PrivilegeDb::getInstance().GetTizen2XApps(appId, allTizen2XApps); - if (isSlave) { - int ret = MasterReq::CynaraPolicyUpdate(appId, uidstr, std::vector<std::string>()); - if (ret != SECURITY_MANAGER_API_SUCCESS) { - PrivilegeDb::getInstance().RollbackTransaction(); - LogError("Error while processing request on master: " << ret); - return ret; - } - } else { - CynaraAdmin::getInstance().UpdateAppPolicy(smackLabel, uidstr, std::vector<std::string>()); - } + CynaraAdmin::getInstance().UpdateAppPolicy(smackLabel, uidstr, std::vector<std::string>()); PrivilegeDb::getInstance().CommitTransaction(); LogDebug("Application uninstallation commited to database"); 
@@ -523,32 +462,24 @@ int ServiceImpl::appUninstall(const std::string &appId, uid_t uid, bool isSlave) if (appExists) { try { - if (isSlave) { - LogDebug("Delegating Smack rules removal for deleted pkgId " << pkgId << - " to master"); - int ret = MasterReq::SmackUninstallRules(appId, pkgId, pkgContents, allTizen2XApps, removeApp, removePkg); - if (ret != SECURITY_MANAGER_API_SUCCESS) { - LogError("Error while processing uninstall request on master: " << ret); - return ret; - } - } else { - if (removeApp) { - LogDebug("Removing smack rules for deleted appId " << appId); - SmackRules::uninstallApplicationRules(appId, pkgId, pkgContents, allTizen2XApps, zoneId); - } - if (removePkg) { - LogDebug("Removing Smack rules for deleted pkgId " << pkgId); - SmackRules::uninstallPackageRules(pkgId); - } - if (restoreAuthor) - SmackRules::fixAuthorRules(authorId); + if (removeApp) { + LogDebug("Removing smack rules for deleted appId " << appId); + SmackRules::uninstallApplicationRules(appId, pkgId, pkgContents, allTizen2XApps); } + + if (removePkg) { + LogDebug("Removing Smack rules for deleted pkgId " << pkgId); + SmackRules::uninstallPackageRules(pkgId); + } + + if (restoreAuthor) { + LogDebug("Removing Smack rules for authorId " << authorId); + SmackRules::fixAuthorRules(authorId); + } + } catch (const SmackException::Base &e) { LogError("Error while removing Smack rules for application: " << e.DumpToString()); return SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED; - } catch (const SecurityManager::Exception &e) { - LogError("Security Manager error: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; } catch (const std::bad_alloc &e) { LogError("Memory allocation error: " << e.what()); return SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY; 
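Review bot: The `catch (const SecurityManager::Exception &e)` handler is dropped from the Smack-rule cleanup in appUninstall, while appInstall (hunk -429,7) still keeps the same handler after its rule installation. That leaves only `SmackException::Base` and `std::bad_alloc` handled here, so any other SecurityManager exception raised by `uninstallApplicationRules`, `uninstallPackageRules` or `fixAuthorRules` would leave appUninstall after the database transaction has already been committed. If those three calls can only throw SmackException types (their definitions are only partly visible in this commit), a short comment saying so would make the removal safe to read. Otherwise keep the handler, returning `SECURITY_MANAGER_API_ERROR_SERVER_ERROR`. The new debug text "Removing Smack rules for authorId" also does not match the call it precedes, `fixAuthorRules`.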
@@ -577,18 +508,12 @@ int ServiceImpl::getPkgId(const std::string &appId, std::string &pkgId) return SECURITY_MANAGER_API_SUCCESS; } -int ServiceImpl::getAppGroups(const std::string &appId, uid_t uid, pid_t pid, bool isSlave, +int ServiceImpl::getAppGroups( + const std::string &appId, + uid_t uid, + pid_t pid, std::unordered_set<gid_t> &gids) { - // FIXME Temporary solution, see below - std::string zoneId; - if (isSlave) { - if (!getZoneId(zoneId)) { - LogError("Failed to get Zone ID."); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - } - } - try { std::string pkgId; std::string smackLabel; @@ -603,9 +528,7 @@ int ServiceImpl::getAppGroups(const std::string &appId, uid_t uid, pid_t pid, bo } LogDebug("pkgId: " << pkgId); - // FIXME getAppGroups should work without generating zone-specific labels when - // Smack Namespaces will work - smackLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(appId), zoneId); + smackLabel = SmackLabels::generateAppLabel(appId); LogDebug("smack label: " << smackLabel); std::vector<std::string> privileges; 
@@ -655,30 +578,20 @@ int ServiceImpl::getAppGroups(const std::string &appId, uid_t uid, pid_t pid, bo return SECURITY_MANAGER_API_SUCCESS; } -int ServiceImpl::userAdd(uid_t uidAdded, int userType, uid_t uid, bool isSlave) +int ServiceImpl::userAdd(uid_t uidAdded, int userType, uid_t uid) { if (uid != 0) return SECURITY_MANAGER_API_ERROR_AUTHENTICATION_FAILED; - if (isSlave) { - int ret = MasterReq::CynaraUserInit(uidAdded, - static_cast<security_manager_user_type>(userType)); - if (ret != SECURITY_MANAGER_API_SUCCESS) { - LogError("Master failed to initialize user " << uidAdded << " of type " << userType); - return ret; - } - } else { - try { - CynaraAdmin::getInstance().UserInit(uidAdded, static_cast<security_manager_user_type>(userType)); - } catch (CynaraException::InvalidParam &e) { - return SECURITY_MANAGER_API_ERROR_INPUT_PARAM; - } + try { + CynaraAdmin::getInstance().UserInit(uidAdded, static_cast<security_manager_user_type>(userType)); + } catch (CynaraException::InvalidParam &e) { + return SECURITY_MANAGER_API_ERROR_INPUT_PARAM; } - return SECURITY_MANAGER_API_SUCCESS; } -int ServiceImpl::userDelete(uid_t uidDeleted, uid_t uid, bool isSlave) +int ServiceImpl::userDelete(uid_t uidDeleted, uid_t uid) { int ret = SECURITY_MANAGER_API_SUCCESS; if (uid != 0) 
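Review bot: The re-indented handler in userAdd still reads `catch (CynaraException::InvalidParam &e)`, which catches by non-const reference and never uses `e`. `catch (const CynaraException::InvalidParam &)` matches the other handlers in this file and avoids the unused variable. Only InvalidParam is mapped to an API error, and nothing is logged when it happens, so a rejected `userType` is invisible in the service log; a `LogError` before `return SECURITY_MANAGER_API_ERROR_INPUT_PARAM;` would help. Any other exception type from `UserInit` would propagate out of userAdd, so confirm the caller handles that.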
@@ -694,22 +607,14 @@ int ServiceImpl::userDelete(uid_t uidDeleted, uid_t uid, bool isSlave) } for (auto &app: userApps) { - if (appUninstall(app, uidDeleted, isSlave) != SECURITY_MANAGER_API_SUCCESS) { + if (appUninstall(app, uidDeleted) != SECURITY_MANAGER_API_SUCCESS) { /*if uninstallation of this app fails, just go on trying to uninstall another ones. we do not have anything special to do about that matter - user will be deleted anyway.*/ ret = SECURITY_MANAGER_API_ERROR_SERVER_ERROR; } } - if (isSlave) { - int ret = MasterReq::CynaraUserRemove(uidDeleted); - if (ret) { - LogError("Master failed to delete user " << uidDeleted); - return ret; - } - } else { - CynaraAdmin::getInstance().UserRemove(uidDeleted); - } + CynaraAdmin::getInstance().UserRemove(uidDeleted); return ret; } @@ -1039,22 +944,14 @@ int ServiceImpl::policyGetGroups(std::vector<std::string> &groups) return ret; } -int ServiceImpl::appHasPrivilege(std::string appId, std::string privilege, - uid_t uid, bool isSlave, bool &result) +int ServiceImpl::appHasPrivilege( + std::string appId, + std::string privilege, + uid_t uid, + bool &result) { try { - // FIXME getAppGroups should work without generating zone-specific labels when - // Smack Namespaces will work - std::string zoneId; - if (isSlave) { - if (!getZoneId(zoneId)) { - LogError("Failed to get Zone ID."); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - } - } - - std::string appLabel = zoneSmackLabelGenerate( - SmackLabels::generateAppLabel(appId), zoneId); + std::string appLabel = SmackLabels::generateAppLabel(appId); std::string uidStr = std::to_string(uid); result = Cynara::getInstance().check(appLabel, privilege, uidStr, ""); LogDebug("result = " << result); 
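Review bot: `CynaraAdmin::getInstance().UserRemove(uidDeleted);` now runs unconditionally with no try/catch visible in this hunk, whereas userAdd wraps the matching `UserInit` call and maps its exception to an API return code. If UserRemove can throw (its declaration is not shown here), the exception would leave userDelete after the per-app uninstalls have already run, and the `ret` collected in the loop is lost. Wrapping the call and returning `SECURITY_MANAGER_API_ERROR_SERVER_ERROR` with a `LogError` would keep the add and delete paths symmetric. userDelete's body starts outside the hunk, so an enclosing handler may already exist.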
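Review bot: In the re-wrapped appHasPrivilege signature (hunk -1039,22), `std::string appId` and `std::string privilege` are still taken by value although the lines shown only read them; `const std::string &appId, const std::string &privilege` avoids two string copies on every privilege check. The same applies to `const std::string appId` in generateAppToOtherPackagesDeps, `const std::string pkgId` in generateAllowOther2XApplicationDeps and `std::vector<std::string> pkgContents` in uninstallApplicationRules, all re-wrapped by this commit in smack-rules.cpp. The header declarations, which are not visible here, would need the matching change.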
@@ -1075,9 +972,12 @@ int ServiceImpl::appHasPrivilege(std::string appId, std::string privilege, } -int ServiceImpl::dropOnePrivateSharing(const std::string &ownerAppId, const std::string &ownerPkgId, - const std::vector<std::string> &ownerPkgContents, const std::string &targetAppId, - const std::string &path, const std::string &zoneId, bool isSlave) +int ServiceImpl::dropOnePrivateSharing( + const std::string &ownerAppId, + const std::string &ownerPkgId, + const std::vector<std::string> &ownerPkgContents, + const std::string &targetAppId, + const std::string &path) { int errorRet; try { @@ -1090,15 +990,11 @@ int ServiceImpl::dropOnePrivateSharing(const std::string &ownerAppId, const std: return SECURITY_MANAGER_API_SUCCESS; } if (pathCount < 1) { - SmackLabels::setupPath(ownerPkgId, path, SECURITY_MANAGER_PATH_RW, zoneId); - } - std::string pathLabel = zoneSmackLabelGenerate(SmackLabels::generateSharedPrivateLabel(ownerPkgId, path), zoneId); - if (isSlave) { - MasterReq::SmackDropPrivateSharingRules(ownerPkgId, ownerPkgContents, targetAppId, path, ownerTargetCount, pathCount); - } else { - SmackRules::dropPrivateSharingRules(ownerPkgId, ownerPkgContents, targetAppId, pathLabel, - pathCount < 1, ownerTargetCount < 1, zoneId); + SmackLabels::setupPath(ownerPkgId, path, SECURITY_MANAGER_PATH_RW); } + std::string pathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgId, path); + SmackRules::dropPrivateSharingRules(ownerPkgId, ownerPkgContents, targetAppId, pathLabel, + pathCount < 1, ownerTargetCount < 1); return SECURITY_MANAGER_API_SUCCESS; } catch (const SmackException::Base &e) { LogError("Error performing smack operation: " << e.GetMessage()); 
@@ -1116,22 +1012,15 @@ int ServiceImpl::dropOnePrivateSharing(const std::string &ownerAppId, const std: return errorRet; } -int ServiceImpl::applyPrivatePathSharing(const std::string &ownerAppId, - const std::string &targetAppId, - const std::vector<std::string> &paths, - bool isSlave) +int ServiceImpl::applyPrivatePathSharing( + const std::string &ownerAppId, + const std::string &targetAppId, + const std::vector<std::string> &paths) { int errorRet; int sharingAdded = 0; std::string ownerPkgId; std::vector<std::string> pkgContents; - std::string zoneId; - if (isSlave) { - if (!getZoneId(zoneId)) { - LogError("Failed to get Zone ID."); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - } - } try { std::string targetPkgId; @@ -1146,8 +1035,8 @@ int ServiceImpl::applyPrivatePathSharing(const std::string &ownerAppId, for(const auto &path : paths) { std::string pathLabel = SmackLabels::getSmackLabelFromPath(path); - if (pathLabel != zoneSmackLabelGenerate(SmackLabels::generatePkgLabel(ownerPkgId), zoneId)) { - std::string generatedPathLabel = zoneSmackLabelGenerate(SmackLabels::generateSharedPrivateLabel(ownerPkgId, path), zoneId); + if (pathLabel != SmackLabels::generatePkgLabel(ownerPkgId)) { + std::string generatedPathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgId, path); if (generatedPathLabel != pathLabel) { LogError("Path " << path << " has label " << pathLabel << " and dosen't belong" " to application " << ownerAppId); 
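Review bot: In the path ownership loop of applyPrivatePathSharing (hunk -1146,8), `SmackLabels::generatePkgLabel(ownerPkgId)` is recomputed for every path although it does not depend on `path`. Hoist it as `const std::string pkgLabel = SmackLabels::generatePkgLabel(ownerPkgId);` above the `for`. The identical check is repeated in dropPrivatePathSharing (hunk -1237,8), and since this comparison decides whether a caller-supplied path belongs to the owner application, a single private helper would keep the two copies from drifting apart. A one-line comment above the check naming the two accepted label forms (package label, shared-private label) would make the acceptance rule explicit.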
@@ -1171,7 +1060,7 @@ int ServiceImpl::applyPrivatePathSharing(const std::string &ownerAppId, PrivilegeDb::getInstance().GetTargetPathSharingCount(targetAppId, path, targetPathCount); PrivilegeDb::getInstance().GetPathSharingCount(path, pathCount); PrivilegeDb::getInstance().GetOwnerTargetSharingCount(ownerAppId, targetAppId, ownerTargetCount); - std::string pathLabel = zoneSmackLabelGenerate(SmackLabels::generateSharedPrivateLabel(ownerPkgId, path), zoneId); + std::string pathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgId, path); PrivilegeDb::getInstance().ApplyPrivateSharing(ownerAppId, targetAppId, path, pathLabel); sharingAdded++; if (targetPathCount > 0) { @@ -1181,13 +1070,9 @@ int ServiceImpl::applyPrivatePathSharing(const std::string &ownerAppId, if (pathCount <= 0) { SmackLabels::setupSharedPrivatePath(ownerPkgId, path); } - if (isSlave) { - MasterReq::SmackApplyPrivateSharingRules(ownerPkgId, - pkgContents, targetAppId, path, ownerTargetCount, pathCount); - } else { - SmackRules::applyPrivateSharingRules(ownerPkgId, pkgContents, targetAppId, - pathLabel, (pathCount > 0), (ownerTargetCount > 0), zoneId); - } + + SmackRules::applyPrivateSharingRules(ownerPkgId, pkgContents, targetAppId, + pathLabel, (pathCount > 0), (ownerTargetCount > 0)); } trans.commit(); return SECURITY_MANAGER_API_SUCCESS; 
@@ -1206,25 +1091,18 @@ int ServiceImpl::applyPrivatePathSharing(const std::string &ownerAppId, } for (int i = 0; i < sharingAdded; i++) { const std::string &path = paths[i]; - dropOnePrivateSharing(ownerAppId, ownerPkgId, pkgContents, targetAppId, path, zoneId, isSlave); + dropOnePrivateSharing(ownerAppId, ownerPkgId, pkgContents, targetAppId, path); } return errorRet; } -int ServiceImpl::dropPrivatePathSharing(const std::string &ownerAppId, - const std::string &targetAppId, - const std::vector<std::string> &paths, - bool isSlave) +int ServiceImpl::dropPrivatePathSharing( + const std::string &ownerAppId, + const std::string &targetAppId, + const std::vector<std::string> &paths) { int errorRet; try { - std::string zoneId; - if (isSlave) { - if (!getZoneId(zoneId)) { - LogError("Failed to get Zone ID."); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - } - } std::string ownerPkgId, targetPkgId; if (!PrivilegeDb::getInstance().GetAppPkgId(ownerAppId, ownerPkgId)) { LogError(ownerAppId << " is not an installed application"); @@ -1237,8 +1115,8 @@ int ServiceImpl::dropPrivatePathSharing(const std::string &ownerAppId, for(const auto &path : paths) { std::string pathLabel = SmackLabels::getSmackLabelFromPath(path); - if (pathLabel != zoneSmackLabelGenerate(SmackLabels::generatePkgLabel(ownerPkgId), zoneId)) { - std::string generatedPathLabel = zoneSmackLabelGenerate(SmackLabels::generateSharedPrivateLabel(ownerPkgId, path), zoneId); + if (pathLabel != SmackLabels::generatePkgLabel(ownerPkgId)) { + std::string generatedPathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgId, path); if (generatedPathLabel != pathLabel) { LogError("Path " << path << " has label " << pathLabel << " and dosen't belong" " to application " << ownerAppId); 
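Review bot: The rollback loop at the end of applyPrivatePathSharing discards the result of `dropOnePrivateSharing(ownerAppId, ownerPkgId, pkgContents, targetAppId, path);`, so the caller receives the original `errorRet` whether or not the undo succeeded. A failed undo may leave rules for the target application in place, so record it at the call site, for example `if (dropOnePrivateSharing(...) != SECURITY_MANAGER_API_SUCCESS) LogError("Rollback of sharing failed for path " << path);`. The index `int i` is compared against `sharingAdded` and used in `paths[i]`; a `size_t` counter would match the container's index type. The function body starts outside this hunk.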
@@ -1260,7 +1138,7 @@ int ServiceImpl::dropPrivatePathSharing(const std::string &ownerAppId, PrivilegeDb::getInstance().GetAppIdsForPkgId(ownerPkgId, pkgContents); ScopedTransaction trans; for (const auto &path : paths) { - int ret = dropOnePrivateSharing(ownerAppId, ownerPkgId, pkgContents, targetAppId, path, zoneId, isSlave); + int ret = dropOnePrivateSharing(ownerAppId, ownerPkgId, pkgContents, targetAppId, path); if (ret != SECURITY_MANAGER_API_SUCCESS) { return ret; } @@ -1283,5 +1161,5 @@ int ServiceImpl::dropPrivatePathSharing(const std::string &ownerAppId, return errorRet; } - } /* namespace SecurityManager */ + diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp index dbc6f4df..8682d52b 100644 --- a/src/common/smack-labels.cpp +++ b/src/common/smack-labels.cpp @@ -41,7 +41,6 @@ #include "security-manager.h" #include "smack-labels.h" -#include "zone-utils.h" namespace SecurityManager { @@ -135,7 +134,6 @@ void setupPath( const std::string &pkgId, const std::string &path, app_install_path_type pathType, - const std::string &zoneId, const std::string &authorId) { std::string label; @@ -143,12 +141,12 @@ void setupPath( switch (pathType) { case SECURITY_MANAGER_PATH_RW: - label = zoneSmackLabelGenerate(generatePkgLabel(pkgId), zoneId); + label = generatePkgLabel(pkgId); label_executables = false; label_transmute = true; break; case SECURITY_MANAGER_PATH_RO: - label = zoneSmackLabelGenerate(generatePkgROLabel(pkgId), zoneId); + label = generatePkgROLabel(pkgId); label_executables = false; label_transmute = false; break; @@ -158,7 +156,7 @@ void setupPath( label_transmute = true; break; case SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO: - label = zoneSmackLabelGenerate(generatePkgLabelOwnerRWothersRO(pkgId), zoneId); + label = generatePkgLabelOwnerRWothersRO(pkgId); label_executables = false; label_transmute = true; break; diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp index 3f4dce56..bd66158f 100644 
--- a/src/common/smack-rules.cpp +++ b/src/common/smack-rules.cpp @@ -38,7 +38,6 @@ #include "smack-labels.h" #include "smack-rules.h" -#include "zone-utils.h" namespace SecurityManager { @@ -148,8 +147,7 @@ void SmackRules::saveToFile(const std::string &path) const void SmackRules::addFromTemplateFile( const std::string &appId, const std::string &pkgId, - const std::string &authorId, - const std::string &zoneId) + const std::string &authorId) { std::vector<std::string> templateRules; std::string line; @@ -169,15 +167,14 @@ void SmackRules::addFromTemplateFile( ThrowMsg(SmackException::FileError, "Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH); } - addFromTemplate(templateRules, appId, pkgId, authorId, zoneId); + addFromTemplate(templateRules, appId, pkgId, authorId); } void SmackRules::addFromTemplate( const std::vector<std::string> &templateRules, const std::string &appId, const std::string &pkgId, - const std::string &authorId, - const std::string &zoneId) + const std::string &authorId) { for (auto rule : templateRules) { if (rule.empty()) @@ -206,18 +203,11 @@ void SmackRules::addFromTemplate( SmackLabels::generateAuthorLabel(authorId)); } - if (!zoneId.empty()) { - // FIXME replace with vasum calls. See zone-utils.h - subject = zoneSmackLabelGenerate(subject, zoneId); - object = zoneSmackLabelGenerate(object, zoneId); - } - add(subject, object, permissions); } } -void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgContents, - const std::string &zoneId) +void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgContents) { LogDebug ("Generating cross-package rules"); 
@@ -229,28 +219,28 @@ void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgCon if (object == subject) continue; - subjectLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(subject), zoneId); - objectLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(object), zoneId); + subjectLabel = SmackLabels::generateAppLabel(subject); + objectLabel = SmackLabels::generateAppLabel(object); LogDebug ("Trying to add rule subject: " << subjectLabel << " object: " << objectLabel << " perms: " << appsInPackagePerms); add(subjectLabel, objectLabel, appsInPackagePerms); } } } -void SmackRules::generateAppToOtherPackagesDeps(const std::string appId, - const std::vector<std::string> &other2XPackages, - const std::string &zoneId) +void SmackRules::generateAppToOtherPackagesDeps( + const std::string appId, + const std::vector<std::string> &other2XPackages) { // reverse: allow installed app to access others' contents // for every 2.X package for (const auto &object : other2XPackages) { - std::string otherObjectLabel = zoneSmackLabelGenerate(SmackLabels::generatePkgLabelOwnerRWothersRO(object), zoneId); + std::string otherObjectLabel = SmackLabels::generatePkgLabelOwnerRWothersRO(object); SmackRules packageRules; std::string accessPackageRulesPath = getPackageRulesFilePath(object); packageRules.loadFromFile(accessPackageRulesPath); - std::string subjectLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(appId), zoneId); + std::string subjectLabel = SmackLabels::generateAppLabel(appId); LogDebug("Addding cross app rule for newly installed subject " << subjectLabel << " to already installed 2.x package object: " << otherObjectLabel << " perms: " << SMACK_APP_CROSS_PKG_PERMS); packageRules.add(subjectLabel, otherObjectLabel, SMACK_APP_CROSS_PKG_PERMS); packageRules.saveToFile(accessPackageRulesPath); 
@@ -262,18 +252,18 @@ void SmackRules::generateAppToOtherPackagesDeps(const std::string appId, /** * this below works in N^2 and should be replaced by an alternative mechanism */ -void SmackRules::generateAllowOther2XApplicationDeps(const std::string pkgId, - const std::vector<std::string> &other2XApps, - const std::string &zoneId) +void SmackRules::generateAllowOther2XApplicationDeps( + const std::string pkgId, + const std::vector<std::string> &other2XApps) { LogDebug("Generating cross-package rules"); - std::string objectLabel = zoneSmackLabelGenerate(SmackLabels::generatePkgLabelOwnerRWothersRO(pkgId), zoneId); + std::string objectLabel = SmackLabels::generatePkgLabelOwnerRWothersRO(pkgId); std::string appsInPackagePerms = SMACK_APP_IN_PACKAGE_PERMS; // allow other app to access installed package contents for (const auto &subject : other2XApps) { - std::string subjectLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(subject), zoneId); + std::string subjectLabel = SmackLabels::generateAppLabel(subject); LogDebug("Addding cross 2.x app rule subject: " << subjectLabel << " to newly installed object: " << objectLabel << " perms: " << SMACK_APP_CROSS_PKG_PERMS); 
@@ -301,42 +291,29 @@ void SmackRules::installApplicationRules( const std::vector<std::string> &appsGranted, const std::vector<std::string> &accessPackages) { - installApplicationRules(appId, pkgId, authorId, pkgContents, appsGranted, accessPackages, std::string()); -} - -void SmackRules::installApplicationRules( - const std::string &appId, - const std::string &pkgId, - const std::string &authorId, - const std::vector<std::string> &pkgContents, - const std::vector<std::string> &appsGranted, - const std::vector<std::string> &accessPackages, - const std::string &zoneId) -{ SmackRules smackRules; std::string appPath = getApplicationRulesFilePath(appId); - smackRules.addFromTemplateFile(appId, pkgId, authorId, zoneId); + smackRules.addFromTemplateFile(appId, pkgId, authorId); if (smack_smackfs_path() != NULL) smackRules.apply(); smackRules.saveToFile(appPath); - updatePackageRules(pkgId, pkgContents, appsGranted, zoneId); - generateAppToOtherPackagesDeps(appId, accessPackages, zoneId); + updatePackageRules(pkgId, pkgContents, appsGranted); + generateAppToOtherPackagesDeps(appId, accessPackages); } void SmackRules::updatePackageRules(const std::string &pkgId, const std::vector<std::string> &pkgContents, - const std::vector<std::string> &appsGranted, - const std::string &zoneId) + const std::vector<std::string> &appsGranted) { SmackRules smackRules; std::string pkgPath = getPackageRulesFilePath(pkgId); - smackRules.generatePackageCrossDeps(pkgContents, zoneId); - smackRules.generateAllowOther2XApplicationDeps(pkgId, appsGranted, zoneId); + smackRules.generatePackageCrossDeps(pkgContents); + smackRules.generateAllowOther2XApplicationDeps(pkgId, appsGranted); if (smack_smackfs_path() != NULL) smackRules.apply(); 
@@ -349,13 +326,14 @@ void SmackRules::uninstallPackageRules(const std::string &pkgId) uninstallRules(getPackageRulesFilePath(pkgId)); } -void SmackRules::uninstallApplicationRules(const std::string &appId, - const std::string &pkgId, std::vector<std::string> pkgContents, - const std::vector<std::string> &appsGranted, - const std::string &zoneId) +void SmackRules::uninstallApplicationRules( + const std::string &appId, + const std::string &pkgId, + std::vector<std::string> pkgContents, + const std::vector<std::string> &appsGranted) { uninstallRules(getApplicationRulesFilePath(appId)); - updatePackageRules(pkgId, pkgContents, appsGranted, zoneId); + updatePackageRules(pkgId, pkgContents, appsGranted); } void SmackRules::uninstallRules(const std::string &path) 
@@ -402,25 +380,25 @@ void SmackRules::fixAuthorRules(const std::string &authorId) { rules.apply(); } -void SmackRules::applyPrivateSharingRules(const std::string &ownerPkgId, - const std::vector<std::string> &ownerPkgContents, - const std::string &targetAppId, - const std::string &pathLabel, - bool isPathSharedAlready, - bool isTargetSharingAlready, - const std::string &zoneId) +void SmackRules::applyPrivateSharingRules( + const std::string &ownerPkgId, + const std::vector<std::string> &ownerPkgContents, + const std::string &targetAppId, + const std::string &pathLabel, + bool isPathSharedAlready, + bool isTargetSharingAlready) { SmackRules rules; - const std::string &targetLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(targetAppId), zoneId); + const std::string &targetLabel = SmackLabels::generateAppLabel(targetAppId); if (!isTargetSharingAlready) { rules.add(targetLabel, - zoneSmackLabelGenerate(SmackLabels::generatePkgLabel(ownerPkgId), zoneId), + SmackLabels::generatePkgLabel(ownerPkgId), SMACK_APP_DIR_TARGET_PERMS); } if (!isPathSharedAlready) { for (const auto &app: ownerPkgContents) { - const std::string appLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(app), zoneId); + const std::string appLabel = SmackLabels::generateAppLabel(app); rules.add(appLabel, pathLabel, SMACK_APP_PATH_OWNER_PERMS); } rules.add(SMACK_USER, pathLabel, SMACK_APP_PATH_USER_PERMS); 
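Review bot: `const std::string &targetLabel = SmackLabels::generateAppLabel(targetAppId);` binds a const reference to what appears to be a returned temporary; the loop a few lines below stores the same call's result in a plain `const std::string appLabel`. Lifetime extension keeps this valid, but it reads like a reference to a longer-lived object and would dangle if the initializer ever became a wrapped expression. `const std::string targetLabel = SmackLabels::generateAppLabel(targetAppId);` is clearer and consistent with `appLabel`. The same line appears in dropPrivateSharingRules (hunk -430,24).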
@@ -430,24 +408,24 @@ void SmackRules::applyPrivateSharingRules(const std::string &ownerPkgId, rules.apply(); } -void SmackRules::dropPrivateSharingRules(const std::string &ownerPkgId, - const std::vector<std::string> &ownerPkgContents, - const std::string &targetAppId, - const std::string &pathLabel, - bool isPathSharedNoMore, - bool isTargetSharingNoMore, - const std::string &zoneId) +void SmackRules::dropPrivateSharingRules( + const std::string &ownerPkgId, + const std::vector<std::string> &ownerPkgContents, + const std::string &targetAppId, + const std::string &pathLabel, + bool isPathSharedNoMore, + bool isTargetSharingNoMore) { SmackRules rules; - const std::string &targetLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(targetAppId), zoneId); + const std::string &targetLabel = SmackLabels::generateAppLabel(targetAppId); if (isTargetSharingNoMore) { rules.addModify(targetLabel, - zoneSmackLabelGenerate(SmackLabels::generatePkgLabel(ownerPkgId), zoneId), + SmackLabels::generatePkgLabel(ownerPkgId), "", SMACK_APP_DIR_TARGET_PERMS); } if (isPathSharedNoMore) { for (const auto &app: ownerPkgContents) { - const std::string appLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(app), zoneId); + const std::string appLabel = SmackLabels::generateAppLabel(app); rules.addModify(appLabel, pathLabel, "", SMACK_APP_PATH_OWNER_PERMS); } rules.addModify(SMACK_USER, pathLabel, "", SMACK_APP_PATH_USER_PERMS); diff --git a/src/common/zone-utils.cpp b/src/common/zone-utils.cpp deleted file mode 100644 index b3c93c90..00000000 --- a/src/common/zone-utils.cpp +++ /dev/null 
@@ -1,117 +0,0 @@ -/* - * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Rafal Krypa <r.krypa@samsung.com> - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file zone-utils.cpp - * @author Lukasz Kostyra (l.kostyra@samsung.com) - * @version 1.0 - * @brief Implementation of Zone utility functions - */ - -#include "zone-utils.h" - -#include <unistd.h> -#include <fstream> - -#include <dpl/log/log.h> - -// FIXME This module is a replacement for Vasum functions. -// When Vasum will be included into OBS, the module should be replaced with vasum-client. 
- -namespace { - -const std::string CPUSET_HOST = "/"; -const std::string CPUSET_LXC_PREFIX = "/lxc/"; - -} // namespace - -namespace SecurityManager -{ - -// ZONE_HOST should be visible outside to other modules -const std::string ZONE_HOST = "host"; - -bool getZoneIdFromPid(int pid, std::string& zoneId) -{ - //open /proc/<pid>/cpuset and get its contents - const std::string path = "/proc/" + std::to_string(pid) + "/cpuset"; - - //Assume there are no containers if cpuset dosen't present - if(access(path.c_str(), F_OK)!= 0) { - zoneId = ZONE_HOST; - return true; - } - - std::ifstream cpusetFile(path); - if (!cpusetFile) { - LogError("Failed to open cpuset"); - return false; - } - - std::string cpuset; - std::getline(cpusetFile, cpuset); - cpusetFile.close(); - - //check if we are in host - if (cpuset == CPUSET_HOST) { - zoneId = ZONE_HOST; - return true; - } - - //in lxc container, cpuset contains "/lxc/<id>" string - try to parse zoneID from there - //search for lxc prefix - size_t lxcPrefixPos = cpuset.find(CPUSET_LXC_PREFIX); - if (lxcPrefixPos == std::string::npos) { - LogError("LXC prefix not found - probably other virtualization method is used"); - return false; - } - - //assign zone name and leave - zoneId.assign(cpuset, CPUSET_LXC_PREFIX.size(), cpuset.size() - CPUSET_LXC_PREFIX.size()); - return true; -} - -std::string zoneSmackLabelGenerate(const std::string &label, const std::string &zoneName) -{ - if (zoneName.empty() || zoneName == ZONE_HOST) { - return label; - } - - return zoneName + "::" + label; -} - -bool zoneSmackLabelMap(const std::string &hostLabel, const std::string &zoneName, - const std::string &zoneLabel) -{ - (void) hostLabel; - (void) zoneName; - (void) zoneLabel; - // FIXME here Vasum should be called and Smack label mapping would commence - - return true; -} - -bool zoneSmackLabelUnmap(const std::string &hostLabel, const std::string &zoneName) -{ - (void) hostLabel; - (void) zoneName; - // FIXME here Vasum should be called and label 
shall be unmapped. - - return true; -} - -} // namespace SecurityManager diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt index 97eaaaaf..f2d09573 100644 --- a/src/server/CMakeLists.txt +++ b/src/server/CMakeLists.txt @@ -4,12 +4,10 @@ PKG_CHECK_MODULES(SERVER_DEP cynara-client ) -FIND_PACKAGE(Boost REQUIRED COMPONENTS program_options) FIND_PACKAGE(Threads REQUIRED) INCLUDE_DIRECTORIES(SYSTEM ${SERVER_DEP_INCLUDE_DIRS} - ${Boost_INCLUDE_DIRS} ${Threads_INCLUDE_DIRS} ) @@ -29,7 +27,6 @@ SET(SERVER_SOURCES ${SERVER_PATH}/main/server-main.cpp ${SERVER_PATH}/service/base-service.cpp ${SERVER_PATH}/service/service.cpp - ${SERVER_PATH}/service/master-service.cpp ) ADD_EXECUTABLE(${TARGET_SERVER} ${SERVER_SOURCES}) @@ -42,7 +39,6 @@ TARGET_LINK_LIBRARIES(${TARGET_SERVER} ${TARGET_COMMON} ${CMAKE_THREAD_LIBS_INIT} ${SERVER_DEP_LIBRARIES} - ${Boost_LIBRARIES} "-pie" ) diff --git a/src/server/main/server-main.cpp b/src/server/main/server-main.cpp index f8e1f713..d80f39ea 100644 --- a/src/server/main/server-main.cpp +++ b/src/server/main/server-main.cpp 
@@ -28,30 +28,25 @@ #include <dpl/singleton.h> #include <dpl/singleton_safe_impl.h> -#include <boost/program_options.hpp> #include <iostream> #include <socket-manager.h> #include <file-lock.h> #include <service.h> -#include <master-service.h> - -namespace po = boost::program_options; IMPLEMENT_SAFE_SINGLETON(SecurityManager::Log::LogSystem); -#define REGISTER_SOCKET_SERVICE(manager, service, allocator) \ - registerSocketService<service>(manager, #service, allocator) +#define REGISTER_SOCKET_SERVICE(manager, service) \ + registerSocketService<service>(manager, #service) template<typename T> bool registerSocketService(SecurityManager::SocketManager &manager, - const std::string& serviceName, - const std::function<T*(void)>& serviceAllocator) + const std::string& serviceName) { T *service = NULL; try { - service = serviceAllocator(); + service = new T(); service->Create(); manager.RegisterSocketService(service); return true; 
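Review bot: With the allocator callback gone, `service = new T();` is the only place the object is created, and it is still held in a raw `T *` across `service->Create()` and `manager.RegisterSocketService(service)`. Whether the pointer is freed when either call throws depends on the code after the catch handlers, which lies outside this hunk. Holding it as `std::unique_ptr<T> service(new T());` and handing it over with `manager.RegisterSocketService(service.get()); service.release();` would make the ownership transfer explicit. This assumes the manager takes ownership on registration, which the hunk does not show, and it needs `<memory>`.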
@@ -70,61 +65,14 @@ bool registerSocketService(SecurityManager::SocketManager &manager, return false; } -int main(int argc, char* argv[]) +int main() { UNHANDLED_EXCEPTION_HANDLER_BEGIN { // initialize logging SecurityManager::Singleton<SecurityManager::Log::LogSystem>::Instance().SetTag("SECURITY_MANAGER"); - // parse arguments - bool masterMode = false, slaveMode = false; - po::options_description optDesc("Allowed options"); - - optDesc.add_options() - ("help,h", "Print this help message") - ("master,m", "Enable master mode") - ("slave,s", "Enable slave mode") - ; - - po::variables_map vm; - po::basic_parsed_options<char> parsed = - po::command_line_parser(argc, argv).options(optDesc).allow_unregistered().run(); - - std::vector<std::string> unrecognizedOptions = - po::collect_unrecognized(parsed.options, po::include_positional); - - if (!unrecognizedOptions.empty()) { - std::cerr << "Unrecognized options: "; - - for (auto& uo : unrecognizedOptions) { - std::cerr << ' ' << uo; - } - - std::cerr << std::endl << std::endl; - std::cerr << optDesc << std::endl; - - return EXIT_FAILURE; - } - - po::store(parsed, vm); - po::notify(vm); - - if (vm.count("help")) { - std::cout << optDesc << std::endl; - return EXIT_SUCCESS; - } - - masterMode = vm.count("master") > 0; - slaveMode = vm.count("slave") > 0; - - if (masterMode && slaveMode) { - LogError("Cannot be both master and slave!"); - return EXIT_FAILURE; - } - - SecurityManager::FileLocker serviceLock(SecurityManager::SERVICE_LOCK_FILE, - true); + SecurityManager::FileLocker serviceLock(SecurityManager::SERVICE_LOCK_FILE, true); sigset_t mask; sigemptyset(&mask); 
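Review bot: `int main()` now discards the command line entirely, where the removed parser rejected anything it did not recognise with EXIT_FAILURE. An invocation that still passes `--master` or `--slave`, for example from a unit file left over from an older package, would start the ordinary service with no diagnostic. Keeping `int main(int argc, char *[])` and failing closed with `if (argc > 1) { LogError("Unexpected command line arguments"); return EXIT_FAILURE; }` right after the log tag is set would preserve that check without Boost. main continues beyond the end of this hunk.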
@@ -138,18 +86,10 @@ int main(int argc, char* argv[]) LogInfo("Start!"); SecurityManager::SocketManager manager; - if (masterMode) { - if (!REGISTER_SOCKET_SERVICE(manager, SecurityManager::MasterService, - []() { return new SecurityManager::MasterService(); } )) { - LogError("Unable to create master socket service. Exiting."); - return EXIT_FAILURE; - } - } else { - if (!REGISTER_SOCKET_SERVICE(manager, SecurityManager::Service, - [&slaveMode]() { return new SecurityManager::Service(slaveMode); } )) { - LogError("Unable to create socket service. Exiting."); - return EXIT_FAILURE; - } + if (!REGISTER_SOCKET_SERVICE(manager, SecurityManager::Service)) + { + LogError("Unable to create socket service. Exiting."); + return EXIT_FAILURE; } manager.MainLoop(); diff --git a/src/server/service/include/master-service.h b/src/server/service/include/master-service.h deleted file mode 100644 index 3d630641..00000000 --- a/src/server/service/include/master-service.h +++ /dev/null 
@@ -1,160 +0,0 @@ -/* - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Rafal Krypa <r.krypa@samsung.com> - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file master-service.h - * @author Lukasz Kostyra <l.kostyra@samsung.com> - * @author Rafal Krypa <r.krypa@samsung.com> - * @brief Implementation of security-manager master service - */ - -#ifndef _SECURITY_MANAGER_MASTER_SERVICE_ -#define _SECURITY_MANAGER_MASTER_SERVICE_ - -#include "base-service.h" -#include "service_impl.h" - -namespace SecurityManager { - -class MasterServiceException -{ -public: - DECLARE_EXCEPTION_TYPE(SecurityManager::Exception, Base) - DECLARE_EXCEPTION_TYPE(Base, InvalidAction) -}; - -class MasterService : - public SecurityManager::BaseService -{ -public: - MasterService(); - ServiceDescriptionVector GetServiceDescription(); - -private: - ServiceImpl serviceImpl; - - /** - * Handle request from a client - * - * @param conn Socket connection information - * @param buffer Raw received data buffer - * @param interfaceID identifier used to distinguish source socket - * @return true on success - */ - bool processOne(const ConnectionID &conn, MessageBuffer &buffer, InterfaceID interfaceID); - - /** - * Process Cynara policy update during app installation/uninstallation - * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - * @param zoneId ID of zone which requested the call - */ - void 
processCynaraUpdatePolicy(MessageBuffer &buffer, MessageBuffer &send, - const std::string &zoneId); - - /** - * Process Cynara user initialization - * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - */ - void processCynaraUserInit(MessageBuffer &buffer, MessageBuffer &send); - - /** - * Process Cynara user removal - * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - */ - void processCynaraUserRemove(MessageBuffer &buffer, MessageBuffer &send); - - /** - * Process policy update - * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - */ - void processPolicyUpdate(MessageBuffer &buffer, MessageBuffer &send); - - /** - * Process configured policy acquisition - * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - */ - void processGetConfiguredPolicy(MessageBuffer &buffer, MessageBuffer &send); - - /** - * Process policy acquisition from Master - * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - */ - // FIXME this function is not yet implemented. - void processGetPolicy(MessageBuffer &buffer, MessageBuffer &send); - - /** - * Process policy descriptions list acquisition - * - * @param send Raw data buffer to be sent - */ - void processPolicyGetDesc(MessageBuffer &send); - - /** - * Process SMACK rules installation for package. Map rules using Smack Namespaces. 
- * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - * @param zoneId ID of zone which requested the call - */ - void processSmackInstallRules(MessageBuffer &buffer, MessageBuffer &send, - const std::string &zoneId); - - /** - * Process SMACK rules uninstallation - * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - * @param zoneId ID of zone which requested the call - */ - void processSmackUninstallRules(MessageBuffer &buffer, MessageBuffer &send, - const std::string &zoneId); - - /** - * Process SMACK rules apply private path sharing - * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - * @param zoneId ID of zone which requested the call - */ - void processSmackApplySharingRules(MessageBuffer &buffer, MessageBuffer &send, - const std::string &zoneId); - /** - * Process SMACK rules drop private path sharing - * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - * @param zoneId ID of zone which requested the call - */ - void processSmackDropSharingRules(MessageBuffer &buffer, MessageBuffer &send, - const std::string &zoneId); -}; - -} // namespace SecurityManager - -#endif // _SECURITY_MANAGER_MASTER_SERVICE_ diff --git a/src/server/service/include/service.h b/src/server/service/include/service.h index 3c23037f..4d851c16 100644 --- a/src/server/service/include/service.h +++ b/src/server/service/include/service.h @@ -41,11 +41,10 @@ class Service : public SecurityManager::BaseService { public: - Service(const bool isSlave); + Service(); ServiceDescriptionVector GetServiceDescription(); private: - const bool m_isSlave; ServiceImpl serviceImpl; /** diff --git a/src/server/service/master-service.cpp b/src/server/service/master-service.cpp deleted file mode 100644 index d462afa9..00000000 --- a/src/server/service/master-service.cpp +++ /dev/null 
@@ -1,464 +0,0 @@ -/* - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Rafal Krypa <r.krypa@samsung.com> - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file master-service.cpp - * @author Lukasz Kostyra <l.kostyra@samsung.com> - * @author Rafal Krypa <r.krypa@samsung.com> - * @brief Implementation of security-manager master service. - */ - -#include <generic-socket-manager.h> - -#include <dpl/log/log.h> -#include <dpl/serialization.h> - -#include "protocols.h" -#include "zone-utils.h" -#include "cynara.h" -#include "master-service.h" -#include "smack-rules.h" -#include "smack-labels.h" -#include "service_impl.h" - -namespace SecurityManager { - -const InterfaceID IFACE = 1; - -MasterService::MasterService() -{ -} - -GenericSocketService::ServiceDescriptionVector MasterService::GetServiceDescription() -{ - return ServiceDescriptionVector { - {MASTER_SERVICE_SOCKET, "security-manager-master", IFACE}, - }; -} - -bool MasterService::processOne(const ConnectionID &conn, MessageBuffer &buffer, - InterfaceID interfaceID) -{ - LogDebug("Iteration begin. 
Interface = " << interfaceID); - - //waiting for all data - if (!buffer.Ready()) { - return false; - } - - MessageBuffer send; - bool retval = false; - - uid_t uid; - pid_t pid; - std::string smackLabel; - - if (!getPeerID(conn.sock, uid, pid, smackLabel)) { - LogError("Closing socket because of error: unable to get peer's uid and pid"); - m_serviceManager->Close(conn); - return false; - } - - // FIXME this part needs to be updated when Vasum is added to OBS. See zone-utils.h - std::string vsmZoneId; - if (!getZoneIdFromPid(pid, vsmZoneId)) { - LogError("Failed to extract Zone ID! Closing socket."); - m_serviceManager->Close(conn); - return false; - } - - if (vsmZoneId == ZONE_HOST) { - LogError("Connection came from host - in master mode this should not happen! Closing."); - m_serviceManager->Close(conn); - return false; - } - - LogInfo("Connection came from Zone " << vsmZoneId); - - if (IFACE == interfaceID) { - Try { - // deserialize API call type - int call_type_int; - Deserialization::Deserialize(buffer, call_type_int); - MasterSecurityModuleCall call_type = static_cast<MasterSecurityModuleCall>(call_type_int); - - switch (call_type) { - case MasterSecurityModuleCall::CYNARA_UPDATE_POLICY: - LogDebug("call type MasterSecurityModuleCall::CYNARA_UPDATE_POLICY"); - processCynaraUpdatePolicy(buffer, send, vsmZoneId); - break; - case MasterSecurityModuleCall::CYNARA_USER_INIT: - LogDebug("call type MasterSecurityModuleCall::CYNARA_USER_INIT"); - processCynaraUserInit(buffer, send); - break; - case MasterSecurityModuleCall::CYNARA_USER_REMOVE: - LogDebug("call type MasterSecurityModuleCall::CYNARA_USER_REMOVE"); - processCynaraUserRemove(buffer, send); - break; - case MasterSecurityModuleCall::POLICY_UPDATE: - LogDebug("call type MasterSecurityModuleCall::POLICY_UPDATE"); - processPolicyUpdate(buffer, send); - break; - case MasterSecurityModuleCall::GET_CONFIGURED_POLICY: - LogDebug("call type MasterSecurityModuleCall::GET_CONFIGURED_POLICY"); - 
processGetConfiguredPolicy(buffer, send); - break; - case MasterSecurityModuleCall::GET_POLICY: - LogDebug("call type MasterSecurityModuleCall::GET_POLICY"); - processGetPolicy(buffer, send); - break; - case MasterSecurityModuleCall::POLICY_GET_DESC: - LogDebug("call type MasterSecurityModuleCall::POLICY_GET_DESC"); - processPolicyGetDesc(send); - break; - case MasterSecurityModuleCall::SMACK_INSTALL_RULES: - LogDebug("call type MasterSecurityModuleCall::SMACK_INSTALL_RULES"); - processSmackInstallRules(buffer, send, vsmZoneId); - break; - case MasterSecurityModuleCall::SMACK_UNINSTALL_RULES: - LogDebug("call type MasterSecurityModuleCall::SMACK_UNINSTALL_RULES"); - processSmackUninstallRules(buffer, send, vsmZoneId); - break; - case MasterSecurityModuleCall::SMACK_APPLY_PRIVATE_SHARING_RULES: - processSmackApplySharingRules(buffer, send, vsmZoneId); - break; - case MasterSecurityModuleCall::SMACK_DROP_PRIVATE_SHARING_RULES: - processSmackDropSharingRules(buffer, send, vsmZoneId); - break; - default: - LogError("Invalid call: " << call_type_int); - Throw(MasterServiceException::InvalidAction); - } - // if we reach this point, the protocol is OK - retval = true; - } Catch (MessageBuffer::Exception::Base) { - LogError("Broken protocol."); - } Catch (MasterServiceException::Base) { - LogError("Broken protocol."); - } catch (const std::exception &e) { - LogError("STD exception " << e.what()); - } catch (...) 
{ - LogError("Unknown exception"); - } - } - else { - LogError("Wrong interface"); - } - - if (retval) { - //send response - m_serviceManager->Write(conn, send.Pop()); - } else { - LogError("Closing socket because of error"); - m_serviceManager->Close(conn); - } - - return retval; -} - -void MasterService::processCynaraUpdatePolicy(MessageBuffer &buffer, MessageBuffer &send, - const std::string &zoneId) -{ - int ret = SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - std::string appId; - std::string uidstr; - std::string appLabel; - std::vector<std::string> privileges; - - Deserialization::Deserialize(buffer, appId); - Deserialization::Deserialize(buffer, uidstr); - Deserialization::Deserialize(buffer, privileges); - - appLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(appId), zoneId); - - try { - CynaraAdmin::getInstance().UpdateAppPolicy(appLabel, uidstr, privileges); - } catch (const CynaraException::Base &e) { - LogError("Error while setting Cynara rules for application: " << e.DumpToString()); - goto out; - } catch (const std::bad_alloc &e) { - LogError("Memory allocation while setting Cynara rules for application: " << e.what()); - ret = SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY; - goto out; - } - - ret = SECURITY_MANAGER_API_SUCCESS; - -out: - Serialization::Serialize(send, ret); -} - -void MasterService::processCynaraUserInit(MessageBuffer &buffer, MessageBuffer &send) -{ - int ret = SECURITY_MANAGER_API_ERROR_INPUT_PARAM; - uid_t uidAdded; - int userType; - - Deserialization::Deserialize(buffer, uidAdded); - Deserialization::Deserialize(buffer, userType); - - try { - CynaraAdmin::getInstance().UserInit(uidAdded, - static_cast<security_manager_user_type>(userType)); - } catch (CynaraException::InvalidParam &e) { - goto out; - } - - ret = SECURITY_MANAGER_API_SUCCESS; -out: - Serialization::Serialize(send, ret); -} - -void MasterService::processCynaraUserRemove(MessageBuffer &buffer, MessageBuffer &send) -{ - int ret = 
SECURITY_MANAGER_API_ERROR_INPUT_PARAM; - uid_t uidDeleted; - - Deserialization::Deserialize(buffer, uidDeleted); - - try { - CynaraAdmin::getInstance().UserRemove(uidDeleted); - } catch (CynaraException::InvalidParam &e) { - goto out; - } - - ret = SECURITY_MANAGER_API_SUCCESS; -out: - Serialization::Serialize(send, ret); -} - -void MasterService::processPolicyUpdate(MessageBuffer &buffer, MessageBuffer &send) -{ - int ret = SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - std::vector<policy_entry> policyEntries; - uid_t uid; - pid_t pid; - std::string smackLabel; - - Deserialization::Deserialize(buffer, policyEntries); - Deserialization::Deserialize(buffer, uid); - Deserialization::Deserialize(buffer, pid); - Deserialization::Deserialize(buffer, smackLabel); - - ret = serviceImpl.policyUpdate(policyEntries, uid, pid, smackLabel); - Serialization::Serialize(send, ret); -} - -void MasterService::processGetConfiguredPolicy(MessageBuffer &buffer, MessageBuffer &send) -{ - int ret = SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - bool forAdmin; - policy_entry filter; - uid_t uid; - pid_t pid; - std::string smackLabel; - std::vector<policy_entry> policyEntries; - - Deserialization::Deserialize(buffer, forAdmin); - Deserialization::Deserialize(buffer, filter); - Deserialization::Deserialize(buffer, uid); - Deserialization::Deserialize(buffer, pid); - Deserialization::Deserialize(buffer, smackLabel); - - ret = serviceImpl.getConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel, policyEntries); - Serialization::Serialize(send, ret); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Serialization::Serialize(send, policyEntries); -} - -void MasterService::processGetPolicy(MessageBuffer &buffer, MessageBuffer &send) -{ - (void) buffer; - int ret = SECURITY_MANAGER_API_ERROR_BAD_REQUEST; - - // FIXME getPolicy is not ready to work in Master mode. Uncomment below code when getPolicy will - // be implemented for Master. 
- /* - policy_entry filter; - uid_t uid; - pid_t pid; - std::string smackLabel; - std::vector<policy_entry> policyEntries; - - Deserialization::Deserialize(buffer, filter); - Deserialization::Deserialize(buffer, uid); - Deserialization::Deserialize(buffer, pid); - Deserialization::Deserialize(buffer, smackLabel); - - ret = serviceImpl.getPolicy(filter, uid, pid, smackLabel, policyEntries);*/ - Serialization::Serialize(send, ret); - /*if (ret == SECURITY_MANAGER_API_SUCCESS) - Serialization::Serialize(send, policyEntries);*/ -} - -void MasterService::processPolicyGetDesc(MessageBuffer &send) -{ - int ret = SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - std::vector<std::string> descriptions; - - ret = serviceImpl.policyGetDesc(descriptions); - Serialization::Serialize(send, ret); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Serialization::Serialize(send, descriptions); -} - -void MasterService::processSmackInstallRules(MessageBuffer &buffer, MessageBuffer &send, - const std::string &zoneId) -{ - int ret = SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - std::string appId, pkgId, authorId; - std::vector<std::string> pkgContents, appsGranted, accessPackages; - - Deserialization::Deserialize(buffer, appId); - Deserialization::Deserialize(buffer, pkgId); - Deserialization::Deserialize(buffer, authorId); - Deserialization::Deserialize(buffer, pkgContents); - Deserialization::Deserialize(buffer, appsGranted); - Deserialization::Deserialize(buffer, accessPackages); - - try { - LogDebug("Adding Smack rules for new appId: " << appId << " with pkgId: " - << pkgId << ". Applications in package: " << pkgContents.size() - << ". 
Other Tizen 2.X applications: " << appsGranted.size()); - - SmackRules::installApplicationRules(appId, pkgId, authorId, pkgContents, appsGranted, accessPackages, zoneId); - - // FIXME implement zoneSmackLabelMap and check if works when Smack Namespaces are implemented - std::string zoneAppLabel = SmackLabels::generateAppLabel(appId); - std::string zonePkgLabel = SmackLabels::generatePkgLabel(pkgId); - std::string hostAppLabel = zoneSmackLabelGenerate(zoneAppLabel, zoneId); - std::string hostPkgLabel = zoneSmackLabelGenerate(zonePkgLabel, zoneId); - - if (!zoneSmackLabelMap(hostAppLabel, zoneId, zoneAppLabel)) { - LogError("Failed to apply Smack label mapping for application " << appId); - goto out; - } - - if (!zoneSmackLabelMap(hostPkgLabel, zoneId, zonePkgLabel)) { - LogError("Failed to apply Smack label mapping for package " << pkgId); - goto out; - } - } catch (const SmackException::Base &e) { - LogError("Error while adding Smack rules for application: " << e.DumpToString()); - ret = SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED; - goto out; - } catch (const std::bad_alloc &e) { - LogError("Memory allocation error: " << e.what()); - ret = SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY; - goto out; - } - - ret = SECURITY_MANAGER_API_SUCCESS; -out: - Serialization::Serialize(send, ret); -} - -void MasterService::processSmackUninstallRules(MessageBuffer &buffer, MessageBuffer &send, - const std::string &zoneId) -{ - std::string appId, pkgId; - std::vector<std::string> pkgContents, appsGranted; - bool removeApp = false; - bool removePkg = false; - - Deserialization::Deserialize(buffer, appId); - Deserialization::Deserialize(buffer, pkgId); - Deserialization::Deserialize(buffer, pkgContents); - Deserialization::Deserialize(buffer, appsGranted); - Deserialization::Deserialize(buffer, removeApp); - Deserialization::Deserialize(buffer, removePkg); - - try { - if (removeApp) { - LogDebug("Removing smack rules for deleted appId " << appId); - 
SmackRules::uninstallApplicationRules(appId, pkgId, pkgContents, appsGranted, zoneId); - - std::string zoneAppLabel = SmackLabels::generateAppLabel(appId); - std::string hostAppLabel = zoneSmackLabelGenerate(zoneAppLabel, zoneId); - // FIXME zoneSmackLabelUnmap should throw exception on error, not return false - // FIXME implement zoneSmackLabelUnmap and check if works when Smack Namespaces are implemented - if (!zoneSmackLabelUnmap(hostAppLabel, zoneId)) { - LogError("Failed to unmap Smack labels for application " << appId); - Serialization::Serialize(send, SECURITY_MANAGER_API_ERROR_SERVER_ERROR); - return; - } - } - - if (removePkg) { - LogDebug("Removing Smack rules for deleted pkgId " << pkgId); - SmackRules::uninstallPackageRules(pkgId); - - std::string zonePkgLabel = SmackLabels::generatePkgLabel(pkgId); - std::string hostPkgLabel = zoneSmackLabelGenerate(zonePkgLabel, zoneId); - if (!zoneSmackLabelUnmap(hostPkgLabel, zoneId)) { - LogError("Failed to unmap Smack label for package " << pkgId); - Serialization::Serialize(send, SECURITY_MANAGER_API_ERROR_SERVER_ERROR); - return; - } - } - } catch (const SmackException::Base &e) { - LogError("Error while removing Smack rules for application: " << e.DumpToString()); - Serialization::Serialize(send, SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED); - return; - } catch (const std::bad_alloc &e) { - LogError("Memory allocation error: " << e.what()); - Serialization::Serialize(send, SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY); - return; - } - - Serialization::Serialize(send, SECURITY_MANAGER_API_SUCCESS); -} - -void MasterService::processSmackApplySharingRules(MessageBuffer &buffer, MessageBuffer &send, - const std::string &zoneId) -{ - std::string ownerPkgId, targetAppId, path; - std::vector<std::string> pkgContents; - int ownerTargetCount, pathCount; - - Deserialization::Deserialize(buffer, ownerPkgId); - Deserialization::Deserialize(buffer, pkgContents); - Deserialization::Deserialize(buffer, targetAppId); - 
Deserialization::Deserialize(buffer, path); - Deserialization::Deserialize(buffer, ownerTargetCount); - Deserialization::Deserialize(buffer, pathCount); - - (void)zoneId; - - Serialization::Serialize(send, SECURITY_MANAGER_API_SUCCESS); -} - -void MasterService::processSmackDropSharingRules(MessageBuffer &buffer, MessageBuffer &send, - const std::string &zoneId) -{ - std::string ownerPkgId, targetAppId, path; - std::vector<std::string> pkgContents; - int ownerTargetCount, pathCount; - - Deserialization::Deserialize(buffer, ownerPkgId); - Deserialization::Deserialize(buffer, pkgContents); - Deserialization::Deserialize(buffer, targetAppId); - Deserialization::Deserialize(buffer, path); - Deserialization::Deserialize(buffer, ownerTargetCount); - Deserialization::Deserialize(buffer, pathCount); - - (void)zoneId; - - Serialization::Serialize(send, SECURITY_MANAGER_API_SUCCESS); -} - -} // namespace SecurityManager diff --git a/src/server/service/service.cpp b/src/server/service/service.cpp index 58a975cb..aa9424b4 100644 --- a/src/server/service/service.cpp +++ b/src/server/service/service.cpp 
@@ -33,35 +33,22 @@ #include "protocols.h" #include "service.h" #include "service_impl.h" -#include "master-req.h" namespace SecurityManager { const InterfaceID IFACE = 1; -Service::Service(const bool isSlave): - m_isSlave(isSlave) -{ -} +Service::Service(){} GenericSocketService::ServiceDescriptionVector Service::GetServiceDescription() { - if (m_isSlave) - return ServiceDescriptionVector { - {SLAVE_SERVICE_SOCKET, /* path */ - "*", /* smackLabel label (not used, we rely on systemd) */ - IFACE, /* InterfaceID */ - false, /* useSendMsg */ - true}, /* systemdOnly */ - }; - else - return ServiceDescriptionVector { - {SERVICE_SOCKET, /* path */ - "*", /* smackLabel label (not used, we rely on systemd) */ - IFACE, /* InterfaceID */ - false, /* useSendMsg */ - true}, /* systemdOnly */ - }; + return ServiceDescriptionVector { + {SERVICE_SOCKET, /* path */ + "*", /* smackLabel label (not used, we rely on systemd) */ + IFACE, /* InterfaceID */ + false, /* useSendMsg */ + true}, /* systemdOnly */ + }; } bool Service::processOne(const ConnectionID &conn, MessageBuffer &buffer, @@ -188,7 +175,7 @@ void Service::processAppInstall(MessageBuffer &buffer, MessageBuffer &send, uid_ Deserialization::Deserialize(buffer, req.uid); Deserialization::Deserialize(buffer, req.tizenVersion); Deserialization::Deserialize(buffer, req.authorId); - Serialization::Serialize(send, serviceImpl.appInstall(req, uid, m_isSlave)); + Serialization::Serialize(send, serviceImpl.appInstall(req, uid)); } void Service::processAppUninstall(MessageBuffer &buffer, MessageBuffer &send, uid_t uid) @@ -196,7 +183,7 @@ void Service::processAppUninstall(MessageBuffer &buffer, MessageBuffer &send, ui std::string appId; Deserialization::Deserialize(buffer, appId); - Serialization::Serialize(send, serviceImpl.appUninstall(appId, uid, m_isSlave)); + Serialization::Serialize(send, serviceImpl.appUninstall(appId, uid)); } void Service::processGetPkgId(MessageBuffer &buffer, MessageBuffer &send) 
@@ -219,7 +206,7 @@ void Service::processGetAppGroups(MessageBuffer &buffer, MessageBuffer &send, ui int ret; Deserialization::Deserialize(buffer, appId); - ret = serviceImpl.getAppGroups(appId, uid, pid, m_isSlave, gids); + ret = serviceImpl.getAppGroups(appId, uid, pid, gids); Serialization::Serialize(send, ret); if (ret == SECURITY_MANAGER_API_SUCCESS) { Serialization::Serialize(send, static_cast<int>(gids.size())); @@ -238,7 +225,7 @@ void Service::processUserAdd(MessageBuffer &buffer, MessageBuffer &send, uid_t u Deserialization::Deserialize(buffer, uidAdded); Deserialization::Deserialize(buffer, userType); - ret = serviceImpl.userAdd(uidAdded, userType, uid, m_isSlave); + ret = serviceImpl.userAdd(uidAdded, userType, uid); Serialization::Serialize(send, ret); } @@ -249,7 +236,7 @@ void Service::processUserDelete(MessageBuffer &buffer, MessageBuffer &send, uid_ Deserialization::Deserialize(buffer, uidRemoved); - ret = serviceImpl.userDelete(uidRemoved, uid, m_isSlave); + ret = serviceImpl.userDelete(uidRemoved, uid); Serialization::Serialize(send, ret); } @@ -260,11 +247,7 @@ void Service::processPolicyUpdate(MessageBuffer &buffer, MessageBuffer &send, ui Deserialization::Deserialize(buffer, policyEntries); - if (m_isSlave) { - ret = MasterReq::PolicyUpdate(policyEntries, uid, pid, smackLabel); - } else { - ret = serviceImpl.policyUpdate(policyEntries, uid, pid, smackLabel); - } + ret = serviceImpl.policyUpdate(policyEntries, uid, pid, smackLabel); Serialization::Serialize(send, ret); } 
@@ -275,12 +258,7 @@ void Service::processGetConfiguredPolicy(MessageBuffer &buffer, MessageBuffer &s Deserialization::Deserialize(buffer, filter); std::vector<policy_entry> policyEntries; - if (m_isSlave) { - ret = MasterReq::GetConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel, policyEntries); - } else { - ret = serviceImpl.getConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel, - policyEntries); - } + ret = serviceImpl.getConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel, policyEntries); Serialization::Serialize(send, ret); Serialization::Serialize(send, static_cast<int>(policyEntries.size())); @@ -296,11 +274,7 @@ void Service::processGetPolicy(MessageBuffer &buffer, MessageBuffer &send, uid_t Deserialization::Deserialize(buffer, filter); std::vector<policy_entry> policyEntries; - if (m_isSlave) { - ret = MasterReq::GetPolicy(filter, uid, pid, smackLabel, policyEntries); - } else { - ret = serviceImpl.getPolicy(filter, uid, pid, smackLabel, policyEntries); - } + ret = serviceImpl.getPolicy(filter, uid, pid, smackLabel, policyEntries); Serialization::Serialize(send, ret); Serialization::Serialize(send, static_cast<int>(policyEntries.size())); @@ -314,11 +288,8 @@ void Service::processPolicyGetDesc(MessageBuffer &send) int ret; std::vector<std::string> descriptions; - if (m_isSlave) { - ret = MasterReq::PolicyGetDesc(descriptions); - } else { - ret = serviceImpl.policyGetDesc(descriptions); - } + ret = serviceImpl.policyGetDesc(descriptions); + Serialization::Serialize(send, ret); if (ret == SECURITY_MANAGER_API_SUCCESS) { Serialization::Serialize(send, static_cast<int>(descriptions.size())); 
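Review bot: In processGetConfiguredPolicy the reply carries `static_cast<int>(policyEntries.size())` straight after `ret` whether or not the call succeeded, while processGetAppGroups and processPolicyGetDesc in this file send their payload only under `if (ret == SECURITY_MANAGER_API_SUCCESS)`. processGetPolicy in the next hunk has the same shape. If serviceImpl can return an error after partly filling `policyEntries` (not visible here), those entries would go back to the caller on a failed request, so either guard the count and entries with `if (ret == SECURITY_MANAGER_API_SUCCESS) {` or clear the vector on failure. The client-side reader would have to change together with such a guard, and both function bodies continue outside their hunks.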
@@ -351,7 +322,7 @@ void Service::processAppHasPrivilege(MessageBuffer &recv, MessageBuffer &send) Deserialization::Deserialize(recv, uid); bool result; - int ret = serviceImpl.appHasPrivilege(appId, privilege, uid, m_isSlave, result); + int ret = serviceImpl.appHasPrivilege(appId, privilege, uid, result); Serialization::Serialize(send, ret); if (ret == SECURITY_MANAGER_API_SUCCESS) @@ -365,7 +336,7 @@ void Service::processApplyPrivateSharing(MessageBuffer &recv, MessageBuffer &sen Deserialization::Deserialize(recv, ownerAppId); Deserialization::Deserialize(recv, targetAppId); Deserialization::Deserialize(recv, paths); - int ret = serviceImpl.applyPrivatePathSharing(ownerAppId, targetAppId, paths, m_isSlave); + int ret = serviceImpl.applyPrivatePathSharing(ownerAppId, targetAppId, paths); Serialization::Serialize(send, ret); } @@ -376,7 +347,7 @@ void Service::processDropPrivateSharing(MessageBuffer &recv, MessageBuffer &send Deserialization::Deserialize(recv, ownerAppId); Deserialization::Deserialize(recv, targetAppId); Deserialization::Deserialize(recv, paths); - int ret = serviceImpl.dropPrivatePathSharing(ownerAppId, targetAppId, paths, m_isSlave); + int ret = serviceImpl.dropPrivatePathSharing(ownerAppId, targetAppId, paths); Serialization::Serialize(send, ret); } } // namespace SecurityManager diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt index 9da2f17a..2d14d5f8 100644 --- a/systemd/CMakeLists.txt +++ b/systemd/CMakeLists.txt 
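Review bot: processAppHasPrivilege, processApplyPrivateSharing and processDropPrivateSharing hand serviceImpl only values read from the request: `uid` is deserialized from `recv`, and `ownerAppId`, `targetAppId` and `paths` all come from the client, while the calls forward no peer uid, pid or Smack label. With the `m_isSlave` argument gone that is now the whole call, so serviceImpl cannot tell who is asking unless processOne (outside these hunks) already authorizes the request. For the two sharing calls, which change state, consider taking the peer credentials as processPolicyUpdate does (`uid, pid, smackLabel`) and forwarding them; if the check does live in the dispatcher, a comment such as `// caller is authorized in processOne before dispatch` on each handler would record that. All three function bodies start outside their hunks.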
@@ -1,15 +1,9 @@ CONFIGURE_FILE(security-manager.service.in security-manager.service @ONLY) -CONFIGURE_FILE(security-manager-master.service.in security-manager-master.service @ONLY) -CONFIGURE_FILE(security-manager-slave.service.in security-manager-slave.service @ONLY) CONFIGURE_FILE(security-manager-cleanup.service.in security-manager-cleanup.service @ONLY) INSTALL(FILES security-manager.service security-manager.socket - security-manager-master.service - security-manager-master.socket - security-manager-slave.service - security-manager-slave.socket security-manager-cleanup.service DESTINATION ${SYSTEMD_INSTALL_DIR} diff --git a/systemd/security-manager-master.service.in b/systemd/security-manager-master.service.in deleted file mode 100644 index ef14a573..00000000 --- a/systemd/security-manager-master.service.in +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Description=Start the security manager master -ConditionVirtualization=!lxc -ConditionPathExists=/usr/share/.zones/enabled - -[Service] -Type=notify -ExecStart=@BIN_INSTALL_DIR@/security-manager --master - -Sockets=security-manager-master.socket diff --git a/systemd/security-manager-master.socket b/systemd/security-manager-master.socket deleted file mode 100644 index d41eae0f..00000000 --- a/systemd/security-manager-master.socket +++ /dev/null @@ -1,13 +0,0 @@ -[Socket] -ListenStream=/run/security-manager-master.socket -SocketMode=0700 -SmackLabelIPIn=System -SmackLabelIPOut=System -Service=security-manager-master.service - -[Unit] -ConditionVirtualization=!lxc -ConditionPathExists=/usr/share/.zones/enabled - -[Install] -WantedBy=sockets.target diff --git a/systemd/security-manager-slave.service.in b/systemd/security-manager-slave.service.in deleted file mode 100644 index 6eb7505f..00000000 --- a/systemd/security-manager-slave.service.in +++ /dev/null 
@@ -1,9 +0,0 @@ -[Unit] -Description=Start the security manager slave -ConditionVirtualization=lxc - -[Service] -Type=notify -ExecStart=@BIN_INSTALL_DIR@/security-manager --slave - -Sockets=security-manager-slave.socket diff --git a/systemd/security-manager-slave.socket b/systemd/security-manager-slave.socket deleted file mode 100644 index 8d0a2c6b..00000000 --- a/systemd/security-manager-slave.socket +++ /dev/null @@ -1,10 +0,0 @@ -[Socket] -ListenStream=/run/security-manager-slave.socket -Symlinks=/run/security-manager.socket -SocketMode=0777 -SmackLabelIPIn=* -SmackLabelIPOut=@ -Service=security-manager-slave.service - -[Unit] -ConditionVirtualization=lxc diff --git a/systemd/security-manager.service.in b/systemd/security-manager.service.in index f15ab90b..23fd1b28 100644 --- a/systemd/security-manager.service.in +++ b/systemd/security-manager.service.in @@ -1,7 +1,5 @@ [Unit] Description=Start the security manager -ConditionVirtualization=!lxc -ConditionPathExists=!/usr/share/.zones/enabled [Service] Type=notify diff --git a/systemd/security-manager.socket b/systemd/security-manager.socket index 95411e82..af1c1dab 100644 --- a/systemd/security-manager.socket +++ b/systemd/security-manager.socket @@ -7,9 +7,5 @@ SmackLabelIPOut=@ # TODO: move to separate systemd service Service=security-manager.service -[Unit] -ConditionVirtualization=!lxc -ConditionPathExists=!/usr/share/.zones/enabled - [Install] WantedBy=sockets.target |