Age | Commit message | Author | Files | Lines
2020-05-05 | Release 1.5.25 (submit/tizen_5.5/20200505.103705, accepted/tizen/5.5/unified/20200506.125019) | Dariusz Michaluk | 3 files | -2/+10
    * Fix enterMountNamespace() error handling.
    Change-Id: I866366037ee2df3afd828ff7b4c184269f35ef42
2020-04-30 | Fix enterMountNamespace() error handling. | Dariusz Michaluk | 3 files | -11/+20
    There is a TOCTOU race condition between checking/entering app namespaces. In this small time window, the app can be killed, so updating the app namespace doesn't make sense; we can skip this step.
    Change-Id: I2ba4c2bd701d6fc5a453c72d19e1d951e39fde53
2020-04-22 | Release 1.5.24 (submit/tizen_5.5/20200422.151203, accepted/tizen/5.5/unified/20200423.150447) | Dariusz Michaluk | 3 files | -2/+15
    * Properly handle ENOENT error on encrypted device
    * Move initial namespace setup to security_manager_prepare_app_candidate()
    * Fix security_manager_cleanup_app()
    * Fix security-manager worker
    * Fix app_update not setting sharedRO to false in db
    * Reintroduce checks for directory existence in sharedRO setup
    Change-Id: I21f1bd209c98f5c5330e84c3865611264a539ab6
2020-04-22 | Properly handle ENOENT error on encrypted device | Dariusz Michaluk | 1 file | -1/+1
    Change-Id: Ica5318462304b9f96096f0376885d676e5e087ba
2020-04-22 | Move initial namespace setup to security_manager_prepare_app_candidate() | Dariusz Michaluk | 1 file | -6/+7
    Change-Id: I43f316b8e074ff18462388b64793cbc3e2d895c1
2020-04-22 | Fix security_manager_cleanup_app() | Dariusz Michaluk | 1 file | -6/+2
    After introducing sharedRO mount namespace setup, every app should clean up its own namespace after termination.
    Change-Id: I358007e3f47213f3038e6c3f2a05cbe5e273627f
2020-04-22 | Fix security-manager worker | Dariusz Michaluk | 1 file | -18/+20
    Move worker process to main mount namespace after finishing job.
    Change-Id: Ic0ed8011ecc8fab04a237c6a96190f4a8cc5d266
2020-04-22 | Fix app_update not setting sharedRO to false in db | Konrad Lipinski | 3 files | -7/+10
    Change-Id: I502a00b4946ba3ef3c82c81f665e10c1b50d2e2b
2020-04-22 | Reintroduce checks for directory existence in sharedRO setup | Tomasz Swierczek | 1 file | -11/+16
    While directories connected with per-app sharedRO should exist if an application package has been declared to use the feature, the previous behaviour of security-manager allowed these dirs to be nonexistent while still silently ignoring the misconfiguration (pre-1.5.18 versions).

    On already released product images, some apps, improperly installed by the installer as using sharedRO and NOT having the actual folder structure, could already be running in the wilderness. Updating to the new security-manager, while true to the original sharedRO-bind-mount design (dirs SHOULD exist as designed), may introduce runtime errors.

    This patch reintroduces existence checks for directories which are arguments to bind mounts.

    An alternative to this patch would be a migration script that would be much more complicated and should be accompanied with a security-manager commandline tool used to update DB contents OR an appfw script that would re-do the directory structure. Both ways would be much more time-consuming & error prone than reintroducing these checks, which I'm doing in this patch.
    Change-Id: I9f25a85ae87e4189b81621f1ec3863a2d1cc9d2a
2020-04-14 | Release 1.5.23 (submit/tizen_5.5/20200414.063034, accepted/tizen/5.5/unified/20200417.152916) | Yunjin Lee | 3 files | -2/+10
    * Add new core privilege: notification.admin
    Skipped a few numbers to make the versioning of the tizen and tizen_5.5 branches not conflict. Let's keep this branch's versioning as 1.5.x and make the tizen branch's versioning 1.6.x from the next release.
    Change-Id: I766a2d584d03b8fb907e030763820825759e619a
    Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
2020-04-07 | Add new core privilege: notification.admin (submit/tizen_5.5/20200413.053459) | Yunjin Lee | 5 files | -0/+5
    - notification.admin: An application with this privilege can manage notifications. For example, the app can get all notifications and update, delete or hide them.
    Change-Id: I4fc3c500f7f84f95dd443ebfde4b953a175112ad
    Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
2020-02-03 | Release 1.5.19 (submit/tizen_5.5/20200325.102441, submit/tizen/20200203.111649, accepted/tizen/unified/20200204.125818, accepted/tizen/5.5/unified/20200326.232322) | Tomasz Swierczek | 3 files | -2/+12
    * Remove nss plugin IPC with security-manager daemon
    * Fix Svace defect, remove unreachable statement.
    * Refactor macro usage within CheckProperDrop::checkThreads()
    Change-Id: I9f36e37e2448791ef761b86a6efd9c64c521217a
2020-02-03 | Remove nss plugin IPC with security-manager daemon | Tomasz Swierczek | 13 files | -154/+112
    Communication was needed to ensure the GID list is calculated based on Cynara's privilege DB, which also contains per-user information on allowed privileges.

    It was agreed among security and platform teams that system daemons have a statically defined list of GIDs/privileges that doesn't change over time and also that this list is the same regardless of the user type (gumd defines various user types).

    This patch changes the meaning of per-user-type policy files and Cynara's per-user-type policy buckets. From now on, the Cynara policy for a given user is applicable as-is only for that user's applications. The user-level & system-level daemons that may run with "User", "System" or "System::Privileged" Smack labels no longer have their policy consulted with Cynara. Instead, they are being given all the privilege-mapped GIDs, with the exception of GIDs that can be mapped to:
    http://tizen.org/privilege/internal/livecoredump (priv_livecoredump)
    http://tizen.org/privilege/internal/sysadmin (currently no GID associated)

    These privileges are used by the system team to control inter-service access to certain DBus interfaces, and if any GID is associated with them, that GID should not be granted by the nss plugin. Instead, that GID should be added as a supplementary group of the particular service that should be granted the corresponding privilege (i.e. using a systemd service file or by assigning the GID as supplementary to the UID under which the service is running).

    When the systemd SupplementaryGroup option in service files is used to declare all "privileges" for all services, the security-manager nss plugin will not be needed anymore.
    Change-Id: I8da6385cfaf502cfd6117b3805e5986ae3c28b80
2020-02-03 | Fix Svace defect, remove unreachable statement. | Dariusz Michaluk | 1 file | -6/+2
    Change-Id: I0bd14456de4e8b54e1753dfa8be2cf8d0b1b5217
2020-01-30 | Refactor macro usage within CheckProperDrop::checkThreads() | Konrad Lipinski | 1 file | -45/+39
    Change-Id: Iadef9bacd076a666d8a527e79165b01cf2daf544
2020-01-23 | Release 1.5.18 (submit/tizen_5.5_tv/20200311.054720, submit/tizen_5.5/20200311.033315, submit/tizen/20200123.073443, accepted/tizen/unified/20200129.022634, accepted/tizen/5.5/unified/20200312.234628) | Tomasz Swierczek | 3 files | -2/+21
    * prepare_app optimization
    Change-Id: Ie25de8f2cd3c345769267b15efe6e02a840a0ed6
2020-01-23 | db: drop redundant IsPackageSharedRO query | Konrad Lipinski | 3 files | -28/+1
    Change-Id: I90273f0f48290930c275685480627701e83bbc2a
2020-01-23 | prepare_app: refactor supplementary group assignment | Konrad Lipinski | 7 files | -101/+105
    * use a stack array for syscalls
    * stream forbiddenGroups = privilegedGroups \ allowedGroups instead of privilegedGroups, making IPC thinner
    Change-Id: I343af0052fd90f1ed4fd37d41b7b8c7a1a5a7858
2020-01-23 | prepare_app: coalesce all client->mgr IPCs into one | Konrad Lipinski | 10 files | -130/+201
    Change-Id: I28398b36b9a14fd4e4d30570f15848a8f29c5ef1
2020-01-23 | Make prepare_app_candidate faster | Konrad Lipinski | 1 file | -10/+19
    Change-Id: Ie875ff190aa032cbaa21e7ef9b72da98faf3b8b4
2020-01-23 | prepare_app: optimize setupSharedRO | Konrad Lipinski | 1 file | -22/+17
    Change-Id: Ifb52a67a09122847c2241db3c86bf8c15bc69438
2020-01-23 | prepare_app: simplify thread syncing | Konrad Lipinski | 1 file | -82/+59
    Change-Id: If78f4688d71213f06c525462cedb9d259f8d406b
2020-01-23 | prepare_app: return errcode on CheckProperDrop failure | Konrad Lipinski | 1 file | -3/+3
    Change-Id: I3a8953650c1dcee4d2cbe6b4171cd2bb3e84993e
2020-01-23 | Throw exception on failed config file read | Konrad Lipinski | 1 file | -0/+2
    Change-Id: I8b19bd1863f1df84ef3e10548be644e9632dcb5c
2020-01-22 | Don't copy socket events | Zofia Grzelewska | 6 files | -36/+42
    Change-Id: If103f7800e202bbd6e27b472668ea7feba7dbf38
2020-01-17 | Drop intermediate istringstream in ConfigFile::read() | Konrad Lipinski | 3 files | -13/+3
    Change-Id: Ib6a2017a39fb20576eccc766e289eaae8de65098
2020-01-17 | Drop useless cap_clear() following cap_init() | Konrad Lipinski | 1 file | -7/+0
    "The initial value of all flags are cleared." (https://linux.die.net/man/3/cap_init)
    Change-Id: I6f55acaf0676daca3befe3b37fb249902c59e91e
2020-01-17 | Nanoooptimize mount-namespace.cpp | Konrad Lipinski | 1 file | -11/+9
    Change-Id: I8fce33fce888cff5f5bea416099346b36004ff30
2020-01-17 | Release 1.5.17 (submit/tizen/20200117.074218, accepted/tizen/unified/20200117.075031) | Tomasz Swierczek | 3 files | -2/+10
    * Add even more gcc 9 fixes after Wall enabling
    Change-Id: Iec7c4a8acd9a605364dbdd217a1e83fc6993d740
2020-01-17 | Add even more gcc 9 fixes after Wall enabling | Tomasz Swierczek | 4 files | -7/+19
    Needed to disable -Wcast-function-type for the service-thread.h file only. service-thread.h will require some fundamental rework later.
    Change-Id: If9d13dfe8e3ae78ac658a140e9582130e98e2b6a
2020-01-09 | Release 1.5.16 (submit/tizen/20200109.083615, accepted/tizen/unified/20200113.130714) | Tomasz Swierczek | 3 files | -2/+11
    * Fix build for gcc 9
    * Revert "Mark colour_log_formatter methods as override"
    Change-Id: If053989e9f7aa8c4e9474483a3f0849c7f5fe5e3
2020-01-08 | Fix build for gcc 9 | Tomasz Swierczek | 1 file | -1/+2
    Change-Id: Iba39f4a644d5f676e8f1606bbc283efe97f2dd9c
2019-12-23 | Revert "Mark colour_log_formatter methods as override" (submit/tizen_5.5/20200103.003447, accepted/tizen/5.5/unified/20200105.221111) | Tomasz Swierczek | 2 files | -28/+26
    This reverts commit 31bba785d8f2c84207f68e862751ec5fc421c2c5. With older versions of boost, build-time errors occur with this patch (marked 'override', but does not override).
    Change-Id: I1dff4b41703a2896de60c1dbae82536f83636c04
2019-12-20 | Release 1.5.15 (submit/tizen_5.5/20191220.095710, submit/tizen/20191220.095458, accepted/tizen/unified/20191223.060214) | Dariusz Michaluk | 3 files | -2/+16
    * Remove duplicated mount namespace setup
    * Skip mount namespace setup specific to privacy privileges
    * Enhance few logs around application launching.
    * Add http://tizen.org/privilege/internal/livecoredump and disable it for non-applications
    * Add user context to fetching tzplatform_config variable
    * Mark colour_log_formatter methods as override
    * Make colour_log_formatter compatible w/ boost 1.70
    Change-Id: Icd275c4b19043a3251336cf26a13dd8492f981c1
2019-12-19 | Remove duplicated mount namespace setup | Dariusz Michaluk | 1 file | -0/+8
    When security_manager_prepare_app() is called twice by a multi-process app zygote, mount namespace setup is duplicated. This solution has a race condition, but inter-process synchronization adds more overhead than benefit.
    Change-Id: I92b9bead82c8caf3522b483a662e7a837f67a311
2019-12-19 | Skip mount namespace setup specific to privacy privileges | Dariusz Michaluk | 11 files | -114/+119
    In case of an empty privacy privilege to filesystem path mapping (privilege-mount.list file), we can skip mount namespace setup specific to privacy privileges.
    Change-Id: I7f1f4ef8e5f0614d7b232529f4ff665c2dfeaf5f
2019-12-18 | Enhance few logs around application launching. | Tomasz Swierczek | 2 files | -3/+6
    It was reported that some checks during our launching could be more verbose and informative about what is going on. Added a few more sentences to clearly state if the application process is improperly set up and why.
    Change-Id: I47d6578dceff957cf76aa8ee690420d5a5cc9d7f
2019-12-11 | Add http://tizen.org/privilege/internal/livecoredump and disable it for non-applications | Karol Lewandowski | 7 files | -1/+8
    This commit adds a new privilege for triggering a coredump from a running (live) process. The coredump can contain private information, so additional security measures are needed to disallow all system services from requesting a livedump for any process. The functionality is supposed to be used by a (verified and approved) set of processes only.

    To implement this, the privilege is provided in disabled state - no system service gets it automatically. To use it, one has to add membership to the priv_livecoredump group (or supplementary group).
    Change-Id: I3c6664b3befae0a572ef263b94b39e0cec7fce04
2019-12-11 | Add user context to fetching tzplatform_config variable | Zofia Grzelewska | 1 file | -1/+2
    Change-Id: I45cbea2d73d5c5fd3079df6f0925a8250eb005c4
2019-12-10 | Mark colour_log_formatter methods as override | Konrad Lipinski | 2 files | -26/+28
    Change-Id: I321149df1a390be56bf9a3ee1bcf83b726a01dc8
2019-12-10 | Make colour_log_formatter compatible w/ boost 1.70 | Konrad Lipinski | 2 files | -1/+10
    Change-Id: I58a52805d98b3571662cc36aec9b170272012671
2019-11-28 | Release 1.5.14 (submit/tizen_5.5/20191205.065343, submit/tizen_5.5/20191204.061724, submit/tizen/20191128.101053, accepted/tizen/unified/20191201.221523) | Tomasz Swierczek | 3 files | -2/+16
    * Add SharedRO skel path labelling when labeling any dir as SharedRO
    * Add release script
    * Label package base paths for SHARED_RO bind mounting
    * Label SHARED_RO directory under symlink
    * Add new $APP_HOME/.shared/$PKG_NAME dir to legal paths
    * Implement SharedRO with mount namespace
    * Remove package generated SharedRO rules
    Change-Id: Iefa023963d135c29aef636d223a31419ed9115d2
2019-11-27 | Add SharedRO skel path labelling when labeling any dir as SharedRO | Tomasz Swierczek | 3 files | -15/+32
    security-manager relies on a specific path layout for SharedRO mount points. This patch adds labeling of skel subdirs for the given package, if these exist.
    Change-Id: Id8e3b0986eff47bc628849fcc6d51fa6176cde54
2019-11-20 | Add release script | Zofia Grzelewska | 1 file | -0/+121
    Change-Id: I199a2333c989bed23a8eee47a5ba9b645363fd2d
2019-11-20 | Label package base paths for SHARED_RO bind mounting | Zofia Grzelewska | 3 files | -5/+19
    Label $APP_HOME/.shared/$PKG_NAME and $APP_HOME/.shared/$PKG_NAME paths with "User::Home" to allow bind mount in application context.
    Change-Id: Ib19de4e87766f5a313f1e5e0542e1da8b30f8a40
2019-11-20 | Label SHARED_RO directory under symlink | Zofia Grzelewska | 2 files | -1/+7
    SharedRO directories from the previous implementation are now symlinks pointing to the new SharedRO directories. This commit assures that all contents under this symlink are properly labeled.
    Change-Id: I672aaf38ffca3ed6608d9c0aaa2ad7253df16349
2019-11-20 | Add new $APP_HOME/.shared/$PKG_NAME dir to legal paths | Zofia Grzelewska | 4 files | -18/+57
    Add new SharedRO directory for bind mount implementation of SharedRO.
    Change-Id: Ie8dc40234b2cbdef7cb788e8883ef9508abb59bf
2019-11-20 | Implement SharedRO with mount namespace | Dariusz Michaluk | 7 files | -23/+91
    Perform three bind mounts to implement SharedRO policy.
    Change-Id: Ib30cf1537bdb1357ef53b77ead52a00b469566d1
2019-11-20 | Remove package generated SharedRO rules | Dariusz Michaluk | 21 files | -188935/+27
    Remove SharedRO rules and labels generated from the package name and replace them with "User::App::Shared".
    Change-Id: I8d164be27e1d91dbf8787906a4aa083a63b4a1b7
2019-11-13 | Release 1.5.13 (submit/tizen/20191113.053610, accepted/tizen/unified/20191113.123435) | Tomasz Swierczek | 3 files | -2/+10
    * Add fsync after DB recovery.
    Change-Id: I0dab12f010f35af2c32ec949a83a06202ded5ad8