Commit messages
* Abort app candidate process in case of wrong setup
Change-Id: I13c0e803d1a39b50f4956b5fbb8facd7d8eea3cd
When an offending thread with higher privileges is detected,
a new error log is added and the security-manager-client library
forces the entire app candidate process to abort.
This will effectively block the possibility of privilege escalation
if a new thread was spawned, e.g. by Chromium, during the prepare_app call.
The abort will also generate a coredump, making it easier to debug
the source of the offending thread.
Change-Id: I16772d0e51aa112548acb64f7b82ccf87948ded9
* Optimize operations on file with list of Smack labels
* Change order of items checking during getDirectoryContents() loop
* Small fixes in unit tests
Change-Id: I2acc5605bb54366700f1c05f4b856b96b1f82d70
There's no need to call the DB and tz-platform-config for each
label of a given user; it makes sense to re-use the fact
that update is always called on update/install/uninstall of a precisely
specified package, so changes only affect the labels of that package,
be it removal from or addition to the set.
Change-Id: I88686341fc49186afe60ed9f86dbdb98c1258064
Previously, the function called fstatat() even on . and .., which
the caller might not have wanted to get listed/analyzed.
This change was inspired by an issue where an error happened during a
call to prepare_app(): the error happened on calling fstatat(), while
checking if threads properly dropped capabilities/changed labels;
the error was in accessing the ".." element inside /proc/self/task,
while the audit logged, at the same time, a Smack error for an access
attempt from label User::Pkg::<ID> to System::Privileged on the
proc filesystem.
While this change doesn't fix that issue on its own, it optimizes
the code.
Change-Id: I83fda49530fb32776cf6edcc364dc574a7ee08f9
Spellcheck & another few negative tests for filesystem.
Change-Id: If905479a78f29f341487168483e2b68c13da0ee4
Package version bump to 1.8.X, as Tizen 6.5 got a (non-fast-forward)
update to 1.7.14.
This release is intended for the tizen and tizen_7.0 branches.
Change-Id: I0c7fe641bb210c7ccfe5bf2e5db59f943083c9f4
* Fix static analysis
Change-Id: I04137e1db4e557a6b4cdc828541773a2fad9b955
Printing a moved object is useless, even in debug logs.
The order of operations (logging vs moving) was changed.
Change-Id: I49ad49991e773ecf5ac65aa331b1cfb2bf1ad7cc
* Change some logs into warnings
Change-Id: Ic77c3be5eb1b28648fecdce67ae14ebae9bac0d5
Per a specific request of the Visual Display Division.
Change-Id: I4e5f579dafa16aab7f7f443a9f57e15c443862b4
* Add additional logs to security-manager
Change-Id: I430b7392a2176330b1fce3054a1ba1ca5ec49af6
Per explicit request of the Visual Display division.
One log changed to a warning, also on specific request.
Change-Id: I6fbfc528002a78afd78e60699e342795248f4a1b
* Disable LTO
Change-Id: If7bb805b212c5574a6cb501cb3893c2f037c9235
In case LTO is enabled, a function defined in asm (and declared as such)
generates an error at the linking stage (client-security-manager.cpp, function
__restore_rt).
Change-Id: I31ff9de14755b9b531f25e777c439f7153c6548c
* Change delay for setting cpu_inheritance
Change-Id: I5e362885ee4029b67062247011fd9d55a2942739
Change-Id: If46ba6429226c4fcd7a64179fb93d715c84f1635
* Change logic of security_manager_app_update()
Change-Id: If230c9a5aa87b294066c830b9582b678c6e6ad1c
Now the function allows updating a package & removing previously present
appIds that were not requested, even if no hybrid status change has been done.
Change-Id: I3f13dddd726c57e6a1572ce3a608eaf16768ad55
* Appease SVACE
Change-Id: If5cdbb74949e2728859bbdb73be17a6626f05b4d
Change-Id: I9da1046731377e5c47096f34769f38aa67a23ae2
* Fix out of bounds socket description vector access
* Delay service thread construction until dependencies are initialized
* Decrease message buffer test payload size to avoid bad_alloc
* Refactor errno logging
Change-Id: I8287171336f96d277ea7608213cb5b26c5901dbb
Change-Id: Iacfa7ad31ad1aa5e7f4743fc114e283acc58af8e
Change-Id: I386c56804eae770e0bb90acbecc705d14010d804
Change-Id: I24c1b17e5b8e8d224b7c8d47dbe0942467e528bf
* Macros to factor out common patterns.
* Minor error detection optimization at sites that happened to be nearby.
Change-Id: Ibd14776e5d52fa59c00098317bc8031fb351eb0b
* Add subsession bind mount isolation
Change-Id: Idee1eac89d529884900b97847b64ad239d4252b7
By introducing prepare_app2(app_id, subsession_id) and implementing
prepare_app(app_id) as prepare_app2(app_id, nullptr). Null subsession_id
indicates the default subsession.
The selected subsession is mounted over the "apps_rw" directory. Other
subsessions are hidden by mounting an empty directory over the user's
"subsession" directory if it exists.
Change-Id: I19c884bdd64c53b82fef3447470378c8a8cfae3e
* Drop std::function from try_catch() and friends, deficient edition
* Simplify socket-manager timeout logic
* Switch to CLOCK_MONOTONIC_COARSE
* Refrain from calling sessiond in offline mode
* Prioritize requests based on cpu boosting level
* Simplify service and IO thread's class hierarchies
* Make socket manager counters more robust
* Refactor MessageBuffer and dependencies
Change-Id: Id35cf58156eef658907b312df06637e51ce5e9dd
When used as an argument to try_catch() and similar functions,
std::function may potentially introduce runtime overhead on the
exception-free path, possibly even allocate (and thus throw
std::bad_alloc).
This can be prevented by rewriting try_catch() as a generic wrapper with
perfect forwarding.
This has been coded deficiently on purpose, refusing to leverage any and
all kinds of bloat reduction opportunities. For the rationale, please
consult code review participants as I have none to give.
"I'm only following orders."
- A nameless soldier
Change-Id: I00adf24213a2e6bf8d148db8375a14200c64ff4f
The intention of the timeout logic is to close stale sockets (ones that
have been inactive for SOCKET_TIMEOUT seconds). The closure doesn't
really have to happen immediately after that, as long as it happens
eventually when, say, security-manager's IO thread wakes up.
* use select() without timeout
* replace timeout priority queue with generation-based management
* each generation lasts at least SOCKET_TIMEOUT seconds
* maintain per-socket activity booleans for the current generation
* a socket becomes active when performing or getting primed for IO
* when a new generation begins, loop through all sockets, time out all
inactive ones, set all remaining to inactive
Change-Id: I50a06f1566806fa9d7d69fe2367d6ade0f93acf5
All uses of clock_gettime() are fine with coarse granularity. Renamed
monotonicNow() to monotonicCoarseNow() to reflect that.
Change-Id: Id60e79ca28a888ad98907184b7c11dd9d0b4aeee
Change-Id: I0e182d45f75cc99cbc11d692c29e6c7c0bcc0719
There are three boosting levels at present, hence three distinct
priorities are introduced. Since the priority space is small, the
priority queue is implemented via an array of FIFO queues.
CPU priority inheritance from client to server is also included.
The boosting level and priority inheritance facilities are provided by
the capi-system-resource module. According to said facilities'
designers, querying the boosting level is most efficient when done
directly in the queried thread. Thus, when making a security manager
client request, the boosting level is obtained and prepended to the
request payload. This also makes requests atomic and mitigates the
potential for priority races.
Change-Id: Icc10fb5e40fa74eafe16726d28ac66cd8b560810
* get rid of useless Generic* and Base* classes that do nothing
* shift what little functionality they provided to other entities
* make a few leaf classes final
* devirtualize a few methods across the hierarchy, either by making them
local or via CRTP
* replace the virtual Event hierarchy and handlers by a single
statically known Event type
Change-Id: Id3afef98ff99a5b0eb3966f1cfdf0dcaa52cd909
Now that the service no longer needs to maintain a dictionary of all
socket connections, socket counters no longer need to be globally
unique. The only remaining use for those counters now involves checking
whether a particular socket descriptor has gone stale. Per-descriptor
counters are enough for that, incremented every time a particular
descriptor is reopened.
* use per-socket counters instead of a global one
* use unsigned for guaranteed wraparound
* increment counter when closing instead of when opening to make the
check for isOpen unnecessary when checking connections enqueued in
m_closeQueue or m_writeBufferQueue
Change-Id: I5b9102c6fe3f9eb183ce456d1334173ac37aab4b
Security manager's protocol assumes there's at most one message in
flight per connection at any given time. The MessageBuffer class can
hold one such message in various stages of completion, assembled via
either input or serialization and disposed of via either output or
deserialization.
This conceptual interface can be satisfied in a much simpler way than
what's currently present. All that is required for a MessageBuffer is a
single contiguous memory block and a little management on the side
(the block's size, the message size, offset into the block).
Since the protocol has the payload size stored as a size_t header prior
to a message's payload, there's no need to even store it separately - it
can be stored before the payload, just as in the protocol.
Implications:
* less memory copying/shuffling
* read the full message directly into a buffer in binary form
* deserialize directly from that buffer (no Pop(), no copies)
* reuse the buffer space for serialization of the return message
* output the return message into the socket without copying
* socket manager now assembles full messages before handing them to the
service, at no performance hit
* one MessageEvent per socket instead of Accept/Close/Read/Write events
* no need for the service to maintain connection state - it now operates
on a per-message basis
Change-Id: I45f6009ce09ae2f852cfee86a32426389bcf7a30
* Decrease service thread lock thrashing
* Fix subsession paths
Change-Id: I5fafb902584edfb88b6566ace91126cbe44761fa
By not releasing the lock right after wait() returns.
Change-Id: Ic689aed448b9a00370252be2b09d7cb653bdcdc5
* place the "subsession" dir in TZ_USER_HOME instead of TZ_USER_APP
* skip over the empty subsession as returned by sessiond
* add sharedRO paths if applicable
* refrain from labelling paths inside skelDir for local installations
* refactor related code to reduce redundancy and improve robustness
Change-Id: I2ede9f53f490c9bf57d390796e2ca5a1774f8a09
* Basic integration with sessiond
* Drop socket manager multi service support
* Handle signals locally in socket manager main loop
* Switch socket manager notification from pipe to eventfd
* Remove unused sendmsg functionality
Change-Id: I9f21d9709dd6d0b7d8b2e446590d738d7f6d7504
Allow ~/subsession/$light_username/apps_rw/$pkgName as legal package
directories as needed by the lightweight multiuser feature.
New paths are in force ONLY for local app installation
(for SM_APP_INSTALL_LOCAL install type in security-manager's API).
Lacks bind-mounting per-user relevant datadirs (separation of user
data). This is supposed to be added at a later stage.
Change-Id: Ia042e608781c139651578475c94d4283ddf70a47
That feature has never been used; it's always been dead weight.
Security manager is a single service so that's unlikely to ever change.
Implications:
* no need to store/check interface ID
* one service per socket manager - less bookkeeping, simpler destructor
* socket descriptors now only apply to accepted sockets
Change-Id: I84ce915f0ff6929df45a40a0a8f5cbf7a4214694
* replace SignalService with a local descriptor
* handle the descriptor directly in the main loop
* drop the now unused m_working and MainLoopStop()
While at it, also drop the harmful TEMP_FAILURE_RETRY when calling
close() on service sockets.
Change-Id: I172456d1762aaed4c4f0dd46a49732aa28d9c5d6
* use eventfd for a more efficient wakeup mechanism
* handle it directly in the manager thread to reduce thrashing
* drop the now useless DummyService and SIGPIPE-related code
* check m_working in the main loop only if eventfd is ready for reading
Change-Id: I090d90a50f3c789445dd6d0daa637abf0d189348
Kind of reverts 0798413641b7961a0132050aef6bd03270936625
Change-Id: I815e63a370528762f69b760340398e068b541b74
* Enhance DB recovery logic
* Minor fix of wording in comment
* Remove unused code
Change-Id: Ide32e4e3257810994bcb8dfe6695c455e5c0007f
"If we are wise, let us prepare for the worst."
- George Washington
Previously, the logic of DB recovery was:
1. Remove the "-recovered" file flag, IF it survived reboot (shouldn't)
2. Check DB for corruption
3. IF corruption occurred, then:
   a. Replace original DB with fallback made at image creation
   b. Create the "-recovered" file next to DB file that signals the rest of the system some apps may be missing
If a sudden poweroff happens between 3a and 3b, the system will not get informed
about missing app installation data.
This patch changes the order of operations 3a and 3b, and also removes
operation number 1. From now on, the system-level scripts responsible
for recovery should remove the flag when full recovery is complete.
Changing the order of 3a and 3b ensures the flag is created when a
DB error is found and is not prone to sudden power-off.
The flag is meant to be used for file-existence signalling of the need
to reinstall apps that were not in the backed-up DB. Since its existence
can trigger app installation, which in turn can launch & use security-manager
(which will also attempt to access the DB), it MUST be ensured that rules-loader
is not running concurrently with any other processes/services that may use security-manager's DB
(the recovery of DB from fallback/backup has to be complete). This is achieved
by systemd's "Before=" service option in the rules-loader service file, which prohibits
security-manager's socket & service start before rules-loader ends operation.
Change-Id: I472c09d9398f69a97e118b69aad61dc016e3d22d
Change-Id: I48e795f72a7ca2ad720ea475c611d57d1007a622
Change-Id: I7ae95050e5018d3a38ee79401553b46e3dfc849b