Age | Commit message | Author | Files | Lines |
|
* Switch security-manager to dual license (Apache 2.0 or MIT)
* Remove unneeded dependencies from nss plugin
* Optimize nss plugin memory usage
* Merge branch 'tizen' into tizen_4.0
* Add core privilege: devicecertificate
* Merge remote-tracking branch 'origin/tizen' into tizen_4.0
* Fix bugs found in the code by static analysis
* Release 1.2.29
* Include empty rules.merged file in the package
* Adding privilege group priv_tee_client.
* Release 1.2.28
* When preparation of database connection fails, indicate this with a file flag
* Fix security-manager package installation/update
* Remove duplicated -fPIC flag
* Fix database script
* Add test to check TizenVersion update in database.
* Modify value of extendedsd
* Add support for external storage directories
Change-Id: Iad21796f9a6ceec0396296b096e11e7ee5f79fd5
|
|
Change-Id: If0cf88b7af0e1710d71417e1000694e5c9a08da4
|
|
Dlog dependency was replaced by systemd journal on HQ request.
Change-Id: I1dc25f1fbed92cbb61266daf7b096e170d312300
|
|
Made the nss module not linked with commons or client library.
Using security-manager client library in nss module caused
additional memory usage by private data in each loaded library,
out of which most were not needed for nss (smack, pcap, procps, rt,
sqlite, cynara-*, security-privilege-manager, mount, crypt, blkid,
pkgmgr_parser, vconf, minizip, pcre, uuid, xml2, gio, z, buxton2,
lzma, gmodule, resolv, ffi, tzplatformconfig, dlog).
Linking with dlog & tzplatformconfig is left only in debug mode.
To test it, use "gdb id", break point on getgrgid, measure change of PSS after
finishing the function execution with vs. without the patch.
The PSS value of id process should go down by approx. 0.4 - 0.5 MB
(depending on the system load & number of processes).
Change-Id: If2cede89885320ea83ca79fd54770a7ea24d87d8
|
|
Change-Id: I68cad37199d3db9d1a54c59b573de50dbb423f72
|
|
* Fix MountNS::isPathBound()
* Fix NSMountLogic in case when user has no running applications
* Identify apps by Smack label instead of appName in NSMountLogic
* During application start, privileged directory enforced by bind mount may be missing
* client: do not add application process to hardcoded groups
* Add core privilege: devicecertificate
* Monitor mount/umount events on the system and update app mount namespaces
* Refactoring: make NSMountLogic class responsible for Channel and MntMonitor
* Add security_manager_cleanup_app() API
* Change license-manager package name
* Add explicit dependency on libnss-security-manager
* Fix API for freeing policy entries
* Refactor security_manager_create_namespace_internal()
* Refactor security_manager_prepare_app()
* Optimize tracking of application mount namespace
Change-Id: I2df2ed1298655a46aa23ebb9d9dbd3a4690886b7
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
|
|
Instead of bind-mounting mount namespace descriptor of application during
security_manager_prepare_app, make a symlink to it. It will make it much
faster and avoid triggering internal mount watcher that tries to update
bind mounts. It is assumed that child processes of the main application
process will never live longer than the main app process itself. This is
supposedly guaranteed by the app framework.
Change-Id: I9fcbdd670278c3884ea4a703e934065608c2fed0
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
|
|
Change-Id: I04206d26566f37f0b78e6e19c56c1dbb51caacfe
|
|
This change reduces the number of IPCs and SQL queries needed for Smack label generation.
The goal is to reduce the application start time.
Change-Id: I2871a51b663b300836459b834d968f2d15cd47e0
|
|
This change reduces the number of IPCs and SQL queries needed to set up the mount namespace.
The goal is to reduce the application start time.
Change-Id: Ib6ee820f097f07add9228346cd9a191abb16a97c
|
|
security_manager_policy_entries_free was supposed
to free a table of pointers to policy_entry, but was
implemented improperly. Because the function had a wrong
signature (taking a pointer to a structure instead of a
pointer to a table), and without the change it causes a double
free, while not using the proper function results in a memory leak,
this function has to be changed, thus breaking the ABI.
Change-Id: I6d285c04eb1a77f5492c10d6709d0f47ebdd36f1
|
|
Make sure that the nss plugin gets installed to properly support
privileges enforced by gids to non-application processes.
Change-Id: I7f95503c71a2fbf18df24df7e07d8d12a4d17a3f
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
|
|
There could be naming conflicts with another package.
Therefore, change it to security-license-manager.
Also, add an explicit dependency with this name to install properly.
Change-Id: Iee0853b3191cd19361fc5b0c9b95509b0addad01
|
|
This function is intended for launchers for cleaning security context for an
application process. It should be called after application termination.
Change-Id: I93de1d4aad4f9ea7d2e70dff95e173677be80426
|
|
NSMountLogic class will now be solely responsible for making updates to
mount namespaces of running applications. Its single instance will be
persistent in ServiceImpl class. NSMountLogic now owns Channel for
communicating with the Worker process and sends requests for mount updates.
It also listens to mount events from MntMonitor and sends appropriate
requests to worker.
All required synchronization should be done in NSMountLogic.
NSMountLogic::check() method needs to be thread-safe because it may be
called concurrently from ServiceImpl and from MntMonitor thread.
Change-Id: I8cb4be25e5f9c8da4360d7ddff34993836f9f169
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
|
|
It is possible that file system path that has access guarded by a privilege
is not available when application starts, but becomes available later.
The reason for this is because a parent directory containing such path
may be a mount point that is not yet mounted at the time when application
starts.
If the application doesn't hold privilege to the directory in question,
it should have a dummy, empty directory mounted over that path. But this
cannot be done properly when application starts and the privileged directory
is not yet available.
Later, while the application is running, the parent mount point may be mounted.
This mount will be propagated to mount namespaces of all running applications.
Then the applications that do not hold the required privilege will be able
to access the privileged directory in that mount point, because the dummy bind
mount wasn't done.
This patch implements a watcher keeping track of mount/unmount events in
the system. When such event is detected, mount namespaces of all running
applications will be reevaluated. If a privileged directory shows up in
mount namespace of an already running application and the application doesn't
hold required privilege, the directory will be hidden from the app.
Change-Id: Idb7044d764a620b64666bfa5e6b1724b504866f0
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
|
|
- Refers to: https://review.tizen.org/gerrit/#/c/165621/
Change-Id: I74518afab72d31acabde8b80f9c31f6cfdbff095
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
|
|
- Refers to: https://review.tizen.org/gerrit/#/c/165621/
Change-Id: I74518afab72d31acabde8b80f9c31f6cfdbff095
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
|
|
Initial implementation of privilege enforcement with mount namespaces
included client code that added all application processes to a hardcoded
set of groups: priv_externalstorage and priv_mediastorage.
This is wrong. Enforcement of privileges by either groups or mount
namespaces is to be configured in respectively privilege-group.list and
privilege-mount.list. Application process should be added to a group
if and only if it holds a privilege that is configured to be enforced
with a group. Similarly proper mounts and umounts will be done in application
mount namespace based on privilege status.
There is no need to hardcode groups. If a privilege is enforced with mount
namespace, it should not require additional group assignment. If it used
to be enforced with a group, but it has been switched to enforcement with
mount, filesystem permissions need to be adjusted, not security-manager code.
Privileges mediastorage and external storage are now enforced with bind
mounts. They are being removed from privilege-group mapping - combining
these two mechanisms is undesired.
Change-Id: I41204daa24329e8e9648b3ecb4e53d87c763b35b
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
|
|
When trying to prepare mount namespace for application process, check whether a
directory that requires privilege and should be bind mounted is missing. In such
case ignore it and continue preparation.
Change-Id: I08d5295440bb018d93295cb2817c643211b88c5f
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
|
|
NSMountLogic and Worker code used to take appName as application identifier
and then needed to translate it to Smack label. It was very awkward, because
such conversion needs access to PrivilegeDB in order to check hybrid status.
Now Smack label is being passed to that code right away, eliminating the
need for fetching Smack label.
Change-Id: I62c137ad08a5d7d271aa8d6adcb25e8bb56bdfe1
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
|
|
In some cases directory /run/user/UID/ may exist, but /run/user/UID/apps/
might not. Such a case was incorrectly handled in NSMountLogic::readFiles();
it caused an exception to be thrown.
Fixed implementation first checks whether directory exists before trying
to read it.
Change-Id: Ibae0415eac066672d50cf184d82aa3f53c7efdf0
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
|
|
Previous implementation of the method checking whether given source path
is bind-mounted on a given destination path was unreliable.
By careless pattern matching in /proc/self/mountinfo it could easily
return false positive (determine that bind mount exists when it doesn't)
or false negative (say that bind mount doesn't exist when it does).
New implementation relies on calling lstat() on both paths and comparing
results. If both paths have the same ID of containing device and the same
inode number, they are considered to be bind mounted.
Change-Id: I63386dd44f2c1d114705b93a76993a9bc812a90d
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
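As an added illustration (not the project's code), the device/inode comparison this message describes, in C. The scratch paths under /tmp are constructed, and a hard link stands in for the bind mount: both share device and inode with their source, which also shows that the check alone cannot tell the two apart.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Bind-mount check as the commit message describes it: lstat() both paths
 * and compare the containing device ID and the inode number.
 * Returns 1 when they match, 0 when they differ, -1 when a path is missing. */
int same_dev_ino(const char *src, const char *dst)
{
    struct stat s, d;

    if (lstat(src, &s) != 0 || lstat(dst, &d) != 0)
        return -1;
    return (s.st_dev == d.st_dev && s.st_ino == d.st_ino) ? 1 : 0;
}

/* Self-check that needs no root: a hard link shares device and inode with
 * its target, which is exactly what a bind-mounted directory shares with its
 * source, so it exercises the same comparison. Returns 1 on success. */
int demo_same_dev_ino(void)
{
    char dir[64], a[80], b[80], c[80];   /* constructed scratch paths */
    int ok = 0;

    snprintf(dir, sizeof dir, "/tmp/bindchk.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return 0;
    snprintf(a, sizeof a, "%s/a", dir);
    snprintf(b, sizeof b, "%s/b", dir);
    snprintf(c, sizeof c, "%s/c", dir);

    if (close(open(a, O_WRONLY | O_CREAT, 0600)) == 0 &&
        close(open(c, O_WRONLY | O_CREAT, 0600)) == 0 &&
        link(a, b) == 0) {
        ok = same_dev_ino(a, b) == 1          /* same inode: treated as bound */
          && same_dev_ino(a, c) == 0          /* distinct file */
          && same_dev_ino(a, "/nonexistent") == -1;
    }
    unlink(a); unlink(b); unlink(c); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("%s\n", demo_same_dev_ino() ? "ok" : "failed");
    return 0;
}
```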
|
|
Change-Id: I4e43c03d2ccc4bcd283677932bf4ab4925d6f346
|
|
* Fix bugs found in the code by static analysis
* Fix the bug for clearing SharedRO Smack rules
* Fix the potential memory leak.
* security-manager-cmd: add new option "manage-privilege" for policy manipulation
* Add hybrid flag setting to security-manager-cmd
* Add ConfigFile class for run-time reading and parsing of config files
* Allow privilege enforcement with bind mounts to be configured
* Don't enable mount namespace code when the config file is missing or empty
Change-Id: I848d24b8cbbaa3e557722d9a0665f9c3a984c7fb
|
|
Function isMountNamespaceEnabled will read the privilege-mount.list config
file and return false when reading of that file fails or when it doesn't
contain any proper configuration entries.
Change-Id: I20fabefde1523e204c02e5ab8eb8bbdd532a8b4f
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
|
|
Add configuration file describing which privileges are to be enforced
with bind mounts and how. New config privilege-mount.list now assigns
privileges to their mount points and specifies source directory to bind
mount.
Change-Id: I7e2fb7a483803d0a8877d142b8e1df7a37ae18e3
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
|
|
New code reads a config file and splits it into a vector of lines, with one
element per file line. Each line is represented as a vector itself, with
one element per whitespace-separated token.
Lines that are empty or start with '#' are ignored.
New code is now used for parsing Smack policy templates and privilege to
group mapping.
Change-Id: I009cf2a33f0233a170666cfe27fd7604fb7f4340
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
|
|
Change-Id: I662d10db09931d6d3154dd263f6e6aaaa2fbf0b4
|
|
Change-Id: Ifca5479d87ec44de856b0bda6625960e010e31ba
|
|
Allow/deny privilege for application and user.
Change-Id: I371549ed2aa06ba7b2deef8543c0eff712ed8bd0
|
|
- Dynamic memory referenced by 'array' can be lost in error case.
Change-Id: Iea68a69be02dcddc74c560792502464a9a1e19bb
|
|
- Some SharedRO Smack rules were not cleared in uninstallation.
- Include the missing SharedRO rules in uninstallation.
Change-Id: Ic63468a78002aca4d2c0b6c1bdc925faa5050580
|
|
Change-Id: I662d10db09931d6d3154dd263f6e6aaaa2fbf0b4
|
|
* Adding privilege group priv_tee_client.
* Include empty rules.merged file in the package
Change-Id: I9c58f5c82f0d9e95e5805f3ee95500cd94e7c9c3
(cherry picked from commit 3cd03950834d58853d4da5f5107a2d172dc3ba6d)
|
|
This is to fix startup of security-manager-rules-loader.service systemd
unit in case when no applications are registered in security-manager.
This is a rare scenario that wasn't considered until now, because there
were always some preloaded applications on snapshot images. But IoT images
are actually built with no preloaded applications, triggering the bug.
An empty file with aggregated Smack rules is provided to handle such a case.
In case of package upgrade, existing file will not be overwritten thanks
to %config(noreplace) directive.
Change-Id: I1743672547abcdd42f520b34eba45c67402b37b1
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
|
|
* Adding privilege group priv_tee_client.
* Include empty rules.merged file in the package
Change-Id: I9c58f5c82f0d9e95e5805f3ee95500cd94e7c9c3
|
|
Adding priv_tee_client group for http://tizen.org/privilege/tee.client
Change-Id: I40dbdce238fe2be4640e0e18339178303ddcbe78
|
|
Adding priv_tee_client group for http://tizen.org/privilege/tee.client
Change-Id: I40dbdce238fe2be4640e0e18339178303ddcbe78
|
|
* Add support for external storage directories
* When preparation of database connection fails, indicate this with a file flag
* Fix security-manager package installation/update
* Remove duplicated -fPIC flag
* Fix database script
* Add test to check TizenVersion update in database.
Change-Id: I7f0f1f9c8d70f6439a13c90b860c4497fb2bd48b
|
|
A special file flag will be created by security-manager if it fails to
open its database or fails to initialize prepared statements.
This would indicate that database is either missing or broken. In such case
an empty file will be created at TZ_SYS_DB/.security-manager.db-broken
Change-Id: I6461b71134d6ce706d4295851a45840b3cf0be39
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
|
|
Change-Id: I117f2694ab042a05d6d5f05e3c79ee4fcc0aca9f
|
|
Change-Id: I1ef9791b0a283e497b33b2508926673a390dff89
|
|
Fix update of Tizen Version during application installation.
Change-Id: I17db2e6948aefcf625c9db3d2595a5667a74c054
|
|
Change-Id: I8271b61cd1a40eb87edce474df83d9157f9e7031
|
|
Property name of extendedsd has changed.
Signed-off-by: Junghyun Yeon <jungh.yeon@samsung.com>
Change-Id: I54af2d31d08f704c9fc72d1a59028f2600be8203
|
|
This is to fix startup of security-manager-rules-loader.service systemd
unit in case when no applications are registered in security-manager.
This is a rare scenario that wasn't considered until now, because there
were always some preloaded applications on snapshot images. But IoT images
are actually built with no preloaded applications, triggering the bug.
An empty file with aggregated Smack rules is provided to handle such a case.
In case of package upgrade, existing file will not be overwritten thanks
to %config(noreplace) directive.
Change-Id: I1743672547abcdd42f520b34eba45c67402b37b1
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
|
|
* Add support for external storage directories
* When preparation of database connection fails, indicate this with a file flag
* Fix security-manager package installation/update
* Remove duplicated -fPIC flag
* Fix database script
* Add test to check TizenVersion update in database.
Change-Id: I7f0f1f9c8d70f6439a13c90b860c4497fb2bd48b
|
|
Applications can be also installed on external storages.
Security-manager has to accept such paths during application
installation. This commit adds such support for local and
global apps.
Change-Id: Idc6fa2930aa6fdcae9191844597da31ae13ecc20
|
|
Applications can be also installed on external storages.
Security-manager has to accept such paths during application
installation. This commit adds such support for local and
global apps.
Change-Id: Idc6fa2930aa6fdcae9191844597da31ae13ecc20
|