1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
|
/*
* Copyright (c) 2014-2020 Samsung Electronics Co., Ltd. All rights reserved.
*
* This file is licensed under the terms of MIT License or the Apache License
* Version 2.0 of your choice. See the LICENSE.MIT file for MIT license details.
* See the LICENSE file or the notice below for Apache License Version 2.0
* details.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/*
* @file service_impl.h
* @author Rafal Krypa <r.krypa@samsung.com>
* @brief Implementation of the service methods
*/
#pragma once
#include <unistd.h>
#include <sys/types.h>
#include <vector>
#include "channel.h"
#include "credentials.h"
#include "cynara.h"
#include "nsmount-logic.h"
#include "security-manager.h"
#include "smack-rules.h"
#include "protocols.h"
#include "privilege_db.h"
#include "privilege-gids.h"
namespace SecurityManager {
class ServiceImpl {
public:
ServiceImpl();
virtual ~ServiceImpl();
/**
* Process application installation request.
*
* @param[in] creds credentials of the requesting process
* @param[in] req installation request
*
* @return API return code, as defined in protocols.h
*/
int appInstall(const Credentials &creds, app_inst_req &req);
/**
* Process application uninstallation request.
*
* @param[in] creds credentials of the requesting process
* @param[in] req uninstallation request
*
* @return API return code, as defined in protocols.h
*/
int appUninstall(const Credentials &creds, app_inst_req &req);
/**
* Process package id query.
* Retrieves the package id associated with given application id.
*
* @param[in] appName application identifier
* @param[out] pkgName returned package identifier
*
* @return API return code, as defined in protocols.h
*/
int getPkgName(const std::string &appName, std::string &pkgName);
/**
* Process query for supplementary groups allowed for the application.
* For given \ref appProcessLabel and \ref uid, calculate allowed privileges that give
* direct access to file system resources. For each permission Cynara will be
* queried.
* Returns set of group ids that are permitted.
*
* @param[in] creds credentials of the requesting process
* @param[in] appProcessLabel application identifier
* @param[out] groups returned vector of allowed groups
*
* @return API return code, as defined in protocols.h
*/
int getAppGroups(const Credentials &creds, const std::string &appProcessLabel,
std::vector<gid_t> &groups);
/**
* Process user adding request.
*
* @param[in] creds credentials of the requesting process
* @param[in] uidAdded uid of newly created user
* @param[in] userType type of newly created user
*
* @return API return code, as defined in protocols.h
*/
int userAdd(const Credentials &creds, uid_t uidAdded, int userType);
/**
* Process user deletion request.
*
* @param[in] creds credentials of the requesting process
* @param[in] uidDeleted uid of removed user
*
* @return API return code, as defined in protocols.h
*/
int userDelete(const Credentials &creds, uid_t uidDeleted);
/**
* Update policy in Cynara - proper privilege: http://tizen.org/privilege/internal/usermanagement
* is needed for this to succeed
*
* @param[in] creds credentials of the requesting process
* @param[in] policyEntries vector of policy chunks with instructions
*
* @return API return code, as defined in protocols.h
*/
int policyUpdate(const Credentials &creds, const std::vector<policy_entry> &policyEntries);
/**
* Fetch all configured privileges from user configurable bucket.
* Depending on forAdmin value: personal user policies or admin enforced
* policies are returned.
*
* @param[in] forAdmin determines if user is asking as ADMIN or not
* @param[in] filter filter for limiting the query
* @param[out] policyEntries vector of policy entries with result
*
* @return API return code, as defined in protocols.h
*/
int getConfiguredPolicy(const Credentials &creds, bool forAdmin, const policy_entry &filter, std::vector<policy_entry> &policyEntries);
/**
* Fetch all privileges for all apps installed for specific user.
*
* @param[in] creds credentials of the requesting process
* @param[in] filter filter for limiting the query
* @param[out] policyEntries vector of policy entries with result
*
* @return API return code, as defined in protocols.h
*/
int getPolicy(const Credentials &creds, const policy_entry &filter, std::vector<policy_entry> &policyEntries);
/**
* Process getting policy descriptions list.
*
* @param[in] descriptions empty vector for descriptions strings
*
* @return API return code, as defined in protocols.h
*/
int policyGetDesc(std::vector<std::string> &descriptions);
/**
* Process getting resources group list.
*
* @param[out] groups empty vector for group strings
*
* @return API return code, as defined in protocols.h
*/
int policyGetGroups(std::vector<gid_t> &groups);
/**
* Receive groups connected with uid and add them
* to the vector.
*
* @param[in] uid to return the groups for
* @param[out] groups vector with groups
*
* @return API return code, as defined in protocols.h
*/
int policyGroupsForUid(uid_t uid, std::vector<gid_t> &groups);
/**
* Process checking application's privilege access based on app_name
*
* @param[in] appName application identifier
* @param[in] privilege privilege name
* @param[in] uid user identifier
* @param[out] result placeholder for check result
*
* @return API return code, as defined in protocols.h
*/
int appHasPrivilege(std::string appName, std::string privilege, uid_t uid, bool &result);
/**
* Process applying private path sharing between applications.
*
* @param[in] creds credentials of the requesting process
* @param[in] ownerAppName application owning paths
* @param[in] targetAppName application which paths will be shared with
* @param[in] paths vector of paths to be shared
*
* @return API return code, as defined in protocols.h
*/
int applyPrivatePathSharing(const Credentials &creds,
const std::string &ownerAppName,
const std::string &targetAppName,
const std::vector<std::string> &paths);
/**
* Process droping private path sharing between applications.
*
* @param[in] creds credentials of the requesting process
* @param[in] ownerAppName application owning paths
* @param[in] targetAppName application which paths won't be anymore shared with
* @param[in] paths vector of paths to be stopped being shared
* @return API return code, as defined in protocols.h
*/
int dropPrivatePathSharing(const Credentials &creds,
const std::string &ownerAppName,
const std::string &targetAppName,
const std::vector<std::string> &paths);
/**
* Process package paths registration.
*
* @param[in] creds credentials of the requesting process
* @param[in] p_req path registration request
*
* @return API return code, as defined in protocols.h
*/
int pathsRegister(const Credentials &creds, path_req p_req);
/**
* Generate label for process.
*
* @param[in] appName application identifier
* @param[out] label generated label
*
* @return API return code, as defined in protocols.h
*/
int labelForProcess(const std::string &appName, std::string &label);
/*
* Request for access to shared memory segment for
* appName application.
*
* @param[in] creds credentials of the requesting process
* @param[in] name shared memory identifier
* @param[in] appName application identifier
*
* @return API return code, as defined in protocols.h
*/
int shmAppName(const Credentials &creds,
const std::string &shmName,
const std::string &appName);
/**
* Retrieves the app_id/pkg_id associated with given privilege and uid.
*
* @param[in] uid user identifier
* @param[in] privilege privilege name
* @param[out] appName returns app_id
* @param[out] pkgName returns pkg_id
*
* @return API return code, as defined in protocols.h
*/
int getAppDefinedPrivilegeProvider(uid_t uid, const std::string &privilege,
std::string &appName, std::string &pkgName);
/**
* Retrieves the license associated with given privilege and uid.
*
* @param[in] uid user identifier
* @param[in] privilege privilege name
* @param[out] license returns license information connected with privilege
*
* @return API return code, as defined in protocols.h
*/
int getAppDefinedPrivilegeLicense(uid_t uid, const std::string &privilege,
std::string &license);
/**
* Retrieves the license associated with given privilege and uid.
*
* @param[in] appName application identifier
* @param[in] pkgName package identifier
*
* @param[in] uid user identifier
* @param[in] privilege privilege name
* @param[out] license returns license information connected with privilege
*
* @return API return code, as defined in protocols.h
*/
int getClientPrivilegeLicense(const std::string &appName, const std::string &pkgName,
uid_t uid, const std::string &privilege,
std::string &license);
/**
* Setup app namespace
*
* @param[in] creds credentials of the requesting process
* @param[in] appProcessLabel application identifier
* @param[out] privilegeStatusVector returned vector of privilege-status pair
*
* @return API return code, as defined in protocols.h
*/
int appSetupNamespace(const Credentials &creds, const std::string &appProcessLabel,
std::vector<std::pair<std::string, bool>> &privilegeStatusVector);
/**
* Register channel for communication with worker process.
*
* @param[in] channel
*
*/
void RegisterChannel(Channel channel) { m_NSMountLogic.RegisterChannel(std::move(channel)); }
/**
* Clean app namespace
*
* @param[in] creds credentials of the requesting process
* @param[in] appName application identifier
* @param[in] uid user identifier
*
* @return API return code, as defined in protocols.h
*/
int appCleanNamespace(const Credentials &creds, const std::string &appName, uid_t uid);
private:
bool authenticate(const Credentials &creds, const std::string &privilege);
static uid_t getGlobalUserId(void);
static bool isSubDir(const std::string &parent, const std::string &subdir);
static bool containSubDir(const std::string &parent, const pkg_paths &paths);
static int getLegalPkgBaseDirs(const uid_t &uid,
const std::string &pkgName,
app_install_type installType,
std::vector<std::string> &legalPkgBaseDirs);
static bool getSkelPkgDir(const std::string &pkgName,
std::string &skelPkgDir);
static void setRequestDefaultValues(uid_t& uid, int& installationType);
bool authCheck(const Credentials &creds,
const uid_t &uid,
int installationType);
static bool pathsCheck(const pkg_paths &requestedPaths,
const std::vector<std::string> &allowedDirs);
int labelPaths(const pkg_paths &paths,
const std::string &pkgName,
app_install_type installationType,
const uid_t &uid);
void getPkgLabels(const std::string &pkgName, SmackRules::Labels &pkgsLabels);
static bool isSharedRO(const pkg_paths& paths);
int squashDropPrivateSharing(const std::string &ownerAppName,
const std::string &targetAppName,
const std::string &path);
int dropOnePrivateSharing(const std::string &ownerAppName,
const std::string &ownerPkgName,
const SmackRules::Labels &ownerPkgLabels,
const std::string &targetAppName,
const std::string &targetAppLabel,
const std::string &path);
void updatePermissibleSet(uid_t uid, int type);
std::string getAppProcessLabel(const std::string &appName, const std::string &pkgName);
std::string getAppProcessLabel(const std::string &appName);
bool sharingExists(const std::string &targetAppName, const std::string &path);
void getPkgsProcessLabels(const std::vector<PkgInfo> &pkgsInfo, SmackRules::PkgsLabels &pkgsLabels);
int validatePolicy(const Credentials &creds, policy_entry &policyEntry, CynaraAdminPolicy &cyap);
int getAppDefinedPrivilegeDescription(uid_t uid, const std::string &privilege, std::string &appName, std::string &pkgName, std::string &license);
Cynara m_cynara;
PrivilegeDb m_privilegeDb;
CynaraAdmin m_cynaraAdmin;
PrivilegeGids m_privilegeGids;
NSMountLogic m_NSMountLogic;
};
} /* namespace SecurityManager */
|
