path: root/meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch
blob: d79345e0146f3cdae41e096c898904f0dba56d4a (plain)
From a80e33bc0a10fa4bed5d0b7bf29f45dd2565d309 Mon Sep 17 00:00:00 2001
From: Alejandro Joya <alejandro.joya.cruz@intel.com>
Date: Wed, 4 Nov 2015 19:01:35 -0600
Subject: [PATCH 03/14] Smack-rules: create two new functions

This lets smack-rules create multiple sets of rules
related to the privileges.

It works on the same basis as the static set of rules in the
template, but lets you add one or many templates for different cases.

Change-Id: I14f8d4e914ad5a7ba34c96f3cb5589f0b15292de
Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com>
---
 src/common/include/smack-rules.h | 15 +++++++++++
 src/common/smack-rules.cpp       | 44 ++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)

diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h
index 91446a7..3ad9dd4 100644
--- a/src/common/include/smack-rules.h
+++ b/src/common/include/smack-rules.h
@@ -47,6 +47,8 @@ public:
     void addFromTemplate(const std::vector<std::string> &templateRules,
         const std::string &appId, const std::string &pkgId);
     void addFromTemplateFile(const std::string &appId, const std::string &pkgId);
+    void addFromTemplateFile(const std::string &appId, const std::string &pkgId,
+	const std::string &path);
 
     void apply() const;
     void clear() const;
@@ -74,6 +76,19 @@ public:
      */
     static void installApplicationRules(const std::string &appId, const std::string &pkgId,
         const std::vector<std::string> &pkgContents);
+    /**
+     * Install privileges-specific smack rules.
+     *
+     * Function creates smack rules using predefined template. Rules are applied
+     * to the kernel and saved on persistent storage so they are loaded on system boot.
+     *
+     * @param[in] appId - application id that is beeing installed
+     * @param[in] pkgId - package id that the application is in
+     * @param[in] pkgContents - a list of all applications in the package
+     * @param[in] privileges - a list of all prvileges
+     */
+    static void installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
+        const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges);
     /**
      * Uninstall package-specific smack rules.
      *
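Review bot: The doc comment on `installApplicationPrivilegesRules` still says the rules come from a "predefined template", which does not match the implementation in smack-rules.cpp. There, each privilege is mapped to its own `<privilege>-template.smack` file under the policy directory, and a privilege with no such file is skipped without error. The comment should say so, and should state that `privileges` entries are used to build file names, so callers know they must be trusted or validated. The typos `beeing` and `prvileges` should be corrected to `being` and `privileges`.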
diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
index 3629e0f..922a56f 100644
--- a/src/common/smack-rules.cpp
+++ b/src/common/smack-rules.cpp
@@ -135,6 +135,29 @@ void SmackRules::saveToFile(const std::string &path) const
     }
 }
 
+void SmackRules::addFromTemplateFile(const std::string &appId,
+        const std::string &pkgId, const std::string &path)
+{
+    std::vector<std::string> templateRules;
+    std::string line;
+    std::ifstream templateRulesFile(path);
+
+    if (!templateRulesFile.is_open()) {
+        LogError("Cannot open rules template file: " << path);
+        ThrowMsg(SmackException::FileError, "Cannot open rules template file: " << path);
+    }
+
+    while (std::getline(templateRulesFile, line)) {
+        templateRules.push_back(line);
+    }
+
+    if (templateRulesFile.bad()) {
+        LogError("Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH);
+        ThrowMsg(SmackException::FileError, "Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH);
+    }
+
+    addFromTemplate(templateRules, appId, pkgId);
+}
 
 void SmackRules::addFromTemplateFile(const std::string &appId,
         const std::string &pkgId)
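Review bot: The read-error branch after the `getline` loop reports `APP_RULES_TEMPLATE_FILE_PATH` in both the log line and the exception message, although this overload reads from the caller-supplied `path`. A failure on a privilege template would therefore be attributed to the wrong file. Both lines should use `path`, e.g. `LogError("Error reading template file: " << path);` with the matching change in the `ThrowMsg` call. The two-argument overload that follows begins in this hunk but its body is outside it; if it contains the same read loop, it could delegate to this overload with `APP_RULES_TEMPLATE_FILE_PATH`.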
@@ -223,7 +246,28 @@ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId)
     std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" +  appId).c_str()));
     return path;
 }
+void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
+        const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges)
+{
+    SmackRules smackRules;
+    std::string appPath = getApplicationRulesFilePath(appId);
+    smackRules.loadFromFile(appPath);
+    struct stat buffer;
+    for (auto privilege : privileges) {
+        if (privilege.empty())
+            continue;
+        std::string fprivilege ( privilege + "-template.smack");
+        std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str()));
+        if( stat(path.c_str(), &buffer) == 0)
+            smackRules.addFromTemplateFile(appId, pkgId, path);
+    }
+
+    if (smack_smackfs_path() != NULL)
+        smackRules.apply();
 
+    smackRules.saveToFile(appPath);
+    updatePackageRules(pkgId, pkgContents);
+}
 void SmackRules::installApplicationRules(const std::string &appId, const std::string &pkgId,
         const std::vector<std::string> &pkgContents)
 {
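Review bot: Each entry of `privileges` is concatenated into a file name (`privilege + "-template.smack"`) with no validation, so a value containing `/` (for example a `../` sequence) makes `tzplatform_mkpath4` resolve outside the `security-manager/policy` directory. Whatever file is found there is then expanded into Smack rules that are applied to the kernel and saved. Whether callers sanitise privilege names is not visible in this hunk, so the loop should reject such names itself: `if (privilege.empty() || privilege.find('/') != std::string::npos) continue;`, ideally with a `LogError`. The `stat()` check followed by a separate open inside `addFromTemplateFile` also leaves a window between check and use, and a privilege with no template is dropped silently; a log line there would make missing policy visible. Iterating with `for (const auto &privilege : privileges)` would avoid copying each string.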
-- 
2.21.0