1 // (C) Copyright 2015 Intel Corporation
3 // Permission is hereby granted, free of charge, to any person obtaining a copy
4 // of this software and associated documentation files (the "Software"), to deal
5 // in the Software without restriction, including without limitation the rights
6 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
7 // copies of the Software, and to permit persons to whom the Software is
8 // furnished to do so, subject to the following conditions:
10 // The above copyright notice and this permission notice shall be included in
11 // all copies or substantial portions of the Software.
13 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
14 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
16 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
17 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
18 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21 #include <security-manager.h>
29 #include <sys/types.h>
37 if (_ret != SECURITY_MANAGER_SUCCESS) { \
38 fprintf(stderr, "Failure in %s:%d: %s: %d = %s\n", __FILE__, __LINE__, #x, _ret, security_manager_strerror((lib_retcode)_ret)); \
39 return EXIT_FAILURE; \
43 static int do_install(app_inst_req *preq)
45 CHECK(security_manager_app_install(preq));
49 static int do_uninstall(app_inst_req *preq)
51 CHECK(security_manager_app_uninstall(preq));
55 static int do_run(const char *appid, const char *uid, const char *file, char *const argv[])
58 fprintf(stderr, "Always need appid, uid for app startup.\n");
68 child = waitpid(child, &status, 0);
74 // We cannot change the UID before security_manager_prepare_app()
75 // (because then setup_smack() fails to change Smack labels of
76 // our fds) and we cannot change the UID after it (because then
77 // security_manager_drop_process_privileges() has already dropped
78 // the necessary CAP_SETUID.
79 // Instead, we need to do the steps from security_manager_prepare_app()
81 CHECK(security_manager_set_process_label_from_appid(appid));
82 CHECK(security_manager_set_process_groups_from_appid(appid));
83 if (setuid(atoi(uid))) {
84 fprintf(stderr, "setuid(%s): %s\n", uid, strerror(errno));
87 CHECK(security_manager_drop_process_privileges());
88 // CHECK(security_manager_prepare_app(appid));
91 fprintf(stderr, "execvp(%s): %s", argv[optind], strerror(errno));
97 int main(int argc, char **argv)
101 const char *appid = NULL;
102 const char *pkgid = NULL;
103 const char *uid = NULL;
104 std::vector<const char *> privileges;
105 std::vector< std::pair<app_install_path_type, std::string> > paths;
106 int install = 0, uninstall = 0, run = 0;
108 while ((opt = getopt(argc, argv, "a:p:u:r:t:ide")) != -1) {
120 privileges.push_back(optarg);
123 const char *colon = strchr(optarg, ':');
125 fprintf(stderr, "-t parameter must be of the format <type>:<path>");
128 std::string typestr(optarg, colon - optarg);
129 std::string path(colon + 1);
130 app_install_path_type type;
131 if (typestr == "private") {
132 type = SECURITY_MANAGER_PATH_PRIVATE;
133 } else if (typestr == "public") {
134 type = SECURITY_MANAGER_PATH_PUBLIC;
135 } else if (typestr == "public-ro") {
136 type = SECURITY_MANAGER_PATH_PUBLIC_RO;
137 } else if (typestr == "rw") {
138 type = SECURITY_MANAGER_PATH_RW;
139 } else if (typestr == "ro") {
140 type = SECURITY_MANAGER_PATH_PRIVATE;
142 fprintf(stderr, "Invalid -t type: %s", typestr.c_str());
145 paths.push_back(std::make_pair(type, path));
159 "Usage: %s -i|-e|-d -a appid -u uid -p pkgid -r privilege1 ... -t private|public|public-ro|rw:<path> ... -- command args\n"
160 " -i = install, command ignored\n"
161 " -e = run command, privileges and pkgid ignored\n"
162 " -d = uninstall, command and privileges ignored\n"
163 " Install, run, and uninstall can be combined into a single invocation.\n",
170 if ((install || uninstall) &&
171 (!appid || !pkgid || !uid)) {
172 fprintf(stderr, "Always need appid, pkgid, uid for app install or uninstall.\n");
175 if (run && optind >= argc) {
176 fprintf(stderr, "Expected command after options\n");
181 CHECK(security_manager_app_inst_req_new(&preq));
183 CHECK(security_manager_app_inst_req_set_app_id(preq, appid));
186 CHECK(security_manager_app_inst_req_set_pkg_id(preq, pkgid));
189 CHECK(security_manager_app_inst_req_set_uid(preq, atoi(uid)));
191 for (size_t i = 0; i < paths.size(); i++) {
192 security_manager_app_inst_req_add_path(preq, paths[i].second.c_str(), paths[i].first);
194 for (size_t i = 0; i < privileges.size(); i++) {
195 CHECK(security_manager_app_inst_req_add_privilege(preq, privileges[i]));
199 bool install_failed = false;
201 result = do_install(preq);
203 install_failed = true;
206 if (run && !install_failed) {
207 int run_result = do_run(appid, uid, argv[optind], argv + optind);
212 if (uninstall && !install_failed) {
213 int uninstall_result = do_uninstall(preq);
214 if (uninstall_result) {
215 result = uninstall_result;
219 security_manager_app_inst_req_free(preq);