|
1 /* |
|
2 * Copyright (c) 2008-2009 Nokia Corporation and/or its subsidiary(-ies). |
|
3 * All rights reserved. |
|
4 * This component and the accompanying materials are made available |
|
5 * under the terms of the License "Eclipse Public License v1.0" |
|
6 * which accompanies this distribution, and is available |
|
7 * at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
8 * |
|
9 * Initial Contributors: |
|
10 * Nokia Corporation - initial contribution. |
|
11 * |
|
12 * Contributors: |
|
13 * |
|
14 * Description: |
|
15 * Implements CScrServer providing management of SCR services. |
|
16 * |
|
17 */ |
|
18 |
|
19 |
|
20 /** |
|
21 @file |
|
22 @internalComponent |
|
23 @released |
|
24 */ |
|
25 |
|
26 #include "scrserver.h" |
|
27 #include "scrrequestimpl.h" |
|
28 #include "usiflog.h" |
|
29 #include <scs/cleanuputils.h> |
|
30 #include "scrhelperclient.h" |
|
31 #include <scs/securityutils.h> |
|
32 |
|
33 using namespace Usif; |
|
34 |
|
35 _LIT_SECURE_ID(KSisRegistryServerSid, 0x10202DCA); |
|
36 |
|
37 static const TUint scrRangeCount = 11; |
|
38 |
|
39 static const TInt scrRanges[scrRangeCount] = |
|
40 { |
|
41 0, // Range-0 - 0 to EBaseSession-1. Not used. |
|
42 CScsServer::EBaseSession, // Range-1 - EBaseSession to EBaseMustAllow exclusive. |
|
43 CScsServer::EBaseSession | EGetSingleComponentSize, // Modification and transaction APIs have custom checks |
|
44 CScsServer::EBaseSession | EGetComponentIdListSize, // Component-specific APIs are free for all |
|
45 CScsServer::EBaseSession | EGetIsMediaPresent, // Getting all component IDs is restricted to ReadUserData |
|
46 CScsServer::EBaseSession | ESetScomoState, // Component-specific APIs are free for all |
|
47 CScsServer::EBaseSession | EGetPluginUidWithMimeType, // SetScomoState has custom checks (as with the rest of modification APIs) |
|
48 CScsServer::EBaseSession | EAddSoftwareType, // File filter sub-sessions and plugin-fetching APIs are free for all |
|
49 CScsServer::EBaseSubSession | EOpenComponentsView, // Software Type management APIs are only allowed for SWI |
|
50 CScsServer::EBaseSubSession | EOpenFileList, // Component filter sub-sessions require ReadUserData |
|
51 CScsServer::EBaseMustAllow // File filter sub-session are free for all, the rest of the range is reserved for SCS, and must be allowed( EBaseMustAllow to KMaxTInt inclusive) |
|
52 }; |
|
53 |
|
54 static const TUint8 scrElementsIndex[scrRangeCount] = |
|
55 { |
|
56 CPolicyServer::ENotSupported, // Range 0 is not supported. |
|
57 CPolicyServer::ECustomCheck, |
|
58 CPolicyServer::EAlwaysPass, |
|
59 0, // Require ReadUserData |
|
60 CPolicyServer::EAlwaysPass, |
|
61 CPolicyServer::ECustomCheck, |
|
62 CPolicyServer::EAlwaysPass, |
|
63 1, // Only SWI process can invoke |
|
64 0, // Require ReadUserData |
|
65 CPolicyServer::EAlwaysPass, |
|
66 CPolicyServer::EAlwaysPass |
|
67 }; |
|
68 |
|
69 static const CPolicyServer::TPolicyElement scrElements[] = |
|
70 { |
|
71 {_INIT_SECURITY_POLICY_C1(ECapabilityReadUserData), CPolicyServer::EFailClient}, |
|
72 {_INIT_SECURITY_POLICY_S0(KSisRegistryServerSid.iId), CPolicyServer::EFailClient} |
|
73 }; |
|
74 |
|
75 static const CPolicyServer::TPolicy scrPolicy = |
|
76 { |
|
77 CPolicyServer::EAlwaysPass, // Allow all connections |
|
78 scrRangeCount, |
|
79 scrRanges, |
|
80 scrElementsIndex, |
|
81 scrElements, |
|
82 }; |
|
83 |
|
84 // |
|
85 // CScrServer |
|
86 // |
|
87 |
|
88 CScrServer::CScrServer() |
|
89 /** |
|
90 Intializes the SCR server object with its version and policy. |
|
91 */ |
|
92 : CScsServer(ScrServerVersion(), scrPolicy) |
|
93 { |
|
94 DEBUG_PRINTF(_L8("SCR server construction!")); |
|
95 } |
|
96 |
|
97 CScrServer::~CScrServer() |
|
98 /** |
|
99 Destructor. Cleanup the SCR Server. |
|
100 */ |
|
101 { |
|
102 DEBUG_PRINTF(_L8("SCR server destruction!")); |
|
103 delete iRequestImpl; |
|
104 iDatabaseFile.Close(); |
|
105 iJournalFile.Close(); |
|
106 iFs.Close(); |
|
107 iSubsessionOwners.Close(); |
|
108 } |
|
109 |
|
110 |
|
111 CScrServer* CScrServer::NewLC() |
|
112 /** |
|
113 Factory function allocates a new instance of CScrServer. |
|
114 |
|
115 @return The newly created instance of CScrServer which is left on the cleanup stack. |
|
116 */ |
|
117 { |
|
118 CScrServer *self = new (ELeave) CScrServer(); |
|
119 CleanupStack::PushL(self); |
|
120 self->ConstructL(); |
|
121 return self; |
|
122 } |
|
123 |
|
124 |
|
125 void CScrServer::ConstructL() |
|
126 /** |
|
127 Second phase constructor starts the SCR server. |
|
128 */ |
|
129 { |
|
130 // StartL() must be called first in order to avoid concurrency issue when starting the server from two or more processes |
|
131 StartL(KSoftwareComponentRegistryName); |
|
132 CScsServer::ConstructL(KScrServerShutdownPeriod); |
|
133 SetupL(); |
|
134 } |
|
135 |
|
136 void CheckFilePathL(RFs& aFs, RFile& aFile, const TDesC& aExpectedPath) |
|
137 { |
|
138 RBuf fileName; |
|
139 fileName.CreateL(KMaxFileName); |
|
140 fileName.CleanupClosePushL(); |
|
141 User::LeaveIfError(aFile.FullName(fileName)); |
|
142 |
|
143 RBuf expectedFileName; |
|
144 expectedFileName.CreateL(aExpectedPath.Length()); |
|
145 expectedFileName.CleanupClosePushL(); |
|
146 expectedFileName.Copy(aExpectedPath); |
|
147 expectedFileName[0] = aFs.GetSystemDriveChar(); |
|
148 |
|
149 __ASSERT_ALWAYS(!fileName.CompareF(expectedFileName), User::Leave(KErrBadHandle)); |
|
150 |
|
151 CleanupStack::PopAndDestroy(2, &fileName); // fileName, expectedFileName |
|
152 } |
|
153 |
|
154 void CScrServer::SetupL() |
|
155 { |
|
156 // Connect to the file server |
|
157 User::LeaveIfError(iFs.Connect()); |
|
158 User::LeaveIfError(iFs.ShareProtected()); |
|
159 |
|
160 // Connect to the SCR database |
|
161 RScrHelper sh; |
|
162 User::LeaveIfError(sh.Connect()); |
|
163 CleanupClosePushL(sh); |
|
164 |
|
165 // Retrieve handles for database and journal files |
|
166 sh.RetrieveFileHandlesL(iDatabaseFile, iJournalFile); |
|
167 CleanupStack::PopAndDestroy(&sh); |
|
168 |
|
169 // Check if the retrieved file handles belong to the expected files (KScrDatabaseFilePath/KScrJournalFilePath). |
|
170 // This is an extra security measure in the SCR to check that the file handle transferred from SCR Helper Server |
|
171 // really corresponds to scr.db/scr.db-journal in the expected location. |
|
172 CheckFilePathL(iFs, iDatabaseFile, KScrDatabaseFilePath); |
|
173 CheckFilePathL(iFs, iJournalFile, KScrJournalFilePath); |
|
174 |
|
175 ReconnectL(); |
|
176 } |
|
177 |
|
178 CScsSession* CScrServer::DoNewSessionL(const RMessage2& aMessage) |
|
179 /** |
|
180 Implement CScsServer by allocating a new instance of CScrSession. |
|
181 |
|
182 @param aMessage Standard server-side handle to message. |
|
183 @return New instance of the SCR session class which is owned by the caller. |
|
184 */ |
|
185 { |
|
186 DEBUG_PRINTF(_L8("SCR session creation!")); |
|
187 return CScrSession::NewL(*this, aMessage); |
|
188 } |
|
189 |
|
190 CPolicyServer::TCustomResult CScrServer::CheckComponentIdMatchingEnvironmentL(const RMessage2& aMsg) |
|
191 { |
|
192 TComponentId componentId = CScrRequestImpl::GetComponentIdFromMsgL(aMsg); |
|
193 TSecureId clientSid = aMsg.SecureId(); |
|
194 |
|
195 TSecureId installerSid (0); |
|
196 if(iRequestImpl->GetInstallerSidForComponentL(componentId, installerSid)) |
|
197 { |
|
198 if (clientSid == installerSid) |
|
199 return EPass; |
|
200 } |
|
201 |
|
202 // Minor optimisation - in most legal cases, the installer is the one which should be doing operations, |
|
203 // so we check it first to reduce the second query |
|
204 TSecureId executionEnvironmentSid (0); |
|
205 if(iRequestImpl->GetExecutionEnvSidForComponentL(componentId, executionEnvironmentSid)) |
|
206 { |
|
207 if (clientSid == executionEnvironmentSid) |
|
208 return EPass; |
|
209 } |
|
210 |
|
211 DEBUG_PRINTF5(_L("Neither installer nor execution environment matched the client while checking for component-matching environment. Installer SID %d, execution environment SID %d, client SID %d, component ID %d"), |
|
212 TUint32(installerSid), TUint32(executionEnvironmentSid), TUint32(clientSid), componentId); |
|
213 return EFail; |
|
214 } |
|
215 |
|
216 CPolicyServer::TCustomResult CScrServer::CheckDeleteComponentAllowedL(const RMessage2& aMsg) |
|
217 { |
|
218 const TUint KSifServerSid = 0x10285BCB; |
|
219 |
|
220 if (CheckComponentIdMatchingEnvironmentL(aMsg) == EPass) |
|
221 return EPass; |
|
222 |
|
223 TSecureId clientSid = aMsg.SecureId(); |
|
224 TComponentId componentId = CScrRequestImpl::GetComponentIdFromMsgL(aMsg); |
|
225 // If a component does not have corresponding environments, it means that it is orphaned. In this case, SIF is allowed to forcefully remove it |
|
226 if (iRequestImpl->GetIsComponentOrphanedL(componentId) && (TUint32(clientSid) == KSifServerSid)) |
|
227 { |
|
228 DEBUG_PRINTF2(_L("Allowing SIF to uninstall orphaned component %d"), componentId); |
|
229 return EPass; |
|
230 } |
|
231 |
|
232 return EFail; |
|
233 } |
|
234 |
|
235 CPolicyServer::TCustomResult CScrServer::CheckSoftwareNameMatchingEnvironmentL(const RMessage2& aMsg) |
|
236 { |
|
237 HBufC* softwareTypeName = CScrRequestImpl::GetSoftwareTypeNameFromMsgLC(aMsg); |
|
238 |
|
239 TSecureId installerSid, executionEnvSid; |
|
240 if(!iRequestImpl->GetSidsForSoftwareTypeL(softwareTypeName, installerSid, executionEnvSid)) |
|
241 { |
|
242 DEBUG_PRINTF2(_L("SID couldn't be found for software type (%S)!"), softwareTypeName); |
|
243 CleanupStack::PopAndDestroy(softwareTypeName); |
|
244 return EFail; |
|
245 } |
|
246 CleanupStack::PopAndDestroy(softwareTypeName); |
|
247 |
|
248 TSecureId clientSid = aMsg.SecureId(); |
|
249 if (clientSid == installerSid || clientSid == executionEnvSid) |
|
250 return EPass; |
|
251 |
|
252 DEBUG_PRINTF4(_L("Neither installer nor execution environment matched the client while checking for component-matching environment. Installer SID %d, execution environment SID %d, client SID %d"), |
|
253 TUint32(installerSid), TUint32(executionEnvSid), TUint32(clientSid)); |
|
254 return EFail; |
|
255 } |
|
256 |
|
257 CPolicyServer::TCustomResult CScrServer::CheckAllowedFilePathL(const RMessage2& aMsg) |
|
258 { |
|
259 HBufC* fileName = CScrRequestImpl::ReadFileNameFromMsgLC(aMsg); |
|
260 |
|
261 // Retrieve the required capabilities for write access to this path |
|
262 TCapabilitySet requiredCapabilities = SecCommonUtils::FileModificationRequiredCapabilitiesL(*fileName, aMsg.SecureId()); |
|
263 |
|
264 TBool result = EFalse; |
|
265 TBool allFilesRequired = requiredCapabilities.HasCapability(ECapabilityAllFiles); |
|
266 TBool tcbRequired = requiredCapabilities.HasCapability(ECapabilityTCB); |
|
267 |
|
268 // Test whether the client has at least one of the required capabilities |
|
269 if (allFilesRequired) |
|
270 result = aMsg.HasCapability(ECapabilityAllFiles); |
|
271 if (!result && tcbRequired) |
|
272 result = aMsg.HasCapability(ECapabilityTCB); |
|
273 if (!allFilesRequired && !tcbRequired) |
|
274 result = ETrue; |
|
275 |
|
276 CleanupStack::PopAndDestroy(fileName); |
|
277 return result ? EPass : EFail; |
|
278 } |
|
279 |
|
280 CPolicyServer::TCustomResult CScrServer::CheckClientIsInstallerL(const RMessage2& aMsg) |
|
281 { |
|
282 TSecureId clientSid = aMsg.SecureId(); |
|
283 DEBUG_PRINTF2(_L("The client SID is 0x%X"), clientSid.iId); |
|
284 TBool isInstallerSid = iRequestImpl->IsInstallerOrExecutionEnvSidL(clientSid); |
|
285 return isInstallerSid ? EPass : EFail; |
|
286 } |
|
287 |
|
288 CPolicyServer::TCustomResult CScrServer::CheckCommonComponentPropertySettableL(const RMessage2& aMsg, TCapability aRequiredCapability) |
|
289 { |
|
290 // Setting a common component property is allowed either for the owning installer or for a process with corresponding capability |
|
291 if (CheckComponentIdMatchingEnvironmentL(aMsg) == EPass) |
|
292 return EPass; |
|
293 return aMsg.HasCapability(aRequiredCapability)? EPass : EFail; |
|
294 } |
|
295 |
|
296 CPolicyServer::TCustomResult CScrServer::CustomSecurityCheckL(const RMessage2& aMsg, TInt& /*aAction*/, TSecurityInfo& /*aMissing*/) |
|
297 { |
|
298 // SCS framework adds its own bitmask to the function id - we need to strip it in order to detect the actual function invoked |
|
299 TInt functionId = StripScsFunctionMask(aMsg.Function()); |
|
300 |
|
301 switch (functionId) |
|
302 { |
|
303 case ECreateTransaction: |
|
304 case ERollbackTransaction: |
|
305 case ECommitTransaction: |
|
306 return CheckClientIsInstallerL(aMsg); |
|
307 case EAddComponent: |
|
308 case EAddComponentDependency: |
|
309 case EDeleteComponentDependency: |
|
310 return CheckSoftwareNameMatchingEnvironmentL(aMsg); |
|
311 case ERegisterComponentFile: |
|
312 case ESetFileStringProperty: |
|
313 case ESetFileNumericProperty: |
|
314 case EDeleteFileProperty: |
|
315 case EUnregisterComponentFile: |
|
316 // For file registration we check that the client is actually allowed to modify files under this location |
|
317 // We do not check for the installer SID, since if the client can write to this location, then registering this location for other components |
|
318 // does not pose additional risk |
|
319 return CheckAllowedFilePathL(aMsg); |
|
320 case ESetComponentLocalizableProperty: |
|
321 case ESetComponentNumericProperty: |
|
322 case ESetComponentBinaryProperty: |
|
323 case ESetComponentName: |
|
324 case ESetComponentVendor: |
|
325 case ESetComponentVersion: |
|
326 case ESetComponentSize: |
|
327 case EDeleteComponentProperty: |
|
328 case ESetScomoState: |
|
329 case ESetIsComponentPresent: |
|
330 return CheckComponentIdMatchingEnvironmentL(aMsg); |
|
331 case EDeleteComponent: |
|
332 return CheckDeleteComponentAllowedL(aMsg); |
|
333 case ESetIsComponentRemovable: |
|
334 return CheckCommonComponentPropertySettableL(aMsg, ECapabilityAllFiles); |
|
335 case ESetIsComponentDrmProtected: |
|
336 case ESetIsComponentHidden: |
|
337 case ESetIsComponentKnownRevoked: |
|
338 case ESetIsComponentOriginVerified: |
|
339 return CheckCommonComponentPropertySettableL(aMsg, ECapabilityWriteDeviceData); |
|
340 default: |
|
341 DEBUG_PRINTF2(_L("Unknown function was invoked in CustomSecurityCheck - %d"), functionId); |
|
342 __ASSERT_DEBUG(0, User::Invariant()); |
|
343 return EFail; |
|
344 } |
|
345 } |
|
346 |
|
347 void CScrServer::ReconnectL() |
|
348 { |
|
349 DeleteObjectZ(iRequestImpl); |
|
350 iRequestImpl = CScrRequestImpl::NewL(iFs, iDatabaseFile, iJournalFile); |
|
351 } |
|
352 |
|
353 void CScrServer::AddSubsessionOwnerL(CScrSession* aSession) |
|
354 { |
|
355 iSubsessionOwners.InsertInAddressOrderAllowRepeatsL(aSession); |
|
356 } |
|
357 |
|
358 void CScrServer::RemoveSubsessionOwner(CScrSession* aSession) |
|
359 { |
|
360 TInt index = iSubsessionOwners.FindInAddressOrder(aSession); |
|
361 if(KErrNotFound != index) |
|
362 iSubsessionOwners.Remove(index); |
|
363 } |
|
364 |
|
365 TBool CScrServer::IsTheOnlySubsessionOwner(CScrSession* aSession) |
|
366 { |
|
367 TInt firstElementIdx = 0; |
|
368 TInt lastElementIdx = iSubsessionOwners.Count(); |
|
369 // if both first element and the last element in the array is the provided session |
|
370 // it means that all active subsessions is owned by this session. |
|
371 if(firstElementIdx == iSubsessionOwners.SpecificFindInAddressOrder(aSession, EArrayFindMode_First) && |
|
372 lastElementIdx == iSubsessionOwners.SpecificFindInAddressOrder(aSession, EArrayFindMode_Last)) |
|
373 { |
|
374 return ETrue; |
|
375 } |
|
376 return EFalse; |
|
377 } |
|
378 |
|
379 TInt CScrServer::SubsessionCount() |
|
380 { |
|
381 return iSubsessionOwners.Count(); |
|
382 } |
|
383 |
|
384 void CScrServer::SetTransactionOwner(CScrSession* aSession) |
|
385 { |
|
386 iTransactionOwningSession = aSession; |
|
387 } |
|
388 |
|
389 |
|
390 TBool CScrServer::IsTransactionInProgress() |
|
391 { |
|
392 if(iTransactionOwningSession) |
|
393 return ETrue; |
|
394 else |
|
395 return EFalse; |
|
396 } |
|
397 |
|
398 |
|
399 TBool CScrServer::IsTransactionOwner(CScrSession* aSession) |
|
400 { |
|
401 __ASSERT_ALWAYS(aSession, User::Invariant()); |
|
402 if(aSession == iTransactionOwningSession) |
|
403 return ETrue; |
|
404 else |
|
405 return EFalse; |
|
406 } |
|
407 |
|
408 void CScrServer::DoPreHeapMarkOrCheckL() |
|
409 /** |
|
410 This function is called by the framework just before settingchecking a heap mark. We need to compress/free memory |
|
411 down to a state which should be the same both before and after the test operations. |
|
412 */ |
|
413 { |
|
414 #ifdef _DEBUG |
|
415 iSubsessionOwners.Compress(); |
|
416 DeleteObjectZ(iRequestImpl); |
|
417 #endif |
|
418 } |
|
419 |
|
420 void CScrServer::DoPostHeapMarkOrCheckL() |
|
421 /** |
|
422 This function is called by the framework just before settingchecking a heap mark. We need to compress/free memory |
|
423 down to a state which should be the same both before and after the test operations. |
|
424 */ |
|
425 { |
|
426 #ifdef _DEBUG |
|
427 this->ReconnectL(); |
|
428 #endif |
|
429 } |