From 618920f01b65dfeffe76092057998808163ccb11 Mon Sep 17 00:00:00 2001 From: Jiri Popek Date: Thu, 25 Jul 2019 13:35:11 +0200 Subject: Add option to set owner group of daemon FIFO (#122) New option to set owner group of daemon FIFO (Default: /tmp/dlt) is added in dlt.conf. If this option is used properly, more secure tracing can be realized. Only application that is in dlt_user_apps_group can write log message to daemon FIFO. Signed-off-by: Yusuke Sato --- doc/dlt.conf.5.md | 44 ++++++++++++++++++++++++++++++++++++++++++++ src/daemon/dlt-daemon.c | 38 +++++++++++++++++++++++++++++++++++++- src/daemon/dlt-daemon.h | 3 ++- src/daemon/dlt.conf | 9 ++++++++- 4 files changed, 91 insertions(+), 3 deletions(-) diff --git a/doc/dlt.conf.5.md b/doc/dlt.conf.5.md index 08879b0..5142118 100644 --- a/doc/dlt.conf.5.md +++ b/doc/dlt.conf.5.md 
@@ -135,6 +135,50 @@ Read gateway configuration from another location Default: /etc/dlt_gateway.conf +# Permission configuration + +DLT daemon runs with e.g. + User: genivi_dlt + Group: genivi_dlt + +DLT user applications run with different user and group than dlt-daemon but with supplimentory group: dlt_user_apps_group + +/dlt FIFO will be created by dlt-daemon with + User: genivi_dlt + Group: dlt_user_apps_group + Permission: 620 + +so that only dlt-daemon can read and only processes in dlt_user_apps_group can write. + +/dltpipes will be created by dlt-daemon with + User: genivi_dlt + Group: genivi_dlt + Permission: 3733 (i.e Sticky bit and SGID turned on) + +/dltpipes/dlt FIFO will be created by dlt application (user lib) with + User: + Group: genivi_dlt (inherited from dltpipes/ due to SGID) + Permission: 620 + +Thus DLT user applications (and also or attackers) can create the dlt FIFO +(for communication from dlt-daemon to DLT user application) under /dltpipes/. Since sticky bit is set the applications who creates the FIFO can only rename/delete it. + +Since SGID of /dltpipes is set the group of dlt FIFO will be genivi_dlt which enables dlt daemon to have write permission on all the dlt FIFO. + +One dlt user application cannot access dlt FIFO created by other dlt user application(if they run with different user). + +Owner group of daemon FIFO directory(Default: /tmp/dlt) (If not set, primary group of dlt-daemon process is used). +Application should have write permission to this group for tracing into dlt. For this opton to work, dlt-daemon should have this group in it's supplementary group. 
+ +## DaemonFifoGroup + +Owner group of daemon FIFO directory +(If not set, primary group of dlt-daemon process is used) +Application should have write permission to this group for tracing into dlt +For this opton to work, dlt-daemon should have this group in it's Supplementary group + + Default: group of dlt-daemon process (/tmp/dlt) + # CONTROL APPLICATION OPTIONS ## ControlSocketPath diff --git a/src/daemon/dlt-daemon.c b/src/daemon/dlt-daemon.c index 7b80ef1..c305887 100644 --- a/src/daemon/dlt-daemon.c +++ b/src/daemon/dlt-daemon.c @@ -39,6 +39,7 @@ #include #include #include +#include #ifdef linux # include @@ -253,7 +254,8 @@ int option_file_parser(DltDaemonLocal *daemon_local) if (strlen(DLT_USER_IPC_PATH) > DLT_IPC_PATH_MAX) fprintf(stderr, "Provided path too long...trimming it to path[%s]\n", daemon_local->flags.appSockPath); - +#else + memset(daemon_local->flags.daemonFifoGroup, 0, sizeof(daemon_local->flags.daemonFifoGroup)); #endif daemon_local->flags.gatewayMode = 0; strncpy(daemon_local->flags.gatewayConfigFile, @@ -566,6 +568,11 @@ int option_file_parser(DltDaemonLocal *daemon_local) intval); } } + else if(strcmp(token, "DaemonFifoGroup") == 0) + { + strncpy(daemon_local->flags.daemonFifoGroup, value, NAME_MAX); + daemon_local->flags.daemonFifoGroup[NAME_MAX] = 0; + } else if (strcmp(token, "BindAddress") == 0) { DltBindAddress_t *newNode = NULL; 
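Review bot: In the `DaemonFifoGroup` branch added to option_file_parser, the copy is bounded by `NAME_MAX` and the terminator is written at index `NAME_MAX`, but the destination is declared as `char daemonFifoGroup[DLT_PATH_MAX]` in the dlt-daemon.h hunk of this commit, so the write stays in bounds only if `DLT_PATH_MAX` is larger than `NAME_MAX`, which is not visible here. Tie the bound to the destination instead: `strncpy(daemon_local->flags.daemonFifoGroup, value, sizeof(daemon_local->flags.daemonFifoGroup) - 1);` followed by `daemon_local->flags.daemonFifoGroup[sizeof(daemon_local->flags.daemonFifoGroup) - 1] = 0;`. A configured name longer than the buffer is silently truncated and could then resolve to a different group, so rejecting an over-long value with a log message would be safer than truncating it. The parser function starts and ends outside this hunk.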
@@ -1085,6 +1092,35 @@ static int dlt_daemon_init_fifo(DltDaemonLocal *daemon_local) return -1; } /* if */ + /* Set group of daemon FIFO */ + if (daemon_local->flags.daemonFifoGroup[0] != 0) + { + errno = 0; + struct group * group_dlt = getgrnam(daemon_local->flags.daemonFifoGroup); + if (group_dlt) + { + ret = chown(tmpFifo, -1, group_dlt->gr_gid); + if (ret == -1) + { + dlt_vlog(LOG_ERR, "FIFO user %s cannot be chowned to group %s (%s)\n", + tmpFifo, daemon_local->flags.daemonFifoGroup, + strerror(errno)); + } + } + else if ((errno == 0) || (errno == ENOENT) || (errno == EBADF) || (errno == EPERM)) + { + dlt_vlog(LOG_ERR, "Group name %s is not found (%s)\n", + daemon_local->flags.daemonFifoGroup, + strerror(errno)); + } + else + { + dlt_vlog(LOG_ERR, "Failed to get group id of %s (%s)\n", + daemon_local->flags.daemonFifoGroup, + strerror(errno)); + } + } + fd = open(tmpFifo, O_RDWR); if (fd == -1) { diff --git a/src/daemon/dlt-daemon.h b/src/daemon/dlt-daemon.h index 6c87335..3d35335 100644 --- a/src/daemon/dlt-daemon.h +++ b/src/daemon/dlt-daemon.h @@ -123,7 +123,8 @@ typedef struct char userPipesDir[DLT_PATH_MAX]; /**< (String: Directory) directory where dltpipes reside (Default: /tmp/dltpipes) */ #endif char daemonFifoName[DLT_PATH_MAX]; /**< (String: Filename) name of local fifo (Default: /tmp/dlt) */ - unsigned int port; /**< port number */ + char daemonFifoGroup[DLT_PATH_MAX]; /**< (String: Group name) Owner group of local fifo (Default: Primary Group) */ + unsigned int port; /**< port number */ char ctrlSockPath[DLT_DAEMON_FLAG_MAX]; /**< Path to Control socket */ int gatewayMode; /**< (Boolean) Gateway Mode */ char gatewayConfigFile[DLT_DAEMON_FLAG_MAX]; /**< Gateway config file path */ diff --git a/src/daemon/dlt.conf b/src/daemon/dlt.conf index 746176d..f9f02a1 100644 --- a/src/daemon/dlt.conf +++ b/src/daemon/dlt.conf 
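Review bot: The group change in dlt_daemon_init_fifo is applied by path with `chown(tmpFifo, ...)` before the FIFO is opened, and the default location named in this commit is under /tmp, so the ownership change is not tied to the object the daemon then opens. Doing it after the `open()` on the descriptor, `ret = fchown(fd, (uid_t)-1, group_dlt->gr_gid);`, ideally after an `fstat()` check that `fd` is a FIFO, closes that gap. All three failure paths only log and fall through to `open()`, so a daemon configured with DaemonFifoGroup keeps running with the FIFO in its primary group; if the option is meant as an access control, returning -1 here would make a misconfiguration visible. The message `FIFO user %s cannot be chowned` prints the FIFO path, so `FIFO %s` would read more accurately. The function body starts and ends outside the hunk.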
@@ -81,6 +81,13 @@ RingbufferStepSize = 500000 # Read gateway configuration from another location # GatewayConfigFile = /etc/dlt_gateway.conf +######################################################################## +# Permission configuration # +# ==================================================================== # +# Owner group of daemon FIFO directory(Default: /tmp/dlt) +# (If not set, primary group of dlt-daemon process is used) +# DaemonFifoGroup = dlt_user_apps_group + ######################################################################## # Control Application # ######################################################################## @@ -181,4 +188,4 @@ ControlSocketPath = /tmp/dlt-ctrl.sock # The IP addresses must be separated with ',' or ';' but not with space character ' ' # If DLT_USE_IPv6 flag is ON, then only IPv6 addresses are accepted # If DLT_USE_IPv6 flag is OFF, then only IPv4 addresses are accepted -# BindAddress = 160.48.199.97;160.48.199.98 \ No newline at end of file +# BindAddress = 160.48.199.97;160.48.199.98 -- cgit v1.2.1