Google Git
Sign in
cos / mirrors / cros / chromiumos / platform2 / refs/heads/stabilize-15857.B / . / dlp / dlp_adaptor.cc
blob: f5e3e2465737ab7a2c9a5c6ffbec5a2766ec922d [file] [log] [blame]
// Copyright 2021 The ChromiumOS Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "dlp/dlp_adaptor.h"
#include <cstdint>
#include <set>
#include <string>
#include <sys/types.h>
#include <type_traits>
#include <utility>
#include <vector>
#include <base/check.h>
#include <base/containers/contains.h>
#include <base/files/file_enumerator.h>
#include <base/files/file_path.h>
#include <base/files/file_util.h>
#include <base/files/scoped_file.h>
#include <base/functional/bind.h>
#include <base/functional/callback_helpers.h>
#include <base/location.h>
#include <base/logging.h>
#include <base/process/process_handle.h>
#include <base/strings/string_number_conversions.h>
#include <base/task/single_thread_task_runner.h>
#include <base/time/time.h>
#include <brillo/dbus/dbus_object.h>
#include <brillo/errors/error.h>
#include <dbus/dlp/dbus-constants.h>
#include <featured/feature_library.h>
#include <google/protobuf/message_lite.h>
#include <session_manager/dbus-proxies.h>
#include <sqlite3.h>
#include "dlp/proto_bindings/dlp_service.pb.h"
namespace dlp {
// The maximum delay in between file creation and adding file to database.
constexpr base::TimeDelta kAddFileMaxDelay = base::Minutes(1);
namespace {
// Serializes |proto| to a vector of bytes. CHECKs for success (should
// never fail if there are no required proto fields).
std::vector<uint8_t> SerializeProto(
const google::protobuf::MessageLite& proto) {
std::vector<uint8_t> proto_blob(proto.ByteSizeLong());
CHECK(proto.SerializeToArray(proto_blob.data(), proto_blob.size()));
return proto_blob;
}
// Parses a proto from an array of bytes |proto_blob|. Returns
// error message or empty string if no error.
std::string ParseProto(const base::Location& from_here,
google::protobuf::MessageLite* proto,
const std::vector<uint8_t>& proto_blob) {
if (!proto->ParseFromArray(proto_blob.data(), proto_blob.size())) {
const std::string error_message = "Failed to parse proto message.";
LOG(ERROR) << from_here.ToString() << " " << error_message;
return error_message;
}
return "";
}
FileEntry ConvertToFileEntry(FileId id, AddFileRequest request) {
FileEntry result;
result.id = id;
if (request.has_source_url())
result.source_url = request.source_url();
if (request.has_referrer_url())
result.referrer_url = request.referrer_url();
return result;
}
std::set<std::pair<base::FilePath, FileId>> EnumerateFiles(
scoped_refptr<base::SingleThreadTaskRunner> task_runner,
const base::FilePath& root_path) {
CHECK(task_runner->RunsTasksInCurrentSequence());
std::set<std::pair<base::FilePath, FileId>> files;
base::FileEnumerator enumerator(root_path, /*recursive=*/true,
base::FileEnumerator::FILES);
for (base::FilePath entry = enumerator.Next(); !entry.empty();
entry = enumerator.Next()) {
FileId file_id = GetFileId(entry.value());
if (file_id.first > 0) {
files.insert(std::make_pair(entry, file_id));
}
}
return files;
}
// Checks whether the list of the rules is exactly the same.
bool SameRules(const std::vector<DlpFilesRule> rules1,
const std::vector<DlpFilesRule> rules2) {
if (rules1.size() != rules2.size()) {
return false;
}
for (int i = 0; i < rules1.size(); ++i) {
if (SerializeProto(rules1[i]) != SerializeProto(rules2[i])) {
return false;
}
}
return true;
}
// Whether the cached level should be re-checked.
bool RequiresCheck(RestrictionLevel level) {
return level == LEVEL_UNSPECIFIED || level == LEVEL_WARN_CANCEL;
}
// If the action is permanently blocked by the current policy.
bool IsAlwaysBlocked(RestrictionLevel level) {
return level == LEVEL_BLOCK;
}
} // namespace
const struct VariationsFeature kCrOSLateBootDlpDatabaseCleanupFeature = {
.name = "CrOSLateBootDlpDatabaseCleanupFeature",
.default_state = FEATURE_DISABLED_BY_DEFAULT,
};
DlpAdaptor::DlpAdaptor(
std::unique_ptr<brillo::dbus_utils::DBusObject> dbus_object,
feature::PlatformFeaturesInterface* feature_lib,
int fanotify_perm_fd,
int fanotify_notif_fd,
const base::FilePath& home_path)
: org::chromium::DlpAdaptor(this),
dbus_object_(std::move(dbus_object)),
feature_lib_(feature_lib),
home_path_(home_path),
file_enumeration_thread_("file_enumeration_thread") {
dlp_metrics_ = std::make_unique<DlpMetrics>();
fanotify_watcher_ = std::make_unique<FanotifyWatcher>(this, fanotify_perm_fd,
fanotify_notif_fd);
dlp_files_policy_service_ =
std::make_unique<org::chromium::DlpFilesPolicyServiceProxy>(
dbus_object_->GetBus().get(), kDlpFilesPolicyServiceName);
CHECK(file_enumeration_thread_.Start())
<< "Failed to start file enumeration thread.";
file_enumeration_task_runner_ = file_enumeration_thread_.task_runner();
CHECK(!file_enumeration_task_runner_->RunsTasksInCurrentSequence());
}
DlpAdaptor::~DlpAdaptor() {
if (!pending_files_to_add_.empty()) {
DCHECK(!db_);
dlp_metrics_->SendAdaptorError(
AdaptorError::kAddFileNotCompleteBeforeDestruction);
}
file_enumeration_thread_.Stop();
}
void DlpAdaptor::RegisterAsync(
brillo::dbus_utils::AsyncEventSequencer::CompletionAction
completion_callback) {
RegisterWithDBusObject(dbus_object_.get());
dbus_object_->RegisterAsync(std::move(completion_callback));
}
std::vector<uint8_t> DlpAdaptor::SetDlpFilesPolicy(
const std::vector<uint8_t>& request_blob) {
LOG(INFO) << "Received DLP files policy.";
SetDlpFilesPolicyRequest request;
std::string error_message = ParseProto(FROM_HERE, &request, request_blob);
SetDlpFilesPolicyResponse response;
if (!error_message.empty()) {
response.set_error_message(error_message);
dlp_metrics_->SendAdaptorError(AdaptorError::kInvalidProtoError);
return SerializeProto(response);
}
auto new_rules =
std::vector<DlpFilesRule>(request.rules().begin(), request.rules().end());
// No update is needed.
if (SameRules(policy_rules_, new_rules)) {
return SerializeProto(response);
}
requests_cache_.ResetCache();
policy_rules_.swap(new_rules);
if (!policy_rules_.empty()) {
EnsureFanotifyWatcherStarted();
} else {
fanotify_watcher_->SetActive(false);
}
return SerializeProto(response);
}
void DlpAdaptor::AddFiles(
std::unique_ptr<
brillo::dbus_utils::DBusMethodResponse<std::vector<uint8_t>>> response,
const std::vector<uint8_t>& request_blob) {
AddFilesRequest request;
const std::string parse_error = ParseProto(FROM_HERE, &request, request_blob);
if (!parse_error.empty()) {
ReplyOnAddFiles(std::move(response),
"Failed to parse AddFiles request: " + parse_error);
dlp_metrics_->SendAdaptorError(AdaptorError::kInvalidProtoError);
return;
}
if (request.add_file_requests().empty()) {
ReplyOnAddFiles(std::move(response), std::string());
return;
}
LOG(INFO) << "Adding " << request.add_file_requests().size()
<< " files to the database.";
std::vector<FileEntry> files_to_add;
std::vector<base::FilePath> files_paths;
std::vector<FileId> files_ids;
for (const AddFileRequest& add_file_request : request.add_file_requests()) {
LOG(INFO) << "Adding file to the database: "
<< add_file_request.file_path();
base::FilePath file_path(add_file_request.file_path());
if (base::IsLink(file_path)) {
auto resolved_path = base::ReadSymbolicLinkAbsolute(file_path);
if (!resolved_path) {
ReplyOnAddFiles(std::move(response), "Failed to follow symlink");
dlp_metrics_->SendAdaptorError(AdaptorError::kFailedToFollowSymlink);
return;
}
file_path = resolved_path.value();
LOG(INFO) << "Resolved link to: " << file_path;
}
const FileId id = GetFileId(file_path.value());
if (!id.first) {
ReplyOnAddFiles(std::move(response), "Failed to get inode");
dlp_metrics_->SendAdaptorError(AdaptorError::kInodeRetrievalError);
return;
}
// If file is created too long time ago - do not allow addition to the
// database. DLP is only for new files.
const base::Time crtime = base::Time::FromTimeT(id.second);
if (base::Time::Now() - crtime >= kAddFileMaxDelay) {
ReplyOnAddFiles(std::move(response), "File is too old");
dlp_metrics_->SendAdaptorError(AdaptorError::kAddedFileIsTooOld);
return;
}
if (!home_path_.IsParent(file_path)) {
ReplyOnAddFiles(std::move(response), "File is not on user's home");
dlp_metrics_->SendAdaptorError(AdaptorError::kAddedFileIsNotOnUserHome);
return;
}
FileEntry file_entry = ConvertToFileEntry(id, add_file_request);
files_to_add.push_back(file_entry);
files_paths.push_back(file_path);
files_ids.emplace_back(id);
}
if (!db_) {
LOG(WARNING) << "Database is not ready, pending addition of the file";
pending_files_to_add_.insert(pending_files_to_add_.end(),
files_to_add.begin(), files_to_add.end());
ReplyOnAddFiles(std::move(response), std::string());
dlp_metrics_->SendAdaptorError(AdaptorError::kDatabaseNotReadyError);
return;
}
db_->UpsertFileEntries(
files_to_add,
base::BindOnce(&DlpAdaptor::OnFilesUpserted, weak_factory_.GetWeakPtr(),
std::move(response), std::move(files_paths),
std::move(files_ids)));
}
void DlpAdaptor::RequestFileAccess(
std::unique_ptr<brillo::dbus_utils::DBusMethodResponse<std::vector<uint8_t>,
base::ScopedFD>>
response,
const std::vector<uint8_t>& request_blob) {
base::ScopedFD local_fd, remote_fd;
if (!base::CreatePipe(&local_fd, &remote_fd, /*non_blocking=*/true)) {
PLOG(ERROR) << "Failed to create lifeline pipe";
dlp_metrics_->SendAdaptorError(AdaptorError::kCreatePipeError);
std::move(response)->ReplyWithError(
FROM_HERE, brillo::errors::dbus::kDomain, dlp::kErrorFailedToCreatePipe,
"Failed to create lifeline pipe");
return;
}
RequestFileAccessRequest request;
const std::string parse_error = ParseProto(FROM_HERE, &request, request_blob);
if (!parse_error.empty()) {
LOG(ERROR) << "Failed to parse RequestFileAccess request: " << parse_error;
dlp_metrics_->SendAdaptorError(AdaptorError::kInvalidProtoError);
ReplyOnRequestFileAccess(std::move(response), std::move(remote_fd),
/*allowed=*/false, parse_error);
return;
}
if (!db_) {
ReplyOnRequestFileAccess(std::move(response), std::move(remote_fd),
/*allowed=*/true,
/*error_message=*/std::string());
return;
}
std::vector<FileId> ids;
for (const auto& file_path : request.files_paths()) {
const FileId id = GetFileId(file_path);
if (id.first > 0) {
ids.push_back(id);
}
}
// If no valid ids provided, return immediately.
if (ids.empty()) {
ReplyOnRequestFileAccess(std::move(response), std::move(remote_fd),
/*allowed=*/true,
/*error_message=*/std::string());
return;
}
db_->GetFileEntriesByIds(
ids, base::BindOnce(&DlpAdaptor::ProcessRequestFileAccessWithData,
weak_factory_.GetWeakPtr(), std::move(response),
std::move(request), std::move(local_fd),
std::move(remote_fd)));
}
void DlpAdaptor::ProcessRequestFileAccessWithData(
std::unique_ptr<brillo::dbus_utils::DBusMethodResponse<std::vector<uint8_t>,
base::ScopedFD>>
response,
RequestFileAccessRequest request,
base::ScopedFD local_fd,
base::ScopedFD remote_fd,
std::map<FileId, FileEntry> file_entries) {
IsFilesTransferRestrictedRequest matching_request;
std::vector<FileId> request_ids;
std::vector<FileId> granted_ids;
bool allow_all_files =
request.has_destination_component() &&
request.destination_component() == DlpComponent::SYSTEM;
for (const auto& file_path : request.files_paths()) {
const FileId id = GetFileId(file_path);
auto it = file_entries.find(id);
if (it == std::end(file_entries)) {
// Skip file if it's not DLP-protected as access to it is always allowed.
continue;
}
if (allow_all_files) {
granted_ids.emplace_back(id);
continue;
}
RestrictionLevel cached_level = requests_cache_.Get(
id, file_path,
request.has_destination_url() ? request.destination_url() : "",
request.has_destination_component() ? request.destination_component()
: DlpComponent::UNKNOWN_COMPONENT);
// Reply immediately is a file is always blocked.
if (IsAlwaysBlocked(cached_level)) {
ReplyOnRequestFileAccess(std::move(response), std::move(remote_fd),
/*allowed=*/false,
/*error_message=*/std::string());
return;
}
// Was previously allowed, no need to check again.
if (!RequiresCheck(cached_level)) {
granted_ids.emplace_back(id);
continue;
}
request_ids.push_back(id);
FileMetadata* file_metadata = matching_request.add_transferred_files();
file_metadata->set_inode(id.first);
file_metadata->set_crtime(id.second);
file_metadata->set_source_url(it->second.source_url);
file_metadata->set_referrer_url(it->second.referrer_url);
file_metadata->set_path(file_path);
}
// If access to all requested files was allowed, return immediately.
if (request_ids.empty()) {
if (!granted_ids.empty()) {
int lifeline_fd = AddLifelineFd(local_fd.get());
approved_requests_.insert_or_assign(
lifeline_fd,
std::make_pair(std::move(granted_ids), request.process_id()));
}
ReplyOnRequestFileAccess(std::move(response), std::move(remote_fd),
/*allowed=*/true,
/*error_message=*/std::string());
return;
}
std::pair<RequestFileAccessCallback, RequestFileAccessCallback> callbacks =
base::SplitOnceCallback(base::BindOnce(
&DlpAdaptor::ReplyOnRequestFileAccess, weak_factory_.GetWeakPtr(),
std::move(response), std::move(remote_fd)));
if (request.has_destination_url())
matching_request.set_destination_url(request.destination_url());
if (request.has_destination_component())
matching_request.set_destination_component(request.destination_component());
matching_request.set_file_action(FileAction::TRANSFER);
auto cache_callback =
base::BindOnce(&DlpRequestsCache::CacheResult,
base::Unretained(&requests_cache_), matching_request);
dlp_files_policy_service_->IsFilesTransferRestrictedAsync(
SerializeProto(matching_request),
base::BindOnce(&DlpAdaptor::OnRequestFileAccess,
weak_factory_.GetWeakPtr(), std::move(request_ids),
std::move(granted_ids), request.process_id(),
std::move(local_fd), std::move(callbacks.first),
std::move(cache_callback)),
base::BindOnce(&DlpAdaptor::OnRequestFileAccessError,
weak_factory_.GetWeakPtr(), std::move(callbacks.second)),
/*timeout_ms=*/base::Minutes(5).InMilliseconds());
}
void DlpAdaptor::GetFilesSources(
std::unique_ptr<
brillo::dbus_utils::DBusMethodResponse<std::vector<uint8_t>>> response,
const std::vector<uint8_t>& request_blob) {
GetFilesSourcesRequest request;
GetFilesSourcesResponse response_proto;
const std::string parse_error = ParseProto(FROM_HERE, &request, request_blob);
if (!parse_error.empty()) {
LOG(ERROR) << "Failed to parse GetFilesSources request: " << parse_error;
dlp_metrics_->SendAdaptorError(AdaptorError::kInvalidProtoError);
response_proto.set_error_message(parse_error);
response->Return(SerializeProto(response_proto));
return;
}
if (!db_) {
dlp_metrics_->SendAdaptorError(AdaptorError::kDatabaseNotReadyError);
response_proto.set_error_message("Database not ready");
response->Return(SerializeProto(response_proto));
return;
}
std::vector<FileId> ids;
std::vector<std::pair<FileId, std::string>> requested_files;
for (const auto& path : request.files_paths()) {
const FileId id = GetFileId(path);
if (id.first > 0) {
ids.push_back(id);
requested_files.emplace_back(id, path);
}
}
db_->GetFileEntriesByIds(
ids, base::BindOnce(&DlpAdaptor::ProcessGetFilesSourcesWithData,
weak_factory_.GetWeakPtr(), std::move(response),
requested_files));
}
void DlpAdaptor::CheckFilesTransfer(
std::unique_ptr<
brillo::dbus_utils::DBusMethodResponse<std::vector<uint8_t>>> response,
const std::vector<uint8_t>& request_blob) {
CheckFilesTransferRequest request;
CheckFilesTransferResponse response_proto;
const std::string parse_error = ParseProto(FROM_HERE, &request, request_blob);
if (!parse_error.empty()) {
LOG(ERROR) << "Failed to parse CheckFilesTransfer request: " << parse_error;
dlp_metrics_->SendAdaptorError(AdaptorError::kInvalidProtoError);
response_proto.set_error_message(parse_error);
response->Return(SerializeProto(response_proto));
return;
}
if (!db_) {
dlp_metrics_->SendAdaptorError(AdaptorError::kDatabaseNotReadyError);
response_proto.set_error_message("Database is not ready");
response->Return(SerializeProto(response_proto));
return;
}
std::vector<FileId> ids;
for (const auto& file_path : request.files_paths()) {
const FileId file_id = GetFileId(file_path);
if (file_id.first > 0) {
ids.push_back(file_id);
}
}
db_->GetFileEntriesByIds(
ids, base::BindOnce(&DlpAdaptor::ProcessCheckFilesTransferWithData,
weak_factory_.GetWeakPtr(), std::move(response),
std::move(request)));
}
void DlpAdaptor::GetDatabaseEntries(
std::unique_ptr<
brillo::dbus_utils::DBusMethodResponse<std::vector<uint8_t>>>
response) {
if (!db_) {
GetDatabaseEntriesResponse response_proto;
dlp_metrics_->SendAdaptorError(AdaptorError::kDatabaseNotReadyError);
response_proto.set_error_message("Database is not ready");
response->Return(SerializeProto(response_proto));
return;
}
db_->GetDatabaseEntries(
base::BindOnce(&DlpAdaptor::ProcessGetDatabaseEntriesWithData,
weak_factory_.GetWeakPtr(), std::move(response)));
}
void DlpAdaptor::SetFanotifyWatcherStartedForTesting(bool is_started) {
is_fanotify_watcher_started_for_testing_ = is_started;
}
void DlpAdaptor::CloseDatabaseForTesting() {
db_.reset();
}
void DlpAdaptor::SetMetricsLibraryForTesting(
std::unique_ptr<MetricsLibraryInterface> metrics_lib) {
dlp_metrics_->SetMetricsLibraryForTesting(std::move(metrics_lib));
}
void DlpAdaptor::InitDatabase(const base::FilePath& database_path,
base::OnceClosure init_callback) {
LOG(INFO) << "Opening database in: " << database_path.value();
const base::FilePath database_file = database_path.Append("database");
if (!base::PathExists(database_file)) {
LOG(INFO) << "Creating database file";
base::WriteFile(database_path, "\0", 1);
}
std::unique_ptr<DlpDatabase> db =
std::make_unique<DlpDatabase>(database_file, this);
DlpDatabase* db_ptr = db.get();
db_ptr->Init(base::BindOnce(
&DlpAdaptor::OnDatabaseInitialized, weak_factory_.GetWeakPtr(),
std::move(init_callback), std::move(db), database_path));
}
void DlpAdaptor::OnDatabaseInitialized(base::OnceClosure init_callback,
std::unique_ptr<DlpDatabase> db,
const base::FilePath& database_path,
std::pair<int, bool> db_status) {
if (db_status.first != SQLITE_OK) {
LOG(ERROR) << "Cannot connect to database " << database_path;
dlp_metrics_->SendAdaptorError(AdaptorError::kDatabaseConnectionError);
std::move(init_callback).Run();
return;
}
dlp_metrics_->SendBooleanHistogram(kDlpDatabaseMigrationNeededHistogram,
db_status.second);
// Migration is needed.
if (db_status.second) {
LOG(INFO) << "Migrating from legacy table";
file_enumeration_task_runner_->PostTaskAndReplyWithResult(
FROM_HERE,
base::BindOnce(&EnumerateFiles, file_enumeration_task_runner_,
home_path_),
base::BindOnce(&DlpAdaptor::MigrateDatabase, weak_factory_.GetWeakPtr(),
std::move(db), std::move(init_callback), database_path));
return;
}
if (!pending_files_to_add_.empty()) {
LOG(INFO) << "Upserting pending entries";
DlpDatabase* db_ptr = db.get();
std::vector<FileEntry> files_being_added;
files_being_added.swap(pending_files_to_add_);
db_ptr->UpsertFileEntries(
files_being_added,
base::BindOnce(&DlpAdaptor::OnPendingFilesUpserted,
weak_factory_.GetWeakPtr(), std::move(init_callback),
std::move(db), database_path, db_status));
return;
}
// Check whether cleanup of deleted files should happen when database is
// initialized.
// This could be disabled because for now the daemon can't traverse some
// of the home directory folders due to inconsistent access permissions.
if (feature_lib_ &&
feature_lib_->IsEnabledBlocking(kCrOSLateBootDlpDatabaseCleanupFeature)) {
LOG(INFO) << "Starting database cleanup";
file_enumeration_task_runner_->PostTaskAndReplyWithResult(
FROM_HERE,
base::BindOnce(&EnumerateFiles, file_enumeration_task_runner_,
home_path_),
base::BindOnce(&DlpAdaptor::CleanupAndSetDatabase,
weak_factory_.GetWeakPtr(), std::move(db),
std::move(init_callback)));
} else {
OnDatabaseCleaned(std::move(db), std::move(init_callback),
/*success=*/true);
}
}
void DlpAdaptor::OnPendingFilesUpserted(base::OnceClosure init_callback,
std::unique_ptr<DlpDatabase> db,
const base::FilePath& database_path,
std::pair<int, bool> db_status,
bool success) {
if (!success) {
LOG(ERROR) << "Error while adding pending files.";
dlp_metrics_->SendAdaptorError(AdaptorError::kAddFileError);
}
OnDatabaseInitialized(std::move(init_callback), std::move(db), database_path,
db_status);
}
void DlpAdaptor::AddPerFileWatch(
const std::set<std::pair<base::FilePath, FileId>>& files) {
if (!fanotify_watcher_->IsActive())
return;
// No files to add -> exit early.
if (files.empty())
return;
// Not expected, but if the DB is not there -> delay adding watches.
if (!db_) {
pending_per_file_watches_ = true;
return;
}
std::vector<FileId> ids;
for (const auto& entry : files) {
ids.push_back(entry.second);
}
db_->GetFileEntriesByIds(
ids, base::BindOnce(&DlpAdaptor::ProcessAddPerFileWatchWithData,
weak_factory_.GetWeakPtr(), files));
}
void DlpAdaptor::ProcessAddPerFileWatchWithData(
const std::set<std::pair<base::FilePath, FileId>>& files,
std::map<FileId, FileEntry> file_entries) {
for (const auto& entry : files) {
if (file_entries.find(entry.second) != std::end(file_entries)) {
fanotify_watcher_->AddFileDeleteWatch(entry.first);
}
}
}
void DlpAdaptor::EnsureFanotifyWatcherStarted() {
if (fanotify_watcher_->IsActive())
return;
if (is_fanotify_watcher_started_for_testing_)
return;
LOG(INFO) << "Activating fanotify watcher";
fanotify_watcher_->SetActive(true);
// If the database is not initialized yet, we delay adding per file watch
// till it'll be created.
if (db_) {
file_enumeration_task_runner_->PostTaskAndReplyWithResult(
FROM_HERE,
base::BindOnce(&EnumerateFiles, file_enumeration_task_runner_,
home_path_),
base::BindOnce(&DlpAdaptor::AddPerFileWatch,
weak_factory_.GetWeakPtr()));
} else {
pending_per_file_watches_ = true;
}
}
void DlpAdaptor::ProcessFileOpenRequest(
FileId id, int pid, base::OnceCallback<void(bool)> callback) {
if (pid == base::GetCurrentProcId()) {
// Allowing itself all file accesses (to database files).
std::move(callback).Run(/*allowed=*/true);
return;
}
if (!db_) {
LOG(WARNING) << "DLP database is not ready yet. Allowing the file request";
dlp_metrics_->SendAdaptorError(AdaptorError::kDatabaseNotReadyError);
std::move(callback).Run(/*allowed=*/true);
return;
}
db_->GetFileEntriesByIds(
{id},
base::BindOnce(&DlpAdaptor::ProcessFileOpenRequestWithData,
weak_factory_.GetWeakPtr(), pid, std::move(callback)));
}
void DlpAdaptor::ProcessFileOpenRequestWithData(
int pid,
base::OnceCallback<void(bool)> callback,
std::map<FileId, FileEntry> file_entries) {
if (file_entries.size() != 1) {
std::move(callback).Run(/*allowed=*/true);
return;
}
const FileEntry& file_entry = file_entries.cbegin()->second;
int lifeline_fd = -1;
for (const auto& [key, value] : approved_requests_) {
if (base::Contains(value.first, file_entry.id) && value.second == pid) {
lifeline_fd = key;
break;
}
}
if (lifeline_fd != -1) {
std::move(callback).Run(/*allowed=*/true);
return;
}
// If the file can be restricted by any DLP rule, do not allow access there.
IsDlpPolicyMatchedRequest request;
request.mutable_file_metadata()->set_inode(file_entry.id.first);
request.mutable_file_metadata()->set_crtime(file_entry.id.second);
request.mutable_file_metadata()->set_source_url(file_entry.source_url);
request.mutable_file_metadata()->set_referrer_url(file_entry.referrer_url);
// TODO(crbug.com/1357967)
// request.mutable_file_metadata()->set_path();
std::pair<base::OnceCallback<void(bool)>, base::OnceCallback<void(bool)>>
callbacks = base::SplitOnceCallback(std::move(callback));
dlp_files_policy_service_->IsDlpPolicyMatchedAsync(
SerializeProto(request),
base::BindOnce(&DlpAdaptor::OnDlpPolicyMatched,
weak_factory_.GetWeakPtr(), std::move(callbacks.first)),
base::BindOnce(&DlpAdaptor::OnDlpPolicyMatchedError,
weak_factory_.GetWeakPtr(), std::move(callbacks.second)));
}
void DlpAdaptor::OnFileDeleted(ino64_t inode) {
if (!db_) {
LOG(WARNING) << "DLP database is not ready yet.";
dlp_metrics_->SendAdaptorError(AdaptorError::kDatabaseNotReadyError);
return;
}
db_->DeleteFileEntryByInode(inode,
/*callback=*/base::DoNothing());
}
void DlpAdaptor::OnFanotifyError(FanotifyError error) {
dlp_metrics_->SendFanotifyError(error);
}
void DlpAdaptor::OnDatabaseError(DatabaseError error) {
dlp_metrics_->SendDatabaseError(error);
}
void DlpAdaptor::OnDlpPolicyMatched(base::OnceCallback<void(bool)> callback,
const std::vector<uint8_t>& response_blob) {
IsDlpPolicyMatchedResponse response;
std::string parse_error = ParseProto(FROM_HERE, &response, response_blob);
if (!parse_error.empty()) {
LOG(ERROR) << "Failed to parse IsDlpPolicyMatched response: "
<< parse_error;
dlp_metrics_->SendAdaptorError(AdaptorError::kInvalidProtoError);
std::move(callback).Run(/*allowed=*/false);
return;
}
std::move(callback).Run(!response.restricted());
}
void DlpAdaptor::OnDlpPolicyMatchedError(
base::OnceCallback<void(bool)> callback, brillo::Error* error) {
LOG(ERROR) << "Failed to check whether file could be restricted";
dlp_metrics_->SendAdaptorError(AdaptorError::kRestrictionDetectionError);
std::move(callback).Run(/*allowed=*/false);
}
void DlpAdaptor::OnRequestFileAccess(
std::vector<FileId> request_ids,
std::vector<FileId> granted_ids,
int pid,
base::ScopedFD local_fd,
RequestFileAccessCallback callback,
base::OnceCallback<void(IsFilesTransferRestrictedResponse)> cache_callback,
const std::vector<uint8_t>& response_blob) {
IsFilesTransferRestrictedResponse response;
std::string parse_error = ParseProto(FROM_HERE, &response, response_blob);
if (!parse_error.empty()) {
LOG(ERROR) << "Failed to parse IsFilesTransferRestrictedResponse response: "
<< parse_error;
dlp_metrics_->SendAdaptorError(AdaptorError::kInvalidProtoError);
std::move(callback).Run(
/*allowed=*/false, parse_error);
return;
}
// Cache the response.
std::move(cache_callback).Run(response);
bool allowed = true;
for (const auto& file : response.files_restrictions()) {
if (file.restriction_level() == ::dlp::RestrictionLevel::LEVEL_BLOCK ||
file.restriction_level() ==
::dlp::RestrictionLevel::LEVEL_WARN_CANCEL) {
allowed = false;
break;
}
}
if (allowed) {
request_ids.insert(request_ids.end(), granted_ids.begin(),
granted_ids.end());
int lifeline_fd = AddLifelineFd(local_fd.get());
approved_requests_.insert_or_assign(
lifeline_fd, std::make_pair(std::move(request_ids), pid));
}
std::move(callback).Run(allowed, /*error_message=*/std::string());
}
void DlpAdaptor::OnRequestFileAccessError(RequestFileAccessCallback callback,
brillo::Error* error) {
LOG(ERROR) << "Failed to check whether file could be restricted";
dlp_metrics_->SendAdaptorError(AdaptorError::kRestrictionDetectionError);
std::move(callback).Run(/*allowed=*/false, error->GetMessage());
}
void DlpAdaptor::ReplyOnRequestFileAccess(
std::unique_ptr<brillo::dbus_utils::DBusMethodResponse<std::vector<uint8_t>,
base::ScopedFD>>
response,
base::ScopedFD remote_fd,
bool allowed,
const std::string& error_message) {
RequestFileAccessResponse response_proto;
response_proto.set_allowed(allowed);
if (!error_message.empty())
response_proto.set_error_message(error_message);
response->Return(SerializeProto(response_proto), std::move(remote_fd));
}
void DlpAdaptor::OnFilesUpserted(
std::unique_ptr<
brillo::dbus_utils::DBusMethodResponse<std::vector<uint8_t>>> response,
std::vector<base::FilePath> files_paths,
std::vector<FileId> files_ids,
bool success) {
CHECK(files_paths.size() == files_ids.size());
if (success) {
for (size_t i = 0; i < files_paths.size(); ++i) {
AddPerFileWatch({std::make_pair(files_paths[i], files_ids[i])});
}
ReplyOnAddFiles(std::move(response), std::string());
} else {
ReplyOnAddFiles(std::move(response), "Failed to add entries to database");
}
}
void DlpAdaptor::ReplyOnAddFiles(
std::unique_ptr<
brillo::dbus_utils::DBusMethodResponse<std::vector<uint8_t>>> response,
std::string error_message) {
AddFilesResponse response_proto;
if (!error_message.empty()) {
LOG(ERROR) << "Error while adding files: " << error_message;
dlp_metrics_->SendAdaptorError(AdaptorError::kAddFileError);
response_proto.set_error_message(error_message);
}
response->Return(SerializeProto(response_proto));
}
void DlpAdaptor::ProcessCheckFilesTransferWithData(
std::unique_ptr<
brillo::dbus_utils::DBusMethodResponse<std::vector<uint8_t>>> response,
CheckFilesTransferRequest request,
std::map<FileId, FileEntry> file_entries) {
CheckFilesTransferResponse response_proto;
IsFilesTransferRestrictedRequest matching_request;
base::flat_set<std::string> files_to_check;
std::vector<std::string> already_restricted;
for (const auto& file_path : request.files_paths()) {
const FileId file_id = GetFileId(file_path);
auto it = file_entries.find(file_id);
if (it == std::end(file_entries)) {
// Skip file if it's not DLP-protected as access to it is always allowed.
continue;
}
RestrictionLevel cached_level = requests_cache_.Get(
file_id, file_path,
request.has_destination_url() ? request.destination_url() : "",
request.has_destination_component() ? request.destination_component()
: DlpComponent::UNKNOWN_COMPONENT);
// The file is always blocked.
if (IsAlwaysBlocked(cached_level)) {
already_restricted.push_back(file_path);
}
// Was previously allowed/blocked, no need to check again.
if (!RequiresCheck(cached_level)) {
continue;
}
files_to_check.insert(file_path);
FileMetadata* file_metadata = matching_request.add_transferred_files();
file_metadata->set_inode(file_id.first);
file_metadata->set_crtime(file_id.second);
file_metadata->set_source_url(it->second.source_url);
file_metadata->set_referrer_url(it->second.referrer_url);
file_metadata->set_path(file_path);
}
if (files_to_check.empty()) {
ReplyOnCheckFilesTransfer(std::move(response),
std::move(already_restricted),
/*error_message=*/std::string());
return;
}
if (request.has_destination_url())
matching_request.set_destination_url(request.destination_url());
if (request.has_destination_component())
matching_request.set_destination_component(request.destination_component());
if (request.has_file_action())
matching_request.set_file_action(request.file_action());
if (request.has_io_task_id())
matching_request.set_io_task_id(request.io_task_id());
auto callbacks = base::SplitOnceCallback(
base::BindOnce(&DlpAdaptor::ReplyOnCheckFilesTransfer,
weak_factory_.GetWeakPtr(), std::move(response)));
auto cache_callback =
base::BindOnce(&DlpRequestsCache::CacheResult,
base::Unretained(&requests_cache_), matching_request);
dlp_files_policy_service_->IsFilesTransferRestrictedAsync(
SerializeProto(matching_request),
base::BindOnce(&DlpAdaptor::OnIsFilesTransferRestricted,
weak_factory_.GetWeakPtr(), std::move(files_to_check),
std::move(already_restricted), std::move(callbacks.first),
std::move(cache_callback)),
base::BindOnce(&DlpAdaptor::OnIsFilesTransferRestrictedError,
weak_factory_.GetWeakPtr(), std::move(callbacks.second)),
/*timeout_ms=*/base::Minutes(5).InMilliseconds());
}
void DlpAdaptor::OnIsFilesTransferRestricted(
base::flat_set<std::string> checked_files,
std::vector<std::string> restricted_files,
CheckFilesTransferCallback callback,
base::OnceCallback<void(IsFilesTransferRestrictedResponse)> cache_callback,
const std::vector<uint8_t>& response_blob) {
IsFilesTransferRestrictedResponse response;
std::string parse_error = ParseProto(FROM_HERE, &response, response_blob);
if (!parse_error.empty()) {
LOG(ERROR) << "Failed to parse IsFilesTransferRestricted response: "
<< parse_error;
dlp_metrics_->SendAdaptorError(AdaptorError::kInvalidProtoError);
std::move(callback).Run(std::vector<std::string>(), parse_error);
return;
}
// Cache the response.
std::move(cache_callback).Run(response);
for (const auto& file : response.files_restrictions()) {
DCHECK(base::Contains(checked_files, file.file_metadata().path()));
if (file.restriction_level() == ::dlp::RestrictionLevel::LEVEL_BLOCK ||
file.restriction_level() ==
::dlp::RestrictionLevel::LEVEL_WARN_CANCEL) {
restricted_files.push_back(file.file_metadata().path());
}
}
std::move(callback).Run(std::move(restricted_files),
/*error_message=*/std::string());
}
void DlpAdaptor::OnIsFilesTransferRestrictedError(
CheckFilesTransferCallback callback, brillo::Error* error) {
LOG(ERROR) << "Failed to check which file should be restricted";
dlp_metrics_->SendAdaptorError(AdaptorError::kRestrictionDetectionError);
std::move(callback).Run(std::vector<std::string>(), error->GetMessage());
}
void DlpAdaptor::ReplyOnCheckFilesTransfer(
std::unique_ptr<
brillo::dbus_utils::DBusMethodResponse<std::vector<uint8_t>>> response,
std::vector<std::string> restricted_files_paths,
const std::string& error) {
CheckFilesTransferResponse response_proto;
*response_proto.mutable_files_paths() = {restricted_files_paths.begin(),
restricted_files_paths.end()};
if (!error.empty())
response_proto.set_error_message(error);
response->Return(SerializeProto(response_proto));
}
void DlpAdaptor::ProcessGetFilesSourcesWithData(
std::unique_ptr<
brillo::dbus_utils::DBusMethodResponse<std::vector<uint8_t>>> response,
const std::vector<std::pair<FileId, std::string>>& requested_files,
std::map<FileId, FileEntry> file_entries) {
GetFilesSourcesResponse response_proto;
for (const auto& [id, path] : requested_files) {
// GetFilesSources request might've contained only inode info, so we need to
// compare elements only by inode part of |id|.
for (const auto& [file_id, file_entry] : file_entries) {
if (file_id.first == id.first) {
FileMetadata* file_metadata = response_proto.add_files_metadata();
file_metadata->set_inode(file_id.first);
file_metadata->set_crtime(file_id.second);
if (!path.empty()) {
file_metadata->set_path(path);
}
file_metadata->set_source_url(file_entry.source_url);
file_metadata->set_referrer_url(file_entry.referrer_url);
break;
}
}
}
response->Return(SerializeProto(response_proto));
}
int DlpAdaptor::AddLifelineFd(int dbus_fd) {
int fd = dup(dbus_fd);
if (fd < 0) {
PLOG(ERROR) << "dup failed";
dlp_metrics_->SendAdaptorError(AdaptorError::kFileDescriptorDupError);
return -1;
}
lifeline_fd_controllers_[fd] = base::FileDescriptorWatcher::WatchReadable(
fd, base::BindRepeating(&DlpAdaptor::OnLifelineFdClosed,
weak_factory_.GetWeakPtr(), fd));
return fd;
}
bool DlpAdaptor::DeleteLifelineFd(int fd) {
auto iter = lifeline_fd_controllers_.find(fd);
if (iter == lifeline_fd_controllers_.end()) {
return false;
}
iter->second.reset(); // Destruct the controller, which removes the callback.
lifeline_fd_controllers_.erase(iter);
// AddLifelineFd() calls dup(), so this function should close the fd.
// We still return true since at this point the FileDescriptorWatcher object
// has been destructed.
if (IGNORE_EINTR(close(fd)) < 0) {
PLOG(ERROR) << "close failed";
dlp_metrics_->SendAdaptorError(AdaptorError::kFileDescriptorCloseError);
}
return true;
}
void DlpAdaptor::OnLifelineFdClosed(int client_fd) {
// The process that requested this access has died/exited.
DeleteLifelineFd(client_fd);
// Remove the approvals tied to the lifeline fd.
approved_requests_.erase(client_fd);
}
void DlpAdaptor::CleanupAndSetDatabase(
std::unique_ptr<DlpDatabase> db,
base::OnceClosure callback,
const std::set<std::pair<base::FilePath, FileId>>& files) {
DCHECK(db);
DlpDatabase* db_ptr = db.get();
std::set<FileId> ids;
for (const auto& entry : files) {
ids.insert(entry.second);
}
db_ptr->DeleteFileEntriesWithIdsNotInSet(
ids,
base::BindOnce(&DlpAdaptor::OnDatabaseCleaned, weak_factory_.GetWeakPtr(),
std::move(db), std::move(callback)));
}
void DlpAdaptor::OnDatabaseCleaned(std::unique_ptr<DlpDatabase> db,
base::OnceClosure callback,
bool success) {
if (success) {
db_.swap(db);
LOG(INFO) << "Database is initialized";
// If fanotify watcher is already started, we need to add watches for all
// files from the database.
if (pending_per_file_watches_) {
file_enumeration_task_runner_->PostTaskAndReplyWithResult(
FROM_HERE,
base::BindOnce(&EnumerateFiles, file_enumeration_task_runner_,
home_path_),
base::BindOnce(&DlpAdaptor::AddPerFileWatch,
weak_factory_.GetWeakPtr()));
pending_per_file_watches_ = false;
}
std::move(callback).Run();
}
}
void DlpAdaptor::MigrateDatabase(
std::unique_ptr<DlpDatabase> db,
base::OnceClosure callback,
const base::FilePath& database_path,
const std::set<std::pair<base::FilePath, FileId>>& files) {
DCHECK(db);
DlpDatabase* db_ptr = db.get();
std::vector<FileId> ids;
for (const auto& entry : files) {
ids.push_back(entry.second);
}
db_ptr->MigrateDatabase(
ids, base::BindOnce(&DlpAdaptor::OnDatabaseMigrated,
weak_factory_.GetWeakPtr(), std::move(db),
std::move(callback), database_path));
}
void DlpAdaptor::OnDatabaseMigrated(std::unique_ptr<DlpDatabase> db,
base::OnceClosure init_callback,
const base::FilePath& database_path,
bool success) {
if (!success) {
LOG(ERROR) << "Error while migrating database.";
dlp_metrics_->SendAdaptorError(AdaptorError::kDatabaseMigrationError);
} else {
LOG(INFO) << "Database was succesfully migrated.";
}
OnDatabaseInitialized(std::move(init_callback), std::move(db), database_path,
{SQLITE_OK, false});
}
void DlpAdaptor::ProcessGetDatabaseEntriesWithData(
std::unique_ptr<
brillo::dbus_utils::DBusMethodResponse<std::vector<uint8_t>>> response,
std::map<FileId, FileEntry> files_entries) {
GetDatabaseEntriesResponse response_proto;
for (const auto& [file_id, file_entry] : files_entries) {
FileMetadata* file_metadata = response_proto.add_files_entries();
file_metadata->set_inode(file_id.first);
file_metadata->set_crtime(file_id.second);
file_metadata->set_source_url(file_entry.source_url);
file_metadata->set_referrer_url(file_entry.referrer_url);
}
response->Return(SerializeProto(response_proto));
}
} // namespace dlp