projects / platform / core / security / privilege-checker.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Add cert level to privacy whitelist table
[platform/core/security/privilege-checker.git] / capi / res / dbspace / privilege-db-update
1 #!/bin/bash
2
3 PATH=/bin:/usr/bin:/sbin:/usr/sbin
4
5 TZ_SYS_RO_SHARE=`tzplatform-get TZ_SYS_RO_SHARE | cut -d= -f2`
6 SCRIPT_DIR=$(readlink -f "$0" | xargs dirname)
7 PRIVILEGE_DB_DIR="$TZ_SYS_RO_SHARE/privilege-manager/"
8 PRIVILEGE_DB=$PRIVILEGE_DB_DIR".privilege.db"
9 PRIVILEGE_DB_BKUP=$PRIVILEGE_DB_DIR".privilege.db.bkup"
10 SECURITY_MANAGER_POLICY_DIR="$TZ_SYS_RO_SHARE/security-manager/policy/"
11 SECURITY_MANAGER_POLICY_FILE_PRE="usertype-"
12 SECURITY_MANAGER_POLICY_FILE_POST=".profile"
13 SECURITY_MANAGER_GROUP_MAPPING_FILE=$SECURITY_MANAGER_POLICY_DIR"privilege-group.list"
14
15 PRIVILEGE_INFO_CSV="$PRIVILEGE_DB_DIR""privilege_info.csv"
16 PRIVILEGE_MAPPING_CSV="$PRIVILEGE_DB_DIR""privilege_mapping.csv"
17 PRIVACY_WHITELIST_CSV="$PRIVILEGE_DB_DIR""privacy_whitelist.csv"
18 PRIVILEGE_GROUP_MAPPING_LIST="$PRIVILEGE_DB_DIR""privilege-group.list"
19
20 SECURITY_MANAGER_DB=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db
21
22 UPDATE_ALL="false"
23 UPDATE_POLICY="false"
24
25 function backup {
26     cp $PRIVILEGE_DB $PRIVILEGE_DB_BKUP
27     local rst=$?
28     if [ $rst -ne 0 ]
29     then
30         echo "[ERROR] backup failed. Exit status $rst"
31         exit $rst
32     fi
33 }
34 function restoreBackup {
35     local trial_num=0
36     local rst=1
37     while [ $rst -ne 0 ] && [ $trial_num -lt 10 ]
38     do
39         cp $PRIVILEGE_DB_BKUP $PRIVILEGE_DB
40         rst=$?
41         ((trial_num++))
42     done
43
44     if [ $rst -ne 0 ]
45     then
46         echo "[ERROR] restoreBackup failed. Exit status $rst"
47
48         exit $rst
49     else
50         rm $PRIVILEGE_DB_BKUP
51     fi
52 }
53
54 function checkUpdateResult {
55     local integritycheckresult=`sqlite3 $PRIVILEGE_DB "pragma integrity_check"`
56     if [ "$integritycheckresult" == "ok" ]; then
57         rm $PRIVILEGE_DB_BKUP
58     else
59         echo "[ERROR] Update failed. Restore backup."
60         restoreBackup
61     fi
62 }
63
64 function join { local IFS="$1 "; shift; echo "$*"; }
65
66 function printUsage {
67
68     if [ $# -lt 1 ]; then
69         echo -e "There was an error in command-line options:
70 No option specified, use '-h' or '--help' to print help message"
71     else
72         if [ "$1" == "help" ]
73         then
74             echo -e "
75 [Usage]
76 privilege-db-update <update-option> [parameters]
77
78 [Description]
79 Starred[*] parameters must be given.
80
81 Do all possible update with update-option a or all. (* No parameter required *)
82     Prepare files containing update information at /usr/share/privilege-manager/
83     with file name privilege_info.csv, privilege_mapping.csv, privacy_whitelist.csv and privilege-group.list
84
85 Add new privilege information with update-option i or info.
86     Bulk file
87         For bulk update, prepare .csv file with following columns:
88             package_type,privilege_level,documented,privilege_name,privacy_name,privilege_display,privilege_description,privilege_group
89         If the privilege is not a privacy privilege then left privacy_name field as blank. All other fields must be filled.
90             [*]-f, --file               Bulk file path.
91     Single privilege
92             [*]-p, --privilege          Privilege name.
93             [*]-t, --packagetype        Whether the privilege is for core, wrt, or metadata.
94             -P, --privacy               Privacy group which the given privilege is included in.
95                                         Don't give this parameter for NOT privacy privilege.
96             [*]-l, --level              Privilege level.
97             [*]-d, --display            DID of privilege's display name.
98             [*]-D, --description        DID of privilege's description.
99             -s, --documented            Whether privilege is added to SDK resources or not.
100             [*]-g, --group              Privilege group.
101
102 Add new privilege mapping information with update-option m or mapping.
103     Bulk file
104         For bulk update, prepare .csv file with following columns:
105             package_type,privilege_name,from_api_version,to_api_version,mapped_privilege_name
106         All field must be filled.
107             [*]-f, --file               Bulk file path.
108             [*]-u, --usertype           User type. Use '*' to update all usertypes.
109     Single privilege mapping
110             [*]-p, --privilege          Privilege name.
111             [*]-F, --from               api-version from (privilege mappinge {api-version from} <= {api-version}).
112             [*]-T, --to                 api-version to (privilege mappinge {api-version} < {api-version to}).
113             [*]-t, --packagetype        Whether the privilege is for core or wrt.
114             [*]-m, --mappedprivilege    Mapped privilege name.
115             [*]-u, --usertype           User type. Use '*' to update all usertypes.
116
117 Replace privacy whitelist with update-option w or whitelist. It wipes the existing whitelist and updates it with the given privacy whitelist file.
118     For update, prepare .csv file with following columns:
119         package_id,cert_level,privacy_option,settable
120     All field must be filled.
121     [*] <filepath>      Give .csv file path as parameter.
122
123 Add new privilege-gid mapping with update-option g or group.
124     Bulk file
125         For bulk update, prepare file with following format:
126             <privilege name> <group name>
127                 ex) http://tizen.org/privilege/camera priv_camera
128                     http://tizen.org/privilege/email priv_email
129             [*] <filepath>      Bulk file path.
130     Single gid mapping
131         [*] <privilege name>    Give privilege name as parameter
132         [*] <group name>        Give group name as parameter
133
134 ex)
135 privilege-db-update all
136 privilege-db-update info --file '/tmp/privilege_info.csv'
137 privilege-db-update i -p 'http://tizen.org/privilege/new.privilege' -t 'core' -d 'IDS_DISPLAY_NAME' -D 'IDS_DESCRIPTION' -g 'IDS_TPLATFORM_BODY_PERSONAL_INFORMATION_ABB' -s 'yes' -l 'partner'
138 privilege-db-update mapping --file '/tmp/privilege_mapping.csv' -u admin
139 privilege-db-update m --packagetype 'core' --privilege 'http://tizen.org/privilege/privilege.name' --from '2.3.1' --to '9.9' --mappedprivilege 'http://tizen.org/privilege/mapped.privilege.name' --usertype admin,system,security
140 privilege-db-update w '/tmp/privacy_whitelist.csv'
141 privilege-db-update whitelist '/tmp/privacy_whitelist.csv'
142 privilege-db-update g '/tmp/privilege-group-mapping.list'
143 privilege-db-update gid 'http://tizen.org/privilege/privilegename' 'priv_groupname'
144             "
145         elif [ "$1" == "privacy" ]; then
146             privacy_list=`sqlite3 $PRIVILEGE_DB "select distinct privacy_name from privacy_info"`
147             echo -e "Privacy name should be one of the followings:\n$privacy_list"
148         elif [ "$1" == "packagetype" ]; then
149             echo -e "Package type should be one of the followings: core, wrt, metadata"
150         elif [ "$1" == "level" ]; then
151             echo -e "Privilege level should be one of the followings: public, partner, platform"
152         elif [ "$1" == "group" ]; then
153             echo -e "Group should be one of the followings:
154 IDS_TPLATFORM_BODY_HARDWARE_CONTROLS_ABB
155 IDS_TPLATFORM_OPT_LOCATION_T_LBS
156 IDS_TPLATFORM_BODY_NETWORK_CONNECTIONS_ABB
157 IDS_TPLATFORM_BODY_PAID_SERVICES_ABB
158 IDS_TPLATFORM_BODY_PERSONAL_INFORMATION_ABB
159 IDS_TPLATFORM_BODY_SYSTEM_SETTINGS_ABB
160 IDS_TPLATFORM_BODY_OTHER_PRIVILEGES_ABB"
161         elif [ "$1" == "documented" ]; then
162             echo -e "Documented should be 'yes' or 'no'.\nIf the value is not written then the default value is 'yes'"
163         elif [ "$1" == "usertype" ]; then
164             local usertypelist=$(join , $(ls $SECURITY_MANAGER_POLICY_DIR | grep usertype | cut -d '-' -f2 | cut -d '.' -f1))
165             echo -e "Use '*' to update all usertypes.\nOr choose valid usertypes from followings: $usertypelist
166 ex) -u '*'
167     --usertype admin,security,guest"
168         fi
169     fi
170     exit
171 }
172
173 function policy_load {
174     find "$SECURITY_MANAGER_POLICY_DIR" -name "usertype-*.profile" |
175     while read file
176     do
177         bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\1|' | tr '[:lower:]' '[:upper:]'`"
178
179         grep -v ^\' $file |
180         while read app privilege
181         do
182             user="*"        # Match any user id
183             policy="0xFFFF" # ALLOW (FIXME: cyad should parse policy names, not numeric values)
184             printf '%s;%s;%s;%s;%s;\n' "$bucket" "$user" "$app" "$privilege" "$policy"
185         done |
186         cyad --set-policy --bulk=-
187     done
188
189 }
190
191 function gid_mapping {
192     (
193     echo "BEGIN;"
194     echo "DELETE FROM privilege_group;"
195     grep -v '^#' "$SECURITY_MANAGER_GROUP_MAPPING_FILE" |
196     while read privilege group
197     do
198         echo "INSERT INTO privilege_group (privilege_name, group_name) VALUES ('$privilege', '$group');"
199     done
200     echo "COMMIT;"
201     ) | sqlite3 "$SECURITY_MANAGER_DB"
202 }
203
204 function add_privilege_info {
205     local mode bulkfile privilege level level_id display description group group_id packagetype packagetype_id
206     local privacy="N/A" is_privacy=0 documented="yes"
207     local input=(`echo "$@"`)
208
209     for ((x=1; x<${#input[@]}; x=x+2));
210     do
211         if [ "${input[x]}" == "-f" ] || [ "${input[x]}" == "--file" ]
212         then
213             if [ "$mode" == "single" ]
214             then
215                 echo "[ERROR] Do not use -p,--privilege with -f,--file"
216                 printUsage
217             fi
218             if [ -r ${input[$((x+1))]} ] && [ -f ${input[$((x+1))]} ]
219             then
220                 bulkfile=${input[$((x+1))]}
221             elif [ -r $SCRIPT_DIR"/${input[$((x+1))]}" ] && [ -f $SCRIPT_DIR"/${input[$((x+1))]}" ]
222             then
223                 bulkfile=$SCRIPT_DIR"/${input[$((x+1))]}"
224             fi
225             if [ "$bulkfile" == "" ]; then
226                 echo "[ERROR] file(${input[$((x+1))]}) not exist or unreadable!!!"
227                 exit
228             fi
229             mode="bulk"
230         elif [ "${input[x]}" == "-p" ] || [ "${input[x]}" == "--privilege" ]
231         then
232             if [ "$mode" == "bulk" ]
233             then
234                 echo "[ERROR] Do not use -p,--privilege with -f,--file"
235                 printUsage
236             fi
237             privilege=${input[$((x+1))]}
238             mode="single"
239         elif [ "${input[x]}" == "-P" ] || [ "${input[x]}" == "--privacy" ]
240         then
241             privacy_exist=`sqlite3 $PRIVILEGE_DB "select exists(select 1 from privacy_info where privacy_name='${input[$((x+1))]}')"`
242             if [ "$privacy_exist" != "1" ]; then
243                 echo "[ERROR] privacy ${input[$((x+1))]} not exist!"
244                 printUsage "privacy"
245             fi
246             privacy=${input[$((x+1))]}
247             is_privacy=1
248         elif [ "${input[x]}" == "-l" ] || [ "${input[x]}" == "--level" ]
249         then
250             level=${input[$((x+1))]}
251             if [ "$level" == "public" ]; then
252                 level_id=0
253             elif [ "$level" == "partner" ]; then
254                 level_id=1
255             elif [ "$level" == "platform" ]; then
256                 level_id=2
257             else
258                 echo "[ERROR] wrong privilege level"
259                 printUsage "level"
260             fi
261         elif [ "${input[x]}" == "-d" ] || [ "${input[x]}" == "--display" ]
262         then
263             display=${input[$((x+1))]}
264         elif [ "${input[x]}" == "-D" ] || [ "${input[x]}" == "--description" ]
265         then
266             description=${input[$((x+1))]}
267         elif [ "${input[x]}" == "-s" ] || [ "${input[x]}" == "--documented" ]
268         then
269             if [ "${input[$((x+1))]}" != "yes" ] && [ "${input[$((x+1))]}" != "no" ]
270             then
271                 printUsage "documented"
272             fi
273             documented=${input[$((x+1))]}
274         elif [ "${input[x]}" == "-g" ] || [ "${input[x]}" == "--group" ]
275         then
276             if [ "${input[$((x+1))]}" == "IDS_TPLATFORM_BODY_HARDWARE_CONTROLS_ABB" ]; then
277                 group_id=0
278             elif [ "${input[$((x+1))]}" == "IDS_TPLATFORM_OPT_LOCATION_T_LBS" ]; then
279                 group_id=1
280             elif [ "${input[$((x+1))]}" == "IDS_TPLATFORM_BODY_NETWORK_CONNECTIONS_ABB" ]; then
281                 group_id=2
282             elif [ "${input[$((x+1))]}" == "IDS_TPLATFORM_BODY_PAID_SERVICES_ABB" ]; then
283                 group_id=3
284             elif [ "${input[$((x+1))]}" == "IDS_TPLATFORM_BODY_PERSONAL_INFORMATION_ABB" ]; then
285                 group_id=4
286             elif [ "${input[$((x+1))]}" == "IDS_TPLATFORM_BODY_SYSTEM_SETTINGS_ABB" ]; then
287                 group_id=5
288             elif [ "${input[$((x+1))]}" == "IDS_TPLATFORM_BODY_OTHER_PRIVILEGES_ABB" ]; then
289                 group_id=6
290             else
291                 echo "[ERROR] wrong group"
292                 printUsage "group"
293             fi
294             group=${input[$((x+1))]}
295         elif [ "${input[x]}" == "-t" ] || [ "${input[x]}" == "--packagetype" ]
296         then
297             packagetype=${input[$((x+1))]}
298             if [ "$packagetype" == "core" ]; then
299                 packagetype_id=1
300             elif [ "$packagetype" == "wrt" ]; then
301                 packagetype_id=0
302             elif [ "$packagetype" == "metadata" ]; then
303                 packagetype_id=2
304             else
305                 echo "[ERROR] wrong packagetype"
306                 printUsage "packagetype"
307             fi
308         else
309             printUsage
310         fi
311     done
312
313     if [ "$mode" == "bulk" ]
314     then
315         bulk_add_privilege_info $bulkfile
316     elif [ "$mode" == "single" ]
317     then
318         if [ "$privilege" == "" ]; then
319             echo "[ERROR] privilege required"
320             printUsage
321         elif [ "$packagetype" == "" ]; then
322             echo "[ERROR] packagetype required"
323             printUsage "packagetype"
324         elif [ "$display" == "" ] || [ "$description" == "" ]
325         then
326             echo "[ERROR] display and description required"
327             printUsage
328         elif [ "$group" == "" ]
329         then
330             echo "[ERROR] group required"
331             printUsage "group"
332         elif [ "$level" == "" ]
333         then
334             echo "[ERROR] privilege level required"
335             printUsage "level"
336         fi
337
338         echo -e "Add privilege\n\nPackage type: $packagetype\nLevel: $level\nPrivilege: $privilege\nPrivacy: $privacy\nDisplay name: $display\nDescription: $description\nGroup: $group\nDocumented: $documented"
339
340         backup
341
342         sqlite3 $PRIVILEGE_DB "insert into privilege_info (
343                                     package_type_id, package_type, privilege_level_id, privilege_level, documented, privilege_name,
344                                     is_privacy, privacy_name, privilege_display, privilege_description, privilege_group_id, privilege_group)
345                                 values ($packagetype_id, '$packagetype', $level_id, '$level', '$documented', '$privilege',
346                                         '$is_privacy', '$privacy', '$display', '$description', $group_id, '$group')"
347
348         checkUpdateResult
349     else
350         printUsage
351     fi
352 }
353
354 function bulk_add_privilege_info {
355
356     sed -e "s/#//g" $1 > "$PRIVILEGE_DB_DIR/tmp.csv"
357
358     backup
359     sqlite3 -csv -separator "," $PRIVILEGE_DB ".import "$PRIVILEGE_DB_DIR/tmp.csv" tmp"
360
361     # check if there's missing column
362     cols=`sqlite3 $PRIVILEGE_DB "PRAGMA table_info(tmp)" | tr '[:upper:]' '[:lower:]' | cut -d "|" -f2`
363     check_cols_num=8
364     local i
365     for i in ${cols[@]}
366     do
367         if [ "$i" == "package_type" ]; then
368             ((check_cols_num--))
369         elif [ "$i" == "privilege_name" ]; then
370             ((check_cols_num--))
371         elif [ "$i" == "privilege_display" ]; then
372             ((check_cols_num--))
373         elif [ "$i" == "privilege_description" ]; then
374             ((check_cols_num--))
375         elif [ "$i" == "privilege_group" ]; then
376             ((check_cols_num--))
377         elif [ "$i" == "privacy_name" ]; then
378             ((check_cols_num--))
379         elif [ "$i" == "documented" ]; then
380             ((check_cols_num--))
381         elif [ "$i" == "privilege_level" ]; then
382             ((check_cols_num--))
383         fi
384     done
385
386     if [ $check_cols_num -ne 0 ]; then
387         # missing column exists
388         echo "[ERROR] There's missing column field in the given csv file: $1"
389         rm "$PRIVILEGE_DB_DIR/tmp.csv"
390         restoreBackup
391         exit
392     fi
393
394     sqlite3 $PRIVILEGE_DB "
395     insert into privilege_info (package_type_id, package_type, privilege_level_id, privilege_level, documented, privilege_name, is_privacy, privacy_name, privilege_display, privilege_description, privilege_group_id, privilege_group)
396     select
397         (case package_type
398             when 'wrt' then 0
399             when 'core' then 1
400             when 'metadata' then 2 end),
401         package_type,
402         (case privilege_level
403             when 'public' then 0
404             when 'partner' then 1
405             when 'platform' then 2 end),
406         privilege_level,
407         documented,
408         privilege_name,
409         case when package_type='core' and privacy_name != '' then 1 else 0 end,
410         case when package_type='core' and privacy_name != '' then privacy_name else 'N/A' end,
411         privilege_display,
412         privilege_description,
413         (case privilege_group
414             when 'IDS_TPLATFORM_BODY_HARDWARE_CONTROLS_ABB' then 0
415             when 'IDS_TPLATFORM_OPT_LOCATION_T_LBS' then 1
416             when 'IDS_TPLATFORM_BODY_NETWORK_CONNECTIONS_ABB' then 2
417             when 'IDS_TPLATFORM_BODY_PAID_SERVICES_ABB' then 3
418             when 'IDS_TPLATFORM_BODY_PERSONAL_INFORMATION_ABB' then 4
419             when 'IDS_TPLATFORM_BODY_SYSTEM_SETTINGS_ABB' then 5
420             when 'IDS_TPLATFORM_BODY_OTHER_PRIVILEGES_ABB' then 6 end),
421         privilege_group
422         from tmp"
423     sqlite3 $PRIVILEGE_DB "drop table tmp"
424     rm "$PRIVILEGE_DB_DIR/tmp.csv"
425
426     checkUpdateResult
427 }
428
429 function add_privilege_mapping {
430     local mode bulkfile privilege mapped_privilege package_type version_from version_to usertype
431     local input=("$@")
432
433     # Get all input parameters
434     for ((x=1; x<${#input[@]}; x=x+2));
435     do
436         if [ "${input[x]}" == "-f" ] || [ "${input[x]}" == "--file" ]
437         then
438             if [ "$mode" == "single" ]
439             then
440                 echo "[ERROR] Do not use -p,--privilege with -f,--file"
441                 printUsage
442             fi
443             if [ -r ${input[$((x+1))]} ] && [ -f ${input[$((x+1))]} ]
444             then
445                 bulkfile=${input[$((x+1))]}
446             elif [ -r $SCRIPT_DIR"/${input[$((x+1))]}" ] && [ -f $SCRIPT_DIR"/${input[$((x+1))]}" ]
447             then
448                 bulkfile=$SCRIPT_DIR"/${input[$((x+1))]}"
449             fi
450             if [ "$bulkfile" == "" ]; then
451                 echo "[ERROR] file(${input[$((x+1))]}) not exist  or unreadable!!!"
452                 exit
453             fi
454             mode="bulk"
455         elif [ "${input[x]}" == "-u" ] || [ "${input[x]}" == "--usertype" ]
456         then
457             usertype="${input[$((x+1))]}"
458             if [ "$usertype" != "*" ]
459             then
460                 IFS=',' read -r -a usertypes <<< "$usertype"
461                 for userbucket in "${usertypes[@]}"
462                 do
463                     check_userbucket=`find $SECURITY_MANAGER_POLICY_DIR -name "$SECURITY_MANAGER_POLICY_FILE_PRE$userbucket$SECURITY_MANAGER_POLICY_FILE_POST"`
464                     if [ "$check_userbucket" == "" ]; then
465                         echo "[ERROR] usertype $userbucket not exist!"
466                         printUsage "usertype"
467                     fi
468                 done
469             else
470                 usertype=$(join , $(ls $SECURITY_MANAGER_POLICY_DIR | grep usertype | cut -d '-' -f2 | cut -d '.' -f1))
471             fi
472         elif [ "${input[x]}" == "-p" ] || [ "${input[x]}" == "--privilege" ]
473         then
474             if [ "$mode" == "bulk" ]
475             then
476                 echo "[ERROR] Do not use -p,--privilege with -f,--file"
477                 printUsage
478             fi
479             mode="single"
480             privilege=${input[$((x+1))]}
481         elif [ "${input[x]}" == "-F" ] || [ "${input[x]}" == "--from" ]
482         then
483             version_from=${input[$((x+1))]}
484         elif [ "${input[x]}" == "-T" ] || [ "${input[x]}" == "--to" ]
485         then
486             version_to=${input[$((x+1))]}
487         elif [ "${input[x]}" == "-t" ] || [ "${input[x]}" == "--packagetype" ]
488         then
489             packagetype=${input[$((x+1))]}
490             if [ "$packagetype" == "core" ]; then
491                 packagetype_id=1
492             elif [ "$packagetype" == "wrt" ]; then
493                 packagetype_id=0
494             else
495                 echo "[ERROR] wrong packagetype"
496                 printUsage "packagetype"
497             fi
498         elif [ "${input[x]}" == "-m" ] || [ "${input[x]}" == "--mappedprivilege" ]
499         then
500             mapped_privilege=${input[$((x+1))]}
501         fi
502     done
503
504     if [ "$usertype" == "" ]; then
505         echo "[ERROR] usertype required"
506         printUsage "usertype"
507     fi
508
509     if [ "$mode" == "bulk" ]; then
510         bulk_add_privilege_mapping $bulkfile $usertype
511     elif [ "$mode" == "single" ]; then
512         if [ "$privilege" == "" ]; then
513             echo "[ERROR] privilege required"
514             printUsage
515         elif [ "$version_from" == "" ] || [ "$version_to" == "" ]
516         then
517             echo "[ERROR] api-version from/to required"
518             printUsage
519         elif [ "$mapped_privilege" == "" ]; then
520             echo "[ERROR] mapped privilege required"
521             printUsage
522         elif [ "$packagetype" == "" ]; then
523             echo "[ERROR] packagetype required"
524             printUsage
525         fi
526
527         backup
528
529         sqlite3 $PRIVILEGE_DB "insert into
530         privilege_mapping (package_type_id, package_type, privilege_name, from_api_version, to_api_version, mapped_privilege_name)
531         values ($packagetype_id, '$packagetype', '$privilege', '$version_from', '$version_to', '$mapped_privilege')"
532
533         checkUpdateResult
534
535         IFS=',' read -r -a usertypes <<< "$usertype"
536
537         local userbucket_update=0
538         for userbucket in "${usertypes[@]}"
539         do
540             userbucket_path="$SECURITY_MANAGER_POLICY_DIR$SECURITY_MANAGER_POLICY_FILE_PRE$userbucket$SECURITY_MANAGER_POLICY_FILE_POST"
541             if [ -a "$userbucket_path" ]; then
542                 check_userbucket=`grep -rn "$mapped_privilege$" $userbucket_path | wc -l`
543
544                 if [ $check_userbucket -eq 0 ]; then
545                     echo "*     $mapped_privilege" >> $userbucket_path
546                     ((userbucket_update++))
547                 fi
548             fi
549         done
550         if [ $userbucket_update -gt 0 ]; then
551             if [ "$UPDATE_ALL" == "false" ]; then
552                 policy_load
553             else
554                 UPDATE_POLICY="true"
555             fi
556         fi
557     else
558         printUsage
559     fi
560 }
561
562 function bulk_add_privilege_mapping {
563     sed -e "s/#//g" $1 > "$PRIVILEGE_DB_DIR/tmp.csv"
564
565     backup
566     sqlite3 -csv -separator "," $PRIVILEGE_DB ".import "$PRIVILEGE_DB_DIR/tmp.csv" tmp"
567
568     cols=`sqlite3 $PRIVILEGE_DB "PRAGMA table_info(tmp)" | tr '[:upper:]' '[:lower:]' | cut -d "|" -f2`
569     check_cols_num=5
570     local i
571
572     for i in ${cols[@]}
573     do
574         if [ "$i" == "package_type" ]; then
575             ((check_cols_num--))
576         elif [ "$i" == "privilege_name" ]; then
577             ((check_cols_num--))
578         elif [ "$i" == "from_api_version" ]; then
579             ((check_cols_num--))
580         elif [ "$i" == "to_api_version" ]; then
581             ((check_cols_num--))
582         elif [ "$i" == "mapped_privilege_name" ]; then
583             ((check_cols_num--))
584         fi
585     done
586     if [ $check_cols_num -ne 0 ]; then
587         echo "[ERROR] There's missing column field in the given csv file: $1"
588         rm "$PRIVILEGE_DB_DIR/tmp.csv"
589         restoreBackup
590         exit
591     fi
592
593     sqlite3 $PRIVILEGE_DB "
594     insert into privilege_mapping (package_type_id, package_type, privilege_name, from_api_version, to_api_version, mapped_privilege_name)
595     select
596         (case package_type
597             when 'wrt' then 0
598             when 'core' then 1 end),
599         package_type,
600         privilege_name,
601         from_api_version,
602         to_api_version,
603         mapped_privilege_name
604     from tmp"
605     IFS=$'\r\n' read -r -a privileges <<< `sqlite3 $PRIVILEGE_DB "select distinct mapped_privilege_name from tmp"`
606     sqlite3 $PRIVILEGE_DB "drop table tmp"
607     rm "$PRIVILEGE_DB_DIR/tmp.csv"
608
609     checkUpdateResult
610
611     IFS=',' read -r -a usertypes <<< "$2"
612
613     local userbucket_update=0
614     for userbucket in "${usertypes[@]}"
615     do
616         userbucket_path="$SECURITY_MANAGER_POLICY_DIR$SECURITY_MANAGER_POLICY_FILE_PRE$userbucket$SECURITY_MANAGER_POLICY_FILE_POST"
617         for privilege in $privileges
618         do
619                 local check_userbucket=`grep -rn "$privilege$" $userbucket_path | wc -l`
620                 if [ $check_userbucket -eq 0 ]; then
621                     echo "*     $privilege" >> $userbucket_path
622                     ((userbucket_update++))
623                 fi
624
625         done
626     done
627     if [ $userbucket_update -gt 0 ]; then
628         if [ "$UPDATE_ALL" == "false" ]; then
629             policy_load
630         else
631             UPDATE_POLICY="true"
632         fi
633     fi
634 }
635
636 function add_privacy_whitelist {
637     if [ $# -lt 2 ]; then
638         printUsage
639     fi
640     local bulkfile
641     if [ -r $2 ] && [ -f $2 ]
642     then
643         bulkfile=$2
644     elif [ -r $SCRIPT_DIR"/$2" ] && [ -f $SCRIPT_DIR"/$2" ]
645     then
646         bulkfile=$SCRIPT_DIR"/$2"
647     fi
648     if [ "$bulkfile" == "" ]; then
649         echo "[ERROR] file($2) not exist or unreadable!!!"
650         exit
651     fi
652
653     sed -e "s/#//g" $bulkfile > "$PRIVILEGE_DB_DIR/tmp.csv"
654
655     backup
656
657     sqlite3 -csv -separator "," $PRIVILEGE_DB ".import "$PRIVILEGE_DB_DIR/tmp.csv" tmp"
658
659     cols=`sqlite3 $PRIVILEGE_DB "PRAGMA table_info(tmp)" | tr '[:upper:]' '[:lower:]' | cut -d "|" -f2`
660     check_cols_num=4
661     local i
662
663     for i in ${cols[@]}
664     do
665         if [ "$i" == "package_id" ]; then
666             ((check_cols_num--))
667         elif [ "$i" == "privacy_option" ]; then
668             ((check_cols_num--))
669         elif [ "$i" == "settable" ]; then
670             ((check_cols_num--))
671         elif [ "$i" == "cert_level" ]; then
672             ((check_cols_num--))
673         fi
674     done
675     sqlite3 $PRIVILEGE_DB "drop table tmp"
676     rm "$PRIVILEGE_DB_DIR/tmp.csv"
677     if [ $check_cols_num -ne 0 ]; then
678         echo "[ERROR] There's missing column field in the given csv file: $2"
679         rm $PRIVILEGE_DB_BKUP
680         exit
681     fi
682     local i
683     local privacy_info_list=`sqlite3 $PRIVILEGE_DB "select distinct privacy_id, privacy_name from privacy_info"`
684     for i in $privacy_info_list
685     do
686         PRIVACY_ID=`echo $i | cut -d "|" -f1`
687         PRIVACY_NAME=`echo $i | cut -d "|" -f2`
688         PRIVACY_NAME_ONLY=`echo $PRIVACY_NAME | cut -d "/" -f5`
689         declare ${PRIVACY_NAME_ONLY}=$((PRIVACY_ID))
690     done
691
692     PRIVACY_NUM=$((PRIVACY_ID++))
693
694     #Wipe existing whitelist and insert new privacy whitelist to avoid conflicts
695     sqlite3 $PRIVILEGE_DB "delete from privacy_whitelist"
696     for i in `cat $bulkfile`
697     do
698         temp=`echo $i | awk '/^#/'`
699         if [ ! "$temp" = "" ]
700         then
701             continue
702         fi
703         PKG_ID=`echo $i | cut -d "," -f1`
704         CERT_LEVEL=`echo $i | cut -d "," -f2`
705         if [ "$CERT_LEVEL" = "platform" ]; then
706             CERT_LEVEL_ID=2
707         elif [ "$CERT_LEVEL" = "partner" ]; then
708             CERT_LEVEL_ID=1
709         else
710             CERT_LEVEL_ID=0
711         fi
712         PRIVACY_OPTION=`echo $i | cut -d "," -f3`
713         IFS='-+ ' read -r -a array <<< $PRIVACY_OPTION
714         # init
715         TEMP=0
716         while [ $((TEMP)) -lt $((PRIVACY_ID)) ]
717         do
718             option_array[$((TEMP++))]=0
719         done
720         # privacy list set
721         for element in "${array[@]}"
722         do
723             if [ "$element" = "*" ]; then
724                 TEMP=0
725                 while [ $((TEMP)) -lt $PRIVACY_ID ]
726                 do
727                     option_array[$((TEMP++))]=1
728                 done
729             else
730                 if [ "${option_array[${element}]}" = "1" ]; then
731                     option_array[${element}]=0
732                 else
733                     option_array[${element}]=1
734                 fi
735             fi
736         done
737         SETTABLE=`echo $i | cut -d "," -f4`
738         # privacy option string
739         TEMP=0
740         PRIVACY_OPTION_STRING=""
741         while [ $((TEMP)) -lt $((PRIVACY_ID)) ]
742         do
743             PRIVACY_OPTION_STRING="$PRIVACY_OPTION_STRING""${option_array[$((TEMP++))]}"
744         done
745         #echo "insert into privacy_whitelist(pkg_id, cert_level, privacy_option, settable) values ('$PKG_ID', $CERT_LEVEL_ID, '$PRIVACY_OPTION_STRING', '$SETTABLE')"
746         sqlite3 $PRIVILEGE_DB "insert into privacy_whitelist(pkg_id, cert_level, privacy_option, settable) values ('$PKG_ID', $CERT_LEVEL_ID, '$PRIVACY_OPTION_STRING', '$SETTABLE')"
747     done
748     checkUpdateResult
749 }
750
751 function add_gid_mapping {
752     if [ $# -lt 2 ];then
753         printUsage
754     elif [ $# -eq 2 ]; then
755         local bulkfile
756         if [ -r $2 ] && [ -f $2 ]
757         then
758             bulkfile="$2"
759         elif [ -r $SCRIPT_DIR"/$2" ] && [ -f $SCRIPT_DIR"/$2" ]
760         then
761             bulkfile="$SCRIPT_DIR/$2"
762         fi
763         if [ "$bulkfile" == "" ]
764         then
765             echo "[ERROR] file($2) not exist or unreadable"
766             printUsage
767         else
768             while IFS='' read -r line || [[ -n "$line" ]]; do
769                 local check_gid_mapping=`grep -rn "$line$" $SECURITY_MANAGER_GROUP_MAPPING_FILE | wc -l`
770                 if [ $check_gid_mapping -eq 0 ]; then
771                     echo "$line" >> $SECURITY_MANAGER_GROUP_MAPPING_FILE
772                 fi
773             done < $bulkfile
774         fi
775     elif [ $# -eq 3 ]; then
776         local check_gid_mapping=`grep -rn "$2 $3$" $SECURITY_MANAGER_GROUP_MAPPING_FILE | wc -l`
777         if [ $check_gid_mapping -eq 0 ]; then
778             echo "$2 $3" >> $SECURITY_MANAGER_GROUP_MAPPING_FILE
779         fi
780     else
781         printUsage
782     fi
783     if [ "$UPDATE_ALL" == "false" ]; then
784         gid_mapping
785     else
786         UPDATE_POLICY="true"
787     fi
788 }
789
790 #======================================================================
791 # [00] Check parameter
792 #======================================================================
793
794 param_count=$#
795
796 if [ ! -w $PRIVILEGE_DB ]
797 then
798     echo "[ERROR] DB not writable!!"
799     exit 1
800 fi
801
802 if [ ! -e  /usr/bin/security-manager-policy-reload ]
803 then
804     echo "[ERROR] security-manager-policy-reload not exist!"
805     exit 1
806 fi
807
808 if [ $param_count -lt 1 ]; then
809     printUsage
810 elif [ "$1" == "a" ] || [ "$1" == "all" ]
811 then
812     UPDATE_ALL="true"
813     if [ -r $PRIVILEGE_INFO_CSV ]; then
814         bulk_add_privilege_info $PRIVILEGE_INFO_CSV
815     fi
816     if [ -r $PRIVILEGE_MAPPING_CSV ]; then
817         bulk_add_privilege_mapping $PRIVILEGE_MAPPING_CSV '*'
818     fi
819     if [ -r $PRIVACY_WHITELIST_CSV ]; then
820         add_privacy_whitelist w $PRIVACY_WHITELIST_CSV
821     fi
822     if [ -r $PRIVILEGE_GROUP_MAPPING_LIST ]; then
823         add_gid_mapping g $PRIVILEGE_GROUP_MAPPING_LIST
824     fi
825     if [ "$UPDATE_POLICY" == "true" ]
826     then
827         policy_load
828         gid_mapping
829     fi
830 elif [ "$1" == "-h" ] || [ "$1" == "--help" ]
831 then
832     printUsage "help"
833 elif [ "$1" == "i" ] || [ "$1" == "info" ]
834 then
835     add_privilege_info $@
836 elif [ "$1" == "m" ] || [ "$1" == "mapping" ]
837 then
838     add_privilege_mapping "$@"
839 elif [ "$1" == "w" ] || [ "$1" == "whitelist" ]
840 then
841     add_privacy_whitelist $@
842 elif [ "$1" == "g" ] || [ "$1" == "gid" ]
843 then
844     add_gid_mapping $@
845 else
846     printUsage
847 fi
848 exit
Domain: Security / Application Privilege;