Rule management added.

[platform/core/security/suspicious-activity-monitor.git] / daemon / dpm / policy_enforce.cpp

/**
 * Samsung Ukraine R&D Center (SRK under a contract between)
 * LLC "Samsung Electronics Co", Ltd (Seoul, Republic of Korea)
 * Copyright (C) 2018 Samsung Electronics Co., Ltd. All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License
 */
/**
 * @file   policy_enforce.cpp
 * @brief  Policy group agregator
 * @date   Created Jul 01, 2016
 * @author Mail to: <A HREF="mailto:a.volkov@samsung.com">Aleksey Volkov, a.volkov@samsung.com</A>
 */

#include "policy_enforce.h"
#include <jsoncpp/json/reader.h>
#include "ipolicy.h"
#include "logging.h"
#include "samonitor_tag.h"
#include "../utils.h"

namespace
{

#define DPM_OWNER_NAME "owner"

class DpmHandle
{
public:
    DpmHandle()
    {
        m_handle = dpm_manager_create();
    }
    ~DpmHandle()
    {
        dpm_manager_destroy(m_handle);
    }
    operator device_policy_manager_h () const {
        return m_handle;
    }
    operator bool () const {
        return m_handle != nullptr;
    }
private:
    device_policy_manager_h m_handle;
};

struct DropPrivilege
{
    DropPrivilege(uid_t from, uid_t to): euid(from), cuid(to)
    {
        if (0 != setresuid(cuid, cuid, euid)) {
            throw std::runtime_error("Failed to drop privilege error code: " + std::to_string(errno));
        }
    }

    ~DropPrivilege()
    {
        (void)setresuid(euid, euid, -1);
    }

    uid_t euid, cuid;
};

}

namespace dpm
{

PolicyEnforce::PolicyEnforce() : m_policy_map()
{
    this_user = geteuid();
    dpm_user = agent::getUidByName(DPM_OWNER_NAME);
}

PolicyEnforce::~PolicyEnforce()
{
}

PolicyEnforce& PolicyEnforce::GetInstance()
{
    static PolicyEnforce policy_enforce;
    return policy_enforce;
}

void PolicyEnforce::registerPolicy(const std::string& policy_name, IPolicyPtr policy_applier)
{
    m_policy_map[policy_name] = policy_applier;
}

PolicyEnforce::Result PolicyEnforce::applyPolicy(const std::string& jsonString)
{
    Result result = Result::SUCCESS;

    LOG_D(TAG, "PolicyEnforce::applyPolicy");

    try {
        if (jsonString.empty()) {
            LOG_E(TAG, "Empty policy");
            return Result::ERROR_PARSING;
        }

        Json::Reader reader;
        Json::Value object;
        if (!reader.parse(jsonString, object) || object.empty()) {
            LOG_E(TAG, "Can't read policy");
            return Result::ERROR_PARSING;
        }

        if (object["type"].asString() != "policy") {
            LOG_E(TAG, "Invalid policy type");
            return Result::ERROR_TYPE;
        }

        Json::Value& data = object["data"];
        if (data.empty()) {
            LOG_E(TAG, "Empty policy data");
            return Result::ERROR_DATA;
        }

        DropPrivilege priv{this_user, dpm_user};

        DpmHandle dpmh;
        if (!dpmh) {
            LOG_E(TAG, "DPM initialization error!");
            return Result::ERROR_DPM;
        }

        for (auto& node : data) {
            std::string name = node.get("name", "").asString();

            PolicyMap::iterator it = m_policy_map.find(name);
            if (it == m_policy_map.end()) {
                LOG_E(TAG, "Policy \"%s\" not found", name.c_str());
                continue;
            }

            IPolicy& applier = *(it->second);
            if (applier.apply((device_policy_manager_h)dpmh, node) != TIZEN_ERROR_NONE) {
                LOG_E(TAG, "Failed to apply policy \"%s\"", name.c_str());
            }
        }
    } catch (std::exception& e) {
        LOG_E(TAG, "Failed to apply policy, exception: %s", e.what());
        result = Result::ERROR_UNKNOWN;
    }

    return result;
}

PolicyEnforce::Result PolicyEnforce::getStates(Json::Value& policy)
{
    Result result = Result::SUCCESS;

    LOG_D(TAG, "PolicyEnforce::getStates");

    try {
        if (policy.empty()) {
            LOG_E(TAG, "Empty policy");
            return Result::ERROR_PARSING;
        }

        if (policy["type"].asString() != "state-policy") {
            LOG_E(TAG, "Invalid policy type");
            return Result::ERROR_TYPE;
        }

        Json::Value& data = policy["data"];
        if (data.empty()) {
            LOG_E(TAG, "Empty policy data");
            return Result::ERROR_DATA;
        }

        DropPrivilege priv{this_user, dpm_user};

        DpmHandle dpmh;
        if (!dpmh) {
            LOG_E(TAG, "DPM initialization error!");
            return Result::ERROR_DPM;
        }

        for (Json::Value& node : data) {
            std::string name = node.get("name", "").asString();

            PolicyMap::iterator it = m_policy_map.find(name);
            if (it == m_policy_map.end()) {
                LOG_E(TAG, "Policy \"%s\" not found", name.c_str());
                continue;
            }

            IPolicy& applier = *(it->second);
            if (applier.getState((device_policy_manager_h)dpmh, node) != TIZEN_ERROR_NONE) {
                LOG_E(TAG, "Failed to get policy \"%s\" state", name.c_str());
            }
        }
    } catch (std::exception& e) {
        LOG_E(TAG, "Failed to get policy state, exception: %s", e.what());
        result = Result::ERROR_UNKNOWN;
    }

    return result;
}

} //namespace dpm