4 * Copyright (c) 2000 - 2012 Samsung Electronics Co., Ltd All Rights Reserved
6 * Contact: Kidong Kim <kd0228.kim@samsung.com>
8 * Licensed under the Apache License, Version 2.0 (the "License");
9 * you may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS,
16 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
23 #include <sys/types.h>
24 #include <sys/smack.h>
26 #ifndef _PRIVILEGE_CONTROL_H_
27 #define _PRIVILEGE_CONTROL_H_
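/*
 * Macros for converting preprocessor token to string.
 * Two levels are needed so that a macro argument is expanded before '#' is
 * applied: TOSTRING(FOO) yields the value of FOO as text, STRINGIFY(FOO)
 * yields "FOO".
 */
#define STRINGIFY(x) #x
#define TOSTRING(x) STRINGIFY(x)

/* Gives a symbol default ELF visibility (GCC/Clang attribute). */
#define API __attribute__((visibility("default")))

/*
 * Marks a declaration as deprecated so that callers get a compiler warning.
 * NOTE(review): the expansion ends in ';', so every `decl DEPRECATED;` in this
 * header expands to `decl __attribute__((deprecated));;`. The second ';' is an
 * empty file-scope declaration, which strict ISO C diagnoses under -pedantic.
 * Dropping the ';' is safe for the uses in this header, but audit users
 * outside this file before changing it.
 */
#define DEPRECATED __attribute__((deprecated));

/*
 * Return codes used by the functions declared in this header: zero on
 * success, a distinct negative PC_ERR_* value otherwise.
 * The negative values are parenthesized so they expand safely inside larger
 * expressions. Callers should compare against PC_OPERATION_SUCCESS and treat
 * every other value as a failed operation.
 */
#define PC_OPERATION_SUCCESS ((int)0)
#define PC_ERR_FILE_OPERATION (-1)
#define PC_ERR_MEM_OPERATION (-2)
#define PC_ERR_NOT_PERMITTED (-3)
#define PC_ERR_INVALID_PARAM (-4)
#define PC_ERR_INVALID_OPERATION (-5)
#define PC_ERR_DB_OPERATION (-6)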
57 APP_TYPE_WGT_PLATFORM,
59 APP_TYPE_OSP_PLATFORM,
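/* APIs - used by applications */

/**
 * Deprecated entry points kept for existing callers.
 * NOTE(review): this header carries no description of what these two
 * functions change or what they return. They are presumably superseded by
 * perm_app_set_privilege(), declared later in this header - confirm before
 * migrating callers.
 */
int control_privilege(void) DEPRECATED;
int set_privilege(const char *pkg_name) DEPRECATED;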
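/**
 * Get the SMACK label of a process, looked up by pid.
 *
 * The array bound in the prototype is documentation only: in C the parameter
 * is a plain char *, so the compiler does not verify that the caller's buffer
 * really holds SMACK_LABEL_LEN + 1 bytes. This header does not say what the
 * buffer contains after an error, so do not read it on a PC_ERR_* return.
 *
 * @param pid          [in]  pid of process
 * @param smack_label  [out] label of process; buffer of at least
 *                     SMACK_LABEL_LEN + 1 bytes
 * @return PC_OPERATION_SUCCESS on success, PC_ERR_* on error.
 */
int get_smack_label_from_process(pid_t pid, char smack_label[SMACK_LABEL_LEN + 1]);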
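/**
 * Check if process with pid has access to object.
 * This function checks if subject has access to object via the
 * smack_have_access() function. If yes, it returns access granted. If no,
 * it checks whether the process with pid has the CAP_MAC_OVERRIDE capability.
 * If yes, it returns access granted. If no, it returns access denied.
 *
 * The result is three-valued, so it must not be used as a boolean:
 * `if (smack_pid_have_access(...))` treats the error value -1 as "granted".
 * Compare the result with 1 and deny on anything else.
 *
 * @param pid          pid of process
 * @param object       label of object to access
 * @param access_type  NOTE(review): not described in the visible text;
 *                     presumably a SMACK access string - confirm
 * @return 0 (no access) or 1 (access) or -1 (error)
 */
int smack_pid_have_access(pid_t pid,
                          /* NOTE(review): this parameter line is missing from the listing; restored from the doc comment's "label of object" - confirm the name */
                          const char *object,
                          const char *access_type);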
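/**
 * Set DAC and SMACK privileges for application.
 * This function is meant to be called by the application launcher just before
 * it launches an application. It will set up DAC and SMACK privileges based
 * on app type and accesses.
 * It must be called with root privileges, which will be dropped in the function.
 *
 * The caller is still root until this call succeeds, so the launcher must
 * check the return value and must not start the application on any PC_ERR_*
 * result. This header does not state which privileges remain in effect after
 * a failure.
 *
 * @param name package name
 * @param type application type (currently distinguished types: "wgt",
 *             "wgt_partner", "wgt_platform" and other)
 * @param path file system path to the binary
 * @return PC_OPERATION_SUCCESS on success, PC_ERR_* on error
 */
int perm_app_set_privilege(const char *name, const char *type, const char *path);

/** Deprecated name with the same signature as perm_app_set_privilege(). */
int set_app_privilege(const char *name, const char *type, const char *path) DEPRECATED;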
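/**
 * For a UNIX socket endpoint determine the other side's pkg_id.
 *
 * A NULL result means the peer could not be identified; a caller using the
 * id for an access decision should deny in that case rather than fall back
 * to a default identity.
 *
 * @param sockfd socket file descriptor
 * @return id of the connecting widget on success, NULL on failure.
 *         The caller is responsible for freeing the returned widget id
 *         (NOTE(review): presumably with free() - the header does not name
 *         the deallocator).
 */
char *perm_app_id_from_socket(int sockfd);

/** Deprecated name with the same signature as perm_app_id_from_socket(). */
char *app_id_from_socket(int sockfd) DEPRECATED;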
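/**
 * Inform about installation of a new app.
 * It is intended to be called during app installation.
 * It will create an empty SMACK rules file used by other functions operating
 * on permissions if it doesn't already exist. It is needed for tracking
 * lifetime of an app. It must be called by privileged user, before using any
 * other app_* function. It may be called more than once during installation.
 *
 * @param pkg_id application identifier
 * @return PC_OPERATION_SUCCESS on success, PC_ERR_* on error
 */
int perm_app_install(const char *pkg_id);

/** Deprecated name with the same signature as perm_app_install(). */
int app_install(const char *pkg_id) DEPRECATED;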
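/**
 * Inform about deinstallation of an app.
 * It will remove the SMACK rules file, enabling future installation of app
 * with the same identifier. It is needed for tracking lifetime of an app.
 * You should call perm_app_revoke_permissions() (deprecated name:
 * app_revoke_permissions()) before this function, so that rules granted to
 * the old app are withdrawn before the identifier can be reused.
 * It must be called by privileged user.
 *
 * @param pkg_id application identifier
 * @return PC_OPERATION_SUCCESS on success, PC_ERR_* on error
 */
int perm_app_uninstall(const char *pkg_id);

/** Deprecated name with the same signature as perm_app_uninstall(). */
int app_uninstall(const char *pkg_id) DEPRECATED;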
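/**
 * Inform about installation of new Anti Virus application.
 * It is intended to be called during Anti Virus installation.
 * It will give this application SMACK rules for RWX access to all other apps
 * installed in system.
 * It must be called by privileged user.
 *
 * This is the broadest grant declared in this header, so the installer should
 * restrict which packages may be registered this way.
 * NOTE(review): the header does not describe how these rules are withdrawn
 * when the Anti Virus application is removed - confirm.
 *
 * @param app_av_id application identifier
 * @return PC_OPERATION_SUCCESS on success, PC_ERR_* on error.
 */
int app_register_av(const char *app_av_id) DEPRECATED;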
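/**
 * Grant SMACK permissions based on permissions list.
 * It is intended to be called during app installation.
 * It will construct SMACK rules based on permissions list, grant them
 * and store them in a file, so they will be automatically granted on
 * system boot.
 * It must be called by privileged user.
 * THIS FUNCTION IS NOW DEPRECATED. app_enable_permissions() SHOULD BE USED INSTEAD.
 * (app_enable_permissions() is itself marked DEPRECATED in this header; the
 * current name is perm_app_enable_permissions().)
 *
 * The list length is not passed separately, so the NULL terminator is the
 * only bound on perm_list.
 *
 * @param app_id application identifier
 * @param perm_list array of permission names, last element must be NULL
 * @return PC_OPERATION_SUCCESS on success, PC_ERR_* on error
 */
int app_add_permissions(const char *app_id, const char **perm_list) DEPRECATED;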
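/**
 * Grant temporary SMACK permissions based on permissions list.
 * It will construct SMACK rules based on permissions list, grant them,
 * but not store them anywhere, so they won't be granted again on system boot.
 * It must be called by privileged user.
 * THIS FUNCTION IS NOW DEPRECATED. app_enable_permissions() SHOULD BE USED INSTEAD.
 * (app_enable_permissions() is itself marked DEPRECATED in this header; the
 * current name is perm_app_enable_permissions().)
 *
 * The list length is not passed separately, so the NULL terminator is the
 * only bound on perm_list.
 *
 * @param app_id application identifier
 * @param perm_list array of permission names, last element must be NULL
 * @return PC_OPERATION_SUCCESS on success, PC_ERR_* on error
 */
int app_add_volatile_permissions(const char *app_id, const char **perm_list) DEPRECATED;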
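/**
 * Grant SMACK permissions based on permissions list.
 * It is intended to be called during app installation.
 * It will construct SMACK rules based on permissions list, grant them
 * and store them in a file, so they will be automatically granted on
 * system boot, when persistent mode is enabled.
 * It must be called by privileged user.
 *
 * The list length is not passed separately, so the NULL terminator is the
 * only bound on perm_list.
 * NOTE(review): `bool` needs <stdbool.h> in C; no include of it is visible
 * in this listing - confirm the header is self-contained.
 *
 * @param pkg_id application identifier
 * @param app_type application type
 * @param perm_list array of permission names, last element must be NULL
 * @param persistent boolean for choosing between persistent and temporary rules
 * @return PC_OPERATION_SUCCESS on success, PC_ERR_* on error
 */
int perm_app_enable_permissions(const char *pkg_id, app_type_t app_type,
                                const char **perm_list, bool persistent);

/** Deprecated name with the same signature as perm_app_enable_permissions(). */
int app_enable_permissions(const char *pkg_id, app_type_t app_type,
                           const char **perm_list, bool persistent) DEPRECATED;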
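/**
 * Remove previously granted SMACK permissions based on permissions list.
 * It will remove given permissions from an app, leaving other granted
 * permissions untouched. Results will be persistent.
 * It must be called by privileged user.
 *
 * The list length is not passed separately, so the NULL terminator is the
 * only bound on perm_list. A caller that withdraws access in response to a
 * policy change should check the return value: on PC_ERR_* the permissions
 * cannot be assumed to have been removed.
 *
 * @param pkg_id application identifier
 * @param app_type application type
 * @param perm_list array of permission names, last element must be NULL
 * @return PC_OPERATION_SUCCESS on success, PC_ERR_* on error
 */
int perm_app_disable_permissions(const char *pkg_id, app_type_t app_type,
                                 const char **perm_list);

/** Deprecated name with the same signature as perm_app_disable_permissions(). */
int app_disable_permissions(const char *pkg_id, app_type_t app_type,
                            const char **perm_list) DEPRECATED;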
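/**
 * Revoke SMACK permissions from an application.
 * This function should be called during app deinstallation.
 * It will revoke all SMACK rules previously granted by app_add_permissions().
 * NOTE(review): the text names only the deprecated app_add_permissions();
 * whether rules granted through perm_app_enable_permissions() are covered as
 * well is not stated here - confirm.
 * It must be called by privileged user.
 *
 * @param pkg_id application identifier
 * @return PC_OPERATION_SUCCESS on success, PC_ERR_* on error
 */
int perm_app_revoke_permissions(const char *pkg_id);

/** Deprecated name with the same signature as perm_app_revoke_permissions(). */
int app_revoke_permissions(const char *pkg_id) DEPRECATED;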
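/**
 * Reset SMACK permissions for an application by revoking all previously
 * granted rules and enabling them again from a rules file from disk.
 * It must be called by privileged user.
 *
 * The rules file on disk becomes the source of truth after this call, so its
 * integrity matters: anything able to modify that file controls what is
 * granted again.
 *
 * @param pkg_id application identifier
 * @return PC_OPERATION_SUCCESS on success, PC_ERR_* on error
 */
int perm_app_reset_permissions(const char *pkg_id);

/** Deprecated name with the same signature as perm_app_reset_permissions(). */
int app_reset_permissions(const char *pkg_id) DEPRECATED;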
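/**
 * Recursively set SMACK access labels for an application directory
 * and execute labels for executable files.
 * This function should be called once during app installation.
 * Results will be persistent on the file system.
 * It must be called by privileged user.
 * THIS FUNCTION IS NOW DEPRECATED. perm_app_setup_path() SHOULD BE USED INSTEAD.
 *
 * @param app_label label name
 * @param path directory path
 * @return PC_OPERATION_SUCCESS on success, PC_ERR_* on error
 */
int app_label_dir(const char *app_label, const char *path) DEPRECATED;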
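/**
 * Recursively set SMACK access and transmute labels for an application
 * directory and add SMACK rule for application.
 * This function should be called once during app installation.
 * Results will be persistent on the file system.
 * It must be called by privileged user.
 * Labels app_label and shared_label should not be equal.
 * THIS FUNCTION IS NOW DEPRECATED. app_setup_path() SHOULD BE USED INSTEAD.
 * (app_setup_path() is itself marked DEPRECATED in this header; the current
 * name is perm_app_setup_path().)
 *
 * @param app_label label name, used as subject for SMACK rule
 * @param shared_label label name, used as object for SMACK rule
 * @param path directory path
 * @return PC_OPERATION_SUCCESS on success, PC_ERR_* on error
 */
int app_label_shared_dir(const char *app_label, const char *shared_label,
                         const char *path) DEPRECATED;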
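/**
 * Add SMACK rx rules for application identifiers to shared_label.
 * This function should be called during app installation.
 * It must be called by privileged user.
 * THIS FUNCTION IS NOW DEPRECATED. NO REPLACEMENT IS NEEDED.
 *
 * @param shared_label label of the shared resource
 * @param app_list list of application SMACK identifiers
 *                 (NOTE(review): no length is passed; presumably NULL-terminated
 *                 like the perm_list arguments in this header - confirm)
 * @return PC_OPERATION_SUCCESS on success, PC_ERR_* on error
 */
int add_shared_dir_readers(const char *shared_label, const char **app_list) DEPRECATED;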
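/**
 * Recursively set SMACK labels for an application directory. The exact behavior
 * depends on app_path_type argument:
 * - APP_PATH_PRIVATE: label with app's label, set access label on everything
 *   and execute label on executable files and symlinks to executable files
 *
 * - APP_PATH_GROUP_RW: label with given shared_label, set access label on
 *   everything and enable transmute on directories. Also give pkg_id full access
 *   to the shared label.
 *
 * - APP_PATH_PUBLIC_RO: label with autogenerated label, set access label on
 *   everything and enable transmute on directories. Give full access to the label to
 *   pkg_id and RX access to all other apps.
 *
 * - APP_PATH_SETTINGS_RW: label with autogenerated label, set access label on
 *   everything and enable transmute on directories. Give full access to the label to
 *   pkg_id and RWX access to all appsetting apps.
 *
 * - APP_PATH_ANY_LABEL: label with given shared_label. Set access label on
 *   everything and execute label on executable files and symlinks to
 *   executable files
 *
 * This function should be called during app installation.
 * Results will be persistent on the file system.
 * It must be called by privileged user.
 *
 * The variadic argument is not type-checked by the compiler: for
 * APP_PATH_GROUP_RW and APP_PATH_ANY_LABEL exactly one const char * must
 * follow app_path_type. NOTE(review): it is presumably read with va_arg, in
 * which case omitting it or passing another type is undefined behavior -
 * confirm against the implementation.
 * For APP_PATH_ANY_LABEL the label is taken from the caller as given, so a
 * caller should not pass a label derived from package content without
 * checking it first.
 *
 * @param pkg_id application identifier
 * @param path directory path
 * @param app_path_type one of the APP_PATH_* values listed above
 * @param shared_label (optional argument for APP_PATH_GROUP_RW and
 *        APP_PATH_ANY_LABEL path type; type is const char*)
 * @return PC_OPERATION_SUCCESS on success, PC_ERR_* on error
 */
int perm_app_setup_path(const char *pkg_id, const char *path,
                        app_path_type_t app_path_type, ...);

/** Deprecated name with the same signature as perm_app_setup_path(). */
int app_setup_path(const char *pkg_id, const char *path,
                   app_path_type_t app_path_type, ...) DEPRECATED;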
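/**
 * Make two applications "friends", by giving them both full permissions on
 * each other.
 * NOTE(review): the end of the sentence above is missing from the listing;
 * "each other" is a reconstruction - confirm against the original header.
 * Results will be persistent on the file system. Must be called after
 * app_add_permissions() has been called for each application.
 * It must be called by privileged user.
 *
 * The grant is symmetric and full, so either application can then act on the
 * other; both identifiers should come from a trusted source.
 *
 * @param pkg_id1 first application identifier
 * @param pkg_id2 second application identifier
 * @return PC_OPERATION_SUCCESS on success, PC_ERR_* on error
 */
int perm_app_add_friend(const char *pkg_id1, const char *pkg_id2);

/** Deprecated name with the same signature as perm_app_add_friend(). */
int app_add_friend(const char *pkg_id1, const char *pkg_id2) DEPRECATED;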
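/**
 * Adds new api feature by installing new *.smack file.
 * It must be called by privileged user.
 *
 * The rules in set_smack_rule_set become part of the installed policy, so
 * they should be reviewed like any other policy change before being passed in.
 *
 * @param app_type application type
 * @param api_feature_name name of newly added feature
 * @param set_smack_rule_set set of rules required by the feature - NULL terminated
 *        list of NULL terminated rules.
 * @param list_of_db_gids list of gids required to access databases controlled
 *        by the feature (NOTE(review): the end of this sentence is missing
 *        from the listing; wording completed by guess)
 * @param list_size NOTE(review): not described in the visible text; presumably
 *        the number of elements in list_of_db_gids - confirm
 * @return PC_OPERATION_SUCCESS on success, PC_ERR_* on error
 */
int perm_add_api_feature(app_type_t app_type,
                         const char *api_feature_name,
                         const char **set_smack_rule_set,
                         const gid_t *list_of_db_gids,
                         /* NOTE(review): this parameter line is missing from the listing; restored from the deprecated twin below - confirm */
                         size_t list_size);

/** Deprecated name for perm_add_api_feature(). */
int add_api_feature(app_type_t app_type,
                    const char *api_feature_name,
                    const char **set_smack_rule_set,
                    const gid_t *list_of_db_gids,
                    size_t list_size) DEPRECATED;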
371 #endif // __cplusplus
373 #endif // _PRIVILEGE_CONTROL_H_