2 * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the License);
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an AS IS BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
20 #include <sys/statfs.h>
21 #include <sys/types.h>
26 #include <download-provider.h>
27 #include <download-provider-log.h>
28 #include <download-provider-utils.h>
30 #include <cynara-client.h>
31 #include <cynara-client-async.h>
32 #include <cynara-creds-socket.h>
33 #include <cynara-creds-dbus.h>
35 #include <app_manager.h>
36 #include <tzplatform_config.h>
38 #include "download-provider-security.h"
40 #define MAX_ARRAY_LEN 1024
41 #define SECURITY_ATTRIBUTES_PATH "/proc/%d/attr/current"
43 static int dp_is_exist_dir(const char *dirpath)
45 struct stat dir_state;
47 if (dirpath == NULL) {
48 TRACE_ERROR("check path");
51 stat_ret = stat(dirpath, &dir_state);
52 if (stat_ret == 0 && S_ISDIR(dir_state.st_mode))
57 static char *_dp_get_pkg_id(dp_credential cred)
61 app_context_h context;
63 if (app_manager_get_app_id(cred.pid, &app_id) != APP_MANAGER_ERROR_NONE) {
64 TRACE_ERROR("Failed to get application ID");
68 if (app_manager_get_app_context(app_id, &context) != APP_MANAGER_ERROR_NONE) {
69 TRACE_ERROR("Failed to get application ID");
74 if (app_context_get_package_id(context, &pkg_id) != APP_MANAGER_ERROR_NONE) {
75 TRACE_ERROR("Failed to get application ID");
76 app_context_destroy(context);
81 app_context_destroy(context);
87 static int _dp_check_dir_permission(dp_credential cred, const char *privilege)
91 char client_smack[MAX_ARRAY_LEN + 1] = {0, };
92 char client_smack_path[MAX_ARRAY_LEN + 1] = {0, };
94 char *client_session = "";
95 cynara *p_cynara = NULL;
97 if (CYNARA_API_SUCCESS != cynara_initialize(&p_cynara, NULL)) {
98 TRACE_ERROR("Failed to initialize cynara structure\n");
102 snprintf(client_smack_path, MAX_ARRAY_LEN, SECURITY_ATTRIBUTES_PATH, cred.pid);
103 fd = fopen(client_smack_path, "r");
105 TRACE_ERROR("Failed to open %s", client_smack_path);
106 cynara_finish(p_cynara);
109 ret = fread(client_smack, MAX_ARRAY_LEN, 1, fd);
111 TRACE_ERROR("Failed to read %s", client_smack_path);
113 cynara_finish(p_cynara);
118 snprintf(uid, sizeof(uid), "%d", cred.uid);
120 TRACE_DEBUG("pid: %ld, uid: %s, checked privilege:%s", cred.pid, uid, privilege);
121 ret = cynara_check(p_cynara, client_smack, client_session, uid, privilege);
122 cynara_finish(p_cynara);
124 return (ret == CYNARA_API_ACCESS_ALLOWED) ? 0 : -1;
127 int dp_is_valid_dir(dp_credential cred, const char *dirpath)
129 char default_storage[PATH_MAX + 1] = {0, };
130 char media_storage[PATH_MAX + 1] = {0, };
131 char external_storage[PATH_MAX + 1] = {0, };
132 char apps_storage[PATH_MAX + 1] = {0, };
133 char resolved_path[PATH_MAX + 1] = {0 , };
136 const char *temp = NULL;
139 res = realpath(dirpath, NULL);
141 TRACE_ERROR("Failed to get absolute path");
142 return DP_ERROR_INVALID_DESTINATION;
145 strncpy(resolved_path, res, PATH_MAX - 1);
148 end = strlen(resolved_path) - 1;
149 if (resolved_path[end] != '/')
150 resolved_path[end + 1] = '/';
152 TRACE_INFO("%s -> %s", dirpath, resolved_path);
154 // Check whether directory is exist or not.
155 if (dp_is_exist_dir(resolved_path) < 0) {
156 TRACE_ERROR("%s is not exist.", resolved_path);
157 return DP_ERROR_INVALID_DESTINATION;
160 tzplatform_set_user(cred.uid);
162 // Check whether directory is default directory or not.
163 temp = tzplatform_getenv(TZ_USER_DOWNLOADS);
165 snprintf(default_storage, PATH_MAX - 1, "%s/", temp);
166 if (strncmp(resolved_path, default_storage,
167 strlen(default_storage)) == 0)
168 return DP_ERROR_NONE;
172 // Check permission: media storage
173 temp = tzplatform_getenv(TZ_USER_CONTENT);
175 snprintf(media_storage, PATH_MAX - 1, "%s/", temp);
176 if (strncmp(resolved_path, media_storage,
177 strlen(media_storage)) == 0) {
178 if (_dp_check_dir_permission(cred, MEDIA_STORAGE_PRIVILEGE) < 0) {
179 TRACE_ERROR("Permission denied: %s needs %s privilege",
180 resolved_path, MEDIA_STORAGE_PRIVILEGE);
181 return DP_ERROR_INVALID_DESTINATION;
183 return DP_ERROR_NONE;
188 // Check permission: external storage
189 temp = tzplatform_getenv(TZ_SYS_STORAGE);
191 snprintf(external_storage, PATH_MAX - 1, "%s/", temp);
192 if (strncmp(resolved_path, external_storage,
193 strlen(external_storage)) == 0) {
194 if (_dp_check_dir_permission(cred, EXTERNAL_STORAGE_PRIVILEGE) < 0) {
195 TRACE_ERROR("Permission denied: %s needs %s privilege",
196 resolved_path, EXTERNAL_STORAGE_PRIVILEGE);
197 return DP_ERROR_INVALID_DESTINATION;
199 return DP_ERROR_NONE;
204 // Check permission: private storage
205 temp = tzplatform_getenv(TZ_USER_APP);
207 snprintf(apps_storage, PATH_MAX - 1, "%s/", temp);
208 if (strncmp(resolved_path, apps_storage,
209 strlen(apps_storage)) == 0) {
210 pkg_id = _dp_get_pkg_id(cred);
212 return DP_ERROR_INVALID_DESTINATION;
214 TRACE_INFO("pkg_id: %s", pkg_id);
215 if (strncmp(resolved_path + strlen(apps_storage) + 2,
216 pkg_id, strlen(pkg_id)) != 0) {
217 TRACE_ERROR("Permission denied");
219 return DP_ERROR_INVALID_DESTINATION;
222 return DP_ERROR_NONE;
227 return DP_ERROR_INVALID_DESTINATION;
230 void dp_rebuild_dir(const char *dirpath, mode_t mode)
232 if (dp_is_exist_dir(dirpath) < 0) {
233 if (mkdir(dirpath, mode) == 0)
234 TRACE_INFO("check directory:%s", dirpath);
236 TRACE_ERROR("failed to create directory:%s", dirpath);
240 int dp_check_permission(int clientfd, const char *pkgname)
243 int result = DP_ERROR_NONE;
244 cynara *p_cynara = NULL;
245 cynara_configuration *p_conf = NULL;
246 size_t cache_size = 100;
247 const char *client_session = "";
248 char *client_smack = NULL;
251 TRACE_DEBUG("clientfd[%d] pkgname[%s]", clientfd, pkgname);
252 if (CYNARA_API_SUCCESS != cynara_configuration_create(&p_conf)) {
253 TRACE_DEBUG("failed to create cynara configuration");
254 result = DP_ERROR_PERMISSION_DENIED;
258 if (CYNARA_API_SUCCESS != cynara_configuration_set_cache_size(p_conf, cache_size)) {
259 TRACE_DEBUG("failed to set cache size");
260 result = DP_ERROR_PERMISSION_DENIED;
264 ret = cynara_initialize(&p_cynara, NULL);
265 if (ret != CYNARA_API_SUCCESS) {
266 TRACE_DEBUG("failed to initialize cynara");
267 result = DP_ERROR_PERMISSION_DENIED;
271 // Get client peer credential
272 ret = cynara_creds_socket_get_client(clientfd, CLIENT_METHOD_SMACK, &client_smack);
273 if (ret != CYNARA_API_SUCCESS) {
274 TRACE_DEBUG("failed to createsa client identification string");
275 result = DP_ERROR_PERMISSION_DENIED;
279 ret = cynara_creds_socket_get_user(clientfd, USER_METHOD_UID, &uid);
280 if (ret != CYNARA_API_SUCCESS) {
281 TRACE_DEBUG("failed to create a user identification string");
282 result = DP_ERROR_PERMISSION_DENIED;
287 ret = cynara_check(p_cynara, client_smack, client_session, uid, DOWNLOAD_PRIVILEGE);
288 if (ret == CYNARA_API_ACCESS_ALLOWED) {
289 TRACE_DEBUG("CYNARA_API_ACCESS_ALLOWED");
291 TRACE_DEBUG("DP_ERROR_PERMISSION_DENIED");
292 result = DP_ERROR_PERMISSION_DENIED;
297 cynara_configuration_destroy(p_conf);
299 cynara_finish(p_cynara);