2 * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the License);
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an AS IS BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
20 #include <sys/statfs.h>
21 #include <sys/types.h>
26 #include <download-provider.h>
27 #include <download-provider-log.h>
28 #include <download-provider-utils.h>
30 #include <cynara-client.h>
31 #include <cynara-client-async.h>
32 #include <cynara-creds-socket.h>
33 #include <cynara-creds-dbus.h>
35 #include <app_manager.h>
36 #include <tzplatform_config.h>
38 #include "download-provider-security.h"
40 #define MAX_ARRAY_LEN 1024
41 #define SECURITY_ATTRIBUTES_PATH "/proc/%d/attr/current"
42 #define TEMP_DIR "/tmp/"
44 static int dp_is_exist_dir(const char *dirpath)
46 struct stat dir_state;
48 if (dirpath == NULL) {
49 TRACE_ERROR("check path");
52 stat_ret = stat(dirpath, &dir_state);
53 if (stat_ret == 0 && S_ISDIR(dir_state.st_mode))
58 static char *_dp_get_pkg_id(dp_credential cred)
62 app_context_h context;
64 if (app_manager_get_app_id(cred.pid, &app_id) != APP_MANAGER_ERROR_NONE) {
65 TRACE_ERROR("Failed to get application ID");
69 if (app_manager_get_app_context(app_id, &context) != APP_MANAGER_ERROR_NONE) {
70 TRACE_ERROR("Failed to get application ID");
75 if (app_context_get_package_id(context, &pkg_id) != APP_MANAGER_ERROR_NONE) {
76 TRACE_ERROR("Failed to get application ID");
77 app_context_destroy(context);
82 app_context_destroy(context);
88 static int _dp_check_dir_permission(dp_credential cred, const char *privilege)
92 char client_smack[MAX_ARRAY_LEN + 1] = {0, };
93 char client_smack_path[MAX_ARRAY_LEN + 1] = {0, };
95 char *client_session = "";
96 cynara *p_cynara = NULL;
98 if (CYNARA_API_SUCCESS != cynara_initialize(&p_cynara, NULL)) {
99 TRACE_ERROR("Failed to initialize cynara structure\n");
103 snprintf(client_smack_path, MAX_ARRAY_LEN, SECURITY_ATTRIBUTES_PATH, cred.pid);
104 fd = fopen(client_smack_path, "r");
106 TRACE_ERROR("Failed to open %s", client_smack_path);
107 cynara_finish(p_cynara);
110 ret = fread(client_smack, 1, MAX_ARRAY_LEN, fd);
112 TRACE_ERROR("Failed to read %s", client_smack_path);
114 cynara_finish(p_cynara);
118 client_smack[ret] = '\0';
120 snprintf(uid, sizeof(uid), "%d", cred.uid);
122 TRACE_DEBUG("pid: %d, uid: %s, checked privilege:%s", cred.pid, uid, privilege);
123 ret = cynara_check(p_cynara, client_smack, client_session, uid, privilege);
124 cynara_finish(p_cynara);
126 return (ret == CYNARA_API_ACCESS_ALLOWED) ? 0 : -1;
129 int dp_is_valid_dir(dp_credential cred, const char *dirpath)
131 char default_storage[PATH_MAX + 1] = {0, };
132 char media_storage[PATH_MAX + 1] = {0, };
133 char external_storage[PATH_MAX + 1] = {0, };
134 char apps_storage[PATH_MAX + 1] = {0, };
135 char resolved_path[PATH_MAX + 1] = {0 , };
138 const char *temp = NULL;
141 res = realpath(dirpath, NULL);
143 TRACE_ERROR("Failed to get absolute path");
144 return DP_ERROR_INVALID_DESTINATION;
147 strncpy(resolved_path, res, PATH_MAX - 1);
150 end = strlen(resolved_path) - 1;
151 if (resolved_path[end] != '/')
152 resolved_path[end + 1] = '/';
154 TRACE_INFO("%s -> %s", dirpath, resolved_path);
156 // Check whether directory is exist or not.
157 if (dp_is_exist_dir(resolved_path) < 0) {
158 TRACE_ERROR("%s is not exist.", resolved_path);
159 return DP_ERROR_INVALID_DESTINATION;
162 // Check whether directory is temporary directory or not.
163 if (strncmp(resolved_path, TEMP_DIR, strlen(TEMP_DIR)) == 0)
164 return DP_ERROR_NONE;
166 tzplatform_set_user(cred.uid);
168 // Check whether directory is default directory or not.
169 temp = tzplatform_getenv(TZ_USER_DOWNLOADS);
171 snprintf(default_storage, PATH_MAX - 1, "%s/", temp);
172 if (strncmp(resolved_path, default_storage,
173 strlen(default_storage)) == 0)
174 return DP_ERROR_NONE;
178 // Check permission: media storage
179 temp = tzplatform_getenv(TZ_USER_CONTENT);
181 snprintf(media_storage, PATH_MAX - 1, "%s/", temp);
182 if (strncmp(resolved_path, media_storage,
183 strlen(media_storage)) == 0) {
184 if (_dp_check_dir_permission(cred, MEDIA_STORAGE_PRIVILEGE) < 0) {
185 TRACE_ERROR("Permission denied: %s needs %s privilege",
186 resolved_path, MEDIA_STORAGE_PRIVILEGE);
187 return DP_ERROR_INVALID_DESTINATION;
189 return DP_ERROR_NONE;
194 // Check permission: external storage
195 temp = tzplatform_getenv(TZ_SYS_STORAGE);
197 snprintf(external_storage, PATH_MAX - 1, "%s/", temp);
198 if (strncmp(resolved_path, external_storage,
199 strlen(external_storage)) == 0) {
200 if (_dp_check_dir_permission(cred, EXTERNAL_STORAGE_PRIVILEGE) < 0) {
201 TRACE_ERROR("Permission denied: %s needs %s privilege",
202 resolved_path, EXTERNAL_STORAGE_PRIVILEGE);
203 return DP_ERROR_INVALID_DESTINATION;
205 return DP_ERROR_NONE;
210 // Check permission: private storage
211 temp = tzplatform_getenv(TZ_USER_APP);
213 snprintf(apps_storage, PATH_MAX - 1, "%s/", temp);
214 if (strncmp(resolved_path, apps_storage,
215 strlen(apps_storage)) == 0) {
216 pkg_id = _dp_get_pkg_id(cred);
218 return DP_ERROR_INVALID_DESTINATION;
220 TRACE_INFO("pkg_id: %s", pkg_id);
221 if (strncmp(resolved_path + strlen(apps_storage),
222 pkg_id, strlen(pkg_id)) != 0) {
223 TRACE_ERROR("Permission denied");
225 return DP_ERROR_INVALID_DESTINATION;
228 return DP_ERROR_NONE;
233 return DP_ERROR_INVALID_DESTINATION;
236 void dp_rebuild_dir(const char *dirpath, mode_t mode)
238 if (dp_is_exist_dir(dirpath) < 0) {
239 if (mkdir(dirpath, mode) == 0)
240 TRACE_INFO("check directory:%s", dirpath);
242 TRACE_ERROR("failed to create directory:%s", dirpath);
246 int dp_check_permission(int clientfd, const char *pkgname)
249 int result = DP_ERROR_NONE;
250 cynara *p_cynara = NULL;
251 cynara_configuration *p_conf = NULL;
252 size_t cache_size = 100;
253 const char *client_session = "";
254 char *client_smack = NULL;
257 TRACE_DEBUG("clientfd[%d] pkgname[%s]", clientfd, pkgname);
258 if (CYNARA_API_SUCCESS != cynara_configuration_create(&p_conf)) {
259 TRACE_DEBUG("failed to create cynara configuration");
260 result = DP_ERROR_PERMISSION_DENIED;
264 if (CYNARA_API_SUCCESS != cynara_configuration_set_cache_size(p_conf, cache_size)) {
265 TRACE_DEBUG("failed to set cache size");
266 result = DP_ERROR_PERMISSION_DENIED;
270 ret = cynara_initialize(&p_cynara, NULL);
271 if (ret != CYNARA_API_SUCCESS) {
272 TRACE_DEBUG("failed to initialize cynara");
273 result = DP_ERROR_PERMISSION_DENIED;
277 // Get client peer credential
278 ret = cynara_creds_socket_get_client(clientfd, CLIENT_METHOD_SMACK, &client_smack);
279 if (ret != CYNARA_API_SUCCESS) {
280 TRACE_DEBUG("failed to createsa client identification string");
281 result = DP_ERROR_PERMISSION_DENIED;
285 ret = cynara_creds_socket_get_user(clientfd, USER_METHOD_UID, &uid);
286 if (ret != CYNARA_API_SUCCESS) {
287 TRACE_DEBUG("failed to create a user identification string");
288 result = DP_ERROR_PERMISSION_DENIED;
293 ret = cynara_check(p_cynara, client_smack, client_session, uid, DOWNLOAD_PRIVILEGE);
294 if (ret == CYNARA_API_ACCESS_ALLOWED) {
295 TRACE_DEBUG("CYNARA_API_ACCESS_ALLOWED");
297 TRACE_DEBUG("DP_ERROR_PERMISSION_DENIED");
298 result = DP_ERROR_PERMISSION_DENIED;
303 cynara_configuration_destroy(p_conf);
305 cynara_finish(p_cynara);