2 * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the License);
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an AS IS BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
20 #include <sys/statfs.h>
21 #include <sys/types.h>
26 #include <download-provider.h>
27 #include <download-provider-log.h>
28 #include <download-provider-utils.h>
30 #include <cynara-client.h>
31 #include <cynara-client-async.h>
32 #include <cynara-creds-socket.h>
33 #include <cynara-creds-dbus.h>
35 #include <app_manager.h>
36 #include <tzplatform_config.h>
38 #include "download-provider-security.h"
40 #define MAX_ARRAY_LEN 1024
41 #define SECURITY_ATTRIBUTES_PATH "/proc/%d/attr/current"
42 #define TEMP_DIR "/tmp/"
44 static int dp_is_exist_dir(const char *dirpath)
46 struct stat dir_state;
48 if (dirpath == NULL) {
49 TRACE_ERROR("check path");
52 stat_ret = stat(dirpath, &dir_state);
53 if (stat_ret == 0 && S_ISDIR(dir_state.st_mode))
58 static char *_dp_get_pkg_id(dp_credential cred)
62 app_info_h app_info = NULL;
64 if (app_manager_get_app_id(cred.pid, &app_id) != APP_MANAGER_ERROR_NONE) {
65 TRACE_ERROR("Failed to get application ID");
69 if (app_info_create(app_id, &app_info) != APP_MANAGER_ERROR_NONE) {
70 TRACE_ERROR("Failed to create app_info");
75 if (app_info_get_package(app_info, &pkg_id) != APP_MANAGER_ERROR_NONE) {
76 TRACE_ERROR("Failed to get package ID");
77 app_info_destroy(app_info);
83 app_info_destroy(app_info);
89 static int _dp_check_dir_permission(dp_credential cred, const char *privilege)
93 char client_smack[MAX_ARRAY_LEN + 1] = {0, };
94 char client_smack_path[MAX_ARRAY_LEN + 1] = {0, };
96 char *client_session = "";
97 cynara *p_cynara = NULL;
99 if (CYNARA_API_SUCCESS != cynara_initialize(&p_cynara, NULL)) {
100 TRACE_ERROR("Failed to initialize cynara structure\n");
104 snprintf(client_smack_path, MAX_ARRAY_LEN, SECURITY_ATTRIBUTES_PATH, cred.pid);
105 fd = fopen(client_smack_path, "r");
107 TRACE_ERROR("Failed to open %s", client_smack_path);
108 cynara_finish(p_cynara);
111 ret = fread(client_smack, 1, MAX_ARRAY_LEN, fd);
113 TRACE_ERROR("Failed to read %s", client_smack_path);
115 cynara_finish(p_cynara);
119 client_smack[ret] = '\0';
121 snprintf(uid, sizeof(uid), "%d", cred.uid);
123 TRACE_DEBUG("pid: %d, uid: %s, checked privilege:%s", cred.pid, uid, privilege);
124 ret = cynara_check(p_cynara, client_smack, client_session, uid, privilege);
125 cynara_finish(p_cynara);
127 return (ret == CYNARA_API_ACCESS_ALLOWED) ? 0 : -1;
130 int dp_is_valid_dir(dp_credential cred, const char *dirpath)
132 char default_storage[PATH_MAX + 1] = {0, };
133 char media_storage[PATH_MAX + 1] = {0, };
134 char external_storage[PATH_MAX + 1] = {0, };
135 char apps_storage[PATH_MAX + 1] = {0, };
136 char resolved_path[PATH_MAX + 1] = {0 , };
139 const char *temp = NULL;
142 res = realpath(dirpath, NULL);
144 TRACE_ERROR("Failed to get absolute path");
145 return DP_ERROR_INVALID_DESTINATION;
148 strncpy(resolved_path, res, PATH_MAX - 1);
151 end = strlen(resolved_path) - 1;
152 if (resolved_path[end] != '/')
153 resolved_path[end + 1] = '/';
155 TRACE_INFO("%s -> %s", dirpath, resolved_path);
157 // Check whether directory is exist or not.
158 if (dp_is_exist_dir(resolved_path) < 0) {
159 TRACE_ERROR("%s is not exist.", resolved_path);
160 return DP_ERROR_INVALID_DESTINATION;
163 // Check whether directory is temporary directory or not.
164 if (strncmp(resolved_path, TEMP_DIR, strlen(TEMP_DIR)) == 0)
165 return DP_ERROR_NONE;
167 tzplatform_set_user(cred.uid);
169 // Check whether directory is default directory or not.
170 temp = tzplatform_getenv(TZ_USER_DOWNLOADS);
172 snprintf(default_storage, PATH_MAX - 1, "%s/", temp);
173 if (strncmp(resolved_path, default_storage,
174 strlen(default_storage)) == 0)
175 return DP_ERROR_NONE;
179 // Check permission: media storage
180 temp = tzplatform_getenv(TZ_USER_CONTENT);
182 snprintf(media_storage, PATH_MAX - 1, "%s/", temp);
183 if (strncmp(resolved_path, media_storage,
184 strlen(media_storage)) == 0) {
185 if (_dp_check_dir_permission(cred, MEDIA_STORAGE_PRIVILEGE) < 0) {
186 TRACE_ERROR("Permission denied: %s needs %s privilege",
187 resolved_path, MEDIA_STORAGE_PRIVILEGE);
188 return DP_ERROR_INVALID_DESTINATION;
190 return DP_ERROR_NONE;
195 // Check permission: external storage
196 temp = tzplatform_getenv(TZ_SYS_STORAGE);
198 snprintf(external_storage, PATH_MAX - 1, "%s/", temp);
199 if (strncmp(resolved_path, external_storage,
200 strlen(external_storage)) == 0) {
201 if (_dp_check_dir_permission(cred, EXTERNAL_STORAGE_PRIVILEGE) < 0) {
202 TRACE_ERROR("Permission denied: %s needs %s privilege",
203 resolved_path, EXTERNAL_STORAGE_PRIVILEGE);
204 return DP_ERROR_INVALID_DESTINATION;
206 return DP_ERROR_NONE;
211 // Check permission: private storage
212 temp = tzplatform_getenv(TZ_USER_APP);
214 snprintf(apps_storage, PATH_MAX - 1, "%s/", temp);
215 if (strncmp(resolved_path, apps_storage,
216 strlen(apps_storage)) == 0) {
217 pkg_id = _dp_get_pkg_id(cred);
219 return DP_ERROR_INVALID_DESTINATION;
221 TRACE_INFO("pkg_id: %s", pkg_id);
222 if (strncmp(resolved_path + strlen(apps_storage),
223 pkg_id, strlen(pkg_id)) != 0) {
224 TRACE_ERROR("Permission denied");
226 return DP_ERROR_INVALID_DESTINATION;
229 return DP_ERROR_NONE;
234 // Check whether directory is shared directory or not.
235 temp = tzplatform_getenv(TZ_USER_SHARE);
237 if (strncmp(resolved_path, temp,
239 return DP_ERROR_NONE;
243 return DP_ERROR_INVALID_DESTINATION;
246 void dp_rebuild_dir(const char *dirpath, mode_t mode)
248 if (dp_is_exist_dir(dirpath) < 0) {
249 if (mkdir(dirpath, mode) == 0)
250 TRACE_INFO("check directory:%s", dirpath);
252 TRACE_ERROR("failed to create directory:%s", dirpath);
256 int dp_check_permission(int clientfd, const char *pkgname)
259 int result = DP_ERROR_NONE;
260 cynara *p_cynara = NULL;
261 cynara_configuration *p_conf = NULL;
262 size_t cache_size = 100;
263 const char *client_session = "";
264 char *client_smack = NULL;
267 TRACE_DEBUG("clientfd[%d] pkgname[%s]", clientfd, pkgname);
268 if (CYNARA_API_SUCCESS != cynara_configuration_create(&p_conf)) {
269 TRACE_DEBUG("failed to create cynara configuration");
270 result = DP_ERROR_PERMISSION_DENIED;
274 if (CYNARA_API_SUCCESS != cynara_configuration_set_cache_size(p_conf, cache_size)) {
275 TRACE_DEBUG("failed to set cache size");
276 result = DP_ERROR_PERMISSION_DENIED;
280 ret = cynara_initialize(&p_cynara, NULL);
281 if (ret != CYNARA_API_SUCCESS) {
282 TRACE_DEBUG("failed to initialize cynara");
283 result = DP_ERROR_PERMISSION_DENIED;
287 // Get client peer credential
288 ret = cynara_creds_socket_get_client(clientfd, CLIENT_METHOD_SMACK, &client_smack);
289 if (ret != CYNARA_API_SUCCESS) {
290 TRACE_DEBUG("failed to createsa client identification string");
291 result = DP_ERROR_PERMISSION_DENIED;
295 ret = cynara_creds_socket_get_user(clientfd, USER_METHOD_UID, &uid);
296 if (ret != CYNARA_API_SUCCESS) {
297 TRACE_DEBUG("failed to create a user identification string");
298 result = DP_ERROR_PERMISSION_DENIED;
303 ret = cynara_check(p_cynara, client_smack, client_session, uid, DOWNLOAD_PRIVILEGE);
304 if (ret == CYNARA_API_ACCESS_ALLOWED) {
305 TRACE_DEBUG("CYNARA_API_ACCESS_ALLOWED");
307 TRACE_DEBUG("DP_ERROR_PERMISSION_DENIED");
308 result = DP_ERROR_PERMISSION_DENIED;
313 cynara_configuration_destroy(p_conf);
315 cynara_finish(p_cynara);