2 * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
4 * Contact: Rafal Krypa <r.krypa@samsung.com>
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License
20 * @author Rafal Krypa <r.krypa@samsung.com>
21 * @brief Wrapper class for Cynara interface
27 #include <dpl/log/log.h>
29 namespace SecurityManager {
32 * Rules for apps and users are organized into set of buckets stored in Cynara.
33 * Bucket is set of rules (app, uid, privilege) -> (DENY, ALLOW, BUCKET, ...).
34 * |------------------------|
37 * |------------------------|
39 * |------------------------|
40 * | app1 uid1 priv1 DENY |
41 * | * uid2 priv2 DENY |
42 * | * * * Bucket:MAIN|
43 * |------------------------|
45 * For details about buckets see Cynara documentation.
47 * Security Manager currently defines 8 buckets:
48 * - PRIVACY_MANAGER - first bucket during search (which is actually default bucket
49 * with empty string as id). If user specifies his preference then required rule
51 * - MAIN - holds rules denied by manufacturer, redirects to MANIFESTS
52 * bucket and holds entries for each user pointing to User Type
54 * - MANIFESTS - stores rules needed by installed apps (from package
59 * - USER_TYPE_GUEST - they store privileges from templates for apropriate
60 * user type. ALLOW rules only.
61 * - ADMIN - stores custom rules introduced by device administrator.
62 * Ignored if no matching rule found.
64 * Below is basic layout of buckets:
66 * |------------------------|
70 * | * * * Bucket:MAIN| |------------------|
71 * |------------------------| | <<deny>> |
73 * ----------------- | | |
74 * | | |------------------|
76 * |------------------------| |
79 * |---------------| | | |-------------------|
80 * | <<deny>> |<--| * * * Bucket:MANIFESTS|---->| <<deny>> |
81 * | USER_TYPE_SYST| |------------------------| | USER_TYPE_NORMAL |
83 * |---------------| | | |-------------------|
86 * | |---------------| |---------------| |
87 * | | <<deny>> | | <<deny>> | |
88 * | |USER_TYPE_GUEST| |USER_TYPE_ADMIN| |
90 * | |---------------| |---------------| |
95 * | |------------------| |
96 * |-------------> | <<none>> | <---------------|
99 * |------------------|
102 CynaraAdmin::BucketsMap CynaraAdmin::Buckets =
104 { Bucket::PRIVACY_MANAGER, std::string(CYNARA_ADMIN_DEFAULT_BUCKET)},
105 { Bucket::MAIN, std::string("MAIN")},
106 { Bucket::USER_TYPE_ADMIN, std::string("USER_TYPE_ADMIN")},
107 { Bucket::USER_TYPE_NORMAL, std::string("USER_TYPE_NORMAL")},
108 { Bucket::USER_TYPE_GUEST, std::string("USER_TYPE_GUEST") },
109 { Bucket::USER_TYPE_SYSTEM, std::string("USER_TYPE_SYSTEM")},
110 { Bucket::ADMIN, std::string("ADMIN")},
111 { Bucket::MANIFESTS, std::string("MANIFESTS")},
115 CynaraAdminPolicy::CynaraAdminPolicy(const std::string &client, const std::string &user,
116 const std::string &privilege, int operation,
117 const std::string &bucket)
119 this->client = strdup(client.c_str());
120 this->user = strdup(user.c_str());
121 this->privilege = strdup(privilege.c_str());
122 this->bucket = strdup(bucket.c_str());
124 if (this->bucket == nullptr || this->client == nullptr ||
125 this->user == nullptr || this->privilege == nullptr) {
129 free(this->privilege);
130 ThrowMsg(CynaraException::OutOfMemory,
131 std::string("Error in CynaraAdminPolicy allocation."));
134 this->result = operation;
135 this->result_extra = nullptr;
138 CynaraAdminPolicy::CynaraAdminPolicy(const std::string &client, const std::string &user,
139 const std::string &privilege, const std::string &goToBucket,
140 const std::string &bucket)
142 this->bucket = strdup(bucket.c_str());
143 this->client = strdup(client.c_str());
144 this->user = strdup(user.c_str());
145 this->privilege = strdup(privilege.c_str());
146 this->result_extra = strdup(goToBucket.c_str());
147 this->result = CYNARA_ADMIN_BUCKET;
149 if (this->bucket == nullptr || this->client == nullptr ||
150 this->user == nullptr || this->privilege == nullptr ||
151 this->result_extra == nullptr) {
155 free(this->privilege);
156 free(this->result_extra);
157 ThrowMsg(CynaraException::OutOfMemory,
158 std::string("Error in CynaraAdminPolicy allocation."));
162 CynaraAdminPolicy::CynaraAdminPolicy(CynaraAdminPolicy &&that)
164 bucket = that.bucket;
165 client = that.client;
167 privilege = that.privilege;
168 result_extra = that.result_extra;
169 result = that.result;
171 that.bucket = nullptr;
172 that.client = nullptr;
174 that.privilege = nullptr;
175 that.result_extra = nullptr;
178 CynaraAdminPolicy& CynaraAdminPolicy::operator=(CynaraAdminPolicy &&that)
181 bucket = that.bucket;
182 client = that.client;
184 privilege = that.privilege;
185 result_extra = that.result_extra;
186 result = that.result;
188 that.bucket = nullptr;
189 that.client = nullptr;
191 that.privilege = nullptr;
192 that.result_extra = nullptr;
198 CynaraAdminPolicy::~CynaraAdminPolicy()
203 free(this->privilege);
204 free(this->result_extra);
207 static bool checkCynaraError(int result, const std::string &msg)
210 case CYNARA_API_SUCCESS:
211 case CYNARA_API_ACCESS_ALLOWED:
213 case CYNARA_API_ACCESS_DENIED:
215 case CYNARA_API_OUT_OF_MEMORY:
216 ThrowMsg(CynaraException::OutOfMemory, msg);
217 case CYNARA_API_INVALID_PARAM:
218 ThrowMsg(CynaraException::InvalidParam, msg);
219 case CYNARA_API_SERVICE_NOT_AVAILABLE:
220 ThrowMsg(CynaraException::ServiceNotAvailable, msg);
221 case CYNARA_API_BUCKET_NOT_FOUND:
222 ThrowMsg(CynaraException::BucketNotFound, msg);
224 ThrowMsg(CynaraException::UnknownError, msg);
228 CynaraAdmin::TypeToDescriptionMap CynaraAdmin::TypeToDescription;
229 CynaraAdmin::DescriptionToTypeMap CynaraAdmin::DescriptionToType;
231 CynaraAdmin::CynaraAdmin()
232 : m_policyDescriptionsInitialized(false)
235 cynara_admin_initialize(&m_CynaraAdmin),
236 "Cannot connect to Cynara administrative interface.");
239 CynaraAdmin::~CynaraAdmin()
241 cynara_admin_finish(m_CynaraAdmin);
244 CynaraAdmin &CynaraAdmin::getInstance()
246 static CynaraAdmin cynaraAdmin;
250 void CynaraAdmin::SetPolicies(const std::vector<CynaraAdminPolicy> &policies)
252 if (policies.empty()) {
253 LogDebug("no policies to set in Cynara.");
257 std::vector<const struct cynara_admin_policy *> pp_policies(policies.size() + 1);
259 LogDebug("Sending " << policies.size() << " policies to Cynara");
260 for (std::size_t i = 0; i < policies.size(); ++i) {
261 pp_policies[i] = static_cast<const struct cynara_admin_policy *>(&policies[i]);
262 LogDebug("policies[" << i << "] = {" <<
263 ".bucket = " << pp_policies[i]->bucket << ", " <<
264 ".client = " << pp_policies[i]->client << ", " <<
265 ".user = " << pp_policies[i]->user << ", " <<
266 ".privilege = " << pp_policies[i]->privilege << ", " <<
267 ".result = " << pp_policies[i]->result << ", " <<
268 ".result_extra = " << pp_policies[i]->result_extra << "}");
271 pp_policies[policies.size()] = nullptr;
274 cynara_admin_set_policies(m_CynaraAdmin, pp_policies.data()),
275 "Error while updating Cynara policy.");
278 void CynaraAdmin::UpdateAppPolicy(
279 const std::string &label,
280 const std::string &user,
281 const std::vector<std::string> &oldPrivileges,
282 const std::vector<std::string> &newPrivileges)
284 std::vector<CynaraAdminPolicy> policies;
286 // Perform sort-merge join on oldPrivileges and newPrivileges.
287 // Assume that they are already sorted and without duplicates.
288 auto oldIter = oldPrivileges.begin();
289 auto newIter = newPrivileges.begin();
291 while (oldIter != oldPrivileges.end() && newIter != newPrivileges.end()) {
292 int compare = oldIter->compare(*newIter);
294 LogDebug("(user = " << user << " label = " << label << ") " <<
295 "keeping privilege " << *newIter);
299 } else if (compare < 0) {
300 LogDebug("(user = " << user << " label = " << label << ") " <<
301 "removing privilege " << *oldIter);
302 policies.push_back(CynaraAdminPolicy(label, user, *oldIter,
303 static_cast<int>(CynaraAdminPolicy::Operation::Delete),
304 Buckets.at(Bucket::MANIFESTS)));
307 LogDebug("(user = " << user << " label = " << label << ") " <<
308 "adding privilege " << *newIter);
309 policies.push_back(CynaraAdminPolicy(label, user, *newIter,
310 static_cast<int>(CynaraAdminPolicy::Operation::Allow),
311 Buckets.at(Bucket::MANIFESTS)));
316 for (; oldIter != oldPrivileges.end(); ++oldIter) {
317 LogDebug("(user = " << user << " label = " << label << ") " <<
318 "removing privilege " << *oldIter);
319 policies.push_back(CynaraAdminPolicy(label, user, *oldIter,
320 static_cast<int>(CynaraAdminPolicy::Operation::Delete),
321 Buckets.at(Bucket::MANIFESTS)));
324 for (; newIter != newPrivileges.end(); ++newIter) {
325 LogDebug("(user = " << user << " label = " << label << ") " <<
326 "adding privilege " << *newIter);
327 policies.push_back(CynaraAdminPolicy(label, user, *newIter,
328 static_cast<int>(CynaraAdminPolicy::Operation::Allow),
329 Buckets.at(Bucket::MANIFESTS)));
332 SetPolicies(policies);
335 void CynaraAdmin::UserInit(uid_t uid, security_manager_user_type userType)
338 std::vector<CynaraAdminPolicy> policies;
341 case SM_USER_TYPE_SYSTEM:
342 bucket = Bucket::USER_TYPE_SYSTEM;
344 case SM_USER_TYPE_ADMIN:
345 bucket = Bucket::USER_TYPE_ADMIN;
347 case SM_USER_TYPE_GUEST:
348 bucket = Bucket::USER_TYPE_GUEST;
350 case SM_USER_TYPE_NORMAL:
351 bucket = Bucket::USER_TYPE_NORMAL;
353 case SM_USER_TYPE_ANY:
354 case SM_USER_TYPE_NONE:
355 case SM_USER_TYPE_END:
357 ThrowMsg(CynaraException::InvalidParam, "User type incorrect");
360 policies.push_back(CynaraAdminPolicy(CYNARA_ADMIN_WILDCARD,
361 std::to_string(static_cast<unsigned int>(uid)),
362 CYNARA_ADMIN_WILDCARD,
364 Buckets.at(Bucket::MAIN)));
366 CynaraAdmin::getInstance().SetPolicies(policies);
369 void CynaraAdmin::ListUsers(std::vector<uid_t> &listOfUsers)
371 std::vector<CynaraAdminPolicy> tmpListOfUsers;
372 CynaraAdmin::getInstance().ListPolicies(
373 CynaraAdmin::Buckets.at(Bucket::MAIN),
374 CYNARA_ADMIN_WILDCARD,
376 CYNARA_ADMIN_WILDCARD,
379 for (const auto &tmpUser : tmpListOfUsers) {
380 std::string user = tmpUser.user;
381 if (!user.compare(CYNARA_ADMIN_WILDCARD))
384 listOfUsers.push_back(std::stoul(user));
385 } catch (std::invalid_argument &e) {
386 LogError("Invalid UID: " << e.what());
390 LogDebug("Found users: " << listOfUsers.size());
393 void CynaraAdmin::UserRemove(uid_t uid)
395 std::vector<CynaraAdminPolicy> policies;
396 std::string user = std::to_string(static_cast<unsigned int>(uid));
398 EmptyBucket(Buckets.at(Bucket::PRIVACY_MANAGER),true,
399 CYNARA_ADMIN_ANY, user, CYNARA_ADMIN_ANY);
402 void CynaraAdmin::ListPolicies(
403 const std::string &bucketName,
404 const std::string &appId,
405 const std::string &user,
406 const std::string &privilege,
407 std::vector<CynaraAdminPolicy> &policies)
409 struct cynara_admin_policy ** pp_policies = nullptr;
412 cynara_admin_list_policies(m_CynaraAdmin, bucketName.c_str(), appId.c_str(),
413 user.c_str(), privilege.c_str(), &pp_policies),
414 "Error while getting list of policies for bucket: " + bucketName);
416 for (std::size_t i = 0; pp_policies[i] != nullptr; i++) {
417 policies.push_back(std::move(*static_cast<CynaraAdminPolicy*>(pp_policies[i])));
419 free(pp_policies[i]);
426 void CynaraAdmin::EmptyBucket(const std::string &bucketName, bool recursive, const std::string &client,
427 const std::string &user, const std::string &privilege)
430 cynara_admin_erase(m_CynaraAdmin, bucketName.c_str(), static_cast<int>(recursive),
431 client.c_str(), user.c_str(), privilege.c_str()),
432 "Error while emptying bucket: " + bucketName + ", filter (C, U, P): " +
433 client + ", " + user + ", " + privilege);
436 void CynaraAdmin::FetchCynaraPolicyDescriptions(bool forceRefresh)
438 struct cynara_admin_policy_descr **descriptions = nullptr;
440 if (!forceRefresh && m_policyDescriptionsInitialized)
445 cynara_admin_list_policies_descriptions(m_CynaraAdmin, &descriptions),
446 "Error while getting list of policies descriptions from Cynara.");
448 if (descriptions[0] == nullptr) {
449 LogError("Fetching policies levels descriptions from Cynara returned empty list. "
450 "There should be at least 2 entries - Allow and Deny");
455 m_policyDescriptionsInitialized = false;
456 DescriptionToType.clear();
457 TypeToDescription.clear();
460 for (int i = 0; descriptions[i] != nullptr; i++) {
461 std::string descriptionName(descriptions[i]->name);
463 DescriptionToType[descriptionName] = descriptions[i]->result;
464 TypeToDescription[descriptions[i]->result] = std::move(descriptionName);
466 free(descriptions[i]->name);
467 free(descriptions[i]);
472 m_policyDescriptionsInitialized = true;
475 void CynaraAdmin::ListPoliciesDescriptions(std::vector<std::string> &policiesDescriptions)
477 FetchCynaraPolicyDescriptions(false);
479 for (const auto &it : TypeToDescription)
480 policiesDescriptions.push_back(it.second);
483 std::string CynaraAdmin::convertToPolicyDescription(const int policyType, bool forceRefresh)
485 FetchCynaraPolicyDescriptions(forceRefresh);
487 return TypeToDescription.at(policyType);
490 int CynaraAdmin::convertToPolicyType(const std::string &policy, bool forceRefresh)
492 FetchCynaraPolicyDescriptions(forceRefresh);
494 return DescriptionToType.at(policy);
496 void CynaraAdmin::Check(const std::string &label, const std::string &user, const std::string &privilege,
497 const std::string &bucket, int &result, std::string &resultExtra, const bool recursive)
499 char *resultExtraCstr = nullptr;
502 cynara_admin_check(m_CynaraAdmin, bucket.c_str(), recursive, label.c_str(),
503 user.c_str(), privilege.c_str(), &result, &resultExtraCstr),
504 "Error while asking cynara admin API for permission for app label: " + label + ", user: "
505 + user + " privilege: " + privilege + " bucket: " + bucket);
507 if (resultExtraCstr == nullptr)
510 resultExtra = std::string(resultExtraCstr);
511 free(resultExtraCstr);
515 int CynaraAdmin::GetPrivilegeManagerCurrLevel(const std::string &label, const std::string &user,
516 const std::string &privilege)
519 std::string resultExtra;
521 Check(label, user, privilege, Buckets.at(Bucket::PRIVACY_MANAGER), result, resultExtra, true);
526 int CynaraAdmin::GetPrivilegeManagerMaxLevel(const std::string &label, const std::string &user,
527 const std::string &privilege)
530 std::string resultExtra;
532 Check(label, user, privilege, Buckets.at(Bucket::MAIN), result, resultExtra, true);
540 cynara_initialize(&m_Cynara, nullptr),
541 "Cannot connect to Cynara policy interface.");
546 cynara_finish(m_Cynara);
549 Cynara &Cynara::getInstance()
551 static Cynara cynara;
555 bool Cynara::check(const std::string &label, const std::string &privilege,
556 const std::string &user, const std::string &session)
558 return checkCynaraError(
559 cynara_check(m_Cynara,
560 label.c_str(), session.c_str(), user.c_str(), privilege.c_str()),
561 "Cannot check permission with Cynara.");
564 } // namespace SecurityManager