2 * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
4 * Contact: Rafal Krypa <r.krypa@samsung.com>
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License
20 * @author Rafal Krypa <r.krypa@samsung.com>
21 * @brief Wrapper class for Cynara interface
24 #ifndef _SECURITY_MANAGER_CYNARA_
25 #define _SECURITY_MANAGER_CYNARA_
27 #include <cynara-client.h>
28 #include <cynara-admin.h>
29 #include <dpl/exception.h>
33 namespace SecurityManager {
38 DECLARE_EXCEPTION_TYPE(SecurityManager::Exception, Base)
39 DECLARE_EXCEPTION_TYPE(Base, OutOfMemory)
40 DECLARE_EXCEPTION_TYPE(Base, InvalidParam)
41 DECLARE_EXCEPTION_TYPE(Base, ServiceNotAvailable)
42 DECLARE_EXCEPTION_TYPE(Base, UnknownError)
45 struct CynaraAdminPolicy : cynara_admin_policy
47 enum class Operation {
48 Deny = CYNARA_ADMIN_DENY,
49 Allow = CYNARA_ADMIN_ALLOW,
50 Delete = CYNARA_ADMIN_DELETE,
51 Bucket = CYNARA_ADMIN_BUCKET,
54 CynaraAdminPolicy(const std::string &client, const std::string &user,
55 const std::string &privilege, Operation operation,
56 const std::string &bucket = std::string(CYNARA_ADMIN_DEFAULT_BUCKET));
58 CynaraAdminPolicy(const std::string &client, const std::string &user,
59 const std::string &privilege, const std::string &goToBucket,
60 const std::string &bucket = std::string(CYNARA_ADMIN_DEFAULT_BUCKET));
62 /* Don't provide copy constructor, it would cause pointer trouble. */
63 CynaraAdminPolicy(const CynaraAdminPolicy &that) = delete;
65 /* Move constructor is the way to go. */
66 CynaraAdminPolicy(CynaraAdminPolicy &&that);
74 virtual ~CynaraAdmin();
76 static CynaraAdmin &getInstance();
79 * Update Cynara policies.
80 * Caller must have permission to access Cynara administrative socket.
82 * @param policies vector of CynaraAdminPolicy objects to send to Cynara
84 void SetPolicies(const std::vector<CynaraAdminPolicy> &policies);
87 * Update Cynara policies for the package and the user, using two vectors
88 * of privileges: privileges set before (and already enabled in Cynara)
89 * and new privileges, to be set in Cynara.
90 * Difference will be calculated, removing old unneeded privileges and
91 * adding new, previously not enabled privileges.
92 * Caller must have permission to access Cynara administrative socket.
94 * @param label application Smack label
95 * @param user user identifier
96 * @param oldPrivileges previously enabled privileges for the package.
97 * Must be sorted and without duplicates.
98 * @param newPrivileges currently enabled privileges for the package.
99 * Must be sorted and without duplicates.
101 * TODO: drop oldPrivileges argument and get them directly from Cynara.
102 * Appropriate Cynara interface is needed first.
104 static void UpdatePackagePolicy(const std::string &label, const std::string &user,
105 const std::vector<std::string> &oldPrivileges,
106 const std::vector<std::string> &newPrivileges);
110 struct cynara_admin *m_CynaraAdmin;
118 static Cynara &getInstance();
121 * Ask Cynara for permission.
123 * @param label application Smack label
124 * @param privilege privilege identifier
125 * @param user user identifier (uid)
126 * @param session session identifier
127 * @return true if access is permitted, false if denied
129 bool check(const std::string &label, const std::string &privilege,
130 const std::string &user, const std::string &session);
134 struct cynara *m_Cynara;
138 } // namespace SecurityManager
140 #endif // _SECURITY_MANAGER_CYNARA_