[platform/core/uifw/libds-tizen.git] / src / libds-tizen / util / security.c

#include <stdio.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdbool.h>

#include <cynara-session.h>
#include <cynara-client.h>
#include <cynara-creds-socket.h>
#include <sys/smack.h>

#include <libds/log.h>
#include "util.h"

#define CYNARA_BUFSIZE 128

struct ds_cynara
{
    cynara *handle;
    int references;
};

static struct ds_cynara ds_cynara;

static bool ds_cynara_init(void);
static void ds_cynara_finish(void);
static bool ds_cynara_check_privilege(pid_t pid, uid_t uid,
        const char *privilege);

bool
tizen_security_check_privilege(pid_t pid, uid_t uid, const char *privilege)
{
    return ds_cynara_check_privilege(pid, uid, privilege);
}

bool
tizen_security_init(void)
{
    return ds_cynara_init();
}

void
tizen_security_finish(void)
{
    ds_cynara_finish();
}

static void
print_cynara_error(int err, const char *fmt, ...)
{
    int ret;
    va_list args;
    char buf[CYNARA_BUFSIZE] = "\0";
    char tmp[CYNARA_BUFSIZE + CYNARA_BUFSIZE] = "\0";

    if (fmt) {
        va_start(args, fmt);
        vsnprintf(tmp, CYNARA_BUFSIZE + CYNARA_BUFSIZE, fmt, args);
        va_end(args);
    }

    ret = cynara_strerror(err, buf, CYNARA_BUFSIZE);
    if (ret != CYNARA_API_SUCCESS) {
        ds_err("Failed to get cynara_strerror. error : %d (error log about %s: %d)\n", ret, tmp, err);
        return;
    }

    ds_err("%s is failed. (%s)\n", tmp, buf);
}

static bool
ds_cynara_init(void)
{
    int ret = CYNARA_API_SUCCESS;
    int retry_cnt = 0;

    if (++ds_cynara.references != 1)
        return true;

    for (retry_cnt = 0; retry_cnt < 5; retry_cnt++) {
        ds_dbg("Retry cynara initialize: %d\n", retry_cnt + 1);

        ret = cynara_initialize(&ds_cynara.handle, NULL);

        if (CYNARA_API_SUCCESS == ret) {
            ds_dbg("Succeed to initialize cynara !\n");
            return true;
        }

        print_cynara_error(ret, "cynara_initialize");
    }

    ds_err("Failed to initialize cynara! (error:%d, retry_cnt=%d)\n",
        ret, retry_cnt);

    --ds_cynara.references;

    return false;

}

static void
ds_cynara_finish(void)
{
    if (ds_cynara.references < 1) {
        ds_err("%s called without ds_cynara_init\n", __FUNCTION__);
        return;
    }

    if (--ds_cynara.references != 0)
        return;

    cynara_finish(ds_cynara.handle);
    ds_cynara.handle = NULL;
}

static bool
ds_cynara_check_privilege(pid_t pid, uid_t uid, const char *privilege)
{
    bool res = false;
    char *client_smack = NULL;
    char *client_session = NULL;
    char uid_str[16] = { 0, };
    int len = -1;
    int ret = -1;

    if (!ds_cynara.handle) {
        ds_err("ds_cynara has not been initialized.\n");
        return false;
    }

    ret = smack_new_label_from_process((int)pid, &client_smack);
    if (ret <= 0)
        goto finish;

    snprintf(uid_str, 15, "%d", (int)uid);

    client_session = cynara_session_from_pid(pid);
    if (!client_session)
        goto finish;

    ret = cynara_check(ds_cynara.handle, client_smack, client_session,
            uid_str, privilege);

    if (ret == CYNARA_API_ACCESS_ALLOWED)
        res = true;
    else
        print_cynara_error(ret, "privilege: %s, client_smack: %s, pid: %d",
                privilege, client_smack, pid);

finish:
    ds_dbg("Privilege Check For '%s' %s pid:%u uid:%u client_smack:%s(len:%d) "
            "client_session:%s ret:%d",
            privilege, res ? "SUCCESS" : "FAIL", pid, uid,
            client_smack ? client_smack : "N/A", len,
            client_session ? client_session: "N/A", ret);

    if (client_session)
        free(client_session);

    if (client_smack)
        free(client_smack);

    return res;
}