/*! \brief indicating the response from Security Server is malformed */
#define SECURITY_SERVER_API_ERROR_BAD_RESPONSE -3
-/*! \brief indicating the transmitting request has been failed */
-#define SECURITY_SERVER_API_ERROR_SEND_FAILED -4
-
-/*! \brief indicating the receiving response has been failed */
-#define SECURITY_SERVER_API_ERROR_RECV_FAILED -5
+/*! \brief indicating the requested service does not exist */
+#define SECURITY_SERVER_API_ERROR_NO_SUCH_SERVICE -4
/*! \brief indicating requesting object is not exist */
#define SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT -6
* \return positive integer on success meaning the PID, 0 means the cookie is for root process, negative integer error code on error.
*
* \par Prospective clients:
- * Only pre-defiend middleware daemons
+ * Only pre-defined middleware daemons
*
* \par Known issues/bugs:
* None
*
* \see security_server_set_pwd(), security_server_chk_pwd()
*
- * \remarks If password file is currupted or accitentally deleted, this API may not synchronized with security-server, but security-server will check file status on next request.
+ * \remarks If password file is corrupted or accidentally deleted, this API may not synchronized with security-server, but security-server will check file status on next request.
*
* \par Sample code:
* \code
* {
* printf("%s", "There is no password exists\n");
* }
- * else if(is_pwd_set == SECURITY_SERVER_SUCCESS && expire_sec > 0 && attempt < max_attempts)
+ * else if(is_pwd_set == SECURITY_SERVER_API_SUCCESS && expire_sec > 0 && attempt < max_attempts)
* {
* printf("%s", "Password is valid by now\n");
* }
* \param[in] max_challenge Maximum number of attempts that user can try to check the password without success in serial. 0 means infinity.
* \param[in] valid_period_in_days. Number of days that this password is valid. 0 means infinity
*
- * \return 0 on seccuess, negative integer error code on error.
+ * \return 0 on success, negative integer error code on error.
*
* \par Prospective clients:
* Platform's THE ONLY setting application and some dedicated privileged processes
*
* \see security_server_is_pwd_valid(), security_server_chk_pwd(), security_server_reset_pwd()
*
- * \remarks Only setting application can call this API. The password file will be acces controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file curruption.
+ * \remarks Only setting application can call this API. The password file will be access controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file corruption.
* \remarks If current password exists and it's expired, or max attempts reached, you cannot call this API. You have to call security_server_reset_pwd() API.
*
* \par Sample code:
* ...
* }
* }
- * else if(is_pwd_set == SECURITY_SERVER_SUCCESS && expire_sec > 0 && attempt < max_attempts)
+ * else if(is_pwd_set == SECURITY_SERVER_API_SUCCESS && expire_sec > 0 && attempt < max_attempts)
* {
* printf("%s", "Password is valid by now\n");
* ret = security_server_set_pwd("this_is_current_pwd", "this_is_new_pwd", 20, 365);
/**
* \par Description:
- * This API sets phone password only if current password is invalid or user forgot the password.
+ * This API sets phone password without performing any checks connected with provided password. It
+ * should be used only if current password is invalid or user forgot the password.
*
* \par Purpose:
* This API should be used by setting application or dedicated processes when the user changes his/her phone password.
*
* \par Typical use case:
- * User forgots the password. He calls emergency manager(auto or manual) for reset password. Emergency manager calls this API and reset phone password.
+ * User forgets the password. He calls emergency manager(auto or manual) for reset password. Emergency manager calls this API and reset phone password.
*
* \par Method of function operation:
- * Resetting phone password with input string without any matching current password.
+ * Resetting phone password with input string without any matching current password. Function does
+ * no checks before password replacement (expiration time check, currently set password checks,
+ * history check and attempt count check are skipped).
*
* \par Sync (or) Async:
* This is a Synchronous API.
* \param[in] max_challenge Maximum number of attempts that user can try to check the password without success in serial. 0 means infinity.
* \param[in] valid_period_in_days. Number of days that this password is valid. 0 means infinity
*
- * \return 0 on seccuess, negative integer error code on error.
+ * \return 0 on success, negative integer error code on error.
*
* \par Prospective clients:
* Platform's THE ONLY setting application and some dedicated privileged processes
*
* \see security_server_is_pwd_valid(), security_server_chk_pwd(), security_server_set_pwd()
*
- * \remarks Only dedicated applications can call this API. The password file will be acces controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file curruption.
+ * \remarks Only dedicated applications can call this API. The password file will be access controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file corruption.
*
* \par Sample code:
* \code
* \param[out] max_attempts Number of maximum attempts that the password locks. 0 means infinite
* \param[out] valid_secs Remaining time in second which represents this password will be expired. 0xFFFFFFFF means infinite
*
- * \return 0 on seccuess, negative integer error code on error.
+ * \return 0 on success, negative integer error code on error.
*
* \par Prospective clients:
* Applications which has phone UI lock feature.
*
* \param[in] history_size Number of history to be checked when user tries to change password. Maximum is currently 50
*
- * \return 0 on seccuess, negative integer error code on error.
+ * \return 0 on success, negative integer error code on error.
*
* \par Prospective clients:
* MDM client, Enterprise manager.
*
* \see security_server_set_pwd()
*
- * \remarks The password file will be acces controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file curruption.
+ * \remarks The password file will be access controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file curruption.
*
* \par Sample code:
* \code
* (subject) customer_label to caller process (object).
* Object label will be extracted from socket.
*
+ * \param[in] CUSTOMER_LABEL execute label of the process that should have access to caller.
+ * \param[in] CUSTOMER_PID all rules applied by this function should be removed from system
+ * when process with CUSTOMER_PID dies.
+ *
+ * \return SECURITY_SERVER_API_SUCCESS on success
+ * \return SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED
+ * \return SECURITY_SERVER_API_ERROR_ACCESS_DENIED
+ * \return SECURITY_SERVER_API_ERROR_BAD_REQUEST input params were rejected by security-server
+ * \return SECURITY_SERVER_API_ERROR_INPUT_PARAM input params were rejected by client library
+ * \return SECURITY_SERVER_API_ERROR_SOCKET connection to security server failed.
+ *
+ * Important: In current implementation CUSTOMER_PID is ignored! This mean that rules applied
+ * by this function won't be revoke until device reset!
+ *
* Access to this function requires SMACK rule: "<app_label> security-server::api-data-share w"
* */
int security_server_app_give_access(const char *customer_label, int customer_pid);
/*
- * This function allows middleware to check priviliges of process with specified PID or socket
+ * This function allows middleware to check privileges of process with specified PID or socket
* file descriptor.
- * Service is able to check proces acces to the specified object label with specified
+ * Service is able to check process access to the specified object label with specified
* access rights.
*
* \param[in] PID id of process or SOCKFD socket file descriptor to be checked
* \param[in] SMACK access rights to be checked
*
* \return Privilege confirm or error code
- * SECURITY_SERVER_SUCCESS - on succes
+ * \return SECURITY_SERVER_API_SUCCESS - on succes
*
* Access to this function requires SMACK rule: "<app_label> security-server::api-privilege-by-pid w"
*/
int security_server_check_privilege_by_sockfd(int sockfd,
const char *object,
const char *access_rights);
-/*
- * This function allows middleware to enable permissions for specified app_id.
- *
- * \param[in] Application ID
- * \param[in] Application type definet in enum at the beginning of this file
- * \param[in] Permissions list
- * \param[in] Persistent
- *
- * \return SECURITY_SERVER_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-app-permissions w"
- */
-int security_server_app_enable_permissions(const char *app_id, app_type_t app_type, const char **perm_list, int persistent);
-
-/*
- * This function allows middleware to disable permissions for specified app_id.
- *
- * \param[in] Application ID
- * \param[in] Application type definet in enum at the beginning of this file
- * \param[in] Permissions list
- *
- * \return SECURITY_SERVER_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-app-permissions w"
- */
-int security_server_app_disable_permissions(const char *app_id, app_type_t app_type, const char **perm_list);
-
-/*
- * This function allows middleware to get UID assigned to cookie
- *
- * \param[in] Cookie
- * \param[out] Handler to store UID
- *
- * \return SECURITY_SERVER_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-cookie-check w"
- */
-int security_server_get_uid_by_cookie(const char *cookie, uid_t *uid);
/*
* This function allows middleware to check if an app has the specified privilege
* \param[in] Privilege name
* \param[out] Handler to store the result. It is set to 1 (true) if privilege is enabled, 0 (false) otherwise
*
- * \return SECURITY_SERVER_SUCCESS on success or error code on fail
+ * \return SECURITY_SERVER_API_SUCCESS on success or error code on fail
*
* Access to this function requires SMACK rule: "<app_label> security-server::api-app-privilege-by-name w"
*/
const char *privilege_name,
int *result);
-/*
- * This function allows middleware to check if caller app has the specified privilege
- * enabled. Security Server gets caller app smack label from the IPC socket.
- *
- * \param[in] Application type
- * \param[in] Privilege name
- * \param[out] Handler to store the result. It is set to 1 (true) if privilege is enabled, 0 (false) otherwise
- *
- * \return SECURITY_SERVER_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-app-privilege-by-name w"
- */
-int security_server_app_caller_has_privilege(app_type_t app_type,
- const char *privilege_name,
- int *result);
-
-/*
- * This function allows middleware to get GID assigned to cookie
- *
- * \param[in] Cookie
- * \param[out] Handler to store GID
- *
- * \return SECURITY_SERVER_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-cookie-check w"
- */
-int security_server_get_gid_by_cookie(const char *cookie, gid_t *gid);
-
-/*
- * This function allows to create, if doesn't exist, or open existing file by
- * Security Server on behalf of calling process in secured directory.
- *
- * \param[in] File name to create/open
- * \param[out] File descriptor
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-open-for w"
- */
-int security_server_open_for(const char *filename, int *fd) __attribute__((deprecated));
-
-/*
- * This function allows to create, if doesn't exist, file by Security Server on
- * behalf of calling process in secured directory. File gets smack label of
- * designated client process, passed as 'client_label' argument, which is
- * allowed to read created file.
- *
- * \param[in] File name to create
- * \param[in] Label of designated client
- * \param[out] File descriptor
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or one of error codes on fail
- * \return SECURITY_SERVER_API_ERROR_ACCESS_DENIED
- * \return SECURITY_SERVER_API_ERROR_SOCKET
- * \retrun SECURITY_SERVER_API_ERROR_INPUT_PARAM
- * \return SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED
- * \return SECURITY_SERVER_API_ERROR_FILE_CREATION_FAILED
- * \return SECURITY_SERVER_API_ERROR_SETTING_FILE_LABEL_FAILED
- * \return SECURITY_SERVER_API_ERROR_FILE_EXIST
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-open-for w"
- */
-int security_server_shared_file_open(const char *filename, const char *client_label, int *fd);
-
-/*
- * This function allows to open existing file by Security Server on behalf of
- * calling process in secured directory. Security Server checks smack label
- * of calling process and if it's the same as file label access to file is
- * granted.
- *
- * \param[in] File name to open
- * \param[out] File descriptor
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or one of error codes on fail
- * \return SECURITY_SERVER_API_ERROR_ACCESS_DENIED
- * \return SECURITY_SERVER_API_ERROR_SOCKET
- * \return SECURITY_SERVER_API_ERROR_INPUT_PARAM
- * \return SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED
- * \return SECURITY_SERVER_API_ERROR_GETTING_FILE_LABEL_FAILED
- * \return SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED
- * \return SECURITY_SERVER_API_ERROR_FILE_NOT_EXIST
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-open-for w"
- */
-int security_server_shared_file_reopen(const char *filename, int *fd);
-
-/*
- * This function allows to delete existing file by Security Server on behalf of
- * calling process in secured directory. Security Server checks smack label
- * of calling process and if it's the same as file label data file is deleted.
- *
- * \param[in] File name to delete
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or one of error codes on fail
- * \return SECURITY_SERVER_API_ERROR_ACCESS_DENIED
- * \return SECURITY_SERVER_API_ERROR_SOCKET
- * \return SECURITY_SERVER_API_ERROR_INPUT_PARAM
- * \return SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED
- * \return SECURITY_SERVER_API_ERROR_GETTING_FILE_LABEL_FAILED
- * \return SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED
- * \return SECURITY_SERVER_API_ERROR_FILE_DELETION_FAILED
- * \return SECURITY_SERVER_API_ERROR_FILE_NOT_EXIST
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-open-for w"
- */
-int security_server_shared_file_delete(const char *filename);
-
#ifdef __cplusplus
}
#endif