/*! \brief indicating the response from Security Server is malformed */
#define SECURITY_SERVER_API_ERROR_BAD_RESPONSE -3
-/*! \brief indicating the transmitting request has been failed */
-#define SECURITY_SERVER_API_ERROR_SEND_FAILED -4
-
-/*! \brief indicating the receiving response has been failed */
-#define SECURITY_SERVER_API_ERROR_RECV_FAILED -5
+/*! \brief indicating the requested service does not exist */
+#define SECURITY_SERVER_API_ERROR_NO_SUCH_SERVICE -4
/*! \brief indicating requesting object is not exist */
#define SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT -6
/*! \brief indicating getting smack label from socket failed */
#define SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED -21
+/*! \brief indicating getting smack label from file failed */
+#define SECURITY_SERVER_API_ERROR_GETTING_FILE_LABEL_FAILED -22
+
+/*! \brief indicating setting smack label for file failed */
+#define SECURITY_SERVER_API_ERROR_SETTING_FILE_LABEL_FAILED -23
+
+/*! \brief indicating file already exists */
+#define SECURITY_SERVER_API_ERROR_FILE_EXIST -24
+
+/*! \brief indicating file does not exist */
+#define SECURITY_SERVER_API_ERROR_FILE_NOT_EXIST -25
+
+/*! \brief indicating file open error */
+#define SECURITY_SERVER_API_ERROR_FILE_OPEN_FAILED -26
+
+/*! \brief indicating file creation error */
+#define SECURITY_SERVER_API_ERROR_FILE_CREATION_FAILED -27
+
+/*! \brief indicating file deletion error */
+#define SECURITY_SERVER_API_ERROR_FILE_DELETION_FAILED -28
+
/*! \brief indicating the error with unknown reason */
#define SECURITY_SERVER_API_ERROR_UNKNOWN -255
/** @}*/
const char *object,
const char *access_rights);
-int security_server_check_privilege_by_sockfd(int sockfd,
- const char *object,
- const char *access_rights);
-
/**
* \par Description:
* This API searchs a cookie value and returns PID of the given cookie.
* \return positive integer on success meaning the PID, 0 means the cookie is for root process, negative integer error code on error.
*
* \par Prospective clients:
- * Only pre-defiend middleware daemons
+ * Only pre-defined middleware daemons
*
* \par Known issues/bugs:
* None
*
* \see security_server_set_pwd(), security_server_chk_pwd()
*
- * \remarks If password file is currupted or accitentally deleted, this API may not synchronized with security-server, but security-server will check file status on next request.
+ * \remarks If password file is corrupted or accidentally deleted, this API may not synchronized with security-server, but security-server will check file status on next request.
*
* \par Sample code:
* \code
* {
* printf("%s", "There is no password exists\n");
* }
- * else if(is_pwd_set == SECURITY_SERVER_SUCCESS && expire_sec > 0 && attempt < max_attempts)
+ * else if(is_pwd_set == SECURITY_SERVER_API_SUCCESS && expire_sec > 0 && attempt < max_attempts)
* {
* printf("%s", "Password is valid by now\n");
* }
* \param[in] max_challenge Maximum number of attempts that user can try to check the password without success in serial. 0 means infinity.
* \param[in] valid_period_in_days. Number of days that this password is valid. 0 means infinity
*
- * \return 0 on seccuess, negative integer error code on error.
+ * \return 0 on success, negative integer error code on error.
*
* \par Prospective clients:
* Platform's THE ONLY setting application and some dedicated privileged processes
*
* \see security_server_is_pwd_valid(), security_server_chk_pwd(), security_server_reset_pwd()
*
- * \remarks Only setting application can call this API. The password file will be acces controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file curruption.
+ * \remarks Only setting application can call this API. The password file will be access controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file corruption.
* \remarks If current password exists and it's expired, or max attempts reached, you cannot call this API. You have to call security_server_reset_pwd() API.
*
* \par Sample code:
* ...
* }
* }
- * else if(is_pwd_set == SECURITY_SERVER_SUCCESS && expire_sec > 0 && attempt < max_attempts)
+ * else if(is_pwd_set == SECURITY_SERVER_API_SUCCESS && expire_sec > 0 && attempt < max_attempts)
* {
* printf("%s", "Password is valid by now\n");
* ret = security_server_set_pwd("this_is_current_pwd", "this_is_new_pwd", 20, 365);
/**
* \par Description:
- * This API sets phone password only if current password is invalid or user forgot the password.
+ * This API sets phone password without performing any checks connected with provided password. It
+ * should be used only if current password is invalid or user forgot the password.
*
* \par Purpose:
* This API should be used by setting application or dedicated processes when the user changes his/her phone password.
*
* \par Typical use case:
- * User forgots the password. He calls emergency manager(auto or manual) for reset password. Emergency manager calls this API and reset phone password.
+ * User forgets the password. He calls emergency manager(auto or manual) for reset password. Emergency manager calls this API and reset phone password.
*
* \par Method of function operation:
- * Resetting phone password with input string without any matching current password.
+ * Resetting phone password with input string without any matching current password. Function does
+ * no checks before password replacement (expiration time check, currently set password checks,
+ * history check and attempt count check are skipped).
*
* \par Sync (or) Async:
* This is a Synchronous API.
* \param[in] max_challenge Maximum number of attempts that user can try to check the password without success in serial. 0 means infinity.
* \param[in] valid_period_in_days. Number of days that this password is valid. 0 means infinity
*
- * \return 0 on seccuess, negative integer error code on error.
+ * \return 0 on success, negative integer error code on error.
*
* \par Prospective clients:
* Platform's THE ONLY setting application and some dedicated privileged processes
*
* \see security_server_is_pwd_valid(), security_server_chk_pwd(), security_server_set_pwd()
*
- * \remarks Only dedicated applications can call this API. The password file will be acces controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file curruption.
+ * \remarks Only dedicated applications can call this API. The password file will be access controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file corruption.
*
* \par Sample code:
* \code
* #include <security-server.h>
* ...
* int ret;
- * unsigned int attempt, max_attempt, expire_sec;
*
- * ret = security_server_set_pwd("this_is_new_pwd", 20, 365);
+ * ret = security_server_reset_pwd("this_is_new_pwd", 20, 365);
* if(retval != SECURITY_SERVER_API_SUCCESS)
* {
* printf("%s", "we have error\n");
*
* \endcode
*
- * Access to this function requires SMACK rule: "<app_label> security-server::api-password-set w"
+ * Access to this function requires SMACK rule: "<app_label> security-server::api-password-reset w"
*/
int security_server_reset_pwd(const char *new_pwd,
const unsigned int max_challenge,
* \param[out] max_attempts Number of maximum attempts that the password locks. 0 means infinite
* \param[out] valid_secs Remaining time in second which represents this password will be expired. 0xFFFFFFFF means infinite
*
- * \return 0 on seccuess, negative integer error code on error.
+ * \return 0 on success, negative integer error code on error.
*
* \par Prospective clients:
* Applications which has phone UI lock feature.
*
* \param[in] history_size Number of history to be checked when user tries to change password. Maximum is currently 50
*
- * \return 0 on seccuess, negative integer error code on error.
+ * \return 0 on success, negative integer error code on error.
*
* \par Prospective clients:
* MDM client, Enterprise manager.
*
* \see security_server_set_pwd()
*
- * \remarks The password file will be acces controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file curruption.
+ * \remarks The password file will be access controlled and securely hashed. Security-server will remain previous password file to recover unexpected password file curruption.
*
* \par Sample code:
* \code
* (subject) customer_label to caller process (object).
* Object label will be extracted from socket.
*
+ * \param[in] CUSTOMER_LABEL execute label of the process that should have access to caller.
+ * \param[in] CUSTOMER_PID all rules applied by this function should be removed from system
+ * when process with CUSTOMER_PID dies.
+ *
+ * \return SECURITY_SERVER_API_SUCCESS on success
+ * \return SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED
+ * \return SECURITY_SERVER_API_ERROR_ACCESS_DENIED
+ * \return SECURITY_SERVER_API_ERROR_BAD_REQUEST input params were rejected by security-server
+ * \return SECURITY_SERVER_API_ERROR_INPUT_PARAM input params were rejected by client library
+ * \return SECURITY_SERVER_API_ERROR_SOCKET connection to security server failed.
+ *
+ * Important: In current implementation CUSTOMER_PID is ignored! This mean that rules applied
+ * by this function won't be revoke until device reset!
+ *
* Access to this function requires SMACK rule: "<app_label> security-server::api-data-share w"
* */
int security_server_app_give_access(const char *customer_label, int customer_pid);
/*
- * This function allows middleware to check priviliges of process with specified PID.
- * Service is able to check proces acces to the specified object label with specified
+ * This function allows middleware to check privileges of process with specified PID or socket
+ * file descriptor.
+ * Service is able to check process access to the specified object label with specified
* access rights.
*
- * \param[in] PID number of process to be checked
+ * \param[in] PID id of process or SOCKFD socket file descriptor to be checked
* \param[in] SMACK object label
* \param[in] SMACK access rights to be checked
*
* \return Privilege confirm or error code
- * SECURITY_SERVER_SUCCESS - on succes
+ * \return SECURITY_SERVER_API_SUCCESS - on succes
*
* Access to this function requires SMACK rule: "<app_label> security-server::api-privilege-by-pid w"
*/
int security_server_check_privilege_by_pid(int pid, const char *object, const char *access_rights);
-/*
- * This function allows middleware to enable permissions for specified app_id.
- *
- * \param[in] Application ID
- * \param[in] Application type definet in enum at the beginning of this file
- * \param[in] Permissions list
- * \param[in] Persistent
- *
- * \return SECURITY_SERVER_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-app-permissions w"
- */
-int security_server_app_enable_permissions(const char *app_id, app_type_t app_type, const char **perm_list, int persistent);
-
-/*
- * This function allows middleware to disable permissions for specified app_id.
- *
- * \param[in] Application ID
- * \param[in] Application type definet in enum at the beginning of this file
- * \param[in] Permissions list
- *
- * \return SECURITY_SERVER_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-app-permissions w"
- */
-int security_server_app_disable_permissions(const char *app_id, app_type_t app_type, const char **perm_list);
-
-/*
- * This function allows middleware to get UID assigned to cookie
- *
- * \param[in] Cookie
- * \param[out] Handler to store UID
- *
- * \return SECURITY_SERVER_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-cookie-check w"
- */
-int security_server_get_uid_by_cookie(const char *cookie, uid_t *uid);
+int security_server_check_privilege_by_sockfd(int sockfd,
+ const char *object,
+ const char *access_rights);
/*
* This function allows middleware to check if an app has the specified privilege
* \param[in] Privilege name
* \param[out] Handler to store the result. It is set to 1 (true) if privilege is enabled, 0 (false) otherwise
*
- * \return SECURITY_SERVER_SUCCESS on success or error code on fail
+ * \return SECURITY_SERVER_API_SUCCESS on success or error code on fail
*
* Access to this function requires SMACK rule: "<app_label> security-server::api-app-privilege-by-name w"
*/
const char *privilege_name,
int *result);
-/*
- * This function allows middleware to check if caller app has the specified privilege
- * enabled. Security Server gets caller app smack label from the IPC socket.
- *
- * \param[in] Application type
- * \param[in] Privilege name
- * \param[out] Handler to store the result. It is set to 1 (true) if privilege is enabled, 0 (false) otherwise
- *
- * \return SECURITY_SERVER_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-app-privilege-by-name w"
- */
-int security_server_app_caller_has_privilege(app_type_t app_type,
- const char *privilege_name,
- int *result);
-
-/*
- * This function allows middleware to get GID assigned to cookie
- *
- * \param[in] Cookie
- * \param[out] Handler to store GID
- *
- * \return SECURITY_SERVER_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-cookie-check w"
- */
-int security_server_get_gid_by_cookie(const char *cookie, gid_t *gid);
-
-/*
- * This function allows to create, if doesn't exist, or open existing file by
- * Security Server on behalf of calling process in secured directory.
- *
- * \param[in] File name to create/open
- * \param[out] File descriptor
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-open-for w"
- */
-int security_server_open_for(const char *filename, int *fd);
-
-
#ifdef __cplusplus
}
#endif
projects / platform / core / security / security-server.git / blobdiff