* @brief Implementation of security-manager service.
*/
-#include <dpl/log/log.h>
-#include <dpl/serialization.h>
-
-#include <unordered_set>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <pwd.h>
+#include <grp.h>
#include <limits.h>
+#include <pwd.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+
#include <cstring>
+#include <unordered_set>
-#include "service.h"
+#include <dpl/log/log.h>
+#include <dpl/serialization.h>
+#include <tzplatform_config.h>
+
+#include "privilege_db.h"
#include "protocols.h"
#include "security-manager.h"
+#include "service.h"
#include "smack-common.h"
#include "smack-rules.h"
#include "smack-labels.h"
-#include "privilege_db.h"
namespace SecurityManager {
const InterfaceID IFACE = 1;
+
+static uid_t getGlobalUserId(void) {
+ static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
+ return globaluid;
+}
+
+/**
+ * Unifies user data of apps installed for all users
+ * @param uid peer's uid - may be changed during process
+ * @param cynaraUserStr string to which cynara user parameter will be put
+ */
+static void checkGlobalUser(uid_t &uid, std::string &cynaraUserStr)
+{
+ static uid_t globaluid = getGlobalUserId();
+ if (uid == 0 || uid == globaluid) {
+ uid = globaluid;
+ cynaraUserStr = CYNARA_ADMIN_WILDCARD;
+ } else {
+ cynaraUserStr = std::to_string(static_cast<unsigned int>(uid));
+ }
+}
+
Service::Service()
{
}
static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid)
{
- if (uid == 0)
- return true;
-
struct passwd *pwd;
do {
errno = 0;
Deserialization::Deserialize(buffer, req.pkgId);
Deserialization::Deserialize(buffer, req.privileges);
Deserialization::Deserialize(buffer, req.appPaths);
+ std::string uidstr;
+ checkGlobalUser(uid, uidstr);
if(!installRequestAuthCheck(req, uid)) {
LogError("Request from uid " << uid << " for app installation denied");
try {
std::vector<std::string> oldPkgPrivileges, newPkgPrivileges;
- std::string uidstr = uid ? std::to_string(static_cast<unsigned int>(uid))
- : CYNARA_ADMIN_WILDCARD;
LogDebug("Install parameters: appId: " << req.appId << ", pkgId: " << req.pkgId
<< ", uidstr " << uidstr << ", generated smack label: " << smackLabel);
bool removePkg = false;
Deserialization::Deserialize(buffer, appId);
+ std::string uidstr;
+ checkGlobalUser(uid, uidstr);
try {
std::vector<std::string> oldPkgPrivileges, newPkgPrivileges;
m_privilegeDb.RollbackTransaction();
appExists = false;
} else {
+
+ LogDebug("Uninstall parameters: appId: " << appId << ", pkgId: " << pkgId
+ << ", uidstr " << uidstr << ", generated smack label: " << smackLabel);
+
if (!generateAppLabel(pkgId, smackLabel)) {
LogError("Cannot generate Smack label for package: " << pkgId);
goto error_label;
}
- std::string uidstr = uid ? std::to_string(static_cast<unsigned int>(uid))
- : CYNARA_ADMIN_WILDCARD;
-
- LogDebug("Uninstall parameters: appId: " << appId << ", pkgId: " << pkgId
- << ", uidstr " << uidstr << ", generated smack label: " << smackLabel);
-
m_privilegeDb.GetPkgPrivileges(pkgId, uid, oldPkgPrivileges);
m_privilegeDb.UpdateAppPrivileges(appId, uid, std::vector<std::string>());
m_privilegeDb.RemoveApplication(appId, uid, removePkg);
std::vector<std::string> privileges;
m_privilegeDb.GetPkgPrivileges(pkgId, uid, privileges);
for (const auto &privilege : privileges) {
- std::vector<gid_t> gidsTmp;
- m_privilegeDb.GetPrivilegeGids(privilege, gidsTmp);
+ std::vector<std::string> gidsTmp;
+ m_privilegeDb.GetPrivilegeGroups(privilege, gidsTmp);
if (!gidsTmp.empty()) {
LogDebug("Considering privilege " << privilege << " with " <<
gidsTmp.size() << " groups assigned");
if (m_cynara.check(smackLabel, privilege, uidStr, pidStr)) {
- gids.insert(gidsTmp.begin(), gidsTmp.end());
+ for_each(gidsTmp.begin(), gidsTmp.end(), [&] (std::string group)
+ {
+ struct group *grp = getgrnam(group.c_str());
+ if (grp == NULL) {
+ LogError("No such group: " << group.c_str());
+ return;
+ }
+ gids.insert(grp->gr_gid);
+ });
LogDebug("Cynara allowed, adding groups");
} else
LogDebug("Cynara denied, not adding groups");