[Cause] security_server_app_has_privilege function
uses perm_app_has_permission.
https://review.tizen.org/gerrit/#/c/20519/
redefined application identifier to smack label.
[Solution] change from app_id to app_label
[Verification] compile and install security-server
Change-Id: If7f3d1b72b26117b2680ce34dd6bd980a4859949
Signed-off-by: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
ln -s ../security-server-data-share.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-data-share.socket
ln -s ../security-server-get-gid.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-get-gid.socket
ln -s ../security-server-privilege-by-pid.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-privilege-by-pid.socket
ln -s ../security-server-data-share.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-data-share.socket
ln -s ../security-server-get-gid.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-get-gid.socket
ln -s ../security-server-privilege-by-pid.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-privilege-by-pid.socket
-ln -s ../security-server-app-permissions.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-app-permissions.socket
ln -s ../security-server-cookie-get.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-cookie-get.socket
ln -s ../security-server-cookie-check.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-cookie-check.socket
ln -s ../security-server-app-privilege-by-name.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-app-privilege-by-name.socket
ln -s ../security-server-cookie-get.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-cookie-get.socket
ln -s ../security-server-cookie-check.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-cookie-check.socket
ln -s ../security-server-app-privilege-by-name.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-app-privilege-by-name.socket
%attr(-,root,root) /usr/lib/systemd/system/security-server-get-gid.socket
%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-privilege-by-pid.socket
%attr(-,root,root) /usr/lib/systemd/system/security-server-privilege-by-pid.socket
%attr(-,root,root) /usr/lib/systemd/system/security-server-get-gid.socket
%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-privilege-by-pid.socket
%attr(-,root,root) /usr/lib/systemd/system/security-server-privilege-by-pid.socket
-%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-app-permissions.socket
-%attr(-,root,root) /usr/lib/systemd/system/security-server-app-permissions.socket
%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-cookie-get.socket
%attr(-,root,root) /usr/lib/systemd/system/security-server-cookie-get.socket
%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-cookie-check.socket
%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-cookie-get.socket
%attr(-,root,root) /usr/lib/systemd/system/security-server-cookie-get.socket
%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-cookie-check.socket
* This function allows middleware to check if an app has the specified privilege
* enabled.
*
* This function allows middleware to check if an app has the specified privilege
* enabled.
*
- * \param[in] Application ID
+ * \param[in] Application ID (smack label)
* \param[in] Application type
* \param[in] Privilege name
* \param[out] Handler to store the result. It is set to 1 (true) if privilege is enabled, 0 (false) otherwise
* \param[in] Application type
* \param[in] Privilege name
* \param[out] Handler to store the result. It is set to 1 (true) if privilege is enabled, 0 (false) otherwise
*
* Access to this function requires SMACK rule: "<app_label> security-server::api-app-privilege-by-name w"
*/
*
* Access to this function requires SMACK rule: "<app_label> security-server::api-app-privilege-by-name w"
*/
-int security_server_app_has_privilege(const char *app_id,
+int security_server_app_has_privilege(const char *app_label,
app_type_t app_type,
const char *privilege_name,
int *result);
app_type_t app_type,
const char *privilege_name,
int *result);
#include <security-server.h>
SECURITY_SERVER_API
#include <security-server.h>
SECURITY_SERVER_API
-int security_server_app_has_privilege(const char *app_id,
+int security_server_app_has_privilege(const char *app_label,
app_type_t app_type,
const char *privilege_name,
int *result)
app_type_t app_type,
const char *privilege_name,
int *result)
LogDebug("security_server_app_has_privilege() called");
try {
LogDebug("security_server_app_has_privilege() called");
try {
- if ((NULL == app_id) || (strlen(app_id) == 0)) {
+ if ((NULL == app_label) || (strlen(app_label) == 0)) {
LogError("app_id is NULL or empty");
return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
}
LogError("app_id is NULL or empty");
return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
}
return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
}
return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
}
- LogDebug("app_id: " << app_id);
+ LogDebug("app_label: " << app_label);
LogDebug("app_type: " << static_cast<int>(app_type));
LogDebug("privilege_name: " << privilege_name);
//put data into buffer
Serialization::Serialize(send, static_cast<int>(PrivilegeCheckHdrs::CHECK_GIVEN_APP));
LogDebug("app_type: " << static_cast<int>(app_type));
LogDebug("privilege_name: " << privilege_name);
//put data into buffer
Serialization::Serialize(send, static_cast<int>(PrivilegeCheckHdrs::CHECK_GIVEN_APP));
- Serialization::Serialize(send, std::string(app_id));
+ Serialization::Serialize(send, std::string(app_label));
Serialization::Serialize(send, static_cast<int>(app_type));
Serialization::Serialize(send, std::string(privilege_name));
Serialization::Serialize(send, static_cast<int>(app_type));
Serialization::Serialize(send, std::string(privilege_name));
"/tmp/.security-server-api-get-gid.sock";
char const * const SERVICE_SOCKET_PRIVILEGE_BY_PID =
"/tmp/.security-server-api-privilege-by-pid.sock";
"/tmp/.security-server-api-get-gid.sock";
char const * const SERVICE_SOCKET_PRIVILEGE_BY_PID =
"/tmp/.security-server-api-privilege-by-pid.sock";
-char const * const SERVICE_SOCKET_APP_PERMISSIONS =
- "/tmp/.security-server-api-app-permissions.sock";
char const * const SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME =
"/tmp/.security-server-api-app-privilege-by-name.sock";
char const * const SERVICE_SOCKET_COOKIE_GET =
char const * const SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME =
"/tmp/.security-server-api-app-privilege-by-name.sock";
char const * const SERVICE_SOCKET_COOKIE_GET =
extern char const * const SERVICE_SOCKET_SHARED_MEMORY;
extern char const * const SERVICE_SOCKET_GET_GID;
extern char const * const SERVICE_SOCKET_PRIVILEGE_BY_PID;
extern char const * const SERVICE_SOCKET_SHARED_MEMORY;
extern char const * const SERVICE_SOCKET_GET_GID;
extern char const * const SERVICE_SOCKET_PRIVILEGE_BY_PID;
-extern char const * const SERVICE_SOCKET_APP_PERMISSIONS;
extern char const * const SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME;
extern char const * const SERVICE_SOCKET_COOKIE_GET;
extern char const * const SERVICE_SOCKET_COOKIE_CHECK;
extern char const * const SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME;
extern char const * const SERVICE_SOCKET_COOKIE_GET;
extern char const * const SERVICE_SOCKET_COOKIE_CHECK;
-const SecurityServer::InterfaceID CHANGE_APP_PERMISSIONS = 0;
const SecurityServer::InterfaceID CHECK_APP_PRIVILEGE = 1;
} // namespace anonymous
const SecurityServer::InterfaceID CHECK_APP_PRIVILEGE = 1;
} // namespace anonymous
GenericSocketService::ServiceDescriptionVector AppPermissionsService::GetServiceDescription() {
return ServiceDescriptionVector {
GenericSocketService::ServiceDescriptionVector AppPermissionsService::GetServiceDescription() {
return ServiceDescriptionVector {
- { SERVICE_SOCKET_APP_PERMISSIONS,
- "security-server::api-app-permissions",
- CHANGE_APP_PERMISSIONS },
{ SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME,
"security-server::api-app-privilege-by-name",
CHECK_APP_PRIVILEGE }
{ SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME,
"security-server::api-app-privilege-by-name",
CHECK_APP_PRIVILEGE }
{
MessageBuffer send;
std::string privilege_name;
{
MessageBuffer send;
std::string privilege_name;
int result = SECURITY_SERVER_API_ERROR_SERVER_ERROR;
app_type_t app_type;
bool has_permission = false;
int result = SECURITY_SERVER_API_ERROR_SERVER_ERROR;
app_type_t app_type;
bool has_permission = false;
LogDebug("App privilege check call type: "
<< (checkType == PrivilegeCheckHdrs::CHECK_GIVEN_APP ?
"CHECK_GIVEN_APP":"CHECK_CALLER_APP"));
LogDebug("App privilege check call type: "
<< (checkType == PrivilegeCheckHdrs::CHECK_GIVEN_APP ?
"CHECK_GIVEN_APP":"CHECK_CALLER_APP"));
- if (checkType == PrivilegeCheckHdrs::CHECK_GIVEN_APP) { //app_id present only in this case
- Deserialization::Deserialize(buffer, app_id); //get app id
+ if (checkType == PrivilegeCheckHdrs::CHECK_GIVEN_APP) { //app_label present only in this case
+ Deserialization::Deserialize(buffer, app_label); //get app_label
}
Deserialization::Deserialize(buffer, temp); //get app type
app_type = static_cast<app_type_t>(temp);
}
Deserialization::Deserialize(buffer, temp); //get app type
app_type = static_cast<app_type_t>(temp);
- if (checkType == PrivilegeCheckHdrs::CHECK_CALLER_APP) { //get sender app_id in this case
- char *label = NULL;
- if (smack_new_label_from_socket(conn.sock, &label) < 0) {
- LogDebug("Error in smack_new_label_from_socket(): "
- "client label is unknown. Sending error response.");
- Serialization::Serialize(send, SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED);
- m_serviceManager->Write(conn, send.Pop());
- return false;
- } else {
- app_id = label;
- free(label);
- }
- } //end if
-
- LogDebug("app_id: " << app_id);
+ LogDebug("app_label: " << app_label);
LogDebug("app_type: " << static_cast<int>(app_type));
LogDebug("privilege_name: " << privilege_name);
LogDebug("Calling perm_app_has_permission()");
LogDebug("app_type: " << static_cast<int>(app_type));
LogDebug("privilege_name: " << privilege_name);
LogDebug("Calling perm_app_has_permission()");
- result = perm_app_has_permission(app_id.c_str(), app_type, privilege_name.c_str(), &has_permission);
+ result = perm_app_has_permission(app_label.c_str(), app_type, privilege_name.c_str(), &has_permission);
LogDebug("perm_app_has_permission() returned: " << result << " , permission enabled: " << has_permission);
//send response
LogDebug("perm_app_has_permission() returned: " << result << " , permission enabled: " << has_permission);
//send response
${CMAKE_SOURCE_DIR}/systemd/security-server-data-share.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-get-gid.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-privilege-by-pid.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-data-share.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-get-gid.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-privilege-by-pid.socket
- ${CMAKE_SOURCE_DIR}/systemd/security-server-app-permissions.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-cookie-get.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-cookie-check.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-app-privilege-by-name.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-cookie-get.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-cookie-check.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-app-privilege-by-name.socket
+++ /dev/null
-[Socket]
-ListenStream=/tmp/.security-server-api-app-permissions.sock
-SocketMode=0777
-SmackLabelIPIn=*
-SmackLabelIPOut=@
-
-Service=security-server.service
-
-[Unit]
-Wants=security-server.target
-Before=security-server.target
-
-[Install]
-WantedBy=sockets.target
Sockets=security-server-data-share.socket
Sockets=security-server-get-gid.socket
Sockets=security-server-privilege-by-pid.socket
Sockets=security-server-data-share.socket
Sockets=security-server-get-gid.socket
Sockets=security-server-privilege-by-pid.socket
-Sockets=security-server-app-permissions.socket
Sockets=security-server-app-privilege-by-name.socket
Sockets=security-server-cookie-get.socket
Sockets=security-server-cookie-check.socket
Sockets=security-server-app-privilege-by-name.socket
Sockets=security-server-cookie-get.socket
Sockets=security-server-cookie-check.socket