Add FOTA script to apply privilege mapping changes 94/245994/1
authorYunjin Lee <yunjin-.lee@samsung.com>
Wed, 21 Oct 2020 10:22:32 +0000 (19:22 +0900)
committerYunjin Lee <yunjin-.lee@samsung.com>
Wed, 21 Oct 2020 10:28:51 +0000 (19:28 +0900)
4.0
- native systemsettings.admin -> core systemsettings.admin
- web filesystem.read -> core systemsettings.admin
- web filesystem.write -> core systemsettings.admin
- web setting -> core systemsettings.admin
- web networkbearerselection -> core network.set

5.5
- native systemsettings.admin -> core systemsettings.admin,
                                      internal/buxton/systemsettings
- web filesystem.read -> core filesystem.read
- web filesystem.write -> core filesystem.write
- web setting -> core internal/buxton/systemsettings

6.0
- web networkbearerselection -> core network.set,
                                     network.route

Change-Id: I5f69666cb3774fd2bba2c175e3df327b15d1f3ed
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
CMakeLists.txt
packaging/security-config.spec
upgrade/202.privilege_upgrade.sh [new file with mode: 0644]

index 33c70ffb1f61dfbadc8bec88c60cf09b12977d29..4721fa1e82b22ffe47665a03b89fdc72f923bfc2 100755 (executable)
@@ -17,6 +17,7 @@ INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/security-config.conf DESTINATION /usr/l
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/90_user-content-permissions.post DESTINATION ${SYSCONF_INSTALL_DIR}/gumd/useradd.d)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/91_user-dbspace-permissions.post DESTINATION ${SYSCONF_INSTALL_DIR}/gumd/useradd.d)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/upgrade/201.security_upgrade.sh DESTINATION /usr/share/upgrade/scripts)
+INSTALL(FILES ${CMAKE_SOURCE_DIR}/upgrade/202.privilege_upgrade.sh DESTINATION /usr/share/upgrade/scripts)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/smack/onlycap DESTINATION /etc/smack)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/smack/smack_default_labeling DESTINATION /usr/share/security-config)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/smack/netlabel_config DESTINATION /etc/smack/netlabel.d)
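Review bot: The new script is installed with `INSTALL(FILES ...)`, which gives it mode 0644, and it is added to the tree as mode 100644, so it only becomes executable through the `%attr(755,root,root)` entry in the spec. `INSTALL(PROGRAMS ${CMAKE_SOURCE_DIR}/upgrade/202.privilege_upgrade.sh DESTINATION /usr/share/upgrade/scripts)` would keep the executable bit in the install rule itself. If the upgrade runner executes scripts directly (not visible here), an install that bypasses the RPM attributes would leave the privilege migration unrun. The neighbouring 201 line has the same form.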
index 853f742c7dc7b0cb6044edc99bb6633b0450a866..4dff00593bf03832debbef1aa1469ead394425c5 100755 (executable)
@@ -155,6 +155,7 @@ rm -r /usr/share/security-config/mount_list/
 %attr(755,root,root) %{SECURITY_TEST_DIR}/execute_label_check_test/*
 %attr(755,root,root) %{SECURITY_TEST_DIR}/new_service_test/*
 %attr(755,root,root) /usr/share/upgrade/scripts/201.security_upgrade.sh
+%attr(755,root,root) /usr/share/upgrade/scripts/202.privilege_upgrade.sh
 %attr(755,root,root) %{_sysconfdir}/gumd/useradd.d/90_user-content-permissions.post
 %attr(755,root,root) %{_sysconfdir}/gumd/useradd.d/91_user-dbspace-permissions.post
 %attr(644,root,root) /etc/smack/netlabel.d/netlabel_config
diff --git a/upgrade/202.privilege_upgrade.sh b/upgrade/202.privilege_upgrade.sh
new file mode 100644 (file)
index 0000000..9981d1f
--- /dev/null
@@ -0,0 +1,124 @@
+#!/bin/bash
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+. /etc/tizen-platform.conf
+
+
+for package_data in `sqlite3 /opt/dbspace/.pkgmgr_parser.db "select package, type from package_privilege_info where privilege='http://tizen.org/privilege/systemsettings.admin'"`
+do
+       package=$(echo "$package_data" | cut -d '|' -f1)
+       package_type=$(echo "$package_data" | cut -d '|' -f2)
+
+       if  [ "$package_type" == "wgt" ]; then
+               echo "$package is wgt app"
+               app_list=($(sqlite3 /opt/dbspace/.security-manager.db "select app_name from user_app_pkg_view where pkg_name='${package}' and is_hybrid=1;"))
+
+               if [ ${#app_list[@]} -eq 0 ]; then
+                       echo "$package is pure wgt"
+
+                       echo "remove systemsettings.admin"
+                       cyad -e "MANIFESTS_GLOBAL" -r no -c "User::Pkg::${package}" -u "*" -p "http://tizen.org/privilege/systemsettings.admin"
+                       sqlite3 /opt/dbspace/.pkgmgr_parser.db "DELETE FROM package_privilege_info WHERE package = '${package}' AND  privilege = 'http://tizen.org/privilege/systemsettings.admin' AND type = 'wgt';"
+
+                       #check latest first
+                       if [ -f /opt/usr/globalapps/${package}/res/wgt/config.xml ]; then
+                               manifest_file="/opt/usr/globalapps/${package}/res/wgt/config.xml"
+                       else
+                               manifest_file="/usr/apps/${package}/res/wgt/config.xml"
+                       fi
+                       echo "manifest_file $manifest_file"
+
+                       if grep -q "http://tizen.org/privilege/filesystem.read" "$manifest_file"; then
+                               echo "$package have filesystem.read"
+                               cyad -s -k "MANIFESTS_GLOBAL" -c "User::Pkg::${package}" -u "*" -p "http://tizen.org/privilege/filesystem.read" -t ALLOW
+                               sqlite3 /opt/dbspace/.pkgmgr_parser.db "INSERT OR IGNORE INTO package_privilege_info VALUES ('${package}', 'http://tizen.org/privilege/filesystem.read', 'wgt');"
+                       fi
+                       if grep -q "http://tizen.org/privilege/filesystem.write" "$manifest_file"; then
+                               echo "$package have filesystem.write"
+                               cyad -s -k "MANIFESTS_GLOBAL" -c "User::Pkg::${package}" -u "*" -p "http://tizen.org/privilege/filesystem.write" -t ALLOW
+                               sqlite3 /opt/dbspace/.pkgmgr_parser.db "INSERT OR IGNORE INTO package_privilege_info VALUES ('${package}', 'http://tizen.org/privilege/filesystem.write', 'wgt');"
+                       fi
+                       if grep -q "http://tizen.org/privilege/setting" "$manifest_file"; then
+                               echo "$package have setting"
+                               cyad -s -k "MANIFESTS_GLOBAL" -c "User::Pkg::${package}" -u "*" -p "http://tizen.org/privilege/internal/buxton/systemsettings" -t ALLOW
+                               sqlite3 /opt/dbspace/.pkgmgr_parser.db "INSERT OR IGNORE INTO package_privilege_info VALUES ('${package}', 'http://tizen.org/privilege/internal/buxton/systemsettings', 'wgt');"
+                       fi
+               else
+                       echo "$package is hybrid app"
+
+                       for app in "${app_list[@]}"
+                       do
+                               if find /opt/usr/globalapps/${package}/ /usr/apps/${package}/ -name "config.xml" 2>/dev/null | xargs grep -q ${app}; then
+                                       echo "$app is web part of hybrid $package"
+
+                                       echo "remove systemsettings.admin from $app"
+                                       cyad -e "MANIFESTS_GLOBAL" -r no -c "User::Pkg::${package}::App::${app}" -u "*" -p "http://tizen.org/privilege/systemsettings.admin"
+                                       sqlite3 /opt/dbspace/.pkgmgr_parser.db "DELETE FROM package_privilege_info WHERE package = '${package}' AND  privilege = 'http://tizen.org/privilege/systemsettings.admin' AND type = 'wgt';"
+
+                                       #check latest first
+                                       if [ -f /opt/usr/globalapps/${package}/res/wgt/config.xml ]; then
+                                               manifest_file="/opt/usr/globalapps/${package}/res/wgt/config.xml"
+                                       else
+                                               manifest_file="/usr/apps/${package}/res/wgt/config.xml"
+                                       fi
+                                       echo "manifest_file $manifest_file"
+
+                                       if grep -q "http://tizen.org/privilege/filesystem.read" "$manifest_file"; then
+                                               echo "$app have filesystem.read"
+                                               cyad -s -k "MANIFESTS_GLOBAL" -c "User::Pkg::${package}::App::${app}" -u "*" -p "http://tizen.org/privilege/filesystem.read" -t ALLOW
+                                               sqlite3 /opt/dbspace/.pkgmgr_parser.db "INSERT OR IGNORE INTO package_privilege_info VALUES ('${package}', 'http://tizen.org/privilege/filesystem.read', 'wgt');"
+                                       fi
+                                       if grep -q "http://tizen.org/privilege/filesystem.write" "$manifest_file"; then
+                                               echo "$app have filesystem.write"
+                                               cyad -s -k "MANIFESTS_GLOBAL" -c "User::Pkg::${package}::App::${app}" -u "*" -p "http://tizen.org/privilege/filesystem.write" -t ALLOW
+                                               sqlite3 /opt/dbspace/.pkgmgr_parser.db "INSERT OR IGNORE INTO package_privilege_info VALUES ('${package}', 'http://tizen.org/privilege/filesystem.write', 'wgt');"
+                                       fi
+                                       if grep -q "http://tizen.org/privilege/setting" "$manifest_file"; then
+                                               echo "$app have setting"
+                                               cyad -s -k "MANIFESTS_GLOBAL" -c "User::Pkg::${package}::App::${app}" -u "*" -p "http://tizen.org/privilege/internal/buxton/systemsettings" -t ALLOW
+                                               sqlite3 /opt/dbspace/.pkgmgr_parser.db "INSERT OR IGNORE INTO package_privilege_info VALUES ('${package}', 'http://tizen.org/privilege/internal/buxton/systemsettings', 'wgt');"
+                                       fi
+                               fi
+                       done
+               fi
+       else
+               #add cynara policy
+               echo "$package is tpk app"
+               app_list=($(sqlite3 /opt/dbspace/.security-manager.db "select app_name from user_app_pkg_view where pkg_name='${package}' and is_hybrid=1;"))
+               if [ ${#app_list[@]} -eq 0 ]; then
+                       echo "$package is pure tpk app"
+                       echo "add internal/buxton/systemsettings"
+                       cyad -s -k "MANIFESTS_GLOBAL" -c "User::Pkg::${package}" -u "*" -p "http://tizen.org/privilege/internal/buxton/systemsettings" -t ALLOW
+                       sqlite3 /opt/dbspace/.pkgmgr_parser.db "INSERT OR IGNORE INTO package_privilege_info VALUES ('${package}', 'http://tizen.org/privilege/internal/buxton/systemsettings', 'tpk');"
+               else
+                       echo "$package is hybrid app"
+                       for app in "${app_list[@]}"
+                       do
+                               if find /opt/usr/globalapps/${package}/ /usr/apps/${package}/ -name "tizen-manifest.xml" 2>/dev/null | xargs grep -q ${app}; then
+                                       echo "$app is native part of hybrid $package"
+                                       echo "add internal/buxton/systemsettings"
+                                       cyad -s -k "MANIFESTS_GLOBAL" -c "User::Pkg::${package}::App::${app}" -u "*" -p "http://tizen.org/privilege/internal/buxton/systemsettings" -t ALLOW
+                                       sqlite3 /opt/dbspace/.pkgmgr_parser.db "INSERT OR IGNORE INTO package_privilege_info VALUES ('${package}', 'http://tizen.org/privilege/internal/buxton/systemsettings', 'tpk');"
+                               fi
+                       done
+               fi
+       fi
+       echo ""
+done
+
+for package in `sqlite3 /opt/dbspace/.pkgmgr_parser.db "select package from package_privilege_info where privilege='http://tizen.org/privilege/network.set' and type='wgt'"`
+do
+       app_list=($(sqlite3 /opt/dbspace/.security-manager.db "select app_name from user_app_pkg_view where pkg_name='${package}' and is_hybrid=1;"))
+
+       sqlite3 /opt/dbspace/.pkgmgr_parser.db "INSERT OR IGNORE INTO package_privilege_info VALUES ('${package}', 'http://tizen.org/privilege/network.route', 'wgt');"
+       if [ ${#app_list[@]} -eq 0 ]; then
+               cyad -s -k "MANIFESTS_GLOBAL" -c "User::Pkg::${package}" -u "*" -p "http://tizen.org/privilege/network.route" -t ALLOW
+       else
+               for app in "${app_list[@]}"
+               do
+                       if find /opt/usr/globalapps/${package}/ /usr/apps/${package}/ -name "config.xml" 2>/dev/null | xargs grep -q ${app}; then
+                               cyad -s -k "MANIFESTS_GLOBAL" -c "User::Pkg::${package}::App::${app}" -u "*" -p "http://tizen.org/privilege/network.route" -t ALLOW
+                       fi
+               done
+       fi
+done
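Review bot: The manifest checks such as `grep -q "http://tizen.org/privilege/setting" "$manifest_file"` (and the filesystem.read/write ones) are unanchored regex matches, so any line containing that text, for example a longer privilege URI with the same prefix or a commented-out entry, leads to `cyad -s ... -t ALLOW` being issued. The hybrid checks `xargs grep -q ${app}` have the same weakness and leave `${app}` unquoted, so an app id that is a substring of another id in the manifest is attributed to the wrong part. Since these matches decide which Cynara clients receive privileges during the upgrade, match the complete value as a fixed string, e.g. `grep -qF -- '"http://tizen.org/privilege/setting"' "$manifest_file"` and `xargs grep -qF -- "\"${app}\""`, assuming the manifests write both as double-quoted attribute values. The exit status of `cyad` and `sqlite3` is also ignored throughout, so a grant that fails after the `DELETE` goes unnoticed; checking it and logging the package would make a partial migration visible.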