Move standard users group management from GUM to security-manager 49/186449/4
author Karol Lewandowski <k.lewandowsk@samsung.com>
Wed, 12 Sep 2018 14:33:53 +0000 (16:33 +0200)
committer Karol Lewandowski <k.lewandowsk@samsung.com>
Wed, 12 Sep 2018 14:33:53 +0000 (16:33 +0200)
Till now users created with "gum" tools were added
to a predefined set of supplementary groups - audio,
display, video.  This gave the users needed permissions
to access various device nodes.

Unfortunately, this model does not work with multiple
"passwd/group" databases - /etc/{passwd,group} on read-only
storage, /opt/etc/{passwd,group} on read-writable storage.
This is because to assign user 'kitty' to some system
group - defined in /etc/group, this file would need to be
modified, i.e.

  video:x:44:media,system,multimedia_fw,owner,kitty

As noted - this can not be done because /opt/group is
supposed to be on read-only storage.

To address this issue security manager is used.  It
already provides an NSS module which can assign logged in users
to predefined groups.  The group membership is based on
privileges assigned to the given user type.

This commit:
 - introduces three new privileges
 - introduces mapping from new privileges to Unix groups
 - assigns the new privileges to 'admin', 'normal', 'security',
   'system' & 'guest' users
 - adds the new privileges to global & local manifests

Change-Id: I465acc69cfa92bd4162f5aa603696bdfa7ace64e

policy/privilege-group.list
policy/security-manager-policy-reload.in
policy/usertype-admin.profile
policy/usertype-guest.profile
policy/usertype-normal.profile
policy/usertype-security.profile
policy/usertype-system.profile
src/common/service_impl.cpp

index 548f7e759a331bc1970b4c2cf47affad5155ee7b..26f7d47c875162274f62097d35e018f7d41d28c6 100644 (file)
@@ -15,3 +15,6 @@ http://tizen.org/privilege/network.get priv_network_get
 http://tizen.org/privilege/tethering.admin priv_tethering_admin
 http://tizen.org/privilege/email priv_email
 http://tizen.org/privilege/tee.client priv_tee_client
+http://tizen.org/privilege/internal/device/audio audio
+http://tizen.org/privilege/internal/device/display display
+http://tizen.org/privilege/internal/device/video video
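Review bot: the three added mappings point at plain system groups (audio, display, video), while the context entries above them map to dedicated priv_* groups such as priv_tethering_admin and priv_email, and nothing in the list marks the new ones as pre-existing groups that must already be defined under the same names in the read-only /etc/group. Suggest documenting that dependency next to the entries or in the commit message, so that a later rename or removal of one of those groups on the image does not silently break the mapping.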
index 575607f23b791ca4ba1b81e2c9eb4e737e4cd0a9..81415143b779a8720cbecab422f21cbb6b8c4ad1 100755 (executable)
@@ -70,6 +70,12 @@ cyad --set-policy --bucket=MANIFESTS_GLOBAL --client="User::Shell" --user="0" --
 # @(kernel thread) can get access to internet privilege
 cyad --set-policy --bucket=MANIFESTS_GLOBAL --client="@" --user=* --privilege="http://tizen.org/privilege/internet" --type=ALLOW
 
+# Ensure applications can access standard devices
+for priv in audio video display; do
+    cyad --set-policy --bucket=MANIFESTS_GLOBAL --client="*" --user="*" --privilege="http://tizen.org/privilege/internal/device/$priv" --type=ALLOW
+    cyad --set-policy --bucket=MANIFESTS_LOCAL --client="*" --user="*" --privilege="http://tizen.org/privilege/internal/device/$priv" --type=ALLOW
+done
+
 # Stop the service to prevent concurrent db access
 systemctl stop security-manager.service security-manager.socket \
     || echo Failed to stop security-manager systemd service, continuing regardless
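Review bot: the loop sets each device privilege with --client="*" --user="*" --type=ALLOW in both MANIFESTS_GLOBAL and MANIFESTS_LOCAL, which is the widest match the command can express, and the comment only says "Ensure applications can access standard devices". Suggest extending the comment to say why a wildcard client and a wildcard user are both required, and which layer is then expected to limit the grant. No failure handling is visible on the cyad calls inside the loop, whereas the systemctl stop just below at least reports a failure; the same kind of `|| echo ...` handling would make a half-applied policy visible in the log.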
index 12ea042ea5414970bf833bce24a8ef56aadc4781..9c5bc8d851b357fa828cb4e18cd67426a9e88086 100644 (file)
 *      http://tizen.org/privilege/internal/default/partner
 *      http://tizen.org/privilege/internal/default/platform
 *      http://tizen.org/privilege/internal/default/public
+*      http://tizen.org/privilege/internal/device/audio
+*      http://tizen.org/privilege/internal/device/display
+*      http://tizen.org/privilege/internal/device/video
 *      http://tizen.org/privilege/internal/inputdevice.block
 *      http://tizen.org/privilege/internal/service
 *      http://tizen.org/privilege/internal/usermanagement
index 6cf9900b248ca68d0d142fba4bb579a67737d8d1..d98f67be620f3ace565827dc3b510599e1384ed2 100644 (file)
 *      http://tizen.org/privilege/internal/default/partner
 *      http://tizen.org/privilege/internal/default/platform
 *      http://tizen.org/privilege/internal/default/public
+*      http://tizen.org/privilege/internal/device/audio
+*      http://tizen.org/privilege/internal/device/display
+*      http://tizen.org/privilege/internal/device/video
 *      http://tizen.org/privilege/internal/inputdevice.block
 *      http://tizen.org/privilege/internal/service
 *      http://tizen.org/privilege/notexist
index 3718ad167c3c3542deb4a32fda028a9c8a46b67f..7a7f27ac9c440a9c8326560a3c3111fea31dd3c6 100644 (file)
 *      http://tizen.org/privilege/internal/default/partner
 *      http://tizen.org/privilege/internal/default/platform
 *      http://tizen.org/privilege/internal/default/public
+*      http://tizen.org/privilege/internal/device/audio
+*      http://tizen.org/privilege/internal/device/display
+*      http://tizen.org/privilege/internal/device/video
 *      http://tizen.org/privilege/internal/inputdevice.block
 *      http://tizen.org/privilege/internal/service
 *      http://tizen.org/privilege/notexist
index bdffc00d4268de1bca3291c38efe51f833cdb33c..0e467a7f7fa503122da01ee85003c9aa71a4fdc9 100644 (file)
 *      http://tizen.org/privilege/internal/default/partner
 *      http://tizen.org/privilege/internal/default/platform
 *      http://tizen.org/privilege/internal/default/public
+*      http://tizen.org/privilege/internal/device/audio
+*      http://tizen.org/privilege/internal/device/display
+*      http://tizen.org/privilege/internal/device/video
 *      http://tizen.org/privilege/internal/inputdevice.block
 *      http://tizen.org/privilege/internal/service
 *      http://tizen.org/privilege/notexist
index 7db907057e1e887c7a53b11d5d5e907d37349608..4b5ef0230fff014a77dcd3df69c4d014706c593b 100644 (file)
 *      http://tizen.org/privilege/internal/default/partner
 *      http://tizen.org/privilege/internal/default/platform
 *      http://tizen.org/privilege/internal/default/public
+*      http://tizen.org/privilege/internal/device/audio
+*      http://tizen.org/privilege/internal/device/display
+*      http://tizen.org/privilege/internal/device/video
 *      http://tizen.org/privilege/internal/inputdevice.block
 *      http://tizen.org/privilege/internal/service
 *      http://tizen.org/privilege/notexist
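Review bot: the same three device privileges are added verbatim to all five user-type profiles, and the commit message lists 'guest' among the user types that receive them. If the guest type is meant to be a reduced profile, confirm that it needs audio, display and video alike. If the intent is only to preserve the groups that gum used to give every user, stating that in the commit message would make the identical grants read as deliberate.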
index a33ed9a3033ab85ffefbb5ecab4bee65313362a4..46a9e634d16dde1258323c9e2730b1e199b3f82c 100644 (file)
@@ -1191,6 +1191,7 @@ int ServiceImpl::getAppGroups(const Credentials &creds, const std::string &appPr
         std::string uidStr = std::to_string(creds.uid);
         m_cynaraAdmin.getAppPolicy(appProcessLabel, uidStr, privileges);
         m_cynaraAdmin.getAppPolicy(appProcessLabel, CYNARA_ADMIN_WILDCARD, privileges);
+        m_cynaraAdmin.getAppPolicy(CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_WILDCARD, privileges);
 
         vectorRemoveDuplicates(privileges);
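Review bot: the added getAppPolicy(CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_WILDCARD, privileges) call carries no comment, and it widens getAppGroups for every caller: any privilege set for client "*" and user "*" is now appended to the privileges vector, not only the three device privileges this change introduces. Suggest a short comment saying that this lookup exists to pick up the wildcard device policies, and a check that no other wildcard/wildcard policy with an entry in privilege-group.list ends up granting a group that was not intended.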