--- /dev/null
+#!/bin/sh -e
+
+export PATH=/sbin:/usr/sbin:/bin:/usr/bin
+
+. /etc/tizen-platform.conf
+
+find $TZ_SYS_VAR/security-manager -name apps-names |
+while read file_old
+do
+ file_new=`dirname $file_old`/apps-labels
+ sed 's/^/User::App::/' $f <$file_old >$file_new
+ rm -f $file_old
+done
static lib_retcode apply_relabel_list(const std::string &global_label_file,
const std::string &user_label_file)
{
- std::vector<std::string> names;
+ std::vector<std::string> appLabels;
+
try {
- PermissibleSet::readNamesFromPermissibleFile(global_label_file, names);
- PermissibleSet::readNamesFromPermissibleFile(user_label_file, names);
+ PermissibleSet::readLabelsFromPermissibleFile(global_label_file, appLabels);
+ PermissibleSet::readLabelsFromPermissibleFile(user_label_file, appLabels);
std::vector<const char*> temp;
- std::transform(names.begin(), names.end(), std::back_inserter(temp),
- [] (std::string &label) {label = SmackLabels::generateAppLabel(label);
- return label.c_str();});
- if (smack_set_relabel_self(const_cast<const char **>(temp.data()), temp.size()) != 0) {
+
+ std::transform(appLabels.begin(), appLabels.end(), std::back_inserter(temp),
+ [] (std::string &label) {return label.c_str();});
+
+ if (smack_set_relabel_self(temp.data(), temp.size()) != 0) {
LogError("smack_set_relabel_self failed");
return SECURITY_MANAGER_ERROR_SET_RELABEL_SELF_FAILED;
}
int ret = inotify_rm_watch(monitorPtr->inotify, monitorPtr->global_labels_file_watch);
if (ret == -1) {
LogError("Inotify watch removal failed on file " <<
- Config::APPS_NAME_FILE << ": " << GetErrnoString(errno));
+ Config::APPS_LABELS_FILE << ": " << GetErrnoString(errno));
}
}
if (monitorPtr->user_labels_file_watch != -1) {
const std::string PRIVILEGE_POLICY_ADMIN = "http://tizen.org/privilege/internal/usermanagement";
const std::string PRIVILEGE_APPSHARING_ADMIN = "http://tizen.org/privilege/notexist";
-const std::string APPS_NAME_FILE = "apps-names";
+const std::string APPS_LABELS_FILE = "apps-labels";
const std::string SKEL_DIR = "/etc/skel";
const std::string PRIVACY_POLICY_DESC = "Ask user";
return result;
}
+std::string dirName(const std::string &path)
+{
+ size_t slashPos = path.find_last_of('/');
+
+ if (slashPos == std::string::npos)
+ return ".";
+ else if (slashPos == 0)
+ return "/";
+ else
+ return path.substr(0, slashPos);
+}
+
} // namespace FS
} // nanespace SecurityManager
extern const std::string PRIVILEGE_APPSHARING_ADMIN;
/* Files used in permitted label managment */
-extern const std::string APPS_NAME_FILE;
+extern const std::string APPS_LABELS_FILE;
extern const std::string SKEL_DIR;
FileNameVector getDirContents(const std::string &path, const mode_t &mode);
FileNameVector getFilesFromDirectory(const std::string &path);
FileNameVector getDirsFromDirectory(const std::string &path);
+std::string dirName(const std::string &path);
} // namespace FS
} // nanespace SecurityManager
DECLARE_EXCEPTION_TYPE(Base, FileOpenError)
DECLARE_EXCEPTION_TYPE(Base, FileReadError)
DECLARE_EXCEPTION_TYPE(Base, FileWriteError)
+ DECLARE_EXCEPTION_TYPE(Base, FileInitError)
+ DECLARE_EXCEPTION_TYPE(Base, FileRemoveError)
};
+
/**
- * Return path to file with current list of application names
+ * Return path to file with current list of application labels
* installed globally or locally for the user.
*
* @param[in] uid identifier of the user whose application it should be
* @param[in] installationType type of installation (global or local)
- * @return path to file with names
+ * @return path to file with labels
*/
std::string getPerrmissibleFileLocation(uid_t uid, int installationType);
+
/**
* Update permissable file with current content of database
* @throws FileLockError
* @return resulting true on success
*/
void updatePermissibleFile(uid_t uid, int installationType);
+
/**
- * Read names from a file into a vector
+ * Read labels from a file into a vector
* @throws FileLockError
* @throws FileOpenError
* @throws FileReadError
*
- * @param[in] nameFile contains application names
- * @param[out] names vector to which application names are added
+ * @param[in] nameFile path to the labels file
+ * @param[out] appLabels vector to which application labels are added
* @return SECURITY_MANAGER_SUCCESS or error code
*/
-void readNamesFromPermissibleFile(const std::string &nameFile, std::vector<std::string> &names);
+void readLabelsFromPermissibleFile(const std::string &nameFile, std::vector<std::string> &appLabels);
+
+void initializeUserPermissibleFile(uid_t uid);
+
+void removeUserPermissibleFile(uid_t uid);
+
} // PermissibleSet
} // SecurityManager
#endif /* _PERMISSIBLE_SET_H_ */
#include <cstdio>
#include <cstring>
#include <fstream>
+#include <linux/xattr.h>
#include <memory>
#include <pwd.h>
#include <string>
#include <sys/file.h>
+#include <sys/smack.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <dpl/exception.h>
#include <dpl/fstream_accessors.h>
#include <dpl/log/log.h>
+#include <filesystem.h>
#include <permissible-set.h>
#include <privilege_db.h>
#include <security-manager-types.h>
+#include <smack-labels.h>
#include <tzplatform_config.h>
#include "tzplatform-config.h"
if ((installationType == SM_APP_INSTALL_GLOBAL)
|| (installationType == SM_APP_INSTALL_PRELOADED))
return tpc.ctxMakePath(TZ_SYS_VAR, Config::SERVICE_NAME,
- Config::APPS_NAME_FILE.c_str());
- else {
- std::string user = tpc.ctxGetEnv(TZ_USER_NAME);
- return tpc.ctxMakePath(TZ_SYS_VAR, Config::SERVICE_NAME, user,
- Config::APPS_NAME_FILE.c_str());
- }
+ Config::APPS_LABELS_FILE);
+ else
+ return tpc.ctxMakePath(TZ_SYS_VAR, Config::SERVICE_NAME,
+ tpc.ctxGetEnv(TZ_USER_NAME), Config::APPS_LABELS_FILE);
}
static void markPermissibleFileValid(int fd, const std::string &nameFile, bool valid)
std::ofstream fstream;
openAndLockNameFile(nameFile, fstream);
markPermissibleFileValid(getFd(fstream), nameFile, false);
+
std::vector<std::string> appNames;
PrivilegeDb::getInstance().GetUserApps(uid, appNames);
- for (auto &name : appNames) {
- fstream << name << '\n';
+ for (auto &appName : appNames) {
+ fstream << SmackLabels::generateAppLabel(appName) << '\n';
if (fstream.bad()) {
LogError("Unable to write to file " << nameFile << ": " << GetErrnoString(errno));
ThrowMsg(PermissibleSetException::PermissibleSetException::FileWriteError,
markPermissibleFileValid(getFd(fstream), nameFile, true);
}
-void readNamesFromPermissibleFile(const std::string &nameFile, std::vector<std::string> &names)
+void readLabelsFromPermissibleFile(const std::string &nameFile, std::vector<std::string> &appLabels)
{
std::ifstream fstream;
openAndLockNameFile(nameFile, fstream);
std::string line;
while (std::getline(fstream, line))
- names.push_back(line);
+ appLabels.push_back(line);
if (fstream.bad()) {
LogError("Failure while reading file " << nameFile << ": " << GetErrnoString(errno));
}
}
+void initializeUserPermissibleFile(uid_t uid)
+{
+ std::string nameFile = getPerrmissibleFileLocation(uid, SM_APP_INSTALL_LOCAL);
+ std::string nameDir = FS::dirName(nameFile);
+
+ if (mkdir(nameDir.c_str(), 0755) != 0 && errno != EEXIST)
+ ThrowMsg(PermissibleSetException::FileInitError,
+ "Unable to create directory for user permissible file:" << GetErrnoString(errno));
+
+ std::ofstream fstream;
+ openAndLockNameFile(nameFile, fstream);
+ if (smack_set_label_for_file(getFd(fstream), XATTR_NAME_SMACK, "_") != 0)
+ ThrowMsg(PermissibleSetException::FileInitError,
+ "Unable to set Smack label for user permissible file");
+
+ markPermissibleFileValid(getFd(fstream), nameFile, true);
+}
+
+void removeUserPermissibleFile(uid_t uid)
+{
+ std::string nameFile = getPerrmissibleFileLocation(uid, SM_APP_INSTALL_LOCAL);
+ std::string nameDir = FS::dirName(nameFile);
+
+ if (unlink(nameFile.c_str()) != 0 && errno != ENOENT)
+ ThrowMsg(PermissibleSetException::FileRemoveError,
+ "Unable to remove user permissible file:" << GetErrnoString(errno));
+
+ if (rmdir(nameFile.c_str()) != 0 && errno != ENOENT)
+ ThrowMsg(PermissibleSetException::FileRemoveError,
+ "Unable to remove directory for user permissible file:" << GetErrnoString(errno));
+}
+
} // PermissibleSet
} // SecurityManager
return (stat(path.c_str(), &buffer) == 0) && S_ISREG(buffer.st_mode);
}
-lib_retcode makeDirIfNotExists(const std::string &path, mode_t mode, const std::string &label)
-{
- if (mkdir(path.c_str(), mode) != 0 && errno != EEXIST) {
- LogError("Creation of directory " + path + "failed");
- return SECURITY_MANAGER_ERROR_FILE_CREATE_FAILED;
- }
- if (smack_set_label_for_path(path.c_str(), XATTR_NAME_SMACK, 0, label.c_str()) < 0) {
- LogError("Setting smack label failed for: " << path);
- return SECURITY_MANAGER_ERROR_SETTING_FILE_LABEL_FAILED;
- }
- return SECURITY_MANAGER_SUCCESS;
-}
-
-lib_retcode initializeUserAppsNameConfig(uid_t userAdded, const std::string &label) {
- TizenPlatformConfig tpc(userAdded);
- std::string user = tpc.ctxGetEnv(TZ_USER_NAME);
- std::string userDirectory = tpc.ctxMakePath(TZ_SYS_VAR, Config::SERVICE_NAME, user);
- std::string userFile = tpc.ctxMakePath(TZ_SYS_VAR, Config::SERVICE_NAME, user,
- Config::APPS_NAME_FILE);
- lib_retcode ret = makeDirIfNotExists(userDirectory, S_IRUSR|S_IXUSR|S_IWUSR|S_IXGRP|S_IXOTH,
- label);
- if (ret != SECURITY_MANAGER_SUCCESS)
- return ret;
- int fd = open(userFile.c_str(), O_CREAT|O_WRONLY, S_IRUSR|S_IRGRP|S_IROTH);
- if (fd == -1) {
- LogError("File creation failed with: " << GetErrnoString(errno) << " for: " << userFile);
- return SECURITY_MANAGER_ERROR_FILE_CREATE_FAILED;
- }
- if (smack_set_label_for_file(fd, XATTR_NAME_SMACK, label.c_str()) < 0) {
- LogError("Setting smack label for file: " << userFile << "failed");
- return SECURITY_MANAGER_ERROR_SETTING_FILE_LABEL_FAILED;
- }
- if (close(fd) == -1) {
- LogWarning("Close of file failed with: " << GetErrnoString(errno) << " for: " << userFile);
- }
-
- return SECURITY_MANAGER_SUCCESS;
-}
-
class ScopedTransaction {
public:
ScopedTransaction() : m_isCommited(false) {
return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
}
try {
- lib_retcode ret;
CynaraAdmin::getInstance().UserInit(uidAdded, static_cast<security_manager_user_type>(userType), isPrivilegePrivacy);
- if ((ret = initializeUserAppsNameConfig(uidAdded, "_")) != SECURITY_MANAGER_SUCCESS)
- return ret;
+ PermissibleSet::initializeUserPermissibleFile(uidAdded);
} catch (CynaraException::InvalidParam &e) {
return SECURITY_MANAGER_ERROR_INPUT_PARAM;
+ } catch (const PermissibleSet::PermissibleSetException::FileInitError &e) {
+ LogError("Error while adding user: " << e.DumpToString());
+ return SECURITY_MANAGER_ERROR_SETTING_FILE_LABEL_FAILED;
} catch (const std::exception &e) {
LogError("Memory allocation error while adding user: " << e.what());
return SECURITY_MANAGER_ERROR_SERVER_ERROR;
std::vector<std::string> userApps;
try {
PrivilegeDb::getInstance().GetUserApps(uidDeleted, userApps);
+ PermissibleSet::removeUserPermissibleFile(uidDeleted);
} catch (const PrivilegeDb::Exception::Base &e) {
LogError("Error while getting user apps from database: " << e.DumpToString());
return SECURITY_MANAGER_ERROR_SERVER_ERROR;
+ } catch (const PermissibleSet::PermissibleSetException::FileRemoveError &e) {
+ LogError("Error while removing user: " << e.DumpToString());
+ return SECURITY_MANAGER_ERROR_FILE_DELETE_FAILED;
+ } catch (const std::exception &e) {
+ LogError("Memory allocation error while deleting user: " << e.what());
+ return SECURITY_MANAGER_ERROR_SERVER_ERROR;
}
// Don't check whether the caller may uninstall apps of the removed user
ret = SECURITY_MANAGER_ERROR_SERVER_ERROR;
}
}
- try {
- TizenPlatformConfig tpc(uidDeleted);
- std::string user = tpc.ctxGetEnv(TZ_USER_NAME);
- std::string userDirectory = tpc.ctxMakePath(TZ_SYS_VAR, Config::SERVICE_NAME, user);
- std::string userFile = tpc.ctxMakePath(TZ_SYS_VAR, Config::SERVICE_NAME, user,
- Config::APPS_NAME_FILE);
- int res = unlink(userFile.c_str());
- if (res) {
- if (errno != ENOENT) {
- LogError("File deletion failed with: " << GetErrnoString(errno) <<
- " for: " << userFile);
- ret = SECURITY_MANAGER_ERROR_FILE_DELETE_FAILED;
- }
- }
- res = rmdir(userDirectory.c_str());
- if (res) {
- if (errno != ENOENT) {
- LogError("Directory deletion failed with: " << GetErrnoString(errno) <<
- " for: " << userDirectory);
- ret = SECURITY_MANAGER_ERROR_FILE_DELETE_FAILED;
- }
- }
- } catch (const std::exception &e) {
- LogError("Memory allocation error while deleting user: " << e.what());
- return SECURITY_MANAGER_ERROR_SERVER_ERROR;
- }
+
CynaraAdmin::getInstance().UserRemove(uidDeleted);
return ret;
projects / platform / core / security / security-manager.git / commitdiff