And it can be used to validate requests from clients.
e_privilege: a collection of privilege strings for maintaining.
Change-Id: Ie4a183ef605bfa9dd3810aa882182bfd9cc27439
[capi-system-device])
#cynara
PKG_CHECK_MODULES(CYNARA,
- [cynara-client, cynara-creds-socket, cynara-session],
+ [cynara-client, cynara-creds-socket, cynara-session, libsmack],
[have_cynara="yes"], [have_cynara="no"])
if test "x${have_cynara}" = "xyes"; then
AC_DEFINE([HAVE_CYNARA], [1], [Define to 1 if you have cynara])
BuildRequires: pkgconfig(tzsh-server)
BuildRequires: pkgconfig(cynara-client)
BuildRequires: pkgconfig(cynara-creds-socket)
+BuildRequires: pkgconfig(libsmack)
Requires: libwayland-extension-server
%if "%{LIBGOMP}" == "use"
Requires: libgomp
src/bin/e_policy_private_data.h \
src/bin/e_policy_wl.h \
src/bin/e_policy_wl_display.h \
-src/bin/e_process.h
+src/bin/e_process.h \
+src/bin/e_privilege.h \
+src/bin/e_security.h
enlightenment_src = \
src/bin/e_actions.c \
src/bin/e_policy_visibility.c \
src/bin/e_policy_wl.c \
src/bin/e_policy_wl_display.c \
-src/bin/e_process.c
+src/bin/e_process.c \
+src/bin/e_privilege.c \
+src/bin/e_security.c
src_bin_enlightenment_CPPFLAGS = $(E_CPPFLAGS) -DEFL_BETA_API_SUPPORT -DEFL_EO_API_SUPPORT -DE_LOGGING=1 @WAYLAND_CFLAGS@ $(TTRACE_CFLAGS) $(DLOG_CFLAGS) $(POLICY_CFLAGS) @TIZEN_REMOTE_SURFACE_CFLAGS@
if HAVE_LIBGOMP
#include "e_process.h"
#include "e_splitlayout.h"
#include "e_slot.h"
+#include "e_privilege.h"
+#include "e_security.h"
#include "e_main.h"
TS("E_Process Init Done");
_e_main_shutdown_push(e_process_shutdown);
+ TS("E_Security Init");
+ if (!e_security_init())
+ {
+ e_error_message_show(_("Enlightenment cannot setup security system!\n"));
+ _e_main_shutdown(-1);
+ }
+ TS("E_Security Init Done");
+ _e_main_shutdown_push(e_security_shutdown);
+
TS("Load Modules");
_e_main_modules_load(safe_mode);
TS("Load Modules Done");
--- /dev/null
+#include "e.h"
+
+EINTERN const char *E_PRIVILEGE_NOTIFICATION_LEVEL_SET = "http://tizen.org/privilege/window.priority.set";
+EINTERN const char *E_PRIVILEGE_SCREEN_MODE_SET = "http://tizen.org/privilege/display";
+EINTERN const char *E_PRIVILEGE_BRIGHTNESS_SET = "http://tizen.org/privilege/display";
+EINTERN const char *E_PRIVILEGE_DATA_ONLY_SET = "http://tizen.org/privilege/force.selection";
+EINTERN const char *E_PRIVILEGE_KEYGRAB_SET = "http://tizen.org/privilege/keygrab";
--- /dev/null
+#ifdef E_TYPEDEFS
+#else
+#ifndef E_PRIVILEGE_H
+#define E_PRIVILEGE_H
+
+extern EINTERN const char *E_PRIVILEGE_NOTIFICATION_LEVEL_SET;
+extern EINTERN const char *E_PRIVILEGE_SCREEN_MODE_SET;
+extern EINTERN const char *E_PRIVILEGE_BRIGHTNESS_SET;
+extern EINTERN const char *E_PRIVILEGE_DATA_ONLY_SET;
+extern EINTERN const char *E_PRIVILEGE_KEYGRAB_SET;
+
+#endif
+#endif
--- /dev/null
+#include "e.h"
+
+#ifdef HAVE_CYNARA
+# include <cynara-session.h>
+# include <cynara-client.h>
+# include <cynara-creds-socket.h>
+# include <sys/smack.h>
+#endif
+
+#ifdef HAVE_CYNARA
+static cynara *g_cynara = NULL;
+#endif
+
+E_API Eina_Bool
+e_security_privilege_check(pid_t pid, uid_t uid, const char *privilege)
+{
+#ifdef HAVE_CYNARA
+ Eina_Bool res = EINA_FALSE;
+
+ /* Cynara is not initialized. DENY all requests */
+ EINA_SAFETY_ON_NULL_RETURN_VAL(g_cynara, EINA_FALSE);
+ EINA_SAFETY_ON_NULL_RETURN_VAL(privilege, EINA_FALSE);
+
+ char *client_smack = NULL;
+ char *client_session = NULL;
+ char uid_str[16] = { 0, };
+ int len = -1;
+ int ret = -1;
+
+ ret = smack_new_label_from_process((int)pid, &client_smack);
+ EINA_SAFETY_ON_FALSE_GOTO((ret > 0), finish);
+
+ snprintf(uid_str, 15, "%d", (int)uid);
+
+ client_session = cynara_session_from_pid(pid);
+ EINA_SAFETY_ON_NULL_GOTO(client_session, finish);
+
+ ret = cynara_check(g_cynara,
+ client_smack,
+ client_session,
+ uid_str,
+ privilege);
+
+ if (ret == CYNARA_API_ACCESS_ALLOWED)
+ res = EINA_TRUE;
+
+finish:
+ ELOGF("TZPOL",
+ "Privilege Check For '%s' %s pid:%u uid:%u client_smack:%s(len:%d) client_session:%s ret:%d",
+ NULL, NULL,
+ privilege,
+ res ? "SUCCESS" : "FAIL",
+ pid,
+ uid,
+ client_smack ? client_smack : "N/A",
+ len,
+ client_session ? client_session: "N/A",
+ ret);
+
+ if (client_session) E_FREE(client_session);
+ if (client_smack) E_FREE(client_smack);
+
+ return res;
+#else
+ return EINA_TRUE;
+#endif
+}
+
+EINTERN int
+e_security_init(void)
+{
+#ifdef HAVE_CYNARA
+ if (cynara_initialize(&g_cynara, NULL) != CYNARA_API_SUCCESS)
+ {
+ ERR("cynara_initialize failed.");
+ g_cynara = NULL;
+ }
+#endif
+ return EINA_TRUE;
+}
+
+EINTERN int
+e_security_shutdown(void)
+{
+#ifdef HAVE_CYNARA
+ if (g_cynara)
+ cynara_finish(g_cynara);
+#endif
+ g_cynara = NULL;
+
+ return 1;
+}
--- /dev/null
+#ifdef E_TYPEDEFS
+#else
+#ifndef E_SECURITY_H
+#define E_SECURITY_H
+
+EINTERN int e_security_init(void);
+EINTERN int e_security_shutdown(void);
+
+E_API Eina_Bool e_security_privilege_check(pid_t pid, uid_t uid, const char *privilege);
+
+#endif
+#endif