check metadata privilege level 99/102799/5 accepted/tizen/3.0/common/20161208.153402 accepted/tizen/3.0/ivi/20161208.062728 accepted/tizen/3.0/mobile/20161208.062428 accepted/tizen/3.0/tv/20161208.062556 accepted/tizen/3.0/wearable/20161208.062638 submit/tizen_3.0/20161207.072901
authorjongmyeongko <jongmyeong.ko@samsung.com>
Tue, 6 Dec 2016 13:03:17 +0000 (22:03 +0900)
committerjongmyeongko <jongmyeong.ko@samsung.com>
Wed, 7 Dec 2016 12:30:50 +0000 (21:30 +0900)
Change-Id: I798acae8b829319579f7bbe16bf1a192380a99a3
Signed-off-by: jongmyeongko <jongmyeong.ko@samsung.com>
src/common/certificate_validation.cc
src/common/certificate_validation.h
src/common/step/security/step_check_signature.cc
src/common/step/security/step_check_signature.h

index f602696..63fc757 100644 (file)
@@ -279,4 +279,25 @@ bool ValidatePrivilegeLevel(common_installer::PrivilegeLevel level,
   return true;
 }
 
+bool ValidateMetadataPrivilege(common_installer::PrivilegeLevel level,
+    const char* api_version, GList* metadata_list,
+    std::string* error_message) {
+  if (!metadata_list)
+    return true;
+  char* error = nullptr;
+  int status = PRVMGR_ERR_NONE;
+  status = privilege_manager_verify_metadata(api_version, metadata_list,
+          PrivilegeLevelToVisibility(level), &error);
+  if (status != PRVMGR_ERR_NONE) {
+      std::string errnum = boost::str(boost::format("%d") % status);
+      LOG(ERROR) << "Error while verifing metadata privilege: "
+                 << (error ? error : "") << " <" << errnum << ">";
+      *error_message = error;
+      *error_message += ":<" + errnum + ">";
+      free(error);
+      return false;
+  }
+  return true;
+}
+
 }  // namespace common_installer
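Review bot: In the failure branch of ValidateMetadataPrivilege, `*error_message = error;` builds a std::string from `error` without the null guard that the LOG statement just above applies (`error ? error : ""`). If privilege_manager_verify_metadata returns a non-OK status and leaves `error` null, that assignment is undefined behaviour inside the installer's signature step. Change it to `*error_message = error ? error : "";` and keep the `free(error)` that follows. `error_message` itself is also written through unchecked; the caller visible in this commit passes a local, but a documented non-null contract or an `if (error_message)` guard would make that explicit.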
index cbc36bb..0d3f693 100644 (file)
@@ -41,6 +41,10 @@ bool ValidatePrivilegeLevel(common_installer::PrivilegeLevel level,
     uid_t uid, const char* api_version, GList* privileges,
     std::string* error_message);
 
+bool ValidateMetadataPrivilege(common_installer::PrivilegeLevel level,
+    const char* api_version, GList* metadata_list,
+    std::string* error_message);
+
 }  // namespace common_installer
 
 #endif  // COMMON_CERTIFICATE_VALIDATION_H_
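Review bot: The new ValidateMetadataPrivilege declaration carries no comment, and its contract is not obvious from the signature alone. Per the definition added in certificate_validation.cc, it returns true without consulting the privilege manager when `metadata_list` is null, and on failure it writes through `error_message` unconditionally. A comment above the declaration would capture this, for example `// Verifies application metadata against the given privilege level. Returns true when metadata_list is null; error_message must be non-null and is filled on failure.`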
index 8e184b8..d0722bf 100644 (file)
@@ -100,6 +100,25 @@ Step::Status StepCheckSignature::CheckPrivilegeLevel(PrivilegeLevel level) {
   return Status::OK;
 }
 
+Step::Status StepCheckSignature::CheckMetadataPrivilege(PrivilegeLevel level) {
+  std::string error_message;
+  if (context_->is_readonly_package.get())
+    return Status::OK;
+  manifest_x* manifest = context_->manifest_data.get();
+  for (application_x* app :
+       GListRange<application_x*>(manifest->application)) {
+    if (!ValidateMetadataPrivilege(level, manifest->api_version, app->metadata,
+                                   &error_message)) {
+      if (!error_message.empty()) {
+        LOG(ERROR) << "error_message: " << error_message;
+        on_error(Status::SIGNATURE_ERROR, error_message);
+      }
+      return Status::SIGNATURE_ERROR;
+    }
+  }
+  return Status::OK;
+}
+
 Step::Status StepCheckSignature::process() {
   PrivilegeLevel level = PrivilegeLevel::UNTRUSTED;
   bool check_reference = true;
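Review bot: The early `return Status::OK` for `context_->is_readonly_package.get()` at the top of CheckMetadataPrivilege skips metadata privilege verification entirely, and nothing in the hunk records why that is safe. Because this is an authorization check, the trust assumption belongs in a comment, e.g. `// Read-only packages are not re-verified here: <reason to be filled in by the author>`; the rationale is not visible in this diff. Separately, `manifest` from `context_->manifest_data.get()` is dereferenced in the loop without a null check. If no earlier step guarantees it is set, an explicit guard that fails closed, such as `if (!manifest) return Status::SIGNATURE_ERROR;`, would avoid a crash path in the middle of signature validation.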
@@ -139,6 +158,10 @@ Step::Status StepCheckSignature::process() {
   if (status != Status::OK)
     return status;
 
+  status = CheckMetadataPrivilege(level);
+  if (status != Status::OK)
+    return status;
+
   LOG(INFO) << "Signature done";
   return Status::OK;
 }
index 7d5ef52..a9f51be 100644 (file)
@@ -50,6 +50,7 @@ class StepCheckSignature : public Step {
  private:
   Status CheckSignatures(bool check_reference, PrivilegeLevel* level);
   Status CheckSignatureMismatch();
+  Status CheckMetadataPrivilege(PrivilegeLevel level);
 
   STEP_NAME(Signature)
 };