int installationType);
int labelPaths(const pkg_paths &paths,
- const std::string &pkgName,
- app_install_type installationType,
- const uid_t &uid);
+ const std::string &pkgName,
+ app_install_type installationType,
+ const uid_t &uid,
+ bool isSharedRO);
void getPkgLabels(const std::string &pkgName, SmackRules::Labels &pkgsLabels);
bool containSubDir(const std::string &parent, const pkg_paths &paths);
int getLegalPkgBaseDirs(const uid_t &uid,
- const std::string &pkgName,
- app_install_type installType,
- std::vector<std::string> &legalPkgBaseDirs);
+ const std::string &pkgName,
+ app_install_type installType,
+ std::vector<std::string> &legalPkgBaseDirs,
+ bool isSharedRO);
bool pathsCheck(const pkg_paths &requestedPaths,
const std::vector<std::string> &allowedDirs);
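Review bot: The new `isSharedRO` parameter on `labelPaths` (L9) and `getLegalPkgBaseDirs` (L19) is undocumented, so a caller of the header has to read the .cpp to learn that it widens the set of legal base directories with a `.shared/<pkgName>` entry. Suggest a short comment on each declaration, e.g. `// isSharedRO: also admit the package's .shared/<pkgName> base directory (skel and per-user) as a legal install path`. What labelPaths itself does with the flag beyond forwarding it to getLegalPkgBaseDirs is outside the hunks shown, so the labelPaths comment should stay at that level of detail.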
int ServiceImpl::labelPaths(const pkg_paths &paths,
const std::string &pkgName,
app_install_type installationType,
- const uid_t &uid)
+ const uid_t &uid,
+ bool isSharedRO)
{
try {
if (!m_privilegeDb.PkgNameExists(pkgName)) {
m_privilegeDb.GetPkgAuthorId(pkgName, authorId);
std::vector<std::string> pkgLegalBaseDirs;
- int ret = getLegalPkgBaseDirs(uid, pkgName, installationType, pkgLegalBaseDirs);
+ int ret = getLegalPkgBaseDirs(uid, pkgName, installationType, pkgLegalBaseDirs, isSharedRO);
if (ret != SECURITY_MANAGER_SUCCESS) {
LogError("Failed to generate legal directories for application");
return ret;
}
// [db] update shared ro
- if (isSharedRO(req.pkgPaths))
+ bool isAppSharedRO = isSharedRO(req.pkgPaths);
+ if (isAppSharedRO)
m_privilegeDb.SetSharedROPackage(req.pkgName);
// [db] commit
ret = labelPaths(req.pkgPaths,
req.pkgName,
static_cast<app_install_type>(req.installationType),
- req.uid);
+ req.uid,
+ isAppSharedRO);
if (ret != SECURITY_MANAGER_SUCCESS)
return ret;
}
// [db] update shared ro
- if (isSharedRO(req.pkgPaths))
+ bool isAppSharedRO = isSharedRO(req.pkgPaths);
+ if (isAppSharedRO)
m_privilegeDb.SetSharedROPackage(req.pkgName);
// [db] commit
ret = labelPaths(req.pkgPaths,
req.pkgName,
static_cast<app_install_type>(req.installationType),
- req.uid);
+ req.uid,
+ isAppSharedRO);
if (ret != SECURITY_MANAGER_SUCCESS)
return ret;
return SECURITY_MANAGER_ERROR_MEMORY;
}
+ bool isRequestSharedRO = isSharedRO(req.pkgPaths);
try {
- if (isSharedRO(req.pkgPaths)) {
+ if (isRequestSharedRO) {
ScopedTransaction trans(m_privilegeDb);
if (!m_privilegeDb.IsPackageSharedRO(req.pkgName))
return labelPaths(req.pkgPaths,
req.pkgName,
static_cast<app_install_type>(req.installationType),
- req.uid);
+ req.uid,
+ isRequestSharedRO);
}
int ServiceImpl::labelForProcess(const std::string &appName, std::string &label)
const char *str1 = parent.c_str();
const char *str2 = subdir.c_str();
- while (*str1 && *str2)
+ while (*str1 && *str2) {
+ if (*str1 == '/') {
+ str1 = str1 + 1;
+ continue;
+ }
+ if (*str2 == '/') {
+ str2 = str2 + 1;
+ continue;
+ }
if (*str1++ != *str2++)
return false;
+ }
return (*str2 == '/' || *str1 == *str2);
}
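Review bot: The slash-skipping added at L88–L95 advances either string on its own whenever that side is at a '/', so separators no longer have to line up and component boundaries are lost: with the new loop `isSubDir("/a/b", "/ab/c")` matches 'a','b' of the parent against 'a','b' of the subdir and returns true at L99, and `isSubDir("/a/b", "/ab")` returns true too, whereas the original byte-wise compare rejected both. Because pathsCheck relies on this function to decide whether a requested install path lies inside an allowed base directory, this widens the set of accepted paths beyond the intended prefix. Collapsing a run of '/' only when both sides are at a separator keeps the tolerance for doubled and trailing slashes without merging components; the return condition is rewritten to the equivalent explicit form. The start of isSubDir is outside the hunk.
```cpp
const char *str1 = parent.c_str();
const char *str2 = subdir.c_str();
while (*str1 && *str2) {
    if (*str1 == '/' && *str2 == '/') {
        // a run of separators on both sides counts as a single separator
        while (*str1 == '/') ++str1;
        while (*str2 == '/') ++str2;
        continue;
    }
    if (*str1++ != *str2++)
        return false;
}
// trailing separators on the parent are irrelevant; the subdir must then be
// exhausted or continue with a new component
while (*str1 == '/') ++str1;
return *str1 == '\0' && (*str2 == '\0' || *str2 == '/');
```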
int getLegalPkgBaseDirs(const uid_t &uid,
const std::string &pkgName,
app_install_type installType,
- std::vector<std::string> &legalPkgDirs)
+ std::vector<std::string> &legalPkgDirs,
+ bool isSharedRO)
{
TizenPlatformConfig tpc(uid);
if (!getSkelPkgDir(pkgName, skelPkgBasePath))
return SECURITY_MANAGER_ERROR_UNKNOWN;
legalPkgDirs.push_back(std::move(skelPkgBasePath));
+ if (isSharedRO) {
+ std::string skelSharedROPath;
+ if (!getSkelPkgDir(".shared/" + pkgName, skelSharedROPath)) {
+ LogError("Couldn't generate skel shared RO path");
+ return SECURITY_MANAGER_ERROR_UNKNOWN;
+ }
+ legalPkgDirs.push_back(std::move(skelSharedROPath));
+ }
}
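Review bot: `".shared/" + pkgName` at L114 and `"/.shared/" + pkgName` at L124 (next hunk) splice the request's package name straight into the paths that become the allowed-directory set pathsCheck later enforces, so that boundary is only as strict as pkgName itself; unless pkgName is already restricted to a single path component elsewhere (not visible here), a name containing '/' or '..' would enlarge legalPkgDirs. Since `getSkelPkgDir(pkgName, ...)` at L109 has the same shape, one guard at the top of getLegalPkgBaseDirs covers all three: `if (pkgName.empty() || pkgName == "." || pkgName == ".." || pkgName.find('/') != std::string::npos) return SECURITY_MANAGER_ERROR_UNKNOWN;`. As a smaller point, the failure at L110 returns silently while the new failure at L115 logs; the two would read better with matching LogError calls. The body between L108 and L109 is not shown, so which branch the new skel block sits in is inferred.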
+
+ if (isSharedRO) {
+ std::string sharedROPath;
+ if (!getPath(tpc, baseId, "/.shared/" + pkgName, sharedROPath)) {
+ LogError("Couldn't generate sharedRO base path");
+ return SECURITY_MANAGER_ERROR_UNKNOWN;
+ }
+ legalPkgDirs.push_back(std::move(sharedROPath));
+ }
+
return SECURITY_MANAGER_SUCCESS;
}
LogDebug("- " << dir);
for (const auto &path : requestedPaths) {
- LogDebug("Requested path is '" << path.first.c_str() << "'");
+ std::string rPath = realPath(path.first);
+ LogDebug("Requested path is '" << path.first.c_str()
+ << ", real path is '" << rPath << "'");
bool allowed = std::any_of(allowedDirs.begin(), allowedDirs.end(),
- std::bind(isSubDir, std::placeholders::_1, realPath(path.first)));
+ std::bind(isSubDir, std::placeholders::_1, rPath));
if (!allowed) {
LogWarning("Installation path " << path.first << " is outside allowed directories");
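Review bot: The log line added at L137–L138 never closes the quote around the requested path; it prints `Requested path is '<path>, real path is '<rPath>'`. Change L138 to `<< "', real path is '" << rPath << "'");`. Hoisting `realPath(path.first)` into `rPath` is fine, but what isSubDir receives when realPath cannot resolve the path depends on realPath's failure value, which is not visible here; if it is an empty string, isSubDir returns false for every non-empty allowed dir and the path is rejected at L142, which is worth a one-line comment on the `rPath` line so the fail-closed behaviour is not accidental.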