const std::string &label,
bool global,
uid_t uid,
- const std::vector<std::string> &privileges)
+ const std::vector<std::string> &privileges,
+ const std::vector<std::pair<std::string, int>> &oldAppDefinedPrivileges,
+ const std::vector<std::pair<std::string, int>> &newAppDefinedPrivileges,
+ bool policyRemove)
{
+ std::vector<CynaraAdminPolicy> oldPolicies;
std::vector<CynaraAdminPolicy> policies;
- std::string cynaraUser;
- if (global)
+ // 1st, performing operation on MANIFESTS_GLOBAL/MANIFESTS_LOCAL bucket
+ std::string cynaraUser, bucket;
+ if (global) {
cynaraUser = CYNARA_ADMIN_WILDCARD;
- else
+ bucket = Buckets.at(Bucket::MANIFESTS_GLOBAL);
+ } else {
cynaraUser = std::to_string(static_cast<unsigned int>(uid));
+ bucket = Buckets.at(Bucket::MANIFESTS_LOCAL);
+
+ // when app is installed locally add/remove redirection from MANIFESTS_GLOBAL to MANIFESTS_LOCAL
+ if (policyRemove) {
+ policies.push_back(CynaraAdminPolicy(
+ label,
+ cynaraUser,
+ "*",
+ static_cast<int>(CynaraAdminPolicy::Operation::Delete),
+ Buckets.at(Bucket::MANIFESTS_GLOBAL)));
+ } else {
+ policies.push_back(CynaraAdminPolicy(
+ label,
+ cynaraUser,
+ "*",
+ bucket,
+ Buckets.at(Bucket::MANIFESTS_GLOBAL)));
+ }
+ }
- ListPolicies(bucket, label, cynaraUser, CYNARA_ADMIN_ANY, oldPolicies);
- CalculatePolicies(label, cynaraUser, privileges, bucket,
- // 1st, performing operation on MANIFESTS bucket
- calculatePolicies(label, cynaraUser, privileges, Buckets.at(Bucket::MANIFESTS),
- static_cast<int>(CynaraAdminPolicy::Operation::Allow),
- policies);
++ listPolicies(bucket, label, cynaraUser, CYNARA_ADMIN_ANY, oldPolicies);
++ calculatePolicies(label, cynaraUser, privileges, bucket,
+ static_cast<int>(CynaraAdminPolicy::Operation::Allow), oldPolicies, policies);
+ oldPolicies.clear();
bool askUserEnabled = false;
int askUserPolicy = static_cast<int>(CynaraAdminPolicy::Operation::Allow);
if (priv.hasAttribute(PrivilegeInfo::PrivilegeAttr::BLACKLIST))
blacklistPrivileges.push_back(p);
}
- ListPolicies(Buckets.at(Bucket::PRIVACY_MANAGER), label, std::to_string(id), CYNARA_ADMIN_ANY, oldPolicies);
- CalculatePolicies(label, std::to_string(id), privacyPrivileges,
++ listPolicies(Buckets.at(Bucket::PRIVACY_MANAGER), label, std::to_string(id), CYNARA_ADMIN_ANY, oldPolicies);
+ calculatePolicies(label, std::to_string(id), privacyPrivileges,
Buckets.at(Bucket::PRIVACY_MANAGER),
- askUserPolicy, policies);
+ askUserPolicy, oldPolicies, policies);
+ oldPolicies.clear();
+
- ListPolicies(Buckets.at(Bucket::ADMIN), label, std::to_string(id), CYNARA_ADMIN_ANY, oldPolicies);
- CalculatePolicies(label, std::to_string(id), blacklistPrivileges,
++ listPolicies(Buckets.at(Bucket::ADMIN), label, std::to_string(id), CYNARA_ADMIN_ANY, oldPolicies);
+ calculatePolicies(label, std::to_string(id), blacklistPrivileges,
Buckets.at(Bucket::ADMIN),
- static_cast<int>(CynaraAdminPolicy::Operation::Deny), policies);
+ static_cast<int>(CynaraAdminPolicy::Operation::Deny), oldPolicies, policies);
+ oldPolicies.clear();
}
- ListPolicies(Buckets.at(Bucket::APPDEFINED), CYNARA_ADMIN_WILDCARD, cynaraUser,
+ // 3rd, performing operation on APPDEFINED bucket
+ std::vector<std::string> untrustedPrivileges;
+ std::vector<std::string> licensedPrivileges;
+ std::vector<CynaraAdminPolicy> oldUntrustedPolicies;
+ std::vector<CynaraAdminPolicy> oldLicensedPolicies;
+
+ for (const std::pair<std::string, int> &p : oldAppDefinedPrivileges) {
+ switch (p.second) {
+ case SM_APP_DEFINED_PRIVILEGE_TYPE_UNTRUSTED:
- ListPolicies(Buckets.at(Bucket::APPDEFINED), CYNARA_ADMIN_WILDCARD, cynaraUser,
++ listPolicies(Buckets.at(Bucket::APPDEFINED), CYNARA_ADMIN_WILDCARD, cynaraUser,
+ p.first, oldUntrustedPolicies);
+ break;
+ case SM_APP_DEFINED_PRIVILEGE_TYPE_LICENSED:
- CalculatePolicies(CYNARA_ADMIN_WILDCARD, cynaraUser, untrustedPrivileges,
++ listPolicies(Buckets.at(Bucket::APPDEFINED), CYNARA_ADMIN_WILDCARD, cynaraUser,
+ p.first, oldLicensedPolicies);
+ break;
+ }
+ }
+
+ for (const std::pair<std::string, int> &p : newAppDefinedPrivileges) {
+ switch (p.second) {
+ case SM_APP_DEFINED_PRIVILEGE_TYPE_UNTRUSTED:
+ untrustedPrivileges.push_back(p.first);
+ break;
+ case SM_APP_DEFINED_PRIVILEGE_TYPE_LICENSED:
+ licensedPrivileges.push_back(p.first);
+ break;
+ }
+ }
+
- CalculatePolicies(CYNARA_ADMIN_WILDCARD, cynaraUser, licensedPrivileges,
++ calculatePolicies(CYNARA_ADMIN_WILDCARD, cynaraUser, untrustedPrivileges,
+ Buckets.at(Bucket::APPDEFINED), static_cast<int>(CynaraAdminPolicy::Operation::Allow),
+ oldUntrustedPolicies, policies);
+
- SetPolicies(policies);
++ calculatePolicies(CYNARA_ADMIN_WILDCARD, cynaraUser, licensedPrivileges,
+ Buckets.at(Bucket::APPDEFINED), static_cast<int>(LicenseManager::Config::LM_ASK),
+ oldLicensedPolicies, policies);
+
+ setPolicies(policies);
}
- void CynaraAdmin::GetAppPolicy(const std::string &label, const std::string &user,
+ void CynaraAdmin::getAppPolicy(const std::string &label, const std::string &user,
std::vector<std::string> &privileges)
{
std::vector<CynaraAdminPolicy> policies;
- listPolicies(
- CynaraAdmin::Buckets.at(Bucket::MANIFESTS),
- label, user, CYNARA_ADMIN_ANY, policies);
++
+ std::string bucket = (user == CYNARA_ADMIN_WILDCARD) ?
+ CynaraAdmin::Buckets.at(Bucket::MANIFESTS_GLOBAL) :
+ CynaraAdmin::Buckets.at(Bucket::MANIFESTS_LOCAL);
+
- ListPolicies(bucket, label, user, CYNARA_ADMIN_ANY, policies);
++ listPolicies(bucket, label, user, CYNARA_ADMIN_ANY, policies);
for (auto &policy : policies) {
std::string privilege = policy.privilege;
Buckets.at(Bucket::MAIN)));
std::vector<CynaraAdminPolicy> appPolicies;
- ListPolicies(CynaraAdmin::Buckets.at(Bucket::MANIFESTS_GLOBAL),
- listPolicies(CynaraAdmin::Buckets.at(Bucket::MANIFESTS),
++ listPolicies(CynaraAdmin::Buckets.at(Bucket::MANIFESTS_GLOBAL),
CYNARA_ADMIN_ANY, CYNARA_ADMIN_WILDCARD,
CYNARA_ADMIN_ANY, appPolicies);
}
- void CynaraAdmin::CalculatePolicies(const std::string &label, const std::string &user,
+ void CynaraAdmin::calculatePolicies(const std::string &label, const std::string &user,
const std::vector<std::string> &privileges,
const std::string &bucket, int policyToSet,
+ std::vector<CynaraAdminPolicy> &oldPolicies,
std::vector<CynaraAdminPolicy> &policies)
{
- std::vector<CynaraAdminPolicy> oldPolicies;
std::unordered_set<std::string> privilegesSet(privileges.begin(),
privileges.end());
-
- listPolicies(bucket, label, user, CYNARA_ADMIN_ANY, oldPolicies);
// Compare previous policies with set of new requested privileges
for (auto &policy : oldPolicies) {
if (privilegesSet.erase(policy.privilege)) {
* @param global true if it's a global or preloaded installation
* @param uid user identifier
* @param privileges currently enabled privileges
+ * @param oldAppDefinedPrivileges old privileges defined by application
+ * @param newAppDefinedPrivileges new privileges defined by application
+ * @param policyRemove true while application deinstallation
*/
- void UpdateAppPolicy(const std::string &label, bool global, uid_t uid,
+ void updateAppPolicy(const std::string &label, bool global, uid_t uid,
- const std::vector<std::string> &privileges);
+ const std::vector<std::string> &privileges,
+ const std::vector<std::pair<std::string, int>> &oldAppDefinedPrivileges,
+ const std::vector<std::pair<std::string, int>> &newAppDefinedPrivileges,
+ bool policyRemove = false);
/**
* Fetch Cynara policies for the application and the user.
*
* @param forceRefresh true if you want to reinitialize mappings
*/
- void FetchCynaraPolicyDescriptions(bool forceRefresh = false);
+ void fetchCynaraPolicyDescriptions(bool forceRefresh = false);
/**
- * Calculate actual Cynara policy based on appilcation data & previous policy
+ * Calculate actual Cynara policy based on application data & previous policy
*
* @param label application identifier
* @param user user for which we are calculating the policy
- * @param privileges new privielges for which policy is being calulated
+ * @param privileges new privileges for which policy is being calculated
* @param bucket bucket to which the policy will be set
* @param policyToSet policy effect to be set
+ * @param oldPolicies old policy (input/output parameter)
* @param policies current policy (input/output parameter)
*/
- void CalculatePolicies(const std::string &label, const std::string &user,
+ void calculatePolicies(const std::string &label, const std::string &user,
const std::vector<std::string> &privileges,
const std::string &bucket, int policyToSet,
+ std::vector<CynaraAdminPolicy> &oldPolicies,
std::vector<CynaraAdminPolicy> &policies);
- struct cynara_admin *m_CynaraAdmin;
+ static TypeToDescriptionMap s_typeToDescription;
+ static DescriptionToTypeMap s_descriptionToType;
- static TypeToDescriptionMap TypeToDescription;
- static DescriptionToTypeMap DescriptionToType;
+ struct cynara_admin *m_cynaraAdmin;
bool m_policyDescriptionsInitialized;
};
bool global = req.installationType == SM_APP_INSTALL_GLOBAL ||
req.installationType == SM_APP_INSTALL_PRELOADED;
- m_cynaraAdmin.UpdateAppPolicy(appLabel, global, req.uid, req.privileges,
- m_cynaraAdmin.updateAppPolicy(appLabel, global, req.uid, req.privileges);
++ m_cynaraAdmin.updateAppPolicy(appLabel, global, req.uid, req.privileges,
+ oldAppDefinedPrivileges, req.appDefinedPrivileges);
+
+ m_privilegeDb.RemoveAppDefinedPrivileges(req.appName, req.uid);
+ m_privilegeDb.AddAppDefinedPrivileges(req.appName, req.uid, req.appDefinedPrivileges);
if (hasSharedRO)
- m_priviligeDb.SetSharedROPackage(req.pkgName);
+ m_privilegeDb.SetSharedROPackage(req.pkgName);
- m_priviligeDb.GetPackagesInfo(pkgsInfo);
+ m_privilegeDb.GetPackagesInfo(pkgsInfo);
getPkgsProcessLabels(pkgsInfo, pkgsProcessLabels);
// WTF? Why this commit is here? Shouldn't it be at the end of this function?
bool global = req.installationType == SM_APP_INSTALL_GLOBAL ||
req.installationType == SM_APP_INSTALL_PRELOADED;
- m_cynaraAdmin.UpdateAppPolicy(processLabel, global, req.uid, std::vector<std::string>(),
- m_cynaraAdmin.updateAppPolicy(processLabel, global, req.uid, std::vector<std::string>());
++ m_cynaraAdmin.updateAppPolicy(processLabel, global, req.uid, std::vector<std::string>(),
+ oldAppDefinedPrivileges, std::vector<std::pair<std::string, int>>(), true);
trans.commit();
LogDebug("Application uninstallation commited to database");
}
std::vector<std::pair<std::string, std::string>> group2privVector;
- m_priviligeDb.GetGroupsRelatedPrivileges(group2privVector);
+ m_privilegeDb.GetGroupsRelatedPrivileges(group2privVector);
for (const auto &g2p : group2privVector) {
- m_cynaraAdmin.Check(CYNARA_ADMIN_ANY, uidStr, g2p.second,
+ m_cynaraAdmin.check(CYNARA_ADMIN_ANY, uidStr, g2p.second,
bucket, result, resultExtra, true);
if (result == CYNARA_ADMIN_ALLOW)
groups.push_back(g2p.first);
projects / platform / core / security / security-manager.git / commitdiff