Check privilege when invoking http_transaction_submit()

Change-Id: I022e3488818f189207cb30e57b32cf2d6ae3d9b5
Signed-off-by: Seonah Moon <seonah1.moon@samsung.com>

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 145d8c0..a97e070 100644 (file)
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -9,7 +9,7 @@ SET(PREFIX ${CMAKE_INSTALL_PREFIX})
 SET(INC_DIR include)
 INCLUDE_DIRECTORIES(${INC_DIR})
 
-SET(dependents "dlog gio-2.0 gio-unix-2.0 glib-2.0 capi-base-common capi-network-connection libcurl libssl")
+SET(dependents "dlog gio-2.0 gio-unix-2.0 glib-2.0 capi-base-common capi-network-connection libcurl libssl cynara-client")
 
 IF("${CMAKE_BUILD_TYPE}" STREQUAL "")
        SET(CMAKE_BUILD_TYPE "Release")

diff --git a/include/http_private.h b/include/http_private.h
index 7b8b43b..eb62ea9 100644 (file)
--- a/include/http_private.h
+++ b/include/http_private.h
@@ -102,6 +102,11 @@ typedef enum {
        _CURL_HTTP_AUTH_NTLM = 8                        // The constant for ntlm authentication
 } curl_http_auth_scheme_e;
 
+typedef enum {
+       HTTP_PRIVILEGE_INTERNET = 0,
+       HTTP_PRIVILEGE_NETWORK_GET
+} http_privilege_e;
+
 typedef struct {
        struct curl_slist *header_list;
        GHashTable *hash_table;
@@ -193,6 +198,7 @@ typedef struct {
 
 void print_curl_multi_errorCode(CURLMcode code);
 bool _http_is_init(void);
+bool _http_check_permission(http_privilege_e);
 gchar* _get_http_method(http_method_e method);
 http_method_e _get_method(gchar* method);
 gchar* _get_proxy();

diff --git a/packaging/capi-network-http.spec b/packaging/capi-network-http.spec
index 2db5826..8f50ba0 100644 (file)
--- a/packaging/capi-network-http.spec
+++ b/packaging/capi-network-http.spec
@@ -1,6 +1,6 @@
 Name:          capi-network-http
 Summary:       Http Framework
-Version:       0.0.9
+Version:       0.0.10
 Release:       0
 Group:         System/Network
 License:       Apache-2.0
@@ -12,6 +12,7 @@ BuildRequires:        pkgconfig(gio-2.0)
 BuildRequires: pkgconfig(capi-network-connection)
 BuildRequires: pkgconfig(libcurl)
 BuildRequires: pkgconfig(openssl)
+BuildRequires: pkgconfig(cynara-client)
 BuildRequires: cmake
 Requires(post):                /sbin/ldconfig
 Requires(postun):      /sbin/ldconfig

diff --git a/src/http_common.c b/src/http_common.c
index 843ef29..b4c80d6 100644 (file)
--- a/src/http_common.c
+++ b/src/http_common.c
@@ -19,8 +19,13 @@
 
 #include "net_connection.h"
 
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <unistd.h>
 #include <pthread.h>
 #include <openssl/err.h>
+#include <cynara-client.h>
 
 #define MUTEX_TYPE       pthread_mutex_t
 #define MUTEX_SETUP(x)   pthread_mutex_init(&(x), NULL)
@@ -29,6 +34,8 @@
 #define MUTEX_UNLOCK(x)  pthread_mutex_unlock(&(x))
 #define THREAD_ID        pthread_self()
 
+#define SMACK_LABEL_LEN 255
+
 /* This array will store all of the mutexes available to OpenSSL. */
 static MUTEX_TYPE *mutex_buf = NULL;
 static bool is_init = false;
@@ -38,6 +45,61 @@ bool _http_is_init(void)
        return is_init;
 }
 
+bool _http_check_permission(http_privilege_e _privilege)
+{
+       FILE *fd;
+
+       int ret;
+       char smack_label[SMACK_LABEL_LEN + 1];
+       char uid[10];
+       char *client_session = "";
+       char *privilege = NULL;
+
+       cynara *p_cynara;
+
+       if (CYNARA_API_SUCCESS != cynara_initialize(&p_cynara, NULL)) {
+               ERR("Failed to initialize cynara structure\n");
+               return false;
+       }
+
+       bzero(smack_label, SMACK_LABEL_LEN + 1);
+
+       /* get smack label */
+       fd = fopen("/proc/self/attr/current", "r");
+       if (fd == NULL) {
+               ERR("Failed to open /proc/self/attr/current\n");
+               return false;
+       }
+       ret = fread(smack_label, sizeof(smack_label), 1, fd);
+       fclose(fd);
+       if (ret < 0) {
+               ERR("Failed to read /proc/self/attr/current\n");
+               return false;
+       }
+
+       /* get uid */
+       snprintf(uid, sizeof(uid), "%d", getuid());
+
+       switch (_privilege) {
+               case HTTP_PRIVILEGE_INTERNET:
+                       privilege = "http://tizen.org/privilege/internet";
+                       break;
+               case HTTP_PRIVILEGE_NETWORK_GET:
+                       privilege = "http://tizen.org/privilege/network.get";
+                       break;
+               default:
+                       break;
+       }
+
+       DBG("%s %s %s\n", smack_label, uid, privilege);
+
+       /* cynara check */
+       ret = cynara_check(p_cynara, smack_label, client_session, uid, privilege);
+       cynara_finish(p_cynara);
+
+       return (ret == CYNARA_API_ACCESS_ALLOWED) ? true : false;
+}
+
 static void __http_set_init(bool init)
 {
        is_init = init;

diff --git a/src/http_transaction.c b/src/http_transaction.c
index 9473985..495aa0b 100644 (file)
--- a/src/http_transaction.c
+++ b/src/http_transaction.c
@@ -486,6 +486,10 @@ API int http_session_open_transaction(http_session_h http_session, http_method_e
 
 API int http_transaction_submit(http_transaction_h http_transaction)
 {
+       _retvm_if(_http_check_permission(HTTP_PRIVILEGE_INTERNET) == false,
+                       HTTP_ERROR_PERMISSION_DENIED, "Permission denied");
+       _retvm_if(_http_check_permission(HTTP_PRIVILEGE_NETWORK_GET) == false,
+                       HTTP_ERROR_PERMISSION_DENIED, "Permission denied");
        _retvm_if(_http_is_init() == false, HTTP_ERROR_INVALID_OPERATION,
                        "http isn't initialized");
        _retvm_if(http_transaction == NULL, HTTP_ERROR_INVALID_PARAMETER,