[Service] Provide smack control

This provides smack control for accessing to file system
using smack rules defined in /sys/fs/smackfs/load2 for each app.

Together with:
https://review.tizen.org/gerrit/248692

Change-Id: I279cac4702c02f3a38bba5dc204cb1e41e23a79c
Signed-off-by: Youngsoo Choi <kenshin.choi@samsung.com>

diff --git a/wrt_app/service/access_control_manager.ts b/wrt_app/service/access_control_manager.ts
index 77d889bfdfbb544362b6f33c864c6230072288e0..a8c2b23e87feff9c27ad79cf0fe4729d9691ea5a 100644 (file)
--- a/wrt_app/service/access_control_manager.ts
+++ b/wrt_app/service/access_control_manager.ts
@@ -148,7 +148,9 @@ export function refineResolveFilename(permissions: string[]) {
     } else {
       path = originalResolveFilename(...args);
     }
-    if (path.startsWith('/') && !global.webapis.isValidPath(path))
+    const webapis = global.webapis;
+    if (path.startsWith('/') &&
+        !webapis.security.checkSmack(webapis.getPackageId(), path, 'r'))
       throw new Error(`Invalid access to ${path}`);
     return path;
   }

diff --git a/wrt_app/service/device_api_router.ts b/wrt_app/service/device_api_router.ts
index 7b7b52d7c9e5a2fce52e0c8d6561671fa9dfcc5f..99d86edddab27963b1b81490b3aad6e60a71cfab 100644 (file)
--- a/wrt_app/service/device_api_router.ts
+++ b/wrt_app/service/device_api_router.ts
@@ -16,8 +16,7 @@ export class DeviceAPIRouter {
   packageId: string;
   callerAppId: string;
   permissions: string[];
-  sharedPaths: string[];
-  validPaths: string[];
+  smackMap: any;
 
   constructor(id: string, isGlobal: boolean) {
     this.id = id;
@@ -26,28 +25,7 @@ export class DeviceAPIRouter {
     this.callerAppId = ids[1] ?? '';
     this.packageId = this.serviceId.split('.')[0];
     this.permissions = [];
-    this.sharedPaths = [
-      '/opt/usr/apps/shared/res/',
-      '/opt/usr/globalapps/shared/res/'
-    ];
-    this.validPaths = [
-      '/bin/emps/empPepperPlugins/',
-      `/home/owner/apps_rw/${this.packageId}/`,
-      '/home/owner/content/',
-      '/home/owner/share/',
-      '/media/',
-      '/opt/media/',
-      '/opt/share/',
-      `/opt/usr/apps/${this.packageId}/`,
-      '/opt/usr/apps/pepper/',
-      `/opt/usr/globalapps/${this.packageId}/`,
-      `/opt/usr/home/owner/apps_rw/${this.packageId}/`,
-      '/opt/usr/home/owner/content/',
-      '/opt/usr/home/owner/share/',
-      '/tmp/',
-      '/usr/bin/emps/empPepperPlugins/',
-      '/usr/share/wrt/'
-    ];
+    this.smackMap = {};
 
     this.initWebapis();
     this.permissions = wrt.getPrivileges(this.id);
@@ -79,28 +57,16 @@ export class DeviceAPIRouter {
     global.webapis.getServiceId = () => {
       return this.serviceId;
     }
-    global.webapis.isValidPath = (path: string) => {
-      let ret = false;
-      for (const validPath of this.validPaths) {
-        if (path.startsWith(validPath))
-          return true;
-      }
-      for (const sharedPath of this.sharedPaths) {
-        if (path.replace(`${path.split('/')[4]}/`, '').includes(sharedPath))
-          return true;
-      }
-      return false;
-    }
     Object.defineProperties(global.webapis, {
       getCallerAppId: { writable: false, enumerable: true },
       getPackageId: { writable: false, enumerable: true },
       getPermissions: { writable: false, enumerable: true },
       getServiceId: { writable: false, enumerable: true },
-      isValidPath: { writable: false, enumerable: true },
     });
     this.initEdgeWebapis();
     this.initMDEWebapis();
     this.initProductWebapis();
+    this.initSecurityWebapis();
   }
 
   initEdgeWebapis() {
@@ -211,6 +177,23 @@ export class DeviceAPIRouter {
     }
   }
 
+  initSecurityWebapis() {
+    if (wrt['security'] && !global.webapis.security) {
+      let security = wrt.security as NativeWRTjs.SecurityExtension;
+      global.webapis.security = {
+        checkSmack: (packageId: string, path: string, type: string) => {
+          let smackMap = this.smackMap;
+          if (smackMap[path] !== undefined && smackMap[path][type] !== undefined)
+            return smackMap[path][type];
+          if (smackMap[path] === undefined)
+            smackMap[path] = {};
+          return smackMap[path][type] = security.checkSmack(packageId, path, type);
+        }
+      }
+      Object.defineProperty(global.webapis, 'security', { writable: false, enumerable: true });
+    }
+  }
+
   initAccessControlManager() {
     console.log(`permissions : ${this.permissions}`);
     const AccessControlManager = require('./access_control_manager');