INSERT OR IGNORE INTO permission_type(type_name) VALUES("OSP");
INSERT OR IGNORE INTO permission_type(type_name) VALUES("EFL");
--- APP PATH TYPES ----------------------------------------------------------------------------------
-INSERT OR IGNORE INTO app_path_type(name) VALUES("GROUP_PATH");
-INSERT OR IGNORE INTO app_path_type(name) VALUES("PUBLIC_PATH");
-INSERT OR IGNORE INTO app_path_type(name) VALUES("SETTINGS_PATH");
-INSERT OR IGNORE INTO app_path_type(name) VALUES("NPRUNTIME_PATH");
-
INSERT OR IGNORE INTO permission_view(name, type_name) VALUES
("ALL_APPS", "ALL_APPS"),
("WRT", "WRT"),
("OSP", "OSP"),
("EFL", "EFL");
--- PUBLIC FOLDERS ----------------------------------------------------------------------------------
--- PUBLIC_PATH
-INSERT OR IGNORE INTO permission_app_path_type_rule_view(permission_name,
- permission_type_name,
- app_path_type_name,
- access,
- is_reverse) VALUES
- ("ALL_APPS", "ALL_APPS", "PUBLIC_PATH", "rx", 0);
-
COMMIT TRANSACTION;
VACUUM;
BEGIN EXCLUSIVE TRANSACTION;
-- Update here on every schema change! Integer value.
-PRAGMA user_version = 3;
+PRAGMA user_version = 4;
CREATE TABLE IF NOT EXISTS app (
app_id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-- Used by ltl_ view
CREATE INDEX IF NOT EXISTS app_permission_permission_id_index ON app_permission(permission_id);
-CREATE TABLE IF NOT EXISTS app_path (
- app_id INTEGER NOT NULL,
- path TEXT NOT NULL,
- label_id INTEGER NOT NULL,
- access INTEGER NOT NULL,
- access_reverse INTEGER NOT NULL,
- app_path_type_id INTEGER NOT NULL ,
-
- -- TODO:
- -- Desired behavior should be:
- -- allow one app to register a path only once (already implemented by the primary key)
- -- prohibit two apps registering the same path with different labels (probably cannot be done by SQL constraints)
- -- allow two apps to register the same path if label is also same
-
- PRIMARY KEY (app_id, path),
-
- FOREIGN KEY(app_id) REFERENCES app(app_id),
- FOREIGN KEY(label_id) REFERENCES label(label_id),
- FOREIGN KEY(app_path_type_id) REFERENCES app_path_type(app_path_type_id)
-);
-
--- Used by ltl_ view
-CREATE INDEX IF NOT EXISTS app_path_app_path_type_id_index ON app_path(app_path_type_id);
-
-CREATE TABLE IF NOT EXISTS app_path_type (
- app_path_type_id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- name TEXT NOT NULL ,
-
- UNIQUE (name)
-);
-
CREATE TABLE IF NOT EXISTS permission_permission_rule (
permission_id INTEGER NOT NULL,
-- Used by ltl_ view
CREATE INDEX IF NOT EXISTS permission_label_rule_label_id_index ON permission_label_rule(label_id);
-CREATE TABLE IF NOT EXISTS permission_app_path_type_rule (
- permission_id INTEGER NOT NULL,
- app_path_type_id INTEGER NOT NULL,
- access INTEGER NOT NULL DEFAULT 0,
- is_reverse INTEGER NOT NULL DEFAULT 0,
-
- PRIMARY KEY (permission_id, app_path_type_id, is_reverse),
-
- FOREIGN KEY(permission_id) REFERENCES permission(permission_id),
- FOREIGN KEY(app_path_type_id) REFERENCES app_path_type(app_path_type_id)
-);
-
--- Used by ltl_ view
-CREATE INDEX IF NOT EXISTS permission_app_path_type_rule_app_path_type_id_index
- ON permission_app_path_type_rule(app_path_type_id);
-
-
CREATE TABLE IF NOT EXISTS label (
label_id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
name TEXT NOT NULL,
WHERE permission_name = NEW.name AND
permission_type_name = NEW.type_name;
- DELETE FROM permission_app_path_type_rule_view
- WHERE permission_name = NEW.name AND
- permission_type_name = NEW.type_name;
-
END;
-- PERMISSION TO LABEL RULE VIEW -----------------------------------------------
END;
--- PERMISSION TO APP PATH TYPE RULE VIEW ---------------------------------------
-DROP VIEW IF EXISTS permission_app_path_type_rule_view;
-CREATE VIEW permission_app_path_type_rule_view AS
-SELECT
- permission_view.permission_id AS permission_id,
- permission_view.name AS permission_name,
- permission_view.type_name AS permission_type_name,
- app_path_type.name AS app_path_type_name,
- permission_app_path_type_rule.access AS access,
- permission_app_path_type_rule.is_reverse AS is_reverse
-FROM permission_app_path_type_rule
-LEFT JOIN permission_view USING(permission_id)
-LEFT JOIN app_path_type USING(app_path_type_id);
-
-
-DROP TRIGGER IF EXISTS permission_app_path_type_rule_view_insert_trigger;
-CREATE TRIGGER permission_app_path_type_rule_view_insert_trigger
-INSTEAD OF INSERT
-ON permission_app_path_type_rule_view
-WHEN NEW.permission_id IS NULL
-BEGIN
- INSERT INTO permission_app_path_type_rule(permission_id,
- app_path_type_id,
- access,
- is_reverse)
- SELECT permission_view.permission_id,
- app_path_type.app_path_type_id,
- str_to_access(NEW.access),
- NEW.is_reverse
- FROM permission_view, app_path_type
- WHERE permission_view.name = NEW.permission_name AND
- permission_view.type_name = NEW.permission_type_name AND
- app_path_type.name = NEW.app_path_type_name;
-END;
-
-DROP TRIGGER IF EXISTS permission_app_path_type_rule_view_delete_trigger;
-CREATE TRIGGER permission_app_path_type_rule_view_delete_trigger
-INSTEAD OF DELETE
-ON permission_app_path_type_rule_view
-BEGIN
- -- Delete the rule
- DELETE FROM permission_app_path_type_rule
- WHERE permission_app_path_type_rule.permission_id
- IN (SELECT permission_view.permission_id
- FROM permission_view
- WHERE permission_view.name = OLD.permission_name AND
- permission_view.type_name = OLD.permission_type_name);
-END;
-
-
-CREATE TRIGGER permission_app_path_type_id_rule_view_insert_trigger
-INSTEAD OF INSERT
-ON permission_app_path_type_rule_view
-WHEN NEW.permission_id IS NOT NULL
-BEGIN
- INSERT OR REPLACE INTO permission_app_path_type_rule(permission_id,
- app_path_type_id,
- access,
- is_reverse)
- SELECT NEW.permission_id,
- app_path_type.app_path_type_id,
- str_to_access(NEW.access),
- NEW.is_reverse
- FROM app_path_type
- WHERE app_path_type.name = NEW.app_path_type_name;
-END;
-
-
-- PERMISSION TO PERMISSION RULE VIEW ------------------------------------------
DROP VIEW IF EXISTS permission_permission_rule_view;
CREATE VIEW permission_permission_rule_view AS
WHEN OLD.label_id NOT IN (SELECT app.label_id
FROM app) AND
OLD.label_id NOT IN (SELECT permission_label_rule.label_id
- FROM permission_label_rule) AND
- OLD.label_id NOT IN (SELECT app_path.label_id
- FROM app_path)
+ FROM permission_label_rule)
BEGIN
DELETE FROM label WHERE label.name = OLD.name;
END;
CREATE TRIGGER application_view_delete_trigger
INSTEAD OF DELETE ON application_view
BEGIN
- -- Delete rules that correspond to app's paths:
- DELETE FROM permission_label_rule
- WHERE permission_label_rule.label_id IN
- (SELECT app_path.label_id
- FROM app_path
- INNER JOIN application_view USING(app_id)
- WHERE application_view.name = OLD.name);
-
- -- Delete path
- DELETE FROM path_view
- WHERE path_view.owner_app_label_name=OLD.name;
-
-- Delete apps permissions:
DELETE FROM app_permission
WHERE app_permission.app_id
END;
--- PATH VIEW -------------------------------------------------------------------
-DROP VIEW IF EXISTS path_view;
-CREATE VIEW path_view AS
-SELECT application_view.name AS owner_app_label_name,
- app_path.path AS path,
- label.name AS path_label_name,
- app_path.access AS access,
- app_path.access_reverse AS access_reverse,
- app_path_type.name AS path_type_name
-
-FROM app_path
-LEFT JOIN app_path_type USING (app_path_type_id)
-LEFT JOIN application_view USING (app_id)
-LEFT JOIN label USING (label_id);
-
-
--- For an existing application we add a path.
-DROP TRIGGER IF EXISTS path_view_insert_trigger;
-CREATE TRIGGER path_view_insert_trigger
-INSTEAD OF INSERT ON path_view
-WHEN NEW.owner_app_label_name IN (SELECT application_view.name
- FROM application_view)
-BEGIN
- -- The path's label could have been added by the permission.
- INSERT OR IGNORE INTO label(name) VALUES (NEW.path_label_name);
-
- -- Add the path
- INSERT OR IGNORE INTO app_path(app_id, path, label_id, access, access_reverse, app_path_type_id)
- SELECT application_view.app_id,
- NEW.path,
- label.label_id,
- str_to_access(NEW.access),
- str_to_access(NEW.access_reverse),
- app_path_type.app_path_type_id
- FROM application_view, app_path_type, label
- WHERE application_view.name = NEW.owner_app_label_name AND
- app_path_type.name = NEW.path_type_name AND
- label.name = NEW.path_label_name;
-END;
-
-DROP TRIGGER IF EXISTS path_view_delete_trigger;
-CREATE TRIGGER path_view_delete_trigger
-INSTEAD OF DELETE ON path_view
-BEGIN
- -- Delete the path
- DELETE FROM app_path
- WHERE app_path.app_id IN (SELECT app.app_id
- FROM app, label
- WHERE label.name = OLD.owner_app_label_name AND
- app.label_id = label.label_id);
-
- -- Delete the path's label if it's not used any more
- DELETE FROM label_view WHERE label_view.name = OLD.path_label_name;
-END;
-
-
--- PATH_REMOVAL VIEW -------------------------------------------------------------------
-DROP VIEW IF EXISTS path_removal_view;
-CREATE VIEW path_removal_view AS
-SELECT application_view.app_id AS owner_app_id,
- application_view.name AS owner_app_label_name,
- app_path.path AS path,
- label.label_id AS path_label_id
-FROM app_path
-LEFT JOIN application_view USING (app_id)
-LEFT JOIN label USING (label_id);
-
-DROP TRIGGER IF EXISTS path_removal_delete_trigger;
-CREATE TRIGGER path_removal_delete_trigger
-INSTEAD OF DELETE ON path_removal_view
-BEGIN
- -- Delete the path.
- DELETE FROM app_path
- WHERE app_path.app_id = OLD.owner_app_id AND
- app_path.path = OLD.path;
-
- -- Delete the path's label if it's not used anymore.
- DELETE FROM label_view WHERE label_view.label_id = OLD.path_label_id;
-END;
-
-
-- APP PERMISSION LIST VIEW ----------------------------------------------------
-- Used in check_app_permission_internal to check if permissions are present
-- TODO: Check if SQLite optimizer doesn't change app_permission_view to the same code.
FROM permission_view
WHERE permission_view.name = "ALL_APPS" AND
permission_view.type_name = "ALL_APPS");
- -- Delete paths
- DELETE FROM path_view
- WHERE path_view.owner_app_label_name=OLD.app_name;
END;
WHERE is_reverse = 1 AND app.name != label.name;
-
-
--- PERMISSION TO PATH TYPE RULE VIEW -------------------------------------------
--- ltl = label to label
-DROP VIEW IF EXISTS ltl_permission_app_path_type_rule_view;
-CREATE VIEW ltl_permission_app_path_type_rule_view AS
-SELECT app.name AS subject,
- label.name AS object,
- p.access,
- app.is_volatile
-FROM permission_app_path_type_rule AS p
-INNER JOIN app_label_with_permission_view AS app USING(permission_id)
-INNER JOIN app_path USING(app_path_type_id)
-INNER JOIN label USING(label_id)
-WHERE is_reverse = 0 AND app.name != label.name
-UNION ALL
-SELECT label.name AS subject,
- app.name AS object,
- p.access,
- app.is_volatile
-FROM permission_app_path_type_rule AS p
-INNER JOIN app_label_with_permission_view AS app USING(permission_id)
-INNER JOIN app_path USING(app_path_type_id)
-INNER JOIN label USING(label_id)
-WHERE is_reverse = 1 AND app.name != label.name;
-
-
--- PERMISSION TO APPLICATION'S OWN PATHS ---------------------------------------
--- ltl = label to label
-DROP VIEW IF EXISTS ltl_app_path_view;
-CREATE VIEW ltl_app_path_view AS
-SELECT application_view.name AS subject,
- label.name AS object,
- app_path.access AS access
-FROM app_path
-INNER JOIN application_view USING(app_id)
-INNER JOIN label USING(label_id);
-
-
--- PERMISSION FROM PATHS TO APPLICATIONS ---------------------------------------
--- ltl = label to label
-DROP VIEW IF EXISTS ltl_app_path_reverse_view;
-CREATE VIEW ltl_app_path_reverse_view AS
-SELECT label.name AS subject,
- application_view.name AS object,
- app_path.access_reverse AS access
-FROM app_path
-INNER JOIN application_view USING(app_id)
-INNER JOIN label USING(label_id)
-WHERE app_path.access_reverse != 0 ;
-
-
-- SMACK RULES VIEWS -----------------------------------------------------------
DROP VIEW IF EXISTS all_smack_binary_rules_view;
CREATE VIEW all_smack_binary_rules_view AS
UNION ALL
SELECT subject, object, access, is_volatile
FROM ltl_permission_label_rule_view
- UNION ALL
- SELECT subject, object, access, is_volatile
- FROM ltl_permission_app_path_type_rule_view
- UNION ALL
- SELECT subject, object, access, 0
- FROM ltl_app_path_view
- UNION ALL
- SELECT subject, object, access, 0
- FROM ltl_app_path_reverse_view
);
-- ALL INSERTED DATA VIEW ------------------------------------------------------
BEGIN
DELETE FROM permission_label_rule;
DELETE FROM permission_permission_rule;
- DELETE FROM permission_app_path_type_rule;
DELETE FROM app_permission;
DELETE FROM permission;
DELETE FROM permission_type;
- DELETE FROM app_path;
- DELETE FROM app_path_type;
DELETE FROM app;
DELETE FROM label;
--- /dev/null
+BEGIN EXCLUSIVE TRANSACTION;
+
+--assume, that database is in version V3
+
+--remove all path related tables, views, indexes, etc.
+
+DROP TABLE IF EXISTS app_path;
+DROP TABLE IF EXISTS app_path_type;
+DROP TABLE IF EXISTS label_app_path_type_rule;
+DROP TABLE IF EXISTS permission_app_path_type_rule;
+
+DROP VIEW IF EXISTS permission_app_path_type_rule_view;
+DROP VIEW IF EXISTS label_app_path_type_rule_view;
+DROP VIEW IF EXISTS path_view;
+DROP VIEW IF EXISTS path_removal_view;
+DROP VIEW IF EXISTS ltl_permission_app_path_type_rule_view;
+DROP VIEW IF EXISTS ltl_label_app_path_type_rule_view;
+DROP VIEW IF EXISTS ltl_app_path_view;
+DROP VIEW IF EXISTS ltl_app_path_reverse_view;
+
+DROP INDEX IF EXISTS app_path_app_path_type_id_index;
+DROP INDEX IF EXISTS permission_app_path_type_rule_app_path_type_id_index;
+
+COMMIT TRANSACTION;
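Review bot: `DROP TABLE IF EXISTS app_path_type;` runs while `permission_app_path_type_rule` still exists, and the V3 schema removed elsewhere in this commit declares `FOREIGN KEY(app_path_type_id) REFERENCES app_path_type(app_path_type_id)` on that table and seeds a `PUBLIC_PATH` rule row into it. If the connection that runs this updater has `PRAGMA foreign_keys = ON` (not visible here), the implicit delete SQLite performs on DROP TABLE would violate that constraint and the migration would abort, leaving the old path rules in place. Drop the referencing tables first by moving `DROP TABLE IF EXISTS permission_app_path_type_rule;` (and `label_app_path_type_rule`, if it references the same table) above `DROP TABLE IF EXISTS app_path_type;`. The comment `--assume, that database is in version V3` states a precondition the script does not check; it should say where `user_version` is verified before this runs.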
--- /dev/null
+
+BEGIN EXCLUSIVE TRANSACTION;
+
+--assume, that database is in version V3
+PRAGMA user_version = 4;
+
+COMMIT TRANSACTION;
const char* app_type_group_name(app_type_t app_type);
/**
- * Get the app path type name as stored in the database.
- *
- * This returns valid names only if paths of the given type are stored in the database.
- * Otherwise NULL is returned.
- *
- * @ingroupd RDB itnernal functions
- *
- * @param app_path_type type of the application's path
- * @return name of the application's path or NULL if no matching type was found
- */
-const char* app_path_type_name(app_path_type_t app_path_type);
-
-/**
* Divide a Smack rule into subject, object and access
*
* @ingroup RDB internal functions
/// There already exists a permission with this name and type
#define PC_ERR_DB_PERM_FORBIDDEN -13
+/// Label used for publicily shared directories
+#define LABEL_FOR_PUBLIC_SHARED_DIRS "User"
typedef enum {
APP_TYPE_WGT,
APP_PATH_PUBLIC_RO,
APP_PATH_SETTINGS_RW,
APP_PATH_ANY_LABEL,
+ APP_PATH_FLOOR,
+ APP_PATH_PUBLIC,
} app_path_type_t;
/* APIs - used by applications */
* - APP_PATH_PRIVATE: label with app's label, set access label on everything
* and execute label on executable files and symlinks to executable files
*
- * - APP_PATH_GROUP_RW: label with given shared_label, set access label on
- * everything and enable transmute on directories. Also give pkg_id full access
- * to the shared label.
+ * - APP_PATH_PUBLIC: use it for public application directory. It labels directory
+ * and its content with one common access label ("User: LABEL_FOR_PUBLIC_SHARED_DIRS),
+ * and set it to be transmutable. All applications will have full access to that
+ * directory.
*
- * - APP_PATH_PUBLIC_RO: label with autogenerated label, set access label on
- * everything and enable transmute on directories. Give full access to the label to
- * pkg_id and RX access to all other apps.
+ * - APP_PATH_FLOOR: use it for labeling a path with "_" smack label to make files
+ * readable by anyone but writable to no one.
*
- * - APP_PATH_SETTINGS_RW: label with autogenerated label, set access label on
- * everything and enable transmute on directories. Give full access to the label to
- * pkg_id and RWX access to all appsetting apps.
+ * - APP_PATH_ANY_LABEL: deprecated: the same as APP_PATH_FLOOR. It is just kept for API
+ * compatility reasons.
+ *
+ * The following arguments are now deprecated and work as APP_PATH_PUBLIC:
+ * - APP_PATH_GROUP_RW
+ * - APP_PATH_PUBLIC_RO
+ * - APP_PATH_SETTINGS_RW
*
* This function should be called during app installation.
* Results will be persistent on the file system.
* @param pkg_id application identifier
* @param path file or directory path
* @param app_path_type application path type
- * @param shared_label optional argument for APP_PATH_GROUP_RW and
- * APP_PATH_ANY_LABEL path type; type is const char*
+ * @param shared_label optional argument (not used for now); type is const char*
* @return PC_OPERATION_SUCCESS on success, PC_ERR_* on error
*/
int perm_app_setup_path(const char* pkg_id, const char* path, app_path_type_t app_path_type, ...);
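Review bot: The new `@param shared_label` text calls the argument optional and unused, but the APP_PATH_ANY_LABEL branch of perm_app_setup_path_internal in this same commit still executes `anylabel = va_arg(ap, const char *);`, and reading a variadic argument that the caller did not pass is undefined behaviour. Either drop that va_arg or document the requirement, e.g. `@param shared_label ignored; must still be passed (NULL is accepted) when app_path_type is APP_PATH_ANY_LABEL`. The APP_PATH_PUBLIC bullet has an unbalanced quote in `("User: LABEL_FOR_PUBLIC_SHARED_DIRS)` and `compatility` should read `compatibility`. The deprecated-types list should also state outright that APP_PATH_GROUP_RW, APP_PATH_PUBLIC_RO and APP_PATH_SETTINGS_RW paths now become fully accessible to all applications, since that is a wider grant than those names suggest.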
/**
- * Adds label names of the application's folders to the modified labels.
- * Used during removing application.
- *
- * @ingroup RDB internal functions
- *
- * @param p_db pointer to a SQLite3 database object
- * @param s_app_label_name label of the application
- * @return PC_OPERATION_SUCCESS on success,
- * error code otherwise
- */
-int add_modified_apps_path_internal(sqlite3 *p_db, const char *const s_app_label_name);
-
-
-/**
* Open a connection with the database and perform an initialization.
*
* @ingroup RDB internal functions
/**
- * Add a path to the database.
- *
- * @ingroup RDB API functions
- *
- * @param s_owner_label_name owner application's label name
- * @param s_path_label_name path's label name
- * @param s_path the path
- * @param s_access owner to path label access rights
- * @param s_access_reverse path label to owner access rights
- * @param s_type type of path
- * @return PC_OPERATION_SUCCESS on success,
- * error code otherwise
- */
-int rdb_add_path(const char *const s_owner_label_name,
- const char *const s_path_label_name,
- const char *const s_path,
- const char *const s_access,
- const char *const s_access_reverse,
- const char *const s_type);
-
-
-/**
* Add permission with the given name and type and add smack rules.
*
* @ingroup RDB API functions
}
}
-const char* app_path_type_name(app_path_type_t app_path_type)
-{
- SECURE_C_LOGD("Entering function %s. Params: app_path_type=%d", __func__, app_path_type);
-
- switch(app_path_type) {
- case APP_PATH_GROUP_RW:
- return "GROUP_PATH";
- case APP_PATH_PUBLIC_RO:
- return "PUBLIC_PATH";
- case APP_PATH_SETTINGS_RW:
- return "SETTINGS_PATH";
- case APP_PATH_PRIVATE:
- case APP_PATH_ANY_LABEL:
- default:
- // App path type not stored in the database, return NULL;
- return NULL;
- }
-}
-
/**
* This function changes permission URI to basename for file name.
* For e.g. from http://tizen.org/privilege/contact.read will be
return rdb_app_has_permission(app_label, app_group, permission_name, is_enabled);
}
+static int app_label_public_shared_dir(const char *path, const char *label,
+ bool set_transmutable)
+{
+ int ret = PC_OPERATION_SUCCESS;
+
+ SECURE_C_LOGD("Entering function: %s. Params: path=%s, label=%s, "
+ "set_transmutable=%s", __func__, label, path,
+ set_transmutable ? "true" : "false");
+
+ if(path == NULL) {
+ C_LOGE("Invalid argument path (NULL).");
+ return PC_ERR_INVALID_PARAM;
+ }
+
+ if (!smack_label_is_valid(label)) {
+ C_LOGE("Invalid label (%s).", label);
+ return PC_ERR_INVALID_PARAM;
+ }
+
+ // setting access label on everything in given directory and below
+ ret = dir_set_smack_r(path, label, XATTR_NAME_SMACK, label_all);
+ if (PC_OPERATION_SUCCESS != ret) {
+ C_LOGE("dir_set_smack_r failed (access label): %d", ret);
+ return ret;
+ }
+
+ if (set_transmutable) {
+ // setting transmute on dirs
+ ret = dir_set_smack_r(path, "TRUE", XATTR_NAME_SMACKTRANSMUTE,
+ label_dirs);
+ if (PC_OPERATION_SUCCESS != ret) {
+ C_LOGE("dir_set_smack_r failed (transmute): %d", ret);
+ return ret;
+ }
+ }
+
+ return ret;
+}
+
API int app_label_dir(const char* label, const char* path)//deprecated
{
SECURE_C_LOGD("Entering function: %s. Params: label=%s, path=%s",
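Review bot: The entry log in app_label_public_shared_dir passes its arguments in the wrong order: the format string reads `path=%s, label=%s` but the call supplies `__func__, label, path`, so the log reports the label as the path and the path as the label. Swap them to `__func__, path, label,` so a trace of which directory received which Smack label can be trusted. The same log line also formats `path` with `%s` before the `path == NULL` check, and `C_LOGE("Invalid label (%s).", label)` may receive a NULL label if smack_label_is_valid rejects NULL; moving the entry log below the checks, or logging `label ? label : "(null)"`, avoids passing NULL to `%s`.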
return PC_ERR_INVALID_OPERATION;
}
-static char* smack_label_for_path(const char *app_id, const char *path)
-{
- SECURE_C_LOGD("Entering function: %s. Params: app_id=%s, path=%s",
- __func__, app_id, path);
-
- char *salt AUTO_FREE;
- char *label;
- char *x;
-
- /* Prefix $1$ causes crypt() to use MD5 function */
- if (-1 == asprintf(&salt, "$1$%s", app_id)) {
- C_LOGE("asprintf failed");
- return NULL;
- }
-
- label = crypt(path, salt);
- if (label == NULL) {
- C_LOGE("crypt failed");
- return NULL;
- }
-
- /* crypt() output may contain slash character,
- * which is not legal in Smack labels */
- for (x = label; *x; ++x) {
- if (*x == '/')
- *x = '%';
- }
-
- return label;
-}
-
/* FIXME: remove this pragma once deprecated API is deleted */
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
static int perm_app_setup_path_internal(const char* pkg_id, const char* path, app_path_type_t app_path_type, va_list ap)
C_LOGD("app_path_type is APP_PATH_PRIVATE.");
return app_label_dir(app_label, path);
- case APP_PATH_GROUP_RW: {
- C_LOGD("app_path_type is APP_PATH_GROUP.");
- int ret;
- const char *shared_label;
+ case APP_PATH_SETTINGS_RW:
+ case APP_PATH_PUBLIC_RO:
+ case APP_PATH_GROUP_RW:
+ case APP_PATH_PUBLIC: {
+ int res;
- shared_label = va_arg(ap, const char *);
-
- if (!smack_label_is_valid(shared_label)) {
- C_LOGE("Invalid shared_label.");
- return PC_ERR_INVALID_PARAM;
- }
-
- if (strcmp(app_label, shared_label) == 0) {
- C_LOGE("app_label equals shared_label.");
- return PC_ERR_INVALID_PARAM;
- }
-
- ret = app_label_shared_dir(app_label, shared_label, path);
- if (ret != PC_OPERATION_SUCCESS) {
- C_LOGE("app_label_shared_dir failed: %d", ret);
- return ret;
- }
-
- // Add the path to the database:
- ret = rdb_add_path(app_label, shared_label, path, "rwxatl", "-", "GROUP_PATH");
- if (ret != PC_OPERATION_SUCCESS) {
- C_LOGE("RDB rdb_add_path failed with: %d", ret);
- return ret;
- }
-
- return PC_OPERATION_SUCCESS;
- }
-
- case APP_PATH_PUBLIC_RO: {
C_LOGD("app_path_type is APP_PATH_PUBLIC.");
- const char *label;
- int ret;
-
- C_LOGD("New public RO path %s", path);
-
- // Generate label:
- label = smack_label_for_path(app_label, path);
- if (label == NULL) {
- C_LOGE("smack_label_for_path failed.");
- return PC_ERR_INVALID_OPERATION;
+ res = app_label_public_shared_dir(path,
+ LABEL_FOR_PUBLIC_SHARED_DIRS,
+ true);
+ if (res != PC_OPERATION_SUCCESS) {
+ C_LOGE("label_user_dir failed: %d", res);
+ return res;
}
- C_LOGD("Generated label '%s' for public RO path %s", label, path);
- ret = app_label_shared_dir(app_label, label, path);
- if (ret != PC_OPERATION_SUCCESS) {
- C_LOGE("app_label_shared_dir failed.");
- return ret;
- }
-
- // Add the path to the database:
- ret = rdb_add_path(app_label, label, path, "rwxatl", "-", "PUBLIC_PATH");
- if (ret != PC_OPERATION_SUCCESS) {
- C_LOGE("RDB rdb_add_path failed with: %d", ret);
- return ret;
- }
-
- return PC_OPERATION_SUCCESS;
+ return res;
}
- case APP_PATH_SETTINGS_RW: {
- C_LOGD("app_path_type is APP_PATH_SETTINGS.");
- const char *label;
- int ret;
-
- // Generate label:
- label = smack_label_for_path(app_label, path);
- if (label == NULL) {
- C_LOGE("smack_label_for_path failed.");
- return PC_ERR_INVALID_OPERATION;
- }
- C_LOGD("Appsetting: generated label '%s' for setting path %s", label, path);
-
- /*set id for path and all subfolders*/
- ret = app_label_shared_dir(app_label, label, path);
- if (ret != PC_OPERATION_SUCCESS) {
- C_LOGE("Appsetting: app_label_shared_dir failed (%d)", ret);
- return ret;
- }
+ case APP_PATH_ANY_LABEL:
+ case APP_PATH_FLOOR: {
+ const char *label = "_";
+ const char *anylabel UNUSED = NULL;
- // Add the path to the database:
- ret = rdb_add_path(app_label, label, path, "rwxatl", "-", "SETTINGS_PATH");
- if (ret != PC_OPERATION_SUCCESS) {
- C_LOGE("RDB rdb_add_path failed with: %d", ret);
- return ret;
+ if (APP_PATH_ANY_LABEL == app_path_type) {
+ C_LOGD("app_path_type is APP_PATH_ANY_LABEL (deprecated). "
+ "Please, use APP_PATH_FLOOR instead.");
+ anylabel = va_arg(ap, const char *);
+ } else {
+ C_LOGD("app_path_type is APP_PATH_FLOOR.");
}
-
- return PC_OPERATION_SUCCESS;
- }
-
- case APP_PATH_ANY_LABEL: {
- C_LOGD("app_path_type is APP_PATH_ANY_LABEL.");
- const char *label = NULL;
- label = va_arg(ap, const char *);
return app_label_dir(label, path);
}
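Review bot: The merged `case APP_PATH_SETTINGS_RW: case APP_PATH_PUBLIC_RO: case APP_PATH_GROUP_RW: case APP_PATH_PUBLIC:` block relabels the path with `LABEL_FOR_PUBLIC_SHARED_DIRS` plus transmute for the three deprecated types without any signal, so an installer that still passes APP_PATH_PUBLIC_RO or APP_PATH_SETTINGS_RW now gets a directory to which, per the header text, all applications have full access, rather than the narrower grant those names imply. Make the downgrade visible the way the APP_PATH_ANY_LABEL branch does, e.g. `if (app_path_type != APP_PATH_PUBLIC) C_LOGE("Deprecated app_path_type %d is handled as APP_PATH_PUBLIC.", app_path_type);`, instead of the unconditional `C_LOGD("app_path_type is APP_PATH_PUBLIC.")`. The failure message `label_user_dir failed: %d` names a function that does not appear in this change and should read `app_label_public_shared_dir failed: %d`. perm_app_setup_path_internal starts and ends outside this hunk.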
}
-int add_modified_apps_path_internal(sqlite3 *p_db,
- const char *const s_app_label_name)
-{
- int ret = PC_OPERATION_SUCCESS;
- sqlite3_stmt *p_stmt = NULL;
- ret = prepare_stmt(p_db, &p_stmt,
- "INSERT OR IGNORE INTO modified_label(name) \
- SELECT path_view.path_label_name \
- FROM path_view \
- WHERE path_view.owner_app_label_name = %Q",
- s_app_label_name);
- if(ret != PC_OPERATION_SUCCESS) goto finish;
-
- ret = step_and_convert_returned_value(p_stmt);
-finish:
- if(sqlite3_finalize(p_stmt) != SQLITE_OK)
- C_LOGE("RDB: Error during finalizing statement: %s",
- sqlite3_errmsg(p_db));
- return ret;
-}
-
-
/**
* Function called when the target database is busy.
* We attempt to access the database every
}
-int add_path_internal(sqlite3 *p_db,
- const char *const s_owner_label_name,
- const char *const s_path_label_name,
- const char *const s_path,
- const char *const s_access,
- const char *const s_access_reverse,
- const char *const s_type)
-{
- RDB_LOG_ENTRY_PARAM("%s %s %s %s %s %s",
- s_owner_label_name, s_path_label_name,
- s_path, s_access, s_access_reverse, s_type);
-
- int ret = PC_ERR_DB_OPERATION;
- sqlite3_stmt *p_stmt = NULL;
-
- ret = prepare_stmt(p_db, &p_stmt,
- "INSERT INTO path_view(owner_app_label_name, \
- path, \
- path_label_name, \
- access, \
- access_reverse, \
- path_type_name) \
- VALUES(%Q, %Q, %Q, %Q, %Q, %Q);",
- s_owner_label_name, s_path, s_path_label_name,
- s_access, s_access_reverse, s_type);
- if(ret != PC_OPERATION_SUCCESS) goto finish;
-
- ret = step_and_convert_returned_value(p_stmt);
-finish:
- if(sqlite3_finalize(p_stmt) != SQLITE_OK)
- C_LOGE("RDB: Error during finalizing statement: %s",
- sqlite3_errmsg(p_db));
- return ret;
-}
-
-
int add_permission_internal(sqlite3 *p_db,
const char *const s_permission_name,
const char *const s_permission_type_name)
}
-static int add_permission_app_path_type_rule(sqlite3_stmt *p_stmt,
- const sqlite3_int64 i_permission_id,
- const char *const s_path_type_name,
- const char *const s_access,
- const int i_is_reverse)
-{
- int ret = PC_OPERATION_SUCCESS;
-
- if(sqlite3_bind_int(p_stmt, 1, i_permission_id) ||
- sqlite3_bind_text(p_stmt, 2, s_path_type_name, RDB_AUTO_DETERM_SIZE, 0) ||
- sqlite3_bind_text(p_stmt, 3, s_access, RDB_AUTO_DETERM_SIZE, 0) ||
- sqlite3_bind_int(p_stmt, 4, i_is_reverse)) {
- C_LOGE("RDB: Error during binding to statement: %s",
- sqlite3_errmsg(sqlite3_db_handle(p_stmt)));
- ret = PC_ERR_DB_QUERY_BIND;
- goto finish;
- }
-
- ret = step_and_convert_returned_value(p_stmt);
-
-finish:
- reset_and_unbind_stmt(p_stmt);
- return ret;
-}
-
int add_permission_rules_internal(sqlite3 *p_db,
const sqlite3_int64 i_permission_id,
const char *const *const pp_smack_rules)
int i;
sqlite3_stmt *p_perm_to_label_stmt = NULL;
sqlite3_stmt *p_perm_to_perm_stmt = NULL;
- sqlite3_stmt *p_perm_to_app_path_type_stmt = NULL;
// Prepare stmts. They are static, so we parse SQL only once per process and reuse it.
ret = prepare_stmts_for_bind(p_db, &p_perm_to_label_stmt,
if(ret != PC_OPERATION_SUCCESS) goto finish;
- ret = prepare_stmts_for_bind(p_db, &p_perm_to_app_path_type_stmt,
- "INSERT INTO permission_app_path_type_rule_view( \
- permission_id, app_path_type_name, access, is_reverse) \
- VALUES(?,?,?,?)");
- if(ret != PC_OPERATION_SUCCESS) goto finish;
-
-
for(i = 0; pp_smack_rules[i] != NULL ; ++i) {
C_LOGD("RDB: Granting permission: %s", pp_smack_rules[i]);
i_is_reverse);
if(ret != PC_OPERATION_SUCCESS) goto finish;
- } else if(!strcmp(s_label, "~PUBLIC_PATH~")) {
- ret = add_permission_app_path_type_rule(p_perm_to_app_path_type_stmt,
- i_permission_id,
- "PUBLIC_PATH",
- s_access,
- i_is_reverse);
- if(ret != PC_OPERATION_SUCCESS) goto finish;
-
- } else if(!strcmp(s_label, "~GROUP_PATH~")) {
- ret = add_permission_app_path_type_rule(p_perm_to_app_path_type_stmt,
- i_permission_id,
- "GROUP_PATH",
- s_access,
- i_is_reverse);
- if(ret != PC_OPERATION_SUCCESS) goto finish;
-
- } else if(!strcmp(s_label, "~SETTINGS_PATH~")) {
- ret = add_permission_app_path_type_rule(p_perm_to_app_path_type_stmt,
- i_permission_id,
- "SETTINGS_PATH",
- s_access,
- i_is_reverse);
- if(ret != PC_OPERATION_SUCCESS) goto finish;
}
}
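Review bot: With the `~PUBLIC_PATH~`, `~GROUP_PATH~` and `~SETTINGS_PATH~` branches removed, the if-chain visible here ends without a final `else`, so a permission rule that still names one of those wildcards appears to be skipped silently unless a branch above the hunk catches it. In a loader for access-control rules a dropped rule should leave a trace; consider closing the chain with `else { C_LOGE("RDB: Unsupported label in rule: %s", pp_smack_rules[i]); }` or returning an error for such rules. The start of the chain and the rest of add_permission_rules_internal are outside this hunk, so confirm against the full function.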
sqlite3_errmsg(p_db));
}
- if(p_perm_to_app_path_type_stmt &&
- sqlite3_finalize(p_perm_to_app_path_type_stmt) != SQLITE_OK) {
- C_LOGE("RDB: Error during finalizing statement: %s",
- sqlite3_errmsg(p_db));
- }
return ret;
}
ret = add_modified_label_internal(p_db, s_label_name);
if(ret != PC_OPERATION_SUCCESS) goto finish;
- ret = add_modified_apps_path_internal(p_db, s_label_name);
- if(ret != PC_OPERATION_SUCCESS) goto finish;
-
ret = remove_app_internal(p_db, s_label_name);
finish:
}
-int rdb_add_path(const char *const s_owner_label_name,
- const char *const s_path_label_name,
- const char *const s_path,
- const char *const s_access,
- const char *const s_access_reverse,
- const char *const s_type)
-{
- RDB_LOG_ENTRY_PARAM("%s %s %s %s %s %s",
- s_owner_label_name, s_path_label_name,
- s_path, s_access, s_access_reverse, s_type);
-
- int ret = PC_ERR_DB_OPERATION;
- sqlite3 *p_db = NULL;
-
- ret = rdb_begin(&p_db, RDB_TRANSACTION_EXCLUSIVE);
- if(ret != PC_OPERATION_SUCCESS) goto finish;
-
- ret = add_path_internal(p_db,
- s_owner_label_name,
- s_path_label_name,
- s_path,
- s_access,
- s_access_reverse,
- s_type);
- if(ret != PC_OPERATION_SUCCESS) goto finish;
-
- ret = add_modified_label_internal(p_db, s_path_label_name);
-
-finish:
- return rdb_finish(p_db, ret);
-}
-
-
int rdb_add_permission_rules(const char *const s_permission_name,
const char *const s_permission_type_name,
const char *const *const pp_smack_rules)
ret = add_modified_label_internal(p_db, s_app_label_name);
if(ret != PC_OPERATION_SUCCESS) goto finish;
- ret = add_modified_apps_path_internal(p_db, s_app_label_name);
- if(ret != PC_OPERATION_SUCCESS) goto finish;
-
ret = revoke_app_permissions_internal(p_db, s_app_label_name);
finish: