Added APP_PATH_PUBLIC and APP_PATH_FLOOR types to perm_app_setup_path function. 64/19164/6
authorSebastian Grabowski <s.grabowski@samsung.com>
Thu, 8 May 2014 07:26:28 +0000 (09:26 +0200)
committerMarcin Niesluchowski <m.niesluchow@samsung.com>
Tue, 13 May 2014 06:42:56 +0000 (23:42 -0700)
Current functionality of perm_app_setup_path is not fully compatible
with how Smack policy should look in Tizen 3. For better
compatibility new APP_PATH_PUBLIC type has been added and implementation
of APP_PATH_GROUP_RW, APP_PATH_PUBLIC_RO and APP_PATH_SETTINGS_RW has
been changed to work exactly as APP_PATH_PUBLIC.
Moreover, APP_PATH_FLOOR type has been added that should be used to
label files and directories with "_" (floor) label. This label should be
used from now instead of APP_PATH_ANY_LABEL. APP_PATH_ANY_LABEL is still
supported but it behaves like APP_PATH_FLOOR - it just is for API
compatibility reasons.

Removed all path related tables, views, indexes etc. and code as well.

Verification may be done with the following:
security-tests.sh libprivilege-control --runignored --output=text
sqlite3 /opt/dbspace/.rules-db.db3 ".schema" | grep path
However, some test cases must be rewritten after this patch is accepted.

Change-Id: I6019ba67aa2d032acdee05a2e5c98f2dd6895fb3
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
12 files changed:
db/rules-db-data.sql
db/rules-db.sql
db/updates/update-rules-db-data-to-v4.sql [new file with mode: 0644]
db/updates/update-rules-db-to-v4.sql [new file with mode: 0644]
include/common.h
include/privilege-control.h
include/rules-db-internals.h
include/rules-db.h
src/common.c
src/privilege-control.c
src/rules-db-internals.c
src/rules-db.c

index 4661c8e..c5c3505 100644 (file)
@@ -13,27 +13,12 @@ INSERT OR IGNORE INTO permission_type(type_name) VALUES("WRT");
 INSERT OR IGNORE INTO permission_type(type_name) VALUES("OSP");
 INSERT OR IGNORE INTO permission_type(type_name) VALUES("EFL");
 
--- APP PATH TYPES ----------------------------------------------------------------------------------
-INSERT OR IGNORE INTO app_path_type(name) VALUES("GROUP_PATH");
-INSERT OR IGNORE INTO app_path_type(name) VALUES("PUBLIC_PATH");
-INSERT OR IGNORE INTO app_path_type(name) VALUES("SETTINGS_PATH");
-INSERT OR IGNORE INTO app_path_type(name) VALUES("NPRUNTIME_PATH");
-
 INSERT OR IGNORE INTO permission_view(name, type_name) VALUES
                ("ALL_APPS",    "ALL_APPS"),
                ("WRT",         "WRT"),
                ("OSP",         "OSP"),
                ("EFL",         "EFL");
 
--- PUBLIC FOLDERS ----------------------------------------------------------------------------------
--- PUBLIC_PATH
-INSERT OR IGNORE INTO permission_app_path_type_rule_view(permission_name,
-                                               permission_type_name,
-                                               app_path_type_name,
-                                               access,
-                                               is_reverse) VALUES
-       ("ALL_APPS", "ALL_APPS", "PUBLIC_PATH", "rx", 0);
-
 COMMIT TRANSACTION;
 
 VACUUM;
index a188d04..85d954b 100644 (file)
@@ -13,7 +13,7 @@ PRAGMA auto_vacuum = NONE;
 BEGIN EXCLUSIVE TRANSACTION;
 
 -- Update here on every schema change! Integer value.
-PRAGMA user_version = 3;
+PRAGMA user_version = 4;
 
 CREATE TABLE IF NOT EXISTS  app (
     app_id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
@@ -39,37 +39,6 @@ CREATE TABLE IF NOT EXISTS app_permission (
 -- Used by ltl_ view
 CREATE INDEX IF NOT EXISTS app_permission_permission_id_index ON app_permission(permission_id);
 
-CREATE TABLE IF NOT EXISTS app_path (
-    app_id INTEGER NOT NULL,
-    path TEXT NOT NULL,
-    label_id INTEGER NOT NULL,
-    access INTEGER NOT NULL,
-    access_reverse INTEGER NOT NULL,
-    app_path_type_id INTEGER NOT NULL ,
-
-    -- TODO:
-    -- Desired behavior should be:
-    -- allow one app to register a path only once (already implemented by the primary key)
-    -- prohibit two apps registering the same path with different labels (probably cannot be done by SQL constraints)
-    -- allow two apps to register the same path if label is also same
-
-    PRIMARY KEY (app_id, path),
-
-    FOREIGN KEY(app_id) REFERENCES app(app_id),
-    FOREIGN KEY(label_id) REFERENCES label(label_id),
-    FOREIGN KEY(app_path_type_id) REFERENCES app_path_type(app_path_type_id)
-);
-
--- Used by ltl_ view
-CREATE INDEX IF NOT EXISTS app_path_app_path_type_id_index ON app_path(app_path_type_id);
-
-CREATE TABLE IF NOT EXISTS app_path_type (
-    app_path_type_id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-    name TEXT NOT NULL ,
-
-    UNIQUE (name)
-);
-
 
 CREATE TABLE IF NOT EXISTS permission_permission_rule (
     permission_id INTEGER NOT NULL,
@@ -98,23 +67,6 @@ CREATE TABLE IF NOT EXISTS permission_label_rule (
 -- Used by ltl_ view
 CREATE INDEX IF NOT EXISTS permission_label_rule_label_id_index ON permission_label_rule(label_id);
 
-CREATE TABLE IF NOT EXISTS permission_app_path_type_rule (
-    permission_id INTEGER NOT NULL,
-    app_path_type_id INTEGER NOT NULL,
-    access INTEGER NOT NULL DEFAULT 0,
-    is_reverse INTEGER NOT NULL  DEFAULT 0,
-
-    PRIMARY KEY (permission_id, app_path_type_id, is_reverse),
-
-    FOREIGN KEY(permission_id) REFERENCES permission(permission_id),
-    FOREIGN KEY(app_path_type_id) REFERENCES app_path_type(app_path_type_id)
-);
-
--- Used by ltl_ view
-CREATE INDEX IF NOT EXISTS permission_app_path_type_rule_app_path_type_id_index
-    ON permission_app_path_type_rule(app_path_type_id);
-
-
 CREATE TABLE IF NOT EXISTS label (
     label_id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
     name TEXT NOT NULL,
@@ -213,10 +165,6 @@ BEGIN
     WHERE       permission_name = NEW.name AND
                 permission_type_name = NEW.type_name;
 
-    DELETE FROM permission_app_path_type_rule_view
-    WHERE       permission_name = NEW.name AND
-                permission_type_name = NEW.type_name;
-
 END;
 
 -- PERMISSION TO LABEL RULE VIEW -----------------------------------------------
@@ -275,74 +223,6 @@ BEGIN
 END;
 
 
--- PERMISSION TO APP PATH TYPE RULE VIEW ---------------------------------------
-DROP VIEW IF EXISTS permission_app_path_type_rule_view;
-CREATE VIEW permission_app_path_type_rule_view AS
-SELECT
-        permission_view.permission_id       AS permission_id,
-        permission_view.name                AS permission_name,
-        permission_view.type_name           AS permission_type_name,
-        app_path_type.name                      AS app_path_type_name,
-        permission_app_path_type_rule.access       AS access,
-        permission_app_path_type_rule.is_reverse   AS is_reverse
-FROM    permission_app_path_type_rule
-LEFT JOIN permission_view USING(permission_id)
-LEFT JOIN app_path_type USING(app_path_type_id);
-
-
-DROP TRIGGER IF EXISTS permission_app_path_type_rule_view_insert_trigger;
-CREATE TRIGGER permission_app_path_type_rule_view_insert_trigger
-INSTEAD OF INSERT
-ON permission_app_path_type_rule_view
-WHEN NEW.permission_id IS NULL
-BEGIN
-    INSERT INTO permission_app_path_type_rule(permission_id,
-                                              app_path_type_id,
-                                              access,
-                                              is_reverse)
-    SELECT      permission_view.permission_id,
-                app_path_type.app_path_type_id,
-                str_to_access(NEW.access),
-                NEW.is_reverse
-    FROM        permission_view, app_path_type
-    WHERE       permission_view.name = NEW.permission_name AND
-                permission_view.type_name = NEW.permission_type_name AND
-                app_path_type.name = NEW.app_path_type_name;
-END;
-
-DROP TRIGGER IF EXISTS permission_app_path_type_rule_view_delete_trigger;
-CREATE TRIGGER permission_app_path_type_rule_view_delete_trigger
-INSTEAD OF DELETE
-ON permission_app_path_type_rule_view
-BEGIN
-    -- Delete the rule
-    DELETE FROM permission_app_path_type_rule
-    WHERE       permission_app_path_type_rule.permission_id
-                IN (SELECT permission_view.permission_id
-                    FROM   permission_view
-                    WHERE  permission_view.name = OLD.permission_name AND
-                           permission_view.type_name = OLD.permission_type_name);
-END;
-
-
-CREATE TRIGGER permission_app_path_type_id_rule_view_insert_trigger
-INSTEAD OF INSERT
-ON permission_app_path_type_rule_view
-WHEN NEW.permission_id IS NOT NULL
-BEGIN
-    INSERT OR REPLACE INTO permission_app_path_type_rule(permission_id,
-                                                         app_path_type_id,
-                                                         access,
-                                                         is_reverse)
-    SELECT      NEW.permission_id,
-                app_path_type.app_path_type_id,
-                str_to_access(NEW.access),
-                NEW.is_reverse
-    FROM        app_path_type
-    WHERE       app_path_type.name = NEW.app_path_type_name;
-END;
-
-
 -- PERMISSION TO PERMISSION RULE VIEW ------------------------------------------
 DROP VIEW IF EXISTS permission_permission_rule_view;
 CREATE VIEW permission_permission_rule_view AS
@@ -410,9 +290,7 @@ INSTEAD OF DELETE ON label_view
 WHEN    OLD.label_id NOT IN (SELECT app.label_id
                              FROM app) AND
         OLD.label_id NOT IN (SELECT permission_label_rule.label_id
-                             FROM permission_label_rule) AND
-        OLD.label_id NOT IN (SELECT app_path.label_id
-                             FROM app_path)
+                            FROM   permission_label_rule)
 BEGIN
         DELETE FROM label WHERE label.name = OLD.name;
 END;
@@ -449,18 +327,6 @@ DROP TRIGGER IF EXISTS application_view_delete_trigger;
 CREATE TRIGGER application_view_delete_trigger
 INSTEAD OF DELETE ON application_view
 BEGIN
-        -- Delete rules that correspond to app's paths:
-        DELETE FROM permission_label_rule
-        WHERE       permission_label_rule.label_id IN
-                   (SELECT     app_path.label_id
-                    FROM       app_path
-                    INNER JOIN application_view USING(app_id)
-                    WHERE      application_view.name = OLD.name);
-
-        -- Delete path
-        DELETE FROM path_view
-        WHERE path_view.owner_app_label_name=OLD.name;
-
         -- Delete apps permissions:
         DELETE FROM app_permission
         WHERE       app_permission.app_id
@@ -482,87 +348,6 @@ BEGIN
 END;
 
 
--- PATH VIEW -------------------------------------------------------------------
-DROP VIEW IF EXISTS path_view;
-CREATE VIEW path_view AS
-SELECT  application_view.name   AS owner_app_label_name,
-        app_path.path           AS path,
-        label.name              AS path_label_name,
-        app_path.access         AS access,
-        app_path.access_reverse AS access_reverse,
-        app_path_type.name      AS path_type_name
-
-FROM    app_path
-LEFT JOIN app_path_type     USING (app_path_type_id)
-LEFT JOIN application_view  USING (app_id)
-LEFT JOIN label             USING (label_id);
-
-
--- For an existing application we add a path.
-DROP TRIGGER IF EXISTS path_view_insert_trigger;
-CREATE TRIGGER path_view_insert_trigger
-INSTEAD OF INSERT ON path_view
-WHEN NEW.owner_app_label_name IN (SELECT application_view.name
-                                  FROM application_view)
-BEGIN
-    -- The path's label could have been added by the permission.
-    INSERT OR IGNORE INTO label(name) VALUES (NEW.path_label_name);
-
-    -- Add the path
-    INSERT OR IGNORE INTO app_path(app_id, path, label_id, access, access_reverse, app_path_type_id)
-    SELECT  application_view.app_id,
-            NEW.path,
-            label.label_id,
-            str_to_access(NEW.access),
-            str_to_access(NEW.access_reverse),
-            app_path_type.app_path_type_id
-    FROM    application_view, app_path_type, label
-    WHERE   application_view.name = NEW.owner_app_label_name AND
-            app_path_type.name = NEW.path_type_name AND
-            label.name = NEW.path_label_name;
-END;
-
-DROP TRIGGER IF EXISTS path_view_delete_trigger;
-CREATE TRIGGER path_view_delete_trigger
-INSTEAD OF DELETE ON path_view
-BEGIN
-        -- Delete the path
-        DELETE FROM app_path
-        WHERE app_path.app_id IN (SELECT  app.app_id
-                                  FROM    app, label
-                                  WHERE   label.name = OLD.owner_app_label_name AND
-                                          app.label_id = label.label_id);
-
-        -- Delete the path's label if it's not used any more
-        DELETE FROM label_view WHERE label_view.name = OLD.path_label_name;
-END;
-
-
--- PATH_REMOVAL VIEW -------------------------------------------------------------------
-DROP VIEW IF EXISTS path_removal_view;
-CREATE VIEW path_removal_view       AS
-SELECT      application_view.app_id AS owner_app_id,
-            application_view.name   AS owner_app_label_name,
-            app_path.path           AS path,
-            label.label_id          AS path_label_id
-FROM        app_path
-LEFT JOIN   application_view USING (app_id)
-LEFT JOIN   label            USING (label_id);
-
-DROP TRIGGER IF EXISTS path_removal_delete_trigger;
-CREATE TRIGGER path_removal_delete_trigger
-INSTEAD OF DELETE ON path_removal_view
-BEGIN
-        -- Delete the path.
-        DELETE FROM app_path
-        WHERE  app_path.app_id = OLD.owner_app_id AND
-               app_path.path = OLD.path;
-
-        -- Delete the path's label if it's not used anymore.
-        DELETE FROM label_view WHERE label_view.label_id = OLD.path_label_id;
-END;
-
-
 -- APP PERMISSION LIST VIEW ----------------------------------------------------
 -- Used in check_app_permission_internal to check if permissions are present
 -- TODO: Check if SQLite optimizer doesn't change app_permission_view to the same code.
@@ -646,9 +431,6 @@ BEGIN
                                                      FROM   permission_view
                                                      WHERE  permission_view.name = "ALL_APPS" AND
                                                             permission_view.type_name = "ALL_APPS");
-    -- Delete paths
-    DELETE FROM path_view
-    WHERE path_view.owner_app_label_name=OLD.app_name;
 
 END;
 
@@ -735,58 +517,6 @@ INNER JOIN  label USING(label_id)
 WHERE       is_reverse = 1 AND app.name != label.name;
 
 
-
-
--- PERMISSION TO PATH TYPE RULE VIEW -------------------------------------------
--- ltl = label to label
-DROP VIEW IF EXISTS ltl_permission_app_path_type_rule_view;
-CREATE VIEW ltl_permission_app_path_type_rule_view AS
-SELECT      app.name AS subject,
-            label.name AS object,
-            p.access,
-            app.is_volatile
-FROM        permission_app_path_type_rule AS p
-INNER JOIN  app_label_with_permission_view AS app USING(permission_id)
-INNER JOIN  app_path USING(app_path_type_id)
-INNER JOIN  label USING(label_id)
-WHERE       is_reverse = 0 AND app.name != label.name
-UNION ALL
-SELECT      label.name AS subject,
-            app.name AS object,
-            p.access,
-            app.is_volatile
-FROM        permission_app_path_type_rule AS p
-INNER JOIN  app_label_with_permission_view AS app USING(permission_id)
-INNER JOIN  app_path USING(app_path_type_id)
-INNER JOIN  label USING(label_id)
-WHERE       is_reverse = 1 AND app.name != label.name;
-
-
--- PERMISSION TO APPLICATION'S OWN PATHS ---------------------------------------
--- ltl = label to label
-DROP VIEW IF EXISTS ltl_app_path_view;
-CREATE VIEW ltl_app_path_view AS
-SELECT      application_view.name   AS subject,
-            label.name              AS object,
-            app_path.access         AS access
-FROM        app_path
-INNER JOIN  application_view USING(app_id)
-INNER JOIN  label USING(label_id);
-
-
--- PERMISSION FROM PATHS TO APPLICATIONS ---------------------------------------
--- ltl = label to label
-DROP VIEW IF EXISTS ltl_app_path_reverse_view;
-CREATE VIEW ltl_app_path_reverse_view AS
-SELECT      label.name                AS subject,
-            application_view.name     AS object,
-            app_path.access_reverse   AS access
-FROM        app_path
-INNER JOIN  application_view USING(app_id)
-INNER JOIN  label USING(label_id)
-WHERE       app_path.access_reverse != 0 ;
-
-
 -- SMACK RULES VIEWS -----------------------------------------------------------
 DROP VIEW IF EXISTS all_smack_binary_rules_view;
 CREATE VIEW all_smack_binary_rules_view AS
@@ -799,15 +529,6 @@ FROM   (SELECT subject, object, access, is_volatile
         UNION ALL
         SELECT subject, object, access, is_volatile
         FROM   ltl_permission_label_rule_view
-        UNION ALL
-        SELECT subject, object, access, is_volatile
-        FROM   ltl_permission_app_path_type_rule_view
-        UNION ALL
-        SELECT subject, object, access, 0
-        FROM   ltl_app_path_view
-        UNION ALL
-        SELECT subject, object, access, 0
-        FROM   ltl_app_path_reverse_view
        );
 
 -- ALL INSERTED DATA VIEW ------------------------------------------------------
@@ -825,15 +546,12 @@ DELETE ON all_inserted_data
 BEGIN
     DELETE FROM permission_label_rule;
     DELETE FROM permission_permission_rule;
-    DELETE FROM permission_app_path_type_rule;
 
     DELETE FROM app_permission;
 
     DELETE FROM permission;
     DELETE FROM permission_type;
 
-    DELETE FROM app_path;
-    DELETE FROM app_path_type;
     DELETE FROM app;
 
     DELETE FROM label;
diff --git a/db/updates/update-rules-db-data-to-v4.sql b/db/updates/update-rules-db-data-to-v4.sql
new file mode 100644 (file)
index 0000000..4b09593
--- /dev/null
@@ -0,0 +1,24 @@
+BEGIN EXCLUSIVE TRANSACTION;
+
+--assume, that database is in version V3
+
+--remove all path related tables, views, indexes, etc.
+
+DROP TABLE IF EXISTS app_path;
+DROP TABLE IF EXISTS app_path_type;
+DROP TABLE IF EXISTS label_app_path_type_rule;
+DROP TABLE IF EXISTS permission_app_path_type_rule;
+
+DROP VIEW IF EXISTS permission_app_path_type_rule_view;
+DROP VIEW IF EXISTS label_app_path_type_rule_view;
+DROP VIEW IF EXISTS path_view;
+DROP VIEW IF EXISTS path_removal_view;
+DROP VIEW IF EXISTS ltl_permission_app_path_type_rule_view;
+DROP VIEW IF EXISTS ltl_label_app_path_type_rule_view;
+DROP VIEW IF EXISTS ltl_app_path_view;
+DROP VIEW IF EXISTS ltl_app_path_reverse_view;
+
+DROP INDEX IF EXISTS app_path_app_path_type_id_index;
+DROP INDEX IF EXISTS permission_app_path_type_rule_app_path_type_id_index;
+
+COMMIT TRANSACTION;
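Review bot: The DROP TABLE/DROP VIEW statements in this file leave any trigger of an existing v3 database that still refers to the dropped objects in place — in the v3 schema removed by this commit, `label_view_delete_trigger` tests `app_path.label_id` in its WHEN clause and `application_view_delete_trigger` deletes from `path_view` — so unless the updater re-runs the DROP TRIGGER/CREATE TRIGGER statements of rules-db.sql after this script, a DELETE on those views in an upgraded database fails on the missing table. This is inferred from the schema hunks; if rules-db.sql is always re-applied after the migration, a comment stating that at the top of this file, e.g. `--triggers that referenced the dropped objects are recreated by rules-db.sql`, would settle it. The split between the two new files is also worth a comment: the drops here are schema changes placed in the data update, while update-rules-db-to-v4.sql only bumps user_version, so the order in which the updater applies them decides whether a failed drop can leave a database that already reports version 4.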
diff --git a/db/updates/update-rules-db-to-v4.sql b/db/updates/update-rules-db-to-v4.sql
new file mode 100644 (file)
index 0000000..5a77556
--- /dev/null
@@ -0,0 +1,7 @@
+
+BEGIN EXCLUSIVE TRANSACTION;
+
+--assume, that database is in version V3
+PRAGMA user_version = 4;
+
+COMMIT TRANSACTION;
index 2ccb473..a0bc6ef 100644 (file)
@@ -156,19 +156,6 @@ const char* app_type_name(app_type_t app_type);
 const char* app_type_group_name(app_type_t app_type);
 
 /**
- * Get the app path type name as stored in the database.
- *
- * This returns valid names only if paths of the given type are stored in the database.
- * Otherwise NULL is returned.
- *
- * @ingroupd RDB itnernal functions
- *
- * @param  app_path_type type of the application's path
- * @return name of the application's path or NULL if no matching type was found
- */
-const char* app_path_type_name(app_path_type_t app_path_type);
-
-/**
  * Divide a Smack rule into subject, object and access
  *
  * @ingroup RDB internal functions
index 1564fba..d144722 100644 (file)
@@ -70,6 +70,8 @@ extern "C" {
 /// There already exists a permission with this name and type
 #define PC_ERR_DB_PERM_FORBIDDEN        -13
 
+/// Label used for publicily shared directories
+#define LABEL_FOR_PUBLIC_SHARED_DIRS   "User"
 
 typedef enum {
        APP_TYPE_WGT,
@@ -84,6 +86,8 @@ typedef enum {
         APP_PATH_PUBLIC_RO,
         APP_PATH_SETTINGS_RW,
         APP_PATH_ANY_LABEL,
+        APP_PATH_FLOOR,
+        APP_PATH_PUBLIC,
 } app_path_type_t;
 
 /* APIs - used by applications */
@@ -303,17 +307,21 @@ int add_shared_dir_readers(const char* shared_label, const char** app_list) DEPR
  *     - APP_PATH_PRIVATE: label with app's label, set access label on everything
  *    and execute label on executable files and symlinks to executable files
  *
- *     - APP_PATH_GROUP_RW: label with given shared_label, set access label on
- *       everything and enable transmute on directories. Also give pkg_id full access
- *       to the shared label.
+ *      - APP_PATH_PUBLIC: use it for public application directory. It labels directory
+ *        and its content with one common access label ("User: LABEL_FOR_PUBLIC_SHARED_DIRS),
+ *        and set it to be transmutable. All applications will have full access to that
+ *        directory.
  *
- *     - APP_PATH_PUBLIC_RO: label with autogenerated label, set access label on
- *       everything and enable transmute on directories. Give full access to the label to
- *       pkg_id and RX access to all other apps.
+ *      - APP_PATH_FLOOR: use it for labeling a path with "_" smack label to make files
+ *        readable by anyone but writable to no one.
  *
- *     - APP_PATH_SETTINGS_RW: label with autogenerated label, set access label on
- *       everything and enable transmute on directories. Give full access to the label to
- *       pkg_id and RWX access to all appsetting apps.
+ *      - APP_PATH_ANY_LABEL: deprecated: the same as APP_PATH_FLOOR. It is just kept for API
+ *        compatility reasons.
+ *
+ *    The following arguments are now deprecated and work as APP_PATH_PUBLIC:
+ *      - APP_PATH_GROUP_RW
+ *      - APP_PATH_PUBLIC_RO
+ *      - APP_PATH_SETTINGS_RW
  *
  * This function should be called during app installation.
  * Results will be persistent on the file system.
@@ -322,8 +330,7 @@ int add_shared_dir_readers(const char* shared_label, const char** app_list) DEPR
  * @param  pkg_id         application identifier
  * @param  path           file or directory path
  * @param  app_path_type  application path type
- * @param  shared_label   optional argument for APP_PATH_GROUP_RW and
- *                        APP_PATH_ANY_LABEL path type; type is const char*
+ * @param  shared_label   optional argument (not used for now); type is const char*
  * @return                PC_OPERATION_SUCCESS on success, PC_ERR_* on error
  */
 int perm_app_setup_path(const char* pkg_id, const char* path, app_path_type_t app_path_type, ...);
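Review bot: The `@param shared_label` line in the last hunk says the variadic argument is not used, but src/privilege-control.c in this commit still consumes it with `va_arg` for APP_PATH_ANY_LABEL and no longer reads it for APP_PATH_GROUP_RW, so callers need to know which types still require passing it; I would write `@param  shared_label   optional argument; still read (and ignored) for APP_PATH_ANY_LABEL, not read for any other type`. The APP_PATH_PUBLIC bullet in the same hunk has an unbalanced quote, `("User: LABEL_FOR_PUBLIC_SHARED_DIRS)` should read `("User", LABEL_FOR_PUBLIC_SHARED_DIRS)`, and the deprecated-types paragraph should state plainly that a path previously restricted to a caller-chosen shared label, or to pkg_id plus appsetting apps, now becomes readable and writable by every application, since a caller that merely upgrades the library gets that widening without any change on its side. Typos in the new text: `publicily` in the LABEL_FOR_PUBLIC_SHARED_DIRS comment and `compatility` in the APP_PATH_ANY_LABEL bullet.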
index 9d06a16..ab0240e 100644 (file)
@@ -91,20 +91,6 @@ int add_modified_permission_internal(sqlite3 *p_db, sqlite3_int64 i_permission_i
 
 
 /**
- * Adds label names of the application's folders to the modified labels.
- * Used during removing application.
- *
- * @ingroup RDB internal functions
- *
- * @param  p_db             pointer to a SQLite3 database object
- * @param  s_app_label_name label of the application
- * @return                  PC_OPERATION_SUCCESS on success,
- *                          error code otherwise
- */
-int add_modified_apps_path_internal(sqlite3 *p_db, const char *const s_app_label_name);
-
-
-/**
  * Open a connection with the database and perform an initialization.
  *
  * @ingroup RDB internal functions
index c70fd0e..542f670 100644 (file)
@@ -96,28 +96,6 @@ int rdb_remove_application(const char *const s_label_name);
 
 
 /**
- * Add a path to the database.
- *
- * @ingroup RDB API functions
- *
- * @param  s_owner_label_name owner application's label name
- * @param  s_path_label_name  path's label name
- * @param  s_path             the path
- * @param  s_access           owner to path label access rights
- * @param  s_access_reverse   path label to owner access rights
- * @param  s_type             type of path
- * @return                    PC_OPERATION_SUCCESS on success,
- *                            error code otherwise
- */
-int rdb_add_path(const char *const s_owner_label_name,
-                const char *const s_path_label_name,
-                const char *const s_path,
-                const char *const s_access,
-                const char *const s_access_reverse,
-                const char *const s_type);
-
-
-/**
  * Add permission with the given name and type and add smack rules.
  *
  * @ingroup RDB API functions
index 8b14dda..2eb3f42 100644 (file)
@@ -435,25 +435,6 @@ inline const char* app_type_group_name(app_type_t app_type)
        }
 }
 
-const char* app_path_type_name(app_path_type_t app_path_type)
-{
-       SECURE_C_LOGD("Entering function %s. Params: app_path_type=%d", __func__, app_path_type);
-
-       switch(app_path_type) {
-       case APP_PATH_GROUP_RW:
-               return "GROUP_PATH";
-       case APP_PATH_PUBLIC_RO:
-               return "PUBLIC_PATH";
-       case APP_PATH_SETTINGS_RW:
-               return "SETTINGS_PATH";
-       case APP_PATH_PRIVATE:
-       case APP_PATH_ANY_LABEL:
-       default:
-               // App path type not stored in the database, return NULL;
-               return NULL;
-       }
-}
-
 /**
  * This function changes permission URI to basename for file name.
  * For e.g. from http://tizen.org/privilege/contact.read will be
index 9c51723..4a5f36e 100644 (file)
@@ -879,6 +879,45 @@ API int perm_app_has_permission(const char *app_label,
        return rdb_app_has_permission(app_label, app_group, permission_name, is_enabled);
 }
 
+static int app_label_public_shared_dir(const char *path, const char *label,
+                                      bool set_transmutable)
+{
+       int ret = PC_OPERATION_SUCCESS;
+
+       SECURE_C_LOGD("Entering function: %s. Params: path=%s, label=%s, "
+                     "set_transmutable=%s", __func__, label, path,
+                     set_transmutable ? "true" : "false");
+
+       if(path == NULL) {
+               C_LOGE("Invalid argument path (NULL).");
+               return PC_ERR_INVALID_PARAM;
+       }
+
+       if (!smack_label_is_valid(label)) {
+               C_LOGE("Invalid label (%s).", label);
+               return PC_ERR_INVALID_PARAM;
+       }
+
+       // setting access label on everything in given directory and below
+       ret = dir_set_smack_r(path, label, XATTR_NAME_SMACK, label_all);
+       if (PC_OPERATION_SUCCESS != ret) {
+               C_LOGE("dir_set_smack_r failed (access label): %d", ret);
+               return ret;
+       }
+
+       if (set_transmutable) {
+               // setting transmute on dirs
+               ret = dir_set_smack_r(path, "TRUE", XATTR_NAME_SMACKTRANSMUTE,
+                                     label_dirs);
+               if (PC_OPERATION_SUCCESS != ret) {
+                       C_LOGE("dir_set_smack_r failed (transmute): %d", ret);
+                       return ret;
+               }
+       }
+
+       return ret;
+}
+
 API int app_label_dir(const char* label, const char* path)//deprecated
 {
        SECURE_C_LOGD("Entering function: %s. Params: label=%s, path=%s",
@@ -971,37 +1010,6 @@ API int add_shared_dir_readers(const char* shared_label UNUSED, const char** app
        return PC_ERR_INVALID_OPERATION;
 }
 
-static char* smack_label_for_path(const char *app_id, const char *path)
-{
-       SECURE_C_LOGD("Entering function: %s. Params: app_id=%s, path=%s",
-                               __func__, app_id, path);
-
-       char *salt AUTO_FREE;
-       char *label;
-       char *x;
-
-       /* Prefix $1$ causes crypt() to use MD5 function */
-       if (-1 == asprintf(&salt, "$1$%s", app_id)) {
-               C_LOGE("asprintf failed");
-               return NULL;
-       }
-
-       label = crypt(path, salt);
-       if (label == NULL) {
-               C_LOGE("crypt failed");
-               return NULL;
-       }
-
-       /* crypt() output may contain slash character,
-        * which is not legal in Smack labels */
-       for (x = label; *x; ++x) {
-               if (*x == '/')
-                       *x = '%';
-       }
-
-       return label;
-}
-
 /* FIXME: remove this pragma once deprecated API is deleted */
 #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 static int perm_app_setup_path_internal(const char* pkg_id, const char* path, app_path_type_t app_path_type, va_list ap)
@@ -1032,104 +1040,36 @@ static int perm_app_setup_path_internal(const char* pkg_id, const char* path, ap
                C_LOGD("app_path_type is APP_PATH_PRIVATE.");
                return app_label_dir(app_label, path);
 
-       case APP_PATH_GROUP_RW: {
-               C_LOGD("app_path_type is APP_PATH_GROUP.");
-               int ret;
-               const char *shared_label;
+       case APP_PATH_SETTINGS_RW:
+       case APP_PATH_PUBLIC_RO:
+       case APP_PATH_GROUP_RW:
+       case APP_PATH_PUBLIC: {
+               int res;
 
-               shared_label = va_arg(ap, const char *);
-
-               if (!smack_label_is_valid(shared_label)) {
-                       C_LOGE("Invalid shared_label.");
-                       return PC_ERR_INVALID_PARAM;
-               }
-
-               if (strcmp(app_label, shared_label) == 0) {
-                       C_LOGE("app_label equals shared_label.");
-                       return PC_ERR_INVALID_PARAM;
-               }
-
-               ret = app_label_shared_dir(app_label, shared_label, path);
-               if (ret != PC_OPERATION_SUCCESS) {
-                       C_LOGE("app_label_shared_dir failed: %d", ret);
-                       return ret;
-               }
-
-               // Add the path to the database:
-               ret = rdb_add_path(app_label, shared_label, path, "rwxatl", "-", "GROUP_PATH");
-               if (ret != PC_OPERATION_SUCCESS) {
-                       C_LOGE("RDB rdb_add_path failed with: %d", ret);
-                       return ret;
-               }
-
-               return PC_OPERATION_SUCCESS;
-       }
-
-       case APP_PATH_PUBLIC_RO: {
                C_LOGD("app_path_type is APP_PATH_PUBLIC.");
-               const char *label;
-               int ret;
-
-               C_LOGD("New public RO path %s", path);
-
-               // Generate label:
-               label = smack_label_for_path(app_label, path);
-               if (label == NULL) {
-                       C_LOGE("smack_label_for_path failed.");
-                       return PC_ERR_INVALID_OPERATION;
+               res = app_label_public_shared_dir(path,
+                                                 LABEL_FOR_PUBLIC_SHARED_DIRS,
+                                                 true);
+               if (res != PC_OPERATION_SUCCESS) {
+                       C_LOGE("label_user_dir failed: %d", res);
+                       return res;
                }
-               C_LOGD("Generated label '%s' for public RO path %s", label, path);
 
-               ret = app_label_shared_dir(app_label, label, path);
-               if (ret != PC_OPERATION_SUCCESS) {
-                       C_LOGE("app_label_shared_dir failed.");
-                       return ret;
-               }
-
-               // Add the path to the database:
-               ret = rdb_add_path(app_label, label, path, "rwxatl", "-", "PUBLIC_PATH");
-               if (ret != PC_OPERATION_SUCCESS) {
-                       C_LOGE("RDB rdb_add_path failed with: %d", ret);
-                       return ret;
-               }
-
-               return PC_OPERATION_SUCCESS;
+               return res;
        }
 
-       case APP_PATH_SETTINGS_RW: {
-               C_LOGD("app_path_type is APP_PATH_SETTINGS.");
-               const char *label;
-               int ret;
-
-               // Generate label:
-               label = smack_label_for_path(app_label, path);
-               if (label == NULL) {
-                       C_LOGE("smack_label_for_path failed.");
-                       return PC_ERR_INVALID_OPERATION;
-               }
-               C_LOGD("Appsetting: generated label '%s' for setting path %s", label, path);
-
-               /*set id for path and all subfolders*/
-               ret = app_label_shared_dir(app_label, label, path);
-               if (ret != PC_OPERATION_SUCCESS) {
-                       C_LOGE("Appsetting: app_label_shared_dir failed (%d)", ret);
-                       return ret;
-               }
+       case APP_PATH_ANY_LABEL:
+       case APP_PATH_FLOOR: {
+               const char *label = "_";
+               const char *anylabel UNUSED = NULL;
 
-               // Add the path to the database:
-               ret = rdb_add_path(app_label, label, path, "rwxatl", "-", "SETTINGS_PATH");
-               if (ret != PC_OPERATION_SUCCESS) {
-                       C_LOGE("RDB rdb_add_path failed with: %d", ret);
-                       return ret;
+               if (APP_PATH_ANY_LABEL == app_path_type) {
+                       C_LOGD("app_path_type is APP_PATH_ANY_LABEL (deprecated). "
+                              "Please, use APP_PATH_FLOOR instead.");
+                       anylabel = va_arg(ap, const char *);
+               } else {
+                       C_LOGD("app_path_type is APP_PATH_FLOOR.");
                }
-
-               return PC_OPERATION_SUCCESS;
-       }
-
-       case APP_PATH_ANY_LABEL: {
-               C_LOGD("app_path_type is APP_PATH_ANY_LABEL.");
-               const char *label = NULL;
-               label = va_arg(ap, const char *);
                return app_label_dir(label, path);
        }
 
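Review bot: In `app_label_public_shared_dir` the entry log's format lists `path=%s, label=%s` but the arguments are passed as `label, path`, so the trace prints them swapped; change the call to `__func__, path, label,`. In the perm_app_setup_path_internal hunk, the failure message `C_LOGE("label_user_dir failed: %d", res);` names a function other than the one called — `C_LOGE("app_label_public_shared_dir failed: %d", res);` keeps the log searchable. That hunk sits inside perm_app_setup_path_internal, whose body starts and ends outside it. The APP_PATH_ANY_LABEL branch reads the caller's label only to discard it; logging the ignored value in the existing deprecation C_LOGD would make it visible when a path that was expected to carry a custom label turns up with `_`.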
index 4cddb3b..e77eb81 100644 (file)
@@ -120,28 +120,6 @@ finish:
 }
 
 
-int add_modified_apps_path_internal(sqlite3 *p_db,
-                                   const char *const s_app_label_name)
-{
-       int ret = PC_OPERATION_SUCCESS;
-       sqlite3_stmt *p_stmt = NULL;
-       ret = prepare_stmt(p_db, &p_stmt,
-                          "INSERT OR IGNORE INTO modified_label(name) \
-                           SELECT path_view.path_label_name           \
-                           FROM   path_view                           \
-                           WHERE  path_view.owner_app_label_name = %Q",
-                          s_app_label_name);
-       if(ret != PC_OPERATION_SUCCESS) goto finish;
-
-       ret = step_and_convert_returned_value(p_stmt);
-finish:
-       if(sqlite3_finalize(p_stmt) != SQLITE_OK)
-               C_LOGE("RDB: Error during finalizing statement: %s",
-                      sqlite3_errmsg(p_db));
-       return ret;
-}
-
-
 /**
  * Function called when the target database is busy.
  * We attempt to access the database every
@@ -408,42 +386,6 @@ finish:
 }
 
 
-int add_path_internal(sqlite3 *p_db,
-                     const char *const s_owner_label_name,
-                     const char *const s_path_label_name,
-                     const char *const s_path,
-                     const char *const s_access,
-                     const char *const s_access_reverse,
-                     const char *const s_type)
-{
-       RDB_LOG_ENTRY_PARAM("%s %s %s %s %s %s",
-                           s_owner_label_name, s_path_label_name,
-                           s_path, s_access, s_access_reverse, s_type);
-
-       int ret = PC_ERR_DB_OPERATION;
-       sqlite3_stmt *p_stmt = NULL;
-
-       ret = prepare_stmt(p_db, &p_stmt,
-                          "INSERT INTO path_view(owner_app_label_name, \
-                                                 path,                 \
-                                                 path_label_name,      \
-                                                 access,               \
-                                                 access_reverse,       \
-                                                 path_type_name)       \
-                            VALUES(%Q, %Q, %Q, %Q, %Q, %Q);",
-                          s_owner_label_name, s_path, s_path_label_name,
-                          s_access, s_access_reverse, s_type);
-       if(ret != PC_OPERATION_SUCCESS) goto finish;
-
-       ret = step_and_convert_returned_value(p_stmt);
-finish:
-       if(sqlite3_finalize(p_stmt) != SQLITE_OK)
-               C_LOGE("RDB: Error during finalizing statement: %s",
-                      sqlite3_errmsg(p_db));
-       return ret;
-}
-
-
 int add_permission_internal(sqlite3 *p_db,
                            const char *const s_permission_name,
                            const char *const s_permission_type_name)
@@ -582,31 +524,6 @@ finish:
 }
 
 
-static int add_permission_app_path_type_rule(sqlite3_stmt *p_stmt,
-               const sqlite3_int64 i_permission_id,
-               const char *const s_path_type_name,
-               const char *const s_access,
-               const int i_is_reverse)
-{
-       int ret = PC_OPERATION_SUCCESS;
-
-       if(sqlite3_bind_int(p_stmt, 1, i_permission_id) ||
-           sqlite3_bind_text(p_stmt, 2, s_path_type_name, RDB_AUTO_DETERM_SIZE, 0)  ||
-           sqlite3_bind_text(p_stmt, 3, s_access, RDB_AUTO_DETERM_SIZE, 0) ||
-           sqlite3_bind_int(p_stmt, 4, i_is_reverse)) {
-               C_LOGE("RDB: Error during binding to statement: %s",
-                      sqlite3_errmsg(sqlite3_db_handle(p_stmt)));
-               ret = PC_ERR_DB_QUERY_BIND;
-               goto finish;
-       }
-
-       ret = step_and_convert_returned_value(p_stmt);
-
-finish:
-       reset_and_unbind_stmt(p_stmt);
-       return ret;
-}
-
 int add_permission_rules_internal(sqlite3 *p_db,
                                  const sqlite3_int64 i_permission_id,
                                  const char *const *const pp_smack_rules)
@@ -621,7 +538,6 @@ int add_permission_rules_internal(sqlite3 *p_db,
        int i;
        sqlite3_stmt *p_perm_to_label_stmt = NULL;
        sqlite3_stmt *p_perm_to_perm_stmt = NULL;
-       sqlite3_stmt *p_perm_to_app_path_type_stmt = NULL;
 
        // Prepare stmts. They are static, so we parse SQL only once per process and reuse it.
        ret = prepare_stmts_for_bind(p_db, &p_perm_to_label_stmt,
@@ -638,13 +554,6 @@ int add_permission_rules_internal(sqlite3 *p_db,
        if(ret != PC_OPERATION_SUCCESS) goto finish;
 
 
-       ret = prepare_stmts_for_bind(p_db, &p_perm_to_app_path_type_stmt,
-                                    "INSERT INTO permission_app_path_type_rule_view(        \
-                                     permission_id, app_path_type_name, access, is_reverse) \
-                                     VALUES(?,?,?,?)");
-       if(ret != PC_OPERATION_SUCCESS) goto finish;
-
-
        for(i = 0; pp_smack_rules[i] != NULL ; ++i) {
                C_LOGD("RDB: Granting permission: %s", pp_smack_rules[i]);
 
@@ -688,29 +597,6 @@ int add_permission_rules_internal(sqlite3 *p_db,
                                                             i_is_reverse);
                        if(ret != PC_OPERATION_SUCCESS) goto finish;
 
-               } else if(!strcmp(s_label, "~PUBLIC_PATH~")) {
-                       ret = add_permission_app_path_type_rule(p_perm_to_app_path_type_stmt,
-                                                               i_permission_id,
-                                                               "PUBLIC_PATH",
-                                                               s_access,
-                                                               i_is_reverse);
-                       if(ret != PC_OPERATION_SUCCESS) goto finish;
-
-               } else if(!strcmp(s_label, "~GROUP_PATH~")) {
-                       ret = add_permission_app_path_type_rule(p_perm_to_app_path_type_stmt,
-                                                               i_permission_id,
-                                                               "GROUP_PATH",
-                                                               s_access,
-                                                               i_is_reverse);
-                       if(ret != PC_OPERATION_SUCCESS) goto finish;
-
-               } else if(!strcmp(s_label, "~SETTINGS_PATH~")) {
-                       ret = add_permission_app_path_type_rule(p_perm_to_app_path_type_stmt,
-                                                               i_permission_id,
-                                                               "SETTINGS_PATH",
-                                                               s_access,
-                                                               i_is_reverse);
-                       if(ret != PC_OPERATION_SUCCESS) goto finish;
                }
        }
 
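Review bot: With the three `else if` branches removed, a rule line whose label is `~PUBLIC_PATH~`, `~GROUP_PATH~` or `~SETTINGS_PATH~` now falls off the end of the chain at the closing brace and is neither stored nor reported, so a permission file that still carries one of these pseudo-labels loses that rule silently. Policy that is dropped without a diagnostic is hard to notice in a Smack deployment, so the new side should at least log the unhandled label, e.g. a trailing `} else { C_LOGE("RDB: Unsupported label '%s' in rule '%s', rule skipped", s_label, pp_smack_rules[i]); }` after the last surviving branch. Whether to go further and fail the whole `add_permission_rules_internal` call (a `goto finish` with an error code) is a policy choice, since it would also reject any other unknown label that the chain previously ignored; I cannot tell from this hunk whether such a fallback existed before. The enclosing function and the start of the `if`/`else if` chain lie outside the hunk.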
@@ -729,11 +615,6 @@ finish:
                       sqlite3_errmsg(p_db));
        }
 
-       if(p_perm_to_app_path_type_stmt &&
-           sqlite3_finalize(p_perm_to_app_path_type_stmt) != SQLITE_OK) {
-               C_LOGE("RDB: Error during finalizing statement: %s",
-                      sqlite3_errmsg(p_db));
-       }
        return ret;
 }
 
index 46a91a7..7618f5a 100644 (file)
@@ -268,9 +268,6 @@ int rdb_remove_application(const char *const s_label_name)
        ret = add_modified_label_internal(p_db, s_label_name);
        if(ret != PC_OPERATION_SUCCESS) goto finish;
 
-       ret = add_modified_apps_path_internal(p_db, s_label_name);
-       if(ret != PC_OPERATION_SUCCESS) goto finish;
-
        ret = remove_app_internal(p_db, s_label_name);
 
 finish:
@@ -278,39 +275,6 @@ finish:
 }
 
 
-int rdb_add_path(const char *const s_owner_label_name,
-                const char *const s_path_label_name,
-                const char *const s_path,
-                const char *const s_access,
-                const char *const s_access_reverse,
-                const char *const s_type)
-{
-       RDB_LOG_ENTRY_PARAM("%s %s %s %s %s %s",
-                           s_owner_label_name, s_path_label_name,
-                           s_path, s_access, s_access_reverse, s_type);
-
-       int ret = PC_ERR_DB_OPERATION;
-       sqlite3 *p_db = NULL;
-
-       ret = rdb_begin(&p_db, RDB_TRANSACTION_EXCLUSIVE);
-       if(ret != PC_OPERATION_SUCCESS) goto finish;
-
-       ret = add_path_internal(p_db,
-                               s_owner_label_name,
-                               s_path_label_name,
-                               s_path,
-                               s_access,
-                               s_access_reverse,
-                               s_type);
-       if(ret != PC_OPERATION_SUCCESS) goto finish;
-
-       ret = add_modified_label_internal(p_db, s_path_label_name);
-
-finish:
-       return rdb_finish(p_db, ret);
-}
-
-
 int rdb_add_permission_rules(const char *const s_permission_name,
                             const char *const s_permission_type_name,
                             const char *const *const pp_smack_rules)
@@ -463,9 +427,6 @@ int rdb_revoke_app_permissions(const char *const s_app_label_name)
        ret = add_modified_label_internal(p_db, s_app_label_name);
        if(ret != PC_OPERATION_SUCCESS) goto finish;
 
-       ret = add_modified_apps_path_internal(p_db, s_app_label_name);
-       if(ret != PC_OPERATION_SUCCESS) goto finish;
-
        ret = revoke_app_permissions_internal(p_db, s_app_label_name);
 
 finish: