projects / platform / core / security / security-manager.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 443db22)
Adjust cynara policy to use UIDs instead of Smack labels on no-smack image 88/318888/19
authorKrzysztof Malysa <k.malysa@samsung.com>
Thu, 30 Jan 2025 11:32:02 +0000 (12:32 +0100)
committerKrzysztof Jackiewicz <k.jackiewicz@samsung.com>
Fri, 14 Feb 2025 16:06:26 +0000 (16:06 +0000)
Change-Id: I7a4dbd3799e58cdb90f5f43be01869e68bb31b81

policy/security-manager-policy-reload.in patch | blob | history

diff --git a/policy/security-manager-policy-reload.in b/policy/security-manager-policy-reload.in
index 5195d49002a7abfed80c395553fe04775bb63b8e..bbeae7259ea60a787f33e176528d94c1d45e1272 100755 (executable)
--- a/policy/security-manager-policy-reload.in
+++ b/policy/security-manager-policy-reload.in
@@ -27,6 +27,7 @@ PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list
 PRIVILEGE_SYSTEMD_LIST=$POLICY_PATH/privilege-managed-by-systemd-for-daemons.list
 
 DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db
+SMACK_ENABLED=$(test "@SUPPORT_SMACK@" != "" && echo true || echo false)
 
 # Create default buckets
 while read bucket default_policy
@@ -81,23 +82,43 @@ do
 done
 
 # Non-application programs get access to all privileges...
-for client in User System System::Privileged
-do
-    cyad --set-policy --bucket=MANIFESTS_GLOBAL --client="$client" --user="*" --privilege="*" --type=ALLOW
-done
+if $SMACK_ENABLED; then
+    for client in User System System::Privileged
+    do
+        cyad --set-policy --bucket=MANIFESTS_GLOBAL --client="$client" --user="*" --privilege="*" --type=ALLOW
+    done
+else
+    for uid in $(cut -d : -f 3 /etc/passwd); do
+        # Non-aplication program UIDs are [0,5000), smack-enabled application UIDs are [5000,10000), no-smack app UIDs are >=10000
+        if [ "$uid" -lt 10000 ]; then
+            cyad --set-policy --bucket=MANIFESTS_GLOBAL --client="*" --user="$uid" --privilege="*" --type=ALLOW
+        fi
+    done
+fi
 
 # ...except these that have their GIDs managed by systemd
 grep -v '^#' "$PRIVILEGE_SYSTEMD_LIST" |
 while read privilege
 do
-    for client in User System System::Privileged
-    do
-        cyad --set-policy --bucket=MANIFESTS_GLOBAL --client="$client" --user="*" --privilege="$privilege" --type=DENY
-    done
+    if $SMACK_ENABLED; then
+        for client in User System System::Privileged
+        do
+            cyad --set-policy --bucket=MANIFESTS_GLOBAL --client="$client" --user="*" --privilege="$privilege" --type=DENY
+        done
+    else
+        for uid in $(cut -d : -f 3 /etc/passwd); do
+            # Non-aplication program UIDs are [0,5000), smack-enabled application UIDs are [5000,10000), no-smack app UIDs are >=10000
+            if [ "$uid" -lt 10000 ] && [ "$uid" != 0 ]; then
+                cyad --set-policy --bucket=MANIFESTS_GLOBAL --client="*" --user="$uid" --privilege="$privilege" --type=DENY
+            fi
+        done
+    fi
 done
 
 # Root shell get access to all privileges
-cyad --set-policy --bucket=MANIFESTS_GLOBAL --client="User::Shell" --user="0" --privilege="*" --type=ALLOW
+if $SMACK_ENABLED; then
+    cyad --set-policy --bucket=MANIFESTS_GLOBAL --client="User::Shell" --user="0" --privilege="*" --type=ALLOW
+fi # Already done above in no-smack env
 
 # @(kernel thread) can get access to internet privilege
 cyad --set-policy --bucket=MANIFESTS_GLOBAL --client="@" --user=* --privilege="http://tizen.org/privilege/internet" --type=ALLOW
Domain: Security / Access Control;