New API for registering app permissions.
authorSebastian Grabowski <s.grabowski@partner.samsung.com>
Mon, 4 Nov 2013 07:18:17 +0000 (08:18 +0100)
committerKrzysztof Jackiewicz <k.jackiewicz@samsung.com>
Thu, 30 Jan 2014 11:47:56 +0000 (12:47 +0100)
[Issue#]        SSDWSSP-620
[Bug/Feature]   Add new API in libprivilege-control and use it in
                security-server.
[Cause]         There is a need to prepare changes for installers team
                regarding usage of perm_app_setup_permissions function.
[Solution]      Function perm_app_setup_permissions (former
                perm_app_register_permissions) is intended to
                add persistent permissions during installation process.
                Function perm_app_enable_permissions from now on should
                not be used for initial addition of app permissions.
                Dependencies:
                security-tests:
                I18ddd5d286988584cd822a4b929419c8bc1c6102
[Verification]  Build, install, run tests.

Change-Id: I4a14b0f91a5bc7e358339cacb5b93fcf234935eb

db/rules-db.sql
include/privilege-control.h
src/privilege-control.c
src/rules-db-internals.c

index b09cdf3..6dbd416 100644 (file)
@@ -638,7 +638,7 @@ DROP TRIGGER IF EXISTS app_permission_view_insert_trigger;
 CREATE TRIGGER app_permission_view_insert_trigger
 INSTEAD OF INSERT ON app_permission_view
 BEGIN
-    INSERT INTO app_permission(app_id, permission_id, is_volatile, is_enabled)
+    INSERT OR IGNORE INTO app_permission(app_id, permission_id, is_volatile, is_enabled)
     SELECT      NEW.app_id,
                 permission_view.permission_id,
                 NEW.is_volatile,
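Review bot: `INSERT OR IGNORE` in `app_permission_view_insert_trigger` silently drops the new row on a conflict, so an `(app_id, permission_id)` pair that already exists keeps its stored `is_volatile` and `is_enabled` values and the caller sees success. A permission first added as volatile would then presumably stay volatile when the installer later sets it up as persistent; the table constraints are not visible in this hunk, so confirm which conflicts can occur. OR IGNORE also skips rows that violate NOT NULL or CHECK constraints, not only duplicates. I would add a comment above the statement, `-- OR IGNORE: an existing (app_id, permission_id) row is kept as is; is_volatile/is_enabled are NOT updated here`, or handle the duplicate case explicitly. The trigger body continues past the end of the hunk.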
index 75ca37f..76eaa2f 100644 (file)
@@ -255,15 +255,17 @@ int app_add_volatile_permissions(const char* app_id, const char** perm_list) DEP
  * @param  perm_list  array of permission names, last element must be NULL
  * @return            PC_OPERATION_SUCCESS on success, PC_ERR_* on error
  */
-int perm_app_register_permissions(const char *pkg_id, app_type_t app_type,
-        const char **perm_list);
+int perm_app_setup_permissions(const char* pkg_id, app_type_t app_type,
+                              const char** perm_list);
 
 /**
- * Grants SMACK permissions to an application, based on permissions list. It is
+ * Grants SMACK permissions to an application, based on permissions list. It was
  * intended to be called during that application installation. Permissions
  * granted as volatile will not be present after system boot. It must be called
  * by privileged user and within database transaction started with perm_begin()
  * and finished with perm_end().
+ * In new code please call perm_app_setup_permissions during your application
+ * installation instead of this function.
  *
  * @param  pkg_id      application identifier
  * @param  app_type    application type
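Review bot: The prototype of `perm_app_register_permissions` is removed outright, so code still calling the old name stops building. The hunk header suggests other superseded entry points in this header, such as `app_add_volatile_permissions`, are kept with a deprecation marker. If installers need a transition period, keep the old declaration with that same marker and forward it to `perm_app_setup_permissions`. Separately, the reworded comment on the next function says "It was intended" but does not say what the function is still meant for. I would state the contract, e.g. `* Do not use for initial registration of permissions; call perm_app_setup_permissions at install time.`. That comment block continues past the end of the hunk.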
index 03f7ab4..d626c35 100644 (file)
@@ -828,66 +828,12 @@ API char* perm_app_id_from_socket(int sockfd)
 }
 
 
-static int app_add_permissions_internal(const char* app_id, app_type_t app_type, const char** perm_list, int permanent)
-{
-       SECURE_C_LOGD("Entering function: %s. Params: app_id=%s, app_type=%d, permanent=%d",
-                               __func__, app_id, app_type, permanent);
-
-       int i, ret;
-       char* smack_path AUTO_FREE;
-       char* smack_path_early AUTO_FREE;
-       int fd AUTO_CLOSE;
-       int fd_early AUTO_CLOSE;
-       struct smack_accesses *smack AUTO_SMACK_FREE;
-       struct smack_accesses *smack_early AUTO_SMACK_FREE;
-
-       if (!smack_label_is_valid(app_id)) {
-               C_LOGE("Invalid param app_id.");
-               return PC_ERR_INVALID_PARAM;
-       }
-
-       if(perm_list == NULL) {
-               C_LOGE("Invalid perm_list (NULL).");
-               return PC_ERR_INVALID_PARAM;
-       }
-
-       if (app_type_group_name(app_type) == NULL) {
-               C_LOGE("Unknown app type.");
-               return PC_ERR_INVALID_PARAM;
-       }
-
-       // Add permission to DAC
-       for (i = 0; perm_list[i] != NULL; ++i) {
-               ret = perm_to_dac(app_id, app_type, perm_list[i]);
-               if (ret != PC_OPERATION_SUCCESS){
-                       C_LOGE("perm_to_dac failed");
-                       return ret;
-               }
-       }
-
-       // Enable the permissions:
-       ret = rdb_enable_app_permissions(app_id,
-                                        app_type,
-                                        perm_list,
-                                        !((bool)permanent));
-       if (ret != PC_OPERATION_SUCCESS) {
-               C_LOGE("RDB rdb_enable_app_permissions failed with: %d", ret);
-               return ret;
-       }
-
-
-       SECURE_C_LOGD("Leaving function: %s. Params: app_id=%s, app_type=%d, permanent=%d",
-                               __func__, app_id, app_type, permanent);
-
-       return PC_OPERATION_SUCCESS;
-}
-
 API int app_add_permissions(const char* app_id, const char** perm_list)//deprecated
 {
        SECURE_C_LOGD("Entering function: %s. Params: app_id=%s",
                                __func__, app_id);
 
-       return app_add_permissions_internal(app_id, APP_TYPE_OTHER, perm_list, 1);
+       return perm_app_enable_permissions(app_id, APP_TYPE_OTHER, perm_list, true);
 }
 
 API int app_add_volatile_permissions(const char* app_id, const char** perm_list)//deprecated
@@ -895,11 +841,11 @@ API int app_add_volatile_permissions(const char* app_id, const char** perm_list)
        SECURE_C_LOGD("Entering function: %s. Params: app_id=%s",
                                __func__, app_id);
 
-       return app_add_permissions_internal(app_id, APP_TYPE_OTHER, perm_list, 0);
+       return perm_app_enable_permissions(app_id, APP_TYPE_OTHER, perm_list, false);
 }
 
-API int perm_app_register_permissions(const char *pkg_id, app_type_t app_type,
-        const char **perm_list)
+API int perm_app_setup_permissions(const char* pkg_id, app_type_t app_type,
+                                  const char** perm_list)
 {
        SECURE_C_LOGD("Entering function: %s. Params: pkg_id=%s, app_type=%d",
                                __func__, pkg_id, app_type);
@@ -911,15 +857,50 @@ API int app_enable_permissions(const char* pkg_id, app_type_t app_type, const ch
        SECURE_C_LOGD("Entering function: %s. Params: pkg_id=%s, app_type=%d, persistent=%d",
                                __func__, pkg_id, app_type, persistent);
 
-       return app_add_permissions_internal(pkg_id, app_type, perm_list, persistent);
+       return perm_app_enable_permissions(pkg_id, app_type, perm_list, persistent);
 }
 
-API int perm_app_enable_permissions(const char* pkg_id, app_type_t app_type, const char** perm_list, bool persistent)
+API int perm_app_enable_permissions(const char* pkg_id, app_type_t app_type,
+                                   const char** perm_list, bool persistent)
 {
        SECURE_C_LOGD("Entering function: %s. Params: pkg_id=%s, app_type=%d, persistent=%d",
                                __func__, pkg_id, app_type, persistent);
 
-       return app_add_permissions_internal(pkg_id, app_type, perm_list, persistent);
+       int i, ret;
+
+       if (!smack_label_is_valid(pkg_id)) {
+               C_LOGE("Invalid param app_id.");
+               return PC_ERR_INVALID_PARAM;
+       }
+
+       if (perm_list == NULL) {
+               C_LOGE("Invalid perm_list (NULL).");
+               return PC_ERR_INVALID_PARAM;
+       }
+
+       if (app_type_group_name(app_type) == NULL) {
+               C_LOGE("Unknown app type.");
+               return PC_ERR_INVALID_PARAM;
+       }
+
+       /* Add permission to DAC */
+       for (i = 0; perm_list[i] != NULL; ++i) {
+               ret = perm_to_dac(pkg_id, app_type, perm_list[i]);
+               if (ret != PC_OPERATION_SUCCESS) {
+                       C_LOGE("perm_to_dac failed");
+                       return ret;
+               }
+       }
+
+       /* Enable the permissions: */
+       ret = rdb_enable_app_permissions(pkg_id, app_type, perm_list,
+                                        !((bool)persistent));
+       if (ret != PC_OPERATION_SUCCESS) {
+               C_LOGE("RDB rdb_enable_app_permissions failed with: %d", ret);
+               return ret;
+       }
+
+       return PC_OPERATION_SUCCESS;
 }
 
 API int app_disable_permissions(const char* pkg_id, app_type_t app_type, const char** perm_list)//deprecated
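Review bot: In `perm_app_enable_permissions` the `perm_to_dac` loop runs over the list before `rdb_enable_app_permissions` is called. A failure on a later entry or in the database step therefore returns an error after the earlier `perm_to_dac` calls have already taken effect, and nothing in the visible code undoes them. Whether those calls are covered by the perm_begin()/perm_end() transaction cannot be seen here, so I would at least document it above the loop: `/* NOTE: changes made by perm_to_dac are not reverted if a later entry or the rules-db step fails */`. The entry log also formats `pkg_id` with `%s` before `smack_label_is_valid(pkg_id)` has rejected a NULL or invalid value. The first error message still names the old parameter and should read `C_LOGE("Invalid param pkg_id.");`.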
index f0ebf1a..47778bf 100644 (file)
@@ -923,7 +923,7 @@ int get_app_id_internal(sqlite3 *p_db,
        ret = prepare_stmt(p_db, &p_stmt,
                           "SELECT application_view.app_id \
                             FROM application_view \
-                            WHERE application_view.name = %Q",
+                            WHERE application_view.name = %Q LIMIT 1",
                           s_app_label_name);
 
        if(ret != PC_OPERATION_SUCCESS) goto finish;
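Review bot: `LIMIT 1` without an `ORDER BY` returns an arbitrary row when more than one `application_view` entry has the same `name`. A duplicated label would then resolve to an unpredictable `app_id` instead of being reported, which matters because that id is then used for permission changes. If `name` is guaranteed unique by the schema (not visible in this hunk), say so next to the query, e.g. `/* application_view.name is unique; LIMIT 1 only bounds the scan */`. Otherwise add `ORDER BY application_view.app_id` or treat a second row as an error. The body of `get_app_id_internal` continues outside the hunk.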
@@ -1063,10 +1063,10 @@ int change_app_permission_internal(sqlite3 *p_db,
 
        ret = prepare_stmt(p_db, &p_stmt,
                           "SELECT is_volatile, is_enabled, permission_id      \
-                            FROM    app_permission_list_view                   \
-                            WHERE   app_id = %d AND                            \
-                            permission_name=%Q AND                             \
-                            permission_type_name=%Q LIMIT 1",
+                           FROM    app_permission_list_view                   \
+                           WHERE   app_id = %d AND                            \
+                           permission_name=%Q AND                             \
+                           permission_type_name=%Q LIMIT 1",
                           i_app_id, s_permission_name, s_permission_type_name);
        if(ret != PC_OPERATION_SUCCESS) goto finish;