)
SET(libprivilege-control_LDFLAGS " -module -avoid-version ")
SET(libprivilege-control_CFLAGS " ${CFLAGS} -fPIC -I${include_dir}")
- #SET(libprivilege-control_LIBADD " ")
+ SET(libprivilege-control_LIBADD "${pkgs_LDFLAGS} -lcap -lcrypt")
- ADD_LIBRARY(privilege-control SHARED ${libprivilege-control_SOURCES})
- TARGET_LINK_LIBRARIES(privilege-control ${pkgs_LDFLAGS} ${pkgs_LIBRARIES})
- SET_TARGET_PROPERTIES(privilege-control PROPERTIES COMPILE_FLAGS "${libprivilege-control_CFLAGS}")
- SET_TARGET_PROPERTIES(privilege-control PROPERTIES SOVERSION ${VERSION_MAJOR})
- SET_TARGET_PROPERTIES(privilege-control PROPERTIES VERSION ${VERSION})
+ ADD_LIBRARY(${TARGET_PRIVILEGE_CONTROL} SHARED ${libprivilege-control_SOURCES})
+ TARGET_LINK_LIBRARIES(${TARGET_PRIVILEGE_CONTROL} ${libprivilege-control_LIBADD} ${pkgs_LIBRARIES})
+ SET_TARGET_PROPERTIES(${TARGET_PRIVILEGE_CONTROL} PROPERTIES COMPILE_FLAGS "${libprivilege-control_CFLAGS}")
+ SET_TARGET_PROPERTIES(${TARGET_PRIVILEGE_CONTROL} PROPERTIES SOVERSION ${VERSION_MAJOR})
+ SET_TARGET_PROPERTIES(${TARGET_PRIVILEGE_CONTROL} PROPERTIES VERSION ${VERSION})
###################################################################################################
-SET(rules-db-sql-udf_LDFLAGS " -avoid-version -module ")
+ ## for rules-db-sql-udf.so (library)
+ SET(rules-db-sql-udf_SOURCES ./db/rules-db-sql-udf.c)
-SET_TARGET_PROPERTIES(rules-db-sql-udf PROPERTIES LINK_FLAGS "${rules-db-sql-udf_LDFLAGS}")
+ SET(rules-db-sql-udf_CFLAGS " ${CFLAGS} -fPIC")
+
+ ADD_LIBRARY(rules-db-sql-udf MODULE ${rules-db-sql-udf_SOURCES})
+ SET_TARGET_PROPERTIES(rules-db-sql-udf PROPERTIES COMPILE_FLAGS "${rules-db-sql-udf_CFLAGS}")
###################################################################################################
## for slp-su (excutable)
SET_TARGET_PROPERTIES(slp-su PROPERTIES COMPILE_FLAGS "${slp-su_CFLAGS}")
###################################################################################################
- CONFIGURE_FILE(libprivilege-control.pc.in libprivilege-control.pc @ONLY)
- FILE(GLOB smackfiles ${CMAKE_CURRENT_SOURCE_DIR}/permissions/*.smack)
+ CONFIGURE_FILE(libprivilege-control.pc.in libprivilege-control.pc @ONLY)
- INSTALL(TARGETS privilege-control DESTINATION ${LIB_INSTALL_DIR} COMPONENT RuntimeLibraries)
+ INSTALL(TARGETS ${TARGET_PRIVILEGE_CONTROL} DESTINATION ${LIB_INSTALL_DIR} COMPONENT RuntimeLibraries)
+ INSTALL(TARGETS rules-db-sql-udf DESTINATION ${LIB_INSTALL_DIR} COMPONENT RuntimeLibraries)
INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/libprivilege-control.pc DESTINATION ${LIB_INSTALL_DIR}/pkgconfig)
- INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/smack_default_rules DESTINATION /opt/etc/smack/accesses.d/)
- INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/smack_default_rules2 DESTINATION /opt/etc/smack/)
-INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/passwd DESTINATION /opt/etc/)
-INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/group DESTINATION /opt/etc/)
-INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/smack_default_labeling DESTINATION /etc/rc.d/init.d/)
-INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/smack_rules DESTINATION /etc/rc.d/init.d/)
INSTALL(FILES ${CMAKE_CURRENT_SOURCE_DIR}/include/privilege-control.h DESTINATION ${INCLUDE_INSTALL_DIR})
- INSTALL(FILES ${smackfiles} DESTINATION ${SHAREDIR})
- INSTALL(FILES ${CMAKE_CURRENT_SOURCE_DIR}/app_group_list DESTINATION ${SHAREDIR})
- INSTALL(FILES ${CMAKE_CURRENT_SOURCE_DIR}/dev_group_list DESTINATION ${SHAREDIR})
- INSTALL(FILES .privilege_control_all_apps_id.db DESTINATION /opt/dbspace)
- INSTALL(FILES .privilege_control_all_avs_id.db DESTINATION /opt/dbspace)
INSTALL(FILES .privilege_control_app_gids.db DESTINATION /opt/dbspace)
#INSTALL(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/udev/ DESTINATION lib/udev)
INSTALL(PROGRAMS ${CMAKE_CURRENT_SOURCE_DIR}/slp-su DESTINATION bin)
- GROUP_WRITE
+
+ INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/db/rules-db.sql DESTINATION /usr/share/privilege-control/db)
+ INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/db/rules-db-data.sql DESTINATION /usr/share/privilege-control/db)
+ INSTALL(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/db/updates/ DESTINATION /usr/share/privilege-control/db/updates)
+ INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/db/updater.sh DESTINATION /usr/share/privilege-control/db
+ PERMISSIONS OWNER_READ
+ OWNER_WRITE
+ OWNER_EXECUTE
+ GROUP_READ
- WORLD_WRITE
+ GROUP_EXECUTE
+ WORLD_READ
- DESTINATION /usr/lib/systemd/system
- PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE)
+ WORLD_EXECUTE)
+ INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/db/load-rules-db.sql DESTINATION /usr/share/privilege-control/db)
+
+
+ INSTALL(FILES ${PROJECT_SOURCE_DIR}/smack-rules.service
++ DESTINATION /usr/lib/systemd/system
++ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE)
+
+ ADD_SUBDIRECTORY(api_feature_loader)
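Review bot: The `INSTALL(FILES ${PROJECT_SOURCE_DIR}/smack-rules.service` call near the end of this section installs the unit with `PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE`, i.e. mode 0700. A systemd unit file is configuration, not a program: systemd warns about unit files marked executable, and with no group or world read bit an unprivileged user cannot inspect which rule-loading commands run at boot. I would install it as 0644 with `PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ`. The executable bits are appropriate only for `updater.sh` a few lines above, which already gets them.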
+ * Fri Oct 25 2013 Krzysztof Jackiewicz - 0.0.43.TIZEN
+ [Krzysztof Jackiewicz]
+ - Revert "add API definition"
+ [Marcin Lis]
+ - Implement new wildcard ~NPRUNTIME_PATH~ +fix workaround
+ [Marcin Lis]
+ - Implement adding new WRT rules in libprivilege-control
+ [Kidong Kim]
+ - add API definition
+ [Jan Olszak]
+ - Correction in enabling permissions.
+ [Jan Olszak]
+ - Renamed enums and deleted unused defines
+ [Jan Olszak]
+ - Modified checking labels and deleted unused checking.
+ [Jan Olszak]
+ - Change in setup path.
+ [Jan Olszak]
+ - Change in boot script.
+ [Jan Olszak]
+ - Adding additional rules.
+ [Jan Olszak]
+ - Implementation of cross-app rule patterns in *.smack files
+ [Jan Olszak]
+ - Corrected a mistake in deleting paths.
+ [Jan Olszak]
+ - Deleting paths on revoking permissions.
+ [Jan Olszak]
+ - Deleted volatile rules on boot and corrected permission format.
+ [Jan Olszak]
+ - Modified boot script, added deleting volatile rules.
+ [Jan Olszak]
+ - Made marking labels as modified beautiful.
+ [Jan Olszak]
+ - Changed new API names.
+ [Jan Olszak]
+ - Loading api-features from a file.
+ [Jan Olszak]
+ - Revert "rollback because of rule database"
+ [Kidong Kim]
+ - add systemd options
+ [Jan Cybulski]
+ - Add README file
+ [Marcin Lis]
+ - Compilation flags 'verbose' mode
+ [Krzysztof Jackiewicz]
+ - Unused function smack_get_access_new removed
+ [Krzysztof Jackiewicz]
+ - Libprivilege API cleanup
+ [Lukasz Kostyra]
+ - Add missing information about APP_PATH_ANY_LABEL in header
+ [Bartlomiej Grzelewski]
+ - Takes compilation profile from command line.
+ [Janusz Kozerski]
+ - Add for all anti viruses RWX access to all public-RO and group-RW shared folder
+ [Marcin Lis]
+ - Simple corrections in api-feature handling. +Fix
+
+ * Mon Sep 16 2013 Bartlomiej Grzelewski - 0.0.57.SLP
+ [Jan Olszak]
+ - Optimalization of the database operation time.
+
+ * Fri Sep 13 2013 Krzysztof Jackiewicz - 0.0.56.SLP
+ [Jan Olszak]
+ - Corrected behavior when there is no Smack on the target.
+ [Jan Olszak]
+ - Correct antivirus access rights to public dirs.
+ [Jan Olszak]
+ - Rules kept in SQLite3 database. Initial commit.
+ [Jan Olszak]
+ - SQLite3 database for application permissions.
+ [Krzysztof Jackiewicz]
+ - Fix for ~APP~ label allowance issue
+ [Krzysztof Jackiewicz]
+ - Unused function smack_get_access_new removed
+ [Krzysztof Jackiewicz]
+ - Libprivilege API cleanup
+ [Lukasz Kostyra]
+ - Add missing information about APP_PATH_ANY_LABEL in header
+ [Bartlomiej Grzelewski]
+ - Takes compilation profile from command line.
+
+ * Wed Aug 28 2013 Krzysztof Jackiewicz - 0.0.55.SLP
+ [Janusz Kozerski]
+ - Add for all anti viruses RWX access to all public-RO and group-RW shared folder
+ [Marcin Lis]
+ - Simple corrections in api-feature handling.
+
+* Tue Jul 23 2013 Baptiste DURAND <baptiste.durand@eurogiciel.fr> accepted/tizen/20130711.205247@88318d6
+- Call setguid function with the APP group ID retreives from /etc/group through getgrouplists function call.
+
+ * Tue Aug 13 2013 Rafal Krypa - 0.0.54.SLP
+ - Adapt code for new libsmack API
+ - Rewrite internal function app_uninstall_remove_early_rules()
+ - Create format strings for scanf statically.
+ - Add support for new access mode for setting locks ("l")
+ - Fix unwanted differences between SLP and RSA repositories.
+ - Add better debug logs to libprivilege-control
+
+ * Mon Aug 12 2013 Krzysztof Jackiewicz - 0.0.41.TIZEN
+ - No source code changes.
+
+ * Thu Aug 08 2013 Krzysztof Jackiewicz - 0.0.40.TIZEN
+ - Adding W rules to allow email-service move draft email to draft box
+ - Adding Smack rule for obexd to allow to RX to all app's shared directory
+ - Loading all smack-app rules during boot
+ - Revert "Work around for rule loading to allow email-service and
+ contacts-servce access to shared directory of everybody."
+ - Change API function naming sheme
+ - Add support for EFL apps
+ - Add generic solution for adding rules to shared dirs (RO & RW)
+ - Fix libprivilege-control not checking input parameters
+ - Fixing language errors
+ - Remove deprected code.
+
+ * Fri Jul 12 2013 Krzysztof Jackiewicz - 0.0.39.TIZEN
+ - Work around for rule loading to allow email-service and contacts-servce
+ access to shared directory of everybody.
+ - File locking added
+
+* Thu Jul 11 2013 Rusty Lynch <rusty.lynch@intel.com> accepted/tizen/20130711.163636@43b59bc
+- Before applied a label on the process context, check if the label is previously set.
+
+* Thu Jul 11 2013 Anas Nashif <anas.nashif@intel.com> submit/tizen/20130711.003907@5533929
+- cleanup spec
+- - remove init.d scripts
+- - remove passwd, group file and do not install them, we use the setup
+- package for those
+- - meta-data cleanup
+- Signed-off-by: Anas Nashif <anas.nashif@intel.com>
+
+ * Tue Jul 09 2013 Krzysztof Jackiewicz - 0.0.38.TIZEN
+ - Fixing prevent defects in libprivilege-control: * 63125
+ - Fixing segfault in libprivilege-control
+
+ * Tue Jul 09 2013 Krzysztof Jackiewicz - 0.0.37.TIZEN
+ - Add contact-service and email-service rule to read shared dirs.
+
+ * Mon Jul 08 2013 Krzysztof Jackiewicz - 0.0.36.TIZEN
+ - execute pkg_smack at first boot(temporary)
+ - Implementation of background rule loading
+ - Early rule loading - livebox issue.
+ - Adding script for early rules loading
+
+ * Fri Jul 05 2013 Tomasz Swierczek - 0.0.35.TIZEN
+ - Fixing segfault in get_app_gids when app_id = NULL
+
+ * Wed Jul 03 2013 Krzysztof Jackiewicz - 0.0.34.TIZEN
+ - add new smack rules for user-space access control
+ - add smack rules for sdcard
+ - add new smack rules for OSP se/secureelement privilege
+ - Keeping *.smack files in separate repository.
+
+* Mon Jul 1 2013 Maciej Wereski <m.wereski@partner.samsung.com>
+- move passwd and group to setup package
+
+ * Thu Jun 27 2013 Tomasz Swierczek - 0.0.33.TIZEN
+ - Reducing error logs number.
+ - Fixing prevent bugs on libprivilege-control: * 58766
+ - add new smack rule for WRT
+ - add smack rules
+ - add smack rules to synchronize with private
+ - add smack rules for OSP/WEB app to access clipboard
+
+ * Thu Jun 20 2013 Bartlomiej Grzelewski - 0.0.32.TIZEN
+ - add smack rule of OSP apps for e17
+ - add smack rules for WRT app
+ - add smack default rules
+ - Added SECURE_LOG* macro
+ - Log messages refactoring
+ - Fixing prevent critical defects in libprivilege-control and some log messages.
+
+ * Mon Jun 17 2013 Krzysztof Jackiewicz - 0.0.31.TIZEN
+ - No source changes.
+
+ * Mon Jun 17 2013 Krzysztof Jackiewicz - 0.0.30.TIZEN
+ - add smack rules for app-package::db
+ - fix rules and labeling on db
+ - add smack rules
+ - add new rules for OSP app
+ - Added missing part of fix for rule overwriting issue
+
+ * Mon Jun 10 2013 Krzysztof Jackiewicz - 0.0.29.TIZEN
+ - Fixed creation of rule sets with missing ----- (change-rule interface)
+ - privilege-control.c and privilege-control.h extended by new app_type_t values.
+ - Comment to app_revoke_permissions() changed.
+ - Add error logs in app_give_access.
+ - Add implementation for appsetting privilege
+ - Change parameter names app_id to pkg_id in API functions
+ - Fast boot optimization
+ - Add value APP_PATH_ANY_LABEL to enum app_path_type_t.
+ - synchronize OSP/WRT rules with private repository
+ - Fixing Rule Loading fail for livebox apps on next reboot
+
+ * Wed May 29 2013 Krzysztof Jackiewicz - 0.0.28.TIZEN
+ - Add API functions smack_pid_have_access and get_smack_label_from_process.
+ - Implement special handling for http://tizen.org/privilege/antivirus
+ - Code refactoring, new internal function for adding single rule for an application.
+ - New API for labeling directories and files.
+ - Changing way of mapping feature to file name
+
+ * Wed May 29 2013 Krzysztof Jackiewicz - 0.0.27.TIZEN
+ - Bugfix: Ensure that SMACK labelling finishes before we start launching middleware services
+ - Fix for 64 bit compatibility.
+ - Fix app_install function.
+ - Fix error handling in perm_to_smack() internal function.
+ - Fix ifdef for debug logging.
+ - Fix logging in app_add_permissions_internal()
+ - Add debug logging into app_install() and app_uninstall()
+ - Check validity of Smack labels in API function arguments.
+ - Revert "Temporary fix for web app launching."
+ - Imlement app_disable_permissions() API function stub.
+ - Fix logging ifdefs in slp-su.c.
+ - Unify code indentation.
+ - Change implementation of have_smack()
+ - Truncate Smack file for app in app_revoke_permissions().
+ - Implement adding apps to additional groups based on enabled permissions.
+ - Full set of SMACK rules support for OSP and WRT
+ - Re-enable Smack setting for native apps.
+ - Temporary workaround for complimentary groups not working on non-SMACK system.
+ - Don't delete SMACK rules file for app in function app_reset_permissions()
+ - Create separate source file for internal, common code.
+ - Simplify cleanup code by using GCC extension for variable scoping.
+ - Remove SMACK_ENABLED ifdefs.
+ - Fix for complimentary groups setting.
+ - Add DAC config files for DB access control.
+ - Merge missing code pieces from private repository.
+ - permissions: unify smack config files with private repository
+ - Implemet data control solution for OSP apps.
+ - Reduce complexity from O(n) to O(log(n)) druing state search.
+ - Allow multiple call of app_give_access.
+ - Added add_api_feature API
+ - Added support for gids in add_new_feature API
+ - Klocwork bugfixes
+ - Clean up libprivilege-control code
+ - WRT binary link handling updated.
+ - Add API for install antivirus (app_register_av API function).
+ - Add AV custom rule set support
+ - Add implementation of API function add_shared_dir_readers.
+ - Add check if app_label and shared_label are different in app_label_shared_dir
+ - app_shared_dir_add_readers() accepts NULL in 'app_list' not ""
+ - Setting WebAPP label to pkgId again.
+ - Added rules for OSP/WRT apps for app_give_access API usage in security-server
+ - add new labels for vconf
+ - add new rules for system::share
+ - add smack rules for osp/web app
+ - add smack rules for sdcard
+ - add rule for wrt_launchpad_daemon
+ - add new smack rule
+ - Update .smack files 2
+ - Adjusting Rules for boolmark
+ - Marking app_give_access & app_revoke_access as deprecated
+
+ * Mon May 13 2013 Krzysztof Jackiewicz - 0.0.26.TIZEN
+ - integrate default smack rules
+ - add new rules for bt-service
+ - add missing smack rules
+ - add smack rules regarding data-provider-master
+ - add smack rules regarding secure-storage
+ - add new smack labels
+ - add new rules and remove vconf labels
+ - add smack rules for privacy-manager
+ - add smack rules for wifi and osp
+ - add smack rules for oma-ds-agent::cfg
+ - add new smack rules for tizenprv00.privacy-popup
+ - add new smack labels for vconf and support IPv6
+ - add default rules
+ - add new label and rules - system::share
+ - Fix for 64 bit compatibility.
+ - adding missing rules
+ - Update .smack files
+ - Modifying Smack rules for Apps
+ - Modifying Smack rules for Apps
+ - Removing Label for so files
+ - Adjusting overwrapped Rule
+ - Adding x rules for osp-*-services
+ - Added rules for OSP/WRT apps for app_give_access API usage in security-server
+
+ * Wed Mar 27 2013 Krzysztof Jackiewicz - 0.0.25.TIZEN
+ - Disable libprivilege-control logs for performance increase
+ - Temporary fix for web app launching.
+ - Added stub for add_shared_dir_readers function.
+ - Added proper #ifdef SMACK_ENABLED to new APIs static functions.
+ - add new rules
+ - apply smack default rules
+ - Revising running Smack default rules for all combinations
+ - Adding missing rules
+ - Adding missing rule for crash popup
+ - Modifying device node labels
+ - Modifying rules for changed osp-*-service labels
+ - remove udev rules file
+ - Fix for compatibility of GCC 4.7.
+ - Enable libprivilege-control for target without smack module in kernel.
+ - Cosmetic: fix space indentation.
+ - Rework Smack-less mode.
+ - New API function app_add_friend(app_id1, app_id2).
+ - Add new API functions app_install() and app_uninstall().
+ - Add new API function app_enable_permissions() to replace app_add_permissions() and app_add_volatile_permissions().
+ - Don't fail when trying to enable app permissions that doesn't exist.
+ - Implicitly include base permission in app_enable_permissions().
+
* Thu Feb 14 2013 Tomasz Swierczek - 0.0.24.TIZEN
- Refactoring: adjust names of some internal identifiers.
- Refactoring: removed compilation warnings when SMACK is disabled.
-#%define udev_libdir /usr/lib/udev
-
Name: libprivilege-control
Summary: Library to control privilege of application
- Version: 0.0.26.TIZEN
+ Version: 0.0.43.TIZEN
Release: 1
-Group: System/Security
-License: Apache 2.0
+Group: Security/Access Control
+License: Apache-2.0
Source0: %{name}-%{version}.tar.gz
-Source1: %{name}-conf.manifest
-Source2: smack-default-labeling.service
+Source1001: %{name}.manifest
BuildRequires: cmake
+ BuildRequires: libcap-devel
BuildRequires: pkgconfig(libsmack)
BuildRequires: pkgconfig(dlog)
-Requires: smack-privilege-config
-Requires: sqlite
+ BuildRequires: pkgconfig(libiri)
+ BuildRequires: pkgconfig(sqlite3)
%description
development package of library to control privilege of in-house application
%prep
%setup -q
+cp %{SOURCE1001} .
%build
+ %if 0%{?sec_build_binary_debug_enable}
+ export CFLAGS="$CFLAGS -DTIZEN_DEBUG_ENABLE"
+ export CXXFLAGS="$CXXFLAGS -DTIZEN_DEBUG_ENABLE"
+ export FFLAGS="$FFLAGS -DTIZEN_DEBUG_ENABLE"
+ %endif
+
export CFLAGS="${CFLAGS} -Wno-implicit-function-declaration"
- %cmake . -DCMAKE_BUILD_TYPE=%{?build_type:%build_type}
+ %cmake . -DCMAKE_BUILD_TYPE=%{?build_type:%build_type}%{!?build_type:RELEASE} \
+ -DCMAKE_VERBOSE_MAKEFILE=ON
- make %{?jobs:-j%jobs}
+ VERBOSE=1 make %{?jobs:-j%jobs}
%install
-rm -rf %{buildroot}
-mkdir -p %{buildroot}/usr/share/license
-cp LICENSE %{buildroot}/usr/share/license/%{name}
%make_install
-
-mkdir -p %{buildroot}/etc
-mv %{buildroot}/opt/etc/passwd %{buildroot}/etc/passwd
-mv %{buildroot}/opt/etc/group %{buildroot}/etc/group
-
-cp -a %{SOURCE1} %{buildroot}%{_datadir}/
-cp -a %{SOURCE2} %{buildroot}%{_datadir}/
-
-mkdir -p %{buildroot}/usr/lib/systemd/system/basic.target.wants
-install -m 644 %{SOURCE2} %{buildroot}/usr/lib/systemd/system/
-ln -s ../smack-default-labeling.service %{buildroot}/usr/lib/systemd/system/basic.target.wants/
+mkdir -p %{buildroot}/usr/share/privilege-control/
- %post -p /sbin/ldconfig
+ mkdir -p %{buildroot}/usr/lib/systemd/system/multi-user.target.wants
+ ln -sf /usr/lib/systemd/system/smack-rules.service %{buildroot}/usr/lib/systemd/system/multi-user.target.wants/smack-rules.service
+
-mkdir -p %{buildroot}/usr/lib/systemd/system/tizen-runtime.target.wants
-ln -s /usr/lib/systemd/system/smack-default-labeling.service %{buildroot}/usr/lib/systemd/system/multi-user.target.wants/smack-default-labeling.service
-
+ %post
-if [ ! -e "/home/app" ]
-then
- mkdir -p /home/app
-fi
-
-if [ ! -e "/home/developer" ]
-then
- mkdir -p /home/developer
-fi
-
-chown 5000:5000 /home/app
-chmod 755 /home/app
-chown 5100:5100 /home/developer
-chmod 755 /home/developer
-
-
-if [ ! -e "/opt/etc/smack-app/accesses.d" ]
-then
- mkdir -p /opt/etc/smack-app/accesses.d
-fi
-
-if [ ! -e "/opt/etc/smack-app-early/accesses.d" ]
-then
- mkdir -p /opt/etc/smack-app-early/accesses.d
-fi
-
++/sbin/ldconfig
+ /usr/share/privilege-control/db/updater.sh
+%postun -p /sbin/ldconfig
+
+ api_feature_loader --verbose --dir=/usr/share/privilege-control/
+ api_feature_loader --verbose --rules=/usr/share/privilege-control/ADDITIONAL_RULES.smack
+
+ %check
+ ./db/updater.sh --check-files %{buildroot}
%files
+%manifest %{name}.manifest
+%license LICENSE
%{_libdir}/*.so.*
-%{_libdir}/librules-db-sql-udf.so
%{_bindir}/slp-su
- %dir %{_datarootdir}/privilege-control
- %{_datarootdir}/privilege-control/*
-#%{udev_libdir}/rules.d/*
-#%attr(755,root,root) %{udev_libdir}/uname_env
-%{_datadir}/license/%{name}
++%{_libdir}/librules-db-sql-udf.so
+ #systemd service
+ /usr/lib/systemd/system/smack-rules.service
+ /usr/bin/api_feature_loader
+ #link to activate systemd service
+ /usr/lib/systemd/system/multi-user.target.wants/smack-rules.service
+ /usr/share/privilege-control/db/rules-db.sql
+ /usr/share/privilege-control/db/rules-db-data.sql
+ /usr/share/privilege-control/db/updater.sh
+ /usr/share/privilege-control/db/updates/*
+ /usr/share/privilege-control/db/load-rules-db.sql
%files conf
-/etc/group
-/etc/passwd
-%attr(755,root,root) /etc/rc.d/*
-/usr/share/smack-default-labeling.service
-/usr/lib/systemd/system/smack-default-labeling.service
-/usr/lib/systemd/system/basic.target.wants/smack-default-labeling.service
-/usr/lib/systemd/system/multi-user.target.wants/smack-default-labeling.service
-%manifest %{_datadir}/%{name}-conf.manifest
+%manifest %{name}.manifest
- /opt/etc/smack/*
/opt/dbspace/.privilege_control*.db
%files devel
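Review bot: As the lines are ordered in this section, the two `api_feature_loader --verbose ...` calls land after `%postun -p /sbin/ldconfig`, so in the merged spec they belong to the `%postun` scriptlet and not to `%post`. That means the API feature rules would not be loaded at install time. Because of `-p /sbin/ldconfig`, the body would also be handed to ldconfig instead of a shell (hedged: this depends on how rpm treats a body under `-p`). I would move the `%postun -p /sbin/ldconfig` line below the second `api_feature_loader` call so that `%post` reads `/sbin/ldconfig`, `/usr/share/privilege-control/db/updater.sh`, then the two loader calls. A short comment above `%post` such as `# order matters: the rules database must be updated before api_feature_loader runs` would help keep a later merge from reshuffling it, if that ordering is indeed the intent.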
--- /dev/null
-WantedBy=multi-user.target
+ [Unit]
+ Description=SMACK rules loading
+ Before=starter.service
+
+ [Service]
+ Type=oneshot
+ ExecStartPre = /bin/bash -c '/usr/bin/sqlite3 /opt/dbspace/.rules-db.db3 < /usr/share/privilege-control/db/load-rules-db.sql'
+ ExecStart = /bin/bash -c '/bin/grep ^ /opt/etc/smack/boot-rules.smack --line-buffered > /smack/change-rule'
+
+ [Install]
++WantedBy=multi-user.target
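Review bot: Nothing in this unit makes a failed rule load block what runs after it. The only relation is `Before=starter.service`, which orders but does not require, so if `sqlite3` in `ExecStartPre` or the `grep` redirect into `/smack/change-rule` exits non-zero, boot presumably continues with the Smack rules missing (starter.service is not shown on this page). `Type=oneshot` without `RemainAfterExit=yes` also leaves the unit inactive after it has run, so any later start request would replay the whole rule file. I would add `RemainAfterExit=yes` under `[Service]` and a comment above `ExecStart` such as `# Must finish before any application is launched; units that rely on the rules should Requires= this unit`.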
+++ /dev/null
--#!/bin/sh
-
-PATH=/sbin:/usr/sbin:/bin:/usr/bin
--DBSPACE=/opt/dbspace
--DBSPACE_RW=/opt/usr/dbspace
--APPS_DIR=/opt/apps
--SHARE_DIR=/opt/share
--
--chown 5000:5000 /home/app
-find /home/app -print0 | xargs -0 chsmack -a 'system::homedir'
-find /home/app -type d -print0 | xargs -0 chsmack -t
-
-find /opt/usr/media -print0 | xargs -0 chsmack -a 'system::media'
-find /opt/usr/media -type d -print0 | xargs -0 chsmack -t
--
-chsmack -a 'system::share' /dev/shm
-chsmack -t /dev/shm
--
-if [ ! -e /opt/etc/.pkg_smack ]; then
- /usr/bin/pkg_smack
- touch /opt/etc/.pkg_smack
-fi
--
--# set vconf label when first boot
--#if [ ! -e /opt/etc/.vconf_labeling ]; then
-# chsmack -a 'system::vconf' /opt/var/kdb/db
-# chsmack -t /opt/var/kdb/db
-# find /opt/var/kdb/db -print0 | xargs -0 chsmack -a 'system::vconf'
-# find /opt/var/kdb/db -type d -print0 | xargs -0 chsmack -t
-# find /opt/var/kdb/file -print0 | xargs -0 chsmack -a 'system::vconf'
-# find /opt/var/kdb/file -type d -print0 | xargs -0 chsmack -t
-# find /var/run/memory -print0 | xargs -0 chsmack -a 'system::vconf'
-# find /var/run/memory -type d -print0 | xargs -0 chsmack -t
--# touch /opt/etc/.vconf_labeling
--#fi
-
-# Set device node permissions for security
-#chsmack -a 'system::system_bklight' /sys/class/backlight/*/brightness
-#chsmack -a '*' /sys/class/haptic/motor/level
-#chsmack -a '*' /sys/class/haptic/motor/enable
-#chsmack -a '*' /sys/class/haptic/motor/oneshot
-#chsmack -a '*' /sys/class/extension/mdnie/mode
-#chsmack -a '*' /sys/class/extension/mdnie/scenario
-#chsmack -a '*' /sys/class/extension/mdnie/tone
-#chsmack -a '*' /sys/class/extension/mdnie/outdoor
-#chsmack -a '*' /sys/class/extension/mdnie/tune
-#chsmack -a '*' /sys/class/camera/flash/rear_flash
-#chsmack -a '*' /sys/class/camera/flash/max_brightness
-
-echo "0.0.0.0/1 system::use_internet" >> /smack/netlabel
-echo "128.0.0.0/1 system::use_internet" >> /smack/netlabel
-echo "127.0.0.1 -CIPSO" >> /smack/netlabel
-echo "192.168.129.1 @" >> /smack/netlabel
-echo "system::use_internet" > /smack/ambient
--
-# Set label to database files
-chsmack -a 'libaccounts-svc::db' $DBSPACE/.account.db*
-#chsmack -a 'wrt-security::db_ace' $DBSPACE/.ace.db*
-chsmack -a 'libslp-alarm::db' $DBSPACE/.alarm.db*
-chsmack -a 'alarm-server::db' $DBSPACE/.alarmmgr.db*
-chsmack -a 'ail::db' $DBSPACE/.app_info.db*
-chsmack -a 'app-svc::db' $DBSPACE/.appsvc.db*
-chsmack -a 'bt_share::db' $DBSPACE/.bluetooth_trasnfer.db*
-chsmack -a 'telephony_framework::db' $DBSPACE/.dnet.db*
-chsmack -a 'telephony_framework::db' $DBSPACE/.mcc_mnc_oper_list.db*
-chsmack -a 'libslp-memo::db' $DBSPACE/.memo.db*
-chsmack -a 'aul::db' $DBSPACE/.mida.db*
-chsmack -a 'notification::db' $DBSPACE/.notification.db*
-chsmack -a 'push-service::db' $DBSPACE/.push.db*
-chsmack -a 'rua::db' $DBSPACE/.rua.db*
-chsmack -a 'syspopup::db' $DBSPACE/.syspopup.db*
-chsmack -a 'worldclock::db' $DBSPACE/.worldclock.db*
-chsmack -a 'wrt-commons::db_wrt' $DBSPACE/.wrt.db*
-chsmack -a 'wrt-commons::db_wrt_autosave' $DBSPACE/.wrt_autosave.db*
--
-chsmack -a 'browser::db_external' $DBSPACE_RW/.browser-history.db*
-chsmack -a 'calendar-service::db' $DBSPACE_RW/.calendar-svc.db*
-chsmack -a 'contacts-service::db' $DBSPACE_RW/.contacts-svc.db*
-chsmack -a 'email-service::db' $DBSPACE_RW/.email-service.db*
-chsmack -a 'browser::db_external' $DBSPACE_RW/.internet_bookmark.db*
-chsmack -a 'media-data::db' $DBSPACE_RW/.media.db*
-chsmack -a 'msg-service::db' $DBSPACE_RW/.msg_service.db*
-chsmack -a 'browser::db' $APPS_DIR/org.tizen.browser/data/db/.browser*
+++ /dev/null
--#!/bin/sh
--
-/usr/bin/smackload /opt/etc/smack/smack_default_rules2
FILE* file_db AUTO_FCLOSE;
const char* db_file_name = db_file_names[app_type];
+ SECURE_C_LOGD("Opening database file %s.", db_file_name);
file_db = fopen(db_file_name, "a");
if (NULL == file_db) {
- C_LOGE("Error while opening database file: %s", db_file_name);
- SECURE_C_LOGE("Error while opening database file: %s", db_file_name);
++ SECURE_C_LOGD("Error while opening database file: %s", db_file_name);
return PC_ERR_FILE_OPERATION;
}
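Review bot: The failure branch of the `fopen` call ends up logging through `SECURE_C_LOGD`, so a failure to open the permission database is reported at debug level, whereas both removed lines used an error-level macro (`C_LOGE` and `SECURE_C_LOGE`). If debug logging is compiled out of release builds (the macro definitions are not in this hunk), the `PC_ERR_FILE_OPERATION` return would leave no trace for whoever investigates a failed permission update. I would keep the error level: `SECURE_C_LOGE("Error while opening database file: %s", db_file_name);`. The enclosing function starts and ends outside the hunk.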
}
}
- return have_smack;
- }
+ // smack_have_access returned 0 (access denied). Now CAP_MAC_OVERRIDE should be checked
+ C_LOGD("smack_have_access returned 0 (access denied)");
+ cap = cap_get_pid(pid);
+ if (cap == NULL) {
+ C_LOGE("cap_get_pid failed");
+ return -1;
+ }
+ ret = cap_get_flag(cap, CAP_MAC_OVERRIDE, CAP_EFFECTIVE, &cap_v);
+ if (0 != ret) {
+ C_LOGE("cap_get_flag failed");
+ return -1;
+ }
- API int control_privilege(void)
- {
- C_LOGD("Enter function: %s", __func__);
- if(getuid() == APP_UID) // current user is 'app'
- return PC_OPERATION_SUCCESS;
+ if (cap_v == CAP_SET) {
+ C_LOGD("pid %d has CAP_MAC_OVERRIDE", pid);
+ return 1;
- if(set_app_privilege("org.tizen.", NULL, NULL) == PC_OPERATION_SUCCESS)
- return PC_OPERATION_SUCCESS;
- else
- return PC_ERR_NOT_PERMITTED;
+ } else {
+ C_LOGD("pid %d doesn't have CAP_MAC_OVERRIDE", pid);
+ return 0;
+ }
}
+
+
+static int get_user_groups(uid_t user_id, int *nbgroup, gid_t **groups_list)
+{
+ gid_t *groups = NULL;
+ struct passwd * pw;
+ C_LOGD("Enter function: %s", __func__);
+
+ if ((!groups_list) || (!nbgroup))
+ return PC_ERR_INVALID_OPERATION;
+ pw = getpwuid(user_id);
+ if(!pw) {
+ C_LOGE("getgrouplist fails : Invalid User ID %d",user_id);
+ return PC_ERR_INVALID_OPERATION;
+ }
+ *nbgroup = 0;
+ //First call is done with *ngroup = 0 to get the number of groups found for the user (Usefull for next malloc operation). It should return -1 in this case.
+ if (getgrouplist(pw->pw_name, pw->pw_gid, groups, nbgroup) != -1)
+ return PC_ERR_INVALID_OPERATION;
+
+ C_LOGD("getgrouplist %s user is member of %d groups ",pw->pw_name,*nbgroup);
+ groups = malloc(*nbgroup * sizeof (gid_t));
+ if (!groups)
+ return PC_ERR_INVALID_OPERATION;
+ //Second call is done with the suitable ngroup value and structure groups allocated.
+ if (getgrouplist(pw->pw_name, pw->pw_gid, groups, nbgroup) == -1) {
+ free(groups);
+ C_LOGE("getgrouplist fails %d",nbgroup);
+ return PC_ERR_INVALID_OPERATION;
+ }
+ *groups_list = groups;
+ return PC_OPERATION_SUCCESS;
+}
+
static int set_dac(const char *smack_label, const char *pkg_name)
{
- C_LOGD("Enter function: %s", __func__);
+ SECURE_C_LOGD("Entering function: %s. Params: smack_label=%s, pkg_name=%s",
+ __func__, smack_label, pkg_name);
+
- FILE* fp_group = NULL; // /etc/group
uid_t t_uid = -1; // uid of current process
gid_t *glist = NULL; // group list
- gid_t temp_gid = -1; // for group list
- char buf[10] = {0, }; // contents in group_list file
int glist_cnt = 0; // for group list
int result;
int i;