namespace Config {
-/* Service name */
-extern const std::string SERVICE_NAME;
-
-/* Privileges required from users of our API */
-extern const std::string PRIVILEGE_APPINST_USER;
-extern const std::string PRIVILEGE_APPINST_ADMIN;
-extern const std::string PRIVILEGE_USER_ADMIN;
-extern const std::string PRIVILEGE_POLICY_USER;
-extern const std::string PRIVILEGE_POLICY_ADMIN;
-extern const std::string PRIVILEGE_APPSHARING_ADMIN;
-extern const std::string PRIVILEGE_SHM;
-extern const std::string PRIVILEGE_APP_NAMESPACE;
-extern const std::string PRIVILEGE_PERMISSION_CHECK;
-
-/* Files used in permitted label managment */
-extern const std::string APPS_LABELS_FILE;
-
-/* Policy files */
-extern const std::string PRIVILEGE_GROUP_LIST_FILE;
-extern const std::string PRIVILEGE_MOUNT_LIST_FILE;
-
-extern const std::string SKEL_DIR;
-
-/* Ask-user policy description */
-extern const std::string PRIVACY_POLICY_DESC;
-
-/* true if privacy-related privileges should result in UI-popup question*/
-extern const bool IS_ASKUSER_ENABLED;
-
std::string getPrivilegeDbPath();
std::string getPrivilegeDbFallbackPath();
#define DB_JOURNAL_SUFFIX "-journal"
#define DB_OK_MARKER "/tmp/.security-manager.db.ok"
+
+
+/* Service name */
+#define SERVICE_NAME "security-manager"
+
+/* Privileges required from users of our API */
+#define PRIVILEGE_APPINST_USER "http://tizen.org/privilege/notexist"
+#define PRIVILEGE_APPINST_ADMIN "http://tizen.org/privilege/notexist"
+#define PRIVILEGE_USER_ADMIN "http://tizen.org/privilege/internal/usermanagement"
+#define PRIVILEGE_POLICY_USER "http://tizen.org/privilege/notexist"
+#define PRIVILEGE_POLICY_ADMIN "http://tizen.org/privilege/internal/usermanagement"
+#define PRIVILEGE_APPSHARING_ADMIN "http://tizen.org/privilege/notexist"
+#define PRIVILEGE_SHM "http://tizen.org/privilege/internal/shm"
+#define PRIVILEGE_APP_NAMESPACE "http://tizen.org/privilege/notexist"
+#define PRIVILEGE_PERMISSION_CHECK "http://tizen.org/privilege/permission.check"
+
+/* Files used in permitted label managment */
+#define APPS_LABELS_FILE "apps-labels"
+
+/* Policy files */
+#define PRIVILEGE_GROUP_LIST_FILE POLICY_DIR "/privilege-group.list"
+#define PRIVILEGE_MOUNT_LIST_FILE POLICY_DIR "/privilege-mount.list"
+
+#define SKEL_DIR "/etc/skel"
+
+/* Ask-user policy description */
+#define PRIVACY_POLICY_DESC "Ask user"
+
+/* true if privacy-related privileges should result in UI-popup question*/
+#ifdef ASKUSER_ENABLED
+#define IS_ASKUSER_ENABLED true
+#else
+#define IS_ASKUSER_ENABLED false
+#endif
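Review bot: Five of the new privilege macros (PRIVILEGE_APPINST_USER, PRIVILEGE_APPINST_ADMIN, PRIVILEGE_POLICY_USER, PRIVILEGE_APPSHARING_ADMIN, PRIVILEGE_APP_NAMESPACE) all expand to the same `"http://tizen.org/privilege/notexist"` and nothing in the header says why; a comment above that group such as `/* Not yet assigned a platform privilege: a nonexistent one is used on purpose so authenticate() denies until a real value is chosen */` would stop a reader from treating it as a copy-paste mistake — assuming that is the intent, which the hunk does not show. Making `IS_ASKUSER_ENABLED` a macro keyed on `ASKUSER_ENABLED` also means its value is now fixed per translation unit by the compiler's defines rather than by the single definition the removed `extern const bool` had, so every TU including this header must be built with the same flag or callers will disagree on whether the ask-user popup is active. Since each privilege is now a string literal, every `authenticate(creds, PRIVILEGE_...)` call in the following hunks builds a temporary std::string if authenticate() takes `const std::string&` (its signature is not in the diff), where it previously passed a reference to a global; correct, but a `static const std::string` per value would avoid it if those checks are frequent. While touching the comments, `managment` in `/* Files used in permitted label managment */` should read `management`. The `namespace Config {` block is closed outside the hunk.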
policyEntry.privilege = CYNARA_ADMIN_WILDCARD;
const std::string &privilege = (forAdmin || policyEntry.user.compare(std::to_string(creds.uid))) ?
- Config::PRIVILEGE_POLICY_ADMIN : Config::PRIVILEGE_POLICY_USER;
+ PRIVILEGE_POLICY_ADMIN : PRIVILEGE_POLICY_USER;
if (!authenticate(creds, privilege)) {
LogError("Not enough privilege to enforce user policy");
return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
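Review bot: On the `+` line the two macros are string literals of different lengths, so the conditional decays both to `const char*` and `const std::string &privilege` now binds to a temporary std::string built from that pointer (lifetime-extended, so it is not a dangling reference) instead of aliasing a global as before. Declaring it `const std::string privilege = (forAdmin || policyEntry.user.compare(std::to_string(creds.uid))) ? PRIVILEGE_POLICY_ADMIN : PRIVILEGE_POLICY_USER;` says what actually happens and avoids a reviewer having to check the temporary's lifetime; the same pattern recurs wherever a macro is bound by reference, e.g. `realPath(SKEL_DIR)` in the next hunk. The enclosing function starts and ends outside this hunk.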
{
std::string app = TizenPlatformConfig::getEnv(TZ_USER_APP);
std::string home = TizenPlatformConfig::getEnv(TZ_USER_HOME);
- std::string real_skel_dir = std::move(realPath(Config::SKEL_DIR));
+ std::string real_skel_dir = std::move(realPath(SKEL_DIR));
if (real_skel_dir.empty()) {
LogError("Unable to get skel pkg dir.");
return false;
int installationType)
{
if (installationType == SM_APP_INSTALL_LOCAL) {
- if (!authenticate(creds, Config::PRIVILEGE_APPINST_USER)) {
+ if (!authenticate(creds, PRIVILEGE_APPINST_USER)) {
LogError("Caller is not permitted to manage local applications");
return false;
}
- if (uid != creds.uid && !authenticate(creds, Config::PRIVILEGE_USER_ADMIN)) {
+ if (uid != creds.uid && !authenticate(creds, PRIVILEGE_USER_ADMIN)) {
LogError("Caller is not permitted to manage applications for other users");
return false;
}
return false;
}
} else {
- if (!authenticate(creds, Config::PRIVILEGE_APPINST_ADMIN)) {
+ if (!authenticate(creds, PRIVILEGE_APPINST_ADMIN)) {
LogError("Caller is not permitted to manage global applications");
return false;
}
int ServiceImpl::userAdd(const Credentials &creds, uid_t uidAdded, int userType)
{
- if (!authenticate(creds, Config::PRIVILEGE_USER_ADMIN)) {
+ if (!authenticate(creds, PRIVILEGE_USER_ADMIN)) {
LogError("Caller is not permitted to manage users");
return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
}
{
int ret = SECURITY_MANAGER_SUCCESS;
- if (!authenticate(creds, Config::PRIVILEGE_USER_ADMIN)) {
+ if (!authenticate(creds, PRIVILEGE_USER_ADMIN)) {
LogError("Caller is not permitted to manage users");
return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
}
LogDebug("App: " << filter.appName << ", Label: " << appProcessLabel);
if (forAdmin) {
- if (!authenticate(creds, Config::PRIVILEGE_POLICY_ADMIN)
- && !authenticate(creds, Config::PRIVILEGE_PERMISSION_CHECK)) {
+ if (!authenticate(creds, PRIVILEGE_POLICY_ADMIN)
+ && !authenticate(creds, PRIVILEGE_PERMISSION_CHECK)) {
LogError("Not enough privilege to access admin enforced policies");
return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
}
LogDebug("ADMIN - number of policies matched: " << listOfPolicies.size());
} else {
if (appProcessLabel != creds.label
- && !authenticate(creds, Config::PRIVILEGE_POLICY_USER)
- && !authenticate(creds, Config::PRIVILEGE_PERMISSION_CHECK)) {
+ && !authenticate(creds, PRIVILEGE_POLICY_USER)
+ && !authenticate(creds, PRIVILEGE_PERMISSION_CHECK)) {
LogError("Not enough privilege to access user enforced policies");
return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
}
if (uidStr.compare(user)) {
- if (!authenticate(creds, Config::PRIVILEGE_POLICY_ADMIN)
- && !authenticate(creds, Config::PRIVILEGE_PERMISSION_CHECK)) {
+ if (!authenticate(creds, PRIVILEGE_POLICY_ADMIN)
+ && !authenticate(creds, PRIVILEGE_PERMISSION_CHECK)) {
LogWarning("Not enough privilege to access other user's personal policies");
return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
};
std::string uidStr = std::to_string(creds.uid);
std::string pidStr = std::to_string(creds.pid);
- if (!authenticate(creds, Config::PRIVILEGE_POLICY_USER)
- && !authenticate(creds, Config::PRIVILEGE_PERMISSION_CHECK)) {
+ if (!authenticate(creds, PRIVILEGE_POLICY_USER)
+ && !authenticate(creds, PRIVILEGE_PERMISSION_CHECK)) {
LogWarning("Not enough permission to call: " << __FUNCTION__);
return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
};
std::vector<uid_t> listOfUsers;
- if (authenticate(creds, Config::PRIVILEGE_POLICY_ADMIN)
- || authenticate(creds, Config::PRIVILEGE_PERMISSION_CHECK)) {
+ if (authenticate(creds, PRIVILEGE_POLICY_ADMIN)
+ || authenticate(creds, PRIVILEGE_PERMISSION_CHECK)) {
LogDebug("User is privileged");
if (filter.user.compare(SECURITY_MANAGER_ANY)) {
LogDebug("Limitting Cynara query to user: " << filter.user);
SmackRules::Labels pkgsLabels;
try {
- if (!authenticate(creds, Config::PRIVILEGE_APPSHARING_ADMIN)) {
+ if (!authenticate(creds, PRIVILEGE_APPSHARING_ADMIN)) {
LogError("Caller is not permitted to manage file sharing");
return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
}
{
int errorRet;
try {
- if (!authenticate(creds, Config::PRIVILEGE_APPSHARING_ADMIN)) {
+ if (!authenticate(creds, PRIVILEGE_APPSHARING_ADMIN)) {
LogError("Caller is not permitted to manage file sharing");
return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
}
return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT;
}
- if (!authenticate(creds, Config::PRIVILEGE_SHM)) {
+ if (!authenticate(creds, PRIVILEGE_SHM)) {
LogError("Request from uid=" << creds.uid << ", Smack=" << creds.label << " for shm denied");
return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
}
std::vector<std::pair<std::string, bool>> &privilegeStatusVector)
{
int ret;
- if (!authenticate(creds, Config::PRIVILEGE_APP_NAMESPACE)) {
+ if (!authenticate(creds, PRIVILEGE_APP_NAMESPACE)) {
LogError("Request from uid=" << creds.uid << ", Smack=" << creds.label << " for setup app namespace denied");
return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
}
// Allow application to check the manifest
if (((creds.label != cynaraClient)
|| (uidStr != CYNARA_ADMIN_WILDCARD && uidStr != std::to_string(creds.uid)))
- && !(authenticate(creds, Config::PRIVILEGE_USER_ADMIN) || authenticate(creds, Config::PRIVILEGE_PERMISSION_CHECK)))
+ && !(authenticate(creds, PRIVILEGE_USER_ADMIN) || authenticate(creds, PRIVILEGE_PERMISSION_CHECK)))
{
LogError("Request from uid=" << creds.uid << ", Smack=" << creds.label << " for checking app manifest policy denied");
return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
int ServiceImpl::appCleanNamespace(const Credentials &creds, const std::string &appName, uid_t uid, pid_t pid)
{
- if (!authenticate(creds, Config::PRIVILEGE_APP_NAMESPACE)) {
+ if (!authenticate(creds, PRIVILEGE_APP_NAMESPACE)) {
LogError("Request from uid=" << creds.uid << ", Smack=" << creds.label <<
" for cleanup app namespace denied");
return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;