/* Temporary fix for authors rules */
static void fixAuthorRules(const std::string &authorId);
+ /**
+ * Add rules related to private path sharing rules
+ *
+ * This function generates and applies rules needed to apply private sharing.
+ * If isPathSharedAlready, no rule for owner, User or System to path label will be applied.
+ * If isTargetSharingAlready, no rule for directory traversing is set for target.
+ *
+ * @param[in] ownerAppId - package id of path owner
+ * @param[in] ownerPkgContents - vector of application ids contained in package which owner
+ * application belongs to
+ * @param[in] targetAppId - id of the target application
+ * @param[in] pathLabel - a list of all applications in the package
+ * @param[in] isPathSharedAlready - flag indicated, if path has been shared before
+ * @param[in] isTargetSharingAlready - flag indicated, if target is already sharing anything
+ * with owner
+ * @param[in] zoneId - ID of zone which requested applying sharing
+ */
+ static void applyPrivateSharingRules(const std::string &ownerPkgId,
+ const std::vector<std::string> &ownerPkgContents,
+ const std::string &targetAppId,
+ const std::string &pathLabel,
+ bool isPathSharedAlready,
+ bool isTargetSharingAlready,
+ const std::string &zoneId);
+ /**
+ * Remove rules related to private path sharing rules
+ *
+ * This function generates and applies rules needed to apply private sharing.
+ * If isPathSharedNoMore, rules for owner package contents, User or System to path label will
+ * be removed.
+ * If isTargetSharingNoMore, rule for directory traversing is removed for target.
+ *
+ * @param[in] ownerAppId - package id of path owner
+ * @param[in] ownerPkgContents - vector of application ids contained in package which owner
+ * application belongs to
+ * @param[in] targetAppId - id of the target application
+ * @param[in] pathLabel - a list of all applications in the package
+ * @param[in] isPathSharedNoMore - flag indicated, if path is not shared anymore
+ * @param[in] isTargetSharingNoMore - flag indicated, if target is not sharing anything
+ * with owner
+ * @param[in] zoneId - ID of zone which requested droping sharing
+ */
+ static void dropPrivateSharingRules(const std::string &ownerPkgId,
+ const std::vector<std::string> &ownerPkgContents,
+ const std::string &targetAppId,
+ const std::string &pathLabel,
+ bool isPathSharedNoMore,
+ bool isTargetSharingNoMore,
+ const std::string &zoneId);
+
private:
/**
* Create a path for package rules
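Review bot: The doc comments on both new declarations do not match their signatures: `@param[in] ownerAppId` documents a parameter that is actually named `ownerPkgId`, and `pathLabel` is described as "a list of all applications in the package", which looks copied from another parameter. Since these functions grant and revoke Smack access, the comment should say what the label is, e.g. `@param[in] ownerPkgId - package id of path owner` and `@param[in] pathLabel - Smack label assigned to the shared path`. The summary of `dropPrivateSharingRules` repeats "generates and applies rules needed to apply private sharing" where it should say the rules are removed. It would also help to state that the caller must pass the two boolean flags according to the current sharing state, because the implementations later in this change act on them without checking.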
const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack");
const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat";
const char *const SMACK_APP_CROSS_PKG_PERMS = "rx";
+const char *const SMACK_APP_PATH_OWNER_PERMS = "rwxat";
+const char *const SMACK_APP_PATH_TARGET_PERMS = "rxl";
+const char *const SMACK_APP_DIR_TARGET_PERMS = "x";
+const char *const SMACK_USER = "User";
+const char *const SMACK_SYSTEM = "System";
+const char *const SMACK_APP_PATH_SYSTEM_PERMS = "rwxat";
+const char *const SMACK_APP_PATH_USER_PERMS = "rwxat";
SmackRules::SmackRules()
{
rules.apply();
}
+void SmackRules::applyPrivateSharingRules(const std::string &ownerPkgId,
+ const std::vector<std::string> &ownerPkgContents,
+ const std::string &targetAppId,
+ const std::string &pathLabel,
+ bool isPathSharedAlready,
+ bool isTargetSharingAlready,
+ const std::string &zoneId)
+{
+ SmackRules rules;
+ const std::string &targetLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(targetAppId), zoneId);
+ if (!isTargetSharingAlready) {
+
+ rules.add(targetLabel,
+ zoneSmackLabelGenerate(SmackLabels::generatePkgLabel(ownerPkgId), zoneId),
+ SMACK_APP_DIR_TARGET_PERMS);
+ }
+ if (!isPathSharedAlready) {
+ for (const auto &app: ownerPkgContents) {
+ const std::string appLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(app), zoneId);
+ rules.add(appLabel, pathLabel, SMACK_APP_PATH_OWNER_PERMS);
+ }
+ rules.add(SMACK_USER, pathLabel, SMACK_APP_PATH_USER_PERMS);
+ rules.add(SMACK_SYSTEM, pathLabel, SMACK_APP_PATH_SYSTEM_PERMS);
+ }
+ rules.add(targetLabel, pathLabel, SMACK_APP_PATH_TARGET_PERMS);
+ rules.apply();
+}
+
+void SmackRules::dropPrivateSharingRules(const std::string &ownerPkgId,
+ const std::vector<std::string> &ownerPkgContents,
+ const std::string &targetAppId,
+ const std::string &pathLabel,
+ bool isPathSharedNoMore,
+ bool isTargetSharingNoMore,
+ const std::string &zoneId)
+{
+ SmackRules rules;
+ const std::string &targetLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(targetAppId), zoneId);
+ if (isTargetSharingNoMore) {
+ rules.addModify(targetLabel,
+ zoneSmackLabelGenerate(SmackLabels::generatePkgLabel(ownerPkgId), zoneId),
+ "", SMACK_APP_DIR_TARGET_PERMS);
+ }
+ if (isPathSharedNoMore) {
+ for (const auto &app: ownerPkgContents) {
+ const std::string appLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(app), zoneId);
+ rules.addModify(appLabel, pathLabel, "", SMACK_APP_PATH_OWNER_PERMS);
+ }
+ rules.addModify(SMACK_USER, pathLabel, "", SMACK_APP_PATH_USER_PERMS);
+ rules.addModify(SMACK_SYSTEM, pathLabel, "", SMACK_APP_PATH_SYSTEM_PERMS);
+ }
+ rules.addModify(targetLabel, pathLabel, "", SMACK_APP_PATH_TARGET_PERMS);
+ rules.apply();
+}
+
} // namespace SecurityManager
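Review bot: `applyPrivateSharingRules` grants access with `rules.add(...)` while `dropPrivateSharingRules` revokes with `rules.addModify(..., "", perms)`, so the grant and revoke paths are not symmetric. If `add` writes the rule as an absolute access set (as a plain libsmack add does; the wrapper is not visible here), then `rules.add(targetLabel, <owner package label>, SMACK_APP_DIR_TARGET_PERMS)` would replace whatever access the target already holds on the owner's package label with just `x`, and the later drop would strip `x` even where another policy granted it. Consider granting through the same delta form, e.g. `rules.addModify(targetLabel, pathLabel, SMACK_APP_PATH_TARGET_PERMS, "");`, and likewise for the other `add` calls in that function. Separately, `pathLabel` is used as passed in while every other label goes through `zoneSmackLabelGenerate`; if the caller is expected to supply an already zone-qualified label, a comment saying so would make that assumption checkable.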