-System ~APP~ rwx
-System::Privileged ~APP~ rwx
-~APP~ System wx
-~APP~ System::Privileged wx
-~APP~ System::Shared rxl
-~APP~ System::Run rwxat
-~APP~ System::Log rwxa
-~APP~ _ l
-User ~APP~ rwx
-~APP~ User wx
-~APP~ User::Home rxl
-~APP~ User::App::Shared rwxat
-~APP~ ~PKG~ rwxat
-~APP~ ~PKG~::RO rxl
-~APP~ ~PKG~::SharedRO rwxat
-~APP~ ~AUTHOR~ rwxat
+System ~PROCESS~ rwx
+System::Privileged ~PROCESS~ rwx
+~PROCESS~ System wx
+~PROCESS~ System::Privileged wx
+~PROCESS~ System::Shared rxl
+~PROCESS~ System::Run rwxat
+~PROCESS~ System::Log rwxa
+~PROCESS~ _ l
+User ~PROCESS~ rwx
+~PROCESS~ User wx
+~PROCESS~ User::Home rxl
+~PROCESS~ User::App::Shared rwxat
+~PROCESS~ ~PATH_RW~ rwxat
+~PROCESS~ ~PATH_RO~ rxl
+~PROCESS~ ~PATH_SHARED_RO~ rwxat
+~PROCESS~ ~PATH_TRUSTED~ rwxat
-User ~AUTHOR~ rwxat
-System ~AUTHOR~ rwxat
-System::Privileged ~AUTHOR~ rwxat
+User ~PATH_TRUSTED~ rwxat
+System ~PATH_TRUSTED~ rwxat
+System::Privileged ~PATH_TRUSTED~ rwxat
-System ~PKG~ rwxat
-System ~PKG~::RO rwxat
-System ~PKG~::SharedRO rwxat
-System::Privileged ~PKG~ rwxat
-System::Privileged ~PKG~::RO rwxat
-System::Privileged ~PKG~::SharedRO rwxat
-User ~PKG~ rwxat
-User ~PKG~::RO rwxat
-User ~PKG~::SharedRO rwxat
+System ~PATH_RW~ rwxat
+System ~PATH_RO~ rwxat
+System ~PATH_SHARED_RO~ rwxat
+System::Privileged ~PATH_RW~ rwxat
+System::Privileged ~PATH_RO~ rwxat
+System::Privileged ~PATH_SHARED_RO~ rwxat
+User ~PATH_RW~ rwxat
+User ~PATH_RO~ rwxat
+User ~PATH_SHARED_RO~ rwxat
PermissibleSet::readNamesFromPermissibleFile(user_label_file, names);
std::vector<const char*> temp;
std::transform(names.begin(), names.end(), std::back_inserter(temp),
- [] (std::string &label) {label = SmackLabels::generateAppLabel(label);
+ [] (std::string &label) {label = SmackLabels::generateProcessLabel(label);
return label.c_str();});
if (smack_set_relabel_self(const_cast<const char **>(temp.data()), temp.size()) != 0) {
LogError("smack_set_relabel_self failed");
return SECURITY_MANAGER_SUCCESS;
try {
- appLabel = SecurityManager::SmackLabels::generateAppLabel(app_name);
+ appLabel = SecurityManager::SmackLabels::generateProcessLabel(app_name);
} catch (...) {
LogError("Failed to generate smack label for appName: " << app_name);
return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT;
uid_t cur_tid = gettid();
pid_t cur_pid = getpid();
- g_app_label = SecurityManager::SmackLabels::generateAppLabel(app_name);
+ g_app_label = SecurityManager::SmackLabels::generateProcessLabel(app_name);
g_threads_count = 0;
g_tid_attr_current_map.clear();
g_smack_fs_path = smack_smackfs_path() != NULL;
* @param[in] appName application identifier
* @return resulting Smack label
*/
-std::string generateAppLabel(const std::string &appName);
+std::string generateProcessLabel(const std::string &appName);
/**
* Generates label for an application with @ref pkgName, specific
* @param[in] pkgName application package identifier
* @return resulting Smack label
*/
-std::string generatePkgLabelOwnerRWothersRO(const std::string &pkgName);
+std::string generatePathSharedROLabel(const std::string &pkgName);
/**
* Generates label for a package identifier
* @param[in] pkgName package identifier
* @return resulting Smack label
*/
-std::string generatePkgLabel(const std::string &pkgName);
+std::string generatePathRWLabel(const std::string &pkgName);
/**
* Generates label for private application RO files with package identifier @ref pkgName
* @param[in] pkgName package identifier
* @return resulting Smack label
*/
-std::string generatePkgROLabel(const std::string &pkgName);
+std::string generatePathROLabel(const std::string &pkgName);
/**
* Generates unique label per path for private path sharing.
* @param[in] authorId
* @return resulting Smack label
*/
-std::string generateAuthorLabel(const int authorId);
+std::string generatePathTrustedLabel(const int authorId);
/**
* Returns smack label for given socket
cyap = std::move(CynaraAdminPolicy(
policyEntry.appName.compare(SECURITY_MANAGER_ANY) ?
- SmackLabels::generateAppLabel(policyEntry.appName) : CYNARA_ADMIN_WILDCARD,
+ SmackLabels::generateProcessLabel(policyEntry.appName) : CYNARA_ADMIN_WILDCARD,
policyEntry.user,
policyEntry.privilege,
level,
return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
}
- appLabel = SmackLabels::generateAppLabel(req.appName);
- pkgLabel = SmackLabels::generatePkgLabel(req.pkgName);
+ appLabel = SmackLabels::generateProcessLabel(req.appName);
+ pkgLabel = SmackLabels::generatePathRWLabel(req.pkgName);
LogDebug("Generated install parameters: app label: " << appLabel <<
", pkg label: " << pkgLabel);
return SECURITY_MANAGER_SUCCESS;
}
- smackLabel = SmackLabels::generateAppLabel(req.appName);
+ smackLabel = SmackLabels::generateProcessLabel(req.appName);
LogDebug("Generated uninstall parameters: pkgName=" << req.pkgName
<< " Smack label=" << smackLabel);
{
try {
LogDebug("appName: " << appName);
- std::string smackLabel = SmackLabels::generateAppLabel(appName);
+ std::string smackLabel = SmackLabels::generateProcessLabel(appName);
LogDebug("smack label: " << smackLabel);
std::vector<std::string> privileges;
std::vector<CynaraAdminPolicy> listOfPolicies;
//convert appName to smack label
- std::string appLabel = filter.appName.compare(SECURITY_MANAGER_ANY) ? SmackLabels::generateAppLabel(filter.appName) : CYNARA_ADMIN_ANY;
+ std::string appLabel = filter.appName.compare(SECURITY_MANAGER_ANY) ? SmackLabels::generateProcessLabel(filter.appName) : CYNARA_ADMIN_ANY;
std::string user = filter.user.compare(SECURITY_MANAGER_ANY) ? filter.user : CYNARA_ADMIN_ANY;
std::string privilege = filter.privilege.compare(SECURITY_MANAGER_ANY) ? filter.privilege : CYNARA_ADMIN_ANY;
for (const std::string &appName : listOfApps) {
LogDebug("App: " << appName);
- std::string smackLabelForApp = SmackLabels::generateAppLabel(appName);
+ std::string smackLabelForApp = SmackLabels::generateProcessLabel(appName);
std::vector<std::string> listOfPrivileges;
CynaraAdmin::getInstance().GetAppPolicy(smackLabelForApp, userStr, listOfPrivileges);
bool &result)
{
try {
- std::string appLabel = SmackLabels::generateAppLabel(appName);
+ std::string appLabel = SmackLabels::generateProcessLabel(appName);
std::string uidStr = std::to_string(uid);
result = Cynara::getInstance().check(appLabel, privilege, uidStr, "");
LogDebug("result = " << result);
for(const auto &path : paths) {
std::string pathLabel = SmackLabels::getSmackLabelFromPath(path);
- if (pathLabel != SmackLabels::generatePkgLabel(ownerPkgName)) {
+ if (pathLabel != SmackLabels::generatePathRWLabel(ownerPkgName)) {
std::string generatedPathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgName, path);
if (generatedPathLabel != pathLabel) {
LogError("Path " << path << " has label " << pathLabel << " and dosen't belong"
return SECURITY_MANAGER_ERROR_INPUT_PARAM;
}
std::string pathLabel = SmackLabels::getSmackLabelFromPath(path);
- if (pathLabel != SmackLabels::generatePkgLabel(ownerPkgName)) {
+ if (pathLabel != SmackLabels::generatePathRWLabel(ownerPkgName)) {
std::string generatedPathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgName, path);
if (generatedPathLabel != pathLabel) {
LogError("Path " << path << " has label " << pathLabel << " and dosen't belong"
switch (pathType) {
case SECURITY_MANAGER_PATH_RW:
- label = generatePkgLabel(pkgName);
+ label = generatePathRWLabel(pkgName);
label_executables = false;
label_transmute = true;
break;
case SECURITY_MANAGER_PATH_RO:
- label = generatePkgROLabel(pkgName);
+ label = generatePathROLabel(pkgName);
label_executables = false;
label_transmute = false;
break;
label_transmute = true;
break;
case SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO:
- label = generatePkgLabelOwnerRWothersRO(pkgName);
+ label = generatePathSharedROLabel(pkgName);
label_executables = false;
label_transmute = true;
break;
case SECURITY_MANAGER_PATH_TRUSTED_RW:
if (authorId < 0)
ThrowMsg(SmackException::InvalidParam, "You must define author to use PATH_TRUSED_RW");
- label = generateAuthorLabel(authorId);
+ label = generatePathTrustedLabel(authorId);
label_executables = false;
label_transmute = true;
break;
return ret;
}
-std::string generateAppLabel(const std::string &appName)
+std::string generateProcessLabel(const std::string &appName)
{
std::string label = "User::App::" + appName;
return label;
}
-std::string generatePkgLabelOwnerRWothersRO(const std::string &pkgName)
+std::string generatePathSharedROLabel(const std::string &pkgName)
{
std::string label = "User::Pkg::" + pkgName + "::SharedRO";
return label;
}
-std::string generatePkgLabel(const std::string &pkgName)
+std::string generatePathRWLabel(const std::string &pkgName)
{
std::string label = "User::Pkg::" + pkgName;
return label;
}
-std::string generatePkgROLabel(const std::string &pkgName)
+std::string generatePathROLabel(const std::string &pkgName)
{
std::string label = "User::Pkg::" + pkgName + "::RO";
return result;
}
-std::string generateAuthorLabel(const int authorId)
+std::string generatePathTrustedLabel(const int authorId)
{
if (authorId < 0) {
LogError("Author was not set. It's not possible to generate label for unknown author.");
namespace SecurityManager {
-const std::string SMACK_APP_LABEL_TEMPLATE = "~APP~";
-const std::string SMACK_PKG_LABEL_TEMPLATE = "~PKG~";
-const std::string SMACK_AUTHOR_LABEL_TEMPLATE = "~AUTHOR~";
+const std::string SMACK_PROCESS_LABEL_TEMPLATE = "~PROCESS~";
+const std::string SMACK_PATH_RW_LABEL_TEMPLATE = "~PATH_RW~";
+const std::string SMACK_PATH_RO_LABEL_TEMPLATE = "~PATH_RO~";
+const std::string SMACK_PATH_SHARED_RO_LABEL_TEMPLATE = "~PATH_SHARED_RO~";
+const std::string SMACK_PATH_TRUSTED_LABEL_TEMPLATE = "~PATH_TRUSTED~";
const std::string APP_RULES_TEMPLATE_FILE_PATH = TizenPlatformConfig::makePath(TZ_SYS_RO_SHARE, "security-manager", "policy", "app-rules-template.smack");
const std::string PKG_RULES_TEMPLATE_FILE_PATH = TizenPlatformConfig::makePath(TZ_SYS_RO_SHARE, "security-manager", "policy", "pkg-rules-template.smack");
const std::string AUTHOR_RULES_TEMPLATE_FILE_PATH = TizenPlatformConfig::makePath(TZ_SYS_RO_SHARE, "security-manager", "policy", "author-rules-template.smack");
const std::string &pkgName,
const int authorId)
{
- std::string appLabel;
- std::string pkgLabel;
- std::string authorLabel;
+ std::string processLabel;
+ std::string pathRWLabel, pathROLabel, pathSharedROLabel;
+ std::string pathTrustedLabel;
if (!appName.empty())
- appLabel = SmackLabels::generateAppLabel(appName);
+ processLabel = SmackLabels::generateProcessLabel(appName);
- if (!pkgName.empty())
- pkgLabel = SmackLabels::generatePkgLabel(pkgName);
+ if (!pkgName.empty()) {
+ pathRWLabel = SmackLabels::generatePathRWLabel(pkgName);
+ pathROLabel = SmackLabels::generatePathROLabel(pkgName);
+ pathSharedROLabel = SmackLabels::generatePathSharedROLabel(pkgName);
+ }
if (authorId >= 0)
- authorLabel = SmackLabels::generateAuthorLabel(authorId);
+ pathTrustedLabel = SmackLabels::generatePathTrustedLabel(authorId);
for (auto rule : templateRules) {
if (rule.empty())
ThrowMsg(SmackException::FileError, "Invalid rule template: " << rule);
}
- strReplace(subject, SMACK_APP_LABEL_TEMPLATE, appLabel);
- strReplace(subject, SMACK_PKG_LABEL_TEMPLATE, pkgLabel);
- strReplace(object, SMACK_APP_LABEL_TEMPLATE, appLabel);
- strReplace(object, SMACK_PKG_LABEL_TEMPLATE, pkgLabel);
- strReplace(object, SMACK_AUTHOR_LABEL_TEMPLATE, authorLabel);
+ strReplace(subject, SMACK_PROCESS_LABEL_TEMPLATE, processLabel);
+ strReplace(object, SMACK_PROCESS_LABEL_TEMPLATE, processLabel);
+ strReplace(object, SMACK_PATH_RW_LABEL_TEMPLATE, pathRWLabel);
+ strReplace(object, SMACK_PATH_RO_LABEL_TEMPLATE, pathROLabel);
+ strReplace(object, SMACK_PATH_SHARED_RO_LABEL_TEMPLATE, pathSharedROLabel);
+ strReplace(object, SMACK_PATH_TRUSTED_LABEL_TEMPLATE, pathTrustedLabel);
if (subject.empty() || object.empty())
continue;
if (object == subject)
continue;
- subjectLabel = SmackLabels::generateAppLabel(subject);
- objectLabel = SmackLabels::generateAppLabel(object);
- LogDebug ("Trying to add rule subject: " << subjectLabel << " object: " << objectLabel << " perms: " << appsInPackagePerms);
+ subjectLabel = SmackLabels::generateProcessLabel(subject);
+ objectLabel = SmackLabels::generateProcessLabel(object);
+ LogDebug ("Trying to add rule subject: " << subjectLabel
+ << " object: " << objectLabel << " perms: " << appsInPackagePerms);
add(subjectLabel, objectLabel, appsInPackagePerms);
}
}
SmackRules rules;
for (size_t i = 0; i < pkgsApps.size(); ++i) {
for (const std::string &appName : pkgsApps[i].second) {
- std::string appLabel = SmackLabels::generateAppLabel(appName);
+ std::string appLabel = SmackLabels::generateProcessLabel(appName);
for (size_t j = 0; j < sharedROPkgsApps.size(); ++j) {
// Rules for SharedRO files from own pkg are generated elsewhere
if (pkgsApps[i] != sharedROPkgsApps[j]) {
const std::string &pkgName = sharedROPkgsApps[j].first;
rules.add(appLabel,
- SmackLabels::generatePkgLabelOwnerRWothersRO(pkgName),
+ SmackLabels::generatePathSharedROLabel(pkgName),
SMACK_APP_CROSS_PKG_PERMS);
}
}
SmackRules rules;
for (size_t i = 0; i < pkgsApps.size(); ++i) {
for (const std::string &appName : pkgsApps[i].second) {
- std::string appLabel = SmackLabels::generateAppLabel(appName);
+ std::string appLabel = SmackLabels::generateProcessLabel(appName);
rules.add(appLabel,
- SmackLabels::generatePkgLabelOwnerRWothersRO(revokePkg),
+ SmackLabels::generatePathSharedROLabel(revokePkg),
SMACK_APP_CROSS_PKG_PERMS);
}
}
void SmackRules::revokeAppSubject(const std::string &appName)
{
- if (smack_revoke_subject(SmackLabels::generateAppLabel(appName).c_str()))
+ if (smack_revoke_subject(SmackLabels::generateProcessLabel(appName).c_str()))
ThrowMsg(SmackException::LibsmackError, "smack_revoke_subject");
}
bool isTargetSharingAlready)
{
SmackRules rules;
- const std::string &targetLabel = SmackLabels::generateAppLabel(targetAppName);
+ const std::string &targetLabel = SmackLabels::generateProcessLabel(targetAppName);
if (!isTargetSharingAlready) {
rules.add(targetLabel,
- SmackLabels::generatePkgLabel(ownerPkgName),
+ SmackLabels::generatePathRWLabel(ownerPkgName),
SMACK_APP_DIR_TARGET_PERMS);
}
if (!isPathSharedAlready) {
for (const auto &app: ownerPkgContents) {
- const std::string appLabel = SmackLabels::generateAppLabel(app);
+ const std::string appLabel = SmackLabels::generateProcessLabel(app);
rules.add(appLabel, pathLabel, SMACK_APP_PATH_OWNER_PERMS);
}
rules.add(SMACK_USER, pathLabel, SMACK_APP_PATH_USER_PERMS);
bool isTargetSharingNoMore)
{
SmackRules rules;
- const std::string &targetLabel = SmackLabels::generateAppLabel(targetAppName);
+ const std::string &targetLabel = SmackLabels::generateProcessLabel(targetAppName);
if (isTargetSharingNoMore) {
rules.addModify(targetLabel,
- SmackLabels::generatePkgLabel(ownerPkgName),
+ SmackLabels::generatePathRWLabel(ownerPkgName),
"", SMACK_APP_DIR_TARGET_PERMS);
}
if (isPathSharedNoMore) {
for (const auto &app: ownerPkgContents) {
- const std::string appLabel = SmackLabels::generateAppLabel(app);
+ const std::string appLabel = SmackLabels::generateProcessLabel(app);
rules.addModify(appLabel, pathLabel, "", SMACK_APP_PATH_OWNER_PERMS);
}
rules.addModify(SMACK_USER, pathLabel, "", SMACK_APP_PATH_USER_PERMS);
projects / platform / core / security / security-manager.git / commitdiff