Remove the redundant SharedRO SMACK rules. 34/111034/4
authorjin-gyu.kim <jin-gyu.kim@samsung.com>
Thu, 19 Jan 2017 08:00:11 +0000 (17:00 +0900)
committerGerrit Code Review <gerrit@review.vlan103.tizen.org>
Tue, 28 Mar 2017 07:40:18 +0000 (00:40 -0700)
- There were some redundant SharedRO SMACK rules.
- This change grants the SharedRO rules only when a package has shared folders.

Change-Id: Ic738c6bd49972de6a48d5ff18baa8360a92f22c0

policy/CMakeLists.txt
policy/app-rules-template.smack
policy/pkg-rules-template.smack
policy/sharedro-rules-template.smack [new file with mode: 0644]
src/common/smack-rules.cpp

index 809ebb834beeec1a8bdbbdc999fdba3df1851899..c0dbb48526ae881e80f15cf06479ea7f6a7922fa 100644 (file)
@@ -8,6 +8,7 @@ INSTALL(FILES ${USERTYPE_POLICY_FILES} DESTINATION ${POLICY_DIR})
 INSTALL(FILES "app-rules-template.smack" DESTINATION ${POLICY_DIR})
 INSTALL(FILES "pkg-rules-template.smack" DESTINATION ${POLICY_DIR})
 INSTALL(FILES "author-rules-template.smack" DESTINATION ${POLICY_DIR})
+INSTALL(FILES "sharedro-rules-template.smack" DESTINATION ${POLICY_DIR})
 INSTALL(FILES "privilege-group.list" DESTINATION ${POLICY_DIR})
 INSTALL(PROGRAMS "update.sh" DESTINATION ${POLICY_DIR})
 INSTALL(DIRECTORY "updates" USE_SOURCE_PERMISSIONS DESTINATION ${POLICY_DIR})
index 11385832ecc437c2c8a1f30ce741917bc0c90801..af530d190c752f0b0af12d2958aebf54b7ef0d7b 100644 (file)
@@ -12,5 +12,4 @@ User ~PROCESS~ rwxat
 ~PROCESS~ User::App::Shared rwxat
 ~PROCESS~ ~PATH_RW~ rwxat
 ~PROCESS~ ~PATH_RO~ rxl
-~PROCESS~ ~PATH_SHARED_RO~ rwxat
 ~PROCESS~ ~PATH_TRUSTED~ rwxat
index 53cd419710cddae5fe4e292eb2c8db9964532e56..bf2e868b4cb6eb8fcf47a93b84d5992326639aed 100644 (file)
@@ -1,9 +1,6 @@
 System ~PATH_RW~ rwxat
 System ~PATH_RO~ rwxat
-System ~PATH_SHARED_RO~ rwxat
 System::Privileged ~PATH_RW~ rwxat
 System::Privileged ~PATH_RO~ rwxat
-System::Privileged ~PATH_SHARED_RO~ rwxat
 User ~PATH_RW~ rwxat
 User ~PATH_RO~ rwxat
-User ~PATH_SHARED_RO~ rwxat
diff --git a/policy/sharedro-rules-template.smack b/policy/sharedro-rules-template.smack
new file mode 100644 (file)
index 0000000..62bdefb
--- /dev/null
@@ -0,0 +1,3 @@
+User ~PATH_SHARED_RO~ rwxat
+System ~PATH_SHARED_RO~ rwxat
+System::Privileged ~PATH_SHARED_RO~ rwxat
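Review bot: All three rules in the new template give `rwxat` on `~PATH_SHARED_RO~`, so `User`, `System` and `System::Privileged` hold write, append and transmute access to a label whose name says read-only. The modes are carried over unchanged from the lines removed in pkg-rules-template.smack, so this is not a regression. Now that the rules have their own file, it would be worth recording why each subject needs more than `rx`, or narrowing the ones that do not. Whether the template parser accepts comment lines is not visible here, so the rationale may have to sit next to `SHAREDRO_RULES_TEMPLATE_FILE_PATH` in smack-rules.cpp.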
index 31474b1dc6135be6064594bef92a784dfd107d91..d673ffae25b6b224b564daf2896a035833236ac1 100644 (file)
@@ -55,6 +55,7 @@ const std::string SMACK_PATH_TRUSTED_LABEL_TEMPLATE  = "~PATH_TRUSTED~";
 const std::string APP_RULES_TEMPLATE_FILE_PATH = TizenPlatformConfig::makePath(TZ_SYS_RO_SHARE, "security-manager", "policy", "app-rules-template.smack");
 const std::string PKG_RULES_TEMPLATE_FILE_PATH = TizenPlatformConfig::makePath(TZ_SYS_RO_SHARE, "security-manager", "policy", "pkg-rules-template.smack");
 const std::string AUTHOR_RULES_TEMPLATE_FILE_PATH = TizenPlatformConfig::makePath(TZ_SYS_RO_SHARE, "security-manager", "policy", "author-rules-template.smack");
+const std::string SHAREDRO_RULES_TEMPLATE_FILE_PATH = TizenPlatformConfig::makePath(TZ_SYS_RO_SHARE, "security-manager", "policy", "sharedro-rules-template.smack");
 const std::string SMACK_RULES_PATH_MERGED      = LOCAL_STATE_DIR "/security-manager/rules-merged/rules.merged";
 const std::string SMACK_RULES_PATH_MERGED_T    = LOCAL_STATE_DIR "/security-manager/rules-merged/rules.merged.temp";
 const std::string SMACK_RULES_PATH             = LOCAL_STATE_DIR "/security-manager/rules";
@@ -265,18 +266,28 @@ void SmackRules::generateSharedRORules(PkgsLabels &pkgsLabels, std::vector<PkgIn
     for (size_t i = 0; i < pkgsLabels.size(); ++i) {
         for (const std::string &appLabel : pkgsLabels[i].second) {
             for (size_t j = 0; j < allPkgs.size(); ++j) {
-                // Rules for SharedRO files from own package are generated elsewhere
-                if (!allPkgs[j].sharedRO || pkgsLabels[i].first == allPkgs[j].name)
+                if (!allPkgs[j].sharedRO)
                     continue;
-
                 const std::string &pkgName = allPkgs[j].name;
-                rules.add(appLabel,
-                          SmackLabels::generatePathSharedROLabel(pkgName),
-                          SMACK_APP_CROSS_PKG_PERMS);
+                if (pkgsLabels[i].first != allPkgs[j].name)
+                    rules.add(appLabel,
+                              SmackLabels::generatePathSharedROLabel(pkgName),
+                              SMACK_APP_CROSS_PKG_PERMS);
+                else
+                    rules.add(appLabel,
+                              SmackLabels::generatePathSharedROLabel(pkgName),
+                              SMACK_APP_PATH_OWNER_PERMS);
             }
         }
     }
 
+    for (size_t j = 0; j < allPkgs.size(); ++j) {
+        if (!allPkgs[j].sharedRO)
+            continue;
+        const std::string &pkgName = allPkgs[j].name;
+        rules.addFromTemplateFile(SHAREDRO_RULES_TEMPLATE_FILE_PATH, std::string(), pkgName,-1);
+    }
+
     if (smack_check())
         rules.apply();
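Review bot: The owner/cross-package branch around the two `rules.add` calls is an unbraced if/else whose arms differ only in the permission constant, and it compares `allPkgs[j].name` right after binding that same value to `pkgName`. Because this choice decides whether an app label gets owner or cross-package access to a SharedRO label, select the permission once and keep a single call: `const auto &perms = (pkgsLabels[i].first == pkgName) ? SMACK_APP_PATH_OWNER_PERMS : SMACK_APP_CROSS_PKG_PERMS;` followed by `rules.add(appLabel, SmackLabels::generatePathSharedROLabel(pkgName), perms);`. The removed comment about own-package rules being generated elsewhere also needs a replacement, for example `// Own-package SharedRO access is granted here, and only for packages that have a SharedRO directory`. In the new template loop, the empty app name and the literal `-1` passed to `addFromTemplateFile` are unexplained; a named constant or a short comment would help, assuming `-1` stands for "no author id" (the signature is not visible in this hunk). generateSharedRORules starts before the hunk and its end is not shown.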