Return DENY when application has no policy for given privacy privilege

When application has no policy set in privacy bucket, return
DENY inside checkPermission. This will be also returned in case
of privileges declared in application manifests, because currently
askuser cannot differentiate these two cases.

Change-Id: I9a177bdd9cc2e107dff973c5328263f23c31a0a4

diff --git a/src/client/impl/ApiInterfaceImpl.cpp b/src/client/impl/ApiInterfaceImpl.cpp
index 4dc2094..a1833e8 100644 (file)
--- a/src/client/impl/ApiInterfaceImpl.cpp
+++ b/src/client/impl/ApiInterfaceImpl.cpp
@@ -100,6 +100,10 @@ askuser_check_result ApiInterfaceImpl::checkPrivilege(const std::string &privile
 
     auto policyLevel = getPrivilegeMappedPolicy(appId, privilege);
 
+    if (policyLevel.empty()) {
+        ALOGD("Privilege " << privilege << " is not a privacy privilege for app " << appId);
+        return ASKUSER_CHECK_RESULT_DENY;
+    }
     if (policyLevel == "Allow") {
         return ASKUSER_CHECK_RESULT_ALLOW;
     }
@@ -112,6 +116,8 @@ askuser_check_result ApiInterfaceImpl::checkPrivilege(const std::string &privile
         return ASKUSER_CHECK_RESULT_ASK;
     }
 
+    ALOGE("Unknown policy level set : " << policyLevel <<
+          " for app " << appId << " and privilege " << privilege);
     return ASKUSER_CHECK_RESULT_DENY;
 }
 

diff --git a/src/common/policy/Policy.cpp b/src/common/policy/Policy.cpp
index 501464c..0d48c08 100644 (file)
--- a/src/common/policy/Policy.cpp
+++ b/src/common/policy/Policy.cpp
@@ -71,6 +71,9 @@ PolicyEntryCopy::PolicyEntryCopy(policy_entry *entry) {
 }
 
 Policy getMinimumPolicy(const std::vector<Policy> &policies) {
+    if (policies.empty())
+        return "";
+
     Policy minimumPolicy = "Allow";
 
     for (auto &policy : policies) {
@@ -127,7 +130,10 @@ Policy getPrivilegePolicy(const std::string &appId, const Privilege &privilege)
 Policy getPrivaciesPolicy(const std::string &appId, const std::vector<Privacy> &privacies) {
     std::vector<Policy> policies;
     for (auto &privacy : privacies) {
-        policies.push_back(calculatePolicyForPrivacy(appId, privacy));
+        Policy privacyPolicy = calculatePolicyForPrivacy(appId, privacy);
+        if (privacyPolicy.empty())
+            continue;
+        policies.push_back(privacyPolicy);
     }
     return getMinimumPolicy(policies);
 }

diff --git a/src/notification-daemon/Logic.cpp b/src/notification-daemon/Logic.cpp
index 57197cf..1f7b846 100644 (file)
--- a/src/notification-daemon/Logic.cpp
+++ b/src/notification-daemon/Logic.cpp
@@ -231,8 +231,18 @@ void Logic::popup(Protocol::ConnectionFd fd, Protocol::RequestId id, const std::
             // Remove privacies which are already allowed - we don't need to spam user more with popups
             privacy = removePrivacy;
         }
+        if (policy.empty()) {
+            ALOGD("Application doesn't use privacy " << privacy);
+            continue;
+        }
         policies.push_back(policy);
     }
+
+    if (policies.empty()) {
+        ALOGD("Privilege " << privilege << " is not privacy for app : " << conn.appId);
+        m_serverChannel->popupResponse(fd, id, ASKUSER_DENY_FOREVER);
+        return;
+    }
     std::string policyLevel = getMinimumPolicy(policies);
 
     ALOGD("Privilege policy level calculated to : " << policyLevel);