Allow application to fetch its own manifest 13/171313/1
authorZofia Grzelewska <z.abramowska@samsung.com>
Wed, 28 Feb 2018 16:10:19 +0000 (17:10 +0100)
committerZofia Grzelewska <z.abramowska@samsung.com>
Wed, 28 Feb 2018 16:49:02 +0000 (17:49 +0100)
security_manager_get_manifest_policy didn't allow an application
to fetch its own manifest when a global application was run in an
unprivileged user context. This is required for the PPM API to work
properly.

Change-Id: Ib5c72f2b3fdea170b1eb51e4d0ed4d7c31f293b9

src/common/service_impl.cpp

index de1d842..6360a86 100644 (file)
@@ -2030,11 +2030,6 @@ int ServiceImpl::getAppManifestPolicy(const Credentials &creds, const std::strin
                                       uid_t uid, std::vector<std::string> &privileges)
 {
     try {
-        if (!authenticate(creds, Config::PRIVILEGE_USER_ADMIN)) {
-            LogError("Request from uid=" << creds.uid << ", Smack=" << creds.label << " for checking app manifest policy denied");
-            return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
-        }
-
         std::string pkgName;
         m_privilegeDb.GetAppPkgName(appName, pkgName);
 
@@ -2043,8 +2038,17 @@ int ServiceImpl::getAppManifestPolicy(const Credentials &creds, const std::strin
             return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT;
         }
 
-        std::string uidStr = m_privilegeDb.IsUserPkgInstalled(pkgName, uid) ? std::to_string(uid) : CYNARA_ADMIN_WILDCARD;
         std::string cynaraClient = getAppProcessLabel(appName);
+        std::string uidStr = m_privilegeDb.IsUserPkgInstalled(pkgName, uid) ? std::to_string(uid) : CYNARA_ADMIN_WILDCARD;
+
+        // Allow application to check its own manifest
+        if (((creds.label != cynaraClient)
+             || (uidStr != CYNARA_ADMIN_WILDCARD && uidStr != std::to_string(creds.uid)))
+            && !authenticate(creds, Config::PRIVILEGE_USER_ADMIN))
+        {
+            LogError("Request from uid=" << creds.uid << ", Smack=" << creds.label << " for checking app manifest policy denied");
+            return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
+        }
 
         m_cynaraAdmin.getAppPolicy(cynaraClient, uidStr, privileges);
     } catch (const CynaraException::Base &e) {
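Review bot: With the privilege check moved below the package lookup, the `return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT` at the top of this hunk is reached before any authorization. A caller that is neither the app itself nor a holder of `Config::PRIVILEGE_USER_ADMIN` therefore appears to get NO_SUCH_OBJECT for unknown app names and `SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED` for known ones, which reveals whether an app is installed. If that disclosure is not intended, the not-found branch should also require `authenticate(creds, Config::PRIVILEGE_USER_ADMIN)` before returning; otherwise a comment there should say it is accepted. The self-check would also be easier to audit as a named predicate, `const bool ownManifest = creds.label == cynaraClient && (uidStr == CYNARA_ADMIN_WILDCARD || uid == creds.uid);` followed by `if (!ownManifest && !authenticate(creds, Config::PRIVILEGE_USER_ADMIN))`. The function body begins in the previous hunk and continues past the `catch` that ends this one.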