[Security] return security error properly & revise cynara code

Change-Id: I6c83acc03f96fd5c81dc3a1b7ef0d8d9933e6424

diff --git a/configure.ac b/configure.ac
index 4cae56e..2743a73 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -1368,10 +1368,22 @@ else
 fi
 
 #### Cynara ####
-
+dnl use security ---------------------------------------------------------------
+AC_ARG_ENABLE(security, AC_HELP_STRING([--enable-security], [using security]),
+[
+    case "${enableval}" in
+        yes) USE_SECURITY=yes ;;
+        no)  USE_SECURITY=no ;;
+        *)   AC_MSG_ERROR(bad value ${enableval} for --enable-security) ;;
+    esac
+],[USE_SECURITY=no])
+if test "x$USE_SECURITY" = "xyes"; then
 PKG_CHECK_MODULES(CYNARA, [cynara-client, cynara-creds-socket, cynara-session])
 AC_SUBST(CYNARA_CFLAGS)
 AC_SUBST(CYNARA_LIBS)
+fi
+AM_CONDITIONAL(USE_SECURITY, test "x$USE_SECURITY" = "xyes")
+dnl end ------------------------------------------------------------------------
 
 #### PulseAudio system runtime dir ####
 

diff --git a/packaging/pulseaudio.spec b/packaging/pulseaudio.spec
index 6f05b61..b82b180 100644 (file)
--- a/packaging/pulseaudio.spec
+++ b/packaging/pulseaudio.spec
@@ -244,7 +244,8 @@ NOCONFIGURE=yes ./bootstrap.sh
         --with-udev-rules-dir=%{udev_dir}/rules.d \
         --with-system-user=pulse \
         --with-system-group=pulse \
-        --with-access-group=pulse-access
+        --with-access-group=pulse-access \
+        --enable-security
 
 %__make %{?_smp_mflags} V=0
 

diff --git a/src/Makefile.am b/src/Makefile.am
index a916f15..e62b09a 100644 (file)
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -49,16 +49,20 @@ AM_CPPFLAGS = \
        -DPA_ALSA_PROFILE_SETS_DIR=\"$(alsaprofilesetsdir)\"
 AM_CFLAGS = \
        $(PTHREAD_CFLAGS) \
-       $(CYNARA_CFLAGS) \
        -DPA_SRCDIR=\"$(abs_srcdir)\" \
        -DPA_BUILDDIR=\"$(abs_builddir)\"
 AM_CXXFLAGS = $(AM_CFLAGS)
 SERVER_CFLAGS = -D__INCLUDED_FROM_PULSE_AUDIO
 
 AM_LIBADD = $(PTHREAD_LIBS) $(INTLLIBS)
-AM_LDADD = $(PTHREAD_LIBS) $(INTLLIBS) $(CYNARA_LIBS)
+AM_LDADD = $(PTHREAD_LIBS) $(INTLLIBS)
 AM_LDFLAGS = $(NODELETE_LDFLAGS)
 
+if USE_SECURITY
+AM_CFLAGS += $(CYNARA_CFLAGS) -DUSE_SECURITY
+AM_LDADD += $(CYNARA_LIBS)
+endif
+
 if HAVE_GCOV
 AM_CFLAGS+=$(GCOV_CFLAGS)
 AM_CXXFLAGS+=$(GCOV_CFLAGS)
@@ -1240,8 +1244,7 @@ libprotocol_http_la_SOURCES = pulsecore/protocol-http.c pulsecore/protocol-http.
 libprotocol_http_la_LDFLAGS = $(AM_LDFLAGS) -avoid-version
 libprotocol_http_la_LIBADD = $(AM_LIBADD) libpulsecore-@PA_MAJORMINOR@.la libpulsecommon-@PA_MAJORMINOR@.la libpulse.la
 
-libprotocol_native_la_SOURCES = pulsecore/protocol-native.c pulsecore/protocol-native.h pulsecore/native-common.h \
-pulsecore/cynara.c pulsecore/cynara.h
+libprotocol_native_la_SOURCES = pulsecore/protocol-native.c pulsecore/protocol-native.h pulsecore/native-common.h
 libprotocol_native_la_CFLAGS = $(AM_CFLAGS) $(SERVER_CFLAGS)
 libprotocol_native_la_LDFLAGS = $(AM_LDFLAGS) -avoid-version
 libprotocol_native_la_LIBADD = $(AM_LIBADD) libpulsecore-@PA_MAJORMINOR@.la libpulsecommon-@PA_MAJORMINOR@.la libpulse.la
@@ -1249,6 +1252,9 @@ if HAVE_DBUS
 libprotocol_native_la_CFLAGS += $(DBUS_CFLAGS)
 libprotocol_native_la_LIBADD += $(DBUS_LIBS)
 endif
+if USE_SECURITY
+libprotocol_native_la_SOURCES += pulsecore/cynara.c pulsecore/cynara.h
+endif
 
 libtunnel_manager_la_SOURCES = \
                modules/tunnel-manager/remote-device.c modules/tunnel-manager/remote-device.h \

diff --git a/src/pulse/stream.c b/src/pulse/stream.c
index 77d7a74..54e5e0a 100644 (file)
--- a/src/pulse/stream.c
+++ b/src/pulse/stream.c
@@ -1172,6 +1172,19 @@ finish:
     pa_stream_unref(s);
 }
 
+static bool is_virtual_stream(pa_proplist* p) {
+    const char *media_name = NULL;
+    bool is_virtual = false;
+
+    media_name = pa_proplist_gets(p, PA_PROP_MEDIA_NAME);
+    if (media_name && pa_streq(media_name, "VIRTUAL_STREAM"))
+        is_virtual = true;
+
+    pa_log_info("Is virtual stream : %s", pa_yes_no(is_virtual));
+
+    return is_virtual;
+}
+
 static int create_stream(
         pa_stream_direction_t direction,
         pa_stream *s,
@@ -1266,18 +1279,6 @@ static int create_stream(
             (uint32_t) (s->direction == PA_STREAM_PLAYBACK ? PA_COMMAND_CREATE_PLAYBACK_STREAM : PA_COMMAND_CREATE_RECORD_STREAM),
             &tag);
 
-#ifdef __TIZEN__
-    if (direction == PA_STREAM_RECORD) {
-        const char *media_name = NULL;
-        bool is_virtual = FALSE;
-        media_name = pa_proplist_gets(s->proplist, PA_PROP_MEDIA_NAME);
-        if (media_name && pa_streq(media_name, "VIRTUAL_STREAM"))
-            is_virtual = TRUE;
-        pa_log_info("Is this stream virtual : %s", pa_yes_no(is_virtual));
-        pa_tagstruct_put_boolean(t, is_virtual);
-    }
-#endif
-
     if (s->context->version < 13)
         pa_tagstruct_puts(t, pa_proplist_gets(s->proplist, PA_PROP_MEDIA_NAME));
 
@@ -1312,8 +1313,12 @@ static int create_stream(
                 PA_TAG_INVALID);
 
         pa_tagstruct_put_cvolume(t, volume);
-    } else
+    } else {
         pa_tagstruct_putu32(t, s->buffer_attr.fragsize);
+#ifdef __TIZEN__
+        pa_tagstruct_put_boolean(t, is_virtual_stream(s->proplist));
+#endif
+    }
 
     if (s->context->version >= 12) {
         pa_tagstruct_put(

diff --git a/src/pulsecore/protocol-native.c b/src/pulsecore/protocol-native.c
index d1fdedb..d4d6ecd 100644 (file)
--- a/src/pulsecore/protocol-native.c
+++ b/src/pulsecore/protocol-native.c
@@ -60,7 +60,7 @@
 
 #include "protocol-native.h"
 
-#ifdef __TIZEN__
+#ifdef USE_SECURITY
 #include <pulsecore/cynara.h>
 #include <pulsecore/iochannel.h>
 #endif
@@ -429,6 +429,12 @@ static const pa_pdispatch_cb_t command_table[PA_COMMAND_MAX] = {
 
 /* structure management */
 
+#ifdef USE_SECURITY
+static int _get_connection_out_fd(pa_native_connection *c) {
+    return pa_iochannel_get_send_fd(pa_pstream_get_iochannel(pa_native_connection_get_pstream(c)));
+}
+#endif
+
 /* Called from main context */
 static void upload_stream_unlink(upload_stream *s) {
     pa_assert(s);
@@ -2458,18 +2464,8 @@ static void command_create_record_stream(pa_pdispatch *pd, uint32_t command, uin
     pa_idxset *formats = NULL;
     uint32_t i;
 
-#ifdef __TIZEN__
-    {
-        bool is_virtual_stream = FALSE;
-        int fd = pa_iochannel_get_send_fd(pa_pstream_get_iochannel(pa_native_connection_get_pstream(c)));
-
-        pa_tagstruct_get_boolean(t, &is_virtual_stream);
-        pa_log_info("is virtual stream : %s", pa_yes_no(is_virtual_stream));
-        if (!is_virtual_stream && !cynara_check_privilege(fd, RECORDER_PRIVILEGE)) {
-            pa_pstream_send_simple_ack(c->pstream, tag);
-            return;
-        }
-    }
+#ifdef USE_SECURITY
+    bool is_virtual_stream = false;
 #endif
 
     pa_native_connection_assert_ref(c);
@@ -2496,8 +2492,14 @@ static void command_create_record_stream(pa_pdispatch *pd, uint32_t command, uin
     CHECK_VALIDITY_GOTO(c->pstream, !source_name || source_index == PA_INVALID_INDEX, tag, PA_ERR_INVALID, finish);
 
 #ifdef USE_SECURITY
-    CHECK_VALIDITY(c->pstream, pa_pstream_check_security(c->pstream), tag, PA_ERR_ACCESS_BY_SECURITY);
+    pa_tagstruct_get_boolean(t, &is_virtual_stream);
+    pa_log_info("is virtual stream : %s", pa_yes_no(is_virtual_stream));
+    if (!is_virtual_stream) {
+        CHECK_VALIDITY(c->pstream, cynara_check_privilege(_get_connection_out_fd(c), RECORDER_PRIVILEGE),
+                       tag, PA_ERR_ACCESS_BY_SECURITY);
+    }
 #endif /* USE_SECURITY */
+
     p = pa_proplist_new();
 
     if (name)
@@ -3022,14 +3024,6 @@ static void command_get_record_latency(pa_pdispatch *pd, uint32_t command, uint3
     struct timeval tv, now;
     uint32_t idx;
 
-    #ifdef __TIZEN__
-    int fd = pa_iochannel_get_send_fd(pa_pstream_get_iochannel(pa_native_connection_get_pstream(c)));
-    if (!cynara_check_privilege(fd, RECORDER_PRIVILEGE)) {
-        pa_pstream_send_simple_ack(c->pstream, tag);
-        return;
-    }
-    #endif
-
     pa_native_connection_assert_ref(c);
     pa_assert(t);
 
@@ -3868,14 +3862,6 @@ static void command_set_volume(
     const char *name = NULL;
     const char *client_name;
 
-    #ifdef __TIZEN__
-    int fd = pa_iochannel_get_send_fd(pa_pstream_get_iochannel(pa_native_connection_get_pstream(c)));
-    if (!cynara_check_privilege(fd, VOLUME_SET_PRIVILEGE)) {
-        pa_pstream_send_simple_ack(c->pstream, tag);
-        return;
-    }
-    #endif
-
     pa_native_connection_assert_ref(c);
     pa_assert(t);
 
@@ -3893,6 +3879,11 @@ static void command_set_volume(
     CHECK_VALIDITY(c->pstream, (idx != PA_INVALID_INDEX) ^ (name != NULL), tag, PA_ERR_INVALID);
     CHECK_VALIDITY(c->pstream, pa_cvolume_valid(&volume), tag, PA_ERR_INVALID);
 
+#ifdef USE_SECURITY
+    CHECK_VALIDITY(c->pstream, cynara_check_privilege(_get_connection_out_fd(c), VOLUME_SET_PRIVILEGE),
+                   tag, PA_ERR_ACCESS_BY_SECURITY);
+#endif /* USE_SECURITY */
+
     switch (command) {
 
         case PA_COMMAND_SET_SINK_VOLUME:
@@ -3971,14 +3962,6 @@ static void command_set_volume_ramp(
     const char *name = NULL;
     const char *client_name;
 
-    #ifdef __TIZEN__
-    int fd = pa_iochannel_get_send_fd(pa_pstream_get_iochannel(pa_native_connection_get_pstream(c)));
-    if (!cynara_check_privilege(fd, VOLUME_SET_PRIVILEGE)) {
-        pa_pstream_send_simple_ack(c->pstream, tag);
-        return;
-    }
-    #endif
-
     pa_native_connection_assert_ref(c);
     pa_assert(t);
 
@@ -3996,6 +3979,10 @@ static void command_set_volume_ramp(
     CHECK_VALIDITY(c->pstream, idx != PA_INVALID_INDEX || name, tag, PA_ERR_INVALID);
     CHECK_VALIDITY(c->pstream, idx == PA_INVALID_INDEX || !name, tag, PA_ERR_INVALID);
     CHECK_VALIDITY(c->pstream, !name || idx == PA_INVALID_INDEX, tag, PA_ERR_INVALID);
+#ifdef USE_SECURITY
+    CHECK_VALIDITY(c->pstream, cynara_check_privilege(_get_connection_out_fd(c), VOLUME_SET_PRIVILEGE),
+                   tag, PA_ERR_ACCESS_BY_SECURITY);
+#endif /* USE_SECURITY */
 
     switch (command) {
 
@@ -4045,14 +4032,6 @@ static void command_set_mute(
     pa_source_output *so = NULL;
     const char *name = NULL, *client_name;
 
-    #ifdef __TIZEN__
-    int fd = pa_iochannel_get_send_fd(pa_pstream_get_iochannel(pa_native_connection_get_pstream(c)));
-    if (!cynara_check_privilege(fd, VOLUME_SET_PRIVILEGE)) {
-        pa_pstream_send_simple_ack(c->pstream, tag);
-        return;
-    }
-    #endif
-
     pa_native_connection_assert_ref(c);
     pa_assert(t);
 
@@ -4068,6 +4047,10 @@ static void command_set_mute(
     CHECK_VALIDITY(c->pstream, c->authorized, tag, PA_ERR_ACCESS);
     CHECK_VALIDITY(c->pstream, !name || pa_namereg_is_valid_name_or_wildcard(name, command == PA_COMMAND_SET_SINK_MUTE ? PA_NAMEREG_SINK : PA_NAMEREG_SOURCE), tag, PA_ERR_INVALID);
     CHECK_VALIDITY(c->pstream, (idx != PA_INVALID_INDEX) ^ (name != NULL), tag, PA_ERR_INVALID);
+#ifdef USE_SECURITY
+    CHECK_VALIDITY(c->pstream, cynara_check_privilege(_get_connection_out_fd(c), VOLUME_SET_PRIVILEGE),
+                   tag, PA_ERR_ACCESS_BY_SECURITY);
+#endif /* USE_SECURITY */
 
     switch (command) {
 

diff --git a/src/pulsecore/pstream.c b/src/pulsecore/pstream.c
index 0e8f7ee..e27ccce 100644 (file)
--- a/src/pulsecore/pstream.c
+++ b/src/pulsecore/pstream.c
@@ -1039,7 +1039,7 @@ bool pa_pstream_get_shm(pa_pstream *p) {
     return p->use_shm;
 }
 
-#ifdef __TIZEN__
+#ifdef USE_SECURITY
 pa_iochannel *pa_pstream_get_iochannel(pa_pstream *p) {
     return p->io;
 }

diff --git a/src/pulsecore/pstream.h b/src/pulsecore/pstream.h
index 79ac135..84c71de 100644 (file)
--- a/src/pulsecore/pstream.h
+++ b/src/pulsecore/pstream.h
@@ -66,7 +66,7 @@ bool pa_pstream_is_pending(pa_pstream *p);
 void pa_pstream_enable_shm(pa_pstream *p, bool enable);
 bool pa_pstream_get_shm(pa_pstream *p);
 
-#ifdef __TIZEN__
+#ifdef USE_SECURITY
 pa_iochannel *pa_pstream_get_iochannel(pa_pstream *p);
 #endif