{
}
+bool ServiceImpl::authenticate(const Credentials &creds, const std::string &privilege)
+{
+ if (creds.authenticated)
+ return true;
+ return Cynara::getInstance().check(creds.label, privilege,
+ std::to_string(creds.uid), std::to_string(creds.pid));
+}
+
uid_t ServiceImpl::getGlobalUserId(void)
{
static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
bool ServiceImpl::installRequestAuthCheck(const Credentials &creds, const app_inst_req &req)
{
- if (req.installationType != SM_APP_INSTALL_LOCAL || req.uid != creds.uid) {
- if (!Cynara::getInstance().check(creds.label, Config::PRIVILEGE_APPINST_ADMIN,
- std::to_string(creds.uid), std::to_string(creds.pid))) {
- LogError("Caller is not permitted to install applications globally");
+ if (req.installationType == SM_APP_INSTALL_LOCAL && req.uid == creds.uid) {
+ if (!authenticate(creds, Config::PRIVILEGE_APPINST_USER)) {
+ LogError("Caller is not permitted to install applications locally");
return false;
}
} else {
- if (!Cynara::getInstance().check(creds.label, Config::PRIVILEGE_APPINST_USER,
- std::to_string(creds.uid), std::to_string(creds.pid))) {
- LogError("Caller is not permitted to install applications");
+ if (!authenticate(creds, Config::PRIVILEGE_APPINST_ADMIN)) {
+ LogError("Caller is not permitted to install applications globally");
return false;
}
}
return SECURITY_MANAGER_SUCCESS;
}
-int ServiceImpl::appUninstall(const Credentials &creds, app_inst_req &&req,
- bool authenticated)
+int ServiceImpl::appUninstall(const Credentials &creds, app_inst_req &&req)
{
std::string tizenVersion;
std::string smackLabel;
LogDebug("Uninstall parameters: appName=" << req.appName << ", uid=" << req.uid);
- if (!authenticated && !installRequestAuthCheck(creds, req)) {
+ if (!installRequestAuthCheck(creds, req)) {
LogError("Request from uid=" << creds.uid << ", Smack=" << creds.label <<
" for app uninstallation denied");
return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
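Review bot: Dropping the `authenticated` parameter moves the privilege-check bypass into `creds.authenticated`, which `authenticate()` (added in an earlier hunk) consults before asking Cynara, so this path is only as safe as the guarantee that the field is never true for credentials read from a client connection. The `Credentials` definition is not part of this diff; confirm the new member has a `false` default initializer and that the code filling `Credentials` from a socket never sets it, otherwise an external caller would skip `installRequestAuthCheck` entirely. A short comment on the parameter would make the contract visible to the next maintainer: `// creds.authenticated == true skips installRequestAuthCheck; only trusted internal callers may set it`. appUninstall's body continues past the end of the hunk.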
int ServiceImpl::userAdd(const Credentials &creds, uid_t uidAdded, int userType)
{
- if (!Cynara::getInstance().check(creds.label, Config::PRIVILEGE_USER_ADMIN,
- std::to_string(creds.uid), std::to_string(creds.pid))) {
-
+ if (!authenticate(creds, Config::PRIVILEGE_USER_ADMIN)) {
LogError("Caller is not permitted to manage users");
return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
}
{
int ret = SECURITY_MANAGER_SUCCESS;
- if (!Cynara::getInstance().check(creds.label, Config::PRIVILEGE_USER_ADMIN,
- std::to_string(creds.uid), std::to_string(creds.pid))) {
-
+ if (!authenticate(creds, Config::PRIVILEGE_USER_ADMIN)) {
LogError("Caller is not permitted to manage users");
return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
}
return SECURITY_MANAGER_ERROR_SERVER_ERROR;
}
+ // Don't check whether the caller may uninstall apps of the removed user
+ Credentials credsTmp(creds);
+ credsTmp.authenticated = true;
for (const auto &app : userApps) {
app_inst_req req;
req.uid = uidDeleted;
req.appName = app;
- if (appUninstall(creds, std::move(req), true) != SECURITY_MANAGER_SUCCESS) {
+ if (appUninstall(credsTmp, std::move(req)) != SECURITY_MANAGER_SUCCESS) {
/*if uninstallation of this app fails, just go on trying to uninstall another ones.
we do not have anything special to do about that matter - user will be deleted anyway.*/
ret = SECURITY_MANAGER_ERROR_SERVER_ERROR;
};
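Review bot: The comment `// Don't check whether the caller may uninstall apps of the removed user` says what is skipped but not why skipping it is safe, which is exactly what a reader auditing a privilege bypass needs. The caller appears to have passed the `PRIVILEGE_USER_ADMIN` check earlier in this function, and `credsTmp` is a local copy, so the pre-authorized flag cannot outlive the loop; I would state both: `// Caller already passed PRIVILEGE_USER_ADMIN above, so skip the per-app install privilege check for the removed user's apps; credsTmp is local and the flag does not escape this loop`. Keeping the caller's uid and label in `credsTmp` also means the logs inside appUninstall still attribute the cascaded uninstall to the admin caller rather than to the deleted user, which looks intended and is worth a word in that comment. The enclosing function starts before this hunk.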
// Check privileges
- if (permUserRequired && !Cynara::getInstance().check(creds.label,
- Config::PRIVILEGE_POLICY_USER, uidStr, pidStr)) {
+ if (permUserRequired && !authenticate(creds, Config::PRIVILEGE_POLICY_USER)) {
LogError("Not enough privilege to enforce user policy");
return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
}
- if (permAdminRequired && !Cynara::getInstance().check(creds.label,
- Config::PRIVILEGE_POLICY_ADMIN, uidStr, pidStr)) {
+ if (permAdminRequired && !authenticate(creds, Config::PRIVILEGE_POLICY_ADMIN)) {
LogError("Not enough privilege to enforce admin policy");
return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
}
LogDebug("App: " << filter.appName << ", Label: " << appLabel);
if (forAdmin) {
- if (!Cynara::getInstance().check(creds.label, Config::PRIVILEGE_POLICY_ADMIN, uidStr, pidStr)) {
+ if (!authenticate(creds, Config::PRIVILEGE_POLICY_ADMIN)) {
LogError("Not enough privilege to access admin enforced policies");
return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
}
);
LogDebug("ADMIN - number of policies matched: " << listOfPolicies.size());
} else {
- if (!Cynara::getInstance().check(creds.label, Config::PRIVILEGE_POLICY_USER, uidStr, pidStr)) {
+ if (!authenticate(creds, Config::PRIVILEGE_POLICY_USER)) {
LogError("Not enough privilege to access user enforced policies");
return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
}
if (uidStr.compare(user)) {
- if (!Cynara::getInstance().check(creds.label, Config::PRIVILEGE_POLICY_ADMIN, uidStr, pidStr)) {
+ if (!authenticate(creds, Config::PRIVILEGE_POLICY_ADMIN)) {
LogWarning("Not enough privilege to access other user's personal policies. Limiting query to personal privileges.");
user = uidStr;
};
std::string uidStr = std::to_string(creds.uid);
std::string pidStr = std::to_string(creds.pid);
- if (!Cynara::getInstance().check(creds.label, Config::PRIVILEGE_POLICY_USER, uidStr, pidStr)) {
+ if (!authenticate(creds, Config::PRIVILEGE_POLICY_USER)) {
LogWarning("Not enough permission to call: " << __FUNCTION__);
return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
};
std::vector<uid_t> listOfUsers;
- if (Cynara::getInstance().check(creds.label, Config::PRIVILEGE_POLICY_ADMIN, uidStr, pidStr)) {
+ if (authenticate(creds, Config::PRIVILEGE_POLICY_ADMIN)) {
LogDebug("User is privileged");
if (filter.user.compare(SECURITY_MANAGER_ANY)) {
LogDebug("Limitting Cynara query to user: " << filter.user);
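Review bot: Once both Cynara calls in this function go through `authenticate()`, the local declared at `std::string pidStr = std::to_string(creds.pid);` has no remaining use within the visible lines; if nothing below the hunk reads it, this will produce an unused-variable warning (an error under -Werror), so the declaration should be removed. `uidStr` may still be used further down, so leave it unless the rest of the function shows otherwise. The same check applies to the `uidStr`/`pidStr` locals of the earlier hunks around `Not enough privilege to enforce user policy` and `Not enough privilege to access admin enforced policies`, whose declarations lie outside the visible lines. The enclosing function continues past the hunk.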
std::vector<std::string> pkgContents;
try {
- if (!Cynara::getInstance().check(creds.label, Config::PRIVILEGE_APPSHARING_ADMIN,
- std::to_string(creds.uid), std::to_string(creds.pid))) {
+ if (!authenticate(creds, Config::PRIVILEGE_APPSHARING_ADMIN)) {
LogError("Caller is not permitted to manage file sharing");
return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
}
{
int errorRet;
try {
- if (!Cynara::getInstance().check(creds.label, Config::PRIVILEGE_APPSHARING_ADMIN,
- std::to_string(creds.uid), std::to_string(creds.pid))) {
+ if (!authenticate(creds, Config::PRIVILEGE_APPSHARING_ADMIN)) {
LogError("Caller is not permitted to manage file sharing");
return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
}