namespace {
+static std::string getAppProcessLabel(const std::string &appName, const std::string &pkgName)
+{
+ bool isPkgHybrid = PrivilegeDb::getInstance().IsPackageHybrid(pkgName);
+ return SmackLabels::generateProcessLabel(appName, pkgName, isPkgHybrid);
+}
+
+static std::string getAppProcessLabel(const std::string &appName)
+{
+ std::string pkgName;
+ PrivilegeDb::getInstance().GetAppPkgName(appName, pkgName);
+ return getAppProcessLabel(appName, pkgName);
+}
+
static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, bool &forAdmin, CynaraAdminPolicy &cyap)
{
LogDebug("Authenticating and validating policy update request for user with id: " << uidStr);
cyap = std::move(CynaraAdminPolicy(
policyEntry.appName.compare(SECURITY_MANAGER_ANY) ?
- SmackLabels::generateProcessLabel(policyEntry.appName) : CYNARA_ADMIN_WILDCARD,
+ getAppProcessLabel(policyEntry.appName) : CYNARA_ADMIN_WILDCARD,
policyEntry.user,
policyEntry.privilege,
level,
pkgsLabels.resize(pkgs.size());
for (size_t i = 0; i < pkgs.size(); ++i) {
pkgsLabels[i].first = std::move(pkgs[i]);
+ bool isPkgHybrid = PrivilegeDb::getInstance().IsPackageHybrid(pkgsLabels[i].first);
PrivilegeDb::getInstance().GetPkgApps(pkgsLabels[i].first, pkgsLabels[i].second);
for (auto &appName : pkgsLabels[i].second) {
- std::string label = SmackLabels::generateProcessLabel(appName);
+ std::string label = SmackLabels::generateProcessLabel(appName, pkgsLabels[i].first,
+ isPkgHybrid);
appName = label;
}
}
{
std::vector<std::string> apps;
PrivilegeDb::getInstance().GetPkgApps(pkgName, apps);
+ bool isPkgHybrid = PrivilegeDb::getInstance().IsPackageHybrid(pkgName);
for (auto &app : apps) {
- auto appLabel = SmackLabels::generateProcessLabel(app);
+ auto appLabel = SmackLabels::generateProcessLabel(app, pkgName, isPkgHybrid);
app = appLabel;
}
pkgsLabels = std::move(apps);
return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
}
- appLabel = SmackLabels::generateProcessLabel(req.appName);
+ appLabel = SmackLabels::generateProcessLabel(req.appName, req.pkgName, req.isHybrid);
pkgLabel = SmackLabels::generatePathRWLabel(req.pkgName);
LogDebug("Generated install parameters: app label: " << appLabel <<
", pkg label: " << pkgLabel);
return SECURITY_MANAGER_SUCCESS;
}
- processLabel = SmackLabels::generateProcessLabel(req.appName);
+ processLabel = getAppProcessLabel(req.appName, req.pkgName);
LogDebug("Generated uninstall parameters: pkgName=" << req.pkgName
<< " Smack label=" << processLabel);
// Squash sharing - change counter to 1, so dropPrivatePathSharing will completely clean it
for (const auto &path : paths) {
PrivilegeDb::getInstance().SquashSharing(targetAppName, path);
- int ret = dropOnePrivateSharing(req.appName, req.pkgName, pkgLabels, targetAppName, path);
+ auto targetAppLabel = getAppProcessLabel(targetAppName);
+ int ret = dropOnePrivateSharing(req.appName, req.pkgName, pkgLabels,
+ targetAppName, targetAppLabel, path);
if (ret != SECURITY_MANAGER_SUCCESS) {
//Ignore error, we want to drop as much as we can
LogError("Couldn't drop sharing between " << req.appName << " and " << targetAppName);
getPkgLabels(ownerPkgName, ownerPkgLabels);
for (const auto &path : paths) {
PrivilegeDb::getInstance().SquashSharing(req.appName, path);
- int ret = dropOnePrivateSharing(ownerAppName, ownerPkgName, ownerPkgLabels, req.appName, path);
+ int ret = dropOnePrivateSharing(ownerAppName, ownerPkgName, ownerPkgLabels,
+ req.appName, processLabel, path);
if (ret != SECURITY_MANAGER_SUCCESS) {
//Ignore error, we want to drop as much as we can
LogError("Couldn't drop sharing between " << req.appName << " and " << ownerAppName);
{
try {
LogDebug("appName: " << appName);
- std::string smackLabel = SmackLabels::generateProcessLabel(appName);
- LogDebug("smack label: " << smackLabel);
+ std::string appProcessLabel = getAppProcessLabel(appName);
+ LogDebug("smack label: " << appProcessLabel);
std::vector<std::string> privileges;
std::string uidStr = std::to_string(creds.uid);
- CynaraAdmin::getInstance().GetAppPolicy(smackLabel, uidStr, privileges);
- CynaraAdmin::getInstance().GetAppPolicy(smackLabel, CYNARA_ADMIN_WILDCARD, privileges);
+ CynaraAdmin::getInstance().GetAppPolicy(appProcessLabel, uidStr, privileges);
+ CynaraAdmin::getInstance().GetAppPolicy(appProcessLabel, CYNARA_ADMIN_WILDCARD, privileges);
vectorRemoveDuplicates(privileges);
LogDebug("Considering privilege " << privilege << " with " <<
privGroups.size() << " groups assigned");
- if (Cynara::getInstance().check(smackLabel, privilege, uidStr, pidStr)) {
+ if (Cynara::getInstance().check(appProcessLabel, privilege, uidStr, pidStr)) {
groups.insert(groups.end(),
std::make_move_iterator(privGroups.begin()),
std::make_move_iterator(privGroups.end()));
std::vector<CynaraAdminPolicy> listOfPolicies;
//convert appName to smack label
- std::string appLabel = filter.appName.compare(SECURITY_MANAGER_ANY) ? SmackLabels::generateProcessLabel(filter.appName) : CYNARA_ADMIN_ANY;
+ std::string appProcessLabel = filter.appName.compare(SECURITY_MANAGER_ANY) ?
+ getAppProcessLabel(filter.appName) : CYNARA_ADMIN_ANY;
std::string user = filter.user.compare(SECURITY_MANAGER_ANY) ? filter.user : CYNARA_ADMIN_ANY;
std::string privilege = filter.privilege.compare(SECURITY_MANAGER_ANY) ? filter.privilege : CYNARA_ADMIN_ANY;
- LogDebug("App: " << filter.appName << ", Label: " << appLabel);
+ LogDebug("App: " << filter.appName << ", Label: " << appProcessLabel);
if (forAdmin) {
if (!authenticate(creds, Config::PRIVILEGE_POLICY_ADMIN)) {
//Fetch privileges from ADMIN bucket
CynaraAdmin::getInstance().ListPolicies(
CynaraAdmin::Buckets.at(Bucket::ADMIN),
- appLabel,
+ appProcessLabel,
user,
privilege,
listOfPolicies
//Fetch privileges from PRIVACY_MANAGER bucket
CynaraAdmin::getInstance().ListPolicies(
CynaraAdmin::Buckets.at(Bucket::PRIVACY_MANAGER),
- appLabel,
+ appProcessLabel,
user,
privilege,
listOfPolicies
for (const std::string &appName : listOfApps) {
LogDebug("App: " << appName);
- std::string smackLabelForApp = SmackLabels::generateProcessLabel(appName);
+ std::string appProcessLabel = getAppProcessLabel(appName);
std::vector<std::string> listOfPrivileges;
- CynaraAdmin::getInstance().GetAppPolicy(smackLabelForApp, userStr, listOfPrivileges);
- CynaraAdmin::getInstance().GetAppPolicy(smackLabelForApp, CYNARA_ADMIN_WILDCARD, listOfPrivileges);
+ CynaraAdmin::getInstance().GetAppPolicy(appProcessLabel, userStr, listOfPrivileges);
+ CynaraAdmin::getInstance().GetAppPolicy(appProcessLabel, CYNARA_ADMIN_WILDCARD, listOfPrivileges);
if (filter.privilege.compare(SECURITY_MANAGER_ANY)) {
LogDebug("Limitting Cynara query to privilege: " << filter.privilege);
pe.currentLevel = CynaraAdmin::getInstance().convertToPolicyDescription(
CynaraAdmin::getInstance().GetPrivilegeManagerCurrLevel(
- smackLabelForApp, userStr, privilege));
+ appProcessLabel, userStr, privilege));
pe.maxLevel = CynaraAdmin::getInstance().convertToPolicyDescription(
CynaraAdmin::getInstance().GetPrivilegeManagerMaxLevel(
- smackLabelForApp, userStr, privilege));
+ appProcessLabel, userStr, privilege));
LogDebug(
"[policy_entry] app: " << pe.appName
bool &result)
{
try {
- std::string appLabel = SmackLabels::generateProcessLabel(appName);
+ std::string appProcessLabel = getAppProcessLabel(appName);
std::string uidStr = std::to_string(uid);
- result = Cynara::getInstance().check(appLabel, privilege, uidStr, "");
+ result = Cynara::getInstance().check(appProcessLabel, privilege, uidStr, "");
LogDebug("result = " << result);
} catch (const CynaraException::Base &e) {
LogError("Error while querying Cynara for permissions: " << e.DumpToString());
const std::string &ownerPkgName,
const SmackRules::Labels &ownerPkgLabels,
const std::string &targetAppName,
+ const std::string &targetAppLabel,
const std::string &path)
{
int errorRet;
SmackLabels::setupPath(ownerPkgName, path, SECURITY_MANAGER_PATH_RW);
}
std::string pathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgName, path);
- std::string targetAppLabel = SmackLabels::generateProcessLabel(targetAppName);
SmackRules::dropPrivateSharingRules(ownerPkgName, ownerPkgLabels, targetAppLabel,
pathLabel, pathCount < 1, ownerTargetCount < 1);
return SECURITY_MANAGER_SUCCESS;
int sharingAdded = 0;
std::string ownerPkgName;
std::string targetPkgName;
+ std::string targetAppLabel;
SmackRules::Labels pkgsLabels;
try {
LogDebug("Owner and target belong to the same package");
return SECURITY_MANAGER_SUCCESS;
}
- auto targetAppLabel = SmackLabels::generateProcessLabel(targetAppName);
- ScopedTransaction trans;
+ targetAppLabel = getAppProcessLabel(targetAppName);
getPkgLabels(ownerPkgName, pkgsLabels);
+
+ ScopedTransaction trans;
for (const auto &path : paths) {
int targetPathCount, pathCount, ownerTargetCount;
PrivilegeDb::getInstance().GetTargetPathSharingCount(targetAppName, path, targetPathCount);
for (int i = 0; i < sharingAdded; i++) {
const std::string &path = paths[i];
- dropOnePrivateSharing(ownerAppName, ownerPkgName, pkgsLabels, targetAppName, path);
+ dropOnePrivateSharing(ownerAppName, ownerPkgName, pkgsLabels,
+ targetAppName, targetAppLabel, path);
}
return errorRet;
SmackRules::Labels pkgLabels;
getPkgLabels(ownerPkgName, pkgLabels);
+ auto targetAppLabel = getAppProcessLabel(targetAppName, targetPkgName);
+
ScopedTransaction trans;
for (const auto &path : paths) {
- int ret = dropOnePrivateSharing(ownerAppName, ownerPkgName, pkgLabels, targetAppName, path);
+ int ret = dropOnePrivateSharing(ownerAppName, ownerPkgName, pkgLabels,
+ targetAppName, targetAppLabel, path);
if (ret != SECURITY_MANAGER_SUCCESS) {
return ret;
}
int ServiceImpl::labelForProcess(const std::string &appName, std::string &label)
{
LogDebug("Requested label generation for process of application " << appName);
-
- label = SmackLabels::generateProcessLabel(appName);
+ label = getAppProcessLabel(appName);
return SECURITY_MANAGER_SUCCESS;
}
projects / platform / core / security / security-manager.git / commitdiff