libsystemd-daemon
libtbm
capi-appfw-app-manager
+ cynara-client
+ cynara-creds-socket
)
IF (LIVEBOX)
extern int service_common_send_packet_to_service(struct service_context *svc_ctx, struct tcb *tcb, struct packet *packet);
+extern int service_check_privilege_by_socket_fd(struct service_context *svc_ctx, int socket_fd, char *privilege);
+
/* End of a file */
BuildRequires: pkgconfig(shortcut)
BuildRequires: pkgconfig(security-server)
BuildRequires: pkgconfig(libsystemd-daemon)
+BuildRequires: pkgconfig(cynara-client)
+BuildRequires: pkgconfig(cynara-creds-socket)
+
Requires(post): sys-assert
Requires(post): dbus
};
/*!
- * FUNCTIONS to check smack permission
- */
-static int _is_valid_permission(int fd, struct badge_service *service)
-{
- if (service->rule != NULL && service->access != NULL) {
- /*
- int ret;
- ret = security_server_check_privilege_by_sockfd(fd, service->rule, service->access);
- if (ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED) {
- ErrPrint("SMACK:Access denied\n");
- return 0;
- }
- */
- }
-
- return 1;
-}
-
-static int _is_manager_permission(int fd)
-{
- /*
- int ret;
- ret = security_server_check_privilege_by_sockfd(fd,
- "data-provider-master::badge.manager", "w");
- if (ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED) {
- ErrPrint("SMACK:not a manager\n");
- return 0;
- }
- */
-
- return 1;
-}
-
-/*!
* FUNCTIONS to handle badge
*/
static inline char *get_string(char *string)
caller = get_string(caller);
if (pkgname != NULL && caller != NULL) {
- if (_is_manager_permission(tcb_fd(tcb)) == 1) {
+ if (service_check_privilege_by_socket_fd(tcb_svc_ctx(tcb), tcb_fd(tcb), "http://tizen.org/privilege/notification") == 1) {
ret = badge_db_delete(pkgname, pkgname);
} else {
ret = badge_db_delete(pkgname, caller);
}
#if ENABLE_BS_ACCESS_CONTROL
- if (_is_valid_permission(tcb_fd(tcb), &(service_req_table[i])) == 1) {
+ if (service_check_privilege_by_socket_fd(tcb_svc_ctx(tcb), tcb_fd(tcb), "http://tizen.org/privilege/notification") == 1) {
service_req_table[i].handler(tcb, packet, data);
} else {
_handler_access_control_error(tcb, packet);
}
#else
- _is_valid_permission(tcb_fd(tcb), &(service_req_table[i]));
+ service_check_privilege_by_socket_fd(tcb_svc_ctx(tcb), tcb_fd(tcb), "http://tizen.org/privilege/notification");
service_req_table[i].handler(tcb, packet, data);
#endif
break;
}
}
-static int _persmission_check(int fd, struct noti_service *service)
-{
- if (service->rule != NULL && service->access != NULL) {
- /*
- ret = security_server_check_privilege_by_sockfd(fd, service->rule, service->access);
- if (ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED) {
- ErrPrint("SMACK:Access denied\n");
- return 0;
- }
- */
- }
-
- return 1;
-}
-
/*!
* NOTIFICATION SERVICE INITIALIZATION
*/
continue;
}
- if (_persmission_check(tcb_fd(tcb), &(service_req_table[i])) == 1) {
+ if (service_check_privilege_by_socket_fd(tcb_svc_ctx(tcb), tcb_fd(tcb), "http://tizen.org/privilege/notification") == 1) {
service_req_table[i].handler(tcb, packet, data);
} else {
if (service_req_table[i].handler_access_error != NULL) {
#include <dlog.h>
#include <Eina.h>
+#include <cynara-client.h>
+#include <cynara-creds-socket.h>
+
#include <com-core.h>
#if defined(HAVE_LIVEBOX)
#include <widget_errno.h>
Eina_List *tcb_destroy_cb_list;
int processing_service_handler;
+
+ cynara *cynara_handle;
};
struct packet_info {
pid_t pid; /*!< Keep the PID of client, if the client is remote one, this will be -1 */
};
+static void _initialize_privilege_checker(struct service_context *svc_ctx)
+{
+ int ret;
+
+ /* Cynara structure init */
+ ret = cynara_initialize(&(svc_ctx->cynara_handle), NULL);
+ if (ret != CYNARA_API_SUCCESS) {
+ ErrPrint("cynara_initialize failed[%d]\n", ret);
+ }
+}
+
+static void _finish_privilege_checker(struct service_context *svc_ctx)
+{
+ int ret;
+
+ ret = cynara_finish(svc_ctx->cynara_handle);
+ if (ret != CYNARA_API_SUCCESS) {
+ ErrPrint("cynara_initialize failed[%d]\n", ret);
+ }
+}
+
HAPI int service_common_send_packet_to_service(struct service_context *svc_ctx, struct tcb *tcb, struct packet *packet)
{
int ret = 0;
return NULL;
}
+ _initialize_privilege_checker(svc_ctx);
+
status = pthread_mutex_init(&svc_ctx->packet_list_lock, NULL);
if (status != 0) {
ErrPrint("Unable to create a mutex: %d\n", status);
DbgPrint("Thread returns: %p\n", ret);
}
+ _finish_privilege_checker(svc_ctx);
+
secure_socket_destroy_handle(svc_ctx->fd);
status = pthread_mutex_destroy(&svc_ctx->packet_list_lock);
return ctx->fd;
}
+
+HAPI int service_check_privilege_by_socket_fd(struct service_context *svc_ctx, int socket_fd, char *privilege)
+{
+ int ret = 0;
+ int result = 0;
+ char *uid = NULL;
+ char *client_smack = NULL;
+
+ if (privilege != NULL) {
+
+ ret = cynara_creds_socket_get_client(socket_fd, CLIENT_METHOD_SMACK, &client_smack);
+
+ if (ret != CYNARA_API_SUCCESS) {
+ ErrPrint("cynara_creds_socket_get_client failed [%d]", ret);
+ goto out;
+ }
+
+ ret = cynara_creds_socket_get_user(socket_fd, USER_METHOD_UID, &uid);
+
+ if (ret != CYNARA_API_SUCCESS) {
+ ErrPrint("cynara_creds_socket_get_user failed [%d]", ret);
+ goto out;
+ }
+
+ ret = cynara_check(svc_ctx->cynara_handle, client_smack, "", uid, privilege);
+
+ if (ret == CYNARA_API_ACCESS_ALLOWED) {
+ DbgPrint("[%s] Access allowed.", privilege);
+ result = 1;
+ }
+ else {
+ DbgPrint("[%s] Access denied.[%d]", privilege, ret);
+ result = 0;
+ }
+
+ }
+
+out:
+ if (client_smack) {
+ free(client_smack);
+ }
+
+ if (uid) {
+ free(uid);
+ }
+
+ return result;
+}
+
/* End of a file */
return tcb;
}
-#if defined(HAVE_SECURITY_SERVER)
static void send_reply_packet(struct tcb *tcb, struct packet *packet, int ret)
{
struct packet *reply_packet;
packet_destroy(reply_packet);
}
-#endif
/*!
* SERVICE THREAD
/* Need to send reply packet */
DbgPrint("%p REQ: Command: [%s]\n", tcb, command);
if (!strcmp(command, "add_shortcut_widget") || !strcmp(command, "rm_shortcut_widget")) {
-#if defined(HAVE_SECURITY_SERVER)
int ret;
- ret = security_server_check_privilege_by_sockfd(tcb_fd(tcb), "data-provider-master::shortcut.widget", "w");
- if (ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED) {
+ ret = service_check_privilege_by_socket_fd(tcb_svc_ctx(tcb), tcb_fd(tcb), "http://tizen.org/privilege/shortcut");
+ if (ret == 0) {
ErrPrint("SMACK:Access denied\n");
send_reply_packet(tcb, packet, SHORTCUT_ERROR_PERMISSION_DENIED);
break;
}
-#endif
+
} else if (!strcmp(command, "add_shortcut") || !strcmp(command, "rm_shortcut")) {
-#if defined(HAVE_SECURITY_SERVER)
int ret;
- ret = security_server_check_privilege_by_sockfd(tcb_fd(tcb), "data-provider-master::shortcut.shortcut", "w");
- if (ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED) {
+ ret = service_check_privilege_by_socket_fd(tcb_svc_ctx(tcb), tcb_fd(tcb), "http://tizen.org/privilege/shortcut");
+ if (ret == 0) {
ErrPrint("SMACK:Access denied\n");
send_reply_packet(tcb, packet, SHORTCUT_ERROR_PERMISSION_DENIED);
break;
}
-#endif
}
if (service_common_multicast_packet(tcb, packet, TCB_CLIENT_TYPE_SERVICE) < 0) {