Don't set policy for privileges not in application manifest

Policy is checked/set for those privacy privileges,
which had any policy in privacy bucket for given user
and application.

Change-Id: Ica8bf4a9b753418ab5517194e047b83343903686

diff --git a/src/client/impl/ApiInterfaceImpl.cpp b/src/client/impl/ApiInterfaceImpl.cpp
index 4ee3f27..4dc2094 100644 (file)
--- a/src/client/impl/ApiInterfaceImpl.cpp
+++ b/src/client/impl/ApiInterfaceImpl.cpp
@@ -98,7 +98,7 @@ askuser_check_result ApiInterfaceImpl::checkPrivilege(const std::string &privile
 {
     std::string appId = getOwnAppId();
 
-    auto policyLevel = getPrivilegePolicy(appId, privilege);
+    auto policyLevel = getPrivilegeMappedPolicy(appId, privilege);
 
     if (policyLevel == "Allow") {
         return ASKUSER_CHECK_RESULT_ALLOW;

diff --git a/src/common/policy/Policy.cpp b/src/common/policy/Policy.cpp
index feb4867..a393f0b 100644 (file)
--- a/src/common/policy/Policy.cpp
+++ b/src/common/policy/Policy.cpp
@@ -90,30 +90,40 @@ Policy calculatePolicyForPrivacy(const std::string &appId, const Privacy &privac
     auto privileges = PrivilegeInfo::getPrivacyPrivileges(privacy);
     for (const auto &privilege : privileges) {
         ALOGD("Calculating policy for privilege " << privilege);
-        PolicyEntry filter;
-        filter.setApp(appId);
-        filter.setUser(std::to_string(geteuid()));
-        filter.setPrivilege(privilege);
-
-        PolicyFetchRequest fetch(std::move(filter));
-        auto policies = fetch.fetchPolicy();
-        if (policies.size() == 0) {
-            ALOGD("No policy for given privilege " << privilege);
-            continue;
-        }
-        if (policies.size() > 1) {
-            ALOGW("Something went wrong, there should be no more than one policy for specific filter");
-            // FIXME : don't really know what to do with it. Lets ignore it for now.
+
+        std::string policyLevel = getPrivilegePolicy(appId, privilege);
+
+        if (policyLevel.empty()) {
+            ALOGE("Couldn't get policy level, skipping");
             continue;
         }
-        std::string policyLevel = policies[0].getLevel();
-        ALOGD("Fetched policy level : " << policyLevel);
 
+        ALOGD("Fetched policy level : " << policyLevel);
         privsPolicies.push_back(std::move(policyLevel));
     }
     return getMinimumPolicy(privsPolicies);
 }
 
+Policy getPrivilegePolicy(const std::string &appId, const Privilege &privilege) {
+    PolicyEntry filter;
+    filter.setApp(appId);
+    filter.setUser(std::to_string(geteuid()));
+    filter.setPrivilege(privilege);
+
+    PolicyFetchRequest fetch(std::move(filter));
+    auto policies = fetch.fetchPolicy();
+    if (policies.size() == 0) {
+        ALOGD("No policy for given privilege " << privilege);
+        return "";
+    }
+    if (policies.size() > 1) {
+        ALOGW("Something went wrong, there should be no more than one policy for specific filter");
+        // FIXME : don't really know what to do with it. Lets ignore it for now.
+        return "";
+    }
+    return policies[0].getLevel();
+}
+
 Policy getPrivaciesPolicy(const std::string &appId, const std::vector<Privacy> &privacies) {
     std::vector<Policy> policies;
     for (auto &privacy : privacies) {
@@ -144,7 +154,7 @@ void identifyApp(const std::string &client, std::string &appId, std::string &pkg
     pkgLabel = pkgInfo.pkgLabel();
 }
 
-Policy getPrivilegePolicy(const std::string &appId, const std::string &privilege) {
+Policy getPrivilegeMappedPolicy(const std::string &appId, const std::string &privilege) {
     std::vector<Privacy> privacies = PrivilegeInfo::getPrivilegePrivaciesMapping(appId, privilege);
     if (privacies.empty()) {
         ALOGE("Privilege doesn't map to any privacy");

diff --git a/src/common/policy/Policy.h b/src/common/policy/Policy.h
index b742a7e..300fa52 100644 (file)
--- a/src/common/policy/Policy.h
+++ b/src/common/policy/Policy.h
@@ -36,9 +36,11 @@ void identifyApp(const std::string &client, std::string &appId, std::string &pkg
 
 Policy calculatePolicyForPrivacy(const std::string &appId, const Privacy &privacy);
 Policy getMinimumPolicy(const std::vector<Policy> &policies);
-Policy getPrivilegePolicy(const std::string &appId, const Privilege &privilege);
+Policy getPrivilegeMappedPolicy(const std::string &appId, const Privilege &privilege);
 Policy getPrivaciesPolicy(const std::string &appId, const std::vector<Privacy> &privacies);
 
+Policy getPrivilegePolicy(const std::string &appId, const Privilege &corePrivilege);
+
 
 class PolicyEntry {
 public:

diff --git a/src/notification-daemon/PolicyUpdater.cpp b/src/notification-daemon/PolicyUpdater.cpp
index a4064e2..fdf2e15 100644 (file)
--- a/src/notification-daemon/PolicyUpdater.cpp
+++ b/src/notification-daemon/PolicyUpdater.cpp
@@ -50,6 +50,11 @@ bool PolicyUpdater::update(const std::string &appId,
         }
 
         for (auto &priv : privacyPrivs) {
+            std::string currentPolicy = getPrivilegePolicy(appId, priv);
+            if (currentPolicy.empty()) {
+                ALOGD("Application didn't request privilege " << priv << ", skipping");
+                continue;
+            }
             ALOGD("Adding policy entries for : app: " << appId << ", priv: "
                   << priv  << ", user:" << user << ", level: "
                   << level);