Since tizen 3.0, cynara has been used instead of security-server and smack.
Change-Id: Ifab2af45c8b7def4f7cf85b73e459e59ca3fe52a
ADD_DEFINITIONS(-DLOCALE_DIR=\"${LOCALE_DIR}\")
ENDIF(DEFINED LOCALE_DIR)
-IF(DEFINED SUPPORT_SECURITY_PRIVILEGE)
- MESSAGE("SUPPORT_SECURITY_PRIVILEGE: ${SUPPORT_SECURITY_PRIVILEGE}")
- IF(SUPPORT_SECURITY_PRIVILEGE)
- ADD_DEFINITIONS(-DSUPPORT_SECURITY_PRIVILEGE)
- ENDIF(SUPPORT_SECURITY_PRIVILEGE)
-ENDIF(DEFINED SUPPORT_SECURITY_PRIVILEGE)
-
IF(DEFINED SUPPORT_COMPANION_MODE)
MESSAGE("SUPPORT_COMPANION_MODE: ${SUPPORT_COMPANION_MODE}")
IF(SUPPORT_COMPANION_MODE)
BuildRequires: pkgconfig(appsvc)
BuildRequires: pkgconfig(libcurl)
BuildRequires: pkgconfig(capi-content-mime-type)
-BuildRequires: pkgconfig(libsmack)
BuildRequires: gettext-devel
BuildRequires: pkgconfig(libsystemd-daemon)
BuildRequires: pkgconfig(capi-network-wifi-direct)
-DSUPPORT_NOTIFICATION:BOOL=ON \
-DSUPPORT_LOG_MESSAGE:BOOL=ON \
-DSUPPORT_OMA_DRM:BOOL=OFF \
- -DSUPPORT_SECURITY_PRIVILEGE:BOOL=OFF \
-DSUPPORT_COMPANION_MODE:BOOL=OFF \
-DTIZEN_2_3_UX:BOOL=ON \
-DCMAKE_LOG_DUMP_SCRIPT_DIR=%{_logdump_script_dir} \
capi-content-mime-type
appsvc
bundle
- libsmack
dlog
libsystemd-daemon
vconf
MESSAGE("WIFI direct:Off")
ENDIF(SUPPORT_WIFI_DIRECT)
-IF(SUPPORT_SECURITY_PRIVILEGE)
-pkg_check_modules(dp2_security_privilege_pkgs REQUIRED security-server)
-SET(EXTRA_CFLAGS "${EXTRA_CFLAGS} ${dp2_security_privilege_pkgs_CFLAGS}")
-ENDIF(SUPPORT_SECURITY_PRIVILEGE)
-
IF(SUPPORT_NOTIFICATION)
MESSAGE("Notification:On")
pkg_check_modules(dp2_noti_pkgs REQUIRED
#include <systemd/sd-daemon.h>
#include <glib-object.h>
-#include <cynara-client.h>
-#include <cynara-client-async.h>
-#include <cynara-creds-socket.h>
-#include <cynara-creds-dbus.h>
-
#include <download-provider.h>
#include <download-provider-log.h>
#include <download-provider-config.h>
}
-char *dp_db_get_client_smack_label(const char *pkgname)
-{
- char *smack_label = NULL;
- unsigned length = 0;
- int errorcode = DP_ERROR_NONE;
-
- CLIENT_MUTEX_LOCK(&g_db_mutex);
- if (dp_db_get_client_property_string(g_db_handle, pkgname, DP_DB_COL_SMACK_LABEL, (unsigned char **)&smack_label, &length, &errorcode) < 0)
- TRACE_SECURE_ERROR("failed to get smack label for %s", pkgname);
- CLIENT_MUTEX_UNLOCK(&g_db_mutex);
-
- return smack_label;
-}
-
static int __dp_db_open_client_manager()
{
int errorcode = DP_ERROR_NONE;
TRACE_ERROR("failed to open fifo slot:%d", clientfd);
errorcode = DP_ERROR_IO_ERROR;
} else {
- char *smack_label = NULL;
- if (dp_smack_is_mounted() == 1) {
- smack_label = dp_smack_get_label_from_socket(clientfd);
- if (smack_label == NULL)
- TRACE_SECURE_ERROR("smack_new_label_from_socket");
- }
// save client info to database
CLIENT_MUTEX_LOCK(&g_db_mutex);
- if (dp_db_update_client_info(g_db_handle,
- slot->pkgname, smack_label,
- credential.uid, credential.gid, &errorcode) < 0) {
+ if (dp_db_update_client_info(g_db_handle, slot->pkgname,
+ credential.uid, credential.gid, &errorcode) < 0) {
TRACE_ERROR("check error:%s", dp_print_errorcode(errorcode));
}
CLIENT_MUTEX_UNLOCK(&g_db_mutex);
- free(smack_label);
}
if (errorcode == DP_ERROR_NONE) {
return errorcode;
}
-
static int __dp_client_new(int clientfd, dp_client_slots_fmt *clients,
dp_credential credential)
{
TRACE_ERROR("[CRITICAL] aul_app_get_appid_bypid_for_uid");
pkgname = strdup(buffer);
- /*
- //// TEST CODE ... to allow sample client ( no package name ).
- if (pkgname == NULL) {
- //pkgname = dp_strdup("unknown_app");
- char *temp_pkgname = (char *)calloc(41, sizeof(char));
- if (temp_pkgname == NULL ||
- snprintf(temp_pkgname, 41,"unknown_app_%d", credential.pid) < 0) {
- pkgname = dp_strdup("unknown_app");
- } else {
- pkgname = temp_pkgname;
- }
- }
-
- if (pkgname == NULL) {
- TRACE_ERROR("[CRITICAL] app_manager_get_app_id");
- return DP_ERROR_INVALID_PARAMETER;
- }
- */
if ((pkg_len = strlen(pkgname)) <= 0) {
TRACE_ERROR("[CRITICAL] pkgname:%s", pkgname);
free(pkgname);
return DP_ERROR_INVALID_PARAMETER;
}
-#ifdef SUPPORT_SECURITY_PRIVILEGE_OLD
- TRACE_DEBUG("SUPPORT_SECURITY_PRIVILEGE_OLD");
- int result = security_server_check_privilege_by_sockfd(clientfd, SECURITY_PRIVILEGE_INTERNET, "w");
- if (result != SECURITY_SERVER_API_SUCCESS) {
- TRACE_ERROR("check privilege permission:%d", result);
- return DP_ERROR_PERMISSION_DENIED;
- }
-#endif
-
-#if 1
- TRACE_DEBUG("SUPPORT_SECURITY_PRIVILEGE");
- // Cynara structure init
- int ret;
- cynara *p_cynara = NULL;
- cynara_configuration *p_conf = NULL;
- size_t cache_size = 100;
-
- if (CYNARA_API_SUCCESS != cynara_configuration_create(&p_conf)) { /* error */}
- if (CYNARA_API_SUCCESS != cynara_configuration_set_cache_size(p_conf, cache_size)) { /* error */ }
-
- ret = cynara_initialize(&p_cynara, NULL);
- if (ret != CYNARA_API_SUCCESS) { /* error */ }
- cynara_configuration_destroy(p_conf);
-
- // Get client peer credential
- char *clientSmack;
- ret = cynara_creds_socket_get_client(clientfd, CLIENT_METHOD_SMACK, &clientSmack);
- // In case of D-bus peer credential??
- // ret = cynara_creds_dbus_get_client(DBusConnection *connection, const char *uniqueName,CLIENT_METHOD_SMACK, &clientSmack);
- if (ret != CYNARA_API_SUCCESS) { /* error */ }
-
- char *uid;
- ret = cynara_creds_socket_get_user(clientfd, USER_METHOD_UID, &uid);
- // In case of D-bus peer credential??
- // ret = cynara_creds_dbus_get_client(DBusConnection *connection, const char *uniqueName,CLIENT_METHOD_SMACK, &clientSmack);
- if (ret != CYNARA_API_SUCCESS) { /* error */ }
-
- /* Concept of session is service-specific.
- * Might be empty string if service does not have such concept
- */
- char *client_session = "";
-
- // Cynara check
-
- ret = cynara_check(p_cynara, clientSmack, client_session, uid, "http://tizen.org/privilege/download");
-
- if (ret == CYNARA_API_ACCESS_ALLOWED) {
- TRACE_DEBUG("CYNARA_API_ACCESS_ALLOWED");
- } else {
- TRACE_DEBUG("DP_ERROR_PERMISSION_DENIED");
+ errorcode = dp_check_permission(clientfd, pkgname);
+ if (errorcode != DP_ERROR_NONE) {
+ TRACE_ERROR("permission denied");
free(pkgname);
- return DP_ERROR_PERMISSION_DENIED;
+ return errorcode;
}
- // Cleanup of cynara structure
- /*
- if(clientSmack) {
- free(clientSmack);
- }
-
- if(client_session) {
- free(client_session);
- }
-
- if(uid) {
- free(uid);
- }
- */
- cynara_finish(p_cynara);
-
-#endif
-
// EINVAL: empty slot
// EBUSY : occupied slot
// locked & thread == 0 : downloading without client <= check target
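Review bot: `pkgname = strdup(buffer);` is followed directly by `strlen(pkgname)` with no NULL check, and the new `dp_check_permission(clientfd, pkgname)` call receives the same pointer; the block this hunk deletes was the only place, commented out, that handled a NULL package name. Add a guard right after the strdup, for example `if (pkgname == NULL) { TRACE_ERROR("[CRITICAL] strdup"); return DP_ERROR_INVALID_PARAMETER; }`. The denial log would also be more useful for auditing with the identity attached, e.g. `TRACE_SECURE_ERROR("permission denied:%s", pkgname);`. __dp_client_new starts and ends outside the hunk, so the declaration of `errorcode` is assumed to exist above.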
if (recv_str == NULL) {
errorcode = DP_ERROR_INVALID_PARAMETER;
} else {
- if (dp_smack_is_mounted() == 1) {
- // check here destination is available. with checking smack
- char *smack_label = dp_db_get_client_smack_label(slot->pkgname);
- if (smack_label == NULL) {
- TRACE_SECURE_ERROR("[SMACK][%d] no label", ipc_info->id);
- errorcode = DP_ERROR_PERMISSION_DENIED;
- } else if (dp_is_valid_dir(recv_str) != 0) {
- errorcode = DP_ERROR_INVALID_DESTINATION;
- } else if (dp_smack_is_valid_dir(slot->credential.uid, slot->credential.gid, smack_label, recv_str) != 0) {
- errorcode = DP_ERROR_PERMISSION_DENIED;
- }
- free(smack_label);
- }
+ // check here destination is available
+ if (dp_is_valid_dir(recv_str) != 0)
+ errorcode = DP_ERROR_INVALID_DESTINATION;
+
if (errorcode == DP_ERROR_NONE &&
- dp_db_replace_property(client->dbhandle, ipc_info->id, DP_TABLE_REQUEST, DP_DB_COL_DESTINATION, (void *)recv_str, ipc_info->size, 2, &errorcode) < 0) {
- TRACE_ERROR("failed to set %s", dp_print_property(ipc_info->property));
- errorcode = DP_ERROR_DISK_BUSY;
- }
- free(recv_str);
+ dp_db_replace_property(client->dbhandle, ipc_info->id, DP_TABLE_REQUEST, DP_DB_COL_DESTINATION, (void *)recv_str, ipc_info->size, 2, &errorcode) < 0) {
+ TRACE_ERROR("failed to set %s", dp_print_property(ipc_info->property));
+ errorcode = DP_ERROR_DISK_BUSY;
}
+ free(recv_str);
}
- break;
+ }
+ break;
}
case DP_PROP_TEMP_SAVED_PATH:
{
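Review bot: The destination check now only asks `dp_is_valid_dir(recv_str)`, so nothing in this hunk ties the requested directory to the client that asked for it; the removed branch compared the directory's owner, group and mode with `slot->credential` and the client's label before accepting the path. Unless dp_is_valid_dir (body not shown here) or the later file-creation path performs an equivalent check, the provider would write downloads with its own privileges into any existing directory a client names, which is a confused-deputy gap. Keeping at least the uid/gid writability test, as sketched below, restores the DAC half of the old check; the label half would need whatever path-access query the new policy stack offers. The re-indented closing brace and `break;` at the end of the hunk are worth a second look to confirm the case body still closes where intended. The enclosing switch case starts outside the hunk.

```c
		// check here destination is available and writable by the requesting client
		if (dp_is_valid_dir(recv_str) != 0) {
			errorcode = DP_ERROR_INVALID_DESTINATION;
		} else {
			struct stat dstate;
			const mode_t u_rw = S_IRUSR | S_IWUSR;
			const mode_t g_rw = S_IRGRP | S_IWGRP;
			const mode_t o_rw = S_IROTH | S_IWOTH;
			if (stat(recv_str, &dstate) != 0 ||
					!((dstate.st_uid == (uid_t)slot->credential.uid && (dstate.st_mode & u_rw) == u_rw) ||
					(dstate.st_gid == (gid_t)slot->credential.gid && (dstate.st_mode & g_rw) == g_rw) ||
					(dstate.st_mode & o_rw) == o_rw))
				errorcode = DP_ERROR_PERMISSION_DENIED;
		}
		// … unchanged: dp_db_replace_property call and free(recv_str) …
```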
return count;
}
-int dp_db_update_client_info(void *handle, const char *pkgname, const char *smack, const int uid, const int gid, int *error)
+int dp_db_update_client_info(void *handle, const char *pkgname, const int uid, const int gid, int *error)
{
*error = DP_ERROR_INVALID_PARAMETER;
DP_DB_PARAM_NULL_CHECK;
if (is_update == 0)
query = sqlite3_mprintf(
- "INSERT INTO %s (%s, %s, %s, %s, %s, %s, %s) VALUES (?, ?, %d, %d, 0, DATETIME('NOW'), DATETIME('NOW'))",
- DP_TABLE_CLIENTS, DP_DB_COL_SMACK_LABEL, DP_DB_COL_PACKAGE, DP_DB_COL_UID,
- DP_DB_COL_GID, DP_DB_COL_REQUEST_COUNT,
+ "INSERT INTO %s (%s, %s, %s, %s, %s, %s) VALUES (?, %d, %d, 0, DATETIME('NOW'), DATETIME('NOW'))",
+ DP_TABLE_CLIENTS, DP_DB_COL_PACKAGE, DP_DB_COL_UID, DP_DB_COL_GID, DP_DB_COL_REQUEST_COUNT,
DP_DB_COL_CREATE_TIME, DP_DB_COL_ACCESS_TIME, uid, gid);
else
- query = sqlite3_mprintf("UPDATE %s SET %s = ?, %s = %d, %s = %d, %s = DATETIME('NOW') WHERE %s IS ?",
- DP_TABLE_CLIENTS, DP_DB_COL_SMACK_LABEL, DP_DB_COL_UID,
- uid, DP_DB_COL_GID, gid, DP_DB_COL_ACCESS_TIME, DP_DB_COL_PACKAGE);
+ query = sqlite3_mprintf("UPDATE %s SET %s = %d, %s = %d, %s = DATETIME('NOW') WHERE %s IS ?",
+ DP_TABLE_CLIENTS, DP_DB_COL_UID, uid, DP_DB_COL_GID, gid, DP_DB_COL_ACCESS_TIME, DP_DB_COL_PACKAGE);
DP_DB_BUFFER_NULL_CHECK(query);
- //TRACE_DEBUG("debug query:%s", query);
+ TRACE_DEBUG("debug query:%s", query);
errorcode = sqlite3_prepare_v2(handle, query, -1, &stmt, NULL);
sqlite3_free(query);
DP_DB_BASIC_EXCEPTION_CHECK;
- if (smack != NULL) {
- errorcode = sqlite3_bind_text(stmt, 1, smack, -1, SQLITE_STATIC);
- DP_DB_BASIC_EXCEPTION_CHECK;
- }
- errorcode = sqlite3_bind_text(stmt, 2, pkgname, -1, SQLITE_STATIC);
+ errorcode = sqlite3_bind_text(stmt, 1, pkgname, -1, SQLITE_STATIC);
DP_DB_BASIC_EXCEPTION_CHECK;
*error = DP_ERROR_NONE;
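Review bot: The re-enabled `TRACE_DEBUG("debug query:%s", query);` writes the full SQL text, including the client's uid and gid, to the log on every client registration, and it reads like leftover debugging rather than part of the smack_label removal. The package name is still bound as a parameter, so it does not reach the log, but the line adds noise and identity data for no diagnostic gain. I would keep it commented out as before, `//TRACE_DEBUG("debug query:%s", query);`, or drop it. The function body continues outside the hunk.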
#include <sys/stat.h>
#include <unistd.h>
-#include <sys/smack.h>
-
#include <download-provider.h>
#include <download-provider-log.h>
#include <download-provider-utils.h>
-#define SMACKFS_MAGIC 0x43415d53
-#define SMACKFS_MNT "/smack"
-
-static int __dp_smack_is_transmute(char *path)
-{
- char *dir_label = NULL;
- int ret = -1;
- if (smack_getlabel(path, &dir_label, SMACK_LABEL_TRANSMUTE) == 0 && dir_label != NULL) {
- if (strncmp(dir_label, "TRUE", strlen(dir_label)) == 0)
- ret = 0;
- }
+#include <cynara-client.h>
+#include <cynara-client-async.h>
+#include <cynara-creds-socket.h>
+#include <cynara-creds-dbus.h>
- if (smack_getlabel(path, &dir_label, SMACK_LABEL_ACCESS) == 0 && dir_label != NULL) {
- if (strncmp(dir_label, "*", strlen(dir_label)) == 0)
- ret = 0;
- }
-
- free(dir_label);
- return ret;
-}
-
-int dp_smack_is_mounted()
-{
- struct statfs sfs;
- int ret;
- do {
- ret = statfs(SMACKFS_MNT, &sfs);
- } while (ret < 0 && errno == EINTR);
- if (ret) {
- TRACE_ERROR("[SMACK ERROR]");
- return -1;
- }
- if (sfs.f_type == SMACKFS_MAGIC)
- return 1;
- TRACE_ERROR("[SMACK DISABLE]");
- return 0;
-}
-
-int dp_smack_set_label(char *label, char *source, char *target)
-{
- if (label == NULL || source == NULL || target == NULL)
- return DP_ERROR_PERMISSION_DENIED;
-
- int is_setted_dir_label = 0;
- int errorcode = DP_ERROR_NONE;
-
- if (__dp_smack_is_transmute(source) < 0) {
- TRACE_SECURE_ERROR("[SMACK] no transmute:%s", source);
- } else {
- char *dir_label = NULL;
- if (smack_getlabel(source, &dir_label, SMACK_LABEL_ACCESS) == 0) {
- if (smack_have_access(label, dir_label, "t") > 0) {
- if (smack_setlabel(target, dir_label, SMACK_LABEL_ACCESS) != 0) {
- TRACE_SECURE_ERROR("[SMACK ERROR] label:%s", dir_label);
- errorcode = DP_ERROR_PERMISSION_DENIED;
- } else {
- is_setted_dir_label = 1;
- }
- } else {
- TRACE_SECURE_ERROR("[SMACK ERROR] access:%s/%s", label, dir_label);
- errorcode = DP_ERROR_PERMISSION_DENIED;
- }
- } else {
- TRACE_SECURE_ERROR("[SMACK ERROR] no label:%s", source);
- errorcode = DP_ERROR_PERMISSION_DENIED;
- }
- free(dir_label);
- }
- if (is_setted_dir_label == 0 &&
- smack_setlabel(target, label, SMACK_LABEL_ACCESS) != 0) {
- TRACE_SECURE_ERROR("[SMACK ERROR] label:%s", label);
- errorcode = DP_ERROR_PERMISSION_DENIED;
- // remove file.
- if (dp_is_file_exist(target) == 0)
- unlink(target);
- }
- return errorcode;
-}
-
-char *dp_smack_get_label_from_socket(int sock)
-{
- char *label = NULL;
- if (smack_new_label_from_socket(sock, &label) != 0) {
- free(label);
- return NULL;
- }
- return label;
-}
-
-int dp_smack_is_valid_dir(int uid, int gid, char *smack_label, char *dir)
-{
- if (smack_label == NULL || dir == NULL) {
- TRACE_ERROR("check parameter %s/%s", smack_label, dir);
- return -1;
- }
- int ret = -1;
- struct stat dstate;
- if (stat(dir, &dstate) == 0) {
- if ((dstate.st_uid == uid && (dstate.st_mode & (S_IRUSR | S_IWUSR)) == (S_IRUSR | S_IWUSR)) ||
- (dstate.st_gid == gid && (dstate.st_mode & (S_IRGRP | S_IWGRP)) == (S_IRGRP | S_IWGRP)) ||
- ((dstate.st_mode & (S_IROTH | S_IWOTH)) == (S_IROTH | S_IWOTH))) {
- char *dir_label = NULL;
- if (smack_getlabel(dir, &dir_label, SMACK_LABEL_ACCESS) == 0 &&
- smack_have_access(smack_label, dir_label, "rw") > 0) {
- ret = 0;
- }
- free(dir_label);
- }
- }
- return ret;
-}
+#include "download-provider-smack.h"
int dp_is_valid_dir(const char *dirpath)
{
void dp_rebuild_dir(const char *dirpath, mode_t mode)
{
if (dp_is_valid_dir(dirpath) < 0) {
- if (mkdir(dirpath, mode) == 0) {
+ if (mkdir(dirpath, mode) == 0)
TRACE_INFO("check directory:%s", dirpath);
- if (smack_setlabel(dirpath, "_", SMACK_LABEL_ACCESS) != 0)
- TRACE_SECURE_ERROR("failed to set smack label:%s", dirpath);
- } else {
+ else
TRACE_ERROR("failed to create directory:%s", dirpath);
- }
}
}
+
+int dp_check_permission(int clientfd, const char *pkgname)
+{
+ int ret;
+ int result = DP_ERROR_NONE;
+ cynara *p_cynara = NULL;
+ cynara_configuration *p_conf = NULL;
+ size_t cache_size = 100;
+ const char *client_session = "";
+ char *client_smack = NULL;
+ char *uid = NULL;
+
+ TRACE_DEBUG("clientfd[%d] pkgname[%s]", clientfd, pkgname);
+ if (CYNARA_API_SUCCESS != cynara_configuration_create(&p_conf)) {
+ TRACE_DEBUG("failed to create cynara configuration");
+ result = DP_ERROR_PERMISSION_DENIED;
+ goto DONE;
+ }
+
+ if (CYNARA_API_SUCCESS != cynara_configuration_set_cache_size(p_conf, cache_size)) {
+ TRACE_DEBUG("failed to set cache size");
+ result = DP_ERROR_PERMISSION_DENIED;
+ goto DONE;
+ }
+
+ ret = cynara_initialize(&p_cynara, NULL);
+ if (ret != CYNARA_API_SUCCESS) {
+ TRACE_DEBUG("failed to initialize cynara");
+ result = DP_ERROR_PERMISSION_DENIED;
+ goto DONE;
+ }
+
+ // Get client peer credential
+ ret = cynara_creds_socket_get_client(clientfd, CLIENT_METHOD_SMACK, &client_smack);
+ if (ret != CYNARA_API_SUCCESS) {
+ TRACE_DEBUG("failed to createsa client identification string");
+ result = DP_ERROR_PERMISSION_DENIED;
+ goto DONE;
+ }
+
+ ret = cynara_creds_socket_get_user(clientfd, USER_METHOD_UID, &uid);
+ if (ret != CYNARA_API_SUCCESS) {
+ TRACE_DEBUG("failed to create a user identification string");
+ result = DP_ERROR_PERMISSION_DENIED;
+ goto DONE;
+ }
+
+ // Cynara check
+ ret = cynara_check(p_cynara, client_smack, client_session, uid, DOWNLOAD_PRIVILEGE);
+ if (ret == CYNARA_API_ACCESS_ALLOWED) {
+ TRACE_DEBUG("CYNARA_API_ACCESS_ALLOWED");
+ } else {
+ TRACE_DEBUG("DP_ERROR_PERMISSION_DENIED");
+ result = DP_ERROR_PERMISSION_DENIED;
+ }
+
+DONE:
+ if (p_conf)
+ cynara_configuration_destroy(p_conf);
+ if (p_cynara)
+ cynara_finish(p_cynara);
+ free(client_smack);
+ free(uid);
+ return result;
+}
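Review bot: The configuration built at the top of dp_check_permission is never used: `cynara_initialize(&p_cynara, NULL)` ignores `p_conf`, so the cache size set just above has no effect; pass it through with `ret = cynara_initialize(&p_cynara, p_conf);`. Every failure path, including the final denial, is logged with TRACE_DEBUG, which may be filtered out in release builds; the last branch deserves something like `TRACE_ERROR("cynara_check:%d", ret);` so that a policy denial and a Cynara service error can be told apart afterwards. `pkgname` is only printed and plays no part in the decision, which is worth stating in a comment above the function so callers do not assume the check is per package. The message at the socket-client step has a typo ("createsa").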
int dp_client_slot_free(dp_client_slots_fmt *slot);
void dp_broadcast_signal();
-char *dp_db_get_client_smack_label(const char *pkgname);
#endif
#define DP_SCHEMA_CLIENTS "CREATE TABLE IF NOT EXISTS clients(\
id INTEGER UNIQUE PRIMARY KEY,\
package TEXT UNIQUE NOT NULL,\
-smack_label TEXT DEFAULT NULL,\
uid INTEGER DEFAULT 0,\
gid INTEGER DEFAULT 0,\
requests INTEGER DEFAULT 0,\
int dp_db_check_duplicated_int(void *handle, const char *table, const char *column, const int value, int *error);
int dp_db_check_duplicated_string(void *handle, const int id, const char *table, const char *column, const int is_like, const char *value, int *error);
-int dp_db_update_client_info(void *handle, const char *pkgname, const char *smack, const int uid, const int gid, int *error);
+int dp_db_update_client_info(void *handle, const char *pkgname, const int uid, const int gid, int *error);
int dp_db_get_client_property_string(void *handle, const char *pkgname, const char *column, unsigned char **value, unsigned *length, int *error);
int dp_db_new_logging(void *handle, const int id, const int state, const int errorvalue, int *error);
int dp_db_update_logging(void *handle, const int id, const int state, const int errorvalue, int *error);
#ifndef DOWNLOAD_PROVIDER_SMACK_H
#define DOWNLOAD_PROVIDER_SMACK_H
-#ifdef SUPPORT_SECURITY_PRIVILEGE
-#include <security-server.h>
-#define SECURITY_PRIVILEGE_INTERNET "system::use_internet"
-#endif
+#define DOWNLOAD_PRIVILEGE "http://tizen.org/privilege/download"
-int dp_smack_is_mounted();
-int dp_smack_set_label(char *label, char *source, char *target);
-char *dp_smack_get_label_from_socket(int sock);
-int dp_smack_is_valid_dir(int uid, int gid, char *smack_label, char *dir);
void dp_rebuild_dir(const char *dirpath, mode_t mode);
int dp_is_valid_dir(const char *dirpath);
-
+int dp_check_permission(int clientfd, const char *pkgname);
#endif