LogDebug("App: " << filter.appName << ", Label: " << appProcessLabel);
if (forAdmin) {
- if (!authenticate(creds, Config::PRIVILEGE_POLICY_ADMIN)) {
+ if (!authenticate(creds, Config::PRIVILEGE_POLICY_ADMIN)
+ && !authenticate(creds, Config::PRIVILEGE_PERMISSION_CHECK)) {
LogError("Not enough privilege to access admin enforced policies");
return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
}
listOfPolicies);
LogDebug("ADMIN - number of policies matched: " << listOfPolicies.size());
} else {
- if (appProcessLabel != creds.label && !authenticate(creds, Config::PRIVILEGE_POLICY_USER)) {
+ if (appProcessLabel != creds.label
+ && !authenticate(creds, Config::PRIVILEGE_POLICY_USER)
+ && !authenticate(creds, Config::PRIVILEGE_PERMISSION_CHECK)) {
LogError("Not enough privilege to access user enforced policies");
return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
}
if (uidStr.compare(user)) {
- if (!authenticate(creds, Config::PRIVILEGE_POLICY_ADMIN)) {
+ if (!authenticate(creds, Config::PRIVILEGE_POLICY_ADMIN)
+ && !authenticate(creds, Config::PRIVILEGE_PERMISSION_CHECK)) {
LogWarning("Not enough privilege to access other user's personal policies");
return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
};
std::string uidStr = std::to_string(creds.uid);
std::string pidStr = std::to_string(creds.pid);
- if (!authenticate(creds, Config::PRIVILEGE_POLICY_USER)) {
+ if (!authenticate(creds, Config::PRIVILEGE_POLICY_USER)
+ && !authenticate(creds, Config::PRIVILEGE_PERMISSION_CHECK)) {
LogWarning("Not enough permission to call: " << __FUNCTION__);
return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
};
std::vector<uid_t> listOfUsers;
- if (authenticate(creds, Config::PRIVILEGE_POLICY_ADMIN)) {
+ if (authenticate(creds, Config::PRIVILEGE_POLICY_ADMIN)
+ || authenticate(creds, Config::PRIVILEGE_PERMISSION_CHECK)) {
LogDebug("User is privileged");
if (filter.user.compare(SECURITY_MANAGER_ANY)) {
LogDebug("Limitting Cynara query to user: " << filter.user);
std::string cynaraClient = getAppProcessLabel(appName);
std::string uidStr = m_privilegeDb.IsUserPkgInstalled(pkgName, uid) ? std::to_string(uid) : CYNARA_ADMIN_WILDCARD;
- // Allow application to check its own manifest
+ // Allow application to check the manifest
if (((creds.label != cynaraClient)
|| (uidStr != CYNARA_ADMIN_WILDCARD && uidStr != std::to_string(creds.uid)))
- && !authenticate(creds, Config::PRIVILEGE_USER_ADMIN))
+ && !(authenticate(creds, Config::PRIVILEGE_USER_ADMIN) || authenticate(creds, Config::PRIVILEGE_PERMISSION_CHECK)))
{
LogError("Request from uid=" << creds.uid << ", Smack=" << creds.label << " for checking app manifest policy denied");
return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;