Add privilege for checking app permission 49/189949/2
authorPawel Kowalski <p.kowalski2@partner.samsung.com>
Mon, 24 Sep 2018 12:27:50 +0000 (14:27 +0200)
committerPawel Kowalski <p.kowalski2@partner.samsung.com>
Tue, 25 Sep 2018 14:18:49 +0000 (16:18 +0200)
New privilege http://tizen.org/privilege/permission.check was added
to enable the requesting application to check the permissions of another application.

Change-Id: Ia0123e4716496852609371c228a41a477e94959e

src/common/config.cpp
src/common/include/config.h
src/common/service_impl.cpp

index 76bb56a..9c036f5 100644 (file)
@@ -38,6 +38,7 @@ const std::string PRIVILEGE_POLICY_ADMIN     = "http://tizen.org/privilege/inter
 const std::string PRIVILEGE_APPSHARING_ADMIN = "http://tizen.org/privilege/notexist";
 const std::string PRIVILEGE_SHM              = "http://tizen.org/privilege/internal/shm";
 const std::string PRIVILEGE_APP_NAMESPACE    = "http://tizen.org/privilege/notexist";
+const std::string PRIVILEGE_PERMISSION_CHECK = "http://tizen.org/privilege/permission.check";
 
 const std::string APPS_LABELS_FILE = "apps-labels";
 const std::string SKEL_DIR = "/etc/skel";
index fb2bf0c..d7a9afe 100644 (file)
@@ -43,6 +43,7 @@ extern const std::string PRIVILEGE_POLICY_ADMIN;
 extern const std::string PRIVILEGE_APPSHARING_ADMIN;
 extern const std::string PRIVILEGE_SHM;
 extern const std::string PRIVILEGE_APP_NAMESPACE;
+extern const std::string PRIVILEGE_PERMISSION_CHECK;
 
 /* Files used in permitted label managment */
 extern const std::string APPS_LABELS_FILE;
index 46a9e63..d902b25 100644 (file)
@@ -1367,7 +1367,8 @@ int ServiceImpl::getConfiguredPolicy(const Credentials &creds, bool forAdmin,
         LogDebug("App: " << filter.appName << ", Label: " << appProcessLabel);
 
         if (forAdmin) {
-            if (!authenticate(creds, Config::PRIVILEGE_POLICY_ADMIN)) {
+            if (!authenticate(creds, Config::PRIVILEGE_POLICY_ADMIN)
+                && !authenticate(creds, Config::PRIVILEGE_PERMISSION_CHECK)) {
                 LogError("Not enough privilege to access admin enforced policies");
                 return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
             }
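Review bot: Accepting PRIVILEGE_PERMISSION_CHECK as an alternative to PRIVILEGE_POLICY_ADMIN on the forAdmin branch here — and again at the other-user check in the next hunk, the PRIVILEGE_POLICY_USER check in getPolicy, and the admin branch in getPolicy that takes the "User is privileged" path — lets a holder of the new privilege read admin-enforced policies and other users' personal policies, which is wider than the "check the permission of another app" purpose stated in the commit message. Nothing in this diff documents that scope; as far as the visible hunks show the privilege is only consulted on get* paths, but a reader of config.h cannot tell that, so a comment next to the new declaration such as `/* Read-only: lets the holder query the policy of any app or user; not accepted for policy changes */` (hedged to whatever the full file confirms) would make the intent reviewable. As a point of style, the `!authenticate(creds, X) && !authenticate(creds, Config::PRIVILEGE_PERMISSION_CHECK)` pair is now repeated six times with two different bracketings (`!A && !B` here, `!(A || B)` in getAppManifestPolicy); a small helper like `bool hasAnyPrivilege(const Credentials &creds, std::initializer_list<std::string> privs)` called as `if (!hasAnyPrivilege(creds, {Config::PRIVILEGE_POLICY_ADMIN, Config::PRIVILEGE_PERMISSION_CHECK}))` would keep the precedence obvious and the list of accepted privileges in one place. getConfiguredPolicy begins and ends outside this hunk.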
@@ -1381,13 +1382,16 @@ int ServiceImpl::getConfiguredPolicy(const Credentials &creds, bool forAdmin,
                 listOfPolicies);
             LogDebug("ADMIN - number of policies matched: " << listOfPolicies.size());
         } else {
-            if (appProcessLabel != creds.label && !authenticate(creds, Config::PRIVILEGE_POLICY_USER)) {
+            if (appProcessLabel != creds.label
+                && !authenticate(creds, Config::PRIVILEGE_POLICY_USER)
+                && !authenticate(creds, Config::PRIVILEGE_PERMISSION_CHECK)) {
                 LogError("Not enough privilege to access user enforced policies");
                 return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
             }
 
             if (uidStr.compare(user)) {
-                if (!authenticate(creds, Config::PRIVILEGE_POLICY_ADMIN)) {
+                if (!authenticate(creds, Config::PRIVILEGE_POLICY_ADMIN)
+                    && !authenticate(creds, Config::PRIVILEGE_PERMISSION_CHECK)) {
                     LogWarning("Not enough privilege to access other user's personal policies");
                     return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
                 };
@@ -1482,7 +1486,8 @@ int ServiceImpl::getPolicy(const Credentials &creds, const policy_entry &filter,
         std::string uidStr = std::to_string(creds.uid);
         std::string pidStr = std::to_string(creds.pid);
 
-        if (!authenticate(creds, Config::PRIVILEGE_POLICY_USER)) {
+        if (!authenticate(creds, Config::PRIVILEGE_POLICY_USER)
+            && !authenticate(creds, Config::PRIVILEGE_PERMISSION_CHECK)) {
             LogWarning("Not enough permission to call: " << __FUNCTION__);
             return SECURITY_MANAGER_ERROR_ACCESS_DENIED;
         };
@@ -1495,7 +1500,8 @@ int ServiceImpl::getPolicy(const Credentials &creds, const policy_entry &filter,
 
         std::vector<uid_t> listOfUsers;
 
-        if (authenticate(creds, Config::PRIVILEGE_POLICY_ADMIN)) {
+        if (authenticate(creds, Config::PRIVILEGE_POLICY_ADMIN)
+            || authenticate(creds, Config::PRIVILEGE_PERMISSION_CHECK)) {
             LogDebug("User is privileged");
             if (filter.user.compare(SECURITY_MANAGER_ANY)) {
                 LogDebug("Limitting Cynara query to user: " << filter.user);
@@ -2262,10 +2268,10 @@ int ServiceImpl::getAppManifestPolicy(const Credentials &creds, const std::strin
         std::string cynaraClient = getAppProcessLabel(appName);
         std::string uidStr = m_privilegeDb.IsUserPkgInstalled(pkgName, uid) ? std::to_string(uid) : CYNARA_ADMIN_WILDCARD;
 
-        // Allow application to check its own manifest
+        // Allow application to check the manifest
         if (((creds.label != cynaraClient)
              || (uidStr != CYNARA_ADMIN_WILDCARD && uidStr != std::to_string(creds.uid)))
-            && !authenticate(creds, Config::PRIVILEGE_USER_ADMIN))
+            && !(authenticate(creds, Config::PRIVILEGE_USER_ADMIN) || authenticate(creds, Config::PRIVILEGE_PERMISSION_CHECK)))
         {
             LogError("Request from uid=" << creds.uid << ", Smack=" << creds.label << " for checking app manifest policy denied");
             return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
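Review bot: The reworded comment `// Allow application to check the manifest` loses the distinction the condition below it still encodes: the first two clauses exempt an application reading its own manifest (matching label and uid), and only other apps' manifests require PRIVILEGE_USER_ADMIN or the new PRIVILEGE_PERMISSION_CHECK. Suggest `// Allow an application to check its own manifest; any other manifest requires USER_ADMIN or PERMISSION_CHECK` so the comment says why the privilege check is skipped. Separately, this branch returns SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED while every other check touched by this commit returns SECURITY_MANAGER_ERROR_ACCESS_DENIED; that predates the change, but since the commit edits this condition it is a natural place to align the error code or note why it differs. getAppManifestPolicy continues outside the hunk.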