Require usermanagement permission for local app installation for other users 64/68964/2
author Rafal Krypa <r.krypa@samsung.com>
Tue, 10 May 2016 16:06:50 +0000 (18:06 +0200)
committer Rafal Krypa <r.krypa@samsung.com>
Fri, 13 May 2016 16:08:58 +0000 (09:08 -0700)
When installation type is set to SM_APP_INSTALL_LOCAL, but uid in the
request is different than uid of the calling user, security-manager will
now require the usermanagement permission, i.e.:

http://tizen.org/privilege/internal/usermanagement

The following API functions are affected:
- security_manager_app_install
- security_manager_app_uninstall
- security_manager_paths_register

Change-Id: Ic9e583e4da923ea391987fbb0cfff7f0abbbc2bb

src/common/service_impl.cpp
src/include/app-manager.h

index 9aaafc5..a035875 100755 (executable)
@@ -283,11 +283,15 @@ bool ServiceImpl::authCheck(const Credentials &creds,
                             const uid_t& uid,
                             int installationType)
 {
-    if (installationType == SM_APP_INSTALL_LOCAL && uid == creds.uid) {
+    if (installationType == SM_APP_INSTALL_LOCAL) {
         if (!authenticate(creds, Config::PRIVILEGE_APPINST_USER)) {
             LogError("Caller is not permitted to manage local applications");
             return false;
         }
+        if (uid != creds.uid && !authenticate(creds, Config::PRIVILEGE_USER_ADMIN)) {
+            LogError("Caller is not permitted to manage applications for other users");
+            return false;
+        }
     } else {
         if (!authenticate(creds, Config::PRIVILEGE_APPINST_ADMIN)) {
             LogError("Caller is not permitted to manage global applications");
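
Review bot: in the SM_APP_INSTALL_LOCAL branch, a request with uid != creds.uid no longer falls through to the else branch, so it is no longer checked against Config::PRIVILEGE_APPINST_ADMIN. It now passes with PRIVILEGE_APPINST_USER plus PRIVILEGE_USER_ADMIN. The commit message mentions only the new usermanagement requirement, not that the admin install privilege stops applying to this case. If that is intended, state it in the commit message and add tests for the cross-user combinations (caller holding only APPINST_ADMIN, only APPINST_USER, and APPINST_USER together with USER_ADMIN).
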
index 02207b2..0fc7085 100644 (file)
@@ -130,6 +130,7 @@ int security_manager_app_inst_req_set_install_type(app_inst_req *p_req, const en
  * Required privileges:
  * - http://tizen.org/privilege/notexist (local installation)
  * - http://tizen.org/privilege/notexist (global installation)
+ * - http://tizen.org/privilege/internal/usermanagement (local installation for other users)
  *
  * \param[in] Pointer handling app_inst_req structure
  * \return API return code or error code: it would be
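
Review bot: the added usermanagement line in the security_manager_app_install comment reads as a third alternative in the list, but authCheck requires it on top of the local installation privilege, not instead of it. Suggest wording along the lines of "(additionally required for local installation for other users)" so callers do not assume usermanagement alone is enough.
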
@@ -145,8 +146,9 @@ int security_manager_app_install(const app_inst_req *p_req);
  * using filled up app_inst_req data structure
  *
  * Required privileges:
- * - http://tizen.org/privilege/notexist (private uninstallation)
+ * - http://tizen.org/privilege/notexist (local uninstallation)
  * - http://tizen.org/privilege/notexist (global uninstallation)
+ * - http://tizen.org/privilege/internal/usermanagement (local uninstallation for other users)
  *
  * \param[in] Pointer handling app_inst_req structure
  * \return API return code or error code
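
Review bot: the privilege list for security_manager_app_uninstall now names usermanagement, but the \return line below it still says only "API return code or error code". Document which code the caller receives when the cross-user check fails, so a missing privilege can be told apart from other failures.
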
@@ -216,8 +218,9 @@ int security_manager_path_req_set_uid(path_req *p_req, const uid_t uid);
  * filled up path_req data structure.
  *
  * Required privileges:
- * - http://tizen.org/privilege/notexist (if uid is not set or set to current user's uid)
- * - http://tizen.org/privilege/notexist (if uid is set to some other user's uid)
+ * - http://tizen.org/privilege/notexist (local installation)
+ * - http://tizen.org/privilege/notexist (global installation)
+ * - http://tizen.org/privilege/internal/usermanagement (local installation for other users)
  *
  * \param[in] p_req     Pointer handling path_req structure
  *
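
Review bot: in the path registration comment, the removed lines described the requirement in terms of uid ("if uid is not set or set to current user's uid"), while the replacement lines speak of "local installation" and "global installation" and no longer cover the unset-uid case. Since uid is set through security_manager_path_req_set_uid, keep a sentence saying how an unset uid is treated, and consider "registration" rather than "installation" in the wording for this function.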