return (stat(path.c_str(), &buffer) == 0) && S_ISREG(buffer.st_mode);
}
+std::string realPath(const std::string &path)
+{
+ auto real_pathPtr = makeUnique(realpath(path.c_str(), nullptr), free);
+ if (!real_pathPtr) {
+ LogError("Error in realpath(): " << GetErrnoString(errno) << " for: " << path);
+ return std::string();
+ }
+
+ return real_pathPtr.get();
+}
+
class ScopedTransaction {
public:
ScopedTransaction(PrivilegeDb &privilegeDb) : m_isCommited(false), m_privilegeDb(privilegeDb) {
PrivilegeDb &m_privilegeDb;
};
-bool verifyAppDefinedPrivileges(const AppDefinedPrivilegesVector &privileges) {
- // check if licenses are set for license-privileges
- // check for collision with system privileges
- for (auto &e : privileges) {
- if (((std::get<1>(e) == SM_APP_DEFINED_PRIVILEGE_TYPE_LICENSED) && std::get<2>(e).empty()) ||
- (std::get<0>(e).find("http://tizen.org/privilege/") != std::string::npos))
+bool verifyAppDefinedPrivileges(app_inst_req &req) {
+ std::vector<std::string> licenseVector;
+
+ for (auto &e : req.appDefinedPrivileges) {
+ // check if licenses are set for license-privileges
+ if ((std::get<1>(e) == SM_APP_DEFINED_PRIVILEGE_TYPE_LICENSED)
+ && (std::get<2>(e).empty()))
+ {
+ LogError("License privilege delivered empty license!");
+ return false;
+ }
+
+ // check for collision with system privileges
+ if (std::get<0>(e).find("http://tizen.org/privilege/") != std::string::npos) {
+ LogError("App defined privilege could not contain: 'http://tizen.org/privilege'");
+ return false;
+ }
+
+ if (std::get<1>(e) == SM_APP_DEFINED_PRIVILEGE_TYPE_LICENSED)
+ licenseVector.push_back(std::get<2>(e));
+ }
+
+ // get license from 'client' privileges
+ for (auto &e : req.privileges) {
+ if (!e.second.empty())
+ licenseVector.push_back(e.second);
+ }
+
+ // We need to verify licenses placement in filesystem
+ // Each license must be marked as SECURITY_MANAGER_PATH_RO
+ // and the path must be inside application directory.
+ // If we put licenses in pkgPaths all of this will be done
+ // during paths verification procedure.
+ for (auto &e : licenseVector) {
+ std::string tmp = realPath(e);
+ if (tmp.empty())
return false;
+ req.pkgPaths.emplace_back(std::move(tmp), SECURITY_MANAGER_PATH_RO);
}
+
return true;
}
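Review bot: The first loop rejects a LICENSED entry with an empty license but accepts an UNTRUSTED entry that carries one, and the second loop collects a license from every entry of `req.privileges`, although the header comment changed in this same commit says the license must be NULL for `SM_APP_DEFINED_PRIVILEGE_TYPE_UNTRUSTED` and for Tizen system privileges. If that contract is meant to be enforced at install time, a guard such as `if (std::get<1>(e) == SM_APP_DEFINED_PRIVILEGE_TYPE_UNTRUSTED && !std::get<2>(e).empty()) return false;` belongs next to the empty-license check, with a matching check in the `req.privileges` loop. Separately, the function now takes `req` by non-const reference and appends to `req.pkgPaths`, which the name `verify...` does not suggest. A header comment such as `// Also appends every resolved license path to req.pkgPaths as SECURITY_MANAGER_PATH_RO; must run before path verification.` would record that. The ordering matters because the "inside application directory" check is delegated to code outside this hunk, so a license path is only constrained if that verification runs over `req.pkgPaths` after this call.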
return false;
}
-std::string ServiceImpl::realPath(const std::string &path)
-{
- auto real_pathPtr = makeUnique(realpath(path.c_str(), nullptr), free);
- if (!real_pathPtr) {
- LogError("Error in realpath(): " << GetErrnoString(errno) << " for: " << path);
- return std::string();
- }
-
- return real_pathPtr.get();
-}
-
bool ServiceImpl::getUserPkgDir(const uid_t &uid,
const std::string &pkgName,
app_install_type installType,
try {
std::vector<std::string> privilegeList;
privilegeList.reserve(req.privileges.size());
- if (!verifyAppDefinedPrivileges(req.appDefinedPrivileges))
+
+ if (!verifyAppDefinedPrivileges(req))
return SECURITY_MANAGER_ERROR_INPUT_PARAM;
for (auto &e : req.privileges)
*/
int security_manager_app_inst_req_add_privilege(
app_inst_req *p_req,
- const char *privilege) __attribute__((deprecated(
- "Use security_manager_app_inst_req_add_client_privilege() instead")));
+ const char *privilege);
/**
* This function is used to add privilege and license to app_inst_req structure,
*
* \param[in] p_req Pointer handling app_inst_req structure
* \param[in] privilege Application privilege
- * \param[in] license Requirements for license-manager. For type
- * SM_APP_DEFINED_PRIVILEGE_TYPE_UNTRUSTED this parameter
- * must be NULL. For type SM_APP_DEFINED_PRIVILEGE_TYPE_LICENSE
- * this parameter may contain path to public_key/certificate (or
- * other document) used during varification process.
+ * \param[in] license Requirements for license-manager. For privileges provided by
+ * Tizen system and for SM_APP_DEFINED_PRIVILEGE_TYPE_UNTRUSTED
+ * this parameter must be NULL. For type
+ * SM_APP_DEFINED_PRIVILEGE_TYPE_LICENSE this parameter may contain
+ * path to document with license that will be used during varification
+ * process. File or directory with file must be marked as
+ * SECURITY_MANAGER_PATH_RO.
* \return API return code or error code
*/
int security_manager_app_inst_req_add_client_privilege(
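Review bot: The rewritten `license` description names `SM_APP_DEFINED_PRIVILEGE_TYPE_LICENSE`, while the check in `verifyAppDefinedPrivileges` in this commit compares against `SM_APP_DEFINED_PRIVILEGE_TYPE_LICENSED`; the comment should use whichever spelling the enumerator actually has. The sentence "File or directory with file must be marked as SECURITY_MANAGER_PATH_RO" reads as a caller obligation, yet the service side now registers each resolved license path as `SECURITY_MANAGER_PATH_RO` itself, so the comment should say which of the two applies, for example `The path must lie inside the application directory; it is registered as SECURITY_MANAGER_PATH_RO during installation.` "varification" should read "verification". The same wording recurs in the comment for `security_manager_app_inst_req_add_app_defined_privilege` further down, and the declaration this comment documents continues outside the hunk.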
* \param[in] license Requirements for license-manager. For type
* SM_APP_DEFINED_PRIVILEGE_TYPE_UNTRUSTED this parameter
* must be NULL. For type SM_APP_DEFINED_PRIVILEGE_TYPE_LICENSE
- * this parameter may contain path to public_key/certificate (or
- * other document) used during varification process.
+ * this parameter may contain path to license that will be used
+ * during varification process. File or directory with file must
+ * be marked as SECURITY_MANAGER_PATH_RO.
* \return API return code or error code
*/
int security_manager_app_inst_req_add_app_defined_privilege(