int getAppDefinedPrivilegeDescription(uid_t uid, const std::string &privilege, std::string &appName, std::string &pkgName, std::string &license);
+ void setupAccessToRunUserDir(uid_t uid);
+
// Objects below have to be accessed under a mutex each time - need to be thread safe at usage
Cynara m_cynara; // added api mutex
SmackRules m_smackRules; // seems to work out of the box, assuming that libsmack can be used from many threads at once
m_prepareAppFlags = PrepareAppFlags(checkProperDropFlags) << PREPARE_APP_CPD_FLAG_SHIFT;
static_assert(CheckProperDrop::N_FLAG_BITS + PREPARE_APP_CPD_FLAG_SHIFT <= 8 * sizeof m_prepareAppFlags,
"CheckProperDrop flags too large for prepareAppFlags");
+ if (!smack_simple_check()) {
+ // In dev_wos mode apps will have PUIDs instead of actual user IDs,
+ // so we need to make sure that users that exist in the system have their
+ // /run/user/<ID> paths accessible to apps with PUIDs.
+ //
+ // Since apps are the least privileged entities in the system and all need access
+ // to that path, we're doing the configuration here temporarily.
+ //
+ // Long-term a solution is needed to ensure that all apps of given actual user
+ // would have ie. one common group and ACL should be configured to give ccess to the /run/user/<ID>
+ // path for that group. Proper solution would probably include modifications around systemd
+ // or adding separate service for doing that before security-manager starts setting up
+ // user processes with PUIDs, also dynamic addition of new users has to be considered just in case.
+ std::vector<uid_t> listOfUsers;
+ m_cynaraAdmin.listUsers(listOfUsers);
+ for (auto &uid : listOfUsers)
+ setupAccessToRunUserDir(uid);
+ }
+ }
+}
+
+// This code attempts to add others+rwx on /run/user/<uid> directory to allow PUIDed apps to access it.
+// If an error is encountered, its logged but logic continues.
+//
+// On Smack-enabled image this is how permissions look like:
+//
+// root:/run/user> ls -lZ
+// total 0
+// drwxr-x--- 8 owner system_share * 260 Feb 14 18:37 5001
+void ServiceImpl::setupAccessToRunUserDir(uid_t uid)
+{
+ try {
+ std::string path = TizenPlatformConfig::makePath(TZ_SYS_RUN, "user", std::to_string(uid));
+ mode_t other_mode = S_IROTH | S_IWOTH | S_IXOTH; // others + rwx
+ struct stat statbuf;
+ if (stat(path.c_str(), &statbuf) == -1) {
+ LogErrno("Error getting file status on path: " << path);
+ return;
+ }
+ other_mode |= statbuf.st_mode;
+ if (-1 == chmod(path.c_str(), other_mode)) {
+ LogErrno("Error in setting up /run/user/<uid> path for path: " << path << " - chmod failed!");
+ }
+ } catch (...) {
+ LogError("Error in setting up /run/user/<uid> path for uid: " << uid);
}
}
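Review bot: In `setupAccessToRunUserDir`, the mode built at `mode_t other_mode = S_IROTH | S_IWOTH | S_IXOTH;` makes /run/user/<uid> writable by every uid without the sticky bit, so any process in "others" can unlink or rename entries the owner created there (runtime directories typically hold per-user IPC sockets) and put its own in their place. If write access for others is really required, at least restrict deletion with `mode_t other_mode = S_IROTH | S_IWOTH | S_IXOTH | S_ISVTX;`, and check whether `S_IWOTH` can be dropped altogether. The grant also reaches every non-owner, non-group uid rather than only PUID apps, which the constructor comment already marks as temporary; logging the old and new mode on success would make the widening auditable. Separately, `stat()` and `chmod()` each resolve the path again and follow symlinks, with no `S_ISDIR` check in between. Opening the directory with `O_DIRECTORY | O_NOFOLLOW` and using `fstat`/`fchmod` on the descriptor would pin the object being changed, though this is only hardening if /run/user is writable by root alone.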