Improve privilege checker. 73/106573/16
authorYoungmin Yoo <youngmin.yoo@samsung.com>
Thu, 22 Dec 2016 05:15:49 +0000 (14:15 +0900)
committerYoungmin Yoo <youngmin.yoo@samsung.com>
Tue, 27 Dec 2016 08:58:33 +0000 (17:58 +0900)
Privilege check:
- default privileges granted when the application is installed.
- privileges added to config.xml by the application developer.

Bug: P161214-04760
Bug: http://suprem.sec.samsung.net/jira/browse/TWF-2681

Change-Id: Ic21058964aa98ca26460b6717dca063aaf406043
Signed-off-by: Youngmin Yoo <youngmin.yoo@samsung.com>
build/common.gypi
build/cynara-client.gypi [new file with mode: 0644]
common/common.gyp
packaging/crosswalk-tizen.spec
runtime/browser/web_application.cc

index 876c0fe..ec6b82a 100644 (file)
@@ -28,6 +28,7 @@
       }],
     ],
     'includes': [
+      'cynara-client.gypi',
       'pkg-config.gypi',
       'xwalk_js2c.gypi',
     ],
diff --git a/build/cynara-client.gypi b/build/cynara-client.gypi
new file mode 100644 (file)
index 0000000..b0fac97
--- /dev/null
@@ -0,0 +1,16 @@
+{
+    'variables': {
+        'pkg-config': 'pkg-config',
+    },
+    'cflags': [
+        '<!@(<(pkg-config) --cflags cynara-client)'
+    ],
+    'link_settings': {
+        'ldflags': [
+            '<!@(<(pkg-config) --libs-only-L --libs-only-other cynara-client)',
+        ],
+        'libraries': [
+            '<!@(<(pkg-config) --libs-only-l cynara-client)',
+        ],
+    },
+} # cynara-client
index 3757c57..7ba0750 100644 (file)
@@ -42,6 +42,7 @@
           'capi-appfw-app-manager',
           'capi-appfw-package-manager',
           'capi-system-system-settings',
+          'cynara-client',
           'dlog',
           'uuid',
           'libwebappenc',
index 1b9c54b..b1f452b 100755 (executable)
@@ -30,6 +30,7 @@ BuildRequires: pkgconfig(capi-appfw-package-manager)
 BuildRequires: pkgconfig(capi-system-system-settings)
 BuildRequires: pkgconfig(capi-ui-efl-util)
 BuildRequires: pkgconfig(chromium-efl)
+BuildRequires: pkgconfig(cynara-client)
 BuildRequires: pkgconfig(deviced)
 BuildRequires: pkgconfig(dlog)
 BuildRequires: pkgconfig(ecore)
index 49c4478..98e87a3 100755 (executable)
 #include "runtime/browser/web_application.h"
 
 #include <app.h>
-#include <Ecore.h>
 #include <aul.h>
+#include <cynara-client.h>
+#include <Ecore.h>
 
 #include <algorithm>
 #include <map>
 #include <memory>
+#include <fstream>
 #include <sstream>
 #include <vector>
 
@@ -98,10 +100,12 @@ const char* kAmbientTickEventScript =
     "for (var i=0; i < window.frames.length; i++)\n"
     "{ window.frames[i].document.dispatchEvent(__event); }"
     "})()";
+const char* kCameraPrivilege = "http://tizen.org/privilege/camera";
 const char* kFullscreenPrivilege = "http://tizen.org/privilege/fullscreen";
 const char* kFullscreenFeature = "fullscreen";
 const char* kNotificationPrivilege = "http://tizen.org/privilege/notification";
 const char* kLocationPrivilege = "http://tizen.org/privilege/location";
+const char* kRecordPrivilege = "http://tizen.org/privilege/recorder";
 const char* kStoragePrivilege = "http://tizen.org/privilege/unlimitedstorage";
 const char* kUsermediaPrivilege = "http://tizen.org/privilege/mediacapture";
 const char* kNotiIconFile = "noti_icon.png";
@@ -128,9 +132,11 @@ const char* kDefaultCSPRule =
 const char* kResWgtPath = "res/wgt/";
 const char* kAppControlMain = "http://tizen.org/appcontrol/operation/main";
 
-bool FindPrivilege(common::ApplicationData* app_data,
+// Looking for added privilege by Application developer in config.xml.
+bool FindPrivilegeFromConfig(common::ApplicationData* app_data,
                    const std::string& privilege) {
   if (app_data->permissions_info().get() == NULL) return false;
+  LOGGER(INFO) << "Finding privilege from config.xml";
   auto it = app_data->permissions_info()->GetAPIPermissions().begin();
   auto end = app_data->permissions_info()->GetAPIPermissions().end();
   for (; it != end; ++it) {
@@ -139,6 +145,47 @@ bool FindPrivilege(common::ApplicationData* app_data,
   return false;
 }
 
+// Looking for given default privilege when application installed.
+bool FindPrivilegeFromCynara(const std::string& privilege_name) {
+  LOGGER(INFO) << "Finding privilege from cynara db";
+  static constexpr char kSmackLabelFilePath[] = "/proc/self/attr/current";
+  std::ifstream file(kSmackLabelFilePath);
+  if (!file.is_open()) {
+    LOGGER(ERROR) << "Failed to open " << kSmackLabelFilePath;
+    return false;
+  }
+
+  int ret;
+  cynara* p_cynara = NULL;
+  ret = cynara_initialize(&p_cynara, 0);
+  if (CYNARA_API_SUCCESS != ret) {
+    LOGGER(ERROR) << "Failed. The result of cynara_initialize() : " << ret;
+    return false;
+  }
+
+  std::string uid = std::to_string(getuid());
+  std::string smack_label{std::istreambuf_iterator<char>(file),
+                          std::istreambuf_iterator<char>()};
+
+  bool result = false;
+  ret = cynara_check(p_cynara, smack_label.c_str(), "", uid.c_str(), privilege_name.c_str());
+  if (CYNARA_API_ACCESS_ALLOWED != ret) {
+    LOGGER(ERROR) << "Access denied. The result of cynara_check() : " << ret;
+  } else {
+    LOGGER(INFO) << "Access allowed! The result of cynara_check() : " << ret;
+    result = true;
+  }
+
+  if (p_cynara) {
+    ret = cynara_finish(p_cynara);
+    if (CYNARA_API_SUCCESS != ret) {
+      LOGGER(ERROR) << "Failed. The result of cynara_finish() : " << ret;
+    }
+  }
+
+  return result;
+}
+
 static void SendDownloadRequest(const std::string& url) {
   common::AppControl request;
   request.set_operation(APP_CONTROL_OPERATION_DOWNLOAD);
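Review bot: In FindPrivilegeFromCynara the Smack label read from `/proc/self/attr/current` is passed to `cynara_check()` without checking that the read produced anything, so an empty or failed read is only caught indirectly by whatever cynara does with an empty client string. Reading the label first and returning early makes that failure explicit and avoids creating a cynara handle that is not needed: `if (smack_label.empty()) { LOGGER(ERROR) << "Empty smack label"; return false; }` placed before `cynara_initialize()`. The `CYNARA_API_ACCESS_ALLOWED != ret` branch logs every other return value as "Access denied", so a cynara error cannot be told apart from a policy denial in the logs; logging denial only for `CYNARA_API_ACCESS_DENIED` and a separate message otherwise would help triage. Each call also initializes and finishes its own cynara handle, and OnUsermediaPermissionRequest calls the function twice per request, so a cached handle may be worth considering. `getuid()` is used here but `<unistd.h>` is not among the added includes, so it presumably arrives transitively.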
@@ -348,7 +395,7 @@ bool WebApplication::Initialize() {
                                               this);
   InitializeNotificationCallback(ewk_context_, this);
 
-  if (FindPrivilege(app_data_, kFullscreenPrivilege)) {
+  if (FindPrivilegeFromConfig(app_data_, kFullscreenPrivilege)) {
     ewk_context_tizen_extensible_api_string_set(ewk_context_,
                                                 kFullscreenFeature, true);
   }
@@ -1043,7 +1090,7 @@ void WebApplication::OnNotificationPermissionRequest(
   // Local Domain: Grant permission if defined, otherwise Popup user prompt.
   // Remote Domain: Popup user prompt.
   if (common::utils::StartsWith(url, "file://") &&
-      FindPrivilege(app_data_, kNotificationPrivilege)) {
+      FindPrivilegeFromConfig(app_data_, kNotificationPrivilege)) {
     result_handler(true);
     return;
   }
@@ -1083,7 +1130,8 @@ void WebApplication::OnGeolocationPermissionRequest(
 
   // Local Domain: Grant permission if defined, otherwise block execution.
   // Remote Domain: Popup user prompt if defined, otherwise block execution.
-  if (!FindPrivilege(app_data_, kLocationPrivilege)) {
+  if (!FindPrivilegeFromConfig(app_data_, kLocationPrivilege) &&
+      !FindPrivilegeFromCynara(kLocationPrivilege)) {
     result_handler(false);
     return;
   }
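Review bot: The cynara lookup in OnGeolocationPermissionRequest is only reached when the config.xml lookup fails, so a `true` from FindPrivilegeFromConfig is never confirmed against the platform policy. If cynara is the authoritative record of what the installed application was actually granted, a privilege that is declared in config.xml but denied in cynara still passes this gate; whether the installer rules that case out is not visible here. The same pattern appears in the OnUsermediaPermissionRequest hunk. The comment above the condition still describes only the "if defined" case and could say where the privilege may come from, e.g. `// "Defined" means declared in config.xml or allowed by cynara for this process.` The function body continues outside the hunk.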
@@ -1128,7 +1176,7 @@ void WebApplication::OnQuotaExceed(WebView*, const std::string& url,
   // Local Domain: Grant permission if defined, otherwise Popup user prompt.
   // Remote Domain: Popup user prompt.
   if (common::utils::StartsWith(url, "file://") &&
-      FindPrivilege(app_data_, kStoragePrivilege)) {
+      FindPrivilegeFromConfig(app_data_, kStoragePrivilege)) {
     result_handler(true);
     return;
   }
@@ -1224,7 +1272,8 @@ void WebApplication::OnUsermediaPermissionRequest(
 
   // Local Domain: Grant permission if defined, otherwise block execution.
   // Remote Domain: Popup user prompt if defined, otherwise block execution.
-  if (!FindPrivilege(app_data_, kUsermediaPrivilege)) {
+  if (!FindPrivilegeFromConfig(app_data_, kUsermediaPrivilege) &&
+      !(FindPrivilegeFromCynara(kCameraPrivilege) && FindPrivilegeFromCynara(kRecordPrivilege))) {
     result_handler(false);
     return;
   }
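Review bot: The cynara fallback in OnUsermediaPermissionRequest requires both `kCameraPrivilege` and `kRecordPrivilege`, regardless of which media the page asked for. If a request can be audio-only or video-only, an application holding just the matching privilege is refused; if both are intentionally required as the equivalent of `mediacapture`, a short comment would record that, e.g. `// mediacapture is treated as camera + recorder in the cynara policy.` The new condition line is also much longer than the surrounding lines; breaking after the inner `&&` would keep it consistent. The function body continues outside the hunk.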