Add script to maintain mdm enabled policy 43/135943/1 accepted/tizen_3.0_common accepted/tizen_3.0_ivi accepted/tizen_3.0_mobile accepted/tizen_3.0_tv accepted/tizen_3.0_wearable tizen_3.0 accepted/tizen/3.0/common/20170706.101207 accepted/tizen/3.0/ivi/20170705.230147 accepted/tizen/3.0/mobile/20170705.230134 accepted/tizen/3.0/tv/20170705.230140 accepted/tizen/3.0/wearable/20170705.230143 submit/tizen_3.0/20170630.064608
authorYunjin Lee <yunjin-.lee@samsung.com>
Tue, 20 Jun 2017 07:11:25 +0000 (16:11 +0900)
committerYunjin Lee <yunjin-.lee@samsung.com>
Tue, 20 Jun 2017 07:11:25 +0000 (16:11 +0900)
Change-Id: I316edb73c77eaba6667c67427ff14cb8618258c9
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
CMakeLists.txt
packaging/security-config.spec
upgrade/201.security_upgrade.sh
upgrade/710.security_enabled_blacklist_upgrade.sh [new file with mode: 0644]

index 9a6d5b617f75b8cc959508c0be25dca32b87ddd6..e12d4611b288c94cd791aa116d00ce23ee6b6466 100755 (executable)
@@ -16,6 +16,7 @@ INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/security-config.conf DESTINATION /usr/l
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/90_user-content-permissions.post DESTINATION ${SYSCONF_INSTALL_DIR}/gumd/useradd.d)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/91_user-dbspace-permissions.post DESTINATION ${SYSCONF_INSTALL_DIR}/gumd/useradd.d)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/upgrade/201.security_upgrade.sh DESTINATION /usr/share/upgrade/scripts)
+INSTALL(FILES ${CMAKE_SOURCE_DIR}/upgrade/710.security_enabled_blacklist_upgrade.sh DESTINATION /usr/share/upgrade/scripts)
 
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/smack/onlycap DESTINATION /etc/smack)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/smack/smack_default_labeling DESTINATION /usr/share/security-config)
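Review bot: The added line installs the upgrade script with `INSTALL(FILES ...)`, which applies the default non-executable file permissions, and the commit adds the script itself as mode 0644. Its execute bit therefore comes only from the `%attr(755,root,root)` entry in the spec, so any install path that bypasses the RPM leaves a script that cannot run. `INSTALL(PROGRAMS ${CMAKE_SOURCE_DIR}/upgrade/710.security_enabled_blacklist_upgrade.sh DESTINATION /usr/share/upgrade/scripts)` states the intent in the build file. The neighbouring `201.security_upgrade.sh` line follows the same pattern.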
index 8228879580c0e8aa620e0a2680998b6ebd474558..6f8da7cd98798909657e8c5e00a6293eaa05f7c8 100755 (executable)
@@ -101,6 +101,7 @@ rm /opt/share/security-config/test/capability_test/*
 %attr(755,root,root) /opt/share/security-config/test/smack_basic_test/*
 %attr(755,root,root) /opt/share/security-config/test/security_mount_option_test/*
 %attr(755,root,root) /usr/share/upgrade/scripts/201.security_upgrade.sh
+%attr(755,root,root) /usr/share/upgrade/scripts/710.security_enabled_blacklist_upgrade.sh
 %attr(755,root,root) %{_sysconfdir}/gumd/useradd.d/90_user-content-permissions.post
 %attr(755,root,root) %{_sysconfdir}/gumd/useradd.d/91_user-dbspace-permissions.post
 
index beecc8b47a309c2b96ee89194d94e4f772af0cd5..33e7c9dad470afd7d046a9cd1c615792aaee3f2e 100644 (file)
@@ -24,11 +24,15 @@ SECURITY_MANAGER_DB_JOURNAL=/opt/dbspace/.security-manager.db-journal
 SECURITY_MANAGER_DIR=/opt/var/security-manager
 PRIVILEGE_CHECKER_POLICY_DB=/opt/dbspace/.policy.db
 PRIVILEGE_CHECKER_POLICY_DB_JOURNAL=/opt/dbspace/.policy.db-journal
-
+BLACKLIST_ENABLED_FILE=/opt/data/blacklist_enabled
 
 #--------------------------------------
 # Start
 #--------------------------------------
+# save mdm blacklist enabled policy
+touch $BLACKLIST_ENABLED_FILE
+sqlite3 $SECURITY_SERVER_DB "SELECT app_name,name FROM app_permission_blacklist_view WHERE is_blacklist_enabled='1';" > $BLACKLIST_ENABLED_FILE
+
 # remove non used directories/files
 rm $APPLICATION_RULES
 rm $PRIVACY_DB
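Review bot: The export at `sqlite3 $SECURITY_SERVER_DB ... > $BLACKLIST_ENABLED_FILE` writes to a fixed path with the default umask and never checks the exit status, yet the new 710 script later turns each line of that file into a cynara rule as root. If `/opt/data` is writable by a less privileged account (its permissions are not visible here), the file could be pre-created, symlinked or edited between the two scripts. A failed query would also leave an empty file and silently drop the policy. I would drop the redundant `touch`, quote the variables and tighten the mode, e.g. `umask 077` followed by `sqlite3 "$SECURITY_SERVER_DB" "<same query>" > "$BLACKLIST_ENABLED_FILE" || echo "blacklist export failed" >&2`. The script continues past the end of this hunk, so whether the source database is removed afterwards cannot be confirmed from here.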
diff --git a/upgrade/710.security_enabled_blacklist_upgrade.sh b/upgrade/710.security_enabled_blacklist_upgrade.sh
new file mode 100644 (file)
index 0000000..277878c
--- /dev/null
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+#--------------------------------------
+# RW patch for FOTA/FUS upgrade
+#--------------------------------------
+
+# 3.0 rw partition security directoy
+BLACKLIST_ENABLED_FILE=/opt/data/blacklist_enabled
+#privilege_prefix="http://tizen.org/privilege/"
+#smack prefix org.tizen.privilege
+privilege_prefix="http://developer.samsung.com/tizen/privilege/"
+#smack prefix com.developer.samsung.tizen.privilege.
+for i in `cat $BLACKLIST_ENABLED_FILE`
+do
+       pkgid=`echo $i | cut -d '|' -f1`
+       permission=`echo $i | cut -d '|' -f2`
+       privilege=`echo $permission | cut -d '.' -f6,7,8,9,10`
+       #privilege=`echo $permission | cut -d '.' -f4,5,6,7,8`
+       pkgsmack="User::Pkg::""$pkgid"
+       privilege_name="$privilege_prefix""$privilege"
+       cyad -s -k ADMIN -c $pkgsmack -u 5001 -p $privilege_name -t ALLOW
+done
+
+rm $BLACKLIST_ENABLED_FILE
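Review bot: The loop ``for i in `cat $BLACKLIST_ENABLED_FILE` `` splits the staged records on any whitespace, expands globs, and passes the unquoted, unvalidated fields straight to `cyad ... -t ALLOW`. A blank, truncated or tampered line can therefore produce an ALLOW rule for client `User::Pkg::` or for a privilege that is only the bare prefix. Reading records with `while IFS='|' read -r`, skipping any with an empty or unexpected field, and quoting every expansion keeps a malformed line from becoming policy. The character set in the sketch below is a guess at what package ids and privilege names may contain and needs confirming. A short comment would also help to explain why a blacklist-enabled record maps to `ALLOW` in the `ADMIN` bucket and why the uid is fixed at 5001.

```shell
# … unchanged: PATH, BLACKLIST_ENABLED_FILE and privilege_prefix assignments …
# nothing to migrate, or the path is not a plain file we created
[ -f "$BLACKLIST_ENABLED_FILE" ] && [ ! -L "$BLACKLIST_ENABLED_FILE" ] || exit 0

while IFS='|' read -r pkgid permission
do
       # skip blank or truncated records instead of writing a rule for an empty client
       [ -n "$pkgid" ] && [ -n "$permission" ] || continue
       privilege=`echo "$permission" | cut -d '.' -f6,7,8,9,10`
       [ -n "$privilege" ] || continue
       # reject anything outside the expected character set (set to be confirmed)
       case "$pkgid$privilege" in
               *[!A-Za-z0-9._-]*) continue ;;
       esac
       cyad -s -k ADMIN -c "User::Pkg::$pkgid" -u 5001 -p "$privilege_prefix$privilege" -t ALLOW
done < "$BLACKLIST_ENABLED_FILE"

rm -f "$BLACKLIST_ENABLED_FILE"
```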