From: Tomasz Swierczek Date: Wed, 18 Apr 2018 08:17:40 +0000 (+0200) Subject: Optimize privilege-checker API usage X-Git-Tag: submit/tizen/20180425.043505~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=263420fdfb0e5a3123885b5a1484e84983594e66;p=platform%2Fcore%2Fsecurity%2Faskuser.git Optimize privilege-checker API usage Use privilege_info_get_same_privacy_grouped_privileges() instead of sequential calling: * privilege_info_is_privacy * privilege_info_get_privacy_by_privilege * privilege_info_get_privilege_list_by_privacy Change-Id: Ifc03361cab7b9457feaec8a3c99fbe832ee82b43 --- diff --git a/src/common/policy/PrivilegeInfo.cpp b/src/common/policy/PrivilegeInfo.cpp index 83e3ca6..882ac12 100644 --- a/src/common/policy/PrivilegeInfo.cpp +++ b/src/common/policy/PrivilegeInfo.cpp @@ -104,8 +104,8 @@ std::vector getPrivilegesPrivacies(const std::vector &core return std::vector(privaciesSet.begin(), privaciesSet.end()); } -std::vector getPrivilegeMapping(AppInfo &appInfo, const std::string &appId, const Privilege &privilege) { - ALOGD("Mapping privilege " << privilege); +std::vector getCorePrivilegeMapping(AppInfo &appInfo, const std::string &appId, const Privilege &privilege) { + ALOGD("Mapping core privileges of privilege " << privilege); uid_t uid = geteuid(); std::string version = appInfo.apiVersion(appId, uid); std::string type = appInfo.type(appId, uid); @@ -140,7 +140,30 @@ std::vector getPrivilegeMapping(AppInfo &appInfo, const std::string & std::vector privMappedVector; for (GList *l = privMappedWrap.get(); l != NULL; l = l->next) { std::string corePriv = static_cast(l->data); - ALOGD("Privilege mapps to " << corePriv); + ALOGD("Privilege maps to " << corePriv); + privMappedVector.push_back(std::move(corePriv)); + } + + return privMappedVector; +} + +std::vector getSamePrivacyPrivilegeMapping(const Privilege &privilege) { + ALOGD("Mapping same privacy privileges of privilege " << privilege); + + GList *privMapped = nullptr; + + int ret = privilege_info_get_same_privacy_grouped_privileges(privilege.c_str(), &privMapped); + + if (ret != PRVMGR_ERR_NONE || !privMapped) { + ALOGE("Unable to get privacy mapping of privilege " << privilege << "; err: <" << ret << ">"); + return {}; + } + + GListWrap privMappedWrap(privMapped); + std::vector privMappedVector; + for (GList *l = privMappedWrap.get(); l != NULL; l = l->next) { + std::string corePriv = static_cast(l->data); + ALOGD("Privilege maps to " << corePriv); privMappedVector.push_back(std::move(corePriv)); } diff --git a/src/common/policy/PrivilegeInfo.h b/src/common/policy/PrivilegeInfo.h index 515a3a6..7a6ba95 100644 --- a/src/common/policy/PrivilegeInfo.h +++ b/src/common/policy/PrivilegeInfo.h @@ -30,9 +30,10 @@ namespace AskUser { namespace PrivilegeInfo { - std::vector getPrivilegeMapping(AppInfo &appInfo, + std::vector getCorePrivilegeMapping(AppInfo &appInfo, const std::string &appId, const Privilege &privilege); + std::vector getSamePrivacyPrivilegeMapping(const Privilege &privilege); std::vector getPrivilegesPrivacies(const std::vector &corePrivileges); bool isPrivacy(const Privilege &privilege); diff --git a/src/common/policy/PrivilegePolicy.cpp b/src/common/policy/PrivilegePolicy.cpp index f000965..34576da 100644 --- a/src/common/policy/PrivilegePolicy.cpp +++ b/src/common/policy/PrivilegePolicy.cpp @@ -74,7 +74,7 @@ PrivilegePolicy::PrivilegePolicy(const std::string &appId, const Privilege &priv Policy PrivilegePolicy::calculatePolicy(AppInfo &appInfo) { std::vector corePrivileges = - PrivilegeInfo::getPrivilegeMapping(appInfo, m_appId, m_privilege); + PrivilegeInfo::getCorePrivilegeMapping(appInfo, m_appId, m_privilege); if (corePrivileges.empty()) { ALOGE("Privilege " << m_privilege << " doesn't map to any core privilege"); return "Deny"; @@ -89,17 +89,46 @@ Policy PrivilegePolicy::calculatePolicy(AppInfo &appInfo) { return "Deny"; } } - std::vector privacies = PrivilegeInfo::getPrivilegesPrivacies(corePrivileges); - if (privacies.empty()) { - ALOGE("Privilege doesn't map to any privacy"); + + std::vector allMappedPrivs; + for (auto &corePriv : corePrivileges) { + std::vector someMappedPrivs = PrivilegeInfo::getSamePrivacyPrivilegeMapping(corePriv); + allMappedPrivs.insert(allMappedPrivs.end(), someMappedPrivs.begin(), someMappedPrivs.end()); + } + + auto policies = getAppPolicy(m_appId); + std::unordered_map privilegePolicy; + + for (auto &policy : policies) { + privilegePolicy[policy.getPrivilege()] = policy.getLevel(); + } + + Policy policy = calculatePrivsPolicy(allMappedPrivs, privilegePolicy); + + if (policy.empty()) { + ALOGD("Maps to some not privacy for application " << m_privilege); return "Allow"; } - return calculatePrivaciesPolicy(privacies); + return policy; } -Policy PrivilegePolicy::calculatePrivaciesPolicy(const std::vector &privacies) { +std::vector PrivilegePolicy::calculateAskablePrivacies(AppInfo &appInfo) { + std::vector corePrivileges = + PrivilegeInfo::getCorePrivilegeMapping(appInfo, m_appId, m_privilege); + + if (corePrivileges.empty()) { + ALOGE("Privilege " << m_privilege << " doesn't map to any core privilege"); + return std::vector(); + } + + std::vector privacies = PrivilegeInfo::getPrivilegesPrivacies(corePrivileges); + if (privacies.empty()) { + ALOGE("Privilege doesn't map to any privacy"); + return std::vector(); + } + std::unordered_map> privacyPrivileges; std::unordered_map privilegePolicy; @@ -114,7 +143,7 @@ Policy PrivilegePolicy::calculatePrivaciesPolicy(const std::vector &pri privilegePolicy[policy.getPrivilege()] = policy.getLevel(); } - m_askablePrivacies.clear(); + std::vector askablePrivacies; Policy totalPolicy = "Allow"; for (auto &privacy : privacies) { Policy policy = calculatePrivsPolicy(privacyPrivileges[privacy], privilegePolicy); @@ -123,16 +152,16 @@ Policy PrivilegePolicy::calculatePrivaciesPolicy(const std::vector &pri policy = "Allow"; } if (policy == "Ask user") { - m_askablePrivacies.push_back(privacy); + askablePrivacies.push_back(privacy); } if (!updateMinimal(policy, totalPolicy)) break; } if (totalPolicy == "Deny") - m_askablePrivacies.clear(); + askablePrivacies.clear(); - return totalPolicy; + return askablePrivacies; } } diff --git a/src/common/policy/PrivilegePolicy.h b/src/common/policy/PrivilegePolicy.h index 9f64e82..b4f842d 100644 --- a/src/common/policy/PrivilegePolicy.h +++ b/src/common/policy/PrivilegePolicy.h @@ -32,15 +32,10 @@ class PrivilegePolicy { public: PrivilegePolicy(const std::string &appId, const Privilege &privilege); Policy calculatePolicy(AppInfo &appInfo); - std::vector getAskablePrivacies() const { - return m_askablePrivacies; - } + std::vector calculateAskablePrivacies(AppInfo &appInfo); private: - Policy calculatePrivaciesPolicy(const std::vector &privacies); std::string m_appId; Privilege m_privilege; - - std::vector m_askablePrivacies; }; } diff --git a/src/notification-daemon/Logic.cpp b/src/notification-daemon/Logic.cpp index 87168d5..14ac205 100644 --- a/src/notification-daemon/Logic.cpp +++ b/src/notification-daemon/Logic.cpp @@ -251,7 +251,7 @@ void Logic::popup(Protocol::ConnectionFd fd, Protocol::RequestId id, const std:: return; } - auto privacies = privPolicy.getAskablePrivacies(); + auto privacies = privPolicy.calculateAskablePrivacies(appInfo); if (privacies.empty()) { ALOGE("All privacies for privilege " << privilege << " are already allowed");