From: Yunjin Lee
Date: Fri, 16 Oct 2020 04:44:30 +0000 (+0900)
Subject: Add FOTA script to apply privilege mapping changes
X-Git-Tag: submit/tizen_5.5/20201020.052325^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=48fd5cc4310b0040fd3a7bb7a5effab8c565269a;p=platform%2Fcore%2Fsecurity%2Fsecurity-config.git

Add FOTA script to apply privilege mapping changes

Change-Id: I499cdb692d10caafcd66b096ee36acd6bd4689ab
Signed-off-by: Junghoon Park
---
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 33c70ff..4721fa1 100755
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -17,6 +17,7 @@ INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/security-config.conf DESTINATION /usr/l
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/90_user-content-permissions.post DESTINATION ${SYSCONF_INSTALL_DIR}/gumd/useradd.d)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/91_user-dbspace-permissions.post DESTINATION ${SYSCONF_INSTALL_DIR}/gumd/useradd.d)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/upgrade/201.security_upgrade.sh DESTINATION /usr/share/upgrade/scripts)
+INSTALL(FILES ${CMAKE_SOURCE_DIR}/upgrade/202.privilege_upgrade.sh DESTINATION /usr/share/upgrade/scripts)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/smack/onlycap DESTINATION /etc/smack)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/smack/smack_default_labeling DESTINATION /usr/share/security-config)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/smack/netlabel_config DESTINATION /etc/smack/netlabel.d)
diff --git a/packaging/security-config.spec b/packaging/security-config.spec
index 01d26e6..64c7126 100755
--- a/packaging/security-config.spec
+++ b/packaging/security-config.spec
@@ -130,6 +130,7 @@ rm -r /usr/share/security-config/mount_list/
 %attr(755,root,root) %{SECURITY_TEST_DIR}/setuid_test/*
 %attr(755,root,root) %{SECURITY_TEST_DIR}/execute_label_check_test/*
 %attr(755,root,root) /usr/share/upgrade/scripts/201.security_upgrade.sh
+%attr(755,root,root) /usr/share/upgrade/scripts/202.privilege_upgrade.sh
 %attr(755,root,root) %{_sysconfdir}/gumd/useradd.d/90_user-content-permissions.post
 %attr(755,root,root) %{_sysconfdir}/gumd/useradd.d/91_user-dbspace-permissions.post
 %attr(644,root,root) /etc/smack/netlabel.d/netlabel_config
diff --git a/upgrade/202.privilege_upgrade.sh b/upgrade/202.privilege_upgrade.sh
new file mode 100644
index 0000000..159fa3a
--- /dev/null
+++ b/upgrade/202.privilege_upgrade.sh
@@ -0,0 +1,107 @@
+#!/bin/bash
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+. /etc/tizen-platform.conf
+
+
+for package_data in `sqlite3 /opt/dbspace/.pkgmgr_parser.db "select package, type from package_privilege_info where privilege='http://tizen.org/privilege/systemsettings.admin'"`
+do
+ package=$(echo "$package_data" | cut -d '|' -f1)
+ package_type=$(echo "$package_data" | cut -d '|' -f2)
+
+ if [ "$package_type" == "wgt" ]; then
+ echo "$package is wgt app"
+ app_list=($(sqlite3 /opt/dbspace/.security-manager.db "select app_name from user_app_pkg_view where pkg_name='${package}' and is_hybrid=1;"))
+
+ if [ ${#app_list[@]} -eq 0 ]; then
+ echo "$package is pure wgt"
+
+ echo "remove systemsettings.admin"
+ cyad -e "MANIFESTS_GLOBAL" -r no -c "User::Pkg::${package}" -u "*" -p "http://tizen.org/privilege/systemsettings.admin"
+ sqlite3 /opt/dbspace/.pkgmgr_parser.db "DELETE FROM package_privilege_info WHERE package = '${package}' AND privilege = 'http://tizen.org/privilege/systemsettings.admin' AND type = 'wgt';"
+
+ #check latest first
+ if [ -f /opt/usr/globalapps/${package}/res/wgt/config.xml ]; then
+ manifest_file="/opt/usr/globalapps/${package}/res/wgt/config.xml"
+ else
+ manifest_file="/usr/apps/${package}/res/wgt/config.xml"
+ fi
+ echo "manifest_file $manifest_file"
+
+ if grep -q "http://tizen.org/privilege/filesystem.read" "$manifest_file"; then
+ echo "$package have filesystem.read"
+ cyad -s -k "MANIFESTS_GLOBAL" -c "User::Pkg::${package}" -u "*" -p "http://tizen.org/privilege/filesystem.read" -t ALLOW
+ sqlite3 /opt/dbspace/.pkgmgr_parser.db "INSERT OR IGNORE INTO package_privilege_info VALUES ('${package}', 'http://tizen.org/privilege/filesystem.read', 'wgt');"
+ fi
+ if grep -q "http://tizen.org/privilege/filesystem.write" "$manifest_file"; then
+ echo "$package have filesystem.write"
+ cyad -s -k "MANIFESTS_GLOBAL" -c "User::Pkg::${package}" -u "*" -p "http://tizen.org/privilege/filesystem.write" -t ALLOW
+ sqlite3 /opt/dbspace/.pkgmgr_parser.db 
"INSERT OR IGNORE INTO package_privilege_info VALUES ('${package}', 'http://tizen.org/privilege/filesystem.write', 'wgt');"
+ fi
+ if grep -q "http://tizen.org/privilege/setting" "$manifest_file"; then
+ echo "$package have setting"
+ cyad -s -k "MANIFESTS_GLOBAL" -c "User::Pkg::${package}" -u "*" -p "http://tizen.org/privilege/internal/buxton/systemsettings" -t ALLOW
+ sqlite3 /opt/dbspace/.pkgmgr_parser.db "INSERT OR IGNORE INTO package_privilege_info VALUES ('${package}', 'http://tizen.org/privilege/internal/buxton/systemsettings', 'wgt');"
+ fi
+ else
+ echo "$package is hybrid app"
+
+ for app in "${app_list[@]}"
+ do
+ if find /opt/usr/globalapps/${package}/ /usr/apps/${package}/ -name "config.xml" 2>/dev/null | xargs grep -q ${app}; then
+ echo "$app is web part of hybrid $package"
+
+ echo "remove systemsettings.admin from $app"
+ cyad -e "MANIFESTS_GLOBAL" -r no -c "User::Pkg::${package}::App::${app}" -u "*" -p "http://tizen.org/privilege/systemsettings.admin"
+ sqlite3 /opt/dbspace/.pkgmgr_parser.db "DELETE FROM package_privilege_info WHERE package = '${package}' AND privilege = 'http://tizen.org/privilege/systemsettings.admin' AND type = 'wgt';"
+
+ #check latest first
+ if [ -f /opt/usr/globalapps/${package}/res/wgt/config.xml ]; then
+ manifest_file="/opt/usr/globalapps/${package}/res/wgt/config.xml"
+ else
+ manifest_file="/usr/apps/${package}/res/wgt/config.xml"
+ fi
+ echo "manifest_file $manifest_file"
+
+ if grep -q "http://tizen.org/privilege/filesystem.read" "$manifest_file"; then
+ echo "$app have filesystem.read"
+ cyad -s -k "MANIFESTS_GLOBAL" -c "User::Pkg::${package}::App::${app}" -u "*" -p "http://tizen.org/privilege/filesystem.read" -t ALLOW
+ sqlite3 /opt/dbspace/.pkgmgr_parser.db "INSERT OR IGNORE INTO package_privilege_info VALUES ('${package}', 'http://tizen.org/privilege/filesystem.read', 'wgt');"
+ fi
+ if grep -q "http://tizen.org/privilege/filesystem.write" "$manifest_file"; then
+ echo "$app have filesystem.write"
+ cyad -s -k 
"MANIFESTS_GLOBAL" -c "User::Pkg::${package}::App::${app}" -u "*" -p "http://tizen.org/privilege/filesystem.write" -t ALLOW
+ sqlite3 /opt/dbspace/.pkgmgr_parser.db "INSERT OR IGNORE INTO package_privilege_info VALUES ('${package}', 'http://tizen.org/privilege/filesystem.write', 'wgt');"
+ fi
+ if grep -q "http://tizen.org/privilege/setting" "$manifest_file"; then
+ echo "$app have setting"
+ cyad -s -k "MANIFESTS_GLOBAL" -c "User::Pkg::${package}::App::${app}" -u "*" -p "http://tizen.org/privilege/internal/buxton/systemsettings" -t ALLOW
+ sqlite3 /opt/dbspace/.pkgmgr_parser.db "INSERT OR IGNORE INTO package_privilege_info VALUES ('${package}', 'http://tizen.org/privilege/internal/buxton/systemsettings', 'wgt');"
+ fi
+ fi
+ done
+ fi
+ else
+ #add cynara policy
+ echo "$package is tpk app"
+ app_list=($(sqlite3 /opt/dbspace/.security-manager.db "select app_name from user_app_pkg_view where pkg_name='${package}' and is_hybrid=1;"))
+ if [ ${#app_list[@]} -eq 0 ]; then
+ echo "$package is pure tpk app"
+ echo "add internal/buxton/systemsettings"
+ cyad -s -k "MANIFESTS_GLOBAL" -c "User::Pkg::${package}" -u "*" -p "http://tizen.org/privilege/internal/buxton/systemsettings" -t ALLOW
+ sqlite3 /opt/dbspace/.pkgmgr_parser.db "INSERT OR IGNORE INTO package_privilege_info VALUES ('${package}', 'http://tizen.org/privilege/internal/buxton/systemsettings', 'tpk');"
+ else
+ echo "$package is hybrid app"
+ for app in "${app_list[@]}"
+ do
+ if find /opt/usr/globalapps/${package}/ /usr/apps/${package}/ -name "tizen-manifest.xml" 2>/dev/null | xargs grep -q ${app}; then
+ echo "$app is native part of hybrid $package"
+ echo "add internal/buxton/systemsettings"
+ cyad -s -k "MANIFESTS_GLOBAL" -c "User::Pkg::${package}::App::${app}" -u "*" -p "http://tizen.org/privilege/internal/buxton/systemsettings" -t ALLOW
+ sqlite3 /opt/dbspace/.pkgmgr_parser.db "INSERT OR IGNORE INTO package_privilege_info VALUES ('${package}', 'http://tizen.org/privilege/internal/buxton/systemsettings', 
'tpk');"
+ fi
+ done
+ fi
+ fi
+ echo ""
+done
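Review bot: The hybrid-part detection `find ... -name "config.xml" 2>/dev/null | xargs grep -q ${app}` (and its `tizen-manifest.xml` twin in the tpk branch) is a loose substring test that decides which app gets the per-app cynara policy: `${app}` is unquoted and interpreted as a regex (and as an option if it ever begins with `-`), any occurrence of the id anywhere in the file counts, and when find matches nothing, GNU xargs without `-r` still runs grep with no file operand, so the result then depends on what stdin happens to hold. Both occurrences would be tighter as `if grep -rqF --include=config.xml -e "${app}" /opt/usr/globalapps/${package}/ /usr/apps/${package}/ 2>/dev/null; then`, which fails cleanly when neither directory exists. Likewise, `grep -q "http://tizen.org/privilege/filesystem.read" "$manifest_file"` matches the URI in any context, including a commented-out or otherwise non-privilege element, so the upgrade may grant filesystem.read/write or buxton/systemsettings that the installer's manifest parser would not have granted; confirming against the wgt parser's rule, or narrowing the pattern to the privilege element it reads (presumably `tizen:privilege`), would close that gap. Finally, `${package}` and `${app}` are spliced unescaped into the sqlite3 statements and cyad client ids; package ids are presumably validated at install time, but a guard such as `[[ "$package" =~ ^[A-Za-z0-9._-]+$ ]] || continue` right after the `cut` would keep a malformed row from breaking or widening the policy rewrite, which runs as root.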