From: Youngsoo Choi
Date: Thu, 3 Dec 2020 08:37:00 +0000 (-0800)
Subject: [WRTjs][Service] Drop thread privilege of service app
X-Git-Tag: submit/tizen_6.0/20201222.052907~5
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=adcaea761207c6fdb749992cffa5ff925ec64c61;p=platform%2Fframework%2Fweb%2Fwrtjs.git
[WRTjs][Service] Drop thread privilege of service app
This drops the privilege of service app and sets it to User::Pkg::{PKG_ID}. With this changes, the service app is under control of kernel smack rule.
Together with: https://review.tizen.org/gerrit/249088
Change-Id: Icccd23cc27842cb24f3e81afc21f8d5d013460bf
Signed-off-by: Youngsoo Choi
---
diff --git a/wrt_app/service/access_control_manager.ts b/wrt_app/service/access_control_manager.ts
index a8c2b23e..e3621a02 100644
--- a/wrt_app/service/access_control_manager.ts
+++ b/wrt_app/service/access_control_manager.ts
@@ -1,3 +1,5 @@
+import { wrt } from '../browser/wrt';
+
 const Module = require('module');
 function checkSystemInfoApiPrivilege(func: any, permissions: string[]) {
@@ -19,7 +21,8 @@ function isNetworkModule(module: string) {
 return false;
 }
-export function initialize(permissions: string[]) {
+export function initialize(packageId:string, permissions: string[]) {
+ wrt.security?.dropThreadPrivilege(packageId);
 let tizen = global.tizen;
 if (!permissions.includes("http://tizen.org/privilege/alarm")) {
 tizen.alarm.add =
@@ -136,7 +139,7 @@ export function initialize(permissions: string[]) {
 }
-export function refineResolveFilename(permissions: string[]) {
+export function refineResolveFilename(packageId: string, permissions: string[]) {
 const originalResolveFilename = Module._resolveFilename;
 Module._resolveFilename = function(...args: any[]) {
 let path = '';
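Review bot: In `initialize`, the added `wrt.security?.dropThreadPrivilege(packageId);` fails open: when `wrt.security` is undefined the optional chain evaluates to `undefined`, nothing is dropped, and the rest of initialization runs with whatever privilege the thread started with. A privilege drop should be mandatory, so I would guard it explicitly with `if (!wrt.security) throw new Error('wrt.security unavailable: cannot drop thread privilege');` and then call `wrt.security.dropThreadPrivilege(packageId);` without the `?.`. If `dropThreadPrivilege` reports failure through a return value (its definition is not visible here), that result should be checked before continuing. The body of `initialize` continues outside the hunk.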
@@ -148,9 +151,7 @@ export function refineResolveFilename(permissions: string[]) {
 } else {
 path = originalResolveFilename(...args);
 }
- const webapis = global.webapis;
- if (path.startsWith('/') &&
- !webapis.security.checkSmack(webapis.getPackageId(), path, 'r'))
+ if (path.startsWith('/') && !wrt.security?.checkSmack(packageId, path, 'r'))
 throw new Error(`Invalid access to ${path}`);
 return path;
 }
diff --git a/wrt_app/service/device_api_router.ts b/wrt_app/service/device_api_router.ts
index 99d86edd..18ec305e 100644
--- a/wrt_app/service/device_api_router.ts
+++ b/wrt_app/service/device_api_router.ts
@@ -197,12 +197,12 @@ export class DeviceAPIRouter {
 initAccessControlManager() {
 console.log(`permissions : ${this.permissions}`);
 const AccessControlManager = require('./access_control_manager');
- AccessControlManager.initialize(this.permissions);
+ AccessControlManager.initialize(this.packageId, this.permissions);
 }
 refineResolveFilename() {
 const AccessControlManager = require('./access_control_manager');
- AccessControlManager.refineResolveFilename(this.permissions);
+ AccessControlManager.refineResolveFilename(this.packageId, this.permissions);
 }
 getServiceId() {
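Review bot: The new condition `!wrt.security?.checkSmack(packageId, path, 'r')` denies every absolute path when `wrt.security` is missing, which is the safe direction, but the caller then gets `Invalid access to ${path}` for what is really an unavailable security module. A comment above the `if`, for example `// wrt.security absent => checkSmack yields undefined => deny (fail closed)`, would make that intent explicit, and a separate error for the missing module would make the failure diagnosable. The check still applies only to resolved paths that begin with '/', unchanged from before this commit. The enclosing function starts outside the hunk.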
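Review bot: `this.packageId` is forwarded unchecked into both `AccessControlManager.initialize` and `AccessControlManager.refineResolveFilename`, and per the commit message it now selects the label the thread drops to as well as the subject passed to `checkSmack`. Where `packageId` is assigned is not visible in this hunk; if it can still be empty or undefined when `initAccessControlManager()` runs, I would guard it first with `if (!this.packageId) throw new Error('packageId is not set');`. A short comment on `initAccessControlManager()` saying that it also drops the thread privilege as a side effect would help callers keep the call order right.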