From: jin-gyu.kim <jin-gyu.kim@samsung.com>
Date: Thu, 19 Jan 2017 08:00:11 +0000 (+0900)
Subject: Remove the redundant SharedRO SMACK rules.
X-Git-Tag: submit/tizen/20170330.102312~3
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=d356e5bd5348d9ce762b42a74dffb99c10f13ed2;p=platform%2Fcore%2Fsecurity%2Fsecurity-manager.git

Remove the redundant SharedRO SMACK rules.

- There was some redundant SharedRO SMACK rules.
- This change will give SharedRO rules only when pkg has shared folders.

Change-Id: Ic738c6bd49972de6a48d5ff18baa8360a92f22c0
---

diff --git a/policy/CMakeLists.txt b/policy/CMakeLists.txt
index 809ebb83..c0dbb485 100644
--- a/policy/CMakeLists.txt
+++ b/policy/CMakeLists.txt
@@ -8,6 +8,7 @@ INSTALL(FILES ${USERTYPE_POLICY_FILES} DESTINATION ${POLICY_DIR})
 INSTALL(FILES "app-rules-template.smack" DESTINATION ${POLICY_DIR})
 INSTALL(FILES "pkg-rules-template.smack" DESTINATION ${POLICY_DIR})
 INSTALL(FILES "author-rules-template.smack" DESTINATION ${POLICY_DIR})
+INSTALL(FILES "sharedro-rules-template.smack" DESTINATION ${POLICY_DIR})
 INSTALL(FILES "privilege-group.list" DESTINATION ${POLICY_DIR})
 INSTALL(PROGRAMS "update.sh" DESTINATION ${POLICY_DIR})
 INSTALL(DIRECTORY "updates" USE_SOURCE_PERMISSIONS DESTINATION ${POLICY_DIR})
diff --git a/policy/app-rules-template.smack b/policy/app-rules-template.smack
index 11385832..af530d19 100644
--- a/policy/app-rules-template.smack
+++ b/policy/app-rules-template.smack
@@ -12,5 +12,4 @@ User ~PROCESS~ rwxat
 ~PROCESS~ User::App::Shared rwxat
 ~PROCESS~ ~PATH_RW~ rwxat
 ~PROCESS~ ~PATH_RO~ rxl
-~PROCESS~ ~PATH_SHARED_RO~ rwxat
 ~PROCESS~ ~PATH_TRUSTED~ rwxat
diff --git a/policy/pkg-rules-template.smack b/policy/pkg-rules-template.smack
index 53cd4197..bf2e868b 100644
--- a/policy/pkg-rules-template.smack
+++ b/policy/pkg-rules-template.smack
@@ -1,9 +1,6 @@
 System ~PATH_RW~ rwxat
 System ~PATH_RO~ rwxat
-System ~PATH_SHARED_RO~ rwxat
 System::Privileged ~PATH_RW~ rwxat
 System::Privileged ~PATH_RO~ rwxat
-System::Privileged ~PATH_SHARED_RO~ rwxat
 User ~PATH_RW~ rwxat
 User ~PATH_RO~ rwxat
-User ~PATH_SHARED_RO~ rwxat
diff --git a/policy/sharedro-rules-template.smack b/policy/sharedro-rules-template.smack
new file mode 100644
index 00000000..62bdefb4
--- /dev/null
+++ b/policy/sharedro-rules-template.smack
@@ -0,0 +1,3 @@
+User ~PATH_SHARED_RO~ rwxat
+System ~PATH_SHARED_RO~ rwxat
+System::Privileged ~PATH_SHARED_RO~ rwxat
diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
index 31474b1d..d673ffae 100644
--- a/src/common/smack-rules.cpp
+++ b/src/common/smack-rules.cpp
@@ -55,6 +55,7 @@ const std::string SMACK_PATH_TRUSTED_LABEL_TEMPLATE  = "~PATH_TRUSTED~";
 const std::string APP_RULES_TEMPLATE_FILE_PATH = TizenPlatformConfig::makePath(TZ_SYS_RO_SHARE, "security-manager", "policy", "app-rules-template.smack");
 const std::string PKG_RULES_TEMPLATE_FILE_PATH = TizenPlatformConfig::makePath(TZ_SYS_RO_SHARE, "security-manager", "policy", "pkg-rules-template.smack");
 const std::string AUTHOR_RULES_TEMPLATE_FILE_PATH = TizenPlatformConfig::makePath(TZ_SYS_RO_SHARE, "security-manager", "policy", "author-rules-template.smack");
+const std::string SHAREDRO_RULES_TEMPLATE_FILE_PATH = TizenPlatformConfig::makePath(TZ_SYS_RO_SHARE, "security-manager", "policy", "sharedro-rules-template.smack");
 const std::string SMACK_RULES_PATH_MERGED      = LOCAL_STATE_DIR "/security-manager/rules-merged/rules.merged";
 const std::string SMACK_RULES_PATH_MERGED_T    = LOCAL_STATE_DIR "/security-manager/rules-merged/rules.merged.temp";
 const std::string SMACK_RULES_PATH             = LOCAL_STATE_DIR "/security-manager/rules";
@@ -265,18 +266,28 @@ void SmackRules::generateSharedRORules(PkgsLabels &pkgsLabels, std::vector<PkgIn
     for (size_t i = 0; i < pkgsLabels.size(); ++i) {
         for (const std::string &appLabel : pkgsLabels[i].second) {
             for (size_t j = 0; j < allPkgs.size(); ++j) {
-                // Rules for SharedRO files from own package are generated elsewhere
-                if (!allPkgs[j].sharedRO || pkgsLabels[i].first == allPkgs[j].name)
+                if (!allPkgs[j].sharedRO)
                     continue;
-
                 const std::string &pkgName = allPkgs[j].name;
-                rules.add(appLabel,
-                          SmackLabels::generatePathSharedROLabel(pkgName),
-                          SMACK_APP_CROSS_PKG_PERMS);
+                if (pkgsLabels[i].first != allPkgs[j].name)
+                    rules.add(appLabel,
+                              SmackLabels::generatePathSharedROLabel(pkgName),
+                              SMACK_APP_CROSS_PKG_PERMS);
+                else
+                    rules.add(appLabel,
+                              SmackLabels::generatePathSharedROLabel(pkgName),
+                              SMACK_APP_PATH_OWNER_PERMS);
             }
         }
     }
 
+    for (size_t j = 0; j < allPkgs.size(); ++j) {
+        if (!allPkgs[j].sharedRO)
+            continue;
+        const std::string &pkgName = allPkgs[j].name;
+        rules.addFromTemplateFile(SHAREDRO_RULES_TEMPLATE_FILE_PATH, std::string(), pkgName,-1);
+    }
+
     if (smack_check())
         rules.apply();