From: Zofia Grzelewska
Date: Wed, 28 Feb 2018 16:10:19 +0000 (+0100)
Subject: Allow application to fetch its own manifest
X-Git-Tag: accepted/tizen/unified/20180302.155607~1
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=d800b53276f73c31e9fe115c85a7cc5bb10278d6;p=platform%2Fcore%2Fsecurity%2Fsecurity-manager.git
Allow application to fetch its own manifest
security_manager_get_manifest_policy didn't allow application to fetch its own manifest in case of global application run in unprivileged user context. This is required for PPM API to work properly.
Change-Id: Ib5c72f2b3fdea170b1eb51e4d0ed4d7c31f293b9
---
diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
index de1d842..6360a86 100644
--- a/src/common/service_impl.cpp
+++ b/src/common/service_impl.cpp
@@ -2030,11 +2030,6 @@ int ServiceImpl::getAppManifestPolicy(const Credentials &creds, const std::strin
 uid_t uid, std::vector &privileges)
 {
 try {
- if (!authenticate(creds, Config::PRIVILEGE_USER_ADMIN)) {
- LogError("Request from uid=" << creds.uid << ", Smack=" << creds.label << " for checking app manifest policy denied");
- return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
- }
-
 std::string pkgName;
 m_privilegeDb.GetAppPkgName(appName, pkgName);
 
@@ -2043,8 +2038,17 @@ int ServiceImpl::getAppManifestPolicy(const Credentials &creds, const std::strin
 return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT;
 }
 
- std::string uidStr = m_privilegeDb.IsUserPkgInstalled(pkgName, uid) ? std::to_string(uid) : CYNARA_ADMIN_WILDCARD;
 std::string cynaraClient = getAppProcessLabel(appName);
+ std::string uidStr = m_privilegeDb.IsUserPkgInstalled(pkgName, uid) ? std::to_string(uid) : CYNARA_ADMIN_WILDCARD;
+
+ // Allow application to check its own manifest
+ if (((creds.label != cynaraClient)
+ || (uidStr != CYNARA_ADMIN_WILDCARD && uidStr != std::to_string(creds.uid)))
+ && !authenticate(creds, Config::PRIVILEGE_USER_ADMIN))
+ {
+ LogError("Request from uid=" << creds.uid << ", Smack=" << creds.label << " for checking app manifest policy denied");
+ return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
+ }
 
 m_cynaraAdmin.getAppPolicy(cynaraClient, uidStr, privileges);
 } catch (const CynaraException::Base &e) {
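Review bot: The privilege check now runs after the `pkgName` lookup, so a caller without PRIVILEGE_USER_ADMIN receives SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT for an unknown app name and SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED for a known one, where the removed early check answered both the same way. If that difference is not meant to be visible to unprivileged clients, the not-found branch whose tail opens this hunk should return the authentication error unless `authenticate(creds, Config::PRIVILEGE_USER_ADMIN)` succeeds. The self-access path also depends on the caller-supplied `uid`: when `IsUserPkgInstalled(pkgName, uid)` is false, the wildcard policy is returned to any caller whose label matches, which looks intended for global apps but deserves a comment saying so. The negated compound condition would be easier to audit as a named positive test, `const bool ownManifest = creds.label == cynaraClient && (uidStr == CYNARA_ADMIN_WILDCARD || uidStr == std::to_string(creds.uid));` followed by `if (!ownManifest && !authenticate(creds, Config::PRIVILEGE_USER_ADMIN))`. The function body starts and ends outside the hunk.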