From: Dariusz Michaluk Date: Tue, 14 Apr 2020 13:09:35 +0000 (+0200) Subject: Fix security-manager worker X-Git-Tag: submit/tizen_5.5/20200422.151203~4 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=dcb117a8c87c2300db0e6d69c5ed1b37c38014f7;p=platform%2Fcore%2Fsecurity%2Fsecurity-manager.git Fix security-manager worker Move worker process to main mount namespace after finishing job. Change-Id: Ic0ed8011ecc8fab04a237c6a96190f4a8cc5d266
---
diff --git a/src/common/worker.cpp b/src/common/worker.cpp
index 466f50da..70d0d4a6 100644
--- a/src/common/worker.cpp
+++ b/src/common/worker.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2017 - 2020 Samsung Electronics Co., Ltd All Rights Reserved
 *
 * Contact: Tomasz Swierczek
 *
@@ -40,29 +40,22 @@ Worker::Worker(Channel channel)
 int Worker::doWork(const NSMountLogic::EntryVector &entries)
 {
 int status = 0;
- bool inGlobalNamespace = false;
+ bool inGlobalNamespace = true;
 for (auto &entry : entries) {
 try {
- // in most cases entry.uid will not change between iterations
- auto storagePrivilegePathMap = MountNS::getPrivilegePathMap(entry.uid);
-
- if (!inGlobalNamespace && MountNS::enterMountNamespace(MountNS::MAIN_MOUNT_NAMESPACE)) {
- inGlobalNamespace = true;
- }
-
- if (!inGlobalNamespace) {
- LogError("Error entering global mount namespace. Environment of application: "
- << entry.smackLabel << " will not be setup correctly.");
- continue;
- }
-
- if (MountNS::enterMountNamespace(MountNS::getUserAppServiceMountPointPath(entry.uid, entry.smackLabel, entry.pid))) {
+ auto appNamespace = MountNS::getUserAppServiceMountPointPath(entry.uid, entry.smackLabel, entry.pid);
+ if (MountNS::enterMountNamespace(appNamespace)) {
 inGlobalNamespace = false;
 } else {
+ status = -1;
+ LogError("Error entering app mount namespace. Environment of application: "
+ << entry.smackLabel << "for user: " << entry.uid << " will not be setup correctly.");
 continue;
 }
+ // in most cases entry.uid will not change between iterations
+ auto storagePrivilegePathMap = MountNS::getPrivilegePathMap(entry.uid);
 for (auto &privStatus : entry.privilegeStatusVector) {
 auto &privName = privStatus.first;
 auto &allowed = privStatus.second;
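Review bot: The new `LogError` in the else branch concatenates `entry.smackLabel << "for user: "` with no separating space, so the label and the following text run together in the log; use `" for user: "`. The same literal appears in both `LogError` calls added in the next hunk (the `applyPrivilegePath` failure branch and the `catch (...)` block). The Smack label and uid are the identifiers an operator would search for when a namespace setup fails, so they should stay separate tokens. Separately, `getPrivilegePathMap(entry.uid)` now runs after the switch into the application's mount namespace; if it consults anything on disk, that lookup would now see the application's mount view, which is worth confirming. doWork's body continues past the end of this hunk.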
@@ -77,13 +70,22 @@ int Worker::doWork(const NSMountLogic::EntryVector &entries)
 "directory " << privilegePath.dstPath << " doesn't exist");
 continue;
 }
- if (SECURITY_MANAGER_SUCCESS != applyPrivilegePath(allowed, privilegePath))
+ if (SECURITY_MANAGER_SUCCESS != applyPrivilegePath(allowed, privilegePath)) {
 status = -1;
+ LogError("Environment of application: " << entry.smackLabel << "for user: "
+ << entry.uid << " will not be setup correctly.");
+ }
 }
 }
 } catch (...) {
 status = -1;
- LogError("Could not set up access to path for application: " << entry.smackLabel);
+ LogError("Environment of application: " << entry.smackLabel << "for user: "
+ << entry.uid << " will not be setup correctly.");
+ }
+
+ if (!inGlobalNamespace && !MountNS::enterMountNamespace(MountNS::MAIN_MOUNT_NAMESPACE)) {
+ status = -1;
+ LogError("Error entering global mount namespace.");
 }
 }
 return status;
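Review bot: When the return to `MountNS::MAIN_MOUNT_NAMESPACE` fails at the end of an iteration, the loop only logs and sets `status`, then moves on to the next entry with `inGlobalNamespace` still false, so the next `getUserAppServiceMountPointPath` / `enterMountNamespace` pair appears to run from inside the previous application's mount namespace. The removed code refused to process an entry unless the worker was back in the global namespace, and the new code has no equivalent guard. I would stop at that point, for example by adding `break;` after `LogError("Error entering global mount namespace.");`, or retry the return at the top of the loop and `continue` on failure. The `continue` in the else branch of the previous hunk also skips this block, so a pending return is not retried on that path. The function starts before this hunk and its closing brace is outside it.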