From: Jaemin Ryu Date: Wed, 16 Aug 2017 02:38:13 +0000 (+0900) Subject: Add application policy X-Git-Tag: accepted/tizen/4.0/unified/20170921.074234^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F22%2F144222%2F3;p=platform%2Fcore%2Fsecurity%2Fdpm-application.git Add application policy Change-Id: Ifaebcf54703cdd072ef8c32e5a1e3bed64601be7 Signed-off-by: Jaemin Ryu --- diff --git a/CMakeLists.txt b/CMakeLists.txt new file mode 100755 index 0000000..5805a43 --- /dev/null +++ b/CMakeLists.txt @@ -0,0 +1,85 @@ +# +# Copyright (c) 2017 Samsung Electronics Co., Ltd All Rights Reserved +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +CMAKE_MINIMUM_REQUIRED(VERSION 2.8) + +PROJECT(dpm-application) + +IF(NOT DEFINED VERSION) + SET(VERSION "0.0.1") +ENDIF(NOT DEFINED VERSION) + +INCLUDE(FindPkgConfig) + +IF(NOT CMAKE_BUILD_TYPE) + SET(CMAKE_BUILD_TYPE "DEBUG") +ENDIF(NOT CMAKE_BUILD_TYPE) + +SET(DPM_API ${PROJECT_SOURCE_DIR}/api) +SET(DPM_PLUGIN ${PROJECT_SOURCE_DIR}/plugin) + +IF("${CMAKE_CXX_COMPILER_ID}" STREQUAL "GNU" AND CMAKE_CXX_COMPILER_VERSION VERSION_LESS 4.7) + SET(CXX_STD "c++0x") +else() + SET(CXX_STD "c++11") +endif() + +SET(COMPILE_BASE_FLAGS "-g -fPIC -Werror -Wall -Wl,--as-needed -Wl,--no-whole-archive") +SET(CMAKE_C_FLAGS_PROFILING "${COMPILE_BASE_FLAGS} -O0 -pg") +SET(CMAKE_CXX_FLAGS_PROFILING "${COMPILE_BASE_FLAGS} -O0 -pg -std=${CXX_STD} -fno-rtti") +SET(CMAKE_C_FLAGS_DEBUG "${COMPILE_BASE_FLAGS} -O0 -ggdb") +SET(CMAKE_CXX_FLAGS_DEBUG "${COMPILE_BASE_FLAGS} -O0 -ggdb -std=${CXX_STD} -fno-rtti") +SET(CMAKE_C_FLAGS_RELEASE "${COMPILE_BASE_FLAGS} -O2 -DNDEBUG") +SET(CMAKE_CXX_FLAGS_RELEASE "${COMPILE_BASE_FLAGS} -O2 -DNDEBUG -std=${CXX_STD} -fno-rtti") +SET(CMAKE_C_FLAGS_CCOV "${COMPILE_BASE_FLAGS} -O0 --coverage") +SET(CMAKE_CXX_FLAGS_CCOV "${COMPILE_BASE_FLAGS} -O0 --coverage -std=${CXX_STD} -fno-rtti") + +IF(NOT DEFINED LIB_INSTALL_DIR) + SET(LIB_INSTALL_DIR "${CMAKE_INSTALL_LIBDIR}") +ENDIF(NOT DEFINED LIB_INSTALL_DIR) + +IF(NOT DEFINED INCLUDE_INSTALL_DIR) + SET(INCLUDE_INSTALL_DIR "${CMAKE_INSTALL_INCLUDEDIR}") +ENDIF(NOT DEFINED INCLUDE_INSTALL_DIR) + +IF(NOT DEFINED CONF_INSTALL_DIR) + SET(CONF_INSTALL_DIR "${SYSCONF_INSTALL_DIR}/dpm") +ENDIF(NOT DEFINED CONF_INSTALL_DIR) + +IF(NOT DEFINED DATA_INSTALL_DIR) + SET(DATA_INSTALL_DIR "${CMAKE_INSTALL_PREFIX}/share/dpm") +ENDIF(NOT DEFINED DATA_INSTALL_DIR) + +IF(NOT DEFINED DB_INSTALL_DIR) + SET(DB_INSTALL_DIR "${CMAKE_INSTALL_PREFIX}/dbspace") +ENDIF(NOT DEFINED DB_INSTALL_DIR) + +IF(NOT DEFINED RUN_INSTALL_DIR) + SET(RUN_INSTALL_DIR "/var/run") +ENDIF(NOT DEFINED RUN_INSTALL_DIR) + +IF(NOT DEFINED PAMD_INSTALL_DIR) + SET(PAMD_INSTALL_DIR "${SYSCONF_INSTALL_DIR}/pam.d") +ENDIF(NOT DEFINED PAMD_INSTALL_DIR) + +IF(NOT DEFINED SYSTEMD_UNIT_INSTALL_DIR) + SET(SYSTEMD_UNIT_INSTALL_DIR "${CMAKE_INSTALL_PREFIX}/lib/systemd/system") +ENDIF(NOT DEFINED SYSTEMD_UNIT_INSTALL_DIR) + +ADD_DEFINITIONS(-DUG_WAYLAND) + +ADD_SUBDIRECTORY(${DPM_PLUGIN}) +ADD_SUBDIRECTORY(${DPM_API}) diff --git a/api/CMakeLists.txt b/api/CMakeLists.txt new file mode 100755 index 0000000..a7c6851 --- /dev/null +++ b/api/CMakeLists.txt @@ -0,0 +1,48 @@ +# +# Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +SET(TARGET ${PROJECT_NAME}) +SET(PC_FILE "${TARGET}.pc") + +SET(LIB_VERSION "${VERSION}") +SET(LIB_SOVERSION "0") + +SET(API_SOURCES "application.cpp") +SET(API_HEADERS "application.h") + +SET(DEPENDENCY klay + dpm-pil + capi-base-common + capi-system-info +) + +PKG_CHECK_MODULES(API_DEPS REQUIRED ${DEPENDENCY}) + +SET (CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,-z,noexecstack") + +ADD_LIBRARY(${TARGET} SHARED ${API_SOURCES}) + +SET_TARGET_PROPERTIES(${TARGET} PROPERTIES COMPILE_FLAGS "-fvisibility=default") +SET_TARGET_PROPERTIES(${TARGET} PROPERTIES SOVERSION ${LIB_SOVERSION}) +SET_TARGET_PROPERTIES(${TARGET} PROPERTIES VERSION ${LIB_VERSION}) + +INCLUDE_DIRECTORIES(SYSTEM ${API_DEPS_INCLUDE_DIRS}) +TARGET_LINK_LIBRARIES(${TARGET} ${API_DEPS_LIBRARIES} pthread) + +CONFIGURE_FILE(${PC_FILE}.in ${CMAKE_BINARY_DIR}/${PC_FILE} @ONLY) + +INSTALL(FILES ${CMAKE_BINARY_DIR}/${PC_FILE} DESTINATION ${LIB_INSTALL_DIR}/pkgconfig) +INSTALL(TARGETS ${TARGET} DESTINATION ${LIB_INSTALL_DIR} COMPONENT RuntimeLibraries) +INSTALL(FILES ${API_HEADERS} DESTINATION ${INCLUDE_INSTALL_DIR}/dpm) diff --git a/api/application.cpp b/api/application.cpp new file mode 100644 index 0000000..fc785a1 --- /dev/null +++ b/api/application.cpp @@ -0,0 +1,162 @@ +/* + * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#include +#include + +#include + +#include "application.h" + +EXPORT_API int dpm_application_set_mode_restriction(device_policy_manager_h handle, int mode) +{ + RET_ON_FAILURE(handle, DPM_ERROR_INVALID_PARAMETER); + RET_ON_FAILURE(mode, DPM_ERROR_INVALID_PARAMETER); + + DevicePolicyClient& client = GetDevicePolicyClient(handle); + + try { + Status status { -1 }; + status = client.methodCall("Application::setModeRestriction", mode); + return status.get(); + } catch (...) { + return -1; + } +} + +EXPORT_API int dpm_application_unset_mode_restriction(device_policy_manager_h handle, int mode) +{ + RET_ON_FAILURE(handle, DPM_ERROR_INVALID_PARAMETER); + RET_ON_FAILURE(mode, DPM_ERROR_INVALID_PARAMETER); + + DevicePolicyClient& client = GetDevicePolicyClient(handle); + + try { + Status status { -1 }; + status = client.methodCall("Application::unsetModeRestriction", mode); + return status.get(); + } catch (...) { + return -1; + } +} + +EXPORT_API int dpm_application_get_mode_restriction(device_policy_manager_h handle, int *mode) +{ + RET_ON_FAILURE(handle, DPM_ERROR_INVALID_PARAMETER); + RET_ON_FAILURE(mode, DPM_ERROR_INVALID_PARAMETER); + + DevicePolicyClient& client = GetDevicePolicyClient(handle); + + try { + Status status { 0 }; + status = client.methodCall("Application::getModeRestriction"); + if (status.get() < 0) { + return -1; + } + *mode = status.get(); + } catch (...) { + return -1; + } + + return DPM_ERROR_NONE; +} + +EXPORT_API int dpm_application_add_privilege_to_blacklist(device_policy_manager_h handle, int type, const char* privilege) +{ + RET_ON_FAILURE(handle, DPM_ERROR_INVALID_PARAMETER); + RET_ON_FAILURE(privilege, DPM_ERROR_INVALID_PARAMETER); + + DevicePolicyClient& client = GetDevicePolicyClient(handle); + + try { + Status status { -1 }; + status = client.methodCall("Application::addPrivilegeToBlacklist", type, privilege); + return status.get(); + } catch (...) { + return -1; + } +} + +EXPORT_API int dpm_application_remove_privilege_from_blacklist(device_policy_manager_h handle, int type, const char* privilege) +{ + RET_ON_FAILURE(handle, DPM_ERROR_INVALID_PARAMETER); + RET_ON_FAILURE(privilege, DPM_ERROR_INVALID_PARAMETER); + + DevicePolicyClient& client = GetDevicePolicyClient(handle); + + try { + Status status { -1 }; + status = client.methodCall("Application::removePrivilegeFromBlacklist", type, privilege); + return status.get(); + } catch (...) { + return -1; + } +} + +EXPORT_API int dpm_application_check_privilege_is_blacklisted(device_policy_manager_h handle, int type, const char* privilege, int *is_blacklisted) +{ + RET_ON_FAILURE(handle, DPM_ERROR_INVALID_PARAMETER); + RET_ON_FAILURE(privilege, DPM_ERROR_INVALID_PARAMETER); + RET_ON_FAILURE(is_blacklisted, DPM_ERROR_INVALID_PARAMETER); + + DevicePolicyClient& client = GetDevicePolicyClient(handle); + + try { + Status status { 0 }; + status = client.methodCall("Application::checkPrivilegeIsBlacklisted", type, privilege); + if (status.get() < 0) { + return -1; + } + + *is_blacklisted = status.get(); + } catch (...) { + return -1; + } + + return DPM_ERROR_NONE; +} + +EXPORT_API int dpm_application_install_package(device_policy_manager_h handle, const char* pkgpath) +{ + RET_ON_FAILURE(handle, DPM_ERROR_INVALID_PARAMETER); + RET_ON_FAILURE(pkgpath, DPM_ERROR_INVALID_PARAMETER); + + DevicePolicyClient& client = GetDevicePolicyClient(handle); + + try { + Status status { -1 }; + status = client.methodCall("Application::installPackage", pkgpath); + return status.get(); + } catch (...) { + return -1; + } +} + +EXPORT_API int dpm_application_uninstall_package(device_policy_manager_h handle, const char* pkgid) +{ + RET_ON_FAILURE(handle, DPM_ERROR_INVALID_PARAMETER); + RET_ON_FAILURE(pkgid, DPM_ERROR_INVALID_PARAMETER); + + DevicePolicyClient& client = GetDevicePolicyClient(handle); + + try { + Status status { -1 }; + status = client.methodCall("Application::uninstallPackage", pkgid); + return status.get(); + } catch (...) { + return -1; + } +} diff --git a/api/application.h b/api/application.h new file mode 100644 index 0000000..bc71b94 --- /dev/null +++ b/api/application.h @@ -0,0 +1,176 @@ +/* + * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#ifndef __CAPI_DPM_APPLICATION_POLICY_H__ +#define __CAPI_DPM_APPLICATION_POLICY_H__ + +typedef void * device_policy_manager_h; + +/** + * @file application.h + * @brief This file provides APIs to control application functionality + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * @addtogroup CAPI_DPM_APPLICATION_POLICY_MODULE + * @{ + */ + +/** + * @brief Enumeration for installation mode + * @since_tizen 3.0 + */ +typedef enum { + DPM_PACKAGE_RESTRICTION_MODE_ALL = 0x0F, /**< All package restriction mode */ + DPM_PACKAGE_RESTRICTION_MODE_INSTALL = 0x01, /**< Package install restriction */ + DPM_PACKAGE_RESTRICTION_MODE_UNINSTALL = 0x02, /**< Package uninstall restriction */ + DPM_PACKAGE_RESTRICTION_MODE_REINSTALL = 0x04, /**< Package reinstall restriction */ + DPM_PACKAGE_RESTRICTION_MODE_MOVE = 0x08 /**< Package move restriction */ +} dpm_package_restriction_mode_e; + +/** + * @brief Restricts installation / uninstallation for all packages. + * @details Administrator can use this API to restrict package installation, uninstallation, + * reinstallation or move. + * @since_tizen 3.0 + * @param[in] handle The device policy manager handle + * @param[in] mode The installation mode to be set, one of DPM_PACKAGE_INSTALLATION_MODE_ALLOW or + * DPM_PACKAGE_INSTALLATION_MODE_DISALLOW + * @return #DPM_ERROR_NONE on success, otherwise a negative value + * @retval #DPM_ERROR_NONE No error + * @retval #DPM_ERROR_TIMEOUT Time out + * @retval #DPM_ERROR_ACCESS_DENIED The application does not have + * the privilege to call this API + * @pre handle must be created by dpm_context_acquire_application_policy() + * @see dpm_application_unset_mode_restriction() + * @see dpm_application_get_mode_restriction() + */ +int dpm_application_set_mode_restriction(device_policy_manager_h handle, int mode); + +/** + * @brief Allows installation / uninstallation for all packages. + * @details If the mode is set to DPM_PACKAGE_INSTALLATION_MODE_DISALLOW, + * no application can be installed on the device. + * @since_tizen 3.0 + * @param[in] handle The device policy manager handle + * @param[in] mode The installation mode to be set, one of DPM_PACKAGE_INSTALLATION_MODE_ALLOW or + * DPM_PACKAGE_INSTALLATION_MODE_DISALLOW + * @return #DPM_ERROR_NONE on success, otherwise a negative value + * @retval #DPM_ERROR_NONE No error + * @retval #DPM_ERROR_TIMEOUT Time out + * @retval #DPM_ERROR_ACCESS_DENIED The application does not have + * the privilege to call this API + * @pre handle must be created by dpm_context_acquire_application_policy() + * @see dpm_application_set_mode_restriction() + * @see dpm_application_get_mode_restriction() + */ +int dpm_application_unset_mode_restriction(device_policy_manager_h handle, int mode); + +/** + * @brief Gets the current restriction mode for all packages. + * @details The default mode is to allow any package to be installed. + * @since_tizen 3.0 + * @param[in] handle The device policy manager handle + * @param[out] mode Current mode of operation, which is one of the following: + * #DPM_PACKAGE_INSTALLATION_MODE_ALLOW Package installation is allowed + * #DPM_PACKAGE_INSTALLATION_MODE_DISALLOW Package installation is not allowed + * @return #DPM_ERROR_NONE on success, otherwise a negative value + * @retval #DPM_ERROR_NONE Successful + * @retval #DPM_ERROR_TIMEOUT Time out + * @pre handle must be created by dpm_context_acquire_application_policy() + * @see dpm_application_set_mode_restriction() + * @see dpm_application_unset_mode_restriction() + * @see dpm_application_get_mode_restriction() + */ +int dpm_application_get_mode_restriction(device_policy_manager_h handle, int *mode); + +/** + * @brief Adds privilege to blacklist + * @details Administrator can use this API to disallow package installation + * which requires the privilege. + * @since_tizen 3.0 + * @param[in] handle The application policy handle + * @param[in] type The package type + * @param[in] privilehe The privilege name to be blacklisted + * @return #DPM_ERROR_NONE on success, otherwise a negative value + * @retval #DPM_ERROR_NONE Successful + * @retval #DPM_ERROR_TIMEOUT Time out + * @retval #DPM_ERROR_ACCESS_DENIED The application does not have + * the privilege to call this API + * @pre handle must be created by dpm_context_acquire_application_policy() + * @see dpm_context_acquire_application_policy() + * @see dpm_context_release_application_policy() + * @see dpm_application_remove_privilege_from_blacklist() + * @see dpm_application_check_privilege_is_blacklisted() + */ +int dpm_application_add_privilege_to_blacklist(device_policy_manager_h handle, int type, const char* privilege); + +/** + * @brief Removes privilege from blacklist + * @details Administrator can use this API to remove privilege from blacklist. + * @since_tizen 3.0 + * @param[in] handle The application policy handle + * @param[in] type The package type + * @param[in] privilege The privilege name which is removed from blacklist + * @return #DPM_ERROR_NONE on success, otherwise a negative value + * @retval #DPM_ERROR_NONE Successful + * @retval #DPM_ERROR_TIMEOUT Time out + * @retval #DPM_ERROR_ACCESS_DENIED The application does not have + * the privilege to call this API + * @pre handle must be created by dpm_context_acquire_application_policy() + * @see dpm_context_acquire_application_policy() + * @see dpm_context_release_application_policy() + * @see dpm_application_add_privilege_to_blacklist() + * @see dpm_application_check_privilege_is_blacklisted() + */ +int dpm_application_remove_privilege_from_blacklist(device_policy_manager_h handle, int type, const char* privilege); + +/** + * @brief Checks whether a privilege is added to blacklist + * @details Administrator can use this API to check whether the privilege is blacklisted. + * Once privilege is added to blacklist, the package which requires the privilege + * is prohibited to install on the device. + * @since_tizen 3.0 + * @param[in] handle The application policy handle + * @param[in] type The package type + * @param[in] privilege The privilege name + * @param[out] is_blacklisted TRUE if the package installation is disabled, else FALSE + * @return #DPM_ERROR_NONE on success, otherwise a negative value + * @retval #DPM_ERROR_NONE Successful + * @retval #DPM_ERROR_TIMEOUT Time out + * @pre handle must be created by dpm_context_acquire_application_policy() + * @see dpm_context_acquire_application_policy() + * @see dpm_context_release_application_policy() + * @see dpm_application_add_privilege_to_blacklist() + * @see dpm_application_remove_privilege_from_blacklist() + */ +int dpm_application_check_privilege_is_blacklisted(device_policy_manager_h handle, int type, const char* privilege, int *is_blacklisted); + +int dpm_application_install_package(device_policy_manager_h handle, const char* pkgpath); +int dpm_application_uninstall_package(device_policy_manager_h handle, const char* pkgid); +/** + * @} + */ + +#ifdef __cplusplus +} +#endif + +#endif //! __CAPI_APPLICATION_POLICY_H__ diff --git a/api/dpm-application.pc.in b/api/dpm-application.pc.in new file mode 100644 index 0000000..53a9701 --- /dev/null +++ b/api/dpm-application.pc.in @@ -0,0 +1,13 @@ +# Package Information for pkg-config + +prefix=@CMAKE_INSTALL_PREFIX@ +exec_prefix=@CMAKE_INSTALL_PREFIX@ +libdir=@LIB_INSTALL_DIR@ +includedir=@INCLUDE_INSTALL_DIR@ + +Name: Application policy module +Description: Application policy module for device policy manager +Version: @VERSION@ +Libs: -L${libdir} -ldpm-application +Cflags: -I${includedir}/dpm + diff --git a/dpm-application.manifest b/dpm-application.manifest new file mode 100644 index 0000000..a76fdba --- /dev/null +++ b/dpm-application.manifest @@ -0,0 +1,5 @@ + + + + + diff --git a/packaging/dpm-application.spec b/packaging/dpm-application.spec new file mode 100755 index 0000000..94a7537 --- /dev/null +++ b/packaging/dpm-application.spec @@ -0,0 +1,78 @@ +Name: dpm-application +Version: 1.0.1 +Release: 0 +License: Apache-2.0 +Source0: %{name}-%{version}.tar.gz +Summary: Tizen Device Policy Manager Application Policy Module +Group: Security/Other +BuildRequires: gcc +BuildRequires: cmake +BuildRequires: gettext-tools +BuildRequires: pkgconfig(klay) +BuildRequires: pkgconfig(dpm-pil) +BuildRequires: pkgconfig(security-privilege-manager) + +BuildRequires: pkgconfig(capi-system-info) +BuildRequires: pkgconfig(capi-base-common) + +%description +The dpm-application package provides a application policy module for device policy manager + +%files +%manifest dpm-application.manifest +%defattr(644,root,root,755) +%attr(755,root,root) /opt/data/dpm/plugins/application +%attr(755,root,root) %{_libdir}/libdpm-application.so.%{version} +%{_libdir}/libdpm-application.so.0 + +%prep +%setup -q + +%build +%{!?build_type:%define build_type "RELEASE"} + +%if %{build_type} == "DEBUG" || %{build_type} == "PROFILING" || %{build_type} == "CCOV" + CFLAGS="$CFLAGS -Wp,-U_FORTIFY_SOURCE" + CXXFLAGS="$CXXFLAGS -Wp,-U_FORTIFY_SOURCE" +%endif + +%cmake . -DVERSION=%{version} \ + -DCMAKE_BUILD_TYPE=%{build_type} \ + -DSCRIPT_INSTALL_DIR=%{_scriptdir} \ + -DSYSTEMD_UNIT_INSTALL_DIR=%{_unitdir} \ + -DDATA_INSTALL_DIR=%{TZ_SYS_DATA}/dpm \ + -DDB_INSTALL_DIR=%{TZ_SYS_DB} \ + -DRUN_INSTALL_DIR=%{TZ_SYS_RUN} \ + -DAPP_INSTALL_PREFIX="%{TZ_SYS_RO_APP}" \ + -DAPP_SHARE_PACKAGES_DIR="%{TZ_SYS_RO_PACKAGES}" \ + +make %{?jobs:-j%jobs} + +%install +%make_install + +%clean +rm -rf %{buildroot} + +%post + +%preun + +%postun + +## Devel Package ############################################################## +%package -n libdpm-application-devel +Summary: Libraries and header files for device policy client development +Group: Development/Libraries +Requires: device-policy-manager = %{version}-%{release} + +%description -n libdpm-application-devel +The libdpm-application-devel package includes the libraries and header files necessary for +developing the DPM client program. + +%files -n libdpm-application-devel +%manifest dpm-application.manifest +%defattr(644,root,root,755) +%{_libdir}/libdpm-application.so +%{_libdir}/pkgconfig/dpm-application.pc +%{_includedir}/dpm diff --git a/plugin/CMakeLists.txt b/plugin/CMakeLists.txt new file mode 100755 index 0000000..e6ee70f --- /dev/null +++ b/plugin/CMakeLists.txt @@ -0,0 +1,34 @@ +# +# Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +SET(TARGET "dpm-plugin-application") + +SET(PLUGIN_SOURCES "application.cpp") + +SET(DEPENDENCY klay + dpm-pil + security-privilege-manager +) + +PKG_CHECK_MODULES(PLUGIN_DEPS REQUIRED ${DEPENDENCY}) + +SET (CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,-z,noexecstack") + +ADD_LIBRARY(${TARGET} SHARED ${PLUGIN_SOURCES}) +SET_TARGET_PROPERTIES(${TARGET} PROPERTIES COMPILE_FLAGS "-fvisibility=default") +INCLUDE_DIRECTORIES(SYSTEM ${PLUGIN_DEPS_INCLUDE_DIRS}) +TARGET_LINK_LIBRARIES(${TARGET} ${PLUGIN_DEPS_LIBRARIES}) + +INSTALL(FILES libdpm-plugin-application.so RENAME application DESTINATION /opt/data/dpm/plugins) diff --git a/plugin/application.cpp b/plugin/application.cpp new file mode 100644 index 0000000..60c8417 --- /dev/null +++ b/plugin/application.cpp @@ -0,0 +1,181 @@ +/* + * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#include +#include +#include +#include + +#include +#include + +#include + +#include +#include +#include + +#include +#include + +class Application : public AbstractPolicyProvider { +public: + int getModeRestriction(); + int setModeRestriction(int mode); + int unsetModeRestriction(int mode); + + int addPrivilegeToBlacklist(int, const std::string& privilege); + int removePrivilegeFromBlacklist(int, const std::string& privilege); + int checkPrivilegeIsBlacklisted(int, const std::string& privilege); + + int installPackage(const std::string& pkgpath); + int uninstallPackage(const std::string& pkgid); +}; + +int Application::setModeRestriction(int mode) +{ + try { + PackageManager& packman = PackageManager::instance(); + packman.setModeRestriction(mode, rmi::Service::getPeerUid()); + } catch (runtime::Exception& e) { + ERROR("Failed to set mode restriction"); + return -1; + } + + return 0; +} + +int Application::unsetModeRestriction(int mode) +{ + try { + PackageManager& packman = PackageManager::instance(); + packman.unsetModeRestriction(mode, rmi::Service::getPeerUid()); + } catch (runtime::Exception& e) { + ERROR("Failed to unset mode restriction"); + return -1; + } + + return 0; +} + +int Application::getModeRestriction() +{ + try { + PackageManager& packman = PackageManager::instance(); + return packman.getModeRestriction(rmi::Service::getPeerUid()); + } catch (runtime::Exception& e) { + return -1; + } +} + +int Application::installPackage(const std::string& pkgpath) +{ + try { + PackageManager& packman = PackageManager::instance(); + packman.installPackage(pkgpath, rmi::Service::getPeerUid()); + } catch (runtime::Exception& e) { + return -1; + } + + return 0; +} + +int Application::uninstallPackage(const std::string& pkgid) +{ + try { + PackageManager& packman = PackageManager::instance(); + packman.uninstallPackage(pkgid, rmi::Service::getPeerUid()); + } catch (runtime::Exception& e) { + return -1; + } + + return 0; +} + +int Application::addPrivilegeToBlacklist(int type, const std::string& privilege) +{ + GList* privilegeList = NULL; + privilegeList = g_list_append(privilegeList, const_cast(privilege.c_str())); + + privilege_manager_package_type_e pkgType = type ? PRVMGR_PACKAGE_TYPE_CORE : PRVMGR_PACKAGE_TYPE_WRT; + int ret = privilege_manager_set_black_list(rmi::Service::getPeerUid(), pkgType, privilegeList); + g_list_free(privilegeList); + if (ret !=PRVMGR_ERR_NONE) { + return -1; + } + + return 0; +} + +int Application::removePrivilegeFromBlacklist(int type, const std::string& privilege) +{ + GList* privilegeList = NULL; + privilegeList = g_list_append(privilegeList, const_cast(privilege.c_str())); + + privilege_manager_package_type_e pkgType = type ? PRVMGR_PACKAGE_TYPE_CORE : PRVMGR_PACKAGE_TYPE_WRT; + int ret = privilege_manager_unset_black_list(rmi::Service::getPeerUid(), pkgType, privilegeList); + g_list_free(privilegeList); + if (ret != PRVMGR_ERR_NONE) { + return -1; + } + + return 0; +} + +int Application::checkPrivilegeIsBlacklisted(int type, const std::string& privilege) +{ + GList* blacklist = NULL; + + privilege_manager_package_type_e pkgType = type ? PRVMGR_PACKAGE_TYPE_CORE : PRVMGR_PACKAGE_TYPE_WRT; + int ret = privilege_info_get_black_list(rmi::Service::getPeerUid(), pkgType, &blacklist); + if (ret != PRVMGR_ERR_NONE) { + return -1; + } + + for (GList* l = blacklist; l != NULL; l = l->next) { + char *name = (char *)l->data; + if (privilege == name) { + g_list_free(blacklist); + return true; + } + } + g_list_free(blacklist); + return false; +} + +extern "C" { + +#define PRIVILEGE "http://tizen.org/privilege/dpm.application" + +AbstractPolicyProvider *PolicyFactory(PolicyControlContext& context) +{ + Application *policy = new Application(); + + context.expose(policy, "", (int)(Application::getModeRestriction)()); + context.expose(policy, "", (int)(Application::setModeRestriction)(int)); + context.expose(policy, "", (int)(Application::unsetModeRestriction)(int)); + + context.expose(policy, "", (int)(Application::addPrivilegeToBlacklist)(int, std::string)); + context.expose(policy, "", (int)(Application::removePrivilegeFromBlacklist)(int, std::string)); + context.expose(policy, "", (int)(Application::checkPrivilegeIsBlacklisted)(int, std::string)); + + context.expose(policy, "", (int)(Application::installPackage)(std::string)); + context.expose(policy, "", (int)(Application::uninstallPackage)(std::string)); + + return policy; +} + +}