From: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
Date: Thu, 8 May 2014 19:41:49 +0000 (+0200)
Subject: Adjust security_server_app_has_privilege to Tizen 3.0 model.
X-Git-Tag: submit/tizen/20140521.102910~2
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F28%2F20528%2F7;p=platform%2Fcore%2Fsecurity%2Fsecurity-server.git

Adjust security_server_app_has_privilege to Tizen 3.0 model.

[Cause]    security_server_app_has_privilege function
           uses perm_app_has_permission.
           https://review.tizen.org/gerrit/#/c/20519/
           redefined application identifier to smack label.
[Solution] change from app_id to app_label

[Verification] compile and install security-server

Change-Id: If7f3d1b72b26117b2680ce34dd6bd980a4859949
Signed-off-by: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
---

diff --git a/packaging/security-server.spec b/packaging/security-server.spec
index 5d7a9fb..a0f15f1 100644
--- a/packaging/security-server.spec
+++ b/packaging/security-server.spec
@@ -111,7 +111,6 @@ ln -s ../security-server.service %{buildroot}/usr/lib/systemd/system/multi-user.
 ln -s ../security-server-data-share.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-data-share.socket
 ln -s ../security-server-get-gid.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-get-gid.socket
 ln -s ../security-server-privilege-by-pid.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-privilege-by-pid.socket
-ln -s ../security-server-app-permissions.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-app-permissions.socket
 ln -s ../security-server-cookie-get.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-cookie-get.socket
 ln -s ../security-server-cookie-check.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-cookie-check.socket
 ln -s ../security-server-app-privilege-by-name.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-app-privilege-by-name.socket
@@ -169,8 +168,6 @@ fi
 %attr(-,root,root) /usr/lib/systemd/system/security-server-get-gid.socket
 %attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-privilege-by-pid.socket
 %attr(-,root,root) /usr/lib/systemd/system/security-server-privilege-by-pid.socket
-%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-app-permissions.socket
-%attr(-,root,root) /usr/lib/systemd/system/security-server-app-permissions.socket
 %attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-cookie-get.socket
 %attr(-,root,root) /usr/lib/systemd/system/security-server-cookie-get.socket
 %attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-cookie-check.socket
diff --git a/src/include/security-server.h b/src/include/security-server.h
index 2114fcb..67c0273 100644
--- a/src/include/security-server.h
+++ b/src/include/security-server.h
@@ -974,7 +974,7 @@ int security_server_check_privilege_by_sockfd(int sockfd,
  * This function allows middleware to check if an app has the specified privilege
  * enabled.
  *
- * \param[in] Application ID
+ * \param[in] Application ID (smack label)
  * \param[in] Application type
  * \param[in] Privilege name
  * \param[out] Handler to store the result. It is set to 1 (true) if privilege is enabled, 0 (false) otherwise
@@ -983,7 +983,7 @@ int security_server_check_privilege_by_sockfd(int sockfd,
  *
  * Access to this function requires SMACK rule: "<app_label> security-server::api-app-privilege-by-name w"
  */
-int security_server_app_has_privilege(const char *app_id,
+int security_server_app_has_privilege(const char *app_label,
                                       app_type_t app_type,
                                       const char *privilege_name,
                                       int *result);
diff --git a/src/server/client/client-app-permissions.cpp b/src/server/client/client-app-permissions.cpp
index c1b7b9a..8c1d7b7 100644
--- a/src/server/client/client-app-permissions.cpp
+++ b/src/server/client/client-app-permissions.cpp
@@ -35,7 +35,7 @@
 #include <security-server.h>
 
 SECURITY_SERVER_API
-int security_server_app_has_privilege(const char *app_id,
+int security_server_app_has_privilege(const char *app_label,
                                       app_type_t app_type,
                                       const char *privilege_name,
                                       int *result)
@@ -46,7 +46,7 @@ int security_server_app_has_privilege(const char *app_id,
     LogDebug("security_server_app_has_privilege() called");
 
     try {
-        if ((NULL == app_id) || (strlen(app_id) == 0)) {
+        if ((NULL == app_label) || (strlen(app_label) == 0)) {
             LogError("app_id is NULL or empty");
             return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
         }
@@ -59,13 +59,13 @@ int security_server_app_has_privilege(const char *app_id,
             return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
         }
 
-        LogDebug("app_id: " << app_id);
+        LogDebug("app_label: " << app_label);
         LogDebug("app_type: " << static_cast<int>(app_type));
         LogDebug("privilege_name: " << privilege_name);
 
         //put data into buffer
         Serialization::Serialize(send, static_cast<int>(PrivilegeCheckHdrs::CHECK_GIVEN_APP));
-        Serialization::Serialize(send, std::string(app_id));
+        Serialization::Serialize(send, std::string(app_label));
         Serialization::Serialize(send, static_cast<int>(app_type));
         Serialization::Serialize(send, std::string(privilege_name));
 
diff --git a/src/server/common/protocols.cpp b/src/server/common/protocols.cpp
index 2bfb1bb..6862d4a 100644
--- a/src/server/common/protocols.cpp
+++ b/src/server/common/protocols.cpp
@@ -33,8 +33,6 @@ char const * const SERVICE_SOCKET_GET_GID =
         "/tmp/.security-server-api-get-gid.sock";
 char const * const SERVICE_SOCKET_PRIVILEGE_BY_PID =
         "/tmp/.security-server-api-privilege-by-pid.sock";
-char const * const SERVICE_SOCKET_APP_PERMISSIONS =
-    "/tmp/.security-server-api-app-permissions.sock";
 char const * const SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME =
         "/tmp/.security-server-api-app-privilege-by-name.sock";
 char const * const SERVICE_SOCKET_COOKIE_GET =
diff --git a/src/server/common/protocols.h b/src/server/common/protocols.h
index 1294d9f..9d364e3 100644
--- a/src/server/common/protocols.h
+++ b/src/server/common/protocols.h
@@ -44,7 +44,6 @@ namespace SecurityServer {
 extern char const * const SERVICE_SOCKET_SHARED_MEMORY;
 extern char const * const SERVICE_SOCKET_GET_GID;
 extern char const * const SERVICE_SOCKET_PRIVILEGE_BY_PID;
-extern char const * const SERVICE_SOCKET_APP_PERMISSIONS;
 extern char const * const SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME;
 extern char const * const SERVICE_SOCKET_COOKIE_GET;
 extern char const * const SERVICE_SOCKET_COOKIE_CHECK;
diff --git a/src/server/service/app-permissions.cpp b/src/server/service/app-permissions.cpp
index 9d63f4e..24e8c31 100644
--- a/src/server/service/app-permissions.cpp
+++ b/src/server/service/app-permissions.cpp
@@ -55,7 +55,6 @@ int privilegeToSecurityServerError(int error) {
 }
 
 // interface ids
-const SecurityServer::InterfaceID CHANGE_APP_PERMISSIONS = 0;
 const SecurityServer::InterfaceID CHECK_APP_PRIVILEGE = 1;
 
 } // namespace anonymous
@@ -64,9 +63,6 @@ namespace SecurityServer {
 
 GenericSocketService::ServiceDescriptionVector AppPermissionsService::GetServiceDescription() {
     return ServiceDescriptionVector {
-        { SERVICE_SOCKET_APP_PERMISSIONS,
-          "security-server::api-app-permissions",
-          CHANGE_APP_PERMISSIONS },
         { SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME,
           "security-server::api-app-privilege-by-name",
           CHECK_APP_PRIVILEGE }
@@ -132,7 +128,7 @@ bool AppPermissionsService::processCheckAppPrivilege(const ConnectionID &conn, M
 {
     MessageBuffer send;
     std::string privilege_name;
-    std::string app_id;
+    std::string app_label;
     int result = SECURITY_SERVER_API_ERROR_SERVER_ERROR;
     app_type_t app_type;
     bool has_permission = false;
@@ -148,8 +144,8 @@ bool AppPermissionsService::processCheckAppPrivilege(const ConnectionID &conn, M
         LogDebug("App privilege check call type: "
                  << (checkType == PrivilegeCheckHdrs::CHECK_GIVEN_APP ?
                      "CHECK_GIVEN_APP":"CHECK_CALLER_APP"));
-        if (checkType == PrivilegeCheckHdrs::CHECK_GIVEN_APP) { //app_id present only in this case
-            Deserialization::Deserialize(buffer, app_id); //get app id
+        if (checkType == PrivilegeCheckHdrs::CHECK_GIVEN_APP) { //app_label present only in this case
+            Deserialization::Deserialize(buffer, app_label); //get app_label
         }
         Deserialization::Deserialize(buffer, temp); //get app type
         app_type = static_cast<app_type_t>(temp);
@@ -161,27 +157,13 @@ bool AppPermissionsService::processCheckAppPrivilege(const ConnectionID &conn, M
         return false;
     }
 
-    if (checkType == PrivilegeCheckHdrs::CHECK_CALLER_APP) { //get sender app_id in this case
-        char *label = NULL;
-        if (smack_new_label_from_socket(conn.sock, &label) < 0) {
-            LogDebug("Error in smack_new_label_from_socket(): "
-                     "client label is unknown. Sending error response.");
-            Serialization::Serialize(send, SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED);
-            m_serviceManager->Write(conn, send.Pop());
-            return false;
-        } else {
-            app_id = label;
-            free(label);
-        }
-    } //end if
-
     //print received data
-    LogDebug("app_id: " << app_id);
+    LogDebug("app_label: " << app_label);
     LogDebug("app_type: " << static_cast<int>(app_type));
     LogDebug("privilege_name: " << privilege_name);
 
     LogDebug("Calling perm_app_has_permission()");
-    result = perm_app_has_permission(app_id.c_str(), app_type, privilege_name.c_str(), &has_permission);
+    result = perm_app_has_permission(app_label.c_str(), app_type, privilege_name.c_str(), &has_permission);
     LogDebug("perm_app_has_permission() returned: " << result << " , permission enabled: " << has_permission);
 
     //send response
diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
index 8049250..e2ebc7a 100644
--- a/systemd/CMakeLists.txt
+++ b/systemd/CMakeLists.txt
@@ -4,7 +4,6 @@ INSTALL(FILES
     ${CMAKE_SOURCE_DIR}/systemd/security-server-data-share.socket
     ${CMAKE_SOURCE_DIR}/systemd/security-server-get-gid.socket
     ${CMAKE_SOURCE_DIR}/systemd/security-server-privilege-by-pid.socket
-    ${CMAKE_SOURCE_DIR}/systemd/security-server-app-permissions.socket
     ${CMAKE_SOURCE_DIR}/systemd/security-server-cookie-get.socket
     ${CMAKE_SOURCE_DIR}/systemd/security-server-cookie-check.socket
     ${CMAKE_SOURCE_DIR}/systemd/security-server-app-privilege-by-name.socket
diff --git a/systemd/security-server-app-permissions.socket b/systemd/security-server-app-permissions.socket
deleted file mode 100644
index 7271ff2..0000000
--- a/systemd/security-server-app-permissions.socket
+++ /dev/null
@@ -1,14 +0,0 @@
-[Socket]
-ListenStream=/tmp/.security-server-api-app-permissions.sock
-SocketMode=0777
-SmackLabelIPIn=*
-SmackLabelIPOut=@
-
-Service=security-server.service
-
-[Unit]
-Wants=security-server.target
-Before=security-server.target
-
-[Install]
-WantedBy=sockets.target
diff --git a/systemd/security-server.service b/systemd/security-server.service
index 51fa5d6..6c74174 100644
--- a/systemd/security-server.service
+++ b/systemd/security-server.service
@@ -7,7 +7,6 @@ ExecStart=/usr/bin/security-server
 Sockets=security-server-data-share.socket
 Sockets=security-server-get-gid.socket
 Sockets=security-server-privilege-by-pid.socket
-Sockets=security-server-app-permissions.socket
 Sockets=security-server-app-privilege-by-name.socket
 Sockets=security-server-cookie-get.socket
 Sockets=security-server-cookie-check.socket