From: Rafal Krypa
Date: Tue, 10 May 2016 16:06:50 +0000 (+0200)
Subject: Require usermanagement permission for local app installation for other users
X-Git-Tag: accepted/tizen/common/20160519.191037~2
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F64%2F68964%2F2;p=platform%2Fcore%2Fsecurity%2Fsecurity-manager.git
Require usermanagement permission for local app installation for other users
When installation type is set to SM_APP_INSTALL_LOCAL, but uid in the request is different that uid of the calling user, security-manager will now require the usermanagement permission, i.e.: http://tizen.org/privilege/internal/usermanagement
The following API functions are affected:
- security_manager_app_install
- security_manager_app_uninstall
- security_manager_paths_register
Change-Id: Ic9e583e4da923ea391987fbb0cfff7f0abbbc2bb
---
diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
index 9aaafc5..a035875 100755
--- a/src/common/service_impl.cpp
+++ b/src/common/service_impl.cpp
@@ -283,11 +283,15 @@ bool ServiceImpl::authCheck(const Credentials &creds,
 const uid_t& uid,
 int installationType)
 {
- if (installationType == SM_APP_INSTALL_LOCAL && uid == creds.uid) {
+ if (installationType == SM_APP_INSTALL_LOCAL) {
 if (!authenticate(creds, Config::PRIVILEGE_APPINST_USER)) {
 LogError("Caller is not permitted to manage local applications");
 return false;
 }
+ if (uid != creds.uid && !authenticate(creds, Config::PRIVILEGE_USER_ADMIN)) {
+ LogError("Caller is not permitted to manage applications for other users");
+ return false;
+ }
 } else {
 if (!authenticate(creds, Config::PRIVILEGE_APPINST_ADMIN)) {
 LogError("Caller is not permitted to manage global applications");
diff --git a/src/include/app-manager.h b/src/include/app-manager.h
index 02207b2..0fc7085 100644
--- a/src/include/app-manager.h
+++ b/src/include/app-manager.h
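Review bot: The new denial branch in ServiceImpl::authCheck (src/common/service_impl.cpp) logs a fixed string, so a rejected cross-user request cannot be attributed to a caller or a target account from the log alone; recording both ids would help, e.g. `LogError("Caller uid " << creds.uid << " is not permitted to manage applications for uid " << uid);`, assuming LogError accepts streamed arguments. The same branch changes which privileges gate this path: a local request for another uid previously fell through to the PRIVILEGE_APPINST_ADMIN check and now needs PRIVILEGE_APPINST_USER plus PRIVILEGE_USER_ADMIN, which deserves a short comment above the outer `if` stating the three cases so the matrix is not re-derived from history. authCheck's signature starts above the hunk and its else branch continues past the last context line.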
@@ -130,6 +130,7 @@ int security_manager_app_inst_req_set_install_type(app_inst_req *p_req, const en
 * Required privileges:
 * - http://tizen.org/privilege/notexist (local installation)
 * - http://tizen.org/privilege/notexist (global installation)
+ * - http://tizen.org/privilege/internal/usermanagement (local installation for other users)
 *
 * \param[in] Pointer handling app_inst_req structure
 * \return API return code or error code: it would be
@@ -145,8 +146,9 @@ int security_manager_app_install(const app_inst_req *p_req);
 * using filled up app_inst_req data structure
 *
 * Required privileges:
- * - http://tizen.org/privilege/notexist (private uninstallation)
+ * - http://tizen.org/privilege/notexist (local uninstallation)
 * - http://tizen.org/privilege/notexist (global uninstallation)
+ * - http://tizen.org/privilege/internal/usermanagement (local uninstallation for other users)
 *
 * \param[in] Pointer handling app_inst_req structure
 * \return API return code or error code
@@ -216,8 +218,9 @@ int security_manager_path_req_set_uid(path_req *p_req, const uid_t uid);
 * filled up path_req data structure.
 *
 * Required privileges:
- * - http://tizen.org/privilege/notexist (if uid is not set or set to current user's uid)
- * - http://tizen.org/privilege/notexist (if uid is set to some other user's uid)
+ * - http://tizen.org/privilege/notexist (local installation)
+ * - http://tizen.org/privilege/notexist (global installation)
+ * - http://tizen.org/privilege/internal/usermanagement (local installation for other users)
 *
 * \param[in] p_req Pointer handling path_req structure
 *
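Review bot: The privilege line added to the doc comment of security_manager_app_install reads as a third alternative, whereas authCheck in service_impl.cpp requires it in addition to the local-installation privilege when the request uid differs from the caller's; the hunks for security_manager_app_uninstall and security_manager_paths_register carry the same wording. A clearer line would be ` * - http://tizen.org/privilege/internal/usermanagement (additionally, when a local installation targets another user's uid)`. In the security_manager_paths_register hunk the removed lines expressed the condition in terms of the request uid, which the new "(local installation)" text no longer states, so one sentence tying the list to the uid set on the path_req would keep that information. All three comment blocks start and end outside their hunks.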