From: Rafal Krypa Date: Thu, 29 Sep 2016 13:27:04 +0000 (+0200) Subject: Migrate security policy after app labeling schema changed X-Git-Tag: accepted/tizen/3.0/ivi/20161011.062352~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F76%2F90176%2F2;p=platform%2Fcore%2Fsecurity%2Fsecurity-manager.git Migrate security policy after app labeling schema changed Adapt existing security policy to patch 5b9adf81 (Change the way of app process label generation). Migrate existing policy to support package upgrade: - modify existing Cynara policy - modify existing Smack rules for applications Change-Id: I3d75afe4da2f58040657c01c44a7d57e986332d2
---
diff --git a/policy/updates/update-policy-to-v3.sh b/policy/updates/update-policy-to-v3.sh
new file mode 100755
index 0000000..55d94c2
--- /dev/null
+++ b/policy/updates/update-policy-to-v3.sh
@@ -0,0 +1,65 @@
+#!/bin/sh -e
+
+export PATH=/sbin:/usr/sbin:/bin:/usr/bin
+
+. /etc/tizen-platform.conf
+
+systemctl stop security-manager.service security-manager.socket
+
+
+label_mapping=`mktemp`
+
+### Fetch application label mapping
+sqlite3 >$label_mapping -noheader -separator ' ' $TZ_SYS_DB/.security-manager.db '
+SELECT DISTINCT
+ "User::App::" || app_name,
+ "User::Pkg::" || pkg_name || CASE WHEN is_hybrid THEN "::App::" || app_name ELSE "" END
+ FROM user_app_pkg_view'
+
+echo "Migrating policy for `sort -u $label_mapping | wc -l` application labels"
+
+### Migrate Cynara policy
+generic_buckets="PRIVACY_MANAGER ADMIN MAIN MANIFESTS"
+usertype_buckets=`ls $TZ_SYS_RO_SHARE/security-manager/policy/usertype-*profile |
+ sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\1|' |
+ tr '[:lower:]' '[:upper:]'`
+
+policy_tmp=`mktemp`
+for bucket in $generic_buckets $usertype_buckets
+do
+ [ "$bucket" = "PRIVACY_MANAGER" ] && bucket=""
+ echo "Migrating Cynara bucket '$bucket'"
+
+ cyad --list-policies=$bucket --all >$policy_tmp
+
+ cat $label_mapping |
+ while read app_label_old app_label_new
+ do
+ echo '-e s/\\b'$app_label_old'\\b/'$app_label_new'/'
+ done |
+ xargs sed -i $policy_tmp
+
+ cyad --erase=$bucket --recursive=no --client='#' --user='#' --privilege='#'
+ cyad --set-policy --bucket=$bucket --bulk=- <$policy_tmp
+done
+rm -f $policy_tmp
+
+### Migrate security-manager Smack policy
+echo "Migrating Smack policy"
+
+cd $TZ_SYS_VAR/security-manager
+smackload --clear