platform/core/security/security-manager.git
9 years agoPolicy update: server side implementation 64/32764/31
Krzysztof Sasiak [Tue, 23 Dec 2014 14:53:09 +0000 (15:53 +0100)]
Policy update: server side implementation

Change-Id: I920cc940b541c21607dd836d1f426c1f622ffbb2
Signed-off-by: Krzysztof Sasiak <k.sasiak@samsung.com>
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
9 years agoElaborating documentation and some client fixes 81/35281/8
Krzysztof Sasiak [Wed, 11 Feb 2015 10:28:03 +0000 (11:28 +0100)]
Elaborating documentation and some client fixes

Change-Id: I64101b26a185706f42b621e7c04512ace8141c76
Signed-off-by: Krzysztof Sasiak <k.sasiak@samsung.com>
9 years agoFix for API: added missing dereference operator in get_policy* functions 66/35066/4 accepted/tizen/tv/20150217.004257 submit/tizen_tv/20150216.113520
Rafal Krypa [Fri, 6 Feb 2015 16:42:01 +0000 (17:42 +0100)]
Fix for API: added missing dereference operator in get_policy* functions

policy_entry is an incomplete type, hence the need of three dereference operators

Change-Id: Ib7489e6e0f03419784af01d1a1c4c823791815f7
Signed-off-by: Krzysztof Sasiak <k.sasiak@samsung.com>
9 years agoObtain smack label from socket during getting peer id by service 13/34713/16
Jan Cybulski [Sat, 31 Jan 2015 14:29:34 +0000 (15:29 +0100)]
Obtain smack label from socket during getting peer id by service

This will be needed to validate peer application's privileges in cynara

Change-Id: Id5c2dab311d3707a9c4cccf38623496bb5111826
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
9 years agoFix build break on x86_64 introduced in commit ed455f0c98 43/35043/2
Rafal Krypa [Fri, 6 Feb 2015 11:05:19 +0000 (12:05 +0100)]
Fix build break on x86_64 introduced in commit ed455f0c98

DPL has methods for deserializing int, but not long int. Changing size_t
to plain int.

Change-Id: If4d0e6c9d73e125f82a11f9ef0535f7e1968ca0d
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
9 years agoWrapper for cynara_admin_list_policies_descriptions 10/34710/20
Michal Eljasiewicz [Mon, 26 Jan 2015 11:27:03 +0000 (12:27 +0100)]
Wrapper for cynara_admin_list_policies_descriptions

Change-Id: I6b07e4fb0b8e1395a3d867bcdecf1e79b3839772
Signed-off-by: Michal Eljasiewicz <m.eljasiewic@samsung.com>
9 years agoIgnore errors in supplementary group setup during app launch preparation 51/33451/2
Rafal Krypa [Fri, 9 Jan 2015 16:15:30 +0000 (17:15 +0100)]
Ignore errors in supplementary group setup during app launch preparation

Such errors might happen when launcher tries to launch an application that
wasn't properly setup by the installer before. This should be supported to
allow easier integration of security-manager into platform.
Ignoring these errors won't cause any privilege escalation. Actually it
might cause giving less privileges than necessary to the application.

Change-Id: Ib8ba02a28404a25c541ba6daede9f68c864583cc
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
9 years agoAdd missing rules for pkgId label 50/33450/2
Rafal Krypa [Fri, 9 Jan 2015 17:16:28 +0000 (18:16 +0100)]
Add missing rules for pkgId label

Commit 626f947e0b changed labeling scheme to be appId based and introduced
a new "~PKG~" template in the rules file. But the actual rules were not
included in the template file.

Change-Id: Idd5ababfb5b484811b75f2f764f6f7d77a77da1f
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
9 years agoBefore running client in off-line mode, attempt to socket-activate the server 69/34469/4
Rafal Krypa [Wed, 4 Feb 2015 16:58:14 +0000 (17:58 +0100)]
Before running client in off-line mode, attempt to socket-activate the server

Security-manager is started by systemd on socket-activation basis. This
means that it won't start unless a client connects to its socket. But
client library attempts to detect off-line mode by checking whether the
service is already running. This leads to erroneous off-line runs when in
fact a message should be sent over socket to activate the service.

This change adds one more step to off-line mode detection. When the service
isn't running, client will send a special NOOP message over socket.
If systemd manages to activate security-manager service, normal on-line
operation is then performed.

Change-Id: I94b1b10af24e3b90d048fe1b96b8d870da785d8b
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
9 years agoRefactor off-line mode detection in client library 59/34459/5
Rafal Krypa [Tue, 27 Jan 2015 15:28:48 +0000 (16:28 +0100)]
Refactor off-line mode detection in client library

Extract the detection into separate class for easy re-use in client library.
The detection method will get additional logic soon, so having it in one
place will be useful.

Change-Id: I561b582eb044bf8f6aa71f090d790c00b7bb3273
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
9 years agoDon't start the service on system boot, rely on socket activation 58/34458/4
Rafal Krypa [Tue, 27 Jan 2015 11:09:14 +0000 (12:09 +0100)]
Don't start the service on system boot, rely on socket activation

Security-manager doesn't need to be started immediately on system boot.
Systemd socket activation is already in place for lazy startup. Also previous
configuration wrongly started security-manager.target, which caused the
service to be launched without sockets passed from systemd.

Change-Id: I7bff7b58a4e016119e651edfefb85a2335b8b31f
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
9 years agoImplementation of client stubs for updating and fetching policy 11/34711/11
Krzysztof Sasiak [Sat, 31 Jan 2015 11:25:19 +0000 (12:25 +0100)]
Implementation of client stubs for updating and fetching policy

Change-Id: I75089fb79488a1660f2270a7140ffc00778e7b7c

9 years agoAPI stub for getting policy levels as strings 69/34769/3
Michal Eljasiewicz [Mon, 2 Feb 2015 14:52:40 +0000 (15:52 +0100)]
API stub for getting policy levels as strings

Change-Id: I140d2d05763974d0400825220e422984bf1cde55
Signed-off-by: Michal Eljasiewicz <m.eljasiewic@samsung.com>
9 years agoAdd API stub for getting policy entries 90/34690/11
Krzysztof Sasiak [Sat, 31 Jan 2015 10:11:18 +0000 (11:11 +0100)]
Add API stub for getting policy entries

Change-Id: I4eaa9642b81d6524038ec18bcfe7ad55dc61b697
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Signed-off-by: Krzysztof Sasiak <k.sasiak@samsung.com>
9 years agoAdd API stub for setting policies 09/34709/13
Jan Cybulski [Sat, 31 Jan 2015 09:38:33 +0000 (10:38 +0100)]
Add API stub for setting policies

Change-Id: I56ccafe0432c44e7f5f97abd9f1aa29ff76e4c47
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
9 years agoTerminate service if it cannot setup its sockets 57/34457/2
Rafal Krypa [Tue, 27 Jan 2015 11:06:44 +0000 (12:06 +0100)]
Terminate service if it cannot setup its sockets

Currently even if the server cannot listen on a socket it will continue
running. There is no point in that, when no client will be able to connect.

Change-Id: I74ad5a9fddee1072f7642c036a088805f53caa11
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
9 years agoChange "operation" argument type in CynaraAdminPolicy constructor 32/32632/18
Marcin Lis [Fri, 19 Dec 2014 21:51:44 +0000 (22:51 +0100)]
Change "operation" argument type in CynaraAdminPolicy constructor

This change is needed in for policy updates. We need to support wide spectrum
of results, starting from DENY (0) to ALLOW (0xFFFF). SM should not be limited
to few enum class literals.

Change-Id: I1e8d26893120309f6d6276da4bb5e146936a7e59
Signed-off-by: Marcin Lis <m.lis@samsung.com>
9 years agoDoc: correct misleading description of functions in service_impl.h 42/33642/2
Sebastian Grabowski [Tue, 13 Jan 2015 12:16:23 +0000 (13:16 +0100)]
Doc: correct misleading description of functions in service_impl.h

Change-Id: I3a870ca7bb9d8c52dc49a202290950ef4a4356ba
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
9 years agoRequire socket to be passed by systemd, don't create it on our own 56/34456/2
Rafal Krypa [Tue, 27 Jan 2015 10:58:01 +0000 (11:58 +0100)]
Require socket to be passed by systemd, don't create it on our own

Socket configuration, including path, ownership, DAC and Smack configuration
is handled by systemd socket file. There is no point in duplicating that
in the code as the service will always be run by systemd anyway.
Existing socket configuration was also wrong and different from what systemd
had.

Change-Id: I4131ecf4cd0d886aec57a932c6540f10da9785a3
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
9 years agoRemove cynara entries regarding removed user 36/34336/5
Jan Cybulski [Thu, 29 Jan 2015 14:36:09 +0000 (15:36 +0100)]
Remove cynara entries regarding removed user

Change-Id: I807f4b5ebf76b29b5a9049a9a6bbfd51056d6697
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
9 years agoAdd EmptyBucket convenience method to CynaraAdmin class. 97/31297/25
Krzysztof Sasiak [Fri, 19 Dec 2014 14:37:33 +0000 (15:37 +0100)]
Add EmptyBucket convenience method to CynaraAdmin class.

Change-Id: Ia050336fb69d669488601a18211775b9136d8070
Signed-off-by: Krzysztof Sasiak <k.sasiak@samsung.com>
9 years agoAdd wrapper in CynaraAdmin for Cynara listing policies. 53/31853/31
Michal Eljasiewicz [Thu, 11 Dec 2014 07:47:43 +0000 (08:47 +0100)]
Add wrapper in CynaraAdmin for Cynara listing policies.

Change-Id: I7f8a81e6479a26446b91ac745b7b5df28ab78675
Signed-off-by: Michal Eljasiewicz <m.eljasiewic@samsung.com>
9 years agoChange security-manager-command exception schema 47/34147/4
Jan Cybulski [Fri, 23 Jan 2015 12:02:57 +0000 (13:02 +0100)]
Change security-manager-command exception schema

Stop using try-catch template from DPL.
There is no need to make a coredump everytime an unexpected exception is thrown.
Use only one try-catch block for all exceptions thrown during parsing options.

Change-Id: I4faa2ad5ff7aa66c61c8830c7e1a43d03e7d9e8e
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
9 years agofix: unbreak --install option caused by wrong --manage-users parameter 31/34331/1
Jan Cybulski [Fri, 23 Jan 2015 11:22:23 +0000 (12:22 +0100)]
fix: unbreak --install option caused by wrong --manage-users parameter

--manage-users option is not required.

Change-Id: I523a11ddc0e4925059b7759c009d8f9c129f3ae9
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
9 years agoAdd default policy for user when creating it. 90/32690/15
Michal Eljasiewicz [Mon, 22 Dec 2014 13:33:13 +0000 (14:33 +0100)]
Add default policy for user when creating it.

Change-Id: Ifc2896aa413ec7c003136a5886f7aad84c0c8f00
Signed-off-by: Michal Eljasiewicz <m.eljasiewic@samsung.com>
9 years agoFix assertion about not clearing DataCommands objects 63/32763/2
Sebastian Grabowski [Tue, 23 Dec 2014 14:39:17 +0000 (15:39 +0100)]
Fix assertion about not clearing DataCommands objects

The following assertion occurs during exiting security-manager
when any command was executed on security-manager db:
"Condition: m_dataCommandsCount == 0 All stored procedures must be
deleted before disconnecting SqlConnection"
It was caused by not clearing list of DataCommands before destroying db
SqlConnection.

Change-Id: If2151dfc38df23ce9af00a47ac0d7939c13adaa1
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
9 years agoAdd app permissions to MANIFESTS bucket instead of default. 91/33091/8
Michal Eljasiewicz [Mon, 5 Jan 2015 14:17:20 +0000 (15:17 +0100)]
Add app permissions to MANIFESTS bucket instead of default.

Change-Id: Ic19078c83c7075717c3d6b3c10c8883944519e5f
Signed-off-by: Michal Eljasiewicz <m.eljasiewic@samsung.com>
9 years agoAdd tool for initialization of Cynara policy structure 02/34002/5
Rafal Krypa [Thu, 22 Jan 2015 10:28:49 +0000 (11:28 +0100)]
Add tool for initialization of Cynara policy structure

Program security-manager-policy-reload will (re)initialize Cynara buckets
structure and static bucket contents for user types.
Run this program from %post script of security-manager-policy to initialize
Cynara policy during installation.

Change-Id: Ibe78b9d969ff91dcf96b4805fff5884ddb3157f6

9 years agoPackaging: Use "_datadir" rpm macro instead of hardcoded paths 87/32387/2
Marcin Lis [Wed, 17 Dec 2014 14:31:12 +0000 (15:31 +0100)]
Packaging: Use "_datadir" rpm macro instead of hardcoded paths

Change-Id: I18c7039f0fbae06fd3f796088553d02b558c766e
Signed-off-by: Marcin Lis <m.lis@samsung.com>
9 years agoDefine Cynara buckets inside CynaraAdmin class 91/32591/19
Michal Eljasiewicz [Fri, 19 Dec 2014 08:54:49 +0000 (09:54 +0100)]
Define Cynara buckets inside CynaraAdmin class

Change-Id: I4380aa94f04c728ab4467264db5d1c12e0aaff60
Signed-off-by: Michal Eljasiewicz <m.eljasiewic@samsung.com>
9 years agoConvert static method CynaraAdmin::SetPolicies back to normal 60/34060/1
Rafal Krypa [Tue, 20 Jan 2015 18:46:33 +0000 (19:46 +0100)]
Convert static method CynaraAdmin::SetPolicies back to normal

Now that CynaraAdmin is a singleton class, it's methods should be called
from the singleton instance.

Change-Id: I9db11c516d2c92cb5994ebb9605d0d5f1789cead
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
9 years agoAdd offline mode to security_manager_user_add 60/32360/7
Jan Cybulski [Wed, 17 Dec 2014 08:53:19 +0000 (09:53 +0100)]
Add offline mode to security_manager_user_add

There must be an offline mode for registering user
for sake of adding users during image creation time.

Change-Id: I295a207c52cfb34fc1464cd1a1214118c1eb3dd7
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
9 years agoRegister gumd hook for adding and removing user 60/32760/7
Jan Cybulski [Tue, 20 Jan 2015 08:14:13 +0000 (09:14 +0100)]
Register gumd hook for adding and removing user

Change-Id: If0f68053e16faa5d16c62dcfa5aa6bd606d1b9ca
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
9 years agoAdd cmd tool option for user management in security manager 05/32205/10
Jan Cybulski [Mon, 29 Dec 2014 10:57:47 +0000 (11:57 +0100)]
Add cmd tool option for user management in security manager

Change-Id: I88170be340ea095ea9f76b74b4fc02af021bd29f
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
9 years agoImproved rules within user directories 16/33316/3
José Bollo [Thu, 8 Jan 2015 09:33:52 +0000 (10:33 +0100)]
Improved rules within user directories

Applying proposal of Rafal Krypa made during F2F meeting of
september 2014 in Vannes.

Change-Id: I1e40e5bff16c024c4d93d2abcf508c815a237234
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
9 years agoChange smack labeling to be appId based. 89/30889/26
Roman, Kubiak [Wed, 26 Nov 2014 12:43:15 +0000 (04:43 -0800)]
Change smack labeling to be appId based.

* Generation of rules for all applications in a package so
  that they can share resources

* Smack labels are now appId based (appId refers to app_name
  in the database)

Change-Id: I464ca4b1a4558a0579b9da69b5b599d07340a60d

9 years agoExtract BaseService from Service class 59/30959/4
Lukasz Kostyra [Wed, 26 Nov 2014 09:49:33 +0000 (10:49 +0100)]
Extract BaseService from Service class

BaseService will be a base class for SM services, eg. a master service coming
up in next patches.

[Verification]  Build, install, run tests.

Change-Id: Ie55d1b22c8887ee605e16b86adee75cfffdbe147

9 years agoFix includes in cynara. 28/31828/2
Sebastian Grabowski [Wed, 10 Dec 2014 16:18:35 +0000 (17:18 +0100)]
Fix includes in cynara.

Inlcuding <vector> is required in cynara header file. Otherwise, when
including cynara.h in other parts of code there may be a need for
additional vector include.

Change-Id: I1f251daa4f825d6072b720244d040c3bab174359
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
9 years agoAdd security-manager policy for user types 56/30956/5
Krzysztof Sasiak [Thu, 27 Nov 2014 10:02:44 +0000 (11:02 +0100)]
Add security-manager policy for user types

Change-Id: I1c5ea026fe3b69ec0d2ba1338ded1033ad5db6b2

9 years agoImplementation of API for user management 19/30719/13
Jan Cybulski [Thu, 27 Nov 2014 07:28:53 +0000 (08:28 +0100)]
Implementation of API for user management

Change-Id: Ib2cb08e1c466bc93775f8efe32dccd118ef095ad
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
9 years agoAdd API for user management 79/30579/13
Jan Cybulski [Wed, 10 Dec 2014 06:58:03 +0000 (07:58 +0100)]
Add API for user management

Change-Id: I429dfa82b7cb669713b357ebe50d0b599ad8ebed
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
9 years agoPrivilegeDb: introduce convenient private method for fetching prepared query 05/31705/5
Rafal Krypa [Tue, 9 Dec 2014 12:29:08 +0000 (13:29 +0100)]
PrivilegeDb: introduce convenient private method for fetching prepared query

Create an internal method for repeating code pattern fetching the prepared
query from internal data structure and resetting it before use.

Change-Id: I346e5a0790d869632181737b52d6d5ba78da79c3
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
9 years agoFix minor errors in code. 77/31777/2
Bartlomiej Grzelewski [Wed, 9 Jul 2014 12:59:56 +0000 (14:59 +0200)]
Fix minor errors in code.

* m_maxDesc was used without initialization.
* client-common module passed wrong value to poll if
  connect returns EINPROGRESS (was POLLIN, should be  POLLOUT)

Change backported from security-server repository.

Change-Id: I4df6d67ff2214bd0ad857744a2c82bff5e7be299
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
9 years agoServer code no longer needs to include cynara and privilege-db headers 97/31697/1
Rafal Krypa [Mon, 8 Dec 2014 14:39:54 +0000 (15:39 +0100)]
Server code no longer needs to include cynara and privilege-db headers

Dependant code has been recently moved to common library.

Change-Id: I5ae4a6a3ed43e00f5cf0e301ee33107844d36664
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
9 years agoMove database schema into a more convenient location 97/31497/2
Rafal Krypa [Mon, 8 Dec 2014 14:30:07 +0000 (15:30 +0100)]
Move database schema into a more convenient location

Change-Id: I7444211fd43be873d62c423ccd32fac65e40773e
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
9 years agoFix: disallow installing apps with the same id in different packages 37/31337/2
Jan Cybulski [Wed, 3 Dec 2014 11:18:04 +0000 (12:18 +0100)]
Fix: disallow installing apps with the same id in different packages

Change-Id: I04fca4edcd265e2853a9ce146e6dcc95d1f92dc9
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
9 years agoPrepare database queries during PrivilegeDb singleton init 65/30965/4
Marcin Lis [Thu, 27 Nov 2014 13:06:08 +0000 (14:06 +0100)]
Prepare database queries during PrivilegeDb singleton init

Avoid too many sqlite3_prepare_v2 calls, which take many cpu cycles to complete.
SQLite statements may be prepared once when DB object is created.

Change-Id: I99e4fd3fea63fd61396c9f7b2c3b13539f312d48
Signed-off-by: Marcin Lis <m.lis@samsung.com>
9 years agoAdded security_manager_strerror function. 25/31125/2
Sebastian Grabowski [Mon, 1 Dec 2014 15:26:56 +0000 (16:26 +0100)]
Added security_manager_strerror function.

This function translates lib_retcode(s) to a string describing given
error that occured in security-manager.

Change-Id: Ied57ff8c27a972123b28714ebc25efe143c6d64c
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
9 years agoAdded security-manager-cmd application. 39/29739/14
Sebastian Grabowski [Mon, 27 Oct 2014 13:22:02 +0000 (14:22 +0100)]
Added security-manager-cmd application.

The purpose of this application is to have an offline tool that will do
some commands in offline mode i.e.: when security-manager service cannot
be run.
For now, only install command is supported which should be the
equivalent of security_manager_app_install function.

Change-Id: Ia9ef60b1a335650fea90c02e5fdd76ac48030f84
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
9 years agoDatabase access function obtaining apps of a certain user 81/28381/9
Jan Cybulski [Mon, 24 Nov 2014 14:44:18 +0000 (15:44 +0100)]
Database access function obtaining apps of a certain user

This will be used during user removal in security-manager.

Change-Id: I524c9bf2da936054b7c1b597d7e4eaf879872912
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
9 years agoAdded support for offline applications installations mode 87/29887/11
Sebastian Grabowski [Wed, 5 Nov 2014 11:27:23 +0000 (12:27 +0100)]
Added support for offline applications installations mode

Added support for offline mode in AppInstall function.
Moreover, security_manager_app_install will now check if it can get
a file lock on /run/lock/security-manager.lock. If it can it will do
installation request in offline mode. Otherwise, it will send
installation request to security-manager service.

Change-Id: Ie8b8f98b1fa0d3021ae76ee7aa4e7416e3ed73b9
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
9 years agoTypo fixes in installRequestAuthCheck 63/30963/1
Sebastian Grabowski [Thu, 27 Nov 2014 15:15:23 +0000 (16:15 +0100)]
Typo fixes in installRequestAuthCheck

Changed 'paramter' to 'parameter' in installRequestAuthCheck function.

Change-Id: Iba5e3f6c3388c9faea8a326b7bf8e1b4ba48b0fa
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
9 years agoSplit service implementation logic away from the Service class 89/30589/4
Rafal Krypa [Fri, 21 Nov 2014 10:55:07 +0000 (11:55 +0100)]
Split service implementation logic away from the Service class

The code implementing logic of Service methods is now available as separate
functions. They will be available to both Service class and to the upcoming
offline client implementation.

Change-Id: Ib86af8c0f28dd7a1333e67ad0f2a4c968ff181cf
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
9 years agoConvert Cynara, CynaraAdmin and PrivilegeDb classes into singletons 88/30588/2
Rafal Krypa [Thu, 20 Nov 2014 23:45:05 +0000 (00:45 +0100)]
Convert Cynara, CynaraAdmin and PrivilegeDb classes into singletons

These classes are now used by the Service class to perform operations
requested by clients. But they will be also needed by offline client
implementation. Having them as private members of the Service class is no
longer feasible.
To keep their usage simple and available to the client as well, they are
now used as singletons.

Change-Id: I900a368ea14fbe61179c712b6e891f213ca61c5e
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
9 years agoUse file lock in security-manager 85/29885/6
Sebastian Grabowski [Wed, 5 Nov 2014 11:34:18 +0000 (12:34 +0100)]
Use file lock in security-manager

This change makes that security-manager checks this file lock:
/run/lock/security-manager.lock.

Change-Id: If7032089fb70eda80b0d89b649678a5af7061bf4
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
9 years agoAdded FileLocker class 38/29738/6
Sebastian Grabowski [Mon, 27 Oct 2014 11:16:24 +0000 (12:16 +0100)]
Added FileLocker class

Initial version of file locking class for use in upcoming offline mode.

Change-Id: I4acd73ba56d09393bd138da94559b2be18e2cc3b
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
9 years agoAdded security_manager_app_inst_req_set_uid function 14/29414/8
Sebastian Grabowski [Mon, 27 Oct 2014 10:55:33 +0000 (11:55 +0100)]
Added security_manager_app_inst_req_set_uid function

Added uid field to app_inst_req structure.

Change-Id: Ida0204549bb4818bcd401b5d62c7e13f7dbc04b2
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
9 years agoRelease version 0.2.0 24/27624/4 tizen_3.0.2014.q4_common tizen_3.0_ivi accepted/tizen/common/20141121.095621 accepted/tizen/ivi/20141202.020851 accepted/tizen/mobile/20141217.032701 accepted/tizen/tv/20150223.112019 submit/tizen/20141118.171019 submit/tizen_common/20141119.161253 submit/tizen_ivi/20141201.045232 submit/tizen_mobile/20141217.022739 submit/tizen_tv/20150223.105757 tizen_3.0_ivi_release
Rafal Krypa [Tue, 18 Nov 2014 16:58:08 +0000 (17:58 +0100)]
Release version 0.2.0

Also fill the changelog for two previous releases.

Change-Id: I590dfd6bc302b26a0aaf2afa8b6fd1addae8194d
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
9 years agoFix checking for privileges during obtaining group 76/29476/11
Jan Cybulski [Tue, 18 Nov 2014 08:29:13 +0000 (09:29 +0100)]
Fix checking for privileges during obtaining group

Privileges of apps installed for all users also needs to be taken into account.

Change-Id: I1d31a27dc0b718f46b26d654c518d8071bbe4cfb
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
9 years agoSanitize handling of global application user. 00/29700/8
Jan Cybulski [Tue, 18 Nov 2014 08:16:51 +0000 (09:16 +0100)]
Sanitize handling of global application user.

Remove inconsistency with treating both root and tizenglobalapp as global
users. For both cases uid of user TZ_SYS_GLOBALAPP_USER will be saved
in the data base to distinguish globally installed applications.
The whole code for handling global user was refactored by the way.

Change-Id: I5764e1f9675ebf3bb9091ede4fef724d053fed8d
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
10 years agoMove some modules to common library 13/29413/5
Sebastian Grabowski [Mon, 27 Oct 2014 09:47:05 +0000 (10:47 +0100)]
Move some modules to common library

There are modules for handling smack, cynara, privilege db that were
grouped in server code. However, there are upcoming changes (for offline
mode) that will require these modules to be used also i.e. by client
code. Thus it would be better to have these modules in common library.

Change-Id: Ifddd037a159dc142077290c09b7e05da98ce46e5
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
10 years agoDon't remove "User" Smack rules on application uninstall 81/29481/5
Janusz Kozerski [Mon, 27 Oct 2014 14:19:56 +0000 (15:19 +0100)]
Don't remove "User" Smack rules on application uninstall

Temporary fix.
After app uninstall and remove app rules, all rules from
files in accesses.d directory are re-loaded.

Change-Id: I7786a356108d17ed948abbc615f22286b251c0b3
Signed-off-by: Janusz Kozerski <j.kozerski@gmail.com>
10 years agoUse group names instead of group ids (gid) 62/28662/7
Krzysztof Sasiak [Mon, 13 Oct 2014 14:55:00 +0000 (16:55 +0200)]
Use group names instead of group ids (gid)

Database will now contain group names instead of group ids.

Change-Id: I67dc5cf9e853b9b1ca56eeea1c006ce194f1530d

10 years agoRemoval of xattr "security.TIZEN_EXEC_LABEL" 41/27041/7
José Bollo [Wed, 3 Sep 2014 11:26:58 +0000 (13:26 +0200)]
Removal of xattr "security.TIZEN_EXEC_LABEL"

This attribute is a duplication of the SMACKEXEC
mechanism for the links. This duplication is
complicating the security mechanisms that have
to remain simple to be applied and supported
efficiently. The SMACKEXEC mechanism is the only
required mechanism. For the other uses, the function
security_manager_set_process_label_from_appid is
enough.

Change-Id: Ic831547a318942af5603a3609b87f52577109479
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
10 years agoIntroduce convenience function for setting application security. 77/27977/5
Rafal Krypa [Tue, 23 Sep 2014 18:08:36 +0000 (20:08 +0200)]
Introduce convenience function for setting application security.

There are already three security-manager functions that a launcher should
call before launching the application. In the common case they will just
be called in sequence.
Provide an API function that handles all aspects for application process
preparation: set the Smack label, set additional groups and drop
capabilities.

Change-Id: I5c8346c5f834f8a4fb106169866de42578265da8
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
10 years agoWhen setting process Smack label, fix labels of socket file descriptors 49/27849/4
Rafal Krypa [Fri, 19 Sep 2014 17:36:14 +0000 (19:36 +0200)]
When setting process Smack label, fix labels of socket file descriptors

File descriptors for sockets get Smack labels when sockets are created.
But if Smack labels is changed for a process with open socket descriptors,
those descriptors keep the old Smack label. This should not happen during
application launch, because launched application could be identified as
a non-app user process.
To avoid this, all open file descriptors which happen to be sockets will
be relabeled inside security_manager_set_process_label_* functions.

Change-Id: I209a7a15edef7a2c20a9a4a00806a5d3876fb9e0
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
10 years agoProvide a function for launchers for dropping process capabilities 48/27848/4
Rafal Krypa [Tue, 23 Sep 2014 18:08:16 +0000 (20:08 +0200)]
Provide a function for launchers for dropping process capabilities

The functions for launchers, manipulating process Smack label and groups,
require elevated privileges. Since they will be called by launcher after
fork, in the process for the application, privileges should be dropped
before running an actual application.
This patch introduces a convenience function for launchers for dropping
capabilities from a process: security_manager_drop_process_privileges.

Change-Id: Iff06554bdcf2d51d0163e4dcb83ea9b976896740
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
10 years agoImprovement of tagging directories. 85/26985/7
José Bollo [Tue, 2 Sep 2014 13:11:55 +0000 (15:11 +0200)]
Improvement of tagging directories.

The directories are visited two times: in pre-order
and post-order. Here to avoid tagging at both times
we choose to simply tag in post-order (that is for
simplicity of the code.

Change-Id: I866481471d433036ca371035c74e583b3a9dcfda
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
10 years agoAdjust libcynara-admin error codes 93/28793/2
Lukasz Wojciechowski [Thu, 16 Oct 2014 08:04:15 +0000 (10:04 +0200)]
Adjust libcynara-admin error codes

Cynara integrates error codes in all libraries.
Release 0.4.0 uses new unified error codes.
Old error codes are removed.

This patch changes old error codes into new ones.
Please do not merge this patch until 0.4.0 is released
or patch "35771f4 Use client error codes in admin libraries"
in cynara repository is merged.

Change-Id: I354bd4a4c3a9adea9308efb8ed6f9025d26f92f1

10 years agoResolving global application user 15/27615/3
José Bollo [Tue, 16 Sep 2014 14:44:19 +0000 (16:44 +0200)]
Resolving global application user

The global applications are set using the system
user 'tizenglobalapp'. In fact this name is set in
the tizen configuration variable TZ_SYS_GLOBALAPPUSER
and its uid should be retrieved using tzplatform_getuid.

Change-Id: I01635d1f65add0159b8d73fef60b76d03798fe52
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
10 years agoFix a build error in 64 bits 83/26983/5
José Bollo [Tue, 2 Sep 2014 14:44:49 +0000 (16:44 +0200)]
Fix a build error in 64 bits

In 64bits archs, size_t is 64bits while int is 32 bits.
In fact, the type used for length on the sierialiser is int.

Change-Id: I6aa2ee89cd909dcebbf8c5436d586569f5f3875d
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
10 years agoRemove obsolete code from security-manager-util 29/27529/1
Rafal Krypa [Mon, 15 Sep 2014 11:30:59 +0000 (13:30 +0200)]
Remove obsolete code from security-manager-util

Legacy code inherited from security-server.

Change-Id: I432b46cca9f60879fe9ff9bed811705c8191001b
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
10 years agoAdd missing include and link dependencies in cmakes 16/27516/2
Rafal Krypa [Fri, 12 Sep 2014 16:34:04 +0000 (18:34 +0200)]
Add missing include and link dependencies in cmakes

Change-Id: Ie9095e602134af962ecc231070fbc6f2a86e1ea0
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
10 years agoCompletely remove dlog remainings 58/27458/3
Rafal Krypa [Mon, 8 Sep 2014 14:04:18 +0000 (16:04 +0200)]
Completely remove dlog remainings

Security-manager uses systemd for logging for some time already, this
code is no longer needed.

Change-Id: I9f099c00422ffeed23f65d8350bf7d8957cc00af
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
10 years agoImplement client API for launcher adding process to supplementary groups 25/26925/9
Rafal Krypa [Fri, 12 Sep 2014 10:25:56 +0000 (12:25 +0200)]
Implement client API for launcher adding process to supplementary groups

In Tizen some sensitive resources are being accessed by applications
directly. The resources, being file system objects, are owned by
dedicated GIDs and only processes in those UNIX groups can access them.
This function should be used by application launcher for adding
application process to all permitted groups that are assigned to such
privileges.

Change-Id: I608d84e77869378b28c4130443323143b71380c4
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
10 years agoImplement fetching group ids assigned to a privilege from data base 24/26924/5
Rafal Krypa [Fri, 29 Aug 2014 18:27:24 +0000 (20:27 +0200)]
Implement fetching group ids assigned to a privilege from data base

Change-Id: I439a710cc203c201426c48866c4ab1d88798dcc7
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
10 years agoImplement checking policies with Cynara 23/26923/4
Rafal Krypa [Tue, 2 Sep 2014 09:45:51 +0000 (11:45 +0200)]
Implement checking policies with Cynara

Support calling libcynara-client to check for applications permissions.

Change-Id: Icb44dc9a24f0ef519863075203b3be8eb0b07c2c
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
10 years agoFix Cynara policy setting, use Smack label as app identifier 63/26963/2
Rafal Krypa [Tue, 2 Sep 2014 09:29:00 +0000 (11:29 +0200)]
Fix Cynara policy setting, use Smack label as app identifier

In Tizen Cynara policies should use application Smack label as application
identifier. Services using Cynara will be based on that assumption.
Previously security-manager incorrectly used pkgId as app identifier.

Change-Id: I31f59e3c6a037cc3730936963b10a1e7bcb008e0
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
10 years agoRefactoring: there will be only one service 22/26922/1
Rafal Krypa [Fri, 29 Aug 2014 16:34:49 +0000 (18:34 +0200)]
Refactoring: there will be only one service

Security-manager started with installer service implementation. It was
created in a way supporting future creation of other services, working
in separate threads and listening on separate sockets. Such design is
however not planned for this project. The installer service recently
began to implement methods not related to installation, which begged for
some refactoring.
Hereby the installer service is renamed as just "service". There will be
a single socket and single service for all security-manager functions.

Change-Id: I40e939ded1b0e20c4e92c86738fb62ea4acd4a50
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
10 years agoFix checking whether application path is inside user's home directory. 80/26680/1
Rafal Krypa [Wed, 27 Aug 2014 16:11:53 +0000 (18:11 +0200)]
Fix checking whether application path is inside user's home directory.

Internal function installRequestAuthCheck() making this check contained
few bugs. It didn't canonicalize the home directory. It simply checked
for substring instead of subdirectory ("/home/useruser" shouldn't be
considered as subdirectory of "/home/user"). It relied on PATH_MAX for
realpath() calls, which is broken by design according to function manual.
All of the above issues are now corrected.

Change-Id: I446c50e642b38ecbd1b4997ec5e6f7c9b5032291
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
10 years agoDrop libprivilege-control 56/25656/1
Jan Cybulski [Thu, 7 Aug 2014 13:32:45 +0000 (15:32 +0200)]
Drop libprivilege-control

Change-Id: Ifff71e53ad15d644d50b978bcb979bb492c09f92
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
10 years agoChanged CYNARA_ADMIN_WILDCARD to proper uid string. 53/24953/3
Sebastian Grabowski [Thu, 24 Jul 2014 10:14:26 +0000 (12:14 +0200)]
Changed CYNARA_ADMIN_WILDCARD to proper uid string.

Change-Id: Ic4e9b4d26c3c41a983a4db61bbd557c84ff7c542
Signed-off-by: Sebastian Grabowski <s.grabowski@samsung.com>
10 years agoSet Cynara policies during application installation and uninstallation 16/24416/9
Rafal Krypa [Sun, 13 Jul 2014 22:21:26 +0000 (00:21 +0200)]
Set Cynara policies during application installation and uninstallation

Applied policies will have a wildcard in "user" field. Security-manager
will handle app installation per user soon, so this will also be changed.

Change-Id: I41606fb94b7385426debbcf47a57ba1593dbfc5a
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
10 years agoProvide move constructor instead of copy constructor for CynaraAdminPolicy 95/25295/1
Rafal Krypa [Fri, 1 Aug 2014 12:13:41 +0000 (14:13 +0200)]
Provide move constructor instead of copy constructor for CynaraAdminPolicy

The class stores pointers and owns the memory they point to.  Memory is
allocated in constructor and freed in destructor. But copying these
pointers between objects causes double free in destructor. The poiners
should not be copied, only moved.
Now CynaraAdminPolicy will provide custom move constructor. It will be
used by default, since default copy constructor is now deleted.

Change-Id: If6c49184318c54574caff8af74b336dd1c8ddd2f
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
10 years agoChange pthread flag settings in CMake to a more generic construct 94/25294/1
Rafal Krypa [Fri, 1 Aug 2014 12:17:38 +0000 (14:17 +0200)]
Change pthread flag settings in CMake to a more generic construct

Modify the previous commit using proper CMake module for thread library
support.

Change-Id: I1eaf2f8bc3b6ac542e5c81deeba14f68e47af381
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
10 years agoAdd missing gcc option -pthread to build correctly 36/25036/1 accepted/tizen_3.0.2014.q3_common accepted/tizen_3.0.m14.3_ivi tizen_3.0.2014.q3_common tizen_3.0.m14.3_ivi accepted/tizen/ivi/20140807.055102 submit/tizen_common/20140725.184508 submit/tizen_common/20140728.142410 submit/tizen_common/20140728.162339 submit/tizen_ivi/20140807.000412 submit/tizen_mobile/20141120.000000 tizen_3.0.2014.q3_common_release tizen_3.0.m14.3_ivi_release
Stephane Desneux [Fri, 25 Jul 2014 11:21:10 +0000 (13:21 +0200)]
Add missing gcc option -pthread to build correctly

Bug-Tizen: TC-1446
Change-Id: I5d2c560a01f867722c3918daa912048f098e3ab6
Signed-off-by: Stephane Desneux <stephane.desneux@open.eurogiciel.org>
10 years agoMove return codes sent by server to protocols.h 16/24716/8
Jan Cybulski [Fri, 18 Jul 2014 13:35:29 +0000 (15:35 +0200)]
Move return codes sent by server to protocols.h

Those codes are not part of security-manager's API
but are used only in communication between client and
server part. Return codes of libsecurity-manager's
functions are defined in enum lib_retcode, so there
is no need in placing additional macros in header file
security-manager.h

Also: fix problems with documentation in those macros

Change-Id: Iaa2f489f2b0a3e9dc3d2aaf74f522451e1b65057
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
10 years agoChange security_manager_app_install return code 15/24715/10
Jan Cybulski [Fri, 18 Jul 2014 12:42:25 +0000 (14:42 +0200)]
Change security_manager_app_install return code

So far, security_manager_app_install returned only
SECURITY_MANAGER_SUCCESS or SECURITY_MANAGER_ERROR_UNKNOWN,
which is not enough now.

Now, there is possibility, that security manager would reject
installation of some applciations on the basis of uid and users
home directory.
This function will return information about that now as return code.

Change-Id: I53b23b8318a756a8fbf4b804e49046cfa5acd4e0
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
10 years agoRegister only directories inside user's HOME 12/24712/10
Jan Cybulski [Fri, 18 Jul 2014 08:56:11 +0000 (10:56 +0200)]
Register only directories inside user's HOME

Change-Id: I546ba542dea481db2efebb24bbe03e5cd87d7220
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
10 years agoAdd possibility of installing apps for different users 03/24703/8
Jan Cybulski [Fri, 18 Jul 2014 15:35:41 +0000 (17:35 +0200)]
Add possibility of installing apps for different users

Uid of installing user will be obtained from peer's socket
and will be stored in database.

Change-Id: I0a0edf726b54fc7b28e5f2063186a97eb29479a9
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
10 years agoCynara: Change the type of exception in CynaraAdminPolicy constructors 77/24577/2
Marcin Lis [Wed, 16 Jul 2014 14:54:59 +0000 (16:54 +0200)]
Cynara: Change the type of exception in CynaraAdminPolicy constructors

It is better to keep exception types unified. That would minimize the number of
"catch" statements.

Change-Id: Id9e5bafef70c7ffb126a60c595505b644d596729
Signed-off-by: Marcin Lis <m.lis@samsung.com>
10 years agoCynara: implement method for setting policies 12/24412/6
Rafal Krypa [Fri, 11 Jul 2014 15:50:43 +0000 (17:50 +0200)]
Cynara: implement method for setting policies

Change-Id: I65a1c54c6307a60fba383b9e376c8541908ded59
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
10 years agoLogging: Remove the log tag from logs messages 17/24517/4
Marcin Lis [Tue, 15 Jul 2014 16:48:14 +0000 (18:48 +0200)]
Logging: Remove the log tag from logs messages

The log tag "SECURITY_MANAGER" and its client's version that were used in dlog
messages are not needed in systemd journal logs, this is redundant information.
It is easy to maintain the source of logs using journalctl.

Change-Id: Ia987cb3e401f46fe15eea210a0c2a9406caa7882
Signed-off-by: Marcin Lis <m.lis@samsung.com>
10 years agoLogging: Refine security manager log printouts 16/24516/4
Marcin Lis [Mon, 14 Jul 2014 15:58:58 +0000 (17:58 +0200)]
Logging: Refine security manager log printouts

Some of log traces were redundant, some of them carried unhelpul data. This
commit reorganizes calls to log macros to make them more helpful.

Change-Id: I6b814610e32f4c568ce6c8acfae33da0d1878dd0
Signed-off-by: Marcin Lis <m.lis@samsung.com>
10 years agoImplement setting process label for the given application 07/24407/2
Jacek Bukarewicz [Fri, 11 Jul 2014 13:40:00 +0000 (15:40 +0200)]
Implement setting process label for the given application

This change introduces functions for setting smack label for
application process. They are intended to be used by the app launcher
on application start.

2 variants have been implemented:
1) security_manager_set_process_label_from_binary
   Function extracts smack label from the given application binary and sets
   it for the current process
2) security_manager_set_process_label_from_appid
   Function computes smack label for given application id and sets it for
   current process

Change-Id: I4dfbaf133ec43e292f4ba54023b96a57df439562
Signed-off-by: Jacek Bukarewicz <j.bukarewicz@samsung.com>
10 years agoIntroduce IPC call for getting pkgid from appid 06/24406/2
Jacek Bukarewicz [Fri, 11 Jul 2014 13:36:40 +0000 (15:36 +0200)]
Introduce IPC call for getting pkgid from appid

Change-Id: I9e2c05d15c3c4bad60f5bc3b5631226e9980dc24
Signed-off-by: Jacek Bukarewicz <j.bukarewicz@samsung.com>
10 years agoInitial code for adding rules to Cynara 48/23848/6
Rafal Krypa [Thu, 3 Jul 2014 18:34:41 +0000 (20:34 +0200)]
Initial code for adding rules to Cynara

Adding new class for interface to cynara-admin. No operations implemented
yet, only initialize and destroy.

Change-Id: I1337ae9586c9767fa51c5ffc30671d6b7a758e4c
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
10 years agoRefactoring: put code operating on Smack labels in a separate file 46/23846/6
Rafał Krypa [Fri, 11 Jul 2014 19:28:21 +0000 (21:28 +0200)]
Refactoring: put code operating on Smack labels in a separate file

Create smack-labels.cpp, containing code for label assignment and file
labeling. Avoid clutter in installer.cpp.

Change-Id: I97f5251e1bfcd53e242cd0117d48539a378fefde
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
10 years agoRemove code from smack-common.cpp 47/23847/5
Rafal Krypa [Thu, 3 Jul 2014 17:10:48 +0000 (19:10 +0200)]
Remove code from smack-common.cpp

This code was a legacy from security-server. Contained functions
get_smack_label_from_process() and smack_pid_have_access() won't be used
by security-manager.

Change-Id: I9ddddf4d4d0e4347c7b0b86de96bdcfc0d715b91
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
10 years agoLogging: Change the default log provider to systemd journal. 25/24125/2
Marcin Lis [Tue, 8 Jul 2014 14:17:45 +0000 (16:17 +0200)]
Logging: Change the default log provider to systemd journal.

This change replaces the default logging mechanism in the whole security
manager. The dlog provider is not used anymore and it is also excluded from
being build along with the project. Its sources should stay untouched by now.

To verify, first please install this together with the latest security-tests
package. When installed, run tests:
  # security-manager-tests --output=text

And after that please check for the presence of traces in journal:
  # journalctl --unit=security-manager.service

Please also check for the presence of security-manager-client traces:
  # journalctl /usr/bin/security-manager-tests

Change-Id: I4af35d29a6a61d3a5a0bc4c3508bb872206a2f23
Signed-off-by: Marcin Lis <m.lis@samsung.com>