From 77f347fa83a11da75dcf923873ad05b7fc9a401f Mon Sep 17 00:00:00 2001
From: Rafal Krypa
Date: Tue, 19 Dec 2017 10:00:15 +0100
Subject: [PATCH] client: do not add application process to hardcoded groups

Initial implementation of privilege enforcement with mount namespaces included client code that added all application processes to hardcoded set of groups: priv_externalstorage and priv_mediastorage. This is wrong. Enforcement of privileges by either groups or mount namespaces is to be configured in respectively privilege-group.list and privilege-mount.list. Application process should be added to a group if and only if it holds a privilege that is configured to be enforced with a group. Similarly proper mounts and umounts will be done in application mount namespace based on privilege status. There is no need to hardcode groups. If a privilege is enforced with mount namespace, it should not require additional group assignment. If it used to be enforced with a group, but it has been switched to enforcement with mount, filesystem permissions need to be adjusted, not security-manager code. Privileges mediastorage and external storage are now enforced with bind mounts. They are being removed from privilege-group mapping - combining these two mechanisms is undesired.

Change-Id: I41204daa24329e8e9648b3ecb4e53d87c763b35b
Signed-off-by: Rafal Krypa
---
 policy/privilege-group.list | 2 --
 src/client/client-security-manager.cpp | 26 --------------------------
 2 files changed, 28 deletions(-)

diff --git a/policy/privilege-group.list b/policy/privilege-group.list
index 548f7e7..0c94ad9 100644
--- a/policy/privilege-group.list
+++ b/policy/privilege-group.list
@@ -6,8 +6,6 @@
 # - lines starting with '#' are ignored
 http://tizen.org/privilege/camera priv_camera
 http://tizen.org/privilege/recorder priv_recorder
-http://tizen.org/privilege/mediastorage priv_mediastorage
-http://tizen.org/privilege/externalstorage priv_externalstorage
 http://tizen.org/privilege/message.read priv_message_read
 http://tizen.org/privilege/mapservice priv_mapservice
 http://tizen.org/privilege/internet priv_internet
diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp
index 8754740..a6cc600 100644
--- a/src/client/client-security-manager.cpp
+++ b/src/client/client-security-manager.cpp
@@ -782,26 +782,6 @@ static inline int security_manager_bind_namespace_internal(const char *app_name)
 return request.send(std::string(app_name)).getStatus();
 });
 }
-static inline int security_manager_set_process_groups_internal(void)
-{
- int ret;
- struct group *grp;
- const std::vector groupsNames = {"priv_externalstorage", "priv_mediastorage"};
- std::vector groupsGids;
- ret = getProcessGroups(groupsGids);
- if (ret != SECURITY_MANAGER_SUCCESS)
- return ret;
- for (const auto &groupName : groupsNames) {
- grp = getgrnam(groupName.c_str());
- if (grp)
- groupsGids.push_back(grp->gr_gid);
- }
- std::unordered_set groupsSet(groupsGids.begin(), groupsGids.end());
- return setProcessGroups(std::vector(groupsSet.begin(), groupsSet.end()));
-}
 static inline int security_manager_create_namespace_internal(const char *app_name)
 {
@@ -841,12 +821,6 @@ static inline int security_manager_create_namespace_internal(const char *app_nam
 }
 }
- ret = security_manager_set_process_groups_internal();
- if (ret != SECURITY_MANAGER_SUCCESS) {
- LogError("Failed to set process group: " << security_manager_strerror(static_cast(ret)));
- return ret;
- }
-
 ret = security_manager_bind_namespace_internal(app_name);
 if (ret != SECURITY_MANAGER_SUCCESS) {
 LogError("Failed to bind app namespace: " << security_manager_strerror(static_cast(ret)) << " App name:" << app_name);
--
2.7.4