From 7afa350cd62b814c0d85e8ed5eb25c1b58a93c27 Mon Sep 17 00:00:00 2001 From: "jin-gyu.kim" Date: Fri, 22 Sep 2017 19:57:43 +0900 Subject: [PATCH] Fix upgrade script - pkgmgr will update app information only if version is changed. - Therefore, migrate the privious security and cynara database. Change-Id: Ibb7641439855a71dbc93e3ff61c062f5051bb079 --- CMakeLists.txt | 2 - packaging/security-config.spec | 1 - upgrade/201.security_upgrade.sh | 73 ++++++++------------------ upgrade/710.security_restore_policy.sh | 21 -------- 4 files changed, 22 insertions(+), 75 deletions(-) delete mode 100644 upgrade/710.security_restore_policy.sh diff --git a/CMakeLists.txt b/CMakeLists.txt index 744bfba..feb5a34 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -16,8 +16,6 @@ INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/security-config.conf DESTINATION /usr/l INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/90_user-content-permissions.post DESTINATION ${SYSCONF_INSTALL_DIR}/gumd/useradd.d) INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/91_user-dbspace-permissions.post DESTINATION ${SYSCONF_INSTALL_DIR}/gumd/useradd.d) INSTALL(FILES ${CMAKE_SOURCE_DIR}/upgrade/201.security_upgrade.sh DESTINATION /usr/share/upgrade/scripts) -INSTALL(FILES ${CMAKE_SOURCE_DIR}/upgrade/710.security_restore_policy.sh DESTINATION /usr/share/upgrade/scripts) - INSTALL(FILES ${CMAKE_SOURCE_DIR}/smack/onlycap DESTINATION /etc/smack) INSTALL(FILES ${CMAKE_SOURCE_DIR}/smack/smack_default_labeling DESTINATION /usr/share/security-config) diff --git a/packaging/security-config.spec b/packaging/security-config.spec index c542022..ebbe9b7 100755 --- a/packaging/security-config.spec +++ b/packaging/security-config.spec 
@@ -103,7 +103,6 @@ rm /opt/share/security-config/test/capability_test/* %attr(755,root,root) /opt/share/security-config/test/smack_basic_test/* %attr(755,root,root) /opt/share/security-config/test/security_mount_option_test/* %attr(755,root,root) /usr/share/upgrade/scripts/201.security_upgrade.sh -%attr(755,root,root) /usr/share/upgrade/scripts/710.security_restore_policy.sh %attr(755,root,root) %{_sysconfdir}/gumd/useradd.d/90_user-content-permissions.post %attr(755,root,root) %{_sysconfdir}/gumd/useradd.d/91_user-dbspace-permissions.post diff --git a/upgrade/201.security_upgrade.sh b/upgrade/201.security_upgrade.sh index 744ce0a..709bcf5 100644 --- a/upgrade/201.security_upgrade.sh +++ b/upgrade/201.security_upgrade.sh 
@@ -2,54 +2,33 @@ PATH=/bin:/usr/bin:/sbin:/usr/sbin -CYNARA_DIR=/opt/var/cynara -SECURITY_MANAGER_DIR=/opt/var/security-manager +# Migration of cynara DB +CYNARA_VERSION=$(rpm -qf /usr/bin/cynara | cut -d "-" -f2) +cynara-db-migration upgrade -f 0.0.0 -t $CYNARA_VERSION -# backup cynara default and admin buckets -CYNARA_DEFAULT_DB_BACKUP=/opt/data/CYNARA_DEFAULT_DB_BACKUP -cyad --list-policies="" --all | grep "User::Pkg::" > $CYNARA_DEFAULT_DB_BACKUP -CYNARA_ADMIN_DB_BACKUP=/opt/data/CYNARA_ADMIN_DB_BACKUP -cyad --list-policies=ADMIN --all | grep "User::Pkg::" > $CYNARA_ADMIN_DB_BACKUP - -# make Cynara and Security-manager directories/files in rw partition -rm -r $SECURITY_MANAGER_DIR -mkdir $SECURITY_MANAGER_DIR -mkdir $SECURITY_MANAGER_DIR/owner -mkdir $SECURITY_MANAGER_DIR/rules -mkdir $SECURITY_MANAGER_DIR/rules-merged -touch $SECURITY_MANAGER_DIR/apps-labels -touch $SECURITY_MANAGER_DIR/owner/apps-labels -touch $SECURITY_MANAGER_DIR/rules-merged/rules.merged -chmod 711 $SECURITY_MANAGER_DIR -chmod 711 $SECURITY_MANAGER_DIR/owner -chmod 700 $SECURITY_MANAGER_DIR/rules -chmod 700 $SECURITY_MANAGER_DIR/rules-merged -chmod 444 $SECURITY_MANAGER_DIR/apps-labels -chmod 444 $SECURITY_MANAGER_DIR/owner/apps-labels -chmod 644 $SECURITY_MANAGER_DIR/rules-merged/rules.merged +# Migration of security-manager DB +/usr/share/security-manager/db/update.sh -# init Cynara and Security-manager database -# security-manager DB -SECURITY_MANAGER_DB=/opt/dbspace/.security-manager.db -SECURITY_MANAGER_DB_JOURNAL=/opt/dbspace/.security-manager.db-journal -rm $SECURITY_MANAGER_DB -rm $SECURITY_MANAGER_DB_JOURNAL -touch $SECURITY_MANAGER_DB -touch $SECURITY_MANAGER_DB_JOURNAL +# List ask-type cynara rule +ASKTYPE_CYNARA_RULE_TEMP="/opt/data/asktype_cynara_rule" +cyad --list-policies="" --all | grep ";10;" > $ASKTYPE_CYNARA_RULE_TEMP # TODO : Need to check how to fileter ask type rule except of ";10;" -chmod 600 $SECURITY_MANAGER_DB -chmod 600 $SECURITY_MANAGER_DB_JOURNAL -chown 
root:root $SECURITY_MANAGER_DB -chown root:root $SECURITY_MANAGER_DB_JOURNAL -chsmack -a System $SECURITY_MANAGER_DB -chsmack -a System $SECURITY_MANAGER_DB_JOURNAL +# Delete ask-type cynara rule (api version <= 3.0 would not have ask-type rule in Tizen-4.0 image) +while read ask_rule_line +do + CLIENT=$(echo "$ask_rule_line" | cut -d ";" -f2) + USER=$(echo "$ask_rule_line" | cut -d ";" -f3) + PRIVILEGE=$(echo "$ask_rule_line" | cut -d ";" -f4) + cyad --erase="" --recursive="no" --client="$CLIENT" --user="$USER" --privilege="$PRIVILEGE" +done < $ASKTYPE_CYNARA_RULE_TEMP -/usr/share/security-manager/db/update.sh +rm -f $ASKTYPE_CYNARA_RULE_TEMP -# cynara DB -rm /var/cynara/db/* -/usr/sbin/cynara-db-migration install -t 0.14.10 -/usr/bin/security-manager-policy-reload +# start cynara & security-manager +systemctl start cynara +security-manager-policy-reload +/usr/share/security-manager/policy/update.sh +systemctl start security-manager # Create privacy database PRIVILEGE_CHECKER_PRIVACY_DB=/opt/dbspace/.privacy.db @@ -65,11 +44,3 @@ chown root:app_fw $PRIVILEGE_CHECKER_PRIVACY_DB chown root:app_fw $PRIVILEGE_CHECHER_PRIVACY_DB_JOURNAL chsmack -a System::Shared $PRIVILEGE_CHECKER_PRIVACY_DB chsmack -a System::Shared $PRIVILEGE_CHECHER_PRIVACY_DB_JOURNAL - -# init Privilege-checker dpm/mdm policy database (it could be not necessary, but remains for the safe.) -/usr/share/privilege-manager/policy_db_updater.sh - -# start security-manager -systemctl start cynara -systemctl start security-manager - diff --git a/upgrade/710.security_restore_policy.sh b/upgrade/710.security_restore_policy.sh deleted file mode 100644 index e7b29db..0000000 --- a/upgrade/710.security_restore_policy.sh +++ /dev/null 
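Review bot: The `grep ";10;"` filter in the new ask-type cleanup matches that substring anywhere in a `cyad --list-policies` line, so a rule whose client or user field happens to be `10` would also be passed to `cyad --erase`; the TODO on that line already admits the filter is loose. Matching the type column exactly, e.g. `awk -F';' '$5 == "10"'` (assuming the type is the fifth field, which the `cut -f2`..`-f4` usage suggests but does not prove), keeps unrelated policy from being deleted during the upgrade. The list is also staged at a fixed path, `/opt/data/asktype_cynara_rule`, by a script that presumably runs as root; piping the filter straight into the `while read -r` loop removes the need for the file, and `mktemp` is the safer choice if it has to exist. Separately, `$CYNARA_VERSION` is used unquoted and unchecked, so a failed `rpm -qf` leaves `cynara-db-migration` with an empty `-t` argument while the script still goes on to start both services; a guard such as `[ -n "$CYNARA_VERSION" ] || exit 1` before the migration would make that failure visible.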
@@ -1,21 +0,0 @@
-#!/bin/sh
-
-PATH=/bin:/usr/bin:/sbin:/usr/sbin
-
-CYNARA_DEFAULT_DB_BACKUP=/opt/data/CYNARA_DEFAULT_DB_BACKUP
-CYNARA_ADMIN_DB_BACKUP=/opt/data/CYNARA_ADMIN_DB_BACKUP
-
-# restore cynara default and admin buckets
-
-if [ "cat $CYNARA_DEFAULT_DB_BACKUP" != "" ]
-then
- cat $CYNARA_DEFAULT_DB_BACKUP | cyad --set-policy --bucket="" --bulk=-
-fi
-
-if [ "cat $CYNARA_ADMIN_DB_BACKUP" != "" ]
-then
- cat $CYNARA_ADMIN_DB_BACKUP | cyad --set-policy --bucket=ADMIN --bulk=-
-fi
-
-rm $CYNARA_DEFAULT_DB_BACKUP
-rm $CYNARA_ADMIN_DB_BACKUP
--
2.34.1