From a405e58397ecd67886c49f08a6d0d38028f56622 Mon Sep 17 00:00:00 2001 From: Youngmin Yoo Date: Thu, 22 Dec 2016 14:15:49 +0900 Subject: [PATCH] Improve privilege checker. Privilege check: - given default privilege when application installed. - added privilege in config.xml by Application developer. Bug: P161214-04760 Bug: http://suprem.sec.samsung.net/jira/browse/TWF-2681 Change-Id: Ic21058964aa98ca26460b6717dca063aaf406043 Signed-off-by: Youngmin Yoo --- build/common.gypi | 1 + build/cynara-client.gypi | 16 ++++++++++ common/common.gyp | 1 + packaging/crosswalk-tizen.spec | 1 + runtime/browser/web_application.cc | 63 +++++++++++++++++++++++++++++++++----- 5 files changed, 75 insertions(+), 7 deletions(-) create mode 100644 build/cynara-client.gypi diff --git a/build/common.gypi b/build/common.gypi index 876c0fe..ec6b82a 100644 --- a/build/common.gypi +++ b/build/common.gypi @@ -28,6 +28,7 @@ }], ], 'includes': [ + 'cynara-client.gypi', 'pkg-config.gypi', 'xwalk_js2c.gypi', ], diff --git a/build/cynara-client.gypi b/build/cynara-client.gypi new file mode 100644 index 0000000..b0fac97 --- /dev/null +++ b/build/cynara-client.gypi @@ -0,0 +1,16 @@ +{ + 'variables': { + 'pkg-config': 'pkg-config', + }, + 'cflags': [ + ' -#include #include +#include +#include #include #include #include +#include #include #include 
@@ -98,10 +100,12 @@ const char* kAmbientTickEventScript = "for (var i=0; i < window.frames.length; i++)\n" "{ window.frames[i].document.dispatchEvent(__event); }" "})()"; +const char* kCameraPrivilege = "http://tizen.org/privilege/camera"; const char* kFullscreenPrivilege = "http://tizen.org/privilege/fullscreen"; const char* kFullscreenFeature = "fullscreen"; const char* kNotificationPrivilege = "http://tizen.org/privilege/notification"; const char* kLocationPrivilege = "http://tizen.org/privilege/location"; +const char* kRecordPrivilege = "http://tizen.org/privilege/recorder"; const char* kStoragePrivilege = "http://tizen.org/privilege/unlimitedstorage"; const char* kUsermediaPrivilege = "http://tizen.org/privilege/mediacapture"; const char* kNotiIconFile = "noti_icon.png"; @@ -128,9 +132,11 @@ const char* kDefaultCSPRule = const char* kResWgtPath = "res/wgt/"; const char* kAppControlMain = "http://tizen.org/appcontrol/operation/main"; -bool FindPrivilege(common::ApplicationData* app_data, +// Looking for added privilege by Application developer in config.xml. +bool FindPrivilegeFromConfig(common::ApplicationData* app_data, const std::string& privilege) { if (app_data->permissions_info().get() == NULL) return false; + LOGGER(INFO) << "Finding privilege from config.xml"; auto it = app_data->permissions_info()->GetAPIPermissions().begin(); auto end = app_data->permissions_info()->GetAPIPermissions().end(); for (; it != end; ++it) { 
@@ -139,6 +145,47 @@ bool FindPrivilege(common::ApplicationData* app_data, return false; } +// Looking for given default privilege when application installed. +bool FindPrivilegeFromCynara(const std::string& privilege_name) { + LOGGER(INFO) << "Finding privilege from cynara db"; + static constexpr char kSmackLabelFilePath[] = "/proc/self/attr/current"; + std::ifstream file(kSmackLabelFilePath); + if (!file.is_open()) { + LOGGER(ERROR) << "Failed to open " << kSmackLabelFilePath; + return false; + } + + int ret; + cynara* p_cynara = NULL; + ret = cynara_initialize(&p_cynara, 0); + if (CYNARA_API_SUCCESS != ret) { + LOGGER(ERROR) << "Failed. The result of cynara_initialize() : " << ret; + return false; + } + + std::string uid = std::to_string(getuid()); + std::string smack_label{std::istreambuf_iterator(file), + std::istreambuf_iterator()}; + + bool result = false; + ret = cynara_check(p_cynara, smack_label.c_str(), "", uid.c_str(), privilege_name.c_str()); + if (CYNARA_API_ACCESS_ALLOWED != ret) { + LOGGER(ERROR) << "Access denied. The result of cynara_check() : " << ret; + } else { + LOGGER(INFO) << "Access allowed! The result of cynara_check() : " << ret; + result = true; + } + + if (p_cynara) { + ret = cynara_finish(p_cynara); + if (CYNARA_API_SUCCESS != ret) { + LOGGER(ERROR) << "Failed. The result of cynara_finish() : " << ret; + } + } + + return result; +} + static void SendDownloadRequest(const std::string& url) { common::AppControl request; request.set_operation(APP_CONTROL_OPERATION_DOWNLOAD); @@ -348,7 +395,7 @@ bool WebApplication::Initialize() { this); InitializeNotificationCallback(ewk_context_, this); - if (FindPrivilege(app_data_, kFullscreenPrivilege)) { + if (FindPrivilegeFromConfig(app_data_, kFullscreenPrivilege)) { ewk_context_tizen_extensible_api_string_set(ewk_context_, kFullscreenFeature, true); } 
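Review bot: In `FindPrivilegeFromCynara`, every `cynara_check()` result other than `CYNARA_API_ACCESS_ALLOWED` is logged as "Access denied", so a real policy denial and a failed lookup (service unavailable, invalid parameter) cannot be told apart in the logs. Failing closed in both cases is correct, but the error branch should separate them, for example `} else if (CYNARA_API_ACCESS_DENIED != ret) { LOGGER(ERROR) << "cynara_check() failed : " << ret; }`, and an ordinary denial probably does not belong at ERROR level. The Smack label is also passed on exactly as read from `/proc/self/attr/current`, with no check that the read returned anything. If the content carries a trailing newline (not determinable from this hunk), the client string would never match a policy entry and the function would deny every request, so add `if (smack_label.empty()) return false;` before `cynara_initialize()` and trim trailing whitespace. A one-line comment saying that the empty string is the intended `client_session` argument would also help the next reader.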
@@ -1043,7 +1090,7 @@ void WebApplication::OnNotificationPermissionRequest( // Local Domain: Grant permission if defined, otherwise Popup user prompt. // Remote Domain: Popup user prompt. if (common::utils::StartsWith(url, "file://") && - FindPrivilege(app_data_, kNotificationPrivilege)) { + FindPrivilegeFromConfig(app_data_, kNotificationPrivilege)) { result_handler(true); return; } @@ -1083,7 +1130,8 @@ void WebApplication::OnGeolocationPermissionRequest( // Local Domain: Grant permission if defined, otherwise block execution. // Remote Domain: Popup user prompt if defined, otherwise block execution. - if (!FindPrivilege(app_data_, kLocationPrivilege)) { + if (!FindPrivilegeFromConfig(app_data_, kLocationPrivilege) && + !FindPrivilegeFromCynara(kLocationPrivilege)) { result_handler(false); return; } @@ -1128,7 +1176,7 @@ void WebApplication::OnQuotaExceed(WebView*, const std::string& url, // Local Domain: Grant permission if defined, otherwise Popup user prompt. // Remote Domain: Popup user prompt. if (common::utils::StartsWith(url, "file://") && - FindPrivilege(app_data_, kStoragePrivilege)) { + FindPrivilegeFromConfig(app_data_, kStoragePrivilege)) { result_handler(true); return; } @@ -1224,7 +1272,8 @@ void WebApplication::OnUsermediaPermissionRequest( // Local Domain: Grant permission if defined, otherwise block execution. // Remote Domain: Popup user prompt if defined, otherwise block execution. - if (!FindPrivilege(app_data_, kUsermediaPrivilege)) { + if (!FindPrivilegeFromConfig(app_data_, kUsermediaPrivilege) && + !(FindPrivilegeFromCynara(kCameraPrivilege) && FindPrivilegeFromCynara(kRecordPrivilege))) { result_handler(false); return; } -- 2.7.4
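Review bot: The new condition in `OnGeolocationPermissionRequest` blocks only when both lookups fail, so a privilege declared in config.xml is accepted without cynara being consulted at all; the `OnUsermediaPermissionRequest` hunk further down short-circuits the same way. If cynara is meant to be the authoritative policy store (for example, if a privilege can be withdrawn after installation, which this diff does not show), a developer-supplied declaration should not be able to stand in for it, and the check would be `if (!FindPrivilegeFromCynara(kLocationPrivilege)) {` or require both sources. If either-source is the intended behaviour, the existing comment "Grant permission if defined" should say so, e.g. `// "Defined" = declared in config.xml OR granted in the cynara policy.` The enclosing function starts and ends outside the hunk.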
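Review bot: In `OnUsermediaPermissionRequest`, the cynara half of the condition demands both `kCameraPrivilege` and `kRecordPrivilege` for every usermedia request, while the config.xml half accepts the single `kUsermediaPrivilege`, and nothing in the hunk explains why the two are treated as equivalent. A comment above the `if` should state that mapping, and whether an audio-only or video-only request is really expected to need both. The nested negation `!(A && B)` on one over-long line is also hard to audit for a grant decision. Naming it in a small helper (for instance `bool HasUsermediaPrivilegeFromCynara()`, name illustrative) would make the rule readable. It would also make it easier to later share one cynara client between the two checks, since each `FindPrivilegeFromCynara` call currently opens the label file and runs `cynara_initialize()`/`cynara_finish()` on its own.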