From ac6af2da54aeb3a34dc2a0a2046e05d44c95cf21 Mon Sep 17 00:00:00 2001
From: Junghoon Park <jh9216.park@samsung.com>
Date: Thu, 16 Jun 2016 18:56:50 +0900
Subject: [PATCH] apply app-label-monitor to remove CAP_MAC_ADMIN

Change-Id: I49d5d19a778fbd7e39ab363cddcd99adf571728f
Signed-off-by: Junghoon Park <jh9216.park@samsung.com>
---
 packaging/launchpad.spec |  2 +-
 src/launchpad.c          | 83 ++++++++++++++++++++++++++++++++++++++++++++----
 src/launchpad_lib.c      | 10 ++----
 3 files changed, 79 insertions(+), 16 deletions(-)

diff --git a/packaging/launchpad.spec b/packaging/launchpad.spec
index 53613dd..c737c49 100644
--- a/packaging/launchpad.spec
+++ b/packaging/launchpad.spec
@@ -83,7 +83,7 @@ cp %{_builddir}/%{name}-%{version}/LICENSE  %{buildroot}/usr/share/license/%{nam
 %{_unitdir_user}/sockets.target.wants/launchpad-process-pool.socket
 %{_unitdir_user}/default.target.wants/launchpad-process-pool.service
 %caps(cap_mac_admin,cap_mac_override,cap_setgid=ei) %{_bindir}/launchpad-process-pool
-%caps(cap_mac_admin,cap_mac_override,cap_setgid=ei) %{_bindir}/launchpad-loader
+%caps(cap_mac_override,cap_setgid=ei) %{_bindir}/launchpad-loader
 %attr(0644,root,root) %{_libdir}/liblaunchpad.so.*
 
 %files devel
diff --git a/src/launchpad.c b/src/launchpad.c
index 9474862..86b7bde 100755
--- a/src/launchpad.c
+++ b/src/launchpad.c
@@ -77,6 +77,8 @@ static int __sys_hwacc;
 static GList *loader_info_list;
 static int user_slot_offset;
 static GList *candidate_slot_list;
+static app_labels_monitor *label_monitor;
+
 static candidate_process_context_t *__add_slot(int type, int loader_id,
 		int caller_pid, const char *loader_path, const char *extra,
 		int detection_method, int timeout_val);
@@ -281,11 +283,6 @@ error:
 	return -1;
 }
 
-static int __set_access(const char *appid)
-{
-	return security_manager_prepare_app(appid);
-}
-
 static int __get_loader_id(bundle *kb)
 {
 	const char *val;
@@ -507,8 +504,8 @@ static int __prepare_exec(const char *appid, const char *app_path,
 	/* SET PRIVILEGES*/
 	if (bundle_get_val(kb, AUL_K_PRIVACY_APPID) == NULL) {
 		_D("appId: %s / app_path : %s ", appid, app_path);
-		ret = __set_access(appid);
-		if (ret != 0) {
+		ret = security_manager_prepare_app(appid);
+		if (ret != SECURITY_MANAGER_SUCCESS) {
 			_D("fail to set privileges - check "
 					"your package's credential : %d\n",
 					ret);
@@ -823,6 +820,42 @@ static gboolean __handle_sigchild(gpointer data)
 	return G_SOURCE_CONTINUE;
 }
 
+static gboolean __handle_label_monitor(gpointer data)
+{
+	candidate_process_context_t *cpc;
+	GList *iter = candidate_slot_list;
+
+	_D("__handle_label_monitor()");
+	security_manager_app_labels_monitor_process(label_monitor);
+
+	while (iter) {
+		cpc = (candidate_process_context_t *)iter->data;
+		if (cpc->prepared) {
+			_D("Dispose candidate process %d", cpc->pid);
+			__kill_process(cpc->pid);
+			close(cpc->send_fd);
+			cpc->prepared = false;
+			cpc->pid = CANDIDATE_NONE;
+			cpc->send_fd = -1;
+			if (cpc->source > 0) {
+				g_source_remove(cpc->source);
+				cpc->source = 0;
+			}
+
+			if (cpc->timer > 0) {
+				g_source_remove(cpc->timer);
+				cpc->timer = 0;
+			}
+			__set_timer(cpc);
+			__prepare_candidate_process(cpc->type, cpc->loader_id);
+		}
+
+		iter = g_list_next(iter);
+	}
+
+	return G_SOURCE_CONTINUE;
+}
+
 static int __dispatch_cmd_hint(bundle *kb, int detection_method)
 {
 	candidate_process_context_t *cpc;
@@ -1221,6 +1254,33 @@ static int __init_sigchild_fd(void)
 	return 0;
 }
 
+static int __init_label_monitor_fd(void)
+{
+	int fd = -1;
+	guint pollfd;
+
+	if (security_manager_app_labels_monitor_init(&label_monitor)
+			!= SECURITY_MANAGER_SUCCESS)
+		return -1;
+	if (security_manager_app_labels_monitor_process(label_monitor)
+			!= SECURITY_MANAGER_SUCCESS)
+		return -1;
+	security_manager_app_labels_monitor_get_fd(label_monitor, &fd);
+
+	if (fd < 0) {
+		_E("failed to get fd");
+		return -1;
+	}
+
+	pollfd = __poll_fd(fd, G_IO_IN, (GSourceFunc)__handle_label_monitor, 0, 0);
+	if (pollfd == 0) {
+		close(fd);
+		return -1;
+	}
+
+	return 0;
+}
+
 static void __add_slot_from_info(gpointer data, gpointer user_data)
 {
 	loader_info_t *info = (loader_info_t *)data;
@@ -1300,6 +1360,12 @@ static int __before_loop(int argc, char **argv)
 		return -1;
 	}
 
+	ret = __init_label_monitor_fd();
+	if (ret != 0) {
+		_E("__init_launchpad_fd() failed");
+		return -1;
+	}
+
 	ret = vconf_get_int(VCONFKEY_SETAPPL_APP_HW_ACCELERATION, &__sys_hwacc);
 	if (ret != VCONF_OK) {
 		_E("Failed to get vconf int: %s",
@@ -1351,6 +1417,9 @@ int main(int argc, char **argv)
 #endif
 	g_main_loop_run(mainloop);
 
+	if (label_monitor)
+		security_manager_app_labels_monitor_finish(label_monitor);
+
 	return -1;
 }
 
diff --git a/src/launchpad_lib.c b/src/launchpad_lib.c
index f655ed6..378ccc0 100644
--- a/src/launchpad_lib.c
+++ b/src/launchpad_lib.c
@@ -71,12 +71,6 @@ static void __release_at_exit(void)
 		free(__root_path);
 }
 
-static int __set_access(const char *appid, const char *pkg_type,
-		const char *app_path)
-{
-	return security_manager_prepare_app(appid);
-}
-
 static int __prepare_exec(const char *appid, const char *app_path,
 			const char *pkg_type, int type)
 {
@@ -89,8 +83,8 @@ static int __prepare_exec(const char *appid, const char *app_path,
 	/* SET PRIVILEGES*/
 	SECURE_LOGD("[candidata] appid : %s / pkg_type : %s / app_path : %s",
 		appid, pkg_type, app_path);
-	ret = __set_access(appid, pkg_type, app_path);
-	if (ret < 0) {
+	ret = security_manager_prepare_app(appid);
+	if (ret != SECURITY_MANAGER_SUCCESS) {
 		_D("fail to set privileges - check your package's credential: "
 				"%d\n", ret);
 		return -1;
-- 
2.7.4