From b9b0f7b7882f87f2382b7aaa06d703d6ebaeb249 Mon Sep 17 00:00:00 2001
From: Pawel Andruszkiewicz <p.andruszkie@samsung.com>
Date: Wed, 20 May 2015 16:29:59 +0200
Subject: [PATCH] [Common] Added privilege implementation using Cynara.

[Verificiation] Common module compiled with 3.0 repository (http://download.tizen.org/snapshots/tizen/mobile/latest/repos/arm-wayland/packages/).

Change-Id: I1d807f0c621bdac4481145d1ca534fcb8987da1d
Signed-off-by: Pawel Andruszkiewicz <p.andruszkie@samsung.com>
---
 packaging/webapi-plugins.spec | 16 ++++++++-
 src/common/common.gyp         |  3 +-
 src/common/extension.cc       | 62 +++++++++++++++++++++++++++++++----
 3 files changed, 73 insertions(+), 8 deletions(-)

diff --git a/packaging/webapi-plugins.spec b/packaging/webapi-plugins.spec
index 046c6e64..4f79b5b1 100755
--- a/packaging/webapi-plugins.spec
+++ b/packaging/webapi-plugins.spec
@@ -19,6 +19,8 @@ Source0:    %{name}-%{version}.tar.gz
 ####################################################################
 %if "%{?tizen_profile_name}" == "mobile"
 
+%define tizen_privilege_engine                    ACE
+
 %define tizen_feature_account_support             1
 %define tizen_feature_alarm_support               1
 %define tizen_feature_application_support         1
@@ -128,6 +130,8 @@ Source0:    %{name}-%{version}.tar.gz
 ####################################################################
 %if "%{?tizen_profile_name}" == "wearable"
 
+%define tizen_privilege_engine                    ACE
+
 # Account API is optional in Tizen Wearable Profile.
 %define tizen_feature_account_support             0
 
@@ -225,6 +229,8 @@ Source0:    %{name}-%{version}.tar.gz
 ####################################################################
 %if "%{?tizen_profile_name}" == "tv"
 
+%define tizen_privilege_engine                    ACE
+
 %define tizen_feature_account_support             0
 %define tizen_feature_alarm_support               1
 %define tizen_feature_application_support         1
@@ -310,7 +316,15 @@ BuildRequires: pkgconfig(capi-appfw-app-manager)
 BuildRequires: pkgconfig(capi-appfw-package-manager)
 BuildRequires: pkgconfig(capi-content-media-content)
 BuildRequires: pkgconfig(capi-media-metadata-extractor)
+
+%if "%{?tizen_privilege_engine}" == "ACE"
 BuildRequires: pkgconfig(capi-security-privilege-manager)
+%endif
+
+%if "%{?tizen_privilege_engine}" == "CYNARA"
+BuildRequires: pkgconfig(cynara-client)
+BuildRequires: pkgconfig(libsmack)
+%endif
 
 %if 0%{?tizen_feature_account_support}
 BuildRequires: pkgconfig(accounts-svc)
@@ -444,7 +458,7 @@ Tizen Web APIs implemented.
 %build
 
 export GYP_GENERATORS='ninja'
-GYP_OPTIONS="--depth=. -Dtizen=1 -Dextension_build_type=Debug -Dextension_host_os=%{profile} -Dprivilege_engine=ACE"
+GYP_OPTIONS="--depth=. -Dtizen=1 -Dextension_build_type=Debug -Dextension_host_os=%{profile} -Dprivilege_engine=%{tizen_privilege_engine}"
 GYP_OPTIONS="$GYP_OPTIONS -Ddisplay_type=x11"
 
 # feature flags
diff --git a/src/common/common.gyp b/src/common/common.gyp
index 9dede318..24337873 100644
--- a/src/common/common.gyp
+++ b/src/common/common.gyp
@@ -65,7 +65,6 @@
               'defines': ['PRIVILEGE_USE_ACE'],
               'variables': {
                 'packages': [
-                  'sqlite3',
                   'capi-security-privilege-manager',
                 ],
               },
@@ -74,6 +73,8 @@
               'defines': ['PRIVILEGE_USE_CYNARA'],
               'variables': {
                 'packages': [
+                  'cynara-client',
+                  'libsmack',
                 ],
               },
             }],
diff --git a/src/common/extension.cc b/src/common/extension.cc
index ea9d4979..6fa97f5f 100644
--- a/src/common/extension.cc
+++ b/src/common/extension.cc
@@ -15,7 +15,10 @@
 #elif PRIVILEGE_USE_ACE
 #include <privilege_checker.h>
 #elif PRIVILEGE_USE_CYNARA
-// TODO
+#include <unistd.h>
+
+#include <cynara/cynara-client.h>
+#include <sys/smack.h>
 #endif
 
 #include "common/logger.h"
@@ -462,19 +465,66 @@ class AccessControlImpl {
 
 class AccessControlImpl {
  public:
-  AccessControlImpl() {
+  AccessControlImpl() : cynara_(nullptr) {
     LoggerD("Privilege access checked using Cynara.");
-    // TODO
+
+    char* smack_label = nullptr;
+    int ret = smack_new_label_from_self(&smack_label);
+
+    if (0 == ret && nullptr != smack_label) {
+      auto uid = getuid();
+
+      SLoggerD("uid: [%u]", uid);
+      SLoggerD("smack label: [%s]", smack_label);
+
+      uid_ = std::to_string(uid);
+      smack_label_ = smack_label;
+
+      free(smack_label);
+    } else {
+      LoggerE("Failed to get smack label");
+      return;
+    }
+
+    ret = cynara_initialize(&cynara_, nullptr);
+    if (CYNARA_API_SUCCESS != ret) {
+      LoggerE("Failed to initialize Cynara");
+      cynara_ = nullptr;
+    }
   }
 
   ~AccessControlImpl() {
-    // TODO
+    if (cynara_) {
+      auto ret = cynara_finish(cynara_);
+      if (CYNARA_API_SUCCESS != ret) {
+        LoggerE("Failed to finalize Cynara");
+      }
+      cynara_ = nullptr;
+    }
   }
 
   bool CheckAccess(const std::vector<std::string>& privileges) {
-    // TODO
-    return false;
+    if (cynara_) {
+      for (const auto& privilege : privileges) {
+        if (CYNARA_API_ACCESS_ALLOWED != cynara_simple_check(cynara_,  // p_cynara
+                                                             smack_label_.c_str(),  // client
+                                                             "", // client_session
+                                                             uid_.c_str(),  // user
+                                                             privilege.c_str()  // privilege
+                                                             )) {
+          return false;
+        }
+      }
+      return true;
+    } else {
+      return false;
+    }
   }
+
+ private:
+  cynara* cynara_;
+  std::string uid_;
+  std::string smack_label_;
 };
 
 #else
-- 
2.34.1