From ca65e32c15c1b835736534bc8ca40536551ef7d8 Mon Sep 17 00:00:00 2001
From: Lukasz Wojciechowski
Date: Tue, 14 Apr 2015 20:15:43 +0200
Subject: [PATCH] Fix application of Tizen 3.0 security model

Adjust Smack manifest file to ThreeDomainsModel. Correct DAC and Smack settings for databases in spec file. Use proper folders in spec file. Correct service file (typo + remove explicit Smack labeling). Use default methods of getting client and user credentials for use in cynara_check().

Change-Id: I1a2dd9423d41a2b4133a5c9e3a2666ba4aefba33
---
 libaccounts-svc.manifest | 26 +-------------------------
 packaging/account-manager.spec | 24 ++++++++++--------------
 packaging/accounts-service.service | 6 ++----
 src/accounts/server/account-server.c | 4 ++--
 4 files changed, 15 insertions(+), 45 deletions(-)

diff --git a/libaccounts-svc.manifest b/libaccounts-svc.manifest
index 7232dc1..97e8c31 100755
--- a/libaccounts-svc.manifest
+++ b/libaccounts-svc.manifest
@@ -1,29 +1,5 @@ - - - - - - - - - - - - - - - - - + - - - - - -
diff --git a/packaging/account-manager.spec b/packaging/account-manager.spec
index fea9e3a..587ab5a 100755
--- a/packaging/account-manager.spec
+++ b/packaging/account-manager.spec
@@ -89,23 +89,19 @@ then
 '
 fi
 
-mkdir -p /opt/usr/share/account
-chown root:root %{TZ_SYS_DB}/.account.db
-chown root:root %{TZ_SYS_DB}/.account.db-journal
+chown system:system %{TZ_SYS_DB}/.account.db
+chown system:system %{TZ_SYS_DB}/.account.db-journal
 
-chmod 600 /opt/usr/dbspace/.account.db
-chmod 600 /opt/usr/dbspace/.account.db-journal
+chmod 600 %{TZ_SYS_DB}/.account.db
+chmod 600 %{TZ_SYS_DB}/.account.db-journal
 
 #set message key value to NULL
 #vconftool set -t string db/account/msg '' -g 6514
 vconftool set -tf string db/account/msg '' -s libaccounts-svc -u 200 -g 5000
 
 #smack labeling
-if [ -f /usr/lib/rpm-plugins/msm.so ]
-then
- chsmack -a 'libaccounts-svc::db' /opt/usr/dbspace/.account.db-journal
- chsmack -a 'libaccounts-svc::db' /opt/usr/dbspace/.account.db
-fi
+chsmack -a 'System' %{TZ_SYS_DB}/.account.db-journal
+chsmack -a 'System' %{TZ_SYS_DB}/.account.db
 
 %postun -p /sbin/ldconfig
 
@@ -116,11 +112,11 @@ fi
 %manifest libaccounts-svc.manifest
 %defattr(-,root,root,-)
 %attr(0755,root,root) %{_bindir}/account-svcd
-%attr(-,root,root) %{_libdir}/systemd/system/accounts-service.service
-%attr(-,root,root) %{_libdir}/systemd/system/multi-user.target.wants/accounts-service.service
+%attr(-,root,root) %{_unitdir}/accounts-service.service
+%attr(-,root,root) %{_unitdir}/multi-user.target.wants/accounts-service.service
 
 %files devel
 %defattr(-,root,root,-)
 %attr(0755,root,root) %{_bindir}/account-svcd
-%attr(-,root,root) %{_libdir}/systemd/system/accounts-service.service
-%attr(-,root,root) %{_libdir}/systemd/system/multi-user.target.wants/accounts-service.service
+%attr(-,root,root) %{_unitdir}/accounts-service.service
+%attr(-,root,root) %{_unitdir}/multi-user.target.wants/accounts-service.service
diff --git a/packaging/accounts-service.service b/packaging/accounts-service.service
index 5d16913..0e2fbc8 100644
--- a/packaging/accounts-service.service
+++ b/packaging/accounts-service.service
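Review bot: The unchanged `vconftool set -tf string db/account/msg '' -s libaccounts-svc -u 200 -g 5000` line in the %post hunk of packaging/account-manager.spec still applies the per-package Smack label `libaccounts-svc`, while the same hunk relabels both database files to `System` and the service unit in this commit drops `SmackProcessLabel=libaccounts-svc`. If that label is no longer assigned to any process under the three-domain model, the key's access rules stop matching the daemon that is supposed to use it, so the `-s` value (and the numeric `-u 200 -g 5000` owner) should be checked against the `system` user and `System` label used everywhere else here. The new `chown`/`chmod`/`chsmack` lines also run with no existence or result check now that the `if [ -f ... ]` guard is gone; a comment such as `# DB files are created earlier in %post; ownership, mode and Smack label below must all succeed` would at least record the assumption, since the creation step is outside the hunk.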
@@ -1,12 +1,10 @@
 [Unit]
 Description=Accounts service
-After=tizen-runtime.target
-Requires=tizen-runtime.target
 
 [Service]
 User=system
-Gruop=system
-SmackProcessLabel=libaccounts-svc
+Group=system
+
 Type=simple
 ExecStart=/usr/bin/account-svcd
 Restart=always
diff --git a/src/accounts/server/account-server.c b/src/accounts/server/account-server.c
index cf2d0e0..06b1602 100644
--- a/src/accounts/server/account-server.c
+++ b/src/accounts/server/account-server.c
@@ -172,14 +172,14 @@ int __get_information_for_cynara_check(GDBusMethodInvocation *invocation, char *
 return -1;
 }
 
- ret = cynara_creds_gdbus_get_user(gdbus_conn, sender, CLIENT_METHOD_SMACK, user);
+ ret = cynara_creds_gdbus_get_user(gdbus_conn, sender, USER_METHOD_DEFAULT, user);
 if (ret != CYNARA_API_SUCCESS)
 {
 _ERR("cynara_creds_gdbus_get_user failed, ret = %d", ret);
 return -1;
 }
 
- ret = cynara_creds_gdbus_get_client(gdbus_conn, sender, CLIENT_METHOD_SMACK, client);
+ ret = cynara_creds_gdbus_get_client(gdbus_conn, sender, CLIENT_METHOD_DEFAULT, client);
 if (ret != CYNARA_API_SUCCESS)
 {
 _ERR("cynara_creds_gdbus_get_client failed, ret = %d", ret);
-- 
2.7.4
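Review bot: With `SmackProcessLabel=libaccounts-svc` removed, nothing in the [Service] section of packaging/accounts-service.service states which Smack label `account-svcd` runs under, yet the spec's %post in this commit makes the database files mode 600, owned by `system:system` and labeled `System`. The process label is now presumably set outside this unit (executable label or package manifest, neither readable on this page), so a comment above `User=system` such as `# No SmackProcessLabel here: the process label is set outside this unit and must be allowed to access the System-labeled account DB` would record the dependency. The added empty line between `Group=system` and `Type=simple` looks like a leftover of the deleted directive and can be dropped.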
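Review bot: In the src/accounts/server/account-server.c hunk, both lookups now pass `USER_METHOD_DEFAULT` / `CLIENT_METHOD_DEFAULT`, so the form of the `user` and `client` strings later used for the cynara check is decided by the cynara defaults configured on the device rather than by this file, and nothing in the code says so. A comment above the two calls, e.g. `/* identity format follows the system-wide cynara credential defaults; stored policies must use the same form */`, would make that dependency visible to whoever maintains the policy. Separately, if the `cynara_creds_gdbus_get_client` failure branch returns -1 like the branch above it (its return is outside the hunk), the string already stored through `user` is probably not released on that path; `free(*user); *user = NULL;` before the return would close it, assuming `user` is a `char **` as the call suggests. The function starts and ends outside the hunk.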