From d15806aaed7de368d4a6e7b7c3072260b90c4bc9 Mon Sep 17 00:00:00 2001
From: Tomasz Swierczek
Date: Mon, 12 Feb 2018 16:13:23 +0100
Subject: [PATCH] Add serviceImpl of getAppManifestPolicy function

Method to be used as implementation of security_manager_get_app_manifest_policy function
Change-Id: I897187234222d0fb17a70a20983492a91072bca7
---
 src/common/include/service_impl.h | 14 ++++++++++++++
 src/common/service_impl.cpp | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)

diff --git a/src/common/include/service_impl.h b/src/common/include/service_impl.h
index fc93373..51fcac3 100644
--- a/src/common/include/service_impl.h
+++ b/src/common/include/service_impl.h
@@ -304,6 +304,20 @@ public:
 int appSetupNamespace(const Credentials &creds, const std::string &appProcessLabel, std::vector> &privilegeStatusVector);
+
+ /**
+ * Return list of privileges requested by application at install time
+ *
+ * @param[in] creds credentials of the requesting process
+ * @param[in] appName application identifier
+ * @param[in] uid id of user under which app is/can be run
+ * @param[out] privileges list of privileges
+ *
+ * @return API return code, as defined in protocols.h
+ */
+ int getAppManifestPolicy(const Credentials &creds, const std::string &appName,
+ uid_t uid, std::vector &privileges);
+
 /**
 * Register channel for communication with worker process.
 *
diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
index f6bc8e3..de1d842 100644
--- a/src/common/service_impl.cpp
+++ b/src/common/service_impl.cpp
@@ -2026,6 +2026,44 @@ int ServiceImpl::appSetupNamespace(const Credentials &creds, const std::string &
 return SECURITY_MANAGER_SUCCESS;
 }
 
+int ServiceImpl::getAppManifestPolicy(const Credentials &creds, const std::string &appName,
+ uid_t uid, std::vector &privileges)
+{
+ try {
+ if (!authenticate(creds, Config::PRIVILEGE_USER_ADMIN)) {
+ LogError("Request from uid=" << creds.uid << ", Smack=" << creds.label << " for checking app manifest policy denied");
+ return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED;
+ }
+
+ std::string pkgName;
+ m_privilegeDb.GetAppPkgName(appName, pkgName);
+
+ if (pkgName.empty()) {
+ LogError("Checking manifest policy for unknown application: " << appName);
+ return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT;
+ }
+
+ std::string uidStr = m_privilegeDb.IsUserPkgInstalled(pkgName, uid) ? std::to_string(uid) : CYNARA_ADMIN_WILDCARD;
+ std::string cynaraClient = getAppProcessLabel(appName);
+
+ m_cynaraAdmin.getAppPolicy(cynaraClient, uidStr, privileges);
+ } catch (const CynaraException::Base &e) {
+ LogError("Error while querying Cynara: " << e.DumpToString());
+ return SECURITY_MANAGER_ERROR_SERVER_ERROR;
+ } catch (const std::bad_alloc &e) {
+ LogError("Memory allocation failed: " << e.what());
+ return SECURITY_MANAGER_ERROR_MEMORY;
+ } catch (const PrivilegeDb::Exception::IOError &e) {
+ LogError("Cannot access application database: " << e.DumpToString());
+ return SECURITY_MANAGER_ERROR_SERVER_ERROR;
+ } catch (...) {
+ LogError("Unknown exception thrown");
+ return SECURITY_MANAGER_ERROR_UNKNOWN;
+ }
+
+ return SECURITY_MANAGER_SUCCESS;
+}
+
 int ServiceImpl::appCleanNamespace(const Credentials &creds, const std::string &appName, uid_t uid)
 {
 if (!authenticate(creds, Config::PRIVILEGE_APP_NAMESPACE)) {
-- 
2.7.4
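Review bot: The fallback to `CYNARA_ADMIN_WILDCARD` when `IsUserPkgInstalled(pkgName, uid)` is false means a query for a uid under which the app is not installed is still answered with `SECURITY_MANAGER_SUCCESS`, so a caller cannot tell "installed for this user with these privileges" from "not installed for this user at all". The wildcard presumably selects the policy of a global installation, but nothing in the hunk checks that one exists; if the package is only installed locally for some other user, the result is likely an empty list reported as success. I would either return `SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT` in that case or document the behaviour at the assignment, e.g. `// not installed for uid: fall back to the global (wildcard) policy; result may be empty`. Separately, `privileges` is handed to `getAppPolicy()` without being cleared, so whether stale caller entries survive depends on that helper, which is not visible here; a `privileges.clear();` before the query would make the out-parameter contract explicit.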