From f30df79a455e7ced932e37c00cca82c4cdcb31f7 Mon Sep 17 00:00:00 2001 From: Krzysztof Malysa Date: Thu, 30 Jan 2025 15:42:16 +0100 Subject: [PATCH] Add migrating apps installed as if in smack mode on no-smack image Change-Id: I7b147eee82fe00dcaedf57cfbb7a5b1a973083d3 --- policy/security-manager-policy-reload.in | 97 +++++++++++++++++++++++- src/common/privilege_db.cpp | 4 - 2 files changed, 96 insertions(+), 5 deletions(-) diff --git a/policy/security-manager-policy-reload.in b/policy/security-manager-policy-reload.in index bbeae725..18242f4f 100755 --- a/policy/security-manager-policy-reload.in +++ b/policy/security-manager-policy-reload.in @@ -1,4 +1,5 @@ -#!/bin/sh -e +#!/bin/bash +set -euo pipefail # # Copyright (c) 2016-2020 Samsung Electronics Co., Ltd. All rights reserved. 
@@ -145,6 +146,100 @@ done echo "COMMIT;" ) | sqlite3 "$DB_FILE" +# Migrate pkg_id, app_id and privileges for all apps already installed as if smack was enabled +if ! $SMACK_ENABLED; then + cynara_buckets="$(cut -d ';' -f 1 /opt/var/cynara/db/buckets)" + new_puid=10000 # New PUIDs start from this value + function update_new_puid { + taken_puids="$(sqlite3 "$DB_FILE" --batch <<< "SELECT pkg_id FROM pkg WHERE pkg_id>=$new_puid UNION SELECT app_id FROM app WHERE app_id>=$new_puid ORDER BY pkg_id")" + if [[ "$taken_puids" != "" ]]; then + while read -r taken_puid; do + if [[ "$new_puid" == "$taken_puid" ]]; then + new_puid=$((new_puid + 1)) + continue + fi + break; + done <<< "$taken_puids" + fi + } + + # First remap every pkg_id + pkg_ids="$(sqlite3 "$DB_FILE" --batch <<< 'SELECT pkg_id FROM pkg ORDER BY pkg_id')" + if [[ "$pkg_ids" != "" ]]; then + while read -r pkg_id; do + if (( pkg_id < 10000 )); then + update_new_puid + new_pkg_id="$new_puid" + echo "remapping pkg_id: $pkg_id -> $new_pkg_id" + sqlite3 "$DB_FILE" --batch <<< " + BEGIN; + UPDATE pkg SET pkg_id=$new_pkg_id WHERE pkg_id=$pkg_id; + UPDATE app SET pkg_id=$new_pkg_id WHERE pkg_id=$pkg_id; + COMMIT;" + fi + done <<< "$pkg_ids" + fi + + # Then remap every author_id + author_ids="$(sqlite3 "$DB_FILE" --batch <<< 'SELECT author_id FROM author ORDER BY author_id')" + if [[ "$author_ids" != "" ]]; then + new_agid=20000 # New AGIDs start from this value + while read -r author_id; do + if (( author_id < 20000 )); then + taken_agids="$(sqlite3 "$DB_FILE" --batch <<< "SELECT author_id FROM author WHERE author_id>=$new_agid ORDER BY author_id")" + if [[ "$taken_agids" != "" ]]; then + while read -r taken_agid; do + if [[ "$new_agid" == "$taken_agid" ]]; then + new_agid=$((new_agid + 1)) + continue + fi + break; + done <<< "$taken_agids" + fi + new_author_id="$new_agid" + echo "remapping author_id: $author_id -> $new_author_id" + sqlite3 "$DB_FILE" --batch <<< " + BEGIN; + UPDATE author SET author_id=$new_author_id 
WHERE author_id=$author_id; + UPDATE pkg SET author_id=$new_author_id WHERE author_id=$author_id; + COMMIT;" + fi + done <<< "$author_ids" + fi + + # Then remap every app_id + app_ids="$(sqlite3 "$DB_FILE" --batch <<< 'SELECT app.app_id, app.pkg_id, app.name, pkg.name, pkg.is_hybrid FROM app LEFT JOIN pkg USING (pkg_id) ORDER BY app_id')" + if [[ "$app_ids" != "" ]]; then + while IFS='|' read -r app_id pkg_id app_name pkg_name is_hybrid; do + if (( app_id < 10000 )); then + if [[ "$is_hybrid" == 1 ]]; then + echo "Found hybrid app $app_name from package $pkg_name" + exit 1 + fi + echo ">>> migrating app $app_name from package $pkg_name" + update_new_puid + new_app_id="$new_puid" + # Update app_id + sqlite3 "$DB_FILE" --batch <<< " + BEGIN; + UPDATE app SET app_id=$new_app_id WHERE app_id=$app_id; + UPDATE user_app SET app_id=$new_app_id WHERE app_id=$app_id; + UPDATE app_defined_privilege SET app_id=$new_app_id WHERE app_id=$app_id; + UPDATE client_license SET app_id=$new_app_id WHERE app_id=$app_id; + COMMIT;" + # Migrate cynara policies + for bucket in $cynara_buckets; do + cyad --list-policies="$bucket" --client="User::Pkg::$pkg_name" --user='*' --privilege='#' | + while IFS=';' read -r bucket client user privilege type metadata; do + cyad --set-policy --bucket="$bucket" --client="User::Pkg::default_app_no_Smack_mode" --user="$pkg_id" --privilege="$privilege" --type="$type" --metadata="$metadata" + cyad --erase="$bucket" --recursive=no --client="$client" --user="$user" --privilege="$privilege" + done + done + fi + done <<< "$app_ids" + fi +fi + # Start the service with the modified database systemctl start security-manager.service security-manager.socket \ || echo Failed to start security-manager systemd service, continuing regardless diff --git a/src/common/privilege_db.cpp b/src/common/privilege_db.cpp index ca9e7606..12df7c10 100644 --- a/src/common/privilege_db.cpp +++ b/src/common/privilege_db.cpp 
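Review bot: In the app_id loop the hybrid-app branch runs `exit 1` only after the pkg_id and author_id loops, and any earlier apps, have already been committed, so a single hybrid package leaves the database and the Cynara policies half-migrated and the script stops before the `systemctl start` that follows the hunk. The check should run once, before the first UPDATE, as sketched below. The same loop also commits the new app_id before the `cyad --set-policy` / `cyad --erase` calls. If one of those fails and aborts the script, a re-run skips the app because of `app_id < 10000`, and its old `User::Pkg::$pkg_name` policies are never moved. Running the Cynara step ahead of the sqlite COMMIT, or detecting leftover policies on re-run, would make the migration resumable.

```shell
if ! $SMACK_ENABLED; then
    # Refuse before touching the database: a hybrid app cannot be migrated.
    hybrid_apps="$(sqlite3 "$DB_FILE" --batch <<< 'SELECT app.name FROM app JOIN pkg USING (pkg_id) WHERE app.app_id < 10000 AND pkg.is_hybrid = 1')"
    if [[ "$hybrid_apps" != "" ]]; then
        echo "Found hybrid app(s), not migrating: $hybrid_apps" >&2
        exit 1
    fi
    # … unchanged: cynara_buckets, update_new_puid, pkg_id / author_id / app_id remapping …
```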
@@ -858,10 +858,6 @@ int PrivilegeDb::GetFirstFreeId(int startValue, StmtType statement) while (command->Step()) { auto current = command->GetColumnInteger(0); - // skip existing smack-enabled apps - if (current < startValue) - continue; - if (id != current) break; id++; -- 2.34.1