From dc415e1bcfd85a8603d474edecbb686de1cda2fd Mon Sep 17 00:00:00 2001
From: Zofia Grzelewska
Date: Tue, 28 Nov 2017 16:40:24 +0100
Subject: [PATCH] Don't set policy for privileges not in application manifest

Policy is checked/set for those privacy privileges, which had any policy in privacy bucket for given user and application.
Change-Id: Ica8bf4a9b753418ab5517194e047b83343903686
---
 src/client/impl/ApiInterfaceImpl.cpp | 2 +-
 src/common/policy/Policy.cpp | 44 +++++++++++++++++++------------
 src/common/policy/Policy.h | 4 ++-
 src/notification-daemon/PolicyUpdater.cpp | 5 ++++
 4 files changed, 36 insertions(+), 19 deletions(-)

diff --git a/src/client/impl/ApiInterfaceImpl.cpp b/src/client/impl/ApiInterfaceImpl.cpp
index 4ee3f27..4dc2094 100644
--- a/src/client/impl/ApiInterfaceImpl.cpp
+++ b/src/client/impl/ApiInterfaceImpl.cpp
@@ -98,7 +98,7 @@ askuser_check_result ApiInterfaceImpl::checkPrivilege(const std::string &privile
 {
 std::string appId = getOwnAppId();
- auto policyLevel = getPrivilegePolicy(appId, privilege);
+ auto policyLevel = getPrivilegeMappedPolicy(appId, privilege);
 if (policyLevel == "Allow") {
 return ASKUSER_CHECK_RESULT_ALLOW;
diff --git a/src/common/policy/Policy.cpp b/src/common/policy/Policy.cpp
index feb4867..a393f0b 100644
--- a/src/common/policy/Policy.cpp
+++ b/src/common/policy/Policy.cpp
@@ -90,30 +90,40 @@ Policy calculatePolicyForPrivacy(const std::string &appId, const Privacy &privac
 auto privileges = PrivilegeInfo::getPrivacyPrivileges(privacy);
 for (const auto &privilege : privileges) {
 ALOGD("Calculating policy for privilege " << privilege);
- PolicyEntry filter;
- filter.setApp(appId);
- filter.setUser(std::to_string(geteuid()));
- filter.setPrivilege(privilege);
-
- PolicyFetchRequest fetch(std::move(filter));
- auto policies = fetch.fetchPolicy();
- if (policies.size() == 0) {
- ALOGD("No policy for given privilege " << privilege);
- continue;
- }
- if (policies.size() > 1) {
- ALOGW("Something went wrong, there should be no more than one policy for specific filter");
- // FIXME : don't really know what to do with it. Lets ignore it for now.
+
+ std::string policyLevel = getPrivilegePolicy(appId, privilege);
+
+ if (policyLevel.empty()) {
+ ALOGE("Couldn't get policy level, skipping");
 continue;
 }
- std::string policyLevel = policies[0].getLevel();
- ALOGD("Fetched policy level : " << policyLevel);
+ ALOGD("Fetched policy level : " << policyLevel);
 privsPolicies.push_back(std::move(policyLevel));
 }
 return getMinimumPolicy(privsPolicies);
 }
+Policy getPrivilegePolicy(const std::string &appId, const Privilege &privilege) {
+ PolicyEntry filter;
+ filter.setApp(appId);
+ filter.setUser(std::to_string(geteuid()));
+ filter.setPrivilege(privilege);
+
+ PolicyFetchRequest fetch(std::move(filter));
+ auto policies = fetch.fetchPolicy();
+ if (policies.size() == 0) {
+ ALOGD("No policy for given privilege " << privilege);
+ return "";
+ }
+ if (policies.size() > 1) {
+ ALOGW("Something went wrong, there should be no more than one policy for specific filter");
+ // FIXME : don't really know what to do with it. Lets ignore it for now.
+ return "";
+ }
+ return policies[0].getLevel();
+}
+
 Policy getPrivaciesPolicy(const std::string &appId, const std::vector &privacies) {
 std::vector policies;
 for (auto &privacy : privacies) {
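Review bot: The new `getPrivilegePolicy` returns `""` both when no entry exists and when `fetchPolicy()` returns more than one entry, so its callers cannot tell a privilege without a policy from an inconsistent policy store. In `calculatePolicyForPrivacy` both cases are skipped before `getMinimumPolicy`, which means a privilege with conflicting entries drops out of the minimum instead of constraining it, and the ordinary no-policy case is now reported with `ALOGE` rather than the earlier `ALOGD`. Consider a distinct result for the ambiguous case, or at least state the contract above the helper, e.g. `// Returns the stored level for (appId, euid, privilege); "" if no entry exists or the lookup is ambiguous.`, and log the skip in the loop at debug level. What `getMinimumPolicy` returns when every privilege was skipped is not visible in this hunk and is worth confirming.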
@@ -144,7 +154,7 @@ void identifyApp(const std::string &client, std::string &appId, std::string &pkg
 pkgLabel = pkgInfo.pkgLabel();
 }
-Policy getPrivilegePolicy(const std::string &appId, const std::string &privilege) {
+Policy getPrivilegeMappedPolicy(const std::string &appId, const std::string &privilege) {
 std::vector privacies = PrivilegeInfo::getPrivilegePrivaciesMapping(appId, privilege);
 if (privacies.empty()) {
 ALOGE("Privilege doesn't map to any privacy");
diff --git a/src/common/policy/Policy.h b/src/common/policy/Policy.h
index b742a7e..300fa52 100644
--- a/src/common/policy/Policy.h
+++ b/src/common/policy/Policy.h
@@ -36,9 +36,11 @@ void identifyApp(const std::string &client, std::string &appId, std::string &pkg
 Policy calculatePolicyForPrivacy(const std::string &appId, const Privacy &privacy);
 Policy getMinimumPolicy(const std::vector &policies);
-Policy getPrivilegePolicy(const std::string &appId, const Privilege &privilege);
+Policy getPrivilegeMappedPolicy(const std::string &appId, const Privilege &privilege);
 Policy getPrivaciesPolicy(const std::string &appId, const std::vector &privacies);
+Policy getPrivilegePolicy(const std::string &appId, const Privilege &corePrivilege);
+
 class PolicyEntry {
 public:
diff --git a/src/notification-daemon/PolicyUpdater.cpp b/src/notification-daemon/PolicyUpdater.cpp
index a4064e2..fdf2e15 100644
--- a/src/notification-daemon/PolicyUpdater.cpp
+++ b/src/notification-daemon/PolicyUpdater.cpp
@@ -50,6 +50,11 @@ bool PolicyUpdater::update(const std::string &appId,
 }
 for (auto &priv : privacyPrivs) {
+ std::string currentPolicy = getPrivilegePolicy(appId, priv);
+ if (currentPolicy.empty()) {
+ ALOGD("Application didn't request privilege " << priv << ", skipping");
+ continue;
+ }
 ALOGD("Adding policy entries for : app: " << appId << ", priv: " << priv << ", user:" << user << ", level: " << level);
--
2.7.4
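Review bot: `getPrivilegePolicy` keeps its old name and an apparently compatible signature in Policy.h but now means the raw per-privilege lookup, while the privacy-mapped result moved to `getPrivilegeMappedPolicy`; any caller not touched by this patch would still compile and silently get different answers. The visible call site in `ApiInterfaceImpl::checkPrivilege` is updated, but callers outside this diff should be checked, or the raw lookup given a new name instead. The declaration also names its parameter `corePrivilege` where the definition uses `privilege`, and it carries no comment; something like `// Raw policy level stored for this privilege; empty when none is stored.` above it would make the difference from the mapped variant explicit.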
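Review bot: The check added at the top of the loop in `PolicyUpdater::update` looks up the policy for the daemon's effective UID, not for the `user` this update writes entries for: `getPrivilegePolicy` builds its filter with `std::to_string(geteuid())` (Policy.cpp), while the log line that follows reports `user`. If the two can differ, privileges are skipped or kept based on another user's bucket; passing the user through, e.g. `getPrivilegePolicy(appId, priv, user)`, would tie the check to the entries being written. An empty result also covers the more-than-one-entry case in the helper, so the message `Application didn't request privilege` can be wrong and the update for that privilege is dropped without a warning. `update()` starts and ends outside this hunk, so how `user` is derived is not visible here.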