From 8048ef77025ac1ea6834fd756cf417de35550058 Mon Sep 17 00:00:00 2001
From: Rafal Krypa
Date: Tue, 10 May 2016 18:06:50 +0200
Subject: [PATCH] Require usermanagement permission for local app installation for other users

When installation type is set to SM_APP_INSTALL_LOCAL, but uid in the request is different that uid of the calling user, security-manager will now require the usermanagement permission, i.e.: http://tizen.org/privilege/internal/usermanagement
The following API functions are affected:
- security_manager_app_install
- security_manager_app_uninstall
- security_manager_paths_register
Change-Id: Ic9e583e4da923ea391987fbb0cfff7f0abbbc2bb
---
 src/common/service_impl.cpp | 6 +++++-
 src/include/app-manager.h | 9 ++++++---
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
index 9aaafc5..a035875 100755
--- a/src/common/service_impl.cpp
+++ b/src/common/service_impl.cpp
@@ -283,11 +283,15 @@ bool ServiceImpl::authCheck(const Credentials &creds,
 const uid_t& uid,
 int installationType)
 {
- if (installationType == SM_APP_INSTALL_LOCAL && uid == creds.uid) {
+ if (installationType == SM_APP_INSTALL_LOCAL) {
 if (!authenticate(creds, Config::PRIVILEGE_APPINST_USER)) {
 LogError("Caller is not permitted to manage local applications");
 return false;
 }
+ if (uid != creds.uid && !authenticate(creds, Config::PRIVILEGE_USER_ADMIN)) {
+ LogError("Caller is not permitted to manage applications for other users");
+ return false;
+ }
 } else {
 if (!authenticate(creds, Config::PRIVILEGE_APPINST_ADMIN)) {
 LogError("Caller is not permitted to manage global applications");
diff --git a/src/include/app-manager.h b/src/include/app-manager.h
index 02207b2..0fc7085 100644
--- a/src/include/app-manager.h
+++ b/src/include/app-manager.h
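Review bot: In the authCheck hunk of src/common/service_impl.cpp, a local request whose `uid` differs from `creds.uid` used to fall into the `else` branch and need `Config::PRIVILEGE_APPINST_ADMIN`; with the new condition it is authorised by `PRIVILEGE_APPINST_USER` plus `PRIVILEGE_USER_ADMIN`, and the admin-install privilege is no longer consulted. The commit description mentions only the added usermanagement requirement, so the swap deserves a comment above the new check, e.g. `// Local request for another user: APPINST_USER and USER_ADMIN are both required; APPINST_ADMIN is not checked on this path.` The new denial message also names neither the caller nor the target, so recording `creds.uid` and `uid` there would make refused cross-user attempts traceable in the logs, assuming LogError's formatting allows it. authCheck's signature begins in the hunk header and its body ends outside the hunk.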
@@ -130,6 +130,7 @@ int security_manager_app_inst_req_set_install_type(app_inst_req *p_req, const en
 * Required privileges:
 * - http://tizen.org/privilege/notexist (local installation)
 * - http://tizen.org/privilege/notexist (global installation)
+ * - http://tizen.org/privilege/internal/usermanagement (local installation for other users)
 *
 * \param[in] Pointer handling app_inst_req structure
 * \return API return code or error code: it would be
@@ -145,8 +146,9 @@ int security_manager_app_install(const app_inst_req *p_req);
 * using filled up app_inst_req data structure
 *
 * Required privileges:
- * - http://tizen.org/privilege/notexist (private uninstallation)
+ * - http://tizen.org/privilege/notexist (local uninstallation)
 * - http://tizen.org/privilege/notexist (global uninstallation)
+ * - http://tizen.org/privilege/internal/usermanagement (local uninstallation for other users)
 *
 * \param[in] Pointer handling app_inst_req structure
 * \return API return code or error code
@@ -216,8 +218,9 @@ int security_manager_path_req_set_uid(path_req *p_req, const uid_t uid);
 * filled up path_req data structure.
 *
 * Required privileges:
- * - http://tizen.org/privilege/notexist (if uid is not set or set to current user's uid)
- * - http://tizen.org/privilege/notexist (if uid is set to some other user's uid)
+ * - http://tizen.org/privilege/notexist (local installation)
+ * - http://tizen.org/privilege/notexist (global installation)
+ * - http://tizen.org/privilege/internal/usermanagement (local installation for other users)
 *
 * \param[in] p_req Pointer handling path_req structure
 *
-- 2.7.4
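Review bot: The three "Required privileges" lists changed in src/include/app-manager.h present the usermanagement privilege as one more alternative, but the authCheck change in this commit checks it in addition to the local-installation privilege, not instead of it. The new bullets would read more accurately as `(additionally required for local installation for other users)`, with the matching wording for the uninstallation list. The third list now describes the cases as "local installation" and "global installation" where it previously spoke of the uid being set; since that comment block belongs to a declaration outside the hunk (presumably the path registration call), a short remark on how the installation type relates to the request's uid would help callers. The local and global entries still name `http://tizen.org/privilege/notexist`, which looks like a placeholder and is worth replacing if the real privilege names are known.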