From 699a7a54fac998e9cbf19b16ee3e26f77f4530c4 Mon Sep 17 00:00:00 2001
From: Myungki Lee <mk5004.lee@samsung.com>
Date: Thu, 3 Mar 2016 17:26:26 +0900
Subject: [PATCH] Check privilege in app_context_set_event_cb

Change-Id: I5b850d2faa85f8b938b19561c859273e6eb2c033
Signed-off-by: Myungki Lee <mk5004.lee@samsung.com>
---
 CMakeLists.txt                        |  3 +-
 packaging/capi-appfw-app-manager.spec |  1 +
 src/app_context.c                     | 10 ++++++
 src/app_manager.c                     | 66 +++++++++++++++++++++++++++++++++++
 src/app_manager_internal.h            |  3 ++
 5 files changed, 82 insertions(+), 1 deletion(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 0da6617..2f8edd0 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -13,7 +13,8 @@ pkg_check_modules(PKGS REQUIRED
 	aul
 	pkgmgr
 	pkgmgr-info
-	glib-2.0)
+	glib-2.0
+	cynara-client)
 FOREACH(FLAGS ${PKGS_CFLAGS})
 	SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${FLAGS}")
 ENDFOREACH(FLAGS)
diff --git a/packaging/capi-appfw-app-manager.spec b/packaging/capi-appfw-app-manager.spec
index 1812c6a..a9d9aa2 100644
--- a/packaging/capi-appfw-app-manager.spec
+++ b/packaging/capi-appfw-app-manager.spec
@@ -13,6 +13,7 @@ BuildRequires:  pkgconfig(pkgmgr)
 BuildRequires:  pkgconfig(pkgmgr-info)
 BuildRequires:  pkgconfig(capi-base-common)
 BuildRequires:  pkgconfig(glib-2.0)
+BuildRequires:  pkgconfig(cynara-client)
 Requires(post): /sbin/ldconfig
 Requires(postun): /sbin/ldconfig
 
diff --git a/src/app_context.c b/src/app_context.c
index 7d6878e..695a683 100644
--- a/src/app_context.c
+++ b/src/app_context.c
@@ -529,9 +529,19 @@ static int app_context_terminated_event_cb(pid_t pid, void *data)
 
 int app_context_set_event_cb(app_manager_app_context_event_cb callback, void *user_data)
 {
+	int ret;
+
 	if (callback == NULL)
 		return app_manager_error(APP_MANAGER_ERROR_INVALID_PARAMETER, __FUNCTION__, NULL);
 
+	ret = app_manager_check_privilege(PRIVILEGE_PKGMGR_INFO);
+	if (ret != APP_MANAGER_ERROR_NONE) {
+		if (ret == APP_MANAGER_ERROR_PERMISSION_DENIED)
+			return app_manager_error(APP_MANAGER_ERROR_PERMISSION_DENIED, __FUNCTION__, NULL);
+		else
+			return app_manager_error(APP_MANAGER_ERROR_IO_ERROR, __FUNCTION__, NULL);
+	}
+
 	app_context_lock_event_cb_context();
 
 	if (event_cb_context == NULL) {
diff --git a/src/app_manager.c b/src/app_manager.c
index fdd35a6..2aaa4e2 100644
--- a/src/app_manager.c
+++ b/src/app_manager.c
@@ -19,9 +19,11 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
+#include <fcntl.h>
 
 #include <aul.h>
 #include <dlog.h>
+#include <cynara-client.h>
 
 #include "app_manager.h"
 #include "app_manager_internal.h"
@@ -32,6 +34,7 @@
 
 #define LOG_TAG "CAPI_APPFW_APP_MANAGER"
 
+#define SMACK_LABEL_LEN 255
 
 static const char* app_manager_error_to_string(app_manager_error_e error)
 {
@@ -52,6 +55,8 @@ static const char* app_manager_error_to_string(app_manager_error_e error)
 		return "Invalid package";
 	case APP_MANAGER_ERROR_NOT_SUPPORTED:
 		return "Not supported";
+	case APP_MANAGER_ERROR_PERMISSION_DENIED:
+		return "Permission denied";
 	default:
 		return "Unknown";
 	}
@@ -67,6 +72,67 @@ int app_manager_error(app_manager_error_e error, const char* function, const cha
 	return error;
 }
 
+int app_manager_check_privilege(char *privilege)
+{
+	cynara *p_cynara;
+	int fd;
+	int ret;
+
+	char client[SMACK_LABEL_LEN + 1] = "";
+	char uid[10] = {0,};
+	char *client_session = "";
+
+	if (privilege == NULL) {
+		LOGE("invalid parameter");
+		return APP_MANAGER_ERROR_INVALID_PARAMETER;
+	}
+
+	ret = cynara_initialize(&p_cynara, NULL);
+	if (ret != CYNARA_API_SUCCESS) {
+		LOGE("cynara_initialize [%d] failed!", ret);
+		return APP_MANAGER_ERROR_IO_ERROR;
+	}
+
+	fd = open("/proc/self/attr/current", O_RDONLY);
+	if (fd < 0) {
+		LOGE("open [%d] failed!", errno);
+		ret = APP_MANAGER_ERROR_IO_ERROR;
+		goto out;
+	}
+
+	ret = read(fd, client, SMACK_LABEL_LEN);
+	if (ret < 0) {
+		LOGE("read [%d] failed!", errno);
+		close(fd);
+		ret = APP_MANAGER_ERROR_IO_ERROR;
+		goto out;
+	}
+
+	close(fd);
+
+	snprintf(uid, 10, "%d", getuid());
+
+	ret = cynara_check(p_cynara, client, client_session, uid, privilege);
+	if (ret != CYNARA_API_ACCESS_ALLOWED) {
+		LOGE("cynara access check [%d] failed!", ret);
+
+		if (ret == CYNARA_API_ACCESS_DENIED)
+			ret = APP_MANAGER_ERROR_PERMISSION_DENIED;
+		else
+			ret = APP_MANAGER_ERROR_IO_ERROR;
+
+		goto out;
+	}
+
+	ret = APP_MANAGER_ERROR_NONE;
+
+out:
+	if (p_cynara)
+		cynara_finish(p_cynara);
+
+	return ret;
+}
+
 API int app_manager_set_app_context_event_cb(app_manager_app_context_event_cb callback, void *user_data)
 {
 	int retval = app_context_set_event_cb(callback, user_data);
diff --git a/src/app_manager_internal.h b/src/app_manager_internal.h
index 7a5a596..d7185f6 100644
--- a/src/app_manager_internal.h
+++ b/src/app_manager_internal.h
@@ -36,6 +36,8 @@ extern "C" {
  * @{
  */
 
+#define PRIVILEGE_PKGMGR_INFO "http://tizen.org/privilege/packagemanager.info"
+
 int app_manager_error(app_manager_error_e error, const char* function, const char *description);
 
 int app_context_foreach_app_context(app_manager_app_context_cb callback, void *user_data);
@@ -52,6 +54,7 @@ int app_info_foreach_app_info(app_manager_app_info_cb callback, void *user_data)
 
 int app_info_get_app_info(const char *app_id, app_info_h *app_info);
 
+int app_manager_check_privilege(char *privilege);
 /**
  * @}
  */
-- 
2.7.4