From b10063c6aa5307343772800f017ea1267cf33f76 Mon Sep 17 00:00:00 2001 From: Lukasz Wojciechowski Date: Fri, 10 Jul 2015 13:54:21 +0200 Subject: [PATCH 01/16] Fix tzplatform-config linkage tzplatform-config was linked with cmd and service, but wasn't with common and client libraries. In fact it's used only by common library. This patch makes, only common library links with libtzplatform-config. Linkage with binaries is removed. Change-Id: Ia6bee0c47d1e5496c36a5479e19be198e4e1ab9b --- src/cmd/CMakeLists.txt | 1 - src/common/CMakeLists.txt | 1 + src/server/CMakeLists.txt | 1 - 3 files changed, 1 insertion(+), 2 deletions(-) diff --git a/src/cmd/CMakeLists.txt b/src/cmd/CMakeLists.txt index 70556c6..9c0e192 100644 --- a/src/cmd/CMakeLists.txt +++ b/src/cmd/CMakeLists.txt @@ -1,6 +1,5 @@ PKG_CHECK_MODULES(CMD_DEP REQUIRED - libtzplatform-config ) FIND_PACKAGE(Boost REQUIRED COMPONENTS program_options) diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt index 5fdd83d..b3355c2 100644 --- a/src/common/CMakeLists.txt +++ b/src/common/CMakeLists.txt @@ -8,6 +8,7 @@ PKG_CHECK_MODULES(COMMON_DEP db-util cynara-admin cynara-client-async + libtzplatform-config ) FIND_PACKAGE(Boost REQUIRED) diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt index b4efd53..3c3be5d 100644 --- a/src/server/CMakeLists.txt +++ b/src/server/CMakeLists.txt @@ -1,7 +1,6 @@ PKG_CHECK_MODULES(SERVER_DEP REQUIRED libsystemd-daemon - libtzplatform-config cynara-client ) -- 2.7.4 From cdf4595a9bd05ee18a7d7cfee4383ad98a542e8d Mon Sep 17 00:00:00 2001 From: Zofia Abramowska Date: Tue, 11 Aug 2015 17:25:28 +0200 Subject: [PATCH 02/16] Add script and config for privilege mapping setting Change-Id: I28d9b62547c5415f7cfc3c5934b75d4b6b6c020f --- policy/CMakeLists.txt | 1 + policy/privilege-mapping.list | 195 ++++++++++++++++++++++++++++++++++ policy/security-manager-policy-reload | 14 +++ 3 files changed, 210 insertions(+) create mode 100644 policy/privilege-mapping.list 
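Review bot: After the src/cmd/CMakeLists.txt hunk, `PKG_CHECK_MODULES(CMD_DEP REQUIRED )` lists no modules, so the call checks nothing and the CMD_DEP_* variables presumably expand to empty. Drop the call together with the CMD_DEP references further down the file (outside the hunk), or add a comment such as `# no pkg-config dependencies yet; kept as a placeholder`. If any cmd or server source calls tzplatform functions directly instead of going through the common library, those binaries now depend on the transitive link, which is worth confirming with a clean build.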
diff --git a/policy/CMakeLists.txt b/policy/CMakeLists.txt
index bd08edc..bb795dd 100644
--- a/policy/CMakeLists.txt
+++ b/policy/CMakeLists.txt
@@ -2,4 +2,5 @@ FILE(GLOB USERTYPE_POLICY_FILES usertype-*.profile)
 INSTALL(FILES ${USERTYPE_POLICY_FILES} DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy)
 INSTALL(FILES "app-rules-template.smack" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy)
 INSTALL(FILES "privilege-group.list" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy)
+INSTALL(FILES "privilege-mapping.list" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy)
 INSTALL(PROGRAMS security-manager-policy-reload DESTINATION ${BIN_INSTALL_DIR})
diff --git a/policy/privilege-mapping.list b/policy/privilege-mapping.list
new file mode 100644
index 0000000..732165d
--- /dev/null
+++ b/policy/privilege-mapping.list
@@ -0,0 +1,195 @@ +2.3 3.0 http://tizen.org/privilege/account.read http://tizen.org/privilege/account.read +2.3 3.0 http://tizen.org/privilege/account.write http://tizen.org/privilege/account.write +2.3 3.0 http://tizen.org/privilege/alarm http://tizen.org/privilege/alarm.get +2.3 3.0 http://tizen.org/privilege/alarm http://tizen.org/privilege/alarm.set +2.3 3.0 http://tizen.org/privilege/application.info http://tizen.org/privilege/packagemanager.info +2.3 3.0 http://tizen.org/privilege/application.kill http://tizen.org/privilege/appmanager.kill +2.3 3.0 http://tizen.org/privilege/application.launch http://tizen.org/privilege/appmanager.launch +2.3 3.0 http://tizen.org/privilege/application.read http://tizen.org/privilege/application.read +2.3 3.0 http://tizen.org/privilege/appmanager.certificate http://tizen.org/privilege/appmanager.certificate +2.3 3.0 http://tizen.org/privilege/appmanager.kill http://tizen.org/privilege/appmanager.kill +2.3 3.0 http://tizen.org/privilege/bluetooth.admin http://tizen.org/privilege/bluetooth.admin +2.3 3.0 http://tizen.org/privilege/bluetooth.gap http://tizen.org/privilege/bluetooth.admin +2.3 3.0 http://tizen.org/privilege/bluetooth.health http://tizen.org/privilege/bluetooth.admin +2.3 3.0 http://tizen.org/privilege/bluetooth.spp http://tizen.org/privilege/bluetooth.admin +2.3 3.0 http://tizen.org/privilege/bluetoothmanager http://tizen.org/privilege/bluetooth.admin +2.3 3.0 http://tizen.org/privilege/bookmark.read http://tizen.org/privilege/bookmark.admin +2.3 3.0 http://tizen.org/privilege/bookmark.write http://tizen.org/privilege/bookmark.admin +2.3 3.0 http://tizen.org/privilege/calendar.read http://tizen.org/privilege/calendar.read +2.3 3.0 http://tizen.org/privilege/calendar.write http://tizen.org/privilege/calendar.read +2.3 3.0 http://tizen.org/privilege/calendar.write http://tizen.org/privilege/calendar.write +2.3 3.0 http://tizen.org/privilege/call http://tizen.org/privilege/call +2.3 3.0 
http://tizen.org/privilege/callhistory.read http://tizen.org/privilege/callhistory.read +2.3 3.0 http://tizen.org/privilege/callhistory.read http://tizen.org/privilege/contact.read +2.3 3.0 http://tizen.org/privilege/callhistory.read http://tizen.org/privilege/telephony +2.3 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/callhistory.read +2.3 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/callhistory.write +2.3 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/contact.read +2.3 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/contact.write +2.3 3.0 http://tizen.org/privilege/contact.read http://tizen.org/privilege/contact.read +2.3 3.0 http://tizen.org/privilege/contact.write http://tizen.org/privilege/contact.read +2.3 3.0 http://tizen.org/privilege/contact.write http://tizen.org/privilege/contact.write +2.3 3.0 http://tizen.org/privilege/content.read http://tizen.org/privilege/content.write +2.3 3.0 http://tizen.org/privilege/content.write http://tizen.org/privilege/content.write +2.3 3.0 http://tizen.org/privilege/datacontrol.consumer http://tizen.org/privilege/appmanager.launch +2.3 3.0 http://tizen.org/privilege/datacontrol.consumer http://tizen.org/privilege/datasharing +2.3 3.0 http://tizen.org/privilege/download http://tizen.org/privilege/download +2.3 3.0 http://tizen.org/privilege/filesystem.read http://tizen.org/privilege/systemsettings.admin +2.3 3.0 http://tizen.org/privilege/filesystem.write http://tizen.org/privilege/systemsettings.admin +2.3 3.0 http://tizen.org/privilege/fullscreen http://tizen.org/privilege/fullscreen +2.3 3.0 http://tizen.org/privilege/healthinfo http://tizen.org/privilege/healthinfo +2.3 3.0 http://tizen.org/privilege/ime http://tizen.org/privilege/ime +2.3 3.0 http://tizen.org/privilege/internet http://tizen.org/privilege/internet +2.3 3.0 http://tizen.org/privilege/keymanager http://tizen.org/privilege/keymanager +2.3 
3.0 http://tizen.org/privilege/led http://tizen.org/privilege/led +2.3 3.0 http://tizen.org/privilege/location http://tizen.org/privilege/location +2.3 3.0 http://tizen.org/privilege/mediacapture http://tizen.org/privilege/camera +2.3 3.0 http://tizen.org/privilege/mediacapture http://tizen.org/privilege/recorder +2.3 3.0 http://tizen.org/privilege/mediacontroller.client http://tizen.org/privilege/mediacontroller.client +2.3 3.0 http://tizen.org/privilege/mediacontroller.server http://tizen.org/privilege/mediacontroller.server +2.3 3.0 http://tizen.org/privilege/messaging.read http://tizen.org/privilege/email +2.3 3.0 http://tizen.org/privilege/messaging.read http://tizen.org/privilege/message.read +2.3 3.0 http://tizen.org/privilege/messaging.read http://tizen.org/privilege/mediastorage +2.3 3.0 http://tizen.org/privilege/messaging.send http://tizen.org/privilege/callhistory.read +2.3 3.0 http://tizen.org/privilege/messaging.send http://tizen.org/privilege/callhistory.write +2.3 3.0 http://tizen.org/privilege/messaging.send http://tizen.org/privilege/contact.read +2.3 3.0 http://tizen.org/privilege/messaging.send http://tizen.org/privilege/contact.write +2.3 3.0 http://tizen.org/privilege/messaging.send http://tizen.org/privilege/email +2.3 3.0 http://tizen.org/privilege/messaging.send http://tizen.org/privilege/message.read +2.3 3.0 http://tizen.org/privilege/messaging.send http://tizen.org/privilege/message.write +2.3 3.0 http://tizen.org/privilege/messaging.send http://tizen.org/privilege/mediastorage +2.3 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/callhistory.read +2.3 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/callhistory.write +2.3 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/contact.read +2.3 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/contact.write +2.3 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/email +2.3 
3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/message.read +2.3 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/message.write +2.3 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/mediastorage +2.3 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/telephony +2.3 3.0 http://tizen.org/privilege/networkbearerselection http://tizen.org/privilege/network.set +2.3 3.0 http://tizen.org/privilege/nfc.admin http://tizen.org/privilege/secureelement +2.3 3.0 http://tizen.org/privilege/nfc.admin http://tizen.org/privilege/nfc.admin +2.3 3.0 http://tizen.org/privilege/nfc.cardemulation http://tizen.org/privilege/nfc.cardemulation +2.3 3.0 http://tizen.org/privilege/nfc.common http://tizen.org/privilege/secureelement +2.3 3.0 http://tizen.org/privilege/nfc.common http://tizen.org/privilege/nfc +2.3 3.0 http://tizen.org/privilege/nfc.p2p http://tizen.org/privilege/secureelement +2.3 3.0 http://tizen.org/privilege/nfc.p2p http://tizen.org/privilege/nfc +2.3 3.0 http://tizen.org/privilege/nfc.tag http://tizen.org/privilege/secureelement +2.3 3.0 http://tizen.org/privilege/nfc.tag http://tizen.org/privilege/nfc +2.3 3.0 http://tizen.org/privilege/notification.read http://tizen.org/privilege/notification +2.3 3.0 http://tizen.org/privilege/notification http://tizen.org/privilege/notification +2.3 3.0 http://tizen.org/privilege/notification http://tizen.org/privilege/packagemanager.info +2.3 3.0 http://tizen.org/privilege/notification.write http://tizen.org/privilege/notification +2.3 3.0 http://tizen.org/privilege/package.info http://tizen.org/privilege/packagemanager.info +2.3 3.0 http://tizen.org/privilege/packagemanager.install http://tizen.org/privilege/packagemanager.admin +2.3 3.0 http://tizen.org/privilege/power http://tizen.org/privilege/display +2.3 3.0 http://tizen.org/privilege/push http://tizen.org/privilege/push +2.3 3.0 http://tizen.org/privilege/secureelement 
http://tizen.org/privilege/secureelement +2.3 3.0 http://tizen.org/privilege/setting http://tizen.org/privilege/systemsettings.admin +2.3 3.0 http://tizen.org/privilege/system http://tizen.org/privilege/telephony +2.3 3.0 http://tizen.org/privilege/systeminfo http://tizen.org/privilege/network.get +2.3 3.0 http://tizen.org/privilege/systeminfo http://tizen.org/privilege/telephony +2.3 3.0 http://tizen.org/privilege/telephony http://tizen.org/privilege/telephony +2.3 3.0 http://tizen.org/privilege/unlimitedstorage http://tizen.org/privilege/unlimitedstorage +2.3 3.0 http://tizen.org/privilege/volume.set http://tizen.org/privilege/volume.set +2.3 3.0 http://tizen.org/privilege/message.read http://tizen.org/privilege/message.read +2.3 3.0 http://tizen.org/privilege/network.get http://tizen.org/privilege/network.get +2.3 3.0 http://tizen.org/privilege/internet http://tizen.org/privilege/internet +2.3 3.0 http://tizen.org/privilege/notification http://tizen.org/privilege/notification +2.3 3.0 http://tizen.org/privilege/mediastorage http://tizen.org/privilege/mediastorage +2.3 3.0 http://tizen.org/privilege/mediacontroller.server http://tizen.org/privilege/mediacontroller.server +2.3 3.0 http://tizen.org/privilege/packagemanager.admin http://tizen.org/privilege/packagemanager.admin +2.3 3.0 http://tizen.org/privilege/appmanager.certificate http://tizen.org/privilege/appmanager.certificate +2.3 3.0 http://tizen.org/privilege/keymanager http://tizen.org/privilege/keymanager +2.3 3.0 http://tizen.org/privilege/callhistory.read http://tizen.org/privilege/callhistory.read +2.3 3.0 http://tizen.org/privilege/calendar.read http://tizen.org/privilege/calendar.read +2.3 3.0 http://tizen.org/privilege/push http://tizen.org/privilege/push +2.3 3.0 http://tizen.org/privilege/nfc http://tizen.org/privilege/nfc +2.3 3.0 http://tizen.org/privilege/camera http://tizen.org/privilege/camera +2.3 3.0 http://tizen.org/privilege/contact.write http://tizen.org/privilege/contact.write +2.3 3.0 
http://tizen.org/privilege/message.write http://tizen.org/privilege/message.write +2.3 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/callhistory.write +2.3 3.0 http://tizen.org/privilege/datasharing http://tizen.org/privilege/datasharing +2.3 3.0 http://tizen.org/privilege/unlimitedstorage http://tizen.org/privilege/unlimitedstorage +2.3 3.0 http://tizen.org/privilege/display http://tizen.org/privilege/display +2.3 3.0 http://tizen.org/privilege/bluetooth.admin http://tizen.org/privilege/bluetooth.admin +2.3 3.0 http://tizen.org/privilege/appmanager.launch http://tizen.org/privilege/appmanager.launch +2.3 3.0 http://tizen.org/privilege/telephony http://tizen.org/privilege/telephony +2.3 3.0 http://tizen.org/privilege/download http://tizen.org/privilege/download +2.3 3.0 http://tizen.org/privilege/recorder http://tizen.org/privilege/recorder +2.3 3.0 http://tizen.org/privilege/account.write http://tizen.org/privilege/account.write +2.3 3.0 http://tizen.org/privilege/contact.read http://tizen.org/privilege/contact.read +2.3 3.0 http://tizen.org/privilege/nfc.cardemulation http://tizen.org/privilege/nfc.cardemulation +2.3 3.0 http://tizen.org/privilege/led http://tizen.org/privilege/led +2.3 3.0 http://tizen.org/privilege/account.read http://tizen.org/privilege/account.read +2.3 3.0 http://tizen.org/privilege/call http://tizen.org/privilege/call +2.3 3.0 http://tizen.org/privilege/nfc.admin http://tizen.org/privilege/nfc.admin +2.3 3.0 http://tizen.org/privilege/fullscreen http://tizen.org/privilege/fullscreen +2.3 3.0 http://tizen.org/privilege/network.set http://tizen.org/privilege/network.set +2.3 3.0 http://tizen.org/privilege/volume.set http://tizen.org/privilege/volume.set +2.3 3.0 http://tizen.org/privilege/application.read http://tizen.org/privilege/application.read +2.3 3.0 http://tizen.org/privilege/content.write http://tizen.org/privilege/content.write +2.3 3.0 http://tizen.org/privilege/location 
http://tizen.org/privilege/location +2.3 3.0 http://tizen.org/privilege/bookmark.admin http://tizen.org/privilege/bookmark.admin +2.3 3.0 http://tizen.org/privilege/ime http://tizen.org/privilege/ime +2.3 3.0 http://tizen.org/privilege/systemsettings.admin http://tizen.org/privilege/systemsettings.admin +2.3 3.0 http://tizen.org/privilege/packagemanager.info http://tizen.org/privilege/packagemanager.info +2.3 3.0 http://tizen.org/privilege/mediacontroller.client http://tizen.org/privilege/mediacontroller.client +2.3 3.0 http://tizen.org/privilege/healthinfo http://tizen.org/privilege/healthinfo +2.3 3.0 http://tizen.org/privilege/alarm.set http://tizen.org/privilege/alarm.set +2.3 3.0 http://tizen.org/privilege/appmanager.kill http://tizen.org/privilege/appmanager.kill +2.3 3.0 http://tizen.org/privilege/secureelement http://tizen.org/privilege/secureelement +2.3 3.0 http://tizen.org/privilege/alarm.get http://tizen.org/privilege/alarm.get +2.3 3.0 http://tizen.org/privilege/calendar.write http://tizen.org/privilege/calendar.write +2.3 3.0 http://tizen.org/privilege/email http://tizen.org/privilege/email +2.4 3.0 http://tizen.org/privilege/message.read http://tizen.org/privilege/message.read +2.4 3.0 http://tizen.org/privilege/network.get http://tizen.org/privilege/network.get +2.4 3.0 http://tizen.org/privilege/internet http://tizen.org/privilege/internet +2.4 3.0 http://tizen.org/privilege/notification http://tizen.org/privilege/notification +2.4 3.0 http://tizen.org/privilege/mediastorage http://tizen.org/privilege/mediastorage +2.4 3.0 http://tizen.org/privilege/mediacontroller.server http://tizen.org/privilege/mediacontroller.server +2.4 3.0 http://tizen.org/privilege/packagemanager.admin http://tizen.org/privilege/packagemanager.admin +2.4 3.0 http://tizen.org/privilege/appmanager.certificate http://tizen.org/privilege/appmanager.certificate +2.4 3.0 http://tizen.org/privilege/keymanager http://tizen.org/privilege/keymanager +2.4 3.0 
http://tizen.org/privilege/callhistory.read http://tizen.org/privilege/callhistory.read +2.4 3.0 http://tizen.org/privilege/calendar.read http://tizen.org/privilege/calendar.read +2.4 3.0 http://tizen.org/privilege/push http://tizen.org/privilege/push +2.4 3.0 http://tizen.org/privilege/nfc http://tizen.org/privilege/nfc +2.4 3.0 http://tizen.org/privilege/camera http://tizen.org/privilege/camera +2.4 3.0 http://tizen.org/privilege/contact.write http://tizen.org/privilege/contact.write +2.4 3.0 http://tizen.org/privilege/message.write http://tizen.org/privilege/message.write +2.4 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/callhistory.write +2.4 3.0 http://tizen.org/privilege/datasharing http://tizen.org/privilege/datasharing +2.4 3.0 http://tizen.org/privilege/unlimitedstorage http://tizen.org/privilege/unlimitedstorage +2.4 3.0 http://tizen.org/privilege/display http://tizen.org/privilege/display +2.4 3.0 http://tizen.org/privilege/bluetooth.admin http://tizen.org/privilege/bluetooth.admin +2.4 3.0 http://tizen.org/privilege/appmanager.launch http://tizen.org/privilege/appmanager.launch +2.4 3.0 http://tizen.org/privilege/telephony http://tizen.org/privilege/telephony +2.4 3.0 http://tizen.org/privilege/download http://tizen.org/privilege/download +2.4 3.0 http://tizen.org/privilege/recorder http://tizen.org/privilege/recorder +2.4 3.0 http://tizen.org/privilege/account.write http://tizen.org/privilege/account.write +2.4 3.0 http://tizen.org/privilege/contact.read http://tizen.org/privilege/contact.read +2.4 3.0 http://tizen.org/privilege/nfc.cardemulation http://tizen.org/privilege/nfc.cardemulation +2.4 3.0 http://tizen.org/privilege/led http://tizen.org/privilege/led +2.4 3.0 http://tizen.org/privilege/account.read http://tizen.org/privilege/account.read +2.4 3.0 http://tizen.org/privilege/call http://tizen.org/privilege/call +2.4 3.0 http://tizen.org/privilege/nfc.admin http://tizen.org/privilege/nfc.admin +2.4 3.0 
http://tizen.org/privilege/fullscreen http://tizen.org/privilege/fullscreen +2.4 3.0 http://tizen.org/privilege/network.set http://tizen.org/privilege/network.set +2.4 3.0 http://tizen.org/privilege/volume.set http://tizen.org/privilege/volume.set +2.4 3.0 http://tizen.org/privilege/application.read http://tizen.org/privilege/application.read +2.4 3.0 http://tizen.org/privilege/content.write http://tizen.org/privilege/content.write +2.4 3.0 http://tizen.org/privilege/location http://tizen.org/privilege/location +2.4 3.0 http://tizen.org/privilege/bookmark.admin http://tizen.org/privilege/bookmark.admin +2.4 3.0 http://tizen.org/privilege/ime http://tizen.org/privilege/ime +2.4 3.0 http://tizen.org/privilege/systemsettings.admin http://tizen.org/privilege/systemsettings.admin +2.4 3.0 http://tizen.org/privilege/packagemanager.info http://tizen.org/privilege/packagemanager.info +2.4 3.0 http://tizen.org/privilege/mediacontroller.client http://tizen.org/privilege/mediacontroller.client +2.4 3.0 http://tizen.org/privilege/healthinfo http://tizen.org/privilege/healthinfo +2.4 3.0 http://tizen.org/privilege/alarm.set http://tizen.org/privilege/alarm.set +2.4 3.0 http://tizen.org/privilege/appmanager.kill http://tizen.org/privilege/appmanager.kill +2.4 3.0 http://tizen.org/privilege/secureelement http://tizen.org/privilege/secureelement +2.4 3.0 http://tizen.org/privilege/alarm.get http://tizen.org/privilege/alarm.get +2.4 3.0 http://tizen.org/privilege/calendar.write http://tizen.org/privilege/calendar.write +2.4 3.0 http://tizen.org/privilege/email http://tizen.org/privilege/email diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload index 274c49c..b131f4d 100755 --- a/policy/security-manager-policy-reload +++ b/policy/security-manager-policy-reload 
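Review bot: Several rows in privilege-mapping.list map a 2.3 read privilege onto a broader 3.0 one (`content.read` to `content.write`, `bookmark.read` to `bookmark.admin`, `filesystem.read` to `systemsettings.admin`), and nothing in the file records why. The loader added in this patch strips lines starting with `#`, so a header comment giving the column order, plus a one-line rationale above each widening row, would let a reviewer tell intended widening from a copy error. The 2.3 block also repeats rows (for example `account.read` to `account.read` appears twice). Whether the insert into privilege_mapping_view tolerates duplicates depends on a schema not shown here.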
@@ -2,6 +2,8 @@ POLICY_PATH=/usr/share/security-manager/policy PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list +PRIVILEGE_MAPPING=$POLICY_PATH/privilege-mapping.list + DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db # Create default buckets @@ -70,3 +72,15 @@ do done echo "COMMIT;" ) | sqlite3 "$DB_FILE" + +# Load privilege-privilege mappings +( +echo "BEGIN;" +echo "DELETE FROM privilege_mapping;" +grep -v '^#' "$PRIVILEGE_MAPPING" | +while read version_from version_to privilege mapping +do + echo "INSERT INTO privilege_mapping_view (version_from_name, version_to_name, privilege_name, privilege_mapping_name) VALUES ('$version_from', '$version_to', '$privilege', '$mapping');" +done +echo "COMMIT;" +) | sqlite3 "$DB_FILE" -- 2.7.4 From 1f1d17180541c12171fdcbac42260b28baf89831 Mon Sep 17 00:00:00 2001 From: Krzysztof Jackiewicz Date: Thu, 28 Aug 2014 17:44:08 +0200 Subject: [PATCH 03/16] Fix potential buffer overflow error CID: 40674 Change backported from security-server repository. Change-Id: Ifcbd8ebe4ddfa4c04dd000639cab2c60648c3943 Signed-off-by: Rafal Krypa --- src/server/main/socket-manager.cpp | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/server/main/socket-manager.cpp b/src/server/main/socket-manager.cpp index 94c54c6..0366186 100644 --- a/src/server/main/socket-manager.cpp +++ b/src/server/main/socket-manager.cpp @@ -484,6 +484,13 @@ int SocketManager::CreateDomainSocketHelp( { int sockfd; + if(desc.serviceHandlerPath.size() >= sizeof(static_cast(0)->sun_path) / + sizeof(decltype(desc.serviceHandlerPath)::value_type)) { + LogError("Service handler path too long: " << desc.serviceHandlerPath.size()); + ThrowMsg(Exception::InitFailed, + "Service handler path too long: " << desc.serviceHandlerPath.size()); + } + if (-1 == (sockfd = socket(AF_UNIX, SOCK_STREAM, 0))) { int err = errno; LogError("Error in socket: " << strerror(err)); -- 2.7.4 From 8014cacc52f716ec424d43938967c21164ea3854 Mon Sep 17 00:00:00 2001 
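Review bot: The loader added at the end of security-manager-policy-reload pastes each field of privilege-mapping.list between single quotes, so a line containing `'` changes the SQL that reaches sqlite3, and `grep -v '^#'` lets blank lines through as rows of empty names. The file is installed policy, but the script should still treat it as data: read with `read -r`, skip lines that do not have four fields, and refuse any field containing a quote before echoing the statement. Running `sqlite3 -bail "$DB_FILE"` would also stop a failed statement from being followed by `COMMIT;` over a half-filled table. The privilege-group loader just above this hunk (only its tail is visible) appears to follow the same pattern and may need the same guard.

```shell
grep -v '^#' "$PRIVILEGE_MAPPING" |
while read -r version_from version_to privilege mapping
do
    # Skip blank or short lines rather than inserting empty names.
    [ -n "$mapping" ] || continue
    # Refuse fields that would end the quoted SQL literal.
    case "$version_from $version_to $privilege $mapping" in
        *"'"*) echo "skipping malformed line in $PRIVILEGE_MAPPING" >&2; continue ;;
    esac
    # … unchanged: echo "INSERT INTO privilege_mapping_view …" …
done
```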
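Review bot: The new guard at the top of CreateDomainSocketHelp should carry a comment saying why the comparison is `>=`, for example `// sun_path must hold the path plus its terminating NUL`, because a path of exactly sizeof(sun_path) bytes would otherwise look acceptable. The limit is spelled as a null-pointer cast divided by the string's value_type size, which is hard to audit (the cast's type argument is also missing from this page's rendering); a named constant for the limit would read better. The copy into sun_path that this check protects is outside the hunk, so confirm it uses the same bound.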
From: Yunjin Lee Date: Wed, 26 Aug 2015 17:48:00 +0900 Subject: [PATCH 04/16] Update privilege list according to the latest privilege set in 2.x Remove deprecated privileges and Add new privileges. Change-Id: I385a61e02bb86a112da1be730e17f4461cf4d049 Signed-off-by: Yunjin Lee
---
 policy/usertype-admin.profile | 19 +++++++++++++++++--
 policy/usertype-guest.profile | 19 +++++++++++++++++--
 policy/usertype-normal.profile | 19 +++++++++++++++++--
 policy/usertype-system.profile | 19 +++++++++++++++++--
 4 files changed, 68 insertions(+), 8 deletions(-)
diff --git a/policy/usertype-admin.profile b/policy/usertype-admin.profile
index 40c43e1..f527e86 100644
--- a/policy/usertype-admin.profile
+++ b/policy/usertype-admin.profile
@@ -4,7 +4,9 @@
 * http://tizen.org/privilege/account.write
 * http://tizen.org/privilege/alarm.get
 * http://tizen.org/privilege/alarm.set
+* http://tizen.org/privilege/apphistory.read
 * http://tizen.org/privilege/appmanager.kill
+* http://tizen.org/privilege/appmanager.kill.bgapp
 * http://tizen.org/privilege/appmanager.launch
 * http://tizen.org/privilege/bluetooth
 * http://tizen.org/privilege/bluetooth.admin
@@ -26,15 +28,24 @@
 * http://tizen.org/privilege/externalstorage
 * http://tizen.org/privilege/externalstorage.appdata
 * http://tizen.org/privilege/haptic
+* http://tizen.org/privilege/healthinfo
+* http://tizen.org/privilege/ime
+* http://tizen.org/privilege/imemanager
+* http://tizen.org/privilege/inputgenerator
 * http://tizen.org/privilege/internet
+* http://tizen.org/privilege/keygrab
 * http://tizen.org/privilege/keymanager
-* http://tizen.org/privilege/keymanager.admin
 * http://tizen.org/privilege/led
 * http://tizen.org/privilege/location
 * http://tizen.org/privilege/location.enable
+* http://tizen.org/privilege/mapservice
+* http://tizen.org/privilege/mediacontroller.client
+* http://tizen.org/privilege/mediacontroller.server
+* http://tizen.org/privilege/mediahistory.read
 * http://tizen.org/privilege/mediastorage
 * http://tizen.org/privilege/message.read
 * http://tizen.org/privilege/message.write
+* http://tizen.org/privilege/minicontrol.provider
 * http://tizen.org/privilege/network.get
 * http://tizen.org/privilege/network.profile
 * http://tizen.org/privilege/network.set
@@ -43,18 +54,22 @@
 * http://tizen.org/privilege/nfc.cardemulation
 * http://tizen.org/privilege/notification
 * http://tizen.org/privilege/packagemanager.admin
+* http://tizen.org/privilege/packagemanager.clearcache
 * http://tizen.org/privilege/packagemanager.info
 * http://tizen.org/privilege/power
 * http://tizen.org/privilege/push
+* http://tizen.org/privilege/reboot
 * http://tizen.org/privilege/recorder
 * http://tizen.org/privilege/screenshot
+* http://tizen.org/privilege/secureelement
 * http://tizen.org/privilege/shortcut
-* http://tizen.org/privilege/systemsettings
+* http://tizen.org/privilege/systemmonitor
 * http://tizen.org/privilege/systemsettings.admin
 * http://tizen.org/privilege/telephony
 * http://tizen.org/privilege/telephony.admin
 * http://tizen.org/privilege/tethering.admin
 * http://tizen.org/privilege/volume.set
 * http://tizen.org/privilege/web-history.admin
+* http://tizen.org/privilege/widget.viewer
 * http://tizen.org/privilege/wifidirect
 * http://tizen.org/privilege/window.priority.set
diff --git a/policy/usertype-guest.profile b/policy/usertype-guest.profile
index 3d40722..f2dd9b8 100644
--- a/policy/usertype-guest.profile
+++ b/policy/usertype-guest.profile
@@ -4,7 +4,9 @@
 * http://tizen.org/privilege/account.write
 * http://tizen.org/privilege/alarm.get
 * http://tizen.org/privilege/alarm.set
+* http://tizen.org/privilege/apphistory.read
 * http://tizen.org/privilege/appmanager.kill
+* http://tizen.org/privilege/appmanager.kill.bgapp
 * http://tizen.org/privilege/appmanager.launch
 * http://tizen.org/privilege/bluetooth
 * http://tizen.org/privilege/bluetooth.admin
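Review bot: usertype-guest.profile receives exactly the same additions as usertype-admin.profile, starting with this hunk and continuing in the two guest hunks that follow, which add `inputgenerator`, `keygrab`, `reboot` and `systemmonitor` among others. If these files are per-user-type allow-lists (the meaning of the leading `*` is not shown on this page), the guest list should be reviewed separately rather than copied from admin. A comment at the top of each profile stating what the user type is meant to be allowed would make future list updates easier to check. The same question applies to the usertype-normal.profile hunks.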
@@ -26,15 +28,24 @@
 * http://tizen.org/privilege/externalstorage
 * http://tizen.org/privilege/externalstorage.appdata
 * http://tizen.org/privilege/haptic
+* http://tizen.org/privilege/healthinfo
+* http://tizen.org/privilege/ime
+* http://tizen.org/privilege/imemanager
+* http://tizen.org/privilege/inputgenerator
 * http://tizen.org/privilege/internet
+* http://tizen.org/privilege/keygrab
 * http://tizen.org/privilege/keymanager
-* http://tizen.org/privilege/keymanager.admin
 * http://tizen.org/privilege/led
 * http://tizen.org/privilege/location
 * http://tizen.org/privilege/location.enable
+* http://tizen.org/privilege/mapservice
+* http://tizen.org/privilege/mediacontroller.client
+* http://tizen.org/privilege/mediacontroller.server
+* http://tizen.org/privilege/mediahistory.read
 * http://tizen.org/privilege/mediastorage
 * http://tizen.org/privilege/message.read
 * http://tizen.org/privilege/message.write
+* http://tizen.org/privilege/minicontrol.provider
 * http://tizen.org/privilege/network.get
 * http://tizen.org/privilege/network.profile
 * http://tizen.org/privilege/network.set
@@ -43,18 +54,22 @@
 * http://tizen.org/privilege/nfc.cardemulation
 * http://tizen.org/privilege/notification
 * http://tizen.org/privilege/packagemanager.admin
+* http://tizen.org/privilege/packagemanager.clearcache
 * http://tizen.org/privilege/packagemanager.info
 * http://tizen.org/privilege/power
 * http://tizen.org/privilege/push
+* http://tizen.org/privilege/reboot
 * http://tizen.org/privilege/recorder
 * http://tizen.org/privilege/screenshot
+* http://tizen.org/privilege/secureelement
 * http://tizen.org/privilege/shortcut
-* http://tizen.org/privilege/systemsettings
+* http://tizen.org/privilege/systemmonitor
 * http://tizen.org/privilege/systemsettings.admin
 * http://tizen.org/privilege/telephony
 * http://tizen.org/privilege/telephony.admin
 * http://tizen.org/privilege/tethering.admin
 * http://tizen.org/privilege/volume.set
 * http://tizen.org/privilege/web-history.admin
+* http://tizen.org/privilege/widget.viewer
 * http://tizen.org/privilege/wifidirect
 * http://tizen.org/privilege/window.priority.set
diff --git a/policy/usertype-normal.profile b/policy/usertype-normal.profile
index 365b3f2..e24c183 100644
--- a/policy/usertype-normal.profile
+++ b/policy/usertype-normal.profile
@@ -4,7 +4,9 @@
 * http://tizen.org/privilege/account.write
 * http://tizen.org/privilege/alarm.get
 * http://tizen.org/privilege/alarm.set
+* http://tizen.org/privilege/apphistory.read
 * http://tizen.org/privilege/appmanager.kill
+* http://tizen.org/privilege/appmanager.kill.bgapp
 * http://tizen.org/privilege/appmanager.launch
 * http://tizen.org/privilege/bluetooth
 * http://tizen.org/privilege/bluetooth.admin
@@ -26,15 +28,24 @@
 * http://tizen.org/privilege/externalstorage
 * http://tizen.org/privilege/externalstorage.appdata
 * http://tizen.org/privilege/haptic
+* http://tizen.org/privilege/healthinfo
+* http://tizen.org/privilege/ime
+* http://tizen.org/privilege/imemanager
+* http://tizen.org/privilege/inputgenerator
 * http://tizen.org/privilege/internet
+* http://tizen.org/privilege/keygrab
 * http://tizen.org/privilege/keymanager
-* http://tizen.org/privilege/keymanager.admin
 * http://tizen.org/privilege/led
 * http://tizen.org/privilege/location
 * http://tizen.org/privilege/location.enable
+* http://tizen.org/privilege/mapservice
+* http://tizen.org/privilege/mediacontroller.client
+* http://tizen.org/privilege/mediacontroller.server
+* http://tizen.org/privilege/mediahistory.read
 * http://tizen.org/privilege/mediastorage
 * http://tizen.org/privilege/message.read
 * http://tizen.org/privilege/message.write
+* http://tizen.org/privilege/minicontrol.provider
 * http://tizen.org/privilege/network.get
 * http://tizen.org/privilege/network.profile
 * http://tizen.org/privilege/network.set
@@ -43,18 +54,22 @@
 * http://tizen.org/privilege/nfc.cardemulation
 * http://tizen.org/privilege/notification
 * http://tizen.org/privilege/packagemanager.admin
+* http://tizen.org/privilege/packagemanager.clearcache
 * http://tizen.org/privilege/packagemanager.info
 * http://tizen.org/privilege/power
 * http://tizen.org/privilege/push
+* http://tizen.org/privilege/reboot
 * http://tizen.org/privilege/recorder
 * http://tizen.org/privilege/screenshot
+* http://tizen.org/privilege/secureelement
 * http://tizen.org/privilege/shortcut
-* http://tizen.org/privilege/systemsettings
+* http://tizen.org/privilege/systemmonitor
 * http://tizen.org/privilege/systemsettings.admin
 * http://tizen.org/privilege/telephony
 * http://tizen.org/privilege/telephony.admin
 * http://tizen.org/privilege/tethering.admin
 * http://tizen.org/privilege/volume.set
 * http://tizen.org/privilege/web-history.admin
+* http://tizen.org/privilege/widget.viewer
 * http://tizen.org/privilege/wifidirect
 * http://tizen.org/privilege/window.priority.set
diff --git a/policy/usertype-system.profile b/policy/usertype-system.profile
index 2cd6360..0d4c7b0 100644
--- a/policy/usertype-system.profile
+++ b/policy/usertype-system.profile
@@ -4,7 +4,9 @@
 * http://tizen.org/privilege/account.write
 * http://tizen.org/privilege/alarm.get
 * http://tizen.org/privilege/alarm.set
+* http://tizen.org/privilege/apphistory.read
 * http://tizen.org/privilege/appmanager.kill
+* http://tizen.org/privilege/appmanager.kill.bgapp
 * http://tizen.org/privilege/appmanager.launch
 * http://tizen.org/privilege/bluetooth
 * http://tizen.org/privilege/bluetooth.admin
@@ -26,15 +28,24 @@
 * http://tizen.org/privilege/externalstorage
 * http://tizen.org/privilege/externalstorage.appdata
 * http://tizen.org/privilege/haptic
+* http://tizen.org/privilege/healthinfo
+* http://tizen.org/privilege/ime
+* http://tizen.org/privilege/imemanager
+* http://tizen.org/privilege/inputgenerator
 * http://tizen.org/privilege/internet
+* http://tizen.org/privilege/keygrab
 * http://tizen.org/privilege/keymanager
-* http://tizen.org/privilege/keymanager.admin
 * http://tizen.org/privilege/led
 * http://tizen.org/privilege/location
 * http://tizen.org/privilege/location.enable
+* http://tizen.org/privilege/mapservice
+* http://tizen.org/privilege/mediacontroller.client
+* http://tizen.org/privilege/mediacontroller.server
+* http://tizen.org/privilege/mediahistory.read
 * http://tizen.org/privilege/mediastorage
 * http://tizen.org/privilege/message.read
 * http://tizen.org/privilege/message.write
+* http://tizen.org/privilege/minicontrol.provider
 * http://tizen.org/privilege/network.get
 * http://tizen.org/privilege/network.profile
 * http://tizen.org/privilege/network.set
@@ -43,18 +54,22 @@
 * http://tizen.org/privilege/nfc.cardemulation
 * http://tizen.org/privilege/notification
 * http://tizen.org/privilege/packagemanager.admin
+* http://tizen.org/privilege/packagemanager.clearcache
 * http://tizen.org/privilege/packagemanager.info
 * http://tizen.org/privilege/power
 * http://tizen.org/privilege/push
+* http://tizen.org/privilege/reboot
 * http://tizen.org/privilege/recorder
 * http://tizen.org/privilege/screenshot
+* http://tizen.org/privilege/secureelement
 * http://tizen.org/privilege/shortcut
-* http://tizen.org/privilege/systemsettings
+* http://tizen.org/privilege/systemmonitor
 * http://tizen.org/privilege/systemsettings.admin
 * http://tizen.org/privilege/telephony
 * http://tizen.org/privilege/telephony.admin
 * http://tizen.org/privilege/tethering.admin
 * http://tizen.org/privilege/volume.set
 * http://tizen.org/privilege/web-history.admin
+* http://tizen.org/privilege/widget.viewer
 * http://tizen.org/privilege/wifidirect
 * http://tizen.org/privilege/window.priority.set
-- 2.7.4
From e7f796f63565ffbcef91b4bdba6a0a6d112ecabb Mon Sep 17 00:00:00 2001 From: Kim Kidong Date: Wed, 26 Aug 2015 03:32:22 -0700 Subject: [PATCH 05/16] Revert "Update privilege list according to the latest privilege set in 2.x" This reverts commit 8014cacc52f716ec424d43938967c21164ea3854. Change-Id: I0c3df1d8c99986adc87ab9a6546efecf34629613
---
 policy/usertype-admin.profile | 19 ++-----------------
 policy/usertype-guest.profile | 19 ++-----------------
 policy/usertype-normal.profile | 19 ++-----------------
 policy/usertype-system.profile | 19 ++-----------------
 4 files changed, 8 insertions(+), 68 deletions(-)
diff --git a/policy/usertype-admin.profile b/policy/usertype-admin.profile
index f527e86..40c43e1 100644
--- a/policy/usertype-admin.profile
+++ b/policy/usertype-admin.profile
@@ -4,9 +4,7 @@
 * http://tizen.org/privilege/account.write
 * http://tizen.org/privilege/alarm.get
 * http://tizen.org/privilege/alarm.set
-* http://tizen.org/privilege/apphistory.read
 * http://tizen.org/privilege/appmanager.kill
-* http://tizen.org/privilege/appmanager.kill.bgapp
 * http://tizen.org/privilege/appmanager.launch
 * http://tizen.org/privilege/bluetooth
 * http://tizen.org/privilege/bluetooth.admin
@@ -28,24 +26,15 @@
 * http://tizen.org/privilege/externalstorage
 * http://tizen.org/privilege/externalstorage.appdata
 * http://tizen.org/privilege/haptic
-* http://tizen.org/privilege/healthinfo
-* http://tizen.org/privilege/ime
-* http://tizen.org/privilege/imemanager
-* http://tizen.org/privilege/inputgenerator
 * http://tizen.org/privilege/internet
-* http://tizen.org/privilege/keygrab
 * http://tizen.org/privilege/keymanager
+* http://tizen.org/privilege/keymanager.admin
 * http://tizen.org/privilege/led
 * http://tizen.org/privilege/location
 * http://tizen.org/privilege/location.enable
-* http://tizen.org/privilege/mapservice
-* http://tizen.org/privilege/mediacontroller.client
-* http://tizen.org/privilege/mediacontroller.server
-* http://tizen.org/privilege/mediahistory.read
 * http://tizen.org/privilege/mediastorage
 * http://tizen.org/privilege/message.read
 * http://tizen.org/privilege/message.write
-* http://tizen.org/privilege/minicontrol.provider
 * http://tizen.org/privilege/network.get
 * http://tizen.org/privilege/network.profile
 * http://tizen.org/privilege/network.set
@@ -54,22 +43,18 @@ * http://tizen.org/privilege/nfc.cardemulation * http://tizen.org/privilege/notification * http://tizen.org/privilege/packagemanager.admin -* http://tizen.org/privilege/packagemanager.clearcache * http://tizen.org/privilege/packagemanager.info * http://tizen.org/privilege/power * http://tizen.org/privilege/push -* http://tizen.org/privilege/reboot * http://tizen.org/privilege/recorder * http://tizen.org/privilege/screenshot -* http://tizen.org/privilege/secureelement * http://tizen.org/privilege/shortcut -* http://tizen.org/privilege/systemmonitor +* http://tizen.org/privilege/systemsettings * http://tizen.org/privilege/systemsettings.admin * http://tizen.org/privilege/telephony * http://tizen.org/privilege/telephony.admin * http://tizen.org/privilege/tethering.admin * http://tizen.org/privilege/volume.set * http://tizen.org/privilege/web-history.admin -* http://tizen.org/privilege/widget.viewer * http://tizen.org/privilege/wifidirect * http://tizen.org/privilege/window.priority.set diff --git a/policy/usertype-guest.profile b/policy/usertype-guest.profile index f2dd9b8..3d40722 100644 --- a/policy/usertype-guest.profile +++ b/policy/usertype-guest.profile @@ -4,9 +4,7 @@ * http://tizen.org/privilege/account.write * http://tizen.org/privilege/alarm.get * http://tizen.org/privilege/alarm.set -* http://tizen.org/privilege/apphistory.read * http://tizen.org/privilege/appmanager.kill -* http://tizen.org/privilege/appmanager.kill.bgapp * http://tizen.org/privilege/appmanager.launch * http://tizen.org/privilege/bluetooth * http://tizen.org/privilege/bluetooth.admin 
@@ -28,24 +26,15 @@ * http://tizen.org/privilege/externalstorage * http://tizen.org/privilege/externalstorage.appdata * http://tizen.org/privilege/haptic -* http://tizen.org/privilege/healthinfo -* http://tizen.org/privilege/ime -* http://tizen.org/privilege/imemanager -* http://tizen.org/privilege/inputgenerator * http://tizen.org/privilege/internet -* http://tizen.org/privilege/keygrab * http://tizen.org/privilege/keymanager +* http://tizen.org/privilege/keymanager.admin * http://tizen.org/privilege/led * http://tizen.org/privilege/location * http://tizen.org/privilege/location.enable -* http://tizen.org/privilege/mapservice -* http://tizen.org/privilege/mediacontroller.client -* http://tizen.org/privilege/mediacontroller.server -* http://tizen.org/privilege/mediahistory.read * http://tizen.org/privilege/mediastorage * http://tizen.org/privilege/message.read * http://tizen.org/privilege/message.write -* http://tizen.org/privilege/minicontrol.provider * http://tizen.org/privilege/network.get * http://tizen.org/privilege/network.profile * http://tizen.org/privilege/network.set 
@@ -54,22 +43,18 @@ * http://tizen.org/privilege/nfc.cardemulation * http://tizen.org/privilege/notification * http://tizen.org/privilege/packagemanager.admin -* http://tizen.org/privilege/packagemanager.clearcache * http://tizen.org/privilege/packagemanager.info * http://tizen.org/privilege/power * http://tizen.org/privilege/push -* http://tizen.org/privilege/reboot * http://tizen.org/privilege/recorder * http://tizen.org/privilege/screenshot -* http://tizen.org/privilege/secureelement * http://tizen.org/privilege/shortcut -* http://tizen.org/privilege/systemmonitor +* http://tizen.org/privilege/systemsettings * http://tizen.org/privilege/systemsettings.admin * http://tizen.org/privilege/telephony * http://tizen.org/privilege/telephony.admin * http://tizen.org/privilege/tethering.admin * http://tizen.org/privilege/volume.set * http://tizen.org/privilege/web-history.admin -* http://tizen.org/privilege/widget.viewer * http://tizen.org/privilege/wifidirect * http://tizen.org/privilege/window.priority.set diff --git a/policy/usertype-normal.profile b/policy/usertype-normal.profile index e24c183..365b3f2 100644 --- a/policy/usertype-normal.profile +++ b/policy/usertype-normal.profile @@ -4,9 +4,7 @@ * http://tizen.org/privilege/account.write * http://tizen.org/privilege/alarm.get * http://tizen.org/privilege/alarm.set -* http://tizen.org/privilege/apphistory.read * http://tizen.org/privilege/appmanager.kill -* http://tizen.org/privilege/appmanager.kill.bgapp * http://tizen.org/privilege/appmanager.launch * http://tizen.org/privilege/bluetooth * http://tizen.org/privilege/bluetooth.admin 
@@ -28,24 +26,15 @@ * http://tizen.org/privilege/externalstorage * http://tizen.org/privilege/externalstorage.appdata * http://tizen.org/privilege/haptic -* http://tizen.org/privilege/healthinfo -* http://tizen.org/privilege/ime -* http://tizen.org/privilege/imemanager -* http://tizen.org/privilege/inputgenerator * http://tizen.org/privilege/internet -* http://tizen.org/privilege/keygrab * http://tizen.org/privilege/keymanager +* http://tizen.org/privilege/keymanager.admin * http://tizen.org/privilege/led * http://tizen.org/privilege/location * http://tizen.org/privilege/location.enable -* http://tizen.org/privilege/mapservice -* http://tizen.org/privilege/mediacontroller.client -* http://tizen.org/privilege/mediacontroller.server -* http://tizen.org/privilege/mediahistory.read * http://tizen.org/privilege/mediastorage * http://tizen.org/privilege/message.read * http://tizen.org/privilege/message.write -* http://tizen.org/privilege/minicontrol.provider * http://tizen.org/privilege/network.get * http://tizen.org/privilege/network.profile * http://tizen.org/privilege/network.set 
@@ -54,22 +43,18 @@ * http://tizen.org/privilege/nfc.cardemulation * http://tizen.org/privilege/notification * http://tizen.org/privilege/packagemanager.admin -* http://tizen.org/privilege/packagemanager.clearcache * http://tizen.org/privilege/packagemanager.info * http://tizen.org/privilege/power * http://tizen.org/privilege/push -* http://tizen.org/privilege/reboot * http://tizen.org/privilege/recorder * http://tizen.org/privilege/screenshot -* http://tizen.org/privilege/secureelement * http://tizen.org/privilege/shortcut -* http://tizen.org/privilege/systemmonitor +* http://tizen.org/privilege/systemsettings * http://tizen.org/privilege/systemsettings.admin * http://tizen.org/privilege/telephony * http://tizen.org/privilege/telephony.admin * http://tizen.org/privilege/tethering.admin * http://tizen.org/privilege/volume.set * http://tizen.org/privilege/web-history.admin -* http://tizen.org/privilege/widget.viewer * http://tizen.org/privilege/wifidirect * http://tizen.org/privilege/window.priority.set diff --git a/policy/usertype-system.profile b/policy/usertype-system.profile index 0d4c7b0..2cd6360 100644 --- a/policy/usertype-system.profile +++ b/policy/usertype-system.profile @@ -4,9 +4,7 @@ * http://tizen.org/privilege/account.write * http://tizen.org/privilege/alarm.get * http://tizen.org/privilege/alarm.set -* http://tizen.org/privilege/apphistory.read * http://tizen.org/privilege/appmanager.kill -* http://tizen.org/privilege/appmanager.kill.bgapp * http://tizen.org/privilege/appmanager.launch * http://tizen.org/privilege/bluetooth * http://tizen.org/privilege/bluetooth.admin 
@@ -28,24 +26,15 @@ * http://tizen.org/privilege/externalstorage * http://tizen.org/privilege/externalstorage.appdata * http://tizen.org/privilege/haptic -* http://tizen.org/privilege/healthinfo -* http://tizen.org/privilege/ime -* http://tizen.org/privilege/imemanager -* http://tizen.org/privilege/inputgenerator * http://tizen.org/privilege/internet -* http://tizen.org/privilege/keygrab * http://tizen.org/privilege/keymanager +* http://tizen.org/privilege/keymanager.admin * http://tizen.org/privilege/led * http://tizen.org/privilege/location * http://tizen.org/privilege/location.enable -* http://tizen.org/privilege/mapservice -* http://tizen.org/privilege/mediacontroller.client -* http://tizen.org/privilege/mediacontroller.server -* http://tizen.org/privilege/mediahistory.read * http://tizen.org/privilege/mediastorage * http://tizen.org/privilege/message.read * http://tizen.org/privilege/message.write -* http://tizen.org/privilege/minicontrol.provider * http://tizen.org/privilege/network.get * http://tizen.org/privilege/network.profile * http://tizen.org/privilege/network.set 
@@ -54,22 +43,18 @@ * http://tizen.org/privilege/nfc.cardemulation * http://tizen.org/privilege/notification * http://tizen.org/privilege/packagemanager.admin -* http://tizen.org/privilege/packagemanager.clearcache * http://tizen.org/privilege/packagemanager.info * http://tizen.org/privilege/power * http://tizen.org/privilege/push -* http://tizen.org/privilege/reboot * http://tizen.org/privilege/recorder * http://tizen.org/privilege/screenshot -* http://tizen.org/privilege/secureelement * http://tizen.org/privilege/shortcut -* http://tizen.org/privilege/systemmonitor +* http://tizen.org/privilege/systemsettings * http://tizen.org/privilege/systemsettings.admin * http://tizen.org/privilege/telephony * http://tizen.org/privilege/telephony.admin * http://tizen.org/privilege/tethering.admin * http://tizen.org/privilege/volume.set * http://tizen.org/privilege/web-history.admin -* http://tizen.org/privilege/widget.viewer * http://tizen.org/privilege/wifidirect * http://tizen.org/privilege/window.priority.set -- 2.7.4 From 0b1ae3d7f79c6bb5718b7c255e079f60e6daf319 Mon Sep 17 00:00:00 2001 From: Yunjin Lee Date: Wed, 26 Aug 2015 03:45:48 -0700 Subject: [PATCH 06/16] Revert "Revert "Update privilege list according to the latest privilege set in 2.x"" This reverts commit e7f796f63565ffbcef91b4bdba6a0a6d112ecabb. Change-Id: I5d14578100bd0631679eba84936ce1d8bca8f93e --- policy/usertype-admin.profile | 20 ++++++++++++++++++-- policy/usertype-guest.profile | 20 ++++++++++++++++++-- policy/usertype-normal.profile | 20 ++++++++++++++++++-- policy/usertype-system.profile | 20 ++++++++++++++++++-- 4 files changed, 72 insertions(+), 8 deletions(-) diff --git a/policy/usertype-admin.profile b/policy/usertype-admin.profile index 40c43e1..e8915cc 100644 --- a/policy/usertype-admin.profile +++ b/policy/usertype-admin.profile 
@@ -4,7 +4,9 @@ * http://tizen.org/privilege/account.write * http://tizen.org/privilege/alarm.get * http://tizen.org/privilege/alarm.set +* http://tizen.org/privilege/apphistory.read * http://tizen.org/privilege/appmanager.kill +* http://tizen.org/privilege/appmanager.kill.bgapp * http://tizen.org/privilege/appmanager.launch * http://tizen.org/privilege/bluetooth * http://tizen.org/privilege/bluetooth.admin @@ -26,15 +28,24 @@ * http://tizen.org/privilege/externalstorage * http://tizen.org/privilege/externalstorage.appdata * http://tizen.org/privilege/haptic +* http://tizen.org/privilege/healthinfo +* http://tizen.org/privilege/ime +* http://tizen.org/privilege/imemanager +* http://tizen.org/privilege/inputgenerator * http://tizen.org/privilege/internet +* http://tizen.org/privilege/keygrab * http://tizen.org/privilege/keymanager -* http://tizen.org/privilege/keymanager.admin * http://tizen.org/privilege/led * http://tizen.org/privilege/location * http://tizen.org/privilege/location.enable +* http://tizen.org/privilege/mapservice +* http://tizen.org/privilege/mediacontroller.client +* http://tizen.org/privilege/mediacontroller.server +* http://tizen.org/privilege/mediahistory.read * http://tizen.org/privilege/mediastorage * http://tizen.org/privilege/message.read * http://tizen.org/privilege/message.write +* http://tizen.org/privilege/minicontrol.provider * http://tizen.org/privilege/network.get * http://tizen.org/privilege/network.profile * http://tizen.org/privilege/network.set 
@@ -43,18 +54,23 @@ * http://tizen.org/privilege/nfc.cardemulation * http://tizen.org/privilege/notification * http://tizen.org/privilege/packagemanager.admin +* http://tizen.org/privilege/packagemanager.clearcache * http://tizen.org/privilege/packagemanager.info * http://tizen.org/privilege/power * http://tizen.org/privilege/push +* http://tizen.org/privilege/reboot * http://tizen.org/privilege/recorder * http://tizen.org/privilege/screenshot +* http://tizen.org/privilege/secureelement * http://tizen.org/privilege/shortcut -* http://tizen.org/privilege/systemsettings +* http://tizen.org/privilege/systemmonitor * http://tizen.org/privilege/systemsettings.admin * http://tizen.org/privilege/telephony * http://tizen.org/privilege/telephony.admin * http://tizen.org/privilege/tethering.admin * http://tizen.org/privilege/volume.set * http://tizen.org/privilege/web-history.admin +* http://tizen.org/privilege/widget.viewer * http://tizen.org/privilege/wifidirect * http://tizen.org/privilege/window.priority.set +* http://tizen.org/privilege/notexist diff --git a/policy/usertype-guest.profile b/policy/usertype-guest.profile index 3d40722..13b6013 100644 --- a/policy/usertype-guest.profile +++ b/policy/usertype-guest.profile @@ -4,7 +4,9 @@ * http://tizen.org/privilege/account.write * http://tizen.org/privilege/alarm.get * http://tizen.org/privilege/alarm.set +* http://tizen.org/privilege/apphistory.read * http://tizen.org/privilege/appmanager.kill +* http://tizen.org/privilege/appmanager.kill.bgapp * http://tizen.org/privilege/appmanager.launch * http://tizen.org/privilege/bluetooth * http://tizen.org/privilege/bluetooth.admin 
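Review bot: The last added line of the usertype-admin hunk, `+* http://tizen.org/privilege/notexist`, is not part of the change this commit says it restores. PATCH 05/16, which is being undone here, removes 17 lines and adds 2 per profile and never touches `notexist`, while this patch adds 18 and its diffstat shows 20 changed lines per file instead of 19. The same extra entry closes the `@@ -43,18 +54,23 @@` hunks of usertype-guest, usertype-normal and usertype-system. A commit described only as "This reverts commit …" should not carry a new policy entry. Drop the line from the four profiles here and add it in a separate commit whose message explains why every user type needs a `notexist` entry.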
@@ -26,15 +28,24 @@ * http://tizen.org/privilege/externalstorage * http://tizen.org/privilege/externalstorage.appdata * http://tizen.org/privilege/haptic +* http://tizen.org/privilege/healthinfo +* http://tizen.org/privilege/ime +* http://tizen.org/privilege/imemanager +* http://tizen.org/privilege/inputgenerator * http://tizen.org/privilege/internet +* http://tizen.org/privilege/keygrab * http://tizen.org/privilege/keymanager -* http://tizen.org/privilege/keymanager.admin * http://tizen.org/privilege/led * http://tizen.org/privilege/location * http://tizen.org/privilege/location.enable +* http://tizen.org/privilege/mapservice +* http://tizen.org/privilege/mediacontroller.client +* http://tizen.org/privilege/mediacontroller.server +* http://tizen.org/privilege/mediahistory.read * http://tizen.org/privilege/mediastorage * http://tizen.org/privilege/message.read * http://tizen.org/privilege/message.write +* http://tizen.org/privilege/minicontrol.provider * http://tizen.org/privilege/network.get * http://tizen.org/privilege/network.profile * http://tizen.org/privilege/network.set 
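Review bot: This usertype-guest hunk adds exactly the entries that the usertype-admin hunk adds, including `inputgenerator`, `keygrab` and `imemanager`, and the guest hunk that follows adds `reboot` beside the existing `packagemanager.admin`, `telephony.admin` and `tethering.admin` context lines. The patch does not explain the profile format, but if each line is a privilege that user type may be granted, guest is no narrower than admin in the visible ranges. Judging by their names, input-injection, key-grab and reboot privileges are hard to justify for a guest account. Either leave those entries out of usertype-guest.profile or state in the commit message why the four profiles are kept identical. The parts of the file outside the hunks are not visible, so this rests only on the lines shown.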
@@ -43,18 +54,23 @@ * http://tizen.org/privilege/nfc.cardemulation * http://tizen.org/privilege/notification * http://tizen.org/privilege/packagemanager.admin +* http://tizen.org/privilege/packagemanager.clearcache * http://tizen.org/privilege/packagemanager.info * http://tizen.org/privilege/power * http://tizen.org/privilege/push +* http://tizen.org/privilege/reboot * http://tizen.org/privilege/recorder * http://tizen.org/privilege/screenshot +* http://tizen.org/privilege/secureelement * http://tizen.org/privilege/shortcut -* http://tizen.org/privilege/systemsettings +* http://tizen.org/privilege/systemmonitor * http://tizen.org/privilege/systemsettings.admin * http://tizen.org/privilege/telephony * http://tizen.org/privilege/telephony.admin * http://tizen.org/privilege/tethering.admin * http://tizen.org/privilege/volume.set * http://tizen.org/privilege/web-history.admin +* http://tizen.org/privilege/widget.viewer * http://tizen.org/privilege/wifidirect * http://tizen.org/privilege/window.priority.set +* http://tizen.org/privilege/notexist diff --git a/policy/usertype-normal.profile b/policy/usertype-normal.profile index 365b3f2..103f13d 100644 --- a/policy/usertype-normal.profile +++ b/policy/usertype-normal.profile @@ -4,7 +4,9 @@ * http://tizen.org/privilege/account.write * http://tizen.org/privilege/alarm.get * http://tizen.org/privilege/alarm.set +* http://tizen.org/privilege/apphistory.read * http://tizen.org/privilege/appmanager.kill +* http://tizen.org/privilege/appmanager.kill.bgapp * http://tizen.org/privilege/appmanager.launch * http://tizen.org/privilege/bluetooth * http://tizen.org/privilege/bluetooth.admin 
@@ -26,15 +28,24 @@ * http://tizen.org/privilege/externalstorage * http://tizen.org/privilege/externalstorage.appdata * http://tizen.org/privilege/haptic +* http://tizen.org/privilege/healthinfo +* http://tizen.org/privilege/ime +* http://tizen.org/privilege/imemanager +* http://tizen.org/privilege/inputgenerator * http://tizen.org/privilege/internet +* http://tizen.org/privilege/keygrab * http://tizen.org/privilege/keymanager -* http://tizen.org/privilege/keymanager.admin * http://tizen.org/privilege/led * http://tizen.org/privilege/location * http://tizen.org/privilege/location.enable +* http://tizen.org/privilege/mapservice +* http://tizen.org/privilege/mediacontroller.client +* http://tizen.org/privilege/mediacontroller.server +* http://tizen.org/privilege/mediahistory.read * http://tizen.org/privilege/mediastorage * http://tizen.org/privilege/message.read * http://tizen.org/privilege/message.write +* http://tizen.org/privilege/minicontrol.provider * http://tizen.org/privilege/network.get * http://tizen.org/privilege/network.profile * http://tizen.org/privilege/network.set 
@@ -43,18 +54,23 @@ * http://tizen.org/privilege/nfc.cardemulation * http://tizen.org/privilege/notification * http://tizen.org/privilege/packagemanager.admin +* http://tizen.org/privilege/packagemanager.clearcache * http://tizen.org/privilege/packagemanager.info * http://tizen.org/privilege/power * http://tizen.org/privilege/push +* http://tizen.org/privilege/reboot * http://tizen.org/privilege/recorder * http://tizen.org/privilege/screenshot +* http://tizen.org/privilege/secureelement * http://tizen.org/privilege/shortcut -* http://tizen.org/privilege/systemsettings +* http://tizen.org/privilege/systemmonitor * http://tizen.org/privilege/systemsettings.admin * http://tizen.org/privilege/telephony * http://tizen.org/privilege/telephony.admin * http://tizen.org/privilege/tethering.admin * http://tizen.org/privilege/volume.set * http://tizen.org/privilege/web-history.admin +* http://tizen.org/privilege/widget.viewer * http://tizen.org/privilege/wifidirect * http://tizen.org/privilege/window.priority.set +* http://tizen.org/privilege/notexist diff --git a/policy/usertype-system.profile b/policy/usertype-system.profile index 2cd6360..3e0abb6 100644 --- a/policy/usertype-system.profile +++ b/policy/usertype-system.profile @@ -4,7 +4,9 @@ * http://tizen.org/privilege/account.write * http://tizen.org/privilege/alarm.get * http://tizen.org/privilege/alarm.set +* http://tizen.org/privilege/apphistory.read * http://tizen.org/privilege/appmanager.kill +* http://tizen.org/privilege/appmanager.kill.bgapp * http://tizen.org/privilege/appmanager.launch * http://tizen.org/privilege/bluetooth * http://tizen.org/privilege/bluetooth.admin 
@@ -26,15 +28,24 @@ * http://tizen.org/privilege/externalstorage * http://tizen.org/privilege/externalstorage.appdata * http://tizen.org/privilege/haptic +* http://tizen.org/privilege/healthinfo +* http://tizen.org/privilege/ime +* http://tizen.org/privilege/imemanager +* http://tizen.org/privilege/inputgenerator * http://tizen.org/privilege/internet +* http://tizen.org/privilege/keygrab * http://tizen.org/privilege/keymanager -* http://tizen.org/privilege/keymanager.admin * http://tizen.org/privilege/led * http://tizen.org/privilege/location * http://tizen.org/privilege/location.enable +* http://tizen.org/privilege/mapservice +* http://tizen.org/privilege/mediacontroller.client +* http://tizen.org/privilege/mediacontroller.server +* http://tizen.org/privilege/mediahistory.read * http://tizen.org/privilege/mediastorage * http://tizen.org/privilege/message.read * http://tizen.org/privilege/message.write +* http://tizen.org/privilege/minicontrol.provider * http://tizen.org/privilege/network.get * http://tizen.org/privilege/network.profile * http://tizen.org/privilege/network.set 
@@ -43,18 +54,23 @@ * http://tizen.org/privilege/nfc.cardemulation * http://tizen.org/privilege/notification * http://tizen.org/privilege/packagemanager.admin +* http://tizen.org/privilege/packagemanager.clearcache * http://tizen.org/privilege/packagemanager.info * http://tizen.org/privilege/power * http://tizen.org/privilege/push +* http://tizen.org/privilege/reboot * http://tizen.org/privilege/recorder * http://tizen.org/privilege/screenshot +* http://tizen.org/privilege/secureelement * http://tizen.org/privilege/shortcut -* http://tizen.org/privilege/systemsettings +* http://tizen.org/privilege/systemmonitor * http://tizen.org/privilege/systemsettings.admin * http://tizen.org/privilege/telephony * http://tizen.org/privilege/telephony.admin * http://tizen.org/privilege/tethering.admin * http://tizen.org/privilege/volume.set * http://tizen.org/privilege/web-history.admin +* http://tizen.org/privilege/widget.viewer * http://tizen.org/privilege/wifidirect * http://tizen.org/privilege/window.priority.set +* http://tizen.org/privilege/notexist -- 2.7.4 From 5b67944703dbbbbfc4b2ce59c13ddfa0c00092e4 Mon Sep 17 00:00:00 2001 From: Yunjin Lee Date: Mon, 31 Aug 2015 18:06:00 +0900 Subject: [PATCH 07/16] Update privilege mapping list Change-Id: If17b3aedf5abc9041eb033973a2b9e3b8596b9ef Signed-off-by: Yunjin Lee --- policy/privilege-mapping.list | 352 ++++++++++++++++++++++++++++-------------- 1 file changed, 237 insertions(+), 115 deletions(-) diff --git a/policy/privilege-mapping.list b/policy/privilege-mapping.list index 732165d..49b4743 100644 --- a/policy/privilege-mapping.list +++ b/policy/privilege-mapping.list 
@@ -1,13 +1,84 @@ +2.2.1 3.0 http://tizen.org/privilege/alarm http://tizen.org/privilege/alarm.get +2.2.1 3.0 http://tizen.org/privilege/alarm http://tizen.org/privilege/alarm.set +2.2.1 3.0 http://tizen.org/privilege/application.info http://tizen.org/privilege/packagemanager.info +2.2.1 3.0 http://tizen.org/privilege/application.launch http://tizen.org/privilege/appmanager.launch +2.2.1 3.0 http://tizen.org/privilege/appmanager.certificate http://tizen.org/privilege/notexist +2.2.1 3.0 http://tizen.org/privilege/appmanager.kill http://tizen.org/privilege/appmanager.kill +2.2.1 3.0 http://tizen.org/privilege/bluetooth.admin http://tizen.org/privilege/bluetooth.admin +2.2.1 3.0 http://tizen.org/privilege/bluetooth.gap http://tizen.org/privilege/bluetooth.admin +2.2.1 3.0 http://tizen.org/privilege/bluetooth.health http://tizen.org/privilege/bluetooth.admin +2.2.1 3.0 http://tizen.org/privilege/bluetooth.spp http://tizen.org/privilege/bluetooth.admin +2.2.1 3.0 http://tizen.org/privilege/bluetoothmanager http://tizen.org/privilege/bluetooth.admin +2.2.1 3.0 http://tizen.org/privilege/bookmark.read http://tizen.org/privilege/bookmark.admin +2.2.1 3.0 http://tizen.org/privilege/bookmark.write http://tizen.org/privilege/bookmark.admin +2.2.1 3.0 http://tizen.org/privilege/calendar.read http://tizen.org/privilege/calendar.read +2.2.1 3.0 http://tizen.org/privilege/calendar.write http://tizen.org/privilege/calendar.read +2.2.1 3.0 http://tizen.org/privilege/calendar.write http://tizen.org/privilege/calendar.write +2.2.1 3.0 http://tizen.org/privilege/callhistory.read http://tizen.org/privilege/callhistory.read +2.2.1 3.0 http://tizen.org/privilege/callhistory.read http://tizen.org/privilege/contact.read +2.2.1 3.0 http://tizen.org/privilege/callhistory.read http://tizen.org/privilege/telephony +2.2.1 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/callhistory.read +2.2.1 3.0 http://tizen.org/privilege/callhistory.write 
http://tizen.org/privilege/callhistory.write +2.2.1 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/contact.read +2.2.1 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/contact.write +2.2.1 3.0 http://tizen.org/privilege/contact.read http://tizen.org/privilege/contact.read +2.2.1 3.0 http://tizen.org/privilege/contact.write http://tizen.org/privilege/contact.read +2.2.1 3.0 http://tizen.org/privilege/contact.write http://tizen.org/privilege/contact.write +2.2.1 3.0 http://tizen.org/privilege/content.read http://tizen.org/privilege/content.write +2.2.1 3.0 http://tizen.org/privilege/content.write http://tizen.org/privilege/content.write +2.2.1 3.0 http://tizen.org/privilege/datacontrol.consumer http://tizen.org/privilege/appmanager.launch +2.2.1 3.0 http://tizen.org/privilege/datacontrol.consumer http://tizen.org/privilege/datasharing +2.2.1 3.0 http://tizen.org/privilege/datasync http://tizen.org/privilege/notexist +2.2.1 3.0 http://tizen.org/privilege/download http://tizen.org/privilege/download +2.2.1 3.0 http://tizen.org/privilege/filesystem.read http://tizen.org/privilege/systemsettings.admin +2.2.1 3.0 http://tizen.org/privilege/filesystem.write http://tizen.org/privilege/systemsettings.admin +2.2.1 3.0 http://tizen.org/privilege/fullscreen http://tizen.org/privilege/notexist +2.2.1 3.0 http://tizen.org/privilege/location http://tizen.org/privilege/location +2.2.1 3.0 http://tizen.org/privilege/mediacapture http://tizen.org/privilege/camera +2.2.1 3.0 http://tizen.org/privilege/mediacapture http://tizen.org/privilege/recorder +2.2.1 3.0 http://tizen.org/privilege/messaging.read http://tizen.org/privilege/email +2.2.1 3.0 http://tizen.org/privilege/messaging.read http://tizen.org/privilege/message.read +2.2.1 3.0 http://tizen.org/privilege/messaging.read http://tizen.org/privilege/mediastorage +2.2.1 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/callhistory.read +2.2.1 3.0 
http://tizen.org/privilege/messaging.write http://tizen.org/privilege/callhistory.write +2.2.1 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/contact.read +2.2.1 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/contact.write +2.2.1 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/email +2.2.1 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/message.read +2.2.1 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/message.write +2.2.1 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/mediastorage +2.2.1 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/telephony +2.2.1 3.0 http://tizen.org/privilege/networkbearerselection http://tizen.org/privilege/network.set +2.2.1 3.0 http://tizen.org/privilege/nfc.admin http://tizen.org/privilege/secureelement +2.2.1 3.0 http://tizen.org/privilege/nfc.admin http://tizen.org/privilege/nfc.admin +2.2.1 3.0 http://tizen.org/privilege/nfc.common http://tizen.org/privilege/secureelement +2.2.1 3.0 http://tizen.org/privilege/nfc.common http://tizen.org/privilege/nfc +2.2.1 3.0 http://tizen.org/privilege/nfc.p2p http://tizen.org/privilege/secureelement +2.2.1 3.0 http://tizen.org/privilege/nfc.p2p http://tizen.org/privilege/nfc +2.2.1 3.0 http://tizen.org/privilege/nfc.tag http://tizen.org/privilege/secureelement +2.2.1 3.0 http://tizen.org/privilege/nfc.tag http://tizen.org/privilege/nfc +2.2.1 3.0 http://tizen.org/privilege/notification http://tizen.org/privilege/notification +2.2.1 3.0 http://tizen.org/privilege/notification http://tizen.org/privilege/packagemanager.info +2.2.1 3.0 http://tizen.org/privilege/package.info http://tizen.org/privilege/packagemanager.info +2.2.1 3.0 http://tizen.org/privilege/packagemanager.install http://tizen.org/privilege/packagemanager.admin +2.2.1 3.0 http://tizen.org/privilege/power http://tizen.org/privilege/display +2.2.1 3.0 
http://tizen.org/privilege/push http://tizen.org/privilege/push +2.2.1 3.0 http://tizen.org/privilege/secureelement http://tizen.org/privilege/secureelement +2.2.1 3.0 http://tizen.org/privilege/setting http://tizen.org/privilege/systemsettings.admin +2.2.1 3.0 http://tizen.org/privilege/system http://tizen.org/privilege/telephony +2.2.1 3.0 http://tizen.org/privilege/systemmanager http://tizen.org/privilege/telephony +2.2.1 3.0 http://tizen.org/privilege/unlimitedstorage http://tizen.org/privilege/notexist +2.2.1 3.0 http://tizen.org/privilege/websetting http://tizen.org/privilege/notexist 2.3 3.0 http://tizen.org/privilege/account.read http://tizen.org/privilege/account.read 2.3 3.0 http://tizen.org/privilege/account.write http://tizen.org/privilege/account.write 2.3 3.0 http://tizen.org/privilege/alarm http://tizen.org/privilege/alarm.get 2.3 3.0 http://tizen.org/privilege/alarm http://tizen.org/privilege/alarm.set 2.3 3.0 http://tizen.org/privilege/application.info http://tizen.org/privilege/packagemanager.info -2.3 3.0 http://tizen.org/privilege/application.kill http://tizen.org/privilege/appmanager.kill 2.3 3.0 http://tizen.org/privilege/application.launch http://tizen.org/privilege/appmanager.launch -2.3 3.0 http://tizen.org/privilege/application.read http://tizen.org/privilege/application.read -2.3 3.0 http://tizen.org/privilege/appmanager.certificate http://tizen.org/privilege/appmanager.certificate +2.3 3.0 http://tizen.org/privilege/appmanager.certificate http://tizen.org/privilege/notexist 2.3 3.0 http://tizen.org/privilege/appmanager.kill http://tizen.org/privilege/appmanager.kill +2.3 3.0 http://tizen.org/privilege/audiorecorder http://tizen.org/privilege/camera +2.3 3.0 http://tizen.org/privilege/audiorecorder http://tizen.org/privilege/recorder 2.3 3.0 http://tizen.org/privilege/bluetooth.admin http://tizen.org/privilege/bluetooth.admin 2.3 3.0 http://tizen.org/privilege/bluetooth.gap http://tizen.org/privilege/bluetooth.admin 2.3 3.0 
http://tizen.org/privilege/bluetooth.health http://tizen.org/privilege/bluetooth.admin @@ -26,6 +97,8 @@ 2.3 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/callhistory.write 2.3 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/contact.read 2.3 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/contact.write +2.3 3.0 http://tizen.org/privilege/camera http://tizen.org/privilege/camera +2.3 3.0 http://tizen.org/privilege/camera http://tizen.org/privilege/recorder 2.3 3.0 http://tizen.org/privilege/contact.read http://tizen.org/privilege/contact.read 2.3 3.0 http://tizen.org/privilege/contact.write http://tizen.org/privilege/contact.read 2.3 3.0 http://tizen.org/privilege/contact.write http://tizen.org/privilege/contact.write 
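Review bot: Several of the new 2.2.1 rows in the first hunk translate a read-level privilege into a broader 3.0 one: `content.read` → `content.write`, `bookmark.read` → `bookmark.admin`, and `filesystem.read` → `systemsettings.admin`. Assuming a row means that an application declaring the left-hand privilege is given the right-hand one, an application that only asked to read gains write or admin rights after mapping. Where a narrower 3.0 privilege exists the row should point to it, and where none exists the commit message should record that the widening is deliberate. Separately, rows such as `appmanager.certificate`, `datasync` and `fullscreen` now map to `http://tizen.org/privilege/notexist`, which reads as a "no equivalent" marker, yet PATCH 06/16 lists `notexist` in every usertype profile. It is worth confirming that the marker is never treated as a grantable privilege.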
@@ -33,31 +106,19 @@ 2.3 3.0 http://tizen.org/privilege/content.write http://tizen.org/privilege/content.write 2.3 3.0 http://tizen.org/privilege/datacontrol.consumer http://tizen.org/privilege/appmanager.launch 2.3 3.0 http://tizen.org/privilege/datacontrol.consumer http://tizen.org/privilege/datasharing +2.3 3.0 http://tizen.org/privilege/datasync http://tizen.org/privilege/notexist 2.3 3.0 http://tizen.org/privilege/download http://tizen.org/privilege/download 2.3 3.0 http://tizen.org/privilege/filesystem.read http://tizen.org/privilege/systemsettings.admin 2.3 3.0 http://tizen.org/privilege/filesystem.write http://tizen.org/privilege/systemsettings.admin -2.3 3.0 http://tizen.org/privilege/fullscreen http://tizen.org/privilege/fullscreen +2.3 3.0 http://tizen.org/privilege/fullscreen http://tizen.org/privilege/notexist 2.3 3.0 http://tizen.org/privilege/healthinfo http://tizen.org/privilege/healthinfo -2.3 3.0 http://tizen.org/privilege/ime http://tizen.org/privilege/ime 2.3 3.0 http://tizen.org/privilege/internet http://tizen.org/privilege/internet -2.3 3.0 http://tizen.org/privilege/keymanager http://tizen.org/privilege/keymanager -2.3 3.0 http://tizen.org/privilege/led http://tizen.org/privilege/led 2.3 3.0 http://tizen.org/privilege/location http://tizen.org/privilege/location 2.3 3.0 http://tizen.org/privilege/mediacapture http://tizen.org/privilege/camera 2.3 3.0 http://tizen.org/privilege/mediacapture http://tizen.org/privilege/recorder -2.3 3.0 http://tizen.org/privilege/mediacontroller.client http://tizen.org/privilege/mediacontroller.client -2.3 3.0 http://tizen.org/privilege/mediacontroller.server http://tizen.org/privilege/mediacontroller.server 2.3 3.0 http://tizen.org/privilege/messaging.read http://tizen.org/privilege/email 2.3 3.0 http://tizen.org/privilege/messaging.read http://tizen.org/privilege/message.read 2.3 3.0 http://tizen.org/privilege/messaging.read http://tizen.org/privilege/mediastorage -2.3 3.0 
http://tizen.org/privilege/messaging.send http://tizen.org/privilege/callhistory.read -2.3 3.0 http://tizen.org/privilege/messaging.send http://tizen.org/privilege/callhistory.write -2.3 3.0 http://tizen.org/privilege/messaging.send http://tizen.org/privilege/contact.read -2.3 3.0 http://tizen.org/privilege/messaging.send http://tizen.org/privilege/contact.write -2.3 3.0 http://tizen.org/privilege/messaging.send http://tizen.org/privilege/email -2.3 3.0 http://tizen.org/privilege/messaging.send http://tizen.org/privilege/message.read -2.3 3.0 http://tizen.org/privilege/messaging.send http://tizen.org/privilege/message.write -2.3 3.0 http://tizen.org/privilege/messaging.send http://tizen.org/privilege/mediastorage 2.3 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/callhistory.read 2.3 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/callhistory.write 2.3 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/contact.read @@ -77,10 +138,8 @@ 2.3 3.0 http://tizen.org/privilege/nfc.p2p http://tizen.org/privilege/nfc 2.3 3.0 http://tizen.org/privilege/nfc.tag http://tizen.org/privilege/secureelement 2.3 3.0 http://tizen.org/privilege/nfc.tag http://tizen.org/privilege/nfc -2.3 3.0 http://tizen.org/privilege/notification.read http://tizen.org/privilege/notification 2.3 3.0 http://tizen.org/privilege/notification http://tizen.org/privilege/notification 2.3 3.0 http://tizen.org/privilege/notification http://tizen.org/privilege/packagemanager.info -2.3 3.0 http://tizen.org/privilege/notification.write http://tizen.org/privilege/notification 2.3 3.0 http://tizen.org/privilege/package.info http://tizen.org/privilege/packagemanager.info 2.3 3.0 http://tizen.org/privilege/packagemanager.install http://tizen.org/privilege/packagemanager.admin 2.3 3.0 http://tizen.org/privilege/power http://tizen.org/privilege/display 
@@ -88,108 +147,171 @@ 2.3 3.0 http://tizen.org/privilege/secureelement http://tizen.org/privilege/secureelement 2.3 3.0 http://tizen.org/privilege/setting http://tizen.org/privilege/systemsettings.admin 2.3 3.0 http://tizen.org/privilege/system http://tizen.org/privilege/telephony -2.3 3.0 http://tizen.org/privilege/systeminfo http://tizen.org/privilege/network.get -2.3 3.0 http://tizen.org/privilege/systeminfo http://tizen.org/privilege/telephony -2.3 3.0 http://tizen.org/privilege/telephony http://tizen.org/privilege/telephony -2.3 3.0 http://tizen.org/privilege/unlimitedstorage http://tizen.org/privilege/unlimitedstorage +2.3 3.0 http://tizen.org/privilege/systemmanager http://tizen.org/privilege/telephony +2.3 3.0 http://tizen.org/privilege/unlimitedstorage http://tizen.org/privilege/notexist 2.3 3.0 http://tizen.org/privilege/volume.set http://tizen.org/privilege/volume.set -2.3 3.0 http://tizen.org/privilege/message.read http://tizen.org/privilege/message.read -2.3 3.0 http://tizen.org/privilege/network.get http://tizen.org/privilege/network.get -2.3 3.0 http://tizen.org/privilege/internet http://tizen.org/privilege/internet -2.3 3.0 http://tizen.org/privilege/notification http://tizen.org/privilege/notification -2.3 3.0 http://tizen.org/privilege/mediastorage http://tizen.org/privilege/mediastorage -2.3 3.0 http://tizen.org/privilege/mediacontroller.server http://tizen.org/privilege/mediacontroller.server -2.3 3.0 http://tizen.org/privilege/packagemanager.admin http://tizen.org/privilege/packagemanager.admin -2.3 3.0 http://tizen.org/privilege/appmanager.certificate http://tizen.org/privilege/appmanager.certificate -2.3 3.0 http://tizen.org/privilege/keymanager http://tizen.org/privilege/keymanager -2.3 3.0 http://tizen.org/privilege/callhistory.read http://tizen.org/privilege/callhistory.read -2.3 3.0 http://tizen.org/privilege/calendar.read http://tizen.org/privilege/calendar.read -2.3 3.0 http://tizen.org/privilege/push http://tizen.org/privilege/push 
-2.3 3.0 http://tizen.org/privilege/nfc http://tizen.org/privilege/nfc -2.3 3.0 http://tizen.org/privilege/camera http://tizen.org/privilege/camera -2.3 3.0 http://tizen.org/privilege/contact.write http://tizen.org/privilege/contact.write -2.3 3.0 http://tizen.org/privilege/message.write http://tizen.org/privilege/message.write -2.3 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/callhistory.write -2.3 3.0 http://tizen.org/privilege/datasharing http://tizen.org/privilege/datasharing -2.3 3.0 http://tizen.org/privilege/unlimitedstorage http://tizen.org/privilege/unlimitedstorage -2.3 3.0 http://tizen.org/privilege/display http://tizen.org/privilege/display -2.3 3.0 http://tizen.org/privilege/bluetooth.admin http://tizen.org/privilege/bluetooth.admin -2.3 3.0 http://tizen.org/privilege/appmanager.launch http://tizen.org/privilege/appmanager.launch -2.3 3.0 http://tizen.org/privilege/telephony http://tizen.org/privilege/telephony -2.3 3.0 http://tizen.org/privilege/download http://tizen.org/privilege/download -2.3 3.0 http://tizen.org/privilege/recorder http://tizen.org/privilege/recorder -2.3 3.0 http://tizen.org/privilege/account.write http://tizen.org/privilege/account.write -2.3 3.0 http://tizen.org/privilege/contact.read http://tizen.org/privilege/contact.read -2.3 3.0 http://tizen.org/privilege/nfc.cardemulation http://tizen.org/privilege/nfc.cardemulation -2.3 3.0 http://tizen.org/privilege/led http://tizen.org/privilege/led -2.3 3.0 http://tizen.org/privilege/account.read http://tizen.org/privilege/account.read -2.3 3.0 http://tizen.org/privilege/call http://tizen.org/privilege/call -2.3 3.0 http://tizen.org/privilege/nfc.admin http://tizen.org/privilege/nfc.admin -2.3 3.0 http://tizen.org/privilege/fullscreen http://tizen.org/privilege/fullscreen -2.3 3.0 http://tizen.org/privilege/network.set http://tizen.org/privilege/network.set -2.3 3.0 http://tizen.org/privilege/volume.set http://tizen.org/privilege/volume.set -2.3 3.0 
http://tizen.org/privilege/application.read http://tizen.org/privilege/application.read -2.3 3.0 http://tizen.org/privilege/content.write http://tizen.org/privilege/content.write -2.3 3.0 http://tizen.org/privilege/location http://tizen.org/privilege/location -2.3 3.0 http://tizen.org/privilege/bookmark.admin http://tizen.org/privilege/bookmark.admin -2.3 3.0 http://tizen.org/privilege/ime http://tizen.org/privilege/ime -2.3 3.0 http://tizen.org/privilege/systemsettings.admin http://tizen.org/privilege/systemsettings.admin -2.3 3.0 http://tizen.org/privilege/packagemanager.info http://tizen.org/privilege/packagemanager.info -2.3 3.0 http://tizen.org/privilege/mediacontroller.client http://tizen.org/privilege/mediacontroller.client -2.3 3.0 http://tizen.org/privilege/healthinfo http://tizen.org/privilege/healthinfo -2.3 3.0 http://tizen.org/privilege/alarm.set http://tizen.org/privilege/alarm.set -2.3 3.0 http://tizen.org/privilege/appmanager.kill http://tizen.org/privilege/appmanager.kill -2.3 3.0 http://tizen.org/privilege/secureelement http://tizen.org/privilege/secureelement -2.3 3.0 http://tizen.org/privilege/alarm.get http://tizen.org/privilege/alarm.get -2.3 3.0 http://tizen.org/privilege/calendar.write http://tizen.org/privilege/calendar.write -2.3 3.0 http://tizen.org/privilege/email http://tizen.org/privilege/email -2.4 3.0 http://tizen.org/privilege/message.read http://tizen.org/privilege/message.read -2.4 3.0 http://tizen.org/privilege/network.get http://tizen.org/privilege/network.get -2.4 3.0 http://tizen.org/privilege/internet http://tizen.org/privilege/internet -2.4 3.0 http://tizen.org/privilege/notification http://tizen.org/privilege/notification -2.4 3.0 http://tizen.org/privilege/mediastorage http://tizen.org/privilege/mediastorage -2.4 3.0 http://tizen.org/privilege/mediacontroller.server http://tizen.org/privilege/mediacontroller.server -2.4 3.0 http://tizen.org/privilege/packagemanager.admin http://tizen.org/privilege/packagemanager.admin -2.4 
3.0 http://tizen.org/privilege/appmanager.certificate http://tizen.org/privilege/appmanager.certificate -2.4 3.0 http://tizen.org/privilege/keymanager http://tizen.org/privilege/keymanager -2.4 3.0 http://tizen.org/privilege/callhistory.read http://tizen.org/privilege/callhistory.read +2.3 3.0 http://tizen.org/privilege/websetting http://tizen.org/privilege/notexist +2.3.1 3.0 http://tizen.org/privilege/account.read http://tizen.org/privilege/account.read +2.3.1 3.0 http://tizen.org/privilege/account.write http://tizen.org/privilege/account.write +2.3.1 3.0 http://tizen.org/privilege/alarm http://tizen.org/privilege/alarm.get +2.3.1 3.0 http://tizen.org/privilege/alarm http://tizen.org/privilege/alarm.set +2.3.1 3.0 http://tizen.org/privilege/application.info http://tizen.org/privilege/packagemanager.info +2.3.1 3.0 http://tizen.org/privilege/application.launch http://tizen.org/privilege/appmanager.launch +2.3.1 3.0 http://tizen.org/privilege/appmanager.certificate http://tizen.org/privilege/notexist +2.3.1 3.0 http://tizen.org/privilege/appmanager.kill http://tizen.org/privilege/appmanager.kill +2.3.1 3.0 http://tizen.org/privilege/audiorecorder http://tizen.org/privilege/camera +2.3.1 3.0 http://tizen.org/privilege/audiorecorder http://tizen.org/privilege/recorder +2.3.1 3.0 http://tizen.org/privilege/bluetooth.admin http://tizen.org/privilege/bluetooth.admin +2.3.1 3.0 http://tizen.org/privilege/bluetooth.gap http://tizen.org/privilege/bluetooth.admin +2.3.1 3.0 http://tizen.org/privilege/bluetooth.health http://tizen.org/privilege/bluetooth.admin +2.3.1 3.0 http://tizen.org/privilege/bluetooth.spp http://tizen.org/privilege/bluetooth.admin +2.3.1 3.0 http://tizen.org/privilege/bluetoothmanager http://tizen.org/privilege/bluetooth.admin +2.3.1 3.0 http://tizen.org/privilege/bookmark.read http://tizen.org/privilege/bookmark.admin +2.3.1 3.0 http://tizen.org/privilege/bookmark.write http://tizen.org/privilege/bookmark.admin +2.3.1 3.0 
http://tizen.org/privilege/calendar.read http://tizen.org/privilege/calendar.read +2.3.1 3.0 http://tizen.org/privilege/calendar.write http://tizen.org/privilege/calendar.read +2.3.1 3.0 http://tizen.org/privilege/calendar.write http://tizen.org/privilege/calendar.write +2.3.1 3.0 http://tizen.org/privilege/call http://tizen.org/privilege/call +2.3.1 3.0 http://tizen.org/privilege/callhistory.read http://tizen.org/privilege/callhistory.read +2.3.1 3.0 http://tizen.org/privilege/callhistory.read http://tizen.org/privilege/contact.read +2.3.1 3.0 http://tizen.org/privilege/callhistory.read http://tizen.org/privilege/telephony +2.3.1 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/callhistory.read +2.3.1 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/callhistory.write +2.3.1 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/contact.read +2.3.1 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/contact.write +2.3.1 3.0 http://tizen.org/privilege/camera http://tizen.org/privilege/camera +2.3.1 3.0 http://tizen.org/privilege/camera http://tizen.org/privilege/recorder +2.3.1 3.0 http://tizen.org/privilege/contact.read http://tizen.org/privilege/contact.read +2.3.1 3.0 http://tizen.org/privilege/contact.write http://tizen.org/privilege/contact.read +2.3.1 3.0 http://tizen.org/privilege/contact.write http://tizen.org/privilege/contact.write +2.3.1 3.0 http://tizen.org/privilege/content.read http://tizen.org/privilege/content.write +2.3.1 3.0 http://tizen.org/privilege/content.write http://tizen.org/privilege/content.write +2.3.1 3.0 http://tizen.org/privilege/datacontrol.consumer http://tizen.org/privilege/appmanager.launch +2.3.1 3.0 http://tizen.org/privilege/datacontrol.consumer http://tizen.org/privilege/datasharing +2.3.1 3.0 http://tizen.org/privilege/datasync http://tizen.org/privilege/notexist +2.3.1 3.0 http://tizen.org/privilege/download 
http://tizen.org/privilege/download +2.3.1 3.0 http://tizen.org/privilege/filesystem.read http://tizen.org/privilege/systemsettings.admin +2.3.1 3.0 http://tizen.org/privilege/filesystem.write http://tizen.org/privilege/systemsettings.admin +2.3.1 3.0 http://tizen.org/privilege/fullscreen http://tizen.org/privilege/notexist +2.3.1 3.0 http://tizen.org/privilege/healthinfo http://tizen.org/privilege/healthinfo +2.3.1 3.0 http://tizen.org/privilege/internet http://tizen.org/privilege/internet +2.3.1 3.0 http://tizen.org/privilege/location http://tizen.org/privilege/location +2.3.1 3.0 http://tizen.org/privilege/mediacapture http://tizen.org/privilege/camera +2.3.1 3.0 http://tizen.org/privilege/mediacapture http://tizen.org/privilege/recorder +2.3.1 3.0 http://tizen.org/privilege/messaging.read http://tizen.org/privilege/email +2.3.1 3.0 http://tizen.org/privilege/messaging.read http://tizen.org/privilege/message.read +2.3.1 3.0 http://tizen.org/privilege/messaging.read http://tizen.org/privilege/mediastorage +2.3.1 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/callhistory.read +2.3.1 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/callhistory.write +2.3.1 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/contact.read +2.3.1 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/contact.write +2.3.1 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/email +2.3.1 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/message.read +2.3.1 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/message.write +2.3.1 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/mediastorage +2.3.1 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/telephony +2.3.1 3.0 http://tizen.org/privilege/networkbearerselection http://tizen.org/privilege/network.set +2.3.1 3.0 
http://tizen.org/privilege/nfc.admin http://tizen.org/privilege/secureelement +2.3.1 3.0 http://tizen.org/privilege/nfc.admin http://tizen.org/privilege/nfc.admin +2.3.1 3.0 http://tizen.org/privilege/nfc.cardemulation http://tizen.org/privilege/nfc.cardemulation +2.3.1 3.0 http://tizen.org/privilege/nfc.common http://tizen.org/privilege/secureelement +2.3.1 3.0 http://tizen.org/privilege/nfc.common http://tizen.org/privilege/nfc +2.3.1 3.0 http://tizen.org/privilege/nfc.p2p http://tizen.org/privilege/secureelement +2.3.1 3.0 http://tizen.org/privilege/nfc.p2p http://tizen.org/privilege/nfc +2.3.1 3.0 http://tizen.org/privilege/nfc.tag http://tizen.org/privilege/secureelement +2.3.1 3.0 http://tizen.org/privilege/nfc.tag http://tizen.org/privilege/nfc +2.3.1 3.0 http://tizen.org/privilege/notification http://tizen.org/privilege/notification +2.3.1 3.0 http://tizen.org/privilege/notification http://tizen.org/privilege/packagemanager.info +2.3.1 3.0 http://tizen.org/privilege/package.info http://tizen.org/privilege/packagemanager.info +2.3.1 3.0 http://tizen.org/privilege/packagemanager.install http://tizen.org/privilege/packagemanager.admin +2.3.1 3.0 http://tizen.org/privilege/power http://tizen.org/privilege/display +2.3.1 3.0 http://tizen.org/privilege/push http://tizen.org/privilege/push +2.3.1 3.0 http://tizen.org/privilege/secureelement http://tizen.org/privilege/secureelement +2.3.1 3.0 http://tizen.org/privilege/setting http://tizen.org/privilege/systemsettings.admin +2.3.1 3.0 http://tizen.org/privilege/system http://tizen.org/privilege/telephony +2.3.1 3.0 http://tizen.org/privilege/telephony http://tizen.org/privilege/telephony +2.3.1 3.0 http://tizen.org/privilege/unlimitedstorage http://tizen.org/privilege/notexist +2.3.1 3.0 http://tizen.org/privilege/volume.set http://tizen.org/privilege/volume.set +2.3.1 3.0 http://tizen.org/privilege/websetting http://tizen.org/privilege/notexist +2.4 3.0 http://tizen.org/privilege/account.read 
http://tizen.org/privilege/account.read +2.4 3.0 http://tizen.org/privilege/account.write http://tizen.org/privilege/account.write +2.4 3.0 http://tizen.org/privilege/alarm http://tizen.org/privilege/alarm.get +2.4 3.0 http://tizen.org/privilege/alarm http://tizen.org/privilege/alarm.set +2.4 3.0 http://tizen.org/privilege/application.info http://tizen.org/privilege/packagemanager.info +2.4 3.0 http://tizen.org/privilege/application.launch http://tizen.org/privilege/appmanager.launch +2.4 3.0 http://tizen.org/privilege/appmanager.certificate http://tizen.org/privilege/notexist +2.4 3.0 http://tizen.org/privilege/appmanager.kill http://tizen.org/privilege/appmanager.kill +2.4 3.0 http://tizen.org/privilege/audiorecorder http://tizen.org/privilege/camera +2.4 3.0 http://tizen.org/privilege/audiorecorder http://tizen.org/privilege/recorder +2.4 3.0 http://tizen.org/privilege/bluetooth http://tizen.org/privilege/bluetooth +2.4 3.0 http://tizen.org/privilege/bluetoothmanager http://tizen.org/privilege/bluetooth.admin +2.4 3.0 http://tizen.org/privilege/bookmark.read http://tizen.org/privilege/bookmark.admin +2.4 3.0 http://tizen.org/privilege/bookmark.write http://tizen.org/privilege/bookmark.admin 2.4 3.0 http://tizen.org/privilege/calendar.read http://tizen.org/privilege/calendar.read -2.4 3.0 http://tizen.org/privilege/push http://tizen.org/privilege/push -2.4 3.0 http://tizen.org/privilege/nfc http://tizen.org/privilege/nfc +2.4 3.0 http://tizen.org/privilege/calendar.write http://tizen.org/privilege/calendar.read +2.4 3.0 http://tizen.org/privilege/calendar.write http://tizen.org/privilege/calendar.write +2.4 3.0 http://tizen.org/privilege/call http://tizen.org/privilege/call +2.4 3.0 http://tizen.org/privilege/callhistory.read http://tizen.org/privilege/callhistory.read +2.4 3.0 http://tizen.org/privilege/callhistory.read http://tizen.org/privilege/contact.read +2.4 3.0 http://tizen.org/privilege/callhistory.read http://tizen.org/privilege/telephony +2.4 3.0 
http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/callhistory.read +2.4 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/callhistory.write +2.4 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/contact.read +2.4 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/contact.write 2.4 3.0 http://tizen.org/privilege/camera http://tizen.org/privilege/camera +2.4 3.0 http://tizen.org/privilege/camera http://tizen.org/privilege/recorder +2.4 3.0 http://tizen.org/privilege/contact.read http://tizen.org/privilege/contact.read +2.4 3.0 http://tizen.org/privilege/contact.write http://tizen.org/privilege/contact.read 2.4 3.0 http://tizen.org/privilege/contact.write http://tizen.org/privilege/contact.write -2.4 3.0 http://tizen.org/privilege/message.write http://tizen.org/privilege/message.write -2.4 3.0 http://tizen.org/privilege/callhistory.write http://tizen.org/privilege/callhistory.write -2.4 3.0 http://tizen.org/privilege/datasharing http://tizen.org/privilege/datasharing -2.4 3.0 http://tizen.org/privilege/unlimitedstorage http://tizen.org/privilege/unlimitedstorage -2.4 3.0 http://tizen.org/privilege/display http://tizen.org/privilege/display -2.4 3.0 http://tizen.org/privilege/bluetooth.admin http://tizen.org/privilege/bluetooth.admin -2.4 3.0 http://tizen.org/privilege/appmanager.launch http://tizen.org/privilege/appmanager.launch -2.4 3.0 http://tizen.org/privilege/telephony http://tizen.org/privilege/telephony +2.4 3.0 http://tizen.org/privilege/content.read http://tizen.org/privilege/content.write +2.4 3.0 http://tizen.org/privilege/content.write http://tizen.org/privilege/content.write +2.4 3.0 http://tizen.org/privilege/datacontrol.consumer http://tizen.org/privilege/appmanager.launch +2.4 3.0 http://tizen.org/privilege/datacontrol.consumer http://tizen.org/privilege/datasharing +2.4 3.0 http://tizen.org/privilege/datasync http://tizen.org/privilege/notexist 2.4 3.0 
http://tizen.org/privilege/download http://tizen.org/privilege/download -2.4 3.0 http://tizen.org/privilege/recorder http://tizen.org/privilege/recorder -2.4 3.0 http://tizen.org/privilege/account.write http://tizen.org/privilege/account.write -2.4 3.0 http://tizen.org/privilege/contact.read http://tizen.org/privilege/contact.read -2.4 3.0 http://tizen.org/privilege/nfc.cardemulation http://tizen.org/privilege/nfc.cardemulation +2.4 3.0 http://tizen.org/privilege/filesystem.read http://tizen.org/privilege/systemsettings.admin +2.4 3.0 http://tizen.org/privilege/filesystem.write http://tizen.org/privilege/systemsettings.admin +2.4 3.0 http://tizen.org/privilege/fullscreen http://tizen.org/privilege/notexist +2.4 3.0 http://tizen.org/privilege/healthinfo http://tizen.org/privilege/healthinfo +2.4 3.0 http://tizen.org/privilege/internet http://tizen.org/privilege/internet +2.4 3.0 http://tizen.org/privilege/ime http://tizen.org/privilege/ime 2.4 3.0 http://tizen.org/privilege/led http://tizen.org/privilege/led -2.4 3.0 http://tizen.org/privilege/account.read http://tizen.org/privilege/account.read -2.4 3.0 http://tizen.org/privilege/call http://tizen.org/privilege/call -2.4 3.0 http://tizen.org/privilege/nfc.admin http://tizen.org/privilege/nfc.admin -2.4 3.0 http://tizen.org/privilege/fullscreen http://tizen.org/privilege/fullscreen -2.4 3.0 http://tizen.org/privilege/network.set http://tizen.org/privilege/network.set -2.4 3.0 http://tizen.org/privilege/volume.set http://tizen.org/privilege/volume.set -2.4 3.0 http://tizen.org/privilege/application.read http://tizen.org/privilege/application.read -2.4 3.0 http://tizen.org/privilege/content.write http://tizen.org/privilege/content.write 2.4 3.0 http://tizen.org/privilege/location http://tizen.org/privilege/location -2.4 3.0 http://tizen.org/privilege/bookmark.admin http://tizen.org/privilege/bookmark.admin -2.4 3.0 http://tizen.org/privilege/ime http://tizen.org/privilege/ime -2.4 3.0 
http://tizen.org/privilege/systemsettings.admin http://tizen.org/privilege/systemsettings.admin -2.4 3.0 http://tizen.org/privilege/packagemanager.info http://tizen.org/privilege/packagemanager.info +2.4 3.0 http://tizen.org/privilege/mediacapture http://tizen.org/privilege/camera +2.4 3.0 http://tizen.org/privilege/mediacapture http://tizen.org/privilege/recorder 2.4 3.0 http://tizen.org/privilege/mediacontroller.client http://tizen.org/privilege/mediacontroller.client -2.4 3.0 http://tizen.org/privilege/healthinfo http://tizen.org/privilege/healthinfo -2.4 3.0 http://tizen.org/privilege/alarm.set http://tizen.org/privilege/alarm.set -2.4 3.0 http://tizen.org/privilege/appmanager.kill http://tizen.org/privilege/appmanager.kill +2.4 3.0 http://tizen.org/privilege/mediacontroller.server http://tizen.org/privilege/mediacontroller.server +2.4 3.0 http://tizen.org/privilege/messaging.read http://tizen.org/privilege/email +2.4 3.0 http://tizen.org/privilege/messaging.read http://tizen.org/privilege/message.read +2.4 3.0 http://tizen.org/privilege/messaging.read http://tizen.org/privilege/mediastorage +2.4 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/callhistory.read +2.4 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/callhistory.write +2.4 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/contact.read +2.4 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/contact.write +2.4 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/email +2.4 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/message.read +2.4 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/message.write +2.4 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/mediastorage +2.4 3.0 http://tizen.org/privilege/messaging.write http://tizen.org/privilege/telephony +2.4 3.0 
http://tizen.org/privilege/networkbearerselection http://tizen.org/privilege/network.set +2.4 3.0 http://tizen.org/privilege/nfc.admin http://tizen.org/privilege/secureelement +2.4 3.0 http://tizen.org/privilege/nfc.admin http://tizen.org/privilege/nfc.admin +2.4 3.0 http://tizen.org/privilege/nfc.cardemulation http://tizen.org/privilege/nfc.cardemulation +2.4 3.0 http://tizen.org/privilege/nfc.common http://tizen.org/privilege/secureelement +2.4 3.0 http://tizen.org/privilege/nfc.common http://tizen.org/privilege/nfc +2.4 3.0 http://tizen.org/privilege/nfc.p2p http://tizen.org/privilege/secureelement +2.4 3.0 http://tizen.org/privilege/nfc.p2p http://tizen.org/privilege/nfc +2.4 3.0 http://tizen.org/privilege/nfc.tag http://tizen.org/privilege/secureelement +2.4 3.0 http://tizen.org/privilege/nfc.tag http://tizen.org/privilege/nfc +2.4 3.0 http://tizen.org/privilege/notification http://tizen.org/privilege/notification +2.4 3.0 http://tizen.org/privilege/notification http://tizen.org/privilege/packagemanager.info +2.4 3.0 http://tizen.org/privilege/package.info http://tizen.org/privilege/packagemanager.info +2.4 3.0 http://tizen.org/privilege/packagemanager.install http://tizen.org/privilege/packagemanager.admin +2.4 3.0 http://tizen.org/privilege/power http://tizen.org/privilege/display +2.4 3.0 http://tizen.org/privilege/push http://tizen.org/privilege/push 2.4 3.0 http://tizen.org/privilege/secureelement http://tizen.org/privilege/secureelement -2.4 3.0 http://tizen.org/privilege/alarm.get http://tizen.org/privilege/alarm.get -2.4 3.0 http://tizen.org/privilege/calendar.write http://tizen.org/privilege/calendar.write -2.4 3.0 http://tizen.org/privilege/email http://tizen.org/privilege/email +2.4 3.0 http://tizen.org/privilege/setting http://tizen.org/privilege/systemsettings.admin +2.4 3.0 http://tizen.org/privilege/system http://tizen.org/privilege/telephony +2.4 3.0 http://tizen.org/privilege/telephony http://tizen.org/privilege/telephony +2.4 3.0 
http://tizen.org/privilege/unlimitedstorage http://tizen.org/privilege/notexist
+2.4 3.0 http://tizen.org/privilege/volume.set http://tizen.org/privilege/volume.set
-- 2.7.4 From 3a0fbcccc9c7f5ef47a05e835b7619e1068f53b9 Mon Sep 17 00:00:00 2001 From: Yunjin Lee Date: Wed, 2 Sep 2015 13:57:50 +0900 Subject: [PATCH 08/16] Update privilege list: Add missing privileges to user buckets and mapping list Change-Id: Ic47dfa9255b4bb5fe3e8e98a2e2d9c06dc475877 Signed-off-by: Yunjin Lee --- policy/privilege-mapping.list | 10 ++++++++++ policy/usertype-admin.profile | 1 + policy/usertype-guest.profile | 1 + policy/usertype-normal.profile | 1 + policy/usertype-system.profile | 1 + 5 files changed, 14 insertions(+)
diff --git a/policy/privilege-mapping.list b/policy/privilege-mapping.list
index 49b4743..024753b 100644
--- a/policy/privilege-mapping.list
+++ b/policy/privilege-mapping.list
@@ -148,6 +148,11 @@
 2.3 3.0 http://tizen.org/privilege/setting http://tizen.org/privilege/systemsettings.admin
 2.3 3.0 http://tizen.org/privilege/system http://tizen.org/privilege/telephony
 2.3 3.0 http://tizen.org/privilege/systemmanager http://tizen.org/privilege/telephony
+2.3 3.0 http://tizen.org/privilege/tv.audio http://tizen.org/privilege/notexist
+2.3 3.0 http://tizen.org/privilege/tv.channel http://tizen.org/privilege/notexist
+2.3 3.0 http://tizen.org/privilege/tv.display http://tizen.org/privilege/notexist
+2.3 3.0 http://tizen.org/privilege/tv.inputdevice http://tizen.org/privilege/notexist
+2.3 3.0 http://tizen.org/privilege/tv.window http://tizen.org/privilege/notexist
 2.3 3.0 http://tizen.org/privilege/unlimitedstorage http://tizen.org/privilege/notexist
 2.3 3.0 http://tizen.org/privilege/volume.set http://tizen.org/privilege/volume.set
 2.3 3.0 http://tizen.org/privilege/websetting http://tizen.org/privilege/notexist
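Review bot: Several rows added by the `@@ -88,108 +147,171 @@` hunk translate a read-only or narrow legacy privilege into a broader 3.0 one: for 2.3.1 and 2.4, `content.read` maps to `content.write`, `bookmark.read` to `bookmark.admin`, `filesystem.read` to `systemsettings.admin`, and `audiorecorder` to both `camera` and `recorder`. If the consumer grants every right-hand privilege of a matching row (presumably; the loader is not part of this patch), an application that declared only read or audio access ends up holding write, admin or camera rights. Where no narrower 3.0 privilege exists this may be unavoidable, but each intentional widening should be listed in the commit message or an accompanying policy note so that later audits do not have to rediscover them.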
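Review bot: The five `tv.*` rows are added to the 2.3 block in the `@@ -148,6 +148,11 @@` hunk and to the 2.4 block in the `@@ -313,5 +318,10 @@` hunk, and the diffstat's 10 insertions show that the 2.3.1 block receives none. If a package targeting 2.3.1 can declare `http://tizen.org/privilege/tv.audio` (not determinable from this patch), it gets no mapping row at all instead of the explicit `notexist` target, and how the consumer treats an unmapped privilege should be confirmed. Either add the matching rows, e.g. `2.3.1 3.0 http://tizen.org/privilege/tv.audio http://tizen.org/privilege/notexist`, or state in the commit message that these privileges exist only in 2.3 and 2.4.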
@@ -313,5 +318,10 @@
 2.4 3.0 http://tizen.org/privilege/setting http://tizen.org/privilege/systemsettings.admin
 2.4 3.0 http://tizen.org/privilege/system http://tizen.org/privilege/telephony
 2.4 3.0 http://tizen.org/privilege/telephony http://tizen.org/privilege/telephony
+2.4 3.0 http://tizen.org/privilege/tv.audio http://tizen.org/privilege/notexist
+2.4 3.0 http://tizen.org/privilege/tv.channel http://tizen.org/privilege/notexist
+2.4 3.0 http://tizen.org/privilege/tv.display http://tizen.org/privilege/notexist
+2.4 3.0 http://tizen.org/privilege/tv.inputdevice http://tizen.org/privilege/notexist
+2.4 3.0 http://tizen.org/privilege/tv.window http://tizen.org/privilege/notexist
 2.4 3.0 http://tizen.org/privilege/unlimitedstorage http://tizen.org/privilege/notexist
 2.4 3.0 http://tizen.org/privilege/volume.set http://tizen.org/privilege/volume.set
diff --git a/policy/usertype-admin.profile b/policy/usertype-admin.profile
index e8915cc..aa4324d 100644
--- a/policy/usertype-admin.profile
+++ b/policy/usertype-admin.profile
@@ -4,6 +4,7 @@
 * http://tizen.org/privilege/account.write
 * http://tizen.org/privilege/alarm.get
 * http://tizen.org/privilege/alarm.set
+* http://tizen.org/privilege/antivirus
 * http://tizen.org/privilege/apphistory.read
 * http://tizen.org/privilege/appmanager.kill
 * http://tizen.org/privilege/appmanager.kill.bgapp
diff --git a/policy/usertype-guest.profile b/policy/usertype-guest.profile
index 13b6013..21fdf35 100644
--- a/policy/usertype-guest.profile
+++ b/policy/usertype-guest.profile
@@ -4,6 +4,7 @@
 * http://tizen.org/privilege/account.write
 * http://tizen.org/privilege/alarm.get
 * http://tizen.org/privilege/alarm.set
+* http://tizen.org/privilege/antivirus
 * http://tizen.org/privilege/apphistory.read
 * http://tizen.org/privilege/appmanager.kill
 * http://tizen.org/privilege/appmanager.kill.bgapp
diff --git a/policy/usertype-normal.profile b/policy/usertype-normal.profile
index 103f13d..df281ab 100644
--- a/policy/usertype-normal.profile
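Review bot: `* http://tizen.org/privilege/antivirus` is added identically to `policy/usertype-admin.profile` and to the guest, normal and system profiles in the three following hunks, so the guest user type receives the same entry as admin. An antivirus privilege presumably gates access to scanning or content-inspection services, which a guest bucket would not normally need, and the commit message says only "missing privileges" without explaining the choice. If the uniform grant is intentional, record the reason in the commit message; otherwise drop the line from `policy/usertype-guest.profile`.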
+++ b/policy/usertype-normal.profile
@@ -4,6 +4,7 @@
 * http://tizen.org/privilege/account.write
 * http://tizen.org/privilege/alarm.get
 * http://tizen.org/privilege/alarm.set
+* http://tizen.org/privilege/antivirus
 * http://tizen.org/privilege/apphistory.read
 * http://tizen.org/privilege/appmanager.kill
 * http://tizen.org/privilege/appmanager.kill.bgapp
diff --git a/policy/usertype-system.profile b/policy/usertype-system.profile
index 3e0abb6..8a1aa5e 100644
--- a/policy/usertype-system.profile
+++ b/policy/usertype-system.profile
@@ -4,6 +4,7 @@
 * http://tizen.org/privilege/account.write
 * http://tizen.org/privilege/alarm.get
 * http://tizen.org/privilege/alarm.set
+* http://tizen.org/privilege/antivirus
 * http://tizen.org/privilege/apphistory.read
 * http://tizen.org/privilege/appmanager.kill
 * http://tizen.org/privilege/appmanager.kill.bgapp
-- 2.7.4 From ba5d664e58432f4045bb0d26a99e861eadb0fc81 Mon Sep 17 00:00:00 2001 From: Aleksander Zdyb Date: Fri, 31 Jul 2015 13:05:55 +0200 Subject: [PATCH 09/16] Add security_manager_groups_get() API This function returns array of groups bound to privileges. It's needed by nice-lad to identify resources to be subject of auditing. Change-Id: Ie7a195507a02a30d54f93ffbc351c403f2c83000 --- src/client/client-security-manager.cpp | 80 +++++++++++++++++++++++++++++++++- src/common/include/privilege_db.h | 15 ++++++- src/common/include/protocols.h | 3 +- src/common/include/service_impl.h | 11 ++++- src/common/privilege_db.cpp | 15 ++++++- src/common/service_impl.cpp | 15 ++++++- src/include/security-manager.h | 24 +++++++++- src/server/service/include/service.h | 8 +++- src/server/service/service.cpp | 16 ++++++- 9 files changed, 177 insertions(+), 10 deletions(-)
diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp
index 308da19..62e5663 100644
--- a/src/client/client-security-manager.cpp
+++ b/src/client/client-security-manager.cpp
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * 
@@ -1078,3 +1078,81 @@ void security_manager_privilege_mapping_free(char **privileges_mappings, size_t free(privileges_mappings[i]); delete [] privileges_mappings; } + +SECURITY_MANAGER_API +int security_manager_groups_get(char ***groups, size_t *groups_count) +{ + using namespace SecurityManager; + MessageBuffer send, recv; + if (!groups || !groups_count) + return SECURITY_MANAGER_ERROR_INPUT_PARAM; + return try_catch([&] { + + //put data into buffer + Serialization::Serialize(send, static_cast(SecurityModuleCall::GROUPS_GET)); + + //send buffer to server + int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); + if (retval != SECURITY_MANAGER_API_SUCCESS) { + LogError("Error in sendToServer. Error code: " << retval); + return SECURITY_MANAGER_ERROR_UNKNOWN; + } + + //receive response from server + Deserialization::Deserialize(recv, retval); + + switch(retval) { + case SECURITY_MANAGER_API_SUCCESS: + // success - continue + break; + case SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY: + return SECURITY_MANAGER_ERROR_MEMORY; + case SECURITY_MANAGER_API_ERROR_INPUT_PARAM: + return SECURITY_MANAGER_ERROR_INPUT_PARAM; + default: + return SECURITY_MANAGER_ERROR_UNKNOWN; + } + + std::vector vgroups; + Deserialization::Deserialize(recv, vgroups); + const auto vgroups_size = vgroups.size(); + LogInfo("Number of groups: " << vgroups_size); + + std::unique_ptr> array( + static_cast(calloc(vgroups_size, sizeof(char *))), + std::bind(security_manager_groups_free, std::placeholders::_1, vgroups_size)); + + if (array == nullptr) + return SECURITY_MANAGER_ERROR_MEMORY; + + for (size_t i = 0; i < vgroups_size; ++i) { + const auto &group = vgroups.at(i); + + if (group.empty()) { + LogError("Unexpected empty group"); + return SECURITY_MANAGER_ERROR_UNKNOWN; + } + + array.get()[i] = strdup(group.c_str()); + if (array.get()[i] == nullptr) + return SECURITY_MANAGER_ERROR_MEMORY; + } + + *groups_count = vgroups_size; + *groups = array.release(); + + return SECURITY_MANAGER_SUCCESS; + 
}); +} + +SECURITY_MANAGER_API +void security_manager_groups_free(char **groups, size_t groups_count) +{ + if (groups == nullptr) + return; + + for (size_t i = 0; i < groups_count; i++) + free(groups[i]); + + free(groups); +} diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h index 83fb157..27f68d6 100644 --- a/src/common/include/privilege_db.h +++ b/src/common/include/privilege_db.h @@ -1,7 +1,7 @@ /* * security-manager, database access * - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * @@ -24,6 +24,7 @@ * @author Krzysztof Sasiak * @author Rafal Krypa * @author Zofia Abramowska + * @author Aleksander Zdyb * @version 1.0 * @brief This file contains declaration of the API to privilges database. */ @@ -60,7 +61,8 @@ enum class StmtType { EGetPrivilegeMappings, EInsertPrivilegeToMap, EGetPrivilegesMappings, - EDeletePrivilegesToMap + EDeletePrivilegesToMap, + EGetGroups }; class PrivilegeDb { @@ -110,6 +112,7 @@ private: " WHERE version_from_name=? AND version_to_name=?" " AND privilege_name IN (SELECT privilege_name FROM privilege_to_map)"}, { StmtType::EDeletePrivilegesToMap, "DELETE FROM privilege_to_map"}, + { StmtType::EGetGroups, "SELECT DISTINCT group_name FROM privilege_group_view" }, }; /** @@ -320,6 +323,14 @@ public: const std::string &version_to, const std::vector &privileges, std::vector &mappings); + + /** + * Retrieve list of resource groups + * + * @param[out] grp_names - list of group names + * @exception DB::SqlConnection::Exception::InternalError on internal error + */ + void GetGroups(std::vector &grp_names); }; } //namespace SecurityManager diff --git a/src/common/include/protocols.h b/src/common/include/protocols.h index c0caf45..4031510 100644 --- a/src/common/include/protocols.h +++ b/src/common/include/protocols.h 
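Review bot: In `security_manager_groups_get`, an empty group list from the server can come back as `SECURITY_MANAGER_ERROR_MEMORY`, because `calloc(0, sizeof(char *))` is allowed to return a null pointer and the `if (array == nullptr)` check treats that as an allocation failure. Tying the check to the count keeps the empty result a success: `if (vgroups_size != 0 && array == nullptr)`. `*groups` may then be null when `*groups_count` is 0, which `security_manager_groups_free` already accepts through its own null check. The function would also benefit from a short comment stating that `*groups` and `*groups_count` are written only on success, since every error path returns before the two assignments.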
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * @@ -137,6 +137,7 @@ enum class SecurityModuleCall GET_CONF_POLICY_SELF, POLICY_GET_DESCRIPTIONS, GET_PRIVILEGES_MAPPING, + GROUPS_GET, NOOP = 0x90, }; diff --git a/src/common/include/service_impl.h b/src/common/include/service_impl.h index 8374233..4444f52 100644 --- a/src/common/include/service_impl.h +++ b/src/common/include/service_impl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2014-2015 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * @@ -182,6 +182,15 @@ int getPrivilegesMappings(const std::string &version_from, const std::vector &privileges, std::vector &mappings); +/** + * Process getting resources group list. + * + * @param[out] groups empty vector for group strings + * + * @return API return code, as defined in protocols.h + */ +int policyGetGroups(std::vector &groups); + } /* namespace ServiceImpl */ } /* namespace SecurityManager */ diff --git a/src/common/privilege_db.cpp b/src/common/privilege_db.cpp index 0498f21..9997128 100644 --- a/src/common/privilege_db.cpp +++ b/src/common/privilege_db.cpp @@ -1,7 +1,7 @@ /* * security-manager, database access * - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * @@ -386,4 +386,17 @@ void PrivilegeDb::GetPrivilegesMappings(const std::string &version_from, }); } +void PrivilegeDb::GetGroups(std::vector &groups) +{ + try_catch([&] { + auto command = getStatement(StmtType::EGetGroups); + + while (command->Step()) { + std::string groupName = command->GetColumnString(0); + LogDebug("Group " << groupName); + groups.push_back(groupName); + }; + }); +} + } //namespace SecurityManager 
diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp index 503fd62..95f09c0 100644 --- a/src/common/service_impl.cpp +++ b/src/common/service_impl.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2014-2015 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * @@ -1031,5 +1031,18 @@ int getPrivilegesMappings(const std::string &version_from, return errorRet; } +int policyGetGroups(std::vector &groups) { + int ret = SECURITY_MANAGER_API_SUCCESS; + + try { + PrivilegeDb::getInstance().GetGroups(groups); + } catch (const PrivilegeDb::Exception::Base &e) { + LogError("Error while getting groups from database: " << e.DumpToString()); + return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + } + + return ret; +} + } /* namespace ServiceImpl */ } /* namespace SecurityManager */ diff --git a/src/include/security-manager.h b/src/include/security-manager.h index a96d5e7..3c1304e 100644 --- a/src/include/security-manager.h +++ b/src/include/security-manager.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * 
@@ -760,6 +760,28 @@ int security_manager_get_privileges_mapping(const char *from_version, * @param[in] mapping_count Number of privileges */ void security_manager_privilege_mapping_free(char **privileges_mappings, size_t mappings_count); + +/** + * This function returns array of groups bound to privileges of file resources. + * + * Caller needs to free memory allocated for the list using + * security_manager_groups_free(). + * + * @param[out] groups pointer to array of strings. + * @param[out] groups_count number of strings in levels array. + * @return API return code or error code. + */ +int security_manager_groups_get(char ***groups, size_t *groups_count); + +/** + * This function frees memory allocated by security_manager_groups_get() + * function. + * + * @param[in] groups array of strings returned by security_manager_groups_get() function. + * @param[in] groups_count size of the groups array + */ +void security_manager_groups_free(char **groups, size_t groups_count); + #ifdef __cplusplus } #endif diff --git a/src/server/service/include/service.h b/src/server/service/include/service.h index 371d5fd..8087899 100644 --- a/src/server/service/include/service.h +++ b/src/server/service/include/service.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * @@ -150,6 +150,12 @@ private: */ void processPrivilegesMappings(MessageBuffer &recv, MessageBuffer &send); + /** + * Process getting groups bound with privileges + * + * @param send Raw data buffer to be sent + */ + void processGroupsGet(MessageBuffer &send); }; } // namespace SecurityManager diff --git a/src/server/service/service.cpp b/src/server/service/service.cpp index 45cdcf3..9409ec8 100644 --- a/src/server/service/service.cpp +++ b/src/server/service/service.cpp 
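Review bot: The doc comment for `security_manager_groups_get` describes `groups_count` as the "number of strings in levels array", which looks copied from another API; it should read `@param[out] groups_count number of strings in the groups array`. The comment also does not say what the out parameters hold on failure; from the client implementation in this patch they are left untouched, so `Both out parameters are written only when SECURITY_MANAGER_SUCCESS is returned` would be accurate. `@return API return code or error code` could name the codes the function actually returns (`SECURITY_MANAGER_ERROR_INPUT_PARAM`, `SECURITY_MANAGER_ERROR_MEMORY`, `SECURITY_MANAGER_ERROR_UNKNOWN`).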
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Rafal Krypa * @@ -157,6 +157,9 @@ bool Service::processOne(const ConnectionID &conn, MessageBuffer &buffer, case SecurityModuleCall::GET_PRIVILEGES_MAPPING: processPrivilegesMappings(buffer, send); break; + case SecurityModuleCall::GROUPS_GET: + processGroupsGet(send); + break; default: LogError("Invalid call: " << call_type_int); Throw(ServiceException::InvalidAction); @@ -353,4 +356,15 @@ void Service::processPrivilegesMappings(MessageBuffer &recv, MessageBuffer &send Serialization::Serialize(send, mappings); } +void Service::processGroupsGet(MessageBuffer &send) +{ + std::vector groups; + int ret = ServiceImpl::policyGetGroups(groups); + + Serialization::Serialize(send, ret); + if (ret == SECURITY_MANAGER_API_SUCCESS) { + Serialization::Serialize(send, groups); + } +} + } // namespace SecurityManager -- 2.7.4 From 9b0469f5a7e71f4506883fc3e7fdde7ca2fe3bb5 Mon Sep 17 00:00:00 2001 From: Rafal Krypa Date: Thu, 30 Jul 2015 18:19:12 +0200 Subject: [PATCH 10/16] Implement and use template methods for serialization of multiple variables Change-Id: I84f0deaa1a8623d1f3cc1039f6b8689a4d9b4ae1 --- src/client/client-security-manager.cpp | 41 ++++++++------------ src/common/include/protocols.h | 7 +--- src/common/master-req.cpp | 66 +++++++++++++++----------------- src/dpl/core/include/dpl/serialization.h | 8 ++++ 4 files changed, 57 insertions(+), 65 deletions(-) diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp index 62e5663..a995aa0 100644 --- a/src/client/client-security-manager.cpp +++ b/src/client/client-security-manager.cpp 
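Review bot: `Service::processGroupsGet` receives only the `send` buffer, so the new `GROUPS_GET` case in `processOne` answers any client that can reach the service socket without looking at the peer's uid, pid or Smack label. That matches the mappings handler next to it and may be intended, since group names are probably not confidential, but the policy calls declared in service_impl.h do take the caller's identity, so the difference deserves to be explicit. If it is deliberate, record it on the handler, e.g. `// No caller check: the group list is not treated as sensitive`. Both `processOne` and the class body continue outside these hunks.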
@@ -176,12 +176,8 @@ int security_manager_app_install(const app_inst_req *p_req) MessageBuffer send, recv; //put data into buffer - Serialization::Serialize(send, (int)SecurityModuleCall::APP_INSTALL); - Serialization::Serialize(send, p_req->appId); - Serialization::Serialize(send, p_req->pkgId); - Serialization::Serialize(send, p_req->privileges); - Serialization::Serialize(send, p_req->appPaths); - Serialization::Serialize(send, p_req->uid); + Serialization::Serialize(send, (int)SecurityModuleCall::APP_INSTALL, + p_req->appId, p_req->pkgId, p_req->privileges, p_req->appPaths, p_req->uid); //send buffer to server retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); @@ -223,8 +219,8 @@ int security_manager_app_uninstall(const app_inst_req *p_req) return SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE; //put data into buffer - Serialization::Serialize(send, (int)SecurityModuleCall::APP_UNINSTALL); - Serialization::Serialize(send, p_req->appId); + Serialization::Serialize(send, (int)SecurityModuleCall::APP_UNINSTALL, + p_req->appId); //send buffer to server int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); @@ -264,8 +260,8 @@ int security_manager_get_app_pkgid(char **pkg_id, const char *app_id) } //put data into buffer - Serialization::Serialize(send, static_cast(SecurityModuleCall::APP_GET_PKGID)); - Serialization::Serialize(send, std::string(app_id)); + Serialization::Serialize(send, static_cast(SecurityModuleCall::APP_GET_PKGID), + std::string(app_id)); //send buffer to server int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); 
@@ -411,8 +407,8 @@ int security_manager_set_process_groups_from_appid(const char *app_id) } //put data into buffer - Serialization::Serialize(send, static_cast(SecurityModuleCall::APP_GET_GROUPS)); - Serialization::Serialize(send, std::string(app_id)); + Serialization::Serialize(send, static_cast(SecurityModuleCall::APP_GET_GROUPS), + std::string(app_id)); //send buffer to server int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); @@ -586,10 +582,8 @@ int security_manager_user_add(const user_req *p_req) //server is working //put data into buffer - Serialization::Serialize(send, static_cast(SecurityModuleCall::USER_ADD)); - - Serialization::Serialize(send, p_req->uid); - Serialization::Serialize(send, p_req->utype); + Serialization::Serialize(send, static_cast(SecurityModuleCall::USER_ADD), + p_req->uid, p_req->utype); //send buffer to server retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); @@ -622,10 +616,8 @@ int security_manager_user_delete(const user_req *p_req) return try_catch([&] { //put data into buffer - Serialization::Serialize(send, static_cast(SecurityModuleCall::USER_DELETE)); - - Serialization::Serialize(send, p_req->uid); - + Serialization::Serialize(send, static_cast(SecurityModuleCall::USER_DELETE), + p_req->uid); //send buffer to server int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); @@ -683,8 +675,8 @@ int security_manager_policy_update_send(policy_update_req *p_req) return try_catch([&] { //put request into buffer - Serialization::Serialize(send, static_cast(SecurityModuleCall::POLICY_UPDATE)); - Serialization::Serialize(send, p_req->units); + Serialization::Serialize(send, static_cast(SecurityModuleCall::POLICY_UPDATE), + p_req->units); //send it to server int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); 
@@ -724,8 +716,9 @@ static inline int security_manager_get_policy_internal( return try_catch([&] { //put request into buffer - Serialization::Serialize(send, static_cast(call_type)); - Serialization::Serialize(send, *p_filter); + Serialization::Serialize(send, static_cast(call_type), + *p_filter); + //send it to server int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); if (retval != SECURITY_MANAGER_API_SUCCESS) { diff --git a/src/common/include/protocols.h b/src/common/include/protocols.h index 4031510..24859d1 100644 --- a/src/common/include/protocols.h +++ b/src/common/include/protocols.h @@ -181,11 +181,8 @@ struct policy_entry : ISerializable { } virtual void Serialize(IStream &stream) const { - Serialization::Serialize(stream, user); - Serialization::Serialize(stream, appId); - Serialization::Serialize(stream, privilege); - Serialization::Serialize(stream, currentLevel); - Serialization::Serialize(stream, maxLevel); + Serialization::Serialize(stream, + user, appId, privilege, currentLevel, maxLevel); } }; diff --git a/src/common/master-req.cpp b/src/common/master-req.cpp index 96555e3..f6526b3 100644 --- a/src/common/master-req.cpp +++ b/src/common/master-req.cpp @@ -38,12 +38,11 @@ int CynaraPolicyUpdate(const std::string &appId, const std::string &uidstr, { int ret; MessageBuffer sendBuf, retBuf; + Serialization::Serialize(sendBuf, - static_cast(MasterSecurityModuleCall::CYNARA_UPDATE_POLICY)); - Serialization::Serialize(sendBuf, appId); - Serialization::Serialize(sendBuf, uidstr); - Serialization::Serialize(sendBuf, oldPkgPrivileges); - Serialization::Serialize(sendBuf, newPkgPrivileges); + static_cast(MasterSecurityModuleCall::CYNARA_UPDATE_POLICY), + appId, uidstr, oldPkgPrivileges, newPkgPrivileges); + ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); if (ret == SECURITY_MANAGER_API_SUCCESS) Deserialization::Deserialize(retBuf, ret); 
@@ -55,10 +54,11 @@ int CynaraUserInit(const uid_t uidAdded, int userType) { int ret; MessageBuffer sendBuf, retBuf; + Serialization::Serialize(sendBuf, - static_cast(MasterSecurityModuleCall::CYNARA_USER_INIT)); - Serialization::Serialize(sendBuf, uidAdded); - Serialization::Serialize(sendBuf, userType); + static_cast(MasterSecurityModuleCall::CYNARA_USER_INIT), + uidAdded, userType); + ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); if (ret == SECURITY_MANAGER_API_SUCCESS) Deserialization::Deserialize(retBuf, ret); @@ -70,9 +70,11 @@ int CynaraUserRemove(const uid_t uidDeleted) { int ret; MessageBuffer sendBuf, retBuf; + Serialization::Serialize(sendBuf, - static_cast(MasterSecurityModuleCall::CYNARA_USER_REMOVE)); - Serialization::Serialize(sendBuf, uidDeleted); + static_cast(MasterSecurityModuleCall::CYNARA_USER_REMOVE), + uidDeleted); + ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); if (ret == SECURITY_MANAGER_API_SUCCESS) Deserialization::Deserialize(retBuf, ret); @@ -86,10 +88,9 @@ int SmackInstallRules(const std::string &appId, const std::string &pkgId, int ret; MessageBuffer sendBuf, retBuf; Serialization::Serialize(sendBuf, - static_cast(MasterSecurityModuleCall::SMACK_INSTALL_RULES)); - Serialization::Serialize(sendBuf, appId); - Serialization::Serialize(sendBuf, pkgId); - Serialization::Serialize(sendBuf, pkgContents); + static_cast(MasterSecurityModuleCall::SMACK_INSTALL_RULES), + appId, pkgId, pkgContents); + ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); if (ret == SECURITY_MANAGER_API_SUCCESS) Deserialization::Deserialize(retBuf, ret); 
@@ -102,12 +103,11 @@ int SmackUninstallRules(const std::string &appId, const std::string &pkgId, { int ret; MessageBuffer sendBuf, retBuf; + Serialization::Serialize(sendBuf, - static_cast(MasterSecurityModuleCall::SMACK_UNINSTALL_RULES)); - Serialization::Serialize(sendBuf, appId); - Serialization::Serialize(sendBuf, pkgId); - Serialization::Serialize(sendBuf, pkgContents); - Serialization::Serialize(sendBuf, removePkg); + static_cast(MasterSecurityModuleCall::SMACK_UNINSTALL_RULES), + appId, pkgId, pkgContents, removePkg); + ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); if (ret == SECURITY_MANAGER_API_SUCCESS) Deserialization::Deserialize(retBuf, ret); @@ -122,12 +122,10 @@ int PolicyUpdate(const std::vector &policyEntries, uid_t uid, pid_ { int ret; MessageBuffer sendBuf, retBuf; + Serialization::Serialize(sendBuf, - static_cast(MasterSecurityModuleCall::POLICY_UPDATE)); - Serialization::Serialize(sendBuf, policyEntries); - Serialization::Serialize(sendBuf, uid); - Serialization::Serialize(sendBuf, pid); - Serialization::Serialize(sendBuf, smackLabel); + static_cast(MasterSecurityModuleCall::POLICY_UPDATE), + policyEntries, uid, pid, smackLabel); ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); if (ret == SECURITY_MANAGER_API_SUCCESS) @@ -141,13 +139,10 @@ int GetConfiguredPolicy(bool forAdmin, const policy_entry &filter, uid_t uid, pi { int ret; MessageBuffer sendBuf, retBuf; + Serialization::Serialize(sendBuf, - static_cast(MasterSecurityModuleCall::GET_CONFIGURED_POLICY)); - Serialization::Serialize(sendBuf, forAdmin); - Serialization::Serialize(sendBuf, filter); - Serialization::Serialize(sendBuf, uid); - Serialization::Serialize(sendBuf, pid); - Serialization::Serialize(sendBuf, smackLabel); + static_cast(MasterSecurityModuleCall::GET_CONFIGURED_POLICY), + forAdmin, filter, uid, pid, smackLabel); ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); if (ret == SECURITY_MANAGER_API_SUCCESS) { 
@@ -164,12 +159,10 @@ int GetPolicy(const policy_entry &filter, uid_t uid, pid_t pid, const std::strin { int ret; MessageBuffer sendBuf, retBuf; + Serialization::Serialize(sendBuf, - static_cast(MasterSecurityModuleCall::GET_POLICY)); - Serialization::Serialize(sendBuf, filter); - Serialization::Serialize(sendBuf, uid); - Serialization::Serialize(sendBuf, pid); - Serialization::Serialize(sendBuf, smackLabel); + static_cast(MasterSecurityModuleCall::GET_POLICY), + filter, uid, pid, smackLabel); ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); if (ret == SECURITY_MANAGER_API_SUCCESS) { @@ -185,8 +178,9 @@ int PolicyGetDesc(std::vector &descriptions) { int ret; MessageBuffer sendBuf, retBuf; + Serialization::Serialize(sendBuf, - static_cast(MasterSecurityModuleCall::POLICY_GET_DESC)); + static_cast(MasterSecurityModuleCall::POLICY_GET_DESC)); ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); if (ret == SECURITY_MANAGER_API_SUCCESS) { diff --git a/src/dpl/core/include/dpl/serialization.h b/src/dpl/core/include/dpl/serialization.h index bb6602c..4782e1c 100644 --- a/src/dpl/core/include/dpl/serialization.h +++ b/src/dpl/core/include/dpl/serialization.h @@ -211,6 +211,14 @@ struct Serialization { { Serialize(stream, *p); } + + // serialize 'em all + template + static void Serialize(IStream& stream, const T1& first, const T2& second, const Tail&... tail) + { + Serialize(stream, first); + Serialize(stream, second, tail...); + } }; // struct Serialization struct Deserialization { -- 2.7.4 From 1afdb1628d5f84a166aa23ff41d52fe246b9c23a Mon Sep 17 00:00:00 2001 
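Review bot: The comment `// serialize 'em all` on the new variadic `Serialize` overload in serialization.h does not state the contract its callers now depend on: the arguments are written to the stream strictly left to right, and the receiving side has to deserialize them in the same order. This patch folds many multi-line call sequences in client-security-manager.cpp and master-req.cpp into single calls, so the wire order is now visible only in the argument list. Suggested replacement: `// Serializes first, second, tail... in argument order; the reader must deserialize in the same order.` The enclosing `struct Serialization` starts outside the hunk.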
From: Rafal Krypa Date: Mon, 31 Aug 2015 10:50:03 +0200 Subject: [PATCH 11/16] Convert ServiceImpl namespace to a class This class will be used in future patches: - to hold ownership of Cynara and PrivilegeDb objects - to polymorph into basic, slave and off-line versions - to synchronize multiple concurrent clients (multi-threading is coming) Change-Id: I54f0ecda081db17350209c3e56debd91927e364e Signed-off-by: Rafal Krypa --- src/client/client-security-manager.cpp | 4 +- src/common/include/service_impl.h | 323 ++++++++++++++-------------- src/common/service_impl.cpp | 62 +++--- src/server/service/base-service.cpp | 24 +++ src/server/service/include/base-service.h | 15 ++ src/server/service/include/master-service.h | 2 + src/server/service/include/service.h | 2 + src/server/service/master-service.cpp | 11 +- src/server/service/service.cpp | 44 ++-- 9 files changed, 255 insertions(+), 232 deletions(-) diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp index a995aa0..3949867 100644 --- a/src/client/client-security-manager.cpp +++ b/src/client/client-security-manager.cpp @@ -171,7 +171,7 @@ int security_manager_app_install(const app_inst_req *p_req) int retval; ClientOffline offlineMode; if (offlineMode.isOffline()) { - retval = SecurityManager::ServiceImpl::appInstall(*p_req, geteuid(), false); + retval = SecurityManager::ServiceImpl().appInstall(*p_req, geteuid(), false); } else { MessageBuffer send, recv; @@ -575,7 +575,7 @@ int security_manager_user_add(const user_req *p_req) int retval; ClientOffline offlineMode; if (offlineMode.isOffline()) { - retval = SecurityManager::ServiceImpl::userAdd(p_req->uid, p_req->utype, geteuid(), + retval = SecurityManager::ServiceImpl().userAdd(p_req->uid, p_req->utype, geteuid(), false); } else { MessageBuffer send, recv; diff --git a/src/common/include/service_impl.h b/src/common/include/service_impl.h index 4444f52..0b6e3c6 100644 --- a/src/common/include/service_impl.h 
+++ b/src/common/include/service_impl.h 
@@ -32,166 +32,171 @@ #include "security-manager.h" namespace SecurityManager { -namespace ServiceImpl { -/** - * Retrieves ID (UID and PID) of peer connected to socket - * - * @param[in] Socket file descriptor - * @param[out] UID of connected peer. Function does not modify the variable if ID retrieval fails. - * @param[out] PID of connected peer. Function does not modify the variable if ID retrieval fails. - * - * @return True if peer ID was successfully retrieved, false otherwise. - */ -bool getPeerID(int sock, uid_t &uid, pid_t &pid); - -/** - * Process application installation request. - * - * @param[in] req installation request - * @param[in] uid id of the requesting user - * @param[in] isSlave Indicates if function should be called under slave mode - * - * @return API return code, as defined in protocols.h - */ -int appInstall(const app_inst_req &req, uid_t uid, bool isSlave); - -/** - * Process application uninstallation request. - * - * @param[in] req uninstallation request - * @param[in] uid id of the requesting user - * @param[in] isSlave Indicates if function should be called under slave mode - * - * @return API return code, as defined in protocols.h - */ -int appUninstall(const std::string &appId, uid_t uid, bool isSlave); - -/** - * Process package id query. - * Retrieves the package id associated with given application id. - * - * @param[in] appId application identifier - * @param[out] pkgId returned package identifier - * - * @return API return code, as defined in protocols.h - */ -int getPkgId(const std::string &appId, std::string &pkgId); - -/** - * Process query for supplementary groups allowed for the application. - * For given appId and uid, calculate allowed privileges that give - * direct access to file system resources. For each permission Cynara will be - * queried. - * Returns set of group ids that are permitted. 
- * - * @param[in] appId application identifier - * @param[in] uid id of the requesting user - * @param[in] pid id of the requesting process (to construct Cynara session id) - * @param[in] isSlave Indicates if function should be called under slave mode - * @param[out] gids returned set of allowed group ids - * - * @return API return code, as defined in protocols.h - */ -int getAppGroups(const std::string &appId, uid_t uid, pid_t pid, bool isSlave, - std::unordered_set &gids); - -/** - * Process user adding request. - * - * @param[in] uidAdded uid of newly created user - * @param[in] userType type of newly created user - * @param[in] uid uid of requesting user - * @param[in] isSlave Indicates if function should be called under slave mode - * - * @return API return code, as defined in protocols.h - */ -int userAdd(uid_t uidAdded, int userType, uid_t uid, bool isSlave); - -/** - * Process user deletion request. - * - * @param[in] uidDeleted uid of removed user - * @param[in] uid uid of requesting user - * @param[in] isSlave Indicates if function should be called under slave mode - * - * @return API return code, as defined in protocols.h - */ -int userDelete(uid_t uidDeleted, uid_t uid, bool isSlave); - -/** - * Update policy in Cynara - proper privilege: http://tizen.org/privilege/systemsettings.admin - * is needed for this to succeed - * - * @param[in] policyEntries vector of policy chunks with instructions - * @param[in] uid identifier of requesting user - * @param[in] pid PID of requesting process - * @param[in] smackLabel smack label of requesting app - * - * @return API return code, as defined in protocols.h - */ - -int policyUpdate(const std::vector &policyEntries, uid_t uid, pid_t pid, const std::string &smackLabel); -/** - * Fetch all configured privileges from user configurable bucket. - * Depending on forAdmin value: personal user policies or admin enforced - * policies are returned. 
- * - * @param[in] forAdmin determines if user is asking as ADMIN or not - * @param[in] filter filter for limiting the query - * @param[in] uid identifier of queried user - * @param[in] pid PID of requesting process - * @param[out] policyEntries vector of policy entries with result - * - * @return API return code, as defined in protocols.h - */ -int getConfiguredPolicy(bool forAdmin, const policy_entry &filter, uid_t uid, pid_t pid, const std::string &smackLabel, std::vector &policyEntries); - -/** - * Fetch all privileges for all apps installed for specific user. - * - * @param[in] forAdmin determines if user is asking as ADMIN or not - * @param[in] filter filter for limiting the query - * @param[in] uid identifier of queried user - * @param[in] pid PID of requesting process - * @param[out] policyEntries vector of policy entries with result - * - * @return API return code, as defined in protocols.h - */ -int getPolicy(const policy_entry &filter, uid_t uid, pid_t pid, const std::string &smackLabel, std::vector &policyEntries); - -/** - * Process getting policy descriptions list. - * - * @param[in] descriptions empty vector for descriptions strings - * - * @return API return code, as defined in protocols.h - */ -int policyGetDesc(std::vector &descriptions); - -/** - * Process getting privileges mappings from one version to another. - * - * @param[in] version_from version to be mapped from - * @param[in] version_to version to be mapped to - * @param[in] privileges vector of privileges to be mapped - * @param[out] mappings mappings of given privileges - */ -int getPrivilegesMappings(const std::string &version_from, - const std::string &version_to, - const std::vector &privileges, - std::vector &mappings); - -/** - * Process getting resources group list. 
- * - * @param[out] groups empty vector for group strings - * - * @return API return code, as defined in protocols.h - */ -int policyGetGroups(std::vector &groups); - -} /* namespace ServiceImpl */ +class ServiceImpl { +private: + static uid_t getGlobalUserId(void); + + static void checkGlobalUser(uid_t &uid, std::string &cynaraUserStr); + + static bool isSubDir(const char *parent, const char *subdir); + + static bool getUserAppDir(const uid_t &uid, std::string &userAppDir); + + static bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath); + + static bool getZoneId(std::string &zoneId); + +public: + ServiceImpl(); + virtual ~ServiceImpl(); + + /** + * Process application installation request. + * + * @param[in] req installation request + * @param[in] uid id of the requesting user + * @param[in] isSlave Indicates if function should be called under slave mode + * + * @return API return code, as defined in protocols.h + */ + int appInstall(const app_inst_req &req, uid_t uid, bool isSlave); + + /** + * Process application uninstallation request. + * + * @param[in] req uninstallation request + * @param[in] uid id of the requesting user + * @param[in] isSlave Indicates if function should be called under slave mode + * + * @return API return code, as defined in protocols.h + */ + int appUninstall(const std::string &appId, uid_t uid, bool isSlave); + + /** + * Process package id query. + * Retrieves the package id associated with given application id. + * + * @param[in] appId application identifier + * @param[out] pkgId returned package identifier + * + * @return API return code, as defined in protocols.h + */ + int getPkgId(const std::string &appId, std::string &pkgId); + + /** + * Process query for supplementary groups allowed for the application. + * For given appId and uid, calculate allowed privileges that give + * direct access to file system resources. For each permission Cynara will be + * queried. 
+ * Returns set of group ids that are permitted. + * + * @param[in] appId application identifier + * @param[in] uid id of the requesting user + * @param[in] pid id of the requesting process (to construct Cynara session id) + * @param[in] isSlave Indicates if function should be called under slave mode + * @param[out] gids returned set of allowed group ids + * + * @return API return code, as defined in protocols.h + */ + int getAppGroups(const std::string &appId, uid_t uid, pid_t pid, bool isSlave, + std::unordered_set &gids); + + /** + * Process user adding request. + * + * @param[in] uidAdded uid of newly created user + * @param[in] userType type of newly created user + * @param[in] uid uid of requesting user + * @param[in] isSlave Indicates if function should be called under slave mode + * + * @return API return code, as defined in protocols.h + */ + int userAdd(uid_t uidAdded, int userType, uid_t uid, bool isSlave); + + /** + * Process user deletion request. + * + * @param[in] uidDeleted uid of removed user + * @param[in] uid uid of requesting user + * @param[in] isSlave Indicates if function should be called under slave mode + * + * @return API return code, as defined in protocols.h + */ + int userDelete(uid_t uidDeleted, uid_t uid, bool isSlave); + + /** + * Update policy in Cynara - proper privilege: http://tizen.org/privilege/systemsettings.admin + * is needed for this to succeed + * + * @param[in] policyEntries vector of policy chunks with instructions + * @param[in] uid identifier of requesting user + * @param[in] pid PID of requesting process + * @param[in] smackLabel smack label of requesting app + * + * @return API return code, as defined in protocols.h + */ + + int policyUpdate(const std::vector &policyEntries, uid_t uid, pid_t pid, const std::string &smackLabel); + /** + * Fetch all configured privileges from user configurable bucket. + * Depending on forAdmin value: personal user policies or admin enforced + * policies are returned. 
+ * + * @param[in] forAdmin determines if user is asking as ADMIN or not + * @param[in] filter filter for limiting the query + * @param[in] uid identifier of queried user + * @param[in] pid PID of requesting process + * @param[out] policyEntries vector of policy entries with result + * + * @return API return code, as defined in protocols.h + */ + int getConfiguredPolicy(bool forAdmin, const policy_entry &filter, uid_t uid, pid_t pid, const std::string &smackLabel, std::vector &policyEntries); + + /** + * Fetch all privileges for all apps installed for specific user. + * + * @param[in] forAdmin determines if user is asking as ADMIN or not + * @param[in] filter filter for limiting the query + * @param[in] uid identifier of queried user + * @param[in] pid PID of requesting process + * @param[out] policyEntries vector of policy entries with result + * + * @return API return code, as defined in protocols.h + */ + int getPolicy(const policy_entry &filter, uid_t uid, pid_t pid, const std::string &smackLabel, std::vector &policyEntries); + + /** + * Process getting policy descriptions list. + * + * @param[in] descriptions empty vector for descriptions strings + * + * @return API return code, as defined in protocols.h + */ + int policyGetDesc(std::vector &descriptions); + + /** + * Process getting privileges mappings from one version to another. + * + * @param[in] version_from version to be mapped from + * @param[in] version_to version to be mapped to + * @param[in] privileges vector of privileges to be mapped + * @param[out] mappings mappings of given privileges + */ + int getPrivilegesMappings(const std::string &version_from, + const std::string &version_to, + const std::vector &privileges, + std::vector &mappings); + + /** + * Process getting resources group list. 
+ * + * @param[out] groups empty vector for group strings + * + * @return API return code, as defined in protocols.h + */ + int policyGetGroups(std::vector &groups); +}; } /* namespace SecurityManager */ #endif /* _SECURITY_MANAGER_SERVICE_IMPL_ */ diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp index 95f09c0..3f959a9 100644 --- a/src/common/service_impl.cpp +++ b/src/common/service_impl.cpp @@ -48,7 +48,6 @@ #include "master-req.h" namespace SecurityManager { -namespace ServiceImpl { static const std::string ADMIN_PRIVILEGE = "http://tizen.org/privilege/systemsettings.admin"; static const std::string SELF_PRIVILEGE = "http://tizen.org/privilege/systemsettings"; @@ -133,7 +132,15 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, } } // end of anonymous namespace -static uid_t getGlobalUserId(void) +ServiceImpl::ServiceImpl() +{ +} + +ServiceImpl::~ServiceImpl() +{ +} + +uid_t ServiceImpl::getGlobalUserId(void) { static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER); return globaluid; @@ -144,7 +151,7 @@ static uid_t getGlobalUserId(void) * @param uid peer's uid - may be changed during process * @param cynaraUserStr string to which cynara user parameter will be put */ -static void checkGlobalUser(uid_t &uid, std::string &cynaraUserStr) +void ServiceImpl::checkGlobalUser(uid_t &uid, std::string &cynaraUserStr) { static uid_t globaluid = getGlobalUserId(); if (uid == 0 || uid == globaluid) { @@ -154,7 +161,8 @@ static void checkGlobalUser(uid_t &uid, std::string &cynaraUserStr) cynaraUserStr = std::to_string(static_cast(uid)); } } -static inline bool isSubDir(const char *parent, const char *subdir) + +bool ServiceImpl::isSubDir(const char *parent, const char *subdir) { while (*parent && *subdir) if (*parent++ != *subdir++) 
@@ -163,21 +171,7 @@ static inline bool isSubDir(const char *parent, const char *subdir) return (*subdir == '/'); } -bool getPeerID(int sock, uid_t &uid, pid_t &pid) -{ - struct ucred cr; - socklen_t len = sizeof(cr); - - if (!getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cr, &len)) { - uid = cr.uid; - pid = cr.pid; - return true; - } - - return false; -} - -static bool getUserAppDir(const uid_t &uid, std::string &userAppDir) +bool ServiceImpl::getUserAppDir(const uid_t &uid, std::string &userAppDir) { struct tzplatform_context *tz_ctx = nullptr; @@ -207,7 +201,7 @@ static bool getUserAppDir(const uid_t &uid, std::string &userAppDir) return true; } -static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath) +bool ServiceImpl::installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath) { std::string userHome; std::string userAppDir; @@ -258,7 +252,7 @@ static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, b return true; } -static inline bool getZoneId(std::string &zoneId) +bool ServiceImpl::getZoneId(std::string &zoneId) { if (!getZoneIdFromPid(getpid(), zoneId)) { LogError("Failed to get zone ID from current PID"); @@ -274,7 +268,7 @@ static inline bool getZoneId(std::string &zoneId) return true; } -int appInstall(const app_inst_req &req, uid_t uid, bool isSlave) +int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave) { std::vector addedPermissions; std::vector removedPermissions; @@ -408,7 +402,7 @@ int appInstall(const app_inst_req &req, uid_t uid, bool isSlave) return SECURITY_MANAGER_API_SUCCESS; } -int appUninstall(const std::string &appId, uid_t uid, bool isSlave) +int ServiceImpl::appUninstall(const std::string &appId, uid_t uid, bool isSlave) { std::string pkgId; std::string smackLabel; 
@@ -519,7 +513,7 @@ int appUninstall(const std::string &appId, uid_t uid, bool isSlave) return SECURITY_MANAGER_API_SUCCESS; } -int getPkgId(const std::string &appId, std::string &pkgId) +int ServiceImpl::getPkgId(const std::string &appId, std::string &pkgId) { LogDebug("appId: " << appId); @@ -538,7 +532,7 @@ int getPkgId(const std::string &appId, std::string &pkgId) return SECURITY_MANAGER_API_SUCCESS; } -int getAppGroups(const std::string &appId, uid_t uid, pid_t pid, bool isSlave, +int ServiceImpl::getAppGroups(const std::string &appId, uid_t uid, pid_t pid, bool isSlave, std::unordered_set &gids) { // FIXME Temporary solution, see below @@ -616,7 +610,7 @@ int getAppGroups(const std::string &appId, uid_t uid, pid_t pid, bool isSlave, return SECURITY_MANAGER_API_SUCCESS; } -int userAdd(uid_t uidAdded, int userType, uid_t uid, bool isSlave) +int ServiceImpl::userAdd(uid_t uidAdded, int userType, uid_t uid, bool isSlave) { if (uid != 0) return SECURITY_MANAGER_API_ERROR_AUTHENTICATION_FAILED; @@ -639,7 +633,7 @@ int userAdd(uid_t uidAdded, int userType, uid_t uid, bool isSlave) return SECURITY_MANAGER_API_SUCCESS; } -int userDelete(uid_t uidDeleted, uid_t uid, bool isSlave) +int ServiceImpl::userDelete(uid_t uidDeleted, uid_t uid, bool isSlave) { int ret = SECURITY_MANAGER_API_SUCCESS; if (uid != 0) @@ -675,7 +669,7 @@ int userDelete(uid_t uidDeleted, uid_t uid, bool isSlave) return ret; } -int policyUpdate(const std::vector &policyEntries, uid_t uid, pid_t pid, const std::string &smackLabel) +int ServiceImpl::policyUpdate(const std::vector &policyEntries, uid_t uid, pid_t pid, const std::string &smackLabel) { enum { NOT_CHECKED, 
@@ -735,7 +729,7 @@ int policyUpdate(const std::vector &policyEntries, uid_t uid, pid_ return SECURITY_MANAGER_API_SUCCESS; } -int getConfiguredPolicy(bool forAdmin, const policy_entry &filter, uid_t uid, pid_t pid, +int ServiceImpl::getConfiguredPolicy(bool forAdmin, const policy_entry &filter, uid_t uid, pid_t pid, const std::string &smackLabel, std::vector &policyEntries) { try { @@ -845,7 +839,7 @@ int getConfiguredPolicy(bool forAdmin, const policy_entry &filter, uid_t uid, pi return SECURITY_MANAGER_API_SUCCESS; } -int getPolicy(const policy_entry &filter, uid_t uid, pid_t pid, const std::string &smackLabel, std::vector &policyEntries) +int ServiceImpl::getPolicy(const policy_entry &filter, uid_t uid, pid_t pid, const std::string &smackLabel, std::vector &policyEntries) { try { std::string uidStr = std::to_string(uid); @@ -962,7 +956,7 @@ int getPolicy(const policy_entry &filter, uid_t uid, pid_t pid, const std::strin return SECURITY_MANAGER_API_SUCCESS; } -int policyGetDesc(std::vector &levels) +int ServiceImpl::policyGetDesc(std::vector &levels) { int ret = SECURITY_MANAGER_API_SUCCESS; @@ -985,7 +979,7 @@ int policyGetDesc(std::vector &levels) return ret; } -int getPrivilegesMappings(const std::string &version_from, +int ServiceImpl::getPrivilegesMappings(const std::string &version_from, const std::string &version_to, const std::vector &privileges, std::vector &mappings) @@ -1031,7 +1025,8 @@ int getPrivilegesMappings(const std::string &version_from, return errorRet; } -int policyGetGroups(std::vector &groups) { +int ServiceImpl::policyGetGroups(std::vector &groups) +{ int ret = SECURITY_MANAGER_API_SUCCESS; try { @@ -1044,5 +1039,4 @@ int policyGetGroups(std::vector &groups) { return ret; } -} /* namespace ServiceImpl */ } /* namespace SecurityManager */ diff --git a/src/server/service/base-service.cpp b/src/server/service/base-service.cpp index 519c46a..32360cb 100644 --- a/src/server/service/base-service.cpp +++ b/src/server/service/base-service.cpp 
@@ -22,6 +22,10 @@ * @brief Implementation of security-manager base service. */ +#include +#include +#include + #include #include @@ -35,6 +39,26 @@ BaseService::BaseService() { } +bool BaseService::getPeerID(int sock, uid_t &uid, pid_t &pid, std::string &smackLabel) +{ + struct ucred cr; + socklen_t len = sizeof(cr); + + if (!getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cr, &len)) { + char *smk; + ssize_t ret = smack_new_label_from_socket(sock, &smk); + if (ret < 0) + return false; + smackLabel = smk; + uid = cr.uid; + pid = cr.pid; + free(smk); + return true; + } + + return false; +} + void BaseService::accept(const AcceptEvent &event) { LogDebug("Accept event. ConnectionID.sock: " << event.connectionID.sock << diff --git a/src/server/service/include/base-service.h b/src/server/service/include/base-service.h index b2d06f3..5acb212 100644 --- a/src/server/service/include/base-service.h +++ b/src/server/service/include/base-service.h @@ -29,6 +29,7 @@ #include #include #include +#include namespace SecurityManager { @@ -58,9 +59,23 @@ public: void close(const CloseEvent &event); protected: + ServiceImpl serviceImpl; + ConnectionInfoMap m_connectionInfoMap; /** + * Retrieves ID (UID and PID) of peer connected to socket + * + * @param[in] sock Socket file descriptor + * @param[out] uid PID of connected peer. + * @param[out] pid PID of connected peer. + * @param[out] smackLabel Smack label of connected peer. + * + * @return True if peer ID was successfully retrieved, false otherwise. + */ + bool getPeerID(int sock, uid_t &uid, pid_t &pid, std::string &smackLabel); + + /** * Handle request from a client * * @param conn Socket connection information diff --git a/src/server/service/include/master-service.h b/src/server/service/include/master-service.h index 627cce9..177b5a9 100644 --- a/src/server/service/include/master-service.h +++ b/src/server/service/include/master-service.h 
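Review bot: BaseService::getPeerID accepts whatever getsockopt() wrote into `cr` without checking that the returned `len` equals `sizeof(cr)`, and nothing tells callers that the values are a snapshot. The guard could read `if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cr, &len) != 0 || len != sizeof(cr)) return false;`. A comment such as `// SO_PEERCRED reports the peer's credentials as of connect(); the pid may be stale by the time it is used` would record what the uid/pid based checks in the service rest on.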
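Review bot: The protected `ServiceImpl serviceImpl;` member added to BaseService in base-service.h is declared again as a private member in MasterService (master-service.h) and Service (service.h) later in this patch, so each derived object holds two instances and the derived member hides the base one. Keeping a single declaration, either in the base class or in the two derived classes, removes the shadowing. In the same hunk the getPeerID comment describes `uid` as "PID of connected peer"; it should read `@param[out] uid UID of connected peer.`.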
@@ -26,6 +26,7 @@ #define _SECURITY_MANAGER_MASTER_SERVICE_ #include "base-service.h" +#include "service_impl.h" namespace SecurityManager { @@ -44,6 +45,7 @@ public: ServiceDescriptionVector GetServiceDescription(); private: + ServiceImpl serviceImpl; /** * Handle request from a client diff --git a/src/server/service/include/service.h b/src/server/service/include/service.h index 8087899..30d6b0f 100644 --- a/src/server/service/include/service.h +++ b/src/server/service/include/service.h @@ -26,6 +26,7 @@ #define _SECURITY_MANAGER_SERVICE_ #include "base-service.h" +#include "service_impl.h" namespace SecurityManager { @@ -45,6 +46,7 @@ public: private: const bool m_isSlave; + ServiceImpl serviceImpl; /** * Handle request from a client diff --git a/src/server/service/master-service.cpp b/src/server/service/master-service.cpp index f018abb..2440419 100644 --- a/src/server/service/master-service.cpp +++ b/src/server/service/master-service.cpp @@ -65,8 +65,9 @@ bool MasterService::processOne(const ConnectionID &conn, MessageBuffer &buffer, uid_t uid; pid_t pid; + std::string smackLabel; - if (!ServiceImpl::getPeerID(conn.sock, uid, pid)) { + if (!getPeerID(conn.sock, uid, pid, smackLabel)) { LogError("Closing socket because of error: unable to get peer's uid and pid"); m_serviceManager->Close(conn); return false; @@ -249,7 +250,7 @@ void MasterService::processPolicyUpdate(MessageBuffer &buffer, MessageBuffer &se Deserialization::Deserialize(buffer, pid); Deserialization::Deserialize(buffer, smackLabel); - ret = ServiceImpl::policyUpdate(policyEntries, uid, pid, smackLabel); + ret = serviceImpl.policyUpdate(policyEntries, uid, pid, smackLabel); Serialization::Serialize(send, ret); } 
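Review bot: In master-service.cpp, processOne now receives the peer's `smackLabel` from getPeerID, but the processPolicyUpdate hunk that follows still reads `pid` and `smackLabel` from the message buffer, so nothing visible uses the peer's own credentials to decide whether this connection may speak for another identity. If the master socket is meant to be used only by slave services, an explicit check of the peer uid or label in processOne before dispatching would enforce that rather than leave it to socket permissions. The rest of processOne is outside the hunk, so such a check may already exist there.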
@@ -269,7 +270,7 @@ void MasterService::processGetConfiguredPolicy(MessageBuffer &buffer, MessageBuf Deserialization::Deserialize(buffer, pid); Deserialization::Deserialize(buffer, smackLabel); - ret = ServiceImpl::getConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel, policyEntries); + ret = serviceImpl.getConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel, policyEntries); Serialization::Serialize(send, ret); if (ret == SECURITY_MANAGER_API_SUCCESS) Serialization::Serialize(send, policyEntries); @@ -294,7 +295,7 @@ void MasterService::processGetPolicy(MessageBuffer &buffer, MessageBuffer &send) Deserialization::Deserialize(buffer, pid); Deserialization::Deserialize(buffer, smackLabel); - ret = ServiceImpl::getPolicy(filter, uid, pid, smackLabel, policyEntries);*/ + ret = serviceImpl.getPolicy(filter, uid, pid, smackLabel, policyEntries);*/ Serialization::Serialize(send, ret); /*if (ret == SECURITY_MANAGER_API_SUCCESS) Serialization::Serialize(send, policyEntries);*/ @@ -305,7 +306,7 @@ void MasterService::processPolicyGetDesc(MessageBuffer &send) int ret = SECURITY_MANAGER_API_ERROR_SERVER_ERROR; std::vector descriptions; - ret = ServiceImpl::policyGetDesc(descriptions); + ret = serviceImpl.policyGetDesc(descriptions); Serialization::Serialize(send, ret); if (ret == SECURITY_MANAGER_API_SUCCESS) Serialization::Serialize(send, descriptions); diff --git a/src/server/service/service.cpp b/src/server/service/service.cpp index 9409ec8..994acd1 100644 --- a/src/server/service/service.cpp +++ b/src/server/service/service.cpp 
@@ -64,26 +64,6 @@ GenericSocketService::ServiceDescriptionVector Service::GetServiceDescription() }; } -static bool getPeerID(int sock, uid_t &uid, pid_t &pid, std::string &smackLabel) -{ - struct ucred cr; - socklen_t len = sizeof(cr); - - if (!getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cr, &len)) { - char *smk; - ssize_t ret = smack_new_label_from_socket(sock, &smk); - if (ret < 0) - return false; - smackLabel = smk; - uid = cr.uid; - pid = cr.pid; - free(smk); - return true; - } - - return false; -} - bool Service::processOne(const ConnectionID &conn, MessageBuffer &buffer, InterfaceID interfaceID) { @@ -200,7 +180,7 @@ void Service::processAppInstall(MessageBuffer &buffer, MessageBuffer &send, uid_ Deserialization::Deserialize(buffer, req.privileges); Deserialization::Deserialize(buffer, req.appPaths); Deserialization::Deserialize(buffer, req.uid); - Serialization::Serialize(send, ServiceImpl::appInstall(req, uid, m_isSlave)); + Serialization::Serialize(send, serviceImpl.appInstall(req, uid, m_isSlave)); } void Service::processAppUninstall(MessageBuffer &buffer, MessageBuffer &send, uid_t uid) @@ -208,7 +188,7 @@ void Service::processAppUninstall(MessageBuffer &buffer, MessageBuffer &send, ui std::string appId; Deserialization::Deserialize(buffer, appId); - Serialization::Serialize(send, ServiceImpl::appUninstall(appId, uid, m_isSlave)); + Serialization::Serialize(send, serviceImpl.appUninstall(appId, uid, m_isSlave)); } void Service::processGetPkgId(MessageBuffer &buffer, MessageBuffer &send) @@ -218,7 +198,7 @@ void Service::processGetPkgId(MessageBuffer &buffer, MessageBuffer &send) int ret; Deserialization::Deserialize(buffer, appId); - ret = ServiceImpl::getPkgId(appId, pkgId); + ret = serviceImpl.getPkgId(appId, pkgId); Serialization::Serialize(send, ret); if (ret == SECURITY_MANAGER_API_SUCCESS) Serialization::Serialize(send, pkgId); 
@@ -231,7 +211,7 @@ void Service::processGetAppGroups(MessageBuffer &buffer, MessageBuffer &send, ui int ret; Deserialization::Deserialize(buffer, appId); - ret = ServiceImpl::getAppGroups(appId, uid, pid, m_isSlave, gids); + ret = serviceImpl.getAppGroups(appId, uid, pid, m_isSlave, gids); Serialization::Serialize(send, ret); if (ret == SECURITY_MANAGER_API_SUCCESS) { Serialization::Serialize(send, static_cast(gids.size())); @@ -250,7 +230,7 @@ void Service::processUserAdd(MessageBuffer &buffer, MessageBuffer &send, uid_t u Deserialization::Deserialize(buffer, uidAdded); Deserialization::Deserialize(buffer, userType); - ret = ServiceImpl::userAdd(uidAdded, userType, uid, m_isSlave); + ret = serviceImpl.userAdd(uidAdded, userType, uid, m_isSlave); Serialization::Serialize(send, ret); } @@ -261,7 +241,7 @@ void Service::processUserDelete(MessageBuffer &buffer, MessageBuffer &send, uid_ Deserialization::Deserialize(buffer, uidRemoved); - ret = ServiceImpl::userDelete(uidRemoved, uid, m_isSlave); + ret = serviceImpl.userDelete(uidRemoved, uid, m_isSlave); Serialization::Serialize(send, ret); } @@ -275,7 +255,7 @@ void Service::processPolicyUpdate(MessageBuffer &buffer, MessageBuffer &send, ui if (m_isSlave) { ret = MasterReq::PolicyUpdate(policyEntries, uid, pid, smackLabel); } else { - ret = ServiceImpl::policyUpdate(policyEntries, uid, pid, smackLabel); + ret = serviceImpl.policyUpdate(policyEntries, uid, pid, smackLabel); } Serialization::Serialize(send, ret); } @@ -290,7 +270,7 @@ void Service::processGetConfiguredPolicy(MessageBuffer &buffer, MessageBuffer &s if (m_isSlave) { ret = MasterReq::GetConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel, policyEntries); } else { - ret = ServiceImpl::getConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel, + ret = serviceImpl.getConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel, policyEntries); } 
@@ -311,7 +291,7 @@ void Service::processGetPolicy(MessageBuffer &buffer, MessageBuffer &send, uid_t if (m_isSlave) { ret = MasterReq::GetPolicy(filter, uid, pid, smackLabel, policyEntries); } else { - ret = ServiceImpl::getPolicy(filter, uid, pid, smackLabel, policyEntries); + ret = serviceImpl.getPolicy(filter, uid, pid, smackLabel, policyEntries); } Serialization::Serialize(send, ret); @@ -329,7 +309,7 @@ void Service::processPolicyGetDesc(MessageBuffer &send) if (m_isSlave) { ret = MasterReq::PolicyGetDesc(descriptions); } else { - ret = ServiceImpl::policyGetDesc(descriptions); + ret = serviceImpl.policyGetDesc(descriptions); } Serialization::Serialize(send, ret); if (ret == SECURITY_MANAGER_API_SUCCESS) { @@ -350,7 +330,7 @@ void Service::processPrivilegesMappings(MessageBuffer &recv, MessageBuffer &send Deserialization::Deserialize(recv, privileges); std::vector mappings; - int ret = ServiceImpl::getPrivilegesMappings(version_from, version_to, privileges, mappings); + int ret = serviceImpl.getPrivilegesMappings(version_from, version_to, privileges, mappings); Serialization::Serialize(send, ret); Serialization::Serialize(send, mappings); @@ -359,7 +339,7 @@ void Service::processPrivilegesMappings(MessageBuffer &recv, MessageBuffer &send void Service::processGroupsGet(MessageBuffer &send) { std::vector groups; - int ret = ServiceImpl::policyGetGroups(groups); + int ret = serviceImpl.policyGetGroups(groups); Serialization::Serialize(send, ret); if (ret == SECURITY_MANAGER_API_SUCCESS) { -- 2.7.4 From db5ca0b66e160adb63e587936f05a40cc797b92d Mon Sep 17 00:00:00 2001 
From: Rafal Krypa Date: Mon, 31 Aug 2015 20:07:21 +0200 Subject: [PATCH 12/16] Adapt application file labeling to new requirements The following changes has been made: - application base path must now be APPS_ROOT/$pkgID, not APPS_ROOT/$pkgID/$appID - application base path is now enforced, no files outside base path allowed - application base path will be labeled with User::Pkg::$pkgID, no transmute - SECURITY_MANAGER_PATH_TYPE_RO will be labeled with User::Pkg::$pkgID::RO - applications get a Smack rule for RO access to User::Pkg::$pkgID::RO - SECURITY_MANAGER_PATH_PUBLIC_RO will be labeled with User::Home - SECURITY_MANAGER_PATH_PRIVATE and SECURITY_MANAGER_PATH_PUBLIC path types Change-Id: I2d0260effcbe8da0c0e9130b89b4b34e7e104d29 Signed-off-by: Rafal Krypa --- policy/app-rules-template.smack | 4 +++- src/common/include/service_impl.h | 2 +- src/common/include/smack-labels.h | 44 +++++++++++------------------------ src/common/include/smack-rules.h | 11 +++++++++ src/common/service_impl.cpp | 29 +++++++---------------- src/common/smack-labels.cpp | 48 +++++++++++++++++---------------------- src/common/smack-rules.cpp | 23 ++++++++++--------- src/include/security-manager.h | 12 ++++------ 8 files changed, 73 insertions(+), 100 deletions(-) diff --git a/policy/app-rules-template.smack b/policy/app-rules-template.smack index d0b6fb2..5bb1639 100644 --- a/policy/app-rules-template.smack +++ b/policy/app-rules-template.smack @@ -4,9 +4,11 @@ System ~APP~ rwx ~APP~ System::Run rwxat ~APP~ System::Log rwxa ~APP~ _ l -User ~APP~ rwxa +User ~APP~ rwx User ~PKG~ rwxat +User ~PKG~::RO rwxat ~APP~ User wx ~APP~ User::Home rxl ~APP~ User::App::Shared rwxat ~APP~ ~PKG~ rwxat +~APP~ ~PKG~::RO rxl diff --git a/src/common/include/service_impl.h b/src/common/include/service_impl.h index 0b6e3c6..ccf5e78 100644 --- a/src/common/include/service_impl.h +++ b/src/common/include/service_impl.h 
@@ -43,7 +43,7 @@ private: static bool getUserAppDir(const uid_t &uid, std::string &userAppDir); - static bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath); + static bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, std::string &appPath); static bool getZoneId(std::string &zoneId); diff --git a/src/common/include/smack-labels.h b/src/common/include/smack-labels.h index b454eff..1a68f1e 100644 --- a/src/common/include/smack-labels.h +++ b/src/common/include/smack-labels.h 
@@ -37,49 +37,22 @@ namespace SmackLabels { /** * Sets Smack labels on a directory and its contents, recursively. * - * @param appId[in] application's identifier - * @param path[in] path to a file or directory to setup - * @param pathType[in] type of path to setup. See description of - * app_install_path_type in security-manager.h for details - * - */ -void setupPath(const std::string &appId, const std::string &path, - app_install_path_type pathType); - -/** - * Sets Smack labels on a directory and its contents, recursively. - * - * @param appId[in] application's identifier + * @param pkgId[in] application's package identifier * @param path[in] path to a file or directory to setup * @param pathType[in] type of path to setup. See description of * app_install_path_type in security-manager.h for details * @param zoneId[in] ID of zone for which label should be set */ -void setupPath(const std::string &appId, const std::string &path, +void setupPath(const std::string &pkgId, const std::string &path, app_install_path_type pathType, const std::string &zoneId); /** - * Sets Smack labels on a / and // - * non-recursively + * Sets Smack labels on a / non-recursively * * @param pkgId[in] package identifier - * @param appId[in] application's identifier * @param basePath[in] path */ -void setupCorrectPath(const std::string &pkgId, const std::string &appId, - const std::string &basePath); - -/** - * Sets Smack labels on a / and // - * non-recursively - * - * @param pkgId[in] package identifier - * @param appId[in] application's identifier - * @param basePath[in] path - * @param zoneId[in] ID of zone for which label should be set - */ -void setupCorrectPath(const std::string &pkgId, const std::string &appId, - const std::string &basePath, const std::string &zoneId); +void setupAppBasePath(const std::string &pkgId, const std::string &basePath); /** * Generates application name for a label fetched from Cynara 
@@ -105,6 +78,15 @@ std::string generateAppLabel(const std::string &appId); */ std::string generatePkgLabel(const std::string &pkgId); +/** + * Generates label for private application RO files with package ID @ref pkgId + * + * @param[in] pkgId + * @return resulting Smack label + */ +std::string generatePkgROLabel(const std::string &pkgId); + + } // namespace SmackLabels } // namespace SecurityManager diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h index 5aadc12..c67c370 100644 --- a/src/common/include/smack-rules.h +++ b/src/common/include/smack-rules.h @@ -155,6 +155,17 @@ private: */ static void uninstallRules (const std::string &path); + /** + * Helper method: replace all occurrences of \ref needle in \ref haystack + * with \ref replace. + * + * @param[in,out] haystack string to modify + * @param needle string to find in \ref haystack + * @param replace string to replace \ref needle with + */ + static void strReplace(std::string &haystack, const std::string &needle, + const std::string &replace); + smack_accesses *m_handle; }; diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp index 3f959a9..469f6a4 100644 --- a/src/common/service_impl.cpp +++ b/src/common/service_impl.cpp @@ -168,7 +168,7 @@ bool ServiceImpl::isSubDir(const char *parent, const char *subdir) if (*parent++ != *subdir++) return false; - return (*subdir == '/'); + return (*subdir == '/' || *parent == *subdir); } bool ServiceImpl::getUserAppDir(const uid_t &uid, std::string &userAppDir) @@ -201,7 +201,7 @@ bool ServiceImpl::getUserAppDir(const uid_t &uid, std::string &userAppDir) return true; } -bool ServiceImpl::installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath) +bool ServiceImpl::installRequestAuthCheck(const app_inst_req &req, uid_t uid, std::string &appPath) { std::string userHome; std::string userAppDir; 
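Review bot: With the added `*parent == *subdir` term in service_impl.cpp, isSubDir also returns true when `subdir` is equal to `parent`, which the name does not suggest and no comment states. A comment such as `// true when subdir equals parent or lies below it; both paths must be canonical, parent without a trailing '/'` would record the contract the installation path check depends on. A `parent` ending in '/' makes every real sub-path fail, because the loop consumes the separator before the final test. The function's opening lines are outside the hunk.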
@@ -219,7 +219,7 @@ bool ServiceImpl::installRequestAuthCheck(const app_inst_req &req, uid_t uid, bo appPath = userAppDir; correctPath.clear(); - correctPath << userAppDir << "/" << req.pkgId << "/" << req.appId; + correctPath << userAppDir << "/" << req.pkgId; LogDebug("correctPath: " << correctPath.str()); for (const auto &appPath : req.appPaths) { @@ -232,20 +232,8 @@ bool ServiceImpl::installRequestAuthCheck(const app_inst_req &req, uid_t uid, bo } LogDebug("Requested path is '" << appPath.first.c_str() << "'. User's APPS_DIR is '" << userAppDir << "'"); - if (!isSubDir(userAppDir.c_str(), real_path.get())) { - LogWarning("User's apps may have registered folders only in user's APPS_DIR"); - return false; - } - if (!isSubDir(correctPath.str().c_str(), real_path.get())) { - LogWarning("Installation is outside correct path: " << correctPath.str()); - //return false; - } else - isCorrectPath = true; - - app_install_path_type pathType = static_cast(appPath.second); - if (pathType == SECURITY_MANAGER_PATH_PUBLIC) { - LogWarning("Only root can register SECURITY_MANAGER_PATH_PUBLIC path"); + LogWarning("Installation is outside correct path: " << correctPath.str() << "," << real_path.get()); return false; } } @@ -274,7 +262,6 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave) std::vector removedPermissions; std::vector pkgContents; std::string uidstr; - bool isCorrectPath = false; std::string appPath; std::string appLabel; std::string pkgLabel; @@ -299,7 +286,7 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave) } checkGlobalUser(uid, uidstr); - if (!installRequestAuthCheck(req, uid, isCorrectPath, appPath)) { + if (!installRequestAuthCheck(req, uid, appPath)) { LogError("Request from uid " << uid << " for app installation denied"); return SECURITY_MANAGER_API_ERROR_AUTHENTICATION_FAILED; } 
@@ -365,14 +352,14 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave) } try { - if (isCorrectPath) - SmackLabels::setupCorrectPath(req.pkgId, req.appId, appPath, zoneId); + if (!req.appPaths.empty()) + SmackLabels::setupAppBasePath(req.pkgId, appPath); // register paths for (const auto &appPath : req.appPaths) { const std::string &path = appPath.first; app_install_path_type pathType = static_cast(appPath.second); - SmackLabels::setupPath(req.appId, path, pathType, zoneId); + SmackLabels::setupPath(req.pkgId, path, pathType, zoneId); } if (isSlave) { diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp index 236d090..c01d555 100644 --- a/src/common/smack-labels.cpp +++ b/src/common/smack-labels.cpp @@ -42,8 +42,8 @@ namespace SecurityManager { namespace SmackLabels { -/* Const defined below is used to label files accessible to apps only for reading */ -const char *const LABEL_FOR_APP_RO_PATH = "User::Home"; +//! Smack label used for SECURITY_MANAGER_PATH_PUBLIC_RO paths (RO for all apps) +const char *const LABEL_FOR_APP_PUBLIC_RO_PATH = "User::Home"; typedef std::function LabelDecisionFn; 
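Review bot: In appInstall, `SmackLabels::setupPath` is still given `appPath.first`, the path string as the client sent it, while installRequestAuthCheck accepted the request on the basis of the resolved `real_path`. With this patch the base-path check is the only thing that keeps labels inside the package directory, so labeling the canonical path that was checked, or resolving and checking again immediately before labeling, would close the window in which a symlink in the requested path changes between check and use. How labelDir treats symlinks during its recursive walk is not visible in this patch.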
@@ -126,34 +126,27 @@ static void labelDir(const std::string &path, const std::string &label, dirSetSmack(path, label, XATTR_NAME_SMACKEXEC, &labelExecs); } -void setupPath(const std::string &appId, const std::string &path, app_install_path_type pathType) -{ - setupPath(appId, path, pathType, std::string()); -} - -void setupPath(const std::string &appId, const std::string &path, app_install_path_type pathType, +void setupPath(const std::string &pkgId, const std::string &path, app_install_path_type pathType, const std::string &zoneId) { std::string label; bool label_executables, label_transmute; switch (pathType) { - case SECURITY_MANAGER_PATH_PRIVATE: case SECURITY_MANAGER_PATH_RW: - label = zoneSmackLabelGenerate(generateAppLabel(appId), zoneId); + label = zoneSmackLabelGenerate(generatePkgLabel(pkgId), zoneId); label_executables = true; label_transmute = false; break; - case SECURITY_MANAGER_PATH_PUBLIC: case SECURITY_MANAGER_PATH_RO: - label.assign(LABEL_FOR_APP_RO_PATH); + label = zoneSmackLabelGenerate(generatePkgROLabel(pkgId), zoneId); label_executables = false; - label_transmute = true; + label_transmute = false; break; case SECURITY_MANAGER_PATH_PUBLIC_RO: - label.assign("_"); + label.assign(LABEL_FOR_APP_PUBLIC_RO_PATH); label_executables = false; - label_transmute = false; + label_transmute = true; break; default: LogError("Path type not known."); 
@@ -162,20 +155,10 @@ void setupPath(const std::string &appId, const std::string &path, app_install_pa return labelDir(path, label, label_transmute, label_executables); } -void setupCorrectPath(const std::string &pkgId, const std::string &appId, const std::string &basePath) -{ - setupCorrectPath(pkgId, appId, basePath, std::string()); -} - -void setupCorrectPath(const std::string &pkgId, const std::string &appId, const std::string &basePath, - const std::string& zoneId) +void setupAppBasePath(const std::string &pkgId, const std::string &basePath) { std::string pkgPath = basePath + "/" + pkgId; - std::string appPath = pkgPath + "/" + appId; - - pathSetSmack(pkgPath.c_str(), zoneSmackLabelGenerate(generatePkgLabel(pkgId), zoneId), XATTR_NAME_SMACK); - pathSetSmack(appPath.c_str(), zoneSmackLabelGenerate(generateAppLabel(appId), zoneId), XATTR_NAME_SMACK); - pathSetSmack(appPath.c_str(), "TRUE", XATTR_NAME_SMACKTRANSMUTE); + pathSetSmack(pkgPath.c_str(), LABEL_FOR_APP_PUBLIC_RO_PATH, XATTR_NAME_SMACK); } std::string generateAppNameFromLabel(const std::string &label) @@ -208,5 +191,16 @@ std::string generatePkgLabel(const std::string &pkgId) return label; } +std::string generatePkgROLabel(const std::string &pkgId) +{ + std::string label = "User::Pkg::" + pkgId + "::RO"; + + if (smack_label_length(label.c_str()) <= 0) + ThrowMsg(SmackException::InvalidLabel, "Invalid Smack label generated from pkgId " << pkgId); + + return label; +} + + } // namespace SmackLabels } // namespace SecurityManager diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp index d3bdf22..ce4f6e2 100644 --- a/src/common/smack-rules.cpp +++ b/src/common/smack-rules.cpp 
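Review bot: setupAppBasePath labels the package directory with `LABEL_FOR_APP_PUBLIC_RO_PATH` ("User::Home"), while the commit message says the application base path will be labeled `User::Pkg::$pkgID`; one of the two is wrong. If the message states the intent, the call would be `pathSetSmack(pkgPath.c_str(), generatePkgLabel(pkgId), XATTR_NAME_SMACK);`. The new function also drops the `zoneId` parameter that the removed setupCorrectPath passed through zoneSmackLabelGenerate, so the base directory is no longer labeled per zone; if that is deliberate, a comment on the function should say so.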
@@ -177,17 +177,10 @@ void SmackRules::addFromTemplate(const std::vector &templateRules, ThrowMsg(SmackException::FileError, "Invalid rule template: " << rule); } - if (subject == SMACK_APP_LABEL_TEMPLATE) - subject = SmackLabels::generateAppLabel(appId); - - if (subject == SMACK_PKG_LABEL_TEMPLATE) - subject = SmackLabels::generatePkgLabel(pkgId); - - if (object == SMACK_APP_LABEL_TEMPLATE) - object = SmackLabels::generateAppLabel(appId); - - if (object == SMACK_PKG_LABEL_TEMPLATE) - object = SmackLabels::generatePkgLabel(pkgId); + strReplace(subject, SMACK_APP_LABEL_TEMPLATE, SmackLabels::generateAppLabel(appId)); + strReplace(subject, SMACK_PKG_LABEL_TEMPLATE, SmackLabels::generatePkgLabel(pkgId)); + strReplace(object, SMACK_APP_LABEL_TEMPLATE, SmackLabels::generateAppLabel(appId)); + strReplace(object, SMACK_PKG_LABEL_TEMPLATE, SmackLabels::generatePkgLabel(pkgId)); if (!zoneId.empty()) { // FIXME replace with vasum calls. See zone-utils.h @@ -307,4 +300,12 @@ void SmackRules::uninstallRules(const std::string &path) } } +void SmackRules::strReplace(std::string &haystack, const std::string &needle, + const std::string &replace) +{ + size_t pos; + while ((pos = haystack.find(needle)) != std::string::npos) + haystack.replace(pos, needle.size(), replace); +} + } // namespace SecurityManager diff --git a/src/include/security-manager.h b/src/include/security-manager.h index 3c1304e..d9a735e 100644 --- a/src/include/security-manager.h +++ b/src/include/security-manager.h 
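Review bot: The loop in `SmackRules::strReplace` (second hunk) restarts `haystack.find(needle)` from offset 0 after every replacement, so it never terminates when `replace` itself contains `needle`, or when `needle` is empty. The replacement strings at the four call sites in `addFromTemplate` (first hunk) are built from `appId` and `pkgId`, so an identifier containing `~APP~` or `~PKG~` would hang rule generation unless such values are rejected earlier, which is not visible here. Searching forward from the end of each replacement fixes the first case: initialise `size_t pos = 0;`, call `haystack.find(needle, pos)`, and add `pos += replace.size();` after the `haystack.replace(...)` line. An early return for an empty `needle` covers the second.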
@@ -46,17 +46,13 @@ enum lib_retcode { /*! \brief accesses types for application installation paths*/ enum app_install_path_type { - //accessible read-write only for applications with same package id - SECURITY_MANAGER_PATH_PRIVATE, - //read-write access for all applications - SECURITY_MANAGER_PATH_PUBLIC, - //read only access for all applications + //! RO access for all applications SECURITY_MANAGER_PATH_PUBLIC_RO, - //accessible for writing to all apps within its package + //! RW access for given application package SECURITY_MANAGER_PATH_RW, - //accessible to apps for reading + //! RO access for given application package SECURITY_MANAGER_PATH_RO, - //this is only for range limit + //! this is only for range limit SECURITY_MANAGER_ENUM_END }; -- 2.7.4 From a77e00ea27530ddfecf09fd0ae32f186ce8b1911 Mon Sep 17 00:00:00 2001 From: Rafal Krypa Date: Mon, 31 Aug 2015 18:07:06 +0200 Subject: [PATCH 13/16] Always print warning log messages Several types of log messages are printed only when the code is build in DEBUG mode. This includes warning messages, but they should be printed always. Warning logs are generated in erroneous situation and they should not be lost int RELEASE builds. Change-Id: I9e9934c13b066492294cb5bd76d94030b6ee43c7 Signed-off-by: Rafal Krypa --- src/dpl/log/include/dpl/log/log.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/dpl/log/include/dpl/log/log.h b/src/dpl/log/include/dpl/log/log.h index 206223c..9e5fd8f 100644 --- a/src/dpl/log/include/dpl/log/log.h +++ b/src/dpl/log/include/dpl/log/log.h 
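Review bot: Removing `SECURITY_MANAGER_PATH_PRIVATE` and `SECURITY_MANAGER_PATH_PUBLIC` from the front of `app_install_path_type` renumbers the surviving enumerators, so `SECURITY_MANAGER_PATH_PUBLIC_RO` now has the value that `SECURITY_MANAGER_PATH_PRIVATE` had. A client built against the old header that still passes the old private value would presumably have its path labelled as readable by every application instead of being rejected. Pinning the remaining values, starting with `SECURITY_MANAGER_PATH_PUBLIC_RO = 2,`, leaves 0 and 1 unassigned so that they can fall into the "Path type not known." branch of `setupPath`. If the renumbering is intended, the header comment should state that the values changed in this release.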
@@ -152,18 +152,17 @@ do \ } \ } while (0) -/* Errors must be always logged. */ +/* Errors and warnings must be always logged. */ #define LogError(message) DPL_MACRO_FOR_LOGGING(message, Error) +#define LogWarning(message) DPL_MACRO_FOR_LOGGING(message, Warning) #ifdef BUILD_TYPE_DEBUG #define LogDebug(message) DPL_MACRO_FOR_LOGGING(message, Debug) #define LogInfo(message) DPL_MACRO_FOR_LOGGING(message, Info) - #define LogWarning(message) DPL_MACRO_FOR_LOGGING(message, Warning) #define LogPedantic(message) DPL_MACRO_FOR_LOGGING(message, Pedantic) #else #define LogDebug(message) DPL_MACRO_DUMMY_LOGGING(message, Debug) #define LogInfo(message) DPL_MACRO_DUMMY_LOGGING(message, Info) - #define LogWarning(message) DPL_MACRO_DUMMY_LOGGING(message, Warning) #define LogPedantic(message) DPL_MACRO_DUMMY_LOGGING(message, Pedantic) #endif // BUILD_TYPE_DEBUG -- 2.7.4 From 728eb26dbdc0ec4e2f0975c3c8701ae827f92fd3 Mon Sep 17 00:00:00 2001 From: Rafal Krypa Date: Thu, 3 Sep 2015 14:20:49 +0200 Subject: [PATCH 14/16] Fix labeling of SECURITY_MANAGER_PATH_RW paths - Don't set exec label on executables. Smack label should be set only by launcher. Also that exec label was wrong. Apps run with appId-based label, not pkgId-based. - Set transmute attribute. To keep all files in SECURITY_MANAGER_PATH_RW labeled with pkgId-based label, directories must be transmutable. Change-Id: I3ce69ae70796d2d591b57c75bd175c9c3ea99028 Signed-off-by: Rafal Krypa --- src/common/smack-labels.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp index c01d555..d90abbb 100644 --- a/src/common/smack-labels.cpp +++ b/src/common/smack-labels.cpp 
@@ -135,8 +135,8 @@ void setupPath(const std::string &pkgId, const std::string &path, app_install_pa switch (pathType) { case SECURITY_MANAGER_PATH_RW: label = zoneSmackLabelGenerate(generatePkgLabel(pkgId), zoneId); - label_executables = true; - label_transmute = false; + label_executables = false; + label_transmute = true; break; case SECURITY_MANAGER_PATH_RO: label = zoneSmackLabelGenerate(generatePkgROLabel(pkgId), zoneId); -- 2.7.4 From b515b69910ebfaa4c240eb116c9a3b05d5829f9d Mon Sep 17 00:00:00 2001 From: Rafal Krypa Date: Thu, 3 Sep 2015 16:31:30 +0200 Subject: [PATCH 15/16] Add missing Smack rules from System to ~PKG~ and ~PKG~::RO System domain must also access files labeled with pkgId-based label. Change-Id: I35ec4c092945b12480caae035055a4b00659d013 Signed-off-by: Rafal Krypa --- policy/app-rules-template.smack | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/app-rules-template.smack b/policy/app-rules-template.smack index 5bb1639..c45bf55 100644 --- a/policy/app-rules-template.smack +++ b/policy/app-rules-template.smack @@ -1,4 +1,6 @@ System ~APP~ rwx +System ~PKG~ rwxat +System ~PKG~::RO rwxat ~APP~ System wx ~APP~ System::Shared rxl ~APP~ System::Run rwxat -- 2.7.4 From 944c13466209dcfd9088c5df544c1c7b95295e6b Mon Sep 17 00:00:00 2001 From: Rafal Krypa Date: Thu, 3 Sep 2015 17:13:59 +0200 Subject: [PATCH 16/16] Release version 1.1.0 Change-Id: Idf0c77468200bea93b28b8d12ca4970cfdbe9b9d --- packaging/security-manager.changes | 8 ++++++++ packaging/security-manager.spec | 2 +- pc/security-manager.pc.in | 2 +- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/packaging/security-manager.changes b/packaging/security-manager.changes index 2bc5c15..bfd7823 100644 --- a/packaging/security-manager.changes +++ b/packaging/security-manager.changes 
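Review bot: The reason for `label_executables = false` and `label_transmute = true` in the `SECURITY_MANAGER_PATH_RW` case exists only in the commit message, and an earlier commit in this series had both flags the other way round, so the case needs an in-code comment. Something like `// exec label is set only by the launcher; transmute keeps files created here under the pkgId-based label` above the two assignments would do. `setupPath` starts and ends outside this hunk.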
@@ -1,3 +1,11 @@ +* Thu Sep 03 2015 Rafal Krypa +- Version 1.1.0 +- Master-slave mode to support Vasum (Tizen containers) +- New API for support of privilege mapping between platform versions +- New API for getting list of groups mapped to privileges +- Updated policy for labeling application files\ +- Always print warning log messages + * Wed Mar 25 2015 Jacek Bukarewicz - Version 1.0.2 - Work around application installation problems on slow targets diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec index f11260c..eb66336 100644 --- a/packaging/security-manager.spec +++ b/packaging/security-manager.spec @@ -1,6 +1,6 @@ Name: security-manager Summary: Security manager and utilities -Version: 1.0.2 +Version: 1.1.0 Release: 1 Group: Security/Service License: Apache-2.0 diff --git a/pc/security-manager.pc.in b/pc/security-manager.pc.in index c2916c5..7a3624d 100644 --- a/pc/security-manager.pc.in +++ b/pc/security-manager.pc.in @@ -5,7 +5,7 @@ includedir=${prefix}/include Name: security-manager Description: Security Manager Package -Version: 1.0.2 +Version: 1.1.0 Requires: Libs: -L${libdir} -lsecurity-manager-client Cflags: -I${includedir}/security-manager -- 2.7.4