From 7792f9f89d5e78b55ae6818dd3960b291c6a1c61 Mon Sep 17 00:00:00 2001
From: Bartlomiej Grzelewski
Date: Fri, 29 Jan 2016 16:24:28 +0100
Subject: [PATCH 01/16] Security manager reports error druing author removal.

The function Step will return false if you run DELETE command in sql language. It's not an error.

Change-Id: I7f6abdb26a5ae9e1e192f3d6477020a4a868e398
---
 src/common/privilege_db.cpp | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/src/common/privilege_db.cpp b/src/common/privilege_db.cpp
index a003f6c..f9ecf17 100644
--- a/src/common/privilege_db.cpp
+++ b/src/common/privilege_db.cpp
@@ -494,11 +494,7 @@ void PrivilegeDb::GetAuthorIdForAppId(const std::string &appId,
 void PrivilegeDb::RemoveAuthor()
 {
 try_catch([&] {
 auto command = getStatement(StmtType::ERemoveAuthors);
- if (command->Step()) {
- LogDebug("Unconnected authors have been removed");
- } else {
- LogError("Error during authors removing");
- }
+ command->Step();
 });
 }
-- 
2.7.4

From eb3625009f2c5ed45c4eda13ce712b599843b782 Mon Sep 17 00:00:00 2001
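Review bot: `command->Step()` is now called purely for its side effect with the result discarded, and the only explanation of why a false return is acceptable lives in the commit message; dropping the `LogDebug` also leaves no trace that the cleanup ran. Suggest `(void)command->Step(); // DELETE yields no row, so a false return here is not an error` followed by the kept `LogDebug("Unconnected authors have been removed");`. If `Step()` reports SQLite failures only through its return value rather than by throwing into `try_catch`, those failures are now silent — worth confirming against the statement wrapper, which is outside this hunk.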
From: Bartlomiej Grzelewski
Date: Thu, 4 Feb 2016 16:38:37 +0100
Subject: [PATCH 02/16] Remove master and slave mode.

Change-Id: Ia02b2ba10deef665eea203a0147cce301d46db8c
---
 packaging/security-manager.spec | 6 -
 src/client/client-security-manager.cpp | 18 +-
 src/common/CMakeLists.txt | 2 -
 src/common/include/master-req.h | 193 ------------
 src/common/include/protocols.h | 17 -
 src/common/include/service_impl.h | 31 +-
 src/common/include/smack-labels.h | 2 -
 src/common/include/smack-rules.h | 73 ++---
 src/common/include/zone-utils.h | 86 ------
 src/common/master-req.cpp | 261 ----------------
 src/common/protocols.cpp | 4 -
 src/common/service_impl.cpp | 272 +++++-----------
 src/common/smack-labels.cpp | 8 +-
 src/common/smack-rules.cpp | 118 +++----
 src/common/zone-utils.cpp | 117 -------
 src/server/CMakeLists.txt | 4 -
 src/server/main/server-main.cpp | 80 +----
 src/server/service/include/master-service.h | 160 ----------
 src/server/service/include/service.h | 3 +-
 src/server/service/master-service.cpp | 464 ----------------------------
 src/server/service/service.cpp | 71 ++---
 systemd/CMakeLists.txt | 6 -
 systemd/security-manager-master.service.in | 10 -
 systemd/security-manager-master.socket | 13 -
 systemd/security-manager-slave.service.in | 9 -
 systemd/security-manager-slave.socket | 10 -
 systemd/security-manager.service.in | 2 -
 systemd/security-manager.socket | 4 -
 28 files changed, 192 insertions(+), 1852 deletions(-)
 delete mode 100644 src/common/include/master-req.h
 delete mode 100644 src/common/include/zone-utils.h
 delete mode 100644 src/common/master-req.cpp
 delete mode 100644 src/common/zone-utils.cpp
 delete mode 100644 src/server/service/include/master-service.h
 delete mode 100644 src/server/service/master-service.cpp
 delete mode 100644 systemd/security-manager-master.service.in
 delete mode 100644 systemd/security-manager-master.socket
 delete mode 100644 systemd/security-manager-slave.service.in
 delete mode 100644 systemd/security-manager-slave.socket
diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec index 92261a5..4306b4f 100644 --- a/packaging/security-manager.spec +++ b/packaging/security-manager.spec @@ -89,8 +89,6 @@ cp LICENSE %{buildroot}%{_datadir}/license/libsecurity-manager-client mkdir -p %{buildroot}/%{_unitdir}/sockets.target.wants mkdir -p %{buildroot}/%{_unitdir}/sysinit.target.wants ln -s ../security-manager.socket %{buildroot}/%{_unitdir}/sockets.target.wants/security-manager.socket -ln -s ../security-manager-master.socket %{buildroot}/%{_unitdir}/sockets.target.wants/security-manager-master.socket -ln -s ../security-manager-slave.socket %{buildroot}/%{_unitdir}/sockets.target.wants/security-manager-slave.socket ln -s ../security-manager-cleanup.service %{buildroot}/%{_unitdir}/sysinit.target.wants/security-manager-cleanup.service %clean @@ -142,12 +140,8 @@ fi %{_libdir}/libsecurity-manager-commons.so.* %attr(-,root,root) %{_unitdir}/security-manager.* -%attr(-,root,root) %{_unitdir}/security-manager-master.* -%attr(-,root,root) %{_unitdir}/security-manager-slave.* %attr(-,root,root) %{_unitdir}/security-manager-cleanup.* %attr(-,root,root) %{_unitdir}/sockets.target.wants/security-manager.* -%attr(-,root,root) %{_unitdir}/sockets.target.wants/security-manager-master.* -%attr(-,root,root) %{_unitdir}/sockets.target.wants/security-manager-slave.* %attr(-,root,root) %{_unitdir}/sysinit.target.wants/security-manager-cleanup.* %config(noreplace) %attr(0600,root,root) %{TZ_SYS_DB}/.security-manager.db %config(noreplace) %attr(0600,root,root) %{TZ_SYS_DB}/.security-manager.db-journal diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp index dc273da..a5fdfdf 100644 --- a/src/client/client-security-manager.cpp +++ b/src/client/client-security-manager.cpp @@ -47,7 +47,6 @@ #include #include #include -#include #include #include 
@@ -192,7 +191,7 @@ int security_manager_app_install(const app_inst_req *p_req) int retval; ClientOffline offlineMode; if (offlineMode.isOffline()) { - retval = SecurityManager::ServiceImpl().appInstall(*p_req, geteuid(), false); + retval = SecurityManager::ServiceImpl().appInstall(*p_req, geteuid()); } else { MessageBuffer send, recv; @@ -392,18 +391,8 @@ int security_manager_set_process_label_from_appid(const char *app_id) if (smack_smackfs_path() == NULL) return SECURITY_MANAGER_SUCCESS; - // FIXME Below modifications related to zones are temporary. Remove when Smack Namespaces - // are implemented. - std::string zoneId; - if (!getZoneIdFromPid(getpid(), zoneId)) { - LogError("Failed to get ID of zone"); - return SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE; - } - try { - appLabel = SecurityManager::zoneSmackLabelGenerate( - SecurityManager::SmackLabels::generateAppLabel(app_id), zoneId); - + appLabel = SecurityManager::SmackLabels::generateAppLabel(app_id); } catch (...) { LogError("Failed to generate smack label for appId: " << app_id); return SECURITY_MANAGER_API_ERROR_NO_SUCH_OBJECT; @@ -603,8 +592,7 @@ int security_manager_user_add(const user_req *p_req) int retval; ClientOffline offlineMode; if (offlineMode.isOffline()) { - retval = SecurityManager::ServiceImpl().userAdd(p_req->uid, p_req->utype, geteuid(), - false); + retval = SecurityManager::ServiceImpl().userAdd(p_req->uid, p_req->utype, geteuid()); } else { MessageBuffer send, recv; //server is working diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt index b718e2f..3a9d3c9 100644 --- a/src/common/CMakeLists.txt +++ b/src/common/CMakeLists.txt 
@@ -48,13 +48,11 @@ SET(COMMON_SOURCES ${COMMON_PATH}/file-lock.cpp ${COMMON_PATH}/protocols.cpp ${COMMON_PATH}/message-buffer.cpp - ${COMMON_PATH}/master-req.cpp ${COMMON_PATH}/privilege_db.cpp ${COMMON_PATH}/smack-labels.cpp ${COMMON_PATH}/smack-rules.cpp ${COMMON_PATH}/smack-check.cpp ${COMMON_PATH}/service_impl.cpp - ${COMMON_PATH}/zone-utils.cpp ) ADD_LIBRARY(${TARGET_COMMON} SHARED ${COMMON_SOURCES}) diff --git a/src/common/include/master-req.h b/src/common/include/master-req.h deleted file mode 100644 index 8cbf759..0000000 --- a/src/common/include/master-req.h +++ /dev/null 
@@ -1,193 +0,0 @@ -/* - * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Rafal Krypa - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ - -/* - * @file master-req.h - * @author Lukasz Kostyra - * @brief Master request calls declaration - */ - -#ifndef _SECURITY_MANAGER_MASTER_REQ_ -#define _SECURITY_MANAGER_MASTER_REQ_ - -#include -#include - -#include "protocols.h" - - -namespace SecurityManager { -namespace MasterReq { - -/** - * Forwards Cynara Policy Update request to Master Service. - * - * @param[in] appID Application ID - * @param[in] uidstr String containing user identifier - * @param[in] privileges Currently enabled privileges for the application - * - * @see CynaraAdmin::UpdateAppPolicy - */ -int CynaraPolicyUpdate(const std::string &appId, const std::string &uidstr, - const std::vector &privileges); - -/** - * Forwards Cynara user initialization to Master service. - * - * @param[in] uidAdded New user UID - * @param[in] userType Type of user, enumerated in security-manager.h - * @return API return code, as defined in protocols.h - * - * @see CynaraAdmin::UserInit - */ -int CynaraUserInit(const uid_t uidAdded, int userType); - -/** - * Forwards Cynara user removal to Master service. 
- * - * @param[in] uidDeleted Removed user UID - * @return API return code, as defined in protocols.h - * - * @see CynaraAdmin::UserRemove - */ -int CynaraUserRemove(const uid_t uidDeleted); - -/** - * Forwards SMACK rule installation to Master service. - * - * @param[in] appId ID of application being removed - * @param[in] pkgId ID of package being removed - * @param[in] authorId ID for author. - * @param[in] pkgContents list of all applications in the package - * @param[in] appsGranted list of 2.x apps granted access - * @param[in] accessPackages list of 2.x packages to be accessed - * @return API return code, as defined in protocols.h - * - * @see SmackRules::installApplicationRules - */ -int SmackInstallRules(const std::string &appId, - const std::string &pkgId, - const std::string &authorId, - const std::vector &pkgContents, - const std::vector &appsGranted, - const std::vector &accessPackages); - -/** - * Forwards SMACK rule removal to Master service. - * - * @param[in] appId ID of application being removed - * @param[in] pkgId ID of package being removed - * @param[in] pkgContents A list of all applications in the package - * @param[in] appsGranted list of 2.x apps granted access - * @param[in] removeApp Flag stating if the application is no longer installed - * for any user and should be removed - * @param[in] removePkg Flag stating if entire package should be removed - * @return API return code, as defined in protocols.h - * - * @see SmackRules::uninstallPackageRules, SmackRules::uninstallApplicationRules - */ -int SmackUninstallRules(const std::string &appId, const std::string &pkgId, - const std::vector &pkgContents, - const std::vector &appsGranted, - const bool removeApp, const bool removePkg); - -/** - * Forwards policyUpdate API to Master. Arguments are the same as policyUpdate. 
- * - * @return API return code, as defined in protocols.h - * - * @see ServiceImpl::policyUpdate - */ -int PolicyUpdate(const std::vector &policyEntries, uid_t uid, pid_t pid, - const std::string &smackLabel); - -/** - * Forwards getConfiguredPolicy API to Master. Arguments are the same as getConfiguredPolicy. - * - * @return API return code, as defined in protocols.h - * - * @see ServiceImpl::getConfiguredPolicy - */ -int GetConfiguredPolicy(bool forAdmin, const policy_entry &filter, uid_t uid, pid_t pid, - const std::string &smackLabel, std::vector &policyEntries); - -/** - * Forwards getPolicy API to Master. Arguments are the same as getPolicy. - * - * @return API return code, as defined in protocols.h - * - * @see ServiceImpl::getPolicy - */ -int GetPolicy(const policy_entry &filter, uid_t uid, pid_t pid, const std::string &smackLabel, - std::vector &policyEntries); - -/** - * Forwards policyGetDesc API to Master. Arguments are the same as policyGetDesc. - * - * @return API return code, as defined in protocols.h - * - * @see ServiceImpl::policyGetDesc - */ -int PolicyGetDesc(std::vector &descriptions); - -/** - * Forwards Smack rules applying for private sharing to Master service. 
- * - * @param[in] ownerPkgId App id of path owner application - * @param[in] pkgContents Vector of applications belonging to the same package as path owner - * @param[in] targetAppId App id of sharing path target application - * @param[in] path Path being shared - * @param[in] ownerTargetCount Count of saved owner with target sharing - * @param[in] pathSharingCount Count of saved path sharing - * - * @return API return code, as defined in protocols.h - * - * @see ServiceImpl::applyPrivateSharing - */ -int SmackApplyPrivateSharingRules(const std::string &ownerPkgId, - const std::vector &pkgContents, - const std::string &targetAppId, - const std::string &path, - int ownerTargetCount, - int pathSharingCount); - -/** - * Forwards Smack rules applying for private sharing to Master service. - * - * @param[in] ownerPkgId Package id of path owner application - * @param[in] pkgContents Vector of applications belonging to the same package as path owner - * @param[in] targetAppId App id of sharing path target application - * @param[in] path Path being shared - * @param[in] ownerTargetCount Count of saved owner with target sharing - * @param[in] pathSharingCount Count of saved path sharing - * - * @return API return code, as defined in protocols.h - * - * @see ServiceImpl::dropPrivateSharing - */ -int SmackDropPrivateSharingRules(const std::string &ownerPkgId, - const std::vector &pkgContents, - const std::string &targetAppId, - const std::string &path, - int ownerTargetCount, - int pathSharingCount); - -} // namespace MasterReq -} // namespace SecurityManager - -#endif // _SECURITY_MANAGER_MASTER_REQ_ diff --git a/src/common/include/protocols.h b/src/common/include/protocols.h index 9a00bc4..1526f87 100644 --- a/src/common/include/protocols.h +++ b/src/common/include/protocols.h 
@@ -134,8 +134,6 @@ struct private_sharing_req { namespace SecurityManager { extern char const * const SERVICE_SOCKET; -extern char const * const MASTER_SERVICE_SOCKET; -extern char const * const SLAVE_SERVICE_SOCKET; enum class SecurityModuleCall { @@ -157,21 +155,6 @@ enum class SecurityModuleCall NOOP = 0x90, }; -enum class MasterSecurityModuleCall -{ - CYNARA_UPDATE_POLICY, - CYNARA_USER_INIT, - CYNARA_USER_REMOVE, - POLICY_UPDATE, - GET_CONFIGURED_POLICY, - GET_POLICY, - POLICY_GET_DESC, - SMACK_INSTALL_RULES, - SMACK_UNINSTALL_RULES, - SMACK_APPLY_PRIVATE_SHARING_RULES, - SMACK_DROP_PRIVATE_SHARING_RULES -}; - } // namespace SecurityManager using namespace SecurityManager; diff --git a/src/common/include/service_impl.h b/src/common/include/service_impl.h index 85cd9c2..0ffcbcd 100644 --- a/src/common/include/service_impl.h +++ b/src/common/include/service_impl.h @@ -49,7 +49,7 @@ private: int dropOnePrivateSharing(const std::string &ownerAppId, const std::string &ownerPkgId, const std::vector &ownerPkgContents, const std::string &targetAppId, - const std::string &path, const std::string &zoneId, bool isSlave); + const std::string &path); public: ServiceImpl(); @@ -60,22 +60,20 @@ public: * * @param[in] req installation request * @param[in] uid id of the requesting user - * @param[in] isSlave Indicates if function should be called under slave mode * * @return API return code, as defined in protocols.h */ - int appInstall(const app_inst_req &req, uid_t uid, bool isSlave); + int appInstall(const app_inst_req &req, uid_t uid); /** * Process application uninstallation request. * * @param[in] req uninstallation request * @param[in] uid id of the requesting user - * @param[in] isSlave Indicates if function should be called under slave mode * * @return API return code, as defined in protocols.h */ - int appUninstall(const std::string &appId, uid_t uid, bool isSlave); + int appUninstall(const std::string &appId, uid_t uid); /** * Process package id query. 
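Review bot: The appUninstall doc block rewritten in the service_impl.h hunk still carries `@param[in] req uninstallation request`, but the declaration it documents takes `const std::string &appId`; since the commit edits this comment anyway, change the tag to `@param[in] appId identifier of the application to uninstall`. The `dropOnePrivateSharing` declaration in the preceding hunk looks consistent as far as visible, but any documentation it has is outside the hunk and may still mention zoneId or isSlave.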
@@ -98,13 +96,11 @@ public: * @param[in] appId application identifier * @param[in] uid id of the requesting user * @param[in] pid id of the requesting process (to construct Cynara session id) - * @param[in] isSlave Indicates if function should be called under slave mode * @param[out] gids returned set of allowed group ids * * @return API return code, as defined in protocols.h */ - int getAppGroups(const std::string &appId, uid_t uid, pid_t pid, bool isSlave, - std::unordered_set &gids); + int getAppGroups(const std::string &appId, uid_t uid, pid_t pid, std::unordered_set &gids); /** * Process user adding request. @@ -112,22 +108,20 @@ public: * @param[in] uidAdded uid of newly created user * @param[in] userType type of newly created user * @param[in] uid uid of requesting user - * @param[in] isSlave Indicates if function should be called under slave mode * * @return API return code, as defined in protocols.h */ - int userAdd(uid_t uidAdded, int userType, uid_t uid, bool isSlave); + int userAdd(uid_t uidAdded, int userType, uid_t uid); /** * Process user deletion request. * * @param[in] uidDeleted uid of removed user * @param[in] uid uid of requesting user - * @param[in] isSlave Indicates if function should be called under slave mode * * @return API return code, as defined in protocols.h */ - int userDelete(uid_t uidDeleted, uid_t uid, bool isSlave); + int userDelete(uid_t uidDeleted, uid_t uid); /** * Update policy in Cynara - proper privilege: http://tizen.org/privilege/systemsettings.admin 
@@ -194,13 +188,11 @@ public: * @param[in] appId application identifier * @param[in] privilege privilege name * @param[in] uid user identifier - * @param[in] isSlave indicates if function should be called under slave mode * @param[out] result placeholder for check result * * @return API return code, as defined in protocols.h */ - int appHasPrivilege(std::string appId, std::string privilege, uid_t uid, - bool isSlave, bool &result); + int appHasPrivilege(std::string appId, std::string privilege, uid_t uid, bool &result); /** * Process applying private path sharing between applications. @@ -208,14 +200,12 @@ public: * @param[in] ownerAppId application owning paths * @param[in] targetAppId application which paths will be shared with * @param[in] paths vector of paths to be shared - * @param[in] isSlave Indicates if function should be called under slave mode * * @return API return code, as defined in protocols.h */ int applyPrivatePathSharing(const std::string &ownerAppId, const std::string &targetAppId, - const std::vector &paths, - bool isSlave); + const std::vector &paths); /** * Process droping private path sharing between applications. @@ -223,14 +213,13 @@ public: * @param[in] ownerAppId application owning paths * @param[in] targetAppId application which paths won't be anymore shared with * @param[in] paths vector of paths to be stopped being shared - * @param[in] isSlave Indicates if function should be called under slave mode * @return API return code, as defined in protocols.h */ int dropPrivatePathSharing(const std::string &ownerAppId, const std::string &targetAppId, - const std::vector &paths, - bool isSlave); + const std::vector &paths); }; + } /* namespace SecurityManager */ #endif /* _SECURITY_MANAGER_SERVICE_IMPL_ */ diff --git a/src/common/include/smack-labels.h b/src/common/include/smack-labels.h index af5c623..2aa00ec 100644 --- a/src/common/include/smack-labels.h +++ b/src/common/include/smack-labels.h 
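Review bot: The rewritten `appHasPrivilege` declaration in the first hunk still takes `appId` and `privilege` as `std::string` by value, unlike the `const std::string &` used for the other string parameters of this class; since the line is being rewritten, change it to `int appHasPrivilege(const std::string &appId, const std::string &privilege, uid_t uid, bool &result);` and adjust the definition in service_impl.cpp to match (that file is in the diffstat but not in view). The last hunk of this file also adds an empty line between `};` and `} /* namespace SecurityManager */` that is unrelated to the isSlave removal and could be dropped to keep the change to the signatures.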
@@ -41,13 +41,11 @@ namespace SmackLabels { * @param path[in] path to a file or directory to setup * @param pathType[in] type of path to setup. See description of * app_install_path_type in security-manager.h for details - * @param zoneId[in] ID of zone for which label should be set */ void setupPath( const std::string &pkgId, const std::string &path, app_install_path_type pathType, - const std::string &zoneId, const std::string &authorId = std::string()); /** diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h index e472dd2..a0b458a 100644 --- a/src/common/include/smack-rules.h +++ b/src/common/include/smack-rules.h @@ -49,14 +49,12 @@ public: const std::vector &templateRules, const std::string &appId, const std::string &pkgId, - const std::string &authorId, - const std::string &zoneId); + const std::string &authorId); void addFromTemplateFile( const std::string &appId, const std::string &pkgId, - const std::string &authorId, - const std::string &zoneId); + const std::string &authorId); void apply() const; void clear() const; 
@@ -69,41 +67,18 @@ public: * correct permissions to shared data. * * @param[in] pkgContents - a list of all applications inside this package - * @param[in] zoneId - ID of zone which requested application install */ - void generatePackageCrossDeps(const std::vector &pkgContents, - const std::string &zoneId); + void generatePackageCrossDeps(const std::vector &pkgContents); /** * Create cross dependencies for all other 2.X applications * * @param[in] pkgId - installed package id to access it's shared dir * @param[in] other2XApps - list of 2.x apps to grant access - * @param[in] zoneId - ID of zone which requested application install - */ - void generateAllowOther2XApplicationDeps(const std::string pkgId, - const std::vector &other2XApps, - const std::string &zoneId); - - /** - * Install package-specific smack rules. - * - * Function creates smack rules using predefined template. Rules are applied - * to the kernel and saved on persistent storage so they are loaded on system boot. - * - * @param[in] appId - application id that is beeing installed - * @param[in] pkgId - package id that the application is in - * @param[in] authorId - author id of application - * @param[in] pkgContents - list of all applications in the package - * @param[in] appsGranted - list of 2.x apps to grant access - * @param[in] accessPackages - list of 2.x packages to be accessed */ - static void installApplicationRules(const std::string &appId, - const std::string &pkgId, - const std::string &authorId, - const std::vector &pkgContents, - const std::vector &appsGranted, - const std::vector &accessPackages); + void generateAllowOther2XApplicationDeps( + const std::string pkgId, + const std::vector &other2XApps); /** * Install package-specific smack rules plus add rules for specified external apps. 
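Review bot: The rewritten `generateAllowOther2XApplicationDeps` signature keeps `const std::string pkgId` by value while `other2XApps` and the string parameters of the neighbouring methods are `const&`; since the line is being rewritten, make it `const std::string &pkgId`. The same by-value `const std::string appId` is kept in the rewritten `generateAppToOtherPackagesDeps` declaration in the last hunk of this file. The matching definitions in smack-rules.cpp are in the diffstat but outside this view and would need the same change; the class body holding these declarations begins and ends outside the hunk.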
@@ -115,7 +90,6 @@ public: * @param[in] pkgId - package id that the application is in * @param[in] authorId - author id of application * @param[in] pkgContents - list of all applications in the package - * @param[in] zoneId - ID of zone which requested application install * @param[in] appsGranted - list of 2.x apps granted access * @param[in] accessPackages - list of 2.x packages to be accessed */ @@ -125,8 +99,7 @@ public: const std::string &authorId, const std::vector &pkgContents, const std::vector &appsGranted, - const std::vector &accessPackages, - const std::string &zoneId); + const std::vector &accessPackages); /** * Uninstall package-specific smack rules. @@ -152,12 +125,12 @@ public: * @param[in] pkgId - package id that the application belongs to * @param[in] appsInPkg - a list of other applications in the same package id that the application belongs to * @param[in] appsGranted - list of 2.x apps granted access - * @param[in] zoneId - ID of zone which requested application uninstall */ - static void uninstallApplicationRules(const std::string &appId, const std::string &pkgId, + static void uninstallApplicationRules( + const std::string &appId, + const std::string &pkgId, std::vector appsInPkg, - const std::vector &appsGranted, - const std::string &zoneId); + const std::vector &appsGranted); /** * Update package specific rules @@ -169,12 +142,11 @@ public: * @param[in] pkgId - id of the package to update * @param[in] pkgContents - list of all applications in the package * @param[in] appsGranted - list of 2.x apps granted access - * @param[in] zoneId - ID of zone which requested application uninstall */ - static void updatePackageRules(const std::string &pkgId, + static void updatePackageRules( + const std::string &pkgId, const std::vector &pkgContents, - const std::vector &appsGranted, - const std::string &zoneId); + const std::vector &appsGranted); /* Temporary fix for authors rules */ static void fixAuthorRules(const std::string &authorId); 
@@ -194,15 +166,13 @@ public: * @param[in] isPathSharedAlready - flag indicated, if path has been shared before * @param[in] isTargetSharingAlready - flag indicated, if target is already sharing anything * with owner - * @param[in] zoneId - ID of zone which requested applying sharing */ static void applyPrivateSharingRules(const std::string &ownerPkgId, const std::vector &ownerPkgContents, const std::string &targetAppId, const std::string &pathLabel, bool isPathSharedAlready, - bool isTargetSharingAlready, - const std::string &zoneId); + bool isTargetSharingAlready); /** * Remove rules related to private path sharing rules * @@ -219,15 +189,15 @@ public: * @param[in] isPathSharedNoMore - flag indicated, if path is not shared anymore * @param[in] isTargetSharingNoMore - flag indicated, if target is not sharing anything * with owner - * @param[in] zoneId - ID of zone which requested droping sharing */ static void dropPrivateSharingRules(const std::string &ownerPkgId, const std::vector &ownerPkgContents, const std::string &targetAppId, const std::string &pathLabel, bool isPathSharedNoMore, - bool isTargetSharingNoMore, - const std::string &zoneId); + bool isTargetSharingNoMore); + + static void updatePackageRules(const std::string &pkgId, const std::vector &pkgContents); private: /** @@ -256,11 +226,10 @@ private: * * @param[in] path - path to the file that contains the rules * @param[in] other2XPackages - list of 2.x packages to be accessed - * @param[in] zoneId - ID of zone which requested application uninstall */ - static void generateAppToOtherPackagesDeps(const std::string appId, - const std::vector &other2XPackages, - const std::string &zoneId); + static void generateAppToOtherPackagesDeps( + const std::string appId, + const std::vector &other2XPackages); /** * Helper method: replace all occurrences of \ref needle in \ref haystack diff --git a/src/common/include/zone-utils.h b/src/common/include/zone-utils.h deleted file mode 100644 index 25caacc..0000000 
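Review bot: The new `static void updatePackageRules(const std::string &pkgId, const std::vector &pkgContents);` overload added in the second hunk is the only public declaration in this header without a Doxygen block, and it coexists with the three-argument `updatePackageRules` documented earlier in the file, so a reader cannot tell when to call which. Add a block above it along the lines of `/** Update package specific rules for @p pkgId from @p pkgContents; see the overload taking appsGranted. */`, adjusted to what the definition in smack-rules.cpp (outside this view) actually does. Placing it next to its sibling overload rather than after the private-sharing functions would also make the pair easier to find.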
--- a/src/common/include/zone-utils.h +++ /dev/null 
@@ -1,86 +0,0 @@ -/* - * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Rafal Krypa - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file zone-utils.h - * @author Lukasz Kostyra (l.kostyra@samsung.com) - * @version 1.0 - * @brief Definition of Zone utilities - */ - -#ifndef _SECURITY_MANAGER_ZONE_UTILS_H_ -#define _SECURITY_MANAGER_ZONE_UTILS_H_ - -#include - -// FIXME This module is a replacement for Vasum functions. -// -// When Vasum will be included into OBS, the module should be removed and vasum-client should -// be used instead. - -namespace SecurityManager -{ - -extern const std::string ZONE_HOST; - -/** - * Extracts Zone ID in which runs process having provided PID. - * - * This function parses /proc//cpuset file and tries to acquire Zone ID name from it. - * - * @param[in] pid PID of process to get Zone ID from. - * @param[out] zoneId Zone ID extracted from cpuset. If process runs in host, returns "host" string. - * @return True on success, false on failure. 
- */ -bool getZoneIdFromPid(int pid, std::string& zoneId); - -/** - * Generates zone-specific label from given @ref label and zone's name @ref zoneName - * - * @param[in] label Base label, used to generate new zone-specific label - * @param[in] zoneName Name of zone for which label will be generated - * @return Generated label - */ -std::string zoneSmackLabelGenerate(const std::string &label, const std::string &zoneName); - -/** - * Map @ref hostLabel to @ref zoneLabel using Smack namespaces. - * - * FIXME This is a placeholder for Vasum API - implement when Smack Namespaces are implemented - * - * @param[in] hostLabel Smack label as seen from hosts perspective - * @param[in] zoneName Zone ID to which label will be mapped - * @param[in] zoneLabel Smack label seen from zone's perspective - * @return True on success, false on failure - */ -bool zoneSmackLabelMap(const std::string &hostLabel, const std::string &zoneName, - const std::string &zoneLabel); - -/** - * Unmap label mapped by zoneSmackLabelMap. - * - * FIXME This is a placeholder for Vasum API - implement when Smack Namespaces are implemented - * - * @param[in] hostLabel Label to unmap - * @param[in] zoneName Zone ID for which unmapping should be done - * @return True on success, false on failure - */ -bool zoneSmackLabelUnmap(const std::string &hostLabel, const std::string &zoneName); - -} //namespace SecurityManager - -#endif //_SECURITY_MANAGER_ZONE_UTILS_H_ diff --git a/src/common/master-req.cpp b/src/common/master-req.cpp deleted file mode 100644 index 3d4d071..0000000 --- a/src/common/master-req.cpp +++ /dev/null 
@@ -1,261 +0,0 @@ -/* - * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Rafal Krypa - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ - -/* - * @file master-req.cpp - * @author Lukasz Kostyra - * @brief Definitions of master request calls - */ - -#include "master-req.h" - -#include - -#include "message-buffer.h" -#include "connection.h" - -namespace SecurityManager { -namespace MasterReq { - -int CynaraPolicyUpdate(const std::string &appId, const std::string &uidstr, - const std::vector &privileges) -{ - int ret; - MessageBuffer sendBuf, retBuf; - - Serialization::Serialize(sendBuf, - static_cast(MasterSecurityModuleCall::CYNARA_UPDATE_POLICY), - appId, uidstr, privileges); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Deserialization::Deserialize(retBuf, ret); - - return ret; -} - -int CynaraUserInit(const uid_t uidAdded, int userType) -{ - int ret; - MessageBuffer sendBuf, retBuf; - - Serialization::Serialize(sendBuf, - static_cast(MasterSecurityModuleCall::CYNARA_USER_INIT), - uidAdded, userType); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Deserialization::Deserialize(retBuf, ret); - - return ret; -} - -int CynaraUserRemove(const uid_t uidDeleted) -{ - int ret; - MessageBuffer sendBuf, retBuf; - - Serialization::Serialize(sendBuf, - 
static_cast(MasterSecurityModuleCall::CYNARA_USER_REMOVE), - uidDeleted); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Deserialization::Deserialize(retBuf, ret); - - return ret; -} - -int SmackInstallRules(const std::string &appId, - const std::string &pkgId, - const std::string &authorId, - const std::vector &pkgContents, - const std::vector &appsGranted, - const std::vector &accessPackages) -{ - int ret; - MessageBuffer sendBuf, retBuf; - Serialization::Serialize( - sendBuf, - static_cast(MasterSecurityModuleCall::SMACK_INSTALL_RULES), - appId, - pkgId, - authorId, - pkgContents, - appsGranted, - accessPackages); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Deserialization::Deserialize(retBuf, ret); - - return ret; -} - -int SmackUninstallRules(const std::string &appId, const std::string &pkgId, - const std::vector &pkgContents, - const std::vector &appsGranted, - const bool removeApp, const bool removePkg) -{ - int ret; - MessageBuffer sendBuf, retBuf; - - Serialization::Serialize(sendBuf, - static_cast(MasterSecurityModuleCall::SMACK_UNINSTALL_RULES), - appId, pkgId, pkgContents, appsGranted, removeApp, removePkg); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Deserialization::Deserialize(retBuf, ret); - - return ret; -} - -// Following three requests are just forwarded security-manager API calls -// these do not access Privilege DB, so all can be forwarded to Master -int PolicyUpdate(const std::vector &policyEntries, uid_t uid, pid_t pid, - const std::string &smackLabel) -{ - int ret; - MessageBuffer sendBuf, retBuf; - - Serialization::Serialize(sendBuf, - static_cast(MasterSecurityModuleCall::POLICY_UPDATE), - policyEntries, uid, pid, smackLabel); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == 
SECURITY_MANAGER_API_SUCCESS) - Deserialization::Deserialize(retBuf, ret); - - return ret; -} - -int GetConfiguredPolicy(bool forAdmin, const policy_entry &filter, uid_t uid, pid_t pid, - const std::string &smackLabel, std::vector &policyEntries) -{ - int ret; - MessageBuffer sendBuf, retBuf; - - Serialization::Serialize(sendBuf, - static_cast(MasterSecurityModuleCall::GET_CONFIGURED_POLICY), - forAdmin, filter, uid, pid, smackLabel); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) { - Deserialization::Deserialize(retBuf, ret); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Deserialization::Deserialize(retBuf, policyEntries); - } - - return ret; -} - -int GetPolicy(const policy_entry &filter, uid_t uid, pid_t pid, const std::string &smackLabel, - std::vector &policyEntries) -{ - int ret; - MessageBuffer sendBuf, retBuf; - - Serialization::Serialize(sendBuf, - static_cast(MasterSecurityModuleCall::GET_POLICY), - filter, uid, pid, smackLabel); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) { - Deserialization::Deserialize(retBuf, ret); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Deserialization::Deserialize(retBuf, policyEntries); - } - - return ret; -} - -int PolicyGetDesc(std::vector &descriptions) -{ - int ret; - MessageBuffer sendBuf, retBuf; - - Serialization::Serialize(sendBuf, - static_cast(MasterSecurityModuleCall::POLICY_GET_DESC)); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) { - Deserialization::Deserialize(retBuf, ret); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Deserialization::Deserialize(retBuf, descriptions); - } - - return ret; -} - -int SmackApplyPrivateSharingRules(const std::string &ownerPkgId, - const std::vector &pkgContents, - const std::string &targetAppId, - const std::string &path, - int ownerTargetCount, - int pathCount) -{ - int ret; - 
MessageBuffer sendBuf, retBuf; - - Serialization::Serialize(sendBuf, - static_cast(MasterSecurityModuleCall::SMACK_APPLY_PRIVATE_SHARING_RULES)); - Serialization::Serialize(sendBuf, ownerPkgId); - Serialization::Serialize(sendBuf, pkgContents); - Serialization::Serialize(sendBuf, targetAppId); - Serialization::Serialize(sendBuf, path); - Serialization::Serialize(sendBuf, ownerTargetCount); - Serialization::Serialize(sendBuf, pathCount); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) { - Deserialization::Deserialize(retBuf, ret); - } - - return ret; -} - -int SmackDropPrivateSharingRules(const std::string &ownerPkgId, - const std::vector &pkgContents, - const std::string &targetAppId, - const std::string &path, - int ownerTargetCount, - int pathCount) -{ - int ret; - MessageBuffer sendBuf, retBuf; - - Serialization::Serialize(sendBuf, - static_cast(MasterSecurityModuleCall::SMACK_DROP_PRIVATE_SHARING_RULES)); - Serialization::Serialize(sendBuf, ownerPkgId); - Serialization::Serialize(sendBuf, pkgContents); - Serialization::Serialize(sendBuf, targetAppId); - Serialization::Serialize(sendBuf, path); - Serialization::Serialize(sendBuf, ownerTargetCount); - Serialization::Serialize(sendBuf, pathCount); - - ret = sendToServer(MASTER_SERVICE_SOCKET, sendBuf.Pop(), retBuf); - if (ret == SECURITY_MANAGER_API_SUCCESS) { - Deserialization::Deserialize(retBuf, ret); - } - - return ret; -} - -} // namespace MasterReq -} // namespace SecurityManager diff --git a/src/common/protocols.cpp b/src/common/protocols.cpp index eac619a..798b9d6 100644 --- a/src/common/protocols.cpp +++ b/src/common/protocols.cpp 
@@ -32,10 +32,6 @@ namespace SecurityManager {
 char const * const SERVICE_SOCKET = SOCKET_PATH_PREFIX "security-manager.socket";
-char const * const MASTER_SERVICE_SOCKET =
- SOCKET_PATH_PREFIX "security-manager-master.socket";
-char const * const SLAVE_SERVICE_SOCKET =
- SOCKET_PATH_PREFIX "security-manager-slave.socket";
 } // namespace SecurityManager
diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
index 99928a9..ab15ba3 100644
--- a/src/common/service_impl.cpp
+++ b/src/common/service_impl.cpp
@@ -42,10 +42,8 @@
 #include "smack-rules.h"
 #include "smack-labels.h"
 #include "security-manager.h"
-#include "zone-utils.h"
 #include "service_impl.h"
-#include "master-req.h"
 namespace SecurityManager {
@@ -278,23 +276,7 @@ bool ServiceImpl::installRequestAuthCheck(const app_inst_req &req, uid_t uid, st
 return true;
 }
-bool ServiceImpl::getZoneId(std::string &zoneId)
-{
- if (!getZoneIdFromPid(getpid(), zoneId)) {
- LogError("Failed to get zone ID from current PID");
- return false;
- }
-
- // This function should be called under slave mode only - assumes, that we work inside zone
- if (zoneId == ZONE_HOST) {
- LogError("We should not run in host - refusing request");
- return false;
- }
-
- return true;
-}
-
-int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave)
+int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid)
 {
 std::vector addedPermissions;
 std::vector removedPermissions;
@@ -308,14 +290,6 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave)
 // authorId contains id from database. It's not equal to value in request.
 // IMHO the id in request should be called authorName not authorId...
- std::string zoneId;
- if (isSlave) {
- if (!getZoneId(zoneId)) {
- LogError("Failed to get Zone ID.");
- return SECURITY_MANAGER_API_ERROR_SERVER_ERROR;
- }
- }
-
 if (uid) {
 if (uid != req.uid) {
 LogError("User " << uid <<
@@ -334,9 +308,10 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave)
 }
 try {
- appLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(req.appId), zoneId);
+ appLabel = SmackLabels::generateAppLabel(req.appId);
+ /* NOTE: we don't use pkgLabel here, but generate it for pkgId validation */
- pkgLabel = zoneSmackLabelGenerate(SmackLabels::generatePkgLabel(req.pkgId), zoneId);
+ pkgLabel = SmackLabels::generatePkgLabel(req.pkgId);
 LogDebug("Install parameters: appId: " << req.appId << ", pkgId: " << req.pkgId << ", uidstr " << uidstr << ", app label: " << appLabel << ", pkg label: " << pkgLabel
@@ -357,16 +332,7 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave)
 PrivilegeDb::getInstance().GetAppIdsForPkgId(req.pkgId, pkgContents);
 PrivilegeDb::getInstance().GetAuthorIdForAppId(req.appId, authorId);
- if (isSlave) {
- int ret = MasterReq::CynaraPolicyUpdate(req.appId, uidstr, req.privileges);
- if (ret != SECURITY_MANAGER_API_SUCCESS) {
- PrivilegeDb::getInstance().RollbackTransaction();
- LogError("Error while processing request on master: " << ret);
- return ret;
- }
- } else {
- CynaraAdmin::getInstance().UpdateAppPolicy(appLabel, uidstr, req.privileges);
- }
+ CynaraAdmin::getInstance().UpdateAppPolicy(appLabel, uidstr, req.privileges);
 // if app is targetted to Tizen 2.X, give other 2.X apps RO rules to it's shared dir
 if(isTizen2XVersion(req.tizenVersion))
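Review bot: The retained `CynaraAdmin::getInstance().UpdateAppPolicy(appLabel, uidstr, req.privileges);` now runs with no failure handling in this hunk, while the slave branch being removed was the only code here that called `PrivilegeDb::getInstance().RollbackTransaction()` before returning. If UpdateAppPolicy reports failure by throwing, the open PrivilegeDb transaction is left to appInstall's catch handlers, which lie outside the hunk; please confirm one of them rolls back, otherwise a failed Cynara policy update leaves the transaction open with the earlier database changes uncommitted. The same question applies to the appUninstall hunk `@@ -486,16 +434,7 @@`, where the direct `UpdateAppPolicy(smackLabel, uidstr, std::vector())` call is followed immediately by `CommitTransaction()`. appInstall's body starts and ends outside this hunk.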
@@ -404,22 +370,12 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave) for (const auto &appPath : req.appPaths) { const std::string &path = appPath.first; app_install_path_type pathType = static_cast(appPath.second); - SmackLabels::setupPath(req.pkgId, path, pathType, zoneId, authorId); + SmackLabels::setupPath(req.pkgId, path, pathType, authorId); } - if (isSlave) { - LogDebug("Requesting master to add rules for new appId: " << req.appId << " with pkgId: " - << req.pkgId << ". Applications in package: " << pkgContents.size()); - int ret = MasterReq::SmackInstallRules(req.appId, req.pkgId, authorId, pkgContents, allTizen2XApps, allTizen2XPackages); - if (ret != SECURITY_MANAGER_API_SUCCESS) { - LogError("Master failed to apply package-specific smack rules: " << ret); - return ret; - } - } else { - LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: " - << req.pkgId << ". Applications in package: " << pkgContents.size()); - SmackRules::installApplicationRules(req.appId, req.pkgId, authorId, pkgContents, allTizen2XApps, allTizen2XPackages); - } + LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: " + << req.pkgId << ". Applications in package: " << pkgContents.size()); + SmackRules::installApplicationRules(req.appId, req.pkgId, authorId, pkgContents, allTizen2XApps, allTizen2XPackages); } catch (const SmackException::InvalidParam &e) { LogError("Invalid paramater during labeling: " << e.GetMessage()); return SECURITY_MANAGER_API_ERROR_INPUT_PARAM; @@ -429,7 +385,7 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave) } catch (const SecurityManager::Exception &e) { LogError("Security Manager exception: " << e.DumpToString()); return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - }catch (const std::bad_alloc &e) { + } catch (const std::bad_alloc &e) { LogError("Memory allocation error: " << e.what()); return SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY; } 
@@ -437,7 +393,7 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid, bool isSlave) return SECURITY_MANAGER_API_SUCCESS; } -int ServiceImpl::appUninstall(const std::string &appId, uid_t uid, bool isSlave) +int ServiceImpl::appUninstall(const std::string &appId, uid_t uid) { std::string pkgId; std::string tizenVersion; @@ -452,14 +408,6 @@ int ServiceImpl::appUninstall(const std::string &appId, uid_t uid, bool isSlave) std::string authorId; int restoreAuthor = 0; - std::string zoneId; - if (isSlave) { - if (!getZoneId(zoneId)) { - LogError("Failed to get Zone ID."); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - } - } - try { PrivilegeDb::getInstance().BeginTransaction(); if (!PrivilegeDb::getInstance().GetAppPkgIdAndVer(appId, pkgId, tizenVersion)) { @@ -468,7 +416,7 @@ int ServiceImpl::appUninstall(const std::string &appId, uid_t uid, bool isSlave) PrivilegeDb::getInstance().RollbackTransaction(); appExists = false; } else { - smackLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(appId), zoneId); + smackLabel = SmackLabels::generateAppLabel(appId); LogDebug("Uninstall parameters: appId: " << appId << ", pkgId: " << pkgId << ", uidstr " << uidstr << ", generated smack label: " << smackLabel); 
@@ -486,16 +434,7 @@ int ServiceImpl::appUninstall(const std::string &appId, uid_t uid, bool isSlave)
 if(isTizen2XVersion(tizenVersion))
 PrivilegeDb::getInstance().GetTizen2XApps(appId, allTizen2XApps);
- if (isSlave) {
- int ret = MasterReq::CynaraPolicyUpdate(appId, uidstr, std::vector());
- if (ret != SECURITY_MANAGER_API_SUCCESS) {
- PrivilegeDb::getInstance().RollbackTransaction();
- LogError("Error while processing request on master: " << ret);
- return ret;
- }
- } else {
- CynaraAdmin::getInstance().UpdateAppPolicy(smackLabel, uidstr, std::vector());
- }
+ CynaraAdmin::getInstance().UpdateAppPolicy(smackLabel, uidstr, std::vector());
 PrivilegeDb::getInstance().CommitTransaction();
 LogDebug("Application uninstallation commited to database");
@@ -523,32 +462,24 @@ int ServiceImpl::appUninstall(const std::string &appId, uid_t uid, bool isSlave)
 if (appExists) {
 try {
- if (isSlave) {
- LogDebug("Delegating Smack rules removal for deleted pkgId " << pkgId <<
- " to master");
- int ret = MasterReq::SmackUninstallRules(appId, pkgId, pkgContents, allTizen2XApps, removeApp, removePkg);
- if (ret != SECURITY_MANAGER_API_SUCCESS) {
- LogError("Error while processing uninstall request on master: " << ret);
- return ret;
- }
- } else {
- if (removeApp) {
- LogDebug("Removing smack rules for deleted appId " << appId);
- SmackRules::uninstallApplicationRules(appId, pkgId, pkgContents, allTizen2XApps, zoneId);
- }
- if (removePkg) {
- LogDebug("Removing Smack rules for deleted pkgId " << pkgId);
- SmackRules::uninstallPackageRules(pkgId);
- }
- if (restoreAuthor)
- SmackRules::fixAuthorRules(authorId);
+ if (removeApp) {
+ LogDebug("Removing smack rules for deleted appId " << appId);
+ SmackRules::uninstallApplicationRules(appId, pkgId, pkgContents, allTizen2XApps);
 }
+
+ if (removePkg) {
+ LogDebug("Removing Smack rules for deleted pkgId " << pkgId);
+ SmackRules::uninstallPackageRules(pkgId);
+ }
+
+ if (restoreAuthor) {
+ LogDebug("Removing Smack rules for authorId " << authorId);
+ SmackRules::fixAuthorRules(authorId);
+ }
+
 } catch (const SmackException::Base &e) {
 LogError("Error while removing Smack rules for application: " << e.DumpToString());
 return SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED;
- } catch (const SecurityManager::Exception &e) {
- LogError("Security Manager error: " << e.DumpToString());
- return SECURITY_MANAGER_API_ERROR_SERVER_ERROR;
 } catch (const std::bad_alloc &e) {
 LogError("Memory allocation error: " << e.what());
 return SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY;
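Review bot: The `catch (const SecurityManager::Exception &e)` handler is dropped from the end of this try block together with the slave branch, and the commit message (removing master/slave mode) does not account for that. If SmackException::Base is only one subtree of SecurityManager::Exception, any other SecurityManager::Exception thrown by `uninstallApplicationRules`, `uninstallPackageRules` or `fixAuthorRules` now propagates out of appUninstall instead of being mapped to SECURITY_MANAGER_API_ERROR_SERVER_ERROR, and userDelete (hunk `@@ -694,22 +607,14 @@`) calls appUninstall in a loop expecting a return code. Unless every throw from those three calls is known to be a SmackException::Base, restore the three lines `} catch (const SecurityManager::Exception &e) {` / `LogError("Security Manager error: " << e.DumpToString());` / `return SECURITY_MANAGER_API_ERROR_SERVER_ERROR;` between the two remaining handlers. appUninstall's body starts and ends outside this hunk.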
@@ -577,18 +508,12 @@ int ServiceImpl::getPkgId(const std::string &appId, std::string &pkgId) return SECURITY_MANAGER_API_SUCCESS; } -int ServiceImpl::getAppGroups(const std::string &appId, uid_t uid, pid_t pid, bool isSlave, +int ServiceImpl::getAppGroups( + const std::string &appId, + uid_t uid, + pid_t pid, std::unordered_set &gids) { - // FIXME Temporary solution, see below - std::string zoneId; - if (isSlave) { - if (!getZoneId(zoneId)) { - LogError("Failed to get Zone ID."); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - } - } - try { std::string pkgId; std::string smackLabel; @@ -603,9 +528,7 @@ int ServiceImpl::getAppGroups(const std::string &appId, uid_t uid, pid_t pid, bo } LogDebug("pkgId: " << pkgId); - // FIXME getAppGroups should work without generating zone-specific labels when - // Smack Namespaces will work - smackLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(appId), zoneId); + smackLabel = SmackLabels::generateAppLabel(appId); LogDebug("smack label: " << smackLabel); std::vector privileges; 
@@ -655,30 +578,20 @@ int ServiceImpl::getAppGroups(const std::string &appId, uid_t uid, pid_t pid, bo
 return SECURITY_MANAGER_API_SUCCESS;
 }
-int ServiceImpl::userAdd(uid_t uidAdded, int userType, uid_t uid, bool isSlave)
+int ServiceImpl::userAdd(uid_t uidAdded, int userType, uid_t uid)
 {
 if (uid != 0)
 return SECURITY_MANAGER_API_ERROR_AUTHENTICATION_FAILED;
- if (isSlave) {
- int ret = MasterReq::CynaraUserInit(uidAdded,
- static_cast(userType));
- if (ret != SECURITY_MANAGER_API_SUCCESS) {
- LogError("Master failed to initialize user " << uidAdded << " of type " << userType);
- return ret;
- }
- } else {
- try {
- CynaraAdmin::getInstance().UserInit(uidAdded, static_cast(userType));
- } catch (CynaraException::InvalidParam &e) {
- return SECURITY_MANAGER_API_ERROR_INPUT_PARAM;
- }
+ try {
+ CynaraAdmin::getInstance().UserInit(uidAdded, static_cast(userType));
+ } catch (CynaraException::InvalidParam &e) {
+ return SECURITY_MANAGER_API_ERROR_INPUT_PARAM;
 }
-
 return SECURITY_MANAGER_API_SUCCESS;
 }
-int ServiceImpl::userDelete(uid_t uidDeleted, uid_t uid, bool isSlave)
+int ServiceImpl::userDelete(uid_t uidDeleted, uid_t uid)
 {
 int ret = SECURITY_MANAGER_API_SUCCESS;
 if (uid != 0)
@@ -694,22 +607,14 @@ int ServiceImpl::userDelete(uid_t uidDeleted, uid_t uid, bool isSlave)
 }
 for (auto &app: userApps) {
- if (appUninstall(app, uidDeleted, isSlave) != SECURITY_MANAGER_API_SUCCESS) {
+ if (appUninstall(app, uidDeleted) != SECURITY_MANAGER_API_SUCCESS) {
 /*if uninstallation of this app fails, just go on trying to uninstall another ones. we do not have anything special to do about that matter - user will be deleted anyway.*/
 ret = SECURITY_MANAGER_API_ERROR_SERVER_ERROR;
 }
 }
- if (isSlave) {
- int ret = MasterReq::CynaraUserRemove(uidDeleted);
- if (ret) {
- LogError("Master failed to delete user " << uidDeleted);
- return ret;
- }
- } else {
- CynaraAdmin::getInstance().UserRemove(uidDeleted);
- }
+ CynaraAdmin::getInstance().UserRemove(uidDeleted);
 return ret;
 }
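Review bot: The new `} catch (CynaraException::InvalidParam &e) {` in userAdd catches by non-const reference and never uses `e`; catch by const reference and drop the name, `} catch (const CynaraException::InvalidParam &) {`, which also matches the `const ... &e` handlers used elsewhere in this file. Only InvalidParam is translated into a return code here, so anything else UserInit may throw leaves userAdd with no error mapping; that was equally true of the removed else-branch, so if it is intended a one-line comment above the try such as `// Only InvalidParam is mapped; other Cynara failures propagate to the caller` would save the next reader the question.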
@@ -1039,22 +944,14 @@ int ServiceImpl::policyGetGroups(std::vector &groups)
 return ret;
 }
-int ServiceImpl::appHasPrivilege(std::string appId, std::string privilege,
- uid_t uid, bool isSlave, bool &result)
+int ServiceImpl::appHasPrivilege(
+ std::string appId,
+ std::string privilege,
+ uid_t uid,
+ bool &result)
 {
 try {
- // FIXME getAppGroups should work without generating zone-specific labels when
- // Smack Namespaces will work
- std::string zoneId;
- if (isSlave) {
- if (!getZoneId(zoneId)) {
- LogError("Failed to get Zone ID.");
- return SECURITY_MANAGER_API_ERROR_SERVER_ERROR;
- }
- }
-
- std::string appLabel = zoneSmackLabelGenerate(
- SmackLabels::generateAppLabel(appId), zoneId);
+ std::string appLabel = SmackLabels::generateAppLabel(appId);
 std::string uidStr = std::to_string(uid);
 result = Cynara::getInstance().check(appLabel, privilege, uidStr, "");
 LogDebug("result = " << result);
@@ -1075,9 +972,12 @@ int ServiceImpl::appHasPrivilege(std::string appId, std::string privilege,
 }
-int ServiceImpl::dropOnePrivateSharing(const std::string &ownerAppId, const std::string &ownerPkgId,
- const std::vector &ownerPkgContents, const std::string &targetAppId,
- const std::string &path, const std::string &zoneId, bool isSlave)
+int ServiceImpl::dropOnePrivateSharing(
+ const std::string &ownerAppId,
+ const std::string &ownerPkgId,
+ const std::vector &ownerPkgContents,
+ const std::string &targetAppId,
+ const std::string &path)
 {
 int errorRet;
 try {
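Review bot: The rewritten signature of appHasPrivilege still takes `std::string appId` and `std::string privilege` by value although both are only read (`generateAppLabel(appId)` and `check(appLabel, privilege, uidStr, "")`), unlike every other ServiceImpl method reshaped in this commit, which takes `const std::string &`. Since the declaration in service_impl.h is already being edited for the isSlave removal, change the two added parameter lines to `const std::string &appId,` and `const std::string &privilege,` and mirror that in the header. appHasPrivilege continues past the end of this hunk.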
@@ -1090,15 +990,11 @@ int ServiceImpl::dropOnePrivateSharing(const std::string &ownerAppId, const std: return SECURITY_MANAGER_API_SUCCESS; } if (pathCount < 1) { - SmackLabels::setupPath(ownerPkgId, path, SECURITY_MANAGER_PATH_RW, zoneId); - } - std::string pathLabel = zoneSmackLabelGenerate(SmackLabels::generateSharedPrivateLabel(ownerPkgId, path), zoneId); - if (isSlave) { - MasterReq::SmackDropPrivateSharingRules(ownerPkgId, ownerPkgContents, targetAppId, path, ownerTargetCount, pathCount); - } else { - SmackRules::dropPrivateSharingRules(ownerPkgId, ownerPkgContents, targetAppId, pathLabel, - pathCount < 1, ownerTargetCount < 1, zoneId); + SmackLabels::setupPath(ownerPkgId, path, SECURITY_MANAGER_PATH_RW); } + std::string pathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgId, path); + SmackRules::dropPrivateSharingRules(ownerPkgId, ownerPkgContents, targetAppId, pathLabel, + pathCount < 1, ownerTargetCount < 1); return SECURITY_MANAGER_API_SUCCESS; } catch (const SmackException::Base &e) { LogError("Error performing smack operation: " << e.GetMessage()); @@ -1116,22 +1012,15 @@ int ServiceImpl::dropOnePrivateSharing(const std::string &ownerAppId, const std: return errorRet; } -int ServiceImpl::applyPrivatePathSharing(const std::string &ownerAppId, - const std::string &targetAppId, - const std::vector &paths, - bool isSlave) +int ServiceImpl::applyPrivatePathSharing( + const std::string &ownerAppId, + const std::string &targetAppId, + const std::vector &paths) { int errorRet; int sharingAdded = 0; std::string ownerPkgId; std::vector pkgContents; - std::string zoneId; - if (isSlave) { - if (!getZoneId(zoneId)) { - LogError("Failed to get Zone ID."); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - } - } try { std::string targetPkgId; 
@@ -1146,8 +1035,8 @@ int ServiceImpl::applyPrivatePathSharing(const std::string &ownerAppId, for(const auto &path : paths) { std::string pathLabel = SmackLabels::getSmackLabelFromPath(path); - if (pathLabel != zoneSmackLabelGenerate(SmackLabels::generatePkgLabel(ownerPkgId), zoneId)) { - std::string generatedPathLabel = zoneSmackLabelGenerate(SmackLabels::generateSharedPrivateLabel(ownerPkgId, path), zoneId); + if (pathLabel != SmackLabels::generatePkgLabel(ownerPkgId)) { + std::string generatedPathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgId, path); if (generatedPathLabel != pathLabel) { LogError("Path " << path << " has label " << pathLabel << " and dosen't belong" " to application " << ownerAppId); @@ -1171,7 +1060,7 @@ int ServiceImpl::applyPrivatePathSharing(const std::string &ownerAppId, PrivilegeDb::getInstance().GetTargetPathSharingCount(targetAppId, path, targetPathCount); PrivilegeDb::getInstance().GetPathSharingCount(path, pathCount); PrivilegeDb::getInstance().GetOwnerTargetSharingCount(ownerAppId, targetAppId, ownerTargetCount); - std::string pathLabel = zoneSmackLabelGenerate(SmackLabels::generateSharedPrivateLabel(ownerPkgId, path), zoneId); + std::string pathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgId, path); PrivilegeDb::getInstance().ApplyPrivateSharing(ownerAppId, targetAppId, path, pathLabel); sharingAdded++; if (targetPathCount > 0) { 
@@ -1181,13 +1070,9 @@ int ServiceImpl::applyPrivatePathSharing(const std::string &ownerAppId, if (pathCount <= 0) { SmackLabels::setupSharedPrivatePath(ownerPkgId, path); } - if (isSlave) { - MasterReq::SmackApplyPrivateSharingRules(ownerPkgId, - pkgContents, targetAppId, path, ownerTargetCount, pathCount); - } else { - SmackRules::applyPrivateSharingRules(ownerPkgId, pkgContents, targetAppId, - pathLabel, (pathCount > 0), (ownerTargetCount > 0), zoneId); - } + + SmackRules::applyPrivateSharingRules(ownerPkgId, pkgContents, targetAppId, + pathLabel, (pathCount > 0), (ownerTargetCount > 0)); } trans.commit(); return SECURITY_MANAGER_API_SUCCESS; @@ -1206,25 +1091,18 @@ int ServiceImpl::applyPrivatePathSharing(const std::string &ownerAppId, } for (int i = 0; i < sharingAdded; i++) { const std::string &path = paths[i]; - dropOnePrivateSharing(ownerAppId, ownerPkgId, pkgContents, targetAppId, path, zoneId, isSlave); + dropOnePrivateSharing(ownerAppId, ownerPkgId, pkgContents, targetAppId, path); } return errorRet; } -int ServiceImpl::dropPrivatePathSharing(const std::string &ownerAppId, - const std::string &targetAppId, - const std::vector &paths, - bool isSlave) +int ServiceImpl::dropPrivatePathSharing( + const std::string &ownerAppId, + const std::string &targetAppId, + const std::vector &paths) { int errorRet; try { - std::string zoneId; - if (isSlave) { - if (!getZoneId(zoneId)) { - LogError("Failed to get Zone ID."); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - } - } std::string ownerPkgId, targetPkgId; if (!PrivilegeDb::getInstance().GetAppPkgId(ownerAppId, ownerPkgId)) { LogError(ownerAppId << " is not an installed application"); 
@@ -1237,8 +1115,8 @@ int ServiceImpl::dropPrivatePathSharing(const std::string &ownerAppId, for(const auto &path : paths) { std::string pathLabel = SmackLabels::getSmackLabelFromPath(path); - if (pathLabel != zoneSmackLabelGenerate(SmackLabels::generatePkgLabel(ownerPkgId), zoneId)) { - std::string generatedPathLabel = zoneSmackLabelGenerate(SmackLabels::generateSharedPrivateLabel(ownerPkgId, path), zoneId); + if (pathLabel != SmackLabels::generatePkgLabel(ownerPkgId)) { + std::string generatedPathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgId, path); if (generatedPathLabel != pathLabel) { LogError("Path " << path << " has label " << pathLabel << " and dosen't belong" " to application " << ownerAppId); @@ -1260,7 +1138,7 @@ int ServiceImpl::dropPrivatePathSharing(const std::string &ownerAppId, PrivilegeDb::getInstance().GetAppIdsForPkgId(ownerPkgId, pkgContents); ScopedTransaction trans; for (const auto &path : paths) { - int ret = dropOnePrivateSharing(ownerAppId, ownerPkgId, pkgContents, targetAppId, path, zoneId, isSlave); + int ret = dropOnePrivateSharing(ownerAppId, ownerPkgId, pkgContents, targetAppId, path); if (ret != SECURITY_MANAGER_API_SUCCESS) { return ret; } @@ -1283,5 +1161,5 @@ int ServiceImpl::dropPrivatePathSharing(const std::string &ownerAppId, return errorRet; } - } /* namespace SecurityManager */ + diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp index dbc6f4d..8682d52 100644 --- a/src/common/smack-labels.cpp +++ b/src/common/smack-labels.cpp @@ -41,7 +41,6 @@ #include "security-manager.h" #include "smack-labels.h" -#include "zone-utils.h" namespace SecurityManager { @@ -135,7 +134,6 @@ void setupPath( const std::string &pkgId, const std::string &path, app_install_path_type pathType, - const std::string &zoneId, const std::string &authorId) { std::string label; 
@@ -143,12 +141,12 @@ void setupPath( switch (pathType) { case SECURITY_MANAGER_PATH_RW: - label = zoneSmackLabelGenerate(generatePkgLabel(pkgId), zoneId); + label = generatePkgLabel(pkgId); label_executables = false; label_transmute = true; break; case SECURITY_MANAGER_PATH_RO: - label = zoneSmackLabelGenerate(generatePkgROLabel(pkgId), zoneId); + label = generatePkgROLabel(pkgId); label_executables = false; label_transmute = false; break; @@ -158,7 +156,7 @@ void setupPath( label_transmute = true; break; case SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO: - label = zoneSmackLabelGenerate(generatePkgLabelOwnerRWothersRO(pkgId), zoneId); + label = generatePkgLabelOwnerRWothersRO(pkgId); label_executables = false; label_transmute = true; break; diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp index 3f4dce5..bd66158 100644 --- a/src/common/smack-rules.cpp +++ b/src/common/smack-rules.cpp @@ -38,7 +38,6 @@ #include "smack-labels.h" #include "smack-rules.h" -#include "zone-utils.h" namespace SecurityManager { @@ -148,8 +147,7 @@ void SmackRules::saveToFile(const std::string &path) const void SmackRules::addFromTemplateFile( const std::string &appId, const std::string &pkgId, - const std::string &authorId, - const std::string &zoneId) + const std::string &authorId) { std::vector templateRules; std::string line; @@ -169,15 +167,14 @@ void SmackRules::addFromTemplateFile( ThrowMsg(SmackException::FileError, "Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH); } - addFromTemplate(templateRules, appId, pkgId, authorId, zoneId); + addFromTemplate(templateRules, appId, pkgId, authorId); } void SmackRules::addFromTemplate( const std::vector &templateRules, const std::string &appId, const std::string &pkgId, - const std::string &authorId, - const std::string &zoneId) + const std::string &authorId) { for (auto rule : templateRules) { if (rule.empty()) 
@@ -206,18 +203,11 @@ void SmackRules::addFromTemplate( SmackLabels::generateAuthorLabel(authorId)); } - if (!zoneId.empty()) { - // FIXME replace with vasum calls. See zone-utils.h - subject = zoneSmackLabelGenerate(subject, zoneId); - object = zoneSmackLabelGenerate(object, zoneId); - } - add(subject, object, permissions); } } -void SmackRules::generatePackageCrossDeps(const std::vector &pkgContents, - const std::string &zoneId) +void SmackRules::generatePackageCrossDeps(const std::vector &pkgContents) { LogDebug ("Generating cross-package rules"); 
@@ -229,28 +219,28 @@ void SmackRules::generatePackageCrossDeps(const std::vector &pkgCon if (object == subject) continue; - subjectLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(subject), zoneId); - objectLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(object), zoneId); + subjectLabel = SmackLabels::generateAppLabel(subject); + objectLabel = SmackLabels::generateAppLabel(object); LogDebug ("Trying to add rule subject: " << subjectLabel << " object: " << objectLabel << " perms: " << appsInPackagePerms); add(subjectLabel, objectLabel, appsInPackagePerms); } } } -void SmackRules::generateAppToOtherPackagesDeps(const std::string appId, - const std::vector &other2XPackages, - const std::string &zoneId) +void SmackRules::generateAppToOtherPackagesDeps( + const std::string appId, + const std::vector &other2XPackages) { // reverse: allow installed app to access others' contents // for every 2.X package for (const auto &object : other2XPackages) { - std::string otherObjectLabel = zoneSmackLabelGenerate(SmackLabels::generatePkgLabelOwnerRWothersRO(object), zoneId); + std::string otherObjectLabel = SmackLabels::generatePkgLabelOwnerRWothersRO(object); SmackRules packageRules; std::string accessPackageRulesPath = getPackageRulesFilePath(object); packageRules.loadFromFile(accessPackageRulesPath); - std::string subjectLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(appId), zoneId); + std::string subjectLabel = SmackLabels::generateAppLabel(appId); LogDebug("Addding cross app rule for newly installed subject " << subjectLabel << " to already installed 2.x package object: " << otherObjectLabel << " perms: " << SMACK_APP_CROSS_PKG_PERMS); packageRules.add(subjectLabel, otherObjectLabel, SMACK_APP_CROSS_PKG_PERMS); packageRules.saveToFile(accessPackageRulesPath); 
@@ -262,18 +252,18 @@ void SmackRules::generateAppToOtherPackagesDeps(const std::string appId, /** * this below works in N^2 and should be replaced by an alternative mechanism */ -void SmackRules::generateAllowOther2XApplicationDeps(const std::string pkgId, - const std::vector &other2XApps, - const std::string &zoneId) +void SmackRules::generateAllowOther2XApplicationDeps( + const std::string pkgId, + const std::vector &other2XApps) { LogDebug("Generating cross-package rules"); - std::string objectLabel = zoneSmackLabelGenerate(SmackLabels::generatePkgLabelOwnerRWothersRO(pkgId), zoneId); + std::string objectLabel = SmackLabels::generatePkgLabelOwnerRWothersRO(pkgId); std::string appsInPackagePerms = SMACK_APP_IN_PACKAGE_PERMS; // allow other app to access installed package contents for (const auto &subject : other2XApps) { - std::string subjectLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(subject), zoneId); + std::string subjectLabel = SmackLabels::generateAppLabel(subject); LogDebug("Addding cross 2.x app rule subject: " << subjectLabel << " to newly installed object: " << objectLabel << " perms: " << SMACK_APP_CROSS_PKG_PERMS); 
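Review bot: generateAllowOther2XApplicationDeps takes `const std::string pkgId` by value although it is only read (`SmackLabels::generatePkgLabelOwnerRWothersRO(pkgId)`) and its neighbour `other2XApps` is a const reference; make it `const std::string &pkgId` here and in the header. The unchanged log message in this hunk, `"Addding cross 2.x app rule subject: "`, carries a typo that also appears in generateAppToOtherPackagesDeps; since these lines end up in the system log and get grepped during incident triage, correct both to `"Adding cross 2.x app rule subject: "`. The function body continues past the end of the hunk.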
@@ -301,42 +291,29 @@ void SmackRules::installApplicationRules( const std::vector &appsGranted, const std::vector &accessPackages) { - installApplicationRules(appId, pkgId, authorId, pkgContents, appsGranted, accessPackages, std::string()); -} - -void SmackRules::installApplicationRules( - const std::string &appId, - const std::string &pkgId, - const std::string &authorId, - const std::vector &pkgContents, - const std::vector &appsGranted, - const std::vector &accessPackages, - const std::string &zoneId) -{ SmackRules smackRules; std::string appPath = getApplicationRulesFilePath(appId); - smackRules.addFromTemplateFile(appId, pkgId, authorId, zoneId); + smackRules.addFromTemplateFile(appId, pkgId, authorId); if (smack_smackfs_path() != NULL) smackRules.apply(); smackRules.saveToFile(appPath); - updatePackageRules(pkgId, pkgContents, appsGranted, zoneId); - generateAppToOtherPackagesDeps(appId, accessPackages, zoneId); + updatePackageRules(pkgId, pkgContents, appsGranted); + generateAppToOtherPackagesDeps(appId, accessPackages); } void SmackRules::updatePackageRules(const std::string &pkgId, const std::vector &pkgContents, - const std::vector &appsGranted, - const std::string &zoneId) + const std::vector &appsGranted) { SmackRules smackRules; std::string pkgPath = getPackageRulesFilePath(pkgId); - smackRules.generatePackageCrossDeps(pkgContents, zoneId); - smackRules.generateAllowOther2XApplicationDeps(pkgId, appsGranted, zoneId); + smackRules.generatePackageCrossDeps(pkgContents); + smackRules.generateAllowOther2XApplicationDeps(pkgId, appsGranted); if (smack_smackfs_path() != NULL) smackRules.apply(); 
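Review bot: In installApplicationRules the new rules are pushed into the running kernel with `smackRules.apply()` before they are persisted with `smackRules.saveToFile(appPath)`, so a throw from saveToFile leaves the application label with live access rights and no rules file recording them; if the caller rolls the installation back on that exception (the handler is not visible here), the rules file is exactly what a later uninstallRules would need to find and revoke those rights, and without it they survive until reboot. Persisting first and applying second, `smackRules.saveToFile(appPath);` followed by `if (smack_smackfs_path() != NULL) smackRules.apply();`, means a half-failed install leaves either nothing or a file that the cleanup path can act on. The same ordering applies to updatePackageRules, whose body continues past the end of the hunk.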
@@ -349,13 +326,14 @@ void SmackRules::uninstallPackageRules(const std::string &pkgId)
 uninstallRules(getPackageRulesFilePath(pkgId));
 }
-void SmackRules::uninstallApplicationRules(const std::string &appId,
- const std::string &pkgId, std::vector pkgContents,
- const std::vector &appsGranted,
- const std::string &zoneId)
+void SmackRules::uninstallApplicationRules(
+ const std::string &appId,
+ const std::string &pkgId,
+ std::vector pkgContents,
+ const std::vector &appsGranted)
 {
 uninstallRules(getApplicationRulesFilePath(appId));
- updatePackageRules(pkgId, pkgContents, appsGranted, zoneId);
+ updatePackageRules(pkgId, pkgContents, appsGranted);
 }
 void SmackRules::uninstallRules(const std::string &path)
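Review bot: The reworked signature keeps `std::vector pkgContents` as a by-value parameter (the template argument is lost in this rendering) while `appsGranted` next to it is a const reference, and the only use is forwarding it to `updatePackageRules`, which takes it by const reference; declare it `const std::vector<...> &pkgContents` in both the definition and the header so the vector is not copied on every uninstall. Note also that `uninstallRules(getApplicationRulesFilePath(appId))` runs before `updatePackageRules`, so a throw from the latter leaves the package rules file still mentioning the removed app label; whether the caller retries or tolerates that is not visible here, and a short comment on the ordering would help the next reader.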
@@ -402,25 +380,25 @@ void SmackRules::fixAuthorRules(const std::string &authorId) { rules.apply(); } -void SmackRules::applyPrivateSharingRules(const std::string &ownerPkgId, - const std::vector &ownerPkgContents, - const std::string &targetAppId, - const std::string &pathLabel, - bool isPathSharedAlready, - bool isTargetSharingAlready, - const std::string &zoneId) +void SmackRules::applyPrivateSharingRules( + const std::string &ownerPkgId, + const std::vector &ownerPkgContents, + const std::string &targetAppId, + const std::string &pathLabel, + bool isPathSharedAlready, + bool isTargetSharingAlready) { SmackRules rules; - const std::string &targetLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(targetAppId), zoneId); + const std::string &targetLabel = SmackLabels::generateAppLabel(targetAppId); if (!isTargetSharingAlready) { rules.add(targetLabel, - zoneSmackLabelGenerate(SmackLabels::generatePkgLabel(ownerPkgId), zoneId), + SmackLabels::generatePkgLabel(ownerPkgId), SMACK_APP_DIR_TARGET_PERMS); } if (!isPathSharedAlready) { for (const auto &app: ownerPkgContents) { - const std::string appLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(app), zoneId); + const std::string appLabel = SmackLabels::generateAppLabel(app); rules.add(appLabel, pathLabel, SMACK_APP_PATH_OWNER_PERMS); } rules.add(SMACK_USER, pathLabel, SMACK_APP_PATH_USER_PERMS); 
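Review bot: `const std::string &targetLabel = SmackLabels::generateAppLabel(targetAppId);` binds a reference to a temporary; lifetime extension keeps it valid, but it reads as if it aliased storage owned by SmackLabels, and `appLabel` a few lines below in the same hunk is already a plain value — write `const std::string targetLabel = SmackLabels::generateAppLabel(targetAppId);`. The same pattern appears in dropPrivateSharingRules in the next hunk. The `rules.apply()` call and closing brace of applyPrivateSharingRules lie outside this hunk.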
@@ -430,24 +408,24 @@ void SmackRules::applyPrivateSharingRules(const std::string &ownerPkgId, rules.apply(); } -void SmackRules::dropPrivateSharingRules(const std::string &ownerPkgId, - const std::vector &ownerPkgContents, - const std::string &targetAppId, - const std::string &pathLabel, - bool isPathSharedNoMore, - bool isTargetSharingNoMore, - const std::string &zoneId) +void SmackRules::dropPrivateSharingRules( + const std::string &ownerPkgId, + const std::vector &ownerPkgContents, + const std::string &targetAppId, + const std::string &pathLabel, + bool isPathSharedNoMore, + bool isTargetSharingNoMore) { SmackRules rules; - const std::string &targetLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(targetAppId), zoneId); + const std::string &targetLabel = SmackLabels::generateAppLabel(targetAppId); if (isTargetSharingNoMore) { rules.addModify(targetLabel, - zoneSmackLabelGenerate(SmackLabels::generatePkgLabel(ownerPkgId), zoneId), + SmackLabels::generatePkgLabel(ownerPkgId), "", SMACK_APP_DIR_TARGET_PERMS); } if (isPathSharedNoMore) { for (const auto &app: ownerPkgContents) { - const std::string appLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(app), zoneId); + const std::string appLabel = SmackLabels::generateAppLabel(app); rules.addModify(appLabel, pathLabel, "", SMACK_APP_PATH_OWNER_PERMS); } rules.addModify(SMACK_USER, pathLabel, "", SMACK_APP_PATH_USER_PERMS); diff --git a/src/common/zone-utils.cpp b/src/common/zone-utils.cpp deleted file mode 100644 index b3c93c9..0000000 --- a/src/common/zone-utils.cpp +++ /dev/null 
@@ -1,117 +0,0 @@ -/* - * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Rafal Krypa - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file zone-utils.cpp - * @author Lukasz Kostyra (l.kostyra@samsung.com) - * @version 1.0 - * @brief Implementation of Zone utility functions - */ - -#include "zone-utils.h" - -#include -#include - -#include - -// FIXME This module is a replacement for Vasum functions. -// When Vasum will be included into OBS, the module should be replaced with vasum-client. 
- -namespace { - -const std::string CPUSET_HOST = "/"; -const std::string CPUSET_LXC_PREFIX = "/lxc/"; - -} // namespace - -namespace SecurityManager -{ - -// ZONE_HOST should be visible outside to other modules -const std::string ZONE_HOST = "host"; - -bool getZoneIdFromPid(int pid, std::string& zoneId) -{ - //open /proc//cpuset and get its contents - const std::string path = "/proc/" + std::to_string(pid) + "/cpuset"; - - //Assume there are no containers if cpuset dosen't present - if(access(path.c_str(), F_OK)!= 0) { - zoneId = ZONE_HOST; - return true; - } - - std::ifstream cpusetFile(path); - if (!cpusetFile) { - LogError("Failed to open cpuset"); - return false; - } - - std::string cpuset; - std::getline(cpusetFile, cpuset); - cpusetFile.close(); - - //check if we are in host - if (cpuset == CPUSET_HOST) { - zoneId = ZONE_HOST; - return true; - } - - //in lxc container, cpuset contains "/lxc/" string - try to parse zoneID from there - //search for lxc prefix - size_t lxcPrefixPos = cpuset.find(CPUSET_LXC_PREFIX); - if (lxcPrefixPos == std::string::npos) { - LogError("LXC prefix not found - probably other virtualization method is used"); - return false; - } - - //assign zone name and leave - zoneId.assign(cpuset, CPUSET_LXC_PREFIX.size(), cpuset.size() - CPUSET_LXC_PREFIX.size()); - return true; -} - -std::string zoneSmackLabelGenerate(const std::string &label, const std::string &zoneName) -{ - if (zoneName.empty() || zoneName == ZONE_HOST) { - return label; - } - - return zoneName + "::" + label; -} - -bool zoneSmackLabelMap(const std::string &hostLabel, const std::string &zoneName, - const std::string &zoneLabel) -{ - (void) hostLabel; - (void) zoneName; - (void) zoneLabel; - // FIXME here Vasum should be called and Smack label mapping would commence - - return true; -} - -bool zoneSmackLabelUnmap(const std::string &hostLabel, const std::string &zoneName) -{ - (void) hostLabel; - (void) zoneName; - // FIXME here Vasum should be called and label shall be 
unmapped. - - return true; -} - -} // namespace SecurityManager diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt index 97eaaaa..f2d0957 100644 --- a/src/server/CMakeLists.txt +++ b/src/server/CMakeLists.txt @@ -4,12 +4,10 @@ PKG_CHECK_MODULES(SERVER_DEP cynara-client ) -FIND_PACKAGE(Boost REQUIRED COMPONENTS program_options) FIND_PACKAGE(Threads REQUIRED) INCLUDE_DIRECTORIES(SYSTEM ${SERVER_DEP_INCLUDE_DIRS} - ${Boost_INCLUDE_DIRS} ${Threads_INCLUDE_DIRS} ) @@ -29,7 +27,6 @@ SET(SERVER_SOURCES ${SERVER_PATH}/main/server-main.cpp ${SERVER_PATH}/service/base-service.cpp ${SERVER_PATH}/service/service.cpp - ${SERVER_PATH}/service/master-service.cpp ) ADD_EXECUTABLE(${TARGET_SERVER} ${SERVER_SOURCES}) @@ -42,7 +39,6 @@ TARGET_LINK_LIBRARIES(${TARGET_SERVER} ${TARGET_COMMON} ${CMAKE_THREAD_LIBS_INIT} ${SERVER_DEP_LIBRARIES} - ${Boost_LIBRARIES} "-pie" ) diff --git a/src/server/main/server-main.cpp b/src/server/main/server-main.cpp index f8e1f71..d80f39e 100644 --- a/src/server/main/server-main.cpp +++ b/src/server/main/server-main.cpp @@ -28,30 +28,25 @@ #include #include -#include #include #include #include #include -#include - -namespace po = boost::program_options; IMPLEMENT_SAFE_SINGLETON(SecurityManager::Log::LogSystem); -#define REGISTER_SOCKET_SERVICE(manager, service, allocator) \ - registerSocketService(manager, #service, allocator) +#define REGISTER_SOCKET_SERVICE(manager, service) \ + registerSocketService(manager, #service) template bool registerSocketService(SecurityManager::SocketManager &manager, - const std::string& serviceName, - const std::function& serviceAllocator) + const std::string& serviceName) { T *service = NULL; try { - service = serviceAllocator(); + service = new T(); service->Create(); manager.RegisterSocketService(service); return true; 
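Review bot: `T *service = NULL;` followed by `service = new T();` inside the `try` leaves `service` as a raw owning pointer until `manager.RegisterSocketService(service)` takes it; the catch block that ends with `return false;` lies outside the hunk, so whether it deletes `service` when `Create()` throws is not visible here. Holding it in `std::unique_ptr<T> service(new T());` and passing `service.release()` to RegisterSocketService makes the failure path leak-free regardless of what the catch does (this needs `<memory>`), and `NULL` should be `nullptr` in any case. The remainder of registerSocketService is outside the hunk.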
@@ -70,61 +65,14 @@ bool registerSocketService(SecurityManager::SocketManager &manager, return false; } -int main(int argc, char* argv[]) +int main() { UNHANDLED_EXCEPTION_HANDLER_BEGIN { // initialize logging SecurityManager::Singleton::Instance().SetTag("SECURITY_MANAGER"); - // parse arguments - bool masterMode = false, slaveMode = false; - po::options_description optDesc("Allowed options"); - - optDesc.add_options() - ("help,h", "Print this help message") - ("master,m", "Enable master mode") - ("slave,s", "Enable slave mode") - ; - - po::variables_map vm; - po::basic_parsed_options parsed = - po::command_line_parser(argc, argv).options(optDesc).allow_unregistered().run(); - - std::vector unrecognizedOptions = - po::collect_unrecognized(parsed.options, po::include_positional); - - if (!unrecognizedOptions.empty()) { - std::cerr << "Unrecognized options: "; - - for (auto& uo : unrecognizedOptions) { - std::cerr << ' ' << uo; - } - - std::cerr << std::endl << std::endl; - std::cerr << optDesc << std::endl; - - return EXIT_FAILURE; - } - - po::store(parsed, vm); - po::notify(vm); - - if (vm.count("help")) { - std::cout << optDesc << std::endl; - return EXIT_SUCCESS; - } - - masterMode = vm.count("master") > 0; - slaveMode = vm.count("slave") > 0; - - if (masterMode && slaveMode) { - LogError("Cannot be both master and slave!"); - return EXIT_FAILURE; - } - - SecurityManager::FileLocker serviceLock(SecurityManager::SERVICE_LOCK_FILE, - true); + SecurityManager::FileLocker serviceLock(SecurityManager::SERVICE_LOCK_FILE, true); sigset_t mask; sigemptyset(&mask); 
@@ -138,18 +86,10 @@ int main(int argc, char* argv[])
 LogInfo("Start!");
 SecurityManager::SocketManager manager;
- if (masterMode) {
- if (!REGISTER_SOCKET_SERVICE(manager, SecurityManager::MasterService,
- []() { return new SecurityManager::MasterService(); } )) {
- LogError("Unable to create master socket service. Exiting.");
- return EXIT_FAILURE;
- }
- } else {
- if (!REGISTER_SOCKET_SERVICE(manager, SecurityManager::Service,
- [&slaveMode]() { return new SecurityManager::Service(slaveMode); } )) {
- LogError("Unable to create socket service. Exiting.");
- return EXIT_FAILURE;
- }
+ if (!REGISTER_SOCKET_SERVICE(manager, SecurityManager::Service))
+ {
+ LogError("Unable to create socket service. Exiting.");
+ return EXIT_FAILURE;
 }
 manager.MainLoop();
diff --git a/src/server/service/include/master-service.h b/src/server/service/include/master-service.h
deleted file mode 100644
index 3d63064..0000000
--- a/src/server/service/include/master-service.h
+++ /dev/null
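Review bot: The opening brace of the new `if (!REGISTER_SOCKET_SERVICE(manager, SecurityManager::Service))` is placed on its own line, unlike the `if (...) {` and `try {` style used in the removed lines of this hunk and in registerSocketService; put it on the `if` line. With the allocator argument gone the macro now only stringifies the type name, so a direct `registerSocketService<SecurityManager::Service>(manager, "SecurityManager::Service")` would be equally clear without a macro. `main` begins in the previous hunk.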
@@ -1,160 +0,0 @@ -/* - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Rafal Krypa - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file master-service.h - * @author Lukasz Kostyra - * @author Rafal Krypa - * @brief Implementation of security-manager master service - */ - -#ifndef _SECURITY_MANAGER_MASTER_SERVICE_ -#define _SECURITY_MANAGER_MASTER_SERVICE_ - -#include "base-service.h" -#include "service_impl.h" - -namespace SecurityManager { - -class MasterServiceException -{ -public: - DECLARE_EXCEPTION_TYPE(SecurityManager::Exception, Base) - DECLARE_EXCEPTION_TYPE(Base, InvalidAction) -}; - -class MasterService : - public SecurityManager::BaseService -{ -public: - MasterService(); - ServiceDescriptionVector GetServiceDescription(); - -private: - ServiceImpl serviceImpl; - - /** - * Handle request from a client - * - * @param conn Socket connection information - * @param buffer Raw received data buffer - * @param interfaceID identifier used to distinguish source socket - * @return true on success - */ - bool processOne(const ConnectionID &conn, MessageBuffer &buffer, InterfaceID interfaceID); - - /** - * Process Cynara policy update during app installation/uninstallation - * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - * @param zoneId ID of zone which requested the call - */ - void processCynaraUpdatePolicy(MessageBuffer &buffer, MessageBuffer &send, - 
const std::string &zoneId); - - /** - * Process Cynara user initialization - * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - */ - void processCynaraUserInit(MessageBuffer &buffer, MessageBuffer &send); - - /** - * Process Cynara user removal - * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - */ - void processCynaraUserRemove(MessageBuffer &buffer, MessageBuffer &send); - - /** - * Process policy update - * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - */ - void processPolicyUpdate(MessageBuffer &buffer, MessageBuffer &send); - - /** - * Process configured policy acquisition - * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - */ - void processGetConfiguredPolicy(MessageBuffer &buffer, MessageBuffer &send); - - /** - * Process policy acquisition from Master - * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - */ - // FIXME this function is not yet implemented. - void processGetPolicy(MessageBuffer &buffer, MessageBuffer &send); - - /** - * Process policy descriptions list acquisition - * - * @param send Raw data buffer to be sent - */ - void processPolicyGetDesc(MessageBuffer &send); - - /** - * Process SMACK rules installation for package. Map rules using Smack Namespaces. 
- * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - * @param zoneId ID of zone which requested the call - */ - void processSmackInstallRules(MessageBuffer &buffer, MessageBuffer &send, - const std::string &zoneId); - - /** - * Process SMACK rules uninstallation - * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - * @param zoneId ID of zone which requested the call - */ - void processSmackUninstallRules(MessageBuffer &buffer, MessageBuffer &send, - const std::string &zoneId); - - /** - * Process SMACK rules apply private path sharing - * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - * @param zoneId ID of zone which requested the call - */ - void processSmackApplySharingRules(MessageBuffer &buffer, MessageBuffer &send, - const std::string &zoneId); - /** - * Process SMACK rules drop private path sharing - * - * @param buffer Raw received data buffer - * @param send Raw data buffer to be sent - * @param zoneId ID of zone which requested the call - */ - void processSmackDropSharingRules(MessageBuffer &buffer, MessageBuffer &send, - const std::string &zoneId); -}; - -} // namespace SecurityManager - -#endif // _SECURITY_MANAGER_MASTER_SERVICE_ diff --git a/src/server/service/include/service.h b/src/server/service/include/service.h index 3c23037..4d851c1 100644 --- a/src/server/service/include/service.h +++ b/src/server/service/include/service.h @@ -41,11 +41,10 @@ class Service : public SecurityManager::BaseService { public: - Service(const bool isSlave); + Service(); ServiceDescriptionVector GetServiceDescription(); private: - const bool m_isSlave; ServiceImpl serviceImpl; /** diff --git a/src/server/service/master-service.cpp b/src/server/service/master-service.cpp deleted file mode 100644 index d462afa..0000000 --- a/src/server/service/master-service.cpp +++ /dev/null 
@@ -1,464 +0,0 @@ -/* - * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Rafal Krypa - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file master-service.cpp - * @author Lukasz Kostyra - * @author Rafal Krypa - * @brief Implementation of security-manager master service. - */ - -#include - -#include -#include - -#include "protocols.h" -#include "zone-utils.h" -#include "cynara.h" -#include "master-service.h" -#include "smack-rules.h" -#include "smack-labels.h" -#include "service_impl.h" - -namespace SecurityManager { - -const InterfaceID IFACE = 1; - -MasterService::MasterService() -{ -} - -GenericSocketService::ServiceDescriptionVector MasterService::GetServiceDescription() -{ - return ServiceDescriptionVector { - {MASTER_SERVICE_SOCKET, "security-manager-master", IFACE}, - }; -} - -bool MasterService::processOne(const ConnectionID &conn, MessageBuffer &buffer, - InterfaceID interfaceID) -{ - LogDebug("Iteration begin. Interface = " << interfaceID); - - //waiting for all data - if (!buffer.Ready()) { - return false; - } - - MessageBuffer send; - bool retval = false; - - uid_t uid; - pid_t pid; - std::string smackLabel; - - if (!getPeerID(conn.sock, uid, pid, smackLabel)) { - LogError("Closing socket because of error: unable to get peer's uid and pid"); - m_serviceManager->Close(conn); - return false; - } - - // FIXME this part needs to be updated when Vasum is added to OBS. 
See zone-utils.h - std::string vsmZoneId; - if (!getZoneIdFromPid(pid, vsmZoneId)) { - LogError("Failed to extract Zone ID! Closing socket."); - m_serviceManager->Close(conn); - return false; - } - - if (vsmZoneId == ZONE_HOST) { - LogError("Connection came from host - in master mode this should not happen! Closing."); - m_serviceManager->Close(conn); - return false; - } - - LogInfo("Connection came from Zone " << vsmZoneId); - - if (IFACE == interfaceID) { - Try { - // deserialize API call type - int call_type_int; - Deserialization::Deserialize(buffer, call_type_int); - MasterSecurityModuleCall call_type = static_cast(call_type_int); - - switch (call_type) { - case MasterSecurityModuleCall::CYNARA_UPDATE_POLICY: - LogDebug("call type MasterSecurityModuleCall::CYNARA_UPDATE_POLICY"); - processCynaraUpdatePolicy(buffer, send, vsmZoneId); - break; - case MasterSecurityModuleCall::CYNARA_USER_INIT: - LogDebug("call type MasterSecurityModuleCall::CYNARA_USER_INIT"); - processCynaraUserInit(buffer, send); - break; - case MasterSecurityModuleCall::CYNARA_USER_REMOVE: - LogDebug("call type MasterSecurityModuleCall::CYNARA_USER_REMOVE"); - processCynaraUserRemove(buffer, send); - break; - case MasterSecurityModuleCall::POLICY_UPDATE: - LogDebug("call type MasterSecurityModuleCall::POLICY_UPDATE"); - processPolicyUpdate(buffer, send); - break; - case MasterSecurityModuleCall::GET_CONFIGURED_POLICY: - LogDebug("call type MasterSecurityModuleCall::GET_CONFIGURED_POLICY"); - processGetConfiguredPolicy(buffer, send); - break; - case MasterSecurityModuleCall::GET_POLICY: - LogDebug("call type MasterSecurityModuleCall::GET_POLICY"); - processGetPolicy(buffer, send); - break; - case MasterSecurityModuleCall::POLICY_GET_DESC: - LogDebug("call type MasterSecurityModuleCall::POLICY_GET_DESC"); - processPolicyGetDesc(send); - break; - case MasterSecurityModuleCall::SMACK_INSTALL_RULES: - LogDebug("call type MasterSecurityModuleCall::SMACK_INSTALL_RULES"); - 
processSmackInstallRules(buffer, send, vsmZoneId); - break; - case MasterSecurityModuleCall::SMACK_UNINSTALL_RULES: - LogDebug("call type MasterSecurityModuleCall::SMACK_UNINSTALL_RULES"); - processSmackUninstallRules(buffer, send, vsmZoneId); - break; - case MasterSecurityModuleCall::SMACK_APPLY_PRIVATE_SHARING_RULES: - processSmackApplySharingRules(buffer, send, vsmZoneId); - break; - case MasterSecurityModuleCall::SMACK_DROP_PRIVATE_SHARING_RULES: - processSmackDropSharingRules(buffer, send, vsmZoneId); - break; - default: - LogError("Invalid call: " << call_type_int); - Throw(MasterServiceException::InvalidAction); - } - // if we reach this point, the protocol is OK - retval = true; - } Catch (MessageBuffer::Exception::Base) { - LogError("Broken protocol."); - } Catch (MasterServiceException::Base) { - LogError("Broken protocol."); - } catch (const std::exception &e) { - LogError("STD exception " << e.what()); - } catch (...) { - LogError("Unknown exception"); - } - } - else { - LogError("Wrong interface"); - } - - if (retval) { - //send response - m_serviceManager->Write(conn, send.Pop()); - } else { - LogError("Closing socket because of error"); - m_serviceManager->Close(conn); - } - - return retval; -} - -void MasterService::processCynaraUpdatePolicy(MessageBuffer &buffer, MessageBuffer &send, - const std::string &zoneId) -{ - int ret = SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - std::string appId; - std::string uidstr; - std::string appLabel; - std::vector privileges; - - Deserialization::Deserialize(buffer, appId); - Deserialization::Deserialize(buffer, uidstr); - Deserialization::Deserialize(buffer, privileges); - - appLabel = zoneSmackLabelGenerate(SmackLabels::generateAppLabel(appId), zoneId); - - try { - CynaraAdmin::getInstance().UpdateAppPolicy(appLabel, uidstr, privileges); - } catch (const CynaraException::Base &e) { - LogError("Error while setting Cynara rules for application: " << e.DumpToString()); - goto out; - } catch (const std::bad_alloc &e) 
{ - LogError("Memory allocation while setting Cynara rules for application: " << e.what()); - ret = SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY; - goto out; - } - - ret = SECURITY_MANAGER_API_SUCCESS; - -out: - Serialization::Serialize(send, ret); -} - -void MasterService::processCynaraUserInit(MessageBuffer &buffer, MessageBuffer &send) -{ - int ret = SECURITY_MANAGER_API_ERROR_INPUT_PARAM; - uid_t uidAdded; - int userType; - - Deserialization::Deserialize(buffer, uidAdded); - Deserialization::Deserialize(buffer, userType); - - try { - CynaraAdmin::getInstance().UserInit(uidAdded, - static_cast(userType)); - } catch (CynaraException::InvalidParam &e) { - goto out; - } - - ret = SECURITY_MANAGER_API_SUCCESS; -out: - Serialization::Serialize(send, ret); -} - -void MasterService::processCynaraUserRemove(MessageBuffer &buffer, MessageBuffer &send) -{ - int ret = SECURITY_MANAGER_API_ERROR_INPUT_PARAM; - uid_t uidDeleted; - - Deserialization::Deserialize(buffer, uidDeleted); - - try { - CynaraAdmin::getInstance().UserRemove(uidDeleted); - } catch (CynaraException::InvalidParam &e) { - goto out; - } - - ret = SECURITY_MANAGER_API_SUCCESS; -out: - Serialization::Serialize(send, ret); -} - -void MasterService::processPolicyUpdate(MessageBuffer &buffer, MessageBuffer &send) -{ - int ret = SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - std::vector policyEntries; - uid_t uid; - pid_t pid; - std::string smackLabel; - - Deserialization::Deserialize(buffer, policyEntries); - Deserialization::Deserialize(buffer, uid); - Deserialization::Deserialize(buffer, pid); - Deserialization::Deserialize(buffer, smackLabel); - - ret = serviceImpl.policyUpdate(policyEntries, uid, pid, smackLabel); - Serialization::Serialize(send, ret); -} - -void MasterService::processGetConfiguredPolicy(MessageBuffer &buffer, MessageBuffer &send) -{ - int ret = SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - bool forAdmin; - policy_entry filter; - uid_t uid; - pid_t pid; - std::string smackLabel; - std::vector 
policyEntries; - - Deserialization::Deserialize(buffer, forAdmin); - Deserialization::Deserialize(buffer, filter); - Deserialization::Deserialize(buffer, uid); - Deserialization::Deserialize(buffer, pid); - Deserialization::Deserialize(buffer, smackLabel); - - ret = serviceImpl.getConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel, policyEntries); - Serialization::Serialize(send, ret); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Serialization::Serialize(send, policyEntries); -} - -void MasterService::processGetPolicy(MessageBuffer &buffer, MessageBuffer &send) -{ - (void) buffer; - int ret = SECURITY_MANAGER_API_ERROR_BAD_REQUEST; - - // FIXME getPolicy is not ready to work in Master mode. Uncomment below code when getPolicy will - // be implemented for Master. - /* - policy_entry filter; - uid_t uid; - pid_t pid; - std::string smackLabel; - std::vector policyEntries; - - Deserialization::Deserialize(buffer, filter); - Deserialization::Deserialize(buffer, uid); - Deserialization::Deserialize(buffer, pid); - Deserialization::Deserialize(buffer, smackLabel); - - ret = serviceImpl.getPolicy(filter, uid, pid, smackLabel, policyEntries);*/ - Serialization::Serialize(send, ret); - /*if (ret == SECURITY_MANAGER_API_SUCCESS) - Serialization::Serialize(send, policyEntries);*/ -} - -void MasterService::processPolicyGetDesc(MessageBuffer &send) -{ - int ret = SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - std::vector descriptions; - - ret = serviceImpl.policyGetDesc(descriptions); - Serialization::Serialize(send, ret); - if (ret == SECURITY_MANAGER_API_SUCCESS) - Serialization::Serialize(send, descriptions); -} - -void MasterService::processSmackInstallRules(MessageBuffer &buffer, MessageBuffer &send, - const std::string &zoneId) -{ - int ret = SECURITY_MANAGER_API_ERROR_SERVER_ERROR; - std::string appId, pkgId, authorId; - std::vector pkgContents, appsGranted, accessPackages; - - Deserialization::Deserialize(buffer, appId); - Deserialization::Deserialize(buffer, pkgId); - 
Deserialization::Deserialize(buffer, authorId); - Deserialization::Deserialize(buffer, pkgContents); - Deserialization::Deserialize(buffer, appsGranted); - Deserialization::Deserialize(buffer, accessPackages); - - try { - LogDebug("Adding Smack rules for new appId: " << appId << " with pkgId: " - << pkgId << ". Applications in package: " << pkgContents.size() - << ". Other Tizen 2.X applications: " << appsGranted.size()); - - SmackRules::installApplicationRules(appId, pkgId, authorId, pkgContents, appsGranted, accessPackages, zoneId); - - // FIXME implement zoneSmackLabelMap and check if works when Smack Namespaces are implemented - std::string zoneAppLabel = SmackLabels::generateAppLabel(appId); - std::string zonePkgLabel = SmackLabels::generatePkgLabel(pkgId); - std::string hostAppLabel = zoneSmackLabelGenerate(zoneAppLabel, zoneId); - std::string hostPkgLabel = zoneSmackLabelGenerate(zonePkgLabel, zoneId); - - if (!zoneSmackLabelMap(hostAppLabel, zoneId, zoneAppLabel)) { - LogError("Failed to apply Smack label mapping for application " << appId); - goto out; - } - - if (!zoneSmackLabelMap(hostPkgLabel, zoneId, zonePkgLabel)) { - LogError("Failed to apply Smack label mapping for package " << pkgId); - goto out; - } - } catch (const SmackException::Base &e) { - LogError("Error while adding Smack rules for application: " << e.DumpToString()); - ret = SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED; - goto out; - } catch (const std::bad_alloc &e) { - LogError("Memory allocation error: " << e.what()); - ret = SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY; - goto out; - } - - ret = SECURITY_MANAGER_API_SUCCESS; -out: - Serialization::Serialize(send, ret); -} - -void MasterService::processSmackUninstallRules(MessageBuffer &buffer, MessageBuffer &send, - const std::string &zoneId) -{ - std::string appId, pkgId; - std::vector pkgContents, appsGranted; - bool removeApp = false; - bool removePkg = false; - - Deserialization::Deserialize(buffer, appId); - 
Deserialization::Deserialize(buffer, pkgId); - Deserialization::Deserialize(buffer, pkgContents); - Deserialization::Deserialize(buffer, appsGranted); - Deserialization::Deserialize(buffer, removeApp); - Deserialization::Deserialize(buffer, removePkg); - - try { - if (removeApp) { - LogDebug("Removing smack rules for deleted appId " << appId); - SmackRules::uninstallApplicationRules(appId, pkgId, pkgContents, appsGranted, zoneId); - - std::string zoneAppLabel = SmackLabels::generateAppLabel(appId); - std::string hostAppLabel = zoneSmackLabelGenerate(zoneAppLabel, zoneId); - // FIXME zoneSmackLabelUnmap should throw exception on error, not return false - // FIXME implement zoneSmackLabelUnmap and check if works when Smack Namespaces are implemented - if (!zoneSmackLabelUnmap(hostAppLabel, zoneId)) { - LogError("Failed to unmap Smack labels for application " << appId); - Serialization::Serialize(send, SECURITY_MANAGER_API_ERROR_SERVER_ERROR); - return; - } - } - - if (removePkg) { - LogDebug("Removing Smack rules for deleted pkgId " << pkgId); - SmackRules::uninstallPackageRules(pkgId); - - std::string zonePkgLabel = SmackLabels::generatePkgLabel(pkgId); - std::string hostPkgLabel = zoneSmackLabelGenerate(zonePkgLabel, zoneId); - if (!zoneSmackLabelUnmap(hostPkgLabel, zoneId)) { - LogError("Failed to unmap Smack label for package " << pkgId); - Serialization::Serialize(send, SECURITY_MANAGER_API_ERROR_SERVER_ERROR); - return; - } - } - } catch (const SmackException::Base &e) { - LogError("Error while removing Smack rules for application: " << e.DumpToString()); - Serialization::Serialize(send, SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED); - return; - } catch (const std::bad_alloc &e) { - LogError("Memory allocation error: " << e.what()); - Serialization::Serialize(send, SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY); - return; - } - - Serialization::Serialize(send, SECURITY_MANAGER_API_SUCCESS); -} - -void 
MasterService::processSmackApplySharingRules(MessageBuffer &buffer, MessageBuffer &send, - const std::string &zoneId) -{ - std::string ownerPkgId, targetAppId, path; - std::vector pkgContents; - int ownerTargetCount, pathCount; - - Deserialization::Deserialize(buffer, ownerPkgId); - Deserialization::Deserialize(buffer, pkgContents); - Deserialization::Deserialize(buffer, targetAppId); - Deserialization::Deserialize(buffer, path); - Deserialization::Deserialize(buffer, ownerTargetCount); - Deserialization::Deserialize(buffer, pathCount); - - (void)zoneId; - - Serialization::Serialize(send, SECURITY_MANAGER_API_SUCCESS); -} - -void MasterService::processSmackDropSharingRules(MessageBuffer &buffer, MessageBuffer &send, - const std::string &zoneId) -{ - std::string ownerPkgId, targetAppId, path; - std::vector pkgContents; - int ownerTargetCount, pathCount; - - Deserialization::Deserialize(buffer, ownerPkgId); - Deserialization::Deserialize(buffer, pkgContents); - Deserialization::Deserialize(buffer, targetAppId); - Deserialization::Deserialize(buffer, path); - Deserialization::Deserialize(buffer, ownerTargetCount); - Deserialization::Deserialize(buffer, pathCount); - - (void)zoneId; - - Serialization::Serialize(send, SECURITY_MANAGER_API_SUCCESS); -} - -} // namespace SecurityManager diff --git a/src/server/service/service.cpp b/src/server/service/service.cpp index 58a975c..aa9424b 100644 --- a/src/server/service/service.cpp +++ b/src/server/service/service.cpp 
@@ -33,35 +33,22 @@ #include "protocols.h" #include "service.h" #include "service_impl.h" -#include "master-req.h" namespace SecurityManager { const InterfaceID IFACE = 1; -Service::Service(const bool isSlave): - m_isSlave(isSlave) -{ -} +Service::Service(){} GenericSocketService::ServiceDescriptionVector Service::GetServiceDescription() { - if (m_isSlave) - return ServiceDescriptionVector { - {SLAVE_SERVICE_SOCKET, /* path */ - "*", /* smackLabel label (not used, we rely on systemd) */ - IFACE, /* InterfaceID */ - false, /* useSendMsg */ - true}, /* systemdOnly */ - }; - else - return ServiceDescriptionVector { - {SERVICE_SOCKET, /* path */ - "*", /* smackLabel label (not used, we rely on systemd) */ - IFACE, /* InterfaceID */ - false, /* useSendMsg */ - true}, /* systemdOnly */ - }; + return ServiceDescriptionVector { + {SERVICE_SOCKET, /* path */ + "*", /* smackLabel label (not used, we rely on systemd) */ + IFACE, /* InterfaceID */ + false, /* useSendMsg */ + true}, /* systemdOnly */ + }; } bool Service::processOne(const ConnectionID &conn, MessageBuffer &buffer, @@ -188,7 +175,7 @@ void Service::processAppInstall(MessageBuffer &buffer, MessageBuffer &send, uid_ Deserialization::Deserialize(buffer, req.uid); Deserialization::Deserialize(buffer, req.tizenVersion); Deserialization::Deserialize(buffer, req.authorId); - Serialization::Serialize(send, serviceImpl.appInstall(req, uid, m_isSlave)); + Serialization::Serialize(send, serviceImpl.appInstall(req, uid)); } void Service::processAppUninstall(MessageBuffer &buffer, MessageBuffer &send, uid_t uid) @@ -196,7 +183,7 @@ void Service::processAppUninstall(MessageBuffer &buffer, MessageBuffer &send, ui std::string appId; Deserialization::Deserialize(buffer, appId); - Serialization::Serialize(send, serviceImpl.appUninstall(appId, uid, m_isSlave)); + Serialization::Serialize(send, serviceImpl.appUninstall(appId, uid)); } void Service::processGetPkgId(MessageBuffer &buffer, MessageBuffer &send) 
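Review bot: `Service::Service(){}` on the new side is a now-empty user-provided constructor; `Service::Service() = default;` says the same thing more directly, stays out-of-line so the header needs no change, and is the form clang-tidy's modernize checks would ask for. The comment on the `"*"` entry in GetServiceDescription still reads "not used, we rely on systemd", which is true, but this series deletes the slave socket that was created with `SocketMode=0777` and `SmackLabelIPIn=*`, so all peer filtering now rests on the single remaining unit; naming it would save the next reader a search, e.g. `"*", /* smackLabel: unused, peer access is enforced by security-manager.socket (SmackLabelIPIn) */`. processOne, which follows this hunk, is outside what is shown.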
@@ -219,7 +206,7 @@ void Service::processGetAppGroups(MessageBuffer &buffer, MessageBuffer &send, ui int ret; Deserialization::Deserialize(buffer, appId); - ret = serviceImpl.getAppGroups(appId, uid, pid, m_isSlave, gids); + ret = serviceImpl.getAppGroups(appId, uid, pid, gids); Serialization::Serialize(send, ret); if (ret == SECURITY_MANAGER_API_SUCCESS) { Serialization::Serialize(send, static_cast(gids.size())); @@ -238,7 +225,7 @@ void Service::processUserAdd(MessageBuffer &buffer, MessageBuffer &send, uid_t u Deserialization::Deserialize(buffer, uidAdded); Deserialization::Deserialize(buffer, userType); - ret = serviceImpl.userAdd(uidAdded, userType, uid, m_isSlave); + ret = serviceImpl.userAdd(uidAdded, userType, uid); Serialization::Serialize(send, ret); } @@ -249,7 +236,7 @@ void Service::processUserDelete(MessageBuffer &buffer, MessageBuffer &send, uid_ Deserialization::Deserialize(buffer, uidRemoved); - ret = serviceImpl.userDelete(uidRemoved, uid, m_isSlave); + ret = serviceImpl.userDelete(uidRemoved, uid); Serialization::Serialize(send, ret); } @@ -260,11 +247,7 @@ void Service::processPolicyUpdate(MessageBuffer &buffer, MessageBuffer &send, ui Deserialization::Deserialize(buffer, policyEntries); - if (m_isSlave) { - ret = MasterReq::PolicyUpdate(policyEntries, uid, pid, smackLabel); - } else { - ret = serviceImpl.policyUpdate(policyEntries, uid, pid, smackLabel); - } + ret = serviceImpl.policyUpdate(policyEntries, uid, pid, smackLabel); Serialization::Serialize(send, ret); } 
@@ -275,12 +258,7 @@ void Service::processGetConfiguredPolicy(MessageBuffer &buffer, MessageBuffer &s Deserialization::Deserialize(buffer, filter); std::vector policyEntries; - if (m_isSlave) { - ret = MasterReq::GetConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel, policyEntries); - } else { - ret = serviceImpl.getConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel, - policyEntries); - } + ret = serviceImpl.getConfiguredPolicy(forAdmin, filter, uid, pid, smackLabel, policyEntries); Serialization::Serialize(send, ret); Serialization::Serialize(send, static_cast(policyEntries.size())); @@ -296,11 +274,7 @@ void Service::processGetPolicy(MessageBuffer &buffer, MessageBuffer &send, uid_t Deserialization::Deserialize(buffer, filter); std::vector policyEntries; - if (m_isSlave) { - ret = MasterReq::GetPolicy(filter, uid, pid, smackLabel, policyEntries); - } else { - ret = serviceImpl.getPolicy(filter, uid, pid, smackLabel, policyEntries); - } + ret = serviceImpl.getPolicy(filter, uid, pid, smackLabel, policyEntries); Serialization::Serialize(send, ret); Serialization::Serialize(send, static_cast(policyEntries.size())); @@ -314,11 +288,8 @@ void Service::processPolicyGetDesc(MessageBuffer &send) int ret; std::vector descriptions; - if (m_isSlave) { - ret = MasterReq::PolicyGetDesc(descriptions); - } else { - ret = serviceImpl.policyGetDesc(descriptions); - } + ret = serviceImpl.policyGetDesc(descriptions); + Serialization::Serialize(send, ret); if (ret == SECURITY_MANAGER_API_SUCCESS) { Serialization::Serialize(send, static_cast(descriptions.size())); @@ -351,7 +322,7 @@ void Service::processAppHasPrivilege(MessageBuffer &recv, MessageBuffer &send) Deserialization::Deserialize(recv, uid); bool result; - int ret = serviceImpl.appHasPrivilege(appId, privilege, uid, m_isSlave, result); + int ret = serviceImpl.appHasPrivilege(appId, privilege, uid, result); Serialization::Serialize(send, ret); if (ret == SECURITY_MANAGER_API_SUCCESS) 
@@ -365,7 +336,7 @@ void Service::processApplyPrivateSharing(MessageBuffer &recv, MessageBuffer &sen Deserialization::Deserialize(recv, ownerAppId); Deserialization::Deserialize(recv, targetAppId); Deserialization::Deserialize(recv, paths); - int ret = serviceImpl.applyPrivatePathSharing(ownerAppId, targetAppId, paths, m_isSlave); + int ret = serviceImpl.applyPrivatePathSharing(ownerAppId, targetAppId, paths); Serialization::Serialize(send, ret); } @@ -376,7 +347,7 @@ void Service::processDropPrivateSharing(MessageBuffer &recv, MessageBuffer &send Deserialization::Deserialize(recv, ownerAppId); Deserialization::Deserialize(recv, targetAppId); Deserialization::Deserialize(recv, paths); - int ret = serviceImpl.dropPrivatePathSharing(ownerAppId, targetAppId, paths, m_isSlave); + int ret = serviceImpl.dropPrivatePathSharing(ownerAppId, targetAppId, paths); Serialization::Serialize(send, ret); } } // namespace SecurityManager diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt index 9da2f17..2d14d5f 100644 --- a/systemd/CMakeLists.txt +++ b/systemd/CMakeLists.txt @@ -1,15 +1,9 @@ CONFIGURE_FILE(security-manager.service.in security-manager.service @ONLY) -CONFIGURE_FILE(security-manager-master.service.in security-manager-master.service @ONLY) -CONFIGURE_FILE(security-manager-slave.service.in security-manager-slave.service @ONLY) CONFIGURE_FILE(security-manager-cleanup.service.in security-manager-cleanup.service @ONLY) INSTALL(FILES security-manager.service security-manager.socket - security-manager-master.service - security-manager-master.socket - security-manager-slave.service - security-manager-slave.socket security-manager-cleanup.service DESTINATION ${SYSTEMD_INSTALL_DIR} diff --git a/systemd/security-manager-master.service.in b/systemd/security-manager-master.service.in deleted file mode 100644 index ef14a57..0000000 --- a/systemd/security-manager-master.service.in +++ /dev/null 
@@ -1,10 +0,0 @@ -[Unit] -Description=Start the security manager master -ConditionVirtualization=!lxc -ConditionPathExists=/usr/share/.zones/enabled - -[Service] -Type=notify -ExecStart=@BIN_INSTALL_DIR@/security-manager --master - -Sockets=security-manager-master.socket diff --git a/systemd/security-manager-master.socket b/systemd/security-manager-master.socket deleted file mode 100644 index d41eae0..0000000 --- a/systemd/security-manager-master.socket +++ /dev/null @@ -1,13 +0,0 @@ -[Socket] -ListenStream=/run/security-manager-master.socket -SocketMode=0700 -SmackLabelIPIn=System -SmackLabelIPOut=System -Service=security-manager-master.service - -[Unit] -ConditionVirtualization=!lxc -ConditionPathExists=/usr/share/.zones/enabled - -[Install] -WantedBy=sockets.target diff --git a/systemd/security-manager-slave.service.in b/systemd/security-manager-slave.service.in deleted file mode 100644 index 6eb7505..0000000 --- a/systemd/security-manager-slave.service.in +++ /dev/null @@ -1,9 +0,0 @@ -[Unit] -Description=Start the security manager slave -ConditionVirtualization=lxc - -[Service] -Type=notify -ExecStart=@BIN_INSTALL_DIR@/security-manager --slave - -Sockets=security-manager-slave.socket diff --git a/systemd/security-manager-slave.socket b/systemd/security-manager-slave.socket deleted file mode 100644 index 8d0a2c6..0000000 --- a/systemd/security-manager-slave.socket +++ /dev/null @@ -1,10 +0,0 @@ -[Socket] -ListenStream=/run/security-manager-slave.socket -Symlinks=/run/security-manager.socket -SocketMode=0777 -SmackLabelIPIn=* -SmackLabelIPOut=@ -Service=security-manager-slave.service - -[Unit] -ConditionVirtualization=lxc diff --git a/systemd/security-manager.service.in b/systemd/security-manager.service.in index f15ab90..23fd1b2 100644 --- a/systemd/security-manager.service.in +++ b/systemd/security-manager.service.in 
@@ -1,7 +1,5 @@ [Unit] Description=Start the security manager -ConditionVirtualization=!lxc -ConditionPathExists=!/usr/share/.zones/enabled [Service] Type=notify diff --git a/systemd/security-manager.socket b/systemd/security-manager.socket index 95411e8..af1c1da 100644 --- a/systemd/security-manager.socket +++ b/systemd/security-manager.socket @@ -7,9 +7,5 @@ SmackLabelIPOut=@ # TODO: move to separate systemd service Service=security-manager.service -[Unit] -ConditionVirtualization=!lxc -ConditionPathExists=!/usr/share/.zones/enabled - [Install] WantedBy=sockets.target -- 2.7.4 From 87af6c581e244a70be027d6852f7b1265c88f214 Mon Sep 17 00:00:00 2001 From: Bartlomiej Grzelewski Date: Fri, 5 Feb 2016 17:41:05 +0100 Subject: [PATCH 03/16] Simplify error codes in project. Change-Id: I8cd78e66cd0e7ebda56f148b7bc52229b73f45c4 --- packaging/security-manager.spec | 1 + src/client/client-common.cpp | 2 +- src/client/client-offline.cpp | 2 +- src/client/client-security-manager.cpp | 210 +++++++++------------------------ src/common/connection.cpp | 52 ++++---- src/common/include/protocols.h | 80 +------------ src/common/service_impl.cpp | 202 +++++++++++++++---------------- src/include/CMakeLists.txt | 1 + src/include/security-manager-types.h | 126 ++++++++++++++++++++ src/include/security-manager.h | 85 +------------ src/server/service/service.cpp | 12 +- 11 files changed, 324 insertions(+), 449 deletions(-) create mode 100644 src/include/security-manager-types.h diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec index 4306b4f..fe33a0e 100644 --- a/packaging/security-manager.spec +++ b/packaging/security-manager.spec @@ -159,6 +159,7 @@ fi %{_libdir}/libsecurity-manager-client.so %{_libdir}/libsecurity-manager-commons.so %{_includedir}/security-manager/security-manager.h +%{_includedir}/security-manager/security-manager-types.h %{_libdir}/pkgconfig/security-manager.pc %files -n security-manager-policy 
diff --git a/src/client/client-common.cpp b/src/client/client-common.cpp index 3051cbc..72fb94d 100644 --- a/src/client/client-common.cpp +++ b/src/client/client-common.cpp @@ -64,7 +64,7 @@ int try_catch(const std::function& func) } catch (...) { LogError("Unknown exception occured"); } - return SECURITY_MANAGER_API_ERROR_UNKNOWN; + return SECURITY_MANAGER_ERROR_UNKNOWN; } } // namespace SecurityMANAGER diff --git a/src/client/client-offline.cpp b/src/client/client-offline.cpp index d60911d..159d28b 100644 --- a/src/client/client-offline.cpp +++ b/src/client/client-offline.cpp @@ -52,7 +52,7 @@ ClientOffline::ClientOffline() serviceLock->Unlock(); Serialization::Serialize(send, static_cast(SecurityModuleCall::NOOP)); retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); - if (retval != SECURITY_MANAGER_API_SUCCESS) { + if (retval != SECURITY_MANAGER_SUCCESS) { LogInfo("Socket activation attempt failed."); serviceLock->Lock(); offlineMode = serviceLock->Locked(); diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp index a5fdfdf..1727bbf 100644 --- a/src/client/client-security-manager.cpp +++ b/src/client/client-security-manager.cpp @@ -181,7 +181,7 @@ int security_manager_app_install(const app_inst_req *p_req) { using namespace SecurityManager; - return try_catch([&] { + return try_catch([&]() -> int { //checking parameters if (!p_req) return SECURITY_MANAGER_ERROR_INPUT_PARAM; 
@@ -208,27 +208,15 @@ int security_manager_app_install(const app_inst_req *p_req) //send buffer to server retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); - if (retval != SECURITY_MANAGER_API_SUCCESS) { + if (retval != SECURITY_MANAGER_SUCCESS) { LogError("Error in sendToServer. Error code: " << retval); - return SECURITY_MANAGER_ERROR_UNKNOWN; + return retval; } //receive response from server Deserialization::Deserialize(recv, retval); } - switch(retval) { - case SECURITY_MANAGER_API_SUCCESS: - return SECURITY_MANAGER_SUCCESS; - case SECURITY_MANAGER_API_ERROR_AUTHENTICATION_FAILED: - return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED; - case SECURITY_MANAGER_API_ERROR_ACCESS_DENIED: - return SECURITY_MANAGER_ERROR_ACCESS_DENIED; - case SECURITY_MANAGER_API_ERROR_INPUT_PARAM: - return SECURITY_MANAGER_ERROR_INPUT_PARAM; - default: - return SECURITY_MANAGER_ERROR_UNKNOWN; - } - + return retval; }); } @@ -238,7 +226,7 @@ int security_manager_app_uninstall(const app_inst_req *p_req) using namespace SecurityManager; MessageBuffer send, recv; - return try_catch([&] { + return try_catch([&]() -> int { //checking parameters if (!p_req) return SECURITY_MANAGER_ERROR_INPUT_PARAM; @@ -251,17 +239,14 @@ int security_manager_app_uninstall(const app_inst_req *p_req) //send buffer to server int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); - if (retval != SECURITY_MANAGER_API_SUCCESS) { + if (retval != SECURITY_MANAGER_SUCCESS) { LogError("Error in sendToServer. Error code: " << retval); - return SECURITY_MANAGER_ERROR_UNKNOWN; + return retval; } //receive response from server Deserialization::Deserialize(recv, retval); - if (retval != SECURITY_MANAGER_API_SUCCESS) - return SECURITY_MANAGER_ERROR_UNKNOWN; - - return SECURITY_MANAGER_SUCCESS;; + return retval; }); } 
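Review bot: The `+return retval;` that replaces the switch in security_manager_app_install (and its twin in security_manager_app_uninstall lower in the same line) hands whatever integer the daemon wrote into the reply straight back to the public API, whereas the deleted `default: return SECURITY_MANAGER_ERROR_UNKNOWN;` arm folded anything unexpected into a documented code. That is fine while client and daemon are built from the same security-manager-types.h, but a mismatched or misbehaving daemon can now surface a value the API contract never defined, possibly a positive one that a caller testing `ret < 0` would read as success. Normalising once after `Deserialization::Deserialize(recv, retval);` in each client call keeps the old guarantee, e.g. `if (retval > SECURITY_MANAGER_SUCCESS || retval < SECURITY_MANAGER_ERROR_UNKNOWN) retval = SECURITY_MANAGER_ERROR_UNKNOWN;` (the lower bound assumes the new header keeps UNKNOWN as the most negative code, as the old -255 did; the new header is not in view). The enclosing app_install lambda starts before this hunk.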
@@ -273,7 +258,7 @@ int security_manager_get_app_pkgid(char **pkg_id, const char *app_id) LogDebug("security_manager_get_app_pkgid() called"); - return try_catch([&] { + return try_catch([&]() -> int { //checking parameters if (app_id == NULL) { @@ -292,15 +277,15 @@ int security_manager_get_app_pkgid(char **pkg_id, const char *app_id) //send buffer to server int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); - if (retval != SECURITY_MANAGER_API_SUCCESS) { + if (retval != SECURITY_MANAGER_SUCCESS) { LogDebug("Error in sendToServer. Error code: " << retval); - return SECURITY_MANAGER_ERROR_UNKNOWN; + return retval; } //receive response from server Deserialization::Deserialize(recv, retval); - if (retval != SECURITY_MANAGER_API_SUCCESS) - return SECURITY_MANAGER_ERROR_UNKNOWN; + if (retval != SECURITY_MANAGER_SUCCESS) + return retval; std::string pkgIdString; Deserialization::Deserialize(recv, pkgIdString); @@ -395,7 +380,7 @@ int security_manager_set_process_label_from_appid(const char *app_id) appLabel = SecurityManager::SmackLabels::generateAppLabel(app_id); } catch (...) { LogError("Failed to generate smack label for appId: " << app_id); - return SECURITY_MANAGER_API_ERROR_NO_SUCH_OBJECT; + return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT; } if ((ret = setup_smack(appLabel.c_str())) != SECURITY_MANAGER_SUCCESS) { @@ -415,7 +400,7 @@ int security_manager_set_process_groups_from_appid(const char *app_id) LogDebug("security_manager_set_process_groups_from_appid() called"); - return try_catch([&] { + return try_catch([&]() -> int { //checking parameters if (app_id == nullptr) { 
@@ -429,16 +414,16 @@ int security_manager_set_process_groups_from_appid(const char *app_id) //send buffer to server int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); - if (retval != SECURITY_MANAGER_API_SUCCESS) { + if (retval != SECURITY_MANAGER_SUCCESS) { LogDebug("Error in sendToServer. Error code: " << retval); - return SECURITY_MANAGER_ERROR_UNKNOWN; + return retval; } //receive response from server Deserialization::Deserialize(recv, retval); - if (retval != SECURITY_MANAGER_API_SUCCESS) { + if (retval != SECURITY_MANAGER_SUCCESS) { LogError("Failed to get list of groups from security-manager service. Error code: " << retval); - return SECURITY_MANAGER_ERROR_UNKNOWN; + return retval; } //How many new groups? @@ -603,22 +588,15 @@ int security_manager_user_add(const user_req *p_req) //send buffer to server retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); - if (retval != SECURITY_MANAGER_API_SUCCESS) { + if (retval != SECURITY_MANAGER_SUCCESS) { LogError("Error in sendToServer. Error code: " << retval); - return SECURITY_MANAGER_ERROR_UNKNOWN; + return retval; } //receive response from server Deserialization::Deserialize(recv, retval); } - switch(retval) { - case SECURITY_MANAGER_API_SUCCESS: - return SECURITY_MANAGER_SUCCESS; - case SECURITY_MANAGER_API_ERROR_AUTHENTICATION_FAILED: - return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED; - default: - return SECURITY_MANAGER_ERROR_UNKNOWN; - } + return retval; }); } @@ -629,7 +607,7 @@ int security_manager_user_delete(const user_req *p_req) MessageBuffer send, recv; if (!p_req) return SECURITY_MANAGER_ERROR_INPUT_PARAM; - return try_catch([&] { + return try_catch([&]() -> int { //put data into buffer Serialization::Serialize(send, static_cast(SecurityModuleCall::USER_DELETE), 
@@ -637,21 +615,14 @@ int security_manager_user_delete(const user_req *p_req) //send buffer to server int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); - if (retval != SECURITY_MANAGER_API_SUCCESS) { + if (retval != SECURITY_MANAGER_SUCCESS) { LogError("Error in sendToServer. Error code: " << retval); - return SECURITY_MANAGER_ERROR_UNKNOWN; + return retval; } //receive response from server Deserialization::Deserialize(recv, retval); - switch(retval) { - case SECURITY_MANAGER_API_SUCCESS: - return SECURITY_MANAGER_SUCCESS; - case SECURITY_MANAGER_API_ERROR_AUTHENTICATION_FAILED: - return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED; - default: - return SECURITY_MANAGER_ERROR_UNKNOWN; - } + return retval; }); } @@ -696,23 +667,14 @@ int security_manager_policy_update_send(policy_update_req *p_req) //send it to server int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); - if (retval != SECURITY_MANAGER_API_SUCCESS) { + if (retval != SECURITY_MANAGER_SUCCESS) { LogError("Error in sendToServer. Error code: " << retval); - return SECURITY_MANAGER_ERROR_UNKNOWN; + return retval; } //receive response from server Deserialization::Deserialize(recv, retval); - switch(retval) { - case SECURITY_MANAGER_API_SUCCESS: - return SECURITY_MANAGER_SUCCESS; - case SECURITY_MANAGER_API_ERROR_AUTHENTICATION_FAILED: - return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED; - case SECURITY_MANAGER_API_ERROR_ACCESS_DENIED: - return SECURITY_MANAGER_ERROR_ACCESS_DENIED; - default: - return SECURITY_MANAGER_ERROR_UNKNOWN; - } + return retval; }); } 
@@ -730,21 +692,23 @@ static inline int security_manager_get_policy_internal( || p_filter == nullptr) return SECURITY_MANAGER_ERROR_INPUT_PARAM; - return try_catch([&] { + return try_catch([&]() -> int { //put request into buffer Serialization::Serialize(send, static_cast(call_type), *p_filter); //send it to server int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); - if (retval != SECURITY_MANAGER_API_SUCCESS) { + if (retval != SECURITY_MANAGER_SUCCESS) { LogError("Error in sendToServer. Error code: " << retval); - return SECURITY_MANAGER_ERROR_UNKNOWN; + return retval; } //receive response from server Deserialization::Deserialize(recv, retval); switch (retval) { - case SECURITY_MANAGER_API_SUCCESS: { + default: + return retval; + case SECURITY_MANAGER_SUCCESS: { //extract and allocate buffers for privs policy entries int entriesCnt = 0; policy_entry **entries = nullptr; @@ -766,14 +730,6 @@ static inline int security_manager_get_policy_internal( *ppp_privs_policy = entries; return SECURITY_MANAGER_SUCCESS; } - case SECURITY_MANAGER_API_ERROR_AUTHENTICATION_FAILED: - return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED; - - case SECURITY_MANAGER_API_ERROR_ACCESS_DENIED: - return SECURITY_MANAGER_ERROR_ACCESS_DENIED; - - default: - return SECURITY_MANAGER_ERROR_UNKNOWN; } }); } 
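Review bot: The rewritten switch in security_manager_get_policy_internal places `default: return retval;` ahead of its only remaining `case SECURITY_MANAGER_SUCCESS:`, which reads like a mis-ordered label rather than the early return it is meant to be. Every other client call in this patch expresses the same thing as a guard, `if (retval != SECURITY_MANAGER_SUCCESS) return retval;`, so dropping the switch and writing the entry-allocation code unbraced after that guard would make this function consistent with security_manager_policy_levels_get and security_manager_groups_get and remove one indentation level. The allocation loop between the two hunks on this line is unchanged and not quoted here.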
@@ -927,31 +883,23 @@ int security_manager_policy_levels_get(char ***levels, size_t *levels_count) MessageBuffer send, recv; if (!levels || !levels_count) return SECURITY_MANAGER_ERROR_INPUT_PARAM; - return try_catch([&] { + return try_catch([&]() -> int { //put data into buffer Serialization::Serialize(send, static_cast(SecurityModuleCall::POLICY_GET_DESCRIPTIONS)); //send buffer to server int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); - if (retval != SECURITY_MANAGER_API_SUCCESS) { + if (retval != SECURITY_MANAGER_SUCCESS) { LogError("Error in sendToServer. Error code: " << retval); - return SECURITY_MANAGER_ERROR_UNKNOWN; + return retval; } //receive response from server Deserialization::Deserialize(recv, retval); - switch(retval) { - case SECURITY_MANAGER_API_SUCCESS: - // success - continue - break; - case SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY: - return SECURITY_MANAGER_ERROR_MEMORY; - case SECURITY_MANAGER_API_ERROR_INPUT_PARAM: - return SECURITY_MANAGER_ERROR_INPUT_PARAM; - default: - return SECURITY_MANAGER_ERROR_UNKNOWN; + if (retval != SECURITY_MANAGER_SUCCESS) { + return retval; } int count; 
@@ -997,31 +945,23 @@ int security_manager_groups_get(char ***groups, size_t *groups_count) MessageBuffer send, recv; if (!groups || !groups_count) return SECURITY_MANAGER_ERROR_INPUT_PARAM; - return try_catch([&] { + return try_catch([&]() -> int { //put data into buffer Serialization::Serialize(send, static_cast(SecurityModuleCall::GROUPS_GET)); //send buffer to server int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); - if (retval != SECURITY_MANAGER_API_SUCCESS) { + if (retval != SECURITY_MANAGER_SUCCESS) { LogError("Error in sendToServer. Error code: " << retval); - return SECURITY_MANAGER_ERROR_UNKNOWN; + return retval; } //receive response from server Deserialization::Deserialize(recv, retval); - switch(retval) { - case SECURITY_MANAGER_API_SUCCESS: - // success - continue - break; - case SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY: - return SECURITY_MANAGER_ERROR_MEMORY; - case SECURITY_MANAGER_API_ERROR_INPUT_PARAM: - return SECURITY_MANAGER_ERROR_INPUT_PARAM; - default: - return SECURITY_MANAGER_ERROR_UNKNOWN; + if (retval != SECURITY_MANAGER_SUCCESS) { + return retval; } std::vector vgroups; 
@@ -1140,28 +1080,20 @@ int security_manager_app_has_privilege(const char *app_id, const char *privilege { using namespace SecurityManager; MessageBuffer send, recv; - return try_catch([&] { + return try_catch([&]() -> int { Serialization::Serialize(send, static_cast(SecurityModuleCall::APP_HAS_PRIVILEGE), std::string(app_id), std::string(privilege), uid); int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); - if (retval != SECURITY_MANAGER_API_SUCCESS) { + if (retval != SECURITY_MANAGER_SUCCESS) { LogError("Error in sendToServer. Error code: " << retval); - return SECURITY_MANAGER_ERROR_UNKNOWN; + return retval; } Deserialization::Deserialize(recv, retval); - switch(retval) { - case SECURITY_MANAGER_API_SUCCESS: - // success - continue - break; - case SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY: - return SECURITY_MANAGER_ERROR_MEMORY; - case SECURITY_MANAGER_API_ERROR_INPUT_PARAM: - return SECURITY_MANAGER_ERROR_INPUT_PARAM; - default: - return SECURITY_MANAGER_ERROR_UNKNOWN; + if (retval != SECURITY_MANAGER_SUCCESS) { + return retval; } Deserialization::Deserialize(recv, *result); @@ -1235,7 +1167,7 @@ SECURITY_MANAGER_API int security_manager_private_sharing_apply(const private_sharing_req *p_req) { using namespace SecurityManager; - return try_catch([&] { + return try_catch([&]() -> int { if (!p_req) return SECURITY_MANAGER_ERROR_INPUT_PARAM; if (p_req->ownerAppId.empty() || p_req->targetAppId.empty() || p_req->paths.empty()) 
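Review bot: security_manager_app_has_privilege still builds `std::string(app_id)` and `std::string(privilege)` and later writes through `*result` without checking any of them for null, and the retyped lambda keeps that: constructing std::string from a null pointer is undefined behaviour (libstdc++ happens to throw std::logic_error, which the catch-all in try_catch would turn into SECURITY_MANAGER_ERROR_UNKNOWN, but that is luck, not a contract). Since the function now returns the daemon's code verbatim, the missing guard belongs before the Serialize call, `if (!app_id || !privilege || !result) return SECURITY_MANAGER_ERROR_INPUT_PARAM;`, matching what security_manager_private_sharing_apply does for `p_req` in the next hunk on this line. The function's signature is only visible through the hunk header, so its opening lines are outside what is shown.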
@@ -1249,27 +1181,14 @@ int security_manager_private_sharing_apply(const private_sharing_req *p_req) //send buffer to server int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); - if (retval != SECURITY_MANAGER_API_SUCCESS) { + if (retval != SECURITY_MANAGER_SUCCESS) { LogError("Error in sendToServer. Error code: " << retval); - return SECURITY_MANAGER_ERROR_UNKNOWN; + return retval; } //receive response from server Deserialization::Deserialize(recv, retval); - switch(retval) { - case SECURITY_MANAGER_API_SUCCESS: - return SECURITY_MANAGER_SUCCESS; - case SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY: - return SECURITY_MANAGER_ERROR_MEMORY; - case SECURITY_MANAGER_API_ERROR_INPUT_PARAM: - return SECURITY_MANAGER_ERROR_INPUT_PARAM; - case SECURITY_MANAGER_API_ERROR_APP_UNKNOWN: - return SECURITY_MANAGER_ERROR_APP_UNKNOWN; - case SECURITY_MANAGER_API_ERROR_APP_NOT_PATH_OWNER: - return SECURITY_MANAGER_ERROR_APP_NOT_PATH_OWNER; - default: - return SECURITY_MANAGER_ERROR_UNKNOWN; - } + return retval; }); } @@ -1277,7 +1196,7 @@ SECURITY_MANAGER_API int security_manager_private_sharing_drop(const private_sharing_req *p_req) { using namespace SecurityManager; - return try_catch([&] { + return try_catch([&]() -> int { if (!p_req) return SECURITY_MANAGER_ERROR_INPUT_PARAM; if (p_req->ownerAppId.empty() || p_req->targetAppId.empty() || p_req->paths.empty()) 
@@ -1291,27 +1210,14 @@ int security_manager_private_sharing_drop(const private_sharing_req *p_req) //send buffer to server int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); - if (retval != SECURITY_MANAGER_API_SUCCESS) { + if (retval != SECURITY_MANAGER_SUCCESS) { LogError("Error in sendToServer. Error code: " << retval); - return SECURITY_MANAGER_ERROR_UNKNOWN; + return retval; } //receive response from server Deserialization::Deserialize(recv, retval); - switch(retval) { - case SECURITY_MANAGER_API_SUCCESS: - return SECURITY_MANAGER_SUCCESS; - case SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY: - return SECURITY_MANAGER_ERROR_MEMORY; - case SECURITY_MANAGER_API_ERROR_INPUT_PARAM: - return SECURITY_MANAGER_ERROR_INPUT_PARAM; - case SECURITY_MANAGER_API_ERROR_APP_UNKNOWN: - return SECURITY_MANAGER_ERROR_APP_UNKNOWN; - case SECURITY_MANAGER_API_ERROR_APP_NOT_PATH_OWNER: - return SECURITY_MANAGER_ERROR_APP_NOT_PATH_OWNER; - default: - return SECURITY_MANAGER_ERROR_UNKNOWN; - } + return retval; }); } diff --git a/src/common/connection.cpp b/src/common/connection.cpp index e4dc9ee..104a8a2 100644 --- a/src/common/connection.cpp +++ b/src/common/connection.cpp @@ -87,7 +87,7 @@ public: if (m_sock < 0) { int err = errno; LogError("Error creating socket: " << strerror(err)); - return SECURITY_MANAGER_API_ERROR_SOCKET; + return SECURITY_MANAGER_ERROR_SOCKET; } if ((flags = fcntl(m_sock, F_GETFL, 0)) < 0 || @@ -95,7 +95,7 @@ public: { int err = errno; LogError("Error in fcntl: " << strerror(err)); - return SECURITY_MANAGER_API_ERROR_SOCKET; + return SECURITY_MANAGER_ERROR_SOCKET; } memset(&clientAddr, 0, sizeof(clientAddr)); @@ -104,7 +104,7 @@ public: if (strlen(interface) >= sizeof(clientAddr.sun_path)) { LogError("Error: interface name " << interface << "is too long. Max len is:" << sizeof(clientAddr.sun_path)); - return SECURITY_MANAGER_API_ERROR_NO_SUCH_SERVICE; + return SECURITY_MANAGER_ERROR_NO_SUCH_SERVICE; } strcpy(clientAddr.sun_path, interface); 
@@ -115,7 +115,7 @@ public: if ((retval == -1) && (errno == EINPROGRESS)) { if (0 >= waitForSocket(m_sock, POLLIN, POLL_TIMEOUT)) { LogError("Error in waitForSocket."); - return SECURITY_MANAGER_API_ERROR_SOCKET; + return SECURITY_MANAGER_ERROR_SOCKET; } int error = 0; socklen_t len = sizeof(error); @@ -124,33 +124,33 @@ public: if (-1 == retval) { int err = errno; LogError("Error in getsockopt: " << strerror(err)); - return SECURITY_MANAGER_API_ERROR_SOCKET; + return SECURITY_MANAGER_ERROR_SOCKET; } if (error == EACCES) { LogError("Access denied"); - return SECURITY_MANAGER_API_ERROR_ACCESS_DENIED; + return SECURITY_MANAGER_ERROR_ACCESS_DENIED; } if (error != 0) { LogError("Error in connect: " << strerror(error)); - return SECURITY_MANAGER_API_ERROR_SOCKET; + return SECURITY_MANAGER_ERROR_SOCKET; } - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } if (-1 == retval) { int err = errno; LogError("Error connecting socket: " << strerror(err)); if (err == EACCES) - return SECURITY_MANAGER_API_ERROR_ACCESS_DENIED; + return SECURITY_MANAGER_ERROR_ACCESS_DENIED; if (err == ENOTSOCK) - return SECURITY_MANAGER_API_ERROR_NO_SUCH_SERVICE; - return SECURITY_MANAGER_API_ERROR_SOCKET; + return SECURITY_MANAGER_ERROR_NO_SUCH_SERVICE; + return SECURITY_MANAGER_ERROR_SOCKET; } - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } int Get() { @@ -171,7 +171,7 @@ int sendToServer(char const * const interface, const RawBuffer &send, MessageBuf ssize_t done = 0; char buffer[2048]; - if (SECURITY_MANAGER_API_SUCCESS != (ret = sock.Connect(interface))) { + if (SECURITY_MANAGER_SUCCESS != (ret = sock.Connect(interface))) { LogError("Error in SockRAII"); return ret; } 
@@ -179,13 +179,13 @@ int sendToServer(char const * const interface, const RawBuffer &send, MessageBuf while ((send.size() - done) > 0) { if (0 >= waitForSocket(sock.Get(), POLLOUT, POLL_TIMEOUT)) { LogError("Error in poll(POLLOUT)"); - return SECURITY_MANAGER_API_ERROR_SOCKET; + return SECURITY_MANAGER_ERROR_SOCKET; } ssize_t temp = TEMP_FAILURE_RETRY(write(sock.Get(), &send[done], send.size() - done)); if (-1 == temp) { int err = errno; LogError("Error in write: " << strerror(err)); - return SECURITY_MANAGER_API_ERROR_SOCKET; + return SECURITY_MANAGER_ERROR_SOCKET; } done += temp; } @@ -193,24 +193,24 @@ int sendToServer(char const * const interface, const RawBuffer &send, MessageBuf do { if (0 >= waitForSocket(sock.Get(), POLLIN, POLL_TIMEOUT)) { LogError("Error in poll(POLLIN)"); - return SECURITY_MANAGER_API_ERROR_SOCKET; + return SECURITY_MANAGER_ERROR_SOCKET; } ssize_t temp = TEMP_FAILURE_RETRY(read(sock.Get(), buffer, 2048)); if (-1 == temp) { int err = errno; LogError("Error in read: " << strerror(err)); - return SECURITY_MANAGER_API_ERROR_SOCKET; + return SECURITY_MANAGER_ERROR_SOCKET; } if (0 == temp) { LogError("Read return 0/Connection closed by server(?)"); - return SECURITY_MANAGER_API_ERROR_SOCKET; + return SECURITY_MANAGER_ERROR_SOCKET; } RawBuffer raw(buffer, buffer+temp); recv.Push(raw); } while(!recv.Ready()); - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } int sendToServerAncData(char const * const interface, const RawBuffer &send, struct msghdr &hdr) { @@ -218,7 +218,7 @@ int sendToServerAncData(char const * const interface, const RawBuffer &send, str SockRAII sock; ssize_t done = 0; - if (SECURITY_MANAGER_API_SUCCESS != (ret = sock.Connect(interface))) { + if (SECURITY_MANAGER_SUCCESS != (ret = sock.Connect(interface))) { LogError("Error in SockRAII"); return ret; } 
@@ -226,20 +226,20 @@ int sendToServerAncData(char const * const interface, const RawBuffer &send, str while ((send.size() - done) > 0) { if (0 >= waitForSocket(sock.Get(), POLLOUT, POLL_TIMEOUT)) { LogError("Error in poll(POLLOUT)"); - return SECURITY_MANAGER_API_ERROR_SOCKET; + return SECURITY_MANAGER_ERROR_SOCKET; } ssize_t temp = TEMP_FAILURE_RETRY(write(sock.Get(), &send[done], send.size() - done)); if (-1 == temp) { int err = errno; LogError("Error in write: " << strerror(err)); - return SECURITY_MANAGER_API_ERROR_SOCKET; + return SECURITY_MANAGER_ERROR_SOCKET; } done += temp; } if (0 >= waitForSocket(sock.Get(), POLLIN, POLL_TIMEOUT)) { LogError("Error in poll(POLLIN)"); - return SECURITY_MANAGER_API_ERROR_SOCKET; + return SECURITY_MANAGER_ERROR_SOCKET; } ssize_t temp = TEMP_FAILURE_RETRY(recvmsg(sock.Get(), &hdr, MSG_CMSG_CLOEXEC)); @@ -247,15 +247,15 @@ int sendToServerAncData(char const * const interface, const RawBuffer &send, str if (temp < 0) { int err = errno; LogError("Error in recvmsg(): " << strerror(err) << " errno: " << err); - return SECURITY_MANAGER_API_ERROR_SOCKET; + return SECURITY_MANAGER_ERROR_SOCKET; } if (0 == temp) { LogError("Read return 0/Connection closed by server(?)"); - return SECURITY_MANAGER_API_ERROR_SOCKET; + return SECURITY_MANAGER_ERROR_SOCKET; } - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } } // namespace SecurityManager diff --git a/src/common/include/protocols.h b/src/common/include/protocols.h index 1526f87..59a4540 100644 --- a/src/common/include/protocols.h +++ b/src/common/include/protocols.h 
@@ -30,85 +30,7 @@
 #include
 #include
 #include
-#include
-
-/**
- * \name Return Codes
- * exported by the foundation API.
- * result codes begin with the start error code and extend into negative direction.
- * @{
-*/
-
-/*! \brief indicating the result of the one specific API is successful */
-#define SECURITY_MANAGER_API_SUCCESS 0
-
-/*! \brief indicating the socket between client and Security Manager has been failed */
-#define SECURITY_MANAGER_API_ERROR_SOCKET -1
-
-/*! \brief indicating the request to Security Manager is malformed */
-#define SECURITY_MANAGER_API_ERROR_BAD_REQUEST -2
-
-/*! \brief indicating the response from Security Manager is malformed */
-#define SECURITY_MANAGER_API_ERROR_BAD_RESPONSE -3
-
-/*! \brief indicating the requested service does not exist */
-#define SECURITY_MANAGER_API_ERROR_NO_SUCH_SERVICE -4
-
-/*! \brief indicating requesting object is not exist */
-#define SECURITY_MANAGER_API_ERROR_NO_SUCH_OBJECT -6
-
-/*! \brief indicating the authentication between client and server has been failed */
-#define SECURITY_MANAGER_API_ERROR_AUTHENTICATION_FAILED -7
-
-/*! \brief indicating the API's input parameter is malformed */
-#define SECURITY_MANAGER_API_ERROR_INPUT_PARAM -8
-
-/*! \brief indicating the output buffer size which is passed as parameter is too small */
-#define SECURITY_MANAGER_API_ERROR_BUFFER_TOO_SMALL -9
-
-/*! \brief indicating system is running out of memory state */
-#define SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY -10
-
-/*! \brief indicating the access has been denied by Security Manager */
-#define SECURITY_MANAGER_API_ERROR_ACCESS_DENIED -11
-
-/*! \brief indicating Security Manager has been failed for some reason */
-#define SECURITY_MANAGER_API_ERROR_SERVER_ERROR -12
-
-/*! \brief indicating getting smack label from socket failed */
-#define SECURITY_MANAGER_API_ERROR_GETTING_SOCKET_LABEL_FAILED -21
-
-/*! \brief indicating getting smack label from file failed */
-#define SECURITY_MANAGER_API_ERROR_GETTING_FILE_LABEL_FAILED -22
-
-/*! \brief indicating setting smack label for file failed */
-#define SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED -23
-
-/*! \brief indicating file already exists */
-#define SECURITY_MANAGER_API_ERROR_FILE_EXIST -24
-
-/*! \brief indicating file does not exist */
-#define SECURITY_MANAGER_API_ERROR_FILE_NOT_EXIST -25
-
-/*! \brief indicating file open error */
-#define SECURITY_MANAGER_API_ERROR_FILE_OPEN_FAILED -26
-
-/*! \brief indicating file creation error */
-#define SECURITY_MANAGER_API_ERROR_FILE_CREATION_FAILED -27
-
-/*! \brief indicating file deletion error */
-#define SECURITY_MANAGER_API_ERROR_FILE_DELETION_FAILED -28
-
-/*! \brief indicating that application is not present in the database */
-#define SECURITY_MANAGER_API_ERROR_APP_UNKNOWN -29
-
-/*! \brief indicating that application is not owner of path */
-#define SECURITY_MANAGER_API_ERROR_APP_NOT_PATH_OWNER -30
-
-/*! \brief indicating the error with unknown reason */
-#define SECURITY_MANAGER_API_ERROR_UNKNOWN -255
-/** @}*/
-
+#include
 struct app_inst_req {
 std::string appId;
diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
index ab15ba3..0636991 100644
--- a/src/common/service_impl.cpp
+++ b/src/common/service_impl.cpp
@@ -71,7 +71,7 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr,
 if (policyEntry.appId.empty() || policyEntry.privilege.empty()) {
 LogError("Bad admin update request");
- return SECURITY_MANAGER_API_ERROR_BAD_REQUEST;
+ return SECURITY_MANAGER_ERROR_BAD_REQUEST;
 };
 if (!policyEntry.maxLevel.compare(SECURITY_MANAGER_DELETE)) {
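Review bot: The result codes change sign with this hunk: every `SECURITY_MANAGER_API_ERROR_*` macro removed here was negative (-1 to -255), while the `lib_retcode` enum that replaces them (security-manager-types.h later in this patch) starts at `SECURITY_MANAGER_SUCCESS` = 0 and counts upward, so any caller or test elsewhere that still classifies a result with `ret < 0` would now treat every failure as success. None of the hunks in this chunk use a sign test — client-security-manager.cpp compares against `SECURITY_MANAGER_SUCCESS` explicitly — but the rest of the tree is not visible here, so it is worth a grep before merging. Nine of the removed codes (BAD_RESPONSE, BUFFER_TOO_SMALL, GETTING_SOCKET_LABEL_FAILED, GETTING_FILE_LABEL_FAILED, FILE_EXIST, FILE_NOT_EXIST, FILE_OPEN_FAILED, FILE_CREATION_FAILED, FILE_DELETION_FAILED) have no counterpart in the new enum; a leftover use would fail to compile, which is acceptable, but the commit message should state that they are dropped on purpose. The `#include` that replaces the block has lost its target in this rendering, so I cannot check which header it pulls in.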
@@ -81,7 +81,7 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, level = CynaraAdmin::getInstance().convertToPolicyType(policyEntry.maxLevel); } catch (const std::out_of_range& e) { LogError("policy max level cannot be: " << policyEntry.maxLevel); - return SECURITY_MANAGER_API_ERROR_INPUT_PARAM; + return SECURITY_MANAGER_ERROR_INPUT_PARAM; }; }; forAdmin = true; @@ -93,7 +93,7 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, || policyEntry.appId.empty() || policyEntry.privilege.empty()) { LogError("Bad privacy manager update request"); - return SECURITY_MANAGER_API_ERROR_BAD_REQUEST; + return SECURITY_MANAGER_ERROR_BAD_REQUEST; }; if (!policyEntry.currentLevel.compare(SECURITY_MANAGER_DELETE)) { @@ -103,13 +103,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, level = CynaraAdmin::getInstance().convertToPolicyType(policyEntry.currentLevel); } catch (const std::out_of_range& e) { LogError("policy current level cannot be: " << policyEntry.currentLevel); - return SECURITY_MANAGER_API_ERROR_INPUT_PARAM; + return SECURITY_MANAGER_ERROR_INPUT_PARAM; }; }; forAdmin = false; } else { //neither => bad request - return SECURITY_MANAGER_API_ERROR_BAD_REQUEST; + return SECURITY_MANAGER_ERROR_BAD_REQUEST; }; if (!policyEntry.user.compare(SECURITY_MANAGER_ANY)) @@ -126,7 +126,7 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, (forAdmin)?CynaraAdmin::Buckets.at(Bucket::ADMIN):CynaraAdmin::Buckets.at(Bucket::PRIVACY_MANAGER))); LogDebug("Policy update request authenticated and validated successfully"); - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } bool isTizen2XVersion(const std::string &version) 
@@ -294,7 +294,7 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid) if (uid != req.uid) { LogError("User " << uid << " is denied to install application for user " << req.uid); - return SECURITY_MANAGER_API_ERROR_ACCESS_DENIED; + return SECURITY_MANAGER_ERROR_ACCESS_DENIED; } } else { if (req.uid) @@ -304,7 +304,7 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid) if (!installRequestAuthCheck(req, uid, appPath)) { LogError("Request from uid " << uid << " for app installation denied"); - return SECURITY_MANAGER_API_ERROR_AUTHENTICATION_FAILED; + return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED; } try { @@ -323,7 +323,7 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid) if (ret == true && pkg != req.pkgId) { LogError("Application already installed with different package id"); PrivilegeDb::getInstance().RollbackTransaction(); - return SECURITY_MANAGER_API_ERROR_INPUT_PARAM; + return SECURITY_MANAGER_ERROR_INPUT_PARAM; } PrivilegeDb::getInstance().AddApplication(req.appId, req.pkgId, uid, req.tizenVersion, req.authorId); 
@@ -343,23 +343,23 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid) LogDebug("Application installation commited to database"); } catch (const PrivilegeDb::Exception::IOError &e) { LogError("Cannot access application database: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const PrivilegeDb::Exception::InternalError &e) { PrivilegeDb::getInstance().RollbackTransaction(); LogError("Error while saving application info to database: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const CynaraException::Base &e) { PrivilegeDb::getInstance().RollbackTransaction(); LogError("Error while setting Cynara rules for application: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const SmackException::InvalidLabel &e) { PrivilegeDb::getInstance().RollbackTransaction(); LogError("Error while generating Smack labels: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const std::bad_alloc &e) { PrivilegeDb::getInstance().RollbackTransaction(); LogError("Memory allocation while setting Cynara rules for application: " << e.what()); - return SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY; + return SECURITY_MANAGER_ERROR_MEMORY; } try { 
@@ -378,19 +378,19 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid) SmackRules::installApplicationRules(req.appId, req.pkgId, authorId, pkgContents, allTizen2XApps, allTizen2XPackages); } catch (const SmackException::InvalidParam &e) { LogError("Invalid paramater during labeling: " << e.GetMessage()); - return SECURITY_MANAGER_API_ERROR_INPUT_PARAM; + return SECURITY_MANAGER_ERROR_INPUT_PARAM; } catch (const SmackException::Base &e) { LogError("Error while applying Smack policy for application: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED; + return SECURITY_MANAGER_ERROR_SETTING_FILE_LABEL_FAILED; } catch (const SecurityManager::Exception &e) { LogError("Security Manager exception: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const std::bad_alloc &e) { LogError("Memory allocation error: " << e.what()); - return SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY; + return SECURITY_MANAGER_ERROR_MEMORY; } - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } int ServiceImpl::appUninstall(const std::string &appId, uid_t uid) 
@@ -441,23 +441,23 @@ int ServiceImpl::appUninstall(const std::string &appId, uid_t uid) } } catch (const PrivilegeDb::Exception::IOError &e) { LogError("Cannot access application database: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const PrivilegeDb::Exception::InternalError &e) { PrivilegeDb::getInstance().RollbackTransaction(); LogError("Error while removing application info from database: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const CynaraException::Base &e) { PrivilegeDb::getInstance().RollbackTransaction(); LogError("Error while setting Cynara rules for application: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const SmackException::InvalidLabel &e) { PrivilegeDb::getInstance().RollbackTransaction(); LogError("Error while generating Smack labels: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const std::bad_alloc &e) { PrivilegeDb::getInstance().RollbackTransaction(); LogError("Memory allocation while setting Cynara rules for application: " << e.what()); - return SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY; + return SECURITY_MANAGER_ERROR_MEMORY; } if (appExists) { 
@@ -479,14 +479,14 @@ int ServiceImpl::appUninstall(const std::string &appId, uid_t uid) } catch (const SmackException::Base &e) { LogError("Error while removing Smack rules for application: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED; + return SECURITY_MANAGER_ERROR_SETTING_FILE_LABEL_FAILED; } catch (const std::bad_alloc &e) { LogError("Memory allocation error: " << e.what()); - return SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY; + return SECURITY_MANAGER_ERROR_MEMORY; } } - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } int ServiceImpl::getPkgId(const std::string &appId, std::string &pkgId) @@ -496,16 +496,16 @@ int ServiceImpl::getPkgId(const std::string &appId, std::string &pkgId) try { if (!PrivilegeDb::getInstance().GetAppPkgId(appId, pkgId)) { LogWarning("Application " << appId << " not found in database"); - return SECURITY_MANAGER_API_ERROR_NO_SUCH_OBJECT; + return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT; } else { LogDebug("pkgId: " << pkgId); } } catch (const PrivilegeDb::Exception::Base &e) { LogError("Error while getting pkgId from database: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } int ServiceImpl::getAppGroups( @@ -524,7 +524,7 @@ int ServiceImpl::getAppGroups( if (!PrivilegeDb::getInstance().GetAppPkgId(appId, pkgId)) { LogWarning("Application " << appId << " not found in database"); - return SECURITY_MANAGER_API_ERROR_NO_SUCH_OBJECT; + return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT; } LogDebug("pkgId: " << pkgId); 
@@ -563,39 +563,39 @@ int ServiceImpl::getAppGroups( } } catch (const PrivilegeDb::Exception::Base &e) { LogError("Database error: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const CynaraException::Base &e) { LogError("Error while querying Cynara for permissions: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const SmackException::InvalidLabel &e) { LogError("Error while generating Smack labels: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const std::bad_alloc &e) { LogError("Memory allocation failed: " << e.what()); - return SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY; + return SECURITY_MANAGER_ERROR_MEMORY; } - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } int ServiceImpl::userAdd(uid_t uidAdded, int userType, uid_t uid) { if (uid != 0) - return SECURITY_MANAGER_API_ERROR_AUTHENTICATION_FAILED; + return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED; try { CynaraAdmin::getInstance().UserInit(uidAdded, static_cast(userType)); } catch (CynaraException::InvalidParam &e) { - return SECURITY_MANAGER_API_ERROR_INPUT_PARAM; + return SECURITY_MANAGER_ERROR_INPUT_PARAM; } - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } int ServiceImpl::userDelete(uid_t uidDeleted, uid_t uid) { - int ret = SECURITY_MANAGER_API_SUCCESS; + int ret = SECURITY_MANAGER_SUCCESS; if (uid != 0) - return SECURITY_MANAGER_API_ERROR_AUTHENTICATION_FAILED; + return SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED; /*Uninstall all user apps*/ std::vector userApps; 
@@ -603,14 +603,14 @@ int ServiceImpl::userDelete(uid_t uidDeleted, uid_t uid) PrivilegeDb::getInstance().GetUserApps(uidDeleted, userApps); } catch (const PrivilegeDb::Exception::Base &e) { LogError("Error while getting user apps from database: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } for (auto &app: userApps) { - if (appUninstall(app, uidDeleted) != SECURITY_MANAGER_API_SUCCESS) { + if (appUninstall(app, uidDeleted) != SECURITY_MANAGER_SUCCESS) { /*if uninstallation of this app fails, just go on trying to uninstall another ones. we do not have anything special to do about that matter - user will be deleted anyway.*/ - ret = SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + ret = SECURITY_MANAGER_ERROR_SERVER_ERROR; } } @@ -633,12 +633,12 @@ int ServiceImpl::policyUpdate(const std::vector &policyEntries, ui if (policyEntries.size() == 0) { LogError("Validation failed: policy update request is empty"); - return SECURITY_MANAGER_API_ERROR_BAD_REQUEST; + return SECURITY_MANAGER_ERROR_BAD_REQUEST; }; if (!Cynara::getInstance().check(smackLabel, SELF_PRIVILEGE, uidStr, pidStr)) { LogError("Not enough permission to call: " << __FUNCTION__); - return SECURITY_MANAGER_API_ERROR_ACCESS_DENIED; + return SECURITY_MANAGER_ERROR_ACCESS_DENIED; }; std::vector validatedPolicies; @@ -652,13 +652,13 @@ int ServiceImpl::policyUpdate(const std::vector &policyEntries, ui isAdmin = Cynara::getInstance().check(smackLabel, ADMIN_PRIVILEGE, uidStr, pidStr)?IS_ADMIN:IS_NOT_ADMIN; }; - if (ret == SECURITY_MANAGER_API_SUCCESS) { + if (ret == SECURITY_MANAGER_SUCCESS) { if (!forAdmin || (forAdmin && (isAdmin == IS_ADMIN))) { validatedPolicies.push_back(std::move(cyap)); } else { LogError("Not enough privilege to enforce admin policy"); - return SECURITY_MANAGER_API_ERROR_ACCESS_DENIED; + return SECURITY_MANAGER_ERROR_ACCESS_DENIED; }; } else 
@@ -670,13 +670,13 @@ int ServiceImpl::policyUpdate(const std::vector &policyEntries, ui } catch (const CynaraException::Base &e) { LogError("Error while updating Cynara rules: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const std::bad_alloc &e) { LogError("Memory allocation error while updating Cynara rules: " << e.what()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } int ServiceImpl::getConfiguredPolicy(bool forAdmin, const policy_entry &filter, uid_t uid, pid_t pid, @@ -688,7 +688,7 @@ int ServiceImpl::getConfiguredPolicy(bool forAdmin, const policy_entry &filter, if (!Cynara::getInstance().check(smackLabel, SELF_PRIVILEGE, uidStr, pidStr)) { LogError("Not enough permission to call: " << __FUNCTION__); - return SECURITY_MANAGER_API_ERROR_ACCESS_DENIED; + return SECURITY_MANAGER_ERROR_ACCESS_DENIED; }; LogDebug("Filter is: C: " << filter.appId @@ -710,7 +710,7 @@ int ServiceImpl::getConfiguredPolicy(bool forAdmin, const policy_entry &filter, if (forAdmin) { if (!Cynara::getInstance().check(smackLabel, ADMIN_PRIVILEGE, uidStr, pidStr)) { LogError("Not enough privilege to access admin enforced policies: " << __FUNCTION__); - return SECURITY_MANAGER_API_ERROR_ACCESS_DENIED; + return SECURITY_MANAGER_ERROR_ACCESS_DENIED; }; //Fetch privileges from ADMIN bucket 
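Review bot: In this hunk the `std::bad_alloc` handler of `ServiceImpl::policyUpdate` still returns `SECURITY_MANAGER_ERROR_SERVER_ERROR`, while the same handler in appInstall, appUninstall, getAppGroups, appHasPrivilege and the private-sharing functions was switched to `SECURITY_MANAGER_ERROR_MEMORY` by this commit. The same mismatch is in the getConfiguredPolicy hunk (`@@ -776`) and the getPolicy hunk (`@@ -895`). A rename that already touches each of these lines is the cheapest moment to make them agree: `return SECURITY_MANAGER_ERROR_MEMORY;` in all three, unless callers are meant to get a generic server error for allocation failures in the policy paths, in which case a one-line comment saying so would save the next reader the question. policyUpdate's body begins before this hunk.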
@@ -776,17 +776,17 @@ int ServiceImpl::getConfiguredPolicy(bool forAdmin, const policy_entry &filter, } catch (const CynaraException::Base &e) { LogError("Error while listing Cynara rules: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const SmackException::InvalidLabel &e) { LogError("Error while generating Smack labels: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const std::bad_alloc &e) { LogError("Memory allocation error while listing Cynara rules: " << e.what()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } int ServiceImpl::getPolicy(const policy_entry &filter, uid_t uid, pid_t pid, const std::string &smackLabel, std::vector &policyEntries) @@ -797,7 +797,7 @@ int ServiceImpl::getPolicy(const policy_entry &filter, uid_t uid, pid_t pid, con if (!Cynara::getInstance().check(smackLabel, SELF_PRIVILEGE, uidStr, pidStr)) { LogWarning("Not enough permission to call: " << __FUNCTION__); - return SECURITY_MANAGER_API_ERROR_ACCESS_DENIED; + return SECURITY_MANAGER_ERROR_ACCESS_DENIED; }; LogDebug("Filter is: C: " << filter.appId 
@@ -895,36 +895,36 @@ int ServiceImpl::getPolicy(const policy_entry &filter, uid_t uid, pid_t pid, con } catch (const CynaraException::Base &e) { LogError("Error while listing Cynara rules: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const SmackException::InvalidLabel &e) { LogError("Error while generating Smack labels: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const std::bad_alloc &e) { LogError("Memory allocation error while listing Cynara rules: " << e.what()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } int ServiceImpl::policyGetDesc(std::vector &levels) { - int ret = SECURITY_MANAGER_API_SUCCESS; + int ret = SECURITY_MANAGER_SUCCESS; try { CynaraAdmin::getInstance().ListPoliciesDescriptions(levels); } catch (const CynaraException::OutOfMemory &e) { LogError("Error - out of memory while querying Cynara for policy descriptions list: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY; + return SECURITY_MANAGER_ERROR_MEMORY; } catch (const CynaraException::InvalidParam &e) { LogError("Error - invalid parameter while querying Cynara for policy descriptions list: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_INPUT_PARAM; + return SECURITY_MANAGER_ERROR_INPUT_PARAM; } catch (const CynaraException::ServiceNotAvailable &e) { LogError("Error - service not available while querying Cynara for policy descriptions list: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_NO_SUCH_SERVICE; + return SECURITY_MANAGER_ERROR_NO_SUCH_SERVICE; } catch (const CynaraException::Base &e) { LogError("Error while getting policy descriptions list from Cynara: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return 
SECURITY_MANAGER_ERROR_SERVER_ERROR; } return ret; @@ -932,13 +932,13 @@ int ServiceImpl::policyGetDesc(std::vector &levels) int ServiceImpl::policyGetGroups(std::vector &groups) { - int ret = SECURITY_MANAGER_API_SUCCESS; + int ret = SECURITY_MANAGER_SUCCESS; try { PrivilegeDb::getInstance().GetGroups(groups); } catch (const PrivilegeDb::Exception::Base &e) { LogError("Error while getting groups from database: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } return ret; @@ -957,18 +957,18 @@ int ServiceImpl::appHasPrivilege( LogDebug("result = " << result); } catch (const CynaraException::Base &e) { LogError("Error while querying Cynara for permissions: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const SmackException::InvalidLabel &e) { LogError("Error while generating Smack labels: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + return SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const std::bad_alloc &e) { LogError("Memory allocation failed: " << e.what()); - return SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY; + return SECURITY_MANAGER_ERROR_MEMORY; } catch (...) { LogError("Unknown exception thrown"); - return SECURITY_MANAGER_API_ERROR_UNKNOWN; + return SECURITY_MANAGER_ERROR_UNKNOWN; } - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } @@ -987,7 +987,7 @@ int ServiceImpl::dropOnePrivateSharing( PrivilegeDb::getInstance().GetPathSharingCount(path, pathCount); PrivilegeDb::getInstance().GetOwnerTargetSharingCount(ownerAppId, targetAppId, ownerTargetCount); if (targetPathCount > 0) { - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } if (pathCount < 1) { SmackLabels::setupPath(ownerPkgId, path, SECURITY_MANAGER_PATH_RW); 
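Review bot: In `ServiceImpl::policyGetDesc` (hunk `@@ -895`, starting on the previous physical line) and `ServiceImpl::policyGetGroups` (hunk `@@ -932`) the local `ret` that this commit re-initialises to `SECURITY_MANAGER_SUCCESS` is never assigned anything else — every catch block returns directly — so the touched line describes a state that does not exist. Dropping the local and ending each function with `return SECURITY_MANAGER_SUCCESS;` reads the same way the neighbouring getPkgId and appHasPrivilege already do. userDelete in `@@ -603` does reassign its `ret`, so it is not affected. Both function bodies are fully visible in these hunks.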
@@ -995,19 +995,19 @@ int ServiceImpl::dropOnePrivateSharing( std::string pathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgId, path); SmackRules::dropPrivateSharingRules(ownerPkgId, ownerPkgContents, targetAppId, pathLabel, pathCount < 1, ownerTargetCount < 1); - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } catch (const SmackException::Base &e) { LogError("Error performing smack operation: " << e.GetMessage()); - errorRet = SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + errorRet = SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const std::bad_alloc &e) { LogError("Memory allocation failed: " << e.what()); - errorRet = SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY; + errorRet = SECURITY_MANAGER_ERROR_MEMORY; } catch (const std::exception &e) { LogError("Some exception thrown : " << e.what()); - errorRet = SECURITY_MANAGER_API_ERROR_UNKNOWN; + errorRet = SECURITY_MANAGER_ERROR_UNKNOWN; } catch (...) { LogError("Unknown exception thrown"); - errorRet = SECURITY_MANAGER_API_ERROR_UNKNOWN; + errorRet = SECURITY_MANAGER_ERROR_UNKNOWN; } return errorRet; } @@ -1026,11 +1026,11 @@ int ServiceImpl::applyPrivatePathSharing( std::string targetPkgId; if (!PrivilegeDb::getInstance().GetAppPkgId(ownerAppId, ownerPkgId)) { LogError(ownerAppId << " is not an installed application"); - return SECURITY_MANAGER_API_ERROR_APP_UNKNOWN; + return SECURITY_MANAGER_ERROR_APP_UNKNOWN; } if (!PrivilegeDb::getInstance().GetAppPkgId(targetAppId, targetPkgId)) { LogError(targetAppId << " is not an installed application"); - return SECURITY_MANAGER_API_ERROR_APP_UNKNOWN; + return SECURITY_MANAGER_ERROR_APP_UNKNOWN; } for(const auto &path : paths) { 
@@ -1040,18 +1040,18 @@ int ServiceImpl::applyPrivatePathSharing( if (generatedPathLabel != pathLabel) { LogError("Path " << path << " has label " << pathLabel << " and dosen't belong" " to application " << ownerAppId); - return SECURITY_MANAGER_API_ERROR_APP_NOT_PATH_OWNER; + return SECURITY_MANAGER_ERROR_APP_NOT_PATH_OWNER; } } } if (ownerAppId == targetAppId) { LogDebug("Owner application is the same as target application"); - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } if (ownerPkgId == targetPkgId) { LogDebug("Owner and target belong to the same package"); - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } ScopedTransaction trans; PrivilegeDb::getInstance().GetAppIdsForPkgId(ownerPkgId, pkgContents); @@ -1075,19 +1075,19 @@ int ServiceImpl::applyPrivatePathSharing( pathLabel, (pathCount > 0), (ownerTargetCount > 0)); } trans.commit(); - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } catch (const SmackException::Base &e) { LogError("Error performing smack operation: " << e.GetMessage()); - errorRet = SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + errorRet = SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const std::bad_alloc &e) { LogError("Memory allocation failed: " << e.what()); - errorRet = SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY; + errorRet = SECURITY_MANAGER_ERROR_MEMORY; } catch (const std::exception &e) { LogError("Some exception thrown : " << e.what()); - errorRet = SECURITY_MANAGER_API_ERROR_UNKNOWN; + errorRet = SECURITY_MANAGER_ERROR_UNKNOWN; } catch (...) { LogError("Unknown exception thrown"); - errorRet = SECURITY_MANAGER_API_ERROR_UNKNOWN; + errorRet = SECURITY_MANAGER_ERROR_UNKNOWN; } for (int i = 0; i < sharingAdded; i++) { const std::string &path = paths[i]; 
@@ -1106,11 +1106,11 @@ int ServiceImpl::dropPrivatePathSharing( std::string ownerPkgId, targetPkgId; if (!PrivilegeDb::getInstance().GetAppPkgId(ownerAppId, ownerPkgId)) { LogError(ownerAppId << " is not an installed application"); - return SECURITY_MANAGER_API_ERROR_APP_UNKNOWN; + return SECURITY_MANAGER_ERROR_APP_UNKNOWN; } if (!PrivilegeDb::getInstance().GetAppPkgId(targetAppId, targetPkgId)) { LogError(targetAppId << " is not an installed application"); - return SECURITY_MANAGER_API_ERROR_APP_UNKNOWN; + return SECURITY_MANAGER_ERROR_APP_UNKNOWN; } for(const auto &path : paths) { @@ -1120,18 +1120,18 @@ int ServiceImpl::dropPrivatePathSharing( if (generatedPathLabel != pathLabel) { LogError("Path " << path << " has label " << pathLabel << " and dosen't belong" " to application " << ownerAppId); - return SECURITY_MANAGER_API_ERROR_APP_NOT_PATH_OWNER; + return SECURITY_MANAGER_ERROR_APP_NOT_PATH_OWNER; } } } if (ownerAppId == targetAppId) { LogDebug("Owner application is the same as target application"); - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } if (ownerPkgId == targetPkgId) { LogDebug("Owner and target belong to the same package"); - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } std::vector pkgContents; 
@@ -1139,24 +1139,24 @@ int ServiceImpl::dropPrivatePathSharing( ScopedTransaction trans; for (const auto &path : paths) { int ret = dropOnePrivateSharing(ownerAppId, ownerPkgId, pkgContents, targetAppId, path); - if (ret != SECURITY_MANAGER_API_SUCCESS) { + if (ret != SECURITY_MANAGER_SUCCESS) { return ret; } } trans.commit(); - return SECURITY_MANAGER_API_SUCCESS; + return SECURITY_MANAGER_SUCCESS; } catch (const SmackException::Base &e) { LogError("Error performing smack operation: " << e.GetMessage()); - errorRet = SECURITY_MANAGER_API_ERROR_SERVER_ERROR; + errorRet = SECURITY_MANAGER_ERROR_SERVER_ERROR; } catch (const std::bad_alloc &e) { LogError("Memory allocation failed: " << e.what()); - errorRet = SECURITY_MANAGER_API_ERROR_OUT_OF_MEMORY; + errorRet = SECURITY_MANAGER_ERROR_MEMORY; } catch (const std::exception &e) { LogError("Some exception thrown : " << e.what()); - errorRet = SECURITY_MANAGER_API_ERROR_UNKNOWN; + errorRet = SECURITY_MANAGER_ERROR_UNKNOWN; } catch (...) { LogError("Unknown exception thrown"); - errorRet = SECURITY_MANAGER_API_ERROR_UNKNOWN; + errorRet = SECURITY_MANAGER_ERROR_UNKNOWN; } return errorRet; } diff --git a/src/include/CMakeLists.txt b/src/include/CMakeLists.txt index 6f9a45f..353a159 100644 --- a/src/include/CMakeLists.txt +++ b/src/include/CMakeLists.txt @@ -1,4 +1,5 @@ INSTALL(FILES ${INCLUDE_PATH}/security-manager.h + ${INCLUDE_PATH}/security-manager-types.h DESTINATION ${INCLUDE_INSTALL_DIR}/security-manager ) diff --git a/src/include/security-manager-types.h b/src/include/security-manager-types.h new file mode 100644 index 0000000..0acf328 --- /dev/null +++ b/src/include/security-manager-types.h 
@@ -0,0 +1,126 @@
+/*
+ * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Rafal Krypa
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ *
+ * Security Manager library header
+ */
+/*
+ * @file security-manager-types.h
+ * @author Pawel Polawski (p.polawski@samsung.com)
+ * @version 1.0
+ * @brief This file contains header of security-manager API
+ */
+#ifndef SECURITY_MANAGER_TYPES_H_
+#define SECURITY_MANAGER_TYPES_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*! \brief return code of API functions */
+enum lib_retcode {
+ SECURITY_MANAGER_SUCCESS,
+ SECURITY_MANAGER_ERROR_UNKNOWN,
+ SECURITY_MANAGER_ERROR_INPUT_PARAM,
+ SECURITY_MANAGER_ERROR_MEMORY,
+ SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE,
+ SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
+ SECURITY_MANAGER_ERROR_ACCESS_DENIED,
+ SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT,
+ SECURITY_MANAGER_ERROR_APP_UNKNOWN,
+ SECURITY_MANAGER_ERROR_APP_NOT_PATH_OWNER,
+ SECURITY_MANAGER_ERROR_SOCKET,
+ SECURITY_MANAGER_ERROR_BAD_REQUEST,
+ SECURITY_MANAGER_ERROR_NO_SUCH_SERVICE,
+ SECURITY_MANAGER_ERROR_SERVER_ERROR,
+ SECURITY_MANAGER_ERROR_SETTING_FILE_LABEL_FAILED,
+};
+
+/*! \brief accesses types for application installation paths*/
+enum app_install_path_type {
+ //! RO access for all applications
+ SECURITY_MANAGER_PATH_PUBLIC_RO,
+ //! RW access for given application package
+ SECURITY_MANAGER_PATH_RW,
+ //! RO access for given application package
+ SECURITY_MANAGER_PATH_RO,
+ //! RW access for the owner, RO for other 2.X applications
+ //! (other 3.0 apps will not have access to the shared folder)
+ SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO,
+ //! RW access for application packages coming from the same author
+ SECURITY_MANAGER_PATH_TRUSTED_RW,
+ //! this is only for range limit
+ SECURITY_MANAGER_ENUM_END
+};
+
+/**
+ * This enum has values equivalent to gumd user type.
+ * The gum-utils help states that
+ * "usertype can be system(1), admin(2), guest(3), normal(4)."
+ */
+enum security_manager_user_type {
+ SM_USER_TYPE_NONE = 0,/*<-this should not be used, if it is used, there will be an error returned by SM*/
+ SM_USER_TYPE_SYSTEM = 1,
+ SM_USER_TYPE_ADMIN = 2,
+ SM_USER_TYPE_GUEST = 3,
+ SM_USER_TYPE_NORMAL = 4,
+ SM_USER_TYPE_ANY = 5,/*<-this value may be used only for setting policies and not during user adding*/
+ SM_USER_TYPE_END
+};
+typedef enum security_manager_user_type security_manager_user_type;
+
+/*! \brief data structure responsible for handling informations
+ * required to install / uninstall application */
+struct app_inst_req;
+typedef struct app_inst_req app_inst_req;
+
+/*! \brief data structure responsible for handling informations
+ * required to manage users */
+struct user_req;
+typedef struct user_req user_req;
+
+/*! \brief data structure responsible for handling policy updates
+ * required to manage users' and applications' permissions */
+struct policy_update_req;
+typedef struct policy_update_req policy_update_req;
+
+/*! \brief data structure responsible for handling single policy entry*/
+struct policy_entry;
+typedef struct policy_entry policy_entry;
+
+/*! brief data structure responsible for handling informations required to apply / drop
+ * private sharing between applications */
+struct private_sharing_req;
+typedef struct private_sharing_req private_sharing_req;
+
+/*! \brief wildcard to be used in requests to match all possible values of given field.
+ * Use it, for example when it is desired to list or apply policy change for all
+ * users or all apps for selected user.
+ */
+#define SECURITY_MANAGER_ANY "#"
+
+/*! \brief value denoting delete operation on specific policy. It can only be used
+ * in update policy operation, passed to either security_manager_policy_entry_admin_set_level
+ * or security_manager_policy_entry_set_level.
+ */
+#define SECURITY_MANAGER_DELETE "DELETE"
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SECURITY_MANAGER_TYPES_H_ */
+
diff --git a/src/include/security-manager.h b/src/include/security-manager.h
index 3eacd28..2d990f5 100644
--- a/src/include/security-manager.h
+++ b/src/include/security-manager.h
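Review bot: `enum lib_retcode` gains five values here (`SECURITY_MANAGER_ERROR_SOCKET` through `SECURITY_MANAGER_ERROR_SETTING_FILE_LABEL_FAILED`) and, judging by the service_impl.cpp hunks above, these are presumably also the codes the server now sends to the client, so a server-chosen integer ends up being returned to API callers as a `lib_retcode`. Unlike `SECURITY_MANAGER_ENUM_END` and `SM_USER_TYPE_END` in the two enums below it, this enum has no range sentinel, which leaves the receiving side nothing to bound-check against, and the retcode-to-string function whose comment closes the next hunk in security-manager.h needs entries for all five new values. Appending at the tail keeps the existing numbering, which is the right way to extend a public enum; I would record that above the closing brace, `/* append only: enumerator values are part of the public ABI */`. The trailing comma after the last enumerator is fine for C99/C++ but will warn under C89 -pedantic, which matters for an extern "C" header consumed by C callers.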
@@ -29,93 +29,12 @@ #include +#include "security-manager-types.h" + #ifdef __cplusplus extern "C" { #endif -/*! \brief return code of API functions */ -enum lib_retcode { - SECURITY_MANAGER_SUCCESS, - SECURITY_MANAGER_ERROR_UNKNOWN, - SECURITY_MANAGER_ERROR_INPUT_PARAM, - SECURITY_MANAGER_ERROR_MEMORY, - SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE, - SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED, - SECURITY_MANAGER_ERROR_ACCESS_DENIED, - SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT, - SECURITY_MANAGER_ERROR_APP_UNKNOWN, - SECURITY_MANAGER_ERROR_APP_NOT_PATH_OWNER -}; - -/*! \brief accesses types for application installation paths*/ -enum app_install_path_type { - //! RO access for all applications - SECURITY_MANAGER_PATH_PUBLIC_RO, - //! RW access for given application package - SECURITY_MANAGER_PATH_RW, - //! RO access for given application package - SECURITY_MANAGER_PATH_RO, - //! RW access for the owner, RO for other 2.X applications - //! (other 3.0 apps will not have access to the shared folder) - SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO, - //! RW access for application packages coming from the same author - SECURITY_MANAGER_PATH_TRUSTED_RW, - //! this is only for range limit - SECURITY_MANAGER_ENUM_END -}; - -/** - * This enum has values equivalent to gumd user type. - * The gum-utils help states that - * "usertype can be system(1), admin(2), guest(3), normal(4)." - */ -enum security_manager_user_type { - SM_USER_TYPE_NONE = 0,/*<-this should not be used, if it is used, there will be an error returned by SM*/ - SM_USER_TYPE_SYSTEM = 1, - SM_USER_TYPE_ADMIN = 2, - SM_USER_TYPE_GUEST = 3, - SM_USER_TYPE_NORMAL = 4, - SM_USER_TYPE_ANY = 5,/*<-this value may be used only for setting policies and not during user adding*/ - SM_USER_TYPE_END -}; -typedef enum security_manager_user_type security_manager_user_type; - -/*! 
\brief data structure responsible for handling informations - * required to install / uninstall application */ -struct app_inst_req; -typedef struct app_inst_req app_inst_req; - -/*! \brief data structure responsible for handling informations - * required to manage users */ -struct user_req; -typedef struct user_req user_req; - -/*! \brief data structure responsible for handling policy updates - * required to manage users' and applications' permissions */ -struct policy_update_req; -typedef struct policy_update_req policy_update_req; - -/*! \brief data structure responsible for handling single policy entry*/ -struct policy_entry; -typedef struct policy_entry policy_entry; - -/*! brief data structure responsible for handling informations required to apply / drop - * private sharing between applications */ -struct private_sharing_req; -typedef struct private_sharing_req private_sharing_req; - -/*! \brief wildcard to be used in requests to match all possible values of given field. - * Use it, for example when it is desired to list or apply policy change for all - * users or all apps for selected user. - */ -#define SECURITY_MANAGER_ANY "#" - -/*! \brief value denoting delete operation on specific policy. It can only be used - * in update policy operation, passed to either security_manager_policy_entry_admin_set_level - * or security_manager_policy_entry_set_level. - */ -#define SECURITY_MANAGER_DELETE "DELETE" - /** * This function translates lib_retcode error codes to strings describing * errors. diff --git a/src/server/service/service.cpp b/src/server/service/service.cpp index aa9424b..64b79f2 100644 --- a/src/server/service/service.cpp +++ b/src/server/service/service.cpp 
@@ -84,7 +84,7 @@ bool Service::processOne(const ConnectionID &conn, MessageBuffer &buffer, switch (call_type) { case SecurityModuleCall::NOOP: LogDebug("call_type: SecurityModuleCall::NOOP"); - Serialization::Serialize(send, SECURITY_MANAGER_API_SUCCESS); + Serialization::Serialize(send, static_cast(SECURITY_MANAGER_SUCCESS)); break; case SecurityModuleCall::APP_INSTALL: LogDebug("call_type: SecurityModuleCall::APP_INSTALL"); @@ -195,7 +195,7 @@ void Service::processGetPkgId(MessageBuffer &buffer, MessageBuffer &send) Deserialization::Deserialize(buffer, appId); ret = serviceImpl.getPkgId(appId, pkgId); Serialization::Serialize(send, ret); - if (ret == SECURITY_MANAGER_API_SUCCESS) + if (ret == SECURITY_MANAGER_SUCCESS) Serialization::Serialize(send, pkgId); } @@ -208,7 +208,7 @@ void Service::processGetAppGroups(MessageBuffer &buffer, MessageBuffer &send, ui Deserialization::Deserialize(buffer, appId); ret = serviceImpl.getAppGroups(appId, uid, pid, gids); Serialization::Serialize(send, ret); - if (ret == SECURITY_MANAGER_API_SUCCESS) { + if (ret == SECURITY_MANAGER_SUCCESS) { Serialization::Serialize(send, static_cast(gids.size())); for (const auto &gid : gids) { Serialization::Serialize(send, gid); @@ -291,7 +291,7 @@ void Service::processPolicyGetDesc(MessageBuffer &send) ret = serviceImpl.policyGetDesc(descriptions); Serialization::Serialize(send, ret); - if (ret == SECURITY_MANAGER_API_SUCCESS) { + if (ret == SECURITY_MANAGER_SUCCESS) { Serialization::Serialize(send, static_cast(descriptions.size())); for(std::vector::size_type i = 0; i != descriptions.size(); i++) { @@ -306,7 +306,7 @@ void Service::processGroupsGet(MessageBuffer &send) int ret = serviceImpl.policyGetGroups(groups); Serialization::Serialize(send, ret); - if (ret == SECURITY_MANAGER_API_SUCCESS) { + if (ret == SECURITY_MANAGER_SUCCESS) { Serialization::Serialize(send, groups); } } 
@@ -325,7 +325,7 @@ void Service::processAppHasPrivilege(MessageBuffer &recv, MessageBuffer &send) int ret = serviceImpl.appHasPrivilege(appId, privilege, uid, result); Serialization::Serialize(send, ret); - if (ret == SECURITY_MANAGER_API_SUCCESS) + if (ret == SECURITY_MANAGER_SUCCESS) Serialization::Serialize(send, static_cast(result)); } -- 2.7.4 From 61c5731615219421f4d122559175db1a5ec73474 Mon Sep 17 00:00:00 2001 From: Bartlomiej Grzelewski Date: Tue, 9 Feb 2016 12:09:36 +0100 Subject: [PATCH 04/16] Move authors rules to new template file. Change-Id: Ic5341e94823ef9e7be44705aeae3e5833b2b2b7b --- db/db.sql | 1 + policy/CMakeLists.txt | 1 + policy/app-rules-template.smack | 2 - policy/author-rules-template.smack | 2 + src/common/include/privilege_db.h | 24 ++++++++--- src/common/include/smack-rules.h | 26 +++++++++-- src/common/privilege_db.cpp | 35 +++++++++------ src/common/service_impl.cpp | 10 ++--- src/common/smack-rules.cpp | 88 ++++++++++++++++++++++++-------------- 9 files changed, 124 insertions(+), 65 deletions(-) create mode 100644 policy/author-rules-template.smack diff --git a/db/db.sql b/db/db.sql index 0703280..d8efc46 100644 --- a/db/db.sql +++ b/db/db.sql @@ -142,6 +142,7 @@ INSTEAD OF DELETE ON app_pkg_view BEGIN DELETE FROM app WHERE app_id=OLD.app_id AND uid=OLD.uid; DELETE FROM pkg WHERE pkg_id NOT IN (SELECT DISTINCT pkg_id from app); + DELETE FROM author WHERE author_id NOT IN (SELECT author_id FROM app WHERE author_id IS NOT NULL); END; DROP VIEW IF EXISTS app_private_sharing_view; diff --git a/policy/CMakeLists.txt b/policy/CMakeLists.txt index bd08edc..d7a8a5d 100644 --- a/policy/CMakeLists.txt +++ b/policy/CMakeLists.txt 
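Review bot: The new `DELETE FROM author WHERE author_id NOT IN (SELECT author_id FROM app WHERE author_id IS NOT NULL);` in the app_pkg_view delete trigger depends entirely on that `IS NOT NULL` filter, and nothing says so: `NOT IN` against a subquery that yields a NULL row matches no rows at all, so dropping the filter would silently stop orphaned authors from ever being removed. A one-line comment above the statement would protect it, e.g. `-- IS NOT NULL is required: NOT IN over a set containing NULL matches nothing`. It is also worth a line in the schema that author cleanup now lives in this trigger, since the dedicated ERemoveAuthors statement is deleted from privilege_db.h in the same patch.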
@@ -1,5 +1,6 @@ FILE(GLOB USERTYPE_POLICY_FILES usertype-*.profile) INSTALL(FILES ${USERTYPE_POLICY_FILES} DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) INSTALL(FILES "app-rules-template.smack" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) +INSTALL(FILES "author-rules-template.smack" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) INSTALL(FILES "privilege-group.list" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) INSTALL(PROGRAMS security-manager-policy-reload DESTINATION ${BIN_INSTALL_DIR}) diff --git a/policy/app-rules-template.smack b/policy/app-rules-template.smack index acd7b22..2eb2dff 100644 --- a/policy/app-rules-template.smack +++ b/policy/app-rules-template.smack @@ -18,5 +18,3 @@ User ~PKG~::SharedRO rwxat ~APP~ ~PKG~::RO rxl ~APP~ ~PKG~::SharedRO rwxat ~APP~ ~AUTHOR~ rwxat -User ~AUTHOR~ rwxat -System ~AUTHOR~ rwxat diff --git a/policy/author-rules-template.smack b/policy/author-rules-template.smack new file mode 100644 index 0000000..a40cba8 --- /dev/null +++ b/policy/author-rules-template.smack @@ -0,0 +1,2 @@ +User ~AUTHOR~ rwxat +System ~AUTHOR~ rwxat diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h index 1cca500..17d4c29 100644 --- a/src/common/include/privilege_db.h +++ b/src/common/include/privilege_db.h @@ -71,7 +71,6 @@ enum class StmtType { EGetAppsInPkg, EGetGroups, EGetAuthorIdAppId, - ERemoveAuthors, EAuthorIdExists, }; @@ -127,7 +126,6 @@ private: { StmtType::EGetAppsInPkg, " SELECT app_name FROM app_pkg_view WHERE pkg_name = ?" }, { StmtType::EGetGroups, "SELECT DISTINCT group_name FROM privilege_group_view" }, { StmtType::EGetAuthorIdAppId, "SELECT author_id FROM app_pkg_view WHERE app_name = ?"}, - { StmtType::ERemoveAuthors, "DELETE FROM author where author_id IN (SELECT author_id from author LEFT JOIN APP USING(author_id) where app_id is NULL)"}, { StmtType::EAuthorIdExists, "SELECT count(*) FROM author where author_id=?"}, }; 
@@ -174,6 +172,16 @@ private: */ bool PkgIdExists(const std::string &pkgId); + /** + * Check if authorId is already registered in database + * + * @param authorId - package identifier + * @exception DB::SqlConnection::Exception::InternalError on internal error + * @return true if authorId exists in the database + * + */ + bool AuthorIdExists(const std::string &authorId); + public: class Exception { @@ -275,10 +283,15 @@ public: * @param uid - user identifier whose application is going to be uninstalled * @param[out] appIdIsNoMore - return info if appId is in the database * @param[out] pkgIdIsNoMore - return info if pkgId is in the database + * @param[out] authorIdIsNoMore - return info if authorId is in the database * @exception DB::SqlConnection::Exception::InternalError on internal error */ - void RemoveApplication(const std::string &appId, uid_t uid, - bool &appIdIsNoMore, bool &pkgIdIsNoMore); + void RemoveApplication( + const std::string &appId, + uid_t uid, + bool &appIdIsNoMore, + bool &pkgIdIsNoMore, + bool &authorIdIsNoMore); /** * Remove privileges assigned to application @@ -435,9 +448,6 @@ public: void GetAuthorIdForAppId(const std::string &appId, std::string &authorId); - void RemoveAuthor(); - void AuthorIdExists(const std::string &authorId, int &result); - /** * Retrieve list of resource groups * diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h index a0b458a..eef43cc 100644 --- a/src/common/include/smack-rules.h +++ b/src/common/include/smack-rules.h @@ -36,6 +36,9 @@ namespace SecurityManager { class SmackRules { public: + typedef std::string Rule; + typedef std::vector RuleVector; + SmackRules(); virtual ~SmackRules(); 
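Review bot: The new `AuthorIdExists` doc comment describes its argument as `@param authorId - package identifier`, copied from PkgIdExists just above it; it should read `@param authorId - author identifier (database key)`. In the RemoveApplication hunk of the same file, `@param[out] authorIdIsNoMore - return info if authorId is in the database` states the inverse of what the name and the implementation convey; `true when the author has no remaining applications after the removal` matches the code. The inverted wording is inherited from the two sibling out-parameters, so fixing all three together would be consistent.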
@@ -46,12 +49,13 @@ public: void loadFromFile(const std::string &path); void addFromTemplate( - const std::vector &templateRules, + const RuleVector &templateRules, const std::string &appId, const std::string &pkgId, const std::string &authorId); void addFromTemplateFile( + const std::string &templatePath, const std::string &appId, const std::string &pkgId, const std::string &authorId); @@ -148,8 +152,12 @@ public: const std::vector &pkgContents, const std::vector &appsGranted); - /* Temporary fix for authors rules */ - static void fixAuthorRules(const std::string &authorId); + /** + * Uninstall author-specific smack rules. + * + * param[in] authorId - identification (datbase key) of the author + */ + static void uninstallAuthorRules(const std::string &authorId); /** * Add rules related to private path sharing rules @@ -200,6 +208,13 @@ public: static void updatePackageRules(const std::string &pkgId, const std::vector &pkgContents); private: + static void useTemplate( + const std::string &templatePath, + const std::string &outputPath, + const std::string &appId, + const std::string &pkgId, + const std::string &authorId); + /** * Create a path for package rules * @@ -212,6 +227,11 @@ private: static std::string getApplicationRulesFilePath(const std::string &appId); /** + * Create a path for author rules + */ + static std::string getAuthorRulesFilePath(const std::string &authorId); + + /** * Uninstall rules inside a specified file path * * This is a utility function that will clear all diff --git a/src/common/privilege_db.cpp b/src/common/privilege_db.cpp index f9ecf17..6aa19a0 100644 --- a/src/common/privilege_db.cpp +++ b/src/common/privilege_db.cpp 
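Review bot: The comment added for `uninstallAuthorRules` reads `param[in] authorId - identification (datbase key) of the author`: the Doxygen tag is missing its `@` and "datbase" is misspelled, so the parameter will not be picked up by generated docs; suggested line `@param[in] authorId - identification (database key) of the author`. The new private `useTemplate` and `getAuthorRulesFilePath` declarations in the later hunks of this header carry no comment at all, although the .cpp side shows useTemplate both applies the rules (when smackfs is present) and writes them to outputPath; a one-liner naming those two side effects would document what the header otherwise hides.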
@@ -206,16 +206,24 @@ void PrivilegeDb::AddApplication( }); } -void PrivilegeDb::RemoveApplication(const std::string &appId, uid_t uid, - bool &appIdIsNoMore, bool &pkgIdIsNoMore) +void PrivilegeDb::RemoveApplication( + const std::string &appId, + uid_t uid, + bool &appIdIsNoMore, + bool &pkgIdIsNoMore, + bool &authorIdIsNoMore) { try_catch([&] { std::string pkgId; + std::string authorId; if (!GetAppPkgId(appId, pkgId)) { pkgIdIsNoMore = false; return; } + authorIdIsNoMore = false; + GetAuthorIdForAppId(appId, authorId); + auto command = getStatement(StmtType::ERemoveApplication); command->BindString(1, appId); command->BindInteger(2, static_cast(uid)); @@ -229,6 +237,10 @@ void PrivilegeDb::RemoveApplication(const std::string &appId, uid_t uid, appIdIsNoMore = !(this->AppIdExists(appId)); pkgIdIsNoMore = !(this->PkgIdExists(pkgId)); + + if (!authorId.empty()) { + authorIdIsNoMore = !(this->AuthorIdExists(authorId)); + } }); } @@ -491,26 +503,21 @@ void PrivilegeDb::GetAuthorIdForAppId(const std::string &appId, }); } -void PrivilegeDb::RemoveAuthor() { - try_catch([&] { - auto command = getStatement(StmtType::ERemoveAuthors); - command->Step(); - }); -} - -void PrivilegeDb::AuthorIdExists(const std::string &authorId, int &result) { - try_catch([&] { - auto command = getStatement(StmtType::EAuthorIdExists); - result = 0; +bool PrivilegeDb::AuthorIdExists(const std::string &authorId) { + return try_catch([&]() -> bool { + int result = 0; if (authorId.empty()) - return; + return false; + + auto command = getStatement(StmtType::EAuthorIdExists); command->BindInteger(1, std::atoi(authorId.c_str())); if (command->Step()) { result = command->GetColumnInteger(0); } LogDebug("For author: " << authorId << " found " << result << " rows"); + return result; }); } diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp index 0636991..45de6de 100644 --- a/src/common/service_impl.cpp +++ b/src/common/service_impl.cpp 
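Review bot: The early-return branch `if (!GetAppPkgId(appId, pkgId)) { pkgIdIsNoMore = false; return; }` leaves the new `authorIdIsNoMore` output (like `appIdIsNoMore` before it) unassigned, because the `authorIdIsNoMore = false;` line is placed after the return; the function therefore only has a defined result when the caller pre-initialises the flags, which the visible caller in service_impl.cpp happens to do with `removeAuthor = false`. Moving `authorIdIsNoMore = false;` to the top of the lambda, or assigning all three outputs inside the early-return branch, makes the function own its results. RemoveApplication continues into the next hunk, where `authorIdIsNoMore` is derived from AuthorIdExists only when `authorId` is non-empty.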
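Review bot: `command->BindInteger(1, std::atoi(authorId.c_str()))` in the rewritten `AuthorIdExists` turns any non-numeric authorId into 0 without an error, so a malformed id is answered as "does author 0 exist" instead of being rejected, and the caller would then treat the author as gone and remove its Smack rules. The value normally comes from `GetAuthorIdForAppId`, so it should be numeric, but a strict parse makes corruption visible: `char *end = nullptr; long id = std::strtol(authorId.c_str(), &end, 10); if (end == authorId.c_str() || *end != '\0') ...` and raise the DB internal error the header already documents for this method rather than binding. Returning `result` also relies on an implicit int-to-bool conversion of the row count; `return result > 0;` states the intent directly.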
@@ -402,11 +402,11 @@ int ServiceImpl::appUninstall(const std::string &appId, uid_t uid) bool appExists = true; bool removeApp = false; bool removePkg = false; + bool removeAuthor = false; std::string uidstr; std::vector allTizen2XApps; checkGlobalUser(uid, uidstr); std::string authorId; - int restoreAuthor = 0; try { PrivilegeDb::getInstance().BeginTransaction(); @@ -426,9 +426,7 @@ int ServiceImpl::appUninstall(const std::string &appId, uid_t uid) PrivilegeDb::getInstance().GetAuthorIdForAppId(appId, authorId); PrivilegeDb::getInstance().GetAppIdsForPkgId(pkgId, pkgContents); PrivilegeDb::getInstance().UpdateAppPrivileges(appId, uid, std::vector()); - PrivilegeDb::getInstance().RemoveApplication(appId, uid, removeApp, removePkg); - PrivilegeDb::getInstance().RemoveAuthor(); - PrivilegeDb::getInstance().AuthorIdExists(authorId, restoreAuthor); + PrivilegeDb::getInstance().RemoveApplication(appId, uid, removeApp, removePkg, removeAuthor); // if uninstalled app is targetted to Tizen 2.X, remove other 2.X apps RO rules it's shared dir if(isTizen2XVersion(tizenVersion)) @@ -472,9 +470,9 @@ int ServiceImpl::appUninstall(const std::string &appId, uid_t uid) SmackRules::uninstallPackageRules(pkgId); } - if (restoreAuthor) { + if (removeAuthor) { LogDebug("Removing Smack rules for authorId " << authorId); - SmackRules::fixAuthorRules(authorId); + SmackRules::uninstallAuthorRules(authorId); } } catch (const SmackException::Base &e) { diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp index bd66158..7ed41f3 100644 --- a/src/common/smack-rules.cpp +++ b/src/common/smack-rules.cpp 
@@ -45,6 +45,8 @@ const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~"; const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~"; const char *const SMACK_AUTHOR_LABEL_TEMPLATE = "~AUTHOR~"; const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack"); +const char *const AUTHOR_RULES_TEMPLATE_FILE_PATH = + tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "author-rules-template.smack"); const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat"; const char *const SMACK_APP_CROSS_PKG_PERMS = "rx"; const char *const SMACK_APP_PATH_OWNER_PERMS = "rwxat"; @@ -145,17 +147,18 @@ void SmackRules::saveToFile(const std::string &path) const } void SmackRules::addFromTemplateFile( + const std::string &templatePath, const std::string &appId, const std::string &pkgId, const std::string &authorId) { - std::vector templateRules; + RuleVector templateRules; std::string line; - std::ifstream templateRulesFile(APP_RULES_TEMPLATE_FILE_PATH); + std::ifstream templateRulesFile(templatePath); if (!templateRulesFile.is_open()) { - LogError("Cannot open rules template file: " << APP_RULES_TEMPLATE_FILE_PATH); - ThrowMsg(SmackException::FileError, "Cannot open rules template file: " << APP_RULES_TEMPLATE_FILE_PATH); + LogError("Cannot open rules template file: " << templatePath); + ThrowMsg(SmackException::FileError, "Cannot open rules template file: " << templatePath); } while (std::getline(templateRulesFile, line)) { 
@@ -163,26 +166,34 @@ void SmackRules::addFromTemplateFile( } if (templateRulesFile.bad()) { - LogError("Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH); - ThrowMsg(SmackException::FileError, "Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH); + LogError("Error reading template file: " << templatePath); + ThrowMsg(SmackException::FileError, "Error reading template file: " << templatePath); } addFromTemplate(templateRules, appId, pkgId, authorId); } void SmackRules::addFromTemplate( - const std::vector &templateRules, + const RuleVector &templateRules, const std::string &appId, const std::string &pkgId, const std::string &authorId) { + if (appId.empty() || pkgId.empty()) { + LogError("Neither appId nor pkgId may be empty."); + ThrowMsg(SmackException::InvalidParam, "Neither appId nor pkgId may be empty."); + } + + std::string appLabel = SmackLabels::generateAppLabel(appId); + std::string pkgLabel = SmackLabels::generatePkgLabel(pkgId); + + std::string authorLabel = + authorId.empty() ? std::string() : SmackLabels::generateAuthorLabel(authorId); + for (auto rule : templateRules) { if (rule.empty()) continue; - if (authorId.empty() && rule.find(SMACK_AUTHOR_LABEL_TEMPLATE) != std::string::npos) - continue; - std::stringstream stream(rule); std::string subject, object, permissions; stream >> subject >> object >> permissions; 
@@ -192,16 +203,14 @@ void SmackRules::addFromTemplate( ThrowMsg(SmackException::FileError, "Invalid rule template: " << rule); } - strReplace(subject, SMACK_APP_LABEL_TEMPLATE, SmackLabels::generateAppLabel(appId)); - strReplace(subject, SMACK_PKG_LABEL_TEMPLATE, SmackLabels::generatePkgLabel(pkgId)); - strReplace(object, SMACK_APP_LABEL_TEMPLATE, SmackLabels::generateAppLabel(appId)); - strReplace(object, SMACK_PKG_LABEL_TEMPLATE, SmackLabels::generatePkgLabel(pkgId)); + strReplace(subject, SMACK_APP_LABEL_TEMPLATE, appLabel); + strReplace(subject, SMACK_PKG_LABEL_TEMPLATE, pkgLabel); + strReplace(object, SMACK_APP_LABEL_TEMPLATE, appLabel); + strReplace(object, SMACK_PKG_LABEL_TEMPLATE, pkgLabel); + strReplace(object, SMACK_AUTHOR_LABEL_TEMPLATE, authorLabel); - if (!authorId.empty()) { - strReplace(object, - SMACK_AUTHOR_LABEL_TEMPLATE, - SmackLabels::generateAuthorLabel(authorId)); - } + if (subject.empty() || object.empty()) + continue; add(subject, object, permissions); } @@ -283,6 +292,27 @@ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId) return path; } +std::string SmackRules::getAuthorRulesFilePath(const std::string &authorId) +{ + return tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("author_" + authorId).c_str()); +} + +void SmackRules::useTemplate( + const std::string &templatePath, + const std::string &outputPath, + const std::string &appId, + const std::string &pkgId, + const std::string &authorId) +{ + SmackRules smackRules; + smackRules.addFromTemplateFile(templatePath, appId, pkgId, authorId); + + if (smack_smackfs_path() != NULL) + smackRules.apply(); + + smackRules.saveToFile(outputPath); +} + void SmackRules::installApplicationRules( const std::string &appId, const std::string &pkgId, 
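Review bot: The new `if (subject.empty() || object.empty()) continue;` drops a template rule silently whenever a placeholder was substituted with an empty label; that is the intended way to skip author rules for apps without an author, but it also hides genuinely broken templates from the logs — `LogDebug("Skipping rule with empty label: " << rule);` before the `continue` keeps the behaviour while making dropped rules visible. Note also that only `object` receives the author substitution (`strReplace(object, SMACK_AUTHOR_LABEL_TEMPLATE, authorLabel)`), so a template line with `~AUTHOR~` in subject position would keep the literal placeholder and be added as a rule for a label named `~AUTHOR~`; substituting the subject as well, or rejecting rules that still contain a placeholder, closes that gap. The loop this hunk belongs to starts in the previous hunk.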
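Review bot: `getAuthorRulesFilePath` splices `authorId` straight into a path under accesses.d (`"author_" + authorId`), and `uninstallAuthorRules` later hands that path to `uninstallRules`, yet nothing in the class checks that the id is the plain numeric database key the header describes. `AuthorIdExists` parses it with atoi, so digits are clearly expected; making that explicit here, `if (authorId.empty() || authorId.find_first_not_of("0123456789") != std::string::npos) ThrowMsg(SmackException::InvalidParam, "Invalid authorId: " << authorId);`, keeps a malformed id from ever naming a file outside that directory. In `useTemplate`, `apply()` runs before `saveToFile(outputPath)`, so a failed write leaves rules in the kernel that are absent from the persistent copy; the ordering is inherited from the code it replaces, but a comment stating it (and that the kernel step is skipped when smackfs is not mounted) would help the next reader.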
@@ -291,15 +321,10 @@ void SmackRules::installApplicationRules( const std::vector &appsGranted, const std::vector &accessPackages) { - SmackRules smackRules; - std::string appPath = getApplicationRulesFilePath(appId); + useTemplate(APP_RULES_TEMPLATE_FILE_PATH, getApplicationRulesFilePath(appId), appId, pkgId, authorId); - smackRules.addFromTemplateFile(appId, pkgId, authorId); - - if (smack_smackfs_path() != NULL) - smackRules.apply(); - - smackRules.saveToFile(appPath); + if (!authorId.empty()) + useTemplate(AUTHOR_RULES_TEMPLATE_FILE_PATH, getAuthorRulesFilePath(authorId), appId, pkgId, authorId); updatePackageRules(pkgId, pkgContents, appsGranted); generateAppToOtherPackagesDeps(appId, accessPackages); @@ -372,12 +397,9 @@ void SmackRules::strReplace(std::string &haystack, const std::string &needle, haystack.replace(pos, needle.size(), replace); } -void SmackRules::fixAuthorRules(const std::string &authorId) { - SmackRules rules; - std::string authorLabel = SmackLabels::generateAuthorLabel(authorId); - rules.add("User", authorLabel, "rwxat"); - rules.add("System", authorLabel, "rwxat"); - rules.apply(); +void SmackRules::uninstallAuthorRules(const std::string &authorId) +{ + uninstallRules(getAuthorRulesFilePath(authorId)); } void SmackRules::applyPrivateSharingRules( -- 2.7.4 From 6886eeba8b0fff7563846b941fc76cabd3edb181 Mon Sep 17 00:00:00 2001 From: Bartlomiej Grzelewski Date: Thu, 11 Feb 2016 16:05:03 +0100 Subject: [PATCH 05/16] Move pkg rules to new template file. Change-Id: Ibc0a79a8f0d850ab47d43236a20a975186dfcfbe --- policy/CMakeLists.txt | 1 + policy/app-rules-template.smack | 6 ------ policy/pkg-rules-template.smack | 7 +++++++ src/common/include/smack-rules.h | 18 ++++++++---------- src/common/service_impl.cpp | 12 ++++++------ src/common/smack-rules.cpp | 38 ++++++++++++++++++++------------------ 6 files changed, 42 insertions(+), 40 deletions(-) create mode 100644 policy/pkg-rules-template.smack 
diff --git a/policy/CMakeLists.txt b/policy/CMakeLists.txt index d7a8a5d..fbc5c3e 100644 --- a/policy/CMakeLists.txt +++ b/policy/CMakeLists.txt @@ -1,6 +1,7 @@ FILE(GLOB USERTYPE_POLICY_FILES usertype-*.profile) INSTALL(FILES ${USERTYPE_POLICY_FILES} DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) INSTALL(FILES "app-rules-template.smack" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) +INSTALL(FILES "pkg-rules-template.smack" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) INSTALL(FILES "author-rules-template.smack" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) INSTALL(FILES "privilege-group.list" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) INSTALL(PROGRAMS security-manager-policy-reload DESTINATION ${BIN_INSTALL_DIR}) diff --git a/policy/app-rules-template.smack b/policy/app-rules-template.smack index 2eb2dff..02f440f 100644 --- a/policy/app-rules-template.smack +++ b/policy/app-rules-template.smack @@ -1,16 +1,10 @@ System ~APP~ rwx -System ~PKG~ rwxat -System ~PKG~::RO rwxat -System ~PKG~::SharedRO rwxat ~APP~ System wx ~APP~ System::Shared rxl ~APP~ System::Run rwxat ~APP~ System::Log rwxa ~APP~ _ l User ~APP~ rwx -User ~PKG~ rwxat -User ~PKG~::RO rwxat -User ~PKG~::SharedRO rwxat ~APP~ User wx ~APP~ User::Home rxl ~APP~ User::App::Shared rwxat diff --git a/policy/pkg-rules-template.smack b/policy/pkg-rules-template.smack new file mode 100644 index 0000000..f94d741 --- /dev/null +++ b/policy/pkg-rules-template.smack @@ -0,0 +1,7 @@ +System ~PKG~ rwxat +System ~PKG~::RO rwxat +System ~PKG~::SharedRO rwxat +User ~PKG~ rwxat +User ~PKG~::RO rwxat +User ~PKG~::SharedRO rwxat + diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h index eef43cc..bd9c22f 100644 --- a/src/common/include/smack-rules.h +++ b/src/common/include/smack-rules.h 
@@ -62,7 +62,7 @@ public: void apply() const; void clear() const; - void saveToFile(const std::string &path) const; + void saveToFile(const std::string &path, bool truncFile = true) const; /** * Create cross dependencies for all applications in a package @@ -126,15 +126,8 @@ public: * removes them for persistent storage. * * @param[in] appId - application id - * @param[in] pkgId - package id that the application belongs to - * @param[in] appsInPkg - a list of other applications in the same package id that the application belongs to - * @param[in] appsGranted - list of 2.x apps granted access */ - static void uninstallApplicationRules( - const std::string &appId, - const std::string &pkgId, - std::vector appsInPkg, - const std::vector &appsGranted); + static void uninstallApplicationRules(const std::string &appId); /** * Update package specific rules @@ -143,7 +136,7 @@ public: * need to exist currently for all application in that * package * - * @param[in] pkgId - id of the package to update + * @param[in] pkgId - package id that the application is in * @param[in] pkgContents - list of all applications in the package * @param[in] appsGranted - list of 2.x apps granted access */ @@ -227,6 +220,11 @@ private: static std::string getApplicationRulesFilePath(const std::string &appId); /** + * Create a path for application rules + */ + static std::string getPkgRulesFilePath(const std::string &pkgId); + + /** * Create a path for author rules */ static std::string getAuthorRulesFilePath(const std::string &authorId); diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp index 45de6de..3678259 100644 --- a/src/common/service_impl.cpp +++ b/src/common/service_impl.cpp 
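Review bot: The new declaration `static std::string getPkgRulesFilePath(const std::string &pkgId);` carries the comment `Create a path for application rules`, copied from the declaration above it, and the smack-rules.cpp hunks of this patch keep calling the existing `getPackageRulesFilePath` — as far as the visible diff shows the new function is neither defined nor used. Either drop the declaration or, if it is meant to replace `getPackageRulesFilePath`, change the comment to `Create a path for package rules` and switch the callers. The reworded `@param[in] pkgId - package id that the application is in` on `updatePackageRules` is also less precise than the old `id of the package to update`, since that function takes no application argument.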
@@ -462,19 +462,19 @@ int ServiceImpl::appUninstall(const std::string &appId, uid_t uid) try { if (removeApp) { LogDebug("Removing smack rules for deleted appId " << appId); - SmackRules::uninstallApplicationRules(appId, pkgId, pkgContents, allTizen2XApps); - } - - if (removePkg) { - LogDebug("Removing Smack rules for deleted pkgId " << pkgId); + SmackRules::uninstallApplicationRules(appId); + LogDebug("Pkg rules are deprecated. We must uninstall them. pkgId " << pkgId); SmackRules::uninstallPackageRules(pkgId); + if (!removePkg) { + LogDebug("Creating new rules for pkgId " << pkgId); + SmackRules::updatePackageRules(pkgId, pkgContents, allTizen2XApps); + } } if (removeAuthor) { LogDebug("Removing Smack rules for authorId " << authorId); SmackRules::uninstallAuthorRules(authorId); } - } catch (const SmackException::Base &e) { LogError("Error while removing Smack rules for application: " << e.DumpToString()); return SECURITY_MANAGER_ERROR_SETTING_FILE_LABEL_FAILED; diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp index 7ed41f3..df3f1a0 100644 --- a/src/common/smack-rules.cpp +++ b/src/common/smack-rules.cpp @@ -45,6 +45,7 @@ const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~"; const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~"; const char *const SMACK_AUTHOR_LABEL_TEMPLATE = "~AUTHOR~"; const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack"); +const char *const PKG_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "pkg-rules-template.smack"); const char *const AUTHOR_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "author-rules-template.smack"); const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat"; 
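Review bot: The new sequence calls `SmackRules::uninstallPackageRules(pkgId)` for every removed app and only afterwards, when `!removePkg`, rebuilds the rules with `updatePackageRules`, so the other applications still installed in the package lose their package rules for the duration and, if `updatePackageRules` throws, keep losing them — the catch below returns `SECURITY_MANAGER_ERROR_SETTING_FILE_LABEL_FAILED` with the package rules already torn down. Applying the rebuilt set first and removing only what is no longer needed would avoid the gap; at minimum the window deserves a comment. The log line `LogDebug("Pkg rules are deprecated. We must uninstall them. pkgId " << pkgId);` is also misleading, since the rules are recreated two lines later; `LogDebug("Rebuilding package rules for pkgId " << pkgId);` describes what happens. The enclosing try block begins before this hunk.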
@@ -117,11 +118,12 @@ void SmackRules::loadFromFile(const std::string &path) } } -void SmackRules::saveToFile(const std::string &path) const +void SmackRules::saveToFile(const std::string &path, bool truncFile) const { int fd; + int flags = O_CREAT | O_WRONLY | (truncFile ? O_TRUNC : O_APPEND); - fd = TEMP_FAILURE_RETRY(open(path.c_str(), O_CREAT | O_WRONLY | O_TRUNC, 0644)); + fd = TEMP_FAILURE_RETRY(open(path.c_str(), flags, 0644)); if (fd == -1) { LogError("Failed to create file: " << path); ThrowMsg(SmackException::FileError, "Failed to create file: " << path); @@ -179,16 +181,18 @@ void SmackRules::addFromTemplate( const std::string &pkgId, const std::string &authorId) { - if (appId.empty() || pkgId.empty()) { - LogError("Neither appId nor pkgId may be empty."); - ThrowMsg(SmackException::InvalidParam, "Neither appId nor pkgId may be empty."); - } + std::string appLabel; + std::string pkgLabel; + std::string authorLabel; + + if (!appId.empty()) + appLabel = SmackLabels::generateAppLabel(appId); - std::string appLabel = SmackLabels::generateAppLabel(appId); - std::string pkgLabel = SmackLabels::generatePkgLabel(pkgId); + if (!pkgId.empty()) + pkgLabel = SmackLabels::generatePkgLabel(pkgId); - std::string authorLabel = - authorId.empty() ? std::string() : SmackLabels::generateAuthorLabel(authorId); + if (!authorId.empty()) + authorLabel = SmackLabels::generateAuthorLabel(authorId); for (auto rule : templateRules) { if (rule.empty()) @@ -330,10 +334,13 @@ void SmackRules::installApplicationRules( generateAppToOtherPackagesDeps(appId, accessPackages); } -void SmackRules::updatePackageRules(const std::string &pkgId, +void SmackRules::updatePackageRules( + const std::string &pkgId, const std::vector &pkgContents, const std::vector &appsGranted) { + useTemplate(PKG_RULES_TEMPLATE_FILE_PATH, getPackageRulesFilePath(pkgId), std::string(), pkgId, std::string()); + SmackRules smackRules; std::string pkgPath = getPackageRulesFilePath(pkgId); 
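Review bot: Removing the `appId.empty() || pkgId.empty()` check from `addFromTemplate` makes empty ids legal (updatePackageRules now passes an empty appId), but the substitution that follows, outside this hunk, replaces the placeholder with an empty label and only skips the rule when the whole subject or object ends up empty: a template line such as `System ~PKG~::RO rwxat` rendered with an empty pkgId becomes `System ::RO rwxat` and is added as a rule for a label named `::RO`. Skipping any rule that references a placeholder whose label is empty — the shape the previous patch removed for authors, `if (pkgLabel.empty() && rule.find(SMACK_PKG_LABEL_TEMPLATE) != std::string::npos) continue;` and likewise for `~APP~` and `~AUTHOR~` — closes that gap for every template. The replacement loop sits in the next hunk of the original file.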
@@ -343,7 +350,7 @@ void SmackRules::updatePackageRules(const std::string &pkgId, if (smack_smackfs_path() != NULL) smackRules.apply(); - smackRules.saveToFile(pkgPath); + smackRules.saveToFile(pkgPath, false); } void SmackRules::uninstallPackageRules(const std::string &pkgId) @@ -351,14 +358,9 @@ void SmackRules::uninstallPackageRules(const std::string &pkgId) uninstallRules(getPackageRulesFilePath(pkgId)); } -void SmackRules::uninstallApplicationRules( - const std::string &appId, - const std::string &pkgId, - std::vector pkgContents, - const std::vector &appsGranted) +void SmackRules::uninstallApplicationRules(const std::string &appId) { uninstallRules(getApplicationRulesFilePath(appId)); - updatePackageRules(pkgId, pkgContents, appsGranted); } void SmackRules::uninstallRules(const std::string &path) -- 2.7.4 From 77ce0887710d176e10f6f37b0fc658ef329f81c8 Mon Sep 17 00:00:00 2001 From: Zbigniew Jasinski Date: Tue, 16 Feb 2016 17:29:13 +0100 Subject: [PATCH 06/16] Updated version for release Version: 1.1.0 Release: 2 Change-Id: I49569d258b16bc02bc920215c618afe6692184ef --- packaging/security-manager.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec index fe33a0e..582ce14 100644 --- a/packaging/security-manager.spec +++ b/packaging/security-manager.spec @@ -1,7 +1,7 @@ Name: security-manager Summary: Security manager and utilities Version: 1.1.0 -Release: 1 +Release: 2 Group: Security/Service License: Apache-2.0 Source0: %{name}-%{version}.tar.gz -- 2.7.4 From bb1e41bbf6be7b5dabe6162effd6d70ccd6becae Mon Sep 17 00:00:00 2001 From: Zbigniew Jasinski Date: Wed, 20 Jan 2016 12:04:27 +0100 Subject: [PATCH 07/16] Added 'nether' package as required for install. Change-Id: Id1d90aeb108b7f5bec751006bf740fb9087b1c4b --- packaging/security-manager.spec | 1 + 1 file changed, 1 insertion(+) 
diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec index 582ce14..800147f 100644 --- a/packaging/security-manager.spec +++ b/packaging/security-manager.spec @@ -8,6 +8,7 @@ Source0: %{name}-%{version}.tar.gz Source1: security-manager.manifest Source3: libsecurity-manager-client.manifest Requires: security-manager-policy +Requires: nether Requires(post): smack BuildRequires: cmake BuildRequires: zip -- 2.7.4 From c7fdaefaf9634c79d8980b970bb8a9c16586bbaf Mon Sep 17 00:00:00 2001 From: Zbigniew Jasinski Date: Fri, 19 Feb 2016 13:18:13 +0100 Subject: [PATCH 08/16] Updated version for release Version: 1.1.0 Release: 3 Change-Id: I2ea66996980c7c61fef3c662479e04eec68c5bc9 --- packaging/security-manager.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec index 800147f..077767b 100644 --- a/packaging/security-manager.spec +++ b/packaging/security-manager.spec @@ -1,7 +1,7 @@ Name: security-manager Summary: Security manager and utilities Version: 1.1.0 -Release: 2 +Release: 3 Group: Security/Service License: Apache-2.0 Source0: %{name}-%{version}.tar.gz -- 2.7.4 From fd11b2adb48d9ed0df09418fc3d9e8c47cb45d7b Mon Sep 17 00:00:00 2001 From: Yunjin Lee Date: Mon, 22 Feb 2016 18:02:04 +0900 Subject: [PATCH 09/16] Remove d2d.admin and d2d.appcontrol and Add use_ir privilege Change-Id: I2fb4ad8b4a35f498f3a27bfb882b77973ffd9b44 Signed-off-by: Yunjin Lee --- policy/usertype-admin.profile | 3 +-- policy/usertype-guest.profile | 3 +-- policy/usertype-normal.profile | 3 +-- policy/usertype-system.profile | 3 +-- 4 files changed, 4 insertions(+), 8 deletions(-) diff --git a/policy/usertype-admin.profile b/policy/usertype-admin.profile index 19a537f..ac37653 100644 --- a/policy/usertype-admin.profile +++ b/policy/usertype-admin.profile 
@@ -21,8 +21,6 @@ * http://tizen.org/privilege/contact.read * http://tizen.org/privilege/contact.write * http://tizen.org/privilege/content.write -* http://tizen.org/privilege/d2d.admin -* http://tizen.org/privilege/d2d.appcontrol * http://tizen.org/privilege/d2d.datasharing * http://tizen.org/privilege/datasharing * http://tizen.org/privilege/display @@ -73,6 +71,7 @@ * http://tizen.org/privilege/telephony.admin * http://tizen.org/privilege/tethering.admin * http://tizen.org/privilege/volume.set +* http://tizen.org/privilege/use_ir * http://tizen.org/privilege/web-history.admin * http://tizen.org/privilege/widget.viewer * http://tizen.org/privilege/wifidirect diff --git a/policy/usertype-guest.profile b/policy/usertype-guest.profile index efbad0d..b56306a 100644 --- a/policy/usertype-guest.profile +++ b/policy/usertype-guest.profile @@ -21,8 +21,6 @@ * http://tizen.org/privilege/contact.read * http://tizen.org/privilege/contact.write * http://tizen.org/privilege/content.write -* http://tizen.org/privilege/d2d.admin -* http://tizen.org/privilege/d2d.appcontrol * http://tizen.org/privilege/d2d.datasharing * http://tizen.org/privilege/datasharing * http://tizen.org/privilege/display @@ -72,6 +70,7 @@ * http://tizen.org/privilege/telephony * http://tizen.org/privilege/telephony.admin * http://tizen.org/privilege/tethering.admin +* http://tizen.org/privilege/use_ir * http://tizen.org/privilege/volume.set * http://tizen.org/privilege/web-history.admin * http://tizen.org/privilege/widget.viewer diff --git a/policy/usertype-normal.profile b/policy/usertype-normal.profile index 0a16220..735ac80 100644 --- a/policy/usertype-normal.profile +++ b/policy/usertype-normal.profile 
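Review bot: In usertype-admin.profile the new `* http://tizen.org/privilege/use_ir` line is placed after `volume.set`, whereas the same line is inserted before `volume.set` in usertype-guest.profile, usertype-normal.profile and usertype-system.profile, which otherwise keep the list alphabetical; the admin profile should insert it in the same position. Consistent ordering keeps the four profiles diffable against each other, which is how a reviewer notices an unintended privilege difference between user types.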
@@ -21,8 +21,6 @@ * http://tizen.org/privilege/contact.read * http://tizen.org/privilege/contact.write * http://tizen.org/privilege/content.write -* http://tizen.org/privilege/d2d.admin -* http://tizen.org/privilege/d2d.appcontrol * http://tizen.org/privilege/d2d.datasharing * http://tizen.org/privilege/datasharing * http://tizen.org/privilege/display @@ -72,6 +70,7 @@ * http://tizen.org/privilege/telephony * http://tizen.org/privilege/telephony.admin * http://tizen.org/privilege/tethering.admin +* http://tizen.org/privilege/use_ir * http://tizen.org/privilege/volume.set * http://tizen.org/privilege/web-history.admin * http://tizen.org/privilege/widget.viewer diff --git a/policy/usertype-system.profile b/policy/usertype-system.profile index 9097750..e710940 100644 --- a/policy/usertype-system.profile +++ b/policy/usertype-system.profile @@ -21,8 +21,6 @@ * http://tizen.org/privilege/contact.read * http://tizen.org/privilege/contact.write * http://tizen.org/privilege/content.write -* http://tizen.org/privilege/d2d.admin -* http://tizen.org/privilege/d2d.appcontrol * http://tizen.org/privilege/d2d.datasharing * http://tizen.org/privilege/datasharing * http://tizen.org/privilege/display @@ -72,6 +70,7 @@ * http://tizen.org/privilege/telephony * http://tizen.org/privilege/telephony.admin * http://tizen.org/privilege/tethering.admin +* http://tizen.org/privilege/use_ir * http://tizen.org/privilege/volume.set * http://tizen.org/privilege/web-history.admin * http://tizen.org/privilege/widget.viewer -- 2.7.4 From f63582c13f531d589378d53f1bc4842569289d08 Mon Sep 17 00:00:00 2001 
From: Rafal Krypa Date: Fri, 26 Feb 2016 14:05:34 +0100 Subject: [PATCH 10/16] Small fixes in functions generating Smack labels - properly release memory in SmackLabels::getSmackLabelFromSocket() - use libsmack function in SmackLabels::getSmackLabelFromPath() Change-Id: I837947a16dff90d84e751176cab0692cd70278c0 --- src/common/smack-labels.cpp | 35 ++++++++++++++++++++++------------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp index 8682d52..ccec4f8 100644 --- a/src/common/smack-labels.cpp +++ b/src/common/smack-labels.cpp @@ -32,6 +32,7 @@ #include #include #include +#include #include #include #include @@ -240,7 +241,8 @@ std::string generatePkgROLabel(const std::string &pkgId) return label; } -std::string generateSharedPrivateLabel(const std::string &pkgId, const std::string &path) { +std::string generateSharedPrivateLabel(const std::string &pkgId, const std::string &path) +{ // Prefix $1$ causes crypt() to use MD5 function std::string label = "User::Pkg::"; std::string salt = "$1$" + pkgId; 
@@ -259,14 +261,29 @@ std::string generateSharedPrivateLabel(const std::string &pkgId, const std::stri std::string getSmackLabelFromSocket(int socketFd) { char *label = nullptr; - ssize_t labelSize = smack_new_label_from_socket(socketFd, &label); + std::unique_ptr labelPtr(label, free); + if (labelSize < 0) { ThrowMsg(SmackException::Base, "smack_new_label_from_socket error for socket: " << socketFd); } - return label; + return std::string(labelPtr.get(), labelSize); +} + +std::string getSmackLabelFromPath(const std::string &path) +{ + char *label = nullptr; + ssize_t labelSize = smack_new_label_from_path(path.c_str(), XATTR_NAME_SMACK, true, &label); + std::unique_ptr labelPtr(label, free); + + if (labelSize < 0) { + ThrowMsg(SmackException::FileError, + "smack_new_label_from_path error for path: " << path); + } + + return std::string(labelPtr.get(), labelSize); } std::string getSmackLabelFromPid(pid_t pid) @@ -287,7 +304,8 @@ std::string getSmackLabelFromPid(pid_t pid) return result; } -std::string generateAuthorLabel(const std::string &authorId) { +std::string generateAuthorLabel(const std::string &authorId) +{ if (authorId.empty()) { LogError("Author was not set. It's not possible to generate label for unknown author."); ThrowMsg(SmackException::InvalidLabel, "Could not generate valid label without authorId"); @@ -296,14 +314,5 @@ std::string generateAuthorLabel(const std::string &authorId) { return "User::Author::" + authorId; } -std::string getSmackLabelFromPath(const std::string &path) { - char label[SMACK_LABEL_LEN]; - ssize_t realLen; - if ((realLen = lgetxattr(path.c_str(), XATTR_NAME_SMACK, label, SMACK_LABEL_LEN)) < 0) { - ThrowMsg(SmackException::FileError, "lgetxattr failed"); - } - return std::string(label, label+realLen); -} - } // namespace SmackLabels } // namespace SecurityManager -- 2.7.4 From b3d9b224ea5427d11ea6a4c8476448db787f474f Mon Sep 17 00:00:00 2001 
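Review bot: getSmackLabelFromPath now calls `smack_new_label_from_path(path.c_str(), XATTR_NAME_SMACK, true, &label)`, and the third argument of that libsmack function is its follow-symlinks flag; the removed implementation used `lgetxattr`, which reads the label of the link itself, so this returns the label of the link target instead and is a behavioural change rather than the pure refactor the commit message describes. If the old lstat-like semantics were intended, pass `false`; either way the chosen behaviour belongs in a comment at the call, e.g. `// follow = true: report the label of the symlink target, not of the link itself`. Separately, the rendered hunk shows the `ssize_t labelSize = smack_new_label_from_socket(socketFd, &label);` line only on the removed side of getSmackLabelFromSocket, and the template arguments of `std::unique_ptr` are missing on both new lines; presumably both are rendering artefacts (labelSize is still used on the new side), but worth confirming against the actual patch.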
From: Rafal Krypa Date: Fri, 26 Feb 2016 16:16:36 +0100 Subject: [PATCH 11/16] Split very long public header to smaller, logically consistent parts The header security-manager.h is now split into the following parts: - app-manager.h - app-runtime.h - app-sharing.h - user-manager.h - policy-manager.h The original header includes all new headers, so depending applications don't need to change their code. Change-Id: I8dd56124b20e675c76daa86752ccb0cbd0126927 Signed-off-by: Rafal Krypa --- packaging/security-manager.spec | 3 +- src/include/CMakeLists.txt | 5 + src/include/app-manager.h | 140 +++++++ src/include/app-runtime.h | 174 +++++++++ src/include/app-sharing.h | 112 ++++++ src/include/policy-manager.h | 433 ++++++++++++++++++++++ src/include/security-manager.h | 798 +--------------------------------------- src/include/user-manager.h | 98 +++++ 8 files changed, 968 insertions(+), 795 deletions(-) create mode 100644 src/include/app-manager.h create mode 100644 src/include/app-runtime.h create mode 100644 src/include/app-sharing.h create mode 100644 src/include/policy-manager.h create mode 100644 src/include/user-manager.h diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec index 077767b..143f34e 100644 --- a/packaging/security-manager.spec +++ b/packaging/security-manager.spec @@ -159,8 +159,7 @@ fi %defattr(-,root,root,-) %{_libdir}/libsecurity-manager-client.so %{_libdir}/libsecurity-manager-commons.so -%{_includedir}/security-manager/security-manager.h -%{_includedir}/security-manager/security-manager-types.h +%{_includedir}/security-manager/*.h %{_libdir}/pkgconfig/security-manager.pc %files -n security-manager-policy diff --git a/src/include/CMakeLists.txt b/src/include/CMakeLists.txt index 353a159..1a6d090 100644 --- a/src/include/CMakeLists.txt +++ b/src/include/CMakeLists.txt 
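Review bot: Replacing the two explicit header entries with `%{_includedir}/security-manager/*.h` in %files means every header that ever lands in that directory is shipped as public API, including an internal one installed there by mistake later; the explicit list acted as a check that the installed interface matched the intended one. Since src/include/CMakeLists.txt in this same commit lists the five new headers individually, listing them here too costs five lines and keeps that check. If the glob is preferred, a one-line comment above it stating that every header in that directory is considered public would make the decision visible.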
@@ -1,5 +1,10 @@ INSTALL(FILES ${INCLUDE_PATH}/security-manager.h ${INCLUDE_PATH}/security-manager-types.h + ${INCLUDE_PATH}/app-manager.h + ${INCLUDE_PATH}/app-runtime.h + ${INCLUDE_PATH}/app-sharing.h + ${INCLUDE_PATH}/user-manager.h + ${INCLUDE_PATH}/policy-manager.h DESTINATION ${INCLUDE_INSTALL_DIR}/security-manager ) diff --git a/src/include/app-manager.h b/src/include/app-manager.h new file mode 100644 index 0000000..1d90b6a --- /dev/null +++ b/src/include/app-manager.h 
@@ -0,0 +1,140 @@ +/* + * Copyright (c) 2000 - 2016 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Rafal Krypa + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + * + */ + +#ifndef SECURITY_MANAGER_APP_MANAGER_H_ +#define SECURITY_MANAGER_APP_MANAGER_H_ + +#include "security-manager-types.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * This function is responsible for initialize app_inst_req data structure + * It uses dynamic allocation inside and user responsibility is to call + * app_inst_req_free() for freeing allocated resources + * + * \param[in] Address of pointer for handle app_inst_req structure + * \return API return code or error code + */ +int security_manager_app_inst_req_new(app_inst_req **pp_req); + +/* + * This function is used to free resources allocated by calling app_inst_req_new() + * \param[in] Pointer handling allocated app_inst_req structure + */ +void security_manager_app_inst_req_free(app_inst_req *p_req); + +/* + * This function is used to set up target Tizen API version for app in app_inst_req structure + * + * \param[in] Pointer handling app_inst_req structure + * \param[in] Target Tizen version + * \return API return code or error code + */ +int security_manager_app_inst_req_set_target_version(app_inst_req *p_req, const char *tizen_ver); + +/* + * This function is used to set up application identifier in app_inst_req structure + * + * \param[in] Pointer handling app_inst_req structure + * \param[in] 
Application identifier + * \return API return code or error code + */ +int security_manager_app_inst_req_set_app_id(app_inst_req *p_req, const char *app_id); + +/* + * This function is used to set up package identifier in app_inst_req structure + * + * \param[in] Pointer handling app_inst_req structure + * \param[in] Package identifier + * \return API return code or error code + */ +int security_manager_app_inst_req_set_pkg_id(app_inst_req *p_req, const char *pkg_id); + +/* + * This function is used to add privilege to app_inst_req structure, + * it can be called multiple times + * + * \param[in] Pointer handling app_inst_req structure + * \param[in] Application privilager + * \return API return code or error code + */ +int security_manager_app_inst_req_add_privilege(app_inst_req *p_req, const char *privilege); + +/* + * This function is used to add application path to app_inst_req structure, + * it can be called multiple times + * + * \param[in] Pointer handling app_inst_req structure + * \param[in] Application path + * \param[in] Application path type + * \return API return code or error code + */ +int security_manager_app_inst_req_add_path(app_inst_req *p_req, const char *path, const int path_type); + +/* + * This function is used to set up user identifier in app_inst_req structure. + * This field simplifies support for online and offline modes. + * + * \param[in] Pointer handling app_inst_req structure + * \param[in] User identifier (UID) + * \return API return code or error code + */ +int security_manager_app_inst_req_set_uid(app_inst_req *p_req, + const uid_t uid); + +/* + * This function is used to set up author identifier in app_inst_req structure. + * This field is required for trusted paths only (SECURITY_MANAGER_PATH_TRUSTED_RW). 
+ * + * \param[in] Pointer handling app_inst_req structure + * \param[in] Author's identifier + * \return API return code or error code + */ +int security_manager_app_inst_req_set_author_id(app_inst_req *p_req, const char *author_id); + +/* + * This function is used to install application based on + * using filled up app_inst_req data structure + * + * \param[in] Pointer handling app_inst_req structure + * \return API return code or error code: it would be + * - SECURITY_MANAGER_SUCCESS on success, + * - SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED when user does not + * have rights to install requested directories, + * - SECURITY_MANAGER_ERROR_UNKNOWN on other errors. + */ +int security_manager_app_install(const app_inst_req *p_req); + +/* + * This function is used to uninstall application based on + * using filled up app_inst_req data structure + * + * \param[in] Pointer handling app_inst_req structure + * \return API return code or error code + */ +int security_manager_app_uninstall(const app_inst_req *p_req); + +#ifdef __cplusplus +} +#endif + +#endif /* SECURITY_MANAGER_APP_MANAGER_H_ */ diff --git a/src/include/app-runtime.h b/src/include/app-runtime.h new file mode 100644 index 0000000..6e8e949 --- /dev/null +++ b/src/include/app-runtime.h 
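Review bot: The doc comment of security_manager_app_inst_req_add_privilege has a typo, `\param[in] Application privilager` should read `\param[in] Application privilege`, and the first comment of the file says "responsible for initialize app_inst_req" where "initializing" is meant. Since this header is the moved text of the former security-manager.h block, fixing these while the lines are being rewritten is cheap. None of the `\param[in]` tags in this file name the parameter they describe, so Doxygen cannot pair them with the signature; the named form, e.g. `\param[in] p_req Pointer handling app_inst_req structure`, is what policy-manager.h in the same commit already uses.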
@@ -0,0 +1,174 @@ +/* + * Copyright (c) 2000 - 2016 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Rafal Krypa + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + * + */ + +#ifndef SECURITY_MANAGER_APP_RUNTIME_H_ +#define SECURITY_MANAGER_APP_RUNTIME_H_ + +#include "security-manager-types.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * Get package id of a given application + * + * On successful call pkg_id should be freed by the caller using free() function + * + * \param[out] Pointer to package identifier string + * \param[in] Application identifier + * \return API return code or error code + */ +int security_manager_get_app_pkgid(char **pkg_id, const char *app_id); + +/** + * Compute smack label for given application id and set it for + * currently running process + * + * \param[in] Application identifier + * \return API return code or error code + */ +int security_manager_set_process_label_from_appid(const char *app_id); + +/** + * For given app_id and current user, calculate allowed privileges that give + * direct access to file system resources. Then add current process to + * supplementary groups that are assigned to these resources. + * + * In Tizen some sensitive resources are being accessed by applications directly. + * The resources, being file system objects, are owned by dedicated GIDs and only + * processes in those UNIX groups can access them. 
This function is used for + * adding application process to all permitted groups that are assigned to such + * privileges. + * + * \param[in] Application identifier + * \return API return code or error code + */ +int security_manager_set_process_groups_from_appid(const char *app_id); + +/** + * The above launcher functions, manipulating process Smack label and group, + * require elevated privileges. Since they will be called by launcher after fork, + * in the process for the application, privileges should be dropped before + * running an actual application. This function is a helper for that purpose - + * it drops capabilities from the process. + * + * \return API return code or error code + */ +int security_manager_drop_process_privileges(void); + +/** + * A convenience function for launchers for preparing security context for an + * application process. It should be called after fork in the new process, before + * running the application in it. + * It is aimed to cover most common cases and will internally call other, more + * specialized security-manager functions for launchers. + * Currently it just calls: + * - security_manager_set_process_label_from_appid + * - security_manager_set_process_groups_from_appid + * - security_manager_drop_process_privileges + * + * \param[in] Application identifier + * \return API return code or error code + */ +int security_manager_prepare_app(const char *app_id); + +/** + * This function returns array of groups bound to privileges of file resources. + * + * Caller needs to free memory allocated for the list using + * security_manager_groups_free(). + * + * @param[out] groups pointer to array of strings. + * @param[out] groups_count number of strings in levels array. + * @return API return code or error code. + */ +int security_manager_groups_get(char ***groups, size_t *groups_count); + +/** + * This function frees memory allocated by security_manager_groups_get() + * function. 
+ * + * @param[in] groups array of strings returned by security_manager_groups_get() function. + * @param[in] groups_count size of the groups array + */ +void security_manager_groups_free(char **groups, size_t groups_count); + +/** + * Get package and application id of an application with given socket descriptor + * + * On successful call pkg_id and app_id should be freed when caller is done with them. + * Both pkg_id and app_id are allocated with malloc() so they should be freed with free() function. + * Either app_id or pkg_id may be NULL. NULL-ed argument will be ignored. + * If both app_id and pkg_id are NULL then SECURITY_MANAGER_ERROR_INPUT_PARAM will be returned. + * When socket descriptor is incorrect or not related to any package, this function will + * return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT. + * + * \param[in] Socket descriptor of wanted application + * \param[out] package id of the application + * \param[out] application id of the application + * \return API return code or error code + */ +int security_manager_identify_app_from_socket(int sockfd, char **pkg_id, char **app_id); + +/** + * Get package and application id of an application with given process identifier + * + * On successful call pkg_id and app_id should be freed when caller is done with them. + * Both pkg_id and app_id are allocated with malloc() so they should be freed with free() function. + * Either app_id or pkg_id may be NULL. NULL-ed argument will be ignored. + * If both app_id and pkg_id are NULL then SECURITY_MANAGER_ERROR_INPUT_PARAM will be returned. + * When process identifier is incorrect or not related to any package, this function will + * return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT. + * + * \note Caller must be able to access and read file /proc/PID/atrr/current where PID is the given + * process identifier. 
+ * + * \param[in] process identifier of wanted application + * \param[out] package id of the application + * \param[out] application id of the application + * \return API return code or error code + */ +int security_manager_identify_app_from_pid(pid_t pid, char **pkg_id, char **app_id); + +/** + * Check whether an application would have access to a privilege + * + * This enables queries for application's privileges when there is no application + * process running. In such case the application label cannot be determined from + * the process and the query for privilege must be based on app_id. + * + * The check result is placed in \ref result: + * - 0: access denied + * - 1: access granted + * + * @param[in] app_id application identifier + * @param[in] privilege name + * @param[in] uid user identifier + * @param[out] result placeholder for result + * @return API return code or error code + */ +int security_manager_app_has_privilege(const char *app_id, const char *privilege, + uid_t uid, int *result); + +#ifdef __cplusplus +} +#endif + +#endif /* SECURITY_MANAGER_APP_RUNTIME_H_ */ diff --git a/src/include/app-sharing.h b/src/include/app-sharing.h new file mode 100644 index 0000000..9528c88 --- /dev/null +++ b/src/include/app-sharing.h 
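Review bot: The `\note` on security_manager_identify_app_from_pid points at `/proc/PID/atrr/current`; the procfs path is `/proc/PID/attr/current`, and a reader copying it into a test or a policy check would get ENOENT. Also, the `@param[out] groups_count` line of security_manager_groups_get reads "number of strings in levels array" where "groups array" is meant (the text was apparently copied from a levels getter). Since these lines are being moved anyway, both fixes fit this commit.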
@@ -0,0 +1,112 @@ +/* + * Copyright (c) 2000 - 2016 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Rafal Krypa + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + * + */ + +#ifndef SECURITY_MANAGER_APP_SHARING_H_ +#define SECURITY_MANAGER_APP_SHARING_H_ + +#include "security-manager-types.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * This function is responsible for initialize private_sharing_req data structure + * It uses dynamic allocation inside and user responsibility is to call + * private_sharing_req_free() for freeing allocated resources + * + * \param[out] Address of pointer for handle private_sharing_req structure + * \return API return code or error code + */ +int security_manager_private_sharing_req_new(private_sharing_req **pp_req); + +/* + * This function is used to free resources allocated by calling private_sharing_req_new() + * + * \param[in] Pointer handling allocated app_inst_req structure + */ +void security_manager_private_sharing_req_free(private_sharing_req *p_req); + +/* + * This function is used to set up package identifier of paths owner application + * in private_sharing_req structure + * + * \param[in] Pointer handling private_sharing_req structure + * \param[in] Application identifier + * \return API return code or error code: it would be + * - SECURITY_MANAGER_SUCCESS on success, + * - SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE when either owner app_id, target app_id + * or paths are not set, + * - 
SECURITY_MANAGER_ERROR_UNKNOWN on other errors. + */ +int security_manager_private_sharing_req_set_owner_appid(private_sharing_req *p_req, + const char *app_id); + +/* + * This function is used to set up package identifier of sharing target application + * in private_sharing_req structure + * + * \param[in] Pointer handling private_sharing_req structure + * \param[in] Application identifier + * \return API return code or error code + */ +int security_manager_private_sharing_req_set_target_appid(private_sharing_req *p_req, + const char *app_id); + +/* + * This function is used to add path list to be shared in private_sharing_req structure + * + * \param[in] Pointer handling private_sharing_req structure + * \param[in] Path list + * \param[in] Path count + * \return API return code or error code + */ +int security_manager_private_sharing_req_add_paths(private_sharing_req *p_req, + const char **pp_paths, + size_t path_count); + +/* + * This function is used to apply private sharing based on given private_sharing_req. + * One path can be shared with multiple applications at the same time. + * + * \param[in] Pointer handling private_sharing_req structure + * \return API return code or error code: it would be + * - SECURITY_MANAGER_SUCCESS on success, + * - SECURITY_MANAGER_ERROR_INPUT_PARAM when either owner app_id, target app_id or paths are not set, + * - SECURITY_MANAGER_ERROR_UNKNOWN on other errors. + */ +int security_manager_private_sharing_apply(const private_sharing_req *p_req); + +/* + * This function is used to drop private sharing based on given private_sharing_req. + * + * \param[in] Pointer handling private_sharing_req structure + * \return API return code or error code: it would be + * - SECURITY_MANAGER_SUCCESS on success, + * - SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE when either owner app_id, target app_id + * or paths are not set, + * - SECURITY_MANAGER_ERROR_UNKNOWN on other errors. 
+ */ +int security_manager_private_sharing_drop(const private_sharing_req *p_req); + +#ifdef __cplusplus +} +#endif + +#endif /* SECURITY_MANAGER_APP_SHARING_H_ */ diff --git a/src/include/policy-manager.h b/src/include/policy-manager.h new file mode 100644 index 0000000..14dec5b --- /dev/null +++ b/src/include/policy-manager.h 
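Review bot: The documented error codes for the private-sharing functions contradict each other: security_manager_private_sharing_apply says unset owner/target/paths yield `SECURITY_MANAGER_ERROR_INPUT_PARAM`, while security_manager_private_sharing_drop says `SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE` for the same condition, and security_manager_private_sharing_req_set_owner_appid lists the REQ_NOT_COMPLETE case although a setter cannot know whether the request is complete. Only the implementation (not in this hunk) can say which code is right, but the header should state one and the same for both. Two smaller slips: the `\param[in]` of security_manager_private_sharing_req_free says "app_inst_req structure" where `private_sharing_req` is meant, and the first line of both setter comments says "package identifier" while the parameter is an application identifier (`app_id`).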
@@ -0,0 +1,433 @@ +/* + * Copyright (c) 2000 - 2016 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Rafal Krypa + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + * + */ + +#ifndef SECURITY_MANAGER_POLICY_MANAGER_H_ +#define SECURITY_MANAGER_POLICY_MANAGER_H_ + +#include "security-manager-types.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief This function is responsible for initializing policy_update_req data structure. + * + * It uses dynamic allocation inside and user responsibility is to call + * policy_update_req_free() for freeing allocated resources. + * + * \param[out] pp_req Address of pointer for handle policy_update_req structure + * \return API return code or error code + */ +int security_manager_policy_update_req_new(policy_update_req **pp_req); + +/** + * \brief This function is used to free resources allocated by calling policy_update_req_new(). + * \param[in] p_req Pointer handling allocated policy_update_req structure + */ +void security_manager_policy_update_req_free(policy_update_req *p_req); + +/** + * \brief This function is responsible for initializing policy_entry data structure. + * + * It uses dynamic allocation inside and user responsibility is to call + * policy_policy_entry_free() for freeing allocated resources. 
+ * + * \note application and privilege fields default to SECURITY_MANAGER_ANY wildcard, + * user field defaults to calling user's UID, whereas the current and max level + * values, default to empty string "". + * + * \param[out] pp_entry Address of pointer for handle policy_entry structure + * \return API return code or error code + */ +int security_manager_policy_entry_new(policy_entry **pp_entry); + +/** + * \brief This function is used to free resources allocated by calling + * policy_entry_req_new(). + * \param[in] p_entry Pointer handling allocated policy_entry structure + */ +void security_manager_policy_entry_free(policy_entry *p_entry); + +/** + * This function is used to set up application identifier in p_entry structure + * + * \param[in] p_entry Pointer handling policy_entry structure + * \param[in] app_id Application identifier to be set + * \return API return code or error code + */ +int security_manager_policy_entry_set_application(policy_entry *p_entry, const char *app_id); + +/** + * This function is used to set up user identifier in p_entry structure + * Calling this function may be omitted if user wants to set policies for himself + * \param[in] p_entry Pointer handling policy_entry structure + * \param[in] user_id User identifier to be set + * \return API return code or error code + */ +int security_manager_policy_entry_set_user(policy_entry *p_entry, const char *user_id); + +/** + * This function is used to set up privilege in p_entry structure + * + * \param[in] p_entry Pointer handling policy_entry structure + * \param[in] privilege Privilege to be set + * \return API return code or error code + */ +int security_manager_policy_entry_set_privilege(policy_entry *p_entry, const char *privilege); + +/** + * This function is used to set up privilege level in p_entry structure. + * This api is intended to be used to decrease user's own level of privilege. 
+ * + * \param[in] p_entry Pointer handling policy_entry structure + * \param[in] policy_level Policy level to be set. The level of privilege may + * be one of strings returned by @ref security_manager_policy_levels_get. + * If it is not, then error code SECURITY_MANAGER_ERROR_INPUT_PARAM is returned. + * Two predefined values are always valid here: + * + * "Allow", which means that user allows some app (setup by calling function + * @ref security_manager_policy_entry_set_application) to run with some privilege + * (setup by @ref security_manager_policy_entry_set_privilege). + * Note, that this not necessarily mean, that this privilege will really be granted. + * Final decision of granting privilege also depends on app's manifests, + * predefined policy and administrator's or manufacturer's settings. + * If all of those policy sources also allows granting privilege for that app, + * then (and only then) it will be granted. + * + * "Deny", which means that user disallows some app (setup by calling function + * @ref security_manager_policy_entry_set_application) to run with some privilege + * (setup by @ref security_manager_policy_entry_set_privilege). + * Note, that this denies privilege irrespective of privilege levels granted + * to app by other policy sources: app's manifests, predefined policy + * and administrator's or manufacturer's settings. + * + * Other levels may be also valid, if returned by security_manager_policy_levels_get. + * They represent other policy levels configured in system, which security-manager + * does support. The other levels are always something between "Allow" and "Deny" + * (like "Allow only once"). + * + * Irrespective of a meaning of those values security-manager will always treat + * policy set by security_manager_policy_entry_set_level as a mean to + * decrease user's own rights. This will never increase overall policy. 
+ * + * \return API return code or error code + */ +int security_manager_policy_entry_set_level(policy_entry *p_entry, const char *policy_level); + +/** + * This function is used to set up privilege level for admin policy entries + * in p_entry structure. + * + * This function is intended to be used by admin to change level of privilege. + * If it is used by user that has no http://tizen.org/privilege/systemsettings.admin + * privilege, then security_manager_policy_update_send will return error code. + * + * \param[in] p_entry Pointer handling policy_entry structure + * \param[in] policy_level Policy level to be set. This may be one of strings + * returned by @ref security_manager_policy_levels_get. If it is not, then error + * code is returned (SECURITY_MANAGER_ERROR_INPUT_PARAM). + * Two predefined values are always valid here: + * + * "Allow", which means that admin allows some user's app to + * get privilege irrespective of predefined policy settings for that user. + * Note, that this not necessarily mean, that this privilege will really be granted. + * Final decision of granting privilege also depends on app's manifests, + * user's own policy (set up by @ref security_manager_policy_entry_set_level) + * or manufacturer's settings. + * If all of those policy sources also allows granting privilege for that app, + * then (and only then) it will be granted. + * + * "Deny", which means that admin disallows some user's app to get privilege + * irrespective of predefined policy settings for that user. + * Note, that this denies privilege app's manifests, user's own policy + * (set up by @ref security_manager_policy_entry_set_level) or manufacturer's + * settings. + * + * Other levels may be also valid, if returned by security_manager_policy_levels_get. + * They represent other policy levels configured in system, which security-manager + * does support. The other levels are always something between "Allow" and "Deny" + * (like "Allow only once"). 
+ *
+ * Irrespective of a meaning of those values security-manager will always treat
+ * policy set by security_manager_policy_entry_admin_set_level as a mean for admin
+ * to change user's rights, but will not alter user's own privilege level set up
+ * by @ref security_manager_policy_entry_set_level.
+ *
+ * \return API return code or error code
+ */
+int security_manager_policy_entry_admin_set_level(policy_entry *p_entry, const char *policy_level);
+
+/**
+ * This function is used to add policy entry to policy update request.
+ *
+ * Note, that this function does not make a copy of object pointed to by p_entry
+ * and does not change owner of this handler.
+ * User is responsible to keep p_entry untouched until @ref security_manager_policy_update_send
+ * is called on p_req. After that p_entry still needs to be freed.
+ * (see examples in documentation of @ref security_manager_policy_update_send)
+ *
+ * \param[in] p_req Pointer handling allocated policy_update_req structure
+ * \param[in] p_entry Pointer handling policy_entry structure
+ * \return API return code or error code
+ */
+int security_manager_policy_update_req_add_entry(policy_update_req *p_req, const policy_entry *p_entry);
+
+/**
+ * This function is used to obtain user ID from p_entry structure
+ *
+ * \param[in] p_entry Pointer handling policy_entry structure
+ * \attention Warning: returned pointer to user ID is valid as long as p_entry is valid.
+ *
+ * \return user uid
+ */
+
+const char *security_manager_policy_entry_get_user(policy_entry *p_entry);
+/**
+ * This function is used to obtain application name from p_entry structure
+ *
+ * \param[in] p_entry Pointer handling policy_entry structure
+ * \attention Warning: returned pointer to application name is valid as long as p_entry is valid.
+ *
+ * \return application name
+ */
+
+const char *security_manager_policy_entry_get_application(policy_entry *p_entry);
+/**
+ * This function is used to obtain privilege name from p_entry structure
+ *
+ * \param[in] p_entry Pointer handling policy_entry structure
+ * \attention Warning: returned pointer to privilege name is valid as long as p_entry is valid.
+ *
+ * \return privilege name
+ */
+const char *security_manager_policy_entry_get_privilege(policy_entry *p_entry);
+/**
+ * This function is used to obtain current policy level from p_entry structure
+ *
+ * \param[in] p_entry Pointer handling policy_entry structure
+ * \attention Warning: returned pointer to policy level is valid as long as p_entry is valid.
+ *
+ * \return Current policy level
+ */
+const char *security_manager_policy_entry_get_level(policy_entry *p_entry);
+
+/**
+ * This function is used to obtain maximal policy level from p_entry structure
+ *
+ * \param[in] p_entry Pointer handling policy_entry structure.
+ * \attention Warning: returned pointer to maximal policy level is valid as long as p_entry is valid.
+ *
+ * \return Maximal policy level
+ */
+const char *security_manager_policy_entry_get_max_level(policy_entry *p_entry);
+
+/**
+ * \brief This function is used to send the prepared policy update request using privacy manager
+ * entry point. The request should contain at least one policy update unit, otherwise
+ * the SECURITY_MANAGER_ERROR_INPUT_PARAM is returned.
+ *
+ * \note 1. If user field in policy_entry is empty, then uid of the calling user is assumed
+ * 2. If privilege or app field in policy_entry is empty, then SECURITY_MANAGER_API_BAD_REQUEST
+ * is returned
+ * 3. For user's personal policy: wildcards usage in application or privilege field of policy_entry
+ * is not allowed
+ *
+ * \param[in] p_req Pointer handling allocated policy_update_req structure
+ * \return API return code or error code
+ *
+ * Example:
+ * (warning: checking return codes are omitted in examples just for visibility reasons)
+ *
+ * - to update policy for user by himself:
+ * (Deny access from app MyApp1 to privilege http://tizen.org/privilege/systemsettings,
+ * deny access from app MyApp2 to privilege http://tizen.org/privilege/systemsettings,
+ * deny access from app MyApp3 to privilege http://tizen.org/privilege/notificationmanager)
+ *
+ * policy_update_req *policy_update_request;
+ * policy_entry *entry1;
+ * policy_entry *entry2;
+ * policy_entry *entry3;
+ *
+ * security_manager_policy_update_req_new(&policy_update_request);
+ * security_manager_policy_entry_new(&entry1);
+ * security_manager_policy_entry_new(&entry2);
+ * security_manager_policy_entry_new(&entry3);
+ *
+ * security_manager_policy_entry_set_application(entry1, "MyApp1");
+ * security_manager_policy_entry_set_privilege(entry1, "http://tizen.org/privilege/systemsettings");
+ * security_manager_policy_entry_set_level(entry1, "Deny");
+ *
+ * security_manager_policy_entry_set_application(entry2, "MyApp2");
+ * security_manager_policy_entry_set_privilege(entry2, "http://tizen.org/privilege/systemsettings");
+ * security_manager_policy_entry_set_level(entry2, "Deny");
+ *
+ * security_manager_policy_entry_set_application(entry3, "MyApp3");
+ * security_manager_policy_entry_set_privilege(entry3, "http://tizen.org/privilege/notificationmanager");
+ * security_manager_policy_entry_set_level(entry3, "Deny");
+ *
+ * security_manager_policy_update_req_add_entry(policy_update_request, entry1);
+ * security_manager_policy_update_req_add_entry(policy_update_request, entry2);
+ * security_manager_policy_update_req_add_entry(policy_update_request, entry3);
+ *
+ * //do not change entry1, entry2 or entry3!
+ *
+ * security_manager_policy_update_send(policy_update_request);
+ *
+ * security_manager_policy_entry_free(entry1);
+ * security_manager_policy_entry_free(entry2);
+ * security_manager_policy_entry_free(entry3);
+ * security_manager_policy_update_free(policy_update_request);
+ *
+ * - to update policy by administrator for some user:
+ * (Deny access of user of uid 2001 from any app to privilege http://tizen.org/privilege/vibrator,
+ * (allow access of user of uid 2002 using app "App1" to privilege http://tizen.org/privilege/email.admin)
+ *
+ * policy_update_req *policy_update_request;
+ *
+ * security_manager_policy_update_req_new(&policy_update_request);
+
+ * policy_entry *entry1;
+ * policy_entry *entry2;
+ * char *adminswife = "2001";
+ * char *adminsfriend = "2002";
+ *
+ * security_manager_policy_entry_new(&entry1);
+ * security_manager_policy_entry_new(&entry2);
+ *
+ * security_manager_policy_entry_set_user(entry1, adminswife);
+ * security_manager_policy_entry_set_application(entry1, SECURITY_MANAGER_ANY);
+ * security_manager_policy_entry_set_privilege(entry1, "http://tizen.org/privilege/vibrator");
+ * security_manager_policy_entry_admin_set_level(entry1, "Deny");
+ *
+ * security_manager_policy_entry_set_user(entry2, adminsfriend);
+ * security_manager_policy_entry_set_application(entry2, "App1");
+ * security_manager_policy_entry_set_privilege(entry2, "http://tizen.org/privilege/email.admin");
+ * security_manager_policy_entry_admin_set_level(entry2, "Allow");
+ *
+ * security_manager_policy_update_req_add_entry(policy_update_request, entry1);
+ * security_manager_policy_update_req_add_entry(policy_update_request, entry2);
+ *
+ * //do not change entry1 or entry2!
+ *
+ * security_manager_policy_update_send(policy_update_request);
+ *
+ * security_manager_policy_entry_free(entry1);
+ * security_manager_policy_entry_free(entry2);
+ * security_manager_policy_update_free(policy_update_request);
+ *
+ */
+int security_manager_policy_update_send(policy_update_req *p_req);
+
+/**
+ * \brief Function fetches all privileges enforced by admin user.
+ * The result is stored in the policy_entry structures array.
+ *
+ * \note It should be called by user with http://tizen.org/privilege/systemsettings.admin privilege.
+ * Normal users may list their personal policy entries using
+ * security_manager_get_configured_policy_for_self() API function.
+ *
+ * \attention Developer is responsible for calling security_manager_policy_entries_free()
+ * for freeing allocated resources.
+ *
+ * \param[in] p_filter Pointer to filter struct
+ * \param[out] ppp_privs_policy Pointer handling allocated policy_entry structures array
+ * \param[out] p_size Pointer where the size of allocated array will be stored
+ * \return API return code or error code
+ */
+int security_manager_get_configured_policy_for_admin(
+ policy_entry *p_filter,
+ policy_entry ***ppp_privs_policy,
+ size_t *p_size);
+
+/**
+ * \brief Function fetches all privileges that are configured by user in his/her
+ * privacy manager. The result is stored in the policy_entry structures array.
+ * User may only fetch privileges for his/her own UID.
+ *
+ * \attention Developer is responsible for calling security_manager_policy_entries_free()
+ * for freeing allocated resources.
+ *
+ * \param[in] p_filter Pointer to filter struct
+ * \param[out] ppp_privs_policy Pointer handling allocated policy_entry structures array
+ * \param[out] p_size Pointer where the size of allocated array will be stored
+ * \return API return code or error code
+ */
+int security_manager_get_configured_policy_for_self(
+ policy_entry *p_filter,
+ policy_entry ***ppp_privs_policy,
+ size_t *p_size);
+
+/**
+ * \brief Function gets the whole policy for all users, their applications and privileges
+ * based on the provided filter. The result is stored in the policy_entry array.
+ *
+ * \note If this call is performed by user with http://tizen.org/privilege/systemsettings.admin
+ * privilege, then it's possible to list policies for all users.
+ * Normal users may only list privileges for their own UID.
+ *
+ * \attention Developer is responsible for calling security_manager_policy_entries_free()
+ * for freeing allocated resources.
+ *
+ * \param[in] p_filter Pointer to filter struct
+ * \param[out] ppp_privs_policy Pointer handling allocated policy_entry structures array
+ * \param[out] p_size Pointer where the size of allocated array will be stored
+ * \return API return code or error code
+ */
+int security_manager_get_policy(
+ policy_entry *p_filter,
+ policy_entry ***ppp_privs_policy,
+ size_t *p_size);
+
+/**
+ * \brief This function is used to free resources allocated in policy_entry structures array.
+ * \param[in] p_entries Pointer handling allocated policy status array
+ * \param[in] size Size of the array
+ */
+void security_manager_policy_entries_free(policy_entry *p_entries, const size_t size);
+
+/**
+ * This function returns array of available policy levels in form of simple
+ * text descriptions. List is sorted using internal policy level value,
+ * from lowest value to highest and starts with "Deny".
+ *
+ * Caller needs to free memory allocated for the list using
+ * security_manager_policy_levels_free().
+ *
+ * @param levels pointer to array of strings.
+ * @param levels_count number of strings in levels array.
+ * @return API return code or error code.
+ */
+int security_manager_policy_levels_get(char ***levels, size_t *levels_count);
+
+/**
+ * This function free memory allocated by security_manager_policy_levels_get()
+ * function.
+ *
+ * @param levels array of strings returned by
+ * security_manager_policy_levels_get() function.
+ * @return API return code or error code.
+ */
+void security_manager_policy_levels_free(char **levels, size_t levels_count);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SECURITY_MANAGER_POLICY_MANAGER_H_ */
diff --git a/src/include/security-manager.h b/src/include/security-manager.h
index 2d990f5..d927774 100644
--- a/src/include/security-manager.h
+++ b/src/include/security-manager.h
@@ -29,7 +29,11 @@
 #include
-#include "security-manager-types.h"
+#include "app-manager.h"
+#include "app-runtime.h"
+#include "app-sharing.h"
+#include "user-manager.h"
+#include "policy-manager.h"
 #ifdef __cplusplus
 extern "C" {
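Review bot: Dropping `#include "security-manager-types.h"` leaves this umbrella header relying on the five new sub-headers to bring `enum lib_retcode` — used by the `security_manager_strerror` declaration just past this hunk — and the request/entry types into scope; if that transitive dependency is intended, keeping an explicit `#include "security-manager-types.h"` here would keep security-manager.h self-sufficient, so a later cleanup of a sub-header's includes cannot silently break every client that includes only the umbrella. Whether each sub-header includes the types header itself cannot be confirmed from this chunk. As a point of style, the new list is alphabetical except that `policy-manager.h` follows `user-manager.h`; ordering it as `app-manager.h`, `app-runtime.h`, `app-sharing.h`, `policy-manager.h`, `user-manager.h` makes future additions easier to place and diff.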
@@ -43,798 +47,6 @@ extern "C" {
 */
 const char *security_manager_strerror(enum lib_retcode rc);
-/*
- * This function is responsible for initialize app_inst_req data structure
- * It uses dynamic allocation inside and user responsibility is to call
- * app_inst_req_free() for freeing allocated resources
- *
- * \param[in] Address of pointer for handle app_inst_req structure
- * \return API return code or error code
- */
-int security_manager_app_inst_req_new(app_inst_req **pp_req);
-
-/*
- * This function is used to free resources allocated by calling app_inst_req_new()
- * \param[in] Pointer handling allocated app_inst_req structure
- */
-void security_manager_app_inst_req_free(app_inst_req *p_req);
-
-/*
- * This function is used to set up target Tizen API version for app in app_inst_req structure
- *
- * \param[in] Pointer handling app_inst_req structure
- * \param[in] Target Tizen version
- * \return API return code or error code
- */
-int security_manager_app_inst_req_set_target_version(app_inst_req *p_req, const char *tizen_ver);
-
-/*
- * This function is used to set up application identifier in app_inst_req structure
- *
- * \param[in] Pointer handling app_inst_req structure
- * \param[in] Application identifier
- * \return API return code or error code
- */
-int security_manager_app_inst_req_set_app_id(app_inst_req *p_req, const char *app_id);
-
-/*
- * This function is used to set up package identifier in app_inst_req structure
- *
- * \param[in] Pointer handling app_inst_req structure
- * \param[in] Package identifier
- * \return API return code or error code
- */
-int security_manager_app_inst_req_set_pkg_id(app_inst_req *p_req, const char *pkg_id);
-
-/*
- * This function is used to add privilege to app_inst_req structure,
- * it can be called multiple times
- *
- * \param[in] Pointer handling app_inst_req structure
- * \param[in] Application privilager
- * \return API return code or error code
- */
-int security_manager_app_inst_req_add_privilege(app_inst_req *p_req, const char *privilege);
-
-/*
- * This function is used to add application path to app_inst_req structure,
- * it can be called multiple times
- *
- * \param[in] Pointer handling app_inst_req structure
- * \param[in] Application path
- * \param[in] Application path type
- * \return API return code or error code
- */
-int security_manager_app_inst_req_add_path(app_inst_req *p_req, const char *path, const int path_type);
-
-/*
- * This function is used to set up user identifier in app_inst_req structure.
- * This field simplifies support for online and offline modes.
- *
- * \param[in] Pointer handling app_inst_req structure
- * \param[in] User identifier (UID)
- * \return API return code or error code
- */
-int security_manager_app_inst_req_set_uid(app_inst_req *p_req,
- const uid_t uid);
-
-/*
- * This function is used to set up author identifier in app_inst_req structure.
- * This field is required for trusted paths only (SECURITY_MANAGER_PATH_TRUSTED_RW).
- *
- * \param[in] Pointer handling app_inst_req structure
- * \param[in] Author's identifier
- * \return API return code or error code
- */
-int security_manager_app_inst_req_set_author_id(app_inst_req *p_req, const char *author_id);
-
-/*
- * This function is used to install application based on
- * using filled up app_inst_req data structure
- *
- * \param[in] Pointer handling app_inst_req structure
- * \return API return code or error code: it would be
- * - SECURITY_MANAGER_SUCCESS on success,
- * - SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED when user does not
- * have rights to install requested directories,
- * - SECURITY_MANAGER_ERROR_UNKNOWN on other errors.
- */
-int security_manager_app_install(const app_inst_req *p_req);
-
-/*
- * This function is used to uninstall application based on
- * using filled up app_inst_req data structure
- *
- * \param[in] Pointer handling app_inst_req structure
- * \return API return code or error code
- */
-int security_manager_app_uninstall(const app_inst_req *p_req);
-
-/**
- * Get package id of a given application
- *
- * On successful call pkg_id should be freed by the caller using free() function
- *
- * \param[out] Pointer to package identifier string
- * \param[in] Application identifier
- * \return API return code or error code
- */
-int security_manager_get_app_pkgid(char **pkg_id, const char *app_id);
-
-/*
- * This function is responsible for initialize private_sharing_req data structure
- * It uses dynamic allocation inside and user responsibility is to call
- * private_sharing_req_free() for freeing allocated resources
- *
- * \param[out] Address of pointer for handle private_sharing_req structure
- * \return API return code or error code
- */
-int security_manager_private_sharing_req_new(private_sharing_req **pp_req);
-
-/*
- * This function is used to free resources allocated by calling private_sharing_req_new()
- *
- * \param[in] Pointer handling allocated app_inst_req structure
- */
-void security_manager_private_sharing_req_free(private_sharing_req *p_req);
-
-/*
- * This function is used to set up package identifier of paths owner application
- * in private_sharing_req structure
- *
- * \param[in] Pointer handling private_sharing_req structure
- * \param[in] Application identifier
- * \return API return code or error code: it would be
- * - SECURITY_MANAGER_SUCCESS on success,
- * - SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE when either owner app_id, target app_id
- * or paths are not set,
- * - SECURITY_MANAGER_ERROR_UNKNOWN on other errors.
- */
-int security_manager_private_sharing_req_set_owner_appid(private_sharing_req *p_req,
- const char *app_id);
-
-/*
- * This function is used to set up package identifier of sharing target application
- * in private_sharing_req structure
- *
- * \param[in] Pointer handling private_sharing_req structure
- * \param[in] Application identifier
- * \return API return code or error code
- */
-int security_manager_private_sharing_req_set_target_appid(private_sharing_req *p_req,
- const char *app_id);
-
-/*
- * This function is used to add path list to be shared in private_sharing_req structure
- *
- * \param[in] Pointer handling private_sharing_req structure
- * \param[in] Path list
- * \param[in] Path count
- * \return API return code or error code
- */
-int security_manager_private_sharing_req_add_paths(private_sharing_req *p_req,
- const char **pp_paths,
- size_t path_count);
-
-/*
- * This function is used to apply private sharing based on given private_sharing_req.
- * One path can be shared with multiple applications at the same time.
- *
- * \param[in] Pointer handling private_sharing_req structure
- * \return API return code or error code: it would be
- * - SECURITY_MANAGER_SUCCESS on success,
- * - SECURITY_MANAGER_ERROR_INPUT_PARAM when either owner app_id, target app_id or paths are not set,
- * - SECURITY_MANAGER_ERROR_UNKNOWN on other errors.
- */
-int security_manager_private_sharing_apply(const private_sharing_req *p_req);
-
-/*
- * This function is used to drop private sharing based on given private_sharing_req.
- *
- * \param[in] Pointer handling private_sharing_req structure
- * \return API return code or error code: it would be
- * - SECURITY_MANAGER_SUCCESS on success,
- * - SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE when either owner app_id, target app_id
- * or paths are not set,
- * - SECURITY_MANAGER_ERROR_UNKNOWN on other errors.
- */
-int security_manager_private_sharing_drop(const private_sharing_req *p_req);
-
-/**
- * Compute smack label for given application id and set it for
- * currently running process
- *
- * \param[in] Application identifier
- * \return API return code or error code
- */
-int security_manager_set_process_label_from_appid(const char *app_id);
-
-/**
- * For given app_id and current user, calculate allowed privileges that give
- * direct access to file system resources. Then add current process to
- * supplementary groups that are assigned to these resources.
- *
- * In Tizen some sensitive resources are being accessed by applications directly.
- * The resources, being file system objects, are owned by dedicated GIDs and only
- * processes in those UNIX groups can access them. This function is used for
- * adding application process to all permitted groups that are assigned to such
- * privileges.
- *
- * \param[in] Application identifier
- * \return API return code or error code
- */
-int security_manager_set_process_groups_from_appid(const char *app_id);
-
-/**
- * The above launcher functions, manipulating process Smack label and group,
- * require elevated privileges. Since they will be called by launcher after fork,
- * in the process for the application, privileges should be dropped before
- * running an actual application. This function is a helper for that purpose -
- * it drops capabilities from the process.
- *
- * \return API return code or error code
- */
-int security_manager_drop_process_privileges(void);
-
-/**
- * A convenience function for launchers for preparing security context for an
- * application process. It should be called after fork in the new process, before
- * running the application in it.
- * It is aimed to cover most common cases and will internally call other, more
- * specialized security-manager functions for launchers.
- * Currently it just calls:
- * - security_manager_set_process_label_from_appid
- * - security_manager_set_process_groups_from_appid
- * - security_manager_drop_process_privileges
- *
- * \param[in] Application identifier
- * \return API return code or error code
- */
-int security_manager_prepare_app(const char *app_id);
-
-/*
- * This function is responsible for initialization of user_req data structure.
- * It uses dynamic allocation inside and user responsibility is to call
- * security_manager_user_req_free() for freeing allocated resources.
- *
- * @param[in] Address of pointer for handle user_req structure
- * @return API return code or error code
- */
-int security_manager_user_req_new(user_req **pp_req);
-
-/*
- * This function is used to free resources allocated by
- * security_manager_user_req_new()
- *
- * @param[in] Pointer handling allocated user_req structure
- */
-void security_manager_user_req_free(user_req *p_req);
-
-/*
- * This function is used to set up user identifier in user_req structure.
- *
- * @param p_req Structure containing user data filled during this function call
- * @param uid User identifier to be set
- * @return API return code or error code
- */
-int security_manager_user_req_set_uid(user_req *p_req, uid_t uid);
-
-/*
- * This function is used to set up user type in user_req structure.
- *
- * @param p_req Structure containing user data filled during this function call
- * @param utype User type to be set
- * @return API return code or error code
- */
-int security_manager_user_req_set_user_type(user_req *p_req, security_manager_user_type utype);
-
-/*
- * This function should be called to inform security-manager about adding new user.
- * This function succeeds only when is called by privileged user.
- * Otherwise it just returns SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED and does nothing.
- *
- * It adds all required privileges to a newly created user.
- * User data are passed through pointer 'p_req'.
- * @param p_req Structure containing user data filled before calling this
- * uid and user type needs to be filled in p_req structure,
- * otherwise SECURITY_MANAGER_ERROR_INPUT_PARAM will be returned.
- * @return API return code or error code.
- */
-int security_manager_user_add(const user_req *p_req);
-
-/*
- * This function should be called to inform security-manager about removing a user.
- * This function succeeds only when is called by privileged user.
- * Otherwise it just returns SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED and does nothing.
- *
- * It removes all privileges granted to a user that has been granted previously by
- * security_manager_user_add.
- *
- * @param p_req Structure containing user data filled before calling this.
- * uid of user needs to be filled in p_req structure,
- * otherwise SECURITY_MANAGER_ERROR_INPUT_PARAM will be returned.
- * @return API return code or error code
- */
-int security_manager_user_delete(const user_req *p_req);
-
-/**
- * \brief This function is responsible for initializing policy_update_req data structure.
- *
- * It uses dynamic allocation inside and user responsibility is to call
- * policy_update_req_free() for freeing allocated resources.
- *
- * \param[out] pp_req Address of pointer for handle policy_update_req structure
- * \return API return code or error code
- */
-int security_manager_policy_update_req_new(policy_update_req **pp_req);
-
-/**
- * \brief This function is used to free resources allocated by calling policy_update_req_new().
- * \param[in] p_req Pointer handling allocated policy_update_req structure
- */
-void security_manager_policy_update_req_free(policy_update_req *p_req);
-
-/**
- * \brief This function is responsible for initializing policy_entry data structure.
- *
- * It uses dynamic allocation inside and user responsibility is to call
- * policy_policy_entry_free() for freeing allocated resources.
- *
- * \note application and privilege fields default to SECURITY_MANAGER_ANY wildcard,
- * user field defaults to calling user's UID, whereas the current and max level
- * values, default to empty string "".
- *
- * \param[out] pp_entry Address of pointer for handle policy_entry structure
- * \return API return code or error code
- */
-int security_manager_policy_entry_new(policy_entry **pp_entry);
-
-/**
- * \brief This function is used to free resources allocated by calling
- * policy_entry_req_new().
- * \param[in] p_entry Pointer handling allocated policy_entry structure
- */
-void security_manager_policy_entry_free(policy_entry *p_entry);
-
-/**
- * This function is used to set up application identifier in p_entry structure
- *
- * \param[in] p_entry Pointer handling policy_entry structure
- * \param[in] app_id Application identifier to be set
- * \return API return code or error code
- */
-int security_manager_policy_entry_set_application(policy_entry *p_entry, const char *app_id);
-
-/**
- * This function is used to set up user identifier in p_entry structure
- * Calling this function may be omitted if user wants to set policies for himself
- * \param[in] p_entry Pointer handling policy_entry structure
- * \param[in] user_id User identifier to be set
- * \return API return code or error code
- */
-int security_manager_policy_entry_set_user(policy_entry *p_entry, const char *user_id);
-
-/**
- * This function is used to set up privilege in p_entry structure
- *
- * \param[in] p_entry Pointer handling policy_entry structure
- * \param[in] privilege Privilege to be set
- * \return API return code or error code
- */
-int security_manager_policy_entry_set_privilege(policy_entry *p_entry, const char *privilege);
-
-/**
- * This function is used to set up privilege level in p_entry structure.
- * This api is intended to be used to decrease user's own level of privilege.
- *
- * \param[in] p_entry Pointer handling policy_entry structure
- * \param[in] policy_level Policy level to be set. The level of privilege may
- * be one of strings returned by @ref security_manager_policy_levels_get.
- * If it is not, then error code SECURITY_MANAGER_ERROR_INPUT_PARAM is returned.
- * Two predefined values are always valid here:
- *
- * "Allow", which means that user allows some app (setup by calling function
- * @ref security_manager_policy_entry_set_application) to run with some privilege
- * (setup by @ref security_manager_policy_entry_set_privilege).
- * Note, that this not necessarily mean, that this privilege will really be granted.
- * Final decision of granting privilege also depends on app's manifests,
- * predefined policy and administrator's or manufacturer's settings.
- * If all of those policy sources also allows granting privilege for that app,
- * then (and only then) it will be granted.
- *
- * "Deny", which means that user disallows some app (setup by calling function
- * @ref security_manager_policy_entry_set_application) to run with some privilege
- * (setup by @ref security_manager_policy_entry_set_privilege).
- * Note, that this denies privilege irrespective of privilege levels granted
- * to app by other policy sources: app's manifests, predefined policy
- * and administrator's or manufacturer's settings.
- *
- * Other levels may be also valid, if returned by security_manager_policy_levels_get.
- * They represent other policy levels configured in system, which security-manager
- * does support. The other levels are always something between "Allow" and "Deny"
- * (like "Allow only once").
- *
- * Irrespective of a meaning of those values security-manager will always treat
- * policy set by security_manager_policy_entry_set_level as a mean to
- * decrease user's own rights. This will never increase overall policy.
- *
- * \return API return code or error code
- */
-int security_manager_policy_entry_set_level(policy_entry *p_entry, const char *policy_level);
-
-/**
- * This function is used to set up privilege level for admin policy entries
- * in p_entry structure.
- *
- * This function is intended to be used by admin to change level of privilege.
- * If it is used by user that has no http://tizen.org/privilege/systemsettings.admin
- * privilege, then security_manager_policy_update_send will return error code.
- *
- * \param[in] p_entry Pointer handling policy_entry structure
- * \param[in] policy_level Policy level to be set. This may be one of strings
- * returned by @ref security_manager_policy_levels_get. If it is not, then error
- * code is returned (SECURITY_MANAGER_ERROR_INPUT_PARAM).
- * Two predefined values are always valid here:
- *
- * "Allow", which means that admin allows some user's app to
- * get privilege irrespective of predefined policy settings for that user.
- * Note, that this not necessarily mean, that this privilege will really be granted.
- * Final decision of granting privilege also depends on app's manifests,
- * user's own policy (set up by @ref security_manager_policy_entry_set_level)
- * or manufacturer's settings.
- * If all of those policy sources also allows granting privilege for that app,
- * then (and only then) it will be granted.
- *
- * "Deny", which means that admin disallows some user's app to get privilege
- * irrespective of predefined policy settings for that user.
- * Note, that this denies privilege app's manifests, user's own policy
- * (set up by @ref security_manager_policy_entry_set_level) or manufacturer's
- * settings.
- *
- * Other levels may be also valid, if returned by security_manager_policy_levels_get.
- * They represent other policy levels configured in system, which security-manager
- * does support. The other levels are always something between "Allow" and "Deny"
- * (like "Allow only once").
- *
- * Irrespective of a meaning of those values security-manager will always treat
- * policy set by security_manager_policy_entry_admin_set_level as a mean for admin
- * to change user's rights, but will not alter user's own privilege level set up
- * by @ref security_manager_policy_entry_set_level.
- *
- * \return API return code or error code
- */
-int security_manager_policy_entry_admin_set_level(policy_entry *p_entry, const char *policy_level);
-
-/**
- * This function is used to add policy entry to policy update request.
- *
- * Note, that this function does not make a copy of object pointed to by p_entry
- * and does not change owner of this handler.
- * User is responsible to keep p_entry untouched until @ref security_manager_policy_update_send
- * is called on p_req. After that p_entry still needs to be freed.
- * (see examples in documentation of @ref security_manager_policy_update_send)
- *
- * \param[in] p_req Pointer handling allocated policy_update_req structure
- * \param[in] p_entry Pointer handling policy_entry structure
- * \return API return code or error code
- */
-int security_manager_policy_update_req_add_entry(policy_update_req *p_req, const policy_entry *p_entry);
-
-/**
- * This function is used to obtain user ID from p_entry structure
- *
- * \param[in] p_entry Pointer handling policy_entry structure
- * \attention Warning: returned pointer to user ID is valid as long as p_entry is valid.
- *
- * \return user uid
- */
-
-const char *security_manager_policy_entry_get_user(policy_entry *p_entry);
-/**
- * This function is used to obtain application name from p_entry structure
- *
- * \param[in] p_entry Pointer handling policy_entry structure
- * \attention Warning: returned pointer to application name is valid as long as p_entry is valid.
- * - * \return application name - */ - -const char *security_manager_policy_entry_get_application(policy_entry *p_entry); -/** - * This function is used to obtain privilege name from p_entry structure - * - * \param[in] p_entry Pointer handling policy_entry structure - * \attention Warning: returned pointer to privilege name is valid as long as p_entry is valid. - * - * \return privilege name - */ -const char *security_manager_policy_entry_get_privilege(policy_entry *p_entry); -/** - * This function is used to obtain current policy level from p_entry structure - * - * \param[in] p_entry Pointer handling policy_entry structure - * \attention Warning: returned pointer to policy level is valid as long as p_entry is valid. - * - * \return Current policy level - */ -const char *security_manager_policy_entry_get_level(policy_entry *p_entry); - -/** - * This function is used to obtain maximal policy level from p_entry structure - * - * \param[in] p_entry Pointer handling policy_entry structure. - * \attention Warning: returned pointer to maximal policy level is valid as long as p_entry is valid. - * - * \return Maximal policy level - */ -const char *security_manager_policy_entry_get_max_level(policy_entry *p_entry); - -/** - * \brief This function is used to send the prepared policy update request using privacy manager - * entry point. The request should contain at least one policy update unit, otherwise - * the SECURITY_MANAGER_ERROR_INPUT_PARAM is returned. - * - * \note 1. If user field in policy_entry is empty, then uid of the calling user is assumed - * 2. If privilege or app field in policy_entry is empty, then SECURITY_MANAGER_API_BAD_REQUEST - * is returned - * 3. 
For user's personal policy: wildcards usage in application or privilege field of policy_entry - * is not allowed - * - * \param[in] p_req Pointer handling allocated policy_update_req structure - * \return API return code or error code - * - * Example: - * (warning: checking return codes are omitted in examples just for visibility reasons) - * - * - to update policy for user by himself: - * (Deny access from app MyApp1 to privilege http://tizen.org/privilege/systemsettings, - * deny access from app MyApp2 to privilege http://tizen.org/privilege/systemsettings, - * deny access from app MyApp3 to privilege http://tizen.org/privilege/notificationmanager) - * - * policy_update_req *policy_update_request; - * policy_entry *entry1; - * policy_entry *entry2; - * policy_entry *entry3; - * - * security_manager_policy_update_req_new(&policy_update_request); - * security_manager_policy_entry_new(&entry1); - * security_manager_policy_entry_new(&entry2); - * security_manager_policy_entry_new(&entry3); - * - * security_manager_policy_entry_set_application(entry1, "MyApp1"); - * security_manager_policy_entry_set_privilege(entry1, "http://tizen.org/privilege/systemsettings"); - * security_manager_policy_entry_set_level(entry1, "Deny"); - * - * security_manager_policy_entry_set_application(entry2, "MyApp2"); - * security_manager_policy_entry_set_privilege(entry2, "http://tizen.org/privilege/systemsettings"); - * security_manager_policy_entry_set_level(entry2, "Deny"); - * - * security_manager_policy_entry_set_application(entry3, "MyApp3"); - * security_manager_policy_entry_set_privilege(entry3, "http://tizen.org/privilege/notificationmanager"); - * security_manager_policy_entry_set_level(entry3, "Deny"); - * - * security_manager_policy_update_req_add_entry(policy_update_request, entry1); - * security_manager_policy_update_req_add_entry(policy_update_request, entry2); - * security_manager_policy_update_req_add_entry(policy_update_request, entry3); - * - * //do not change entry1, 
entry2 or entry3! - * - * security_manager_policy_update_send(policy_update_request); - * - * security_manager_policy_entry_free(entry1); - * security_manager_policy_entry_free(entry2); - * security_manager_policy_entry_free(entry3); - * security_manager_policy_update_free(policy_update_request); - * - * - to update policy by administrator for some user: - * (Deny access of user of uid 2001 from any app to privilege http://tizen.org/privilege/vibrator, - * (allow access of user of uid 2002 using app "App1" to privilege http://tizen.org/privilege/email.admin) - * - * policy_update_req *policy_update_request; - * - * security_manager_policy_update_req_new(&policy_update_request); - - * policy_entry *entry1; - * policy_entry *entry2; - * char *adminswife = "2001"; - * char *adminsfriend = "2002"; - * - * security_manager_policy_entry_new(&entry1); - * security_manager_policy_entry_new(&entry2); - * - * security_manager_policy_entry_set_user(entry1, adminswife); - * security_manager_policy_entry_set_application(entry1, SECURITY_MANAGER_ANY); - * security_manager_policy_entry_set_privilege(entry1, "http://tizen.org/privilege/vibrator"); - * security_manager_policy_entry_admin_set_level(entry1, "Deny"); - * - * security_manager_policy_entry_set_user(entry2, adminsfriend); - * security_manager_policy_entry_set_application(entry2, "App1"); - * security_manager_policy_entry_set_privilege(entry2, "http://tizen.org/privilege/email.admin"); - * security_manager_policy_entry_admin_set_level(entry2, "Allow"); - * - * security_manager_policy_update_req_add_entry(policy_update_request, entry1); - * security_manager_policy_update_req_add_entry(policy_update_request, entry2); - * - * //do not change entry1 or entry2! 
- * - * security_manager_policy_update_send(policy_update_request); - * - * security_manager_policy_entry_free(entry1); - * security_manager_policy_entry_free(entry2); - * security_manager_policy_update_free(policy_update_request); - * - */ -int security_manager_policy_update_send(policy_update_req *p_req); - -/** - * \brief Function fetches all privileges enforced by admin user. - * The result is stored in the policy_entry structures array. - * - * \note It should be called by user with http://tizen.org/privilege/systemsettings.admin privilege. - * Normal users may list their personal policy entries using - * security_manager_get_configured_policy_for_self() API function. - * - * \attention Developer is responsible for calling security_manager_policy_entries_free() - * for freeing allocated resources. - * - * \param[in] p_filter Pointer to filter struct - * \param[out] ppp_privs_policy Pointer handling allocated policy_entry structures array - * \param[out] p_size Pointer where the size of allocated array will be stored - * \return API return code or error code - */ -int security_manager_get_configured_policy_for_admin( - policy_entry *p_filter, - policy_entry ***ppp_privs_policy, - size_t *p_size); - -/** - * \brief Function fetches all privileges that are configured by user in his/her - * privacy manager. The result is stored in the policy_entry structures array. - * User may only fetch privileges for his/her own UID. - * - * \attention Developer is responsible for calling security_manager_policy_entries_free() - * for freeing allocated resources. 
- * - * \param[in] p_filter Pointer to filter struct - * \param[out] ppp_privs_policy Pointer handling allocated policy_entry structures array - * \param[out] p_size Pointer where the size of allocated array will be stored - * \return API return code or error code - */ -int security_manager_get_configured_policy_for_self( - policy_entry *p_filter, - policy_entry ***ppp_privs_policy, - size_t *p_size); - -/** - * \brief Function gets the whole policy for all users, their applications and privileges - * based on the provided filter. The result is stored in the policy_entry array. - * - * \note If this call is performed by user with http://tizen.org/privilege/systemsettings.admin - * privilege, then it's possible to list policies for all users. - * Normal users may only list privileges for their own UID. - * - * \attention Developer is responsible for calling security_manager_policy_entries_free() - * for freeing allocated resources. - * - * \param[in] p_filter Pointer to filter struct - * \param[out] ppp_privs_policy Pointer handling allocated policy_entry structures array - * \param[out] p_size Pointer where the size of allocated array will be stored - * \return API return code or error code - */ -int security_manager_get_policy( - policy_entry *p_filter, - policy_entry ***ppp_privs_policy, - size_t *p_size); - -/** - * \brief This function is used to free resources allocated in policy_entry structures array. - * \param[in] p_entries Pointer handling allocated policy status array - * \param[in] size Size of the array - */ -void security_manager_policy_entries_free(policy_entry *p_entries, const size_t size); - -/** - * This function returns array of available policy levels in form of simple - * text descriptions. List is sorted using internal policy level value, - * from lowest value to highest and starts with "Deny". - * - * Caller needs to free memory allocated for the list using - * security_manager_policy_levels_free(). 
- * - * @param levels pointer to array of strings. - * @param levels_count number of strings in levels array. - * @return API return code or error code. - */ -int security_manager_policy_levels_get(char ***levels, size_t *levels_count); - -/** - * This function free memory allocated by security_manager_policy_levels_get() - * function. - * - * @param levels array of strings returned by - * security_manager_policy_levels_get() function. - * @return API return code or error code. - */ -void security_manager_policy_levels_free(char **levels, size_t levels_count); - -/** - * This function returns array of groups bound to privileges of file resources. - * - * Caller needs to free memory allocated for the list using - * security_manager_groups_free(). - * - * @param[out] groups pointer to array of strings. - * @param[out] groups_count number of strings in levels array. - * @return API return code or error code. - */ -int security_manager_groups_get(char ***groups, size_t *groups_count); - -/** - * This function frees memory allocated by security_manager_groups_get() - * function. - * - * @param[in] groups array of strings returned by security_manager_groups_get() function. - * @param[in] groups_count size of the groups array - */ -void security_manager_groups_free(char **groups, size_t groups_count); - -/** - * Get package and application id of an application with given socket descriptor - * - * On successful call pkg_id and app_id should be freed when caller is done with them. - * Both pkg_id and app_id are allocated with malloc() so they should be freed with free() function. - * Either app_id or pkg_id may be NULL. NULL-ed argument will be ignored. - * If both app_id and pkg_id are NULL then SECURITY_MANAGER_ERROR_INPUT_PARAM will be returned. - * When socket descriptor is incorrect or not related to any package, this function will - * return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT. 
- * - * \param[in] Socket descriptor of wanted application - * \param[out] package id of the application - * \param[out] application id of the application - * \return API return code or error code - */ -int security_manager_identify_app_from_socket(int sockfd, char **pkg_id, char **app_id); - -/** - * Get package and application id of an application with given process identifier - * - * On successful call pkg_id and app_id should be freed when caller is done with them. - * Both pkg_id and app_id are allocated with malloc() so they should be freed with free() function. - * Either app_id or pkg_id may be NULL. NULL-ed argument will be ignored. - * If both app_id and pkg_id are NULL then SECURITY_MANAGER_ERROR_INPUT_PARAM will be returned. - * When process identifier is incorrect or not related to any package, this function will - * return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT. - * - * \note Caller must be able to access and read file /proc/PID/atrr/current where PID is the given - * process identifier. - * - * \param[in] process identifier of wanted application - * \param[out] package id of the application - * \param[out] application id of the application - * \return API return code or error code - */ -int security_manager_identify_app_from_pid(pid_t pid, char **pkg_id, char **app_id); - -/** - * Check whether an application would have access to a privilege - * - * This enables queries for application's privileges when there is no application - * process running. In such case the application label cannot be determined from - * the process and the query for privilege must be based on app_id. 
- *
- * The check result is placed in \ref result:
- * - 0: access denied
- * - 1: access granted
- *
- * @param[in] app_id application identifier
- * @param[in] privilege name
- * @param[in] uid user identifier
- * @param[out] result placeholder for result
- * @return API return code or error code
- */
-int security_manager_app_has_privilege(const char *app_id, const char *privilege,
- uid_t uid, int *result);
-
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/include/user-manager.h b/src/include/user-manager.h
new file mode 100644
index 0000000..e577fd0
--- /dev/null
+++ b/src/include/user-manager.h
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 2000 - 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Rafal Krypa
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ *
+ */
+
+#ifndef SECURITY_MANAGER_USER_MANAGER_H_
+#define SECURITY_MANAGER_USER_MANAGER_H_
+
+#include "security-manager-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * This function is responsible for initialization of user_req data structure.
+ * It uses dynamic allocation inside and user responsibility is to call
+ * security_manager_user_req_free() for freeing allocated resources.
+ *
+ * @param[in] Address of pointer for handle user_req structure
+ * @return API return code or error code
+ */
+int security_manager_user_req_new(user_req **pp_req);
+
+/*
+ * This function is used to free resources allocated by
+ * security_manager_user_req_new()
+ *
+ * @param[in] Pointer handling allocated user_req structure
+ */
+void security_manager_user_req_free(user_req *p_req);
+
+/*
+ * This function is used to set up user identifier in user_req structure.
+ *
+ * @param p_req Structure containing user data filled during this function call
+ * @param uid User identifier to be set
+ * @return API return code or error code
+ */
+int security_manager_user_req_set_uid(user_req *p_req, uid_t uid);
+
+/*
+ * This function is used to set up user type in user_req structure.
+ *
+ * @param p_req Structure containing user data filled during this function call
+ * @param utype User type to be set
+ * @return API return code or error code
+ */
+int security_manager_user_req_set_user_type(user_req *p_req, security_manager_user_type utype);
+
+/*
+ * This function should be called to inform security-manager about adding new user.
+ * This function succeeds only when is called by privileged user.
+ * Otherwise it just returns SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED and does nothing.
+ *
+ * It adds all required privileges to a newly created user.
+ * User data are passed through pointer 'p_req'.
+ * @param p_req Structure containing user data filled before calling this
+ * uid and user type needs to be filled in p_req structure,
+ * otherwise SECURITY_MANAGER_ERROR_INPUT_PARAM will be returned.
+ * @return API return code or error code.
+ */
+int security_manager_user_add(const user_req *p_req);
+
+/*
+ * This function should be called to inform security-manager about removing a user.
+ * This function succeeds only when is called by privileged user.
+ * Otherwise it just returns SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED and does nothing.
+ *
+ * It removes all privileges granted to a user that has been granted previously by
+ * security_manager_user_add.
+ *
+ * @param p_req Structure containing user data filled before calling this.
+ * uid of user needs to be filled in p_req structure,
+ * otherwise SECURITY_MANAGER_ERROR_INPUT_PARAM will be returned.
+ * @return API return code or error code
+ */
+int security_manager_user_delete(const user_req *p_req);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SECURITY_MANAGER_USER_MANAGER_H_ */
--
2.7.4
From 5bc5f5654688e9f995049ed3503343e4eaf4f97e Mon Sep 17 00:00:00 2001
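Review bot: The comment blocks in this new header open with `/*` rather than `/**`, so Doxygen will not treat them as API documentation, unlike the `/** ... */` blocks in the security-manager.h section removed above. The `@param` lines of `security_manager_user_req_new` and `security_manager_user_req_free` also omit the parameter name, so the tag cannot bind to `pp_req` / `p_req`; suggested: `@param[out] pp_req Address of the pointer that receives the allocated user_req structure` and `@param[in] p_req Pointer to the user_req structure allocated by security_manager_user_req_new()`. `uid_t` in `security_manager_user_req_set_uid` is presumably brought in through security-manager-types.h; if it is not, the header needs `<sys/types.h>` so that it is self-contained for C callers.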
From: Rafal Krypa Date: Mon, 29 Feb 2016 11:11:23 +0100 Subject: [PATCH 12/16] Sanitize naming convention for id/name of an app/pkg/author Until now it was very confusing for security-manager developers what variables like "appId" or "authorId" meant. We had a mixed convention for both textual identifiers, supplied by API users and internal numerical identifiers, assigned by security-manager database. Since now a new convention is established: - textual identifiers of application, package or author are called respectively: app name, pkg name and author name - numerical identifiers, assigned by security-manager database are called app id, pkg id and author id For now there remains one exception from the above rules - public headers of libsecurity-manager-client. API function names and parameters specified in public headers remain unchanged for backward compatibility. We might change those too in the future. Change-Id: Id0df5da9b68f29c6ef0969521cd02732f4f880d4 Signed-off-by: Rafal Krypa
---
 src/client/client-security-manager.cpp | 146 +++++------
 src/cmd/security-manager-cmd.cpp | 14 +-
 src/common/cynara.cpp | 9 +-
 src/common/include/cynara.h | 4 +-
 src/common/include/privilege_db.h | 191 +++++++-------
 src/common/include/protocols.h | 20 +-
 src/common/include/service_impl.h | 44 ++--
 src/common/include/smack-labels.h | 44 ++--
 src/common/include/smack-rules.h | 82 +++---
 src/common/privilege_db.cpp | 226 ++++++++---------
 src/common/service_impl.cpp | 322 ++++++++++++------------
 src/common/smack-labels.cpp | 58 ++---
 src/common/smack-rules.cpp | 103 ++++----
 src/server/cleanup/security-manager-cleanup.cpp | 20 +-
 src/server/service/include/service.h | 4 +-
 src/server/service/service.cpp | 56 ++---
 16 files changed, 679 insertions(+), 664 deletions(-)
diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp
index 1727bbf..033fb7f 100644
--- a/src/client/client-security-manager.cpp
+++ b/src/client/client-security-manager.cpp
@@ -123,33 +123,33 @@ int security_manager_app_inst_req_set_target_version(app_inst_req *p_req, const
 }
 SECURITY_MANAGER_API
-int security_manager_app_inst_req_set_author_id(app_inst_req *p_req, const char *author_id)
+int security_manager_app_inst_req_set_author_id(app_inst_req *p_req, const char *author_name)
 {
- if (!p_req || !author_id || strlen(author_id) == 0)
+ if (!p_req || !author_name || strlen(author_name) == 0)
 return SECURITY_MANAGER_ERROR_INPUT_PARAM;
- p_req->authorId.assign(author_id);
+ p_req->authorName.assign(author_name);
 return SECURITY_MANAGER_SUCCESS;
 }
 SECURITY_MANAGER_API
-int security_manager_app_inst_req_set_app_id(app_inst_req *p_req, const char *app_id)
+int security_manager_app_inst_req_set_app_id(app_inst_req *p_req, const char *app_name)
 {
- if (!p_req || !app_id)
+ if (!p_req || !app_name)
 return SECURITY_MANAGER_ERROR_INPUT_PARAM;
- p_req->appId = app_id;
+ p_req->appName = app_name;
 return SECURITY_MANAGER_SUCCESS;
 }
 SECURITY_MANAGER_API
-int security_manager_app_inst_req_set_pkg_id(app_inst_req *p_req, const char *pkg_id)
+int security_manager_app_inst_req_set_pkg_id(app_inst_req *p_req, const char *pkg_name)
 {
- if (!p_req || !pkg_id)
+ if (!p_req || !pkg_name)
 return SECURITY_MANAGER_ERROR_INPUT_PARAM;
- p_req->pkgId = pkg_id;
+ p_req->pkgName = pkg_name;
 return SECURITY_MANAGER_SUCCESS;
 }
@@ -185,7 +185,7 @@ int security_manager_app_install(const app_inst_req *p_req)
 //checking parameters
 if (!p_req)
 return SECURITY_MANAGER_ERROR_INPUT_PARAM;
- if (p_req->appId.empty() || p_req->pkgId.empty())
+ if (p_req->appName.empty() || p_req->pkgName.empty())
 return SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE;
 int retval;
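Review bot: `security_manager_app_inst_req_set_app_id` and `security_manager_app_inst_req_set_pkg_id` accept an empty string (only a null pointer is rejected), whereas `security_manager_app_inst_req_set_author_id` in the same hunk rejects it with `strlen(author_name) == 0`; an empty app or package name only surfaces later as `SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE` in `security_manager_app_install` (second hunk). If that asymmetry is deliberate it deserves a comment on the two setters, e.g. `// an empty name is accepted here; security_manager_app_install reports it as REQ_NOT_COMPLETE`; otherwise the two setters could apply the same `strlen(...) == 0` check as the author setter and fail fast with `SECURITY_MANAGER_ERROR_INPUT_PARAM`. `security_manager_app_install` begins before the second hunk and continues after it.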
@@ -198,13 +198,13 @@ int security_manager_app_install(const app_inst_req *p_req)
 //put data into buffer
 Serialization::Serialize(send, (int)SecurityModuleCall::APP_INSTALL,
- p_req->appId,
- p_req->pkgId,
+ p_req->appName,
+ p_req->pkgName,
 p_req->privileges,
 p_req->appPaths,
 p_req->uid,
 p_req->tizenVersion,
- p_req->authorId);
+ p_req->authorName);
 //send buffer to server
 retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv);
@@ -230,12 +230,12 @@ int security_manager_app_uninstall(const app_inst_req *p_req)
 //checking parameters
 if (!p_req)
 return SECURITY_MANAGER_ERROR_INPUT_PARAM;
- if (p_req->appId.empty())
+ if (p_req->appName.empty())
 return SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE;
 //put data into buffer
 Serialization::Serialize(send, (int)SecurityModuleCall::APP_UNINSTALL,
- p_req->appId);
+ p_req->appName);
 //send buffer to server
 int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv);
@@ -251,7 +251,7 @@ int security_manager_app_uninstall(const app_inst_req *p_req)
 }
 SECURITY_MANAGER_API
-int security_manager_get_app_pkgid(char **pkg_id, const char *app_id)
+int security_manager_get_app_pkgid(char **pkg_name, const char *app_name)
 {
 using namespace SecurityManager;
 MessageBuffer send, recv;
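Review bot: `Serialization::Serialize(send, (int)SecurityModuleCall::APP_INSTALL, ...)` and the `APP_UNINSTALL` call in the second hunk use a C-style cast, while the other Serialize calls in this file visible in later hunks (`APP_GET_PKG_NAME`, `APP_GET_GROUPS`, `APP_HAS_PRIVILEGE`) use `static_cast`; since the rename already rewrites the neighbouring lines, `static_cast<int>(SecurityModuleCall::APP_INSTALL)` would make the cast style uniform and greppable. Both hunks sit in the middle of `security_manager_app_install` / `security_manager_app_uninstall`, whose bodies continue outside them.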
@@ -261,19 +261,19 @@ int security_manager_get_app_pkgid(char **pkg_id, const char *app_id)
 return try_catch([&]() -> int {
 //checking parameters
- if (app_id == NULL) {
- LogError("security_manager_app_get_pkgid: app_id is NULL");
+ if (app_name == NULL) {
+ LogError("security_manager_app_get_pkgid: app_name is NULL");
 return SECURITY_MANAGER_ERROR_INPUT_PARAM;
 }
- if (pkg_id == NULL) {
- LogError("security_manager_app_get_pkgid: pkg_id is NULL");
+ if (pkg_name == NULL) {
+ LogError("security_manager_app_get_pkgid: pkg_name is NULL");
 return SECURITY_MANAGER_ERROR_INPUT_PARAM;
 }
 //put data into buffer
- Serialization::Serialize(send, static_cast(SecurityModuleCall::APP_GET_PKGID),
- std::string(app_id));
+ Serialization::Serialize(send, static_cast(SecurityModuleCall::APP_GET_PKG_NAME),
+ std::string(app_name));
 //send buffer to server
 int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv);
@@ -287,16 +287,16 @@ int security_manager_get_app_pkgid(char **pkg_id, const char *app_id)
 if (retval != SECURITY_MANAGER_SUCCESS)
 return retval;
- std::string pkgIdString;
- Deserialization::Deserialize(recv, pkgIdString);
- if (pkgIdString.empty()) {
- LogError("Unexpected empty pkgId");
+ std::string pkgNameString;
+ Deserialization::Deserialize(recv, pkgNameString);
+ if (pkgNameString.empty()) {
+ LogError("Unexpected empty pkgName");
 return SECURITY_MANAGER_ERROR_UNKNOWN;
 }
- *pkg_id = strdup(pkgIdString.c_str());
- if (*pkg_id == NULL) {
- LogError("Failed to allocate memory for pkgId");
+ *pkg_name = strdup(pkgNameString.c_str());
+ if (*pkg_name == NULL) {
+ LogError("Failed to allocate memory for pkgName");
 return SECURITY_MANAGER_ERROR_MEMORY;
 }
@@ -366,7 +366,7 @@ static bool setup_smack(const char *label)
 }
 SECURITY_MANAGER_API
-int security_manager_set_process_label_from_appid(const char *app_id)
+int security_manager_set_process_label_from_appid(const char *app_name)
 {
 int ret;
 std::string appLabel;
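Review bot: The client now sends `SecurityModuleCall::APP_GET_PKG_NAME` where it sent `APP_GET_PKGID`, and it is the enumerator's integer value (cast to int, as the `(int)SecurityModuleCall::APP_INSTALL` call shows) that is serialized onto the socket, so the matching rename in protocols.h (not in this chunk) must keep the enumerator at the same position; otherwise a client and a server built from different revisions will disagree on which call a message encodes. A short comment at the enum definition, `// enumerator order is wire ABI between client and server: append only, never reorder`, would document that constraint for the next rename. The enclosing `security_manager_get_app_pkgid` begins in the previous hunk and ends after the second hunk here.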
@@ -377,9 +377,9 @@ int security_manager_set_process_label_from_appid(const char *app_id)
 return SECURITY_MANAGER_SUCCESS;
 try {
- appLabel = SecurityManager::SmackLabels::generateAppLabel(app_id);
+ appLabel = SecurityManager::SmackLabels::generateAppLabel(app_name);
 } catch (...) {
- LogError("Failed to generate smack label for appId: " << app_id);
+ LogError("Failed to generate smack label for appName: " << app_name);
 return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT;
 }
@@ -392,7 +392,7 @@ int security_manager_set_process_label_from_appid(const char *app_id)
 }
 SECURITY_MANAGER_API
-int security_manager_set_process_groups_from_appid(const char *app_id)
+int security_manager_set_process_groups_from_appid(const char *app_name)
 {
 using namespace SecurityManager;
 MessageBuffer send, recv;
@@ -403,14 +403,14 @@ int security_manager_set_process_groups_from_appid(const char *app_id)
 return try_catch([&]() -> int {
 //checking parameters
- if (app_id == nullptr) {
- LogError("app_id is NULL");
+ if (app_name == nullptr) {
+ LogError("app_name is NULL");
 return SECURITY_MANAGER_ERROR_INPUT_PARAM;
 }
 //put data into buffer
 Serialization::Serialize(send, static_cast(SecurityModuleCall::APP_GET_GROUPS),
- std::string(app_id));
+ std::string(app_name));
 //send buffer to server
 int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv);
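Review bot: `catch (...)` in the first hunk maps every exception thrown by `generateAppLabel` to `SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT`, so an allocation failure or any unrelated error is reported to the caller as "no such application"; the equivalent lookup in `get_app_and_pkg_id_from_smack_label` later in this file catches only `SmackException::InvalidLabel`. Narrowing the first handler to `SmackException::InvalidLabel` keeps the NO_SUCH_OBJECT mapping for the case it is meant for, and a trailing `catch (...)` that logs and returns `SECURITY_MANAGER_ERROR_UNKNOWN` keeps the C entry point from leaking an exception; this assumes `generateAppLabel` throws `InvalidLabel` for a bad name, which should be verified in smack-labels. `security_manager_set_process_label_from_appid` begins before this hunk and continues after it.
```cpp
    try {
        appLabel = SecurityManager::SmackLabels::generateAppLabel(app_name);
    } catch (const SmackException::InvalidLabel &) {
        LogError("Failed to generate smack label for appName: " << app_name);
        return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT;
    } catch (...) {
        LogError("Unexpected error while generating smack label for appName: " << app_name);
        return SECURITY_MANAGER_ERROR_UNKNOWN;
    }
    // … unchanged: rest of security_manager_set_process_label_from_appid …
```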
@@ -506,16 +506,16 @@ int security_manager_drop_process_privileges(void)
 }
 SECURITY_MANAGER_API
-int security_manager_prepare_app(const char *app_id)
+int security_manager_prepare_app(const char *app_name)
 {
 LogDebug("security_manager_prepare_app() called");
 int ret;
- ret = security_manager_set_process_label_from_appid(app_id);
+ ret = security_manager_set_process_label_from_appid(app_name);
 if (ret != SECURITY_MANAGER_SUCCESS)
 return ret;
- ret = security_manager_set_process_groups_from_appid(app_id);
+ ret = security_manager_set_process_groups_from_appid(app_name);
 if (ret != SECURITY_MANAGER_SUCCESS) {
 LogWarning("Unable to setup process groups for application. Privileges with direct access to resources will not work.");
 ret = SECURITY_MANAGER_SUCCESS;
@@ -783,11 +783,11 @@ void security_manager_policy_entry_free(policy_entry *p_entry)
 }
 SECURITY_MANAGER_API
-int security_manager_policy_entry_set_application(policy_entry *p_entry, const char *app_id)
+int security_manager_policy_entry_set_application(policy_entry *p_entry, const char *app_name)
 {
 if (!p_entry)
 return SECURITY_MANAGER_ERROR_INPUT_PARAM;
- p_entry->appId = app_id;
+ p_entry->appName = app_name;
 return SECURITY_MANAGER_SUCCESS;
 }
@@ -848,7 +848,7 @@ const char *security_manager_policy_entry_get_user(policy_entry *p_entry)
 SECURITY_MANAGER_API
 const char *security_manager_policy_entry_get_application(policy_entry *p_entry)
 {
- return p_entry ? p_entry->appId.c_str() : nullptr;
+ return p_entry ? p_entry->appName.c_str() : nullptr;
 }
 SECURITY_MANAGER_API
 const char *security_manager_policy_entry_get_privilege(policy_entry *p_entry)
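Review bot: `security_manager_policy_entry_set_application` (second hunk) assigns `p_entry->appName = app_name;` without checking `app_name` for null, and assigning a null `const char *` to a `std::string` is undefined behaviour; the `set_app_id` / `set_pkg_id` setters earlier in this file reject a null pointer with `SECURITY_MANAGER_ERROR_INPUT_PARAM`. Suggested guard: `if (!p_entry || !app_name) return SECURITY_MANAGER_ERROR_INPUT_PARAM;`. The "any application" wildcard is the `SECURITY_MANAGER_ANY` string per the header examples, so null does not need to be accepted as a value here.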
@@ -1010,37 +1010,37 @@ void security_manager_groups_free(char **groups, size_t groups_count)
 static lib_retcode get_app_and_pkg_id_from_smack_label(
 const std::string &label,
- char **pkg_id,
- char **app_id)
+ char **pkg_name,
+ char **app_name)
 {
- std::string appIdString;
+ std::string appNameString;
 try {
- appIdString = SmackLabels::generateAppNameFromLabel(label);
+ appNameString = SmackLabels::generateAppNameFromLabel(label);
 } catch (const SmackException::InvalidLabel &) {
 return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT;
 }
- if (app_id && !(*app_id = strdup(appIdString.c_str()))) {
+ if (app_name && !(*app_name = strdup(appNameString.c_str()))) {
 LogError("Memory allocation in strdup failed.");
 return SECURITY_MANAGER_ERROR_MEMORY;
 }
- return pkg_id ? static_cast(security_manager_get_app_pkgid(pkg_id, appIdString.c_str()))
+ return pkg_name ? static_cast(security_manager_get_app_pkgid(pkg_name, appNameString.c_str()))
 : SECURITY_MANAGER_SUCCESS;
 }
 static int security_manager_identify_app(
 const std::function &getLabel,
- char **pkg_id,
- char **app_id)
+ char **pkg_name,
+ char **app_name)
 {
 using namespace SecurityManager;
 LogDebug(__PRETTY_FUNCTION__ << " called");
- if (pkg_id == NULL && app_id == NULL) {
- LogError("Both pkg_id and app_id are NULL");
+ if (pkg_name == NULL && app_name == NULL) {
+ LogError("Both pkg_name and app_name are NULL");
 return SECURITY_MANAGER_ERROR_INPUT_PARAM;
 }
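Review bot: In `get_app_and_pkg_id_from_smack_label`, when both out-parameters are requested and `security_manager_get_app_pkgid` fails after `*app_name` has already been `strdup`'d, the function returns an error while leaving the allocated string in `*app_name`; the public contract for identify_app_from_socket/pid only asks callers to free the strings on a successful call, so that allocation leaks on every such error. Capture the package lookup result and release `*app_name` on the failure path before returning it. `security_manager_identify_app` continues past the end of this hunk.
```cpp
    if (!pkg_name)
        return SECURITY_MANAGER_SUCCESS;

    const lib_retcode ret = static_cast<lib_retcode>(
        security_manager_get_app_pkgid(pkg_name, appNameString.c_str()));
    if (ret != SECURITY_MANAGER_SUCCESS && app_name) {
        free(*app_name);   // do not hand the caller an allocation on an error path
        *app_name = nullptr;
    }
    return ret;
```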
@@ -1051,38 +1051,38 @@ static int security_manager_identify_app(
 return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT;
 }
- return get_app_and_pkg_id_from_smack_label(label, pkg_id, app_id);
+ return get_app_and_pkg_id_from_smack_label(label, pkg_name, app_name);
 }
 SECURITY_MANAGER_API
-int security_manager_identify_app_from_socket(int sockfd, char **pkg_id, char **app_id)
+int security_manager_identify_app_from_socket(int sockfd, char **pkg_name, char **app_name)
 {
 return try_catch([&] {
 return security_manager_identify_app([&] {
 return SmackLabels::getSmackLabelFromSocket(sockfd);
- }, pkg_id, app_id);
+ }, pkg_name, app_name);
 });
 }
 SECURITY_MANAGER_API
-int security_manager_identify_app_from_pid(pid_t pid, char **pkg_id, char **app_id)
+int security_manager_identify_app_from_pid(pid_t pid, char **pkg_name, char **app_name)
 {
 return try_catch([&] {
 return security_manager_identify_app([&] {
 return SmackLabels::getSmackLabelFromPid(pid);
- }, pkg_id, app_id);
+ }, pkg_name, app_name);
 });
 }
 SECURITY_MANAGER_API
-int security_manager_app_has_privilege(const char *app_id, const char *privilege,
+int security_manager_app_has_privilege(const char *app_name, const char *privilege,
 uid_t uid, int *result)
 {
 using namespace SecurityManager;
 MessageBuffer send, recv;
 return try_catch([&]() -> int {
 Serialization::Serialize(send, static_cast(SecurityModuleCall::APP_HAS_PRIVILEGE),
- std::string(app_id), std::string(privilege), uid);
+ std::string(app_name), std::string(privilege), uid);
 int retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv);
 if (retval != SECURITY_MANAGER_SUCCESS) {
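Review bot: `security_manager_app_has_privilege` builds `std::string(app_name)` and `std::string(privilege)` straight from the C-API arguments without a null check, so a null pointer from a caller is undefined behaviour instead of the `SECURITY_MANAGER_ERROR_INPUT_PARAM` that the other entry points in this file return (for example `security_manager_set_process_groups_from_appid`). Suggested first statement of the try_catch lambda: `if (!app_name || !privilege || !result) return SECURITY_MANAGER_ERROR_INPUT_PARAM;` — the `result` check assumes it is dereferenced later in the function, which lies past the end of this hunk.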
@@ -1125,25 +1125,25 @@ void security_manager_private_sharing_req_free(private_sharing_req *p_req)
 }
 SECURITY_MANAGER_API
-int security_manager_private_sharing_req_set_owner_appid(private_sharing_req *p_req,
- const char *app_id)
+int security_manager_private_sharing_req_set_owner_appid(
+ private_sharing_req *p_req, const char *app_name)
 {
 return try_catch([&] {
- if (!p_req || !app_id)
+ if (!p_req || !app_name)
 return SECURITY_MANAGER_ERROR_INPUT_PARAM;
- p_req->ownerAppId = app_id;
+ p_req->ownerAppName = app_name;
 return SECURITY_MANAGER_SUCCESS;
 });
 }
 SECURITY_MANAGER_API
-int security_manager_private_sharing_req_set_target_appid(private_sharing_req *p_req,
- const char *app_id)
+int security_manager_private_sharing_req_set_target_appid(
+ private_sharing_req *p_req, const char *app_name)
 {
 return try_catch([&] {
- if (!p_req || !app_id)
+ if (!p_req || !app_name)
 return SECURITY_MANAGER_ERROR_INPUT_PARAM;
- p_req->targetAppId = app_id;
+ p_req->targetAppName = app_name;
 return SECURITY_MANAGER_SUCCESS;
 });
 }
@@ -1170,13 +1170,13 @@ int security_manager_private_sharing_apply(const private_sharing_req *p_req)
 return try_catch([&]() -> int {
 if (!p_req)
 return SECURITY_MANAGER_ERROR_INPUT_PARAM;
- if (p_req->ownerAppId.empty() || p_req->targetAppId.empty() || p_req->paths.empty())
+ if (p_req->ownerAppName.empty() || p_req->targetAppName.empty() || p_req->paths.empty())
 return SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE;
 MessageBuffer send, recv;
 Serialization::Serialize(send, static_cast(SecurityModuleCall::APP_APPLY_PRIVATE_SHARING));
- Serialization::Serialize(send, p_req->ownerAppId);
- Serialization::Serialize(send, p_req->targetAppId);
+ Serialization::Serialize(send, p_req->ownerAppName);
+ Serialization::Serialize(send, p_req->targetAppName);
 Serialization::Serialize(send, p_req->paths);
 //send buffer to server
@@ -1199,13 +1199,13 @@ int security_manager_private_sharing_drop(const private_sharing_req *p_req)
 return try_catch([&]() -> int {
 if (!p_req)
 return SECURITY_MANAGER_ERROR_INPUT_PARAM;
- if (p_req->ownerAppId.empty() || p_req->targetAppId.empty() || p_req->paths.empty())
+ if (p_req->ownerAppName.empty() || p_req->targetAppName.empty() || p_req->paths.empty())
 return SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE;
 MessageBuffer send, recv;
 Serialization::Serialize(send, static_cast(SecurityModuleCall::APP_DROP_PRIVATE_SHARING));
- Serialization::Serialize(send, p_req->ownerAppId);
- Serialization::Serialize(send, p_req->targetAppId);
+ Serialization::Serialize(send, p_req->ownerAppName);
+ Serialization::Serialize(send, p_req->targetAppName);
 Serialization::Serialize(send, p_req->paths);
 //send buffer to server
diff --git a/src/cmd/security-manager-cmd.cpp b/src/cmd/security-manager-cmd.cpp
index a15b70e..a1f55e5 100644
--- a/src/cmd/security-manager-cmd.cpp
+++ b/src/cmd/security-manager-cmd.cpp
@@ -210,9 +210,9 @@ static void parseInstallOptions(int argc, char *argv[],
 parseCommandOptions(argc, argv, getInstallOptions(), vm);
 if (vm.count("app"))
- req.appId = vm["app"].as();
+ req.appName = vm["app"].as();
 if (vm.count("pkg"))
- req.pkgId = vm["pkg"].as();
+ req.pkgName = vm["pkg"].as();
 if (vm.count("path")) {
 const std::vector paths = vm["path"].as >();
@@ -237,7 +237,7 @@ static void parseInstallOptions(int argc, char *argv[],
 if (vm.count("uid"))
 req.uid = vm["uid"].as();
 if (vm.count("author-id")) {
- req.authorId = vm["author-id"].as();
+ req.authorName = vm["author-id"].as();
 }
 }
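Review bot: `parseInstallOptions` in security-manager-cmd.cpp writes `req.appName`, `req.pkgName` and `req.authorName` directly into the `app_inst_req` struct instead of going through `security_manager_app_inst_req_set_app_id` / `set_pkg_id` / `set_author_id`, so the input checks those setters perform (an empty author name is rejected there with `SECURITY_MANAGER_ERROR_INPUT_PARAM`) are bypassed by the command-line tool. That is presumably intentional because the tool has access to the request struct's fields, but a comment such as `// fields are filled directly; the validation done by the security_manager_app_inst_req_set_* API is not applied here` would make it explicit for the next reader. `parseInstallOptions` starts before the first cmd hunk, and the second cmd hunk is its tail.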
@@ -266,15 +266,15 @@ static int installApp(const struct app_inst_req &req) ret = security_manager_app_install(&req); if (SECURITY_MANAGER_SUCCESS == ret) { - std::cout << "Application " << req.appId << + std::cout << "Application " << req.appName << " installed successfully." << std::endl; - LogDebug("Application " << req.appId << + LogDebug("Application " << req.appName << " installed successfully."); } else { - std::cout << "Failed to install " << req.appId << " application: " << + std::cout << "Failed to install " << req.appName << " application: " << security_manager_strerror(static_cast(ret)) << " (" << ret << ")." << std::endl; - LogError("Failed to install " << req.appId << " application: " << + LogError("Failed to install " << req.appName << " application: " << security_manager_strerror(static_cast(ret)) << " (" << ret << ")." << std::endl); } diff --git a/src/common/cynara.cpp b/src/common/cynara.cpp index 923abd8..b5d85dc 100644 --- a/src/common/cynara.cpp +++ b/src/common/cynara.cpp @@ -391,8 +391,8 @@ void CynaraAdmin::UserRemove(uid_t uid) } void CynaraAdmin::ListPolicies( - const std::string &bucketName, - const std::string &appId, + const std::string &bucket, + const std::string &label, const std::string &user, const std::string &privilege, std::vector &policies) @@ -400,9 +400,9 @@ void CynaraAdmin::ListPolicies( struct cynara_admin_policy ** pp_policies = nullptr; checkCynaraError( - cynara_admin_list_policies(m_CynaraAdmin, bucketName.c_str(), appId.c_str(), + cynara_admin_list_policies(m_CynaraAdmin, bucket.c_str(), label.c_str(), user.c_str(), privilege.c_str(), &pp_policies), - "Error while getting list of policies for bucket: " + bucketName); + "Error while getting list of policies for bucket: " + bucket); for (std::size_t i = 0; pp_policies[i] != nullptr; i++) { policies.push_back(std::move(*static_cast(pp_policies[i]))); 
@@ -484,6 +484,7 @@ int CynaraAdmin::convertToPolicyType(const std::string &policy, bool forceRefres return DescriptionToType.at(policy); } + void CynaraAdmin::Check(const std::string &label, const std::string &user, const std::string &privilege, const std::string &bucket, int &result, std::string &resultExtra, const bool recursive) { diff --git a/src/common/include/cynara.h b/src/common/include/cynara.h index c6a77f3..62763d0 100644 --- a/src/common/include/cynara.h +++ b/src/common/include/cynara.h @@ -160,14 +160,14 @@ public: * List Cynara policies that match selected criteria in given bucket. * * @param bucketName name of the bucket to search policies in - * @param appId string with id of app to match in search + * @param label string with label of app to match in search * @param user user string to match in search * @param privilege privilege string to match in search * @param policies empty vector for results of policies filtering. * */ void ListPolicies(const std::string &bucketName, - const std::string &appId, + const std::string &label, const std::string &user, const std::string &privilege, std::vector &policies); diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h index 17d4c29..cb30b67 100644 --- a/src/common/include/privilege_db.h +++ b/src/common/include/privilege_db.h @@ -52,10 +52,10 @@ enum class StmtType { ERemoveApplication, EAddAppPrivileges, ERemoveAppPrivileges, - EPkgIdExists, - EAppIdExists, - EGetPkgId, - EGetPkgIdAndVer, + EPkgNameExists, + EAppNameExists, + EGetAppPkgName, + EGetAppVersion, EGetPathSharedCount, EGetTargetPathSharedCount, EGetOwnerTargetSharedCount, @@ -70,7 +70,7 @@ enum class StmtType { EGetAllTizen2XPackages, EGetAppsInPkg, EGetGroups, - EGetAuthorIdAppId, + EGetAppAuthorId, EAuthorIdExists, }; 
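Review bot: The declaration of ListPolicies keeps its first parameter named `bucketName` (and the `@param bucketName` line above it) while the definition in cynara.cpp earlier in this patch renames it to `bucket`, so the Doxygen block and the signature no longer match the implementation. Pick one name: either `const std::string &bucket,` with ` * @param bucket name of the bucket to search policies in` here, or keep `bucketName` in the .cpp. The class body containing this declaration continues outside the hunk.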
@@ -107,10 +107,10 @@ private: { StmtType::ERemoveApplication, "DELETE FROM app_pkg_view WHERE app_name=? AND uid=?" }, { StmtType::EAddAppPrivileges, "INSERT INTO app_privilege_view (app_name, uid, privilege_name) VALUES (?, ?, ?)" }, { StmtType::ERemoveAppPrivileges, "DELETE FROM app_privilege_view WHERE app_name=? AND uid=?" }, - { StmtType::EPkgIdExists, "SELECT * FROM pkg WHERE name=?" }, - { StmtType::EAppIdExists, "SELECT * FROM app WHERE name=?" }, - { StmtType::EGetPkgId, "SELECT pkg_name FROM app_pkg_view WHERE app_name = ?" }, - { StmtType::EGetPkgIdAndVer, "SELECT pkg_name, version FROM app_pkg_view WHERE app_name = ?" }, + { StmtType::EPkgNameExists, "SELECT count(*) FROM pkg WHERE name=?" }, + { StmtType::EAppNameExists, "SELECT count(*) FROM app WHERE name=?" }, + { StmtType::EGetAppPkgName, "SELECT pkg_name FROM app_pkg_view WHERE app_name = ?" }, + { StmtType::EGetAppVersion, "SELECT version FROM app_pkg_view WHERE app_name = ?" }, { StmtType::EGetPathSharedCount, "SELECT COUNT(*) FROM app_private_sharing_view WHERE path = ?"}, { StmtType::EGetTargetPathSharedCount, "SELECT COUNT(*) FROM app_private_sharing_view WHERE target_app_name = ? AND path = ?"}, { StmtType::EGetOwnerTargetSharedCount, "SELECT COUNT(*) FROM app_private_sharing_view WHERE owner_app_name = ? AND target_app_name = ?"}, @@ -125,7 +125,7 @@ private: { StmtType::EGetAllTizen2XPackages, "SELECT DISTINCT pkg_name FROM app_pkg_view WHERE version LIKE '2.%%' AND app_name <> ?" }, { StmtType::EGetAppsInPkg, " SELECT app_name FROM app_pkg_view WHERE pkg_name = ?" }, { StmtType::EGetGroups, "SELECT DISTINCT group_name FROM privilege_group_view" }, - { StmtType::EGetAuthorIdAppId, "SELECT author_id FROM app_pkg_view WHERE app_name = ?"}, + { StmtType::EGetAppAuthorId, "SELECT author_id FROM app_pkg_view WHERE app_name = ? AND author_id IS NOT NULL"}, { StmtType::EAuthorIdExists, "SELECT count(*) FROM author where author_id=?"}, }; 
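Review bot: `EPkgNameExists` and `EAppNameExists` switch from `SELECT *` to `SELECT count(*)`, which changes what a successful Step() means — the statement now always yields exactly one row, so an existence check has to read the integer in column 0 rather than test whether Step() returned a row. The implementations of PkgNameExists/AppNameExists in privilege_db.cpp are outside this chunk, so I cannot confirm they were changed with it. A comment next to the statements would keep the coupling visible, e.g. `/* count(*) always yields one row: callers read column 0, not the Step() result */`.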
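Review bot: `EGetAppAuthorId` now appends `AND author_id IS NOT NULL`, so an application installed without an author produces no row at all instead of a row with a NULL column; the header's GetAppAuthorId documentation later in this patch promises -1 in that case, which only holds if the caller turns "no row" into -1 explicitly. The implementation in privilege_db.cpp is outside this chunk, so I cannot confirm it does. Recording that at the statement, e.g. `/* yields no row when the app has no author; GetAppAuthorId maps that to -1 */`, would make the contract checkable.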
@@ -152,36 +152,6 @@ private: */ StatementWrapper getStatement(StmtType queryType); - /** - * Check if appId is registered in database - * - * @param appId - package identifier - * @exception DB::SqlConnection::Exception::InternalError on internal error - * @return true if appId exists in the database - * - */ - bool AppIdExists(const std::string &appId); - - /** - * Check if pkgId is already registered in database - * - * @param pkgId - package identifier - * @exception DB::SqlConnection::Exception::InternalError on internal error - * @return true if pkgId exists in the database - * - */ - bool PkgIdExists(const std::string &pkgId); - - /** - * Check if authorId is already registered in database - * - * @param authorId - package identifier - * @exception DB::SqlConnection::Exception::InternalError on internal error - * @return true if authorId exists in the database - * - */ - bool AuthorIdExists(const std::string &authorId); - public: class Exception { 
@@ -217,61 +187,87 @@ public: void RollbackTransaction(void); /** + * Check if appName is registered in database + * + * @param appName - package identifier + * @exception DB::SqlConnection::Exception::InternalError on internal error + * + */ + bool AppNameExists(const std::string &appName); + + /** + * Check if pkgName is already registered in database + * + * @param pkgName - package identifier + * @exception DB::SqlConnection::Exception::InternalError on internal error + * @return true if pkgName exists in the database + * + */ + bool PkgNameExists(const std::string &pkgName); + + /** + * Check if authorId is already registered in database + * + * @param authorId numerical author identifier + * @exception DB::SqlConnection::Exception::InternalError on internal error + * @return true if authorId exists in the database + * + */ + bool AuthorIdExists(int authorId); + + /** * Return package id associated with a given application id * - * @param appId - application identifier - * @param[out] pkgId - return application's pkgId - * @return true is application exists, false otherwise + * @param appName - application identifier + * @param[out] pkgName - return application's package identifier * @exception DB::SqlConnection::Exception::InternalError on internal error */ - bool GetAppPkgId(const std::string &appId, std::string &pkgId); + void GetAppPkgName(const std::string &appName, std::string &pkgName); /** - * Return package id and tizen version associated with a given application id + * Return Tizen version associated with a given application identifier * - * @param appId - application identifier - * @param[out] pkgId - return application's pkgId - * @param[out] tizenVer - return application's target tizen version - * @return true is application exists, false otherwise + * @param appName - application identifier + * @param[out] tizenVer - return application's target Tizen version * @exception DB::SqlConnection::Exception::InternalError on internal error */ - bool 
GetAppPkgIdAndVer(const std::string &appId, std::string &pkgId, std::string &tizenVer); + void GetAppVersion(const std::string &appName, std::string &tizenVer); /** - * Retrieve list of privileges assigned to a pkgId + * Retrieve list of privileges assigned to a package * - * @param pkgId - package identifier + * @param pkgName - package identifier * @param uid - user identifier for whom privileges will be retrieved - * @param[out] currentPrivileges - list of current privileges assigned to pkgId + * @param[out] currentPrivileges - list of current privileges assigned to the package * @exception DB::SqlConnection::Exception::InternalError on internal error */ - void GetPkgPrivileges(const std::string &pkgId, uid_t uid, + void GetPkgPrivileges(const std::string &pkgName, uid_t uid, std::vector ¤tPrivilege); /** - * Retrieve list of privileges assigned to an appId + * Retrieve list of privileges assigned to an appName * - * @param appId - application identifier + * @param appName - application identifier * @param uid - user identifier for whom privileges will be retrieved - * @param[out] currentPrivileges - list of current privileges assigned to appId + * @param[out] currentPrivileges - list of current privileges assigned to appName * @exception DB::SqlConnection::Exception::InternalError on internal error */ - void GetAppPrivileges(const std::string &appId, uid_t uid, + void GetAppPrivileges(const std::string &appName, uid_t uid, std::vector ¤tPrivileges); /** * Add an application into the database * - * @param appId - application identifier - * @param pkgId - package identifier + * @param appName - application identifier + * @param pkgName - package identifier * @param uid - user identifier for whom application is going to be installed * @param targetTizenVer - target tizen version for application * @param author - author identifier * @exception DB::SqlConnection::Exception::InternalError on internal error */ void AddApplication( - const std::string &appId, - const 
std::string &pkgId, + const std::string &appName, + const std::string &pkgName, uid_t uid, const std::string &targetTizenVer, const std::string &authorId); 
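Review bot: `AppNameExists` is the only one of the three newly public existence checks whose comment lacks a `@return` line; add ` * @return true if appName exists in the database` to match PkgNameExists and AuthorIdExists. `GetAppPkgName` and `GetAppVersion` drop the old `@return true is application exists, false otherwise` as they become void, which leaves the behaviour for an unknown appName unstated — say whether it throws or leaves the out-parameter untouched. `AddApplication` (unchanged lines at the end of the hunk) still takes `const std::string &authorId` and documents it as `@param author`, while the request field was renamed `authorName` and author ids are `int` elsewhere in this patch; if the string is the author name, `const std::string &authorName` with a matching `@param authorName` would remove the ambiguity. The class continues outside the hunk.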
@@ -279,39 +275,39 @@ public: /** * Remove an application from the database * - * @param appId - application identifier + * @param appName - application identifier * @param uid - user identifier whose application is going to be uninstalled - * @param[out] appIdIsNoMore - return info if appId is in the database - * @param[out] pkgIdIsNoMore - return info if pkgId is in the database - * @param[out] authorIdIsNoMore - return info if authorId is in the database + * @param[out] appNameIsNoMore - return info if appName is in the database + * @param[out] pkgNameIsNoMore - return info if pkgName is in the database + * @param[out] authorNameIsNoMore - return info if authorName is in the database * @exception DB::SqlConnection::Exception::InternalError on internal error */ void RemoveApplication( - const std::string &appId, + const std::string &appName, uid_t uid, - bool &appIdIsNoMore, - bool &pkgIdIsNoMore, - bool &authorIdIsNoMore); + bool &appNameIsNoMore, + bool &pkgNameIsNoMore, + bool &authorNameIsNoMore); /** * Remove privileges assigned to application * - * @param appId - application identifier + * @param appName - application identifier * @param uid - user identifier for whom privileges will be removed * @exception DB::SqlConnection::Exception::InternalError on internal error */ - void RemoveAppPrivileges(const std::string &appId, uid_t uid); + void RemoveAppPrivileges(const std::string &appName, uid_t uid); /** * Update privileges assigned to application * To assure data integrity this method must be called inside db transaction. 
* - * @param appId - application identifier + * @param appName - application identifier * @param uid - user identifier for whom privileges will be updated * @param privileges - list of privileges to assign * @exception DB::SqlConnection::Exception::InternalError on internal error */ - void UpdateAppPrivileges(const std::string &appId, uid_t uid, + void UpdateAppPrivileges(const std::string &appName, uid_t uid, const std::vector &privileges); /** 
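Review bot: `RemoveApplication`'s third output is renamed to `authorNameIsNoMore` and documented as reporting on `authorName`, but authors are identified numerically everywhere else in this patch (`AuthorIdExists(int)`, `GetAppAuthorId(..., int &)`), so the old `authorIdIsNoMore` was the accurate name. If the flag reports whether the numeric author id still exists, keep `bool &authorIdIsNoMore` and ` * @param[out] authorIdIsNoMore - return info if authorId is in the database`. The class continues outside the hunk.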
@@ -326,47 +322,47 @@ public: /** * Get count of existing sharing between given applications * - * @param ownerAppId - application identifier - * @param targetAppId - application identifier + * @param ownerAppName - application identifier + * @param targetAppName - application identifier * @param[out] count - count of sharing * @exception DB::SqlConnection::Exception::InternalError on internal error */ - void GetOwnerTargetSharingCount(const std::string &ownerAppId, const std::string &targetAppId, + void GetOwnerTargetSharingCount(const std::string &ownerAppName, const std::string &targetAppName, int &count); /** * Get count of existing path sharing with target application * - * @param targetAppId - application identifier + * @param targetAppName - application identifier * @param path - user identifier for whom privileges will be updated * @param[out] count - count of sharing * @exception DB::SqlConnection::Exception::InternalError on internal error */ - void GetTargetPathSharingCount(const std::string &targetAppId, + void GetTargetPathSharingCount(const std::string &targetAppName, const std::string &path, int &count); /** * Add information about path sharing between owner application and target application * - * @param ownerAppId - application identifier - * @param targetAppId - application identifier + * @param ownerAppName - application identifier + * @param targetAppName - application identifier * @param path - path name * @param pathLabel - label of path * @exception DB::SqlConnection::Exception::InternalError on internal error */ - void ApplyPrivateSharing(const std::string &ownerAppId, const std::string &targetAppId, + void ApplyPrivateSharing(const std::string &ownerAppName, const std::string &targetAppName, const std::string &path, const std::string &pathLabel); /** * Remove information about path sharing between owner application and target application * - * @param ownerAppId - application identifier - * @param targetAppId - application identifier + * 
@param ownerAppName - application identifier + * @param targetAppName - application identifier * @param path - path name * @exception DB::SqlConnection::Exception::InternalError on internal error */ - void DropPrivateSharing(const std::string &ownerAppId, const std::string &targetAppId, + void DropPrivateSharing(const std::string &ownerAppName, const std::string &targetAppName, const std::string &path); /** 
@@ -404,34 +400,35 @@ public: * @exception DB::SqlConnection::Exception::InternalError on internal error */ void GetUserApps(uid_t uid, std::vector &apps); + /** * Retrieve a list of all application ids for a package id * - * @param pkgId - package id - * @param[out] appIds - list of application ids for the package id + * @param pkgName - package identifier + * @param[out] appNames - list of application identifiers for the package * @exception DB::SqlConnection::Exception::InternalError on internal error */ - void GetAppIdsForPkgId (const std::string &pkgId, - std::vector &appIds); + void GetPkgApps(const std::string &pkgName, std::vector &appNames); + /** * Retrieve list of all apps excluding one specified (typically action originator) * * @param origApp - do not include specific application name in the list - * @param[out] apps - vector of appId describing installed 2.x apps, + * @param[out] apps - vector of application identifiers describing installed 2.x apps, * this parameter do not need to be empty, but * it is being overwritten during function call. * @exception DB::SqlConnection::Exception::InternalError on internal error */ - void GetTizen2XApps(const std::string& origApp, std::vector &apps); + void GetTizen2XApps(const std::string &origApp, std::vector &apps); /** * Retrieve list of all apps and packages excluding one specified (typically action originator) * * @param origApp - do not include specific application name in the list - * @param[out] apps - vector of appId describing installed 2.x apps, + * @param[out] apps - vector of app identifiers describing installed 2.x apps, * this parameter do not need to be empty, but * it is being overwritten during function call. - * @param[out] packages - vector of pkgId describing installed 2.x packages, + * @param[out] packages - vector of package identifiers describing installed 2.x packages, * this parameter do not need to be empty, but * it is being overwritten during function call. 
* @exception DB::SqlConnection::Exception::InternalError on internal error @@ -441,12 +438,12 @@ public: /* Retrive an id of an author from database * - * @param appId - application id - * @param[out] authorId - integer connected with author name + * @param appName[in] application identifier + * @param authorId[out] author id associated with the application, or -1 if no + * author was assigned during installation * @exception DB::SqlConnection::Exception::InternalError on internal error */ - void GetAuthorIdForAppId(const std::string &appId, - std::string &authorId); + void GetAppAuthorId(const std::string &appName, int &authorId); /** * Retrieve list of resource groups diff --git a/src/common/include/protocols.h b/src/common/include/protocols.h index 59a4540..940564b 100644 --- a/src/common/include/protocols.h +++ b/src/common/include/protocols.h @@ -33,13 +33,13 @@ #include struct app_inst_req { - std::string appId; - std::string pkgId; + std::string appName; + std::string pkgName; std::vector privileges; std::vector> appPaths; uid_t uid; std::string tizenVersion; - std::string authorId; + std::string authorName; }; struct user_req { @@ -48,8 +48,8 @@ struct user_req { }; struct private_sharing_req { - std::string ownerAppId; - std::string targetAppId; + std::string ownerAppName; + std::string targetAppName; std::vector paths; }; @@ -61,7 +61,7 @@ enum class SecurityModuleCall { APP_INSTALL, APP_UNINSTALL, - APP_GET_PKGID, + APP_GET_PKG_NAME, APP_GET_GROUPS, APP_APPLY_PRIVATE_SHARING, APP_DROP_PRIVATE_SHARING, 
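Review bot: The rewritten GetAppAuthorId comment uses `@param appName[in]` / `@param authorId[out]`, while the rest of this header writes the direction first (`@param[out] pkgName - ...`); ` * @param[in] appName application identifier` and ` * @param[out] authorId author id associated with the application, or -1 if none` would follow the file's convention. The block also still opens with `/*` (an unchanged line), so Doxygen does not pick up the new text at all; `/**` is what the neighbouring blocks use. The class continues outside the hunk.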
@@ -83,13 +83,13 @@ using namespace SecurityManager; struct policy_entry : ISerializable { std::string user; // uid converted to string - std::string appId; // application identifier + std::string appName; // application identifier std::string privilege; // Cynara privilege std::string currentLevel; // current level of privielege, or level asked to be set in privacy manager bucket std::string maxLevel; // holds read maximum policy status or status to be set in admin bucket policy_entry() : user(std::to_string(getuid())), - appId(SECURITY_MANAGER_ANY), + appName(SECURITY_MANAGER_ANY), privilege(SECURITY_MANAGER_ANY), currentLevel(""), maxLevel("") @@ -97,7 +97,7 @@ struct policy_entry : ISerializable { policy_entry(IStream &stream) { Deserialization::Deserialize(stream, user); - Deserialization::Deserialize(stream, appId); + Deserialization::Deserialize(stream, appName); Deserialization::Deserialize(stream, privilege); Deserialization::Deserialize(stream, currentLevel); Deserialization::Deserialize(stream, maxLevel); @@ -105,7 +105,7 @@ struct policy_entry : ISerializable { virtual void Serialize(IStream &stream) const { Serialization::Serialize(stream, - user, appId, privilege, currentLevel, maxLevel); + user, appName, privilege, currentLevel, maxLevel); } }; diff --git a/src/common/include/service_impl.h b/src/common/include/service_impl.h index 0ffcbcd..296fd83 100644 --- a/src/common/include/service_impl.h +++ b/src/common/include/service_impl.h @@ -47,8 +47,10 @@ private: static bool getZoneId(std::string &zoneId); - int dropOnePrivateSharing(const std::string &ownerAppId, const std::string &ownerPkgId, - const std::vector &ownerPkgContents, const std::string &targetAppId, + int dropOnePrivateSharing(const std::string &ownerAppName, + const std::string &ownerPkgName, + const std::vector &ownerPkgContents, + const std::string &targetAppName, const std::string &path); public: 
@@ -68,39 +70,39 @@ public: /** * Process application uninstallation request. * - * @param[in] req uninstallation request + * @param[in] appName application identifier * @param[in] uid id of the requesting user * * @return API return code, as defined in protocols.h */ - int appUninstall(const std::string &appId, uid_t uid); + int appUninstall(const std::string &appName, uid_t uid); /** * Process package id query. * Retrieves the package id associated with given application id. * - * @param[in] appId application identifier - * @param[out] pkgId returned package identifier + * @param[in] appName application identifier + * @param[out] pkgName returned package identifier * * @return API return code, as defined in protocols.h */ - int getPkgId(const std::string &appId, std::string &pkgId); + int getPkgName(const std::string &appName, std::string &pkgName); /** * Process query for supplementary groups allowed for the application. - * For given appId and uid, calculate allowed privileges that give + * For given \ref appName and \ref uid, calculate allowed privileges that give * direct access to file system resources. For each permission Cynara will be * queried. * Returns set of group ids that are permitted. * - * @param[in] appId application identifier + * @param[in] appName application identifier * @param[in] uid id of the requesting user * @param[in] pid id of the requesting process (to construct Cynara session id) * @param[out] gids returned set of allowed group ids * * @return API return code, as defined in protocols.h */ - int getAppGroups(const std::string &appId, uid_t uid, pid_t pid, std::unordered_set &gids); + int getAppGroups(const std::string &appName, uid_t uid, pid_t pid, std::unordered_set &gids); /** * Process user adding request. 
@@ -183,40 +185,40 @@ public: int policyGetGroups(std::vector &groups); /** - * Process checking application's privilege access based on app_id + * Process checking application's privilege access based on app_name * - * @param[in] appId application identifier + * @param[in] appName application identifier * @param[in] privilege privilege name * @param[in] uid user identifier * @param[out] result placeholder for check result * * @return API return code, as defined in protocols.h */ - int appHasPrivilege(std::string appId, std::string privilege, uid_t uid, bool &result); + int appHasPrivilege(std::string appName, std::string privilege, uid_t uid, bool &result); /** * Process applying private path sharing between applications. * - * @param[in] ownerAppId application owning paths - * @param[in] targetAppId application which paths will be shared with + * @param[in] ownerAppName application owning paths + * @param[in] targetAppName application which paths will be shared with * @param[in] paths vector of paths to be shared * * @return API return code, as defined in protocols.h */ - int applyPrivatePathSharing(const std::string &ownerAppId, - const std::string &targetAppId, + int applyPrivatePathSharing(const std::string &ownerAppName, + const std::string &targetAppName, const std::vector &paths); /** * Process droping private path sharing between applications. * - * @param[in] ownerAppId application owning paths - * @param[in] targetAppId application which paths won't be anymore shared with + * @param[in] ownerAppName application owning paths + * @param[in] targetAppName application which paths won't be anymore shared with * @param[in] paths vector of paths to be stopped being shared * @return API return code, as defined in protocols.h */ - int dropPrivatePathSharing(const std::string &ownerAppId, - const std::string &targetAppId, + int dropPrivatePathSharing(const std::string &ownerAppName, + const std::string &targetAppName, const std::vector &paths); }; 
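Review bot: `appHasPrivilege` keeps `std::string appName` and `std::string privilege` by value while the neighbouring declarations in this hunk (`applyPrivatePathSharing`, `dropPrivatePathSharing`) take `const std::string &`; since the line is already being edited, `int appHasPrivilege(const std::string &appName, const std::string &privilege, uid_t uid, bool &result);` would make the signatures consistent and save two copies per call (the definition in service_impl.cpp would need the same change). The class continues outside the hunk.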
diff --git a/src/common/include/smack-labels.h b/src/common/include/smack-labels.h index 2aa00ec..d9138d9 100644 --- a/src/common/include/smack-labels.h +++ b/src/common/include/smack-labels.h @@ -37,32 +37,32 @@ namespace SmackLabels { /** * Sets Smack labels on a directory and its contents, recursively. * - * @param pkgId[in] application's package identifier + * @param pkgName[in] application's package identifier * @param path[in] path to a file or directory to setup * @param pathType[in] type of path to setup. See description of * app_install_path_type in security-manager.h for details */ void setupPath( - const std::string &pkgId, + const std::string &pkgName, const std::string &path, app_install_path_type pathType, - const std::string &authorId = std::string()); + const int authorId = -1); /** * Sets Smack labels on a / non-recursively * - * @param pkgId[in] package identifier + * @param pkgName[in] package identifier * @param basePath[in] path */ -void setupAppBasePath(const std::string &pkgId, const std::string &basePath); +void setupAppBasePath(const std::string &pkgName, const std::string &basePath); /** * Changes Smack label on path to enable private sharing * - * @param pkgId[in] package identifier + * @param pkgName[in] package identifier * @param path[in] path */ -void setupSharedPrivatePath(const std::string &pkgId, const std::string &path); +void setupSharedPrivatePath(const std::string &pkgName, const std::string &path); /** * Generates application name for a label fetched from Cynara 
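Review bot: `setupPath` gains `const int authorId = -1` but its comment still documents only pkgName, path and pathType, so the sentinel is not part of the stated contract; add ` * @param authorId[in] numeric author identifier, or -1 when the package has no author`. Separately, top-level `const` on a by-value parameter in a declaration (`const int authorId`) is not part of the function type and only adds noise — `int authorId = -1` declares the same function; the same pattern appears in generateAuthorLabel below and in the smack-rules.h declarations later in this patch.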
@@ -73,46 +73,46 @@ void setupSharedPrivatePath(const std::string &pkgId, const std::string &path); std::string generateAppNameFromLabel(const std::string &label); /** - * Generates label for an application with an application ID read from @ref appId. + * Generates label for an application identifier * - * @param[in] appId application's identifier + * @param[in] appName application identifier * @return resulting Smack label */ -std::string generateAppLabel(const std::string &appId); +std::string generateAppLabel(const std::string &appName); /** - * Generates label for an application with an pkgId, specific + * Generates label for an application with @ref pkgName, specific * for folders that can be modified by owner and other apps can only read it. * - * @param[in] pkgId application's package identifier + * @param[in] pkgName application package identifier * @return resulting Smack label */ -std::string generatePkgLabelOwnerRWothersRO(const std::string &pkgId); +std::string generatePkgLabelOwnerRWothersRO(const std::string &pkgName); /** - * Generates label for an application with a package ID read from @ref pkgId. + * Generates label for a package identifier * - * @param[in] pkgId + * @param[in] pkgName package identifier * @return resulting Smack label */ -std::string generatePkgLabel(const std::string &pkgId); +std::string generatePkgLabel(const std::string &pkgName); /** - * Generates label for private application RO files with package ID @ref pkgId + * Generates label for private application RO files with package identifier @ref pkgName * - * @param[in] pkgId + * @param[in] pkgName package identifier * @return resulting Smack label */ -std::string generatePkgROLabel(const std::string &pkgId); +std::string generatePkgROLabel(const std::string &pkgName); /** * Generates unique label per path for private path sharing. 
* - * @param[in] pkgId + * @param[in] pkgName * @param[in] path * @return resulting Smack label */ -std::string generateSharedPrivateLabel(const std::string &pkgId, const std::string &path); +std::string generateSharedPrivateLabel(const std::string &pkgName, const std::string &path); /* * Generates label for trusted paths. Trusted paths are paths where all application @@ -121,7 +121,7 @@ std::string generateSharedPrivateLabel(const std::string &pkgId, const std::stri * @param[in] authorId * @return resulting Smack label */ -std::string generateAuthorLabel(const std::string &authorId); +std::string generateAuthorLabel(const int authorId); /** * Returns smack label for given socket diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h index bd9c22f..39ef0ef 100644 --- a/src/common/include/smack-rules.h +++ b/src/common/include/smack-rules.h @@ -50,15 +50,15 @@ public: void addFromTemplate( const RuleVector &templateRules, - const std::string &appId, - const std::string &pkgId, - const std::string &authorId); + const std::string &appName, + const std::string &pkgName, + const int authorId); void addFromTemplateFile( const std::string &templatePath, - const std::string &appId, - const std::string &pkgId, - const std::string &authorId); + const std::string &appName, + const std::string &pkgName, + const int authorId); void apply() const; void clear() const; @@ -77,11 +77,11 @@ public: /** * Create cross dependencies for all other 2.X applications * - * @param[in] pkgId - installed package id to access it's shared dir + * @param[in] pkgName - installed package identifier to access it's shared dir * @param[in] other2XApps - list of 2.x apps to grant access */ void generateAllowOther2XApplicationDeps( - const std::string pkgId, + const std::string pkgName, const std::vector &other2XApps); /** 
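Review bot: `generateAuthorLabel(const int authorId)` now takes the same `int` that the rest of this patch uses with -1 meaning "no author", but neither the declaration nor its comment says what happens for -1; if the implementation (not in this chunk) just formats the number, a caller that skips the check would obtain a Smack label for an author that does not exist and could write rules for it. State the precondition, e.g. ` * @param[in] authorId numeric author identifier; must be a valid id, never -1`, or have the implementation reject negative ids.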
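Review bot: `generateAllowOther2XApplicationDeps` still takes `const std::string pkgName` by value (a const copy) while every other declaration in this header passes names as `const std::string &`; since the line is being rewritten, `const std::string &pkgName,` is the consistent form. `generateAppToOtherPackagesDeps(const std::string appName, ...)` in the last hunk of this file has the same shape. The class continues outside the hunk.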
@@ -90,17 +90,17 @@ public: * Function creates smack rules using predefined template. Rules are applied * to the kernel and saved on persistent storage so they are loaded on system boot. * - * @param[in] appId - application id that is beeing installed - * @param[in] pkgId - package id that the application is in + * @param[in] appName - application identifier + * @param[in] pkgName - package identifier * @param[in] authorId - author id of application * @param[in] pkgContents - list of all applications in the package * @param[in] appsGranted - list of 2.x apps granted access * @param[in] accessPackages - list of 2.x packages to be accessed */ static void installApplicationRules( - const std::string &appId, - const std::string &pkgId, - const std::string &authorId, + const std::string &appName, + const std::string &pkgName, + const int authorId, const std::vector &pkgContents, const std::vector &appsGranted, const std::vector &accessPackages); @@ -111,13 +111,9 @@ public: * Function loads package-specific smack rules, revokes them from the kernel * and removes them from the persistent storage. * - * @param[in] pkgId - package identifier + * @param[in] pkgName - package identifier */ - static void uninstallPackageRules(const std::string &pkgId); - - /* FIXME: Remove this function if real pkgId instead of "User" label will be used - * in generateAppLabel(). */ - static void addMissingRulesFix(); + static void uninstallPackageRules(const std::string &pkgName); /** * Uninstall application-specific smack rules. @@ -125,9 +121,9 @@ public: * Function removes application specific rules from the kernel, and * removes them for persistent storage. * - * @param[in] appId - application id + * @param[in] appName - application identifier */ - static void uninstallApplicationRules(const std::string &appId); + static void uninstallApplicationRules(const std::string &appName); /** * Update package specific rules 
@@ -136,12 +132,12 @@ public: * need to exist currently for all application in that * package * - * @param[in] pkgId - package id that the application is in + * @param[in] pkgName - package identifier that the application is in * @param[in] pkgContents - list of all applications in the package * @param[in] appsGranted - list of 2.x apps granted access */ static void updatePackageRules( - const std::string &pkgId, + const std::string &pkgName, const std::vector &pkgContents, const std::vector &appsGranted); @@ -150,7 +146,7 @@ public: * * param[in] authorId - identification (datbase key) of the author */ - static void uninstallAuthorRules(const std::string &authorId); + static void uninstallAuthorRules(const int authorId); /** * Add rules related to private path sharing rules @@ -159,18 +155,18 @@ public: * If isPathSharedAlready, no rule for owner, User or System to path label will be applied. * If isTargetSharingAlready, no rule for directory traversing is set for target. * - * @param[in] ownerAppId - package id of path owner + * @param[in] ownerPkgName - package identifier of path owner * @param[in] ownerPkgContents - vector of application ids contained in package which owner * application belongs to - * @param[in] targetAppId - id of the target application + * @param[in] targetAppName - application identifier of the target application * @param[in] pathLabel - a list of all applications in the package * @param[in] isPathSharedAlready - flag indicated, if path has been shared before * @param[in] isTargetSharingAlready - flag indicated, if target is already sharing anything * with owner */ - static void applyPrivateSharingRules(const std::string &ownerPkgId, + static void applyPrivateSharingRules(const std::string &ownerPkgName, const std::vector &ownerPkgContents, - const std::string &targetAppId, + const std::string &targetAppName, const std::string &pathLabel, bool isPathSharedAlready, bool isTargetSharingAlready); 
@@ -182,52 +178,52 @@ public: * be removed. * If isTargetSharingNoMore, rule for directory traversing is removed for target. * - * @param[in] ownerAppId - package id of path owner + * @param[in] ownerPkgName - package identifier of path owner * @param[in] ownerPkgContents - vector of application ids contained in package which owner * application belongs to - * @param[in] targetAppId - id of the target application + * @param[in] targetAppName - application identifier of the target application * @param[in] pathLabel - a list of all applications in the package * @param[in] isPathSharedNoMore - flag indicated, if path is not shared anymore * @param[in] isTargetSharingNoMore - flag indicated, if target is not sharing anything * with owner */ - static void dropPrivateSharingRules(const std::string &ownerPkgId, + static void dropPrivateSharingRules(const std::string &ownerPkgName, const std::vector &ownerPkgContents, - const std::string &targetAppId, + const std::string &targetAppName, const std::string &pathLabel, bool isPathSharedNoMore, bool isTargetSharingNoMore); - static void updatePackageRules(const std::string &pkgId, const std::vector &pkgContents); + static void updatePackageRules(const std::string &pkgName, const std::vector &pkgContents); private: static void useTemplate( const std::string &templatePath, const std::string &outputPath, - const std::string &appId, - const std::string &pkgId, - const std::string &authorId); + const std::string &appName, + const std::string &pkgName, + const int authorId = -1); /** * Create a path for package rules * */ - static std::string getPackageRulesFilePath(const std::string &pkgId); + static std::string getPackageRulesFilePath(const std::string &pkgName); /** * Create a path for application rules */ - static std::string getApplicationRulesFilePath(const std::string &appId); + static std::string getApplicationRulesFilePath(const std::string &appName); /** * Create a path for application rules */ - static std::string 
getPkgRulesFilePath(const std::string &pkgId); + static std::string getPkgRulesFilePath(const std::string &pkgName); /** * Create a path for author rules */ - static std::string getAuthorRulesFilePath(const std::string &authorId); + static std::string getAuthorRulesFilePath(int authorId); /** * Uninstall rules inside a specified file path @@ -237,16 +233,16 @@ private: * * @param[in] path - path to the file that contains the rules */ - static void uninstallRules (const std::string &path); + static void uninstallRules(const std::string &path); /** * Allow application to access other packages shared directory. * - * @param[in] path - path to the file that contains the rules + * @param[in] appName - application identifier * @param[in] other2XPackages - list of 2.x packages to be accessed */ static void generateAppToOtherPackagesDeps( - const std::string appId, + const std::string appName, const std::vector &other2XPackages); /** diff --git a/src/common/privilege_db.cpp b/src/common/privilege_db.cpp index 6aa19a0..88b1abc 100644 --- a/src/common/privilege_db.cpp +++ b/src/common/privilege_db.cpp 
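Review bot: `generateAppToOtherPackagesDeps(const std::string appName, ...)` in the `@@ -237,16` hunk still takes the string by value while every other declaration touched by this patch takes `const std::string &`; the rename was the moment to fix it, `const std::string &appName,`. In the `@@ -182,52` hunk, `useTemplate(..., const int authorId = -1)` introduces a default argument on a private helper whose meaning (-1 = no author) is not written anywhere in the header; a one-line comment on that parameter, ` /* -1 when the application has no author */`, would make the sentinel visible to whoever next edits the rule templates. The `const` on that parameter is also redundant in a declaration, as noted for `uninstallAuthorRules` above.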
@@ -127,105 +127,107 @@ void PrivilegeDb::RollbackTransaction(void) }); } -bool PrivilegeDb::PkgIdExists(const std::string &pkgId) +bool PrivilegeDb::PkgNameExists(const std::string &pkgName) { return try_catch([&] { - auto command = getStatement(StmtType::EPkgIdExists); - command->BindString(1, pkgId); - return command->Step(); + auto command = getStatement(StmtType::EPkgNameExists); + int cnt = 0; + + command->BindString(1, pkgName); + if (command->Step()) + cnt = command->GetColumnInteger(0); + + LogDebug("PkgName " << pkgName << " found in " << cnt << " entries in db"); + + return (cnt > 0); }); } -bool PrivilegeDb::AppIdExists(const std::string &appId) +bool PrivilegeDb::AppNameExists(const std::string &appName) { return try_catch([&] { - auto command = getStatement(StmtType::EAppIdExists); - command->BindString(1, appId); - return command->Step(); + auto command = getStatement(StmtType::EAppNameExists); + int cnt = 0; + + command->BindString(1, appName); + if (command->Step()) + cnt = command->GetColumnInteger(0); + + LogDebug("AppName " << appName << " found in " << cnt << " entries in db"); + + return (cnt > 0); }); } -bool PrivilegeDb::GetAppPkgId(const std::string &appId, std::string &pkgId) +void PrivilegeDb::GetAppPkgName(const std::string &appName, std::string &pkgName) { - return try_catch([&] { - auto command = getStatement(StmtType::EGetPkgId); - command->BindString(1, appId); + return try_catch([&] { + pkgName.clear(); - if (!command->Step()) { - // No application with such appId - return false; - } - - // application package found in the database, get it - pkgId = command->GetColumnString(0); + auto command = getStatement(StmtType::EGetAppPkgName); + command->BindString(1, appName); - return true; + if (command->Step()) + pkgName = command->GetColumnString(0); }); } -bool PrivilegeDb::GetAppPkgIdAndVer(const std::string &appId, std::string &pkgId, std::string &tizenVer) +void PrivilegeDb::GetAppVersion(const std::string &appName, std::string 
&tizenVer) { - return try_catch([&] { - auto command = getStatement(StmtType::EGetPkgIdAndVer); - command->BindString(1, appId); + return try_catch([&] { + tizenVer.clear(); - if (!command->Step()) { - // No application with such appId - return false; - } - - // application package found in the database, get it - pkgId = command->GetColumnString(0); - tizenVer = command->GetColumnString(1); + auto command = getStatement(StmtType::EGetAppVersion); + command->BindString(1, appName); - return true; + if (command->Step()) + tizenVer = command->GetColumnString(0); }); } void PrivilegeDb::AddApplication( - const std::string &appId, - const std::string &pkgId, + const std::string &appName, + const std::string &pkgName, uid_t uid, const std::string &targetTizenVer, - const std::string &authorId) + const std::string &authorName) { try_catch([&] { auto command = getStatement(StmtType::EAddApplication); - command->BindString(1, appId); - command->BindString(2, pkgId); + command->BindString(1, appName); + command->BindString(2, pkgName); command->BindInteger(3, static_cast(uid)); command->BindString(4, targetTizenVer); - authorId.empty() ? command->BindNull(5) : command->BindString(5, authorId); + authorName.empty() ? 
command->BindNull(5) : command->BindString(5, authorName); if (command->Step()) { LogDebug("Unexpected SQLITE_ROW answer to query: " << Queries.at(StmtType::EAddApplication)); }; - LogDebug("Added appId: " << appId << ", pkgId: " << pkgId); + LogDebug("Added appName: " << appName << ", pkgName: " << pkgName); }); } void PrivilegeDb::RemoveApplication( - const std::string &appId, + const std::string &appName, uid_t uid, - bool &appIdIsNoMore, - bool &pkgIdIsNoMore, - bool &authorIdIsNoMore) + bool &appNameIsNoMore, + bool &pkgNameIsNoMore, + bool &authorNameIsNoMore) { try_catch([&] { - std::string pkgId; - std::string authorId; - if (!GetAppPkgId(appId, pkgId)) { - pkgIdIsNoMore = false; + if (!AppNameExists(appName)) return; - } - authorIdIsNoMore = false; - GetAuthorIdForAppId(appId, authorId); + std::string pkgName; + GetAppPkgName(appName, pkgName); + + int authorId; + GetAppAuthorId(appName, authorId); auto command = getStatement(StmtType::ERemoveApplication); - command->BindString(1, appId); + command->BindString(1, appName); command->BindInteger(2, static_cast(uid)); if (command->Step()) { @@ -233,18 +235,16 @@ void PrivilegeDb::RemoveApplication( Queries.at(StmtType::ERemoveApplication)); }; - LogDebug("Removed appId: " << appId); - - appIdIsNoMore = !(this->AppIdExists(appId)); - pkgIdIsNoMore = !(this->PkgIdExists(pkgId)); + LogDebug("Removed appName: " << appName); - if (!authorId.empty()) { - authorIdIsNoMore = !(this->AuthorIdExists(authorId)); - } + appNameIsNoMore = !(AppNameExists(appName)); + pkgNameIsNoMore = !(PkgNameExists(pkgName)); + authorNameIsNoMore = !(AuthorIdExists(authorId)); }); } -void PrivilegeDb::GetPathSharingCount(const std::string &path, int &count) { +void PrivilegeDb::GetPathSharingCount(const std::string &path, int &count) +{ try_catch([&] { auto command = getStatement(StmtType::EGetPathSharedCount); command->BindString(1, path); 
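Review bot: The new early exit in `RemoveApplication`, `if (!AppNameExists(appName)) return;`, leaves all three out-parameters (`appNameIsNoMore`, `pkgNameIsNoMore`, `authorNameIsNoMore`) unassigned, whereas the removed code at least set `pkgIdIsNoMore = false` and `authorIdIsNoMore = false` on that path. The only visible caller (`appUninstall`) initialises its flags to `false` before the call, so this is latent today, but the function's contract should not depend on caller initialisation. Assign them before returning: `appNameIsNoMore = false; pkgNameIsNoMore = false; authorNameIsNoMore = false;`. The function body continues into the next hunk.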
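Review bot: `authorNameIsNoMore = !(AuthorIdExists(authorId));` in the `@@ -233,18` hunk reports `true` for an application that never had an author: `GetAppAuthorId` sets `authorId = -1` in that case, `AuthorIdExists(-1)` counts no rows, and the negation yields `true`, while the removed code left the flag `false` unless an author id was present. The service-side hunk in service_impl.cpp (`@@ -458,48`) compensates with `if (authorId != -1 && removeAuthor)`, but the flag itself is what other callers will trust. Keep the old semantics at the source: `authorNameIsNoMore = (authorId != -1) && !AuthorIdExists(authorId);`. The parameter is also still called `authorNameIsNoMore` although it is now derived from the integer id, which is worth aligning with the rest of the rename.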
@@ -253,38 +253,41 @@ void PrivilegeDb::GetPathSharingCount(const std::string &path, int &count) { count = command->GetColumnInteger(0); }); } -void PrivilegeDb::GetOwnerTargetSharingCount(const std::string &ownerAppId, const std::string &targetAppId, - int &count) + +void PrivilegeDb::GetOwnerTargetSharingCount(const std::string &ownerAppName, + const std::string &targetAppName, int &count) { try_catch([&] { auto command = getStatement(StmtType::EGetOwnerTargetSharedCount); - command->BindString(1, ownerAppId); - command->BindString(2, targetAppId); + command->BindString(1, ownerAppName); + command->BindString(2, targetAppName); command->Step(); count = command->GetColumnInteger(0); }); } -void PrivilegeDb::GetTargetPathSharingCount(const std::string &targetAppId, - const std::string &path, - int &count) + +void PrivilegeDb::GetTargetPathSharingCount(const std::string &targetAppName, + const std::string &path, int &count) { try_catch([&] { auto command = getStatement(StmtType::EGetTargetPathSharedCount); - command->BindString(1, targetAppId); + command->BindString(1, targetAppName); command->BindString(2, path); command->Step(); count = command->GetColumnInteger(0); }); } -void PrivilegeDb::ApplyPrivateSharing(const std::string &ownerAppId, const std::string &targetAppId, - const std::string &path, const std::string &pathLabel) + +void PrivilegeDb::ApplyPrivateSharing(const std::string &ownerAppName, + const std::string &targetAppName, const std::string &path, + const std::string &pathLabel) { try_catch([&] { auto command = getStatement(StmtType::EAddPrivatePathSharing); - command->BindString(1, ownerAppId); - command->BindString(2, targetAppId); + command->BindString(1, ownerAppName); + command->BindString(2, targetAppName); command->BindString(3, path); command->BindString(4, pathLabel); 
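Review bot: `GetOwnerTargetSharingCount` and `GetTargetPathSharingCount` still call `command->Step();` and then read `GetColumnInteger(0)` unconditionally, while the rewritten `PkgNameExists`/`AppNameExists` earlier in this file check Step's result before reading the column. For a COUNT-style query Step presumably always yields one row, so this is likely harmless, but the two styles now coexist in one file and the reformatting of these signatures was the moment to align them. A one-line form keeps `count` defined on every path: `count = command->Step() ? command->GetColumnInteger(0) : 0;`.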
@@ -292,13 +295,13 @@ void PrivilegeDb::ApplyPrivateSharing(const std::string &ownerAppId, const std:: }); } -void PrivilegeDb::DropPrivateSharing(const std::string &ownerAppId, const std::string &targetAppId, - const std::string &path) +void PrivilegeDb::DropPrivateSharing(const std::string &ownerAppName, + const std::string &targetAppName, const std::string &path) { try_catch([&] { auto command = getStatement(StmtType::ERemovePrivatePathSharing); - command->BindString(1, ownerAppId); - command->BindString(2, targetAppId); + command->BindString(1, ownerAppName); + command->BindString(2, targetAppName); command->BindString(3, path); command->Step(); @@ -330,12 +333,12 @@ void PrivilegeDb::ClearPrivateSharing() { }); } -void PrivilegeDb::GetPkgPrivileges(const std::string &pkgId, uid_t uid, +void PrivilegeDb::GetPkgPrivileges(const std::string &pkgName, uid_t uid, std::vector ¤tPrivileges) { try_catch([&] { auto command = getStatement(StmtType::EGetPkgPrivileges); - command->BindString(1, pkgId); + command->BindString(1, pkgName); command->BindInteger(2, static_cast(uid)); while (command->Step()) { @@ -346,13 +349,13 @@ void PrivilegeDb::GetPkgPrivileges(const std::string &pkgId, uid_t uid, }); } -void PrivilegeDb::GetAppPrivileges(const std::string &appId, uid_t uid, +void PrivilegeDb::GetAppPrivileges(const std::string &appName, uid_t uid, std::vector ¤tPrivileges) { try_catch([&] { auto command = getStatement(StmtType::EGetAppPrivileges); - command->BindString(1, appId); + command->BindString(1, appName); command->BindInteger(2, static_cast(uid)); currentPrivileges.clear(); 
@@ -364,36 +367,36 @@ void PrivilegeDb::GetAppPrivileges(const std::string &appId, uid_t uid, }); } -void PrivilegeDb::RemoveAppPrivileges(const std::string &appId, uid_t uid) +void PrivilegeDb::RemoveAppPrivileges(const std::string &appName, uid_t uid) { try_catch([&] { auto command = getStatement(StmtType::ERemoveAppPrivileges); - command->BindString(1, appId); + command->BindString(1, appName); command->BindInteger(2, static_cast(uid)); if (command->Step()) { LogDebug("Unexpected SQLITE_ROW answer to query: " << Queries.at(StmtType::ERemoveAppPrivileges)); } - LogDebug("Removed all privileges for appId: " << appId); + LogDebug("Removed all privileges for appName: " << appName); }); } -void PrivilegeDb::UpdateAppPrivileges(const std::string &appId, uid_t uid, +void PrivilegeDb::UpdateAppPrivileges(const std::string &appName, uid_t uid, const std::vector &privileges) { try_catch([&] { auto command = getStatement(StmtType::EAddAppPrivileges); - command->BindString(1, appId); + command->BindString(1, appName); command->BindInteger(2, static_cast(uid)); - RemoveAppPrivileges(appId, uid); + RemoveAppPrivileges(appName, uid); for (const auto &privilege : privileges) { command->BindString(3, privilege); command->Step(); command->Reset(); - LogDebug("Added privilege: " << privilege << " to appId: " << appId); + LogDebug("Added privilege: " << privilege << " to appName: " << appName); } }); } 
@@ -469,55 +472,52 @@ void PrivilegeDb::GetTizen2XAppsAndPackages(const std::string& origApp, }); } -void PrivilegeDb::GetAppIdsForPkgId(const std::string &pkgId, - std::vector &appIds) +void PrivilegeDb::GetPkgApps(const std::string &pkgName, + std::vector &appNames) { try_catch([&] { auto command = getStatement(StmtType::EGetAppsInPkg); - command->BindString(1, pkgId); - appIds.clear(); + command->BindString(1, pkgName); + appNames.clear(); while (command->Step()) { - std::string appId = command->GetColumnString (0); - LogDebug ("Got appid: " << appId << " for pkgId " << pkgId); - appIds.push_back(appId); + std::string appName = command->GetColumnString(0); + LogDebug ("Got appName: " << appName << " for pkgName " << pkgName); + appNames.push_back(appName); }; }); } -void PrivilegeDb::GetAuthorIdForAppId(const std::string &appId, - std::string &authorId) +void PrivilegeDb::GetAppAuthorId(const std::string &appName, int &authorId) { try_catch([&] { - authorId.clear(); - auto command = getStatement(StmtType::EGetAuthorIdAppId); + auto command = getStatement(StmtType::EGetAppAuthorId); - command->BindString(1, appId); + command->BindString(1, appName); if (command->Step()) { - authorId = command->GetColumnString(0); - LogDebug("Got authorid: " << authorId << " for appId " << appId); + authorId = command->GetColumnInteger(0); + LogDebug("Got authorid: " << authorId << " for appName " << appName); } else { - LogDebug("No authorid found for appId " << appId); + authorId = -1; + LogDebug("No authorid found for appName " << appName); } }); } -bool PrivilegeDb::AuthorIdExists(const std::string &authorId) { +bool PrivilegeDb::AuthorIdExists(int authorId) +{ return try_catch([&]() -> bool { - int result = 0; + auto command = getStatement(StmtType::EAuthorIdExists); + int cnt = 0; - if (authorId.empty()) - return false; + command->BindInteger(1, authorId); + if (command->Step()) + cnt = command->GetColumnInteger(0); - auto command = getStatement(StmtType::EAuthorIdExists); + 
LogDebug("AuthorId " << authorId << " found in " << cnt << " entries in db"); - command->BindInteger(1, std::atoi(authorId.c_str())); - if (command->Step()) { - result = command->GetColumnInteger(0); - } - LogDebug("For author: " << authorId << " found " << result << " rows"); - return result; + return (cnt > 0); }); } diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp index 3678259..a9a624e 100644 --- a/src/common/service_impl.cpp +++ b/src/common/service_impl.cpp @@ -55,7 +55,7 @@ namespace { static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, bool &forAdmin, CynaraAdminPolicy &cyap) { LogDebug("Authenticating and validating policy update request for user with id: " << uidStr); - LogDebug("[policy_entry] app: " << policyEntry.appId + LogDebug("[policy_entry] app: " << policyEntry.appName << " user: " << policyEntry.user << " privilege: " << policyEntry.privilege << " current: " << policyEntry.currentLevel @@ -68,7 +68,7 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, int level; if (policyEntry.currentLevel.empty()) { //for admin - if (policyEntry.appId.empty() + if (policyEntry.appName.empty() || policyEntry.privilege.empty()) { LogError("Bad admin update request"); return SECURITY_MANAGER_ERROR_BAD_REQUEST; @@ -88,9 +88,9 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, } else if (policyEntry.maxLevel.empty()) { //for self if (policyEntry.user.compare(uidStr) - || !policyEntry.appId.compare(SECURITY_MANAGER_ANY) + || !policyEntry.appName.compare(SECURITY_MANAGER_ANY) || !policyEntry.privilege.compare(SECURITY_MANAGER_ANY) - || policyEntry.appId.empty() + || policyEntry.appName.empty() || policyEntry.privilege.empty()) { LogError("Bad privacy manager update request"); return SECURITY_MANAGER_ERROR_BAD_REQUEST; 
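Review bot: `GetAppAuthorId` now writes the sentinel `authorId = -1` when no row is found, and both `RemoveApplication` in this file and `appUninstall`/`appInstall` in service_impl.cpp branch on that value, but nothing in the function documents it. Add a comment above the `else` branch such as `// -1 marks "no author"; callers test for it before touching author rules`, and mirror it in the header declaration so the contract survives the next refactor. Minor: `LogDebug ("Got appName: ...` in `GetPkgApps` keeps the stray space before the parenthesis that the surrounding code does not use.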
@@ -118,8 +118,8 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, policyEntry.privilege = CYNARA_ADMIN_WILDCARD; cyap = std::move(CynaraAdminPolicy( - policyEntry.appId.compare(SECURITY_MANAGER_ANY) ? - SmackLabels::generateAppLabel(policyEntry.appId) : CYNARA_ADMIN_WILDCARD, + policyEntry.appName.compare(SECURITY_MANAGER_ANY) ? + SmackLabels::generateAppLabel(policyEntry.appName) : CYNARA_ADMIN_WILDCARD, policyEntry.user, policyEntry.privilege, level, @@ -255,7 +255,7 @@ bool ServiceImpl::installRequestAuthCheck(const app_inst_req &req, uid_t uid, st appPath = userAppDir; correctPath.clear(); - correctPath << userAppDir << "/" << req.pkgId; + correctPath << userAppDir << "/" << req.pkgName; LogDebug("correctPath: " << correctPath.str()); for (const auto &path : req.appPaths) { @@ -286,9 +286,7 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid) std::string appLabel; std::string pkgLabel; std::vector allTizen2XApps, allTizen2XPackages; - std::string authorId; - // authorId contains id from database. It's not equal to value in request. - // IMHO the id in request should be called authorName not authorId... + int authorId; if (uid) { if (uid != req.uid) { 
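Review bot: `int authorId;` in the `@@ -286,9` hunk of `appInstall` is left uninitialised and is only assigned inside the later `try` block by `GetAppAuthorId`, yet it is passed to `SmackLabels::setupPath` and `SmackRules::installApplicationRules` from a second `try` block; whether every exception path between the two is caught cannot be confirmed from this hunk. Initialising it to the sentinel the rest of the patch uses, `int authorId = -1;`, costs nothing and removes the indeterminate-value risk. The same applies to `int authorId;` in `appUninstall` (`@@ -393,50`), where the value is read by `if (authorId != -1 && removeAuthor)` after the `try` block. The enclosing function continues outside this hunk.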
@@ -308,35 +306,34 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid) } try { - appLabel = SmackLabels::generateAppLabel(req.appId); + appLabel = SmackLabels::generateAppLabel(req.appName); - /* NOTE: we don't use pkgLabel here, but generate it for pkgId validation */ - pkgLabel = SmackLabels::generatePkgLabel(req.pkgId); - LogDebug("Install parameters: appId: " << req.appId << ", pkgId: " << req.pkgId + /* NOTE: we don't use pkgLabel here, but generate it for pkgName validation */ + pkgLabel = SmackLabels::generatePkgLabel(req.pkgName); + LogDebug("Install parameters: appName: " << req.appName << ", pkgName: " << req.pkgName << ", uidstr " << uidstr << ", app label: " << appLabel << ", pkg label: " << pkgLabel << ", target Tizen API ver: " << (req.tizenVersion.empty()?"unknown":req.tizenVersion)); PrivilegeDb::getInstance().BeginTransaction(); std::string pkg; - bool ret = PrivilegeDb::getInstance().GetAppPkgId(req.appId, pkg); - if (ret == true && pkg != req.pkgId) { - LogError("Application already installed with different package id"); + PrivilegeDb::getInstance().GetAppPkgName(req.appName, pkg); + if (!pkg.empty() && pkg != req.pkgName) { + LogError("Application already installed with different package name"); PrivilegeDb::getInstance().RollbackTransaction(); return SECURITY_MANAGER_ERROR_INPUT_PARAM; } - PrivilegeDb::getInstance().AddApplication(req.appId, req.pkgId, uid, req.tizenVersion, req.authorId); - PrivilegeDb::getInstance().UpdateAppPrivileges(req.appId, uid, req.privileges); + PrivilegeDb::getInstance().AddApplication(req.appName, req.pkgName, uid, req.tizenVersion, req.authorName); + PrivilegeDb::getInstance().UpdateAppPrivileges(req.appName, uid, req.privileges); /* Get all application ids in the package to generate rules withing the package */ - PrivilegeDb::getInstance().GetAppIdsForPkgId(req.pkgId, pkgContents); - PrivilegeDb::getInstance().GetAuthorIdForAppId(req.appId, authorId); - + 
PrivilegeDb::getInstance().GetPkgApps(req.pkgName, pkgContents); + PrivilegeDb::getInstance().GetAppAuthorId(req.appName, authorId); CynaraAdmin::getInstance().UpdateAppPolicy(appLabel, uidstr, req.privileges); // if app is targetted to Tizen 2.X, give other 2.X apps RO rules to it's shared dir if(isTizen2XVersion(req.tizenVersion)) - PrivilegeDb::getInstance().GetTizen2XAppsAndPackages(req.appId, allTizen2XApps, allTizen2XPackages); + PrivilegeDb::getInstance().GetTizen2XAppsAndPackages(req.appName, allTizen2XApps, allTizen2XPackages); // WTF? Why this commit is here? Shouldn't it be at the end of this function? PrivilegeDb::getInstance().CommitTransaction(); @@ -364,18 +361,18 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid) try { if (!req.appPaths.empty()) - SmackLabels::setupAppBasePath(req.pkgId, appPath); + SmackLabels::setupAppBasePath(req.pkgName, appPath); // register paths for (const auto &appPath : req.appPaths) { const std::string &path = appPath.first; app_install_path_type pathType = static_cast(appPath.second); - SmackLabels::setupPath(req.pkgId, path, pathType, authorId); + SmackLabels::setupPath(req.pkgName, path, pathType, authorId); } - LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: " - << req.pkgId << ". Applications in package: " << pkgContents.size()); - SmackRules::installApplicationRules(req.appId, req.pkgId, authorId, pkgContents, allTizen2XApps, allTizen2XPackages); + LogDebug("Adding Smack rules for new appName: " << req.appName << " with pkgName: " + << req.pkgName << ". Applications in package: " << pkgContents.size()); + SmackRules::installApplicationRules(req.appName, req.pkgName, authorId, pkgContents, allTizen2XApps, allTizen2XPackages); } catch (const SmackException::InvalidParam &e) { LogError("Invalid paramater during labeling: " << e.GetMessage()); return SECURITY_MANAGER_ERROR_INPUT_PARAM; 
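Review bot: The "already installed with different package" check in `appInstall` now infers "application exists" from `!pkg.empty()` after `GetAppPkgName`, replacing the explicit boolean the old `GetAppPkgId` returned; the same empty-string convention is relied on in `appUninstall`, `getPkgName` and `getAppGroups`. That is fine as long as the schema never stores an empty package name (not visible here), but the convention deserves a comment at the first use: `// GetAppPkgName clears pkg when appName is not in the database`. Documenting it on `GetAppPkgName` in the header would cover the other three callers at once.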
@@ -393,50 +390,52 @@ int ServiceImpl::appInstall(const app_inst_req &req, uid_t uid) return SECURITY_MANAGER_SUCCESS; } -int ServiceImpl::appUninstall(const std::string &appId, uid_t uid) +int ServiceImpl::appUninstall(const std::string &appName, uid_t uid) { - std::string pkgId; + std::string pkgName; std::string tizenVersion; std::string smackLabel; std::vector pkgContents; - bool appExists = true; bool removeApp = false; bool removePkg = false; bool removeAuthor = false; std::string uidstr; std::vector allTizen2XApps; + int authorId; + checkGlobalUser(uid, uidstr); - std::string authorId; try { PrivilegeDb::getInstance().BeginTransaction(); - if (!PrivilegeDb::getInstance().GetAppPkgIdAndVer(appId, pkgId, tizenVersion)) { - LogWarning("Application " << appId << + PrivilegeDb::getInstance().GetAppPkgName(appName, pkgName); + if (pkgName.empty()) { + LogWarning("Application " << appName << " not found in database while uninstalling"); PrivilegeDb::getInstance().RollbackTransaction(); - appExists = false; - } else { - smackLabel = SmackLabels::generateAppLabel(appId); - LogDebug("Uninstall parameters: appId: " << appId << ", pkgId: " << pkgId - << ", uidstr " << uidstr << ", generated smack label: " << smackLabel); - - /* Before we remove the app from the database, let's fetch all apps in the package - that this app belongs to, this will allow us to remove all rules withing the - package that the app appears in */ - PrivilegeDb::getInstance().GetAuthorIdForAppId(appId, authorId); - PrivilegeDb::getInstance().GetAppIdsForPkgId(pkgId, pkgContents); - PrivilegeDb::getInstance().UpdateAppPrivileges(appId, uid, std::vector()); - PrivilegeDb::getInstance().RemoveApplication(appId, uid, removeApp, removePkg, removeAuthor); - - // if uninstalled app is targetted to Tizen 2.X, remove other 2.X apps RO rules it's shared dir - if(isTizen2XVersion(tizenVersion)) - PrivilegeDb::getInstance().GetTizen2XApps(appId, allTizen2XApps); - - 
CynaraAdmin::getInstance().UpdateAppPolicy(smackLabel, uidstr, std::vector()); - - PrivilegeDb::getInstance().CommitTransaction(); - LogDebug("Application uninstallation commited to database"); + return SECURITY_MANAGER_SUCCESS; } + + smackLabel = SmackLabels::generateAppLabel(appName); + LogDebug("Uninstall parameters: appName: " << appName << ", pkgName: " << pkgName + << ", uidstr " << uidstr << ", generated smack label: " << smackLabel); + + /* Before we remove the app from the database, let's fetch all apps in the package + that this app belongs to, this will allow us to remove all rules withing the + package that the app appears in */ + PrivilegeDb::getInstance().GetAppAuthorId(appName, authorId); + PrivilegeDb::getInstance().GetPkgApps(pkgName, pkgContents); + PrivilegeDb::getInstance().UpdateAppPrivileges(appName, uid, std::vector()); + PrivilegeDb::getInstance().RemoveApplication(appName, uid, removeApp, removePkg, removeAuthor); + + // if uninstalled app is targetted to Tizen 2.X, remove other 2.X apps RO rules it's shared dir + PrivilegeDb::getInstance().GetAppVersion(appName, tizenVersion); + if (isTizen2XVersion(tizenVersion)) + PrivilegeDb::getInstance().GetTizen2XApps(appName, allTizen2XApps); + + CynaraAdmin::getInstance().UpdateAppPolicy(smackLabel, uidstr, std::vector()); + + PrivilegeDb::getInstance().CommitTransaction(); + LogDebug("Application uninstallation commited to database"); } catch (const PrivilegeDb::Exception::IOError &e) { LogError("Cannot access application database: " << e.DumpToString()); return SECURITY_MANAGER_ERROR_SERVER_ERROR; 
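Review bot: `GetAppVersion(appName, tizenVersion)` is called after `RemoveApplication(appName, uid, ...)` in the rewritten `appUninstall`, so if `ERemoveApplication` deletes the row that carries the version (the removed `GetAppPkgIdAndVer` read it from the same lookup that precedes removal), `tizenVersion` comes back empty, `isTizen2XVersion` is false and `GetTizen2XApps` is skipped — leaving the 2.X read-only rules for the uninstalled app's shared directory in place. The old code fetched the version before touching the database. Move the call up beside the other pre-removal reads: `PrivilegeDb::getInstance().GetAppVersion(appName, tizenVersion);` directly after `GetAppAuthorId(appName, authorId);`. The function body continues beyond this hunk.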
@@ -458,48 +457,47 @@ int ServiceImpl::appUninstall(const std::string &appId, uid_t uid) return SECURITY_MANAGER_ERROR_MEMORY; } - if (appExists) { - try { - if (removeApp) { - LogDebug("Removing smack rules for deleted appId " << appId); - SmackRules::uninstallApplicationRules(appId); - LogDebug("Pkg rules are deprecated. We must uninstall them. pkgId " << pkgId); - SmackRules::uninstallPackageRules(pkgId); - if (!removePkg) { - LogDebug("Creating new rules for pkgId " << pkgId); - SmackRules::updatePackageRules(pkgId, pkgContents, allTizen2XApps); - } + try { + if (removeApp) { + LogDebug("Removing smack rules for deleted appName " << appName); + SmackRules::uninstallApplicationRules(appName); + LogDebug("Pkg rules are deprecated. We must uninstall them. pkgName " << pkgName); + SmackRules::uninstallPackageRules(pkgName); + if (!removePkg) { + LogDebug("Creating new rules for pkgName " << pkgName); + SmackRules::updatePackageRules(pkgName, pkgContents, allTizen2XApps); } + } - if (removeAuthor) { - LogDebug("Removing Smack rules for authorId " << authorId); - SmackRules::uninstallAuthorRules(authorId); - } - } catch (const SmackException::Base &e) { - LogError("Error while removing Smack rules for application: " << e.DumpToString()); - return SECURITY_MANAGER_ERROR_SETTING_FILE_LABEL_FAILED; - } catch (const std::bad_alloc &e) { - LogError("Memory allocation error: " << e.what()); - return SECURITY_MANAGER_ERROR_MEMORY; + if (authorId != -1 && removeAuthor) { + LogDebug("Removing Smack rules for authorId " << authorId); + SmackRules::uninstallAuthorRules(authorId); } + } catch (const SmackException::Base &e) { + LogError("Error while removing Smack rules for application: " << e.DumpToString()); + return SECURITY_MANAGER_ERROR_SETTING_FILE_LABEL_FAILED; + } catch (const std::bad_alloc &e) { + LogError("Memory allocation error: " << e.what()); + return SECURITY_MANAGER_ERROR_MEMORY; } return SECURITY_MANAGER_SUCCESS; } -int ServiceImpl::getPkgId(const std::string 
&appId, std::string &pkgId) +int ServiceImpl::getPkgName(const std::string &appName, std::string &pkgName) { - LogDebug("appId: " << appId); + LogDebug("appName: " << appName); try { - if (!PrivilegeDb::getInstance().GetAppPkgId(appId, pkgId)) { - LogWarning("Application " << appId << " not found in database"); + PrivilegeDb::getInstance().GetAppPkgName(appName, pkgName); + if (pkgName.empty()) { + LogWarning("Application " << appName << " not found in database"); return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT; } else { - LogDebug("pkgId: " << pkgId); + LogDebug("pkgName: " << pkgName); } } catch (const PrivilegeDb::Exception::Base &e) { - LogError("Error while getting pkgId from database: " << e.DumpToString()); + LogError("Error while getting pkgName from database: " << e.DumpToString()); return SECURITY_MANAGER_ERROR_SERVER_ERROR; } 
@@ -507,33 +505,34 @@ int ServiceImpl::getPkgId(const std::string &appId, std::string &pkgId) } int ServiceImpl::getAppGroups( - const std::string &appId, + const std::string &appName, uid_t uid, pid_t pid, std::unordered_set &gids) { try { - std::string pkgId; + std::string pkgName; std::string smackLabel; std::string uidStr = std::to_string(uid); std::string pidStr = std::to_string(pid); - LogDebug("appId: " << appId); + LogDebug("appName: " << appName); - if (!PrivilegeDb::getInstance().GetAppPkgId(appId, pkgId)) { - LogWarning("Application " << appId << " not found in database"); + PrivilegeDb::getInstance().GetAppPkgName(appName, pkgName); + if (pkgName.empty()) { + LogWarning("Application " << appName << " not found in database"); return SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT; } - LogDebug("pkgId: " << pkgId); + LogDebug("pkgName: " << pkgName); - smackLabel = SmackLabels::generateAppLabel(appId); + smackLabel = SmackLabels::generateAppLabel(appName); LogDebug("smack label: " << smackLabel); std::vector privileges; - PrivilegeDb::getInstance().GetPkgPrivileges(pkgId, uid, privileges); + PrivilegeDb::getInstance().GetPkgPrivileges(pkgName, uid, privileges); /*there is also a need of checking, if privilege is granted to all users*/ size_t tmp = privileges.size(); - PrivilegeDb::getInstance().GetPkgPrivileges(pkgId, getGlobalUserId(), privileges); + PrivilegeDb::getInstance().GetPkgPrivileges(pkgName, getGlobalUserId(), privileges); /*privileges needs to be sorted and with no duplications - for cynara sake*/ std::inplace_merge(privileges.begin(), privileges.begin() + tmp, privileges.end()); privileges.erase(unique(privileges.begin(), privileges.end()), privileges.end()); 
@@ -689,7 +688,7 @@ int ServiceImpl::getConfiguredPolicy(bool forAdmin, const policy_entry &filter, return SECURITY_MANAGER_ERROR_ACCESS_DENIED; }; - LogDebug("Filter is: C: " << filter.appId + LogDebug("Filter is: C: " << filter.appName << ", U: " << filter.user << ", P: " << filter.privilege << ", current: " << filter.currentLevel @@ -698,12 +697,12 @@ int ServiceImpl::getConfiguredPolicy(bool forAdmin, const policy_entry &filter, std::vector listOfPolicies; - //convert appId to smack label - std::string appLabel = filter.appId.compare(SECURITY_MANAGER_ANY) ? SmackLabels::generateAppLabel(filter.appId) : CYNARA_ADMIN_ANY; + //convert appName to smack label + std::string appLabel = filter.appName.compare(SECURITY_MANAGER_ANY) ? SmackLabels::generateAppLabel(filter.appName) : CYNARA_ADMIN_ANY; std::string user = filter.user.compare(SECURITY_MANAGER_ANY) ? filter.user : CYNARA_ADMIN_ANY; std::string privilege = filter.privilege.compare(SECURITY_MANAGER_ANY) ? filter.privilege : CYNARA_ADMIN_ANY; - LogDebug("App: " << filter.appId << ", Label: " << appLabel); + LogDebug("App: " << filter.appName << ", Label: " << appLabel); if (forAdmin) { if (!Cynara::getInstance().check(smackLabel, ADMIN_PRIVILEGE, uidStr, pidStr)) { @@ -745,7 +744,7 @@ int ServiceImpl::getConfiguredPolicy(bool forAdmin, const policy_entry &filter, policy_entry pe; - pe.appId = strcmp(policy.client, CYNARA_ADMIN_WILDCARD) ? SmackLabels::generateAppNameFromLabel(policy.client) : SECURITY_MANAGER_ANY; + pe.appName = strcmp(policy.client, CYNARA_ADMIN_WILDCARD) ? SmackLabels::generateAppNameFromLabel(policy.client) : SECURITY_MANAGER_ANY; pe.user = strcmp(policy.user, CYNARA_ADMIN_WILDCARD) ? policy.user : SECURITY_MANAGER_ANY; pe.privilege = strcmp(policy.privilege, CYNARA_ADMIN_WILDCARD) ? policy.privilege : pe.privilege = SECURITY_MANAGER_ANY; pe.currentLevel = CynaraAdmin::getInstance().convertToPolicyDescription(policy.result); 
@@ -762,7 +761,7 @@ int ServiceImpl::getConfiguredPolicy(bool forAdmin, const policy_entry &filter, LogDebug( - "[policy_entry] app: " << pe.appId + "[policy_entry] app: " << pe.appName << " user: " << pe.user << " privilege: " << pe.privilege << " current: " << pe.currentLevel @@ -798,7 +797,7 @@ int ServiceImpl::getPolicy(const policy_entry &filter, uid_t uid, pid_t pid, con return SECURITY_MANAGER_ERROR_ACCESS_DENIED; }; - LogDebug("Filter is: C: " << filter.appId + LogDebug("Filter is: C: " << filter.appName << ", U: " << filter.user << ", P: " << filter.privilege << ", current: " << filter.currentLevel 
@@ -830,29 +829,29 @@ int ServiceImpl::getPolicy(const policy_entry &filter, uid_t uid, pid_t pid, con std::string userStr = std::to_string(user); std::vector listOfApps; - if (filter.appId.compare(SECURITY_MANAGER_ANY)) { - LogDebug("Limitting Cynara query to app: " << filter.appId); - listOfApps.push_back(filter.appId); + if (filter.appName.compare(SECURITY_MANAGER_ANY)) { + LogDebug("Limitting Cynara query to app: " << filter.appName); + listOfApps.push_back(filter.appName); } else { PrivilegeDb::getInstance().GetUserApps(user, listOfApps); LogDebug("Found apps: " << listOfApps.size()); }; - for (const std::string &appId : listOfApps) { - LogDebug("App: " << appId); - std::string smackLabelForApp = SmackLabels::generateAppLabel(appId); + for (const std::string &appName : listOfApps) { + LogDebug("App: " << appName); + std::string smackLabelForApp = SmackLabels::generateAppLabel(appName); std::vector listOfPrivileges; // FIXME: also fetch privileges of global applications // FIXME: fetch privileges from cynara, drop PrivilegeDb::GetAppPrivileges - PrivilegeDb::getInstance().GetAppPrivileges(appId, user, listOfPrivileges); + PrivilegeDb::getInstance().GetAppPrivileges(appName, user, listOfPrivileges); if (filter.privilege.compare(SECURITY_MANAGER_ANY)) { LogDebug("Limitting Cynara query to privilege: " << filter.privilege); // FIXME: this filtering should be already performed by method fetching the privileges if (std::find(listOfPrivileges.begin(), listOfPrivileges.end(), filter.privilege) == listOfPrivileges.end()) { - LogDebug("Application " << appId << + LogDebug("Application " << appName << " doesn't have the filteres privilege " << filter.privilege); continue; } @@ -866,7 +865,7 @@ int ServiceImpl::getPolicy(const policy_entry &filter, uid_t uid, pid_t pid, con LogDebug("Privilege: " << privilege); policy_entry pe; - pe.appId = appId; + pe.appName = appName; pe.user = userStr; pe.privilege = privilege; 
@@ -879,7 +878,7 @@ int ServiceImpl::getPolicy(const policy_entry &filter, uid_t uid, pid_t pid, con smackLabelForApp, userStr, privilege)); LogDebug( - "[policy_entry] app: " << pe.appId + "[policy_entry] app: " << pe.appName << " user: " << pe.user << " privilege: " << pe.privilege << " current: " << pe.currentLevel @@ -943,13 +942,13 @@ int ServiceImpl::policyGetGroups(std::vector &groups) } int ServiceImpl::appHasPrivilege( - std::string appId, + std::string appName, std::string privilege, uid_t uid, bool &result) { try { - std::string appLabel = SmackLabels::generateAppLabel(appId); + std::string appLabel = SmackLabels::generateAppLabel(appName); std::string uidStr = std::to_string(uid); result = Cynara::getInstance().check(appLabel, privilege, uidStr, ""); LogDebug("result = " << result); 
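Review bot: appHasPrivilege still takes `std::string appName` and `std::string privilege` by value although both are only read, whereas the other ServiceImpl entry points in this series (getAppGroups, dropOnePrivateSharing, applyPrivatePathSharing, dropPrivatePathSharing) take `const std::string &`; `const std::string &appName, const std::string &privilege,` would make the signature consistent and drop two string copies per call (the header declaration is not in view and would need the same change). The same by-value `const std::string` parameter appears on SmackRules::generateAppToOtherPackagesDeps (smack-rules.cpp hunk @@ -241) and SmackRules::generateAllowOther2XApplicationDeps (hunk @@ -266), where `const` on a by-value parameter is noise. The body of appHasPrivilege continues outside the hunk.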
@@ -971,27 +970,27 @@ int ServiceImpl::appHasPrivilege( int ServiceImpl::dropOnePrivateSharing( - const std::string &ownerAppId, - const std::string &ownerPkgId, + const std::string &ownerAppName, + const std::string &ownerPkgName, const std::vector &ownerPkgContents, - const std::string &targetAppId, + const std::string &targetAppName, const std::string &path) { int errorRet; try { int targetPathCount, pathCount, ownerTargetCount; - PrivilegeDb::getInstance().DropPrivateSharing(ownerAppId, targetAppId, path); - PrivilegeDb::getInstance().GetTargetPathSharingCount(targetAppId, path, targetPathCount); + PrivilegeDb::getInstance().DropPrivateSharing(ownerAppName, targetAppName, path); + PrivilegeDb::getInstance().GetTargetPathSharingCount(targetAppName, path, targetPathCount); PrivilegeDb::getInstance().GetPathSharingCount(path, pathCount); - PrivilegeDb::getInstance().GetOwnerTargetSharingCount(ownerAppId, targetAppId, ownerTargetCount); + PrivilegeDb::getInstance().GetOwnerTargetSharingCount(ownerAppName, targetAppName, ownerTargetCount); if (targetPathCount > 0) { return SECURITY_MANAGER_SUCCESS; } if (pathCount < 1) { - SmackLabels::setupPath(ownerPkgId, path, SECURITY_MANAGER_PATH_RW); + SmackLabels::setupPath(ownerPkgName, path, SECURITY_MANAGER_PATH_RW); } - std::string pathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgId, path); - SmackRules::dropPrivateSharingRules(ownerPkgId, ownerPkgContents, targetAppId, pathLabel, + std::string pathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgName, path); + SmackRules::dropPrivateSharingRules(ownerPkgName, ownerPkgContents, targetAppName, pathLabel, pathCount < 1, ownerTargetCount < 1); return SECURITY_MANAGER_SUCCESS; } catch (const SmackException::Base &e) { 
@@ -1011,66 +1010,69 @@ int ServiceImpl::dropOnePrivateSharing( } int ServiceImpl::applyPrivatePathSharing( - const std::string &ownerAppId, - const std::string &targetAppId, + const std::string &ownerAppName, + const std::string &targetAppName, const std::vector &paths) { int errorRet; int sharingAdded = 0; - std::string ownerPkgId; + std::string ownerPkgName; + std::string targetPkgName; std::vector pkgContents; try { - std::string targetPkgId; - if (!PrivilegeDb::getInstance().GetAppPkgId(ownerAppId, ownerPkgId)) { - LogError(ownerAppId << " is not an installed application"); + PrivilegeDb::getInstance().GetAppPkgName(ownerAppName, ownerPkgName); + if (ownerPkgName.empty()) { + LogError(ownerAppName << " is not an installed application"); return SECURITY_MANAGER_ERROR_APP_UNKNOWN; } - if (!PrivilegeDb::getInstance().GetAppPkgId(targetAppId, targetPkgId)) { - LogError(targetAppId << " is not an installed application"); + + PrivilegeDb::getInstance().GetAppPkgName(targetAppName, targetPkgName); + if (targetPkgName.empty()) { + LogError(targetAppName << " is not an installed application"); return SECURITY_MANAGER_ERROR_APP_UNKNOWN; } for(const auto &path : paths) { std::string pathLabel = SmackLabels::getSmackLabelFromPath(path); - if (pathLabel != SmackLabels::generatePkgLabel(ownerPkgId)) { - std::string generatedPathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgId, path); + if (pathLabel != SmackLabels::generatePkgLabel(ownerPkgName)) { + std::string generatedPathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgName, path); if (generatedPathLabel != pathLabel) { LogError("Path " << path << " has label " << pathLabel << " and dosen't belong" - " to application " << ownerAppId); + " to application " << ownerAppName); return SECURITY_MANAGER_ERROR_APP_NOT_PATH_OWNER; } } } - if (ownerAppId == targetAppId) { + if (ownerAppName == targetAppName) { LogDebug("Owner application is the same as target application"); return SECURITY_MANAGER_SUCCESS; } - if 
(ownerPkgId == targetPkgId) { + if (ownerPkgName == targetPkgName) { LogDebug("Owner and target belong to the same package"); return SECURITY_MANAGER_SUCCESS; } ScopedTransaction trans; - PrivilegeDb::getInstance().GetAppIdsForPkgId(ownerPkgId, pkgContents); + PrivilegeDb::getInstance().GetPkgApps(ownerPkgName, pkgContents); for (const auto &path : paths) { int targetPathCount, pathCount, ownerTargetCount; - PrivilegeDb::getInstance().GetTargetPathSharingCount(targetAppId, path, targetPathCount); + PrivilegeDb::getInstance().GetTargetPathSharingCount(targetAppName, path, targetPathCount); PrivilegeDb::getInstance().GetPathSharingCount(path, pathCount); - PrivilegeDb::getInstance().GetOwnerTargetSharingCount(ownerAppId, targetAppId, ownerTargetCount); - std::string pathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgId, path); - PrivilegeDb::getInstance().ApplyPrivateSharing(ownerAppId, targetAppId, path, pathLabel); + PrivilegeDb::getInstance().GetOwnerTargetSharingCount(ownerAppName, targetAppName, ownerTargetCount); + std::string pathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgName, path); + PrivilegeDb::getInstance().ApplyPrivateSharing(ownerAppName, targetAppName, path, pathLabel); sharingAdded++; if (targetPathCount > 0) { //Nothing to do, only counter needed incrementing continue; } if (pathCount <= 0) { - SmackLabels::setupSharedPrivatePath(ownerPkgId, path); + SmackLabels::setupSharedPrivatePath(ownerPkgName, path); } - SmackRules::applyPrivateSharingRules(ownerPkgId, pkgContents, targetAppId, - pathLabel, (pathCount > 0), (ownerTargetCount > 0)); + SmackRules::applyPrivateSharingRules(ownerPkgName, pkgContents, + targetAppName, pathLabel, (pathCount > 0), (ownerTargetCount > 0)); } trans.commit(); return SECURITY_MANAGER_SUCCESS; 
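Review bot: `std::string targetPkgName;` is hoisted to function scope next to `ownerPkgName`, but unlike `ownerPkgName` it is never read after the try block (the rollback loop in hunk @@ -1087 uses only ownerPkgName), so it should stay declared inside the try as dropPrivatePathSharing does: `std::string targetPkgName;` immediately before the `GetAppPkgName(targetAppName, targetPkgName)` call. The ownership check loop (`getSmackLabelFromPath` / `generatePkgLabel` / `generateSharedPrivateLabel`) and the two identical early returns are duplicated line for line in dropPrivatePathSharing; a private helper such as `checkPathOwnership(ownerPkgName, paths)` (constructed name) would keep the two in step. The function body runs past the hunk.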
@@ -1087,56 +1089,63 @@ int ServiceImpl::applyPrivatePathSharing( LogError("Unknown exception thrown"); errorRet = SECURITY_MANAGER_ERROR_UNKNOWN; } + for (int i = 0; i < sharingAdded; i++) { const std::string &path = paths[i]; - dropOnePrivateSharing(ownerAppId, ownerPkgId, pkgContents, targetAppId, path); + dropOnePrivateSharing(ownerAppName, ownerPkgName, pkgContents, targetAppName, path); } + return errorRet; } int ServiceImpl::dropPrivatePathSharing( - const std::string &ownerAppId, - const std::string &targetAppId, + const std::string &ownerAppName, + const std::string &targetAppName, const std::vector &paths) { int errorRet; try { - std::string ownerPkgId, targetPkgId; - if (!PrivilegeDb::getInstance().GetAppPkgId(ownerAppId, ownerPkgId)) { - LogError(ownerAppId << " is not an installed application"); + std::string ownerPkgName; + PrivilegeDb::getInstance().GetAppPkgName(ownerAppName, ownerPkgName); + if (ownerPkgName.empty()) { + LogError(ownerAppName << " is not an installed application"); return SECURITY_MANAGER_ERROR_APP_UNKNOWN; } - if (!PrivilegeDb::getInstance().GetAppPkgId(targetAppId, targetPkgId)) { - LogError(targetAppId << " is not an installed application"); + + std::string targetPkgName; + PrivilegeDb::getInstance().GetAppPkgName(targetAppName, targetPkgName); + if (targetPkgName.empty()) { + LogError(targetAppName << " is not an installed application"); return SECURITY_MANAGER_ERROR_APP_UNKNOWN; } for(const auto &path : paths) { std::string pathLabel = SmackLabels::getSmackLabelFromPath(path); - if (pathLabel != SmackLabels::generatePkgLabel(ownerPkgId)) { - std::string generatedPathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgId, path); + if (pathLabel != SmackLabels::generatePkgLabel(ownerPkgName)) { + std::string generatedPathLabel = SmackLabels::generateSharedPrivateLabel(ownerPkgName, path); if (generatedPathLabel != pathLabel) { LogError("Path " << path << " has label " << pathLabel << " and dosen't belong" - " to application 
" << ownerAppId); + " to application " << ownerAppName); return SECURITY_MANAGER_ERROR_APP_NOT_PATH_OWNER; } } } - if (ownerAppId == targetAppId) { + + if (ownerAppName == targetAppName) { LogDebug("Owner application is the same as target application"); return SECURITY_MANAGER_SUCCESS; } - if (ownerPkgId == targetPkgId) { + if (ownerPkgName == targetPkgName) { LogDebug("Owner and target belong to the same package"); return SECURITY_MANAGER_SUCCESS; } std::vector pkgContents; - PrivilegeDb::getInstance().GetAppIdsForPkgId(ownerPkgId, pkgContents); + PrivilegeDb::getInstance().GetPkgApps(ownerPkgName, pkgContents); ScopedTransaction trans; for (const auto &path : paths) { - int ret = dropOnePrivateSharing(ownerAppId, ownerPkgId, pkgContents, targetAppId, path); + int ret = dropOnePrivateSharing(ownerAppName, ownerPkgName, pkgContents, targetAppName, path); if (ret != SECURITY_MANAGER_SUCCESS) { return ret; } @@ -1156,6 +1165,7 @@ int ServiceImpl::dropPrivatePathSharing( LogError("Unknown exception thrown"); errorRet = SECURITY_MANAGER_ERROR_UNKNOWN; } + return errorRet; } diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp index ccec4f8..07d9a99 100644 --- a/src/common/smack-labels.cpp +++ b/src/common/smack-labels.cpp @@ -132,22 +132,22 @@ static void labelDir(const std::string &path, const std::string &label, } void setupPath( - const std::string &pkgId, + const std::string &pkgName, const std::string &path, app_install_path_type pathType, - const std::string &authorId) + const int authorId) { std::string label; bool label_executables, label_transmute; switch (pathType) { case SECURITY_MANAGER_PATH_RW: - label = generatePkgLabel(pkgId); + label = generatePkgLabel(pkgName); label_executables = false; label_transmute = true; break; case SECURITY_MANAGER_PATH_RO: - label = generatePkgROLabel(pkgId); + label = generatePkgROLabel(pkgName); label_executables = false; label_transmute = false; break; 
@@ -157,12 +157,12 @@ void setupPath( label_transmute = true; break; case SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO: - label = generatePkgLabelOwnerRWothersRO(pkgId); + label = generatePkgLabelOwnerRWothersRO(pkgName); label_executables = false; label_transmute = true; break; case SECURITY_MANAGER_PATH_TRUSTED_RW: - if (authorId.empty()) + if (authorId < 0) ThrowMsg(SmackException::InvalidParam, "You must define author to use PATH_TRUSED_RW"); label = generateAuthorLabel(authorId); label_executables = false; @@ -175,14 +175,14 @@ void setupPath( return labelDir(path, label, label_transmute, label_executables); } -void setupAppBasePath(const std::string &pkgId, const std::string &basePath) +void setupAppBasePath(const std::string &pkgName, const std::string &basePath) { - std::string pkgPath = basePath + "/" + pkgId; + std::string pkgPath = basePath + "/" + pkgName; pathSetSmack(pkgPath.c_str(), LABEL_FOR_APP_PUBLIC_RO_PATH, XATTR_NAME_SMACK); } -void setupSharedPrivatePath(const std::string &pkgId, const std::string &path) { - pathSetSmack(path.c_str(), generateSharedPrivateLabel(pkgId, path), XATTR_NAME_SMACK); +void setupSharedPrivatePath(const std::string &pkgName, const std::string &path) { + pathSetSmack(path.c_str(), generateSharedPrivateLabel(pkgName, path), XATTR_NAME_SMACK); } std::string generateAppNameFromLabel(const std::string &label) 
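Review bot: The switch from `authorId.empty()` to `authorId < 0` turns "no author" into an unnamed sentinel that is now spelled out independently here, in generateAuthorLabel (hunk @@ -304), in SmackRules::addFromTemplate (smack-rules.cpp hunk @@ -172, as `authorId >= 0`) and in installApplicationRules (hunk @@ -318). A single named constant shared by smack-labels.cpp and smack-rules.cpp, e.g. `constexpr int AUTHOR_ID_NONE = -1;` (constructed name) with `if (authorId == AUTHOR_ID_NONE)`, would document the contract and keep the comparisons from drifting. The calls that omit the argument in updatePackageRules (hunk @@ -318) and security-manager-cleanup.cpp (hunk @@ -48) presumably rely on a default in the header declarations, which are not in view; the definition here carries none, so that dependency deserves a comment at the declaration. setupPath's body continues outside the hunk.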
@@ -190,62 +190,62 @@ std::string generateAppNameFromLabel(const std::string &label) static const char prefix[] = "User::App::"; if (label.compare(0, sizeof(prefix) - 1, prefix)) - ThrowMsg(SmackException::InvalidLabel, "Cannot extract appId from Smack label " << label); + ThrowMsg(SmackException::InvalidLabel, "Cannot extract appName from Smack label " << label); std::string ret = label.substr(sizeof(prefix) - 1); if (ret.size() == 0) { - ThrowMsg(SmackException::InvalidLabel, "No appId in Smack label " << label); + ThrowMsg(SmackException::InvalidLabel, "No appName in Smack label " << label); } return ret; } -std::string generateAppLabel(const std::string &appId) +std::string generateAppLabel(const std::string &appName) { - std::string label = "User::App::" + appId; + std::string label = "User::App::" + appName; if (smack_label_length(label.c_str()) <= 0) - ThrowMsg(SmackException::InvalidLabel, "Invalid Smack label generated from appId " << appId); + ThrowMsg(SmackException::InvalidLabel, "Invalid Smack label generated from appName " << appName); return label; } -std::string generatePkgLabelOwnerRWothersRO(const std::string &pkgId) +std::string generatePkgLabelOwnerRWothersRO(const std::string &pkgName) { - std::string label = "User::Pkg::" + pkgId + "::SharedRO"; + std::string label = "User::Pkg::" + pkgName + "::SharedRO"; if (smack_label_length(label.c_str()) <= 0) - ThrowMsg(SmackException::InvalidLabel, "Invalid Smack label generated from pkgId " << pkgId); + ThrowMsg(SmackException::InvalidLabel, "Invalid Smack label generated from pkgName " << pkgName); return label; } -std::string generatePkgLabel(const std::string &pkgId) +std::string generatePkgLabel(const std::string &pkgName) { - std::string label = "User::Pkg::" + pkgId; + std::string label = "User::Pkg::" + pkgName; if (smack_label_length(label.c_str()) <= 0) - ThrowMsg(SmackException::InvalidLabel, "Invalid Smack label generated from pkgId " << pkgId); + ThrowMsg(SmackException::InvalidLabel, 
"Invalid Smack label generated from pkgName " << pkgName); return label; } -std::string generatePkgROLabel(const std::string &pkgId) +std::string generatePkgROLabel(const std::string &pkgName) { - std::string label = "User::Pkg::" + pkgId + "::RO"; + std::string label = "User::Pkg::" + pkgName + "::RO"; if (smack_label_length(label.c_str()) <= 0) - ThrowMsg(SmackException::InvalidLabel, "Invalid Smack label generated from pkgId " << pkgId); + ThrowMsg(SmackException::InvalidLabel, "Invalid Smack label generated from pkgName " << pkgName); return label; } -std::string generateSharedPrivateLabel(const std::string &pkgId, const std::string &path) +std::string generateSharedPrivateLabel(const std::string &pkgName, const std::string &path) { // Prefix $1$ causes crypt() to use MD5 function std::string label = "User::Pkg::"; - std::string salt = "$1$" + pkgId; + std::string salt = "$1$" + pkgName; const char * cryptLabel = crypt(path.c_str(), salt.c_str()); if (!cryptLabel) { @@ -304,14 +304,14 @@ std::string getSmackLabelFromPid(pid_t pid) return result; } -std::string generateAuthorLabel(const std::string &authorId) +std::string generateAuthorLabel(const int authorId) { - if (authorId.empty()) { + if (authorId < 0) { LogError("Author was not set. It's not possible to generate label for unknown author."); ThrowMsg(SmackException::InvalidLabel, "Could not generate valid label without authorId"); } - return "User::Author::" + authorId; + return "User::Author::" + std::to_string(authorId); } } // namespace SmackLabels diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp index df3f1a0..7be04d7 100644 --- a/src/common/smack-rules.cpp +++ b/src/common/smack-rules.cpp 
@@ -150,9 +150,9 @@ void SmackRules::saveToFile(const std::string &path, bool truncFile) const void SmackRules::addFromTemplateFile( const std::string &templatePath, - const std::string &appId, - const std::string &pkgId, - const std::string &authorId) + const std::string &appName, + const std::string &pkgName, + const int authorId) { RuleVector templateRules; std::string line; @@ -172,26 +172,26 @@ void SmackRules::addFromTemplateFile( ThrowMsg(SmackException::FileError, "Error reading template file: " << templatePath); } - addFromTemplate(templateRules, appId, pkgId, authorId); + addFromTemplate(templateRules, appName, pkgName, authorId); } void SmackRules::addFromTemplate( const RuleVector &templateRules, - const std::string &appId, - const std::string &pkgId, - const std::string &authorId) + const std::string &appName, + const std::string &pkgName, + const int authorId) { std::string appLabel; std::string pkgLabel; std::string authorLabel; - if (!appId.empty()) - appLabel = SmackLabels::generateAppLabel(appId); + if (!appName.empty()) + appLabel = SmackLabels::generateAppLabel(appName); - if (!pkgId.empty()) - pkgLabel = SmackLabels::generatePkgLabel(pkgId); + if (!pkgName.empty()) + pkgLabel = SmackLabels::generatePkgLabel(pkgName); - if (!authorId.empty()) + if (authorId >= 0) authorLabel = SmackLabels::generateAuthorLabel(authorId); for (auto rule : templateRules) { @@ -241,7 +241,7 @@ void SmackRules::generatePackageCrossDeps(const std::vector &pkgCon } void SmackRules::generateAppToOtherPackagesDeps( - const std::string appId, + const std::string appName, const std::vector &other2XPackages) { // reverse: allow installed app to access others' contents 
@@ -253,7 +253,7 @@ void SmackRules::generateAppToOtherPackagesDeps( std::string accessPackageRulesPath = getPackageRulesFilePath(object); packageRules.loadFromFile(accessPackageRulesPath); - std::string subjectLabel = SmackLabels::generateAppLabel(appId); + std::string subjectLabel = SmackLabels::generateAppLabel(appName); LogDebug("Addding cross app rule for newly installed subject " << subjectLabel << " to already installed 2.x package object: " << otherObjectLabel << " perms: " << SMACK_APP_CROSS_PKG_PERMS); packageRules.add(subjectLabel, otherObjectLabel, SMACK_APP_CROSS_PKG_PERMS); packageRules.saveToFile(accessPackageRulesPath); @@ -266,12 +266,12 @@ void SmackRules::generateAppToOtherPackagesDeps( * this below works in N^2 and should be replaced by an alternative mechanism */ void SmackRules::generateAllowOther2XApplicationDeps( - const std::string pkgId, + const std::string pkgName, const std::vector &other2XApps) { LogDebug("Generating cross-package rules"); - std::string objectLabel = SmackLabels::generatePkgLabelOwnerRWothersRO(pkgId); + std::string objectLabel = SmackLabels::generatePkgLabelOwnerRWothersRO(pkgName); std::string appsInPackagePerms = SMACK_APP_IN_PACKAGE_PERMS; // allow other app to access installed package contents 
@@ -284,32 +284,33 @@ void SmackRules::generateAllowOther2XApplicationDeps( } } -std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId) +std::string SmackRules::getPackageRulesFilePath(const std::string &pkgName) { - std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str())); + std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgName).c_str())); return path; } -std::string SmackRules::getApplicationRulesFilePath(const std::string &appId) +std::string SmackRules::getApplicationRulesFilePath(const std::string &appName) { - std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str())); + std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appName).c_str())); return path; } -std::string SmackRules::getAuthorRulesFilePath(const std::string &authorId) +std::string SmackRules::getAuthorRulesFilePath(const int authorId) { - return tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("author_" + authorId).c_str()); + std::string authorIdStr = std::to_string(authorId); + return tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("author_" + authorIdStr).c_str()); } void SmackRules::useTemplate( const std::string &templatePath, const std::string &outputPath, - const std::string &appId, - const std::string &pkgId, - const std::string &authorId) + const std::string &appName, + const std::string &pkgName, + const int authorId) { SmackRules smackRules; - smackRules.addFromTemplateFile(templatePath, appId, pkgId, authorId); + smackRules.addFromTemplateFile(templatePath, appName, pkgName, authorId); if (smack_smackfs_path() != NULL) smackRules.apply(); 
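Review bot: getPackageRulesFilePath, getApplicationRulesFilePath and the new getAuthorRulesFilePath splice the caller-supplied name straight into a file name under accesses.d (`("pkg_" + pkgName).c_str()`), and pkgName/appName arrive from the client buffer in Service::processAppInstall (service.cpp hunk @@ -168) with no validation visible in this patch. Unless appInstall rejects names elsewhere, a name containing `/` or `..` would resolve outside accesses.d when the rules file is written or removed; a single check at the service boundary that rejects empty names and names containing `/` is the defensive fix, and a precondition comment here, `// pkgName must already be validated: it becomes a file name under accesses.d`, would record it. The three helpers also construct a std::string from the `const char *` returned by tzplatform_mkpath3 without a null check, which is pre-existing but worth a guard now that a third copy is added.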
@@ -318,34 +319,34 @@ void SmackRules::useTemplate( } void SmackRules::installApplicationRules( - const std::string &appId, - const std::string &pkgId, - const std::string &authorId, + const std::string &appName, + const std::string &pkgName, + const int authorId, const std::vector &pkgContents, const std::vector &appsGranted, const std::vector &accessPackages) { - useTemplate(APP_RULES_TEMPLATE_FILE_PATH, getApplicationRulesFilePath(appId), appId, pkgId, authorId); + useTemplate(APP_RULES_TEMPLATE_FILE_PATH, getApplicationRulesFilePath(appName), appName, pkgName, authorId); - if (!authorId.empty()) - useTemplate(AUTHOR_RULES_TEMPLATE_FILE_PATH, getAuthorRulesFilePath(authorId), appId, pkgId, authorId); + if (authorId >= 0) + useTemplate(AUTHOR_RULES_TEMPLATE_FILE_PATH, getAuthorRulesFilePath(authorId), appName, pkgName, authorId); - updatePackageRules(pkgId, pkgContents, appsGranted); - generateAppToOtherPackagesDeps(appId, accessPackages); + updatePackageRules(pkgName, pkgContents, appsGranted); + generateAppToOtherPackagesDeps(appName, accessPackages); } void SmackRules::updatePackageRules( - const std::string &pkgId, + const std::string &pkgName, const std::vector &pkgContents, const std::vector &appsGranted) { - useTemplate(PKG_RULES_TEMPLATE_FILE_PATH, getPackageRulesFilePath(pkgId), std::string(), pkgId, std::string()); + useTemplate(PKG_RULES_TEMPLATE_FILE_PATH, getPackageRulesFilePath(pkgName), std::string(), pkgName); SmackRules smackRules; - std::string pkgPath = getPackageRulesFilePath(pkgId); + std::string pkgPath = getPackageRulesFilePath(pkgName); smackRules.generatePackageCrossDeps(pkgContents); - smackRules.generateAllowOther2XApplicationDeps(pkgId, appsGranted); + smackRules.generateAllowOther2XApplicationDeps(pkgName, appsGranted); if (smack_smackfs_path() != NULL) smackRules.apply(); 
@@ -353,14 +354,14 @@ void SmackRules::updatePackageRules( smackRules.saveToFile(pkgPath, false); } -void SmackRules::uninstallPackageRules(const std::string &pkgId) +void SmackRules::uninstallPackageRules(const std::string &pkgName) { - uninstallRules(getPackageRulesFilePath(pkgId)); + uninstallRules(getPackageRulesFilePath(pkgName)); } -void SmackRules::uninstallApplicationRules(const std::string &appId) +void SmackRules::uninstallApplicationRules(const std::string &appName) { - uninstallRules(getApplicationRulesFilePath(appId)); + uninstallRules(getApplicationRulesFilePath(appName)); } void SmackRules::uninstallRules(const std::string &path) @@ -399,25 +400,25 @@ void SmackRules::strReplace(std::string &haystack, const std::string &needle, haystack.replace(pos, needle.size(), replace); } -void SmackRules::uninstallAuthorRules(const std::string &authorId) +void SmackRules::uninstallAuthorRules(const int authorId) { uninstallRules(getAuthorRulesFilePath(authorId)); } void SmackRules::applyPrivateSharingRules( - const std::string &ownerPkgId, + const std::string &ownerPkgName, const std::vector &ownerPkgContents, - const std::string &targetAppId, + const std::string &targetAppName, const std::string &pathLabel, bool isPathSharedAlready, bool isTargetSharingAlready) { SmackRules rules; - const std::string &targetLabel = SmackLabels::generateAppLabel(targetAppId); + const std::string &targetLabel = SmackLabels::generateAppLabel(targetAppName); if (!isTargetSharingAlready) { rules.add(targetLabel, - SmackLabels::generatePkgLabel(ownerPkgId), + SmackLabels::generatePkgLabel(ownerPkgName), SMACK_APP_DIR_TARGET_PERMS); } if (!isPathSharedAlready) { 
@@ -433,18 +434,18 @@ void SmackRules::applyPrivateSharingRules( } void SmackRules::dropPrivateSharingRules( - const std::string &ownerPkgId, + const std::string &ownerPkgName, const std::vector &ownerPkgContents, - const std::string &targetAppId, + const std::string &targetAppName, const std::string &pathLabel, bool isPathSharedNoMore, bool isTargetSharingNoMore) { SmackRules rules; - const std::string &targetLabel = SmackLabels::generateAppLabel(targetAppId); + const std::string &targetLabel = SmackLabels::generateAppLabel(targetAppName); if (isTargetSharingNoMore) { rules.addModify(targetLabel, - SmackLabels::generatePkgLabel(ownerPkgId), + SmackLabels::generatePkgLabel(ownerPkgName), "", SMACK_APP_DIR_TARGET_PERMS); } if (isPathSharedNoMore) { diff --git a/src/server/cleanup/security-manager-cleanup.cpp b/src/server/cleanup/security-manager-cleanup.cpp index 9264488..527d536 100644 --- a/src/server/cleanup/security-manager-cleanup.cpp +++ b/src/server/cleanup/security-manager-cleanup.cpp @@ -34,12 +34,14 @@ namespace { const std::string tmp_flag = "/tmp/sm-cleanup-tmp-flag"; -bool fileExists(const std::string &path) { +bool fileExists(const std::string &path) +{ struct stat buffer; return stat(path.c_str(), &buffer) == 0 && S_ISREG(buffer.st_mode); } -bool createFile(const std::string &path) { +bool createFile(const std::string &path) +{ int fd; mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH; fd = TEMP_FAILURE_RETRY(creat(path.c_str(), mode)); 
@@ -48,25 +50,29 @@ bool createFile(const std::string &path) { return false; } close(fd); + return true; } } //namespace anonymous -int main(void) { +int main(void) +{ using namespace SecurityManager; + if (fileExists(tmp_flag)) return EXIT_SUCCESS; + try { std::map> appPathMap; PrivilegeDb::getInstance().GetAllPrivateSharing(appPathMap); for (auto &appPaths : appPathMap) { try { - std::string appPkgId; - PrivilegeDb::getInstance().GetAppPkgId(appPaths.first, appPkgId); + std::string pkgName; + PrivilegeDb::getInstance().GetAppPkgName(appPaths.first, pkgName); for (const auto &path : appPaths.second) { //FIXME Make this service run as slave and master - SmackLabels::setupPath(appPkgId, path, SECURITY_MANAGER_PATH_RW, ""); + SmackLabels::setupPath(pkgName, path, SECURITY_MANAGER_PATH_RW); } } catch (const SecurityManager::Exception &e) { LogError("Got SecurityManager exception: " << e.GetMessage() << ", ignoring"); @@ -82,7 +88,9 @@ int main(void) { } catch (...) { std::cerr << "Unknown exception thrown" << std::endl; } + if (!createFile(tmp_flag)) return EXIT_FAILURE; + return EXIT_SUCCESS; } diff --git a/src/server/service/include/service.h b/src/server/service/include/service.h index 4d851c1..3940340 100644 --- a/src/server/service/include/service.h +++ b/src/server/service/include/service.h @@ -76,12 +76,12 @@ private: void processAppUninstall(MessageBuffer &buffer, MessageBuffer &send, uid_t uid); /** - * Process getting package id from app id + * Process getting package identifier from an app identifier * * @param buffer Raw received data buffer * @param send Raw data buffer to be sent */ - void processGetPkgId(MessageBuffer &buffer, MessageBuffer &send); + void processGetPkgName(MessageBuffer &buffer, MessageBuffer &send); /** * Process getting permitted group ids for app id diff --git a/src/server/service/service.cpp b/src/server/service/service.cpp index 64b79f2..50e5635 100644 --- a/src/server/service/service.cpp +++ b/src/server/service/service.cpp 
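Review bot: The cleanup loop calls `GetAppPkgName(appPaths.first, pkgName)` and passes `pkgName` to setupPath without the `pkgName.empty()` check that every other call site in this commit adds (getAppGroups, applyPrivatePathSharing, dropPrivatePathSharing), so an app that is no longer in the database would have its shared paths relabelled with the label generated from an empty package name; `if (pkgName.empty()) continue;` after the lookup, with a LogWarning, matches the rest of the series. The context comment `//FIXME Make this service run as slave and master` is left behind although this commit removes master/slave mode, so it should be dropped. Separately, `tmp_flag` lives in /tmp and is tested with stat() and created with creat() (hunk @@ -34): any local user can pre-create that file, which makes main() return before doing any work, and creat() follows a symlink placed at that path; a flag under a directory writable only by the service user, opened with `O_CREAT | O_EXCL | O_NOFOLLOW`, avoids both.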
@@ -94,8 +94,8 @@ bool Service::processOne(const ConnectionID &conn, MessageBuffer &buffer, LogDebug("call_type: SecurityModuleCall::APP_UNINSTALL"); processAppUninstall(buffer, send, uid); break; - case SecurityModuleCall::APP_GET_PKGID: - processGetPkgId(buffer, send); + case SecurityModuleCall::APP_GET_PKG_NAME: + processGetPkgName(buffer, send); break; case SecurityModuleCall::APP_GET_GROUPS: processGetAppGroups(buffer, send, uid, pid); 
@@ -168,45 +168,45 @@ void Service::processAppInstall(MessageBuffer &buffer, MessageBuffer &send, uid_ { app_inst_req req; - Deserialization::Deserialize(buffer, req.appId); - Deserialization::Deserialize(buffer, req.pkgId); + Deserialization::Deserialize(buffer, req.appName); + Deserialization::Deserialize(buffer, req.pkgName); Deserialization::Deserialize(buffer, req.privileges); Deserialization::Deserialize(buffer, req.appPaths); Deserialization::Deserialize(buffer, req.uid); Deserialization::Deserialize(buffer, req.tizenVersion); - Deserialization::Deserialize(buffer, req.authorId); + Deserialization::Deserialize(buffer, req.authorName); Serialization::Serialize(send, serviceImpl.appInstall(req, uid)); } void Service::processAppUninstall(MessageBuffer &buffer, MessageBuffer &send, uid_t uid) { - std::string appId; + std::string appName; - Deserialization::Deserialize(buffer, appId); - Serialization::Serialize(send, serviceImpl.appUninstall(appId, uid)); + Deserialization::Deserialize(buffer, appName); + Serialization::Serialize(send, serviceImpl.appUninstall(appName, uid)); } -void Service::processGetPkgId(MessageBuffer &buffer, MessageBuffer &send) +void Service::processGetPkgName(MessageBuffer &buffer, MessageBuffer &send) { - std::string appId; - std::string pkgId; + std::string appName; + std::string pkgName; int ret; - Deserialization::Deserialize(buffer, appId); - ret = serviceImpl.getPkgId(appId, pkgId); + Deserialization::Deserialize(buffer, appName); + ret = serviceImpl.getPkgName(appName, pkgName); Serialization::Serialize(send, ret); if (ret == SECURITY_MANAGER_SUCCESS) - Serialization::Serialize(send, pkgId); + Serialization::Serialize(send, pkgName); } void Service::processGetAppGroups(MessageBuffer &buffer, MessageBuffer &send, uid_t uid, pid_t pid) { - std::string appId; + std::string appName; std::unordered_set gids; int ret; - Deserialization::Deserialize(buffer, appId); - ret = serviceImpl.getAppGroups(appId, uid, pid, gids); + 
Deserialization::Deserialize(buffer, appName); + ret = serviceImpl.getAppGroups(appName, uid, pid, gids); Serialization::Serialize(send, ret); if (ret == SECURITY_MANAGER_SUCCESS) { Serialization::Serialize(send, static_cast(gids.size())); @@ -313,16 +313,16 @@ void Service::processGroupsGet(MessageBuffer &send) void Service::processAppHasPrivilege(MessageBuffer &recv, MessageBuffer &send) { - std::string appId; + std::string appName; std::string privilege; uid_t uid; - Deserialization::Deserialize(recv, appId); + Deserialization::Deserialize(recv, appName); Deserialization::Deserialize(recv, privilege); Deserialization::Deserialize(recv, uid); bool result; - int ret = serviceImpl.appHasPrivilege(appId, privilege, uid, result); + int ret = serviceImpl.appHasPrivilege(appName, privilege, uid, result); Serialization::Serialize(send, ret); if (ret == SECURITY_MANAGER_SUCCESS) 
@@ -331,23 +331,23 @@ void Service::processAppHasPrivilege(MessageBuffer &recv, MessageBuffer &send) void Service::processApplyPrivateSharing(MessageBuffer &recv, MessageBuffer &send) { - std::string ownerAppId, targetAppId; + std::string ownerAppName, targetAppName; std::vector paths; - Deserialization::Deserialize(recv, ownerAppId); - Deserialization::Deserialize(recv, targetAppId); + Deserialization::Deserialize(recv, ownerAppName); + Deserialization::Deserialize(recv, targetAppName); Deserialization::Deserialize(recv, paths); - int ret = serviceImpl.applyPrivatePathSharing(ownerAppId, targetAppId, paths); + int ret = serviceImpl.applyPrivatePathSharing(ownerAppName, targetAppName, paths); Serialization::Serialize(send, ret); } void Service::processDropPrivateSharing(MessageBuffer &recv, MessageBuffer &send) { - std::string ownerAppId, targetAppId; + std::string ownerAppName, targetAppName; std::vector paths; - Deserialization::Deserialize(recv, ownerAppId); - Deserialization::Deserialize(recv, targetAppId); + Deserialization::Deserialize(recv, ownerAppName); + Deserialization::Deserialize(recv, targetAppName); Deserialization::Deserialize(recv, paths); - int ret = serviceImpl.dropPrivatePathSharing(ownerAppId, targetAppId, paths); + int ret = serviceImpl.dropPrivatePathSharing(ownerAppName, targetAppName, paths); Serialization::Serialize(send, ret); } } // namespace SecurityManager -- 2.7.4 From 2a9b7604632310069a140fc11ff0950111c31cd0 Mon Sep 17 00:00:00 2001 From: "keeho.yang" Date: Fri, 11 Mar 2016 11:07:47 +0900 Subject: [PATCH 13/16] Change TZ_SYS_RO_SHARE from TZ_SYS_SHARE Change-Id: I99c921a7cfe5a03920e8787087b9d38157df851d --- src/common/smack-rules.cpp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) mode change 100644 => 100755 src/common/smack-rules.cpp diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp old mode 100644 new mode 100755 index 7be04d7..bb14046 --- a/src/common/smack-rules.cpp +++ b/src/common/smack-rules.cpp 
@@ -44,10 +44,10 @@ namespace SecurityManager { const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~"; const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~"; const char *const SMACK_AUTHOR_LABEL_TEMPLATE = "~AUTHOR~"; -const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack"); -const char *const PKG_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "pkg-rules-template.smack"); +const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_RO_SHARE, "security-manager", "policy", "app-rules-template.smack"); +const char *const PKG_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_RO_SHARE, "security-manager", "policy", "pkg-rules-template.smack"); const char *const AUTHOR_RULES_TEMPLATE_FILE_PATH = - tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "author-rules-template.smack"); + tzplatform_mkpath4(TZ_SYS_RO_SHARE, "security-manager", "policy", "author-rules-template.smack"); const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat"; const char *const SMACK_APP_CROSS_PKG_PERMS = "rx"; const char *const SMACK_APP_PATH_OWNER_PERMS = "rwxat"; -- 2.7.4 From cc059948b58bdfebf7e084bc64a97b617164c1df Mon Sep 17 00:00:00 2001 From: Rafal Krypa Date: Mon, 14 Mar 2016 14:17:18 +0100 Subject: [PATCH 14/16] Resolve symlinks in TZ_SYS_RW_APP/TZ_USER_APP before validating app paths Change-Id: Iefa723380df60af802e33bbeb95d4d0ebe543444 Signed-off-by: Rafal Krypa --- src/common/service_impl.cpp | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp index a9a624e..2c09ec1 100644 --- a/src/common/service_impl.cpp +++ b/src/common/service_impl.cpp 
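Review bot: The file mode of src/common/smack-rules.cpp flips from 100644 to 100755 in this patch (see the `old mode`/`new mode` lines in the file header), which makes a C++ source file executable for no reason the change needs; this looks like an editor or copy artefact and should be reverted with `chmod 644 src/common/smack-rules.cpp` so the patch stays a three-line constant change. Pointing the Smack rule templates at TZ_SYS_RO_SHARE is otherwise sensible, since they are policy inputs read by the service and presumably belong on the read-only part of the image.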
@@ -214,25 +214,23 @@ bool ServiceImpl::getUserAppDir(const uid_t &uid, std::string &userAppDir) if (tzplatform_context_create(&tz_ctx)) return false; - if (tzplatform_context_set_user(tz_ctx, uid)) { - tzplatform_context_destroy(tz_ctx); - tz_ctx = nullptr; + std::unique_ptr tz_ctxPtr( + tz_ctx, &tzplatform_context_destroy); + + if (tzplatform_context_set_user(tz_ctxPtr.get(), uid)) return false; - } enum tzplatform_variable id = (uid == getGlobalUserId()) ? TZ_SYS_RW_APP : TZ_USER_APP; - const char *appDir = tzplatform_context_getenv(tz_ctx, id); - if (!appDir) { - tzplatform_context_destroy(tz_ctx); - tz_ctx = nullptr; + const char *appDir = tzplatform_context_getenv(tz_ctxPtr.get(), id); + if (!appDir) return false; - } - userAppDir = appDir; + std::unique_ptr real_pathPtr(realpath(appDir, NULL), free); + if (!real_pathPtr.get()) + return false; - tzplatform_context_destroy(tz_ctx); - tz_ctx = nullptr; + userAppDir.assign(real_pathPtr.get()); return true; } -- 2.7.4 From 46fb8b487d05fc36959e8595c742fc10e5fc2ff2 Mon Sep 17 00:00:00 2001 
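Review bot: `realpath(appDir, NULL)` fails with ENOENT when the configured app directory does not yet exist, so a request the old code validated against the literal TZ_SYS_RW_APP/TZ_USER_APP string now fails, and the only diagnostic is the caller's generic "Failed getting app dir" message; log the cause at the new early return, e.g. `LogError("realpath(" << appDir << ") failed: " << strerror(errno));` (or the project's errno helper) before `return false;`. Canonicalising only the base directory also helps just if the request's app paths are canonicalised the same way before the prefix comparison, which lives outside this hunk; a symlink or `..` component inside a submitted path would otherwise still escape the resolved base. The opening lines of getUserAppDir (context creation) are above the hunk.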
From: Zbigniew Jasinski Date: Thu, 10 Mar 2016 15:46:55 +0100 Subject: [PATCH 15/16] Add installation types (global, local, preloaded). Before this commit installation type was based on UID. With this commit it is possible to set type of installation (global, local, preloaded) during app installation request. If type is not specified, and installation is performed by global user, default 'SM_APP_INSTALL_GLOBAL' type of installation is set. Otherwise installation type is set to 'SM_APP_INSTALL_LOCAL'. New API function avaliable: * int security_manager_app_inst_req_set_install_type(app_inst_req *p_req, const enum app_install_type type) Change-Id: I745da8fc7a7393c360ed6d281a1f729d22bb89e6 --- src/client/client-security-manager.cpp | 20 +++++++++++++++++++- src/cmd/security-manager-cmd.cpp | 13 +++++++++++-- src/common/include/protocols.h | 1 + src/common/include/service_impl.h | 2 +- src/common/service_impl.cpp | 23 ++++++++++++++++------- src/include/app-manager.h | 12 ++++++++++++ src/include/security-manager-types.h | 9 +++++++++ src/server/service/service.cpp | 1 + 8 files changed, 70 insertions(+), 11 deletions(-) diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp index 033fb7f..06ccf05 100644 --- a/src/client/client-security-manager.cpp +++ b/src/client/client-security-manager.cpp @@ -90,6 +90,12 @@ int security_manager_app_inst_req_new(app_inst_req **pp_req) } (*pp_req)->uid = geteuid(); + uid_t globalUid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER); + if ((*pp_req)->uid == 0 || (*pp_req)->uid == globalUid) + (*pp_req)->installationType = static_cast(SM_APP_INSTALL_GLOBAL); + else + (*pp_req)->installationType = static_cast(SM_APP_INSTALL_LOCAL); + return SECURITY_MANAGER_SUCCESS; } 
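Review bot: The default `installationType` is computed once from `geteuid()` in `security_manager_app_inst_req_new`, but the public API lets the caller change the target user afterwards through `security_manager_app_inst_req_set_uid`, so an installer running as root (uid 0, which this hunk maps to SM_APP_INSTALL_GLOBAL) that later sets a normal uid will still send SM_APP_INSTALL_GLOBAL unless it also calls the new setter; unless set_uid recomputes the default (not shown in this patch), derive the default from `p_req->uid` at install time when no explicit type was set, or reset it in set_uid. A comment is also warranted that this default is only a hint, since the client can send any value and the server has to decide what a given caller may install. The allocation and error path of `security_manager_app_inst_req_new` are above the hunk.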
@@ -177,6 +183,17 @@ int security_manager_app_inst_req_add_path(app_inst_req *p_req, const char *path } SECURITY_MANAGER_API +int security_manager_app_inst_req_set_install_type(app_inst_req *p_req, const enum app_install_type type) +{ + if (!p_req || (type <= SM_APP_INSTALL_NONE) || (type >= SM_APP_INSTALL_END)) + return SECURITY_MANAGER_ERROR_INPUT_PARAM; + + p_req->installationType = static_cast(type); + + return SECURITY_MANAGER_SUCCESS; +} + +SECURITY_MANAGER_API int security_manager_app_install(const app_inst_req *p_req) { using namespace SecurityManager; @@ -204,7 +221,8 @@ int security_manager_app_install(const app_inst_req *p_req) p_req->appPaths, p_req->uid, p_req->tizenVersion, - p_req->authorName); + p_req->authorName, + p_req->installationType); //send buffer to server retval = sendToServer(SERVICE_SOCKET, send.Pop(), recv); diff --git a/src/cmd/security-manager-cmd.cpp b/src/cmd/security-manager-cmd.cpp index a1f55e5..0e9b5c5 100644 --- a/src/cmd/security-manager-cmd.cpp +++ b/src/cmd/security-manager-cmd.cpp @@ -55,6 +55,12 @@ static std::map user_type_map = { {"normal", SM_USER_TYPE_NORMAL} }; +static std::map install_type_map = { + {"local", SM_APP_INSTALL_LOCAL}, + {"global", SM_APP_INSTALL_GLOBAL}, + {"preloaded", SM_APP_INSTALL_PRELOADED} +}; + static po::options_description getGenericOptions() { po::options_description opts("Generic options"); @@ -95,6 +101,8 @@ static po::options_description getInstallOptions() "user identifier number (required)") ("author-id,c", po::value(), "unique author's identifier (required for trusted_rw paths)") + ("install-type", po::value(), + "type of installation (local, global, preloaded") ; return opts; } 
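Review bot: The help text for the new `--install-type` option in getInstallOptions is missing its closing parenthesis: `"type of installation (local, global, preloaded"` should read `"type of installation (local, global, preloaded)"`. The accepted values also duplicate the keys of `install_type_map`, so building the list from the map would keep the two from drifting apart (the same may already be done for `user_type_map`, which is not visible here).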
@@ -236,9 +244,10 @@ static void parseInstallOptions(int argc, char *argv[], } if (vm.count("uid")) req.uid = vm["uid"].as(); - if (vm.count("author-id")) { + if (vm.count("author-id")) req.authorName = vm["author-id"].as(); - } + if (vm.count("install-type")) + req.installationType = install_type_map.at(vm["install-type"].as()); } diff --git a/src/common/include/protocols.h b/src/common/include/protocols.h index 940564b..984a5ab 100644 --- a/src/common/include/protocols.h +++ b/src/common/include/protocols.h @@ -40,6 +40,7 @@ struct app_inst_req { uid_t uid; std::string tizenVersion; std::string authorName; + int installationType; }; struct user_req { diff --git a/src/common/include/service_impl.h b/src/common/include/service_impl.h index 296fd83..def5618 100644 --- a/src/common/include/service_impl.h +++ b/src/common/include/service_impl.h @@ -41,7 +41,7 @@ private: static bool isSubDir(const char *parent, const char *subdir); - static bool getUserAppDir(const uid_t &uid, std::string &userAppDir); + static bool getUserAppDir(const uid_t &uid, const app_install_type &installType, std::string &userAppDir); static bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, std::string &appPath); diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp index 2c09ec1..aa731c3 100644 --- a/src/common/service_impl.cpp +++ b/src/common/service_impl.cpp @@ -207,7 +207,7 @@ bool ServiceImpl::isSubDir(const char *parent, const char *subdir) return (*subdir == '/' || *parent == *subdir); } -bool ServiceImpl::getUserAppDir(const uid_t &uid, std::string &userAppDir) +bool ServiceImpl::getUserAppDir(const uid_t &uid, const app_install_type &installType, std::string &userAppDir) { struct tzplatform_context *tz_ctx = nullptr; 
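Review bot: `install_type_map.at(...)` throws `std::out_of_range` for any value other than local/global/preloaded, so a typo on the command line surfaces as an uncaught exception (or at best a generic what() text, if a top-level catch exists outside this hunk) rather than a usage error naming the option; look the value up with `find` and report it through the same program_options error path as other bad arguments. parseInstallOptions continues beyond this hunk.
```cpp
    if (vm.count("install-type")) {
        auto it = install_type_map.find(vm["install-type"].as<std::string>());
        if (it == install_type_map.end())
            throw po::validation_error(po::validation_error::invalid_option_value, "install-type");
        req.installationType = it->second;
    }
```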
@@ -220,8 +220,15 @@ bool ServiceImpl::getUserAppDir(const uid_t &uid, std::string &userAppDir) if (tzplatform_context_set_user(tz_ctxPtr.get(), uid)) return false; - enum tzplatform_variable id = - (uid == getGlobalUserId()) ? TZ_SYS_RW_APP : TZ_USER_APP; + enum tzplatform_variable id; + + if (installType == SM_APP_INSTALL_LOCAL) + id = TZ_USER_APP; + else if (installType == SM_APP_INSTALL_GLOBAL) + id = TZ_SYS_RW_APP; + else + id = TZ_SYS_RO_APP; + const char *appDir = tzplatform_context_getenv(tz_ctxPtr.get(), id); if (!appDir) return false; @@ -241,12 +248,14 @@ bool ServiceImpl::installRequestAuthCheck(const app_inst_req &req, uid_t uid, st std::string userAppDir; std::stringstream correctPath; - if (uid != getGlobalUserId()) - LogDebug("Installation type: single user"); + if (static_cast(req.installationType) == SM_APP_INSTALL_LOCAL) + LogDebug("Installation type: local"); + else if (static_cast(req.installationType) == SM_APP_INSTALL_GLOBAL) + LogDebug("Installation type: global"); else - LogDebug("Installation type: global installation"); + LogDebug("Installation type: preloaded"); - if (!getUserAppDir(uid, userAppDir)) { + if (!getUserAppDir(uid, static_cast(req.installationType), userAppDir)) { LogError("Failed getting app dir for user uid: " << uid); return false; } diff --git a/src/include/app-manager.h b/src/include/app-manager.h index 1d90b6a..b4fb36b 100644 --- a/src/include/app-manager.h +++ b/src/include/app-manager.h 
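Review bot: The `else` branch in getUserAppDir maps every value that is not LOCAL or GLOBAL to TZ_SYS_RO_APP, including SM_APP_INSTALL_NONE (0) and any out-of-range integer arriving over the socket, because installType is produced by a bare `static_cast` from the `int` field deserialized in processAppInstall and nothing in this patch range-checks it on the server side. Spell the preloaded case out and reject everything else: `else if (installType == SM_APP_INSTALL_PRELOADED) id = TZ_SYS_RO_APP;` followed by `else return false;`. The realpath step and the final return of the function are below the hunk.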
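Review bot: installRequestAuthCheck now lets the client-supplied `req.installationType` choose the base directory the app paths are validated against, whereas the removed lines derived it from `getGlobalUserId()`; unless a check outside this hunk ties the type to the requesting uid or its privileges, a non-global caller can ask for SM_APP_INSTALL_GLOBAL or SM_APP_INSTALL_PRELOADED and have paths under TZ_SYS_RW_APP/TZ_SYS_RO_APP accepted. Restore the gate the old code implied before calling getUserAppDir, e.g. `if (type != SM_APP_INSTALL_LOCAL && uid != getGlobalUserId()) { LogError("Installation type not allowed for uid " << uid); return false; }` with `type` the cast value, and decide separately which callers may claim PRELOADED. The remainder of the check (the isSubDir comparison) is outside the hunk.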
@@ -112,6 +112,18 @@ int security_manager_app_inst_req_set_uid(app_inst_req *p_req, int security_manager_app_inst_req_set_author_id(app_inst_req *p_req, const char *author_id); /* + * This function is used to set up installation type (global, local, preloaded). + * If type is not set and if installation is performed by global user, type is set to + * 'SM_APP_INSTALL_GLOBAL'. Otherwise installation type is set to 'SM_APP_INSTALL_LOCAL'. + * + * \param[in] Pointer handling app_inst_req structure + * \param[in] Installation type + * \return API return code or error code + * + */ +int security_manager_app_inst_req_set_install_type(app_inst_req *p_req, const enum app_install_type type); + +/* * This function is used to install application based on * using filled up app_inst_req data structure * diff --git a/src/include/security-manager-types.h b/src/include/security-manager-types.h index 0acf328..df17a5a 100644 --- a/src/include/security-manager-types.h +++ b/src/include/security-manager-types.h @@ -66,6 +66,15 @@ enum app_install_path_type { SECURITY_MANAGER_ENUM_END }; +enum app_install_type : int { + SM_APP_INSTALL_NONE = 0, + SM_APP_INSTALL_LOCAL, + SM_APP_INSTALL_GLOBAL, + SM_APP_INSTALL_PRELOADED, + SM_APP_INSTALL_END +}; +typedef enum app_install_type app_install_type; + /** * This enum has values equivalent to gumd user type. * The gum-utils help states that diff --git a/src/server/service/service.cpp b/src/server/service/service.cpp index 50e5635..d5ac17a 100644 --- a/src/server/service/service.cpp +++ b/src/server/service/service.cpp @@ -175,6 +175,7 @@ void Service::processAppInstall(MessageBuffer &buffer, MessageBuffer &send, uid_ Deserialization::Deserialize(buffer, req.uid); Deserialization::Deserialize(buffer, req.tizenVersion); Deserialization::Deserialize(buffer, req.authorName); + Deserialization::Deserialize(buffer, req.installationType); Serialization::Serialize(send, serviceImpl.appInstall(req, uid)); } -- 2.7.4 
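Review bot: The new comment on security_manager_app_inst_req_set_install_type says the default is GLOBAL when "installation is performed by global user", but security_manager_app_inst_req_new in this patch also picks SM_APP_INSTALL_GLOBAL for uid 0, and the accepted values are not listed; add `The default is computed from the effective uid when the request is created: SM_APP_INSTALL_GLOBAL for root or the global app user, SM_APP_INSTALL_LOCAL otherwise. Valid values are SM_APP_INSTALL_LOCAL, SM_APP_INSTALL_GLOBAL and SM_APP_INSTALL_PRELOADED; anything else returns SECURITY_MANAGER_ERROR_INPUT_PARAM.` and name the first parameter, `\param[in] p_req Pointer to the app_inst_req structure`, to match the rest of the header.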
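Review bot: `enum app_install_type : int` uses a C++11 fixed underlying type, while the neighbouring `enum app_install_path_type` and the `typedef enum app_install_type app_install_type;` idiom suggest this public header is also consumed from C, where `: int` is a syntax error before C23; drop it (`enum app_install_type {`) unless the header is guaranteed C++-only. SM_APP_INSTALL_NONE and SM_APP_INSTALL_END are sentinels used by the range check in the client setter, so a one-line comment such as `/* NONE and END are bounds only, not valid installation types */` would save API users from passing them.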
From fd9f4ae994d3eb48ccf9e7b8d4f9b7900d13637e Mon Sep 17 00:00:00 2001 From: Yunjin Lee Date: Wed, 16 Mar 2016 10:58:11 +0900 Subject: [PATCH 16/16] Add privilege-group mapping for mapservice Change-Id: I36c0a8be95b201176980bf6fed303a48885a01dc Signed-off-by: Yunjin Lee --- packaging/security-manager.spec | 2 +- policy/privilege-group.list | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec index 143f34e..ae8e5db 100644 --- a/packaging/security-manager.spec +++ b/packaging/security-manager.spec @@ -1,6 +1,6 @@ Name: security-manager Summary: Security manager and utilities -Version: 1.1.0 +Version: 1.1.1 Release: 3 Group: Security/Service License: Apache-2.0 diff --git a/policy/privilege-group.list b/policy/privilege-group.list index a5062f8..46c3e1d 100644 --- a/policy/privilege-group.list +++ b/policy/privilege-group.list @@ -9,3 +9,4 @@ http://tizen.org/privilege/recorder priv_recorder http://tizen.org/privilege/mediastorage priv_mediastorage http://tizen.org/privilege/externalstorage priv_externalstorage http://tizen.org/privilege/message.read priv_message_read +http://tizen.org/privilege/mapservice priv_mapservice -- 2.7.4