2 * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
21 #include <sys/capability.h>
22 #include <sys/types.h>
25 #include <privilege-control.h>
27 #include "access_control.h"
29 #include "simple_util.h"
// Target identity and environment that setWLDPrivilege() applies to the process:
// APP_USER_NAME and APP_HOME_DIR are exported as USER and HOME via setenv().
32 const char* const APP_USER_NAME = "app";
33 const char* const APP_HOME_DIR = "/home/app";
// Opened read-only by setWLDPrivilege(); each line is parsed as a decimal gid and
// the resulting list is passed to setgroups().
// NOTE(review): the contents of this file decide the supplementary groups of the
// de-privileged process, so it should be writable by root only. The path also
// pins a privilege-control version (2.2.1). Confirm both against packaging.
34 const char* const APP_GROUP_PATH = "/usr/share/privilege-control/2.2.1/app_group_list";
// Passed to setuid() / setgid() in setWLDPrivilege().
// NOTE(review): declared as int although the callees take uid_t / gid_t.
35 const int APP_UID = 5000;
36 const int APP_GID = 5000;
37 } // anonymous namespace
// Applies the privilege-control policy for a package by delegating to
// perm_app_set_privilege() and returning its result unchanged.
// pkg_name, pkg_type and app_path are forwarded as-is; no null or content check
// is done at this layer.
// NOTE(review): a second definition with the identical signature follows this
// one, so the two are presumably selected by a preprocessor conditional that
// this listing does not show. Confirm which variant production builds compile.
41 int AccessControl::setPriviledge(const char* pkg_name, const char* pkg_type, const char* app_path)
43 return perm_app_set_privilege(pkg_name, pkg_type, app_path);
// Alternate definition of setPriviledge() with the same signature as the
// perm_app_set_privilege()-backed one; its body is not visible in this listing.
// NOTE(review): presumably the variant built when libprivilege-control is not
// used. If it reports success without applying any policy, callers cannot tell
// "privilege set" from "nothing enforced". Confirm, and consider logging that
// case.
48 int AccessControl::setPriviledge(const char* pkg_name, const char* pkg_type, const char* app_path)
// Switches the calling process to the app identity: reads supplementary group
// ids from APP_GROUP_PATH, installs them with setgroups(), then calls
// setgid(APP_GID), setuid(APP_UID) and finally exports USER and HOME.
// The declarations, return statements and braces between the numbered lines
// are not visible in this listing, so remarks about error paths are hedged.
55 int AccessControl::setWLDPrivilege(void)
57 WrtLogD("setAccessForWLD");
// NOTE(review): every exit after a successful fopen() needs a matching
// fclose(fp); the close is not visible here, so confirm.
61 if(!(fp = fopen(APP_GROUP_PATH, "r"))) {
62 WrtLogE("fopen failed.");
// fgets() stores at most 9 characters plus the terminating NUL per call.
// NOTE(review): the size is the literal 10 rather than sizeof(buf); buf's
// declaration is not visible, so confirm it holds at least 10 bytes. A line
// longer than 9 characters is split across iterations and each fragment is
// parsed as its own gid.
69 while(fgets(buf, 10, fp) != NULL) {
// Base-10 parse with no end pointer (second argument 0), so text after the
// digits is ignored and a line with no digits converts to 0.
// NOTE(review): gid 0 is root's group. The condition guarding the error log
// below is not visible; confirm that a blank or malformed line is rejected
// rather than appended as group 0 (check errno and an end pointer).
71 gid_t temp = strtoul(buf, 0, 10);
73 WrtLogE("Cannot change string to integer: %s", buf);
// Grows the list by one element per parsed line.
// NOTE(review): assigning realloc()'s result straight back to glist discards
// the old pointer when realloc() fails, so the previous buffer can no longer
// be freed on the error path; use a temporary.
77 glist = (gid_t*)realloc(glist, sizeof(gid_t) * (cnt + 1));
79 WrtLogE("Cannot allocate memory");
// Supplementary groups are replaced before the gid/uid switch, while the
// process is still allowed to call setgroups().
// NOTE(review): glist should be freed after this call on both the success and
// the failure path; the free is not visible here.
89 if(setgroups(cnt, glist) != 0) {
90 WrtLogE("setgroups failed");
98 // setuid() & setgid()
// The gid is changed first: once the uid has been dropped, the process would
// generally no longer be permitted to change its gid.
99 if(setgid(APP_GID) != 0) {
100 WrtLogE("Failed to execute setgid().");
// NOTE(review): nothing visible verifies afterwards that the drop cannot be
// reversed (for example that regaining uid 0 fails); consider asserting it.
103 if(setuid(APP_UID) != 0) {
104 WrtLogE("Failed to execute setuid().");
// Third argument 1: overwrite any USER / HOME value inherited from the parent.
109 if(setenv("USER", APP_USER_NAME, 1) != 0) {
110 WrtLogE("Failed to execute setenv() USER");
113 if(setenv("HOME", APP_HOME_DIR, 1) != 0) {
114 WrtLogE("Failed to execute setenv() HOME");
// Rewrites the capability sets of the current process with capget()/capset():
// CAP_MAC_ADMIN is added to the inheritable set, and CAP_MAC_ADMIN and
// CAP_SETPCAP are cleared from the permitted and effective sets.
// The listing omits lines between the numbered statements and shows nothing
// after the capset() error log, so cleanup and return values cannot be
// checked here.
131 int AccessControl::setWLDCapability(void)
133 cap_user_header_t header;
134 cap_user_data_t data;
136 header = static_cast<cap_user_header_t>(malloc(sizeof(*header)));
137 if (header == NULL) {
138 WrtLogE("memory allocation error");
// Zero-initialised array with one element per 32-bit capability word of the
// v3 ABI. The arguments are in (size, count) order rather than calloc()'s
// (count, size); the total allocated is the same.
// NOTE(review): if this allocation fails, header must be freed before
// returning; that free is not visible here.
142 data = static_cast<cap_user_data_t>(calloc(sizeof(*data), _LINUX_CAPABILITY_U32S_3));
144 WrtLogE("memory allocation error");
// Target the calling process itself, using the version 3 capability ABI.
149 header->pid = getpid();
150 header->version = _LINUX_CAPABILITY_VERSION_3;
152 // read already granted capabilities of this process
153 if (capget(header, data) < 0) {
154 WrtLogE("capget error");
160 // set only inheritable bit for CAP_MAC_ADMIN to '1'
// Presumably so that CAP_MAC_ADMIN can be regained only by a later exec of a
// binary that is itself marked for it; confirm against the launch flow.
161 data[CAP_TO_INDEX(CAP_MAC_ADMIN)].inheritable |= CAP_TO_MASK(CAP_MAC_ADMIN);
163 // remove capabilities not needed any more
// Clearing a bit from the permitted set is one-way for this process: it
// cannot raise that bit again without an exec.
164 data[CAP_TO_INDEX(CAP_MAC_ADMIN)].permitted &= ~CAP_TO_MASK(CAP_MAC_ADMIN);
165 data[CAP_TO_INDEX(CAP_MAC_ADMIN)].effective &= ~CAP_TO_MASK(CAP_MAC_ADMIN);
// Without CAP_SETPCAP the process can no longer add capabilities to its
// inheritable set beyond those already in its permitted set.
166 data[CAP_TO_INDEX(CAP_SETPCAP)].permitted &= ~CAP_TO_MASK(CAP_SETPCAP);
167 data[CAP_TO_INDEX(CAP_SETPCAP)].effective &= ~CAP_TO_MASK(CAP_SETPCAP);
// NOTE(review): header and data need freeing on this failure path and on
// success; neither free is visible here. Also confirm the call order relative
// to setWLDPrivilege(): changing the uid from 0 to non-zero by default clears
// the permitted and effective sets, so the order affects what is left.
170 if (capset(header, data) < 0) {
171 WrtLogE("capset error");