Add checking user type

non-admin user cannot request operation to other users.

Change-Id: If36ac04c6e7547ca9ecc4b65ab715e81ce96d6ae
Signed-off-by: Sangyoon Jang <s89.jang@samsung.com>

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 8e115b4..7d89a0b 100644 (file)
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -30,6 +30,7 @@ pkg_check_modules(SERVER_DEPS REQUIRED
                libtzplatform-config
                drm-service-core-tizen
                sqlite3
+               libgum
                pkgmgr
                pkgmgr-installer)
 FOREACH(SERVER_FLAGS ${SERVER_DEPS_CFLAGS})

diff --git a/packaging/pkgmgr-server.spec b/packaging/pkgmgr-server.spec
index f1ab500..7c9768d 100644 (file)
--- a/packaging/pkgmgr-server.spec
+++ b/packaging/pkgmgr-server.spec
@@ -25,6 +25,7 @@ BuildRequires:  pkgconfig(pkgmgr)
 BuildRequires:  pkgconfig(pkgmgr-installer)
 BuildRequires:  pkgconfig(drm-service-core-tizen)
 BuildRequires:  pkgconfig(sqlite3)
+BuildRequires:  pkgconfig(libgum)
 BuildRequires:  pkgmgr-info-parser-devel
 BuildRequires:  pkgmgr-info-parser
 BuildRequires:  fdupes

diff --git a/src/request.c b/src/request.c
index 9acbed0..70a7182 100644 (file)
--- a/src/request.c
+++ b/src/request.c
@@ -4,6 +4,8 @@
 
 #include <glib.h>
 #include <gio/gio.h>
+#include <gum/gum-user.h>
+#include <gum/common/gum-user-types.h>
 
 #include "pm-queue.h"
 #include "pkgmgr-server.h"
@@ -179,6 +181,69 @@ static char *__generate_reqkey(const char *pkgid)
        return str_req_key;
 }
 
+static int __is_admin_user(uid_t uid)
+{
+       GumUser *guser;
+       GumUserType ut = GUM_USERTYPE_NONE;
+
+       guser = gum_user_get_sync(uid, FALSE);
+       if (guser == NULL) {
+               ERR("cannot get user information from gumd");
+               return -1;
+       }
+
+       g_object_get(G_OBJECT(guser), "usertype", &ut, NULL);
+       if (ut == GUM_USERTYPE_NONE) {
+               ERR("cannot get user type");
+               g_object_unref(guser);
+               return -1;
+       } else if (ut != GUM_USERTYPE_ADMIN) {
+               g_object_unref(guser);
+               return 0;
+       }
+
+       g_object_unref(guser);
+
+       return 1;
+}
+
+static int __check_caller_permission(uid_t uid,
+               GDBusMethodInvocation *invocation, GVariant *parameters)
+{
+       GVariant *v;
+       uid_t target_uid;
+       int is_admin;
+
+       v = g_variant_get_child_value(parameters, 0);
+       if (v == NULL) {
+               g_dbus_method_invocation_return_error_literal(invocation,
+                               G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
+                               "Internal error.");
+               return -1;
+       }
+
+       target_uid = g_variant_get_uint32(v);
+       g_variant_unref(v);
+       if (uid == target_uid)
+               return 0;
+
+       is_admin = __is_admin_user(uid);
+       if (is_admin == -1) {
+               g_dbus_method_invocation_return_error_literal(invocation,
+                               G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
+                               "Internal error.");
+               return -1;
+       } else if (is_admin == 0) {
+               g_dbus_method_invocation_return_error_literal(invocation,
+                               G_DBUS_ERROR, G_DBUS_ERROR_ACCESS_DENIED,
+                               "Non-admin user cannot request operation to "
+                               "other users.");
+               return -1;
+       }
+
+       return 0;
+}
+
 static int __handle_request_install(uid_t uid,
                GDBusMethodInvocation *invocation, GVariant *parameters)
 {
@@ -1030,6 +1095,9 @@ static void __handle_method_call(GDBusConnection *connection,
        if (uid == (uid_t)-1)
                return;
 
+       if (__check_caller_permission(uid, invocation, parameters))
+               return;
+
        if (g_strcmp0(method_name, "install") == 0)
                ret = __handle_request_install(uid, invocation, parameters);
        else if (g_strcmp0(method_name, "reinstall") == 0)