# (Re)loads security-manager's Cynara policy — default buckets, bucket links,
# per-user-type profile buckets, the MANIFESTS defaults for non-app clients —
# and rewrites the privilege->group mapping table in the security-manager DB.
# NOTE(review): this listing is partial. The `do`/`done` lines, the heredoc or
# file redirections that feed each `while read` loop, and the opening `(` of
# the SQL group are not visible, so control flow is described below only as
# far as the shown lines support it.
3 POLICY_PATH=/usr/share/security-manager/policy
4 PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list
# DB path is derived from tzplatform-get's "TZ_SYS_DB=<dir>" output. Nothing
# checks that the command succeeded: if it fails or prints nothing, DB_FILE
# silently becomes "/.security-manager.db" and the SQL at the bottom is run
# against that path anyway. Backticks/unquoted substitution are legacy style;
# "$(...)" plus an explicit non-empty check would be the defensive form.
5 DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db
7 # Create default buckets
# Input (presumably "<bucket> <default-policy>" pairs from a heredoc) is not
# visible here. `read` without -r interprets backslashes in the input.
8 while read bucket default_policy
10 # Reuse the primary bucket for PRIVACY_MANAGER bucket
# The empty string is the name cyad uses for the primary/default bucket, so
# PRIVACY_MANAGER entries are folded into it rather than creating a new one.
11 [ "$bucket" = "PRIVACY_MANAGER" ] && bucket=""
12 cyad --set-bucket="$bucket" --type="$default_policy"
20 # Link buckets together
21 while read bucket_src bucket_dst
23 # Reuse the main bucket for PRIVACY_MANAGER bucket
24 [ "$bucket_src" = "PRIVACY_MANAGER" ] && bucket_src=""
# Wildcard BUCKET-type policy (client/user/privilege = "*"): every lookup that
# reaches bucket_src is delegated to bucket_dst.
25 cyad --set-policy --client="*" --user="*" --privilege="*" --type=BUCKET \
26 --bucket="$bucket_src" --metadata="$bucket_dst"
32 # Import user-type policies
# find output is consumed line by line (the `while read file` stage between
# these lines is not visible); a profile path containing a newline would be
# mis-split. Only files under POLICY_PATH are considered.
33 find "$POLICY_PATH" -name "usertype-*.profile" |
# Bucket name is derived from the file name: usertype-<x>.profile ->
# USER_TYPE_<X>. `\U` (uppercase) is a GNU sed extension. `echo $file` is
# unquoted, so a path containing whitespace or glob characters is word-split /
# globbed before sed sees it; "$file" would avoid that.
36 bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\U\1|'`"
38 # Re-create the bucket with empty contents
# `|| true` is deliberate: the bucket does not exist on a fresh install and
# delete-bucket failing must not abort the reload. $bucket is unquoted on
# these two lines, unlike its quoted uses on lines 44 and 51.
39 cyad --delete-bucket=$bucket || true
40 cyad --set-bucket=$bucket --type=DENY
42 # Link the bucket to ADMIN bucket
# Anything not matched in this user-type bucket falls through to ADMIN.
43 cyad --set-policy --client="*" --user="*" --privilege="*" --type=BUCKET \
44 --bucket="$bucket" --metadata="ADMIN"
# Profile contents are presumably "<app> <privilege>" pairs fed to this loop
# (the redirection is not visible). Each pair becomes one ALLOW record in
# cyad's bulk (semicolon-separated) input.
47 while read app privilege
49 user="*" # Match any user id
50 policy="0xFFFF" # ALLOW (FIXME: cyad should parse policy names, not numeric values)
# Record layout emitted here is bucket;user;app;privilege;policy.
# NOTE(review): confirm this column order matches what cyad's --bulk parser
# expects (cyad's --set-policy options list client before user). A ';' inside
# any field would corrupt the record; the profiles are installed content under
# POLICY_PATH, so they are trusted as such — do not feed user-writable files.
51 printf '%s;%s;%s;%s;%s;\n' "$bucket" "$user" "$app" "$privilege" "$policy"
# Reads the records produced above from stdin as one batch.
53 cyad --set-policy --bulk=-
56 # Non-application programs get access to all privileges
# Security-relevant: for the "User" and "System" clients these are blanket
# ALLOW rules over every user and every privilege in the MANIFESTS bucket.
57 for client in User System
59 cyad --set-policy --bucket=MANIFESTS --client="$client" --user="*" --privilege="*" --type=ALLOW
62 # Load privilege-group mappings
# The SQL below is generated inside a (...) group whose opening line is not
# visible; the whole group's stdout is piped to one sqlite3 invocation.
65 echo "DELETE FROM privilege_group;"
# Only lines that *start* with '#' are dropped: an indented comment or a
# trailing "# ..." after a mapping survives (read puts the rest of the line
# into $group). A blank line makes read succeed with empty fields, producing
# an INSERT of ('', '').
66 grep -v '^#' "$PRIVILEGE_GROUP_MAPPING" |
67 while read privilege group
# Values are interpolated unescaped into SQL string literals: a single quote
# in either field breaks, or alters, the statement. This is only acceptable
# because the mapping file is root-installed content under POLICY_PATH; never
# point PRIVILEGE_GROUP_MAPPING at a path writable by other users.
69 echo "INSERT INTO privilege_group_view (privilege_name, group_name) VALUES ('$privilege', '$group');"
# No BEGIN/COMMIT is visible, so the DELETE and each INSERT autocommit
# separately; a failure mid-batch leaves the table partially reloaded, and
# sqlite3's exit status is not checked here.
72 ) | sqlite3 "$DB_FILE"