2 * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
4 * Contact: Rafal Krypa <r.krypa@samsung.com>
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License
20 * @author Rafal Krypa <r.krypa@samsung.com>
21 * @brief Wrapper class for Cynara interface
24 #ifndef _SECURITY_MANAGER_CYNARA_
25 #define _SECURITY_MANAGER_CYNARA_
27 #include <cynara-client.h>
28 #include <cynara-admin.h>
29 #include <dpl/exception.h>
34 namespace SecurityManager {
51 DECLARE_EXCEPTION_TYPE(SecurityManager::Exception, Base)
52 DECLARE_EXCEPTION_TYPE(Base, OutOfMemory)
53 DECLARE_EXCEPTION_TYPE(Base, InvalidParam)
54 DECLARE_EXCEPTION_TYPE(Base, ServiceNotAvailable)
55 DECLARE_EXCEPTION_TYPE(Base, UnknownError)
58 struct CynaraAdminPolicy : cynara_admin_policy
60 enum class Operation {
61 Deny = CYNARA_ADMIN_DENY,
62 Allow = CYNARA_ADMIN_ALLOW,
63 Delete = CYNARA_ADMIN_DELETE,
64 Bucket = CYNARA_ADMIN_BUCKET,
67 CynaraAdminPolicy(const std::string &client, const std::string &user,
68 const std::string &privilege, Operation operation,
69 const std::string &bucket = std::string(CYNARA_ADMIN_DEFAULT_BUCKET));
71 CynaraAdminPolicy(const std::string &client, const std::string &user,
72 const std::string &privilege, const std::string &goToBucket,
73 const std::string &bucket = std::string(CYNARA_ADMIN_DEFAULT_BUCKET));
75 /* Don't provide copy constructor, it would cause pointer trouble. */
76 CynaraAdminPolicy(const CynaraAdminPolicy &that) = delete;
78 /* Move constructor is the way to go. */
79 CynaraAdminPolicy(CynaraAdminPolicy &&that);
88 typedef std::map<Bucket, const std::string > BucketsMap;
89 static BucketsMap Buckets;
91 virtual ~CynaraAdmin();
93 static CynaraAdmin &getInstance();
96 * Update Cynara policies.
97 * Caller must have permission to access Cynara administrative socket.
99 * @param policies vector of CynaraAdminPolicy objects to send to Cynara
101 void SetPolicies(const std::vector<CynaraAdminPolicy> &policies);
104 * Update Cynara policies for the package and the user, using two vectors
105 * of privileges: privileges set before (and already enabled in Cynara)
106 * and new privileges, to be set in Cynara.
107 * Difference will be calculated, removing old unneeded privileges and
108 * adding new, previously not enabled privileges.
109 * Caller must have permission to access Cynara administrative socket.
111 * @param label application Smack label
112 * @param user user identifier
113 * @param oldPrivileges previously enabled privileges for the package.
114 * Must be sorted and without duplicates.
115 * @param newPrivileges currently enabled privileges for the package.
116 * Must be sorted and without duplicates.
118 * TODO: drop oldPrivileges argument and get them directly from Cynara.
119 * Appropriate Cynara interface is needed first.
121 void UpdateAppPolicy(const std::string &label, const std::string &user,
122 const std::vector<std::string> &oldPrivileges,
123 const std::vector<std::string> &newPrivileges);
127 struct cynara_admin *m_CynaraAdmin;
135 static Cynara &getInstance();
138 * Ask Cynara for permission.
140 * @param label application Smack label
141 * @param privilege privilege identifier
142 * @param user user identifier (uid)
143 * @param session session identifier
144 * @return true if access is permitted, false if denied
146 bool check(const std::string &label, const std::string &privilege,
147 const std::string &user, const std::string &session);
151 struct cynara *m_Cynara;
155 } // namespace SecurityManager
157 #endif // _SECURITY_MANAGER_CYNARA_