2 * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
4 * Contact: Rafal Krypa <r.krypa@samsung.com>
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License
20 * @author Rafal Krypa <r.krypa@samsung.com>
21 * @brief Wrapper class for Cynara interface
24 #ifndef _SECURITY_MANAGER_CYNARA_
25 #define _SECURITY_MANAGER_CYNARA_
27 #include <cynara-client.h>
28 #include <cynara-admin.h>
29 #include <dpl/exception.h>
32 namespace SecurityManager {
37 DECLARE_EXCEPTION_TYPE(SecurityManager::Exception, Base)
38 DECLARE_EXCEPTION_TYPE(Base, OutOfMemory)
39 DECLARE_EXCEPTION_TYPE(Base, InvalidParam)
40 DECLARE_EXCEPTION_TYPE(Base, ServiceNotAvailable)
41 DECLARE_EXCEPTION_TYPE(Base, UnknownError)
44 struct CynaraAdminPolicy : cynara_admin_policy
46 enum class Operation {
47 Deny = CYNARA_ADMIN_DENY,
48 Allow = CYNARA_ADMIN_ALLOW,
49 Delete = CYNARA_ADMIN_DELETE,
50 Bucket = CYNARA_ADMIN_BUCKET,
53 CynaraAdminPolicy(const std::string &client, const std::string &user,
54 const std::string &privilege, Operation operation,
55 const std::string &bucket = std::string(CYNARA_ADMIN_DEFAULT_BUCKET));
57 CynaraAdminPolicy(const std::string &client, const std::string &user,
58 const std::string &privilege, const std::string &goToBucket,
59 const std::string &bucket = std::string(CYNARA_ADMIN_DEFAULT_BUCKET));
61 /* Don't provide copy constructor, it would cause pointer trouble. */
62 CynaraAdminPolicy(const CynaraAdminPolicy &that) = delete;
64 /* Move constructor is the way to go. */
65 CynaraAdminPolicy(CynaraAdminPolicy &&that);
73 virtual ~CynaraAdmin();
75 static CynaraAdmin &getInstance();
78 * Update Cynara policies.
79 * Caller must have permission to access Cynara administrative socket.
81 * @param policies vector of CynaraAdminPolicy objects to send to Cynara
83 void SetPolicies(const std::vector<CynaraAdminPolicy> &policies);
86 * Update Cynara policies for the package and the user, using two vectors
87 * of privileges: privileges set before (and already enabled in Cynara)
88 * and new privileges, to be set in Cynara.
89 * Difference will be calculated, removing old unneeded privileges and
90 * adding new, previously not enabled privileges.
91 * Caller must have permission to access Cynara administrative socket.
93 * @param label application Smack label
94 * @param user user identifier
95 * @param oldPrivileges previously enabled privileges for the package.
96 * Must be sorted and without duplicates.
97 * @param newPrivileges currently enabled privileges for the package.
98 * Must be sorted and without duplicates.
100 * TODO: drop oldPrivileges argument and get them directly from Cynara.
101 * Appropriate Cynara interface is needed first.
103 static void UpdatePackagePolicy(const std::string &label, const std::string &user,
104 const std::vector<std::string> &oldPrivileges,
105 const std::vector<std::string> &newPrivileges);
109 struct cynara_admin *m_CynaraAdmin;
117 static Cynara &getInstance();
120 * Ask Cynara for permission.
122 * @param label application Smack label
123 * @param privilege privilege identifier
124 * @param user user identifier (uid)
125 * @param session session identifier
126 * @return true if access is permitted, false if denied
128 bool check(const std::string &label, const std::string &privilege,
129 const std::string &user, const std::string &session);
133 struct cynara *m_Cynara;
137 } // namespace SecurityManager
139 #endif // _SECURITY_MANAGER_CYNARA_