2 * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
4 * Contact: Rafal Krypa <r.krypa@samsung.com>
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License
20 * @author Rafal Krypa <r.krypa@samsung.com>
21 * @brief Wrapper class for Cynara interface
24 #ifndef _SECURITY_MANAGER_CYNARA_
25 #define _SECURITY_MANAGER_CYNARA_
27 #include <cynara-client.h>
28 #include <cynara-admin.h>
29 #include <dpl/exception.h>
34 #include "security-manager.h"
36 namespace SecurityManager {
53 DECLARE_EXCEPTION_TYPE(SecurityManager::Exception, Base)
54 DECLARE_EXCEPTION_TYPE(Base, OutOfMemory)
55 DECLARE_EXCEPTION_TYPE(Base, InvalidParam)
56 DECLARE_EXCEPTION_TYPE(Base, ServiceNotAvailable)
57 DECLARE_EXCEPTION_TYPE(Base, UnknownError)
60 struct CynaraAdminPolicy : cynara_admin_policy
62 enum class Operation {
63 Deny = CYNARA_ADMIN_DENY,
64 Allow = CYNARA_ADMIN_ALLOW,
65 Delete = CYNARA_ADMIN_DELETE,
66 Bucket = CYNARA_ADMIN_BUCKET,
69 CynaraAdminPolicy(const std::string &client, const std::string &user,
70 const std::string &privilege, Operation operation,
71 const std::string &bucket = std::string(CYNARA_ADMIN_DEFAULT_BUCKET));
73 CynaraAdminPolicy(const std::string &client, const std::string &user,
74 const std::string &privilege, const std::string &goToBucket,
75 const std::string &bucket = std::string(CYNARA_ADMIN_DEFAULT_BUCKET));
77 /* Don't provide copy constructor, it would cause pointer trouble. */
78 CynaraAdminPolicy(const CynaraAdminPolicy &that) = delete;
80 /* Move constructor is the way to go. */
81 CynaraAdminPolicy(CynaraAdminPolicy &&that);
90 typedef std::map<Bucket, const std::string > BucketsMap;
91 static BucketsMap Buckets;
93 virtual ~CynaraAdmin();
95 static CynaraAdmin &getInstance();
98 * Update Cynara policies.
99 * Caller must have permission to access Cynara administrative socket.
101 * @param policies vector of CynaraAdminPolicy objects to send to Cynara
103 void SetPolicies(const std::vector<CynaraAdminPolicy> &policies);
106 * Update Cynara policies for the package and the user, using two vectors
107 * of privileges: privileges set before (and already enabled in Cynara)
108 * and new privileges, to be set in Cynara.
109 * Difference will be calculated, removing old unneeded privileges and
110 * adding new, previously not enabled privileges.
111 * Caller must have permission to access Cynara administrative socket.
113 * @param label application Smack label
114 * @param user user identifier
115 * @param oldPrivileges previously enabled privileges for the package.
116 * Must be sorted and without duplicates.
117 * @param newPrivileges currently enabled privileges for the package.
118 * Must be sorted and without duplicates.
120 * TODO: drop oldPrivileges argument and get them directly from Cynara.
121 * Appropriate Cynara interface is needed first.
123 void UpdateAppPolicy(const std::string &label, const std::string &user,
124 const std::vector<std::string> &oldPrivileges,
125 const std::vector<std::string> &newPrivileges);
128 * Depending on user type, create link between MAIN bucket and appropriate
129 * USER_TYPE_* bucket for newly added user uid to apply permissions for that
131 * @throws CynaraException::InvalidParam.
133 * @param uid new user uid
134 * @param userType type as enumerated in security-manager.h
136 void UserInit(uid_t uid, security_manager_user_type userType);
140 struct cynara_admin *m_CynaraAdmin;
148 static Cynara &getInstance();
151 * Ask Cynara for permission.
153 * @param label application Smack label
154 * @param privilege privilege identifier
155 * @param user user identifier (uid)
156 * @param session session identifier
157 * @return true if access is permitted, false if denied
159 bool check(const std::string &label, const std::string &privilege,
160 const std::string &user, const std::string &session);
164 struct cynara *m_Cynara;
168 } // namespace SecurityManager
170 #endif // _SECURITY_MANAGER_CYNARA_