Add tool for initialization of Cynara policy structure 02/34002/5
authorRafal Krypa <r.krypa@samsung.com>
Thu, 22 Jan 2015 10:28:49 +0000 (11:28 +0100)
committerRafal Krypa <r.krypa@samsung.com>
Thu, 22 Jan 2015 10:50:05 +0000 (11:50 +0100)
Program security-manager-policy-reload will (re)initialize Cynara buckets
structure and static bucket contents for user types.
Run this program from %post script of security-manager-policy to initialize
Cynara policy during installation.

Change-Id: Ibe78b9d969ff91dcf96b4805fff5884ddb3157f6

CMakeLists.txt
packaging/security-manager.spec
policy/CMakeLists.txt [new file with mode: 0644]
policy/security-manager-policy-reload [new file with mode: 0755]

index 1c5b171..28790d8 100644 (file)
@@ -62,3 +62,4 @@ ADD_SUBDIRECTORY(src)
 ADD_SUBDIRECTORY(pc)
 ADD_SUBDIRECTORY(systemd)
 ADD_SUBDIRECTORY(db)
+ADD_SUBDIRECTORY(policy)
index 0da2e95..b39e24a 100644 (file)
@@ -48,6 +48,7 @@ Development files needed for using the security manager client
 Summary:    Security manager policy
 Group:      Security/Development
 Requires:   security-manager = %{version}-%{release}
+Requires:   cyad
 
 %description -n security-manager-policy
 Set of security rules that constitute security policy in the system
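Review bot: The added `Requires:   cyad` does not order installation relative to the `%post policy` scriptlet added further down in this file (the hunk at `%post policy`), so in a transaction that installs both packages `security-manager-policy-reload` can run before cyad is unpacked; with the script's `#!/bin/sh -e` that aborts the package install. Scriptlet dependencies are declared separately in RPM, so add `Requires(post): cyad` next to the existing line (the plain `Requires:` can stay for runtime use). The same ordering consideration applies to the `%post policy` hunk itself, which calls `%{_bindir}/security-manager-policy-reload` unconditionally.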
@@ -81,8 +82,6 @@ cp LICENSE %{buildroot}%{_datadir}/license/%{name}
 cp LICENSE %{buildroot}%{_datadir}/license/libsecurity-manager-client
 mkdir -p %{buildroot}/%{TZ_SYS_SMACK}
 cp app-rules-template.smack %{buildroot}/%{TZ_SYS_SMACK}
-mkdir -p %{buildroot}%{_datadir}/security-manager
-cp -rf policy %{buildroot}%{_datadir}/security-manager
 %make_install
 
 mkdir -p %{buildroot}/%{_unitdir}/multi-user.target.wants
@@ -125,6 +124,9 @@ fi
 
 %postun -n libsecurity-manager-client -p /sbin/ldconfig
 
+%post policy
+%{_bindir}/security-manager-policy-reload
+
 %files -n security-manager
 %manifest security-manager.manifest
 %defattr(-,root,root,-)
@@ -161,3 +163,4 @@ fi
 %files -n security-manager-policy
 %manifest %{name}.manifest
 %{_datadir}/security-manager/policy
+%attr(755,root,root) %{_bindir}/security-manager-policy-reload
diff --git a/policy/CMakeLists.txt b/policy/CMakeLists.txt
new file mode 100644 (file)
index 0000000..1d35a3f
--- /dev/null
@@ -0,0 +1,3 @@
+FILE(GLOB USERTYPE_POLICY_FILES usertype-*.profile)
+INSTALL(FILES ${USERTYPE_POLICY_FILES} DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy)
+INSTALL(PROGRAMS security-manager-policy-reload DESTINATION ${BIN_INSTALL_DIR})
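Review bot: `FILE(GLOB USERTYPE_POLICY_FILES usertype-*.profile)` fixes the installed file list at configure time, so a `usertype-*.profile` added later is silently not installed until cmake is re-run; an explicit file list (or, if the glob is kept, `CONFIGURE_DEPENDS` where the project's minimum CMake version allows it) makes additions visible in review. The install destination `${SHARE_INSTALL_PREFIX}/security-manager/policy` is also independent of the path the new script hard-codes (`USERTYPE_POLICY_PATH=/usr/share/security-manager/policy` in policy/security-manager-policy-reload), so a non-default `SHARE_INSTALL_PREFIX` installs the profiles where the reload tool will not look for them. Generating the script from a template keeps the two in step: `CONFIGURE_FILE(security-manager-policy-reload.in ${CMAKE_CURRENT_BINARY_DIR}/security-manager-policy-reload @ONLY)`, with `USERTYPE_POLICY_PATH=@SHARE_INSTALL_PREFIX@/security-manager/policy` in the template, and `INSTALL(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/security-manager-policy-reload DESTINATION ${BIN_INSTALL_DIR})`. Neither `SHARE_INSTALL_PREFIX` nor `BIN_INSTALL_DIR` is defined in this file, so they are presumably provided by the parent CMakeLists.txt.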
diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload
new file mode 100755 (executable)
index 0000000..807daf3
--- /dev/null
@@ -0,0 +1,52 @@
+#!/bin/sh -e
+
+USERTYPE_POLICY_PATH=/usr/share/security-manager/policy
+
+# Create default buckets
+while read bucket default_policy
+do
+    # Reuse the main bucket for PRIVACY_MANAGER bucket
+    [ "$bucket" = "PRIVACY_MANAGER" ] && bucket=""
+    cyad --set-bucket="$bucket" --type="$default_policy"
+done <<END
+PRIVACY_MANAGER DENY
+ADMIN NONE
+MAIN DENY
+MANIFESTS DENY
+END
+
+# Link buckets together
+while read bucket_src bucket_dst
+do
+    # Reuse the main bucket for PRIVACY_MANAGER bucket
+    [ "$bucket_src" = "PRIVACY_MANAGER" ] && bucket_src=""
+    cyad --set-policy --client="*" --user="*" --privilege="*" --type=BUCKET \
+        --bucket="$bucket_src" --metadata="$bucket_dst"
+done <<END
+MAIN MANIFESTS
+PRIVACY_MANAGER MAIN
+END
+
+# Import user-type policies
+find "$USERTYPE_POLICY_PATH" -name "usertype-*.profile" |
+while read file
+do
+    bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\U\1|'`"
+
+    # Re-create the bucket with empty contents
+    cyad --delete-bucket=$bucket || true
+    cyad --set-bucket=$bucket --type=DENY
+
+    # Link the bucket to ADMIN bucket
+    cyad --set-policy --client="*" --user="*" --privilege="*" --type=BUCKET \
+        --bucket="$bucket" --metadata="ADMIN"
+
+    grep -v ^\' $file |
+    while read app privilege
+    do
+        user="*"        # Match any user id
+        policy="0xFFFF" # ALLOW (FIXME: cyad should parse policy names, not numeric values)
+        printf '%s;%s;%s;%s;%s;\n' "$bucket" "$user" "$app" "$privilege" "$policy"
+    done |
+    cyad --set-policy --bulk=-
+done
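Review bot: `$file` and `$bucket` are expanded unquoted in `echo $file | sed ...`, `cyad --delete-bucket=$bucket`, `cyad --set-bucket=$bucket --type=DENY` and `grep -v ^\' $file`, while the same values are quoted in the `--set-policy` call a few lines below; a path containing whitespace or glob characters would be word-split or expanded, and `echo` may mangle a name that starts with `-`. Quote them consistently and derive the name with printf, e.g. `bucket="$(printf '%s\n' "$file" | sed -r 's|.*/usertype-(.*)\.profile$|USER_TYPE_\U\1|')"`, `cyad --delete-bucket="$bucket" || true`, `grep -v "^'" "$file" |`; `read -r file` likewise keeps backslashes in names intact. The bucket derivation relies on GNU sed extensions (`-r` and `\U`), which is fine if the target image only ships GNU sed but deserves a comment above that line: `# GNU sed: -r and \U are not POSIX`. The script also runs from the package's %post scriptlet as root, so each loop body should stay restricted to the package-owned `usertype-*.profile` files as it is now; `find` without `-maxdepth 1 -type f` would additionally descend into any subdirectory created under that path.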