CREATE TABLE IF NOT EXISTS privilege_group (
privilege_id INTEGER NOT NULL,
-name VARCHAR NOT NULL,
-PRIMARY KEY (privilege_id, name),
+group_name VARCHAR NOT NULL,
+PRIMARY KEY (privilege_id, group_name),
FOREIGN KEY (privilege_id) REFERENCES privilege (privilege_id)
);
SELECT
privilege_id,
privilege.name as privilege_name,
- privilege_group.name
+ privilege_group.group_name
FROM privilege_group
LEFT JOIN privilege USING (privilege_id);
+DROP TRIGGER IF EXISTS privilege_group_view_insert_trigger;
+CREATE TRIGGER privilege_group_view_insert_trigger
+INSTEAD OF INSERT ON privilege_group_view
+BEGIN
+ INSERT OR IGNORE INTO privilege(name) VALUES (NEW.privilege_name);
+ INSERT OR IGNORE INTO privilege_group(privilege_id, group_name) VALUES ((SELECT privilege_id FROM privilege WHERE name=NEW.privilege_name), NEW.group_name);
+END;
+
COMMIT TRANSACTION;
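Review bot: The second `INSERT OR IGNORE` in privilege_group_view_insert_trigger (L21) silently drops any mapping whose subselect yields NULL — for example when NEW.privilege_name is NULL or empty and the preceding `INSERT OR IGNORE INTO privilege(name)` was itself skipped — because IGNORE also swallows the NOT NULL violation on privilege_id; a malformed mapping then vanishes from the view instead of failing the load. Since the loader truncates privilege_group before inserting, a conflict on the (privilege_id, group_name) primary key can only come from a duplicated line in the mapping file, which is better surfaced than hidden, so I would write `INSERT INTO privilege_group(privilege_id, group_name) VALUES ((SELECT privilege_id FROM privilege WHERE name=NEW.privilege_name), NEW.group_name);` and keep OR IGNORE only on the privilege insert. The subselect also assumes privilege.name is UNIQUE (otherwise it is ambiguous and the first insert duplicates names on every reload); that DDL is not in this hunk, so please confirm. A one-line comment above the trigger stating `-- Inserting through the view creates the privilege row on demand and links it to the group` would make the intent clear to the next reader.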
FILE(GLOB USERTYPE_POLICY_FILES usertype-*.profile)
INSTALL(FILES ${USERTYPE_POLICY_FILES} DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy)
INSTALL(FILES "app-rules-template.smack" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy)
+INSTALL(FILES "privilege-group.list" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy)
INSTALL(PROGRAMS security-manager-policy-reload DESTINATION ${BIN_INSTALL_DIR})
--- /dev/null
+# Configuration of groups assignment to privileges.
+# Run security-manager-policy-reload to apply.
+# Format:
+# - each line of "<PRIVILEGE> <GROUP>" describes single mapping
+# - privilege and group separated by white spaces
+# - lines starting with '#' are ignored
#!/bin/sh -e
-USERTYPE_POLICY_PATH=/usr/share/security-manager/policy
+POLICY_PATH=/usr/share/security-manager/policy
+PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list
+DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db
# Create default buckets
while read bucket default_policy
END
# Import user-type policies
-find "$USERTYPE_POLICY_PATH" -name "usertype-*.profile" |
+find "$POLICY_PATH" -name "usertype-*.profile" |
while read file
do
bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\U\1|'`"
do
cyad --set-policy --bucket=MAIN --client="$client" --user="*" --privilege="*" --type=ALLOW
done
+
+# Load privilege-group mappings
+(
+echo "BEGIN;"
+echo "DELETE FROM privilege_group;"
+grep -v '^#' "$PRIVILEGE_GROUP_MAPPING" |
+while read privilege group
+do
+ echo "INSERT INTO privilege_group_view (privilege_name, group_name) VALUES ('$privilege', '$group');"
+done
+echo "COMMIT;"
+) | sqlite3 "$DB_FILE"
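Review bot: The generated SQL at L62 interpolates `$privilege` and `$group` straight into single-quoted literals, so a quote in the mapping file breaks the statement (or rewrites it), and `grep -v '^#'` at L59 lets blank or whitespace-only lines through, which `read` turns into an `INSERT ... VALUES ('', '')` that creates a privilege and group named empty string; lines with more than two fields are also accepted, with the extra words folded into the group name. The file is an installed policy file rather than user input, but policy-reload is the one place that can validate it, so I would skip blank lines, reject anything that is not exactly two fields, use `read -r` so backslashes survive, and double any single quote before interpolation. Note too that only sqlite3's exit status reaches `set -e`; a failure inside the generator subshell only withholds `COMMIT;` (sqlite3 then rolls back at EOF), so the script continues silently after a bad file — if that matters, generate the SQL into a variable or temp file first and feed it to sqlite3 only when generation succeeded.
```shell
grep -v '^#' "$PRIVILEGE_GROUP_MAPPING" |
while read -r privilege group extra
do
    # skip blank lines; anything other than exactly "<PRIVILEGE> <GROUP>" is an error
    [ -z "$privilege" ] && continue
    if [ -z "$group" ] || [ -n "$extra" ]; then
        echo "Invalid mapping line in $PRIVILEGE_GROUP_MAPPING: '$privilege $group $extra'" >&2
        exit 1
    fi
    # values are interpolated into SQL literals: double any single quote
    privilege=`printf '%s' "$privilege" | sed "s/'/''/g"`
    group=`printf '%s' "$group" | sed "s/'/''/g"`
    echo "INSERT INTO privilege_group_view (privilege_name, group_name) VALUES ('$privilege', '$group');"
done
# … unchanged: echo "COMMIT;" and the pipe into sqlite3 …
```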
{ QueryType::ERemoveAppPrivileges, "DELETE FROM app_privilege_view WHERE app_name=? AND uid=?" },
{ QueryType::EPkgIdExists, "SELECT * FROM pkg WHERE name=?" },
{ QueryType::EGetPkgId, " SELECT pkg_name FROM app_pkg_view WHERE app_name = ?" },
- { QueryType::EGetPrivilegeGroups, " SELECT name FROM privilege_group_view WHERE privilege_name = ?" },
+ { QueryType::EGetPrivilegeGroups, " SELECT group_name FROM privilege_group_view WHERE privilege_name = ?" },
{ QueryType::EGetUserApps, "SELECT name FROM app WHERE uid=?" },
{ QueryType::EGetAppsInPkg, " SELECT app_name FROM app_pkg_view WHERE pkg_name = ?" },
};