Database will now contain group names instead of group ids.
Change-Id: I67dc5cf9e853b9b1ca56eeea1c006ce194f1530d
FOREIGN KEY (privilege_id) REFERENCES privilege (privilege_id)
);
-CREATE TABLE IF NOT EXISTS privilege_gid (
+CREATE TABLE IF NOT EXISTS privilege_group (
privilege_id INTEGER NOT NULL,
-gid INTEGER NOT NULL,
-PRIMARY KEY (privilege_id, gid),
+name VARCHAR NOT NULL,
+PRIMARY KEY (privilege_id, name),
FOREIGN KEY (privilege_id) REFERENCES privilege (privilege_id)
);
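Review bot: A database created by the previous schema keeps its `privilege_gid` table and `privilege_gid_view`, because this hunk only creates the new table and the `DROP VIEW IF EXISTS privilege_gid_view;` on L16 is replaced rather than kept. If this script is also applied to existing databases — I cannot tell from the hunk whether it is — keep the old view drop and add `DROP TABLE IF EXISTS privilege_gid;` after the new table so stale gid rows cannot be consulted by anything still referencing them. If databases are always recreated from scratch, a one-line comment stating that would settle the question for the next reader.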
DELETE FROM pkg WHERE pkg_id NOT IN (SELECT DISTINCT pkg_id from app);
END;
-DROP VIEW IF EXISTS privilege_gid_view;
-CREATE VIEW privilege_gid_view AS
+DROP VIEW IF EXISTS privilege_group_view;
+CREATE VIEW privilege_group_view AS
SELECT
privilege_id,
privilege.name as privilege_name,
- privilege_gid.gid
-FROM privilege_gid
+ privilege_group.name
+FROM privilege_group
LEFT JOIN privilege USING (privilege_id);
COMMIT TRANSACTION;
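Review bot: The view's second column on L25 is the unaliased `privilege_group.name`, so it is exposed as plain `name` next to `privilege_name`, which reads ambiguously and leans on SQLite's column-naming rule for qualified references. Alias it explicitly, `privilege_group.name AS group_name`, and select `group_name` in the `EGetPrivilegeGroups` query on L40 so the two sides of the contract name the same thing.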
ERemoveAppPrivileges,
EPkgIdExists,
EGetPkgId,
- EGetPrivilegeGids,
+ EGetPrivilegeGroups,
};
class PrivilegeDb {
{ QueryType::ERemoveAppPrivileges, "DELETE FROM app_privilege_view WHERE app_name=? AND uid=?" },
{ QueryType::EPkgIdExists, "SELECT * FROM pkg WHERE name=?" },
{ QueryType::EGetPkgId, " SELECT pkg_name FROM app_pkg_view WHERE app_name = ?" },
- { QueryType::EGetPrivilegeGids, " SELECT gid FROM privilege_gid_view WHERE privilege_name = ?" },
+ { QueryType::EGetPrivilegeGroups, " SELECT name FROM privilege_group_view WHERE privilege_name = ?" },
};
/**
* Retrieve list of group ids assigned to a privilege
*
* @param privilege - privilege identifier
- * @param[out] gids - list of group ids assigned to the privilege
+ * @param[out] grp_names - list of group names assigned to the privilege
* @exception DB::SqlConnection::Exception::InternalError on internal error
*/
- void GetPrivilegeGids(const std::string &privilege,
- std::vector<gid_t> &gids);
+ void GetPrivilegeGroups(const std::string &privilege,
+ std::vector<std::string> &grp_names);
};
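Review bot: The summary line on L43 still says "group ids" although the function now returns group names; change it to `* Retrieve list of group names assigned to a privilege`. The out-parameter is declared as `grp_names` here (L53) but defined as `groups` on L60; pick one so the documentation matches the implementation. The comment could also state whether the vector is cleared or appended to — the definition only pushes, so a caller passing a non-empty vector gets both.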
});
}
-void PrivilegeDb::GetPrivilegeGids(const std::string &privilege,
- std::vector<gid_t> &gids)
+void PrivilegeDb::GetPrivilegeGroups(const std::string &privilege,
+ std::vector<std::string> &groups)
{
try_catch<void>([&] {
DB::SqlConnection::DataCommandAutoPtr command =
mSqlConnection->PrepareDataCommand(
- Queries.at(QueryType::EGetPrivilegeGids));
+ Queries.at(QueryType::EGetPrivilegeGroups));
command->BindString(1, privilege.c_str());
while (command->Step()) {
- gid_t gid = static_cast<gid_t>(command->GetColumnInteger(0));
- LogDebug("Privilege " << privilege << " gives access to gid " << gid);
- gids.push_back(gid);
+ std::string groupName = command->GetColumnString(0);
+ LogDebug("Privilege " << privilege << " gives access to group: " << groupName);
+ groups.push_back(groupName);
};
});
}
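Review bot: `groups.push_back(groupName)` on L74 copies a string that is not used again after the log line; write `groups.push_back(std::move(groupName));` instead (with `<utility>` in scope, if a project header does not already provide it). The `;` after the `while` block's closing brace on L75 is pre-existing but is a stray empty statement worth dropping while the function is being touched.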
* @brief Implementation of security-manager service.
*/
+#include <grp.h>
+#include <limits.h>
+#include <pwd.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+
+#include <cstring>
+#include <unordered_set>
+
#include <dpl/log/log.h>
#include <dpl/serialization.h>
#include <tzplatform_config.h>
-#include <unordered_set>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <pwd.h>
-#include <limits.h>
-#include <cstring>
-
-#include "service.h"
+#include "privilege_db.h"
#include "protocols.h"
#include "security-manager.h"
+#include "service.h"
#include "smack-common.h"
#include "smack-rules.h"
#include "smack-labels.h"
-#include "privilege_db.h"
namespace SecurityManager {
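Review bot: The include block gains `<grp.h>` for `getgrnam()` but not `<algorithm>`, although this file now calls `for_each` on L121; unless a project header supplies it, the build relies on a transitive include. Add `#include <algorithm>` to the C++ standard-library group next to `<cstring>`, and qualify the call as `std::for_each` so it does not depend on argument-dependent lookup through the iterator type.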
std::vector<std::string> privileges;
m_privilegeDb.GetPkgPrivileges(pkgId, uid, privileges);
for (const auto &privilege : privileges) {
- std::vector<gid_t> gidsTmp;
- m_privilegeDb.GetPrivilegeGids(privilege, gidsTmp);
+ std::vector<std::string> gidsTmp;
+ m_privilegeDb.GetPrivilegeGroups(privilege, gidsTmp);
if (!gidsTmp.empty()) {
LogDebug("Considering privilege " << privilege << " with " <<
gidsTmp.size() << " groups assigned");
if (m_cynara.check(smackLabel, privilege, uidStr, pidStr)) {
- gids.insert(gidsTmp.begin(), gidsTmp.end());
+ for_each(gidsTmp.begin(), gidsTmp.end(), [&] (std::string group)
+ {
+ struct group *grp = getgrnam(group.c_str());
+ if (grp == NULL) {
+ LogError("No such group: " << group.c_str());
+ return;
+ }
+ gids.insert(grp->gr_gid);
+ });
LogDebug("Cynara allowed, adding groups");
} else
LogDebug("Cynara denied, not adding groups");
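Review bot: `getgrnam()` on L123 returns a pointer into static, process-wide storage, and this appears to run inside the service's request handling, so if the code can execute on more than one thread concurrent lookups can overwrite each other's result; `getgrnam_r()` with a caller-owned buffer avoids that. The `NULL` check on L124 also conflates "no such group" with a failed lookup, since `getgrnam()` reports the latter through `errno`, and the lambda on L121 takes `std::string group` by value, copying every name. A range-for over `gidsTmp` removes both the unqualified `for_each` (no `<algorithm>` is included on this page) and the copy; the sketch below needs `<cerrno>` for `ERANGE`. `gidsTmp` now holds names rather than gids, so `groupNames` would describe it better. The enclosing function starts before this hunk and the `if` opened on L116 closes after it.
```cpp
if (m_cynara.check(smackLabel, privilege, uidStr, pidStr)) {
    for (const auto &group : gidsTmp) {
        // getgrnam() hands back a pointer into static storage; the
        // reentrant variant keeps concurrent lookups from clobbering it.
        std::vector<char> buf(1024);
        struct group grpBuf;
        struct group *grp = nullptr;
        int ret;
        while ((ret = getgrnam_r(group.c_str(), &grpBuf, buf.data(), buf.size(), &grp)) == ERANGE)
            buf.resize(buf.size() * 2);
        if (ret != 0) {
            LogError("Group lookup failed for " << group << ", error " << ret);
            continue;
        }
        if (grp == nullptr) {
            LogError("No such group: " << group);
            continue;
        }
        gids.insert(grp->gr_gid);
    }
    // … unchanged: "Cynara allowed" debug log and else branch …
```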