Use group names instead of group ids (gid) 62/28662/7
authorKrzysztof Sasiak <k.sasiak@samsung.com>
Mon, 13 Oct 2014 14:55:00 +0000 (16:55 +0200)
committerRafal Krypa <r.krypa@samsung.com>
Fri, 31 Oct 2014 17:02:57 +0000 (10:02 -0700)
Database will now contain group names instead of group ids.

Change-Id: I67dc5cf9e853b9b1ca56eeea1c006ce194f1530d

src/server/db/db.sql
src/server/db/include/privilege_db.h
src/server/db/privilege_db.cpp
src/server/service/service.cpp

index 2a5475f..e9ca886 100644 (file)
@@ -35,10 +35,10 @@ FOREIGN KEY (app_id) REFERENCES app (app_id)
 FOREIGN KEY (privilege_id) REFERENCES privilege (privilege_id)
 );
 
-CREATE TABLE IF NOT EXISTS privilege_gid (
+CREATE TABLE IF NOT EXISTS privilege_group (
 privilege_id INTEGER NOT NULL,
-gid INTEGER NOT NULL,
-PRIMARY KEY (privilege_id, gid),
+name VARCHAR NOT NULL,
+PRIMARY KEY (privilege_id, name),
 FOREIGN KEY (privilege_id) REFERENCES privilege (privilege_id)
 );
 
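Review bot: An already-provisioned database keeps its old `privilege_gid` table, because `CREATE TABLE IF NOT EXISTS privilege_group` creates a new empty table beside it and nothing copies or drops the old rows. If this script is also run on upgrade (the `IF NOT EXISTS` / `DROP VIEW IF EXISTS` style suggests it is), privileges that had gids assigned would resolve to no groups until `privilege_group` is repopulated. The view hunk below has the same gap: it removes `DROP VIEW IF EXISTS privilege_gid_view;`, so the old view stays behind. Consider adding `DROP VIEW IF EXISTS privilege_gid_view;` and `DROP TABLE IF EXISTS privilege_gid;` (or an explicit migration step), plus a comment on `name` saying it must be a group name resolvable on the device.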
@@ -101,13 +101,13 @@ BEGIN
     DELETE FROM pkg WHERE pkg_id NOT IN (SELECT DISTINCT pkg_id from app);
 END;
 
-DROP VIEW IF EXISTS privilege_gid_view;
-CREATE VIEW privilege_gid_view AS
+DROP VIEW IF EXISTS privilege_group_view;
+CREATE VIEW privilege_group_view AS
 SELECT
     privilege_id,
     privilege.name as privilege_name,
-    privilege_gid.gid
-FROM privilege_gid
+    privilege_group.name
+FROM privilege_group
 LEFT JOIN privilege USING (privilege_id);
 
 COMMIT TRANSACTION;
index 4b14771..b56f834 100644 (file)
@@ -51,7 +51,7 @@ enum class QueryType {
     ERemoveAppPrivileges,
     EPkgIdExists,
     EGetPkgId,
-    EGetPrivilegeGids,
+    EGetPrivilegeGroups,
 };
 
 class PrivilegeDb {
@@ -69,7 +69,7 @@ private:
         { QueryType::ERemoveAppPrivileges, "DELETE FROM app_privilege_view WHERE app_name=? AND uid=?" },
         { QueryType::EPkgIdExists, "SELECT * FROM pkg WHERE name=?" },
         { QueryType::EGetPkgId, " SELECT pkg_name FROM app_pkg_view WHERE app_name = ?" },
-        { QueryType::EGetPrivilegeGids, " SELECT gid FROM privilege_gid_view WHERE privilege_name = ?" },
+        { QueryType::EGetPrivilegeGroups, " SELECT name FROM privilege_group_view WHERE privilege_name = ?" },
     };
 
     /**
@@ -189,11 +189,11 @@ public:
      * Retrieve list of group ids assigned to a privilege
      *
      * @param privilege - privilege identifier
-     * @param[out] gids - list of group ids assigned to the privilege
+     * @param[out] grp_names - list of group names assigned to the privilege
      * @exception DB::SqlConnection::Exception::InternalError on internal error
      */
-    void GetPrivilegeGids(const std::string &privilege,
-        std::vector<gid_t> &gids);
+    void GetPrivilegeGroups(const std::string &privilege,
+        std::vector<std::string> &grp_names);
 
 };
 
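Review bot: The summary line of this doc comment still reads `Retrieve list of group ids assigned to a privilege`, although the function now returns names; it should read `Retrieve list of group names assigned to a privilege`. The out-parameter is called `grp_names` here but `groups` in the definition in privilege_db.cpp, so one of the two should be renamed. It is also worth documenting that the names are appended to the vector rather than replacing its contents, and that they are returned as stored, without checking that the group exists.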
index 4fcce0e..6c8d1f3 100644 (file)
@@ -239,19 +239,19 @@ void PrivilegeDb::UpdateAppPrivileges(const std::string &appId, uid_t uid,
     });
 }
 
-void PrivilegeDb::GetPrivilegeGids(const std::string &privilege,
-        std::vector<gid_t> &gids)
+void PrivilegeDb::GetPrivilegeGroups(const std::string &privilege,
+        std::vector<std::string> &groups)
 {
    try_catch<void>([&] {
         DB::SqlConnection::DataCommandAutoPtr command =
                 mSqlConnection->PrepareDataCommand(
-                        Queries.at(QueryType::EGetPrivilegeGids));
+                        Queries.at(QueryType::EGetPrivilegeGroups));
         command->BindString(1, privilege.c_str());
 
         while (command->Step()) {
-            gid_t gid = static_cast<gid_t>(command->GetColumnInteger(0));
-            LogDebug("Privilege " << privilege << " gives access to gid " << gid);
-            gids.push_back(gid);
+            std::string groupName = command->GetColumnString(0);
+            LogDebug("Privilege " << privilege << " gives access to group: " << groupName);
+            groups.push_back(groupName);
         };
     });
 }
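Review bot: Each name is copied twice in the loop, once into `groupName` and again by `groups.push_back(groupName)`. Pushing the column value directly and logging from the vector avoids the second copy: `groups.push_back(command->GetColumnString(0));` followed by `LogDebug("Privilege " << privilege << " gives access to group: " << groups.back());`. The `};` that closes the `while` body carries a stray semicolon, which could be dropped while this loop is being touched.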
index 29541ea..ff7fb29 100644 (file)
  * @brief       Implementation of security-manager service.
  */
 
+#include <grp.h>
+#include <limits.h>
+#include <pwd.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+
+#include <cstring>
+#include <unordered_set>
+
 #include <dpl/log/log.h>
 #include <dpl/serialization.h>
 #include <tzplatform_config.h>
 
-#include <unordered_set>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <pwd.h>
-#include <limits.h>
-#include <cstring>
-
-#include "service.h"
+#include "privilege_db.h"
 #include "protocols.h"
 #include "security-manager.h"
+#include "service.h"
 #include "smack-common.h"
 #include "smack-rules.h"
 #include "smack-labels.h"
-#include "privilege_db.h"
 
 namespace SecurityManager {
 
@@ -482,13 +484,21 @@ bool Service::processGetAppGroups(MessageBuffer &buffer, MessageBuffer &send, ui
         std::vector<std::string> privileges;
         m_privilegeDb.GetPkgPrivileges(pkgId, uid, privileges);
         for (const auto &privilege : privileges) {
-            std::vector<gid_t> gidsTmp;
-            m_privilegeDb.GetPrivilegeGids(privilege, gidsTmp);
+            std::vector<std::string> gidsTmp;
+            m_privilegeDb.GetPrivilegeGroups(privilege, gidsTmp);
             if (!gidsTmp.empty()) {
                 LogDebug("Considering privilege " << privilege << " with " <<
                     gidsTmp.size() << " groups assigned");
                 if (m_cynara.check(smackLabel, privilege, uidStr, pidStr)) {
-                    gids.insert(gidsTmp.begin(), gidsTmp.end());
+                    for_each(gidsTmp.begin(), gidsTmp.end(), [&] (std::string group)
+                    {
+                        struct group *grp = getgrnam(group.c_str());
+                        if (grp == NULL) {
+                                LogError("No such group: " << group.c_str());
+                                return;
+                        }
+                        gids.insert(grp->gr_gid);
+                    });
                     LogDebug("Cynara allowed, adding groups");
                 } else
                     LogDebug("Cynara denied, not adding groups");
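Review bot: `getgrnam()` in the new lambda returns a pointer into static storage and is not reentrant. If processGetAppGroups can run on more than one thread (not visible in this hunk), a concurrent lookup can overwrite the entry before `grp->gr_gid` is read; `getgrnam_r()` with a caller-owned buffer avoids that and also separates a lookup error from a missing group. The lambda takes `std::string group` by value, which copies every name and shadows `struct group`, and `for_each` is called unqualified with no `<algorithm>` among the visible includes; a range-for over `gidsTmp` removes both problems. `gidsTmp` now holds names, so a name such as `groupNames` would read better. The function body begins and ends outside the hunk.

```cpp
                if (m_cynara.check(smackLabel, privilege, uidStr, pidStr)) {
                    for (const auto &groupName : gidsTmp) {
                        struct group grpBuf;
                        struct group *grp = NULL;
                        std::vector<char> buf(1024);
                        int ret;
                        // Grow the buffer until the entry fits; ERANGE means "buffer too small".
                        while ((ret = getgrnam_r(groupName.c_str(), &grpBuf,
                                                 buf.data(), buf.size(), &grp)) == ERANGE)
                            buf.resize(buf.size() * 2);
                        if (ret != 0) {
                            LogError("Group lookup failed for " << groupName << ", error " << ret);
                            continue;
                        }
                        if (grp == NULL) {
                            LogError("No such group: " << groupName);
                            continue;
                        }
                        gids.insert(grp->gr_gid);
                    }
                    // … unchanged: LogDebug("Cynara allowed, adding groups") and the else branch …
```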