From: Rafal Krypa Date: Fri, 6 Mar 2015 17:22:14 +0000 (+0100) Subject: Provide support for loading privilege-group mapping X-Git-Tag: accepted/tizen/3.0.2015.q1/common/20150320.110433~3 X-Git-Url: http://review.tizen.org/git/?p=platform%2Fcore%2Fsecurity%2Fsecurity-manager.git;a=commitdiff_plain;h=294bf3a4a6f5379f590b8d63f0a00485b7a46f78 Provide support for loading privilege-group mapping A mapping file in policy/privilege-group.list will be contained in security-manager-policy package. All mappings from that file will be loaded during package installation by security-manager-policy-reload tool. For development purposes it is also possible to modify the mapping file on the image and re-run security-manager-policy-reload. Change-Id: I9a7d5b16888de98013da281978e299c5b19750ce Signed-off-by: Rafal Krypa --- diff --git a/db/db.sql b/db/db.sql index e9ca886..fd3e084 100644 --- a/db/db.sql +++ b/db/db.sql @@ -37,8 +37,8 @@ FOREIGN KEY (privilege_id) REFERENCES privilege (privilege_id) CREATE TABLE IF NOT EXISTS privilege_group ( privilege_id INTEGER NOT NULL, -name VARCHAR NOT NULL, -PRIMARY KEY (privilege_id, name), +group_name VARCHAR NOT NULL, +PRIMARY KEY (privilege_id, group_name), FOREIGN KEY (privilege_id) REFERENCES privilege (privilege_id) ); @@ -106,8 +106,16 @@ CREATE VIEW privilege_group_view AS SELECT privilege_id, privilege.name as privilege_name, - privilege_group.name + privilege_group.group_name FROM privilege_group LEFT JOIN privilege USING (privilege_id); +DROP TRIGGER IF EXISTS privilege_group_view_insert_trigger; +CREATE TRIGGER privilege_group_view_insert_trigger +INSTEAD OF INSERT ON privilege_group_view +BEGIN + INSERT OR IGNORE INTO privilege(name) VALUES (NEW.privilege_name); + INSERT OR IGNORE INTO privilege_group(privilege_id, group_name) VALUES ((SELECT privilege_id FROM privilege WHERE name=NEW.privilege_name), NEW.group_name); +END; + COMMIT TRANSACTION; 
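Review bot: The new INSTEAD OF INSERT trigger relies on `INSERT OR IGNORE INTO privilege(name)` being a no-op when the privilege already exists, which only holds if privilege.name carries a UNIQUE constraint; that table's definition is outside this hunk, so it should be confirmed, because without it every reload would add a duplicate privilege row and `(SELECT privilege_id FROM privilege WHERE name=NEW.privilege_name)` would return whichever duplicate SQLite happens to pick. A one-line comment above the trigger would make the contract explicit for the next maintainer, e.g. `-- privilege_group_view accepts INSERTs: creates the privilege row on demand (needs privilege.name UNIQUE) and maps it to group_name.` The `INSERT OR IGNORE` on privilege_group silently drops a repeated (privilege, group) pair, which is acceptable only because the reload tool in this commit clears the table first; worth stating in the same comment.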
diff --git a/policy/CMakeLists.txt b/policy/CMakeLists.txt index 32d6ee6..bd08edc 100644 --- a/policy/CMakeLists.txt +++ b/policy/CMakeLists.txt @@ -1,4 +1,5 @@ FILE(GLOB USERTYPE_POLICY_FILES usertype-*.profile) INSTALL(FILES ${USERTYPE_POLICY_FILES} DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) INSTALL(FILES "app-rules-template.smack" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) +INSTALL(FILES "privilege-group.list" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) INSTALL(PROGRAMS security-manager-policy-reload DESTINATION ${BIN_INSTALL_DIR}) diff --git a/policy/privilege-group.list b/policy/privilege-group.list new file mode 100644 index 0000000..d679d0c --- /dev/null +++ b/policy/privilege-group.list @@ -0,0 +1,6 @@ +# Configuration of groups assignment to privileges. +# Run security-manager-policy-reload to apply. +# Format: +# - each line of " " describes single mapping +# - privilege and group separated by white spaces +# - lines starting with '#' are ignored diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload index d15cec5..5a78f2d 100755 --- a/policy/security-manager-policy-reload +++ b/policy/security-manager-policy-reload @@ -1,6 +1,8 @@ #!/bin/sh -e -USERTYPE_POLICY_PATH=/usr/share/security-manager/policy +POLICY_PATH=/usr/share/security-manager/policy +PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list +DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db # Create default buckets while read bucket default_policy @@ -28,7 +30,7 @@ PRIVACY_MANAGER MAIN END # Import user-type policies -find "$USERTYPE_POLICY_PATH" -name "usertype-*.profile" | +find "$POLICY_PATH" -name "usertype-*.profile" | while read file do bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\U\1|'`" 
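Review bot: `DB_FILE` is derived from a pipeline, `tzplatform-get TZ_SYS_DB | cut -d= -f2`, so a missing or failing tzplatform-get is masked by cut's exit status and `sh -e` does not stop the script; DB_FILE then silently degrades to `/.security-manager.db`, and the sqlite3 step later in this file would create and populate a stray database at the filesystem root instead of touching the real policy database. Resolve the directory first and refuse an empty result: `DB_DIR=$(tzplatform-get TZ_SYS_DB | cut -d= -f2)`, `[ -n "$DB_DIR" ] || { echo "cannot resolve TZ_SYS_DB" >&2; exit 1; }`, `DB_FILE=$DB_DIR/.security-manager.db`. This hunk covers only the variable block at the top of the script; the code that consumes `$DB_FILE` is in a later hunk.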
@@ -56,3 +58,15 @@ for client in User System
 do
 cyad --set-policy --bucket=MAIN --client="$client" --user="*" --privilege="*" --type=ALLOW
 done
+
+# Load privilege-group mappings
+(
+echo "BEGIN;"
+echo "DELETE FROM privilege_group;"
+grep -v '^#' "$PRIVILEGE_GROUP_MAPPING" |
+while read privilege group
+do
+ echo "INSERT INTO privilege_group_view (privilege_name, group_name) VALUES ('$privilege', '$group');"
+done
+echo "COMMIT;"
+) | sqlite3 "$DB_FILE"
diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h
index cf8bdcf..4d73d90 100644
--- a/src/common/include/privilege_db.h
+++ b/src/common/include/privilege_db.h
@@ -80,7 +80,7 @@ private:
 { QueryType::ERemoveAppPrivileges, "DELETE FROM app_privilege_view WHERE app_name=? AND uid=?" },
 { QueryType::EPkgIdExists, "SELECT * FROM pkg WHERE name=?" },
 { QueryType::EGetPkgId, " SELECT pkg_name FROM app_pkg_view WHERE app_name = ?" },
- { QueryType::EGetPrivilegeGroups, " SELECT name FROM privilege_group_view WHERE privilege_name = ?" },
+ { QueryType::EGetPrivilegeGroups, " SELECT group_name FROM privilege_group_view WHERE privilege_name = ?" },
 { QueryType::EGetUserApps, "SELECT name FROM app WHERE uid=?" },
 { QueryType::EGetAppsInPkg, " SELECT app_name FROM app_pkg_view WHERE pkg_name = ?" },
 };
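Review bot: The mapping values are spliced straight into SQL text, `VALUES ('$privilege', '$group')`, so a single quote in privilege-group.list terminates the literal and whatever follows is executed as SQL; the file ships in a root-owned package, so this is a robustness issue rather than a trust-boundary one, but it still deserves a hard check rather than silent corruption. Two things compound it: `sqlite3` runs without `-bail`, so after one failed INSERT the shell keeps feeding statements and `COMMIT;` lands with `DELETE FROM privilege_group;` already applied, leaving a partially loaded mapping instead of the previous one; and only `^#` lines are filtered, so a blank line makes `read` yield empty variables and an `('', '')` row goes into the database through the view trigger. The rewrite below rejects quotes before touching the database, skips blank lines, uses `read -r` so backslashes are not interpreted, and makes sqlite3 abort on the first error so the open transaction is rolled back and the pipeline fails under `sh -e`. The rest of the script precedes this hunk; only the `for client` loop is shown as context.
```shell
# … unchanged: "Load privilege-group mappings" comment …
# Values are embedded in SQL literals below; a quote would break out of them.
if grep -v '^#' "$PRIVILEGE_GROUP_MAPPING" | grep -q "'"; then
    echo "$PRIVILEGE_GROUP_MAPPING: single quote not allowed in a mapping" >&2
    exit 1
fi
(
# … unchanged: echo "BEGIN;" / echo "DELETE FROM privilege_group;" …
grep -v -e '^#' -e '^[[:space:]]*$' "$PRIVILEGE_GROUP_MAPPING" |
while read -r privilege group
# … unchanged: do / echo "INSERT INTO privilege_group_view …" / done / echo "COMMIT;" …
) | sqlite3 -bail "$DB_FILE"
```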