From bcc0477e684ae4f8f7413b2d56e4d4ed544f573b Mon Sep 17 00:00:00 2001 From: Krzysztof Sasiak Date: Mon, 13 Oct 2014 16:55:00 +0200 Subject: [PATCH] Use group names instead of group ids (gid) Database will now contain group names instead of group ids. Change-Id: I67dc5cf9e853b9b1ca56eeea1c006ce194f1530d --- src/server/db/db.sql | 14 +++++++------- src/server/db/include/privilege_db.h | 10 +++++----- src/server/db/privilege_db.cpp | 12 ++++++------ src/server/service/service.cpp | 34 ++++++++++++++++++++++------------ 4 files changed, 40 insertions(+), 30 deletions(-) diff --git a/src/server/db/db.sql b/src/server/db/db.sql index 2a5475f..e9ca886 100644 --- a/src/server/db/db.sql +++ b/src/server/db/db.sql @@ -35,10 +35,10 @@ FOREIGN KEY (app_id) REFERENCES app (app_id) FOREIGN KEY (privilege_id) REFERENCES privilege (privilege_id) ); -CREATE TABLE IF NOT EXISTS privilege_gid ( +CREATE TABLE IF NOT EXISTS privilege_group ( privilege_id INTEGER NOT NULL, -gid INTEGER NOT NULL, -PRIMARY KEY (privilege_id, gid), +name VARCHAR NOT NULL, +PRIMARY KEY (privilege_id, name), FOREIGN KEY (privilege_id) REFERENCES privilege (privilege_id) ); @@ -101,13 +101,13 @@ BEGIN DELETE FROM pkg WHERE pkg_id NOT IN (SELECT DISTINCT pkg_id from app); END; -DROP VIEW IF EXISTS privilege_gid_view; -CREATE VIEW privilege_gid_view AS +DROP VIEW IF EXISTS privilege_group_view; +CREATE VIEW privilege_group_view AS SELECT privilege_id, privilege.name as privilege_name, - privilege_gid.gid -FROM privilege_gid + privilege_group.name +FROM privilege_group LEFT JOIN privilege USING (privilege_id); COMMIT TRANSACTION; diff --git a/src/server/db/include/privilege_db.h b/src/server/db/include/privilege_db.h index 4b14771..b56f834 100644 --- a/src/server/db/include/privilege_db.h +++ b/src/server/db/include/privilege_db.h @@ -51,7 +51,7 @@ enum class QueryType { ERemoveAppPrivileges, EPkgIdExists, EGetPkgId, - EGetPrivilegeGids, + EGetPrivilegeGroups, }; class PrivilegeDb { @@ -69,7 +69,7 @@ private: { QueryType::ERemoveAppPrivileges, "DELETE FROM app_privilege_view WHERE app_name=? AND uid=?" }, { QueryType::EPkgIdExists, "SELECT * FROM pkg WHERE name=?" }, { QueryType::EGetPkgId, " SELECT pkg_name FROM app_pkg_view WHERE app_name = ?" }, - { QueryType::EGetPrivilegeGids, " SELECT gid FROM privilege_gid_view WHERE privilege_name = ?" }, + { QueryType::EGetPrivilegeGroups, " SELECT name FROM privilege_group_view WHERE privilege_name = ?" }, }; /** @@ -189,11 +189,11 @@ public: * Retrieve list of group ids assigned to a privilege * * @param privilege - privilege identifier - * @param[out] gids - list of group ids assigned to the privilege + * @param[out] grp_names - list of group names assigned to the privilege * @exception DB::SqlConnection::Exception::InternalError on internal error */ - void GetPrivilegeGids(const std::string &privilege, - std::vector &gids); + void GetPrivilegeGroups(const std::string &privilege, + std::vector &grp_names); }; diff --git a/src/server/db/privilege_db.cpp b/src/server/db/privilege_db.cpp index 4fcce0e..6c8d1f3 100644 --- a/src/server/db/privilege_db.cpp +++ b/src/server/db/privilege_db.cpp @@ -239,19 +239,19 @@ void PrivilegeDb::UpdateAppPrivileges(const std::string &appId, uid_t uid, }); } -void PrivilegeDb::GetPrivilegeGids(const std::string &privilege, - std::vector &gids) +void PrivilegeDb::GetPrivilegeGroups(const std::string &privilege, + std::vector &groups) { try_catch([&] { DB::SqlConnection::DataCommandAutoPtr command = mSqlConnection->PrepareDataCommand( - Queries.at(QueryType::EGetPrivilegeGids)); + Queries.at(QueryType::EGetPrivilegeGroups)); command->BindString(1, privilege.c_str()); while (command->Step()) { - gid_t gid = static_cast(command->GetColumnInteger(0)); - LogDebug("Privilege " << privilege << " gives access to gid " << gid); - gids.push_back(gid); + std::string groupName = command->GetColumnString(0); + LogDebug("Privilege " << privilege << " gives access to group: " << groupName); + groups.push_back(groupName); }; }); } diff --git a/src/server/service/service.cpp b/src/server/service/service.cpp index 29541ea..ff7fb29 100644 --- a/src/server/service/service.cpp +++ b/src/server/service/service.cpp @@ -23,24 +23,26 @@ * @brief Implementation of security-manager service. */ +#include +#include +#include +#include +#include + +#include +#include + #include #include #include -#include -#include -#include -#include -#include -#include - -#include "service.h" +#include "privilege_db.h" #include "protocols.h" #include "security-manager.h" +#include "service.h" #include "smack-common.h" #include "smack-rules.h" #include "smack-labels.h" -#include "privilege_db.h" namespace SecurityManager { @@ -482,13 +484,21 @@ bool Service::processGetAppGroups(MessageBuffer &buffer, MessageBuffer &send, ui std::vector privileges; m_privilegeDb.GetPkgPrivileges(pkgId, uid, privileges); for (const auto &privilege : privileges) { - std::vector gidsTmp; - m_privilegeDb.GetPrivilegeGids(privilege, gidsTmp); + std::vector gidsTmp; + m_privilegeDb.GetPrivilegeGroups(privilege, gidsTmp); if (!gidsTmp.empty()) { LogDebug("Considering privilege " << privilege << " with " << gidsTmp.size() << " groups assigned"); if (m_cynara.check(smackLabel, privilege, uidStr, pidStr)) { - gids.insert(gidsTmp.begin(), gidsTmp.end()); + for_each(gidsTmp.begin(), gidsTmp.end(), [&] (std::string group) + { + struct group *grp = getgrnam(group.c_str()); + if (grp == NULL) { + LogError("No such group: " << group.c_str()); + return; + } + gids.insert(grp->gr_gid); + }); LogDebug("Cynara allowed, adding groups"); } else LogDebug("Cynara denied, not adding groups"); -- 2.7.4