summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSung-jae Park <nicesj.park@samsung.com>2013-06-24 08:15:47 (GMT)
committerSung-jae Park <nicesj.park@samsung.com>2013-06-24 08:15:47 (GMT)
commit82454a2906c1c2cc0dcfd75efe6e8ef431072ba9 (patch)
tree2bb94359d9c568ca5216bdf3d67896c158ddb2eb
parenta72f340ff2ccb4e5ced0dbd825399f882a649657 (diff)
downloaddata-provider-master-82454a2906c1c2cc0dcfd75efe6e8ef431072ba9.zip
data-provider-master-82454a2906c1c2cc0dcfd75efe6e8ef431072ba9.tar.gz
data-provider-master-82454a2906c1c2cc0dcfd75efe6e8ef431072ba9.tar.bz2
User level smack control added for notification
Change-Id: I58b89984321e8a249fbd976eeb8eb613e29ad439
-rw-r--r--src/badge_service.c9
-rw-r--r--src/notification_service.c40
2 files changed, 48 insertions, 1 deletions
diff --git a/src/badge_service.c b/src/badge_service.c
index 5b50595..9a91fc8 100644
--- a/src/badge_service.c
+++ b/src/badge_service.c
@@ -41,6 +41,8 @@ static struct info {
.svc_ctx = NULL, /*!< \WARN: This is only used for MAIN THREAD */
};
+#define ENABLE_BS_ACCESS_CONTROL 0
+
struct context {
struct tcb *tcb;
double seq;
@@ -292,7 +294,6 @@ static int _is_valid_permission(int fd, struct badge_service *service)
ret = security_server_check_privilege_by_sockfd(fd, service->rule, service->access);
if (ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED) {
ErrPrint("SMACK:Access denied\n");
-
return 0;
}
}
@@ -365,8 +366,14 @@ static int service_thread_main(struct tcb *tcb, struct packet *packet, void *dat
if (strcmp(service_req_table[i].cmd, command))
continue;
+#if ENABLE_BS_ACCESS_CONTROL
+ if (_is_valid_permission(tcb_fd(tcb), &(service_req_table[i])) == 1) {
+ service_req_table[i].handler(tcb, packet, data);
+ }
+#else
_is_valid_permission(tcb_fd(tcb), &(service_req_table[i]));
service_req_table[i].handler(tcb, packet, data);
+#endif
break;
}
diff --git a/src/notification_service.c b/src/notification_service.c
index fec5fa4..4f89bae 100644
--- a/src/notification_service.c
+++ b/src/notification_service.c
@@ -22,6 +22,7 @@
#include <packet.h>
#include <sys/smack.h>
+#include <security-server.h>
#include <notification_ipc.h>
#include <notification_noti.h>
@@ -35,6 +36,7 @@
#ifndef NOTIFICATION_DEL_PACKET_UNIT
#define NOTIFICATION_DEL_PACKET_UNIT 10
#endif
+#define ENABLE_NS_ACCESS_CONTROL 0
static struct info {
Eina_List *context_list;
@@ -52,6 +54,8 @@ struct context {
struct noti_service {
const char *cmd;
void (*handler)(struct tcb *tcb, struct packet *packet, void *data);
+ const char *rule;
+ const char *access;
};
/*!
@@ -345,6 +349,21 @@ static void _handler_service_register(struct tcb *tcb, struct packet *packet, vo
}
}
+static int _is_valid_permission(int fd, struct noti_service *service)
+{
+ int ret;
+
+ if (service->rule != NULL && service->access != NULL) {
+ ret = security_server_check_privilege_by_sockfd(fd, service->rule, service->access);
+ if (ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED) {
+ ErrPrint("SMACK:Access denied\n");
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
/*!
* SERVICE THREAD
*/
@@ -356,30 +375,44 @@ static int service_thread_main(struct tcb *tcb, struct packet *packet, void *dat
{
.cmd = "add_noti",
.handler = _handler_insert,
+ .rule = "data-provider-master::notification.client",
+ .access = "w",
},
{
.cmd = "update_noti",
.handler = _handler_update,
+ .rule = "data-provider-master::notification.client",
+ .access = "w",
},
{
.cmd = "refresh_noti",
.handler = _handler_refresh,
+ .rule = "data-provider-master::notification.client",
+ .access = "w",
},
{
.cmd = "del_noti_single",
.handler = _handler_delete_single,
+ .rule = "data-provider-master::notification.client",
+ .access = "w",
},
{
.cmd = "del_noti_multiple",
.handler = _handler_delete_multiple,
+ .rule = "data-provider-master::notification.client",
+ .access = "w",
},
{
.cmd = "service_register",
.handler = _handler_service_register,
+ .rule = NULL,
+ .access = NULL,
},
{
.cmd = NULL,
.handler = NULL,
+ .rule = NULL,
+ .access = NULL,
},
};
@@ -403,7 +436,14 @@ static int service_thread_main(struct tcb *tcb, struct packet *packet, void *dat
if (strcmp(service_req_table[i].cmd, command))
continue;
+#if ENABLE_NS_ACCESS_CONTROL
+ if (_is_valid_permission(tcb_fd(tcb), &(service_req_table[i])) == 1) {
+ service_req_table[i].handler(tcb, packet, data);
+ }
+#else
+ _is_valid_permission(tcb_fd(tcb), &(service_req_table[i]));
service_req_table[i].handler(tcb, packet, data);
+#endif
break;
}