authorSeonah Moon <seonah1.moon@samsung.com>2016-06-23 11:43:19 +0900
committerSeonah Moon <seonah1.moon@samsung.com>2016-06-23 16:54:44 +0900
commit771bd209c3d2ae95a249637b1b94e554e2159a31 (patch)
tree2a5a142bec646c5392065a962789a025b33f3498
parentb68ee3bae7b43f36496a1ea4f86d85b23df45bd7 (diff)
Change-Id: I022e3488818f189207cb30e57b32cf2d6ae3d9b5 Signed-off-by: Seonah Moon <seonah1.moon@samsung.com>
-rw-r--r--CMakeLists.txt2
-rw-r--r--include/http_private.h6
-rw-r--r--packaging/capi-network-http.spec3
-rw-r--r--src/http_common.c62
-rw-r--r--src/http_transaction.c4
5 files changed, 75 insertions, 2 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 145d8c0..a97e070 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -9,7 +9,7 @@ SET(PREFIX ${CMAKE_INSTALL_PREFIX})
SET(INC_DIR include)
INCLUDE_DIRECTORIES(${INC_DIR})
-SET(dependents "dlog gio-2.0 gio-unix-2.0 glib-2.0 capi-base-common capi-network-connection libcurl libssl")
+SET(dependents "dlog gio-2.0 gio-unix-2.0 glib-2.0 capi-base-common capi-network-connection libcurl libssl cynara-client")
IF("${CMAKE_BUILD_TYPE}" STREQUAL "")
SET(CMAKE_BUILD_TYPE "Release")
diff --git a/include/http_private.h b/include/http_private.h
index 7b8b43b..eb62ea9 100644
--- a/include/http_private.h
+++ b/include/http_private.h
@@ -102,6 +102,11 @@ typedef enum {
_CURL_HTTP_AUTH_NTLM = 8 // The constant for ntlm authentication
} curl_http_auth_scheme_e;
+typedef enum {
+ HTTP_PRIVILEGE_INTERNET = 0,
+ HTTP_PRIVILEGE_NETWORK_GET
+} http_privilege_e;
+
typedef struct {
struct curl_slist *header_list;
GHashTable *hash_table;
@@ -193,6 +198,7 @@ typedef struct {
void print_curl_multi_errorCode(CURLMcode code);
bool _http_is_init(void);
+bool _http_check_permission(http_privilege_e);
gchar* _get_http_method(http_method_e method);
http_method_e _get_method(gchar* method);
gchar* _get_proxy();
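Review bot: The new prototype `bool _http_check_permission(http_privilege_e);` has no parameter name and no comment, unlike neighbouring declarations such as `_get_http_method(http_method_e method)`. I would write it as `bool _http_check_permission(http_privilege_e privilege);` with a one-line comment above it saying that it returns true only when cynara allows the privilege for the calling process and false on any failure. The enumerators added in the earlier hunk of this file could each carry the privilege URI they map to, in the same `//` style as `_CURL_HTTP_AUTH_NTLM`.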
diff --git a/packaging/capi-network-http.spec b/packaging/capi-network-http.spec
index 2db5826..8f50ba0 100644
--- a/packaging/capi-network-http.spec
+++ b/packaging/capi-network-http.spec
@@ -1,6 +1,6 @@
Name: capi-network-http
Summary: Http Framework
-Version: 0.0.9
+Version: 0.0.10
Release: 0
Group: System/Network
License: Apache-2.0
@@ -12,6 +12,7 @@ BuildRequires: pkgconfig(gio-2.0)
BuildRequires: pkgconfig(capi-network-connection)
BuildRequires: pkgconfig(libcurl)
BuildRequires: pkgconfig(openssl)
+BuildRequires: pkgconfig(cynara-client)
BuildRequires: cmake
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
diff --git a/src/http_common.c b/src/http_common.c
index 843ef29..b4c80d6 100644
--- a/src/http_common.c
+++ b/src/http_common.c
@@ -19,8 +19,13 @@
#include "net_connection.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <unistd.h>
#include <pthread.h>
#include <openssl/err.h>
+#include <cynara-client.h>
#define MUTEX_TYPE pthread_mutex_t
#define MUTEX_SETUP(x) pthread_mutex_init(&(x), NULL)
@@ -29,6 +34,8 @@
#define MUTEX_UNLOCK(x) pthread_mutex_unlock(&(x))
#define THREAD_ID pthread_self()
+#define SMACK_LABEL_LEN 255
+
/* This array will store all of the mutexes available to OpenSSL. */
static MUTEX_TYPE *mutex_buf = NULL;
static bool is_init = false;
@@ -38,6 +45,61 @@ bool _http_is_init(void)
return is_init;
}
+bool _http_check_permission(http_privilege_e _privilege)
+{
+ FILE *fd;
+
+ int ret;
+ char smack_label[SMACK_LABEL_LEN + 1];
+ char uid[10];
+ char *client_session = "";
+ char *privilege = NULL;
+
+ cynara *p_cynara;
+
+ if (CYNARA_API_SUCCESS != cynara_initialize(&p_cynara, NULL)) {
+ ERR("Failed to initialize cynara structure\n");
+ return false;
+ }
+
+ bzero(smack_label, SMACK_LABEL_LEN + 1);
+
+ /* get smack label */
+ fd = fopen("/proc/self/attr/current", "r");
+ if (fd == NULL) {
+ ERR("Failed to open /proc/self/attr/current\n");
+ return false;
+ }
+ ret = fread(smack_label, sizeof(smack_label), 1, fd);
+ fclose(fd);
+ if (ret < 0) {
+ ERR("Failed to read /proc/self/attr/current\n");
+ return false;
+ }
+
+ /* get uid */
+ snprintf(uid, sizeof(uid), "%d", getuid());
+
+ switch (_privilege) {
+ case HTTP_PRIVILEGE_INTERNET:
+ privilege = "http://tizen.org/privilege/internet";
+ break;
+ case HTTP_PRIVILEGE_NETWORK_GET:
+ privilege = "http://tizen.org/privilege/network.get";
+ break;
+ default:
+ break;
+ }
+
+ DBG("%s %s %s\n", smack_label, uid, privilege);
+
+ /* cynara check */
+ ret = cynara_check(p_cynara, smack_label, client_session, uid, privilege);
+ cynara_finish(p_cynara);
+
+ return (ret == CYNARA_API_ACCESS_ALLOWED) ? true : false;
+}
+
static void __http_set_init(bool init)
{
is_init = init;
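Review bot: In `_http_check_permission` the read of `/proc/self/attr/current` is not really checked: `fread(smack_label, sizeof(smack_label), 1, fd)` asks for one 256-byte item, so it returns 0 for any shorter label and never a negative value, and it can fill the byte that `bzero` reserved for the terminator. Both `return false` paths after `cynara_initialize` skip `cynara_finish`, so the handle leaks on each failed call. `char uid[10]` cannot hold a ten-digit uid plus the terminator, so `snprintf` would truncate silently and the check would run against a different uid string; `getuid()` is also printed with `%d`. The `default:` branch leaves `privilege` as NULL and still passes it to `DBG` and `cynara_check`. The sketch below keeps the commit's deny-on-failure behaviour and changes only those points.

```c
bool _http_check_permission(http_privilege_e _privilege)
{
	/* … unchanged: fd, ret, smack_label, client_session, privilege, p_cynara … */
	char uid[16];	/* a 32-bit uid prints as up to 10 digits plus the terminator */
	size_t label_len;

	/* Map the privilege first so an unknown value never reaches cynara. */
	switch (_privilege) {
	/* … unchanged: HTTP_PRIVILEGE_INTERNET and HTTP_PRIVILEGE_NETWORK_GET cases … */
	default:
		ERR("Unknown privilege %d\n", _privilege);
		return false;
	}

	/* … unchanged: cynara_initialize and its error return … */

	fd = fopen("/proc/self/attr/current", "r");
	if (fd == NULL) {
		ERR("Failed to open /proc/self/attr/current\n");
		cynara_finish(p_cynara);
		return false;
	}
	/* Read bytes rather than one 256-byte item; the last byte stays free for '\0'. */
	label_len = fread(smack_label, 1, SMACK_LABEL_LEN, fd);
	ret = ferror(fd);
	fclose(fd);
	if (ret != 0 || label_len == 0) {
		ERR("Failed to read /proc/self/attr/current\n");
		cynara_finish(p_cynara);
		return false;
	}
	smack_label[label_len] = '\0';

	snprintf(uid, sizeof(uid), "%u", (unsigned int)getuid());

	/* … unchanged: DBG, cynara_check, cynara_finish, return … */
```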
diff --git a/src/http_transaction.c b/src/http_transaction.c
index 9473985..495aa0b 100644
--- a/src/http_transaction.c
+++ b/src/http_transaction.c
@@ -486,6 +486,10 @@ API int http_session_open_transaction(http_session_h http_session, http_method_e
API int http_transaction_submit(http_transaction_h http_transaction)
{
+ _retvm_if(_http_check_permission(HTTP_PRIVILEGE_INTERNET) == false,
+ HTTP_ERROR_PERMISSION_DENIED, "Permission denied");
+ _retvm_if(_http_check_permission(HTTP_PRIVILEGE_NETWORK_GET) == false,
+ HTTP_ERROR_PERMISSION_DENIED, "Permission denied");
_retvm_if(_http_is_init() == false, HTTP_ERROR_INVALID_OPERATION,
"http isn't initialized");
_retvm_if(http_transaction == NULL, HTTP_ERROR_INVALID_PARAMETER,
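Review bot: `http_transaction_submit` now calls `_http_check_permission` twice on every submit, and each call initializes a cynara handle, opens `/proc/self/attr/current` and finishes the handle again. Both failures log the same `"Permission denied"`, so the log does not show which privilege was refused; distinct messages such as `"Permission denied: internet"` and `"Permission denied: network.get"` would help triage. The check runs inside the calling process, so it presumably acts as an API contract rather than the enforcement point; a comment stating where network access is actually enforced would be useful. The function body continues outside the hunk.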