Add cynara check for notification privilege

It is impossible to check multiple privilege checks using dbus-policy. So, changed it to check at the code Change-Id: Ib5798d42be3a1630db1f9ff303f9a341d23a6547 Signed-off-by: Inkyun Kil <inkyun.kil@samsung.com>
author: Inkyun Kil <inkyun.kil@samsung.com> 2018-05-16 11:31:08 +0900
committer: Inkyun Kil <inkyun.kil@samsung.com> 2018-05-16 13:28:11 +0900
commit: 02b50dc3b3e6c1360238b019358ab3076e0d7bff (patch)
tree: 50e725cc43b1d878f33149612202470350b0f201
parent: f57d2e91445529ccb2e50cfb9136fe09567018b7 (diff)
download: alarm-manager-02b50dc3b3e6c1360238b019358ab3076e0d7bff.tar.gz
alarm-manager-02b50dc3b3e6c1360238b019358ab3076e0d7bff.tar.bz2
alarm-manager-02b50dc3b3e6c1360238b019358ab3076e0d7bff.zip
4 files changed, 83 insertions, 2 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 8ca52c3..733dcf3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -6,7 +6,7 @@ INCLUDE_DIRECTORIES(
 	include
 )
 
-SET(DEPS_PKGS "glib-2.0 dlog aul bundle appsvc pkgmgr-info pkgmgr vconf gio-2.0 gio-unix-2.0 capi-system-device libtzplatform-config libsystemd-login eventsystem notification capi-system-info sqlite3 cert-svc-vcore")
+SET(DEPS_PKGS "glib-2.0 dlog aul bundle appsvc pkgmgr-info pkgmgr vconf gio-2.0 gio-unix-2.0 capi-system-device libtzplatform-config libsystemd-login eventsystem notification capi-system-info sqlite3 cert-svc-vcore cynara-session cynara-client cynara-creds-gdbus")
 
 IF(_APPFW_FEATURE_ALARM_MANAGER_MODULE_LOG)
 ADD_DEFINITIONS("-D_APPFW_FEATURE_ALARM_MANAGER_MODULE_LOG")
diff --git a/alarm-manager.c b/alarm-manager.c
index ed652df..f640ced 100644
--- a/alarm-manager.c
+++ b/alarm-manager.c
@@ -50,6 +50,9 @@
 #include <sqlite3.h>
 #include <cert-svc/ccert.h>
 #include <cert-svc/cinstance.h>
+#include <cynara-session.h>
+#include <cynara-client.h>
+#include <cynara-creds-gdbus.h>
 
 #include <glib.h>
 #if !GLIB_CHECK_VERSION(2, 31, 0)
@@ -2697,6 +2700,70 @@ void __reschedule_alarms_with_newtime(int cur_time, int new_time, double diff_ti
 	return;
 }
 
+static int __cynara_check(GDBusMethodInvocation *invocation, pid_t pid)
+{
+	int ret = 0;
+	char *user = NULL;
+	char *client = NULL;
+	char *client_session = NULL;
+	cynara *p_cynara = NULL;
+	const char *sender_unique_name;
+	GDBusConnection *connection;
+	const char *notitification_priv = "http://tizen.org/privilege/notification";
+
+	connection = g_dbus_method_invocation_get_connection(invocation);
+	sender_unique_name = g_dbus_method_invocation_get_sender(invocation);
+
+	ret = cynara_initialize(&p_cynara, NULL);
+	if (ret != CYNARA_API_SUCCESS) {
+		ALARM_MGR_EXCEPTION_PRINT("cynara_initialize() failed");
+		goto cynara_out;
+	}
+
+	ret = cynara_creds_gdbus_get_user(connection, sender_unique_name,
+			USER_METHOD_DEFAULT, &user);
+	if (ret != CYNARA_API_SUCCESS) {
+		ALARM_MGR_EXCEPTION_PRINT("cynara_creds_gdbus_get_user() failed");
+		goto cynara_out;
+	}
+
+	ret = cynara_creds_gdbus_get_client(connection, sender_unique_name,
+			CLIENT_METHOD_DEFAULT, &client);
+	if (ret != CYNARA_API_SUCCESS) {
+		ALARM_MGR_EXCEPTION_PRINT("cynara_creds_gdbus_get_client() failed");
+		goto cynara_out;
+	}
+
+	ALARM_MGR_LOG_PRINT("user :%s , client :%s ,unique_name : %s, pid() : %d",
+			user, client, sender_unique_name, pid);
+
+	client_session = cynara_session_from_pid(pid);
+	if (!client_session) {
+		ALARM_MGR_EXCEPTION_PRINT("cynara_session_from_pid() failed");
+		ret = CYNARA_API_INVALID_PARAM;
+		goto cynara_out;
+	}
+
+	ret = cynara_check(p_cynara, client, client_session, user,
+			notitification_priv);
+	if (ret == CYNARA_API_ACCESS_ALLOWED)
+		ALARM_MGR_LOG_PRINT("CYNARA_ACCESS_ALLOWED");
+	else
+		ALARM_MGR_LOG_PRINT("CYNARA_NOT_ALLOWED [%d]", ret);
+
+cynara_out:
+	if (client_session)
+		g_free(client_session);
+	if (client)
+		g_free(client);
+	if (user)
+		g_free(user);
+	if (p_cynara)
+		cynara_finish(p_cynara);
+
+	return ret;
+}
+
 gboolean alarm_manager_alarm_set_rtc_time(AlarmManager *pObj, GDBusMethodInvocation *invoc,
 				int year, int mon, int day,
 				int hour, int min, int sec,
@@ -3069,6 +3136,7 @@ gboolean alarm_manager_alarm_create_noti(AlarmManager *pObject, GDBusMethodInvoc
 				    gpointer user_data)
 {
 	alarm_info_t alarm_info;
+	int ret;
 	int return_code = ALARMMGR_RESULT_SUCCESS;
 	int alarm_id = 0;
 #ifdef _APPFW_FEATURE_ALARM_MANAGER_MODULE_LOG
@@ -3087,6 +3155,17 @@ gboolean alarm_manager_alarm_create_noti(AlarmManager *pObject, GDBusMethodInvoc
 		return true;
 	}
 
+	ret = __cynara_check(invoc, pid);
+	if (ret != CYNARA_API_ACCESS_ALLOWED) {
+		if (ret == CYNARA_API_ACCESS_DENIED)
+			return_code = ERR_ALARM_NOT_PERMITTED_APP;
+		else
+			return_code = ERR_ALARM_SYSTEM_FAIL;
+
+		g_dbus_method_invocation_return_value(invoc, g_variant_new("(ii)", alarm_id, return_code));
+		return true;
+	}
+
 	alarm_info.start.year = start_year;
 	alarm_info.start.month = start_month;
 	alarm_info.start.day = start_day;
diff --git a/alarm-service.conf.in b/alarm-service.conf.in
index d271742..7d1e5da 100644
--- a/alarm-service.conf.in
+++ b/alarm-service.conf.in
@@ -18,7 +18,6 @@
 		<check send_destination="org.tizen.alarm.manager" send_interface="org.tizen.alarm.manager" send_member="alarm_set_rtc_time" privilege="http://tizen.org/privilege/alarm.set"/>
 		<check send_destination="org.tizen.alarm.manager" send_interface="org.tizen.alarm.manager" send_member="alarm_create" privilege="http://tizen.org/privilege/alarm.set"/>
 		<check send_destination="org.tizen.alarm.manager" send_interface="org.tizen.alarm.manager" send_member="alarm_create_noti" privilege="http://tizen.org/privilege/alarm.set"/>
-		<check send_destination="org.tizen.alarm.manager" send_interface="org.tizen.alarm.manager" send_member="alarm_create_noti" privilege="http://tizen.org/privilege/notification"/>
 		<check send_destination="org.tizen.alarm.manager" send_interface="org.tizen.alarm.manager" send_member="alarm_create_appsvc" privilege="http://tizen.org/privilege/alarm.set"/>
 		<check send_destination="org.tizen.alarm.manager" send_interface="org.tizen.alarm.manager" send_member="alarm_delete" privilege="http://tizen.org/privilege/alarm.set"/>
 		<check send_destination="org.tizen.alarm.manager" send_interface="org.tizen.alarm.manager" send_member="alarm_delete_all" privilege="http://tizen.org/privilege/alarm.set"/>
diff --git a/packaging/alarm-manager.spec b/packaging/alarm-manager.spec
index e611da2..d7bcf93 100755
--- a/packaging/alarm-manager.spec
+++ b/packaging/alarm-manager.spec
@@ -33,6 +33,9 @@ BuildRequires: pkgconfig(notification)
 BuildRequires: python-xml
 BuildRequires: pkgconfig(capi-system-info)
 BuildRequires: pkgconfig(cert-svc-vcore)
+BuildRequires: pkgconfig(cynara-client)
+BuildRequires: pkgconfig(cynara-session)
+BuildRequires: pkgconfig(cynara-creds-gdbus)
 
 %description
 Alarm Server and devel libraries
author	Inkyun Kil <inkyun.kil@samsung.com>	2018-05-16 11:31:08 +0900
committer	Inkyun Kil <inkyun.kil@samsung.com>	2018-05-16 13:28:11 +0900
commit	02b50dc3b3e6c1360238b019358ab3076e0d7bff (patch)
tree	50e725cc43b1d878f33149612202470350b0f201
parent	f57d2e91445529ccb2e50cfb9136fe09567018b7 (diff)
download	alarm-manager-02b50dc3b3e6c1360238b019358ab3076e0d7bff.tar.gz alarm-manager-02b50dc3b3e6c1360238b019358ab3076e0d7bff.tar.bz2 alarm-manager-02b50dc3b3e6c1360238b019358ab3076e0d7bff.zip