authorTomasz Swierczek <t.swierczek@samsung.com>2022-03-30 13:40:54 +0200
committerKonrad Lipinski <k.lipinski2@samsung.com>2022-07-15 10:29:12 +0200
commit4a9f132ae366297585596e6af3a03ce6fb789696 (patch)
treea9e11987bbd059a37d9a3180f7a377eb8a913e39
parent2cdc1596fc1d71b19edc5be1293912f9b7e808f4 (diff)
Basic integration with sessiond
Allow ~/subsession/$light_username/apps_rw/$pkgName as legal package directories, as needed by the lightweight multiuser feature. The new paths are in force ONLY for local app installation (the SM_APP_INSTALL_LOCAL install type in security-manager's API). Bind-mounting of the relevant per-user datadirs (separation of user data) is still lacking. This is supposed to be added at a later stage. Change-Id: Ia042e608781c139651578475c94d4283ddf70a47
-rw-r--r--packaging/security-manager.spec1
-rw-r--r--src/common/CMakeLists.txt3
-rw-r--r--src/common/include/utils.h8
-rw-r--r--src/common/service_impl_utils.cpp23
-rw-r--r--test/CMakeLists.txt3
-rw-r--r--test/test_misc.cpp16
6 files changed, 48 insertions, 6 deletions
diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec
index de4f4535..5f3951d6 100644
--- a/packaging/security-manager.spec
+++ b/packaging/security-manager.spec
@@ -41,6 +41,7 @@ BuildRequires: pkgconfig(security-privilege-manager)
BuildRequires: pkgconfig(openssl1.1)
BuildRequires: pkgconfig(mount)
BuildRequires: boost-devel
+BuildRequires: pkgconfig(libsessiond)
%if "%{build_type}" == "COVERAGE"
BuildRequires: lcov
%endif
diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt
index 194f27f9..ac1b2ff6 100644
--- a/src/common/CMakeLists.txt
+++ b/src/common/CMakeLists.txt
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2014-2020 Samsung Electronics Co., Ltd. All rights reserved.
+# Copyright (c) 2014-2022 Samsung Electronics Co., Ltd. All rights reserved.
#
# This file is licensed under the terms of MIT License or the Apache License
# Version 2.0 of your choice. See the LICENSE.MIT file for MIT license details.
@@ -25,6 +25,7 @@ SET(COMMON_VERSION ${COMMON_VERSION_MAJOR}.0.2)
PKG_CHECK_MODULES(COMMON_DEP
REQUIRED
libcap
+ libsessiond
libsystemd
libsmack
sqlite3
diff --git a/src/common/include/utils.h b/src/common/include/utils.h
index 13418073..099a9fdd 100644
--- a/src/common/include/utils.h
+++ b/src/common/include/utils.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2016-2021 Samsung Electronics Co., Ltd. All rights reserved
+ * Copyright (c) 2016-2022 Samsung Electronics Co., Ltd. All rights reserved
*
* This file is licensed under the terms of MIT License or the Apache License
* Version 2.0 of your choice. See the LICENSE.MIT file for MIT license details.
@@ -94,7 +94,6 @@ std::unique_ptr<T> makeUnique(size_t size)
return std::unique_ptr<T>(new typename std::remove_extent<T>::type[size]);
}
-
template <typename T>
static void vectorRemoveDuplicates(std::vector<T> &vec)
{
@@ -102,6 +101,11 @@ static void vectorRemoveDuplicates(std::vector<T> &vec)
vec.erase(std::unique(vec.begin(), vec.end()), vec.end());
}
+template <size_t N>
+auto possiblyUnterminatedArrayToString(const char (&array)[N]) {
+ return std::string(array, strnlen(array, N));
+}
+
} /* namespace SecurityManager */
template <class...T>
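Review bot: possiblyUnterminatedArrayToString is added without a comment stating its contract, which matters because callers rely on it to bound reads from fixed-size fields. I would add `// Copies at most N bytes from array, stopping at the first NUL; never reads past the array.` above the template, and spell the return type as `std::string` instead of `auto` so the header documents itself. The function uses `strnlen` and `std::string`; whether utils.h already includes `<cstring>` (or `<string.h>`) and `<string>` is not visible in this hunk and is worth confirming, so the header does not depend on include order.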
diff --git a/src/common/service_impl_utils.cpp b/src/common/service_impl_utils.cpp
index aed8567f..967a909c 100644
--- a/src/common/service_impl_utils.cpp
+++ b/src/common/service_impl_utils.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019-2020 Samsung Electronics Co., Ltd. All rights reserved.
+ * Copyright (c) 2019-2022 Samsung Electronics Co., Ltd. All rights reserved.
*
* This file is licensed under the terms of MIT License or the Apache License
* Version 2.0 of your choice. See the LICENSE.MIT file for MIT license details.
@@ -31,6 +31,7 @@
#include <dpl/errno_string.h>
#include "config.h"
+#include "sessiond.h"
#include "tzplatform-config.h"
#include "utils.h"
@@ -179,6 +180,26 @@ int getLegalPkgBaseDirs(const uid_t &uid,
legalPkgDirs.push_back(std::move(sharedROPath));
}
+ if (SM_APP_INSTALL_LOCAL == installType) {
+ subsession_user_t *userList = nullptr;
+ int userCount;
+
+ if (SUBSESSION_ERROR_NONE != subsession_get_user_list(uid, &userList, &userCount)) {
+ LogError("Can't determine list of users for session");
+ return SECURITY_MANAGER_ERROR_UNKNOWN;
+ }
+
+ const auto userListGuard = makeUnique(userList, free);
+ const auto allowedLocalPath = homePath + "subsession/";
+
+ for (int i = 0; i < userCount; i++) {
+ std::string newPath = allowedLocalPath
+ + possiblyUnterminatedArrayToString(userList[i]) + "/apps_rw/" + pkgName;
+ LogDebug("Adding new allowed path: " << newPath);
+ legalPkgDirs.emplace_back(std::move(newPath));
+ }
+ }
+
return SECURITY_MANAGER_SUCCESS;
}
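Review bot: The user names returned by subsession_get_user_list() are concatenated into a legal package directory with no check on their content, in the loop that builds `newPath`. If a name were empty or contained `/` or `..`, the resulting entry would no longer sit under `subsession/<user>/apps_rw/`, which would widen the set of directories this function reports as legal. sessiond may already restrict names, but that is not visible here. With the converted string held in a local `name`, a guard such as `if (name.empty() || name == "." || name == ".." || name.find('/') != std::string::npos) return SECURITY_MANAGER_ERROR_UNKNOWN;` before the `emplace_back` would keep the check next to the path construction. getLegalPkgBaseDirs starts outside this hunk, so how `homePath` and `pkgName` are validated cannot be judged from here.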
diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
index 75e85c96..11e79554 100644
--- a/test/CMakeLists.txt
+++ b/test/CMakeLists.txt
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2016-2020 Samsung Electronics Co., Ltd. All rights reserved.
+# Copyright (c) 2016-2022 Samsung Electronics Co., Ltd. All rights reserved.
#
# This file is licensed under the terms of MIT License or the Apache License
# Version 2.0 of your choice. See the LICENSE.MIT file for MIT license details.
@@ -21,6 +21,7 @@
PKG_CHECK_MODULES(COMMON_DEP REQUIRED
libtzplatform-config
+ libsessiond
libsystemd
libsmack
sqlite3
diff --git a/test/test_misc.cpp b/test/test_misc.cpp
index a511463b..80716a0f 100644
--- a/test/test_misc.cpp
+++ b/test/test_misc.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020 Samsung Electronics Co., Ltd. All rights reserved.
+ * Copyright (c) 2020-2022 Samsung Electronics Co., Ltd. All rights reserved.
*
* This file is licensed under the terms of MIT License or the Apache License
* Version 2.0 of your choice. See the LICENSE.MIT file for MIT license details.
@@ -172,4 +172,18 @@ POSITIVE_TEST_CASE(T292_exception_class)
BOOST_REQUIRE_NO_THROW(Exception::DisplayUnknownException());
}
+POSITIVE_TEST_CASE(T293_possiblyUnterminatedArrayToString)
+{
+ char a[] = {'k', 'o', 't', 'a'};
+ BOOST_REQUIRE_EQUAL("kota", possiblyUnterminatedArrayToString(a));
+ a[3] = '\0';
+ BOOST_REQUIRE_EQUAL("kot", possiblyUnterminatedArrayToString(a));
+ a[2] = '\0';
+ BOOST_REQUIRE_EQUAL("ko", possiblyUnterminatedArrayToString(a));
+ a[1] = '\0';
+ BOOST_REQUIRE_EQUAL("k", possiblyUnterminatedArrayToString(a));
+ a[0] = '\0';
+ BOOST_REQUIRE_EQUAL("", possiblyUnterminatedArrayToString(a));
+}
+
BOOST_AUTO_TEST_SUITE_END()
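Review bot: T293 never exercises an array with non-NUL bytes after the first NUL, because each step only zeroes the last remaining character, so everything behind the terminator is already zero. The property callers depend on is that data past the first NUL is dropped, so I would add `char b[] = {'k', '\0', 't', 'a'};` followed by `BOOST_REQUIRE_EQUAL("k", possiblyUnterminatedArrayToString(b));`. A `const char` array case would also confirm the template binds to the type used in production, which is presumably the sessiond user-name typedef.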