diff options
| author | Krzysztof Jackiewicz <k.jackiewicz@samsung.com> | 2016-12-06 09:14:49 +0100 |
|---|---|---|
| committer | Krzysztof Jackiewicz <k.jackiewicz@samsung.com> | 2016-12-06 09:14:49 +0100 |
| commit | 7d6751eba585e9a2e8470698d571fd6245c9a954 (patch) | |
| tree | b1d78f5ff9b23261197961b2bc5b070cd256f8af | |
| parent | 8ddf41c17f7c0e3689854c0e48e05efb6389e3b6 (diff) | |
| download | security-manager-7d6751eba585e9a2e8470698d571fd6245c9a954.tar.gz security-manager-7d6751eba585e9a2e8470698d571fd6245c9a954.tar.bz2 security-manager-7d6751eba585e9a2e8470698d571fd6245c9a954.zip | |
Properly handle case of unknown "Ask user" policy
If askuser plugin is not registered in cynara (as in case of headless image)
CynaraAdmin::convertToPolicyType() couldn't find the policy type and was
throwing an exception.
In such cases security-manager will catch the exception and skip the code
related to askuser.
Change-Id: Ie2182a0936e62594a91bcdf22c39997ef9a65f9f
| -rw-r--r-- | src/common/cynara.cpp | 81 | ||||
| -rw-r--r-- | src/common/service_impl.cpp | 18 |
2 files changed, 53 insertions, 46 deletions
diff --git a/src/common/cynara.cpp b/src/common/cynara.cpp index 21dcf578..75f03192 100644 --- a/src/common/cynara.cpp +++ b/src/common/cynara.cpp @@ -346,28 +346,32 @@ void CynaraAdmin::UpdateAppPolicy( policies); if (Config::IS_ASKUSER_ENABLED) { - int askUserPolicy = convertToPolicyType(Config::PRIVACY_POLICY_DESC); - - std::vector<std::string> privacyPrivileges; - for (auto &p : privileges) - if (isPrivacy(label, p)) - privacyPrivileges.push_back(p); - - // 2nd, performing operation on PRIVACY_MANAGER bucket for all affected users - if (user == CYNARA_ADMIN_WILDCARD) { - // perform bucket setting for all users in the system, app is installed for everyone - std::vector<uid_t> users; - ListUsers(users); - for (uid_t id : users) { - calcPolicies(std::to_string(id), privacyPrivileges, - Buckets.at(Bucket::PRIVACY_MANAGER), + try { + int askUserPolicy = convertToPolicyType(Config::PRIVACY_POLICY_DESC); + + std::vector<std::string> privacyPrivileges; + for (auto &p : privileges) + if (isPrivacy(label, p)) + privacyPrivileges.push_back(p); + + // 2nd, performing operation on PRIVACY_MANAGER bucket for all affected users + if (user == CYNARA_ADMIN_WILDCARD) { + // perform bucket setting for all users in the system, app is installed for everyone + std::vector<uid_t> users; + ListUsers(users); + for (uid_t id : users) { + calcPolicies(std::to_string(id), privacyPrivileges, + Buckets.at(Bucket::PRIVACY_MANAGER), + askUserPolicy, policies); + } + } else { + // local single user installation, do it only for that particular user + calcPolicies(user, privacyPrivileges, Buckets.at(Bucket::PRIVACY_MANAGER), askUserPolicy, policies); } - } else { - // local single user installation, do it only for that particular user - calcPolicies(user, privacyPrivileges, Buckets.at(Bucket::PRIVACY_MANAGER), - askUserPolicy, policies); - } + } catch (const std::out_of_range&) { + LogDebug("Unknown policy level: " << Config::PRIVACY_POLICY_DESC); + }; } SetPolicies(policies); } @@ -423,22 +427,27 @@ void CynaraAdmin::UserInit(uid_t uid, security_manager_user_type userType, Buckets.at(Bucket::MAIN))); if (Config::IS_ASKUSER_ENABLED) { - // for each global app: retrieve its privacy-related privileges and set - // their policy in PRIVACY_MANAGER bucket to "Ask user" - int askUserPolicy = convertToPolicyType(Config::PRIVACY_POLICY_DESC); - - std::vector<CynaraAdminPolicy> appPolicies; - ListPolicies(CynaraAdmin::Buckets.at(Bucket::MANIFESTS), - CYNARA_ADMIN_ANY, CYNARA_ADMIN_WILDCARD, - CYNARA_ADMIN_ANY, appPolicies); - - for (CynaraAdminPolicy &policy : appPolicies) - if (isPrivacy(policy.client, policy.privilege)) - policies.push_back(CynaraAdminPolicy(policy.client, - userStr, - policy.privilege, - askUserPolicy, - Buckets.at(Bucket::PRIVACY_MANAGER))); + try{ + // for each global app: retrieve its privacy-related privileges and set + // their policy in PRIVACY_MANAGER bucket to "Ask user" + + int askUserPolicy = convertToPolicyType(Config::PRIVACY_POLICY_DESC); + + std::vector<CynaraAdminPolicy> appPolicies; + ListPolicies(CynaraAdmin::Buckets.at(Bucket::MANIFESTS), + CYNARA_ADMIN_ANY, CYNARA_ADMIN_WILDCARD, + CYNARA_ADMIN_ANY, appPolicies); + + for (CynaraAdminPolicy &policy : appPolicies) + if (isPrivacy(policy.client, policy.privilege)) + policies.push_back(CynaraAdminPolicy(policy.client, + userStr, + policy.privilege, + askUserPolicy, + Buckets.at(Bucket::PRIVACY_MANAGER))); + } catch (const std::out_of_range&) { + LogDebug("Unknown policy level: " << Config::PRIVACY_POLICY_DESC); + }; } SetPolicies(policies); diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp index a9fd8546..e7b2dd31 100644 --- a/src/common/service_impl.cpp +++ b/src/common/service_impl.cpp @@ -447,16 +447,14 @@ int ServiceImpl::labelPaths(const pkg_paths &paths, bool ServiceImpl::isPrivilegePrivacy(const std::string &clientLabel, const std::string &privilege) { - if (Config::IS_ASKUSER_ENABLED) { - int ret = privilege_info_is_privacy2(clientLabel.c_str(), privilege.c_str()); - if (ret == 1) - return true; - if (ret != 0) - LogError("privilege_info_is_privacy called with " << privilege << " returned error: " << ret); - // FIXME: we should probably disallow such installation where privilege is not known - // However, currently privielge-checker seems to return -1 with so many real privileges - // that it would make ask-user testing impossible. - } + int ret = privilege_info_is_privacy2(clientLabel.c_str(), privilege.c_str()); + if (ret == 1) + return true; + if (ret != 0) + LogError("privilege_info_is_privacy called with " << privilege << " returned error: " << ret); + // FIXME: we should probably disallow such installation where privilege is not known + // However, currently privielge-checker seems to return -1 with so many real privileges + // that it would make ask-user testing impossible. return false; } |