authorRafal Krypa <r.krypa@samsung.com>2017-12-19 10:00:15 +0100
committerDariusz Michaluk <d.michaluk@samsung.com>2017-12-22 14:34:24 +0000
commit77f347fa83a11da75dcf923873ad05b7fc9a401f (patch)
tree659b95a991f88c7d3ec66865af3ee0a0db93bd2f
parent97ef7cec3d572819da97bed3471f52121ab1d0ee (diff)
client: do not add application process to hardcoded groups
The initial implementation of privilege enforcement with mount namespaces included client code that added every application process to a hardcoded set of groups: priv_externalstorage and priv_mediastorage. This is wrong. Enforcement of privileges by groups or by mount namespaces is configured in privilege-group.list and privilege-mount.list respectively. An application process should be added to a group if and only if it holds a privilege that is configured to be enforced with a group. Likewise, the proper mounts and umounts are performed in the application mount namespace based on the privilege status. There is no need to hardcode groups. If a privilege is enforced with a mount namespace, it should not require an additional group assignment. If it used to be enforced with a group but has been switched to enforcement with a mount, the filesystem permissions need to be adjusted, not the security-manager code. The mediastorage and externalstorage privileges are now enforced with bind mounts. They are being removed from the privilege-group mapping, since combining these two mechanisms is undesired. Change-Id: I41204daa24329e8e9648b3ecb4e53d87c763b35b Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
-rw-r--r--policy/privilege-group.list2
-rw-r--r--src/client/client-security-manager.cpp26
2 files changed, 0 insertions, 28 deletions
diff --git a/policy/privilege-group.list b/policy/privilege-group.list
index 548f7e75..0c94ad97 100644
--- a/policy/privilege-group.list
+++ b/policy/privilege-group.list
@@ -6,8 +6,6 @@
# - lines starting with '#' are ignored
http://tizen.org/privilege/camera priv_camera
http://tizen.org/privilege/recorder priv_recorder
-http://tizen.org/privilege/mediastorage priv_mediastorage
-http://tizen.org/privilege/externalstorage priv_externalstorage
http://tizen.org/privilege/message.read priv_message_read
http://tizen.org/privilege/mapservice priv_mapservice
http://tizen.org/privilege/internet priv_internet
diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp
index 8754740b..a6cc600b 100644
--- a/src/client/client-security-manager.cpp
+++ b/src/client/client-security-manager.cpp
@@ -782,26 +782,6 @@ static inline int security_manager_bind_namespace_internal(const char *app_name)
return request.send(std::string(app_name)).getStatus();
});
}
-static inline int security_manager_set_process_groups_internal(void)
-{
- int ret;
- struct group *grp;
- const std::vector<std::string> groupsNames = {"priv_externalstorage", "priv_mediastorage"};
- std::vector<gid_t> groupsGids;
-
- ret = getProcessGroups(groupsGids);
- if (ret != SECURITY_MANAGER_SUCCESS)
- return ret;
-
- for (const auto &groupName : groupsNames) {
- grp = getgrnam(groupName.c_str());
- if (grp)
- groupsGids.push_back(grp->gr_gid);
- }
-
- std::unordered_set<gid_t> groupsSet(groupsGids.begin(), groupsGids.end());
- return setProcessGroups(std::vector<gid_t>(groupsSet.begin(), groupsSet.end()));
-}
static inline int security_manager_create_namespace_internal(const char *app_name)
{
@@ -841,12 +821,6 @@ static inline int security_manager_create_namespace_internal(const char *app_nam
}
}
- ret = security_manager_set_process_groups_internal();
- if (ret != SECURITY_MANAGER_SUCCESS) {
- LogError("Failed to set process group: " << security_manager_strerror(static_cast<lib_retcode>(ret)));
- return ret;
- }
-
ret = security_manager_bind_namespace_internal(app_name);
if (ret != SECURITY_MANAGER_SUCCESS) {
LogError("Failed to bind app namespace: " << security_manager_strerror(static_cast<lib_retcode>(ret)) << " App name:" << app_name);