author | Rafal Krypa <r.krypa@samsung.com> | 2014-09-02 11:45:51 +0200 |
---|---|---|
committer | Rafal Krypa <r.krypa@samsung.com> | 2014-09-12 17:02:24 +0200 |
commit | 179954b28298017d507d8b16934e0b9feb5fa10a (patch) | |
tree | 17e279e21167ae769c947709cad7e9287c667ecd | |
parent | a017fe6aa8867e652b1b92a86357e296ba11b496 (diff) | |
Implement checking policies with Cynara
Support calling libcynara-client to check for applications permissions.
Change-Id: Icb44dc9a24f0ef519863075203b3be8eb0b07c2c
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
-rw-r--r-- | packaging/security-manager.spec | 1 | ||||
-rw-r--r-- | src/server/CMakeLists.txt | 1 | ||||
-rw-r--r-- | src/server/service/cynara.cpp | 40 | ||||
-rw-r--r-- | src/server/service/include/cynara.h | 24 |
4 files changed, 66 insertions, 0 deletions
diff --git a/packaging/security-manager.spec b/packaging/security-manager.spec
index c4552c99..4f36bc55 100644
--- a/packaging/security-manager.spec
+++ b/packaging/security-manager.spec
@@ -20,6 +20,7 @@ BuildRequires: pkgconfig(libtzplatform-config)
 BuildRequires: pkgconfig(sqlite3)
 BuildRequires: pkgconfig(db-util)
 BuildRequires: pkgconfig(cynara-admin)
+BuildRequires: pkgconfig(cynara-client)
 BuildRequires: boost-devel
 %{?systemd_requires}
diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt
index 85951118..8049cbeb 100644
--- a/src/server/CMakeLists.txt
+++ b/src/server/CMakeLists.txt
@@ -7,6 +7,7 @@ PKG_CHECK_MODULES(SERVER_DEP
     sqlite3
     db-util
     cynara-admin
+    cynara-client
 )
 FIND_PACKAGE(Boost REQUIRED)
diff --git a/src/server/service/cynara.cpp b/src/server/service/cynara.cpp
index 60504447..6db3e9e7 100644
--- a/src/server/service/cynara.cpp
+++ b/src/server/service/cynara.cpp
@@ -208,5 +208,45 @@ void CynaraAdmin::UpdatePackagePolicy(
     cynaraAdmin.SetPolicies(policies);
 }
+static bool checkCynaraError(int result, const std::string &msg)
+{
+    // TODO: Cynara client error codes are being currently refactored
+    // This function must be updated when the refactor is finished.
+    switch (result) {
+    case CYNARA_API_SUCCESS:
+        return true;
+    case CYNARA_API_ACCESS_DENIED:
+        return false;
+    case CYNARA_API_OUT_OF_MEMORY:
+        ThrowMsg(CynaraException::OutOfMemory, msg);
+    case CYNARA_API_INVALID_PARAM:
+        ThrowMsg(CynaraException::InvalidParam, msg);
+    case CYNARA_API_SERVICE_NOT_AVAILABLE:
+        ThrowMsg(CynaraException::ServiceNotAvailable, msg);
+    default:
+        ThrowMsg(CynaraException::UnknownError, msg);
+    }
+}
+
+Cynara::Cynara()
+{
+    checkCynaraError(
+        cynara_initialize(&m_Cynara, nullptr),
+        "Cannot connect to Cynara policy interface.");
+}
+
+Cynara::~Cynara()
+{
+    cynara_finish(m_Cynara);
+}
+
+bool Cynara::check(const std::string &label, const std::string &privilege,
+    const std::string &user, const std::string &session)
+{
+    return checkCynaraError(
+        cynara_check(m_Cynara,
+            label.c_str(), session.c_str(), user.c_str(), privilege.c_str()),
+        "Cannot check permission with Cynara.");
+}
 } // namespace SecurityManager
diff --git a/src/server/service/include/cynara.h b/src/server/service/include/cynara.h
index 187b53f5..c660a2ec 100644
--- a/src/server/service/include/cynara.h
+++ b/src/server/service/include/cynara.h
@@ -24,6 +24,7 @@
 #ifndef _SECURITY_MANAGER_CYNARA_
 #define _SECURITY_MANAGER_CYNARA_
+#include <cynara-client.h>
 #include <cynara-admin.h>
 #include <dpl/exception.h>
 #include <string>
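Review bot: `checkCynaraError` has no `return` after the `switch`, so the function is only well-formed if the compiler knows every `ThrowMsg` branch does not return; if `ThrowMsg` expands to a `throw` expression that holds, but if it is a function without a noreturn attribute this is undefined behaviour on the `default:` path and most compilers will warn. A trailing `return false;` after the switch keeps the fail-closed outcome explicit either way, and the `default:` branch deserves a comment such as `// Fail closed: any code not listed above is an error, never an allow.` given the TODO that the client error codes are still being refactored. In `Cynara::check` the parameters arrive as (label, privilege, user, session) but are passed to `cynara_check` as (label, session, user, privilege); a comment above the call, `// cynara_check() takes (client, client_session, user, privilege)`, makes the reorder deliberate and protects against a future edit silently swapping session and privilege. `Cynara::Cynara()` leaves `m_Cynara` unset when `cynara_initialize` fails, which is safe only because the thrown exception prevents `~Cynara()` from running — worth stating in a comment so nobody later catches inside the constructor.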
@@ -106,6 +107,29 @@ private:
     struct cynara_admin *m_CynaraAdmin;
 };
+class Cynara
+{
+public:
+    Cynara();
+    virtual ~Cynara();
+
+    /**
+     * Ask Cynara for permission.
+     *
+     * @param label application Smack label
+     * @param privilege privilege identifier
+     * @param user user identifier (uid)
+     * @param session session identifier
+     * @return true if access is permitted, false if denied
+     */
+    bool check(const std::string &label, const std::string &privilege,
+               const std::string &user, const std::string &session);
+
+private:
+    struct cynara *m_Cynara;
+};
+
+
 } // namespace SecurityManager
 #endif // _SECURITY_MANAGER_CYNARA_ |
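Review bot: `Cynara` owns a raw `struct cynara *` that `~Cynara()` releases with `cynara_finish`, but copying is not suppressed, so a copied or assigned `Cynara` would finish the same handle twice and leave the other object holding a dangling pointer; add `Cynara(const Cynara &) = delete;` and `Cynara &operator=(const Cynara &) = delete;` beside the constructor (the existing `CynaraAdmin`, declared outside this hunk, should get the same treatment if it does not already have it). The `@return` documentation should also state that failures other than an explicit deny — no connection, invalid parameter, unknown result code — surface as a thrown `CynaraException` rather than as `false`, since a caller gating access needs to know a transport error is never reported as a decision; e.g. `@throws CynaraException on any failure other than an explicit deny`. Whether one `struct cynara` handle may be shared across server threads is not stated anywhere in the hunk; if the service dispatches requests concurrently that constraint needs documenting on the class or a lock around `check`.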