blob: b131f4d99131be38c6f2109dc4ba09b367f6b297 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
#!/bin/sh -e
POLICY_PATH=/usr/share/security-manager/policy
PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list
PRIVILEGE_MAPPING=$POLICY_PATH/privilege-mapping.list
DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db
# Create default buckets
while read bucket default_policy
do
# Reuse the primary bucket for PRIVACY_MANAGER bucket
[ "$bucket" = "PRIVACY_MANAGER" ] && bucket=""
cyad --set-bucket="$bucket" --type="$default_policy"
done <<END
PRIVACY_MANAGER DENY
ADMIN NONE
MAIN DENY
MANIFESTS DENY
END
# Link buckets together
while read bucket_src bucket_dst
do
# Reuse the main bucket for PRIVACY_MANAGER bucket
[ "$bucket_src" = "PRIVACY_MANAGER" ] && bucket_src=""
cyad --set-policy --client="*" --user="*" --privilege="*" --type=BUCKET \
--bucket="$bucket_src" --metadata="$bucket_dst"
done <<END
MAIN MANIFESTS
PRIVACY_MANAGER MAIN
END
# Import user-type policies
find "$POLICY_PATH" -name "usertype-*.profile" |
while read file
do
bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\U\1|'`"
# Re-create the bucket with empty contents
cyad --delete-bucket=$bucket || true
cyad --set-bucket=$bucket --type=DENY
# Link the bucket to ADMIN bucket
cyad --set-policy --client="*" --user="*" --privilege="*" --type=BUCKET \
--bucket="$bucket" --metadata="ADMIN"
grep -v ^\' $file |
while read app privilege
do
user="*" # Match any user id
policy="0xFFFF" # ALLOW (FIXME: cyad should parse policy names, not numeric values)
printf '%s;%s;%s;%s;%s;\n' "$bucket" "$user" "$app" "$privilege" "$policy"
done |
cyad --set-policy --bulk=-
done
# Non-application programs get access to all privileges
for client in User System
do
cyad --set-policy --bucket=MANIFESTS --client="$client" --user="*" --privilege="*" --type=ALLOW
done
# Load privilege-group mappings
(
echo "BEGIN;"
echo "DELETE FROM privilege_group;"
grep -v '^#' "$PRIVILEGE_GROUP_MAPPING" |
while read privilege group
do
echo "INSERT INTO privilege_group_view (privilege_name, group_name) VALUES ('$privilege', '$group');"
done
echo "COMMIT;"
) | sqlite3 "$DB_FILE"
# Load privilege-privilege mappings
(
echo "BEGIN;"
echo "DELETE FROM privilege_mapping;"
grep -v '^#' "$PRIVILEGE_MAPPING" |
while read version_from version_to privilege mapping
do
echo "INSERT INTO privilege_mapping_view (version_from_name, version_to_name, privilege_name, privilege_mapping_name) VALUES ('$version_from', '$version_to', '$privilege', '$mapping');"
done
echo "COMMIT;"
) | sqlite3 "$DB_FILE"
|