diff options
| author |   Marius Vlad <marius.vlad@collabora.com> | 2020-07-10 15:56:21 +0300 |
|---|---|---|
| committer | Marius Vlad <marius.vlad@collabora.com> | 2020-07-14 19:34:18 +0300 |
| commit | 5fe16df2348396c87ab24ef5e2a5e6ceaf2eb4c6 (patch) | |
| tree | 937050fa71edc8236625d08008cd7a8a4f833803 /src/policy-deny.c | |
| parent | 39ea644837dd29cd47a579a9703b43458187f82b (diff) | |
policy-*: Remove any private binding restrictions for allow-all policyjellyfish_9.99.2jellyfish/9.99.29.99.2
As we don't have any proper mechanisms in place to perform some
level of authentication on the clients binding to the private extensions,
we will resort to allow that to happen, under the default, allow-all policy.
In the same time we add some helpers for checking which applications can
bind to the private extensions but this is for the deny-all policy.
This also includes cluster-receiver and cluster-dashboard application to
that array, as without it the cluster-demo will not all work when using
the deny-all policy.
Bug-AGL: SPEC-3382
Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
Change-Id: I9ea0d8fd63a323bfcee6aa146a1617aa572d131f
Diffstat (limited to 'src/policy-deny.c')
| -rw-r--r-- | src/policy-deny.c | 56 |
1 files changed, 46 insertions, 10 deletions
diff --git a/src/policy-deny.c b/src/policy-deny.c index 5b2336a..823f331 100644 --- a/src/policy-deny.c +++ b/src/policy-deny.c @@ -33,10 +33,26 @@ #include <string.h> #include "shared/helpers.h" +#ifdef HAVE_SMACK +static const char *const bind_agl_shell[] = { + "User::App::homescreen", + "User::App::cluster-gauges" /* cluster-dashboard */ +}; + +static const char *const bind_agl_shell_desktop[] = { + "User::App::launcher", + "User::App::alexa-viewer", + "User::App::tbtnavi", + "User::App::hvac", + "User::App::xdg-cluster-receiver", /* cluster-receiver, native XDG app*/ + "User::App::cluster-receiver" /* cluster-receiver, Qt app */ +}; +#endif -static const char *const applications_permitted[] = { "homescreen", "alexa-viewer", - "launcher", "hvac", - "navigation", "mediaplayer" }; +static const char *const applications_permitted[] = { + "homescreen", "alexa-viewer", "launcher", "hvac", + "navigation", "mediaplayer" +}; /* helper start searches the applications_permitted for the * app_id @@ -51,6 +67,31 @@ ivi_policy_verify_permitted_app(const char *app_id) return false; } +#ifdef HAVE_SMACK +/* helper to determine which applications are allowed to bind to the + * private extensions + */ +static bool +ivi_policy_check_bind_agl_shell(const char *app_id) +{ + for (size_t i = 0; i < ARRAY_LENGTH(bind_agl_shell); i++) + if (strcmp(app_id, bind_agl_shell[i]) == 0) + return true; + + return false; +} + +static bool +ivi_policy_check_bind_agl_shell_desktop(const char *app_id) +{ + for (size_t i = 0; i < ARRAY_LENGTH(bind_agl_shell_desktop); i++) + if (strcmp(app_id, bind_agl_shell_desktop[i]) == 0) + return true; + + return false; +} +#endif + static bool ivi_policy_verify_ivi_surface(struct ivi_surface *surf) { @@ -124,15 +165,10 @@ ivi_policy_default_shell_bind_interface(void *client, void *interface) } if (strcmp(shell_interface->name, "agl_shell") == 0) - if (strcmp(label, "User::App::homescreen") == 0) - ret = true; + ret = ivi_policy_check_bind_agl_shell(label); if (strcmp(shell_interface->name, "agl_shell_desktop") == 0) - if (strcmp(label, "User::App::launcher") == 0 || - strcmp(label, "User::App::alexa-viewer") == 0 || - strcmp(label, "User::App::tbtnavi") == 0 || - strcmp(label, "User::App::hvac") == 0) - ret = true; + ret = ivi_policy_check_bind_agl_shell_desktop(label); if (ret) weston_log("Client with pid %d, uid %d, gid %d, allowed " |