CKM: Use pkgId instead smack label in tests.

[platform/core/test/security-tests.git] / src / ckm / access_provider2.cpp

/*
 * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
 *
 *    Licensed under the Apache License, Version 2.0 (the "License");
 *    you may not use this file except in compliance with the License.
 *    You may obtain a copy of the License at
 *
 *        http://www.apache.org/licenses/LICENSE-2.0
 *
 *    Unless required by applicable law or agreed to in writing, software
 *    distributed under the License is distributed on an "AS IS" BASIS,
 *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *    See the License for the specific language governing permissions and
 *    limitations under the License.
 */
/*
 * @file        access_provider.cpp
 * @author      Bartlomiej Grzelewski (b.grzelewski@samsung.com)
 * @version     1.0
 * @brief       Common functions and macros used in security-tests package.
 */
#include <sys/types.h>
#include <unistd.h>
#include <sys/smack.h>

#include <access_provider2.h>
#include <tests_common.h>
#include <ckm-common.h>

namespace {

std::string toSmackLabel(const std::string &ownerId) {
    if (ownerId.empty())
        return ownerId;

    if (ownerId[0] == '/') {
        return ownerId.substr(1, std::string::npos);
    }

    return SMACK_USER_APP_PREFIX + ownerId;
}

} // anonymous namespace

AccessProvider::AccessProvider(const std::string &ownerId)
  : m_mySubject(toSmackLabel(ownerId))
  , m_inSwitchContext(false)
{
    RUNNER_ASSERT_MSG(m_mySubject.size() > 0, "No smack label provided to AccessProvider!");
    allowJournaldLogs();
}

AccessProvider::AccessProvider(const std::string &ownerId, int uid, int gid)
  : m_mySubject(toSmackLabel(ownerId))
  , m_inSwitchContext(false)
{
    RUNNER_ASSERT_MSG(m_mySubject.size() > 0, "No smack label provided to AccessProvider!");
    allowJournaldLogs();
    applyAndSwithToUser(uid, gid);
}

void AccessProvider::allowAPI(const std::string &api, const std::string &rule) {
    m_smackAccess.add(m_mySubject, api, rule);
}

void AccessProvider::apply() {
    // This should be done by security-manager
    m_smackAccess.add("System", m_mySubject, "w");
    m_smackAccess.add(m_mySubject, "System", "w");
    m_smackAccess.apply();
}

void AccessProvider::applyAndSwithToUser(int uid, int gid)
{
    RUNNER_ASSERT_MSG(m_inSwitchContext == false, "already switched context");

    // get calling label
    char* my_label = NULL;
    RUNNER_ASSERT(smack_new_label_from_self(&my_label) > 0);
    if(my_label)
    {
        m_origLabel = std::string(my_label);
        free(my_label);
    }
    RUNNER_ASSERT(m_origLabel.size() > 0);

    RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_mySubject.c_str()),
        "Error in smack_revoke_subject(" << m_mySubject << ")");
    apply();
    RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(m_mySubject.c_str()),
        "Error in smack_set_label_for_self.");

    m_origUid = getuid();
    m_origGid = getgid();
    RUNNER_ASSERT_MSG(0 == setegid(gid),
        "Error in setgid.");
    RUNNER_ASSERT_MSG(0 == seteuid(uid),
        "Error in setuid.");
    m_inSwitchContext = true;
}

void AccessProvider::allowJournaldLogs() {
    allowAPI("System::Run","wx"); // necessary for logging with journald
}

ScopedAccessProvider::~ScopedAccessProvider()
{
    if(m_inSwitchContext == true)
    {
        RUNNER_ASSERT_MSG(0 == setegid(m_origGid), "Error in setgid.");
        RUNNER_ASSERT_MSG(0 == seteuid(m_origUid), "Error in setuid.");
        RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_mySubject.c_str()),
            "Error in smack_revoke_subject(" << m_mySubject << ")");
        RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(m_origLabel.c_str()),
            "Error in smack_set_label_for_self.");
        m_inSwitchContext = false;
    }
}