2 * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 * @file access_provider.cpp
18 * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
19 * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
21 * @brief Common functions and macros used in security-tests package.
23 #include <sys/types.h>
25 #include <sys/smack.h>
27 #include <access_provider2.h>
28 #include <tests_common.h>
29 #include <ckm-common.h>
30 #include <scoped_process_label.h>
34 std::string toSmackLabel(const std::string &ownerId) {
38 if (ownerId[0] == '/') {
39 return ownerId.substr(1, std::string::npos);
42 return SMACK_USER_APP_PREFIX + ownerId;
45 } // anonymous namespace
47 AccessProvider::AccessProvider(const std::string &ownerId)
48 : m_mySubject(toSmackLabel(ownerId))
49 , m_inSwitchContext(false)
51 RUNNER_ASSERT_MSG(m_mySubject.size() > 0, "No smack label provided to AccessProvider!");
55 AccessProvider::AccessProvider(const std::string &ownerId, int uid, int gid)
56 : m_mySubject(toSmackLabel(ownerId))
57 , m_inSwitchContext(false)
59 RUNNER_ASSERT_MSG(m_mySubject.size() > 0, "No smack label provided to AccessProvider!");
61 applyAndSwithToUser(uid, gid);
64 AccessProvider::~AccessProvider()
69 void AccessProvider::allowAPI(const std::string &api, const std::string &rule) {
70 m_smackAccess.add(m_mySubject, api, rule);
73 void AccessProvider::apply() {
74 // This should be done by security-manager
75 m_smackAccess.add("System", m_mySubject, "w");
76 m_smackAccess.add(m_mySubject, "System", "w");
77 m_smackAccess.apply();
80 void AccessProvider::applyAndSwithToUser(int uid, int gid)
82 RUNNER_ASSERT_MSG(m_inSwitchContext == false, "already switched context");
84 RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_mySubject.c_str()),
85 "Error in smack_revoke_subject(" << m_mySubject << ")");
88 m_processLabel.reset(new ScopedProcessLabel(m_mySubject));
92 RUNNER_ASSERT_MSG(0 == setegid(gid),
94 RUNNER_ASSERT_MSG(0 == seteuid(uid),
96 m_inSwitchContext = true;
99 void AccessProvider::allowJournaldLogs() {
100 allowAPI("System::Run","wx"); // necessary for logging with journald
103 ScopedAccessProvider::~ScopedAccessProvider()
105 if(m_inSwitchContext == true)
107 RUNNER_ASSERT_MSG(0 == setegid(m_origGid), "Error in setgid.");
108 RUNNER_ASSERT_MSG(0 == seteuid(m_origUid), "Error in setuid.");
109 RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_mySubject.c_str()),
110 "Error in smack_revoke_subject(" << m_mySubject << ")");
111 m_processLabel.reset();
112 m_inSwitchContext = false;