-/*
- * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * @file access_provider.cpp
- * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
- * @version 1.0
- * @brief Common functions and macros used in security-tests package.
- */
-#include <sys/types.h>
-#include <unistd.h>
-#include <sys/smack.h>
-
-#include <access_provider2.h>
-#include <tests_common.h>
-#include <ckm-common.h>
-#include <scoped_process_label.h>
-
-namespace {
-
-std::string toSmackLabel(const std::string &ownerId) {
- if (ownerId.empty())
- return ownerId;
-
- if (ownerId[0] == '/') {
- return ownerId.substr(1, std::string::npos);
- }
-
- return SMACK_USER_APP_PREFIX + ownerId;
-}
-
-} // anonymous namespace
-
-AccessProvider::AccessProvider(const std::string &ownerId, int uid, int gid)
- : m_mySubject(toSmackLabel(ownerId))
- , m_inSwitchContext(false)
-{
- RUNNER_ASSERT_MSG(m_mySubject.size() > 0, "No smack label provided to AccessProvider!");
- allowJournaldLogs();
- applyAndSwithToUser(uid, gid);
-}
-
-AccessProvider::~AccessProvider()
-{
-
-}
-
-void AccessProvider::allowAPI(const std::string &api, const std::string &rule) {
- m_smackAccess.add(m_mySubject, api, rule);
-}
-
-void AccessProvider::apply() {
- // This should be done by security-manager
- m_smackAccess.add("System", m_mySubject, "w");
- m_smackAccess.add(m_mySubject, "System", "w");
- m_smackAccess.apply();
-}
-
-void AccessProvider::applyAndSwithToUser(int uid, int gid)
-{
- RUNNER_ASSERT_MSG(m_inSwitchContext == false, "already switched context");
-
- clear();
- apply();
-
- m_processLabel.reset(new ScopedProcessLabel(m_mySubject));
-
- m_origUid = getuid();
- m_origGid = getgid();
- RUNNER_ASSERT_MSG(0 == setegid(gid),
- "Error in setgid.");
- RUNNER_ASSERT_MSG(0 == seteuid(uid),
- "Error in setuid.");
- m_inSwitchContext = true;
-}
-
-void AccessProvider::clear() {
- m_smackAccess.clear();
-}
-
-void AccessProvider::allowJournaldLogs() {
- allowAPI("System::Run","wx"); // necessary for logging with journald
-}
-
-ScopedAccessProvider::~ScopedAccessProvider()
-{
- if(m_inSwitchContext == true)
- {
- RUNNER_ASSERT_MSG(0 == setegid(m_origGid), "Error in setgid.");
- RUNNER_ASSERT_MSG(0 == seteuid(m_origUid), "Error in setuid.");
- clear();
- m_processLabel.reset();
- m_inSwitchContext = false;
- }
-}