Some tests temporarily add new Smack rules in order to test unprivileged
access to system services. After the test, they are cleared with
smack_revoke_subject. However, this only removes rules where the test
application is the subject.
I have replaced calls where this is an issue with a smack_accesses_clear
call, which removes all rules loaded with a given handle. Since affected
tests do not modify Smack rules in any other way and only use test
labels for fake apps, there can be no rule that the old call removed
and the new call does not.
Change-Id: I841d6b7ad05549d8837645e3d9176f4db7029908
- * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
{
RUNNER_ASSERT_MSG(m_inSwitchContext == false, "already switched context");
{
RUNNER_ASSERT_MSG(m_inSwitchContext == false, "already switched context");
- RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_mySubject.c_str()),
- "Error in smack_revoke_subject(" << m_mySubject << ")");
apply();
m_processLabel.reset(new ScopedProcessLabel(m_mySubject));
apply();
m_processLabel.reset(new ScopedProcessLabel(m_mySubject));
m_inSwitchContext = true;
}
m_inSwitchContext = true;
}
+void AccessProvider::clear() {
+ m_smackAccess.clear();
+}
+
void AccessProvider::allowJournaldLogs() {
allowAPI("System::Run","wx"); // necessary for logging with journald
}
void AccessProvider::allowJournaldLogs() {
allowAPI("System::Run","wx"); // necessary for logging with journald
}
{
RUNNER_ASSERT_MSG(0 == setegid(m_origGid), "Error in setgid.");
RUNNER_ASSERT_MSG(0 == seteuid(m_origUid), "Error in setuid.");
{
RUNNER_ASSERT_MSG(0 == setegid(m_origGid), "Error in setgid.");
RUNNER_ASSERT_MSG(0 == seteuid(m_origUid), "Error in setuid.");
- RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_mySubject.c_str()),
- "Error in smack_revoke_subject(" << m_mySubject << ")");
m_processLabel.reset();
m_inSwitchContext = false;
}
m_processLabel.reset();
m_inSwitchContext = false;
}
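Review bot: With both `smack_revoke_subject` calls removed, neither the context switch nor the restore path shown here removes the test's Smack rules any more, so cleanup appears to depend on each test calling the new `AccessProvider::clear()` itself (the callers are not visible here). If `RUNNER_ASSERT_MSG` aborts the test on failure, as it presumably does, a test that fails before reaching `clear()` leaves rules that grant the fake app access to system services loaded for the tests that follow, which can hide a real access-control regression. Consider calling `m_smackAccess.clear();` in the restore function right after the `seteuid(m_origUid)` line, once the original credentials are back, or from a scope guard. The first removed call also reset stale rules before `apply()`; if dropping that reset is intended, a short comment such as `// rules are removed explicitly via clear(), not on context switch` would record it. Both function bodies start outside the visible lines.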
- * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
void allowAPI(const std::string &api, const std::string &rules);
void apply();
void applyAndSwithToUser(int uid, int gid);
void allowAPI(const std::string &api, const std::string &rules);
void apply();
void applyAndSwithToUser(int uid, int gid);
private:
void allowJournaldLogs();
private:
void allowJournaldLogs();
- * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
"Error in smack_accessses_apply.");
}
"Error in smack_accessses_apply.");
}
+void SmackAccess::clear() {
+ RUNNER_ASSERT_MSG(0 == smack_accesses_clear(m_handle),
+ "Error in smack_accesses_clear.");
+}
+
SmackAccess::~SmackAccess() {
if (m_handle)
smack_accesses_free(m_handle);
SmackAccess::~SmackAccess() {
if (m_handle)
smack_accesses_free(m_handle);
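Review bot: `SmackAccess::clear()` passes `m_handle` to `smack_accesses_clear` without the null check that the destructor just below applies, so the two members disagree on whether the handle can be null. Either add a guard such as `RUNNER_ASSERT_MSG(m_handle != nullptr, "No Smack handle to clear.");` or drop the destructor's check if the constructor guarantees a handle. The method also lacks a comment stating its contract: as far as I can tell, libsmack's clear revokes the handle's rules in the kernel but keeps them in the handle, so a later `apply()` on the same object would load them again. That is worth confirming and documenting, for example `// Revokes in the kernel every rule added through this object; the handle keeps its rule list.` The destructor continues past the visible lines.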
- * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
const std::string &object,
const std::string &rights);
void apply();
const std::string &object,
const std::string &rights);
void apply();
virtual ~SmackAccess();
private:
struct smack_accesses *m_handle;
virtual ~SmackAccess();
private:
struct smack_accesses *m_handle;