CKM: Unlock journald logs 90/43590/4
authorKrzysztof Jackiewicz <k.jackiewicz@samsung.com>
Fri, 10 Jul 2015 10:27:30 +0000 (12:27 +0200)
committerKrzysztof Jackiewicz <k.jackiewicz@samsung.com>
Thu, 30 Jul 2015 09:43:05 +0000 (11:43 +0200)
[Problem] Journald logging fails after dropping root privileges and changing
the label.
[Solution] Change execute label to User so that sockets created by ckm-tests
are allowed to wx to System. Add permissions for custom label to wx to System::Run.

[Verification] Run ckm-tests and check journald logs for smack messages. There
should be none.

Change-Id: I8ddca950755f3b7079ae42fba4416b506ea9e35e

packaging/security-tests.manifest
src/ckm/access_provider2.cpp
src/ckm/access_provider2.h

index e6064d1fc131b2a9f273cbcc6f354d8690bc7cd4..9a62ddcc3062fad07deef02bc762421e844ba69d 100644 (file)
@@ -17,7 +17,7 @@
         <filesystem path="/usr/bin/security-server-tests-dbus" exec_label="_" />
         <filesystem path="/usr/bin/security-manager-tests" exec_label="_" />
         <filesystem path="/usr/bin/cynara-tests" exec_label="_" />
-        <filesystem path="/usr/bin/ckm-tests" exec_label="_" />
+        <filesystem path="/usr/bin/ckm-tests" exec_label="User" />
 
         <filesystem path="/usr/bin/test-app-wgt" exec_label="User" />
         <filesystem path="/usr/bin/test-app-efl" exec_label="User" />
index 1d257cb1205b3a8272dd31cd365bef1c043937f6..4e895d6fc77893c4d5c322073a66b0193ad161b2 100644 (file)
@@ -31,12 +31,14 @@ AccessProvider::AccessProvider(const std::string &mySubject)
   : m_mySubject(mySubject), m_inSwitchContext(false)
 {
     RUNNER_ASSERT_MSG(m_mySubject.size() > 0, "No smack label provided to AccessProvider!");
+    allowJournaldLogs();
 }
 
 AccessProvider::AccessProvider(const std::string &mySubject, int uid, int gid)
   : m_mySubject(mySubject), m_inSwitchContext(false)
 {
     RUNNER_ASSERT_MSG(m_mySubject.size() > 0, "No smack label provided to AccessProvider!");
+    allowJournaldLogs();
     applyAndSwithToUser(uid, gid);
 }
 
@@ -77,6 +79,10 @@ void AccessProvider::applyAndSwithToUser(int uid, int gid)
     m_inSwitchContext = true;
 }
 
+void AccessProvider::allowJournaldLogs() {
+    allowAPI("System::Run","wx"); // necessary for logging with journald
+}
+
 ScopedAccessProvider::~ScopedAccessProvider()
 {
     if(m_inSwitchContext == true)
index bcf138bba7327f772d8eed6ed1f37889a9a74c15..b7c714b707c81b9b63b6e5b25c75fcf74f3eb61b 100644 (file)
@@ -40,6 +40,8 @@ public:
     void applyAndSwithToUser(int uid, int gid);
 
 private:
+    void allowJournaldLogs();
+
     SmackAccess m_smackAccess;
 protected:
     std::string m_mySubject;