: m_mySubject(mySubject)
{}
-void AccessProvider::allowFunction(const std::string &functionName) {
- static const std::map<std::string, std::string> translation = {
- {"security_server_get_gid", "security-server::api-get-gid"},
- {"security_server_request_cookie", "none"},
- {"security_server_get_cookie_size", "none"},
- {"security_server_check_privilege", "security-server::api-cookie-check"},
- {"security_server_check_privilege_by_cookie", "security-server::api-cookie-check"},
- {"security_server_check_privilege_by_sockfd", "security-server::api-privilege-by-pid"},
- {"security_server_get_cookie_pid", "security-server::api-cookie-check"},
- {"security_server_is_pwd_valid", "security-server::api-password-check"},
- {"security_server_set_pwd", "security-server::api_password-set"},
- {"security_server_set_pwd_validity", "security-server::api-password-set"},
- {"security_server_set_pwd_max_challenge", "security-server::api-password-set"},
- {"security_server_reset_pwd", "security-server::api-password-set"},
- {"security_server_chk_pwd", "security-server::api-password-check"},
- {"security_server_set_pwd_history", "security-server::api-password-set"},
- {"security_server_get_smacklabel_cookie", "security-server::api-cookie-check"},
- {"security_server_get_smacklabel_sockfd", "none"},
- {"security_server_app_give_access", "security-server::api-data-share"},
- {"security_server_check_privilege_by_pid", "security-server::api-privilege-by-pid"},
- {"security_server_app_enable_permissions", "security-server::api-app-permissions"},
- {"security_server_app_disable_permissions", "security-server::api-app-permissions"},
- {"security_server_get_uid_by_cookie", "security-server::api-cookie-check"},
- {"security_server_app_has_privilege", "security-server::api-app-privilege-by-name"},
- {"security_server_app_caller_has_privilege", "security-server::api-app-privilege-by-name"},
- {"security_server_get_gid_by_cookie", "security-server::api-cookie-check"},
- {"security_server_open_for", "security-server::api-open-for"}
- };
-
- auto it = translation.find(functionName);
- RUNNER_ASSERT_MSG_BT(it != translation.end(),
- "Error no function " << functionName << " in security server.");
-
- m_smackAccess.add(m_mySubject, it->second, "w");
+void AccessProvider::allowSS() {
+ m_smackAccess.add(m_mySubject, "System::Run", "x");
}
-void AccessProvider::allowAPI(const std::string &api, const std::string &rule) {
- m_smackAccess.add(m_mySubject, api, rule);
+void AccessProvider::addObjectRule(const std::string &object, const std::string &rule) {
+ m_smackAccess.add(m_mySubject, object, rule);
}
void AccessProvider::apply() {
AccessProvider(const AccessProvider &second) = delete;
AccessProvider& operator=(const AccessProvider &second) = delete;
- void allowAPI(const std::string &api, const std::string &rules);
- void allowFunction(const std::string &functionName);
+ void addObjectRule(const std::string &object, const std::string &rule);
+ void allowSS();
void apply();
void applyAndSwithToUser(int uid, int gid);
const std::string ruleAll = "x";
SecurityServer::AccessProvider provider(subject);
- provider.allowAPI("User", ruleAll);
- provider.allowAPI(object, access);
+ provider.addObjectRule("User", ruleAll);
+ provider.addObjectRule(object, access);
provider.applyAndSwithToUser(APP_UID, APP_GID);
}
//function inside checks if rule exist after add it
SecurityServer::AccessProvider provider(selfLabel);
- provider.allowAPI(filename, "l");
+ provider.addObjectRule(filename, "l");
provider.apply();
int ret = smack_have_access(selfLabel.c_str(), filename.c_str(), "l");
/*
Tested API functions in this file:
-Protected by "security-server::api-cookie-get" label:
int security_server_get_cookie_size(void);
int security_server_request_cookie(char *cookie, size_t bufferSize);
-
-Protected by "security-server::api-cookie-check" label:
int security_server_check_privilege(const char *cookie, gid_t privilege);
int security_server_check_privilege_by_cookie(const char *cookie,
const char *object,
"Error in security_server_get_cookie_size(): " << cookieSize);
SecurityServer::AccessProvider provider("selflabel_02_01");
+ provider.allowSS();
provider.applyAndSwithToUser(APP_UID, APP_GID);
Cookie cookie(cookieSize);
Cookie cookie = getCookieFromSS();
SecurityServer::AccessProvider provider("selflabel_03_03");
- provider.allowFunction("security_server_check_privilege");
+ provider.allowSS();
provider.applyAndSwithToUser(APP_UID, APP_GID);
int ret = security_server_check_privilege(cookie.data(), 0);
Cookie cookie = getCookieFromSS();
SecurityServer::AccessProvider provider("selflabel_05_03");
- provider.allowFunction("security_server_get_cookie_pid");
+ provider.allowSS();
provider.applyAndSwithToUser(APP_UID, APP_GID);
int ret = security_server_get_cookie_pid(cookie.data());
RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_app_user_security_server_get_smacklabel_cookie)
{
SecurityServer::AccessProvider provider("selflabel_06_03");
- provider.allowFunction("security_server_get_smacklabel_cookie");
+ provider.allowSS();
provider.applyAndSwithToUser(APP_UID, APP_GID);
Cookie cookie = getCookieFromSS();
add_process_group(PROC_AUDIO_GROUP_NAME);
SecurityServer::AccessProvider provider("subject_1d6eda7d");
- provider.allowFunction("security_server_get_gid");
- provider.allowFunction("security_server_request_cookie");
- provider.allowFunction("security_server_check_privilege");
- provider.allowFunction("security_server_get_cookie_pid");
- provider.allowFunction("security_server_get_smacklabel_cookie");
- provider.allowFunction("security_server_check_privilege_by_pid");
+ provider.allowSS();
provider.applyAndSwithToUser(APP_UID, APP_GID);
Cookie cookie = getCookieFromSS();
RUNNER_CHILD_TEST_SMACK(tc04_security_server_get_gid)
{
SecurityServer::AccessProvider provider("tc04mylabel");
- provider.allowFunction("security_server_get_gid");
+ provider.allowSS();
provider.applyAndSwithToUser(APP_UID, APP_GID);
int ret = security_server_get_gid("abc123xyz_pysiaczek");
const char *access_rights_ext = "rw";
const char *subject_label = "tc05subjectlabel";
- SmackAccess access;
- access.add(subject_label, object_label, access_rights);
- access.add(subject_label, "security-server::api-cookie-check", "w");
- access.apply();
-
- RUNNER_ASSERT_BT(0 == smack_set_label_for_self(subject_label));
+ SecurityServer::AccessProvider provider(subject_label);
+ provider.allowSS();
+ provider.addObjectRule(object_label, access_rights);
+ provider.applyAndSwithToUser(APP_UID, APP_GID);
RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS ==
security_server_request_cookie(cookie,20));
- RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
-
RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS ==
security_server_check_privilege_by_cookie(
cookie,
#include "security-server.h"
#include "privilege-control.h"
-#define API_DATA_SHARE "security-server::api-data-share"
-#define API_FREE_ACCESS "------"
-
#define DBUS_SERVER_NAME "test.method.server"
#define DBUS_CALLER_NAME "test.method.caller"
int ret = -1;
const char *subject_parent = "subject_parent";
const char *subject_child = "subject_child";
- struct smack_accesses *handle = NULL;
DBusMessage* msg = NULL;
DBusMessageIter args, iter, var, var_iter, var_value;
RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
"smack_set__label_for_self() failed, ret: " << ret);
- ret = smack_accesses_new(&handle);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
- "smack_accesses_new() failed, ret: " << ret);
-
- ret = smack_accesses_add(handle, subject_child, API_DATA_SHARE, API_FREE_ACCESS);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
- "smack_accesses_add() failed, ret: " << ret);
-
- ret = smack_accesses_apply(handle);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
- "smack_accesses_apply() failed, ret: " << ret);
-
- ret = smack_set_label_for_self(subject_child);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
- "smack_set_label_for_self() failed, ret: " << ret);
-
- smack_accesses_free(handle);
-
// initialize the errors
dbus_error_init(&err);
RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
"smack_set_label_for_self() failed, ret: " << ret);
- ret = smack_accesses_new(&handle);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
- "smack_accesses_new() failed, ret: " << ret);
-
- ret = smack_accesses_add(handle, subject_parent, API_DATA_SHARE, API_FREE_ACCESS);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
- "smack_accesses_add() failed, ret: " << ret);
-
- ret = smack_accesses_apply(handle);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
- "smack_accesses_apply() failed, ret: " << ret);
-
- ret = smack_set_label_for_self(subject_parent);
- RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
- "smack_set_label_for_self() failed, ret: " << ret);
-
- smack_accesses_free(handle);
-
// initialise the error
dbus_error_init(&err);
const char *TEST07_SUBJECT = "subject_cd738844";
const char *TEST08_SUBJECT = "subject_fd84ba7f";
-const char *API_PASSWD_SET = "security-server::api-password-set";
-const char *API_PASSWD_CHECK = "security-server::api-password-check";
-const char *API_PASSWD_RESET = "security-server::api-password-reset";
-const char *API_RULE_REQUIRED = "w";
-
-int clear_password(char ** /*error*/)
+void clear_password()
{
int ret = -1;
unsigned int attempt, max_attempt, expire_sec;
- const char *subject_allow = "subject_allow";
- struct smack_accesses *handle = NULL;
-
- if (getuid() == 0) {
- reset_security_server();
-
- ret = smack_accesses_new(&handle);
- RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret);
-
- /* our subject 'subject_allow' has access to security-server::api-password-check */
- ret = smack_accesses_add(handle, subject_allow, API_PASSWD_CHECK, API_RULE_REQUIRED);
- RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret);
-
- ret = smack_accesses_apply(handle);
- RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret);
- ret = smack_set_label_for_self(subject_allow);
- RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret);
+ reset_security_server();
- smack_accesses_free(handle);
-
- attempt = max_attempt = expire_sec = UINT_MAX;
- ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
-
- RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
- RUNNER_ASSERT_BT(expire_sec == 0);
- RUNNER_ASSERT_BT(max_attempt == 0);
- RUNNER_ASSERT_BT(attempt == 0);
-
- /* we revoke all rules for subject 'subject_allow' */
- ret = smack_revoke_subject(subject_allow);
- RUNNER_ASSERT_MSG_BT(ret == 0, "Revoking subject didn't work.");
+ attempt = max_attempt = expire_sec = UINT_MAX;
+ ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
- sleep(1);
+ RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
+ RUNNER_ASSERT_BT(expire_sec == 0);
+ RUNNER_ASSERT_BT(max_attempt == 0);
+ RUNNER_ASSERT_BT(attempt == 0);
- return 0;
- }
- return -1;
+ sleep(1);
}
void check_API_passwd(bool smack) {
{
const char *subject = "abc345v34sfa";
const char *object = "efg678x2lkjz";
- const char *server_api = "security-server::api-data-share";
-
- SmackAccess smack;
- smack.add(subject, object, "-----");
- smack.add(object, server_api, "rw");
- smack.apply();
- smack_set_label_for_self(object);
-
- RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
+ SecurityServer::AccessProvider provider(object);
+ provider.allowSS();
+ provider.applyAndSwithToUser(APP_UID, APP_GID);
security_server_app_give_access(subject, getpid());
{
int ret = -1;
unsigned int attempt, max_attempt, expire_sec;
- char *str = (char*) malloc(256);
attempt = max_attempt = expire_sec = 0;
- ret = clear_password(&str);
- RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << str);
+ clear_password();
SecurityServer::AccessProvider provider(TEST03_SUBJECT);
- provider.allowAPI(API_PASSWD_CHECK, API_RULE_REQUIRED);
- provider.allowAPI(API_PASSWD_SET, API_RULE_REQUIRED);
- provider.allowAPI(API_PASSWD_RESET, API_RULE_REQUIRED);
+ provider.allowSS();
provider.applyAndSwithToUser(APP_UID, APP_GID);
ret = security_server_set_pwd_validity(10);
RUNNER_CHILD_TEST_SMACK(tc07_check_API_data_share_allow)
{
SecurityServer::AccessProvider provider(TEST07_SUBJECT);
- provider.allowFunction("security_server_app_give_access");
+ provider.allowSS();
provider.applyAndSwithToUser(APP_UID, APP_GID);
int ret = security_server_app_give_access(TEST07_SUBJECT, getpid());