Adjust AccessProvider api to current security-server.

Sockets in security-server has been moved to /run labeled with
System::Run label and AccessProvider provided old smack accesses.
Previous references to sockets' old smack labels has been removed.

Verification:
-> security-tests-all.sh
   (server, cookie-api, clientsmack and dbus tests should pass,
    no changes in other tests)

Change-Id: I9796fb0b52890553767783de5cffdc7b5ecb8746

diff --git a/tests/common/access_provider.cpp b/tests/common/access_provider.cpp
index ee06e02..476579d 100644 (file)
--- a/tests/common/access_provider.cpp
+++ b/tests/common/access_provider.cpp
@@ -35,44 +35,12 @@ AccessProvider::AccessProvider(const std::string &mySubject)
   : m_mySubject(mySubject)
 {}
 
-void AccessProvider::allowFunction(const std::string &functionName) {
-    static const std::map<std::string, std::string> translation = {
-        {"security_server_get_gid", "security-server::api-get-gid"},
-        {"security_server_request_cookie", "none"},
-        {"security_server_get_cookie_size", "none"},
-        {"security_server_check_privilege", "security-server::api-cookie-check"},
-        {"security_server_check_privilege_by_cookie", "security-server::api-cookie-check"},
-        {"security_server_check_privilege_by_sockfd", "security-server::api-privilege-by-pid"},
-        {"security_server_get_cookie_pid", "security-server::api-cookie-check"},
-        {"security_server_is_pwd_valid", "security-server::api-password-check"},
-        {"security_server_set_pwd", "security-server::api_password-set"},
-        {"security_server_set_pwd_validity", "security-server::api-password-set"},
-        {"security_server_set_pwd_max_challenge", "security-server::api-password-set"},
-        {"security_server_reset_pwd", "security-server::api-password-set"},
-        {"security_server_chk_pwd", "security-server::api-password-check"},
-        {"security_server_set_pwd_history", "security-server::api-password-set"},
-        {"security_server_get_smacklabel_cookie", "security-server::api-cookie-check"},
-        {"security_server_get_smacklabel_sockfd", "none"},
-        {"security_server_app_give_access", "security-server::api-data-share"},
-        {"security_server_check_privilege_by_pid", "security-server::api-privilege-by-pid"},
-        {"security_server_app_enable_permissions", "security-server::api-app-permissions"},
-        {"security_server_app_disable_permissions", "security-server::api-app-permissions"},
-        {"security_server_get_uid_by_cookie", "security-server::api-cookie-check"},
-        {"security_server_app_has_privilege", "security-server::api-app-privilege-by-name"},
-        {"security_server_app_caller_has_privilege", "security-server::api-app-privilege-by-name"},
-        {"security_server_get_gid_by_cookie", "security-server::api-cookie-check"},
-        {"security_server_open_for", "security-server::api-open-for"}
-    };
-
-    auto it = translation.find(functionName);
-    RUNNER_ASSERT_MSG_BT(it != translation.end(),
-        "Error no function " << functionName << " in security server.");
-
-    m_smackAccess.add(m_mySubject, it->second, "w");
+void AccessProvider::allowSS() {
+    m_smackAccess.add(m_mySubject, "System::Run", "x");
 }
 
-void AccessProvider::allowAPI(const std::string &api, const std::string &rule) {
-    m_smackAccess.add(m_mySubject, api, rule);
+void AccessProvider::addObjectRule(const std::string &object, const std::string &rule) {
+    m_smackAccess.add(m_mySubject, object, rule);
 }
 
 void AccessProvider::apply() {

diff --git a/tests/common/access_provider.h b/tests/common/access_provider.h
index c05ee4d..452d418 100644 (file)
--- a/tests/common/access_provider.h
+++ b/tests/common/access_provider.h
@@ -35,8 +35,8 @@ public:
     AccessProvider(const AccessProvider &second) = delete;
     AccessProvider& operator=(const AccessProvider &second) = delete;
 
-    void allowAPI(const std::string &api, const std::string &rules);
-    void allowFunction(const std::string &functionName);
+    void addObjectRule(const std::string &object, const std::string &rule);
+    void allowSS();
     void apply();
     void applyAndSwithToUser(int uid, int gid);
 

diff --git a/tests/libsmack-tests/test_cases.cpp b/tests/libsmack-tests/test_cases.cpp
index 717c2f3..a864a36 100644 (file)
--- a/tests/libsmack-tests/test_cases.cpp
+++ b/tests/libsmack-tests/test_cases.cpp
@@ -1380,8 +1380,8 @@ void prepareEnvironment(const std::string &subject, const std::string &object, c
     const std::string ruleAll = "x";
 
     SecurityServer::AccessProvider provider(subject);
-    provider.allowAPI("User", ruleAll);
-    provider.allowAPI(object, access);
+    provider.addObjectRule("User", ruleAll);
+    provider.addObjectRule(object, access);
     provider.applyAndSwithToUser(APP_UID, APP_GID);
 }
 
@@ -1395,7 +1395,7 @@ RUNNER_CHILD_TEST_SMACK(smack13_0_checking_laccess_mode_enabled_on_device)
 
     //function inside checks if rule exist after add it
     SecurityServer::AccessProvider provider(selfLabel);
-    provider.allowAPI(filename, "l");
+    provider.addObjectRule(filename, "l");
     provider.apply();
 
     int ret = smack_have_access(selfLabel.c_str(), filename.c_str(), "l");

diff --git a/tests/security-server-tests/cookie_api.cpp b/tests/security-server-tests/cookie_api.cpp
index 7afd813..6530292 100644 (file)
--- a/tests/security-server-tests/cookie_api.cpp
+++ b/tests/security-server-tests/cookie_api.cpp
@@ -13,12 +13,9 @@
 /*
 Tested API functions in this file:
 
-Protected by "security-server::api-cookie-get" label:
     int security_server_get_cookie_size(void);
     int security_server_request_cookie(char *cookie, size_t bufferSize);
 
-
-Protected by "security-server::api-cookie-check" label:
     int security_server_check_privilege(const char *cookie, gid_t privilege);
     int security_server_check_privilege_by_cookie(const char *cookie,
                                                   const char *object,
@@ -243,6 +240,7 @@ RUNNER_CHILD_TEST_SMACK(tc_unit_02_02_app_user_security_server_request_cookie)
                       "Error in security_server_get_cookie_size(): " << cookieSize);
 
     SecurityServer::AccessProvider provider("selflabel_02_01");
+    provider.allowSS();
     provider.applyAndSwithToUser(APP_UID, APP_GID);
 
     Cookie cookie(cookieSize);
@@ -301,7 +299,7 @@ RUNNER_CHILD_TEST_SMACK(tc_unit_03_03_app_user_security_server_check_privilege)
     Cookie cookie = getCookieFromSS();
 
     SecurityServer::AccessProvider provider("selflabel_03_03");
-    provider.allowFunction("security_server_check_privilege");
+    provider.allowSS();
     provider.applyAndSwithToUser(APP_UID, APP_GID);
 
     int ret = security_server_check_privilege(cookie.data(), 0);
@@ -385,7 +383,7 @@ RUNNER_CHILD_TEST_SMACK(tc_unit_05_03_app_user_security_server_get_cookie_pid)
     Cookie cookie = getCookieFromSS();
 
     SecurityServer::AccessProvider provider("selflabel_05_03");
-    provider.allowFunction("security_server_get_cookie_pid");
+    provider.allowSS();
     provider.applyAndSwithToUser(APP_UID, APP_GID);
 
     int ret = security_server_get_cookie_pid(cookie.data());
@@ -444,7 +442,7 @@ RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_app_user_security_server_get_smacklabel_co
 RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_app_user_security_server_get_smacklabel_cookie)
 {
     SecurityServer::AccessProvider provider("selflabel_06_03");
-    provider.allowFunction("security_server_get_smacklabel_cookie");
+    provider.allowSS();
     provider.applyAndSwithToUser(APP_UID, APP_GID);
 
     Cookie cookie = getCookieFromSS();
@@ -462,12 +460,7 @@ RUNNER_CHILD_TEST_SMACK(tc_unit_09_01_app_user_cookie_API_access_allow)
     add_process_group(PROC_AUDIO_GROUP_NAME);
 
     SecurityServer::AccessProvider provider("subject_1d6eda7d");
-    provider.allowFunction("security_server_get_gid");
-    provider.allowFunction("security_server_request_cookie");
-    provider.allowFunction("security_server_check_privilege");
-    provider.allowFunction("security_server_get_cookie_pid");
-    provider.allowFunction("security_server_get_smacklabel_cookie");
-    provider.allowFunction("security_server_check_privilege_by_pid");
+    provider.allowSS();
     provider.applyAndSwithToUser(APP_UID, APP_GID);
 
     Cookie cookie = getCookieFromSS();

diff --git a/tests/security-server-tests/security_server_tests_client_smack.cpp b/tests/security-server-tests/security_server_tests_client_smack.cpp
index 04b4f7a..2e3b940 100644 (file)
--- a/tests/security-server-tests/security_server_tests_client_smack.cpp
+++ b/tests/security-server-tests/security_server_tests_client_smack.cpp
@@ -50,7 +50,7 @@ RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_CLIENT_SMACK)
 RUNNER_CHILD_TEST_SMACK(tc04_security_server_get_gid)
 {
     SecurityServer::AccessProvider provider("tc04mylabel");
-    provider.allowFunction("security_server_get_gid");
+    provider.allowSS();
     provider.applyAndSwithToUser(APP_UID, APP_GID);
 
     int ret = security_server_get_gid("abc123xyz_pysiaczek");
@@ -78,18 +78,14 @@ RUNNER_CHILD_TEST_SMACK(tc05_check_privilege_by_cookie)
     const char *access_rights_ext = "rw";
     const char *subject_label = "tc05subjectlabel";
 
-    SmackAccess access;
-    access.add(subject_label, object_label, access_rights);
-    access.add(subject_label, "security-server::api-cookie-check", "w");
-    access.apply();
-
-    RUNNER_ASSERT_BT(0 == smack_set_label_for_self(subject_label));
+    SecurityServer::AccessProvider provider(subject_label);
+    provider.allowSS();
+    provider.addObjectRule(object_label, access_rights);
+    provider.applyAndSwithToUser(APP_UID, APP_GID);
 
     RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS ==
         security_server_request_cookie(cookie,20));
 
-    RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
-
     RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS ==
         security_server_check_privilege_by_cookie(
             cookie,

diff --git a/tests/security-server-tests/security_server_tests_dbus.cpp b/tests/security-server-tests/security_server_tests_dbus.cpp
index 836ce6d..52fdb09 100644 (file)
--- a/tests/security-server-tests/security_server_tests_dbus.cpp
+++ b/tests/security-server-tests/security_server_tests_dbus.cpp
@@ -12,9 +12,6 @@
 #include "security-server.h"
 #include "privilege-control.h"
 
-#define API_DATA_SHARE  "security-server::api-data-share"
-#define API_FREE_ACCESS "------"
-
 #define DBUS_SERVER_NAME                        "test.method.server"
 #define DBUS_CALLER_NAME                        "test.method.caller"
 
@@ -30,7 +27,6 @@ RUNNER_MULTIPROCESS_TEST_SMACK(tc01_smack_context_from_DBus)
     int ret = -1;
     const char *subject_parent = "subject_parent";
     const char *subject_child = "subject_child";
-    struct smack_accesses *handle = NULL;
 
     DBusMessage* msg = NULL;
     DBusMessageIter args, iter, var, var_iter, var_value;
@@ -49,24 +45,6 @@ RUNNER_MULTIPROCESS_TEST_SMACK(tc01_smack_context_from_DBus)
         RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
             "smack_set__label_for_self() failed, ret: " << ret);
 
-        ret = smack_accesses_new(&handle);
-        RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
-            "smack_accesses_new() failed, ret: " << ret);
-
-        ret = smack_accesses_add(handle, subject_child, API_DATA_SHARE, API_FREE_ACCESS);
-        RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
-            "smack_accesses_add() failed, ret: " << ret);
-
-        ret = smack_accesses_apply(handle);
-        RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
-            "smack_accesses_apply() failed, ret: " << ret);
-
-        ret = smack_set_label_for_self(subject_child);
-        RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
-            "smack_set_label_for_self() failed, ret: " << ret);
-
-        smack_accesses_free(handle);
-
         // initialize the errors
         dbus_error_init(&err);
 
@@ -162,24 +140,6 @@ RUNNER_MULTIPROCESS_TEST_SMACK(tc01_smack_context_from_DBus)
         RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
             "smack_set_label_for_self() failed, ret: " << ret);
 
-        ret = smack_accesses_new(&handle);
-        RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
-            "smack_accesses_new() failed, ret: " << ret);
-
-        ret = smack_accesses_add(handle, subject_parent, API_DATA_SHARE, API_FREE_ACCESS);
-        RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
-            "smack_accesses_add() failed, ret: " << ret);
-
-        ret = smack_accesses_apply(handle);
-        RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
-            "smack_accesses_apply() failed, ret: " << ret);
-
-        ret = smack_set_label_for_self(subject_parent);
-        RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS,
-            "smack_set_label_for_self() failed, ret: " << ret);
-
-        smack_accesses_free(handle);
-
         // initialise the error
         dbus_error_init(&err);
 

diff --git a/tests/security-server-tests/server.cpp b/tests/security-server-tests/server.cpp
index fcbb478..56034e9 100644 (file)
--- a/tests/security-server-tests/server.cpp
+++ b/tests/security-server-tests/server.cpp
@@ -40,53 +40,22 @@ const char *TEST04_SUBJECT = "subject_57dfbfc5";
 const char *TEST07_SUBJECT = "subject_cd738844";
 const char *TEST08_SUBJECT = "subject_fd84ba7f";
 
-const char *API_PASSWD_SET    = "security-server::api-password-set";
-const char *API_PASSWD_CHECK  = "security-server::api-password-check";
-const char *API_PASSWD_RESET  = "security-server::api-password-reset";
-const char *API_RULE_REQUIRED = "w";
-
-int clear_password(char ** /*error*/)
+void clear_password()
 {
     int ret = -1;
     unsigned int attempt, max_attempt, expire_sec;
-    const char *subject_allow = "subject_allow";
-    struct smack_accesses *handle = NULL;
-
-    if (getuid() == 0) {
-        reset_security_server();
-
-        ret = smack_accesses_new(&handle);
-        RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret);
-
-        /* our subject 'subject_allow' has access to security-server::api-password-check */
-        ret = smack_accesses_add(handle, subject_allow, API_PASSWD_CHECK, API_RULE_REQUIRED);
-        RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret);
-
-        ret = smack_accesses_apply(handle);
-        RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret);
 
-        ret = smack_set_label_for_self(subject_allow);
-        RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret);
+    reset_security_server();
 
-        smack_accesses_free(handle);
-
-        attempt = max_attempt = expire_sec = UINT_MAX;
-        ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
-
-        RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
-        RUNNER_ASSERT_BT(expire_sec == 0);
-        RUNNER_ASSERT_BT(max_attempt == 0);
-        RUNNER_ASSERT_BT(attempt == 0);
-
-        /* we revoke all rules for subject 'subject_allow' */
-        ret = smack_revoke_subject(subject_allow);
-        RUNNER_ASSERT_MSG_BT(ret == 0, "Revoking subject didn't work.");
+    attempt = max_attempt = expire_sec = UINT_MAX;
+    ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
 
-        sleep(1);
+    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret);
+    RUNNER_ASSERT_BT(expire_sec == 0);
+    RUNNER_ASSERT_BT(max_attempt == 0);
+    RUNNER_ASSERT_BT(attempt == 0);
 
-        return 0;
-    }
-    return -1;
+    sleep(1);
 }
 
 void check_API_passwd(bool smack) {
@@ -160,16 +129,10 @@ RUNNER_CHILD_TEST_SMACK(tc01a_security_server_app_give_access)
 {
     const char *subject = "abc345v34sfa";
     const char *object = "efg678x2lkjz";
-    const char *server_api = "security-server::api-data-share";
-
-    SmackAccess smack;
-    smack.add(subject, object, "-----");
-    smack.add(object,  server_api, "rw");
-    smack.apply();
 
-    smack_set_label_for_self(object);
-
-    RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid());
+    SecurityServer::AccessProvider provider(object);
+    provider.allowSS();
+    provider.applyAndSwithToUser(APP_UID, APP_GID);
 
     security_server_app_give_access(subject, getpid());
 
@@ -238,17 +201,13 @@ RUNNER_CHILD_TEST_SMACK(tc03_check_API_passwd_allow)
 {
     int ret = -1;
     unsigned int attempt, max_attempt, expire_sec;
-    char *str = (char*) malloc(256);
 
     attempt = max_attempt = expire_sec = 0;
 
-    ret = clear_password(&str);
-    RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << str);
+    clear_password();
 
     SecurityServer::AccessProvider provider(TEST03_SUBJECT);
-    provider.allowAPI(API_PASSWD_CHECK, API_RULE_REQUIRED);
-    provider.allowAPI(API_PASSWD_SET,   API_RULE_REQUIRED);
-    provider.allowAPI(API_PASSWD_RESET, API_RULE_REQUIRED);
+    provider.allowSS();
     provider.applyAndSwithToUser(APP_UID, APP_GID);
 
     ret = security_server_set_pwd_validity(10);
@@ -289,7 +248,7 @@ RUNNER_CHILD_TEST_NOSMACK(tc04_check_API_app_user_passwd_allow_nosmack)
 RUNNER_CHILD_TEST_SMACK(tc07_check_API_data_share_allow)
 {
     SecurityServer::AccessProvider provider(TEST07_SUBJECT);
-    provider.allowFunction("security_server_app_give_access");
+    provider.allowSS();
     provider.applyAndSwithToUser(APP_UID, APP_GID);
 
     int ret = security_server_app_give_access(TEST07_SUBJECT, getpid());