Fix only partial rollback of Smack rules

Some tests temporarily add new Smack rules in order to test unprivileged
access to system services. After the test, they are cleared with
smack_revoke_subject. However, this only removes rules where the test
application is the subject.

I have replaced calls where this is an issue with a smack_accesses_clear
call, which removes all rules loaded with a given handle. Since affected
tests do not modify Smack rules in any other way and only use test
labels for fake apps, no rules removed by the old call and not by the
new call can exist.

Change-Id: I841d6b7ad05549d8837645e3d9176f4db7029908

diff --git a/src/ckm/privileged/access_provider2.cpp b/src/ckm/privileged/access_provider2.cpp
index 2d98ace43cd06a4c865a9083a788fdd83785960d..bc7af2234af31a210694144910425c974b93432e 100644 (file)
--- a/src/ckm/privileged/access_provider2.cpp
+++ b/src/ckm/privileged/access_provider2.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved
  *
  *    Licensed under the Apache License, Version 2.0 (the "License");
  *    you may not use this file except in compliance with the License.
@@ -81,8 +81,7 @@ void AccessProvider::applyAndSwithToUser(int uid, int gid)
 {
     RUNNER_ASSERT_MSG(m_inSwitchContext == false, "already switched context");
 
-    RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_mySubject.c_str()),
-        "Error in smack_revoke_subject(" << m_mySubject << ")");
+    clear();
     apply();
 
     m_processLabel.reset(new ScopedProcessLabel(m_mySubject));
@@ -96,6 +95,10 @@ void AccessProvider::applyAndSwithToUser(int uid, int gid)
     m_inSwitchContext = true;
 }
 
+void AccessProvider::clear() {
+    m_smackAccess.clear();
+}
+
 void AccessProvider::allowJournaldLogs() {
     allowAPI("System::Run","wx"); // necessary for logging with journald
 }
@@ -106,8 +109,7 @@ ScopedAccessProvider::~ScopedAccessProvider()
     {
         RUNNER_ASSERT_MSG(0 == setegid(m_origGid), "Error in setgid.");
         RUNNER_ASSERT_MSG(0 == seteuid(m_origUid), "Error in setuid.");
-        RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_mySubject.c_str()),
-            "Error in smack_revoke_subject(" << m_mySubject << ")");
+        clear();
         m_processLabel.reset();
         m_inSwitchContext = false;
     }

diff --git a/src/ckm/privileged/access_provider2.h b/src/ckm/privileged/access_provider2.h
index d2e19b5a3ff1927c83e6852693ed31fe536ed7b1..4a745dfb0058a6b3c9b87934ac7f1e6985922c58 100644 (file)
--- a/src/ckm/privileged/access_provider2.h
+++ b/src/ckm/privileged/access_provider2.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved
  *
  *    Licensed under the Apache License, Version 2.0 (the "License");
  *    you may not use this file except in compliance with the License.
@@ -41,6 +41,7 @@ public:
     void allowAPI(const std::string &api, const std::string &rules);
     void apply();
     void applyAndSwithToUser(int uid, int gid);
+    void clear();
 
 private:
     void allowJournaldLogs();

diff --git a/src/common/smack_access.cpp b/src/common/smack_access.cpp
index 354b99718153d821d8847702b8ed003392b7dc1f..e461a312745a0361c16bec2a0721d11cbe04c4ed 100644 (file)
--- a/src/common/smack_access.cpp
+++ b/src/common/smack_access.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved
  *
  *    Licensed under the Apache License, Version 2.0 (the "License");
  *    you may not use this file except in compliance with the License.
@@ -50,6 +50,11 @@ void SmackAccess::apply() {
         "Error in smack_accessses_apply.");
 }
 
+void SmackAccess::clear() {
+    RUNNER_ASSERT_MSG(0 == smack_accesses_clear(m_handle),
+        "Error in smack_accesses_clear.");
+}
+
 SmackAccess::~SmackAccess() {
     if (m_handle)
         smack_accesses_free(m_handle);

diff --git a/src/common/smack_access.h b/src/common/smack_access.h
index f20842be14caf995ddb6dd02f5d038e93785bbc9..0d3f227d6938c1fceadadf7b26b14bd068332b36 100644 (file)
--- a/src/common/smack_access.h
+++ b/src/common/smack_access.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved
  *
  *    Licensed under the Apache License, Version 2.0 (the "License");
  *    you may not use this file except in compliance with the License.
@@ -36,6 +36,7 @@ public:
              const std::string &object,
              const std::string &rights);
     void apply();
+    void clear();
     virtual ~SmackAccess();
 private:
     struct smack_accesses *m_handle;