From: Krzysztof Jackiewicz <k.jackiewicz@samsung.com>
Date: Fri, 10 Jul 2015 10:27:30 +0000 (+0200)
Subject: CKM: Unlock journald logs
X-Git-Tag: security-manager_5.5_testing~9^2~65
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=227b8f5740457f36409d78f3d02433c53780efbe;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git

CKM: Unlock journald logs

[Problem] Journald logging fails after dropping root privileges and changing
the label.
[Solution] Change execute label to User so that sockets created by ckm-tests
are allowed to wx to System. Add permissions for custom label to wx to System::Run.

[Verification] Run ckm-tests and check journald logs for smack messages. There
should be none.

Change-Id: I8ddca950755f3b7079ae42fba4416b506ea9e35e
---

diff --git a/packaging/security-tests.manifest b/packaging/security-tests.manifest
index e6064d1f..9a62ddcc 100644
--- a/packaging/security-tests.manifest
+++ b/packaging/security-tests.manifest
@@ -17,7 +17,7 @@
         <filesystem path="/usr/bin/security-server-tests-dbus" exec_label="_" />
         <filesystem path="/usr/bin/security-manager-tests" exec_label="_" />
         <filesystem path="/usr/bin/cynara-tests" exec_label="_" />
-        <filesystem path="/usr/bin/ckm-tests" exec_label="_" />
+        <filesystem path="/usr/bin/ckm-tests" exec_label="User" />
 
         <filesystem path="/usr/bin/test-app-wgt" exec_label="User" />
         <filesystem path="/usr/bin/test-app-efl" exec_label="User" />
diff --git a/src/ckm/access_provider2.cpp b/src/ckm/access_provider2.cpp
index 1d257cb1..4e895d6f 100644
--- a/src/ckm/access_provider2.cpp
+++ b/src/ckm/access_provider2.cpp
@@ -31,12 +31,14 @@ AccessProvider::AccessProvider(const std::string &mySubject)
   : m_mySubject(mySubject), m_inSwitchContext(false)
 {
     RUNNER_ASSERT_MSG(m_mySubject.size() > 0, "No smack label provided to AccessProvider!");
+    allowJournaldLogs();
 }
 
 AccessProvider::AccessProvider(const std::string &mySubject, int uid, int gid)
   : m_mySubject(mySubject), m_inSwitchContext(false)
 {
     RUNNER_ASSERT_MSG(m_mySubject.size() > 0, "No smack label provided to AccessProvider!");
+    allowJournaldLogs();
     applyAndSwithToUser(uid, gid);
 }
 
@@ -77,6 +79,10 @@ void AccessProvider::applyAndSwithToUser(int uid, int gid)
     m_inSwitchContext = true;
 }
 
+void AccessProvider::allowJournaldLogs() {
+    allowAPI("System::Run","wx"); // necessary for logging with journald
+}
+
 ScopedAccessProvider::~ScopedAccessProvider()
 {
     if(m_inSwitchContext == true)
diff --git a/src/ckm/access_provider2.h b/src/ckm/access_provider2.h
index bcf138bb..b7c714b7 100644
--- a/src/ckm/access_provider2.h
+++ b/src/ckm/access_provider2.h
@@ -40,6 +40,8 @@ public:
     void applyAndSwithToUser(int uid, int gid);
 
 private:
+    void allowJournaldLogs();
+
     SmackAccess m_smackAccess;
 protected:
     std::string m_mySubject;