From: Marcin Niesluchowski Date: Wed, 21 May 2014 06:51:52 +0000 (+0200) Subject: Adjust AccessProvider api to current security-server. X-Git-Tag: security-manager_5.5_testing~246 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=608b7cbb902a2258dd90d961545ae98d367652c6;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git Adjust AccessProvider api to current security-server. Sockets in security-server has been moved to /run labeled with System::Run label and AccessProvider provided old smack accesses. Previous references to sockets' old smack labels has been removed. Verification: -> security-tests-all.sh (server, cookie-api, clientsmack and dbus tests should pass, no changes in other tests) Change-Id: I9796fb0b52890553767783de5cffdc7b5ecb8746 --- diff --git a/tests/common/access_provider.cpp b/tests/common/access_provider.cpp index ee06e026..476579d9 100644 --- a/tests/common/access_provider.cpp +++ b/tests/common/access_provider.cpp @@ -35,44 +35,12 @@ AccessProvider::AccessProvider(const std::string &mySubject) : m_mySubject(mySubject) {} -void AccessProvider::allowFunction(const std::string &functionName) { - static const std::map translation = { - {"security_server_get_gid", "security-server::api-get-gid"}, - {"security_server_request_cookie", "none"}, - {"security_server_get_cookie_size", "none"}, - {"security_server_check_privilege", "security-server::api-cookie-check"}, - {"security_server_check_privilege_by_cookie", "security-server::api-cookie-check"}, - {"security_server_check_privilege_by_sockfd", "security-server::api-privilege-by-pid"}, - {"security_server_get_cookie_pid", "security-server::api-cookie-check"}, - {"security_server_is_pwd_valid", "security-server::api-password-check"}, - {"security_server_set_pwd", "security-server::api_password-set"}, - {"security_server_set_pwd_validity", "security-server::api-password-set"}, - {"security_server_set_pwd_max_challenge", "security-server::api-password-set"}, - {"security_server_reset_pwd", "security-server::api-password-set"}, - {"security_server_chk_pwd", "security-server::api-password-check"}, - {"security_server_set_pwd_history", "security-server::api-password-set"}, - {"security_server_get_smacklabel_cookie", "security-server::api-cookie-check"}, - {"security_server_get_smacklabel_sockfd", "none"}, - {"security_server_app_give_access", "security-server::api-data-share"}, - {"security_server_check_privilege_by_pid", "security-server::api-privilege-by-pid"}, - {"security_server_app_enable_permissions", "security-server::api-app-permissions"}, - {"security_server_app_disable_permissions", "security-server::api-app-permissions"}, - {"security_server_get_uid_by_cookie", "security-server::api-cookie-check"}, - {"security_server_app_has_privilege", "security-server::api-app-privilege-by-name"}, - {"security_server_app_caller_has_privilege", "security-server::api-app-privilege-by-name"}, - {"security_server_get_gid_by_cookie", "security-server::api-cookie-check"}, - {"security_server_open_for", "security-server::api-open-for"} - }; - - auto it = translation.find(functionName); - RUNNER_ASSERT_MSG_BT(it != translation.end(), - "Error no function " << functionName << " in security server."); - - m_smackAccess.add(m_mySubject, it->second, "w"); +void AccessProvider::allowSS() { + m_smackAccess.add(m_mySubject, "System::Run", "x"); } -void AccessProvider::allowAPI(const std::string &api, const std::string &rule) { - m_smackAccess.add(m_mySubject, api, rule); +void AccessProvider::addObjectRule(const std::string &object, const std::string &rule) { + m_smackAccess.add(m_mySubject, object, rule); } void AccessProvider::apply() { diff --git a/tests/common/access_provider.h b/tests/common/access_provider.h index c05ee4d0..452d4180 100644 --- a/tests/common/access_provider.h +++ b/tests/common/access_provider.h @@ -35,8 +35,8 @@ public: AccessProvider(const AccessProvider &second) = delete; AccessProvider& operator=(const AccessProvider &second) = delete; - void allowAPI(const std::string &api, const std::string &rules); - void allowFunction(const std::string &functionName); + void addObjectRule(const std::string &object, const std::string &rule); + void allowSS(); void apply(); void applyAndSwithToUser(int uid, int gid); diff --git a/tests/libsmack-tests/test_cases.cpp b/tests/libsmack-tests/test_cases.cpp index 717c2f3f..a864a360 100644 --- a/tests/libsmack-tests/test_cases.cpp +++ b/tests/libsmack-tests/test_cases.cpp @@ -1380,8 +1380,8 @@ void prepareEnvironment(const std::string &subject, const std::string &object, c const std::string ruleAll = "x"; SecurityServer::AccessProvider provider(subject); - provider.allowAPI("User", ruleAll); - provider.allowAPI(object, access); + provider.addObjectRule("User", ruleAll); + provider.addObjectRule(object, access); provider.applyAndSwithToUser(APP_UID, APP_GID); } @@ -1395,7 +1395,7 @@ RUNNER_CHILD_TEST_SMACK(smack13_0_checking_laccess_mode_enabled_on_device) //function inside checks if rule exist after add it SecurityServer::AccessProvider provider(selfLabel); - provider.allowAPI(filename, "l"); + provider.addObjectRule(filename, "l"); provider.apply(); int ret = smack_have_access(selfLabel.c_str(), filename.c_str(), "l"); diff --git a/tests/security-server-tests/cookie_api.cpp b/tests/security-server-tests/cookie_api.cpp index 7afd8131..65302929 100644 --- a/tests/security-server-tests/cookie_api.cpp +++ b/tests/security-server-tests/cookie_api.cpp @@ -13,12 +13,9 @@ /* Tested API functions in this file: -Protected by "security-server::api-cookie-get" label: int security_server_get_cookie_size(void); int security_server_request_cookie(char *cookie, size_t bufferSize); - -Protected by "security-server::api-cookie-check" label: int security_server_check_privilege(const char *cookie, gid_t privilege); int security_server_check_privilege_by_cookie(const char *cookie, const char *object, @@ -243,6 +240,7 @@ RUNNER_CHILD_TEST_SMACK(tc_unit_02_02_app_user_security_server_request_cookie) "Error in security_server_get_cookie_size(): " << cookieSize); SecurityServer::AccessProvider provider("selflabel_02_01"); + provider.allowSS(); provider.applyAndSwithToUser(APP_UID, APP_GID); Cookie cookie(cookieSize); @@ -301,7 +299,7 @@ RUNNER_CHILD_TEST_SMACK(tc_unit_03_03_app_user_security_server_check_privilege) Cookie cookie = getCookieFromSS(); SecurityServer::AccessProvider provider("selflabel_03_03"); - provider.allowFunction("security_server_check_privilege"); + provider.allowSS(); provider.applyAndSwithToUser(APP_UID, APP_GID); int ret = security_server_check_privilege(cookie.data(), 0); @@ -385,7 +383,7 @@ RUNNER_CHILD_TEST_SMACK(tc_unit_05_03_app_user_security_server_get_cookie_pid) Cookie cookie = getCookieFromSS(); SecurityServer::AccessProvider provider("selflabel_05_03"); - provider.allowFunction("security_server_get_cookie_pid"); + provider.allowSS(); provider.applyAndSwithToUser(APP_UID, APP_GID); int ret = security_server_get_cookie_pid(cookie.data()); @@ -444,7 +442,7 @@ RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_app_user_security_server_get_smacklabel_co RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_app_user_security_server_get_smacklabel_cookie) { SecurityServer::AccessProvider provider("selflabel_06_03"); - provider.allowFunction("security_server_get_smacklabel_cookie"); + provider.allowSS(); provider.applyAndSwithToUser(APP_UID, APP_GID); Cookie cookie = getCookieFromSS(); @@ -462,12 +460,7 @@ RUNNER_CHILD_TEST_SMACK(tc_unit_09_01_app_user_cookie_API_access_allow) add_process_group(PROC_AUDIO_GROUP_NAME); SecurityServer::AccessProvider provider("subject_1d6eda7d"); - provider.allowFunction("security_server_get_gid"); - provider.allowFunction("security_server_request_cookie"); - provider.allowFunction("security_server_check_privilege"); - provider.allowFunction("security_server_get_cookie_pid"); - provider.allowFunction("security_server_get_smacklabel_cookie"); - provider.allowFunction("security_server_check_privilege_by_pid"); + provider.allowSS(); provider.applyAndSwithToUser(APP_UID, APP_GID); Cookie cookie = getCookieFromSS(); diff --git a/tests/security-server-tests/security_server_tests_client_smack.cpp b/tests/security-server-tests/security_server_tests_client_smack.cpp index 04b4f7a3..2e3b940b 100644 --- a/tests/security-server-tests/security_server_tests_client_smack.cpp +++ b/tests/security-server-tests/security_server_tests_client_smack.cpp @@ -50,7 +50,7 @@ RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_CLIENT_SMACK) RUNNER_CHILD_TEST_SMACK(tc04_security_server_get_gid) { SecurityServer::AccessProvider provider("tc04mylabel"); - provider.allowFunction("security_server_get_gid"); + provider.allowSS(); provider.applyAndSwithToUser(APP_UID, APP_GID); int ret = security_server_get_gid("abc123xyz_pysiaczek"); @@ -78,18 +78,14 @@ RUNNER_CHILD_TEST_SMACK(tc05_check_privilege_by_cookie) const char *access_rights_ext = "rw"; const char *subject_label = "tc05subjectlabel"; - SmackAccess access; - access.add(subject_label, object_label, access_rights); - access.add(subject_label, "security-server::api-cookie-check", "w"); - access.apply(); - - RUNNER_ASSERT_BT(0 == smack_set_label_for_self(subject_label)); + SecurityServer::AccessProvider provider(subject_label); + provider.allowSS(); + provider.addObjectRule(object_label, access_rights); + provider.applyAndSwithToUser(APP_UID, APP_GID); RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS == security_server_request_cookie(cookie,20)); - RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid()); - RUNNER_ASSERT_BT(SECURITY_SERVER_API_SUCCESS == security_server_check_privilege_by_cookie( cookie, diff --git a/tests/security-server-tests/security_server_tests_dbus.cpp b/tests/security-server-tests/security_server_tests_dbus.cpp index 836ce6d7..52fdb09e 100644 --- a/tests/security-server-tests/security_server_tests_dbus.cpp +++ b/tests/security-server-tests/security_server_tests_dbus.cpp @@ -12,9 +12,6 @@ #include "security-server.h" #include "privilege-control.h" -#define API_DATA_SHARE "security-server::api-data-share" -#define API_FREE_ACCESS "------" - #define DBUS_SERVER_NAME "test.method.server" #define DBUS_CALLER_NAME "test.method.caller" @@ -30,7 +27,6 @@ RUNNER_MULTIPROCESS_TEST_SMACK(tc01_smack_context_from_DBus) int ret = -1; const char *subject_parent = "subject_parent"; const char *subject_child = "subject_child"; - struct smack_accesses *handle = NULL; DBusMessage* msg = NULL; DBusMessageIter args, iter, var, var_iter, var_value; @@ -49,24 +45,6 @@ RUNNER_MULTIPROCESS_TEST_SMACK(tc01_smack_context_from_DBus) RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "smack_set__label_for_self() failed, ret: " << ret); - ret = smack_accesses_new(&handle); - RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, - "smack_accesses_new() failed, ret: " << ret); - - ret = smack_accesses_add(handle, subject_child, API_DATA_SHARE, API_FREE_ACCESS); - RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, - "smack_accesses_add() failed, ret: " << ret); - - ret = smack_accesses_apply(handle); - RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, - "smack_accesses_apply() failed, ret: " << ret); - - ret = smack_set_label_for_self(subject_child); - RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, - "smack_set_label_for_self() failed, ret: " << ret); - - smack_accesses_free(handle); - // initialize the errors dbus_error_init(&err); @@ -162,24 +140,6 @@ RUNNER_MULTIPROCESS_TEST_SMACK(tc01_smack_context_from_DBus) RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, "smack_set_label_for_self() failed, ret: " << ret); - ret = smack_accesses_new(&handle); - RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, - "smack_accesses_new() failed, ret: " << ret); - - ret = smack_accesses_add(handle, subject_parent, API_DATA_SHARE, API_FREE_ACCESS); - RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, - "smack_accesses_add() failed, ret: " << ret); - - ret = smack_accesses_apply(handle); - RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, - "smack_accesses_apply() failed, ret: " << ret); - - ret = smack_set_label_for_self(subject_parent); - RUNNER_ASSERT_MSG_BT(ret == PC_OPERATION_SUCCESS, - "smack_set_label_for_self() failed, ret: " << ret); - - smack_accesses_free(handle); - // initialise the error dbus_error_init(&err); diff --git a/tests/security-server-tests/server.cpp b/tests/security-server-tests/server.cpp index fcbb478a..56034e93 100644 --- a/tests/security-server-tests/server.cpp +++ b/tests/security-server-tests/server.cpp @@ -40,53 +40,22 @@ const char *TEST04_SUBJECT = "subject_57dfbfc5"; const char *TEST07_SUBJECT = "subject_cd738844"; const char *TEST08_SUBJECT = "subject_fd84ba7f"; -const char *API_PASSWD_SET = "security-server::api-password-set"; -const char *API_PASSWD_CHECK = "security-server::api-password-check"; -const char *API_PASSWD_RESET = "security-server::api-password-reset"; -const char *API_RULE_REQUIRED = "w"; - -int clear_password(char ** /*error*/) +void clear_password() { int ret = -1; unsigned int attempt, max_attempt, expire_sec; - const char *subject_allow = "subject_allow"; - struct smack_accesses *handle = NULL; - - if (getuid() == 0) { - reset_security_server(); - - ret = smack_accesses_new(&handle); - RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret); - - /* our subject 'subject_allow' has access to security-server::api-password-check */ - ret = smack_accesses_add(handle, subject_allow, API_PASSWD_CHECK, API_RULE_REQUIRED); - RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret); - - ret = smack_accesses_apply(handle); - RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret); - ret = smack_set_label_for_self(subject_allow); - RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << ret); + reset_security_server(); - smack_accesses_free(handle); - - attempt = max_attempt = expire_sec = UINT_MAX; - ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec); - - RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret); - RUNNER_ASSERT_BT(expire_sec == 0); - RUNNER_ASSERT_BT(max_attempt == 0); - RUNNER_ASSERT_BT(attempt == 0); - - /* we revoke all rules for subject 'subject_allow' */ - ret = smack_revoke_subject(subject_allow); - RUNNER_ASSERT_MSG_BT(ret == 0, "Revoking subject didn't work."); + attempt = max_attempt = expire_sec = UINT_MAX; + ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec); - sleep(1); + RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret); + RUNNER_ASSERT_BT(expire_sec == 0); + RUNNER_ASSERT_BT(max_attempt == 0); + RUNNER_ASSERT_BT(attempt == 0); - return 0; - } - return -1; + sleep(1); } void check_API_passwd(bool smack) { @@ -160,16 +129,10 @@ RUNNER_CHILD_TEST_SMACK(tc01a_security_server_app_give_access) { const char *subject = "abc345v34sfa"; const char *object = "efg678x2lkjz"; - const char *server_api = "security-server::api-data-share"; - - SmackAccess smack; - smack.add(subject, object, "-----"); - smack.add(object, server_api, "rw"); - smack.apply(); - smack_set_label_for_self(object); - - RUNNER_ASSERT_MSG_BT(drop_root_privileges() == 0, "uid = " << getuid()); + SecurityServer::AccessProvider provider(object); + provider.allowSS(); + provider.applyAndSwithToUser(APP_UID, APP_GID); security_server_app_give_access(subject, getpid()); @@ -238,17 +201,13 @@ RUNNER_CHILD_TEST_SMACK(tc03_check_API_passwd_allow) { int ret = -1; unsigned int attempt, max_attempt, expire_sec; - char *str = (char*) malloc(256); attempt = max_attempt = expire_sec = 0; - ret = clear_password(&str); - RUNNER_ASSERT_MSG_BT(ret == 0, "ret: " << str); + clear_password(); SecurityServer::AccessProvider provider(TEST03_SUBJECT); - provider.allowAPI(API_PASSWD_CHECK, API_RULE_REQUIRED); - provider.allowAPI(API_PASSWD_SET, API_RULE_REQUIRED); - provider.allowAPI(API_PASSWD_RESET, API_RULE_REQUIRED); + provider.allowSS(); provider.applyAndSwithToUser(APP_UID, APP_GID); ret = security_server_set_pwd_validity(10); @@ -289,7 +248,7 @@ RUNNER_CHILD_TEST_NOSMACK(tc04_check_API_app_user_passwd_allow_nosmack) RUNNER_CHILD_TEST_SMACK(tc07_check_API_data_share_allow) { SecurityServer::AccessProvider provider(TEST07_SUBJECT); - provider.allowFunction("security_server_app_give_access"); + provider.allowSS(); provider.applyAndSwithToUser(APP_UID, APP_GID); int ret = security_server_app_give_access(TEST07_SUBJECT, getpid());