From: Mateusz Cegielka Date: Fri, 24 Jul 2020 15:13:25 +0000 (+0200) Subject: Fix only partial rollback of Smack rules X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F44%2F240344%2F2;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git Fix only partial rollback of Smack rules Some tests temporarily add new Smack rules in order to test unprivileged access to system services. After the test, they are cleared with smack_revoke_subject. However, this only removes rules where the test application is the subject. I have replaced calls where this is an issue with a smack_accesses_clear call, which removes all rules loaded with a given handle. Since affected tests do not modify Smack rules in any other way and only use test labels for fake apps, no rules removed by the old call and not by the new call can exist. Change-Id: I841d6b7ad05549d8837645e3d9176f4db7029908 --- diff --git a/src/ckm/privileged/access_provider2.cpp b/src/ckm/privileged/access_provider2.cpp index 2d98ace4..bc7af223 100644 --- a/src/ckm/privileged/access_provider2.cpp +++ b/src/ckm/privileged/access_provider2.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -81,8 +81,7 @@ void AccessProvider::applyAndSwithToUser(int uid, int gid) { RUNNER_ASSERT_MSG(m_inSwitchContext == false, "already switched context"); - RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_mySubject.c_str()), - "Error in smack_revoke_subject(" << m_mySubject << ")"); + clear(); apply(); m_processLabel.reset(new ScopedProcessLabel(m_mySubject)); @@ -96,6 +95,10 @@ void AccessProvider::applyAndSwithToUser(int uid, int gid) m_inSwitchContext = true; } +void AccessProvider::clear() { + m_smackAccess.clear(); +} + void AccessProvider::allowJournaldLogs() { allowAPI("System::Run","wx"); // necessary for logging with journald } @@ -106,8 +109,7 @@ ScopedAccessProvider::~ScopedAccessProvider() { RUNNER_ASSERT_MSG(0 == setegid(m_origGid), "Error in setgid."); RUNNER_ASSERT_MSG(0 == seteuid(m_origUid), "Error in setuid."); - RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_mySubject.c_str()), - "Error in smack_revoke_subject(" << m_mySubject << ")"); + clear(); m_processLabel.reset(); m_inSwitchContext = false; } diff --git a/src/ckm/privileged/access_provider2.h b/src/ckm/privileged/access_provider2.h index d2e19b5a..4a745dfb 100644 --- a/src/ckm/privileged/access_provider2.h +++ b/src/ckm/privileged/access_provider2.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -41,6 +41,7 @@ public: void allowAPI(const std::string &api, const std::string &rules); void apply(); void applyAndSwithToUser(int uid, int gid); + void clear(); private: void allowJournaldLogs(); diff --git a/src/common/smack_access.cpp b/src/common/smack_access.cpp index 354b9971..e461a312 100644 --- a/src/common/smack_access.cpp +++ b/src/common/smack_access.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -50,6 +50,11 @@ void SmackAccess::apply() { "Error in smack_accessses_apply."); } +void SmackAccess::clear() { + RUNNER_ASSERT_MSG(0 == smack_accesses_clear(m_handle), + "Error in smack_accesses_clear."); +} + SmackAccess::~SmackAccess() { if (m_handle) smack_accesses_free(m_handle); diff --git a/src/common/smack_access.h b/src/common/smack_access.h index f20842be..0d3f227d 100644 --- a/src/common/smack_access.h +++ b/src/common/smack_access.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -36,6 +36,7 @@ public: const std::string &object, const std::string &rights); void apply(); + void clear(); virtual ~SmackAccess(); private: struct smack_accesses *m_handle;