From 73f509909a3e4942cc60efbe5963e3bcac9cd7d4 Mon Sep 17 00:00:00 2001 
From: Krzysztof Jackiewicz Date: Fri, 1 Mar 2019 12:12:34 +0100 Subject: [PATCH] Generic solution for onlycap issues Once a process changes its smack label it may be unable to restore the original one if onlycap is active and the new label is not in onlycap. This commit provides a single class for handling process relabeling. The class is able to restore the original process label even if onlycap is active. To do so it stores the original onlycap value and original process label. The new label is appended to current onlycap. When class is destroyed the old label and old onlycap content is restored. The drawback of this solution is that the relabeled process effectively gets CAP_MAC_ADMIN. The script for running ckm tests on onlycap has been removed. All tests that do not directly test smack_set_label_for_self() use the new class for process relabeling. Change-Id: I0dda65fbd392f1b09061349061bdaf634efd9093 --- packaging/security-tests.spec | 5 +- .../process-settings/change-smack.cpp | 19 +-- .../process-settings/change-smack.h | 8 +- src/ckm/privileged/CMakeLists.txt | 8 +- src/ckm/privileged/access_provider2.cpp | 26 ++-- src/ckm/privileged/access_provider2.h | 9 +- src/ckm/privileged/cc-mode.cpp | 7 +- src/ckm/privileged/ckm-privileged-common.cpp | 23 +-- src/ckm/privileged/ckm-privileged-common.h | 11 -- src/ckm/privileged/ckm-tests-on-onlycap.sh | 50 ------ src/common/CMakeLists.txt | 1 + src/common/access_provider.cpp | 6 +- src/common/scoped_process_label.cpp | 147 ++++++++++++++++++ src/common/scoped_process_label.h | 43 +++++ src/common/tests_common.cpp | 14 +- src/common/tests_common.h | 4 +- src/cynara-tests/test_cases_helpers.cpp | 5 +- .../common/scoped_label.h | 34 ---- .../common/sm_commons.cpp | 5 +- src/security-manager-tests/test_cases.cpp | 8 +- src/security-tests.sh | 4 +- 21 files changed, 244 insertions(+), 193 deletions(-) delete mode 100644 src/ckm/privileged/ckm-tests-on-onlycap.sh create mode 100644 src/common/scoped_process_label.cpp create 
mode 100644 src/common/scoped_process_label.h delete mode 100644 src/security-manager-tests/common/scoped_label.h diff --git a/packaging/security-tests.spec b/packaging/security-tests.spec index 4652696d..9809e032 100644 --- a/packaging/security-tests.spec +++ b/packaging/security-tests.spec @@ -107,9 +107,8 @@ echo "security-tests postinst done ..." %attr(755, security_test_user,users) %{TZ_SYS_HOME}/security_test_user/apps_rw/* /usr/bin/cynara-test /usr/bin/ckm-tests -/usr/bin/ckm-privileged-tests -/usr/bin/ckm-tests-on-onlycap.sh -/usr/bin/ckm-integration-tests +%caps(cap_mac_admin=ep) /usr/bin/ckm-privileged-tests +%caps(cap_mac_admin=ep) /usr/bin/ckm-integration-tests /usr/bin/yaca-test %{ckm_test_dir}/* /etc/security-tests diff --git a/src/ckm-integration/process-settings/change-smack.cpp b/src/ckm-integration/process-settings/change-smack.cpp index f56c5060..f83aec4f 100644 --- a/src/ckm-integration/process-settings/change-smack.cpp +++ b/src/ckm-integration/process-settings/change-smack.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2015 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,7 @@ /* * @file change-smack.cpp * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) + * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com) * @version 1.0 */ #include @@ -23,6 +24,7 @@ #include #include +#include namespace ProcessSettings { 
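Review bot: The two `%caps(cap_mac_admin=ep)` entries in the `%files` hunk of security-tests.spec make the capability a permanent file attribute, so any account allowed to execute `/usr/bin/ckm-privileged-tests` or `/usr/bin/ckm-integration-tests` runs them with CAP_MAC_ADMIN permitted and effective. Neither entry carries an `%attr`, so mode and owner come from a `%defattr` or install step outside this hunk, and I cannot tell from here whether execution is limited to root. If the tests are always started by root, pin that next to the capability, e.g. `%attr(0750,root,root) %caps(cap_mac_admin=ep) /usr/bin/ckm-privileged-tests`. A spec comment saying the package is for test images only would also help.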
@@ -31,22 +33,11 @@ ChangeSmack::ChangeSmack(const Policy &policy) {} void ChangeSmack::Apply() { - char *my_label = nullptr; - - RUNNER_ASSERT(-1 != smack_new_label_from_self(&my_label)); - - if (my_label) - m_originalLabel = my_label; - - free(my_label); - - RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(m_policy.GetSmackLabel().c_str()), - "Error in smack_set_label_for_self(" << m_policy.GetSmackLabel() << ")"); + m_processLabel.reset(new ScopedProcessLabel(m_policy.GetSmackLabel())); } void ChangeSmack::Revoke() { - RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(m_originalLabel.c_str()), - "Error in smack_set_label_for_self(" << m_originalLabel << ")"); + m_processLabel.reset(); } ChangeSmack::~ChangeSmack() {} diff --git a/src/ckm-integration/process-settings/change-smack.h b/src/ckm-integration/process-settings/change-smack.h index ac511991..937c1015 100644 --- a/src/ckm-integration/process-settings/change-smack.h +++ b/src/ckm-integration/process-settings/change-smack.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2015 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,14 +16,18 @@ /* * @file change-smack.h * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) + * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com) * @version 1.0 */ #pragma once #include +#include #include +class ScopedProcessLabel; + namespace ProcessSettings { class ChangeSmack { @@ -34,7 +38,7 @@ public: virtual ~ChangeSmack(); private: const Policy &m_policy; - std::string m_originalLabel; + std::unique_ptr m_processLabel; }; } // namespace ProcessSettings diff --git a/src/ckm/privileged/CMakeLists.txt b/src/ckm/privileged/CMakeLists.txt index 12590d0b..cbe717b2 100644 --- a/src/ckm/privileged/CMakeLists.txt +++ b/src/ckm/privileged/CMakeLists.txt 
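Review bot: In `ChangeSmack::Apply()`, `m_processLabel.reset(new ScopedProcessLabel(...))` constructs the new guard before the previous one is destroyed, so a second `Apply()` without an intervening `Revoke()` relabels the process and then the old guard's destructor immediately puts the original label back. The object would then believe the policy label is active while the process may already be running under the original one. If repeated `Apply()` is possible, either release first with `m_processLabel.reset();` on the line before, or reject it with an assertion such as `RUNNER_ASSERT_MSG(!m_processLabel, "label already applied");`.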
@@ -1,4 +1,4 @@ -# Copyright (c) 2013-2018 Samsung Electronics Co., Ltd All Rights Reserved +# Copyright (c) 2013-2019 Samsung Electronics Co., Ltd All Rights Reserved # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -98,9 +98,3 @@ TARGET_COMPILE_DEFINITIONS(${TARGET_CKM_PRIVILEGED_TESTS} ) INSTALL(TARGETS ${TARGET_CKM_PRIVILEGED_TESTS} DESTINATION bin) -INSTALL(FILES ckm-tests-on-onlycap.sh - DESTINATION bin - PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE - GROUP_READ GROUP_EXECUTE - WORLD_READ WORLD_EXECUTE -) diff --git a/src/ckm/privileged/access_provider2.cpp b/src/ckm/privileged/access_provider2.cpp index 58a98ebb..2d98ace4 100644 --- a/src/ckm/privileged/access_provider2.cpp +++ b/src/ckm/privileged/access_provider2.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,7 @@ /* * @file access_provider.cpp * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) + * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com) * @version 1.0 * @brief Common functions and macros used in security-tests package. */ @@ -26,6 +27,7 @@ #include #include #include +#include namespace { @@ -59,6 +61,11 @@ AccessProvider::AccessProvider(const std::string &ownerId, int uid, int gid) applyAndSwithToUser(uid, gid); } +AccessProvider::~AccessProvider() +{ + +} + void AccessProvider::allowAPI(const std::string &api, const std::string &rule) { m_smackAccess.add(m_mySubject, api, rule); } 
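Review bot: The new out-of-line `AccessProvider::~AccessProvider()` in access_provider2.cpp has an empty body holding only a blank line and no hint why it moved out of the header. It presumably has to live here because `m_processLabel` is a `std::unique_ptr` to a type that is only forward-declared in access_provider2.h. I would write it as `AccessProvider::~AccessProvider() = default;` with the comment `// out of line: ScopedProcessLabel is incomplete in the header`, so nobody moves it back inline later.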
@@ -74,21 +81,11 @@ void AccessProvider::applyAndSwithToUser(int uid, int gid) { RUNNER_ASSERT_MSG(m_inSwitchContext == false, "already switched context"); - // get calling label - char* my_label = NULL; - RUNNER_ASSERT(smack_new_label_from_self(&my_label) > 0); - if(my_label) - { - m_origLabel = std::string(my_label); - free(my_label); - } - RUNNER_ASSERT(m_origLabel.size() > 0); - RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_mySubject.c_str()), "Error in smack_revoke_subject(" << m_mySubject << ")"); apply(); - RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(m_mySubject.c_str()), - "Error in smack_set_label_for_self."); + + m_processLabel.reset(new ScopedProcessLabel(m_mySubject)); m_origUid = getuid(); m_origGid = getgid(); @@ -111,8 +108,7 @@ ScopedAccessProvider::~ScopedAccessProvider() RUNNER_ASSERT_MSG(0 == seteuid(m_origUid), "Error in setuid."); RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_mySubject.c_str()), "Error in smack_revoke_subject(" << m_mySubject << ")"); - RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(m_origLabel.c_str()), - "Error in smack_set_label_for_self."); + m_processLabel.reset(); m_inSwitchContext = false; } } diff --git a/src/ckm/privileged/access_provider2.h b/src/ckm/privileged/access_provider2.h index 30631be6..d2e19b5a 100644 --- a/src/ckm/privileged/access_provider2.h +++ b/src/ckm/privileged/access_provider2.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -23,14 +23,17 @@ #define _ACCESS_FOR_DUMMIES_H_ #include +#include #include +class ScopedProcessLabel; + class AccessProvider { public: explicit AccessProvider(const std::string &ownerId); AccessProvider(const std::string &ownerId, int uid, int gid); - virtual ~AccessProvider() {} + virtual ~AccessProvider(); AccessProvider(const AccessProvider &second) = delete; AccessProvider& operator=(const AccessProvider &second) = delete; @@ -47,7 +50,7 @@ protected: std::string m_mySubject; uid_t m_origUid; gid_t m_origGid; - std::string m_origLabel; + std::unique_ptr m_processLabel; bool m_inSwitchContext; }; diff --git a/src/ckm/privileged/cc-mode.cpp b/src/ckm/privileged/cc-mode.cpp index 4a5f43e2..eeddb27b 100644 --- a/src/ckm/privileged/cc-mode.cpp +++ b/src/ckm/privileged/cc-mode.cpp @@ -34,6 +34,7 @@ #include #include #include +#include using namespace CKM; using namespace std; @@ -73,13 +74,13 @@ private: MdppState::MdppState() { - ScopedLabel sl(USER_LABEL); + ScopedProcessLabel spl(USER_LABEL); m_original = vconf_get_str(VCONFKEY_SECURITY_MDPP_STATE); } MdppState::~MdppState() { - ScopedLabel sl(USER_LABEL); + ScopedProcessLabel spl(USER_LABEL); if (!m_original) vconf_set_str(VCONFKEY_SECURITY_MDPP_STATE, UNSET); else { @@ -89,7 +90,7 @@ MdppState::~MdppState() void MdppState::set(const char* const value) { - ScopedLabel sl(USER_LABEL); + ScopedProcessLabel spl(USER_LABEL); if (value) { int ret = vconf_set_str(VCONFKEY_SECURITY_MDPP_STATE, value); diff --git a/src/ckm/privileged/ckm-privileged-common.cpp b/src/ckm/privileged/ckm-privileged-common.cpp index 0c356e35..94070db5 100644 --- a/src/ckm/privileged/ckm-privileged-common.cpp +++ b/src/ckm/privileged/ckm-privileged-common.cpp 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2016 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -32,27 +32,6 @@ const char *SERVICE[] = { "central-key-manager.service" }; -void changeLabel(const char *label) -{ - int ret = smack_set_label_for_self(label); - RUNNER_ASSERT_MSG(0 == ret, - "Error in smack_set_label_for_self(" << label << "). Error: " << ret); -} - -} // namespace anonymous - -ScopedLabel::ScopedLabel(const char *label) : m_original_label(getLabel()) -{ - changeLabel(label); -} - -ScopedLabel::~ScopedLabel() -{ - /* - * Let it throw. If we can't restore label then remaining tests results will be - * unreliable anyway. - */ - changeLabel(m_original_label.c_str()); } void start_service(ServiceIdx idx) diff --git a/src/ckm/privileged/ckm-privileged-common.h b/src/ckm/privileged/ckm-privileged-common.h index 2cd62b09..bc498863 100644 --- a/src/ckm/privileged/ckm-privileged-common.h +++ b/src/ckm/privileged/ckm-privileged-common.h @@ -40,14 +40,3 @@ enum ServiceIdx { void start_service(ServiceIdx idx); void stop_service(ServiceIdx idx); - -// changes process label upon construction and restores it upon destruction -class ScopedLabel -{ -public: - ScopedLabel(const char* label); - ~ScopedLabel(); - -private: - std::string m_original_label; -}; diff --git a/src/ckm/privileged/ckm-tests-on-onlycap.sh b/src/ckm/privileged/ckm-tests-on-onlycap.sh deleted file mode 100644 index 570af4a3..00000000 --- a/src/ckm/privileged/ckm-tests-on-onlycap.sh +++ /dev/null 
@@ -1,50 +0,0 @@ -#!/bin/sh - -# Copyright (c) 2016-2018 Samsung Electronics Co., Ltd All Rights Reserved -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# @file ckm-tests-on-onlycap.sh -# @author Kyungwook Tak (k.tak@samsung.com) -# @brief Run ckm-tests on onlycap environment -# - -# save old label and onlycap -OLD_LABEL=`cat /proc/self/attr/current` -OLD_ONLYCAP=`cat /sys/fs/smackfs/onlycap` - -# make sure we're in onlycap so original state can be restored later -# (assume that OLD_LABEL is allowed to change the label) -echo "System::Privileged" > /proc/self/attr/current || exit - -# push test app lables to onlycap label list -echo "System::Privileged \ - User::Pkg::test_label \ - User::Pkg::test_label_2 \ - User::Pkg::test_label_3 \ - User::Pkg::test_label_4 \ - User::Pkg::test_label_5 \ - System" > /sys/fs/smackfs/onlycap || exit - -# set capability for changing smack label of self and add/remove smack rules -setcap cap_mac_admin=eip /usr/bin/ckm-privileged-tests || exit - -# run test -ckm-privileged-tests "${@}" # propagate all arguments - -# restore old onlycap -echo -n $OLD_ONLYCAP > /sys/fs/smackfs/onlycap - -# restore old label -# (assume that System::Privileged is allowed to do it with $OLD_ONLYCAP) -echo $OLD_LABEL > /proc/self/attr/current diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt index 9d00f363..b97fc809 100644 --- a/src/common/CMakeLists.txt +++ b/src/common/CMakeLists.txt 
@@ -47,6 +47,7 @@ SET(COMMON_TARGET_TEST_SOURCES ${PROJECT_SOURCE_DIR}/src/common/sm_policy_request.cpp ${PROJECT_SOURCE_DIR}/src/common/tzplatform.cpp ${PROJECT_SOURCE_DIR}/src/common/privilege_manager.cpp + ${PROJECT_SOURCE_DIR}/src/common/scoped_process_label.cpp ) #system and local includes diff --git a/src/common/access_provider.cpp b/src/common/access_provider.cpp index 1d3257a7..fb53d86a 100644 --- a/src/common/access_provider.cpp +++ b/src/common/access_provider.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -28,6 +28,7 @@ #include #include +#include namespace SecurityServer { @@ -55,8 +56,7 @@ void AccessProvider::applyAndSwithToUser(int uid, int gid) { RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_myLabel.c_str()), "Error in smack_revoke_subject(" << m_myLabel << ")"); apply(); - RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(m_myLabel.c_str()), - "Error in smack_set_label_for_self."); + ScopedProcessLabel spl(m_myLabel, false); RUNNER_ASSERT_MSG(0 == setgid(gid), "Error in setgid."); RUNNER_ASSERT_MSG(0 == setuid(uid), diff --git a/src/common/scoped_process_label.cpp b/src/common/scoped_process_label.cpp new file mode 100644 index 00000000..47872bcc --- /dev/null +++ b/src/common/scoped_process_label.cpp 
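Review bot: `ScopedProcessLabel spl(m_myLabel, false);` in `applyAndSwithToUser` uses a scope guard for a relabel that is meant to be permanent, and only the bare `false` tells the reader so. With `restore == false` the class also leaves onlycap untouched, so under an active onlycap the process gives up the ability to change its label again; that is probably intended before `setgid`/`setuid`, but it should be stated. Add a comment such as `// permanent relabel: restore=false, nothing is undone at scope exit`, or expose a plain helper function for this case. The same pattern appears in `testSelfClientSmack` (test_cases_helpers.cpp), `runAccessTest` (sm_commons.cpp) and the two `security_manager_25e`/`25f` tests (test_cases.cpp).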
@@ -0,0 +1,147 @@
+/*
+ * Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file scoped_process_label.cpp
+ * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+ * @version 1.0
+ * @brief
+ */
+
+#include
+
+#include
+#include
+
+#include
+#include
+#include
+
+#include
+
+namespace {
+
+const std::string& getOnlycapPath()
+{
+ static std::string onlycapPath;
+
+ if (onlycapPath.empty()) {
+ const char* smackfs = smack_smackfs_path();
+ if (smackfs != nullptr) {
+ onlycapPath.assign(smackfs);
+ onlycapPath.append("/onlycap");
+ }
+ }
+ return onlycapPath;
+}
+
+const char* SEPARATORS = " ";
+
+OnlycapSet smackGetOnlycap()
+{
+ std::ifstream ifs(getOnlycapPath());
+
+ RUNNER_ASSERT_MSG(ifs, "Opening " << getOnlycapPath() << " failed.");
+
+ std::string onlycap((std::istreambuf_iterator(ifs)), std::istreambuf_iterator());
+ ifs.close();
+
+ OnlycapSet onlycapSet;
+
+ size_t first = 0;
+ size_t last = 0;
+ while (last != std::string::npos) {
+ first = onlycap.find_first_not_of(SEPARATORS, last);
+ if (first == std::string::npos)
+ break;
+
+ last = onlycap.find_first_of(SEPARATORS, first + 1);
+ onlycapSet.insert(onlycap.substr(first, last - first));
+ }
+ return onlycapSet;
+}
+
+void smackSetOnlycap(const OnlycapSet& onlycapSet)
+{
+ if (onlycapSet.empty()) {
+ int ret = smack_set_onlycap(NULL, 0);
+ RUNNER_ASSERT_MSG(ret == 0, "Error in smack_set_onlycap():" << ret);
+ return;
+ }
+
+ const char* labels[onlycapSet.size()];
+ size_t i = 0;
+ for (const auto& label : onlycapSet) {
+ labels[i] = label.c_str();
+ i++;
+ }
+
+ int ret = smack_set_onlycap(labels, i);
+ RUNNER_ASSERT_MSG(ret == 0, "Error in smack_set_onlycap():" << ret);
+}
+
+void smackSetLabelForSelf(const std::string& label)
+{
+ int ret = smack_set_label_for_self(label.c_str());
+ RUNNER_ASSERT_MSG(ret == 0, "Error in smack_set_label_for_self('" << label << "'): " << ret);
+}
+
+} // namespace anonymous
+
+ScopedProcessLabel::ScopedProcessLabel(std::string label, bool restore) :
+ m_label(std::move(label))
+{
+ if (restore) {
+ // store the current process label
+ char* originalLabel = NULL;
+ ssize_t size = smack_new_label_from_self(&originalLabel);
+ RUNNER_ASSERT_MSG(size > 0 || originalLabel != nullptr,
+ "Error in smack_new_label_from_self():" << size);
+
+ std::unique_ptr originalLabelPtr(originalLabel, free);
+ m_originalLabel.assign(originalLabel, size);
+
+ m_originalOnlycap = smackGetOnlycap();
+
+ // add new label to onlycap so that it's able to restore the label
+ if (!m_originalOnlycap.empty()
+ && m_originalOnlycap.find(m_label) == m_originalOnlycap.end()) {
+ OnlycapSet newOnlycap = m_originalOnlycap;
+ newOnlycap.insert(m_label);
+ smackSetOnlycap(newOnlycap);
+ } else {
+ m_originalLabel.clear();
+ m_originalOnlycap.clear();
+ }
+ }
+ smackSetLabelForSelf(m_label);
+}
+
+ScopedProcessLabel::~ScopedProcessLabel()
+{
+ // it has to be restored
+ if (!m_originalLabel.empty()) {
+ try {
+ smackSetLabelForSelf(m_originalLabel);
+ smackSetOnlycap(m_originalOnlycap);
+ } catch (const DPL::Test::TestException& e) {
+ RUNNER_ERROR_MSG("Test exception occurred: " << e.GetMessage());
+ } catch (const std::exception& e) {
+ RUNNER_ERROR_MSG("Std exception occurred: " << e.what());
+ } catch (...) {
+ RUNNER_ERROR_MSG("Unknown exception occurred.");
+ }
+ }
+}
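Review bot: In the `ScopedProcessLabel` constructor the `else` branch clears `m_originalLabel`, and the destructor restores only when `m_originalLabel` is non-empty, so with `restore == true` the label is never put back when onlycap is empty or already contains the new label. That contradicts the header comment and changes behaviour for callers that replaced the old `ScopedLabel`, such as `MdppState`. Keep the saved label and record the onlycap change in a separate flag (a new `bool` member, called `m_onlycapChanged` below), so the destructor rewrites onlycap only when the constructor widened it. Separately, `smackSetLabelForSelf(m_label)` appears to throw on failure; if it does so after onlycap was widened, no destructor runs for the half-built object and the extra label stays in the system-wide onlycap list. The sketch below covers both points.

```cpp
// … unchanged: saving m_originalLabel and m_originalOnlycap, building newOnlycap …
            smackSetOnlycap(newOnlycap);
            m_onlycapChanged = true; // proposed bool member, initialised to false
        }
        // no else branch: m_originalLabel stays set so the destructor restores it
    }
    try {
        smackSetLabelForSelf(m_label);
    } catch (...) {
        // a throwing constructor gets no destructor call, so undo the widening here
        if (m_onlycapChanged)
            smackSetOnlycap(m_originalOnlycap);
        throw;
    }

// … in ~ScopedProcessLabel(), inside the existing try block …
            smackSetLabelForSelf(m_originalLabel);
            if (m_onlycapChanged)
                smackSetOnlycap(m_originalOnlycap);
```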
diff --git a/src/common/scoped_process_label.h b/src/common/scoped_process_label.h
new file mode 100644
index 00000000..5cb0dfc1
--- /dev/null
+++ b/src/common/scoped_process_label.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file scoped_process_label.h
+ * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+ * @version 1.0
+ * @brief
+ */
+
+#pragma once
+
+#include
+#include
+
+#include
+
+typedef std::unordered_set OnlycapSet;
+
+class ScopedProcessLabel: public DPL::Noncopyable
+{
+public:
+ // if restore == true the original label will be restored
+ explicit ScopedProcessLabel(std::string label, bool restore = true);
+ ~ScopedProcessLabel();
+
+private:
+ std::string m_label;
+ std::string m_originalLabel;
+ OnlycapSet m_originalOnlycap;
+};
diff --git a/src/common/tests_common.cpp b/src/common/tests_common.cpp
index b5dff60f..235b062c 100644
--- a/src/common/tests_common.cpp
+++ b/src/common/tests_common.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
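Review bot: The only documentation on `ScopedProcessLabel` in scoped_process_label.h is the one-line comment on the constructor, and the `@brief` is empty, yet the class has side effects a caller cannot guess from the signature. I would add a class comment stating that with `restore == true` it may rewrite the system-wide Smack onlycap list for the guard's lifetime, and that the target label then effectively holds CAP_MAC_ADMIN, as the commit message says. The comment should also say that the constructor can fail through the test-runner assertions. A further sentence should say whether guards may be nested or used from several threads, which the visible code does not appear to protect against.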
@@ -65,12 +65,6 @@ int drop_root_privileges(uid_t appUid, gid_t appGid) return 1; } -void setLabelForSelf(const int line, const char *label) -{ - int ret = smack_set_label_for_self(label); - RUNNER_ASSERT_MSG(ret == 0, "Error in smack_set_label_for_self(): " << ret << ", line: " << line); -} - /* * Add a new group to the current process groups. */ @@ -240,12 +234,6 @@ void waitPid(pid_t pid) "Child process exited abnormally" << ": ret=" << ret << ", errno=" << errno << ", status=" << status); } -// changes process label -void change_label(const char* label) -{ - int ret = smack_set_label_for_self(label); - RUNNER_ASSERT_MSG(0 == ret, "Error in smack_set_label_for_self("< &process) { pid_t pid = fork(); diff --git a/src/common/tests_common.h b/src/common/tests_common.h index 3e829f1d..2eb4a009 100644 --- a/src/common/tests_common.h +++ b/src/common/tests_common.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013-2015 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -47,7 +47,6 @@ const std::string TMP_DIR("/tmp"); bool smack_check(void); int drop_root_privileges(uid_t appUid = APP_UID, gid_t appGid = APP_GID); -void setLabelForSelf(const int line, const char *label); void add_process_group(const char* group_name); void remove_process_group(const char* group_name); std::string formatCstr(const char *cstr); @@ -58,7 +57,6 @@ void creatSafe(const std::string &path, mode_t mode); void symlinkSafe(const std::string &targetPath, const std::string &linkPath); void removeDir(const std::string &path); void waitPid(pid_t pid); -void change_label(const char* label); pid_t runInChild(const std::function &process); void runInChildParentWait(const std::function &process); 
diff --git a/src/cynara-tests/test_cases_helpers.cpp b/src/cynara-tests/test_cases_helpers.cpp index ec5ce0ea..b8d7f136 100644 --- a/src/cynara-tests/test_cases_helpers.cpp +++ b/src/cynara-tests/test_cases_helpers.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2018 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2015-2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -46,6 +46,7 @@ #include #include +#include class ProcessCredentials { public: @@ -700,7 +701,7 @@ void testCredsUserSelf(cynara_user_creds method, const std::string &expected) { void testSelfClientSmack(cynara_client_creds method = CLIENT_METHOD_SMACK) { std::string label = "test-label"; - change_label(label.c_str()); + ScopedProcessLabel spl(label, false); testCredsClientSelf(method, label); } diff --git a/src/security-manager-tests/common/scoped_label.h b/src/security-manager-tests/common/scoped_label.h deleted file mode 100644 index 3436e808..00000000 --- a/src/security-manager-tests/common/scoped_label.h +++ /dev/null 
@@ -1,34 +0,0 @@ -/* - * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#pragma once - -#include - -class ScopedProcessLabel { -public: - ScopedProcessLabel() { - smack_new_label_from_self(&label); - } - - ~ScopedProcessLabel() { - smack_set_label_for_self(label); - free(label); - } - -private: - char *label; -}; diff --git a/src/security-manager-tests/common/sm_commons.cpp b/src/security-manager-tests/common/sm_commons.cpp index acaf64df..b8b389b0 100644 --- a/src/security-manager-tests/common/sm_commons.cpp +++ b/src/security-manager-tests/common/sm_commons.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016-2017 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2016 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -34,6 +34,7 @@ #include #include #include +#include #include #include @@ -358,7 +359,7 @@ void runAccessTest(const std::string &label, uid_t uid, gid_t gid, const std::string &testPath, int accessType) { auto fun = [&](){ int oppositeAccessType = getOppositeAccessType(accessType); - change_label(label.c_str()); + ScopedProcessLabel spl(label, false); RUNNER_ASSERT_ERRNO_MSG(0 == drop_root_privileges(uid, gid), "drop_root_privileges failed."); 
diff --git a/src/security-manager-tests/test_cases.cpp b/src/security-manager-tests/test_cases.cpp index 2095709f..5bde91de 100644 --- a/src/security-manager-tests/test_cases.cpp +++ b/src/security-manager-tests/test_cases.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016-2017 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2016 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -35,7 +35,6 @@ #include #include #include -#include #include #include #include @@ -45,6 +44,7 @@ #include #include #include +#include using namespace SecurityManagerTest; @@ -782,7 +782,7 @@ RUNNER_CHILD_TEST(security_manager_25e_unprivileged_install_type_global) AppInstallHelper app("sm_test_25e"); - change_label("_"); + ScopedProcessLabel spl("_", false); RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0, "drop_root_privileges failed"); @@ -803,7 +803,7 @@ RUNNER_CHILD_TEST(security_manager_25f_unprivileged_install_type_preloaded) AppInstallHelper app("sm_test_25f"); - change_label("_"); + ScopedProcessLabel spl("_", false); RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0, "drop_root_privileges failed"); InstallRequest invalidReq; diff --git a/src/security-tests.sh b/src/security-tests.sh index 89be46f7..294dc197 100644 --- a/src/security-tests.sh +++ b/src/security-tests.sh @@ -1,7 +1,7 @@ #!/bin/sh ##################################################################### -# Copyright (c) 2012-2018 Samsung Electronics Co., Ltd All Rights Reserved +# Copyright (c) 2012 - 2019 Samsung Electronics Co., Ltd All Rights Reserved # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -49,7 +49,7 @@ case $1 in echo "=========================================================================" echo "KEY MANAGER PRIVILEGED TESTS" echo - ckm-tests-on-onlycap.sh $ARGS + ckm-privileged-tests $ARGS ;; "yaca") echo "=========================================================================" -- 2.34.1