Some CKM tests request the key-manager::api-storage privilege when
switching context to the user. However, this privilege was removed five
years ago (see commits 06d3064 and d5e32f8 in key-manager) and is no
longer required to use key-manager.
I have removed all calls responsible for requesting this privilege. This
also made it possible to only use the simplest ScopedAccessRequest
constructor and remove all other constructors.
Change-Id: I788e44f8e59575f80c8999b6b64eaefcc905fb75
-AccessProvider::AccessProvider(const std::string &ownerId)
- : m_mySubject(toSmackLabel(ownerId))
- , m_inSwitchContext(false)
-{
- RUNNER_ASSERT_MSG(m_mySubject.size() > 0, "No smack label provided to AccessProvider!");
- allowJournaldLogs();
-}
-
AccessProvider::AccessProvider(const std::string &ownerId, int uid, int gid)
: m_mySubject(toSmackLabel(ownerId))
, m_inSwitchContext(false)
AccessProvider::AccessProvider(const std::string &ownerId, int uid, int gid)
: m_mySubject(toSmackLabel(ownerId))
, m_inSwitchContext(false)
class AccessProvider {
public:
class AccessProvider {
public:
- explicit AccessProvider(const std::string &ownerId);
AccessProvider(const std::string &ownerId, int uid, int gid);
virtual ~AccessProvider();
AccessProvider(const std::string &ownerId, int uid, int gid);
virtual ~AccessProvider();
class ScopedAccessProvider : public AccessProvider {
public:
class ScopedAccessProvider : public AccessProvider {
public:
- explicit ScopedAccessProvider(const std::string &mySubject)
- : AccessProvider(mySubject) {}
ScopedAccessProvider(const std::string &mySubject, int uid, int gid)
: AccessProvider(mySubject, uid, gid) {}
virtual ~ScopedAccessProvider();
ScopedAccessProvider(const std::string &mySubject, int uid, int gid)
: AccessProvider(mySubject, uid, gid) {}
virtual ~ScopedAccessProvider();
- * Copyright (c) 2015 - 2019 Samsung Electronics Co.
+ * Copyright (c) 2015 - 2020 Samsung Electronics Co.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
// [test2]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
// [test2]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
- ScopedAccessProvider ap(TEST_LABEL);
- ap.applyAndSwithToUser(USER_APP, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP);
check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
check_key_not_visible(XML_1_EXPECTED_KEY_2_RSA.c_str());
check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
check_key_not_visible(XML_1_EXPECTED_KEY_2_RSA.c_str());
// [test3]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
// [test3]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
- ScopedAccessProvider ap(TEST_LABEL_2);
- ap.applyAndSwithToUser(USER_APP, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL_2, USER_APP, GROUP_APP);
check_key_not_visible(XML_1_EXPECTED_KEY_1_RSA.c_str());
check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
check_key_not_visible(XML_1_EXPECTED_KEY_1_RSA.c_str());
check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
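Review bot: The [test2] and [test3] blocks now rely entirely on the three-argument `ScopedAccessProvider` constructor to apply the Smack label and switch to `USER_APP`/`GROUP_APP`, but its body is not shown in this change, so that it does the equivalent of the removed `applyAndSwithToUser` call is inferred, not visible. If it only stored the ids, `check_key_not_visible` and the `CKMC_ERROR_NOT_EXPORTABLE` check would run in the test runner's own context and would no longer exercise per-label isolation. Once confirmed, a comment on the remaining constructor declaration, for example `// Applies the Smack rules and switches the process to uid/gid on construction.`, would make the side effect explicit. The same applies to every other call site converted in this commit, in particular the ones that expect `CKMC_ERROR_PERMISSION_DENIED` or `CKMC_ERROR_DB_LOCKED`.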
- * Copyright (c) 2016 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2016 - 2020 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
CKM::Alias certimAlias("CertIM");
{
ScopedDBUnlock unlock(USER_TEST, APP_PASS);
CKM::Alias certimAlias("CertIM");
{
ScopedDBUnlock unlock(USER_TEST, APP_PASS);
- ScopedAccessProvider ap(TEST_LABEL);
- ap.allowAPI("key-manager::api-storage", "rw");
- ap.applyAndSwithToUser(USER_TEST, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_TEST, GROUP_APP);
auto manager = CKM::Manager::create();
RUNNER_ASSERT(CKM_API_SUCCESS == manager->saveCertificate(certeeAlias, certee, CKM::Policy()));
auto manager = CKM::Manager::create();
RUNNER_ASSERT(CKM_API_SUCCESS == manager->saveCertificate(certeeAlias, certee, CKM::Policy()));
// actual test
{
ScopedDBUnlock unlock(USER_TEST, APP_PASS);
// actual test
{
ScopedDBUnlock unlock(USER_TEST, APP_PASS);
- ScopedAccessProvider ap(TEST_LABEL);
- ap.allowAPI("key-manager::api-storage", "rw");
- ap.applyAndSwithToUser(USER_TEST, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_TEST, GROUP_APP);
auto manager = CKM::Manager::create();
int status1 = manager->saveCertificate(certeeAlias, certee, CKM::Policy());
auto manager = CKM::Manager::create();
int status1 = manager->saveCertificate(certeeAlias, certee, CKM::Policy());
{
unlock_user_data(USER_TEST+1, "t170-special-password");
{
unlock_user_data(USER_TEST+1, "t170-special-password");
- ScopedAccessProvider ap(TEST_LABEL);
- ap.applyAndSwithToUser(USER_TEST+1, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_TEST+1, GROUP_APP);
}
RUNNER_CHILD_TEST(T1702_insert_data)
{
int temp;
}
RUNNER_CHILD_TEST(T1702_insert_data)
{
int temp;
- ScopedAccessProvider ap(TEST_LABEL);
- ap.applyAndSwithToUser(USER_TEST+1, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_TEST+1, GROUP_APP);
auto certee = TestData::getTestCertificate(TestData::THIRD_PARTY_LEAF);
auto certee = TestData::getTestCertificate(TestData::THIRD_PARTY_LEAF);
RUNNER_CHILD_TEST(T1704_data_test)
{
int temp;
RUNNER_CHILD_TEST(T1704_data_test)
{
int temp;
- ScopedAccessProvider ap(TEST_LABEL);
- ap.applyAndSwithToUser(USER_TEST+1, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_TEST+1, GROUP_APP);
CKM::AliasVector av;
auto manager = CKM::Manager::create();
CKM::AliasVector av;
auto manager = CKM::Manager::create();
RUNNER_CHILD_TEST(T17102_prep_data_01)
{
int temp;
RUNNER_CHILD_TEST(T17102_prep_data_01)
{
int temp;
- ScopedAccessProvider ap(TEST_LABEL);
- ap.applyAndSwithToUser(USER_TEST+2, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_TEST+2, GROUP_APP);
CKM::AliasVector av;
auto manager = CKM::Manager::create();
CKM::AliasVector av;
auto manager = CKM::Manager::create();
RUNNER_CHILD_TEST(T17103_prep_data_02)
{
int temp;
RUNNER_CHILD_TEST(T17103_prep_data_02)
{
int temp;
- ScopedAccessProvider ap(TEST_LABEL_2);
- ap.applyAndSwithToUser(USER_TEST+2, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL_2, USER_TEST+2, GROUP_APP);
CKM::AliasVector av;
auto manager = CKM::Manager::create();
CKM::AliasVector av;
auto manager = CKM::Manager::create();
RUNNER_CHILD_TEST(T17104_prep_data_03)
{
int temp;
RUNNER_CHILD_TEST(T17104_prep_data_03)
{
int temp;
- ScopedAccessProvider ap(TEST_LABEL);
- ap.applyAndSwithToUser(USER_TEST+3, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_TEST+3, GROUP_APP);
CKM::AliasVector av;
auto manager = CKM::Manager::create();
CKM::AliasVector av;
auto manager = CKM::Manager::create();
RUNNER_CHILD_TEST(T17105_prep_data_04)
{
int temp;
RUNNER_CHILD_TEST(T17105_prep_data_04)
{
int temp;
- ScopedAccessProvider ap(TEST_LABEL_2);
- ap.applyAndSwithToUser(USER_TEST+3, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL_2, USER_TEST+3, GROUP_APP);
CKM::AliasVector av;
auto manager = CKM::Manager::create();
CKM::AliasVector av;
auto manager = CKM::Manager::create();
RUNNER_CHILD_TEST(T17107_check_data_01)
{
int temp;
RUNNER_CHILD_TEST(T17107_check_data_01)
{
int temp;
- ScopedAccessProvider ap(TEST_LABEL);
- ap.applyAndSwithToUser(USER_TEST+2, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_TEST+2, GROUP_APP);
CKM::AliasVector av;
auto manager = CKM::Manager::create();
CKM::AliasVector av;
auto manager = CKM::Manager::create();
RUNNER_CHILD_TEST(T17108_check_data_02)
{
int temp;
RUNNER_CHILD_TEST(T17108_check_data_02)
{
int temp;
- ScopedAccessProvider ap(TEST_LABEL_2);
- ap.applyAndSwithToUser(USER_TEST+2, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL_2, USER_TEST+2, GROUP_APP);
CKM::AliasVector av;
auto manager = CKM::Manager::create();
CKM::AliasVector av;
auto manager = CKM::Manager::create();
RUNNER_CHILD_TEST(T17110_check_data_03)
{
int temp;
RUNNER_CHILD_TEST(T17110_check_data_03)
{
int temp;
- ScopedAccessProvider ap(TEST_LABEL);
- ap.allowAPI("key-manager::api-storage", "rw");
- ap.applyAndSwithToUser(USER_TEST+3, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_TEST+3, GROUP_APP);
CKM::AliasVector av;
auto manager = CKM::Manager::create();
CKM::AliasVector av;
auto manager = CKM::Manager::create();
RUNNER_CHILD_TEST(T17111_check_data_04)
{
int temp;
RUNNER_CHILD_TEST(T17111_check_data_04)
{
int temp;
- ScopedAccessProvider ap(TEST_LABEL_2);
- ap.allowAPI("key-manager::api-storage", "rw");
- ap.applyAndSwithToUser(USER_TEST+3, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL_2, USER_TEST+3, GROUP_APP);
CKM::AliasVector av;
auto manager = CKM::Manager::create();
CKM::AliasVector av;
auto manager = CKM::Manager::create();
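Review bot: In the hunk that follows `unlock_user_data(USER_TEST+1, "t170-special-password");`, the new `ScopedAccessProvider ap(TEST_LABEL, USER_TEST+1, GROUP_APP);` is the last statement before the closing brace, so the object is destroyed without any key-manager call being made under the switched context. The old two-line form behaved the same way, but as a single declaration it now reads like an unused variable. If the brace shown closes the test body (its start is outside the hunk), either drop the line or say why it stays, for example `// no CKM call here: only checks that the context switch itself succeeds`, if that is the intent.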
- * Copyright (c) 2000 - 2015 Samsung Electronics Co.
+ * Copyright (c) 2000 - 2020 Samsung Electronics Co.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
- ScopedAccessProvider ap(TEST_LABEL);
- ap.allowAPI("key-manager::api-storage", "rw");
- ap.applyAndSwithToUser(USER_APP, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP);
check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_LOCKED);
}
check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_LOCKED);
}
{
remove_user_data(USER_APP);
ScopedDBUnlock unlock(USER_APP, APP_PASS);
{
remove_user_data(USER_APP);
ScopedDBUnlock unlock(USER_APP, APP_PASS);
- ScopedAccessProvider ap(TEST_LABEL);
- ap.allowAPI("key-manager::api-storage", "rw");
- ap.applyAndSwithToUser(USER_APP, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP);
ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
check_read(TEST_ALIAS, TEST_LABEL, TEST_DATA);
ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
check_read(TEST_ALIAS, TEST_LABEL, TEST_DATA);
// [test]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
// [test]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
- ScopedAccessProvider ap(TEST_LABEL);
- ap.allowAPI("key-manager::api-storage", "rw");
- ap.applyAndSwithToUser(USER_APP, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP);
save_data(aliasWithLabel(SYSTEM_LABEL, TEST_ALIAS).c_str(), TEST_DATA, CKMC_ERROR_PERMISSION_DENIED);
check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
save_data(aliasWithLabel(SYSTEM_LABEL, TEST_ALIAS).c_str(), TEST_DATA, CKMC_ERROR_PERMISSION_DENIED);
check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
// [test]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
// [test]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
- ScopedAccessProvider ap(TEST_LABEL);
- ap.allowAPI("key-manager::api-storage", "rw");
- ap.applyAndSwithToUser(USER_APP, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP);
check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
}
check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
}
// [test]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
// [test]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
- ScopedAccessProvider ap(TEST_LABEL);
- ap.allowAPI("key-manager::api-storage", "rw");
- ap.applyAndSwithToUser(USER_APP, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP);
check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
}
check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
}
// [test]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
// [test]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
- ScopedAccessProvider ap(TEST_LABEL);
- ap.allowAPI("key-manager::api-storage", "rw");
- ap.applyAndSwithToUser(USER_APP, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP);
check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
}
check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
}
// [test2]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
// [test2]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
- ScopedAccessProvider ap(TEST_LABEL);
- ap.allowAPI("key-manager::api-storage", "rw");
- ap.applyAndSwithToUser(USER_APP, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP);
check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
}
check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
}
// [test]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
// [test]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
- ScopedAccessProvider ap(TEST_LABEL);
- ap.allowAPI("key-manager::api-storage", "rw");
- ap.applyAndSwithToUser(USER_APP, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP);
ScopedSaveData ssdsystem_user(TEST_ALIAS, TEST_DATA);
ScopedSaveData ssdsystem_system(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA, CKMC_ERROR_PERMISSION_DENIED);
ScopedSaveData ssdsystem_user(TEST_ALIAS, TEST_DATA);
ScopedSaveData ssdsystem_system(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA, CKMC_ERROR_PERMISSION_DENIED);
// [test]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
// [test]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
- ScopedAccessProvider ap(TEST_LABEL);
- ap.allowAPI("key-manager::api-storage", "rw");
- ap.applyAndSwithToUser(USER_APP, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP);
check_remove_denied(TEST_SYSTEM_ALIAS.c_str());
}
check_remove_denied(TEST_SYSTEM_ALIAS.c_str());
}
// [test2]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
// [test2]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
- ScopedAccessProvider ap(TEST_LABEL);
- ap.allowAPI("key-manager::api-storage", "rw");
- ap.applyAndSwithToUser(USER_APP, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP);
ScopedSaveData user_data(TEST_ALIAS, TEST_DATA);
check_alias_list({TEST_SYSTEM_ALIAS.c_str(),
ScopedSaveData user_data(TEST_ALIAS, TEST_DATA);
check_alias_list({TEST_SYSTEM_ALIAS.c_str(),
// [test]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
// [test]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
- ScopedAccessProvider ap(TEST_LABEL);
- ap.allowAPI("key-manager::api-storage", "rw");
- ap.applyAndSwithToUser(USER_APP, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP);
std::string private_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-priv");
std::string public_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-pub");
std::string private_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-priv");
std::string public_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-pub");
// [test2]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
// [test2]
{
ScopedDBUnlock unlock(USER_APP, APP_PASS);
- ScopedAccessProvider ap(TEST_LABEL);
- ap.allowAPI("key-manager::api-storage", "rw");
- ap.applyAndSwithToUser(USER_APP, GROUP_APP);
+ ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP);
ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
- ScopedAccessProvider ap(TEST_LABEL_2);
- ap.allowAPI("key-manager::api-storage", "rw");
- ap.applyAndSwithToUser(USER_SERVICE_2, GROUP_SERVICE_2);
+ ScopedAccessProvider ap(TEST_LABEL_2, USER_SERVICE_2, GROUP_SERVICE_2);
check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
}
check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
}
- ScopedAccessProvider ap(TEST_LABEL_2);
- ap.allowAPI("key-manager::api-storage", "rw");
- ap.applyAndSwithToUser(USER_SERVICE_2, GROUP_SERVICE_2);
+ ScopedAccessProvider ap(TEST_LABEL_2, USER_SERVICE_2, GROUP_SERVICE_2);
// [test]
ScopedSaveData ssd(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
// [test]
ScopedSaveData ssd(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
- ScopedAccessProvider ap(TEST_LABEL_2);
- ap.allowAPI("key-manager::api-storage", "rw");
- ap.applyAndSwithToUser(USER_SERVICE_MAX, GROUP_SERVICE_MAX);
+ ScopedAccessProvider ap(TEST_LABEL_2, USER_SERVICE_MAX, GROUP_SERVICE_MAX);
check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
}
check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
}
- ScopedAccessProvider ap(TEST_LABEL_2);
- ap.allowAPI("key-manager::api-storage", "rw");
- ap.applyAndSwithToUser(USER_SERVICE_FAIL, GROUP_SERVICE_FAIL);
+ ScopedAccessProvider ap(TEST_LABEL_2, USER_SERVICE_FAIL, GROUP_SERVICE_FAIL);
check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_LOCKED);
}
check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_LOCKED);
}