Fix only partial rollback of Smack rules

Some tests temporarily add new Smack rules in order to test unprivileged
access to system services. After the test, they are cleared with
smack_revoke_subject. However, this only removes rules where the test
application is the subject.

I have replaced calls where this is an issue with a smack_accesses_clear
call, which removes all rules loaded with a given handle. Since affected
tests do not modify Smack rules in any other way and only use test
labels for fake apps, no rules removed by the old call and not by the
new call can exist.

Change-Id: I841d6b7ad05549d8837645e3d9176f4db7029908

diff --git a/src/ckm/privileged/access_provider2.cpp b/src/ckm/privileged/access_provider2.cpp
index 2d98ace..bc7af22 100644 (file)
--- a/src/ckm/privileged/access_provider2.cpp
+++ b/src/ckm/privileged/access_provider2.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved
  *
  *    Licensed under the Apache License, Version 2.0 (the "License");
  *    you may not use this file except in compliance with the License.
@@ -81,8 +81,7 @@ void AccessProvider::applyAndSwithToUser(int uid, int gid)
 {
     RUNNER_ASSERT_MSG(m_inSwitchContext == false, "already switched context");
 
-    RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_mySubject.c_str()),
-        "Error in smack_revoke_subject(" << m_mySubject << ")");
+    clear();
     apply();
 
     m_processLabel.reset(new ScopedProcessLabel(m_mySubject));
@@ -96,6 +95,10 @@ void AccessProvider::applyAndSwithToUser(int uid, int gid)
     m_inSwitchContext = true;
 }
 
+void AccessProvider::clear() {
+    m_smackAccess.clear();
+}
+
 void AccessProvider::allowJournaldLogs() {
     allowAPI("System::Run","wx"); // necessary for logging with journald
 }
@@ -106,8 +109,7 @@ ScopedAccessProvider::~ScopedAccessProvider()
     {
         RUNNER_ASSERT_MSG(0 == setegid(m_origGid), "Error in setgid.");
         RUNNER_ASSERT_MSG(0 == seteuid(m_origUid), "Error in setuid.");
-        RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_mySubject.c_str()),
-            "Error in smack_revoke_subject(" << m_mySubject << ")");
+        clear();
         m_processLabel.reset();
         m_inSwitchContext = false;
     }

diff --git a/src/ckm/privileged/access_provider2.h b/src/ckm/privileged/access_provider2.h
index d2e19b5..4a745df 100644 (file)
--- a/src/ckm/privileged/access_provider2.h
+++ b/src/ckm/privileged/access_provider2.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved
  *
  *    Licensed under the Apache License, Version 2.0 (the "License");
  *    you may not use this file except in compliance with the License.
@@ -41,6 +41,7 @@ public:
     void allowAPI(const std::string &api, const std::string &rules);
     void apply();
     void applyAndSwithToUser(int uid, int gid);
+    void clear();
 
 private:
     void allowJournaldLogs();

diff --git a/src/common/smack_access.cpp b/src/common/smack_access.cpp
index 354b997..e461a31 100644 (file)
--- a/src/common/smack_access.cpp
+++ b/src/common/smack_access.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved
  *
  *    Licensed under the Apache License, Version 2.0 (the "License");
  *    you may not use this file except in compliance with the License.
@@ -50,6 +50,11 @@ void SmackAccess::apply() {
         "Error in smack_accessses_apply.");
 }
 
+void SmackAccess::clear() {
+    RUNNER_ASSERT_MSG(0 == smack_accesses_clear(m_handle),
+        "Error in smack_accesses_clear.");
+}
+
 SmackAccess::~SmackAccess() {
     if (m_handle)
         smack_accesses_free(m_handle);

diff --git a/src/common/smack_access.h b/src/common/smack_access.h
index f20842b..0d3f227 100644 (file)
--- a/src/common/smack_access.h
+++ b/src/common/smack_access.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved
  *
  *    Licensed under the Apache License, Version 2.0 (the "License");
  *    you may not use this file except in compliance with the License.
@@ -36,6 +36,7 @@ public:
              const std::string &object,
              const std::string &rights);
     void apply();
+    void clear();
     virtual ~SmackAccess();
 private:
     struct smack_accesses *m_handle;