From: Mateusz Cegielka Date: Mon, 27 Jul 2020 09:29:24 +0000 (+0200) Subject: Remove key-manager::api-storage privilege use in CKM tests X-Git-Url: http://review.tizen.org/git/?p=platform%2Fcore%2Ftest%2Fsecurity-tests.git;a=commitdiff_plain;h=3e8471dd39814048adf9ef625e888bbfbae16e6c Remove key-manager::api-storage privilege use in CKM tests Some CKM tests request the key-manager::api-storage privilege when switching context to the user. However. this privilege was removed five years ago (see commits 06d3064 and d5e32f8 in key-manager) and is no longer required to use key-manager. I have removed all calls responsible for requesting this privilege. This also made it possible to only use the simplest ScopedAccessRequest constructor and remove all other constructors. Change-Id: I788e44f8e59575f80c8999b6b64eaefcc905fb75 --- diff --git a/src/ckm/privileged/access_provider2.cpp b/src/ckm/privileged/access_provider2.cpp index bc7af22..be26bd6 100644 --- a/src/ckm/privileged/access_provider2.cpp +++ b/src/ckm/privileged/access_provider2.cpp @@ -44,14 +44,6 @@ std::string toSmackLabel(const std::string &ownerId) { } // anonymous namespace -AccessProvider::AccessProvider(const std::string &ownerId) - : m_mySubject(toSmackLabel(ownerId)) - , m_inSwitchContext(false) -{ - RUNNER_ASSERT_MSG(m_mySubject.size() > 0, "No smack label provided to AccessProvider!"); - allowJournaldLogs(); -} - AccessProvider::AccessProvider(const std::string &ownerId, int uid, int gid) : m_mySubject(toSmackLabel(ownerId)) , m_inSwitchContext(false) diff --git a/src/ckm/privileged/access_provider2.h b/src/ckm/privileged/access_provider2.h index 4a745df..4552065 100644 --- a/src/ckm/privileged/access_provider2.h +++ b/src/ckm/privileged/access_provider2.h @@ -31,7 +31,6 @@ class ScopedProcessLabel; class AccessProvider { public: - explicit AccessProvider(const std::string &ownerId); AccessProvider(const std::string &ownerId, int uid, int gid); virtual ~AccessProvider(); 
@@ -57,8 +56,6 @@ protected: class ScopedAccessProvider : public AccessProvider { public: - explicit ScopedAccessProvider(const std::string &mySubject) - : AccessProvider(mySubject) {} ScopedAccessProvider(const std::string &mySubject, int uid, int gid) : AccessProvider(mySubject, uid, gid) {} virtual ~ScopedAccessProvider(); diff --git a/src/ckm/privileged/initial-values.cpp b/src/ckm/privileged/initial-values.cpp index e8988de..f4d1bb6 100644 --- a/src/ckm/privileged/initial-values.cpp +++ b/src/ckm/privileged/initial-values.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015 - 2019 Samsung Electronics Co. + * Copyright (c) 2015 - 2020 Samsung Electronics Co. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -153,8 +153,7 @@ RUNNER_TEST(T6010_PARSE_XML_FILE_AT_STARTUP) // [test2] { ScopedDBUnlock unlock(USER_APP, APP_PASS); - ScopedAccessProvider ap(TEST_LABEL); - ap.applyAndSwithToUser(USER_APP, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP); check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE); check_key_not_visible(XML_1_EXPECTED_KEY_2_RSA.c_str()); @@ -166,8 +165,7 @@ RUNNER_TEST(T6010_PARSE_XML_FILE_AT_STARTUP) // [test3] { ScopedDBUnlock unlock(USER_APP, APP_PASS); - ScopedAccessProvider ap(TEST_LABEL_2); - ap.applyAndSwithToUser(USER_APP, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL_2, USER_APP, GROUP_APP); check_key_not_visible(XML_1_EXPECTED_KEY_1_RSA.c_str()); check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE); diff --git a/src/ckm/privileged/main.cpp b/src/ckm/privileged/main.cpp index f750ebe..7df9e61 100644 --- a/src/ckm/privileged/main.cpp +++ b/src/ckm/privileged/main.cpp 
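Review bot: In T6010_PARSE_XML_FILE_AT_STARTUP [test2] the drop to the app's uid/gid now happens implicitly when `ap` is constructed, and this diff shows only the start of the three-argument constructor's initializer list (in the access_provider2.cpp hunk), not its body. It therefore cannot be confirmed from here that the constructor does what the removed `ap.applyAndSwithToUser(USER_APP, GROUP_APP)` did, or that it fails the test when the switch does not succeed. If the switch were skipped, the `CKMC_ERROR_NOT_EXPORTABLE` and `check_key_not_visible` expectations would be evaluated from the privileged context rather than the app's. Once checked against the implementation, I would state the contract on the declaration in access_provider2.h, e.g. `// Applies the Smack label and switches to uid/gid on construction; the destructor restores the previous context.` The same applies to [test3] in this file and to every converted call in main.cpp and system-db.cpp.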
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2016 - 2019 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2016 - 2020 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -77,9 +77,7 @@ RUNNER_TEST(T1511_insert_data) CKM::Alias certimAlias("CertIM"); { ScopedDBUnlock unlock(USER_TEST, APP_PASS); - ScopedAccessProvider ap(TEST_LABEL); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_TEST, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL, USER_TEST, GROUP_APP); auto manager = CKM::Manager::create(); RUNNER_ASSERT(CKM_API_SUCCESS == manager->saveCertificate(certeeAlias, certee, CKM::Policy())); @@ -93,9 +91,7 @@ RUNNER_TEST(T1511_insert_data) // actual test { ScopedDBUnlock unlock(USER_TEST, APP_PASS); - ScopedAccessProvider ap(TEST_LABEL); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_TEST, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL, USER_TEST, GROUP_APP); auto manager = CKM::Manager::create(); int status1 = manager->saveCertificate(certeeAlias, certee, CKM::Policy()); @@ -120,15 +116,13 @@ RUNNER_TEST(T1701_init_unlock_key) { unlock_user_data(USER_TEST+1, "t170-special-password"); - ScopedAccessProvider ap(TEST_LABEL); - ap.applyAndSwithToUser(USER_TEST+1, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL, USER_TEST+1, GROUP_APP); } RUNNER_CHILD_TEST(T1702_insert_data) { int temp; - ScopedAccessProvider ap(TEST_LABEL); - ap.applyAndSwithToUser(USER_TEST+1, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL, USER_TEST+1, GROUP_APP); auto certee = TestData::getTestCertificate(TestData::THIRD_PARTY_LEAF); 
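Review bot: In T1701_init_unlock_key the new `ScopedAccessProvider ap(TEST_LABEL, USER_TEST+1, GROUP_APP);` is the last statement of the test body, so the object is destroyed immediately and nothing runs in the switched context. With the explicit `applyAndSwithToUser` call gone, it reads like an unused local that a later cleanup could delete. Either drop it or state why it is needed, e.g. `// constructed only for its side effect: switch to the app context and back`. T1701 is a RUNNER_TEST rather than a RUNNER_CHILD_TEST, so the switch presumably happens in the runner process and relies on the destructor to undo it; it is worth confirming that this is intended.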
@@ -161,8 +155,7 @@ RUNNER_TEST(T1703_removeApplicationData) RUNNER_CHILD_TEST(T1704_data_test) { int temp; - ScopedAccessProvider ap(TEST_LABEL); - ap.applyAndSwithToUser(USER_TEST+1, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL, USER_TEST+1, GROUP_APP); CKM::AliasVector av; auto manager = CKM::Manager::create(); @@ -209,8 +202,7 @@ RUNNER_TEST(T17101_init) RUNNER_CHILD_TEST(T17102_prep_data_01) { int temp; - ScopedAccessProvider ap(TEST_LABEL); - ap.applyAndSwithToUser(USER_TEST+2, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL, USER_TEST+2, GROUP_APP); CKM::AliasVector av; auto manager = CKM::Manager::create(); @@ -228,8 +220,7 @@ RUNNER_CHILD_TEST(T17102_prep_data_01) RUNNER_CHILD_TEST(T17103_prep_data_02) { int temp; - ScopedAccessProvider ap(TEST_LABEL_2); - ap.applyAndSwithToUser(USER_TEST+2, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL_2, USER_TEST+2, GROUP_APP); CKM::AliasVector av; auto manager = CKM::Manager::create(); @@ -247,8 +238,7 @@ RUNNER_CHILD_TEST(T17103_prep_data_02) RUNNER_CHILD_TEST(T17104_prep_data_03) { int temp; - ScopedAccessProvider ap(TEST_LABEL); - ap.applyAndSwithToUser(USER_TEST+3, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL, USER_TEST+3, GROUP_APP); CKM::AliasVector av; auto manager = CKM::Manager::create(); @@ -266,8 +256,7 @@ RUNNER_CHILD_TEST(T17104_prep_data_03) RUNNER_CHILD_TEST(T17105_prep_data_04) { int temp; - ScopedAccessProvider ap(TEST_LABEL_2); - ap.applyAndSwithToUser(USER_TEST+3, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL_2, USER_TEST+3, GROUP_APP); CKM::AliasVector av; auto manager = CKM::Manager::create(); @@ -298,8 +287,7 @@ RUNNER_TEST(T17106_remove_application) RUNNER_CHILD_TEST(T17107_check_data_01) { int temp; - ScopedAccessProvider ap(TEST_LABEL); - ap.applyAndSwithToUser(USER_TEST+2, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL, USER_TEST+2, GROUP_APP); CKM::AliasVector av; auto manager = CKM::Manager::create(); 
@@ -315,8 +303,7 @@ RUNNER_CHILD_TEST(T17107_check_data_01) RUNNER_CHILD_TEST(T17108_check_data_02) { int temp; - ScopedAccessProvider ap(TEST_LABEL_2); - ap.applyAndSwithToUser(USER_TEST+2, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL_2, USER_TEST+2, GROUP_APP); CKM::AliasVector av; auto manager = CKM::Manager::create(); @@ -342,9 +329,7 @@ RUNNER_TEST(T17109_unlock_user2) RUNNER_CHILD_TEST(T17110_check_data_03) { int temp; - ScopedAccessProvider ap(TEST_LABEL); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_TEST+3, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL, USER_TEST+3, GROUP_APP); CKM::AliasVector av; auto manager = CKM::Manager::create(); @@ -360,9 +345,7 @@ RUNNER_CHILD_TEST(T17110_check_data_03) RUNNER_CHILD_TEST(T17111_check_data_04) { int temp; - ScopedAccessProvider ap(TEST_LABEL_2); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_TEST+3, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL_2, USER_TEST+3, GROUP_APP); CKM::AliasVector av; auto manager = CKM::Manager::create(); diff --git a/src/ckm/privileged/system-db.cpp b/src/ckm/privileged/system-db.cpp index e9c7a5d..3fe2528 100644 --- a/src/ckm/privileged/system-db.cpp +++ b/src/ckm/privileged/system-db.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2015 Samsung Electronics Co. + * Copyright (c) 2000 - 2020 Samsung Electronics Co. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -77,9 +77,7 @@ RUNNER_TEST(T5010_CLIENT_APP_LOCKED_PRIVATE_DB) // [test] { - ScopedAccessProvider ap(TEST_LABEL); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_APP, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP); check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_LOCKED); } 
@@ -97,9 +95,7 @@ RUNNER_TEST(T5020_CLIENT_APP_ADD_TO_PRIVATE_DB) { remove_user_data(USER_APP); ScopedDBUnlock unlock(USER_APP, APP_PASS); - ScopedAccessProvider ap(TEST_LABEL); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_APP, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP); ScopedSaveData ssd(TEST_ALIAS, TEST_DATA); check_read(TEST_ALIAS, TEST_LABEL, TEST_DATA); @@ -115,9 +111,7 @@ RUNNER_TEST(T5030_CLIENT_APP_TRY_ADDING_SYSTEM_ITEM, RemoveDataEnv<0, USER_APP>) // [test] { ScopedDBUnlock unlock(USER_APP, APP_PASS); - ScopedAccessProvider ap(TEST_LABEL); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_APP, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP); save_data(aliasWithLabel(SYSTEM_LABEL, TEST_ALIAS).c_str(), TEST_DATA, CKMC_ERROR_PERMISSION_DENIED); check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN); @@ -140,9 +134,7 @@ RUNNER_TEST(T5031_CLIENT_APP_ACCESS_WITH_PERMISSION, RemoveDataEnv<0, USER_APP>) // [test] { ScopedDBUnlock unlock(USER_APP, APP_PASS); - ScopedAccessProvider ap(TEST_LABEL); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_APP, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP); check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA); } @@ -163,9 +155,7 @@ RUNNER_TEST(T5032_CLIENT_APP_ACCESS_NO_PERMISSION, RemoveDataEnv<0, USER_APP>) // [test] { ScopedDBUnlock unlock(USER_APP, APP_PASS); - ScopedAccessProvider ap(TEST_LABEL); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_APP, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP); check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN); } 
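Review bot: In T5020_CLIENT_APP_ADD_TO_PRIVATE_DB the declaration order of `unlock`, `ap` and `ssd` is load-bearing but undocumented. `ssd` is declared after `ap`, so it is destroyed first, presumably while the process is still in the app context, and only then does `ap` go out of scope. Now that the context switch is hidden in a constructor instead of a visible call, a reorder would be easy to miss and would run the save or its cleanup from the privileged context. A one-line comment above the declarations would cover it, e.g. `// order matters: unlock DB, drop to app context, then save; torn down in reverse`. The test body continues past this hunk, and the same shape appears in T5034_CLIENT_APP_SET_READ_ACCESS and T5036_CLIENT_LIST_ACCESSIBLE_ITEMS.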
@@ -194,9 +184,7 @@ RUNNER_TEST(T5033_CLIENT_APP_PERMISSION_REMOVAL, RemoveDataEnv<0, USER_APP>) // [test] { ScopedDBUnlock unlock(USER_APP, APP_PASS); - ScopedAccessProvider ap(TEST_LABEL); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_APP, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP); check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA); } @@ -207,9 +195,7 @@ RUNNER_TEST(T5033_CLIENT_APP_PERMISSION_REMOVAL, RemoveDataEnv<0, USER_APP>) // [test2] { ScopedDBUnlock unlock(USER_APP, APP_PASS); - ScopedAccessProvider ap(TEST_LABEL); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_APP, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP); check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN); } @@ -225,9 +211,7 @@ RUNNER_TEST(T5034_CLIENT_APP_SET_READ_ACCESS, RemoveDataEnv<0, USER_APP>) // [test] { ScopedDBUnlock unlock(USER_APP, APP_PASS); - ScopedAccessProvider ap(TEST_LABEL); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_APP, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP); ScopedSaveData ssdsystem_user(TEST_ALIAS, TEST_DATA); ScopedSaveData ssdsystem_system(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA, CKMC_ERROR_PERMISSION_DENIED); @@ -252,9 +236,7 @@ RUNNER_TEST(T5035_CLIENT_APP_TRY_REMOVING_SYSTEM_ITEM, RemoveDataEnv<0, USER_APP // [test] { ScopedDBUnlock unlock(USER_APP, APP_PASS); - ScopedAccessProvider ap(TEST_LABEL); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_APP, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP); check_remove_denied(TEST_SYSTEM_ALIAS.c_str()); } 
@@ -285,9 +267,7 @@ RUNNER_TEST(T5036_CLIENT_LIST_ACCESSIBLE_ITEMS, RemoveDataEnv<0, USER_APP>) // [test2] { ScopedDBUnlock unlock(USER_APP, APP_PASS); - ScopedAccessProvider ap(TEST_LABEL); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_APP, GROUP_APP); + ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP); ScopedSaveData user_data(TEST_ALIAS, TEST_DATA); check_alias_list({TEST_SYSTEM_ALIAS.c_str(), @@ -304,9 +284,7 @@ RUNNER_TEST(T5037_CLIENT_APP_TRY_GENERATE_KEY_IN_SYSTEM_DB, RemoveDataEnv) // [test] { - ScopedAccessProvider ap(TEST_LABEL_2); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_SERVICE_2, GROUP_SERVICE_2); + ScopedAccessProvider ap(TEST_LABEL_2, USER_SERVICE_2, GROUP_SERVICE_2); check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA); } @@ -473,9 +447,7 @@ RUNNER_TEST(T5042_SYSTEM_SVC_1234_ADD_ITEM_TO_DB) // [prepare] { - ScopedAccessProvider ap(TEST_LABEL_2); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_SERVICE_2, GROUP_SERVICE_2); + ScopedAccessProvider ap(TEST_LABEL_2, USER_SERVICE_2, GROUP_SERVICE_2); // [test] ScopedSaveData ssd(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA); @@ -497,9 +469,7 @@ RUNNER_TEST(T5043_SYSTEM_SVC_4999_ACCESS_DB, RemoveDataEnv<0>) // [test] { - ScopedAccessProvider ap(TEST_LABEL_2); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_SERVICE_MAX, GROUP_SERVICE_MAX); + ScopedAccessProvider ap(TEST_LABEL_2, USER_SERVICE_MAX, GROUP_SERVICE_MAX); check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA); } @@ -521,9 +491,7 @@ RUNNER_TEST(T5044_SYSTEM_SVC_5000_ACCESS_DB, RemoveDataEnv<0>) // [test] { - ScopedAccessProvider ap(TEST_LABEL_2); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_SERVICE_FAIL, GROUP_SERVICE_FAIL); + ScopedAccessProvider ap(TEST_LABEL_2, USER_SERVICE_FAIL, GROUP_SERVICE_FAIL); check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_LOCKED); }