From d268044f6b941e7f9526ed765a6503708bf67e3a Mon Sep 17 00:00:00 2001 From: Mateusz Cegielka Date: Fri, 24 Jul 2020 17:13:25 +0200 Subject: [PATCH] Fix only partial rollback of Smack rules Some tests temporarily add new Smack rules in order to test unprivileged access to system services. After the test, they are cleared with smack_revoke_subject. However, this only removes rules where the test application is the subject. I have replaced calls where this is an issue with a smack_accesses_clear call, which removes all rules loaded with a given handle. Since affected tests do not modify Smack rules in any other way and only use test labels for fake apps, no rules removed by the old call and not by the new call can exist. Change-Id: I841d6b7ad05549d8837645e3d9176f4db7029908 --- src/ckm/privileged/access_provider2.cpp | 12 +++++++----- src/ckm/privileged/access_provider2.h | 3 ++- src/common/smack_access.cpp | 7 ++++++- src/common/smack_access.h | 3 ++- 4 files changed, 17 insertions(+), 8 deletions(-) diff --git a/src/ckm/privileged/access_provider2.cpp b/src/ckm/privileged/access_provider2.cpp index 2d98ace..bc7af22 100644 --- a/src/ckm/privileged/access_provider2.cpp +++ b/src/ckm/privileged/access_provider2.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -81,8 +81,7 @@ void AccessProvider::applyAndSwithToUser(int uid, int gid) { RUNNER_ASSERT_MSG(m_inSwitchContext == false, "already switched context"); - RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_mySubject.c_str()), - "Error in smack_revoke_subject(" << m_mySubject << ")"); + clear(); apply(); m_processLabel.reset(new ScopedProcessLabel(m_mySubject)); @@ -96,6 +95,10 @@ void AccessProvider::applyAndSwithToUser(int uid, int gid) m_inSwitchContext = true; } +void AccessProvider::clear() { + m_smackAccess.clear(); +} + void AccessProvider::allowJournaldLogs() { allowAPI("System::Run","wx"); // necessary for logging with journald } @@ -106,8 +109,7 @@ ScopedAccessProvider::~ScopedAccessProvider() { RUNNER_ASSERT_MSG(0 == setegid(m_origGid), "Error in setgid."); RUNNER_ASSERT_MSG(0 == seteuid(m_origUid), "Error in setuid."); - RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_mySubject.c_str()), - "Error in smack_revoke_subject(" << m_mySubject << ")"); + clear(); m_processLabel.reset(); m_inSwitchContext = false; } diff --git a/src/ckm/privileged/access_provider2.h b/src/ckm/privileged/access_provider2.h index d2e19b5..4a745df 100644 --- a/src/ckm/privileged/access_provider2.h +++ b/src/ckm/privileged/access_provider2.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -41,6 +41,7 @@ public: void allowAPI(const std::string &api, const std::string &rules); void apply(); void applyAndSwithToUser(int uid, int gid); + void clear(); private: void allowJournaldLogs(); diff --git a/src/common/smack_access.cpp b/src/common/smack_access.cpp index 354b997..e461a31 100644 --- a/src/common/smack_access.cpp +++ b/src/common/smack_access.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -50,6 +50,11 @@ void SmackAccess::apply() { "Error in smack_accessses_apply."); } +void SmackAccess::clear() { + RUNNER_ASSERT_MSG(0 == smack_accesses_clear(m_handle), + "Error in smack_accesses_clear."); +} + SmackAccess::~SmackAccess() { if (m_handle) smack_accesses_free(m_handle); diff --git a/src/common/smack_access.h b/src/common/smack_access.h index f20842b..0d3f227 100644 --- a/src/common/smack_access.h +++ b/src/common/smack_access.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2013 - 2020 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -36,6 +36,7 @@ public: const std::string &object, const std::string &rights); void apply(); + void clear(); virtual ~SmackAccess(); private: struct smack_accesses *m_handle; -- 2.7.4