From a522431bdf0357e45ec799cd3a2fe7825fee5291 Mon Sep 17 00:00:00 2001 From: qiaozzzh Date: Mon, 24 Apr 2023 17:09:05 +0800 Subject: [PATCH] Delete XTS for CAP and DAC Signed-off-by: qiaozzzh --- security_lite/BUILD.gn | 2 - .../permission_posix/capability/BUILD.gn | 35 - .../capability/src/ActsCapability.cpp | 532 ------- .../capability/src/ActsCapabilityTest.cpp | 1226 ----------------- .../capability/src/ActsCapabilityTest.h | 155 --- .../src/CapabilityFileSystemTest.cpp | 61 - .../capability/src/CapabilityFileSystemTest.h | 28 - .../permission_posix/capability/vfat/BUILD.gn | 57 - .../capability/vfat/Test.json | 25 - security_lite/permission_posix/dac/BUILD.gn | 16 - .../dac/src/ActsDacPreTest.cpp | 985 ------------- .../permission_posix/dac/src/ActsDacTest.h | 142 -- .../dac/src/DACFileSystemTest.cpp | 68 - .../dac/src/DACFileSystemTest.h | 28 - .../permission_posix/dac/vfat/BUILD.gn | 50 - .../permission_posix/dac/vfat/Test.json | 25 - 16 files changed, 3435 deletions(-) delete mode 100755 security_lite/permission_posix/capability/BUILD.gn delete mode 100644 security_lite/permission_posix/capability/src/ActsCapability.cpp delete mode 100644 security_lite/permission_posix/capability/src/ActsCapabilityTest.cpp delete mode 100644 security_lite/permission_posix/capability/src/ActsCapabilityTest.h delete mode 100755 security_lite/permission_posix/capability/src/CapabilityFileSystemTest.cpp delete mode 100755 security_lite/permission_posix/capability/src/CapabilityFileSystemTest.h delete mode 100755 security_lite/permission_posix/capability/vfat/BUILD.gn delete mode 100644 security_lite/permission_posix/capability/vfat/Test.json delete mode 100755 security_lite/permission_posix/dac/BUILD.gn delete mode 100755 security_lite/permission_posix/dac/src/ActsDacPreTest.cpp delete mode 100755 security_lite/permission_posix/dac/src/ActsDacTest.h delete mode 100755 security_lite/permission_posix/dac/src/DACFileSystemTest.cpp delete mode 100755 security_lite/permission_posix/dac/src/DACFileSystemTest.h delete mode 100755 security_lite/permission_posix/dac/vfat/BUILD.gn delete mode 100644 security_lite/permission_posix/dac/vfat/Test.json diff --git a/security_lite/BUILD.gn b/security_lite/BUILD.gn index 99e76ab70..e05e31f99 100644 --- a/security_lite/BUILD.gn +++ b/security_lite/BUILD.gn @@ -15,8 +15,6 @@ group("securitytest") { if (ohos_kernel_type == "liteos_a") { deps = [ "//test/xts/acts/security_lite/huks/liteos_a_adapter:Hukslitetest", - "//test/xts/acts/security_lite/permission_posix/capability:ActsCapabilityTest", - "//test/xts/acts/security_lite/permission_posix/dac:ActsDacTest", "//test/xts/acts/security_lite/permission_posix/pms:ActsPMSTest", ] } else if (ohos_kernel_type == "linux") { diff --git a/security_lite/permission_posix/capability/BUILD.gn b/security_lite/permission_posix/capability/BUILD.gn deleted file mode 100755 index b0d7a9e96..000000000 --- a/security_lite/permission_posix/capability/BUILD.gn +++ /dev/null @@ -1,35 +0,0 @@ -# Copyright (c) 2021 Huawei Device Co., Ltd. -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -group("ActsCapabilityTest") { - deps = [ "./vfat:ActsVFATCapabilityTest" ] -} - -shared_library("capability_shared") { - sources = [ "src/ActsCapability.cpp" ] - - include_dirs = [ - "src", - "//third_party/bounds_checking_function/include", - ] - - public_deps = [ "//third_party/bounds_checking_function:libsec_shared" ] - - cflags = [ "-Wno-error" ] - - ldflags = [ - "-lstdc++", - "-lm", - "-lpthread", - ] -} diff --git a/security_lite/permission_posix/capability/src/ActsCapability.cpp b/security_lite/permission_posix/capability/src/ActsCapability.cpp deleted file mode 100644 index 0097c41dc..000000000 --- a/security_lite/permission_posix/capability/src/ActsCapability.cpp +++ /dev/null @@ -1,532 +0,0 @@ -/* - * Copyright (c) 2021 Huawei Device Co., Ltd. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#include "ActsCapabilityTest.h" -#include -#include -#include -#include -#include - -void Sigac(int i) -{ - _exit(0); -} - -void ChildSleep() -{ - signal(SIGXFSZ, Sigac); - usleep(LONG_SLEEP_NUM); - exit(0); -} - -int CapInit() -{ - // Init capabilities - struct __user_cap_header_struct capheader; - (void)memset_s(&capheader, sizeof(struct __user_cap_header_struct), - 0, sizeof(struct __user_cap_header_struct)); - capheader.version = _LINUX_CAPABILITY_VERSION_3; - capheader.pid = 0; - struct __user_cap_data_struct capdata[CAP_NUM]; - (void)memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0xff, CAP_NUM * sizeof(struct __user_cap_data_struct)); - capdata[0].permitted = LINUX_FULL_CAP; - capdata[0].effective = LINUX_FULL_CAP; - capdata[0].inheritable = LINUX_FULL_CAP; - // Set capabilities - int ret = capset(&capheader, &capdata[0]); - if (ret != 0) { - return FALSE; - } - return 0; -} - -int DropCAPCHOWN() -{ - struct __user_cap_header_struct capheader = { 0 }; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), - 0, sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("DropCAPCHOWN memset_s failed"); - return FALSE; - }; - capheader.version = _LINUX_CAPABILITY_VERSION_3; - capheader.pid = 0; - struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } }; - result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0xff, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("DropCAPCHOWN memset_s failed"); - return FALSE; - }; - // Drop the capabilities of CAP_CHOWN - capdata[CAP_TO_INDEX(CAP_CHOWN)].permitted &= ~CAP_TO_MASK(CAP_CHOWN); - capdata[CAP_TO_INDEX(CAP_CHOWN)].effective &= ~CAP_TO_MASK(CAP_CHOWN); - capdata[CAP_TO_INDEX(CAP_CHOWN)].inheritable &= ~CAP_TO_MASK(CAP_CHOWN); - int ret = capset(&capheader, &capdata[0]); - if (ret != 0) { - return FALSE; - } - return 0; -} - -int DropCAPDACOVERRIDE() -{ - struct __user_cap_header_struct capheader = { 0, 0 }; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), - 0, sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("DropCAPDACOVERRIDE memset_s failed"); - return FALSE; - }; - capheader.version = _LINUX_CAPABILITY_VERSION_3; - capheader.pid = 0; - struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } }; - result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0xff, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("DropCAPDACOVERRIDE memset_s failed"); - return FALSE; - }; - // Drop the capabilities of CAP_DAC_OVERRIDE - capdata[CAP_TO_INDEX(CAP_DAC_OVERRIDE)].permitted &= ~CAP_TO_MASK(CAP_DAC_OVERRIDE); - capdata[CAP_TO_INDEX(CAP_DAC_OVERRIDE)].effective &= ~CAP_TO_MASK(CAP_DAC_OVERRIDE); - capdata[CAP_TO_INDEX(CAP_DAC_OVERRIDE)].inheritable &= ~CAP_TO_MASK(CAP_DAC_OVERRIDE); - int ret = capset(&capheader, &capdata[0]); - if (ret != 0) { - return FALSE; - } - return 0; -} - -int DropCAPDACREADSEARCH() -{ - struct __user_cap_header_struct capheader = { 0, 0 }; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), - 0, sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("DropCAPDACREADSEARCH memset_s failed"); - return FALSE; - }; - capheader.version = _LINUX_CAPABILITY_VERSION_3; - capheader.pid = 0; - struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } }; - result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0xff, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("DropCAPDACREADSEARCH memset_s failed"); - return FALSE; - }; - // Drop the capabilities of CAP_DAC_READ_SEARCH - capdata[CAP_TO_INDEX(CAP_DAC_READ_SEARCH)].permitted &= ~CAP_TO_MASK(CAP_DAC_READ_SEARCH); - capdata[CAP_TO_INDEX(CAP_DAC_READ_SEARCH)].effective &= ~CAP_TO_MASK(CAP_DAC_READ_SEARCH); - capdata[CAP_TO_INDEX(CAP_DAC_READ_SEARCH)].inheritable &= ~CAP_TO_MASK(CAP_DAC_READ_SEARCH); - int ret = capset(&capheader, &capdata[0]); - if (ret != 0) { - return FALSE; - } - return 0; -} - -int DropCAPDACOVERRIDEAndREADSEARCH() -{ - struct __user_cap_header_struct capheader = { 0, 0 }; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), - 0, sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("DropCAPDACOVERRIDEAndREADSEARCH memset_s failed"); - return FALSE; - }; - capheader.version = _LINUX_CAPABILITY_VERSION_3; - capheader.pid = 0; - struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } }; - result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0xff, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("DropCAPDACOVERRIDEAndREADSEARCH memset_s failed"); - return FALSE; - }; - // Drop the capabilities of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH - capdata[CAP_TO_INDEX(CAP_DAC_READ_SEARCH)].permitted &= ~CAP_TO_MASK(CAP_DAC_READ_SEARCH); - capdata[CAP_TO_INDEX(CAP_DAC_READ_SEARCH)].effective &= ~CAP_TO_MASK(CAP_DAC_READ_SEARCH); - capdata[CAP_TO_INDEX(CAP_DAC_READ_SEARCH)].inheritable &= ~CAP_TO_MASK(CAP_DAC_READ_SEARCH); - capdata[CAP_TO_INDEX(CAP_DAC_OVERRIDE)].permitted &= ~CAP_TO_MASK(CAP_DAC_OVERRIDE); - capdata[CAP_TO_INDEX(CAP_DAC_OVERRIDE)].effective &= ~CAP_TO_MASK(CAP_DAC_OVERRIDE); - capdata[CAP_TO_INDEX(CAP_DAC_OVERRIDE)].inheritable &= ~CAP_TO_MASK(CAP_DAC_OVERRIDE); - int ret = capset(&capheader, &capdata[0]); - if (ret != 0) { - return FALSE; - } - return 0; -} - -int DropCAPFOWNER() -{ - struct __user_cap_header_struct capheader = { 0, 0 }; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), - 0, sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("DropCAPFOWNER memset_s failed"); - return FALSE; - }; - capheader.version = _LINUX_CAPABILITY_VERSION_3; - capheader.pid = 0; - struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } }; - result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0xff, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("DropCAPFOWNER memset_s failed"); - return FALSE; - }; - // Drop the capabilities of CAP_FOWNER - capdata[CAP_TO_INDEX(CAP_FOWNER)].permitted &= ~CAP_TO_MASK(CAP_FOWNER); - capdata[CAP_TO_INDEX(CAP_FOWNER)].effective &= ~CAP_TO_MASK(CAP_FOWNER); - capdata[CAP_TO_INDEX(CAP_FOWNER)].inheritable &= ~CAP_TO_MASK(CAP_FOWNER); - int ret = capset(&capheader, &capdata[0]); - if (ret != 0) { - return FALSE; - } - return 0; -} - -int DropCAPKILL() -{ - struct __user_cap_header_struct capheader = { 0, 0 }; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), - 0, sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("DropCAPKILL memset_s failed"); - return FALSE; - }; - capheader.version = _LINUX_CAPABILITY_VERSION_3; - capheader.pid = 0; - struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } }; - result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0xff, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("DropCAPKILL memset_s failed"); - return FALSE; - }; - // Drop the capabilities of CAP_KILL - capdata[CAP_TO_INDEX(CAP_KILL)].permitted &= ~CAP_TO_MASK(CAP_KILL); - capdata[CAP_TO_INDEX(CAP_KILL)].effective &= ~CAP_TO_MASK(CAP_KILL); - capdata[CAP_TO_INDEX(CAP_KILL)].inheritable &= ~CAP_TO_MASK(CAP_KILL); - int ret = capset(&capheader, &capdata[0]); - if (ret != 0) { - return FALSE; - } - return 0; -} - -int DropCAPSETGID() -{ - struct __user_cap_header_struct capheader = { 0, 0 }; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), - 0, sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("DropCAPSETGID memset_s failed"); - return FALSE; - }; - capheader.version = _LINUX_CAPABILITY_VERSION_3; - capheader.pid = 0; - struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } }; - result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0xff, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("DropCAPSETGID memset_s failed"); - return FALSE; - }; - // Drop the capabilities of CAP_SETGID - capdata[CAP_TO_INDEX(CAP_SETGID)].permitted &= ~CAP_TO_MASK(CAP_SETGID); - capdata[CAP_TO_INDEX(CAP_SETGID)].effective &= ~CAP_TO_MASK(CAP_SETGID); - capdata[CAP_TO_INDEX(CAP_SETGID)].inheritable &= ~CAP_TO_MASK(CAP_SETGID); - int ret = capset(&capheader, &capdata[0]); - if (ret != 0) { - return FALSE; - } - return 0; -} - -int DropCAPSETUID() -{ - struct __user_cap_header_struct capheader = { 0, 0 }; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), - 0, sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("DropCAPSETUID memset_s failed"); - return FALSE; - }; - capheader.version = _LINUX_CAPABILITY_VERSION_3; - capheader.pid = 0; - struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } }; - result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0xff, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("DropCAPSETUID memset_s failed"); - return FALSE; - }; - // Drop the capabilities of CAP_SETUID - capdata[CAP_TO_INDEX(CAP_SETUID)].permitted &= ~CAP_TO_MASK(CAP_SETUID); - capdata[CAP_TO_INDEX(CAP_SETUID)].effective &= ~CAP_TO_MASK(CAP_SETUID); - capdata[CAP_TO_INDEX(CAP_SETUID)].inheritable &= ~CAP_TO_MASK(CAP_SETUID); - int ret = capset(&capheader, &capdata[0]); - if (ret != 0) { - return FALSE; - } - return 0; -} - -int DropCAPSETPCAP() -{ - struct __user_cap_header_struct capheader = { 0, 0 }; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), - 0, sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("DropCAPSETPCAP memset_s failed"); - return FALSE; - }; - capheader.version = _LINUX_CAPABILITY_VERSION_3; - capheader.pid = 0; - struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } }; - result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0xff, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("DropCAPSETPCAP memset_s failed"); - return FALSE; - }; - // Drop the capabilities of CAP_SETPCAP - capdata[CAP_TO_INDEX(CAP_SETPCAP)].permitted &= ~CAP_TO_MASK(CAP_SETPCAP); - capdata[CAP_TO_INDEX(CAP_SETPCAP)].effective &= ~CAP_TO_MASK(CAP_SETPCAP); - capdata[CAP_TO_INDEX(CAP_SETPCAP)].inheritable &= ~CAP_TO_MASK(CAP_SETPCAP); - int ret = capset(&capheader, &capdata[0]); - if (ret != 0) { - return FALSE; - } - return 0; -} - -int DropCAPSYSNICE() -{ - struct __user_cap_header_struct capheader = { 0, 0 }; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), - 0, sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("DropCAPSYSNICE memset_s failed"); - return FALSE; - }; - capheader.version = _LINUX_CAPABILITY_VERSION_3; - capheader.pid = 0; - struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } }; - result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0xff, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("DropCAPSYSNICE memset_s failed"); - return FALSE; - }; - // Drop the capabilities of CAP_SYS_NICE - capdata[CAP_TO_INDEX(CAP_SYS_NICE)].permitted &= ~CAP_TO_MASK(CAP_SYS_NICE); - capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective &= ~CAP_TO_MASK(CAP_SYS_NICE); - capdata[CAP_TO_INDEX(CAP_SYS_NICE)].inheritable &= ~CAP_TO_MASK(CAP_SYS_NICE); - int ret = capset(&capheader, &capdata[0]); - if (ret != 0) { - return FALSE; - } - return 0; -} - -int DropCAPSYSTIME() -{ - struct __user_cap_header_struct capheader = { 0, 0 }; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), - 0, sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("DropCAPSYSTIME memset_s failed"); - return FALSE; - }; - capheader.version = _LINUX_CAPABILITY_VERSION_3; - capheader.pid = 0; - struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } }; - result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0xff, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("DropCAPSYSTIME memset_s failed"); - return FALSE; - }; - // Drop the capabilities of CAP_SYS_TIME - capdata[CAP_TO_INDEX(CAP_SYS_TIME)].permitted &= ~CAP_TO_MASK(CAP_SYS_TIME); - capdata[CAP_TO_INDEX(CAP_SYS_TIME)].effective &= ~CAP_TO_MASK(CAP_SYS_TIME); - capdata[CAP_TO_INDEX(CAP_SYS_TIME)].inheritable &= ~CAP_TO_MASK(CAP_SYS_TIME); - int ret = capset(&capheader, &capdata[0]); - if (ret != 0) { - return FALSE; - } - return 0; -} - -int DropAllCAP() -{ - struct __user_cap_header_struct capheader = { 0, 0 }; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), - 0, sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("DropAllCAP memset_s failed"); - return FALSE; - }; - capheader.version = _LINUX_CAPABILITY_VERSION_3; - capheader.pid = 0; - struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } }; - result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0xff, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("DropAllCAP memset_s failed"); - return FALSE; - }; - // Drop all the capabilities - capdata[0].permitted = NO_CAP; - capdata[0].effective = NO_CAP; - capdata[0].inheritable = NO_CAP; - int ret = capset(&capheader, &capdata[0]); - if (ret != 0) { - return FALSE; - } - return 0; -} - -int RemoveDir(const char *dirname) -{ - int ret; - char curDir[] = "."; - char upDir[] = ".."; - char updirname[SIZE512]; - DIR *dir = nullptr; - struct dirent *dp = nullptr; - struct stat upDirStat = { 0 }; - // Init capabilities - CapInit(); - // The directory transferred by the parameter does not exist - if (access(dirname, F_OK != 0)) { - return 0; - } else { - chmod(dirname, RWX); - } - // Open the current-level directory - dir = opendir(dirname); - while ((dp = readdir(dir)) != nullptr) { - // The system skips the judgment and continues looping when the . or .. directory is encountered - if ((strcmp(curDir, dp->d_name) == 0) || (strcmp(upDir, dp->d_name) == 0)) { - continue; - } - // Combine the upper-level directory content - int spr = sprintf_s(updirname, SIZE512, "%s/%s", dirname, dp->d_name); - if (spr == FALSE) { - closedir(dir); - return FALSE; - } - // Obtains the status of the upper-level, file or directory - stat(updirname, &upDirStat); - // Directory files, recursively deleting contents in the directory - if (upDirStat.st_mode & S_IFDIR) { - // Invoke the function recursively to delete the content of the upper-level directory - RemoveDir(updirname); - } else { - // Common files, directly deleting - ret = unlink(updirname); - if (ret != 0) { - // Failed to delete the file - perror("Failed to delete the file"); - LOG("ErrInfo: The file name is %s", updirname); - closedir(dir); - return FALSE; - } - } - } - // Close the current-level directory - closedir(dir); - // Delete the empty directory - ret = rmdir(dirname); - if (ret != 0) { - // Failed to delete the empty directory - perror("Failed to delete the empty directory"); - LOG("ErrInfo: The directory name is %s", dirname); - return FALSE; - } - return 0; -} - -int SetUidGid(uid_t uid, gid_t gid) -{ - // Set the process uid and gid - int retsetuid = setuid(uid); - if (retsetuid != 0) { - LOG("ErrInfo: Set uid=%d failed, now uid=%d", uid, getuid()); - return FALSE; - } - int retsetgid = setgid(gid); - if (retsetgid != 0) { - LOG("ErrInfo: Set gid=%d failed, now gid=%d", gid, getgid()); - return FALSE; - } - return 0; -} - -timespec CompareTime(timespec start, timespec end) -{ - // Compare time 'start' and time 'end' - timespec ret = { 0 }; - int tp = 1000000000; - if ((end.tv_nsec - start.tv_nsec) < 0) { - ret.tv_sec = end.tv_sec - start.tv_sec - 1; - ret.tv_nsec = tp + end.tv_nsec - start.tv_nsec; - } else { - ret.tv_sec = end.tv_sec - start.tv_sec; - ret.tv_nsec = end.tv_nsec - start.tv_nsec; - } - return ret; -} - -char *GetCurrentPath() -{ - // Obtain the current working directory - static char path[MAX_PATH_SIZE]; - getcwd(path, MAX_PATH_SIZE); - return path; -} - -// Check topDir file system, 0 is exist, -1 is non-exist -int CheckFsMount(const char *topDir, const char *topDirMountInfo) -{ - const int lenMax = 100; - int len = 0; - char buf[lenMax] = {0}; - const char mountInfoFile[] = "/proc/mounts"; - // check topDir exist - if (access(topDir, F_OK) != 0) { - LOG("ErrInfo: '%s' not accessable, Test Stop!", topDir); - return -1; - } - FILE *fp = fopen(mountInfoFile, "r"); - if (fp != nullptr) { - while (fgets(buf, sizeof(buf), fp) != NULL) { - len = strlen(buf); - if (strstr(buf, topDirMountInfo) != nullptr) { - fclose(fp); - return 0; - } - } - fclose(fp); - } - LOG("'%s' is not a '%s' not mount properly, Test Stop! please change another file type!", topDir, topDirMountInfo); - return -1; -} \ No newline at end of file diff --git a/security_lite/permission_posix/capability/src/ActsCapabilityTest.cpp b/security_lite/permission_posix/capability/src/ActsCapabilityTest.cpp deleted file mode 100644 index e478ef961..000000000 --- a/security_lite/permission_posix/capability/src/ActsCapabilityTest.cpp +++ /dev/null @@ -1,1226 +0,0 @@ -/* - * Copyright (c) 2021 Huawei Device Co., Ltd. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#include "ActsCapabilityTest.h" -#include -#include -#include -#include -#include -#include -#include -#include "gtest/gtest.h" -#include "CapabilityFileSystemTest.h" - -using namespace std; -using namespace testing::ext; - -#if defined(LITE_FS_VFAT) -static void CreateTxt() -{ - int ret; - int fd = 0; - char cap[] = "CapabilityTestSuite!\n"; - // Initialize the process and set the uid and gid of the process to zero - SetUidGid(UID0, GID0); - // Create a directory 'CAPDIR0' in the directory 'TOP_DIR' - ret = mkdir(TOP_DIR "/" CAPDIR0, NORWX); - ASSERT_EQ(ret, 0) << "ErrInfo: Failed to create the directory 'TOP_DIR/CAPDIR0'"; - // Create a directory 'CAPDIR0_CAPDIR0' in the directory 'TOP_DIR/CAPDIR0' - ret = mkdir(TOP_DIR "/" CAPDIR0 "/" CAPDIR0_CAPDIR0, RWX); - ASSERT_EQ(ret, 0) << "ErrInfo: Failed to create the directory 'TOP_DIR/CAPDIR0/CAPDIR0_CAPDIR0'"; - // Create a file 'CAPDIR0_CAPFILE0' in the directory 'CAPDIR0' - fd = open(TOP_DIR "/" CAPDIR0 "/" CAPDIR0_CAPFILE0, O_WRONLY | O_CREAT | O_TRUNC, RWX); - if (fd >= 0) { - // File created successfully - write(fd, cap, sizeof(cap)); - close(fd); - } else { - // Failed to create the file - ASSERT_GE(fd, 0) << "ErrInfo: Failed to create the file 'TOP_DIR/CAPDIR0/CAPDIR0_CAPFILE0'"; - } -} - -static int CapsetOnlySETPCAP(int num) -{ - struct __user_cap_header_struct capheader; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0, - sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("CapgetWithAllCap memset_s failed"); - return FALSE; - }; - capheader.version = _LINUX_CAPABILITY_VERSION_3; - capheader.pid = 0; - struct __user_cap_data_struct capdata[CAP_NUM]; - result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("CapgetWithAllCap memset_s failed"); - return FALSE; - }; - capdata[CAP_TO_INDEX(CAP_SETPCAP)].permitted |= CAP_TO_MASK(CAP_SETPCAP); - capdata[CAP_TO_INDEX(CAP_SETPCAP)].effective |= CAP_TO_MASK(CAP_SETPCAP); - capdata[CAP_TO_INDEX(CAP_SETPCAP)].inheritable |= CAP_TO_MASK(CAP_SETPCAP); - // Set capabilities - int ret = capset(&capheader, &capdata[0]); - if (ret != 0) { - LOG("ErrInfo: Failed to drop all caps except CAP_SETPCAP during the %d time", num); - return FALSE; - } - return 0; -} - -static int AddCapUnauthorized(int num) -{ - struct __user_cap_header_struct capheader; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0, - sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("CapgetWithAllCap memset_s failed"); - return FALSE; - }; - capheader.version = _LINUX_CAPABILITY_VERSION_3; - capheader.pid = 0; - struct __user_cap_data_struct capdata[CAP_NUM]; - result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("CapgetWithAllCap memset_s failed"); - return FALSE; - }; - capdata[0].permitted = LINUX_FULL_CAP; - capdata[0].effective = LINUX_FULL_CAP; - capdata[0].inheritable = LINUX_FULL_CAP; - // Set capabilities - int ret = capset(&capheader, &capdata[0]); - if (ret != FALSE) { - LOG("ErrInfo: Add unauthorized capability during the %d time", num); - return FALSE; - } - return 0; -} - -static int CapgetWithAllCap(int num) -{ - struct __user_cap_header_struct capheader = { 0 }; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0, - sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("CapgetWithAllCap memset_s failed"); - return FALSE; - }; - capheader.version = _LINUX_CAPABILITY_VERSION_3; - capheader.pid = 0; - struct __user_cap_data_struct capdataget[CAP_NUM] = { { 0 }, { 0 } }; - result = memset_s(capdataget, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("CapgetWithAllCap memset_s failed"); - return FALSE; - }; - int ret = capget(&capheader, &capdataget[0]); - if (ret != 0) { - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to get CAPs"; - LOG("ErrInfo: Failed to get CAPs during the %d time", num); - return FALSE; - } - // The process has all capabilities - if (capdataget[0].effective != OHOS_FULL_CAP) { - EXPECT_EQ(capdataget[0].effective, OHOS_FULL_CAP) << "ErrInfo: Get wrong capabilities"; - LOG("ErrInfo: Get wrong capabilities during the %d time", num); - return FALSE; - } - return 0; -} - -static int CapgetWithNoCap(int num) -{ - struct __user_cap_header_struct capheader = { 0 }; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0, - sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("CapgetWithAllCap memset_s failed"); - return FALSE; - }; - capheader.version = _LINUX_CAPABILITY_VERSION_3; - capheader.pid = 0; - struct __user_cap_data_struct capdataget[CAP_NUM] = { { 0 }, { 0 } }; - result = memset_s(capdataget, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("CapgetWithAllCap memset_s failed"); - return FALSE; - }; - int ret = capget(&capheader, &capdataget[0]); - if (ret != 0) { - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to get CAPs"; - LOG("ErrInfo: Failed to get CAPs during the %d time", num); - return FALSE; - } - // The process does not have any capabilities - if (capdataget[0].effective != NO_CAP) { - EXPECT_EQ(capdataget[0].effective, NO_CAP) << "ErrInfo: Get wrong capabilities"; - LOG("ErrInfo: Get wrong capabilities during the %d time", num); - return FALSE; - } - return 0; -} - -static int CapgetOnlySETPCAP(int num) -{ - struct __user_cap_header_struct capheader = { 0 }; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0, - sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("CapgetWithAllCap memset_s failed"); - return FALSE; - }; - capheader.version = _LINUX_CAPABILITY_VERSION_3; - capheader.pid = 0; - struct __user_cap_data_struct capdataget[CAP_NUM] = { { 0 }, { 0 } }; - result = memset_s(capdataget, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("CapgetWithAllCap memset_s failed"); - return FALSE; - }; - int ret = capget(&capheader, &capdataget[0]); - if (ret != 0) { - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to get CAPs"; - LOG("ErrInfo: Failed to get CAPs during the %d time", num); - return FALSE; - } - // The process only has CAP_SETPCAP - if (capdataget[0].effective != ONLY_SETPCAP_CAP) { - EXPECT_EQ(capdataget[0].effective, ONLY_SETPCAP_CAP) << "ErrInfo: Get wrong capabilities"; - LOG("ErrInfo: Get wrong capabilities during the %d time", num); - return FALSE; - } - return 0; -} - -static int CapsetWithoutSETPCAP() -{ - // Drop the capabilities of CAP_SETPCAP 8 - int retsetpcap = DropCAPSETPCAP(); - EXPECT_EQ(retsetpcap, 0) << "ErrInfo: Failed to drop CAP_SETPCAP"; - // Drop the capabilities of CAP_CHOWN 0 - int retchown = DropCAPCHOWN(); - EXPECT_EQ(retchown, FALSE) << "ErrInfo: Drop CAP_CHOWN without CAP_SETPCAP"; - // Drop the capabilities of CAP_DAC_OVERRIDE 1 - int retdacoverride = DropCAPDACOVERRIDE(); - EXPECT_EQ(retdacoverride, FALSE) << "ErrInfo: Drop CAP_DAC_OVERRIDE without CAP_SETPCAP"; - // Drop the capabilities of CAP_DAC_READ_SEARCH 2 - int retdacreadsearch = DropCAPDACREADSEARCH(); - EXPECT_EQ(retdacreadsearch, FALSE) << "ErrInfo: Drop CAP_DAC_READ_SEARCH without CAP_SETPCAP"; - // Drop the capabilities of CAP_FOWNER 3 - int retfowner = DropCAPFOWNER(); - EXPECT_EQ(retfowner, FALSE) << "ErrInfo: Drop CAP_FOWNER without CAP_SETPCAP"; - // Drop the capabilities of CAP_KILL 5 - int retkill = DropCAPKILL(); - EXPECT_EQ(retkill, FALSE) << "ErrInfo: Drop CAP_KILL without CAP_SETPCAP"; - // Drop the capabilities of CAP_SETGID 6 - int retsetgid = DropCAPSETGID(); - EXPECT_EQ(retsetgid, FALSE) << "ErrInfo: Drop CAP_SETGID without CAP_SETPCAP"; - // Drop the capabilities of CAP_SETUID 7 - int retsetuid = DropCAPSETUID(); - EXPECT_EQ(retsetuid, FALSE) << "ErrInfo: Drop CAP_SETUID without CAP_SETPCAP"; - // Drop the capabilities of CAP_SETPCAP 8 - int retsetpcapfailed = DropCAPSETPCAP(); - EXPECT_EQ(retsetpcapfailed, FALSE) << "ErrInfo: Drop CAP_SETPCAP without CAP_SETPCAP"; - // Drop the capabilities of CAP_SYS_NICE 23 - int retsysnice = DropCAPSYSNICE(); - EXPECT_EQ(retsysnice, FALSE) << "ErrInfo: Drop CAP_SYS_NICE without CAP_SETPCAP"; - // Drop the capabilities of CAP_SYS_TIME 25 - int retsystime = DropCAPSYSTIME(); - EXPECT_EQ(retsystime, FALSE) << "ErrInfo: Drop CAP_SYS_TIME without CAP_SETPCAP"; - if ((retchown != FALSE) || (retdacoverride != FALSE) || (retdacreadsearch != FALSE) || (retfowner != FALSE) || - (retkill != FALSE) || (retsetgid != FALSE) || (retsetuid != FALSE) || (retsetpcapfailed != FALSE) || - (retsysnice != FALSE) || (retsystime != FALSE) || (retsetpcap == FALSE)) { - LOG("ErrInfo: Drop the capabilities without CAP_SETPCAP"); - return FALSE; - } - return 0; -} - -static int CapsetWithVersion(pid_t pid, unsigned int version) -{ - struct __user_cap_header_struct capheader = { 0 }; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0, - sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("CapgetWithAllCap memset_s failed"); - return FALSE; - }; - capheader.pid = pid; - capheader.version = version; - struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } }; - result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0xff, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("CapgetWithAllCap memset_s failed"); - return FALSE; - }; - // Capget based on input parameters - int ret = capset(&capheader, &capdata[0]); - if (ret != 0) { - // Capset with abnormal parameter - return FALSE; - } - return 0; -} - -static int CapgetWithVersion(pid_t pid, unsigned int version) -{ - struct __user_cap_header_struct capheader = { 0 }; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0, - sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("CapgetWithAllCap memset_s failed"); - return FALSE; - }; - capheader.pid = pid; - capheader.version = version; - struct __user_cap_data_struct capdataget[CAP_NUM] = { { 0 }, { 0 } }; - result = memset_s(capdataget, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0xff, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("CapgetWithAllCap memset_s failed"); - return FALSE; - }; - // Capget based on input parameters - int ret = capget(&capheader, &capdataget[0]); - if (ret != 0) { - // Capget with abnormal parameter - return FALSE; - } - return 0; -} - -static int CapgetWithCaps(pid_t pid, unsigned int caps) -{ - struct __user_cap_header_struct capheader = { 0 }; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0, - sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("CapgetWithAllCap memset_s failed"); - return FALSE; - }; - capheader.pid = pid; - capheader.version = _LINUX_CAPABILITY_VERSION_3; - struct __user_cap_data_struct capdataget[CAP_NUM] = { { 0 }, { 0 } }; - result = memset_s(capdataget, CAP_NUM * sizeof(struct __user_cap_data_struct), - 0xff, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("CapgetWithAllCap memset_s failed"); - return FALSE; - }; - // Capget based on input parameters and check whether the capability is the same as the input parameter - int ret = capget(&capheader, &capdataget[0]); - if (ret != 0 || capdataget[0].effective != caps) { - EXPECT_EQ(capdataget[0].effective, caps) << "ErrInfo: Pid = " << pid << ", process has wrong capability"; - return FALSE; - } - return 0; -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_0600 - * @tc.name : Processes with the CAP_KILL capability can invoke their management - and control interfaces to kill other processes - * @tc.desc : [C-SECURITY-0100] - */ -HWTEST_F(CapabilityTestSuite, CapabilityTest0600, Function | MediumTest | Level2) -{ - int ret = 0; - int status1 = 0; - int status2 = 0; - // Preset action: Fork a sub process pid1 - pid_t pid1 = fork(); - ASSERT_TRUE(pid1 >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - // Preset action: Change the UID&GID of the sub process pid1 and keep it hibernated - if (pid1 == 0) { - SetUidGid(UID555, GID555); - ChildSleep(); - } else { - // Preset action: Fork a sub process pid2 - pid_t pid2 = fork(); - ASSERT_TRUE(pid2 >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - if (pid2 == 0) { - int exitCode = 0; - // Step 1: Drop the capabilities of CAP_KILL - ret = DropCAPKILL(); - if (ret != 0) { - LOG("ErrInfo: Failed to drop CAP_KILL"); - exitCode = 1; - } - // Step 2: Failed to kill the sub process - ret = kill(pid1, SIGXFSZ); - if (ret != FALSE) { - LOG("ErrInfo: Kill process without CAP_KILL"); - exitCode = 1; - } - // Step 3: Change the UID&GID of the sub process pid1 and keep it hibernated - ret = SetUidGid(UID555, GID555); - if (ret != 0) { - LOG("ErrInfo: Failed to set uid and gid"); - exitCode = 1; - } - // Step 4: The sub process exit with the exitCode - exit(exitCode); - } else { - // Step 4: Kill the sub process pid1 successfully - ret = kill(pid1, SIGXFSZ); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to Kill pid1 with CAP_KILL"; - // Cleanup action: Wait for the sub process pid1 and pid2 to be killed - waitpid(pid1, &status1, 0); - waitpid(pid2, &status2, 0); - EXPECT_NE(WIFEXITED(status2), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid2; - EXPECT_EQ(WEXITSTATUS(status2), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " - << pid2; - } - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_0700 - * @tc.name : Processes with the CAP_SETGID capability can invoke their management - and control interfaces to change the group IDs of other processes - * @tc.desc : [C-SECURITY-0100] - */ -HWTEST_F(CapabilityTestSuite, CapabilityTest0700, Function | MediumTest | Level2) -{ - int ret = 0; - int status = 0; - pid_t pid = fork(); // Preset action: Fork a sub process - ASSERT_TRUE(pid >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - if (pid == 0) { - int exitCode = 0; - ret = setgid(NUM500); // Step 1.1: Set GID with interface 'setgid' - if (ret != 0) {LOG("ErrInfo: Failed to set GID with interface 'setgid', now process gid=%d", getpid()); - exitCode = 1; } - ret = setregid(NUM600, NUM600); // Step 1.2: Set reGID with interface 'setregid' - if (ret != 0) {LOG("ErrInfo: Failed to set reGID with interface 'setregid', now process gid=%d", getpid()); - exitCode = 1; } - ret = setresgid(NUM700, NUM700, NUM700); // Step 1.3: Set resGID with interface 'setresgid' - if (ret != 0) {LOG("ErrInfo: Failed to set resGID with interface 'setresgid', now process gid=%d", getpid()); - exitCode = 1; } - ret = setgroups(NUM3, GROUPLIST); // Step 1.4: Set groups with interface 'setgroups' - if (ret != 0) {LOG("ErrInfo: Failed to set groups with interface 'setgroups'"); - exitCode = 1; } - ret = DropCAPSETGID(); // Step 2: Drop the capabilities of CAP_SETGID - if (ret != 0) {LOG("ErrInfo: Failed to drop CAP_SETGID"); - exitCode = 1; } - ret = setgid(NUM500); // Step 3.1: Failed to set GID with interface 'setgid' - if (ret != FALSE) {LOG("ErrInfo: Set GID without CAP_SETGID, now process gid=%d", getpid()); - exitCode = 1; } - ret = setregid(NUM500, NUM500); // Step 3.2: Failed to set reGID with interface 'setregid' - if (ret != FALSE) {LOG("ErrInfo: Set reGID without CAP_SETGID, now process gid=%d", getpid()); - exitCode = 1; } - ret = setresgid(NUM500, NUM500, NUM500); // Step 3.3: Failed to set resGID with interface 'setregid' - if (ret != FALSE) {LOG("ErrInfo: Set resGID without CAP_SETGID, now process gid=%d", getpid()); - exitCode = 1; } - ret = setgroups(NUM3, GROUPLIST); // Step 3.4: Failed to set groups with interface 'setgroups' - if (ret != FALSE) {LOG("ErrInfo: Set groups without CAP_SETGID"); - exitCode = 1; } // Step 4: The sub process exit with the exitCode - exit(exitCode); - } else { - waitpid(pid, &status, 0); // Step 5: The parent process wait for the sub process to exit and obtain the exitCode - EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid; - EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid; - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_0800 - * @tc.name : Processes with the CAP_SETUID capability can invoke their management - and control interfaces to change user IDs of other processes - * @tc.desc : [C-SECURITY-0100] - */ -HWTEST_F(CapabilityTestSuite, CapabilityTest0800, Function | MediumTest | Level2) -{ - int ret = 0; - int status = 0; - // Preset action: Fork a sub process - pid_t pid = fork(); - ASSERT_TRUE(pid >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - if (pid == 0) { - int exitCode = 0; - // Step 1.1: Set UID with interface 'setuid' - ret = setuid(NUM500); - if (ret != 0) { - LOG("ErrInfo: Failed to set UID with interface 'setuid', now process uid=%d", getpid()); - exitCode = 1; - } - // Step 1.2: Set reUID with interface 'setreuid' - ret = setreuid(NUM600, NUM600); - if (ret != 0) { - LOG("ErrInfo: Failed to set reUID with interface 'setreuid', now process uid=%d", getpid()); - exitCode = 1; - } - // Step 1.3: Set resUID with interface 'setresuid' - ret = setresuid(NUM700, NUM700, NUM700); - if (ret != 0) { - LOG("ErrInfo: Failed to set resUID with interface 'setresuid', now process uid=%d", getpid()); - exitCode = 1; - } - // Step 2: Drop the capabilities of CAP_SETUID - ret = DropCAPSETUID(); - if (ret != 0) { - LOG("ErrInfo: Failed to drop CAP_SETUID"); - exitCode = 1; - } - // Step 3.1: Failed to set UID with interface 'setuid' - ret = setuid(NUM500); - if (ret != FALSE) { - LOG("ErrInfo: Set UID without CAP_SETUID, now process uid=%d", getpid()); - exitCode = 1; - } - // Step 3.2: Failed to set reUID with interface 'setreuid' - ret = setreuid(NUM500, NUM500); - if (ret != FALSE) { - LOG("ErrInfo: Set reUID without CAP_SETUID, now process uid=%d", getpid()); - exitCode = 1; - } - // Step 3.3: Failed to set resUID with interface 'setreuid' - ret = setresuid(NUM500, NUM500, NUM500); - if (ret != FALSE) { - LOG("ErrInfo: Set resUID without CAP_SETUID, now process uid=%d", getpid()); - exitCode = 1; - } - // Step 4: The sub process exit with the exitCode - exit(exitCode); - } else { - // Step 5: The parent process wait for the sub process to exit and obtain the exitCode - waitpid(pid, &status, 0); - EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid; - EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid; - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_0900 - * @tc.name : Processes with the CAP_SETPCCAP capability can invoke their management - and control interfaces to add and delete capabilities for other processes - * @tc.desc : [C-SECURITY-0100] - */ -HWTEST_F(CapabilityTestSuite, CapabilityTest0900, Security | MediumTest | Level2) -{ - int ret = 0; - int status = 0; - // Preset action: Fork a sub process - pid_t pid = fork(); - ASSERT_TRUE(pid >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - if (pid == 0) { - int exitCode = 0; - // Step 1: Drop the capabilities of CAP_SETPCAP - ret = DropCAPSETPCAP(); - if (ret != 0) { - LOG("ErrInfo: Failed to drop CAP_SETPCAP"); - exitCode = 1; - } - // Step 2: Failed to add the capabilities of CAP_SETPCAP - exitCode = AddCapUnauthorized(1); - if (exitCode != 0) { - LOG("ErrInfo: Add capabilities without CAP_SETPCAP"); - } - // Step 3: The sub process exit with the exitCode - exit(exitCode); - } else { - // Step 4: The parent process wait for the sub process to exit and obtain the exitCode - waitpid(pid, &status, 0); - EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid; - EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid; - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1000 - * @tc.name : Processes with the CAP_SYS_NICE capability can invoke their management - and control interfaces to set the process priority - * @tc.desc : [C-SECURITY-0100] - */ -HWTEST_F(CapabilityTestSuite, CapabilityTest1000, Function | MediumTest | Level2) -{ - int ret = 0; - int status1 = 0; - int status2 = 0; - // Preset action: Fork a sub process pid1 - pid_t pid1 = fork(); - ASSERT_TRUE(pid1 >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - // Preset action: keep the sub process pid1 hibernated - if (pid1 == 0) { - ChildSleep(); - } else { - // Preset action: Fork a sub process pid2 - pid_t pid2 = fork(); - ASSERT_TRUE(pid2 >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - if (pid2 == 0) { - int exitCode = 0; - // Preset action: Obtains the test priority - struct sched_param param = { 0 }; - ret = sched_getparam(pid1, ¶m); - param.sched_priority--; - // Step 1: Set the priority of the sub process successfully - ret = sched_setparam(pid1, ¶m); - if (ret != 0) { - LOG("ErrInfo: Failed to set priority with CAP_SYS_NICE"); - exitCode = 1; - } - // Step 2: Drop the capabilities of CAP_SYS_NICE - ret = DropCAPSYSNICE(); - if (ret != 0) { - LOG("ErrInfo: Failed to drop CAP_SYS_NICE"); - exitCode = 1; - } - // Step 3: Failed to set the priority of the sub process - param.sched_priority++; - ret = sched_setparam(pid1, ¶m); - if (ret != FALSE) { - LOG("ErrInfo: Set priority without CAP_SYS_NICE"); - exitCode = 1; - } - // Step 4: The sub process exit with the exitCode - exit(exitCode); - } else { - // Step 5: The parent process wait for the sub process to exit and obtain the exitCode - waitpid(pid2, &status2, 0); - EXPECT_NE(WIFEXITED(status2), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid2; - EXPECT_EQ(WEXITSTATUS(status2), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " - << pid2; - // Cleanup action: Kill the sub process and wait for the sub process to be killed - ret = kill(pid1, SIGXFSZ); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to kill the sub process pid1"; - waitpid(pid1, &status1, 0); - } - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1100 - * @tc.name : Processes with the CAP_SYS_TIME capability can call their management - and control interfaces and change the system clock - * @tc.desc : [C-SECURITY-0100] - */ -HWTEST_F(CapabilityTestSuite, CapabilityTest1100, Function | MediumTest | Level2) -{ - int ret = 0; - int status = 0; - struct timespec tp = { 0 }; - // Preset action: Fork a sub process - pid_t pid = fork(); - ASSERT_TRUE(pid >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - if (pid == 0) { - int exitCode = 0; - // Preset action: Obtains the system time and the test time - clock_gettime(CLOCK_REALTIME, &tp); - tp.tv_sec += 1; - // Step 1: Set the System Time with the test time successfully - ret = clock_settime(CLOCK_REALTIME, &tp); - if (ret != 0) { - LOG("ErrInfo: Failed to set clocktime with CAP_SYS_TIME"); - exitCode = 1; - } - // Step 2: Drop the capabilities of CAP_SYS_TIME - ret = DropCAPSYSTIME(); - if (ret != 0) { - LOG("ErrInfo: Failed to drop CAP_SYS_TIME"); - exitCode = 1; - } - // Step 3: Failed to set the system time with the test time - tp.tv_sec += 1; - ret = clock_settime(CLOCK_REALTIME, &tp); - if (ret != FALSE) { - LOG("ErrInfo: Set clocktime without CAP_SYS_TIME"); - exitCode = 1; - } - // Step 4: The sub process exit with the exitCode - exit(exitCode); - } else { - // Step 5: The parent process wait for the sub process to exit and obtain the exitCode - waitpid(pid, &status, 0); - EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid; - EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid; - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1200 - * @tc.name : Processes without the CAP_SETPCAP capability cannot drop any capability - * @tc.desc : [C-SECURITY-0100] - */ -HWTEST_F(CapabilityTestSuite, CapabilityTest1200, Function | MediumTest | Level3) -{ - int status = 0; - // Preset action: Fork a sub process - pid_t pid = fork(); - ASSERT_TRUE(pid >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - if (pid == 0) { - int exitCode = 0; - // Step 1: Failed to add capabilities without CAP_SETPCAP - exitCode = CapsetWithoutSETPCAP(); - // Step 2: The sub process exit with the exitCode - exit(exitCode); - } else { - // Step 3: The parent process wait for the sub process to exit and obtain the exitCode - waitpid(pid, &status, 0); - EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid; - EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid; - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1300 - * @tc.name : Inheritance of process capabilities - * @tc.desc : [C-SECURITY-0100] - */ -HWTEST_F(CapabilityTestSuite, CapabilityTest1300, Function | MediumTest | Level1) -{ - int status = 0; - // Preset action: Fork a sub process - pid_t pid = fork(); - ASSERT_TRUE(pid >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - if (pid == 0) { - int exitCode = 0; - // Step 1: Query the sub process capabilities for 10000 times - for (int number = 0; number < NUM10000; number++) { - exitCode = CapgetWithAllCap(number); - if (exitCode != 0) { - LOG("ErrInfo: CapgetWithAllCap error during the %d time", number); - break; - } - } - // Step 2: The sub process exit with the exitCode - exit(exitCode); - } else { - // Step 3: The parent process wait for the sub process to exit and obtain the exitCode - waitpid(pid, &status, 0); - EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid; - EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid; - // Step 4: Query the parent process capabilities - int ret = CapgetWithAllCap(1); - EXPECT_EQ(ret, 0) << "ErrInfo: CapgetWithAllCap error"; - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1400 - * @tc.name : Invoke the capset interface to add and drop the process capabilities for 10000 times - * @tc.desc : [C-SECURITY-0100] - */ -HWTEST_F(CapabilityTestSuite, CapabilityTest1400, Reliability | MediumTest | Level2) -{ - int status = 0; - // Preset action: Fork a sub process - pid_t pid = fork(); - ASSERT_TRUE(pid >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - if (pid == 0) { - int exitCode = 0; - // Step 1: Drop and add the sub process capabilities for 10000 times - for (int number = 0; number < NUM10000; number++) { - exitCode = CapsetOnlySETPCAP(number); - if (exitCode != 0) { - LOG("ErrInfo: CapsetOnlySETPCAP error during the %d time", number); - break; - } - exitCode = AddCapUnauthorized(number); - if (exitCode != 0) { - LOG("ErrInfo: AddCapUnauthorized error during the %d time", number); - break; - } - } - // Step 2: The sub process exit with the exitCode - exit(exitCode); - } else { - // Step 3: The parent process wait for the sub process to exit and obtain the exitCode - waitpid(pid, &status, 0); - EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid; - EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid; - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1500 - * @tc.name : Invoke the capset interface to revoke the process capabilities which not exist for 10000 times - * @tc.desc : [C-SECURITY-0100] - */ -HWTEST_F(CapabilityTestSuite, CapabilityTest1500, Reliability | MediumTest | Level2) -{ - int status = 0; - // Preset action: Fork a sub process - pid_t pid = fork(); - ASSERT_TRUE(pid >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - if (pid == 0) { - int exitCode = 0; - struct __user_cap_header_struct capheader = { 0 }; - errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0, - sizeof(struct __user_cap_header_struct)); - if (result != EOK) { - LOG("CapgetWithAllCap memset_s failed"); - ASSERT_TRUE(false); - }; - capheader.version = _LINUX_CAPABILITY_VERSION_3; - capheader.pid = 0; - struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } }; - result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct), - LINUX_FULL_CAP, CAP_NUM * sizeof(struct __user_cap_data_struct)); - if (result != EOK) { - LOG("CapgetWithAllCap memset_s failed"); - ASSERT_TRUE(false); - }; - capdata[CAP_TO_INDEX(INVALID_CAP_TO_INDEX)].permitted &= ~CAP_TO_MASK(INVALID_CAP_TO_INDEX); - capdata[CAP_TO_INDEX(INVALID_CAP_TO_INDEX)].effective &= ~CAP_TO_MASK(INVALID_CAP_TO_INDEX); - capdata[CAP_TO_INDEX(INVALID_CAP_TO_INDEX)].inheritable &= ~CAP_TO_MASK(INVALID_CAP_TO_INDEX); - for (int number = 0; number < NUM10000; number++) { - // Step 1: Drop an abnormal capability for 10000 times - int ret = capset(&capheader, &capdata[0]); - if (ret != 0) { - LOG("ErrInfo: Drop an abnormal capability during the %d time", number); - exitCode = 1; - break; - } - } - // Step 2: The sub process exit with the exitCode - exit(exitCode); - } else { - // Step 3: The parent process wait for the sub process to exit and obtain the exitCode - waitpid(pid, &status, 0); - EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid; - EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid; - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1600 - * @tc.name : Enter the exception parameter for 10000 times when invoke the capset interface - * @tc.desc : [C-SECURITY-0100] - */ -HWTEST_F(CapabilityTestSuite, CapabilityTest1600, Reliability | MediumTest | Level3) -{ - int ret = 0; - int status = 0; - // Preset action: Fork a sub process - pid_t pid = fork(); - ASSERT_TRUE(pid >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - if (pid == 0) { - int exitCode = 0; - for (int number = 0; number < NUM10000; number++) { - // Step 1.1: Capset the abnormal capheader.pid '-1' for 10000 times - ret = CapsetWithVersion(FALSE, _LINUX_CAPABILITY_VERSION_3); - if (ret != FALSE) { - LOG("ErrInfo: Capset with the abnormal capheader.pid '-1' during the %d time", number); - exitCode = 1; - break; - } - // Step 1.2: Capset the abnormal capheader.pid '65536' for 10000 times - ret = CapsetWithVersion(INVAILD_PID, _LINUX_CAPABILITY_VERSION_3); - if (ret != FALSE) { - LOG("ErrInfo: Capset with the abnormal capheader.pid '65536' during the %d time", number); - exitCode = 1; - break; - } - // Step 1.3: Capset the abnormal capheader.version '1' for 10000 times - ret = CapsetWithVersion(0, 1); - if (ret != FALSE) { - LOG("ErrInfo: Capset with the abnormal normal capheader.version '1' during the %d time", number); - exitCode = 1; - break; - } - // Step 1.4: Capset the abnormal capheader.version '_LINUX_CAPABILITY_VERSION_1' for 10000 times - ret = CapsetWithVersion(0, _LINUX_CAPABILITY_VERSION_1); - if (ret != 0) { - LOG("ErrInfo: Capset with the abnormal capheader.version '_LINUX_CAPABILITY_VERSION_1'" - "during the %d time", number); - exitCode = 1; - break; - } - // Step 1.5: Add normal capheader.version '_LINUX_CAPABILITY_VERSION_3' for 10000 times - ret = CapsetWithVersion(0, _LINUX_CAPABILITY_VERSION_3); - if (ret != 0) { - LOG("ErrInfo: Failed to capset with normal capheader.version during the %d time", number); - exitCode = 1; - break; - } - } - // Step 2: The sub process exit with the exitCode - exit(exitCode); - } else { - // Step 3: The parent process wait for the sub process to exit and obtain the exitCode - waitpid(pid, &status, 0); - EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid; - EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid; - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1700 - * @tc.name : Invoke the capget interface to query the process capabilities for 10000 times - * @tc.desc : [C-SECURITY-0100] - */ -HWTEST_F(CapabilityTestSuite, CapabilityTest1700, Reliability | MediumTest | Level2) -{ - // Step 1: Query the process capabilities for 10000 times - for (int number = 0; number < NUM10000; number++) { - int ret = CapgetWithAllCap(number); - if (ret != 0) { - EXPECT_EQ(ret, 0) << "ErrInfo: CapgetWithAllCap error during the " << number << " time"; - break; - } - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1800 - * @tc.name : Invoke the capget interface to query the process capabilities which not exist for 10000 times - * @tc.desc : [C-SECURITY-0100] - */ -HWTEST_F(CapabilityTestSuite, CapabilityTest1800, Reliability | MediumTest | Level3) -{ - int ret = 0; - int status = 0; - // Preset action: Fork a sub process - pid_t pid = fork(); - ASSERT_TRUE(pid >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - if (pid == 0) { - int exitCode = 0; - // Step 1: Drop all the sub process capabilities - DropAllCAP(); - // Step 2: Obtain the sub process capabilities - for (int number = 0; number < NUM10000; number++) { - exitCode = CapgetWithNoCap(number); - if (exitCode != 0) { - LOG("ErrInfo: CapgetWithNoCap error during the %d time", number); - break; - } - } - // Step 3: The sub process exit with the exitCode - exit(exitCode); - } else { - // Step 4: The parent process wait for the sub process to exit and obtain the exitCode - waitpid(pid, &status, 0); - EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid; - EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid; - // Step 5: Query the parent process capabilities - ret = CapgetWithAllCap(1); - EXPECT_EQ(ret, 0) << "ErrInfo: CapgetWithAllCap error"; - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1900 - * @tc.name : Enter the exception parameter for 10000 times when invoke the capget interface - * @tc.desc : [C-SECURITY-0100] - */ -HWTEST_F(CapabilityTestSuite, CapabilityTest1900, Reliability | MediumTest | Level2) -{ - int ret = 0; - int status = 0; - // Preset action: Fork a sub process - pid_t pid = fork(); - ASSERT_TRUE(pid >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - if (pid == 0) { - int exitCode = 0; - for (int number = 0; number < NUM10000; number++) { - // Step 1.1: Capget the abnormal capheader.pid '-1' for 10000 times - ret = CapgetWithVersion(FALSE, _LINUX_CAPABILITY_VERSION_3); - if (ret != FALSE) { - LOG("ErrInfo: Capget with the abnormal capheader.pid '-1' during the %d time", number); - exitCode = 1; - break; - } - // Step 1.2: Capget the abnormal capheader.pid '65536' for 10000 times - ret = CapgetWithVersion(INVAILD_PID, _LINUX_CAPABILITY_VERSION_3); - if (ret != FALSE) { - LOG("ErrInfo: Capget with the abnormal capheader.pid '65536' during the %d time", number); - exitCode = 1; - break; - } - // Step 1.3: Capget the abnormal capheader.version '1' for 10000 times - ret = CapgetWithVersion(0, 1); - if (ret != FALSE) { - LOG("ErrInfo: Capget with the abnormal capheader.version '1' during the %d time", number); - exitCode = 1; - break; - } - // Step 1.4: Capget with the abnormal capheader.version '_LINUX_CAPABILITY_VERSION_1' for 10000 times - ret = CapgetWithVersion(0, _LINUX_CAPABILITY_VERSION_1); - if (ret != 0) { - LOG("ErrInfo: Capget with the abnormal capheader.version '_LINUX_CAPABILITY_VERSION_1'" - "during the %d time", number); - exitCode = 1; - break; - } - // Step 1.5: Capget the normal capheader.version '_LINUX_CAPABILITY_VERSION_3' for 10000 times - ret = CapgetWithVersion(0, _LINUX_CAPABILITY_VERSION_3); - if (ret != 0) { - LOG("ErrInfo: Failed to capget with the normal capheader.version '_LINUX_CAPABILITY_VERSION_3'" - "during the %d time", number); - exitCode = 1; - break; - } - } - // Step 2: The sub process exit with the exitCode - exit(exitCode); - } else { - // Step 3: The parent process wait for the sub process to exit and obtain the exitCode - waitpid(pid, &status, 0); - EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid; - EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid; - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_2100 - * @tc.name : Five processes concurrently invoke APIs managed by the capability for 5000 times - * @tc.desc : [C-SECURITY-0100] - */ -HWTEST_F(CapabilityTestSuite, CapabilityTest2100, Reliability | MediumTest | Level2) -{ - int status = 0; - // Preset action: Fork five sub processes - pid_t pid; - for (int num = 0; num < NUM5; num++) { - pid = fork(); - ASSERT_TRUE(pid >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - if (pid == 0) { - break; - } - } - // get one parent & five children - if (pid == 0) { - int exitCode = 0; - for (int number = 0; number < NUM5000; number++) { - // Step 1: Five sub processes simultaneously drop capabilities for 5000 times - exitCode = CapsetOnlySETPCAP(number); - if (exitCode != 0) { - LOG("ErrInfo: CapsetOnlySETPCAP Error during the %d time", number); - break; - } - // Step 2: Five sub processes simultaneously add capabilities for 5000 times - exitCode = AddCapUnauthorized(number); - if (exitCode != 0) { - LOG("ErrInfo: AddCapUnauthorized Error during the %d time", number); - break; - } - // Step 3: Five sub processes simultaneously capget for 5000 times - exitCode = CapgetOnlySETPCAP(number); - if (exitCode != 0) { - LOG("ErrInfo: CapgetOnlySETPCAP Error during the %d time", number); - break; - } - } - // Step 4: Five sub processes exit with the exitCode - exit(exitCode); - } else { - // Step 5: The parent process wait for five sub processes to exit and obtain the exitCode - for (int num2 = 0; num2 < NUM5; num2++) { - wait(&status); - EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid; - EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: Pid = "<< pid - << ", its exitCode is wrong and test case failed, please query logs"; - } - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_2200 - * @tc.name : Check whether the default configuration of the system process capabilities - is the same as that described in the design document - * @tc.desc : [C-SECURITY-0100] - */ -HWTEST_F(CapabilityTestSuite, CapabilityTest2200, Security | MediumTest | Level1) -{ - int ret; - // Step 1: Check the capability of process 'init', pid = 1 - ret = CapgetWithCaps(INIT_PID, INIT_CAP); - EXPECT_EQ(ret, 0) << "ErrInfo: Pid = 1, process init has wrong capability"; - // Step 2: Check the capability of process 'KProcess', pid = 2 - ret = CapgetWithCaps(KPROCESS_PID, KPROCESS_CAP); - EXPECT_EQ(ret, 0) << "ErrInfo: Pid = 2, process KProcess has wrong capability"; - // Step 3: Check the capability of process 'shell', pid = 8 - ret = CapgetWithCaps(SHELL_PID, SHELL_CAP); - EXPECT_EQ(ret, 0) << "ErrInfo: Pid = 8, process shell has wrong capability"; - // Step 4: Check the capability of process 'apphilogcat', pid = 10 - ret = CapgetWithCaps(HILOGCAT_PID, HILOGCAT_CAP); - EXPECT_EQ(ret, 0) << "ErrInfo: Pid = 10, process apphilogcat has wrong capability"; - // Step 5: Check the capability of process 'foundation', pid = 3 - ret = CapgetWithCaps(FOUNDATION_PID, FOUNDATION_CAP); - EXPECT_EQ(ret, 0) << "ErrInfo: Pid = 3, process foundation has wrong capability"; - // Step 6: Check the capability of process 'bundle_daemon', pid = 4 - ret = CapgetWithCaps(BUNDLE_DAEMON_PID, BUNDLE_DAEMON_CAP); - EXPECT_EQ(ret, 0) << "ErrInfo: Pid = 4, process bundle_daemon has wrong capability"; - // Step 7: Check the capability of process 'appspawn', pid = 5 - ret = CapgetWithCaps(APPSPAWN_PID, APPSPAWN_CAP); - EXPECT_EQ(ret, 0) << "ErrInfo: Pid = 5, process appspawn has wrong capability"; - // Step 8: Check the capability of process 'media_server', pid = 6 - ret = CapgetWithCaps(MEDIA_SERVER_PID, MEDIA_SERVER_CAP); - EXPECT_EQ(ret, 0) << "ErrInfo: Pid = 6, process media_server has wrong capability"; -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_2400 - * @tc.name : The process continuously invokes the capset and capget interfaces, - which does not affect the use of other processes - * @tc.desc : [C-SECURITY-0100] - */ -HWTEST_F(CapabilityTestSuite, CapabilityTest2400, Function | MediumTest | Level1) -{ - int status = 0; - // Preset action: Create a txt - CreateTxt(); - // Preset action: Fork two sub processes - pid_t pid; - for (int num = 0; num < NUM2; num++) { - pid = fork(); - ASSERT_TRUE(pid >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - if (pid == 0) { - break; - } - } - // get one parent & two children - if (pid == 0) { - int exitCode = 0; - for (int number = 0; number < NUM5000; number++) { - // Step 1: Two sub processes simultaneously drop capabilities for 5000 times - exitCode = CapsetOnlySETPCAP(number); - if (exitCode != 0) { - LOG("ErrInfo: CapsetOnlySETPCAP Error during the %d time", number); - break; - } - // Step 2: Two sub processes simultaneously add capabilities for 5000 times - exitCode = AddCapUnauthorized(number); - if (exitCode != 0) { - LOG("ErrInfo: AddCapUnauthorized Error during the %d time", number); - break; - } - // Step 3: Two sub processes simultaneously capget for 5000 times - exitCode = CapgetOnlySETPCAP(number); - if (exitCode != 0) { - LOG("ErrInfo: CapgetOnlySETPCAP Error during the %d time", number); - break; - } - } - // Step 4: Two sub processes exit with the exitCode - exit(exitCode); - } else { - // Step 5: The parent process simultaneously invoke chown interfaces for 1000 times - for (int number2 = 0; number2 < NUM1000; number2++) { - int ret = chown(TOP_DIR "/" CAPDIR0 "/" CAPDIR0_CAPFILE0, number2, number2); - if (ret != 0) { - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to chown during the " << number2 << " time"; - break; - } - } - // Step 6: The parent process wait for two sub processes to exit and obtain the exitCode - for (int num2 = 0; num2 < NUM2; num2++) { - wait(&status); - EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid; - EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: Pid = "<< pid - << ", its exitCode is wrong and test case failed, please query logs"; - } - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_2500 - * @tc.name : Performance test of capset and capget interface - * @tc.desc : [C-SECURITY-0100] - */ -HWTEST_F(CapabilityTestSuite, CapabilityTest2500, Performance | MediumTest | Level2) -{ - int status = 0; - // Preset action: Fork a sub process - pid_t pid = fork(); - ASSERT_TRUE(pid >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - if (pid == 0) { - int exitCode = 0; - struct timespec tp = { 0 }; - struct timespec starttime = { 0 }; - struct timespec endtime = { 0 }; - tp.tv_sec = 0; - tp.tv_nsec = 0; - // Preset action: Obtains the system time -> starttime - clock_gettime(CLOCK_REALTIME, &starttime); - // Step 1: Capset and capget for 200000 times - for (int number = 0; number < NUM10000; number++) { - CapsetOnlySETPCAP(number); - AddCapUnauthorized(number); - CapgetOnlySETPCAP(number); - } - // Step 2: Obtains the system time again -> endtime - clock_gettime(CLOCK_REALTIME, &endtime); - // Step 3: Compare the starttime and the endtime -> tp - tp = CompareTime(starttime, endtime); - if (tp.tv_sec > NUM20) { - LOG("ErrInfo: Capset and capget for 200000 times used %d.%d s", tp.tv_sec, tp.tv_nsec); - exitCode = 1; - } - // Step 4: Two sub processes exit with the exitCode - exit(exitCode); - } else { - // Step 5: The parent process wait for the sub process to exit and obtain the exitCode - waitpid(pid, &status, 0); - EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid; - EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid; - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_2600 - * @tc.name : Performance test of the interface managed by Capability - * @tc.desc : [C-SECURITY-0100] - */ -HWTEST_F(CapabilityTestSuite, CapabilityTest2600, Performance | MediumTest | Level2) -{ - struct timespec tp = { 0 }; - struct timespec starttime = { 0 }; - struct timespec endtime = { 0 }; - tp.tv_sec = 0; - tp.tv_nsec = 0; - // Preset action: Create a txt - CreateTxt(); - // Preset action: Obtains the system time -> starttime - clock_gettime(CLOCK_REALTIME, &starttime); - // Step 1: Chown for 10000 times - for (int number = 0; number < NUM1000; number++) { - chown(TOP_DIR "/" CAPDIR0 "/" CAPDIR0_CAPFILE0, number, number); - } - // Step 2: Obtains the system time again -> endtime - clock_gettime(CLOCK_REALTIME, &endtime); - // Step 3: Compare the starttime and the endtime -> tp - tp = CompareTime(starttime, endtime); - EXPECT_LE(tp.tv_sec, NUM80) << "ErrInfo: Chown for 1000 times used " << tp.tv_sec << "." << tp.tv_nsec << "s"; - // Cleanup action: Restore the initial status of the file - chown(TOP_DIR "/" CAPDIR0 "/" CAPDIR0_CAPFILE0, UID0, GID0); -} -#endif diff --git a/security_lite/permission_posix/capability/src/ActsCapabilityTest.h b/security_lite/permission_posix/capability/src/ActsCapabilityTest.h deleted file mode 100644 index 8aa0dbbd1..000000000 --- a/security_lite/permission_posix/capability/src/ActsCapabilityTest.h +++ /dev/null @@ -1,155 +0,0 @@ -/* - * Copyright (c) 2021 Huawei Device Co., Ltd. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#ifndef XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_CAPABILITY_SRC_ACTSCAPABILITYTEST_H -#define XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_CAPABILITY_SRC_ACTSCAPABILITYTEST_H - -#include -#include - -constexpr int FALSE = -1; -constexpr int NUM0 = 0; -constexpr int NUM1 = 1; -constexpr int NUM2 = 2; -constexpr int NUM3 = 3; -constexpr int NUM5 = 5; -constexpr int NUM20 = 20; -constexpr int NUM80 = 80; -constexpr int NUM100 = 100; -constexpr int NUM500 = 500; -constexpr int NUM600 = 600; -constexpr int NUM700 = 700; -constexpr int NUM1000 = 1000; -constexpr int NUM3000 = 3000; -constexpr int NUM5000 = 5000; -constexpr int NUM10000 = 10000; - -constexpr int INIT_PID = 1; -constexpr int KPROCESS_PID = 2; -constexpr int SHELL_PID = 8; -constexpr int HILOGCAT_PID = 10; -constexpr int FOUNDATION_PID = 3; -constexpr int BUNDLE_DAEMON_PID = 4; -constexpr int APPSPAWN_PID = 5; -constexpr int MEDIA_SERVER_PID = 6; -constexpr int WMS_SERVER_OR_AI_SERVER_PID = 7; -constexpr int HIVIEW_PID = 10; -constexpr int OTHER_PID = 12; -constexpr int INIT_PID_2 = 1; -constexpr int KPROCESS_PID_2 = 2; -constexpr int SHELL_PID_2 = 8; -constexpr int HILOGCAT_PID_2 = 10; -constexpr int FOUNDATION_PID_2 = 3; -constexpr int BUNDLE_DAEMON_PID_2 = 4; -constexpr int APPSPAWN_PID_2 = 5; -constexpr int MEDIA_SERVER_PID_2 = 6; -constexpr int WMS_SERVER_OR_AI_SERVER_PID_2 = 7; -constexpr int HIVIEW_PID_2 = 10; -constexpr int OTHER_PID_2 = 12; - -constexpr unsigned int INIT_CAP = 0x02e83def; -constexpr unsigned int KPROCESS_CAP = 0x02e83def; -constexpr unsigned int SHELL_CAP = 0x02e83def; -constexpr unsigned int HILOGCAT_CAP = 0x00000000; -constexpr unsigned int FOUNDATION_CAP = 0x00003c00; -constexpr unsigned int BUNDLE_DAEMON_CAP = 0x00000007; -constexpr unsigned int APPSPAWN_CAP = 0x008009c4; -constexpr unsigned int MEDIA_SERVER_CAP = 0x00000000; -constexpr unsigned int WMS_SERVER_OR_AI_SERVER_CAP = 0x00000000; -constexpr unsigned int HIVIEW_CAP = 0x00000000; -constexpr unsigned int LINUX_FULL_CAP = 0xffffffff; -constexpr unsigned int OHOS_FULL_CAP = 0x02e83def; -constexpr unsigned int NO_CAP = 0x00000000; -constexpr unsigned int ONLY_SETPCAP_CAP = 0x00000100; - -constexpr int CAP_NUM = 2; -constexpr int INVALID_CAP_TO_INDEX = 40; -constexpr int MAX_PATH_SIZE = 256; -constexpr int INVAILD_PID = 65536; -constexpr int SLEEP_NUM = 100000; -constexpr int LONG_SLEEP_NUM = 2000000; -constexpr int PID_MAX = 4194305; - -constexpr mode_t ZERO = 0000; -constexpr mode_t NORWX = 0001; -constexpr mode_t RWX = 0777; - -constexpr uid_t UID0 = 0; -constexpr uid_t UID1 = 1; -constexpr uid_t UID555 = 555; -constexpr uid_t UID1000 = 1000; -constexpr uid_t UID10000 = 10000; -constexpr uid_t UID20000 = 20000; -constexpr gid_t GID0 = 0; -constexpr gid_t GID1 = 1; -constexpr gid_t GID555 = 555; -constexpr gid_t GID1000 = 1000; -constexpr gid_t GID10000 = 10000; -constexpr gid_t GID20000 = 20000; -constexpr gid_t GROUPLIST[NUM3] = { 500, 500, 500 }; - -constexpr size_t SIZE512 = 512; - -// Creating Folders and Files for the Test -#define CAPDIR0 "CAPDIR0" // DIR0/ -#define CAPDIR0_CAPFILE0 "CAPDIR0_CAPFILE0" // ├── DIR0_FILE0 -#define CAPDIR0_CAPFILE1 "CAPDIR0_CAPFILE1" // ├── DIR0_FILE1 -#define CAPDIR0_CAPDIR0 "CAPDIR0_CAPDIR0" // ├── DIR0_DIR0/ -#define CAPDIR0_CAPDIR1 "CAPDIR0_CAPDIR1" // └── DIR0_DIR1/ - -extern "C" { -#define LOG(format, ...) printf("%s:%d:\n" format "\n", __FILE__, __LINE__, ##__VA_ARGS__); -} - -void Sigac(int i); - -void ChildSleep(); - -int CapInit(); - -int DropCAPCHOWN(); - -int DropCAPDACOVERRIDE(); - -int DropCAPDACREADSEARCH(); - -int DropCAPDACOVERRIDEAndREADSEARCH(); - -int DropCAPFOWNER(); - -int DropCAPKILL(); - -int DropCAPSETGID(); - -int DropCAPSETUID(); - -int DropCAPSETPCAP(); - -int DropCAPSYSNICE(); - -int DropCAPSYSTIME(); - -int DropAllCAP(); - -int RemoveDir(const char *dirname); - -int SetUidGid(uid_t uid, gid_t gid); - -timespec CompareTime(timespec start, timespec end); - -char *GetCurrentPath(); - -int CheckFsMount(const char *topDir, const char *topDirMountInfo); - -#endif diff --git a/security_lite/permission_posix/capability/src/CapabilityFileSystemTest.cpp b/security_lite/permission_posix/capability/src/CapabilityFileSystemTest.cpp deleted file mode 100755 index 1b7c1c147..000000000 --- a/security_lite/permission_posix/capability/src/CapabilityFileSystemTest.cpp +++ /dev/null @@ -1,61 +0,0 @@ -/* - * Copyright (c) 2021 Huawei Device Co., Ltd. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#include "CapabilityFileSystemTest.h" -#include -#include "ActsCapabilityTest.h" - -using namespace testing::ext; - -// Preset action of the test suite, which is executed before the first test case -void CapabilityTestSuite::SetUp() -{ - // Permission mask preset when creating a file - umask(ZERO); - // Init capabilities - CapInit(); - // Initialize the process and set the uid and gid of the process to zero - SetUidGid(UID0, GID0); - // Delete the 'TOP_DIR/CAPDIR0' if the directory exists - RemoveDir(TOP_DIR "/" CAPDIR0); - // Obtain the current working directory of the test code - mCurPath = GetCurrentPath(); - // Modify the current working directory of the test code - int ret = chdir(TOP_DIR); - if (ret != 0) { - LOG("ErrInfo: Failed to chdir to %s, ret=%d, errno=%d", TOP_DIR, ret, errno); - } -} - -// Test suite cleanup action, which is executed after the last test case -void CapabilityTestSuite::TearDown() -{ - // Delete the 'TOP_DIR/CAPDIR0' if the directory exists - RemoveDir(TOP_DIR "/" CAPDIR0); - // Restore the working directory of the test code - int ret = chdir(mCurPath); - if (ret != 0) { - LOG("ErrInfo: Failed to chdir to %s, ret=%d, errno=%d", mCurPath, ret, errno); - } -} - -int main(int argc, char *argv[]) -{ - testing::GTEST_FLAG(output) = "xml:"; - testing::InitGoogleTest(&argc, argv); - if (CheckFsMount(TOP_DIR, TOP_DIR_MOUNT_INFO) != 0) { - return 1; - } - return RUN_ALL_TESTS(); -} \ No newline at end of file diff --git a/security_lite/permission_posix/capability/src/CapabilityFileSystemTest.h b/security_lite/permission_posix/capability/src/CapabilityFileSystemTest.h deleted file mode 100755 index 2e6d2e429..000000000 --- a/security_lite/permission_posix/capability/src/CapabilityFileSystemTest.h +++ /dev/null @@ -1,28 +0,0 @@ -/* - * Copyright (c) 2021 Huawei Device Co., Ltd. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#ifndef XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_CAPABILITY_SRC_CAPABILITYFILESYSTEMTEST_H -#define XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_CAPABILITY_SRC_CAPABILITYFILESYSTEMTEST_H - -#include - -class CapabilityTestSuite : public::testing::Test { -protected: - char *mCurPath; - void SetUp(); - void TearDown(); -}; - -#endif \ No newline at end of file diff --git a/security_lite/permission_posix/capability/vfat/BUILD.gn b/security_lite/permission_posix/capability/vfat/BUILD.gn deleted file mode 100755 index e71a8c951..000000000 --- a/security_lite/permission_posix/capability/vfat/BUILD.gn +++ /dev/null @@ -1,57 +0,0 @@ -# Copyright (c) 2021 Huawei Device Co., Ltd. -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -import("//build/lite/config/subsystem/aafwk/config.gni") -import("//test/xts/tools/lite/build/suite_lite.gni") - -hcpptest_suite("ActsVFATCapabilityTest") { - suite_name = "acts" - sources = [ - "../src/ActsCapability.cpp", - "../src/ActsCapabilityTest.cpp", - "../src/CapabilityFileSystemTest.cpp", - ] - - include_dirs = [ - "../src", - "//third_party/bounds_checking_function/include", - ] - - public_deps = [ "//third_party/bounds_checking_function:libsec_shared" ] - - cflags_cc = [ - "-Wno-write-strings", - "-Wno-sign-compare", - ] - - ldflags = [ - "-lstdc++", - "-lm", - "-lpthread", - ] - - if (enable_ohos_appexecfwk_feature_ability == true) { - defines = [ - "_BOARD_HI3516_", - "LITE_FS_VFAT", - "TOP_DIR=\"/sdcard\"", - "TOP_DIR_MOUNT_INFO=\"/sdcard vfat\"", - ] - } else { - defines = [ - "LITE_FS_VFAT", - "TOP_DIR=\"/sdcard\"", - "TOP_DIR_MOUNT_INFO=\"/sdcard vfat\"", - ] - } -} diff --git a/security_lite/permission_posix/capability/vfat/Test.json b/security_lite/permission_posix/capability/vfat/Test.json deleted file mode 100644 index 694fcfa01..000000000 --- a/security_lite/permission_posix/capability/vfat/Test.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "description": "Config for hcpptest demo test cases", - "environment": [ - { - "type": "device", - "label": "ipcamera" - } - ], - "kits": [ - { - "type": "MountKit", - "server": "NfsServer", - "mount": [ - { - "source": "testcases/security", - "target": "/test_root/security" - } - ] - } - ], - "driver": { - "type": "CppTestLite", - "execute": "/test_root/security/ActsVFATCapabilityTest.bin" - } -} \ No newline at end of file diff --git a/security_lite/permission_posix/dac/BUILD.gn b/security_lite/permission_posix/dac/BUILD.gn deleted file mode 100755 index 428e6b127..000000000 --- a/security_lite/permission_posix/dac/BUILD.gn +++ /dev/null @@ -1,16 +0,0 @@ -# Copyright (c) 2020-2021 Huawei Device Co., Ltd. -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -group("ActsDacTest") { - deps = [ "./vfat:ActsVFATDACTest" ] -} diff --git a/security_lite/permission_posix/dac/src/ActsDacPreTest.cpp b/security_lite/permission_posix/dac/src/ActsDacPreTest.cpp deleted file mode 100755 index 0decd1324..000000000 --- a/security_lite/permission_posix/dac/src/ActsDacPreTest.cpp +++ /dev/null @@ -1,985 +0,0 @@ -/* - * Copyright (c) 2020-2021 Huawei Device Co., Ltd. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#include "ActsDacTest.h" -#include -#include -#include -#include -#include -#include "gtest/gtest.h" -#include "ActsCapabilityTest.h" -#include "DACFileSystemTest.h" - -using namespace std; -using namespace testing::ext; - -#if defined(LITE_FS_VFAT) -static int TestSetUid() -{ - // Test the 'setuid' interface - int ret = 0; - uid_t ruid = 0; - uid_t euid = 0; - uid_t suid = 0; - // Step 1: Verify that UID is set to 0 - ret = setuid(UID0); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set uid=0, now process uid=%d", getuid()); - return FALSE; - } - // To test the function of invoking the setuid interface to set the UID=0 - getresuid(&ruid, &euid, &suid); - EXPECT_EQ(ruid, UID0) << "Failed to set ruid=0: ruid=" << ruid; - EXPECT_EQ(euid, UID0) << "Failed to set euid=0: euid=" << euid; - EXPECT_EQ(suid, UID0) << "Failed to set suid=0: suid=" << suid; - // Step 2: Verify that UID is set to 1000 - ret = setuid(UID1000); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set uid=1000, now process uid=%d", getuid()); - return FALSE; - } - // To test the function of invoking the setuid interface to set the UID=1000 - getresuid(&ruid, &euid, &suid); - EXPECT_EQ(ruid, UID1000) << "Failed to set ruid=1000: ruid=" << ruid; - EXPECT_EQ(euid, UID1000) << "Failed to set euid=1000: euid=" << euid; - EXPECT_EQ(suid, UID1000) << "Failed to set suid=1000: suid=" << suid; - // Step 3: Verify that UID is set to 10000 - ret = setuid(UID10000); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set uid=10000, now process uid=%d", getuid()); - return FALSE; - } - // To test the function of invoking the setuid interface to set the UID=10000 - getresuid(&ruid, &euid, &suid); - EXPECT_EQ(ruid, UID10000) << "Failed to set ruid=10000: ruid=" << ruid; - EXPECT_EQ(euid, UID10000) << "Failed to set euid=10000: euid=" << euid; - EXPECT_EQ(suid, UID10000) << "Failed to set suid=10000: suid=" << suid; - // Step 4: Verify that UID is set to 2147483647 - ret = setuid(MAX_INT); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set uid=2147483647, now process uid=%d", getuid()); - return FALSE; - } - // To test the function of invoking the setuid interface to set the UID=2147483647 - getresuid(&ruid, &euid, &suid); - EXPECT_EQ(ruid, MAX_INT) << "Failed to set ruid=2147483647: ruid=" << ruid; - EXPECT_EQ(euid, MAX_INT) << "Failed to set euid=2147483647: euid=" << euid; - EXPECT_EQ(suid, MAX_INT) << "Failed to set suid=2147483647: suid=" << suid; - return 0; -} - -static int TestSetREUid() -{ - // Test the 'setreuid' interface - int ret = 0; - uid_t ruid = 0; - uid_t euid = 0; - uid_t suid = 0; - // Step 1: Verify that UID is set to 0 - ret = setreuid(UID0, UID0); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set uid=0, now process uid=%d", getuid()); - return FALSE; - } - // To test the function of invoking the setuid interface to set the UID=0 - getresuid(&ruid, &euid, &suid); - EXPECT_EQ(ruid, UID0) << "Failed to set ruid=0: ruid=" << ruid; - EXPECT_EQ(euid, UID0) << "Failed to set euid=0: euid=" << euid; - EXPECT_EQ(suid, UID0) << "Failed to set suid=0: suid=" << suid; - // Step 2: Verify that UID is set to 1000 - ret = setreuid(UID1000, UID1000); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set uid=1000, now process uid=%d", getuid()); - return FALSE; - } - // To test the function of invoking the setuid interface to set the UID=1000 - getresuid(&ruid, &euid, &suid); - EXPECT_EQ(ruid, UID1000) << "Failed to set ruid=1000: ruid=" << ruid; - EXPECT_EQ(euid, UID1000) << "Failed to set euid=1000: euid=" << euid; - EXPECT_EQ(suid, UID1000) << "Failed to set suid=1000: suid=" << suid; - // Step 3: Verify that UID is set to 10000 - ret = setreuid(UID10000, UID10000); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set uid=10000, now process uid=%d", getuid()); - return FALSE; - } - // To test the function of invoking the setuid interface to set the UID=10000 - getresuid(&ruid, &euid, &suid); - EXPECT_EQ(ruid, UID10000) << "Failed to set ruid=10000: ruid=" << ruid; - EXPECT_EQ(euid, UID10000) << "Failed to set euid=10000: euid=" << euid; - EXPECT_EQ(suid, UID10000) << "Failed to set suid=10000: suid=" << suid; - // Step 4: Verify that UID is set to 2147483647 - ret = setreuid(MAX_INT, MAX_INT); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set uid=2147483647, now process uid=%d", getuid()); - return FALSE; - } - // To test the function of invoking the setuid interface to set the UID=2147483647 - getresuid(&ruid, &euid, &suid); - EXPECT_EQ(ruid, MAX_INT) << "Failed to set ruid=2147483647: ruid=" << ruid; - EXPECT_EQ(euid, MAX_INT) << "Failed to set euid=2147483647: euid=" << euid; - EXPECT_EQ(suid, MAX_INT) << "Failed to set suid=2147483647: suid=" << suid; - return 0; -} - -static int TestSetRESUid() -{ - // Test the 'setresuid' interface - int ret = 0; - uid_t ruid = 0; - uid_t euid = 0; - uid_t suid = 0; - // Step 1: Verify that UID is set to 0 - ret = setresuid(UID0, UID0, UID0); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set uid=0, now process uid=%d", getuid()); - return FALSE; - } - // To test the function of invoking the setuid interface to set the UID=0 - getresuid(&ruid, &euid, &suid); - EXPECT_EQ(ruid, UID0) << "Failed to set ruid=0: ruid=" << ruid; - EXPECT_EQ(euid, UID0) << "Failed to set euid=0: euid=" << euid; - EXPECT_EQ(suid, UID0) << "Failed to set suid=0: suid=" << suid; - // Step 2: Verify that UID is set to 1000 - ret = setresuid(UID1000, UID1000, UID1000); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set uid=1000, now process uid=%d", getuid()); - return FALSE; - } - // To test the function of invoking the setuid interface to set the UID=1000 - getresuid(&ruid, &euid, &suid); - EXPECT_EQ(ruid, UID1000) << "Failed to set ruid=1000: ruid=" << ruid; - EXPECT_EQ(euid, UID1000) << "Failed to set euid=1000: euid=" << euid; - EXPECT_EQ(suid, UID1000) << "Failed to set suid=1000: suid=" << suid; - // Step 3: Verify that UID is set to 10000 - ret = setresuid(UID10000, UID10000, UID10000); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set uid=10000, now process uid=%d", getuid()); - return FALSE; - } - // To test the function of invoking the setuid interface to set the UID=10000 - getresuid(&ruid, &euid, &suid); - EXPECT_EQ(ruid, UID10000) << "Failed to set ruid=10000: ruid=" << ruid; - EXPECT_EQ(euid, UID10000) << "Failed to set euid=10000: euid=" << euid; - EXPECT_EQ(suid, UID10000) << "Failed to set suid=10000: suid=" << suid; - // Step 4: Verify that UID is set to 2147483647 - ret = setresuid(MAX_INT, MAX_INT, MAX_INT); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set uid=2147483647, now process uid=%d", getuid()); - return FALSE; - } - // To test the function of invoking the setuid interface to set the UID=2147483647 - getresuid(&ruid, &euid, &suid); - EXPECT_EQ(ruid, MAX_INT) << "Failed to set ruid=2147483647: ruid=" << ruid; - EXPECT_EQ(euid, MAX_INT) << "Failed to set euid=2147483647: euid=" << euid; - EXPECT_EQ(suid, MAX_INT) << "Failed to set suid=2147483647: suid=" << suid; - return 0; -} - -static int TestSetUidAbnormal() -{ - // Enter the exception parameter when invoke the 'setuid','setreuid','setresuid' interface - int ret = 0; - uid_t newruid = 0; - uid_t neweuid = 0; - uid_t newsuid = 0; - uid_t ruid = 0; - uid_t euid = 0; - uid_t suid = 0; - // Obtain the ruid, euid, suid of the current process - getresuid(&ruid, &euid, &suid); - // Step 1: Verify that UID is set to -100 with the 'setuid' interface - ret = setuid(ABNORMALINT); - if (ret != FALSE) { - EXPECT_EQ(ret, FALSE); - LOG("ErrInfo: Set uid=-100, now process uid=%d", getuid()); - return FALSE; - } - // To test the function of invoking the 'setuid' interface to set the UID=-100 - getresuid(&newruid, &neweuid, &newsuid); - EXPECT_EQ(newruid, ruid) << "The value of ruid changes after an invalid parameter is entered: ruid=" << ruid; - EXPECT_EQ(neweuid, euid) << "The value of euid changes after an invalid parameter is entered: euid=" << euid; - EXPECT_EQ(newsuid, suid) << "The value of suid changes after an invalid parameter is entered: suid=" << suid; - // Step 2: Verify that UID is set to -100 with the 'setreuid' interface - ret = setreuid(ABNORMALINT, ABNORMALINT); - if (ret != FALSE) { - EXPECT_EQ(ret, FALSE); - LOG("ErrInfo: Set uid=-100, now process uid=%d", getuid()); - return FALSE; - } - // To test the function of invoking the 'setuid' interface to set the UID=-100 - getresuid(&newruid, &neweuid, &newsuid); - EXPECT_EQ(newruid, ruid) << "The value of ruid changes after an invalid parameter is entered: ruid=" << ruid; - EXPECT_EQ(neweuid, euid) << "The value of euid changes after an invalid parameter is entered: euid=" << euid; - EXPECT_EQ(newsuid, suid) << "The value of suid changes after an invalid parameter is entered: suid=" << suid; - // Step 3: Verify that UID is set to -100 with the 'setreuid' interface - ret = setresuid(ABNORMALINT, ABNORMALINT, ABNORMALINT); - if (ret != FALSE) { - EXPECT_EQ(ret, FALSE); - LOG("ErrInfo: Set uid=-100, now process uid=%d", getuid()); - return FALSE; - } - // To test the function of invoking the 'setuid' interface to set the UID=-100 - getresuid(&newruid, &neweuid, &newsuid); - EXPECT_EQ(newruid, ruid) << "The value of ruid changes after an invalid parameter is entered: ruid=" << ruid; - EXPECT_EQ(neweuid, euid) << "The value of euid changes after an invalid parameter is entered: euid=" << euid; - EXPECT_EQ(newsuid, suid) << "The value of suid changes after an invalid parameter is entered: suid=" << suid; - return 0; -} - -static int TestSetGid() -{ - // Test the 'setgid' interface - int ret = 0; - gid_t rgid = 0; - gid_t egid = 0; - gid_t sgid = 0; - // Step 1: Verify that GID is set to 0 - ret = setgid(GID0); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set gid=0, now process gid=%d", getgid()); - return FALSE; - } - // To test the function of invoking the setgid interface to set the GID=0 - getresgid(&rgid, &egid, &sgid); - EXPECT_EQ(rgid, GID0) << "Failed to set rgid=0: rgid=" << rgid; - EXPECT_EQ(egid, GID0) << "Failed to set egid=0: egid=" << egid; - EXPECT_EQ(sgid, GID0) << "Failed to set sgid=0: sgid=" << sgid; - // Step 2: Verify that GID is set to 1000 - ret = setgid(GID1000); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set gid=1000, now process gid=%d", getgid()); - return FALSE; - } - // To test the function of invoking the setgid interface to set the GID=1000 - getresgid(&rgid, &egid, &sgid); - EXPECT_EQ(rgid, GID1000) << "Failed to set rgid=1000: rgid=" << rgid; - EXPECT_EQ(egid, GID1000) << "Failed to set egid=1000: egid=" << egid; - EXPECT_EQ(sgid, GID1000) << "Failed to set sgid=1000: sgid=" << sgid; - // Step 3: Verify that GID is set to 10000 - ret = setgid(GID10000); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set gid=10000, now process gid=%d", getgid()); - return FALSE; - } - // To test the function of invoking the setgid interface to set the GID=10000 - getresgid(&rgid, &egid, &sgid); - EXPECT_EQ(rgid, GID10000) << "Failed to set rgid=10000: rgid=" << rgid; - EXPECT_EQ(egid, GID10000) << "Failed to set egid=10000: egid=" << egid; - EXPECT_EQ(sgid, GID10000) << "Failed to set sgid=10000: sgid=" << sgid; - // Step 4: Verify that GID is set to 2147483647 - ret = setgid(MAX_INT); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set gid=2147483647, now process gid=%d", getgid()); - return FALSE; - } - // To test the function of invoking the setgid interface to set the GID=2147483647 - getresgid(&rgid, &egid, &sgid); - EXPECT_EQ(rgid, MAX_INT) << "Failed to set rgid=2147483647: rgid=" << rgid; - EXPECT_EQ(egid, MAX_INT) << "Failed to set egid=2147483647: egid=" << egid; - EXPECT_EQ(sgid, MAX_INT) << "Failed to set sgid=2147483647: sgid=" << sgid; - return 0; -} - -static int TestSetREGid() -{ - // Test the 'setregid' interface - int ret = 0; - gid_t rgid = 0; - gid_t egid = 0; - gid_t sgid = 0; - // Step 1: Verify that GID is set to 0 - ret = setregid(GID0, GID0); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set gid=0, now process gid=%d", getgid()); - return FALSE; - } - // To test the function of invoking the setgid interface to set the GID=0 - getresgid(&rgid, &egid, &sgid); - EXPECT_EQ(rgid, GID0) << "Failed to set rgid=0: rgid=" << rgid; - EXPECT_EQ(egid, GID0) << "Failed to set egid=0: egid=" << egid; - EXPECT_EQ(sgid, GID0) << "Failed to set sgid=0: sgid=" << sgid; - // Step 2: Verify that GID is set to 1000 - ret = setregid(GID1000, GID1000); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set gid=1000, now process gid=%d", getgid()); - return FALSE; - } - // To test the function of invoking the setgid interface to set the GID=1000 - getresgid(&rgid, &egid, &sgid); - EXPECT_EQ(rgid, GID1000) << "Failed to set rgid=1000: rgid=" << rgid; - EXPECT_EQ(egid, GID1000) << "Failed to set egid=1000: egid=" << egid; - EXPECT_EQ(sgid, GID1000) << "Failed to set sgid=1000: sgid=" << sgid; - // Step 3: Verify that GID is set to 10000 - ret = setregid(GID10000, GID10000); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set gid=10000, now process gid=%d", getgid()); - return FALSE; - } - // To test the function of invoking the setgid interface to set the GID=10000 - getresgid(&rgid, &egid, &sgid); - EXPECT_EQ(rgid, GID10000) << "Failed to set rgid=10000: rgid=" << rgid; - EXPECT_EQ(egid, GID10000) << "Failed to set egid=10000: egid=" << egid; - EXPECT_EQ(sgid, GID10000) << "Failed to set sgid=10000: sgid=" << sgid; - // Step 4: Verify that GID is set to 2147483647 - ret = setregid(MAX_INT, MAX_INT); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set gid=2147483647, now process gid=%d", getgid()); - return FALSE; - } - // To test the function of invoking the setgid interface to set the GID=2147483647 - getresgid(&rgid, &egid, &sgid); - EXPECT_EQ(rgid, MAX_INT) << "Failed to set rgid=2147483647: rgid=" << rgid; - EXPECT_EQ(egid, MAX_INT) << "Failed to set egid=2147483647: egid=" << egid; - EXPECT_EQ(sgid, MAX_INT) << "Failed to set sgid=2147483647: sgid=" << sgid; - return 0; -} - -static int TestSetRESGid() -{ - // Test the 'setresgid' interface - int ret = 0; - gid_t rgid = 0; - gid_t egid = 0; - gid_t sgid = 0; - // Step 1: Verify that GID is set to 0 - ret = setresgid(GID0, GID0, GID0); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set gid=0, now process gid=%d", getgid()); - return FALSE; - } - // To test the function of invoking the setgid interface to set the GID=0 - getresgid(&rgid, &egid, &sgid); - EXPECT_EQ(rgid, GID0) << "Failed to set rgid=0: rgid=" << rgid; - EXPECT_EQ(egid, GID0) << "Failed to set egid=0: egid=" << egid; - EXPECT_EQ(sgid, GID0) << "Failed to set sgid=0: sgid=" << sgid; - // Step 2: Verify that GID is set to 1000 - ret = setresgid(GID1000, GID1000, GID1000); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set gid=1000, now process gid=%d", getgid()); - return FALSE; - } - // To test the function of invoking the setgid interface to set the GID=1000 - getresgid(&rgid, &egid, &sgid); - EXPECT_EQ(rgid, GID1000) << "Failed to set rgid=1000: rgid=" << rgid; - EXPECT_EQ(egid, GID1000) << "Failed to set egid=1000: egid=" << egid; - EXPECT_EQ(sgid, GID1000) << "Failed to set sgid=1000: sgid=" << sgid; - // Step 3: Verify that GID is set to 10000 - ret = setresgid(GID10000, GID10000, GID10000); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set gid=10000, now process gid=%d", getgid()); - return FALSE; - } - // To test the function of invoking the setgid interface to set the GID=10000 - getresgid(&rgid, &egid, &sgid); - EXPECT_EQ(rgid, GID10000) << "Failed to set rgid=10000: rgid=" << rgid; - EXPECT_EQ(egid, GID10000) << "Failed to set egid=10000: egid=" << egid; - EXPECT_EQ(sgid, GID10000) << "Failed to set sgid=10000: sgid=" << sgid; - // Step 4: Verify that GID is set to 2147483647 - ret = setresgid(MAX_INT, MAX_INT, MAX_INT); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set gid=2147483647, now process gid=%d", getgid()); - return FALSE; - } - // To test the function of invoking the setgid interface to set the GID=2147483647 - getresgid(&rgid, &egid, &sgid); - EXPECT_EQ(rgid, MAX_INT) << "Failed to set rgid=2147483647: rgid=" << rgid; - EXPECT_EQ(egid, MAX_INT) << "Failed to set egid=2147483647: egid=" << egid; - EXPECT_EQ(sgid, MAX_INT) << "Failed to set sgid=2147483647: sgid=" << sgid; - return 0; -} - -static int TestSetGidAbnormal() -{ - // Enter the exception parameter when invoke the 'setgid','setregid','setresgid' interface - int ret = 0; - gid_t newrgid = 0; - gid_t newegid = 0; - gid_t newsgid = 0; - gid_t rgid = 0; - gid_t egid = 0; - gid_t sgid = 0; - // Obtain the rgid, egid, sgid of the current process - getresgid(&rgid, &egid, &sgid); - // Step 1: Verify that GID is set to -100 with the 'setgid' interface - ret = setgid(ABNORMALINT); - if (ret != FALSE) { - EXPECT_EQ(ret, FALSE); - LOG("ErrInfo: Set gid=-100, now process gid=%d", getgid()); - return FALSE; - } - // To test the function of invoking the 'setgid' interface to set the GID=-100 - getresgid(&newrgid, &newegid, &newsgid); - EXPECT_EQ(newrgid, rgid) << "The value of rgid changes after an invalid parameter is entered: rgid=" << rgid; - EXPECT_EQ(newegid, egid) << "The value of egid changes after an invalid parameter is entered: egid=" << egid; - EXPECT_EQ(newsgid, sgid) << "The value of sgid changes after an invalid parameter is entered: sgid=" << sgid; - // Step 2: Verify that GID is set to -100 with the 'setregid' interface - ret = setregid(ABNORMALINT, ABNORMALINT); - if (ret != FALSE) { - EXPECT_EQ(ret, FALSE); - LOG("ErrInfo: Set gid=-100, now process gid=%d", getgid()); - return FALSE; - } - // To test the function of invoking the 'setgid' interface to set the GID=-100 - getresgid(&newrgid, &newegid, &newsgid); - EXPECT_EQ(newrgid, rgid) << "The value of rgid changes after an invalid parameter is entered: rgid=" << rgid; - EXPECT_EQ(newegid, egid) << "The value of egid changes after an invalid parameter is entered: egid=" << egid; - EXPECT_EQ(newsgid, sgid) << "The value of sgid changes after an invalid parameter is entered: sgid=" << sgid; - // Step 3: Verify that GID is set to -100 with the 'setregid' interface - ret = setresgid(ABNORMALINT, ABNORMALINT, ABNORMALINT); - if (ret != FALSE) { - EXPECT_EQ(ret, FALSE); - LOG("ErrInfo: Set gid=-100, now process gid=%d", getgid()); - return FALSE; - } - // To test the function of invoking the 'setgid' interface to set the GID=-100 - getresgid(&newrgid, &newegid, &newsgid); - EXPECT_EQ(newrgid, rgid) << "The value of rgid changes after an invalid parameter is entered: rgid=" << rgid; - EXPECT_EQ(newegid, egid) << "The value of egid changes after an invalid parameter is entered: egid=" << egid; - EXPECT_EQ(newsgid, sgid) << "The value of sgid changes after an invalid parameter is entered: sgid=" << sgid; - return 0; -} - -static int TestSetGroups() -{ - // Test the 'setgroups' interface - int ret; - gid_t list[SIZE255]; - for (size_t num = 0; num < SIZE253; num++) { - list[num] = num; - } - list[SIZE254] = MAX_INT; - ret = setgroups(SIZE255, list); - if (ret != 0) { - EXPECT_EQ(ret, 0); - LOG("ErrInfo: Failed to set groups"); - return FALSE; - } - return 0; -} - -static void TsetFork(uid_t uid, gid_t gid, size_t size, const gid_t list[]) -{ - // The sub process inherits the UID, GID, and groups of the parent process - int ret; - int status = 0; - gid_t reallist[SIZE255]; - // Preset action: Adjust the UID, GID, and groups of the parent process - ret = setuid(uid); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set uid, now process uid=" << getuid(); - ret = setgid(gid); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set gid, now process gid=" << getgid(); - setgroups(0, nullptr); - ret = setgroups(size, list); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set groups"; - // Preset action: Fork a sub process - pid_t pid = fork(); - ASSERT_TRUE(pid >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - if (pid == 0) { - int exitCode = 0; - // Step 1: Inheritance test of sub process UID - uid_t retuid = getuid(); - if (retuid != uid) { - LOG("ErrInfo: The sub process UID changes when fork process, now process uid=%d", getuid()); - exitCode = 1; - } - // Step 2: Inheritance test of sub process GID - gid_t retgid = getgid(); - if (retgid != gid) { - LOG("ErrInfo: The sub process GID changes when fork process, now process gid=%d", getgid()); - exitCode = 1; - } - // Step 3: Inheritance test of sub process groups - int retgroups = getgroups(0, reallist); - if (retgroups == FALSE) { - LOG("ErrInfo: Failed to get groups"); - exitCode = 1; - } - // Step 4: The sub process exit with the exitCode - exit(exitCode); - } else { - // Step 5: The parent process wait for the sub process to exit and obtain the exitCode - waitpid(pid, &status, 0); - EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid; - EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid; - } -} - -static int ChangeSensitiveInformation() -{ - int fd = 0; - int ret = 0; - int exitCode = 0; - char dac[] = "DACPreTest!\n"; - // Failed to read sensitive information - fd = open("/proc/process", O_WRONLY); - if (fd >= 0) { - ret = write(fd, dac, sizeof(dac)); - if (ret != FALSE) { - LOG("ErrInfo: Change sensitive information, ret = %d", ret); - exitCode = 1; - } - close(fd); - } - return exitCode; -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0010 - * @tc.name : Invoke the interface to set the process UID - * @tc.desc : [C- SECURITY -0200] - */ -HWTEST_F(DacTestSuite, DACTest0010, Function | MediumTest | Level1) -{ - int ret = 0; - uid_t ruid = 0; - uid_t euid = 0; - uid_t suid = 0; - uid_t newruid = 0; - uid_t neweuid = 0; - uid_t newsuid = 0; - // Preset action: Obtain the ruid, euid, suid of the current process - getresuid(&ruid, &euid, &suid); - // Step 1: Test the 'setuid' interface - ret = TestSetUid(); - EXPECT_EQ(ret, 0) << "ErrInfo: TestSetUid() exit error"; - // Step 2: Test the 'setreuid' interface - ret = TestSetREUid(); - EXPECT_EQ(ret, 0) << "ErrInfo: TestSetREUid() exit error"; - // Step 3: Test the 'setreuid' interface - ret = TestSetRESUid(); - EXPECT_EQ(ret, 0) << "ErrInfo: TestSetRESUid() exit error"; - // Step 4: Enter the exception parameter when invoke the 'setuid','setreuid','setresuid' interface - ret = TestSetUidAbnormal(); - EXPECT_EQ(ret, 0) << "ErrInfo: TestSetUidAbnormal() exit error"; - // Cleanup action: Restore the initial UID of the process - ret = setresuid(ruid, euid, suid); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to restore the initial UID of the process"; - getresuid(&newruid, &neweuid, &newsuid); - EXPECT_EQ(newruid, ruid) << "The value of ruid changes after testcase: ruid=" << ruid; - EXPECT_EQ(neweuid, euid) << "The value of euid changes after testcase: euid=" << euid; - EXPECT_EQ(newsuid, suid) << "The value of suid changes after testcase: suid=" << suid; -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0020 - * @tc.name : Invoke the interface to set the process GID - * @tc.desc : [C- SECURITY -0200] - */ -HWTEST_F(DacTestSuite, DACTest0020, Function | MediumTest | Level1) -{ - int ret = 0; - gid_t rgid = 0; - gid_t egid = 0; - gid_t sgid = 0; - gid_t newrgid = 0; - gid_t newegid = 0; - gid_t newsgid = 0; - // Preset action: Obtain the rgid, egid, sgid of the current process - getresgid(&rgid, &egid, &sgid); - // Step 1: Test the 'setgid' interface - ret = TestSetGid(); - EXPECT_EQ(ret, 0) << "ErrInfo: TestSetGid() exit error"; - // Step 2: Test the 'setregid' interface - ret = TestSetREGid(); - EXPECT_EQ(ret, 0) << "ErrInfo: TestSetREGid() exit error"; - // Step 3: Test the 'setregid' interface - ret = TestSetRESGid(); - EXPECT_EQ(ret, 0) << "ErrInfo: TestSetRESGid() exit error"; - // Step 4: Enter the exception parameter when invoke the 'setgid','setregid','setresgid' interface - ret = TestSetGidAbnormal(); - EXPECT_EQ(ret, 0) << "ErrInfo: TestSetGidAbnormal() exit error"; - // Cleanup action: Restore the initial GID of the process - ret = setresgid(rgid, egid, sgid); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to restore the initial GID of the process"; - getresgid(&newrgid, &newegid, &newsgid); - EXPECT_EQ(newrgid, rgid) << "The value of rgid changes after testcase: rgid=" << rgid; - EXPECT_EQ(newegid, egid) << "The value of egid changes after testcase: egid=" << egid; - EXPECT_EQ(newsgid, sgid) << "The value of sgid changes after testcase: sgid=" << sgid; -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0030 - * @tc.name : Invoke the setgroups interface to set the process groups that contain a single GID or an empty value - * @tc.desc : [C- SECURITY -0200] - */ -HWTEST_F(DacTestSuite, DACTest0030, Function | MediumTest | Level1) -{ - int ret = 0; - gid_t grouplist[SIZE255]; - // Preset action: Obtain the groups of the current process - unsigned int groupsize = getgroups(0, grouplist); - if (groupsize >= 0) { - getgroups(groupsize, grouplist); - // Preset action: Obtain the group lists required for the testcase - gid_t list1[SIZE1] = {1}; - gid_t list2[SIZE1] = {MAX_INT}; - gid_t list3[SIZE1] = {}; - // Step 1: Set the group list to {1} - ret = setgroups(SIZE1, list1); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set the group list to {1}"; - // Step 2: Set the group list to {2147483647} - ret = setgroups(SIZE1, list2); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set the group list to {2147483647}"; - // Step 3: Set the group list to {} - ret = setgroups(SIZE1, list3); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set the group list to {}"; - // Cleanup action: Restore the initial groups of the process - setgroups(0, nullptr); - ret = setgroups(groupsize, grouplist); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to restore the initial groups of the process"; - } else { - EXPECT_GE(groupsize, 0) << "ErrInfo: Failed to get groups"; - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0040 - * @tc.name : Invoke the setgroups interface to set the process groups that contain the same GID - * @tc.desc : [C- SECURITY -0200] - */ -HWTEST_F(DacTestSuite, DACTest0040, Function | MediumTest | Level2) -{ - int ret = 0; - gid_t grouplist[SIZE255]; - // Preset action: Obtain the groups of the current process - unsigned int groupsize = getgroups(0, grouplist); - if (groupsize >= 0) { - getgroups(groupsize, grouplist); - // Preset action: Obtain the group lists required for the testcase - gid_t list1[SIZE2]={GID0, GID0}; - gid_t list2[SIZE2]={GID1, GID1}; - gid_t list3[SIZE2]={MAX_INT, MAX_INT}; - // Step 1: Set the group list to {0, 0} - ret = setgroups(SIZE2, list1); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set the group list to {0, 0}"; - // Step 2: Set the group list to {1, 1} - ret = setgroups(SIZE2, list2); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set the group list to {1, 1}"; - // Step 3: Set the group list to {2147483647, 2147483647} - ret = setgroups(SIZE2, list3); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set the group list to {2147483647, 2147483647}"; - // Cleanup action: Restore the initial groups of the process - setgroups(0, nullptr); - ret = setgroups(groupsize, grouplist); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to restore the initial groups of the process"; - } else { - EXPECT_GE(groupsize, 0) << "ErrInfo: Failed to get groups"; - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0050 - * @tc.name : Invoke the setgroups interface to set the process groups that contain the duplicate GIDs - * @tc.desc : [C- SECURITY -0200] - */ -HWTEST_F(DacTestSuite, DACTest0050, Function | MediumTest | Level3) -{ - int ret = 0; - gid_t grouplist[SIZE255]; - // Preset action: Obtain the groups of the current process - unsigned int groupsize = getgroups(0, grouplist); - if (groupsize >= 0) { - getgroups(groupsize, grouplist); - // Preset action: Obtain the group lists required for the testcase - gid_t list1[SIZE3]={GID0, GID0, MAX_INT}; - gid_t list2[SIZE3]={GID10000, GID10000, MAX_INT}; - gid_t list3[SIZE3]={GID0, MAX_INT, MAX_INT}; - // Step 1: Set the group list to {0, 0, 2147483647} - ret = setgroups(SIZE3, list1); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set the group list to {0, 0, 2147483647}"; - // Step 2: Set the group list to {10000, 10000, 2147483647} - ret = setgroups(SIZE3, list2); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set the group list to {10000, 10000, 2147483647}"; - // Step 3: Set the group list to {0, 2147483647, 2147483647} - ret = setgroups(SIZE3, list3); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set the group list to {0, 2147483647, 2147483647}"; - // Cleanup action: Restore the initial groups of the process - setgroups(0, nullptr); - ret = setgroups(groupsize, grouplist); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to restore the initial groups of the process"; - } else { - EXPECT_GE(groupsize, 0) << "ErrInfo: Failed to get groups"; - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0060 - * @tc.name : Invoke the setgroups interface to set the process groups that contain all different GIDs - * @tc.desc : [C- SECURITY -0200] - */ -HWTEST_F(DacTestSuite, DACTest0060, Function | MediumTest | Level3) -{ - int ret = 0; - gid_t grouplist[SIZE255]; - // Preset action: Obtain the groups of the current process - size_t groupsize = getgroups(0, grouplist); - if (groupsize >= 0) { - getgroups(groupsize, grouplist); - // Preset action: Obtain the group lists required for the testcase - gid_t list0[SIZE255]; - for (size_t num0 = 0; num0 < SIZE254; num0++) { - list0[num0] = num0; - } - list0[SIZE254] = MAX_INT; - gid_t list1[INVAILD_SIZE]; - for (size_t num1 = 0; num1 < MAX_SIZE; num1++) { - list1[num1] = num1; - } - list1[MAX_SIZE] = MAX_INT; - // Step 1: Set 255 different group lists - ret = setgroups(SIZE255, list0); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set the group list to {0, 1, 2, ..., 255}"; - // Step 2: Set the number of groups that exceed the upper limit - ret = setgroups(INVAILD_SIZE, list1); - EXPECT_EQ(ret, FALSE) << "ErrInfo: Set groups size over max, size=65537"; - // Cleanup action: Restore the initial groups of the process - setgroups(0, nullptr); - ret = setgroups(groupsize, grouplist); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to restore the initial groups of the process"; - } else { - EXPECT_GE(groupsize, 0) << "ErrInfo: Failed to get groups"; - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0070 - * @tc.name : Invoke the setuid, gid, and groups interfaces to set the uid, gid, - and groups of processes concurrently - * @tc.desc : [C- SECURITY -0200] - */ -HWTEST_F(DacTestSuite, DACTest0070, Security | MediumTest | Level2) -{ - int ret = 0; - int status = 0; - // Preset action: Fork three sub processes - pid_t pid; - for (int num = 0; num < NUM3; num++) { - pid = fork(); - ASSERT_TRUE(pid >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - if (pid == 0) { - break; - } - } - // get one parent & three children - if (pid == 0) { - int exitCode = 0; - for (int number = 0; number < NUM3000; number++) { - // Preset action: Initialize the subprocess UID, GID and groups - setuid(0); - setgid(0); - setgroups(0, nullptr); - // Step 1: Test the 'setuid' interface concurrently - ret = TestSetUid(); - if (ret != 0) { - LOG("ErrInfo: TestSetUid error during the %d time", number); - exitCode = 1; - break; - } - // Step 2: Test the 'setgid' interface concurrently - ret = TestSetGid(); - if (ret != 0) { - LOG("ErrInfo: TestSetGid error during the %d time", number); - exitCode = 1; - break; - } - // Step 2: Test the 'setgroups' interface concurrently - ret = TestSetGroups(); - if (ret != 0) { - LOG("ErrInfo: TestSetGroups error during the %d time", number); - exitCode = 1; - break; - } - } - // Step 3: Three sub processes exit with the exitCode - exit(exitCode); - } else { - // Step 4: The parent process wait for three sub processes to exit and obtain the exitCode - for (int num2 = 0; num2 < NUM3; num2++) { - wait(&status); - EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid; - EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: Pid = "<< pid - << ", its exitCode is wrong and test case failed, please query logs"; - } - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0080 - * @tc.name : Inheritance of process UID, GID and groups - * @tc.desc : [C- SECURITY -0200] - */ -HWTEST_F(DacTestSuite, DACTest0080, Function | MediumTest | Level2) -{ - int ret = 0; - uid_t ruid = 0; uid_t euid = 0; uid_t suid = 0; - uid_t newruid = 0; uid_t neweuid = 0; uid_t newsuid = 0; - gid_t rgid = 0; gid_t egid = 0; gid_t sgid = 0; - gid_t newrgid = 0; gid_t newegid = 0; gid_t newsgid = 0; - gid_t grouplist[SIZE255]; - // Preset action: Obtain the ruid, euid, suid of the current process - getresuid(&ruid, &euid, &suid); - // Preset action: Obtain the rgid, egid, sgid of the current process - getresgid(&rgid, &egid, &sgid); - // Preset action: Obtain the groups of the current process - int groupsize = getgroups(0, grouplist); - if (groupsize >= 0) { - getgroups(groupsize, grouplist); - // Preset action: Obtain the group lists required for the testcase - gid_t list1[SIZE1] = {GID10000}; - gid_t list2[SIZE1] = {}; - gid_t list3[SIZE255]; - for (size_t num = 0; num < SIZE254; num++) { - list3[num] = num; - } - list3[SIZE254] = MAX_INT; - // Step 1: Factor combination test of UID, GID, and groups - TsetFork(UID0, GID10000, SIZE1, list1); - TsetFork(UID10000, GID10000, SIZE1, list1); - TsetFork(MAX_INT, GID10000, SIZE1, list1); - TsetFork(UID10000, GID0, SIZE1, list1); - TsetFork(UID10000, MAX_INT, SIZE1, list1); - TsetFork(UID10000, GID10000, SIZE1, list2); - TsetFork(UID10000, GID10000, SIZE255, list3); - // Cleanup action: Restore the initial UID of the process - ret = setresuid(ruid, euid, suid); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to restore the initial UID of the process"; - getresuid(&newruid, &neweuid, &newsuid); - EXPECT_EQ(newruid, ruid) << "The value of ruid changes after testcase: ruid=" << ruid; - EXPECT_EQ(neweuid, euid) << "The value of euid changes after testcase: euid=" << euid; - EXPECT_EQ(newsuid, suid) << "The value of suid changes after testcase: suid=" << suid; - // Cleanup action: Restore the initial GID of the process - ret = setresgid(rgid, egid, sgid); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to restore the initial GID of the process"; - getresgid(&newrgid, &newegid, &newsgid); - EXPECT_EQ(newrgid, rgid) << "The value of rgid changes after testcase: rgid=" << rgid; - EXPECT_EQ(newegid, egid) << "The value of egid changes after testcase: egid=" << egid; - EXPECT_EQ(newsgid, sgid) << "The value of sgid changes after testcase: sgid=" << sgid; - // Cleanup action: Restore the initial groups of the process - setgroups(0, nullptr); - ret = setgroups(groupsize, grouplist); - EXPECT_EQ(ret, 0) << "ErrInfo: Failed to restore the initial groups of the process"; - } else { - EXPECT_GE(groupsize, 0) << "ErrInfo: Failed to get groups"; - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0120 - * @tc.name : Failed to use the third-party app UID to change sensitive information - * @tc.desc : [C- SECURITY -0200] - */ -HWTEST_F(DacTestSuite, DACTest0120, Security | MediumTest | Level2) -{ - int ret = 0; - int status = 0; - // Preset action: Fork a sub process - pid_t pid = fork(); - ASSERT_TRUE(pid >= 0) << "======== Fork Error! ========="; - usleep(SLEEP_NUM); - if (pid == 0) { - int exitCode = 0; - // Step 1: Set the process uid and gid to the third-party application uid and gid - ret = SetUidGid(UID20000, GID20000); - if (ret != 0) { - LOG("ErrInfo: Failed to set the process uid and gid"); - exitCode = 1; - } - // Step 2: Drop all the sub process capabilities - ret = DropAllCAP(); - if (ret != 0) { - LOG("ErrInfo: Failed to drop all the sub process capabilities"); - exitCode = 1; - } - // Step 3: Failed to change sensitive information - ret = ChangeSensitiveInformation(); - if (ret != 0) { - LOG("ErrInfo: change sensitive information"); - exitCode = 1; - } - // Step 4: The sub process exit with the exitCode - exit(exitCode); - } else { - // Step 5: The parent process wait for the sub process to exit and obtain the exitCode - waitpid(pid, &status, 0); - EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid; - EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid; - } -} - -/* - * @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0130 - * @tc.name : Performance test of the setuid, setgid and setgroups interface - * @tc.desc : [C- SECURITY -0200] - */ -HWTEST_F(DacTestSuite, DACTest0130, Performance | MediumTest | Level2) -{ - struct timespec tp = { 0 }; - struct timespec starttime = { 0 }; - struct timespec endtime = { 0 }; - tp.tv_sec = 0; - tp.tv_nsec = 0; - // Preset action: Obtain the group lists required for the testcase - gid_t list[SIZE255]; - for (size_t num = 0; num < SIZE253; num++) { - list[num] = num; - } - // Preset action: Obtains the system time -> starttime - clock_gettime(CLOCK_REALTIME, &starttime); - for (int number = 0; number < NUM10000; number++) { - list[SIZE254] = number; - // Step 1.1: Setuid for 10000 times - setuid(number); - // Step 1.2: Setgid for 10000 times - setgid(number); - // Step 1.3: Setgroups for 10000 times - setgroups(SIZE255, list); - } - // Step 2: Obtains the system time again -> endtime - clock_gettime(CLOCK_REALTIME, &endtime); - // Step 3: Compare the starttime and the endtime -> tp - tp = CompareTime(starttime, endtime); - EXPECT_LE(tp.tv_sec, NUM20) << "ErrInfo: Chown for 10000 times used " << tp.tv_sec << "." << tp.tv_nsec << "s"; - // Cleanup action: Restore the uid, gid and groups of the process to zero - SetUidGid(UID0, GID0); - setgroups(0, nullptr); -} -#endif diff --git a/security_lite/permission_posix/dac/src/ActsDacTest.h b/security_lite/permission_posix/dac/src/ActsDacTest.h deleted file mode 100755 index 2fbf5fb94..000000000 --- a/security_lite/permission_posix/dac/src/ActsDacTest.h +++ /dev/null @@ -1,142 +0,0 @@ -/* - * Copyright (c) 2020-2021 Huawei Device Co., Ltd. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#ifndef XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_DAC_SRC_ACTSDACTEST_H -#define XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_DAC_SRC_ACTSDACTEST_H - -#include -#include - -constexpr int ABNORMALINT = -100; -constexpr int SINGLESIZE = 1; -constexpr unsigned int MAX_INT = 2147483647; - -constexpr size_t SIZE1 = 1; -constexpr size_t SIZE2 = 2; -constexpr size_t SIZE3 = 3; -constexpr size_t SIZE253 = 253; -constexpr size_t SIZE254 = 254; -constexpr size_t SIZE255 = 255; -constexpr size_t MAX_SIZE = 65536; -constexpr size_t INVAILD_SIZE = 65537; - -constexpr mode_t CHMOD000 = 0000; -constexpr mode_t CHMOD013 = 0013; -constexpr mode_t CHMOD016 = 0016; -constexpr mode_t CHMOD027 = 0027; -constexpr mode_t CHMOD031 = 0031; -constexpr mode_t CHMOD044 = 0044; -constexpr mode_t CHMOD045 = 0045; -constexpr mode_t CHMOD052 = 0052; -constexpr mode_t CHMOD063 = 0063; -constexpr mode_t CHMOD074 = 0074; -constexpr mode_t CHMOD076 = 0076; -constexpr mode_t CHMOD077 = 0077; -constexpr mode_t CHMOD105 = 0105; -constexpr mode_t CHMOD111 = 0111; -constexpr mode_t CHMOD116 = 0116; -constexpr mode_t CHMOD120 = 0120; -constexpr mode_t CHMOD123 = 0123; -constexpr mode_t CHMOD124 = 0124; -constexpr mode_t CHMOD132 = 0132; -constexpr mode_t CHMOD143 = 0143; -constexpr mode_t CHMOD151 = 0151; -constexpr mode_t CHMOD166 = 0166; -constexpr mode_t CHMOD167 = 0167; -constexpr mode_t CHMOD175 = 0175; -constexpr mode_t CHMOD203 = 0203; -constexpr mode_t CHMOD210 = 0210; -constexpr mode_t CHMOD222 = 0222; -constexpr mode_t CHMOD230 = 0230; -constexpr mode_t CHMOD235 = 0235; -constexpr mode_t CHMOD241 = 0241; -constexpr mode_t CHMOD242 = 0242; -constexpr mode_t CHMOD256 = 0256; -constexpr mode_t CHMOD257 = 0257; -constexpr mode_t CHMOD261 = 0261; -constexpr mode_t CHMOD274 = 0274; -constexpr mode_t CHMOD305 = 0305; -constexpr mode_t CHMOD306 = 0306; -constexpr mode_t CHMOD310 = 0310; -constexpr mode_t CHMOD312 = 0312; -constexpr mode_t CHMOD325 = 0325; -constexpr mode_t CHMOD333 = 0333; -constexpr mode_t CHMOD334 = 0334; -constexpr mode_t CHMOD342 = 0342; -constexpr mode_t CHMOD347 = 0347; -constexpr mode_t CHMOD354 = 0354; -constexpr mode_t CHMOD362 = 0362; -constexpr mode_t CHMOD371 = 0371; -constexpr mode_t CHMOD401 = 0401; -constexpr mode_t CHMOD406 = 0406; -constexpr mode_t CHMOD407 = 0407; -constexpr mode_t CHMOD415 = 0415; -constexpr mode_t CHMOD422 = 0422; -constexpr mode_t CHMOD430 = 0430; -constexpr mode_t CHMOD444 = 0444; -constexpr mode_t CHMOD446 = 0446; -constexpr mode_t CHMOD453 = 0453; -constexpr mode_t CHMOD456 = 0456; -constexpr mode_t CHMOD457 = 0457; -constexpr mode_t CHMOD460 = 0460; -constexpr mode_t CHMOD473 = 0473; -constexpr mode_t CHMOD507 = 0507; -constexpr mode_t CHMOD511 = 0511; -constexpr mode_t CHMOD521 = 0521; -constexpr mode_t CHMOD526 = 0526; -constexpr mode_t CHMOD536 = 0536; -constexpr mode_t CHMOD543 = 0543; -constexpr mode_t CHMOD555 = 0555; -constexpr mode_t CHMOD560 = 0560; -constexpr mode_t CHMOD562 = 0562; -constexpr mode_t CHMOD564 = 0564; -constexpr mode_t CHMOD570 = 0570; -constexpr mode_t CHMOD604 = 0604; -constexpr mode_t CHMOD611 = 0611; -constexpr mode_t CHMOD614 = 0614; -constexpr mode_t CHMOD623 = 0623; -constexpr mode_t CHMOD637 = 0637; -constexpr mode_t CHMOD640 = 0640; -constexpr mode_t CHMOD655 = 0655; -constexpr mode_t CHMOD657 = 0657; -constexpr mode_t CHMOD665 = 0665; -constexpr mode_t CHMOD666 = 0666; -constexpr mode_t CHMOD670 = 0670; -constexpr mode_t CHMOD671 = 0671; -constexpr mode_t CHMOD672 = 0672; -constexpr mode_t CHMOD700 = 0700; -constexpr mode_t CHMOD702 = 0702; -constexpr mode_t CHMOD703 = 0703; -constexpr mode_t CHMOD712 = 0712; -constexpr mode_t CHMOD716 = 0716; -constexpr mode_t CHMOD717 = 0717; -constexpr mode_t CHMOD724 = 0724; -constexpr mode_t CHMOD731 = 0731; -constexpr mode_t CHMOD743 = 0743; -constexpr mode_t CHMOD750 = 0750; -constexpr mode_t CHMOD765 = 0765; -constexpr mode_t CHMOD777 = 0777; - -// Creating Folders and Files for the Test -#define DACDIR0 "DACDIR0" // DIR0/ -#define DACDIR0_DACFILE0 "DACDIR0_DACFILE0" // ├── DIR0_FILE0 -#define DACDIR0_DACFILE1 "DACDIR0_DACFILE1" // ├── DIR0_FILE1 -#define DACDIR0_DACDIR0 "DACDIR0_DACDIR0" // ├── DIR0_DIR0/ -#define DACDIR0_DACDIR0_DACDIR0 "DACDIR0_DACDIR0_DACDIR0" // | └── DIR0_DIR0_DIR0/ -#define DACDIR0_DACDIR1 "DACDIR0_DACDIR1" // └── DIR0_DIR1/ -#define DACDIR1 "DACDIR1" // DIR1/ -#define DACDIR1_DACFILE0 "DACDIR1_DACFILE0" // ├── DIR1_FILE0 -#define DACDIR1_DACDIR0 "DACDIR1_DACDIR0" // └── DIR1_DIR0/ - -#endif \ No newline at end of file diff --git a/security_lite/permission_posix/dac/src/DACFileSystemTest.cpp b/security_lite/permission_posix/dac/src/DACFileSystemTest.cpp deleted file mode 100755 index f2d75e5b8..000000000 --- a/security_lite/permission_posix/dac/src/DACFileSystemTest.cpp +++ /dev/null @@ -1,68 +0,0 @@ -/* - * Copyright (c) 2021 Huawei Device Co., Ltd. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#include "DACFileSystemTest.h" -#include -#include "ActsCapabilityTest.h" -#include "ActsDacTest.h" - -using namespace testing::ext; - -// Preset action of the test suite, which is executed before the first test case -void DacTestSuite::SetUp() -{ - // Permission mask preset when creating a file - umask(ZERO); - // Init capabilities - CapInit(); - // Initialize the process and set the uid and gid of the process to zero - SetUidGid(UID0, GID0); - // Delete the the directory if exists - RemoveDir(TOP_DIR "/" DACDIR0); - RemoveDir(TOP_DIR "/" DACDIR1); - RemoveDir("/storage/" DACDIR0); - // Obtain the current working directory of the test code - mCurPath = GetCurrentPath(); - // Modify the current working directory of the test code - int ret = chdir(TOP_DIR); - if (ret != 0) { - LOG("ErrInfo: Failed to chdir to %s, ret=%d, errno=%d", TOP_DIR, ret, errno); - } -} - -// Test suite cleanup action, which is executed after the last test case -void DacTestSuite::TearDown() -{ - // Delete the the directory if exists - RemoveDir(TOP_DIR "/" DACDIR0); - RemoveDir(TOP_DIR "/" DACDIR1); - RemoveDir("/storage/" DACDIR0); - // Initialize the process and set the uid and gid of the process to zero - SetUidGid(UID0, GID0); - // Restore the working directory of the test code - int ret = chdir(mCurPath); - if (ret != 0) { - LOG("ErrInfo: Failed to chdir to %s, ret=%d, errno=%d", mCurPath, ret, errno); - } -} - -int main(int argc, char *argv[]) -{ - testing::GTEST_FLAG(output) = "xml:"; - testing::InitGoogleTest(&argc, argv); - if (CheckFsMount(TOP_DIR, TOP_DIR_MOUNT_INFO) != 0) { - return 1; - } - return RUN_ALL_TESTS(); -} \ No newline at end of file diff --git a/security_lite/permission_posix/dac/src/DACFileSystemTest.h b/security_lite/permission_posix/dac/src/DACFileSystemTest.h deleted file mode 100755 index 755b21984..000000000 --- a/security_lite/permission_posix/dac/src/DACFileSystemTest.h +++ /dev/null @@ -1,28 +0,0 @@ -/* - * Copyright (c) 2021 Huawei Device Co., Ltd. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#ifndef XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_DAC_SRC_DACTFILESYSTEMTEST_H -#define XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_DAC_SRC_DACTFILESYSTEMTEST_H - -#include - -class DacTestSuite : public::testing::Test { -protected: - char *mCurPath; - void SetUp(); - void TearDown(); -}; - -#endif \ No newline at end of file diff --git a/security_lite/permission_posix/dac/vfat/BUILD.gn b/security_lite/permission_posix/dac/vfat/BUILD.gn deleted file mode 100755 index f8608c73c..000000000 --- a/security_lite/permission_posix/dac/vfat/BUILD.gn +++ /dev/null @@ -1,50 +0,0 @@ -# Copyright (c) 2021 Huawei Device Co., Ltd. -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -import("//test/xts/tools/lite/build/suite_lite.gni") - -hcpptest_suite("ActsVFATDACTest") { - suite_name = "acts" - sources = [ - "../src/ActsDacPreTest.cpp", - "../src/DACFileSystemTest.cpp", - ] - - include_dirs = [ - "../src", - "../../capability/src", - "//third_party/bounds_checking_function/include", - ] - - public_deps = [ - "../../capability:capability_shared", - "//third_party/bounds_checking_function:libsec_shared", - ] - - cflags_cc = [ - "-Wno-write-strings", - "-Wno-sign-compare", - ] - - ldflags = [ - "-lstdc++", - "-lm", - "-lpthread", - ] - - defines = [ - "LITE_FS_VFAT", - "TOP_DIR=\"/sdcard\"", - "TOP_DIR_MOUNT_INFO=\"/sdcard vfat\"", - ] -} diff --git a/security_lite/permission_posix/dac/vfat/Test.json b/security_lite/permission_posix/dac/vfat/Test.json deleted file mode 100644 index 26b780f68..000000000 --- a/security_lite/permission_posix/dac/vfat/Test.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "description": "Config for hcpptest demo test cases", - "environment": [ - { - "type": "device", - "label": "ipcamera" - } - ], - "kits": [ - { - "type": "MountKit", - "server": "NfsServer", - "mount": [ - { - "source": "testcases/security", - "target": "/test_root/security" - } - ] - } - ], - "driver": { - "type": "CppTestLite", - "execute": "/test_root/security/ActsVFATDACTest.bin" - } -} \ No newline at end of file -- GitLab