Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
OpenHarmony
Xts Acts
提交
a522431b
X
Xts Acts
项目概览
OpenHarmony
/
Xts Acts
1 年多 前同步成功
通知
9
Star
22
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
X
Xts Acts
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
a522431b
编写于
4月 24, 2023
作者:
Q
qiaozzzh
1
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Delete XTS for CAP and DAC
Signed-off-by:
N
qiaozzzh
<
qiaozhang@huawei.com
>
上级
ed6da30f
变更
16
隐藏空白更改
内联
并排
Showing
16 changed file
with
0 addition
and
3435 deletion
+0
-3435
security_lite/BUILD.gn
security_lite/BUILD.gn
+0
-2
security_lite/permission_posix/capability/BUILD.gn
security_lite/permission_posix/capability/BUILD.gn
+0
-35
security_lite/permission_posix/capability/src/ActsCapability.cpp
...y_lite/permission_posix/capability/src/ActsCapability.cpp
+0
-532
security_lite/permission_posix/capability/src/ActsCapabilityTest.cpp
...te/permission_posix/capability/src/ActsCapabilityTest.cpp
+0
-1226
security_lite/permission_posix/capability/src/ActsCapabilityTest.h
...lite/permission_posix/capability/src/ActsCapabilityTest.h
+0
-155
security_lite/permission_posix/capability/src/CapabilityFileSystemTest.cpp
...mission_posix/capability/src/CapabilityFileSystemTest.cpp
+0
-61
security_lite/permission_posix/capability/src/CapabilityFileSystemTest.h
...ermission_posix/capability/src/CapabilityFileSystemTest.h
+0
-28
security_lite/permission_posix/capability/vfat/BUILD.gn
security_lite/permission_posix/capability/vfat/BUILD.gn
+0
-57
security_lite/permission_posix/capability/vfat/Test.json
security_lite/permission_posix/capability/vfat/Test.json
+0
-25
security_lite/permission_posix/dac/BUILD.gn
security_lite/permission_posix/dac/BUILD.gn
+0
-16
security_lite/permission_posix/dac/src/ActsDacPreTest.cpp
security_lite/permission_posix/dac/src/ActsDacPreTest.cpp
+0
-985
security_lite/permission_posix/dac/src/ActsDacTest.h
security_lite/permission_posix/dac/src/ActsDacTest.h
+0
-142
security_lite/permission_posix/dac/src/DACFileSystemTest.cpp
security_lite/permission_posix/dac/src/DACFileSystemTest.cpp
+0
-68
security_lite/permission_posix/dac/src/DACFileSystemTest.h
security_lite/permission_posix/dac/src/DACFileSystemTest.h
+0
-28
security_lite/permission_posix/dac/vfat/BUILD.gn
security_lite/permission_posix/dac/vfat/BUILD.gn
+0
-50
security_lite/permission_posix/dac/vfat/Test.json
security_lite/permission_posix/dac/vfat/Test.json
+0
-25
未找到文件。
security_lite/BUILD.gn
浏览文件 @
a522431b
...
...
@@ -15,8 +15,6 @@ group("securitytest") {
if (ohos_kernel_type == "liteos_a") {
deps = [
"//test/xts/acts/security_lite/huks/liteos_a_adapter:Hukslitetest",
"//test/xts/acts/security_lite/permission_posix/capability:ActsCapabilityTest",
"//test/xts/acts/security_lite/permission_posix/dac:ActsDacTest",
"//test/xts/acts/security_lite/permission_posix/pms:ActsPMSTest",
]
} else if (ohos_kernel_type == "linux") {
...
...
security_lite/permission_posix/capability/BUILD.gn
已删除
100755 → 0
浏览文件 @
ed6da30f
# Copyright (c) 2021 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
group("ActsCapabilityTest") {
deps = [ "./vfat:ActsVFATCapabilityTest" ]
}
shared_library("capability_shared") {
sources = [ "src/ActsCapability.cpp" ]
include_dirs = [
"src",
"//third_party/bounds_checking_function/include",
]
public_deps = [ "//third_party/bounds_checking_function:libsec_shared" ]
cflags = [ "-Wno-error" ]
ldflags = [
"-lstdc++",
"-lm",
"-lpthread",
]
}
security_lite/permission_posix/capability/src/ActsCapability.cpp
已删除
100644 → 0
浏览文件 @
ed6da30f
/*
* Copyright (c) 2021 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "ActsCapabilityTest.h"
#include <csignal>
#include <dirent.h>
#include <securec.h>
#include <sys/capability.h>
#include <unistd.h>
void
Sigac
(
int
i
)
{
_exit
(
0
);
}
void
ChildSleep
()
{
signal
(
SIGXFSZ
,
Sigac
);
usleep
(
LONG_SLEEP_NUM
);
exit
(
0
);
}
int
CapInit
()
{
// Init capabilities
struct
__user_cap_header_struct
capheader
;
(
void
)
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
capheader
.
version
=
_LINUX_CAPABILITY_VERSION_3
;
capheader
.
pid
=
0
;
struct
__user_cap_data_struct
capdata
[
CAP_NUM
];
(
void
)
memset_s
(
capdata
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0xff
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
capdata
[
0
].
permitted
=
LINUX_FULL_CAP
;
capdata
[
0
].
effective
=
LINUX_FULL_CAP
;
capdata
[
0
].
inheritable
=
LINUX_FULL_CAP
;
// Set capabilities
int
ret
=
capset
(
&
capheader
,
&
capdata
[
0
]);
if
(
ret
!=
0
)
{
return
FALSE
;
}
return
0
;
}
int
DropCAPCHOWN
()
{
struct
__user_cap_header_struct
capheader
=
{
0
};
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPCHOWN memset_s failed"
);
return
FALSE
;
};
capheader
.
version
=
_LINUX_CAPABILITY_VERSION_3
;
capheader
.
pid
=
0
;
struct
__user_cap_data_struct
capdata
[
CAP_NUM
]
=
{
{
0
},
{
0
}
};
result
=
memset_s
(
capdata
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0xff
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPCHOWN memset_s failed"
);
return
FALSE
;
};
// Drop the capabilities of CAP_CHOWN
capdata
[
CAP_TO_INDEX
(
CAP_CHOWN
)].
permitted
&=
~
CAP_TO_MASK
(
CAP_CHOWN
);
capdata
[
CAP_TO_INDEX
(
CAP_CHOWN
)].
effective
&=
~
CAP_TO_MASK
(
CAP_CHOWN
);
capdata
[
CAP_TO_INDEX
(
CAP_CHOWN
)].
inheritable
&=
~
CAP_TO_MASK
(
CAP_CHOWN
);
int
ret
=
capset
(
&
capheader
,
&
capdata
[
0
]);
if
(
ret
!=
0
)
{
return
FALSE
;
}
return
0
;
}
int
DropCAPDACOVERRIDE
()
{
struct
__user_cap_header_struct
capheader
=
{
0
,
0
};
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPDACOVERRIDE memset_s failed"
);
return
FALSE
;
};
capheader
.
version
=
_LINUX_CAPABILITY_VERSION_3
;
capheader
.
pid
=
0
;
struct
__user_cap_data_struct
capdata
[
CAP_NUM
]
=
{
{
0
},
{
0
}
};
result
=
memset_s
(
capdata
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0xff
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPDACOVERRIDE memset_s failed"
);
return
FALSE
;
};
// Drop the capabilities of CAP_DAC_OVERRIDE
capdata
[
CAP_TO_INDEX
(
CAP_DAC_OVERRIDE
)].
permitted
&=
~
CAP_TO_MASK
(
CAP_DAC_OVERRIDE
);
capdata
[
CAP_TO_INDEX
(
CAP_DAC_OVERRIDE
)].
effective
&=
~
CAP_TO_MASK
(
CAP_DAC_OVERRIDE
);
capdata
[
CAP_TO_INDEX
(
CAP_DAC_OVERRIDE
)].
inheritable
&=
~
CAP_TO_MASK
(
CAP_DAC_OVERRIDE
);
int
ret
=
capset
(
&
capheader
,
&
capdata
[
0
]);
if
(
ret
!=
0
)
{
return
FALSE
;
}
return
0
;
}
int
DropCAPDACREADSEARCH
()
{
struct
__user_cap_header_struct
capheader
=
{
0
,
0
};
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPDACREADSEARCH memset_s failed"
);
return
FALSE
;
};
capheader
.
version
=
_LINUX_CAPABILITY_VERSION_3
;
capheader
.
pid
=
0
;
struct
__user_cap_data_struct
capdata
[
CAP_NUM
]
=
{
{
0
},
{
0
}
};
result
=
memset_s
(
capdata
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0xff
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPDACREADSEARCH memset_s failed"
);
return
FALSE
;
};
// Drop the capabilities of CAP_DAC_READ_SEARCH
capdata
[
CAP_TO_INDEX
(
CAP_DAC_READ_SEARCH
)].
permitted
&=
~
CAP_TO_MASK
(
CAP_DAC_READ_SEARCH
);
capdata
[
CAP_TO_INDEX
(
CAP_DAC_READ_SEARCH
)].
effective
&=
~
CAP_TO_MASK
(
CAP_DAC_READ_SEARCH
);
capdata
[
CAP_TO_INDEX
(
CAP_DAC_READ_SEARCH
)].
inheritable
&=
~
CAP_TO_MASK
(
CAP_DAC_READ_SEARCH
);
int
ret
=
capset
(
&
capheader
,
&
capdata
[
0
]);
if
(
ret
!=
0
)
{
return
FALSE
;
}
return
0
;
}
int
DropCAPDACOVERRIDEAndREADSEARCH
()
{
struct
__user_cap_header_struct
capheader
=
{
0
,
0
};
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPDACOVERRIDEAndREADSEARCH memset_s failed"
);
return
FALSE
;
};
capheader
.
version
=
_LINUX_CAPABILITY_VERSION_3
;
capheader
.
pid
=
0
;
struct
__user_cap_data_struct
capdata
[
CAP_NUM
]
=
{
{
0
},
{
0
}
};
result
=
memset_s
(
capdata
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0xff
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPDACOVERRIDEAndREADSEARCH memset_s failed"
);
return
FALSE
;
};
// Drop the capabilities of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH
capdata
[
CAP_TO_INDEX
(
CAP_DAC_READ_SEARCH
)].
permitted
&=
~
CAP_TO_MASK
(
CAP_DAC_READ_SEARCH
);
capdata
[
CAP_TO_INDEX
(
CAP_DAC_READ_SEARCH
)].
effective
&=
~
CAP_TO_MASK
(
CAP_DAC_READ_SEARCH
);
capdata
[
CAP_TO_INDEX
(
CAP_DAC_READ_SEARCH
)].
inheritable
&=
~
CAP_TO_MASK
(
CAP_DAC_READ_SEARCH
);
capdata
[
CAP_TO_INDEX
(
CAP_DAC_OVERRIDE
)].
permitted
&=
~
CAP_TO_MASK
(
CAP_DAC_OVERRIDE
);
capdata
[
CAP_TO_INDEX
(
CAP_DAC_OVERRIDE
)].
effective
&=
~
CAP_TO_MASK
(
CAP_DAC_OVERRIDE
);
capdata
[
CAP_TO_INDEX
(
CAP_DAC_OVERRIDE
)].
inheritable
&=
~
CAP_TO_MASK
(
CAP_DAC_OVERRIDE
);
int
ret
=
capset
(
&
capheader
,
&
capdata
[
0
]);
if
(
ret
!=
0
)
{
return
FALSE
;
}
return
0
;
}
int
DropCAPFOWNER
()
{
struct
__user_cap_header_struct
capheader
=
{
0
,
0
};
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPFOWNER memset_s failed"
);
return
FALSE
;
};
capheader
.
version
=
_LINUX_CAPABILITY_VERSION_3
;
capheader
.
pid
=
0
;
struct
__user_cap_data_struct
capdata
[
CAP_NUM
]
=
{
{
0
},
{
0
}
};
result
=
memset_s
(
capdata
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0xff
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPFOWNER memset_s failed"
);
return
FALSE
;
};
// Drop the capabilities of CAP_FOWNER
capdata
[
CAP_TO_INDEX
(
CAP_FOWNER
)].
permitted
&=
~
CAP_TO_MASK
(
CAP_FOWNER
);
capdata
[
CAP_TO_INDEX
(
CAP_FOWNER
)].
effective
&=
~
CAP_TO_MASK
(
CAP_FOWNER
);
capdata
[
CAP_TO_INDEX
(
CAP_FOWNER
)].
inheritable
&=
~
CAP_TO_MASK
(
CAP_FOWNER
);
int
ret
=
capset
(
&
capheader
,
&
capdata
[
0
]);
if
(
ret
!=
0
)
{
return
FALSE
;
}
return
0
;
}
int
DropCAPKILL
()
{
struct
__user_cap_header_struct
capheader
=
{
0
,
0
};
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPKILL memset_s failed"
);
return
FALSE
;
};
capheader
.
version
=
_LINUX_CAPABILITY_VERSION_3
;
capheader
.
pid
=
0
;
struct
__user_cap_data_struct
capdata
[
CAP_NUM
]
=
{
{
0
},
{
0
}
};
result
=
memset_s
(
capdata
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0xff
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPKILL memset_s failed"
);
return
FALSE
;
};
// Drop the capabilities of CAP_KILL
capdata
[
CAP_TO_INDEX
(
CAP_KILL
)].
permitted
&=
~
CAP_TO_MASK
(
CAP_KILL
);
capdata
[
CAP_TO_INDEX
(
CAP_KILL
)].
effective
&=
~
CAP_TO_MASK
(
CAP_KILL
);
capdata
[
CAP_TO_INDEX
(
CAP_KILL
)].
inheritable
&=
~
CAP_TO_MASK
(
CAP_KILL
);
int
ret
=
capset
(
&
capheader
,
&
capdata
[
0
]);
if
(
ret
!=
0
)
{
return
FALSE
;
}
return
0
;
}
int
DropCAPSETGID
()
{
struct
__user_cap_header_struct
capheader
=
{
0
,
0
};
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPSETGID memset_s failed"
);
return
FALSE
;
};
capheader
.
version
=
_LINUX_CAPABILITY_VERSION_3
;
capheader
.
pid
=
0
;
struct
__user_cap_data_struct
capdata
[
CAP_NUM
]
=
{
{
0
},
{
0
}
};
result
=
memset_s
(
capdata
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0xff
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPSETGID memset_s failed"
);
return
FALSE
;
};
// Drop the capabilities of CAP_SETGID
capdata
[
CAP_TO_INDEX
(
CAP_SETGID
)].
permitted
&=
~
CAP_TO_MASK
(
CAP_SETGID
);
capdata
[
CAP_TO_INDEX
(
CAP_SETGID
)].
effective
&=
~
CAP_TO_MASK
(
CAP_SETGID
);
capdata
[
CAP_TO_INDEX
(
CAP_SETGID
)].
inheritable
&=
~
CAP_TO_MASK
(
CAP_SETGID
);
int
ret
=
capset
(
&
capheader
,
&
capdata
[
0
]);
if
(
ret
!=
0
)
{
return
FALSE
;
}
return
0
;
}
int
DropCAPSETUID
()
{
struct
__user_cap_header_struct
capheader
=
{
0
,
0
};
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPSETUID memset_s failed"
);
return
FALSE
;
};
capheader
.
version
=
_LINUX_CAPABILITY_VERSION_3
;
capheader
.
pid
=
0
;
struct
__user_cap_data_struct
capdata
[
CAP_NUM
]
=
{
{
0
},
{
0
}
};
result
=
memset_s
(
capdata
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0xff
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPSETUID memset_s failed"
);
return
FALSE
;
};
// Drop the capabilities of CAP_SETUID
capdata
[
CAP_TO_INDEX
(
CAP_SETUID
)].
permitted
&=
~
CAP_TO_MASK
(
CAP_SETUID
);
capdata
[
CAP_TO_INDEX
(
CAP_SETUID
)].
effective
&=
~
CAP_TO_MASK
(
CAP_SETUID
);
capdata
[
CAP_TO_INDEX
(
CAP_SETUID
)].
inheritable
&=
~
CAP_TO_MASK
(
CAP_SETUID
);
int
ret
=
capset
(
&
capheader
,
&
capdata
[
0
]);
if
(
ret
!=
0
)
{
return
FALSE
;
}
return
0
;
}
int
DropCAPSETPCAP
()
{
struct
__user_cap_header_struct
capheader
=
{
0
,
0
};
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPSETPCAP memset_s failed"
);
return
FALSE
;
};
capheader
.
version
=
_LINUX_CAPABILITY_VERSION_3
;
capheader
.
pid
=
0
;
struct
__user_cap_data_struct
capdata
[
CAP_NUM
]
=
{
{
0
},
{
0
}
};
result
=
memset_s
(
capdata
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0xff
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPSETPCAP memset_s failed"
);
return
FALSE
;
};
// Drop the capabilities of CAP_SETPCAP
capdata
[
CAP_TO_INDEX
(
CAP_SETPCAP
)].
permitted
&=
~
CAP_TO_MASK
(
CAP_SETPCAP
);
capdata
[
CAP_TO_INDEX
(
CAP_SETPCAP
)].
effective
&=
~
CAP_TO_MASK
(
CAP_SETPCAP
);
capdata
[
CAP_TO_INDEX
(
CAP_SETPCAP
)].
inheritable
&=
~
CAP_TO_MASK
(
CAP_SETPCAP
);
int
ret
=
capset
(
&
capheader
,
&
capdata
[
0
]);
if
(
ret
!=
0
)
{
return
FALSE
;
}
return
0
;
}
int
DropCAPSYSNICE
()
{
struct
__user_cap_header_struct
capheader
=
{
0
,
0
};
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPSYSNICE memset_s failed"
);
return
FALSE
;
};
capheader
.
version
=
_LINUX_CAPABILITY_VERSION_3
;
capheader
.
pid
=
0
;
struct
__user_cap_data_struct
capdata
[
CAP_NUM
]
=
{
{
0
},
{
0
}
};
result
=
memset_s
(
capdata
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0xff
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPSYSNICE memset_s failed"
);
return
FALSE
;
};
// Drop the capabilities of CAP_SYS_NICE
capdata
[
CAP_TO_INDEX
(
CAP_SYS_NICE
)].
permitted
&=
~
CAP_TO_MASK
(
CAP_SYS_NICE
);
capdata
[
CAP_TO_INDEX
(
CAP_SYS_NICE
)].
effective
&=
~
CAP_TO_MASK
(
CAP_SYS_NICE
);
capdata
[
CAP_TO_INDEX
(
CAP_SYS_NICE
)].
inheritable
&=
~
CAP_TO_MASK
(
CAP_SYS_NICE
);
int
ret
=
capset
(
&
capheader
,
&
capdata
[
0
]);
if
(
ret
!=
0
)
{
return
FALSE
;
}
return
0
;
}
int
DropCAPSYSTIME
()
{
struct
__user_cap_header_struct
capheader
=
{
0
,
0
};
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPSYSTIME memset_s failed"
);
return
FALSE
;
};
capheader
.
version
=
_LINUX_CAPABILITY_VERSION_3
;
capheader
.
pid
=
0
;
struct
__user_cap_data_struct
capdata
[
CAP_NUM
]
=
{
{
0
},
{
0
}
};
result
=
memset_s
(
capdata
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0xff
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropCAPSYSTIME memset_s failed"
);
return
FALSE
;
};
// Drop the capabilities of CAP_SYS_TIME
capdata
[
CAP_TO_INDEX
(
CAP_SYS_TIME
)].
permitted
&=
~
CAP_TO_MASK
(
CAP_SYS_TIME
);
capdata
[
CAP_TO_INDEX
(
CAP_SYS_TIME
)].
effective
&=
~
CAP_TO_MASK
(
CAP_SYS_TIME
);
capdata
[
CAP_TO_INDEX
(
CAP_SYS_TIME
)].
inheritable
&=
~
CAP_TO_MASK
(
CAP_SYS_TIME
);
int
ret
=
capset
(
&
capheader
,
&
capdata
[
0
]);
if
(
ret
!=
0
)
{
return
FALSE
;
}
return
0
;
}
int
DropAllCAP
()
{
struct
__user_cap_header_struct
capheader
=
{
0
,
0
};
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropAllCAP memset_s failed"
);
return
FALSE
;
};
capheader
.
version
=
_LINUX_CAPABILITY_VERSION_3
;
capheader
.
pid
=
0
;
struct
__user_cap_data_struct
capdata
[
CAP_NUM
]
=
{
{
0
},
{
0
}
};
result
=
memset_s
(
capdata
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0xff
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"DropAllCAP memset_s failed"
);
return
FALSE
;
};
// Drop all the capabilities
capdata
[
0
].
permitted
=
NO_CAP
;
capdata
[
0
].
effective
=
NO_CAP
;
capdata
[
0
].
inheritable
=
NO_CAP
;
int
ret
=
capset
(
&
capheader
,
&
capdata
[
0
]);
if
(
ret
!=
0
)
{
return
FALSE
;
}
return
0
;
}
int
RemoveDir
(
const
char
*
dirname
)
{
int
ret
;
char
curDir
[]
=
"."
;
char
upDir
[]
=
".."
;
char
updirname
[
SIZE512
];
DIR
*
dir
=
nullptr
;
struct
dirent
*
dp
=
nullptr
;
struct
stat
upDirStat
=
{
0
};
// Init capabilities
CapInit
();
// The directory transferred by the parameter does not exist
if
(
access
(
dirname
,
F_OK
!=
0
))
{
return
0
;
}
else
{
chmod
(
dirname
,
RWX
);
}
// Open the current-level directory
dir
=
opendir
(
dirname
);
while
((
dp
=
readdir
(
dir
))
!=
nullptr
)
{
// The system skips the judgment and continues looping when the . or .. directory is encountered
if
((
strcmp
(
curDir
,
dp
->
d_name
)
==
0
)
||
(
strcmp
(
upDir
,
dp
->
d_name
)
==
0
))
{
continue
;
}
// Combine the upper-level directory content
int
spr
=
sprintf_s
(
updirname
,
SIZE512
,
"%s/%s"
,
dirname
,
dp
->
d_name
);
if
(
spr
==
FALSE
)
{
closedir
(
dir
);
return
FALSE
;
}
// Obtains the status of the upper-level, file or directory
stat
(
updirname
,
&
upDirStat
);
// Directory files, recursively deleting contents in the directory
if
(
upDirStat
.
st_mode
&
S_IFDIR
)
{
// Invoke the function recursively to delete the content of the upper-level directory
RemoveDir
(
updirname
);
}
else
{
// Common files, directly deleting
ret
=
unlink
(
updirname
);
if
(
ret
!=
0
)
{
// Failed to delete the file
perror
(
"Failed to delete the file"
);
LOG
(
"ErrInfo: The file name is %s"
,
updirname
);
closedir
(
dir
);
return
FALSE
;
}
}
}
// Close the current-level directory
closedir
(
dir
);
// Delete the empty directory
ret
=
rmdir
(
dirname
);
if
(
ret
!=
0
)
{
// Failed to delete the empty directory
perror
(
"Failed to delete the empty directory"
);
LOG
(
"ErrInfo: The directory name is %s"
,
dirname
);
return
FALSE
;
}
return
0
;
}
int
SetUidGid
(
uid_t
uid
,
gid_t
gid
)
{
// Set the process uid and gid
int
retsetuid
=
setuid
(
uid
);
if
(
retsetuid
!=
0
)
{
LOG
(
"ErrInfo: Set uid=%d failed, now uid=%d"
,
uid
,
getuid
());
return
FALSE
;
}
int
retsetgid
=
setgid
(
gid
);
if
(
retsetgid
!=
0
)
{
LOG
(
"ErrInfo: Set gid=%d failed, now gid=%d"
,
gid
,
getgid
());
return
FALSE
;
}
return
0
;
}
timespec
CompareTime
(
timespec
start
,
timespec
end
)
{
// Compare time 'start' and time 'end'
timespec
ret
=
{
0
};
int
tp
=
1000000000
;
if
((
end
.
tv_nsec
-
start
.
tv_nsec
)
<
0
)
{
ret
.
tv_sec
=
end
.
tv_sec
-
start
.
tv_sec
-
1
;
ret
.
tv_nsec
=
tp
+
end
.
tv_nsec
-
start
.
tv_nsec
;
}
else
{
ret
.
tv_sec
=
end
.
tv_sec
-
start
.
tv_sec
;
ret
.
tv_nsec
=
end
.
tv_nsec
-
start
.
tv_nsec
;
}
return
ret
;
}
char
*
GetCurrentPath
()
{
// Obtain the current working directory
static
char
path
[
MAX_PATH_SIZE
];
getcwd
(
path
,
MAX_PATH_SIZE
);
return
path
;
}
// Check topDir file system, 0 is exist, -1 is non-exist
int
CheckFsMount
(
const
char
*
topDir
,
const
char
*
topDirMountInfo
)
{
const
int
lenMax
=
100
;
int
len
=
0
;
char
buf
[
lenMax
]
=
{
0
};
const
char
mountInfoFile
[]
=
"/proc/mounts"
;
// check topDir exist
if
(
access
(
topDir
,
F_OK
)
!=
0
)
{
LOG
(
"ErrInfo: '%s' not accessable, Test Stop!"
,
topDir
);
return
-
1
;
}
FILE
*
fp
=
fopen
(
mountInfoFile
,
"r"
);
if
(
fp
!=
nullptr
)
{
while
(
fgets
(
buf
,
sizeof
(
buf
),
fp
)
!=
NULL
)
{
len
=
strlen
(
buf
);
if
(
strstr
(
buf
,
topDirMountInfo
)
!=
nullptr
)
{
fclose
(
fp
);
return
0
;
}
}
fclose
(
fp
);
}
LOG
(
"'%s' is not a '%s' not mount properly, Test Stop! please change another file type!"
,
topDir
,
topDirMountInfo
);
return
-
1
;
}
\ No newline at end of file
security_lite/permission_posix/capability/src/ActsCapabilityTest.cpp
已删除
100644 → 0
浏览文件 @
ed6da30f
/*
* Copyright (c) 2021 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "ActsCapabilityTest.h"
#include <dirent.h>
#include <fcntl.h>
#include <securec.h>
#include <sys/capability.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include "gtest/gtest.h"
#include "CapabilityFileSystemTest.h"
using
namespace
std
;
using
namespace
testing
::
ext
;
#if defined(LITE_FS_VFAT)
static
void
CreateTxt
()
{
int
ret
;
int
fd
=
0
;
char
cap
[]
=
"CapabilityTestSuite!
\n
"
;
// Initialize the process and set the uid and gid of the process to zero
SetUidGid
(
UID0
,
GID0
);
// Create a directory 'CAPDIR0' in the directory 'TOP_DIR'
ret
=
mkdir
(
TOP_DIR
"/"
CAPDIR0
,
NORWX
);
ASSERT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to create the directory 'TOP_DIR/CAPDIR0'"
;
// Create a directory 'CAPDIR0_CAPDIR0' in the directory 'TOP_DIR/CAPDIR0'
ret
=
mkdir
(
TOP_DIR
"/"
CAPDIR0
"/"
CAPDIR0_CAPDIR0
,
RWX
);
ASSERT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to create the directory 'TOP_DIR/CAPDIR0/CAPDIR0_CAPDIR0'"
;
// Create a file 'CAPDIR0_CAPFILE0' in the directory 'CAPDIR0'
fd
=
open
(
TOP_DIR
"/"
CAPDIR0
"/"
CAPDIR0_CAPFILE0
,
O_WRONLY
|
O_CREAT
|
O_TRUNC
,
RWX
);
if
(
fd
>=
0
)
{
// File created successfully
write
(
fd
,
cap
,
sizeof
(
cap
));
close
(
fd
);
}
else
{
// Failed to create the file
ASSERT_GE
(
fd
,
0
)
<<
"ErrInfo: Failed to create the file 'TOP_DIR/CAPDIR0/CAPDIR0_CAPFILE0'"
;
}
}
static
int
CapsetOnlySETPCAP
(
int
num
)
{
struct
__user_cap_header_struct
capheader
;
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"CapgetWithAllCap memset_s failed"
);
return
FALSE
;
};
capheader
.
version
=
_LINUX_CAPABILITY_VERSION_3
;
capheader
.
pid
=
0
;
struct
__user_cap_data_struct
capdata
[
CAP_NUM
];
result
=
memset_s
(
capdata
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"CapgetWithAllCap memset_s failed"
);
return
FALSE
;
};
capdata
[
CAP_TO_INDEX
(
CAP_SETPCAP
)].
permitted
|=
CAP_TO_MASK
(
CAP_SETPCAP
);
capdata
[
CAP_TO_INDEX
(
CAP_SETPCAP
)].
effective
|=
CAP_TO_MASK
(
CAP_SETPCAP
);
capdata
[
CAP_TO_INDEX
(
CAP_SETPCAP
)].
inheritable
|=
CAP_TO_MASK
(
CAP_SETPCAP
);
// Set capabilities
int
ret
=
capset
(
&
capheader
,
&
capdata
[
0
]);
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to drop all caps except CAP_SETPCAP during the %d time"
,
num
);
return
FALSE
;
}
return
0
;
}
static
int
AddCapUnauthorized
(
int
num
)
{
struct
__user_cap_header_struct
capheader
;
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"CapgetWithAllCap memset_s failed"
);
return
FALSE
;
};
capheader
.
version
=
_LINUX_CAPABILITY_VERSION_3
;
capheader
.
pid
=
0
;
struct
__user_cap_data_struct
capdata
[
CAP_NUM
];
result
=
memset_s
(
capdata
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"CapgetWithAllCap memset_s failed"
);
return
FALSE
;
};
capdata
[
0
].
permitted
=
LINUX_FULL_CAP
;
capdata
[
0
].
effective
=
LINUX_FULL_CAP
;
capdata
[
0
].
inheritable
=
LINUX_FULL_CAP
;
// Set capabilities
int
ret
=
capset
(
&
capheader
,
&
capdata
[
0
]);
if
(
ret
!=
FALSE
)
{
LOG
(
"ErrInfo: Add unauthorized capability during the %d time"
,
num
);
return
FALSE
;
}
return
0
;
}
static
int
CapgetWithAllCap
(
int
num
)
{
struct
__user_cap_header_struct
capheader
=
{
0
};
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"CapgetWithAllCap memset_s failed"
);
return
FALSE
;
};
capheader
.
version
=
_LINUX_CAPABILITY_VERSION_3
;
capheader
.
pid
=
0
;
struct
__user_cap_data_struct
capdataget
[
CAP_NUM
]
=
{
{
0
},
{
0
}
};
result
=
memset_s
(
capdataget
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"CapgetWithAllCap memset_s failed"
);
return
FALSE
;
};
int
ret
=
capget
(
&
capheader
,
&
capdataget
[
0
]);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to get CAPs"
;
LOG
(
"ErrInfo: Failed to get CAPs during the %d time"
,
num
);
return
FALSE
;
}
// The process has all capabilities
if
(
capdataget
[
0
].
effective
!=
OHOS_FULL_CAP
)
{
EXPECT_EQ
(
capdataget
[
0
].
effective
,
OHOS_FULL_CAP
)
<<
"ErrInfo: Get wrong capabilities"
;
LOG
(
"ErrInfo: Get wrong capabilities during the %d time"
,
num
);
return
FALSE
;
}
return
0
;
}
static
int
CapgetWithNoCap
(
int
num
)
{
struct
__user_cap_header_struct
capheader
=
{
0
};
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"CapgetWithAllCap memset_s failed"
);
return
FALSE
;
};
capheader
.
version
=
_LINUX_CAPABILITY_VERSION_3
;
capheader
.
pid
=
0
;
struct
__user_cap_data_struct
capdataget
[
CAP_NUM
]
=
{
{
0
},
{
0
}
};
result
=
memset_s
(
capdataget
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"CapgetWithAllCap memset_s failed"
);
return
FALSE
;
};
int
ret
=
capget
(
&
capheader
,
&
capdataget
[
0
]);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to get CAPs"
;
LOG
(
"ErrInfo: Failed to get CAPs during the %d time"
,
num
);
return
FALSE
;
}
// The process does not have any capabilities
if
(
capdataget
[
0
].
effective
!=
NO_CAP
)
{
EXPECT_EQ
(
capdataget
[
0
].
effective
,
NO_CAP
)
<<
"ErrInfo: Get wrong capabilities"
;
LOG
(
"ErrInfo: Get wrong capabilities during the %d time"
,
num
);
return
FALSE
;
}
return
0
;
}
static
int
CapgetOnlySETPCAP
(
int
num
)
{
struct
__user_cap_header_struct
capheader
=
{
0
};
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"CapgetWithAllCap memset_s failed"
);
return
FALSE
;
};
capheader
.
version
=
_LINUX_CAPABILITY_VERSION_3
;
capheader
.
pid
=
0
;
struct
__user_cap_data_struct
capdataget
[
CAP_NUM
]
=
{
{
0
},
{
0
}
};
result
=
memset_s
(
capdataget
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"CapgetWithAllCap memset_s failed"
);
return
FALSE
;
};
int
ret
=
capget
(
&
capheader
,
&
capdataget
[
0
]);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to get CAPs"
;
LOG
(
"ErrInfo: Failed to get CAPs during the %d time"
,
num
);
return
FALSE
;
}
// The process only has CAP_SETPCAP
if
(
capdataget
[
0
].
effective
!=
ONLY_SETPCAP_CAP
)
{
EXPECT_EQ
(
capdataget
[
0
].
effective
,
ONLY_SETPCAP_CAP
)
<<
"ErrInfo: Get wrong capabilities"
;
LOG
(
"ErrInfo: Get wrong capabilities during the %d time"
,
num
);
return
FALSE
;
}
return
0
;
}
static
int
CapsetWithoutSETPCAP
()
{
// Drop the capabilities of CAP_SETPCAP 8
int
retsetpcap
=
DropCAPSETPCAP
();
EXPECT_EQ
(
retsetpcap
,
0
)
<<
"ErrInfo: Failed to drop CAP_SETPCAP"
;
// Drop the capabilities of CAP_CHOWN 0
int
retchown
=
DropCAPCHOWN
();
EXPECT_EQ
(
retchown
,
FALSE
)
<<
"ErrInfo: Drop CAP_CHOWN without CAP_SETPCAP"
;
// Drop the capabilities of CAP_DAC_OVERRIDE 1
int
retdacoverride
=
DropCAPDACOVERRIDE
();
EXPECT_EQ
(
retdacoverride
,
FALSE
)
<<
"ErrInfo: Drop CAP_DAC_OVERRIDE without CAP_SETPCAP"
;
// Drop the capabilities of CAP_DAC_READ_SEARCH 2
int
retdacreadsearch
=
DropCAPDACREADSEARCH
();
EXPECT_EQ
(
retdacreadsearch
,
FALSE
)
<<
"ErrInfo: Drop CAP_DAC_READ_SEARCH without CAP_SETPCAP"
;
// Drop the capabilities of CAP_FOWNER 3
int
retfowner
=
DropCAPFOWNER
();
EXPECT_EQ
(
retfowner
,
FALSE
)
<<
"ErrInfo: Drop CAP_FOWNER without CAP_SETPCAP"
;
// Drop the capabilities of CAP_KILL 5
int
retkill
=
DropCAPKILL
();
EXPECT_EQ
(
retkill
,
FALSE
)
<<
"ErrInfo: Drop CAP_KILL without CAP_SETPCAP"
;
// Drop the capabilities of CAP_SETGID 6
int
retsetgid
=
DropCAPSETGID
();
EXPECT_EQ
(
retsetgid
,
FALSE
)
<<
"ErrInfo: Drop CAP_SETGID without CAP_SETPCAP"
;
// Drop the capabilities of CAP_SETUID 7
int
retsetuid
=
DropCAPSETUID
();
EXPECT_EQ
(
retsetuid
,
FALSE
)
<<
"ErrInfo: Drop CAP_SETUID without CAP_SETPCAP"
;
// Drop the capabilities of CAP_SETPCAP 8
int
retsetpcapfailed
=
DropCAPSETPCAP
();
EXPECT_EQ
(
retsetpcapfailed
,
FALSE
)
<<
"ErrInfo: Drop CAP_SETPCAP without CAP_SETPCAP"
;
// Drop the capabilities of CAP_SYS_NICE 23
int
retsysnice
=
DropCAPSYSNICE
();
EXPECT_EQ
(
retsysnice
,
FALSE
)
<<
"ErrInfo: Drop CAP_SYS_NICE without CAP_SETPCAP"
;
// Drop the capabilities of CAP_SYS_TIME 25
int
retsystime
=
DropCAPSYSTIME
();
EXPECT_EQ
(
retsystime
,
FALSE
)
<<
"ErrInfo: Drop CAP_SYS_TIME without CAP_SETPCAP"
;
if
((
retchown
!=
FALSE
)
||
(
retdacoverride
!=
FALSE
)
||
(
retdacreadsearch
!=
FALSE
)
||
(
retfowner
!=
FALSE
)
||
(
retkill
!=
FALSE
)
||
(
retsetgid
!=
FALSE
)
||
(
retsetuid
!=
FALSE
)
||
(
retsetpcapfailed
!=
FALSE
)
||
(
retsysnice
!=
FALSE
)
||
(
retsystime
!=
FALSE
)
||
(
retsetpcap
==
FALSE
))
{
LOG
(
"ErrInfo: Drop the capabilities without CAP_SETPCAP"
);
return
FALSE
;
}
return
0
;
}
static
int
CapsetWithVersion
(
pid_t
pid
,
unsigned
int
version
)
{
struct
__user_cap_header_struct
capheader
=
{
0
};
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"CapgetWithAllCap memset_s failed"
);
return
FALSE
;
};
capheader
.
pid
=
pid
;
capheader
.
version
=
version
;
struct
__user_cap_data_struct
capdata
[
CAP_NUM
]
=
{
{
0
},
{
0
}
};
result
=
memset_s
(
capdata
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0xff
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"CapgetWithAllCap memset_s failed"
);
return
FALSE
;
};
// Capget based on input parameters
int
ret
=
capset
(
&
capheader
,
&
capdata
[
0
]);
if
(
ret
!=
0
)
{
// Capset with abnormal parameter
return
FALSE
;
}
return
0
;
}
static
int
CapgetWithVersion
(
pid_t
pid
,
unsigned
int
version
)
{
struct
__user_cap_header_struct
capheader
=
{
0
};
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"CapgetWithAllCap memset_s failed"
);
return
FALSE
;
};
capheader
.
pid
=
pid
;
capheader
.
version
=
version
;
struct
__user_cap_data_struct
capdataget
[
CAP_NUM
]
=
{
{
0
},
{
0
}
};
result
=
memset_s
(
capdataget
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0xff
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"CapgetWithAllCap memset_s failed"
);
return
FALSE
;
};
// Capget based on input parameters
int
ret
=
capget
(
&
capheader
,
&
capdataget
[
0
]);
if
(
ret
!=
0
)
{
// Capget with abnormal parameter
return
FALSE
;
}
return
0
;
}
static
int
CapgetWithCaps
(
pid_t
pid
,
unsigned
int
caps
)
{
struct
__user_cap_header_struct
capheader
=
{
0
};
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"CapgetWithAllCap memset_s failed"
);
return
FALSE
;
};
capheader
.
pid
=
pid
;
capheader
.
version
=
_LINUX_CAPABILITY_VERSION_3
;
struct
__user_cap_data_struct
capdataget
[
CAP_NUM
]
=
{
{
0
},
{
0
}
};
result
=
memset_s
(
capdataget
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
0xff
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"CapgetWithAllCap memset_s failed"
);
return
FALSE
;
};
// Capget based on input parameters and check whether the capability is the same as the input parameter
int
ret
=
capget
(
&
capheader
,
&
capdataget
[
0
]);
if
(
ret
!=
0
||
capdataget
[
0
].
effective
!=
caps
)
{
EXPECT_EQ
(
capdataget
[
0
].
effective
,
caps
)
<<
"ErrInfo: Pid = "
<<
pid
<<
", process has wrong capability"
;
return
FALSE
;
}
return
0
;
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_0600
* @tc.name : Processes with the CAP_KILL capability can invoke their management
and control interfaces to kill other processes
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F
(
CapabilityTestSuite
,
CapabilityTest0600
,
Function
|
MediumTest
|
Level2
)
{
int
ret
=
0
;
int
status1
=
0
;
int
status2
=
0
;
// Preset action: Fork a sub process pid1
pid_t
pid1
=
fork
();
ASSERT_TRUE
(
pid1
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
// Preset action: Change the UID&GID of the sub process pid1 and keep it hibernated
if
(
pid1
==
0
)
{
SetUidGid
(
UID555
,
GID555
);
ChildSleep
();
}
else
{
// Preset action: Fork a sub process pid2
pid_t
pid2
=
fork
();
ASSERT_TRUE
(
pid2
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
if
(
pid2
==
0
)
{
int
exitCode
=
0
;
// Step 1: Drop the capabilities of CAP_KILL
ret
=
DropCAPKILL
();
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to drop CAP_KILL"
);
exitCode
=
1
;
}
// Step 2: Failed to kill the sub process
ret
=
kill
(
pid1
,
SIGXFSZ
);
if
(
ret
!=
FALSE
)
{
LOG
(
"ErrInfo: Kill process without CAP_KILL"
);
exitCode
=
1
;
}
// Step 3: Change the UID&GID of the sub process pid1 and keep it hibernated
ret
=
SetUidGid
(
UID555
,
GID555
);
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to set uid and gid"
);
exitCode
=
1
;
}
// Step 4: The sub process exit with the exitCode
exit
(
exitCode
);
}
else
{
// Step 4: Kill the sub process pid1 successfully
ret
=
kill
(
pid1
,
SIGXFSZ
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to Kill pid1 with CAP_KILL"
;
// Cleanup action: Wait for the sub process pid1 and pid2 to be killed
waitpid
(
pid1
,
&
status1
,
0
);
waitpid
(
pid2
,
&
status2
,
0
);
EXPECT_NE
(
WIFEXITED
(
status2
),
0
)
<<
"ErrInfo: The sub process exit error, child_pid = "
<<
pid2
;
EXPECT_EQ
(
WEXITSTATUS
(
status2
),
0
)
<<
"ErrInfo: The exitCode is wrong, please query logs, child_pid = "
<<
pid2
;
}
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_0700
* @tc.name : Processes with the CAP_SETGID capability can invoke their management
and control interfaces to change the group IDs of other processes
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F
(
CapabilityTestSuite
,
CapabilityTest0700
,
Function
|
MediumTest
|
Level2
)
{
int
ret
=
0
;
int
status
=
0
;
pid_t
pid
=
fork
();
// Preset action: Fork a sub process
ASSERT_TRUE
(
pid
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
if
(
pid
==
0
)
{
int
exitCode
=
0
;
ret
=
setgid
(
NUM500
);
// Step 1.1: Set GID with interface 'setgid'
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to set GID with interface 'setgid', now process gid=%d"
,
getpid
());
exitCode
=
1
;
}
ret
=
setregid
(
NUM600
,
NUM600
);
// Step 1.2: Set reGID with interface 'setregid'
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to set reGID with interface 'setregid', now process gid=%d"
,
getpid
());
exitCode
=
1
;
}
ret
=
setresgid
(
NUM700
,
NUM700
,
NUM700
);
// Step 1.3: Set resGID with interface 'setresgid'
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to set resGID with interface 'setresgid', now process gid=%d"
,
getpid
());
exitCode
=
1
;
}
ret
=
setgroups
(
NUM3
,
GROUPLIST
);
// Step 1.4: Set groups with interface 'setgroups'
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to set groups with interface 'setgroups'"
);
exitCode
=
1
;
}
ret
=
DropCAPSETGID
();
// Step 2: Drop the capabilities of CAP_SETGID
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to drop CAP_SETGID"
);
exitCode
=
1
;
}
ret
=
setgid
(
NUM500
);
// Step 3.1: Failed to set GID with interface 'setgid'
if
(
ret
!=
FALSE
)
{
LOG
(
"ErrInfo: Set GID without CAP_SETGID, now process gid=%d"
,
getpid
());
exitCode
=
1
;
}
ret
=
setregid
(
NUM500
,
NUM500
);
// Step 3.2: Failed to set reGID with interface 'setregid'
if
(
ret
!=
FALSE
)
{
LOG
(
"ErrInfo: Set reGID without CAP_SETGID, now process gid=%d"
,
getpid
());
exitCode
=
1
;
}
ret
=
setresgid
(
NUM500
,
NUM500
,
NUM500
);
// Step 3.3: Failed to set resGID with interface 'setregid'
if
(
ret
!=
FALSE
)
{
LOG
(
"ErrInfo: Set resGID without CAP_SETGID, now process gid=%d"
,
getpid
());
exitCode
=
1
;
}
ret
=
setgroups
(
NUM3
,
GROUPLIST
);
// Step 3.4: Failed to set groups with interface 'setgroups'
if
(
ret
!=
FALSE
)
{
LOG
(
"ErrInfo: Set groups without CAP_SETGID"
);
exitCode
=
1
;
}
// Step 4: The sub process exit with the exitCode
exit
(
exitCode
);
}
else
{
waitpid
(
pid
,
&
status
,
0
);
// Step 5: The parent process wait for the sub process to exit and obtain the exitCode
EXPECT_NE
(
WIFEXITED
(
status
),
0
)
<<
"ErrInfo: The sub process exit error, child_pid = "
<<
pid
;
EXPECT_EQ
(
WEXITSTATUS
(
status
),
0
)
<<
"ErrInfo: The exitCode is wrong, please query logs, child_pid = "
<<
pid
;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_0800
* @tc.name : Processes with the CAP_SETUID capability can invoke their management
and control interfaces to change user IDs of other processes
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F
(
CapabilityTestSuite
,
CapabilityTest0800
,
Function
|
MediumTest
|
Level2
)
{
int
ret
=
0
;
int
status
=
0
;
// Preset action: Fork a sub process
pid_t
pid
=
fork
();
ASSERT_TRUE
(
pid
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
if
(
pid
==
0
)
{
int
exitCode
=
0
;
// Step 1.1: Set UID with interface 'setuid'
ret
=
setuid
(
NUM500
);
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to set UID with interface 'setuid', now process uid=%d"
,
getpid
());
exitCode
=
1
;
}
// Step 1.2: Set reUID with interface 'setreuid'
ret
=
setreuid
(
NUM600
,
NUM600
);
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to set reUID with interface 'setreuid', now process uid=%d"
,
getpid
());
exitCode
=
1
;
}
// Step 1.3: Set resUID with interface 'setresuid'
ret
=
setresuid
(
NUM700
,
NUM700
,
NUM700
);
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to set resUID with interface 'setresuid', now process uid=%d"
,
getpid
());
exitCode
=
1
;
}
// Step 2: Drop the capabilities of CAP_SETUID
ret
=
DropCAPSETUID
();
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to drop CAP_SETUID"
);
exitCode
=
1
;
}
// Step 3.1: Failed to set UID with interface 'setuid'
ret
=
setuid
(
NUM500
);
if
(
ret
!=
FALSE
)
{
LOG
(
"ErrInfo: Set UID without CAP_SETUID, now process uid=%d"
,
getpid
());
exitCode
=
1
;
}
// Step 3.2: Failed to set reUID with interface 'setreuid'
ret
=
setreuid
(
NUM500
,
NUM500
);
if
(
ret
!=
FALSE
)
{
LOG
(
"ErrInfo: Set reUID without CAP_SETUID, now process uid=%d"
,
getpid
());
exitCode
=
1
;
}
// Step 3.3: Failed to set resUID with interface 'setreuid'
ret
=
setresuid
(
NUM500
,
NUM500
,
NUM500
);
if
(
ret
!=
FALSE
)
{
LOG
(
"ErrInfo: Set resUID without CAP_SETUID, now process uid=%d"
,
getpid
());
exitCode
=
1
;
}
// Step 4: The sub process exit with the exitCode
exit
(
exitCode
);
}
else
{
// Step 5: The parent process wait for the sub process to exit and obtain the exitCode
waitpid
(
pid
,
&
status
,
0
);
EXPECT_NE
(
WIFEXITED
(
status
),
0
)
<<
"ErrInfo: The sub process exit error, child_pid = "
<<
pid
;
EXPECT_EQ
(
WEXITSTATUS
(
status
),
0
)
<<
"ErrInfo: The exitCode is wrong, please query logs, child_pid = "
<<
pid
;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_0900
* @tc.name : Processes with the CAP_SETPCCAP capability can invoke their management
and control interfaces to add and delete capabilities for other processes
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F
(
CapabilityTestSuite
,
CapabilityTest0900
,
Security
|
MediumTest
|
Level2
)
{
int
ret
=
0
;
int
status
=
0
;
// Preset action: Fork a sub process
pid_t
pid
=
fork
();
ASSERT_TRUE
(
pid
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
if
(
pid
==
0
)
{
int
exitCode
=
0
;
// Step 1: Drop the capabilities of CAP_SETPCAP
ret
=
DropCAPSETPCAP
();
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to drop CAP_SETPCAP"
);
exitCode
=
1
;
}
// Step 2: Failed to add the capabilities of CAP_SETPCAP
exitCode
=
AddCapUnauthorized
(
1
);
if
(
exitCode
!=
0
)
{
LOG
(
"ErrInfo: Add capabilities without CAP_SETPCAP"
);
}
// Step 3: The sub process exit with the exitCode
exit
(
exitCode
);
}
else
{
// Step 4: The parent process wait for the sub process to exit and obtain the exitCode
waitpid
(
pid
,
&
status
,
0
);
EXPECT_NE
(
WIFEXITED
(
status
),
0
)
<<
"ErrInfo: The sub process exit error, child_pid = "
<<
pid
;
EXPECT_EQ
(
WEXITSTATUS
(
status
),
0
)
<<
"ErrInfo: The exitCode is wrong, please query logs, child_pid = "
<<
pid
;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1000
* @tc.name : Processes with the CAP_SYS_NICE capability can invoke their management
and control interfaces to set the process priority
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F
(
CapabilityTestSuite
,
CapabilityTest1000
,
Function
|
MediumTest
|
Level2
)
{
int
ret
=
0
;
int
status1
=
0
;
int
status2
=
0
;
// Preset action: Fork a sub process pid1
pid_t
pid1
=
fork
();
ASSERT_TRUE
(
pid1
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
// Preset action: keep the sub process pid1 hibernated
if
(
pid1
==
0
)
{
ChildSleep
();
}
else
{
// Preset action: Fork a sub process pid2
pid_t
pid2
=
fork
();
ASSERT_TRUE
(
pid2
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
if
(
pid2
==
0
)
{
int
exitCode
=
0
;
// Preset action: Obtains the test priority
struct
sched_param
param
=
{
0
};
ret
=
sched_getparam
(
pid1
,
&
param
);
param
.
sched_priority
--
;
// Step 1: Set the priority of the sub process successfully
ret
=
sched_setparam
(
pid1
,
&
param
);
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to set priority with CAP_SYS_NICE"
);
exitCode
=
1
;
}
// Step 2: Drop the capabilities of CAP_SYS_NICE
ret
=
DropCAPSYSNICE
();
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to drop CAP_SYS_NICE"
);
exitCode
=
1
;
}
// Step 3: Failed to set the priority of the sub process
param
.
sched_priority
++
;
ret
=
sched_setparam
(
pid1
,
&
param
);
if
(
ret
!=
FALSE
)
{
LOG
(
"ErrInfo: Set priority without CAP_SYS_NICE"
);
exitCode
=
1
;
}
// Step 4: The sub process exit with the exitCode
exit
(
exitCode
);
}
else
{
// Step 5: The parent process wait for the sub process to exit and obtain the exitCode
waitpid
(
pid2
,
&
status2
,
0
);
EXPECT_NE
(
WIFEXITED
(
status2
),
0
)
<<
"ErrInfo: The sub process exit error, child_pid = "
<<
pid2
;
EXPECT_EQ
(
WEXITSTATUS
(
status2
),
0
)
<<
"ErrInfo: The exitCode is wrong, please query logs, child_pid = "
<<
pid2
;
// Cleanup action: Kill the sub process and wait for the sub process to be killed
ret
=
kill
(
pid1
,
SIGXFSZ
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to kill the sub process pid1"
;
waitpid
(
pid1
,
&
status1
,
0
);
}
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1100
* @tc.name : Processes with the CAP_SYS_TIME capability can call their management
and control interfaces and change the system clock
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F
(
CapabilityTestSuite
,
CapabilityTest1100
,
Function
|
MediumTest
|
Level2
)
{
int
ret
=
0
;
int
status
=
0
;
struct
timespec
tp
=
{
0
};
// Preset action: Fork a sub process
pid_t
pid
=
fork
();
ASSERT_TRUE
(
pid
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
if
(
pid
==
0
)
{
int
exitCode
=
0
;
// Preset action: Obtains the system time and the test time
clock_gettime
(
CLOCK_REALTIME
,
&
tp
);
tp
.
tv_sec
+=
1
;
// Step 1: Set the System Time with the test time successfully
ret
=
clock_settime
(
CLOCK_REALTIME
,
&
tp
);
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to set clocktime with CAP_SYS_TIME"
);
exitCode
=
1
;
}
// Step 2: Drop the capabilities of CAP_SYS_TIME
ret
=
DropCAPSYSTIME
();
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to drop CAP_SYS_TIME"
);
exitCode
=
1
;
}
// Step 3: Failed to set the system time with the test time
tp
.
tv_sec
+=
1
;
ret
=
clock_settime
(
CLOCK_REALTIME
,
&
tp
);
if
(
ret
!=
FALSE
)
{
LOG
(
"ErrInfo: Set clocktime without CAP_SYS_TIME"
);
exitCode
=
1
;
}
// Step 4: The sub process exit with the exitCode
exit
(
exitCode
);
}
else
{
// Step 5: The parent process wait for the sub process to exit and obtain the exitCode
waitpid
(
pid
,
&
status
,
0
);
EXPECT_NE
(
WIFEXITED
(
status
),
0
)
<<
"ErrInfo: The sub process exit error, child_pid = "
<<
pid
;
EXPECT_EQ
(
WEXITSTATUS
(
status
),
0
)
<<
"ErrInfo: The exitCode is wrong, please query logs, child_pid = "
<<
pid
;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1200
* @tc.name : Processes without the CAP_SETPCAP capability cannot drop any capability
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F
(
CapabilityTestSuite
,
CapabilityTest1200
,
Function
|
MediumTest
|
Level3
)
{
int
status
=
0
;
// Preset action: Fork a sub process
pid_t
pid
=
fork
();
ASSERT_TRUE
(
pid
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
if
(
pid
==
0
)
{
int
exitCode
=
0
;
// Step 1: Failed to add capabilities without CAP_SETPCAP
exitCode
=
CapsetWithoutSETPCAP
();
// Step 2: The sub process exit with the exitCode
exit
(
exitCode
);
}
else
{
// Step 3: The parent process wait for the sub process to exit and obtain the exitCode
waitpid
(
pid
,
&
status
,
0
);
EXPECT_NE
(
WIFEXITED
(
status
),
0
)
<<
"ErrInfo: The sub process exit error, child_pid = "
<<
pid
;
EXPECT_EQ
(
WEXITSTATUS
(
status
),
0
)
<<
"ErrInfo: The exitCode is wrong, please query logs, child_pid = "
<<
pid
;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1300
* @tc.name : Inheritance of process capabilities
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F
(
CapabilityTestSuite
,
CapabilityTest1300
,
Function
|
MediumTest
|
Level1
)
{
int
status
=
0
;
// Preset action: Fork a sub process
pid_t
pid
=
fork
();
ASSERT_TRUE
(
pid
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
if
(
pid
==
0
)
{
int
exitCode
=
0
;
// Step 1: Query the sub process capabilities for 10000 times
for
(
int
number
=
0
;
number
<
NUM10000
;
number
++
)
{
exitCode
=
CapgetWithAllCap
(
number
);
if
(
exitCode
!=
0
)
{
LOG
(
"ErrInfo: CapgetWithAllCap error during the %d time"
,
number
);
break
;
}
}
// Step 2: The sub process exit with the exitCode
exit
(
exitCode
);
}
else
{
// Step 3: The parent process wait for the sub process to exit and obtain the exitCode
waitpid
(
pid
,
&
status
,
0
);
EXPECT_NE
(
WIFEXITED
(
status
),
0
)
<<
"ErrInfo: The sub process exit error, child_pid = "
<<
pid
;
EXPECT_EQ
(
WEXITSTATUS
(
status
),
0
)
<<
"ErrInfo: The exitCode is wrong, please query logs, child_pid = "
<<
pid
;
// Step 4: Query the parent process capabilities
int
ret
=
CapgetWithAllCap
(
1
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: CapgetWithAllCap error"
;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1400
* @tc.name : Invoke the capset interface to add and drop the process capabilities for 10000 times
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F
(
CapabilityTestSuite
,
CapabilityTest1400
,
Reliability
|
MediumTest
|
Level2
)
{
int
status
=
0
;
// Preset action: Fork a sub process
pid_t
pid
=
fork
();
ASSERT_TRUE
(
pid
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
if
(
pid
==
0
)
{
int
exitCode
=
0
;
// Step 1: Drop and add the sub process capabilities for 10000 times
for
(
int
number
=
0
;
number
<
NUM10000
;
number
++
)
{
exitCode
=
CapsetOnlySETPCAP
(
number
);
if
(
exitCode
!=
0
)
{
LOG
(
"ErrInfo: CapsetOnlySETPCAP error during the %d time"
,
number
);
break
;
}
exitCode
=
AddCapUnauthorized
(
number
);
if
(
exitCode
!=
0
)
{
LOG
(
"ErrInfo: AddCapUnauthorized error during the %d time"
,
number
);
break
;
}
}
// Step 2: The sub process exit with the exitCode
exit
(
exitCode
);
}
else
{
// Step 3: The parent process wait for the sub process to exit and obtain the exitCode
waitpid
(
pid
,
&
status
,
0
);
EXPECT_NE
(
WIFEXITED
(
status
),
0
)
<<
"ErrInfo: The sub process exit error, child_pid = "
<<
pid
;
EXPECT_EQ
(
WEXITSTATUS
(
status
),
0
)
<<
"ErrInfo: The exitCode is wrong, please query logs, child_pid = "
<<
pid
;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1500
* @tc.name : Invoke the capset interface to revoke the process capabilities which not exist for 10000 times
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F
(
CapabilityTestSuite
,
CapabilityTest1500
,
Reliability
|
MediumTest
|
Level2
)
{
int
status
=
0
;
// Preset action: Fork a sub process
pid_t
pid
=
fork
();
ASSERT_TRUE
(
pid
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
if
(
pid
==
0
)
{
int
exitCode
=
0
;
struct
__user_cap_header_struct
capheader
=
{
0
};
errno_t
result
=
memset_s
(
&
capheader
,
sizeof
(
struct
__user_cap_header_struct
),
0
,
sizeof
(
struct
__user_cap_header_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"CapgetWithAllCap memset_s failed"
);
ASSERT_TRUE
(
false
);
};
capheader
.
version
=
_LINUX_CAPABILITY_VERSION_3
;
capheader
.
pid
=
0
;
struct
__user_cap_data_struct
capdata
[
CAP_NUM
]
=
{
{
0
},
{
0
}
};
result
=
memset_s
(
capdata
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
),
LINUX_FULL_CAP
,
CAP_NUM
*
sizeof
(
struct
__user_cap_data_struct
));
if
(
result
!=
EOK
)
{
LOG
(
"CapgetWithAllCap memset_s failed"
);
ASSERT_TRUE
(
false
);
};
capdata
[
CAP_TO_INDEX
(
INVALID_CAP_TO_INDEX
)].
permitted
&=
~
CAP_TO_MASK
(
INVALID_CAP_TO_INDEX
);
capdata
[
CAP_TO_INDEX
(
INVALID_CAP_TO_INDEX
)].
effective
&=
~
CAP_TO_MASK
(
INVALID_CAP_TO_INDEX
);
capdata
[
CAP_TO_INDEX
(
INVALID_CAP_TO_INDEX
)].
inheritable
&=
~
CAP_TO_MASK
(
INVALID_CAP_TO_INDEX
);
for
(
int
number
=
0
;
number
<
NUM10000
;
number
++
)
{
// Step 1: Drop an abnormal capability for 10000 times
int
ret
=
capset
(
&
capheader
,
&
capdata
[
0
]);
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Drop an abnormal capability during the %d time"
,
number
);
exitCode
=
1
;
break
;
}
}
// Step 2: The sub process exit with the exitCode
exit
(
exitCode
);
}
else
{
// Step 3: The parent process wait for the sub process to exit and obtain the exitCode
waitpid
(
pid
,
&
status
,
0
);
EXPECT_NE
(
WIFEXITED
(
status
),
0
)
<<
"ErrInfo: The sub process exit error, child_pid = "
<<
pid
;
EXPECT_EQ
(
WEXITSTATUS
(
status
),
0
)
<<
"ErrInfo: The exitCode is wrong, please query logs, child_pid = "
<<
pid
;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1600
* @tc.name : Enter the exception parameter for 10000 times when invoke the capset interface
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F
(
CapabilityTestSuite
,
CapabilityTest1600
,
Reliability
|
MediumTest
|
Level3
)
{
int
ret
=
0
;
int
status
=
0
;
// Preset action: Fork a sub process
pid_t
pid
=
fork
();
ASSERT_TRUE
(
pid
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
if
(
pid
==
0
)
{
int
exitCode
=
0
;
for
(
int
number
=
0
;
number
<
NUM10000
;
number
++
)
{
// Step 1.1: Capset the abnormal capheader.pid '-1' for 10000 times
ret
=
CapsetWithVersion
(
FALSE
,
_LINUX_CAPABILITY_VERSION_3
);
if
(
ret
!=
FALSE
)
{
LOG
(
"ErrInfo: Capset with the abnormal capheader.pid '-1' during the %d time"
,
number
);
exitCode
=
1
;
break
;
}
// Step 1.2: Capset the abnormal capheader.pid '65536' for 10000 times
ret
=
CapsetWithVersion
(
INVAILD_PID
,
_LINUX_CAPABILITY_VERSION_3
);
if
(
ret
!=
FALSE
)
{
LOG
(
"ErrInfo: Capset with the abnormal capheader.pid '65536' during the %d time"
,
number
);
exitCode
=
1
;
break
;
}
// Step 1.3: Capset the abnormal capheader.version '1' for 10000 times
ret
=
CapsetWithVersion
(
0
,
1
);
if
(
ret
!=
FALSE
)
{
LOG
(
"ErrInfo: Capset with the abnormal normal capheader.version '1' during the %d time"
,
number
);
exitCode
=
1
;
break
;
}
// Step 1.4: Capset the abnormal capheader.version '_LINUX_CAPABILITY_VERSION_1' for 10000 times
ret
=
CapsetWithVersion
(
0
,
_LINUX_CAPABILITY_VERSION_1
);
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Capset with the abnormal capheader.version '_LINUX_CAPABILITY_VERSION_1'"
"during the %d time"
,
number
);
exitCode
=
1
;
break
;
}
// Step 1.5: Add normal capheader.version '_LINUX_CAPABILITY_VERSION_3' for 10000 times
ret
=
CapsetWithVersion
(
0
,
_LINUX_CAPABILITY_VERSION_3
);
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to capset with normal capheader.version during the %d time"
,
number
);
exitCode
=
1
;
break
;
}
}
// Step 2: The sub process exit with the exitCode
exit
(
exitCode
);
}
else
{
// Step 3: The parent process wait for the sub process to exit and obtain the exitCode
waitpid
(
pid
,
&
status
,
0
);
EXPECT_NE
(
WIFEXITED
(
status
),
0
)
<<
"ErrInfo: The sub process exit error, child_pid = "
<<
pid
;
EXPECT_EQ
(
WEXITSTATUS
(
status
),
0
)
<<
"ErrInfo: The exitCode is wrong, please query logs, child_pid = "
<<
pid
;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1700
* @tc.name : Invoke the capget interface to query the process capabilities for 10000 times
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F
(
CapabilityTestSuite
,
CapabilityTest1700
,
Reliability
|
MediumTest
|
Level2
)
{
// Step 1: Query the process capabilities for 10000 times
for
(
int
number
=
0
;
number
<
NUM10000
;
number
++
)
{
int
ret
=
CapgetWithAllCap
(
number
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: CapgetWithAllCap error during the "
<<
number
<<
" time"
;
break
;
}
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1800
* @tc.name : Invoke the capget interface to query the process capabilities which not exist for 10000 times
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F
(
CapabilityTestSuite
,
CapabilityTest1800
,
Reliability
|
MediumTest
|
Level3
)
{
int
ret
=
0
;
int
status
=
0
;
// Preset action: Fork a sub process
pid_t
pid
=
fork
();
ASSERT_TRUE
(
pid
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
if
(
pid
==
0
)
{
int
exitCode
=
0
;
// Step 1: Drop all the sub process capabilities
DropAllCAP
();
// Step 2: Obtain the sub process capabilities
for
(
int
number
=
0
;
number
<
NUM10000
;
number
++
)
{
exitCode
=
CapgetWithNoCap
(
number
);
if
(
exitCode
!=
0
)
{
LOG
(
"ErrInfo: CapgetWithNoCap error during the %d time"
,
number
);
break
;
}
}
// Step 3: The sub process exit with the exitCode
exit
(
exitCode
);
}
else
{
// Step 4: The parent process wait for the sub process to exit and obtain the exitCode
waitpid
(
pid
,
&
status
,
0
);
EXPECT_NE
(
WIFEXITED
(
status
),
0
)
<<
"ErrInfo: The sub process exit error, child_pid = "
<<
pid
;
EXPECT_EQ
(
WEXITSTATUS
(
status
),
0
)
<<
"ErrInfo: The exitCode is wrong, please query logs, child_pid = "
<<
pid
;
// Step 5: Query the parent process capabilities
ret
=
CapgetWithAllCap
(
1
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: CapgetWithAllCap error"
;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1900
* @tc.name : Enter the exception parameter for 10000 times when invoke the capget interface
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F
(
CapabilityTestSuite
,
CapabilityTest1900
,
Reliability
|
MediumTest
|
Level2
)
{
int
ret
=
0
;
int
status
=
0
;
// Preset action: Fork a sub process
pid_t
pid
=
fork
();
ASSERT_TRUE
(
pid
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
if
(
pid
==
0
)
{
int
exitCode
=
0
;
for
(
int
number
=
0
;
number
<
NUM10000
;
number
++
)
{
// Step 1.1: Capget the abnormal capheader.pid '-1' for 10000 times
ret
=
CapgetWithVersion
(
FALSE
,
_LINUX_CAPABILITY_VERSION_3
);
if
(
ret
!=
FALSE
)
{
LOG
(
"ErrInfo: Capget with the abnormal capheader.pid '-1' during the %d time"
,
number
);
exitCode
=
1
;
break
;
}
// Step 1.2: Capget the abnormal capheader.pid '65536' for 10000 times
ret
=
CapgetWithVersion
(
INVAILD_PID
,
_LINUX_CAPABILITY_VERSION_3
);
if
(
ret
!=
FALSE
)
{
LOG
(
"ErrInfo: Capget with the abnormal capheader.pid '65536' during the %d time"
,
number
);
exitCode
=
1
;
break
;
}
// Step 1.3: Capget the abnormal capheader.version '1' for 10000 times
ret
=
CapgetWithVersion
(
0
,
1
);
if
(
ret
!=
FALSE
)
{
LOG
(
"ErrInfo: Capget with the abnormal capheader.version '1' during the %d time"
,
number
);
exitCode
=
1
;
break
;
}
// Step 1.4: Capget with the abnormal capheader.version '_LINUX_CAPABILITY_VERSION_1' for 10000 times
ret
=
CapgetWithVersion
(
0
,
_LINUX_CAPABILITY_VERSION_1
);
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Capget with the abnormal capheader.version '_LINUX_CAPABILITY_VERSION_1'"
"during the %d time"
,
number
);
exitCode
=
1
;
break
;
}
// Step 1.5: Capget the normal capheader.version '_LINUX_CAPABILITY_VERSION_3' for 10000 times
ret
=
CapgetWithVersion
(
0
,
_LINUX_CAPABILITY_VERSION_3
);
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to capget with the normal capheader.version '_LINUX_CAPABILITY_VERSION_3'"
"during the %d time"
,
number
);
exitCode
=
1
;
break
;
}
}
// Step 2: The sub process exit with the exitCode
exit
(
exitCode
);
}
else
{
// Step 3: The parent process wait for the sub process to exit and obtain the exitCode
waitpid
(
pid
,
&
status
,
0
);
EXPECT_NE
(
WIFEXITED
(
status
),
0
)
<<
"ErrInfo: The sub process exit error, child_pid = "
<<
pid
;
EXPECT_EQ
(
WEXITSTATUS
(
status
),
0
)
<<
"ErrInfo: The exitCode is wrong, please query logs, child_pid = "
<<
pid
;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_2100
* @tc.name : Five processes concurrently invoke APIs managed by the capability for 5000 times
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F
(
CapabilityTestSuite
,
CapabilityTest2100
,
Reliability
|
MediumTest
|
Level2
)
{
int
status
=
0
;
// Preset action: Fork five sub processes
pid_t
pid
;
for
(
int
num
=
0
;
num
<
NUM5
;
num
++
)
{
pid
=
fork
();
ASSERT_TRUE
(
pid
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
if
(
pid
==
0
)
{
break
;
}
}
// get one parent & five children
if
(
pid
==
0
)
{
int
exitCode
=
0
;
for
(
int
number
=
0
;
number
<
NUM5000
;
number
++
)
{
// Step 1: Five sub processes simultaneously drop capabilities for 5000 times
exitCode
=
CapsetOnlySETPCAP
(
number
);
if
(
exitCode
!=
0
)
{
LOG
(
"ErrInfo: CapsetOnlySETPCAP Error during the %d time"
,
number
);
break
;
}
// Step 2: Five sub processes simultaneously add capabilities for 5000 times
exitCode
=
AddCapUnauthorized
(
number
);
if
(
exitCode
!=
0
)
{
LOG
(
"ErrInfo: AddCapUnauthorized Error during the %d time"
,
number
);
break
;
}
// Step 3: Five sub processes simultaneously capget for 5000 times
exitCode
=
CapgetOnlySETPCAP
(
number
);
if
(
exitCode
!=
0
)
{
LOG
(
"ErrInfo: CapgetOnlySETPCAP Error during the %d time"
,
number
);
break
;
}
}
// Step 4: Five sub processes exit with the exitCode
exit
(
exitCode
);
}
else
{
// Step 5: The parent process wait for five sub processes to exit and obtain the exitCode
for
(
int
num2
=
0
;
num2
<
NUM5
;
num2
++
)
{
wait
(
&
status
);
EXPECT_NE
(
WIFEXITED
(
status
),
0
)
<<
"ErrInfo: The sub process exit error, child_pid = "
<<
pid
;
EXPECT_EQ
(
WEXITSTATUS
(
status
),
0
)
<<
"ErrInfo: Pid = "
<<
pid
<<
", its exitCode is wrong and test case failed, please query logs"
;
}
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_2200
* @tc.name : Check whether the default configuration of the system process capabilities
is the same as that described in the design document
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F
(
CapabilityTestSuite
,
CapabilityTest2200
,
Security
|
MediumTest
|
Level1
)
{
int
ret
;
// Step 1: Check the capability of process 'init', pid = 1
ret
=
CapgetWithCaps
(
INIT_PID
,
INIT_CAP
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Pid = 1, process init has wrong capability"
;
// Step 2: Check the capability of process 'KProcess', pid = 2
ret
=
CapgetWithCaps
(
KPROCESS_PID
,
KPROCESS_CAP
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Pid = 2, process KProcess has wrong capability"
;
// Step 3: Check the capability of process 'shell', pid = 8
ret
=
CapgetWithCaps
(
SHELL_PID
,
SHELL_CAP
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Pid = 8, process shell has wrong capability"
;
// Step 4: Check the capability of process 'apphilogcat', pid = 10
ret
=
CapgetWithCaps
(
HILOGCAT_PID
,
HILOGCAT_CAP
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Pid = 10, process apphilogcat has wrong capability"
;
// Step 5: Check the capability of process 'foundation', pid = 3
ret
=
CapgetWithCaps
(
FOUNDATION_PID
,
FOUNDATION_CAP
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Pid = 3, process foundation has wrong capability"
;
// Step 6: Check the capability of process 'bundle_daemon', pid = 4
ret
=
CapgetWithCaps
(
BUNDLE_DAEMON_PID
,
BUNDLE_DAEMON_CAP
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Pid = 4, process bundle_daemon has wrong capability"
;
// Step 7: Check the capability of process 'appspawn', pid = 5
ret
=
CapgetWithCaps
(
APPSPAWN_PID
,
APPSPAWN_CAP
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Pid = 5, process appspawn has wrong capability"
;
// Step 8: Check the capability of process 'media_server', pid = 6
ret
=
CapgetWithCaps
(
MEDIA_SERVER_PID
,
MEDIA_SERVER_CAP
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Pid = 6, process media_server has wrong capability"
;
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_2400
* @tc.name : The process continuously invokes the capset and capget interfaces,
which does not affect the use of other processes
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F
(
CapabilityTestSuite
,
CapabilityTest2400
,
Function
|
MediumTest
|
Level1
)
{
int
status
=
0
;
// Preset action: Create a txt
CreateTxt
();
// Preset action: Fork two sub processes
pid_t
pid
;
for
(
int
num
=
0
;
num
<
NUM2
;
num
++
)
{
pid
=
fork
();
ASSERT_TRUE
(
pid
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
if
(
pid
==
0
)
{
break
;
}
}
// get one parent & two children
if
(
pid
==
0
)
{
int
exitCode
=
0
;
for
(
int
number
=
0
;
number
<
NUM5000
;
number
++
)
{
// Step 1: Two sub processes simultaneously drop capabilities for 5000 times
exitCode
=
CapsetOnlySETPCAP
(
number
);
if
(
exitCode
!=
0
)
{
LOG
(
"ErrInfo: CapsetOnlySETPCAP Error during the %d time"
,
number
);
break
;
}
// Step 2: Two sub processes simultaneously add capabilities for 5000 times
exitCode
=
AddCapUnauthorized
(
number
);
if
(
exitCode
!=
0
)
{
LOG
(
"ErrInfo: AddCapUnauthorized Error during the %d time"
,
number
);
break
;
}
// Step 3: Two sub processes simultaneously capget for 5000 times
exitCode
=
CapgetOnlySETPCAP
(
number
);
if
(
exitCode
!=
0
)
{
LOG
(
"ErrInfo: CapgetOnlySETPCAP Error during the %d time"
,
number
);
break
;
}
}
// Step 4: Two sub processes exit with the exitCode
exit
(
exitCode
);
}
else
{
// Step 5: The parent process simultaneously invoke chown interfaces for 1000 times
for
(
int
number2
=
0
;
number2
<
NUM1000
;
number2
++
)
{
int
ret
=
chown
(
TOP_DIR
"/"
CAPDIR0
"/"
CAPDIR0_CAPFILE0
,
number2
,
number2
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to chown during the "
<<
number2
<<
" time"
;
break
;
}
}
// Step 6: The parent process wait for two sub processes to exit and obtain the exitCode
for
(
int
num2
=
0
;
num2
<
NUM2
;
num2
++
)
{
wait
(
&
status
);
EXPECT_NE
(
WIFEXITED
(
status
),
0
)
<<
"ErrInfo: The sub process exit error, child_pid = "
<<
pid
;
EXPECT_EQ
(
WEXITSTATUS
(
status
),
0
)
<<
"ErrInfo: Pid = "
<<
pid
<<
", its exitCode is wrong and test case failed, please query logs"
;
}
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_2500
* @tc.name : Performance test of capset and capget interface
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F
(
CapabilityTestSuite
,
CapabilityTest2500
,
Performance
|
MediumTest
|
Level2
)
{
int
status
=
0
;
// Preset action: Fork a sub process
pid_t
pid
=
fork
();
ASSERT_TRUE
(
pid
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
if
(
pid
==
0
)
{
int
exitCode
=
0
;
struct
timespec
tp
=
{
0
};
struct
timespec
starttime
=
{
0
};
struct
timespec
endtime
=
{
0
};
tp
.
tv_sec
=
0
;
tp
.
tv_nsec
=
0
;
// Preset action: Obtains the system time -> starttime
clock_gettime
(
CLOCK_REALTIME
,
&
starttime
);
// Step 1: Capset and capget for 200000 times
for
(
int
number
=
0
;
number
<
NUM10000
;
number
++
)
{
CapsetOnlySETPCAP
(
number
);
AddCapUnauthorized
(
number
);
CapgetOnlySETPCAP
(
number
);
}
// Step 2: Obtains the system time again -> endtime
clock_gettime
(
CLOCK_REALTIME
,
&
endtime
);
// Step 3: Compare the starttime and the endtime -> tp
tp
=
CompareTime
(
starttime
,
endtime
);
if
(
tp
.
tv_sec
>
NUM20
)
{
LOG
(
"ErrInfo: Capset and capget for 200000 times used %d.%d s"
,
tp
.
tv_sec
,
tp
.
tv_nsec
);
exitCode
=
1
;
}
// Step 4: Two sub processes exit with the exitCode
exit
(
exitCode
);
}
else
{
// Step 5: The parent process wait for the sub process to exit and obtain the exitCode
waitpid
(
pid
,
&
status
,
0
);
EXPECT_NE
(
WIFEXITED
(
status
),
0
)
<<
"ErrInfo: The sub process exit error, child_pid = "
<<
pid
;
EXPECT_EQ
(
WEXITSTATUS
(
status
),
0
)
<<
"ErrInfo: The exitCode is wrong, please query logs, child_pid = "
<<
pid
;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_2600
* @tc.name : Performance test of the interface managed by Capability
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F
(
CapabilityTestSuite
,
CapabilityTest2600
,
Performance
|
MediumTest
|
Level2
)
{
struct
timespec
tp
=
{
0
};
struct
timespec
starttime
=
{
0
};
struct
timespec
endtime
=
{
0
};
tp
.
tv_sec
=
0
;
tp
.
tv_nsec
=
0
;
// Preset action: Create a txt
CreateTxt
();
// Preset action: Obtains the system time -> starttime
clock_gettime
(
CLOCK_REALTIME
,
&
starttime
);
// Step 1: Chown for 10000 times
for
(
int
number
=
0
;
number
<
NUM1000
;
number
++
)
{
chown
(
TOP_DIR
"/"
CAPDIR0
"/"
CAPDIR0_CAPFILE0
,
number
,
number
);
}
// Step 2: Obtains the system time again -> endtime
clock_gettime
(
CLOCK_REALTIME
,
&
endtime
);
// Step 3: Compare the starttime and the endtime -> tp
tp
=
CompareTime
(
starttime
,
endtime
);
EXPECT_LE
(
tp
.
tv_sec
,
NUM80
)
<<
"ErrInfo: Chown for 1000 times used "
<<
tp
.
tv_sec
<<
"."
<<
tp
.
tv_nsec
<<
"s"
;
// Cleanup action: Restore the initial status of the file
chown
(
TOP_DIR
"/"
CAPDIR0
"/"
CAPDIR0_CAPFILE0
,
UID0
,
GID0
);
}
#endif
security_lite/permission_posix/capability/src/ActsCapabilityTest.h
已删除
100644 → 0
浏览文件 @
ed6da30f
/*
* Copyright (c) 2021 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_CAPABILITY_SRC_ACTSCAPABILITYTEST_H
#define XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_CAPABILITY_SRC_ACTSCAPABILITYTEST_H
#include <cstddef>
#include <sys/stat.h>
constexpr
int
FALSE
=
-
1
;
constexpr
int
NUM0
=
0
;
constexpr
int
NUM1
=
1
;
constexpr
int
NUM2
=
2
;
constexpr
int
NUM3
=
3
;
constexpr
int
NUM5
=
5
;
constexpr
int
NUM20
=
20
;
constexpr
int
NUM80
=
80
;
constexpr
int
NUM100
=
100
;
constexpr
int
NUM500
=
500
;
constexpr
int
NUM600
=
600
;
constexpr
int
NUM700
=
700
;
constexpr
int
NUM1000
=
1000
;
constexpr
int
NUM3000
=
3000
;
constexpr
int
NUM5000
=
5000
;
constexpr
int
NUM10000
=
10000
;
constexpr
int
INIT_PID
=
1
;
constexpr
int
KPROCESS_PID
=
2
;
constexpr
int
SHELL_PID
=
8
;
constexpr
int
HILOGCAT_PID
=
10
;
constexpr
int
FOUNDATION_PID
=
3
;
constexpr
int
BUNDLE_DAEMON_PID
=
4
;
constexpr
int
APPSPAWN_PID
=
5
;
constexpr
int
MEDIA_SERVER_PID
=
6
;
constexpr
int
WMS_SERVER_OR_AI_SERVER_PID
=
7
;
constexpr
int
HIVIEW_PID
=
10
;
constexpr
int
OTHER_PID
=
12
;
constexpr
int
INIT_PID_2
=
1
;
constexpr
int
KPROCESS_PID_2
=
2
;
constexpr
int
SHELL_PID_2
=
8
;
constexpr
int
HILOGCAT_PID_2
=
10
;
constexpr
int
FOUNDATION_PID_2
=
3
;
constexpr
int
BUNDLE_DAEMON_PID_2
=
4
;
constexpr
int
APPSPAWN_PID_2
=
5
;
constexpr
int
MEDIA_SERVER_PID_2
=
6
;
constexpr
int
WMS_SERVER_OR_AI_SERVER_PID_2
=
7
;
constexpr
int
HIVIEW_PID_2
=
10
;
constexpr
int
OTHER_PID_2
=
12
;
constexpr
unsigned
int
INIT_CAP
=
0x02e83def
;
constexpr
unsigned
int
KPROCESS_CAP
=
0x02e83def
;
constexpr
unsigned
int
SHELL_CAP
=
0x02e83def
;
constexpr
unsigned
int
HILOGCAT_CAP
=
0x00000000
;
constexpr
unsigned
int
FOUNDATION_CAP
=
0x00003c00
;
constexpr
unsigned
int
BUNDLE_DAEMON_CAP
=
0x00000007
;
constexpr
unsigned
int
APPSPAWN_CAP
=
0x008009c4
;
constexpr
unsigned
int
MEDIA_SERVER_CAP
=
0x00000000
;
constexpr
unsigned
int
WMS_SERVER_OR_AI_SERVER_CAP
=
0x00000000
;
constexpr
unsigned
int
HIVIEW_CAP
=
0x00000000
;
constexpr
unsigned
int
LINUX_FULL_CAP
=
0xffffffff
;
constexpr
unsigned
int
OHOS_FULL_CAP
=
0x02e83def
;
constexpr
unsigned
int
NO_CAP
=
0x00000000
;
constexpr
unsigned
int
ONLY_SETPCAP_CAP
=
0x00000100
;
constexpr
int
CAP_NUM
=
2
;
constexpr
int
INVALID_CAP_TO_INDEX
=
40
;
constexpr
int
MAX_PATH_SIZE
=
256
;
constexpr
int
INVAILD_PID
=
65536
;
constexpr
int
SLEEP_NUM
=
100000
;
constexpr
int
LONG_SLEEP_NUM
=
2000000
;
constexpr
int
PID_MAX
=
4194305
;
constexpr
mode_t
ZERO
=
0000
;
constexpr
mode_t
NORWX
=
0001
;
constexpr
mode_t
RWX
=
0777
;
constexpr
uid_t
UID0
=
0
;
constexpr
uid_t
UID1
=
1
;
constexpr
uid_t
UID555
=
555
;
constexpr
uid_t
UID1000
=
1000
;
constexpr
uid_t
UID10000
=
10000
;
constexpr
uid_t
UID20000
=
20000
;
constexpr
gid_t
GID0
=
0
;
constexpr
gid_t
GID1
=
1
;
constexpr
gid_t
GID555
=
555
;
constexpr
gid_t
GID1000
=
1000
;
constexpr
gid_t
GID10000
=
10000
;
constexpr
gid_t
GID20000
=
20000
;
constexpr
gid_t
GROUPLIST
[
NUM3
]
=
{
500
,
500
,
500
};
constexpr
size_t
SIZE512
=
512
;
// Creating Folders and Files for the Test
#define CAPDIR0 "CAPDIR0" // DIR0/
#define CAPDIR0_CAPFILE0 "CAPDIR0_CAPFILE0" // ├── DIR0_FILE0
#define CAPDIR0_CAPFILE1 "CAPDIR0_CAPFILE1" // ├── DIR0_FILE1
#define CAPDIR0_CAPDIR0 "CAPDIR0_CAPDIR0" // ├── DIR0_DIR0/
#define CAPDIR0_CAPDIR1 "CAPDIR0_CAPDIR1" // └── DIR0_DIR1/
extern
"C"
{
#define LOG(format, ...) printf("%s:%d:\n" format "\n", __FILE__, __LINE__, ##__VA_ARGS__);
}
void
Sigac
(
int
i
);
void
ChildSleep
();
int
CapInit
();
int
DropCAPCHOWN
();
int
DropCAPDACOVERRIDE
();
int
DropCAPDACREADSEARCH
();
int
DropCAPDACOVERRIDEAndREADSEARCH
();
int
DropCAPFOWNER
();
int
DropCAPKILL
();
int
DropCAPSETGID
();
int
DropCAPSETUID
();
int
DropCAPSETPCAP
();
int
DropCAPSYSNICE
();
int
DropCAPSYSTIME
();
int
DropAllCAP
();
int
RemoveDir
(
const
char
*
dirname
);
int
SetUidGid
(
uid_t
uid
,
gid_t
gid
);
timespec
CompareTime
(
timespec
start
,
timespec
end
);
char
*
GetCurrentPath
();
int
CheckFsMount
(
const
char
*
topDir
,
const
char
*
topDirMountInfo
);
#endif
security_lite/permission_posix/capability/src/CapabilityFileSystemTest.cpp
已删除
100755 → 0
浏览文件 @
ed6da30f
/*
* Copyright (c) 2021 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "CapabilityFileSystemTest.h"
#include <unistd.h>
#include "ActsCapabilityTest.h"
using
namespace
testing
::
ext
;
// Preset action of the test suite, which is executed before the first test case
void
CapabilityTestSuite
::
SetUp
()
{
// Permission mask preset when creating a file
umask
(
ZERO
);
// Init capabilities
CapInit
();
// Initialize the process and set the uid and gid of the process to zero
SetUidGid
(
UID0
,
GID0
);
// Delete the 'TOP_DIR/CAPDIR0' if the directory exists
RemoveDir
(
TOP_DIR
"/"
CAPDIR0
);
// Obtain the current working directory of the test code
mCurPath
=
GetCurrentPath
();
// Modify the current working directory of the test code
int
ret
=
chdir
(
TOP_DIR
);
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to chdir to %s, ret=%d, errno=%d"
,
TOP_DIR
,
ret
,
errno
);
}
}
// Test suite cleanup action, which is executed after the last test case
void
CapabilityTestSuite
::
TearDown
()
{
// Delete the 'TOP_DIR/CAPDIR0' if the directory exists
RemoveDir
(
TOP_DIR
"/"
CAPDIR0
);
// Restore the working directory of the test code
int
ret
=
chdir
(
mCurPath
);
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to chdir to %s, ret=%d, errno=%d"
,
mCurPath
,
ret
,
errno
);
}
}
int
main
(
int
argc
,
char
*
argv
[])
{
testing
::
GTEST_FLAG
(
output
)
=
"xml:"
;
testing
::
InitGoogleTest
(
&
argc
,
argv
);
if
(
CheckFsMount
(
TOP_DIR
,
TOP_DIR_MOUNT_INFO
)
!=
0
)
{
return
1
;
}
return
RUN_ALL_TESTS
();
}
\ No newline at end of file
security_lite/permission_posix/capability/src/CapabilityFileSystemTest.h
已删除
100755 → 0
浏览文件 @
ed6da30f
/*
* Copyright (c) 2021 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_CAPABILITY_SRC_CAPABILITYFILESYSTEMTEST_H
#define XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_CAPABILITY_SRC_CAPABILITYFILESYSTEMTEST_H
#include <gtest/gtest.h>
class
CapabilityTestSuite
:
public
::
testing
::
Test
{
protected:
char
*
mCurPath
;
void
SetUp
();
void
TearDown
();
};
#endif
\ No newline at end of file
security_lite/permission_posix/capability/vfat/BUILD.gn
已删除
100755 → 0
浏览文件 @
ed6da30f
# Copyright (c) 2021 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import("//build/lite/config/subsystem/aafwk/config.gni")
import("//test/xts/tools/lite/build/suite_lite.gni")
hcpptest_suite("ActsVFATCapabilityTest") {
suite_name = "acts"
sources = [
"../src/ActsCapability.cpp",
"../src/ActsCapabilityTest.cpp",
"../src/CapabilityFileSystemTest.cpp",
]
include_dirs = [
"../src",
"//third_party/bounds_checking_function/include",
]
public_deps = [ "//third_party/bounds_checking_function:libsec_shared" ]
cflags_cc = [
"-Wno-write-strings",
"-Wno-sign-compare",
]
ldflags = [
"-lstdc++",
"-lm",
"-lpthread",
]
if (enable_ohos_appexecfwk_feature_ability == true) {
defines = [
"_BOARD_HI3516_",
"LITE_FS_VFAT",
"TOP_DIR=\"/sdcard\"",
"TOP_DIR_MOUNT_INFO=\"/sdcard vfat\"",
]
} else {
defines = [
"LITE_FS_VFAT",
"TOP_DIR=\"/sdcard\"",
"TOP_DIR_MOUNT_INFO=\"/sdcard vfat\"",
]
}
}
security_lite/permission_posix/capability/vfat/Test.json
已删除
100644 → 0
浏览文件 @
ed6da30f
{
"description"
:
"Config for hcpptest demo test cases"
,
"environment"
:
[
{
"type"
:
"device"
,
"label"
:
"ipcamera"
}
],
"kits"
:
[
{
"type"
:
"MountKit"
,
"server"
:
"NfsServer"
,
"mount"
:
[
{
"source"
:
"testcases/security"
,
"target"
:
"/test_root/security"
}
]
}
],
"driver"
:
{
"type"
:
"CppTestLite"
,
"execute"
:
"/test_root/security/ActsVFATCapabilityTest.bin"
}
}
\ No newline at end of file
security_lite/permission_posix/dac/BUILD.gn
已删除
100755 → 0
浏览文件 @
ed6da30f
# Copyright (c) 2020-2021 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
group("ActsDacTest") {
deps = [ "./vfat:ActsVFATDACTest" ]
}
security_lite/permission_posix/dac/src/ActsDacPreTest.cpp
已删除
100755 → 0
浏览文件 @
ed6da30f
/*
* Copyright (c) 2020-2021 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "ActsDacTest.h"
#include <cstddef>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include "gtest/gtest.h"
#include "ActsCapabilityTest.h"
#include "DACFileSystemTest.h"
using
namespace
std
;
using
namespace
testing
::
ext
;
#if defined(LITE_FS_VFAT)
static
int
TestSetUid
()
{
// Test the 'setuid' interface
int
ret
=
0
;
uid_t
ruid
=
0
;
uid_t
euid
=
0
;
uid_t
suid
=
0
;
// Step 1: Verify that UID is set to 0
ret
=
setuid
(
UID0
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set uid=0, now process uid=%d"
,
getuid
());
return
FALSE
;
}
// To test the function of invoking the setuid interface to set the UID=0
getresuid
(
&
ruid
,
&
euid
,
&
suid
);
EXPECT_EQ
(
ruid
,
UID0
)
<<
"Failed to set ruid=0: ruid="
<<
ruid
;
EXPECT_EQ
(
euid
,
UID0
)
<<
"Failed to set euid=0: euid="
<<
euid
;
EXPECT_EQ
(
suid
,
UID0
)
<<
"Failed to set suid=0: suid="
<<
suid
;
// Step 2: Verify that UID is set to 1000
ret
=
setuid
(
UID1000
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set uid=1000, now process uid=%d"
,
getuid
());
return
FALSE
;
}
// To test the function of invoking the setuid interface to set the UID=1000
getresuid
(
&
ruid
,
&
euid
,
&
suid
);
EXPECT_EQ
(
ruid
,
UID1000
)
<<
"Failed to set ruid=1000: ruid="
<<
ruid
;
EXPECT_EQ
(
euid
,
UID1000
)
<<
"Failed to set euid=1000: euid="
<<
euid
;
EXPECT_EQ
(
suid
,
UID1000
)
<<
"Failed to set suid=1000: suid="
<<
suid
;
// Step 3: Verify that UID is set to 10000
ret
=
setuid
(
UID10000
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set uid=10000, now process uid=%d"
,
getuid
());
return
FALSE
;
}
// To test the function of invoking the setuid interface to set the UID=10000
getresuid
(
&
ruid
,
&
euid
,
&
suid
);
EXPECT_EQ
(
ruid
,
UID10000
)
<<
"Failed to set ruid=10000: ruid="
<<
ruid
;
EXPECT_EQ
(
euid
,
UID10000
)
<<
"Failed to set euid=10000: euid="
<<
euid
;
EXPECT_EQ
(
suid
,
UID10000
)
<<
"Failed to set suid=10000: suid="
<<
suid
;
// Step 4: Verify that UID is set to 2147483647
ret
=
setuid
(
MAX_INT
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set uid=2147483647, now process uid=%d"
,
getuid
());
return
FALSE
;
}
// To test the function of invoking the setuid interface to set the UID=2147483647
getresuid
(
&
ruid
,
&
euid
,
&
suid
);
EXPECT_EQ
(
ruid
,
MAX_INT
)
<<
"Failed to set ruid=2147483647: ruid="
<<
ruid
;
EXPECT_EQ
(
euid
,
MAX_INT
)
<<
"Failed to set euid=2147483647: euid="
<<
euid
;
EXPECT_EQ
(
suid
,
MAX_INT
)
<<
"Failed to set suid=2147483647: suid="
<<
suid
;
return
0
;
}
static
int
TestSetREUid
()
{
// Test the 'setreuid' interface
int
ret
=
0
;
uid_t
ruid
=
0
;
uid_t
euid
=
0
;
uid_t
suid
=
0
;
// Step 1: Verify that UID is set to 0
ret
=
setreuid
(
UID0
,
UID0
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set uid=0, now process uid=%d"
,
getuid
());
return
FALSE
;
}
// To test the function of invoking the setuid interface to set the UID=0
getresuid
(
&
ruid
,
&
euid
,
&
suid
);
EXPECT_EQ
(
ruid
,
UID0
)
<<
"Failed to set ruid=0: ruid="
<<
ruid
;
EXPECT_EQ
(
euid
,
UID0
)
<<
"Failed to set euid=0: euid="
<<
euid
;
EXPECT_EQ
(
suid
,
UID0
)
<<
"Failed to set suid=0: suid="
<<
suid
;
// Step 2: Verify that UID is set to 1000
ret
=
setreuid
(
UID1000
,
UID1000
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set uid=1000, now process uid=%d"
,
getuid
());
return
FALSE
;
}
// To test the function of invoking the setuid interface to set the UID=1000
getresuid
(
&
ruid
,
&
euid
,
&
suid
);
EXPECT_EQ
(
ruid
,
UID1000
)
<<
"Failed to set ruid=1000: ruid="
<<
ruid
;
EXPECT_EQ
(
euid
,
UID1000
)
<<
"Failed to set euid=1000: euid="
<<
euid
;
EXPECT_EQ
(
suid
,
UID1000
)
<<
"Failed to set suid=1000: suid="
<<
suid
;
// Step 3: Verify that UID is set to 10000
ret
=
setreuid
(
UID10000
,
UID10000
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set uid=10000, now process uid=%d"
,
getuid
());
return
FALSE
;
}
// To test the function of invoking the setuid interface to set the UID=10000
getresuid
(
&
ruid
,
&
euid
,
&
suid
);
EXPECT_EQ
(
ruid
,
UID10000
)
<<
"Failed to set ruid=10000: ruid="
<<
ruid
;
EXPECT_EQ
(
euid
,
UID10000
)
<<
"Failed to set euid=10000: euid="
<<
euid
;
EXPECT_EQ
(
suid
,
UID10000
)
<<
"Failed to set suid=10000: suid="
<<
suid
;
// Step 4: Verify that UID is set to 2147483647
ret
=
setreuid
(
MAX_INT
,
MAX_INT
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set uid=2147483647, now process uid=%d"
,
getuid
());
return
FALSE
;
}
// To test the function of invoking the setuid interface to set the UID=2147483647
getresuid
(
&
ruid
,
&
euid
,
&
suid
);
EXPECT_EQ
(
ruid
,
MAX_INT
)
<<
"Failed to set ruid=2147483647: ruid="
<<
ruid
;
EXPECT_EQ
(
euid
,
MAX_INT
)
<<
"Failed to set euid=2147483647: euid="
<<
euid
;
EXPECT_EQ
(
suid
,
MAX_INT
)
<<
"Failed to set suid=2147483647: suid="
<<
suid
;
return
0
;
}
static
int
TestSetRESUid
()
{
// Test the 'setresuid' interface
int
ret
=
0
;
uid_t
ruid
=
0
;
uid_t
euid
=
0
;
uid_t
suid
=
0
;
// Step 1: Verify that UID is set to 0
ret
=
setresuid
(
UID0
,
UID0
,
UID0
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set uid=0, now process uid=%d"
,
getuid
());
return
FALSE
;
}
// To test the function of invoking the setuid interface to set the UID=0
getresuid
(
&
ruid
,
&
euid
,
&
suid
);
EXPECT_EQ
(
ruid
,
UID0
)
<<
"Failed to set ruid=0: ruid="
<<
ruid
;
EXPECT_EQ
(
euid
,
UID0
)
<<
"Failed to set euid=0: euid="
<<
euid
;
EXPECT_EQ
(
suid
,
UID0
)
<<
"Failed to set suid=0: suid="
<<
suid
;
// Step 2: Verify that UID is set to 1000
ret
=
setresuid
(
UID1000
,
UID1000
,
UID1000
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set uid=1000, now process uid=%d"
,
getuid
());
return
FALSE
;
}
// To test the function of invoking the setuid interface to set the UID=1000
getresuid
(
&
ruid
,
&
euid
,
&
suid
);
EXPECT_EQ
(
ruid
,
UID1000
)
<<
"Failed to set ruid=1000: ruid="
<<
ruid
;
EXPECT_EQ
(
euid
,
UID1000
)
<<
"Failed to set euid=1000: euid="
<<
euid
;
EXPECT_EQ
(
suid
,
UID1000
)
<<
"Failed to set suid=1000: suid="
<<
suid
;
// Step 3: Verify that UID is set to 10000
ret
=
setresuid
(
UID10000
,
UID10000
,
UID10000
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set uid=10000, now process uid=%d"
,
getuid
());
return
FALSE
;
}
// To test the function of invoking the setuid interface to set the UID=10000
getresuid
(
&
ruid
,
&
euid
,
&
suid
);
EXPECT_EQ
(
ruid
,
UID10000
)
<<
"Failed to set ruid=10000: ruid="
<<
ruid
;
EXPECT_EQ
(
euid
,
UID10000
)
<<
"Failed to set euid=10000: euid="
<<
euid
;
EXPECT_EQ
(
suid
,
UID10000
)
<<
"Failed to set suid=10000: suid="
<<
suid
;
// Step 4: Verify that UID is set to 2147483647
ret
=
setresuid
(
MAX_INT
,
MAX_INT
,
MAX_INT
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set uid=2147483647, now process uid=%d"
,
getuid
());
return
FALSE
;
}
// To test the function of invoking the setuid interface to set the UID=2147483647
getresuid
(
&
ruid
,
&
euid
,
&
suid
);
EXPECT_EQ
(
ruid
,
MAX_INT
)
<<
"Failed to set ruid=2147483647: ruid="
<<
ruid
;
EXPECT_EQ
(
euid
,
MAX_INT
)
<<
"Failed to set euid=2147483647: euid="
<<
euid
;
EXPECT_EQ
(
suid
,
MAX_INT
)
<<
"Failed to set suid=2147483647: suid="
<<
suid
;
return
0
;
}
static
int
TestSetUidAbnormal
()
{
// Enter the exception parameter when invoke the 'setuid','setreuid','setresuid' interface
int
ret
=
0
;
uid_t
newruid
=
0
;
uid_t
neweuid
=
0
;
uid_t
newsuid
=
0
;
uid_t
ruid
=
0
;
uid_t
euid
=
0
;
uid_t
suid
=
0
;
// Obtain the ruid, euid, suid of the current process
getresuid
(
&
ruid
,
&
euid
,
&
suid
);
// Step 1: Verify that UID is set to -100 with the 'setuid' interface
ret
=
setuid
(
ABNORMALINT
);
if
(
ret
!=
FALSE
)
{
EXPECT_EQ
(
ret
,
FALSE
);
LOG
(
"ErrInfo: Set uid=-100, now process uid=%d"
,
getuid
());
return
FALSE
;
}
// To test the function of invoking the 'setuid' interface to set the UID=-100
getresuid
(
&
newruid
,
&
neweuid
,
&
newsuid
);
EXPECT_EQ
(
newruid
,
ruid
)
<<
"The value of ruid changes after an invalid parameter is entered: ruid="
<<
ruid
;
EXPECT_EQ
(
neweuid
,
euid
)
<<
"The value of euid changes after an invalid parameter is entered: euid="
<<
euid
;
EXPECT_EQ
(
newsuid
,
suid
)
<<
"The value of suid changes after an invalid parameter is entered: suid="
<<
suid
;
// Step 2: Verify that UID is set to -100 with the 'setreuid' interface
ret
=
setreuid
(
ABNORMALINT
,
ABNORMALINT
);
if
(
ret
!=
FALSE
)
{
EXPECT_EQ
(
ret
,
FALSE
);
LOG
(
"ErrInfo: Set uid=-100, now process uid=%d"
,
getuid
());
return
FALSE
;
}
// To test the function of invoking the 'setuid' interface to set the UID=-100
getresuid
(
&
newruid
,
&
neweuid
,
&
newsuid
);
EXPECT_EQ
(
newruid
,
ruid
)
<<
"The value of ruid changes after an invalid parameter is entered: ruid="
<<
ruid
;
EXPECT_EQ
(
neweuid
,
euid
)
<<
"The value of euid changes after an invalid parameter is entered: euid="
<<
euid
;
EXPECT_EQ
(
newsuid
,
suid
)
<<
"The value of suid changes after an invalid parameter is entered: suid="
<<
suid
;
// Step 3: Verify that UID is set to -100 with the 'setreuid' interface
ret
=
setresuid
(
ABNORMALINT
,
ABNORMALINT
,
ABNORMALINT
);
if
(
ret
!=
FALSE
)
{
EXPECT_EQ
(
ret
,
FALSE
);
LOG
(
"ErrInfo: Set uid=-100, now process uid=%d"
,
getuid
());
return
FALSE
;
}
// To test the function of invoking the 'setuid' interface to set the UID=-100
getresuid
(
&
newruid
,
&
neweuid
,
&
newsuid
);
EXPECT_EQ
(
newruid
,
ruid
)
<<
"The value of ruid changes after an invalid parameter is entered: ruid="
<<
ruid
;
EXPECT_EQ
(
neweuid
,
euid
)
<<
"The value of euid changes after an invalid parameter is entered: euid="
<<
euid
;
EXPECT_EQ
(
newsuid
,
suid
)
<<
"The value of suid changes after an invalid parameter is entered: suid="
<<
suid
;
return
0
;
}
static
int
TestSetGid
()
{
// Test the 'setgid' interface
int
ret
=
0
;
gid_t
rgid
=
0
;
gid_t
egid
=
0
;
gid_t
sgid
=
0
;
// Step 1: Verify that GID is set to 0
ret
=
setgid
(
GID0
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set gid=0, now process gid=%d"
,
getgid
());
return
FALSE
;
}
// To test the function of invoking the setgid interface to set the GID=0
getresgid
(
&
rgid
,
&
egid
,
&
sgid
);
EXPECT_EQ
(
rgid
,
GID0
)
<<
"Failed to set rgid=0: rgid="
<<
rgid
;
EXPECT_EQ
(
egid
,
GID0
)
<<
"Failed to set egid=0: egid="
<<
egid
;
EXPECT_EQ
(
sgid
,
GID0
)
<<
"Failed to set sgid=0: sgid="
<<
sgid
;
// Step 2: Verify that GID is set to 1000
ret
=
setgid
(
GID1000
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set gid=1000, now process gid=%d"
,
getgid
());
return
FALSE
;
}
// To test the function of invoking the setgid interface to set the GID=1000
getresgid
(
&
rgid
,
&
egid
,
&
sgid
);
EXPECT_EQ
(
rgid
,
GID1000
)
<<
"Failed to set rgid=1000: rgid="
<<
rgid
;
EXPECT_EQ
(
egid
,
GID1000
)
<<
"Failed to set egid=1000: egid="
<<
egid
;
EXPECT_EQ
(
sgid
,
GID1000
)
<<
"Failed to set sgid=1000: sgid="
<<
sgid
;
// Step 3: Verify that GID is set to 10000
ret
=
setgid
(
GID10000
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set gid=10000, now process gid=%d"
,
getgid
());
return
FALSE
;
}
// To test the function of invoking the setgid interface to set the GID=10000
getresgid
(
&
rgid
,
&
egid
,
&
sgid
);
EXPECT_EQ
(
rgid
,
GID10000
)
<<
"Failed to set rgid=10000: rgid="
<<
rgid
;
EXPECT_EQ
(
egid
,
GID10000
)
<<
"Failed to set egid=10000: egid="
<<
egid
;
EXPECT_EQ
(
sgid
,
GID10000
)
<<
"Failed to set sgid=10000: sgid="
<<
sgid
;
// Step 4: Verify that GID is set to 2147483647
ret
=
setgid
(
MAX_INT
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set gid=2147483647, now process gid=%d"
,
getgid
());
return
FALSE
;
}
// To test the function of invoking the setgid interface to set the GID=2147483647
getresgid
(
&
rgid
,
&
egid
,
&
sgid
);
EXPECT_EQ
(
rgid
,
MAX_INT
)
<<
"Failed to set rgid=2147483647: rgid="
<<
rgid
;
EXPECT_EQ
(
egid
,
MAX_INT
)
<<
"Failed to set egid=2147483647: egid="
<<
egid
;
EXPECT_EQ
(
sgid
,
MAX_INT
)
<<
"Failed to set sgid=2147483647: sgid="
<<
sgid
;
return
0
;
}
static
int
TestSetREGid
()
{
// Test the 'setregid' interface
int
ret
=
0
;
gid_t
rgid
=
0
;
gid_t
egid
=
0
;
gid_t
sgid
=
0
;
// Step 1: Verify that GID is set to 0
ret
=
setregid
(
GID0
,
GID0
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set gid=0, now process gid=%d"
,
getgid
());
return
FALSE
;
}
// To test the function of invoking the setgid interface to set the GID=0
getresgid
(
&
rgid
,
&
egid
,
&
sgid
);
EXPECT_EQ
(
rgid
,
GID0
)
<<
"Failed to set rgid=0: rgid="
<<
rgid
;
EXPECT_EQ
(
egid
,
GID0
)
<<
"Failed to set egid=0: egid="
<<
egid
;
EXPECT_EQ
(
sgid
,
GID0
)
<<
"Failed to set sgid=0: sgid="
<<
sgid
;
// Step 2: Verify that GID is set to 1000
ret
=
setregid
(
GID1000
,
GID1000
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set gid=1000, now process gid=%d"
,
getgid
());
return
FALSE
;
}
// To test the function of invoking the setgid interface to set the GID=1000
getresgid
(
&
rgid
,
&
egid
,
&
sgid
);
EXPECT_EQ
(
rgid
,
GID1000
)
<<
"Failed to set rgid=1000: rgid="
<<
rgid
;
EXPECT_EQ
(
egid
,
GID1000
)
<<
"Failed to set egid=1000: egid="
<<
egid
;
EXPECT_EQ
(
sgid
,
GID1000
)
<<
"Failed to set sgid=1000: sgid="
<<
sgid
;
// Step 3: Verify that GID is set to 10000
ret
=
setregid
(
GID10000
,
GID10000
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set gid=10000, now process gid=%d"
,
getgid
());
return
FALSE
;
}
// To test the function of invoking the setgid interface to set the GID=10000
getresgid
(
&
rgid
,
&
egid
,
&
sgid
);
EXPECT_EQ
(
rgid
,
GID10000
)
<<
"Failed to set rgid=10000: rgid="
<<
rgid
;
EXPECT_EQ
(
egid
,
GID10000
)
<<
"Failed to set egid=10000: egid="
<<
egid
;
EXPECT_EQ
(
sgid
,
GID10000
)
<<
"Failed to set sgid=10000: sgid="
<<
sgid
;
// Step 4: Verify that GID is set to 2147483647
ret
=
setregid
(
MAX_INT
,
MAX_INT
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set gid=2147483647, now process gid=%d"
,
getgid
());
return
FALSE
;
}
// To test the function of invoking the setgid interface to set the GID=2147483647
getresgid
(
&
rgid
,
&
egid
,
&
sgid
);
EXPECT_EQ
(
rgid
,
MAX_INT
)
<<
"Failed to set rgid=2147483647: rgid="
<<
rgid
;
EXPECT_EQ
(
egid
,
MAX_INT
)
<<
"Failed to set egid=2147483647: egid="
<<
egid
;
EXPECT_EQ
(
sgid
,
MAX_INT
)
<<
"Failed to set sgid=2147483647: sgid="
<<
sgid
;
return
0
;
}
static
int
TestSetRESGid
()
{
// Test the 'setresgid' interface
int
ret
=
0
;
gid_t
rgid
=
0
;
gid_t
egid
=
0
;
gid_t
sgid
=
0
;
// Step 1: Verify that GID is set to 0
ret
=
setresgid
(
GID0
,
GID0
,
GID0
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set gid=0, now process gid=%d"
,
getgid
());
return
FALSE
;
}
// To test the function of invoking the setgid interface to set the GID=0
getresgid
(
&
rgid
,
&
egid
,
&
sgid
);
EXPECT_EQ
(
rgid
,
GID0
)
<<
"Failed to set rgid=0: rgid="
<<
rgid
;
EXPECT_EQ
(
egid
,
GID0
)
<<
"Failed to set egid=0: egid="
<<
egid
;
EXPECT_EQ
(
sgid
,
GID0
)
<<
"Failed to set sgid=0: sgid="
<<
sgid
;
// Step 2: Verify that GID is set to 1000
ret
=
setresgid
(
GID1000
,
GID1000
,
GID1000
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set gid=1000, now process gid=%d"
,
getgid
());
return
FALSE
;
}
// To test the function of invoking the setgid interface to set the GID=1000
getresgid
(
&
rgid
,
&
egid
,
&
sgid
);
EXPECT_EQ
(
rgid
,
GID1000
)
<<
"Failed to set rgid=1000: rgid="
<<
rgid
;
EXPECT_EQ
(
egid
,
GID1000
)
<<
"Failed to set egid=1000: egid="
<<
egid
;
EXPECT_EQ
(
sgid
,
GID1000
)
<<
"Failed to set sgid=1000: sgid="
<<
sgid
;
// Step 3: Verify that GID is set to 10000
ret
=
setresgid
(
GID10000
,
GID10000
,
GID10000
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set gid=10000, now process gid=%d"
,
getgid
());
return
FALSE
;
}
// To test the function of invoking the setgid interface to set the GID=10000
getresgid
(
&
rgid
,
&
egid
,
&
sgid
);
EXPECT_EQ
(
rgid
,
GID10000
)
<<
"Failed to set rgid=10000: rgid="
<<
rgid
;
EXPECT_EQ
(
egid
,
GID10000
)
<<
"Failed to set egid=10000: egid="
<<
egid
;
EXPECT_EQ
(
sgid
,
GID10000
)
<<
"Failed to set sgid=10000: sgid="
<<
sgid
;
// Step 4: Verify that GID is set to 2147483647
ret
=
setresgid
(
MAX_INT
,
MAX_INT
,
MAX_INT
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set gid=2147483647, now process gid=%d"
,
getgid
());
return
FALSE
;
}
// To test the function of invoking the setgid interface to set the GID=2147483647
getresgid
(
&
rgid
,
&
egid
,
&
sgid
);
EXPECT_EQ
(
rgid
,
MAX_INT
)
<<
"Failed to set rgid=2147483647: rgid="
<<
rgid
;
EXPECT_EQ
(
egid
,
MAX_INT
)
<<
"Failed to set egid=2147483647: egid="
<<
egid
;
EXPECT_EQ
(
sgid
,
MAX_INT
)
<<
"Failed to set sgid=2147483647: sgid="
<<
sgid
;
return
0
;
}
static
int
TestSetGidAbnormal
()
{
// Enter the exception parameter when invoke the 'setgid','setregid','setresgid' interface
int
ret
=
0
;
gid_t
newrgid
=
0
;
gid_t
newegid
=
0
;
gid_t
newsgid
=
0
;
gid_t
rgid
=
0
;
gid_t
egid
=
0
;
gid_t
sgid
=
0
;
// Obtain the rgid, egid, sgid of the current process
getresgid
(
&
rgid
,
&
egid
,
&
sgid
);
// Step 1: Verify that GID is set to -100 with the 'setgid' interface
ret
=
setgid
(
ABNORMALINT
);
if
(
ret
!=
FALSE
)
{
EXPECT_EQ
(
ret
,
FALSE
);
LOG
(
"ErrInfo: Set gid=-100, now process gid=%d"
,
getgid
());
return
FALSE
;
}
// To test the function of invoking the 'setgid' interface to set the GID=-100
getresgid
(
&
newrgid
,
&
newegid
,
&
newsgid
);
EXPECT_EQ
(
newrgid
,
rgid
)
<<
"The value of rgid changes after an invalid parameter is entered: rgid="
<<
rgid
;
EXPECT_EQ
(
newegid
,
egid
)
<<
"The value of egid changes after an invalid parameter is entered: egid="
<<
egid
;
EXPECT_EQ
(
newsgid
,
sgid
)
<<
"The value of sgid changes after an invalid parameter is entered: sgid="
<<
sgid
;
// Step 2: Verify that GID is set to -100 with the 'setregid' interface
ret
=
setregid
(
ABNORMALINT
,
ABNORMALINT
);
if
(
ret
!=
FALSE
)
{
EXPECT_EQ
(
ret
,
FALSE
);
LOG
(
"ErrInfo: Set gid=-100, now process gid=%d"
,
getgid
());
return
FALSE
;
}
// To test the function of invoking the 'setgid' interface to set the GID=-100
getresgid
(
&
newrgid
,
&
newegid
,
&
newsgid
);
EXPECT_EQ
(
newrgid
,
rgid
)
<<
"The value of rgid changes after an invalid parameter is entered: rgid="
<<
rgid
;
EXPECT_EQ
(
newegid
,
egid
)
<<
"The value of egid changes after an invalid parameter is entered: egid="
<<
egid
;
EXPECT_EQ
(
newsgid
,
sgid
)
<<
"The value of sgid changes after an invalid parameter is entered: sgid="
<<
sgid
;
// Step 3: Verify that GID is set to -100 with the 'setregid' interface
ret
=
setresgid
(
ABNORMALINT
,
ABNORMALINT
,
ABNORMALINT
);
if
(
ret
!=
FALSE
)
{
EXPECT_EQ
(
ret
,
FALSE
);
LOG
(
"ErrInfo: Set gid=-100, now process gid=%d"
,
getgid
());
return
FALSE
;
}
// To test the function of invoking the 'setgid' interface to set the GID=-100
getresgid
(
&
newrgid
,
&
newegid
,
&
newsgid
);
EXPECT_EQ
(
newrgid
,
rgid
)
<<
"The value of rgid changes after an invalid parameter is entered: rgid="
<<
rgid
;
EXPECT_EQ
(
newegid
,
egid
)
<<
"The value of egid changes after an invalid parameter is entered: egid="
<<
egid
;
EXPECT_EQ
(
newsgid
,
sgid
)
<<
"The value of sgid changes after an invalid parameter is entered: sgid="
<<
sgid
;
return
0
;
}
static
int
TestSetGroups
()
{
// Test the 'setgroups' interface
int
ret
;
gid_t
list
[
SIZE255
];
for
(
size_t
num
=
0
;
num
<
SIZE253
;
num
++
)
{
list
[
num
]
=
num
;
}
list
[
SIZE254
]
=
MAX_INT
;
ret
=
setgroups
(
SIZE255
,
list
);
if
(
ret
!=
0
)
{
EXPECT_EQ
(
ret
,
0
);
LOG
(
"ErrInfo: Failed to set groups"
);
return
FALSE
;
}
return
0
;
}
static
void
TsetFork
(
uid_t
uid
,
gid_t
gid
,
size_t
size
,
const
gid_t
list
[])
{
// The sub process inherits the UID, GID, and groups of the parent process
int
ret
;
int
status
=
0
;
gid_t
reallist
[
SIZE255
];
// Preset action: Adjust the UID, GID, and groups of the parent process
ret
=
setuid
(
uid
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to set uid, now process uid="
<<
getuid
();
ret
=
setgid
(
gid
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to set gid, now process gid="
<<
getgid
();
setgroups
(
0
,
nullptr
);
ret
=
setgroups
(
size
,
list
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to set groups"
;
// Preset action: Fork a sub process
pid_t
pid
=
fork
();
ASSERT_TRUE
(
pid
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
if
(
pid
==
0
)
{
int
exitCode
=
0
;
// Step 1: Inheritance test of sub process UID
uid_t
retuid
=
getuid
();
if
(
retuid
!=
uid
)
{
LOG
(
"ErrInfo: The sub process UID changes when fork process, now process uid=%d"
,
getuid
());
exitCode
=
1
;
}
// Step 2: Inheritance test of sub process GID
gid_t
retgid
=
getgid
();
if
(
retgid
!=
gid
)
{
LOG
(
"ErrInfo: The sub process GID changes when fork process, now process gid=%d"
,
getgid
());
exitCode
=
1
;
}
// Step 3: Inheritance test of sub process groups
int
retgroups
=
getgroups
(
0
,
reallist
);
if
(
retgroups
==
FALSE
)
{
LOG
(
"ErrInfo: Failed to get groups"
);
exitCode
=
1
;
}
// Step 4: The sub process exit with the exitCode
exit
(
exitCode
);
}
else
{
// Step 5: The parent process wait for the sub process to exit and obtain the exitCode
waitpid
(
pid
,
&
status
,
0
);
EXPECT_NE
(
WIFEXITED
(
status
),
0
)
<<
"ErrInfo: The sub process exit error, child_pid = "
<<
pid
;
EXPECT_EQ
(
WEXITSTATUS
(
status
),
0
)
<<
"ErrInfo: The exitCode is wrong, please query logs, child_pid = "
<<
pid
;
}
}
static
int
ChangeSensitiveInformation
()
{
int
fd
=
0
;
int
ret
=
0
;
int
exitCode
=
0
;
char
dac
[]
=
"DACPreTest!
\n
"
;
// Failed to read sensitive information
fd
=
open
(
"/proc/process"
,
O_WRONLY
);
if
(
fd
>=
0
)
{
ret
=
write
(
fd
,
dac
,
sizeof
(
dac
));
if
(
ret
!=
FALSE
)
{
LOG
(
"ErrInfo: Change sensitive information, ret = %d"
,
ret
);
exitCode
=
1
;
}
close
(
fd
);
}
return
exitCode
;
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0010
* @tc.name : Invoke the interface to set the process UID
* @tc.desc : [C- SECURITY -0200]
*/
HWTEST_F
(
DacTestSuite
,
DACTest0010
,
Function
|
MediumTest
|
Level1
)
{
int
ret
=
0
;
uid_t
ruid
=
0
;
uid_t
euid
=
0
;
uid_t
suid
=
0
;
uid_t
newruid
=
0
;
uid_t
neweuid
=
0
;
uid_t
newsuid
=
0
;
// Preset action: Obtain the ruid, euid, suid of the current process
getresuid
(
&
ruid
,
&
euid
,
&
suid
);
// Step 1: Test the 'setuid' interface
ret
=
TestSetUid
();
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: TestSetUid() exit error"
;
// Step 2: Test the 'setreuid' interface
ret
=
TestSetREUid
();
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: TestSetREUid() exit error"
;
// Step 3: Test the 'setreuid' interface
ret
=
TestSetRESUid
();
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: TestSetRESUid() exit error"
;
// Step 4: Enter the exception parameter when invoke the 'setuid','setreuid','setresuid' interface
ret
=
TestSetUidAbnormal
();
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: TestSetUidAbnormal() exit error"
;
// Cleanup action: Restore the initial UID of the process
ret
=
setresuid
(
ruid
,
euid
,
suid
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to restore the initial UID of the process"
;
getresuid
(
&
newruid
,
&
neweuid
,
&
newsuid
);
EXPECT_EQ
(
newruid
,
ruid
)
<<
"The value of ruid changes after testcase: ruid="
<<
ruid
;
EXPECT_EQ
(
neweuid
,
euid
)
<<
"The value of euid changes after testcase: euid="
<<
euid
;
EXPECT_EQ
(
newsuid
,
suid
)
<<
"The value of suid changes after testcase: suid="
<<
suid
;
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0020
* @tc.name : Invoke the interface to set the process GID
* @tc.desc : [C- SECURITY -0200]
*/
HWTEST_F
(
DacTestSuite
,
DACTest0020
,
Function
|
MediumTest
|
Level1
)
{
int
ret
=
0
;
gid_t
rgid
=
0
;
gid_t
egid
=
0
;
gid_t
sgid
=
0
;
gid_t
newrgid
=
0
;
gid_t
newegid
=
0
;
gid_t
newsgid
=
0
;
// Preset action: Obtain the rgid, egid, sgid of the current process
getresgid
(
&
rgid
,
&
egid
,
&
sgid
);
// Step 1: Test the 'setgid' interface
ret
=
TestSetGid
();
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: TestSetGid() exit error"
;
// Step 2: Test the 'setregid' interface
ret
=
TestSetREGid
();
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: TestSetREGid() exit error"
;
// Step 3: Test the 'setregid' interface
ret
=
TestSetRESGid
();
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: TestSetRESGid() exit error"
;
// Step 4: Enter the exception parameter when invoke the 'setgid','setregid','setresgid' interface
ret
=
TestSetGidAbnormal
();
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: TestSetGidAbnormal() exit error"
;
// Cleanup action: Restore the initial GID of the process
ret
=
setresgid
(
rgid
,
egid
,
sgid
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to restore the initial GID of the process"
;
getresgid
(
&
newrgid
,
&
newegid
,
&
newsgid
);
EXPECT_EQ
(
newrgid
,
rgid
)
<<
"The value of rgid changes after testcase: rgid="
<<
rgid
;
EXPECT_EQ
(
newegid
,
egid
)
<<
"The value of egid changes after testcase: egid="
<<
egid
;
EXPECT_EQ
(
newsgid
,
sgid
)
<<
"The value of sgid changes after testcase: sgid="
<<
sgid
;
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0030
* @tc.name : Invoke the setgroups interface to set the process groups that contain a single GID or an empty value
* @tc.desc : [C- SECURITY -0200]
*/
HWTEST_F
(
DacTestSuite
,
DACTest0030
,
Function
|
MediumTest
|
Level1
)
{
int
ret
=
0
;
gid_t
grouplist
[
SIZE255
];
// Preset action: Obtain the groups of the current process
unsigned
int
groupsize
=
getgroups
(
0
,
grouplist
);
if
(
groupsize
>=
0
)
{
getgroups
(
groupsize
,
grouplist
);
// Preset action: Obtain the group lists required for the testcase
gid_t
list1
[
SIZE1
]
=
{
1
};
gid_t
list2
[
SIZE1
]
=
{
MAX_INT
};
gid_t
list3
[
SIZE1
]
=
{};
// Step 1: Set the group list to {1}
ret
=
setgroups
(
SIZE1
,
list1
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to set the group list to {1}"
;
// Step 2: Set the group list to {2147483647}
ret
=
setgroups
(
SIZE1
,
list2
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to set the group list to {2147483647}"
;
// Step 3: Set the group list to {}
ret
=
setgroups
(
SIZE1
,
list3
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to set the group list to {}"
;
// Cleanup action: Restore the initial groups of the process
setgroups
(
0
,
nullptr
);
ret
=
setgroups
(
groupsize
,
grouplist
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to restore the initial groups of the process"
;
}
else
{
EXPECT_GE
(
groupsize
,
0
)
<<
"ErrInfo: Failed to get groups"
;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0040
* @tc.name : Invoke the setgroups interface to set the process groups that contain the same GID
* @tc.desc : [C- SECURITY -0200]
*/
HWTEST_F
(
DacTestSuite
,
DACTest0040
,
Function
|
MediumTest
|
Level2
)
{
int
ret
=
0
;
gid_t
grouplist
[
SIZE255
];
// Preset action: Obtain the groups of the current process
unsigned
int
groupsize
=
getgroups
(
0
,
grouplist
);
if
(
groupsize
>=
0
)
{
getgroups
(
groupsize
,
grouplist
);
// Preset action: Obtain the group lists required for the testcase
gid_t
list1
[
SIZE2
]
=
{
GID0
,
GID0
};
gid_t
list2
[
SIZE2
]
=
{
GID1
,
GID1
};
gid_t
list3
[
SIZE2
]
=
{
MAX_INT
,
MAX_INT
};
// Step 1: Set the group list to {0, 0}
ret
=
setgroups
(
SIZE2
,
list1
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to set the group list to {0, 0}"
;
// Step 2: Set the group list to {1, 1}
ret
=
setgroups
(
SIZE2
,
list2
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to set the group list to {1, 1}"
;
// Step 3: Set the group list to {2147483647, 2147483647}
ret
=
setgroups
(
SIZE2
,
list3
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to set the group list to {2147483647, 2147483647}"
;
// Cleanup action: Restore the initial groups of the process
setgroups
(
0
,
nullptr
);
ret
=
setgroups
(
groupsize
,
grouplist
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to restore the initial groups of the process"
;
}
else
{
EXPECT_GE
(
groupsize
,
0
)
<<
"ErrInfo: Failed to get groups"
;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0050
* @tc.name : Invoke the setgroups interface to set the process groups that contain the duplicate GIDs
* @tc.desc : [C- SECURITY -0200]
*/
HWTEST_F
(
DacTestSuite
,
DACTest0050
,
Function
|
MediumTest
|
Level3
)
{
int
ret
=
0
;
gid_t
grouplist
[
SIZE255
];
// Preset action: Obtain the groups of the current process
unsigned
int
groupsize
=
getgroups
(
0
,
grouplist
);
if
(
groupsize
>=
0
)
{
getgroups
(
groupsize
,
grouplist
);
// Preset action: Obtain the group lists required for the testcase
gid_t
list1
[
SIZE3
]
=
{
GID0
,
GID0
,
MAX_INT
};
gid_t
list2
[
SIZE3
]
=
{
GID10000
,
GID10000
,
MAX_INT
};
gid_t
list3
[
SIZE3
]
=
{
GID0
,
MAX_INT
,
MAX_INT
};
// Step 1: Set the group list to {0, 0, 2147483647}
ret
=
setgroups
(
SIZE3
,
list1
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to set the group list to {0, 0, 2147483647}"
;
// Step 2: Set the group list to {10000, 10000, 2147483647}
ret
=
setgroups
(
SIZE3
,
list2
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to set the group list to {10000, 10000, 2147483647}"
;
// Step 3: Set the group list to {0, 2147483647, 2147483647}
ret
=
setgroups
(
SIZE3
,
list3
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to set the group list to {0, 2147483647, 2147483647}"
;
// Cleanup action: Restore the initial groups of the process
setgroups
(
0
,
nullptr
);
ret
=
setgroups
(
groupsize
,
grouplist
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to restore the initial groups of the process"
;
}
else
{
EXPECT_GE
(
groupsize
,
0
)
<<
"ErrInfo: Failed to get groups"
;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0060
* @tc.name : Invoke the setgroups interface to set the process groups that contain all different GIDs
* @tc.desc : [C- SECURITY -0200]
*/
HWTEST_F
(
DacTestSuite
,
DACTest0060
,
Function
|
MediumTest
|
Level3
)
{
int
ret
=
0
;
gid_t
grouplist
[
SIZE255
];
// Preset action: Obtain the groups of the current process
size_t
groupsize
=
getgroups
(
0
,
grouplist
);
if
(
groupsize
>=
0
)
{
getgroups
(
groupsize
,
grouplist
);
// Preset action: Obtain the group lists required for the testcase
gid_t
list0
[
SIZE255
];
for
(
size_t
num0
=
0
;
num0
<
SIZE254
;
num0
++
)
{
list0
[
num0
]
=
num0
;
}
list0
[
SIZE254
]
=
MAX_INT
;
gid_t
list1
[
INVAILD_SIZE
];
for
(
size_t
num1
=
0
;
num1
<
MAX_SIZE
;
num1
++
)
{
list1
[
num1
]
=
num1
;
}
list1
[
MAX_SIZE
]
=
MAX_INT
;
// Step 1: Set 255 different group lists
ret
=
setgroups
(
SIZE255
,
list0
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to set the group list to {0, 1, 2, ..., 255}"
;
// Step 2: Set the number of groups that exceed the upper limit
ret
=
setgroups
(
INVAILD_SIZE
,
list1
);
EXPECT_EQ
(
ret
,
FALSE
)
<<
"ErrInfo: Set groups size over max, size=65537"
;
// Cleanup action: Restore the initial groups of the process
setgroups
(
0
,
nullptr
);
ret
=
setgroups
(
groupsize
,
grouplist
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to restore the initial groups of the process"
;
}
else
{
EXPECT_GE
(
groupsize
,
0
)
<<
"ErrInfo: Failed to get groups"
;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0070
* @tc.name : Invoke the setuid, gid, and groups interfaces to set the uid, gid,
and groups of processes concurrently
* @tc.desc : [C- SECURITY -0200]
*/
HWTEST_F
(
DacTestSuite
,
DACTest0070
,
Security
|
MediumTest
|
Level2
)
{
int
ret
=
0
;
int
status
=
0
;
// Preset action: Fork three sub processes
pid_t
pid
;
for
(
int
num
=
0
;
num
<
NUM3
;
num
++
)
{
pid
=
fork
();
ASSERT_TRUE
(
pid
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
if
(
pid
==
0
)
{
break
;
}
}
// get one parent & three children
if
(
pid
==
0
)
{
int
exitCode
=
0
;
for
(
int
number
=
0
;
number
<
NUM3000
;
number
++
)
{
// Preset action: Initialize the subprocess UID, GID and groups
setuid
(
0
);
setgid
(
0
);
setgroups
(
0
,
nullptr
);
// Step 1: Test the 'setuid' interface concurrently
ret
=
TestSetUid
();
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: TestSetUid error during the %d time"
,
number
);
exitCode
=
1
;
break
;
}
// Step 2: Test the 'setgid' interface concurrently
ret
=
TestSetGid
();
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: TestSetGid error during the %d time"
,
number
);
exitCode
=
1
;
break
;
}
// Step 2: Test the 'setgroups' interface concurrently
ret
=
TestSetGroups
();
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: TestSetGroups error during the %d time"
,
number
);
exitCode
=
1
;
break
;
}
}
// Step 3: Three sub processes exit with the exitCode
exit
(
exitCode
);
}
else
{
// Step 4: The parent process wait for three sub processes to exit and obtain the exitCode
for
(
int
num2
=
0
;
num2
<
NUM3
;
num2
++
)
{
wait
(
&
status
);
EXPECT_NE
(
WIFEXITED
(
status
),
0
)
<<
"ErrInfo: The sub process exit error, child_pid = "
<<
pid
;
EXPECT_EQ
(
WEXITSTATUS
(
status
),
0
)
<<
"ErrInfo: Pid = "
<<
pid
<<
", its exitCode is wrong and test case failed, please query logs"
;
}
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0080
* @tc.name : Inheritance of process UID, GID and groups
* @tc.desc : [C- SECURITY -0200]
*/
HWTEST_F
(
DacTestSuite
,
DACTest0080
,
Function
|
MediumTest
|
Level2
)
{
int
ret
=
0
;
uid_t
ruid
=
0
;
uid_t
euid
=
0
;
uid_t
suid
=
0
;
uid_t
newruid
=
0
;
uid_t
neweuid
=
0
;
uid_t
newsuid
=
0
;
gid_t
rgid
=
0
;
gid_t
egid
=
0
;
gid_t
sgid
=
0
;
gid_t
newrgid
=
0
;
gid_t
newegid
=
0
;
gid_t
newsgid
=
0
;
gid_t
grouplist
[
SIZE255
];
// Preset action: Obtain the ruid, euid, suid of the current process
getresuid
(
&
ruid
,
&
euid
,
&
suid
);
// Preset action: Obtain the rgid, egid, sgid of the current process
getresgid
(
&
rgid
,
&
egid
,
&
sgid
);
// Preset action: Obtain the groups of the current process
int
groupsize
=
getgroups
(
0
,
grouplist
);
if
(
groupsize
>=
0
)
{
getgroups
(
groupsize
,
grouplist
);
// Preset action: Obtain the group lists required for the testcase
gid_t
list1
[
SIZE1
]
=
{
GID10000
};
gid_t
list2
[
SIZE1
]
=
{};
gid_t
list3
[
SIZE255
];
for
(
size_t
num
=
0
;
num
<
SIZE254
;
num
++
)
{
list3
[
num
]
=
num
;
}
list3
[
SIZE254
]
=
MAX_INT
;
// Step 1: Factor combination test of UID, GID, and groups
TsetFork
(
UID0
,
GID10000
,
SIZE1
,
list1
);
TsetFork
(
UID10000
,
GID10000
,
SIZE1
,
list1
);
TsetFork
(
MAX_INT
,
GID10000
,
SIZE1
,
list1
);
TsetFork
(
UID10000
,
GID0
,
SIZE1
,
list1
);
TsetFork
(
UID10000
,
MAX_INT
,
SIZE1
,
list1
);
TsetFork
(
UID10000
,
GID10000
,
SIZE1
,
list2
);
TsetFork
(
UID10000
,
GID10000
,
SIZE255
,
list3
);
// Cleanup action: Restore the initial UID of the process
ret
=
setresuid
(
ruid
,
euid
,
suid
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to restore the initial UID of the process"
;
getresuid
(
&
newruid
,
&
neweuid
,
&
newsuid
);
EXPECT_EQ
(
newruid
,
ruid
)
<<
"The value of ruid changes after testcase: ruid="
<<
ruid
;
EXPECT_EQ
(
neweuid
,
euid
)
<<
"The value of euid changes after testcase: euid="
<<
euid
;
EXPECT_EQ
(
newsuid
,
suid
)
<<
"The value of suid changes after testcase: suid="
<<
suid
;
// Cleanup action: Restore the initial GID of the process
ret
=
setresgid
(
rgid
,
egid
,
sgid
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to restore the initial GID of the process"
;
getresgid
(
&
newrgid
,
&
newegid
,
&
newsgid
);
EXPECT_EQ
(
newrgid
,
rgid
)
<<
"The value of rgid changes after testcase: rgid="
<<
rgid
;
EXPECT_EQ
(
newegid
,
egid
)
<<
"The value of egid changes after testcase: egid="
<<
egid
;
EXPECT_EQ
(
newsgid
,
sgid
)
<<
"The value of sgid changes after testcase: sgid="
<<
sgid
;
// Cleanup action: Restore the initial groups of the process
setgroups
(
0
,
nullptr
);
ret
=
setgroups
(
groupsize
,
grouplist
);
EXPECT_EQ
(
ret
,
0
)
<<
"ErrInfo: Failed to restore the initial groups of the process"
;
}
else
{
EXPECT_GE
(
groupsize
,
0
)
<<
"ErrInfo: Failed to get groups"
;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0120
* @tc.name : Failed to use the third-party app UID to change sensitive information
* @tc.desc : [C- SECURITY -0200]
*/
HWTEST_F
(
DacTestSuite
,
DACTest0120
,
Security
|
MediumTest
|
Level2
)
{
int
ret
=
0
;
int
status
=
0
;
// Preset action: Fork a sub process
pid_t
pid
=
fork
();
ASSERT_TRUE
(
pid
>=
0
)
<<
"======== Fork Error! ========="
;
usleep
(
SLEEP_NUM
);
if
(
pid
==
0
)
{
int
exitCode
=
0
;
// Step 1: Set the process uid and gid to the third-party application uid and gid
ret
=
SetUidGid
(
UID20000
,
GID20000
);
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to set the process uid and gid"
);
exitCode
=
1
;
}
// Step 2: Drop all the sub process capabilities
ret
=
DropAllCAP
();
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to drop all the sub process capabilities"
);
exitCode
=
1
;
}
// Step 3: Failed to change sensitive information
ret
=
ChangeSensitiveInformation
();
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: change sensitive information"
);
exitCode
=
1
;
}
// Step 4: The sub process exit with the exitCode
exit
(
exitCode
);
}
else
{
// Step 5: The parent process wait for the sub process to exit and obtain the exitCode
waitpid
(
pid
,
&
status
,
0
);
EXPECT_NE
(
WIFEXITED
(
status
),
0
)
<<
"ErrInfo: The sub process exit error, child_pid = "
<<
pid
;
EXPECT_EQ
(
WEXITSTATUS
(
status
),
0
)
<<
"ErrInfo: The exitCode is wrong, please query logs, child_pid = "
<<
pid
;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0130
* @tc.name : Performance test of the setuid, setgid and setgroups interface
* @tc.desc : [C- SECURITY -0200]
*/
HWTEST_F
(
DacTestSuite
,
DACTest0130
,
Performance
|
MediumTest
|
Level2
)
{
struct
timespec
tp
=
{
0
};
struct
timespec
starttime
=
{
0
};
struct
timespec
endtime
=
{
0
};
tp
.
tv_sec
=
0
;
tp
.
tv_nsec
=
0
;
// Preset action: Obtain the group lists required for the testcase
gid_t
list
[
SIZE255
];
for
(
size_t
num
=
0
;
num
<
SIZE253
;
num
++
)
{
list
[
num
]
=
num
;
}
// Preset action: Obtains the system time -> starttime
clock_gettime
(
CLOCK_REALTIME
,
&
starttime
);
for
(
int
number
=
0
;
number
<
NUM10000
;
number
++
)
{
list
[
SIZE254
]
=
number
;
// Step 1.1: Setuid for 10000 times
setuid
(
number
);
// Step 1.2: Setgid for 10000 times
setgid
(
number
);
// Step 1.3: Setgroups for 10000 times
setgroups
(
SIZE255
,
list
);
}
// Step 2: Obtains the system time again -> endtime
clock_gettime
(
CLOCK_REALTIME
,
&
endtime
);
// Step 3: Compare the starttime and the endtime -> tp
tp
=
CompareTime
(
starttime
,
endtime
);
EXPECT_LE
(
tp
.
tv_sec
,
NUM20
)
<<
"ErrInfo: Chown for 10000 times used "
<<
tp
.
tv_sec
<<
"."
<<
tp
.
tv_nsec
<<
"s"
;
// Cleanup action: Restore the uid, gid and groups of the process to zero
SetUidGid
(
UID0
,
GID0
);
setgroups
(
0
,
nullptr
);
}
#endif
security_lite/permission_posix/dac/src/ActsDacTest.h
已删除
100755 → 0
浏览文件 @
ed6da30f
/*
* Copyright (c) 2020-2021 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_DAC_SRC_ACTSDACTEST_H
#define XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_DAC_SRC_ACTSDACTEST_H
#include <cstddef>
#include <sys/stat.h>
constexpr
int
ABNORMALINT
=
-
100
;
constexpr
int
SINGLESIZE
=
1
;
constexpr
unsigned
int
MAX_INT
=
2147483647
;
constexpr
size_t
SIZE1
=
1
;
constexpr
size_t
SIZE2
=
2
;
constexpr
size_t
SIZE3
=
3
;
constexpr
size_t
SIZE253
=
253
;
constexpr
size_t
SIZE254
=
254
;
constexpr
size_t
SIZE255
=
255
;
constexpr
size_t
MAX_SIZE
=
65536
;
constexpr
size_t
INVAILD_SIZE
=
65537
;
constexpr
mode_t
CHMOD000
=
0000
;
constexpr
mode_t
CHMOD013
=
0013
;
constexpr
mode_t
CHMOD016
=
0016
;
constexpr
mode_t
CHMOD027
=
0027
;
constexpr
mode_t
CHMOD031
=
0031
;
constexpr
mode_t
CHMOD044
=
0044
;
constexpr
mode_t
CHMOD045
=
0045
;
constexpr
mode_t
CHMOD052
=
0052
;
constexpr
mode_t
CHMOD063
=
0063
;
constexpr
mode_t
CHMOD074
=
0074
;
constexpr
mode_t
CHMOD076
=
0076
;
constexpr
mode_t
CHMOD077
=
0077
;
constexpr
mode_t
CHMOD105
=
0105
;
constexpr
mode_t
CHMOD111
=
0111
;
constexpr
mode_t
CHMOD116
=
0116
;
constexpr
mode_t
CHMOD120
=
0120
;
constexpr
mode_t
CHMOD123
=
0123
;
constexpr
mode_t
CHMOD124
=
0124
;
constexpr
mode_t
CHMOD132
=
0132
;
constexpr
mode_t
CHMOD143
=
0143
;
constexpr
mode_t
CHMOD151
=
0151
;
constexpr
mode_t
CHMOD166
=
0166
;
constexpr
mode_t
CHMOD167
=
0167
;
constexpr
mode_t
CHMOD175
=
0175
;
constexpr
mode_t
CHMOD203
=
0203
;
constexpr
mode_t
CHMOD210
=
0210
;
constexpr
mode_t
CHMOD222
=
0222
;
constexpr
mode_t
CHMOD230
=
0230
;
constexpr
mode_t
CHMOD235
=
0235
;
constexpr
mode_t
CHMOD241
=
0241
;
constexpr
mode_t
CHMOD242
=
0242
;
constexpr
mode_t
CHMOD256
=
0256
;
constexpr
mode_t
CHMOD257
=
0257
;
constexpr
mode_t
CHMOD261
=
0261
;
constexpr
mode_t
CHMOD274
=
0274
;
constexpr
mode_t
CHMOD305
=
0305
;
constexpr
mode_t
CHMOD306
=
0306
;
constexpr
mode_t
CHMOD310
=
0310
;
constexpr
mode_t
CHMOD312
=
0312
;
constexpr
mode_t
CHMOD325
=
0325
;
constexpr
mode_t
CHMOD333
=
0333
;
constexpr
mode_t
CHMOD334
=
0334
;
constexpr
mode_t
CHMOD342
=
0342
;
constexpr
mode_t
CHMOD347
=
0347
;
constexpr
mode_t
CHMOD354
=
0354
;
constexpr
mode_t
CHMOD362
=
0362
;
constexpr
mode_t
CHMOD371
=
0371
;
constexpr
mode_t
CHMOD401
=
0401
;
constexpr
mode_t
CHMOD406
=
0406
;
constexpr
mode_t
CHMOD407
=
0407
;
constexpr
mode_t
CHMOD415
=
0415
;
constexpr
mode_t
CHMOD422
=
0422
;
constexpr
mode_t
CHMOD430
=
0430
;
constexpr
mode_t
CHMOD444
=
0444
;
constexpr
mode_t
CHMOD446
=
0446
;
constexpr
mode_t
CHMOD453
=
0453
;
constexpr
mode_t
CHMOD456
=
0456
;
constexpr
mode_t
CHMOD457
=
0457
;
constexpr
mode_t
CHMOD460
=
0460
;
constexpr
mode_t
CHMOD473
=
0473
;
constexpr
mode_t
CHMOD507
=
0507
;
constexpr
mode_t
CHMOD511
=
0511
;
constexpr
mode_t
CHMOD521
=
0521
;
constexpr
mode_t
CHMOD526
=
0526
;
constexpr
mode_t
CHMOD536
=
0536
;
constexpr
mode_t
CHMOD543
=
0543
;
constexpr
mode_t
CHMOD555
=
0555
;
constexpr
mode_t
CHMOD560
=
0560
;
constexpr
mode_t
CHMOD562
=
0562
;
constexpr
mode_t
CHMOD564
=
0564
;
constexpr
mode_t
CHMOD570
=
0570
;
constexpr
mode_t
CHMOD604
=
0604
;
constexpr
mode_t
CHMOD611
=
0611
;
constexpr
mode_t
CHMOD614
=
0614
;
constexpr
mode_t
CHMOD623
=
0623
;
constexpr
mode_t
CHMOD637
=
0637
;
constexpr
mode_t
CHMOD640
=
0640
;
constexpr
mode_t
CHMOD655
=
0655
;
constexpr
mode_t
CHMOD657
=
0657
;
constexpr
mode_t
CHMOD665
=
0665
;
constexpr
mode_t
CHMOD666
=
0666
;
constexpr
mode_t
CHMOD670
=
0670
;
constexpr
mode_t
CHMOD671
=
0671
;
constexpr
mode_t
CHMOD672
=
0672
;
constexpr
mode_t
CHMOD700
=
0700
;
constexpr
mode_t
CHMOD702
=
0702
;
constexpr
mode_t
CHMOD703
=
0703
;
constexpr
mode_t
CHMOD712
=
0712
;
constexpr
mode_t
CHMOD716
=
0716
;
constexpr
mode_t
CHMOD717
=
0717
;
constexpr
mode_t
CHMOD724
=
0724
;
constexpr
mode_t
CHMOD731
=
0731
;
constexpr
mode_t
CHMOD743
=
0743
;
constexpr
mode_t
CHMOD750
=
0750
;
constexpr
mode_t
CHMOD765
=
0765
;
constexpr
mode_t
CHMOD777
=
0777
;
// Creating Folders and Files for the Test
#define DACDIR0 "DACDIR0" // DIR0/
#define DACDIR0_DACFILE0 "DACDIR0_DACFILE0" // ├── DIR0_FILE0
#define DACDIR0_DACFILE1 "DACDIR0_DACFILE1" // ├── DIR0_FILE1
#define DACDIR0_DACDIR0 "DACDIR0_DACDIR0" // ├── DIR0_DIR0/
#define DACDIR0_DACDIR0_DACDIR0 "DACDIR0_DACDIR0_DACDIR0" // | └── DIR0_DIR0_DIR0/
#define DACDIR0_DACDIR1 "DACDIR0_DACDIR1" // └── DIR0_DIR1/
#define DACDIR1 "DACDIR1" // DIR1/
#define DACDIR1_DACFILE0 "DACDIR1_DACFILE0" // ├── DIR1_FILE0
#define DACDIR1_DACDIR0 "DACDIR1_DACDIR0" // └── DIR1_DIR0/
#endif
\ No newline at end of file
security_lite/permission_posix/dac/src/DACFileSystemTest.cpp
已删除
100755 → 0
浏览文件 @
ed6da30f
/*
* Copyright (c) 2021 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "DACFileSystemTest.h"
#include <unistd.h>
#include "ActsCapabilityTest.h"
#include "ActsDacTest.h"
using
namespace
testing
::
ext
;
// Preset action of the test suite, which is executed before the first test case
void
DacTestSuite
::
SetUp
()
{
// Permission mask preset when creating a file
umask
(
ZERO
);
// Init capabilities
CapInit
();
// Initialize the process and set the uid and gid of the process to zero
SetUidGid
(
UID0
,
GID0
);
// Delete the the directory if exists
RemoveDir
(
TOP_DIR
"/"
DACDIR0
);
RemoveDir
(
TOP_DIR
"/"
DACDIR1
);
RemoveDir
(
"/storage/"
DACDIR0
);
// Obtain the current working directory of the test code
mCurPath
=
GetCurrentPath
();
// Modify the current working directory of the test code
int
ret
=
chdir
(
TOP_DIR
);
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to chdir to %s, ret=%d, errno=%d"
,
TOP_DIR
,
ret
,
errno
);
}
}
// Test suite cleanup action, which is executed after the last test case
void
DacTestSuite
::
TearDown
()
{
// Delete the the directory if exists
RemoveDir
(
TOP_DIR
"/"
DACDIR0
);
RemoveDir
(
TOP_DIR
"/"
DACDIR1
);
RemoveDir
(
"/storage/"
DACDIR0
);
// Initialize the process and set the uid and gid of the process to zero
SetUidGid
(
UID0
,
GID0
);
// Restore the working directory of the test code
int
ret
=
chdir
(
mCurPath
);
if
(
ret
!=
0
)
{
LOG
(
"ErrInfo: Failed to chdir to %s, ret=%d, errno=%d"
,
mCurPath
,
ret
,
errno
);
}
}
int
main
(
int
argc
,
char
*
argv
[])
{
testing
::
GTEST_FLAG
(
output
)
=
"xml:"
;
testing
::
InitGoogleTest
(
&
argc
,
argv
);
if
(
CheckFsMount
(
TOP_DIR
,
TOP_DIR_MOUNT_INFO
)
!=
0
)
{
return
1
;
}
return
RUN_ALL_TESTS
();
}
\ No newline at end of file
security_lite/permission_posix/dac/src/DACFileSystemTest.h
已删除
100755 → 0
浏览文件 @
ed6da30f
/*
* Copyright (c) 2021 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_DAC_SRC_DACTFILESYSTEMTEST_H
#define XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_DAC_SRC_DACTFILESYSTEMTEST_H
#include <gtest/gtest.h>
class
DacTestSuite
:
public
::
testing
::
Test
{
protected:
char
*
mCurPath
;
void
SetUp
();
void
TearDown
();
};
#endif
\ No newline at end of file
security_lite/permission_posix/dac/vfat/BUILD.gn
已删除
100755 → 0
浏览文件 @
ed6da30f
# Copyright (c) 2021 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import("//test/xts/tools/lite/build/suite_lite.gni")
hcpptest_suite("ActsVFATDACTest") {
suite_name = "acts"
sources = [
"../src/ActsDacPreTest.cpp",
"../src/DACFileSystemTest.cpp",
]
include_dirs = [
"../src",
"../../capability/src",
"//third_party/bounds_checking_function/include",
]
public_deps = [
"../../capability:capability_shared",
"//third_party/bounds_checking_function:libsec_shared",
]
cflags_cc = [
"-Wno-write-strings",
"-Wno-sign-compare",
]
ldflags = [
"-lstdc++",
"-lm",
"-lpthread",
]
defines = [
"LITE_FS_VFAT",
"TOP_DIR=\"/sdcard\"",
"TOP_DIR_MOUNT_INFO=\"/sdcard vfat\"",
]
}
security_lite/permission_posix/dac/vfat/Test.json
已删除
100644 → 0
浏览文件 @
ed6da30f
{
"description"
:
"Config for hcpptest demo test cases"
,
"environment"
:
[
{
"type"
:
"device"
,
"label"
:
"ipcamera"
}
],
"kits"
:
[
{
"type"
:
"MountKit"
,
"server"
:
"NfsServer"
,
"mount"
:
[
{
"source"
:
"testcases/security"
,
"target"
:
"/test_root/security"
}
]
}
],
"driver"
:
{
"type"
:
"CppTestLite"
,
"execute"
:
"/test_root/security/ActsVFATDACTest.bin"
}
}
\ No newline at end of file
鸿蒙社区
@harmonycommunity
mentioned in commit
7b067988
·
4月 29, 2023
mentioned in commit
7b067988
mentioned in commit 7b0679889b2c33b15c89cc809b3cf877137f762b
开关提交列表
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录