Skip to content

X
Xts Acts

OpenHarmony / Xts Acts
1 年多 前同步成功

通知 9
Star 22
Fork 0
X
Xts Acts
提交 a522431b 编写于 作者: Q qiaozzzh
1 浏览文件
操作

Delete XTS for CAP and DAC 

Signed-off-by: Nqiaozzzh <qiaozhang@huawei.com>
上级 ed6da30f
显示空白变更内容
内联 并排
Showing with 0 addition and 3435 deletion
security_lite/BUILD.gn
浏览文件 @ a522431b
......@@ -15,8 +15,6 @@ group("securitytest") {
if (ohos_kernel_type == "liteos_a") {
deps = [
"//test/xts/acts/security_lite/huks/liteos_a_adapter:Hukslitetest",
"//test/xts/acts/security_lite/permission_posix/capability:ActsCapabilityTest",
"//test/xts/acts/security_lite/permission_posix/dac:ActsDacTest",
"//test/xts/acts/security_lite/permission_posix/pms:ActsPMSTest",
]
} else if (ohos_kernel_type == "linux") {
......
security_lite/permission_posix/capability/BUILD.gn 已删除 100755 → 0
浏览文件 @ ed6da30f
# Copyright (c) 2021 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
group("ActsCapabilityTest") {
deps = [ "./vfat:ActsVFATCapabilityTest" ]
}
shared_library("capability_shared") {
sources = [ "src/ActsCapability.cpp" ]
include_dirs = [
"src",
"//third_party/bounds_checking_function/include",
]
public_deps = [ "//third_party/bounds_checking_function:libsec_shared" ]
cflags = [ "-Wno-error" ]
ldflags = [
"-lstdc++",
"-lm",
"-lpthread",
]
}
security_lite/permission_posix/capability/src/ActsCapability.cpp 已删除 100644 → 0
浏览文件 @ ed6da30f
/*
* Copyright (c) 2021 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "ActsCapabilityTest.h"
#include <csignal>
#include <dirent.h>
#include <securec.h>
#include <sys/capability.h>
#include <unistd.h>
void Sigac(int i)
{
_exit(0);
}
void ChildSleep()
{
signal(SIGXFSZ, Sigac);
usleep(LONG_SLEEP_NUM);
exit(0);
}
int CapInit()
{
// Init capabilities
struct __user_cap_header_struct capheader;
(void)memset_s(&capheader, sizeof(struct __user_cap_header_struct),
0, sizeof(struct __user_cap_header_struct));
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capheader.pid = 0;
struct __user_cap_data_struct capdata[CAP_NUM];
(void)memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct),
0xff, CAP_NUM * sizeof(struct __user_cap_data_struct));
capdata[0].permitted = LINUX_FULL_CAP;
capdata[0].effective = LINUX_FULL_CAP;
capdata[0].inheritable = LINUX_FULL_CAP;
// Set capabilities
int ret = capset(&capheader, &capdata[0]);
if (ret != 0) {
return FALSE;
}
return 0;
}
int DropCAPCHOWN()
{
struct __user_cap_header_struct capheader = { 0 };
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct),
0, sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("DropCAPCHOWN memset_s failed");
return FALSE;
};
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capheader.pid = 0;
struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } };
result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct),
0xff, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("DropCAPCHOWN memset_s failed");
return FALSE;
};
// Drop the capabilities of CAP_CHOWN
capdata[CAP_TO_INDEX(CAP_CHOWN)].permitted &= ~CAP_TO_MASK(CAP_CHOWN);
capdata[CAP_TO_INDEX(CAP_CHOWN)].effective &= ~CAP_TO_MASK(CAP_CHOWN);
capdata[CAP_TO_INDEX(CAP_CHOWN)].inheritable &= ~CAP_TO_MASK(CAP_CHOWN);
int ret = capset(&capheader, &capdata[0]);
if (ret != 0) {
return FALSE;
}
return 0;
}
int DropCAPDACOVERRIDE()
{
struct __user_cap_header_struct capheader = { 0, 0 };
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct),
0, sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("DropCAPDACOVERRIDE memset_s failed");
return FALSE;
};
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capheader.pid = 0;
struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } };
result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct),
0xff, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("DropCAPDACOVERRIDE memset_s failed");
return FALSE;
};
// Drop the capabilities of CAP_DAC_OVERRIDE
capdata[CAP_TO_INDEX(CAP_DAC_OVERRIDE)].permitted &= ~CAP_TO_MASK(CAP_DAC_OVERRIDE);
capdata[CAP_TO_INDEX(CAP_DAC_OVERRIDE)].effective &= ~CAP_TO_MASK(CAP_DAC_OVERRIDE);
capdata[CAP_TO_INDEX(CAP_DAC_OVERRIDE)].inheritable &= ~CAP_TO_MASK(CAP_DAC_OVERRIDE);
int ret = capset(&capheader, &capdata[0]);
if (ret != 0) {
return FALSE;
}
return 0;
}
int DropCAPDACREADSEARCH()
{
struct __user_cap_header_struct capheader = { 0, 0 };
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct),
0, sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("DropCAPDACREADSEARCH memset_s failed");
return FALSE;
};
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capheader.pid = 0;
struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } };
result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct),
0xff, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("DropCAPDACREADSEARCH memset_s failed");
return FALSE;
};
// Drop the capabilities of CAP_DAC_READ_SEARCH
capdata[CAP_TO_INDEX(CAP_DAC_READ_SEARCH)].permitted &= ~CAP_TO_MASK(CAP_DAC_READ_SEARCH);
capdata[CAP_TO_INDEX(CAP_DAC_READ_SEARCH)].effective &= ~CAP_TO_MASK(CAP_DAC_READ_SEARCH);
capdata[CAP_TO_INDEX(CAP_DAC_READ_SEARCH)].inheritable &= ~CAP_TO_MASK(CAP_DAC_READ_SEARCH);
int ret = capset(&capheader, &capdata[0]);
if (ret != 0) {
return FALSE;
}
return 0;
}
int DropCAPDACOVERRIDEAndREADSEARCH()
{
struct __user_cap_header_struct capheader = { 0, 0 };
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct),
0, sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("DropCAPDACOVERRIDEAndREADSEARCH memset_s failed");
return FALSE;
};
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capheader.pid = 0;
struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } };
result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct),
0xff, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("DropCAPDACOVERRIDEAndREADSEARCH memset_s failed");
return FALSE;
};
// Drop the capabilities of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH
capdata[CAP_TO_INDEX(CAP_DAC_READ_SEARCH)].permitted &= ~CAP_TO_MASK(CAP_DAC_READ_SEARCH);
capdata[CAP_TO_INDEX(CAP_DAC_READ_SEARCH)].effective &= ~CAP_TO_MASK(CAP_DAC_READ_SEARCH);
capdata[CAP_TO_INDEX(CAP_DAC_READ_SEARCH)].inheritable &= ~CAP_TO_MASK(CAP_DAC_READ_SEARCH);
capdata[CAP_TO_INDEX(CAP_DAC_OVERRIDE)].permitted &= ~CAP_TO_MASK(CAP_DAC_OVERRIDE);
capdata[CAP_TO_INDEX(CAP_DAC_OVERRIDE)].effective &= ~CAP_TO_MASK(CAP_DAC_OVERRIDE);
capdata[CAP_TO_INDEX(CAP_DAC_OVERRIDE)].inheritable &= ~CAP_TO_MASK(CAP_DAC_OVERRIDE);
int ret = capset(&capheader, &capdata[0]);
if (ret != 0) {
return FALSE;
}
return 0;
}
int DropCAPFOWNER()
{
struct __user_cap_header_struct capheader = { 0, 0 };
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct),
0, sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("DropCAPFOWNER memset_s failed");
return FALSE;
};
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capheader.pid = 0;
struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } };
result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct),
0xff, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("DropCAPFOWNER memset_s failed");
return FALSE;
};
// Drop the capabilities of CAP_FOWNER
capdata[CAP_TO_INDEX(CAP_FOWNER)].permitted &= ~CAP_TO_MASK(CAP_FOWNER);
capdata[CAP_TO_INDEX(CAP_FOWNER)].effective &= ~CAP_TO_MASK(CAP_FOWNER);
capdata[CAP_TO_INDEX(CAP_FOWNER)].inheritable &= ~CAP_TO_MASK(CAP_FOWNER);
int ret = capset(&capheader, &capdata[0]);
if (ret != 0) {
return FALSE;
}
return 0;
}
int DropCAPKILL()
{
struct __user_cap_header_struct capheader = { 0, 0 };
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct),
0, sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("DropCAPKILL memset_s failed");
return FALSE;
};
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capheader.pid = 0;
struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } };
result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct),
0xff, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("DropCAPKILL memset_s failed");
return FALSE;
};
// Drop the capabilities of CAP_KILL
capdata[CAP_TO_INDEX(CAP_KILL)].permitted &= ~CAP_TO_MASK(CAP_KILL);
capdata[CAP_TO_INDEX(CAP_KILL)].effective &= ~CAP_TO_MASK(CAP_KILL);
capdata[CAP_TO_INDEX(CAP_KILL)].inheritable &= ~CAP_TO_MASK(CAP_KILL);
int ret = capset(&capheader, &capdata[0]);
if (ret != 0) {
return FALSE;
}
return 0;
}
int DropCAPSETGID()
{
struct __user_cap_header_struct capheader = { 0, 0 };
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct),
0, sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("DropCAPSETGID memset_s failed");
return FALSE;
};
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capheader.pid = 0;
struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } };
result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct),
0xff, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("DropCAPSETGID memset_s failed");
return FALSE;
};
// Drop the capabilities of CAP_SETGID
capdata[CAP_TO_INDEX(CAP_SETGID)].permitted &= ~CAP_TO_MASK(CAP_SETGID);
capdata[CAP_TO_INDEX(CAP_SETGID)].effective &= ~CAP_TO_MASK(CAP_SETGID);
capdata[CAP_TO_INDEX(CAP_SETGID)].inheritable &= ~CAP_TO_MASK(CAP_SETGID);
int ret = capset(&capheader, &capdata[0]);
if (ret != 0) {
return FALSE;
}
return 0;
}
int DropCAPSETUID()
{
struct __user_cap_header_struct capheader = { 0, 0 };
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct),
0, sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("DropCAPSETUID memset_s failed");
return FALSE;
};
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capheader.pid = 0;
struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } };
result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct),
0xff, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("DropCAPSETUID memset_s failed");
return FALSE;
};
// Drop the capabilities of CAP_SETUID
capdata[CAP_TO_INDEX(CAP_SETUID)].permitted &= ~CAP_TO_MASK(CAP_SETUID);
capdata[CAP_TO_INDEX(CAP_SETUID)].effective &= ~CAP_TO_MASK(CAP_SETUID);
capdata[CAP_TO_INDEX(CAP_SETUID)].inheritable &= ~CAP_TO_MASK(CAP_SETUID);
int ret = capset(&capheader, &capdata[0]);
if (ret != 0) {
return FALSE;
}
return 0;
}
int DropCAPSETPCAP()
{
struct __user_cap_header_struct capheader = { 0, 0 };
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct),
0, sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("DropCAPSETPCAP memset_s failed");
return FALSE;
};
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capheader.pid = 0;
struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } };
result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct),
0xff, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("DropCAPSETPCAP memset_s failed");
return FALSE;
};
// Drop the capabilities of CAP_SETPCAP
capdata[CAP_TO_INDEX(CAP_SETPCAP)].permitted &= ~CAP_TO_MASK(CAP_SETPCAP);
capdata[CAP_TO_INDEX(CAP_SETPCAP)].effective &= ~CAP_TO_MASK(CAP_SETPCAP);
capdata[CAP_TO_INDEX(CAP_SETPCAP)].inheritable &= ~CAP_TO_MASK(CAP_SETPCAP);
int ret = capset(&capheader, &capdata[0]);
if (ret != 0) {
return FALSE;
}
return 0;
}
int DropCAPSYSNICE()
{
struct __user_cap_header_struct capheader = { 0, 0 };
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct),
0, sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("DropCAPSYSNICE memset_s failed");
return FALSE;
};
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capheader.pid = 0;
struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } };
result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct),
0xff, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("DropCAPSYSNICE memset_s failed");
return FALSE;
};
// Drop the capabilities of CAP_SYS_NICE
capdata[CAP_TO_INDEX(CAP_SYS_NICE)].permitted &= ~CAP_TO_MASK(CAP_SYS_NICE);
capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective &= ~CAP_TO_MASK(CAP_SYS_NICE);
capdata[CAP_TO_INDEX(CAP_SYS_NICE)].inheritable &= ~CAP_TO_MASK(CAP_SYS_NICE);
int ret = capset(&capheader, &capdata[0]);
if (ret != 0) {
return FALSE;
}
return 0;
}
int DropCAPSYSTIME()
{
struct __user_cap_header_struct capheader = { 0, 0 };
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct),
0, sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("DropCAPSYSTIME memset_s failed");
return FALSE;
};
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capheader.pid = 0;
struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } };
result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct),
0xff, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("DropCAPSYSTIME memset_s failed");
return FALSE;
};
// Drop the capabilities of CAP_SYS_TIME
capdata[CAP_TO_INDEX(CAP_SYS_TIME)].permitted &= ~CAP_TO_MASK(CAP_SYS_TIME);
capdata[CAP_TO_INDEX(CAP_SYS_TIME)].effective &= ~CAP_TO_MASK(CAP_SYS_TIME);
capdata[CAP_TO_INDEX(CAP_SYS_TIME)].inheritable &= ~CAP_TO_MASK(CAP_SYS_TIME);
int ret = capset(&capheader, &capdata[0]);
if (ret != 0) {
return FALSE;
}
return 0;
}
int DropAllCAP()
{
struct __user_cap_header_struct capheader = { 0, 0 };
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct),
0, sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("DropAllCAP memset_s failed");
return FALSE;
};
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capheader.pid = 0;
struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } };
result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct),
0xff, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("DropAllCAP memset_s failed");
return FALSE;
};
// Drop all the capabilities
capdata[0].permitted = NO_CAP;
capdata[0].effective = NO_CAP;
capdata[0].inheritable = NO_CAP;
int ret = capset(&capheader, &capdata[0]);
if (ret != 0) {
return FALSE;
}
return 0;
}
int RemoveDir(const char *dirname)
{
int ret;
char curDir[] = ".";
char upDir[] = "..";
char updirname[SIZE512];
DIR *dir = nullptr;
struct dirent *dp = nullptr;
struct stat upDirStat = { 0 };
// Init capabilities
CapInit();
// The directory transferred by the parameter does not exist
if (access(dirname, F_OK != 0)) {
return 0;
} else {
chmod(dirname, RWX);
}
// Open the current-level directory
dir = opendir(dirname);
while ((dp = readdir(dir)) != nullptr) {
// The system skips the judgment and continues looping when the . or .. directory is encountered
if ((strcmp(curDir, dp->d_name) == 0) || (strcmp(upDir, dp->d_name) == 0)) {
continue;
}
// Combine the upper-level directory content
int spr = sprintf_s(updirname, SIZE512, "%s/%s", dirname, dp->d_name);
if (spr == FALSE) {
closedir(dir);
return FALSE;
}
// Obtains the status of the upper-level, file or directory
stat(updirname, &upDirStat);
// Directory files, recursively deleting contents in the directory
if (upDirStat.st_mode & S_IFDIR) {
// Invoke the function recursively to delete the content of the upper-level directory
RemoveDir(updirname);
} else {
// Common files, directly deleting
ret = unlink(updirname);
if (ret != 0) {
// Failed to delete the file
perror("Failed to delete the file");
LOG("ErrInfo: The file name is %s", updirname);
closedir(dir);
return FALSE;
}
}
}
// Close the current-level directory
closedir(dir);
// Delete the empty directory
ret = rmdir(dirname);
if (ret != 0) {
// Failed to delete the empty directory
perror("Failed to delete the empty directory");
LOG("ErrInfo: The directory name is %s", dirname);
return FALSE;
}
return 0;
}
int SetUidGid(uid_t uid, gid_t gid)
{
// Set the process uid and gid
int retsetuid = setuid(uid);
if (retsetuid != 0) {
LOG("ErrInfo: Set uid=%d failed, now uid=%d", uid, getuid());
return FALSE;
}
int retsetgid = setgid(gid);
if (retsetgid != 0) {
LOG("ErrInfo: Set gid=%d failed, now gid=%d", gid, getgid());
return FALSE;
}
return 0;
}
timespec CompareTime(timespec start, timespec end)
{
// Compare time 'start' and time 'end'
timespec ret = { 0 };
int tp = 1000000000;
if ((end.tv_nsec - start.tv_nsec) < 0) {
ret.tv_sec = end.tv_sec - start.tv_sec - 1;
ret.tv_nsec = tp + end.tv_nsec - start.tv_nsec;
} else {
ret.tv_sec = end.tv_sec - start.tv_sec;
ret.tv_nsec = end.tv_nsec - start.tv_nsec;
}
return ret;
}
char *GetCurrentPath()
{
// Obtain the current working directory
static char path[MAX_PATH_SIZE];
getcwd(path, MAX_PATH_SIZE);
return path;
}
// Check topDir file system, 0 is exist, -1 is non-exist
int CheckFsMount(const char *topDir, const char *topDirMountInfo)
{
const int lenMax = 100;
int len = 0;
char buf[lenMax] = {0};
const char mountInfoFile[] = "/proc/mounts";
// check topDir exist
if (access(topDir, F_OK) != 0) {
LOG("ErrInfo: '%s' not accessable, Test Stop!", topDir);
return -1;
}
FILE *fp = fopen(mountInfoFile, "r");
if (fp != nullptr) {
while (fgets(buf, sizeof(buf), fp) != NULL) {
len = strlen(buf);
if (strstr(buf, topDirMountInfo) != nullptr) {
fclose(fp);
return 0;
}
}
fclose(fp);
}
LOG("'%s' is not a '%s' not mount properly, Test Stop! please change another file type!", topDir, topDirMountInfo);
return -1;
}
\ No newline at end of file
security_lite/permission_posix/capability/src/ActsCapabilityTest.cpp 已删除 100644 → 0
浏览文件 @ ed6da30f
/*
* Copyright (c) 2021 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "ActsCapabilityTest.h"
#include <dirent.h>
#include <fcntl.h>
#include <securec.h>
#include <sys/capability.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include "gtest/gtest.h"
#include "CapabilityFileSystemTest.h"
using namespace std;
using namespace testing::ext;
#if defined(LITE_FS_VFAT)
static void CreateTxt()
{
int ret;
int fd = 0;
char cap[] = "CapabilityTestSuite!\n";
// Initialize the process and set the uid and gid of the process to zero
SetUidGid(UID0, GID0);
// Create a directory 'CAPDIR0' in the directory 'TOP_DIR'
ret = mkdir(TOP_DIR "/" CAPDIR0, NORWX);
ASSERT_EQ(ret, 0) << "ErrInfo: Failed to create the directory 'TOP_DIR/CAPDIR0'";
// Create a directory 'CAPDIR0_CAPDIR0' in the directory 'TOP_DIR/CAPDIR0'
ret = mkdir(TOP_DIR "/" CAPDIR0 "/" CAPDIR0_CAPDIR0, RWX);
ASSERT_EQ(ret, 0) << "ErrInfo: Failed to create the directory 'TOP_DIR/CAPDIR0/CAPDIR0_CAPDIR0'";
// Create a file 'CAPDIR0_CAPFILE0' in the directory 'CAPDIR0'
fd = open(TOP_DIR "/" CAPDIR0 "/" CAPDIR0_CAPFILE0, O_WRONLY | O_CREAT | O_TRUNC, RWX);
if (fd >= 0) {
// File created successfully
write(fd, cap, sizeof(cap));
close(fd);
} else {
// Failed to create the file
ASSERT_GE(fd, 0) << "ErrInfo: Failed to create the file 'TOP_DIR/CAPDIR0/CAPDIR0_CAPFILE0'";
}
}
static int CapsetOnlySETPCAP(int num)
{
struct __user_cap_header_struct capheader;
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0,
sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("CapgetWithAllCap memset_s failed");
return FALSE;
};
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capheader.pid = 0;
struct __user_cap_data_struct capdata[CAP_NUM];
result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct),
0, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("CapgetWithAllCap memset_s failed");
return FALSE;
};
capdata[CAP_TO_INDEX(CAP_SETPCAP)].permitted |= CAP_TO_MASK(CAP_SETPCAP);
capdata[CAP_TO_INDEX(CAP_SETPCAP)].effective |= CAP_TO_MASK(CAP_SETPCAP);
capdata[CAP_TO_INDEX(CAP_SETPCAP)].inheritable |= CAP_TO_MASK(CAP_SETPCAP);
// Set capabilities
int ret = capset(&capheader, &capdata[0]);
if (ret != 0) {
LOG("ErrInfo: Failed to drop all caps except CAP_SETPCAP during the %d time", num);
return FALSE;
}
return 0;
}
static int AddCapUnauthorized(int num)
{
struct __user_cap_header_struct capheader;
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0,
sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("CapgetWithAllCap memset_s failed");
return FALSE;
};
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capheader.pid = 0;
struct __user_cap_data_struct capdata[CAP_NUM];
result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct),
0, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("CapgetWithAllCap memset_s failed");
return FALSE;
};
capdata[0].permitted = LINUX_FULL_CAP;
capdata[0].effective = LINUX_FULL_CAP;
capdata[0].inheritable = LINUX_FULL_CAP;
// Set capabilities
int ret = capset(&capheader, &capdata[0]);
if (ret != FALSE) {
LOG("ErrInfo: Add unauthorized capability during the %d time", num);
return FALSE;
}
return 0;
}
static int CapgetWithAllCap(int num)
{
struct __user_cap_header_struct capheader = { 0 };
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0,
sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("CapgetWithAllCap memset_s failed");
return FALSE;
};
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capheader.pid = 0;
struct __user_cap_data_struct capdataget[CAP_NUM] = { { 0 }, { 0 } };
result = memset_s(capdataget, CAP_NUM * sizeof(struct __user_cap_data_struct),
0, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("CapgetWithAllCap memset_s failed");
return FALSE;
};
int ret = capget(&capheader, &capdataget[0]);
if (ret != 0) {
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to get CAPs";
LOG("ErrInfo: Failed to get CAPs during the %d time", num);
return FALSE;
}
// The process has all capabilities
if (capdataget[0].effective != OHOS_FULL_CAP) {
EXPECT_EQ(capdataget[0].effective, OHOS_FULL_CAP) << "ErrInfo: Get wrong capabilities";
LOG("ErrInfo: Get wrong capabilities during the %d time", num);
return FALSE;
}
return 0;
}
static int CapgetWithNoCap(int num)
{
struct __user_cap_header_struct capheader = { 0 };
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0,
sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("CapgetWithAllCap memset_s failed");
return FALSE;
};
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capheader.pid = 0;
struct __user_cap_data_struct capdataget[CAP_NUM] = { { 0 }, { 0 } };
result = memset_s(capdataget, CAP_NUM * sizeof(struct __user_cap_data_struct),
0, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("CapgetWithAllCap memset_s failed");
return FALSE;
};
int ret = capget(&capheader, &capdataget[0]);
if (ret != 0) {
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to get CAPs";
LOG("ErrInfo: Failed to get CAPs during the %d time", num);
return FALSE;
}
// The process does not have any capabilities
if (capdataget[0].effective != NO_CAP) {
EXPECT_EQ(capdataget[0].effective, NO_CAP) << "ErrInfo: Get wrong capabilities";
LOG("ErrInfo: Get wrong capabilities during the %d time", num);
return FALSE;
}
return 0;
}
static int CapgetOnlySETPCAP(int num)
{
struct __user_cap_header_struct capheader = { 0 };
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0,
sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("CapgetWithAllCap memset_s failed");
return FALSE;
};
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capheader.pid = 0;
struct __user_cap_data_struct capdataget[CAP_NUM] = { { 0 }, { 0 } };
result = memset_s(capdataget, CAP_NUM * sizeof(struct __user_cap_data_struct),
0, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("CapgetWithAllCap memset_s failed");
return FALSE;
};
int ret = capget(&capheader, &capdataget[0]);
if (ret != 0) {
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to get CAPs";
LOG("ErrInfo: Failed to get CAPs during the %d time", num);
return FALSE;
}
// The process only has CAP_SETPCAP
if (capdataget[0].effective != ONLY_SETPCAP_CAP) {
EXPECT_EQ(capdataget[0].effective, ONLY_SETPCAP_CAP) << "ErrInfo: Get wrong capabilities";
LOG("ErrInfo: Get wrong capabilities during the %d time", num);
return FALSE;
}
return 0;
}
static int CapsetWithoutSETPCAP()
{
// Drop the capabilities of CAP_SETPCAP 8
int retsetpcap = DropCAPSETPCAP();
EXPECT_EQ(retsetpcap, 0) << "ErrInfo: Failed to drop CAP_SETPCAP";
// Drop the capabilities of CAP_CHOWN 0
int retchown = DropCAPCHOWN();
EXPECT_EQ(retchown, FALSE) << "ErrInfo: Drop CAP_CHOWN without CAP_SETPCAP";
// Drop the capabilities of CAP_DAC_OVERRIDE 1
int retdacoverride = DropCAPDACOVERRIDE();
EXPECT_EQ(retdacoverride, FALSE) << "ErrInfo: Drop CAP_DAC_OVERRIDE without CAP_SETPCAP";
// Drop the capabilities of CAP_DAC_READ_SEARCH 2
int retdacreadsearch = DropCAPDACREADSEARCH();
EXPECT_EQ(retdacreadsearch, FALSE) << "ErrInfo: Drop CAP_DAC_READ_SEARCH without CAP_SETPCAP";
// Drop the capabilities of CAP_FOWNER 3
int retfowner = DropCAPFOWNER();
EXPECT_EQ(retfowner, FALSE) << "ErrInfo: Drop CAP_FOWNER without CAP_SETPCAP";
// Drop the capabilities of CAP_KILL 5
int retkill = DropCAPKILL();
EXPECT_EQ(retkill, FALSE) << "ErrInfo: Drop CAP_KILL without CAP_SETPCAP";
// Drop the capabilities of CAP_SETGID 6
int retsetgid = DropCAPSETGID();
EXPECT_EQ(retsetgid, FALSE) << "ErrInfo: Drop CAP_SETGID without CAP_SETPCAP";
// Drop the capabilities of CAP_SETUID 7
int retsetuid = DropCAPSETUID();
EXPECT_EQ(retsetuid, FALSE) << "ErrInfo: Drop CAP_SETUID without CAP_SETPCAP";
// Drop the capabilities of CAP_SETPCAP 8
int retsetpcapfailed = DropCAPSETPCAP();
EXPECT_EQ(retsetpcapfailed, FALSE) << "ErrInfo: Drop CAP_SETPCAP without CAP_SETPCAP";
// Drop the capabilities of CAP_SYS_NICE 23
int retsysnice = DropCAPSYSNICE();
EXPECT_EQ(retsysnice, FALSE) << "ErrInfo: Drop CAP_SYS_NICE without CAP_SETPCAP";
// Drop the capabilities of CAP_SYS_TIME 25
int retsystime = DropCAPSYSTIME();
EXPECT_EQ(retsystime, FALSE) << "ErrInfo: Drop CAP_SYS_TIME without CAP_SETPCAP";
if ((retchown != FALSE) || (retdacoverride != FALSE) || (retdacreadsearch != FALSE) || (retfowner != FALSE) ||
(retkill != FALSE) || (retsetgid != FALSE) || (retsetuid != FALSE) || (retsetpcapfailed != FALSE) ||
(retsysnice != FALSE) || (retsystime != FALSE) || (retsetpcap == FALSE)) {
LOG("ErrInfo: Drop the capabilities without CAP_SETPCAP");
return FALSE;
}
return 0;
}
static int CapsetWithVersion(pid_t pid, unsigned int version)
{
struct __user_cap_header_struct capheader = { 0 };
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0,
sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("CapgetWithAllCap memset_s failed");
return FALSE;
};
capheader.pid = pid;
capheader.version = version;
struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } };
result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct),
0xff, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("CapgetWithAllCap memset_s failed");
return FALSE;
};
// Capget based on input parameters
int ret = capset(&capheader, &capdata[0]);
if (ret != 0) {
// Capset with abnormal parameter
return FALSE;
}
return 0;
}
static int CapgetWithVersion(pid_t pid, unsigned int version)
{
struct __user_cap_header_struct capheader = { 0 };
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0,
sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("CapgetWithAllCap memset_s failed");
return FALSE;
};
capheader.pid = pid;
capheader.version = version;
struct __user_cap_data_struct capdataget[CAP_NUM] = { { 0 }, { 0 } };
result = memset_s(capdataget, CAP_NUM * sizeof(struct __user_cap_data_struct),
0xff, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("CapgetWithAllCap memset_s failed");
return FALSE;
};
// Capget based on input parameters
int ret = capget(&capheader, &capdataget[0]);
if (ret != 0) {
// Capget with abnormal parameter
return FALSE;
}
return 0;
}
static int CapgetWithCaps(pid_t pid, unsigned int caps)
{
struct __user_cap_header_struct capheader = { 0 };
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0,
sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("CapgetWithAllCap memset_s failed");
return FALSE;
};
capheader.pid = pid;
capheader.version = _LINUX_CAPABILITY_VERSION_3;
struct __user_cap_data_struct capdataget[CAP_NUM] = { { 0 }, { 0 } };
result = memset_s(capdataget, CAP_NUM * sizeof(struct __user_cap_data_struct),
0xff, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("CapgetWithAllCap memset_s failed");
return FALSE;
};
// Capget based on input parameters and check whether the capability is the same as the input parameter
int ret = capget(&capheader, &capdataget[0]);
if (ret != 0 || capdataget[0].effective != caps) {
EXPECT_EQ(capdataget[0].effective, caps) << "ErrInfo: Pid = " << pid << ", process has wrong capability";
return FALSE;
}
return 0;
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_0600
* @tc.name : Processes with the CAP_KILL capability can invoke their management
and control interfaces to kill other processes
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F(CapabilityTestSuite, CapabilityTest0600, Function | MediumTest | Level2)
{
int ret = 0;
int status1 = 0;
int status2 = 0;
// Preset action: Fork a sub process pid1
pid_t pid1 = fork();
ASSERT_TRUE(pid1 >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
// Preset action: Change the UID&GID of the sub process pid1 and keep it hibernated
if (pid1 == 0) {
SetUidGid(UID555, GID555);
ChildSleep();
} else {
// Preset action: Fork a sub process pid2
pid_t pid2 = fork();
ASSERT_TRUE(pid2 >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
if (pid2 == 0) {
int exitCode = 0;
// Step 1: Drop the capabilities of CAP_KILL
ret = DropCAPKILL();
if (ret != 0) {
LOG("ErrInfo: Failed to drop CAP_KILL");
exitCode = 1;
}
// Step 2: Failed to kill the sub process
ret = kill(pid1, SIGXFSZ);
if (ret != FALSE) {
LOG("ErrInfo: Kill process without CAP_KILL");
exitCode = 1;
}
// Step 3: Change the UID&GID of the sub process pid1 and keep it hibernated
ret = SetUidGid(UID555, GID555);
if (ret != 0) {
LOG("ErrInfo: Failed to set uid and gid");
exitCode = 1;
}
// Step 4: The sub process exit with the exitCode
exit(exitCode);
} else {
// Step 4: Kill the sub process pid1 successfully
ret = kill(pid1, SIGXFSZ);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to Kill pid1 with CAP_KILL";
// Cleanup action: Wait for the sub process pid1 and pid2 to be killed
waitpid(pid1, &status1, 0);
waitpid(pid2, &status2, 0);
EXPECT_NE(WIFEXITED(status2), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid2;
EXPECT_EQ(WEXITSTATUS(status2), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = "
<< pid2;
}
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_0700
* @tc.name : Processes with the CAP_SETGID capability can invoke their management
and control interfaces to change the group IDs of other processes
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F(CapabilityTestSuite, CapabilityTest0700, Function | MediumTest | Level2)
{
int ret = 0;
int status = 0;
pid_t pid = fork(); // Preset action: Fork a sub process
ASSERT_TRUE(pid >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
if (pid == 0) {
int exitCode = 0;
ret = setgid(NUM500); // Step 1.1: Set GID with interface 'setgid'
if (ret != 0) {LOG("ErrInfo: Failed to set GID with interface 'setgid', now process gid=%d", getpid());
exitCode = 1; }
ret = setregid(NUM600, NUM600); // Step 1.2: Set reGID with interface 'setregid'
if (ret != 0) {LOG("ErrInfo: Failed to set reGID with interface 'setregid', now process gid=%d", getpid());
exitCode = 1; }
ret = setresgid(NUM700, NUM700, NUM700); // Step 1.3: Set resGID with interface 'setresgid'
if (ret != 0) {LOG("ErrInfo: Failed to set resGID with interface 'setresgid', now process gid=%d", getpid());
exitCode = 1; }
ret = setgroups(NUM3, GROUPLIST); // Step 1.4: Set groups with interface 'setgroups'
if (ret != 0) {LOG("ErrInfo: Failed to set groups with interface 'setgroups'");
exitCode = 1; }
ret = DropCAPSETGID(); // Step 2: Drop the capabilities of CAP_SETGID
if (ret != 0) {LOG("ErrInfo: Failed to drop CAP_SETGID");
exitCode = 1; }
ret = setgid(NUM500); // Step 3.1: Failed to set GID with interface 'setgid'
if (ret != FALSE) {LOG("ErrInfo: Set GID without CAP_SETGID, now process gid=%d", getpid());
exitCode = 1; }
ret = setregid(NUM500, NUM500); // Step 3.2: Failed to set reGID with interface 'setregid'
if (ret != FALSE) {LOG("ErrInfo: Set reGID without CAP_SETGID, now process gid=%d", getpid());
exitCode = 1; }
ret = setresgid(NUM500, NUM500, NUM500); // Step 3.3: Failed to set resGID with interface 'setregid'
if (ret != FALSE) {LOG("ErrInfo: Set resGID without CAP_SETGID, now process gid=%d", getpid());
exitCode = 1; }
ret = setgroups(NUM3, GROUPLIST); // Step 3.4: Failed to set groups with interface 'setgroups'
if (ret != FALSE) {LOG("ErrInfo: Set groups without CAP_SETGID");
exitCode = 1; } // Step 4: The sub process exit with the exitCode
exit(exitCode);
} else {
waitpid(pid, &status, 0); // Step 5: The parent process wait for the sub process to exit and obtain the exitCode
EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid;
EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_0800
* @tc.name : Processes with the CAP_SETUID capability can invoke their management
and control interfaces to change user IDs of other processes
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F(CapabilityTestSuite, CapabilityTest0800, Function | MediumTest | Level2)
{
int ret = 0;
int status = 0;
// Preset action: Fork a sub process
pid_t pid = fork();
ASSERT_TRUE(pid >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
if (pid == 0) {
int exitCode = 0;
// Step 1.1: Set UID with interface 'setuid'
ret = setuid(NUM500);
if (ret != 0) {
LOG("ErrInfo: Failed to set UID with interface 'setuid', now process uid=%d", getpid());
exitCode = 1;
}
// Step 1.2: Set reUID with interface 'setreuid'
ret = setreuid(NUM600, NUM600);
if (ret != 0) {
LOG("ErrInfo: Failed to set reUID with interface 'setreuid', now process uid=%d", getpid());
exitCode = 1;
}
// Step 1.3: Set resUID with interface 'setresuid'
ret = setresuid(NUM700, NUM700, NUM700);
if (ret != 0) {
LOG("ErrInfo: Failed to set resUID with interface 'setresuid', now process uid=%d", getpid());
exitCode = 1;
}
// Step 2: Drop the capabilities of CAP_SETUID
ret = DropCAPSETUID();
if (ret != 0) {
LOG("ErrInfo: Failed to drop CAP_SETUID");
exitCode = 1;
}
// Step 3.1: Failed to set UID with interface 'setuid'
ret = setuid(NUM500);
if (ret != FALSE) {
LOG("ErrInfo: Set UID without CAP_SETUID, now process uid=%d", getpid());
exitCode = 1;
}
// Step 3.2: Failed to set reUID with interface 'setreuid'
ret = setreuid(NUM500, NUM500);
if (ret != FALSE) {
LOG("ErrInfo: Set reUID without CAP_SETUID, now process uid=%d", getpid());
exitCode = 1;
}
// Step 3.3: Failed to set resUID with interface 'setreuid'
ret = setresuid(NUM500, NUM500, NUM500);
if (ret != FALSE) {
LOG("ErrInfo: Set resUID without CAP_SETUID, now process uid=%d", getpid());
exitCode = 1;
}
// Step 4: The sub process exit with the exitCode
exit(exitCode);
} else {
// Step 5: The parent process wait for the sub process to exit and obtain the exitCode
waitpid(pid, &status, 0);
EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid;
EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_0900
* @tc.name : Processes with the CAP_SETPCCAP capability can invoke their management
and control interfaces to add and delete capabilities for other processes
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F(CapabilityTestSuite, CapabilityTest0900, Security | MediumTest | Level2)
{
int ret = 0;
int status = 0;
// Preset action: Fork a sub process
pid_t pid = fork();
ASSERT_TRUE(pid >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
if (pid == 0) {
int exitCode = 0;
// Step 1: Drop the capabilities of CAP_SETPCAP
ret = DropCAPSETPCAP();
if (ret != 0) {
LOG("ErrInfo: Failed to drop CAP_SETPCAP");
exitCode = 1;
}
// Step 2: Failed to add the capabilities of CAP_SETPCAP
exitCode = AddCapUnauthorized(1);
if (exitCode != 0) {
LOG("ErrInfo: Add capabilities without CAP_SETPCAP");
}
// Step 3: The sub process exit with the exitCode
exit(exitCode);
} else {
// Step 4: The parent process wait for the sub process to exit and obtain the exitCode
waitpid(pid, &status, 0);
EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid;
EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1000
* @tc.name : Processes with the CAP_SYS_NICE capability can invoke their management
and control interfaces to set the process priority
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F(CapabilityTestSuite, CapabilityTest1000, Function | MediumTest | Level2)
{
int ret = 0;
int status1 = 0;
int status2 = 0;
// Preset action: Fork a sub process pid1
pid_t pid1 = fork();
ASSERT_TRUE(pid1 >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
// Preset action: keep the sub process pid1 hibernated
if (pid1 == 0) {
ChildSleep();
} else {
// Preset action: Fork a sub process pid2
pid_t pid2 = fork();
ASSERT_TRUE(pid2 >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
if (pid2 == 0) {
int exitCode = 0;
// Preset action: Obtains the test priority
struct sched_param param = { 0 };
ret = sched_getparam(pid1, &param);
param.sched_priority--;
// Step 1: Set the priority of the sub process successfully
ret = sched_setparam(pid1, &param);
if (ret != 0) {
LOG("ErrInfo: Failed to set priority with CAP_SYS_NICE");
exitCode = 1;
}
// Step 2: Drop the capabilities of CAP_SYS_NICE
ret = DropCAPSYSNICE();
if (ret != 0) {
LOG("ErrInfo: Failed to drop CAP_SYS_NICE");
exitCode = 1;
}
// Step 3: Failed to set the priority of the sub process
param.sched_priority++;
ret = sched_setparam(pid1, &param);
if (ret != FALSE) {
LOG("ErrInfo: Set priority without CAP_SYS_NICE");
exitCode = 1;
}
// Step 4: The sub process exit with the exitCode
exit(exitCode);
} else {
// Step 5: The parent process wait for the sub process to exit and obtain the exitCode
waitpid(pid2, &status2, 0);
EXPECT_NE(WIFEXITED(status2), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid2;
EXPECT_EQ(WEXITSTATUS(status2), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = "
<< pid2;
// Cleanup action: Kill the sub process and wait for the sub process to be killed
ret = kill(pid1, SIGXFSZ);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to kill the sub process pid1";
waitpid(pid1, &status1, 0);
}
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1100
* @tc.name : Processes with the CAP_SYS_TIME capability can call their management
and control interfaces and change the system clock
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F(CapabilityTestSuite, CapabilityTest1100, Function | MediumTest | Level2)
{
int ret = 0;
int status = 0;
struct timespec tp = { 0 };
// Preset action: Fork a sub process
pid_t pid = fork();
ASSERT_TRUE(pid >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
if (pid == 0) {
int exitCode = 0;
// Preset action: Obtains the system time and the test time
clock_gettime(CLOCK_REALTIME, &tp);
tp.tv_sec += 1;
// Step 1: Set the System Time with the test time successfully
ret = clock_settime(CLOCK_REALTIME, &tp);
if (ret != 0) {
LOG("ErrInfo: Failed to set clocktime with CAP_SYS_TIME");
exitCode = 1;
}
// Step 2: Drop the capabilities of CAP_SYS_TIME
ret = DropCAPSYSTIME();
if (ret != 0) {
LOG("ErrInfo: Failed to drop CAP_SYS_TIME");
exitCode = 1;
}
// Step 3: Failed to set the system time with the test time
tp.tv_sec += 1;
ret = clock_settime(CLOCK_REALTIME, &tp);
if (ret != FALSE) {
LOG("ErrInfo: Set clocktime without CAP_SYS_TIME");
exitCode = 1;
}
// Step 4: The sub process exit with the exitCode
exit(exitCode);
} else {
// Step 5: The parent process wait for the sub process to exit and obtain the exitCode
waitpid(pid, &status, 0);
EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid;
EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1200
* @tc.name : Processes without the CAP_SETPCAP capability cannot drop any capability
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F(CapabilityTestSuite, CapabilityTest1200, Function | MediumTest | Level3)
{
int status = 0;
// Preset action: Fork a sub process
pid_t pid = fork();
ASSERT_TRUE(pid >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
if (pid == 0) {
int exitCode = 0;
// Step 1: Failed to add capabilities without CAP_SETPCAP
exitCode = CapsetWithoutSETPCAP();
// Step 2: The sub process exit with the exitCode
exit(exitCode);
} else {
// Step 3: The parent process wait for the sub process to exit and obtain the exitCode
waitpid(pid, &status, 0);
EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid;
EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1300
* @tc.name : Inheritance of process capabilities
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F(CapabilityTestSuite, CapabilityTest1300, Function | MediumTest | Level1)
{
int status = 0;
// Preset action: Fork a sub process
pid_t pid = fork();
ASSERT_TRUE(pid >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
if (pid == 0) {
int exitCode = 0;
// Step 1: Query the sub process capabilities for 10000 times
for (int number = 0; number < NUM10000; number++) {
exitCode = CapgetWithAllCap(number);
if (exitCode != 0) {
LOG("ErrInfo: CapgetWithAllCap error during the %d time", number);
break;
}
}
// Step 2: The sub process exit with the exitCode
exit(exitCode);
} else {
// Step 3: The parent process wait for the sub process to exit and obtain the exitCode
waitpid(pid, &status, 0);
EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid;
EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid;
// Step 4: Query the parent process capabilities
int ret = CapgetWithAllCap(1);
EXPECT_EQ(ret, 0) << "ErrInfo: CapgetWithAllCap error";
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1400
* @tc.name : Invoke the capset interface to add and drop the process capabilities for 10000 times
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F(CapabilityTestSuite, CapabilityTest1400, Reliability | MediumTest | Level2)
{
int status = 0;
// Preset action: Fork a sub process
pid_t pid = fork();
ASSERT_TRUE(pid >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
if (pid == 0) {
int exitCode = 0;
// Step 1: Drop and add the sub process capabilities for 10000 times
for (int number = 0; number < NUM10000; number++) {
exitCode = CapsetOnlySETPCAP(number);
if (exitCode != 0) {
LOG("ErrInfo: CapsetOnlySETPCAP error during the %d time", number);
break;
}
exitCode = AddCapUnauthorized(number);
if (exitCode != 0) {
LOG("ErrInfo: AddCapUnauthorized error during the %d time", number);
break;
}
}
// Step 2: The sub process exit with the exitCode
exit(exitCode);
} else {
// Step 3: The parent process wait for the sub process to exit and obtain the exitCode
waitpid(pid, &status, 0);
EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid;
EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1500
* @tc.name : Invoke the capset interface to revoke the process capabilities which not exist for 10000 times
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F(CapabilityTestSuite, CapabilityTest1500, Reliability | MediumTest | Level2)
{
int status = 0;
// Preset action: Fork a sub process
pid_t pid = fork();
ASSERT_TRUE(pid >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
if (pid == 0) {
int exitCode = 0;
struct __user_cap_header_struct capheader = { 0 };
errno_t result = memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0,
sizeof(struct __user_cap_header_struct));
if (result != EOK) {
LOG("CapgetWithAllCap memset_s failed");
ASSERT_TRUE(false);
};
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capheader.pid = 0;
struct __user_cap_data_struct capdata[CAP_NUM] = { { 0 }, { 0 } };
result = memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct),
LINUX_FULL_CAP, CAP_NUM * sizeof(struct __user_cap_data_struct));
if (result != EOK) {
LOG("CapgetWithAllCap memset_s failed");
ASSERT_TRUE(false);
};
capdata[CAP_TO_INDEX(INVALID_CAP_TO_INDEX)].permitted &= ~CAP_TO_MASK(INVALID_CAP_TO_INDEX);
capdata[CAP_TO_INDEX(INVALID_CAP_TO_INDEX)].effective &= ~CAP_TO_MASK(INVALID_CAP_TO_INDEX);
capdata[CAP_TO_INDEX(INVALID_CAP_TO_INDEX)].inheritable &= ~CAP_TO_MASK(INVALID_CAP_TO_INDEX);
for (int number = 0; number < NUM10000; number++) {
// Step 1: Drop an abnormal capability for 10000 times
int ret = capset(&capheader, &capdata[0]);
if (ret != 0) {
LOG("ErrInfo: Drop an abnormal capability during the %d time", number);
exitCode = 1;
break;
}
}
// Step 2: The sub process exit with the exitCode
exit(exitCode);
} else {
// Step 3: The parent process wait for the sub process to exit and obtain the exitCode
waitpid(pid, &status, 0);
EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid;
EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1600
* @tc.name : Enter the exception parameter for 10000 times when invoke the capset interface
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F(CapabilityTestSuite, CapabilityTest1600, Reliability | MediumTest | Level3)
{
int ret = 0;
int status = 0;
// Preset action: Fork a sub process
pid_t pid = fork();
ASSERT_TRUE(pid >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
if (pid == 0) {
int exitCode = 0;
for (int number = 0; number < NUM10000; number++) {
// Step 1.1: Capset the abnormal capheader.pid '-1' for 10000 times
ret = CapsetWithVersion(FALSE, _LINUX_CAPABILITY_VERSION_3);
if (ret != FALSE) {
LOG("ErrInfo: Capset with the abnormal capheader.pid '-1' during the %d time", number);
exitCode = 1;
break;
}
// Step 1.2: Capset the abnormal capheader.pid '65536' for 10000 times
ret = CapsetWithVersion(INVAILD_PID, _LINUX_CAPABILITY_VERSION_3);
if (ret != FALSE) {
LOG("ErrInfo: Capset with the abnormal capheader.pid '65536' during the %d time", number);
exitCode = 1;
break;
}
// Step 1.3: Capset the abnormal capheader.version '1' for 10000 times
ret = CapsetWithVersion(0, 1);
if (ret != FALSE) {
LOG("ErrInfo: Capset with the abnormal normal capheader.version '1' during the %d time", number);
exitCode = 1;
break;
}
// Step 1.4: Capset the abnormal capheader.version '_LINUX_CAPABILITY_VERSION_1' for 10000 times
ret = CapsetWithVersion(0, _LINUX_CAPABILITY_VERSION_1);
if (ret != 0) {
LOG("ErrInfo: Capset with the abnormal capheader.version '_LINUX_CAPABILITY_VERSION_1'"
"during the %d time", number);
exitCode = 1;
break;
}
// Step 1.5: Add normal capheader.version '_LINUX_CAPABILITY_VERSION_3' for 10000 times
ret = CapsetWithVersion(0, _LINUX_CAPABILITY_VERSION_3);
if (ret != 0) {
LOG("ErrInfo: Failed to capset with normal capheader.version during the %d time", number);
exitCode = 1;
break;
}
}
// Step 2: The sub process exit with the exitCode
exit(exitCode);
} else {
// Step 3: The parent process wait for the sub process to exit and obtain the exitCode
waitpid(pid, &status, 0);
EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid;
EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1700
* @tc.name : Invoke the capget interface to query the process capabilities for 10000 times
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F(CapabilityTestSuite, CapabilityTest1700, Reliability | MediumTest | Level2)
{
// Step 1: Query the process capabilities for 10000 times
for (int number = 0; number < NUM10000; number++) {
int ret = CapgetWithAllCap(number);
if (ret != 0) {
EXPECT_EQ(ret, 0) << "ErrInfo: CapgetWithAllCap error during the " << number << " time";
break;
}
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1800
* @tc.name : Invoke the capget interface to query the process capabilities which not exist for 10000 times
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F(CapabilityTestSuite, CapabilityTest1800, Reliability | MediumTest | Level3)
{
int ret = 0;
int status = 0;
// Preset action: Fork a sub process
pid_t pid = fork();
ASSERT_TRUE(pid >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
if (pid == 0) {
int exitCode = 0;
// Step 1: Drop all the sub process capabilities
DropAllCAP();
// Step 2: Obtain the sub process capabilities
for (int number = 0; number < NUM10000; number++) {
exitCode = CapgetWithNoCap(number);
if (exitCode != 0) {
LOG("ErrInfo: CapgetWithNoCap error during the %d time", number);
break;
}
}
// Step 3: The sub process exit with the exitCode
exit(exitCode);
} else {
// Step 4: The parent process wait for the sub process to exit and obtain the exitCode
waitpid(pid, &status, 0);
EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid;
EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid;
// Step 5: Query the parent process capabilities
ret = CapgetWithAllCap(1);
EXPECT_EQ(ret, 0) << "ErrInfo: CapgetWithAllCap error";
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_1900
* @tc.name : Enter the exception parameter for 10000 times when invoke the capget interface
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F(CapabilityTestSuite, CapabilityTest1900, Reliability | MediumTest | Level2)
{
int ret = 0;
int status = 0;
// Preset action: Fork a sub process
pid_t pid = fork();
ASSERT_TRUE(pid >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
if (pid == 0) {
int exitCode = 0;
for (int number = 0; number < NUM10000; number++) {
// Step 1.1: Capget the abnormal capheader.pid '-1' for 10000 times
ret = CapgetWithVersion(FALSE, _LINUX_CAPABILITY_VERSION_3);
if (ret != FALSE) {
LOG("ErrInfo: Capget with the abnormal capheader.pid '-1' during the %d time", number);
exitCode = 1;
break;
}
// Step 1.2: Capget the abnormal capheader.pid '65536' for 10000 times
ret = CapgetWithVersion(INVAILD_PID, _LINUX_CAPABILITY_VERSION_3);
if (ret != FALSE) {
LOG("ErrInfo: Capget with the abnormal capheader.pid '65536' during the %d time", number);
exitCode = 1;
break;
}
// Step 1.3: Capget the abnormal capheader.version '1' for 10000 times
ret = CapgetWithVersion(0, 1);
if (ret != FALSE) {
LOG("ErrInfo: Capget with the abnormal capheader.version '1' during the %d time", number);
exitCode = 1;
break;
}
// Step 1.4: Capget with the abnormal capheader.version '_LINUX_CAPABILITY_VERSION_1' for 10000 times
ret = CapgetWithVersion(0, _LINUX_CAPABILITY_VERSION_1);
if (ret != 0) {
LOG("ErrInfo: Capget with the abnormal capheader.version '_LINUX_CAPABILITY_VERSION_1'"
"during the %d time", number);
exitCode = 1;
break;
}
// Step 1.5: Capget the normal capheader.version '_LINUX_CAPABILITY_VERSION_3' for 10000 times
ret = CapgetWithVersion(0, _LINUX_CAPABILITY_VERSION_3);
if (ret != 0) {
LOG("ErrInfo: Failed to capget with the normal capheader.version '_LINUX_CAPABILITY_VERSION_3'"
"during the %d time", number);
exitCode = 1;
break;
}
}
// Step 2: The sub process exit with the exitCode
exit(exitCode);
} else {
// Step 3: The parent process wait for the sub process to exit and obtain the exitCode
waitpid(pid, &status, 0);
EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid;
EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_2100
* @tc.name : Five processes concurrently invoke APIs managed by the capability for 5000 times
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F(CapabilityTestSuite, CapabilityTest2100, Reliability | MediumTest | Level2)
{
int status = 0;
// Preset action: Fork five sub processes
pid_t pid;
for (int num = 0; num < NUM5; num++) {
pid = fork();
ASSERT_TRUE(pid >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
if (pid == 0) {
break;
}
}
// get one parent & five children
if (pid == 0) {
int exitCode = 0;
for (int number = 0; number < NUM5000; number++) {
// Step 1: Five sub processes simultaneously drop capabilities for 5000 times
exitCode = CapsetOnlySETPCAP(number);
if (exitCode != 0) {
LOG("ErrInfo: CapsetOnlySETPCAP Error during the %d time", number);
break;
}
// Step 2: Five sub processes simultaneously add capabilities for 5000 times
exitCode = AddCapUnauthorized(number);
if (exitCode != 0) {
LOG("ErrInfo: AddCapUnauthorized Error during the %d time", number);
break;
}
// Step 3: Five sub processes simultaneously capget for 5000 times
exitCode = CapgetOnlySETPCAP(number);
if (exitCode != 0) {
LOG("ErrInfo: CapgetOnlySETPCAP Error during the %d time", number);
break;
}
}
// Step 4: Five sub processes exit with the exitCode
exit(exitCode);
} else {
// Step 5: The parent process wait for five sub processes to exit and obtain the exitCode
for (int num2 = 0; num2 < NUM5; num2++) {
wait(&status);
EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid;
EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: Pid = "<< pid
<< ", its exitCode is wrong and test case failed, please query logs";
}
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_2200
* @tc.name : Check whether the default configuration of the system process capabilities
is the same as that described in the design document
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F(CapabilityTestSuite, CapabilityTest2200, Security | MediumTest | Level1)
{
int ret;
// Step 1: Check the capability of process 'init', pid = 1
ret = CapgetWithCaps(INIT_PID, INIT_CAP);
EXPECT_EQ(ret, 0) << "ErrInfo: Pid = 1, process init has wrong capability";
// Step 2: Check the capability of process 'KProcess', pid = 2
ret = CapgetWithCaps(KPROCESS_PID, KPROCESS_CAP);
EXPECT_EQ(ret, 0) << "ErrInfo: Pid = 2, process KProcess has wrong capability";
// Step 3: Check the capability of process 'shell', pid = 8
ret = CapgetWithCaps(SHELL_PID, SHELL_CAP);
EXPECT_EQ(ret, 0) << "ErrInfo: Pid = 8, process shell has wrong capability";
// Step 4: Check the capability of process 'apphilogcat', pid = 10
ret = CapgetWithCaps(HILOGCAT_PID, HILOGCAT_CAP);
EXPECT_EQ(ret, 0) << "ErrInfo: Pid = 10, process apphilogcat has wrong capability";
// Step 5: Check the capability of process 'foundation', pid = 3
ret = CapgetWithCaps(FOUNDATION_PID, FOUNDATION_CAP);
EXPECT_EQ(ret, 0) << "ErrInfo: Pid = 3, process foundation has wrong capability";
// Step 6: Check the capability of process 'bundle_daemon', pid = 4
ret = CapgetWithCaps(BUNDLE_DAEMON_PID, BUNDLE_DAEMON_CAP);
EXPECT_EQ(ret, 0) << "ErrInfo: Pid = 4, process bundle_daemon has wrong capability";
// Step 7: Check the capability of process 'appspawn', pid = 5
ret = CapgetWithCaps(APPSPAWN_PID, APPSPAWN_CAP);
EXPECT_EQ(ret, 0) << "ErrInfo: Pid = 5, process appspawn has wrong capability";
// Step 8: Check the capability of process 'media_server', pid = 6
ret = CapgetWithCaps(MEDIA_SERVER_PID, MEDIA_SERVER_CAP);
EXPECT_EQ(ret, 0) << "ErrInfo: Pid = 6, process media_server has wrong capability";
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_2400
* @tc.name : The process continuously invokes the capset and capget interfaces,
which does not affect the use of other processes
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F(CapabilityTestSuite, CapabilityTest2400, Function | MediumTest | Level1)
{
int status = 0;
// Preset action: Create a txt
CreateTxt();
// Preset action: Fork two sub processes
pid_t pid;
for (int num = 0; num < NUM2; num++) {
pid = fork();
ASSERT_TRUE(pid >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
if (pid == 0) {
break;
}
}
// get one parent & two children
if (pid == 0) {
int exitCode = 0;
for (int number = 0; number < NUM5000; number++) {
// Step 1: Two sub processes simultaneously drop capabilities for 5000 times
exitCode = CapsetOnlySETPCAP(number);
if (exitCode != 0) {
LOG("ErrInfo: CapsetOnlySETPCAP Error during the %d time", number);
break;
}
// Step 2: Two sub processes simultaneously add capabilities for 5000 times
exitCode = AddCapUnauthorized(number);
if (exitCode != 0) {
LOG("ErrInfo: AddCapUnauthorized Error during the %d time", number);
break;
}
// Step 3: Two sub processes simultaneously capget for 5000 times
exitCode = CapgetOnlySETPCAP(number);
if (exitCode != 0) {
LOG("ErrInfo: CapgetOnlySETPCAP Error during the %d time", number);
break;
}
}
// Step 4: Two sub processes exit with the exitCode
exit(exitCode);
} else {
// Step 5: The parent process simultaneously invoke chown interfaces for 1000 times
for (int number2 = 0; number2 < NUM1000; number2++) {
int ret = chown(TOP_DIR "/" CAPDIR0 "/" CAPDIR0_CAPFILE0, number2, number2);
if (ret != 0) {
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to chown during the " << number2 << " time";
break;
}
}
// Step 6: The parent process wait for two sub processes to exit and obtain the exitCode
for (int num2 = 0; num2 < NUM2; num2++) {
wait(&status);
EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid;
EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: Pid = "<< pid
<< ", its exitCode is wrong and test case failed, please query logs";
}
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_2500
* @tc.name : Performance test of capset and capget interface
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F(CapabilityTestSuite, CapabilityTest2500, Performance | MediumTest | Level2)
{
int status = 0;
// Preset action: Fork a sub process
pid_t pid = fork();
ASSERT_TRUE(pid >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
if (pid == 0) {
int exitCode = 0;
struct timespec tp = { 0 };
struct timespec starttime = { 0 };
struct timespec endtime = { 0 };
tp.tv_sec = 0;
tp.tv_nsec = 0;
// Preset action: Obtains the system time -> starttime
clock_gettime(CLOCK_REALTIME, &starttime);
// Step 1: Capset and capget for 200000 times
for (int number = 0; number < NUM10000; number++) {
CapsetOnlySETPCAP(number);
AddCapUnauthorized(number);
CapgetOnlySETPCAP(number);
}
// Step 2: Obtains the system time again -> endtime
clock_gettime(CLOCK_REALTIME, &endtime);
// Step 3: Compare the starttime and the endtime -> tp
tp = CompareTime(starttime, endtime);
if (tp.tv_sec > NUM20) {
LOG("ErrInfo: Capset and capget for 200000 times used %d.%d s", tp.tv_sec, tp.tv_nsec);
exitCode = 1;
}
// Step 4: Two sub processes exit with the exitCode
exit(exitCode);
} else {
// Step 5: The parent process wait for the sub process to exit and obtain the exitCode
waitpid(pid, &status, 0);
EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid;
EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_Capability_2600
* @tc.name : Performance test of the interface managed by Capability
* @tc.desc : [C-SECURITY-0100]
*/
HWTEST_F(CapabilityTestSuite, CapabilityTest2600, Performance | MediumTest | Level2)
{
struct timespec tp = { 0 };
struct timespec starttime = { 0 };
struct timespec endtime = { 0 };
tp.tv_sec = 0;
tp.tv_nsec = 0;
// Preset action: Create a txt
CreateTxt();
// Preset action: Obtains the system time -> starttime
clock_gettime(CLOCK_REALTIME, &starttime);
// Step 1: Chown for 10000 times
for (int number = 0; number < NUM1000; number++) {
chown(TOP_DIR "/" CAPDIR0 "/" CAPDIR0_CAPFILE0, number, number);
}
// Step 2: Obtains the system time again -> endtime
clock_gettime(CLOCK_REALTIME, &endtime);
// Step 3: Compare the starttime and the endtime -> tp
tp = CompareTime(starttime, endtime);
EXPECT_LE(tp.tv_sec, NUM80) << "ErrInfo: Chown for 1000 times used " << tp.tv_sec << "." << tp.tv_nsec << "s";
// Cleanup action: Restore the initial status of the file
chown(TOP_DIR "/" CAPDIR0 "/" CAPDIR0_CAPFILE0, UID0, GID0);
}
#endif
security_lite/permission_posix/capability/src/ActsCapabilityTest.h 已删除 100644 → 0
浏览文件 @ ed6da30f
/*
* Copyright (c) 2021 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_CAPABILITY_SRC_ACTSCAPABILITYTEST_H
#define XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_CAPABILITY_SRC_ACTSCAPABILITYTEST_H
#include <cstddef>
#include <sys/stat.h>
constexpr int FALSE = -1;
constexpr int NUM0 = 0;
constexpr int NUM1 = 1;
constexpr int NUM2 = 2;
constexpr int NUM3 = 3;
constexpr int NUM5 = 5;
constexpr int NUM20 = 20;
constexpr int NUM80 = 80;
constexpr int NUM100 = 100;
constexpr int NUM500 = 500;
constexpr int NUM600 = 600;
constexpr int NUM700 = 700;
constexpr int NUM1000 = 1000;
constexpr int NUM3000 = 3000;
constexpr int NUM5000 = 5000;
constexpr int NUM10000 = 10000;
constexpr int INIT_PID = 1;
constexpr int KPROCESS_PID = 2;
constexpr int SHELL_PID = 8;
constexpr int HILOGCAT_PID = 10;
constexpr int FOUNDATION_PID = 3;
constexpr int BUNDLE_DAEMON_PID = 4;
constexpr int APPSPAWN_PID = 5;
constexpr int MEDIA_SERVER_PID = 6;
constexpr int WMS_SERVER_OR_AI_SERVER_PID = 7;
constexpr int HIVIEW_PID = 10;
constexpr int OTHER_PID = 12;
constexpr int INIT_PID_2 = 1;
constexpr int KPROCESS_PID_2 = 2;
constexpr int SHELL_PID_2 = 8;
constexpr int HILOGCAT_PID_2 = 10;
constexpr int FOUNDATION_PID_2 = 3;
constexpr int BUNDLE_DAEMON_PID_2 = 4;
constexpr int APPSPAWN_PID_2 = 5;
constexpr int MEDIA_SERVER_PID_2 = 6;
constexpr int WMS_SERVER_OR_AI_SERVER_PID_2 = 7;
constexpr int HIVIEW_PID_2 = 10;
constexpr int OTHER_PID_2 = 12;
constexpr unsigned int INIT_CAP = 0x02e83def;
constexpr unsigned int KPROCESS_CAP = 0x02e83def;
constexpr unsigned int SHELL_CAP = 0x02e83def;
constexpr unsigned int HILOGCAT_CAP = 0x00000000;
constexpr unsigned int FOUNDATION_CAP = 0x00003c00;
constexpr unsigned int BUNDLE_DAEMON_CAP = 0x00000007;
constexpr unsigned int APPSPAWN_CAP = 0x008009c4;
constexpr unsigned int MEDIA_SERVER_CAP = 0x00000000;
constexpr unsigned int WMS_SERVER_OR_AI_SERVER_CAP = 0x00000000;
constexpr unsigned int HIVIEW_CAP = 0x00000000;
constexpr unsigned int LINUX_FULL_CAP = 0xffffffff;
constexpr unsigned int OHOS_FULL_CAP = 0x02e83def;
constexpr unsigned int NO_CAP = 0x00000000;
constexpr unsigned int ONLY_SETPCAP_CAP = 0x00000100;
constexpr int CAP_NUM = 2;
constexpr int INVALID_CAP_TO_INDEX = 40;
constexpr int MAX_PATH_SIZE = 256;
constexpr int INVAILD_PID = 65536;
constexpr int SLEEP_NUM = 100000;
constexpr int LONG_SLEEP_NUM = 2000000;
constexpr int PID_MAX = 4194305;
constexpr mode_t ZERO = 0000;
constexpr mode_t NORWX = 0001;
constexpr mode_t RWX = 0777;
constexpr uid_t UID0 = 0;
constexpr uid_t UID1 = 1;
constexpr uid_t UID555 = 555;
constexpr uid_t UID1000 = 1000;
constexpr uid_t UID10000 = 10000;
constexpr uid_t UID20000 = 20000;
constexpr gid_t GID0 = 0;
constexpr gid_t GID1 = 1;
constexpr gid_t GID555 = 555;
constexpr gid_t GID1000 = 1000;
constexpr gid_t GID10000 = 10000;
constexpr gid_t GID20000 = 20000;
constexpr gid_t GROUPLIST[NUM3] = { 500, 500, 500 };
constexpr size_t SIZE512 = 512;
// Creating Folders and Files for the Test
#define CAPDIR0 "CAPDIR0" // DIR0/
#define CAPDIR0_CAPFILE0 "CAPDIR0_CAPFILE0" // ├── DIR0_FILE0
#define CAPDIR0_CAPFILE1 "CAPDIR0_CAPFILE1" // ├── DIR0_FILE1
#define CAPDIR0_CAPDIR0 "CAPDIR0_CAPDIR0" // ├── DIR0_DIR0/
#define CAPDIR0_CAPDIR1 "CAPDIR0_CAPDIR1" // └── DIR0_DIR1/
extern "C" {
#define LOG(format, ...) printf("%s:%d:\n" format "\n", __FILE__, __LINE__, ##__VA_ARGS__);
}
void Sigac(int i);
void ChildSleep();
int CapInit();
int DropCAPCHOWN();
int DropCAPDACOVERRIDE();
int DropCAPDACREADSEARCH();
int DropCAPDACOVERRIDEAndREADSEARCH();
int DropCAPFOWNER();
int DropCAPKILL();
int DropCAPSETGID();
int DropCAPSETUID();
int DropCAPSETPCAP();
int DropCAPSYSNICE();
int DropCAPSYSTIME();
int DropAllCAP();
int RemoveDir(const char *dirname);
int SetUidGid(uid_t uid, gid_t gid);
timespec CompareTime(timespec start, timespec end);
char *GetCurrentPath();
int CheckFsMount(const char *topDir, const char *topDirMountInfo);
#endif
security_lite/permission_posix/capability/src/CapabilityFileSystemTest.cpp 已删除 100755 → 0
浏览文件 @ ed6da30f
/*
* Copyright (c) 2021 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "CapabilityFileSystemTest.h"
#include <unistd.h>
#include "ActsCapabilityTest.h"
using namespace testing::ext;
// Preset action of the test suite, which is executed before the first test case
void CapabilityTestSuite::SetUp()
{
// Permission mask preset when creating a file
umask(ZERO);
// Init capabilities
CapInit();
// Initialize the process and set the uid and gid of the process to zero
SetUidGid(UID0, GID0);
// Delete the 'TOP_DIR/CAPDIR0' if the directory exists
RemoveDir(TOP_DIR "/" CAPDIR0);
// Obtain the current working directory of the test code
mCurPath = GetCurrentPath();
// Modify the current working directory of the test code
int ret = chdir(TOP_DIR);
if (ret != 0) {
LOG("ErrInfo: Failed to chdir to %s, ret=%d, errno=%d", TOP_DIR, ret, errno);
}
}
// Test suite cleanup action, which is executed after the last test case
void CapabilityTestSuite::TearDown()
{
// Delete the 'TOP_DIR/CAPDIR0' if the directory exists
RemoveDir(TOP_DIR "/" CAPDIR0);
// Restore the working directory of the test code
int ret = chdir(mCurPath);
if (ret != 0) {
LOG("ErrInfo: Failed to chdir to %s, ret=%d, errno=%d", mCurPath, ret, errno);
}
}
int main(int argc, char *argv[])
{
testing::GTEST_FLAG(output) = "xml:";
testing::InitGoogleTest(&argc, argv);
if (CheckFsMount(TOP_DIR, TOP_DIR_MOUNT_INFO) != 0) {
return 1;
}
return RUN_ALL_TESTS();
}
\ No newline at end of file
security_lite/permission_posix/capability/src/CapabilityFileSystemTest.h 已删除 100755 → 0
浏览文件 @ ed6da30f
/*
* Copyright (c) 2021 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_CAPABILITY_SRC_CAPABILITYFILESYSTEMTEST_H
#define XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_CAPABILITY_SRC_CAPABILITYFILESYSTEMTEST_H
#include <gtest/gtest.h>
class CapabilityTestSuite : public::testing::Test {
protected:
char *mCurPath;
void SetUp();
void TearDown();
};
#endif
\ No newline at end of file
security_lite/permission_posix/capability/vfat/BUILD.gn 已删除 100755 → 0
浏览文件 @ ed6da30f
# Copyright (c) 2021 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import("//build/lite/config/subsystem/aafwk/config.gni")
import("//test/xts/tools/lite/build/suite_lite.gni")
hcpptest_suite("ActsVFATCapabilityTest") {
suite_name = "acts"
sources = [
"../src/ActsCapability.cpp",
"../src/ActsCapabilityTest.cpp",
"../src/CapabilityFileSystemTest.cpp",
]
include_dirs = [
"../src",
"//third_party/bounds_checking_function/include",
]
public_deps = [ "//third_party/bounds_checking_function:libsec_shared" ]
cflags_cc = [
"-Wno-write-strings",
"-Wno-sign-compare",
]
ldflags = [
"-lstdc++",
"-lm",
"-lpthread",
]
if (enable_ohos_appexecfwk_feature_ability == true) {
defines = [
"_BOARD_HI3516_",
"LITE_FS_VFAT",
"TOP_DIR=\"/sdcard\"",
"TOP_DIR_MOUNT_INFO=\"/sdcard vfat\"",
]
} else {
defines = [
"LITE_FS_VFAT",
"TOP_DIR=\"/sdcard\"",
"TOP_DIR_MOUNT_INFO=\"/sdcard vfat\"",
]
}
}
security_lite/permission_posix/capability/vfat/Test.json 已删除 100644 → 0
浏览文件 @ ed6da30f
{
"description": "Config for hcpptest demo test cases",
"environment": [
{
"type": "device",
"label": "ipcamera"
}
],
"kits": [
{
"type": "MountKit",
"server": "NfsServer",
"mount": [
{
"source": "testcases/security",
"target": "/test_root/security"
}
]
}
],
"driver": {
"type": "CppTestLite",
"execute": "/test_root/security/ActsVFATCapabilityTest.bin"
}
}
\ No newline at end of file
security_lite/permission_posix/dac/BUILD.gn 已删除 100755 → 0
浏览文件 @ ed6da30f
# Copyright (c) 2020-2021 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
group("ActsDacTest") {
deps = [ "./vfat:ActsVFATDACTest" ]
}
security_lite/permission_posix/dac/src/ActsDacPreTest.cpp 已删除 100755 → 0
浏览文件 @ ed6da30f
/*
* Copyright (c) 2020-2021 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "ActsDacTest.h"
#include <cstddef>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include "gtest/gtest.h"
#include "ActsCapabilityTest.h"
#include "DACFileSystemTest.h"
using namespace std;
using namespace testing::ext;
#if defined(LITE_FS_VFAT)
static int TestSetUid()
{
// Test the 'setuid' interface
int ret = 0;
uid_t ruid = 0;
uid_t euid = 0;
uid_t suid = 0;
// Step 1: Verify that UID is set to 0
ret = setuid(UID0);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set uid=0, now process uid=%d", getuid());
return FALSE;
}
// To test the function of invoking the setuid interface to set the UID=0
getresuid(&ruid, &euid, &suid);
EXPECT_EQ(ruid, UID0) << "Failed to set ruid=0: ruid=" << ruid;
EXPECT_EQ(euid, UID0) << "Failed to set euid=0: euid=" << euid;
EXPECT_EQ(suid, UID0) << "Failed to set suid=0: suid=" << suid;
// Step 2: Verify that UID is set to 1000
ret = setuid(UID1000);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set uid=1000, now process uid=%d", getuid());
return FALSE;
}
// To test the function of invoking the setuid interface to set the UID=1000
getresuid(&ruid, &euid, &suid);
EXPECT_EQ(ruid, UID1000) << "Failed to set ruid=1000: ruid=" << ruid;
EXPECT_EQ(euid, UID1000) << "Failed to set euid=1000: euid=" << euid;
EXPECT_EQ(suid, UID1000) << "Failed to set suid=1000: suid=" << suid;
// Step 3: Verify that UID is set to 10000
ret = setuid(UID10000);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set uid=10000, now process uid=%d", getuid());
return FALSE;
}
// To test the function of invoking the setuid interface to set the UID=10000
getresuid(&ruid, &euid, &suid);
EXPECT_EQ(ruid, UID10000) << "Failed to set ruid=10000: ruid=" << ruid;
EXPECT_EQ(euid, UID10000) << "Failed to set euid=10000: euid=" << euid;
EXPECT_EQ(suid, UID10000) << "Failed to set suid=10000: suid=" << suid;
// Step 4: Verify that UID is set to 2147483647
ret = setuid(MAX_INT);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set uid=2147483647, now process uid=%d", getuid());
return FALSE;
}
// To test the function of invoking the setuid interface to set the UID=2147483647
getresuid(&ruid, &euid, &suid);
EXPECT_EQ(ruid, MAX_INT) << "Failed to set ruid=2147483647: ruid=" << ruid;
EXPECT_EQ(euid, MAX_INT) << "Failed to set euid=2147483647: euid=" << euid;
EXPECT_EQ(suid, MAX_INT) << "Failed to set suid=2147483647: suid=" << suid;
return 0;
}
static int TestSetREUid()
{
// Test the 'setreuid' interface
int ret = 0;
uid_t ruid = 0;
uid_t euid = 0;
uid_t suid = 0;
// Step 1: Verify that UID is set to 0
ret = setreuid(UID0, UID0);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set uid=0, now process uid=%d", getuid());
return FALSE;
}
// To test the function of invoking the setuid interface to set the UID=0
getresuid(&ruid, &euid, &suid);
EXPECT_EQ(ruid, UID0) << "Failed to set ruid=0: ruid=" << ruid;
EXPECT_EQ(euid, UID0) << "Failed to set euid=0: euid=" << euid;
EXPECT_EQ(suid, UID0) << "Failed to set suid=0: suid=" << suid;
// Step 2: Verify that UID is set to 1000
ret = setreuid(UID1000, UID1000);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set uid=1000, now process uid=%d", getuid());
return FALSE;
}
// To test the function of invoking the setuid interface to set the UID=1000
getresuid(&ruid, &euid, &suid);
EXPECT_EQ(ruid, UID1000) << "Failed to set ruid=1000: ruid=" << ruid;
EXPECT_EQ(euid, UID1000) << "Failed to set euid=1000: euid=" << euid;
EXPECT_EQ(suid, UID1000) << "Failed to set suid=1000: suid=" << suid;
// Step 3: Verify that UID is set to 10000
ret = setreuid(UID10000, UID10000);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set uid=10000, now process uid=%d", getuid());
return FALSE;
}
// To test the function of invoking the setuid interface to set the UID=10000
getresuid(&ruid, &euid, &suid);
EXPECT_EQ(ruid, UID10000) << "Failed to set ruid=10000: ruid=" << ruid;
EXPECT_EQ(euid, UID10000) << "Failed to set euid=10000: euid=" << euid;
EXPECT_EQ(suid, UID10000) << "Failed to set suid=10000: suid=" << suid;
// Step 4: Verify that UID is set to 2147483647
ret = setreuid(MAX_INT, MAX_INT);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set uid=2147483647, now process uid=%d", getuid());
return FALSE;
}
// To test the function of invoking the setuid interface to set the UID=2147483647
getresuid(&ruid, &euid, &suid);
EXPECT_EQ(ruid, MAX_INT) << "Failed to set ruid=2147483647: ruid=" << ruid;
EXPECT_EQ(euid, MAX_INT) << "Failed to set euid=2147483647: euid=" << euid;
EXPECT_EQ(suid, MAX_INT) << "Failed to set suid=2147483647: suid=" << suid;
return 0;
}
static int TestSetRESUid()
{
// Test the 'setresuid' interface
int ret = 0;
uid_t ruid = 0;
uid_t euid = 0;
uid_t suid = 0;
// Step 1: Verify that UID is set to 0
ret = setresuid(UID0, UID0, UID0);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set uid=0, now process uid=%d", getuid());
return FALSE;
}
// To test the function of invoking the setuid interface to set the UID=0
getresuid(&ruid, &euid, &suid);
EXPECT_EQ(ruid, UID0) << "Failed to set ruid=0: ruid=" << ruid;
EXPECT_EQ(euid, UID0) << "Failed to set euid=0: euid=" << euid;
EXPECT_EQ(suid, UID0) << "Failed to set suid=0: suid=" << suid;
// Step 2: Verify that UID is set to 1000
ret = setresuid(UID1000, UID1000, UID1000);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set uid=1000, now process uid=%d", getuid());
return FALSE;
}
// To test the function of invoking the setuid interface to set the UID=1000
getresuid(&ruid, &euid, &suid);
EXPECT_EQ(ruid, UID1000) << "Failed to set ruid=1000: ruid=" << ruid;
EXPECT_EQ(euid, UID1000) << "Failed to set euid=1000: euid=" << euid;
EXPECT_EQ(suid, UID1000) << "Failed to set suid=1000: suid=" << suid;
// Step 3: Verify that UID is set to 10000
ret = setresuid(UID10000, UID10000, UID10000);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set uid=10000, now process uid=%d", getuid());
return FALSE;
}
// To test the function of invoking the setuid interface to set the UID=10000
getresuid(&ruid, &euid, &suid);
EXPECT_EQ(ruid, UID10000) << "Failed to set ruid=10000: ruid=" << ruid;
EXPECT_EQ(euid, UID10000) << "Failed to set euid=10000: euid=" << euid;
EXPECT_EQ(suid, UID10000) << "Failed to set suid=10000: suid=" << suid;
// Step 4: Verify that UID is set to 2147483647
ret = setresuid(MAX_INT, MAX_INT, MAX_INT);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set uid=2147483647, now process uid=%d", getuid());
return FALSE;
}
// To test the function of invoking the setuid interface to set the UID=2147483647
getresuid(&ruid, &euid, &suid);
EXPECT_EQ(ruid, MAX_INT) << "Failed to set ruid=2147483647: ruid=" << ruid;
EXPECT_EQ(euid, MAX_INT) << "Failed to set euid=2147483647: euid=" << euid;
EXPECT_EQ(suid, MAX_INT) << "Failed to set suid=2147483647: suid=" << suid;
return 0;
}
static int TestSetUidAbnormal()
{
// Enter the exception parameter when invoke the 'setuid','setreuid','setresuid' interface
int ret = 0;
uid_t newruid = 0;
uid_t neweuid = 0;
uid_t newsuid = 0;
uid_t ruid = 0;
uid_t euid = 0;
uid_t suid = 0;
// Obtain the ruid, euid, suid of the current process
getresuid(&ruid, &euid, &suid);
// Step 1: Verify that UID is set to -100 with the 'setuid' interface
ret = setuid(ABNORMALINT);
if (ret != FALSE) {
EXPECT_EQ(ret, FALSE);
LOG("ErrInfo: Set uid=-100, now process uid=%d", getuid());
return FALSE;
}
// To test the function of invoking the 'setuid' interface to set the UID=-100
getresuid(&newruid, &neweuid, &newsuid);
EXPECT_EQ(newruid, ruid) << "The value of ruid changes after an invalid parameter is entered: ruid=" << ruid;
EXPECT_EQ(neweuid, euid) << "The value of euid changes after an invalid parameter is entered: euid=" << euid;
EXPECT_EQ(newsuid, suid) << "The value of suid changes after an invalid parameter is entered: suid=" << suid;
// Step 2: Verify that UID is set to -100 with the 'setreuid' interface
ret = setreuid(ABNORMALINT, ABNORMALINT);
if (ret != FALSE) {
EXPECT_EQ(ret, FALSE);
LOG("ErrInfo: Set uid=-100, now process uid=%d", getuid());
return FALSE;
}
// To test the function of invoking the 'setuid' interface to set the UID=-100
getresuid(&newruid, &neweuid, &newsuid);
EXPECT_EQ(newruid, ruid) << "The value of ruid changes after an invalid parameter is entered: ruid=" << ruid;
EXPECT_EQ(neweuid, euid) << "The value of euid changes after an invalid parameter is entered: euid=" << euid;
EXPECT_EQ(newsuid, suid) << "The value of suid changes after an invalid parameter is entered: suid=" << suid;
// Step 3: Verify that UID is set to -100 with the 'setreuid' interface
ret = setresuid(ABNORMALINT, ABNORMALINT, ABNORMALINT);
if (ret != FALSE) {
EXPECT_EQ(ret, FALSE);
LOG("ErrInfo: Set uid=-100, now process uid=%d", getuid());
return FALSE;
}
// To test the function of invoking the 'setuid' interface to set the UID=-100
getresuid(&newruid, &neweuid, &newsuid);
EXPECT_EQ(newruid, ruid) << "The value of ruid changes after an invalid parameter is entered: ruid=" << ruid;
EXPECT_EQ(neweuid, euid) << "The value of euid changes after an invalid parameter is entered: euid=" << euid;
EXPECT_EQ(newsuid, suid) << "The value of suid changes after an invalid parameter is entered: suid=" << suid;
return 0;
}
static int TestSetGid()
{
// Test the 'setgid' interface
int ret = 0;
gid_t rgid = 0;
gid_t egid = 0;
gid_t sgid = 0;
// Step 1: Verify that GID is set to 0
ret = setgid(GID0);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set gid=0, now process gid=%d", getgid());
return FALSE;
}
// To test the function of invoking the setgid interface to set the GID=0
getresgid(&rgid, &egid, &sgid);
EXPECT_EQ(rgid, GID0) << "Failed to set rgid=0: rgid=" << rgid;
EXPECT_EQ(egid, GID0) << "Failed to set egid=0: egid=" << egid;
EXPECT_EQ(sgid, GID0) << "Failed to set sgid=0: sgid=" << sgid;
// Step 2: Verify that GID is set to 1000
ret = setgid(GID1000);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set gid=1000, now process gid=%d", getgid());
return FALSE;
}
// To test the function of invoking the setgid interface to set the GID=1000
getresgid(&rgid, &egid, &sgid);
EXPECT_EQ(rgid, GID1000) << "Failed to set rgid=1000: rgid=" << rgid;
EXPECT_EQ(egid, GID1000) << "Failed to set egid=1000: egid=" << egid;
EXPECT_EQ(sgid, GID1000) << "Failed to set sgid=1000: sgid=" << sgid;
// Step 3: Verify that GID is set to 10000
ret = setgid(GID10000);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set gid=10000, now process gid=%d", getgid());
return FALSE;
}
// To test the function of invoking the setgid interface to set the GID=10000
getresgid(&rgid, &egid, &sgid);
EXPECT_EQ(rgid, GID10000) << "Failed to set rgid=10000: rgid=" << rgid;
EXPECT_EQ(egid, GID10000) << "Failed to set egid=10000: egid=" << egid;
EXPECT_EQ(sgid, GID10000) << "Failed to set sgid=10000: sgid=" << sgid;
// Step 4: Verify that GID is set to 2147483647
ret = setgid(MAX_INT);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set gid=2147483647, now process gid=%d", getgid());
return FALSE;
}
// To test the function of invoking the setgid interface to set the GID=2147483647
getresgid(&rgid, &egid, &sgid);
EXPECT_EQ(rgid, MAX_INT) << "Failed to set rgid=2147483647: rgid=" << rgid;
EXPECT_EQ(egid, MAX_INT) << "Failed to set egid=2147483647: egid=" << egid;
EXPECT_EQ(sgid, MAX_INT) << "Failed to set sgid=2147483647: sgid=" << sgid;
return 0;
}
static int TestSetREGid()
{
// Test the 'setregid' interface
int ret = 0;
gid_t rgid = 0;
gid_t egid = 0;
gid_t sgid = 0;
// Step 1: Verify that GID is set to 0
ret = setregid(GID0, GID0);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set gid=0, now process gid=%d", getgid());
return FALSE;
}
// To test the function of invoking the setgid interface to set the GID=0
getresgid(&rgid, &egid, &sgid);
EXPECT_EQ(rgid, GID0) << "Failed to set rgid=0: rgid=" << rgid;
EXPECT_EQ(egid, GID0) << "Failed to set egid=0: egid=" << egid;
EXPECT_EQ(sgid, GID0) << "Failed to set sgid=0: sgid=" << sgid;
// Step 2: Verify that GID is set to 1000
ret = setregid(GID1000, GID1000);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set gid=1000, now process gid=%d", getgid());
return FALSE;
}
// To test the function of invoking the setgid interface to set the GID=1000
getresgid(&rgid, &egid, &sgid);
EXPECT_EQ(rgid, GID1000) << "Failed to set rgid=1000: rgid=" << rgid;
EXPECT_EQ(egid, GID1000) << "Failed to set egid=1000: egid=" << egid;
EXPECT_EQ(sgid, GID1000) << "Failed to set sgid=1000: sgid=" << sgid;
// Step 3: Verify that GID is set to 10000
ret = setregid(GID10000, GID10000);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set gid=10000, now process gid=%d", getgid());
return FALSE;
}
// To test the function of invoking the setgid interface to set the GID=10000
getresgid(&rgid, &egid, &sgid);
EXPECT_EQ(rgid, GID10000) << "Failed to set rgid=10000: rgid=" << rgid;
EXPECT_EQ(egid, GID10000) << "Failed to set egid=10000: egid=" << egid;
EXPECT_EQ(sgid, GID10000) << "Failed to set sgid=10000: sgid=" << sgid;
// Step 4: Verify that GID is set to 2147483647
ret = setregid(MAX_INT, MAX_INT);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set gid=2147483647, now process gid=%d", getgid());
return FALSE;
}
// To test the function of invoking the setgid interface to set the GID=2147483647
getresgid(&rgid, &egid, &sgid);
EXPECT_EQ(rgid, MAX_INT) << "Failed to set rgid=2147483647: rgid=" << rgid;
EXPECT_EQ(egid, MAX_INT) << "Failed to set egid=2147483647: egid=" << egid;
EXPECT_EQ(sgid, MAX_INT) << "Failed to set sgid=2147483647: sgid=" << sgid;
return 0;
}
static int TestSetRESGid()
{
// Test the 'setresgid' interface
int ret = 0;
gid_t rgid = 0;
gid_t egid = 0;
gid_t sgid = 0;
// Step 1: Verify that GID is set to 0
ret = setresgid(GID0, GID0, GID0);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set gid=0, now process gid=%d", getgid());
return FALSE;
}
// To test the function of invoking the setgid interface to set the GID=0
getresgid(&rgid, &egid, &sgid);
EXPECT_EQ(rgid, GID0) << "Failed to set rgid=0: rgid=" << rgid;
EXPECT_EQ(egid, GID0) << "Failed to set egid=0: egid=" << egid;
EXPECT_EQ(sgid, GID0) << "Failed to set sgid=0: sgid=" << sgid;
// Step 2: Verify that GID is set to 1000
ret = setresgid(GID1000, GID1000, GID1000);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set gid=1000, now process gid=%d", getgid());
return FALSE;
}
// To test the function of invoking the setgid interface to set the GID=1000
getresgid(&rgid, &egid, &sgid);
EXPECT_EQ(rgid, GID1000) << "Failed to set rgid=1000: rgid=" << rgid;
EXPECT_EQ(egid, GID1000) << "Failed to set egid=1000: egid=" << egid;
EXPECT_EQ(sgid, GID1000) << "Failed to set sgid=1000: sgid=" << sgid;
// Step 3: Verify that GID is set to 10000
ret = setresgid(GID10000, GID10000, GID10000);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set gid=10000, now process gid=%d", getgid());
return FALSE;
}
// To test the function of invoking the setgid interface to set the GID=10000
getresgid(&rgid, &egid, &sgid);
EXPECT_EQ(rgid, GID10000) << "Failed to set rgid=10000: rgid=" << rgid;
EXPECT_EQ(egid, GID10000) << "Failed to set egid=10000: egid=" << egid;
EXPECT_EQ(sgid, GID10000) << "Failed to set sgid=10000: sgid=" << sgid;
// Step 4: Verify that GID is set to 2147483647
ret = setresgid(MAX_INT, MAX_INT, MAX_INT);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set gid=2147483647, now process gid=%d", getgid());
return FALSE;
}
// To test the function of invoking the setgid interface to set the GID=2147483647
getresgid(&rgid, &egid, &sgid);
EXPECT_EQ(rgid, MAX_INT) << "Failed to set rgid=2147483647: rgid=" << rgid;
EXPECT_EQ(egid, MAX_INT) << "Failed to set egid=2147483647: egid=" << egid;
EXPECT_EQ(sgid, MAX_INT) << "Failed to set sgid=2147483647: sgid=" << sgid;
return 0;
}
static int TestSetGidAbnormal()
{
// Enter the exception parameter when invoke the 'setgid','setregid','setresgid' interface
int ret = 0;
gid_t newrgid = 0;
gid_t newegid = 0;
gid_t newsgid = 0;
gid_t rgid = 0;
gid_t egid = 0;
gid_t sgid = 0;
// Obtain the rgid, egid, sgid of the current process
getresgid(&rgid, &egid, &sgid);
// Step 1: Verify that GID is set to -100 with the 'setgid' interface
ret = setgid(ABNORMALINT);
if (ret != FALSE) {
EXPECT_EQ(ret, FALSE);
LOG("ErrInfo: Set gid=-100, now process gid=%d", getgid());
return FALSE;
}
// To test the function of invoking the 'setgid' interface to set the GID=-100
getresgid(&newrgid, &newegid, &newsgid);
EXPECT_EQ(newrgid, rgid) << "The value of rgid changes after an invalid parameter is entered: rgid=" << rgid;
EXPECT_EQ(newegid, egid) << "The value of egid changes after an invalid parameter is entered: egid=" << egid;
EXPECT_EQ(newsgid, sgid) << "The value of sgid changes after an invalid parameter is entered: sgid=" << sgid;
// Step 2: Verify that GID is set to -100 with the 'setregid' interface
ret = setregid(ABNORMALINT, ABNORMALINT);
if (ret != FALSE) {
EXPECT_EQ(ret, FALSE);
LOG("ErrInfo: Set gid=-100, now process gid=%d", getgid());
return FALSE;
}
// To test the function of invoking the 'setgid' interface to set the GID=-100
getresgid(&newrgid, &newegid, &newsgid);
EXPECT_EQ(newrgid, rgid) << "The value of rgid changes after an invalid parameter is entered: rgid=" << rgid;
EXPECT_EQ(newegid, egid) << "The value of egid changes after an invalid parameter is entered: egid=" << egid;
EXPECT_EQ(newsgid, sgid) << "The value of sgid changes after an invalid parameter is entered: sgid=" << sgid;
// Step 3: Verify that GID is set to -100 with the 'setregid' interface
ret = setresgid(ABNORMALINT, ABNORMALINT, ABNORMALINT);
if (ret != FALSE) {
EXPECT_EQ(ret, FALSE);
LOG("ErrInfo: Set gid=-100, now process gid=%d", getgid());
return FALSE;
}
// To test the function of invoking the 'setgid' interface to set the GID=-100
getresgid(&newrgid, &newegid, &newsgid);
EXPECT_EQ(newrgid, rgid) << "The value of rgid changes after an invalid parameter is entered: rgid=" << rgid;
EXPECT_EQ(newegid, egid) << "The value of egid changes after an invalid parameter is entered: egid=" << egid;
EXPECT_EQ(newsgid, sgid) << "The value of sgid changes after an invalid parameter is entered: sgid=" << sgid;
return 0;
}
static int TestSetGroups()
{
// Test the 'setgroups' interface
int ret;
gid_t list[SIZE255];
for (size_t num = 0; num < SIZE253; num++) {
list[num] = num;
}
list[SIZE254] = MAX_INT;
ret = setgroups(SIZE255, list);
if (ret != 0) {
EXPECT_EQ(ret, 0);
LOG("ErrInfo: Failed to set groups");
return FALSE;
}
return 0;
}
static void TsetFork(uid_t uid, gid_t gid, size_t size, const gid_t list[])
{
// The sub process inherits the UID, GID, and groups of the parent process
int ret;
int status = 0;
gid_t reallist[SIZE255];
// Preset action: Adjust the UID, GID, and groups of the parent process
ret = setuid(uid);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set uid, now process uid=" << getuid();
ret = setgid(gid);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set gid, now process gid=" << getgid();
setgroups(0, nullptr);
ret = setgroups(size, list);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set groups";
// Preset action: Fork a sub process
pid_t pid = fork();
ASSERT_TRUE(pid >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
if (pid == 0) {
int exitCode = 0;
// Step 1: Inheritance test of sub process UID
uid_t retuid = getuid();
if (retuid != uid) {
LOG("ErrInfo: The sub process UID changes when fork process, now process uid=%d", getuid());
exitCode = 1;
}
// Step 2: Inheritance test of sub process GID
gid_t retgid = getgid();
if (retgid != gid) {
LOG("ErrInfo: The sub process GID changes when fork process, now process gid=%d", getgid());
exitCode = 1;
}
// Step 3: Inheritance test of sub process groups
int retgroups = getgroups(0, reallist);
if (retgroups == FALSE) {
LOG("ErrInfo: Failed to get groups");
exitCode = 1;
}
// Step 4: The sub process exit with the exitCode
exit(exitCode);
} else {
// Step 5: The parent process wait for the sub process to exit and obtain the exitCode
waitpid(pid, &status, 0);
EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid;
EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid;
}
}
static int ChangeSensitiveInformation()
{
int fd = 0;
int ret = 0;
int exitCode = 0;
char dac[] = "DACPreTest!\n";
// Failed to read sensitive information
fd = open("/proc/process", O_WRONLY);
if (fd >= 0) {
ret = write(fd, dac, sizeof(dac));
if (ret != FALSE) {
LOG("ErrInfo: Change sensitive information, ret = %d", ret);
exitCode = 1;
}
close(fd);
}
return exitCode;
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0010
* @tc.name : Invoke the interface to set the process UID
* @tc.desc : [C- SECURITY -0200]
*/
HWTEST_F(DacTestSuite, DACTest0010, Function | MediumTest | Level1)
{
int ret = 0;
uid_t ruid = 0;
uid_t euid = 0;
uid_t suid = 0;
uid_t newruid = 0;
uid_t neweuid = 0;
uid_t newsuid = 0;
// Preset action: Obtain the ruid, euid, suid of the current process
getresuid(&ruid, &euid, &suid);
// Step 1: Test the 'setuid' interface
ret = TestSetUid();
EXPECT_EQ(ret, 0) << "ErrInfo: TestSetUid() exit error";
// Step 2: Test the 'setreuid' interface
ret = TestSetREUid();
EXPECT_EQ(ret, 0) << "ErrInfo: TestSetREUid() exit error";
// Step 3: Test the 'setreuid' interface
ret = TestSetRESUid();
EXPECT_EQ(ret, 0) << "ErrInfo: TestSetRESUid() exit error";
// Step 4: Enter the exception parameter when invoke the 'setuid','setreuid','setresuid' interface
ret = TestSetUidAbnormal();
EXPECT_EQ(ret, 0) << "ErrInfo: TestSetUidAbnormal() exit error";
// Cleanup action: Restore the initial UID of the process
ret = setresuid(ruid, euid, suid);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to restore the initial UID of the process";
getresuid(&newruid, &neweuid, &newsuid);
EXPECT_EQ(newruid, ruid) << "The value of ruid changes after testcase: ruid=" << ruid;
EXPECT_EQ(neweuid, euid) << "The value of euid changes after testcase: euid=" << euid;
EXPECT_EQ(newsuid, suid) << "The value of suid changes after testcase: suid=" << suid;
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0020
* @tc.name : Invoke the interface to set the process GID
* @tc.desc : [C- SECURITY -0200]
*/
HWTEST_F(DacTestSuite, DACTest0020, Function | MediumTest | Level1)
{
int ret = 0;
gid_t rgid = 0;
gid_t egid = 0;
gid_t sgid = 0;
gid_t newrgid = 0;
gid_t newegid = 0;
gid_t newsgid = 0;
// Preset action: Obtain the rgid, egid, sgid of the current process
getresgid(&rgid, &egid, &sgid);
// Step 1: Test the 'setgid' interface
ret = TestSetGid();
EXPECT_EQ(ret, 0) << "ErrInfo: TestSetGid() exit error";
// Step 2: Test the 'setregid' interface
ret = TestSetREGid();
EXPECT_EQ(ret, 0) << "ErrInfo: TestSetREGid() exit error";
// Step 3: Test the 'setregid' interface
ret = TestSetRESGid();
EXPECT_EQ(ret, 0) << "ErrInfo: TestSetRESGid() exit error";
// Step 4: Enter the exception parameter when invoke the 'setgid','setregid','setresgid' interface
ret = TestSetGidAbnormal();
EXPECT_EQ(ret, 0) << "ErrInfo: TestSetGidAbnormal() exit error";
// Cleanup action: Restore the initial GID of the process
ret = setresgid(rgid, egid, sgid);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to restore the initial GID of the process";
getresgid(&newrgid, &newegid, &newsgid);
EXPECT_EQ(newrgid, rgid) << "The value of rgid changes after testcase: rgid=" << rgid;
EXPECT_EQ(newegid, egid) << "The value of egid changes after testcase: egid=" << egid;
EXPECT_EQ(newsgid, sgid) << "The value of sgid changes after testcase: sgid=" << sgid;
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0030
* @tc.name : Invoke the setgroups interface to set the process groups that contain a single GID or an empty value
* @tc.desc : [C- SECURITY -0200]
*/
HWTEST_F(DacTestSuite, DACTest0030, Function | MediumTest | Level1)
{
int ret = 0;
gid_t grouplist[SIZE255];
// Preset action: Obtain the groups of the current process
unsigned int groupsize = getgroups(0, grouplist);
if (groupsize >= 0) {
getgroups(groupsize, grouplist);
// Preset action: Obtain the group lists required for the testcase
gid_t list1[SIZE1] = {1};
gid_t list2[SIZE1] = {MAX_INT};
gid_t list3[SIZE1] = {};
// Step 1: Set the group list to {1}
ret = setgroups(SIZE1, list1);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set the group list to {1}";
// Step 2: Set the group list to {2147483647}
ret = setgroups(SIZE1, list2);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set the group list to {2147483647}";
// Step 3: Set the group list to {}
ret = setgroups(SIZE1, list3);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set the group list to {}";
// Cleanup action: Restore the initial groups of the process
setgroups(0, nullptr);
ret = setgroups(groupsize, grouplist);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to restore the initial groups of the process";
} else {
EXPECT_GE(groupsize, 0) << "ErrInfo: Failed to get groups";
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0040
* @tc.name : Invoke the setgroups interface to set the process groups that contain the same GID
* @tc.desc : [C- SECURITY -0200]
*/
HWTEST_F(DacTestSuite, DACTest0040, Function | MediumTest | Level2)
{
int ret = 0;
gid_t grouplist[SIZE255];
// Preset action: Obtain the groups of the current process
unsigned int groupsize = getgroups(0, grouplist);
if (groupsize >= 0) {
getgroups(groupsize, grouplist);
// Preset action: Obtain the group lists required for the testcase
gid_t list1[SIZE2]={GID0, GID0};
gid_t list2[SIZE2]={GID1, GID1};
gid_t list3[SIZE2]={MAX_INT, MAX_INT};
// Step 1: Set the group list to {0, 0}
ret = setgroups(SIZE2, list1);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set the group list to {0, 0}";
// Step 2: Set the group list to {1, 1}
ret = setgroups(SIZE2, list2);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set the group list to {1, 1}";
// Step 3: Set the group list to {2147483647, 2147483647}
ret = setgroups(SIZE2, list3);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set the group list to {2147483647, 2147483647}";
// Cleanup action: Restore the initial groups of the process
setgroups(0, nullptr);
ret = setgroups(groupsize, grouplist);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to restore the initial groups of the process";
} else {
EXPECT_GE(groupsize, 0) << "ErrInfo: Failed to get groups";
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0050
* @tc.name : Invoke the setgroups interface to set the process groups that contain the duplicate GIDs
* @tc.desc : [C- SECURITY -0200]
*/
HWTEST_F(DacTestSuite, DACTest0050, Function | MediumTest | Level3)
{
int ret = 0;
gid_t grouplist[SIZE255];
// Preset action: Obtain the groups of the current process
unsigned int groupsize = getgroups(0, grouplist);
if (groupsize >= 0) {
getgroups(groupsize, grouplist);
// Preset action: Obtain the group lists required for the testcase
gid_t list1[SIZE3]={GID0, GID0, MAX_INT};
gid_t list2[SIZE3]={GID10000, GID10000, MAX_INT};
gid_t list3[SIZE3]={GID0, MAX_INT, MAX_INT};
// Step 1: Set the group list to {0, 0, 2147483647}
ret = setgroups(SIZE3, list1);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set the group list to {0, 0, 2147483647}";
// Step 2: Set the group list to {10000, 10000, 2147483647}
ret = setgroups(SIZE3, list2);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set the group list to {10000, 10000, 2147483647}";
// Step 3: Set the group list to {0, 2147483647, 2147483647}
ret = setgroups(SIZE3, list3);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set the group list to {0, 2147483647, 2147483647}";
// Cleanup action: Restore the initial groups of the process
setgroups(0, nullptr);
ret = setgroups(groupsize, grouplist);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to restore the initial groups of the process";
} else {
EXPECT_GE(groupsize, 0) << "ErrInfo: Failed to get groups";
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0060
* @tc.name : Invoke the setgroups interface to set the process groups that contain all different GIDs
* @tc.desc : [C- SECURITY -0200]
*/
HWTEST_F(DacTestSuite, DACTest0060, Function | MediumTest | Level3)
{
int ret = 0;
gid_t grouplist[SIZE255];
// Preset action: Obtain the groups of the current process
size_t groupsize = getgroups(0, grouplist);
if (groupsize >= 0) {
getgroups(groupsize, grouplist);
// Preset action: Obtain the group lists required for the testcase
gid_t list0[SIZE255];
for (size_t num0 = 0; num0 < SIZE254; num0++) {
list0[num0] = num0;
}
list0[SIZE254] = MAX_INT;
gid_t list1[INVAILD_SIZE];
for (size_t num1 = 0; num1 < MAX_SIZE; num1++) {
list1[num1] = num1;
}
list1[MAX_SIZE] = MAX_INT;
// Step 1: Set 255 different group lists
ret = setgroups(SIZE255, list0);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to set the group list to {0, 1, 2, ..., 255}";
// Step 2: Set the number of groups that exceed the upper limit
ret = setgroups(INVAILD_SIZE, list1);
EXPECT_EQ(ret, FALSE) << "ErrInfo: Set groups size over max, size=65537";
// Cleanup action: Restore the initial groups of the process
setgroups(0, nullptr);
ret = setgroups(groupsize, grouplist);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to restore the initial groups of the process";
} else {
EXPECT_GE(groupsize, 0) << "ErrInfo: Failed to get groups";
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0070
* @tc.name : Invoke the setuid, gid, and groups interfaces to set the uid, gid,
and groups of processes concurrently
* @tc.desc : [C- SECURITY -0200]
*/
HWTEST_F(DacTestSuite, DACTest0070, Security | MediumTest | Level2)
{
int ret = 0;
int status = 0;
// Preset action: Fork three sub processes
pid_t pid;
for (int num = 0; num < NUM3; num++) {
pid = fork();
ASSERT_TRUE(pid >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
if (pid == 0) {
break;
}
}
// get one parent & three children
if (pid == 0) {
int exitCode = 0;
for (int number = 0; number < NUM3000; number++) {
// Preset action: Initialize the subprocess UID, GID and groups
setuid(0);
setgid(0);
setgroups(0, nullptr);
// Step 1: Test the 'setuid' interface concurrently
ret = TestSetUid();
if (ret != 0) {
LOG("ErrInfo: TestSetUid error during the %d time", number);
exitCode = 1;
break;
}
// Step 2: Test the 'setgid' interface concurrently
ret = TestSetGid();
if (ret != 0) {
LOG("ErrInfo: TestSetGid error during the %d time", number);
exitCode = 1;
break;
}
// Step 2: Test the 'setgroups' interface concurrently
ret = TestSetGroups();
if (ret != 0) {
LOG("ErrInfo: TestSetGroups error during the %d time", number);
exitCode = 1;
break;
}
}
// Step 3: Three sub processes exit with the exitCode
exit(exitCode);
} else {
// Step 4: The parent process wait for three sub processes to exit and obtain the exitCode
for (int num2 = 0; num2 < NUM3; num2++) {
wait(&status);
EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid;
EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: Pid = "<< pid
<< ", its exitCode is wrong and test case failed, please query logs";
}
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0080
* @tc.name : Inheritance of process UID, GID and groups
* @tc.desc : [C- SECURITY -0200]
*/
HWTEST_F(DacTestSuite, DACTest0080, Function | MediumTest | Level2)
{
int ret = 0;
uid_t ruid = 0; uid_t euid = 0; uid_t suid = 0;
uid_t newruid = 0; uid_t neweuid = 0; uid_t newsuid = 0;
gid_t rgid = 0; gid_t egid = 0; gid_t sgid = 0;
gid_t newrgid = 0; gid_t newegid = 0; gid_t newsgid = 0;
gid_t grouplist[SIZE255];
// Preset action: Obtain the ruid, euid, suid of the current process
getresuid(&ruid, &euid, &suid);
// Preset action: Obtain the rgid, egid, sgid of the current process
getresgid(&rgid, &egid, &sgid);
// Preset action: Obtain the groups of the current process
int groupsize = getgroups(0, grouplist);
if (groupsize >= 0) {
getgroups(groupsize, grouplist);
// Preset action: Obtain the group lists required for the testcase
gid_t list1[SIZE1] = {GID10000};
gid_t list2[SIZE1] = {};
gid_t list3[SIZE255];
for (size_t num = 0; num < SIZE254; num++) {
list3[num] = num;
}
list3[SIZE254] = MAX_INT;
// Step 1: Factor combination test of UID, GID, and groups
TsetFork(UID0, GID10000, SIZE1, list1);
TsetFork(UID10000, GID10000, SIZE1, list1);
TsetFork(MAX_INT, GID10000, SIZE1, list1);
TsetFork(UID10000, GID0, SIZE1, list1);
TsetFork(UID10000, MAX_INT, SIZE1, list1);
TsetFork(UID10000, GID10000, SIZE1, list2);
TsetFork(UID10000, GID10000, SIZE255, list3);
// Cleanup action: Restore the initial UID of the process
ret = setresuid(ruid, euid, suid);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to restore the initial UID of the process";
getresuid(&newruid, &neweuid, &newsuid);
EXPECT_EQ(newruid, ruid) << "The value of ruid changes after testcase: ruid=" << ruid;
EXPECT_EQ(neweuid, euid) << "The value of euid changes after testcase: euid=" << euid;
EXPECT_EQ(newsuid, suid) << "The value of suid changes after testcase: suid=" << suid;
// Cleanup action: Restore the initial GID of the process
ret = setresgid(rgid, egid, sgid);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to restore the initial GID of the process";
getresgid(&newrgid, &newegid, &newsgid);
EXPECT_EQ(newrgid, rgid) << "The value of rgid changes after testcase: rgid=" << rgid;
EXPECT_EQ(newegid, egid) << "The value of egid changes after testcase: egid=" << egid;
EXPECT_EQ(newsgid, sgid) << "The value of sgid changes after testcase: sgid=" << sgid;
// Cleanup action: Restore the initial groups of the process
setgroups(0, nullptr);
ret = setgroups(groupsize, grouplist);
EXPECT_EQ(ret, 0) << "ErrInfo: Failed to restore the initial groups of the process";
} else {
EXPECT_GE(groupsize, 0) << "ErrInfo: Failed to get groups";
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0120
* @tc.name : Failed to use the third-party app UID to change sensitive information
* @tc.desc : [C- SECURITY -0200]
*/
HWTEST_F(DacTestSuite, DACTest0120, Security | MediumTest | Level2)
{
int ret = 0;
int status = 0;
// Preset action: Fork a sub process
pid_t pid = fork();
ASSERT_TRUE(pid >= 0) << "======== Fork Error! =========";
usleep(SLEEP_NUM);
if (pid == 0) {
int exitCode = 0;
// Step 1: Set the process uid and gid to the third-party application uid and gid
ret = SetUidGid(UID20000, GID20000);
if (ret != 0) {
LOG("ErrInfo: Failed to set the process uid and gid");
exitCode = 1;
}
// Step 2: Drop all the sub process capabilities
ret = DropAllCAP();
if (ret != 0) {
LOG("ErrInfo: Failed to drop all the sub process capabilities");
exitCode = 1;
}
// Step 3: Failed to change sensitive information
ret = ChangeSensitiveInformation();
if (ret != 0) {
LOG("ErrInfo: change sensitive information");
exitCode = 1;
}
// Step 4: The sub process exit with the exitCode
exit(exitCode);
} else {
// Step 5: The parent process wait for the sub process to exit and obtain the exitCode
waitpid(pid, &status, 0);
EXPECT_NE(WIFEXITED(status), 0) << "ErrInfo: The sub process exit error, child_pid = " << pid;
EXPECT_EQ(WEXITSTATUS(status), 0) << "ErrInfo: The exitCode is wrong, please query logs, child_pid = " << pid;
}
}
/*
* @tc.number : SUB_SEC_AppSEC_PermissionMgmt_DAC_0130
* @tc.name : Performance test of the setuid, setgid and setgroups interface
* @tc.desc : [C- SECURITY -0200]
*/
HWTEST_F(DacTestSuite, DACTest0130, Performance | MediumTest | Level2)
{
struct timespec tp = { 0 };
struct timespec starttime = { 0 };
struct timespec endtime = { 0 };
tp.tv_sec = 0;
tp.tv_nsec = 0;
// Preset action: Obtain the group lists required for the testcase
gid_t list[SIZE255];
for (size_t num = 0; num < SIZE253; num++) {
list[num] = num;
}
// Preset action: Obtains the system time -> starttime
clock_gettime(CLOCK_REALTIME, &starttime);
for (int number = 0; number < NUM10000; number++) {
list[SIZE254] = number;
// Step 1.1: Setuid for 10000 times
setuid(number);
// Step 1.2: Setgid for 10000 times
setgid(number);
// Step 1.3: Setgroups for 10000 times
setgroups(SIZE255, list);
}
// Step 2: Obtains the system time again -> endtime
clock_gettime(CLOCK_REALTIME, &endtime);
// Step 3: Compare the starttime and the endtime -> tp
tp = CompareTime(starttime, endtime);
EXPECT_LE(tp.tv_sec, NUM20) << "ErrInfo: Chown for 10000 times used " << tp.tv_sec << "." << tp.tv_nsec << "s";
// Cleanup action: Restore the uid, gid and groups of the process to zero
SetUidGid(UID0, GID0);
setgroups(0, nullptr);
}
#endif
security_lite/permission_posix/dac/src/ActsDacTest.h 已删除 100755 → 0
浏览文件 @ ed6da30f
/*
* Copyright (c) 2020-2021 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_DAC_SRC_ACTSDACTEST_H
#define XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_DAC_SRC_ACTSDACTEST_H
#include <cstddef>
#include <sys/stat.h>
constexpr int ABNORMALINT = -100;
constexpr int SINGLESIZE = 1;
constexpr unsigned int MAX_INT = 2147483647;
constexpr size_t SIZE1 = 1;
constexpr size_t SIZE2 = 2;
constexpr size_t SIZE3 = 3;
constexpr size_t SIZE253 = 253;
constexpr size_t SIZE254 = 254;
constexpr size_t SIZE255 = 255;
constexpr size_t MAX_SIZE = 65536;
constexpr size_t INVAILD_SIZE = 65537;
constexpr mode_t CHMOD000 = 0000;
constexpr mode_t CHMOD013 = 0013;
constexpr mode_t CHMOD016 = 0016;
constexpr mode_t CHMOD027 = 0027;
constexpr mode_t CHMOD031 = 0031;
constexpr mode_t CHMOD044 = 0044;
constexpr mode_t CHMOD045 = 0045;
constexpr mode_t CHMOD052 = 0052;
constexpr mode_t CHMOD063 = 0063;
constexpr mode_t CHMOD074 = 0074;
constexpr mode_t CHMOD076 = 0076;
constexpr mode_t CHMOD077 = 0077;
constexpr mode_t CHMOD105 = 0105;
constexpr mode_t CHMOD111 = 0111;
constexpr mode_t CHMOD116 = 0116;
constexpr mode_t CHMOD120 = 0120;
constexpr mode_t CHMOD123 = 0123;
constexpr mode_t CHMOD124 = 0124;
constexpr mode_t CHMOD132 = 0132;
constexpr mode_t CHMOD143 = 0143;
constexpr mode_t CHMOD151 = 0151;
constexpr mode_t CHMOD166 = 0166;
constexpr mode_t CHMOD167 = 0167;
constexpr mode_t CHMOD175 = 0175;
constexpr mode_t CHMOD203 = 0203;
constexpr mode_t CHMOD210 = 0210;
constexpr mode_t CHMOD222 = 0222;
constexpr mode_t CHMOD230 = 0230;
constexpr mode_t CHMOD235 = 0235;
constexpr mode_t CHMOD241 = 0241;
constexpr mode_t CHMOD242 = 0242;
constexpr mode_t CHMOD256 = 0256;
constexpr mode_t CHMOD257 = 0257;
constexpr mode_t CHMOD261 = 0261;
constexpr mode_t CHMOD274 = 0274;
constexpr mode_t CHMOD305 = 0305;
constexpr mode_t CHMOD306 = 0306;
constexpr mode_t CHMOD310 = 0310;
constexpr mode_t CHMOD312 = 0312;
constexpr mode_t CHMOD325 = 0325;
constexpr mode_t CHMOD333 = 0333;
constexpr mode_t CHMOD334 = 0334;
constexpr mode_t CHMOD342 = 0342;
constexpr mode_t CHMOD347 = 0347;
constexpr mode_t CHMOD354 = 0354;
constexpr mode_t CHMOD362 = 0362;
constexpr mode_t CHMOD371 = 0371;
constexpr mode_t CHMOD401 = 0401;
constexpr mode_t CHMOD406 = 0406;
constexpr mode_t CHMOD407 = 0407;
constexpr mode_t CHMOD415 = 0415;
constexpr mode_t CHMOD422 = 0422;
constexpr mode_t CHMOD430 = 0430;
constexpr mode_t CHMOD444 = 0444;
constexpr mode_t CHMOD446 = 0446;
constexpr mode_t CHMOD453 = 0453;
constexpr mode_t CHMOD456 = 0456;
constexpr mode_t CHMOD457 = 0457;
constexpr mode_t CHMOD460 = 0460;
constexpr mode_t CHMOD473 = 0473;
constexpr mode_t CHMOD507 = 0507;
constexpr mode_t CHMOD511 = 0511;
constexpr mode_t CHMOD521 = 0521;
constexpr mode_t CHMOD526 = 0526;
constexpr mode_t CHMOD536 = 0536;
constexpr mode_t CHMOD543 = 0543;
constexpr mode_t CHMOD555 = 0555;
constexpr mode_t CHMOD560 = 0560;
constexpr mode_t CHMOD562 = 0562;
constexpr mode_t CHMOD564 = 0564;
constexpr mode_t CHMOD570 = 0570;
constexpr mode_t CHMOD604 = 0604;
constexpr mode_t CHMOD611 = 0611;
constexpr mode_t CHMOD614 = 0614;
constexpr mode_t CHMOD623 = 0623;
constexpr mode_t CHMOD637 = 0637;
constexpr mode_t CHMOD640 = 0640;
constexpr mode_t CHMOD655 = 0655;
constexpr mode_t CHMOD657 = 0657;
constexpr mode_t CHMOD665 = 0665;
constexpr mode_t CHMOD666 = 0666;
constexpr mode_t CHMOD670 = 0670;
constexpr mode_t CHMOD671 = 0671;
constexpr mode_t CHMOD672 = 0672;
constexpr mode_t CHMOD700 = 0700;
constexpr mode_t CHMOD702 = 0702;
constexpr mode_t CHMOD703 = 0703;
constexpr mode_t CHMOD712 = 0712;
constexpr mode_t CHMOD716 = 0716;
constexpr mode_t CHMOD717 = 0717;
constexpr mode_t CHMOD724 = 0724;
constexpr mode_t CHMOD731 = 0731;
constexpr mode_t CHMOD743 = 0743;
constexpr mode_t CHMOD750 = 0750;
constexpr mode_t CHMOD765 = 0765;
constexpr mode_t CHMOD777 = 0777;
// Creating Folders and Files for the Test
#define DACDIR0 "DACDIR0" // DIR0/
#define DACDIR0_DACFILE0 "DACDIR0_DACFILE0" // ├── DIR0_FILE0
#define DACDIR0_DACFILE1 "DACDIR0_DACFILE1" // ├── DIR0_FILE1
#define DACDIR0_DACDIR0 "DACDIR0_DACDIR0" // ├── DIR0_DIR0/
#define DACDIR0_DACDIR0_DACDIR0 "DACDIR0_DACDIR0_DACDIR0" // | └── DIR0_DIR0_DIR0/
#define DACDIR0_DACDIR1 "DACDIR0_DACDIR1" // └── DIR0_DIR1/
#define DACDIR1 "DACDIR1" // DIR1/
#define DACDIR1_DACFILE0 "DACDIR1_DACFILE0" // ├── DIR1_FILE0
#define DACDIR1_DACDIR0 "DACDIR1_DACDIR0" // └── DIR1_DIR0/
#endif
\ No newline at end of file
security_lite/permission_posix/dac/src/DACFileSystemTest.cpp 已删除 100755 → 0
浏览文件 @ ed6da30f
/*
* Copyright (c) 2021 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "DACFileSystemTest.h"
#include <unistd.h>
#include "ActsCapabilityTest.h"
#include "ActsDacTest.h"
using namespace testing::ext;
// Preset action of the test suite, which is executed before the first test case
void DacTestSuite::SetUp()
{
// Permission mask preset when creating a file
umask(ZERO);
// Init capabilities
CapInit();
// Initialize the process and set the uid and gid of the process to zero
SetUidGid(UID0, GID0);
// Delete the the directory if exists
RemoveDir(TOP_DIR "/" DACDIR0);
RemoveDir(TOP_DIR "/" DACDIR1);
RemoveDir("/storage/" DACDIR0);
// Obtain the current working directory of the test code
mCurPath = GetCurrentPath();
// Modify the current working directory of the test code
int ret = chdir(TOP_DIR);
if (ret != 0) {
LOG("ErrInfo: Failed to chdir to %s, ret=%d, errno=%d", TOP_DIR, ret, errno);
}
}
// Test suite cleanup action, which is executed after the last test case
void DacTestSuite::TearDown()
{
// Delete the the directory if exists
RemoveDir(TOP_DIR "/" DACDIR0);
RemoveDir(TOP_DIR "/" DACDIR1);
RemoveDir("/storage/" DACDIR0);
// Initialize the process and set the uid and gid of the process to zero
SetUidGid(UID0, GID0);
// Restore the working directory of the test code
int ret = chdir(mCurPath);
if (ret != 0) {
LOG("ErrInfo: Failed to chdir to %s, ret=%d, errno=%d", mCurPath, ret, errno);
}
}
int main(int argc, char *argv[])
{
testing::GTEST_FLAG(output) = "xml:";
testing::InitGoogleTest(&argc, argv);
if (CheckFsMount(TOP_DIR, TOP_DIR_MOUNT_INFO) != 0) {
return 1;
}
return RUN_ALL_TESTS();
}
\ No newline at end of file
security_lite/permission_posix/dac/src/DACFileSystemTest.h 已删除 100755 → 0
浏览文件 @ ed6da30f
/*
* Copyright (c) 2021 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_DAC_SRC_DACTFILESYSTEMTEST_H
#define XTS_ACTS_SECURITY_LITE_PERMISSSION_POSIX_DAC_SRC_DACTFILESYSTEMTEST_H
#include <gtest/gtest.h>
class DacTestSuite : public::testing::Test {
protected:
char *mCurPath;
void SetUp();
void TearDown();
};
#endif
\ No newline at end of file
security_lite/permission_posix/dac/vfat/BUILD.gn 已删除 100755 → 0
浏览文件 @ ed6da30f
# Copyright (c) 2021 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import("//test/xts/tools/lite/build/suite_lite.gni")
hcpptest_suite("ActsVFATDACTest") {
suite_name = "acts"
sources = [
"../src/ActsDacPreTest.cpp",
"../src/DACFileSystemTest.cpp",
]
include_dirs = [
"../src",
"../../capability/src",
"//third_party/bounds_checking_function/include",
]
public_deps = [
"../../capability:capability_shared",
"//third_party/bounds_checking_function:libsec_shared",
]
cflags_cc = [
"-Wno-write-strings",
"-Wno-sign-compare",
]
ldflags = [
"-lstdc++",
"-lm",
"-lpthread",
]
defines = [
"LITE_FS_VFAT",
"TOP_DIR=\"/sdcard\"",
"TOP_DIR_MOUNT_INFO=\"/sdcard vfat\"",
]
}
security_lite/permission_posix/dac/vfat/Test.json 已删除 100644 → 0
浏览文件 @ ed6da30f
{
"description": "Config for hcpptest demo test cases",
"environment": [
{
"type": "device",
"label": "ipcamera"
}
],
"kits": [
{
"type": "MountKit",
"server": "NfsServer",
"mount": [
{
"source": "testcases/security",
"target": "/test_root/security"
}
]
}
],
"driver": {
"type": "CppTestLite",
"execute": "/test_root/security/ActsVFATDACTest.bin"
}
}
\ No newline at end of file
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册