1 #include <dpl/test/test_runner.h>
6 #include <unordered_set>
7 #include <sys/capability.h>
9 #include <sys/socket.h>
11 #include <attr/xattr.h>
12 #include <linux/xattr.h>
17 #include <libprivilege-control_test_common.h>
18 #include <tests_common.h>
20 #include <security-manager.h>
22 #include <cynara_test_client.h>
24 DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
25 DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr);
27 static const char *const SM_APP_ID1 = "sm_test_app_id_double";
28 static const char *const SM_PKG_ID1 = "sm_test_pkg_id_double";
30 static const char *const SM_APP_ID2 = "sm_test_app_id_full";
31 static const char *const SM_PKG_ID2 = "sm_test_pkg_id_full";
33 static const char *const SM_APP_ID3 = "sm_test_app_id_uid";
34 static const char *const SM_PKG_ID3 = "sm_test_pkg_id_uid";
36 static const privileges_t SM_ALLOWED_PRIVILEGES = {
37 "security_manager_test_rules2_r",
38 "security_manager_test_rules2_no_r"
41 static const privileges_t SM_DENIED_PRIVILEGES = {
42 "security_manager_test_rules1",
43 "security_manager_test_rules2"
46 static const privileges_t SM_NO_PRIVILEGES = {
49 static const std::vector<std::string> SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"};
51 static const char *const SM_PRIVATE_PATH = "/usr/apps/test_DIR/app_dir";
52 static const char *const SM_PUBLIC_RO_PATH = "/usr/apps/test_DIR/app_dir_public_ro";
53 static const char *const SM_DENIED_PATH = "/usr/apps/test_DIR/non_app_dir";
54 static const char *const SM_PRIVATE_PATH_FOR_USER = "/home/" APP_USER "/test_DIR";
55 static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
57 static void generateAppLabel(const std::string &pkgId, std::string &label)
63 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
64 const char* correctLabel, bool transmute_test, bool exec_test)
68 char* label = nullptr;
71 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
72 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
73 labelPtr.reset(label);
74 RUNNER_ASSERT_MSG(label != nullptr, "ACCESS label on " << fpath << " is not set");
75 result = strcmp(correctLabel, label);
76 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"
77 " (should be '" << correctLabel << "' and is '" << label << "')");
81 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
82 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
83 labelPtr.reset(label);
85 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
86 RUNNER_ASSERT_MSG(label != nullptr, "EXEC label on " << fpath << " is not set");
87 result = strcmp(correctLabel, label);
88 RUNNER_ASSERT_MSG(result == 0, "Incorrect EXEC label on executable file " << fpath);
90 RUNNER_ASSERT_MSG(label == nullptr, "EXEC label on " << fpath << " is set");
94 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
95 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
96 labelPtr.reset(label);
98 if (S_ISDIR(sb->st_mode) && transmute_test == true) {
99 RUNNER_ASSERT_MSG(label != nullptr, "TRANSMUTE label on " << fpath << " is not set at all");
100 RUNNER_ASSERT_MSG(strcmp(label,"TRUE") == 0,
101 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
103 RUNNER_ASSERT_MSG(label == nullptr, "TRANSMUTE label on " << fpath << " is set");
110 static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
111 int /*typeflag*/, struct FTW* /*ftwbuf*/)
113 return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
116 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
117 int /*typeflag*/, struct FTW* /*ftwbuf*/)
120 return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
123 static app_inst_req* do_app_inst_req_new()
126 app_inst_req *req = nullptr;
128 result = security_manager_app_inst_req_new(&req);
129 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
130 "creation of new request failed. Result: " << result);
131 RUNNER_ASSERT_MSG(req != nullptr, "creation of new request did not allocate memory");
135 static void prepare_app_path()
139 result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
140 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
142 result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
143 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
145 result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
146 RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
149 static void prepare_app_env()
154 /* TODO: add parameters to this function */
155 static void check_app_path_after_install()
159 result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
160 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
162 result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
163 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
165 result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
166 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
170 static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
171 const privileges_t &allowed_privs, const privileges_t &denied_privs)
174 std::string smackLabel;
175 generateAppLabel(pkg_id, smackLabel);
177 CynaraTestClient::Client ctc;
179 for (auto &priv : allowed_privs) {
180 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_ALLOWED);
183 for (auto &priv : denied_privs) {
184 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED);
188 static void check_app_gids(const char *const app_id, const std::vector<gid_t> &allowed_gids)
191 gid_t main_gid = getgid();
192 std::unordered_set<gid_t> reference_gids(allowed_gids.begin(), allowed_gids.end());
194 // Reset supplementary groups
195 ret = setgroups(0, NULL);
196 RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
198 ret = security_manager_set_process_groups_from_appid(app_id);
199 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS,
200 "security_manager_set_process_groups_from_appid(" <<
201 app_id << ") failed. Result: " << ret);
203 ret = getgroups(0, nullptr);
204 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
206 std::vector<gid_t> actual_gids(ret);
207 ret = getgroups(ret, actual_gids.data());
208 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
210 for (const auto &gid : actual_gids) {
211 RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0,
212 "Application shouldn't get access to group " << gid);
213 reference_gids.erase(gid);
216 RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups");
219 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
220 const privileges_t &allowed_privs,
221 const privileges_t &denied_privs,
222 const std::vector<std::string> &allowed_groups)
224 TestSecurityManagerDatabase dbtest;
225 dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
226 dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
228 /*Privileges should be granted to all users if root installs app*/
229 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
231 /* Setup mapping of gids to privileges */
232 /* Do this for each privilege for extra check */
233 for (const auto &privilege : allowed_privs) {
234 dbtest.setup_privilege_groups(privilege, allowed_groups);
237 std::vector<gid_t> allowed_gids;
239 for (const auto &groupName : allowed_groups) {
241 struct group* grp = getgrnam(groupName.c_str());
242 RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found");
243 allowed_gids.push_back(grp->gr_gid);
246 check_app_gids(app_id, allowed_gids);
249 static void check_app_after_install(const char *const app_id, const char *const pkg_id)
251 TestSecurityManagerDatabase dbtest;
252 dbtest.test_db_after__app_install(app_id, pkg_id);
255 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
256 const privileges_t &privileges, const bool is_pkg_removed)
258 TestSecurityManagerDatabase dbtest;
259 dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
262 /*Privileges should not be granted anymore to any user*/
263 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges);
266 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
267 const bool is_pkg_removed)
269 TestSecurityManagerDatabase dbtest;
270 dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
273 static void install_app(const char *app_id, const char *pkg_id)
276 AppInstReqUniquePtr request;
277 request.reset(do_app_inst_req_new());
279 result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
280 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
281 "setting app id failed. Result: " << result);
283 result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
284 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
285 "setting pkg id failed. Result: " << result);
287 result = security_manager_app_install(request.get());
288 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
289 "installing app failed. Result: " << result);
291 check_app_after_install(app_id, pkg_id);
295 static void uninstall_app(const char *app_id, const char *pkg_id,
296 bool expect_installed, bool expect_pkg_removed)
299 AppInstReqUniquePtr request;
300 request.reset(do_app_inst_req_new());
302 result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
303 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
304 "setting app id failed. Result: " << result);
306 result = security_manager_app_uninstall(request.get());
307 RUNNER_ASSERT_MSG(!expect_installed || (lib_retcode)result == SECURITY_MANAGER_SUCCESS,
308 "uninstalling app failed. Result: " << result);
310 check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed);
314 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
317 RUNNER_TEST(security_manager_01_app_double_install_double_uninstall)
320 AppInstReqUniquePtr request;
322 request.reset(do_app_inst_req_new());
324 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
325 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
326 "setting app id failed. Result: " << result);
328 result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID1);
329 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
330 "setting pkg id failed. Result: " << result);
332 result = security_manager_app_install(request.get());
333 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
334 "installing app failed. Result: " << result);
336 result = security_manager_app_install(request.get());
337 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
338 "installing already installed app failed. Result: " << result);
340 /* Check records in the security-manager database */
341 check_app_after_install(SM_APP_ID1, SM_PKG_ID1);
343 request.reset(do_app_inst_req_new());
345 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
346 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
347 "setting app id failed. Result: " << result);
349 result = security_manager_app_uninstall(request.get());
350 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
351 "uninstalling app failed. Result: " << result);
353 result = security_manager_app_uninstall(request.get());
354 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
355 "uninstalling already uninstalled app failed. Result: " << result);
357 /* Check records in the security-manager database */
358 check_app_after_uninstall(SM_APP_ID1, SM_PKG_ID1, TestSecurityManagerDatabase::REMOVED);
361 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
364 AppInstReqUniquePtr request;
368 request.reset(do_app_inst_req_new());
370 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
371 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
372 "setting app id failed. Result: " << result);
374 result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID2);
375 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
376 "setting pkg id failed. Result: " << result);
378 result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[0].c_str());
379 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
380 "setting allowed permission failed. Result: " << result);
381 result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[1].c_str());
382 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
383 "setting allowed permission failed. Result: " << result);
385 result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH,
386 SECURITY_MANAGER_PATH_PRIVATE);
387 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
388 "setting allowed path failed. Result: " << result);
390 result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH,
391 SECURITY_MANAGER_PATH_PUBLIC_RO);
392 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
393 "setting allowed path failed. Result: " << result);
395 result = security_manager_app_install(request.get());
396 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
397 "installing app failed. Result: " << result);
399 /* Check records in the security-manager database */
400 check_app_after_install(SM_APP_ID2, SM_PKG_ID2,
401 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
403 /* TODO: add parameters to this function */
404 check_app_path_after_install();
406 request.reset(do_app_inst_req_new());
408 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
409 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
410 "setting app id failed. Result: " << result);
412 result = security_manager_app_uninstall(request.get());
413 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
414 "uninstalling app failed. Result: " << result);
416 /* Check records in the security-manager database,
417 * all previously allowed privileges should be removed */
418 check_app_after_uninstall(SM_APP_ID2, SM_PKG_ID2,
419 SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
422 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
424 const char *const app_id = "sm_test_app_id_set_label_from_appid";
425 const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
426 const char *const expected_label = USER_APP_ID;
427 const char *const socketLabel = "not_expected_label";
428 char *label = nullptr;
432 uninstall_app(app_id, pkg_id, false, true);
433 install_app(app_id, pkg_id);
435 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
436 //Clean up before creating socket
438 int sock = socket(AF_UNIX, SOCK_STREAM, 0);
439 RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
440 SockUniquePtr sockPtr(&sock);
441 //Bind socket to address
442 result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
443 RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
444 //Set socket label to something different than expecedLabel
445 result = fsetxattr(sock, XATTR_NAME_SMACKIPIN, socketLabel,
446 strlen(socketLabel), 0);
447 RUNNER_ASSERT_ERRNO_MSG(result == 0,
448 "Can't set socket label. Result: " << result);
449 result = fsetxattr(sock, XATTR_NAME_SMACKIPOUT, socketLabel,
450 strlen(socketLabel), 0);
451 RUNNER_ASSERT_ERRNO_MSG(result == 0,
452 "Can't set socket label. Result: " << result);
454 result = security_manager_set_process_label_from_appid(app_id);
455 RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
456 "security_manager_set_process_label_from_appid(" <<
457 app_id << ") failed. Result: " << result);
459 char value[SMACK_LABEL_LEN + 1];
461 size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value));
462 RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
463 result = strcmp(expected_label, value);
464 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
465 expected_label << " Actual: " << value);
467 size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value));
468 RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
469 result = strcmp(expected_label, value);
470 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
471 expected_label << " Actual: " << value);
473 result = smack_new_label_from_self(&label);
474 RUNNER_ASSERT_MSG(result >= 0,
475 " Error getting current process label");
476 RUNNER_ASSERT_MSG(label != nullptr,
477 " Process label is not set");
478 labelPtr.reset(label);
480 result = strcmp(expected_label, label);
481 RUNNER_ASSERT_MSG(result == 0,
482 " Process label is incorrect. Expected: \"" << expected_label <<
483 "\" Actual: \"" << label << "\"");
485 uninstall_app(app_id, pkg_id, true, true);
488 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
490 const char *const app_id = "sm_test_app_id_set_label_from_appid";
491 const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
494 uninstall_app(app_id, pkg_id, false, true);
495 install_app(app_id, pkg_id);
497 result = security_manager_set_process_label_from_appid(app_id);
498 RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
499 "security_manager_set_process_label_from_appid(" <<
500 app_id << ") failed. Result: " << result);
502 uninstall_app(app_id, pkg_id, true, true);
507 static void prepare_request(AppInstReqUniquePtr &request,
508 const char *const app_id,
509 const char *const pkg_id,
510 app_install_path_type pathType,
511 const char *const path)
514 request.reset(do_app_inst_req_new());
516 result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
517 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
518 "setting app id failed. Result: " << result);
520 result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
521 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
522 "setting pkg id failed. Result: " << result);
524 result = security_manager_app_inst_req_add_path(request.get(), path, pathType);
525 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
526 "setting allowed path failed. Result: " << result);
530 static struct passwd* get_app_pw()
532 struct passwd *pw = nullptr;
534 while(!(pw = getpwnam(APP_USER))) {
535 RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
540 RUNNER_CHILD_TEST(security_manager_04_app_install_uninstall_by_app_user)
543 AppInstReqUniquePtr request;
544 struct passwd *pw = get_app_pw();
545 const std::string user = std::to_string(static_cast<unsigned int>(pw->pw_uid));
547 //switch user to non-root
548 result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
549 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
551 //install app as non-root user and try to register public path (should fail)
552 prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PUBLIC, SM_PRIVATE_PATH_FOR_USER);
554 result = security_manager_app_install(request.get());
555 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
556 "installing app not failed. Result: " << result);
558 //install app as non-root user
559 //should fail (non-root users may only register folders inside their home)
560 prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH);
562 result = security_manager_app_install(request.get());
563 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
564 "installing app not failed. Result: " << result);
566 //install app as non-root user
567 //should succeed - this time i register folder inside user's home dir
568 prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH_FOR_USER);
570 for (auto &privilege : SM_ALLOWED_PRIVILEGES) {
571 result = security_manager_app_inst_req_add_privilege(request.get(), privilege.c_str());
572 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
573 "setting allowed permission failed. Result: " << result);
576 result = security_manager_app_install(request.get());
577 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
578 "installing app failed. Result: " << result);
580 check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
582 //uninstall app as non-root user
583 request.reset(do_app_inst_req_new());
585 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID3);
586 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
587 "setting app id failed. Result: " << result);
589 result = security_manager_app_uninstall(request.get());
590 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
591 "uninstalling app failed. Result: " << result);
593 check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
596 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
599 CapsSetsUniquePtr caps, caps_empty(cap_init());
601 caps.reset(cap_from_text("all=eip"));
602 RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text");
603 result = cap_set_proc(caps.get());
604 RUNNER_ASSERT_MSG(result == 0,
605 "can't set capabilities. Result: " << result);
607 result = security_manager_drop_process_privileges();
608 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
609 "dropping caps failed. Result: " << result);
611 caps.reset(cap_get_proc());
612 RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
614 result = cap_compare(caps.get(), caps_empty.get());
615 RUNNER_ASSERT_MSG(result == 0,
616 "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
619 int main(int argc, char *argv[])
621 return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);