1 #include <dpl/test/test_runner.h>
6 #include <unordered_set>
7 #include <sys/capability.h>
9 #include <sys/socket.h>
11 #include <attr/xattr.h>
12 #include <linux/xattr.h>
17 #include <libprivilege-control_test_common.h>
18 #include <tests_common.h>
20 #include <security-manager.h>
23 #include <sm_request.h>
24 #include <cynara_test_client.h>
26 using namespace SecurityManagerTest;
28 DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr);
30 static const privileges_t SM_ALLOWED_PRIVILEGES = {
31 "security_manager_test_rules2_r",
32 "security_manager_test_rules2_no_r"
35 static const privileges_t SM_DENIED_PRIVILEGES = {
36 "security_manager_test_rules1",
37 "security_manager_test_rules2"
40 static const privileges_t SM_NO_PRIVILEGES = {
43 static const std::vector<std::string> SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"};
45 static const char *const SM_PRIVATE_PATH = "/usr/apps/test_DIR/app_dir";
46 static const char *const SM_PUBLIC_RO_PATH = "/usr/apps/test_DIR/app_dir_public_ro";
47 static const char *const SM_DENIED_PATH = "/usr/apps/test_DIR/non_app_dir";
48 static const char *const SM_PRIVATE_PATH_FOR_USER = "/home/" APP_USER "/test_DIR";
49 static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
51 static void generateAppLabel(const std::string &pkgId, std::string &label)
57 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
58 const char* correctLabel, bool transmute_test, bool exec_test)
62 char* label = nullptr;
65 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
66 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
67 labelPtr.reset(label);
68 RUNNER_ASSERT_MSG(label != nullptr, "ACCESS label on " << fpath << " is not set");
69 result = strcmp(correctLabel, label);
70 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"
71 " (should be '" << correctLabel << "' and is '" << label << "')");
75 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
76 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
77 labelPtr.reset(label);
79 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
80 RUNNER_ASSERT_MSG(label != nullptr, "EXEC label on " << fpath << " is not set");
81 result = strcmp(correctLabel, label);
82 RUNNER_ASSERT_MSG(result == 0, "Incorrect EXEC label on executable file " << fpath);
84 RUNNER_ASSERT_MSG(label == nullptr, "EXEC label on " << fpath << " is set");
88 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
89 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
90 labelPtr.reset(label);
92 if (S_ISDIR(sb->st_mode) && transmute_test == true) {
93 RUNNER_ASSERT_MSG(label != nullptr, "TRANSMUTE label on " << fpath << " is not set at all");
94 RUNNER_ASSERT_MSG(strcmp(label,"TRUE") == 0,
95 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
97 RUNNER_ASSERT_MSG(label == nullptr, "TRANSMUTE label on " << fpath << " is set");
104 static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
105 int /*typeflag*/, struct FTW* /*ftwbuf*/)
107 return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
110 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
111 int /*typeflag*/, struct FTW* /*ftwbuf*/)
114 return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
117 static void prepare_app_path()
121 result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
122 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
124 result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
125 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
127 result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
128 RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
131 static void prepare_app_env()
136 /* TODO: add parameters to this function */
137 static void check_app_path_after_install()
141 result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
142 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
144 result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
145 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
147 result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
148 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
152 static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
153 const privileges_t &allowed_privs, const privileges_t &denied_privs)
156 std::string smackLabel;
157 generateAppLabel(pkg_id, smackLabel);
159 CynaraTestClient ctc;
161 for (auto &priv : allowed_privs) {
162 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_ALLOWED);
165 for (auto &priv : denied_privs) {
166 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED);
170 static void check_app_gids(const char *const app_id, const std::vector<gid_t> &allowed_gids)
173 gid_t main_gid = getgid();
174 std::unordered_set<gid_t> reference_gids(allowed_gids.begin(), allowed_gids.end());
176 // Reset supplementary groups
177 ret = setgroups(0, NULL);
178 RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
180 Api::setProcessGroups(app_id);
182 ret = getgroups(0, nullptr);
183 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
185 std::vector<gid_t> actual_gids(ret);
186 ret = getgroups(ret, actual_gids.data());
187 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
189 for (const auto &gid : actual_gids) {
190 RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0,
191 "Application shouldn't get access to group " << gid);
192 reference_gids.erase(gid);
195 RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups");
198 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
199 const privileges_t &allowed_privs,
200 const privileges_t &denied_privs,
201 const std::vector<std::string> &allowed_groups)
203 TestSecurityManagerDatabase dbtest;
204 dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
205 dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
207 /*Privileges should be granted to all users if root installs app*/
208 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
210 /* Setup mapping of gids to privileges */
211 /* Do this for each privilege for extra check */
212 for (const auto &privilege : allowed_privs) {
213 dbtest.setup_privilege_groups(privilege, allowed_groups);
216 std::vector<gid_t> allowed_gids;
218 for (const auto &groupName : allowed_groups) {
220 struct group* grp = getgrnam(groupName.c_str());
221 RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found");
222 allowed_gids.push_back(grp->gr_gid);
225 check_app_gids(app_id, allowed_gids);
228 static void check_app_after_install(const char *const app_id, const char *const pkg_id)
230 TestSecurityManagerDatabase dbtest;
231 dbtest.test_db_after__app_install(app_id, pkg_id);
234 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
235 const privileges_t &privileges, const bool is_pkg_removed)
237 TestSecurityManagerDatabase dbtest;
238 dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
241 /*Privileges should not be granted anymore to any user*/
242 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges);
245 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
246 const bool is_pkg_removed)
248 TestSecurityManagerDatabase dbtest;
249 dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
252 static void install_app(const char *app_id, const char *pkg_id)
254 InstallRequest request;
255 request.setAppId(app_id);
256 request.setPkgId(pkg_id);
258 Api::install(request);
260 check_app_after_install(app_id, pkg_id);
264 static void uninstall_app(const char *app_id, const char *pkg_id, bool expect_pkg_removed)
266 InstallRequest request;
267 request.setAppId(app_id);
269 Api::uninstall(request);
271 check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed);
275 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
278 RUNNER_TEST(security_manager_01_app_double_install_double_uninstall)
280 const char *const sm_app_id = "sm_test_01_app_id_double";
281 const char *const sm_pkg_id = "sm_test_01_pkg_id_double";
283 InstallRequest requestInst;
284 requestInst.setAppId(sm_app_id);
285 requestInst.setPkgId(sm_pkg_id);
287 Api::install(requestInst);
288 Api::install(requestInst);
290 /* Check records in the security-manager database */
291 check_app_after_install(sm_app_id, sm_pkg_id);
293 InstallRequest requestUninst;
294 requestUninst.setAppId(sm_app_id);
296 Api::uninstall(requestUninst);
297 Api::uninstall(requestUninst);
299 /* Check records in the security-manager database */
300 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
303 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
305 const char *const sm_app_id = "sm_test_02_app_id_full";
306 const char *const sm_pkg_id = "sm_test_02_pkg_id_full";
310 InstallRequest requestInst;
311 requestInst.setAppId(sm_app_id);
312 requestInst.setPkgId(sm_pkg_id);
313 requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str());
314 requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str());
315 requestInst.addPath(SM_PRIVATE_PATH, SECURITY_MANAGER_PATH_PRIVATE);
316 requestInst.addPath(SM_PUBLIC_RO_PATH, SECURITY_MANAGER_PATH_PUBLIC_RO);
318 Api::install(requestInst);
320 /* Check records in the security-manager database */
321 check_app_after_install(sm_app_id, sm_pkg_id,
322 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
324 /* TODO: add parameters to this function */
325 check_app_path_after_install();
327 InstallRequest requestUninst;
328 requestUninst.setAppId(sm_app_id);
330 Api::uninstall(requestUninst);
332 /* Check records in the security-manager database,
333 * all previously allowed privileges should be removed */
334 check_app_after_uninstall(sm_app_id, sm_pkg_id,
335 SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
338 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
340 const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack";
341 const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
342 const char *const expected_label = USER_APP_ID;
343 const char *const socketLabel = "not_expected_label";
344 char *label = nullptr;
348 uninstall_app(app_id, pkg_id, true);
349 install_app(app_id, pkg_id);
351 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
352 //Clean up before creating socket
354 int sock = socket(AF_UNIX, SOCK_STREAM, 0);
355 RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
356 SockUniquePtr sockPtr(&sock);
357 //Bind socket to address
358 result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
359 RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
360 //Set socket label to something different than expecedLabel
361 result = fsetxattr(sock, XATTR_NAME_SMACKIPIN, socketLabel,
362 strlen(socketLabel), 0);
363 RUNNER_ASSERT_ERRNO_MSG(result == 0,
364 "Can't set socket label. Result: " << result);
365 result = fsetxattr(sock, XATTR_NAME_SMACKIPOUT, socketLabel,
366 strlen(socketLabel), 0);
367 RUNNER_ASSERT_ERRNO_MSG(result == 0,
368 "Can't set socket label. Result: " << result);
370 Api::setProcessLabel(app_id);
372 char value[SMACK_LABEL_LEN + 1];
374 size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value));
375 RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
376 result = strcmp(expected_label, value);
377 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
378 expected_label << " Actual: " << value);
380 size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value));
381 RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
382 result = strcmp(expected_label, value);
383 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
384 expected_label << " Actual: " << value);
386 result = smack_new_label_from_self(&label);
387 RUNNER_ASSERT_MSG(result >= 0,
388 " Error getting current process label");
389 RUNNER_ASSERT_MSG(label != nullptr,
390 " Process label is not set");
391 labelPtr.reset(label);
393 result = strcmp(expected_label, label);
394 RUNNER_ASSERT_MSG(result == 0,
395 " Process label is incorrect. Expected: \"" << expected_label <<
396 "\" Actual: \"" << label << "\"");
398 uninstall_app(app_id, pkg_id, true);
401 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
403 const char *const app_id = "sm_test_03_app_id_set_label_from_appid_nosmack";
404 const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_nosmack";
406 uninstall_app(app_id, pkg_id, true);
407 install_app(app_id, pkg_id);
409 Api::setProcessLabel(app_id);
411 uninstall_app(app_id, pkg_id, true);
416 static void prepare_request(InstallRequest &request,
417 const char *const app_id,
418 const char *const pkg_id,
419 app_install_path_type pathType,
420 const char *const path,
423 request.setAppId(app_id);
424 request.setPkgId(pkg_id);
425 request.addPath(path, pathType);
432 static struct passwd* get_app_pw()
434 struct passwd *pw = nullptr;
436 while(!(pw = getpwnam(APP_USER))) {
437 RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
443 static void install_and_check(const char *const sm_app_id,
444 const char *const sm_pkg_id,
445 const std::string &user, uid_t uid)
447 InstallRequest requestPublic;
449 //install app for non-root user and try to register public path (should fail)
450 prepare_request(requestPublic, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PUBLIC, SM_PRIVATE_PATH_FOR_USER, uid);
452 Api::install(requestPublic, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
454 InstallRequest requestPrivate;
456 //install app for non-root user
457 //should fail (users may only register folders inside their home)
458 prepare_request(requestPrivate, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH, uid);
460 Api::install(requestPrivate, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
462 InstallRequest requestPrivateUser;
464 //install app for non-root user
465 //should succeed - this time i register folder inside user's home dir
466 prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH_FOR_USER, uid);
468 for (auto &privilege : SM_ALLOWED_PRIVILEGES)
469 requestPrivateUser.addPrivilege(privilege.c_str());
471 Api::install(requestPrivateUser);
473 check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
476 RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
479 const char *const sm_app_id = "sm_test_04a_app_id_uid";
480 const char *const sm_pkg_id = "sm_test_04a_pkg_id_uid";
482 struct passwd *pw = get_app_pw();
483 const std::string user = std::to_string(static_cast<unsigned int>(pw->pw_uid));
485 //switch user to non-root
486 result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
487 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
489 install_and_check(sm_app_id, sm_pkg_id, user, 0);
491 //uninstall app as non-root user
492 InstallRequest request;
493 request.setAppId(sm_app_id);
495 Api::uninstall(request);
497 check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
500 RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user)
503 const char *const sm_app_id = "sm_test_04b_app_id_uid";
504 const char *const sm_pkg_id = "sm_test_04b_pkg_id_uid";
506 struct passwd *pw = get_app_pw();
507 const std::string user = std::to_string(static_cast<unsigned int>(pw->pw_uid));
509 install_and_check(sm_app_id, sm_pkg_id, user, pw->pw_uid);
511 //switch user to non-root - root may not uninstall apps for specified users
512 result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
513 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
515 //uninstall app as non-root user
516 InstallRequest request;
517 request.setAppId(sm_app_id);
519 Api::uninstall(request);
521 check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
525 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
528 CapsSetsUniquePtr caps, caps_empty(cap_init());
530 caps.reset(cap_from_text("all=eip"));
531 RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text");
532 result = cap_set_proc(caps.get());
533 RUNNER_ASSERT_MSG(result == 0,
534 "can't set capabilities. Result: " << result);
536 Api::dropProcessPrivileges();
538 caps.reset(cap_get_proc());
539 RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
541 result = cap_compare(caps.get(), caps_empty.get());
542 RUNNER_ASSERT_MSG(result == 0,
543 "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
546 int main(int argc, char *argv[])
548 return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);