projects / platform / core / test / security-tests.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Update tests to work with group names instead of gids
[platform/core/test/security-tests.git] / tests / security-manager-tests / security_manager_tests.cpp
1 #include <dpl/test/test_runner.h>
2 #include <fcntl.h>
3 #include <stdio.h>
4 #include <memory.h>
5 #include <summary_collector.h>
6 #include <string>
7 #include <unordered_set>
8 #include <sys/capability.h>
9
10 #include <sys/socket.h>
11 #include <sys/un.h>
12 #include <attr/xattr.h>
13 #include <linux/xattr.h>
14
15 #include <grp.h>
16 #include <pwd.h>
17
18 #include <libprivilege-control_test_common.h>
19 #include <tests_common.h>
20
21 #include <security-manager.h>
22 #include <sm_db.h>
23 #include <cynara_test_client.h>
24
25 DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
26 DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr);
27
28 static const char *const SM_APP_ID1 = "sm_test_app_id_double";
29 static const char *const SM_PKG_ID1 = "sm_test_pkg_id_double";
30
31 static const char *const SM_APP_ID2 = "sm_test_app_id_full";
32 static const char *const SM_PKG_ID2 = "sm_test_pkg_id_full";
33
34 static const char *const SM_APP_ID3 = "sm_test_app_id_uid";
35 static const char *const SM_PKG_ID3 = "sm_test_pkg_id_uid";
36
37 static const privileges_t SM_ALLOWED_PRIVILEGES = {
38     "security_manager_test_rules2_r",
39     "security_manager_test_rules2_no_r"
40 };
41
42 static const privileges_t SM_DENIED_PRIVILEGES  = {
43     "security_manager_test_rules1",
44     "security_manager_test_rules2"
45 };
46
47 static const privileges_t SM_NO_PRIVILEGES  = {
48 };
49
50 static const std::vector<std::string> SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"};
51
52 static const char *const SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir";
53 static const char *const SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public";
54 static const char *const SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro";
55 static const char *const SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir";
56 static const char *const SM_PRIVATE_PATH_FOR_USER = "/home/" APP_USER "/test_DIR";
57 static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
58
59 static void generateAppLabel(const std::string &pkgId, std::string &label)
60 {
61     (void) pkgId;
62     label = "User";
63 }
64
65 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
66                               const char* correctLabel, bool transmute_test, bool exec_test)
67 {
68     int result;
69     CStringPtr labelPtr;
70     char* label = nullptr;
71
72     /* ACCESS */
73     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
74     RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
75     labelPtr.reset(label);
76     RUNNER_ASSERT_MSG(label != nullptr, "ACCESS label on " << fpath << " is not set");
77     result = strcmp(correctLabel, label);
78     RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"
79             " (should be '" << correctLabel << "' and is '" << label << "')");
80
81
82     /* EXEC */
83     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
84     RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
85     labelPtr.reset(label);
86
87     if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
88         RUNNER_ASSERT_MSG(label != nullptr, "EXEC label on " << fpath << " is not set");
89         result = strcmp(correctLabel, label);
90         RUNNER_ASSERT_MSG(result == 0, "Incorrect EXEC label on executable file " << fpath);
91     } else
92         RUNNER_ASSERT_MSG(label == nullptr, "EXEC label on " << fpath << " is set");
93
94
95     /* TRANSMUTE */
96     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
97     RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
98     labelPtr.reset(label);
99
100     if (S_ISDIR(sb->st_mode) && transmute_test == true) {
101         RUNNER_ASSERT_MSG(label != nullptr, "TRANSMUTE label on " << fpath << " is not set at all");
102         RUNNER_ASSERT_MSG(strcmp(label,"TRUE") == 0,
103                 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
104     } else {
105         RUNNER_ASSERT_MSG(label == nullptr, "TRANSMUTE label on " << fpath << " is set");
106     }
107
108     return 0;
109 }
110
111
112 static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
113                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
114 {
115     return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
116 }
117
118 static int nftw_check_sm_labels_app_public_dir(const char *fpath, const struct stat *sb,
119                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
120 {
121
122     return nftw_check_sm_labels_app_dir(fpath, sb, "User", true, false);
123 }
124
125 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
126                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
127 {
128
129     return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
130 }
131
132 static app_inst_req* do_app_inst_req_new()
133 {
134     int result;
135     app_inst_req *req = nullptr;
136
137     result = security_manager_app_inst_req_new(&req);
138     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
139             "creation of new request failed. Result: " << result);
140     RUNNER_ASSERT_MSG(req != nullptr, "creation of new request did not allocate memory");
141     return req;
142 }
143
144 static void prepare_app_path()
145 {
146     int result;
147
148     result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
149     RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
150
151     result = nftw(SM_PUBLIC_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
152     RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_PATH);
153
154     result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
155     RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
156
157     result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
158     RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
159 }
160
161 static void prepare_app_env()
162 {
163     prepare_app_path();
164 }
165
166 /* TODO: add parameters to this function */
167 static void check_app_path_after_install()
168 {
169     int result;
170
171     result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
172     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
173
174     result = nftw(SM_PUBLIC_PATH, &nftw_check_sm_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
175     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_PATH);
176
177     result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
178     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
179
180     result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
181     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
182 }
183
184
185 static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
186                                   const privileges_t &allowed_privs, const privileges_t &denied_privs)
187 {
188     (void) app_id;
189     std::string smackLabel;
190     generateAppLabel(pkg_id, smackLabel);
191
192     CynaraTestClient ctc;
193
194     for (auto &priv : allowed_privs) {
195         ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_ALLOWED);
196     }
197
198     for (auto &priv : denied_privs) {
199         ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED);
200     }
201 }
202
203 static void check_app_gids(const char *const app_id, const std::vector<gid_t> &allowed_gids)
204 {
205     int ret;
206     gid_t main_gid = getgid();
207     std::unordered_set<gid_t> reference_gids(allowed_gids.begin(), allowed_gids.end());
208
209     // Reset supplementary groups
210     ret = setgroups(0, NULL);
211     RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
212
213     ret = security_manager_set_process_groups_from_appid(app_id);
214     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS,
215             "security_manager_set_process_groups_from_appid(" <<
216             app_id << ") failed. Result: " << ret);
217
218     ret = getgroups(0, nullptr);
219     RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
220
221     std::vector<gid_t> actual_gids(ret);
222     ret = getgroups(ret, actual_gids.data());
223     RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
224
225     for (const auto &gid : actual_gids) {
226         RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0,
227             "Application shouldn't get access to group " << gid);
228         reference_gids.erase(gid);
229     }
230
231     RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups");
232 }
233
234 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
235                                     const privileges_t &allowed_privs,
236                                     const privileges_t &denied_privs,
237                                     const std::vector<std::string> &allowed_groups)
238 {
239     TestSecurityManagerDatabase dbtest;
240     dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
241     dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
242
243     /*Privileges should be granted to all users if root installs app*/
244     check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
245
246     /* Setup mapping of gids to privileges */
247     /* Do this for each privilege for extra check */
248     for (const auto &privilege : allowed_privs) {
249         dbtest.setup_privilege_groups(privilege, allowed_groups);
250     }
251
252     std::vector<gid_t> allowed_gids;
253
254     for (const auto &groupName : allowed_groups) {
255         errno = 0;
256         struct group* grp = getgrnam(groupName.c_str());
257         RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found");
258         allowed_gids.push_back(grp->gr_gid);
259     }
260
261     check_app_gids(app_id, allowed_gids);
262 }
263
264 static void check_app_after_install(const char *const app_id, const char *const pkg_id)
265 {
266     TestSecurityManagerDatabase dbtest;
267     dbtest.test_db_after__app_install(app_id, pkg_id);
268 }
269
270 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
271                                       const privileges_t &privileges, const bool is_pkg_removed)
272 {
273     TestSecurityManagerDatabase dbtest;
274     dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
275
276
277     /*Privileges should not be granted anymore to any user*/
278     check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges);
279 }
280
281 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
282                                       const bool is_pkg_removed)
283 {
284     TestSecurityManagerDatabase dbtest;
285     dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
286 }
287
288 static void install_app(const char *app_id, const char *pkg_id)
289 {
290     int result;
291     AppInstReqUniquePtr request;
292     request.reset(do_app_inst_req_new());
293
294     result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
295     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
296             "setting app id failed. Result: " << result);
297
298     result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
299     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
300             "setting pkg id failed. Result: " << result);
301
302     result = security_manager_app_install(request.get());
303     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
304             "installing app failed. Result: " << result);
305
306     check_app_after_install(app_id, pkg_id);
307
308 }
309
310 static void uninstall_app(const char *app_id, const char *pkg_id,
311         bool expect_installed, bool expect_pkg_removed)
312 {
313     int result;
314     AppInstReqUniquePtr request;
315     request.reset(do_app_inst_req_new());
316
317     result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
318     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
319           "setting app id failed. Result: " << result);
320
321     result = security_manager_app_uninstall(request.get());
322     RUNNER_ASSERT_MSG(!expect_installed || (lib_retcode)result == SECURITY_MANAGER_SUCCESS,
323           "uninstalling app failed. Result: " << result);
324
325     check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed);
326 }
327
328
329 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
330
331
332 RUNNER_TEST(security_manager_01_app_double_install_double_uninstall)
333 {
334     int result;
335     AppInstReqUniquePtr request;
336
337     request.reset(do_app_inst_req_new());
338
339     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
340     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
341             "setting app id failed. Result: " << result);
342
343     result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID1);
344     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
345             "setting pkg id failed. Result: " << result);
346
347     result = security_manager_app_install(request.get());
348     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
349             "installing app failed. Result: " << result);
350
351     result = security_manager_app_install(request.get());
352     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
353             "installing already installed app failed. Result: " << result);
354
355     /* Check records in the security-manager database */
356     check_app_after_install(SM_APP_ID1, SM_PKG_ID1);
357
358     request.reset(do_app_inst_req_new());
359
360     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
361     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
362             "setting app id failed. Result: " << result);
363
364     result = security_manager_app_uninstall(request.get());
365     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
366             "uninstalling app failed. Result: " << result);
367
368     result = security_manager_app_uninstall(request.get());
369     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
370             "uninstalling already uninstalled app failed. Result: " << result);
371
372     /* Check records in the security-manager database */
373     check_app_after_uninstall(SM_APP_ID1, SM_PKG_ID1, TestSecurityManagerDatabase::REMOVED);
374 }
375
376 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
377 {
378     int result;
379     AppInstReqUniquePtr request;
380
381     prepare_app_env();
382
383     request.reset(do_app_inst_req_new());
384
385     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
386     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
387             "setting app id failed. Result: " << result);
388
389     result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID2);
390     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
391             "setting pkg id failed. Result: " << result);
392
393     result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[0].c_str());
394     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
395             "setting allowed permission failed. Result: " << result);
396     result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[1].c_str());
397     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
398             "setting allowed permission failed. Result: " << result);
399
400     result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH,
401                                                     SECURITY_MANAGER_PATH_PRIVATE);
402     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
403             "setting allowed path failed. Result: " << result);
404
405     result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_PATH,
406                                                     SECURITY_MANAGER_PATH_PUBLIC);
407     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
408             "setting allowed path failed. Result: " << result);
409
410     result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH,
411                                                     SECURITY_MANAGER_PATH_PUBLIC_RO);
412     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
413             "setting allowed path failed. Result: " << result);
414
415     result = security_manager_app_install(request.get());
416     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
417             "installing app failed. Result: " << result);
418
419     /* Check records in the security-manager database */
420     check_app_after_install(SM_APP_ID2, SM_PKG_ID2,
421                             SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
422
423     /* TODO: add parameters to this function */
424     check_app_path_after_install();
425
426     request.reset(do_app_inst_req_new());
427
428     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
429     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
430             "setting app id failed. Result: " << result);
431
432     result = security_manager_app_uninstall(request.get());
433     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
434             "uninstalling app failed. Result: " << result);
435
436     /* Check records in the security-manager database,
437      * all previously allowed privileges should be removed */
438     check_app_after_uninstall(SM_APP_ID2, SM_PKG_ID2,
439                               SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
440 }
441
442 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
443 {
444     const char *const app_id = "sm_test_app_id_set_label_from_appid";
445     const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
446     const char *const expected_label = USER_APP_ID;
447     const char *const socketLabel = "not_expected_label";
448     char *label = nullptr;
449     CStringPtr labelPtr;
450     int result;
451
452     uninstall_app(app_id, pkg_id, false, true);
453     install_app(app_id, pkg_id);
454
455     struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
456     //Clean up before creating socket
457     unlink(SOCK_PATH);
458     int sock = socket(AF_UNIX, SOCK_STREAM, 0);
459     RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
460     SockUniquePtr sockPtr(&sock);
461     //Bind socket to address
462     result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
463     RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
464     //Set socket label to something different than expecedLabel
465     result = fsetxattr(sock, XATTR_NAME_SMACKIPIN, socketLabel,
466         strlen(socketLabel), 0);
467     RUNNER_ASSERT_ERRNO_MSG(result == 0,
468         "Can't set socket label. Result: " << result);
469     result = fsetxattr(sock, XATTR_NAME_SMACKIPOUT, socketLabel,
470         strlen(socketLabel), 0);
471     RUNNER_ASSERT_ERRNO_MSG(result == 0,
472         "Can't set socket label. Result: " << result);
473
474     result = security_manager_set_process_label_from_appid(app_id);
475     RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
476             "security_manager_set_process_label_from_appid(" <<
477             app_id << ") failed. Result: " << result);
478
479     char value[SMACK_LABEL_LEN + 1];
480     ssize_t size;
481     size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value));
482     RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
483     result = strcmp(expected_label, value);
484     RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
485         expected_label << " Actual: " << value);
486
487     size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value));
488     RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
489     result = strcmp(expected_label, value);
490     RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
491         expected_label << " Actual: " << value);
492
493     result = smack_new_label_from_self(&label);
494     RUNNER_ASSERT_MSG(result >= 0,
495             " Error getting current process label");
496     RUNNER_ASSERT_MSG(label != nullptr,
497             " Process label is not set");
498     labelPtr.reset(label);
499
500     result = strcmp(expected_label, label);
501     RUNNER_ASSERT_MSG(result == 0,
502             " Process label is incorrect. Expected: \"" << expected_label <<
503             "\" Actual: \"" << label << "\"");
504
505     uninstall_app(app_id, pkg_id, true, true);
506 }
507
508 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
509 {
510     const char *const app_id = "sm_test_app_id_set_label_from_appid";
511     const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
512     int result;
513
514     uninstall_app(app_id, pkg_id, false, true);
515     install_app(app_id, pkg_id);
516
517     result = security_manager_set_process_label_from_appid(app_id);
518     RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
519             "security_manager_set_process_label_from_appid(" <<
520             app_id << ") failed. Result: " << result);
521
522     uninstall_app(app_id, pkg_id, true, true);
523 }
524
525
526
527 static void prepare_request(AppInstReqUniquePtr &request,
528               const char *const app_id,
529               const char *const pkg_id,
530               app_install_path_type pathType,
531               const char *const path)
532 {
533     int result;
534     request.reset(do_app_inst_req_new());
535
536     result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
537     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
538             "setting app id failed. Result: " << result);
539
540     result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
541     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
542             "setting pkg id failed. Result: " << result);
543
544     result = security_manager_app_inst_req_add_path(request.get(), path, pathType);
545     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
546             "setting allowed path failed. Result: " << result);
547 }
548
549
550 static struct passwd* get_app_pw()
551 {
552     struct passwd *pw = nullptr;
553     errno = 0;
554     while(!(pw = getpwnam(APP_USER))) {
555         RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
556     }
557     return pw;
558 }
559
560 RUNNER_CHILD_TEST(security_manager_04_app_install_uninstall_by_app_user)
561 {
562     int result;
563     AppInstReqUniquePtr request;
564     struct passwd *pw = get_app_pw();
565     const std::string user =  std::to_string(static_cast<unsigned int>(pw->pw_uid));
566
567     //switch user to non-root
568     result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
569     RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
570
571     //install app as non-root user and try to register public path (should fail)
572     prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PUBLIC, SM_PRIVATE_PATH_FOR_USER);
573
574     result = security_manager_app_install(request.get());
575     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
576             "installing app not failed. Result: " << result);
577
578     //install app as non-root user
579     //should fail (non-root users may only register folders inside their home)
580     prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH);
581
582     result = security_manager_app_install(request.get());
583     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
584             "installing app not failed. Result: " << result);
585
586     //install app as non-root user
587     //should succeed - this time i register folder inside user's home dir
588     prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH_FOR_USER);
589
590     for (auto &privilege : SM_ALLOWED_PRIVILEGES) {
591         result = security_manager_app_inst_req_add_privilege(request.get(), privilege.c_str());
592         RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
593             "setting allowed permission failed. Result: " << result);
594     }
595
596     result = security_manager_app_install(request.get());
597     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
598             "installing app failed. Result: " << result);
599
600     check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
601
602     //uninstall app as non-root user
603     request.reset(do_app_inst_req_new());
604
605     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID3);
606     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
607             "setting app id failed. Result: " << result);
608
609     result = security_manager_app_uninstall(request.get());
610     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
611             "uninstalling app failed. Result: " << result);
612
613     check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
614 }
615
616 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
617 {
618     int result;
619     CapsSetsUniquePtr caps, caps_empty(cap_init());
620
621     caps.reset(cap_from_text("all=eip"));
622     RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text");
623     result = cap_set_proc(caps.get());
624     RUNNER_ASSERT_MSG(result == 0,
625         "can't set capabilities. Result: " << result);
626
627     result = security_manager_drop_process_privileges();
628     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
629         "dropping caps failed. Result: " << result);
630
631     caps.reset(cap_get_proc());
632     RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
633
634     result = cap_compare(caps.get(), caps_empty.get());
635     RUNNER_ASSERT_MSG(result == 0,
636         "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
637 }
638
639 int main(int argc, char *argv[])
640 {
641     SummaryCollector::Register();
642     return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
643 }
Domain: Security / Uncategorized;