projects / platform / core / test / security-tests.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Make app id and pkg id unique for each security-manager test
[platform/core/test/security-tests.git] / tests / security-manager-tests / security_manager_tests.cpp
1 #include <dpl/test/test_runner.h>
2 #include <fcntl.h>
3 #include <stdio.h>
4 #include <memory.h>
5 #include <summary_collector.h>
6 #include <string>
7 #include <unordered_set>
8 #include <sys/capability.h>
9
10 #include <sys/socket.h>
11 #include <sys/un.h>
12 #include <attr/xattr.h>
13 #include <linux/xattr.h>
14
15 #include <grp.h>
16 #include <pwd.h>
17
18 #include <libprivilege-control_test_common.h>
19 #include <tests_common.h>
20
21 #include <security-manager.h>
22 #include <sm_db.h>
23 #include <cynara_test_client.h>
24
25 DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
26 DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr);
27
28 static const privileges_t SM_ALLOWED_PRIVILEGES = {
29     "security_manager_test_rules2_r",
30     "security_manager_test_rules2_no_r"
31 };
32
33 static const privileges_t SM_DENIED_PRIVILEGES  = {
34     "security_manager_test_rules1",
35     "security_manager_test_rules2"
36 };
37
38 static const privileges_t SM_NO_PRIVILEGES  = {
39 };
40
41 static const std::vector<std::string> SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"};
42
43 static const char *const SM_PRIVATE_PATH = "/usr/apps/test_DIR/app_dir";
44 static const char *const SM_PUBLIC_RO_PATH = "/usr/apps/test_DIR/app_dir_public_ro";
45 static const char *const SM_DENIED_PATH = "/usr/apps/test_DIR/non_app_dir";
46 static const char *const SM_PRIVATE_PATH_FOR_USER = "/home/" APP_USER "/test_DIR";
47 static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
48
49 static void generateAppLabel(const std::string &pkgId, std::string &label)
50 {
51     (void) pkgId;
52     label = "User";
53 }
54
55 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
56                               const char* correctLabel, bool transmute_test, bool exec_test)
57 {
58     int result;
59     CStringPtr labelPtr;
60     char* label = nullptr;
61
62     /* ACCESS */
63     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
64     RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
65     labelPtr.reset(label);
66     RUNNER_ASSERT_MSG(label != nullptr, "ACCESS label on " << fpath << " is not set");
67     result = strcmp(correctLabel, label);
68     RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"
69             " (should be '" << correctLabel << "' and is '" << label << "')");
70
71
72     /* EXEC */
73     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
74     RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
75     labelPtr.reset(label);
76
77     if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
78         RUNNER_ASSERT_MSG(label != nullptr, "EXEC label on " << fpath << " is not set");
79         result = strcmp(correctLabel, label);
80         RUNNER_ASSERT_MSG(result == 0, "Incorrect EXEC label on executable file " << fpath);
81     } else
82         RUNNER_ASSERT_MSG(label == nullptr, "EXEC label on " << fpath << " is set");
83
84
85     /* TRANSMUTE */
86     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
87     RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
88     labelPtr.reset(label);
89
90     if (S_ISDIR(sb->st_mode) && transmute_test == true) {
91         RUNNER_ASSERT_MSG(label != nullptr, "TRANSMUTE label on " << fpath << " is not set at all");
92         RUNNER_ASSERT_MSG(strcmp(label,"TRUE") == 0,
93                 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
94     } else {
95         RUNNER_ASSERT_MSG(label == nullptr, "TRANSMUTE label on " << fpath << " is set");
96     }
97
98     return 0;
99 }
100
101
102 static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
103                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
104 {
105     return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
106 }
107
108 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
109                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
110 {
111
112     return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
113 }
114
115 static app_inst_req* do_app_inst_req_new()
116 {
117     int result;
118     app_inst_req *req = nullptr;
119
120     result = security_manager_app_inst_req_new(&req);
121     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
122             "creation of new request failed. Result: " << result);
123     RUNNER_ASSERT_MSG(req != nullptr, "creation of new request did not allocate memory");
124     return req;
125 }
126
127 static void prepare_app_path()
128 {
129     int result;
130
131     result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
132     RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
133
134     result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
135     RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
136
137     result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
138     RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
139 }
140
141 static void prepare_app_env()
142 {
143     prepare_app_path();
144 }
145
146 /* TODO: add parameters to this function */
147 static void check_app_path_after_install()
148 {
149     int result;
150
151     result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
152     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
153
154     result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
155     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
156
157     result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
158     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
159 }
160
161
162 static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
163                                   const privileges_t &allowed_privs, const privileges_t &denied_privs)
164 {
165     (void) app_id;
166     std::string smackLabel;
167     generateAppLabel(pkg_id, smackLabel);
168
169     CynaraTestClient ctc;
170
171     for (auto &priv : allowed_privs) {
172         ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_ALLOWED);
173     }
174
175     for (auto &priv : denied_privs) {
176         ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED);
177     }
178 }
179
180 static void check_app_gids(const char *const app_id, const std::vector<gid_t> &allowed_gids)
181 {
182     int ret;
183     gid_t main_gid = getgid();
184     std::unordered_set<gid_t> reference_gids(allowed_gids.begin(), allowed_gids.end());
185
186     // Reset supplementary groups
187     ret = setgroups(0, NULL);
188     RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
189
190     ret = security_manager_set_process_groups_from_appid(app_id);
191     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS,
192             "security_manager_set_process_groups_from_appid(" <<
193             app_id << ") failed. Result: " << ret);
194
195     ret = getgroups(0, nullptr);
196     RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
197
198     std::vector<gid_t> actual_gids(ret);
199     ret = getgroups(ret, actual_gids.data());
200     RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
201
202     for (const auto &gid : actual_gids) {
203         RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0,
204             "Application shouldn't get access to group " << gid);
205         reference_gids.erase(gid);
206     }
207
208     RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups");
209 }
210
211 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
212                                     const privileges_t &allowed_privs,
213                                     const privileges_t &denied_privs,
214                                     const std::vector<std::string> &allowed_groups)
215 {
216     TestSecurityManagerDatabase dbtest;
217     dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
218     dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
219
220     /*Privileges should be granted to all users if root installs app*/
221     check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
222
223     /* Setup mapping of gids to privileges */
224     /* Do this for each privilege for extra check */
225     for (const auto &privilege : allowed_privs) {
226         dbtest.setup_privilege_groups(privilege, allowed_groups);
227     }
228
229     std::vector<gid_t> allowed_gids;
230
231     for (const auto &groupName : allowed_groups) {
232         errno = 0;
233         struct group* grp = getgrnam(groupName.c_str());
234         RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found");
235         allowed_gids.push_back(grp->gr_gid);
236     }
237
238     check_app_gids(app_id, allowed_gids);
239 }
240
241 static void check_app_after_install(const char *const app_id, const char *const pkg_id)
242 {
243     TestSecurityManagerDatabase dbtest;
244     dbtest.test_db_after__app_install(app_id, pkg_id);
245 }
246
247 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
248                                       const privileges_t &privileges, const bool is_pkg_removed)
249 {
250     TestSecurityManagerDatabase dbtest;
251     dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
252
253
254     /*Privileges should not be granted anymore to any user*/
255     check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges);
256 }
257
258 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
259                                       const bool is_pkg_removed)
260 {
261     TestSecurityManagerDatabase dbtest;
262     dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
263 }
264
265 static void install_app(const char *app_id, const char *pkg_id)
266 {
267     int result;
268     AppInstReqUniquePtr request;
269     request.reset(do_app_inst_req_new());
270
271     result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
272     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
273             "setting app id failed. Result: " << result);
274
275     result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
276     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
277             "setting pkg id failed. Result: " << result);
278
279     result = security_manager_app_install(request.get());
280     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
281             "installing app failed. Result: " << result);
282
283     check_app_after_install(app_id, pkg_id);
284
285 }
286
287 static void uninstall_app(const char *app_id, const char *pkg_id,
288         bool expect_installed, bool expect_pkg_removed)
289 {
290     int result;
291     AppInstReqUniquePtr request;
292     request.reset(do_app_inst_req_new());
293
294     result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
295     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
296           "setting app id failed. Result: " << result);
297
298     result = security_manager_app_uninstall(request.get());
299     RUNNER_ASSERT_MSG(!expect_installed || (lib_retcode)result == SECURITY_MANAGER_SUCCESS,
300           "uninstalling app failed. Result: " << result);
301
302     check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed);
303 }
304
305
306 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
307
308
309 RUNNER_TEST(security_manager_01_app_double_install_double_uninstall)
310 {
311     int result;
312     AppInstReqUniquePtr request;
313     const char *const sm_app_id = "sm_test_01_app_id_double";
314     const char *const sm_pkg_id = "sm_test_01_pkg_id_double";
315
316     request.reset(do_app_inst_req_new());
317
318     result = security_manager_app_inst_req_set_app_id(request.get(), sm_app_id);
319     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
320             "setting app id failed. Result: " << result);
321
322     result = security_manager_app_inst_req_set_pkg_id(request.get(), sm_pkg_id);
323     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
324             "setting pkg id failed. Result: " << result);
325
326     result = security_manager_app_install(request.get());
327     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
328             "installing app failed. Result: " << result);
329
330     result = security_manager_app_install(request.get());
331     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
332             "installing already installed app failed. Result: " << result);
333
334     /* Check records in the security-manager database */
335     check_app_after_install(sm_app_id, sm_pkg_id);
336
337     request.reset(do_app_inst_req_new());
338
339     result = security_manager_app_inst_req_set_app_id(request.get(), sm_app_id);
340     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
341             "setting app id failed. Result: " << result);
342
343     result = security_manager_app_uninstall(request.get());
344     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
345             "uninstalling app failed. Result: " << result);
346
347     result = security_manager_app_uninstall(request.get());
348     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
349             "uninstalling already uninstalled app failed. Result: " << result);
350
351     /* Check records in the security-manager database */
352     check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
353 }
354
355 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
356 {
357     int result;
358     AppInstReqUniquePtr request;
359     const char *const sm_app_id = "sm_test_02_app_id_full";
360     const char *const sm_pkg_id = "sm_test_02_pkg_id_full";
361
362     prepare_app_env();
363
364     request.reset(do_app_inst_req_new());
365
366     result = security_manager_app_inst_req_set_app_id(request.get(), sm_app_id);
367     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
368             "setting app id failed. Result: " << result);
369
370     result = security_manager_app_inst_req_set_pkg_id(request.get(), sm_pkg_id);
371     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
372             "setting pkg id failed. Result: " << result);
373
374     result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[0].c_str());
375     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
376             "setting allowed permission failed. Result: " << result);
377     result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[1].c_str());
378     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
379             "setting allowed permission failed. Result: " << result);
380
381     result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH,
382                                                     SECURITY_MANAGER_PATH_PRIVATE);
383     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
384             "setting allowed path failed. Result: " << result);
385
386     result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH,
387                                                     SECURITY_MANAGER_PATH_PUBLIC_RO);
388     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
389             "setting allowed path failed. Result: " << result);
390
391     result = security_manager_app_install(request.get());
392     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
393             "installing app failed. Result: " << result);
394
395     /* Check records in the security-manager database */
396     check_app_after_install(sm_app_id, sm_pkg_id,
397                             SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
398
399     /* TODO: add parameters to this function */
400     check_app_path_after_install();
401
402     request.reset(do_app_inst_req_new());
403
404     result = security_manager_app_inst_req_set_app_id(request.get(), sm_app_id);
405     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
406             "setting app id failed. Result: " << result);
407
408     result = security_manager_app_uninstall(request.get());
409     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
410             "uninstalling app failed. Result: " << result);
411
412     /* Check records in the security-manager database,
413      * all previously allowed privileges should be removed */
414     check_app_after_uninstall(sm_app_id, sm_pkg_id,
415                               SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
416 }
417
418 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
419 {
420     const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack";
421     const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
422     const char *const expected_label = USER_APP_ID;
423     const char *const socketLabel = "not_expected_label";
424     char *label = nullptr;
425     CStringPtr labelPtr;
426     int result;
427
428     uninstall_app(app_id, pkg_id, false, true);
429     install_app(app_id, pkg_id);
430
431     struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
432     //Clean up before creating socket
433     unlink(SOCK_PATH);
434     int sock = socket(AF_UNIX, SOCK_STREAM, 0);
435     RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
436     SockUniquePtr sockPtr(&sock);
437     //Bind socket to address
438     result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
439     RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
440     //Set socket label to something different than expecedLabel
441     result = fsetxattr(sock, XATTR_NAME_SMACKIPIN, socketLabel,
442         strlen(socketLabel), 0);
443     RUNNER_ASSERT_ERRNO_MSG(result == 0,
444         "Can't set socket label. Result: " << result);
445     result = fsetxattr(sock, XATTR_NAME_SMACKIPOUT, socketLabel,
446         strlen(socketLabel), 0);
447     RUNNER_ASSERT_ERRNO_MSG(result == 0,
448         "Can't set socket label. Result: " << result);
449
450     result = security_manager_set_process_label_from_appid(app_id);
451     RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
452             "security_manager_set_process_label_from_appid(" <<
453             app_id << ") failed. Result: " << result);
454
455     char value[SMACK_LABEL_LEN + 1];
456     ssize_t size;
457     size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value));
458     RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
459     result = strcmp(expected_label, value);
460     RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
461         expected_label << " Actual: " << value);
462
463     size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value));
464     RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
465     result = strcmp(expected_label, value);
466     RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
467         expected_label << " Actual: " << value);
468
469     result = smack_new_label_from_self(&label);
470     RUNNER_ASSERT_MSG(result >= 0,
471             " Error getting current process label");
472     RUNNER_ASSERT_MSG(label != nullptr,
473             " Process label is not set");
474     labelPtr.reset(label);
475
476     result = strcmp(expected_label, label);
477     RUNNER_ASSERT_MSG(result == 0,
478             " Process label is incorrect. Expected: \"" << expected_label <<
479             "\" Actual: \"" << label << "\"");
480
481     uninstall_app(app_id, pkg_id, true, true);
482 }
483
484 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
485 {
486     const char *const app_id = "sm_test_03_app_id_set_label_from_appid_nosmack";
487     const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_nosmack";
488     int result;
489
490     uninstall_app(app_id, pkg_id, false, true);
491     install_app(app_id, pkg_id);
492
493     result = security_manager_set_process_label_from_appid(app_id);
494     RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
495             "security_manager_set_process_label_from_appid(" <<
496             app_id << ") failed. Result: " << result);
497
498     uninstall_app(app_id, pkg_id, true, true);
499 }
500
501
502
503 static void prepare_request(AppInstReqUniquePtr &request,
504               const char *const app_id,
505               const char *const pkg_id,
506               app_install_path_type pathType,
507               const char *const path,
508               uid_t uid)
509 {
510     int result;
511     request.reset(do_app_inst_req_new());
512
513     result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
514     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
515             "setting app id failed. Result: " << result);
516
517     result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
518     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
519             "setting pkg id failed. Result: " << result);
520
521     result = security_manager_app_inst_req_add_path(request.get(), path, pathType);
522     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
523             "setting allowed path failed. Result: " << result);
524
525     if (uid != 0) {
526         result = security_manager_app_inst_req_set_uid(request.get(), uid);
527         RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
528                     "security_manager_app_inst_req_set_uid failed. Result: " << result);
529     }
530 }
531
532
533 static struct passwd* get_app_pw()
534 {
535     struct passwd *pw = nullptr;
536     errno = 0;
537     while(!(pw = getpwnam(APP_USER))) {
538         RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
539     }
540     return pw;
541 }
542
543
544 static void install_and_check(AppInstReqUniquePtr &request,
545                               const char *const sm_app_id,
546                               const char *const sm_pkg_id,
547                               const std::string &user, uid_t uid)
548 {
549     int result;
550     //install app for non-root user and try to register public path (should fail)
551     prepare_request(request, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PUBLIC, SM_PRIVATE_PATH_FOR_USER, uid);
552
553     result = security_manager_app_install(request.get());
554     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
555             "installing app not failed. Result: " << result);
556
557     //install app for non-root user
558     //should fail (users may only register folders inside their home)
559     prepare_request(request, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH, uid);
560
561     result = security_manager_app_install(request.get());
562     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
563             "installing app not failed. Result: " << result);
564     //install app for non-root user
565     //should succeed - this time i register folder inside user's home dir
566     prepare_request(request, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH_FOR_USER, uid);
567
568     for (auto &privilege : SM_ALLOWED_PRIVILEGES) {
569         result = security_manager_app_inst_req_add_privilege(request.get(), privilege.c_str());
570         RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
571             "setting allowed permission failed. Result: " << result);
572     }
573     result = security_manager_app_install(request.get());
574     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
575             "installing app failed. Result: " << result);
576
577     check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
578 }
579
580 RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
581 {
582     int result;
583     AppInstReqUniquePtr request;
584     const char *const sm_app_id = "sm_test_04a_app_id_uid";
585     const char *const sm_pkg_id = "sm_test_04a_pkg_id_uid";
586
587     struct passwd *pw = get_app_pw();
588     const std::string user =  std::to_string(static_cast<unsigned int>(pw->pw_uid));
589
590     //switch user to non-root
591     result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
592     RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
593
594     install_and_check(request, sm_app_id, sm_pkg_id, user, 0);
595
596     //uninstall app as non-root user
597     request.reset(do_app_inst_req_new());
598
599     result = security_manager_app_inst_req_set_app_id(request.get(), sm_app_id);
600     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
601             "setting app id failed. Result: " << result);
602
603     result = security_manager_app_uninstall(request.get());
604     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
605             "uninstalling app failed. Result: " << result);
606
607     check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
608 }
609
610 RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user)
611 {
612     int result;
613     AppInstReqUniquePtr request;
614     const char *const sm_app_id = "sm_test_04b_app_id_uid";
615     const char *const sm_pkg_id = "sm_test_04b_pkg_id_uid";
616
617     struct passwd *pw = get_app_pw();
618     const std::string user =  std::to_string(static_cast<unsigned int>(pw->pw_uid));
619
620     install_and_check(request, sm_app_id, sm_pkg_id, user, pw->pw_uid);
621
622     //switch user to non-root - root may not uninstall apps for specified users
623     result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
624     RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
625
626     //uninstall app as non-root user
627     request.reset(do_app_inst_req_new());
628
629     result = security_manager_app_inst_req_set_app_id(request.get(), sm_app_id);
630     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
631             "setting app id failed. Result: " << result);
632
633     result = security_manager_app_uninstall(request.get());
634     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
635             "uninstalling app failed. Result: " << result);
636
637     check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
638 }
639
640
641 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
642 {
643     int result;
644     CapsSetsUniquePtr caps, caps_empty(cap_init());
645
646     caps.reset(cap_from_text("all=eip"));
647     RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text");
648     result = cap_set_proc(caps.get());
649     RUNNER_ASSERT_MSG(result == 0,
650         "can't set capabilities. Result: " << result);
651
652     result = security_manager_drop_process_privileges();
653     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
654         "dropping caps failed. Result: " << result);
655
656     caps.reset(cap_get_proc());
657     RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
658
659     result = cap_compare(caps.get(), caps_empty.get());
660     RUNNER_ASSERT_MSG(result == 0,
661         "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
662 }
663
664 int main(int argc, char *argv[])
665 {
666     SummaryCollector::Register();
667     return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
668 }
Domain: Security / Uncategorized;