1 #include <dpl/test/test_runner.h>
5 #include <summary_collector.h>
7 #include <unordered_set>
8 #include <sys/capability.h>
10 #include <sys/socket.h>
12 #include <attr/xattr.h>
13 #include <linux/xattr.h>
18 #include <libprivilege-control_test_common.h>
19 #include <tests_common.h>
21 #include <security-manager.h>
23 #include <cynara_test_client.h>
25 DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
26 DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr);
28 static const privileges_t SM_ALLOWED_PRIVILEGES = {
29 "security_manager_test_rules2_r",
30 "security_manager_test_rules2_no_r"
33 static const privileges_t SM_DENIED_PRIVILEGES = {
34 "security_manager_test_rules1",
35 "security_manager_test_rules2"
38 static const privileges_t SM_NO_PRIVILEGES = {
41 static const std::vector<std::string> SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"};
43 static const char *const SM_PRIVATE_PATH = "/usr/apps/test_DIR/app_dir";
44 static const char *const SM_PUBLIC_RO_PATH = "/usr/apps/test_DIR/app_dir_public_ro";
45 static const char *const SM_DENIED_PATH = "/usr/apps/test_DIR/non_app_dir";
46 static const char *const SM_PRIVATE_PATH_FOR_USER = "/home/" APP_USER "/test_DIR";
47 static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
49 static void generateAppLabel(const std::string &pkgId, std::string &label)
55 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
56 const char* correctLabel, bool transmute_test, bool exec_test)
60 char* label = nullptr;
63 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
64 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
65 labelPtr.reset(label);
66 RUNNER_ASSERT_MSG(label != nullptr, "ACCESS label on " << fpath << " is not set");
67 result = strcmp(correctLabel, label);
68 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"
69 " (should be '" << correctLabel << "' and is '" << label << "')");
73 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
74 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
75 labelPtr.reset(label);
77 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
78 RUNNER_ASSERT_MSG(label != nullptr, "EXEC label on " << fpath << " is not set");
79 result = strcmp(correctLabel, label);
80 RUNNER_ASSERT_MSG(result == 0, "Incorrect EXEC label on executable file " << fpath);
82 RUNNER_ASSERT_MSG(label == nullptr, "EXEC label on " << fpath << " is set");
86 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
87 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
88 labelPtr.reset(label);
90 if (S_ISDIR(sb->st_mode) && transmute_test == true) {
91 RUNNER_ASSERT_MSG(label != nullptr, "TRANSMUTE label on " << fpath << " is not set at all");
92 RUNNER_ASSERT_MSG(strcmp(label,"TRUE") == 0,
93 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
95 RUNNER_ASSERT_MSG(label == nullptr, "TRANSMUTE label on " << fpath << " is set");
102 static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
103 int /*typeflag*/, struct FTW* /*ftwbuf*/)
105 return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
108 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
109 int /*typeflag*/, struct FTW* /*ftwbuf*/)
112 return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
115 static app_inst_req* do_app_inst_req_new()
118 app_inst_req *req = nullptr;
120 result = security_manager_app_inst_req_new(&req);
121 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
122 "creation of new request failed. Result: " << result);
123 RUNNER_ASSERT_MSG(req != nullptr, "creation of new request did not allocate memory");
127 static void prepare_app_path()
131 result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
132 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
134 result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
135 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
137 result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
138 RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
141 static void prepare_app_env()
146 /* TODO: add parameters to this function */
147 static void check_app_path_after_install()
151 result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
152 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
154 result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
155 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
157 result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
158 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
162 static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
163 const privileges_t &allowed_privs, const privileges_t &denied_privs)
166 std::string smackLabel;
167 generateAppLabel(pkg_id, smackLabel);
169 CynaraTestClient ctc;
171 for (auto &priv : allowed_privs) {
172 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_ALLOWED);
175 for (auto &priv : denied_privs) {
176 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED);
180 static void check_app_gids(const char *const app_id, const std::vector<gid_t> &allowed_gids)
183 gid_t main_gid = getgid();
184 std::unordered_set<gid_t> reference_gids(allowed_gids.begin(), allowed_gids.end());
186 // Reset supplementary groups
187 ret = setgroups(0, NULL);
188 RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
190 ret = security_manager_set_process_groups_from_appid(app_id);
191 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS,
192 "security_manager_set_process_groups_from_appid(" <<
193 app_id << ") failed. Result: " << ret);
195 ret = getgroups(0, nullptr);
196 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
198 std::vector<gid_t> actual_gids(ret);
199 ret = getgroups(ret, actual_gids.data());
200 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
202 for (const auto &gid : actual_gids) {
203 RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0,
204 "Application shouldn't get access to group " << gid);
205 reference_gids.erase(gid);
208 RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups");
211 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
212 const privileges_t &allowed_privs,
213 const privileges_t &denied_privs,
214 const std::vector<std::string> &allowed_groups)
216 TestSecurityManagerDatabase dbtest;
217 dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
218 dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
220 /*Privileges should be granted to all users if root installs app*/
221 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
223 /* Setup mapping of gids to privileges */
224 /* Do this for each privilege for extra check */
225 for (const auto &privilege : allowed_privs) {
226 dbtest.setup_privilege_groups(privilege, allowed_groups);
229 std::vector<gid_t> allowed_gids;
231 for (const auto &groupName : allowed_groups) {
233 struct group* grp = getgrnam(groupName.c_str());
234 RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found");
235 allowed_gids.push_back(grp->gr_gid);
238 check_app_gids(app_id, allowed_gids);
241 static void check_app_after_install(const char *const app_id, const char *const pkg_id)
243 TestSecurityManagerDatabase dbtest;
244 dbtest.test_db_after__app_install(app_id, pkg_id);
247 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
248 const privileges_t &privileges, const bool is_pkg_removed)
250 TestSecurityManagerDatabase dbtest;
251 dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
254 /*Privileges should not be granted anymore to any user*/
255 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges);
258 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
259 const bool is_pkg_removed)
261 TestSecurityManagerDatabase dbtest;
262 dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
265 static void install_app(const char *app_id, const char *pkg_id)
268 AppInstReqUniquePtr request;
269 request.reset(do_app_inst_req_new());
271 result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
272 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
273 "setting app id failed. Result: " << result);
275 result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
276 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
277 "setting pkg id failed. Result: " << result);
279 result = security_manager_app_install(request.get());
280 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
281 "installing app failed. Result: " << result);
283 check_app_after_install(app_id, pkg_id);
287 static void uninstall_app(const char *app_id, const char *pkg_id,
288 bool expect_installed, bool expect_pkg_removed)
291 AppInstReqUniquePtr request;
292 request.reset(do_app_inst_req_new());
294 result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
295 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
296 "setting app id failed. Result: " << result);
298 result = security_manager_app_uninstall(request.get());
299 RUNNER_ASSERT_MSG(!expect_installed || (lib_retcode)result == SECURITY_MANAGER_SUCCESS,
300 "uninstalling app failed. Result: " << result);
302 check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed);
306 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
309 RUNNER_TEST(security_manager_01_app_double_install_double_uninstall)
312 AppInstReqUniquePtr request;
313 const char *const sm_app_id = "sm_test_01_app_id_double";
314 const char *const sm_pkg_id = "sm_test_01_pkg_id_double";
316 request.reset(do_app_inst_req_new());
318 result = security_manager_app_inst_req_set_app_id(request.get(), sm_app_id);
319 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
320 "setting app id failed. Result: " << result);
322 result = security_manager_app_inst_req_set_pkg_id(request.get(), sm_pkg_id);
323 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
324 "setting pkg id failed. Result: " << result);
326 result = security_manager_app_install(request.get());
327 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
328 "installing app failed. Result: " << result);
330 result = security_manager_app_install(request.get());
331 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
332 "installing already installed app failed. Result: " << result);
334 /* Check records in the security-manager database */
335 check_app_after_install(sm_app_id, sm_pkg_id);
337 request.reset(do_app_inst_req_new());
339 result = security_manager_app_inst_req_set_app_id(request.get(), sm_app_id);
340 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
341 "setting app id failed. Result: " << result);
343 result = security_manager_app_uninstall(request.get());
344 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
345 "uninstalling app failed. Result: " << result);
347 result = security_manager_app_uninstall(request.get());
348 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
349 "uninstalling already uninstalled app failed. Result: " << result);
351 /* Check records in the security-manager database */
352 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
355 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
358 AppInstReqUniquePtr request;
359 const char *const sm_app_id = "sm_test_02_app_id_full";
360 const char *const sm_pkg_id = "sm_test_02_pkg_id_full";
364 request.reset(do_app_inst_req_new());
366 result = security_manager_app_inst_req_set_app_id(request.get(), sm_app_id);
367 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
368 "setting app id failed. Result: " << result);
370 result = security_manager_app_inst_req_set_pkg_id(request.get(), sm_pkg_id);
371 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
372 "setting pkg id failed. Result: " << result);
374 result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[0].c_str());
375 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
376 "setting allowed permission failed. Result: " << result);
377 result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[1].c_str());
378 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
379 "setting allowed permission failed. Result: " << result);
381 result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH,
382 SECURITY_MANAGER_PATH_PRIVATE);
383 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
384 "setting allowed path failed. Result: " << result);
386 result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH,
387 SECURITY_MANAGER_PATH_PUBLIC_RO);
388 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
389 "setting allowed path failed. Result: " << result);
391 result = security_manager_app_install(request.get());
392 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
393 "installing app failed. Result: " << result);
395 /* Check records in the security-manager database */
396 check_app_after_install(sm_app_id, sm_pkg_id,
397 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
399 /* TODO: add parameters to this function */
400 check_app_path_after_install();
402 request.reset(do_app_inst_req_new());
404 result = security_manager_app_inst_req_set_app_id(request.get(), sm_app_id);
405 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
406 "setting app id failed. Result: " << result);
408 result = security_manager_app_uninstall(request.get());
409 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
410 "uninstalling app failed. Result: " << result);
412 /* Check records in the security-manager database,
413 * all previously allowed privileges should be removed */
414 check_app_after_uninstall(sm_app_id, sm_pkg_id,
415 SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
418 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
420 const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack";
421 const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
422 const char *const expected_label = USER_APP_ID;
423 const char *const socketLabel = "not_expected_label";
424 char *label = nullptr;
428 uninstall_app(app_id, pkg_id, false, true);
429 install_app(app_id, pkg_id);
431 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
432 //Clean up before creating socket
434 int sock = socket(AF_UNIX, SOCK_STREAM, 0);
435 RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
436 SockUniquePtr sockPtr(&sock);
437 //Bind socket to address
438 result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
439 RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
440 //Set socket label to something different than expecedLabel
441 result = fsetxattr(sock, XATTR_NAME_SMACKIPIN, socketLabel,
442 strlen(socketLabel), 0);
443 RUNNER_ASSERT_ERRNO_MSG(result == 0,
444 "Can't set socket label. Result: " << result);
445 result = fsetxattr(sock, XATTR_NAME_SMACKIPOUT, socketLabel,
446 strlen(socketLabel), 0);
447 RUNNER_ASSERT_ERRNO_MSG(result == 0,
448 "Can't set socket label. Result: " << result);
450 result = security_manager_set_process_label_from_appid(app_id);
451 RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
452 "security_manager_set_process_label_from_appid(" <<
453 app_id << ") failed. Result: " << result);
455 char value[SMACK_LABEL_LEN + 1];
457 size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value));
458 RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
459 result = strcmp(expected_label, value);
460 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
461 expected_label << " Actual: " << value);
463 size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value));
464 RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
465 result = strcmp(expected_label, value);
466 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
467 expected_label << " Actual: " << value);
469 result = smack_new_label_from_self(&label);
470 RUNNER_ASSERT_MSG(result >= 0,
471 " Error getting current process label");
472 RUNNER_ASSERT_MSG(label != nullptr,
473 " Process label is not set");
474 labelPtr.reset(label);
476 result = strcmp(expected_label, label);
477 RUNNER_ASSERT_MSG(result == 0,
478 " Process label is incorrect. Expected: \"" << expected_label <<
479 "\" Actual: \"" << label << "\"");
481 uninstall_app(app_id, pkg_id, true, true);
484 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
486 const char *const app_id = "sm_test_03_app_id_set_label_from_appid_nosmack";
487 const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_nosmack";
490 uninstall_app(app_id, pkg_id, false, true);
491 install_app(app_id, pkg_id);
493 result = security_manager_set_process_label_from_appid(app_id);
494 RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
495 "security_manager_set_process_label_from_appid(" <<
496 app_id << ") failed. Result: " << result);
498 uninstall_app(app_id, pkg_id, true, true);
503 static void prepare_request(AppInstReqUniquePtr &request,
504 const char *const app_id,
505 const char *const pkg_id,
506 app_install_path_type pathType,
507 const char *const path,
511 request.reset(do_app_inst_req_new());
513 result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
514 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
515 "setting app id failed. Result: " << result);
517 result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
518 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
519 "setting pkg id failed. Result: " << result);
521 result = security_manager_app_inst_req_add_path(request.get(), path, pathType);
522 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
523 "setting allowed path failed. Result: " << result);
526 result = security_manager_app_inst_req_set_uid(request.get(), uid);
527 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
528 "security_manager_app_inst_req_set_uid failed. Result: " << result);
533 static struct passwd* get_app_pw()
535 struct passwd *pw = nullptr;
537 while(!(pw = getpwnam(APP_USER))) {
538 RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
544 static void install_and_check(AppInstReqUniquePtr &request,
545 const char *const sm_app_id,
546 const char *const sm_pkg_id,
547 const std::string &user, uid_t uid)
550 //install app for non-root user and try to register public path (should fail)
551 prepare_request(request, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PUBLIC, SM_PRIVATE_PATH_FOR_USER, uid);
553 result = security_manager_app_install(request.get());
554 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
555 "installing app not failed. Result: " << result);
557 //install app for non-root user
558 //should fail (users may only register folders inside their home)
559 prepare_request(request, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH, uid);
561 result = security_manager_app_install(request.get());
562 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
563 "installing app not failed. Result: " << result);
564 //install app for non-root user
565 //should succeed - this time i register folder inside user's home dir
566 prepare_request(request, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH_FOR_USER, uid);
568 for (auto &privilege : SM_ALLOWED_PRIVILEGES) {
569 result = security_manager_app_inst_req_add_privilege(request.get(), privilege.c_str());
570 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
571 "setting allowed permission failed. Result: " << result);
573 result = security_manager_app_install(request.get());
574 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
575 "installing app failed. Result: " << result);
577 check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
580 RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
583 AppInstReqUniquePtr request;
584 const char *const sm_app_id = "sm_test_04a_app_id_uid";
585 const char *const sm_pkg_id = "sm_test_04a_pkg_id_uid";
587 struct passwd *pw = get_app_pw();
588 const std::string user = std::to_string(static_cast<unsigned int>(pw->pw_uid));
590 //switch user to non-root
591 result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
592 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
594 install_and_check(request, sm_app_id, sm_pkg_id, user, 0);
596 //uninstall app as non-root user
597 request.reset(do_app_inst_req_new());
599 result = security_manager_app_inst_req_set_app_id(request.get(), sm_app_id);
600 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
601 "setting app id failed. Result: " << result);
603 result = security_manager_app_uninstall(request.get());
604 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
605 "uninstalling app failed. Result: " << result);
607 check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
610 RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user)
613 AppInstReqUniquePtr request;
614 const char *const sm_app_id = "sm_test_04b_app_id_uid";
615 const char *const sm_pkg_id = "sm_test_04b_pkg_id_uid";
617 struct passwd *pw = get_app_pw();
618 const std::string user = std::to_string(static_cast<unsigned int>(pw->pw_uid));
620 install_and_check(request, sm_app_id, sm_pkg_id, user, pw->pw_uid);
622 //switch user to non-root - root may not uninstall apps for specified users
623 result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
624 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
626 //uninstall app as non-root user
627 request.reset(do_app_inst_req_new());
629 result = security_manager_app_inst_req_set_app_id(request.get(), sm_app_id);
630 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
631 "setting app id failed. Result: " << result);
633 result = security_manager_app_uninstall(request.get());
634 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
635 "uninstalling app failed. Result: " << result);
637 check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
641 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
644 CapsSetsUniquePtr caps, caps_empty(cap_init());
646 caps.reset(cap_from_text("all=eip"));
647 RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text");
648 result = cap_set_proc(caps.get());
649 RUNNER_ASSERT_MSG(result == 0,
650 "can't set capabilities. Result: " << result);
652 result = security_manager_drop_process_privileges();
653 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
654 "dropping caps failed. Result: " << result);
656 caps.reset(cap_get_proc());
657 RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
659 result = cap_compare(caps.get(), caps_empty.get());
660 RUNNER_ASSERT_MSG(result == 0,
661 "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
664 int main(int argc, char *argv[])
666 SummaryCollector::Register();
667 return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);