tests/security-manager-tests/security_manager_tests.cpp

   1 #include <dpl/test/test_runner.h>
   2 #include <fcntl.h>
   3 #include <stdio.h>
   4 #include <memory.h>
   5 #include <summary_collector.h>
   6 #include <string>
   7 #include <unordered_set>
   8 #include <sys/capability.h>
   9
  10 #include <grp.h>
  11 #include <pwd.h>
  12
  13 #include <libprivilege-control_test_common.h>
  14 #include <tests_common.h>
  15
  16 #include <security-manager.h>
  17 #include <sm_db.h>
  18 #include <cynara_test_client.h>
  19
  20 DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
  21 DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr);
  22
  23 static const char *const SM_APP_ID1 = "sm_test_app_id_double";
  24 static const char *const SM_PKG_ID1 = "sm_test_pkg_id_double";
  25
  26 static const char *const SM_APP_ID2 = "sm_test_app_id_full";
  27 static const char *const SM_PKG_ID2 = "sm_test_pkg_id_full";
  28
  29 static const char *const SM_APP_ID3 = "sm_test_app_id_uid";
  30 static const char *const SM_PKG_ID3 = "sm_test_pkg_id_uid";
  31
  32 static const privileges_t SM_ALLOWED_PRIVILEGES = {
  33     "security_manager_test_rules2_r",
  34     "security_manager_test_rules2_no_r"
  35 };
  36
  37 static const privileges_t SM_DENIED_PRIVILEGES  = {
  38     "security_manager_test_rules1",
  39     "security_manager_test_rules2"
  40 };
  41
  42 static const privileges_t SM_NO_PRIVILEGES  = {
  43 };
  44
  45 static const std::vector<gid_t> SM_ALLOWED_GIDS = {6001, 6002};
  46
  47 static const char *const SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir";
  48 static const char *const SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public";
  49 static const char *const SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro";
  50 static const char *const SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir";
  51 static const char *const SM_PRIVATE_PATH_FOR_USER = "/home/" APP_USER "/test_DIR";
  52 static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
  53
  54 static void generateAppLabel(const std::string &pkgId, std::string &label)
  55 {
  56     (void) pkgId;
  57     label = "User";
  58 }
  59
  60 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
  61                               const char* correctLabel, bool transmute_test, bool exec_test)
  62 {
  63     int result;
  64     CStringPtr labelPtr;
  65     char* label = nullptr;
  66
  67     /* ACCESS */
  68     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
  69     RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
  70     labelPtr.reset(label);
  71     RUNNER_ASSERT_MSG(label != nullptr, "ACCESS label on " << fpath << " is not set");
  72     result = strcmp(correctLabel, label);
  73     RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"
  74             " (should be '" << correctLabel << "' and is '" << label << "')");
  75
  76
  77     /* EXEC */
  78     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
  79     RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
  80     labelPtr.reset(label);
  81
  82     if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
  83         RUNNER_ASSERT_MSG(label != nullptr, "EXEC label on " << fpath << " is not set");
  84         result = strcmp(correctLabel, label);
  85         RUNNER_ASSERT_MSG(result == 0, "Incorrect EXEC label on executable file " << fpath);
  86     } else
  87         RUNNER_ASSERT_MSG(label == nullptr, "EXEC label on " << fpath << " is set");
  88
  89
  90     /* TRANSMUTE */
  91     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
  92     RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
  93     labelPtr.reset(label);
  94
  95     if (S_ISDIR(sb->st_mode) && transmute_test == true) {
  96         RUNNER_ASSERT_MSG(label != nullptr, "TRANSMUTE label on " << fpath << " is not set at all");
  97         RUNNER_ASSERT_MSG(strcmp(label,"TRUE") == 0,
  98                 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
  99     } else {
 100         RUNNER_ASSERT_MSG(label == nullptr, "TRANSMUTE label on " << fpath << " is set");
 101     }
 102
 103     return 0;
 104 }
 105
 106
 107 static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
 108                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
 109 {
 110     return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
 111 }
 112
 113 static int nftw_check_sm_labels_app_public_dir(const char *fpath, const struct stat *sb,
 114                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
 115 {
 116
 117     return nftw_check_sm_labels_app_dir(fpath, sb, "User", true, false);
 118 }
 119
 120 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
 121                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
 122 {
 123
 124     return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
 125 }
 126
 127 static app_inst_req* do_app_inst_req_new()
 128 {
 129     int result;
 130     app_inst_req *req = nullptr;
 131
 132     result = security_manager_app_inst_req_new(&req);
 133     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 134             "creation of new request failed. Result: " << result);
 135     RUNNER_ASSERT_MSG(req != nullptr, "creation of new request did not allocate memory");
 136     return req;
 137 }
 138
 139 static void prepare_app_path()
 140 {
 141     int result;
 142
 143     result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
 144     RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
 145
 146     result = nftw(SM_PUBLIC_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
 147     RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_PATH);
 148
 149     result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
 150     RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
 151
 152     result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
 153     RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
 154 }
 155
 156 static void prepare_app_env()
 157 {
 158     prepare_app_path();
 159 }
 160
 161 /* TODO: add parameters to this function */
 162 static void check_app_path_after_install()
 163 {
 164     int result;
 165
 166     result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
 167     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
 168
 169     result = nftw(SM_PUBLIC_PATH, &nftw_check_sm_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
 170     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_PATH);
 171
 172     result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
 173     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
 174
 175     result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
 176     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
 177 }
 178
 179
 180 static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
 181                                   const privileges_t &allowed_privs, const privileges_t &denied_privs)
 182 {
 183     (void) app_id;
 184     std::string smackLabel;
 185     generateAppLabel(pkg_id, smackLabel);
 186
 187     CynaraTestClient ctc;
 188
 189     for (auto &priv : allowed_privs) {
 190         ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_ALLOWED);
 191     }
 192
 193     for (auto &priv : denied_privs) {
 194         ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED);
 195     }
 196 }
 197
 198 static void check_app_gids(const char *const app_id, const std::vector<gid_t> &allowed_gids)
 199 {
 200     int ret;
 201     gid_t main_gid = getgid();
 202     std::unordered_set<gid_t> reference_gids(allowed_gids.begin(), allowed_gids.end());
 203
 204     // Reset supplementary groups
 205     ret = setgroups(0, NULL);
 206     RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
 207
 208     ret = security_manager_set_process_groups_from_appid(app_id);
 209     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS,
 210             "security_manager_set_process_groups_from_appid(" <<
 211             app_id << ") failed. Result: " << ret);
 212
 213     ret = getgroups(0, nullptr);
 214     RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
 215
 216     std::vector<gid_t> actual_gids(ret);
 217     ret = getgroups(ret, actual_gids.data());
 218     RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
 219
 220     for (const auto &gid : actual_gids) {
 221         RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0,
 222             "Application shouldn't get access to group " << gid);
 223         reference_gids.erase(gid);
 224     }
 225
 226     RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups");
 227 }
 228
 229 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
 230                                     const privileges_t &allowed_privs,
 231                                     const privileges_t &denied_privs,
 232                                     const std::vector<gid_t> &allowed_gids)
 233 {
 234     TestSecurityManagerDatabase dbtest;
 235     dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
 236     dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
 237
 238     /*Privileges should be granted to all users if root installs app*/
 239     check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
 240
 241     /* Setup mapping of gids to privileges */
 242     /* Do this for each privilege for extra check */
 243     for (const auto &privilege : allowed_privs) {
 244         dbtest.setup_privilege_gids(privilege, allowed_gids);
 245     }
 246
 247     check_app_gids(app_id, allowed_gids);
 248 }
 249
 250 static void check_app_after_install(const char *const app_id, const char *const pkg_id)
 251 {
 252     TestSecurityManagerDatabase dbtest;
 253     dbtest.test_db_after__app_install(app_id, pkg_id);
 254 }
 255
 256 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
 257                                       const privileges_t &privileges, const bool is_pkg_removed)
 258 {
 259     TestSecurityManagerDatabase dbtest;
 260     dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
 261
 262
 263     /*Privileges should not be granted anymore to any user*/
 264     check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges);
 265 }
 266
 267 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
 268                                       const bool is_pkg_removed)
 269 {
 270     TestSecurityManagerDatabase dbtest;
 271     dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
 272 }
 273
 274 static void install_app(const char *app_id, const char *pkg_id)
 275 {
 276     int result;
 277     AppInstReqUniquePtr request;
 278     request.reset(do_app_inst_req_new());
 279
 280     result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
 281     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 282             "setting app id failed. Result: " << result);
 283
 284     result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
 285     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 286             "setting pkg id failed. Result: " << result);
 287
 288     result = security_manager_app_install(request.get());
 289     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 290             "installing app failed. Result: " << result);
 291
 292     check_app_after_install(app_id, pkg_id);
 293
 294 }
 295
 296 static void uninstall_app(const char *app_id, const char *pkg_id,
 297         bool expect_installed, bool expect_pkg_removed)
 298 {
 299     int result;
 300     AppInstReqUniquePtr request;
 301     request.reset(do_app_inst_req_new());
 302
 303     result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
 304     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 305           "setting app id failed. Result: " << result);
 306
 307     result = security_manager_app_uninstall(request.get());
 308     RUNNER_ASSERT_MSG(!expect_installed || (lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 309           "uninstalling app failed. Result: " << result);
 310
 311     check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed);
 312 }
 313
 314
 315 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
 316
 317
 318 RUNNER_TEST(security_manager_01_app_double_install_double_uninstall)
 319 {
 320     int result;
 321     AppInstReqUniquePtr request;
 322
 323     request.reset(do_app_inst_req_new());
 324
 325     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
 326     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 327             "setting app id failed. Result: " << result);
 328
 329     result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID1);
 330     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 331             "setting pkg id failed. Result: " << result);
 332
 333     result = security_manager_app_install(request.get());
 334     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 335             "installing app failed. Result: " << result);
 336
 337     result = security_manager_app_install(request.get());
 338     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 339             "installing already installed app failed. Result: " << result);
 340
 341     /* Check records in the security-manager database */
 342     check_app_after_install(SM_APP_ID1, SM_PKG_ID1);
 343
 344     request.reset(do_app_inst_req_new());
 345
 346     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
 347     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 348             "setting app id failed. Result: " << result);
 349
 350     result = security_manager_app_uninstall(request.get());
 351     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 352             "uninstalling app failed. Result: " << result);
 353
 354     result = security_manager_app_uninstall(request.get());
 355     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 356             "uninstalling already uninstalled app failed. Result: " << result);
 357
 358     /* Check records in the security-manager database */
 359     check_app_after_uninstall(SM_APP_ID1, SM_PKG_ID1, TestSecurityManagerDatabase::REMOVED);
 360 }
 361
 362 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
 363 {
 364     int result;
 365     AppInstReqUniquePtr request;
 366
 367     prepare_app_env();
 368
 369     request.reset(do_app_inst_req_new());
 370
 371     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
 372     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 373             "setting app id failed. Result: " << result);
 374
 375     result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID2);
 376     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 377             "setting pkg id failed. Result: " << result);
 378
 379     result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[0].c_str());
 380     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 381             "setting allowed permission failed. Result: " << result);
 382     result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[1].c_str());
 383     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 384             "setting allowed permission failed. Result: " << result);
 385
 386     result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH,
 387                                                     SECURITY_MANAGER_PATH_PRIVATE);
 388     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 389             "setting allowed path failed. Result: " << result);
 390
 391     result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_PATH,
 392                                                     SECURITY_MANAGER_PATH_PUBLIC);
 393     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 394             "setting allowed path failed. Result: " << result);
 395
 396     result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH,
 397                                                     SECURITY_MANAGER_PATH_PUBLIC_RO);
 398     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 399             "setting allowed path failed. Result: " << result);
 400
 401     result = security_manager_app_install(request.get());
 402     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 403             "installing app failed. Result: " << result);
 404
 405     /* Check records in the security-manager database */
 406     check_app_after_install(SM_APP_ID2, SM_PKG_ID2,
 407                             SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GIDS);
 408
 409     /* TODO: add parameters to this function */
 410     check_app_path_after_install();
 411
 412     request.reset(do_app_inst_req_new());
 413
 414     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
 415     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 416             "setting app id failed. Result: " << result);
 417
 418     result = security_manager_app_uninstall(request.get());
 419     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 420             "uninstalling app failed. Result: " << result);
 421
 422     /* Check records in the security-manager database,
 423      * all previously allowed privileges should be removed */
 424     check_app_after_uninstall(SM_APP_ID2, SM_PKG_ID2,
 425                               SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
 426 }
 427
 428 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
 429 {
 430     const char *const app_id = "sm_test_app_id_set_label_from_appid";
 431     const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
 432     const char *const expected_label = USER_APP_ID;
 433     char *label = nullptr;
 434     CStringPtr labelPtr;
 435     int result;
 436
 437     uninstall_app(app_id, pkg_id, false, true);
 438     install_app(app_id, pkg_id);
 439
 440     result = security_manager_set_process_label_from_appid(app_id);
 441     RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
 442             "security_manager_set_process_label_from_appid(" <<
 443             app_id << ") failed. Result: " << result);
 444
 445     result = smack_new_label_from_self(&label);
 446     RUNNER_ASSERT_MSG(result >= 0,
 447             " Error getting current process label");
 448     RUNNER_ASSERT_MSG(label != nullptr,
 449             " Process label is not set");
 450     labelPtr.reset(label);
 451
 452     result = strcmp(expected_label, label);
 453     RUNNER_ASSERT_MSG(result == 0,
 454             " Process label is incorrect. Expected: \"" << expected_label <<
 455             "\" Actual: \"" << label << "\"");
 456
 457     uninstall_app(app_id, pkg_id, true, true);
 458 }
 459
 460 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
 461 {
 462     const char *const app_id = "sm_test_app_id_set_label_from_appid";
 463     const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
 464     int result;
 465
 466     uninstall_app(app_id, pkg_id, false, true);
 467     install_app(app_id, pkg_id);
 468
 469     result = security_manager_set_process_label_from_appid(app_id);
 470     RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
 471             "security_manager_set_process_label_from_appid(" <<
 472             app_id << ") failed. Result: " << result);
 473
 474     uninstall_app(app_id, pkg_id, true, true);
 475 }
 476
 477
 478
 479 static void prepare_request(AppInstReqUniquePtr &request,
 480               const char *const app_id,
 481               const char *const pkg_id,
 482               app_install_path_type pathType,
 483               const char *const path)
 484 {
 485     int result;
 486     request.reset(do_app_inst_req_new());
 487
 488     result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
 489     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 490             "setting app id failed. Result: " << result);
 491
 492     result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
 493     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 494             "setting pkg id failed. Result: " << result);
 495
 496     result = security_manager_app_inst_req_add_path(request.get(), path, pathType);
 497     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 498             "setting allowed path failed. Result: " << result);
 499 }
 500
 501
 502 static struct passwd* get_app_pw()
 503 {
 504     struct passwd *pw = nullptr;
 505     errno = 0;
 506     while(!(pw = getpwnam(APP_USER))) {
 507         RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
 508     }
 509     return pw;
 510 }
 511
 512 RUNNER_CHILD_TEST(security_manager_04_app_install_uninstall_by_app_user)
 513 {
 514     int result;
 515     AppInstReqUniquePtr request;
 516     struct passwd *pw = get_app_pw();
 517     const std::string user =  std::to_string(static_cast<unsigned int>(pw->pw_uid));
 518
 519     //switch user to non-root
 520     result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
 521     RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
 522
 523     //install app as non-root user and try to register public path (should fail)
 524     prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PUBLIC, SM_PRIVATE_PATH_FOR_USER);
 525
 526     result = security_manager_app_install(request.get());
 527     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
 528             "installing app not failed. Result: " << result);
 529
 530     //install app as non-root user
 531     //should fail (non-root users may only register folders inside their home)
 532     prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH);
 533
 534     result = security_manager_app_install(request.get());
 535     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
 536             "installing app not failed. Result: " << result);
 537
 538     //install app as non-root user
 539     //should succeed - this time i register folder inside user's home dir
 540     prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH_FOR_USER);
 541
 542     for (auto &privilege : SM_ALLOWED_PRIVILEGES) {
 543         result = security_manager_app_inst_req_add_privilege(request.get(), privilege.c_str());
 544         RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 545             "setting allowed permission failed. Result: " << result);
 546     }
 547
 548     result = security_manager_app_install(request.get());
 549     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 550             "installing app failed. Result: " << result);
 551
 552     check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
 553
 554     //uninstall app as non-root user
 555     request.reset(do_app_inst_req_new());
 556
 557     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID3);
 558     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 559             "setting app id failed. Result: " << result);
 560
 561     result = security_manager_app_uninstall(request.get());
 562     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 563             "uninstalling app failed. Result: " << result);
 564
 565     check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
 566 }
 567
 568 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
 569 {
 570     int result;
 571     CapsSetsUniquePtr caps, caps_empty(cap_init());
 572
 573     caps.reset(cap_from_text("all=eip"));
 574     RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text");
 575     result = cap_set_proc(caps.get());
 576     RUNNER_ASSERT_MSG(result == 0,
 577         "can't set capabilities. Result: " << result);
 578
 579     result = security_manager_drop_process_privileges();
 580     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 581         "dropping caps failed. Result: " << result);
 582
 583     caps.reset(cap_get_proc());
 584     RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
 585
 586     result = cap_compare(caps.get(), caps_empty.get());
 587     RUNNER_ASSERT_MSG(result == 0,
 588         "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
 589 }
 590
 591 int main(int argc, char *argv[])
 592 {
 593     SummaryCollector::Register();
 594     return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
 595 }