1 #include <dpl/test/test_runner.h>
5 #include <summary_collector.h>
7 #include <unordered_set>
8 #include <sys/capability.h>
10 #include <sys/socket.h>
12 #include <attr/xattr.h>
13 #include <linux/xattr.h>
18 #include <libprivilege-control_test_common.h>
19 #include <tests_common.h>
21 #include <security-manager.h>
23 #include <cynara_test_client.h>
25 DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
26 DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr);
28 static const char *const SM_APP_ID1 = "sm_test_app_id_double";
29 static const char *const SM_PKG_ID1 = "sm_test_pkg_id_double";
31 static const char *const SM_APP_ID2 = "sm_test_app_id_full";
32 static const char *const SM_PKG_ID2 = "sm_test_pkg_id_full";
34 static const char *const SM_APP_ID3 = "sm_test_app_id_uid";
35 static const char *const SM_PKG_ID3 = "sm_test_pkg_id_uid";
37 static const privileges_t SM_ALLOWED_PRIVILEGES = {
38 "security_manager_test_rules2_r",
39 "security_manager_test_rules2_no_r"
42 static const privileges_t SM_DENIED_PRIVILEGES = {
43 "security_manager_test_rules1",
44 "security_manager_test_rules2"
47 static const privileges_t SM_NO_PRIVILEGES = {
50 static const std::vector<gid_t> SM_ALLOWED_GIDS = {6001, 6002};
52 static const char *const SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir";
53 static const char *const SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public";
54 static const char *const SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro";
55 static const char *const SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir";
56 static const char *const SM_PRIVATE_PATH_FOR_USER = "/home/" APP_USER "/test_DIR";
57 static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
59 static void generateAppLabel(const std::string &pkgId, std::string &label)
65 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
66 const char* correctLabel, bool transmute_test, bool exec_test)
70 char* label = nullptr;
73 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
74 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
75 labelPtr.reset(label);
76 RUNNER_ASSERT_MSG(label != nullptr, "ACCESS label on " << fpath << " is not set");
77 result = strcmp(correctLabel, label);
78 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"
79 " (should be '" << correctLabel << "' and is '" << label << "')");
83 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
84 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
85 labelPtr.reset(label);
87 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
88 RUNNER_ASSERT_MSG(label != nullptr, "EXEC label on " << fpath << " is not set");
89 result = strcmp(correctLabel, label);
90 RUNNER_ASSERT_MSG(result == 0, "Incorrect EXEC label on executable file " << fpath);
92 RUNNER_ASSERT_MSG(label == nullptr, "EXEC label on " << fpath << " is set");
96 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
97 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
98 labelPtr.reset(label);
100 if (S_ISDIR(sb->st_mode) && transmute_test == true) {
101 RUNNER_ASSERT_MSG(label != nullptr, "TRANSMUTE label on " << fpath << " is not set at all");
102 RUNNER_ASSERT_MSG(strcmp(label,"TRUE") == 0,
103 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
105 RUNNER_ASSERT_MSG(label == nullptr, "TRANSMUTE label on " << fpath << " is set");
112 static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
113 int /*typeflag*/, struct FTW* /*ftwbuf*/)
115 return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
118 static int nftw_check_sm_labels_app_public_dir(const char *fpath, const struct stat *sb,
119 int /*typeflag*/, struct FTW* /*ftwbuf*/)
122 return nftw_check_sm_labels_app_dir(fpath, sb, "User", true, false);
125 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
126 int /*typeflag*/, struct FTW* /*ftwbuf*/)
129 return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
132 static app_inst_req* do_app_inst_req_new()
135 app_inst_req *req = nullptr;
137 result = security_manager_app_inst_req_new(&req);
138 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
139 "creation of new request failed. Result: " << result);
140 RUNNER_ASSERT_MSG(req != nullptr, "creation of new request did not allocate memory");
144 static void prepare_app_path()
148 result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
149 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
151 result = nftw(SM_PUBLIC_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
152 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_PATH);
154 result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
155 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
157 result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
158 RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
161 static void prepare_app_env()
166 /* TODO: add parameters to this function */
167 static void check_app_path_after_install()
171 result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
172 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
174 result = nftw(SM_PUBLIC_PATH, &nftw_check_sm_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
175 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_PATH);
177 result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
178 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
180 result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
181 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
185 static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
186 const privileges_t &allowed_privs, const privileges_t &denied_privs)
189 std::string smackLabel;
190 generateAppLabel(pkg_id, smackLabel);
192 CynaraTestClient ctc;
194 for (auto &priv : allowed_privs) {
195 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_ALLOWED);
198 for (auto &priv : denied_privs) {
199 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED);
203 static void check_app_gids(const char *const app_id, const std::vector<gid_t> &allowed_gids)
206 gid_t main_gid = getgid();
207 std::unordered_set<gid_t> reference_gids(allowed_gids.begin(), allowed_gids.end());
209 // Reset supplementary groups
210 ret = setgroups(0, NULL);
211 RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
213 ret = security_manager_set_process_groups_from_appid(app_id);
214 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS,
215 "security_manager_set_process_groups_from_appid(" <<
216 app_id << ") failed. Result: " << ret);
218 ret = getgroups(0, nullptr);
219 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
221 std::vector<gid_t> actual_gids(ret);
222 ret = getgroups(ret, actual_gids.data());
223 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
225 for (const auto &gid : actual_gids) {
226 RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0,
227 "Application shouldn't get access to group " << gid);
228 reference_gids.erase(gid);
231 RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups");
234 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
235 const privileges_t &allowed_privs,
236 const privileges_t &denied_privs,
237 const std::vector<gid_t> &allowed_gids)
239 TestSecurityManagerDatabase dbtest;
240 dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
241 dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
243 /*Privileges should be granted to all users if root installs app*/
244 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
246 /* Setup mapping of gids to privileges */
247 /* Do this for each privilege for extra check */
248 for (const auto &privilege : allowed_privs) {
249 dbtest.setup_privilege_gids(privilege, allowed_gids);
252 check_app_gids(app_id, allowed_gids);
255 static void check_app_after_install(const char *const app_id, const char *const pkg_id)
257 TestSecurityManagerDatabase dbtest;
258 dbtest.test_db_after__app_install(app_id, pkg_id);
261 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
262 const privileges_t &privileges, const bool is_pkg_removed)
264 TestSecurityManagerDatabase dbtest;
265 dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
268 /*Privileges should not be granted anymore to any user*/
269 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges);
272 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
273 const bool is_pkg_removed)
275 TestSecurityManagerDatabase dbtest;
276 dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
279 static void install_app(const char *app_id, const char *pkg_id)
282 AppInstReqUniquePtr request;
283 request.reset(do_app_inst_req_new());
285 result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
286 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
287 "setting app id failed. Result: " << result);
289 result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
290 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
291 "setting pkg id failed. Result: " << result);
293 result = security_manager_app_install(request.get());
294 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
295 "installing app failed. Result: " << result);
297 check_app_after_install(app_id, pkg_id);
301 static void uninstall_app(const char *app_id, const char *pkg_id,
302 bool expect_installed, bool expect_pkg_removed)
305 AppInstReqUniquePtr request;
306 request.reset(do_app_inst_req_new());
308 result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
309 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
310 "setting app id failed. Result: " << result);
312 result = security_manager_app_uninstall(request.get());
313 RUNNER_ASSERT_MSG(!expect_installed || (lib_retcode)result == SECURITY_MANAGER_SUCCESS,
314 "uninstalling app failed. Result: " << result);
316 check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed);
320 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
323 RUNNER_TEST(security_manager_01_app_double_install_double_uninstall)
326 AppInstReqUniquePtr request;
328 request.reset(do_app_inst_req_new());
330 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
331 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
332 "setting app id failed. Result: " << result);
334 result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID1);
335 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
336 "setting pkg id failed. Result: " << result);
338 result = security_manager_app_install(request.get());
339 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
340 "installing app failed. Result: " << result);
342 result = security_manager_app_install(request.get());
343 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
344 "installing already installed app failed. Result: " << result);
346 /* Check records in the security-manager database */
347 check_app_after_install(SM_APP_ID1, SM_PKG_ID1);
349 request.reset(do_app_inst_req_new());
351 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
352 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
353 "setting app id failed. Result: " << result);
355 result = security_manager_app_uninstall(request.get());
356 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
357 "uninstalling app failed. Result: " << result);
359 result = security_manager_app_uninstall(request.get());
360 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
361 "uninstalling already uninstalled app failed. Result: " << result);
363 /* Check records in the security-manager database */
364 check_app_after_uninstall(SM_APP_ID1, SM_PKG_ID1, TestSecurityManagerDatabase::REMOVED);
367 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
370 AppInstReqUniquePtr request;
374 request.reset(do_app_inst_req_new());
376 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
377 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
378 "setting app id failed. Result: " << result);
380 result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID2);
381 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
382 "setting pkg id failed. Result: " << result);
384 result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[0].c_str());
385 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
386 "setting allowed permission failed. Result: " << result);
387 result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[1].c_str());
388 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
389 "setting allowed permission failed. Result: " << result);
391 result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH,
392 SECURITY_MANAGER_PATH_PRIVATE);
393 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
394 "setting allowed path failed. Result: " << result);
396 result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_PATH,
397 SECURITY_MANAGER_PATH_PUBLIC);
398 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
399 "setting allowed path failed. Result: " << result);
401 result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH,
402 SECURITY_MANAGER_PATH_PUBLIC_RO);
403 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
404 "setting allowed path failed. Result: " << result);
406 result = security_manager_app_install(request.get());
407 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
408 "installing app failed. Result: " << result);
410 /* Check records in the security-manager database */
411 check_app_after_install(SM_APP_ID2, SM_PKG_ID2,
412 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GIDS);
414 /* TODO: add parameters to this function */
415 check_app_path_after_install();
417 request.reset(do_app_inst_req_new());
419 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
420 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
421 "setting app id failed. Result: " << result);
423 result = security_manager_app_uninstall(request.get());
424 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
425 "uninstalling app failed. Result: " << result);
427 /* Check records in the security-manager database,
428 * all previously allowed privileges should be removed */
429 check_app_after_uninstall(SM_APP_ID2, SM_PKG_ID2,
430 SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
433 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
435 const char *const app_id = "sm_test_app_id_set_label_from_appid";
436 const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
437 const char *const expected_label = USER_APP_ID;
438 const char *const socketLabel = "not_expected_label";
439 char *label = nullptr;
443 uninstall_app(app_id, pkg_id, false, true);
444 install_app(app_id, pkg_id);
446 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
447 //Clean up before creating socket
449 int sock = socket(AF_UNIX, SOCK_STREAM, 0);
450 RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
451 SockUniquePtr sockPtr(&sock);
452 //Bind socket to address
453 result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
454 RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
455 //Set socket label to something different than expecedLabel
456 result = fsetxattr(sock, XATTR_NAME_SMACKIPIN, socketLabel,
457 strlen(socketLabel), 0);
458 RUNNER_ASSERT_ERRNO_MSG(result == 0,
459 "Can't set socket label. Result: " << result);
460 result = fsetxattr(sock, XATTR_NAME_SMACKIPOUT, socketLabel,
461 strlen(socketLabel), 0);
462 RUNNER_ASSERT_ERRNO_MSG(result == 0,
463 "Can't set socket label. Result: " << result);
465 result = security_manager_set_process_label_from_appid(app_id);
466 RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
467 "security_manager_set_process_label_from_appid(" <<
468 app_id << ") failed. Result: " << result);
470 char value[SMACK_LABEL_LEN + 1];
472 size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value));
473 RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
474 result = strcmp(expected_label, value);
475 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
476 expected_label << " Actual: " << value);
478 size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value));
479 RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
480 result = strcmp(expected_label, value);
481 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
482 expected_label << " Actual: " << value);
484 result = smack_new_label_from_self(&label);
485 RUNNER_ASSERT_MSG(result >= 0,
486 " Error getting current process label");
487 RUNNER_ASSERT_MSG(label != nullptr,
488 " Process label is not set");
489 labelPtr.reset(label);
491 result = strcmp(expected_label, label);
492 RUNNER_ASSERT_MSG(result == 0,
493 " Process label is incorrect. Expected: \"" << expected_label <<
494 "\" Actual: \"" << label << "\"");
496 uninstall_app(app_id, pkg_id, true, true);
499 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
501 const char *const app_id = "sm_test_app_id_set_label_from_appid";
502 const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
505 uninstall_app(app_id, pkg_id, false, true);
506 install_app(app_id, pkg_id);
508 result = security_manager_set_process_label_from_appid(app_id);
509 RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
510 "security_manager_set_process_label_from_appid(" <<
511 app_id << ") failed. Result: " << result);
513 uninstall_app(app_id, pkg_id, true, true);
518 static void prepare_request(AppInstReqUniquePtr &request,
519 const char *const app_id,
520 const char *const pkg_id,
521 app_install_path_type pathType,
522 const char *const path)
525 request.reset(do_app_inst_req_new());
527 result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
528 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
529 "setting app id failed. Result: " << result);
531 result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
532 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
533 "setting pkg id failed. Result: " << result);
535 result = security_manager_app_inst_req_add_path(request.get(), path, pathType);
536 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
537 "setting allowed path failed. Result: " << result);
541 static struct passwd* get_app_pw()
543 struct passwd *pw = nullptr;
545 while(!(pw = getpwnam(APP_USER))) {
546 RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
551 RUNNER_CHILD_TEST(security_manager_04_app_install_uninstall_by_app_user)
554 AppInstReqUniquePtr request;
555 struct passwd *pw = get_app_pw();
556 const std::string user = std::to_string(static_cast<unsigned int>(pw->pw_uid));
558 //switch user to non-root
559 result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
560 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
562 //install app as non-root user and try to register public path (should fail)
563 prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PUBLIC, SM_PRIVATE_PATH_FOR_USER);
565 result = security_manager_app_install(request.get());
566 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
567 "installing app not failed. Result: " << result);
569 //install app as non-root user
570 //should fail (non-root users may only register folders inside their home)
571 prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH);
573 result = security_manager_app_install(request.get());
574 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
575 "installing app not failed. Result: " << result);
577 //install app as non-root user
578 //should succeed - this time i register folder inside user's home dir
579 prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH_FOR_USER);
581 for (auto &privilege : SM_ALLOWED_PRIVILEGES) {
582 result = security_manager_app_inst_req_add_privilege(request.get(), privilege.c_str());
583 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
584 "setting allowed permission failed. Result: " << result);
587 result = security_manager_app_install(request.get());
588 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
589 "installing app failed. Result: " << result);
591 check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
593 //uninstall app as non-root user
594 request.reset(do_app_inst_req_new());
596 result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID3);
597 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
598 "setting app id failed. Result: " << result);
600 result = security_manager_app_uninstall(request.get());
601 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
602 "uninstalling app failed. Result: " << result);
604 check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
607 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
610 CapsSetsUniquePtr caps, caps_empty(cap_init());
612 caps.reset(cap_from_text("all=eip"));
613 RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text");
614 result = cap_set_proc(caps.get());
615 RUNNER_ASSERT_MSG(result == 0,
616 "can't set capabilities. Result: " << result);
618 result = security_manager_drop_process_privileges();
619 RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
620 "dropping caps failed. Result: " << result);
622 caps.reset(cap_get_proc());
623 RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
625 result = cap_compare(caps.get(), caps_empty.get());
626 RUNNER_ASSERT_MSG(result == 0,
627 "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
630 int main(int argc, char *argv[])
632 SummaryCollector::Register();
633 return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);