tests/security-manager-tests/security_manager_tests.cpp

   1 #include <dpl/test/test_runner.h>
   2 #include <fcntl.h>
   3 #include <stdio.h>
   4 #include <memory.h>
   5 #include <summary_collector.h>
   6 #include <string>
   7 #include <unordered_set>
   8
   9 #include <grp.h>
  10 #include <pwd.h>
  11
  12 #include <libprivilege-control_test_common.h>
  13 #include <tests_common.h>
  14
  15 #include <security-manager.h>
  16 #include <sm_db.h>
  17 #include <cynara_test_client.h>
  18
  19 DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
  20
  21 static const char *const SM_APP_ID1 = "sm_test_app_id_double";
  22 static const char *const SM_PKG_ID1 = "sm_test_pkg_id_double";
  23
  24 static const char *const SM_APP_ID2 = "sm_test_app_id_full";
  25 static const char *const SM_PKG_ID2 = "sm_test_pkg_id_full";
  26
  27 static const char *const SM_APP_ID3 = "sm_test_app_id_uid";
  28 static const char *const SM_PKG_ID3 = "sm_test_pkg_id_uid";
  29
  30 static const privileges_t SM_ALLOWED_PRIVILEGES = {
  31     "security_manager_test_rules2_r",
  32     "security_manager_test_rules2_no_r"
  33 };
  34
  35 static const privileges_t SM_DENIED_PRIVILEGES  = {
  36     "security_manager_test_rules1",
  37     "security_manager_test_rules2"
  38 };
  39
  40 static const privileges_t SM_NO_PRIVILEGES  = {
  41 };
  42
  43 static const std::vector<gid_t> SM_ALLOWED_GIDS = {6001, 6002};
  44
  45 static const char *const SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir";
  46 static const char *const SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public";
  47 static const char *const SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro";
  48 static const char *const SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir";
  49 static const char *const SM_PRIVATE_PATH_FOR_USER = "/home/" APP_USER "/test_DIR";
  50 static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
  51
  52 static void generateAppLabel(const std::string &pkgId, std::string &label)
  53 {
  54     (void) pkgId;
  55     label = "User";
  56 }
  57
  58 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
  59                               const char* correctLabel, bool transmute_test, bool exec_test)
  60 {
  61     int result;
  62     CStringPtr labelPtr;
  63     char* label = nullptr;
  64
  65     /* ACCESS */
  66     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
  67     RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
  68     labelPtr.reset(label);
  69     RUNNER_ASSERT_MSG(label != nullptr, "ACCESS label on " << fpath << " is not set");
  70     result = strcmp(correctLabel, label);
  71     RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"
  72             " (should be '" << correctLabel << "' and is '" << label << "')");
  73
  74
  75     /* EXEC */
  76     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
  77     RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
  78     labelPtr.reset(label);
  79
  80     if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
  81         RUNNER_ASSERT_MSG(label != nullptr, "EXEC label on " << fpath << " is not set");
  82         result = strcmp(correctLabel, label);
  83         RUNNER_ASSERT_MSG(result == 0, "Incorrect EXEC label on executable file " << fpath);
  84     } else
  85         RUNNER_ASSERT_MSG(label == nullptr, "EXEC label on " << fpath << " is set");
  86
  87
  88     /* TRANSMUTE */
  89     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
  90     RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
  91     labelPtr.reset(label);
  92
  93     if (S_ISDIR(sb->st_mode) && transmute_test == true) {
  94         RUNNER_ASSERT_MSG(label != nullptr, "TRANSMUTE label on " << fpath << " is not set at all");
  95         RUNNER_ASSERT_MSG(strcmp(label,"TRUE") == 0,
  96                 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
  97     } else {
  98         RUNNER_ASSERT_MSG(label == nullptr, "TRANSMUTE label on " << fpath << " is set");
  99     }
 100
 101     return 0;
 102 }
 103
 104
 105 static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
 106                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
 107 {
 108     return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
 109 }
 110
 111 static int nftw_check_sm_labels_app_public_dir(const char *fpath, const struct stat *sb,
 112                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
 113 {
 114
 115     return nftw_check_sm_labels_app_dir(fpath, sb, "User", true, false);
 116 }
 117
 118 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
 119                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
 120 {
 121
 122     return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
 123 }
 124
 125 static app_inst_req* do_app_inst_req_new()
 126 {
 127     int result;
 128     app_inst_req *req = nullptr;
 129
 130     result = security_manager_app_inst_req_new(&req);
 131     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 132             "creation of new request failed. Result: " << result);
 133     RUNNER_ASSERT_MSG(req != nullptr, "creation of new request did not allocate memory");
 134     return req;
 135 }
 136
 137 static void prepare_app_path()
 138 {
 139     int result;
 140
 141     result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
 142     RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
 143
 144     result = nftw(SM_PUBLIC_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
 145     RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_PATH);
 146
 147     result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
 148     RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
 149
 150     result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
 151     RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
 152 }
 153
 154 static void prepare_app_env()
 155 {
 156     prepare_app_path();
 157 }
 158
 159 /* TODO: add parameters to this function */
 160 static void check_app_path_after_install()
 161 {
 162     int result;
 163
 164     result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
 165     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
 166
 167     result = nftw(SM_PUBLIC_PATH, &nftw_check_sm_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
 168     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_PATH);
 169
 170     result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
 171     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
 172
 173     result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
 174     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
 175 }
 176
 177
 178 static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
 179                                   const privileges_t &allowed_privs, const privileges_t &denied_privs)
 180 {
 181     (void) app_id;
 182     std::string smackLabel;
 183     generateAppLabel(pkg_id, smackLabel);
 184
 185     CynaraTestClient ctc;
 186
 187     for (auto &priv : allowed_privs) {
 188         ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_ALLOWED);
 189     }
 190
 191     for (auto &priv : denied_privs) {
 192         ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED);
 193     }
 194 }
 195
 196 static void check_app_gids(const char *const app_id, const std::vector<gid_t> &allowed_gids)
 197 {
 198     int ret;
 199     gid_t main_gid = getgid();
 200     std::unordered_set<gid_t> reference_gids(allowed_gids.begin(), allowed_gids.end());
 201
 202     // Reset supplementary groups
 203     ret = setgroups(0, NULL);
 204     RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
 205
 206     ret = security_manager_set_process_groups_from_appid(app_id);
 207     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS,
 208             "security_manager_set_process_groups_from_appid(" <<
 209             app_id << ") failed. Result: " << ret);
 210
 211     ret = getgroups(0, nullptr);
 212     RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
 213
 214     std::vector<gid_t> actual_gids(ret);
 215     ret = getgroups(ret, actual_gids.data());
 216     RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
 217
 218     for (const auto &gid : actual_gids) {
 219         RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0,
 220             "Application shouldn't get access to group " << gid);
 221         reference_gids.erase(gid);
 222     }
 223
 224     RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups");
 225 }
 226
 227 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
 228                                     const privileges_t &allowed_privs,
 229                                     const privileges_t &denied_privs,
 230                                     const std::vector<gid_t> &allowed_gids)
 231 {
 232     TestSecurityManagerDatabase dbtest;
 233     dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
 234     dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
 235
 236     /*Privileges should be granted to all users if root installs app*/
 237     check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
 238
 239     /* Setup mapping of gids to privileges */
 240     /* Do this for each privilege for extra check */
 241     for (const auto &privilege : allowed_privs) {
 242         dbtest.setup_privilege_gids(privilege, allowed_gids);
 243     }
 244
 245     check_app_gids(app_id, allowed_gids);
 246 }
 247
 248 static void check_app_after_install(const char *const app_id, const char *const pkg_id)
 249 {
 250     TestSecurityManagerDatabase dbtest;
 251     dbtest.test_db_after__app_install(app_id, pkg_id);
 252 }
 253
 254 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
 255                                       const privileges_t &privileges, const bool is_pkg_removed)
 256 {
 257     TestSecurityManagerDatabase dbtest;
 258     dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
 259
 260
 261     /*Privileges should not be granted anymore to any user*/
 262     check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges);
 263 }
 264
 265 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
 266                                       const bool is_pkg_removed)
 267 {
 268     TestSecurityManagerDatabase dbtest;
 269     dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
 270 }
 271
 272 static void install_app(const char *app_id, const char *pkg_id)
 273 {
 274     int result;
 275     AppInstReqUniquePtr request;
 276     request.reset(do_app_inst_req_new());
 277
 278     result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
 279     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 280             "setting app id failed. Result: " << result);
 281
 282     result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
 283     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 284             "setting pkg id failed. Result: " << result);
 285
 286     result = security_manager_app_install(request.get());
 287     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 288             "installing app failed. Result: " << result);
 289
 290     check_app_after_install(app_id, pkg_id);
 291
 292 }
 293
 294 static void uninstall_app(const char *app_id, const char *pkg_id,
 295         bool expect_installed, bool expect_pkg_removed)
 296 {
 297     int result;
 298     AppInstReqUniquePtr request;
 299     request.reset(do_app_inst_req_new());
 300
 301     result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
 302     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 303           "setting app id failed. Result: " << result);
 304
 305     result = security_manager_app_uninstall(request.get());
 306     RUNNER_ASSERT_MSG(!expect_installed || (lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 307           "uninstalling app failed. Result: " << result);
 308
 309     check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed);
 310 }
 311
 312
 313 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
 314
 315
 316 RUNNER_TEST(security_manager_01_app_double_install_double_uninstall)
 317 {
 318     int result;
 319     AppInstReqUniquePtr request;
 320
 321     request.reset(do_app_inst_req_new());
 322
 323     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
 324     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 325             "setting app id failed. Result: " << result);
 326
 327     result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID1);
 328     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 329             "setting pkg id failed. Result: " << result);
 330
 331     result = security_manager_app_install(request.get());
 332     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 333             "installing app failed. Result: " << result);
 334
 335     result = security_manager_app_install(request.get());
 336     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 337             "installing already installed app failed. Result: " << result);
 338
 339     /* Check records in the security-manager database */
 340     check_app_after_install(SM_APP_ID1, SM_PKG_ID1);
 341
 342     request.reset(do_app_inst_req_new());
 343
 344     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
 345     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 346             "setting app id failed. Result: " << result);
 347
 348     result = security_manager_app_uninstall(request.get());
 349     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 350             "uninstalling app failed. Result: " << result);
 351
 352     result = security_manager_app_uninstall(request.get());
 353     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 354             "uninstalling already uninstalled app failed. Result: " << result);
 355
 356     /* Check records in the security-manager database */
 357     check_app_after_uninstall(SM_APP_ID1, SM_PKG_ID1, TestSecurityManagerDatabase::REMOVED);
 358 }
 359
 360 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
 361 {
 362     int result;
 363     AppInstReqUniquePtr request;
 364
 365     prepare_app_env();
 366
 367     request.reset(do_app_inst_req_new());
 368
 369     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
 370     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 371             "setting app id failed. Result: " << result);
 372
 373     result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID2);
 374     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 375             "setting pkg id failed. Result: " << result);
 376
 377     result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[0].c_str());
 378     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 379             "setting allowed permission failed. Result: " << result);
 380     result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[1].c_str());
 381     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 382             "setting allowed permission failed. Result: " << result);
 383
 384     result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH,
 385                                                     SECURITY_MANAGER_PATH_PRIVATE);
 386     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 387             "setting allowed path failed. Result: " << result);
 388
 389     result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_PATH,
 390                                                     SECURITY_MANAGER_PATH_PUBLIC);
 391     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 392             "setting allowed path failed. Result: " << result);
 393
 394     result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH,
 395                                                     SECURITY_MANAGER_PATH_PUBLIC_RO);
 396     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 397             "setting allowed path failed. Result: " << result);
 398
 399     result = security_manager_app_install(request.get());
 400     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 401             "installing app failed. Result: " << result);
 402
 403     /* Check records in the security-manager database */
 404     check_app_after_install(SM_APP_ID2, SM_PKG_ID2,
 405                             SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GIDS);
 406
 407     /* TODO: add parameters to this function */
 408     check_app_path_after_install();
 409
 410     request.reset(do_app_inst_req_new());
 411
 412     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
 413     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 414             "setting app id failed. Result: " << result);
 415
 416     result = security_manager_app_uninstall(request.get());
 417     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 418             "uninstalling app failed. Result: " << result);
 419
 420     /* Check records in the security-manager database,
 421      * all previously allowed privileges should be removed */
 422     check_app_after_uninstall(SM_APP_ID2, SM_PKG_ID2,
 423                               SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
 424 }
 425
 426 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
 427 {
 428     const char *const app_id = "sm_test_app_id_set_label_from_appid";
 429     const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
 430     const char *const expected_label = USER_APP_ID;
 431     char *label = nullptr;
 432     CStringPtr labelPtr;
 433     int result;
 434
 435     uninstall_app(app_id, pkg_id, false, true);
 436     install_app(app_id, pkg_id);
 437
 438     result = security_manager_set_process_label_from_appid(app_id);
 439     RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
 440             "security_manager_set_process_label_from_appid(" <<
 441             app_id << ") failed. Result: " << result);
 442
 443     result = smack_new_label_from_self(&label);
 444     RUNNER_ASSERT_MSG(result >= 0,
 445             " Error getting current process label");
 446     RUNNER_ASSERT_MSG(label != nullptr,
 447             " Process label is not set");
 448     labelPtr.reset(label);
 449
 450     result = strcmp(expected_label, label);
 451     RUNNER_ASSERT_MSG(result == 0,
 452             " Process label is incorrect. Expected: \"" << expected_label <<
 453             "\" Actual: \"" << label << "\"");
 454
 455     uninstall_app(app_id, pkg_id, true, true);
 456 }
 457
 458 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
 459 {
 460     const char *const app_id = "sm_test_app_id_set_label_from_appid";
 461     const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
 462     int result;
 463
 464     uninstall_app(app_id, pkg_id, false, true);
 465     install_app(app_id, pkg_id);
 466
 467     result = security_manager_set_process_label_from_appid(app_id);
 468     RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
 469             "security_manager_set_process_label_from_appid(" <<
 470             app_id << ") failed. Result: " << result);
 471
 472     uninstall_app(app_id, pkg_id, true, true);
 473 }
 474
 475
 476
 477 static void prepare_request(AppInstReqUniquePtr &request,
 478               const char *const app_id,
 479               const char *const pkg_id,
 480               app_install_path_type pathType,
 481               const char *const path)
 482 {
 483     int result;
 484     request.reset(do_app_inst_req_new());
 485
 486     result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
 487     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 488             "setting app id failed. Result: " << result);
 489
 490     result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
 491     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 492             "setting pkg id failed. Result: " << result);
 493
 494     result = security_manager_app_inst_req_add_path(request.get(), path, pathType);
 495     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 496             "setting allowed path failed. Result: " << result);
 497 }
 498
 499
 500 static struct passwd* get_app_pw()
 501 {
 502     struct passwd *pw = nullptr;
 503     errno = 0;
 504     while(!(pw = getpwnam(APP_USER))) {
 505         RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
 506     }
 507     return pw;
 508 }
 509
 510 RUNNER_CHILD_TEST(security_manager_04_app_install_uninstall_by_app_user)
 511 {
 512     int result;
 513     AppInstReqUniquePtr request;
 514     struct passwd *pw = get_app_pw();
 515     const std::string user =  std::to_string(static_cast<unsigned int>(pw->pw_uid));
 516
 517     //switch user to non-root
 518     result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
 519     RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
 520
 521     //install app as non-root user and try to register public path (should fail)
 522     prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PUBLIC, SM_PRIVATE_PATH_FOR_USER);
 523
 524     result = security_manager_app_install(request.get());
 525     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
 526             "installing app not failed. Result: " << result);
 527
 528     //install app as non-root user
 529     //should fail (non-root users may only register folders inside their home)
 530     prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH);
 531
 532     result = security_manager_app_install(request.get());
 533     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
 534             "installing app not failed. Result: " << result);
 535
 536     //install app as non-root user
 537     //should succeed - this time i register folder inside user's home dir
 538     prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH_FOR_USER);
 539
 540     for (auto &privilege : SM_ALLOWED_PRIVILEGES) {
 541         result = security_manager_app_inst_req_add_privilege(request.get(), privilege.c_str());
 542         RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 543             "setting allowed permission failed. Result: " << result);
 544     }
 545
 546     result = security_manager_app_install(request.get());
 547     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 548             "installing app failed. Result: " << result);
 549
 550     check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
 551
 552     //uninstall app as non-root user
 553     request.reset(do_app_inst_req_new());
 554
 555     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID3);
 556     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 557             "setting app id failed. Result: " << result);
 558
 559     result = security_manager_app_uninstall(request.get());
 560     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
 561             "uninstalling app failed. Result: " << result);
 562
 563     check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
 564 }
 565
 566
 567 int main(int argc, char *argv[])
 568 {
 569     SummaryCollector::Register();
 570     return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
 571 }