+RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
+{
+ const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack";
+ const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
+ const char *const expected_label = USER_APP_ID;
+ const char *const socketLabel = "not_expected_label";
+ char *label = nullptr;
+ CStringPtr labelPtr;
+ int result;
+
+ uninstall_app(app_id, pkg_id, true);
+ install_app(app_id, pkg_id);
+
+ struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
+ //Clean up before creating socket
+ unlink(SOCK_PATH);
+ int sock = socket(AF_UNIX, SOCK_STREAM, 0);
+ RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
+ SockUniquePtr sockPtr(&sock);
+ //Bind socket to address
+ result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
+ RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
+ //Set socket label to something different than expecedLabel
+ result = fsetxattr(sock, XATTR_NAME_SMACKIPIN, socketLabel,
+ strlen(socketLabel), 0);
+ RUNNER_ASSERT_ERRNO_MSG(result == 0,
+ "Can't set socket label. Result: " << result);
+ result = fsetxattr(sock, XATTR_NAME_SMACKIPOUT, socketLabel,
+ strlen(socketLabel), 0);
+ RUNNER_ASSERT_ERRNO_MSG(result == 0,
+ "Can't set socket label. Result: " << result);
+
+ Api::setProcessLabel(app_id);
+
+ char value[SMACK_LABEL_LEN + 1];
+ ssize_t size;
+ size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value));
+ RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
+ result = strcmp(expected_label, value);
+ RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
+ expected_label << " Actual: " << value);
+
+ size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value));
+ RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
+ result = strcmp(expected_label, value);
+ RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
+ expected_label << " Actual: " << value);
+
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result >= 0,
+ " Error getting current process label");
+ RUNNER_ASSERT_MSG(label != nullptr,
+ " Process label is not set");
+ labelPtr.reset(label);
+
+ result = strcmp(expected_label, label);
+ RUNNER_ASSERT_MSG(result == 0,
+ " Process label is incorrect. Expected: \"" << expected_label <<
+ "\" Actual: \"" << label << "\"");
+
+ uninstall_app(app_id, pkg_id, true);
+}
+
+RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
+{
+ const char *const app_id = "sm_test_03_app_id_set_label_from_appid_nosmack";
+ const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_nosmack";
+
+ uninstall_app(app_id, pkg_id, true);
+ install_app(app_id, pkg_id);
+
+ Api::setProcessLabel(app_id);
+
+ uninstall_app(app_id, pkg_id, true);
+}
+
+
+
+static void prepare_request(InstallRequest &request,
+ const char *const app_id,
+ const char *const pkg_id,
+ app_install_path_type pathType,
+ const char *const path,
+ uid_t uid)
+{
+ request.setAppId(app_id);
+ request.setPkgId(pkg_id);
+ request.addPath(path, pathType);
+
+ if (uid != 0)
+ request.setUid(uid);
+}
+
+
+static struct passwd* get_app_pw()
+{
+ struct passwd *pw = nullptr;
+ errno = 0;
+ while(!(pw = getpwnam(APP_USER))) {
+ RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
+ }
+ return pw;
+}
+
+
+static void install_and_check(const char *const sm_app_id,
+ const char *const sm_pkg_id,
+ const std::string &user, uid_t uid,
+ const std::string &user_path = SM_PRIVATE_PATH_FOR_USER)
+{
+ InstallRequest requestPublic;
+
+ //install app for non-root user and try to register public path (should fail)
+ prepare_request(requestPublic, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PUBLIC, user_path.c_str(), uid);
+
+ Api::install(requestPublic, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+
+ InstallRequest requestPrivate;
+
+ //install app for non-root user
+ //should fail (users may only register folders inside their home)
+ prepare_request(requestPrivate, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH, uid);
+
+ Api::install(requestPrivate, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+
+ InstallRequest requestPrivateUser;
+
+ //install app for non-root user
+ //should succeed - this time i register folder inside user's home dir
+ prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PRIVATE, user_path.c_str(), uid);
+
+ for (auto &privilege : SM_ALLOWED_PRIVILEGES)
+ requestPrivateUser.addPrivilege(privilege.c_str());
+
+ Api::install(requestPrivateUser);
+
+ check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
+}
+
+RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
+{
+ int result;
+ const char *const sm_app_id = "sm_test_04a_app_id_uid";
+ const char *const sm_pkg_id = "sm_test_04a_pkg_id_uid";
+
+ struct passwd *pw = get_app_pw();
+ const std::string user = std::to_string(static_cast<unsigned int>(pw->pw_uid));
+
+ //switch user to non-root
+ result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ install_and_check(sm_app_id, sm_pkg_id, user, 0);
+
+ //uninstall app as non-root user
+ InstallRequest request;
+ request.setAppId(sm_app_id);
+
+ Api::uninstall(request);
+
+ check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
+}
+
+RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user)
+{
+ int result;
+ const char *const sm_app_id = "sm_test_04b_app_id_uid";
+ const char *const sm_pkg_id = "sm_test_04b_pkg_id_uid";
+
+ struct passwd *pw = get_app_pw();
+ const std::string user = std::to_string(static_cast<unsigned int>(pw->pw_uid));
+
+ install_and_check(sm_app_id, sm_pkg_id, user, pw->pw_uid);
+
+ //switch user to non-root - root may not uninstall apps for specified users
+ result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ //uninstall app as non-root user
+ InstallRequest request;
+ request.setAppId(sm_app_id);
+
+ Api::uninstall(request);
+
+ check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
+}
+
+
+RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
+{
+ int result;
+ CapsSetsUniquePtr caps, caps_empty(cap_init());
+
+ caps.reset(cap_from_text("all=eip"));
+ RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text");
+ result = cap_set_proc(caps.get());
+ RUNNER_ASSERT_MSG(result == 0,
+ "can't set capabilities. Result: " << result);
+
+ Api::dropProcessPrivileges();
+
+ caps.reset(cap_get_proc());
+ RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
+
+ result = cap_compare(caps.get(), caps_empty.get());
+ RUNNER_ASSERT_MSG(result == 0,
+ "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
+}
+
+RUNNER_CHILD_TEST(security_manager_06_install_app_offline)
+{
+ const char *const app_id = "sm_test_06_app_id_install_app_offline";
+ const char *const pkg_id = "sm_test_06_pkg_id_install_app_offline";
+ DBusAccess dbusAccess("security-manager.service");
+
+ uninstall_app(app_id, pkg_id, true);
+ dbusAccess.maskService();
+ dbusAccess.stopService();
+
+ install_app(app_id, pkg_id);
+
+ dbusAccess.unmaskService();
+ dbusAccess.startService();
+
+ uninstall_app(app_id, pkg_id, true);
+}
+
+RUNNER_CHILD_TEST(security_manager_07_user_add_app_install)
+{
+ const char *const sm_app_id = "sm_test_07_app_id_user";
+ const char *const sm_pkg_id = "sm_test_07_pkg_id_user";
+ const std::string new_user_name = "sm_test_07_user_name";
+ std::string uid_string;
+ TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
+ uid_string = std::to_string(static_cast<unsigned int>(test_user.getUid()));
+
+ install_app(sm_app_id, sm_pkg_id, test_user.getUid());
+
+ check_app_after_install(sm_app_id, sm_pkg_id);
+
+ test_user.remove();
+
+ check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
+
+ check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
+}
+
+RUNNER_CHILD_TEST(security_manager_08_user_double_add_double_remove)
+{
+ UserRequest addUserRequest;
+
+ const char *const sm_app_id = "sm_test_08_app_id_user";
+ const char *const sm_pkg_id = "sm_test_08_pkg_id_user";
+ const char *const new_user_name = "sm_test_08_user_name";
+ std::string uid_string;
+
+ // gumd user add
+ TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
+ uid_string = std::to_string(static_cast<unsigned int>(test_user.getUid()));
+
+ addUserRequest.setUid(test_user.getUid());
+ addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
+
+ //sm user add
+ Api::addUser(addUserRequest);
+
+ install_app(sm_app_id, sm_pkg_id, test_user.getUid());
+
+ check_app_after_install(sm_app_id, sm_pkg_id);
+
+ test_user.remove();
+
+ UserRequest deleteUserRequest;
+ deleteUserRequest.setUid(test_user.getUid());
+
+ Api::deleteUser(deleteUserRequest);
+
+ check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
+
+ check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
+}
+
+RUNNER_CHILD_TEST(security_manager_09_add_user_offline)
+{
+ const char *const app_id = "security_manager_09_add_user_offline_app";
+ const char *const pkg_id = "security_manager_09_add_user_offline_pkg";
+ const std::string username("sm_test_09_user_name");
+ DBusAccess dbusAccess("security-manager.service");
+ dbusAccess.maskService();
+ dbusAccess.stopService();
+
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
+
+ install_app(app_id, pkg_id, user.getUid());
+
+ check_app_after_install(app_id, pkg_id);
+
+ dbusAccess.unmaskService();
+ dbusAccess.startService();
+
+ user.remove();
+
+ check_app_after_uninstall(app_id, pkg_id, true);
+}
+