Security manager: test for offline user adding

[platform/core/test/security-tests.git] / tests / security-manager-tests / security_manager_tests.cpp

diff --git a/tests/security-manager-tests/security_manager_tests.cpp b/tests/security-manager-tests/security_manager_tests.cpp
index 59ece53..df0f46c 100644 (file)
--- a/tests/security-manager-tests/security_manager_tests.cpp
+++ b/tests/security-manager-tests/security_manager_tests.cpp
@@ -2,9 +2,14 @@
 #include <fcntl.h>
 #include <stdio.h>
 #include <memory.h>
-#include <summary_collector.h>
 #include <string>
 #include <unordered_set>
+#include <sys/capability.h>
+
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <attr/xattr.h>
+#include <linux/xattr.h>
 
 #include <grp.h>
 #include <pwd.h>
@@ -13,21 +18,17 @@
 #include <tests_common.h>
 
 #include <security-manager.h>
+#include <sm_api.h>
 #include <sm_db.h>
+#include <sm_request.h>
+#include <sm_user_request.h>
+#include <temp_test_user.h>
 #include <cynara_test_client.h>
+#include <dbus_access.h>
 
-DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
-
-static const char *const LABELLED_BINARY_PATH = "/usr/bin/test-app-efl";
-
-static const char *const SM_APP_ID1 = "sm_test_app_id_double";
-static const char *const SM_PKG_ID1 = "sm_test_pkg_id_double";
+using namespace SecurityManagerTest;
 
-static const char *const SM_APP_ID2 = "sm_test_app_id_full";
-static const char *const SM_PKG_ID2 = "sm_test_pkg_id_full";
-
-static const char *const SM_APP_ID3 = "sm_test_app_id_uid";
-static const char *const SM_PKG_ID3 = "sm_test_pkg_id_uid";
+DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr);
 
 static const privileges_t SM_ALLOWED_PRIVILEGES = {
     "security_manager_test_rules2_r",
@@ -42,12 +43,11 @@ static const privileges_t SM_DENIED_PRIVILEGES  = {
 static const privileges_t SM_NO_PRIVILEGES  = {
 };
 
-static const std::vector<gid_t> SM_ALLOWED_GIDS = {6001, 6002};
+static const std::vector<std::string> SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"};
 
-static const char *const SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir";
-static const char *const SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public";
-static const char *const SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro";
-static const char *const SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir";
+static const char *const SM_PRIVATE_PATH = "/usr/apps/test_DIR/app_dir";
+static const char *const SM_PUBLIC_RO_PATH = "/usr/apps/test_DIR/app_dir_public_ro";
+static const char *const SM_DENIED_PATH = "/usr/apps/test_DIR/non_app_dir";
 static const char *const SM_PRIVATE_PATH_FOR_USER = "/home/" APP_USER "/test_DIR";
 static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
 
@@ -110,13 +110,6 @@ static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct
     return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
 }
 
-static int nftw_check_sm_labels_app_public_dir(const char *fpath, const struct stat *sb,
-                               int /*typeflag*/, struct FTW* /*ftwbuf*/)
-{
-
-    return nftw_check_sm_labels_app_dir(fpath, sb, "User", true, false);
-}
-
 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
 {
@@ -124,18 +117,6 @@ static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct st
     return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
 }
 
-static app_inst_req* do_app_inst_req_new()
-{
-    int result;
-    app_inst_req *req = nullptr;
-
-    result = security_manager_app_inst_req_new(&req);
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "creation of new request failed. Result: " << result);
-    RUNNER_ASSERT_MSG(req != nullptr, "creation of new request did not allocate memory");
-    return req;
-}
-
 static void prepare_app_path()
 {
     int result;
@@ -143,9 +124,6 @@ static void prepare_app_path()
     result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
     RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
 
-    result = nftw(SM_PUBLIC_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
-    RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_PATH);
-
     result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
     RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
 
@@ -166,9 +144,6 @@ static void check_app_path_after_install()
     result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
 
-    result = nftw(SM_PUBLIC_PATH, &nftw_check_sm_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
-    RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_PATH);
-
     result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
 
@@ -205,10 +180,7 @@ static void check_app_gids(const char *const app_id, const std::vector<gid_t> &a
     ret = setgroups(0, NULL);
     RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
 
-    ret = security_manager_set_process_groups_from_appid(app_id);
-    RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS,
-            "security_manager_set_process_groups_from_appid(" <<
-            app_id << ") failed. Result: " << ret);
+    Api::setProcessGroups(app_id);
 
     ret = getgroups(0, nullptr);
     RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
@@ -229,7 +201,7 @@ static void check_app_gids(const char *const app_id, const std::vector<gid_t> &a
 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
                                     const privileges_t &allowed_privs,
                                     const privileges_t &denied_privs,
-                                    const std::vector<gid_t> &allowed_gids)
+                                    const std::vector<std::string> &allowed_groups)
 {
     TestSecurityManagerDatabase dbtest;
     dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
@@ -241,7 +213,16 @@ static void check_app_after_install(const char *const app_id, const char *const
     /* Setup mapping of gids to privileges */
     /* Do this for each privilege for extra check */
     for (const auto &privilege : allowed_privs) {
-        dbtest.setup_privilege_gids(privilege, allowed_gids);
+        dbtest.setup_privilege_groups(privilege, allowed_groups);
+    }
+
+    std::vector<gid_t> allowed_gids;
+
+    for (const auto &groupName : allowed_groups) {
+        errno = 0;
+        struct group* grp = getgrnam(groupName.c_str());
+        RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found");
+        allowed_gids.push_back(grp->gr_gid);
     }
 
     check_app_gids(app_id, allowed_gids);
@@ -271,42 +252,24 @@ static void check_app_after_uninstall(const char *const app_id, const char *cons
     dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
 }
 
-static void install_app(const char *app_id, const char *pkg_id)
+static void install_app(const char *app_id, const char *pkg_id, uid_t uid = 0)
 {
-    int result;
-    AppInstReqUniquePtr request;
-    request.reset(do_app_inst_req_new());
-
-    result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "setting app id failed. Result: " << result);
-
-    result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "setting pkg id failed. Result: " << result);
-
-    result = security_manager_app_install(request.get());
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "installing app failed. Result: " << result);
+    InstallRequest request;
+    request.setAppId(app_id);
+    request.setPkgId(pkg_id);
+    request.setUid(uid);
+    Api::install(request);
 
     check_app_after_install(app_id, pkg_id);
 
 }
 
-static void uninstall_app(const char *app_id, const char *pkg_id,
-        bool expect_installed, bool expect_pkg_removed)
+static void uninstall_app(const char *app_id, const char *pkg_id, bool expect_pkg_removed)
 {
-    int result;
-    AppInstReqUniquePtr request;
-    request.reset(do_app_inst_req_new());
+    InstallRequest request;
+    request.setAppId(app_id);
 
-    result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-          "setting app id failed. Result: " << result);
-
-    result = security_manager_app_uninstall(request.get());
-    RUNNER_ASSERT_MSG(!expect_installed || (lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-          "uninstalling app failed. Result: " << result);
+    Api::uninstall(request);
 
     check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed);
 }
@@ -315,169 +278,172 @@ static void uninstall_app(const char *app_id, const char *pkg_id,
 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
 
 
-RUNNER_TEST(security_manager_01_app_double_install_double_uninstall)
+RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall)
 {
-    int result;
-    AppInstReqUniquePtr request;
+    const char *const sm_app_id = "sm_test_01a_app_id_double";
+    const char *const sm_pkg_id = "sm_test_01a_pkg_id_double";
 
-    request.reset(do_app_inst_req_new());
+    InstallRequest requestInst;
+    requestInst.setAppId(sm_app_id);
+    requestInst.setPkgId(sm_pkg_id);
 
-    result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "setting app id failed. Result: " << result);
+    Api::install(requestInst);
+    Api::install(requestInst);
 
-    result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID1);
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "setting pkg id failed. Result: " << result);
+    /* Check records in the security-manager database */
+    check_app_after_install(sm_app_id, sm_pkg_id);
 
-    result = security_manager_app_install(request.get());
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "installing app failed. Result: " << result);
+    InstallRequest requestUninst;
+    requestUninst.setAppId(sm_app_id);
 
-    result = security_manager_app_install(request.get());
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "installing already installed app failed. Result: " << result);
+    Api::uninstall(requestUninst);
+    Api::uninstall(requestUninst);
 
     /* Check records in the security-manager database */
-    check_app_after_install(SM_APP_ID1, SM_PKG_ID1);
+    check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
+}
 
-    request.reset(do_app_inst_req_new());
 
-    result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "setting app id failed. Result: " << result);
+RUNNER_TEST(security_manager_01b_app_double_install_wrong_pkg_id)
+{
+    const char *const sm_app_id = "sm_test_01b_app";
+    const char *const sm_pkg_id = "sm_test_01b_pkg";
+    const char *const sm_pkg_id_wrong = "sm_test_01b_pkg_BAD";
 
-    result = security_manager_app_uninstall(request.get());
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "uninstalling app failed. Result: " << result);
+    InstallRequest requestInst;
+    requestInst.setAppId(sm_app_id);
+    requestInst.setPkgId(sm_pkg_id);
 
-    result = security_manager_app_uninstall(request.get());
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "uninstalling already uninstalled app failed. Result: " << result);
+    Api::install(requestInst);
 
-    /* Check records in the security-manager database */
-    check_app_after_uninstall(SM_APP_ID1, SM_PKG_ID1, TestSecurityManagerDatabase::REMOVED);
-}
+    InstallRequest requestInst2;
+    requestInst2.setAppId(sm_app_id);
+    requestInst2.setPkgId(sm_pkg_id_wrong);
 
-RUNNER_TEST(security_manager_02_app_install_uninstall_full)
-{
-    int result;
-    AppInstReqUniquePtr request;
+    Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM);
 
-    prepare_app_env();
 
-    request.reset(do_app_inst_req_new());
+    /* Check records in the security-manager database */
+    check_app_after_install(sm_app_id, sm_pkg_id);
 
-    result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "setting app id failed. Result: " << result);
+    InstallRequest requestUninst;
+    requestUninst.setAppId(sm_app_id);
 
-    result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID2);
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "setting pkg id failed. Result: " << result);
+    Api::uninstall(requestUninst);
 
-    result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[0].c_str());
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "setting allowed permission failed. Result: " << result);
-    result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[1].c_str());
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "setting allowed permission failed. Result: " << result);
 
-    result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH,
-                                                    SECURITY_MANAGER_PATH_PRIVATE);
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "setting allowed path failed. Result: " << result);
+    /* Check records in the security-manager database */
+    check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
 
-    result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_PATH,
-                                                    SECURITY_MANAGER_PATH_PUBLIC);
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "setting allowed path failed. Result: " << result);
+}
 
-    result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH,
-                                                    SECURITY_MANAGER_PATH_PUBLIC_RO);
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "setting allowed path failed. Result: " << result);
+RUNNER_TEST(security_manager_01c_app_uninstall_pkg_id_ignored)
+{
+    const char * const  sm_app_id = "SM_TEST_01c_APPID";
+    const char * const  sm_pkg_id = "SM_TEST_01c_PKGID";
+    const char * const  sm_pkg_id_wrong = "SM_TEST_01c_PKGID_wrong";
 
-    result = security_manager_app_install(request.get());
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "installing app failed. Result: " << result);
+    InstallRequest requestInst;
+    requestInst.setAppId(sm_app_id);
+    requestInst.setPkgId(sm_pkg_id);
 
-    /* Check records in the security-manager database */
-    check_app_after_install(SM_APP_ID2, SM_PKG_ID2,
-                            SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GIDS);
+    Api::install(requestInst);
 
-    /* TODO: add parameters to this function */
-    check_app_path_after_install();
+    /* Check records in the security-manager database */
+    check_app_after_install(sm_app_id, sm_pkg_id);
 
-    request.reset(do_app_inst_req_new());
+    InstallRequest requestUninst;
+    requestUninst.setAppId(sm_app_id);
+    requestUninst.setPkgId(sm_pkg_id_wrong);
 
-    result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "setting app id failed. Result: " << result);
+    Api::uninstall(requestUninst);
 
-    result = security_manager_app_uninstall(request.get());
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "uninstalling app failed. Result: " << result);
+    check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
 
-    /* Check records in the security-manager database,
-     * all previously allowed privileges should be removed */
-    check_app_after_uninstall(SM_APP_ID2, SM_PKG_ID2,
-                              SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
 }
 
-RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_binary)
+RUNNER_TEST(security_manager_02_app_install_uninstall_full)
 {
-    const char *const testBinaryPath    = LABELLED_BINARY_PATH;
-    const char *const expectedLabel     = USER_APP_ID;
-    int result;
-    char *label = nullptr;
-    CStringPtr labelPtr;
+    const char *const sm_app_id = "sm_test_02_app_id_full";
+    const char *const sm_pkg_id = "sm_test_02_pkg_id_full";
 
-    result = security_manager_set_process_label_from_binary(testBinaryPath);
-    RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
-            "security_manager_set_process_label_from_binary(" <<
-            testBinaryPath << ") failed. Result: " << result);
+    prepare_app_env();
 
-    result = smack_new_label_from_self(&label);
-    RUNNER_ASSERT_MSG(result >= 0,
-            " Error getting current process label");
-    RUNNER_ASSERT_MSG(label != nullptr,
-            " Process label is not set");
-    labelPtr.reset(label);
+    InstallRequest requestInst;
+    requestInst.setAppId(sm_app_id);
+    requestInst.setPkgId(sm_pkg_id);
+    requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str());
+    requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str());
+    requestInst.addPath(SM_PRIVATE_PATH, SECURITY_MANAGER_PATH_PRIVATE);
+    requestInst.addPath(SM_PUBLIC_RO_PATH, SECURITY_MANAGER_PATH_PUBLIC_RO);
 
-    result = strcmp(expectedLabel, label);
-    RUNNER_ASSERT_MSG(result == 0,
-            " Process label is incorrect. Expected: \"" << expectedLabel << "\" Actual: \""
-            << label << "\"");
-}
+    Api::install(requestInst);
 
-RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_binary_nosmack)
-{
-    const char *const testBinaryPath = LABELLED_BINARY_PATH;
-    int result;
+    /* Check records in the security-manager database */
+    check_app_after_install(sm_app_id, sm_pkg_id,
+                            SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
+
+    /* TODO: add parameters to this function */
+    check_app_path_after_install();
+
+    InstallRequest requestUninst;
+    requestUninst.setAppId(sm_app_id);
 
-    result = security_manager_set_process_label_from_binary(testBinaryPath);
-    RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
-            "security_manager_set_process_label_from_binary(" <<
-            testBinaryPath << ") failed. Result: " << result);
+    Api::uninstall(requestUninst);
+
+    /* Check records in the security-manager database,
+     * all previously allowed privileges should be removed */
+    check_app_after_uninstall(sm_app_id, sm_pkg_id,
+                              SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
 }
 
-RUNNER_CHILD_TEST_SMACK(security_manager_04_set_label_from_appid)
+RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
 {
-    const char *const app_id = "sm_test_app_id_set_label_from_appid";
-    const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
+    const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack";
+    const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
     const char *const expected_label = USER_APP_ID;
+    const char *const socketLabel = "not_expected_label";
     char *label = nullptr;
     CStringPtr labelPtr;
     int result;
 
-    uninstall_app(app_id, pkg_id, false, true);
+    uninstall_app(app_id, pkg_id, true);
     install_app(app_id, pkg_id);
 
-    result = security_manager_set_process_label_from_appid(app_id);
-    RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
-            "security_manager_set_process_label_from_appid(" <<
-            app_id << ") failed. Result: " << result);
+    struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
+    //Clean up before creating socket
+    unlink(SOCK_PATH);
+    int sock = socket(AF_UNIX, SOCK_STREAM, 0);
+    RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
+    SockUniquePtr sockPtr(&sock);
+    //Bind socket to address
+    result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
+    RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
+    //Set socket label to something different than expecedLabel
+    result = fsetxattr(sock, XATTR_NAME_SMACKIPIN, socketLabel,
+        strlen(socketLabel), 0);
+    RUNNER_ASSERT_ERRNO_MSG(result == 0,
+        "Can't set socket label. Result: " << result);
+    result = fsetxattr(sock, XATTR_NAME_SMACKIPOUT, socketLabel,
+        strlen(socketLabel), 0);
+    RUNNER_ASSERT_ERRNO_MSG(result == 0,
+        "Can't set socket label. Result: " << result);
+
+    Api::setProcessLabel(app_id);
+
+    char value[SMACK_LABEL_LEN + 1];
+    ssize_t size;
+    size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value));
+    RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
+    result = strcmp(expected_label, value);
+    RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
+        expected_label << " Actual: " << value);
+
+    size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value));
+    RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
+    result = strcmp(expected_label, value);
+    RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
+        expected_label << " Actual: " << value);
 
     result = smack_new_label_from_self(&label);
     RUNNER_ASSERT_MSG(result >= 0,
@@ -491,48 +457,37 @@ RUNNER_CHILD_TEST_SMACK(security_manager_04_set_label_from_appid)
             " Process label is incorrect. Expected: \"" << expected_label <<
             "\" Actual: \"" << label << "\"");
 
-    uninstall_app(app_id, pkg_id, true, true);
+    uninstall_app(app_id, pkg_id, true);
 }
 
-RUNNER_CHILD_TEST_NOSMACK(security_manager_04_set_label_from_appid_nosmack)
+RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
 {
-    const char *const app_id = "sm_test_app_id_set_label_from_appid";
-    const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
-    int result;
+    const char *const app_id = "sm_test_03_app_id_set_label_from_appid_nosmack";
+    const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_nosmack";
 
-    uninstall_app(app_id, pkg_id, false, true);
+    uninstall_app(app_id, pkg_id, true);
     install_app(app_id, pkg_id);
 
-    result = security_manager_set_process_label_from_appid(app_id);
-    RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
-            "security_manager_set_process_label_from_appid(" <<
-            app_id << ") failed. Result: " << result);
+    Api::setProcessLabel(app_id);
 
-    uninstall_app(app_id, pkg_id, true, true);
+    uninstall_app(app_id, pkg_id, true);
 }
 
 
 
-static void prepare_request(AppInstReqUniquePtr &request,
+static void prepare_request(InstallRequest &request,
               const char *const app_id,
               const char *const pkg_id,
               app_install_path_type pathType,
-              const char *const path)
+              const char *const path,
+              uid_t uid)
 {
-    int result;
-    request.reset(do_app_inst_req_new());
-
-    result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "setting app id failed. Result: " << result);
+    request.setAppId(app_id);
+    request.setPkgId(pkg_id);
+    request.addPath(path, pathType);
 
-    result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "setting pkg id failed. Result: " << result);
-
-    result = security_manager_app_inst_req_add_path(request.get(), path, pathType);
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "setting allowed path failed. Result: " << result);
+    if (uid != 0)
+        request.setUid(uid);
 }
 
 
@@ -546,10 +501,47 @@ static struct passwd* get_app_pw()
     return pw;
 }
 
-RUNNER_CHILD_TEST(security_manager_05_app_install_uninstall_by_app_user)
+
+static void install_and_check(const char *const sm_app_id,
+                              const char *const sm_pkg_id,
+                              const std::string &user, uid_t uid,
+                              const std::string &user_path = SM_PRIVATE_PATH_FOR_USER)
+{
+    InstallRequest requestPublic;
+
+    //install app for non-root user and try to register public path (should fail)
+    prepare_request(requestPublic, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PUBLIC, user_path.c_str(), uid);
+
+    Api::install(requestPublic, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+
+    InstallRequest requestPrivate;
+
+    //install app for non-root user
+    //should fail (users may only register folders inside their home)
+    prepare_request(requestPrivate, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH, uid);
+
+    Api::install(requestPrivate, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+
+    InstallRequest requestPrivateUser;
+
+    //install app for non-root user
+    //should succeed - this time i register folder inside user's home dir
+    prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PRIVATE, user_path.c_str(), uid);
+
+    for (auto &privilege : SM_ALLOWED_PRIVILEGES)
+        requestPrivateUser.addPrivilege(privilege.c_str());
+
+    Api::install(requestPrivateUser);
+
+    check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
+}
+
+RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
 {
     int result;
-    AppInstReqUniquePtr request;
+    const char *const sm_app_id = "sm_test_04a_app_id_uid";
+    const char *const sm_pkg_id = "sm_test_04a_pkg_id_uid";
+
     struct passwd *pw = get_app_pw();
     const std::string user =  std::to_string(static_cast<unsigned int>(pw->pw_uid));
 
@@ -557,54 +549,160 @@ RUNNER_CHILD_TEST(security_manager_05_app_install_uninstall_by_app_user)
     result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
     RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
 
-    //install app as non-root user and try to register public path (should fail)
-    prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PUBLIC, SM_PRIVATE_PATH_FOR_USER);
+    install_and_check(sm_app_id, sm_pkg_id, user, 0);
 
-    result = security_manager_app_install(request.get());
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
-            "installing app not failed. Result: " << result);
+    //uninstall app as non-root user
+    InstallRequest request;
+    request.setAppId(sm_app_id);
 
-    //install app as non-root user
-    //should fail (non-root users may only register folders inside their home)
-    prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH);
+    Api::uninstall(request);
 
-    result = security_manager_app_install(request.get());
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
-            "installing app not failed. Result: " << result);
+    check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
+}
 
-    //install app as non-root user
-    //should succeed - this time i register folder inside user's home dir
-    prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH_FOR_USER);
+RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user)
+{
+    int result;
+    const char *const sm_app_id = "sm_test_04b_app_id_uid";
+    const char *const sm_pkg_id = "sm_test_04b_pkg_id_uid";
 
-    for (auto &privilege : SM_ALLOWED_PRIVILEGES) {
-        result = security_manager_app_inst_req_add_privilege(request.get(), privilege.c_str());
-        RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "setting allowed permission failed. Result: " << result);
-    }
+    struct passwd *pw = get_app_pw();
+    const std::string user =  std::to_string(static_cast<unsigned int>(pw->pw_uid));
 
-    result = security_manager_app_install(request.get());
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "installing app failed. Result: " << result);
+    install_and_check(sm_app_id, sm_pkg_id, user, pw->pw_uid);
 
-    check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
+    //switch user to non-root - root may not uninstall apps for specified users
+    result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
+    RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
 
     //uninstall app as non-root user
-    request.reset(do_app_inst_req_new());
+    InstallRequest request;
+    request.setAppId(sm_app_id);
+
+    Api::uninstall(request);
+
+    check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
+}
+
+
+RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
+{
+    int result;
+    CapsSetsUniquePtr caps, caps_empty(cap_init());
+
+    caps.reset(cap_from_text("all=eip"));
+    RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text");
+    result = cap_set_proc(caps.get());
+    RUNNER_ASSERT_MSG(result == 0,
+        "can't set capabilities. Result: " << result);
+
+    Api::dropProcessPrivileges();
+
+    caps.reset(cap_get_proc());
+    RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
+
+    result = cap_compare(caps.get(), caps_empty.get());
+    RUNNER_ASSERT_MSG(result == 0,
+        "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
+}
+
+RUNNER_CHILD_TEST(security_manager_06_install_app_offline)
+{
+    const char *const app_id = "sm_test_06_app_id_install_app_offline";
+    const char *const pkg_id = "sm_test_06_pkg_id_install_app_offline";
+    DBusAccess dbusAccess("security-manager.service");
+
+    uninstall_app(app_id, pkg_id, true);
+    dbusAccess.maskService();
+    dbusAccess.stopService();
 
-    result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID3);
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "setting app id failed. Result: " << result);
+    install_app(app_id, pkg_id);
 
-    result = security_manager_app_uninstall(request.get());
-    RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
-            "uninstalling app failed. Result: " << result);
+    dbusAccess.unmaskService();
+    dbusAccess.startService();
 
-    check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
+    uninstall_app(app_id, pkg_id, true);
 }
 
+RUNNER_CHILD_TEST(security_manager_07_user_add_app_install)
+{
+    const char *const sm_app_id = "sm_test_07_app_id_user";
+    const char *const sm_pkg_id = "sm_test_07_pkg_id_user";
+    const std::string new_user_name = "sm_test_07_user_name";
+    std::string uid_string;
+    TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
+    uid_string =  std::to_string(static_cast<unsigned int>(test_user.getUid()));
+
+    install_app(sm_app_id, sm_pkg_id, test_user.getUid());
+
+    check_app_after_install(sm_app_id, sm_pkg_id);
+
+    test_user.remove();
+
+    check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
+
+    check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
+}
+
+RUNNER_CHILD_TEST(security_manager_08_user_double_add_double_remove)
+{
+    UserRequest addUserRequest;
+
+    const char *const sm_app_id = "sm_test_08_app_id_user";
+    const char *const sm_pkg_id = "sm_test_08_pkg_id_user";
+    const char *const new_user_name = "sm_test_08_user_name";
+    std::string uid_string;
+
+    // gumd user add
+    TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
+    uid_string =  std::to_string(static_cast<unsigned int>(test_user.getUid()));
+
+    addUserRequest.setUid(test_user.getUid());
+    addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
+
+    //sm user add
+    Api::addUser(addUserRequest);
+
+    install_app(sm_app_id, sm_pkg_id, test_user.getUid());
+
+    check_app_after_install(sm_app_id, sm_pkg_id);
+
+    test_user.remove();
+
+    UserRequest deleteUserRequest;
+    deleteUserRequest.setUid(test_user.getUid());
+
+    Api::deleteUser(deleteUserRequest);
+
+    check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
+
+    check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
+}
+
+RUNNER_CHILD_TEST(security_manager_09_add_user_offline)
+{
+    const char *const app_id = "security_manager_09_add_user_offline_app";
+    const char *const pkg_id = "security_manager_09_add_user_offline_pkg";
+    const std::string username("sm_test_09_user_name");
+    DBusAccess dbusAccess("security-manager.service");
+    dbusAccess.maskService();
+    dbusAccess.stopService();
+
+    TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
+
+    install_app(app_id, pkg_id, user.getUid());
+
+    check_app_after_install(app_id, pkg_id);
+
+    dbusAccess.unmaskService();
+    dbusAccess.startService();
+
+    user.remove();
+
+    check_app_after_uninstall(app_id, pkg_id, true);
+}
 
 int main(int argc, char *argv[])
 {
-    SummaryCollector::Register();
     return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
 }