X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=tests%2Fsecurity-manager-tests%2Fsecurity_manager_tests.cpp;h=df0f46cee105e20157e8c87ce96199ceed423602;hb=8956650ff14e7d7367206c39d74024b78b4bc842;hp=0e505afcf027136f509fe562cf8b1d99937a84c3;hpb=c8a77b62054614b6bd3f9a30bff54918bec5aea6;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git diff --git a/tests/security-manager-tests/security_manager_tests.cpp b/tests/security-manager-tests/security_manager_tests.cpp index 0e505af..df0f46c 100644 --- a/tests/security-manager-tests/security_manager_tests.cpp +++ b/tests/security-manager-tests/security_manager_tests.cpp @@ -2,31 +2,33 @@ #include #include #include -#include +#include +#include +#include -#include -#include -#include +#include +#include +#include #include +#include +#include + #include #include #include +#include #include +#include +#include +#include +#include +#include -DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr); - -static const char *const LABELLED_BINARY_PATH = "/usr/bin/test-app-efl"; - -static const char *const SM_APP_ID1 = "sm_test_app_id_double"; -static const char *const SM_PKG_ID1 = "sm_test_pkg_id_double"; +using namespace SecurityManagerTest; -static const char *const SM_APP_ID2 = "sm_test_app_id_full"; -static const char *const SM_PKG_ID2 = "sm_test_pkg_id_full"; - -static const char *const SM_APP_ID3 = "sm_test_app_id_uid"; -static const char *const SM_PKG_ID3 = "sm_test_pkg_id_uid"; +DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr); static const privileges_t SM_ALLOWED_PRIVILEGES = { "security_manager_test_rules2_r", @@ -38,72 +40,21 @@ static const privileges_t SM_DENIED_PRIVILEGES = { "security_manager_test_rules2" }; -static const char *const XATTR_NAME_TIZENEXEC = XATTR_SECURITY_PREFIX "TIZEN_EXEC_LABEL"; - -static const rules_t SM_ALLOWED_RULES = { - { USER_APP_ID, "test_sm_book_8", "r" }, - { USER_APP_ID, "test_sm_book_9", "w" }, - { USER_APP_ID, "test_sm_book_10", "x" }, - { USER_APP_ID, "test_sm_book_11", "rw" }, - { USER_APP_ID, "test_sm_book_12", "rx" }, - { USER_APP_ID, "test_sm_book_13", "wx" }, - { USER_APP_ID, "test_sm_book_14", "rwx" }, - { USER_APP_ID, "test_sm_book_15", "rwxat" }, - { "test_sm_subject_8", USER_APP_ID, "r" }, - { "test_sm_subject_9", USER_APP_ID, "w" }, - { "test_sm_subject_10", USER_APP_ID, "x" }, - { "test_sm_subject_11", USER_APP_ID, "rw" }, - { "test_sm_subject_12", USER_APP_ID, "rx" }, - { "test_sm_subject_13", USER_APP_ID, "wx" }, - { "test_sm_subject_14", USER_APP_ID, "rwx" }, - { "test_sm_subject_15", USER_APP_ID, "rwxat" } -}; -static const rules_t SM_DENIED_RULES = { - { USER_APP_ID, "test_sm_book_1", "r" }, - { USER_APP_ID, "test_sm_book_2", "w" }, - { USER_APP_ID, "test_sm_book_3", "x" }, - { USER_APP_ID, "test_sm_book_4", "rw" }, - { USER_APP_ID, "test_sm_book_5", "rx" }, - { USER_APP_ID, "test_sm_book_6", "wx" }, - { USER_APP_ID, "test_sm_book_7", "rwx" }, - { "test_sm_subject_1", USER_APP_ID, "r" }, - { "test_sm_subject_2", USER_APP_ID, "w" }, - { "test_sm_subject_3", USER_APP_ID, "x" }, - { "test_sm_subject_4", USER_APP_ID, "rw" }, - { "test_sm_subject_5", USER_APP_ID, "rx" }, - { "test_sm_subject_6", USER_APP_ID, "wx" }, - { "test_sm_subject_7", USER_APP_ID, "rwx" } +static const privileges_t SM_NO_PRIVILEGES = { }; -static const char *const SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir"; -static const char *const SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public"; -static const char *const SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro"; -static const char *const SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir"; -static const char *const SM_PRIVATE_PATH_FOR_USER_5000 = "/home/app/securitytests/test_DIR"; +static const std::vector SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"}; +static const char *const SM_PRIVATE_PATH = "/usr/apps/test_DIR/app_dir"; +static const char *const SM_PUBLIC_RO_PATH = "/usr/apps/test_DIR/app_dir_public_ro"; +static const char *const SM_DENIED_PATH = "/usr/apps/test_DIR/non_app_dir"; +static const char *const SM_PRIVATE_PATH_FOR_USER = "/home/" APP_USER "/test_DIR"; +static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/ -static bool isLinkToExec(const char *fpath, const struct stat *sb) +static void generateAppLabel(const std::string &pkgId, std::string &label) { - - struct stat buf; - char *target; - int ret; - - // check if it's a link - if ( !S_ISLNK(sb->st_mode)) - return false; - - target = realpath(fpath, NULL); - RUNNER_ASSERT_MSG_BT(target != 0, "Could not obtain real path from link."); - - ret = stat(target, &buf); - RUNNER_ASSERT_MSG_BT(ret == 0, "Could not obtain real path's stat from link."); - - if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) - return false; - - - return true; + (void) pkgId; + label = "User"; } static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb, @@ -111,56 +62,42 @@ static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb { int result; CStringPtr labelPtr; - char* label = NULL; + char* label = nullptr; /* ACCESS */ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS); - RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path"); + RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); labelPtr.reset(label); - RUNNER_ASSERT_MSG_BT(label != NULL, "ACCESS label on " << fpath << " is not set"); + RUNNER_ASSERT_MSG(label != nullptr, "ACCESS label on " << fpath << " is not set"); result = strcmp(correctLabel, label); - RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect" + RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect" " (should be '" << correctLabel << "' and is '" << label << "')"); /* EXEC */ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); - RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path"); + RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); labelPtr.reset(label); if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) { - RUNNER_ASSERT_MSG_BT(label != NULL, "EXEC label on " << fpath << " is not set"); + RUNNER_ASSERT_MSG(label != nullptr, "EXEC label on " << fpath << " is not set"); result = strcmp(correctLabel, label); - RUNNER_ASSERT_MSG_BT(result == 0, "Incorrect EXEC label on executable file " << fpath); + RUNNER_ASSERT_MSG(result == 0, "Incorrect EXEC label on executable file " << fpath); } else - RUNNER_ASSERT_MSG_BT(label == NULL, "EXEC label on " << fpath << " is set"); - - - /* LINK TO EXEC */ - if (isLinkToExec(fpath, sb) && exec_test) { - char buf[SMACK_LABEL_LEN+1]; - result = lgetxattr(fpath, XATTR_NAME_TIZENEXEC, buf, sizeof(buf)); - RUNNER_ASSERT_MSG_BT(result != -1, "Could not get label for the path " - << fpath << "("<st_mode) && transmute_test == true) { - RUNNER_ASSERT_MSG_BT(label != NULL, "TRANSMUTE label on " << fpath << " is not set at all"); - RUNNER_ASSERT_MSG_BT(strcmp(label,"TRUE") == 0, + RUNNER_ASSERT_MSG(label != nullptr, "TRANSMUTE label on " << fpath << " is not set at all"); + RUNNER_ASSERT_MSG(strcmp(label,"TRUE") == 0, "TRANSMUTE label on " << fpath << " is not set properly: '"< &allowed_gids) +{ + int ret; + gid_t main_gid = getgid(); + std::unordered_set reference_gids(allowed_gids.begin(), allowed_gids.end()); + + // Reset supplementary groups + ret = setgroups(0, NULL); + RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups"); + + Api::setProcessGroups(app_id); + + ret = getgroups(0, nullptr); + RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups"); + + std::vector actual_gids(ret); + ret = getgroups(ret, actual_gids.data()); + RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups"); + + for (const auto &gid : actual_gids) { + RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0, + "Application shouldn't get access to group " << gid); + reference_gids.erase(gid); + } + + RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups"); } static void check_app_after_install(const char *const app_id, const char *const pkg_id, - const privileges_t &allowed_privs, const privileges_t &denied_privs, - const rules_t &allowed_rules, const rules_t &denied_rules) + const privileges_t &allowed_privs, + const privileges_t &denied_privs, + const std::vector &allowed_groups) { TestSecurityManagerDatabase dbtest; dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs); dbtest.check_privileges_removed(app_id, pkg_id, denied_privs); - check_app_permissions(app_id, pkg_id, - allowed_privs, denied_privs, - allowed_rules, denied_rules); + /*Privileges should be granted to all users if root installs app*/ + check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs); + + /* Setup mapping of gids to privileges */ + /* Do this for each privilege for extra check */ + for (const auto &privilege : allowed_privs) { + dbtest.setup_privilege_groups(privilege, allowed_groups); + } + + std::vector allowed_gids; + + for (const auto &groupName : allowed_groups) { + errno = 0; + struct group* grp = getgrnam(groupName.c_str()); + RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found"); + allowed_gids.push_back(grp->gr_gid); + } + + check_app_gids(app_id, allowed_gids); } static void check_app_after_install(const char *const app_id, const char *const pkg_id) @@ -286,6 +239,10 @@ static void check_app_after_uninstall(const char *const app_id, const char *cons { TestSecurityManagerDatabase dbtest; dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed); + + + /*Privileges should not be granted anymore to any user*/ + check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges); } static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id, @@ -295,42 +252,24 @@ static void check_app_after_uninstall(const char *const app_id, const char *cons dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed); } -static void install_app(const char *app_id, const char *pkg_id) +static void install_app(const char *app_id, const char *pkg_id, uid_t uid = 0) { - int result; - AppInstReqUniquePtr request; - request.reset(do_app_inst_req_new()); - - result = security_manager_app_inst_req_set_app_id(request.get(), app_id); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting app id failed. Result: " << result); - - result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting pkg id failed. Result: " << result); - - result = security_manager_app_install(request.get()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "installing app failed. Result: " << result); + InstallRequest request; + request.setAppId(app_id); + request.setPkgId(pkg_id); + request.setUid(uid); + Api::install(request); check_app_after_install(app_id, pkg_id); } -static void uninstall_app(const char *app_id, const char *pkg_id, - bool expect_installed, bool expect_pkg_removed) +static void uninstall_app(const char *app_id, const char *pkg_id, bool expect_pkg_removed) { - int result; - AppInstReqUniquePtr request; - request.reset(do_app_inst_req_new()); + InstallRequest request; + request.setAppId(app_id); - result = security_manager_app_inst_req_set_app_id(request.get(), app_id); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting app id failed. Result: " << result); - - result = security_manager_app_uninstall(request.get()); - RUNNER_ASSERT_MSG_BT(!expect_installed || (lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "uninstalling app failed. Result: " << result); + Api::uninstall(request); check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed); } @@ -339,277 +278,431 @@ static void uninstall_app(const char *app_id, const char *pkg_id, RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER) -RUNNER_TEST(security_manager_01_app_double_install_double_uninstall) +RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall) { - int result; - AppInstReqUniquePtr request; + const char *const sm_app_id = "sm_test_01a_app_id_double"; + const char *const sm_pkg_id = "sm_test_01a_pkg_id_double"; - request.reset(do_app_inst_req_new()); + InstallRequest requestInst; + requestInst.setAppId(sm_app_id); + requestInst.setPkgId(sm_pkg_id); - result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting app id failed. Result: " << result); + Api::install(requestInst); + Api::install(requestInst); - result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID1); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting pkg id failed. Result: " << result); + /* Check records in the security-manager database */ + check_app_after_install(sm_app_id, sm_pkg_id); - result = security_manager_app_install(request.get()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "installing app failed. Result: " << result); + InstallRequest requestUninst; + requestUninst.setAppId(sm_app_id); - result = security_manager_app_install(request.get()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "installing already installed app failed. Result: " << result); + Api::uninstall(requestUninst); + Api::uninstall(requestUninst); /* Check records in the security-manager database */ - check_app_after_install(SM_APP_ID1, SM_PKG_ID1); + check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED); +} - request.reset(do_app_inst_req_new()); - result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting app id failed. Result: " << result); +RUNNER_TEST(security_manager_01b_app_double_install_wrong_pkg_id) +{ + const char *const sm_app_id = "sm_test_01b_app"; + const char *const sm_pkg_id = "sm_test_01b_pkg"; + const char *const sm_pkg_id_wrong = "sm_test_01b_pkg_BAD"; - result = security_manager_app_uninstall(request.get()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "uninstalling app failed. Result: " << result); + InstallRequest requestInst; + requestInst.setAppId(sm_app_id); + requestInst.setPkgId(sm_pkg_id); - result = security_manager_app_uninstall(request.get()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "uninstalling already uninstalled app failed. Result: " << result); + Api::install(requestInst); - /* Check records in the security-manager database */ - check_app_after_uninstall(SM_APP_ID1, SM_PKG_ID1, TestSecurityManagerDatabase::REMOVED); -} + InstallRequest requestInst2; + requestInst2.setAppId(sm_app_id); + requestInst2.setPkgId(sm_pkg_id_wrong); -RUNNER_TEST(security_manager_02_app_install_uninstall_full) -{ - int result; - AppInstReqUniquePtr request; + Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM); - prepare_app_env(); - request.reset(do_app_inst_req_new()); + /* Check records in the security-manager database */ + check_app_after_install(sm_app_id, sm_pkg_id); - result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting app id failed. Result: " << result); + InstallRequest requestUninst; + requestUninst.setAppId(sm_app_id); - result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID2); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting pkg id failed. Result: " << result); + Api::uninstall(requestUninst); - result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[0].c_str()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting allowed permission failed. Result: " << result); - result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[1].c_str()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting allowed permission failed. Result: " << result); - result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH, - SECURITY_MANAGER_PATH_PRIVATE); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting allowed path failed. Result: " << result); + /* Check records in the security-manager database */ + check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED); - result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_PATH, - SECURITY_MANAGER_PATH_PUBLIC); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting allowed path failed. Result: " << result); +} - result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH, - SECURITY_MANAGER_PATH_PUBLIC_RO); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting allowed path failed. Result: " << result); +RUNNER_TEST(security_manager_01c_app_uninstall_pkg_id_ignored) +{ + const char * const sm_app_id = "SM_TEST_01c_APPID"; + const char * const sm_pkg_id = "SM_TEST_01c_PKGID"; + const char * const sm_pkg_id_wrong = "SM_TEST_01c_PKGID_wrong"; - result = security_manager_app_install(request.get()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "installing app failed. Result: " << result); + InstallRequest requestInst; + requestInst.setAppId(sm_app_id); + requestInst.setPkgId(sm_pkg_id); - /* Check records in the security-manager database */ - check_app_after_install(SM_APP_ID2, SM_PKG_ID2, - SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, - SM_ALLOWED_RULES, SM_DENIED_RULES); + Api::install(requestInst); - /* TODO: add parameters to this function */ - check_app_path_after_install(); + /* Check records in the security-manager database */ + check_app_after_install(sm_app_id, sm_pkg_id); - request.reset(do_app_inst_req_new()); + InstallRequest requestUninst; + requestUninst.setAppId(sm_app_id); + requestUninst.setPkgId(sm_pkg_id_wrong); - result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting app id failed. Result: " << result); + Api::uninstall(requestUninst); - result = security_manager_app_uninstall(request.get()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "uninstalling app failed. Result: " << result); + check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED); - /* Check records in the security-manager database, - * all previously allowed privileges should be removed */ - check_app_after_uninstall(SM_APP_ID2, SM_PKG_ID2, - SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED); } -RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_binary) +RUNNER_TEST(security_manager_02_app_install_uninstall_full) { - const char *const testBinaryPath = LABELLED_BINARY_PATH; - const char *const expectedLabel = USER_APP_ID; - int result; - char *label = NULL; - CStringPtr labelPtr; + const char *const sm_app_id = "sm_test_02_app_id_full"; + const char *const sm_pkg_id = "sm_test_02_pkg_id_full"; - result = security_manager_set_process_label_from_binary(testBinaryPath); - RUNNER_ASSERT_MSG_BT(result == SECURITY_MANAGER_SUCCESS, - "security_manager_set_process_label_from_binary(" << - testBinaryPath << ") failed. Result: " << result); + prepare_app_env(); - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG_BT(result >= 0, - " Error getting current process label"); - RUNNER_ASSERT_MSG_BT(label != NULL, - " Process label is not set"); - labelPtr.reset(label); + InstallRequest requestInst; + requestInst.setAppId(sm_app_id); + requestInst.setPkgId(sm_pkg_id); + requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str()); + requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str()); + requestInst.addPath(SM_PRIVATE_PATH, SECURITY_MANAGER_PATH_PRIVATE); + requestInst.addPath(SM_PUBLIC_RO_PATH, SECURITY_MANAGER_PATH_PUBLIC_RO); - result = strcmp(expectedLabel, label); - RUNNER_ASSERT_MSG_BT(result == 0, - " Process label is incorrect. Expected: \"" << expectedLabel << "\" Actual: \"" - << label << "\""); -} + Api::install(requestInst); -RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_binary_nosmack) -{ - const char *const testBinaryPath = LABELLED_BINARY_PATH; - int result; + /* Check records in the security-manager database */ + check_app_after_install(sm_app_id, sm_pkg_id, + SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS); + + /* TODO: add parameters to this function */ + check_app_path_after_install(); - result = security_manager_set_process_label_from_binary(testBinaryPath); - RUNNER_ASSERT_MSG_BT(result == SECURITY_MANAGER_SUCCESS, - "security_manager_set_process_label_from_binary(" << - testBinaryPath << ") failed. Result: " << result); + InstallRequest requestUninst; + requestUninst.setAppId(sm_app_id); + + Api::uninstall(requestUninst); + + /* Check records in the security-manager database, + * all previously allowed privileges should be removed */ + check_app_after_uninstall(sm_app_id, sm_pkg_id, + SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED); } -RUNNER_CHILD_TEST_SMACK(security_manager_04_set_label_from_appid) +RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid) { - const char *const app_id = "sm_test_app_id_set_label_from_appid"; - const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid"; + const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack"; + const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack"; const char *const expected_label = USER_APP_ID; - char *label = NULL; + const char *const socketLabel = "not_expected_label"; + char *label = nullptr; CStringPtr labelPtr; int result; - uninstall_app(app_id, pkg_id, false, true); + uninstall_app(app_id, pkg_id, true); install_app(app_id, pkg_id); - result = security_manager_set_process_label_from_appid(app_id); - RUNNER_ASSERT_MSG_BT(result == SECURITY_MANAGER_SUCCESS, - "security_manager_set_process_label_from_appid(" << - app_id << ") failed. Result: " << result); + struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH}; + //Clean up before creating socket + unlink(SOCK_PATH); + int sock = socket(AF_UNIX, SOCK_STREAM, 0); + RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed"); + SockUniquePtr sockPtr(&sock); + //Bind socket to address + result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un)); + RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed"); + //Set socket label to something different than expecedLabel + result = fsetxattr(sock, XATTR_NAME_SMACKIPIN, socketLabel, + strlen(socketLabel), 0); + RUNNER_ASSERT_ERRNO_MSG(result == 0, + "Can't set socket label. Result: " << result); + result = fsetxattr(sock, XATTR_NAME_SMACKIPOUT, socketLabel, + strlen(socketLabel), 0); + RUNNER_ASSERT_ERRNO_MSG(result == 0, + "Can't set socket label. Result: " << result); + + Api::setProcessLabel(app_id); + + char value[SMACK_LABEL_LEN + 1]; + ssize_t size; + size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value)); + RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value); + result = strcmp(expected_label, value); + RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " << + expected_label << " Actual: " << value); + + size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value)); + RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value); + result = strcmp(expected_label, value); + RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " << + expected_label << " Actual: " << value); result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG_BT(result >= 0, + RUNNER_ASSERT_MSG(result >= 0, " Error getting current process label"); - RUNNER_ASSERT_MSG_BT(label != NULL, + RUNNER_ASSERT_MSG(label != nullptr, " Process label is not set"); labelPtr.reset(label); result = strcmp(expected_label, label); - RUNNER_ASSERT_MSG_BT(result == 0, + RUNNER_ASSERT_MSG(result == 0, " Process label is incorrect. Expected: \"" << expected_label << "\" Actual: \"" << label << "\""); - uninstall_app(app_id, pkg_id, true, true); + uninstall_app(app_id, pkg_id, true); } -RUNNER_CHILD_TEST_NOSMACK(security_manager_04_set_label_from_appid_nosmack) +RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack) { - const char *const app_id = "sm_test_app_id_set_label_from_appid"; - const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid"; - int result; + const char *const app_id = "sm_test_03_app_id_set_label_from_appid_nosmack"; + const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_nosmack"; - uninstall_app(app_id, pkg_id, false, true); + uninstall_app(app_id, pkg_id, true); install_app(app_id, pkg_id); - result = security_manager_set_process_label_from_appid(app_id); - RUNNER_ASSERT_MSG_BT(result == SECURITY_MANAGER_SUCCESS, - "security_manager_set_process_label_from_appid(" << - app_id << ") failed. Result: " << result); + Api::setProcessLabel(app_id); - uninstall_app(app_id, pkg_id, true, true); + uninstall_app(app_id, pkg_id, true); } -static void prepare_request(AppInstReqUniquePtr &request, +static void prepare_request(InstallRequest &request, const char *const app_id, const char *const pkg_id, app_install_path_type pathType, - const char *const path) + const char *const path, + uid_t uid) { - int result; - request.reset(do_app_inst_req_new()); + request.setAppId(app_id); + request.setPkgId(pkg_id); + request.addPath(path, pathType); - result = security_manager_app_inst_req_set_app_id(request.get(), app_id); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting app id failed. Result: " << result); + if (uid != 0) + request.setUid(uid); +} - result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting pkg id failed. Result: " << result); - result = security_manager_app_inst_req_add_path(request.get(), path, pathType); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting allowed path failed. Result: " << result); +static struct passwd* get_app_pw() +{ + struct passwd *pw = nullptr; + errno = 0; + while(!(pw = getpwnam(APP_USER))) { + RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed"); + } + return pw; } +static void install_and_check(const char *const sm_app_id, + const char *const sm_pkg_id, + const std::string &user, uid_t uid, + const std::string &user_path = SM_PRIVATE_PATH_FOR_USER) +{ + InstallRequest requestPublic; + + //install app for non-root user and try to register public path (should fail) + prepare_request(requestPublic, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PUBLIC, user_path.c_str(), uid); + + Api::install(requestPublic, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED); + + InstallRequest requestPrivate; + + //install app for non-root user + //should fail (users may only register folders inside their home) + prepare_request(requestPrivate, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH, uid); -RUNNER_CHILD_TEST(security_manager_05_app_install_uninstall_by_uid_5000) + Api::install(requestPrivate, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED); + + InstallRequest requestPrivateUser; + + //install app for non-root user + //should succeed - this time i register folder inside user's home dir + prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PRIVATE, user_path.c_str(), uid); + + for (auto &privilege : SM_ALLOWED_PRIVILEGES) + requestPrivateUser.addPrivilege(privilege.c_str()); + + Api::install(requestPrivateUser); + + check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES); +} + +RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self) { int result; - AppInstReqUniquePtr request; + const char *const sm_app_id = "sm_test_04a_app_id_uid"; + const char *const sm_pkg_id = "sm_test_04a_pkg_id_uid"; + struct passwd *pw = get_app_pw(); + const std::string user = std::to_string(static_cast(pw->pw_uid)); //switch user to non-root - result = drop_root_privileges(); - RUNNER_ASSERT_MSG_BT(result == 0, "drop_root_privileges failed"); + result = drop_root_privileges(pw->pw_uid, pw->pw_gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - //install app as non-root user and try to register public path (should fail) - prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PUBLIC, SM_PRIVATE_PATH_FOR_USER_5000); + install_and_check(sm_app_id, sm_pkg_id, user, 0); - result = security_manager_app_install(request.get()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED, - "installing app not failed. Result: " << result); + //uninstall app as non-root user + InstallRequest request; + request.setAppId(sm_app_id); - //install app as non-root user - //should fail (non-root users may only register folders inside their home) - prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH); + Api::uninstall(request); - result = security_manager_app_install(request.get()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED, - "installing app not failed. Result: " << result); + check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES); +} - //install app as non-root user - //should succeed - this time i register folder inside user's home dir - prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH_FOR_USER_5000); +RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user) +{ + int result; + const char *const sm_app_id = "sm_test_04b_app_id_uid"; + const char *const sm_pkg_id = "sm_test_04b_pkg_id_uid"; + + struct passwd *pw = get_app_pw(); + const std::string user = std::to_string(static_cast(pw->pw_uid)); - result = security_manager_app_install(request.get()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "installing app failed. Result: " << result); + install_and_check(sm_app_id, sm_pkg_id, user, pw->pw_uid); + + //switch user to non-root - root may not uninstall apps for specified users + result = drop_root_privileges(pw->pw_uid, pw->pw_gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); //uninstall app as non-root user - request.reset(do_app_inst_req_new()); + InstallRequest request; + request.setAppId(sm_app_id); + + Api::uninstall(request); + + check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES); +} + + +RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities) +{ + int result; + CapsSetsUniquePtr caps, caps_empty(cap_init()); + + caps.reset(cap_from_text("all=eip")); + RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text"); + result = cap_set_proc(caps.get()); + RUNNER_ASSERT_MSG(result == 0, + "can't set capabilities. Result: " << result); + + Api::dropProcessPrivileges(); + + caps.reset(cap_get_proc()); + RUNNER_ASSERT_MSG(caps, "can't get proc capabilities"); + + result = cap_compare(caps.get(), caps_empty.get()); + RUNNER_ASSERT_MSG(result == 0, + "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL)); +} + +RUNNER_CHILD_TEST(security_manager_06_install_app_offline) +{ + const char *const app_id = "sm_test_06_app_id_install_app_offline"; + const char *const pkg_id = "sm_test_06_pkg_id_install_app_offline"; + DBusAccess dbusAccess("security-manager.service"); + + uninstall_app(app_id, pkg_id, true); + dbusAccess.maskService(); + dbusAccess.stopService(); + + install_app(app_id, pkg_id); + + dbusAccess.unmaskService(); + dbusAccess.startService(); + + uninstall_app(app_id, pkg_id, true); +} + +RUNNER_CHILD_TEST(security_manager_07_user_add_app_install) +{ + const char *const sm_app_id = "sm_test_07_app_id_user"; + const char *const sm_pkg_id = "sm_test_07_pkg_id_user"; + const std::string new_user_name = "sm_test_07_user_name"; + std::string uid_string; + TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false); + uid_string = std::to_string(static_cast(test_user.getUid())); + + install_app(sm_app_id, sm_pkg_id, test_user.getUid()); + + check_app_after_install(sm_app_id, sm_pkg_id); + + test_user.remove(); + + check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES); + + check_app_after_uninstall(sm_app_id, sm_pkg_id, true); +} + +RUNNER_CHILD_TEST(security_manager_08_user_double_add_double_remove) +{ + UserRequest addUserRequest; + + const char *const sm_app_id = "sm_test_08_app_id_user"; + const char *const sm_pkg_id = "sm_test_08_pkg_id_user"; + const char *const new_user_name = "sm_test_08_user_name"; + std::string uid_string; + + // gumd user add + TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false); + uid_string = std::to_string(static_cast(test_user.getUid())); + + addUserRequest.setUid(test_user.getUid()); + addUserRequest.setUserType(SM_USER_TYPE_NORMAL); + + //sm user add + Api::addUser(addUserRequest); + + install_app(sm_app_id, sm_pkg_id, test_user.getUid()); + + check_app_after_install(sm_app_id, sm_pkg_id); + + test_user.remove(); + + UserRequest deleteUserRequest; + deleteUserRequest.setUid(test_user.getUid()); - result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID3); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting app id failed. Result: " << result); + Api::deleteUser(deleteUserRequest); - result = security_manager_app_uninstall(request.get()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "uninstalling app failed. Result: " << result); + check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES); + + check_app_after_uninstall(sm_app_id, sm_pkg_id, true); } +RUNNER_CHILD_TEST(security_manager_09_add_user_offline) +{ + const char *const app_id = "security_manager_09_add_user_offline_app"; + const char *const pkg_id = "security_manager_09_add_user_offline_pkg"; + const std::string username("sm_test_09_user_name"); + DBusAccess dbusAccess("security-manager.service"); + dbusAccess.maskService(); + dbusAccess.stopService(); + + TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true); + + install_app(app_id, pkg_id, user.getUid()); + + check_app_after_install(app_id, pkg_id); + + dbusAccess.unmaskService(); + dbusAccess.startService(); + + user.remove(); + + check_app_after_uninstall(app_id, pkg_id, true); +} int main(int argc, char *argv[]) { - SummaryCollector::Register(); return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv); }