X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=tests%2Fsecurity-manager-tests%2Fsecurity_manager_tests.cpp;h=df0f46cee105e20157e8c87ce96199ceed423602;hb=8956650ff14e7d7367206c39d74024b78b4bc842;hp=59ece53921eef75b4dc748a3a63453987050ff03;hpb=4142add0b59648154b7020e3906ff33c7e082738;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git diff --git a/tests/security-manager-tests/security_manager_tests.cpp b/tests/security-manager-tests/security_manager_tests.cpp index 59ece53..df0f46c 100644 --- a/tests/security-manager-tests/security_manager_tests.cpp +++ b/tests/security-manager-tests/security_manager_tests.cpp @@ -2,9 +2,14 @@ #include #include #include -#include #include #include +#include + +#include +#include +#include +#include #include #include @@ -13,21 +18,17 @@ #include #include +#include #include +#include +#include +#include #include +#include -DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr); - -static const char *const LABELLED_BINARY_PATH = "/usr/bin/test-app-efl"; - -static const char *const SM_APP_ID1 = "sm_test_app_id_double"; -static const char *const SM_PKG_ID1 = "sm_test_pkg_id_double"; +using namespace SecurityManagerTest; -static const char *const SM_APP_ID2 = "sm_test_app_id_full"; -static const char *const SM_PKG_ID2 = "sm_test_pkg_id_full"; - -static const char *const SM_APP_ID3 = "sm_test_app_id_uid"; -static const char *const SM_PKG_ID3 = "sm_test_pkg_id_uid"; +DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr); static const privileges_t SM_ALLOWED_PRIVILEGES = { "security_manager_test_rules2_r", @@ -42,12 +43,11 @@ static const privileges_t SM_DENIED_PRIVILEGES = { static const privileges_t SM_NO_PRIVILEGES = { }; -static const std::vector SM_ALLOWED_GIDS = {6001, 6002}; +static const std::vector SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"}; -static const char *const SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir"; -static const char *const SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public"; -static const char *const SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro"; -static const char *const SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir"; +static const char *const SM_PRIVATE_PATH = "/usr/apps/test_DIR/app_dir"; +static const char *const SM_PUBLIC_RO_PATH = "/usr/apps/test_DIR/app_dir_public_ro"; +static const char *const SM_DENIED_PATH = "/usr/apps/test_DIR/non_app_dir"; static const char *const SM_PRIVATE_PATH_FOR_USER = "/home/" APP_USER "/test_DIR"; static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/ @@ -110,13 +110,6 @@ static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true); } -static int nftw_check_sm_labels_app_public_dir(const char *fpath, const struct stat *sb, - int /*typeflag*/, struct FTW* /*ftwbuf*/) -{ - - return nftw_check_sm_labels_app_dir(fpath, sb, "User", true, false); -} - static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb, int /*typeflag*/, struct FTW* /*ftwbuf*/) { @@ -124,18 +117,6 @@ static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct st return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false); } -static app_inst_req* do_app_inst_req_new() -{ - int result; - app_inst_req *req = nullptr; - - result = security_manager_app_inst_req_new(&req); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "creation of new request failed. Result: " << result); - RUNNER_ASSERT_MSG(req != nullptr, "creation of new request did not allocate memory"); - return req; -} - static void prepare_app_path() { int result; @@ -143,9 +124,6 @@ static void prepare_app_path() result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH); - result = nftw(SM_PUBLIC_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_PATH); - result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH); @@ -166,9 +144,6 @@ static void check_app_path_after_install() result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS); RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH); - result = nftw(SM_PUBLIC_PATH, &nftw_check_sm_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_PATH); - result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS); RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH); @@ -205,10 +180,7 @@ static void check_app_gids(const char *const app_id, const std::vector &a ret = setgroups(0, NULL); RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups"); - ret = security_manager_set_process_groups_from_appid(app_id); - RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, - "security_manager_set_process_groups_from_appid(" << - app_id << ") failed. Result: " << ret); + Api::setProcessGroups(app_id); ret = getgroups(0, nullptr); RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups"); @@ -229,7 +201,7 @@ static void check_app_gids(const char *const app_id, const std::vector &a static void check_app_after_install(const char *const app_id, const char *const pkg_id, const privileges_t &allowed_privs, const privileges_t &denied_privs, - const std::vector &allowed_gids) + const std::vector &allowed_groups) { TestSecurityManagerDatabase dbtest; dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs); @@ -241,7 +213,16 @@ static void check_app_after_install(const char *const app_id, const char *const /* Setup mapping of gids to privileges */ /* Do this for each privilege for extra check */ for (const auto &privilege : allowed_privs) { - dbtest.setup_privilege_gids(privilege, allowed_gids); + dbtest.setup_privilege_groups(privilege, allowed_groups); + } + + std::vector allowed_gids; + + for (const auto &groupName : allowed_groups) { + errno = 0; + struct group* grp = getgrnam(groupName.c_str()); + RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found"); + allowed_gids.push_back(grp->gr_gid); } check_app_gids(app_id, allowed_gids); @@ -271,42 +252,24 @@ static void check_app_after_uninstall(const char *const app_id, const char *cons dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed); } -static void install_app(const char *app_id, const char *pkg_id) +static void install_app(const char *app_id, const char *pkg_id, uid_t uid = 0) { - int result; - AppInstReqUniquePtr request; - request.reset(do_app_inst_req_new()); - - result = security_manager_app_inst_req_set_app_id(request.get(), app_id); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting app id failed. Result: " << result); - - result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting pkg id failed. Result: " << result); - - result = security_manager_app_install(request.get()); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "installing app failed. Result: " << result); + InstallRequest request; + request.setAppId(app_id); + request.setPkgId(pkg_id); + request.setUid(uid); + Api::install(request); check_app_after_install(app_id, pkg_id); } -static void uninstall_app(const char *app_id, const char *pkg_id, - bool expect_installed, bool expect_pkg_removed) +static void uninstall_app(const char *app_id, const char *pkg_id, bool expect_pkg_removed) { - int result; - AppInstReqUniquePtr request; - request.reset(do_app_inst_req_new()); + InstallRequest request; + request.setAppId(app_id); - result = security_manager_app_inst_req_set_app_id(request.get(), app_id); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting app id failed. Result: " << result); - - result = security_manager_app_uninstall(request.get()); - RUNNER_ASSERT_MSG(!expect_installed || (lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "uninstalling app failed. Result: " << result); + Api::uninstall(request); check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed); } @@ -315,169 +278,172 @@ static void uninstall_app(const char *app_id, const char *pkg_id, RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER) -RUNNER_TEST(security_manager_01_app_double_install_double_uninstall) +RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall) { - int result; - AppInstReqUniquePtr request; + const char *const sm_app_id = "sm_test_01a_app_id_double"; + const char *const sm_pkg_id = "sm_test_01a_pkg_id_double"; - request.reset(do_app_inst_req_new()); + InstallRequest requestInst; + requestInst.setAppId(sm_app_id); + requestInst.setPkgId(sm_pkg_id); - result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting app id failed. Result: " << result); + Api::install(requestInst); + Api::install(requestInst); - result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID1); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting pkg id failed. Result: " << result); + /* Check records in the security-manager database */ + check_app_after_install(sm_app_id, sm_pkg_id); - result = security_manager_app_install(request.get()); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "installing app failed. Result: " << result); + InstallRequest requestUninst; + requestUninst.setAppId(sm_app_id); - result = security_manager_app_install(request.get()); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "installing already installed app failed. Result: " << result); + Api::uninstall(requestUninst); + Api::uninstall(requestUninst); /* Check records in the security-manager database */ - check_app_after_install(SM_APP_ID1, SM_PKG_ID1); + check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED); +} - request.reset(do_app_inst_req_new()); - result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting app id failed. Result: " << result); +RUNNER_TEST(security_manager_01b_app_double_install_wrong_pkg_id) +{ + const char *const sm_app_id = "sm_test_01b_app"; + const char *const sm_pkg_id = "sm_test_01b_pkg"; + const char *const sm_pkg_id_wrong = "sm_test_01b_pkg_BAD"; - result = security_manager_app_uninstall(request.get()); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "uninstalling app failed. Result: " << result); + InstallRequest requestInst; + requestInst.setAppId(sm_app_id); + requestInst.setPkgId(sm_pkg_id); - result = security_manager_app_uninstall(request.get()); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "uninstalling already uninstalled app failed. Result: " << result); + Api::install(requestInst); - /* Check records in the security-manager database */ - check_app_after_uninstall(SM_APP_ID1, SM_PKG_ID1, TestSecurityManagerDatabase::REMOVED); -} + InstallRequest requestInst2; + requestInst2.setAppId(sm_app_id); + requestInst2.setPkgId(sm_pkg_id_wrong); -RUNNER_TEST(security_manager_02_app_install_uninstall_full) -{ - int result; - AppInstReqUniquePtr request; + Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM); - prepare_app_env(); - request.reset(do_app_inst_req_new()); + /* Check records in the security-manager database */ + check_app_after_install(sm_app_id, sm_pkg_id); - result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting app id failed. Result: " << result); + InstallRequest requestUninst; + requestUninst.setAppId(sm_app_id); - result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID2); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting pkg id failed. Result: " << result); + Api::uninstall(requestUninst); - result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[0].c_str()); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting allowed permission failed. Result: " << result); - result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[1].c_str()); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting allowed permission failed. Result: " << result); - result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH, - SECURITY_MANAGER_PATH_PRIVATE); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting allowed path failed. Result: " << result); + /* Check records in the security-manager database */ + check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED); - result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_PATH, - SECURITY_MANAGER_PATH_PUBLIC); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting allowed path failed. Result: " << result); +} - result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH, - SECURITY_MANAGER_PATH_PUBLIC_RO); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting allowed path failed. Result: " << result); +RUNNER_TEST(security_manager_01c_app_uninstall_pkg_id_ignored) +{ + const char * const sm_app_id = "SM_TEST_01c_APPID"; + const char * const sm_pkg_id = "SM_TEST_01c_PKGID"; + const char * const sm_pkg_id_wrong = "SM_TEST_01c_PKGID_wrong"; - result = security_manager_app_install(request.get()); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "installing app failed. Result: " << result); + InstallRequest requestInst; + requestInst.setAppId(sm_app_id); + requestInst.setPkgId(sm_pkg_id); - /* Check records in the security-manager database */ - check_app_after_install(SM_APP_ID2, SM_PKG_ID2, - SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GIDS); + Api::install(requestInst); - /* TODO: add parameters to this function */ - check_app_path_after_install(); + /* Check records in the security-manager database */ + check_app_after_install(sm_app_id, sm_pkg_id); - request.reset(do_app_inst_req_new()); + InstallRequest requestUninst; + requestUninst.setAppId(sm_app_id); + requestUninst.setPkgId(sm_pkg_id_wrong); - result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting app id failed. Result: " << result); + Api::uninstall(requestUninst); - result = security_manager_app_uninstall(request.get()); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "uninstalling app failed. Result: " << result); + check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED); - /* Check records in the security-manager database, - * all previously allowed privileges should be removed */ - check_app_after_uninstall(SM_APP_ID2, SM_PKG_ID2, - SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED); } -RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_binary) +RUNNER_TEST(security_manager_02_app_install_uninstall_full) { - const char *const testBinaryPath = LABELLED_BINARY_PATH; - const char *const expectedLabel = USER_APP_ID; - int result; - char *label = nullptr; - CStringPtr labelPtr; + const char *const sm_app_id = "sm_test_02_app_id_full"; + const char *const sm_pkg_id = "sm_test_02_pkg_id_full"; - result = security_manager_set_process_label_from_binary(testBinaryPath); - RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS, - "security_manager_set_process_label_from_binary(" << - testBinaryPath << ") failed. Result: " << result); + prepare_app_env(); - result = smack_new_label_from_self(&label); - RUNNER_ASSERT_MSG(result >= 0, - " Error getting current process label"); - RUNNER_ASSERT_MSG(label != nullptr, - " Process label is not set"); - labelPtr.reset(label); + InstallRequest requestInst; + requestInst.setAppId(sm_app_id); + requestInst.setPkgId(sm_pkg_id); + requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str()); + requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str()); + requestInst.addPath(SM_PRIVATE_PATH, SECURITY_MANAGER_PATH_PRIVATE); + requestInst.addPath(SM_PUBLIC_RO_PATH, SECURITY_MANAGER_PATH_PUBLIC_RO); - result = strcmp(expectedLabel, label); - RUNNER_ASSERT_MSG(result == 0, - " Process label is incorrect. Expected: \"" << expectedLabel << "\" Actual: \"" - << label << "\""); -} + Api::install(requestInst); -RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_binary_nosmack) -{ - const char *const testBinaryPath = LABELLED_BINARY_PATH; - int result; + /* Check records in the security-manager database */ + check_app_after_install(sm_app_id, sm_pkg_id, + SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS); + + /* TODO: add parameters to this function */ + check_app_path_after_install(); + + InstallRequest requestUninst; + requestUninst.setAppId(sm_app_id); - result = security_manager_set_process_label_from_binary(testBinaryPath); - RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS, - "security_manager_set_process_label_from_binary(" << - testBinaryPath << ") failed. Result: " << result); + Api::uninstall(requestUninst); + + /* Check records in the security-manager database, + * all previously allowed privileges should be removed */ + check_app_after_uninstall(sm_app_id, sm_pkg_id, + SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED); } -RUNNER_CHILD_TEST_SMACK(security_manager_04_set_label_from_appid) +RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid) { - const char *const app_id = "sm_test_app_id_set_label_from_appid"; - const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid"; + const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack"; + const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack"; const char *const expected_label = USER_APP_ID; + const char *const socketLabel = "not_expected_label"; char *label = nullptr; CStringPtr labelPtr; int result; - uninstall_app(app_id, pkg_id, false, true); + uninstall_app(app_id, pkg_id, true); install_app(app_id, pkg_id); - result = security_manager_set_process_label_from_appid(app_id); - RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS, - "security_manager_set_process_label_from_appid(" << - app_id << ") failed. Result: " << result); + struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH}; + //Clean up before creating socket + unlink(SOCK_PATH); + int sock = socket(AF_UNIX, SOCK_STREAM, 0); + RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed"); + SockUniquePtr sockPtr(&sock); + //Bind socket to address + result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un)); + RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed"); + //Set socket label to something different than expecedLabel + result = fsetxattr(sock, XATTR_NAME_SMACKIPIN, socketLabel, + strlen(socketLabel), 0); + RUNNER_ASSERT_ERRNO_MSG(result == 0, + "Can't set socket label. Result: " << result); + result = fsetxattr(sock, XATTR_NAME_SMACKIPOUT, socketLabel, + strlen(socketLabel), 0); + RUNNER_ASSERT_ERRNO_MSG(result == 0, + "Can't set socket label. Result: " << result); + + Api::setProcessLabel(app_id); + + char value[SMACK_LABEL_LEN + 1]; + ssize_t size; + size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value)); + RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value); + result = strcmp(expected_label, value); + RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " << + expected_label << " Actual: " << value); + + size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value)); + RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value); + result = strcmp(expected_label, value); + RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " << + expected_label << " Actual: " << value); result = smack_new_label_from_self(&label); RUNNER_ASSERT_MSG(result >= 0, @@ -491,48 +457,37 @@ RUNNER_CHILD_TEST_SMACK(security_manager_04_set_label_from_appid) " Process label is incorrect. Expected: \"" << expected_label << "\" Actual: \"" << label << "\""); - uninstall_app(app_id, pkg_id, true, true); + uninstall_app(app_id, pkg_id, true); } -RUNNER_CHILD_TEST_NOSMACK(security_manager_04_set_label_from_appid_nosmack) +RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack) { - const char *const app_id = "sm_test_app_id_set_label_from_appid"; - const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid"; - int result; + const char *const app_id = "sm_test_03_app_id_set_label_from_appid_nosmack"; + const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_nosmack"; - uninstall_app(app_id, pkg_id, false, true); + uninstall_app(app_id, pkg_id, true); install_app(app_id, pkg_id); - result = security_manager_set_process_label_from_appid(app_id); - RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS, - "security_manager_set_process_label_from_appid(" << - app_id << ") failed. Result: " << result); + Api::setProcessLabel(app_id); - uninstall_app(app_id, pkg_id, true, true); + uninstall_app(app_id, pkg_id, true); } -static void prepare_request(AppInstReqUniquePtr &request, +static void prepare_request(InstallRequest &request, const char *const app_id, const char *const pkg_id, app_install_path_type pathType, - const char *const path) + const char *const path, + uid_t uid) { - int result; - request.reset(do_app_inst_req_new()); - - result = security_manager_app_inst_req_set_app_id(request.get(), app_id); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting app id failed. Result: " << result); + request.setAppId(app_id); + request.setPkgId(pkg_id); + request.addPath(path, pathType); - result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting pkg id failed. Result: " << result); - - result = security_manager_app_inst_req_add_path(request.get(), path, pathType); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting allowed path failed. Result: " << result); + if (uid != 0) + request.setUid(uid); } @@ -546,10 +501,47 @@ static struct passwd* get_app_pw() return pw; } -RUNNER_CHILD_TEST(security_manager_05_app_install_uninstall_by_app_user) + +static void install_and_check(const char *const sm_app_id, + const char *const sm_pkg_id, + const std::string &user, uid_t uid, + const std::string &user_path = SM_PRIVATE_PATH_FOR_USER) +{ + InstallRequest requestPublic; + + //install app for non-root user and try to register public path (should fail) + prepare_request(requestPublic, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PUBLIC, user_path.c_str(), uid); + + Api::install(requestPublic, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED); + + InstallRequest requestPrivate; + + //install app for non-root user + //should fail (users may only register folders inside their home) + prepare_request(requestPrivate, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH, uid); + + Api::install(requestPrivate, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED); + + InstallRequest requestPrivateUser; + + //install app for non-root user + //should succeed - this time i register folder inside user's home dir + prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PRIVATE, user_path.c_str(), uid); + + for (auto &privilege : SM_ALLOWED_PRIVILEGES) + requestPrivateUser.addPrivilege(privilege.c_str()); + + Api::install(requestPrivateUser); + + check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES); +} + +RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self) { int result; - AppInstReqUniquePtr request; + const char *const sm_app_id = "sm_test_04a_app_id_uid"; + const char *const sm_pkg_id = "sm_test_04a_pkg_id_uid"; + struct passwd *pw = get_app_pw(); const std::string user = std::to_string(static_cast(pw->pw_uid)); @@ -557,54 +549,160 @@ RUNNER_CHILD_TEST(security_manager_05_app_install_uninstall_by_app_user) result = drop_root_privileges(pw->pw_uid, pw->pw_gid); RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - //install app as non-root user and try to register public path (should fail) - prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PUBLIC, SM_PRIVATE_PATH_FOR_USER); + install_and_check(sm_app_id, sm_pkg_id, user, 0); - result = security_manager_app_install(request.get()); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED, - "installing app not failed. Result: " << result); + //uninstall app as non-root user + InstallRequest request; + request.setAppId(sm_app_id); - //install app as non-root user - //should fail (non-root users may only register folders inside their home) - prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH); + Api::uninstall(request); - result = security_manager_app_install(request.get()); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED, - "installing app not failed. Result: " << result); + check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES); +} - //install app as non-root user - //should succeed - this time i register folder inside user's home dir - prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH_FOR_USER); +RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user) +{ + int result; + const char *const sm_app_id = "sm_test_04b_app_id_uid"; + const char *const sm_pkg_id = "sm_test_04b_pkg_id_uid"; - for (auto &privilege : SM_ALLOWED_PRIVILEGES) { - result = security_manager_app_inst_req_add_privilege(request.get(), privilege.c_str()); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting allowed permission failed. Result: " << result); - } + struct passwd *pw = get_app_pw(); + const std::string user = std::to_string(static_cast(pw->pw_uid)); - result = security_manager_app_install(request.get()); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "installing app failed. Result: " << result); + install_and_check(sm_app_id, sm_pkg_id, user, pw->pw_uid); - check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES); + //switch user to non-root - root may not uninstall apps for specified users + result = drop_root_privileges(pw->pw_uid, pw->pw_gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); //uninstall app as non-root user - request.reset(do_app_inst_req_new()); + InstallRequest request; + request.setAppId(sm_app_id); + + Api::uninstall(request); + + check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES); +} + + +RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities) +{ + int result; + CapsSetsUniquePtr caps, caps_empty(cap_init()); + + caps.reset(cap_from_text("all=eip")); + RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text"); + result = cap_set_proc(caps.get()); + RUNNER_ASSERT_MSG(result == 0, + "can't set capabilities. Result: " << result); + + Api::dropProcessPrivileges(); + + caps.reset(cap_get_proc()); + RUNNER_ASSERT_MSG(caps, "can't get proc capabilities"); + + result = cap_compare(caps.get(), caps_empty.get()); + RUNNER_ASSERT_MSG(result == 0, + "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL)); +} + +RUNNER_CHILD_TEST(security_manager_06_install_app_offline) +{ + const char *const app_id = "sm_test_06_app_id_install_app_offline"; + const char *const pkg_id = "sm_test_06_pkg_id_install_app_offline"; + DBusAccess dbusAccess("security-manager.service"); + + uninstall_app(app_id, pkg_id, true); + dbusAccess.maskService(); + dbusAccess.stopService(); - result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID3); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting app id failed. Result: " << result); + install_app(app_id, pkg_id); - result = security_manager_app_uninstall(request.get()); - RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "uninstalling app failed. Result: " << result); + dbusAccess.unmaskService(); + dbusAccess.startService(); - check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES); + uninstall_app(app_id, pkg_id, true); } +RUNNER_CHILD_TEST(security_manager_07_user_add_app_install) +{ + const char *const sm_app_id = "sm_test_07_app_id_user"; + const char *const sm_pkg_id = "sm_test_07_pkg_id_user"; + const std::string new_user_name = "sm_test_07_user_name"; + std::string uid_string; + TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false); + uid_string = std::to_string(static_cast(test_user.getUid())); + + install_app(sm_app_id, sm_pkg_id, test_user.getUid()); + + check_app_after_install(sm_app_id, sm_pkg_id); + + test_user.remove(); + + check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES); + + check_app_after_uninstall(sm_app_id, sm_pkg_id, true); +} + +RUNNER_CHILD_TEST(security_manager_08_user_double_add_double_remove) +{ + UserRequest addUserRequest; + + const char *const sm_app_id = "sm_test_08_app_id_user"; + const char *const sm_pkg_id = "sm_test_08_pkg_id_user"; + const char *const new_user_name = "sm_test_08_user_name"; + std::string uid_string; + + // gumd user add + TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false); + uid_string = std::to_string(static_cast(test_user.getUid())); + + addUserRequest.setUid(test_user.getUid()); + addUserRequest.setUserType(SM_USER_TYPE_NORMAL); + + //sm user add + Api::addUser(addUserRequest); + + install_app(sm_app_id, sm_pkg_id, test_user.getUid()); + + check_app_after_install(sm_app_id, sm_pkg_id); + + test_user.remove(); + + UserRequest deleteUserRequest; + deleteUserRequest.setUid(test_user.getUid()); + + Api::deleteUser(deleteUserRequest); + + check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES); + + check_app_after_uninstall(sm_app_id, sm_pkg_id, true); +} + +RUNNER_CHILD_TEST(security_manager_09_add_user_offline) +{ + const char *const app_id = "security_manager_09_add_user_offline_app"; + const char *const pkg_id = "security_manager_09_add_user_offline_pkg"; + const std::string username("sm_test_09_user_name"); + DBusAccess dbusAccess("security-manager.service"); + dbusAccess.maskService(); + dbusAccess.stopService(); + + TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true); + + install_app(app_id, pkg_id, user.getUid()); + + check_app_after_install(app_id, pkg_id); + + dbusAccess.unmaskService(); + dbusAccess.startService(); + + user.remove(); + + check_app_after_uninstall(app_id, pkg_id, true); +} int main(int argc, char *argv[]) { - SummaryCollector::Register(); return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv); }