X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=tests%2Fsecurity-manager-tests%2Fsecurity_manager_tests.cpp;h=df0f46cee105e20157e8c87ce96199ceed423602;hb=8956650ff14e7d7367206c39d74024b78b4bc842;hp=b33e4689eb1de998e97d8d82eda356a3118020e9;hpb=6d25b48d99e3aeb735602df0b64084292f5bff4b;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git diff --git a/tests/security-manager-tests/security_manager_tests.cpp b/tests/security-manager-tests/security_manager_tests.cpp index b33e468..df0f46c 100644 --- a/tests/security-manager-tests/security_manager_tests.cpp +++ b/tests/security-manager-tests/security_manager_tests.cpp @@ -2,26 +2,33 @@ #include #include #include -#include +#include +#include +#include -#include -#include -#include +#include +#include +#include #include +#include +#include + #include #include #include +#include #include +#include +#include +#include +#include +#include -DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr); - -static const char *const SM_APP_ID1 = "sm_test_app_id_double"; -static const char *const SM_PKG_ID1 = "sm_test_pkg_id_double"; +using namespace SecurityManagerTest; -static const char *const SM_APP_ID2 = "sm_test_app_id_full"; -static const char *const SM_PKG_ID2 = "sm_test_pkg_id_full"; +DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr); static const privileges_t SM_ALLOWED_PRIVILEGES = { "security_manager_test_rules2_r", @@ -33,71 +40,21 @@ static const privileges_t SM_DENIED_PRIVILEGES = { "security_manager_test_rules2" }; -static const char *const XATTR_NAME_TIZENEXEC = XATTR_SECURITY_PREFIX "TIZEN_EXEC_LABEL"; - -static const rules_t SM_ALLOWED_RULES = { - { USER_APP_ID, "test_sm_book_8", "r" }, - { USER_APP_ID, "test_sm_book_9", "w" }, - { USER_APP_ID, "test_sm_book_10", "x" }, - { USER_APP_ID, "test_sm_book_11", "rw" }, - { USER_APP_ID, "test_sm_book_12", "rx" }, - { USER_APP_ID, "test_sm_book_13", "wx" }, - { USER_APP_ID, "test_sm_book_14", "rwx" }, - { USER_APP_ID, "test_sm_book_15", "rwxat" }, - { "test_sm_subject_8", USER_APP_ID, "r" }, - { "test_sm_subject_9", USER_APP_ID, "w" }, - { "test_sm_subject_10", USER_APP_ID, "x" }, - { "test_sm_subject_11", USER_APP_ID, "rw" }, - { "test_sm_subject_12", USER_APP_ID, "rx" }, - { "test_sm_subject_13", USER_APP_ID, "wx" }, - { "test_sm_subject_14", USER_APP_ID, "rwx" }, - { "test_sm_subject_15", USER_APP_ID, "rwxat" } -}; -static const rules_t SM_DENIED_RULES = { - { USER_APP_ID, "test_sm_book_1", "r" }, - { USER_APP_ID, "test_sm_book_2", "w" }, - { USER_APP_ID, "test_sm_book_3", "x" }, - { USER_APP_ID, "test_sm_book_4", "rw" }, - { USER_APP_ID, "test_sm_book_5", "rx" }, - { USER_APP_ID, "test_sm_book_6", "wx" }, - { USER_APP_ID, "test_sm_book_7", "rwx" }, - { "test_sm_subject_1", USER_APP_ID, "r" }, - { "test_sm_subject_2", USER_APP_ID, "w" }, - { "test_sm_subject_3", USER_APP_ID, "x" }, - { "test_sm_subject_4", USER_APP_ID, "rw" }, - { "test_sm_subject_5", USER_APP_ID, "rx" }, - { "test_sm_subject_6", USER_APP_ID, "wx" }, - { "test_sm_subject_7", USER_APP_ID, "rwx" } +static const privileges_t SM_NO_PRIVILEGES = { }; -static const char *const SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir"; -static const char *const SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public"; -static const char *const SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro"; -static const char *const SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir"; +static const std::vector SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"}; +static const char *const SM_PRIVATE_PATH = "/usr/apps/test_DIR/app_dir"; +static const char *const SM_PUBLIC_RO_PATH = "/usr/apps/test_DIR/app_dir_public_ro"; +static const char *const SM_DENIED_PATH = "/usr/apps/test_DIR/non_app_dir"; +static const char *const SM_PRIVATE_PATH_FOR_USER = "/home/" APP_USER "/test_DIR"; +static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/ -static bool isLinkToExec(const char *fpath, const struct stat *sb) +static void generateAppLabel(const std::string &pkgId, std::string &label) { - - struct stat buf; - char *target; - int ret; - - // check if it's a link - if ( !S_ISLNK(sb->st_mode)) - return false; - - target = realpath(fpath, NULL); - RUNNER_ASSERT_MSG_BT(target != 0, "Could not obtain real path from link."); - - ret = stat(target, &buf); - RUNNER_ASSERT_MSG_BT(ret == 0, "Could not obtain real path's stat from link."); - - if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) - return false; - - - return true; + (void) pkgId; + label = "User"; } static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb, @@ -105,56 +62,42 @@ static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb { int result; CStringPtr labelPtr; - char* label = NULL; + char* label = nullptr; /* ACCESS */ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS); - RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path"); + RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); labelPtr.reset(label); - RUNNER_ASSERT_MSG_BT(label != NULL, "ACCESS label on " << fpath << " is not set"); + RUNNER_ASSERT_MSG(label != nullptr, "ACCESS label on " << fpath << " is not set"); result = strcmp(correctLabel, label); - RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect" + RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect" " (should be '" << correctLabel << "' and is '" << label << "')"); /* EXEC */ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC); - RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path"); + RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path"); labelPtr.reset(label); if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) { - RUNNER_ASSERT_MSG_BT(label != NULL, "EXEC label on " << fpath << " is not set"); + RUNNER_ASSERT_MSG(label != nullptr, "EXEC label on " << fpath << " is not set"); result = strcmp(correctLabel, label); - RUNNER_ASSERT_MSG_BT(result == 0, "Incorrect EXEC label on executable file " << fpath); + RUNNER_ASSERT_MSG(result == 0, "Incorrect EXEC label on executable file " << fpath); } else - RUNNER_ASSERT_MSG_BT(label == NULL, "EXEC label on " << fpath << " is set"); - - - /* LINK TO EXEC */ - if (isLinkToExec(fpath, sb) && exec_test) { - char buf[SMACK_LABEL_LEN+1]; - result = lgetxattr(fpath, XATTR_NAME_TIZENEXEC, buf, sizeof(buf)); - RUNNER_ASSERT_MSG_BT(result != -1, "Could not get label for the path " - << fpath << "("<st_mode) && transmute_test == true) { - RUNNER_ASSERT_MSG_BT(label != NULL, "TRANSMUTE label on " << fpath << " is not set at all"); - RUNNER_ASSERT_MSG_BT(strcmp(label,"TRUE") == 0, + RUNNER_ASSERT_MSG(label != nullptr, "TRANSMUTE label on " << fpath << " is not set at all"); + RUNNER_ASSERT_MSG(strcmp(label,"TRUE") == 0, "TRANSMUTE label on " << fpath << " is not set properly: '"< &allowed_gids) { - bool result; + int ret; + gid_t main_gid = getgid(); + std::unordered_set reference_gids(allowed_gids.begin(), allowed_gids.end()); + + // Reset supplementary groups + ret = setgroups(0, NULL); + RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups"); - result = check_all_accesses(smack_check(), allowed_rules); - RUNNER_ASSERT_MSG_BT(result, "Permissions not added."); - result = check_no_accesses(smack_check(), denied_rules); - RUNNER_ASSERT_MSG_BT(result, "Permissions added."); + Api::setProcessGroups(app_id); - /* TODO: USER_APP_ID is hardcoded in the following checks, because libprivilege always generate - * label "User" for all installed apps. Adjust it when libprivilege is upgraded. */ - (void)app_id; // unused parameter - (void)pkg_id; // unused parameter + ret = getgroups(0, nullptr); + RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups"); - for (auto it = allowed_privs.begin(); it != allowed_privs.end(); ++it) - check_perm_app_has_permission(USER_APP_ID, (*it).c_str(), true); + std::vector actual_gids(ret); + ret = getgroups(ret, actual_gids.data()); + RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups"); - for (auto it = denied_privs.begin(); it != denied_privs.end(); ++it) - check_perm_app_has_permission(USER_APP_ID, (*it).c_str(), false); + for (const auto &gid : actual_gids) { + RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0, + "Application shouldn't get access to group " << gid); + reference_gids.erase(gid); + } + + RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups"); } static void check_app_after_install(const char *const app_id, const char *const pkg_id, - const privileges_t &allowed_privs, const privileges_t &denied_privs, - const rules_t &allowed_rules, const rules_t &denied_rules) + const privileges_t &allowed_privs, + const privileges_t &denied_privs, + const std::vector &allowed_groups) { TestSecurityManagerDatabase dbtest; dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs); dbtest.check_privileges_removed(app_id, pkg_id, denied_privs); - check_app_permissions(app_id, pkg_id, - allowed_privs, denied_privs, - allowed_rules, denied_rules); + /*Privileges should be granted to all users if root installs app*/ + check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs); + + /* Setup mapping of gids to privileges */ + /* Do this for each privilege for extra check */ + for (const auto &privilege : allowed_privs) { + dbtest.setup_privilege_groups(privilege, allowed_groups); + } + + std::vector allowed_gids; + + for (const auto &groupName : allowed_groups) { + errno = 0; + struct group* grp = getgrnam(groupName.c_str()); + RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found"); + allowed_gids.push_back(grp->gr_gid); + } + + check_app_gids(app_id, allowed_gids); } static void check_app_after_install(const char *const app_id, const char *const pkg_id) @@ -280,6 +239,10 @@ static void check_app_after_uninstall(const char *const app_id, const char *cons { TestSecurityManagerDatabase dbtest; dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed); + + + /*Privileges should not be granted anymore to any user*/ + check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges); } static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id, @@ -289,123 +252,457 @@ static void check_app_after_uninstall(const char *const app_id, const char *cons dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed); } +static void install_app(const char *app_id, const char *pkg_id, uid_t uid = 0) +{ + InstallRequest request; + request.setAppId(app_id); + request.setPkgId(pkg_id); + request.setUid(uid); + Api::install(request); + + check_app_after_install(app_id, pkg_id); + +} + +static void uninstall_app(const char *app_id, const char *pkg_id, bool expect_pkg_removed) +{ + InstallRequest request; + request.setAppId(app_id); + + Api::uninstall(request); + + check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed); +} + RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER) -RUNNER_TEST(security_manager_01_app_double_install_double_uninstall) +RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall) { - int result; - AppInstReqUniquePtr request; + const char *const sm_app_id = "sm_test_01a_app_id_double"; + const char *const sm_pkg_id = "sm_test_01a_pkg_id_double"; - request.reset(do_app_inst_req_new()); + InstallRequest requestInst; + requestInst.setAppId(sm_app_id); + requestInst.setPkgId(sm_pkg_id); - result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting app id failed. Result: " << result); + Api::install(requestInst); + Api::install(requestInst); - result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID1); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting pkg id failed. Result: " << result); + /* Check records in the security-manager database */ + check_app_after_install(sm_app_id, sm_pkg_id); - result = security_manager_app_install(request.get()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "installing app failed. Result: " << result); + InstallRequest requestUninst; + requestUninst.setAppId(sm_app_id); - result = security_manager_app_install(request.get()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "installing already installed app failed. Result: " << result); + Api::uninstall(requestUninst); + Api::uninstall(requestUninst); /* Check records in the security-manager database */ - check_app_after_install(SM_APP_ID1, SM_PKG_ID1); + check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED); +} - request.reset(do_app_inst_req_new()); - result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting app id failed. Result: " << result); +RUNNER_TEST(security_manager_01b_app_double_install_wrong_pkg_id) +{ + const char *const sm_app_id = "sm_test_01b_app"; + const char *const sm_pkg_id = "sm_test_01b_pkg"; + const char *const sm_pkg_id_wrong = "sm_test_01b_pkg_BAD"; + + InstallRequest requestInst; + requestInst.setAppId(sm_app_id); + requestInst.setPkgId(sm_pkg_id); + + Api::install(requestInst); + + InstallRequest requestInst2; + requestInst2.setAppId(sm_app_id); + requestInst2.setPkgId(sm_pkg_id_wrong); + + Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM); + - result = security_manager_app_uninstall(request.get()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "uninstalling app failed. Result: " << result); + /* Check records in the security-manager database */ + check_app_after_install(sm_app_id, sm_pkg_id); + + InstallRequest requestUninst; + requestUninst.setAppId(sm_app_id); + + Api::uninstall(requestUninst); - result = security_manager_app_uninstall(request.get()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "uninstalling already uninstalled app failed. Result: " << result); /* Check records in the security-manager database */ - check_app_after_uninstall(SM_APP_ID1, SM_PKG_ID1, TestSecurityManagerDatabase::REMOVED); + check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED); + } -RUNNER_TEST(security_manager_02_app_install_uninstall_full) +RUNNER_TEST(security_manager_01c_app_uninstall_pkg_id_ignored) { - int result; - AppInstReqUniquePtr request; + const char * const sm_app_id = "SM_TEST_01c_APPID"; + const char * const sm_pkg_id = "SM_TEST_01c_PKGID"; + const char * const sm_pkg_id_wrong = "SM_TEST_01c_PKGID_wrong"; - prepare_app_env(); + InstallRequest requestInst; + requestInst.setAppId(sm_app_id); + requestInst.setPkgId(sm_pkg_id); + + Api::install(requestInst); + + /* Check records in the security-manager database */ + check_app_after_install(sm_app_id, sm_pkg_id); - request.reset(do_app_inst_req_new()); + InstallRequest requestUninst; + requestUninst.setAppId(sm_app_id); + requestUninst.setPkgId(sm_pkg_id_wrong); - result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting app id failed. Result: " << result); + Api::uninstall(requestUninst); - result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID2); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting pkg id failed. Result: " << result); + check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED); - result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[0].c_str()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting allowed permission failed. Result: " << result); - result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[1].c_str()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting allowed permission failed. Result: " << result); +} - result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH, - SECURITY_MANAGER_PATH_PRIVATE); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting allowed path failed. Result: " << result); +RUNNER_TEST(security_manager_02_app_install_uninstall_full) +{ + const char *const sm_app_id = "sm_test_02_app_id_full"; + const char *const sm_pkg_id = "sm_test_02_pkg_id_full"; - result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_PATH, - SECURITY_MANAGER_PATH_PUBLIC); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting allowed path failed. Result: " << result); + prepare_app_env(); - result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH, - SECURITY_MANAGER_PATH_PUBLIC_RO); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting allowed path failed. Result: " << result); + InstallRequest requestInst; + requestInst.setAppId(sm_app_id); + requestInst.setPkgId(sm_pkg_id); + requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str()); + requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str()); + requestInst.addPath(SM_PRIVATE_PATH, SECURITY_MANAGER_PATH_PRIVATE); + requestInst.addPath(SM_PUBLIC_RO_PATH, SECURITY_MANAGER_PATH_PUBLIC_RO); - result = security_manager_app_install(request.get()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "installing app failed. Result: " << result); + Api::install(requestInst); /* Check records in the security-manager database */ - check_app_after_install(SM_APP_ID2, SM_PKG_ID2, - SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, - SM_ALLOWED_RULES, SM_DENIED_RULES); + check_app_after_install(sm_app_id, sm_pkg_id, + SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS); /* TODO: add parameters to this function */ check_app_path_after_install(); - request.reset(do_app_inst_req_new()); - - result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "setting app id failed. Result: " << result); + InstallRequest requestUninst; + requestUninst.setAppId(sm_app_id); - result = security_manager_app_uninstall(request.get()); - RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS, - "uninstalling app failed. Result: " << result); + Api::uninstall(requestUninst); /* Check records in the security-manager database, * all previously allowed privileges should be removed */ - check_app_after_uninstall(SM_APP_ID2, SM_PKG_ID2, + check_app_after_uninstall(sm_app_id, sm_pkg_id, SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED); } +RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid) +{ + const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack"; + const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack"; + const char *const expected_label = USER_APP_ID; + const char *const socketLabel = "not_expected_label"; + char *label = nullptr; + CStringPtr labelPtr; + int result; + + uninstall_app(app_id, pkg_id, true); + install_app(app_id, pkg_id); + + struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH}; + //Clean up before creating socket + unlink(SOCK_PATH); + int sock = socket(AF_UNIX, SOCK_STREAM, 0); + RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed"); + SockUniquePtr sockPtr(&sock); + //Bind socket to address + result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un)); + RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed"); + //Set socket label to something different than expecedLabel + result = fsetxattr(sock, XATTR_NAME_SMACKIPIN, socketLabel, + strlen(socketLabel), 0); + RUNNER_ASSERT_ERRNO_MSG(result == 0, + "Can't set socket label. Result: " << result); + result = fsetxattr(sock, XATTR_NAME_SMACKIPOUT, socketLabel, + strlen(socketLabel), 0); + RUNNER_ASSERT_ERRNO_MSG(result == 0, + "Can't set socket label. Result: " << result); + + Api::setProcessLabel(app_id); + + char value[SMACK_LABEL_LEN + 1]; + ssize_t size; + size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value)); + RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value); + result = strcmp(expected_label, value); + RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " << + expected_label << " Actual: " << value); + + size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value)); + RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value); + result = strcmp(expected_label, value); + RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " << + expected_label << " Actual: " << value); + + result = smack_new_label_from_self(&label); + RUNNER_ASSERT_MSG(result >= 0, + " Error getting current process label"); + RUNNER_ASSERT_MSG(label != nullptr, + " Process label is not set"); + labelPtr.reset(label); + + result = strcmp(expected_label, label); + RUNNER_ASSERT_MSG(result == 0, + " Process label is incorrect. Expected: \"" << expected_label << + "\" Actual: \"" << label << "\""); + + uninstall_app(app_id, pkg_id, true); +} + +RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack) +{ + const char *const app_id = "sm_test_03_app_id_set_label_from_appid_nosmack"; + const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_nosmack"; + + uninstall_app(app_id, pkg_id, true); + install_app(app_id, pkg_id); + + Api::setProcessLabel(app_id); + + uninstall_app(app_id, pkg_id, true); +} + + + +static void prepare_request(InstallRequest &request, + const char *const app_id, + const char *const pkg_id, + app_install_path_type pathType, + const char *const path, + uid_t uid) +{ + request.setAppId(app_id); + request.setPkgId(pkg_id); + request.addPath(path, pathType); + + if (uid != 0) + request.setUid(uid); +} + + +static struct passwd* get_app_pw() +{ + struct passwd *pw = nullptr; + errno = 0; + while(!(pw = getpwnam(APP_USER))) { + RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed"); + } + return pw; +} + + +static void install_and_check(const char *const sm_app_id, + const char *const sm_pkg_id, + const std::string &user, uid_t uid, + const std::string &user_path = SM_PRIVATE_PATH_FOR_USER) +{ + InstallRequest requestPublic; + + //install app for non-root user and try to register public path (should fail) + prepare_request(requestPublic, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PUBLIC, user_path.c_str(), uid); + + Api::install(requestPublic, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED); + + InstallRequest requestPrivate; + + //install app for non-root user + //should fail (users may only register folders inside their home) + prepare_request(requestPrivate, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH, uid); + + Api::install(requestPrivate, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED); + + InstallRequest requestPrivateUser; + + //install app for non-root user + //should succeed - this time i register folder inside user's home dir + prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id, SECURITY_MANAGER_PATH_PRIVATE, user_path.c_str(), uid); + + for (auto &privilege : SM_ALLOWED_PRIVILEGES) + requestPrivateUser.addPrivilege(privilege.c_str()); + + Api::install(requestPrivateUser); + + check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES); +} + +RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self) +{ + int result; + const char *const sm_app_id = "sm_test_04a_app_id_uid"; + const char *const sm_pkg_id = "sm_test_04a_pkg_id_uid"; + + struct passwd *pw = get_app_pw(); + const std::string user = std::to_string(static_cast(pw->pw_uid)); + + //switch user to non-root + result = drop_root_privileges(pw->pw_uid, pw->pw_gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + install_and_check(sm_app_id, sm_pkg_id, user, 0); + + //uninstall app as non-root user + InstallRequest request; + request.setAppId(sm_app_id); + + Api::uninstall(request); + + check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES); +} + +RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user) +{ + int result; + const char *const sm_app_id = "sm_test_04b_app_id_uid"; + const char *const sm_pkg_id = "sm_test_04b_pkg_id_uid"; + + struct passwd *pw = get_app_pw(); + const std::string user = std::to_string(static_cast(pw->pw_uid)); + + install_and_check(sm_app_id, sm_pkg_id, user, pw->pw_uid); + + //switch user to non-root - root may not uninstall apps for specified users + result = drop_root_privileges(pw->pw_uid, pw->pw_gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + //uninstall app as non-root user + InstallRequest request; + request.setAppId(sm_app_id); + + Api::uninstall(request); + + check_app_permissions(sm_app_id, sm_pkg_id, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES); +} + + +RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities) +{ + int result; + CapsSetsUniquePtr caps, caps_empty(cap_init()); + + caps.reset(cap_from_text("all=eip")); + RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text"); + result = cap_set_proc(caps.get()); + RUNNER_ASSERT_MSG(result == 0, + "can't set capabilities. Result: " << result); + + Api::dropProcessPrivileges(); + + caps.reset(cap_get_proc()); + RUNNER_ASSERT_MSG(caps, "can't get proc capabilities"); + + result = cap_compare(caps.get(), caps_empty.get()); + RUNNER_ASSERT_MSG(result == 0, + "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL)); +} + +RUNNER_CHILD_TEST(security_manager_06_install_app_offline) +{ + const char *const app_id = "sm_test_06_app_id_install_app_offline"; + const char *const pkg_id = "sm_test_06_pkg_id_install_app_offline"; + DBusAccess dbusAccess("security-manager.service"); + + uninstall_app(app_id, pkg_id, true); + dbusAccess.maskService(); + dbusAccess.stopService(); + + install_app(app_id, pkg_id); + + dbusAccess.unmaskService(); + dbusAccess.startService(); + + uninstall_app(app_id, pkg_id, true); +} + +RUNNER_CHILD_TEST(security_manager_07_user_add_app_install) +{ + const char *const sm_app_id = "sm_test_07_app_id_user"; + const char *const sm_pkg_id = "sm_test_07_pkg_id_user"; + const std::string new_user_name = "sm_test_07_user_name"; + std::string uid_string; + TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false); + uid_string = std::to_string(static_cast(test_user.getUid())); + + install_app(sm_app_id, sm_pkg_id, test_user.getUid()); + + check_app_after_install(sm_app_id, sm_pkg_id); + + test_user.remove(); + + check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES); + + check_app_after_uninstall(sm_app_id, sm_pkg_id, true); +} + +RUNNER_CHILD_TEST(security_manager_08_user_double_add_double_remove) +{ + UserRequest addUserRequest; + + const char *const sm_app_id = "sm_test_08_app_id_user"; + const char *const sm_pkg_id = "sm_test_08_pkg_id_user"; + const char *const new_user_name = "sm_test_08_user_name"; + std::string uid_string; + + // gumd user add + TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false); + uid_string = std::to_string(static_cast(test_user.getUid())); + + addUserRequest.setUid(test_user.getUid()); + addUserRequest.setUserType(SM_USER_TYPE_NORMAL); + + //sm user add + Api::addUser(addUserRequest); + + install_app(sm_app_id, sm_pkg_id, test_user.getUid()); + + check_app_after_install(sm_app_id, sm_pkg_id); + + test_user.remove(); + + UserRequest deleteUserRequest; + deleteUserRequest.setUid(test_user.getUid()); + + Api::deleteUser(deleteUserRequest); + + check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES); + + check_app_after_uninstall(sm_app_id, sm_pkg_id, true); +} + +RUNNER_CHILD_TEST(security_manager_09_add_user_offline) +{ + const char *const app_id = "security_manager_09_add_user_offline_app"; + const char *const pkg_id = "security_manager_09_add_user_offline_pkg"; + const std::string username("sm_test_09_user_name"); + DBusAccess dbusAccess("security-manager.service"); + dbusAccess.maskService(); + dbusAccess.stopService(); + + TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true); + + install_app(app_id, pkg_id, user.getUid()); + + check_app_after_install(app_id, pkg_id); + + dbusAccess.unmaskService(); + dbusAccess.startService(); + + user.remove(); + + check_app_after_uninstall(app_id, pkg_id, true); +} + int main(int argc, char *argv[]) { - SummaryCollector::Register(); return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv); }