Removes test codes accessing /proc/thread-self/attr/current 62/317662/3 accepted/tizen_unified_x_asan accepted/tizen/unified/20250110.154159 accepted/tizen/unified/20250112.005255 accepted/tizen/unified/x/20250112.131531 accepted/tizen/unified/x/asan/20250211.003256
authorDongsun Lee <ds73.lee@samsung.com>
Mon, 6 Jan 2025 10:01:32 +0000 (19:01 +0900)
committerDariusz Michaluk <d.michaluk@samsung.com>
Thu, 9 Jan 2025 10:37:09 +0000 (11:37 +0100)
- The security_manager_set_identity() can set limited smack labels(SYSTEM, SYSTEM_PRIVILEGED, APP).
- And OverrideSmackLabel class doesn't work with security_manager_set_identity().
- So a test that requires SYSTEM_PRIVILEGED runs in a separate child process.

Change-Id: Ia03785b490c3ce0773412692d18c618a62acc3db

packaging/device-certificate-manager.spec
tests/CMakeLists.txt
tests/api_test.cpp

index 126fc17f6d48523624fa69993c6aaa7325f9ac14..1b34efbd3b06e3acad16440fcfe2e2eedb18fa1d 100644 (file)
@@ -10,7 +10,6 @@ Source0: %{name}-%{version}.tar.gz
 Source1001: device-certificate-manager.manifest
 BuildRequires: cmake
 BuildRequires: pkgconfig(dlog)
-BuildRequires: pkgconfig(libsmack)
 BuildRequires: pkgconfig(libsystemd)
 BuildRequires: pkgconfig(protobuf-lite)
 BuildRequires: pkgconfig(cynara-client)
@@ -61,6 +60,7 @@ Device Certificate Manager backend development header
 Summary:       Internal tests for Device Certificate Manager
 Group:         Security/Testing
 License:       Apache-2.0 and BSL-1.0
+BuildRequires: pkgconfig(security-manager)
 Requires:      device-certificate-manager = %{version}-%{release}
 Requires:      boost-test
 
index 9133611e7823264717639a0f8ba3e742f0a7f314..42d198d36365e794f032d576d95776186fc0b269 100644 (file)
@@ -48,7 +48,7 @@ FIND_PACKAGE(Boost REQUIRED
        COMPONENTS
        unit_test_framework)
 
-PKG_CHECK_MODULES(TEST_DEPS REQUIRED dlog libsmack capi-system-info)
+PKG_CHECK_MODULES(TEST_DEPS REQUIRED dlog capi-system-info security-manager)
 
 INCLUDE_DIRECTORIES(SYSTEM ${Boost_INCLUDE_DIRS} ${TEST_DEPS_INCLUDE_DIRS})
 LINK_DIRECTORIES(${Boost_LIBRARY_DIRS} ${TEST_DEPS_LIBRARY_DIRS})
index 9d6c67cb6d3720e0b1e200195ad8e03d3eb9fd9c..3463fb969f60cd11231d0c729020b3186b18047c 100644 (file)
 #include <cstring>
 #include <iomanip>
 #include <iostream>
-#include <sys/smack.h> // SMACK_LABEL_LEN
+
+#include <unistd.h>
+#include <sys/wait.h>
+
+#include <app-runtime.h>
 
 #include "dcm_client.h"
 #include "device_certificate_manager.h"
@@ -65,38 +69,6 @@ extern "C" void *malloc(size_t size) {
     return __libc_malloc(size);
 }
 
-class Fd {
-    int fd;
-public:
-    explicit Fd(int fd) : fd(fd) { BOOST_REQUIRE_GE(fd, 0); }
-    operator int() const { return fd; }
-    ~Fd() { BOOST_CHECK_EQUAL(close(fd), 0); }
-};
-
-class OverrideSmackLabel {
-    Fd fd;
-    char old_label[SMACK_LABEL_LEN];
-    boost::uint_value_t<SMACK_LABEL_LEN>::least old_label_len;
-public:
-    explicit OverrideSmackLabel(const char *override_label)
-    : fd(open("/proc/thread-self/attr/current", O_RDWR)) {
-        const auto ret = read(fd, old_label, sizeof old_label);
-        BOOST_REQUIRE_GT(ret, 0);
-        BOOST_REQUIRE_LE(ret, sizeof old_label);
-        old_label_len = ret;
-
-        // subsequent write()s fail without the seek
-        BOOST_REQUIRE_EQUAL(lseek(fd, 0, SEEK_SET), 0);
-
-        const auto len = strlen(override_label);
-        BOOST_REQUIRE_EQUAL(write(fd, override_label, len), len);
-    }
-
-    ~OverrideSmackLabel() {
-        BOOST_CHECK_EQUAL(write(fd, old_label, old_label_len), old_label_len);
-    }
-};
-
 } // namespace
 
 BOOST_AUTO_TEST_SUITE(API_TEST)
@@ -280,11 +252,32 @@ NEGATIVE_TEST_CASE(test08_dcm_ext_api_no_privilege)
     // checked during the "method-with-a-privilege-not-granted" call.
     // Grep backend code for /method-with-a-privilege-not-granted/ for details.
     //
-    // Sdb uses User::Shell but one can switch to System::Privileged, then back.
-    OverrideSmackLabel _("System::Privileged");
-
-    int ret = dcm_ext_call_api("method-with-a-privilege-not-granted", NULL, 0, NULL, NULL);
-    BOOST_REQUIRE_EQUAL(ret, DCM_EXT_ERROR_PERMISSION_DENIED);
+    // Sdb uses User::Shell but one can switch to System::Privileged in the separate child process.
+    pid_t p;
+    int stat;
+
+    /* split this program into two processes */
+    p = fork();
+
+    if(p == 0) {       // child process is running
+        int ret = security_manager_set_identity(SM_PROCESS_TYPE_SYSTEM_PRIVILEGED, NULL);
+        if(ret != SECURITY_MANAGER_SUCCESS) {
+            std::cout << "security_manager_set_identity() failed... ret=" << ret << std::endl;
+            exit(2); // error case
+        }
+        ret = dcm_ext_call_api("method-with-a-privilege-not-granted", NULL, 0, NULL, NULL);
+        if(ret != DCM_EXT_ERROR_PERMISSION_DENIED) {
+            std::cout << "dcm_ext_call_api() failed..."
+                << "expected=" << DCM_EXT_ERROR_PERMISSION_DENIED
+                << "actual=" << ret
+                << std::endl;
+            exit(2); // error case
+        }
+        exit(0);
+    } else {            // parent process is runnin
+        wait(&stat);                    // wait for the child
+        BOOST_REQUIRE(WIFEXITED(stat) & (WEXITSTATUS(stat) == 0)); // check result from child
+    }
 }
 
 POSITIVE_TEST_CASE(test09_dcm_ext_api_normal_call)
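Review bot: If `fork()` fails, `p` is -1 and control falls into the parent branch, where `wait()` fails and `stat` is read uninitialised. This negative privilege test can then pass or fail without the permission-denied check ever running, so require `p != -1` before branching. The final assertion uses bitwise `&` where `&&` is meant, and `wait()` reaps any child with its return value ignored; `waitpid(p, &stat, 0)` with a checked result ties the status to this child. In the child, `exit()` runs atexit handlers and flushes stdio buffers inherited from the test runner, which likely duplicates runner output, so `_exit()` is the safer call there. The test case body starts above this hunk.

```cpp
    p = fork();
    BOOST_REQUIRE_NE(p, -1);   // a failed fork must fail the test, not reach the parent branch

    if (p == 0) {
        // … unchanged: security_manager_set_identity() and dcm_ext_call_api() checks, with exit(2) replaced by _exit(2) …
        _exit(0);
    } else {
        BOOST_REQUIRE_EQUAL(waitpid(p, &stat, 0), p);
        BOOST_REQUIRE(WIFEXITED(stat) && WEXITSTATUS(stat) == 0);
    }
```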