: AppInstallHelper(appNamePrefix, pkgNamePrefix, false, uid)
{}
- AppInstallHelper(const std::string &namePrefix)
+ explicit AppInstallHelper(const std::string &namePrefix)
: AppInstallHelper(namePrefix, namePrefix, false, geteuid())
{}
Api::cleanupApp(app.getAppId(), app.getUID(), pid);
}
+void runAccessTest(const AppInstallHelper &app, const std::string &testPath,
+ uid_t uid, gid_t gid, int accessType) {
+ auto fun = [&](){
+ RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(uid, gid) == 0,
+ "launcher failed");
+ Api::prepareAppCandidate();
+ Api::prepareApp(app.getAppId());
+ accessTest(app.getAppId(), testPath, accessType);
+ };
+
+ auto pid = runInChildParentWait(fun);
+ Api::cleanupApp(app.getAppId(), uid, pid);
+}
+
void runSystemAccessTest(uid_t uid, gid_t gid, const std::string &testPath, int accessType) {
for (const auto &label : SM_SYSTEM_LABELS)
runAccessTest(label, uid, gid, testPath, accessType);
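Review bot: The new overload `runAccessTest(app, testPath, uid, gid, accessType)` orders its arguments differently from the label overload called in the context just below, `runAccessTest(label, uid, gid, testPath, accessType)`. Since `uid_t`, `gid_t` and `int accessType` all convert to each other silently, a call with these swapped still compiles and would run the access check under the wrong identity. Either keep one order across the overloads, or document the contract on the declaration, e.g. `// Runs accessTest for app in a child launched as uid:gid (not app.getUID()); cleanup uses the same uid.` The capturing lambda is safe here only because `runInChildParentWait` returns after the child has finished, which is worth stating in the same comment.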
void runAccessTest(const std::string &label, uid_t uid, gid_t gid,
const std::string &testPath, int accessType);
void runAccessTest(const AppInstallHelper &app, const std::string &testPath, int accessType);
+void runAccessTest(const AppInstallHelper &app, const std::string &testPath,
+ uid_t uid, gid_t gid, int accessType);
void runSystemAccessTest(uid_t uid, gid_t gid, const std::string &testPath, int accessType);
bool isAskuserDisabled();
#include <sys/capability.h>
#include <sys/smack.h>
#include <sys/types.h>
+#include <sys/wait.h>
#include <unistd.h>
#include <cynara-admin.h>
app.checkAfterInstall();
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid != 0) {
- waitPid(pid);
- } else {
+ runInChildParentWait([&]{
Api::setProcessGroups(app.getAppId());
app.checkGroupPrivileges(defaultAllowedPrivs);
- exit(0);
- }
+ });
}
app.checkAfterUninstall();
}
ScopedInstaller appInstall(app);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid == 0) { // child
+ runInChildParentWait([&]{
Api::setAppProcessIdentity(app.getAppId());
char *label = nullptr;
RUNNER_ASSERT_MSG(result == 0,
" Process label is incorrect. Expected: \"" << expectedProcLabel <<
"\" Actual: \"" << label << "\"");
- } else { // parent
- waitPid(pid);
- }
+ });
}
#endif
RUNNER_CHILD_TEST(security_manager_11a_set_identity_system)
{
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid != 0) { //parent process
- waitPid(pid);
- } else {
- int result = security_manager_set_identity(process_type::SM_PROCESS_TYPE_SYSTEM, nullptr);
- RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
- "security_manager_set_identity(SM_PROCESS_TYPE_SYSTEM, nullptr) failed");
- exit(0);
- }
+ int result = security_manager_set_identity(process_type::SM_PROCESS_TYPE_SYSTEM, nullptr);
+ RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
+ "security_manager_set_identity(SM_PROCESS_TYPE_SYSTEM, nullptr) failed");
}
RUNNER_CHILD_TEST(security_manager_11b_set_identity_privileged)
{
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid != 0) { //parent process
- waitPid(pid);
- } else {
- int result = security_manager_set_identity(process_type::SM_PROCESS_TYPE_SYSTEM_PRIVILEGED,
- nullptr);
- RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
- "security_manager_set_identity(SM_PROCESS_TYPE_SYSTEM_PRIVILEGED, nullptr) failed");
- exit(0);
- }
+ int result = security_manager_set_identity(process_type::SM_PROCESS_TYPE_SYSTEM_PRIVILEGED,
+ nullptr);
+ RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
+ "security_manager_set_identity(SM_PROCESS_TYPE_SYSTEM_PRIVILEGED, nullptr) failed");
}
RUNNER_CHILD_TEST(security_manager_11c_set_identity_app_no_author)
AppInstallHelper appLocal(appLocalName);
ScopedInstaller appInstall(appLocal);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid != 0) { //parent process
- waitPid(pid);
- } else {
+ runInChildParentWait([&] {
int result = security_manager_set_identity(process_type::SM_PROCESS_TYPE_APP, nullptr);
RUNNER_ASSERT_MSG(
result == SECURITY_MANAGER_ERROR_INPUT_PARAM,
result == SECURITY_MANAGER_SUCCESS,
"security_manager_set_identity(SM_PROCESS_TYPE_APP, appLocal.getAppId().c_str()) failed"
);
- exit(0);
- }
+ });
}
RUNNER_CHILD_TEST(security_manager_11d_set_identity_app_author)
appLocal.setAuthor("sm_test_app_author");
ScopedInstaller appInstall(appLocal);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid != 0) { //parent process
- waitPid(pid);
- } else {
+ runInChildParentWait([&] {
int result = security_manager_set_identity(process_type::SM_PROCESS_TYPE_APP, nullptr);
RUNNER_ASSERT_MSG(
result == SECURITY_MANAGER_ERROR_INPUT_PARAM,
result == SECURITY_MANAGER_SUCCESS,
"security_manager_set_identity(SM_PROCESS_TYPE_APP, appLocal.getAppId().c_str()) failed"
);
- exit(0);
- }
+ });
}
RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_INTERNET)
app.addPrivilege(PRIV_INTERNET);
ScopedInstaller appInstall(app);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid != 0) {
- // wait for child to exit before uninstallation
- waitPid(pid);
- Api::cleanupApp(app.getAppId(), testUser.getUid(), pid);
- } else {
+ pid_t pid = runInChildParentWait([&] {
// child - the actual application
RUNNER_ASSERT_MSG(setLauncherSecurityAttributes(testUser) == 0, "launcher failed");
Api::prepareAppCandidate();
Api::prepareApp(app.getAppId());
RUNNER_ASSERT_MSG(ping() == 0, "No internet access while the privilege is present");
- }
+ });
+
+ Api::cleanupApp(app.getAppId(), testUser.getUid(), pid);
}
RUNNER_CHILD_TEST(security_manager_12b_internet_access_negative)
AppInstallHelperExt app("sm_test_12b", "sm_test_12b", testUser.getUid());
ScopedInstaller appInstall(app);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid != 0) {
- // wait for child to exit before uninstallation
- waitPid(pid);
- Api::cleanupApp(app.getAppId(), testUser.getUid(), pid);
- } else {
+ pid_t pid = runInChildParentWait([&] {
// child - the actual application
RUNNER_ASSERT_MSG(setLauncherSecurityAttributes(testUser) == 0, "launcher failed");
Api::prepareAppCandidate();
Api::prepareApp(app.getAppId());
RUNNER_ASSERT_MSG(ping() != 0, "Internet access detected despite no privilege");
- }
+ });
+
+ Api::cleanupApp(app.getAppId(), testUser.getUid(), pid);
}
RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_POLICY)
ScopedInstaller normalAppInstall(normalApp);
normalApp.checkAfterInstall();
- pid_t pid = fork();
- RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
- if (pid != 0) { //parent process
- waitPid(pid);
- normalApp.checkPrivileges(allowedPrivsAfterChange, deniedPrivsAfterChange);
- } else {
+ runInChildParentWait([&] {
Api::setAppProcessIdentity(adminApp.getAppId());
RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(),adminUser.getGid()) == 0,
"drop_root_privileges failed");
addPolicyReq.addEntry(entry);
}
Api::sendPolicy(addPolicyReq);
- exit(0);
- }
+ });
+
+ normalApp.checkPrivileges(allowedPrivsAfterChange, deniedPrivsAfterChange);
}
RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_CMD)
testUser.create();
AppInstallHelperExt app("sm_test_26_1a", "sm_test_26_1a", testUser.getUid());
ScopedInstaller appInstall(app);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid != 0) {
- // wait for child to exit before uninstallation
- waitPid(pid);
- Api::cleanupApp(app.getAppId(), testUser.getUid(), pid);
- } else {
- // child - the actual application
+
+ pid_t pid = runInChildParentWait([&] {
RUNNER_ASSERT_MSG(setLauncherSecurityAttributes(testUser) == 0, "launcher failed");
auto expected = getuid();
Api::prepareAppCandidate();
RUNNER_ASSERT_MSG(owner_uid == expected, "Invalid uid returned - expected: "
<< expected << " returned: " << owner_uid);
- exit(0);
- }
+ });
+
+ Api::cleanupApp(app.getAppId(), testUser.getUid(), pid);
}
RUNNER_CHILD_TEST(security_manager_26_1b_security_manager_get_app_owner_uid)
TemporaryTestUser testUser("sm_test_26_1b_user_name", GUM_USERTYPE_NORMAL);
testUser.create();
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid != 0) {
- // wait for child to exit
- waitPid(pid);
- } else {
- // child
+
+ runInChildParentWait([&]{
test();
RUNNER_ASSERT_MSG(setLauncherSecurityAttributes(testUser) == 0, "launcher failed");
test();
- exit(0);
- }
+ });
}
RUNNER_CHILD_TEST(security_manager_26_2_security_manager_self_is_app)
app.checkAfterInstall();
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid != 0) {
- // here we can check if function will return it is NOT an app
- bool is_app;
- RUNNER_ASSERT_MSG(security_manager_self_is_app(&is_app) == SECURITY_MANAGER_SUCCESS,
- "failed security_manager_self_is_app");
- RUNNER_ASSERT_MSG(is_app == false, "this should not be an app");
- waitPid(pid);
- } else {
+ // here we can check if function will return it is NOT an app
+ bool is_app;
+ RUNNER_ASSERT_MSG(security_manager_self_is_app(&is_app) == SECURITY_MANAGER_SUCCESS,
+ "failed security_manager_self_is_app");
+ RUNNER_ASSERT_MSG(is_app == false, "this should not be an app");
+
+ runInChildParentWait([&] {
// here we can check if the function will return it IS an app
Api::setAppProcessIdentity(app.getAppId());
bool is_app;
RUNNER_ASSERT_MSG(security_manager_self_is_app(&is_app) == SECURITY_MANAGER_SUCCESS,
"failed security_manager_self_is_app");
RUNNER_ASSERT_MSG(is_app == true, "this should be an app");
- exit(0);
- }
+ });
}
app.checkAfterUninstall();
}
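Review bot: `bool is_app;` is left uninitialized before both `security_manager_self_is_app(&is_app)` calls, so if the API ever returned success without writing the output, the assertions would read an indeterminate value. Initialize each flag to the opposite of the expected result, `bool is_app = true;` before the "should not be an app" check and `bool is_app = false;` inside the lambda, so a missing write fails the test. The declaration inside the lambda also shadows the outer `is_app` that `[&]` captures; a distinct name such as `child_is_app` avoids the `-Wshadow` noise. The parent-side `bool is_app;` added in the following `security_manager_is_app_from_pid` hunk has the same issue.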
app.checkAfterInstall();
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid != 0) {
- pipe.claimParentEp();
- // here we can check if function will return it is NOT an app
- bool is_app;
- RUNNER_ASSERT_MSG(security_manager_is_app_from_pid(getpid(), &is_app) == SECURITY_MANAGER_SUCCESS,
- "failed security_manager_is_app_from_pid");
- RUNNER_ASSERT_MSG(is_app == false, "this should not be an app");
- pipe.wait(); //synchronization point of setting Smack label - A1
- RUNNER_ASSERT_MSG(security_manager_is_app_from_pid(pid, &is_app) == SECURITY_MANAGER_SUCCESS,
- "failed security_manager_is_app_from_pid");
- RUNNER_ASSERT_MSG(is_app == true, "this should be an app");
- waitPid(pid);
- } else {
+
+ pid_t pid = runInChild([&] {
pipe.claimChildEp();
- // here we can check if the function will return it IS an app
+ pipe.wait(); // synchronization point before child becomes an app - A1
Api::setAppProcessIdentity(app.getAppId());
- pipe.post(); // A1
+ pipe.post(); // A2
bool is_app;
RUNNER_ASSERT_MSG(security_manager_is_app_from_pid(getpid(), &is_app) == SECURITY_MANAGER_SUCCESS,
"failed security_manager_is_app_from_pid");
RUNNER_ASSERT_MSG(is_app == true, "this should be an app");
- exit(0);
- }
+ });
+
+ pipe.claimParentEp();
+ // here we can check if function will return it is NOT an app
+ bool is_app;
+ RUNNER_ASSERT_MSG(security_manager_is_app_from_pid(getpid(), &is_app) == SECURITY_MANAGER_SUCCESS,
+ "failed security_manager_is_app_from_pid");
+ RUNNER_ASSERT_MSG(is_app == false, "this should not be an app");
+ pipe.post(); // A1
+ pipe.wait(); //synchronization point after child process becomess an app - A2
+ RUNNER_ASSERT_MSG(security_manager_is_app_from_pid(pid, &is_app) == SECURITY_MANAGER_SUCCESS,
+ "failed security_manager_is_app_from_pid");
+ RUNNER_ASSERT_MSG(is_app == true, "this should be an app");
+
+ waitPid(pid);
}
app.checkAfterUninstall();
}
PkgPrivacyPrivileges setupPrivacyPrivs(app);
ScopedInstaller appInstall(app);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
- if (pid != 0) { //parent process
- waitPid(pid);
- } else { //child process
+ runInChildParentWait([&] {
Api::setAppProcessIdentity(app.getAppId());
RUNNER_ASSERT_ERRNO_MSG(
drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
}
}
- exit(0);
- }
+ });
}
RUNNER_CHILD_TEST(security_manager_ap2_app_policy_fetch_for_self_different_user) {
PkgPrivacyPrivileges setupPrivacyPrivs(app);
ScopedInstaller appInstall(app);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
- if (pid != 0) { //parent process
- waitPid(pid);
- } else { //child process
+ runInChildParentWait([&] { //child process
Api::setAppProcessIdentity(app.getAppId());
RUNNER_ASSERT_ERRNO_MSG(
drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
Api::getPolicyForSelf(filter, policyEntries,
SECURITY_MANAGER_ERROR_ACCESS_DENIED);
}
- exit(0);
- }
+ });
}
RUNNER_CHILD_TEST(security_manager_ap3_app_policy_fetch_for_self_different_user_global) {
PkgPrivacyPrivileges setupPrivacyPrivs(app);
ScopedInstaller appInstall(app);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
- if (pid != 0) { //parent process
- waitPid(pid);
- } else { //child process
+ runInChildParentWait([&] {
Api::setAppProcessIdentity(app.getAppId());
RUNNER_ASSERT_ERRNO_MSG(
drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
Api::getPolicyForSelf(filter, policyEntries,
SECURITY_MANAGER_ERROR_ACCESS_DENIED);
}
- exit(0);
- }
+ });
}
RUNNER_CHILD_TEST(security_manager_ap3_app_policy_fetch_for_self_different_app) {
PkgPrivacyPrivileges setupPrivacyPrivs2(app2);
ScopedInstaller appInstall2(app2);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
- if (pid != 0) { //parent process
- waitPid(pid);
- } else { //child process
+
+ runInChildParentWait([&] {
Api::setAppProcessIdentity(app1.getAppId());
RUNNER_ASSERT_ERRNO_MSG(
drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
Api::getPolicyForSelf(filter, policyEntries,
SECURITY_MANAGER_ERROR_ACCESS_DENIED);
}
- exit(0);
- }
+ });
}
SynchronizationPipe synchPipe;
TemporaryTestUser testUser("sm_test_71_user_name", GUM_USERTYPE_NORMAL, false);
testUser.create();
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid != 0) { //parent process
- synchPipe.claimParentEp();
- RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
- "drop_root_privileges failed");
- synchPipe.wait(); //synchronization point A1
- AppInstallHelper appLocal("sm_test_71_local", testUser.getUid());
- appLocal.setInstallType(SM_APP_INSTALL_LOCAL);
- ScopedInstaller appLocalInstall(appLocal);
- synchPipe.post(); //synchronization point A2
-
- synchPipe.wait(); //synchronization point B1
- AppInstallHelper appGlobal("sm_test_71_global");
- appLocal.setInstallType(SM_APP_INSTALL_GLOBAL);
- // This shouldn't be possible with dropped privileges, but uid and gid doesn't suffice
- // to lose privileges to install applications (tests are running with System::Privileged)
- ScopedInstaller appGlobalInstall(appGlobal);
- synchPipe.post(); //synchronization point B2
-
- synchPipe.wait(); //synchronization point C1
- appLocalInstall.uninstallApp();
- synchPipe.post(); //synchronization point C2
-
- synchPipe.wait(); //synchronization point D1
- appGlobalInstall.uninstallApp();
- synchPipe.post(); //synchronization point D2
-
- waitPid(pid);
- } else { //child process
+ pid_t pid = runInChild([&] {
synchPipe.claimChildEp();
setCaps("cap_mac_admin+ep cap_setuid+ep cap_setgid+ep");
RUNNER_ASSERT_ERRNO_MSG(prctl(PR_SET_KEEPCAPS, 1, 0, 0) == 0, "prctl keeping caps failed");
RUNNER_ASSERT_MSG((fds[0].revents & POLLIN) > 0, "There is no data to read "
"regarding app installation");
}
- }
+ });
+
+ synchPipe.claimParentEp();
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
+ "drop_root_privileges failed");
+
+ synchPipe.wait(); //synchronization point A1
+ AppInstallHelper appLocal("sm_test_71_local", testUser.getUid());
+ appLocal.setInstallType(SM_APP_INSTALL_LOCAL);
+ ScopedInstaller appLocalInstall(appLocal);
+ synchPipe.post(); //synchronization point A2
+
+ synchPipe.wait(); //synchronization point B1
+ AppInstallHelper appGlobal("sm_test_71_global");
+ appLocal.setInstallType(SM_APP_INSTALL_GLOBAL);
+ // This shouldn't be possible with dropped privileges, but uid and gid doesn't suffice
+ // to lose privileges to install applications (tests are running with System::Privileged)
+ ScopedInstaller appGlobalInstall(appGlobal);
+ synchPipe.post(); //synchronization point B2
+
+ synchPipe.wait(); //synchronization point C1
+ appLocalInstall.uninstallApp();
+ synchPipe.post(); //synchronization point C2
+
+ synchPipe.wait(); //synchronization point D1
+ appGlobalInstall.uninstallApp();
+ synchPipe.post(); //synchronization point D2
+
+ waitPid(pid);
}
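Review bot: In the B1 step, `appLocal.setInstallType(SM_APP_INSTALL_GLOBAL);` configures the wrong helper: `appGlobal` was constructed on the line above and is the one passed to `appGlobalInstall`, while `appLocal` is already installed at that point. The line was moved unchanged from the old parent branch, so the "global" install apparently runs with whatever install type `AppInstallHelper` defaults to, and the label-monitor test may not cover the global case it is named for. It should read `appGlobal.setInstallType(SM_APP_INSTALL_GLOBAL);`.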
RUNNER_CHILD_TEST(security_manager_72_app_label_monitor_user_local)
TemporaryTestUser testUser("sm_test_75_user_name", GUM_USERTYPE_NORMAL, false);
testUser.create();
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid != 0) { //parent process
- synchPipe.claimParentEp();
- RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
- "drop_root_privileges failed");
-
- synchPipe.wait(); //synchronization point A1
- AppInstallHelper appLocal("sm_test_72_local1", testUser.getUid());
- appLocal.setInstallType(SM_APP_INSTALL_LOCAL);
- ScopedInstaller appLocalInstall(appLocal);
- synchPipe.post(); //synchronization point A2
-
- synchPipe.wait(); //synchronization point B1
- AppInstallHelper appLocal2("sm_test_72_local2");
- appLocal2.setInstallType(SM_APP_INSTALL_LOCAL);
- ScopedInstaller appLocal2Install(appLocal2);
- synchPipe.post(); //synchronization point B2
-
- synchPipe.wait(); //synchronization point C1
- appLocalInstall.uninstallApp();
- synchPipe.post(); //synchronization point C2
-
- synchPipe.wait(); //synchronization point D1
- appLocal2Install.uninstallApp();
- synchPipe.post(); //synchronization point D2
-
- waitPid(pid);
- } else { //child process
+ pid_t pid = runInChild([&] {
synchPipe.claimChildEp();
setCaps("cap_mac_admin+ep cap_setuid+ep cap_setgid+ep");
RUNNER_ASSERT_MSG((fds[0].revents & POLLIN) > 0, "There is no data to read "
"regarding app installation");
}
- }
+ });
+
+ synchPipe.claimParentEp();
+
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
+ "drop_root_privileges failed");
+
+ synchPipe.wait(); //synchronization point A1
+ AppInstallHelper appLocal("sm_test_72_local1", testUser.getUid());
+ appLocal.setInstallType(SM_APP_INSTALL_LOCAL);
+ ScopedInstaller appLocalInstall(appLocal);
+ synchPipe.post(); //synchronization point A2
+
+ synchPipe.wait(); //synchronization point B1
+ AppInstallHelper appLocal2("sm_test_72_local2");
+ appLocal2.setInstallType(SM_APP_INSTALL_LOCAL);
+ ScopedInstaller appLocal2Install(appLocal2);
+ synchPipe.post(); //synchronization point B2
+
+ synchPipe.wait(); //synchronization point C1
+ appLocalInstall.uninstallApp();
+ synchPipe.post(); //synchronization point C2
+
+ synchPipe.wait(); //synchronization point D1
+ appLocal2Install.uninstallApp();
+ synchPipe.post(); //synchronization point D2
+
+ waitPid(pid);
}
RUNNER_CHILD_TEST(security_manager_73_app_label_monitor_different_users)
appGlobal.setInstallType(SM_APP_INSTALL_GLOBAL);
ScopedInstaller appGlobalInstall(appGlobal);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid != 0) { //parent process
- waitPid(pid);
- } else { //child process
+ runInChildParentWait([&] {
setCaps("cap_mac_admin+ep cap_setuid+ep cap_setgid+ep");
RUNNER_ASSERT_ERRNO_MSG(prctl(PR_SET_KEEPCAPS, 1, 0, 0) == 0, "prctl keeping caps failed");
AppInstallHelper appLocal(appLocalName), appGlobal(appGlobalName);
testSetLabelForSelf(appLocal.getAppId(), appLocal.getPkgId(), false);
testSetLabelForSelf(appGlobal.getAppId(), appGlobal.getPkgId(), true);
- }
+ });
}
RUNNER_CHILD_TEST(security_manager_74_app_label_monitor_relabel_changes_global)
ScopedInstaller appGlobalInstall1(appGlobal1);
ScopedInstaller appGlobalInstall2(appGlobal2);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid != 0) { // parent
- waitPid(pid);
- } else { // child
+ runInChildParentWait([&] { // child
TemporaryTestUser testUser("sm_test_74_user_name", GUM_USERTYPE_NORMAL, false);
setCaps("all=eip");
testSetLabelForSelf(appGlobal1.getAppId(), appGlobal1.getPkgId(), true); // global installation (OK)
testSetLabelForSelf(appGlobal1.getAppId(), appGlobal1.getPkgId(), false); //second change
testSetLabelForSelf(appGlobal2.getAppId(), appGlobal2.getPkgId(), false); //third change
- }
+ });
}
RUNNER_CHILD_TEST(security_manager_75_app_label_monitor_relabel_changes_local)
testUser.create();
SynchronizationPipe synchPipe;
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid != 0) { //parent process
- synchPipe.claimParentEp();
-
- RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
- "drop_root_privileges failed");
-
- AppInstallHelper appLocal1(appLocalName1, testUser.getUid());
- AppInstallHelper appLocal2(appLocalName2, testUser.getUid());
- AppInstallHelper appLocal3(appLocalName3, testUser.getUid());
- ScopedInstaller appLocalInstall1(appLocal1), appLocalInstall2(appLocal2), appLocalInstall3(appLocal3);
- appLocalInstall1.uninstallApp();
- synchPipe.post();
-
- waitPid(pid);
- } else { //child process
+ pid_t pid = runInChild([&] {
synchPipe.claimChildEp();
setCaps("all=eip");
testSetLabelForSelf(appLocal1.getAppId(), appLocal1.getPkgId(), false); //uninstalled
testSetLabelForSelf(appLocal2.getAppId(), appLocal2.getPkgId(), true); //installed
testSetLabelForSelf(appLocal3.getAppId(), appLocal3.getPkgId(), false); //second change
- }
+ });
+
+ synchPipe.claimParentEp();
+
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
+ "drop_root_privileges failed");
+
+ AppInstallHelper appLocal1(appLocalName1, testUser.getUid());
+ AppInstallHelper appLocal2(appLocalName2, testUser.getUid());
+ AppInstallHelper appLocal3(appLocalName3, testUser.getUid());
+ ScopedInstaller appLocalInstall1(appLocal1), appLocalInstall2(appLocal2), appLocalInstall3(appLocal3);
+ appLocalInstall1.uninstallApp();
+ synchPipe.post();
+
+ waitPid(pid);
}
static void clientMonitorProcess(const TemporaryTestUser &testUser)
{
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid != 0) { //parent process
- waitPid(pid);
- } else { //child process
+ runInChildParentWait([&] {
setCaps("cap_mac_admin+ep cap_setuid+ep cap_setgid+ep");
RUNNER_ASSERT_ERRNO_MSG(prctl(PR_SET_KEEPCAPS, 1, 0, 0) == 0, "prctl keeping caps failed");
Api::labelsProcess(monitor);
setCaps("cap_mac_admin-eip");
- }
+ });
}
RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_PERMISSIBLE_FILE_REPAIR)
corruptFile(testUser.getUid());
clientMonitorProcess(testUser);
-}
\ No newline at end of file
+}
const ProcessId expected{true, true};
#endif
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid == 0) {
+ pid_t pid = runInChildParentWait([&] {
{
RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed");
Api::prepareAppCandidate();
Api::prepareApp(app.getAppId());
}
RUNNER_ASSERT_MSG(thread_errors.empty(), std::endl << thread_errors);
- exit(0);
- } else {
- waitPid(pid);
- Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid);
- }
+ });
+
+ Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid);
}
RUNNER_CHILD_TEST(security_manager_100_synchronize_credentials_no_author_test)
const ProcessId expected{true, false};
#endif
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid == 0) {
+ pid_t pid = runInChildParentWait([&] {
{
RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed");
Api::prepareAppCandidate();
Api::prepareApp(app.getAppId());
}
RUNNER_ASSERT_MSG(thread_errors.empty(), std::endl << thread_errors);
- exit(0);
- } else {
- waitPid(pid);
- Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid);
- }
+ });
+
+ Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid);
}
RUNNER_CHILD_TEST(security_manager_101_create_namespace_test_n)
const ProcessId expected{true, true};
#endif
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid == 0) {
+ runInChildParentWait([&] {
{
RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed");
ThreadWrapper threads[THREADS];
Api::prepareAppCandidate(SECURITY_MANAGER_ERROR_INPUT_PARAM);
}
RUNNER_ASSERT_MSG(!thread_errors.empty(), std::endl << thread_errors);
- exit(0);
- } else {
- waitPid(pid);
- }
+ });
}
RUNNER_CHILD_TEST(security_manager_101_create_namespace_test_p)
ScopedInstaller appInstall(app);
SynchronizationPipe synchPipe;
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid == 0) {
+ pid_t pid = runInChild([&] {
synchPipe.claimChildEp();
RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed");
Api::prepareAppCandidate();
Api::prepareApp(app.getAppId());
synchPipe.post();
synchPipe.wait();
+ });
- exit(0);
- } else {
- synchPipe.claimParentEp();
- synchPipe.wait();
+ synchPipe.claimParentEp();
+ synchPipe.wait();
- std::string appBindPath = std::string("/var/run/user/") + tmpUser.getUidString()
- + "/apps/" + app.generateAppLabel() + "/" + std::to_string(pid);
- std::string appProcPath = std::string("/proc/") + std::to_string(pid) + "/ns/mnt";
- std::string launcherProcPath = std::string("/proc/") + std::to_string(getpid()) + "/ns/mnt";
+ std::string appBindPath = std::string("/var/run/user/") + tmpUser.getUidString()
+ + "/apps/" + app.generateAppLabel() + "/" + std::to_string(pid);
+ std::string appProcPath = std::string("/proc/") + std::to_string(pid) + "/ns/mnt";
+ std::string launcherProcPath = std::string("/proc/") + std::to_string(getpid()) + "/ns/mnt";
- ino_t appBindInode = getFileInode(appBindPath);
- ino_t appProcInode = getFileInode(appProcPath);
- ino_t launcherProcInode = getFileInode(launcherProcPath);
+ ino_t appBindInode = getFileInode(appBindPath);
+ ino_t appProcInode = getFileInode(appProcPath);
+ ino_t launcherProcInode = getFileInode(launcherProcPath);
- RUNNER_ASSERT_ERRNO_MSG(appBindInode != 0, "get inode failed");
- RUNNER_ASSERT_ERRNO_MSG(appProcInode != 0, "get inode failed");
- RUNNER_ASSERT_ERRNO_MSG(launcherProcInode != 0, "get inode failed");
+ RUNNER_ASSERT_ERRNO_MSG(appBindInode != 0, "get inode failed");
+ RUNNER_ASSERT_ERRNO_MSG(appProcInode != 0, "get inode failed");
+ RUNNER_ASSERT_ERRNO_MSG(launcherProcInode != 0, "get inode failed");
- RUNNER_ASSERT_ERRNO_MSG(launcherProcInode != appProcInode, "create mount namespace failed");
- RUNNER_ASSERT_ERRNO_MSG(appBindInode == appProcInode, "bind namespace failed");
+ RUNNER_ASSERT_ERRNO_MSG(launcherProcInode != appProcInode, "create mount namespace failed");
+ RUNNER_ASSERT_ERRNO_MSG(appBindInode == appProcInode, "bind namespace failed");
- synchPipe.post();
+ synchPipe.post();
- waitPid(pid);
- Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid);
- }
+ waitPid(pid);
+ Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid);
}
RUNNER_CHILD_TEST(security_manager_102_check_propagation_test)
ScopedInstaller appInstall(app);
SynchronizationPipe synchPipe;
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid == 0) {
+ pid_t pid = runInChild([&] {
synchPipe.claimChildEp();
RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed");
Api::prepareAppCandidate();
Api::prepareApp(app.getAppId());
synchPipe.post();
synchPipe.wait();
-
- exit(0);
- } else {
- synchPipe.claimParentEp();
- synchPipe.wait();
-
- bool result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH, pid);
- RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound");
- result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH, pid);
- RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound");
- result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid);
- RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound");
-
- result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH);
- RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
- result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH);
- RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
- result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH);
- RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
-
- synchPipe.post();
- waitPid(pid);
- Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid);
- }
+ });
+ synchPipe.claimParentEp();
+ synchPipe.wait();
+
+ bool result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH, pid);
+ RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound");
+ result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH, pid);
+ RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound");
+ result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid);
+ RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound");
+
+ result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH);
+ RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
+ result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH);
+ RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
+ result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH);
+ RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
+
+ synchPipe.post();
+ waitPid(pid);
+ Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid);
}
RUNNER_CHILD_TEST(security_manager_103_policy_change_test)
ScopedInstaller appInstall(app);
SynchronizationPipe synchPipe;
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid == 0) {
+ pid_t pid = runInChild([&] {
synchPipe.claimChildEp();
RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed");
Api::prepareAppCandidate();
Api::prepareApp(app.getAppId());
synchPipe.post();
synchPipe.wait();
+ });
+
+ synchPipe.claimParentEp();
+ synchPipe.wait();
+
+ bool result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH, pid);
+ RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
+ result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH, pid);
+ RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
+ result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid);
+ RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
+
+ PolicyRequest policyRequest;
+ PolicyEntry policyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_EXTERNALSTORAGE);
+ policyEntry.setLevel(PolicyEntry::LEVEL_DENY);
+ policyRequest.addEntry(policyEntry);
+
+ policyEntry = PolicyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_MEDIASTORAGE);
+ policyEntry.setLevel(PolicyEntry::LEVEL_DENY);
+ policyRequest.addEntry(policyEntry);
+ Api::sendPolicy(policyRequest);
+
+ result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH, pid);
+ RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound");
+ result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH, pid);
+ RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound");
+ result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid);
+ RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound");
+
+ policyEntry = PolicyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_EXTERNALSTORAGE);
+ policyEntry.setLevel(PolicyEntry::LEVEL_ALLOW);
+ policyRequest.addEntry(policyEntry);
+
+ policyEntry = PolicyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_MEDIASTORAGE);
+ policyEntry.setLevel(PolicyEntry::LEVEL_ALLOW);
+ policyRequest.addEntry(policyEntry);
+ Api::sendPolicy(policyRequest);
+
+ result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH, pid);
+ RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
+ result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH, pid);
+ RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
+ result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid);
+ RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
+
+ synchPipe.post();
+ waitPid(pid);
+ Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid);
- exit(0);
- } else {
- synchPipe.claimParentEp();
- synchPipe.wait();
-
- bool result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH, pid);
- RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
- result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH, pid);
- RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
- result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid);
- RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
-
- PolicyRequest policyRequest;
- PolicyEntry policyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_EXTERNALSTORAGE);
- policyEntry.setLevel(PolicyEntry::LEVEL_DENY);
- policyRequest.addEntry(policyEntry);
-
- policyEntry = PolicyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_MEDIASTORAGE);
- policyEntry.setLevel(PolicyEntry::LEVEL_DENY);
- policyRequest.addEntry(policyEntry);
- Api::sendPolicy(policyRequest);
-
- result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH, pid);
- RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound");
- result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH, pid);
- RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound");
- result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid);
- RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound");
-
- policyEntry = PolicyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_EXTERNALSTORAGE);
- policyEntry.setLevel(PolicyEntry::LEVEL_ALLOW);
- policyRequest.addEntry(policyEntry);
-
- policyEntry = PolicyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_MEDIASTORAGE);
- policyEntry.setLevel(PolicyEntry::LEVEL_ALLOW);
- policyRequest.addEntry(policyEntry);
- Api::sendPolicy(policyRequest);
-
- result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH, pid);
- RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
- result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH, pid);
- RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
- result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid);
- RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
-
- synchPipe.post();
- waitPid(pid);
- Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid);
- }
}
RUNNER_CHILD_TEST(security_manager_104_policy_change_kill_app_test)
ScopedInstaller appInstall(app);
SynchronizationPipe synchPipe;
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid == 0) {
+ pid_t pid = runInChild([&] {
synchPipe.claimChildEp();
try {
RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed");
throw;
}
synchPipe.post();
- exit(0);
- } else {
- synchPipe.claimParentEp();
- synchPipe.wait();
+ });
- PolicyRequest policyRequest;
- PolicyEntry policyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_EXTERNALSTORAGE);
- policyEntry.setLevel(PolicyEntry::LEVEL_DENY);
- policyRequest.addEntry(policyEntry);
- Api::sendPolicy(policyRequest);
+ synchPipe.claimParentEp();
+ synchPipe.wait();
- waitPid(pid);
- Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid);
- }
+ PolicyRequest policyRequest;
+ PolicyEntry policyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_EXTERNALSTORAGE);
+ policyEntry.setLevel(PolicyEntry::LEVEL_DENY);
+ policyRequest.addEntry(policyEntry);
+ Api::sendPolicy(policyRequest);
+
+ waitPid(pid);
+ Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid);
}
namespace {
const auto uid = tmpUser.getUid();
- AppInstallHelper app("app190", uid);
+ AppInstallHelper app("app190", uid);
- ScopedInstaller installer(app);
+ ScopedInstaller installer(app);
- const auto pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
+ pid_t pid = runInChildParentWait([&] {
+ RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed");
- if (pid == 0) {
- RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed");
+ const auto appId = app.getAppId();
- const auto appId = app.getAppId();
+ Api::prepareAppCandidate();
- Api::prepareAppCandidate();
+ std::atomic<bool> quit = false;
+ static constexpr size_t MAX = 60;
+ std::vector<std::thread> threads;threads.reserve(MAX);
+ for (size_t i = 0; i < MAX; i++ ) {
+ threads.emplace_back(std::thread([&](){
+ while(!quit) {
+ auto tmp = malloc(1000);
+ free(tmp);
+ }
+ }));
+ }
- std::atomic<bool> quit = false;
- static constexpr size_t MAX = 60;
- std::vector<std::thread> threads;threads.reserve(MAX);
- for (size_t i = 0; i < MAX; i++ ) {
- threads.emplace_back(std::thread([&](){
- while(!quit) {
- auto tmp = malloc(1000);
- free(tmp);
- }
- }));
- }
+ Api::prepareApp(appId);
+ quit = true;
+ for (size_t i = 0; i < MAX; i++ )
+ threads[i].join();
+ });
- Api::prepareApp(appId);
- quit = true;
- for (size_t i = 0; i < MAX; i++ )
- threads[i].join();
- exit(0);
- }
- waitPid(pid);
- Api::cleanupApp(app.getAppId(), uid, pid);
+ Api::cleanupApp(app.getAppId(), uid, pid);
}
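Review bot: If `Api::prepareApp(appId)` throws inside the lambda, `threads` is destroyed while its 60 `std::thread` objects are still joinable, which calls `std::terminate`, so the child aborts instead of reporting the failed assertion. Whether `prepareApp` throws is not visible here, so this needs confirming. If it does, set `quit = true` and join on every exit path, either with a catch-and-rethrow around `Api::prepareApp(appId)` or with a guard object declared after `threads`. The join loop would also read better as `for (auto &t : threads) t.join();`.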
RUNNER_CHILD_TEST(security_manager_200_prepare_app_perf)
for (int i = 0; i < nConcurrentApps; i++) {
auto &app = apps[i];
- const auto pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid)
- app.pid = pid;
- else {
+ app.pid = runInChild([&] {
synchPipe.claimChildEp();
RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed");
auto ret = TEMP_FAILURE_RETRY(poll(fds, 1, -1));
RUNNER_ASSERT_ERRNO(ret > 0);
- exit(0);
- }
+ });
}
synchPipe.claimParentEp();
app.addPrivileges({PRIV_EXTERNALSTORAGE, PRIV_MEDIASTORAGE});
ScopedInstaller appInstall(app);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid == 0) {
+ pid_t pid = runInChildParentWait([&] {
RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed");
Api::prepareAppCandidate();
for (unsigned i = 0; i < MAX_THREADS; ++i)
PREP_THREADS[i].join();
- exit(0);
- } else {
- waitPid(pid);
- Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid);
- }
+ });
+
+ Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid);
}
RUNNER_CHILD_TEST(security_manager_400_prepare_app_with_concurrent_install)
app.addPrivileges({PRIV_EXTERNALSTORAGE, PRIV_MEDIASTORAGE});
ScopedInstaller appInstall(app);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid == 0) {
+ pid_t pid = runInChild([&] {
RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed");
// wait a bit for the other process to start running install/deinstall loop
Api::prepareAppCandidate();
Api::prepareApp(app.getAppId());
- exit(0);
- } else {
- // in a loop, install & uninstall a temporary app
- std::time_t begin = std::time(nullptr);
- while(1) {
- {
- AppInstallHelper app2("app400_2", tmpUser.getUid());
- app2.addPrivileges({PRIV_EXTERNALSTORAGE, PRIV_MEDIASTORAGE});
- ScopedInstaller appInstall(app2);
- }
- std::time_t now = std::time(nullptr);
- if (now - begin >= 3) // wait at most 3 seconds
- break;
+ });
+ // in a loop, install & uninstall a temporary app
+ std::time_t begin = std::time(nullptr);
+ while(1) {
+ {
+ AppInstallHelper app2("app400_2", tmpUser.getUid());
+ app2.addPrivileges({PRIV_EXTERNALSTORAGE, PRIV_MEDIASTORAGE});
+ ScopedInstaller appInstall(app2);
}
- waitPid(pid);
- Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid);
+ std::time_t now = std::time(nullptr);
+ if (now - begin >= 3) // wait at most 3 seconds
+ break;
}
+ waitPid(pid);
+ Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid);
}
}
TemporaryTestUser tmpUser(APP_TEST_USER, GUM_USERTYPE_NORMAL, false);
tmpUser.create();
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid == 0) {
+ pid_t pid = runInChild([&] {
// install an app, and in a loop - fork + launch it
AppInstallHelper app("app400", tmpUser.getUid());
ScopedInstaller appInstall(app);
std::time_t begin = std::time(nullptr);
while(1) {
- pid_t pid2 = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid2 >= 0, "Fork failed");
- if (pid2 == 0) {
+ pid_t pid2 = runInChildParentWait([&] {
RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed");
Api::prepareAppCandidate();
Api::prepareApp(app.getAppId());
- exit(0);
- } else {
- waitPid(pid2);
- Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid2);
- }
+ });
+
+ Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid2);
+
std::time_t now = std::time(nullptr);
if (now - begin >= 30) // wait 30 sec
break;
}
- exit(0);
- } else {
- // in a loop, install & uninstall a temporary app
- std::time_t begin = std::time(nullptr);
- while(1) {
- {
- AppInstallHelper app2("app400_2", tmpUser.getUid());
- app2.addPrivileges({PRIV_EXTERNALSTORAGE, PRIV_MEDIASTORAGE});
- ScopedInstaller appInstall(app2);
- }
- std::time_t now = std::time(nullptr);
- if (now - begin >= 30) // wait 30 sec
- break;
+
+ });
+ // in a loop, install & uninstall a temporary app
+ std::time_t begin = std::time(nullptr);
+ while(1) {
+ {
+ AppInstallHelper app2("app400_2", tmpUser.getUid());
+ app2.addPrivileges({PRIV_EXTERNALSTORAGE, PRIV_MEDIASTORAGE});
+ ScopedInstaller appInstall(app2);
}
- waitPid(pid);
+ std::time_t now = std::time(nullptr);
+ if (now - begin >= 30) // wait 30 sec
+ break;
}
+ waitPid(pid);
}
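Review bot: The outer lambda's locals are now destroyed when it returns, whereas the removed `exit(0)` ended the child without unwinding, so `ScopedInstaller appInstall(app)` presumably now uninstalls the app from inside the child. That is a behaviour change the code does not mention. If it is intended, a comment before the closing `});` would record it, for example `// appInstall goes out of scope here, so the child removes the app before it exits`. How `runInChild` terminates the child after the lambda returns is not visible on this page, so it is worth confirming that the destructor's work completes before the parent's `waitPid(pid)` returns.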
scopedInstallations.emplace_back(ScopedInstaller(appIdAIH.second));
}
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
- if (pid != 0) { //parent process
- waitPid(pid);
- } else { //child process
+ runInChildParentWait([&] {
Api::setAppProcessIdentity(privManagerAppId);
RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
"drop_root_privileges failed");
RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
"Unexpected privilege " << privilege << " for app " << app);
}
- exit(0);
- }
+ });
}
RUNNER_CHILD_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
scopedInstallations.emplace_back(ScopedInstaller(userAppIdAIH.second));
}
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
- if (pid != 0) { //parent process
- waitPid(pid);
- } else { //child process
+ runInChildParentWait([&] {
Api::setAppProcessIdentity(privManagerAppId);
RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(normalUserToSwitch.getUid(),
normalUserToSwitch.getGid()) == 0,
RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
"Unexpected privilege " << privilege << " for app " << app);
}
- exit(0);
- }
+ });
}
RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
scopedInstallations.emplace_back(ScopedInstaller(userAppIdAIH.second));
}
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
- if (pid != 0) { //parent process
- waitPid(pid);
- } else { //child process
+ runInChildParentWait([&] {
Api::setAppProcessIdentity(privManagerAppId);
RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUserToSwitch.getUid(),
adminUserToSwitch.getGid()) == 0,
RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
"Unexpected privilege " << privilege << " for app " << app);
};
- exit(0);
- };
+ });
}
RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
TemporaryTestUser &adminUser = usernameToTTU.at(adminName);
TemporaryTestUser &normalUser = usernameToTTU.at(normalName);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >=0, "Fork failed");
- if (pid == 0) { //child #1 process
+ runInChildParentWait([&] {
Api::setAppProcessIdentity(privManagerAppId);
RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(normalUser.getUid(), normalUser.getGid()) == 0,
"drop_root_privileges failed");
policyEntry.setLevel(PolicyEntry::LEVEL_DENY);
policyRequest.addEntry(policyEntry);
Api::sendPolicy(policyRequest);
+ });
+ runInChildParentWait([&] {
+ Api::setAppProcessIdentity(privManagerAppId);
+ // Admin user, but in context of app, which doesn't have usermanagement privilege
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
+ "drop_root_privileges failed");
- exit(0);
- } else {
- waitPid(pid);
- pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >=0, "Fork failed");
- if (pid == 0) { //child #2 process
- Api::setAppProcessIdentity(privManagerAppId);
- // Admin user, but in context of app, which doesn't have usermanagement privilege
- RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
- "drop_root_privileges failed");
-
- PolicyEntry filter = PolicyEntry(
- SECURITY_MANAGER_ANY,
- normalUser.getUidString(),
- SECURITY_MANAGER_ANY
- );
- std::vector<PolicyEntry> policyEntries;
- //U2 requests contents of U1 privacy manager - should fail
- Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
- RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but has "
- << policyEntries.size() << " entries");
-
- filter = PolicyEntry(
- SECURITY_MANAGER_ANY,
- SECURITY_MANAGER_ANY,
- SECURITY_MANAGER_ANY
- );
-
- policyEntries.clear();
-
- //U2 requests contents of ADMIN bucket - should fail
- Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
- RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but has "
- << policyEntries.size() << " entries");
- exit(0);
- } else {
- waitPid(pid);
- }
- }
+ PolicyEntry filter = PolicyEntry(
+ SECURITY_MANAGER_ANY,
+ normalUser.getUidString(),
+ SECURITY_MANAGER_ANY
+ );
+ std::vector<PolicyEntry> policyEntries;
+ //U2 requests contents of U1 privacy manager - should fail
+ Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
+ RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but has "
+ << policyEntries.size() << " entries");
+
+ filter = PolicyEntry(
+ SECURITY_MANAGER_ANY,
+ SECURITY_MANAGER_ANY,
+ SECURITY_MANAGER_ANY
+ );
+
+ policyEntries.clear();
+
+ //U2 requests contents of ADMIN bucket - should fail
+ Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
+ RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but has "
+ << policyEntries.size() << " entries");
+ });
}
RUNNER_CHILD_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
ScopedInstaller privManagerInstall(privManager);
- pid_t pid = fork();
- if (pid != 0) {
- waitPid(pid);
- } else { //child process
+ runInChildParentWait([&] {
Api::setAppProcessIdentity(privManager.getAppId());
RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUserToSwitch.getUid(),
adminUserToSwitch.getGid()) == 0,
Api::getPolicyForAdmin(PolicyEntry(), policyEntries);
RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0"
" and is " << policyEntries.size());
- exit(0);
- };
+ });
}
RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin)
privManager.addPrivilege(ADMIN_PRIVILEGE);
ScopedInstaller privManagerInstall(privManager);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
- if (pid != 0) { //parent process
- waitPid(pid);
- CynaraTestAdmin::Admin admin;
- admin.adminCheck("ADMIN", false, updatedApp.generateAppLabel().c_str(),
- adminUser.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_ALLOW,
- nullptr);
- } else {
+ runInChildParentWait([&] {
Api::setAppProcessIdentity(privManager.getAppId());
RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
PolicyRequest addPolicyRequest;
addPolicyRequest.addEntry(entry);
Api::sendPolicy(addPolicyRequest);
- exit(0);
- }
+ });
+
+ CynaraTestAdmin::Admin admin;
+ admin.adminCheck("ADMIN", false, updatedApp.generateAppLabel().c_str(),
+ adminUser.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_ALLOW,
+ nullptr);
}
RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard)
privManager.addPrivilege(ADMIN_PRIVILEGE);
ScopedInstaller privManagerInstall(privManager);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
- if (pid != 0) {
- waitPid(pid);
- CynaraTestAdmin::Admin admin;
- admin.adminCheck("ADMIN", false, app.generateAppLabel().c_str(),
- adminUser.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_ALLOW,
- nullptr);
- } else {
+ runInChildParentWait([&] {
Api::setAppProcessIdentity(privManager.getAppId());
RUNNER_ASSERT_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
"drop_root_privileges failed");
PolicyRequest addPolicyRequest;
addPolicyRequest.addEntry(entry);
Api::sendPolicy(addPolicyRequest);
- exit(0);
- }
+ });
+
+ CynaraTestAdmin::Admin admin;
+ admin.adminCheck("ADMIN", false, app.generateAppLabel().c_str(),
+ adminUser.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_ALLOW,
+ nullptr);
}
RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_self)
privManager.addPrivilege(SELF_PRIVILEGE);
ScopedInstaller privManagerInstall(privManager);
- pid_t pid = fork();
- RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
- if (pid != 0) {
- waitPid(pid);
- CynaraTestAdmin::Admin admin;
- admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
- updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
- } else {
+ runInChildParentWait([&] {
Api::setAppProcessIdentity(privManager.getAppId());
RUNNER_ASSERT_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
"drop_root_privileges failed");
PolicyRequest addPolicyRequest;
addPolicyRequest.addEntry(entry);
Api::sendPolicy(addPolicyRequest);
- exit(0);
- }
+ });
+
+ CynaraTestAdmin::Admin admin;
+ admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
+ updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
}
RUNNER_CHILD_TEST(security_manager_16_policy_levels_get)
TemporaryTestUser user("sm_test_16_user_name", GUM_USERTYPE_NORMAL);
user.create();
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
- if (pid != 0) {
- waitPid(pid);
- } else {
+ runInChildParentWait([&] {
RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
"drop_root_privileges failed");
// last should always be Allow
RUNNER_ASSERT_MSG(allowPolicy.compare(PolicyEntry::LEVEL_ALLOW) == 0,
"Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]);
- exit(0);
- }
+ });
}
RUNNER_CHILD_TEST(security_manager_17a_privacy_manager_delete_policy_for_self)
ScopedInstaller appInstall(app);
SynchronizationPipe synchPipe;
- pid_t pid = fork();
- RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
- if (pid != 0) {
- synchPipe.claimParentEp();
-
- synchPipe.wait();
- CynaraTestAdmin::Admin admin;
- admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
- updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
- synchPipe.post();
- synchPipe.wait();
- admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
- updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr);
- waitPid(pid);
- } else {
+ pid_t pid = runInChild([&] {
synchPipe.claimChildEp();
RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
"drop_root_privileges failed");
Api::sendPolicy(deletePolicyRequest);
synchPipe.post();
- exit(0);
- }
+ });
+
+ synchPipe.claimParentEp();
+
+ synchPipe.wait();
+ CynaraTestAdmin::Admin admin;
+ admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
+ updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
+ synchPipe.post();
+
+ synchPipe.wait();
+ admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
+ updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr);
+ waitPid(pid);
}
RUNNER_CHILD_TEST(security_manager_17b_privacy_manager_delete_policy_for_self)
ScopedInstaller privManagerInstall(privManager);
SynchronizationPipe synchPipe;
- pid_t pid = fork();
- RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
- if (pid != 0) {
- synchPipe.claimParentEp();
- synchPipe.wait();
- CynaraTestAdmin::Admin admin;
- admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
- updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
- synchPipe.post();
-
- synchPipe.wait();
- admin.adminCheck("", false, app.generateAppLabel().c_str(),
- user.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr);
- waitPid(pid);
-
- } else {
+ pid_t pid = runInChild([&] {
synchPipe.claimChildEp();
Api::setAppProcessIdentity(privManager.getAppId());
RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
deletePolicyRequest.addEntry(deleteEntry);
Api::sendPolicy(deletePolicyRequest);
synchPipe.post();
- exit(0);
- }
+ });
+
+ synchPipe.claimParentEp();
+ synchPipe.wait();
+ CynaraTestAdmin::Admin admin;
+ admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
+ updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
+ synchPipe.post();
+
+ synchPipe.wait();
+ admin.adminCheck("", false, app.generateAppLabel().c_str(),
+ user.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr);
+ waitPid(pid);
}
RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
for (const auto &app : appHelpers)
scopedInstallations.emplace_back(std::move(ScopedInstaller(app)));
- pid_t pid = fork();
- RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
- if (pid != 0)//parent process
- {
- waitPid(pid);
- } else {
+ runInChildParentWait([&] {
Api::setAppProcessIdentity(privManagerAppId);
RUNNER_ASSERT_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
"drop_root_privileges failed");
RUNNER_ASSERT_MSG(policyEntries.size() == policyCount,
"Number of policies doesn't match - should be: " << policyCount
<< " and is " << policyEntries.size());
-
- exit(0);
- }
+ });
}
RUNNER_CHILD_TEST(security_manager_18_privacy_manager_privacy_related_privileges_policy_install_remove)
app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE});
ScopedInstaller appInstall(app);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
- if (pid != 0) { //parent process
- waitPid(pid);
- } else { //child process
+ runInChildParentWait([&] {
Api::setAppProcessIdentity(app.getAppId());
RUNNER_ASSERT_ERRNO_MSG(
drop_root_privileges(user.getUid(), user.getGid()) == 0,
RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
check_privileges_from_manifest(app, privileges, nPrivs);
security_manager_privileges_free(privileges, nPrivs);
- exit(0);
- }
+ });
}
RUNNER_CHILD_TEST(security_manager_28_fetch_app_manifest_app_context_global_positive)
app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE});
ScopedInstaller appInstall(app);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
- if (pid != 0) { //parent process
- waitPid(pid);
- } else { //child process
+ runInChildParentWait([&] { //child process
Api::setAppProcessIdentity(app.getAppId());
RUNNER_ASSERT_ERRNO_MSG(
drop_root_privileges(user.getUid(), user.getGid()) == 0,
RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
check_privileges_from_manifest(app, privileges, nPrivs);
security_manager_privileges_free(privileges, nPrivs);
- exit(0);
- }
+ });
}
RUNNER_CHILD_TEST(security_manager_29_fetch_app_manifest_app_context_local_different_uid)
ScopedInstaller appInstall1(app1);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
- if (pid != 0) { //parent process
- waitPid(pid);
- } else { //child process
+ runInChildParentWait([&] {
Api::setAppProcessIdentity(app1.getAppId());
RUNNER_ASSERT_ERRNO_MSG(
drop_root_privileges(user1.getUid(), user1.getGid()) == 0,
RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
check_privileges_from_manifest(app1, privileges, nPrivs);
security_manager_privileges_free(privileges, nPrivs);
- exit(0);
- }
+ });
}
RUNNER_CHILD_TEST(security_manager_30_fetch_app_manifest_app_context_local_different_label)
ScopedInstaller appInstall1(app1);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
- if (pid != 0) { //parent process
- waitPid(pid);
- } else { //child process
+ runInChildParentWait([&] {
Api::setAppProcessIdentity(app1.getAppId());
RUNNER_ASSERT_ERRNO_MSG(
drop_root_privileges(user.getUid(), user.getGid()) == 0,
RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
check_privileges_from_manifest(app1, privileges, nPrivs);
security_manager_privileges_free(privileges, nPrivs);
- exit(0);
- }
+ });
}
RUNNER_CHILD_TEST(security_manager_31_fetch_app_manifest_app_context_local_different_label_with_privilege)
ScopedInstaller appInstall1(app1);
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
- if (pid != 0) { //parent process
- waitPid(pid);
- } else { //child process
+ runInChildParentWait([&] {
Api::setAppProcessIdentity(app1.getAppId());
RUNNER_ASSERT_ERRNO_MSG(
drop_root_privileges(user.getUid(), user.getGid()) == 0,
RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
check_privileges_from_manifest(app1, privileges, nPrivs);
security_manager_privileges_free(privileges, nPrivs);
- exit(0);
- }
+ });
}
} //anonymous namespace
RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_SHARED_RO)
-
-static void runAccessTest(uid_t uid, gid_t gid, const std::string &appId,
- std::function<void(void)> f)
-{
- pid_t pid = fork();
-
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
- if (pid == 0) {
- setLauncherSecurityAttributes(uid, gid);
- Api::prepareAppCandidate();
- Api::prepareApp(appId);
- f();
- exit(0);
- } else {
-
- waitPid(pid);
- Api::cleanupApp(appId, uid, pid);
- }
-}
-
/**
* Check whether owner app have access to own sharedRO dir
*/
app.createSharedRODir();
ScopedInstaller sharedROPkgApp(app);
- runAccessTest(OWNER_UID, OWNER_GID, app.getAppId(), [&]() {
- accessTest(app.getAppId(), app.getSharedRODir(), R_OK|W_OK|X_OK);
- });
+ runAccessTest(app, app.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK);
}
}
otherApp.createSharedRODir();
ScopedInstaller otherAppInstall(otherApp);
- runAccessTest(OWNER_UID, OWNER_GID, ownerApp.getAppId(), [&]() {
- accessTest(ownerApp.getAppId(), ownerApp.getSharedRODir(), R_OK | W_OK | X_OK);
- accessTest(ownerApp.getAppId(), otherApp.getSharedRODir(), R_OK | X_OK);
- exit(0);
- });
+ runAccessTest(ownerApp, ownerApp.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK | W_OK | X_OK);
+ runAccessTest(ownerApp, otherApp.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK | X_OK);
}
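Review bot: The two `runAccessTest(ownerApp, ...)` calls now each fork a child, run `prepareAppCandidate`/`prepareApp` and then `cleanupApp`, whereas the removed lambda checked both paths inside one prepared process. The checks for one app therefore no longer observe a single process context, and setup cost grows with the number of paths. The same split appears in the later SHARED_RO hunks, up to three launches per app. If one launch per app is the intent, an overload taking a list of path/access pairs would keep it, e.g. `runAccessTest(ownerApp, {{ownerApp.getSharedRODir(), R_OK|W_OK|X_OK}, {otherApp.getSharedRODir(), R_OK|X_OK}}, OWNER_UID, OWNER_GID);`. The helper's definition is outside this hunk.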
/**
AppInstallHelper nonSharedApp("sm_test_77_nonshared", OWNER_UID, version.second);
ScopedInstaller nonSharedAppInstall(nonSharedApp);
- runAccessTest(OWNER_UID, OWNER_GID, sharedApp.getAppId(), [&]() {
- accessTest(sharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|W_OK|X_OK);
- });
+ runAccessTest(sharedApp, sharedApp.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK);
- runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
- accessTest(nonSharedApp.getAppId(), sharedApp.getPrivateDir(), 0);
- accessTest(nonSharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|X_OK);
- });
+ runAccessTest(nonSharedApp, sharedApp.getPrivateDir(), OWNER_UID, OWNER_GID, 0);
+ runAccessTest(nonSharedApp, sharedApp.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|X_OK);
}
}
sharedApp2.createPrivateDir();
ScopedInstaller sharedApp2Install(sharedApp2);
- runAccessTest(OWNER_UID, OWNER_GID, sharedApp1.getAppId(), [&]() {
- accessTest(sharedApp1.getAppId(), sharedApp2.getSharedRODir(), R_OK|X_OK);
- accessTest(sharedApp1.getAppId(), sharedApp1.getSharedRODir(), R_OK|W_OK|X_OK);
- accessTest(sharedApp1.getAppId(), sharedApp2.getPrivateDir(), 0);
- });
-
- runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
- accessTest(sharedApp2.getAppId(), sharedApp1.getSharedRODir(), R_OK|X_OK);
- accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK);
- accessTest(sharedApp2.getAppId(), sharedApp1.getPrivateDir(), 0);
- });
+ runAccessTest(sharedApp1, sharedApp2.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|X_OK);
+ runAccessTest(sharedApp1, sharedApp1.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK);
+ runAccessTest(sharedApp1, sharedApp2.getPrivateDir(), OWNER_UID, OWNER_GID, 0);
+
+ runAccessTest(sharedApp2, sharedApp1.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|X_OK);
+ runAccessTest(sharedApp2, sharedApp2.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK);
+ runAccessTest(sharedApp2, sharedApp1.getPrivateDir(), OWNER_UID, OWNER_GID, 0);
}
}
sharedApp2.createSharedRODir();
ScopedInstaller sharedAppInstall2(sharedApp2);
- runAccessTest(OWNER_UID, OWNER_GID, sharedApp1.getAppId(), [&]() {
- accessTest(sharedApp1.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK);
- });
- runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
- accessTest(sharedApp2.getAppId(), sharedApp1.getSharedRODir(), R_OK|W_OK|X_OK);
- });
+
+ runAccessTest(sharedApp1, sharedApp2.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK);
+ runAccessTest(sharedApp2, sharedApp1.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK);
}
}
AppInstallHelper nonSharedApp("sm_test_79b_shared2", sharedPkgName, OWNER_UID, version);
ScopedInstaller nonSharedAppInstall(nonSharedApp);
- runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
- accessTest(nonSharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|W_OK|X_OK);
- });
- };
+ runAccessTest(nonSharedApp, sharedApp.getSharedRODir(),
+ OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK);
+ }
}
/**
AppInstallHelper nonSharedApp("sm_test_80_nonshared", sharedPkgName, OWNER_UID, version);
ScopedInstaller nonSharedAppInstall(nonSharedApp);
- runAccessTest(OWNER_UID, OWNER_GID, sharedApp1.getAppId(), [&]() {
- accessTest(sharedApp1.getAppId(), sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK);
- });
- runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
- accessTest(sharedApp2.getAppId(), sharedApp1.getPrivateDir(1), R_OK|W_OK|X_OK);
- });
+ runAccessTest(sharedApp1, sharedApp2.getPrivateDir(2),
+ OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK);
+ runAccessTest(sharedApp2, sharedApp1.getPrivateDir(1),
+ OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK);
+
+
+ runAccessTest(nonSharedApp, sharedApp1.getPrivateDir(1),
+ OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK);
+ runAccessTest(nonSharedApp, sharedApp2.getPrivateDir(2),
+ OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK);
- runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
- accessTest(nonSharedApp.getAppId(), sharedApp1.getPrivateDir(1), R_OK|W_OK|X_OK);
- accessTest(nonSharedApp.getAppId(), sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK);
- });
sharedAppInstall1.uninstallApp();
- runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
- accessTest(nonSharedApp.getAppId(), sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK);
- });
+ runAccessTest(nonSharedApp, sharedApp2.getPrivateDir(2),
+ OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK);
}
}
sharedRORequest.setUid(sharedApp2.getUID());
Api::registerPaths(sharedRORequest);
- runAccessTest(OWNER_UID, OWNER_GID, sharedApp.getAppId(), [&]() {
- accessTest(sharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|W_OK|X_OK);
- accessTest(sharedApp.getAppId(), sharedApp.getPrivateDir(), R_OK|W_OK|X_OK);
- });
-
- runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
- accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK);
- accessTest(sharedApp2.getAppId(), sharedApp.getSharedRODir(), R_OK|X_OK);
- accessTest(sharedApp2.getAppId(), sharedApp.getPrivateDir(), 0);
- });
-
- runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
- accessTest(nonSharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|X_OK);
- accessTest(nonSharedApp.getAppId(), sharedApp2.getSharedRODir(), R_OK|X_OK);
- accessTest(nonSharedApp.getAppId(), sharedApp.getPrivateDir(), 0);
- });
+
+ runAccessTest(sharedApp, sharedApp.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK);
+ runAccessTest(sharedApp, sharedApp.getPrivateDir(), OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK);
+
+ runAccessTest(sharedApp2, sharedApp2.getSharedRODir(),
+ OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK);
+ runAccessTest(sharedApp2, sharedApp.getSharedRODir(),
+ OWNER_UID, OWNER_GID, R_OK|X_OK);
+ runAccessTest(sharedApp2, sharedApp.getPrivateDir(), OWNER_UID, OWNER_GID, 0);
+
+ runAccessTest(nonSharedApp, sharedApp.getSharedRODir(),
+ OWNER_UID, OWNER_GID, R_OK|X_OK);
+ runAccessTest(nonSharedApp, sharedApp2.getSharedRODir(),
+ OWNER_UID, OWNER_GID, R_OK|X_OK);
+ runAccessTest(nonSharedApp, sharedApp.getPrivateDir(), OWNER_UID, OWNER_GID, 0);
}
}
sharedAppInstall1.uninstallApp();
sharedApp1.removePaths();
- runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
- accessTest(nonSharedApp.getAppId(), sharedApp1.getSharedRODir(), 0);
- accessTest(nonSharedApp.getAppId(), sharedApp2.getSharedRODir(), R_OK|X_OK);
- });
- runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
- accessTest(sharedApp2.getAppId(), sharedApp1.getSharedRODir(), 0);
- accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK);
- });
+ runAccessTest(nonSharedApp, sharedApp1.getSharedRODir(), OWNER_UID, OWNER_GID, 0);
+ runAccessTest(nonSharedApp, sharedApp2.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|X_OK);
+
+ runAccessTest(sharedApp2, sharedApp1.getSharedRODir(), OWNER_UID, OWNER_GID, 0);
+ runAccessTest(sharedApp2, sharedApp2.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK);
}
}
sharedAppInstall1.uninstallApp();
- runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
- accessTest(nonSharedApp.getAppId(), sharedApp2.getSharedRODir(2), R_OK|X_OK);
- });
-
- runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
- accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(2), R_OK|W_OK|X_OK);
- });
+ runAccessTest(nonSharedApp, sharedApp2.getSharedRODir(2), OWNER_UID, OWNER_GID, R_OK|X_OK);
+ runAccessTest(sharedApp2, sharedApp2.getSharedRODir(2),
+ OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK);
}
}
app.createPrivateDir();
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
- if (pid == 0) { // child
+ runInChildParentWait([&] {
RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user1.getUid(), user1.getGid()) == 0,
"drop_root_privileges failed");
preq.addPath(app.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
- } else {
- waitPid(pid);
- }
+ });
}
static void checkOutsidePath(const std::string& pkgId, uid_t uid, const std::string& path)