Fix groups issue in tests using perm_app_set_privilege api. 59/18159/9
authorMarcin Niesluchowski <m.niesluchow@samsung.com>
Thu, 13 Mar 2014 15:33:53 +0000 (16:33 +0100)
committerMarcin Niesluchowski <m.niesluchow@samsung.com>
Tue, 22 Apr 2014 05:31:51 +0000 (22:31 -0700)
Due to current policy process calling perm_app_set_privilege is added
to current groups of app user and additional groups associated with
smack label in database. Previous tests did not take into account
current groups of app user.

Verification:
-> security-tests.sh libprivilege-control --runignored --output=text

Change-Id: I03a7e96c46da20af6a01c86b290fc7180425afb5

tests/libprivilege-control-tests/CMakeLists.txt
tests/libprivilege-control-tests/common/libprivilege-control_test_common.h
tests/libprivilege-control-tests/libprivilege-control_test_common.cpp
tests/libprivilege-control-tests/test_cases.cpp
tests/libprivilege-control-tests/test_cases_nosmack.cpp
tests/libprivilege-control-tests/test_privilege_control_rules.dac [deleted file]

index 9339dfdf68bff4b06951c49a8ba4bf5cb2c6ed62..4eabea3f6f0d42fb74c20f3ba140ab8ca3838b7f 100644 (file)
@@ -119,17 +119,6 @@ INSTALL(FILES
     DESTINATION /usr/share/privilege-control/
   )
 
-INSTALL(FILES
-    ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/test_privilege_control_rules.dac
-    DESTINATION /usr/share/privilege-control/
-    PERMISSIONS
-    OWNER_READ
-    GROUP_READ
-    GROUP_EXECUTE
-    WORLD_READ
-    WORLD_EXECUTE
-  )
-
 INSTALL(DIRECTORY
     ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/test_privilege_control_DIR
     DESTINATION /etc/smack/
index 979188f469df1161a40070096c3d8c726fbea4e0..0fa812d954ca771a38e7a79c5108399f210cb3bf 100644 (file)
@@ -56,7 +56,6 @@
 
 #define EFL_APP_ID             "hello-tizen"
 
-#define LIBPRIVILEGE_TEST_DAC_FILE     "/usr/share/privilege-control/test_privilege_control_rules.dac"
 #define LIBPRIVILEGE_TEST_DAC_FILE_WGT "/usr/share/privilege-control/WRT_test_privilege_control_rules_wgt.dac"
 #define LIBPRIVILEGE_TEST_DAC_FILE_OSP "/usr/share/privilege-control/OSP_test_privilege_control_rules_osp.dac"
 #define LIBPRIVILEGE_TEST_DAC_FILE_EFL "/usr/share/privilege-control/EFL_test_privilege_control_rules_efl.dac"
@@ -214,8 +213,8 @@ int test_have_all_accesses(const rules_t &rules);
 int test_have_any_accesses(const rules_t &rules);
 int test_have_nosmack_accesses(const rules_t &rules);
 
-void read_gids(std::set<unsigned> &set, const char *file_path);
-void check_groups(const char *dac_file);
+void read_user_gids(std::set<unsigned> &set, const uid_t user_id);
+void check_groups(const std::set<unsigned> &groups_prev, const char *dac_file);
 
 int file_exists(const char *path);
 void check_app_installed(const char *app_path);
index 117331b12b0f42eabf9e42002b4b27e02ab59100..3746dde3bd2329943212de1f1a30a2e2f9d0d93c 100644 (file)
@@ -32,6 +32,8 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <vector>
+#include <grp.h>
+#include <pwd.h>
 
 #include <libprivilege-control_test_common.h>
 #include <tests_common.h>
@@ -132,35 +134,83 @@ void read_gids(std::set<unsigned> &set, const char *file_path)
     fclose(f);
 }
 
-void check_groups(const char *dac_file)
+void read_user_gids(std::set<unsigned> &set, const uid_t user_id)
 {
-    std::set<unsigned> groups_check;
-    read_gids(groups_check, dac_file);
+    int ret;
+
+    struct passwd *pw = getpwuid(user_id);
+    RUNNER_ASSERT_MSG_BT(pw != NULL, "getpwuid() failed.");
+
+    int groups_cnt = 0;
+    gid_t *groups_list = NULL;
+    ret = getgrouplist(pw->pw_name,  pw->pw_gid, groups_list, &groups_cnt);
+    RUNNER_ASSERT_MSG_BT(ret == -1, "getgrouplist() failed.");
+    if (groups_cnt == 0)
+        return;
+    groups_list = (gid_t*) calloc(groups_cnt, sizeof(gid_t));
+    RUNNER_ASSERT_MSG_BT(groups_list != NULL, "Memory allocation failed.");
+
+    ret = getgrouplist(pw->pw_name,  pw->pw_gid, groups_list, &groups_cnt);
+    if (ret == -1) {
+        free(groups_list);
+        RUNNER_ASSERT_MSG_BT(false, "getgrouplist() failed.");
+    }
 
+    for (int i = 0; i < groups_cnt; ++i) {
+        set.insert(groups_list[i]);
+    }
+    free(groups_list);
+}
+
+void read_current_gids(std::set<unsigned> &set)
+{
     int groups_cnt = getgroups(0, NULL);
-    RUNNER_ASSERT_MSG_BT(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
+    RUNNER_ASSERT_MSG_BT(groups_cnt > 0, "Wrong number of supplementary groups.");
     gid_t *groups_list = (gid_t*) calloc(groups_cnt, sizeof(gid_t));
-    RUNNER_ASSERT_MSG_BT(groups_list != NULL, "Memory allocation failed");
-    RUNNER_ASSERT_BT(-1 != getgroups(groups_cnt, groups_list));
+    RUNNER_ASSERT_MSG_BT(groups_list != NULL, "Memory allocation failed.");
+    if (getgroups(groups_cnt, groups_list) == -1){
+        free(groups_list);
+        RUNNER_ASSERT_MSG_BT(false, "getgroups failed.");
+    }
 
     for (int i = 0; i < groups_cnt; ++i) {
-        //getgroups() can return multiple number of the same group
-        //they are returned in sequence, so we will given number when last
-        //element of this number is reached
-        if ((i < groups_cnt - 1) && (groups_list[i + 1] == groups_list[i]))
-            continue;
-        if (groups_check.erase(groups_list[i]) == 0) {
-            // getgroups() may also return process' main group
-            if (groups_list[i] != getgid())
-                RUNNER_ASSERT_MSG_BT(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
-        }
+        set.insert(groups_list[i]);
     }
     free(groups_list);
+}
+
+void check_groups(const std::set<unsigned> &groups_prev, const char *dac_file)
+{
+    std::set<unsigned> groups_check;
+    std::set<unsigned> groups_current;
+    if(dac_file != NULL)
+        read_gids(groups_check, dac_file);
+    read_current_gids(groups_current);
+
     std::string groups_left;
-    for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
+    for (auto it = groups_prev.begin(); it != groups_prev.end(); ++it)
+    {
+        (void)groups_check.erase(*it);
+        if(groups_current.erase(*it) == 0)
+            groups_left.append(std::to_string(*it)).append(" ");
+    }
+    RUNNER_ASSERT_MSG_BT(groups_left.empty(),
+        "Application lost some groups: " << groups_left);
+
+    for (auto it = groups_check.begin(); it != groups_check.end(); ++it)
+    {
+        if(groups_current.erase(*it) == 0)
+            groups_left.append(std::to_string(*it)).append(" ");
+    }
+    RUNNER_ASSERT_MSG_BT(groups_left.empty(),
+        "Application doesn't belong to some required groups: " << groups_left);
+
+    for (auto it = groups_current.begin(); it != groups_current.end(); ++it)
+    {
         groups_left.append(std::to_string(*it)).append(" ");
     }
-    RUNNER_ASSERT_MSG_BT(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
+    RUNNER_ASSERT_MSG_BT(groups_left.empty(),
+        "Application belongs to groups it should't belong to: " << groups_left);
 }
 
 int file_exists(const char *path)
index c4875c877cdec927b41ae6c24bd3c24b0753d63a..1a885927bc998883e97f73ca0cef84fc8d90da06 100644 (file)
@@ -28,6 +28,7 @@
 #include <memory>
 #include <fstream>
 #include <sstream>
+#include <set>
 
 #include <fcntl.h>
 #include <errno.h>
@@ -268,6 +269,9 @@ void test_set_app_privilege(
     result = test_have_all_accesses(rules);
     RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
 
+    std::set<unsigned> groups_before;
+    read_user_gids(groups_before, APP_UID);
+
     result = perm_app_set_privilege(app_id, type, app_path);
     RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
             " Error in perm_app_set_privilege. Error: " << result);
@@ -283,7 +287,7 @@ void test_set_app_privilege(
     RUNNER_ASSERT_MSG_BT(result == 0,
             " Process label " << label << " is incorrect");
 
-    check_groups(dac_file);
+    check_groups(groups_before, dac_file);
 }
 
 /**
index 972d8e99b52ea6f779f925ce20a3ee365ac9a1b4..cf8420580920832bc8f3bbab5a05db93bd06779b 100644 (file)
@@ -26,6 +26,7 @@
 #include <memory>
 #include <functional>
 #include <fstream>
+#include <set>
 
 #include <string.h>
 #include <errno.h>
@@ -214,6 +215,9 @@ void test_set_app_privilege_nosmack(
     RUNNER_ASSERT_MSG_BT(result == -1,
             " Permissions shouldn't be added. Result: " << result);
 
+    std::set<unsigned> groups_before;
+    read_user_gids(groups_before, APP_UID);
+
     result = perm_app_set_privilege(app_id, type, app_path);
     RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
             " Error in perm_app_set_privilege. Error: " << result);
@@ -226,7 +230,7 @@ void test_set_app_privilege_nosmack(
     RUNNER_ASSERT_MSG_BT(label == NULL,
             " new_label_from_self shouldn't allocate memory for label.");
 
-    check_groups(dac_file);
+    check_groups(groups_before, dac_file);
 }
 
 /**
@@ -249,6 +253,9 @@ RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_nosmack)
     perm_app_uninstall(APP_ID);
     DB_END
 
+    std::set<unsigned> groups_before;
+    read_user_gids(groups_before, APP_UID);
+
     //Set app privileges
     result = perm_app_set_privilege(APP_ID, NULL, APP_SET_PRIV_PATH);
     RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
@@ -271,7 +278,7 @@ RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_nosmack)
     result = strcmp(getenv("USER"), APP_USER_NAME);
     RUNNER_ASSERT_MSG_BT(result == 0, "Wrong user USER NAME. Result: " << result);
 
-    check_groups(LIBPRIVILEGE_TEST_DAC_FILE);
+    check_groups(groups_before, NULL);
 }
 
 /**
diff --git a/tests/libprivilege-control-tests/test_privilege_control_rules.dac b/tests/libprivilege-control-tests/test_privilege_control_rules.dac
deleted file mode 100644 (file)
index eb6ed40..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-12345
-23456