const bool TestSecurityManagerDatabase::NOT_REMOVED = false;
const bool TestSecurityManagerDatabase::REMOVED = true;
-TestSecurityManagerDatabase::TestSecurityManagerDatabase() : m_base(PRIVILEGE_DB_PATH, SQLITE_OPEN_READWRITE)
+TestSecurityManagerDatabase::TestSecurityManagerDatabase() : m_base(PRIVILEGE_DB_PATH)
{
}
return result.rows.size() == 1;
}
-
-void TestSecurityManagerDatabase::setup_privilege_gids(const std::string &privilege,
- const std::vector<gid_t> &gids)
-{
- Sqlite3DBaseSelectResult result;
- std::ostringstream sql;
-
- if (!m_base.is_open())
- m_base.open();
-
- sql << "INSERT OR IGNORE INTO privilege (name) VALUES ('" << privilege << "')";
- m_base.execute(sql.str(), result);
-
- for (const auto &gid : gids) {
- sql.clear();
- sql.str("");
- sql << "INSERT OR IGNORE INTO privilege_gid (privilege_id, gid) "
- "VALUES ((SELECT privilege_id FROM privilege WHERE name = '"
- << privilege << "')," << (int) gid << ")";
- m_base.execute(sql.str(), result);
- }
-}
#include <memory.h>
#include <summary_collector.h>
#include <string>
-#include <unordered_set>
-
-#include <grp.h>
#include <libprivilege-control_test_common.h>
#include <tests_common.h>
static const privileges_t SM_NO_PRIVILEGES = {
};
-static const std::vector<gid_t> SM_ALLOWED_GIDS = {6001, 6002};
-
static const char *const SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir";
static const char *const SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public";
static const char *const SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro";
}
}
-static void check_app_gids(const char *const app_id, const std::vector<gid_t> &allowed_gids)
-{
- int ret;
- gid_t main_gid = getgid();
- std::unordered_set<gid_t> reference_gids(allowed_gids.begin(), allowed_gids.end());
-
- // Reset supplementary groups
- ret = setgroups(0, NULL);
- RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
-
- ret = security_manager_set_process_groups_from_appid(app_id);
- RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS,
- "security_manager_set_process_groups_from_appid(" <<
- app_id << ") failed. Result: " << ret);
-
- ret = getgroups(0, nullptr);
- RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
-
- std::vector<gid_t> actual_gids(ret);
- ret = getgroups(ret, actual_gids.data());
- RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
-
- for (const auto &gid : actual_gids) {
- RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0,
- "Application shouldn't get access to group " << gid);
- reference_gids.erase(gid);
- }
-
- RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups");
-}
-
static void check_app_after_install(const char *const app_id, const char *const pkg_id,
const privileges_t &allowed_privs,
- const privileges_t &denied_privs,
- const std::vector<gid_t> &allowed_gids)
+ const privileges_t &denied_privs)
{
TestSecurityManagerDatabase dbtest;
dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
/*Privileges should be granted to all users if root installs app*/
check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
-
- /* Setup mapping of gids to privileges */
- /* Do this for each privilege for extra check */
- for (const auto &privilege : allowed_privs) {
- dbtest.setup_privilege_gids(privilege, allowed_gids);
- }
-
- check_app_gids(app_id, allowed_gids);
}
static void check_app_after_install(const char *const app_id, const char *const pkg_id)
/* Check records in the security-manager database */
check_app_after_install(SM_APP_ID2, SM_PKG_ID2,
- SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GIDS);
+ SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
/* TODO: add parameters to this function */
check_app_path_after_install();