From: Zofia Abramowska Date: Wed, 26 Mar 2025 13:25:13 +0000 (+0100) Subject: security-manager: Remove manual calls of fork() X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a164749484df85e39d1da0c5f19c0168b692615e;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git security-manager: Remove manual calls of fork() Change-Id: Id39eb0a124175c178d9ad62a362856518bcde0b0 --- diff --git a/src/common/app_install_helper.h b/src/common/app_install_helper.h index ded0a415..e01e14bd 100644 --- a/src/common/app_install_helper.h +++ b/src/common/app_install_helper.h @@ -53,7 +53,7 @@ struct AppInstallHelper { : AppInstallHelper(appNamePrefix, pkgNamePrefix, false, uid) {} - AppInstallHelper(const std::string &namePrefix) + explicit AppInstallHelper(const std::string &namePrefix) : AppInstallHelper(namePrefix, namePrefix, false, geteuid()) {} diff --git a/src/security-manager-tests/common/sm_commons.cpp b/src/security-manager-tests/common/sm_commons.cpp index a87429f4..2ad57421 100644 --- a/src/security-manager-tests/common/sm_commons.cpp +++ b/src/security-manager-tests/common/sm_commons.cpp @@ -214,6 +214,20 @@ void runAccessTest(const AppInstallHelper &app, const std::string &testPath, int Api::cleanupApp(app.getAppId(), app.getUID(), pid); } +void runAccessTest(const AppInstallHelper &app, const std::string &testPath, + uid_t uid, gid_t gid, int accessType) { + auto fun = [&](){ + RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(uid, gid) == 0, + "launcher failed"); + Api::prepareAppCandidate(); + Api::prepareApp(app.getAppId()); + accessTest(app.getAppId(), testPath, accessType); + }; + + auto pid = runInChildParentWait(fun); + Api::cleanupApp(app.getAppId(), uid, pid); +} + void runSystemAccessTest(uid_t uid, gid_t gid, const std::string &testPath, int accessType) { for (const auto &label : SM_SYSTEM_LABELS) runAccessTest(label, uid, gid, testPath, accessType); diff --git a/src/security-manager-tests/common/sm_commons.h b/src/security-manager-tests/common/sm_commons.h index 2df2caf9..c06a8040 100644 --- a/src/security-manager-tests/common/sm_commons.h +++ b/src/security-manager-tests/common/sm_commons.h @@ -42,6 +42,8 @@ void accessTest(const std::string &id, const std::string &testPath, int accessTy void runAccessTest(const std::string &label, uid_t uid, gid_t gid, const std::string &testPath, int accessType); void runAccessTest(const AppInstallHelper &app, const std::string &testPath, int accessType); +void runAccessTest(const AppInstallHelper &app, const std::string &testPath, + uid_t uid, gid_t gid, int accessType); void runSystemAccessTest(uid_t uid, gid_t gid, const std::string &testPath, int accessType); bool isAskuserDisabled(); diff --git a/src/security-manager-tests/test_cases.cpp b/src/security-manager-tests/test_cases.cpp index f27fbc92..1022f34b 100644 --- a/src/security-manager-tests/test_cases.cpp +++ b/src/security-manager-tests/test_cases.cpp @@ -22,6 +22,7 @@ #include #include #include +#include #include #include @@ -189,15 +190,10 @@ RUNNER_CHILD_TEST(security_manager_02a_set_process_groups) app.checkAfterInstall(); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid != 0) { - waitPid(pid); - } else { + runInChildParentWait([&]{ Api::setProcessGroups(app.getAppId()); app.checkGroupPrivileges(defaultAllowedPrivs); - exit(0); - } + }); } app.checkAfterUninstall(); } @@ -224,9 +220,7 @@ RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid) ScopedInstaller appInstall(app); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid == 0) { // child + runInChildParentWait([&]{ Api::setAppProcessIdentity(app.getAppId()); char *label = nullptr; @@ -256,9 +250,7 @@ RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid) RUNNER_ASSERT_MSG(result == 0, " Process label is incorrect. Expected: \"" << expectedProcLabel << "\" Actual: \"" << label << "\""); - } else { // parent - waitPid(pid); - } + }); } #endif @@ -731,31 +723,17 @@ RUNNER_CHILD_TEST(security_manager_10_app_has_privilege) RUNNER_CHILD_TEST(security_manager_11a_set_identity_system) { - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid != 0) { //parent process - waitPid(pid); - } else { - int result = security_manager_set_identity(process_type::SM_PROCESS_TYPE_SYSTEM, nullptr); - RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS, - "security_manager_set_identity(SM_PROCESS_TYPE_SYSTEM, nullptr) failed"); - exit(0); - } + int result = security_manager_set_identity(process_type::SM_PROCESS_TYPE_SYSTEM, nullptr); + RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS, + "security_manager_set_identity(SM_PROCESS_TYPE_SYSTEM, nullptr) failed"); } RUNNER_CHILD_TEST(security_manager_11b_set_identity_privileged) { - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid != 0) { //parent process - waitPid(pid); - } else { - int result = security_manager_set_identity(process_type::SM_PROCESS_TYPE_SYSTEM_PRIVILEGED, - nullptr); - RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS, - "security_manager_set_identity(SM_PROCESS_TYPE_SYSTEM_PRIVILEGED, nullptr) failed"); - exit(0); - } + int result = security_manager_set_identity(process_type::SM_PROCESS_TYPE_SYSTEM_PRIVILEGED, + nullptr); + RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS, + "security_manager_set_identity(SM_PROCESS_TYPE_SYSTEM_PRIVILEGED, nullptr) failed"); } RUNNER_CHILD_TEST(security_manager_11c_set_identity_app_no_author) @@ -764,11 +742,7 @@ RUNNER_CHILD_TEST(security_manager_11c_set_identity_app_no_author) AppInstallHelper appLocal(appLocalName); ScopedInstaller appInstall(appLocal); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid != 0) { //parent process - waitPid(pid); - } else { + runInChildParentWait([&] { int result = security_manager_set_identity(process_type::SM_PROCESS_TYPE_APP, nullptr); RUNNER_ASSERT_MSG( result == SECURITY_MANAGER_ERROR_INPUT_PARAM, @@ -779,8 +753,7 @@ RUNNER_CHILD_TEST(security_manager_11c_set_identity_app_no_author) result == SECURITY_MANAGER_SUCCESS, "security_manager_set_identity(SM_PROCESS_TYPE_APP, appLocal.getAppId().c_str()) failed" ); - exit(0); - } + }); } RUNNER_CHILD_TEST(security_manager_11d_set_identity_app_author) @@ -790,11 +763,7 @@ RUNNER_CHILD_TEST(security_manager_11d_set_identity_app_author) appLocal.setAuthor("sm_test_app_author"); ScopedInstaller appInstall(appLocal); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid != 0) { //parent process - waitPid(pid); - } else { + runInChildParentWait([&] { int result = security_manager_set_identity(process_type::SM_PROCESS_TYPE_APP, nullptr); RUNNER_ASSERT_MSG( result == SECURITY_MANAGER_ERROR_INPUT_PARAM, @@ -805,8 +774,7 @@ RUNNER_CHILD_TEST(security_manager_11d_set_identity_app_author) result == SECURITY_MANAGER_SUCCESS, "security_manager_set_identity(SM_PROCESS_TYPE_APP, appLocal.getAppId().c_str()) failed" ); - exit(0); - } + }); } RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_INTERNET) @@ -828,20 +796,16 @@ RUNNER_CHILD_TEST(security_manager_12a_internet_access_positive) app.addPrivilege(PRIV_INTERNET); ScopedInstaller appInstall(app); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid != 0) { - // wait for child to exit before uninstallation - waitPid(pid); - Api::cleanupApp(app.getAppId(), testUser.getUid(), pid); - } else { + pid_t pid = runInChildParentWait([&] { // child - the actual application RUNNER_ASSERT_MSG(setLauncherSecurityAttributes(testUser) == 0, "launcher failed"); Api::prepareAppCandidate(); Api::prepareApp(app.getAppId()); RUNNER_ASSERT_MSG(ping() == 0, "No internet access while the privilege is present"); - } + }); + + Api::cleanupApp(app.getAppId(), testUser.getUid(), pid); } RUNNER_CHILD_TEST(security_manager_12b_internet_access_negative) @@ -851,20 +815,16 @@ RUNNER_CHILD_TEST(security_manager_12b_internet_access_negative) AppInstallHelperExt app("sm_test_12b", "sm_test_12b", testUser.getUid()); ScopedInstaller appInstall(app); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid != 0) { - // wait for child to exit before uninstallation - waitPid(pid); - Api::cleanupApp(app.getAppId(), testUser.getUid(), pid); - } else { + pid_t pid = runInChildParentWait([&] { // child - the actual application RUNNER_ASSERT_MSG(setLauncherSecurityAttributes(testUser) == 0, "launcher failed"); Api::prepareAppCandidate(); Api::prepareApp(app.getAppId()); RUNNER_ASSERT_MSG(ping() != 0, "Internet access detected despite no privilege"); - } + }); + + Api::cleanupApp(app.getAppId(), testUser.getUid(), pid); } RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_POLICY) @@ -919,12 +879,7 @@ RUNNER_CHILD_TEST(security_manager_21_security_manager_admin_deny_user_priv) ScopedInstaller normalAppInstall(normalApp); normalApp.checkAfterInstall(); - pid_t pid = fork(); - RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); - if (pid != 0) { //parent process - waitPid(pid); - normalApp.checkPrivileges(allowedPrivsAfterChange, deniedPrivsAfterChange); - } else { + runInChildParentWait([&] { Api::setAppProcessIdentity(adminApp.getAppId()); RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(),adminUser.getGid()) == 0, "drop_root_privileges failed"); @@ -936,8 +891,9 @@ RUNNER_CHILD_TEST(security_manager_21_security_manager_admin_deny_user_priv) addPolicyReq.addEntry(entry); } Api::sendPolicy(addPolicyReq); - exit(0); - } + }); + + normalApp.checkPrivileges(allowedPrivsAfterChange, deniedPrivsAfterChange); } RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_CMD) @@ -1257,14 +1213,8 @@ RUNNER_CHILD_TEST(security_manager_26_1a_security_manager_get_app_owner_uid) testUser.create(); AppInstallHelperExt app("sm_test_26_1a", "sm_test_26_1a", testUser.getUid()); ScopedInstaller appInstall(app); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid != 0) { - // wait for child to exit before uninstallation - waitPid(pid); - Api::cleanupApp(app.getAppId(), testUser.getUid(), pid); - } else { - // child - the actual application + + pid_t pid = runInChildParentWait([&] { RUNNER_ASSERT_MSG(setLauncherSecurityAttributes(testUser) == 0, "launcher failed"); auto expected = getuid(); Api::prepareAppCandidate(); @@ -1276,8 +1226,9 @@ RUNNER_CHILD_TEST(security_manager_26_1a_security_manager_get_app_owner_uid) RUNNER_ASSERT_MSG(owner_uid == expected, "Invalid uid returned - expected: " << expected << " returned: " << owner_uid); - exit(0); - } + }); + + Api::cleanupApp(app.getAppId(), testUser.getUid(), pid); } RUNNER_CHILD_TEST(security_manager_26_1b_security_manager_get_app_owner_uid) @@ -1302,18 +1253,12 @@ RUNNER_CHILD_TEST(security_manager_26_1b_security_manager_get_app_owner_uid) TemporaryTestUser testUser("sm_test_26_1b_user_name", GUM_USERTYPE_NORMAL); testUser.create(); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid != 0) { - // wait for child to exit - waitPid(pid); - } else { - // child + + runInChildParentWait([&]{ test(); RUNNER_ASSERT_MSG(setLauncherSecurityAttributes(testUser) == 0, "launcher failed"); test(); - exit(0); - } + }); } RUNNER_CHILD_TEST(security_manager_26_2_security_manager_self_is_app) @@ -1327,24 +1272,20 @@ RUNNER_CHILD_TEST(security_manager_26_2_security_manager_self_is_app) app.checkAfterInstall(); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid != 0) { - // here we can check if function will return it is NOT an app - bool is_app; - RUNNER_ASSERT_MSG(security_manager_self_is_app(&is_app) == SECURITY_MANAGER_SUCCESS, - "failed security_manager_self_is_app"); - RUNNER_ASSERT_MSG(is_app == false, "this should not be an app"); - waitPid(pid); - } else { + // here we can check if function will return it is NOT an app + bool is_app; + RUNNER_ASSERT_MSG(security_manager_self_is_app(&is_app) == SECURITY_MANAGER_SUCCESS, + "failed security_manager_self_is_app"); + RUNNER_ASSERT_MSG(is_app == false, "this should not be an app"); + + runInChildParentWait([&] { // here we can check if the function will return it IS an app Api::setAppProcessIdentity(app.getAppId()); bool is_app; RUNNER_ASSERT_MSG(security_manager_self_is_app(&is_app) == SECURITY_MANAGER_SUCCESS, "failed security_manager_self_is_app"); RUNNER_ASSERT_MSG(is_app == true, "this should be an app"); - exit(0); - } + }); } app.checkAfterUninstall(); } @@ -1361,31 +1302,31 @@ RUNNER_CHILD_TEST(security_manager_26_3_security_manager_is_app_from_pid) app.checkAfterInstall(); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid != 0) { - pipe.claimParentEp(); - // here we can check if function will return it is NOT an app - bool is_app; - RUNNER_ASSERT_MSG(security_manager_is_app_from_pid(getpid(), &is_app) == SECURITY_MANAGER_SUCCESS, - "failed security_manager_is_app_from_pid"); - RUNNER_ASSERT_MSG(is_app == false, "this should not be an app"); - pipe.wait(); //synchronization point of setting Smack label - A1 - RUNNER_ASSERT_MSG(security_manager_is_app_from_pid(pid, &is_app) == SECURITY_MANAGER_SUCCESS, - "failed security_manager_is_app_from_pid"); - RUNNER_ASSERT_MSG(is_app == true, "this should be an app"); - waitPid(pid); - } else { + + pid_t pid = runInChild([&] { pipe.claimChildEp(); - // here we can check if the function will return it IS an app + pipe.wait(); // synchronization point before child becomes an app - A1 Api::setAppProcessIdentity(app.getAppId()); - pipe.post(); // A1 + pipe.post(); // A2 bool is_app; RUNNER_ASSERT_MSG(security_manager_is_app_from_pid(getpid(), &is_app) == SECURITY_MANAGER_SUCCESS, "failed security_manager_is_app_from_pid"); RUNNER_ASSERT_MSG(is_app == true, "this should be an app"); - exit(0); - } + }); + + pipe.claimParentEp(); + // here we can check if function will return it is NOT an app + bool is_app; + RUNNER_ASSERT_MSG(security_manager_is_app_from_pid(getpid(), &is_app) == SECURITY_MANAGER_SUCCESS, + "failed security_manager_is_app_from_pid"); + RUNNER_ASSERT_MSG(is_app == false, "this should not be an app"); + pipe.post(); // A1 + pipe.wait(); //synchronization point after child process becomess an app - A2 + RUNNER_ASSERT_MSG(security_manager_is_app_from_pid(pid, &is_app) == SECURITY_MANAGER_SUCCESS, + "failed security_manager_is_app_from_pid"); + RUNNER_ASSERT_MSG(is_app == true, "this should be an app"); + + waitPid(pid); } app.checkAfterUninstall(); } diff --git a/src/security-manager-tests/test_cases_app_policy.cpp b/src/security-manager-tests/test_cases_app_policy.cpp index 3e3e2051..86384d34 100644 --- a/src/security-manager-tests/test_cases_app_policy.cpp +++ b/src/security-manager-tests/test_cases_app_policy.cpp @@ -56,11 +56,7 @@ RUNNER_CHILD_TEST(security_manager_ap1_app_policy_fetch_for_self) { PkgPrivacyPrivileges setupPrivacyPrivs(app); ScopedInstaller appInstall(app); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed"); - if (pid != 0) { //parent process - waitPid(pid); - } else { //child process + runInChildParentWait([&] { Api::setAppProcessIdentity(app.getAppId()); RUNNER_ASSERT_ERRNO_MSG( drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0, @@ -95,8 +91,7 @@ RUNNER_CHILD_TEST(security_manager_ap1_app_policy_fetch_for_self) { } } - exit(0); - } + }); } RUNNER_CHILD_TEST(security_manager_ap2_app_policy_fetch_for_self_different_user) { @@ -111,11 +106,7 @@ RUNNER_CHILD_TEST(security_manager_ap2_app_policy_fetch_for_self_different_user) PkgPrivacyPrivileges setupPrivacyPrivs(app); ScopedInstaller appInstall(app); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed"); - if (pid != 0) { //parent process - waitPid(pid); - } else { //child process + runInChildParentWait([&] { //child process Api::setAppProcessIdentity(app.getAppId()); RUNNER_ASSERT_ERRNO_MSG( drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0, @@ -129,8 +120,7 @@ RUNNER_CHILD_TEST(security_manager_ap2_app_policy_fetch_for_self_different_user) Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED); } - exit(0); - } + }); } RUNNER_CHILD_TEST(security_manager_ap3_app_policy_fetch_for_self_different_user_global) { @@ -146,11 +136,7 @@ RUNNER_CHILD_TEST(security_manager_ap3_app_policy_fetch_for_self_different_user_ PkgPrivacyPrivileges setupPrivacyPrivs(app); ScopedInstaller appInstall(app); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed"); - if (pid != 0) { //parent process - waitPid(pid); - } else { //child process + runInChildParentWait([&] { Api::setAppProcessIdentity(app.getAppId()); RUNNER_ASSERT_ERRNO_MSG( drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0, @@ -164,8 +150,7 @@ RUNNER_CHILD_TEST(security_manager_ap3_app_policy_fetch_for_self_different_user_ Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED); } - exit(0); - } + }); } RUNNER_CHILD_TEST(security_manager_ap3_app_policy_fetch_for_self_different_app) { @@ -184,11 +169,8 @@ RUNNER_CHILD_TEST(security_manager_ap3_app_policy_fetch_for_self_different_app) PkgPrivacyPrivileges setupPrivacyPrivs2(app2); ScopedInstaller appInstall2(app2); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed"); - if (pid != 0) { //parent process - waitPid(pid); - } else { //child process + + runInChildParentWait([&] { Api::setAppProcessIdentity(app1.getAppId()); RUNNER_ASSERT_ERRNO_MSG( drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0, @@ -202,6 +184,5 @@ RUNNER_CHILD_TEST(security_manager_ap3_app_policy_fetch_for_self_different_app) Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED); } - exit(0); - } + }); } diff --git a/src/security-manager-tests/test_cases_dyntransition.cpp b/src/security-manager-tests/test_cases_dyntransition.cpp index 81f8c4c1..6f17b83d 100644 --- a/src/security-manager-tests/test_cases_dyntransition.cpp +++ b/src/security-manager-tests/test_cases_dyntransition.cpp @@ -68,37 +68,8 @@ RUNNER_CHILD_TEST(security_manager_71_app_label_monitor_user_local_global) SynchronizationPipe synchPipe; TemporaryTestUser testUser("sm_test_71_user_name", GUM_USERTYPE_NORMAL, false); testUser.create(); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid != 0) { //parent process - synchPipe.claimParentEp(); - RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0, - "drop_root_privileges failed"); - synchPipe.wait(); //synchronization point A1 - AppInstallHelper appLocal("sm_test_71_local", testUser.getUid()); - appLocal.setInstallType(SM_APP_INSTALL_LOCAL); - ScopedInstaller appLocalInstall(appLocal); - synchPipe.post(); //synchronization point A2 - - synchPipe.wait(); //synchronization point B1 - AppInstallHelper appGlobal("sm_test_71_global"); - appLocal.setInstallType(SM_APP_INSTALL_GLOBAL); - // This shouldn't be possible with dropped privileges, but uid and gid doesn't suffice - // to lose privileges to install applications (tests are running with System::Privileged) - ScopedInstaller appGlobalInstall(appGlobal); - synchPipe.post(); //synchronization point B2 - - synchPipe.wait(); //synchronization point C1 - appLocalInstall.uninstallApp(); - synchPipe.post(); //synchronization point C2 - - synchPipe.wait(); //synchronization point D1 - appGlobalInstall.uninstallApp(); - synchPipe.post(); //synchronization point D2 - - waitPid(pid); - } else { //child process + pid_t pid = runInChild([&] { synchPipe.claimChildEp(); setCaps("cap_mac_admin+ep cap_setuid+ep cap_setgid+ep"); RUNNER_ASSERT_ERRNO_MSG(prctl(PR_SET_KEEPCAPS, 1, 0, 0) == 0, "prctl keeping caps failed"); @@ -121,7 +92,35 @@ RUNNER_CHILD_TEST(security_manager_71_app_label_monitor_user_local_global) RUNNER_ASSERT_MSG((fds[0].revents & POLLIN) > 0, "There is no data to read " "regarding app installation"); } - } + }); + + synchPipe.claimParentEp(); + RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0, + "drop_root_privileges failed"); + + synchPipe.wait(); //synchronization point A1 + AppInstallHelper appLocal("sm_test_71_local", testUser.getUid()); + appLocal.setInstallType(SM_APP_INSTALL_LOCAL); + ScopedInstaller appLocalInstall(appLocal); + synchPipe.post(); //synchronization point A2 + + synchPipe.wait(); //synchronization point B1 + AppInstallHelper appGlobal("sm_test_71_global"); + appLocal.setInstallType(SM_APP_INSTALL_GLOBAL); + // This shouldn't be possible with dropped privileges, but uid and gid doesn't suffice + // to lose privileges to install applications (tests are running with System::Privileged) + ScopedInstaller appGlobalInstall(appGlobal); + synchPipe.post(); //synchronization point B2 + + synchPipe.wait(); //synchronization point C1 + appLocalInstall.uninstallApp(); + synchPipe.post(); //synchronization point C2 + + synchPipe.wait(); //synchronization point D1 + appGlobalInstall.uninstallApp(); + synchPipe.post(); //synchronization point D2 + + waitPid(pid); } RUNNER_CHILD_TEST(security_manager_72_app_label_monitor_user_local) @@ -130,36 +129,8 @@ RUNNER_CHILD_TEST(security_manager_72_app_label_monitor_user_local) TemporaryTestUser testUser("sm_test_75_user_name", GUM_USERTYPE_NORMAL, false); testUser.create(); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid != 0) { //parent process - synchPipe.claimParentEp(); - RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0, - "drop_root_privileges failed"); - - synchPipe.wait(); //synchronization point A1 - AppInstallHelper appLocal("sm_test_72_local1", testUser.getUid()); - appLocal.setInstallType(SM_APP_INSTALL_LOCAL); - ScopedInstaller appLocalInstall(appLocal); - synchPipe.post(); //synchronization point A2 - - synchPipe.wait(); //synchronization point B1 - AppInstallHelper appLocal2("sm_test_72_local2"); - appLocal2.setInstallType(SM_APP_INSTALL_LOCAL); - ScopedInstaller appLocal2Install(appLocal2); - synchPipe.post(); //synchronization point B2 - - synchPipe.wait(); //synchronization point C1 - appLocalInstall.uninstallApp(); - synchPipe.post(); //synchronization point C2 - - synchPipe.wait(); //synchronization point D1 - appLocal2Install.uninstallApp(); - synchPipe.post(); //synchronization point D2 - - waitPid(pid); - } else { //child process + pid_t pid = runInChild([&] { synchPipe.claimChildEp(); setCaps("cap_mac_admin+ep cap_setuid+ep cap_setgid+ep"); @@ -182,7 +153,34 @@ RUNNER_CHILD_TEST(security_manager_72_app_label_monitor_user_local) RUNNER_ASSERT_MSG((fds[0].revents & POLLIN) > 0, "There is no data to read " "regarding app installation"); } - } + }); + + synchPipe.claimParentEp(); + + RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0, + "drop_root_privileges failed"); + + synchPipe.wait(); //synchronization point A1 + AppInstallHelper appLocal("sm_test_72_local1", testUser.getUid()); + appLocal.setInstallType(SM_APP_INSTALL_LOCAL); + ScopedInstaller appLocalInstall(appLocal); + synchPipe.post(); //synchronization point A2 + + synchPipe.wait(); //synchronization point B1 + AppInstallHelper appLocal2("sm_test_72_local2"); + appLocal2.setInstallType(SM_APP_INSTALL_LOCAL); + ScopedInstaller appLocal2Install(appLocal2); + synchPipe.post(); //synchronization point B2 + + synchPipe.wait(); //synchronization point C1 + appLocalInstall.uninstallApp(); + synchPipe.post(); //synchronization point C2 + + synchPipe.wait(); //synchronization point D1 + appLocal2Install.uninstallApp(); + synchPipe.post(); //synchronization point D2 + + waitPid(pid); } RUNNER_CHILD_TEST(security_manager_73_app_label_monitor_different_users) @@ -204,11 +202,7 @@ RUNNER_CHILD_TEST(security_manager_73_app_label_monitor_different_users) appGlobal.setInstallType(SM_APP_INSTALL_GLOBAL); ScopedInstaller appGlobalInstall(appGlobal); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid != 0) { //parent process - waitPid(pid); - } else { //child process + runInChildParentWait([&] { setCaps("cap_mac_admin+ep cap_setuid+ep cap_setgid+ep"); RUNNER_ASSERT_ERRNO_MSG(prctl(PR_SET_KEEPCAPS, 1, 0, 0) == 0, "prctl keeping caps failed"); @@ -223,7 +217,7 @@ RUNNER_CHILD_TEST(security_manager_73_app_label_monitor_different_users) AppInstallHelper appLocal(appLocalName), appGlobal(appGlobalName); testSetLabelForSelf(appLocal.getAppId(), appLocal.getPkgId(), false); testSetLabelForSelf(appGlobal.getAppId(), appGlobal.getPkgId(), true); - } + }); } RUNNER_CHILD_TEST(security_manager_74_app_label_monitor_relabel_changes_global) @@ -236,11 +230,7 @@ RUNNER_CHILD_TEST(security_manager_74_app_label_monitor_relabel_changes_global) ScopedInstaller appGlobalInstall1(appGlobal1); ScopedInstaller appGlobalInstall2(appGlobal2); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid != 0) { // parent - waitPid(pid); - } else { // child + runInChildParentWait([&] { // child TemporaryTestUser testUser("sm_test_74_user_name", GUM_USERTYPE_NORMAL, false); setCaps("all=eip"); @@ -257,7 +247,7 @@ RUNNER_CHILD_TEST(security_manager_74_app_label_monitor_relabel_changes_global) testSetLabelForSelf(appGlobal1.getAppId(), appGlobal1.getPkgId(), true); // global installation (OK) testSetLabelForSelf(appGlobal1.getAppId(), appGlobal1.getPkgId(), false); //second change testSetLabelForSelf(appGlobal2.getAppId(), appGlobal2.getPkgId(), false); //third change - } + }); } RUNNER_CHILD_TEST(security_manager_75_app_label_monitor_relabel_changes_local) @@ -270,23 +260,7 @@ RUNNER_CHILD_TEST(security_manager_75_app_label_monitor_relabel_changes_local) testUser.create(); SynchronizationPipe synchPipe; - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid != 0) { //parent process - synchPipe.claimParentEp(); - - RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0, - "drop_root_privileges failed"); - - AppInstallHelper appLocal1(appLocalName1, testUser.getUid()); - AppInstallHelper appLocal2(appLocalName2, testUser.getUid()); - AppInstallHelper appLocal3(appLocalName3, testUser.getUid()); - ScopedInstaller appLocalInstall1(appLocal1), appLocalInstall2(appLocal2), appLocalInstall3(appLocal3); - appLocalInstall1.uninstallApp(); - synchPipe.post(); - - waitPid(pid); - } else { //child process + pid_t pid = runInChild([&] { synchPipe.claimChildEp(); setCaps("all=eip"); @@ -308,5 +282,19 @@ RUNNER_CHILD_TEST(security_manager_75_app_label_monitor_relabel_changes_local) testSetLabelForSelf(appLocal1.getAppId(), appLocal1.getPkgId(), false); //uninstalled testSetLabelForSelf(appLocal2.getAppId(), appLocal2.getPkgId(), true); //installed testSetLabelForSelf(appLocal3.getAppId(), appLocal3.getPkgId(), false); //second change - } + }); + + synchPipe.claimParentEp(); + + RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0, + "drop_root_privileges failed"); + + AppInstallHelper appLocal1(appLocalName1, testUser.getUid()); + AppInstallHelper appLocal2(appLocalName2, testUser.getUid()); + AppInstallHelper appLocal3(appLocalName3, testUser.getUid()); + ScopedInstaller appLocalInstall1(appLocal1), appLocalInstall2(appLocal2), appLocalInstall3(appLocal3); + appLocalInstall1.uninstallApp(); + synchPipe.post(); + + waitPid(pid); } diff --git a/src/security-manager-tests/test_cases_permissible_file_repair.cpp b/src/security-manager-tests/test_cases_permissible_file_repair.cpp index 0dc3010c..67b51dab 100644 --- a/src/security-manager-tests/test_cases_permissible_file_repair.cpp +++ b/src/security-manager-tests/test_cases_permissible_file_repair.cpp @@ -73,11 +73,7 @@ static void corruptFile(uid_t uid) static void clientMonitorProcess(const TemporaryTestUser &testUser) { - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid != 0) { //parent process - waitPid(pid); - } else { //child process + runInChildParentWait([&] { setCaps("cap_mac_admin+ep cap_setuid+ep cap_setgid+ep"); RUNNER_ASSERT_ERRNO_MSG(prctl(PR_SET_KEEPCAPS, 1, 0, 0) == 0, "prctl keeping caps failed"); @@ -89,7 +85,7 @@ static void clientMonitorProcess(const TemporaryTestUser &testUser) Api::labelsProcess(monitor); setCaps("cap_mac_admin-eip"); - } + }); } RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_PERMISSIBLE_FILE_REPAIR) @@ -151,4 +147,4 @@ RUNNER_CHILD_TEST(security_manager_122c_repair_permissible_file_client_both) corruptFile(testUser.getUid()); clientMonitorProcess(testUser); -} \ No newline at end of file +} diff --git a/src/security-manager-tests/test_cases_prepare_app.cpp b/src/security-manager-tests/test_cases_prepare_app.cpp index 1555a9f8..f201bc10 100644 --- a/src/security-manager-tests/test_cases_prepare_app.cpp +++ b/src/security-manager-tests/test_cases_prepare_app.cpp @@ -226,9 +226,7 @@ RUNNER_CHILD_TEST(security_manager_100_synchronize_credentials_test) const ProcessId expected{true, true}; #endif - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid == 0) { + pid_t pid = runInChildParentWait([&] { { RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed"); Api::prepareAppCandidate(); @@ -240,11 +238,9 @@ RUNNER_CHILD_TEST(security_manager_100_synchronize_credentials_test) Api::prepareApp(app.getAppId()); } RUNNER_ASSERT_MSG(thread_errors.empty(), std::endl << thread_errors); - exit(0); - } else { - waitPid(pid); - Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid); - } + }); + + Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid); } RUNNER_CHILD_TEST(security_manager_100_synchronize_credentials_no_author_test) @@ -260,9 +256,7 @@ RUNNER_CHILD_TEST(security_manager_100_synchronize_credentials_no_author_test) const ProcessId expected{true, false}; #endif - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid == 0) { + pid_t pid = runInChildParentWait([&] { { RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed"); Api::prepareAppCandidate(); @@ -274,11 +268,9 @@ RUNNER_CHILD_TEST(security_manager_100_synchronize_credentials_no_author_test) Api::prepareApp(app.getAppId()); } RUNNER_ASSERT_MSG(thread_errors.empty(), std::endl << thread_errors); - exit(0); - } else { - waitPid(pid); - Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid); - } + }); + + Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid); } RUNNER_CHILD_TEST(security_manager_101_create_namespace_test_n) @@ -295,9 +287,7 @@ RUNNER_CHILD_TEST(security_manager_101_create_namespace_test_n) const ProcessId expected{true, true}; #endif - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid == 0) { + runInChildParentWait([&] { { RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed"); ThreadWrapper threads[THREADS]; @@ -308,10 +298,7 @@ RUNNER_CHILD_TEST(security_manager_101_create_namespace_test_n) Api::prepareAppCandidate(SECURITY_MANAGER_ERROR_INPUT_PARAM); } RUNNER_ASSERT_MSG(!thread_errors.empty(), std::endl << thread_errors); - exit(0); - } else { - waitPid(pid); - } + }); } RUNNER_CHILD_TEST(security_manager_101_create_namespace_test_p) @@ -323,42 +310,38 @@ RUNNER_CHILD_TEST(security_manager_101_create_namespace_test_p) ScopedInstaller appInstall(app); SynchronizationPipe synchPipe; - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid == 0) { + pid_t pid = runInChild([&] { synchPipe.claimChildEp(); RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed"); Api::prepareAppCandidate(); Api::prepareApp(app.getAppId()); synchPipe.post(); synchPipe.wait(); + }); - exit(0); - } else { - synchPipe.claimParentEp(); - synchPipe.wait(); + synchPipe.claimParentEp(); + synchPipe.wait(); - std::string appBindPath = std::string("/var/run/user/") + tmpUser.getUidString() - + "/apps/" + app.generateAppLabel() + "/" + std::to_string(pid); - std::string appProcPath = std::string("/proc/") + std::to_string(pid) + "/ns/mnt"; - std::string launcherProcPath = std::string("/proc/") + std::to_string(getpid()) + "/ns/mnt"; + std::string appBindPath = std::string("/var/run/user/") + tmpUser.getUidString() + + "/apps/" + app.generateAppLabel() + "/" + std::to_string(pid); + std::string appProcPath = std::string("/proc/") + std::to_string(pid) + "/ns/mnt"; + std::string launcherProcPath = std::string("/proc/") + std::to_string(getpid()) + "/ns/mnt"; - ino_t appBindInode = getFileInode(appBindPath); - ino_t appProcInode = getFileInode(appProcPath); - ino_t launcherProcInode = getFileInode(launcherProcPath); + ino_t appBindInode = getFileInode(appBindPath); + ino_t appProcInode = getFileInode(appProcPath); + ino_t launcherProcInode = getFileInode(launcherProcPath); - RUNNER_ASSERT_ERRNO_MSG(appBindInode != 0, "get inode failed"); - RUNNER_ASSERT_ERRNO_MSG(appProcInode != 0, "get inode failed"); - RUNNER_ASSERT_ERRNO_MSG(launcherProcInode != 0, "get inode failed"); + RUNNER_ASSERT_ERRNO_MSG(appBindInode != 0, "get inode failed"); + RUNNER_ASSERT_ERRNO_MSG(appProcInode != 0, "get inode failed"); + RUNNER_ASSERT_ERRNO_MSG(launcherProcInode != 0, "get inode failed"); - RUNNER_ASSERT_ERRNO_MSG(launcherProcInode != appProcInode, "create mount namespace failed"); - RUNNER_ASSERT_ERRNO_MSG(appBindInode == appProcInode, "bind namespace failed"); + RUNNER_ASSERT_ERRNO_MSG(launcherProcInode != appProcInode, "create mount namespace failed"); + RUNNER_ASSERT_ERRNO_MSG(appBindInode == appProcInode, "bind namespace failed"); - synchPipe.post(); + synchPipe.post(); - waitPid(pid); - Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid); - } + waitPid(pid); + Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid); } RUNNER_CHILD_TEST(security_manager_102_check_propagation_test) @@ -370,39 +353,34 @@ RUNNER_CHILD_TEST(security_manager_102_check_propagation_test) ScopedInstaller appInstall(app); SynchronizationPipe synchPipe; - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid == 0) { + pid_t pid = runInChild([&] { synchPipe.claimChildEp(); RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed"); Api::prepareAppCandidate(); Api::prepareApp(app.getAppId()); synchPipe.post(); synchPipe.wait(); - - exit(0); - } else { - synchPipe.claimParentEp(); - synchPipe.wait(); - - bool result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH, pid); - RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound"); - result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH, pid); - RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound"); - result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid); - RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound"); - - result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH); - RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound"); - result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH); - RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound"); - result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH); - RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound"); - - synchPipe.post(); - waitPid(pid); - Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid); - } + }); + synchPipe.claimParentEp(); + synchPipe.wait(); + + bool result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH, pid); + RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound"); + result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH, pid); + RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound"); + result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid); + RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound"); + + result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH); + RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound"); + result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH); + RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound"); + result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH); + RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound"); + + synchPipe.post(); + waitPid(pid); + Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid); } RUNNER_CHILD_TEST(security_manager_103_policy_change_test) @@ -415,65 +393,62 @@ RUNNER_CHILD_TEST(security_manager_103_policy_change_test) ScopedInstaller appInstall(app); SynchronizationPipe synchPipe; - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid == 0) { + pid_t pid = runInChild([&] { synchPipe.claimChildEp(); RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed"); Api::prepareAppCandidate(); Api::prepareApp(app.getAppId()); synchPipe.post(); synchPipe.wait(); + }); + + synchPipe.claimParentEp(); + synchPipe.wait(); + + bool result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH, pid); + RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound"); + result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH, pid); + RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound"); + result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid); + RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound"); + + PolicyRequest policyRequest; + PolicyEntry policyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_EXTERNALSTORAGE); + policyEntry.setLevel(PolicyEntry::LEVEL_DENY); + policyRequest.addEntry(policyEntry); + + policyEntry = PolicyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_MEDIASTORAGE); + policyEntry.setLevel(PolicyEntry::LEVEL_DENY); + policyRequest.addEntry(policyEntry); + Api::sendPolicy(policyRequest); + + result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH, pid); + RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound"); + result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH, pid); + RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound"); + result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid); + RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound"); + + policyEntry = PolicyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_EXTERNALSTORAGE); + policyEntry.setLevel(PolicyEntry::LEVEL_ALLOW); + policyRequest.addEntry(policyEntry); + + policyEntry = PolicyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_MEDIASTORAGE); + policyEntry.setLevel(PolicyEntry::LEVEL_ALLOW); + policyRequest.addEntry(policyEntry); + Api::sendPolicy(policyRequest); + + result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH, pid); + RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound"); + result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH, pid); + RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound"); + result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid); + RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound"); + + synchPipe.post(); + waitPid(pid); + Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid); - exit(0); - } else { - synchPipe.claimParentEp(); - synchPipe.wait(); - - bool result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH, pid); - RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound"); - result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH, pid); - RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound"); - result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid); - RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound"); - - PolicyRequest policyRequest; - PolicyEntry policyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_EXTERNALSTORAGE); - policyEntry.setLevel(PolicyEntry::LEVEL_DENY); - policyRequest.addEntry(policyEntry); - - policyEntry = PolicyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_MEDIASTORAGE); - policyEntry.setLevel(PolicyEntry::LEVEL_DENY); - policyRequest.addEntry(policyEntry); - Api::sendPolicy(policyRequest); - - result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH, pid); - RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound"); - result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH, pid); - RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound"); - result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid); - RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound"); - - policyEntry = PolicyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_EXTERNALSTORAGE); - policyEntry.setLevel(PolicyEntry::LEVEL_ALLOW); - policyRequest.addEntry(policyEntry); - - policyEntry = PolicyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_MEDIASTORAGE); - policyEntry.setLevel(PolicyEntry::LEVEL_ALLOW); - policyRequest.addEntry(policyEntry); - Api::sendPolicy(policyRequest); - - result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH, pid); - RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound"); - result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH, pid); - RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound"); - result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid); - RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound"); - - synchPipe.post(); - waitPid(pid); - Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid); - } } RUNNER_CHILD_TEST(security_manager_104_policy_change_kill_app_test) @@ -486,9 +461,7 @@ RUNNER_CHILD_TEST(security_manager_104_policy_change_kill_app_test) ScopedInstaller appInstall(app); SynchronizationPipe synchPipe; - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid == 0) { + pid_t pid = runInChild([&] { synchPipe.claimChildEp(); try { RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed"); @@ -499,20 +472,19 @@ RUNNER_CHILD_TEST(security_manager_104_policy_change_kill_app_test) throw; } synchPipe.post(); - exit(0); - } else { - synchPipe.claimParentEp(); - synchPipe.wait(); + }); - PolicyRequest policyRequest; - PolicyEntry policyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_EXTERNALSTORAGE); - policyEntry.setLevel(PolicyEntry::LEVEL_DENY); - policyRequest.addEntry(policyEntry); - Api::sendPolicy(policyRequest); + synchPipe.claimParentEp(); + synchPipe.wait(); - waitPid(pid); - Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid); - } + PolicyRequest policyRequest; + PolicyEntry policyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_EXTERNALSTORAGE); + policyEntry.setLevel(PolicyEntry::LEVEL_DENY); + policyRequest.addEntry(policyEntry); + Api::sendPolicy(policyRequest); + + waitPid(pid); + Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid); } namespace { @@ -591,40 +563,36 @@ RUNNER_CHILD_TEST(security_manager_190_prepare_app_threads_malloc) const auto uid = tmpUser.getUid(); - AppInstallHelper app("app190", uid); + AppInstallHelper app("app190", uid); - ScopedInstaller installer(app); + ScopedInstaller installer(app); - const auto pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); + pid_t pid = runInChildParentWait([&] { + RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed"); - if (pid == 0) { - RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed"); + const auto appId = app.getAppId(); - const auto appId = app.getAppId(); + Api::prepareAppCandidate(); - Api::prepareAppCandidate(); + std::atomic quit = false; + static constexpr size_t MAX = 60; + std::vector threads;threads.reserve(MAX); + for (size_t i = 0; i < MAX; i++ ) { + threads.emplace_back(std::thread([&](){ + while(!quit) { + auto tmp = malloc(1000); + free(tmp); + } + })); + } - std::atomic quit = false; - static constexpr size_t MAX = 60; - std::vector threads;threads.reserve(MAX); - for (size_t i = 0; i < MAX; i++ ) { - threads.emplace_back(std::thread([&](){ - while(!quit) { - auto tmp = malloc(1000); - free(tmp); - } - })); - } + Api::prepareApp(appId); + quit = true; + for (size_t i = 0; i < MAX; i++ ) + threads[i].join(); + }); - Api::prepareApp(appId); - quit = true; - for (size_t i = 0; i < MAX; i++ ) - threads[i].join(); - exit(0); - } - waitPid(pid); - Api::cleanupApp(app.getAppId(), uid, pid); + Api::cleanupApp(app.getAppId(), uid, pid); } RUNNER_CHILD_TEST(security_manager_200_prepare_app_perf) @@ -669,11 +637,7 @@ RUNNER_CHILD_TEST(security_manager_200_prepare_app_perf) for (int i = 0; i < nConcurrentApps; i++) { auto &app = apps[i]; - const auto pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid) - app.pid = pid; - else { + app.pid = runInChild([&] { synchPipe.claimChildEp(); RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed"); @@ -705,8 +669,7 @@ RUNNER_CHILD_TEST(security_manager_200_prepare_app_perf) auto ret = TEMP_FAILURE_RETRY(poll(fds, 1, -1)); RUNNER_ASSERT_ERRNO(ret > 0); - exit(0); - } + }); } synchPipe.claimParentEp(); @@ -756,9 +719,7 @@ RUNNER_CHILD_TEST(security_manager_300_prepare_app_recursive_threads) app.addPrivileges({PRIV_EXTERNALSTORAGE, PRIV_MEDIASTORAGE}); ScopedInstaller appInstall(app); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid == 0) { + pid_t pid = runInChildParentWait([&] { RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed"); Api::prepareAppCandidate(); @@ -772,11 +733,9 @@ RUNNER_CHILD_TEST(security_manager_300_prepare_app_recursive_threads) for (unsigned i = 0; i < MAX_THREADS; ++i) PREP_THREADS[i].join(); - exit(0); - } else { - waitPid(pid); - Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid); - } + }); + + Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid); } RUNNER_CHILD_TEST(security_manager_400_prepare_app_with_concurrent_install) @@ -791,9 +750,7 @@ RUNNER_CHILD_TEST(security_manager_400_prepare_app_with_concurrent_install) app.addPrivileges({PRIV_EXTERNALSTORAGE, PRIV_MEDIASTORAGE}); ScopedInstaller appInstall(app); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid == 0) { + pid_t pid = runInChild([&] { RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed"); // wait a bit for the other process to start running install/deinstall loop @@ -802,23 +759,21 @@ RUNNER_CHILD_TEST(security_manager_400_prepare_app_with_concurrent_install) Api::prepareAppCandidate(); Api::prepareApp(app.getAppId()); - exit(0); - } else { - // in a loop, install & uninstall a temporary app - std::time_t begin = std::time(nullptr); - while(1) { - { - AppInstallHelper app2("app400_2", tmpUser.getUid()); - app2.addPrivileges({PRIV_EXTERNALSTORAGE, PRIV_MEDIASTORAGE}); - ScopedInstaller appInstall(app2); - } - std::time_t now = std::time(nullptr); - if (now - begin >= 3) // wait at most 3 seconds - break; + }); + // in a loop, install & uninstall a temporary app + std::time_t begin = std::time(nullptr); + while(1) { + { + AppInstallHelper app2("app400_2", tmpUser.getUid()); + app2.addPrivileges({PRIV_EXTERNALSTORAGE, PRIV_MEDIASTORAGE}); + ScopedInstaller appInstall(app2); } - waitPid(pid); - Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid); + std::time_t now = std::time(nullptr); + if (now - begin >= 3) // wait at most 3 seconds + break; } + waitPid(pid); + Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid); } } @@ -828,44 +783,38 @@ RUNNER_CHILD_TEST(security_manager_400_prepare_app_series_with_concurrent_instal TemporaryTestUser tmpUser(APP_TEST_USER, GUM_USERTYPE_NORMAL, false); tmpUser.create(); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid == 0) { + pid_t pid = runInChild([&] { // install an app, and in a loop - fork + launch it AppInstallHelper app("app400", tmpUser.getUid()); ScopedInstaller appInstall(app); std::time_t begin = std::time(nullptr); while(1) { - pid_t pid2 = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid2 >= 0, "Fork failed"); - if (pid2 == 0) { + pid_t pid2 = runInChildParentWait([&] { RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed"); Api::prepareAppCandidate(); Api::prepareApp(app.getAppId()); - exit(0); - } else { - waitPid(pid2); - Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid2); - } + }); + + Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid2); + std::time_t now = std::time(nullptr); if (now - begin >= 30) // wait 30 sec break; } - exit(0); - } else { - // in a loop, install & uninstall a temporary app - std::time_t begin = std::time(nullptr); - while(1) { - { - AppInstallHelper app2("app400_2", tmpUser.getUid()); - app2.addPrivileges({PRIV_EXTERNALSTORAGE, PRIV_MEDIASTORAGE}); - ScopedInstaller appInstall(app2); - } - std::time_t now = std::time(nullptr); - if (now - begin >= 30) // wait 30 sec - break; + + }); + // in a loop, install & uninstall a temporary app + std::time_t begin = std::time(nullptr); + while(1) { + { + AppInstallHelper app2("app400_2", tmpUser.getUid()); + app2.addPrivileges({PRIV_EXTERNALSTORAGE, PRIV_MEDIASTORAGE}); + ScopedInstaller appInstall(app2); } - waitPid(pid); + std::time_t now = std::time(nullptr); + if (now - begin >= 30) // wait 30 sec + break; } + waitPid(pid); } diff --git a/src/security-manager-tests/test_cases_privacy_manager.cpp b/src/security-manager-tests/test_cases_privacy_manager.cpp index f1b940be..472a512d 100644 --- a/src/security-manager-tests/test_cases_privacy_manager.cpp +++ b/src/security-manager-tests/test_cases_privacy_manager.cpp @@ -105,11 +105,7 @@ RUNNER_CHILD_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_sel scopedInstallations.emplace_back(ScopedInstaller(appIdAIH.second)); } - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed"); - if (pid != 0) { //parent process - waitPid(pid); - } else { //child process + runInChildParentWait([&] { Api::setAppProcessIdentity(privManagerAppId); RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0, "drop_root_privileges failed"); @@ -138,8 +134,7 @@ RUNNER_CHILD_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_sel RUNNER_ASSERT_MSG(privIt != appPrivileges.end(), "Unexpected privilege " << privilege << " for app " << app); } - exit(0); - } + }); } RUNNER_CHILD_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged) @@ -182,11 +177,7 @@ RUNNER_CHILD_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_adm scopedInstallations.emplace_back(ScopedInstaller(userAppIdAIH.second)); } - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed"); - if (pid != 0) { //parent process - waitPid(pid); - } else { //child process + runInChildParentWait([&] { Api::setAppProcessIdentity(privManagerAppId); RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(normalUserToSwitch.getUid(), normalUserToSwitch.getGid()) == 0, @@ -219,8 +210,7 @@ RUNNER_CHILD_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_adm RUNNER_ASSERT_MSG(privIt != appPrivileges.end(), "Unexpected privilege " << privilege << " for app " << app); } - exit(0); - } + }); } RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged) @@ -270,11 +260,7 @@ RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_adm scopedInstallations.emplace_back(ScopedInstaller(userAppIdAIH.second)); } - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed"); - if (pid != 0) { //parent process - waitPid(pid); - } else { //child process + runInChildParentWait([&] { Api::setAppProcessIdentity(privManagerAppId); RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUserToSwitch.getUid(), adminUserToSwitch.getGid()) == 0, @@ -311,8 +297,7 @@ RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_adm RUNNER_ASSERT_MSG(privIt != appPrivileges.end(), "Unexpected privilege " << privilege << " for app " << app); }; - exit(0); - }; + }); } RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged) @@ -357,9 +342,7 @@ RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_ TemporaryTestUser &adminUser = usernameToTTU.at(adminName); TemporaryTestUser &normalUser = usernameToTTU.at(normalName); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >=0, "Fork failed"); - if (pid == 0) { //child #1 process + runInChildParentWait([&] { Api::setAppProcessIdentity(privManagerAppId); RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(normalUser.getUid(), normalUser.getGid()) == 0, "drop_root_privileges failed"); @@ -382,46 +365,37 @@ RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_ policyEntry.setLevel(PolicyEntry::LEVEL_DENY); policyRequest.addEntry(policyEntry); Api::sendPolicy(policyRequest); + }); + runInChildParentWait([&] { + Api::setAppProcessIdentity(privManagerAppId); + // Admin user, but in context of app, which doesn't have usermanagement privilege + RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0, + "drop_root_privileges failed"); - exit(0); - } else { - waitPid(pid); - pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >=0, "Fork failed"); - if (pid == 0) { //child #2 process - Api::setAppProcessIdentity(privManagerAppId); - // Admin user, but in context of app, which doesn't have usermanagement privilege - RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0, - "drop_root_privileges failed"); - - PolicyEntry filter = PolicyEntry( - SECURITY_MANAGER_ANY, - normalUser.getUidString(), - SECURITY_MANAGER_ANY - ); - std::vector policyEntries; - //U2 requests contents of U1 privacy manager - should fail - Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED); - RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but has " - << policyEntries.size() << " entries"); - - filter = PolicyEntry( - SECURITY_MANAGER_ANY, - SECURITY_MANAGER_ANY, - SECURITY_MANAGER_ANY - ); - - policyEntries.clear(); - - //U2 requests contents of ADMIN bucket - should fail - Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED); - RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but has " - << policyEntries.size() << " entries"); - exit(0); - } else { - waitPid(pid); - } - } + PolicyEntry filter = PolicyEntry( + SECURITY_MANAGER_ANY, + normalUser.getUidString(), + SECURITY_MANAGER_ANY + ); + std::vector policyEntries; + //U2 requests contents of U1 privacy manager - should fail + Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED); + RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but has " + << policyEntries.size() << " entries"); + + filter = PolicyEntry( + SECURITY_MANAGER_ANY, + SECURITY_MANAGER_ANY, + SECURITY_MANAGER_ANY + ); + + policyEntries.clear(); + + //U2 requests contents of ADMIN bucket - should fail + Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED); + RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but has " + << policyEntries.size() << " entries"); + }); } RUNNER_CHILD_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin) @@ -434,10 +408,7 @@ RUNNER_CHILD_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_fo ScopedInstaller privManagerInstall(privManager); - pid_t pid = fork(); - if (pid != 0) { - waitPid(pid); - } else { //child process + runInChildParentWait([&] { Api::setAppProcessIdentity(privManager.getAppId()); RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUserToSwitch.getUid(), adminUserToSwitch.getGid()) == 0, @@ -474,8 +445,7 @@ RUNNER_CHILD_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_fo Api::getPolicyForAdmin(PolicyEntry(), policyEntries); RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0" " and is " << policyEntries.size()); - exit(0); - }; + }); } RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin) @@ -492,15 +462,7 @@ RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_adm privManager.addPrivilege(ADMIN_PRIVILEGE); ScopedInstaller privManagerInstall(privManager); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed"); - if (pid != 0) { //parent process - waitPid(pid); - CynaraTestAdmin::Admin admin; - admin.adminCheck("ADMIN", false, updatedApp.generateAppLabel().c_str(), - adminUser.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_ALLOW, - nullptr); - } else { + runInChildParentWait([&] { Api::setAppProcessIdentity(privManager.getAppId()); RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0, @@ -511,8 +473,12 @@ RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_adm PolicyRequest addPolicyRequest; addPolicyRequest.addEntry(entry); Api::sendPolicy(addPolicyRequest); - exit(0); - } + }); + + CynaraTestAdmin::Admin admin; + admin.adminCheck("ADMIN", false, updatedApp.generateAppLabel().c_str(), + adminUser.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_ALLOW, + nullptr); } RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard) @@ -529,15 +495,7 @@ RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_adm privManager.addPrivilege(ADMIN_PRIVILEGE); ScopedInstaller privManagerInstall(privManager); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed"); - if (pid != 0) { - waitPid(pid); - CynaraTestAdmin::Admin admin; - admin.adminCheck("ADMIN", false, app.generateAppLabel().c_str(), - adminUser.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_ALLOW, - nullptr); - } else { + runInChildParentWait([&] { Api::setAppProcessIdentity(privManager.getAppId()); RUNNER_ASSERT_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0, "drop_root_privileges failed"); @@ -548,8 +506,12 @@ RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_adm PolicyRequest addPolicyRequest; addPolicyRequest.addEntry(entry); Api::sendPolicy(addPolicyRequest); - exit(0); - } + }); + + CynaraTestAdmin::Admin admin; + admin.adminCheck("ADMIN", false, app.generateAppLabel().c_str(), + adminUser.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_ALLOW, + nullptr); } RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_self) @@ -566,14 +528,7 @@ RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_sel privManager.addPrivilege(SELF_PRIVILEGE); ScopedInstaller privManagerInstall(privManager); - pid_t pid = fork(); - RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); - if (pid != 0) { - waitPid(pid); - CynaraTestAdmin::Admin admin; - admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(), - updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr); - } else { + runInChildParentWait([&] { Api::setAppProcessIdentity(privManager.getAppId()); RUNNER_ASSERT_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0, "drop_root_privileges failed"); @@ -584,8 +539,11 @@ RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_sel PolicyRequest addPolicyRequest; addPolicyRequest.addEntry(entry); Api::sendPolicy(addPolicyRequest); - exit(0); - } + }); + + CynaraTestAdmin::Admin admin; + admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(), + updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr); } RUNNER_CHILD_TEST(security_manager_16_policy_levels_get) @@ -593,11 +551,7 @@ RUNNER_CHILD_TEST(security_manager_16_policy_levels_get) TemporaryTestUser user("sm_test_16_user_name", GUM_USERTYPE_NORMAL); user.create(); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed"); - if (pid != 0) { - waitPid(pid); - } else { + runInChildParentWait([&] { RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0, "drop_root_privileges failed"); @@ -622,8 +576,7 @@ RUNNER_CHILD_TEST(security_manager_16_policy_levels_get) // last should always be Allow RUNNER_ASSERT_MSG(allowPolicy.compare(PolicyEntry::LEVEL_ALLOW) == 0, "Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]); - exit(0); - } + }); } RUNNER_CHILD_TEST(security_manager_17a_privacy_manager_delete_policy_for_self) @@ -637,22 +590,8 @@ RUNNER_CHILD_TEST(security_manager_17a_privacy_manager_delete_policy_for_self) ScopedInstaller appInstall(app); SynchronizationPipe synchPipe; - pid_t pid = fork(); - RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); - if (pid != 0) { - synchPipe.claimParentEp(); - - synchPipe.wait(); - CynaraTestAdmin::Admin admin; - admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(), - updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr); - synchPipe.post(); - synchPipe.wait(); - admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(), - updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr); - waitPid(pid); - } else { + pid_t pid = runInChild([&] { synchPipe.claimChildEp(); RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0, "drop_root_privileges failed"); @@ -672,8 +611,20 @@ RUNNER_CHILD_TEST(security_manager_17a_privacy_manager_delete_policy_for_self) Api::sendPolicy(deletePolicyRequest); synchPipe.post(); - exit(0); - } + }); + + synchPipe.claimParentEp(); + + synchPipe.wait(); + CynaraTestAdmin::Admin admin; + admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(), + updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr); + synchPipe.post(); + + synchPipe.wait(); + admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(), + updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr); + waitPid(pid); } RUNNER_CHILD_TEST(security_manager_17b_privacy_manager_delete_policy_for_self) @@ -691,22 +642,7 @@ RUNNER_CHILD_TEST(security_manager_17b_privacy_manager_delete_policy_for_self) ScopedInstaller privManagerInstall(privManager); SynchronizationPipe synchPipe; - pid_t pid = fork(); - RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); - if (pid != 0) { - synchPipe.claimParentEp(); - synchPipe.wait(); - CynaraTestAdmin::Admin admin; - admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(), - updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr); - synchPipe.post(); - - synchPipe.wait(); - admin.adminCheck("", false, app.generateAppLabel().c_str(), - user.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr); - waitPid(pid); - - } else { + pid_t pid = runInChild([&] { synchPipe.claimChildEp(); Api::setAppProcessIdentity(privManager.getAppId()); RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0, @@ -726,8 +662,19 @@ RUNNER_CHILD_TEST(security_manager_17b_privacy_manager_delete_policy_for_self) deletePolicyRequest.addEntry(deleteEntry); Api::sendPolicy(deletePolicyRequest); synchPipe.post(); - exit(0); - } + }); + + synchPipe.claimParentEp(); + synchPipe.wait(); + CynaraTestAdmin::Admin admin; + admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(), + updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr); + synchPipe.post(); + + synchPipe.wait(); + admin.adminCheck("", false, app.generateAppLabel().c_str(), + user.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr); + waitPid(pid); } RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered) @@ -762,12 +709,7 @@ RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_sel for (const auto &app : appHelpers) scopedInstallations.emplace_back(std::move(ScopedInstaller(app))); - pid_t pid = fork(); - RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); - if (pid != 0)//parent process - { - waitPid(pid); - } else { + runInChildParentWait([&] { Api::setAppProcessIdentity(privManagerAppId); RUNNER_ASSERT_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0, "drop_root_privileges failed"); @@ -799,9 +741,7 @@ RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_sel RUNNER_ASSERT_MSG(policyEntries.size() == policyCount, "Number of policies doesn't match - should be: " << policyCount << " and is " << policyEntries.size()); - - exit(0); - } + }); } RUNNER_CHILD_TEST(security_manager_18_privacy_manager_privacy_related_privileges_policy_install_remove) @@ -1077,11 +1017,7 @@ RUNNER_CHILD_TEST(security_manager_27_fetch_app_manifest_app_context_local_posit app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE}); ScopedInstaller appInstall(app); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed"); - if (pid != 0) { //parent process - waitPid(pid); - } else { //child process + runInChildParentWait([&] { Api::setAppProcessIdentity(app.getAppId()); RUNNER_ASSERT_ERRNO_MSG( drop_root_privileges(user.getUid(), user.getGid()) == 0, @@ -1092,8 +1028,7 @@ RUNNER_CHILD_TEST(security_manager_27_fetch_app_manifest_app_context_local_posit RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret); check_privileges_from_manifest(app, privileges, nPrivs); security_manager_privileges_free(privileges, nPrivs); - exit(0); - } + }); } RUNNER_CHILD_TEST(security_manager_28_fetch_app_manifest_app_context_global_positive) @@ -1106,11 +1041,7 @@ RUNNER_CHILD_TEST(security_manager_28_fetch_app_manifest_app_context_global_posi app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE}); ScopedInstaller appInstall(app); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed"); - if (pid != 0) { //parent process - waitPid(pid); - } else { //child process + runInChildParentWait([&] { //child process Api::setAppProcessIdentity(app.getAppId()); RUNNER_ASSERT_ERRNO_MSG( drop_root_privileges(user.getUid(), user.getGid()) == 0, @@ -1121,8 +1052,7 @@ RUNNER_CHILD_TEST(security_manager_28_fetch_app_manifest_app_context_global_posi RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret); check_privileges_from_manifest(app, privileges, nPrivs); security_manager_privileges_free(privileges, nPrivs); - exit(0); - } + }); } RUNNER_CHILD_TEST(security_manager_29_fetch_app_manifest_app_context_local_different_uid) @@ -1144,11 +1074,7 @@ RUNNER_CHILD_TEST(security_manager_29_fetch_app_manifest_app_context_local_diffe ScopedInstaller appInstall1(app1); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed"); - if (pid != 0) { //parent process - waitPid(pid); - } else { //child process + runInChildParentWait([&] { Api::setAppProcessIdentity(app1.getAppId()); RUNNER_ASSERT_ERRNO_MSG( drop_root_privileges(user1.getUid(), user1.getGid()) == 0, @@ -1163,8 +1089,7 @@ RUNNER_CHILD_TEST(security_manager_29_fetch_app_manifest_app_context_local_diffe RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret); check_privileges_from_manifest(app1, privileges, nPrivs); security_manager_privileges_free(privileges, nPrivs); - exit(0); - } + }); } RUNNER_CHILD_TEST(security_manager_30_fetch_app_manifest_app_context_local_different_label) @@ -1183,11 +1108,7 @@ RUNNER_CHILD_TEST(security_manager_30_fetch_app_manifest_app_context_local_diffe ScopedInstaller appInstall1(app1); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed"); - if (pid != 0) { //parent process - waitPid(pid); - } else { //child process + runInChildParentWait([&] { Api::setAppProcessIdentity(app1.getAppId()); RUNNER_ASSERT_ERRNO_MSG( drop_root_privileges(user.getUid(), user.getGid()) == 0, @@ -1202,8 +1123,7 @@ RUNNER_CHILD_TEST(security_manager_30_fetch_app_manifest_app_context_local_diffe RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret); check_privileges_from_manifest(app1, privileges, nPrivs); security_manager_privileges_free(privileges, nPrivs); - exit(0); - } + }); } RUNNER_CHILD_TEST(security_manager_31_fetch_app_manifest_app_context_local_different_label_with_privilege) @@ -1225,11 +1145,7 @@ RUNNER_CHILD_TEST(security_manager_31_fetch_app_manifest_app_context_local_diffe ScopedInstaller appInstall1(app1); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed"); - if (pid != 0) { //parent process - waitPid(pid); - } else { //child process + runInChildParentWait([&] { Api::setAppProcessIdentity(app1.getAppId()); RUNNER_ASSERT_ERRNO_MSG( drop_root_privileges(user.getUid(), user.getGid()) == 0, @@ -1246,6 +1162,5 @@ RUNNER_CHILD_TEST(security_manager_31_fetch_app_manifest_app_context_local_diffe RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret); check_privileges_from_manifest(app1, privileges, nPrivs); security_manager_privileges_free(privileges, nPrivs); - exit(0); - } + }); } diff --git a/src/security-manager-tests/test_cases_public_sharing.cpp b/src/security-manager-tests/test_cases_public_sharing.cpp index c4f0078a..7592f4e2 100644 --- a/src/security-manager-tests/test_cases_public_sharing.cpp +++ b/src/security-manager-tests/test_cases_public_sharing.cpp @@ -55,26 +55,6 @@ const VersionCombinations versionCombinations = makeVersionCombinations(versions } //anonymous namespace RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_SHARED_RO) - -static void runAccessTest(uid_t uid, gid_t gid, const std::string &appId, - std::function f) -{ - pid_t pid = fork(); - - RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); - if (pid == 0) { - setLauncherSecurityAttributes(uid, gid); - Api::prepareAppCandidate(); - Api::prepareApp(appId); - f(); - exit(0); - } else { - - waitPid(pid); - Api::cleanupApp(appId, uid, pid); - } -} - /** * Check whether owner app have access to own sharedRO dir */ @@ -85,9 +65,7 @@ RUNNER_CHILD_TEST(security_manager_76_owner_access) app.createSharedRODir(); ScopedInstaller sharedROPkgApp(app); - runAccessTest(OWNER_UID, OWNER_GID, app.getAppId(), [&]() { - accessTest(app.getAppId(), app.getSharedRODir(), R_OK|W_OK|X_OK); - }); + runAccessTest(app, app.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK); } } @@ -101,11 +79,8 @@ RUNNER_CHILD_TEST(security_manager_7x_test) otherApp.createSharedRODir(); ScopedInstaller otherAppInstall(otherApp); - runAccessTest(OWNER_UID, OWNER_GID, ownerApp.getAppId(), [&]() { - accessTest(ownerApp.getAppId(), ownerApp.getSharedRODir(), R_OK | W_OK | X_OK); - accessTest(ownerApp.getAppId(), otherApp.getSharedRODir(), R_OK | X_OK); - exit(0); - }); + runAccessTest(ownerApp, ownerApp.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK | W_OK | X_OK); + runAccessTest(ownerApp, otherApp.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK | X_OK); } /** @@ -124,14 +99,10 @@ RUNNER_CHILD_TEST(security_manager_77_owner_other_access_version_combinations) AppInstallHelper nonSharedApp("sm_test_77_nonshared", OWNER_UID, version.second); ScopedInstaller nonSharedAppInstall(nonSharedApp); - runAccessTest(OWNER_UID, OWNER_GID, sharedApp.getAppId(), [&]() { - accessTest(sharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|W_OK|X_OK); - }); + runAccessTest(sharedApp, sharedApp.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK); - runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() { - accessTest(nonSharedApp.getAppId(), sharedApp.getPrivateDir(), 0); - accessTest(nonSharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|X_OK); - }); + runAccessTest(nonSharedApp, sharedApp.getPrivateDir(), OWNER_UID, OWNER_GID, 0); + runAccessTest(nonSharedApp, sharedApp.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|X_OK); } } @@ -153,17 +124,13 @@ RUNNER_CHILD_TEST(security_manager_78_another_pkg_shared_ro_have_ro_access_to_sh sharedApp2.createPrivateDir(); ScopedInstaller sharedApp2Install(sharedApp2); - runAccessTest(OWNER_UID, OWNER_GID, sharedApp1.getAppId(), [&]() { - accessTest(sharedApp1.getAppId(), sharedApp2.getSharedRODir(), R_OK|X_OK); - accessTest(sharedApp1.getAppId(), sharedApp1.getSharedRODir(), R_OK|W_OK|X_OK); - accessTest(sharedApp1.getAppId(), sharedApp2.getPrivateDir(), 0); - }); - - runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() { - accessTest(sharedApp2.getAppId(), sharedApp1.getSharedRODir(), R_OK|X_OK); - accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK); - accessTest(sharedApp2.getAppId(), sharedApp1.getPrivateDir(), 0); - }); + runAccessTest(sharedApp1, sharedApp2.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|X_OK); + runAccessTest(sharedApp1, sharedApp1.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK); + runAccessTest(sharedApp1, sharedApp2.getPrivateDir(), OWNER_UID, OWNER_GID, 0); + + runAccessTest(sharedApp2, sharedApp1.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|X_OK); + runAccessTest(sharedApp2, sharedApp2.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK); + runAccessTest(sharedApp2, sharedApp1.getPrivateDir(), OWNER_UID, OWNER_GID, 0); } } @@ -184,12 +151,9 @@ RUNNER_CHILD_TEST(security_manager_79a_same_pkg_shared_ro_have_ro_access_to_shar sharedApp2.createSharedRODir(); ScopedInstaller sharedAppInstall2(sharedApp2); - runAccessTest(OWNER_UID, OWNER_GID, sharedApp1.getAppId(), [&]() { - accessTest(sharedApp1.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK); - }); - runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() { - accessTest(sharedApp2.getAppId(), sharedApp1.getSharedRODir(), R_OK|W_OK|X_OK); - }); + + runAccessTest(sharedApp1, sharedApp2.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK); + runAccessTest(sharedApp2, sharedApp1.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK); } } @@ -209,10 +173,9 @@ RUNNER_CHILD_TEST(security_manager_79b_same_pkg_shared_ro_have_ro_access_to_shar AppInstallHelper nonSharedApp("sm_test_79b_shared2", sharedPkgName, OWNER_UID, version); ScopedInstaller nonSharedAppInstall(nonSharedApp); - runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() { - accessTest(nonSharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|W_OK|X_OK); - }); - }; + runAccessTest(nonSharedApp, sharedApp.getSharedRODir(), + OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK); + } } /** @@ -237,23 +200,22 @@ RUNNER_CHILD_TEST(security_manager_80_same_pkg_shared_ro_have_no_access_to_share AppInstallHelper nonSharedApp("sm_test_80_nonshared", sharedPkgName, OWNER_UID, version); ScopedInstaller nonSharedAppInstall(nonSharedApp); - runAccessTest(OWNER_UID, OWNER_GID, sharedApp1.getAppId(), [&]() { - accessTest(sharedApp1.getAppId(), sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK); - }); - runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() { - accessTest(sharedApp2.getAppId(), sharedApp1.getPrivateDir(1), R_OK|W_OK|X_OK); - }); + runAccessTest(sharedApp1, sharedApp2.getPrivateDir(2), + OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK); + runAccessTest(sharedApp2, sharedApp1.getPrivateDir(1), + OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK); + + + runAccessTest(nonSharedApp, sharedApp1.getPrivateDir(1), + OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK); + runAccessTest(nonSharedApp, sharedApp2.getPrivateDir(2), + OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK); - runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() { - accessTest(nonSharedApp.getAppId(), sharedApp1.getPrivateDir(1), R_OK|W_OK|X_OK); - accessTest(nonSharedApp.getAppId(), sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK); - }); sharedAppInstall1.uninstallApp(); - runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() { - accessTest(nonSharedApp.getAppId(), sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK); - }); + runAccessTest(nonSharedApp, sharedApp2.getPrivateDir(2), + OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK); } } @@ -283,22 +245,21 @@ RUNNER_CHILD_TEST(security_manager_81_add_path_to_app_and_check_all) sharedRORequest.setUid(sharedApp2.getUID()); Api::registerPaths(sharedRORequest); - runAccessTest(OWNER_UID, OWNER_GID, sharedApp.getAppId(), [&]() { - accessTest(sharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|W_OK|X_OK); - accessTest(sharedApp.getAppId(), sharedApp.getPrivateDir(), R_OK|W_OK|X_OK); - }); - - runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() { - accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK); - accessTest(sharedApp2.getAppId(), sharedApp.getSharedRODir(), R_OK|X_OK); - accessTest(sharedApp2.getAppId(), sharedApp.getPrivateDir(), 0); - }); - - runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() { - accessTest(nonSharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|X_OK); - accessTest(nonSharedApp.getAppId(), sharedApp2.getSharedRODir(), R_OK|X_OK); - accessTest(nonSharedApp.getAppId(), sharedApp.getPrivateDir(), 0); - }); + + runAccessTest(sharedApp, sharedApp.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK); + runAccessTest(sharedApp, sharedApp.getPrivateDir(), OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK); + + runAccessTest(sharedApp2, sharedApp2.getSharedRODir(), + OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK); + runAccessTest(sharedApp2, sharedApp.getSharedRODir(), + OWNER_UID, OWNER_GID, R_OK|X_OK); + runAccessTest(sharedApp2, sharedApp.getPrivateDir(), OWNER_UID, OWNER_GID, 0); + + runAccessTest(nonSharedApp, sharedApp.getSharedRODir(), + OWNER_UID, OWNER_GID, R_OK|X_OK); + runAccessTest(nonSharedApp, sharedApp2.getSharedRODir(), + OWNER_UID, OWNER_GID, R_OK|X_OK); + runAccessTest(nonSharedApp, sharedApp.getPrivateDir(), OWNER_UID, OWNER_GID, 0); } } @@ -343,15 +304,12 @@ RUNNER_CHILD_TEST(security_manager_83_install_uninstall_shared_ro_app_and_check_ sharedAppInstall1.uninstallApp(); sharedApp1.removePaths(); - runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() { - accessTest(nonSharedApp.getAppId(), sharedApp1.getSharedRODir(), 0); - accessTest(nonSharedApp.getAppId(), sharedApp2.getSharedRODir(), R_OK|X_OK); - }); - runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() { - accessTest(sharedApp2.getAppId(), sharedApp1.getSharedRODir(), 0); - accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK); - }); + runAccessTest(nonSharedApp, sharedApp1.getSharedRODir(), OWNER_UID, OWNER_GID, 0); + runAccessTest(nonSharedApp, sharedApp2.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|X_OK); + + runAccessTest(sharedApp2, sharedApp1.getSharedRODir(), OWNER_UID, OWNER_GID, 0); + runAccessTest(sharedApp2, sharedApp2.getSharedRODir(), OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK); } } @@ -378,12 +336,8 @@ RUNNER_CHILD_TEST(security_manager_84_install_uninstall_shared_ro_two_apps_in_on sharedAppInstall1.uninstallApp(); - runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() { - accessTest(nonSharedApp.getAppId(), sharedApp2.getSharedRODir(2), R_OK|X_OK); - }); - - runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() { - accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(2), R_OK|W_OK|X_OK); - }); + runAccessTest(nonSharedApp, sharedApp2.getSharedRODir(2), OWNER_UID, OWNER_GID, R_OK|X_OK); + runAccessTest(sharedApp2, sharedApp2.getSharedRODir(2), + OWNER_UID, OWNER_GID, R_OK|W_OK|X_OK); } } diff --git a/src/security-manager-tests/test_cases_register_paths.cpp b/src/security-manager-tests/test_cases_register_paths.cpp index d318edfc..df0c8e61 100644 --- a/src/security-manager-tests/test_cases_register_paths.cpp +++ b/src/security-manager-tests/test_cases_register_paths.cpp @@ -198,9 +198,7 @@ RUNNER_CHILD_TEST(security_manager_61_path_req_different_user) app.createPrivateDir(); - pid_t pid = fork(); - RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed"); - if (pid == 0) { // child + runInChildParentWait([&] { RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user1.getUid(), user1.getGid()) == 0, "drop_root_privileges failed"); @@ -210,9 +208,7 @@ RUNNER_CHILD_TEST(security_manager_61_path_req_different_user) preq.addPath(app.getPrivateDir(), SECURITY_MANAGER_PATH_RW); Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED); - } else { - waitPid(pid); - } + }); } static void checkOutsidePath(const std::string& pkgId, uid_t uid, const std::string& path)