From: Krzysztof Jackiewicz Date: Fri, 17 Jan 2025 17:00:17 +0000 (+0100) Subject: Adjust app preparation tests to no-smack mode X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a1fcff72aac5bff06dad6a707fd1de90ba378dbb;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git Adjust app preparation tests to no-smack mode Change-Id: I08a98000e404d2d5f8d95fe507fe53f901c235bf --- diff --git a/src/common/label_generator.cpp b/src/common/label_generator.cpp index dbd00b54..adf1eddb 100644 --- a/src/common/label_generator.cpp +++ b/src/common/label_generator.cpp @@ -14,11 +14,17 @@ * limitations under the License. */ +#include #include +constexpr inline char NO_SMACK_LABEL[] = "User::Pkg::default_app_no_Smack_mode"; + // Common implementation details std::string generateProcessLabel(const std::string &appId, const std::string &pkgId, bool isHybrid) { + if (!smack_check()) + return NO_SMACK_LABEL; + std::string label = "User::Pkg::" + pkgId; if (isHybrid) { label += "::App::" + appId; @@ -28,25 +34,40 @@ std::string generateProcessLabel(const std::string &appId, const std::string &pk std::string generatePathRWLabel(const std::string &pkgId) { + if (!smack_check()) + return NO_SMACK_LABEL; + return "User::Pkg::" + pkgId; } std::string generatePathROLabel(const std::string &pkgId) { + if (!smack_check()) + return NO_SMACK_LABEL; + return generatePathRWLabel(pkgId) + "::RO"; } std::string generatePathTrustedLabel(int64_t authorId) { + if (!smack_check()) + return NO_SMACK_LABEL; + return "User::Author::" + std::to_string(authorId); } std::string getPublicPathLabel() { + if (!smack_check()) + return NO_SMACK_LABEL; + return "User::Home"; } std::string getSharedROPathLabel() { + if (!smack_check()) + return NO_SMACK_LABEL; + return "User::App::Shared"; } diff --git a/src/security-manager-tests/test_cases_prepare_app.cpp b/src/security-manager-tests/test_cases_prepare_app.cpp index 95405c5c..2fc6be7b 100644 --- a/src/security-manager-tests/test_cases_prepare_app.cpp +++ b/src/security-manager-tests/test_cases_prepare_app.cpp @@ -19,6 +19,9 @@ #include #include #include +#include +#include + #include #include @@ -28,6 +31,7 @@ #include #include #include +#include #include #include @@ -72,7 +76,52 @@ std::mutex error_mutex; } \ } while (0) -void threadFn(int i, const std::string &expectedLabel) +#ifdef SMACK_ENABLED + typedef std::string ProcessId; + + ProcessId GetProcessIdFromSelf() { + char* label; + THREAD_ASSERT_MSG(smack_new_label_from_self(&label) > 0, "smack_new_label_from_self failed"); + CStringPtr labelPtr(label); + ProcessId ret = label; + return ret; + } +#else + struct ProcessId { + bool uidGE10000; + bool gidGE20000; + + bool operator==(const ProcessId& other) const noexcept { + return other.uidGE10000 == uidGE10000 && other.gidGE20000 == gidGE20000; + } + }; + + ProcessId GetProcessIdFromSelf() { + static constexpr uid_t MIN_PROCESS_UID = 10000; + static constexpr gid_t MIN_AUTHOR_GID = 20000; + + // get current process groups + int ret = getgroups(0, nullptr); + RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups"); + + std::vector actualGids(ret); + ret = getgroups(ret, actualGids.data()); + RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups"); + + auto agidCnt = std::count_if(actualGids.begin(), actualGids.end(), [](gid_t gid) { + return gid >= MIN_AUTHOR_GID; + }); + + return ProcessId{ getuid() >= MIN_PROCESS_UID, agidCnt == 1 }; + } + + std::ostream& operator<<(std::ostream& os, const ProcessId& id) { + os << id.uidGE10000 << "|" << id.gidGE20000; + return os; + } +#endif + +void threadFn(int i, const ProcessId &expected) { if (i % 2 == 0) { // block all signals @@ -84,12 +133,8 @@ void threadFn(int i, const std::string &expectedLabel) while (!finish) usleep(1000); - char* label; - THREAD_ASSERT_MSG(smack_new_label_from_self(&label) > 0, "smack_new_label_from_self failed"); - CStringPtr labelPtr(label); - - THREAD_ASSERT_MSG(expectedLabel.compare(label) == 0, - "Thread " << i << " has a wrong label: " << label); + auto id = GetProcessIdFromSelf(); + THREAD_ASSERT_MSG(id == expected, "Thread " << i << " has a wrong id: " << id); CapPtr expectedCaps(cap_init(), cap_free); THREAD_ASSERT_MSG(expectedCaps, "cap_init() failed"); @@ -103,7 +148,6 @@ void threadFn(int i, const std::string &expectedLabel) struct ThreadWrapper { - ThreadWrapper() { } @@ -113,10 +157,10 @@ struct ThreadWrapper thread.join(); } - void run(int i, const std::string &expectedLabel) + void run(int i, const ProcessId &expected) { THREAD_ASSERT_MSG(!thread.joinable(), "Thread already started"); - thread = std::thread(threadFn, i, expectedLabel); + thread = std::thread(threadFn, i, expected); } std::thread thread; @@ -174,8 +218,13 @@ RUNNER_CHILD_TEST(security_manager_100_synchronize_credentials_test) tmpUser.create(); AppInstallHelper app("app100", tmpUser.getUid()); + app.setAuthor("author"); ScopedInstaller appInstall(app); - const std::string expectedLabel = app.generateAppLabel(); +#ifdef SMACK_ENABLED + const ProcessId expected = app.generateAppLabel(); +#else + const ProcessId expected{true, true}; +#endif pid_t pid = fork(); RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); @@ -186,7 +235,41 @@ RUNNER_CHILD_TEST(security_manager_100_synchronize_credentials_test) ThreadWrapper threads[THREADS]; for (size_t i = 0; i < THREADS; i++) - threads[i].run(i, expectedLabel); + threads[i].run(i, expected); + + Api::prepareApp(app.getAppId()); + } + RUNNER_ASSERT_MSG(thread_errors.empty(), std::endl << thread_errors); + exit(0); + } else { + waitPid(pid); + Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid); + } +} + +RUNNER_CHILD_TEST(security_manager_100_synchronize_credentials_no_author_test) +{ + TemporaryTestUser tmpUser(APP_TEST_USER, GUM_USERTYPE_NORMAL, false); + tmpUser.create(); + + AppInstallHelper app("app100", tmpUser.getUid()); + ScopedInstaller appInstall(app); +#ifdef SMACK_ENABLED + const ProcessId expected = app.generateAppLabel(); +#else + const ProcessId expected{true, false}; +#endif + + pid_t pid = fork(); + RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); + if (pid == 0) { + { + RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed"); + Api::prepareAppCandidate(); + ThreadWrapper threads[THREADS]; + + for (size_t i = 0; i < THREADS; i++) + threads[i].run(i, expected); Api::prepareApp(app.getAppId()); } @@ -204,8 +287,13 @@ RUNNER_CHILD_TEST(security_manager_101_create_namespace_test_n) tmpUser.create(); AppInstallHelper app("app100_n", tmpUser.getUid()); + app.setAuthor("author"); ScopedInstaller appInstall(app); - const std::string expectedLabel = app.generateAppLabel(); +#ifdef SMACK_ENABLED + const ProcessId expected = app.generateAppLabel(); +#else + const ProcessId expected{true, true}; +#endif pid_t pid = fork(); RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); @@ -215,7 +303,7 @@ RUNNER_CHILD_TEST(security_manager_101_create_namespace_test_n) ThreadWrapper threads[THREADS]; for (size_t i = 0; i < THREADS; i++) - threads[i].run(i, expectedLabel); + threads[i].run(i, expected); Api::prepareAppCandidate(SECURITY_MANAGER_ERROR_INPUT_PARAM); } @@ -226,7 +314,7 @@ RUNNER_CHILD_TEST(security_manager_101_create_namespace_test_n) } } -RUNNER_CHILD_TEST(security_manager_101_create_namespace_test) +RUNNER_CHILD_TEST(security_manager_101_create_namespace_test_p) { TemporaryTestUser tmpUser(APP_TEST_USER, GUM_USERTYPE_NORMAL, false); tmpUser.create(); @@ -267,6 +355,7 @@ RUNNER_CHILD_TEST(security_manager_101_create_namespace_test) RUNNER_ASSERT_ERRNO_MSG(appBindInode == appProcInode, "bind namespace failed"); synchPipe.post(); + waitPid(pid); Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid); }