From: Zofia Abramowska Date: Tue, 29 Apr 2025 16:01:03 +0000 (+0200) Subject: security-manager: Use ScopedAppLauncher for app processes X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=f42ff5de19a53d70fb0d072b4bd568d61a516fee;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git security-manager: Use ScopedAppLauncher for app processes Change-Id: I7be4f77ac5e774dcbdce445c24d4b2dc38efa5e1 --- diff --git a/src/common/sm_commons.cpp b/src/common/sm_commons.cpp index 9a58320e..cf298f95 100644 --- a/src/common/sm_commons.cpp +++ b/src/common/sm_commons.cpp @@ -202,16 +202,7 @@ void runAccessTest(const std::string &label, uid_t uid, gid_t gid, } void runAccessTest(const AppInstallHelper &app, const std::string &testPath, int accessType) { - auto fun = [&](){ - RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(app.getUID(), app.getGID()) == 0, - "launcher failed"); - Api::prepareAppCandidate(); - Api::prepareApp(app.getAppId()); - accessTest(app.getAppId(), testPath, accessType); - }; - - auto pid = runInChildParentWait(fun); - Api::cleanupApp(app.getAppId(), app.getUID(), pid); + ScopedAppLauncher(app, [&] { accessTest(app.getAppId(), testPath, accessType);}); } void runAccessTest(const AppInstallHelper &app, const TestUser &user, 
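Review bot: The new body of `runAccessTest(app, testPath, accessType)` is a discarded temporary, `ScopedAppLauncher(app, [&] { ... });`, so launching, waiting and cleanup presumably all happen inside one expression, and nothing on the line says so. The removed code asserted `setLauncherSecurityAttributes(...) == 0` with "launcher failed" before calling `accessTest`. ScopedAppLauncher is not part of this diff, so please confirm it fails the test the same way when the uid/gid switch does not succeed; otherwise the access check could run with the parent's credentials. I would add a comment such as `// Temporary on purpose: the app process is launched, runs the check, and is reaped and cleaned up when this statement ends.` The same idiom recurs in most later hunks of this commit.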
@@ -219,20 +210,6 @@ void runAccessTest(const AppInstallHelper &app, const TestUser &user, ScopedAppLauncher(app, user, [&] { accessTest(app.getAppId(), testPath, accessType);}); } -void runAccessTest(const AppInstallHelper &app, const std::string &testPath, - uid_t uid, gid_t gid, int accessType) { - auto fun = [&](){ - RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(uid, gid) == 0, - "launcher failed"); - Api::prepareAppCandidate(); - Api::prepareApp(app.getAppId()); - accessTest(app.getAppId(), testPath, accessType); - }; - - auto pid = runInChildParentWait(fun); - Api::cleanupApp(app.getAppId(), uid, pid); -} - void runSystemAccessTest(uid_t uid, gid_t gid, const std::string &testPath, int accessType) { for (const auto &label : SM_SYSTEM_LABELS) runAccessTest(label, uid, gid, testPath, accessType); diff --git a/src/common/sm_commons.h b/src/common/sm_commons.h index 8c9a97d7..d22bc2cd 100644 --- a/src/common/sm_commons.h +++ b/src/common/sm_commons.h @@ -42,8 +42,6 @@ void accessTest(const std::string &id, const std::string &testPath, int accessTy void runAccessTest(const std::string &label, uid_t uid, gid_t gid, const std::string &testPath, int accessType); void runAccessTest(const AppInstallHelper &app, const std::string &testPath, int accessType); -void runAccessTest(const AppInstallHelper &app, const std::string &testPath, - uid_t uid, gid_t gid, int accessType); void runAccessTest(const AppInstallHelper &app, const TestUser &user, const std::string &testPath, int accessType); void runSystemAccessTest(uid_t uid, gid_t gid, const std::string &testPath, int accessType); diff --git a/src/security-manager-tests/run-security-manager-no-smack-tests.sh b/src/security-manager-tests/run-security-manager-no-smack-tests.sh index 39a1b3c4..fa54dac0 100755 --- a/src/security-manager-tests/run-security-manager-no-smack-tests.sh +++ b/src/security-manager-tests/run-security-manager-no-smack-tests.sh 
@@ -216,6 +216,16 @@ required=( security_manager_37b_pkg_double_share_owner_uninstall security_manager_38a_share_one_with_two_uninstall_target security_manager_38b_share_one_with_two_uninstall_owner + security_manager_27_fetch_app_manifest_app_context_local_positive + security_manager_28_fetch_app_manifest_app_context_global_positive + security_manager_30_fetch_app_manifest_app_context_local_different_label + security_manager_31_fetch_app_manifest_app_context_local_different_label_with_privilege + security_manager_ap2_app_policy_fetch_for_self_different_user + security_manager_ap3_app_policy_fetch_for_self_different_user_global + security_manager_ap3_app_policy_fetch_for_self_different_app + security_manager_14_privacy_manager_fetch_and_update_policy_for_admin + security_manager_15_privacy_manager_send_policy_update_for_admin + security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard ) function run_tests_and_exit { diff --git a/src/security-manager-tests/test_cases.cpp b/src/security-manager-tests/test_cases.cpp index 384c7a3c..b36ceb3d 100644 --- a/src/security-manager-tests/test_cases.cpp +++ b/src/security-manager-tests/test_cases.cpp @@ -14,6 +14,7 @@ * limitations under the License. */ +#include #include #include #include @@ -793,16 +794,9 @@ RUNNER_CHILD_TEST(security_manager_12a_internet_access_positive) app.addPrivilege(PRIV_INTERNET); ScopedInstaller appInstall(app); - pid_t pid = runInChildParentWait([&] { - // child - the actual application - RUNNER_ASSERT_MSG(setLauncherSecurityAttributes(testUser) == 0, "launcher failed"); - Api::prepareAppCandidate(); - Api::prepareApp(app.getAppId()); - + ScopedAppLauncher(app, testUser, [&] { RUNNER_ASSERT_MSG(ping() == 0, "No internet access while the privilege is present"); }); - - Api::cleanupApp(app.getAppId(), testUser.getUid(), pid); } RUNNER_CHILD_TEST(security_manager_12b_internet_access_negative) 
@@ -812,16 +806,9 @@ RUNNER_CHILD_TEST(security_manager_12b_internet_access_negative) AppInstallHelperExt app("sm_test_12b", "sm_test_12b", testUser.getUid()); ScopedInstaller appInstall(app); - pid_t pid = runInChildParentWait([&] { - // child - the actual application - RUNNER_ASSERT_MSG(setLauncherSecurityAttributes(testUser) == 0, "launcher failed"); - Api::prepareAppCandidate(); - Api::prepareApp(app.getAppId()); - + ScopedAppLauncher(app, testUser, [&] { RUNNER_ASSERT_MSG(ping() != 0, "Internet access detected despite no privilege"); }); - - Api::cleanupApp(app.getAppId(), testUser.getUid(), pid); } RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_POLICY) @@ -875,11 +862,7 @@ RUNNER_CHILD_TEST(security_manager_21_security_manager_admin_deny_user_priv) ScopedInstaller normalAppInstall(normalApp); normalApp.checkAfterInstall(); - runInChildParentWait([&] { - Api::setAppProcessIdentity(adminApp.getAppId()); - RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(),adminUser.getGid()) == 0, - "drop_root_privileges failed"); - + ScopedAppLauncher(adminApp, adminUser, [&] { PolicyRequest addPolicyReq; for (auto &deniedPriv : deniedPrivsAfterChange) { PolicyEntry entry(SECURITY_MANAGER_ANY, normalUser.getUidString(), deniedPriv); 
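Review bot: Nothing in the `security_manager_21_security_manager_admin_deny_user_priv` hunk says which process setup the lambda now runs under. The removed lines used `Api::setAppProcessIdentity` plus `drop_root_privileges`, whereas the 12a/12b tests converted in the neighbouring hunks used `setLauncherSecurityAttributes`, `Api::prepareAppCandidate` and `Api::prepareApp`. Both groups now call the same `ScopedAppLauncher(app, user, fn)` form, so one of them has changed its setup, and the commit description does not mention it. If the launcher performs the full prepare-app path, a comment like `// runs as adminApp after the full launcher + prepareApp sequence` would record that; the same applies to the app_policy and privacy_manager hunks. The test body continues past the end of this hunk.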
@@ -1210,21 +1193,15 @@ RUNNER_CHILD_TEST(security_manager_26_1a_security_manager_get_app_owner_uid) AppInstallHelperExt app("sm_test_26_1a", "sm_test_26_1a", testUser.getUid()); ScopedInstaller appInstall(app); - pid_t pid = runInChildParentWait([&] { - RUNNER_ASSERT_MSG(setLauncherSecurityAttributes(testUser) == 0, "launcher failed"); - auto expected = getuid(); - Api::prepareAppCandidate(); - Api::prepareApp(app.getAppId()); + ScopedAppLauncher(app, testUser, [&] { uid_t owner_uid = 0; RUNNER_ASSERT_MSG( security_manager_get_app_owner_uid(getpid(), &owner_uid) == SECURITY_MANAGER_SUCCESS, "Invalid return from security_manager_get_app_owner_uid()"); - RUNNER_ASSERT_MSG(owner_uid == expected, "Invalid uid returned - expected: " - << expected << " returned: " << owner_uid); + RUNNER_ASSERT_MSG(owner_uid == testUser.getUid(), "Invalid uid returned - expected: " + << testUser.getUid() << " returned: " << owner_uid); }); - - Api::cleanupApp(app.getAppId(), testUser.getUid(), pid); } RUNNER_CHILD_TEST(security_manager_26_1b_security_manager_get_app_owner_uid) @@ -1327,19 +1304,13 @@ RUNNER_CHILD_TEST(security_manager_26_3_security_manager_is_app_from_pid) app.checkAfterUninstall(); } - RUNNER_CHILD_TEST(security_manager_26_4a_security_manager_get_app_full_credentials_from_pid) { TestUser testUser = TestUser::createTemporary("sm_test_26_4a_user_name", GUM_USERTYPE_NORMAL); AppInstallHelperExt app("sm_test_26_4a", "sm_test_26_4a", testUser.getUid()); ScopedInstaller appInstall(app); - auto pid = runInChildParentWait([&]{ - // child - the actual application - RUNNER_ASSERT_MSG(setLauncherSecurityAttributes(testUser) == 0, "launcher failed"); - auto expected = getuid(); - Api::prepareAppCandidate(); - Api::prepareApp(app.getAppId()); + ScopedAppLauncher(app, testUser, [&]{ uid_t owner_uid = 0; char* pkgId = nullptr; char* appId = nullptr; 
@@ -1347,16 +1318,24 @@ RUNNER_CHILD_TEST(security_manager_26_4a_security_manager_get_app_full_credentia security_manager_get_app_full_credentials_from_pid(getpid(), &owner_uid, &pkgId, &appId) == SECURITY_MANAGER_SUCCESS, "Invalid return from ecurity_manager_get_app_full_credentials_from_pid()"); - RUNNER_ASSERT_MSG(owner_uid == expected, "Invalid uid returned - expected: " - << expected << " returned: " << owner_uid); + CStringPtr pkgPtr(pkgId); + CStringPtr appPtr(appId); + + RUNNER_ASSERT_MSG(owner_uid == testUser.getUid(), "Invalid uid returned - expected: " + << testUser.getUid() << " returned: " << owner_uid); - RUNNER_ASSERT_MSG(app.getPkgId() == pkgId, "Invalid pkgId returned from security_manager_get_app_full_credentials_from_pid"); - RUNNER_ASSERT_MSG(appId == nullptr, "Invalid appId returned from security_manager_get_app_full_credentials_from_pid"); // non-hybrid app + RUNNER_ASSERT_MSG( + pkgId != nullptr && app.getPkgId() == pkgId, + "Invalid pkgId returned from security_manager_get_app_full_credentials_from_pid" + ); + // non-hybrid app + RUNNER_ASSERT_MSG( + appId == nullptr, + "Invalid appId returned from security_manager_get_app_full_credentials_from_pid" + ); }); - Api::cleanupApp(app.getAppId(), testUser.getUid(), pid); } - RUNNER_CHILD_TEST(security_manager_26_4b_security_manager_get_app_full_credentials_from_pid) { TestUser testUser = TestUser::createTemporary("sm_test_26_4b_user_name", GUM_USERTYPE_NORMAL); 
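Review bot: The failure message on the context line above the new `CStringPtr` lines still reads `"Invalid return from ecurity_manager_get_app_full_credentials_from_pid()"`, missing the leading `s`. Since the assertions around it are being reworked anyway, it could be corrected to `security_manager_get_app_full_credentials_from_pid()` here and in the matching 26_4b hunk. The call that carries the message starts on a line before the hunk.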
@@ -1364,12 +1343,7 @@ RUNNER_CHILD_TEST(security_manager_26_4b_security_manager_get_app_full_credentia AppInstallHelperExt app("sm_test_26_4b", "sm_test_26_4b", testUser.getUid()); app.setHybrid(); ScopedInstaller appInstall(app); - auto pid = runInChildParentWait([&]{ - // child - the actual application - RUNNER_ASSERT_MSG(setLauncherSecurityAttributes(testUser) == 0, "launcher failed"); - auto expected = getuid(); - Api::prepareAppCandidate(); - Api::prepareApp(app.getAppId()); + ScopedAppLauncher(app, testUser, [&]{ uid_t owner_uid = 0; char* pkgId = nullptr; char* appId = nullptr; @@ -1377,11 +1351,20 @@ RUNNER_CHILD_TEST(security_manager_26_4b_security_manager_get_app_full_credentia security_manager_get_app_full_credentials_from_pid(getpid(), &owner_uid, &pkgId, &appId) == SECURITY_MANAGER_SUCCESS, "Invalid return from ecurity_manager_get_app_full_credentials_from_pid()"); - RUNNER_ASSERT_MSG(owner_uid == expected, "Invalid uid returned - expected: " - << expected << " returned: " << owner_uid); + CStringPtr pkgPtr(pkgId); + CStringPtr appPtr(appId); + + RUNNER_ASSERT_MSG(owner_uid == testUser.getUid(), "Invalid uid returned - expected: " + << testUser.getUid() << " returned: " << owner_uid); - RUNNER_ASSERT_MSG(app.getPkgId() == pkgId, "Invalid pkgId returned from security_manager_get_app_full_credentials_from_pid"); - RUNNER_ASSERT_MSG(app.getAppId() == appId, "Invalid appId returned from security_manager_get_app_full_credentials_from_pid"); // hybrid app + RUNNER_ASSERT_MSG( + pkgId != nullptr && app.getPkgId() == pkgId, + "Invalid pkgId returned from security_manager_get_app_full_credentials_from_pid" + ); + // hybrid app + RUNNER_ASSERT_MSG( + appId != nullptr && app.getAppId() == appId, + "Invalid appId returned from security_manager_get_app_full_credentials_from_pid" + ); }); - Api::cleanupApp(app.getAppId(), testUser.getUid(), pid); } 
diff --git a/src/security-manager-tests/test_cases_app_policy.cpp b/src/security-manager-tests/test_cases_app_policy.cpp index b4e963a9..7c1eab47 100644 --- a/src/security-manager-tests/test_cases_app_policy.cpp +++ b/src/security-manager-tests/test_cases_app_policy.cpp @@ -14,6 +14,7 @@ * limitations under the License. */ +#include #include #include @@ -56,12 +57,7 @@ RUNNER_CHILD_TEST(security_manager_ap1_app_policy_fetch_for_self) { PkgPrivacyPrivileges setupPrivacyPrivs(app); ScopedInstaller appInstall(app); - runInChildParentWait([&] { - Api::setAppProcessIdentity(app.getAppId()); - RUNNER_ASSERT_ERRNO_MSG( - drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0, - "drop_root_privileges failed"); - + ScopedAppLauncher(app, tmpUser, [&] { std::string uidStr = tmpUser.getUidString(); for (const auto &appPrivilege : app.getPrivileges()) { PolicyEntry filter(app.getAppId(), uidStr, appPrivilege); @@ -106,12 +102,7 @@ RUNNER_CHILD_TEST(security_manager_ap2_app_policy_fetch_for_self_different_user) PkgPrivacyPrivileges setupPrivacyPrivs(app); ScopedInstaller appInstall(app); - runInChildParentWait([&] { //child process - Api::setAppProcessIdentity(app.getAppId()); - RUNNER_ASSERT_ERRNO_MSG( - drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0, - "drop_root_privileges failed"); - + ScopedAppLauncher(app, tmpUser, [&] { //child process std::string wrongUidStr = tmpUser2.getUidString(); for (const auto &appPrivilege : app.getPrivileges()) { PolicyEntry filter(app.getAppId(), wrongUidStr, appPrivilege); 
@@ -136,12 +127,7 @@ RUNNER_CHILD_TEST(security_manager_ap3_app_policy_fetch_for_self_different_user_ PkgPrivacyPrivileges setupPrivacyPrivs(app); ScopedInstaller appInstall(app); - runInChildParentWait([&] { - Api::setAppProcessIdentity(app.getAppId()); - RUNNER_ASSERT_ERRNO_MSG( - drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0, - "drop_root_privileges failed"); - + ScopedAppLauncher(app, tmpUser, [&] { std::string wrongUidStr = tmpUser2.getUidString(); for (const auto &appPrivilege : app.getPrivileges()) { PolicyEntry filter(app.getAppId(), wrongUidStr, appPrivilege); @@ -170,12 +156,7 @@ RUNNER_CHILD_TEST(security_manager_ap3_app_policy_fetch_for_self_different_app) ScopedInstaller appInstall2(app2); - runInChildParentWait([&] { - Api::setAppProcessIdentity(app1.getAppId()); - RUNNER_ASSERT_ERRNO_MSG( - drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0, - "drop_root_privileges failed"); - + ScopedAppLauncher(app1, tmpUser, [&] { std::string uidStr = tmpUser.getUidString(); for (const auto &appPrivilege : app1.getPrivileges()) { PolicyEntry filter(app2.getAppId(), uidStr, appPrivilege); diff --git a/src/security-manager-tests/test_cases_prepare_app.cpp b/src/security-manager-tests/test_cases_prepare_app.cpp index 174e2d7d..f6be6ae8 100644 --- a/src/security-manager-tests/test_cases_prepare_app.cpp +++ b/src/security-manager-tests/test_cases_prepare_app.cpp @@ -14,6 +14,7 @@ * limitations under the License. */ +#include #include #include #include 
@@ -460,22 +461,7 @@ RUNNER_CHILD_TEST(security_manager_104_policy_change_kill_app_test) app.addPrivileges({PRIV_EXTERNALSTORAGE, PRIV_MEDIASTORAGE}); ScopedInstaller appInstall(app); - SynchronizationPipe synchPipe; - pid_t pid = runInChild([&] { - synchPipe.claimChildEp(); - try { - RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed"); - Api::prepareAppCandidate(); - Api::prepareApp(app.getAppId()); - } catch (...) { - synchPipe.post(); - throw; - } - synchPipe.post(); - }); - - synchPipe.claimParentEp(); - synchPipe.wait(); + ScopedAppLauncher launcher = ScopedAppLauncher(app, tmpUser); PolicyRequest policyRequest; PolicyEntry policyEntry(app.getAppId(), tmpUser.getUidString(), PRIV_EXTERNALSTORAGE); @@ -483,8 +469,6 @@ RUNNER_CHILD_TEST(security_manager_104_policy_change_kill_app_test) policyRequest.addEntry(policyEntry); Api::sendPolicy(policyRequest); - waitPid(pid); - Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid); } namespace { @@ -790,13 +774,7 @@ RUNNER_CHILD_TEST(security_manager_400_prepare_app_series_with_concurrent_instal std::time_t begin = std::time(nullptr); while(1) { - pid_t pid2 = runInChildParentWait([&] { - RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed"); - Api::prepareAppCandidate(); - Api::prepareApp(app.getAppId()); - }); - - Api::cleanupApp(app.getAppId(), tmpUser.getUid(), pid2); + ScopedAppLauncher(app, tmpUser); std::time_t now = std::time(nullptr); if (now - begin >= 30) // wait 30 sec diff --git a/src/security-manager-tests/test_cases_privacy_manager.cpp b/src/security-manager-tests/test_cases_privacy_manager.cpp index 5dad875c..16d97327 100644 --- a/src/security-manager-tests/test_cases_privacy_manager.cpp +++ b/src/security-manager-tests/test_cases_privacy_manager.cpp @@ -14,6 +14,7 @@ * limitations under the License. */ +#include #include #include #include @@ -30,6 +31,7 @@ #include #include #include +#include #include #include #include 
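Review bot: In `security_manager_104_policy_change_kill_app_test` the removed `synchPipe` handshake ensured the child had finished `Api::prepareApp` before `Api::sendPolicy` ran, and `waitPid(pid)` reaped it afterwards; the new `ScopedAppLauncher launcher = ScopedAppLauncher(app, tmpUser);` shows neither guarantee. If the two-argument constructor can return before the app is fully prepared, the policy change may race the launch and the test would no longer exercise the kill path. That constructor is not shown in this diff, so this needs confirming. I would write the declaration as `ScopedAppLauncher launcher(app, tmpUser);` and add `// app must be fully prepared here; it is expected to be terminated by the policy change and reaped when launcher is destroyed`.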
@@ -95,7 +97,6 @@ RUNNER_CHILD_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_sel } AppInstallHelper privManager("sm_test_10_privilege_manager", tmpUser.getUid()); - std::string privManagerAppId = privManager.getAppId(); privManager.addPrivilege(SELF_PRIVILEGE); expectedPolicyCount += privManager.getPrivileges().size(); appIdToAIH.emplace(privManager.getAppId(), std::move(privManager)); @@ -105,11 +106,7 @@ RUNNER_CHILD_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_sel scopedInstallations.emplace_back(ScopedInstaller(appIdAIH.second)); } - runInChildParentWait([&] { - Api::setAppProcessIdentity(privManagerAppId); - RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0, - "drop_root_privileges failed"); - + ScopedAppLauncher launcher(privManager, [&] { std::vector policyEntries; Api::getPolicy(PolicyEntry(), policyEntries); @@ -166,7 +163,6 @@ RUNNER_CHILD_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_adm TestUser &normalUserToSwitch = usernameToTTU.at(normalNameToSwitch); AppInstallHelper privManager("sm_test_11_priv_manager", normalUserToSwitch.getUid()); - std::string privManagerAppId = privManager.getAppId(); privManager.addPrivilege(SELF_PRIVILEGE); expectedPolicyCount += privManager.getPrivileges().size(); userAppIdToAIH.emplace(std::make_pair(normalUserToSwitch.getUid(), privManager.getAppId()), @@ -177,12 +173,7 @@ RUNNER_CHILD_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_adm scopedInstallations.emplace_back(ScopedInstaller(userAppIdAIH.second)); } - runInChildParentWait([&] { - Api::setAppProcessIdentity(privManagerAppId); - RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(normalUserToSwitch.getUid(), - normalUserToSwitch.getGid()) == 0, - "drop_root_privileges failed"); - + ScopedAppLauncher(privManager, normalUserToSwitch, [&] { std::vector policyEntries; Api::getPolicy(PolicyEntry(), policyEntries); 
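Review bot: `privManager` is used after it has been moved from in `security_manager_10_privacy_manager_fetch_whole_policy_for_sel…`: the context line `appIdToAIH.emplace(privManager.getAppId(), std::move(privManager));` runs before the new `ScopedAppLauncher launcher(privManager, [&] {`. The removed `privManagerAppId` copy presumably existed to avoid exactly that. Depending on AppInstallHelper's move constructor, the launcher may see an empty app id and start the child under the wrong identity. Keeping the id and passing the stored object, `ScopedAppLauncher launcher(appIdToAIH.at(privManagerAppId), [&] {`, avoids it, in the same way test 13 in this commit looks up `uidToPM.at(...)`. The test 11 and 12 hunks drop `privManagerAppId` as well, and their `emplace` arguments are cut off or outside the hunks, so they need the same check.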
@@ -247,7 +238,6 @@ RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_adm TestUser &adminUserToSwitch = usernameToTTU.at(adminNameToSwitch); AppInstallHelper privManager("sm_test_12_priv_manager", adminUserToSwitch.getUid()); - std::string privManagerAppId = privManager.getAppId(); privManager.addPrivilege(SELF_PRIVILEGE); privManager.addPrivilege(ADMIN_PRIVILEGE); expectedPolicyCount += privManager.getPrivileges().size(); @@ -260,12 +250,7 @@ RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_adm scopedInstallations.emplace_back(ScopedInstaller(userAppIdAIH.second)); } - runInChildParentWait([&] { - Api::setAppProcessIdentity(privManagerAppId); - RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUserToSwitch.getUid(), - adminUserToSwitch.getGid()) == 0, - "drop_root_privileges failed"); - + ScopedAppLauncher(privManager, adminUserToSwitch, [&] { std::vector policyEntries; Api::getPolicy(PolicyEntry(), policyEntries); RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); @@ -309,8 +294,7 @@ RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_ std::map usernameToTTU; std::map> uidToAIHs; - unsigned expectedPolicyCount = 0; - std::string privManagerAppId; + std::map uidToPM; for (unsigned int u_i = 0; u_i < userInfos.size(); u_i++) { //Only entries for one of the users will be listed 
@@ -321,14 +305,11 @@ RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_ AppInstallHelper app("sm_test_13_" + std::to_string(p_i), user.getUid()); // Shift privileges, so same app_id for different user doesn't have same privileges app.addPrivileges(TEST_PRIVILEGES.at((p_i + u_i) % TEST_PRIVILEGES.size())); - expectedPolicyCount += app.getPrivileges().size(); uidToAIHs[user.getUid()].emplace_back(std::move(app)); }; AppInstallHelper privManager("sm_test_13_priv_manager", user.getUid()); - privManagerAppId = privManager.getAppId(); privManager.addPrivilege(SELF_PRIVILEGE); - expectedPolicyCount += privManager.getPrivileges().size(); - uidToAIHs[user.getUid()].emplace_back(std::move(privManager)); + uidToPM.emplace(user.getUid(), std::move(privManager)); usernameToTTU.emplace(user.getUserName(), std::move(user)); }; @@ -338,16 +319,16 @@ RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_ for (const auto &aih : userAIHs.second) scopedInstallations.emplace_back(ScopedInstaller(aih)); } + for (const auto &[uid, pm]: uidToPM) { + scopedInstallations.emplace_back(ScopedInstaller(pm)); + } - TestUser &adminUser = usernameToTTU.at(adminName); TestUser &normalUser = usernameToTTU.at(normalName); + auto &privManager = uidToPM.at(normalUser.getUid()); - runInChildParentWait([&] { - Api::setAppProcessIdentity(privManagerAppId); - RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(normalUser.getUid(), normalUser.getGid()) == 0, - "drop_root_privileges failed"); + ScopedAppLauncher(privManager, normalUser, [&] { auto &app1 = uidToAIHs[normalUser.getUid()][0]; - auto &app2 = uidToAIHs[normalUser.getUid()][0]; + auto &app2 = uidToAIHs[normalUser.getUid()][1]; PolicyRequest policyRequest; PolicyEntry policyEntry( app1.getAppId(), 
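Review bot: `uidToAIHs[normalUser.getUid()][0]` and `[1]` in the first lambda use unchecked `operator[]` on both the map and the vector, so a missing uid silently inserts an empty vector and the index then goes out of bounds instead of failing the test. The surrounding new lines already use `uidToPM.at(normalUser.getUid())`. The same form here, `auto &apps = uidToAIHs.at(normalUser.getUid());` followed by `apps.at(0)` and `apps.at(1)`, keeps the lookups consistent and fails loudly. The number of apps created per user is set outside the hunk, so it cannot be confirmed from here that index 1 always exists.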
@@ -366,12 +347,11 @@ RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_ policyRequest.addEntry(policyEntry); Api::sendPolicy(policyRequest); }); - runInChildParentWait([&] { - Api::setAppProcessIdentity(privManagerAppId); - // Admin user, but in context of app, which doesn't have usermanagement privilege - RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0, - "drop_root_privileges failed"); + TestUser &adminUser = usernameToTTU.at(adminName); + auto &adminPrivManager = uidToPM.at(adminUser.getUid()); + + ScopedAppLauncher(adminPrivManager, adminUser, [&] { PolicyEntry filter = PolicyEntry( SECURITY_MANAGER_ANY, normalUser.getUidString(), @@ -408,12 +388,7 @@ RUNNER_CHILD_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_fo ScopedInstaller privManagerInstall(privManager); - runInChildParentWait([&] { - Api::setAppProcessIdentity(privManager.getAppId()); - RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUserToSwitch.getUid(), - adminUserToSwitch.getGid()) == 0, - "drop_root_privileges failed"); - + ScopedAppLauncher(privManager, adminUserToSwitch, [&] { PolicyRequest setPolicyRequest; std::vector policyEntries; @@ -462,12 +437,7 @@ RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_adm privManager.addPrivilege(ADMIN_PRIVILEGE); ScopedInstaller privManagerInstall(privManager); - runInChildParentWait([&] { - Api::setAppProcessIdentity(privManager.getAppId()); - - RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0, - "drop_root_privileges failed"); - + ScopedAppLauncher(privManager, adminUser, [&] { PolicyEntry entry(updatedApp.getAppId(), adminUser.getUidString(), updatePriv); entry.setMaxLevel(PolicyEntry::LEVEL_ALLOW); PolicyRequest addPolicyRequest; 
@@ -495,11 +465,7 @@ RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_adm privManager.addPrivilege(ADMIN_PRIVILEGE); ScopedInstaller privManagerInstall(privManager); - runInChildParentWait([&] { - Api::setAppProcessIdentity(privManager.getAppId()); - RUNNER_ASSERT_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0, - "drop_root_privileges failed"); - + ScopedAppLauncher(privManager, adminUser, [&] { PolicyEntry entry(SECURITY_MANAGER_ANY, adminUser.getUidString(), updatePriv); entry.setMaxLevel(PolicyEntry::LEVEL_ALLOW); @@ -528,11 +494,7 @@ RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_sel privManager.addPrivilege(SELF_PRIVILEGE); ScopedInstaller privManagerInstall(privManager); - runInChildParentWait([&] { - Api::setAppProcessIdentity(privManager.getAppId()); - RUNNER_ASSERT_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0, - "drop_root_privileges failed"); - + ScopedAppLauncher(privManager, user, [&] { PolicyEntry entry(app.getAppId(), user.getUidString(), updatePriv); entry.setLevel(PolicyEntry::LEVEL_ALLOW); @@ -642,12 +604,8 @@ RUNNER_CHILD_TEST(security_manager_17b_privacy_manager_delete_policy_for_self) ScopedInstaller privManagerInstall(privManager); SynchronizationPipe synchPipe; - pid_t pid = runInChild([&] { + ScopedAppLauncher launcher(privManager, user, [&] { synchPipe.claimChildEp(); - Api::setAppProcessIdentity(privManager.getAppId()); - RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0, - "drop_root_privileges failed"); - PolicyEntry entry(app.getAppId(), user.getUidString(), updatePriv); entry.setLevel(PolicyEntry::LEVEL_ALLOW); PolicyRequest addPolicyRequest; 
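Review bot: In `security_manager_17b_privacy_manager_delete_policy_for_self` the launcher is a named object, `ScopedAppLauncher launcher(privManager, user, [&] {`, while most other call sites in this commit use a discarded temporary. Judging by the removed `runInChild` / `waitPid(pid)` pair, the name is what keeps the child alive across the `synchPipe` handshake until the end of the test. That difference is easy to undo by accident, for example by dropping the unused-looking variable. A comment would protect it: `// Named on purpose: the child has to outlive the synchPipe handshake; it is reaped when launcher leaves scope.` The test body starts before this hunk and continues in the next one.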
@@ -674,7 +632,6 @@ RUNNER_CHILD_TEST(security_manager_17b_privacy_manager_delete_policy_for_self) synchPipe.wait(); admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr); - waitPid(pid); } RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered) @@ -700,7 +657,6 @@ RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_sel } AppInstallHelper privManager("sm_test_17_priv_manager", user.getUid()); - std::string privManagerAppId = privManager.getAppId(); privManager.addPrivilege(SELF_PRIVILEGE); privToCount[SELF_PRIVILEGE]++; policyCount += privManager.getPrivileges().size(); @@ -709,11 +665,7 @@ RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_sel for (const auto &app : appHelpers) scopedInstallations.emplace_back(std::move(ScopedInstaller(app))); - runInChildParentWait([&] { - Api::setAppProcessIdentity(privManagerAppId); - RUNNER_ASSERT_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0, - "drop_root_privileges failed"); - + ScopedAppLauncher(privManager, user, [&] { for (const auto &privCount : privToCount) { std::vector policyEntries; PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, privCount.first); @@ -1017,11 +969,7 @@ RUNNER_CHILD_TEST(security_manager_27_fetch_app_manifest_app_context_local_posit app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE}); ScopedInstaller appInstall(app); - runInChildParentWait([&] { - Api::setAppProcessIdentity(app.getAppId()); - RUNNER_ASSERT_ERRNO_MSG( - drop_root_privileges(user.getUid(), user.getGid()) == 0, - "drop_root_privileges failed"); + ScopedAppLauncher(app, user, [&] { char **privileges; size_t nPrivs = 0; int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs); 
@@ -1041,11 +989,7 @@ RUNNER_CHILD_TEST(security_manager_28_fetch_app_manifest_app_context_global_posi app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE}); ScopedInstaller appInstall(app); - runInChildParentWait([&] { //child process - Api::setAppProcessIdentity(app.getAppId()); - RUNNER_ASSERT_ERRNO_MSG( - drop_root_privileges(user.getUid(), user.getGid()) == 0, - "drop_root_privileges failed"); + ScopedAppLauncher(app, user, [&] { char **privileges; size_t nPrivs = 0; int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs); @@ -1074,11 +1018,7 @@ RUNNER_CHILD_TEST(security_manager_29_fetch_app_manifest_app_context_local_diffe ScopedInstaller appInstall1(app1); - runInChildParentWait([&] { - Api::setAppProcessIdentity(app1.getAppId()); - RUNNER_ASSERT_ERRNO_MSG( - drop_root_privileges(user1.getUid(), user1.getGid()) == 0, - "drop_root_privileges failed"); + ScopedAppLauncher(app1, user1, [&] { char **privileges; size_t nPrivs = 0; int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs); @@ -1108,11 +1048,7 @@ RUNNER_CHILD_TEST(security_manager_30_fetch_app_manifest_app_context_local_diffe ScopedInstaller appInstall1(app1); - runInChildParentWait([&] { - Api::setAppProcessIdentity(app1.getAppId()); - RUNNER_ASSERT_ERRNO_MSG( - drop_root_privileges(user.getUid(), user.getGid()) == 0, - "drop_root_privileges failed"); + ScopedAppLauncher(app1, user, [&] { char **privileges; size_t nPrivs = 0; int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs); 
@@ -1145,11 +1081,7 @@ RUNNER_CHILD_TEST(security_manager_31_fetch_app_manifest_app_context_local_diffe ScopedInstaller appInstall1(app1); - runInChildParentWait([&] { - Api::setAppProcessIdentity(app1.getAppId()); - RUNNER_ASSERT_ERRNO_MSG( - drop_root_privileges(user.getUid(), user.getGid()) == 0, - "drop_root_privileges failed"); + ScopedAppLauncher(app1, user, [&] { char **privileges; size_t nPrivs = 0; int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);