From 4142add0b59648154b7020e3906ff33c7e082738 Mon Sep 17 00:00:00 2001 From: Marcin Niesluchowski Date: Thu, 23 Oct 2014 13:32:38 +0200 Subject: [PATCH] Fix security_manager_05_app_install_uninstall_by_uid_5000 User app (uid 5000) used for tests has been removed from system. Due to this chage security-manager can not find it in /etc/passwd. Special user is created in %post section and is removed in %postun section. Current test name: security_manager_05_app_install_uninstall_by_app_user Change-Id: Ia2eec416b44fe216b08f1fc29ec46826621ad796 --- CMakeLists.txt | 1 + packaging/security-tests.spec | 13 ++++++++++-- tests/common/tests_common.cpp | 8 ++++---- tests/common/tests_common.h | 2 +- tests/security-manager-tests/CMakeLists.txt | 2 +- .../security_manager_tests.cpp | 24 +++++++++++++++------- 6 files changed, 35 insertions(+), 15 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 86ccb16..45ef3a5 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -72,6 +72,7 @@ ADD_DEFINITIONS("-Wno-deprecated-declarations") # No warnings abou STRING(REGEX MATCH "([^.]*)" API_VERSION "${VERSION}") ADD_DEFINITIONS("-DAPI_VERSION=\"$(API_VERSION)\"") ADD_DEFINITIONS("-DCYNARA_DB_DIR=\"${CYNARA_DB_DIR}\"") +ADD_DEFINITIONS("-DAPP_USER=\"${APP_USER}\"") IF(SMACK_ENABLE) ADD_DEFINITIONS("-DWRT_SMACK_ENABLED") diff --git a/packaging/security-tests.spec b/packaging/security-tests.spec index 10deacb..9434d69 100644 --- a/packaging/security-tests.spec +++ b/packaging/security-tests.spec @@ -27,6 +27,9 @@ BuildRequires: pkgconfig(libtzplatform-config) BuildRequires: boost-devel Requires: smack Requires: libprivilege-control +Requires(post): libgum >= 1.0.0 +Requires(postun): libgum >= 1.0.0 +Requires(postun): %{_bindir}/id %description Security tests repository - for tests that can't be kept together with code. @@ -43,7 +46,8 @@ cmake . -DCMAKE_INSTALL_PREFIX=%{_prefix} \ -DVERSION=%{version} \ -DCMAKE_BUILD_TYPE=%{?build_type:%build_type}%{!?build_type:DEBUG} \ -DCMAKE_VERBOSE_MAKEFILE=ON \ - -DCYNARA_DB_DIR=%{_localstatedir}/cynara/db + -DCYNARA_DB_DIR=%{_localstatedir}/cynara/db \ + -DAPP_USER=security-tests-app make %{?jobs:-j%jobs} %install @@ -51,6 +55,8 @@ make %{?jobs:-j%jobs} ln -sf /etc/smack/test_smack_rules %{buildroot}/etc/smack/test_smack_rules_lnk %post +%{_bindir}/gum-utils --add-user --username=security-tests-app --usertype=4 --offline + find /etc/smack/test_privilege_control_DIR/ -type f -name exec -exec chmod 0755 {} + find /etc/smack/test_DIR/ -type f -name exec -exec chmod 0755 {} + @@ -59,6 +65,9 @@ api_feature_loader --verbose echo "security-tests postinst done ..." +%postun +%{_bindir}/gum-utils --delete-user --uid=`%{_bindir}/id -u security-tests-app` --offline + %files %manifest %{name}.manifest %defattr(-, root, root, -) @@ -90,7 +99,7 @@ echo "security-tests postinst done ..." /usr/share/privilege-control/* /etc/smack/test_privilege_control_DIR/* /etc/smack/test_DIR/* -/home/app/securitytests +/home/security-tests-app/test_DIR /usr/bin/test-app-efl /usr/bin/test-app-osp /usr/bin/test-app-wgt diff --git a/tests/common/tests_common.cpp b/tests/common/tests_common.cpp index 5fa6125..1bf0236 100644 --- a/tests/common/tests_common.cpp +++ b/tests/common/tests_common.cpp @@ -58,17 +58,17 @@ int smack_check(void) * Dropping root privileges * returns 0 on success, 1 on error */ -int drop_root_privileges(void) +int drop_root_privileges(uid_t appUid, gid_t appGid) { if (getuid() == 0) { /* process is running as root, drop privileges */ - if (setgid(APP_GID) != 0) + if (setgid(appGid) != 0) return 1; - if (setuid(APP_UID) != 0) + if (setuid(appUid) != 0) return 1; } uid_t uid = getuid(); - if (uid == APP_UID) + if (uid == appUid) return 0; return 1; diff --git a/tests/common/tests_common.h b/tests/common/tests_common.h index 4fdbc14..47dac47 100644 --- a/tests/common/tests_common.h +++ b/tests/common/tests_common.h @@ -41,7 +41,7 @@ const gid_t DB_ALARM_GID = 6001; int smack_runtime_check(void); int smack_check(void); -int drop_root_privileges(void); +int drop_root_privileges(uid_t appUid = APP_UID, gid_t appGid = APP_GID); void setLabelForSelf(const int line, const char *label); void add_process_group(const char* group_name); void remove_process_group(const char* group_name); diff --git a/tests/security-manager-tests/CMakeLists.txt b/tests/security-manager-tests/CMakeLists.txt index b4fdf6b..d8a5b7f 100644 --- a/tests/security-manager-tests/CMakeLists.txt +++ b/tests/security-manager-tests/CMakeLists.txt @@ -72,5 +72,5 @@ INSTALL(DIRECTORY INSTALL(DIRECTORY ${PROJECT_SOURCE_DIR}/tests/security-manager-tests/test_DIR - DESTINATION /home/app/securitytests/ + DESTINATION /home/${APP_USER}/ ) diff --git a/tests/security-manager-tests/security_manager_tests.cpp b/tests/security-manager-tests/security_manager_tests.cpp index 9d217c8..59ece53 100644 --- a/tests/security-manager-tests/security_manager_tests.cpp +++ b/tests/security-manager-tests/security_manager_tests.cpp @@ -7,6 +7,7 @@ #include #include +#include #include #include @@ -47,7 +48,7 @@ static const char *const SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir"; static const char *const SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public"; static const char *const SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro"; static const char *const SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir"; -static const char *const SM_PRIVATE_PATH_FOR_USER_5000 = "/home/app/securitytests/test_DIR"; +static const char *const SM_PRIVATE_PATH_FOR_USER = "/home/" APP_USER "/test_DIR"; static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/ static void generateAppLabel(const std::string &pkgId, std::string &label) @@ -535,20 +536,29 @@ static void prepare_request(AppInstReqUniquePtr &request, } +static struct passwd* get_app_pw() +{ + struct passwd *pw = nullptr; + errno = 0; + while(!(pw = getpwnam(APP_USER))) { + RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed"); + } + return pw; +} -RUNNER_CHILD_TEST(security_manager_05_app_install_uninstall_by_uid_5000) +RUNNER_CHILD_TEST(security_manager_05_app_install_uninstall_by_app_user) { int result; AppInstReqUniquePtr request; - const std::string user = std::to_string(static_cast(APP_UID)); - + struct passwd *pw = get_app_pw(); + const std::string user = std::to_string(static_cast(pw->pw_uid)); //switch user to non-root - result = drop_root_privileges(); + result = drop_root_privileges(pw->pw_uid, pw->pw_gid); RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); //install app as non-root user and try to register public path (should fail) - prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PUBLIC, SM_PRIVATE_PATH_FOR_USER_5000); + prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PUBLIC, SM_PRIVATE_PATH_FOR_USER); result = security_manager_app_install(request.get()); RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED, @@ -564,7 +574,7 @@ RUNNER_CHILD_TEST(security_manager_05_app_install_uninstall_by_uid_5000) //install app as non-root user //should succeed - this time i register folder inside user's home dir - prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH_FOR_USER_5000); + prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH_FOR_USER); for (auto &privilege : SM_ALLOWED_PRIVILEGES) { result = security_manager_app_inst_req_add_privilege(request.get(), privilege.c_str()); -- 2.7.4