From b0b52bc6aadee215649803da3a7541596ae3fe51 Mon Sep 17 00:00:00 2001 From: Dariusz Michaluk Date: Tue, 1 Aug 2017 14:31:23 +0200 Subject: [PATCH] Fix security_manager_100_synchronize_credentials_test. Launcher security attributes (user, group, capabilities) should be set before calling security_manager_prepare_app(). Change-Id: I38680bec6873e6b3ac51dbc4c2c2dbadbb62e307 --- .../test_cases_prepare_app.cpp | 32 ++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/src/security-manager-tests/test_cases_prepare_app.cpp b/src/security-manager-tests/test_cases_prepare_app.cpp index bebb90a..9ddddf1 100644 --- a/src/security-manager-tests/test_cases_prepare_app.cpp +++ b/src/security-manager-tests/test_cases_prepare_app.cpp @@ -16,6 +16,7 @@ #include #include +#include #include #include @@ -38,7 +39,7 @@ namespace { bool finish = false; const size_t THREADS = 10; -const std::string SYNC_TEST_APP("app100"); +const std::string APP_TEST_USER = "app_test_user"; typedef std::unique_ptr<_cap_struct, decltype(&cap_free)> CapPtr; @@ -108,13 +109,38 @@ struct ThreadWrapper std::thread thread; }; +int setLauncherSecurityAttributes(TemporaryTestUser &user) +{ + // Add launcher capabilities (cap_dac_override, cap_setgid, cap_sys_admin, cap_mac_admin), + // launcher is user process, we must drop root privileges (cap_setgid, cap_setuid are needed). + // By default, the permitted capability set is cleared when credentials change is made + // (if a process drops a capability from its permitted set, it can never reacquire that capability), + // setting the "keep capabilities" flag prevents it from being cleared. + // Effective capability set is always cleared when credential change is made, we need to add them again. + + setCaps("cap_dac_override+ep cap_setgid+ep cap_sys_admin+ep cap_mac_admin+ep cap_setuid+ep"); + int ret = prctl(PR_SET_KEEPCAPS, 1, 0, 0); + if (ret != 0) + return ret; + + ret = drop_root_privileges(user.getUid(), user.getGid()); + if (ret != 0) + return ret; + + setCaps("cap_dac_override+ep cap_setgid+ep cap_sys_admin+ep cap_mac_admin+ep"); + return ret; +} + } // anonymous namespace RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_PREPARE_APP) RUNNER_CHILD_TEST(security_manager_100_synchronize_credentials_test) { - AppInstallHelper app(SYNC_TEST_APP.c_str()); + TemporaryTestUser tmpUser(APP_TEST_USER, GUM_USERTYPE_NORMAL, false); + tmpUser.create(); + + AppInstallHelper app("app100", tmpUser.getUid()); ScopedInstaller appInstall(app); const std::string expectedLabel = app.generateAppLabel(); @@ -122,6 +148,8 @@ RUNNER_CHILD_TEST(security_manager_100_synchronize_credentials_test) RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); if (pid == 0) { { + RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed"); + ThreadWrapper threads[THREADS]; for (size_t i = 0; i < THREADS; i++) -- 2.7.4