From e3e2809fbd268b6884fcaed1f44b4b036bcef39f Mon Sep 17 00:00:00 2001
From: Rafal Krypa
Date: Tue, 16 Sep 2014 16:28:07 +0200
Subject: [PATCH] security-manager: test security_manager_set_process_groups_from_appid

New security-manager API supports setting process groups based on privilege settings. This is intended for launchers. Check it during application installation check to verify if gid-mapped privileges are handled correctly.

Change-Id: Ie558bf985dbbc5cd1451ae743aa2f26f519fef5e
Signed-off-by: Rafal Krypa
---
 tests/security-manager-tests/common/sm_db.cpp | 24 ++++++++++-
 tests/security-manager-tests/common/sm_db.h | 8 ++++
 .../security_manager_tests.cpp | 49 +++++++++++++++++++++-
 3 files changed, 78 insertions(+), 3 deletions(-)

diff --git a/tests/security-manager-tests/common/sm_db.cpp b/tests/security-manager-tests/common/sm_db.cpp
index 083b9ae..d4498e6 100644
--- a/tests/security-manager-tests/common/sm_db.cpp
+++ b/tests/security-manager-tests/common/sm_db.cpp
@@ -34,7 +34,7 @@ const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-ma
 const bool TestSecurityManagerDatabase::NOT_REMOVED = false;
 const bool TestSecurityManagerDatabase::REMOVED = true;
-TestSecurityManagerDatabase::TestSecurityManagerDatabase() : m_base(PRIVILEGE_DB_PATH)
+TestSecurityManagerDatabase::TestSecurityManagerDatabase() : m_base(PRIVILEGE_DB_PATH, SQLITE_OPEN_READWRITE)
 {
 }
@@ -177,3 +177,25 @@ bool TestSecurityManagerDatabase::check_privilege(const std::string &app_name,
 return result.rows.size() == 1;
 }
+
+void TestSecurityManagerDatabase::setup_privilege_gids(const std::string &privilege,
+ const std::vector &gids)
+{
+ Sqlite3DBaseSelectResult result;
+ std::ostringstream sql;
+
+ if (!m_base.is_open())
+ m_base.open();
+
+ sql << "INSERT OR IGNORE INTO privilege (name) VALUES ('" << privilege << "')";
+ m_base.execute(sql.str(), result);
+
+ for (const auto &gid : gids) {
+ sql.clear();
+ sql.str("");
+ sql << "INSERT OR IGNORE INTO privilege_gid (privilege_id, gid) "
+ "VALUES ((SELECT privilege_id FROM privilege WHERE name = '"
+ << privilege << "')," << (int) gid << ")";
+ m_base.execute(sql.str(), result);
+ }
+}
diff --git a/tests/security-manager-tests/common/sm_db.h b/tests/security-manager-tests/common/sm_db.h
index 21a419a..e73558c 100644
--- a/tests/security-manager-tests/common/sm_db.h
+++ b/tests/security-manager-tests/common/sm_db.h
@@ -129,6 +129,14 @@ public:
 void check_privileges_removed(const std::string &app_name, const std::string &pkg_name, const privileges_t &privileges);
+/**
+ * @brief Method for setting privilege to groups mapping in security-manager database
+ *
+ * @param privilege name of the privilege
+ * @param gids vector of group ids
+ */
+ void setup_privilege_gids(const std::string &privilege, const std::vector &gids);
+
 private:
 /**
 * @var base
diff --git a/tests/security-manager-tests/security_manager_tests.cpp b/tests/security-manager-tests/security_manager_tests.cpp
index 0632cd1..5698d6d 100644
--- a/tests/security-manager-tests/security_manager_tests.cpp
+++ b/tests/security-manager-tests/security_manager_tests.cpp
@@ -4,6 +4,9 @@
 #include
 #include
 #include
+#include
+
+#include
 #include
 #include
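Review bot: In `setup_privilege_gids` (the sm_db.cpp hunk, first on this line) both INSERT statements are built by streaming `privilege` straight into the SQL text, so a name containing a single quote breaks the statement or changes what it does. The callers visible in this patch pass compile-time constants, but the helper is public on the test class; if the `m_base` wrapper offers bound parameters (not visible here) they should be used, otherwise the contract belongs above the function: `// privilege is interpolated into SQL unescaped: pass trusted constant names only`. The `(int) gid` cast also narrows `gid_t`, which is unsigned on Linux, so `static_cast<unsigned long>(gid)` would keep large ids from being written as negative numbers.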
@@ -38,6 +41,8 @@ static const privileges_t SM_DENIED_PRIVILEGES = {
 static const privileges_t SM_NO_PRIVILEGES = {
 };
+static const std::vector SM_ALLOWED_GIDS = {6001, 6002};
+
 static const char *const SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir";
 static const char *const SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public";
 static const char *const SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro";
@@ -189,9 +194,41 @@ static void check_app_permissions(const char *const app_id, const char *const pk
 }
 }
+static void check_app_gids(const char *const app_id, const std::vector &allowed_gids)
+{
+ int ret;
+ gid_t main_gid = getgid();
+ std::unordered_set reference_gids(allowed_gids.begin(), allowed_gids.end());
+
+ // Reset supplementary groups
+ ret = setgroups(0, NULL);
+ RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
+
+ ret = security_manager_set_process_groups_from_appid(app_id);
+ RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS,
+ "security_manager_set_process_groups_from_appid(" <<
+ app_id << ") failed. Result: " << ret);
+
+ ret = getgroups(0, nullptr);
+ RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
+
+ std::vector actual_gids(ret);
+ ret = getgroups(ret, actual_gids.data());
+ RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
+
+ for (const auto &gid : actual_gids) {
+ RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0,
+ "Application shouldn't get access to group " << gid);
+ reference_gids.erase(gid);
+ }
+
+ RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups");
+}
+
 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
 const privileges_t &allowed_privs,
- const privileges_t &denied_privs)
+ const privileges_t &denied_privs,
+ const std::vector &allowed_gids)
 {
 TestSecurityManagerDatabase dbtest;
 dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
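Review bot: `check_app_gids` (second hunk on this line) clears the test process's supplementary groups with `setgroups(0, NULL)` and lets `security_manager_set_process_groups_from_appid` replace them, but never puts the original list back, so every later check in the same runner process runs with the application's groups. Saving the list before the reset and restoring it at the end keeps the test isolated; if `RUNNER_ASSERT_MSG` throws on failure (not visible here), the restore belongs in a scope guard so it also runs after a failed assertion. Separately, getgroups() is allowed to include the effective gid in its result, so the exemption in the loop should compare against `getegid()` rather than `getgid()`. The body of `check_app_after_install` that follows continues outside this hunk.

```cpp
    gid_t main_gid = getgid();
    // Keep the runner's own supplementary groups so they can be put back afterwards
    int saved_count = getgroups(0, nullptr);
    RUNNER_ASSERT_MSG(saved_count != -1, "Unable to get supplementary groups");
    std::vector<gid_t> saved_gids(saved_count);
    saved_count = getgroups(saved_count, saved_gids.data());
    RUNNER_ASSERT_MSG(saved_count != -1, "Unable to get supplementary groups");

    // … unchanged: reset groups, security_manager_set_process_groups_from_appid, comparison loop …

    ret = setgroups(saved_gids.size(), saved_gids.data());
    RUNNER_ASSERT_MSG(ret != -1, "Unable to restore supplementary groups");
```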
@@ -199,6 +236,14 @@ static void check_app_after_install(const char *const app_id, const char *const
 /*Privileges should be granted to all users if root installs app*/
 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
+
+ /* Setup mapping of gids to privileges */
+ /* Do this for each privilege for extra check */
+ for (const auto &privilege : allowed_privs) {
+ dbtest.setup_privilege_gids(privilege, allowed_gids);
+ }
+
+ check_app_gids(app_id, allowed_gids);
 }
 static void check_app_after_install(const char *const app_id, const char *const pkg_id)
@@ -358,7 +403,7 @@ RUNNER_TEST(security_manager_02_app_install_uninstall_full)
 /* Check records in the security-manager database */
 check_app_after_install(SM_APP_ID2, SM_PKG_ID2,
- SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
+ SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GIDS);
 /* TODO: add parameters to this function */
 check_app_path_after_install();
--
2.7.4
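Review bot: The loop added to `check_app_after_install` (first hunk on this line) writes privilege-to-gid rows into the database at `PRIVILEGE_DB_PATH`, and nothing visible in this patch removes them again. Together with the constructor in sm_db.cpp now opening that database with `SQLITE_OPEN_READWRITE`, the test leaves gids 6001 and 6002 mapped to the allowed privileges after it finishes, and any application later granted those privileges would presumably receive these groups. The rows should be deleted in the uninstall or cleanup path of the test; until then the limitation should be recorded next to the loop, for example `/* NOTE: the privilege_gid rows inserted here are not removed after the test */`. The opening lines of the function are in the previous hunk.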