From 084f65d218c8e2bdcc43018c7f70fde533f15787 Mon Sep 17 00:00:00 2001 From: Marcin Niesluchowski Date: Thu, 13 Mar 2014 16:33:53 +0100 Subject: [PATCH] Fix groups issue in tests using perm_app_set_privilege api. Due to current policy process calling perm_app_set_privilege is added to current groups of app user and additional groups associated with smack label in database. Previous tests did not take into account current groups of app user. Verification: -> security-tests.sh libprivilege-control --runignored --output=text Change-Id: I03a7e96c46da20af6a01c86b290fc7180425afb5 --- tests/libprivilege-control-tests/CMakeLists.txt | 11 --- .../common/libprivilege-control_test_common.h | 5 +- .../libprivilege-control_test_common.cpp | 86 +++++++++++++++++----- tests/libprivilege-control-tests/test_cases.cpp | 6 +- .../test_cases_nosmack.cpp | 11 ++- .../test_privilege_control_rules.dac | 2 - 6 files changed, 84 insertions(+), 37 deletions(-) delete mode 100644 tests/libprivilege-control-tests/test_privilege_control_rules.dac diff --git a/tests/libprivilege-control-tests/CMakeLists.txt b/tests/libprivilege-control-tests/CMakeLists.txt index 9339dfd..4eabea3 100644 --- a/tests/libprivilege-control-tests/CMakeLists.txt +++ b/tests/libprivilege-control-tests/CMakeLists.txt @@ -119,17 +119,6 @@ INSTALL(FILES DESTINATION /usr/share/privilege-control/ ) -INSTALL(FILES - ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/test_privilege_control_rules.dac - DESTINATION /usr/share/privilege-control/ - PERMISSIONS - OWNER_READ - GROUP_READ - GROUP_EXECUTE - WORLD_READ - WORLD_EXECUTE - ) - INSTALL(DIRECTORY ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/test_privilege_control_DIR DESTINATION /etc/smack/ diff --git a/tests/libprivilege-control-tests/common/libprivilege-control_test_common.h b/tests/libprivilege-control-tests/common/libprivilege-control_test_common.h index 979188f..0fa812d 100644 --- a/tests/libprivilege-control-tests/common/libprivilege-control_test_common.h +++ b/tests/libprivilege-control-tests/common/libprivilege-control_test_common.h @@ -56,7 +56,6 @@ #define EFL_APP_ID "hello-tizen" -#define LIBPRIVILEGE_TEST_DAC_FILE "/usr/share/privilege-control/test_privilege_control_rules.dac" #define LIBPRIVILEGE_TEST_DAC_FILE_WGT "/usr/share/privilege-control/WRT_test_privilege_control_rules_wgt.dac" #define LIBPRIVILEGE_TEST_DAC_FILE_OSP "/usr/share/privilege-control/OSP_test_privilege_control_rules_osp.dac" #define LIBPRIVILEGE_TEST_DAC_FILE_EFL "/usr/share/privilege-control/EFL_test_privilege_control_rules_efl.dac" @@ -214,8 +213,8 @@ int test_have_all_accesses(const rules_t &rules); int test_have_any_accesses(const rules_t &rules); int test_have_nosmack_accesses(const rules_t &rules); -void read_gids(std::set &set, const char *file_path); -void check_groups(const char *dac_file); +void read_user_gids(std::set &set, const uid_t user_id); +void check_groups(const std::set &groups_prev, const char *dac_file); int file_exists(const char *path); void check_app_installed(const char *app_path); diff --git a/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp b/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp index 117331b..3746dde 100644 --- a/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp +++ b/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp @@ -32,6 +32,8 @@ #include #include #include +#include +#include #include #include @@ -132,35 +134,83 @@ void read_gids(std::set &set, const char *file_path) fclose(f); } -void check_groups(const char *dac_file) +void read_user_gids(std::set &set, const uid_t user_id) { - std::set groups_check; - read_gids(groups_check, dac_file); + int ret; + + struct passwd *pw = getpwuid(user_id); + RUNNER_ASSERT_MSG_BT(pw != NULL, "getpwuid() failed."); + + int groups_cnt = 0; + gid_t *groups_list = NULL; + ret = getgrouplist(pw->pw_name, pw->pw_gid, groups_list, &groups_cnt); + RUNNER_ASSERT_MSG_BT(ret == -1, "getgrouplist() failed."); + if (groups_cnt == 0) + return; + groups_list = (gid_t*) calloc(groups_cnt, sizeof(gid_t)); + RUNNER_ASSERT_MSG_BT(groups_list != NULL, "Memory allocation failed."); + + ret = getgrouplist(pw->pw_name, pw->pw_gid, groups_list, &groups_cnt); + if (ret == -1) { + free(groups_list); + RUNNER_ASSERT_MSG_BT(false, "getgrouplist() failed."); + } + for (int i = 0; i < groups_cnt; ++i) { + set.insert(groups_list[i]); + } + free(groups_list); +} + +void read_current_gids(std::set &set) +{ int groups_cnt = getgroups(0, NULL); - RUNNER_ASSERT_MSG_BT(groups_cnt > 0, "Wrong number of supplementary groupsCnt"); + RUNNER_ASSERT_MSG_BT(groups_cnt > 0, "Wrong number of supplementary groups."); gid_t *groups_list = (gid_t*) calloc(groups_cnt, sizeof(gid_t)); - RUNNER_ASSERT_MSG_BT(groups_list != NULL, "Memory allocation failed"); - RUNNER_ASSERT_BT(-1 != getgroups(groups_cnt, groups_list)); + RUNNER_ASSERT_MSG_BT(groups_list != NULL, "Memory allocation failed."); + if (getgroups(groups_cnt, groups_list) == -1){ + free(groups_list); + RUNNER_ASSERT_MSG_BT(false, "getgroups failed."); + } for (int i = 0; i < groups_cnt; ++i) { - //getgroups() can return multiple number of the same group - //they are returned in sequence, so we will given number when last - //element of this number is reached - if ((i < groups_cnt - 1) && (groups_list[i + 1] == groups_list[i])) - continue; - if (groups_check.erase(groups_list[i]) == 0) { - // getgroups() may also return process' main group - if (groups_list[i] != getgid()) - RUNNER_ASSERT_MSG_BT(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")"); - } + set.insert(groups_list[i]); } free(groups_list); +} + +void check_groups(const std::set &groups_prev, const char *dac_file) +{ + std::set groups_check; + std::set groups_current; + if(dac_file != NULL) + read_gids(groups_check, dac_file); + read_current_gids(groups_current); + std::string groups_left; - for (std::set::iterator it = groups_check.begin(); it != groups_check.end(); it++) { + for (auto it = groups_prev.begin(); it != groups_prev.end(); ++it) + { + (void)groups_check.erase(*it); + if(groups_current.erase(*it) == 0) + groups_left.append(std::to_string(*it)).append(" "); + } + RUNNER_ASSERT_MSG_BT(groups_left.empty(), + "Application lost some groups: " << groups_left); + + for (auto it = groups_check.begin(); it != groups_check.end(); ++it) + { + if(groups_current.erase(*it) == 0) + groups_left.append(std::to_string(*it)).append(" "); + } + RUNNER_ASSERT_MSG_BT(groups_left.empty(), + "Application doesn't belong to some required groups: " << groups_left); + + for (auto it = groups_current.begin(); it != groups_current.end(); ++it) + { groups_left.append(std::to_string(*it)).append(" "); } - RUNNER_ASSERT_MSG_BT(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left); + RUNNER_ASSERT_MSG_BT(groups_left.empty(), + "Application belongs to groups it should't belong to: " << groups_left); } int file_exists(const char *path) diff --git a/tests/libprivilege-control-tests/test_cases.cpp b/tests/libprivilege-control-tests/test_cases.cpp index c4875c8..1a88592 100644 --- a/tests/libprivilege-control-tests/test_cases.cpp +++ b/tests/libprivilege-control-tests/test_cases.cpp @@ -28,6 +28,7 @@ #include #include #include +#include #include #include @@ -268,6 +269,9 @@ void test_set_app_privilege( result = test_have_all_accesses(rules); RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added."); + std::set groups_before; + read_user_gids(groups_before, APP_UID); + result = perm_app_set_privilege(app_id, type, app_path); RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, " Error in perm_app_set_privilege. Error: " << result); @@ -283,7 +287,7 @@ void test_set_app_privilege( RUNNER_ASSERT_MSG_BT(result == 0, " Process label " << label << " is incorrect"); - check_groups(dac_file); + check_groups(groups_before, dac_file); } /** diff --git a/tests/libprivilege-control-tests/test_cases_nosmack.cpp b/tests/libprivilege-control-tests/test_cases_nosmack.cpp index 972d8e9..cf84205 100644 --- a/tests/libprivilege-control-tests/test_cases_nosmack.cpp +++ b/tests/libprivilege-control-tests/test_cases_nosmack.cpp @@ -26,6 +26,7 @@ #include #include #include +#include #include #include @@ -214,6 +215,9 @@ void test_set_app_privilege_nosmack( RUNNER_ASSERT_MSG_BT(result == -1, " Permissions shouldn't be added. Result: " << result); + std::set groups_before; + read_user_gids(groups_before, APP_UID); + result = perm_app_set_privilege(app_id, type, app_path); RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, " Error in perm_app_set_privilege. Error: " << result); @@ -226,7 +230,7 @@ void test_set_app_privilege_nosmack( RUNNER_ASSERT_MSG_BT(label == NULL, " new_label_from_self shouldn't allocate memory for label."); - check_groups(dac_file); + check_groups(groups_before, dac_file); } /** @@ -249,6 +253,9 @@ RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_nosmack) perm_app_uninstall(APP_ID); DB_END + std::set groups_before; + read_user_gids(groups_before, APP_UID); + //Set app privileges result = perm_app_set_privilege(APP_ID, NULL, APP_SET_PRIV_PATH); RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, @@ -271,7 +278,7 @@ RUNNER_CHILD_TEST_NOSMACK(privilege_control05_set_app_privilege_nosmack) result = strcmp(getenv("USER"), APP_USER_NAME); RUNNER_ASSERT_MSG_BT(result == 0, "Wrong user USER NAME. Result: " << result); - check_groups(LIBPRIVILEGE_TEST_DAC_FILE); + check_groups(groups_before, NULL); } /** diff --git a/tests/libprivilege-control-tests/test_privilege_control_rules.dac b/tests/libprivilege-control-tests/test_privilege_control_rules.dac deleted file mode 100644 index eb6ed40..0000000 --- a/tests/libprivilege-control-tests/test_privilege_control_rules.dac +++ /dev/null @@ -1,2 +0,0 @@ -12345 -23456 -- 2.7.4