From c1443e9b1264a80e7bf09ae64285852f44b9302d Mon Sep 17 00:00:00 2001 From: Zofia Abramowska Date: Wed, 12 Oct 2016 18:46:58 +0200 Subject: [PATCH] SM : Cleanup - dyntransition test cases Change-Id: I65d4c5502ca4e0f5352d11984b1b45b513254bdf --- src/security-manager-tests/CMakeLists.txt | 1 + src/security-manager-tests/common/sm_api.cpp | 22 +- src/security-manager-tests/common/sm_api.h | 12 +- .../common/sm_label_monitor.cpp | 38 ++ .../common/sm_label_monitor.h | 36 ++ .../test_cases_dyntransition.cpp | 432 ++++++++---------- 6 files changed, 271 insertions(+), 270 deletions(-) create mode 100644 src/security-manager-tests/common/sm_label_monitor.cpp create mode 100644 src/security-manager-tests/common/sm_label_monitor.h diff --git a/src/security-manager-tests/CMakeLists.txt b/src/security-manager-tests/CMakeLists.txt index 6171e895..030f206c 100644 --- a/src/security-manager-tests/CMakeLists.txt +++ b/src/security-manager-tests/CMakeLists.txt @@ -55,6 +55,7 @@ SET(SEC_MGR_SOURCES ${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/sm_api.cpp ${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/sm_commons.cpp ${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/sm_db.cpp + ${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/sm_label_monitor.cpp ${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/sm_request.cpp ${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/sm_sharing_request.cpp ${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/sm_user_request.cpp diff --git a/src/security-manager-tests/common/sm_api.cpp b/src/security-manager-tests/common/sm_api.cpp index abe701e0..26c831ce 100644 --- a/src/security-manager-tests/common/sm_api.cpp +++ b/src/security-manager-tests/common/sm_api.cpp @@ -297,32 +297,18 @@ void registerPaths(const PathsRequest& req, lib_retcode expectedResult) << " Result: " << result << " Expected: " << expectedResult); } -void labelsMonitorInit(app_labels_monitor **monitor, lib_retcode expectedResult) +void labelsMonitorGetFd(const LabelMonitor &monitor, int *fd, lib_retcode expectedResult) { - int result = security_manager_app_labels_monitor_init(monitor); - RUNNER_ASSERT_MSG(static_cast(result) == expectedResult, - "Unexpected result in security_manager_app_labels_monitor_init()" - << std::endl << " Result: " << result << " Expected: " - << expectedResult); -}; - -void labelsMonitorFinish(app_labels_monitor *monitor) -{ - security_manager_app_labels_monitor_finish(monitor); -}; - -void labelsMonitorGetFd(app_labels_monitor *monitor, int *fd, lib_retcode expectedResult) -{ - int result = security_manager_app_labels_monitor_get_fd(monitor, fd); + int result = security_manager_app_labels_monitor_get_fd(monitor.get(), fd); RUNNER_ASSERT_MSG(static_cast(result) == expectedResult, "Unexpected result in security_manager_app_labels_monitor_get_fd()" << std::endl << " Result: " << result << " Expected: " << expectedResult); }; -void labelsProcess(app_labels_monitor *monitor, lib_retcode expectedResult) +void labelsProcess(const LabelMonitor &monitor, lib_retcode expectedResult) { - int result = security_manager_app_labels_monitor_process(monitor); + int result = security_manager_app_labels_monitor_process(monitor.get()); RUNNER_ASSERT_MSG(static_cast(result) == expectedResult, "Unexpected result in security_manager_app_labels_monitor_process()" << std::endl << " Result: " << result << " Expected: " diff --git a/src/security-manager-tests/common/sm_api.h b/src/security-manager-tests/common/sm_api.h index 0eae4cd1..3ee0b24a 100644 --- a/src/security-manager-tests/common/sm_api.h +++ b/src/security-manager-tests/common/sm_api.h @@ -17,13 +17,13 @@ #ifndef SECURITY_MANAGER_TEST_API #define SECURITY_MANAGER_TEST_API -#include -#include +#include #include +#include #include +#include #include -#include namespace SecurityManagerTest { @@ -50,10 +50,8 @@ void getPkgIdByCynaraClient(const std::string &client, std::string *pkgId, std:: void appHasPrivilege(const std::string &appId, const std::string &privilege, uid_t user, int &value, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS); void getSecurityManagerGroups(char ***groups, size_t *groups_count, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS); void registerPaths(const PathsRequest& req, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS); -void labelsMonitorInit(app_labels_monitor **monitor, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS); -void labelsMonitorFinish(app_labels_monitor *monitor); -void labelsMonitorGetFd(app_labels_monitor *monitor, int *fd, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS); -void labelsProcess(app_labels_monitor *monitor, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS); +void labelsMonitorGetFd(const LabelMonitor &monitor, int *fd, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS); +void labelsProcess(const LabelMonitor &monitor, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS); } // namespace Api diff --git a/src/security-manager-tests/common/sm_label_monitor.cpp b/src/security-manager-tests/common/sm_label_monitor.cpp new file mode 100644 index 00000000..6d648fe5 --- /dev/null +++ b/src/security-manager-tests/common/sm_label_monitor.cpp @@ -0,0 +1,38 @@ +/* + * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "sm_label_monitor.h" + +#include + +namespace SecurityManagerTest { + +LabelMonitor::LabelMonitor() + : m_monitor(nullptr) +{ + int result = security_manager_app_labels_monitor_init(&m_monitor); + RUNNER_ASSERT_MSG(static_cast(result) == SECURITY_MANAGER_SUCCESS, + "security_manager_app_labels_monitor_init failed with " << result); + RUNNER_ASSERT_MSG(m_monitor != nullptr, + "security_manager_app_labels_monitor_init didn't allocate memory"); +} + +LabelMonitor::~LabelMonitor() +{ + security_manager_app_labels_monitor_finish(m_monitor); +} + +} // namespace SecurityManagerTest diff --git a/src/security-manager-tests/common/sm_label_monitor.h b/src/security-manager-tests/common/sm_label_monitor.h new file mode 100644 index 00000000..ee82863c --- /dev/null +++ b/src/security-manager-tests/common/sm_label_monitor.h @@ -0,0 +1,36 @@ +/* + * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#pragma once +#include + +namespace SecurityManagerTest { + +class LabelMonitor +{ +public: + LabelMonitor(); + LabelMonitor(const LabelMonitor&) = delete; + LabelMonitor& operator=(const LabelMonitor&) = delete; + ~LabelMonitor(); + + app_labels_monitor *get() const { return m_monitor; } +private: + app_labels_monitor *m_monitor; +}; + +} // namespace SecurityManagerTest + diff --git a/src/security-manager-tests/test_cases_dyntransition.cpp b/src/security-manager-tests/test_cases_dyntransition.cpp index d7b7ec52..e2b2ba6e 100644 --- a/src/security-manager-tests/test_cases_dyntransition.cpp +++ b/src/security-manager-tests/test_cases_dyntransition.cpp @@ -14,7 +14,9 @@ * limitations under the License. */ +#include #include +#include #include #include #include @@ -22,10 +24,11 @@ #include #include #include -#include -#include +#include +#include #include #include +#include #include #include #include @@ -37,26 +40,6 @@ struct UidGidMsg { gid_t gid; }; -static UidGidMsg createUserSendCreds(TemporaryTestUser &testUser, int pipefd1) -{ - testUser.create(); - UidGidMsg msg; - msg.uid = testUser.getUid(); - msg.gid = testUser.getGid(); - RUNNER_ASSERT_MSG(msg.uid != 0, "wrong uid of created test user"); - ssize_t written = TEMP_FAILURE_RETRY(write(pipefd1, &msg, sizeof(UidGidMsg))); - RUNNER_ASSERT_MSG((written == sizeof(UidGidMsg)),"write failed"); - return msg; -} - -static UidGidMsg readCreds(int pipefd0) -{ - struct UidGidMsg msg; - ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd0, &msg, sizeof(UidGidMsg))); - RUNNER_ASSERT_MSG(fetched == sizeof(UidGidMsg), "read failed"); - return msg; -} - static void testSetLabelForSelf(const std::string &appName, const std::string &pkgName, bool expected_success) { @@ -72,291 +55,250 @@ static void testSetLabelForSelf(const std::string &appName, const std::string &p RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_LABEL_MONITOR_API) -RUNNER_CHILD_TEST(security_manager_71_app_label_monitor_user_local_global) { - - const char *sm_app_id_a = "sm_test_71_app_label_monitor_local"; - const char *sm_pkg_id_a = "sm_test_71_app_label_monitor_local"; - const char *sm_app_id_b = "sm_test_71_app_label_monitor_global"; - const char *sm_pkg_id_b = "sm_test_71_app_label_monitor_global"; - const std::string new_user_name = "sm_test_71"; - int pipefd[2]; - RUNNER_ASSERT_MSG((pipe(pipefd) != -1), "pipe failed"); - SynchronizationPipe s_pipe; - +RUNNER_CHILD_TEST(security_manager_71_app_label_monitor_user_local_global) +{ + SynchronizationPipe synchPipe; + TemporaryTestUser testUser("sm_test_71_user_name", GUM_USERTYPE_NORMAL, false); + testUser.create(); pid_t pid = fork(); + RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); if (pid != 0) { //parent process - FdUniquePtr pipeptr(pipefd + 1); - close(pipefd[0]); - TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false); - UidGidMsg msg = createUserSendCreds(testUser, pipefd[1]); - int result = drop_root_privileges(msg.uid, msg.gid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - s_pipe.claimParentEp(); - s_pipe.wait(); //synchronization point A1 - install_app(sm_app_id_a, sm_pkg_id_a, msg.uid, SM_APP_INSTALL_LOCAL, false); - s_pipe.post(); //synchronization point A2 - s_pipe.wait(); //synchronization point B1 - install_app(sm_app_id_b, sm_pkg_id_b, msg.uid, SM_APP_INSTALL_GLOBAL, false); - s_pipe.post(); //synchronization point B2 - s_pipe.wait(); //synchronization point C1 - uninstall_app(sm_app_id_a, sm_app_id_a, false, SM_APP_INSTALL_LOCAL, false); - s_pipe.post(); //synchronization point C2 - s_pipe.wait(); //synchronization point D1 - uninstall_app(sm_app_id_b, sm_app_id_b, false, SM_APP_INSTALL_GLOBAL, false); - s_pipe.post(); //synchronization point D2 + synchPipe.claimParentEp(); + RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0, + "drop_root_privileges failed"); + + synchPipe.wait(); //synchronization point A1 + AppInstallHelper appLocal("sm_test_71_local", testUser.getUid()); + appLocal.setInstallType(SM_APP_INSTALL_LOCAL); + ScopedInstaller appLocalInstall(appLocal); + synchPipe.post(); //synchronization point A2 + + synchPipe.wait(); //synchronization point B1 + AppInstallHelper appGlobal("sm_test_71_global"); + appLocal.setInstallType(SM_APP_INSTALL_GLOBAL); + // This shouldn't be possible with dropped privileges, but uid and gid doesn't suffice + // to lose privileges to install applications (tests are running with System::Privileged) + ScopedInstaller appGlobalInstall(appGlobal); + synchPipe.post(); //synchronization point B2 + + synchPipe.wait(); //synchronization point C1 + appLocalInstall.uninstallApp(); + synchPipe.post(); //synchronization point C2 + + synchPipe.wait(); //synchronization point D1 + appGlobalInstall.uninstallApp(); + synchPipe.post(); //synchronization point D2 + waitPid(pid); } else { //child process + synchPipe.claimChildEp(); setCaps("cap_mac_admin+ep cap_setuid+ep cap_setgid+ep"); RUNNER_ASSERT_ERRNO_MSG(prctl(PR_SET_KEEPCAPS, 1, 0, 0) == 0, "prctl keeping caps failed"); - s_pipe.claimChildEp(); - FdUniquePtr pipeptr(pipefd); - close(pipefd[1]); - UidGidMsg msg = readCreds(pipefd[0]); - int result = drop_root_privileges(msg.uid, msg.gid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0, + "drop_root_privileges failed"); + setCaps("cap_mac_admin+ep"); - app_labels_monitor *monitor; + + LabelMonitor monitor; int fd; - nfds_t nfds = 1; - struct pollfd fds[1]; - Api::labelsMonitorInit(&monitor); - Api::labelsProcess(monitor); Api::labelsMonitorGetFd(monitor, &fd); - fds[0].fd = fd; - fds[0].events = POLLIN; + struct pollfd fds[1] = {fd, POLLIN, 0}; for (int i = 0; i < 4; i++) { //A,B,C,D - s_pipe.post(); //synchronization point {A,B,C,D}1 - s_pipe.wait(); //synchronization point {A,B,C,D}2 + synchPipe.post(); //synchronization point {A,B,C,D}1 + synchPipe.wait(); //synchronization point {A,B,C,D}2 + nfds_t nfds = 1; int poll_num = TEMP_FAILURE_RETRY(poll(fds, nfds, 0)); RUNNER_ASSERT_MSG(poll_num > 0, "Application installation was not detected"); RUNNER_ASSERT_MSG((fds[0].revents & POLLIN) > 0, "There is no data to read " "regarding app installation"); } - Api::labelsMonitorFinish(monitor); } } -RUNNER_CHILD_TEST(security_manager_72_app_label_monitor_user_local) { +RUNNER_CHILD_TEST(security_manager_72_app_label_monitor_user_local) +{ + SynchronizationPipe synchPipe; + TemporaryTestUser testUser("sm_test_75_user_name", GUM_USERTYPE_NORMAL, false); + testUser.create(); - const char *sm_app_id_a = "sm_test_72_app_label_monitor_local_1"; - const char *sm_pkg_id_a = "sm_test_72_app_label_monitor_local_1"; - const char *sm_app_id_b = "sm_test_72_app_label_monitor_local_2"; - const char *sm_pkg_id_b = "sm_test_72_app_label_monitor_local_2"; - const std::string new_user_name = "sm_test_75"; + pid_t pid = fork(); + RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); + if (pid != 0) { //parent process + synchPipe.claimParentEp(); - int pipefd[2]; - RUNNER_ASSERT_MSG((pipe(pipefd) != -1), "pipe failed"); - SynchronizationPipe s_pipe; + RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0, + "drop_root_privileges failed"); - pid_t pid = fork(); - if (pid != 0) { //parent process - FdUniquePtr pipeptr(pipefd + 1); - close(pipefd[0]); - TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false); - UidGidMsg msg = createUserSendCreds(testUser, pipefd[1]); - int result = drop_root_privileges(msg.uid, msg.gid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - s_pipe.claimParentEp(); - s_pipe.wait(); //synchronization point A1 - install_app(sm_app_id_a, sm_pkg_id_a, msg.uid, SM_APP_INSTALL_LOCAL, false); - s_pipe.post(); //synchronization point A2 - s_pipe.wait(); //synchronization point B1 - install_app(sm_app_id_b, sm_pkg_id_b, msg.uid, SM_APP_INSTALL_LOCAL, false); - s_pipe.post(); //synchronization point B2 - s_pipe.wait(); //synchronization point C1 - uninstall_app(sm_app_id_a, sm_app_id_a, false, SM_APP_INSTALL_LOCAL, false); - s_pipe.post(); //synchronization point C2 - s_pipe.wait(); //synchronization point D1 - uninstall_app(sm_app_id_b, sm_app_id_b, false, SM_APP_INSTALL_LOCAL, false); - s_pipe.post(); //synchronization point D2 - waitPid(pid); - } else { //child process - setCaps("cap_mac_admin+ep cap_setuid+ep cap_setgid+ep"); - RUNNER_ASSERT_ERRNO_MSG(prctl(PR_SET_KEEPCAPS, 1, 0, 0) == 0, "prctl keeping caps failed"); - s_pipe.claimChildEp(); - FdUniquePtr pipeptr(pipefd); - close(pipefd[1]); - UidGidMsg msg = readCreds(pipefd[0]); - int result = drop_root_privileges(msg.uid, msg.gid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - setCaps("cap_mac_admin+ep"); - app_labels_monitor *monitor; - int fd; + synchPipe.wait(); //synchronization point A1 + AppInstallHelper appLocal("sm_test_72_local1", testUser.getUid()); + appLocal.setInstallType(SM_APP_INSTALL_LOCAL); + ScopedInstaller appLocalInstall(appLocal); + synchPipe.post(); //synchronization point A2 + + synchPipe.wait(); //synchronization point B1 + AppInstallHelper appLocal2("sm_test_72_local2"); + appLocal2.setInstallType(SM_APP_INSTALL_LOCAL); + ScopedInstaller appLocal2Install(appLocal2); + synchPipe.post(); //synchronization point B2 + + synchPipe.wait(); //synchronization point C1 + appLocalInstall.uninstallApp(); + synchPipe.post(); //synchronization point C2 + + synchPipe.wait(); //synchronization point D1 + appLocal2Install.uninstallApp(); + synchPipe.post(); //synchronization point D2 + + waitPid(pid); + } else { //child process + synchPipe.claimChildEp(); + + setCaps("cap_mac_admin+ep cap_setuid+ep cap_setgid+ep"); + RUNNER_ASSERT_ERRNO_MSG(prctl(PR_SET_KEEPCAPS, 1, 0, 0) == 0, "prctl keeping caps failed"); + + RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0, + "drop_root_privileges failed"); + setCaps("cap_mac_admin+ep"); + + LabelMonitor monitor; + int fd; + Api::labelsMonitorGetFd(monitor, &fd); + struct pollfd fds[1] = {fd, POLLIN, 0}; + for (int i = 0; i < 4; i++) { //A,B,C,D + synchPipe.post(); //synchronization point {A,B,C,D}1 + synchPipe.wait(); //synchronization point {A,B,C,D}2 nfds_t nfds = 1; - struct pollfd fds[1]; - Api::labelsMonitorInit(&monitor); - Api::labelsProcess(monitor); - Api::labelsMonitorGetFd(monitor, &fd); - fds[0].fd = fd; - fds[0].events = POLLIN; - for (int i = 0; i < 4; i++) { //A,B,C,D - s_pipe.post(); //synchronization point {A,B,C,D}1 - s_pipe.wait(); //synchronization point {A,B,C,D}2 - int poll_num = TEMP_FAILURE_RETRY(poll(fds, nfds, 0)); - RUNNER_ASSERT_MSG(poll_num > 0, "Application installation was not detected"); - RUNNER_ASSERT_MSG((fds[0].revents & POLLIN) > 0, "There is no data to read " - "regarding app installation"); - } - Api::labelsMonitorFinish(monitor); + int poll_num = TEMP_FAILURE_RETRY(poll(fds, nfds, 0)); + RUNNER_ASSERT_MSG(poll_num > 0, "Application installation was not detected"); + RUNNER_ASSERT_MSG((fds[0].revents & POLLIN) > 0, "There is no data to read " + "regarding app installation"); } + } } -RUNNER_CHILD_TEST(security_manager_73_app_label_monitor_different_users) { +RUNNER_CHILD_TEST(security_manager_73_app_label_monitor_different_users) +{ + const std::string appLocalName = "sm_test_73_local"; + const std::string appGlobalName = "sm_test_73_global"; + + TemporaryTestUser testUser1("sm_test_73_user_name_1", GUM_USERTYPE_NORMAL, false); + testUser1.create(); - const char *sm_app_id_a = "sm_test_73_app_label_monitor_local_1"; - const char *sm_pkg_id_a = "sm_test_73_app_label_monitor_local_1"; - const char *sm_app_id_b = "sm_test_73_app_label_monitor_global_2"; - const char *sm_pkg_id_b = "sm_test_73_app_label_monitor_global_2"; - const std::string new_user_name_1 = "sm_test_73_1"; - const std::string new_user_name_2 = "sm_test_73_2"; + TemporaryTestUser testUser2("sm_test_73_user_name_2", GUM_USERTYPE_NORMAL, false); + testUser2.create(); - SynchronizationPipe s_pipe; + AppInstallHelper appLocal(appLocalName, testUser1.getUid()); + appLocal.setInstallType(SM_APP_INSTALL_LOCAL); + ScopedInstaller appLocalInstall(appLocal); + + AppInstallHelper appGlobal(appGlobalName); + appGlobal.setInstallType(SM_APP_INSTALL_GLOBAL); + ScopedInstaller appGlobalInstall(appGlobal); pid_t pid = fork(); + RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); if (pid != 0) { //parent process - s_pipe.claimParentEp(); - TemporaryTestUser testUserOne(new_user_name_1, GUM_USERTYPE_NORMAL, false); - testUserOne.create(); - s_pipe.post(); //synchronization point A for user creation - int result = drop_root_privileges(testUserOne.getUid(), testUserOne.getGid()); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - install_app(sm_app_id_a, sm_pkg_id_a, testUserOne.getUid(), SM_APP_INSTALL_LOCAL, false); - install_app(sm_app_id_b, sm_pkg_id_b, testUserOne.getUid(), SM_APP_INSTALL_GLOBAL, false); - s_pipe.post(); //synchronization point B - s_pipe.wait(); //synchronization point C - uninstall_app(sm_app_id_a, sm_app_id_a, false, SM_APP_INSTALL_LOCAL, false); - uninstall_app(sm_app_id_b, sm_app_id_b, false, SM_APP_INSTALL_LOCAL, false); waitPid(pid); } else { //child process setCaps("cap_mac_admin+ep cap_setuid+ep cap_setgid+ep"); RUNNER_ASSERT_ERRNO_MSG(prctl(PR_SET_KEEPCAPS, 1, 0, 0) == 0, "prctl keeping caps failed"); - s_pipe.claimChildEp(); - s_pipe.wait(); //synchronization point A for user creation - TemporaryTestUser testUserTwo(new_user_name_2, GUM_USERTYPE_NORMAL, false); - testUserTwo.create(); - int result = drop_root_privileges(testUserTwo.getUid(), testUserTwo.getGid()); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser2.getUid(), testUser2.getGid()) == 0, + "drop_root_privileges failed"); setCaps("cap_mac_admin+ep"); - app_labels_monitor *monitor; - Api::labelsMonitorInit(&monitor); - s_pipe.wait(); //B + LabelMonitor monitor; + Api::labelsProcess(monitor); - Api::labelsMonitorFinish(monitor); setCaps("cap_mac_admin-eip"); - testSetLabelForSelf(sm_app_id_a, sm_pkg_id_a, false); // local installation by another user - testSetLabelForSelf(sm_app_id_b, sm_pkg_id_b, true); // global installation by another user - s_pipe.post(); //C + // Only for proper appId and pkgId generation + AppInstallHelper appLocal(appLocalName), appGlobal(appGlobalName); + testSetLabelForSelf(appLocal.getAppId(), appLocal.getPkgId(), false); + testSetLabelForSelf(appGlobal.getAppId(), appGlobal.getPkgId(), true); } } -RUNNER_CHILD_TEST(security_manager_74_app_label_monitor_relabel_changes_1) { - - const char *sm_app_id_a = "sm_test_74_app_label_monitor_global_1"; - const char *sm_pkg_id_a = "sm_test_74_app_label_monitor_global_1"; - const char *sm_app_id_b = "sm_test_74_app_label_monitor_global_2"; - const char *sm_pkg_id_b = "sm_test_74_app_label_monitor_global_2"; - const char *sm_app_id_c = "sm_test_74_app_label_monitor_global_3"; - const char *sm_pkg_id_c = "sm_test_74_app_label_monitor_global_3"; - const std::string new_user_name = "sm_test_74"; +RUNNER_CHILD_TEST(security_manager_74_app_label_monitor_relabel_changes_global) +{ + const std::string appGlobalName1 = "sm_test_74_global1"; + const std::string appGlobalName2 = "sm_test_74_global2"; - int pipefd[2]; - RUNNER_ASSERT_MSG((pipe(pipefd) != -1), "pipe failed"); - SynchronizationPipe s_pipe; + AppInstallHelper appGlobal1(appGlobalName1); + AppInstallHelper appGlobal2(appGlobalName2); + ScopedInstaller appGlobalInstall1(appGlobal1); + ScopedInstaller appGlobalInstall2(appGlobal2); pid_t pid = fork(); - if (pid != 0) { //parent process - FdUniquePtr pipeptr(pipefd + 1); - close(pipefd[0]); - s_pipe.claimParentEp(); - install_app(sm_app_id_a, sm_pkg_id_a, getuid(), SM_APP_INSTALL_GLOBAL); - TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false); - UidGidMsg msg = createUserSendCreds(testUser, pipefd[1]); - int result = drop_root_privileges(msg.uid, msg.gid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - install_app(sm_app_id_b, sm_pkg_id_b, msg.uid, SM_APP_INSTALL_GLOBAL, false); - install_app(sm_app_id_c, sm_pkg_id_c, msg.gid, SM_APP_INSTALL_GLOBAL, false); - s_pipe.post(); //Synchronization point A - s_pipe.wait(); //Synchronization point B - uninstall_app(sm_app_id_a, sm_pkg_id_a, false, SM_APP_INSTALL_GLOBAL, false); - uninstall_app(sm_app_id_b, sm_app_id_b, false, SM_APP_INSTALL_GLOBAL, false); - uninstall_app(sm_app_id_c, sm_app_id_c, false, SM_APP_INSTALL_GLOBAL, false); + RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); + if (pid != 0) { // parent waitPid(pid); - } else { //child process + } else { // child + TemporaryTestUser testUser("sm_test_74_user_name", GUM_USERTYPE_NORMAL, false); + setCaps("all=eip"); RUNNER_ASSERT_ERRNO_MSG(prctl(PR_SET_KEEPCAPS, 1, 0, 0) == 0, "prctl keeping caps failed"); - s_pipe.claimChildEp(); - FdUniquePtr pipeptr(pipefd); - close(pipefd[1]); - UidGidMsg msg = readCreds(pipefd[0]); - int result = drop_root_privileges(msg.uid, msg.gid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + testUser.create(); + RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0, + "drop_root_privileges failed"); setCaps("cap_mac_admin=eip"); - app_labels_monitor *monitor; - Api::labelsMonitorInit(&monitor); - s_pipe.wait(); //A + + LabelMonitor monitor; Api::labelsProcess(monitor); - Api::labelsMonitorFinish(monitor); setCaps("cap_mac_admin-eip"); - testSetLabelForSelf(sm_app_id_a, sm_pkg_id_a, true); // global installation (OK) - testSetLabelForSelf(sm_app_id_b, sm_pkg_id_b, false); //second change - testSetLabelForSelf(sm_app_id_c, sm_pkg_id_c, false); //second change - s_pipe.post(); //B + + testSetLabelForSelf(appGlobal1.getAppId(), appGlobal1.getPkgId(), true); // global installation (OK) + testSetLabelForSelf(appGlobal1.getAppId(), appGlobal1.getPkgId(), false); //second change + testSetLabelForSelf(appGlobal2.getAppId(), appGlobal2.getPkgId(), false); //third change } } -RUNNER_CHILD_TEST(security_manager_75_app_label_monitor_relabel_changes_2) { - - const char *sm_app_id_a = "sm_test_75_app_label_monitor_local_1"; - const char *sm_pkg_id_a = "sm_test_75_app_label_monitor_local_1"; - const char *sm_app_id_b = "sm_test_75_app_label_monitor_local_2"; - const char *sm_pkg_id_b = "sm_test_75_app_label_monitor_local_2"; - const char *sm_app_id_c = "sm_test_75_app_label_monitor_local_3"; - const char *sm_pkg_id_c = "sm_test_75_app_label_monitor_local_3"; - const char *bad_seed ="Not_permitted_id"; +RUNNER_CHILD_TEST(security_manager_75_app_label_monitor_relabel_changes_local) +{ + const std::string appLocalName1 = "sm_test_75_local1"; + const std::string appLocalName2 = "sm_test_75_local2"; + const std::string appLocalName3 = "sm_test_75_local3"; const std::string new_user_name = "sm_test_75"; - - int pipefd[2]; - RUNNER_ASSERT_MSG((pipe(pipefd) != -1), "pipe failed"); - SynchronizationPipe s_pipe; + TemporaryTestUser testUser("sm_test_75_user_name", GUM_USERTYPE_NORMAL, false); + testUser.create(); + SynchronizationPipe synchPipe; pid_t pid = fork(); + RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); if (pid != 0) { //parent process - FdUniquePtr pipeptr(pipefd + 1); - close(pipefd[0]); - s_pipe.claimParentEp(); - TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false); - UidGidMsg msg = createUserSendCreds(testUser, pipefd[1]); - int result = drop_root_privileges(msg.uid, msg.gid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - install_app(sm_app_id_a, sm_pkg_id_a, msg.uid, SM_APP_INSTALL_LOCAL, false); - install_app(sm_app_id_b, sm_pkg_id_b, msg.uid, SM_APP_INSTALL_LOCAL, false); - install_app(sm_app_id_c, sm_pkg_id_c, msg.uid, SM_APP_INSTALL_LOCAL, false); - uninstall_app(sm_app_id_a, sm_pkg_id_a, false, SM_APP_INSTALL_LOCAL, false); - s_pipe.post(); //Synchronization A - s_pipe.wait(); //Synchronization B - uninstall_app(sm_app_id_b, sm_pkg_id_b, false, SM_APP_INSTALL_LOCAL, false); - uninstall_app(sm_app_id_c, sm_pkg_id_c, false, SM_APP_INSTALL_LOCAL, false); + synchPipe.claimParentEp(); + + RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0, + "drop_root_privileges failed"); + + AppInstallHelper appLocal1(appLocalName1, testUser.getUid()); + AppInstallHelper appLocal2(appLocalName2, testUser.getUid()); + AppInstallHelper appLocal3(appLocalName3, testUser.getUid()); + ScopedInstaller appLocalInstall1(appLocal1), appLocalInstall2(appLocal2), appLocalInstall3(appLocal3); + appLocalInstall1.uninstallApp(); + synchPipe.post(); + waitPid(pid); } else { //child process + synchPipe.claimChildEp(); + setCaps("all=eip"); RUNNER_ASSERT_ERRNO_MSG(prctl(PR_SET_KEEPCAPS, 1, 0, 0) == 0, "prctl keeping caps failed"); - s_pipe.claimChildEp(); - FdUniquePtr pipeptr(pipefd); - close(pipefd[1]); - UidGidMsg msg = readCreds(pipefd[0]); - int result = drop_root_privileges(msg.uid, msg.gid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0, + "drop_root_privileges failed"); setCaps("cap_mac_admin=eip"); - app_labels_monitor *monitor; - Api::labelsMonitorInit(&monitor); - s_pipe.wait(); //A + + synchPipe.wait(); + LabelMonitor monitor; Api::labelsProcess(monitor); - Api::labelsMonitorFinish(monitor); + setCaps("cap_mac_admin-eip"); - testSetLabelForSelf(bad_seed, "", false); //not premitted - testSetLabelForSelf(sm_app_id_a, sm_pkg_id_a, false); //uninstalled - testSetLabelForSelf(sm_app_id_b, sm_pkg_id_b, true); //installed - testSetLabelForSelf(sm_app_id_c, sm_pkg_id_c, false); //second change - s_pipe.post(); //B + testSetLabelForSelf("unknownApp", "unknownPkg", false); //not premitted + + // Only for proper appId and pkgId generation + AppInstallHelper appLocal1(appLocalName1), appLocal2(appLocalName2), appLocal3(appLocalName3); + testSetLabelForSelf(appLocal1.getAppId(), appLocal1.getPkgId(), false); //uninstalled + testSetLabelForSelf(appLocal2.getAppId(), appLocal2.getPkgId(), true); //installed + testSetLabelForSelf(appLocal3.getAppId(), appLocal3.getPkgId(), false); //second change } } -- 2.34.1