From 27ed639a95028e096215765f1db6358df15bbbd2 Mon Sep 17 00:00:00 2001 From: Tomasz Swierczek Date: Wed, 10 Aug 2016 10:27:51 +0200 Subject: [PATCH] Adjusting security-manager tests to run with onlycap System::Privileged is the only label that has effective CAP_MAC_ADMIN/CAP_MAC_OVERRIDE. Gumd cannot add/remove users in online mode. Change-Id: Iec1810273d3fc6f3a185b7227683202b854dc709 --- packaging/security-tests.manifest | 2 +- src/common/temp_test_user.cpp | 20 ++++++++++++++++++++ .../security_manager_tests.cpp | 19 +++++++++++++------ 3 files changed, 34 insertions(+), 7 deletions(-) diff --git a/packaging/security-tests.manifest b/packaging/security-tests.manifest index 5829dad..a65ddaa 100644 --- a/packaging/security-tests.manifest +++ b/packaging/security-tests.manifest @@ -7,7 +7,7 @@ - + diff --git a/src/common/temp_test_user.cpp b/src/common/temp_test_user.cpp index 198645c..c754308 100644 --- a/src/common/temp_test_user.cpp +++ b/src/common/temp_test_user.cpp @@ -40,6 +40,26 @@ void TemporaryTestUser::create(void) if (m_uid != 0) remove(); +/* + Below line of code is a hack for Gumd commit that removes Smack management capabilities: + + | commit 9b45c1afa49103dcb4101f4b28bf7c145f3294a6 + |/ Author: Yunmi Ha + | Date: Tue Jul 5 13:40:16 2016 +0900 + | + | Remove smack capability + | + | with wearable profile, CAP_MAC_ADMIN and CAP_MAC_OVERRIDE capabilities are removed. + | (can't use useradd/del/modify function without offline option.) + | with other profile, only CAP_MAC_OVERRIDE capability is removed. + | + | For this, gumd launcher was changed to systemd. + | + | Change-Id: Ic95fceed41afc41e37e93606c3abf830536ac7d6 + | Signed-off-by: Yunmi Ha +*/ + m_offline = true; + bool ret = m_runner.userCreate(m_userName, m_userType, m_offline, m_uid, m_gid); RUNNER_ASSERT_MSG(ret, "Failed to add user"); RUNNER_ASSERT_MSG(m_uid != 0, "Something strange happened during user creation. uid == 0."); 
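Review bot: `m_offline = true;` is assigned after the `if (m_uid != 0) remove();` call at the top of this hunk, so that earlier remove() may still run with the caller's online setting, which the commit message says gumd can no longer honour. Forcing the value where the member is initialised, or moving the assignment above the remove() call, would keep user creation and removal consistent; the constructor and the rest of create() are outside this hunk, so this needs checking against them. The override also means no test using this helper exercises the online gumd path any more, which the comment should state. The pasted commit message could be reduced to `// HACK: gumd commit 9b45c1af dropped CAP_MAC_ADMIN/CAP_MAC_OVERRIDE, so online user add/remove fails; force offline mode. TODO: remove once online mode works again.`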
diff --git a/src/security-manager-tests/security_manager_tests.cpp b/src/security-manager-tests/security_manager_tests.cpp index f8f88c6..ec210bd 100644 --- a/src/security-manager-tests/security_manager_tests.cpp +++ b/src/security-manager-tests/security_manager_tests.cpp @@ -742,8 +742,12 @@ RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid) RUNNER_ASSERT_ERRNO_MSG(result == 0, "Can't set socket label. Result: " << result); - { - ScopedProcessLabel keepLabel; + + SynchronizationPipe pipe; + pid_t pid = fork(); + + if (pid != 0) { // parent process + pipe.claimParentEp(); Api::setProcessLabel(app_id); result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPIN, &label); @@ -771,9 +775,14 @@ RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid) RUNNER_ASSERT_MSG(result == 0, " Process label is incorrect. Expected: \"" << expected_label << "\" Actual: \"" << label << "\""); + pipe.post(); + waitPid(pid); + } else { // child process + pipe.claimChildEp(); + pipe.wait(); + uninstall_app(app_id, pkg_id, true); + exit(0); } - - uninstall_app(app_id, pkg_id, true); } RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack) @@ -2114,8 +2123,6 @@ RUNNER_CHILD_TEST(security_manager_17_privacy_manager_delete_policy_for_self) ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd2[0], &msg, sizeof(struct message))); RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); - //become admin privacy manager manager - Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); result = drop_root_privileges(msg.uid, msg.gid); RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); -- 2.7.4
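Review bot: The result of `fork()` in the first hunk of security_manager_03_set_label_from_appid is never checked for -1, and because the branch is `if (pid != 0)` a failed fork is treated as the parent. The test would then relabel itself, call `pipe.post()` and `waitPid(pid)` with no child, and the app would never be uninstalled. Adding `RUNNER_ASSERT_ERRNO_MSG(pid != -1, "fork failed");` directly after `pid_t pid = fork();` makes that failure explicit. A short comment on why the roles are split would also help, e.g. `// parent changes its Smack label below; child keeps the original label so it can still uninstall the app`, which is inferred from the commit message rather than shown in the hunk. The test body starts and ends outside this hunk.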
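Review bot: The child branch added in the second hunk of security_manager_03_set_label_from_appid ends with `exit(0)` regardless of what `uninstall_app(app_id, pkg_id, true)` did, so a failed uninstall is either lost or, if the assertion macros throw (not visible here), unwinds into a second copy of the test runner instead of reaching `exit`. Catching the failure in the child and leaving with `_exit(1)`, and using `_exit(0)` on success, would report the outcome through the exit status and avoid running the parent's atexit handlers and flushing its inherited stdio buffers twice. Separately, if any assertion in the parent fails before `pipe.post()`, the parent neither posts nor calls `waitPid(pid)`, so the child may stay blocked in `pipe.wait()` and the app stays installed; whether SynchronizationPipe unblocks the child on parent exit cannot be told from this hunk.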