projects / platform / core / test / security-tests.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Rename /tests to /ckm to align with tizen branch
[platform/core/test/security-tests.git] / src / security-manager-tests / security_manager_tests.cpp
1 #include <dpl/test/test_runner.h>
2 #include <fcntl.h>
3 #include <stdio.h>
4 #include <memory.h>
5 #include <string>
6 #include <unordered_set>
7 #include <sys/capability.h>
8
9 #include <sys/socket.h>
10 #include <sys/un.h>
11 #include <attr/xattr.h>
12 #include <linux/xattr.h>
13
14 #include <grp.h>
15 #include <pwd.h>
16
17 #include <libprivilege-control_test_common.h>
18 #include <tests_common.h>
19
20 #include <security-manager.h>
21 #include <sm_db.h>
22 #include <cynara_test_client.h>
23
24 DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
25 DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr);
26
27 static const char *const SM_APP_ID1 = "sm_test_app_id_double";
28 static const char *const SM_PKG_ID1 = "sm_test_pkg_id_double";
29
30 static const char *const SM_APP_ID2 = "sm_test_app_id_full";
31 static const char *const SM_PKG_ID2 = "sm_test_pkg_id_full";
32
33 static const char *const SM_APP_ID3 = "sm_test_app_id_uid";
34 static const char *const SM_PKG_ID3 = "sm_test_pkg_id_uid";
35
36 static const privileges_t SM_ALLOWED_PRIVILEGES = {
37     "security_manager_test_rules2_r",
38     "security_manager_test_rules2_no_r"
39 };
40
41 static const privileges_t SM_DENIED_PRIVILEGES  = {
42     "security_manager_test_rules1",
43     "security_manager_test_rules2"
44 };
45
46 static const privileges_t SM_NO_PRIVILEGES  = {
47 };
48
49 static const std::vector<std::string> SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"};
50
51 static const char *const SM_PRIVATE_PATH = "/usr/apps/test_DIR/app_dir";
52 static const char *const SM_PUBLIC_RO_PATH = "/usr/apps/test_DIR/app_dir_public_ro";
53 static const char *const SM_DENIED_PATH = "/usr/apps/test_DIR/non_app_dir";
54 static const char *const SM_PRIVATE_PATH_FOR_USER = "/home/" APP_USER "/test_DIR";
55 static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
56
57 static void generateAppLabel(const std::string &pkgId, std::string &label)
58 {
59     (void) pkgId;
60     label = "User";
61 }
62
63 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
64                               const char* correctLabel, bool transmute_test, bool exec_test)
65 {
66     int result;
67     CStringPtr labelPtr;
68     char* label = nullptr;
69
70     /* ACCESS */
71     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
72     RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
73     labelPtr.reset(label);
74     RUNNER_ASSERT_MSG(label != nullptr, "ACCESS label on " << fpath << " is not set");
75     result = strcmp(correctLabel, label);
76     RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"
77             " (should be '" << correctLabel << "' and is '" << label << "')");
78
79
80     /* EXEC */
81     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
82     RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
83     labelPtr.reset(label);
84
85     if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
86         RUNNER_ASSERT_MSG(label != nullptr, "EXEC label on " << fpath << " is not set");
87         result = strcmp(correctLabel, label);
88         RUNNER_ASSERT_MSG(result == 0, "Incorrect EXEC label on executable file " << fpath);
89     } else
90         RUNNER_ASSERT_MSG(label == nullptr, "EXEC label on " << fpath << " is set");
91
92
93     /* TRANSMUTE */
94     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
95     RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
96     labelPtr.reset(label);
97
98     if (S_ISDIR(sb->st_mode) && transmute_test == true) {
99         RUNNER_ASSERT_MSG(label != nullptr, "TRANSMUTE label on " << fpath << " is not set at all");
100         RUNNER_ASSERT_MSG(strcmp(label,"TRUE") == 0,
101                 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
102     } else {
103         RUNNER_ASSERT_MSG(label == nullptr, "TRANSMUTE label on " << fpath << " is set");
104     }
105
106     return 0;
107 }
108
109
110 static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
111                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
112 {
113     return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
114 }
115
116 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
117                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
118 {
119
120     return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
121 }
122
123 static app_inst_req* do_app_inst_req_new()
124 {
125     int result;
126     app_inst_req *req = nullptr;
127
128     result = security_manager_app_inst_req_new(&req);
129     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
130             "creation of new request failed. Result: " << result);
131     RUNNER_ASSERT_MSG(req != nullptr, "creation of new request did not allocate memory");
132     return req;
133 }
134
135 static void prepare_app_path()
136 {
137     int result;
138
139     result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
140     RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
141
142     result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
143     RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
144
145     result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
146     RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
147 }
148
149 static void prepare_app_env()
150 {
151     prepare_app_path();
152 }
153
154 /* TODO: add parameters to this function */
155 static void check_app_path_after_install()
156 {
157     int result;
158
159     result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
160     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
161
162     result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
163     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
164
165     result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
166     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
167 }
168
169
170 static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
171                                   const privileges_t &allowed_privs, const privileges_t &denied_privs)
172 {
173     (void) app_id;
174     std::string smackLabel;
175     generateAppLabel(pkg_id, smackLabel);
176
177     CynaraTestClient::Client ctc;
178
179     for (auto &priv : allowed_privs) {
180         ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_ALLOWED);
181     }
182
183     for (auto &priv : denied_privs) {
184         ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED);
185     }
186 }
187
188 static void check_app_gids(const char *const app_id, const std::vector<gid_t> &allowed_gids)
189 {
190     int ret;
191     gid_t main_gid = getgid();
192     std::unordered_set<gid_t> reference_gids(allowed_gids.begin(), allowed_gids.end());
193
194     // Reset supplementary groups
195     ret = setgroups(0, NULL);
196     RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
197
198     ret = security_manager_set_process_groups_from_appid(app_id);
199     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS,
200             "security_manager_set_process_groups_from_appid(" <<
201             app_id << ") failed. Result: " << ret);
202
203     ret = getgroups(0, nullptr);
204     RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
205
206     std::vector<gid_t> actual_gids(ret);
207     ret = getgroups(ret, actual_gids.data());
208     RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
209
210     for (const auto &gid : actual_gids) {
211         RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0,
212             "Application shouldn't get access to group " << gid);
213         reference_gids.erase(gid);
214     }
215
216     RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups");
217 }
218
219 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
220                                     const privileges_t &allowed_privs,
221                                     const privileges_t &denied_privs,
222                                     const std::vector<std::string> &allowed_groups)
223 {
224     TestSecurityManagerDatabase dbtest;
225     dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
226     dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
227
228     /*Privileges should be granted to all users if root installs app*/
229     check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
230
231     /* Setup mapping of gids to privileges */
232     /* Do this for each privilege for extra check */
233     for (const auto &privilege : allowed_privs) {
234         dbtest.setup_privilege_groups(privilege, allowed_groups);
235     }
236
237     std::vector<gid_t> allowed_gids;
238
239     for (const auto &groupName : allowed_groups) {
240         errno = 0;
241         struct group* grp = getgrnam(groupName.c_str());
242         RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found");
243         allowed_gids.push_back(grp->gr_gid);
244     }
245
246     check_app_gids(app_id, allowed_gids);
247 }
248
249 static void check_app_after_install(const char *const app_id, const char *const pkg_id)
250 {
251     TestSecurityManagerDatabase dbtest;
252     dbtest.test_db_after__app_install(app_id, pkg_id);
253 }
254
255 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
256                                       const privileges_t &privileges, const bool is_pkg_removed)
257 {
258     TestSecurityManagerDatabase dbtest;
259     dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
260
261
262     /*Privileges should not be granted anymore to any user*/
263     check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges);
264 }
265
266 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
267                                       const bool is_pkg_removed)
268 {
269     TestSecurityManagerDatabase dbtest;
270     dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
271 }
272
273 static void install_app(const char *app_id, const char *pkg_id)
274 {
275     int result;
276     AppInstReqUniquePtr request;
277     request.reset(do_app_inst_req_new());
278
279     result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
280     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
281             "setting app id failed. Result: " << result);
282
283     result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
284     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
285             "setting pkg id failed. Result: " << result);
286
287     result = security_manager_app_install(request.get());
288     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
289             "installing app failed. Result: " << result);
290
291     check_app_after_install(app_id, pkg_id);
292
293 }
294
295 static void uninstall_app(const char *app_id, const char *pkg_id,
296         bool expect_installed, bool expect_pkg_removed)
297 {
298     int result;
299     AppInstReqUniquePtr request;
300     request.reset(do_app_inst_req_new());
301
302     result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
303     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
304           "setting app id failed. Result: " << result);
305
306     result = security_manager_app_uninstall(request.get());
307     RUNNER_ASSERT_MSG(!expect_installed || (lib_retcode)result == SECURITY_MANAGER_SUCCESS,
308           "uninstalling app failed. Result: " << result);
309
310     check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed);
311 }
312
313
314 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
315
316
317 RUNNER_TEST(security_manager_01_app_double_install_double_uninstall)
318 {
319     int result;
320     AppInstReqUniquePtr request;
321
322     request.reset(do_app_inst_req_new());
323
324     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
325     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
326             "setting app id failed. Result: " << result);
327
328     result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID1);
329     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
330             "setting pkg id failed. Result: " << result);
331
332     result = security_manager_app_install(request.get());
333     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
334             "installing app failed. Result: " << result);
335
336     result = security_manager_app_install(request.get());
337     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
338             "installing already installed app failed. Result: " << result);
339
340     /* Check records in the security-manager database */
341     check_app_after_install(SM_APP_ID1, SM_PKG_ID1);
342
343     request.reset(do_app_inst_req_new());
344
345     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
346     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
347             "setting app id failed. Result: " << result);
348
349     result = security_manager_app_uninstall(request.get());
350     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
351             "uninstalling app failed. Result: " << result);
352
353     result = security_manager_app_uninstall(request.get());
354     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
355             "uninstalling already uninstalled app failed. Result: " << result);
356
357     /* Check records in the security-manager database */
358     check_app_after_uninstall(SM_APP_ID1, SM_PKG_ID1, TestSecurityManagerDatabase::REMOVED);
359 }
360
361 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
362 {
363     int result;
364     AppInstReqUniquePtr request;
365
366     prepare_app_env();
367
368     request.reset(do_app_inst_req_new());
369
370     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
371     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
372             "setting app id failed. Result: " << result);
373
374     result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID2);
375     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
376             "setting pkg id failed. Result: " << result);
377
378     result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[0].c_str());
379     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
380             "setting allowed permission failed. Result: " << result);
381     result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[1].c_str());
382     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
383             "setting allowed permission failed. Result: " << result);
384
385     result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH,
386                                                     SECURITY_MANAGER_PATH_PRIVATE);
387     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
388             "setting allowed path failed. Result: " << result);
389
390     result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH,
391                                                     SECURITY_MANAGER_PATH_PUBLIC_RO);
392     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
393             "setting allowed path failed. Result: " << result);
394
395     result = security_manager_app_install(request.get());
396     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
397             "installing app failed. Result: " << result);
398
399     /* Check records in the security-manager database */
400     check_app_after_install(SM_APP_ID2, SM_PKG_ID2,
401                             SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
402
403     /* TODO: add parameters to this function */
404     check_app_path_after_install();
405
406     request.reset(do_app_inst_req_new());
407
408     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
409     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
410             "setting app id failed. Result: " << result);
411
412     result = security_manager_app_uninstall(request.get());
413     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
414             "uninstalling app failed. Result: " << result);
415
416     /* Check records in the security-manager database,
417      * all previously allowed privileges should be removed */
418     check_app_after_uninstall(SM_APP_ID2, SM_PKG_ID2,
419                               SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
420 }
421
422 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
423 {
424     const char *const app_id = "sm_test_app_id_set_label_from_appid";
425     const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
426     const char *const expected_label = USER_APP_ID;
427     const char *const socketLabel = "not_expected_label";
428     char *label = nullptr;
429     CStringPtr labelPtr;
430     int result;
431
432     uninstall_app(app_id, pkg_id, false, true);
433     install_app(app_id, pkg_id);
434
435     struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
436     //Clean up before creating socket
437     unlink(SOCK_PATH);
438     int sock = socket(AF_UNIX, SOCK_STREAM, 0);
439     RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
440     SockUniquePtr sockPtr(&sock);
441     //Bind socket to address
442     result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
443     RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
444     //Set socket label to something different than expecedLabel
445     result = fsetxattr(sock, XATTR_NAME_SMACKIPIN, socketLabel,
446         strlen(socketLabel), 0);
447     RUNNER_ASSERT_ERRNO_MSG(result == 0,
448         "Can't set socket label. Result: " << result);
449     result = fsetxattr(sock, XATTR_NAME_SMACKIPOUT, socketLabel,
450         strlen(socketLabel), 0);
451     RUNNER_ASSERT_ERRNO_MSG(result == 0,
452         "Can't set socket label. Result: " << result);
453
454     result = security_manager_set_process_label_from_appid(app_id);
455     RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
456             "security_manager_set_process_label_from_appid(" <<
457             app_id << ") failed. Result: " << result);
458
459     char value[SMACK_LABEL_LEN + 1];
460     ssize_t size;
461     size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value));
462     RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
463     result = strcmp(expected_label, value);
464     RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
465         expected_label << " Actual: " << value);
466
467     size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value));
468     RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
469     result = strcmp(expected_label, value);
470     RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
471         expected_label << " Actual: " << value);
472
473     result = smack_new_label_from_self(&label);
474     RUNNER_ASSERT_MSG(result >= 0,
475             " Error getting current process label");
476     RUNNER_ASSERT_MSG(label != nullptr,
477             " Process label is not set");
478     labelPtr.reset(label);
479
480     result = strcmp(expected_label, label);
481     RUNNER_ASSERT_MSG(result == 0,
482             " Process label is incorrect. Expected: \"" << expected_label <<
483             "\" Actual: \"" << label << "\"");
484
485     uninstall_app(app_id, pkg_id, true, true);
486 }
487
488 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
489 {
490     const char *const app_id = "sm_test_app_id_set_label_from_appid";
491     const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
492     int result;
493
494     uninstall_app(app_id, pkg_id, false, true);
495     install_app(app_id, pkg_id);
496
497     result = security_manager_set_process_label_from_appid(app_id);
498     RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
499             "security_manager_set_process_label_from_appid(" <<
500             app_id << ") failed. Result: " << result);
501
502     uninstall_app(app_id, pkg_id, true, true);
503 }
504
505
506
507 static void prepare_request(AppInstReqUniquePtr &request,
508               const char *const app_id,
509               const char *const pkg_id,
510               app_install_path_type pathType,
511               const char *const path)
512 {
513     int result;
514     request.reset(do_app_inst_req_new());
515
516     result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
517     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
518             "setting app id failed. Result: " << result);
519
520     result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
521     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
522             "setting pkg id failed. Result: " << result);
523
524     result = security_manager_app_inst_req_add_path(request.get(), path, pathType);
525     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
526             "setting allowed path failed. Result: " << result);
527 }
528
529
530 static struct passwd* get_app_pw()
531 {
532     struct passwd *pw = nullptr;
533     errno = 0;
534     while(!(pw = getpwnam(APP_USER))) {
535         RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
536     }
537     return pw;
538 }
539
540 RUNNER_CHILD_TEST(security_manager_04_app_install_uninstall_by_app_user)
541 {
542     int result;
543     AppInstReqUniquePtr request;
544     struct passwd *pw = get_app_pw();
545     const std::string user =  std::to_string(static_cast<unsigned int>(pw->pw_uid));
546
547     //switch user to non-root
548     result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
549     RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
550
551     //install app as non-root user and try to register public path (should fail)
552     prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PUBLIC, SM_PRIVATE_PATH_FOR_USER);
553
554     result = security_manager_app_install(request.get());
555     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
556             "installing app not failed. Result: " << result);
557
558     //install app as non-root user
559     //should fail (non-root users may only register folders inside their home)
560     prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH);
561
562     result = security_manager_app_install(request.get());
563     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
564             "installing app not failed. Result: " << result);
565
566     //install app as non-root user
567     //should succeed - this time i register folder inside user's home dir
568     prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH_FOR_USER);
569
570     for (auto &privilege : SM_ALLOWED_PRIVILEGES) {
571         result = security_manager_app_inst_req_add_privilege(request.get(), privilege.c_str());
572         RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
573             "setting allowed permission failed. Result: " << result);
574     }
575
576     result = security_manager_app_install(request.get());
577     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
578             "installing app failed. Result: " << result);
579
580     check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
581
582     //uninstall app as non-root user
583     request.reset(do_app_inst_req_new());
584
585     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID3);
586     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
587             "setting app id failed. Result: " << result);
588
589     result = security_manager_app_uninstall(request.get());
590     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
591             "uninstalling app failed. Result: " << result);
592
593     check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
594 }
595
596 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
597 {
598     int result;
599     CapsSetsUniquePtr caps, caps_empty(cap_init());
600
601     caps.reset(cap_from_text("all=eip"));
602     RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text");
603     result = cap_set_proc(caps.get());
604     RUNNER_ASSERT_MSG(result == 0,
605         "can't set capabilities. Result: " << result);
606
607     result = security_manager_drop_process_privileges();
608     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
609         "dropping caps failed. Result: " << result);
610
611     caps.reset(cap_get_proc());
612     RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
613
614     result = cap_compare(caps.get(), caps_empty.get());
615     RUNNER_ASSERT_MSG(result == 0,
616         "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
617 }
618
619 int main(int argc, char *argv[])
620 {
621     return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
622 }
Domain: Security / Uncategorized;