2 * Copyright (c) 2016-2020 Samsung Electronics Co., Ltd. All rights reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
21 #include <sys/types.h>
24 #include <dpl/test/test_runner.h>
25 #include <dpl/test/test_runner_child.h>
26 #include <policy_configuration.h>
28 #include <sm_policy_request.h>
29 #include <sm_user_request.h>
30 #include <temp_test_user.h>
31 #include <privilege_names.h>
33 #include <security-manager.h>
35 using namespace SecurityManagerTest;
36 using namespace PrivilegeNames;
38 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_NSS_PLUGIN)
40 RUNNER_CHILD_TEST(nss_01_normal_user_without_inter_daemon_groups) {
41 const std::string newUserName = "nss_01_user";
42 TemporaryTestUser testUser(newUserName, GUM_USERTYPE_NORMAL, false);
45 UserRequest addUserRequest;
46 addUserRequest.setUid(testUser.getUid());
47 addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
48 Api::addUser(addUserRequest);
50 RUNNER_ASSERT_MSG(0 == initgroups(newUserName.c_str(), 0), "Init groups failed");
52 gid_t list[NGROUPS_MAX + 1];
53 int grsize = getgroups(NGROUPS_MAX + 1, list);
55 PolicyConfiguration pc;
56 auto sysdGidVec = pc.groupToGid(pc.privToGroup(pc.getSystemdManagedPrivs()));
57 auto allPrivGids = pc.getGid();
58 unsigned int privGidsOther = 0;
59 for (int i = 0; i < grsize; ++i) {
60 RUNNER_ASSERT_MSG(std::find(sysdGidVec.begin(), sysdGidVec.end(), list[i]) == sysdGidVec.end() , "Process should not get gid " << list[i]);
61 if (std::find(allPrivGids.begin(), allPrivGids.end(), list[i]) != allPrivGids.end())
65 RUNNER_ASSERT_MSG(privGidsOther + sysdGidVec.size() == allPrivGids.size(), "Improper GID setup for process, has priv_*: " <<
66 privGidsOther << ", systemd managed all: " << sysdGidVec.size() << " , all: " << allPrivGids.size() );
69 RUNNER_CHILD_TEST(nss_02_guest_user_without_inter_daemon_groups) {
70 const std::string newUserName = "nss_02_user";
71 TemporaryTestUser testUser(newUserName, GUM_USERTYPE_GUEST, false);
74 UserRequest addUserRequest;
75 addUserRequest.setUid(testUser.getUid());
76 addUserRequest.setUserType(SM_USER_TYPE_GUEST);
77 Api::addUser(addUserRequest);
79 RUNNER_ASSERT_MSG(0 == initgroups(newUserName.c_str(), 0), "Init groups failed");
81 gid_t list[NGROUPS_MAX + 1];
82 int grsize = getgroups(NGROUPS_MAX + 1, list);
84 PolicyConfiguration pc;
85 auto sysdGidVec = pc.groupToGid(pc.privToGroup(pc.getSystemdManagedPrivs()));
86 auto allPrivGids = pc.getGid();
87 unsigned int privGidsOther = 0;
88 for (int i = 0; i < grsize; ++i) {
89 RUNNER_ASSERT_MSG(std::find(sysdGidVec.begin(), sysdGidVec.end(), list[i]) == sysdGidVec.end() , "Process should not get gid " << list[i]);
90 if (std::find(allPrivGids.begin(), allPrivGids.end(), list[i]) != allPrivGids.end())
94 RUNNER_ASSERT_MSG(privGidsOther + sysdGidVec.size() == allPrivGids.size(), "Improper GID setup for process, has priv_*: " <<
95 privGidsOther << ", systemd managed all: " << sysdGidVec.size() << " , all: " << allPrivGids.size() );
99 RUNNER_CHILD_TEST(nss_03_guest_user_without_inter_daemon_groups_unaffected_by_cynara) {
100 const std::string newUserName = "nss_03_user";
101 TemporaryTestUser testUser(newUserName, GUM_USERTYPE_GUEST, false);
104 UserRequest addUserRequest;
105 addUserRequest.setUid(testUser.getUid());
106 addUserRequest.setUserType(SM_USER_TYPE_GUEST);
107 Api::addUser(addUserRequest);
109 // Removing one more privilege from policy (that has GID associated), which should not affect nss daemon groups
110 PolicyRequest policyRequest;
112 PolicyEntry entry(SECURITY_MANAGER_ANY, testUser.getUidString(), PRIV_CAMERA);
113 entry.setMaxLevel(PolicyEntry::LEVEL_DENY);
115 policyRequest.addEntry(entry);
116 Api::sendPolicy(policyRequest);
118 RUNNER_ASSERT_MSG(0 == initgroups(newUserName.c_str(), 0), "Init groups failed");
120 gid_t list[NGROUPS_MAX + 1];
121 int grsize = getgroups(NGROUPS_MAX + 1, list);
123 PolicyConfiguration pc;
124 auto sysdGidVec = pc.groupToGid(pc.privToGroup(pc.getSystemdManagedPrivs()));
125 auto allPrivGids = pc.getGid();
126 unsigned int privGidsOther = 0;
127 for (int i = 0; i < grsize; ++i) {
128 RUNNER_ASSERT_MSG(std::find(sysdGidVec.begin(), sysdGidVec.end(), list[i]) == sysdGidVec.end() , "Process should not get gid " << list[i]);
129 if (std::find(allPrivGids.begin(), allPrivGids.end(), list[i]) != allPrivGids.end())
133 RUNNER_ASSERT_MSG(privGidsOther + sysdGidVec.size() == allPrivGids.size(), "Improper GID setup for process, has priv_*: " <<
134 privGidsOther << ", systemd managed all: " << sysdGidVec.size() << " , all: " << allPrivGids.size() );