2 * Copyright (c) 2016-2020 Samsung Electronics Co., Ltd. All rights reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
21 #include <sys/types.h>
24 #include <dpl/test/test_runner.h>
25 #include <dpl/test/test_runner_child.h>
26 #include <policy_configuration.h>
28 #include <sm_policy_request.h>
29 #include <sm_user_request.h>
30 #include <temp_test_user.h>
32 #include <security-manager.h>
34 using namespace SecurityManagerTest;
36 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_NSS_PLUGIN)
38 RUNNER_CHILD_TEST(nss_01_normal_user_without_inter_daemon_groups) {
39 const std::string newUserName = "nss_01_user";
40 TemporaryTestUser testUser(newUserName, GUM_USERTYPE_NORMAL, false);
43 UserRequest addUserRequest;
44 addUserRequest.setUid(testUser.getUid());
45 addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
46 Api::addUser(addUserRequest);
48 RUNNER_ASSERT_MSG(0 == initgroups(newUserName.c_str(), 0), "Init groups failed");
50 gid_t list[NGROUPS_MAX + 1];
51 int grsize = getgroups(NGROUPS_MAX + 1, list);
53 PolicyConfiguration pc;
54 auto sysdGidVec = pc.groupToGid(pc.privToGroup(pc.getSystemdManagedPrivs()));
55 auto allPrivGids = pc.getGid();
56 unsigned int privGidsOther = 0;
57 for (int i = 0; i < grsize; ++i) {
58 RUNNER_ASSERT_MSG(std::find(sysdGidVec.begin(), sysdGidVec.end(), list[i]) == sysdGidVec.end() , "Process should not get gid " << list[i]);
59 if (std::find(allPrivGids.begin(), allPrivGids.end(), list[i]) != allPrivGids.end())
63 RUNNER_ASSERT_MSG(privGidsOther + sysdGidVec.size() == allPrivGids.size(), "Improper GID setup for process, has priv_*: " <<
64 privGidsOther << ", systemd managed all: " << sysdGidVec.size() << " , all: " << allPrivGids.size() );
67 RUNNER_CHILD_TEST(nss_02_guest_user_without_inter_daemon_groups) {
68 const std::string newUserName = "nss_02_user";
69 TemporaryTestUser testUser(newUserName, GUM_USERTYPE_GUEST, false);
72 UserRequest addUserRequest;
73 addUserRequest.setUid(testUser.getUid());
74 addUserRequest.setUserType(SM_USER_TYPE_GUEST);
75 Api::addUser(addUserRequest);
77 RUNNER_ASSERT_MSG(0 == initgroups(newUserName.c_str(), 0), "Init groups failed");
79 gid_t list[NGROUPS_MAX + 1];
80 int grsize = getgroups(NGROUPS_MAX + 1, list);
82 PolicyConfiguration pc;
83 auto sysdGidVec = pc.groupToGid(pc.privToGroup(pc.getSystemdManagedPrivs()));
84 auto allPrivGids = pc.getGid();
85 unsigned int privGidsOther = 0;
86 for (int i = 0; i < grsize; ++i) {
87 RUNNER_ASSERT_MSG(std::find(sysdGidVec.begin(), sysdGidVec.end(), list[i]) == sysdGidVec.end() , "Process should not get gid " << list[i]);
88 if (std::find(allPrivGids.begin(), allPrivGids.end(), list[i]) != allPrivGids.end())
92 RUNNER_ASSERT_MSG(privGidsOther + sysdGidVec.size() == allPrivGids.size(), "Improper GID setup for process, has priv_*: " <<
93 privGidsOther << ", systemd managed all: " << sysdGidVec.size() << " , all: " << allPrivGids.size() );
97 RUNNER_CHILD_TEST(nss_03_guest_user_without_inter_daemon_groups_unaffected_by_cynara) {
98 const std::string newUserName = "nss_03_user";
99 TemporaryTestUser testUser(newUserName, GUM_USERTYPE_GUEST, false);
102 UserRequest addUserRequest;
103 addUserRequest.setUid(testUser.getUid());
104 addUserRequest.setUserType(SM_USER_TYPE_GUEST);
105 Api::addUser(addUserRequest);
107 // Removing one more privilege from policy (that has GID associated), which should not affect nss daemon groups
108 PolicyRequest policyRequest;
111 SECURITY_MANAGER_ANY,
112 std::to_string(static_cast<int>(testUser.getUid())),
113 "http://tizen.org/privilege/camera");
114 entry.setMaxLevel("Deny");
116 policyRequest.addEntry(entry);
117 Api::sendPolicy(policyRequest);
119 RUNNER_ASSERT_MSG(0 == initgroups(newUserName.c_str(), 0), "Init groups failed");
121 gid_t list[NGROUPS_MAX + 1];
122 int grsize = getgroups(NGROUPS_MAX + 1, list);
124 PolicyConfiguration pc;
125 auto sysdGidVec = pc.groupToGid(pc.privToGroup(pc.getSystemdManagedPrivs()));
126 auto allPrivGids = pc.getGid();
127 unsigned int privGidsOther = 0;
128 for (int i = 0; i < grsize; ++i) {
129 RUNNER_ASSERT_MSG(std::find(sysdGidVec.begin(), sysdGidVec.end(), list[i]) == sysdGidVec.end() , "Process should not get gid " << list[i]);
130 if (std::find(allPrivGids.begin(), allPrivGids.end(), list[i]) != allPrivGids.end())
134 RUNNER_ASSERT_MSG(privGidsOther + sysdGidVec.size() == allPrivGids.size(), "Improper GID setup for process, has priv_*: " <<
135 privGidsOther << ", systemd managed all: " << sysdGidVec.size() << " , all: " << allPrivGids.size() );