projects / platform / core / test / security-tests.git / blob
? search:


ab6c0cd221c3b85625b541cf5ed58d59bb8c5fdd
[platform/core/test/security-tests.git] / tests / security-manager-tests / security_manager_tests.cpp
1 #include <dpl/test/test_runner.h>
2 #include <fcntl.h>
3 #include <stdio.h>
4 #include <memory.h>
5 #include <summary_collector.h>
6 #include <string>
7 #include <unordered_set>
8 #include <sys/capability.h>
9
10 #include <sys/socket.h>
11 #include <sys/un.h>
12 #include <attr/xattr.h>
13 #include <linux/xattr.h>
14
15 #include <grp.h>
16 #include <pwd.h>
17
18 #include <libprivilege-control_test_common.h>
19 #include <tests_common.h>
20
21 #include <security-manager.h>
22 #include <sm_db.h>
23 #include <cynara_test_client.h>
24
25 DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
26 DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr);
27
28 static const char *const SM_APP_ID1 = "sm_test_app_id_double";
29 static const char *const SM_PKG_ID1 = "sm_test_pkg_id_double";
30
31 static const char *const SM_APP_ID2 = "sm_test_app_id_full";
32 static const char *const SM_PKG_ID2 = "sm_test_pkg_id_full";
33
34 static const char *const SM_APP_ID3 = "sm_test_app_id_uid";
35 static const char *const SM_PKG_ID3 = "sm_test_pkg_id_uid";
36
37 static const privileges_t SM_ALLOWED_PRIVILEGES = {
38     "security_manager_test_rules2_r",
39     "security_manager_test_rules2_no_r"
40 };
41
42 static const privileges_t SM_DENIED_PRIVILEGES  = {
43     "security_manager_test_rules1",
44     "security_manager_test_rules2"
45 };
46
47 static const privileges_t SM_NO_PRIVILEGES  = {
48 };
49
50 static const std::vector<std::string> SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"};
51
52 static const char *const SM_PRIVATE_PATH = "/usr/apps/test_DIR/app_dir";
53 static const char *const SM_PUBLIC_RO_PATH = "/usr/apps/test_DIR/app_dir_public_ro";
54 static const char *const SM_DENIED_PATH = "/usr/apps/test_DIR/non_app_dir";
55 static const char *const SM_PRIVATE_PATH_FOR_USER = "/home/" APP_USER "/test_DIR";
56 static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
57
58 static void generateAppLabel(const std::string &pkgId, std::string &label)
59 {
60     (void) pkgId;
61     label = "User";
62 }
63
64 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
65                               const char* correctLabel, bool transmute_test, bool exec_test)
66 {
67     int result;
68     CStringPtr labelPtr;
69     char* label = nullptr;
70
71     /* ACCESS */
72     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
73     RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
74     labelPtr.reset(label);
75     RUNNER_ASSERT_MSG(label != nullptr, "ACCESS label on " << fpath << " is not set");
76     result = strcmp(correctLabel, label);
77     RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"
78             " (should be '" << correctLabel << "' and is '" << label << "')");
79
80
81     /* EXEC */
82     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
83     RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
84     labelPtr.reset(label);
85
86     if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
87         RUNNER_ASSERT_MSG(label != nullptr, "EXEC label on " << fpath << " is not set");
88         result = strcmp(correctLabel, label);
89         RUNNER_ASSERT_MSG(result == 0, "Incorrect EXEC label on executable file " << fpath);
90     } else
91         RUNNER_ASSERT_MSG(label == nullptr, "EXEC label on " << fpath << " is set");
92
93
94     /* TRANSMUTE */
95     result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
96     RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
97     labelPtr.reset(label);
98
99     if (S_ISDIR(sb->st_mode) && transmute_test == true) {
100         RUNNER_ASSERT_MSG(label != nullptr, "TRANSMUTE label on " << fpath << " is not set at all");
101         RUNNER_ASSERT_MSG(strcmp(label,"TRUE") == 0,
102                 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
103     } else {
104         RUNNER_ASSERT_MSG(label == nullptr, "TRANSMUTE label on " << fpath << " is set");
105     }
106
107     return 0;
108 }
109
110
111 static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
112                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
113 {
114     return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
115 }
116
117 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
118                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
119 {
120
121     return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
122 }
123
124 static app_inst_req* do_app_inst_req_new()
125 {
126     int result;
127     app_inst_req *req = nullptr;
128
129     result = security_manager_app_inst_req_new(&req);
130     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
131             "creation of new request failed. Result: " << result);
132     RUNNER_ASSERT_MSG(req != nullptr, "creation of new request did not allocate memory");
133     return req;
134 }
135
136 static void prepare_app_path()
137 {
138     int result;
139
140     result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
141     RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
142
143     result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
144     RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
145
146     result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
147     RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
148 }
149
150 static void prepare_app_env()
151 {
152     prepare_app_path();
153 }
154
155 /* TODO: add parameters to this function */
156 static void check_app_path_after_install()
157 {
158     int result;
159
160     result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
161     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
162
163     result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
164     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
165
166     result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
167     RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
168 }
169
170
171 static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
172                                   const privileges_t &allowed_privs, const privileges_t &denied_privs)
173 {
174     (void) app_id;
175     std::string smackLabel;
176     generateAppLabel(pkg_id, smackLabel);
177
178     CynaraTestClient ctc;
179
180     for (auto &priv : allowed_privs) {
181         ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_ALLOWED);
182     }
183
184     for (auto &priv : denied_privs) {
185         ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED);
186     }
187 }
188
189 static void check_app_gids(const char *const app_id, const std::vector<gid_t> &allowed_gids)
190 {
191     int ret;
192     gid_t main_gid = getgid();
193     std::unordered_set<gid_t> reference_gids(allowed_gids.begin(), allowed_gids.end());
194
195     // Reset supplementary groups
196     ret = setgroups(0, NULL);
197     RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
198
199     ret = security_manager_set_process_groups_from_appid(app_id);
200     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS,
201             "security_manager_set_process_groups_from_appid(" <<
202             app_id << ") failed. Result: " << ret);
203
204     ret = getgroups(0, nullptr);
205     RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
206
207     std::vector<gid_t> actual_gids(ret);
208     ret = getgroups(ret, actual_gids.data());
209     RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
210
211     for (const auto &gid : actual_gids) {
212         RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0,
213             "Application shouldn't get access to group " << gid);
214         reference_gids.erase(gid);
215     }
216
217     RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups");
218 }
219
220 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
221                                     const privileges_t &allowed_privs,
222                                     const privileges_t &denied_privs,
223                                     const std::vector<std::string> &allowed_groups)
224 {
225     TestSecurityManagerDatabase dbtest;
226     dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
227     dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
228
229     /*Privileges should be granted to all users if root installs app*/
230     check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
231
232     /* Setup mapping of gids to privileges */
233     /* Do this for each privilege for extra check */
234     for (const auto &privilege : allowed_privs) {
235         dbtest.setup_privilege_groups(privilege, allowed_groups);
236     }
237
238     std::vector<gid_t> allowed_gids;
239
240     for (const auto &groupName : allowed_groups) {
241         errno = 0;
242         struct group* grp = getgrnam(groupName.c_str());
243         RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found");
244         allowed_gids.push_back(grp->gr_gid);
245     }
246
247     check_app_gids(app_id, allowed_gids);
248 }
249
250 static void check_app_after_install(const char *const app_id, const char *const pkg_id)
251 {
252     TestSecurityManagerDatabase dbtest;
253     dbtest.test_db_after__app_install(app_id, pkg_id);
254 }
255
256 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
257                                       const privileges_t &privileges, const bool is_pkg_removed)
258 {
259     TestSecurityManagerDatabase dbtest;
260     dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
261
262
263     /*Privileges should not be granted anymore to any user*/
264     check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges);
265 }
266
267 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
268                                       const bool is_pkg_removed)
269 {
270     TestSecurityManagerDatabase dbtest;
271     dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
272 }
273
274 static void install_app(const char *app_id, const char *pkg_id)
275 {
276     int result;
277     AppInstReqUniquePtr request;
278     request.reset(do_app_inst_req_new());
279
280     result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
281     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
282             "setting app id failed. Result: " << result);
283
284     result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
285     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
286             "setting pkg id failed. Result: " << result);
287
288     result = security_manager_app_install(request.get());
289     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
290             "installing app failed. Result: " << result);
291
292     check_app_after_install(app_id, pkg_id);
293
294 }
295
296 static void uninstall_app(const char *app_id, const char *pkg_id,
297         bool expect_installed, bool expect_pkg_removed)
298 {
299     int result;
300     AppInstReqUniquePtr request;
301     request.reset(do_app_inst_req_new());
302
303     result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
304     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
305           "setting app id failed. Result: " << result);
306
307     result = security_manager_app_uninstall(request.get());
308     RUNNER_ASSERT_MSG(!expect_installed || (lib_retcode)result == SECURITY_MANAGER_SUCCESS,
309           "uninstalling app failed. Result: " << result);
310
311     check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed);
312 }
313
314
315 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
316
317
318 RUNNER_TEST(security_manager_01_app_double_install_double_uninstall)
319 {
320     int result;
321     AppInstReqUniquePtr request;
322
323     request.reset(do_app_inst_req_new());
324
325     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
326     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
327             "setting app id failed. Result: " << result);
328
329     result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID1);
330     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
331             "setting pkg id failed. Result: " << result);
332
333     result = security_manager_app_install(request.get());
334     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
335             "installing app failed. Result: " << result);
336
337     result = security_manager_app_install(request.get());
338     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
339             "installing already installed app failed. Result: " << result);
340
341     /* Check records in the security-manager database */
342     check_app_after_install(SM_APP_ID1, SM_PKG_ID1);
343
344     request.reset(do_app_inst_req_new());
345
346     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
347     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
348             "setting app id failed. Result: " << result);
349
350     result = security_manager_app_uninstall(request.get());
351     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
352             "uninstalling app failed. Result: " << result);
353
354     result = security_manager_app_uninstall(request.get());
355     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
356             "uninstalling already uninstalled app failed. Result: " << result);
357
358     /* Check records in the security-manager database */
359     check_app_after_uninstall(SM_APP_ID1, SM_PKG_ID1, TestSecurityManagerDatabase::REMOVED);
360 }
361
362 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
363 {
364     int result;
365     AppInstReqUniquePtr request;
366
367     prepare_app_env();
368
369     request.reset(do_app_inst_req_new());
370
371     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
372     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
373             "setting app id failed. Result: " << result);
374
375     result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID2);
376     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
377             "setting pkg id failed. Result: " << result);
378
379     result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[0].c_str());
380     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
381             "setting allowed permission failed. Result: " << result);
382     result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[1].c_str());
383     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
384             "setting allowed permission failed. Result: " << result);
385
386     result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH,
387                                                     SECURITY_MANAGER_PATH_PRIVATE);
388     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
389             "setting allowed path failed. Result: " << result);
390
391     result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH,
392                                                     SECURITY_MANAGER_PATH_PUBLIC_RO);
393     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
394             "setting allowed path failed. Result: " << result);
395
396     result = security_manager_app_install(request.get());
397     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
398             "installing app failed. Result: " << result);
399
400     /* Check records in the security-manager database */
401     check_app_after_install(SM_APP_ID2, SM_PKG_ID2,
402                             SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
403
404     /* TODO: add parameters to this function */
405     check_app_path_after_install();
406
407     request.reset(do_app_inst_req_new());
408
409     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
410     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
411             "setting app id failed. Result: " << result);
412
413     result = security_manager_app_uninstall(request.get());
414     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
415             "uninstalling app failed. Result: " << result);
416
417     /* Check records in the security-manager database,
418      * all previously allowed privileges should be removed */
419     check_app_after_uninstall(SM_APP_ID2, SM_PKG_ID2,
420                               SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
421 }
422
423 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
424 {
425     const char *const app_id = "sm_test_app_id_set_label_from_appid";
426     const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
427     const char *const expected_label = USER_APP_ID;
428     const char *const socketLabel = "not_expected_label";
429     char *label = nullptr;
430     CStringPtr labelPtr;
431     int result;
432
433     uninstall_app(app_id, pkg_id, false, true);
434     install_app(app_id, pkg_id);
435
436     struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
437     //Clean up before creating socket
438     unlink(SOCK_PATH);
439     int sock = socket(AF_UNIX, SOCK_STREAM, 0);
440     RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
441     SockUniquePtr sockPtr(&sock);
442     //Bind socket to address
443     result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
444     RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
445     //Set socket label to something different than expecedLabel
446     result = fsetxattr(sock, XATTR_NAME_SMACKIPIN, socketLabel,
447         strlen(socketLabel), 0);
448     RUNNER_ASSERT_ERRNO_MSG(result == 0,
449         "Can't set socket label. Result: " << result);
450     result = fsetxattr(sock, XATTR_NAME_SMACKIPOUT, socketLabel,
451         strlen(socketLabel), 0);
452     RUNNER_ASSERT_ERRNO_MSG(result == 0,
453         "Can't set socket label. Result: " << result);
454
455     result = security_manager_set_process_label_from_appid(app_id);
456     RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
457             "security_manager_set_process_label_from_appid(" <<
458             app_id << ") failed. Result: " << result);
459
460     char value[SMACK_LABEL_LEN + 1];
461     ssize_t size;
462     size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value));
463     RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
464     result = strcmp(expected_label, value);
465     RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
466         expected_label << " Actual: " << value);
467
468     size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value));
469     RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
470     result = strcmp(expected_label, value);
471     RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
472         expected_label << " Actual: " << value);
473
474     result = smack_new_label_from_self(&label);
475     RUNNER_ASSERT_MSG(result >= 0,
476             " Error getting current process label");
477     RUNNER_ASSERT_MSG(label != nullptr,
478             " Process label is not set");
479     labelPtr.reset(label);
480
481     result = strcmp(expected_label, label);
482     RUNNER_ASSERT_MSG(result == 0,
483             " Process label is incorrect. Expected: \"" << expected_label <<
484             "\" Actual: \"" << label << "\"");
485
486     uninstall_app(app_id, pkg_id, true, true);
487 }
488
489 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
490 {
491     const char *const app_id = "sm_test_app_id_set_label_from_appid";
492     const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
493     int result;
494
495     uninstall_app(app_id, pkg_id, false, true);
496     install_app(app_id, pkg_id);
497
498     result = security_manager_set_process_label_from_appid(app_id);
499     RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
500             "security_manager_set_process_label_from_appid(" <<
501             app_id << ") failed. Result: " << result);
502
503     uninstall_app(app_id, pkg_id, true, true);
504 }
505
506
507
508 static void prepare_request(AppInstReqUniquePtr &request,
509               const char *const app_id,
510               const char *const pkg_id,
511               app_install_path_type pathType,
512               const char *const path)
513 {
514     int result;
515     request.reset(do_app_inst_req_new());
516
517     result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
518     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
519             "setting app id failed. Result: " << result);
520
521     result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
522     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
523             "setting pkg id failed. Result: " << result);
524
525     result = security_manager_app_inst_req_add_path(request.get(), path, pathType);
526     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
527             "setting allowed path failed. Result: " << result);
528 }
529
530
531 static struct passwd* get_app_pw()
532 {
533     struct passwd *pw = nullptr;
534     errno = 0;
535     while(!(pw = getpwnam(APP_USER))) {
536         RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
537     }
538     return pw;
539 }
540
541 RUNNER_CHILD_TEST(security_manager_04_app_install_uninstall_by_app_user)
542 {
543     int result;
544     AppInstReqUniquePtr request;
545     struct passwd *pw = get_app_pw();
546     const std::string user =  std::to_string(static_cast<unsigned int>(pw->pw_uid));
547
548     //switch user to non-root
549     result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
550     RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
551
552     //install app as non-root user and try to register public path (should fail)
553     prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PUBLIC, SM_PRIVATE_PATH_FOR_USER);
554
555     result = security_manager_app_install(request.get());
556     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
557             "installing app not failed. Result: " << result);
558
559     //install app as non-root user
560     //should fail (non-root users may only register folders inside their home)
561     prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH);
562
563     result = security_manager_app_install(request.get());
564     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
565             "installing app not failed. Result: " << result);
566
567     //install app as non-root user
568     //should succeed - this time i register folder inside user's home dir
569     prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH_FOR_USER);
570
571     for (auto &privilege : SM_ALLOWED_PRIVILEGES) {
572         result = security_manager_app_inst_req_add_privilege(request.get(), privilege.c_str());
573         RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
574             "setting allowed permission failed. Result: " << result);
575     }
576
577     result = security_manager_app_install(request.get());
578     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
579             "installing app failed. Result: " << result);
580
581     check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
582
583     //uninstall app as non-root user
584     request.reset(do_app_inst_req_new());
585
586     result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID3);
587     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
588             "setting app id failed. Result: " << result);
589
590     result = security_manager_app_uninstall(request.get());
591     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
592             "uninstalling app failed. Result: " << result);
593
594     check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
595 }
596
597 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
598 {
599     int result;
600     CapsSetsUniquePtr caps, caps_empty(cap_init());
601
602     caps.reset(cap_from_text("all=eip"));
603     RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text");
604     result = cap_set_proc(caps.get());
605     RUNNER_ASSERT_MSG(result == 0,
606         "can't set capabilities. Result: " << result);
607
608     result = security_manager_drop_process_privileges();
609     RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
610         "dropping caps failed. Result: " << result);
611
612     caps.reset(cap_get_proc());
613     RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
614
615     result = cap_compare(caps.get(), caps_empty.get());
616     RUNNER_ASSERT_MSG(result == 0,
617         "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
618 }
619
620 int main(int argc, char *argv[])
621 {
622     SummaryCollector::Register();
623     return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
624 }
Domain: Security / Uncategorized;