checkPrivileges({}, deniedPrivs);
}
-void AppInstallHelperExt::checkPrivilegeGroups(const PrivilegeVector &allowedPrivs) const
+void AppInstallHelperExt::checkGroupPrivileges(const PrivilegeVector &expectedPrivs) const
{
static PolicyConfiguration policy;
- const auto allowed_groups = policy.privToGroup(allowedPrivs);
- RUNNER_ASSERT_MSG(allowed_groups.size() == allowedPrivs.size(),
+
+ // get expected groups
+ auto expectedGids = policy.groupToGid(policy.privToGroup(expectedPrivs));
+ RUNNER_ASSERT_MSG(expectedGids.size() == expectedPrivs.size(),
"Some privileges given were not found in the policy");
+ std::sort(expectedGids.begin(), expectedGids.end());
- std::vector<gid_t> allowed_gids;
- for (const auto &groupName : allowed_groups) {
- errno = 0;
- struct group* grp = getgrnam(groupName.c_str());
- RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found");
- allowed_gids.push_back(grp->gr_gid);
- }
+ // get current process groups
+ int ret = getgroups(0, nullptr);
+ RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
- checkGids(allowed_gids);
+ std::vector<gid_t> actualGids(ret);
+ ret = getgroups(ret, actualGids.data());
+ RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
+
+ // remove groups unrelated to privileges
+ const auto allPrivGids = policy.getGid();
+ auto notPrivGid = [&](gid_t gid){
+ return std::find(allPrivGids.begin(), allPrivGids.end(), gid) == allPrivGids.end();
+ };
+ actualGids.erase(std::remove_if(actualGids.begin(), actualGids.end(), notPrivGid),
+ actualGids.end());
+ std::sort(actualGids.begin(), actualGids.end());
+
+ // expected but not allowed
+ std::vector<gid_t> notAllowedGids;
+ std::set_difference(expectedGids.begin(), expectedGids.end(),
+ actualGids.begin(), actualGids.end(),
+ std::back_inserter(notAllowedGids));
+
+ RUNNER_ASSERT_MSG(notAllowedGids.empty(),
+ notAllowedGids.size() << " expected groups were not assigned");
+
+ // allowed but not expected
+ std::vector<gid_t> notDeniedGids;
+ std::set_difference(actualGids.begin(), actualGids.end(),
+ expectedGids.begin(), expectedGids.end(),
+ std::back_inserter(notDeniedGids));
+
+ RUNNER_ASSERT_MSG(notDeniedGids.empty(),
+ notDeniedGids.size() << " unexpected groups were assigned");
}
void AppInstallHelperExt:: checkSmackPrivileges(const PrivilegeVector &allowedPrivs,
}
}
-void AppInstallHelperExt::checkGids(const std::vector<gid_t> &allowedGids) const
-{
- int ret;
- std::unordered_set<gid_t> referenceGids(allowedGids.begin(), allowedGids.end());
-
- // Reset supplementary groups
- ret = setgroups(0, NULL);
- RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
-
- Api::setProcessGroups(m_appName);
-
- ret = getgroups(0, nullptr);
- RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
-
- std::vector<gid_t> actualGids(ret);
- ret = getgroups(ret, actualGids.data());
- RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
-
- for (const auto &gid : actualGids) {
- RUNNER_ASSERT_MSG(referenceGids.count(gid) > 0,
- "Application shouldn't get access to group " << gid);
- referenceGids.erase(gid);
- }
-
- RUNNER_ASSERT_MSG(referenceGids.empty(), "Application didn't get access to some groups");
-}
-
} // namespace SecurityManagerTest
projects / platform / core / test / security-tests.git / blobdiff