/*
- * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2016-2020 Samsung Electronics Co., Ltd. All rights reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_NSS_PLUGIN)
-RUNNER_CHILD_TEST(nss_01_unknown_user) {
+RUNNER_CHILD_TEST(nss_01_normal_user_without_inter_daemon_groups) {
const std::string newUserName = "nss_01_user";
- PolicyConfiguration pc;
TemporaryTestUser testUser(newUserName, GUM_USERTYPE_NORMAL, false);
testUser.create();
- auto gidVector = pc.getGid();
+ UserRequest addUserRequest;
+ addUserRequest.setUid(testUser.getUid());
+ addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
+ Api::addUser(addUserRequest);
RUNNER_ASSERT_MSG(0 == initgroups(newUserName.c_str(), 0), "Init groups failed");
- gid_t list[64];
- int grsize = getgroups(64, list);
- size_t counter = 0;
+ gid_t list[NGROUPS_MAX + 1];
+ int grsize = getgroups(NGROUPS_MAX + 1, list);
- for (size_t i=0; i<gidVector.size(); ++i) {
- for (int j=0; j<grsize; ++j)
- if(list[j] == gidVector[i]) {
- counter++;
- break;
- }
+ PolicyConfiguration pc;
+ auto sysdGidVec = pc.groupToGid(pc.privToGroup(pc.getSystemdManagedPrivs()));
+ auto allPrivGids = pc.getGid();
+ unsigned int privGidsOther = 0;
+ for (int i = 0; i < grsize; ++i) {
+ RUNNER_ASSERT_MSG(std::find(sysdGidVec.begin(), sysdGidVec.end(), list[i]) == sysdGidVec.end() , "Process should not get gid " << list[i]);
+ if (std::find(allPrivGids.begin(), allPrivGids.end(), list[i]) != allPrivGids.end())
+ ++privGidsOther;
}
- RUNNER_ASSERT_MSG(gidVector.size() == counter,
- "Process should have all groups related with privileges but it have only " <<
- counter << " of " << gidVector.size() << " required groups");
+ RUNNER_ASSERT_MSG(privGidsOther + sysdGidVec.size() == allPrivGids.size(), "Improper GID setup for process, has priv_*: " <<
+ privGidsOther << ", systemd managed all: " << sysdGidVec.size() << " , all: " << allPrivGids.size() );
}
-RUNNER_CHILD_TEST(nss_02_normal_user_all_priv) {
+RUNNER_CHILD_TEST(nss_02_guest_user_without_inter_daemon_groups) {
const std::string newUserName = "nss_02_user";
- PolicyConfiguration pc;
- TemporaryTestUser testUser(newUserName, GUM_USERTYPE_NORMAL, false);
+ TemporaryTestUser testUser(newUserName, GUM_USERTYPE_GUEST, false);
testUser.create();
- auto gidVector = pc.getUserGid(PolicyConfiguration::NORMAL);
-
UserRequest addUserRequest;
addUserRequest.setUid(testUser.getUid());
- addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
+ addUserRequest.setUserType(SM_USER_TYPE_GUEST);
Api::addUser(addUserRequest);
RUNNER_ASSERT_MSG(0 == initgroups(newUserName.c_str(), 0), "Init groups failed");
- gid_t list[64];
- int grsize = getgroups(64, list);
- size_t counter = 0;
+ gid_t list[NGROUPS_MAX + 1];
+ int grsize = getgroups(NGROUPS_MAX + 1, list);
- for (size_t i=0; i<gidVector.size(); ++i) {
- for (int j=0; j<grsize; ++j)
- if(list[j] == gidVector[i]) {
- counter++;
- break;
- }
+ PolicyConfiguration pc;
+ auto sysdGidVec = pc.groupToGid(pc.privToGroup(pc.getSystemdManagedPrivs()));
+ auto allPrivGids = pc.getGid();
+ unsigned int privGidsOther = 0;
+ for (int i = 0; i < grsize; ++i) {
+ RUNNER_ASSERT_MSG(std::find(sysdGidVec.begin(), sysdGidVec.end(), list[i]) == sysdGidVec.end() , "Process should not get gid " << list[i]);
+ if (std::find(allPrivGids.begin(), allPrivGids.end(), list[i]) != allPrivGids.end())
+ ++privGidsOther;
}
- RUNNER_ASSERT_MSG(gidVector.size() == counter,
- "Process should have all groups related with privileges but it have only " <<
- counter << " of " << gidVector.size() << " required groups");
+ RUNNER_ASSERT_MSG(privGidsOther + sysdGidVec.size() == allPrivGids.size(), "Improper GID setup for process, has priv_*: " <<
+ privGidsOther << ", systemd managed all: " << sysdGidVec.size() << " , all: " << allPrivGids.size() );
}
-RUNNER_CHILD_TEST(nss_03_normal_user_without_camera) {
+
+RUNNER_CHILD_TEST(nss_03_guest_user_without_inter_daemon_groups_unaffected_by_cynara) {
const std::string newUserName = "nss_03_user";
- TemporaryTestUser testUser(newUserName, GUM_USERTYPE_NORMAL, false);
+ TemporaryTestUser testUser(newUserName, GUM_USERTYPE_GUEST, false);
testUser.create();
- gid_t cameraPrivId = nameToGid("priv_camera");
UserRequest addUserRequest;
addUserRequest.setUid(testUser.getUid());
- addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
+ addUserRequest.setUserType(SM_USER_TYPE_GUEST);
Api::addUser(addUserRequest);
+ // Removing one more privilege from policy (that has GID associated), which should not affect nss daemon groups
PolicyRequest policyRequest;
+
PolicyEntry entry(
SECURITY_MANAGER_ANY,
std::to_string(static_cast<int>(testUser.getUid())),
"http://tizen.org/privilege/camera");
entry.setMaxLevel("Deny");
+
policyRequest.addEntry(entry);
Api::sendPolicy(policyRequest);
RUNNER_ASSERT_MSG(0 == initgroups(newUserName.c_str(), 0), "Init groups failed");
- gid_t list[64];
- int grsize = getgroups(64, list);
- size_t counter = 0;
-
- for (int i=0; i<grsize; ++i) {
- if (list[i] == cameraPrivId) {
- counter++;
- break;
- }
- }
-
- RUNNER_ASSERT_MSG(0 == counter, "Process should not have priv_camera group");
-
- PolicyConfiguration pc;
- auto gidVector = pc.getUserGid(PolicyConfiguration::NORMAL);
- gidVector.erase(
- std::remove_if(gidVector.begin(), gidVector.end(), [=](gid_t g) { return g == cameraPrivId; }),
- gidVector.end());
-
- for (size_t i=0; i<gidVector.size(); ++i) {
- for (int j=0; j<grsize; ++j)
- if(list[j] == gidVector[i]) {
- counter++;
- break;
- }
- }
-
- RUNNER_ASSERT_MSG(gidVector.size() == counter,
- "Process should have all groups related with privileges but it have only " <<
- counter << " of " << gidVector.size() << " required groups");
-}
-
-RUNNER_CHILD_TEST(nss_04_guest_user) {
- const std::string newUserName = "nss_04_user";
- TemporaryTestUser testUser(newUserName, GUM_USERTYPE_GUEST, false);
- testUser.create();
-
- UserRequest addUserRequest;
- addUserRequest.setUid(testUser.getUid());
- addUserRequest.setUserType(SM_USER_TYPE_GUEST);
- Api::addUser(addUserRequest);
-
- RUNNER_ASSERT_MSG(0 == initgroups(newUserName.c_str(), 0), "Init groups failed");
-
- gid_t list[64];
- int grsize = getgroups(64, list);
- size_t counter = 0;
+ gid_t list[NGROUPS_MAX + 1];
+ int grsize = getgroups(NGROUPS_MAX + 1, list);
PolicyConfiguration pc;
- auto gidVector = pc.getUserGid(PolicyConfiguration::GUEST);
-
- for (size_t i=0; i<gidVector.size(); ++i) {
- for (int j=0; j<grsize; ++j)
- if(list[j] == gidVector[i]) {
- counter++;
- break;
- }
+ auto sysdGidVec = pc.groupToGid(pc.privToGroup(pc.getSystemdManagedPrivs()));
+ auto allPrivGids = pc.getGid();
+ unsigned int privGidsOther = 0;
+ for (int i = 0; i < grsize; ++i) {
+ RUNNER_ASSERT_MSG(std::find(sysdGidVec.begin(), sysdGidVec.end(), list[i]) == sysdGidVec.end() , "Process should not get gid " << list[i]);
+ if (std::find(allPrivGids.begin(), allPrivGids.end(), list[i]) != allPrivGids.end())
+ ++privGidsOther;
}
- RUNNER_ASSERT_MSG(gidVector.size() == counter,
- "Process should have all groups related with privileges but it have only " <<
- counter << " of " << gidVector.size() << " required groups");
+ RUNNER_ASSERT_MSG(privGidsOther + sysdGidVec.size() == allPrivGids.size(), "Improper GID setup for process, has priv_*: " <<
+ privGidsOther << ", systemd managed all: " << sysdGidVec.size() << " , all: " << allPrivGids.size() );
}
-
-