Merge branch 'tizen' into security-manager

Change-Id: I3fa314322c8005c432cbdcfca15043d3679622b9

diff --git a/packaging/security-tests.spec b/packaging/security-tests.spec
index f815452..709a3e6 100644 (file)
--- a/packaging/security-tests.spec
+++ b/packaging/security-tests.spec
@@ -63,14 +63,15 @@ cmake . -DCMAKE_INSTALL_PREFIX=%{_prefix} \
         -DLOCAL_APP_DIR="%{TZ_SYS_HOME}/security_test_user/apps_rw"
 make %{?jobs:-j%jobs}
 
+%pre
+id -u  security_test_user 1>/dev/null 2>&1 || \
+    gum-utils -o -a --username=security_test_user --usertype=normal
+
 %install
 %make_install
 ln -sf /etc/smack/test_smack_rules %{buildroot}/etc/smack/test_smack_rules_lnk
 
 %post
-id -u  security_test_user 1>/dev/null 2>&1 || \
-    gum-utils -o -a --username=security_test_user --usertype=normal
-
 # Reload dbus daemon to apply newly installed configuration
 systemctl reload dbus
 
@@ -94,7 +95,7 @@ echo "security-tests postinst done ..."
 /etc/smack/test_smack_rules
 /etc/smack/test_smack_rules_lnk
 %{TZ_SYS_RW_APP}*
-%{TZ_SYS_HOME}/security_test_user/apps_rw/*
+%attr(755, security_test_user,users) %{TZ_SYS_HOME}/security_test_user/apps_rw/*
 /usr/bin/cynara-test
 /usr/bin/ckm-tests
 /usr/bin/ckm-integration-tests

diff --git a/src/security-manager-tests/test_cases_prepare_app.cpp b/src/security-manager-tests/test_cases_prepare_app.cpp
index bebb90a..9ddddf1 100644 (file)
--- a/src/security-manager-tests/test_cases_prepare_app.cpp
+++ b/src/security-manager-tests/test_cases_prepare_app.cpp
@@ -16,6 +16,7 @@
 
 #include <sys/smack.h>
 #include <sys/capability.h>
+#include <sys/prctl.h>
 
 #include <thread>
 #include <string>
@@ -38,7 +39,7 @@ namespace {
 bool finish = false;
 const size_t THREADS = 10;
 
-const std::string SYNC_TEST_APP("app100");
+const std::string APP_TEST_USER = "app_test_user";
 
 typedef std::unique_ptr<_cap_struct, decltype(&cap_free)> CapPtr;
 
@@ -108,13 +109,38 @@ struct ThreadWrapper
     std::thread thread;
 };
 
+int setLauncherSecurityAttributes(TemporaryTestUser &user)
+{
+    // Add launcher capabilities (cap_dac_override, cap_setgid, cap_sys_admin, cap_mac_admin),
+    // launcher is user process, we must drop root privileges (cap_setgid, cap_setuid are needed).
+    // By default, the permitted capability set is cleared when credentials change is made
+    // (if a process drops a capability from its permitted set, it can never reacquire that capability),
+    // setting the "keep capabilities" flag prevents it from being cleared.
+    // Effective capability set is always cleared when credential change is made, we need to add them again.
+
+    setCaps("cap_dac_override+ep cap_setgid+ep cap_sys_admin+ep cap_mac_admin+ep cap_setuid+ep");
+    int ret = prctl(PR_SET_KEEPCAPS, 1, 0, 0);
+    if (ret != 0)
+        return ret;
+
+    ret = drop_root_privileges(user.getUid(), user.getGid());
+    if (ret != 0)
+        return ret;
+
+    setCaps("cap_dac_override+ep cap_setgid+ep cap_sys_admin+ep cap_mac_admin+ep");
+    return ret;
+}
+
 } // anonymous namespace
 
 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_PREPARE_APP)
 
 RUNNER_CHILD_TEST(security_manager_100_synchronize_credentials_test)
 {
-    AppInstallHelper app(SYNC_TEST_APP.c_str());
+    TemporaryTestUser tmpUser(APP_TEST_USER, GUM_USERTYPE_NORMAL, false);
+    tmpUser.create();
+
+    AppInstallHelper app("app100", tmpUser.getUid());
     ScopedInstaller appInstall(app);
     const std::string expectedLabel = app.generateAppLabel();
 
@@ -122,6 +148,8 @@ RUNNER_CHILD_TEST(security_manager_100_synchronize_credentials_test)
     RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
     if (pid == 0) {
         {
+            RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed");
+
             ThreadWrapper threads[THREADS];
 
             for (size_t i = 0; i < THREADS; i++)