const bool TestSecurityManagerDatabase::NOT_REMOVED = false;
const bool TestSecurityManagerDatabase::REMOVED = true;
-TestSecurityManagerDatabase::TestSecurityManagerDatabase() : m_base(PRIVILEGE_DB_PATH)
+TestSecurityManagerDatabase::TestSecurityManagerDatabase() : m_base(PRIVILEGE_DB_PATH, SQLITE_OPEN_READWRITE)
{
}
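Review bot: Every `TestSecurityManagerDatabase` instance now holds a read-write handle on `PRIVILEGE_DB_PATH`, including the ones that only verify rows after install. Only the new `setup_privilege_gids()` in this commit appears to need write access; the mode used before this change is not visible here. Consider keeping the default open mode in the constructor and reopening read-write inside the setup helper. Failing that, record the reason on the initializer, e.g. `// READWRITE: required by setup_privilege_gids(); the check helpers only SELECT`.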
return result.rows.size() == 1;
}
+
+void TestSecurityManagerDatabase::setup_privilege_gids(const std::string &privilege,
+ const std::vector<gid_t> &gids)
+{
+ Sqlite3DBaseSelectResult result;
+ std::ostringstream sql;
+
+ if (!m_base.is_open())
+ m_base.open();
+
+ sql << "INSERT OR IGNORE INTO privilege (name) VALUES ('" << privilege << "')";
+ m_base.execute(sql.str(), result);
+
+ for (const auto &gid : gids) {
+ sql.clear();
+ sql.str("");
+ sql << "INSERT OR IGNORE INTO privilege_gid (privilege_id, gid) "
+ "VALUES ((SELECT privilege_id FROM privilege WHERE name = '"
+ << privilege << "')," << (int) gid << ")";
+ m_base.execute(sql.str(), result);
+ }
+}
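Review bot: `setup_privilege_gids()` splices `privilege` straight into both INSERT statements, so a name containing a single quote breaks the SQL or changes its meaning. If `Sqlite3DBase` exposes parameter binding (not visible in this hunk), use it; otherwise reject names containing `'` before building the string. The `(int) gid` cast narrows an unsigned `gid_t` and would write a negative number for large ids; streaming the value directly, `<< privilege << "')," << gid << ")"`, avoids that. The rows written to `privilege` and `privilege_gid` are never removed, so the mapping stays in the policy database after the test run unless cleanup happens elsewhere.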
#include <memory.h>
#include <summary_collector.h>
#include <string>
+#include <unordered_set>
+
+#include <grp.h>
#include <libprivilege-control_test_common.h>
#include <tests_common.h>
static const privileges_t SM_NO_PRIVILEGES = {
};
+static const std::vector<gid_t> SM_ALLOWED_GIDS = {6001, 6002};
+
static const char *const SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir";
static const char *const SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public";
static const char *const SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro";
}
}
+static void check_app_gids(const char *const app_id, const std::vector<gid_t> &allowed_gids)
+{
+ int ret;
+ gid_t main_gid = getgid();
+ std::unordered_set<gid_t> reference_gids(allowed_gids.begin(), allowed_gids.end());
+
+ // Reset supplementary groups
+ ret = setgroups(0, NULL);
+ RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
+
+ ret = security_manager_set_process_groups_from_appid(app_id);
+ RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS,
+ "security_manager_set_process_groups_from_appid(" <<
+ app_id << ") failed. Result: " << ret);
+
+ ret = getgroups(0, nullptr);
+ RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
+
+ std::vector<gid_t> actual_gids(ret);
+ ret = getgroups(ret, actual_gids.data());
+ RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
+
+ for (const auto &gid : actual_gids) {
+ RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0,
+ "Application shouldn't get access to group " << gid);
+ reference_gids.erase(gid);
+ }
+
+ RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups");
+}
+
static void check_app_after_install(const char *const app_id, const char *const pkg_id,
const privileges_t &allowed_privs,
- const privileges_t &denied_privs)
+ const privileges_t &denied_privs,
+ const std::vector<gid_t> &allowed_gids)
{
TestSecurityManagerDatabase dbtest;
dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
/*Privileges should be granted to all users if root installs app*/
check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
+
+ /* Setup mapping of gids to privileges */
+ /* Do this for each privilege for extra check */
+ for (const auto &privilege : allowed_privs) {
+ dbtest.setup_privilege_gids(privilege, allowed_gids);
+ }
+
+ check_app_gids(app_id, allowed_gids);
}
static void check_app_after_install(const char *const app_id, const char *const pkg_id)
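Review bot: `check_app_gids()` clears the supplementary groups of the calling process with `setgroups(0, NULL)` and never restores them after `security_manager_set_process_groups_from_appid()`. Unless the runner forks per test case (not visible here), every later check in the same process runs with the application's groups instead of the original ones. Saving the list first and restoring it right after the second `getgroups()` call, before any content assertion can abort the function, keeps the change local. Two smaller points: getgroups(2) may include the effective GID, so `main_gid` should come from `getegid()` rather than `getgid()`, and `actual_gids` should be resized to the count returned by the second `getgroups()` call.

```cpp
static void check_app_gids(const char *const app_id, const std::vector<gid_t> &allowed_gids)
{
    int ret;
    gid_t main_gid = getegid();

    // Remember the caller's supplementary groups so they can be put back afterwards
    int saved_count = getgroups(0, nullptr);
    RUNNER_ASSERT_MSG(saved_count != -1, "Unable to get supplementary groups");
    std::vector<gid_t> saved_gids(saved_count);
    saved_count = getgroups(saved_count, saved_gids.data());
    RUNNER_ASSERT_MSG(saved_count != -1, "Unable to get supplementary groups");
    saved_gids.resize(saved_count);

    // … unchanged: reference_gids, setgroups(0, NULL), set_process_groups_from_appid, first getgroups …

    ret = getgroups(ret, actual_gids.data());
    RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
    actual_gids.resize(ret);

    // Put the original groups back before the content assertions can abort the function
    ret = setgroups(saved_gids.size(), saved_gids.data());
    RUNNER_ASSERT_MSG(ret != -1, "Unable to restore supplementary groups");

    // … unchanged: comparison loop and final reference_gids.empty() assertion …
```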
/* Check records in the security-manager database */
check_app_after_install(SM_APP_ID2, SM_PKG_ID2,
- SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
+ SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GIDS);
/* TODO: add parameters to this function */
check_app_path_after_install();