2 * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 // cstdlibg has to be included before attr/xattr
19 #include <attr/xattr.h>
24 #include <sys/capability.h>
25 #include <sys/smack.h>
26 #include <sys/types.h>
29 #include <cynara-admin.h>
31 #include <app_install_helper.h>
32 #include <cynara_test_admin.h>
33 #include <dpl/test/test_runner.h>
34 #include <message_pipe.h>
35 #include <policy_configuration.h>
36 #include <scoped_installer.h>
37 #include <scoped_label.h>
38 #include <service_manager.h>
40 #include <sm_commons.h>
41 #include <sm_request.h>
42 #include <synchronization_pipe.h>
43 #include <temp_test_user.h>
44 #include <tests_common.h>
45 #include <tzplatform.h>
48 using namespace SecurityManagerTest;
51 std::vector<std::string> merge(const std::vector<std::string> &one, const std::vector<std::string> &two) {
52 std::vector<std::string> sum;
53 sum.reserve(one.size() + two.size());
54 sum.insert(sum.end(), one.begin(), one.end());
55 sum.insert(sum.end(), two.begin(), two.end());
60 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
62 RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall)
64 AppInstallHelper app("sm_test_01a_app");
66 ScopedInstaller appInstall(app);
67 check_app_after_install(app.getAppId(), app.getPkgId());
69 ScopedInstaller appInstall2(app);
70 check_app_after_install(app.getAppId(), app.getPkgId());
72 check_app_after_uninstall(app.getAppId(), app.getPkgId());
76 RUNNER_TEST(security_manager_01b_app_double_install_wrong_pkg_id)
78 AppInstallHelper app("sm_test_01b");
80 ScopedInstaller appInstall(app);
82 InstallRequest requestInst2;
83 requestInst2.setAppId(app.getAppId());
84 requestInst2.setPkgId(app.getPkgId() + "_wrong");
86 Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM);
88 check_app_after_install(app.getAppId(), app.getPkgId());
90 check_app_after_uninstall(app.getAppId(), app.getPkgId());
93 RUNNER_TEST(security_manager_01c_app_uninstall_wrong_pkg_id)
95 AppInstallHelper app("sm_test_01c");
96 ScopedInstaller appInstall(app);
98 check_app_after_install(app.getAppId(), app.getPkgId());
100 InstallRequest requestUninst;
101 requestUninst.setAppId(app.getAppId());
102 requestUninst.setPkgId(app.getPkgId() + "_wrong_pkg_id");
104 Api::uninstall(requestUninst, SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
108 * This test uses files installed with security-tests package
110 RUNNER_TEST(security_manager_01d_app_install_complicated_dir_tree)
112 const std::string appId = "sm_test_01d_app_id_full";
113 const std::string pkgId = "sm_test_01d_pkg_id_full";
115 const std::string rootDir = TzPlatformConfig::globalAppDir() + "/" + pkgId + "/";
116 const std::string privateDir = rootDir + "app_dir/";
117 const std::string privateRODir = rootDir + "app_dir_ro/";
118 const std::string publicRODir = rootDir + "app_dir_public_ro/";
119 const std::string sharedRODir = rootDir + "app_dir_rw_others_ro/";
121 int result = nftw(rootDir.c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
122 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << rootDir);
124 InstallRequest requestInst;
125 requestInst.setAppId(appId);
126 requestInst.setPkgId(pkgId);
127 requestInst.addPath(privateDir, SECURITY_MANAGER_PATH_RW);
128 requestInst.addPath(privateRODir, SECURITY_MANAGER_PATH_RO);
129 requestInst.addPath(publicRODir, SECURITY_MANAGER_PATH_PUBLIC_RO);
130 requestInst.addPath(sharedRODir, SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
131 Api::install(requestInst);
133 std::unique_ptr<InstallRequest, std::function<void(InstallRequest*)>> appCleanup(&requestInst,
134 [](InstallRequest *req) {
135 Api::uninstall(*req);
138 check_path(privateDir, generatePathRWLabel(pkgId));
139 check_path(privateRODir, generatePathROLabel(pkgId), false);
140 check_path(publicRODir, getPublicPathLabel());
141 check_path(sharedRODir, generatePathSharedROLabel(pkgId));
144 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
146 PolicyConfiguration policy;
147 PolicyConfiguration::PrivGroupMap privGroupMap = policy.getPrivGroupMap();
149 RUNNER_ASSERT_MSG(privGroupMap.size() >= 4, "Failed to get policy of a suitable size");
151 privileges_t allowedPrivs;
152 privileges_t someDeniedPrivs;
155 for (auto const &it: privGroupMap) {
157 allowedPrivs.push_back(it.first);
158 else if (counter < 4)
159 someDeniedPrivs.push_back(it.first);
165 AppInstallHelper app("sm_test_02");
166 app.createPrivateDir();
167 app.createPrivateRODir();
168 app.createPublicDir();
169 app.createSharedRODir();
170 app.addPrivileges(allowedPrivs);
172 ScopedInstaller appInstall(app);
174 check_app_after_install(app.getAppId(), app.getPkgId(),
175 app.getPrivileges(), someDeniedPrivs);
177 check_path(app.getPrivateDir(), generatePathRWLabel(app.getPkgId()));
178 check_path(app.getPrivateRODir(), generatePathROLabel(app.getPkgId()), false);
179 check_path(app.getPublicDir(), getPublicPathLabel());
180 check_path(app.getSharedRODir(), generatePathSharedROLabel(app.getPkgId()));
183 check_app_after_uninstall(app.getAppId(), app.getPkgId(), app.getPrivileges());
186 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
188 std::string expectedSockLabel = "labelExpectedOnlyFromSocket";
190 AppInstallHelper app("sm_test_03a");
191 std::string expectedProcLabel = generateProcessLabel(app.getAppId(), app.getPkgId());
193 const auto sockaddr = UDSHelpers::makeAbstractAddress("sm_test_03a.socket");
194 int sock = UDSHelpers::createServer(&sockaddr);
195 SockUniquePtr sockPtr(&sock);
197 //Set socket label to something different than expeced process label
198 int result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPIN, expectedSockLabel.c_str());
199 RUNNER_ASSERT_ERRNO_MSG(result == 0,
200 "Can't set socket label. Result: " << result);
201 result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPOUT, expectedSockLabel.c_str());
202 RUNNER_ASSERT_ERRNO_MSG(result == 0,
203 "Can't set socket label. Result: " << result);
205 ScopedInstaller appInstall(app);
208 RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
209 if (pid == 0) { // child
210 Api::setProcessLabel(app.getAppId());
212 char *label = nullptr;
214 result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPIN, &label);
215 RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
216 labelPtr.reset(label);
217 result = expectedSockLabel.compare(label);
218 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
219 expectedProcLabel << " Actual: " << label);
221 result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPOUT, &label);
222 RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
223 labelPtr.reset(label);
224 result = expectedSockLabel.compare(label);
225 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
226 expectedProcLabel << " Actual: " << label);
228 result = smack_new_label_from_self(&label);
229 RUNNER_ASSERT_MSG(result >= 0,
230 " Error getting current process label");
231 RUNNER_ASSERT_MSG(label != nullptr,
232 " Process label is not set");
233 labelPtr.reset(label);
235 result = expectedProcLabel.compare(label);
236 RUNNER_ASSERT_MSG(result == 0,
237 " Process label is incorrect. Expected: \"" << expectedProcLabel <<
238 "\" Actual: \"" << label << "\"");
244 RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
246 const std::vector<std::string> allowedPrivs = {
247 "http://tizen.org/privilege/bluetooth",
248 "http://tizen.org/privilege/power"
250 const std::vector<std::string> someDeniedPrivs = {
251 "http://tizen.org/privilege/display",
252 "http://tizen.org/privilege/nfc"
255 TemporaryTestUser testUser("sm_test_04a_user_name", GUM_USERTYPE_NORMAL);
258 AppInstallHelper app("sm_test_04a", testUser.getUid());
259 app.addPrivileges(allowedPrivs);
261 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
262 "drop_root_privileges failed");
264 ScopedInstaller appInstall(app, false);
265 check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
266 allowedPrivs, someDeniedPrivs);
268 check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
269 {}, merge(allowedPrivs, someDeniedPrivs));
272 RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user) {
273 const std::vector<std::string> allowedPrivs = {
274 "http://tizen.org/privilege/internet",
275 "http://tizen.org/privilege/led"
277 const std::vector<std::string> someDeniedPrivs = {
278 "http://tizen.org/privilege/location",
279 "http://tizen.org/privilege/notification"
282 TemporaryTestUser testUser("sm_test_04b_user_name", GUM_USERTYPE_NORMAL);
285 AppInstallHelper app("sm_test_04b", testUser.getUid());
286 app.addPrivileges(allowedPrivs);
289 ScopedInstaller appInstall(app);
290 check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
291 allowedPrivs, someDeniedPrivs);
293 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
294 "drop_root_privileges failed");
296 check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
297 {}, merge(allowedPrivs, someDeniedPrivs));
300 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
303 CapsSetsUniquePtr caps_empty(cap_init());
304 auto caps = setCaps("all=eip");
305 Api::dropProcessPrivileges();
307 caps.reset(cap_get_proc());
308 RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
310 result = cap_compare(caps.get(), caps_empty.get());
311 RUNNER_ASSERT_MSG(result == 0,
312 "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
315 RUNNER_TEST(security_manager_06_install_app_offline)
317 ServiceManager("security-manager.service").stopService();
319 ServiceManager serviceManager("security-manager.socket");
320 serviceManager.stopService();
322 AppInstallHelper app("sm_test_06");
323 ScopedInstaller appInstall(app);
324 // TODO - check if app is installed properly
325 // start service before uninstall, offline mode doesn't support uninstall
326 serviceManager.startService();
327 appInstall.uninstallApp();
328 // TODO - check if app is uninstalled properly
331 RUNNER_TEST(security_manager_07a_user_add_app_install)
333 const std::vector<std::string> allowedPrivs = {
334 "http://tizen.org/privilege/internet",
335 "http://tizen.org/privilege/led"
337 const std::vector<std::string> someDeniedPrivs = {
338 "http://tizen.org/privilege/location",
339 "http://tizen.org/privilege/notification"
342 TemporaryTestUser testUser("sm_test_07a_user_name", GUM_USERTYPE_NORMAL);
345 AppInstallHelper app("sm_test_07a", testUser.getUid());
346 app.addPrivileges(allowedPrivs);
349 req.setAppId(app.getAppId());
350 req.setPkgId(app.getPkgId());
351 req.setUid(app.getUID());
352 for (const auto &priv: app.getPrivileges()) {
353 req.addPrivilege(priv);
357 check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
358 allowedPrivs, someDeniedPrivs);
362 check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
363 {}, merge(allowedPrivs, someDeniedPrivs));
365 // TODO - check if app is uninstalled
368 RUNNER_TEST(security_manager_07b_user_add_offline)
370 ServiceManager("security-manager.service").stopService();
372 ServiceManager serviceManager("security-manager.socket");
373 serviceManager.stopService();
375 TemporaryTestUser testUser("sm_test_07b_user_name", GUM_USERTYPE_NORMAL, true);
378 AppInstallHelper app("sm_test_07b", testUser.getUid());
379 ScopedInstaller appInstall(app);
381 serviceManager.startService();
382 check_app_after_install(app.getAppId(), app.getPkgId());
385 check_app_after_uninstall(app.getAppId(), app.getPkgId());
388 RUNNER_TEST(security_manager_08_user_double_add_double_remove)
390 std::vector<std::string> somePrivs = {
391 "http://tizen.org/privilege/internet", "http://tizen.org/privilege/led",
392 "http://tizen.org/privilege/location", "http://tizen.org/privilege/notification"
395 TemporaryTestUser testUser("sm_test_08_user_name", GUM_USERTYPE_NORMAL);
399 UserRequest addUserRequest;
400 addUserRequest.setUid(testUser.getUid());
401 addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
402 Api::addUser(addUserRequest);
404 AppInstallHelper app("sm_test_08", testUser.getUid());
405 ScopedInstaller appInstall(app);
407 check_app_after_install(app.getAppId(), app.getPkgId());
408 check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(), {}, somePrivs);
413 check_app_after_uninstall(app.getAppId(), app.getPkgId());
414 check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(), {}, somePrivs);
417 UserRequest deleteUserRequest;
418 deleteUserRequest.setUid(testUser.getUid());
419 Api::deleteUser(deleteUserRequest);
422 RUNNER_TEST(security_manager_09_app_install_constraint_check)
424 auto install = [](const TemporaryTestUser& user,
430 enum lib_retcode expected,
431 bool uninstall = true)
433 InstallRequest request;
434 request.setAppId(appId);
435 request.setPkgId(pkgId);
436 request.setAppTizenVersion(version);
437 request.setAuthorId(author);
438 request.setUid(user.getUid());
441 Api::install(request, expected);
443 if(expected == SECURITY_MANAGER_SUCCESS && uninstall) {
444 Api::uninstall(request);
448 std::vector<TemporaryTestUser> users = {
449 {"sm_test_09_user_name_0", GUM_USERTYPE_NORMAL, false},
450 {"sm_test_09_user_name_1", GUM_USERTYPE_NORMAL, false}
453 for(auto& gu : users)
456 const char *const pkgId[] = {"sm_test_09_pkg_id_0", "sm_test_09_pkg_id_1"};
457 const char *const appId[] = {"sm_test_09_app_id_0", "sm_test_09_app_id_1"};
458 const char *const version[] = {"sm_test_09_version_0", "sm_test_09_version_1"};
459 const char *const author[] = {"sm_test_09_author_0", "sm_test_09_author_1"};
460 bool hybrid[] = {false, true};
462 // uid_0, pkg_0, app_0, version_0, author_0, not hybrid
463 install(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS, false);
464 // uid_1, pkg_0, app_0, version_0, author_0, not hybrid -> ok (different uid)
465 install(users[1], pkgId[0], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS);
466 // uid_0, pkg_0, app_0, version_0, author_0, hybrid -> fail (different hybrid setting)
467 install(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
468 // uid_0, pkg_0, app_1, version_0, author_0, hybrid -> fail (different hybrid setting)
469 install(users[0], pkgId[0], appId[1], version[0], author[0], hybrid[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
470 // uid_1, pkg_0, app_0, version_0, author_0, hybrid -> fail (different hybrid setting)
471 install(users[1], pkgId[0], appId[0], version[0], author[0], hybrid[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
472 // uid_1, pkg_0, app_0, version_0, author_1, not hybrid -> fail (author of app_0 must be the same)
473 install(users[1], pkgId[0], appId[0], version[0], author[1], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
474 // uid_1, pkg_0, app_0, version_1, author_0, not hybrid -> ok (version upgrade)
475 install(users[1], pkgId[0], appId[0], version[1], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS);
476 // uid_1, pkg_1, app_0, version_0, author_0, not hybrid -> fail (pkg of app_0 must be the same)
477 install(users[1], pkgId[1], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
478 // uid_0, pkg_0, app_0, version_0, author_0, not hybrid -> ok (the same app again)
479 install(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS, false);
480 // uid_0, pkg_1, app_0, version_0, author_0, not hybrid -> fail (app_name + uid must be unique)
481 install(users[0], pkgId[1], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
482 // uid_0, pkg_0, app_0, version_0, author_1, not hybrid -> fail (app_name + uid must be unique)
483 install(users[0], pkgId[0], appId[0], version[0], author[1], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
486 RUNNER_CHILD_TEST(security_manager_10_app_has_privilege)
488 const std::vector<std::string> allowedPrivs = {
489 "http://tizen.org/privilege/wifidirect",
490 "http://tizen.org/privilege/telephony"
492 const std::vector<std::string> someDeniedPrivs = {
493 "http://tizen.org/privilege/vpnservice",
494 "http://tizen.org/privilege/notification"
496 AppInstallHelper app("sm_test_10");
497 app.addPrivileges(allowedPrivs);
498 ScopedInstaller appInstall(app);
500 sm_app_has_privileges(app, allowedPrivs, 1);
501 // FIXME - all other existing privileges should be checked
502 sm_app_has_privileges(app, someDeniedPrivs, 0);
505 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_POLICY)
507 RUNNER_TEST(security_manager_20_user_cynara_policy)
509 // FIXME - whitebox - cynara
510 const char *const MAIN_BUCKET = "MAIN";
511 const char *const MANIFESTS_GLOBAL_BUCKET = "MANIFESTS_GLOBAL";
512 const char *const MANIFESTS_LOCAL_BUCKET = "MANIFESTS_LOCAL";
513 const char *const ADMIN_BUCKET = "ADMIN";
514 const char *const USER_TYPE_NORMAL_BUCKET = "USER_TYPE_NORMAL";
515 CynaraTestAdmin::Admin admin;
517 TemporaryTestUser user("sm_test_20_user_name", GUM_USERTYPE_NORMAL, false);
519 std::string uid_string = user.getUidString();
521 CynaraTestAdmin::CynaraPoliciesContainer nonemptyContainer;
522 nonemptyContainer.add(MAIN_BUCKET,CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_BUCKET, USER_TYPE_NORMAL_BUCKET);
523 admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, nonemptyContainer,CYNARA_API_SUCCESS);
526 CynaraTestAdmin::CynaraPoliciesContainer emptyContainer;
528 admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
529 admin.listPolicies(MANIFESTS_GLOBAL_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
530 admin.listPolicies(MANIFESTS_LOCAL_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
531 admin.listPolicies(CYNARA_ADMIN_DEFAULT_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
532 admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
535 RUNNER_CHILD_TEST(security_manager_21_security_manager_admin_deny_user_priv)
537 const privileges_t adminRequiredPrivs = {
538 "http://tizen.org/privilege/notexist",
539 "http://tizen.org/privilege/internal/usermanagement"
541 const privileges_t manifestPrivs = {
542 "http://tizen.org/privilege/internet",
543 "http://tizen.org/privilege/datasharing"
545 const privileges_t allowedPrivsAfterChange = {"http://tizen.org/privilege/datasharing"};
546 const privileges_t deniedPrivsAfterChange = {"http://tizen.org/privilege/internet"};
547 TemporaryTestUser adminUser("sm_test_21_admin_user_name", GUM_USERTYPE_ADMIN, false);
548 TemporaryTestUser normalUser("sm_test_21_normal_user_name", GUM_USERTYPE_NORMAL, false);
552 std::string childUidStr = normalUser.getUidString();
554 AppInstallHelper adminApp("sm_test_21_admin", adminUser.getUid());
555 adminApp.addPrivileges(adminRequiredPrivs);
556 ScopedInstaller adminAppInstall(adminApp);
558 AppInstallHelper normalApp("sm_test_21_normal", normalUser.getUid());
559 normalApp.addPrivileges(manifestPrivs);
560 ScopedInstaller normalAppInstall(normalApp);
562 check_app_permissions(normalApp.getAppId(), normalApp.getPkgId(), childUidStr,
566 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
567 if (pid != 0) { //parent process
569 check_app_permissions(normalApp.getAppId(), normalApp.getPkgId(), childUidStr,
570 allowedPrivsAfterChange, deniedPrivsAfterChange);
572 Api::setProcessLabel(adminApp.getAppId());
573 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(),adminUser.getGid()) == 0,
574 "drop_root_privileges failed");
576 PolicyRequest addPolicyReq;
577 for (auto &deniedPriv : deniedPrivsAfterChange) {
578 PolicyEntry entry(SECURITY_MANAGER_ANY, normalUser.getUidString(), deniedPriv);
579 entry.setMaxLevel("Deny");
580 addPolicyReq.addEntry(entry);
582 Api::sendPolicy(addPolicyReq);
587 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_CMD)
589 RUNNER_TEST(security_manager_22_security_manager_cmd_install)
592 const int SUCCESS = 0;
593 const int FAILURE = 256;
594 const std::string app_id = "sm_test_22_app_id";
595 const std::string pkg_id = "sm_test_22_pkg_id";
596 const std::string username("sm_test_22_user_name");
598 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL);
601 const std::string path1 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p1";
602 const std::string path2 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p2";
603 const std::string pkgopt = " --pkg=" + pkg_id;
604 const std::string appopt = " --app=" + app_id;
605 const std::string uidopt = " --uid=" + user.getUidString();
607 mktreeSafe(path1.c_str(), 0);
608 mktreeSafe(path2.c_str(), 0);
610 const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt;
616 std::vector<struct operation> operations = {
617 {"security-manager-cmd", FAILURE},//no option
618 {"security-manager-cmd --blah", FAILURE},//blah option is not known
619 {"security-manager-cmd --help", SUCCESS},
620 {"security-manager-cmd --install", FAILURE},//no params
621 {"security-manager-cmd -i", FAILURE},//no params
622 {"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid
623 {installcmd, SUCCESS},
624 {"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS},
625 {installcmd + " --path " + path1 + " rw", SUCCESS},
626 {installcmd + " --path " + path1, FAILURE},//no path type
627 {installcmd + " --path " + path1 + " rw" + " --path " + path2 + " ro", SUCCESS},
628 {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " ro", FAILURE},//wrong path type
629 {installcmd + " --path " + path1 + " rw" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
632 for (auto &op : operations) {
633 ret = system((op.command + " 1>/dev/null 2>&1").c_str());
634 RUNNER_ASSERT_MSG(ret == op.expected_result,
635 "Unexpected result for command '" << op.command <<"': "
636 << ret << " Expected was: "<< op.expected_result);
640 RUNNER_TEST(security_manager_23_security_manager_cmd_users)
642 const int SUCCESS = 0;
643 const int FAILURE = 256;
644 TemporaryTestUser user("sm_test_23_user_name", GUM_USERTYPE_NORMAL, false);
646 const std::string uidopt = " --uid=" + user.getUidString();
652 std::vector<struct operation> operations = {
653 {"security-manager-cmd --manage-users=remove", FAILURE},//no params
654 {"security-manager-cmd -m", FAILURE},//no params
655 {"security-manager-cmd -mr", FAILURE},//no uid
656 {"security-manager-cmd -mr --uid" + uidopt, FAILURE},//no uid
657 {"security-manager-cmd -mr --sdfj" + uidopt, FAILURE},//sdfj?
658 {"security-manager-cmd --msdf -u2004" , FAILURE},//sdf?
659 {"security-manager-cmd -mr" + uidopt, SUCCESS},//ok, removed
660 {"security-manager-cmd -mr --blah" + uidopt, FAILURE},//blah
661 {"security-manager-cmd -ma" + uidopt, SUCCESS},//ok, added
662 {"security-manager-cmd -ma --usertype=normal" + uidopt, SUCCESS},//ok, added
663 {"security-manager-cmd -ma --usertype=mal" + uidopt, FAILURE},//ok, added
666 for (auto &op : operations) {
667 int ret = system((op.command + " 1>/dev/null 2>&1").c_str());
668 RUNNER_ASSERT_MSG(ret == op.expected_result,
669 "Unexpected result for command '" << op.command <<"': "
670 << ret << " Expected was: "<< op.expected_result);
674 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_GROUPS)
676 RUNNER_TEST(security_manager_24_groups_get)
678 PolicyConfiguration pc;
682 Api::getSecurityManagerGroups(&c_groups, &count);
683 std::unique_ptr<char *, std::function<void(char **)>> groupsPtr(c_groups, [count] (char ** groups) {
684 security_manager_groups_free(groups, count);
687 auto policyGroups = pc.getGroup();
688 RUNNER_ASSERT_MSG(count == policyGroups.size(), "security_manager_groups_get should set count to: "
689 << policyGroups.size() << " but count is: " << count);
691 for (const auto &group : policyGroups) {
693 for (size_t i = 0; i < count; ++i) {
694 if (group == c_groups[i]) {
699 RUNNER_ASSERT_MSG(found, "PrivilegeGroup: " << group << " was not found");
703 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_INSTALL_TYPE)
705 RUNNER_TEST(security_manager_25a_global_user_set_install_type_global)
707 AppInstallHelper app("sm_test_25a");
708 app.setInstallType(SM_APP_INSTALL_GLOBAL);
710 ScopedInstaller appInstall(app);
712 check_app_after_install(app.getAppId(), app.getPkgId());
715 // Check records in the security-manager database
716 check_app_after_uninstall(app.getAppId(), app.getPkgId());
719 RUNNER_TEST(security_manager_25b_global_user_set_install_type_local)
721 AppInstallHelper app("sm_test_25b");
723 InstallRequest requestInst;
724 requestInst.setAppId(app.getAppId());
725 requestInst.setPkgId(app.getPkgId());
726 requestInst.setInstallType(SM_APP_INSTALL_LOCAL);
728 Api::install(requestInst, (lib_retcode)SECURITY_MANAGER_ERROR_SERVER_ERROR);
731 RUNNER_TEST(security_manager_25c_global_user_set_install_type_preloaded)
733 AppInstallHelper app("sm_test_25c");
734 app.setInstallType(SM_APP_INSTALL_PRELOADED);
736 ScopedInstaller appInstall(app);
737 check_app_after_install(app.getAppId(), app.getPkgId());
739 check_app_after_uninstall(app.getAppId(), app.getPkgId());
742 RUNNER_TEST(security_manager_25d_local_user_set_install_type_invalid)
744 InstallRequest requestPrivateUser;
745 requestPrivateUser.setInstallType((app_install_type)0, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
746 requestPrivateUser.setInstallType((app_install_type)22, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
750 * It is possible for local user to install global application but one needs app_install privileges
751 * By default only global user or root can install global apps (or "User", "System", "System::Privileged"...)
753 RUNNER_CHILD_TEST(security_manager_25e_unprivileged_install_type_global)
755 TemporaryTestUser testUser("sm_test_25e_user_name", GUM_USERTYPE_NORMAL);
758 AppInstallHelper app("sm_test_25e");
761 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
762 "drop_root_privileges failed");
764 InstallRequest invalidReq;
765 invalidReq.setAppId(app.getAppId());
766 invalidReq.setPkgId(app.getPkgId());
767 invalidReq.setInstallType(SM_APP_INSTALL_GLOBAL);
769 Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
772 RUNNER_CHILD_TEST(security_manager_25f_unprivileged_install_type_preloaded)
774 TemporaryTestUser testUser("sm_test_25f_user_name", GUM_USERTYPE_NORMAL);
777 AppInstallHelper app("sm_test_25f");
780 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
781 "drop_root_privileges failed");
782 InstallRequest invalidReq;
783 invalidReq.setAppId(app.getAppId());
784 invalidReq.setPkgId(app.getPkgId());
785 invalidReq.setInstallType(SM_APP_INSTALL_PRELOADED);
786 Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
790 RUNNER_CHILD_TEST(security_manager_25g_local_user_set_install_type_local)
792 std::vector<std::string> allowedPrivs = {
793 "http://tizen.org/privilege/volume.set",
794 "http://tizen.org/privilege/systemmonitor",
795 "http://tizen.org/privilege/internet"
797 std::vector<std::string> someDeniedPrivs = {
798 "http://tizen.org/privilege/push",
799 "http://tizen.org/privilege/power",
800 "http://tizen.org/privilege/notification"
803 TemporaryTestUser testUser("sm_test_25g_user_name", GUM_USERTYPE_NORMAL);
806 AppInstallHelper app("sm_test_25g", testUser.getUid());
807 app.createPrivateDir();
808 app.setInstallType(SM_APP_INSTALL_LOCAL);
809 app.addPrivileges(allowedPrivs);
811 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
812 "drop_root_privileges failed");
814 ScopedInstaller appInstall(app);
815 check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
816 allowedPrivs, someDeniedPrivs);
819 check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
820 {}, merge(allowedPrivs, someDeniedPrivs));
821 // TODO - check if app is properly uninstalled
824 RUNNER_CHILD_TEST(security_manager_25h_local_path_global_install)
826 TemporaryTestUser testUser("sm_test_25h_user_name", GUM_USERTYPE_NORMAL);
829 AppInstallHelper app("sm_test_25h", testUser.getUid());
830 app.createPrivateDir();
832 InstallRequest invalidReq;
833 invalidReq.setAppId(app.getAppId());
834 invalidReq.setPkgId(app.getPkgId());
835 invalidReq.addPath(app.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
836 invalidReq.setInstallType(SM_APP_INSTALL_GLOBAL);
837 Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
840 RUNNER_CHILD_TEST(security_manager_25i_local_path_preloaded_install)
842 TemporaryTestUser testUser("sm_test_25i_user_name", GUM_USERTYPE_NORMAL);
845 AppInstallHelper app("sm_test_25i", testUser.getUid());
846 app.createPrivateDir();
848 InstallRequest invalidReq;
849 invalidReq.setAppId(app.getAppId());
850 invalidReq.setPkgId(app.getPkgId());
851 invalidReq.addPath(app.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
852 invalidReq.setInstallType(SM_APP_INSTALL_PRELOADED);
853 Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
856 RUNNER_CHILD_TEST(security_manager_25j_global_path_local_install)
858 TemporaryTestUser testUser("sm_test_25j_user_name", GUM_USERTYPE_NORMAL);
861 AppInstallHelper appLocal("sm_test_25j", testUser.getUid());
863 AppInstallHelper appGlobal("sm_test_25");
864 appGlobal.createPrivateDir();
866 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
867 "drop_root_privileges failed");
869 InstallRequest invalidReq;
870 invalidReq.setAppId(appLocal.getAppId());
871 invalidReq.setPkgId(appLocal.getPkgId());
872 invalidReq.addPath(appGlobal.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
873 invalidReq.setInstallType(SM_APP_INSTALL_LOCAL);
875 Api::install(invalidReq, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);