projects / platform / core / test / security-tests.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
SM: Rename and use one label generators
[platform/core/test/security-tests.git] / src / security-manager-tests / test_cases.cpp
1 /*
2  * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
3  *
4  *    Licensed under the Apache License, Version 2.0 (the "License");
5  *    you may not use this file except in compliance with the License.
6  *    You may obtain a copy of the License at
7  *
8  *        http://www.apache.org/licenses/LICENSE-2.0
9  *
10  *    Unless required by applicable law or agreed to in writing, software
11  *    distributed under the License is distributed on an "AS IS" BASIS,
12  *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  *    See the License for the specific language governing permissions and
14  *    limitations under the License.
15  */
16
17 #include <cstdlib>
18 #include <attr/xattr.h>
19 #include <fstream>
20 #include <regex>
21 #include <string>
22 #include <unordered_set>
23
24 #include <sys/capability.h>
25 #include <sys/smack.h>
26 #include <sys/types.h>
27 #include <unistd.h>
28
29 #include <cynara-admin.h>
30
31 #include <cynara_test_admin.h>
32 #include <dpl/test/test_runner.h>
33 #include <memory>
34 #include <scoped_label.h>
35 #include <service_manager.h>
36 #include <sm_api.h>
37 #include <sm_commons.h>
38 #include <sm_request.h>
39 #include <synchronization_pipe.h>
40 #include <temp_test_user.h>
41 #include <tests_common.h>
42 #include <tzplatform.h>
43 #include <uds.h>
44
45 using namespace SecurityManagerTest;
46
47 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
48
49 RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall)
50 {
51     const char *const sm_app_id = "sm_test_01a_app_id_double";
52     const char *const sm_pkg_id = "sm_test_01a_pkg_id_double";
53
54     InstallRequest requestInst;
55     requestInst.setAppId(sm_app_id);
56     requestInst.setPkgId(sm_pkg_id);
57
58     Api::install(requestInst);
59     Api::install(requestInst);
60
61     // Check records in the security-manager database
62     check_app_after_install(sm_app_id, sm_pkg_id);
63
64     InstallRequest requestUninst;
65     requestUninst.setAppId(sm_app_id);
66
67     Api::uninstall(requestUninst);
68     Api::uninstall(requestUninst);
69
70     // Check records in the security-manager database
71     check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
72 }
73
74 RUNNER_TEST(security_manager_01b_app_double_install_wrong_pkg_id)
75 {
76     const char *const sm_app_id = "sm_test_01b_app";
77     const char *const sm_pkg_id = "sm_test_01b_pkg";
78     const char *const sm_pkg_id_wrong = "sm_test_01b_pkg_BAD";
79
80     InstallRequest requestInst;
81     requestInst.setAppId(sm_app_id);
82     requestInst.setPkgId(sm_pkg_id);
83
84     Api::install(requestInst);
85
86     InstallRequest requestInst2;
87     requestInst2.setAppId(sm_app_id);
88     requestInst2.setPkgId(sm_pkg_id_wrong);
89
90     Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM);
91
92
93     /* Check records in the security-manager database */
94     check_app_after_install(sm_app_id, sm_pkg_id);
95
96     InstallRequest requestUninst;
97     requestUninst.setAppId(sm_app_id);
98
99     Api::uninstall(requestUninst);
100
101
102     /* Check records in the security-manager database */
103     check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
104 }
105
106 RUNNER_TEST(security_manager_01c_app_uninstall_pkg_id_ignored)
107 {
108     const char * const  sm_app_id = "SM_TEST_01c_APPID";
109     const char * const  sm_pkg_id = "SM_TEST_01c_PKGID";
110     const char * const  sm_pkg_id_wrong = "SM_TEST_01c_PKGID_wrong";
111
112     InstallRequest requestInst;
113     requestInst.setAppId(sm_app_id);
114     requestInst.setPkgId(sm_pkg_id);
115
116     Api::install(requestInst);
117
118     /* Check records in the security-manager database */
119     check_app_after_install(sm_app_id, sm_pkg_id);
120
121     InstallRequest requestUninst;
122     requestUninst.setAppId(sm_app_id);
123     requestUninst.setPkgId(sm_pkg_id_wrong);
124
125     Api::uninstall(requestUninst);
126
127     check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
128 }
129
130 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
131 {
132     std::string SM_RW_PATH = genRWPath(2);
133     std::string SM_RO_PATH = genROPath(2);
134     std::string SM_PUBLIC_RO_PATH = genPublicROPath(2);
135
136     const char *const sm_app_id = "sm_test_02_app_id_full";
137     const char *const sm_pkg_id = "sm_test_02_pkg_id_full";
138
139     prepare_app_env(2);
140
141     InstallRequest requestInst;
142     requestInst.setAppId(sm_app_id);
143     requestInst.setPkgId(sm_pkg_id);
144     requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str());
145     requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str());
146     requestInst.addPath(SM_RW_PATH, SECURITY_MANAGER_PATH_RW);
147     requestInst.addPath(SM_RO_PATH, SECURITY_MANAGER_PATH_RO);
148     requestInst.addPath(SM_PUBLIC_RO_PATH, SECURITY_MANAGER_PATH_PUBLIC_RO);
149
150     Api::install(requestInst);
151
152     /* Check records in the security-manager database */
153     check_app_after_install(sm_app_id, sm_pkg_id,
154                             SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
155
156     /* TODO: add parameters to this function */
157     check_app_path_after_install(2, sm_pkg_id, false);
158
159     InstallRequest requestUninst;
160     requestUninst.setAppId(sm_app_id);
161
162     Api::uninstall(requestUninst);
163
164     /* Check records in the security-manager database,
165      * all previously allowed privileges should be removed */
166     check_app_after_uninstall(sm_app_id, sm_pkg_id,
167                               SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
168 }
169
170 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
171 {
172     const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack";
173     const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
174     const char *const socketLabel = "not_expected_label";
175     std::string expected_label = generateProcessLabel(app_id);
176     std::string expected_socket_label = socketLabel;
177     char *label = nullptr;
178     CStringPtr labelPtr;
179     int result;
180
181     uninstall_app(app_id, pkg_id, true);
182     install_app(app_id, pkg_id);
183
184     const auto sockaddr = UDSHelpers::makeAbstractAddress("sm_test_03.socket");
185     int sock = UDSHelpers::createServer(&sockaddr);
186     SockUniquePtr sockPtr(&sock);
187
188     //Set socket label to something different than expecedLabel
189     result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPIN, socketLabel);
190     RUNNER_ASSERT_ERRNO_MSG(result == 0,
191         "Can't set socket label. Result: " << result);
192     result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPOUT, socketLabel);
193     RUNNER_ASSERT_ERRNO_MSG(result == 0,
194         "Can't set socket label. Result: " << result);
195
196
197     SynchronizationPipe pipe;
198     pid_t pid = fork();
199
200     if (pid != 0) { // parent process
201         pipe.claimParentEp();
202         Api::setProcessLabel(app_id);
203
204         result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPIN, &label);
205         RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
206         labelPtr.reset(label);
207         result = expected_socket_label.compare(label);
208         RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
209             expected_label << " Actual: " << label);
210
211         result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPOUT, &label);
212         RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
213         labelPtr.reset(label);
214         result = expected_socket_label.compare(label);
215         RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
216             expected_label << " Actual: " << label);
217
218         result = smack_new_label_from_self(&label);
219         RUNNER_ASSERT_MSG(result >= 0,
220                 " Error getting current process label");
221         RUNNER_ASSERT_MSG(label != nullptr,
222                 " Process label is not set");
223         labelPtr.reset(label);
224
225         result = expected_label.compare(label);
226         RUNNER_ASSERT_MSG(result == 0,
227                 " Process label is incorrect. Expected: \"" << expected_label <<
228                 "\" Actual: \"" << label << "\"");
229         pipe.post();
230         waitPid(pid);
231     } else { // child process
232         pipe.claimChildEp();
233         pipe.wait();
234         uninstall_app(app_id, pkg_id, true);
235         exit(0);
236     }
237 }
238
239 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
240 {
241     const char *const app_id = "sm_test_03_app_id_set_label_from_appid_nosmack";
242     const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_nosmack";
243
244     uninstall_app(app_id, pkg_id, true);
245     install_app(app_id, pkg_id);
246
247     {
248         ScopedProcessLabel keepLabel;
249         Api::setProcessLabel(app_id);
250     }
251
252     uninstall_app(app_id, pkg_id, true);
253 }
254
255 static void install_and_check(const char *const sm_app_id,
256                               const char *const sm_pkg_id,
257                               const TemporaryTestUser& user,
258                               const std::string &appDir,
259                               bool requestUid)
260 {
261     InstallRequest requestPrivate;
262
263     //install app for non-root user
264     //should fail (users may only register folders inside their home)
265     prepare_request(requestPrivate, sm_app_id, sm_pkg_id,
266                     SECURITY_MANAGER_PATH_RW, SM_RW_PATH,
267                     requestUid ? user.getUid() : 0);
268
269     Api::install(requestPrivate, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
270
271     InstallRequest requestPrivateUser;
272
273     //install app for non-root user
274     //should succeed - this time i register folder inside user's home dir
275     prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
276                     SECURITY_MANAGER_PATH_RW, appDir.c_str(),
277                     requestUid ? user.getUid() : 0);
278
279     for (auto &privilege : SM_ALLOWED_PRIVILEGES)
280         requestPrivateUser.addPrivilege(privilege.c_str());
281
282     Api::install(requestPrivateUser);
283
284     check_app_permissions(sm_app_id, sm_pkg_id,
285                           uidToStr(user.getUid()).c_str(),
286                           SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
287 }
288
289 RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
290 {
291     int result;
292     const char *const sm_app_id = "sm_test_04a_app_id_uid";
293     const char *const sm_pkg_id = "sm_test_04a_pkg_id_uid";
294     const std::string new_user_name = "sm_test_04a_user_name";
295
296     TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
297     testUser.create();
298
299     removeTestDirs(testUser, sm_app_id, sm_pkg_id);
300     createTestDirs(testUser, sm_app_id, sm_pkg_id);
301
302     const std::string userAppDirPath = TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id);
303
304     //switch user to non-root
305     result = drop_root_privileges(testUser.getUid(), testUser.getGid());
306     RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
307
308     install_and_check(sm_app_id, sm_pkg_id, testUser, userAppDirPath, false);
309
310     //uninstall app as non-root user
311     InstallRequest request;
312     request.setAppId(sm_app_id);
313
314     Api::uninstall(request);
315
316     check_app_permissions(sm_app_id, sm_pkg_id,
317                           uidToStr(testUser.getUid()).c_str(),
318                           SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
319 }
320
321 RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user)
322 {
323     int result;
324     const char *const sm_app_id = "sm_test_04b_app_id_uid";
325     const char *const sm_pkg_id = "sm_test_04b_pkg_id_uid";
326     const std::string new_user_name = "sm_test_04b_user_name";
327
328     TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
329     testUser.create();
330
331     removeTestDirs(testUser, sm_app_id, sm_pkg_id);
332     createTestDirs(testUser, sm_app_id, sm_pkg_id);
333
334     install_and_check(sm_app_id, sm_pkg_id, testUser,
335                       TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id), true);
336
337     //switch user to non-root - root may not uninstall apps for specified users
338     result = drop_root_privileges(testUser.getUid(), testUser.getGid());
339     RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
340
341     //uninstall app as non-root user
342     InstallRequest request;
343     request.setAppId(sm_app_id);
344
345     Api::uninstall(request);
346
347     check_app_permissions(sm_app_id, sm_pkg_id,
348                           uidToStr(testUser.getUid()).c_str(),
349                           SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
350 }
351
352 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
353 {
354     int result;
355     CapsSetsUniquePtr caps_empty(cap_init());
356     auto caps = setCaps("all=eip");
357     Api::dropProcessPrivileges();
358
359     caps.reset(cap_get_proc());
360     RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
361
362     result = cap_compare(caps.get(), caps_empty.get());
363     RUNNER_ASSERT_MSG(result == 0,
364         "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
365 }
366
367 RUNNER_CHILD_TEST(security_manager_06_install_app_offline)
368 {
369     const char *const app_id = "sm_test_06_app_id_install_app_offline";
370     const char *const pkg_id = "sm_test_06_pkg_id_install_app_offline";
371
372     // Uninstall app on-line, off-line mode doesn't support it
373     uninstall_app(app_id, pkg_id, true);
374
375     ServiceManager("security-manager.service").stopService();
376
377     ServiceManager serviceManager("security-manager.socket");
378     serviceManager.stopService();
379
380     install_app(app_id, pkg_id);
381
382     serviceManager.startService();
383
384     uninstall_app(app_id, pkg_id, true);
385 }
386
387 RUNNER_CHILD_TEST(security_manager_07_user_add_app_install)
388 {
389     const char *const sm_app_id = "sm_test_07_app_id_user";
390     const char *const sm_pkg_id = "sm_test_07_pkg_id_user";
391     const std::string new_user_name = "sm_test_07_user_name";
392     std::string uid_string;
393     TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
394     test_user.create();
395     test_user.getUidString(uid_string);
396
397     removeTestDirs(test_user, sm_app_id, sm_pkg_id);
398     createTestDirs(test_user, sm_app_id, sm_pkg_id);
399
400     install_app(sm_app_id, sm_pkg_id, test_user.getUid());
401
402     check_app_after_install(sm_app_id, sm_pkg_id);
403
404     test_user.remove();
405
406     check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
407
408     check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
409 }
410
411 RUNNER_CHILD_TEST(security_manager_08_user_double_add_double_remove)
412 {
413     UserRequest addUserRequest;
414
415     const char *const sm_app_id = "sm_test_08_app_id_user";
416     const char *const sm_pkg_id = "sm_test_08_pkg_id_user";
417     const std::string new_user_name = "sm_test_08_user_name";
418     std::string uid_string;
419
420     // gumd user add
421     TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
422     test_user.create();
423     test_user.getUidString(uid_string);
424
425     removeTestDirs(test_user, sm_app_id, sm_pkg_id);
426     createTestDirs(test_user, sm_app_id, sm_pkg_id);
427
428     addUserRequest.setUid(test_user.getUid());
429     addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
430
431     //sm user add
432     Api::addUser(addUserRequest);
433
434     install_app(sm_app_id, sm_pkg_id, test_user.getUid());
435
436     check_app_after_install(sm_app_id, sm_pkg_id);
437
438     test_user.remove();
439
440     UserRequest deleteUserRequest;
441     deleteUserRequest.setUid(test_user.getUid());
442
443     Api::deleteUser(deleteUserRequest);
444
445     check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
446
447     check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
448 }
449
450 RUNNER_CHILD_TEST(security_manager_09_add_user_offline)
451 {
452     const char *const app_id = "security_manager_09_add_user_offline_app";
453     const char *const pkg_id = "security_manager_09_add_user_offline_pkg";
454     const std::string new_user_name("sm_test_09_user_name");
455
456     ServiceManager("security-manager.service").stopService();
457
458     ServiceManager serviceManager("security-manager.socket");
459     serviceManager.stopService();
460
461     TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, true);
462     test_user.create();
463
464     removeTestDirs(test_user, app_id, pkg_id);
465     createTestDirs(test_user, app_id, pkg_id);
466
467     install_app(app_id, pkg_id, test_user.getUid());
468
469     check_app_after_install(app_id, pkg_id);
470
471     serviceManager.startService();
472
473     test_user.remove();
474
475     check_app_after_uninstall(app_id, pkg_id, true);
476 }
477
478 RUNNER_TEST(security_manager_50_app_install_constraint_check)
479 {
480     auto install = [](const TemporaryTestUser& user,
481                       const char *pkgId,
482                       const char *appId,
483                       const char *version,
484                       const char *author,
485                       enum lib_retcode expected,
486                       bool uninstall = true)
487     {
488         InstallRequest request;
489         request.setAppId(appId);
490         request.setPkgId(pkgId);
491         request.setAppTizenVersion(version);
492         request.setAuthorId(author);
493         request.setUid(user.getUid());
494
495         Api::install(request, expected);
496
497         if(expected == SECURITY_MANAGER_SUCCESS) {
498             // TODO add verification once check_app_after_install() supports uid
499             // check_app_after_install(appId, pkgId);
500             if(uninstall)
501                 Api::uninstall(request);
502         }
503     };
504
505     std::vector<TemporaryTestUser> users = {
506             {"sm_test_50_user_name_0", GUM_USERTYPE_NORMAL, false},
507             {"sm_test_50_user_name_1", GUM_USERTYPE_NORMAL, false}
508     };
509
510     for(auto& gu : users)
511         gu.create();
512
513     const char *const pkgId[] =   {"sm_test_50_pkg_id_0",  "sm_test_50_pkg_id_1"};
514     const char *const appId[] =   {"sm_test_50_app_id_0",  "sm_test_50_app_id_1"};
515     const char *const version[] = {"sm_test_50_version_0", "sm_test_50_version_1"};
516     const char *const author[] =  {"sm_test_50_author_0",  "sm_test_50_author_1"};
517
518     // uid_0, pkg_0, app_0, version_0, author_0
519     install(users[0], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS, false);
520
521     // uid_1, pkg_0, app_0, version_0, author_0 -> ok (different uid)
522     install(users[1], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS);
523     // uid_1, pkg_0, app_0, version_0, author_1 -> fail (author of app_0 must be the same)
524     install(users[1], pkgId[0], appId[0], version[0], author[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
525     // uid_1, pkg_0, app_0, version_1, author_0 -> fail (version of app_0 must be the same)
526     install(users[1], pkgId[0], appId[0], version[1], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
527     // uid_1, pkg_1, app_0, version_0, author_0 -> fail (pkg of app_0 must be the same)
528     install(users[1], pkgId[1], appId[0], version[0], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
529     // uid_0, pkg_0, app_0, version_0, author_0 -> ok (the same app again)
530     install(users[0], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS, false);
531     // uid_0, pkg_1, app_0, version_0, author_0 -> fail (app_name + uid must be unique)
532     install(users[0], pkgId[1], appId[0], version[0], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
533     // uid_0, pkg_0, app_0, version_1, author_0 -> fail (app_name + uid must be unique)
534     install(users[0], pkgId[0], appId[0], version[1], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
535     // uid_0, pkg_0, app_0, version_0, author_1 -> fail (app_name + uid must be unique)
536     install(users[0], pkgId[0], appId[0], version[0], author[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
537 }
538
539 RUNNER_CHILD_TEST(security_manager_53_app_has_privilege)
540 {
541     const char *const sm_app_id = "sm_test_53_app";
542     const char *const sm_pkg_id = "sm_test_53_pkg";
543     const std::string new_user_name = "sm_test_47_user_name";
544
545     InstallRequest requestInst;
546     requestInst.setAppId(sm_app_id);
547     requestInst.setPkgId(sm_pkg_id);
548     for (auto const &privilege : SM_ALLOWED_PRIVILEGES)
549         requestInst.addPrivilege(privilege.c_str());
550     Api::install(requestInst);
551
552     for (auto const &privilege : SM_ALLOWED_PRIVILEGES) {
553         int result;
554         Api::appHasPrivilege(sm_app_id, privilege.c_str(), TzPlatformConfig::getGlobalUserId(),
555                              result);
556         RUNNER_ASSERT_MSG(result == 1, "Application " << sm_app_id <<
557             " should have access to privilege " << privilege);
558     }
559
560     for (auto const &privilege : SM_DENIED_PRIVILEGES) {
561         int result;
562         Api::appHasPrivilege(sm_app_id, privilege.c_str(), TzPlatformConfig::getGlobalUserId(),
563                 result);
564         RUNNER_ASSERT_MSG(result == 0, "Application " << sm_app_id <<
565             " should not have access to privilege " << privilege);
566     }
567
568     InstallRequest requestUninst;
569     requestUninst.setAppId(sm_app_id);
570     Api::uninstall(requestUninst);
571 }
572
573 RUNNER_TEST_GROUP_INIT(SECRUTIY_MANAGER_POLICY)
574
575 RUNNER_TEST(security_manager_18_user_cynara_policy)
576 {
577     const char *const MAIN_BUCKET = "MAIN";
578     const char *const MANIFESTS_BUCKET = "MANIFESTS";
579     const char *const ADMIN_BUCKET = "ADMIN";
580     const char *const USER_TYPE_NORMAL_BUCKET = "USER_TYPE_NORMAL";
581     const std::string username("sm_test_10_user_cynara_policy");
582     CynaraTestAdmin::Admin admin;
583     std::string uid_string;
584     TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
585     user.create();
586     user.getUidString(uid_string);
587
588     CynaraTestAdmin::CynaraPoliciesContainer nonemptyContainer;
589     nonemptyContainer.add(MAIN_BUCKET,CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_BUCKET, USER_TYPE_NORMAL_BUCKET);
590     admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, nonemptyContainer,CYNARA_API_SUCCESS);
591
592     user.remove();
593     CynaraTestAdmin::CynaraPoliciesContainer emptyContainer;
594
595     admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
596     admin.listPolicies(MANIFESTS_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
597     admin.listPolicies(CYNARA_ADMIN_DEFAULT_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
598     admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
599 }
600
601 RUNNER_CHILD_TEST(security_manager_21_security_manager_admin_deny_user_priv)
602 {
603     const int BUFFER_SIZE = 128;
604     struct message {
605         uid_t uid;
606         gid_t gid;
607         char buf[BUFFER_SIZE];
608     } msg;
609
610     privileges_t admin_required_privs = {
611             "http://tizen.org/privilege/notexist",
612             "http://tizen.org/privilege/internal/usermanagement"};
613     privileges_t manifest_privs = {
614             "http://tizen.org/privilege/internet",
615             "http://tizen.org/privilege/datasharing"};
616     privileges_t real_privs_allow = {"http://tizen.org/privilege/datasharing"};
617     privileges_t real_privs_deny = {"http://tizen.org/privilege/internet"};
618
619     const std::string pirivman_id = "sm_test_13_ADMIN_APP";
620     const std::string pirivman_pkg_id = "sm_test_13_ADMIN_PKG";
621     const std::string app_id = "sm_test_13_SOME_APP";
622     const std::string pkg_id = "sm_test_13_SOME_PKG";
623
624     int pipefd[2];
625     pid_t pid;
626     int result = 0;
627
628     RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
629     pid = fork();
630     RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
631     if (pid != 0)//parent process
632     {
633         std::string childuidstr;
634         TemporaryTestUser admin("sm_test_13_ADMIN_USER", GUM_USERTYPE_ADMIN, false);
635         TemporaryTestUser child("sm_test_13_NORMAL_USER", GUM_USERTYPE_NORMAL, false);
636
637         InstallRequest request,request2;
638         FdUniquePtr pipeptr(pipefd+1);
639         close(pipefd[0]);
640
641         admin.create();
642         child.create();
643         child.getUidString(childuidstr);
644
645         //install privacy manager for admin
646         request.setAppId(pirivman_id.c_str());
647         request.setPkgId(pirivman_pkg_id.c_str());
648         request.setUid(admin.getUid());
649         for (auto &priv: admin_required_privs)
650             request.addPrivilege(priv.c_str());
651         Api::install(request);
652
653         //install app for child that has internet privilege
654         request2.setAppId(app_id.c_str());
655         request2.setPkgId(pkg_id.c_str());
656         request2.setUid(child.getUid());
657         for (auto &priv: manifest_privs)
658             request2.addPrivilege(priv.c_str());
659         Api::install(request2);
660
661         check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
662                               manifest_privs, SM_NO_PRIVILEGES);
663
664         //send info to child
665         msg.uid = admin.getUid();
666         msg.gid = admin.getGid();
667         strncpy (msg.buf, childuidstr.c_str(), BUFFER_SIZE);
668
669         ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
670         RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
671
672         waitPid(pid);
673
674         check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
675                               real_privs_allow, real_privs_deny);
676     }
677     if (pid == 0)//child
678     {
679         FdUniquePtr pipeptr(pipefd);
680         close(pipefd[1]);
681
682         ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
683         RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
684
685         //become admin privacy manager manager
686         Api::setProcessLabel(pirivman_id.c_str());
687         result = drop_root_privileges(msg.uid, msg.gid);
688         RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
689         PolicyRequest addPolicyReq;
690         //change rights
691         for (auto &denypriv:real_privs_deny) {
692             /*this entry will deny some privileges for user whose uid (as c string)
693               was sent in message's buf field.
694               That user would be denying internet for child in this case*/
695             PolicyEntry entry(SECURITY_MANAGER_ANY, msg.buf, denypriv);
696             entry.setMaxLevel("Deny");
697             addPolicyReq.addEntry(entry);
698         }
699         Api::sendPolicy(addPolicyReq);
700         exit(0);
701     }
702 }
703
704 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_CMD)
705
706 RUNNER_TEST(security_manager_19_security_manager_cmd_install)
707 {
708     int ret;
709     const int SUCCESS = 0;
710     const int FAILURE = 256;
711     const std::string app_id = "security_manager_10_app";
712     const std::string pkg_id = "security_manager_10_pkg";
713     const std::string username("sm_test_10_user_name");
714     std::string uid_string;
715     TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
716     user.create();
717     user.getUidString(uid_string);
718     const std::string path1 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p1";
719     const std::string path2 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p2";
720     const std::string pkgopt = " --pkg=" + pkg_id;
721     const std::string appopt = " --app=" + app_id;
722     const std::string uidopt = " --uid=" + uid_string;
723
724     mktreeSafe(path1.c_str(), 0);
725     mktreeSafe(path2.c_str(), 0);
726
727     const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt;
728
729     struct operation {
730         std::string command;
731         int expected_result;
732     };
733     std::vector<struct operation> operations = {
734             {"security-manager-cmd", FAILURE},//no option
735             {"security-manager-cmd --blah", FAILURE},//blah option is not known
736             {"security-manager-cmd --help", SUCCESS},
737             {"security-manager-cmd --install", FAILURE},//no params
738             {"security-manager-cmd -i", FAILURE},//no params
739             {"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid
740             {installcmd, SUCCESS},
741             {"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS},
742             {installcmd + " --path " + path1 + " rw", SUCCESS},
743             {installcmd + " --path " + path1, FAILURE},//no path type
744             {installcmd + " --path " + path1 + " rw" + " --path " + path2 + " ro", SUCCESS},
745             {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " ro", FAILURE},//wrong path type
746             {installcmd + " --path " + path1 + " rw" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
747     };
748
749     for (auto &op : operations) {
750         ret = system((op.command + " 1>/dev/null 2>&1").c_str());
751         RUNNER_ASSERT_MSG(ret == op.expected_result,
752                 "Unexpected result for command '" << op.command <<"': "
753                 << ret << " Expected was: "<< op.expected_result);
754     }
755 }
756
757 RUNNER_TEST(security_manager_20_security_manager_cmd_users)
758 {
759     int ret;
760     const int SUCCESS = 0;
761     const int FAILURE = 256;
762     const std::string username("sm_test_11_user_name");
763     std::string uid_string;
764     TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
765     user.create();
766     user.getUidString(uid_string);
767     const std::string uidopt = " --uid=" + uid_string;
768
769     struct operation {
770         std::string command;
771         int expected_result;
772     };
773     std::vector<struct operation> operations = {
774             {"security-manager-cmd --manage-users=remove", FAILURE},//no params
775             {"security-manager-cmd -m", FAILURE},//no params
776             {"security-manager-cmd -mr", FAILURE},//no uid
777             {"security-manager-cmd -mr --uid" + uidopt, FAILURE},//no uid
778             {"security-manager-cmd -mr --sdfj" + uidopt, FAILURE},//sdfj?
779             {"security-manager-cmd --msdf -u2004" , FAILURE},//sdf?
780             {"security-manager-cmd -mr" + uidopt, SUCCESS},//ok, removed
781             {"security-manager-cmd -mr --blah" + uidopt, FAILURE},//blah
782             {"security-manager-cmd -ma" + uidopt, SUCCESS},//ok, added
783             {"security-manager-cmd -ma --usertype=normal" + uidopt, SUCCESS},//ok, added
784             {"security-manager-cmd -ma --usertype=mal" + uidopt, FAILURE},//ok, added
785     };
786
787     for (auto &op : operations) {
788         ret = system((op.command + " 1>/dev/null 2>&1").c_str());
789         RUNNER_ASSERT_MSG(ret == op.expected_result,
790                 "Unexpected result for command '" << op.command <<"': "
791                 << ret << " Expected was: "<< op.expected_result);
792     }
793 }
794
795 std::vector<std::string> readPrivilegeGroups()
796 {
797     std::vector<std::string> groups;
798     const static std::string privilegeGroupMappingPath("/usr/share/security-manager/policy/privilege-group.list");
799     std::ifstream mappingFile(privilegeGroupMappingPath);
800
801     RUNNER_ASSERT_MSG(mappingFile.is_open(),
802         "Unable to read group mapping file " << privilegeGroupMappingPath);
803
804     std::string line;
805     std::regex r("^[^ #]+ +(.*)");
806     while (std::getline(mappingFile, line)) {
807         std::smatch m;
808         if (std::regex_search(line, m, r))
809             groups.push_back(m[1]);
810     }
811
812     return groups;
813 }
814
815 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_GROUPS)
816
817 RUNNER_TEST(security_manager_22_groups_get)
818 {
819     std::unordered_set<std::string> groups;
820     auto tmp = readPrivilegeGroups();
821     groups.insert(tmp.begin(), tmp.end());
822
823     char ** c_groups;
824     size_t count = 0;
825
826     Api::getSecurityManagerGroups(&c_groups, &count);
827     RUNNER_ASSERT_MSG(count == groups.size(), "security_manager_groups_get should set count to: "
828                       << groups.size() << " but count is: " << count);
829
830     for (const auto &group : groups) {
831         bool found = false;
832         for (size_t i = 0; i < count; ++i) {
833             if (group == c_groups[i]) {
834                 found = true;
835                 break;
836             }
837         }
838         RUNNER_ASSERT_MSG(found, "PrivilegeGroup: " << group << " was not found");
839     }
840     security_manager_groups_free(c_groups, count);
841 }
842
843 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_INSTALL_TYPE)
844
845 RUNNER_TEST(security_manager_49a_global_user_set_install_type_global)
846 {
847     const char *const sm_app_id = "sm_test_49a_app_id_global";
848     const char *const sm_pkg_id = "sm_test_49a_pkg_id_global";
849
850     InstallRequest requestInst;
851     requestInst.setAppId(sm_app_id);
852     requestInst.setPkgId(sm_pkg_id);
853     requestInst.setInstallType(SM_APP_INSTALL_GLOBAL);
854
855     Api::install(requestInst);
856
857     // Check records in the security-manager database
858     check_app_after_install(sm_app_id, sm_pkg_id);
859
860     InstallRequest requestUninst;
861     requestUninst.setAppId(sm_app_id);
862
863     Api::uninstall(requestUninst);
864
865     // Check records in the security-manager database
866     check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
867 }
868
869 RUNNER_TEST(security_manager_49b_global_user_set_install_type_local)
870 {
871     const char *const sm_app_id = "sm_test_49b_app_id_local";
872     const char *const sm_pkg_id = "sm_test_49b_pkg_id_local";
873
874     InstallRequest requestInst;
875     requestInst.setAppId(sm_app_id);
876     requestInst.setPkgId(sm_pkg_id);
877     requestInst.setInstallType(SM_APP_INSTALL_LOCAL);
878
879     Api::install(requestInst, (lib_retcode)SECURITY_MANAGER_ERROR_SERVER_ERROR);
880 }
881
882 RUNNER_TEST(security_manager_49c_global_user_set_install_type_preloaded)
883 {
884     const char *const sm_app_id = "sm_test_49c_app_id_preloaded";
885     const char *const sm_pkg_id = "sm_test_49c_pkg_id_preloaded";
886
887     InstallRequest requestInst;
888     requestInst.setAppId(sm_app_id);
889     requestInst.setPkgId(sm_pkg_id);
890     requestInst.setInstallType(SM_APP_INSTALL_PRELOADED);
891
892     Api::install(requestInst);
893
894     // Check records in the security-manager database
895     check_app_after_install(sm_app_id, sm_pkg_id);
896
897     InstallRequest requestUninst;
898     requestUninst.setAppId(sm_app_id);
899
900     Api::uninstall(requestUninst);
901
902     // Check records in the security-manager database
903     check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
904 }
905
906 RUNNER_CHILD_TEST(security_manager_49d_local_user_set_install_type_global)
907 {
908     int result;
909     const char *const sm_app_id = "sm_test_49d_app_id_global";
910     const char *const sm_pkg_id = "sm_test_49d_pkg_id_global";
911     const std::string new_user_name = "sm_test_49d_user_name";
912
913     TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
914     testUser.create();
915
916     removeTestDirs(testUser, sm_app_id, sm_pkg_id);
917     createTestDirs(testUser, sm_app_id, sm_pkg_id);
918
919     const std::string userAppDirPath = TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id);
920
921     //switch user to non-root
922     result = drop_root_privileges(testUser.getUid(), testUser.getGid());
923     RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
924
925     InstallRequest requestPrivateUser;
926     prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
927                     SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
928                     false);
929
930     requestPrivateUser.setInstallType((app_install_type)0, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
931     requestPrivateUser.setInstallType((app_install_type)22, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
932     requestPrivateUser.setInstallType(SM_APP_INSTALL_GLOBAL);
933
934     for (auto &privilege : SM_ALLOWED_PRIVILEGES)
935         requestPrivateUser.addPrivilege(privilege.c_str());
936
937     /*
938      * It is possible for local user to install global application but one needs app_install privileges
939      * By default only global user or root can install global apps
940      */
941     Api::install(requestPrivateUser, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
942 }
943
944 RUNNER_CHILD_TEST(security_manager_49e_local_user_set_install_type_local)
945 {
946     int result;
947     const char *const sm_app_id = "sm_test_49e_app_id_local";
948     const char *const sm_pkg_id = "sm_test_49e_pkg_id_local";
949     const std::string new_user_name = "sm_test_49e_user_name";
950
951     TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
952     testUser.create();
953
954     removeTestDirs(testUser, sm_app_id, sm_pkg_id);
955     createTestDirs(testUser, sm_app_id, sm_pkg_id);
956
957     const std::string userAppDirPath = TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id);
958
959     //switch user to non-root
960     result = drop_root_privileges(testUser.getUid(), testUser.getGid());
961     RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
962
963     InstallRequest requestPrivateUser;
964     prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
965                     SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
966                     false);
967
968     requestPrivateUser.setInstallType(SM_APP_INSTALL_LOCAL);
969
970     for (auto &privilege : SM_ALLOWED_PRIVILEGES)
971         requestPrivateUser.addPrivilege(privilege.c_str());
972
973     Api::install(requestPrivateUser);
974
975     check_app_permissions(sm_app_id, sm_pkg_id,
976                           uidToStr(testUser.getUid()).c_str(),
977                           SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
978
979     //uninstall app as non-root user
980     InstallRequest request;
981     request.setAppId(sm_app_id);
982
983     Api::uninstall(request);
984
985     check_app_permissions(sm_app_id, sm_pkg_id,
986                           uidToStr(testUser.getUid()).c_str(),
987                           SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
988 }
989
990 RUNNER_CHILD_TEST(security_manager_49f_local_user_set_install_type_preloaded)
991 {
992     int result;
993     const char *const sm_app_id = "sm_test_49f_app_id_preloaded";
994     const char *const sm_pkg_id = "sm_test_49f_pkg_id_preloaded";
995     const std::string new_user_name = "sm_test_49f_user_name";
996
997     TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
998     testUser.create();
999
1000     removeTestDirs(testUser, sm_app_id, sm_pkg_id);
1001     createTestDirs(testUser, sm_app_id, sm_pkg_id);
1002
1003     const std::string userAppDirPath = TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id);
1004
1005     //switch user to non-root
1006     result = drop_root_privileges(testUser.getUid(), testUser.getGid());
1007     RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1008
1009     InstallRequest requestPrivateUser;
1010     prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
1011                     SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
1012                     false);
1013
1014     requestPrivateUser.setInstallType((app_install_type)0, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
1015     requestPrivateUser.setInstallType((app_install_type)22, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
1016     requestPrivateUser.setInstallType(SM_APP_INSTALL_PRELOADED);
1017
1018     for (auto &privilege : SM_ALLOWED_PRIVILEGES)
1019         requestPrivateUser.addPrivilege(privilege.c_str());
1020
1021     /*
1022      * It is possible for local user to install preloaded application but one needs app_install privileges
1023      * By default only global user or root can install preloaded apps
1024      */
1025     Api::install(requestPrivateUser, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
1026 }
Domain: Security / Uncategorized;