2 * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 #include <attr/xattr.h>
22 #include <unordered_set>
24 #include <sys/capability.h>
25 #include <sys/smack.h>
26 #include <sys/types.h>
29 #include <cynara-admin.h>
31 #include <cynara_test_admin.h>
32 #include <dpl/test/test_runner.h>
34 #include <scoped_label.h>
35 #include <service_manager.h>
37 #include <sm_commons.h>
38 #include <sm_request.h>
39 #include <synchronization_pipe.h>
40 #include <temp_test_user.h>
41 #include <tests_common.h>
42 #include <tzplatform.h>
45 using namespace SecurityManagerTest;
47 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
49 RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall)
51 const char *const sm_app_id = "sm_test_01a_app_id_double";
52 const char *const sm_pkg_id = "sm_test_01a_pkg_id_double";
54 InstallRequest requestInst;
55 requestInst.setAppId(sm_app_id);
56 requestInst.setPkgId(sm_pkg_id);
58 Api::install(requestInst);
59 Api::install(requestInst);
61 // Check records in the security-manager database
62 check_app_after_install(sm_app_id, sm_pkg_id);
64 InstallRequest requestUninst;
65 requestUninst.setAppId(sm_app_id);
67 Api::uninstall(requestUninst);
68 Api::uninstall(requestUninst);
70 // Check records in the security-manager database
71 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
74 RUNNER_TEST(security_manager_01b_app_double_install_wrong_pkg_id)
76 const char *const sm_app_id = "sm_test_01b_app";
77 const char *const sm_pkg_id = "sm_test_01b_pkg";
78 const char *const sm_pkg_id_wrong = "sm_test_01b_pkg_BAD";
80 InstallRequest requestInst;
81 requestInst.setAppId(sm_app_id);
82 requestInst.setPkgId(sm_pkg_id);
84 Api::install(requestInst);
86 InstallRequest requestInst2;
87 requestInst2.setAppId(sm_app_id);
88 requestInst2.setPkgId(sm_pkg_id_wrong);
90 Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM);
93 /* Check records in the security-manager database */
94 check_app_after_install(sm_app_id, sm_pkg_id);
96 InstallRequest requestUninst;
97 requestUninst.setAppId(sm_app_id);
99 Api::uninstall(requestUninst);
102 /* Check records in the security-manager database */
103 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
106 RUNNER_TEST(security_manager_01c_app_uninstall_pkg_id_ignored)
108 const char * const sm_app_id = "SM_TEST_01c_APPID";
109 const char * const sm_pkg_id = "SM_TEST_01c_PKGID";
110 const char * const sm_pkg_id_wrong = "SM_TEST_01c_PKGID_wrong";
112 InstallRequest requestInst;
113 requestInst.setAppId(sm_app_id);
114 requestInst.setPkgId(sm_pkg_id);
116 Api::install(requestInst);
118 /* Check records in the security-manager database */
119 check_app_after_install(sm_app_id, sm_pkg_id);
121 InstallRequest requestUninst;
122 requestUninst.setAppId(sm_app_id);
123 requestUninst.setPkgId(sm_pkg_id_wrong);
125 Api::uninstall(requestUninst);
127 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
130 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
132 std::string SM_RW_PATH = genRWPath(2);
133 std::string SM_RO_PATH = genROPath(2);
134 std::string SM_PUBLIC_RO_PATH = genPublicROPath(2);
136 const char *const sm_app_id = "sm_test_02_app_id_full";
137 const char *const sm_pkg_id = "sm_test_02_pkg_id_full";
141 InstallRequest requestInst;
142 requestInst.setAppId(sm_app_id);
143 requestInst.setPkgId(sm_pkg_id);
144 requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str());
145 requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str());
146 requestInst.addPath(SM_RW_PATH, SECURITY_MANAGER_PATH_RW);
147 requestInst.addPath(SM_RO_PATH, SECURITY_MANAGER_PATH_RO);
148 requestInst.addPath(SM_PUBLIC_RO_PATH, SECURITY_MANAGER_PATH_PUBLIC_RO);
150 Api::install(requestInst);
152 /* Check records in the security-manager database */
153 check_app_after_install(sm_app_id, sm_pkg_id,
154 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
156 /* TODO: add parameters to this function */
157 check_app_path_after_install(2, sm_pkg_id, false);
159 InstallRequest requestUninst;
160 requestUninst.setAppId(sm_app_id);
162 Api::uninstall(requestUninst);
164 /* Check records in the security-manager database,
165 * all previously allowed privileges should be removed */
166 check_app_after_uninstall(sm_app_id, sm_pkg_id,
167 SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
170 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
172 const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack";
173 const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
174 const char *const socketLabel = "not_expected_label";
175 std::string expected_label = generateProcessLabel(app_id);
176 std::string expected_socket_label = socketLabel;
177 char *label = nullptr;
181 uninstall_app(app_id, pkg_id, true);
182 install_app(app_id, pkg_id);
184 const auto sockaddr = UDSHelpers::makeAbstractAddress("sm_test_03.socket");
185 int sock = UDSHelpers::createServer(&sockaddr);
186 SockUniquePtr sockPtr(&sock);
188 //Set socket label to something different than expecedLabel
189 result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPIN, socketLabel);
190 RUNNER_ASSERT_ERRNO_MSG(result == 0,
191 "Can't set socket label. Result: " << result);
192 result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPOUT, socketLabel);
193 RUNNER_ASSERT_ERRNO_MSG(result == 0,
194 "Can't set socket label. Result: " << result);
197 SynchronizationPipe pipe;
200 if (pid != 0) { // parent process
201 pipe.claimParentEp();
202 Api::setProcessLabel(app_id);
204 result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPIN, &label);
205 RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
206 labelPtr.reset(label);
207 result = expected_socket_label.compare(label);
208 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
209 expected_label << " Actual: " << label);
211 result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPOUT, &label);
212 RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
213 labelPtr.reset(label);
214 result = expected_socket_label.compare(label);
215 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
216 expected_label << " Actual: " << label);
218 result = smack_new_label_from_self(&label);
219 RUNNER_ASSERT_MSG(result >= 0,
220 " Error getting current process label");
221 RUNNER_ASSERT_MSG(label != nullptr,
222 " Process label is not set");
223 labelPtr.reset(label);
225 result = expected_label.compare(label);
226 RUNNER_ASSERT_MSG(result == 0,
227 " Process label is incorrect. Expected: \"" << expected_label <<
228 "\" Actual: \"" << label << "\"");
231 } else { // child process
234 uninstall_app(app_id, pkg_id, true);
239 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
241 const char *const app_id = "sm_test_03_app_id_set_label_from_appid_nosmack";
242 const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_nosmack";
244 uninstall_app(app_id, pkg_id, true);
245 install_app(app_id, pkg_id);
248 ScopedProcessLabel keepLabel;
249 Api::setProcessLabel(app_id);
252 uninstall_app(app_id, pkg_id, true);
255 static void install_and_check(const char *const sm_app_id,
256 const char *const sm_pkg_id,
257 const TemporaryTestUser& user,
258 const std::string &appDir,
261 InstallRequest requestPrivate;
263 //install app for non-root user
264 //should fail (users may only register folders inside their home)
265 prepare_request(requestPrivate, sm_app_id, sm_pkg_id,
266 SECURITY_MANAGER_PATH_RW, SM_RW_PATH,
267 requestUid ? user.getUid() : 0);
269 Api::install(requestPrivate, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
271 InstallRequest requestPrivateUser;
273 //install app for non-root user
274 //should succeed - this time i register folder inside user's home dir
275 prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
276 SECURITY_MANAGER_PATH_RW, appDir.c_str(),
277 requestUid ? user.getUid() : 0);
279 for (auto &privilege : SM_ALLOWED_PRIVILEGES)
280 requestPrivateUser.addPrivilege(privilege.c_str());
282 Api::install(requestPrivateUser);
284 check_app_permissions(sm_app_id, sm_pkg_id,
285 uidToStr(user.getUid()).c_str(),
286 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
289 RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
292 const char *const sm_app_id = "sm_test_04a_app_id_uid";
293 const char *const sm_pkg_id = "sm_test_04a_pkg_id_uid";
294 const std::string new_user_name = "sm_test_04a_user_name";
296 TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
299 removeTestDirs(testUser, sm_app_id, sm_pkg_id);
300 createTestDirs(testUser, sm_app_id, sm_pkg_id);
302 const std::string userAppDirPath = TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id);
304 //switch user to non-root
305 result = drop_root_privileges(testUser.getUid(), testUser.getGid());
306 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
308 install_and_check(sm_app_id, sm_pkg_id, testUser, userAppDirPath, false);
310 //uninstall app as non-root user
311 InstallRequest request;
312 request.setAppId(sm_app_id);
314 Api::uninstall(request);
316 check_app_permissions(sm_app_id, sm_pkg_id,
317 uidToStr(testUser.getUid()).c_str(),
318 SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
321 RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user)
324 const char *const sm_app_id = "sm_test_04b_app_id_uid";
325 const char *const sm_pkg_id = "sm_test_04b_pkg_id_uid";
326 const std::string new_user_name = "sm_test_04b_user_name";
328 TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
331 removeTestDirs(testUser, sm_app_id, sm_pkg_id);
332 createTestDirs(testUser, sm_app_id, sm_pkg_id);
334 install_and_check(sm_app_id, sm_pkg_id, testUser,
335 TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id), true);
337 //switch user to non-root - root may not uninstall apps for specified users
338 result = drop_root_privileges(testUser.getUid(), testUser.getGid());
339 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
341 //uninstall app as non-root user
342 InstallRequest request;
343 request.setAppId(sm_app_id);
345 Api::uninstall(request);
347 check_app_permissions(sm_app_id, sm_pkg_id,
348 uidToStr(testUser.getUid()).c_str(),
349 SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
352 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
355 CapsSetsUniquePtr caps_empty(cap_init());
356 auto caps = setCaps("all=eip");
357 Api::dropProcessPrivileges();
359 caps.reset(cap_get_proc());
360 RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
362 result = cap_compare(caps.get(), caps_empty.get());
363 RUNNER_ASSERT_MSG(result == 0,
364 "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
367 RUNNER_CHILD_TEST(security_manager_06_install_app_offline)
369 const char *const app_id = "sm_test_06_app_id_install_app_offline";
370 const char *const pkg_id = "sm_test_06_pkg_id_install_app_offline";
372 // Uninstall app on-line, off-line mode doesn't support it
373 uninstall_app(app_id, pkg_id, true);
375 ServiceManager("security-manager.service").stopService();
377 ServiceManager serviceManager("security-manager.socket");
378 serviceManager.stopService();
380 install_app(app_id, pkg_id);
382 serviceManager.startService();
384 uninstall_app(app_id, pkg_id, true);
387 RUNNER_CHILD_TEST(security_manager_07_user_add_app_install)
389 const char *const sm_app_id = "sm_test_07_app_id_user";
390 const char *const sm_pkg_id = "sm_test_07_pkg_id_user";
391 const std::string new_user_name = "sm_test_07_user_name";
392 std::string uid_string;
393 TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
395 test_user.getUidString(uid_string);
397 removeTestDirs(test_user, sm_app_id, sm_pkg_id);
398 createTestDirs(test_user, sm_app_id, sm_pkg_id);
400 install_app(sm_app_id, sm_pkg_id, test_user.getUid());
402 check_app_after_install(sm_app_id, sm_pkg_id);
406 check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
408 check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
411 RUNNER_CHILD_TEST(security_manager_08_user_double_add_double_remove)
413 UserRequest addUserRequest;
415 const char *const sm_app_id = "sm_test_08_app_id_user";
416 const char *const sm_pkg_id = "sm_test_08_pkg_id_user";
417 const std::string new_user_name = "sm_test_08_user_name";
418 std::string uid_string;
421 TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
423 test_user.getUidString(uid_string);
425 removeTestDirs(test_user, sm_app_id, sm_pkg_id);
426 createTestDirs(test_user, sm_app_id, sm_pkg_id);
428 addUserRequest.setUid(test_user.getUid());
429 addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
432 Api::addUser(addUserRequest);
434 install_app(sm_app_id, sm_pkg_id, test_user.getUid());
436 check_app_after_install(sm_app_id, sm_pkg_id);
440 UserRequest deleteUserRequest;
441 deleteUserRequest.setUid(test_user.getUid());
443 Api::deleteUser(deleteUserRequest);
445 check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
447 check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
450 RUNNER_CHILD_TEST(security_manager_09_add_user_offline)
452 const char *const app_id = "security_manager_09_add_user_offline_app";
453 const char *const pkg_id = "security_manager_09_add_user_offline_pkg";
454 const std::string new_user_name("sm_test_09_user_name");
456 ServiceManager("security-manager.service").stopService();
458 ServiceManager serviceManager("security-manager.socket");
459 serviceManager.stopService();
461 TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, true);
464 removeTestDirs(test_user, app_id, pkg_id);
465 createTestDirs(test_user, app_id, pkg_id);
467 install_app(app_id, pkg_id, test_user.getUid());
469 check_app_after_install(app_id, pkg_id);
471 serviceManager.startService();
475 check_app_after_uninstall(app_id, pkg_id, true);
478 RUNNER_TEST(security_manager_50_app_install_constraint_check)
480 auto install = [](const TemporaryTestUser& user,
485 enum lib_retcode expected,
486 bool uninstall = true)
488 InstallRequest request;
489 request.setAppId(appId);
490 request.setPkgId(pkgId);
491 request.setAppTizenVersion(version);
492 request.setAuthorId(author);
493 request.setUid(user.getUid());
495 Api::install(request, expected);
497 if(expected == SECURITY_MANAGER_SUCCESS) {
498 // TODO add verification once check_app_after_install() supports uid
499 // check_app_after_install(appId, pkgId);
501 Api::uninstall(request);
505 std::vector<TemporaryTestUser> users = {
506 {"sm_test_50_user_name_0", GUM_USERTYPE_NORMAL, false},
507 {"sm_test_50_user_name_1", GUM_USERTYPE_NORMAL, false}
510 for(auto& gu : users)
513 const char *const pkgId[] = {"sm_test_50_pkg_id_0", "sm_test_50_pkg_id_1"};
514 const char *const appId[] = {"sm_test_50_app_id_0", "sm_test_50_app_id_1"};
515 const char *const version[] = {"sm_test_50_version_0", "sm_test_50_version_1"};
516 const char *const author[] = {"sm_test_50_author_0", "sm_test_50_author_1"};
518 // uid_0, pkg_0, app_0, version_0, author_0
519 install(users[0], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS, false);
521 // uid_1, pkg_0, app_0, version_0, author_0 -> ok (different uid)
522 install(users[1], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS);
523 // uid_1, pkg_0, app_0, version_0, author_1 -> fail (author of app_0 must be the same)
524 install(users[1], pkgId[0], appId[0], version[0], author[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
525 // uid_1, pkg_0, app_0, version_1, author_0 -> fail (version of app_0 must be the same)
526 install(users[1], pkgId[0], appId[0], version[1], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
527 // uid_1, pkg_1, app_0, version_0, author_0 -> fail (pkg of app_0 must be the same)
528 install(users[1], pkgId[1], appId[0], version[0], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
529 // uid_0, pkg_0, app_0, version_0, author_0 -> ok (the same app again)
530 install(users[0], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS, false);
531 // uid_0, pkg_1, app_0, version_0, author_0 -> fail (app_name + uid must be unique)
532 install(users[0], pkgId[1], appId[0], version[0], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
533 // uid_0, pkg_0, app_0, version_1, author_0 -> fail (app_name + uid must be unique)
534 install(users[0], pkgId[0], appId[0], version[1], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
535 // uid_0, pkg_0, app_0, version_0, author_1 -> fail (app_name + uid must be unique)
536 install(users[0], pkgId[0], appId[0], version[0], author[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
539 RUNNER_CHILD_TEST(security_manager_53_app_has_privilege)
541 const char *const sm_app_id = "sm_test_53_app";
542 const char *const sm_pkg_id = "sm_test_53_pkg";
543 const std::string new_user_name = "sm_test_47_user_name";
545 InstallRequest requestInst;
546 requestInst.setAppId(sm_app_id);
547 requestInst.setPkgId(sm_pkg_id);
548 for (auto const &privilege : SM_ALLOWED_PRIVILEGES)
549 requestInst.addPrivilege(privilege.c_str());
550 Api::install(requestInst);
552 for (auto const &privilege : SM_ALLOWED_PRIVILEGES) {
554 Api::appHasPrivilege(sm_app_id, privilege.c_str(), TzPlatformConfig::getGlobalUserId(),
556 RUNNER_ASSERT_MSG(result == 1, "Application " << sm_app_id <<
557 " should have access to privilege " << privilege);
560 for (auto const &privilege : SM_DENIED_PRIVILEGES) {
562 Api::appHasPrivilege(sm_app_id, privilege.c_str(), TzPlatformConfig::getGlobalUserId(),
564 RUNNER_ASSERT_MSG(result == 0, "Application " << sm_app_id <<
565 " should not have access to privilege " << privilege);
568 InstallRequest requestUninst;
569 requestUninst.setAppId(sm_app_id);
570 Api::uninstall(requestUninst);
573 RUNNER_TEST_GROUP_INIT(SECRUTIY_MANAGER_POLICY)
575 RUNNER_TEST(security_manager_18_user_cynara_policy)
577 const char *const MAIN_BUCKET = "MAIN";
578 const char *const MANIFESTS_BUCKET = "MANIFESTS";
579 const char *const ADMIN_BUCKET = "ADMIN";
580 const char *const USER_TYPE_NORMAL_BUCKET = "USER_TYPE_NORMAL";
581 const std::string username("sm_test_10_user_cynara_policy");
582 CynaraTestAdmin::Admin admin;
583 std::string uid_string;
584 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
586 user.getUidString(uid_string);
588 CynaraTestAdmin::CynaraPoliciesContainer nonemptyContainer;
589 nonemptyContainer.add(MAIN_BUCKET,CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_BUCKET, USER_TYPE_NORMAL_BUCKET);
590 admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, nonemptyContainer,CYNARA_API_SUCCESS);
593 CynaraTestAdmin::CynaraPoliciesContainer emptyContainer;
595 admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
596 admin.listPolicies(MANIFESTS_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
597 admin.listPolicies(CYNARA_ADMIN_DEFAULT_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
598 admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
601 RUNNER_CHILD_TEST(security_manager_21_security_manager_admin_deny_user_priv)
603 const int BUFFER_SIZE = 128;
607 char buf[BUFFER_SIZE];
610 privileges_t admin_required_privs = {
611 "http://tizen.org/privilege/notexist",
612 "http://tizen.org/privilege/internal/usermanagement"};
613 privileges_t manifest_privs = {
614 "http://tizen.org/privilege/internet",
615 "http://tizen.org/privilege/datasharing"};
616 privileges_t real_privs_allow = {"http://tizen.org/privilege/datasharing"};
617 privileges_t real_privs_deny = {"http://tizen.org/privilege/internet"};
619 const std::string pirivman_id = "sm_test_13_ADMIN_APP";
620 const std::string pirivman_pkg_id = "sm_test_13_ADMIN_PKG";
621 const std::string app_id = "sm_test_13_SOME_APP";
622 const std::string pkg_id = "sm_test_13_SOME_PKG";
628 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
630 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
631 if (pid != 0)//parent process
633 std::string childuidstr;
634 TemporaryTestUser admin("sm_test_13_ADMIN_USER", GUM_USERTYPE_ADMIN, false);
635 TemporaryTestUser child("sm_test_13_NORMAL_USER", GUM_USERTYPE_NORMAL, false);
637 InstallRequest request,request2;
638 FdUniquePtr pipeptr(pipefd+1);
643 child.getUidString(childuidstr);
645 //install privacy manager for admin
646 request.setAppId(pirivman_id.c_str());
647 request.setPkgId(pirivman_pkg_id.c_str());
648 request.setUid(admin.getUid());
649 for (auto &priv: admin_required_privs)
650 request.addPrivilege(priv.c_str());
651 Api::install(request);
653 //install app for child that has internet privilege
654 request2.setAppId(app_id.c_str());
655 request2.setPkgId(pkg_id.c_str());
656 request2.setUid(child.getUid());
657 for (auto &priv: manifest_privs)
658 request2.addPrivilege(priv.c_str());
659 Api::install(request2);
661 check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
662 manifest_privs, SM_NO_PRIVILEGES);
665 msg.uid = admin.getUid();
666 msg.gid = admin.getGid();
667 strncpy (msg.buf, childuidstr.c_str(), BUFFER_SIZE);
669 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
670 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
674 check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
675 real_privs_allow, real_privs_deny);
679 FdUniquePtr pipeptr(pipefd);
682 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
683 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
685 //become admin privacy manager manager
686 Api::setProcessLabel(pirivman_id.c_str());
687 result = drop_root_privileges(msg.uid, msg.gid);
688 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
689 PolicyRequest addPolicyReq;
691 for (auto &denypriv:real_privs_deny) {
692 /*this entry will deny some privileges for user whose uid (as c string)
693 was sent in message's buf field.
694 That user would be denying internet for child in this case*/
695 PolicyEntry entry(SECURITY_MANAGER_ANY, msg.buf, denypriv);
696 entry.setMaxLevel("Deny");
697 addPolicyReq.addEntry(entry);
699 Api::sendPolicy(addPolicyReq);
704 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_CMD)
706 RUNNER_TEST(security_manager_19_security_manager_cmd_install)
709 const int SUCCESS = 0;
710 const int FAILURE = 256;
711 const std::string app_id = "security_manager_10_app";
712 const std::string pkg_id = "security_manager_10_pkg";
713 const std::string username("sm_test_10_user_name");
714 std::string uid_string;
715 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
717 user.getUidString(uid_string);
718 const std::string path1 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p1";
719 const std::string path2 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p2";
720 const std::string pkgopt = " --pkg=" + pkg_id;
721 const std::string appopt = " --app=" + app_id;
722 const std::string uidopt = " --uid=" + uid_string;
724 mktreeSafe(path1.c_str(), 0);
725 mktreeSafe(path2.c_str(), 0);
727 const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt;
733 std::vector<struct operation> operations = {
734 {"security-manager-cmd", FAILURE},//no option
735 {"security-manager-cmd --blah", FAILURE},//blah option is not known
736 {"security-manager-cmd --help", SUCCESS},
737 {"security-manager-cmd --install", FAILURE},//no params
738 {"security-manager-cmd -i", FAILURE},//no params
739 {"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid
740 {installcmd, SUCCESS},
741 {"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS},
742 {installcmd + " --path " + path1 + " rw", SUCCESS},
743 {installcmd + " --path " + path1, FAILURE},//no path type
744 {installcmd + " --path " + path1 + " rw" + " --path " + path2 + " ro", SUCCESS},
745 {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " ro", FAILURE},//wrong path type
746 {installcmd + " --path " + path1 + " rw" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
749 for (auto &op : operations) {
750 ret = system((op.command + " 1>/dev/null 2>&1").c_str());
751 RUNNER_ASSERT_MSG(ret == op.expected_result,
752 "Unexpected result for command '" << op.command <<"': "
753 << ret << " Expected was: "<< op.expected_result);
757 RUNNER_TEST(security_manager_20_security_manager_cmd_users)
760 const int SUCCESS = 0;
761 const int FAILURE = 256;
762 const std::string username("sm_test_11_user_name");
763 std::string uid_string;
764 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
766 user.getUidString(uid_string);
767 const std::string uidopt = " --uid=" + uid_string;
773 std::vector<struct operation> operations = {
774 {"security-manager-cmd --manage-users=remove", FAILURE},//no params
775 {"security-manager-cmd -m", FAILURE},//no params
776 {"security-manager-cmd -mr", FAILURE},//no uid
777 {"security-manager-cmd -mr --uid" + uidopt, FAILURE},//no uid
778 {"security-manager-cmd -mr --sdfj" + uidopt, FAILURE},//sdfj?
779 {"security-manager-cmd --msdf -u2004" , FAILURE},//sdf?
780 {"security-manager-cmd -mr" + uidopt, SUCCESS},//ok, removed
781 {"security-manager-cmd -mr --blah" + uidopt, FAILURE},//blah
782 {"security-manager-cmd -ma" + uidopt, SUCCESS},//ok, added
783 {"security-manager-cmd -ma --usertype=normal" + uidopt, SUCCESS},//ok, added
784 {"security-manager-cmd -ma --usertype=mal" + uidopt, FAILURE},//ok, added
787 for (auto &op : operations) {
788 ret = system((op.command + " 1>/dev/null 2>&1").c_str());
789 RUNNER_ASSERT_MSG(ret == op.expected_result,
790 "Unexpected result for command '" << op.command <<"': "
791 << ret << " Expected was: "<< op.expected_result);
795 std::vector<std::string> readPrivilegeGroups()
797 std::vector<std::string> groups;
798 const static std::string privilegeGroupMappingPath("/usr/share/security-manager/policy/privilege-group.list");
799 std::ifstream mappingFile(privilegeGroupMappingPath);
801 RUNNER_ASSERT_MSG(mappingFile.is_open(),
802 "Unable to read group mapping file " << privilegeGroupMappingPath);
805 std::regex r("^[^ #]+ +(.*)");
806 while (std::getline(mappingFile, line)) {
808 if (std::regex_search(line, m, r))
809 groups.push_back(m[1]);
815 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_GROUPS)
817 RUNNER_TEST(security_manager_22_groups_get)
819 std::unordered_set<std::string> groups;
820 auto tmp = readPrivilegeGroups();
821 groups.insert(tmp.begin(), tmp.end());
826 Api::getSecurityManagerGroups(&c_groups, &count);
827 RUNNER_ASSERT_MSG(count == groups.size(), "security_manager_groups_get should set count to: "
828 << groups.size() << " but count is: " << count);
830 for (const auto &group : groups) {
832 for (size_t i = 0; i < count; ++i) {
833 if (group == c_groups[i]) {
838 RUNNER_ASSERT_MSG(found, "PrivilegeGroup: " << group << " was not found");
840 security_manager_groups_free(c_groups, count);
843 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_INSTALL_TYPE)
845 RUNNER_TEST(security_manager_49a_global_user_set_install_type_global)
847 const char *const sm_app_id = "sm_test_49a_app_id_global";
848 const char *const sm_pkg_id = "sm_test_49a_pkg_id_global";
850 InstallRequest requestInst;
851 requestInst.setAppId(sm_app_id);
852 requestInst.setPkgId(sm_pkg_id);
853 requestInst.setInstallType(SM_APP_INSTALL_GLOBAL);
855 Api::install(requestInst);
857 // Check records in the security-manager database
858 check_app_after_install(sm_app_id, sm_pkg_id);
860 InstallRequest requestUninst;
861 requestUninst.setAppId(sm_app_id);
863 Api::uninstall(requestUninst);
865 // Check records in the security-manager database
866 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
869 RUNNER_TEST(security_manager_49b_global_user_set_install_type_local)
871 const char *const sm_app_id = "sm_test_49b_app_id_local";
872 const char *const sm_pkg_id = "sm_test_49b_pkg_id_local";
874 InstallRequest requestInst;
875 requestInst.setAppId(sm_app_id);
876 requestInst.setPkgId(sm_pkg_id);
877 requestInst.setInstallType(SM_APP_INSTALL_LOCAL);
879 Api::install(requestInst, (lib_retcode)SECURITY_MANAGER_ERROR_SERVER_ERROR);
882 RUNNER_TEST(security_manager_49c_global_user_set_install_type_preloaded)
884 const char *const sm_app_id = "sm_test_49c_app_id_preloaded";
885 const char *const sm_pkg_id = "sm_test_49c_pkg_id_preloaded";
887 InstallRequest requestInst;
888 requestInst.setAppId(sm_app_id);
889 requestInst.setPkgId(sm_pkg_id);
890 requestInst.setInstallType(SM_APP_INSTALL_PRELOADED);
892 Api::install(requestInst);
894 // Check records in the security-manager database
895 check_app_after_install(sm_app_id, sm_pkg_id);
897 InstallRequest requestUninst;
898 requestUninst.setAppId(sm_app_id);
900 Api::uninstall(requestUninst);
902 // Check records in the security-manager database
903 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
906 RUNNER_CHILD_TEST(security_manager_49d_local_user_set_install_type_global)
909 const char *const sm_app_id = "sm_test_49d_app_id_global";
910 const char *const sm_pkg_id = "sm_test_49d_pkg_id_global";
911 const std::string new_user_name = "sm_test_49d_user_name";
913 TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
916 removeTestDirs(testUser, sm_app_id, sm_pkg_id);
917 createTestDirs(testUser, sm_app_id, sm_pkg_id);
919 const std::string userAppDirPath = TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id);
921 //switch user to non-root
922 result = drop_root_privileges(testUser.getUid(), testUser.getGid());
923 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
925 InstallRequest requestPrivateUser;
926 prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
927 SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
930 requestPrivateUser.setInstallType((app_install_type)0, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
931 requestPrivateUser.setInstallType((app_install_type)22, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
932 requestPrivateUser.setInstallType(SM_APP_INSTALL_GLOBAL);
934 for (auto &privilege : SM_ALLOWED_PRIVILEGES)
935 requestPrivateUser.addPrivilege(privilege.c_str());
938 * It is possible for local user to install global application but one needs app_install privileges
939 * By default only global user or root can install global apps
941 Api::install(requestPrivateUser, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
944 RUNNER_CHILD_TEST(security_manager_49e_local_user_set_install_type_local)
947 const char *const sm_app_id = "sm_test_49e_app_id_local";
948 const char *const sm_pkg_id = "sm_test_49e_pkg_id_local";
949 const std::string new_user_name = "sm_test_49e_user_name";
951 TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
954 removeTestDirs(testUser, sm_app_id, sm_pkg_id);
955 createTestDirs(testUser, sm_app_id, sm_pkg_id);
957 const std::string userAppDirPath = TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id);
959 //switch user to non-root
960 result = drop_root_privileges(testUser.getUid(), testUser.getGid());
961 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
963 InstallRequest requestPrivateUser;
964 prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
965 SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
968 requestPrivateUser.setInstallType(SM_APP_INSTALL_LOCAL);
970 for (auto &privilege : SM_ALLOWED_PRIVILEGES)
971 requestPrivateUser.addPrivilege(privilege.c_str());
973 Api::install(requestPrivateUser);
975 check_app_permissions(sm_app_id, sm_pkg_id,
976 uidToStr(testUser.getUid()).c_str(),
977 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
979 //uninstall app as non-root user
980 InstallRequest request;
981 request.setAppId(sm_app_id);
983 Api::uninstall(request);
985 check_app_permissions(sm_app_id, sm_pkg_id,
986 uidToStr(testUser.getUid()).c_str(),
987 SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
990 RUNNER_CHILD_TEST(security_manager_49f_local_user_set_install_type_preloaded)
993 const char *const sm_app_id = "sm_test_49f_app_id_preloaded";
994 const char *const sm_pkg_id = "sm_test_49f_pkg_id_preloaded";
995 const std::string new_user_name = "sm_test_49f_user_name";
997 TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
1000 removeTestDirs(testUser, sm_app_id, sm_pkg_id);
1001 createTestDirs(testUser, sm_app_id, sm_pkg_id);
1003 const std::string userAppDirPath = TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id);
1005 //switch user to non-root
1006 result = drop_root_privileges(testUser.getUid(), testUser.getGid());
1007 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1009 InstallRequest requestPrivateUser;
1010 prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
1011 SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
1014 requestPrivateUser.setInstallType((app_install_type)0, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
1015 requestPrivateUser.setInstallType((app_install_type)22, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
1016 requestPrivateUser.setInstallType(SM_APP_INSTALL_PRELOADED);
1018 for (auto &privilege : SM_ALLOWED_PRIVILEGES)
1019 requestPrivateUser.addPrivilege(privilege.c_str());
1022 * It is possible for local user to install preloaded application but one needs app_install privileges
1023 * By default only global user or root can install preloaded apps
1025 Api::install(requestPrivateUser, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);