src/security-manager-tests/test_cases.cpp

   1 /*
   2  * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
   3  *
   4  *    Licensed under the Apache License, Version 2.0 (the "License");
   5  *    you may not use this file except in compliance with the License.
   6  *    You may obtain a copy of the License at
   7  *
   8  *        http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  *    Unless required by applicable law or agreed to in writing, software
  11  *    distributed under the License is distributed on an "AS IS" BASIS,
  12  *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  *    See the License for the specific language governing permissions and
  14  *    limitations under the License.
  15  */
  16
  17 #include <sys/capability.h>
  18 #include <sys/smack.h>
  19 #include <sys/types.h>
  20 #include <unistd.h>
  21 #include <attr/xattr.h>
  22
  23 #include <cstdlib>
  24 #include <dpl/test/test_runner.h>
  25 #include <memory>
  26 #include <scoped_label.h>
  27 #include <service_manager.h>
  28 #include <sm_api.h>
  29 #include <sm_commons.h>
  30 #include <sm_request.h>
  31 #include <synchronization_pipe.h>
  32 #include <tests_common.h>
  33 #include <tzplatform.h>
  34 #include <uds.h>
  35
  36 using namespace SecurityManagerTest;
  37
  38 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
  39
  40 RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall)
  41 {
  42     const char *const sm_app_id = "sm_test_01a_app_id_double";
  43     const char *const sm_pkg_id = "sm_test_01a_pkg_id_double";
  44
  45     InstallRequest requestInst;
  46     requestInst.setAppId(sm_app_id);
  47     requestInst.setPkgId(sm_pkg_id);
  48
  49     Api::install(requestInst);
  50     Api::install(requestInst);
  51
  52     // Check records in the security-manager database
  53     check_app_after_install(sm_app_id, sm_pkg_id);
  54
  55     InstallRequest requestUninst;
  56     requestUninst.setAppId(sm_app_id);
  57
  58     Api::uninstall(requestUninst);
  59     Api::uninstall(requestUninst);
  60
  61     // Check records in the security-manager database
  62     check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
  63 }
  64
  65 RUNNER_TEST(security_manager_01b_app_double_install_wrong_pkg_id)
  66 {
  67     const char *const sm_app_id = "sm_test_01b_app";
  68     const char *const sm_pkg_id = "sm_test_01b_pkg";
  69     const char *const sm_pkg_id_wrong = "sm_test_01b_pkg_BAD";
  70
  71     InstallRequest requestInst;
  72     requestInst.setAppId(sm_app_id);
  73     requestInst.setPkgId(sm_pkg_id);
  74
  75     Api::install(requestInst);
  76
  77     InstallRequest requestInst2;
  78     requestInst2.setAppId(sm_app_id);
  79     requestInst2.setPkgId(sm_pkg_id_wrong);
  80
  81     Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM);
  82
  83
  84     /* Check records in the security-manager database */
  85     check_app_after_install(sm_app_id, sm_pkg_id);
  86
  87     InstallRequest requestUninst;
  88     requestUninst.setAppId(sm_app_id);
  89
  90     Api::uninstall(requestUninst);
  91
  92
  93     /* Check records in the security-manager database */
  94     check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
  95 }
  96
  97 RUNNER_TEST(security_manager_01c_app_uninstall_pkg_id_ignored)
  98 {
  99     const char * const  sm_app_id = "SM_TEST_01c_APPID";
 100     const char * const  sm_pkg_id = "SM_TEST_01c_PKGID";
 101     const char * const  sm_pkg_id_wrong = "SM_TEST_01c_PKGID_wrong";
 102
 103     InstallRequest requestInst;
 104     requestInst.setAppId(sm_app_id);
 105     requestInst.setPkgId(sm_pkg_id);
 106
 107     Api::install(requestInst);
 108
 109     /* Check records in the security-manager database */
 110     check_app_after_install(sm_app_id, sm_pkg_id);
 111
 112     InstallRequest requestUninst;
 113     requestUninst.setAppId(sm_app_id);
 114     requestUninst.setPkgId(sm_pkg_id_wrong);
 115
 116     Api::uninstall(requestUninst);
 117
 118     check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
 119 }
 120
 121 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
 122 {
 123     std::string SM_RW_PATH = genRWPath(2);
 124     std::string SM_RO_PATH = genROPath(2);
 125     std::string SM_PUBLIC_RO_PATH = genPublicROPath(2);
 126
 127     const char *const sm_app_id = "sm_test_02_app_id_full";
 128     const char *const sm_pkg_id = "sm_test_02_pkg_id_full";
 129
 130     prepare_app_env(2);
 131
 132     InstallRequest requestInst;
 133     requestInst.setAppId(sm_app_id);
 134     requestInst.setPkgId(sm_pkg_id);
 135     requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str());
 136     requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str());
 137     requestInst.addPath(SM_RW_PATH, SECURITY_MANAGER_PATH_RW);
 138     requestInst.addPath(SM_RO_PATH, SECURITY_MANAGER_PATH_RO);
 139     requestInst.addPath(SM_PUBLIC_RO_PATH, SECURITY_MANAGER_PATH_PUBLIC_RO);
 140
 141     Api::install(requestInst);
 142
 143     /* Check records in the security-manager database */
 144     check_app_after_install(sm_app_id, sm_pkg_id,
 145                             SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
 146
 147     /* TODO: add parameters to this function */
 148     check_app_path_after_install(2, sm_pkg_id, false);
 149
 150     InstallRequest requestUninst;
 151     requestUninst.setAppId(sm_app_id);
 152
 153     Api::uninstall(requestUninst);
 154
 155     /* Check records in the security-manager database,
 156      * all previously allowed privileges should be removed */
 157     check_app_after_uninstall(sm_app_id, sm_pkg_id,
 158                               SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
 159 }
 160
 161 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
 162 {
 163     const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack";
 164     const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
 165     const char *const socketLabel = "not_expected_label";
 166     std::string expected_label = generateAppLabel(app_id);
 167     std::string expected_socket_label = socketLabel;
 168     char *label = nullptr;
 169     CStringPtr labelPtr;
 170     int result;
 171
 172     uninstall_app(app_id, pkg_id, true);
 173     install_app(app_id, pkg_id);
 174
 175     const auto sockaddr = UDSHelpers::makeAbstractAddress("sm_test_03.socket");
 176     int sock = UDSHelpers::createServer(&sockaddr);
 177     SockUniquePtr sockPtr(&sock);
 178
 179     //Set socket label to something different than expecedLabel
 180     result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPIN, socketLabel);
 181     RUNNER_ASSERT_ERRNO_MSG(result == 0,
 182         "Can't set socket label. Result: " << result);
 183     result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPOUT, socketLabel);
 184     RUNNER_ASSERT_ERRNO_MSG(result == 0,
 185         "Can't set socket label. Result: " << result);
 186
 187
 188     SynchronizationPipe pipe;
 189     pid_t pid = fork();
 190
 191     if (pid != 0) { // parent process
 192         pipe.claimParentEp();
 193         Api::setProcessLabel(app_id);
 194
 195         result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPIN, &label);
 196         RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
 197         labelPtr.reset(label);
 198         result = expected_socket_label.compare(label);
 199         RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
 200             expected_label << " Actual: " << label);
 201
 202         result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPOUT, &label);
 203         RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
 204         labelPtr.reset(label);
 205         result = expected_socket_label.compare(label);
 206         RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
 207             expected_label << " Actual: " << label);
 208
 209         result = smack_new_label_from_self(&label);
 210         RUNNER_ASSERT_MSG(result >= 0,
 211                 " Error getting current process label");
 212         RUNNER_ASSERT_MSG(label != nullptr,
 213                 " Process label is not set");
 214         labelPtr.reset(label);
 215
 216         result = expected_label.compare(label);
 217         RUNNER_ASSERT_MSG(result == 0,
 218                 " Process label is incorrect. Expected: \"" << expected_label <<
 219                 "\" Actual: \"" << label << "\"");
 220         pipe.post();
 221         waitPid(pid);
 222     } else { // child process
 223         pipe.claimChildEp();
 224         pipe.wait();
 225         uninstall_app(app_id, pkg_id, true);
 226         exit(0);
 227     }
 228 }
 229
 230 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
 231 {
 232     const char *const app_id = "sm_test_03_app_id_set_label_from_appid_nosmack";
 233     const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_nosmack";
 234
 235     uninstall_app(app_id, pkg_id, true);
 236     install_app(app_id, pkg_id);
 237
 238     {
 239         ScopedProcessLabel keepLabel;
 240         Api::setProcessLabel(app_id);
 241     }
 242
 243     uninstall_app(app_id, pkg_id, true);
 244 }
 245
 246 static void install_and_check(const char *const sm_app_id,
 247                               const char *const sm_pkg_id,
 248                               const TemporaryTestUser& user,
 249                               const std::string &appDir,
 250                               bool requestUid)
 251 {
 252     InstallRequest requestPrivate;
 253
 254     //install app for non-root user
 255     //should fail (users may only register folders inside their home)
 256     prepare_request(requestPrivate, sm_app_id, sm_pkg_id,
 257                     SECURITY_MANAGER_PATH_RW, SM_RW_PATH,
 258                     requestUid ? user.getUid() : 0);
 259
 260     Api::install(requestPrivate, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
 261
 262     InstallRequest requestPrivateUser;
 263
 264     //install app for non-root user
 265     //should succeed - this time i register folder inside user's home dir
 266     prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
 267                     SECURITY_MANAGER_PATH_RW, appDir.c_str(),
 268                     requestUid ? user.getUid() : 0);
 269
 270     for (auto &privilege : SM_ALLOWED_PRIVILEGES)
 271         requestPrivateUser.addPrivilege(privilege.c_str());
 272
 273     Api::install(requestPrivateUser);
 274
 275     check_app_permissions(sm_app_id, sm_pkg_id,
 276                           uidToStr(user.getUid()).c_str(),
 277                           SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
 278 }
 279
 280 RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
 281 {
 282     int result;
 283     const char *const sm_app_id = "sm_test_04a_app_id_uid";
 284     const char *const sm_pkg_id = "sm_test_04a_pkg_id_uid";
 285     const std::string new_user_name = "sm_test_04a_user_name";
 286
 287     TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
 288     testUser.create();
 289
 290     removeTestDirs(testUser, sm_app_id, sm_pkg_id);
 291     createTestDirs(testUser, sm_app_id, sm_pkg_id);
 292
 293     const std::string userAppDirPath = TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id);
 294
 295     //switch user to non-root
 296     result = drop_root_privileges(testUser.getUid(), testUser.getGid());
 297     RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
 298
 299     install_and_check(sm_app_id, sm_pkg_id, testUser, userAppDirPath, false);
 300
 301     //uninstall app as non-root user
 302     InstallRequest request;
 303     request.setAppId(sm_app_id);
 304
 305     Api::uninstall(request);
 306
 307     check_app_permissions(sm_app_id, sm_pkg_id,
 308                           uidToStr(testUser.getUid()).c_str(),
 309                           SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
 310 }
 311
 312 RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user)
 313 {
 314     int result;
 315     const char *const sm_app_id = "sm_test_04b_app_id_uid";
 316     const char *const sm_pkg_id = "sm_test_04b_pkg_id_uid";
 317     const std::string new_user_name = "sm_test_04b_user_name";
 318
 319     TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
 320     testUser.create();
 321
 322     removeTestDirs(testUser, sm_app_id, sm_pkg_id);
 323     createTestDirs(testUser, sm_app_id, sm_pkg_id);
 324
 325     install_and_check(sm_app_id, sm_pkg_id, testUser,
 326                       TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id), true);
 327
 328     //switch user to non-root - root may not uninstall apps for specified users
 329     result = drop_root_privileges(testUser.getUid(), testUser.getGid());
 330     RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
 331
 332     //uninstall app as non-root user
 333     InstallRequest request;
 334     request.setAppId(sm_app_id);
 335
 336     Api::uninstall(request);
 337
 338     check_app_permissions(sm_app_id, sm_pkg_id,
 339                           uidToStr(testUser.getUid()).c_str(),
 340                           SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
 341 }
 342
 343 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
 344 {
 345     int result;
 346     CapsSetsUniquePtr caps_empty(cap_init());
 347     auto caps = setCaps("all=eip");
 348     Api::dropProcessPrivileges();
 349
 350     caps.reset(cap_get_proc());
 351     RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
 352
 353     result = cap_compare(caps.get(), caps_empty.get());
 354     RUNNER_ASSERT_MSG(result == 0,
 355         "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
 356 }
 357
 358 RUNNER_CHILD_TEST(security_manager_06_install_app_offline)
 359 {
 360     const char *const app_id = "sm_test_06_app_id_install_app_offline";
 361     const char *const pkg_id = "sm_test_06_pkg_id_install_app_offline";
 362
 363     // Uninstall app on-line, off-line mode doesn't support it
 364     uninstall_app(app_id, pkg_id, true);
 365
 366     ServiceManager("security-manager.service").stopService();
 367
 368     ServiceManager serviceManager("security-manager.socket");
 369     serviceManager.stopService();
 370
 371     install_app(app_id, pkg_id);
 372
 373     serviceManager.startService();
 374
 375     uninstall_app(app_id, pkg_id, true);
 376 }
 377
 378 RUNNER_CHILD_TEST(security_manager_07_user_add_app_install)
 379 {
 380     const char *const sm_app_id = "sm_test_07_app_id_user";
 381     const char *const sm_pkg_id = "sm_test_07_pkg_id_user";
 382     const std::string new_user_name = "sm_test_07_user_name";
 383     std::string uid_string;
 384     TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
 385     test_user.create();
 386     test_user.getUidString(uid_string);
 387
 388     removeTestDirs(test_user, sm_app_id, sm_pkg_id);
 389     createTestDirs(test_user, sm_app_id, sm_pkg_id);
 390
 391     install_app(sm_app_id, sm_pkg_id, test_user.getUid());
 392
 393     check_app_after_install(sm_app_id, sm_pkg_id);
 394
 395     test_user.remove();
 396
 397     check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
 398
 399     check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
 400 }
 401
 402 RUNNER_CHILD_TEST(security_manager_08_user_double_add_double_remove)
 403 {
 404     UserRequest addUserRequest;
 405
 406     const char *const sm_app_id = "sm_test_08_app_id_user";
 407     const char *const sm_pkg_id = "sm_test_08_pkg_id_user";
 408     const std::string new_user_name = "sm_test_08_user_name";
 409     std::string uid_string;
 410
 411     // gumd user add
 412     TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
 413     test_user.create();
 414     test_user.getUidString(uid_string);
 415
 416     removeTestDirs(test_user, sm_app_id, sm_pkg_id);
 417     createTestDirs(test_user, sm_app_id, sm_pkg_id);
 418
 419     addUserRequest.setUid(test_user.getUid());
 420     addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
 421
 422     //sm user add
 423     Api::addUser(addUserRequest);
 424
 425     install_app(sm_app_id, sm_pkg_id, test_user.getUid());
 426
 427     check_app_after_install(sm_app_id, sm_pkg_id);
 428
 429     test_user.remove();
 430
 431     UserRequest deleteUserRequest;
 432     deleteUserRequest.setUid(test_user.getUid());
 433
 434     Api::deleteUser(deleteUserRequest);
 435
 436     check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
 437
 438     check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
 439 }
 440
 441 RUNNER_CHILD_TEST(security_manager_09_add_user_offline)
 442 {
 443     const char *const app_id = "security_manager_09_add_user_offline_app";
 444     const char *const pkg_id = "security_manager_09_add_user_offline_pkg";
 445     const std::string new_user_name("sm_test_09_user_name");
 446
 447     ServiceManager("security-manager.service").stopService();
 448
 449     ServiceManager serviceManager("security-manager.socket");
 450     serviceManager.stopService();
 451
 452     TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, true);
 453     test_user.create();
 454
 455     removeTestDirs(test_user, app_id, pkg_id);
 456     createTestDirs(test_user, app_id, pkg_id);
 457
 458     install_app(app_id, pkg_id, test_user.getUid());
 459
 460     check_app_after_install(app_id, pkg_id);
 461
 462     serviceManager.startService();
 463
 464     test_user.remove();
 465
 466     check_app_after_uninstall(app_id, pkg_id, true);
 467 }