2 * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 #include <sys/capability.h>
18 #include <sys/smack.h>
19 #include <sys/types.h>
21 #include <attr/xattr.h>
24 #include <dpl/test/test_runner.h>
26 #include <scoped_label.h>
27 #include <service_manager.h>
29 #include <sm_commons.h>
30 #include <sm_request.h>
31 #include <synchronization_pipe.h>
32 #include <tests_common.h>
33 #include <tzplatform.h>
36 using namespace SecurityManagerTest;
38 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
40 RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall)
42 const char *const sm_app_id = "sm_test_01a_app_id_double";
43 const char *const sm_pkg_id = "sm_test_01a_pkg_id_double";
45 InstallRequest requestInst;
46 requestInst.setAppId(sm_app_id);
47 requestInst.setPkgId(sm_pkg_id);
49 Api::install(requestInst);
50 Api::install(requestInst);
52 // Check records in the security-manager database
53 check_app_after_install(sm_app_id, sm_pkg_id);
55 InstallRequest requestUninst;
56 requestUninst.setAppId(sm_app_id);
58 Api::uninstall(requestUninst);
59 Api::uninstall(requestUninst);
61 // Check records in the security-manager database
62 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
65 RUNNER_TEST(security_manager_01b_app_double_install_wrong_pkg_id)
67 const char *const sm_app_id = "sm_test_01b_app";
68 const char *const sm_pkg_id = "sm_test_01b_pkg";
69 const char *const sm_pkg_id_wrong = "sm_test_01b_pkg_BAD";
71 InstallRequest requestInst;
72 requestInst.setAppId(sm_app_id);
73 requestInst.setPkgId(sm_pkg_id);
75 Api::install(requestInst);
77 InstallRequest requestInst2;
78 requestInst2.setAppId(sm_app_id);
79 requestInst2.setPkgId(sm_pkg_id_wrong);
81 Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM);
84 /* Check records in the security-manager database */
85 check_app_after_install(sm_app_id, sm_pkg_id);
87 InstallRequest requestUninst;
88 requestUninst.setAppId(sm_app_id);
90 Api::uninstall(requestUninst);
93 /* Check records in the security-manager database */
94 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
97 RUNNER_TEST(security_manager_01c_app_uninstall_pkg_id_ignored)
99 const char * const sm_app_id = "SM_TEST_01c_APPID";
100 const char * const sm_pkg_id = "SM_TEST_01c_PKGID";
101 const char * const sm_pkg_id_wrong = "SM_TEST_01c_PKGID_wrong";
103 InstallRequest requestInst;
104 requestInst.setAppId(sm_app_id);
105 requestInst.setPkgId(sm_pkg_id);
107 Api::install(requestInst);
109 /* Check records in the security-manager database */
110 check_app_after_install(sm_app_id, sm_pkg_id);
112 InstallRequest requestUninst;
113 requestUninst.setAppId(sm_app_id);
114 requestUninst.setPkgId(sm_pkg_id_wrong);
116 Api::uninstall(requestUninst);
118 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
121 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
123 std::string SM_RW_PATH = genRWPath(2);
124 std::string SM_RO_PATH = genROPath(2);
125 std::string SM_PUBLIC_RO_PATH = genPublicROPath(2);
127 const char *const sm_app_id = "sm_test_02_app_id_full";
128 const char *const sm_pkg_id = "sm_test_02_pkg_id_full";
132 InstallRequest requestInst;
133 requestInst.setAppId(sm_app_id);
134 requestInst.setPkgId(sm_pkg_id);
135 requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str());
136 requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str());
137 requestInst.addPath(SM_RW_PATH, SECURITY_MANAGER_PATH_RW);
138 requestInst.addPath(SM_RO_PATH, SECURITY_MANAGER_PATH_RO);
139 requestInst.addPath(SM_PUBLIC_RO_PATH, SECURITY_MANAGER_PATH_PUBLIC_RO);
141 Api::install(requestInst);
143 /* Check records in the security-manager database */
144 check_app_after_install(sm_app_id, sm_pkg_id,
145 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
147 /* TODO: add parameters to this function */
148 check_app_path_after_install(2, sm_pkg_id, false);
150 InstallRequest requestUninst;
151 requestUninst.setAppId(sm_app_id);
153 Api::uninstall(requestUninst);
155 /* Check records in the security-manager database,
156 * all previously allowed privileges should be removed */
157 check_app_after_uninstall(sm_app_id, sm_pkg_id,
158 SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
161 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
163 const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack";
164 const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
165 const char *const socketLabel = "not_expected_label";
166 std::string expected_label = generateAppLabel(app_id);
167 std::string expected_socket_label = socketLabel;
168 char *label = nullptr;
172 uninstall_app(app_id, pkg_id, true);
173 install_app(app_id, pkg_id);
175 const auto sockaddr = UDSHelpers::makeAbstractAddress("sm_test_03.socket");
176 int sock = UDSHelpers::createServer(&sockaddr);
177 SockUniquePtr sockPtr(&sock);
179 //Set socket label to something different than expecedLabel
180 result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPIN, socketLabel);
181 RUNNER_ASSERT_ERRNO_MSG(result == 0,
182 "Can't set socket label. Result: " << result);
183 result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPOUT, socketLabel);
184 RUNNER_ASSERT_ERRNO_MSG(result == 0,
185 "Can't set socket label. Result: " << result);
188 SynchronizationPipe pipe;
191 if (pid != 0) { // parent process
192 pipe.claimParentEp();
193 Api::setProcessLabel(app_id);
195 result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPIN, &label);
196 RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
197 labelPtr.reset(label);
198 result = expected_socket_label.compare(label);
199 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
200 expected_label << " Actual: " << label);
202 result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPOUT, &label);
203 RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
204 labelPtr.reset(label);
205 result = expected_socket_label.compare(label);
206 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
207 expected_label << " Actual: " << label);
209 result = smack_new_label_from_self(&label);
210 RUNNER_ASSERT_MSG(result >= 0,
211 " Error getting current process label");
212 RUNNER_ASSERT_MSG(label != nullptr,
213 " Process label is not set");
214 labelPtr.reset(label);
216 result = expected_label.compare(label);
217 RUNNER_ASSERT_MSG(result == 0,
218 " Process label is incorrect. Expected: \"" << expected_label <<
219 "\" Actual: \"" << label << "\"");
222 } else { // child process
225 uninstall_app(app_id, pkg_id, true);
230 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
232 const char *const app_id = "sm_test_03_app_id_set_label_from_appid_nosmack";
233 const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_nosmack";
235 uninstall_app(app_id, pkg_id, true);
236 install_app(app_id, pkg_id);
239 ScopedProcessLabel keepLabel;
240 Api::setProcessLabel(app_id);
243 uninstall_app(app_id, pkg_id, true);
246 static void install_and_check(const char *const sm_app_id,
247 const char *const sm_pkg_id,
248 const TemporaryTestUser& user,
249 const std::string &appDir,
252 InstallRequest requestPrivate;
254 //install app for non-root user
255 //should fail (users may only register folders inside their home)
256 prepare_request(requestPrivate, sm_app_id, sm_pkg_id,
257 SECURITY_MANAGER_PATH_RW, SM_RW_PATH,
258 requestUid ? user.getUid() : 0);
260 Api::install(requestPrivate, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
262 InstallRequest requestPrivateUser;
264 //install app for non-root user
265 //should succeed - this time i register folder inside user's home dir
266 prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
267 SECURITY_MANAGER_PATH_RW, appDir.c_str(),
268 requestUid ? user.getUid() : 0);
270 for (auto &privilege : SM_ALLOWED_PRIVILEGES)
271 requestPrivateUser.addPrivilege(privilege.c_str());
273 Api::install(requestPrivateUser);
275 check_app_permissions(sm_app_id, sm_pkg_id,
276 uidToStr(user.getUid()).c_str(),
277 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
280 RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
283 const char *const sm_app_id = "sm_test_04a_app_id_uid";
284 const char *const sm_pkg_id = "sm_test_04a_pkg_id_uid";
285 const std::string new_user_name = "sm_test_04a_user_name";
287 TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
290 removeTestDirs(testUser, sm_app_id, sm_pkg_id);
291 createTestDirs(testUser, sm_app_id, sm_pkg_id);
293 const std::string userAppDirPath = TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id);
295 //switch user to non-root
296 result = drop_root_privileges(testUser.getUid(), testUser.getGid());
297 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
299 install_and_check(sm_app_id, sm_pkg_id, testUser, userAppDirPath, false);
301 //uninstall app as non-root user
302 InstallRequest request;
303 request.setAppId(sm_app_id);
305 Api::uninstall(request);
307 check_app_permissions(sm_app_id, sm_pkg_id,
308 uidToStr(testUser.getUid()).c_str(),
309 SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
312 RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user)
315 const char *const sm_app_id = "sm_test_04b_app_id_uid";
316 const char *const sm_pkg_id = "sm_test_04b_pkg_id_uid";
317 const std::string new_user_name = "sm_test_04b_user_name";
319 TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
322 removeTestDirs(testUser, sm_app_id, sm_pkg_id);
323 createTestDirs(testUser, sm_app_id, sm_pkg_id);
325 install_and_check(sm_app_id, sm_pkg_id, testUser,
326 TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id), true);
328 //switch user to non-root - root may not uninstall apps for specified users
329 result = drop_root_privileges(testUser.getUid(), testUser.getGid());
330 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
332 //uninstall app as non-root user
333 InstallRequest request;
334 request.setAppId(sm_app_id);
336 Api::uninstall(request);
338 check_app_permissions(sm_app_id, sm_pkg_id,
339 uidToStr(testUser.getUid()).c_str(),
340 SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
343 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
346 CapsSetsUniquePtr caps_empty(cap_init());
347 auto caps = setCaps("all=eip");
348 Api::dropProcessPrivileges();
350 caps.reset(cap_get_proc());
351 RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
353 result = cap_compare(caps.get(), caps_empty.get());
354 RUNNER_ASSERT_MSG(result == 0,
355 "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
358 RUNNER_CHILD_TEST(security_manager_06_install_app_offline)
360 const char *const app_id = "sm_test_06_app_id_install_app_offline";
361 const char *const pkg_id = "sm_test_06_pkg_id_install_app_offline";
363 // Uninstall app on-line, off-line mode doesn't support it
364 uninstall_app(app_id, pkg_id, true);
366 ServiceManager("security-manager.service").stopService();
368 ServiceManager serviceManager("security-manager.socket");
369 serviceManager.stopService();
371 install_app(app_id, pkg_id);
373 serviceManager.startService();
375 uninstall_app(app_id, pkg_id, true);
378 RUNNER_CHILD_TEST(security_manager_07_user_add_app_install)
380 const char *const sm_app_id = "sm_test_07_app_id_user";
381 const char *const sm_pkg_id = "sm_test_07_pkg_id_user";
382 const std::string new_user_name = "sm_test_07_user_name";
383 std::string uid_string;
384 TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
386 test_user.getUidString(uid_string);
388 removeTestDirs(test_user, sm_app_id, sm_pkg_id);
389 createTestDirs(test_user, sm_app_id, sm_pkg_id);
391 install_app(sm_app_id, sm_pkg_id, test_user.getUid());
393 check_app_after_install(sm_app_id, sm_pkg_id);
397 check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
399 check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
402 RUNNER_CHILD_TEST(security_manager_08_user_double_add_double_remove)
404 UserRequest addUserRequest;
406 const char *const sm_app_id = "sm_test_08_app_id_user";
407 const char *const sm_pkg_id = "sm_test_08_pkg_id_user";
408 const std::string new_user_name = "sm_test_08_user_name";
409 std::string uid_string;
412 TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
414 test_user.getUidString(uid_string);
416 removeTestDirs(test_user, sm_app_id, sm_pkg_id);
417 createTestDirs(test_user, sm_app_id, sm_pkg_id);
419 addUserRequest.setUid(test_user.getUid());
420 addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
423 Api::addUser(addUserRequest);
425 install_app(sm_app_id, sm_pkg_id, test_user.getUid());
427 check_app_after_install(sm_app_id, sm_pkg_id);
431 UserRequest deleteUserRequest;
432 deleteUserRequest.setUid(test_user.getUid());
434 Api::deleteUser(deleteUserRequest);
436 check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
438 check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
441 RUNNER_CHILD_TEST(security_manager_09_add_user_offline)
443 const char *const app_id = "security_manager_09_add_user_offline_app";
444 const char *const pkg_id = "security_manager_09_add_user_offline_pkg";
445 const std::string new_user_name("sm_test_09_user_name");
447 ServiceManager("security-manager.service").stopService();
449 ServiceManager serviceManager("security-manager.socket");
450 serviceManager.stopService();
452 TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, true);
455 removeTestDirs(test_user, app_id, pkg_id);
456 createTestDirs(test_user, app_id, pkg_id);
458 install_app(app_id, pkg_id, test_user.getUid());
460 check_app_after_install(app_id, pkg_id);
462 serviceManager.startService();
466 check_app_after_uninstall(app_id, pkg_id, true);